mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-20 18:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

tiff: Security fix for CVE-2023-25434 and CVE-2023-26965

Browse Source 
Upstream-Status: Backport from [69818e2f2d, ec8ef90c1f]
(From OE-Core rev: 7db6039b809a11dc9b0b51a31a763bec87016568)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Siddharth
2023-06-29 09:37:03 +05:30
committed by Steve Sakoman
parent 51f94510a9
commit 91f27650e5
3 changed files with 260 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch Normal file
View File

@@ -0,0 +1,159 @@
From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sun, 29 Jan 2023 11:09:26 +0100
Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
image width and length parameters when only cropped image sections are
rotated. Remove buffptr from region structure because never used.
Closes #492 #493 #494 #495 #499 #518 #519
Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
CVE: CVE-2023-25434
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++--------------------
1 file changed, 30 insertions(+), 21 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index fc5b34b..6e1acc4 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -296,7 +296,6 @@ struct region
uint32_t width; /* width in pixels */
uint32_t length; /* length in pixels */
uint32_t buffsize; /* size of buffer needed to hold the cropped region */
- unsigned char *buffptr; /* address of start of the region */
};
/* Cropping parameters from command line and image data
@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **);
+ unsigned char **, int);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_mask *cps)
cps->regionlist[i].width = 0;
cps->regionlist[i].length = 0;
cps->regionlist[i].buffsize = 0;
- cps->regionlist[i].buffptr = NULL;
cps->zonelist[i].position = 0;
cps->zonelist[i].total = 0;
}
@@ -7221,8 +7219,13 @@ static int correct_orientation(struct image_data *image,
return (-1);
}
- if (rotateImage(rotation, image, &image->width, &image->length,
- work_buff_ptr))
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr,
+ TRUE))
{
TIFFError("correct_orientation", "Unable to rotate image");
return (-1);
@@ -7291,7 +7294,6 @@ static int extractCompositeRegions(struct image_data *image,
/* These should not be needed for composite images */
crop->regionlist[i].width = crop_width;
crop->regionlist[i].length = crop_length;
- crop->regionlist[i].buffptr = crop_buff;
src_rowsize = ((img_width * bps * spp) + 7) / 8;
dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -7552,7 +7554,6 @@ static int extractSeparateRegion(struct image_data *image,
crop->regionlist[region].width = crop_width;
crop->regionlist[region].length = crop_length;
- crop->regionlist[region].buffptr = crop_buff;
src = read_buff;
dst = crop_buff;
@@ -8543,7 +8544,7 @@ static int processCropSelections(struct image_data *image,
reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %" PRIu32
@@ -8668,7 +8669,7 @@ static int processCropSelections(struct image_data *image,
*/
if (rotateImage(crop->rotation, image,
&crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ &crop->regionlist[i].length, &crop_buff, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %" PRIu16
@@ -8815,7 +8816,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop,
CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %" PRIu16
@@ -9531,7 +9532,7 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,
/* Rotate an image by a multiple of 90 degrees clockwise */
static int rotateImage(uint16_t rotation, struct image_data *image,
uint32_t *img_width, uint32_t *img_length,
- unsigned char **ibuff_ptr)
+ unsigned char **ibuff_ptr, int rot_image_params)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
@@ -9747,11 +9748,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
case 270:
@@ -9834,11 +9839,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
default:
break;
--
2.35.7

99
meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch Normal file
View File

@@ -0,0 +1,99 @@
From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 14 Feb 2023 20:43:43 +0100
Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
Closes #527
Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
CVE: CVE-2023-26965
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
tools/tiffcrop.c | 47 +++++++++++++----------------------------------
1 file changed, 13 insertions(+), 34 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index fb0fbb2..58ed3ab 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6746,9 +6746,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -7072,43 +7070,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
}
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff =
- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
}
- else
+ if (buffsize > 0xFFFFFFFFU - 3)
{
- if (prev_readsize < buffsize)
- {
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage",
- "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff =
- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free(read_buff);
- read_buff = (unsigned char *)limitMalloc(
- buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large");
+ return (-1);
}
+ read_buff =
+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer");
return (-1);
}
@@ -7116,7 +7096,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
read_buff[buffsize + 1] = 0;
read_buff[buffsize + 2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as
--
2.35.7

2
meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
View File

@@ -11,6 +11,8 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2022-48281.patch \
file://CVE-2023-2731.patch \
file://CVE-2023-25434.patch \
file://CVE-2023-26965.patch \
"
SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"