mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-30 12:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

libtiff: fix CVE-2023-26965 heap-based use after free

Browse Source 
Upstream-Status: Backport from ec8ef90c1f

(From OE-Core rev: 9b9f88d8828ee822635ed645cc192829fecec39e)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hitendra Prajapati
2023-07-26 12:20:20 +05:30
committed by Steve Sakoman
parent 3c2e546a1a
commit d198c0d738
2 changed files with 98 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch Normal file
View File

@@ -0,0 +1,97 @@
From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 14 Feb 2023 20:43:43 +0100
Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
Closes #527
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
CVE: CVE-2023-26965
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
tools/tiffcrop.c | 47 +++++++++++++++--------------------------------
1 file changed, 15 insertions(+), 32 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index b811fbb..ce77c74 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6066,9 +6066,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6361,47 +6359,32 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
}
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
- {
- if( buffsize > 0xFFFFFFFFU - 3 )
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
+ _TIFFfree(read_buff);
}
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
+ if (buffsize > 0xFFFFFFFFU - 3)
{
- if (prev_readsize < buffsize)
- {
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large");
+ return (-1);
}
- if (!read_buff)
+ read_buff =
+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
+ TIFFError("loadImage", "Unable to allocate read buffer");
+ return (-1);
}
read_buff[buffsize] = 0;
read_buff[buffsize+1] = 0;
read_buff[buffsize+2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as interleaved
--
2.25.1

1
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
View File

@@ -37,6 +37,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-0795_0796_0797_0798_0799.patch \
file://CVE-2023-25433.patch \
file://CVE-2023-25434-CVE-2023-25435.patch \
file://CVE-2023-26965.patch \
"
SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"