mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-03-19 13:49:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356

Browse Source 
import patches from ubuntu to fix
 CVE-2023-6277
 CVE-2023-52356

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
5320c9d89c
&
0b02532471
&
de7bfd7d43
&
dbb825a831
&
51558511bd]

(From OE-Core rev: 15abae1f6a9861e28ce35b015cb3ddc434f9fca4)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
2024-03-22 18:34:35 +05:30
committed by Steve Sakoman
parent 1c2fbec01f
commit e555aefeef
6 changed files with 541 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch Normal file
View File

@@ -0,0 +1,53 @@
[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
. using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
-- Rodrigo Figueiredo Zaiden]
Backport of:
From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 15:58:41 +0100
Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
col/row (fixes #622)
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
CVE: CVE-2023-52356
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_getimage.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
+++ tiff-4.1.0+git191117/libtiff/tif_getimage.c
@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
}
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
+ if (row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row passed to TIFFReadRGBAStrip().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
img.row_offset = row;
img.col_offset = 0;
@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
return( 0 );
}
+ if (col >= img.width || row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row/col passed to TIFFReadRGBATile().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
/*
* The TIFFRGBAImageGet() function doesn't allow us to get off the
* edge of the image, even to fill an otherwise valid tile. So we

191
meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch Normal file
View File

@@ -0,0 +1,191 @@
[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
. included inttypes.h header to support PRIu32 and PRIu64;
. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
. using uint64 instead of uint64_t to preserve the current code usage;
. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
. calls to the check size, that is the idea of the patch, were added before
_TIFFCheckMalloc and may note match the original patch methods;
-- Rodrigo Figueiredo Zaiden]
Backport of:
From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 31 Oct 2023 15:43:29 +0000
Subject: [PATCH] Prevent some out-of-memory attacks
Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
CVE: CVE-2023-6277
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 90 insertions(+), 2 deletions(-)
--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -37,6 +37,7 @@
#include "tiffiop.h"
#include <float.h>
#include <stdlib.h>
+#include <inttypes.h>
#define FAILED_FII ((uint32) -1)
@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
datasize=(*count)*typesize;
assert((tmsize_t)datasize>0);
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size.
+ */
+ uint64 filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
+
if( isMapped(tif) && datasize > (uint32)tif->tif_size )
return TIFFReadDirEntryErrIo;
@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
if( !_TIFFFillStrilesInternal( tif, 0 ) )
return -1;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size. */
+ uint64 filesize = TIFFGetFileSize(tif);
+ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
+
if (td->td_stripbytecount_p)
_TIFFfree(td->td_stripbytecount_p);
td->td_stripbytecount_p = (uint64*)
@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
if (td->td_compression != COMPRESSION_NONE) {
uint64 space;
- uint64 filesize;
uint16 n;
- filesize = TIFFGetFileSize(tif);
if (!(tif->tif_flags&TIFF_BIGTIFF))
space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
else
@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
dircount16 = (uint16)dircount64;
dirsize = 20;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64 filesize = TIFFGetFileSize(tif);
+ uint64 allocsize = (uint64)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize, "to read TIFF directory");
if (origdir == NULL)
@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
"Sanity check on directory count failed, zero tag directories not supported");
return 0;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64 filesize = TIFFGetFileSize(tif);
+ uint64 allocsize = (uint64)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize,
"to read TIFF directory");
@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
}
}
}
+ /* No check against filesize needed here because "dir" should have same size
+ * than "origdir" checked above. */
dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
sizeof(TIFFDirEntry),
"to read TIFF directory");
@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
_TIFFfree(data);
return(0);
}
-
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64 filesize = TIFFGetFileSize(tif);
+ uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
if (resizeddata==0) {
_TIFFfree(data);
@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
}
bytecount = last_offset + last_bytecount - offset;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+ uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

152
meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch Normal file
View File

@@ -0,0 +1,152 @@
[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
. using uint64 instead of uint64_t to preserve the current code usage;
-- Rodrigo Figueiredo Zaiden]
Backport of:
From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 19:47:22 +0100
Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
RAM requests
Ammends 5320c9d89c054fa805d037d84c57da874470b01a
This fixes a performance regression caught by the GDAL regression test
suite.
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa]
CVE: CVE-2023-6277
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------
1 file changed, 48 insertions(+), 35 deletions(-)
--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead
datasize=(*count)*typesize;
assert((tmsize_t)datasize>0);
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size.
- */
- uint64 filesize = TIFFGetFileSize(tif);
- if (datasize > filesize)
+ if (datasize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
- "Requested memory size for tag %d (0x%x) %" PRIu32
- " is greather than filesize %" PRIu64
- ". Memory not allocated, tag not read",
- direntry->tdir_tag, direntry->tdir_tag, datasize,
- filesize);
- return (TIFFReadDirEntryErrAlloc);
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size.
+ */
+ const uint64 filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
}
if( isMapped(tif) && datasize > (uint32)tif->tif_size )
@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
if( !_TIFFFillStrilesInternal( tif, 0 ) )
return -1;
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size. */
- uint64 filesize = TIFFGetFileSize(tif);
- uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
- if (allocsize > filesize)
+ const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+ uint64 filesize = 0;
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripByteCounts of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return -1;
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greater than filesize %" PRIu64 ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
}
if (td->td_stripbytecount_p)
@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
return -1;
space+=datasize;
}
+ if (filesize == 0)
+ filesize = TIFFGetFileSize(tif);
if( filesize < space )
- /* we should perhaps return in error ? */
- space = filesize;
- else
- space = filesize - space;
+ /* we should perhaps return in error ? */
+ space = filesize;
+ else
+ space = filesize - space;
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
space /= td->td_samplesperpixel;
for (strip = 0; strip < td->td_nstrips; strip++)
@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
dircount16 = (uint16)dircount64;
dirsize = 20;
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64 filesize = TIFFGetFileSize(tif);
- uint64 allocsize = (uint64)dircount16 * dirsize;
- if (allocsize > filesize)
+ const uint64 allocsize = (uint64)dircount16 * dirsize;
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(
- tif->tif_clientdata, module,
- "Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated, TIFF directory not read",
- allocsize, filesize);
- return 0;
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
}
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize, "to read TIFF directory");

46
meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch Normal file
View File

@@ -0,0 +1,46 @@
Backport of:
From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 20:13:45 +0100
Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
check
CoverityScan rightly points that the max value for dircount16 * dirsize
is 4096 * 20. That's small enough not to do any check
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3]
CVE: CVE-2023-6277
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_dirread.c | 18 ------------------
1 file changed, 18 deletions(-)
--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
dircount16 = (uint16)dircount64;
dirsize = 20;
}
- const uint64 allocsize = (uint64)dircount16 * dirsize;
- if (allocsize > 100 * 1024 * 1024)
- {
- /* Before allocating a huge amount of memory for corrupted files,
- * check if size of requested memory is not greater than file size.
- */
- const uint64 filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
- {
- TIFFWarningExt(
- tif->tif_clientdata, module,
- "Requested memory size for TIFF directory of %" PRIu64
- " is greater than filesize %" PRIu64
- ". Memory not allocated, TIFF directory not read",
- allocsize, filesize);
- return 0;
- }
- }
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize, "to read TIFF directory");
if (origdir == NULL)

94
meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch Normal file
View File

@@ -0,0 +1,94 @@
[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
. using uint64 instead of uint64_t to preserve the current code usage;
. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
-- Rodrigo Figueiredo Zaiden]
Backport of:
From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 21:30:58 +0100
Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
RAM requests
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
CVE: CVE-2023-6277
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
1 file changed, 31 insertions(+), 23 deletions(-)
--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
_TIFFfree(data);
return(0);
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64 filesize = TIFFGetFileSize(tif);
- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
- if (allocsize > filesize)
+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripArray of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- _TIFFfree(data);
- return (0);
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
}
resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
if (resizeddata==0) {
@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
* size of StripByteCount and StripOffset tags is not greater than
* file size.
*/
- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
- uint64 filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
- {
- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
- "Requested memory size for StripByteCount and "
- "StripOffsets %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return;
+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+ if (allocsize > 100 * 1024 * 1024)
+ {
+ const uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
}
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

5
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
View File

@@ -49,6 +49,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-41175.patch \
file://CVE-2022-40090.patch \
file://CVE-2023-6228.patch \
file://CVE-2023-6277-1.patch \
file://CVE-2023-6277-2.patch \
file://CVE-2023-6277-3.patch \
file://CVE-2023-6277-4.patch \
file://CVE-2023-52356.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"