mirror of
https://git.yoctoproject.org/poky
synced 2026-05-02 18:32:15 +02:00
eba805ace4
CVE-2023-52355: An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. Issue fixed by providing a documentation update. CVE-2023-52356: A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. References: https://nvd.nist.gov/vuln/detail/CVE-2023-52355 https://security-tracker.debian.org/tracker/CVE-2023-52355 https://gitlab.com/libtiff/libtiff/-/issues/621 https://gitlab.com/libtiff/libtiff/-/merge_requests/553 https://nvd.nist.gov/vuln/detail/CVE-2023-52356 https://gitlab.com/libtiff/libtiff/-/issues/622 https://gitlab.com/libtiff/libtiff/-/merge_requests/546 (From OE-Core rev: 831d7a2fffb3dec94571289292f0940bc7ecd70a) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
50 lines
1.7 KiB
Diff
50 lines
1.7 KiB
Diff
From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
|
|
From: Even Rouault <even.rouault@spatialys.com>
|
|
Date: Thu, 1 Feb 2024 11:38:14 +0000
|
|
Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
|
|
col/row (fixes #622)
|
|
|
|
CVE: CVE-2023-52356
|
|
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
|
|
|
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
|
---
|
|
libtiff/tif_getimage.c | 15 +++++++++++++++
|
|
1 file changed, 15 insertions(+)
|
|
|
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
|
index 41f7dfd..9cd6eee 100644
|
|
--- a/libtiff/tif_getimage.c
|
|
+++ b/libtiff/tif_getimage.c
|
|
@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
|
|
if (TIFFRGBAImageOK(tif, emsg) &&
|
|
TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
|
|
{
|
|
+ if (row >= img.height)
|
|
+ {
|
|
+ TIFFErrorExtR(tif, TIFFFileName(tif),
|
|
+ "Invalid row passed to TIFFReadRGBAStrip().");
|
|
+ TIFFRGBAImageEnd(&img);
|
|
+ return (0);
|
|
+ }
|
|
|
|
img.row_offset = row;
|
|
img.col_offset = 0;
|
|
@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
|
|
return (0);
|
|
}
|
|
|
|
+ if (col >= img.width || row >= img.height)
|
|
+ {
|
|
+ TIFFErrorExtR(tif, TIFFFileName(tif),
|
|
+ "Invalid row/col passed to TIFFReadRGBATile().");
|
|
+ TIFFRGBAImageEnd(&img);
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
/*
|
|
* The TIFFRGBAImageGet() function doesn't allow us to get off the
|
|
* edge of the image, even to fill an otherwise valid tile. So we
|
|
--
|
|
2.40.0
|