mirror of
https://git.yoctoproject.org/poky
synced 2026-05-02 00:32:12 +02:00
fcc39f3e04
CVE-2023-6228: An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash. References: https://nvd.nist.gov/vuln/detail/CVE-2023-6228 https://gitlab.com/libtiff/libtiff/-/issues/606 (From OE-Core rev: 55735e0d75820d59e569a630679f9ac403c7fdbe) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
32 lines
1.0 KiB
Diff
32 lines
1.0 KiB
Diff
From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
|
|
From: Su_Laus <sulau@freenet.de>
|
|
Date: Wed, 17 Jan 2024 06:57:08 +0000
|
|
Subject: [PATCH] codec of input image is available, independently from codec
|
|
check of output image and return with error if not.
|
|
|
|
Fixes #606.
|
|
|
|
CVE: CVE-2023-6228
|
|
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
|
|
|
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
|
---
|
|
tools/tiffcp.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
|
index aff0626..a4f7f6b 100644
|
|
--- a/tools/tiffcp.c
|
|
+++ b/tools/tiffcp.c
|
|
@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out)
|
|
if (!TIFFIsCODECConfigured(compression))
|
|
return FALSE;
|
|
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
|
|
+ if (!TIFFIsCODECConfigured(input_compression))
|
|
+ return FALSE;
|
|
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
|
|
if (input_compression == COMPRESSION_JPEG)
|
|
{
|
|
--
|
|
2.40.0
|