diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2023-09-22 09:24:27 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-09-26 10:35:07 +0100 |
commit | 9e80f93ada4eae638350d86b8aa514203f757d43 (patch) | |
tree | da6f612f265b568541b055db25007b798a8f056b /meta/recipes-multimedia/libtiff/files | |
parent | 4274ac35c178392837919f3b8b068e05fccd3a08 (diff) | |
download | openembedded-core-9e80f93ada4eae638350d86b8aa514203f757d43.tar.gz |
tiff: upgrade 4.5.1 -> 4.6.0
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch | 35 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch | 63 |
2 files changed, 0 insertions, 98 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch deleted file mode 100644 index 73f1f37bab..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001 -From: Arie Haenel <arie.haenel@jct.ac.il> -Date: Thu, 14 Sep 2023 04:31:35 +0000 -Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images - (fixes #591) - -CVE: CVE-2023-40745 - -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5] - -Signed-off-by: Yogita Urade <yogita.urade@windriver.com> ---- - tools/tiffcp.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 3b2d1dd..57fa6e8 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - "Width * Samples/Pixel)"); - return 0; - } -+ -+ if ( (imagew - tilew * spp) > INT_MAX ){ -+ TIFFError(TIFFFileName(in), -+ "Error, image raster scan line size is too large"); -+ return 0; -+ } -+ - iskew = imagew - tilew * spp; - tilebuf = limitMalloc(tilesize); - if (tilebuf == 0) --- -2.35.5 diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch deleted file mode 100644 index cca30b2196..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001 -From: Arie Haenel <arie.haenel@jct.ac.il> -Date: Thu, 14 Sep 2023 04:36:58 +0000 -Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes - #592) - -CVE: CVE-2023-41175 - -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] - -Signed-off-by: Yogita Urade <yogita.urade@windriver.com> ---- - tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++ - 1 file changed, 28 insertions(+) - -diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c -index 4ee59e5..a811077 100644 ---- a/tools/raw2tiff.c -+++ b/tools/raw2tiff.c -@@ -101,6 +101,7 @@ int main(int argc, char *argv[]) - int fd; - char *outfilename = NULL; - TIFF *out; -+ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/ - - uint32_t row, col, band; - int c; -@@ -221,6 +222,33 @@ int main(int argc, char *argv[]) - if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) - return EXIT_FAILURE; - -+ /* check for integer overflow in */ -+ /* hdr_size + (*width) * (*length) * nbands * depth */ -+ -+ if ((width == 0) || (length == 0) ){ -+ fprintf(stderr, "Too large nbands value specified.\n"); -+ return (EXIT_FAILURE); -+ } -+ -+ temp_limit_check = nbands * depth; -+ -+ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) { -+ fprintf(stderr, "Too large length size specified.\n"); -+ return (EXIT_FAILURE); -+ } -+ temp_limit_check = temp_limit_check * length; -+ -+ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) { -+ fprintf(stderr, "Too large width size specified.\n"); -+ return (EXIT_FAILURE); -+ } -+ temp_limit_check = temp_limit_check * width; -+ -+ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) { -+ fprintf(stderr, "Too large header size specified.\n"); -+ return (EXIT_FAILURE); -+ } -+ - if (outfilename == NULL) - outfilename = argv[optind + 1]; - out = TIFFOpen(outfilename, "w"); --- -2.35.5 |