diff options
author | akash hadke <akash.hadke@kpit.com> | 2021-05-24 13:06:57 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2021-05-24 07:07:39 -1000 |
commit | 03a65159093e0b2df4bc867c873b5c43721b9a9c (patch) | |
tree | d151066b0d525d39322461413d5771993c450239 /meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch | |
parent | 68ee8fd1ec0f09c6477578de40e1adfc7ba35027 (diff) | |
download | openembedded-core-contrib-03a65159093e0b2df4bc867c873b5c43721b9a9c.tar.gz |
tiff: Add fix for CVE-2020-35521 and CVE-2020-35522
Added fix for CVE-2020-35521 and CVE-2020-35522
Link: https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch
Added below support patches for CVE-2020-35521 and CVE-2020-35522
1. 001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch
2. 002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch
Signed-off-by: akash hadke <akash.hadke@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..129721ff3e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch @@ -0,0 +1,119 @@ +From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001 +From: Thomas Bernard <miniupnp@free.fr> +Date: Sun, 15 Nov 2020 17:02:51 +0100 +Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba + +fixes #207 +fixes #209 + +Signed-off-by: akash hadke <akash.hadke@kpit.com> +--- + tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) +--- +CVE: CVE-2020-35521 +CVE: CVE-2020-35522 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch] +--- +diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c +index fbc383aa..764395f6 100644 +--- a/tools/tiff2rgba.c ++++ b/tools/tiff2rgba.c +@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1; + int process_by_block = 0; /* default is whole image at once */ + int no_alpha = 0; + int bigtiff_output = 0; ++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) ++/* malloc size limit (in bytes) ++ * disabled when set to 0 */ ++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; + + + static int tiffcvt(TIFF* in, TIFF* out); +@@ -75,8 +79,11 @@ main(int argc, char* argv[]) + extern char *optarg; + #endif + +- while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1) ++ while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1) + switch (c) { ++ case 'M': ++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; ++ break; + case 'b': + process_by_block = 1; + break; +@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) + (unsigned long)width, (unsigned long)height); + return 0; + } ++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { ++ TIFFError(TIFFFileName(in), ++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", ++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); ++ return 0; ++ } + + rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); +@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out) + TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); + CopyField(TIFFTAG_DOCUMENTNAME, stringv); + ++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) ++ { ++ TIFFError(TIFFFileName(in), ++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", ++ (uint64)TIFFStripSize(in), (uint64)maxMalloc); ++ return 0; ++ } + if( process_by_block && TIFFIsTiled( in ) ) + return( cvt_by_tile( in, out ) ); + else if( process_by_block ) +@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out) + } + + static const char* stuff[] = { +- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", ++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", + "where comp is one of the following compression algorithms:", + " jpeg\t\tJPEG encoding", + " zip\t\tZip/Deflate encoding", +@@ -551,6 +571,7 @@ static const char* stuff[] = { + " -b (progress by block rather than as a whole image)", + " -n don't emit alpha component.", + " -8 write BigTIFF file instead of ClassicTIFF", ++ " -M set the memory allocation limit in MiB. 0 to disable limit", + NULL + }; + +-- +GitLab + + +From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard <miniupnp@free.fr> +Date: Sun, 15 Nov 2020 17:08:42 +0100 +Subject: [PATCH 2/2] tiff2rgba.1: -M option + +--- + man/tiff2rgba.1 | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1 +index d9c9baae..fe9ebb2c 100644 +--- a/man/tiff2rgba.1 ++++ b/man/tiff2rgba.1 +@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file. + Currently this does not work if the + .B \-b + flag is also in effect. ++.TP ++.BI \-M " size" ++Set maximum memory allocation size (in MiB). The default is 256MiB. ++Set to 0 to disable the limit. + .SH "SEE ALSO" + .BR tiff2bw (1), + .BR TIFFReadRGBAImage (3t), +-- +GitLab |