diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-07-26 12:20:20 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-07-26 05:36:20 -1000 |
commit | 9b9f88d8828ee822635ed645cc192829fecec39e (patch) | |
tree | fa01dcf827e493c1b17f87021bc5caf76b3bce56 /meta | |
parent | 01b9f7f7bb3eaecd6aa757fa090fcc4424788ce1 (diff) | |
download | openembedded-core-contrib-9b9f88d8828ee822635ed645cc192829fecec39e.tar.gz |
libtiff: fix CVE-2023-26965 heap-based use after free
Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch | 97 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 |
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch new file mode 100644 index 0000000000..2162493e34 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch @@ -0,0 +1,97 @@ +From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Tue, 14 Feb 2023 20:43:43 +0100 +Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images. + Fix issue 527 + +Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value. + +Closes #527 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf] +CVE: CVE-2023-26965 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + tools/tiffcrop.c | 47 +++++++++++++++-------------------------------- + 1 file changed, 15 insertions(+), 32 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b811fbb..ce77c74 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -6066,9 +6066,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + uint32_t tw = 0, tl = 0; /* Tile width and length */ + tmsize_t tile_rowsize = 0; + unsigned char *read_buff = NULL; +- unsigned char *new_buff = NULL; + int readunit = 0; +- static tmsize_t prev_readsize = 0; + + TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); + TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); +@@ -6361,47 +6359,32 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + } + + read_buff = *read_ptr; +- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ +- /* outside buffer */ +- if (!read_buff) +- { +- if( buffsize > 0xFFFFFFFFU - 3 ) ++ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit ++ * outside buffer */ ++ /* Reuse of read_buff from previous image is quite unsafe, because other ++ * functions (like rotateImage() etc.) reallocate that buffer with different ++ * size without updating the local prev_readsize value. */ ++ if (read_buff) + { +- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); +- return (-1); ++ _TIFFfree(read_buff); + } +- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); +- } +- else ++ if (buffsize > 0xFFFFFFFFU - 3) + { +- if (prev_readsize < buffsize) +- { +- if( buffsize > 0xFFFFFFFFU - 3 ) +- { +- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); +- return (-1); +- } +- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); +- if (!new_buff) +- { +- free (read_buff); +- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); +- } +- else +- read_buff = new_buff; +- } ++ TIFFError("loadImage", "Required read buffer size too large"); ++ return (-1); + } +- if (!read_buff) ++ read_buff = ++ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); ++ if (!read_buff) + { +- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); +- return (-1); ++ TIFFError("loadImage", "Unable to allocate read buffer"); ++ return (-1); + } + + read_buff[buffsize] = 0; + read_buff[buffsize+1] = 0; + read_buff[buffsize+2] = 0; + +- prev_readsize = buffsize; + *read_ptr = read_buff; + + /* N.B. The read functions used copy separate plane data into a buffer as interleaved +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 2ee10fca72..4796dfde24 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -37,6 +37,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-0795_0796_0797_0798_0799.patch \ file://CVE-2023-25433.patch \ file://CVE-2023-25434-CVE-2023-25435.patch \ + file://CVE-2023-26965.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" |