* [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0
@ 2022-09-29 8:33 jay.shen.teoh
2022-09-29 8:33 ` [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953 jay.shen.teoh
2022-09-30 15:58 ` [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0 Steve Sakoman
0 siblings, 2 replies; 8+ messages in thread
From: jay.shen.teoh @ 2022-09-29 8:33 UTC
To: openembedded-core
From: Teoh Jay Shen <jay.shen.teoh@intel.com>
-Drop all CVE backports for tiff_4.3.0
-Update includes fixes for:
CVE-2022-2867 [https://bugzilla.redhat.com/show_bug.cgi?id=2118847],
CVE-2022-2868 [https://bugzilla.redhat.com/show_bug.cgi?id=2118863],
CVE-2022-2869 [https://bugzilla.redhat.com/show_bug.cgi?id=2118869]
Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
---
...rash-when-reading-a-file-with-multip.patch | 38 ---
...al-buffer-overflow-for-ASCII-tags-wh.patch | 43 ----
...ue-380-and-382-heap-buffer-overflow-.patch | 219 ------------------
...-for-return-value-of-limitMalloc-392.patch | 93 --------
...ag-avoid-calling-memcpy-with-a-null-.patch | 33 ---
.../0005-fix-the-FPE-in-tiffcrop-393.patch | 36 ---
...x-heap-buffer-overflow-in-tiffcp-278.patch | 57 -----
...99c99f987dc32ae110370cfdd7df7975586b.patch | 30 ---
.../libtiff/tiff/CVE-2022-1354.patch | 212 -----------------
.../libtiff/tiff/CVE-2022-1355.patch | 62 -----
...0712f4c3a5b449f70c57988260a667ddbdef.patch | 32 ---
.../libtiff/{tiff_4.3.0.bb => tiff_4.4.0.bb} | 13 +-
12 files changed, 1 insertion(+), 867 deletions(-)
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
delete mode 100644 meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
rename meta/recipes-multimedia/libtiff/{tiff_4.3.0.bb => tiff_4.4.0.bb} (75%)
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
deleted file mode 100644
index f1a4ab4251..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-CVE: CVE-2022-0865
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 24 Feb 2022 22:26:02 +0100
-Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple
- IFD in memory-mapped mode and when bit reversal is needed (fixes #385)
-
----
- libtiff/tif_jbig.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
-index 74086338..8bfa4cef 100644
---- a/libtiff/tif_jbig.c
-+++ b/libtiff/tif_jbig.c
-@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
- */
- tif->tif_flags |= TIFF_NOBITREV;
- tif->tif_flags &= ~TIFF_MAPPED;
-+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
-+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
-+ * value to be consistent with the state of a non-memory mapped file.
-+ */
-+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
-+ tif->tif_rawdata = NULL;
-+ tif->tif_rawdatasize = 0;
-+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
-+ tif->tif_flags |= TIFF_MYBUFFER;
-+ }
-
- /* Setup the function pointers for encode, decode, and cleanup. */
- tif->tif_setupdecode = JBIGSetupDecode;
---
-2.25.1
-
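Review bot: The commit message justifies this deletion only with "Drop all CVE backports for tiff_4.3.0" and never states that the fix is part of 4.4.0, while the `CVE: CVE-2022-0865` tag at the top of this file is the record tying that fix to the recipe. Please list the dropped CVE IDs in the commit message and confirm that upstream commit 88da11ae3c4db527cb870fb1017456cc8fbac2e7 (the `TIFF_BUFFERMMAP` reset in `TIFFInitJBIG`) is contained in the 4.4.0 source, so the removal can be checked against the new release rather than taken on trust.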
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
deleted file mode 100644
index 72776f09ba..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-CVE: CVE-2022-22844
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Tue, 25 Jan 2022 16:25:28 +0000
-Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
- count is required (fixes #355)
-
----
- tools/tiffset.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/tools/tiffset.c b/tools/tiffset.c
-index 8c9e23c5..e7a88c09 100644
---- a/tools/tiffset.c
-+++ b/tools/tiffset.c
-@@ -146,9 +146,19 @@ main(int argc, char* argv[])
-
- arg_index++;
- if (TIFFFieldDataType(fip) == TIFF_ASCII) {
-- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
-- fprintf( stderr, "Failed to set %s=%s\n",
-- TIFFFieldName(fip), argv[arg_index] );
-+ if(TIFFFieldPassCount( fip )) {
-+ size_t len;
-+ len = strlen(argv[arg_index]) + 1;
-+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
-+ (uint16_t)len, argv[arg_index]) != 1)
-+ fprintf( stderr, "Failed to set %s=%s\n",
-+ TIFFFieldName(fip), argv[arg_index] );
-+ } else {
-+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
-+ argv[arg_index]) != 1)
-+ fprintf( stderr, "Failed to set %s=%s\n",
-+ TIFFFieldName(fip), argv[arg_index] );
-+ }
- } else if (TIFFFieldWriteCount(fip) > 0
- || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
- int ret = 1;
---
-2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
deleted file mode 100644
index 812ffb232d..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-CVE: CVE-2022-0891
-CVE: CVE-2022-1056
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001
-From: Su Laus <sulau@freenet.de>
-Date: Tue, 8 Mar 2022 17:02:44 +0000
-Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in
- extractImageSection
-
----
- tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
- 1 file changed, 36 insertions(+), 56 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index b85c2ce7..302a7e91 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -105,8 +105,8 @@
- * of messages to monitor progress without enabling dump logs.
- */
-
--static char tiffcrop_version_id[] = "2.4";
--static char tiffcrop_rev_date[] = "12-13-2010";
-+static char tiffcrop_version_id[] = "2.4.1";
-+static char tiffcrop_rev_date[] = "03-03-2010";
-
- #include "tif_config.h"
- #include "libport.h"
-@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #ifdef DEVELMODE
- uint32_t img_length;
- #endif
-- uint32_t j, shift1, shift2, trailing_bits;
-+ uint32_t j, shift1, trailing_bits;
- uint32_t row, first_row, last_row, first_col, last_col;
- uint32_t src_offset, dst_offset, row_offset, col_offset;
-- uint32_t offset1, offset2, full_bytes;
-+ uint32_t offset1, full_bytes;
- uint32_t sect_width;
- #ifdef DEVELMODE
- uint32_t sect_length;
-@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #ifdef DEVELMODE
- int k;
- unsigned char bitset;
-- static char *bitarray = NULL;
- #endif
-
- img_width = image->width;
-@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- dst_offset = 0;
-
- #ifdef DEVELMODE
-- if (bitarray == NULL)
-- {
-- if ((bitarray = (char *)malloc(img_width)) == NULL)
-- {
-- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
-- return (-1);
-- }
-- }
-+ char bitarray[39];
- #endif
-
-- /* rows, columns, width, length are expressed in pixels */
-+ /* rows, columns, width, length are expressed in pixels
-+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
-+ * last_col shall be also extracted. */
- first_row = section->y1;
- last_row = section->y2;
- first_col = section->x1;
-@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #ifdef DEVELMODE
- sect_length = last_row - first_row + 1;
- #endif
-- img_rowsize = ((img_width * bps + 7) / 8) * spp;
-- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
-- trailing_bits = (sect_width * bps) % 8;
-+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
-+ * samples rather than separate planes so the same logic works to extract regions
-+ * regardless of the way the data are organized in the input file.
-+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
-+ */
-+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
-+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
-+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
-
- #ifdef DEVELMODE
- TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
-@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
-
- if ((bps % 8) == 0)
- {
-- col_offset = first_col * spp * bps / 8;
-+ col_offset = (first_col * spp * bps) / 8;
- for (row = first_row; row <= last_row; row++)
- {
-- /* row_offset = row * img_width * spp * bps / 8; */
- row_offset = row * img_rowsize;
- src_offset = row_offset + col_offset;
-
-@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- }
- else
- { /* bps != 8 */
-- shift1 = spp * ((first_col * bps) % 8);
-- shift2 = spp * ((last_col * bps) % 8);
-+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
- for (row = first_row; row <= last_row; row++)
- {
- /* pull out the first byte */
- row_offset = row * img_rowsize;
-- offset1 = row_offset + (first_col * bps / 8);
-- offset2 = row_offset + (last_col * bps / 8);
-+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
-
- #ifdef DEVELMODE
- for (j = 0, k = 7; j < 8; j++, k--)
-@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- sprintf(&bitarray[9], " ");
- for (j = 10, k = 7; j < 18; j++, k--)
- {
-- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
-+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
- sprintf(&bitarray[j], (bitset) ? "1" : "0");
- }
- bitarray[18] = '\0';
-- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
-- row, offset1, shift1, offset2, shift2);
-+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
-+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
- #endif
-
- bytebuff1 = bytebuff2 = 0;
-@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
-
- if (trailing_bits != 0)
- {
-- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
-+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
-+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
- sect_buff[dst_offset] = bytebuff2;
- #ifdef DEVELMODE
- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
-- offset2, dst_offset);
-+ offset1 + full_bytes, dst_offset);
- for (j = 30, k = 7; j < 38; j++, k--)
- {
- bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
-@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #endif
- for (j = 0; j <= full_bytes; j++)
- {
-- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
-- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
-+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
-+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
-+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
-+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
- sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
- }
- #ifdef DEVELMODE
-@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #endif
- dst_offset += full_bytes;
-
-+ /* Copy the trailing_bits for the last byte in the destination buffer.
-+ Could come from one ore two bytes of the source buffer. */
- if (trailing_bits != 0)
- {
- #ifdef DEVELMODE
-- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
--#endif
-- if (shift2 > shift1)
-- {
-- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
-- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
-- sect_buff[dst_offset] = bytebuff2;
--#ifdef DEVELMODE
-- TIFFError ("", " Shift2 > Shift1\n");
-+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
- #endif
-+ /* More than necessary bits are already copied into last destination buffer,
-+ * only masking of last byte in destination buffer is necessary.*/
-+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
- }
-- else
-- {
-- if (shift2 < shift1)
-- {
-- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
-- sect_buff[dst_offset] &= bytebuff2;
--#ifdef DEVELMODE
-- TIFFError ("", " Shift2 < Shift1\n");
--#endif
-- }
--#ifdef DEVELMODE
-- else
-- TIFFError ("", " Shift2 == Shift1\n");
--#endif
-- }
-- }
- #ifdef DEVELMODE
- sprintf(&bitarray[28], " ");
- sprintf(&bitarray[29], " ");
-@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
- width = sections[i].x2 - sections[i].x1 + 1;
- length = sections[i].y2 - sections[i].y1 + 1;
- sectsize = (uint32_t)
-- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
-+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
- /* allocate a buffer if we don't have one already */
- if (createImageSection(sectsize, sect_buff_ptr))
- {
---
-2.25.1
-
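Review bot: The tiffcrop fix removed here still carries an acknowledged over-read in the `for (j = 0; j <= full_bytes; j++)` loop of `extractImageSection`, where `src_buff[offset1 + j + 1]` is read and the added comment says "src_buff size needs to be some bytes larger than image size, because could read behind image here". Before relying on the upgrade for CVE-2022-0891 and CVE-2022-1056, please confirm that 4.4.0 allocates the source buffer with that slack or bounds the loop, and note the result in the commit message, since this one file carries two CVE tags.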
diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
deleted file mode 100644
index a0b856b9e1..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-CVE: CVE-2022-0907
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001
-From: Augustus <wangdw.augustus@qq.com>
-Date: Mon, 7 Mar 2022 18:21:49 +0800
-Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392)
-
----
- tools/tiffcrop.c | 33 +++++++++++++++++++++------------
- 1 file changed, 21 insertions(+), 12 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 302a7e91..e407bf51 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
- if (!sect_buff)
- {
- sect_buff = (unsigned char *)limitMalloc(sectsize);
-- *sect_buff_ptr = sect_buff;
-+ if (!sect_buff)
-+ {
-+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
-+ return (-1);
-+ }
- _TIFFmemset(sect_buff, 0, sectsize);
- }
- else
-@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
- else
- sect_buff = new_buff;
-
-+ if (!sect_buff)
-+ {
-+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
-+ return (-1);
-+ }
- _TIFFmemset(sect_buff, 0, sectsize);
- }
- }
-
-- if (!sect_buff)
-- {
-- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
-- return (-1);
-- }
- prev_sectsize = sectsize;
- *sect_buff_ptr = sect_buff;
-
-@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
- if (!crop_buff)
- {
- crop_buff = (unsigned char *)limitMalloc(cropsize);
-- *crop_buff_ptr = crop_buff;
-+ if (!crop_buff)
-+ {
-+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
-+ return (-1);
-+ }
- _TIFFmemset(crop_buff, 0, cropsize);
- prev_cropsize = cropsize;
- }
-@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
- }
- else
- crop_buff = new_buff;
-+ if (!crop_buff)
-+ {
-+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
-+ return (-1);
-+ }
- _TIFFmemset(crop_buff, 0, cropsize);
- }
- }
-
-- if (!crop_buff)
-- {
-- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
-- return (-1);
-- }
- *crop_buff_ptr = crop_buff;
-
- if (crop->crop_mode & CROP_INVERT)
-@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
- * fill-column: 78
- * End:
- */
-+
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
deleted file mode 100644
index 719dabaecc..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-CVE: CVE-2022-0908
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 17 Feb 2022 15:28:43 +0100
-Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null
- source pointer and size of zero (fixes #383)
-
----
- libtiff/tif_dirread.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index d84147a0..4e8ce729 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
- _TIFFfree(data);
- return(0);
- }
-- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
-+ if (dp->tdir_count > 0 )
-+ {
-+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
-+ }
- o[(uint32_t)dp->tdir_count]=0;
- if (data!=0)
- _TIFFfree(data);
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
deleted file mode 100644
index 64dbe9ef92..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-CVE: CVE-2022-0909
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Tue, 8 Mar 2022 16:22:04 +0000
-Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393)
-
----
- libtiff/tif_dir.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index a6c254fc..77da6ea4 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
- break;
- case TIFFTAG_XRESOLUTION:
- dblval = va_arg(ap, double);
-- if( dblval < 0 )
-+ if( dblval != dblval || dblval < 0 )
- goto badvaluedouble;
- td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
- break;
- case TIFFTAG_YRESOLUTION:
- dblval = va_arg(ap, double);
-- if( dblval < 0 )
-+ if( dblval != dblval || dblval < 0 )
- goto badvaluedouble;
- td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
- break;
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
deleted file mode 100644
index afd5e59960..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-CVE: CVE-2022-0924
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Thu, 10 Mar 2022 08:48:00 +0000
-Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278)
-
----
- tools/tiffcp.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 1f889516..552d8fad 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
- tdata_t obuf;
- tstrip_t strip = 0;
- tsample_t s;
-+ uint16_t bps = 0, bytes_per_sample;
-
- obuf = limitMalloc(stripsize);
- if (obuf == NULL)
- return (0);
- _TIFFmemset(obuf, 0, stripsize);
- (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
-+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
-+ if( bps == 0 )
-+ {
-+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
-+ _TIFFfree(obuf);
-+ return 0;
-+ }
-+ if( (bps % 8) != 0 )
-+ {
-+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
-+ _TIFFfree(obuf);
-+ return 0;
-+ }
-+ bytes_per_sample = bps/8;
- for (s = 0; s < spp; s++) {
- uint32_t row;
- for (row = 0; row < imagelength; row += rowsperstrip) {
-@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
-
- cpContigBufToSeparateBuf(
- obuf, (uint8_t*) buf + row * rowsize + s,
-- nrows, imagewidth, 0, 0, spp, 1);
-+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
- if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
- TIFFError(TIFFFileName(out),
- "Error, can't write strip %"PRIu32,
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
deleted file mode 100644
index 0b41dde606..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 5 Feb 2022 20:36:41 +0100
-Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
- source pointer and size of zero (fixes #362)
-
-Upstream-Status: Backport
-CVE: CVE-2022-0562
-
----
- libtiff/tif_dirread.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 2bbc4585..23194ced 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
- goto bad;
- }
-
-- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
-+ if (old_extrasamples > 0)
-+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
- _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
- _TIFFfree(new_sampleinfo);
- }
---
-GitLab
-
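Review bot: This file is named after a bare commit hash and keeps its `CVE: CVE-2022-0562` tag inside the upstream message body, so neither the diffstat nor the "delete mode" list above shows that a CVE fix is being dropped here. Name CVE-2022-0562 explicitly in the commit message, together with the `old_extrasamples > 0` guard in `TIFFReadDirectory` that 4.4.0 is expected to carry.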
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
deleted file mode 100644
index 71b85cac10..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
+++ /dev/null
@@ -1,212 +0,0 @@
-From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 5 Dec 2021 14:37:46 +0100
-Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
-
-to avoid having the size of the strip arrays inconsistent with the
-number of strips returned by TIFFNumberOfStrips(), which may cause
-out-ouf-bounds array read afterwards.
-
-One of the OJPEG hack that alters SamplesPerPixel may influence the
-number of strips. Hence compute tif_dir.td_nstrips only afterwards.
-
-CVE: CVE-2022-1354
-
-Upstream-Status: Backport
-[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
- 1 file changed, 83 insertions(+), 79 deletions(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 8f434ef5..14c031d1 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
- MissingRequired(tif,"ImageLength");
- goto bad;
- }
-- /*
-- * Setup appropriate structures (by strip or by tile)
-- */
-- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
-- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
-- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
-- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
-- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
-- tif->tif_flags &= ~TIFF_ISTILED;
-- } else {
-- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
-- tif->tif_flags |= TIFF_ISTILED;
-- }
-- if (!tif->tif_dir.td_nstrips) {
-- TIFFErrorExt(tif->tif_clientdata, module,
-- "Cannot handle zero number of %s",
-- isTiled(tif) ? "tiles" : "strips");
-- goto bad;
-- }
-- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
-- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
-- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
-- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
--#ifdef OJPEG_SUPPORT
-- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
-- (isTiled(tif)==0) &&
-- (tif->tif_dir.td_nstrips==1)) {
-- /*
-- * XXX: OJPEG hack.
-- * If a) compression is OJPEG, b) it's not a tiled TIFF,
-- * and c) the number of strips is 1,
-- * then we tolerate the absence of stripoffsets tag,
-- * because, presumably, all required data is in the
-- * JpegInterchangeFormat stream.
-- */
-- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
-- } else
--#endif
-- {
-- MissingRequired(tif,
-- isTiled(tif) ? "TileOffsets" : "StripOffsets");
-- goto bad;
-- }
-- }
-+
- /*
- * Second pass: extract other information.
- */
-@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
- } /* -- if (!dp->tdir_ignore) */
- } /* -- for-loop -- */
-
-- if( tif->tif_mode == O_RDWR &&
-- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
-- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
-- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
-- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
-- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
-- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
-- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
-- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
-- {
-- /* Directory typically created with TIFFDeferStrileArrayWriting() */
-- TIFFSetupStrips(tif);
-- }
-- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
-- {
-- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
-- {
-- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
-- tif->tif_dir.td_nstrips,
-- &tif->tif_dir.td_stripoffset_p))
-- {
-- goto bad;
-- }
-- }
-- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
-- {
-- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
-- tif->tif_dir.td_nstrips,
-- &tif->tif_dir.td_stripbytecount_p))
-- {
-- goto bad;
-- }
-- }
-- }
--
- /*
- * OJPEG hack:
- * - If a) compression is OJPEG, and b) photometric tag is missing,
-@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
- }
- }
-
-+ /*
-+ * Setup appropriate structures (by strip or by tile)
-+ * We do that only after the above OJPEG hack which alters SamplesPerPixel
-+ * and thus influences the number of strips in the separate planarconfig.
-+ */
-+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
-+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
-+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
-+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
-+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
-+ tif->tif_flags &= ~TIFF_ISTILED;
-+ } else {
-+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
-+ tif->tif_flags |= TIFF_ISTILED;
-+ }
-+ if (!tif->tif_dir.td_nstrips) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Cannot handle zero number of %s",
-+ isTiled(tif) ? "tiles" : "strips");
-+ goto bad;
-+ }
-+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
-+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
-+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
-+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
-+#ifdef OJPEG_SUPPORT
-+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
-+ (isTiled(tif)==0) &&
-+ (tif->tif_dir.td_nstrips==1)) {
-+ /*
-+ * XXX: OJPEG hack.
-+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
-+ * and c) the number of strips is 1,
-+ * then we tolerate the absence of stripoffsets tag,
-+ * because, presumably, all required data is in the
-+ * JpegInterchangeFormat stream.
-+ */
-+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
-+ } else
-+#endif
-+ {
-+ MissingRequired(tif,
-+ isTiled(tif) ? "TileOffsets" : "StripOffsets");
-+ goto bad;
-+ }
-+ }
-+
-+ if( tif->tif_mode == O_RDWR &&
-+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
-+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
-+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
-+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
-+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
-+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
-+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
-+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
-+ {
-+ /* Directory typically created with TIFFDeferStrileArrayWriting() */
-+ TIFFSetupStrips(tif);
-+ }
-+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
-+ {
-+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
-+ {
-+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
-+ tif->tif_dir.td_nstrips,
-+ &tif->tif_dir.td_stripoffset_p))
-+ {
-+ goto bad;
-+ }
-+ }
-+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
-+ {
-+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
-+ tif->tif_dir.td_nstrips,
-+ &tif->tif_dir.td_stripbytecount_p))
-+ {
-+ goto bad;
-+ }
-+ }
-+ }
-+
- /*
- * Make sure all non-color channels are extrasamples.
- * If it's not the case, define them as such.
---
-2.25.1
-
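Review bot: The `From` line (87881e093691a35c60b91cafed058ba2dd5d9807) and the `Upstream-Status` link (87f580f39011109b3bb5f6eca13fac543a542798) in this file give two different hashes, so the commit message should say which one was checked against 4.4.0. Because the fix only moves the `td_nstrips` setup and the `TIFFFetchStripThing` calls below the OJPEG hack in `TIFFReadDirectory`, searching the new source for the added lines proves nothing; the ordering of those blocks is what needs to be confirmed for CVE-2022-1354.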
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
deleted file mode 100644
index e59f5aad55..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
-From: Su_Laus <sulau@freenet.de>
-Date: Sat, 2 Apr 2022 22:33:31 +0200
-Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
-
-CVE: CVE-2022-1355
-
-Upstream-Status: Backport
-[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- tools/tiffcp.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index fd129bb7..8d944ff6 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -274,19 +274,34 @@ main(int argc, char* argv[])
- deftilewidth = atoi(optarg);
- break;
- case 'B':
-- *mp++ = 'b'; *mp = '\0';
-+ if (strlen(mode) < (sizeof(mode) - 1))
-+ {
-+ *mp++ = 'b'; *mp = '\0';
-+ }
- break;
- case 'L':
-- *mp++ = 'l'; *mp = '\0';
-+ if (strlen(mode) < (sizeof(mode) - 1))
-+ {
-+ *mp++ = 'l'; *mp = '\0';
-+ }
- break;
- case 'M':
-- *mp++ = 'm'; *mp = '\0';
-+ if (strlen(mode) < (sizeof(mode) - 1))
-+ {
-+ *mp++ = 'm'; *mp = '\0';
-+ }
- break;
- case 'C':
-- *mp++ = 'c'; *mp = '\0';
-+ if (strlen(mode) < (sizeof(mode) - 1))
-+ {
-+ *mp++ = 'c'; *mp = '\0';
-+ }
- break;
- case '8':
-- *mp++ = '8'; *mp = '\0';
-+ if (strlen(mode) < (sizeof(mode)-1))
-+ {
-+ *mp++ = '8'; *mp = '\0';
-+ }
- break;
- case 'x':
- pageInSeq = 1;
---
-2.25.1
-
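Review bot: the commit message gives no reason for dropping CVE-2022-1355.patch beyond "Drop all CVE backports for tiff_4.3.0", so nothing in the commit shows that the "strlen(mode) < (sizeof(mode) - 1)" guards on the 'B', 'L', 'M', 'C' and '8' cases are present in the 4.4.0 tarball. The 4.4.0 change list quoted in the reply to this patch includes "tiffcp: avoid buffer overflow in "mode" string (fixes issue #400)", which matches this backport's subject line. Stating in the commit message that the fix ships in the new release would let the removal be checked without opening the upstream tree.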
diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
deleted file mode 100644
index 74f9649fdf..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 6 Feb 2022 13:08:38 +0100
-Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
- source pointer and size of zero (fixes #362)
-
-Upstream-Status: Backport
-CVE: CVE-2022-0561
-
----
- libtiff/tif_dirread.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 23194ced..50ebf8ac 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
- _TIFFfree(data);
- return(0);
- }
-- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
-- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
-+ if( dir->tdir_count )
-+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
-+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
- _TIFFfree(data);
- data=resizeddata;
- }
---
-GitLab
-
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
similarity index 75%
rename from meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
rename to meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
index b5ccd859f3..e30df0b3e9 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -9,22 +9,11 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
- file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
- file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
- file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
- file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \
- file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \
- file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \
- file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \
- file://0005-fix-the-FPE-in-tiffcrop-393.patch \
- file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \
file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
- file://CVE-2022-1354.patch \
- file://CVE-2022-1355.patch \
file://CVE-2022-34526.patch \
"
-SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
+SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
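Review bot: the SRC_URI change removes eleven patch entries but keeps 0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch and CVE-2022-34526.patch without saying why, and the commit message's claim that the update includes fixes for CVE-2022-2867, CVE-2022-2868 and CVE-2022-2869 is not tied to anything in this hunk. Please state in the commit message that the two retained patches are not part of 4.4.0 and still apply to it, name the upstream change that covers each of the three CVEs, and list which removed patch is superseded by which release-note entry so each dropped CVE tag can be checked against the new version.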
--
2.37.3
* [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953
2022-09-29 8:33 [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0 jay.shen.teoh
@ 2022-09-29 8:33 ` jay.shen.teoh
2022-10-19 19:32 ` Qiu, Zheng
2022-09-30 15:58 ` [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0 Steve Sakoman
1 sibling, 1 reply; 8+ messages in thread
From: jay.shen.teoh @ 2022-09-29 8:33 UTC (permalink / raw)
To: openembedded-core
From: Teoh Jay Shen <jay.shen.teoh@intel.com>
Link for the patch: https://gitlab.com/libtiff/libtiff/-/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3
Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
---
.../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
2 files changed, 87 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
new file mode 100644
index 0000000000..2122b46566
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2022-2953
+Upstream-Status: Backport
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
+
+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
+ =?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20ti?=
+ =?UTF-8?q?ffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually?=
+ =?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),=20-?=
+ =?UTF-8?q?Z=20and=20-z.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
+
+This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
+---
+ tools/tiffcrop.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 90286a5e..c3b758ec 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+
+-#define CROP_NONE 0
+-#define CROP_MARGINS 1
+-#define CROP_WIDTH 2
+-#define CROP_LENGTH 4
+-#define CROP_ZONES 8
+-#define CROP_REGIONS 16
++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
++#define CROP_MARGINS 1 /* "-m" */
++#define CROP_WIDTH 2 /* "-X" */
++#define CROP_LENGTH 4 /* "-Y" */
++#define CROP_ZONES 8 /* "-Z" */
++#define CROP_REGIONS 16 /* "-z" */
+ #define CROP_ROTATE 32
+ #define CROP_MIRROR 64
+ #define CROP_INVERT 128
+@@ -316,7 +316,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION 1
+ #define PAGE_MODE_PAPERSIZE 2
+ #define PAGE_MODE_MARGINS 4
+-#define PAGE_MODE_ROWSCOLS 8
++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
+
+ #define INVERT_DATA_ONLY 10
+ #define INVERT_DATA_AND_TAG 11
+@@ -781,7 +781,7 @@ static const char usage_info[] =
+ " The four debug/dump options are independent, though it makes little sense to\n"
+ " specify a dump file without specifying a detail level.\n"
+ "\n"
+-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+ " In no case should the options be applied to a given selection successively.\n"
+ "\n"
+ ;
+@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ /*NOTREACHED*/
+ }
+ }
+- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
+- char XY, Z, R;
++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
++ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+- if ((XY && Z) || (XY && R) || (Z && R)) {
+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
++ S = (page->mode & PAGE_MODE_ROWSCOLS);
++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
+ } /* end process_command_opts */
+--
+2.34.1
+
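Review bot: the provenance of this backport does not line up: the mbox header inside the new file names commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf, the commit message links to 48d6ece8389b01129e7d357f0985c8f938ce3da3, and the "Upstream-Status: Backport" line carries no URL. Please put the upstream commit URL in brackets after "Backport", as the CVE-2022-1355.patch removed in 1/2 does, and make it refer to the commit that was actually taken. The commit message would also benefit from one sentence saying what the fix is, namely that process_command_opts() now adds S = (page->mode & PAGE_MODE_ROWSCOLS) to the mutual-exclusion test and exits when -S is combined with (-X|-Y), -Z or -z.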
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
index e30df0b3e9..caf6f60479 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2953.patch \
"
SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
--
2.37.3
* Re: [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0
2022-09-29 8:33 [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0 jay.shen.teoh
2022-09-29 8:33 ` [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953 jay.shen.teoh
@ 2022-09-30 15:58 ` Steve Sakoman
2022-10-03 21:28 ` Randy MacLeod
2022-10-04 5:09 ` Teoh, Jay Shen
1 sibling, 2 replies; 8+ messages in thread
From: Steve Sakoman @ 2022-09-30 15:58 UTC (permalink / raw)
To: openembedded-core; +Cc: Teoh, Jay Shen
This is a version update with some API changes, so further review
would be appreciated before I can take this.
To help with review, here are the changes in this release:

Software configuration changes

- Handle absolute paths in pkg-config file (issue #333)
- Correct fix for the pkgconf file relative paths.
- cmake: allow running the tests with a read-only source directory.
- cmake: Fix STRIPCHOP_DEFAULT value in CMake builds.
- build: Fix static library imports in mingw related to LERC
- Fix version in libtiff-4.pc.in, and CMake build: Add requirements to pc file
- cmake: Fix build with CMake 3.10.
- cmake: Export tiff targets.
- Make LERC_SUPPORT conditional on ZLIB_SUPPORT

Library changes

New/improved functionalities:

- TIFFIsBigTiff() function added.
- Functions TIFFFieldSetGetSize() and TIFFieldSetGetCountSize() added.
- LZWDecode(): major speed improvements (~30% faster)
- Predictor 2 (horizontal differentiation): support 64-bit
- Support libjpeg 9d

Bug fixes:

- Remove incorrect assert (issue #329)
- avoid hang in TIFFRewriteDirectory() if a classic file > 4 GB is attempted to be created
- tif_jbig.c: fix crash when reading a file with multiple IFD in memory-mapped mode and when bit reversal is needed (fixes issue #385)
- TIFFFetchNormalTag(): avoid calling memcpy() with a null source pointer and size of zero (fixes issue #383)
- TIFFWriteDirectoryTagData(): turn assertion on data length into a runtime check
- TIFFFetchStripThing(): avoid calling memcpy() with a null source pointer and size of zero (fixes issue #362)
- TIFFReadDirectory(): avoid calling memcpy() with a null source pointer and size of zero (fixes issue #362)
- TIFFYCbCrToRGBInit(): avoid Integer-overflow
- TIFFGetField(TIFFTAG_STRIPBYTECOUNTS/TIFFTAG_STRIPOFFSETS): return error if returned pointer is NULL (fixes issue #342)
- OJPEG: avoid assertion when using TIFFReadScanline() (fixes issue #337)
- TIFFReadDirectory(): fix OJPEG hack (fixes issue #319)
- LZW codec: fix support for strips/tiles > 2 GB on Windows
- TIFFAppendToStrip(): fix rewrite-in-place logic (fixes issue #309)
- Fix TIFFRewriteDirectory() discarding directories.
- TIFFReadCustomDirectory(): avoid crash when reading SubjectDistance tag on a non EXIF directory (issue #316)
- Fix Segmentation fault printing GPS directory if Altitude tag is present
- tif_jpeg.c: do not emit progressive scans with mozjpeg. (issue #266)
- _TIFFRewriteField(): fix when writing an IFD with a single tile that is a sparse one, on big endian hosts
- Fix all remaining uses of legacy Deflate compression id and warn on use.

Tools changes

Bug fixes:

- tiffcrop: Fix issue #330 and some more from 320 to 349.
- tiffcrop: fix issue #395: generation of strange section images.
- tiffcrop: fix issue #380 and issue #382 heap buffer overflow in extractImageSection
- tiffcrop: fix FPE (issue #393)
- tiffcrop: buffsize check formula in loadImage() amended (fixes issue #273, issue #275)
- tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting uint32_t underflow.
- tiff2pdf: handle 8-bit palette colormap.
- tiffcp: avoid buffer overflow in "mode" string (fixes issue #400)
- tiffcp: Fix incomprehensible setting of orientation tag (fixes issue #29)
- tiffcp: do not try to fetch compressor-specific tags when not appropriate (fixes issue #396)
- tiffcp: fix heap buffer overflow (issue #278)
- tiff2ps: In limitMalloc() check for negative size (fixes issue #284)
- tiffinfo: add a -M switch to define the maximum heap allocation, and default it to 256 MiB (fixes issue #287, issue #290)
- tiffinfo: limit more memory allocations using -M switch (fixes issue #288)
- tiffset: fix global-buffer-overflow for ASCII tags where count is required (fixes issue #355)
- raw2tiff: check that band number is not zero to avoid floating point exception (fixes issue #338)
- tiffinfo/tiffdump: improve output for GDAL tags.

On Wed, Sep 28, 2022 at 10:33 PM Teoh, Jay Shen <jay.shen.teoh@intel.com> wrote:
>
> From: Teoh Jay Shen <jay.shen.teoh@intel.com>
>
> -Drop all CVE backports for tiff_4.3.0
> -Update include fixes for:
> CVE-2022-2867 [https://bugzilla.redhat.com/show_bug.cgi?id=2118847],
> CVE-2022-2868 [https://bugzilla.redhat.com/show_bug.cgi?id=2118863],
> CVE-2022-2869 [https://bugzilla.redhat.com/show_bug.cgi?id=2118869]
>
> Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
> ---
> ...rash-when-reading-a-file-with-multip.patch | 38 ---
> ...al-buffer-overflow-for-ASCII-tags-wh.patch | 43 ----
> ...ue-380-and-382-heap-buffer-overflow-.patch | 219 ------------------
> ...-for-return-value-of-limitMalloc-392.patch | 93 --------
> ...ag-avoid-calling-memcpy-with-a-null-.patch | 33 ---
> .../0005-fix-the-FPE-in-tiffcrop-393.patch | 36 ---
> ...x-heap-buffer-overflow-in-tiffcp-278.patch | 57 -----
> ...99c99f987dc32ae110370cfdd7df7975586b.patch | 30 ---
> .../libtiff/tiff/CVE-2022-1354.patch | 212 -----------------
> .../libtiff/tiff/CVE-2022-1355.patch | 62 -----
> ...0712f4c3a5b449f70c57988260a667ddbdef.patch | 32 ---
> .../libtiff/{tiff_4.3.0.bb => tiff_4.4.0.bb} | 13 +-
> 12 files changed, 1 insertion(+), 867 deletions(-)
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
> rename meta/recipes-multimedia/libtiff/{tiff_4.3.0.bb => tiff_4.4.0.bb} (75%)
>
> diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
> deleted file mode 100644
> index f1a4ab4251..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
> +++ /dev/null
> @@ -1,38 +0,0 @@
> -CVE: CVE-2022-0865
> -Upstream-Status: Backport
> -Signed-off-by: Ross Burton <ross.burton@arm.com>
> -
> -From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001
> -From: Even Rouault <even.rouault@spatialys.com>
> -Date: Thu, 24 Feb 2022 22:26:02 +0100
> -Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple
> - IFD in memory-mapped mode and when bit reversal is needed (fixes #385)
> -
> ----
> - libtiff/tif_jbig.c | 10 ++++++++++
> - 1 file changed, 10 insertions(+)
> -
> -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
> -index 74086338..8bfa4cef 100644
> ---- a/libtiff/tif_jbig.c
> -+++ b/libtiff/tif_jbig.c
> -@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
> - */
> - tif->tif_flags |= TIFF_NOBITREV;
> - tif->tif_flags &= ~TIFF_MAPPED;
> -+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
> -+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
> -+ * value to be consistent with the state of a non-memory mapped file.
> -+ */
> -+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
> -+ tif->tif_rawdata = NULL;
> -+ tif->tif_rawdatasize = 0;
> -+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
> -+ tif->tif_flags |= TIFF_MYBUFFER;
> -+ }
> -
> - /* Setup the function pointers for encode, decode, and cleanup. */
> - tif->tif_setupdecode = JBIGSetupDecode;
> ---
> -2.25.1
> -
> diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
> deleted file mode 100644
> index 72776f09ba..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
> +++ /dev/null
> @@ -1,43 +0,0 @@
> -CVE: CVE-2022-22844
> -Upstream-Status: Backport
> -Signed-off-by: Ross Burton <ross.burton@arm.com>
> -
> -From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
> -From: 4ugustus <wangdw.augustus@qq.com>
> -Date: Tue, 25 Jan 2022 16:25:28 +0000
> -Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
> - count is required (fixes #355)
> -
> ----
> - tools/tiffset.c | 16 +++++++++++++---
> - 1 file changed, 13 insertions(+), 3 deletions(-)
> -
> -diff --git a/tools/tiffset.c b/tools/tiffset.c
> -index 8c9e23c5..e7a88c09 100644
> ---- a/tools/tiffset.c
> -+++ b/tools/tiffset.c
> -@@ -146,9 +146,19 @@ main(int argc, char* argv[])
> -
> - arg_index++;
> - if (TIFFFieldDataType(fip) == TIFF_ASCII) {
> -- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
> -- fprintf( stderr, "Failed to set %s=%s\n",
> -- TIFFFieldName(fip), argv[arg_index] );
> -+ if(TIFFFieldPassCount( fip )) {
> -+ size_t len;
> -+ len = strlen(argv[arg_index]) + 1;
> -+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
> -+ (uint16_t)len, argv[arg_index]) != 1)
> -+ fprintf( stderr, "Failed to set %s=%s\n",
> -+ TIFFFieldName(fip), argv[arg_index] );
> -+ } else {
> -+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
> -+ argv[arg_index]) != 1)
> -+ fprintf( stderr, "Failed to set %s=%s\n",
> -+ TIFFFieldName(fip), argv[arg_index] );
> -+ }
> - } else if (TIFFFieldWriteCount(fip) > 0
> - || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
> - int ret = 1;
> ---
> -2.25.1
> diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
> deleted file mode 100644
> index 812ffb232d..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
> +++ /dev/null
> @@ -1,219 +0,0 @@
> -CVE: CVE-2022-0891
> -CVE: CVE-2022-1056
> -Upstream-Status: Backport
> -Signed-off-by: Ross Burton <ross.burton@arm.com>
> -
> -From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001
> -From: Su Laus <sulau@freenet.de>
> -Date: Tue, 8 Mar 2022 17:02:44 +0000
> -Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in
> - extractImageSection
> -
> ----
> - tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
> - 1 file changed, 36 insertions(+), 56 deletions(-)
> -
> -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
> -index b85c2ce7..302a7e91 100644
> ---- a/tools/tiffcrop.c
> -+++ b/tools/tiffcrop.c
> -@@ -105,8 +105,8 @@
> - * of messages to monitor progress without enabling dump logs.
> - */
> -
> --static char tiffcrop_version_id[] = "2.4";
> --static char tiffcrop_rev_date[] = "12-13-2010";
> -+static char tiffcrop_version_id[] = "2.4.1";
> -+static char tiffcrop_rev_date[] = "03-03-2010";
> -
> - #include "tif_config.h"
> - #include "libport.h"
> -@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> - #ifdef DEVELMODE
> - uint32_t img_length;
> - #endif
> -- uint32_t j, shift1, shift2, trailing_bits;
> -+ uint32_t j, shift1, trailing_bits;
> - uint32_t row, first_row, last_row, first_col, last_col;
> - uint32_t src_offset, dst_offset, row_offset, col_offset;
> -- uint32_t offset1, offset2, full_bytes;
> -+ uint32_t offset1, full_bytes;
> - uint32_t sect_width;
> - #ifdef DEVELMODE
> - uint32_t sect_length;
> -@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> - #ifdef DEVELMODE
> - int k;
> - unsigned char bitset;
> -- static char *bitarray = NULL;
> - #endif
> -
> - img_width = image->width;
> -@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> - dst_offset = 0;
> -
> - #ifdef DEVELMODE
> -- if (bitarray == NULL)
> -- {
> -- if ((bitarray = (char *)malloc(img_width)) == NULL)
> -- {
> -- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
> -- return (-1);
> -- }
> -- }
> -+ char bitarray[39];
> - #endif
> -
> -- /* rows, columns, width, length are expressed in pixels */
> -+ /* rows, columns, width, length are expressed in pixels
> -+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
> -+ * last_col shall be also extracted. */
> - first_row = section->y1;
> - last_row = section->y2;
> - first_col = section->x1;
> -@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> - #ifdef DEVELMODE
> - sect_length = last_row - first_row + 1;
> - #endif
> -- img_rowsize = ((img_width * bps + 7) / 8) * spp;
> -- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
> -- trailing_bits = (sect_width * bps) % 8;
> -+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
> -+ * samples rather than separate planes so the same logic works to extract regions
> -+ * regardless of the way the data are organized in the input file.
> -+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
> -+ */
> -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
> -+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
> -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
> -
> - #ifdef DEVELMODE
> - TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
> -@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> -
> - if ((bps % 8) == 0)
> - {
> -- col_offset = first_col * spp * bps / 8;
> -+ col_offset = (first_col * spp * bps) / 8;
> - for (row = first_row; row <= last_row; row++)
> - {
> -- /* row_offset = row * img_width * spp * bps / 8; */
> - row_offset = row * img_rowsize;
> - src_offset = row_offset + col_offset;
> -
> -@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> - }
> - else
> - { /* bps != 8 */
> -- shift1 = spp * ((first_col * bps) % 8);
> -- shift2 = spp * ((last_col * bps) % 8);
> -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
> - for (row = first_row; row <= last_row; row++)
> - {
> - /* pull out the first byte */
> - row_offset = row * img_rowsize;
> -- offset1 = row_offset + (first_col * bps / 8);
> -- offset2 = row_offset + (last_col * bps / 8);
> -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
> -
> - #ifdef DEVELMODE
> - for (j = 0, k = 7; j < 8; j++, k--)
> -@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> - sprintf(&bitarray[9], " ");
> - for (j = 10, k = 7; j < 18; j++, k--)
> - {
> -- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
> -+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
> - sprintf(&bitarray[j], (bitset) ? "1" : "0");
> - }
> - bitarray[18] = '\0';
> -- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
> -- row, offset1, shift1, offset2, shift2);
> -+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
> -+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
> - #endif
> -
> - bytebuff1 = bytebuff2 = 0;
> -@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> -
> - if (trailing_bits != 0)
> - {
> -- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
> -+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
> -+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
> - sect_buff[dst_offset] = bytebuff2;
> - #ifdef DEVELMODE
> - TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
> -- offset2, dst_offset);
> -+ offset1 + full_bytes, dst_offset);
> - for (j = 30, k = 7; j < 38; j++, k--)
> - {
> - bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
> -@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> - #endif
> - for (j = 0; j <= full_bytes; j++)
> - {
> -- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
> -- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
> -+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
> -+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
> -+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
> -+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
> - sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
> - }
> - #ifdef DEVELMODE
> -@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
> - #endif
> - dst_offset += full_bytes;
> -
> -+ /* Copy the trailing_bits for the last byte in the destination buffer.
> -+ Could come from one ore two bytes of the source buffer. */
> - if (trailing_bits != 0)
> - {
> - #ifdef DEVELMODE
> -- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
> --#endif
> -- if (shift2 > shift1)
> -- {
> -- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
> -- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
> -- sect_buff[dst_offset] = bytebuff2;
> --#ifdef DEVELMODE
> -- TIFFError ("", " Shift2 > Shift1\n");
> -+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
> - #endif
> -+ /* More than necessary bits are already copied into last destination buffer,
> -+ * only masking of last byte in destination buffer is necessary.*/
> -+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
> - }
> -- else
> -- {
> -- if (shift2 < shift1)
> -- {
> -- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
> -- sect_buff[dst_offset] &= bytebuff2;
> --#ifdef DEVELMODE
> -- TIFFError ("", " Shift2 < Shift1\n");
> --#endif
> -- }
> --#ifdef DEVELMODE
> -- else
> -- TIFFError ("", " Shift2 == Shift1\n");
> --#endif
> -- }
> -- }
> - #ifdef DEVELMODE
> - sprintf(&bitarray[28], " ");
> - sprintf(&bitarray[29], " ");
> -@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
> - width = sections[i].x2 - sections[i].x1 + 1;
> - length = sections[i].y2 - sections[i].y1 + 1;
> - sectsize = (uint32_t)
> -- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
> -+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
> - /* allocate a buffer if we don't have one already */
> - if (createImageSection(sectsize, sect_buff_ptr))
> - {
> ---
> -2.25.1
> -
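Review bot: this deleted file carries two tags at its top, CVE: CVE-2022-0891 and CVE: CVE-2022-1056, so removing it drops the record for both at once and the commit message does not mention either. The change list above has an entry for the heap buffer overflow in extractImageSection (issues #380 and #382), which matches the subject of this backport. Please name both CVE ids in the commit message next to that entry so that each one can be checked against 4.4.0 separately.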
> diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
> deleted file mode 100644
> index a0b856b9e1..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
> +++ /dev/null
> @@ -1,93 +0,0 @@
> -CVE: CVE-2022-0907
> -Upstream-Status: Backport
> -Signed-off-by: Ross Burton <ross.burton@arm.com>
> -
> -From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001
> -From: Augustus <wangdw.augustus@qq.com>
> -Date: Mon, 7 Mar 2022 18:21:49 +0800
> -Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392)
> -
> ----
> - tools/tiffcrop.c | 33 +++++++++++++++++++++------------
> - 1 file changed, 21 insertions(+), 12 deletions(-)
> -
> -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
> -index 302a7e91..e407bf51 100644
> ---- a/tools/tiffcrop.c
> -+++ b/tools/tiffcrop.c
> -@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
> - if (!sect_buff)
> - {
> - sect_buff = (unsigned char *)limitMalloc(sectsize);
> -- *sect_buff_ptr = sect_buff;
> -+ if (!sect_buff)
> -+ {
> -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
> -+ return (-1);
> -+ }
> - _TIFFmemset(sect_buff, 0, sectsize);
> - }
> - else
> -@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
> - else
> - sect_buff = new_buff;
> -
> -+ if (!sect_buff)
> -+ {
> -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
> -+ return (-1);
> -+ }
> - _TIFFmemset(sect_buff, 0, sectsize);
> - }
> - }
> -
> -- if (!sect_buff)
> -- {
> -- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
> -- return (-1);
> -- }
> - prev_sectsize = sectsize;
> - *sect_buff_ptr = sect_buff;
> -
> -@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
> - if (!crop_buff)
> - {
> - crop_buff = (unsigned char *)limitMalloc(cropsize);
> -- *crop_buff_ptr = crop_buff;
> -+ if (!crop_buff)
> -+ {
> -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
> -+ return (-1);
> -+ }
> - _TIFFmemset(crop_buff, 0, cropsize);
> - prev_cropsize = cropsize;
> - }
> -@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
> - }
> - else
> - crop_buff = new_buff;
> -+ if (!crop_buff)
> -+ {
> -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
> -+ return (-1);
> -+ }
> - _TIFFmemset(crop_buff, 0, cropsize);
> - }
> - }
> -
> -- if (!crop_buff)
> -- {
> -- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
> -- return (-1);
> -- }
> - *crop_buff_ptr = crop_buff;
> -
> - if (crop->crop_mode & CROP_INVERT)
> -@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
> - * fill-column: 78
> - * End:
> - */
> -+
> ---
> -2.25.1
> -
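Review bot: Dropping this backport (CVE-2022-0907, upstream #392) needs an explicit check that tiff 4.4.0 carries the limitMalloc() NULL checks in createImageSection() and createCroppedImage(). The 4.4.0 change list quoted in this thread names the other removed tiffcrop and tiffcp fixes by issue number (#380/#382, #393, #278, #400) but has no entry for #392. Please confirm against tools/tiffcrop.c in the 4.4.0 sources and record the result in the commit message, so the CVE is not silently reopened on kirkstone.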
> diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
> deleted file mode 100644
> index 719dabaecc..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -CVE: CVE-2022-0908
> -Upstream-Status: Backport
> -Signed-off-by: Ross Burton <ross.burton@arm.com>
> -
> -From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001
> -From: Even Rouault <even.rouault@spatialys.com>
> -Date: Thu, 17 Feb 2022 15:28:43 +0100
> -Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null
> - source pointer and size of zero (fixes #383)
> -
> ----
> - libtiff/tif_dirread.c | 5 ++++-
> - 1 file changed, 4 insertions(+), 1 deletion(-)
> -
> -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
> -index d84147a0..4e8ce729 100644
> ---- a/libtiff/tif_dirread.c
> -+++ b/libtiff/tif_dirread.c
> -@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
> - _TIFFfree(data);
> - return(0);
> - }
> -- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
> -+ if (dp->tdir_count > 0 )
> -+ {
> -+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
> -+ }
> - o[(uint32_t)dp->tdir_count]=0;
> - if (data!=0)
> - _TIFFfree(data);
> ---
> -2.25.1
> -
> diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
> deleted file mode 100644
> index 64dbe9ef92..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
> +++ /dev/null
> @@ -1,36 +0,0 @@
> -CVE: CVE-2022-0909
> -Upstream-Status: Backport
> -Signed-off-by: Ross Burton <ross.burton@arm.com>
> -
> -From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001
> -From: 4ugustus <wangdw.augustus@qq.com>
> -Date: Tue, 8 Mar 2022 16:22:04 +0000
> -Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393)
> -
> ----
> - libtiff/tif_dir.c | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
> -index a6c254fc..77da6ea4 100644
> ---- a/libtiff/tif_dir.c
> -+++ b/libtiff/tif_dir.c
> -@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
> - break;
> - case TIFFTAG_XRESOLUTION:
> - dblval = va_arg(ap, double);
> -- if( dblval < 0 )
> -+ if( dblval != dblval || dblval < 0 )
> - goto badvaluedouble;
> - td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
> - break;
> - case TIFFTAG_YRESOLUTION:
> - dblval = va_arg(ap, double);
> -- if( dblval < 0 )
> -+ if( dblval != dblval || dblval < 0 )
> - goto badvaluedouble;
> - td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
> - break;
> ---
> -2.25.1
> -
> diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
> deleted file mode 100644
> index afd5e59960..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
> +++ /dev/null
> @@ -1,57 +0,0 @@
> -CVE: CVE-2022-0924
> -Upstream-Status: Backport
> -Signed-off-by: Ross Burton <ross.burton@arm.com>
> -
> -From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001
> -From: 4ugustus <wangdw.augustus@qq.com>
> -Date: Thu, 10 Mar 2022 08:48:00 +0000
> -Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278)
> -
> ----
> - tools/tiffcp.c | 17 ++++++++++++++++-
> - 1 file changed, 16 insertions(+), 1 deletion(-)
> -
> -diff --git a/tools/tiffcp.c b/tools/tiffcp.c
> -index 1f889516..552d8fad 100644
> ---- a/tools/tiffcp.c
> -+++ b/tools/tiffcp.c
> -@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
> - tdata_t obuf;
> - tstrip_t strip = 0;
> - tsample_t s;
> -+ uint16_t bps = 0, bytes_per_sample;
> -
> - obuf = limitMalloc(stripsize);
> - if (obuf == NULL)
> - return (0);
> - _TIFFmemset(obuf, 0, stripsize);
> - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
> -+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
> -+ if( bps == 0 )
> -+ {
> -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
> -+ _TIFFfree(obuf);
> -+ return 0;
> -+ }
> -+ if( (bps % 8) != 0 )
> -+ {
> -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
> -+ _TIFFfree(obuf);
> -+ return 0;
> -+ }
> -+ bytes_per_sample = bps/8;
> - for (s = 0; s < spp; s++) {
> - uint32_t row;
> - for (row = 0; row < imagelength; row += rowsperstrip) {
> -@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
> -
> - cpContigBufToSeparateBuf(
> - obuf, (uint8_t*) buf + row * rowsize + s,
> -- nrows, imagewidth, 0, 0, spp, 1);
> -+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
> - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
> - TIFFError(TIFFFileName(out),
> - "Error, can't write strip %"PRIu32,
> ---
> -2.25.1
> -
> diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
> deleted file mode 100644
> index 0b41dde606..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
> +++ /dev/null
> @@ -1,30 +0,0 @@
> -From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
> -From: Even Rouault <even.rouault@spatialys.com>
> -Date: Sat, 5 Feb 2022 20:36:41 +0100
> -Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
> - source pointer and size of zero (fixes #362)
> -
> -Upstream-Status: Backport
> -CVE: CVE-2022-0562
> -
> ----
> - libtiff/tif_dirread.c | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
> -index 2bbc4585..23194ced 100644
> ---- a/libtiff/tif_dirread.c
> -+++ b/libtiff/tif_dirread.c
> -@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
> - goto bad;
> - }
> -
> -- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
> -+ if (old_extrasamples > 0)
> -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
> - _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
> - _TIFFfree(new_sampleinfo);
> - }
> ---
> -GitLab
> -
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
> deleted file mode 100644
> index 71b85cac10..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
> +++ /dev/null
> @@ -1,212 +0,0 @@
> -From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
> -From: Even Rouault <even.rouault@spatialys.com>
> -Date: Sun, 5 Dec 2021 14:37:46 +0100
> -Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
> -
> -to avoid having the size of the strip arrays inconsistent with the
> -number of strips returned by TIFFNumberOfStrips(), which may cause
> -out-ouf-bounds array read afterwards.
> -
> -One of the OJPEG hack that alters SamplesPerPixel may influence the
> -number of strips. Hence compute tif_dir.td_nstrips only afterwards.
> -
> -CVE: CVE-2022-1354
> -
> -Upstream-Status: Backport
> -[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
> -
> -Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ----
> - libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
> - 1 file changed, 83 insertions(+), 79 deletions(-)
> -
> -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
> -index 8f434ef5..14c031d1 100644
> ---- a/libtiff/tif_dirread.c
> -+++ b/libtiff/tif_dirread.c
> -@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
> - MissingRequired(tif,"ImageLength");
> - goto bad;
> - }
> -- /*
> -- * Setup appropriate structures (by strip or by tile)
> -- */
> -- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
> -- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
> -- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
> -- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
> -- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
> -- tif->tif_flags &= ~TIFF_ISTILED;
> -- } else {
> -- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
> -- tif->tif_flags |= TIFF_ISTILED;
> -- }
> -- if (!tif->tif_dir.td_nstrips) {
> -- TIFFErrorExt(tif->tif_clientdata, module,
> -- "Cannot handle zero number of %s",
> -- isTiled(tif) ? "tiles" : "strips");
> -- goto bad;
> -- }
> -- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
> -- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
> -- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
> -- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
> --#ifdef OJPEG_SUPPORT
> -- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
> -- (isTiled(tif)==0) &&
> -- (tif->tif_dir.td_nstrips==1)) {
> -- /*
> -- * XXX: OJPEG hack.
> -- * If a) compression is OJPEG, b) it's not a tiled TIFF,
> -- * and c) the number of strips is 1,
> -- * then we tolerate the absence of stripoffsets tag,
> -- * because, presumably, all required data is in the
> -- * JpegInterchangeFormat stream.
> -- */
> -- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
> -- } else
> --#endif
> -- {
> -- MissingRequired(tif,
> -- isTiled(tif) ? "TileOffsets" : "StripOffsets");
> -- goto bad;
> -- }
> -- }
> -+
> - /*
> - * Second pass: extract other information.
> - */
> -@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
> - } /* -- if (!dp->tdir_ignore) */
> - } /* -- for-loop -- */
> -
> -- if( tif->tif_mode == O_RDWR &&
> -- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
> -- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
> -- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
> -- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
> -- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
> -- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
> -- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
> -- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
> -- {
> -- /* Directory typically created with TIFFDeferStrileArrayWriting() */
> -- TIFFSetupStrips(tif);
> -- }
> -- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
> -- {
> -- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
> -- {
> -- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
> -- tif->tif_dir.td_nstrips,
> -- &tif->tif_dir.td_stripoffset_p))
> -- {
> -- goto bad;
> -- }
> -- }
> -- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
> -- {
> -- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
> -- tif->tif_dir.td_nstrips,
> -- &tif->tif_dir.td_stripbytecount_p))
> -- {
> -- goto bad;
> -- }
> -- }
> -- }
> --
> - /*
> - * OJPEG hack:
> - * - If a) compression is OJPEG, and b) photometric tag is missing,
> -@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
> - }
> - }
> -
> -+ /*
> -+ * Setup appropriate structures (by strip or by tile)
> -+ * We do that only after the above OJPEG hack which alters SamplesPerPixel
> -+ * and thus influences the number of strips in the separate planarconfig.
> -+ */
> -+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
> -+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
> -+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
> -+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
> -+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
> -+ tif->tif_flags &= ~TIFF_ISTILED;
> -+ } else {
> -+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
> -+ tif->tif_flags |= TIFF_ISTILED;
> -+ }
> -+ if (!tif->tif_dir.td_nstrips) {
> -+ TIFFErrorExt(tif->tif_clientdata, module,
> -+ "Cannot handle zero number of %s",
> -+ isTiled(tif) ? "tiles" : "strips");
> -+ goto bad;
> -+ }
> -+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
> -+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
> -+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
> -+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
> -+#ifdef OJPEG_SUPPORT
> -+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
> -+ (isTiled(tif)==0) &&
> -+ (tif->tif_dir.td_nstrips==1)) {
> -+ /*
> -+ * XXX: OJPEG hack.
> -+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
> -+ * and c) the number of strips is 1,
> -+ * then we tolerate the absence of stripoffsets tag,
> -+ * because, presumably, all required data is in the
> -+ * JpegInterchangeFormat stream.
> -+ */
> -+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
> -+ } else
> -+#endif
> -+ {
> -+ MissingRequired(tif,
> -+ isTiled(tif) ? "TileOffsets" : "StripOffsets");
> -+ goto bad;
> -+ }
> -+ }
> -+
> -+ if( tif->tif_mode == O_RDWR &&
> -+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
> -+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
> -+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
> -+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
> -+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
> -+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
> -+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
> -+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
> -+ {
> -+ /* Directory typically created with TIFFDeferStrileArrayWriting() */
> -+ TIFFSetupStrips(tif);
> -+ }
> -+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
> -+ {
> -+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
> -+ {
> -+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
> -+ tif->tif_dir.td_nstrips,
> -+ &tif->tif_dir.td_stripoffset_p))
> -+ {
> -+ goto bad;
> -+ }
> -+ }
> -+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
> -+ {
> -+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
> -+ tif->tif_dir.td_nstrips,
> -+ &tif->tif_dir.td_stripbytecount_p))
> -+ {
> -+ goto bad;
> -+ }
> -+ }
> -+ }
> -+
> - /*
> - * Make sure all non-color channels are extrasamples.
> - * If it's not the case, define them as such.
> ---
> -2.25.1
> -
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
> deleted file mode 100644
> index e59f5aad55..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
> +++ /dev/null
> @@ -1,62 +0,0 @@
> -From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
> -From: Su_Laus <sulau@freenet.de>
> -Date: Sat, 2 Apr 2022 22:33:31 +0200
> -Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
> -
> -CVE: CVE-2022-1355
> -
> -Upstream-Status: Backport
> -[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
> -
> -Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ----
> - tools/tiffcp.c | 25 ++++++++++++++++++++-----
> - 1 file changed, 20 insertions(+), 5 deletions(-)
> -
> -diff --git a/tools/tiffcp.c b/tools/tiffcp.c
> -index fd129bb7..8d944ff6 100644
> ---- a/tools/tiffcp.c
> -+++ b/tools/tiffcp.c
> -@@ -274,19 +274,34 @@ main(int argc, char* argv[])
> - deftilewidth = atoi(optarg);
> - break;
> - case 'B':
> -- *mp++ = 'b'; *mp = '\0';
> -+ if (strlen(mode) < (sizeof(mode) - 1))
> -+ {
> -+ *mp++ = 'b'; *mp = '\0';
> -+ }
> - break;
> - case 'L':
> -- *mp++ = 'l'; *mp = '\0';
> -+ if (strlen(mode) < (sizeof(mode) - 1))
> -+ {
> -+ *mp++ = 'l'; *mp = '\0';
> -+ }
> - break;
> - case 'M':
> -- *mp++ = 'm'; *mp = '\0';
> -+ if (strlen(mode) < (sizeof(mode) - 1))
> -+ {
> -+ *mp++ = 'm'; *mp = '\0';
> -+ }
> - break;
> - case 'C':
> -- *mp++ = 'c'; *mp = '\0';
> -+ if (strlen(mode) < (sizeof(mode) - 1))
> -+ {
> -+ *mp++ = 'c'; *mp = '\0';
> -+ }
> - break;
> - case '8':
> -- *mp++ = '8'; *mp = '\0';
> -+ if (strlen(mode) < (sizeof(mode)-1))
> -+ {
> -+ *mp++ = '8'; *mp = '\0';
> -+ }
> - break;
> - case 'x':
> - pageInSeq = 1;
> ---
> -2.25.1
> -
> diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
> deleted file mode 100644
> index 74f9649fdf..0000000000
> --- a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
> +++ /dev/null
> @@ -1,32 +0,0 @@
> -From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
> -From: Even Rouault <even.rouault@spatialys.com>
> -Date: Sun, 6 Feb 2022 13:08:38 +0100
> -Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
> - source pointer and size of zero (fixes #362)
> -
> -Upstream-Status: Backport
> -CVE: CVE-2022-0561
> -
> ----
> - libtiff/tif_dirread.c | 5 +++--
> - 1 file changed, 3 insertions(+), 2 deletions(-)
> -
> -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
> -index 23194ced..50ebf8ac 100644
> ---- a/libtiff/tif_dirread.c
> -+++ b/libtiff/tif_dirread.c
> -@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
> - _TIFFfree(data);
> - return(0);
> - }
> -- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
> -- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
> -+ if( dir->tdir_count )
> -+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
> -+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
> - _TIFFfree(data);
> - data=resizeddata;
> - }
> ---
> -GitLab
> -
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> similarity index 75%
> rename from meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> rename to meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> index b5ccd859f3..e30df0b3e9 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> @@ -9,22 +9,11 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
> CVE_PRODUCT = "libtiff"
>
> SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
> - file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
> - file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
> - file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
> - file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \
> - file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \
> - file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \
> - file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \
> - file://0005-fix-the-FPE-in-tiffcrop-393.patch \
> - file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \
> file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
> - file://CVE-2022-1354.patch \
> - file://CVE-2022-1355.patch \
> file://CVE-2022-34526.patch \
> "
>
> -SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
> +SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
>
> # exclude betas
> UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
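Review bot: The commit message says the update includes fixes for CVE-2022-2867, CVE-2022-2868 and CVE-2022-2869, but this SRC_URI hunk only removes patches and changes SRC_URI[sha256sum]; nothing here shows what covers those three CVEs. Please state in the commit message whether they are fixed in the 4.4.0 sources themselves or by one of the two retained patches (0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch, CVE-2022-34526.patch), and confirm that both retained patches were re-checked against 4.4.0 rather than carried over unchanged from the 4.3.0 recipe.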
> --
> 2.37.3
>
* Re: [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0
2022-09-30 15:58 ` [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0 Steve Sakoman
@ 2022-10-03 21:28 ` Randy MacLeod
2022-10-04 5:09 ` Teoh, Jay Shen
1 sibling, 0 replies; 8+ messages in thread
From: Randy MacLeod @ 2022-10-03 21:28 UTC (permalink / raw)
To: Steve Sakoman, openembedded-core; +Cc: Teoh, Jay Shen, zheng.qiu
From a quick look, this update seems like it extends existing APIs
to support 64 bit tiff files by adding new functions rather
than changing the existing ABI.
I won't be able to do a detailed analysis until later this week.
It would be nice if we had an easy way to run:
https://lvc.github.io/abi-compliance-checker/
I may check that out.
All for now,
../Randy
On 2022-09-30 11:58, Steve Sakoman wrote:
> This is a version update with some API changes, so further review
> would be appreciated before I can take this.
>
> To help with review, here are the changes in this release:
>
> Software configuration changes
>
> Handle absolute paths in pkg-config file (issue #333)
> Correct fix for the pkgconf file relative paths.
> cmake: allow running the tests with a read-only source directory.
> cmake: Fix STRIPCHOP_DEFAULT value in CMake builds.
> build: Fix static library imports in mingw related to LERC
> Fix version in libtiff-4.pc.in, and CMake build: Add requirements to pc file
> cmake: Fix build with CMake 3.10.
> cmake: Export tiff targets.
> Make LERC_SUPPORT conditional on ZLIB_SUPPORT
>
> Library changes
>
> New/improved functionalities:
>
> TIFFIsBigTiff() function added.
> Functions TIFFFieldSetGetSize() and TIFFieldSetGetCountSize() added.
> LZWDecode(): major speed improvements (~30% faster)
> Predictor 2 (horizontal differentiation): support 64-bit
> Support libjpeg 9d
>
> Bug fixes:
>
> Remove incorrect assert (issue #329)
> avoid hang in TIFFRewriteDirectory() if a classic file > 4 GB is
> attempted to be created
> tif_jbig.c: fix crash when reading a file with multiple IFD in
> memory-mapped mode and when bit reversal is needed (fixes issue #385)
> TIFFFetchNormalTag(): avoid calling memcpy() with a null source
> pointer and size of zero (fixes issue #383)
> TIFFWriteDirectoryTagData(): turn assertion on data length into a runtime check
> TIFFFetchStripThing(): avoid calling memcpy() with a null source
> pointer and size of zero (fixes issue #362)
> TIFFReadDirectory(): avoid calling memcpy() with a null source pointer
> and size of zero (fixes issue #362)
> TIFFYCbCrToRGBInit(): avoid Integer-overflow
> TIFFGetField(TIFFTAG_STRIPBYTECOUNTS/TIFFTAG_STRIPOFFSETS): return
> error if returned pointer is NULL (fixes issue #342)
> OJPEG: avoid assertion when using TIFFReadScanline() (fixes issue #337)
> TIFFReadDirectory(): fix OJPEG hack (fixes issue #319)
> LZW codec: fix support for strips/tiles > 2 GB on Windows
> TIFFAppendToStrip(): fix rewrite-in-place logic (fixes issue #309)
> Fix TIFFRewriteDirectory() discarding directories.
> TIFFReadCustomDirectory(): avoid crash when reading SubjectDistance
> tag on a non EXIF directory (issue #316)
> Fix Segmentation fault printing GPS directory if Altitude tag is present
> tif_jpeg.c: do not emit progressive scans with mozjpeg. (issue #266)
> _TIFFRewriteField(): fix when writing a IFD with a single tile that is
> a sparse one, on big endian hosts
> Fix all remaining uses of legacy Deflate compression id and warn on use.
>
> Tools changes
>
> Bug fixes:
>
> tiffcrop: Fix issue #330 and some more from 320 to 349.
> tiffcrop: fix issue #395: generation of strange section images.
> tiffcrop: fix issue #380 and issue #382 heap buffer overflow in
> extractImageSection
> tiffcrop: fix FPE (issue #393)
> tiffcrop: buffsize check formula in loadImage() amended (fixes issue
> #273, issue #275)
> tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
> uint32_t underflow.
> tiff2pdf: handle 8-bit palette colormap.
> tiffcp: avoid buffer overflow in "mode" string (fixes issue #400)
> tiffcp: Fix incomprehensible setting of orientation tag (fixes issue #29)
> tiffcp: do not try to fetch compressor-specific tags when not
> appropriate (fixes issue #396)
> tiffcp: fix heap buffer overflow (issue #278)
> tiff2ps: In limitMalloc() check for negative size (fixes issue #284)
> tiffinfo: add a -M switch to define the maximum heap allocation, and
> default it to 256 MiB (fixes issue #287, issue #290)
> tiffinfo: limit more memory allocations using -M switch (fixes issue #288)
> tiffset: fix global-buffer-overflow for ASCII tags where count is
> required (fixes issue #355)
> raw2tiff: check that band number is not zero to avoid floating point
> exception (fixes issue #338)
> tiffinfo/tiffdump: improve output for GDAL tags.
>
> On Wed, Sep 28, 2022 at 10:33 PM Teoh, Jay Shen <jay.shen.teoh@intel.com> wrote:
>>
>> From: Teoh Jay Shen <jay.shen.teoh@intel.com>
>>
>> -Drop all CVE backports for tiff_4.3.0
>> -Update include fixes for:
>> CVE-2022-2867 [https://bugzilla.redhat.com/show_bug.cgi?id=2118847],
>> CVE-2022-2868 [https://bugzilla.redhat.com/show_bug.cgi?id=2118863],
>> CVE-2022-2869 [https://bugzilla.redhat.com/show_bug.cgi?id=2118869]
>>
>> Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
>> ---
>> ...rash-when-reading-a-file-with-multip.patch | 38 ---
>> ...al-buffer-overflow-for-ASCII-tags-wh.patch | 43 ----
>> ...ue-380-and-382-heap-buffer-overflow-.patch | 219 ------------------
>> ...-for-return-value-of-limitMalloc-392.patch | 93 --------
>> ...ag-avoid-calling-memcpy-with-a-null-.patch | 33 ---
>> .../0005-fix-the-FPE-in-tiffcrop-393.patch | 36 ---
>> ...x-heap-buffer-overflow-in-tiffcp-278.patch | 57 -----
>> ...99c99f987dc32ae110370cfdd7df7975586b.patch | 30 ---
>> .../libtiff/tiff/CVE-2022-1354.patch | 212 -----------------
>> .../libtiff/tiff/CVE-2022-1355.patch | 62 -----
>> ...0712f4c3a5b449f70c57988260a667ddbdef.patch | 32 ---
>> .../libtiff/{tiff_4.3.0.bb => tiff_4.4.0.bb} | 13 +-
>> 12 files changed, 1 insertion(+), 867 deletions(-)
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
>> delete mode 100644 meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
>> rename meta/recipes-multimedia/libtiff/{tiff_4.3.0.bb => tiff_4.4.0.bb} (75%)
>>
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
>> deleted file mode 100644
>> index f1a4ab4251..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
>> +++ /dev/null
>> @@ -1,38 +0,0 @@
>> -CVE: CVE-2022-0865
>> -Upstream-Status: Backport
>> -Signed-off-by: Ross Burton <ross.burton@arm.com>
>> -
>> -From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001
>> -From: Even Rouault <even.rouault@spatialys.com>
>> -Date: Thu, 24 Feb 2022 22:26:02 +0100
>> -Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple
>> - IFD in memory-mapped mode and when bit reversal is needed (fixes #385)
>> -
>> ----
>> - libtiff/tif_jbig.c | 10 ++++++++++
>> - 1 file changed, 10 insertions(+)
>> -
>> -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
>> -index 74086338..8bfa4cef 100644
>> ---- a/libtiff/tif_jbig.c
>> -+++ b/libtiff/tif_jbig.c
>> -@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
>> - */
>> - tif->tif_flags |= TIFF_NOBITREV;
>> - tif->tif_flags &= ~TIFF_MAPPED;
>> -+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
>> -+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
>> -+ * value to be consistent with the state of a non-memory mapped file.
>> -+ */
>> -+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
>> -+ tif->tif_rawdata = NULL;
>> -+ tif->tif_rawdatasize = 0;
>> -+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
>> -+ tif->tif_flags |= TIFF_MYBUFFER;
>> -+ }
>> -
>> - /* Setup the function pointers for encode, decode, and cleanup. */
>> - tif->tif_setupdecode = JBIGSetupDecode;
>> ---
>> -2.25.1
>> -
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
>> deleted file mode 100644
>> index 72776f09ba..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
>> +++ /dev/null
>> @@ -1,43 +0,0 @@
>> -CVE: CVE-2022-22844
>> -Upstream-Status: Backport
>> -Signed-off-by: Ross Burton <ross.burton@arm.com>
>> -
>> -From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
>> -From: 4ugustus <wangdw.augustus@qq.com>
>> -Date: Tue, 25 Jan 2022 16:25:28 +0000
>> -Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
>> - count is required (fixes #355)
>> -
>> ----
>> - tools/tiffset.c | 16 +++++++++++++---
>> - 1 file changed, 13 insertions(+), 3 deletions(-)
>> -
>> -diff --git a/tools/tiffset.c b/tools/tiffset.c
>> -index 8c9e23c5..e7a88c09 100644
>> ---- a/tools/tiffset.c
>> -+++ b/tools/tiffset.c
>> -@@ -146,9 +146,19 @@ main(int argc, char* argv[])
>> -
>> - arg_index++;
>> - if (TIFFFieldDataType(fip) == TIFF_ASCII) {
>> -- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
>> -- fprintf( stderr, "Failed to set %s=%s\n",
>> -- TIFFFieldName(fip), argv[arg_index] );
>> -+ if(TIFFFieldPassCount( fip )) {
>> -+ size_t len;
>> -+ len = strlen(argv[arg_index]) + 1;
>> -+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
>> -+ (uint16_t)len, argv[arg_index]) != 1)
>> -+ fprintf( stderr, "Failed to set %s=%s\n",
>> -+ TIFFFieldName(fip), argv[arg_index] );
>> -+ } else {
>> -+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
>> -+ argv[arg_index]) != 1)
>> -+ fprintf( stderr, "Failed to set %s=%s\n",
>> -+ TIFFFieldName(fip), argv[arg_index] );
>> -+ }
>> - } else if (TIFFFieldWriteCount(fip) > 0
>> - || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
>> - int ret = 1;
>> ---
>> -2.25.1
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
>> deleted file mode 100644
>> index 812ffb232d..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
>> +++ /dev/null
>> @@ -1,219 +0,0 @@
>> -CVE: CVE-2022-0891
>> -CVE: CVE-2022-1056
>> -Upstream-Status: Backport
>> -Signed-off-by: Ross Burton <ross.burton@arm.com>
>> -
>> -From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001
>> -From: Su Laus <sulau@freenet.de>
>> -Date: Tue, 8 Mar 2022 17:02:44 +0000
>> -Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in
>> - extractImageSection
>> -
>> ----
>> - tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
>> - 1 file changed, 36 insertions(+), 56 deletions(-)
>> -
>> -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
>> -index b85c2ce7..302a7e91 100644
>> ---- a/tools/tiffcrop.c
>> -+++ b/tools/tiffcrop.c
>> -@@ -105,8 +105,8 @@
>> - * of messages to monitor progress without enabling dump logs.
>> - */
>> -
>> --static char tiffcrop_version_id[] = "2.4";
>> --static char tiffcrop_rev_date[] = "12-13-2010";
>> -+static char tiffcrop_version_id[] = "2.4.1";
>> -+static char tiffcrop_rev_date[] = "03-03-2010";
>> -
>> - #include "tif_config.h"
>> - #include "libport.h"
>> -@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> - #ifdef DEVELMODE
>> - uint32_t img_length;
>> - #endif
>> -- uint32_t j, shift1, shift2, trailing_bits;
>> -+ uint32_t j, shift1, trailing_bits;
>> - uint32_t row, first_row, last_row, first_col, last_col;
>> - uint32_t src_offset, dst_offset, row_offset, col_offset;
>> -- uint32_t offset1, offset2, full_bytes;
>> -+ uint32_t offset1, full_bytes;
>> - uint32_t sect_width;
>> - #ifdef DEVELMODE
>> - uint32_t sect_length;
>> -@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> - #ifdef DEVELMODE
>> - int k;
>> - unsigned char bitset;
>> -- static char *bitarray = NULL;
>> - #endif
>> -
>> - img_width = image->width;
>> -@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> - dst_offset = 0;
>> -
>> - #ifdef DEVELMODE
>> -- if (bitarray == NULL)
>> -- {
>> -- if ((bitarray = (char *)malloc(img_width)) == NULL)
>> -- {
>> -- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
>> -- return (-1);
>> -- }
>> -- }
>> -+ char bitarray[39];
>> - #endif
>> -
>> -- /* rows, columns, width, length are expressed in pixels */
>> -+ /* rows, columns, width, length are expressed in pixels
>> -+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
>> -+ * last_col shall be also extracted. */
>> - first_row = section->y1;
>> - last_row = section->y2;
>> - first_col = section->x1;
>> -@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> - #ifdef DEVELMODE
>> - sect_length = last_row - first_row + 1;
>> - #endif
>> -- img_rowsize = ((img_width * bps + 7) / 8) * spp;
>> -- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
>> -- trailing_bits = (sect_width * bps) % 8;
>> -+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
>> -+ * samples rather than separate planes so the same logic works to extract regions
>> -+ * regardless of the way the data are organized in the input file.
>> -+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
>> -+ */
>> -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
>> -+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
>> -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
>> -
>> - #ifdef DEVELMODE
>> - TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
>> -@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> -
>> - if ((bps % 8) == 0)
>> - {
>> -- col_offset = first_col * spp * bps / 8;
>> -+ col_offset = (first_col * spp * bps) / 8;
>> - for (row = first_row; row <= last_row; row++)
>> - {
>> -- /* row_offset = row * img_width * spp * bps / 8; */
>> - row_offset = row * img_rowsize;
>> - src_offset = row_offset + col_offset;
>> -
>> -@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> - }
>> - else
>> - { /* bps != 8 */
>> -- shift1 = spp * ((first_col * bps) % 8);
>> -- shift2 = spp * ((last_col * bps) % 8);
>> -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
>> - for (row = first_row; row <= last_row; row++)
>> - {
>> - /* pull out the first byte */
>> - row_offset = row * img_rowsize;
>> -- offset1 = row_offset + (first_col * bps / 8);
>> -- offset2 = row_offset + (last_col * bps / 8);
>> -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
>> -
>> - #ifdef DEVELMODE
>> - for (j = 0, k = 7; j < 8; j++, k--)
>> -@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> - sprintf(&bitarray[9], " ");
>> - for (j = 10, k = 7; j < 18; j++, k--)
>> - {
>> -- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
>> -+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
>> - sprintf(&bitarray[j], (bitset) ? "1" : "0");
>> - }
>> - bitarray[18] = '\0';
>> -- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
>> -- row, offset1, shift1, offset2, shift2);
>> -+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
>> -+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
>> - #endif
>> -
>> - bytebuff1 = bytebuff2 = 0;
>> -@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> -
>> - if (trailing_bits != 0)
>> - {
>> -- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
>> -+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
>> -+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
>> - sect_buff[dst_offset] = bytebuff2;
>> - #ifdef DEVELMODE
>> - TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
>> -- offset2, dst_offset);
>> -+ offset1 + full_bytes, dst_offset);
>> - for (j = 30, k = 7; j < 38; j++, k--)
>> - {
>> - bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
>> -@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> - #endif
>> - for (j = 0; j <= full_bytes; j++)
>> - {
>> -- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
>> -- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
>> -+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
>> -+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
>> -+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
>> -+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
>> - sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
>> - }
>> - #ifdef DEVELMODE
>> -@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
>> - #endif
>> - dst_offset += full_bytes;
>> -
>> -+ /* Copy the trailing_bits for the last byte in the destination buffer.
>> -+ Could come from one ore two bytes of the source buffer. */
>> - if (trailing_bits != 0)
>> - {
>> - #ifdef DEVELMODE
>> -- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
>> --#endif
>> -- if (shift2 > shift1)
>> -- {
>> -- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
>> -- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
>> -- sect_buff[dst_offset] = bytebuff2;
>> --#ifdef DEVELMODE
>> -- TIFFError ("", " Shift2 > Shift1\n");
>> -+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
>> - #endif
>> -+ /* More than necessary bits are already copied into last destination buffer,
>> -+ * only masking of last byte in destination buffer is necessary.*/
>> -+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
>> - }
>> -- else
>> -- {
>> -- if (shift2 < shift1)
>> -- {
>> -- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
>> -- sect_buff[dst_offset] &= bytebuff2;
>> --#ifdef DEVELMODE
>> -- TIFFError ("", " Shift2 < Shift1\n");
>> --#endif
>> -- }
>> --#ifdef DEVELMODE
>> -- else
>> -- TIFFError ("", " Shift2 == Shift1\n");
>> --#endif
>> -- }
>> -- }
>> - #ifdef DEVELMODE
>> - sprintf(&bitarray[28], " ");
>> - sprintf(&bitarray[29], " ");
>> -@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
>> - width = sections[i].x2 - sections[i].x1 + 1;
>> - length = sections[i].y2 - sections[i].y1 + 1;
>> - sectsize = (uint32_t)
>> -- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
>> -+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
>> - /* allocate a buffer if we don't have one already */
>> - if (createImageSection(sectsize, sect_buff_ptr))
>> - {
>> ---
>> -2.25.1
>> -
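Review bot: this deleted file is the only marker for two CVEs (its `CVE: CVE-2022-0891` and `CVE: CVE-2022-1056` header lines). Once it is gone, cve-check has no patch tag for either and relies on matching PV 4.4.0 against the version data recorded for `CVE_PRODUCT = "libtiff"`. Please run cve-check on the updated recipe and confirm that neither ID, nor those of the other dropped backports, shows up as Unpatched, and check that the extractImageSection change in tools/tiffcrop.c is present in the 4.4.0 sources.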
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
>> deleted file mode 100644
>> index a0b856b9e1..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
>> +++ /dev/null
>> @@ -1,93 +0,0 @@
>> -CVE: CVE-2022-0907
>> -Upstream-Status: Backport
>> -Signed-off-by: Ross Burton <ross.burton@arm.com>
>> -
>> -From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001
>> -From: Augustus <wangdw.augustus@qq.com>
>> -Date: Mon, 7 Mar 2022 18:21:49 +0800
>> -Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392)
>> -
>> ----
>> - tools/tiffcrop.c | 33 +++++++++++++++++++++------------
>> - 1 file changed, 21 insertions(+), 12 deletions(-)
>> -
>> -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
>> -index 302a7e91..e407bf51 100644
>> ---- a/tools/tiffcrop.c
>> -+++ b/tools/tiffcrop.c
>> -@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
>> - if (!sect_buff)
>> - {
>> - sect_buff = (unsigned char *)limitMalloc(sectsize);
>> -- *sect_buff_ptr = sect_buff;
>> -+ if (!sect_buff)
>> -+ {
>> -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
>> -+ return (-1);
>> -+ }
>> - _TIFFmemset(sect_buff, 0, sectsize);
>> - }
>> - else
>> -@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
>> - else
>> - sect_buff = new_buff;
>> -
>> -+ if (!sect_buff)
>> -+ {
>> -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
>> -+ return (-1);
>> -+ }
>> - _TIFFmemset(sect_buff, 0, sectsize);
>> - }
>> - }
>> -
>> -- if (!sect_buff)
>> -- {
>> -- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
>> -- return (-1);
>> -- }
>> - prev_sectsize = sectsize;
>> - *sect_buff_ptr = sect_buff;
>> -
>> -@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
>> - if (!crop_buff)
>> - {
>> - crop_buff = (unsigned char *)limitMalloc(cropsize);
>> -- *crop_buff_ptr = crop_buff;
>> -+ if (!crop_buff)
>> -+ {
>> -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
>> -+ return (-1);
>> -+ }
>> - _TIFFmemset(crop_buff, 0, cropsize);
>> - prev_cropsize = cropsize;
>> - }
>> -@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
>> - }
>> - else
>> - crop_buff = new_buff;
>> -+ if (!crop_buff)
>> -+ {
>> -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
>> -+ return (-1);
>> -+ }
>> - _TIFFmemset(crop_buff, 0, cropsize);
>> - }
>> - }
>> -
>> -- if (!crop_buff)
>> -- {
>> -- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
>> -- return (-1);
>> -- }
>> - *crop_buff_ptr = crop_buff;
>> -
>> - if (crop->crop_mode & CROP_INVERT)
>> -@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
>> - * fill-column: 78
>> - * End:
>> - */
>> -+
>> ---
>> -2.25.1
>> -
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
>> deleted file mode 100644
>> index 719dabaecc..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
>> +++ /dev/null
>> @@ -1,33 +0,0 @@
>> -CVE: CVE-2022-0908
>> -Upstream-Status: Backport
>> -Signed-off-by: Ross Burton <ross.burton@arm.com>
>> -
>> -From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001
>> -From: Even Rouault <even.rouault@spatialys.com>
>> -Date: Thu, 17 Feb 2022 15:28:43 +0100
>> -Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null
>> - source pointer and size of zero (fixes #383)
>> -
>> ----
>> - libtiff/tif_dirread.c | 5 ++++-
>> - 1 file changed, 4 insertions(+), 1 deletion(-)
>> -
>> -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
>> -index d84147a0..4e8ce729 100644
>> ---- a/libtiff/tif_dirread.c
>> -+++ b/libtiff/tif_dirread.c
>> -@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
>> - _TIFFfree(data);
>> - return(0);
>> - }
>> -- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
>> -+ if (dp->tdir_count > 0 )
>> -+ {
>> -+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
>> -+ }
>> - o[(uint32_t)dp->tdir_count]=0;
>> - if (data!=0)
>> - _TIFFfree(data);
>> ---
>> -2.25.1
>> -
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
>> deleted file mode 100644
>> index 64dbe9ef92..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
>> +++ /dev/null
>> @@ -1,36 +0,0 @@
>> -CVE: CVE-2022-0909
>> -Upstream-Status: Backport
>> -Signed-off-by: Ross Burton <ross.burton@arm.com>
>> -
>> -From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001
>> -From: 4ugustus <wangdw.augustus@qq.com>
>> -Date: Tue, 8 Mar 2022 16:22:04 +0000
>> -Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393)
>> -
>> ----
>> - libtiff/tif_dir.c | 4 ++--
>> - 1 file changed, 2 insertions(+), 2 deletions(-)
>> -
>> -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
>> -index a6c254fc..77da6ea4 100644
>> ---- a/libtiff/tif_dir.c
>> -+++ b/libtiff/tif_dir.c
>> -@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
>> - break;
>> - case TIFFTAG_XRESOLUTION:
>> - dblval = va_arg(ap, double);
>> -- if( dblval < 0 )
>> -+ if( dblval != dblval || dblval < 0 )
>> - goto badvaluedouble;
>> - td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
>> - break;
>> - case TIFFTAG_YRESOLUTION:
>> - dblval = va_arg(ap, double);
>> -- if( dblval < 0 )
>> -+ if( dblval != dblval || dblval < 0 )
>> - goto badvaluedouble;
>> - td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
>> - break;
>> ---
>> -2.25.1
>> -
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
>> deleted file mode 100644
>> index afd5e59960..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
>> +++ /dev/null
>> @@ -1,57 +0,0 @@
>> -CVE: CVE-2022-0924
>> -Upstream-Status: Backport
>> -Signed-off-by: Ross Burton <ross.burton@arm.com>
>> -
>> -From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001
>> -From: 4ugustus <wangdw.augustus@qq.com>
>> -Date: Thu, 10 Mar 2022 08:48:00 +0000
>> -Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278)
>> -
>> ----
>> - tools/tiffcp.c | 17 ++++++++++++++++-
>> - 1 file changed, 16 insertions(+), 1 deletion(-)
>> -
>> -diff --git a/tools/tiffcp.c b/tools/tiffcp.c
>> -index 1f889516..552d8fad 100644
>> ---- a/tools/tiffcp.c
>> -+++ b/tools/tiffcp.c
>> -@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
>> - tdata_t obuf;
>> - tstrip_t strip = 0;
>> - tsample_t s;
>> -+ uint16_t bps = 0, bytes_per_sample;
>> -
>> - obuf = limitMalloc(stripsize);
>> - if (obuf == NULL)
>> - return (0);
>> - _TIFFmemset(obuf, 0, stripsize);
>> - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
>> -+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
>> -+ if( bps == 0 )
>> -+ {
>> -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
>> -+ _TIFFfree(obuf);
>> -+ return 0;
>> -+ }
>> -+ if( (bps % 8) != 0 )
>> -+ {
>> -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
>> -+ _TIFFfree(obuf);
>> -+ return 0;
>> -+ }
>> -+ bytes_per_sample = bps/8;
>> - for (s = 0; s < spp; s++) {
>> - uint32_t row;
>> - for (row = 0; row < imagelength; row += rowsperstrip) {
>> -@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
>> -
>> - cpContigBufToSeparateBuf(
>> - obuf, (uint8_t*) buf + row * rowsize + s,
>> -- nrows, imagewidth, 0, 0, spp, 1);
>> -+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
>> - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
>> - TIFFError(TIFFFileName(out),
>> - "Error, can't write strip %"PRIu32,
>> ---
>> -2.25.1
>> -
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
>> deleted file mode 100644
>> index 0b41dde606..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
>> +++ /dev/null
>> @@ -1,30 +0,0 @@
>> -From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
>> -From: Even Rouault <even.rouault@spatialys.com>
>> -Date: Sat, 5 Feb 2022 20:36:41 +0100
>> -Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
>> - source pointer and size of zero (fixes #362)
>> -
>> -Upstream-Status: Backport
>> -CVE: CVE-2022-0562
>> -
>> ----
>> - libtiff/tif_dirread.c | 3 ++-
>> - 1 file changed, 2 insertions(+), 1 deletion(-)
>> -
>> -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
>> -index 2bbc4585..23194ced 100644
>> ---- a/libtiff/tif_dirread.c
>> -+++ b/libtiff/tif_dirread.c
>> -@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
>> - goto bad;
>> - }
>> -
>> -- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
>> -+ if (old_extrasamples > 0)
>> -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
>> - _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
>> - _TIFFfree(new_sampleinfo);
>> - }
>> ---
>> -GitLab
>> -
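Review bot: nothing in this file's name (an upstream commit hash) shows that deleting it removes the `CVE: CVE-2022-0562` tag, and the same holds for eecb0712f4c3a5b449f70c57988260a667ddbdef.patch with CVE-2022-0561. The commit message only says that all CVE backports are dropped, so please list the CVE IDs whose patches are removed because 4.4.0 already contains the fix. That keeps the history searchable by CVE ID.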
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
>> deleted file mode 100644
>> index 71b85cac10..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
>> +++ /dev/null
>> @@ -1,212 +0,0 @@
>> -From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
>> -From: Even Rouault <even.rouault@spatialys.com>
>> -Date: Sun, 5 Dec 2021 14:37:46 +0100
>> -Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
>> -
>> -to avoid having the size of the strip arrays inconsistent with the
>> -number of strips returned by TIFFNumberOfStrips(), which may cause
>> -out-ouf-bounds array read afterwards.
>> -
>> -One of the OJPEG hack that alters SamplesPerPixel may influence the
>> -number of strips. Hence compute tif_dir.td_nstrips only afterwards.
>> -
>> -CVE: CVE-2022-1354
>> -
>> -Upstream-Status: Backport
>> -[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
>> -
>> -Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> ----
>> - libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
>> - 1 file changed, 83 insertions(+), 79 deletions(-)
>> -
>> -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
>> -index 8f434ef5..14c031d1 100644
>> ---- a/libtiff/tif_dirread.c
>> -+++ b/libtiff/tif_dirread.c
>> -@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
>> - MissingRequired(tif,"ImageLength");
>> - goto bad;
>> - }
>> -- /*
>> -- * Setup appropriate structures (by strip or by tile)
>> -- */
>> -- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
>> -- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
>> -- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
>> -- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
>> -- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
>> -- tif->tif_flags &= ~TIFF_ISTILED;
>> -- } else {
>> -- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
>> -- tif->tif_flags |= TIFF_ISTILED;
>> -- }
>> -- if (!tif->tif_dir.td_nstrips) {
>> -- TIFFErrorExt(tif->tif_clientdata, module,
>> -- "Cannot handle zero number of %s",
>> -- isTiled(tif) ? "tiles" : "strips");
>> -- goto bad;
>> -- }
>> -- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
>> -- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
>> -- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
>> -- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
>> --#ifdef OJPEG_SUPPORT
>> -- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
>> -- (isTiled(tif)==0) &&
>> -- (tif->tif_dir.td_nstrips==1)) {
>> -- /*
>> -- * XXX: OJPEG hack.
>> -- * If a) compression is OJPEG, b) it's not a tiled TIFF,
>> -- * and c) the number of strips is 1,
>> -- * then we tolerate the absence of stripoffsets tag,
>> -- * because, presumably, all required data is in the
>> -- * JpegInterchangeFormat stream.
>> -- */
>> -- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
>> -- } else
>> --#endif
>> -- {
>> -- MissingRequired(tif,
>> -- isTiled(tif) ? "TileOffsets" : "StripOffsets");
>> -- goto bad;
>> -- }
>> -- }
>> -+
>> - /*
>> - * Second pass: extract other information.
>> - */
>> -@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
>> - } /* -- if (!dp->tdir_ignore) */
>> - } /* -- for-loop -- */
>> -
>> -- if( tif->tif_mode == O_RDWR &&
>> -- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
>> -- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
>> -- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
>> -- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
>> -- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
>> -- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
>> -- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
>> -- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
>> -- {
>> -- /* Directory typically created with TIFFDeferStrileArrayWriting() */
>> -- TIFFSetupStrips(tif);
>> -- }
>> -- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
>> -- {
>> -- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
>> -- {
>> -- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
>> -- tif->tif_dir.td_nstrips,
>> -- &tif->tif_dir.td_stripoffset_p))
>> -- {
>> -- goto bad;
>> -- }
>> -- }
>> -- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
>> -- {
>> -- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
>> -- tif->tif_dir.td_nstrips,
>> -- &tif->tif_dir.td_stripbytecount_p))
>> -- {
>> -- goto bad;
>> -- }
>> -- }
>> -- }
>> --
>> - /*
>> - * OJPEG hack:
>> - * - If a) compression is OJPEG, and b) photometric tag is missing,
>> -@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
>> - }
>> - }
>> -
>> -+ /*
>> -+ * Setup appropriate structures (by strip or by tile)
>> -+ * We do that only after the above OJPEG hack which alters SamplesPerPixel
>> -+ * and thus influences the number of strips in the separate planarconfig.
>> -+ */
>> -+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
>> -+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
>> -+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
>> -+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
>> -+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
>> -+ tif->tif_flags &= ~TIFF_ISTILED;
>> -+ } else {
>> -+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
>> -+ tif->tif_flags |= TIFF_ISTILED;
>> -+ }
>> -+ if (!tif->tif_dir.td_nstrips) {
>> -+ TIFFErrorExt(tif->tif_clientdata, module,
>> -+ "Cannot handle zero number of %s",
>> -+ isTiled(tif) ? "tiles" : "strips");
>> -+ goto bad;
>> -+ }
>> -+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
>> -+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
>> -+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
>> -+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
>> -+#ifdef OJPEG_SUPPORT
>> -+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
>> -+ (isTiled(tif)==0) &&
>> -+ (tif->tif_dir.td_nstrips==1)) {
>> -+ /*
>> -+ * XXX: OJPEG hack.
>> -+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
>> -+ * and c) the number of strips is 1,
>> -+ * then we tolerate the absence of stripoffsets tag,
>> -+ * because, presumably, all required data is in the
>> -+ * JpegInterchangeFormat stream.
>> -+ */
>> -+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
>> -+ } else
>> -+#endif
>> -+ {
>> -+ MissingRequired(tif,
>> -+ isTiled(tif) ? "TileOffsets" : "StripOffsets");
>> -+ goto bad;
>> -+ }
>> -+ }
>> -+
>> -+ if( tif->tif_mode == O_RDWR &&
>> -+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
>> -+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
>> -+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
>> -+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
>> -+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
>> -+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
>> -+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
>> -+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
>> -+ {
>> -+ /* Directory typically created with TIFFDeferStrileArrayWriting() */
>> -+ TIFFSetupStrips(tif);
>> -+ }
>> -+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
>> -+ {
>> -+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
>> -+ {
>> -+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
>> -+ tif->tif_dir.td_nstrips,
>> -+ &tif->tif_dir.td_stripoffset_p))
>> -+ {
>> -+ goto bad;
>> -+ }
>> -+ }
>> -+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
>> -+ {
>> -+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
>> -+ tif->tif_dir.td_nstrips,
>> -+ &tif->tif_dir.td_stripbytecount_p))
>> -+ {
>> -+ goto bad;
>> -+ }
>> -+ }
>> -+ }
>> -+
>> - /*
>> - * Make sure all non-color channels are extrasamples.
>> - * If it's not the case, define them as such.
>> ---
>> -2.25.1
>> -
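Review bot: the `From 87881e093691a35c60b91cafed058ba2dd5d9807` hash in this backport differs from the commit named in its Upstream-Status link (87f580f39011109b3bb5f6eca13fac543a542798), so the `From` line cannot be used to check whether 4.4.0 contains the fix. Before dropping the file, verify against the upstream commit in the link that the strip setup in TIFFReadDirectory() now happens after the OJPEG hack in the 4.4.0 sources.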
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
>> deleted file mode 100644
>> index e59f5aad55..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
>> +++ /dev/null
>> @@ -1,62 +0,0 @@
>> -From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
>> -From: Su_Laus <sulau@freenet.de>
>> -Date: Sat, 2 Apr 2022 22:33:31 +0200
>> -Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
>> -
>> -CVE: CVE-2022-1355
>> -
>> -Upstream-Status: Backport
>> -[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
>> -
>> -Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> ----
>> - tools/tiffcp.c | 25 ++++++++++++++++++++-----
>> - 1 file changed, 20 insertions(+), 5 deletions(-)
>> -
>> -diff --git a/tools/tiffcp.c b/tools/tiffcp.c
>> -index fd129bb7..8d944ff6 100644
>> ---- a/tools/tiffcp.c
>> -+++ b/tools/tiffcp.c
>> -@@ -274,19 +274,34 @@ main(int argc, char* argv[])
>> - deftilewidth = atoi(optarg);
>> - break;
>> - case 'B':
>> -- *mp++ = 'b'; *mp = '\0';
>> -+ if (strlen(mode) < (sizeof(mode) - 1))
>> -+ {
>> -+ *mp++ = 'b'; *mp = '\0';
>> -+ }
>> - break;
>> - case 'L':
>> -- *mp++ = 'l'; *mp = '\0';
>> -+ if (strlen(mode) < (sizeof(mode) - 1))
>> -+ {
>> -+ *mp++ = 'l'; *mp = '\0';
>> -+ }
>> - break;
>> - case 'M':
>> -- *mp++ = 'm'; *mp = '\0';
>> -+ if (strlen(mode) < (sizeof(mode) - 1))
>> -+ {
>> -+ *mp++ = 'm'; *mp = '\0';
>> -+ }
>> - break;
>> - case 'C':
>> -- *mp++ = 'c'; *mp = '\0';
>> -+ if (strlen(mode) < (sizeof(mode) - 1))
>> -+ {
>> -+ *mp++ = 'c'; *mp = '\0';
>> -+ }
>> - break;
>> - case '8':
>> -- *mp++ = '8'; *mp = '\0';
>> -+ if (strlen(mode) < (sizeof(mode)-1))
>> -+ {
>> -+ *mp++ = '8'; *mp = '\0';
>> -+ }
>> - break;
>> - case 'x':
>> - pageInSeq = 1;
>> ---
>> -2.25.1
>> -
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
>> deleted file mode 100644
>> index 74f9649fdf..0000000000
>> --- a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
>> +++ /dev/null
>> @@ -1,32 +0,0 @@
>> -From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
>> -From: Even Rouault <even.rouault@spatialys.com>
>> -Date: Sun, 6 Feb 2022 13:08:38 +0100
>> -Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
>> - source pointer and size of zero (fixes #362)
>> -
>> -Upstream-Status: Backport
>> -CVE: CVE-2022-0561
>> -
>> ----
>> - libtiff/tif_dirread.c | 5 +++--
>> - 1 file changed, 3 insertions(+), 2 deletions(-)
>> -
>> -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
>> -index 23194ced..50ebf8ac 100644
>> ---- a/libtiff/tif_dirread.c
>> -+++ b/libtiff/tif_dirread.c
>> -@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
>> - _TIFFfree(data);
>> - return(0);
>> - }
>> -- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
>> -- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
>> -+ if( dir->tdir_count )
>> -+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
>> -+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
>> - _TIFFfree(data);
>> - data=resizeddata;
>> - }
>> ---
>> -GitLab
>> -
>> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
>> similarity index 75%
>> rename from meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
>> rename to meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
>> index b5ccd859f3..e30df0b3e9 100644
>> --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
>> +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
>> @@ -9,22 +9,11 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
>> CVE_PRODUCT = "libtiff"
>>
>> SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
>> - file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
>> - file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
>> - file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
>> - file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \
>> - file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \
>> - file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \
>> - file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \
>> - file://0005-fix-the-FPE-in-tiffcrop-393.patch \
>> - file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \
>> file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
>> - file://CVE-2022-1354.patch \
>> - file://CVE-2022-1355.patch \
>> file://CVE-2022-34526.patch \
>> "
>>
>> -SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
>> +SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
>>
>> # exclude betas
>> UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
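Review bot: Two patches stay in SRC_URI, 0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch and CVE-2022-34526.patch, but the patch shows no refresh of either against the 4.4.0 sources. Please confirm that both still apply cleanly to tiff-4.4.0 and are not already part of the release tarball. The commit message also credits this update with fixes for CVE-2022-2867, CVE-2022-2868 and CVE-2022-2869, while this hunk only removes patches and changes the checksum, and none of the three IDs appears in the 4.4.0 change list quoted in this thread; say in the commit message which upstream changes in 4.4.0 fix them.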
>> --
>> 2.37.3
--
# Randy MacLeod
# Wind River Linux
* RE: [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0
2022-09-30 15:58 ` [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0 Steve Sakoman
2022-10-03 21:28 ` Randy MacLeod
@ 2022-10-04 5:09 ` Teoh, Jay Shen
1 sibling, 0 replies; 8+ messages in thread
From: Teoh, Jay Shen @ 2022-10-04 5:09 UTC (permalink / raw)
To: Steve Sakoman, openembedded-core@lists.openembedded.org
Hi Steve,
Sorry, I wasn't aware of the policy where stable branches do not take a version upgrade unless it is a bug fix upgrade only.
I will try to see if a backport is available or not. Please ignore this patch for now.
Regards,
Jay
> -----Original Message-----
> From: Steve Sakoman <steve@sakoman.com>
> Sent: Friday, 30 September, 2022 11:59 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Teoh, Jay Shen <jay.shen.teoh@intel.com>
> Subject: Re: [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0
>
> This is a version update with some API changes, so further review would be
> appreciated before I can take this.
>
> To help with review, here are the changes in this release:
>
> Software configuration changes
>
> Handle absolute paths in pkg-config file (issue #333)
> Correct fix for the pkgconf file relative paths.
> cmake: allow running the tests with a read-only source directory.
> cmake: Fix STRIPCHOP_DEFAULT value in CMake builds.
> build: Fix static library imports in mingw related to LERC
> Fix version in libtiff-4.pc.in, and CMake build: Add requirements to pc file
> cmake: Fix build with CMake 3.10.
> cmake: Export tiff targets.
> Make LERC_SUPPORT conditional on ZLIB_SUPPORT
>
> Library changes
>
> New/improved functionalities:
>
> TIFFIsBigTiff() function added.
> Functions TIFFFieldSetGetSize() and TIFFieldSetGetCountSize() added.
> LZWDecode(): major speed improvements (~30% faster)
> Predictor 2 (horizontal differentiation): support 64-bit
> Support libjpeg 9d
>
> Bug fixes:
>
> Remove incorrect assert (issue #329)
> avoid hang in TIFFRewriteDirectory() if a classic file > 4 GB is attempted to be created
> tif_jbig.c: fix crash when reading a file with multiple IFD in memory-mapped mode and when bit reversal is needed (fixes issue #385)
> TIFFFetchNormalTag(): avoid calling memcpy() with a null source pointer and size of zero (fixes issue #383)
> TIFFWriteDirectoryTagData(): turn assertion on data length into a runtime check
> TIFFFetchStripThing(): avoid calling memcpy() with a null source pointer and size of zero (fixes issue #362)
> TIFFReadDirectory(): avoid calling memcpy() with a null source pointer and size of zero (fixes issue #362)
> TIFFYCbCrToRGBInit(): avoid Integer-overflow
> TIFFGetField(TIFFTAG_STRIPBYTECOUNTS/TIFFTAG_STRIPOFFSETS): return error if returned pointer is NULL (fixes issue #342)
> OJPEG: avoid assertion when using TIFFReadScanline() (fixes issue #337)
> TIFFReadDirectory(): fix OJPEG hack (fixes issue #319)
> LZW codec: fix support for strips/tiles > 2 GB on Windows
> TIFFAppendToStrip(): fix rewrite-in-place logic (fixes issue #309)
> Fix TIFFRewriteDirectory() discarding directories.
> TIFFReadCustomDirectory(): avoid crash when reading SubjectDistance tag on a non EXIF directory (issue #316)
> Fix Segmentation fault printing GPS directory if Altitude tag is present
> tif_jpeg.c: do not emit progressive scans with mozjpeg. (issue #266)
> _TIFFRewriteField(): fix when writing a IFD with a single tile that is a sparse one, on big endian hosts
> Fix all remaining uses of legacy Deflate compression id and warn on use.
>
> Tools changes
>
> Bug fixes:
>
> tiffcrop: Fix issue #330 and some more from 320 to 349.
> tiffcrop: fix issue #395: generation of strange section images.
> tiffcrop: fix issue #380 and issue #382 heap buffer overflow in extractImageSection
> tiffcrop: fix FPE (issue #393)
> tiffcrop: buffsize check formula in loadImage() amended (fixes issue #273, issue #275)
> tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting uint32_t underflow.
> tiff2pdf: handle 8-bit palette colormap.
> tiffcp: avoid buffer overflow in "mode" string (fixes issue #400)
> tiffcp: Fix incomprehensible setting of orientation tag (fixes issue #29)
> tiffcp: do not try to fetch compressor-specific tags when not appropriate (fixes issue #396)
> tiffcp: fix heap buffer overflow (issue #278)
> tiff2ps: In limitMalloc() check for negative size (fixes issue #284)
> tiffinfo: add a -M switch to define the maximum heap allocation, and default it to 256 MiB (fixes issue #287, issue #290)
> tiffinfo: limit more memory allocations using -M switch (fixes issue #288)
> tiffset: fix global-buffer-overflow for ASCII tags where count is required (fixes issue #355)
> raw2tiff: check that band number is not zero to avoid floating point exception (fixes issue #338)
> tiffinfo/tiffdump: improve output for GDAL tags.
>
> On Wed, Sep 28, 2022 at 10:33 PM Teoh, Jay Shen <jay.shen.teoh@intel.com>
> wrote:
> >
> > From: Teoh Jay Shen <jay.shen.teoh@intel.com>
> >
> > -Drop all CVE backports for tiff_4.3.0
> > -Update include fixes for:
> > CVE-2022-2867 [https://bugzilla.redhat.com/show_bug.cgi?id=2118847],
> > CVE-2022-2868 [https://bugzilla.redhat.com/show_bug.cgi?id=2118863],
> > CVE-2022-2869 [https://bugzilla.redhat.com/show_bug.cgi?id=2118869]
> >
> > Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
> > ---
> > ...rash-when-reading-a-file-with-multip.patch | 38 ---
> > ...al-buffer-overflow-for-ASCII-tags-wh.patch | 43 ----
> > ...ue-380-and-382-heap-buffer-overflow-.patch | 219 ------------------
> > ...-for-return-value-of-limitMalloc-392.patch | 93 --------
> > ...ag-avoid-calling-memcpy-with-a-null-.patch | 33 ---
> > .../0005-fix-the-FPE-in-tiffcrop-393.patch | 36 ---
> > ...x-heap-buffer-overflow-in-tiffcp-278.patch | 57 -----
> > ...99c99f987dc32ae110370cfdd7df7975586b.patch | 30 ---
> > .../libtiff/tiff/CVE-2022-1354.patch | 212 -----------------
> > .../libtiff/tiff/CVE-2022-1355.patch | 62 -----
> > ...0712f4c3a5b449f70c57988260a667ddbdef.patch | 32 ---
> > .../libtiff/{tiff_4.3.0.bb => tiff_4.4.0.bb} | 13 +-
> > 12 files changed, 1 insertion(+), 867 deletions(-)
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
> > delete mode 100644 meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
> > rename meta/recipes-multimedia/libtiff/{tiff_4.3.0.bb => tiff_4.4.0.bb} (75%)
> >
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-
> > reading-a-file-with-multip.patch
> > b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-
> > reading-a-file-with-multip.patch
> > deleted file mode 100644
> > index f1a4ab4251..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-
> > reading-a-file-with-multip.patch
> > +++ /dev/null
> > @@ -1,38 +0,0 @@
> > -CVE: CVE-2022-0865
> > -Upstream-Status: Backport
> > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > -
> > -From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00
> > 2001
> > -From: Even Rouault <even.rouault@spatialys.com>
> > -Date: Thu, 24 Feb 2022 22:26:02 +0100
> > -Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with
> > multiple
> > - IFD in memory-mapped mode and when bit reversal is needed (fixes
> > #385)
> > -
> > ----
> > - libtiff/tif_jbig.c | 10 ++++++++++
> > - 1 file changed, 10 insertions(+)
> > -
> > -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index
> > 74086338..8bfa4cef 100644
> > ---- a/libtiff/tif_jbig.c
> > -+++ b/libtiff/tif_jbig.c
> > -@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
> > - */
> > - tif->tif_flags |= TIFF_NOBITREV;
> > - tif->tif_flags &= ~TIFF_MAPPED;
> > -+ /* We may have read from a previous IFD and thus set
> TIFF_BUFFERMMAP and
> > -+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
> > -+ * value to be consistent with the state of a non-memory mapped file.
> > -+ */
> > -+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
> > -+ tif->tif_rawdata = NULL;
> > -+ tif->tif_rawdatasize = 0;
> > -+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
> > -+ tif->tif_flags |= TIFF_MYBUFFER;
> > -+ }
> > -
> > - /* Setup the function pointers for encode, decode, and cleanup. */
> > - tif->tif_setupdecode = JBIGSetupDecode;
> > ---
> > -2.25.1
> > -
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-
> > overflow-for-ASCII-tags-wh.patch
> > b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-
> > overflow-for-ASCII-tags-wh.patch
> > deleted file mode 100644
> > index 72776f09ba..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-
> > overflow-for-ASCII-tags-wh.patch
> > +++ /dev/null
> > @@ -1,43 +0,0 @@
> > -CVE: CVE-2022-22844
> > -Upstream-Status: Backport
> > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > -
> > -From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00
> > 2001
> > -From: 4ugustus <wangdw.augustus@qq.com>
> > -Date: Tue, 25 Jan 2022 16:25:28 +0000
> > -Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags
> > where
> > - count is required (fixes #355)
> > -
> > ----
> > - tools/tiffset.c | 16 +++++++++++++---
> > - 1 file changed, 13 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/tools/tiffset.c b/tools/tiffset.c -index
> > 8c9e23c5..e7a88c09 100644
> > ---- a/tools/tiffset.c
> > -+++ b/tools/tiffset.c
> > -@@ -146,9 +146,19 @@ main(int argc, char* argv[])
> > -
> > - arg_index++;
> > - if (TIFFFieldDataType(fip) == TIFF_ASCII) {
> > -- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
> > -- fprintf( stderr, "Failed to set %s=%s\n",
> > -- TIFFFieldName(fip), argv[arg_index] );
> > -+ if(TIFFFieldPassCount( fip )) {
> > -+ size_t len;
> > -+ len = strlen(argv[arg_index]) + 1;
> > -+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
> > -+ (uint16_t)len, argv[arg_index]) != 1)
> > -+ fprintf( stderr, "Failed to set %s=%s\n",
> > -+ TIFFFieldName(fip), argv[arg_index] );
> > -+ } else {
> > -+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
> > -+ argv[arg_index]) != 1)
> > -+ fprintf( stderr, "Failed to set %s=%s\n",
> > -+ TIFFFieldName(fip), argv[arg_index] );
> > -+ }
> > - } else if (TIFFFieldWriteCount(fip) > 0
> > - || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
> > - int ret = 1;
> > ---
> > -2.25.1
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and
> > -382-heap-buffer-overflow-.patch
> > b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and
> > -382-heap-buffer-overflow-.patch
> > deleted file mode 100644
> > index 812ffb232d..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and
> > -382-heap-buffer-overflow-.patch
> > +++ /dev/null
> > @@ -1,219 +0,0 @@
> > -CVE: CVE-2022-0891
> > -CVE: CVE-2022-1056
> > -Upstream-Status: Backport
> > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > -
> > -From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00
> > 2001
> > -From: Su Laus <sulau@freenet.de>
> > -Date: Tue, 8 Mar 2022 17:02:44 +0000
> > -Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer
> > overflow in
> > - extractImageSection
> > -
> > ----
> > - tools/tiffcrop.c | 92
> > +++++++++++++++++++-----------------------------
> > - 1 file changed, 36 insertions(+), 56 deletions(-)
> > -
> > -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index
> > b85c2ce7..302a7e91 100644
> > ---- a/tools/tiffcrop.c
> > -+++ b/tools/tiffcrop.c
> > -@@ -105,8 +105,8 @@
> > - * of messages to monitor progress without enabling dump logs.
> > - */
> > -
> > --static char tiffcrop_version_id[] = "2.4";
> > --static char tiffcrop_rev_date[] = "12-13-2010";
> > -+static char tiffcrop_version_id[] = "2.4.1";
> > -+static char tiffcrop_rev_date[] = "03-03-2010";
> > -
> > - #include "tif_config.h"
> > - #include "libport.h"
> > -@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image,
> > struct pageseg *section,
> > - #ifdef DEVELMODE
> > - uint32_t img_length;
> > - #endif
> > -- uint32_t j, shift1, shift2, trailing_bits;
> > -+ uint32_t j, shift1, trailing_bits;
> > - uint32_t row, first_row, last_row, first_col, last_col;
> > - uint32_t src_offset, dst_offset, row_offset, col_offset;
> > -- uint32_t offset1, offset2, full_bytes;
> > -+ uint32_t offset1, full_bytes;
> > - uint32_t sect_width;
> > - #ifdef DEVELMODE
> > - uint32_t sect_length;
> > -@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image,
> > struct pageseg *section,
> > - #ifdef DEVELMODE
> > - int k;
> > - unsigned char bitset;
> > -- static char *bitarray = NULL;
> > - #endif
> > -
> > - img_width = image->width;
> > -@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image,
> struct pageseg *section,
> > - dst_offset = 0;
> > -
> > - #ifdef DEVELMODE
> > -- if (bitarray == NULL)
> > -- {
> > -- if ((bitarray = (char *)malloc(img_width)) == NULL)
> > -- {
> > -- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
> > -- return (-1);
> > -- }
> > -- }
> > -+ char bitarray[39];
> > - #endif
> > -
> > -- /* rows, columns, width, length are expressed in pixels */
> > -+ /* rows, columns, width, length are expressed in pixels
> > -+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
> > -+ * last_col shall be also extracted. */
> > - first_row = section->y1;
> > - last_row = section->y2;
> > - first_col = section->x1;
> > -@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image,
> > struct pageseg *section,
> > - #ifdef DEVELMODE
> > - sect_length = last_row - first_row + 1;
> > - #endif
> > -- img_rowsize = ((img_width * bps + 7) / 8) * spp;
> > -- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per
> row in section */
> > -- trailing_bits = (sect_width * bps) % 8;
> > -+ /* The read function loadImage() used copy separate plane data into a
> buffer as interleaved
> > -+ * samples rather than separate planes so the same logic works to extract
> regions
> > -+ * regardless of the way the data are organized in the input file.
> > -+ * Furthermore, bytes and bits are arranged in buffer according to
> COMPRESSION=1 and FILLORDER=1
> > -+ */
> > -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes
> of source image */
> > -+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE
> bytes per row in section */
> > -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the
> last byte of destination buffer */
> > -
> > - #ifdef DEVELMODE
> > - TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First
> col: %"PRIu32", last col: %"PRIu32"\n",
> > -@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image,
> > struct pageseg *section,
> > -
> > - if ((bps % 8) == 0)
> > - {
> > -- col_offset = first_col * spp * bps / 8;
> > -+ col_offset = (first_col * spp * bps) / 8;
> > - for (row = first_row; row <= last_row; row++)
> > - {
> > -- /* row_offset = row * img_width * spp * bps / 8; */
> > - row_offset = row * img_rowsize;
> > - src_offset = row_offset + col_offset;
> > -
> > -@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image,
> struct pageseg *section,
> > - }
> > - else
> > - { /* bps != 8 */
> > -- shift1 = spp * ((first_col * bps) % 8);
> > -- shift2 = spp * ((last_col * bps) % 8);
> > -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first
> byte of source buffer*/
> > - for (row = first_row; row <= last_row; row++)
> > - {
> > - /* pull out the first byte */
> > - row_offset = row * img_rowsize;
> > -- offset1 = row_offset + (first_col * bps / 8);
> > -- offset2 = row_offset + (last_col * bps / 8);
> > -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset
> into source of byte with first bits to be extracted */
> > -
> > - #ifdef DEVELMODE
> > - for (j = 0, k = 7; j < 8; j++, k--)
> > -@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image,
> struct pageseg *section,
> > - sprintf(&bitarray[9], " ");
> > - for (j = 10, k = 7; j < 18; j++, k--)
> > - {
> > -- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
> > -+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned
> > -+ char)1 << k)) ? 1 : 0;
> > - sprintf(&bitarray[j], (bitset) ? "1" : "0");
> > - }
> > - bitarray[18] = '\0';
> > -- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32",
> Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
> > -- row, offset1, shift1, offset2, shift2);
> > -+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32",
> Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
> > -+ row, offset1, shift1, offset1+full_bytes,
> > -+ trailing_bits);
> > - #endif
> > -
> > - bytebuff1 = bytebuff2 = 0;
> > -@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image,
> > struct pageseg *section,
> > -
> > - if (trailing_bits != 0)
> > - {
> > -- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
> > -+ /* Only copy higher bits of samples and mask lower bits of not wanted
> column samples to zero */
> > -+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned
> > -+ char)255 << (8 - trailing_bits));
> > - sect_buff[dst_offset] = bytebuff2;
> > - #ifdef DEVELMODE
> > - TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst
> offset: %8"PRIu32"\n",
> > -- offset2, dst_offset);
> > -+ offset1 + full_bytes, dst_offset);
> > - for (j = 30, k = 7; j < 38; j++, k--)
> > - {
> > - bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
> > -@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image,
> > struct pageseg *section,
> > - #endif
> > - for (j = 0; j <= full_bytes; j++)
> > - {
> > -- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
> > -- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
> > -+ /* Skip the first shift1 bits and shift the source up by shift1 bits before
> save to destination.*/
> > -+ /* Attention: src_buff size needs to be some bytes larger than image
> size, because could read behind image here. */
> > -+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
> > -+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned
> > -+ char)255 << (8 - shift1));
> > - sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 -
> shift1));
> > - }
> > - #ifdef DEVELMODE
> > -@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image,
> > struct pageseg *section,
> > - #endif
> > - dst_offset += full_bytes;
> > -
> > -+ /* Copy the trailing_bits for the last byte in the destination buffer.
> > -+ Could come from one ore two bytes of the source buffer.
> > -+ */
> > - if (trailing_bits != 0)
> > - {
> > - #ifdef DEVELMODE
> > -- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst
> offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
> > --#endif
> > -- if (shift2 > shift1)
> > -- {
> > -- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 -
> shift2));
> > -- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
> > -- sect_buff[dst_offset] = bytebuff2;
> > --#ifdef DEVELMODE
> > -- TIFFError ("", " Shift2 > Shift1\n");
> > -+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst
> offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
> > - #endif
> > -+ /* More than necessary bits are already copied into last destination
> buffer,
> > -+ * only masking of last byte in destination buffer is necessary.*/
> > -+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 -
> > -+ trailing_bits));
> > - }
> > -- else
> > -- {
> > -- if (shift2 < shift1)
> > -- {
> > -- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
> > -- sect_buff[dst_offset] &= bytebuff2;
> > --#ifdef DEVELMODE
> > -- TIFFError ("", " Shift2 < Shift1\n");
> > --#endif
> > -- }
> > --#ifdef DEVELMODE
> > -- else
> > -- TIFFError ("", " Shift2 == Shift1\n");
> > --#endif
> > -- }
> > -- }
> > - #ifdef DEVELMODE
> > - sprintf(&bitarray[28], " ");
> > - sprintf(&bitarray[29], " ");
> > -@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct
> image_data *image,
> > - width = sections[i].x2 - sections[i].x1 + 1;
> > - length = sections[i].y2 - sections[i].y1 + 1;
> > - sectsize = (uint32_t)
> > -- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
> > -+ ceil((width * image->bps * image->spp + 7) / (double)8) *
> > -+ length;
> > - /* allocate a buffer if we don't have one already */
> > - if (createImageSection(sectsize, sect_buff_ptr))
> > - {
> > ---
> > -2.25.1
> > -
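Review bot: This one file carries two tags, CVE-2022-0891 and CVE-2022-1056, so a drop list in the commit message needs both IDs. Its tools/tiffcrop.c index line ends at 302a7e91, which is the starting blob of 0003-add-checks-for-return-value-of-limitMalloc-392.patch (index 302a7e91..e407bf51). If this update is reworked as backports on top of 4.3.0, the two files have to stay together and in that order.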
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-valu
> > e-of-limitMalloc-392.patch
> > b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-valu
> > e-of-limitMalloc-392.patch
> > deleted file mode 100644
> > index a0b856b9e1..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-valu
> > e-of-limitMalloc-392.patch
> > +++ /dev/null
> > @@ -1,93 +0,0 @@
> > -CVE: CVE-2022-0907
> > -Upstream-Status: Backport
> > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > -
> > -From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00
> > 2001
> > -From: Augustus <wangdw.augustus@qq.com>
> > -Date: Mon, 7 Mar 2022 18:21:49 +0800
> > -Subject: [PATCH 3/6] add checks for return value of limitMalloc
> > (#392)
> > -
> > ----
> > - tools/tiffcrop.c | 33 +++++++++++++++++++++------------
> > - 1 file changed, 21 insertions(+), 12 deletions(-)
> > -
> > -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index
> > 302a7e91..e407bf51 100644
> > ---- a/tools/tiffcrop.c
> > -+++ b/tools/tiffcrop.c
> > -@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned
> char **sect_buff_ptr)
> > - if (!sect_buff)
> > - {
> > - sect_buff = (unsigned char *)limitMalloc(sectsize);
> > -- *sect_buff_ptr = sect_buff;
> > -+ if (!sect_buff)
> > -+ {
> > -+ TIFFError("createImageSection", "Unable to allocate/reallocate section
> buffer");
> > -+ return (-1);
> > -+ }
> > - _TIFFmemset(sect_buff, 0, sectsize);
> > - }
> > - else
> > -@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned
> char **sect_buff_ptr)
> > - else
> > - sect_buff = new_buff;
> > -
> > -+ if (!sect_buff)
> > -+ {
> > -+ TIFFError("createImageSection", "Unable to allocate/reallocate
> section buffer");
> > -+ return (-1);
> > -+ }
> > - _TIFFmemset(sect_buff, 0, sectsize);
> > - }
> > - }
> > -
> > -- if (!sect_buff)
> > -- {
> > -- TIFFError("createImageSection", "Unable to allocate/reallocate section
> buffer");
> > -- return (-1);
> > -- }
> > - prev_sectsize = sectsize;
> > - *sect_buff_ptr = sect_buff;
> > -
> > -@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image,
> struct crop_mask *crop,
> > - if (!crop_buff)
> > - {
> > - crop_buff = (unsigned char *)limitMalloc(cropsize);
> > -- *crop_buff_ptr = crop_buff;
> > -+ if (!crop_buff)
> > -+ {
> > -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop
> buffer");
> > -+ return (-1);
> > -+ }
> > - _TIFFmemset(crop_buff, 0, cropsize);
> > - prev_cropsize = cropsize;
> > - }
> > -@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image,
> struct crop_mask *crop,
> > - }
> > - else
> > - crop_buff = new_buff;
> > -+ if (!crop_buff)
> > -+ {
> > -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop
> buffer");
> > -+ return (-1);
> > -+ }
> > - _TIFFmemset(crop_buff, 0, cropsize);
> > - }
> > - }
> > -
> > -- if (!crop_buff)
> > -- {
> > -- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop
> buffer");
> > -- return (-1);
> > -- }
> > - *crop_buff_ptr = crop_buff;
> > -
> > - if (crop->crop_mode & CROP_INVERT)
> > -@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp,
> > uint16_t bps, uint32_t width, ui
> > - * fill-column: 78
> > - * End:
> > - */
> > -+
> > ---
> > -2.25.1
> > -
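Review bot: The 4.4.0 change list Steve quotes above has no entry for issue #392 or for the limitMalloc() return-value checks in createImageSection() and createCroppedImage(); the closest line, "tiff2ps: In limitMalloc() check for negative size (fixes issue #284)", is a different change. Before dropping the CVE-2022-0907 backport, confirm that upstream commit a139191cc86f4dc44c74a0f22928e0fb38ed2485 is contained in the 4.4.0 release and state that in the commit message.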
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-c
> > alling-memcpy-with-a-null-.patch
> > b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-c
> > alling-memcpy-with-a-null-.patch
> > deleted file mode 100644
> > index 719dabaecc..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-c
> > alling-memcpy-with-a-null-.patch
> > +++ /dev/null
> > @@ -1,33 +0,0 @@
> > -CVE: CVE-2022-0908
> > -Upstream-Status: Backport
> > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > -
> > -From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00
> > 2001
> > -From: Even Rouault <even.rouault@spatialys.com>
> > -Date: Thu, 17 Feb 2022 15:28:43 +0100
> > -Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy()
> > with a null
> > - source pointer and size of zero (fixes #383)
> > -
> > ----
> > - libtiff/tif_dirread.c | 5 ++++-
> > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index
> > d84147a0..4e8ce729 100644
> > ---- a/libtiff/tif_dirread.c
> > -+++ b/libtiff/tif_dirread.c
> > -@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp,
> int recover)
> > - _TIFFfree(data);
> > - return(0);
> > - }
> > -- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
> > -+ if (dp->tdir_count > 0 )
> > -+ {
> > -+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
> > -+ }
> > - o[(uint32_t)dp->tdir_count]=0;
> > - if (data!=0)
> > - _TIFFfree(data);
> > ---
> > -2.25.1
> > -
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-39
> > 3.patch
> > b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-39
> > 3.patch
> > deleted file mode 100644
> > index 64dbe9ef92..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-39
> > 3.patch
> > +++ /dev/null
> > @@ -1,36 +0,0 @@
> > -CVE: CVE-2022-0909
> > -Upstream-Status: Backport
> > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > -
> > -From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00
> > 2001
> > -From: 4ugustus <wangdw.augustus@qq.com>
> > -Date: Tue, 8 Mar 2022 16:22:04 +0000
> > -Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393)
> > -
> > ----
> > - libtiff/tif_dir.c | 4 ++--
> > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index
> > a6c254fc..77da6ea4 100644
> > ---- a/libtiff/tif_dir.c
> > -+++ b/libtiff/tif_dir.c
> > -@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
> > - break;
> > - case TIFFTAG_XRESOLUTION:
> > - dblval = va_arg(ap, double);
> > -- if( dblval < 0 )
> > -+ if( dblval != dblval || dblval < 0 )
> > - goto badvaluedouble;
> > - td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
> > - break;
> > - case TIFFTAG_YRESOLUTION:
> > - dblval = va_arg(ap, double);
> > -- if( dblval < 0 )
> > -+ if( dblval != dblval || dblval < 0 )
> > - goto badvaluedouble;
> > - td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
> > - break;
> > ---
> > -2.25.1
> > -
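Review bot: The Subject of the removed file reads "fix the FPE in tiffcrop (#393)", but its change is to _TIFFVSetField() in libtiff/tif_dir.c, where a NaN test (dblval != dblval) is added for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION, so CVE-2022-0909 concerns the library and not only the tool. The recipe keeps a second, similarly named file, 0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch. Naming the issue numbers in the commit message (#393 dropped, #415, #427 and #428 kept) would make clear which FPE fix is which.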
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-i
> > n-tiffcp-278.patch
> > b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-i
> > n-tiffcp-278.patch
> > deleted file mode 100644
> > index afd5e59960..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-i
> > n-tiffcp-278.patch
> > +++ /dev/null
> > @@ -1,57 +0,0 @@
> > -CVE: CVE-2022-0924
> > -Upstream-Status: Backport
> > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > -
> > -From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00
> > 2001
> > -From: 4ugustus <wangdw.augustus@qq.com>
> > -Date: Thu, 10 Mar 2022 08:48:00 +0000
> > -Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278)
> > -
> > ----
> > - tools/tiffcp.c | 17 ++++++++++++++++-
> > - 1 file changed, 16 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index
> > 1f889516..552d8fad 100644
> > ---- a/tools/tiffcp.c
> > -+++ b/tools/tiffcp.c
> > -@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
> > - tdata_t obuf;
> > - tstrip_t strip = 0;
> > - tsample_t s;
> > -+ uint16_t bps = 0, bytes_per_sample;
> > -
> > - obuf = limitMalloc(stripsize);
> > - if (obuf == NULL)
> > - return (0);
> > - _TIFFmemset(obuf, 0, stripsize);
> > - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP,
> &rowsperstrip);
> > -+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
> > -+ if( bps == 0 )
> > -+ {
> > -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
> > -+ _TIFFfree(obuf);
> > -+ return 0;
> > -+ }
> > -+ if( (bps % 8) != 0 )
> > -+ {
> > -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample
> that is not a multiple of 8");
> > -+ _TIFFfree(obuf);
> > -+ return 0;
> > -+ }
> > -+ bytes_per_sample = bps/8;
> > - for (s = 0; s < spp; s++) {
> > - uint32_t row;
> > - for (row = 0; row < imagelength; row += rowsperstrip) {
> > -@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
> > -
> > - cpContigBufToSeparateBuf(
> > - obuf, (uint8_t*) buf + row * rowsize + s,
> > -- nrows, imagewidth, 0, 0, spp, 1);
> > -+ nrows, imagewidth, 0, 0, spp,
> > -+ bytes_per_sample);
> > - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
> > - TIFFError(TIFFFileName(out),
> > - "Error, can't write strip %"PRIu32,
> > ---
> > -2.25.1
> > -
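Review bot: the file removed here is the only carrier of the `CVE: CVE-2022-0924` tag, yet the commit message says just "Drop all CVE backports for tiff_4.3.0" and never names this CVE or the upstream commit that must be present in 4.4.0. The deleted patch header gives `Upstream-Status: Backport` without a URL, so it cannot be checked from this mail that the tiffcp `bytes_per_sample` fix is in the new tarball. Please list each dropped CVE id in the commit log with a statement that its fix is part of the 4.4.0 release, since once the tag is gone the CVE check has only the version number to go on.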
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7d
> > f7975586b.patch
> > b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7d
> > f7975586b.patch
> > deleted file mode 100644
> > index 0b41dde606..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7d
> > f7975586b.patch
> > +++ /dev/null
> > @@ -1,30 +0,0 @@
> > -From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00
> > 2001
> > -From: Even Rouault <even.rouault@spatialys.com>
> > -Date: Sat, 5 Feb 2022 20:36:41 +0100
> > -Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a
> > null
> > - source pointer and size of zero (fixes #362)
> > -
> > -Upstream-Status: Backport
> > -CVE: CVE-2022-0562
> > -
> > ----
> > - libtiff/tif_dirread.c | 3 ++-
> > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index
> > 2bbc4585..23194ced 100644
> > ---- a/libtiff/tif_dirread.c
> > -+++ b/libtiff/tif_dirread.c
> > -@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
> > - goto bad;
> > - }
> > -
> > -- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo,
> old_extrasamples * sizeof(uint16_t));
> > -+ if (old_extrasamples > 0)
> > -+ memcpy(new_sampleinfo,
> > -+ tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
> > - _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo,
> tif->tif_dir.td_extrasamples);
> > - _TIFFfree(new_sampleinfo);
> > - }
> > ---
> > -GitLab
> > -
> > diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
> > b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
> > deleted file mode 100644
> > index 71b85cac10..0000000000
> > --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
> > +++ /dev/null
> > @@ -1,212 +0,0 @@
> > -From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00
> > 2001
> > -From: Even Rouault <even.rouault@spatialys.com>
> > -Date: Sun, 5 Dec 2021 14:37:46 +0100
> > -Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
> > -
> > -to avoid having the size of the strip arrays inconsistent with the
> > -number of strips returned by TIFFNumberOfStrips(), which may cause
> > -out-ouf-bounds array read afterwards.
> > -
> > -One of the OJPEG hack that alters SamplesPerPixel may influence the
> > -number of strips. Hence compute tif_dir.td_nstrips only afterwards.
> > -
> > -CVE: CVE-2022-1354
> > -
> > -Upstream-Status: Backport
> > -[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6ec
> > a13fac543a542798]
> > -
> > -Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> > ----
> > - libtiff/tif_dirread.c | 162
> > ++++++++++++++++++++++--------------------
> > - 1 file changed, 83 insertions(+), 79 deletions(-)
> > -
> > -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index
> > 8f434ef5..14c031d1 100644
> > ---- a/libtiff/tif_dirread.c
> > -+++ b/libtiff/tif_dirread.c
> > -@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
> > - MissingRequired(tif,"ImageLength");
> > - goto bad;
> > - }
> > -- /*
> > -- * Setup appropriate structures (by strip or by tile)
> > -- */
> > -- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
> > -- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
> > -- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
> > -- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
> > -- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
> > -- tif->tif_flags &= ~TIFF_ISTILED;
> > -- } else {
> > -- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
> > -- tif->tif_flags |= TIFF_ISTILED;
> > -- }
> > -- if (!tif->tif_dir.td_nstrips) {
> > -- TIFFErrorExt(tif->tif_clientdata, module,
> > -- "Cannot handle zero number of %s",
> > -- isTiled(tif) ? "tiles" : "strips");
> > -- goto bad;
> > -- }
> > -- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
> > -- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
> > -- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
> > -- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
> > --#ifdef OJPEG_SUPPORT
> > -- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
> > -- (isTiled(tif)==0) &&
> > -- (tif->tif_dir.td_nstrips==1)) {
> > -- /*
> > -- * XXX: OJPEG hack.
> > -- * If a) compression is OJPEG, b) it's not a tiled TIFF,
> > -- * and c) the number of strips is 1,
> > -- * then we tolerate the absence of stripoffsets tag,
> > -- * because, presumably, all required data is in the
> > -- * JpegInterchangeFormat stream.
> > -- */
> > -- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
> > -- } else
> > --#endif
> > -- {
> > -- MissingRequired(tif,
> > -- isTiled(tif) ? "TileOffsets" : "StripOffsets");
> > -- goto bad;
> > -- }
> > -- }
> > -+
> > - /*
> > - * Second pass: extract other information.
> > - */
> > -@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
> > - } /* -- if (!dp->tdir_ignore) */
> > - } /* -- for-loop -- */
> > -
> > -- if( tif->tif_mode == O_RDWR &&
> > -- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
> > -- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
> > -- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
> > -- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
> > -- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
> > -- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
> > -- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
> > -- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
> > -- {
> > -- /* Directory typically created with TIFFDeferStrileArrayWriting() */
> > -- TIFFSetupStrips(tif);
> > -- }
> > -- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
> > -- {
> > -- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
> > -- {
> > -- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
> > -- tif->tif_dir.td_nstrips,
> > -- &tif->tif_dir.td_stripoffset_p))
> > -- {
> > -- goto bad;
> > -- }
> > -- }
> > -- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
> > -- {
> > -- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
> > -- tif->tif_dir.td_nstrips,
> > -- &tif->tif_dir.td_stripbytecount_p))
> > -- {
> > -- goto bad;
> > -- }
> > -- }
> > -- }
> > --
> > - /*
> > - * OJPEG hack:
> > - * - If a) compression is OJPEG, and b) photometric tag is missing,
> > -@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
> > - }
> > - }
> > -
> > -+ /*
> > -+ * Setup appropriate structures (by strip or by tile)
> > -+ * We do that only after the above OJPEG hack which alters
> SamplesPerPixel
> > -+ * and thus influences the number of strips in the separate planarconfig.
> > -+ */
> > -+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
> > -+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
> > -+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
> > -+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
> > -+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
> > -+ tif->tif_flags &= ~TIFF_ISTILED;
> > -+ } else {
> > -+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
> > -+ tif->tif_flags |= TIFF_ISTILED;
> > -+ }
> > -+ if (!tif->tif_dir.td_nstrips) {
> > -+ TIFFErrorExt(tif->tif_clientdata, module,
> > -+ "Cannot handle zero number of %s",
> > -+ isTiled(tif) ? "tiles" : "strips");
> > -+ goto bad;
> > -+ }
> > -+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
> > -+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
> > -+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
> > -+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { #ifdef
> > -+OJPEG_SUPPORT
> > -+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
> > -+ (isTiled(tif)==0) &&
> > -+ (tif->tif_dir.td_nstrips==1)) {
> > -+ /*
> > -+ * XXX: OJPEG hack.
> > -+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
> > -+ * and c) the number of strips is 1,
> > -+ * then we tolerate the absence of stripoffsets tag,
> > -+ * because, presumably, all required data is in the
> > -+ * JpegInterchangeFormat stream.
> > -+ */
> > -+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
> > -+ } else
> > -+#endif
> > -+ {
> > -+ MissingRequired(tif,
> > -+ isTiled(tif) ? "TileOffsets" : "StripOffsets");
> > -+ goto bad;
> > -+ }
> > -+ }
> > -+
> > -+ if( tif->tif_mode == O_RDWR &&
> > -+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
> > -+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
> > -+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
> > -+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
> > -+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
> > -+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
> > -+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
> > -+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
> > -+ {
> > -+ /* Directory typically created with TIFFDeferStrileArrayWriting() */
> > -+ TIFFSetupStrips(tif);
> > -+ }
> > -+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
> > -+ {
> > -+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
> > -+ {
> > -+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
> > -+ tif->tif_dir.td_nstrips,
> > -+ &tif->tif_dir.td_stripoffset_p))
> > -+ {
> > -+ goto bad;
> > -+ }
> > -+ }
> > -+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
> > -+ {
> > -+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
> > -+ tif->tif_dir.td_nstrips,
> > -+ &tif->tif_dir.td_stripbytecount_p))
> > -+ {
> > -+ goto bad;
> > -+ }
> > -+ }
> > -+ }
> > -+
> > - /*
> > - * Make sure all non-color channels are extrasamples.
> > - * If it's not the case, define them as such.
> > ---
> > -2.25.1
> > -
> > diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
> > b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
> > deleted file mode 100644
> > index e59f5aad55..0000000000
> > --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
> > +++ /dev/null
> > @@ -1,62 +0,0 @@
> > -From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00
> > 2001
> > -From: Su_Laus <sulau@freenet.de>
> > -Date: Sat, 2 Apr 2022 22:33:31 +0200
> > -Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string
> > (fixes #400)
> > -
> > -CVE: CVE-2022-1355
> > -
> > -Upstream-Status: Backport
> > -[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7d
> > b671af7db3584bc2]
> > -
> > -Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> > ----
> > - tools/tiffcp.c | 25 ++++++++++++++++++++-----
> > - 1 file changed, 20 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index
> > fd129bb7..8d944ff6 100644
> > ---- a/tools/tiffcp.c
> > -+++ b/tools/tiffcp.c
> > -@@ -274,19 +274,34 @@ main(int argc, char* argv[])
> > - deftilewidth = atoi(optarg);
> > - break;
> > - case 'B':
> > -- *mp++ = 'b'; *mp = '\0';
> > -+ if (strlen(mode) < (sizeof(mode) - 1))
> > -+ {
> > -+ *mp++ = 'b'; *mp = '\0';
> > -+ }
> > - break;
> > - case 'L':
> > -- *mp++ = 'l'; *mp = '\0';
> > -+ if (strlen(mode) < (sizeof(mode) - 1))
> > -+ {
> > -+ *mp++ = 'l'; *mp = '\0';
> > -+ }
> > - break;
> > - case 'M':
> > -- *mp++ = 'm'; *mp = '\0';
> > -+ if (strlen(mode) < (sizeof(mode) - 1))
> > -+ {
> > -+ *mp++ = 'm'; *mp = '\0';
> > -+ }
> > - break;
> > - case 'C':
> > -- *mp++ = 'c'; *mp = '\0';
> > -+ if (strlen(mode) < (sizeof(mode) - 1))
> > -+ {
> > -+ *mp++ = 'c'; *mp = '\0';
> > -+ }
> > - break;
> > - case '8':
> > -- *mp++ = '8'; *mp = '\0';
> > -+ if (strlen(mode) < (sizeof(mode)-1))
> > -+ {
> > -+ *mp++ = '8'; *mp = '\0';
> > -+ }
> > - break;
> > - case 'x':
> > - pageInSeq = 1;
> > ---
> > -2.25.1
> > -
> > diff --git
> > a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a
> > 667ddbdef.patch
> > b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a
> > 667ddbdef.patch
> > deleted file mode 100644
> > index 74f9649fdf..0000000000
> > ---
> > a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a
> > 667ddbdef.patch
> > +++ /dev/null
> > @@ -1,32 +0,0 @@
> > -From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00
> > 2001
> > -From: Even Rouault <even.rouault@spatialys.com>
> > -Date: Sun, 6 Feb 2022 13:08:38 +0100
> > -Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a
> > null
> > - source pointer and size of zero (fixes #362)
> > -
> > -Upstream-Status: Backport
> > -CVE: CVE-2022-0561
> > -
> > ----
> > - libtiff/tif_dirread.c | 5 +++--
> > - 1 file changed, 3 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index
> > 23194ced..50ebf8ac 100644
> > ---- a/libtiff/tif_dirread.c
> > -+++ b/libtiff/tif_dirread.c
> > -@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir,
> uint32_t nstrips, uint64_t** l
> > - _TIFFfree(data);
> > - return(0);
> > - }
> > -- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count *
> sizeof(uint64_t));
> > -- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips -
> (uint32_t)dir->tdir_count) * sizeof(uint64_t));
> > -+ if( dir->tdir_count )
> > -+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count *
> sizeof(uint64_t));
> > -+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0,
> > -+ (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
> > - _TIFFfree(data);
> > - data=resizeddata;
> > - }
> > ---
> > -GitLab
> > -
> > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> > b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> > similarity index 75%
> > rename from meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> > rename to meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> > index b5ccd859f3..e30df0b3e9 100644
> > --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> > +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> > @@ -9,22 +9,11 @@ LIC_FILES_CHKSUM =
> "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
> > CVE_PRODUCT = "libtiff"
> >
> > SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
> > - file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
> > - file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
> > - file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
> > - file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \
> > - file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
> \
> > - file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \
> > - file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-
> .patch \
> > - file://0005-fix-the-FPE-in-tiffcrop-393.patch \
> > - file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \
> > file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
> > - file://CVE-2022-1354.patch \
> > - file://CVE-2022-1355.patch \
> > file://CVE-2022-34526.patch \
> > "
> >
> > -SRC_URI[sha256sum] =
> "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
> > +SRC_URI[sha256sum] =
> "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
> >
> > # exclude betas
> > UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
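Review bot: the SRC_URI list still carries `0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch` and `CVE-2022-34526.patch`, which the commit message's "Drop all CVE backports" does not account for. Please say in the log that these two are not in 4.4.0 and confirm they still apply to the new source without fuzz (`bitbake -c patch tiff`). The tarball is fetched over plain `http://`, so the new `SRC_URI[sha256sum]` is the only integrity check; state what the value was verified against.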
> > --
> > 2.37.3
> >
* RE: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953
2022-09-29 8:33 ` [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953 jay.shen.teoh
@ 2022-10-19 19:32 ` Qiu, Zheng
2022-10-19 21:06 ` Randy MacLeod
0 siblings, 1 reply; 8+ messages in thread
From: Qiu, Zheng @ 2022-10-19 19:32 UTC (permalink / raw)
To: Teoh, Jay Shen; +Cc: openembedded-core@lists.openembedded.org
kirkstone now has tiff version 4.3.0.
As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, this issue is reported here: https://gitlab.com/libtiff/libtiff/-/issues/414
I tested with the libtiff source code at version 4.3.0 by using "/libtiff$ git checkout v3.3.0" and followed the steps listed in the bug report; I could not reproduce the bug.
Using "/libtiff$ git checkout b51bb157", I was able to reproduce the problem by following the steps listed above. That confirms the issue occurred after v3.3.0, and the commit that brings in the bug is not on kirkstone, which means the issue/fix is not applicable to kirkstone.
Zheng Qiu
Linux Developer
_______________
Wind River
M/ (437) 341-1849
>-----Original Message-----
>From: openembedded-core@lists.openembedded.org <openembedded-
>core@lists.openembedded.org> On Behalf Of Teoh, Jay Shen
>Sent: Thursday, September 29, 2022 4:33 AM
>To: openembedded-core@lists.openembedded.org
>Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953
>
>From: Teoh Jay Shen <jay.shen.teoh@intel.com>
>
>Link for the patch : https://gitlab.com/libtiff/libtiff/-
>/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3
>
>Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
>---
> .../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
> 2 files changed, 87 insertions(+)
> create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-
>2953.patch
>
>diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
>b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
>new file mode 100644
>index 0000000000..2122b46566
>--- /dev/null
>+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
>@@ -0,0 +1,86 @@
>+CVE: CVE-2022-2953
>+Upstream-Status: Backport
>+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
>+
>+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00
>2001
>+From: Su_Laus <sulau@freenet.de>
>+Date: Mon, 15 Aug 2022 22:11:03 +0200
>+Subject: [PATCH]
>+=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
>+
>+=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20
>+ti?=
>+=?UTF-8?q?ffcrop=20option=20=E2=80=9E-
>S=E2=80=9C=20is=20also=20mutually
>+?=
>+=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-
>Y),=2
>+0-?=
>+ =?UTF-8?q?Z=20and=20-z.?=
>+MIME-Version: 1.0
>+Content-Type: text/plain; charset=UTF-8
>+Content-Transfer-Encoding: 8bit
>+
>+This is now checked and ends tiffcrop if those arguments are not mutually
>exclusive.
>+
>+This MR will fix the following tiffcrop issues: #349, #414, #422, #423,
>+#424
>+---
>+ tools/tiffcrop.c | 31 ++++++++++++++++---------------
>+ 1 file changed, 16 insertions(+), 15 deletions(-)
>+
>+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index
>+90286a5e..c3b758ec 100644
>+--- a/tools/tiffcrop.c
>++++ b/tools/tiffcrop.c
>+@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
>+ #define ROTATECW_270 32
>+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
>+
>+-#define CROP_NONE 0
>+-#define CROP_MARGINS 1
>+-#define CROP_WIDTH 2
>+-#define CROP_LENGTH 4
>+-#define CROP_ZONES 8
>+-#define CROP_REGIONS 16
>++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page-
>>rows/->cols != 0 */
>++#define CROP_MARGINS 1 /* "-m" */
>++#define CROP_WIDTH 2 /* "-X" */
>++#define CROP_LENGTH 4 /* "-Y" */
>++#define CROP_ZONES 8 /* "-Z" */
>++#define CROP_REGIONS 16 /* "-z" */
>+ #define CROP_ROTATE 32
>+ #define CROP_MIRROR 64
>+ #define CROP_INVERT 128
>+@@ -316,7 +316,7 @@ struct crop_mask {
>+ #define PAGE_MODE_RESOLUTION 1
>+ #define PAGE_MODE_PAPERSIZE 2
>+ #define PAGE_MODE_MARGINS 4
>+-#define PAGE_MODE_ROWSCOLS 8
>++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
>+
>+ #define INVERT_DATA_ONLY 10
>+ #define INVERT_DATA_AND_TAG 11
>+@@ -781,7 +781,7 @@ static const char usage_info[] =
>+ " The four debug/dump options are independent, though it makes
>little sense to\n"
>+ " specify a dump file without specifying a detail level.\n"
>+ "\n"
>+-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
>++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
>+ " In no case should the options be applied to a given selection
>successively.\n"
>+ "\n"
>+ ;
>+@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char
>*argv[], char *mp, char *mode, uint32
>+ /*NOTREACHED*/
>+ }
>+ }
>+- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are
>mutually exclusive) --*/
>+- char XY, Z, R;
>++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are
>mutually exclusive) --*/
>++ char XY, Z, R, S;
>+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data-
>>crop_mode & CROP_LENGTH));
>+ Z = (crop_data->crop_mode & CROP_ZONES);
>+ R = (crop_data->crop_mode & CROP_REGIONS);
>+- if ((XY && Z) || (XY && R) || (Z && R)) {
>+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are
>mutually exclusive.->Exit");
>++ S = (page->mode & PAGE_MODE_ROWSCOLS);
>++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S))
>{
>++ TIFFError("tiffcrop input error", "The crop options(-X|-Y),
>++ -Z, -z and -S are mutually exclusive.->Exit");
>+ exit(EXIT_FAILURE);
>+ }
>+ } /* end process_command_opts */
>+--
>+2.34.1
>+
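Review bot: the embedded tiffcrop.c diff looks as if it was re-wrapped before being committed: after `diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index` the blob ids `90286a5e..c3b758ec 100644` sit on an added line of their own, and in the last hunk the TIFFError() string is split over two `++` lines, which would leave an unterminated string literal in tiffcrop.c if the patch applied at all. Please regenerate the file from the upstream commit with git format-patch and check it with `bitbake -c patch tiff`. The patch header should also carry the upstream commit URL after `Upstream-Status: Backport`; at the moment the link is only in the mail's commit message.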
>diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-
>multimedia/libtiff/tiff_4.4.0.bb
>index e30df0b3e9..caf6f60479 100644
>--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
>+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
>@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
> SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
> file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
> file://CVE-2022-34526.patch \
>+ file://CVE-2022-2953.patch \
> "
>
> SRC_URI[sha256sum] =
>"917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed
>"
>--
>2.37.3
* Re: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953
2022-10-19 19:32 ` Qiu, Zheng
@ 2022-10-19 21:06 ` Randy MacLeod
2022-10-19 21:52 ` Steve Sakoman
0 siblings, 1 reply; 8+ messages in thread
From: Randy MacLeod @ 2022-10-19 21:06 UTC (permalink / raw)
To: Qiu, Zheng, Teoh, Jay Shen; +Cc: openembedded-core@lists.openembedded.org
On 2022-10-19 15:32, Qiu, Zheng wrote:
> kirkstone now has tiff version 4.3.0.
>
> As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, this issue is reported here: https://gitlab.com/libtiff/libtiff/-/issues/414
>
> I tested with the libtiff source code at version 4.3.0 by using "/libtiff$ git checkout v3.3.0" and followed the steps listed in the bug report; I could not reproduce the bug.
>
> Using "/libtiff$ git checkout b51bb157", I was able to reproduce the problem by following the steps listed above. That confirms the issue occurred after v3.3.0, and the commit that brings in the bug is not on kirkstone, which means the issue/fix is not applicable to kirkstone.
Hold on...
We also checked, because I'm paranoid, by doing:
$ cd .../poky-contrib.git
$ git checkout stable/kirkstone-nut
$ git pull
$ cd ...
$ . ../poky-contrib.git/tiff-patches
$ bitbake -c patch tiff
$ mkdir cp-tiff-patch-by-bb-kirkstone-nut
$ cp -a tmp/work/core2-64-poky-linux/tiff/4.3.0-r0 cp-tiff-patch-by-bb-kirkstone-nut/
$ cd cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0
$ ./autogen.sh
$ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
$ make -j; make install; make clean
$ wget https://gitlab.com/libtiff/libtiff/uploads/54e5139c4d9d6b740f537c691aad2b03/poc
$ ./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i poc /tmp/foo
and a very similar issue still occurs.
See log below. We'll investigate more and send a patch as needed.
We will enable the address sanitizer and check if the issue
is reproducible in qemux86-64.
../Randy
...
loadImage: Image lacks Photometric interpretation tag.
TIFFFillStrip: Read error on strip 0; got 672 bytes, expected 1142418.
=================================================================
==269609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1864ff695 at pc 0x55de6ca63f9a bp 0x7ffe727049a0 sp 0x7ffe72704990
READ of size 1 at 0x7fd1864ff695 thread T0
    #0 0x55de6ca63f99 in extractImageSection /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897
    #1 0x55de6ca6515a in writeImageSections /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:7085
    #2 0x55de6ca4abe9 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2453
    #3 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7fd189b39e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #5 0x55de6ca413a4 in _start (/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/build_asan/bin/tiffcrop+0x2a3a4)
0x7fd1864ff695 is located 0 bytes to the right of 1142421-byte region [0x7fd1863e8800,0x7fd1864ff695)
allocated by thread T0 here:
    #0 0x7fd18a0a1867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55de6cadcd83 in _TIFFmalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/libtiff/tif_unix.c:314
    #2 0x55de6ca41543 in limitMalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:627
    #3 0x55de6ca61299 in loadImage /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6212
    #4 0x55de6ca4a4a1 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2376
    #5 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897 in extractImageSection
==269609==ABORTING
> Zheng Qiu
> Linux Developer
> _______________
> Wind River
> M/ (437) 341-1849
>
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Teoh, Jay Shen
>> Sent: Thursday, September 29, 2022 4:33 AM
>> To: openembedded-core@lists.openembedded.org
>> Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953
>>
>> From: Teoh Jay Shen <jay.shen.teoh@intel.com>
>>
>> Link for the patch : https://gitlab.com/libtiff/libtiff/-
>> /commit/48d6ece8389b01129e7d357f0985c8f938ce3da3
>>
>> Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
>> ---
>> .../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
>> meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
>> 2 files changed, 87 insertions(+)
>> create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-
>> 2953.patch
>>
>> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
>> b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
>> new file mode 100644
>> index 0000000000..2122b46566
>> --- /dev/null
>> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
>> @@ -0,0 +1,86 @@
>> +CVE: CVE-2022-2953
>> +Upstream-Status: Backport
>> +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
>> +
>> +From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00
>> 2001
>> +From: Su_Laus <sulau@freenet.de>
>> +Date: Mon, 15 Aug 2022 22:11:03 +0200
>> +Subject: [PATCH]
>> +=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
>> +
>> +=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20
>> +ti?=
>> +=?UTF-8?q?ffcrop=20option=20=E2=80=9E-
>> S=E2=80=9C=20is=20also=20mutually
>> +?=
>> +=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-
>> Y),=2
>> +0-?=
>> + =?UTF-8?q?Z=20and=20-z.?=
>> +MIME-Version: 1.0
>> +Content-Type: text/plain; charset=UTF-8
>> +Content-Transfer-Encoding: 8bit
>> +
>> +This is now checked and ends tiffcrop if those arguments are not mutually
>> exclusive.
>> +
>> +This MR will fix the following tiffcrop issues: #349, #414, #422, #423,
>> +#424
>> +---
>> + tools/tiffcrop.c | 31 ++++++++++++++++---------------
>> + 1 file changed, 16 insertions(+), 15 deletions(-)
>> +
>> +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index
>> +90286a5e..c3b758ec 100644
>> +--- a/tools/tiffcrop.c
>> ++++ b/tools/tiffcrop.c
>> +@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
>> + #define ROTATECW_270 32
>> + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
>> +
>> +-#define CROP_NONE 0
>> +-#define CROP_MARGINS 1
>> +-#define CROP_WIDTH 2
>> +-#define CROP_LENGTH 4
>> +-#define CROP_ZONES 8
>> +-#define CROP_REGIONS 16
>> ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page-
>>> rows/->cols != 0 */
>> ++#define CROP_MARGINS 1 /* "-m" */
>> ++#define CROP_WIDTH 2 /* "-X" */
>> ++#define CROP_LENGTH 4 /* "-Y" */
>> ++#define CROP_ZONES 8 /* "-Z" */
>> ++#define CROP_REGIONS 16 /* "-z" */
>> + #define CROP_ROTATE 32
>> + #define CROP_MIRROR 64
>> + #define CROP_INVERT 128
>> +@@ -316,7 +316,7 @@ struct crop_mask {
>> + #define PAGE_MODE_RESOLUTION 1
>> + #define PAGE_MODE_PAPERSIZE 2
>> + #define PAGE_MODE_MARGINS 4
>> +-#define PAGE_MODE_ROWSCOLS 8
>> ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
>> +
>> + #define INVERT_DATA_ONLY 10
>> + #define INVERT_DATA_AND_TAG 11
>> +@@ -781,7 +781,7 @@ static const char usage_info[] =
>> + " The four debug/dump options are independent, though it makes
>> little sense to\n"
>> + " specify a dump file without specifying a detail level.\n"
>> + "\n"
>> +-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
>> ++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
>> + " In no case should the options be applied to a given selection
>> successively.\n"
>> + "\n"
>> + ;
>> +@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char
>> *argv[], char *mp, char *mode, uint32
>> + /*NOTREACHED*/
>> + }
>> + }
>> +- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are
>> mutually exclusive) --*/
>> +- char XY, Z, R;
>> ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are
>> mutually exclusive) --*/
>> ++ char XY, Z, R, S;
>> + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data-
>>> crop_mode & CROP_LENGTH));
>> + Z = (crop_data->crop_mode & CROP_ZONES);
>> + R = (crop_data->crop_mode & CROP_REGIONS);
>> +- if ((XY && Z) || (XY && R) || (Z && R)) {
>> +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are
>> mutually exclusive.->Exit");
>> ++ S = (page->mode & PAGE_MODE_ROWSCOLS);
>> ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S))
>> {
>> ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y),
>> ++ -Z, -z and -S are mutually exclusive.->Exit");
>> + exit(EXIT_FAILURE);
>> + }
>> + } /* end process_command_opts */
>> +--
>> +2.34.1
>> +
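Review bot: In the last tiffcrop.c hunk the added TIFFError() call is broken across two added lines in the middle of its string literal ("The crop options(-X|-Y)," on one, "-Z, -z and -S are mutually exclusive.->Exit" on the next). A C string literal cannot span lines, and the split gives the hunk 15 new-side lines against the 14 declared in "@@ -2131,13 +2131,14 @@". The "diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index" header of the embedded patch is wrapped the same way, with "90286a5e..c3b758ec 100644" on its own added line. Regenerate CVE-2022-2953.patch from the upstream commit with git format-patch instead of pasting it, so the file applies and compiles unchanged. A smaller point in the same hunk: XY, Z, R and S are char variables holding masked flag values, which works for the 8 and 16 used here but would truncate to zero for a flag of 256 or more; comparing the masked value with != 0 avoids that.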
>> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-
>> multimedia/libtiff/tiff_4.4.0.bb
>> index e30df0b3e9..caf6f60479 100644
>> --- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
>> +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
>> @@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
>> SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
>> file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
>> file://CVE-2022-34526.patch \
>> + file://CVE-2022-2953.patch \
>> "
>>
>> SRC_URI[sha256sum] =
>> "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed
>> "
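Review bot: The SRC_URI addition is made to tiff_4.4.0.bb, so it cannot be applied on its own to a branch that still builds tiff 4.3.0, which is what this thread reports for kirkstone (the reproduction above is built from tiff/4.3.0-r0). State the dependency on patch 1/2 in the commit message, or rebase the backport onto the 4.3.0 recipe so the CVE fix can be taken without the version update.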
>> --
>> 2.37.3
>
>
--
# Randy MacLeod
# Wind River Linux
* Re: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953
2022-10-19 21:06 ` Randy MacLeod
@ 2022-10-19 21:52 ` Steve Sakoman
0 siblings, 0 replies; 8+ messages in thread
From: Steve Sakoman @ 2022-10-19 21:52 UTC (permalink / raw)
To: Randy MacLeod
Cc: Qiu, Zheng, Teoh, Jay Shen,
openembedded-core@lists.openembedded.org
On Wed, Oct 19, 2022 at 11:07 AM Randy MacLeod
<randy.macleod@windriver.com> wrote:
>
> On 2022-10-19 15:32, Qiu, Zheng wrote:
> > kirkstone now has tiff version 4.3.0.
> >
> > As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, this issue is reported here: https://gitlab.com/libtiff/libtiff/-/issues/414
> >
> > Tested with libtiff source code on version 4.3.0 by using " /libtiff$ git checkout v3.3.0", and follow the step listed in the bug report, cannot reproduce the bug.
> >
> > Use " /libtiff$ git checkout b51bb157", is able to reproduce the problem following step listed above. That confirms the issue occurred after v3.3.0, and the commit that brings the bug is not on kirkstone, which means the issue/fix is not applicable for kirkstone.
>
> Hold on...
>
> We also checked, because I'm paranoid, by doing:
>
> $ cd .../poky-contrib.git
> $ git checkout stable/kirkstone-nut
> $ git pull
> $ cd ...
> $ . ../poky-contrib.git/tiff-patches
> $ bitbake -c patch tiff
>
> $ mkdir cp-tiff-patch-by-bb-kirkstone-nut
> $ cp -a tmp/work/core2-64-poky-linux/tiff/4.3.0-r0 cp-tiff-patch-by-bb-kirkstone-nut/
> $ cd cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0
> $ ./autogen.sh
> $ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
> $ make -j; make install; make clean
> $ wget https://gitlab.com/libtiff/libtiff/uploads/54e5139c4d9d6b740f537c691aad2b03/poc
> $ ./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i poc /tmp/foo
>
> and a very similar issue still occurs.
>
> See log below. We'll investigate more and send a patch as needed.
Thanks Randy. I'm pretty sure I didn't take the referenced patch
because it was for a version of tiff not in kirkstone.
But I don't see an email from me explaining why, so my bad :-( I
usually try to give feedback when a patch isn't taken.
Steve
>
> We will enable the address sanitizer and check if the issue
> is reproducible in qemux86-64.
>
> ../Randy
>
>
> ...
>
> loadImage: Image lacks Photometric interpretation tag.
> TIFFFillStrip: Read error on strip 0; got 672 bytes, expected 1142418.
> =================================================================
> ==269609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1864ff695 at pc 0x55de6ca63f9a bp 0x7ffe727049a0 sp 0x7ffe72704990
> READ of size 1 at 0x7fd1864ff695 thread T0
> #0 0x55de6ca63f99 in extractImageSection /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897
> #1 0x55de6ca6515a in writeImageSections /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:7085
> #2 0x55de6ca4abe9 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2453
> #3 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> #4 0x7fd189b39e3f in __libc_start_main_impl ../csu/libc-start.c:392
> #5 0x55de6ca413a4 in _start (/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/build_asan/bin/tiffcrop+0x2a3a4)
>
> 0x7fd1864ff695 is located 0 bytes to the right of 1142421-byte region [0x7fd1863e8800,0x7fd1864ff695)
> allocated by thread T0 here:
> #0 0x7fd18a0a1867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
> #1 0x55de6cadcd83 in _TIFFmalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/libtiff/tif_unix.c:314
> #2 0x55de6ca41543 in limitMalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:627
> #3 0x55de6ca61299 in loadImage /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6212
> #4 0x55de6ca4a4a1 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2376
> #5 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897 in extractImageSection
> Shadow bytes around the buggy address:
> ==269609==ABORTING
>
>
> > Zheng Qiu
> > Linux Developer
> > _______________
> > Wind River
> > M/ (437) 341-1849
> >
> >> -----Original Message-----
> >> From: openembedded-core@lists.openembedded.org <openembedded-
> >> core@lists.openembedded.org> On Behalf Of Teoh, Jay Shen
> >> Sent: Thursday, September 29, 2022 4:33 AM
> >> To: openembedded-core@lists.openembedded.org
> >> Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953
> >>
> >> From: Teoh Jay Shen <jay.shen.teoh@intel.com>
> >>
> >> Link for the patch : https://gitlab.com/libtiff/libtiff/-
> >> /commit/48d6ece8389b01129e7d357f0985c8f938ce3da3
> >>
> >> Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
> >> ---
> >> .../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
> >> meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
> >> 2 files changed, 87 insertions(+)
> >> create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-
> >> 2953.patch
> >>
> >> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
> >> b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
> >> new file mode 100644
> >> index 0000000000..2122b46566
> >> --- /dev/null
> >> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
> >> @@ -0,0 +1,86 @@
> >> +CVE: CVE-2022-2953
> >> +Upstream-Status: Backport
> >> +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
> >> +
> >> +From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00
> >> 2001
> >> +From: Su_Laus <sulau@freenet.de>
> >> +Date: Mon, 15 Aug 2022 22:11:03 +0200
> >> +Subject: [PATCH]
> >> +=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
> >> +
> >> +=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20
> >> +ti?=
> >> +=?UTF-8?q?ffcrop=20option=20=E2=80=9E-
> >> S=E2=80=9C=20is=20also=20mutually
> >> +?=
> >> +=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-
> >> Y),=2
> >> +0-?=
> >> + =?UTF-8?q?Z=20and=20-z.?=
> >> +MIME-Version: 1.0
> >> +Content-Type: text/plain; charset=UTF-8
> >> +Content-Transfer-Encoding: 8bit
> >> +
> >> +This is now checked and ends tiffcrop if those arguments are not mutually
> >> exclusive.
> >> +
> >> +This MR will fix the following tiffcrop issues: #349, #414, #422, #423,
> >> +#424
> >> +---
> >> + tools/tiffcrop.c | 31 ++++++++++++++++---------------
> >> + 1 file changed, 16 insertions(+), 15 deletions(-)
> >> +
> >> +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index
> >> +90286a5e..c3b758ec 100644
> >> +--- a/tools/tiffcrop.c
> >> ++++ b/tools/tiffcrop.c
> >> +@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
> >> + #define ROTATECW_270 32
> >> + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
> >> +
> >> +-#define CROP_NONE 0
> >> +-#define CROP_MARGINS 1
> >> +-#define CROP_WIDTH 2
> >> +-#define CROP_LENGTH 4
> >> +-#define CROP_ZONES 8
> >> +-#define CROP_REGIONS 16
> >> ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page-
> >>> rows/->cols != 0 */
> >> ++#define CROP_MARGINS 1 /* "-m" */
> >> ++#define CROP_WIDTH 2 /* "-X" */
> >> ++#define CROP_LENGTH 4 /* "-Y" */
> >> ++#define CROP_ZONES 8 /* "-Z" */
> >> ++#define CROP_REGIONS 16 /* "-z" */
> >> + #define CROP_ROTATE 32
> >> + #define CROP_MIRROR 64
> >> + #define CROP_INVERT 128
> >> +@@ -316,7 +316,7 @@ struct crop_mask {
> >> + #define PAGE_MODE_RESOLUTION 1
> >> + #define PAGE_MODE_PAPERSIZE 2
> >> + #define PAGE_MODE_MARGINS 4
> >> +-#define PAGE_MODE_ROWSCOLS 8
> >> ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
> >> +
> >> + #define INVERT_DATA_ONLY 10
> >> + #define INVERT_DATA_AND_TAG 11
> >> +@@ -781,7 +781,7 @@ static const char usage_info[] =
> >> + " The four debug/dump options are independent, though it makes
> >> little sense to\n"
> >> + " specify a dump file without specifying a detail level.\n"
> >> + "\n"
> >> +-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
> >> ++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
> >> + " In no case should the options be applied to a given selection
> >> successively.\n"
> >> + "\n"
> >> + ;
> >> +@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char
> >> *argv[], char *mp, char *mode, uint32
> >> + /*NOTREACHED*/
> >> + }
> >> + }
> >> +- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are
> >> mutually exclusive) --*/
> >> +- char XY, Z, R;
> >> ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are
> >> mutually exclusive) --*/
> >> ++ char XY, Z, R, S;
> >> + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data-
> >>> crop_mode & CROP_LENGTH));
> >> + Z = (crop_data->crop_mode & CROP_ZONES);
> >> + R = (crop_data->crop_mode & CROP_REGIONS);
> >> +- if ((XY && Z) || (XY && R) || (Z && R)) {
> >> +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are
> >> mutually exclusive.->Exit");
> >> ++ S = (page->mode & PAGE_MODE_ROWSCOLS);
> >> ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S))
> >> {
> >> ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y),
> >> ++ -Z, -z and -S are mutually exclusive.->Exit");
> >> + exit(EXIT_FAILURE);
> >> + }
> >> + } /* end process_command_opts */
> >> +--
> >> +2.34.1
> >> +
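Review bot: The Upstream-Status line at the top of the new patch file is a bare "Backport" with no reference, and the two commit ids on view disagree: the commit message links to upstream commit 48d6ece8389b01129e7d357f0985c8f938ce3da3, while the embedded patch begins "From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf". Put the upstream commit URL in brackets after "Backport" and make sure it names the commit the file was actually taken from. The Subject header is also left as RFC 2047 encoded-words broken over several lines; a plain-text subject would be readable when the patch is inspected in the recipe tree.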
> >> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-
> >> multimedia/libtiff/tiff_4.4.0.bb
> >> index e30df0b3e9..caf6f60479 100644
> >> --- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> >> +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> >> @@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
> >> SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
> >> file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
> >> file://CVE-2022-34526.patch \
> >> + file://CVE-2022-2953.patch \
> >> "
> >>
> >> SRC_URI[sha256sum] =
> >> "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed
> >> "
> >> --
> >> 2.37.3
> >
> >
> >
>
> --
> # Randy MacLeod
> # Wind River Linux
>
>
>
Thread overview: 8+ messages
2022-09-29 8:33 [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0 jay.shen.teoh
2022-09-29 8:33 ` [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953 jay.shen.teoh
2022-10-19 19:32 ` Qiu, Zheng
2022-10-19 21:06 ` Randy MacLeod
2022-10-19 21:52 ` Steve Sakoman
2022-09-30 15:58 ` [OE-core][kirkstone][PATCH 1/2] tiff: update 4.3.0 -> 4.4.0 Steve Sakoman
2022-10-03 21:28 ` Randy MacLeod
2022-10-04 5:09 ` Teoh, Jay Shen