openclaw/tqma6-yocto-mirror
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete Yocto mirror with license table for TQMa6UL (2038-compliance)

Browse Source 
- 264 license table entries with exact download URLs (224/264 resolved)
- Complete sources/ directory with all BitBake recipes
- Build configuration: tqma6ul-multi-mba6ulx, spaetzle (musl)
- Full traceability for Softwarefreigabeantrag
- GCC 13.4.0, Linux 6.6.102, U-Boot 2023.04, musl 1.2.4
- License distribution: GPL-2.0 (24), MIT (23), GPL-2.0+ (18), BSD-3 (16)
This commit is contained in:
Siggi (OpenClaw Agent)
2026-03-01 20:58:18 +00:00
commit 16accb6b24
15086 changed files with 1292356 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

238
sources/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch Normal file
View File

@@ -0,0 +1,238 @@
From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Thu, 1 Feb 2024 13:06:08 +0000
Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst
and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes.
CVE: CVE-2023-52355
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
doc/functions/TIFFDeferStrileArrayWriting.rst | 5 +++
doc/functions/TIFFError.rst | 3 ++
doc/functions/TIFFOpen.rst | 13 +++---
doc/functions/TIFFOpenOptions.rst | 44 ++++++++++++++++++-
doc/functions/TIFFStrileQuery.rst | 5 +++
doc/libtiff.rst | 31 ++++++++++++-
6 files changed, 91 insertions(+), 10 deletions(-)
diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst
index 60ee746..705aebc 100644
--- a/doc/functions/TIFFDeferStrileArrayWriting.rst
+++ b/doc/functions/TIFFDeferStrileArrayWriting.rst
@@ -61,6 +61,11 @@ Diagnostics
All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
+Note
+----
+
+This functionality was introduced with libtiff 4.1.
+
See also
--------
diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst
index 99924ad..cf4b37c 100644
--- a/doc/functions/TIFFError.rst
+++ b/doc/functions/TIFFError.rst
@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`.
Furthermore, a **custom defined data structure** *user_data* for the
error handler can be given along.
+Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the
+application-specific handler introduced with libtiff 4.5.
+
Note
----
diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst
index db79d7b..adc474f 100644
--- a/doc/functions/TIFFOpen.rst
+++ b/doc/functions/TIFFOpen.rst
@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the
file should be closed using its file descriptor *fd*.
:c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`,
-but options, such as re-entrant error and warning handlers may be passed
-with the *opts* argument. The *opts* argument may be NULL.
+but options, such as re-entrant error and warning handlers and a limit in byte
+that libtiff internal memory allocation functions are allowed to request per call
+may be passed with the *opts* argument. The *opts* argument may be NULL.
Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument
parameters. The allocated memory for :c:type:`TIFFOpenOptions`
can be released straight after successful execution of the related
@@ -105,9 +106,7 @@ can be released straight after successful execution of the related
but opens a TIFF file with a Unicode filename.
:c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`,
-but options, such as re-entrant error and warning handlers may be passed
-with the *opts* argument. The *opts* argument may be NULL.
-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument.
+but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed.
:c:func:`TIFFSetFileName` sets the file name in the tif-structure
and returns the old file name.
@@ -326,5 +325,5 @@ See also
:doc:`libtiff` (3tiff),
:doc:`TIFFClose` (3tiff),
-:doc:`TIFFStrileQuery`,
-:doc:`TIFFOpenOptions`
\ No newline at end of file
+:doc:`TIFFStrileQuery` (3tiff),
+:doc:`TIFFOpenOptions`
diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst
index 5c67566..23f2975 100644
--- a/doc/functions/TIFFOpenOptions.rst
+++ b/doc/functions/TIFFOpenOptions.rst
@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer.
:c:func:`TIFFOpenOptionsFree` releases the allocated memory for
:c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions`
can be released straight after successful execution of the related
-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`.
+TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`.
:c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the
maximum single memory limit in byte that ``libtiff`` internal memory allocation
functions are allowed to request per call.
+.. note::
+ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc`
+ and :c:func:`_TIFFrealloc` **do not apply** this internal memory
+ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`!
+
:c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to
an application-specific and per-TIFF handle (re-entrant) error handler.
Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data*
@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL.
:c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler,
which is invoked through :c:func:`TIFFWarningExtR`
+Example
+-------
+
+::
+
+ #include "tiffio.h"
+
+ typedef struct MyErrorHandlerUserDataStruct
+ {
+ /* ... any user data structure ... */
+ } MyErrorHandlerUserDataStruct;
+
+ static int myErrorHandler(TIFF *tiff, void *user_data, const char *module,
+ const char *fmt, va_list ap)
+ {
+ MyErrorHandlerUserDataStruct *errorhandler_user_data =
+ (MyErrorHandlerUserDataStruct *)user_data;
+ /*... code of myErrorHandler ...*/
+ return 1;
+ }
+
+
+ main()
+ {
+ tmsize_t limit = (256 * 1024 * 1024);
+ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */};
+
+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
+ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data);
+ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts);
+ TIFFOpenOptionsFree(opts);
+ /* ... go on here ... */
+
+ TIFFClose(tif);
+ }
+
Note
----
diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst
index f8631af..7931fe4 100644
--- a/doc/functions/TIFFStrileQuery.rst
+++ b/doc/functions/TIFFStrileQuery.rst
@@ -66,6 +66,11 @@ Diagnostics
All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
+Note
+----
+
+This functionality was introduced with libtiff 4.1.
+
See also
--------
diff --git a/doc/libtiff.rst b/doc/libtiff.rst
index 6a0054c..d96a860 100644
--- a/doc/libtiff.rst
+++ b/doc/libtiff.rst
@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture.
:c:func:`realloc`, and :c:func:`free` routines in the C library.)
To deal with segmented pointer issues ``libtiff`` also provides
-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove`
+:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp`
routines that mimic the equivalent ANSI C routines, but that are
intended for use with memory allocated through :c:func:`_TIFFmalloc`
and :c:func:`_TIFFrealloc`.
+With ``libtiff`` 4.5 a method was introduced to limit the internal
+memory allocation that functions are allowed to request per call
+(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`).
+
Error Handling
--------------
@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`.
Likewise warning messages are directed to a single handler routine
that can be specified with a call to :c:func:`TIFFSetWarningHandler`
+Further application-specific and per-TIFF handle (re-entrant) error handler
+and warning handler can be set. Please refer to :doc:`/functions/TIFFError`
+and :doc:`/functions/TIFFOpenOptions`.
+
Basic File Handling
-------------------
@@ -139,7 +147,7 @@ a ``"w"`` argument:
main()
{
TIFF* tif = TIFFOpen("foo.tif", "w");
- ... do stuff ...
+ /* ... do stuff ... */
TIFFClose(tif);
}
@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any
buffered information to a file. Note that if you call :c:func:`TIFFClose`
you do not need to call :c:func:`TIFFFlush`.
+.. warning::
+
+ In order to prevent out-of-memory issues when opening a TIFF file
+ :c:func:`TIFFOpenExt` can be used and then the maximum single memory
+ limit in byte that ``libtiff`` internal memory allocation functions
+ are allowed to request per call can be set with
+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
+
+Example
+
+::
+
+ tmsize_t limit = (256 * 1024 * 1024);
+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
+ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
+ TIFFOpenOptionsFree(opts);
+ /* ... go on here ... */
+
TIFF Directories
----------------
--
2.40.0

28
sources/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch Normal file
View File

@@ -0,0 +1,28 @@
From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001
From: Timothy Lyanguzov <theta682@gmail.com>
Date: Thu, 1 Feb 2024 11:19:06 +0000
Subject: [PATCH] Fix typo.
CVE: CVE-2023-52355
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
doc/libtiff.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/libtiff.rst b/doc/libtiff.rst
index d96a860..4fedc3e 100644
--- a/doc/libtiff.rst
+++ b/doc/libtiff.rst
@@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`.
In order to prevent out-of-memory issues when opening a TIFF file
:c:func:`TIFFOpenExt` can be used and then the maximum single memory
- limit in byte that ``libtiff`` internal memory allocation functions
+ limit in bytes that ``libtiff`` internal memory allocation functions
are allowed to request per call can be set with
:c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
--
2.40.0

49
sources/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch Normal file
View File

@@ -0,0 +1,49 @@
From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 1 Feb 2024 11:38:14 +0000
Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
col/row (fixes #622)
CVE: CVE-2023-52356
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
libtiff/tif_getimage.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 41f7dfd..9cd6eee 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
if (TIFFRGBAImageOK(tif, emsg) &&
TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
{
+ if (row >= img.height)
+ {
+ TIFFErrorExtR(tif, TIFFFileName(tif),
+ "Invalid row passed to TIFFReadRGBAStrip().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
img.row_offset = row;
img.col_offset = 0;
@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
return (0);
}
+ if (col >= img.width || row >= img.height)
+ {
+ TIFFErrorExtR(tif, TIFFFileName(tif),
+ "Invalid row/col passed to TIFFReadRGBATile().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
/*
* The TIFFRGBAImageGet() function doesn't allow us to get off the
* edge of the image, even to fill an otherwise valid tile. So we
--
2.40.0

31
sources/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch Normal file
View File

@@ -0,0 +1,31 @@
From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Wed, 17 Jan 2024 06:57:08 +0000
Subject: [PATCH] codec of input image is available, independently from codec
check of output image and return with error if not.
Fixes #606.
CVE: CVE-2023-6228
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
tools/tiffcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index aff0626..a4f7f6b 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out)
if (!TIFFIsCODECConfigured(compression))
return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
+ if (!TIFFIsCODECConfigured(input_compression))
+ return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
if (input_compression == COMPRESSION_JPEG)
{
--
2.40.0

27
sources/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch Normal file
View File

@@ -0,0 +1,27 @@
From e1640519208121f916da1772a5efb6ca28971b86 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 15:04:37 +0000
Subject: [PATCH 3/3] Apply 1 suggestion(s) to 1 file(s)
CVE: CVE-2023-6277
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
libtiff/tif_dirread.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index fe8d6f8..58a4276 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5306,7 +5306,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
{
uint64_t space;
uint16_t n;
- filesize = TIFFGetFileSize(tif);
if (!(tif->tif_flags & TIFF_BIGTIFF))
space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
else
--
2.43.0

36
sources/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch Normal file
View File

@@ -0,0 +1,36 @@
From f500facf7723f1cae725dd288b2daad15e45131c Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Mon, 30 Oct 2023 21:21:57 +0100
Subject: [PATCH 2/3] At image reading, compare data size of some tags / data
structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with
file size to prevent provoked out-of-memory attacks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
See issue #614.
Correct declaration of filesize shadows a previous local.
CVE: CVE-2023-6277
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
libtiff/tif_dirread.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index c52d41f..fe8d6f8 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5305,7 +5305,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
if (td->td_compression != COMPRESSION_NONE)
{
uint64_t space;
- uint64_t filesize;
uint16_t n;
filesize = TIFFGetFileSize(tif);
if (!(tif->tif_flags & TIFF_BIGTIFF))
--
2.43.0

162
sources/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch Normal file
View File

@@ -0,0 +1,162 @@
From b33baa5d9c6aac8ce49b5180dd48e39697ab7a11 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Fri, 27 Oct 2023 22:11:10 +0200
Subject: [PATCH 1/3] At image reading, compare data size of some tags / data
structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with
file size to prevent provoked out-of-memory attacks.
See issue #614.
CVE: CVE-2023-6277
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
libtiff/tif_dirread.c | 90 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 2c49dc6..c52d41f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
datasize = (*count) * typesize;
assert((tmsize_t)datasize > 0);
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size.
+ */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExtR(tif, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
+
if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
return TIFFReadDirEntryErrIo;
@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
if (!_TIFFFillStrilesInternal(tif, 0))
return -1;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(tif, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
+
if (td->td_stripbytecount_p)
_TIFFfreeExt(tif, td->td_stripbytecount_p);
td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
@@ -5807,6 +5836,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
dircount16 = (uint16_t)dircount64;
dirsize = 20;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
"to read TIFF directory");
if (origdir == NULL)
@@ -5921,6 +5964,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
"directories not supported");
return 0;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
"to read TIFF directory");
if (origdir == NULL)
@@ -5968,6 +6025,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
}
}
}
+ /* No check against filesize needed here because "dir" should have same size
+ * than "origdir" checked above. */
dir = (TIFFDirEntry *)_TIFFCheckMalloc(
tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
if (dir == 0)
@@ -7164,6 +7223,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
return (0);
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(tif, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfreeExt(tif, data);
+ return (0);
+ }
resizeddata = (uint64_t *)_TIFFCheckMalloc(
tif, nstrips, sizeof(uint64_t), "for strip array");
if (resizeddata == 0)
@@ -7263,6 +7336,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
}
bytecount = last_offset + last_bytecount - offset;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+ uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
+
newcounts =
(uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
"for chopped \"StripByteCounts\" array");
--
2.43.0

65
sources/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch Normal file
View File

@@ -0,0 +1,65 @@
From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Fri, 1 Dec 2023 20:12:25 +0100
Subject: [PATCH] Check return value of _TIFFCreateAnonField().
Fixes #624
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
CVE: CVE-2024-7006
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
libtiff/tif_dirinfo.c | 2 +-
libtiff/tif_dirread.c | 16 ++++++----------
2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index 0e705e8..4cfdaad 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
if (fld == NULL)
{
fld = _TIFFCreateAnonField(tif, tag, dt);
- if (!_TIFFMergeFields(tif, fld, 1))
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
return NULL;
}
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 58a4276..738df9f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif)
dp->tdir_tag, dp->tdir_tag);
/* the following knowingly leaks the
anonymous field structure */
- if (!_TIFFMergeFields(
- tif,
- _TIFFCreateAnonField(tif, dp->tdir_tag,
- (TIFFDataType)dp->tdir_type),
- 1))
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
{
TIFFWarningExtR(
tif, module,
@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
"Unknown field with tag %" PRIu16 " (0x%" PRIx16
") encountered",
dp->tdir_tag, dp->tdir_tag);
- if (!_TIFFMergeFields(
- tif,
- _TIFFCreateAnonField(tif, dp->tdir_tag,
- (TIFFDataType)dp->tdir_type),
- 1))
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
{
TIFFWarningExtR(tif, module,
"Registering anonymous field with tag %" PRIu16
--
2.44.1

69
sources/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb Normal file
View File

@@ -0,0 +1,69 @@
SUMMARY = "Provides support for the Tag Image File Format (TIFF)"
DESCRIPTION = "Library provides support for the Tag Image File Format \
(TIFF), a widely used format for storing image data. This library \
provide means to easily access and create TIFF image files."
HOMEPAGE = "http://www.libtiff.org/"
LICENSE = "libtiff"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch \
file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
file://CVE-2023-6228.patch \
file://CVE-2023-52355-0001.patch \
file://CVE-2023-52355-0002.patch \
file://CVE-2023-52356.patch \
file://CVE-2024-7006.patch \
"
SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the tiffcrop tool not compiled by default since 4.6.0"
inherit autotools multilib_header
CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no"
PACKAGECONFIG ?= "cxx jpeg zlib lzma \
strip-chopping extrasample-as-alpha check-ycbcr-subsampling"
PACKAGECONFIG[cxx] = "--enable-cxx,--disable-cxx,,"
PACKAGECONFIG[jbig] = "--enable-jbig,--disable-jbig,jbig,"
PACKAGECONFIG[jpeg] = "--enable-jpeg,--disable-jpeg,jpeg,"
PACKAGECONFIG[zlib] = "--enable-zlib,--disable-zlib,zlib,"
PACKAGECONFIG[lzma] = "--enable-lzma,--disable-lzma,xz,"
PACKAGECONFIG[webp] = "--enable-webp,--disable-webp,libwebp,"
PACKAGECONFIG[zstd] = "--enable-zstd,--disable-zstd,zstd,"
PACKAGECONFIG[libdeflate] = "--enable-libdeflate,--disable-libdeflate,libdeflate,"
# Convert single-strip uncompressed images to multiple strips of specified
# size (default: 8192) to reduce memory usage
PACKAGECONFIG[strip-chopping] = "--enable-strip-chopping,--disable-strip-chopping,,"
# Treat a fourth sample with no EXTRASAMPLE_ value as being ASSOCALPHA
PACKAGECONFIG[extrasample-as-alpha] = "--enable-extrasample-as-alpha,--disable-extrasample-as-alpha,,"
# Control picking up YCbCr subsample info. Disable to support files lacking
# the tag
PACKAGECONFIG[check-ycbcr-subsampling] = "--enable-check-ycbcr-subsampling,--disable-check-ycbcr-subsampling,,"
# Support a mechanism allowing reading large strips (usually one strip files)
# in chunks when using TIFFReadScanline. Experimental 4.0+ feature
PACKAGECONFIG[chunky-strip-read] = "--enable-chunky-strip-read,--disable-chunky-strip-read,,"
PACKAGES =+ "tiffxx tiff-utils"
FILES:tiffxx = "${libdir}/libtiffxx.so.*"
FILES:tiff-utils = "${bindir}/*"
do_install:append() {
oe_multilib_header tiffconf.h
}
BBCLASSEXTEND = "native nativesdk"