From: Ross Burton <ross.bur...@arm.com>
Signed-off-by: Ross Burton <ross.bur...@arm.com>
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
(cherry picked from commit a84538dbe760fed94cfe22a39b0a6f95c61c307d)
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
...-the-FPE-in-tiffcrop-415-427-and-428.patch | 182 ++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 +
2 files changed, 183 insertions(+)
create mode 100644
meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
diff --git
a/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
b/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
new file mode 100644
index 0000000000..a28df6ed8c
--- /dev/null
+++
b/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
@@ -0,0 +1,182 @@
+From 029da2cf70e8e38f10d62d4b0be440fb9d145af0 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augus...@qq.com>
+Date: Sat, 11 Jun 2022 09:31:43 +0000
+Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428)
+
+CVE: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.bur...@arm.com>
+Signed-off-by: Steve Sakoman <st...@sakoman.com>
+
+---
+ libtiff/tif_aux.c | 9 +++++++
+ libtiff/tiffiop.h | 1 +
+ tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
+ 3 files changed, 44 insertions(+), 28 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 140f26c..5b88c8d 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
+ return (float)val;
+ }
+
++uint32_t _TIFFClampDoubleToUInt32(double val)
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32_t)val;
++}
++
+ int _TIFFSeekOK(TIFF* tif, toff_t off)
+ {
+ /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index f1151f5..c1d0276 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -368,6 +368,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
+ extern float _TIFFUInt64ToFloat(uint64_t);
+
+ extern float _TIFFClampDoubleToFloat(double);
++extern uint32_t _TIFFClampDoubleToUInt32(double);
+
+ extern tmsize_t
+ _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index e407bf5..b9b13d8 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5182,17 +5182,17 @@ computeInputPixelOffsets(struct crop_mask *crop,
struct image_data *image,
+ {
+ if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit ==
RESUNIT_CENTIMETER))
+ {
+- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
+- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
+- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
+- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
+ }
+ else
+ {
+- x1 = (uint32_t) (crop->corners[i].X1);
+- x2 = (uint32_t) (crop->corners[i].X2);
+- y1 = (uint32_t) (crop->corners[i].Y1);
+- y2 = (uint32_t) (crop->corners[i].Y2);
++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+ if (x1 < 1)
+ crop->regionlist[i].x1 = 0;
+@@ -5255,17 +5255,17 @@ computeInputPixelOffsets(struct crop_mask *crop,
struct image_data *image,
+ {
+ if (crop->res_unit != RESUNIT_INCH && crop->res_unit !=
RESUNIT_CENTIMETER)
+ { /* User has specified pixels as reference unit */
+- tmargin = (uint32_t)(crop->margins[0]);
+- lmargin = (uint32_t)(crop->margins[1]);
+- bmargin = (uint32_t)(crop->margins[2]);
+- rmargin = (uint32_t)(crop->margins[3]);
++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
+ }
+ else
+ { /* inches or centimeters specified */
+- tmargin = (uint32_t)(crop->margins[0] * scale * yres);
+- lmargin = (uint32_t)(crop->margins[1] * scale * xres);
+- bmargin = (uint32_t)(crop->margins[2] * scale * yres);
+- rmargin = (uint32_t)(crop->margins[3] * scale * xres);
++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
+ }
+
+ if ((lmargin + rmargin) > image->width)
+@@ -5295,24 +5295,24 @@ computeInputPixelOffsets(struct crop_mask *crop,
struct image_data *image,
+ if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+ {
+ if (crop->crop_mode & CROP_WIDTH)
+- width = (uint32_t)crop->width;
++ width = _TIFFClampDoubleToUInt32(crop->width);
+ else
+ width = image->width - lmargin - rmargin;
+
+ if (crop->crop_mode & CROP_LENGTH)
+- length = (uint32_t)crop->length;
++ length = _TIFFClampDoubleToUInt32(crop->length);
+ else
+ length = image->length - tmargin - bmargin;
+ }
+ else
+ {
+ if (crop->crop_mode & CROP_WIDTH)
+- width = (uint32_t)(crop->width * scale * image->xres);
++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
+ else
+ width = image->width - lmargin - rmargin;
+
+ if (crop->crop_mode & CROP_LENGTH)
+- length = (uint32_t)(crop->length * scale * image->yres);
++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
+ else
+ length = image->length - tmargin - bmargin;
+ }
+@@ -5711,13 +5711,13 @@ computeOutputPixelOffsets (struct crop_mask *crop,
struct image_data *image,
+ {
+ if (page->res_unit == RESUNIT_INCH || page->res_unit ==
RESUNIT_CENTIMETER)
+ { /* inches or centimeters specified */
+- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps
+ 7) / 8));
+- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps
+ 7) / 8));
++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres *
((image->bps + 7) / 8));
++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres *
((image->bps + 7) / 8));
+ }
+ else
+ { /* Otherwise user has specified pixels as reference unit */
+- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
+- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps
+ 7) / 8));
++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps
+ 7) / 8));
+ }
+
+ if ((hmargin * 2.0) > (pwidth * page->hres))
+@@ -5755,13 +5755,13 @@ computeOutputPixelOffsets (struct crop_mask *crop,
struct image_data *image,
+ {
+ if (page->mode & PAGE_MODE_PAPERSIZE )
+ {
+- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
+- olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin *
2));
++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin *
2));
+ }
+ else
+ {
+- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
+- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 *
page->vres));
+ }
+ }
+
+@@ -5770,6 +5770,12 @@ computeOutputPixelOffsets (struct crop_mask *crop,
struct image_data *image,
+ if (olength > ilength)
+ olength = ilength;
+
++ if (owidth == 0 || olength == 0)
++ {
++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating
the number of pages");
++ exit(EXIT_FAILURE);
++ }
++
+ /* Compute the number of pages required for Portrait or Landscape */
+ switch (page->orient)
+ {
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 7a5e4816a6..c2d4b35d49 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -18,6 +18,7 @@ SRC_URI =
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \
file://0005-fix-the-FPE-in-tiffcrop-393.patch \
file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \
+ file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
"
SRC_URI[sha256sum] =
"0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#168003):
https://lists.openembedded.org/g/openembedded-core/message/168003
Mute This Topic: https://lists.openembedded.org/mt/92373440/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
