[oe-core][mickledore][PATCH] tiff: backport a fix for CVE-2023-26965

Nat Bailey via lists.openembedded.org Wed, 28 Jun 2023 10:26:24 -0700

Fixes a bug where a buffer was used after a potential reallocation.

Signed-off-by: Natasha Bailey <nat.bai...@windriver.com>
---
 .../libtiff/files/CVE-2023-26965.patch        | 100 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |   1 +
 2 files changed, 101 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
new file mode 100644
index 0000000000..987ee5178f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,100 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <su...@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [mickledore][PATCH] tiffcrop: Do not reuse input buffer for
+ subsequent images. Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, 
because other functions (like rotateImage() etc.) reallocate that buffer with 
different size without updating the local prev_readsize value.
+
+Closes #527
+
+CVE: CVE-2023-26965
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf?merge_request_iid=472]
+Signed-off-by: Natasha Bailey <nat.bai...@windriver.com>
+
+---
+ tools/tiffcrop.c | 47 +++++++++++++----------------------------------
+ 1 file changed, 13 insertions(+), 34 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index d7ad5ca8..d3e11ba2 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, 
struct dump_opts *dump,
+     uint32_t tw = 0, tl = 0; /* Tile width and length */
+     tmsize_t tile_rowsize = 0;
+     unsigned char *read_buff = NULL;
+-    unsigned char *new_buff = NULL;
+     int readunit = 0;
+-    static tmsize_t prev_readsize = 0;
+ 
+     TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+     TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data 
*image, struct dump_opts *dump,
+     }
+ 
+     read_buff = *read_ptr;
+-    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit 
*/
+-    /* outside buffer */
+-    if (!read_buff)
++    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
++     * outside buffer */
++    /* Reuse of read_buff from previous image is quite unsafe, because other
++     * functions (like rotateImage() etc.) reallocate that buffer with 
different
++     * size without updating the local prev_readsize value. */
++    if (read_buff)
+     {
+-        if (buffsize > 0xFFFFFFFFU - 3)
+-        {
+-            TIFFError("loadImage", "Unable to allocate/reallocate read 
buffer");
+-            return (-1);
+-        }
+-        read_buff =
+-            (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++        _TIFFfree(read_buff);
+     }
+-    else
++    if (buffsize > 0xFFFFFFFFU - 3)
+     {
+-        if (prev_readsize < buffsize)
+-        {
+-            if (buffsize > 0xFFFFFFFFU - 3)
+-            {
+-                TIFFError("loadImage",
+-                          "Unable to allocate/reallocate read buffer");
+-                return (-1);
+-            }
+-            new_buff =
+-                _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-            if (!new_buff)
+-            {
+-                free(read_buff);
+-                read_buff = (unsigned char *)limitMalloc(
+-                    buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-            }
+-            else
+-                read_buff = new_buff;
+-        }
++        TIFFError("loadImage", "Required read buffer size too large");
++        return (-1);
+     }
++    read_buff =
++        (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+     if (!read_buff)
+     {
+-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++        TIFFError("loadImage", "Unable to allocate read buffer");
+         return (-1);
+     }
+ 
+@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, 
struct dump_opts *dump,
+     read_buff[buffsize + 1] = 0;
+     read_buff[buffsize + 2] = 0;
+ 
+-    prev_readsize = buffsize;
+     *read_ptr = read_buff;
+ 
+     /* N.B. The read functions used copy separate plane data into a buffer as
+-- 
+2.39.0
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..2bde8fe9d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2022-48281.patch \
            file://CVE-2023-2731.patch \
+           file://CVE-2023-26965.patch \
 "
 
 SRC_URI[sha256sum] = 
"c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
-- 
2.39.0

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183597): 
https://lists.openembedded.org/g/openembedded-core/message/183597
Mute This Topic: https://lists.openembedded.org/mt/99835604/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][mickledore][PATCH] tiff: backport a fix for CVE-2023-26965

Reply via email to