diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch new file mode 100644 index 0000000000..bda3427c0f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch @@ -0,0 +1,84 @@ +From b4cf40182c865db554c6e67034afa6ea12c5554d Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Sun, 6 Feb 2022 10:53:45 +0100 +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting + + uint32_t underflow. + +CVE: CVE-2022-2869 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294] + +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com> + +--- + tools/tiffcrop.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b9b13d8..4a4ace8 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5194,26 +5194,30 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- if (x1 < 1) +- crop->regionlist[i].x1 = 0; +- else ++ /* region needs to be within image sizes 0.. width-1; 0..length-1 ++ * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ++ */ ++ if (x1 > image->width - 1) ++ crop->regionlist[i].x1 = image->width - 1; ++ else if (x1 > 0) + crop->regionlist[i].x1 = (uint32_t) (x1 - 1); + +- if (x2 > image->width - 1) +- crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = (uint32_t) (x2 - 1); ++ if (x2 > image->width - 1) ++ crop->regionlist[i].x2 = image->width - 1; ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); ++ + zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; + +- if (y1 < 1) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = (uint32_t) (y1 - 1); ++ if (y1 > image->length - 1) ++ crop->regionlist[i].y1 = image->length - 1; ++ else if (y1 > 0) ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); + + if (y2 > image->length - 1) + crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = (uint32_t) (y2 - 1); ++ else if (y2 > 0) ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + + zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + +@@ -5376,7 +5380,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + crop_width = endx - startx + 1; + crop_length = endy - starty + 1; + +- if (crop_width <= 0) ++ if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); +@@ -5385,7 +5389,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop_width > image->width) + crop_width = image->width; + +- if (crop_length <= 0) ++ if (endy + 1 <= starty) + { + TIFFError("computeInputPixelOffsets", + "Invalid top/bottom margins and /or image crop length requested"); |