tiff: upgrade to 4.5.1

Also remove old CVE_CHECK_IGNOREs which are no longer needed due to CPE updates. (From OE-Core rev: 2200fde7011c4206382150c2602b2eb17423d45e) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-30 12:29:55 +00:00 · 2023-07-03 13:19:25 +01:00
parent 7379a88457
commit 238b4ff55e
4 changed files with 2 additions and 178 deletions
@@ -1,29 +0,0 @@
 CVE: CVE-2022-48281
 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@arm.com>
 From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
 From: Su Laus <sulau@freenet.de>
 Date: Sat, 21 Jan 2023 15:58:10 +0000
 Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
 ---
 tools/tiffcrop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
 index 14fa18da..7db69883 100644
 --- a/tools/tiffcrop.c
 +++ b/tools/tiffcrop.c
@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
                     cropsize + NUM_BUFF_OVERSIZE_BYTES);
             else
             {
 -                prev_cropsize = seg_buffs[0].size;
 +                prev_cropsize = seg_buffs[i].size;
                 if (prev_cropsize < cropsize)
                 {
                     next_buff = _TIFFrealloc(
 -- 
 GitLab
@@ -1,99 +0,0 @@
 From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
 From: Su_Laus <sulau@freenet.de>
 Date: Tue, 14 Feb 2023 20:43:43 +0100
 Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
 Fix issue 527
 Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
 Closes #527
 CVE: CVE-2023-26965
 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
 Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
 ---
 tools/tiffcrop.c | 47 +++++++++++++----------------------------------
 1 file changed, 13 insertions(+), 34 deletions(-)
 diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
 index d7ad5ca8..d3e11ba2 100644
 --- a/tools/tiffcrop.c
 +++ b/tools/tiffcrop.c
@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
     uint32_t tw = 0, tl = 0; /* Tile width and length */
     tmsize_t tile_rowsize = 0;
     unsigned char *read_buff = NULL;
 -    unsigned char *new_buff = NULL;
     int readunit = 0;
 -    static tmsize_t prev_readsize = 0;
     TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
     TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
     }
     read_buff = *read_ptr;
 -    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
 -    /* outside buffer */
 -    if (!read_buff)
 +    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
 +     * outside buffer */
 +    /* Reuse of read_buff from previous image is quite unsafe, because other
 +     * functions (like rotateImage() etc.) reallocate that buffer with different
 +     * size without updating the local prev_readsize value. */
 +    if (read_buff)
     {
 -        if (buffsize > 0xFFFFFFFFU - 3)
 -        {
 -            TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
 -            return (-1);
 -        }
 -        read_buff =
 -            (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
 +        _TIFFfree(read_buff);
     }
 -    else
 +    if (buffsize > 0xFFFFFFFFU - 3)
     {
 -        if (prev_readsize < buffsize)
 -        {
 -            if (buffsize > 0xFFFFFFFFU - 3)
 -            {
 -                TIFFError("loadImage",
 -                          "Unable to allocate/reallocate read buffer");
 -                return (-1);
 -            }
 -            new_buff =
 -                _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
 -            if (!new_buff)
 -            {
 -                free(read_buff);
 -                read_buff = (unsigned char *)limitMalloc(
 -                    buffsize + NUM_BUFF_OVERSIZE_BYTES);
 -            }
 -            else
 -                read_buff = new_buff;
 -        }
 +        TIFFError("loadImage", "Required read buffer size too large");
 +        return (-1);
     }
 +    read_buff =
 +        (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
     if (!read_buff)
     {
 -        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
 +        TIFFError("loadImage", "Unable to allocate read buffer");
         return (-1);
     }
@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
     read_buff[buffsize + 1] = 0;
     read_buff[buffsize + 2] = 0;
 -    prev_readsize = buffsize;
     *read_ptr = read_buff;
     /* N.B. The read functions used copy separate plane data into a buffer as
 -- 
 2.39.0
@@ -1,39 +0,0 @@
 From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
 From: Even Rouault <even.rouault@spatialys.com>
 Date: Sat, 29 Apr 2023 12:20:46 +0200
 Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
 strip whith a missing end-of-information marker (fixes #548)
 CVE: CVE-2023-2731
 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]
 ---
 libtiff/tif_lzw.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
 index ba75a07e..d631fa10 100644
 --- a/libtiff/tif_lzw.c
 +++ b/libtiff/tif_lzw.c
@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
     if (sp->read_error)
     {
 +        TIFFErrorExtR(tif, module,
 +                      "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
 +                      "previous error",
 +                      tif->tif_row);
         return 0;
     }
@@ -742,6 +746,7 @@ after_loop:
     return (1);
 no_eoi:
 +    sp->read_error = 1;
     TIFFErrorExtR(tif, module,
                   "LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
                   tif->tif_curstrip);
 -- 
 2.34.1
@@ -8,13 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 CVE_PRODUCT = "libtiff"
-SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"
           file://CVE-2022-48281.patch \
           file://CVE-2023-2731.patch \
           file://CVE-2023-26965.patch \
 "
-SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
+SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
@@ -22,11 +18,6 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
 # and 4.3.0 doesn't have the issue
 CVE_CHECK_IGNORE += "CVE-2015-7313"
 # These issues only affect libtiff post-4.3.0 but before 4.4.0,
 # caused by 3079627e and fixed by b4e79bfa.
 CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
 # Issue is in jbig which we don't enable
 CVE_CHECK_IGNORE += "CVE-2022-1210"
 inherit autotools multilib_header