diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch new file mode 100644 index 0000000000..59c14e2703 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch @@ -0,0 +1,60 @@ +From 6ba36f159fd396ad11bf6b7874554197736ecc8b Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 2 Aug 2025 18:55:54 +0200 +Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for + TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer + dereference. + +Closes #718 + +CVE: CVE-2025-8534 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b] + +Signed-off-by: Yogita Urade +--- + tools/tiff2ps.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c +index a598ede..05a346a 100644 +--- a/tools/tiff2ps.c ++++ b/tools/tiff2ps.c +@@ -2193,10 +2193,20 @@ PS_Lvl2page(FILE* fd, TIFF* tif, uint32_t w, uint32_t h) + tiled_image = TIFFIsTiled(tif); + if (tiled_image) { + num_chunks = TIFFNumberOfTiles(tif); +- TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, ++ "Can't read bytecounts of tiles at PS_Lvl2page()"); ++ return (FALSE); ++ } + } else { + num_chunks = TIFFNumberOfStrips(tif); +- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, ++ "Can't read bytecounts of strips at PS_Lvl2page()"); ++ return (FALSE); ++ } + } + + if (use_rawdata) { +@@ -2791,7 +2801,11 @@ PSRawDataBW(FILE* fd, TIFF* tif, uint32_t w, uint32_t h) + + (void) w; (void) h; + TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder); +- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()"); ++ return; ++ } + + /* + * Find largest strip: +-- +2.40.0 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index d5ae82bc7c..137dc7f478 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -60,6 +60,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8176-0003.patch \ file://CVE-2025-8177.patch \ file://CVE-2024-13978.patch \ + file://CVE-2025-8534.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"