poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch

From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Thu, 1 Feb 2024 13:06:08 +0000
Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst
 and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes.

CVE: CVE-2023-52355
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4]

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 doc/functions/TIFFDeferStrileArrayWriting.rst |  5 +++
 doc/functions/TIFFError.rst                   |  3 ++
 doc/functions/TIFFOpen.rst                    | 13 +++---
 doc/functions/TIFFOpenOptions.rst             | 44 ++++++++++++++++++-
 doc/functions/TIFFStrileQuery.rst             |  5 +++
 doc/libtiff.rst                               | 31 ++++++++++++-
 6 files changed, 91 insertions(+), 10 deletions(-)

diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst
index 60ee746..705aebc 100644
--- a/doc/functions/TIFFDeferStrileArrayWriting.rst
+++ b/doc/functions/TIFFDeferStrileArrayWriting.rst
@@ -61,6 +61,11 @@ Diagnostics
 All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
 Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
 
+Note
+----
+
+This functionality was introduced with libtiff 4.1.
+
 See also
 --------
 
diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst
index 99924ad..cf4b37c 100644
--- a/doc/functions/TIFFError.rst
+++ b/doc/functions/TIFFError.rst
@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`.
 Furthermore, a **custom defined data structure** *user_data* for the
 error handler can be given along.
 
+Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the
+application-specific handler introduced with libtiff 4.5.
+
 Note
 ----
 
diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst
index db79d7b..adc474f 100644
--- a/doc/functions/TIFFOpen.rst
+++ b/doc/functions/TIFFOpen.rst
@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the
 file should be closed using its file descriptor *fd*.
 
 :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`,
-but options, such as re-entrant error and warning handlers may be passed
-with the *opts* argument. The *opts* argument may be NULL. 
+but options, such as re-entrant error and warning handlers and a limit in byte
+that libtiff internal memory allocation functions are allowed to request per call
+may be passed with the *opts* argument. The *opts* argument may be NULL.
 Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument
 parameters. The allocated memory for :c:type:`TIFFOpenOptions`
 can be released straight after successful execution of the related
@@ -105,9 +106,7 @@ can be released straight after successful execution of the related
 but opens a TIFF file with a Unicode filename.
 
 :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`,
-but options, such as re-entrant error and warning handlers may be passed
-with the *opts* argument. The *opts* argument may be NULL. 
-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument.
+but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed.
 
 :c:func:`TIFFSetFileName` sets the file name in the tif-structure
 and returns the old file name.
@@ -326,5 +325,5 @@ See also
 
 :doc:`libtiff` (3tiff),
 :doc:`TIFFClose` (3tiff),
-:doc:`TIFFStrileQuery`,
-:doc:`TIFFOpenOptions`
\ No newline at end of file
+:doc:`TIFFStrileQuery` (3tiff),
+:doc:`TIFFOpenOptions`
diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst
index 5c67566..23f2975 100644
--- a/doc/functions/TIFFOpenOptions.rst
+++ b/doc/functions/TIFFOpenOptions.rst
@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer.
 :c:func:`TIFFOpenOptionsFree` releases the allocated memory for
 :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions`
 can be released straight after successful execution of the related
-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`.
+TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`.
 
 :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the
 maximum single memory limit in byte that ``libtiff`` internal memory allocation
 functions are allowed to request per call.
 
+.. note::
+    However, the ``libtiff`` external functions :c:func:`_TIFFmalloc`
+    and :c:func:`_TIFFrealloc` **do not apply** this internal memory
+    allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`!
+
 :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to
 an application-specific and per-TIFF handle (re-entrant) error handler.
 Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data* 
@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL.
 :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler,
 which is invoked through  :c:func:`TIFFWarningExtR`
 
+Example
+-------
+
+::
+
+    #include "tiffio.h"
+
+    typedef struct MyErrorHandlerUserDataStruct
+    {
+        /* ... any user data structure ... */
+    } MyErrorHandlerUserDataStruct;
+
+    static int myErrorHandler(TIFF *tiff, void *user_data, const char *module,
+                          const char *fmt, va_list ap)
+    {
+        MyErrorHandlerUserDataStruct *errorhandler_user_data =
+            (MyErrorHandlerUserDataStruct *)user_data;
+        /*... code of myErrorHandler ...*/
+        return 1;
+    }
+
+
+    main()
+    {
+        tmsize_t limit = (256 * 1024 * 1024);
+        MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */};
+
+        TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
+        TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
+        TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data);
+        TIFF *tif = TIFFOpenExt("foo.tif", "r", opts);
+        TIFFOpenOptionsFree(opts);
+        /* ... go on here ... */
+
+        TIFFClose(tif);
+    }
+
 Note
 ----
 
diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst
index f8631af..7931fe4 100644
--- a/doc/functions/TIFFStrileQuery.rst
+++ b/doc/functions/TIFFStrileQuery.rst
@@ -66,6 +66,11 @@ Diagnostics
 All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
 Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
 
+Note
+----
+
+This functionality was introduced with libtiff 4.1.
+
 See also
 --------
 
diff --git a/doc/libtiff.rst b/doc/libtiff.rst
index 6a0054c..d96a860 100644
--- a/doc/libtiff.rst
+++ b/doc/libtiff.rst
@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture.
 :c:func:`realloc`, and :c:func:`free` routines in the C library.)
 
 To deal with segmented pointer issues ``libtiff`` also provides
-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove`
+:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp`
 routines that mimic the equivalent ANSI C routines, but that are
 intended for use with memory allocated through :c:func:`_TIFFmalloc`
 and :c:func:`_TIFFrealloc`.
 
+With ``libtiff`` 4.5 a method was introduced to limit the internal
+memory allocation that functions are allowed to request per call
+(see  :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`).
+
 Error Handling
 --------------
 
@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`.
 Likewise warning messages are directed to a single handler routine
 that can be specified with a call to :c:func:`TIFFSetWarningHandler`
 
+Further application-specific and per-TIFF handle (re-entrant) error handler
+and warning handler can be set. Please refer to :doc:`/functions/TIFFError`
+and :doc:`/functions/TIFFOpenOptions`.
+
 Basic File Handling
 -------------------
 
@@ -139,7 +147,7 @@ a ``"w"`` argument:
     main()
     {
         TIFF* tif = TIFFOpen("foo.tif", "w");
-        ... do stuff ...
+        /* ... do stuff ... */
         TIFFClose(tif);
     }
 
@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any
 buffered information to a file.  Note that if you call :c:func:`TIFFClose`
 you do not need to call :c:func:`TIFFFlush`.
 
+.. warning::
+
+    In order to prevent out-of-memory issues when opening a TIFF file
+    :c:func:`TIFFOpenExt` can be used and then the maximum single memory
+    limit in byte that ``libtiff`` internal memory allocation functions
+    are allowed to request per call can be set with
+    :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
+
+Example
+
+::
+
+    tmsize_t limit = (256 * 1024 * 1024);
+    TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
+    TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
+    TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
+    TIFFOpenOptionsFree(opts);
+    /* ... go on here ... */
+
 TIFF Directories
 ----------------
 
-- 
2.40.0