poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch - openbmc/openbmc - Gitiles

 CVE: CVE-2022-22844
 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@arm.com>

 From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
 From: 4ugustus <wangdw.augustus@qq.com>
 Date: Tue, 25 Jan 2022 16:25:28 +0000
 Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
  count is required (fixes #355)

 ---
  tools/tiffset.c | 16 +++++++++++++---
  1 file changed, 13 insertions(+), 3 deletions(-)

 diff --git a/tools/tiffset.c b/tools/tiffset.c
 index 8c9e23c5..e7a88c09 100644
 --- a/tools/tiffset.c
 +++ b/tools/tiffset.c
 @@ -146,9 +146,19 @@ main(int argc, char* argv[])

              arg_index++;
              if (TIFFFieldDataType(fip) == TIFF_ASCII) {
 -                if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
 -                    fprintf( stderr, "Failed to set %s=%s\n",
 -                             TIFFFieldName(fip), argv[arg_index] );
 +                if(TIFFFieldPassCount( fip )) {
 +                    size_t len;
 +                    len = strlen(argv[arg_index]) + 1;
 +                    if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
 +                            (uint16_t)len, argv[arg_index]) != 1)
 +                        fprintf( stderr, "Failed to set %s=%s\n",
 +                            TIFFFieldName(fip), argv[arg_index] );
 +                } else {
 +                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
 +                            argv[arg_index]) != 1)
 +                        fprintf( stderr, "Failed to set %s=%s\n",
 +                            TIFFFieldName(fip), argv[arg_index] );
 +                }
              } else if (TIFFFieldWriteCount(fip) > 0
  		       || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
                  int     ret = 1;
 --
 2.25.1
	CVE: CVE-2022-22844
	Upstream-Status: Backport
	Signed-off-by: Ross Burton <ross.burton@arm.com>

	From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
	From: 4ugustus <wangdw.augustus@qq.com>
	Date: Tue, 25 Jan 2022 16:25:28 +0000
	Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
	count is required (fixes #355)

	---
	tools/tiffset.c \| 16 +++++++++++++---
	1 file changed, 13 insertions(+), 3 deletions(-)

	diff --git a/tools/tiffset.c b/tools/tiffset.c
	index 8c9e23c5..e7a88c09 100644
	--- a/tools/tiffset.c
	+++ b/tools/tiffset.c
	@@ -146,9 +146,19 @@ main(int argc, char* argv[])

	arg_index++;
	if (TIFFFieldDataType(fip) == TIFF_ASCII) {
	- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
	- fprintf( stderr, "Failed to set %s=%s\n",
	- TIFFFieldName(fip), argv[arg_index] );
	+ if(TIFFFieldPassCount( fip )) {
	+ size_t len;
	+ len = strlen(argv[arg_index]) + 1;
	+ if (len > UINT16_MAX \|\| TIFFSetField(tiff, TIFFFieldTag(fip),
	+ (uint16_t)len, argv[arg_index]) != 1)
	+ fprintf( stderr, "Failed to set %s=%s\n",
	+ TIFFFieldName(fip), argv[arg_index] );
	+ } else {
	+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
	+ argv[arg_index]) != 1)
	+ fprintf( stderr, "Failed to set %s=%s\n",
	+ TIFFFieldName(fip), argv[arg_index] );
	+ }
	} else if (TIFFFieldWriteCount(fip) > 0
	\|\| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
	int ret = 1;
	--
	2.25.1