poky/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch - openbmc/openbmc - Gitiles

 From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
 From: Thomas Bernard <miniupnp@free.fr>
 Date: Tue, 10 Nov 2020 01:54:30 +0100
 Subject: [PATCH] gtTileContig(): check Tile width for overflow

 fixes #211

 Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ]
 CVE: CVE-2020-35523
 Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
 ---
  libtiff/tif_getimage.c | 17 +++++++++++++----
  1 file changed, 13 insertions(+), 4 deletions(-)

 diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
 index 4da785d3..96ab1460 100644
 --- a/libtiff/tif_getimage.c
 +++ b/libtiff/tif_getimage.c
 @@ -29,6 +29,7 @@
   */
  #include "tiffiop.h"
  #include <stdio.h>
 +#include <limits.h>

  static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
  static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
 @@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

      flip = setorientation(img);
      if (flip & FLIP_VERTICALLY) {
 -	    y = h - 1;
 -	    toskew = -(int32)(tw + w);
 +        if ((tw + w) > INT_MAX) {
 +            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
 +            return (0);
 +        }
 +        y = h - 1;
 +        toskew = -(int32)(tw + w);
      }
      else {
 -	    y = 0;
 -	    toskew = -(int32)(tw - w);
 +        if (tw > (INT_MAX + w)) {
 +            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
 +            return (0);
 +        }
 +        y = 0;
 +        toskew = -(int32)(tw - w);
      }

      /*
 --
 GitLab
	From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
	From: Thomas Bernard <miniupnp@free.fr>
	Date: Tue, 10 Nov 2020 01:54:30 +0100
	Subject: [PATCH] gtTileContig(): check Tile width for overflow

	fixes #211

	Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ]
	CVE: CVE-2020-35523
	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	---
	libtiff/tif_getimage.c \| 17 +++++++++++++----
	1 file changed, 13 insertions(+), 4 deletions(-)

	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
	index 4da785d3..96ab1460 100644
	--- a/libtiff/tif_getimage.c
	+++ b/libtiff/tif_getimage.c
	@@ -29,6 +29,7 @@
	*/
	#include "tiffiop.h"
	#include <stdio.h>
	+#include <limits.h>

	static int gtTileContig(TIFFRGBAImage, uint32, uint32, uint32);
	static int gtTileSeparate(TIFFRGBAImage, uint32, uint32, uint32);
	@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

	flip = setorientation(img);
	if (flip & FLIP_VERTICALLY) {
	- y = h - 1;
	- toskew = -(int32)(tw + w);
	+ if ((tw + w) > INT_MAX) {
	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
	+ return (0);
	+ }
	+ y = h - 1;
	+ toskew = -(int32)(tw + w);
	}
	else {
	- y = 0;
	- toskew = -(int32)(tw - w);
	+ if (tw > (INT_MAX + w)) {
	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
	+ return (0);
	+ }
	+ y = 0;
	+ toskew = -(int32)(tw - w);
	}

	/*
	--
	GitLab