diff options
Diffstat (limited to 'poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch')
-rw-r--r-- | poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch deleted file mode 100644 index afd5e59960..0000000000 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch +++ /dev/null @@ -1,57 +0,0 @@ -CVE: CVE-2022-0924 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001 -From: 4ugustus <wangdw.augustus@qq.com> -Date: Thu, 10 Mar 2022 08:48:00 +0000 -Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278) - ---- - tools/tiffcp.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 1f889516..552d8fad 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - tdata_t obuf; - tstrip_t strip = 0; - tsample_t s; -+ uint16_t bps = 0, bytes_per_sample; - - obuf = limitMalloc(stripsize); - if (obuf == NULL) - return (0); - _TIFFmemset(obuf, 0, stripsize); - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); -+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps == 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ if( (bps % 8) != 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ bytes_per_sample = bps/8; - for (s = 0; s < spp; s++) { - uint32_t row; - for (row = 0; row < imagelength; row += rowsperstrip) { -@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - - cpContigBufToSeparateBuf( - obuf, (uint8_t*) buf + row * rowsize + s, -- nrows, imagewidth, 0, 0, spp, 1); -+ nrows, imagewidth, 0, 0, spp, bytes_per_sample); - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { - TIFFError(TIFFFileName(out), - "Error, can't write strip %"PRIu32, --- -2.25.1 - |