new file mode 100644
@@ -0,0 +1,100 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [mickledore][PATCH] tiffcrop: Do not reuse input buffer for
+ subsequent images. Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+
+Closes #527
+
+CVE: CVE-2023-26965
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf?merge_request_iid=472]
+Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
+
+---
+ tools/tiffcrop.c | 47 +++++++++++++----------------------------------
+ 1 file changed, 13 insertions(+), 34 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index d7ad5ca8..d3e11ba2 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+ uint32_t tw = 0, tl = 0; /* Tile width and length */
+ tmsize_t tile_rowsize = 0;
+ unsigned char *read_buff = NULL;
+- unsigned char *new_buff = NULL;
+ int readunit = 0;
+- static tmsize_t prev_readsize = 0;
+
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+ }
+
+ read_buff = *read_ptr;
+- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+- /* outside buffer */
+- if (!read_buff)
++ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
++ * outside buffer */
++ /* Reuse of read_buff from previous image is quite unsafe, because other
++ * functions (like rotateImage() etc.) reallocate that buffer with different
++ * size without updating the local prev_readsize value. */
++ if (read_buff)
+ {
+- if (buffsize > 0xFFFFFFFFU - 3)
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- read_buff =
+- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ _TIFFfree(read_buff);
+ }
+- else
++ if (buffsize > 0xFFFFFFFFU - 3)
+ {
+- if (prev_readsize < buffsize)
+- {
+- if (buffsize > 0xFFFFFFFFU - 3)
+- {
+- TIFFError("loadImage",
+- "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- new_buff =
+- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- if (!new_buff)
+- {
+- free(read_buff);
+- read_buff = (unsigned char *)limitMalloc(
+- buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- }
+- else
+- read_buff = new_buff;
+- }
++ TIFFError("loadImage", "Required read buffer size too large");
++ return (-1);
+ }
++ read_buff =
++ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!read_buff)
+ {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ TIFFError("loadImage", "Unable to allocate read buffer");
+ return (-1);
+ }
+
+@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+ read_buff[buffsize + 1] = 0;
+ read_buff[buffsize + 2] = 0;
+
+- prev_readsize = buffsize;
+ *read_ptr = read_buff;
+
+ /* N.B. The read functions used copy separate plane data into a buffer as
+--
+2.39.0
+
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2022-48281.patch \
file://CVE-2023-2731.patch \
+ file://CVE-2023-26965.patch \
"
SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
Fixes a bug where a buffer was used after a potential reallocation. Signed-off-by: Natasha Bailey <nat.bailey@windriver.com> --- .../libtiff/files/CVE-2023-26965.patch | 100 ++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 1 + 2 files changed, 101 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch