diff options
author | Patrick Williams <patrick@stwcx.xyz> | 2022-04-21 22:36:50 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2022-04-21 22:37:46 +0300 |
commit | a515de07dfa9eda7a303af296666e2572e581df7 (patch) | |
tree | e2a372f00be0586f0f420f06913c7bba48199dd9 /poky/meta/recipes-multimedia | |
parent | 5ffb1169cb6b3ed547d1b882cd9340cc7b7b6f07 (diff) | |
download | openbmc-a515de07dfa9eda7a303af296666e2572e581df7.tar.xz |
subtree updates
meta-openembedded: c05ae80ba6..9a0caf5b09:
Armin Kuster (1):
pw-am.sh: update to new patcwork system
Changqing Li (1):
zabbix: Fix sereval CVEs
Christian Eggers (2):
ebtables: remove perl from RDEPENDS
graphviz: native: create /usr/lib/graphviz/config6 in populate_sysroot
Jeremy A. Puhlman (1):
cdrkit: remove ${PN} from ${PN}-dev RDEPENDS
Kartikey Rameshbhai Parmar (1):
imagemagick: update SRC_URI branch to main
Martin Jansa (1):
htop: switch branch from master to main
Ovidiu Panait (1):
syslog-ng: adjust control socket location
Peter Kjellerstedt (2):
libsrtp: Switch branch from master to main
net-snmp: Avoid running `make clean` as it may fail
Thomas Perrot (1):
breakpad: fix branch for gtest in SRC_URI
Trevor Gamblin (3):
python3-django: upgrade 2.2.24 -> 2.2.27
python3-django: upgrade 3.2.10 -> 3.2.12
python3-lxml: upgrade 4.6.3 -> 4.6.5
Yi Zhao (1):
apache2: upgrade 2.4.52 -> 2.4.53
poky: e0ab08bb6a..eff78b3802:
Alexander Kanavin (5):
ruby: update 3.0.2 -> 3.0.3
libarchive: upgrade 3.5.1 -> 3.5.2
devtool: explicitly set main or master branches in upgrades when available
util-linux: update 2.37.2 -> 2.37.3
util-linux: upgrade 2.37.3 -> 2.37.4
Anuj Mittal (3):
poky.conf: bump version for 3.4.3 honister release
documentation: prepare for 3.4.3 release
crate-fetch: fix setscene failures
Bill Pittman (1):
wic: Use custom kernel path if provided
Bruce Ashfield (13):
linux-yocto/5.10: update to v5.10.96
linux-yocto/5.10: update to v5.10.99
linux-yocto/5.10: ppc/riscv: fix build with binutils 2.3.8
linux-yocto/5.10: fix dssall build error with binutils 2.3.8
linux-yocto/5.10: features/zram: remove CONFIG_ZRAM_DEF_COMP
linux-yocto/5.10: update to v5.10.101
linux-yocto/5.10: Fix ramoops/ftrace
linux-yocto/5.10: update to v5.10.103
linux-yocto: nohz_full boot arg fix
linux-yocto/5.10: split vtpm for more granular inclusion
linux-yocto/5.10: cfg/debug: add configs for kcsan
linux-yocto-rt/5.10: update to -rt61
linux-yocto/5.10: update to v5.10.107
Chee Yang Lee (3):
ghostscript: fix CVE-2021-3781
go: update to 1.16.15
webkitgtk: update to 2.32.4
Christian Eggers (3):
mc: fix build if ncurses have been configured without wide characters
sdk: fix search for dynamic loader
gcsections: add nativesdk-cairo to exclude list
Daniel Gomez (1):
bitbake: contrib: Fix hash server Dockerfile dependencies
Daniel Müller (1):
scripts/runqemu-ifdown: Don't treat the last iptables command as special
Daniel Wagenknecht (1):
bitbake: fetch2: ssh: username and password are optional
Florian Amstutz (1):
devtool: deploy-target: Remove stripped binaries in pseudo context
Joe Slater (3):
virglrenderer: fix CVE-2022-0135 and -0175
zip: modify when match.S is built
libxml2: fix CVE-2022-23308 regression
Jose Quaresma (13):
gstreamer1.0: 1.18.5 -> 1.18.6
gstreamer1.0-plugins-base: 1.18.5 -> 1.18.6
gstreamer1.0-plugins-good: 1.18.5 -> 1.18.6
gstreamer1.0-plugins-bad: 1.18.5 -> 1.18.6
gstreamer1.0-plugins-ugly: 1.18.5 -> 1.18.6
gstreamer1.0-vaapi: 1.18.5 -> 1.18.6
gstreamer1.0-libav: 1.18.5 -> 1.18.6
gstreamer1.0-omx: 1.18.5 -> 1.18.6
gstreamer1.0-rtsp-server: 1.18.5 -> 1.18.6
gstreamer1.0-python: 1.18.5 -> 1.18.6
gst-devtools: 1.18.5 -> 1.18.6
gst-examples: 1.18.5 -> 1.18.6
sstate: inside the threadedpool don't write to the shared localdata
Justin Bronder (1):
initramfs-framework: unmount automounts before switch_root
Lee Chee Yang (2):
libarchive : update to 3.5.3
ghostscript: fix CVE-2021-45949
Michael Halstead (3):
releases: update to include 3.4.2
uninative: Upgrade to 3.5
releases: update to include 3.3.5
Michael Opdenacker (3):
documentation: conf.py: update for 3.4.2
docs: fix hardcoded link warning messages
conf/machine: fix QEMU x86 sound options
Minjae Kim (2):
gnu-config: update SRC_URI
virglrenderer: update SRC_URI
Oleksandr Ocheretnyi (1):
kernel-devsrc: do not copy Module.symvers file during install
Oleksandr Suvorov (1):
depmodwrapper-cross: add config directory option
Pavel Zhukov (1):
patch.py: Prevent git repo reinitialization
Peter Kjellerstedt (2):
selftest: recipetool: Correct the URI for socat
oe-pkgdata-util: Adapt to the new variable override syntax
Ralph Siemsen (2):
libxml2: move to gitlab.gnome.org
libxml2: update to 2.9.13
Richard Purdie (26):
bitbake: tests/fetch: Handle upstream master -> main branch change
vim: Upgrade 4269 -> 4134
binutils: Add fix for CVE-2021-45078
default-distrovars.inc: Switch connectivity check to a yoctoproject.org page
oeqa/buildtools: Switch to our webserver instead of example.com
expat: Upgrade 2.4.4 -> 2.4.5
vim: Upgrade 8.2.4314 -> 8.2.4424
tiff: Add backports for two CVEs from upstream
expat: Upgrade 2.4.5 -> 2.4.6
perl: Improve and update module RPDEPENDS
libxml-parser-perl: Add missing RDEPENDS
expat: Upgrade 2.4.6 -> 2.4.7
bitbake: data_smart: Fix overrides file/line message additions
bitbake: cooker: Improve parsing failure from handled exception usability
bitbake: utils: Ensure shell function failure in python logging is correct
vim: Update to 8.2.4524 for further CVE fixes
build-appliance-image: Update to honister head revision
bitbake: build: Tweak exception handling for setscene tasks
build-appliance-image: Update to honister head revision
toaster: Fix broken overrides usage
bitbake: server/xmlrpcserver: Add missing xmlrpcclient import
bitbake: toaster: Fix IMAGE_INSTALL issues with _append vs :append
pseudo: Add patch to workaround paths with crazy lengths
sanity: Add warning for local hasheqiv server with remote sstate mirrors
bitbake: server/process: Disable gc around critical section
conf.py/poky.yaml: Move version information to poky.yaml and read in conf.py
Robert Yang (2):
quilt: Disable external sendmail for deterministic build
cups: Add --with-dbusdir to EXTRA_OECONF for deterministic build
Ross Burton (9):
coreutils: remove obsolete ignored CVE list
cve-check: get_cve_info should open the database read-only
Revert "cve-check: add lockfile to task"
asciidoc: update git repository
devupstream: fix handling of SRC_URI
tiff: backport CVE fixes:
grub: ignore CVE-2021-46705
oeqa/selftest/devtool: ensure Git username is set before upgrade tests
zlib: backport the fix for CVE-2018-25032
Sakib Sajal (1):
go: upgrade 1.16.13 -> 1.16.14
Saul Wold (1):
recipetool: Fix circular reference in SRC_URI
Sean Anderson (1):
libpcap: Disable DPDK explicitly
Stefan Herbrechtsmeier (2):
cve-check: create directory of CVE_CHECK_MANIFEST before copy
gcc-target: fix glob to remove gcc-<version> binary
Tamizharasan Kumar (1):
linux-yocto/5.10: update genericx86* machines to v5.10.99
Tean Cunningham (1):
rootfs-postcommands: amend systemd_create_users add user to group check
Tim Orling (1):
bitbake: toaster: fixtures replace gatesgarth
Zoltán Böszörményi (1):
qemuboot: Fix build error if UNINATIVE_LOADER is unset
pgowda (1):
gcc : Fix CVE-2021-46195
wangmy (4):
linux-firmware: upgrade 20211216 -> 20220209
harfbuzz: upgrade 2.9.0 -> 2.9.1
wireless-regdb: upgrade 2021.08.28 -> 2022.02.18
linux-firmware: upgrade 20220209 -> 20220310
meta-raspberrypi: 1584bddcf3..378d4b6e7b:
Devendra Tewari (1):
linux-raspberrypi: Upgrade to 5.10.83
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I7e76d58ee794d7a2965816d096a757b6f7ddbc74
Diffstat (limited to 'poky/meta/recipes-multimedia')
22 files changed, 559 insertions, 13 deletions
diff --git a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.18.6.bb index 1b46b89cb9..4f4ded8d24 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.18.6.bb @@ -12,7 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV} file://0001-connect-has-a-different-signature-on-musl.patch \ " -SRC_URI[sha256sum] = "fecffc86447daf5c2a06843c757a991d745caa2069446a0d746e99b13f7cb079" +SRC_URI[sha256sum] = "3725622c740a635452e54b79d065f963ab7706ca2403de6c43072ae7610a0de4" DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 gstreamer1.0-plugins-base" RRECOMMENDS:${PN} = "git" diff --git a/poky/meta/recipes-multimedia/gstreamer/gst-examples_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gst-examples_1.18.6.bb index a720bb73ff..2a7a3c3111 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gst-examples_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gst-examples_1.18.6.bb @@ -12,7 +12,7 @@ SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=http file://gst-player.desktop \ " -SRCREV = "fe9a365dc0f1ff632abcfe3322ac5527a2cf30a0" +SRCREV = "70e4fcf4fc8ae19641aa990de5f37d758cdfcea4" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.18.6.bb index a77ec62759..d46342285d 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.18.6.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d \ " SRC_URI = "https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz" -SRC_URI[sha256sum] = "822e008a910e9dd13aedbdd8dc63fedef4040c0ee2e927bab3112e9de693a548" +SRC_URI[sha256sum] = "e4e50dcd5a29441ae34de60d2221057e8064ed824bb6ca4dc0fd9ee88fbe9b81" S = "${WORKDIR}/gst-libav-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.18.6.bb index b2c1eb3ea0..a220d677aa 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.18.6.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-${PV}.tar.xz" -SRC_URI[sha256sum] = "2cd457c1e8deb1a9b39608048fb36a44f6c9a864a6b6115b1453a32e7be93b42" +SRC_URI[sha256sum] = "b5281c938e959fd2418e989cfb6065fdd9fe5f6f87ee86236c9427166e708163" S = "${WORKDIR}/gst-omx-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.18.6.bb index 6209a62712..df148c0aff 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.18.6.bb @@ -11,7 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ file://0005-msdk-fix-includedir-path.patch \ " -SRC_URI[sha256sum] = "a164923b94f0d08578a6fcaeaac6e0c05da788a46903a1086870e9ca45ad678e" +SRC_URI[sha256sum] = "0b1b50ac6311f0c510248b6cd64d6d3c94369344828baa602db85ded5bc70ec9" S = "${WORKDIR}/gst-plugins-bad-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.6.bb index 5e2cca3864..e20145ea8d 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.6.bb @@ -12,7 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ file://0004-glimagesink-Downrank-to-marginal.patch \ " -SRC_URI[sha256sum] = "960b7af4585700db0fdd5b843554e11e2564fed9e061f591fae88a7be6446fa3" +SRC_URI[sha256sum] = "56a9ff2fe9e6603b9e658cf6897d412a173d2180829fe01e92568549c6bd0f5b" S = "${WORKDIR}/gst-plugins-base-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.18.6.bb index ade935df9e..a43b8095c5 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.18.6.bb @@ -8,7 +8,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ " -SRC_URI[sha256sum] = "3aaeeea7765fbf8801acce4a503a9b05f73f04e8a35352e9d00232cfd555796b" +SRC_URI[sha256sum] = "26723ac01fcb360ade1f41d168c7c322d8af4ceb7e55c8c12ed2690d06a76eed" S = "${WORKDIR}/gst-plugins-good-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.18.6.bb index 9777aaee19..5b31627141 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.18.6.bb @@ -13,7 +13,7 @@ LICENSE_FLAGS = "commercial" SRC_URI = " \ https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-${PV}.tar.xz \ " -SRC_URI[sha256sum] = "df32803e98f8a9979373fa2ca7e05e62f977b1097576d3a80619d9f5c69f66d9" +SRC_URI[sha256sum] = "4969c409cb6a88317d2108b8577108e18623b2333d7b587ae3f39459c70e3a7f" S = "${WORKDIR}/gst-plugins-ugly-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.18.6.bb index 74dd15b3eb..c80c3928eb 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.18.6.bb @@ -8,7 +8,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=c34deae4e395ca07e725ab0076a5f740" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "533685871305959d6db89507f3b3aa6c765c2f2b0dacdc32c5a6543e72e5bc52" +SRC_URI[sha256sum] = "bdc0ea22fbd7335ad9decc151561aacc53c51206a9735b81eac700ce5b0bbd4a" DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" RDEPENDS:${PN} += "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.6.bb index 50426ad46d..f105713f33 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.6.bb @@ -10,7 +10,7 @@ PNREAL = "gst-rtsp-server" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "04d63bf48816c6f41c73f6de0f912a7cef0aab39c44162a7bcece1923dfc9d1f" +SRC_URI[sha256sum] = "826f32afbcf94b823541efcac4a0dacdb62f6145ef58f363095749f440262be9" S = "${WORKDIR}/${PNREAL}-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.18.6.bb index 9a68a3fadf..f3255e5554 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.18.6.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "https://gstreamer.freedesktop.org/src/${REALPN}/${REALPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "4a460fb95559f41444eb24864ad2d9e37922b6eea941510310319fc3e0ba727b" +SRC_URI[sha256sum] = "ab6270f1e5e4546fbe6f5ea246d86ca3d196282eb863d46e6cdcc96f867449e0" S = "${WORKDIR}/${REALPN}-${PV}" DEPENDS = "libva gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.18.5.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.18.6.bb index 0d82dd338c..4bf89ed109 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.18.5.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.18.6.bb @@ -25,7 +25,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x file://0006-tests-use-a-dictionaries-for-environment.patch \ file://0007-tests-install-the-environment-for-installed_tests.patch \ " -SRC_URI[sha256sum] = "55862232a63459bbf56abebde3085ca9aec211b478e891dacea4d6df8cafe80a" +SRC_URI[sha256sum] = "4ec816010dd4d3a93cf470ad0a6f25315f52b204eb1d71dfa70ab8a1c3bd06e6" PACKAGECONFIG ??= "${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \ check \ diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch new file mode 100644 index 0000000000..f1a4ab4251 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch @@ -0,0 +1,38 @@ +CVE: CVE-2022-0865 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 24 Feb 2022 22:26:02 +0100 +Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple + IFD in memory-mapped mode and when bit reversal is needed (fixes #385) + +--- + libtiff/tif_jbig.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 74086338..8bfa4cef 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) + */ + tif->tif_flags |= TIFF_NOBITREV; + tif->tif_flags &= ~TIFF_MAPPED; ++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and ++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial ++ * value to be consistent with the state of a non-memory mapped file. ++ */ ++ if (tif->tif_flags&TIFF_BUFFERMMAP) { ++ tif->tif_rawdata = NULL; ++ tif->tif_rawdatasize = 0; ++ tif->tif_flags &= ~TIFF_BUFFERMMAP; ++ tif->tif_flags |= TIFF_MYBUFFER; ++ } + + /* Setup the function pointers for encode, decode, and cleanup. */ + tif->tif_setupdecode = JBIGSetupDecode; +-- +2.25.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch index 72776f09ba..72776f09ba 100644 --- a/poky/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch new file mode 100644 index 0000000000..d31e9650d1 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch @@ -0,0 +1,218 @@ +CVE: CVE-2022-0891 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Tue, 8 Mar 2022 17:02:44 +0000 +Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in + extractImageSection + +--- + tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- + 1 file changed, 36 insertions(+), 56 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b85c2ce7..302a7e91 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -105,8 +105,8 @@ + * of messages to monitor progress without enabling dump logs. + */ + +-static char tiffcrop_version_id[] = "2.4"; +-static char tiffcrop_rev_date[] = "12-13-2010"; ++static char tiffcrop_version_id[] = "2.4.1"; ++static char tiffcrop_rev_date[] = "03-03-2010"; + + #include "tif_config.h" + #include "libport.h" +@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + uint32_t img_length; + #endif +- uint32_t j, shift1, shift2, trailing_bits; ++ uint32_t j, shift1, trailing_bits; + uint32_t row, first_row, last_row, first_col, last_col; + uint32_t src_offset, dst_offset, row_offset, col_offset; +- uint32_t offset1, offset2, full_bytes; ++ uint32_t offset1, full_bytes; + uint32_t sect_width; + #ifdef DEVELMODE + uint32_t sect_length; +@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + int k; + unsigned char bitset; +- static char *bitarray = NULL; + #endif + + img_width = image->width; +@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + dst_offset = 0; + + #ifdef DEVELMODE +- if (bitarray == NULL) +- { +- if ((bitarray = (char *)malloc(img_width)) == NULL) +- { +- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); +- return (-1); +- } +- } ++ char bitarray[39]; + #endif + +- /* rows, columns, width, length are expressed in pixels */ ++ /* rows, columns, width, length are expressed in pixels ++ * first_row, last_row, .. are index into image array starting at 0 to width-1, ++ * last_col shall be also extracted. */ + first_row = section->y1; + last_row = section->y2; + first_col = section->x1; +@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + sect_length = last_row - first_row + 1; + #endif +- img_rowsize = ((img_width * bps + 7) / 8) * spp; +- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ +- trailing_bits = (sect_width * bps) % 8; ++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved ++ * samples rather than separate planes so the same logic works to extract regions ++ * regardless of the way the data are organized in the input file. ++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 ++ */ ++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ ++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ ++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + + #ifdef DEVELMODE + TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", +@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if ((bps % 8) == 0) + { +- col_offset = first_col * spp * bps / 8; ++ col_offset = (first_col * spp * bps) / 8; + for (row = first_row; row <= last_row; row++) + { +- /* row_offset = row * img_width * spp * bps / 8; */ + row_offset = row * img_rowsize; + src_offset = row_offset + col_offset; + +@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + } + else + { /* bps != 8 */ +- shift1 = spp * ((first_col * bps) % 8); +- shift2 = spp * ((last_col * bps) % 8); ++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + for (row = first_row; row <= last_row; row++) + { + /* pull out the first byte */ + row_offset = row * img_rowsize; +- offset1 = row_offset + (first_col * bps / 8); +- offset2 = row_offset + (last_col * bps / 8); ++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + + #ifdef DEVELMODE + for (j = 0, k = 7; j < 8; j++, k--) +@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + sprintf(&bitarray[9], " "); + for (j = 10, k = 7; j < 18; j++, k--) + { +- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; ++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; + sprintf(&bitarray[j], (bitset) ? "1" : "0"); + } + bitarray[18] = '\0'; +- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", +- row, offset1, shift1, offset2, shift2); ++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", ++ row, offset1, shift1, offset1+full_bytes, trailing_bits); + #endif + + bytebuff1 = bytebuff2 = 0; +@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if (trailing_bits != 0) + { +- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); ++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ ++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + sect_buff[dst_offset] = bytebuff2; + #ifdef DEVELMODE + TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", +- offset2, dst_offset); ++ offset1 + full_bytes, dst_offset); + for (j = 30, k = 7; j < 38; j++, k--) + { + bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; +@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + for (j = 0; j <= full_bytes; j++) + { +- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); +- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); ++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ ++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ ++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); ++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); + } + #ifdef DEVELMODE +@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + dst_offset += full_bytes; + ++ /* Copy the trailing_bits for the last byte in the destination buffer. ++ Could come from one ore two bytes of the source buffer. */ + if (trailing_bits != 0) + { + #ifdef DEVELMODE +- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); +-#endif +- if (shift2 > shift1) +- { +- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); +- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); +- sect_buff[dst_offset] = bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 > Shift1\n"); ++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); + #endif ++ /* More than necessary bits are already copied into last destination buffer, ++ * only masking of last byte in destination buffer is necessary.*/ ++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); + } +- else +- { +- if (shift2 < shift1) +- { +- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); +- sect_buff[dst_offset] &= bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 < Shift1\n"); +-#endif +- } +-#ifdef DEVELMODE +- else +- TIFFError ("", " Shift2 == Shift1\n"); +-#endif +- } +- } + #ifdef DEVELMODE + sprintf(&bitarray[28], " "); + sprintf(&bitarray[29], " "); +@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, + width = sections[i].x2 - sections[i].x1 + 1; + length = sections[i].y2 - sections[i].y1 + 1; + sectsize = (uint32_t) +- ceil((width * image->bps + 7) / (double)8) * image->spp * length; ++ ceil((width * image->bps * image->spp + 7) / (double)8) * length; + /* allocate a buffer if we don't have one already */ + if (createImageSection(sectsize, sect_buff_ptr)) + { +-- +2.25.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch new file mode 100644 index 0000000000..a0b856b9e1 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch @@ -0,0 +1,93 @@ +CVE: CVE-2022-0907 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001 +From: Augustus <wangdw.augustus@qq.com> +Date: Mon, 7 Mar 2022 18:21:49 +0800 +Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392) + +--- + tools/tiffcrop.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 302a7e91..e407bf51 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + if (!sect_buff) + { + sect_buff = (unsigned char *)limitMalloc(sectsize); +- *sect_buff_ptr = sect_buff; ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + else +@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + else + sect_buff = new_buff; + ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + } + +- if (!sect_buff) +- { +- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); +- return (-1); +- } + prev_sectsize = sectsize; + *sect_buff_ptr = sect_buff; + +@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (!crop_buff) + { + crop_buff = (unsigned char *)limitMalloc(cropsize); +- *crop_buff_ptr = crop_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + prev_cropsize = cropsize; + } +@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + } + else + crop_buff = new_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + } + } + +- if (!crop_buff) +- { +- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); +- return (-1); +- } + *crop_buff_ptr = crop_buff; + + if (crop->crop_mode & CROP_INVERT) +@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui + * fill-column: 78 + * End: + */ ++ +-- +2.25.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch new file mode 100644 index 0000000000..719dabaecc --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch @@ -0,0 +1,33 @@ +CVE: CVE-2022-0908 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 17 Feb 2022 15:28:43 +0100 +Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #383) + +--- + libtiff/tif_dirread.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index d84147a0..4e8ce729 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ if (dp->tdir_count > 0 ) ++ { ++ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ } + o[(uint32_t)dp->tdir_count]=0; + if (data!=0) + _TIFFfree(data); +-- +2.25.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch new file mode 100644 index 0000000000..64dbe9ef92 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch @@ -0,0 +1,36 @@ +CVE: CVE-2022-0909 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augustus@qq.com> +Date: Tue, 8 Mar 2022 16:22:04 +0000 +Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393) + +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index a6c254fc..77da6ea4 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + break; + case TIFFTAG_XRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); + break; +-- +2.25.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch new file mode 100644 index 0000000000..afd5e59960 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch @@ -0,0 +1,57 @@ +CVE: CVE-2022-0924 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augustus@qq.com> +Date: Thu, 10 Mar 2022 08:48:00 +0000 +Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278) + +--- + tools/tiffcp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 1f889516..552d8fad 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + tdata_t obuf; + tstrip_t strip = 0; + tsample_t s; ++ uint16_t bps = 0, bytes_per_sample; + + obuf = limitMalloc(stripsize); + if (obuf == NULL) + return (0); + _TIFFmemset(obuf, 0, stripsize); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); ++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ bytes_per_sample = bps/8; + for (s = 0; s < spp; s++) { + uint32_t row; + for (row = 0; row < imagelength; row += rowsperstrip) { +@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + + cpContigBufToSeparateBuf( + obuf, (uint8_t*) buf + row * rowsize + s, +- nrows, imagewidth, 0, 0, spp, 1); ++ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { + TIFFError(TIFFFileName(out), + "Error, can't write strip %"PRIu32, +-- +2.25.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/poky/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch new file mode 100644 index 0000000000..0b41dde606 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch @@ -0,0 +1,30 @@ +From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sat, 5 Feb 2022 20:36:41 +0100 +Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +Upstream-Status: Backport +CVE: CVE-2022-0562 + +--- + libtiff/tif_dirread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2bbc4585..23194ced 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) + goto bad; + } + +- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); ++ if (old_extrasamples > 0) ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } +-- +GitLab + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/poky/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch new file mode 100644 index 0000000000..74f9649fdf --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch @@ -0,0 +1,32 @@ +From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 6 Feb 2022 13:08:38 +0100 +Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +Upstream-Status: Backport +CVE: CVE-2022-0561 + +--- + libtiff/tif_dirread.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 23194ced..50ebf8ac 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); +- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); ++ if( dir->tdir_count ) ++ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); ++ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); + _TIFFfree(data); + data=resizeddata; + } +-- +GitLab + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index ef8e8460fb..0a82f0d780 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -9,7 +9,16 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ - file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch" + file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \ + file://561599c99f987dc32ae110370cfdd7df7975586b.patch \ + file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \ + file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \ + file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \ + file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \ + file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \ + file://0005-fix-the-FPE-in-tiffcrop-393.patch \ + file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \ + " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" |