2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch
new file mode 100644
index 0000000000..29089ab833
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch
@@ -0,0 +1,71 @@
+From 8a7a48d7a645992ca83062b3a1873c951661e2b3 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sun, 11 Aug 2024 16:01:07 +0000
+Subject: [PATCH] Attempt to address tiffcrop Coverity scan issues 1605444, 
+ 1605445, and 1605449.
+CVE: CVE-2025-8851
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffcrop.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 1b072d4..e16bc2d 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5024,7 +5024,14 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
+       buff = srcbuffs[s];
+       strip = (s * strips_per_sample) + j; 
+       bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
+-      rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
+      if (bytes_read < 0)
+      {
+         rows_this_strip = 0;
+      }
+      else
+      {
+         rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
+      }
+       if (bytes_read < 0 && !ignore)
+         {
+         TIFFError(TIFFFileName(in),
+@@ -5434,14 +5441,14 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+       rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
+       }
+ 
+-    if ((lmargin + rmargin) > image->width)
+    if (lmargin == 0xFFFFFFFFU || rmargin == 0xFFFFFFFFU || (lmargin + rmargin) > image->width)
+       {
+       TIFFError("computeInputPixelOffsets", "Combined left and right margins exceed image width");
+       lmargin = (uint32_t) 0;
+       rmargin = (uint32_t) 0;
+       return (-1);
+       }
+-    if ((tmargin + bmargin) > image->length)
+    if (tmargin == 0xFFFFFFFFU || bmargin == 0xFFFFFFFFU || (tmargin + bmargin) > image->length)
+       {
+       TIFFError("computeInputPixelOffsets", "Combined top and bottom margins exceed image length"); 
+       tmargin = (uint32_t) 0;
+@@ -5977,14 +5984,14 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+       vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
+       }
+ 
+-    if ((hmargin * 2.0) > (pwidth * page->hres))
+    if (hmargin == 0xFFFFFFFFU || (hmargin * 2.0) > (pwidth * page->hres))
+       {
+       TIFFError("computeOutputPixelOffsets", 
+                 "Combined left and right margins exceed page width");
+       hmargin = (uint32_t) 0;
+       return (-1);
+       }
+-    if ((vmargin * 2.0) > (plength * page->vres))
+    if (vmargin == 0xFFFFFFFFU || (vmargin * 2.0) > (plength * page->vres))
+       {
+       TIFFError("computeOutputPixelOffsets", 
+                 "Combined top and bottom margins exceed page length"); 
+-- 
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 137dc7f478..6db4d80cdf 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -61,6 +61,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2025-8177.patch \
           file://CVE-2024-13978.patch \
           file://CVE-2025-8534.patch \
+           file://CVE-2025-8851.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch new file mode 100644 index 0000000000..29089ab833 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch
@@ -0,0 +1,71 @@
		1	From 8a7a48d7a645992ca83062b3a1873c951661e2b3 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Sun, 11 Aug 2024 16:01:07 +0000
		4	Subject: [PATCH] Attempt to address tiffcrop Coverity scan issues 1605444,
		5	1605445, and 1605449.
		6
		7	CVE: CVE-2025-8851
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3]
		9
		10	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		11	---
		12	tools/tiffcrop.c \| 17 ++++++++++++-----
		13	1 file changed, 12 insertions(+), 5 deletions(-)
		14
		15	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		16	index 1b072d4..e16bc2d 100644
		17	--- a/tools/tiffcrop.c
		18	+++ b/tools/tiffcrop.c
		19	@@ -5024,7 +5024,14 @@ static int readSeparateStripsIntoBuffer (TIFF in, uint8_t obuf, uint32_t lengt
		20	buff = srcbuffs[s];
		21	strip = (s * strips_per_sample) + j;
		22	bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
		23	- rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
		24	+ if (bytes_read < 0)
		25	+ {
		26	+ rows_this_strip = 0;
		27	+ }
		28	+ else
		29	+ {
		30	+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
		31	+ }
		32	if (bytes_read < 0 && !ignore)
		33	{
		34	TIFFError(TIFFFileName(in),
		35	@@ -5434,14 +5441,14 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		36	rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
		37	}
		38
		39	- if ((lmargin + rmargin) > image->width)
		40	+ if (lmargin == 0xFFFFFFFFU \|\| rmargin == 0xFFFFFFFFU \|\| (lmargin + rmargin) > image->width)
		41	{
		42	TIFFError("computeInputPixelOffsets", "Combined left and right margins exceed image width");
		43	lmargin = (uint32_t) 0;
		44	rmargin = (uint32_t) 0;
		45	return (-1);
		46	}
		47	- if ((tmargin + bmargin) > image->length)
		48	+ if (tmargin == 0xFFFFFFFFU \|\| bmargin == 0xFFFFFFFFU \|\| (tmargin + bmargin) > image->length)
		49	{
		50	TIFFError("computeInputPixelOffsets", "Combined top and bottom margins exceed image length");
		51	tmargin = (uint32_t) 0;
		52	@@ -5977,14 +5984,14 @@ computeOutputPixelOffsets (struct crop_mask crop, struct image_data image,
		53	vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
		54	}
		55
		56	- if ((hmargin * 2.0) > (pwidth * page->hres))
		57	+ if (hmargin == 0xFFFFFFFFU \|\| (hmargin * 2.0) > (pwidth * page->hres))
		58	{
		59	TIFFError("computeOutputPixelOffsets",
		60	"Combined left and right margins exceed page width");
		61	hmargin = (uint32_t) 0;
		62	return (-1);
		63	}
		64	- if ((vmargin * 2.0) > (plength * page->vres))
		65	+ if (vmargin == 0xFFFFFFFFU \|\| (vmargin * 2.0) > (plength * page->vres))
		66	{
		67	TIFFError("computeOutputPixelOffsets",
		68	"Combined top and bottom margins exceed page length");
		69	--
		70	2.40.0
		71


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 137dc7f478..6db4d80cdf 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -61,6 +61,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
61	file://CVE-2025-8177.patch \	61	file://CVE-2025-8177.patch \
62	file://CVE-2024-13978.patch \	62	file://CVE-2024-13978.patch \
63	file://CVE-2025-8534.patch \	63	file://CVE-2025-8534.patch \
		64	file://CVE-2025-8851.patch \
64	"	65	"
65		66
66	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	67	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"