4 files changed, 261 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
new file mode 100644
index 0000000000..ae33a3b4e7
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
@@ -0,0 +1,129 @@
+From 6ad097dac1d4908705f5a9d43dea76b7f2de89eb Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 6 Feb 2022 17:53:53 +0100
+Subject: [PATCH] tiffcrop.c: This update fixes also issues #350 and #351.
+ Issue 350 is fixed by checking for not allowed zone input cases like -Z 0:0
+ in getCropOffsets().
+CVE: CVE-2022-2867
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294]
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
+---
+ tools/tiffcrop.c | 58 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 40 insertions(+), 18 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 4a4ace8..0ef5bb2 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5194,20 +5194,33 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+        y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+        y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+        }
+-      /* region needs to be within image sizes 0.. width-1; 0..length-1 
+-       * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
+      /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 
+       * b) Corners are expected to be submitted as top-left to bottom-right.
+       *    Therefore, check that and reorder input.
+       * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+        */
+-     if (x1 > image->width - 1)
+      uint32_t aux;
+      if (x1 > x2) {
+        aux = x1;
+        x1 = x2;
+        x2 = aux;
+      }
+      if (y1 > y2) {
+        aux = y1;
+        y1 = y2;
+        y2 = aux;
+      }
+      if (x1 > image->width - 1)
+         crop->regionlist[i].x1 = image->width - 1;
+-     else if (x1 > 0)
+-        crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
+      else if (x1 > 0)
+        crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+ 
+-     if (x2 > image->width - 1)
+-       crop->regionlist[i].x2 = image->width - 1;
+-     else if (x2 > 0)
+-       crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+      if (x2 > image->width - 1)
+        crop->regionlist[i].x2 = image->width - 1;
+      else if (x2 > 0)
+        crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+ 
+-      zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; 
+      zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ 
+       if (y1 > image->length - 1)
+         crop->regionlist[i].y1 = image->length - 1;
+@@ -5219,8 +5232,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+       else if (y2 > 0)
+         crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+ 
+-      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; 
+-
+      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+       if (zwidth > max_width)
+         max_width = zwidth;
+       if (zlength > max_length)
+@@ -5250,7 +5262,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+        }
+       }
+     return (0);
+-    }
+    }  /* crop_mode == CROP_REGIONS */
+   
+   /* Convert crop margins into offsets into image
+    * Margins are expressed as pixel rows and columns, not bytes
+@@ -5286,7 +5298,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+       bmargin = (uint32_t) 0;
+       return (-1);
+       }
+-    }
+    }  /* crop_mode == CROP_MARGINS */
+   else
+     { /* no margins requested */
+     tmargin = (uint32_t) 0;
+@@ -5494,10 +5506,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+   else
+     crop->selections = crop->zones;
+ 
+-  for (i = 0; i < crop->zones; i++)
+  /* Initialize regions iterator i */
+  i = 0;
+  for (int j = 0; j < crop->zones; j++)
+     {
+-    seg = crop->zonelist[i].position;
+-    total = crop->zonelist[i].total;
+    seg = crop->zonelist[j].position;
+    total = crop->zonelist[j].total;
+
+    /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+    if (seg == 0 || total == 0 || seg > total) {
+        continue;
+    }
+ 
+     switch (crop->edge_ref) 
+       {
+@@ -5626,8 +5645,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+                     i + 1, zwidth, zlength,
+                crop->regionlist[i].x1, crop->regionlist[i].x2,
+                crop->regionlist[i].y1, crop->regionlist[i].y2);
+  /* increment regions iterator */
+  i++;
+     }
+-
+    /* set number of generated regions out of given zones */
+    crop->selections = i;
+   return (0);
+   } /* end getCropOffsets */
+ 
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
new file mode 100644
index 0000000000..9a23e23fed
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
@@ -0,0 +1,84 @@
+From 0ec36342df880f5ad41576cb1b03061b8697dabd Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 6 Feb 2022 10:53:45 +0100
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+CVE: CVE-2022-2869
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294]
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
+---
+ tools/tiffcrop.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b9b13d8..4a4ace8 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5194,26 +5194,30 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+        y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+        y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+        }
+-      if (x1 < 1)
+-        crop->regionlist[i].x1 = 0;
+-      else
+      /* region needs to be within image sizes 0.. width-1; 0..length-1 
+       * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
+       */
+     if (x1 > image->width - 1)
+        crop->regionlist[i].x1 = image->width - 1;
+     else if (x1 > 0)
+         crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
+ 
+-      if (x2 > image->width - 1)
+-        crop->regionlist[i].x2 = image->width - 1;
+-      else
+-        crop->regionlist[i].x2 = (uint32_t) (x2 - 1);
+     if (x2 > image->width - 1)
+       crop->regionlist[i].x2 = image->width - 1;
+     else if (x2 > 0)
+       crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+
+       zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; 
+ 
+-      if (y1 < 1)
+-        crop->regionlist[i].y1 = 0;
+-      else
+-        crop->regionlist[i].y1 = (uint32_t) (y1 - 1);
+      if (y1 > image->length - 1)
+        crop->regionlist[i].y1 = image->length - 1;
+      else if (y1 > 0)
+        crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+ 
+       if (y2 > image->length - 1)
+         crop->regionlist[i].y2 = image->length - 1;
+-      else
+-        crop->regionlist[i].y2 = (uint32_t) (y2 - 1);
+      else if (y2 > 0)
+        crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+ 
+       zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; 
+ 
+@@ -5376,7 +5380,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+   crop_width  = endx - startx + 1;
+   crop_length = endy - starty + 1;
+ 
+-  if (crop_width <= 0)
+  if (endx + 1 <= startx)
+     {
+     TIFFError("computeInputPixelOffsets", 
+                "Invalid left/right margins and /or image crop width requested");
+@@ -5385,7 +5389,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+   if (crop_width > image->width)
+     crop_width = image->width;
+ 
+-  if (crop_length <= 0)
+  if (endy + 1 <= starty)
+     {
+     TIFFError("computeInputPixelOffsets", 
+               "Invalid top/bottom margins and /or image crop length requested");
diff --git a/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
new file mode 100644
index 0000000000..1fa6a11104
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
@@ -0,0 +1,45 @@
+From 740111312ca6ae718f233d914662a9969e6820ee Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 6 Feb 2022 19:52:17 +0100
+Subject: [PATCH] Move the crop_width and crop_length computation after the
+ sanity check to avoid warnings when built with
+ -fsanitize=unsigned-integer-overflow.
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294]
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
+---
+ tools/tiffcrop.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 0ef5bb2..99e4208 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5389,15 +5389,13 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+   off->endx   = endx;
+   off->endy   = endy;
+ 
+-  crop_width  = endx - startx + 1;
+-  crop_length = endy - starty + 1;
+-
+   if (endx + 1 <= startx)
+     {
+     TIFFError("computeInputPixelOffsets", 
+                "Invalid left/right margins and /or image crop width requested");
+     return (-1);
+     }
+  crop_width  = endx - startx + 1;
+   if (crop_width > image->width)
+     crop_width = image->width;
+ 
+@@ -5407,6 +5405,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+               "Invalid top/bottom margins and /or image crop length requested");
+     return (-1);
+     }
+  crop_length = endy - starty + 1;
+   if (crop_length > image->length)
+     crop_length = image->length;
+ 
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index b5ccd859f3..f84057c46b 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -22,6 +22,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2022-1354.patch \
           file://CVE-2022-1355.patch \
           file://CVE-2022-34526.patch \
+           file://CVE-2022-2869.patch \
+           file://CVE-2022-2867.patch \
+           file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch new file mode 100644 index 0000000000..ae33a3b4e7 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
@@ -0,0 +1,129 @@
		1	From 6ad097dac1d4908705f5a9d43dea76b7f2de89eb Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sun, 6 Feb 2022 17:53:53 +0100
		4	Subject: [PATCH] tiffcrop.c: This update fixes also issues #350 and #351.
		5
		6	Issue 350 is fixed by checking for not allowed zone input cases like -Z 0:0
		7	in getCropOffsets().
		8
		9	CVE: CVE-2022-2867
		10
		11	Upstream-Status: Backport
		12	[https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294]
		13
		14	Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
		15
		16	---
		17	tools/tiffcrop.c \| 58 +++++++++++++++++++++++++++++++++---------------
		18	1 file changed, 40 insertions(+), 18 deletions(-)
		19
		20	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		21	index 4a4ace8..0ef5bb2 100644
		22	--- a/tools/tiffcrop.c
		23	+++ b/tools/tiffcrop.c
		24	@@ -5194,20 +5194,33 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		25	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
		26	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
		27	}
		28	- /* region needs to be within image sizes 0.. width-1; 0..length-1
		29	- * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
		30	+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
		31	+ * b) Corners are expected to be submitted as top-left to bottom-right.
		32	+ * Therefore, check that and reorder input.
		33	+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
		34	*/
		35	- if (x1 > image->width - 1)
		36	+ uint32_t aux;
		37	+ if (x1 > x2) {
		38	+ aux = x1;
		39	+ x1 = x2;
		40	+ x2 = aux;
		41	+ }
		42	+ if (y1 > y2) {
		43	+ aux = y1;
		44	+ y1 = y2;
		45	+ y2 = aux;
		46	+ }
		47	+ if (x1 > image->width - 1)
		48	crop->regionlist[i].x1 = image->width - 1;
		49	- else if (x1 > 0)
		50	- crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
		51	+ else if (x1 > 0)
		52	+ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
		53
		54	- if (x2 > image->width - 1)
		55	- crop->regionlist[i].x2 = image->width - 1;
		56	- else if (x2 > 0)
		57	- crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
		58	+ if (x2 > image->width - 1)
		59	+ crop->regionlist[i].x2 = image->width - 1;
		60	+ else if (x2 > 0)
		61	+ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
		62
		63	- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
		64	+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
		65
		66	if (y1 > image->length - 1)
		67	crop->regionlist[i].y1 = image->length - 1;
		68	@@ -5219,8 +5232,7 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		69	else if (y2 > 0)
		70	crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
		71
		72	- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
		73	-
		74	+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
		75	if (zwidth > max_width)
		76	max_width = zwidth;
		77	if (zlength > max_length)
		78	@@ -5250,7 +5262,7 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		79	}
		80	}
		81	return (0);
		82	- }
		83	+ } /* crop_mode == CROP_REGIONS */
		84
		85	/* Convert crop margins into offsets into image
		86	* Margins are expressed as pixel rows and columns, not bytes
		87	@@ -5286,7 +5298,7 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		88	bmargin = (uint32_t) 0;
		89	return (-1);
		90	}
		91	- }
		92	+ } /* crop_mode == CROP_MARGINS */
		93	else
		94	{ /* no margins requested */
		95	tmargin = (uint32_t) 0;
		96	@@ -5494,10 +5506,17 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		97	else
		98	crop->selections = crop->zones;
		99
		100	- for (i = 0; i < crop->zones; i++)
		101	+ /* Initialize regions iterator i */
		102	+ i = 0;
		103	+ for (int j = 0; j < crop->zones; j++)
		104	{
		105	- seg = crop->zonelist[i].position;
		106	- total = crop->zonelist[i].total;
		107	+ seg = crop->zonelist[j].position;
		108	+ total = crop->zonelist[j].total;
		109	+
		110	+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
		111	+ if (seg == 0 \|\| total == 0 \|\| seg > total) {
		112	+ continue;
		113	+ }
		114
		115	switch (crop->edge_ref)
		116	{
		117	@@ -5626,8 +5645,11 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		118	i + 1, zwidth, zlength,
		119	crop->regionlist[i].x1, crop->regionlist[i].x2,
		120	crop->regionlist[i].y1, crop->regionlist[i].y2);
		121	+ /* increment regions iterator */
		122	+ i++;
		123	}
		124	-
		125	+ /* set number of generated regions out of given zones */
		126	+ crop->selections = i;
		127	return (0);
		128	} /* end getCropOffsets */
		129


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch new file mode 100644 index 0000000000..9a23e23fed --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
@@ -0,0 +1,84 @@
		1	From 0ec36342df880f5ad41576cb1b03061b8697dabd Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sun, 6 Feb 2022 10:53:45 +0100
		4	Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
		5
		6	uint32_t underflow.
		7
		8	CVE: CVE-2022-2869
		9
		10	Upstream-Status: Backport
		11	[https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294]
		12
		13	Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
		14
		15	---
		16	tools/tiffcrop.c \| 34 +++++++++++++++++++---------------
		17	1 file changed, 19 insertions(+), 15 deletions(-)
		18
		19	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		20	index b9b13d8..4a4ace8 100644
		21	--- a/tools/tiffcrop.c
		22	+++ b/tools/tiffcrop.c
		23	@@ -5194,26 +5194,30 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		24	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
		25	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
		26	}
		27	- if (x1 < 1)
		28	- crop->regionlist[i].x1 = 0;
		29	- else
		30	+ /* region needs to be within image sizes 0.. width-1; 0..length-1
		31	+ * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
		32	+ */
		33	+ if (x1 > image->width - 1)
		34	+ crop->regionlist[i].x1 = image->width - 1;
		35	+ else if (x1 > 0)
		36	crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
		37
		38	- if (x2 > image->width - 1)
		39	- crop->regionlist[i].x2 = image->width - 1;
		40	- else
		41	- crop->regionlist[i].x2 = (uint32_t) (x2 - 1);
		42	+ if (x2 > image->width - 1)
		43	+ crop->regionlist[i].x2 = image->width - 1;
		44	+ else if (x2 > 0)
		45	+ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
		46	+
		47	zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
		48
		49	- if (y1 < 1)
		50	- crop->regionlist[i].y1 = 0;
		51	- else
		52	- crop->regionlist[i].y1 = (uint32_t) (y1 - 1);
		53	+ if (y1 > image->length - 1)
		54	+ crop->regionlist[i].y1 = image->length - 1;
		55	+ else if (y1 > 0)
		56	+ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
		57
		58	if (y2 > image->length - 1)
		59	crop->regionlist[i].y2 = image->length - 1;
		60	- else
		61	- crop->regionlist[i].y2 = (uint32_t) (y2 - 1);
		62	+ else if (y2 > 0)
		63	+ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
		64
		65	zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
		66
		67	@@ -5376,7 +5380,7 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		68	crop_width = endx - startx + 1;
		69	crop_length = endy - starty + 1;
		70
		71	- if (crop_width <= 0)
		72	+ if (endx + 1 <= startx)
		73	{
		74	TIFFError("computeInputPixelOffsets",
		75	"Invalid left/right margins and /or image crop width requested");
		76	@@ -5385,7 +5389,7 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		77	if (crop_width > image->width)
		78	crop_width = image->width;
		79
		80	- if (crop_length <= 0)
		81	+ if (endy + 1 <= starty)
		82	{
		83	TIFFError("computeInputPixelOffsets",
		84	"Invalid top/bottom margins and /or image crop length requested");


diff --git a/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch new file mode 100644 index 0000000000..1fa6a11104 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
@@ -0,0 +1,45 @@
		1	From 740111312ca6ae718f233d914662a9969e6820ee Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sun, 6 Feb 2022 19:52:17 +0100
		4	Subject: [PATCH] Move the crop_width and crop_length computation after the
		5	sanity check to avoid warnings when built with
		6	-fsanitize=unsigned-integer-overflow.
		7
		8	Upstream-Status: Backport
		9	[https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294]
		10
		11	Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
		12
		13	---
		14	tools/tiffcrop.c \| 5 ++---
		15	1 file changed, 2 insertions(+), 3 deletions(-)
		16
		17	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		18	index 0ef5bb2..99e4208 100644
		19	--- a/tools/tiffcrop.c
		20	+++ b/tools/tiffcrop.c
		21	@@ -5389,15 +5389,13 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		22	off->endx = endx;
		23	off->endy = endy;
		24
		25	- crop_width = endx - startx + 1;
		26	- crop_length = endy - starty + 1;
		27	-
		28	if (endx + 1 <= startx)
		29	{
		30	TIFFError("computeInputPixelOffsets",
		31	"Invalid left/right margins and /or image crop width requested");
		32	return (-1);
		33	}
		34	+ crop_width = endx - startx + 1;
		35	if (crop_width > image->width)
		36	crop_width = image->width;
		37
		38	@@ -5407,6 +5405,7 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
		39	"Invalid top/bottom margins and /or image crop length requested");
		40	return (-1);
		41	}
		42	+ crop_length = endy - starty + 1;
		43	if (crop_length > image->length)
		44	crop_length = image->length;
		45


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index b5ccd859f3..f84057c46b 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -22,6 +22,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
22	file://CVE-2022-1354.patch \	22	file://CVE-2022-1354.patch \
23	file://CVE-2022-1355.patch \	23	file://CVE-2022-1355.patch \
24	file://CVE-2022-34526.patch \	24	file://CVE-2022-34526.patch \
		25	file://CVE-2022-2869.patch \
		26	file://CVE-2022-2867.patch \
		27	file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
25	"	28	"
26		29
27	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	30	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"