From: Siddharth Doshi <[email protected]>

Upstream-Status: Backport from 
[https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]

CVEs Fixed:
CVE-2024-7006 libtiff: NULL pointer dereference in tif_dirinfo.c

Signed-off-by: Siddharth Doshi <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>
---
 .../libtiff/tiff/CVE-2024-7006.patch          | 64 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
new file mode 100644
index 0000000000..217de0ea92
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
@@ -0,0 +1,64 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus <[email protected]>
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+
+Fixes #624
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
+CVE: CVE-2024-7006
+Signed-off-by: Siddharth Doshi <[email protected]>
+---
+ libtiff/tif_dirinfo.c |  2 +-
+ libtiff/tif_dirread.c | 15 ++++++---------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index a212d01..95226a8 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, 
TIFFDataType dt)
+       fld = TIFFFindField(tif, tag, dt);
+       if (fld == NULL) {
+               fld = _TIFFCreateAnonField(tif, tag, dt);
+-              if (!_TIFFMergeFields(tif, fld, 1))
++              if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+                       return NULL;
+       }
+ 
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 0e283fc..1781166 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3735,11 +3735,9 @@ TIFFReadDirectory(TIFF* tif)
+                                   dp->tdir_tag,dp->tdir_tag);
+                               /* the following knowingly leaks the 
+                                  anonymous field structure */
+-                              if (!_TIFFMergeFields(tif,
+-                                      _TIFFCreateAnonField(tif,
+-                                              dp->tdir_tag,
+-                                              (TIFFDataType) dp->tdir_type),
+-                                      1)) {
++                const TIFFField *fld = _TIFFCreateAnonField(
++                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) {
+                                       TIFFWarningExt(tif->tif_clientdata,
+                                           module,
+                                           "Registering anonymous field with 
tag %"PRIu16" (0x%"PRIx16") failed",
+@@ -4502,10 +4500,9 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
+                       TIFFWarningExt(tif->tif_clientdata, module,
+                           "Unknown field with tag %"PRIu16" (0x%"PRIx16") 
encountered",
+                           dp->tdir_tag, dp->tdir_tag);
+-                      if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
+-                                              dp->tdir_tag,
+-                                              (TIFFDataType) dp->tdir_type),
+-                                           1)) {
++            const TIFFField *fld = _TIFFCreateAnonField(
++                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) {
+                               TIFFWarningExt(tif->tif_clientdata, module,
+                                   "Registering anonymous field with tag 
%"PRIu16" (0x%"PRIx16") failed",
+                                   dp->tdir_tag, dp->tdir_tag);
+-- 
+2.35.7
+
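Review bot: In the two tif_dirread.c hunks (TIFFReadDirectory and TIFFReadCustomDirectory) the added `const TIFFField *fld = _TIFFCreateAnonField(` and `if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) {` lines are indented 16 and 12 columns as rendered here, while the lines they replace sit at about 30 and 22 columns, so the new NULL guard reads as if it belonged to an outer block. This looks carried over from upstream's later reformatting rather than from the 4.3.0 tree; re-indenting the three added lines in each hunk to the depth of the removed `if (!_TIFFMergeFields(tif,` would keep the guard visually attached to the warning branch it controls. The retained comment `/* the following knowingly leaks the anonymous field structure */` would be clearer if it said when, for example `/* fld is never freed here, including when _TIFFMergeFields() fails */`, assuming that is still the intent. All three functions start and end outside the hunks shown.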
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index b4af179e76..209b38b8f2 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -53,6 +53,7 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-6277-2.patch \
            file://CVE-2023-6277-3.patch \
            file://CVE-2023-6277-4.patch \
+           file://CVE-2024-7006.patch \
            "
 
 SRC_URI[sha256sum] = 
"0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 
2.34.1
