-rw-r--r-- | download.lst | 4 | ||||
-rw-r--r-- | external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch | 79 | ||||
-rw-r--r-- | external/libtiff/UnpackedTarball_libtiff.mk | 1 |
3 files changed, 2 insertions, 82 deletions
diff --git a/download.lst b/download.lst
index f1f1ed87e036..d83931988bdd 100644
--- a/download.lst
+++ b/download.lst
@@ -528,8 +528,8 @@ LIBPNG_TARBALL := libpng-1.6.40.tar.xz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-LIBTIFF_SHA256SUM := 3c080867114c26edab3129644a63b708028a90514b7fe3126e38e11d24f9f88a
-LIBTIFF_TARBALL := tiff-4.5.1.tar.xz
+LIBTIFF_SHA256SUM := e178649607d1e22b51cf361dd20a3753f244f022eefab1f2f218fc62ebaf87d2
+LIBTIFF_TARBALL := tiff-4.6.0.tar.xz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch b/external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch
deleted file mode 100644
index 68353bd9ed20..000000000000
--- a/external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 350ff161c8a61b6483a1e4689e09cd47dd0dd5f9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 17 Jun 2023 16:22:38 +0200
-Subject: [PATCH] WebP decoder: validate WebP blob width, height, band count
- against TIFF parameters
-
-to avoid use of uninitialized variable, or decoding corrupted content
-without explicit error
-
-Fixes #581, fixes #582
----
- libtiff/tif_webp.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 51 insertions(+)
-
-diff --git a/libtiff/tif_webp.c b/libtiff/tif_webp.c
-index 07db7cce..ce15391e 100644
---- a/libtiff/tif_webp.c
-+++ b/libtiff/tif_webp.c
-@@ -149,6 +149,57 @@ static int TWebPDecode(TIFF *tif, uint8_t *op, tmsize_t occ, uint16_t s)
- segment_height = td->td_rowsperstrip;
- }
-
-+ int webp_width, webp_height;
-+ if (!WebPGetInfo(tif->tif_rawcp,
-+ tif->tif_rawcc > UINT32_MAX ? UINT32_MAX
-+ : (uint32_t)tif->tif_rawcc,
-+ &webp_width, &webp_height))
-+ {
-+ TIFFErrorExtR(tif, module, "WebPGetInfo() failed");
-+ return 0;
-+ }
-+ if ((uint32_t)webp_width != segment_width ||
-+ (uint32_t)webp_height != segment_height)
-+ {
-+ TIFFErrorExtR(
-+ tif, module, "WebP blob dimension is %dx%d. Expected %ux%u",
-+ webp_width, webp_height, segment_width, segment_height);
-+ return 0;
-+ }
-+
-+#if WEBP_DECODER_ABI_VERSION >= 0x0002
-+ WebPDecoderConfig config;
-+ if (!WebPInitDecoderConfig(&config))
-+ {
-+ TIFFErrorExtR(tif, module, "WebPInitDecoderConfig() failed");
-+ return 0;
-+ }
-+
-+ const bool bWebPGetFeaturesOK =
-+ WebPGetFeatures(tif->tif_rawcp,
-+ tif->tif_rawcc > UINT32_MAX
-+ ? UINT32_MAX
-+ : (uint32_t)tif->tif_rawcc,
-+ &config.input) == VP8_STATUS_OK;
-+
-+ WebPFreeDecBuffer(&config.output);
-+
-+ if (!bWebPGetFeaturesOK)
-+ {
-+ TIFFErrorExtR(tif, module, "WebPInitDecoderConfig() failed");
-+ return 0;
-+ }
-+
-+ const int webp_bands = config.input.has_alpha ? 4 : 3;
-+ if (webp_bands != sp->nSamples)
-+ {
-+ TIFFErrorExtR(tif, module,
-+ "WebP blob band count is %d. Expected %d", webp_bands,
-+ sp->nSamples);
-+ return 0;
-+ }
-+#endif
-+
- buffer_size = segment_width * segment_height * sp->nSamples;
- if (occ == (tmsize_t)buffer_size)
- {
---
-2.41.0
-
diff --git a/external/libtiff/UnpackedTarball_libtiff.mk b/external/libtiff/UnpackedTarball_libtiff.mk
index 32ed699b7491..f7eeb6ace868 100644
--- a/external/libtiff/UnpackedTarball_libtiff.mk
+++ b/external/libtiff/UnpackedTarball_libtiff.mk
@@ -16,7 +16,6 @@ $(eval $(call gb_UnpackedTarball_set_patchlevel,libtiff,1)) $(eval $(call gb_UnpackedTarball_add_patches,libtiff,\ external/libtiff/libtiff.linknolibs.patch \ external/libtiff/0001-ofz-54685-Timeout.patch \ - external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch \ )) # vim: set noet sw=4 ts=4: |