[dunfell] tiff: Fix for CVE-2022-2867/8/9

Message ID 20220908050409.17606-1-virendra.thakur@kpit.com
State Accepted, archived
Commit 67df7488bf66183ffdb9f497f00ad291b79210d3

Commit Message

Virendra Kumar Thakur Sept. 8, 2022, 5:04 a.m. UTC
From: Virendra Thakur <virendrak@kpit.com>

Add Patch to fix CVE-2022-2867, CVE-2022-2868
CVE-2022-2869

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
 ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
 2 files changed, 160 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch

--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Comments

Steve Sakoman Sept. 8, 2022, 6:44 p.m. UTC | #1
On Wed, Sep 7, 2022 at 7:04 PM Virendra Thakur via
lists.openembedded.org
<virendra.thakur=kpit.com@lists.openembedded.org> wrote:
>
> From: Virendra Thakur <virendrak@kpit.com>
>
> Add Patch to fix CVE-2022-2867, CVE-2022-2868
> CVE-2022-2869

This fails on the autobuilder:

ERROR: tiff-4.1.0-r0 do_patch: Applying patch
'CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch' on target directory
'/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/tiff-4.1.0'
Command Error: 'quilt --quiltrc
/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0  Output:
Applying patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
patching file tools/tiffcrop.c
Hunk #1 FAILED at 5153.
Hunk #2 succeeded at 4782 with fuzz 2 (offset -423 lines).
Hunk #4 FAILED at 5332.
Hunk #5 succeeded at 5449 with fuzz 2.
Hunk #6 succeeded at 5588 with fuzz 2.
2 out of 6 hunks FAILED -- rejects in file tools/tiffcrop.c
Patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch does not apply
(enforce with -f)

Perhaps your mailer is corrupting the patch?  This has been an issue
lately with other patches from kpit!

Steve

>
> Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> ---
>  ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
>  meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
>  2 files changed, 160 insertions(+)
>  create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
> new file mode 100644
> index 0000000000..131ff94119
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
> @@ -0,0 +1,159 @@
> +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
> +From: Su Laus <sulau@freenet.de>
> +Date: Wed, 9 Feb 2022 21:31:29 +0000
> +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
> + uint32_t underflow.
> +
> +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
> +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
> +Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> +---
> +Index: tiff-4.1.0/tools/tiffcrop.c
> +===================================================================
> +--- tiff-4.1.0.orig/tools/tiffcrop.c
> ++++ tiff-4.1.0/tools/tiffcrop.c
> +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
> +       y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
> +       y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
> +       }
> +-      if (x1 < 1)
> +-        crop->regionlist[i].x1 = 0;
> +-      else
> +-        crop->regionlist[i].x1 = (uint32) (x1 - 1);
> ++      /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
> ++       * b) Corners are expected to be submitted as top-left to bottom-right.
> ++       *    Therefore, check that and reorder input.
> ++       * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
> ++       */
> ++      uint32_t aux;
> ++      if (x1 > x2) {
> ++        aux = x1;
> ++        x1 = x2;
> ++        x2 = aux;
> ++      }
> ++      if (y1 > y2) {
> ++        aux = y1;
> ++        y1 = y2;
> ++        y2 = aux;
> ++      }
> ++      if (x1 > image->width - 1)
> ++        crop->regionlist[i].x1 = image->width - 1;
> ++      else if (x1 > 0)
> ++        crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
> +
> +       if (x2 > image->width - 1)
> +         crop->regionlist[i].x2 = image->width - 1;
> +-      else
> +-        crop->regionlist[i].x2 = (uint32) (x2 - 1);
> +-      zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
> +-
> +-      if (y1 < 1)
> +-        crop->regionlist[i].y1 = 0;
> +-      else
> +-        crop->regionlist[i].y1 = (uint32) (y1 - 1);
> ++      else if (x2 > 0)
> ++        crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
> ++
> ++      zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
> ++
> ++      if (y1 > image->length - 1)
> ++        crop->regionlist[i].y1 = image->length - 1;
> ++      else if (y1 > 0)
> ++        crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
> +
> +       if (y2 > image->length - 1)
> +         crop->regionlist[i].y2 = image->length - 1;
> +-      else
> +-        crop->regionlist[i].y2 = (uint32) (y2 - 1);
> +-
> +-      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
> ++      else if (y2 > 0)
> ++        crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
> +
> ++      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
> +       if (zwidth > max_width)
> +         max_width = zwidth;
> +       if (zlength > max_length)
> +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
> +       }
> +       }
> +     return (0);
> +-    }
> ++    }  /* crop_mode == CROP_REGIONS */
> +
> +   /* Convert crop margins into offsets into image
> +    * Margins are expressed as pixel rows and columns, not bytes
> +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
> +       bmargin = (uint32) 0;
> +       return (-1);
> +       }
> +-    }
> ++    }  /* crop_mode == CROP_MARGINS */
> +   else
> +     { /* no margins requested */
> +     tmargin = (uint32) 0;
> +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
> +   off->endx   = endx;
> +   off->endy   = endy;
> +
> +-  crop_width  = endx - startx + 1;
> +-  crop_length = endy - starty + 1;
> +-
> +-  if (crop_width <= 0)
> ++  if (endx + 1 <= startx)
> +     {
> +     TIFFError("computeInputPixelOffsets",
> +                "Invalid left/right margins and /or image crop width requested");
> +     return (-1);
> +     }
> ++  crop_width  = endx - startx + 1;
> +   if (crop_width > image->width)
> +     crop_width = image->width;
> +
> +-  if (crop_length <= 0)
> ++  if (endy + 1 <= starty)
> +     {
> +     TIFFError("computeInputPixelOffsets",
> +               "Invalid top/bottom margins and /or image crop length requested");
> +     return (-1);
> +     }
> ++  crop_length = endy - starty + 1;
> +   if (crop_length > image->length)
> +     crop_length = image->length;
> +
> +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
> +   else
> +     crop->selections = crop->zones;
> +
> +-  for (i = 0; i < crop->zones; i++)
> ++  /* Initialize regions iterator i */
> ++  i = 0;
> ++  for (int j = 0; j < crop->zones; j++)
> +     {
> +-    seg = crop->zonelist[i].position;
> +-    total = crop->zonelist[i].total;
> ++    seg = crop->zonelist[j].position;
> ++    total = crop->zonelist[j].total;
> ++
> ++    /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
> ++    if (seg == 0 || total == 0 || seg > total) {
> ++        continue;
> ++    }
> +
> +     switch (crop->edge_ref)
> +       {
> +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
> +                     i + 1, (uint32)zwidth, (uint32)zlength,
> +                   crop->regionlist[i].x1, crop->regionlist[i].x2,
> +                     crop->regionlist[i].y1, crop->regionlist[i].y2);
> ++  /* increment regions iterator */
> ++  i++;
> +     }
> +-
> ++    /* set number of generated regions out of given zones */
> ++    crop->selections = i;
> +   return (0);
> +   } /* end getCropOffsets */
> +
> +--
> +GitLab
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> index c061d2aaac..93a35230d6 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> @@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
>             file://CVE-2022-0924.patch \
>             file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
>             file://CVE-2022-34526.patch \
> +           file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
>            "
>  SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
>  SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
> --
> 2.17.1
>
Virendra Kumar Thakur Sept. 9, 2022, 5:11 a.m. UTC | #2
Hi Steve,

I am attaching herewith the tiff patchset.
Please let me know if it's fine.
Virendra Kumar Thakur Sept. 9, 2022, 5:15 a.m. UTC | #3
Please take this patch.
Removed change-ID as it's not needed.

Patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@ 
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
++++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+       y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+       y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+       }
+-      if (x1 < 1)
+-        crop->regionlist[i].x1 = 0;
+-      else
+-        crop->regionlist[i].x1 = (uint32) (x1 - 1);
++      /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++       * b) Corners are expected to be submitted as top-left to bottom-right.
++       *    Therefore, check that and reorder input.
++       * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++       */
++      uint32_t aux;
++      if (x1 > x2) {
++        aux = x1;
++        x1 = x2;
++        x2 = aux;
++      }
++      if (y1 > y2) {
++        aux = y1;
++        y1 = y2;
++        y2 = aux;
++      }
++      if (x1 > image->width - 1)
++        crop->regionlist[i].x1 = image->width - 1;
++      else if (x1 > 0)
++        crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+
+       if (x2 > image->width - 1)
+         crop->regionlist[i].x2 = image->width - 1;
+-      else
+-        crop->regionlist[i].x2 = (uint32) (x2 - 1);
+-      zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+-
+-      if (y1 < 1)
+-        crop->regionlist[i].y1 = 0;
+-      else
+-        crop->regionlist[i].y1 = (uint32) (y1 - 1);
++      else if (x2 > 0)
++        crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++
++      zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++      if (y1 > image->length - 1)
++        crop->regionlist[i].y1 = image->length - 1;
++      else if (y1 > 0)
++        crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+
+       if (y2 > image->length - 1)
+         crop->regionlist[i].y2 = image->length - 1;
+-      else
+-        crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+-      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++      else if (y2 > 0)
++        crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+
++      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+       if (zwidth > max_width)
+         max_width = zwidth;
+       if (zlength > max_length)
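Review bot: The rewritten clamps for x1, x2, y1 and y2 have no final else, so when a corner value is 0 nothing in this hunk assigns the corresponding `crop->regionlist[i]` field, whereas the removed code set x1 and y1 to 0 explicitly. Unless the region list is zeroed before this point (not visible here), `zwidth` and `zlength` are then computed from a stale value; adding `else crop->regionlist[i].x1 = 0;` (and likewise for x2, y1 and y2) would make the result independent of earlier state. Two smaller points: if the image dimensions are unsigned like x and y, `image->width - 1` and `image->length - 1` wrap when a dimension is 0, and this hunk introduces `uint32_t` while the context lines in later hunks still use `(uint32)`, which is worth aligning for the 4.1.0 backport.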
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+       }
+       }
+     return (0);
+-    }
++    }  /* crop_mode == CROP_REGIONS */
+
+   /* Convert crop margins into offsets into image
+    * Margins are expressed as pixel rows and columns, not bytes
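Review bot: The context here is only closing braces and `return (0);`, which is too little to place the hunk reliably: the autobuilder log above reports it applying at line 4782 with fuzz 2 and an offset of -423 lines, so the `/* crop_mode == CROP_REGIONS */` comment very likely lands on the wrong brace in 4.1.0. Since it carries no functional change, dropping it (and the matching CROP_MARGINS comment in the next hunk) from the backport, or refreshing the patch against the 4.1.0 tree so every hunk applies without fuzz, would avoid that.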
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+       bmargin = (uint32) 0;
+       return (-1);
+       }
+-    }
++    }  /* crop_mode == CROP_MARGINS */
+   else
+     { /* no margins requested */
+     tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+   off->endx   = endx;
+   off->endy   = endy;
+
+-  crop_width  = endx - startx + 1;
+-  crop_length = endy - starty + 1;
+-
+-  if (crop_width <= 0)
++  if (endx + 1 <= startx)
+     {
+     TIFFError("computeInputPixelOffsets",
+                "Invalid left/right margins and /or image crop width requested");
+     return (-1);
+     }
++  crop_width  = endx - startx + 1;
+   if (crop_width > image->width)
+     crop_width = image->width;
+
+-  if (crop_length <= 0)
++  if (endy + 1 <= starty)
+     {
+     TIFFError("computeInputPixelOffsets",
+               "Invalid top/bottom margins and /or image crop length requested");
+     return (-1);
+     }
++  crop_length = endy - starty + 1;
+   if (crop_length > image->length)
+     crop_length = image->length;
+
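Review bot: In the context lines, `off->endx` and `off->endy` are written before the new `endx + 1 <= startx` and `endy + 1 <= starty` checks run, so on the `return (-1)` paths the caller's `off` already holds the values that were just rejected; moving the validation above those assignments would leave `off` untouched on failure. A one-line comment on why the test is written `endx + 1 <= startx` rather than `endx < startx` would also help, since for unsigned values the two differ when `endx + 1` wraps. The autobuilder log above lists this hunk and hunk #1 as FAILED, so both need refreshing against 4.1.0 before these checks take effect.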
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+   else
+     crop->selections = crop->zones;
+
+-  for (i = 0; i < crop->zones; i++)
++  /* Initialize regions iterator i */
++  i = 0;
++  for (int j = 0; j < crop->zones; j++)
+     {
+-    seg = crop->zonelist[i].position;
+-    total = crop->zonelist[i].total;
++    seg = crop->zonelist[j].position;
++    total = crop->zonelist[j].total;
++
++    /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++    if (seg == 0 || total == 0 || seg > total) {
++        continue;
++    }
+
+     switch (crop->edge_ref)
+       {
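Review bot: Invalid zones such as 0:0 or 4:3 are dropped by the new `continue` with no message, so a user who mistypes a zone gets fewer output regions and no indication why; a `TIFFError` call naming the rejected `seg` and `total` before the `continue` would make that visible. Separately, `for (int j = 0; ...)` relies on a C99 loop declaration and, if `crop->zones` is unsigned, introduces a signed/unsigned comparison; declaring `j` with the same type as `i` alongside the function's other locals avoids both.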
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+                     i + 1, (uint32)zwidth, (uint32)zlength,
+                   crop->regionlist[i].x1, crop->regionlist[i].x2,
+                     crop->regionlist[i].y1, crop->regionlist[i].y2);
++  /* increment regions iterator */
++  i++;
+     }
+-
++    /* set number of generated regions out of given zones */
++    crop->selections = i;
+   return (0);
+   } /* end getCropOffsets */
+
+--
+GitLab
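Review bot: After this hunk `crop->selections` can be 0 when every zone was skipped, and the function still returns 0, so callers must cope with an empty region list; returning -1 or reporting an error when `i == 0` would be safer unless the callers are known to handle it. The indentation of the added lines is also misleading: `i++;` sits inside the loop body but is indented less than the statement above it, and `crop->selections = i;` is outside the loop but indented as if it were inside.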
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index c061d2aaac..93a35230d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -26,6 +26,7 @@  SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2022-0924.patch \
            file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
            file://CVE-2022-34526.patch \
+           file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
           "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"