new file mode 100644
@@ -0,0 +1,238 @@
+From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 1 Feb 2024 13:06:08 +0000
+Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst
+ and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes.
+
+CVE: CVE-2023-52355
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ doc/functions/TIFFDeferStrileArrayWriting.rst | 5 +++
+ doc/functions/TIFFError.rst | 3 ++
+ doc/functions/TIFFOpen.rst | 13 +++---
+ doc/functions/TIFFOpenOptions.rst | 44 ++++++++++++++++++-
+ doc/functions/TIFFStrileQuery.rst | 5 +++
+ doc/libtiff.rst | 31 ++++++++++++-
+ 6 files changed, 91 insertions(+), 10 deletions(-)
+
+diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst
+index 60ee746..705aebc 100644
+--- a/doc/functions/TIFFDeferStrileArrayWriting.rst
++++ b/doc/functions/TIFFDeferStrileArrayWriting.rst
+@@ -61,6 +61,11 @@ Diagnostics
+ All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
+ Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
+
++Note
++----
++
++This functionality was introduced with libtiff 4.1.
++
+ See also
+ --------
+
+diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst
+index 99924ad..cf4b37c 100644
+--- a/doc/functions/TIFFError.rst
++++ b/doc/functions/TIFFError.rst
+@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`.
+ Furthermore, a **custom defined data structure** *user_data* for the
+ error handler can be given along.
+
++Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the
++application-specific handler introduced with libtiff 4.5.
++
+ Note
+ ----
+
+diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst
+index db79d7b..adc474f 100644
+--- a/doc/functions/TIFFOpen.rst
++++ b/doc/functions/TIFFOpen.rst
+@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the
+ file should be closed using its file descriptor *fd*.
+
+ :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`,
+-but options, such as re-entrant error and warning handlers may be passed
+-with the *opts* argument. The *opts* argument may be NULL.
++but options, such as re-entrant error and warning handlers and a limit in byte
++that libtiff internal memory allocation functions are allowed to request per call
++may be passed with the *opts* argument. The *opts* argument may be NULL.
+ Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument
+ parameters. The allocated memory for :c:type:`TIFFOpenOptions`
+ can be released straight after successful execution of the related
+@@ -105,9 +106,7 @@ can be released straight after successful execution of the related
+ but opens a TIFF file with a Unicode filename.
+
+ :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`,
+-but options, such as re-entrant error and warning handlers may be passed
+-with the *opts* argument. The *opts* argument may be NULL.
+-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument.
++but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed.
+
+ :c:func:`TIFFSetFileName` sets the file name in the tif-structure
+ and returns the old file name.
+@@ -326,5 +325,5 @@ See also
+
+ :doc:`libtiff` (3tiff),
+ :doc:`TIFFClose` (3tiff),
+-:doc:`TIFFStrileQuery`,
+-:doc:`TIFFOpenOptions`
+\ No newline at end of file
++:doc:`TIFFStrileQuery` (3tiff),
++:doc:`TIFFOpenOptions`
+diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst
+index 5c67566..23f2975 100644
+--- a/doc/functions/TIFFOpenOptions.rst
++++ b/doc/functions/TIFFOpenOptions.rst
+@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer.
+ :c:func:`TIFFOpenOptionsFree` releases the allocated memory for
+ :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions`
+ can be released straight after successful execution of the related
+-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`.
++TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`.
+
+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the
+ maximum single memory limit in byte that ``libtiff`` internal memory allocation
+ functions are allowed to request per call.
+
++.. note::
++ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc`
++ and :c:func:`_TIFFrealloc` **do not apply** this internal memory
++ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`!
++
+ :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to
+ an application-specific and per-TIFF handle (re-entrant) error handler.
+ Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data*
+@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL.
+ :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler,
+ which is invoked through :c:func:`TIFFWarningExtR`
+
++Example
++-------
++
++::
++
++ #include "tiffio.h"
++
++ typedef struct MyErrorHandlerUserDataStruct
++ {
++ /* ... any user data structure ... */
++ } MyErrorHandlerUserDataStruct;
++
++ static int myErrorHandler(TIFF *tiff, void *user_data, const char *module,
++ const char *fmt, va_list ap)
++ {
++ MyErrorHandlerUserDataStruct *errorhandler_user_data =
++ (MyErrorHandlerUserDataStruct *)user_data;
++ /*... code of myErrorHandler ...*/
++ return 1;
++ }
++
++
++ main()
++ {
++ tmsize_t limit = (256 * 1024 * 1024);
++ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */};
++
++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
++ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data);
++ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts);
++ TIFFOpenOptionsFree(opts);
++ /* ... go on here ... */
++
++ TIFFClose(tif);
++ }
++
+ Note
+ ----
+
+diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst
+index f8631af..7931fe4 100644
+--- a/doc/functions/TIFFStrileQuery.rst
++++ b/doc/functions/TIFFStrileQuery.rst
+@@ -66,6 +66,11 @@ Diagnostics
+ All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
+ Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
+
++Note
++----
++
++This functionality was introduced with libtiff 4.1.
++
+ See also
+ --------
+
+diff --git a/doc/libtiff.rst b/doc/libtiff.rst
+index 6a0054c..d96a860 100644
+--- a/doc/libtiff.rst
++++ b/doc/libtiff.rst
+@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture.
+ :c:func:`realloc`, and :c:func:`free` routines in the C library.)
+
+ To deal with segmented pointer issues ``libtiff`` also provides
+-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove`
++:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp`
+ routines that mimic the equivalent ANSI C routines, but that are
+ intended for use with memory allocated through :c:func:`_TIFFmalloc`
+ and :c:func:`_TIFFrealloc`.
+
++With ``libtiff`` 4.5 a method was introduced to limit the internal
++memory allocation that functions are allowed to request per call
++(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`).
++
+ Error Handling
+ --------------
+
+@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`.
+ Likewise warning messages are directed to a single handler routine
+ that can be specified with a call to :c:func:`TIFFSetWarningHandler`
+
++Further application-specific and per-TIFF handle (re-entrant) error handler
++and warning handler can be set. Please refer to :doc:`/functions/TIFFError`
++and :doc:`/functions/TIFFOpenOptions`.
++
+ Basic File Handling
+ -------------------
+
+@@ -139,7 +147,7 @@ a ``"w"`` argument:
+ main()
+ {
+ TIFF* tif = TIFFOpen("foo.tif", "w");
+- ... do stuff ...
++ /* ... do stuff ... */
+ TIFFClose(tif);
+ }
+
+@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any
+ buffered information to a file. Note that if you call :c:func:`TIFFClose`
+ you do not need to call :c:func:`TIFFFlush`.
+
++.. warning::
++
++ In order to prevent out-of-memory issues when opening a TIFF file
++ :c:func:`TIFFOpenExt` can be used and then the maximum single memory
++ limit in byte that ``libtiff`` internal memory allocation functions
++ are allowed to request per call can be set with
++ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
++
++Example
++
++::
++
++ tmsize_t limit = (256 * 1024 * 1024);
++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
++ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
++ TIFFOpenOptionsFree(opts);
++ /* ... go on here ... */
++
+ TIFF Directories
+ ----------------
+
+--
+2.40.0
+
new file mode 100644
@@ -0,0 +1,28 @@
+From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001
+From: Timothy Lyanguzov <theta682@gmail.com>
+Date: Thu, 1 Feb 2024 11:19:06 +0000
+Subject: [PATCH] Fix typo.
+
+CVE: CVE-2023-52355
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ doc/libtiff.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/libtiff.rst b/doc/libtiff.rst
+index d96a860..4fedc3e 100644
+--- a/doc/libtiff.rst
++++ b/doc/libtiff.rst
+@@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`.
+
+ In order to prevent out-of-memory issues when opening a TIFF file
+ :c:func:`TIFFOpenExt` can be used and then the maximum single memory
+- limit in byte that ``libtiff`` internal memory allocation functions
++ limit in bytes that ``libtiff`` internal memory allocation functions
+ are allowed to request per call can be set with
+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
+
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,49 @@
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 1 Feb 2024 11:38:14 +0000
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+CVE: CVE-2023-52356
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 41f7dfd..9cd6eee 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
+ if (TIFFRGBAImageOK(tif, emsg) &&
+ TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
+ {
++ if (row >= img.height)
++ {
++ TIFFErrorExtR(tif, TIFFFileName(tif),
++ "Invalid row passed to TIFFReadRGBAStrip().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
+
+ img.row_offset = row;
+ img.col_offset = 0;
+@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
+ return (0);
+ }
+
++ if (col >= img.width || row >= img.height)
++ {
++ TIFFErrorExtR(tif, TIFFFileName(tif),
++ "Invalid row/col passed to TIFFReadRGBATile().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
++
+ /*
+ * The TIFFRGBAImageGet() function doesn't allow us to get off the
+ * edge of the image, even to fill an otherwise valid tile. So we
+--
+2.40.0
@@ -13,6 +13,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
file://CVE-2023-6228.patch \
+ file://CVE-2023-52355-0001.patch \
+ file://CVE-2023-52355-0002.patch \
+ file://CVE-2023-52356.patch \
"
SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"