new file mode 100644
@@ -0,0 +1,63 @@
+From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Thu, 14 Sep 2023 04:36:58 +0000
+Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
+ #592)
+
+CVE: CVE-2023-41175
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index 4ee59e5..a811077 100644
+--- a/tools/raw2tiff.c
++++ b/tools/raw2tiff.c
+@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
+ int fd;
+ char *outfilename = NULL;
+ TIFF *out;
++ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
+
+ uint32_t row, col, band;
+ int c;
+@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
+ if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
+ return EXIT_FAILURE;
+
++ /* check for integer overflow in */
++ /* hdr_size + (*width) * (*length) * nbands * depth */
++
++ if ((width == 0) || (length == 0) ){
++ fprintf(stderr, "Too large nbands value specified.\n");
++ return (EXIT_FAILURE);
++ }
++
++ temp_limit_check = nbands * depth;
++
++ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) {
++ fprintf(stderr, "Too large length size specified.\n");
++ return (EXIT_FAILURE);
++ }
++ temp_limit_check = temp_limit_check * length;
++
++ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) {
++ fprintf(stderr, "Too large width size specified.\n");
++ return (EXIT_FAILURE);
++ }
++ temp_limit_check = temp_limit_check * width;
++
++ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) {
++ fprintf(stderr, "Too large header size specified.\n");
++ return (EXIT_FAILURE);
++ }
++
+ if (outfilename == NULL)
+ outfilename = argv[optind + 1];
+ out = TIFFOpen(outfilename, "w");
+--
+2.35.5
@@ -10,6 +10,7 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-40745.patch \
+ file://CVE-2023-41175.patch \
"
SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"