libtiff: Security Advisory - CVE-2012-4564

v2 changes: * update format for commit log * add Upstream-Status for patch ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4564 (From OE-Core rev: 9f02922d44de483ef4d02ce95b55efe79a8b09a2) (From OE-Core rev: ff60c490c4fdb9f89d2b8e8fe7f2e7c4f2ff631f) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yue Tao <Yue.Tao@windriver.com> 2014-06-17 04:25:20 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-10 15:06:06 +0100
commit: 452619ba41700dc166ce1a65b15a71ff7fa3c838 (patch)
tree: c85b3cb0a6daf69822c36fa6de00f2f444c673bc
parent: 8d28013312ee035343bc3d89814e7d59f964231c (diff)
download: poky-452619ba41700dc166ce1a65b15a71ff7fa3c838.tar.gz
2 files changed, 101 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch
new file mode 100644
index 0000000000..23649790c4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch
@@ -0,0 +1,99 @@
+Upstream-Status: Backport
+Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Index: tools/ppm2tiff.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- a/tools/ppm2tiff.c  10 Apr 2010 19:22:34 -0000      1.16
+++ b/tools/ppm2tiff.c  10 Dec 2012 18:19:11 -0000      1.18
+@@ -1,4 +1,4 @@
+-/* $Id: ppm2tiff.c,v 1.16 2010-04-10 19:22:34 bfriesen Exp $ */
+/* $Id: ppm2tiff.c,v 1.18 2012-12-10 18:19:11 tgl Exp $ */
+ 
+ /*
+  * Copyright (c) 1991-1997 Sam Leffler
+@@ -72,6 +72,17 @@
+        exit(-2);
+ }
+ 
+static tmsize_t
+multiply_ms(tmsize_t m1, tmsize_t m2)
+{
+       tmsize_t bytes = m1 * m2;
+
+       if (m1 && bytes / m1 != m2)
+               bytes = 0;
+
+       return bytes;
+}
+
+ int
+ main(int argc, char* argv[])
+ {
+@@ -79,7 +90,7 @@
+        uint32 rowsperstrip = (uint32) -1;
+        double resolution = -1;
+        unsigned char *buf = NULL;
+-       tsize_t linebytes = 0;
+       tmsize_t linebytes = 0;
+        uint16 spp = 1;
+        uint16 bpp = 8;
+        TIFF *out;
+@@ -89,6 +100,7 @@
+        int c;
+        extern int optind;
+        extern char* optarg;
+       tmsize_t scanline_size;
+ 
+        if (argc < 2) {
+            fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -221,7 +233,8 @@
+        }
+        switch (bpp) {
+                case 1:
+-                       linebytes = (spp * w + (8 - 1)) / 8;
+                       /* if round-up overflows, result will be zero, OK */
+                       linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+                        if (rowsperstrip == (uint32) -1) {
+                                TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+                        } else {
+@@ -230,15 +243,31 @@
+                        }
+                        break;
+                case 8:
+-                       linebytes = spp * w;
+                       linebytes = multiply_ms(spp, w);
+                        TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+                            TIFFDefaultStripSize(out, rowsperstrip));
+                        break;
+        }
+-       if (TIFFScanlineSize(out) > linebytes)
+       if (linebytes == 0) {
+               fprintf(stderr, "%s: scanline size overflow\n", infile);
+               (void) TIFFClose(out);
+               exit(-2);                                       
+       }
+       scanline_size = TIFFScanlineSize(out);
+       if (scanline_size == 0) {
+               /* overflow - TIFFScanlineSize already printed a message */
+               (void) TIFFClose(out);
+               exit(-2);                                       
+       }
+       if (scanline_size < linebytes)
+                buf = (unsigned char *)_TIFFmalloc(linebytes);
+        else
+-               buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+               buf = (unsigned char *)_TIFFmalloc(scanline_size);
+       if (buf == NULL) {
+               fprintf(stderr, "%s: Not enough memory\n", infile);
+               (void) TIFFClose(out);
+               exit(-2);
+       }
+        if (resolution > 0) {
+                TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+                TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index c2822ca5e1..b7d1129ad6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -10,7 +10,8 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
           file://libtiff-CVE-2013-4232.patch \
           file://libtiff-CVE-2013-4243.patch \
           file://libtiff-CVE-2013-4244.patch \
-           file://libtiff-CVE-2013-4231.patch "
+           file://libtiff-CVE-2013-4231.patch \
+           file://tiff-CVE-2012-4564.patch "
 SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
 SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
author	Yue Tao <Yue.Tao@windriver.com>	2014-06-17 04:25:20 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-10 15:06:06 +0100
commit	452619ba41700dc166ce1a65b15a71ff7fa3c838 (patch)
tree	c85b3cb0a6daf69822c36fa6de00f2f444c673bc
parent	8d28013312ee035343bc3d89814e7d59f964231c (diff)
download	poky-452619ba41700dc166ce1a65b15a71ff7fa3c838.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch new file mode 100644 index 0000000000..23649790c4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch
@@ -0,0 +1,99 @@
		1	Upstream-Status: Backport
		2
		3	Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
		4	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
		5
		6	Index: tools/ppm2tiff.c
		7	===================================================================
		8	RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v
		9	retrieving revision 1.16
		10	retrieving revision 1.18
		11	diff -u -r1.16 -r1.18
		12	--- a/tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16
		13	+++ b/tools/ppm2tiff.c 10 Dec 2012 18:19:11 -0000 1.18
		14	@@ -1,4 +1,4 @@
		15	-/* $Id: ppm2tiff.c,v 1.16 2010-04-10 19:22:34 bfriesen Exp $ */
		16	+/* $Id: ppm2tiff.c,v 1.18 2012-12-10 18:19:11 tgl Exp $ */
		17
		18	/*
		19	* Copyright (c) 1991-1997 Sam Leffler
		20	@@ -72,6 +72,17 @@
		21	exit(-2);
		22	}
		23
		24	+static tmsize_t
		25	+multiply_ms(tmsize_t m1, tmsize_t m2)
		26	+{
		27	+ tmsize_t bytes = m1 * m2;
		28	+
		29	+ if (m1 && bytes / m1 != m2)
		30	+ bytes = 0;
		31	+
		32	+ return bytes;
		33	+}
		34	+
		35	int
		36	main(int argc, char* argv[])
		37	{
		38	@@ -79,7 +90,7 @@
		39	uint32 rowsperstrip = (uint32) -1;
		40	double resolution = -1;
		41	unsigned char *buf = NULL;
		42	- tsize_t linebytes = 0;
		43	+ tmsize_t linebytes = 0;
		44	uint16 spp = 1;
		45	uint16 bpp = 8;
		46	TIFF *out;
		47	@@ -89,6 +100,7 @@
		48	int c;
		49	extern int optind;
		50	extern char* optarg;
		51	+ tmsize_t scanline_size;
		52
		53	if (argc < 2) {
		54	fprintf(stderr, "%s: Too few arguments\n", argv[0]);
		55	@@ -221,7 +233,8 @@
		56	}
		57	switch (bpp) {
		58	case 1:
		59	- linebytes = (spp * w + (8 - 1)) / 8;
		60	+ /* if round-up overflows, result will be zero, OK */
		61	+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
		62	if (rowsperstrip == (uint32) -1) {
		63	TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
		64	} else {
		65	@@ -230,15 +243,31 @@
		66	}
		67	break;
		68	case 8:
		69	- linebytes = spp * w;
		70	+ linebytes = multiply_ms(spp, w);
		71	TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
		72	TIFFDefaultStripSize(out, rowsperstrip));
		73	break;
		74	}
		75	- if (TIFFScanlineSize(out) > linebytes)
		76	+ if (linebytes == 0) {
		77	+ fprintf(stderr, "%s: scanline size overflow\n", infile);
		78	+ (void) TIFFClose(out);
		79	+ exit(-2);
		80	+ }
		81	+ scanline_size = TIFFScanlineSize(out);
		82	+ if (scanline_size == 0) {
		83	+ /* overflow - TIFFScanlineSize already printed a message */
		84	+ (void) TIFFClose(out);
		85	+ exit(-2);
		86	+ }
		87	+ if (scanline_size < linebytes)
		88	buf = (unsigned char *)_TIFFmalloc(linebytes);
		89	else
		90	- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
		91	+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
		92	+ if (buf == NULL) {
		93	+ fprintf(stderr, "%s: Not enough memory\n", infile);
		94	+ (void) TIFFClose(out);
		95	+ exit(-2);
		96	+ }
		97	if (resolution > 0) {
		98	TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
		99	TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb index c2822ca5e1..b7d1129ad6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -10,7 +10,8 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
10	file://libtiff-CVE-2013-4232.patch \	10	file://libtiff-CVE-2013-4232.patch \
11	file://libtiff-CVE-2013-4243.patch \	11	file://libtiff-CVE-2013-4243.patch \
12	file://libtiff-CVE-2013-4244.patch \	12	file://libtiff-CVE-2013-4244.patch \
13	file://libtiff-CVE-2013-4231.patch "	13	file://libtiff-CVE-2013-4231.patch \
		14	file://tiff-CVE-2012-4564.patch "
14		15
15	SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"	16	SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
16	SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"	17	SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"