libtiff: fix CVE-2019-17546

Apply unmodified patch from upstream. (From OE-Core rev: 9cba3d02d00df23a3d0f830cb7d11752142f7d82) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <joe.slater@windriver.com> 2019-11-06 10:45:53 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-18 14:42:13 +0000
commit: 3b86def5ed2a07d765ce7530afd4b8d7af7cba15 (patch)
tree: 938e19ad00baa7595c058258c4a3089f169cd146
parent: ee860651e9eefcc7f210c8f6147b118881be740f (diff)
download: poky-3b86def5ed2a07d765ce7530afd4b8d7af7cba15.tar.gz
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
new file mode 100644
index 0000000000..04c5410930
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
@@ -0,0 +1,103 @@
+libtiff: fix CVE-2019-17546
+Added after 4.0.10 release.
+CVE: CVE-2019-17546
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+commit 4bb584a35f87af42d6cf09d15e9ce8909a839145
+Author: Even Rouault <even.rouault@spatialys.com>
+Date:   Thu Aug 15 15:05:28 2019 +0200
+    RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index c88b5fa..4da785d 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+        fromskew = (w < imagewidth ? imagewidth - w : 0);
+        for (row = 0; row < h; row += nrow)
+        {
+               uint32 temp;
+                rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+                nrow = (row + rowstoread > h ? h - row : rowstoread);
+                nrowsub = nrow;
+                if ((nrowsub%subsamplingver)!=0)
+                        nrowsub+=subsamplingver-nrowsub%subsamplingver;
+               temp = (row + img->row_offset)%rowsperstrip + nrowsub;
+               if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
+               {
+                       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
+                       return 0;
+               }
+                if (_TIFFReadEncodedStripAndAllocBuffer(tif,
+                    TIFFComputeStrip(tif,row+img->row_offset, 0),
+                    (void**)(&buf),
+                     maxstripsize,
+-                   ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
+                   temp * scanline)==(tmsize_t)(-1)
+                    && (buf == NULL || img->stoponerr))
+                {
+                        ret = 0;
+@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+        fromskew = (w < imagewidth ? imagewidth - w : 0);
+        for (row = 0; row < h; row += nrow)
+        {
+                uint32 temp;
+                rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+                nrow = (row + rowstoread > h ? h - row : rowstoread);
+                offset_row = row + img->row_offset;
+                temp = (row + img->row_offset)%rowsperstrip + nrow;
+                if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
+                {
+                        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
+                        return 0;
+                }
+                 if( buf == NULL )
+                 {
+                     if (_TIFFReadEncodedStripAndAllocBuffer(
+                             tif, TIFFComputeStrip(tif, offset_row, 0),
+                             (void**) &buf, bufsize,
+-                            ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+                            temp * scanline)==(tmsize_t)(-1)
+                         && (buf == NULL || img->stoponerr))
+                     {
+                             ret = 0;
+@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+                     }
+                 }
+                else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
+-                   p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+                   p0, temp * scanline)==(tmsize_t)(-1)
+                    && img->stoponerr)
+                {
+                        ret = 0;
+@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+                }
+                if (colorchannels > 1 
+                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
+-                                            p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
+                                            p1, temp * scanline) == (tmsize_t)(-1)
+                    && img->stoponerr)
+                {
+                        ret = 0;
+@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+                }
+                if (colorchannels > 1 
+                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
+-                                            p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
+                                            p2, temp * scanline) == (tmsize_t)(-1)
+                    && img->stoponerr)
+                {
+                        ret = 0;
+@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+                if (alpha)
+                {
+                        if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
+-                           pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+                           pa, temp * scanline)==(tmsize_t)(-1)
+                            && img->stoponerr)
+                        {
+                                ret = 0;
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
index a526fc06a2..08d9cad28a 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2019-6128.patch \
           file://CVE-2019-7663.patch \
           file://CVE-2019-14973.patch \
+           file://CVE-2019-17546.patch \
 "
 SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
 SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
author	Joe Slater <joe.slater@windriver.com>	2019-11-06 10:45:53 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-11-18 14:42:13 +0000
commit	3b86def5ed2a07d765ce7530afd4b8d7af7cba15 (patch)
tree	938e19ad00baa7595c058258c4a3089f169cd146
parent	ee860651e9eefcc7f210c8f6147b118881be740f (diff)
download	poky-3b86def5ed2a07d765ce7530afd4b8d7af7cba15.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch new file mode 100644 index 0000000000..04c5410930 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
@@ -0,0 +1,103 @@
		1	libtiff: fix CVE-2019-17546
		2
		3	Added after 4.0.10 release.
		4
		5	CVE: CVE-2019-17546
		6	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff]
		7	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		8
		9	commit 4bb584a35f87af42d6cf09d15e9ce8909a839145
		10	Author: Even Rouault <even.rouault@spatialys.com>
		11	Date: Thu Aug 15 15:05:28 2019 +0200
		12
		13	RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
		14
		15	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
		16	index c88b5fa..4da785d 100644
		17	--- a/libtiff/tif_getimage.c
		18	+++ b/libtiff/tif_getimage.c
		19	@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
		20	fromskew = (w < imagewidth ? imagewidth - w : 0);
		21	for (row = 0; row < h; row += nrow)
		22	{
		23	+ uint32 temp;
		24	rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
		25	nrow = (row + rowstoread > h ? h - row : rowstoread);
		26	nrowsub = nrow;
		27	if ((nrowsub%subsamplingver)!=0)
		28	nrowsub+=subsamplingver-nrowsub%subsamplingver;
		29	+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
		30	+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
		31	+ {
		32	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
		33	+ return 0;
		34	+ }
		35	if (_TIFFReadEncodedStripAndAllocBuffer(tif,
		36	TIFFComputeStrip(tif,row+img->row_offset, 0),
		37	(void**)(&buf),
		38	maxstripsize,
		39	- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
		40	+ temp * scanline)==(tmsize_t)(-1)
		41	&& (buf == NULL \|\| img->stoponerr))
		42	{
		43	ret = 0;
		44	@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
		45	fromskew = (w < imagewidth ? imagewidth - w : 0);
		46	for (row = 0; row < h; row += nrow)
		47	{
		48	+ uint32 temp;
		49	rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
		50	nrow = (row + rowstoread > h ? h - row : rowstoread);
		51	offset_row = row + img->row_offset;
		52	+ temp = (row + img->row_offset)%rowsperstrip + nrow;
		53	+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
		54	+ {
		55	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
		56	+ return 0;
		57	+ }
		58	if( buf == NULL )
		59	{
		60	if (_TIFFReadEncodedStripAndAllocBuffer(
		61	tif, TIFFComputeStrip(tif, offset_row, 0),
		62	(void**) &buf, bufsize,
		63	- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
		64	+ temp * scanline)==(tmsize_t)(-1)
		65	&& (buf == NULL \|\| img->stoponerr))
		66	{
		67	ret = 0;
		68	@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
		69	}
		70	}
		71	else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
		72	- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
		73	+ p0, temp * scanline)==(tmsize_t)(-1)
		74	&& img->stoponerr)
		75	{
		76	ret = 0;
		77	@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
		78	}
		79	if (colorchannels > 1
		80	&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
		81	- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
		82	+ p1, temp * scanline) == (tmsize_t)(-1)
		83	&& img->stoponerr)
		84	{
		85	ret = 0;
		86	@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
		87	}
		88	if (colorchannels > 1
		89	&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
		90	- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
		91	+ p2, temp * scanline) == (tmsize_t)(-1)
		92	&& img->stoponerr)
		93	{
		94	ret = 0;
		95	@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
		96	if (alpha)
		97	{
		98	if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
		99	- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
		100	+ pa, temp * scanline)==(tmsize_t)(-1)
		101	&& img->stoponerr)
		102	{
		103	ret = 0;


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index a526fc06a2..08d9cad28a 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
9	file://CVE-2019-6128.patch \	9	file://CVE-2019-6128.patch \
10	file://CVE-2019-7663.patch \	10	file://CVE-2019-7663.patch \
11	file://CVE-2019-14973.patch \	11	file://CVE-2019-14973.patch \
		12	file://CVE-2019-17546.patch \
12	"	13	"
13	SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"	14	SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
14	SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"	15	SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"