authorArmin Kuster <akuster@mvista.com>2016-01-29 17:39:36 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-03 11:11:39 +0000
commitd9a3e4a5cf5736b7dcbf2a3c126bdd0f73925b15 (patch)
tree3d7b0f21f0480f4abe31298d09787b78da79b2e2
parent83af960b7d9596b5355d1b8cf757ff14d087d0dc (diff)
downloadpoky-d9a3e4a5cf5736b7dcbf2a3c126bdd0f73925b15.tar.gz
tiff: Security fix CVE-2015-8781
CVE-2015-8781 libtiff: out-of-bounds writes for invalid images (From OE-Core master rev: 29c80024bdb67477dae47d8fb903feda2efe75d4) minor tweak to get Changelog changes to apply (From OE-Core rev: fa7fac56be40fdb519d426e9465436415e3f5527) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch196
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.3.bb4
2 files changed, 199 insertions, 1 deletions
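--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
@@ -0,0 +1,196 @@
+From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 27 Dec 2015 16:25:11 +0000
+Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
+ decode functions in non debug builds by replacing assert()s by regular if
+ checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
+ input data.
+
+Upstream-Status: Backport
+
+https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
+hand applied Changelog changes
+
+CVE: CVE-2015-8781
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog | 7 +++++++
+ libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 51 insertions(+), 11 deletions(-)
+
+Index: tiff-4.0.3/libtiff/tif_luv.c
+===================================================================
+--- tiff-4.0.3.orig/libtiff/tif_luv.c
++++ tiff-4.0.3/libtiff/tif_luv.c
+@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+ if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+ tp = (int16*) op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (int16*) sp->tbuf;
+ }
+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+ cc = tif->tif_rawcc;
+ /* get each byte string */
+ for (shft = 2*8; (shft -= 8) >= 0; ) {
+- for (i = 0; i < npixels && cc > 0; )
++ for (i = 0; i < npixels && cc > 0; ) {
+ if (*bp >= 128) { /* run */
+- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++ if( cc < 2 )
++ break;
++ rc = *bp++ + (2-128);
+ b = (int16)(*bp++ << shft);
+ cc -= 2;
+ while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+ while (--cc && rc-- && i < npixels)
+ tp[i++] |= (int16)*bp++ << shft;
+ }
++ }
+ if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ tp = (uint32 *)op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (uint32 *) sp->tbuf;
+ }
+ /* copy to array of uint32 */
+ bp = (unsigned char*) tif->tif_rawcp;
+ cc = tif->tif_rawcc;
+- for (i = 0; i < npixels && cc > 0; i++) {
++ for (i = 0; i < npixels && cc >= 3; i++) {
+ tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+ bp += 3;
+ cc -= 3;
+@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ tp = (uint32*) op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (uint32*) sp->tbuf;
+ }
+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+ cc = tif->tif_rawcc;
+ /* get each byte string */
+ for (shft = 4*8; (shft -= 8) >= 0; ) {
+- for (i = 0; i < npixels && cc > 0; )
++ for (i = 0; i < npixels && cc > 0; ) {
+ if (*bp >= 128) { /* run */
++ if( cc < 2 )
++ break;
+ rc = *bp++ + (2-128);
+ b = (uint32)*bp++ << shft;
+- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++ cc -= 2;
+ while (rc-- && i < npixels)
+ tp[i++] |= b;
+ } else { /* non-run */
+@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+ while (--cc && rc-- && i < npixels)
+ tp[i++] |= (uint32)*bp++ << shft;
+ }
++ }
+ if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module[] = "LogL16Encode";
+ LogLuvState* sp = EncoderState(tif);
+ int shft;
+ tmsize_t i;
+@@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
+ tp = (int16*) bp;
+ else {
+ tp = (int16*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* compress each byte string */
+@@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module[] = "LogLuvEncode24";
+ LogLuvState* sp = EncoderState(tif);
+ tmsize_t i;
+ tmsize_t npixels;
+@@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
+ tp = (uint32*) bp;
+ else {
+ tp = (uint32*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* write out encoded pixels */
+@@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module[] = "LogLuvEncode32";
+ LogLuvState* sp = EncoderState(tif);
+ int shft;
+ tmsize_t i;
+@@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
+ tp = (uint32*) bp;
+ else {
+ tp = (uint32*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* compress each byte string */
+Index: tiff-4.0.3/ChangeLog
+===================================================================
+--- tiff-4.0.3.orig/ChangeLog
++++ tiff-4.0.3/ChangeLog
+@@ -1,3 +1,11 @@
++2015-12-27 Even Rouault <even.rouault at spatialys.com>
++
++ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
++ functions in non debug builds by replacing assert()s by regular if
++ checks (bugzilla #2522).
++ Fix potential out-of-bound reads in case of short input data.
++
++
+ 2012-09-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff 4.0.3 released.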
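Review bot: The new `if( cc < 2 ) break;` guards in the run branches of LogL16Decode and LogLuvDecode32 carry no comment, and the TODO that described the truncated-input overrun was removed, so nothing records that the early exit relies on the `if (i != npixels)` check after the inner loop to turn a short strip into an error return. I would add `/* truncated run: need count + value bytes; the i != npixels check below reports it */` above each guard. The same dependence applies to the `cc >= 3` loop bound in LogLuvDecode24, where the check that reports the short read lies below the hunk and is not visible here, so it should be confirmed rather than assumed. All three decode function bodies start and end outside their hunks.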
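--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -11,7 +11,9 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
  file://libtiff-CVE-2013-4243.patch \
  file://libtiff-CVE-2013-4244.patch \
  file://libtiff-CVE-2013-4231.patch \
- file://tiff-CVE-2012-4564.patch "
+ file://tiff-CVE-2012-4564.patch \
+ file://CVE-2015-8781.patch \
+ "
 
 SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
 SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"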