tiff: Security fix for CVE-2016-10269

(From OE-Core rev: 46504a224a9f33f1f8752bbcd51a285d19920524) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Rajkumar Veer <rveer@mvista.com> 2017-11-03 22:15:53 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-21 14:43:53 +0000
commit: dcb2fc9d7c538e86ef9db5df493ebc0f0d2ccba8 (patch)
tree: 77abc0053c8ec9871ed78cef98a2d8da501b649e
parent: 7b108a757b82b417db04ab86809ca266d4a9c229 (diff)
download: poky-dcb2fc9d7c538e86ef9db5df493ebc0f0d2ccba8.tar.gz
2 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch
new file mode 100644
index 0000000000..d9f4a15022
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch
@@ -0,0 +1,131 @@
+From 10f72dd232849d0142a0688bcc9aa71025f120a3 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 2 Dec 2016 23:05:51 +0000
+Subject: [PATCH 2/4] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix
+ heap-based buffer overflow on generation of PixarLog / LUV compressed files,
+ with ColorMap, TransferFunction attached and nasty plays with bitspersample.
+ The fix for LUV has not been tested, but suffers from the same kind of issue
+ of PixarLog. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2604
+Upstream-Status: Backport
+CVE: CVE-2016-10269
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+---
+ ChangeLog              | 10 ++++++++++
+ libtiff/tif_luv.c      | 18 ++++++++++++++----
+ libtiff/tif_pixarlog.c | 17 +++++++++++++++--
+ 3 files changed, 39 insertions(+), 6 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 2e913b6..0a2c2a7 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,4 +1,14 @@
+ 2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+       overflow on generation of PixarLog / LUV compressed files, with
+       ColorMap, TransferFunction attached and nasty plays with bitspersample.
+       The fix for LUV has not been tested, but suffers from the same kind
+       of issue of PixarLog.
+       Reported by Agostino Sarubbo.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+  
+        * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
+        OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index f68a9b1..e6783db 100644
+--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+ 
+ struct logLuvState {
+        int                     encoder_state;  /* 1 if encoder correctly initialized */
+        int                     user_datafmt;   /* user data format */
+        int                     encode_meth;    /* encoding method */
+        int                     pixel_size;     /* bytes per pixel */
+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
+                    td->td_photometric, "must be either LogLUV or LogL");
+                break;
+        }
+       sp->encoder_state = 1;
+        return (1);
+ notsupported:
+        TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@ notsupported:
+ static void
+ LogLuvClose(TIFF* tif)
+ {
+        LogLuvState* sp = (LogLuvState*) tif->tif_data;
+        TIFFDirectory *td = &tif->tif_dir;
+ 
+       assert(sp != 0);
+        /*
+         * For consistency, we always want to write out the same
+         * bitspersample and sampleformat for our TIFF file,
+         * regardless of the data format being used by the application.
+         * Since this routine is called after tags have been set but
+         * before they have been recorded in the file, we reset them here.
+         * Note: this is really a nasty approach. See PixarLogClose
+         */
+-       td->td_samplesperpixel =
+-           (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+-       td->td_bitspersample = 16;
+-       td->td_sampleformat = SAMPLEFORMAT_INT;
+        if( sp->encoder_state )
+        {
+            /* See PixarLogClose. Might avoid issues with tags whose size depends
+             * on those below, but not completely sure this is enough. */
+            td->td_samplesperpixel =
+                (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+            td->td_bitspersample = 16;
+            td->td_sampleformat = SAMPLEFORMAT_INT;
+        }
+ }
+ 
+ static void
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index d1246c3..aa99bc9 100644
+--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
+ static void
+ PixarLogClose(TIFF* tif)
+ {
+        PixarLogState* sp = (PixarLogState*) tif->tif_data;
+        TIFFDirectory *td = &tif->tif_dir;
+ 
+       assert(sp != 0);
+        /* In a really sneaky (and really incorrect, and untruthful, and
+         * troublesome, and error-prone) maneuver that completely goes against
+         * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
+         * readers that don't know about PixarLog, or how to set
+         * the PIXARLOGDATFMT pseudo-tag.
+         */
+-       td->td_bitspersample = 8;
+-       td->td_sampleformat = SAMPLEFORMAT_UINT;
+
+        if (sp->state&PLSTATE_INIT) {
+            /* We test the state to avoid an issue such as in
+             * http://bugzilla.maptools.org/show_bug.cgi?id=2604
+             * What appends in that case is that the bitspersample is 1 and
+             * a TransferFunction is set. The size of the TransferFunction
+             * depends on 1<<bitspersample. So if we increase it, an access
+             * out of the buffer will happen at directory flushing.
+             * Another option would be to clear those targs. 
+             */
+            td->td_bitspersample = 8;
+            td->td_sampleformat = SAMPLEFORMAT_UINT;
+        }
+ }
+ 
+ static void
+-- 
+1.9.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index d60c7fed13..0878e0014a 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2016-10268.patch \
           file://CVE-2016-10266.patch \
           file://CVE-2016-10267.patch \
+           file://CVE-2016-10269.patch \
          "
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
author	Rajkumar Veer <rveer@mvista.com>	2017-11-03 22:15:53 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-21 14:43:53 +0000
commit	dcb2fc9d7c538e86ef9db5df493ebc0f0d2ccba8 (patch)
tree	77abc0053c8ec9871ed78cef98a2d8da501b649e
parent	7b108a757b82b417db04ab86809ca266d4a9c229 (diff)
download	poky-dcb2fc9d7c538e86ef9db5df493ebc0f0d2ccba8.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch new file mode 100644 index 0000000000..d9f4a15022 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch
@@ -0,0 +1,131 @@
		1	From 10f72dd232849d0142a0688bcc9aa71025f120a3 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Fri, 2 Dec 2016 23:05:51 +0000
		4	Subject: [PATCH 2/4] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix
		5	heap-based buffer overflow on generation of PixarLog / LUV compressed files,
		6	with ColorMap, TransferFunction attached and nasty plays with bitspersample.
		7	The fix for LUV has not been tested, but suffers from the same kind of issue
		8	of PixarLog. Reported by Agostino Sarubbo. Fixes
		9	http://bugzilla.maptools.org/show_bug.cgi?id=2604
		10
		11	Upstream-Status: Backport
		12
		13	CVE: CVE-2016-10269
		14	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
		15	---
		16	ChangeLog \| 10 ++++++++++
		17	libtiff/tif_luv.c \| 18 ++++++++++++++----
		18	libtiff/tif_pixarlog.c \| 17 +++++++++++++++--
		19	3 files changed, 39 insertions(+), 6 deletions(-)
		20
		21	diff --git a/ChangeLog b/ChangeLog
		22	index 2e913b6..0a2c2a7 100644
		23	--- a/ChangeLog
		24	+++ b/ChangeLog
		25	@@ -1,4 +1,14 @@
		26	2016-12-03 Even Rouault <even.rouault at spatialys.com>
		27	+
		28	+ * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
		29	+ overflow on generation of PixarLog / LUV compressed files, with
		30	+ ColorMap, TransferFunction attached and nasty plays with bitspersample.
		31	+ The fix for LUV has not been tested, but suffers from the same kind
		32	+ of issue of PixarLog.
		33	+ Reported by Agostino Sarubbo.
		34	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
		35	+
		36	+2016-12-03 Even Rouault <even.rouault at spatialys.com>
		37
		38	* libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
		39	OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
		40	diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
		41	index f68a9b1..e6783db 100644
		42	--- a/libtiff/tif_luv.c
		43	+++ b/libtiff/tif_luv.c
		44	@@ -158,6 +158,7 @@
		45	typedef struct logLuvState LogLuvState;
		46
		47	struct logLuvState {
		48	+ int encoder_state; /* 1 if encoder correctly initialized */
		49	int user_datafmt; /* user data format */
		50	int encode_meth; /* encoding method */
		51	int pixel_size; /* bytes per pixel */
		52	@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
		53	td->td_photometric, "must be either LogLUV or LogL");
		54	break;
		55	}
		56	+ sp->encoder_state = 1;
		57	return (1);
		58	notsupported:
		59	TIFFErrorExt(tif->tif_clientdata, module,
		60	@@ -1563,19 +1565,27 @@ notsupported:
		61	static void
		62	LogLuvClose(TIFF* tif)
		63	{
		64	+ LogLuvState* sp = (LogLuvState*) tif->tif_data;
		65	TIFFDirectory *td = &tif->tif_dir;
		66
		67	+ assert(sp != 0);
		68	/*
		69	* For consistency, we always want to write out the same
		70	* bitspersample and sampleformat for our TIFF file,
		71	* regardless of the data format being used by the application.
		72	* Since this routine is called after tags have been set but
		73	* before they have been recorded in the file, we reset them here.
		74	+ * Note: this is really a nasty approach. See PixarLogClose
		75	*/
		76	- td->td_samplesperpixel =
		77	- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
		78	- td->td_bitspersample = 16;
		79	- td->td_sampleformat = SAMPLEFORMAT_INT;
		80	+ if( sp->encoder_state )
		81	+ {
		82	+ /* See PixarLogClose. Might avoid issues with tags whose size depends
		83	+ * on those below, but not completely sure this is enough. */
		84	+ td->td_samplesperpixel =
		85	+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
		86	+ td->td_bitspersample = 16;
		87	+ td->td_sampleformat = SAMPLEFORMAT_INT;
		88	+ }
		89	}
		90
		91	static void
		92	diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
		93	index d1246c3..aa99bc9 100644
		94	--- a/libtiff/tif_pixarlog.c
		95	+++ b/libtiff/tif_pixarlog.c
		96	@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
		97	static void
		98	PixarLogClose(TIFF* tif)
		99	{
		100	+ PixarLogState* sp = (PixarLogState*) tif->tif_data;
		101	TIFFDirectory *td = &tif->tif_dir;
		102
		103	+ assert(sp != 0);
		104	/* In a really sneaky (and really incorrect, and untruthful, and
		105	* troublesome, and error-prone) maneuver that completely goes against
		106	* the spirit of TIFF, and breaks TIFF, on close, we covertly
		107	@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
		108	* readers that don't know about PixarLog, or how to set
		109	* the PIXARLOGDATFMT pseudo-tag.
		110	*/
		111	- td->td_bitspersample = 8;
		112	- td->td_sampleformat = SAMPLEFORMAT_UINT;
		113	+
		114	+ if (sp->state&PLSTATE_INIT) {
		115	+ /* We test the state to avoid an issue such as in
		116	+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
		117	+ * What appends in that case is that the bitspersample is 1 and
		118	+ * a TransferFunction is set. The size of the TransferFunction
		119	+ * depends on 1<<bitspersample. So if we increase it, an access
		120	+ * out of the buffer will happen at directory flushing.
		121	+ * Another option would be to clear those targs.
		122	+ */
		123	+ td->td_bitspersample = 8;
		124	+ td->td_sampleformat = SAMPLEFORMAT_UINT;
		125	+ }
		126	}
		127
		128	static void
		129	--
		130	1.9.1
		131


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index d60c7fed13..0878e0014a 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
16	file://CVE-2016-10268.patch \	16	file://CVE-2016-10268.patch \
17	file://CVE-2016-10266.patch \	17	file://CVE-2016-10266.patch \
18	file://CVE-2016-10267.patch \	18	file://CVE-2016-10267.patch \
		19	file://CVE-2016-10269.patch \
19	"	20	"
20		21
21	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"	22	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"