summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMingli Yu <Mingli.Yu@windriver.com>2016-12-07 08:01:11 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 11:21:39 (GMT)
commita7301f1b499a971f6b208865f1241aaffa4b1dde (patch)
tree659cdf9713981297e17167d6df6ac4fa5da6d5af
parent6c6fedcb239a188807cdf228a3e0ed116523bf1b (diff)
downloadpoky-a7301f1b499a971f6b208865f1241aaffa4b1dde.tar.gz
tiff: Security fix CVE-2016-9535
* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535 Patch from: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 (From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275) (From OE-Core rev: d55b4470c20f4a4b73b1e6f148a45d94649dfdb5) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch423
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch67
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.6.bb2
3 files changed, 492 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
new file mode 100644
index 0000000..26fd0df
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
@@ -0,0 +1,423 @@
1From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Mon, 31 Oct 2016 17:24:26 +0000
4Subject: [PATCH 1/2] Fix CVE-2016-9535
5
6* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
7 assertions by runtime checks to avoid assertions in debug mode, or buffer
8 overflows in release mode. Can happen when dealing with unusual tile size
9 like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
10 Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
11
12CVE: CVE-2016-9535
13Upstream-Status: Backport
14https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
15
16Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
17
18---
19 libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
20 libtiff/tif_predict.h | 6 +-
21 2 files changed, 121 insertions(+), 47 deletions(-)
22
23diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
24index 555f2f9..b829259 100644
25--- a/libtiff/tif_predict.c
26+++ b/libtiff/tif_predict.c
27@@ -34,18 +34,18 @@
28
29 #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
30
31-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
32-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
33-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
34-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
35-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
36-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
37-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
38-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
39-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
40-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
41-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
42-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
43+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
44+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
45+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
46+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
47+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
48+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
49+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
50+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
51+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
52+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
53+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
54+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
55 static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
56 static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
57 static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
58@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
59 /* - when storing into the byte stream, we explicitly mask with 0xff so */
60 /* as to make icc -check=conversions happy (not necessary by the standard) */
61
62-static void
63+static int
64 horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
65 {
66 tmsize_t stride = PredictorState(tif)->stride;
67
68 unsigned char* cp = (unsigned char*) cp0;
69- assert((cc%stride)==0);
70+ if((cc%stride)!=0)
71+ {
72+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
73+ "%s", "(cc%stride)!=0");
74+ return 0;
75+ }
76+
77 if (cc > stride) {
78 /*
79 * Pipeline the most common cases.
80@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
81 } while (cc>0);
82 }
83 }
84+ return 1;
85 }
86
87-static void
88+static int
89 swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
90 {
91 uint16* wp = (uint16*) cp0;
92 tmsize_t wc = cc / 2;
93
94 TIFFSwabArrayOfShort(wp, wc);
95- horAcc16(tif, cp0, cc);
96+ return horAcc16(tif, cp0, cc);
97 }
98
99-static void
100+static int
101 horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
102 {
103 tmsize_t stride = PredictorState(tif)->stride;
104 uint16* wp = (uint16*) cp0;
105 tmsize_t wc = cc / 2;
106
107- assert((cc%(2*stride))==0);
108+ if((cc%(2*stride))!=0)
109+ {
110+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
111+ "%s", "cc%(2*stride))!=0");
112+ return 0;
113+ }
114
115 if (wc > stride) {
116 wc -= stride;
117@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
118 wc -= stride;
119 } while (wc > 0);
120 }
121+ return 1;
122 }
123
124-static void
125+static int
126 swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
127 {
128 uint32* wp = (uint32*) cp0;
129 tmsize_t wc = cc / 4;
130
131 TIFFSwabArrayOfLong(wp, wc);
132- horAcc32(tif, cp0, cc);
133+ return horAcc32(tif, cp0, cc);
134 }
135
136-static void
137+static int
138 horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
139 {
140 tmsize_t stride = PredictorState(tif)->stride;
141 uint32* wp = (uint32*) cp0;
142 tmsize_t wc = cc / 4;
143
144- assert((cc%(4*stride))==0);
145+ if((cc%(4*stride))!=0)
146+ {
147+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
148+ "%s", "cc%(4*stride))!=0");
149+ return 0;
150+ }
151
152 if (wc > stride) {
153 wc -= stride;
154@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
155 wc -= stride;
156 } while (wc > 0);
157 }
158+ return 1;
159 }
160
161 /*
162 * Floating point predictor accumulation routine.
163 */
164-static void
165+static int
166 fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
167 {
168 tmsize_t stride = PredictorState(tif)->stride;
169@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
170 uint8 *cp = (uint8 *) cp0;
171 uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
172
173- assert((cc%(bps*stride))==0);
174+ if(cc%(bps*stride)!=0)
175+ {
176+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
177+ "%s", "cc%(bps*stride))!=0");
178+ return 0;
179+ }
180
181 if (!tmp)
182- return;
183+ return 0;
184
185 while (count > stride) {
186 REPEAT4(stride, cp[stride] =
187@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
188 }
189 }
190 _TIFFfree(tmp);
191+ return 1;
192 }
193
194 /*
195@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
196 assert(sp->decodepfunc != NULL);
197
198 if ((*sp->decoderow)(tif, op0, occ0, s)) {
199- (*sp->decodepfunc)(tif, op0, occ0);
200- return 1;
201+ return (*sp->decodepfunc)(tif, op0, occ0);
202 } else
203 return 0;
204 }
205@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
206 if ((*sp->decodetile)(tif, op0, occ0, s)) {
207 tmsize_t rowsize = sp->rowsize;
208 assert(rowsize > 0);
209- assert((occ0%rowsize)==0);
210+ if((occ0%rowsize) !=0)
211+ {
212+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
213+ "%s", "occ0%rowsize != 0");
214+ return 0;
215+ }
216 assert(sp->decodepfunc != NULL);
217 while (occ0 > 0) {
218- (*sp->decodepfunc)(tif, op0, rowsize);
219+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
220+ return 0;
221 occ0 -= rowsize;
222 op0 += rowsize;
223 }
224@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
225 return 0;
226 }
227
228-static void
229+static int
230 horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
231 {
232 TIFFPredictorState* sp = PredictorState(tif);
233 tmsize_t stride = sp->stride;
234 unsigned char* cp = (unsigned char*) cp0;
235
236- assert((cc%stride)==0);
237+ if((cc%stride)!=0)
238+ {
239+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
240+ "%s", "(cc%stride)!=0");
241+ return 0;
242+ }
243
244 if (cc > stride) {
245 cc -= stride;
246@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
247 } while ((cc -= stride) > 0);
248 }
249 }
250+ return 1;
251 }
252
253-static void
254+static int
255 horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
256 {
257 TIFFPredictorState* sp = PredictorState(tif);
258@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
259 uint16 *wp = (uint16*) cp0;
260 tmsize_t wc = cc/2;
261
262- assert((cc%(2*stride))==0);
263+ if((cc%(2*stride))!=0)
264+ {
265+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
266+ "%s", "(cc%(2*stride))!=0");
267+ return 0;
268+ }
269
270 if (wc > stride) {
271 wc -= stride;
272@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
273 wc -= stride;
274 } while (wc > 0);
275 }
276+ return 1;
277 }
278
279-static void
280+static int
281 swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
282 {
283 uint16* wp = (uint16*) cp0;
284 tmsize_t wc = cc / 2;
285
286- horDiff16(tif, cp0, cc);
287+ if( !horDiff16(tif, cp0, cc) )
288+ return 0;
289
290 TIFFSwabArrayOfShort(wp, wc);
291+ return 1;
292 }
293
294-static void
295+static int
296 horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
297 {
298 TIFFPredictorState* sp = PredictorState(tif);
299@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
300 uint32 *wp = (uint32*) cp0;
301 tmsize_t wc = cc/4;
302
303- assert((cc%(4*stride))==0);
304+ if((cc%(4*stride))!=0)
305+ {
306+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
307+ "%s", "(cc%(4*stride))!=0");
308+ return 0;
309+ }
310
311 if (wc > stride) {
312 wc -= stride;
313@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
314 wc -= stride;
315 } while (wc > 0);
316 }
317+ return 1;
318 }
319
320-static void
321+static int
322 swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
323 {
324 uint32* wp = (uint32*) cp0;
325 tmsize_t wc = cc / 4;
326
327- horDiff32(tif, cp0, cc);
328+ if( !horDiff32(tif, cp0, cc) )
329+ return 0;
330
331 TIFFSwabArrayOfLong(wp, wc);
332+ return 1;
333 }
334
335 /*
336 * Floating point predictor differencing routine.
337 */
338-static void
339+static int
340 fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
341 {
342 tmsize_t stride = PredictorState(tif)->stride;
343@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
344 uint8 *cp = (uint8 *) cp0;
345 uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
346
347- assert((cc%(bps*stride))==0);
348-
349+ if((cc%(bps*stride))!=0)
350+ {
351+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
352+ "%s", "(cc%(bps*stride))!=0");
353+ return 0;
354+ }
355 if (!tmp)
356- return;
357+ return 0;
358
359 _TIFFmemcpy(tmp, cp0, cc);
360 for (count = 0; count < wc; count++) {
361@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
362 cp += cc - stride - 1;
363 for (count = cc; count > stride; count -= stride)
364 REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
365+ return 1;
366 }
367
368 static int
369@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
370 assert(sp->encoderow != NULL);
371
372 /* XXX horizontal differencing alters user's data XXX */
373- (*sp->encodepfunc)(tif, bp, cc);
374+ if( !(*sp->encodepfunc)(tif, bp, cc) )
375+ return 0;
376 return (*sp->encoderow)(tif, bp, cc, s);
377 }
378
379@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
380
381 rowsize = sp->rowsize;
382 assert(rowsize > 0);
383- assert((cc0%rowsize)==0);
384+ if((cc0%rowsize)!=0)
385+ {
386+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
387+ "%s", "(cc0%rowsize)!=0");
388+ return 0;
389+ }
390 while (cc > 0) {
391 (*sp->encodepfunc)(tif, bp, rowsize);
392 cc -= rowsize;
393diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
394index 91330cc..9e485a4 100644
395--- a/libtiff/tif_predict.h
396+++ b/libtiff/tif_predict.h
397@@ -30,6 +30,8 @@
398 * ``Library-private'' Support for the Predictor Tag
399 */
400
401+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
402+
403 /*
404 * Codecs that want to support the Predictor tag must place
405 * this structure first in their private state block so that
406@@ -43,12 +45,12 @@ typedef struct {
407 TIFFCodeMethod encoderow; /* parent codec encode/decode row */
408 TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
409 TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
410- TIFFPostMethod encodepfunc; /* horizontal differencer */
411+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
412
413 TIFFCodeMethod decoderow; /* parent codec encode/decode row */
414 TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
415 TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
416- TIFFPostMethod decodepfunc; /* horizontal accumulator */
417+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
418
419 TIFFVGetMethod vgetparent; /* super-class method */
420 TIFFVSetMethod vsetparent; /* super-class method */
421--
4222.9.3
423
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
new file mode 100644
index 0000000..977dbf6
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
@@ -0,0 +1,67 @@
1From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Fri, 4 Nov 2016 09:19:13 +0000
4Subject: [PATCH 2/2] Fix CVE-2016-9535
5* libtiff/tif_predic.c: fix memory leaks in error code
6 paths added in previous commit (fix for MSVR 35105)
7
8CVE: CVE-2016-9535
9Upstream-Status: Backport
10https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
11
12Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
13
14---
15 libtiff/tif_predict.c | 8 ++++++--
16 1 files changed, 11 insertions(+), 2 deletions(-)
17
18diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
19index b829259..3f42f3b 100644
20--- a/libtiff/tif_predict.c
21+++ b/libtiff/tif_predict.c
22@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
23 tmsize_t wc = cc / bps;
24 tmsize_t count = cc;
25 uint8 *cp = (uint8 *) cp0;
26- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
27+ uint8 *tmp;
28
29 if(cc%(bps*stride)!=0)
30 {
31@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
32 return 0;
33 }
34
35+ tmp = (uint8 *)_TIFFmalloc(cc);
36 if (!tmp)
37 return 0;
38
39@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
40 tmsize_t wc = cc / bps;
41 tmsize_t count;
42 uint8 *cp = (uint8 *) cp0;
43- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
44+ uint8 *tmp;
45
46 if((cc%(bps*stride))!=0)
47 {
48@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
49 "%s", "(cc%(bps*stride))!=0");
50 return 0;
51 }
52+
53+ tmp = (uint8 *)_TIFFmalloc(cc);
54 if (!tmp)
55 return 0;
56
57@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
58 {
59 TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
60 "%s", "(cc0%rowsize)!=0");
61+ _TIFFfree( working_copy );
62 return 0;
63 }
64 while (cc > 0) {
65--
662.9.3
67
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 3a7906a..7b5dd9c 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -19,6 +19,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
19 file://CVE-2016-3632.patch \ 19 file://CVE-2016-3632.patch \
20 file://CVE-2016-9540.patch \ 20 file://CVE-2016-9540.patch \
21 file://CVE-2016-9539.patch \ 21 file://CVE-2016-9539.patch \
22 file://CVE-2016-9535-1.patch \
23 file://CVE-2016-9535-2.patch \
22 " 24 "
23 25
24SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" 26SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"