tiff: Security fix CVE-2016-9535

* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535 Patch from: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 (From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275) (From OE-Core rev: d55b4470c20f4a4b73b1e6f148a45d94649dfdb5) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Mingli Yu <Mingli.Yu@windriver.com> 2016-12-07 16:01:11 +0800
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2017-02-10 12:21:39 +0100
commit: a7301f1b499a971f6b208865f1241aaffa4b1dde (patch)
tree: 659cdf9713981297e17167d6df6ac4fa5da6d5af
parent: 6c6fedcb239a188807cdf228a3e0ed116523bf1b (diff)
download: poky-a7301f1b499a971f6b208865f1241aaffa4b1dde.tar.gz
3 files changed, 492 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
new file mode 100644
index 0000000000..26fd0df11c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
@@ -0,0 +1,423 @@
+From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 31 Oct 2016 17:24:26 +0000
+Subject: [PATCH 1/2] Fix CVE-2016-9535
+* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
+ assertions by runtime checks to avoid assertions in debug mode, or buffer
+ overflows in release mode. Can happen when dealing with unusual tile size
+ like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet    &
+ Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+CVE: CVE-2016-9535
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
+ libtiff/tif_predict.h |   6 +-
+ 2 files changed, 121 insertions(+), 47 deletions(-)
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index 555f2f9..b829259 100644
+--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
+@@ -34,18 +34,18 @@
+ 
+ #define        PredictorState(tif)     ((TIFFPredictorState*) (tif)->tif_data)
+ 
+-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
+ static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+ static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+ static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
+@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
+ /* - when storing into the byte stream, we explicitly mask with 0xff so */
+ /*   as to make icc -check=conversions happy (not necessary by the standard) */
+ 
+-static void
+static int
+ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+ 
+        unsigned char* cp = (unsigned char*) cp0;
+-       assert((cc%stride)==0);
+    if((cc%stride)!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horAcc8",
+                     "%s", "(cc%stride)!=0");
+        return 0;
+    }
+
+        if (cc > stride) {
+                /*
+                 * Pipeline the most common cases.
+@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        } while (cc>0);
+                }
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        uint16* wp = (uint16*) cp0;
+        tmsize_t wc = cc / 2;
+ 
+         TIFFSwabArrayOfShort(wp, wc);
+-        horAcc16(tif, cp0, cc);
+        return horAcc16(tif, cp0, cc);
+ }
+ 
+-static void
+static int
+ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+        uint16* wp = (uint16*) cp0;
+        tmsize_t wc = cc / 2;
+ 
+-       assert((cc%(2*stride))==0);
+    if((cc%(2*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horAcc16",
+                     "%s", "cc%(2*stride))!=0");
+        return 0;
+    }
+ 
+        if (wc > stride) {
+                wc -= stride;
+@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        wc -= stride;
+                } while (wc > 0);
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        uint32* wp = (uint32*) cp0;
+        tmsize_t wc = cc / 4;
+ 
+         TIFFSwabArrayOfLong(wp, wc);
+-       horAcc32(tif, cp0, cc);
+       return horAcc32(tif, cp0, cc);
+ }
+ 
+-static void
+static int
+ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+        uint32* wp = (uint32*) cp0;
+        tmsize_t wc = cc / 4;
+ 
+-       assert((cc%(4*stride))==0);
+    if((cc%(4*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horAcc32",
+                     "%s", "cc%(4*stride))!=0");
+        return 0;
+    }
+ 
+        if (wc > stride) {
+                wc -= stride;
+@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        wc -= stride;
+                } while (wc > 0);
+        }
+       return 1;
+ }
+ 
+ /*
+  * Floating point predictor accumulation routine.
+  */
+-static void
+static int
+ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+        uint8 *cp = (uint8 *) cp0;
+        uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+ 
+-       assert((cc%(bps*stride))==0);
+    if(cc%(bps*stride)!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "fpAcc",
+                     "%s", "cc%(bps*stride))!=0");
+        return 0;
+    }
+ 
+        if (!tmp)
+-               return;
+               return 0;
+ 
+        while (count > stride) {
+                REPEAT4(stride, cp[stride] =
+@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+                }
+        }
+        _TIFFfree(tmp);
+    return 1;
+ }
+ 
+ /*
+@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+        assert(sp->decodepfunc != NULL);  
+ 
+        if ((*sp->decoderow)(tif, op0, occ0, s)) {
+-               (*sp->decodepfunc)(tif, op0, occ0);
+-               return 1;
+               return (*sp->decodepfunc)(tif, op0, occ0);
+        } else
+                return 0;
+ }
+@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+        if ((*sp->decodetile)(tif, op0, occ0, s)) {
+                tmsize_t rowsize = sp->rowsize;
+                assert(rowsize > 0);
+-               assert((occ0%rowsize)==0);
+               if((occ0%rowsize) !=0)
+        {
+            TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
+                         "%s", "occ0%rowsize != 0");
+            return 0;
+        }
+                assert(sp->decodepfunc != NULL);
+                while (occ0 > 0) {
+-                       (*sp->decodepfunc)(tif, op0, rowsize);
+                       if( !(*sp->decodepfunc)(tif, op0, rowsize) )
+                return 0;
+                        occ0 -= rowsize;
+                        op0 += rowsize;
+                }
+@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+                return 0;
+ }
+ 
+-static void
+static int
+ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        TIFFPredictorState* sp = PredictorState(tif);
+        tmsize_t stride = sp->stride;
+        unsigned char* cp = (unsigned char*) cp0;
+ 
+-       assert((cc%stride)==0);
+    if((cc%stride)!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horDiff8",
+                     "%s", "(cc%stride)!=0");
+        return 0;
+    }
+ 
+        if (cc > stride) {
+                cc -= stride;
+@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        } while ((cc -= stride) > 0);
+                }
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        TIFFPredictorState* sp = PredictorState(tif);
+@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+        uint16 *wp = (uint16*) cp0;
+        tmsize_t wc = cc/2;
+ 
+-       assert((cc%(2*stride))==0);
+    if((cc%(2*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horDiff8",
+                     "%s", "(cc%(2*stride))!=0");
+        return 0;
+    }
+ 
+        if (wc > stride) {
+                wc -= stride;
+@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        wc -= stride;
+                } while (wc > 0);
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+     uint16* wp = (uint16*) cp0;
+     tmsize_t wc = cc / 2;
+ 
+-    horDiff16(tif, cp0, cc);
+    if( !horDiff16(tif, cp0, cc) )
+        return 0;
+ 
+     TIFFSwabArrayOfShort(wp, wc);
+    return 1;
+ }
+ 
+-static void
+static int
+ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        TIFFPredictorState* sp = PredictorState(tif);
+@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+        uint32 *wp = (uint32*) cp0;
+        tmsize_t wc = cc/4;
+ 
+-       assert((cc%(4*stride))==0);
+    if((cc%(4*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horDiff32",
+                     "%s", "(cc%(4*stride))!=0");
+        return 0;
+    }
+ 
+        if (wc > stride) {
+                wc -= stride;
+@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        wc -= stride;
+                } while (wc > 0);
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+     uint32* wp = (uint32*) cp0;
+     tmsize_t wc = cc / 4;
+ 
+-    horDiff32(tif, cp0, cc);
+    if( !horDiff32(tif, cp0, cc) )
+        return 0;
+ 
+     TIFFSwabArrayOfLong(wp, wc);
+    return 1;
+ }
+ 
+ /*
+  * Floating point predictor differencing routine.
+  */
+-static void
+static int
+ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+        uint8 *cp = (uint8 *) cp0;
+        uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+ 
+-       assert((cc%(bps*stride))==0);
+-
+    if((cc%(bps*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "fpDiff",
+                     "%s", "(cc%(bps*stride))!=0");
+        return 0;
+    }
+        if (!tmp)
+-               return;
+               return 0;
+ 
+        _TIFFmemcpy(tmp, cp0, cc);
+        for (count = 0; count < wc; count++) {
+@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+        cp += cc - stride - 1;
+        for (count = cc; count > stride; count -= stride)
+                REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
+    return 1;
+ }
+ 
+ static int
+@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+        assert(sp->encoderow != NULL);
+ 
+        /* XXX horizontal differencing alters user's data XXX */
+-       (*sp->encodepfunc)(tif, bp, cc);
+       if( !(*sp->encodepfunc)(tif, bp, cc) )
+        return 0;
+        return (*sp->encoderow)(tif, bp, cc, s);
+ }
+ 
+@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
+ 
+        rowsize = sp->rowsize;
+        assert(rowsize > 0);
+-       assert((cc0%rowsize)==0);
+       if((cc0%rowsize)!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
+                     "%s", "(cc0%rowsize)!=0");
+        return 0;
+    }
+        while (cc > 0) {
+                (*sp->encodepfunc)(tif, bp, rowsize);
+                cc -= rowsize;
+diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
+index 91330cc..9e485a4 100644
+--- a/libtiff/tif_predict.h
+++ b/libtiff/tif_predict.h
+@@ -30,6 +30,8 @@
+  * ``Library-private'' Support for the Predictor Tag
+  */
+ 
+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
+
+ /*
+  * Codecs that want to support the Predictor tag must place
+  * this structure first in their private state block so that
+@@ -43,12 +45,12 @@ typedef struct {
+        TIFFCodeMethod  encoderow;      /* parent codec encode/decode row */
+        TIFFCodeMethod  encodestrip;    /* parent codec encode/decode strip */
+        TIFFCodeMethod  encodetile;     /* parent codec encode/decode tile */ 
+-       TIFFPostMethod  encodepfunc;    /* horizontal differencer */
+       TIFFEncodeDecodeMethod  encodepfunc;    /* horizontal differencer */
+ 
+        TIFFCodeMethod  decoderow;      /* parent codec encode/decode row */
+        TIFFCodeMethod  decodestrip;    /* parent codec encode/decode strip */
+        TIFFCodeMethod  decodetile;     /* parent codec encode/decode tile */ 
+-       TIFFPostMethod  decodepfunc;    /* horizontal accumulator */
+       TIFFEncodeDecodeMethod  decodepfunc;    /* horizontal accumulator */
+ 
+        TIFFVGetMethod  vgetparent;     /* super-class method */
+        TIFFVSetMethod  vsetparent;     /* super-class method */
+-- 
+2.9.3
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
new file mode 100644
index 0000000000..977dbf6c87
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
@@ -0,0 +1,67 @@
+From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 4 Nov 2016 09:19:13 +0000
+Subject: [PATCH 2/2] Fix CVE-2016-9535
+* libtiff/tif_predic.c: fix memory leaks in error code
+ paths added in previous commit (fix for MSVR 35105)
+CVE: CVE-2016-9535
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ libtiff/tif_predict.c | 8 ++++++--
+ 1 files changed, 11 insertions(+), 2 deletions(-)
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index b829259..3f42f3b 100644
+--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
+@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+        tmsize_t wc = cc / bps;
+        tmsize_t count = cc;
+        uint8 *cp = (uint8 *) cp0;
+-       uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+       uint8 *tmp;
+ 
+     if(cc%(bps*stride)!=0)
+     {
+@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+         return 0;
+     }
+ 
+    tmp = (uint8 *)_TIFFmalloc(cc);
+        if (!tmp)
+                return 0;
+ 
+@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+        tmsize_t wc = cc / bps;
+        tmsize_t count;
+        uint8 *cp = (uint8 *) cp0;
+-       uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+       uint8 *tmp;
+ 
+     if((cc%(bps*stride))!=0)
+     {
+@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+                      "%s", "(cc%(bps*stride))!=0");
+         return 0;
+     }
+
+    tmp = (uint8 *)_TIFFmalloc(cc);
+        if (!tmp)
+                return 0;
+ 
+@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
+     {
+         TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
+                      "%s", "(cc0%rowsize)!=0");
+        _TIFFfree( working_copy );
+         return 0;
+     }
+        while (cc > 0) {
+-- 
+2.9.3
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 3a7906a98d..7b5dd9cc91 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -19,6 +19,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2016-3632.patch \
           file://CVE-2016-9540.patch \
           file://CVE-2016-9539.patch \
+           file://CVE-2016-9535-1.patch \
+           file://CVE-2016-9535-2.patch \
          "
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
author	Mingli Yu <Mingli.Yu@windriver.com>	2016-12-07 16:01:11 +0800
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2017-02-10 12:21:39 +0100
commit	a7301f1b499a971f6b208865f1241aaffa4b1dde (patch)
tree	659cdf9713981297e17167d6df6ac4fa5da6d5af
parent	6c6fedcb239a188807cdf228a3e0ed116523bf1b (diff)
download	poky-a7301f1b499a971f6b208865f1241aaffa4b1dde.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch new file mode 100644 index 0000000000..26fd0df11c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
@@ -0,0 +1,423 @@
		1	From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Mon, 31 Oct 2016 17:24:26 +0000
		4	Subject: [PATCH 1/2] Fix CVE-2016-9535
		5
		6	* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
		7	assertions by runtime checks to avoid assertions in debug mode, or buffer
		8	overflows in release mode. Can happen when dealing with unusual tile size
		9	like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
		10	Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
		11
		12	CVE: CVE-2016-9535
		13	Upstream-Status: Backport
		14	https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
		15
		16	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
		17
		18	---
		19	libtiff/tif_predict.c \| 153 +++++++++++++++++++++++++++++++++++---------------
		20	libtiff/tif_predict.h \| 6 +-
		21	2 files changed, 121 insertions(+), 47 deletions(-)
		22
		23	diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
		24	index 555f2f9..b829259 100644
		25	--- a/libtiff/tif_predict.c
		26	+++ b/libtiff/tif_predict.c
		27	@@ -34,18 +34,18 @@
		28
		29	#define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
		30
		31	-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
		32	-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
		33	-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
		34	-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
		35	-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
		36	-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
		37	-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
		38	-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
		39	-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
		40	-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
		41	-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
		42	-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
		43	+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
		44	+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
		45	+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
		46	+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
		47	+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
		48	+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
		49	+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
		50	+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
		51	+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
		52	+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
		53	+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
		54	+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
		55	static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
		56	static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
		57	static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
		58	@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
		59	/* - when storing into the byte stream, we explicitly mask with 0xff so */
		60	/* as to make icc -check=conversions happy (not necessary by the standard) */
		61
		62	-static void
		63	+static int
		64	horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
		65	{
		66	tmsize_t stride = PredictorState(tif)->stride;
		67
		68	unsigned char* cp = (unsigned char*) cp0;
		69	- assert((cc%stride)==0);
		70	+ if((cc%stride)!=0)
		71	+ {
		72	+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
		73	+ "%s", "(cc%stride)!=0");
		74	+ return 0;
		75	+ }
		76	+
		77	if (cc > stride) {
		78	/*
		79	* Pipeline the most common cases.
		80	@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
		81	} while (cc>0);
		82	}
		83	}
		84	+ return 1;
		85	}
		86
		87	-static void
		88	+static int
		89	swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
		90	{
		91	uint16* wp = (uint16*) cp0;
		92	tmsize_t wc = cc / 2;
		93
		94	TIFFSwabArrayOfShort(wp, wc);
		95	- horAcc16(tif, cp0, cc);
		96	+ return horAcc16(tif, cp0, cc);
		97	}
		98
		99	-static void
		100	+static int
		101	horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
		102	{
		103	tmsize_t stride = PredictorState(tif)->stride;
		104	uint16* wp = (uint16*) cp0;
		105	tmsize_t wc = cc / 2;
		106
		107	- assert((cc%(2*stride))==0);
		108	+ if((cc%(2*stride))!=0)
		109	+ {
		110	+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
		111	+ "%s", "cc%(2*stride))!=0");
		112	+ return 0;
		113	+ }
		114
		115	if (wc > stride) {
		116	wc -= stride;
		117	@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
		118	wc -= stride;
		119	} while (wc > 0);
		120	}
		121	+ return 1;
		122	}
		123
		124	-static void
		125	+static int
		126	swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
		127	{
		128	uint32* wp = (uint32*) cp0;
		129	tmsize_t wc = cc / 4;
		130
		131	TIFFSwabArrayOfLong(wp, wc);
		132	- horAcc32(tif, cp0, cc);
		133	+ return horAcc32(tif, cp0, cc);
		134	}
		135
		136	-static void
		137	+static int
		138	horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
		139	{
		140	tmsize_t stride = PredictorState(tif)->stride;
		141	uint32* wp = (uint32*) cp0;
		142	tmsize_t wc = cc / 4;
		143
		144	- assert((cc%(4*stride))==0);
		145	+ if((cc%(4*stride))!=0)
		146	+ {
		147	+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
		148	+ "%s", "cc%(4*stride))!=0");
		149	+ return 0;
		150	+ }
		151
		152	if (wc > stride) {
		153	wc -= stride;
		154	@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
		155	wc -= stride;
		156	} while (wc > 0);
		157	}
		158	+ return 1;
		159	}
		160
		161	/*
		162	* Floating point predictor accumulation routine.
		163	*/
		164	-static void
		165	+static int
		166	fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		167	{
		168	tmsize_t stride = PredictorState(tif)->stride;
		169	@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		170	uint8 cp = (uint8 ) cp0;
		171	uint8 tmp = (uint8 )_TIFFmalloc(cc);
		172
		173	- assert((cc%(bps*stride))==0);
		174	+ if(cc%(bps*stride)!=0)
		175	+ {
		176	+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
		177	+ "%s", "cc%(bps*stride))!=0");
		178	+ return 0;
		179	+ }
		180
		181	if (!tmp)
		182	- return;
		183	+ return 0;
		184
		185	while (count > stride) {
		186	REPEAT4(stride, cp[stride] =
		187	@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		188	}
		189	}
		190	_TIFFfree(tmp);
		191	+ return 1;
		192	}
		193
		194	/*
		195	@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
		196	assert(sp->decodepfunc != NULL);
		197
		198	if ((*sp->decoderow)(tif, op0, occ0, s)) {
		199	- (*sp->decodepfunc)(tif, op0, occ0);
		200	- return 1;
		201	+ return (*sp->decodepfunc)(tif, op0, occ0);
		202	} else
		203	return 0;
		204	}
		205	@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
		206	if ((*sp->decodetile)(tif, op0, occ0, s)) {
		207	tmsize_t rowsize = sp->rowsize;
		208	assert(rowsize > 0);
		209	- assert((occ0%rowsize)==0);
		210	+ if((occ0%rowsize) !=0)
		211	+ {
		212	+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
		213	+ "%s", "occ0%rowsize != 0");
		214	+ return 0;
		215	+ }
		216	assert(sp->decodepfunc != NULL);
		217	while (occ0 > 0) {
		218	- (*sp->decodepfunc)(tif, op0, rowsize);
		219	+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
		220	+ return 0;
		221	occ0 -= rowsize;
		222	op0 += rowsize;
		223	}
		224	@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
		225	return 0;
		226	}
		227
		228	-static void
		229	+static int
		230	horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
		231	{
		232	TIFFPredictorState* sp = PredictorState(tif);
		233	tmsize_t stride = sp->stride;
		234	unsigned char* cp = (unsigned char*) cp0;
		235
		236	- assert((cc%stride)==0);
		237	+ if((cc%stride)!=0)
		238	+ {
		239	+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
		240	+ "%s", "(cc%stride)!=0");
		241	+ return 0;
		242	+ }
		243
		244	if (cc > stride) {
		245	cc -= stride;
		246	@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
		247	} while ((cc -= stride) > 0);
		248	}
		249	}
		250	+ return 1;
		251	}
		252
		253	-static void
		254	+static int
		255	horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
		256	{
		257	TIFFPredictorState* sp = PredictorState(tif);
		258	@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
		259	uint16 wp = (uint16) cp0;
		260	tmsize_t wc = cc/2;
		261
		262	- assert((cc%(2*stride))==0);
		263	+ if((cc%(2*stride))!=0)
		264	+ {
		265	+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
		266	+ "%s", "(cc%(2*stride))!=0");
		267	+ return 0;
		268	+ }
		269
		270	if (wc > stride) {
		271	wc -= stride;
		272	@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
		273	wc -= stride;
		274	} while (wc > 0);
		275	}
		276	+ return 1;
		277	}
		278
		279	-static void
		280	+static int
		281	swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
		282	{
		283	uint16* wp = (uint16*) cp0;
		284	tmsize_t wc = cc / 2;
		285
		286	- horDiff16(tif, cp0, cc);
		287	+ if( !horDiff16(tif, cp0, cc) )
		288	+ return 0;
		289
		290	TIFFSwabArrayOfShort(wp, wc);
		291	+ return 1;
		292	}
		293
		294	-static void
		295	+static int
		296	horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
		297	{
		298	TIFFPredictorState* sp = PredictorState(tif);
		299	@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
		300	uint32 wp = (uint32) cp0;
		301	tmsize_t wc = cc/4;
		302
		303	- assert((cc%(4*stride))==0);
		304	+ if((cc%(4*stride))!=0)
		305	+ {
		306	+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
		307	+ "%s", "(cc%(4*stride))!=0");
		308	+ return 0;
		309	+ }
		310
		311	if (wc > stride) {
		312	wc -= stride;
		313	@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
		314	wc -= stride;
		315	} while (wc > 0);
		316	}
		317	+ return 1;
		318	}
		319
		320	-static void
		321	+static int
		322	swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
		323	{
		324	uint32* wp = (uint32*) cp0;
		325	tmsize_t wc = cc / 4;
		326
		327	- horDiff32(tif, cp0, cc);
		328	+ if( !horDiff32(tif, cp0, cc) )
		329	+ return 0;
		330
		331	TIFFSwabArrayOfLong(wp, wc);
		332	+ return 1;
		333	}
		334
		335	/*
		336	* Floating point predictor differencing routine.
		337	*/
		338	-static void
		339	+static int
		340	fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		341	{
		342	tmsize_t stride = PredictorState(tif)->stride;
		343	@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		344	uint8 cp = (uint8 ) cp0;
		345	uint8 tmp = (uint8 )_TIFFmalloc(cc);
		346
		347	- assert((cc%(bps*stride))==0);
		348	-
		349	+ if((cc%(bps*stride))!=0)
		350	+ {
		351	+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
		352	+ "%s", "(cc%(bps*stride))!=0");
		353	+ return 0;
		354	+ }
		355	if (!tmp)
		356	- return;
		357	+ return 0;
		358
		359	_TIFFmemcpy(tmp, cp0, cc);
		360	for (count = 0; count < wc; count++) {
		361	@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		362	cp += cc - stride - 1;
		363	for (count = cc; count > stride; count -= stride)
		364	REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
		365	+ return 1;
		366	}
		367
		368	static int
		369	@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
		370	assert(sp->encoderow != NULL);
		371
		372	/* XXX horizontal differencing alters user's data XXX */
		373	- (*sp->encodepfunc)(tif, bp, cc);
		374	+ if( !(*sp->encodepfunc)(tif, bp, cc) )
		375	+ return 0;
		376	return (*sp->encoderow)(tif, bp, cc, s);
		377	}
		378
		379	@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
		380
		381	rowsize = sp->rowsize;
		382	assert(rowsize > 0);
		383	- assert((cc0%rowsize)==0);
		384	+ if((cc0%rowsize)!=0)
		385	+ {
		386	+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
		387	+ "%s", "(cc0%rowsize)!=0");
		388	+ return 0;
		389	+ }
		390	while (cc > 0) {
		391	(*sp->encodepfunc)(tif, bp, rowsize);
		392	cc -= rowsize;
		393	diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
		394	index 91330cc..9e485a4 100644
		395	--- a/libtiff/tif_predict.h
		396	+++ b/libtiff/tif_predict.h
		397	@@ -30,6 +30,8 @@
		398	* ``Library-private'' Support for the Predictor Tag
		399	*/
		400
		401	+typedef int (TIFFEncodeDecodeMethod)(TIFF tif, uint8* buf, tmsize_t size);
		402	+
		403	/*
		404	* Codecs that want to support the Predictor tag must place
		405	* this structure first in their private state block so that
		406	@@ -43,12 +45,12 @@ typedef struct {
		407	TIFFCodeMethod encoderow; /* parent codec encode/decode row */
		408	TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
		409	TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
		410	- TIFFPostMethod encodepfunc; /* horizontal differencer */
		411	+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
		412
		413	TIFFCodeMethod decoderow; /* parent codec encode/decode row */
		414	TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
		415	TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
		416	- TIFFPostMethod decodepfunc; /* horizontal accumulator */
		417	+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
		418
		419	TIFFVGetMethod vgetparent; /* super-class method */
		420	TIFFVSetMethod vsetparent; /* super-class method */
		421	--
		422	2.9.3
		423


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch new file mode 100644 index 0000000000..977dbf6c87 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
@@ -0,0 +1,67 @@
		1	From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Fri, 4 Nov 2016 09:19:13 +0000
		4	Subject: [PATCH 2/2] Fix CVE-2016-9535
		5	* libtiff/tif_predic.c: fix memory leaks in error code
		6	paths added in previous commit (fix for MSVR 35105)
		7
		8	CVE: CVE-2016-9535
		9	Upstream-Status: Backport
		10	https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
		11
		12	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
		13
		14	---
		15	libtiff/tif_predict.c \| 8 ++++++--
		16	1 files changed, 11 insertions(+), 2 deletions(-)
		17
		18	diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
		19	index b829259..3f42f3b 100644
		20	--- a/libtiff/tif_predict.c
		21	+++ b/libtiff/tif_predict.c
		22	@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		23	tmsize_t wc = cc / bps;
		24	tmsize_t count = cc;
		25	uint8 cp = (uint8 ) cp0;
		26	- uint8 tmp = (uint8 )_TIFFmalloc(cc);
		27	+ uint8 *tmp;
		28
		29	if(cc%(bps*stride)!=0)
		30	{
		31	@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		32	return 0;
		33	}
		34
		35	+ tmp = (uint8 *)_TIFFmalloc(cc);
		36	if (!tmp)
		37	return 0;
		38
		39	@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		40	tmsize_t wc = cc / bps;
		41	tmsize_t count;
		42	uint8 cp = (uint8 ) cp0;
		43	- uint8 tmp = (uint8 )_TIFFmalloc(cc);
		44	+ uint8 *tmp;
		45
		46	if((cc%(bps*stride))!=0)
		47	{
		48	@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		49	"%s", "(cc%(bps*stride))!=0");
		50	return 0;
		51	}
		52	+
		53	+ tmp = (uint8 *)_TIFFmalloc(cc);
		54	if (!tmp)
		55	return 0;
		56
		57	@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
		58	{
		59	TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
		60	"%s", "(cc0%rowsize)!=0");
		61	+ _TIFFfree( working_copy );
		62	return 0;
		63	}
		64	while (cc > 0) {
		65	--
		66	2.9.3
		67


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 3a7906a98d..7b5dd9cc91 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -19,6 +19,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
19	file://CVE-2016-3632.patch \	19	file://CVE-2016-3632.patch \
20	file://CVE-2016-9540.patch \	20	file://CVE-2016-9540.patch \
21	file://CVE-2016-9539.patch \	21	file://CVE-2016-9539.patch \
		22	file://CVE-2016-9535-1.patch \
		23	file://CVE-2016-9535-2.patch \
22	"	24	"
23		25
24	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"	26	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"