summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoe Slater <joe.slater@windriver.com>2019-11-06 10:45:53 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-18 14:42:13 +0000
commit3b86def5ed2a07d765ce7530afd4b8d7af7cba15 (patch)
tree938e19ad00baa7595c058258c4a3089f169cd146
parentee860651e9eefcc7f210c8f6147b118881be740f (diff)
downloadpoky-3b86def5ed2a07d765ce7530afd4b8d7af7cba15.tar.gz
libtiff: fix CVE-2019-17546
Apply unmodified patch from upstream. (From OE-Core rev: 9cba3d02d00df23a3d0f830cb7d11752142f7d82) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch103
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.10.bb1
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
new file mode 100644
index 0000000000..04c5410930
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
@@ -0,0 +1,103 @@
1libtiff: fix CVE-2019-17546
2
3Added after 4.0.10 release.
4
5CVE: CVE-2019-17546
6Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff]
7Signed-off-by: Joe Slater <joe.slater@windriver.com>
8
9commit 4bb584a35f87af42d6cf09d15e9ce8909a839145
10Author: Even Rouault <even.rouault@spatialys.com>
11Date: Thu Aug 15 15:05:28 2019 +0200
12
13 RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
14
15diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
16index c88b5fa..4da785d 100644
17--- a/libtiff/tif_getimage.c
18+++ b/libtiff/tif_getimage.c
19@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
20 fromskew = (w < imagewidth ? imagewidth - w : 0);
21 for (row = 0; row < h; row += nrow)
22 {
23+ uint32 temp;
24 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
25 nrow = (row + rowstoread > h ? h - row : rowstoread);
26 nrowsub = nrow;
27 if ((nrowsub%subsamplingver)!=0)
28 nrowsub+=subsamplingver-nrowsub%subsamplingver;
29+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
30+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
31+ {
32+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
33+ return 0;
34+ }
35 if (_TIFFReadEncodedStripAndAllocBuffer(tif,
36 TIFFComputeStrip(tif,row+img->row_offset, 0),
37 (void**)(&buf),
38 maxstripsize,
39- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
40+ temp * scanline)==(tmsize_t)(-1)
41 && (buf == NULL || img->stoponerr))
42 {
43 ret = 0;
44@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
45 fromskew = (w < imagewidth ? imagewidth - w : 0);
46 for (row = 0; row < h; row += nrow)
47 {
48+ uint32 temp;
49 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
50 nrow = (row + rowstoread > h ? h - row : rowstoread);
51 offset_row = row + img->row_offset;
52+ temp = (row + img->row_offset)%rowsperstrip + nrow;
53+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
54+ {
55+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
56+ return 0;
57+ }
58 if( buf == NULL )
59 {
60 if (_TIFFReadEncodedStripAndAllocBuffer(
61 tif, TIFFComputeStrip(tif, offset_row, 0),
62 (void**) &buf, bufsize,
63- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
64+ temp * scanline)==(tmsize_t)(-1)
65 && (buf == NULL || img->stoponerr))
66 {
67 ret = 0;
68@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
69 }
70 }
71 else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
72- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
73+ p0, temp * scanline)==(tmsize_t)(-1)
74 && img->stoponerr)
75 {
76 ret = 0;
77@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
78 }
79 if (colorchannels > 1
80 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
81- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
82+ p1, temp * scanline) == (tmsize_t)(-1)
83 && img->stoponerr)
84 {
85 ret = 0;
86@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
87 }
88 if (colorchannels > 1
89 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
90- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
91+ p2, temp * scanline) == (tmsize_t)(-1)
92 && img->stoponerr)
93 {
94 ret = 0;
95@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
96 if (alpha)
97 {
98 if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
99- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
100+ pa, temp * scanline)==(tmsize_t)(-1)
101 && img->stoponerr)
102 {
103 ret = 0;
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
index a526fc06a2..08d9cad28a 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
9 file://CVE-2019-6128.patch \ 9 file://CVE-2019-6128.patch \
10 file://CVE-2019-7663.patch \ 10 file://CVE-2019-7663.patch \
11 file://CVE-2019-14973.patch \ 11 file://CVE-2019-14973.patch \
12 file://CVE-2019-17546.patch \
12" 13"
13SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" 14SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
14SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" 15SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"