summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYue Tao <Yue.Tao@windriver.com>2014-06-17 04:25:20 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-06-17 10:23:53 +0100
commitc44d7b5cdedf5cd32f3223da50909351465a8afe (patch)
tree295dc9e7ce022cf06b560ede6dd579d097990a69
parent9d40ce5dd1ea563f64869e27cda6db9254478145 (diff)
downloadpoky-c44d7b5cdedf5cd32f3223da50909351465a8afe.tar.gz
libtiff: Security Advisory - CVE-2012-4564
v2 changes: * update format for commit log * add Upstream-Status for patch ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4564 (From OE-Core rev: 9f02922d44de483ef4d02ce95b55efe79a8b09a2) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch99
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.3.bb3
2 files changed, 101 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch
new file mode 100644
index 0000000000..23649790c4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch
@@ -0,0 +1,99 @@
1Upstream-Status: Backport
2
3Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
4Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
5
6Index: tools/ppm2tiff.c
7===================================================================
8RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v
9retrieving revision 1.16
10retrieving revision 1.18
11diff -u -r1.16 -r1.18
12--- a/tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16
13+++ b/tools/ppm2tiff.c 10 Dec 2012 18:19:11 -0000 1.18
14@@ -1,4 +1,4 @@
15-/* $Id: ppm2tiff.c,v 1.16 2010-04-10 19:22:34 bfriesen Exp $ */
16+/* $Id: ppm2tiff.c,v 1.18 2012-12-10 18:19:11 tgl Exp $ */
17
18 /*
19 * Copyright (c) 1991-1997 Sam Leffler
20@@ -72,6 +72,17 @@
21 exit(-2);
22 }
23
24+static tmsize_t
25+multiply_ms(tmsize_t m1, tmsize_t m2)
26+{
27+ tmsize_t bytes = m1 * m2;
28+
29+ if (m1 && bytes / m1 != m2)
30+ bytes = 0;
31+
32+ return bytes;
33+}
34+
35 int
36 main(int argc, char* argv[])
37 {
38@@ -79,7 +90,7 @@
39 uint32 rowsperstrip = (uint32) -1;
40 double resolution = -1;
41 unsigned char *buf = NULL;
42- tsize_t linebytes = 0;
43+ tmsize_t linebytes = 0;
44 uint16 spp = 1;
45 uint16 bpp = 8;
46 TIFF *out;
47@@ -89,6 +100,7 @@
48 int c;
49 extern int optind;
50 extern char* optarg;
51+ tmsize_t scanline_size;
52
53 if (argc < 2) {
54 fprintf(stderr, "%s: Too few arguments\n", argv[0]);
55@@ -221,7 +233,8 @@
56 }
57 switch (bpp) {
58 case 1:
59- linebytes = (spp * w + (8 - 1)) / 8;
60+ /* if round-up overflows, result will be zero, OK */
61+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
62 if (rowsperstrip == (uint32) -1) {
63 TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
64 } else {
65@@ -230,15 +243,31 @@
66 }
67 break;
68 case 8:
69- linebytes = spp * w;
70+ linebytes = multiply_ms(spp, w);
71 TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
72 TIFFDefaultStripSize(out, rowsperstrip));
73 break;
74 }
75- if (TIFFScanlineSize(out) > linebytes)
76+ if (linebytes == 0) {
77+ fprintf(stderr, "%s: scanline size overflow\n", infile);
78+ (void) TIFFClose(out);
79+ exit(-2);
80+ }
81+ scanline_size = TIFFScanlineSize(out);
82+ if (scanline_size == 0) {
83+ /* overflow - TIFFScanlineSize already printed a message */
84+ (void) TIFFClose(out);
85+ exit(-2);
86+ }
87+ if (scanline_size < linebytes)
88 buf = (unsigned char *)_TIFFmalloc(linebytes);
89 else
90- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
91+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
92+ if (buf == NULL) {
93+ fprintf(stderr, "%s: Not enough memory\n", infile);
94+ (void) TIFFClose(out);
95+ exit(-2);
96+ }
97 if (resolution > 0) {
98 TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
99 TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index 6483655ccc..af1f2b6ad8 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -9,7 +9,8 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
9 file://libtiff-CVE-2013-4232.patch \ 9 file://libtiff-CVE-2013-4232.patch \
10 file://libtiff-CVE-2013-4243.patch \ 10 file://libtiff-CVE-2013-4243.patch \
11 file://libtiff-CVE-2013-4244.patch \ 11 file://libtiff-CVE-2013-4244.patch \
12 file://libtiff-CVE-2013-4231.patch " 12 file://libtiff-CVE-2013-4231.patch \
13 file://tiff-CVE-2012-4564.patch "
13 14
14SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" 15SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
15SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" 16SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"