summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRajkumar Veer <rveer@mvista.com>2017-11-03 22:15:53 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-11-21 14:43:53 +0000
commitdcb2fc9d7c538e86ef9db5df493ebc0f0d2ccba8 (patch)
tree77abc0053c8ec9871ed78cef98a2d8da501b649e
parent7b108a757b82b417db04ab86809ca266d4a9c229 (diff)
downloadpoky-dcb2fc9d7c538e86ef9db5df493ebc0f0d2ccba8.tar.gz
tiff: Security fix for CVE-2016-10269
(From OE-Core rev: 46504a224a9f33f1f8752bbcd51a285d19920524) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch131
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.7.bb1
2 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch
new file mode 100644
index 0000000000..d9f4a15022
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10269.patch
@@ -0,0 +1,131 @@
1From 10f72dd232849d0142a0688bcc9aa71025f120a3 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Fri, 2 Dec 2016 23:05:51 +0000
4Subject: [PATCH 2/4] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix
5 heap-based buffer overflow on generation of PixarLog / LUV compressed files,
6 with ColorMap, TransferFunction attached and nasty plays with bitspersample.
7 The fix for LUV has not been tested, but suffers from the same kind of issue
8 of PixarLog. Reported by Agostino Sarubbo. Fixes
9 http://bugzilla.maptools.org/show_bug.cgi?id=2604
10
11Upstream-Status: Backport
12
13CVE: CVE-2016-10269
14Signed-off-by: Rajkumar Veer <rveer@mvista.com>
15---
16 ChangeLog | 10 ++++++++++
17 libtiff/tif_luv.c | 18 ++++++++++++++----
18 libtiff/tif_pixarlog.c | 17 +++++++++++++++--
19 3 files changed, 39 insertions(+), 6 deletions(-)
20
21diff --git a/ChangeLog b/ChangeLog
22index 2e913b6..0a2c2a7 100644
23--- a/ChangeLog
24+++ b/ChangeLog
25@@ -1,4 +1,14 @@
26 2016-12-03 Even Rouault <even.rouault at spatialys.com>
27+
28+ * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
29+ overflow on generation of PixarLog / LUV compressed files, with
30+ ColorMap, TransferFunction attached and nasty plays with bitspersample.
31+ The fix for LUV has not been tested, but suffers from the same kind
32+ of issue of PixarLog.
33+ Reported by Agostino Sarubbo.
34+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
35+
36+2016-12-03 Even Rouault <even.rouault at spatialys.com>
37
38 * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
39 OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
40diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
41index f68a9b1..e6783db 100644
42--- a/libtiff/tif_luv.c
43+++ b/libtiff/tif_luv.c
44@@ -158,6 +158,7 @@
45 typedef struct logLuvState LogLuvState;
46
47 struct logLuvState {
48+ int encoder_state; /* 1 if encoder correctly initialized */
49 int user_datafmt; /* user data format */
50 int encode_meth; /* encoding method */
51 int pixel_size; /* bytes per pixel */
52@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
53 td->td_photometric, "must be either LogLUV or LogL");
54 break;
55 }
56+ sp->encoder_state = 1;
57 return (1);
58 notsupported:
59 TIFFErrorExt(tif->tif_clientdata, module,
60@@ -1563,19 +1565,27 @@ notsupported:
61 static void
62 LogLuvClose(TIFF* tif)
63 {
64+ LogLuvState* sp = (LogLuvState*) tif->tif_data;
65 TIFFDirectory *td = &tif->tif_dir;
66
67+ assert(sp != 0);
68 /*
69 * For consistency, we always want to write out the same
70 * bitspersample and sampleformat for our TIFF file,
71 * regardless of the data format being used by the application.
72 * Since this routine is called after tags have been set but
73 * before they have been recorded in the file, we reset them here.
74+ * Note: this is really a nasty approach. See PixarLogClose
75 */
76- td->td_samplesperpixel =
77- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
78- td->td_bitspersample = 16;
79- td->td_sampleformat = SAMPLEFORMAT_INT;
80+ if( sp->encoder_state )
81+ {
82+ /* See PixarLogClose. Might avoid issues with tags whose size depends
83+ * on those below, but not completely sure this is enough. */
84+ td->td_samplesperpixel =
85+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
86+ td->td_bitspersample = 16;
87+ td->td_sampleformat = SAMPLEFORMAT_INT;
88+ }
89 }
90
91 static void
92diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
93index d1246c3..aa99bc9 100644
94--- a/libtiff/tif_pixarlog.c
95+++ b/libtiff/tif_pixarlog.c
96@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
97 static void
98 PixarLogClose(TIFF* tif)
99 {
100+ PixarLogState* sp = (PixarLogState*) tif->tif_data;
101 TIFFDirectory *td = &tif->tif_dir;
102
103+ assert(sp != 0);
104 /* In a really sneaky (and really incorrect, and untruthful, and
105 * troublesome, and error-prone) maneuver that completely goes against
106 * the spirit of TIFF, and breaks TIFF, on close, we covertly
107@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
108 * readers that don't know about PixarLog, or how to set
109 * the PIXARLOGDATFMT pseudo-tag.
110 */
111- td->td_bitspersample = 8;
112- td->td_sampleformat = SAMPLEFORMAT_UINT;
113+
114+ if (sp->state&PLSTATE_INIT) {
115+ /* We test the state to avoid an issue such as in
116+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
117+ * What appends in that case is that the bitspersample is 1 and
118+ * a TransferFunction is set. The size of the TransferFunction
119+ * depends on 1<<bitspersample. So if we increase it, an access
120+ * out of the buffer will happen at directory flushing.
121+ * Another option would be to clear those targs.
122+ */
123+ td->td_bitspersample = 8;
124+ td->td_sampleformat = SAMPLEFORMAT_UINT;
125+ }
126 }
127
128 static void
129--
1301.9.1
131
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index d60c7fed13..0878e0014a 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
16 file://CVE-2016-10268.patch \ 16 file://CVE-2016-10268.patch \
17 file://CVE-2016-10266.patch \ 17 file://CVE-2016-10266.patch \
18 file://CVE-2016-10267.patch \ 18 file://CVE-2016-10267.patch \
19 file://CVE-2016-10269.patch \
19 " 20 "
20 21
21SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" 22SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"