summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRajkumar Veer <rveer@mvista.com>2017-11-03 22:18:19 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-11-21 14:43:53 +0000
commitde7d5146bcb19f7df6ef18755c8771c2d7578f53 (patch)
tree78ead15883f7c856b2c2a0f1542a14537e77919a
parentdcb2fc9d7c538e86ef9db5df493ebc0f0d2ccba8 (diff)
downloadpoky-de7d5146bcb19f7df6ef18755c8771c2d7578f53.tar.gz
tiff: Security fix for CVE-2016-10270
(From OE-Core rev: eeb7197d85435ec73be8b77accc0feea7e1536bb) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch134
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.7.bb1
2 files changed, 135 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch
new file mode 100644
index 0000000000..43ad6eda9f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch
@@ -0,0 +1,134 @@
1From 6e7042c61e300cf9971c645c79d05de974b24308 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sat, 3 Dec 2016 11:02:15 +0000
4Subject: [PATCH 3/4] * libtiff/tif_dirread.c: modify
5 ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
6 TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
7 the total size of data. Which is faulty is the total size of data is not
8 sufficient to fill the whole image, and thus results in reading outside of
9 the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
10 by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
11
12* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
13for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
14the above change is a better fix that makes it unnecessary.
15
16Upstream-Status: Backport
17
18CVE: CVE-2016-10270
19Signed-off-by: Rajkumar Veer <rveer@mvista.com>
20---
21 ChangeLog | 15 +++++++++++++++
22 libtiff/tif_dirread.c | 22 ++++++++++------------
23 libtiff/tif_strip.c | 9 ---------
24 3 files changed, 25 insertions(+), 21 deletions(-)
25
26diff --git a/ChangeLog b/ChangeLog
27index 0a2c2a7..6e30e41 100644
28--- a/ChangeLog
29+++ b/ChangeLog
30@@ -1,5 +1,20 @@
31 2016-12-03 Even Rouault <even.rouault at spatialys.com>
32
33+ * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
34+ instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
35+ instead of a logic based on the total size of data. Which is faulty is
36+ the total size of data is not sufficient to fill the whole image, and thus
37+ results in reading outside of the StripByCounts/StripOffsets arrays when
38+ using TIFFReadScanline().
39+ Reported by Agostino Sarubbo.
40+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
41+
42+ * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
43+ for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
44+ the above change is a better fix that makes it unnecessary.
45+
46+2016-12-03 Even Rouault <even.rouault at spatialys.com>
47+
48 * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
49 overflow on generation of PixarLog / LUV compressed files, with
50 ColorMap, TransferFunction attached and nasty plays with bitspersample.
51diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
52index 3eec79c..570d0c3 100644
53--- a/libtiff/tif_dirread.c
54+++ b/libtiff/tif_dirread.c
55@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
56 uint64 rowblockbytes;
57 uint64 stripbytes;
58 uint32 strip;
59- uint64 nstrips64;
60- uint32 nstrips32;
61+ uint32 nstrips;
62 uint32 rowsperstrip;
63 uint64* newcounts;
64 uint64* newoffsets;
65@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
66 return;
67
68 /*
69- * never increase the number of strips in an image
70+ * never increase the number of rows per strip
71 */
72 if (rowsperstrip >= td->td_rowsperstrip)
73 return;
74- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
75- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
76- return;
77- nstrips32 = (uint32)nstrips64;
78+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
79+ if( nstrips == 0 )
80+ return;
81
82- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
83+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
84 "for chopped \"StripByteCounts\" array");
85- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
86+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
87 "for chopped \"StripOffsets\" array");
88 if (newcounts == NULL || newoffsets == NULL) {
89 /*
90@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
91 * Fill the strip information arrays with new bytecounts and offsets
92 * that reflect the broken-up format.
93 */
94- for (strip = 0; strip < nstrips32; strip++) {
95+ for (strip = 0; strip < nstrips; strip++) {
96 if (stripbytes > bytecount)
97 stripbytes = bytecount;
98 newcounts[strip] = stripbytes;
99- newoffsets[strip] = offset;
100+ newoffsets[strip] = stripbytes ? offset : 0;
101 offset += stripbytes;
102 bytecount -= stripbytes;
103 }
104 /*
105 * Replace old single strip info with multi-strip info.
106 */
107- td->td_stripsperimage = td->td_nstrips = nstrips32;
108+ td->td_stripsperimage = td->td_nstrips = nstrips;
109 TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
110
111 _TIFFfree(td->td_stripbytecount);
112diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
113index 4c46ecf..1676e47 100644
114--- a/libtiff/tif_strip.c
115+++ b/libtiff/tif_strip.c
116@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
117 TIFFDirectory *td = &tif->tif_dir;
118 uint32 nstrips;
119
120- /* If the value was already computed and store in td_nstrips, then return it,
121- since ChopUpSingleUncompressedStrip might have altered and resized the
122- since the td_stripbytecount and td_stripoffset arrays to the new value
123- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
124- tif_dirread.c ~line 3612.
125- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
126- if( td->td_nstrips )
127- return td->td_nstrips;
128-
129 nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
130 TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
131 if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
132--
1331.9.1
134
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 0878e0014a..4efe4c2db6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
17 file://CVE-2016-10266.patch \ 17 file://CVE-2016-10266.patch \
18 file://CVE-2016-10267.patch \ 18 file://CVE-2016-10267.patch \
19 file://CVE-2016-10269.patch \ 19 file://CVE-2016-10269.patch \
20 file://CVE-2016-10270.patch \
20 " 21 "
21 22
22SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" 23SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"