summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-01-29 17:39:36 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-30 12:13:09 +0000
commitc6ae9c1fae18b7efbc028f04315690fd3544ee49 (patch)
tree1343302473c599a140e853da3f849e43a939e4bf /meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
parent049b7db30c51c25006f914cdb502982d733e0bb1 (diff)
downloadpoky-c6ae9c1fae18b7efbc028f04315690fd3544ee49.tar.gz
tiff: Security fix CVE-2015-8781
CVE-2015-8781 libtiff: out-of-bounds writes for invalid images (From OE-Core rev: 29c80024bdb67477dae47d8fb903feda2efe75d4) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch196
1 files changed, 196 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
new file mode 100644
index 0000000000..bdbe69695c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
@@ -0,0 +1,196 @@
1From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sun, 27 Dec 2015 16:25:11 +0000
4Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
5 decode functions in non debug builds by replacing assert()s by regular if
6 checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
7 input data.
8
9Upstream-Status: Backport
10
11https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
12hand applied Changelog changes
13
14CVE: CVE-2015-8781
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17---
18 ChangeLog | 7 +++++++
19 libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
20 2 files changed, 51 insertions(+), 11 deletions(-)
21
22Index: tiff-4.0.4/ChangeLog
23===================================================================
24--- tiff-4.0.4.orig/ChangeLog
25+++ tiff-4.0.4/ChangeLog
26@@ -1,3 +1,11 @@
27+2015-12-27 Even Rouault <even.rouault at spatialys.com>
28+
29+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
30+ functions in non debug builds by replacing assert()s by regular if
31+ checks (bugzilla #2522).
32+ Fix potential out-of-bound reads in case of short input data.
33+
34+
35 2015-06-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
36
37 * libtiff 4.0.4 released.
38Index: tiff-4.0.4/libtiff/tif_luv.c
39===================================================================
40--- tiff-4.0.4.orig/libtiff/tif_luv.c
41+++ tiff-4.0.4/libtiff/tif_luv.c
42@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
43 if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
44 tp = (int16*) op;
45 else {
46- assert(sp->tbuflen >= npixels);
47+ if(sp->tbuflen < npixels) {
48+ TIFFErrorExt(tif->tif_clientdata, module,
49+ "Translation buffer too short");
50+ return (0);
51+ }
52 tp = (int16*) sp->tbuf;
53 }
54 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
55@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
56 cc = tif->tif_rawcc;
57 /* get each byte string */
58 for (shft = 2*8; (shft -= 8) >= 0; ) {
59- for (i = 0; i < npixels && cc > 0; )
60+ for (i = 0; i < npixels && cc > 0; ) {
61 if (*bp >= 128) { /* run */
62- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
63+ if( cc < 2 )
64+ break;
65+ rc = *bp++ + (2-128);
66 b = (int16)(*bp++ << shft);
67 cc -= 2;
68 while (rc-- && i < npixels)
69@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
70 while (--cc && rc-- && i < npixels)
71 tp[i++] |= (int16)*bp++ << shft;
72 }
73+ }
74 if (i != npixels) {
75 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
76 TIFFErrorExt(tif->tif_clientdata, module,
77@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
78 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
79 tp = (uint32 *)op;
80 else {
81- assert(sp->tbuflen >= npixels);
82+ if(sp->tbuflen < npixels) {
83+ TIFFErrorExt(tif->tif_clientdata, module,
84+ "Translation buffer too short");
85+ return (0);
86+ }
87 tp = (uint32 *) sp->tbuf;
88 }
89 /* copy to array of uint32 */
90 bp = (unsigned char*) tif->tif_rawcp;
91 cc = tif->tif_rawcc;
92- for (i = 0; i < npixels && cc > 0; i++) {
93+ for (i = 0; i < npixels && cc >= 3; i++) {
94 tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
95 bp += 3;
96 cc -= 3;
97@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
98 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
99 tp = (uint32*) op;
100 else {
101- assert(sp->tbuflen >= npixels);
102+ if(sp->tbuflen < npixels) {
103+ TIFFErrorExt(tif->tif_clientdata, module,
104+ "Translation buffer too short");
105+ return (0);
106+ }
107 tp = (uint32*) sp->tbuf;
108 }
109 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
110@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
111 cc = tif->tif_rawcc;
112 /* get each byte string */
113 for (shft = 4*8; (shft -= 8) >= 0; ) {
114- for (i = 0; i < npixels && cc > 0; )
115+ for (i = 0; i < npixels && cc > 0; ) {
116 if (*bp >= 128) { /* run */
117+ if( cc < 2 )
118+ break;
119 rc = *bp++ + (2-128);
120 b = (uint32)*bp++ << shft;
121- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
122+ cc -= 2;
123 while (rc-- && i < npixels)
124 tp[i++] |= b;
125 } else { /* non-run */
126@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
127 while (--cc && rc-- && i < npixels)
128 tp[i++] |= (uint32)*bp++ << shft;
129 }
130+ }
131 if (i != npixels) {
132 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
133 TIFFErrorExt(tif->tif_clientdata, module,
134@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
135 static int
136 LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
137 {
138+ static const char module[] = "LogL16Encode";
139 LogLuvState* sp = EncoderState(tif);
140 int shft;
141 tmsize_t i;
142@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
143 tp = (int16*) bp;
144 else {
145 tp = (int16*) sp->tbuf;
146- assert(sp->tbuflen >= npixels);
147+ if(sp->tbuflen < npixels) {
148+ TIFFErrorExt(tif->tif_clientdata, module,
149+ "Translation buffer too short");
150+ return (0);
151+ }
152 (*sp->tfunc)(sp, bp, npixels);
153 }
154 /* compress each byte string */
155@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
156 static int
157 LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
158 {
159+ static const char module[] = "LogLuvEncode24";
160 LogLuvState* sp = EncoderState(tif);
161 tmsize_t i;
162 tmsize_t npixels;
163@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
164 tp = (uint32*) bp;
165 else {
166 tp = (uint32*) sp->tbuf;
167- assert(sp->tbuflen >= npixels);
168+ if(sp->tbuflen < npixels) {
169+ TIFFErrorExt(tif->tif_clientdata, module,
170+ "Translation buffer too short");
171+ return (0);
172+ }
173 (*sp->tfunc)(sp, bp, npixels);
174 }
175 /* write out encoded pixels */
176@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
177 static int
178 LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
179 {
180+ static const char module[] = "LogLuvEncode32";
181 LogLuvState* sp = EncoderState(tif);
182 int shft;
183 tmsize_t i;
184@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
185 tp = (uint32*) bp;
186 else {
187 tp = (uint32*) sp->tbuf;
188- assert(sp->tbuflen >= npixels);
189+ if(sp->tbuflen < npixels) {
190+ TIFFErrorExt(tif->tif_clientdata, module,
191+ "Translation buffer too short");
192+ return (0);
193+ }
194 (*sp->tfunc)(sp, bp, npixels);
195 }
196 /* compress each byte string */