libtiff: Update to 4.0.7

Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos. CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632 plus more that are not identified in the changelog. removed patches integrated into update. more info: http://libtiff.maptools.org/v4.0.7.html (From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed) (From OE-Core rev: 009b330591b27bd14d4c8ceb767c78fd7eb924fd) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster808@gmail.com> 2016-12-10 09:38:43 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-01-11 17:21:45 +0000
commit: baf73313b3f63537853278992fa7c00775a6eff4 (patch)
tree: d5983f67c33f88b81df914f0cfbf5883d4de4877 /meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
parent: 985beaaa1309a97d42aa0f886096db041060a95e (diff)
download: poky-baf73313b3f63537853278992fa7c00775a6eff4.tar.gz
1 files changed, 0 insertions, 118 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
deleted file mode 100644
index 4d965be9ff..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:06:40 +0000
-Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
- allocated buffer, when -b mode is enabled, that could result in out-of-bounds
- write. Based initially on patch tiff-CVE-2016-3945.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
- tests that rejected valid files.
-CVE: CVE-2016-3945
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
- ChangeLog         |  8 ++++++++
- tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
- 2 files changed, 38 insertions(+), 4 deletions(-)
-diff --git a/ChangeLog b/ChangeLog
-index 62dc1b5..9c0ab29 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,11 @@
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
-+       * tools/tiff2rgba.c: Fix integer overflow in size of allocated
-+       buffer, when -b mode is enabled, that could result in out-of-bounds
-+       write. Based initially on patch tiff-CVE-2016-3945.patch from
-+       libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
-+       invalid tests that rejected valid files.
-+
- 2016-07-11 Even Rouault <even.rouault at spatialys.com>
- 
-        * tools/tiffcrop.c: Avoid access outside of stack allocated array
-diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
-index b7a81eb..16e3dc4 100644
--- a/tools/tiff2rgba.c
-+++ b/tools/tiff2rgba.c
-@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
-     uint32  row, col;
-     uint32  *wrk_line;
-     int            ok = 1;
-+    uint32  rastersize, wrk_linesize;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
-     /*
-      * Allocate tile buffer
-      */
-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+    rastersize = tile_width * tile_height * sizeof (uint32);
-+    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+    {
-+       TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+       exit(-1);
-+    }
-+    raster = (uint32*)_TIFFmalloc(rastersize);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
-      * Allocate a scanline buffer for swapping during the vertical
-      * mirroring pass.
-      */
-    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+    wrk_linesize = tile_width * sizeof (uint32);
-+    if (tile_width != wrk_linesize / sizeof (uint32))
-+    {
-+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+       exit(-1);
-+    }
-+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-     if (!wrk_line) {
-         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-         ok = 0;
-@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
-     uint32  row;
-     uint32  *wrk_line;
-     int            ok = 1;
-+    uint32  rastersize, wrk_linesize;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
-     /*
-      * Allocate strip buffer
-      */
-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+    rastersize = width * rowsperstrip * sizeof (uint32);
-+    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+    {
-+       TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+       exit(-1);
-+    }
-+    raster = (uint32*)_TIFFmalloc(rastersize);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
-      * Allocate a scanline buffer for swapping during the vertical
-      * mirroring pass.
-      */
-    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+    wrk_linesize = width * sizeof (uint32);
-+    if (width != wrk_linesize / sizeof (uint32))
-+    {
-+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+       exit(-1);
-+    }
-+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-     if (!wrk_line) {
-         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-         ok = 0;
-- 
-2.7.4
author	Armin Kuster <akuster808@gmail.com>	2016-12-10 09:38:43 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-01-11 17:21:45 +0000
commit	baf73313b3f63537853278992fa7c00775a6eff4 (patch)
tree	d5983f67c33f88b81df914f0cfbf5883d4de4877 /meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
parent	985beaaa1309a97d42aa0f886096db041060a95e (diff)
download	poky-baf73313b3f63537853278992fa7c00775a6eff4.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch deleted file mode 100644 index 4d965be9ff..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch +++ /dev/null
@@ -1,118 +0,0 @@
1	From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
2	From: erouault <erouault>
3	Date: Mon, 15 Aug 2016 20:06:40 +0000
4	Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
5	allocated buffer, when -b mode is enabled, that could result in out-of-bounds
6	write. Based initially on patch tiff-CVE-2016-3945.patch from
7	libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
8	tests that rejected valid files.
9
10	CVE: CVE-2016-3945
11	Upstream-Status: Backport
12	https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
13
14	Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
15	---
16	ChangeLog \| 8 ++++++++
17	tools/tiff2rgba.c \| 34 ++++++++++++++++++++++++++++++----
18	2 files changed, 38 insertions(+), 4 deletions(-)
19
20	diff --git a/ChangeLog b/ChangeLog
21	index 62dc1b5..9c0ab29 100644
22	--- a/ChangeLog
23	+++ b/ChangeLog
24	@@ -1,3 +1,11 @@
25	+2016-08-15 Even Rouault <even.rouault at spatialys.com>
26	+
27	+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
28	+ buffer, when -b mode is enabled, that could result in out-of-bounds
29	+ write. Based initially on patch tiff-CVE-2016-3945.patch from
30	+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
31	+ invalid tests that rejected valid files.
32	+
33	2016-07-11 Even Rouault <even.rouault at spatialys.com>
34
35	* tools/tiffcrop.c: Avoid access outside of stack allocated array
36	diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
37	index b7a81eb..16e3dc4 100644
38	--- a/tools/tiff2rgba.c
39	+++ b/tools/tiff2rgba.c
40	@@ -147,6 +147,7 @@ cvt_by_tile( TIFF in, TIFF out )
41	uint32 row, col;
42	uint32 *wrk_line;
43	int ok = 1;
44	+ uint32 rastersize, wrk_linesize;
45
46	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
47	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
48	@@ -163,7 +164,13 @@ cvt_by_tile( TIFF in, TIFF out )
49	/*
50	* Allocate tile buffer
51	*/
52	- raster = (uint32)_TIFFmalloc(tile_width tile_height * sizeof (uint32));
53	+ rastersize = tile_width * tile_height * sizeof (uint32);
54	+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
55	+ {
56	+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
57	+ exit(-1);
58	+ }
59	+ raster = (uint32*)_TIFFmalloc(rastersize);
60	if (raster == 0) {
61	TIFFError(TIFFFileName(in), "No space for raster buffer");
62	return (0);
63	@@ -173,7 +180,13 @@ cvt_by_tile( TIFF in, TIFF out )
64	* Allocate a scanline buffer for swapping during the vertical
65	* mirroring pass.
66	*/
67	- wrk_line = (uint32)_TIFFmalloc(tile_width sizeof (uint32));
68	+ wrk_linesize = tile_width * sizeof (uint32);
69	+ if (tile_width != wrk_linesize / sizeof (uint32))
70	+ {
71	+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
72	+ exit(-1);
73	+ }
74	+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
75	if (!wrk_line) {
76	TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
77	ok = 0;
78	@@ -249,6 +262,7 @@ cvt_by_strip( TIFF in, TIFF out )
79	uint32 row;
80	uint32 *wrk_line;
81	int ok = 1;
82	+ uint32 rastersize, wrk_linesize;
83
84	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
85	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
86	@@ -263,7 +277,13 @@ cvt_by_strip( TIFF in, TIFF out )
87	/*
88	* Allocate strip buffer
89	*/
90	- raster = (uint32)_TIFFmalloc(width rowsperstrip * sizeof (uint32));
91	+ rastersize = width * rowsperstrip * sizeof (uint32);
92	+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
93	+ {
94	+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
95	+ exit(-1);
96	+ }
97	+ raster = (uint32*)_TIFFmalloc(rastersize);
98	if (raster == 0) {
99	TIFFError(TIFFFileName(in), "No space for raster buffer");
100	return (0);
101	@@ -273,7 +293,13 @@ cvt_by_strip( TIFF in, TIFF out )
102	* Allocate a scanline buffer for swapping during the vertical
103	* mirroring pass.
104	*/
105	- wrk_line = (uint32)_TIFFmalloc(width sizeof (uint32));
106	+ wrk_linesize = width * sizeof (uint32);
107	+ if (width != wrk_linesize / sizeof (uint32))
108	+ {
109	+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
110	+ exit(-1);
111	+ }
112	+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
113	if (!wrk_line) {
114	TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
115	ok = 0;
116	--
117	2.7.4
118