tiff: Security fix CVE-2016-9535

* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535 Patch from: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 (From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275) (From OE-Core rev: d55b4470c20f4a4b73b1e6f148a45d94649dfdb5) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Mingli Yu <Mingli.Yu@windriver.com> 2016-12-07 16:01:11 +0800
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2017-02-10 12:21:39 +0100
commit: a7301f1b499a971f6b208865f1241aaffa4b1dde (patch)
tree: 659cdf9713981297e17167d6df6ac4fa5da6d5af /meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
parent: 6c6fedcb239a188807cdf228a3e0ed116523bf1b (diff)
download: poky-a7301f1b499a971f6b208865f1241aaffa4b1dde.tar.gz
1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
new file mode 100644
index 0000000000..977dbf6c87
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
@@ -0,0 +1,67 @@
+From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 4 Nov 2016 09:19:13 +0000
+Subject: [PATCH 2/2] Fix CVE-2016-9535
+* libtiff/tif_predic.c: fix memory leaks in error code
+ paths added in previous commit (fix for MSVR 35105)
+CVE: CVE-2016-9535
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ libtiff/tif_predict.c | 8 ++++++--
+ 1 files changed, 11 insertions(+), 2 deletions(-)
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index b829259..3f42f3b 100644
+--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
+@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+        tmsize_t wc = cc / bps;
+        tmsize_t count = cc;
+        uint8 *cp = (uint8 *) cp0;
+-       uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+       uint8 *tmp;
+ 
+     if(cc%(bps*stride)!=0)
+     {
+@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+         return 0;
+     }
+ 
+    tmp = (uint8 *)_TIFFmalloc(cc);
+        if (!tmp)
+                return 0;
+ 
+@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+        tmsize_t wc = cc / bps;
+        tmsize_t count;
+        uint8 *cp = (uint8 *) cp0;
+-       uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+       uint8 *tmp;
+ 
+     if((cc%(bps*stride))!=0)
+     {
+@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+                      "%s", "(cc%(bps*stride))!=0");
+         return 0;
+     }
+
+    tmp = (uint8 *)_TIFFmalloc(cc);
+        if (!tmp)
+                return 0;
+ 
+@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
+     {
+         TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
+                      "%s", "(cc0%rowsize)!=0");
+        _TIFFfree( working_copy );
+         return 0;
+     }
+        while (cc > 0) {
+-- 
+2.9.3
author	Mingli Yu <Mingli.Yu@windriver.com>	2016-12-07 16:01:11 +0800
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2017-02-10 12:21:39 +0100
commit	a7301f1b499a971f6b208865f1241aaffa4b1dde (patch)
tree	659cdf9713981297e17167d6df6ac4fa5da6d5af /meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
parent	6c6fedcb239a188807cdf228a3e0ed116523bf1b (diff)
download	poky-a7301f1b499a971f6b208865f1241aaffa4b1dde.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch new file mode 100644 index 0000000000..977dbf6c87 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
@@ -0,0 +1,67 @@
	1	From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
	2	From: erouault <erouault>
	3	Date: Fri, 4 Nov 2016 09:19:13 +0000
	4	Subject: [PATCH 2/2] Fix CVE-2016-9535
	5	* libtiff/tif_predic.c: fix memory leaks in error code
	6	paths added in previous commit (fix for MSVR 35105)
	7
	8	CVE: CVE-2016-9535
	9	Upstream-Status: Backport
	10	https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
	11
	12	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
	13
	14	---
	15	libtiff/tif_predict.c \| 8 ++++++--
	16	1 files changed, 11 insertions(+), 2 deletions(-)
	17
	18	diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
	19	index b829259..3f42f3b 100644
	20	--- a/libtiff/tif_predict.c
	21	+++ b/libtiff/tif_predict.c
	22	@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
	23	tmsize_t wc = cc / bps;
	24	tmsize_t count = cc;
	25	uint8 cp = (uint8 ) cp0;
	26	- uint8 tmp = (uint8 )_TIFFmalloc(cc);
	27	+ uint8 *tmp;
	28
	29	if(cc%(bps*stride)!=0)
	30	{
	31	@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
	32	return 0;
	33	}
	34
	35	+ tmp = (uint8 *)_TIFFmalloc(cc);
	36	if (!tmp)
	37	return 0;
	38
	39	@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
	40	tmsize_t wc = cc / bps;
	41	tmsize_t count;
	42	uint8 cp = (uint8 ) cp0;
	43	- uint8 tmp = (uint8 )_TIFFmalloc(cc);
	44	+ uint8 *tmp;
	45
	46	if((cc%(bps*stride))!=0)
	47	{
	48	@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
	49	"%s", "(cc%(bps*stride))!=0");
	50	return 0;
	51	}
	52	+
	53	+ tmp = (uint8 *)_TIFFmalloc(cc);
	54	if (!tmp)
	55	return 0;
	56
	57	@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
	58	{
	59	TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
	60	"%s", "(cc0%rowsize)!=0");
	61	+ _TIFFfree( working_copy );
	62	return 0;
	63	}
	64	while (cc > 0) {
	65	--
	66	2.9.3
	67