authorArmin Kuster <akuster808@gmail.com>2016-12-10 09:38:43 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-12-13 22:55:21 +0000
commita63b53841b2d7d0c360d3c6813a19317216f85d0 (patch)
tree570c0c5d47a4643e0361594855153b53157381af /meta/recipes-multimedia/libtiff/files
parent840ea755f2a2b39719e4af6bea0160cd2008cfe9 (diff)
libtiff: Update to 4.0.7
Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos. CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632, plus more that are not identified in the changelog. Removed the local backport patches that are now integrated into this update. More info: http://libtiff.maptools.org/v4.0.7.html (From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch137
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch195
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch73
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch24
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch129
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch52
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch34
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch111
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch118
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch66
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch147
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch49
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch107
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch423
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch67
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch67
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch60
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch60
-rw-r--r--meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch281
19 files changed, 0 insertions, 2200 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
deleted file mode 100644
index 39c5059c75..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
+++ /dev/null
@@ -1,137 +0,0 @@
1From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sat, 26 Dec 2015 17:32:03 +0000
4Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
5 TIFFRGBAImage interface in case of unsupported values of
6 SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
7 TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
8 limingxing and CVE-2015-8683 reported by zzf of Alibaba.
9
10Upstream-Status: Backport
11CVE: CVE-2015-8665
12CVE: CVE-2015-8683
13https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
14
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 ChangeLog | 8 ++++++++
19 libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
20 2 files changed, 30 insertions(+), 13 deletions(-)
21
22Index: tiff-4.0.6/libtiff/tif_getimage.c
23===================================================================
24--- tiff-4.0.6.orig/libtiff/tif_getimage.c
25+++ tiff-4.0.6/libtiff/tif_getimage.c
26@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
27 "Planarconfiguration", td->td_planarconfig);
28 return (0);
29 }
30- if( td->td_samplesperpixel != 3 )
31+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
32 {
33 sprintf(emsg,
34- "Sorry, can not handle image with %s=%d",
35- "Samples/pixel", td->td_samplesperpixel);
36+ "Sorry, can not handle image with %s=%d, %s=%d",
37+ "Samples/pixel", td->td_samplesperpixel,
38+ "colorchannels", colorchannels);
39 return 0;
40 }
41 break;
42 case PHOTOMETRIC_CIELAB:
43- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
44+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
45 {
46 sprintf(emsg,
47- "Sorry, can not handle image with %s=%d and %s=%d",
48+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
49 "Samples/pixel", td->td_samplesperpixel,
50+ "colorchannels", colorchannels,
51 "Bits/sample", td->td_bitspersample);
52 return 0;
53 }
54@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
55 int colorchannels;
56 uint16 *red_orig, *green_orig, *blue_orig;
57 int n_color;
58+
59+ if( !TIFFRGBAImageOK(tif, emsg) )
60+ return 0;
61
62 /* Initialize to normal values */
63 img->row_offset = 0;
64@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
65 case PHOTOMETRIC_RGB:
66 switch (img->bitspersample) {
67 case 8:
68- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
69+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
70+ img->samplesperpixel >= 4)
71 img->put.contig = putRGBAAcontig8bittile;
72- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
73+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
74+ img->samplesperpixel >= 4)
75 {
76 if (BuildMapUaToAa(img))
77 img->put.contig = putRGBUAcontig8bittile;
78 }
79- else
80+ else if( img->samplesperpixel >= 3 )
81 img->put.contig = putRGBcontig8bittile;
82 break;
83 case 16:
84- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
85+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
86+ img->samplesperpixel >=4 )
87 {
88 if (BuildMapBitdepth16To8(img))
89 img->put.contig = putRGBAAcontig16bittile;
90 }
91- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
92+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
93+ img->samplesperpixel >=4 )
94 {
95 if (BuildMapBitdepth16To8(img) &&
96 BuildMapUaToAa(img))
97 img->put.contig = putRGBUAcontig16bittile;
98 }
99- else
100+ else if( img->samplesperpixel >=3 )
101 {
102 if (BuildMapBitdepth16To8(img))
103 img->put.contig = putRGBcontig16bittile;
104@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
105 }
106 break;
107 case PHOTOMETRIC_SEPARATED:
108- if (buildMap(img)) {
109+ if (img->samplesperpixel >=4 && buildMap(img)) {
110 if (img->bitspersample == 8) {
111 if (!img->Map)
112 img->put.contig = putRGBcontig8bitCMYKtile;
113@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
114 }
115 break;
116 case PHOTOMETRIC_CIELAB:
117- if (buildMap(img)) {
118+ if (img->samplesperpixel == 3 && buildMap(img)) {
119 if (img->bitspersample == 8)
120 img->put.contig = initCIELabConversion(img);
121 break;
122Index: tiff-4.0.6/ChangeLog
123===================================================================
124--- tiff-4.0.6.orig/ChangeLog
125+++ tiff-4.0.6/ChangeLog
126@@ -1,3 +1,11 @@
127+2015-12-26 Even Rouault <even.rouault at spatialys.com>
128+
129+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
130+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
131+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
132+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
133+ CVE-2015-8683 reported by zzf of Alibaba.
134+
135 2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
136
137 * libtiff 4.0.6 released.
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
deleted file mode 100644
index 0846f0f68e..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
+++ /dev/null
@@ -1,195 +0,0 @@
1From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sun, 27 Dec 2015 16:25:11 +0000
4Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
5 decode functions in non debug builds by replacing assert()s by regular if
6 checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
7 input data.
8
9Upstream-Status: Backport
10
11https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
12hand applied Changelog changes
13
14CVE: CVE-2015-8781
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17---
18 ChangeLog | 7 +++++++
19 libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
20 2 files changed, 51 insertions(+), 11 deletions(-)
21
22Index: tiff-4.0.4/ChangeLog
23===================================================================
24--- tiff-4.0.4.orig/ChangeLog
25+++ tiff-4.0.4/ChangeLog
26@@ -1,3 +1,10 @@
27+2015-12-27 Even Rouault <even.rouault at spatialys.com>
28+
29+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
30+ functions in non debug builds by replacing assert()s by regular if
31+ checks (bugzilla #2522).
32+ Fix potential out-of-bound reads in case of short input data.
33+
34 2015-12-26 Even Rouault <even.rouault at spatialys.com>
35
36 * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
37Index: tiff-4.0.4/libtiff/tif_luv.c
38===================================================================
39--- tiff-4.0.4.orig/libtiff/tif_luv.c
40+++ tiff-4.0.4/libtiff/tif_luv.c
41@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
42 if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
43 tp = (int16*) op;
44 else {
45- assert(sp->tbuflen >= npixels);
46+ if(sp->tbuflen < npixels) {
47+ TIFFErrorExt(tif->tif_clientdata, module,
48+ "Translation buffer too short");
49+ return (0);
50+ }
51 tp = (int16*) sp->tbuf;
52 }
53 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
54@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
55 cc = tif->tif_rawcc;
56 /* get each byte string */
57 for (shft = 2*8; (shft -= 8) >= 0; ) {
58- for (i = 0; i < npixels && cc > 0; )
59+ for (i = 0; i < npixels && cc > 0; ) {
60 if (*bp >= 128) { /* run */
61- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
62+ if( cc < 2 )
63+ break;
64+ rc = *bp++ + (2-128);
65 b = (int16)(*bp++ << shft);
66 cc -= 2;
67 while (rc-- && i < npixels)
68@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
69 while (--cc && rc-- && i < npixels)
70 tp[i++] |= (int16)*bp++ << shft;
71 }
72+ }
73 if (i != npixels) {
74 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
75 TIFFErrorExt(tif->tif_clientdata, module,
76@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
77 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
78 tp = (uint32 *)op;
79 else {
80- assert(sp->tbuflen >= npixels);
81+ if(sp->tbuflen < npixels) {
82+ TIFFErrorExt(tif->tif_clientdata, module,
83+ "Translation buffer too short");
84+ return (0);
85+ }
86 tp = (uint32 *) sp->tbuf;
87 }
88 /* copy to array of uint32 */
89 bp = (unsigned char*) tif->tif_rawcp;
90 cc = tif->tif_rawcc;
91- for (i = 0; i < npixels && cc > 0; i++) {
92+ for (i = 0; i < npixels && cc >= 3; i++) {
93 tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
94 bp += 3;
95 cc -= 3;
96@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
97 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
98 tp = (uint32*) op;
99 else {
100- assert(sp->tbuflen >= npixels);
101+ if(sp->tbuflen < npixels) {
102+ TIFFErrorExt(tif->tif_clientdata, module,
103+ "Translation buffer too short");
104+ return (0);
105+ }
106 tp = (uint32*) sp->tbuf;
107 }
108 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
109@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
110 cc = tif->tif_rawcc;
111 /* get each byte string */
112 for (shft = 4*8; (shft -= 8) >= 0; ) {
113- for (i = 0; i < npixels && cc > 0; )
114+ for (i = 0; i < npixels && cc > 0; ) {
115 if (*bp >= 128) { /* run */
116+ if( cc < 2 )
117+ break;
118 rc = *bp++ + (2-128);
119 b = (uint32)*bp++ << shft;
120- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
121+ cc -= 2;
122 while (rc-- && i < npixels)
123 tp[i++] |= b;
124 } else { /* non-run */
125@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
126 while (--cc && rc-- && i < npixels)
127 tp[i++] |= (uint32)*bp++ << shft;
128 }
129+ }
130 if (i != npixels) {
131 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
132 TIFFErrorExt(tif->tif_clientdata, module,
133@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
134 static int
135 LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
136 {
137+ static const char module[] = "LogL16Encode";
138 LogLuvState* sp = EncoderState(tif);
139 int shft;
140 tmsize_t i;
141@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
142 tp = (int16*) bp;
143 else {
144 tp = (int16*) sp->tbuf;
145- assert(sp->tbuflen >= npixels);
146+ if(sp->tbuflen < npixels) {
147+ TIFFErrorExt(tif->tif_clientdata, module,
148+ "Translation buffer too short");
149+ return (0);
150+ }
151 (*sp->tfunc)(sp, bp, npixels);
152 }
153 /* compress each byte string */
154@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
155 static int
156 LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
157 {
158+ static const char module[] = "LogLuvEncode24";
159 LogLuvState* sp = EncoderState(tif);
160 tmsize_t i;
161 tmsize_t npixels;
162@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
163 tp = (uint32*) bp;
164 else {
165 tp = (uint32*) sp->tbuf;
166- assert(sp->tbuflen >= npixels);
167+ if(sp->tbuflen < npixels) {
168+ TIFFErrorExt(tif->tif_clientdata, module,
169+ "Translation buffer too short");
170+ return (0);
171+ }
172 (*sp->tfunc)(sp, bp, npixels);
173 }
174 /* write out encoded pixels */
175@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
176 static int
177 LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
178 {
179+ static const char module[] = "LogLuvEncode32";
180 LogLuvState* sp = EncoderState(tif);
181 int shft;
182 tmsize_t i;
183@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
184 tp = (uint32*) bp;
185 else {
186 tp = (uint32*) sp->tbuf;
187- assert(sp->tbuflen >= npixels);
188+ if(sp->tbuflen < npixels) {
189+ TIFFErrorExt(tif->tif_clientdata, module,
190+ "Translation buffer too short");
191+ return (0);
192+ }
193 (*sp->tfunc)(sp, bp, npixels);
194 }
195 /* compress each byte string */
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
deleted file mode 100644
index 0caf800e23..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
+++ /dev/null
@@ -1,73 +0,0 @@
1From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sun, 27 Dec 2015 16:55:20 +0000
4Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
5 NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
6 (bugzilla #2508)
7
8Upstream-Status: Backport
9https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
10hand applied Changelog changes
11
12CVE: CVE-2015-8784
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14
15---
16 ChangeLog | 6 ++++++
17 libtiff/tif_next.c | 10 ++++++++--
18 2 files changed, 14 insertions(+), 2 deletions(-)
19
20Index: tiff-4.0.4/ChangeLog
21===================================================================
22--- tiff-4.0.4.orig/ChangeLog
23+++ tiff-4.0.4/ChangeLog
24@@ -1,5 +1,11 @@
25 2015-12-27 Even Rouault <even.rouault at spatialys.com>
26
27+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
28+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
29+ (bugzilla #2508)
30+
31+2015-12-27 Even Rouault <even.rouault at spatialys.com>
32+
33 * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
34 functions in non debug builds by replacing assert()s by regular if
35 checks (bugzilla #2522).
36Index: tiff-4.0.4/libtiff/tif_next.c
37===================================================================
38--- tiff-4.0.4.orig/libtiff/tif_next.c
39+++ tiff-4.0.4/libtiff/tif_next.c
40@@ -37,7 +37,7 @@
41 case 0: op[0] = (unsigned char) ((v) << 6); break; \
42 case 1: op[0] |= (v) << 4; break; \
43 case 2: op[0] |= (v) << 2; break; \
44- case 3: *op++ |= (v); break; \
45+ case 3: *op++ |= (v); op_offset++; break; \
46 } \
47 }
48
49@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
50 uint32 imagewidth = tif->tif_dir.td_imagewidth;
51 if( isTiled(tif) )
52 imagewidth = tif->tif_dir.td_tilewidth;
53+ tmsize_t op_offset = 0;
54
55 /*
56 * The scanline is composed of a sequence of constant
57@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
58 * bounds, potentially resulting in a security
59 * issue.
60 */
61- while (n-- > 0 && npixels < imagewidth)
62+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
63 SETPIXEL(op, grey);
64 if (npixels >= imagewidth)
65 break;
66+ if (op_offset >= scanline ) {
67+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
68+ (long) tif->tif_row);
69+ return (0);
70+ }
71 if (cc == 0)
72 goto bad;
73 n = *bp++, cc--;
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
deleted file mode 100644
index 4a08aba211..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
+++ /dev/null
@@ -1,24 +0,0 @@
1Buffer overflow in the readextension function in gif2tiff.c
2allows remote attackers to cause a denial of service via a crafted GIF file.
3
4External References:
5https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
6https://bugzilla.redhat.com/show_bug.cgi?id=1319503
7
8CVE: CVE-2016-3186
9Upstream-Status: Backport (RedHat)
10https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
11
12Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
13
14--- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200
15+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200
16@@ -349,7 +349,7 @@
17 int status = 1;
18
19 (void) getc(infile);
20- while ((count = getc(infile)) && count <= 255)
21+ while ((count = getc(infile)) && count >= 0 && count <= 255)
22 if (fread(buf, 1, count, infile) != (size_t) count) {
23 fprintf(stderr, "short read from file %s (%s)\n",
24 filename, strerror(errno));
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
deleted file mode 100644
index 0c8b7164e5..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
+++ /dev/null
@@ -1,129 +0,0 @@
1From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
2From: bfriesen <bfriesen>
3Date: Sat, 24 Sep 2016 23:11:55 +0000
4Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
5 to read floating point images.
6
7* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
8requirements of floating point predictor (3). Fixes CVE-2016-3622
9"Divide By Zero in the tiff2rgba tool."
10
11CVE: CVE-2016-3622
12Upstream-Status: Backport
13https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
14
15Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
16---
17 ChangeLog | 11 ++++++++++-
18 libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
19 libtiff/tif_predict.c | 11 ++++++++++-
20 3 files changed, 40 insertions(+), 20 deletions(-)
21
22diff --git a/ChangeLog b/ChangeLog
23index 26d6f47..a628277 100644
24--- a/ChangeLog
25+++ b/ChangeLog
26@@ -1,3 +1,12 @@
27+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
28+
29+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
30+ read floating point images.
31+
32+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
33+ requirements of floating point predictor (3). Fixes CVE-2016-3622
34+ "Divide By Zero in the tiff2rgba tool."
35+
36 2016-08-15 Even Rouault <even.rouault at spatialys.com>
37
38 * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
39diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
40index 386cee0..3e689ee 100644
41--- a/libtiff/tif_getimage.c
42+++ b/libtiff/tif_getimage.c
43@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
44 td->td_bitspersample);
45 return (0);
46 }
47+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
48+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
49+ return (0);
50+ }
51 colorchannels = td->td_samplesperpixel - td->td_extrasamples;
52 if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
53 switch (colorchannels) {
54@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
55 "Planarconfiguration", td->td_planarconfig);
56 return (0);
57 }
58- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
59- {
60- sprintf(emsg,
61- "Sorry, can not handle image with %s=%d, %s=%d",
62- "Samples/pixel", td->td_samplesperpixel,
63- "colorchannels", colorchannels);
64- return 0;
65- }
66+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
67+ sprintf(emsg,
68+ "Sorry, can not handle image with %s=%d, %s=%d",
69+ "Samples/pixel", td->td_samplesperpixel,
70+ "colorchannels", colorchannels);
71+ return 0;
72+ }
73 break;
74 case PHOTOMETRIC_CIELAB:
75- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
76- {
77- sprintf(emsg,
78- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
79- "Samples/pixel", td->td_samplesperpixel,
80- "colorchannels", colorchannels,
81- "Bits/sample", td->td_bitspersample);
82- return 0;
83- }
84+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
85+ sprintf(emsg,
86+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
87+ "Samples/pixel", td->td_samplesperpixel,
88+ "colorchannels", colorchannels,
89+ "Bits/sample", td->td_bitspersample);
90+ return 0;
91+ }
92 break;
93- default:
94+ default:
95 sprintf(emsg, "Sorry, can not handle image with %s=%d",
96 photoTag, photometric);
97 return (0);
98diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
99index 081eb11..555f2f9 100644
100--- a/libtiff/tif_predict.c
101+++ b/libtiff/tif_predict.c
102@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
103 td->td_sampleformat);
104 return 0;
105 }
106+ if (td->td_bitspersample != 16
107+ && td->td_bitspersample != 24
108+ && td->td_bitspersample != 32
109+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
110+ TIFFErrorExt(tif->tif_clientdata, module,
111+ "Floating point \"Predictor\" not supported with %d-bit samples",
112+ td->td_bitspersample);
113+ return 0;
114+ }
115 break;
116 default:
117 TIFFErrorExt(tif->tif_clientdata, module,
118@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
119 }
120 /*
121 * Allocate buffer to keep the decoded bytes before
122- * rearranging in the ight order
123+ * rearranging in the right order
124 */
125 }
126
127--
1282.7.4
129
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
deleted file mode 100644
index f554ac5464..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
+++ /dev/null
@@ -1,52 +0,0 @@
1From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Mon, 15 Aug 2016 21:26:56 +0000
4Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
5 to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
6
7CVE: CVE-2016-3623
8Upstream-Status: Backport
9https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
10
11Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
12---
13 ChangeLog | 5 +++++
14 tools/rgb2ycbcr.c | 4 ++++
15 2 files changed, 9 insertions(+)
16
17diff --git a/ChangeLog b/ChangeLog
18index 5d60608..3e6642a 100644
19--- a/ChangeLog
20+++ b/ChangeLog
21@@ -1,5 +1,10 @@
22 2016-08-15 Even Rouault <even.rouault at spatialys.com>
23
24+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
25+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
26+
27+2016-08-15 Even Rouault <even.rouault at spatialys.com>
28+
29 * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
30 From patch libtiff-CVE-2016-3991.patch from
31 libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
32diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
33index 3829d6b..51f4259 100644
34--- a/tools/rgb2ycbcr.c
35+++ b/tools/rgb2ycbcr.c
36@@ -95,9 +95,13 @@ main(int argc, char* argv[])
37 break;
38 case 'h':
39 horizSubSampling = atoi(optarg);
40+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
41+ usage(-1);
42 break;
43 case 'v':
44 vertSubSampling = atoi(optarg);
45+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
46+ usage(-1);
47 break;
48 case 'r':
49 rowsperstrip = atoi(optarg);
50--
512.7.4
52
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
deleted file mode 100644
index a8392509e6..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
+++ /dev/null
@@ -1,34 +0,0 @@
1From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
3Date: Mon, 11 Jul 2016 16:04:34 +0200
4Subject: [PATCH 4/8] Fix CVE-2016-3632
5
6CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
7LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service
8(out-of-bounds write) or execute arbitrary code via a crafted TIFF image.
9
10CVE: CVE-2016-3632
11Upstream-Status: Backport [RedHat RHEL7]
12
13Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
14---
15 tools/thumbnail.c | 3 ++-
16 1 file changed, 2 insertions(+), 1 deletion(-)
17
18diff --git a/tools/thumbnail.c b/tools/thumbnail.c
19index fd1cba5..75e7009 100644
20--- a/tools/thumbnail.c
21+++ b/tools/thumbnail.c
22@@ -253,7 +253,8 @@ static struct cpTag {
23 { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL },
24 { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL },
25 { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT },
26- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
27+ // disable BADFAXLINES, CVE-2016-3632
28+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
29 { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
30 { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
31 { TIFFTAG_INKSET, 1, TIFF_SHORT },
32--
332.7.4
34
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
deleted file mode 100644
index 6cb12f2907..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
+++ /dev/null
@@ -1,111 +0,0 @@
1From: 45c68450bef8ad876f310b495165c513cad8b67d
2From: Even Rouault <even.rouault@spatialys.com>
3
4* libtiff/tif_dir.c: discard values of SMinSampleValue and
5SMaxSampleValue when they have been read and the value of
6SamplesPerPixel is changed afterwards (like when reading a
7OJPEG compressed image with a missing SamplesPerPixel tag,
8and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
9being 3). Otherwise when rewriting the directory (for example
10with tiffset, we will expect 3 values whereas the array had been
11allocated with just one), thus causing a out of bound read access.
12Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
13(CVE-2014-8127, duplicate: CVE-2016-3658)
14
15* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
16when writing directory, if FIELD_STRIPOFFSETS was artificially set
17for a hack case in OJPEG case.
18Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
19(CVE-2014-8127, duplicate: CVE-2016-3658)
20
21CVE: CVE-2016-3658
22Upstream-Status: Backport
23https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
24
25Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
26
27Index: tiff-4.0.6/ChangeLog
28===================================================================
29--- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
30+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
31@@ -1,3 +1,22 @@
32+2016-10-25 Even Rouault <even.rouault at spatialys.com>
33+
34+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
35+ SMaxSampleValue when they have been read and the value of
36+ SamplesPerPixel is changed afterwards (like when reading a
37+ OJPEG compressed image with a missing SamplesPerPixel tag,
38+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
39+ being 3). Otherwise when rewriting the directory (for example
40+ with tiffset, we will expect 3 values whereas the array had been
41+ allocated with just one), thus causing a out of bound read access.
42+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
43+ (CVE-2014-8127, duplicate: CVE-2016-3658)
44+
45+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
46+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
47+ for a hack case in OJPEG case.
48+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
49+ (CVE-2014-8127, duplicate: CVE-2016-3658)
50+
51 2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
52
53 * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
54Index: tiff-4.0.6/libtiff/tif_dir.c
55===================================================================
56--- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
57+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
58@@ -254,6 +254,28 @@
59 v = (uint16) va_arg(ap, uint16_vap);
60 if (v == 0)
61 goto badvalue;
62+ if( v != td->td_samplesperpixel )
63+ {
64+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
65+ if( td->td_sminsamplevalue != NULL )
66+ {
67+ TIFFWarningExt(tif->tif_clientdata,module,
68+ "SamplesPerPixel tag value is changing, "
69+ "but SMinSampleValue tag was read with a different value. Cancelling it");
70+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
71+ _TIFFfree(td->td_sminsamplevalue);
72+ td->td_sminsamplevalue = NULL;
73+ }
74+ if( td->td_smaxsamplevalue != NULL )
75+ {
76+ TIFFWarningExt(tif->tif_clientdata,module,
77+ "SamplesPerPixel tag value is changing, "
78+ "but SMaxSampleValue tag was read with a different value. Cancelling it");
79+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
80+ _TIFFfree(td->td_smaxsamplevalue);
81+ td->td_smaxsamplevalue = NULL;
82+ }
83+ }
84 td->td_samplesperpixel = (uint16) v;
85 break;
86 case TIFFTAG_ROWSPERSTRIP:
87Index: tiff-4.0.6/libtiff/tif_dirwrite.c
88===================================================================
89--- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
90+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
91@@ -542,7 +542,19 @@
92 {
93 if (!isTiled(tif))
94 {
95- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
96+ /* td_stripoffset might be NULL in an odd OJPEG case. See
97+ * tif_dirread.c around line 3634.
98+ * XXX: OJPEG hack.
99+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
100+ * and c) the number of strips is 1,
101+ * then we tolerate the absence of stripoffsets tag,
102+ * because, presumably, all required data is in the
103+ * JpegInterchangeFormat stream.
104+ * We can get here when using tiffset on such a file.
105+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
106+ */
107+ if (tif->tif_dir.td_stripoffset != NULL &&
108+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
109 goto bad;
110 }
111 else
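--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:06:40 +0000
-Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
- allocated buffer, when -b mode is enabled, that could result in out-of-bounds
- write. Based initially on patch tiff-CVE-2016-3945.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
- tests that rejected valid files.
-
-CVE: CVE-2016-3945
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
- ChangeLog | 8 ++++++++
- tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
- 2 files changed, 38 insertions(+), 4 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 62dc1b5..9c0ab29 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,11 @@
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
-+ buffer, when -b mode is enabled, that could result in out-of-bounds
-+ write. Based initially on patch tiff-CVE-2016-3945.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
-+ invalid tests that rejected valid files.
-+
- 2016-07-11 Even Rouault <even.rouault at spatialys.com>
-
- * tools/tiffcrop.c: Avoid access outside of stack allocated array
-diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
-index b7a81eb..16e3dc4 100644
---- a/tools/tiff2rgba.c
-+++ b/tools/tiff2rgba.c
-@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
- uint32 row, col;
- uint32 *wrk_line;
- int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
- /*
- * Allocate tile buffer
- */
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ rastersize = tile_width * tile_height * sizeof (uint32);
-+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
- * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
- */
-- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+ wrk_linesize = tile_width * sizeof (uint32);
-+ if (tile_width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
- if (!wrk_line) {
- TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
- ok = 0;
-@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
- uint32 row;
- uint32 *wrk_line;
- int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
- /*
- * Allocate strip buffer
- */
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ rastersize = width * rowsperstrip * sizeof (uint32);
-+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
- * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
- */
-- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+ wrk_linesize = width * sizeof (uint32);
-+ if (width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
- if (!wrk_line) {
- TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
- ok = 0;
---
-2.7.4
-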
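--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:49:48 +0000
-Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
- PixarLogEncode if more input samples are provided than expected by
- PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
- simpler check. (bugzilla #2544)
-
-invalid tests that rejected valid files. (bugzilla #2545)
-
-CVE: CVE-2016-3990
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
- ChangeLog | 10 +++++++++-
- libtiff/tif_pixarlog.c | 7 +++++++
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 9c0ab29..db4ea18 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,10 +1,18 @@
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
-+ if more input samples are provided than expected by PixarLogSetupEncode.
-+ Idea based on libtiff-CVE-2016-3990.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
-+ simpler check. (bugzilla #2544)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
- * tools/tiff2rgba.c: Fix integer overflow in size of allocated
- buffer, when -b mode is enabled, that could result in out-of-bounds
- write. Based initially on patch tiff-CVE-2016-3945.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
-- invalid tests that rejected valid files.
-+ invalid tests that rejected valid files. (bugzilla #2545)
-
- 2016-07-11 Even Rouault <even.rouault at spatialys.com>
-
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index e78f788..28329d1 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- }
-
- llen = sp->stride * td->td_imagewidth;
-+ /* Check against the number of elements (of size uint16) of sp->tbuf */
-+ if( n > td->td_rowsperstrip * llen )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Too many input bytes provided");
-+ return 0;
-+ }
-
- for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
- switch (sp->user_datafmt) {
---
-2.7.4
-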
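--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 21:05:40 +0000
-Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
- loadImage(). From patch libtiff-CVE-2016-3991.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-
-CVE: CVE-2016-3991
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
- ChangeLog | 6 ++++++
- tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
- 2 files changed, 62 insertions(+), 3 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index db4ea18..5d60608 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,11 @@
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
-+ From patch libtiff-CVE-2016-3991.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
- * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
- if more input samples are provided than expected by PixarLogSetupEncode.
- Idea based on libtiff-CVE-2016-3990.patch from
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 27abc0b..ddba7b9 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
- }
-
- tile_buffsize = tilesize;
-+ if (tilesize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
-+ exit(-1);
-+ }
-
- if (tilesize < (tsize_t)(tl * tile_rowsize))
- {
-@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
- tilesize, tl * tile_rowsize);
- #endif
- tile_buffsize = tl * tile_rowsize;
-- }
-+ if (tl != (tile_buffsize / tile_rowsize))
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+ exit(-1);
-+ }
-+ }
-
- tilebuf = _TIFFmalloc(tile_buffsize);
- if (tilebuf == 0)
-@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
- !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
- return 1;
-
-+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
-+ exit(-1);
-+ }
-+
- tile_buffsize = tilesize;
- if (tilesize < (tsize_t)(tl * tile_rowsize))
- {
-@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
- tilesize, tl * tile_rowsize);
- #endif
- tile_buffsize = tl * tile_rowsize;
-+ if (tl != tile_buffsize / tile_rowsize)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
- }
-
- tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
- TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
-
- tile_rowsize = TIFFTileRowSize(in);
-+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
-+ exit(-1);
-+ }
- buffsize = tlsize * ntiles;
-+ if (tlsize != (buffsize / ntiles))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-
--
- if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
- {
- buffsize = ntiles * tl * tile_rowsize;
-+ if (ntiles != (buffsize / tl / tile_rowsize))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+
- #ifdef DEBUG2
- TIFFError("loadImage",
- "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
- TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
- stsize = TIFFStripSize(in);
- nstrips = TIFFNumberOfStrips(in);
-+ if (nstrips == 0 || stsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
-+ exit(-1);
-+ }
-+
- buffsize = stsize * nstrips;
--
-+ if (stsize != (buffsize / nstrips))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+ uint32 buffsize_check;
-+ buffsize_check = ((length * width * spp * bps) + 7);
-+ if (length != ((buffsize_check - 7) / width / spp / bps))
-+ {
-+ TIFFError("loadImage", "Integer overflow detected.");
-+ exit(-1);
-+ }
- if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
- {
- buffsize = ((length * width * spp * bps) + 7) / 8;
---
-2.7.4
-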
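--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 11 Jul 2016 21:26:03 +0000
-Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack
- allocated array on a tiled separate TIFF with more than 8 samples per pixel.
- Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
- (CVE-2016-5321, bugzilla #2558)
-
-CVE: CVE-2016-5321
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
- ChangeLog | 7 +++++++
- tools/tiffcrop.c | 2 +-
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index e98d54d..4e0302f 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+2016-07-11 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiffcrop.c: Avoid access outside of stack allocated array
-+ on a tiled separate TIFF with more than 8 samples per pixel.
-+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
-+ (CVE-2016-5321, bugzilla #2558)
-+
- 2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index d959ae3..6fc8fc1 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
- nrow = (row + tl > imagelength) ? imagelength - row : tl;
- for (col = 0; col < imagewidth; col += tw)
- {
-- for (s = 0; s < spp; s++)
-+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
- { /* Read each plane of a tile set into srcbuffs[s] */
- tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
- if (tbytes < 0 && !ignore)
---
-2.7.4
-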
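--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 11 Jul 2016 21:38:31 +0000
-Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
-
-CVE: CVE-2016-5323
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
- ChangeLog | 2 +-
- tools/tiffcrop.c | 16 ++++++++--------
- 2 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 4e0302f..62dc1b5 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -3,7 +3,7 @@
- * tools/tiffcrop.c: Avoid access outside of stack allocated array
- on a tiled separate TIFF with more than 8 samples per pixel.
- Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
-- (CVE-2016-5321, bugzilla #2558)
-+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
-
- 2016-07-10 Even Rouault <even.rouault at spatialys.com>
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 6fc8fc1..27abc0b 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
-
- matchbits = maskbits << (8 - src_bit - bps);
- /* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
-
- matchbits = maskbits << (8 - src_bit - bps);
- /* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
---
-2.7.4
-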
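--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
+++ /dev/null
@@ -1,423 +0,0 @@
-From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 31 Oct 2016 17:24:26 +0000
-Subject: [PATCH 1/2] Fix CVE-2016-9535
-
-* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
- assertions by runtime checks to avoid assertions in debug mode, or buffer
- overflows in release mode. Can happen when dealing with unusual tile size
- like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
- Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
----
- libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
- libtiff/tif_predict.h | 6 +-
- 2 files changed, 121 insertions(+), 47 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index 555f2f9..b829259 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -34,18 +34,18 @@
-
- #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
-
--static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
- static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
- static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
- static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
-@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
- /* - when storing into the byte stream, we explicitly mask with 0xff so */
- /* as to make icc -check=conversions happy (not necessary by the standard) */
-
--static void
-+static int
- horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-
- unsigned char* cp = (unsigned char*) cp0;
-- assert((cc%stride)==0);
-+ if((cc%stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
-+ "%s", "(cc%stride)!=0");
-+ return 0;
-+ }
-+
- if (cc > stride) {
- /*
- * Pipeline the most common cases.
-@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
- } while (cc>0);
- }
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
- TIFFSwabArrayOfShort(wp, wc);
-- horAcc16(tif, cp0, cc);
-+ return horAcc16(tif, cp0, cc);
- }
-
--static void
-+static int
- horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
-- assert((cc%(2*stride))==0);
-+ if((cc%(2*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
-+ "%s", "cc%(2*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
- TIFFSwabArrayOfLong(wp, wc);
-- horAcc32(tif, cp0, cc);
-+ return horAcc32(tif, cp0, cc);
- }
-
--static void
-+static int
- horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
-- assert((cc%(4*stride))==0);
-+ if((cc%(4*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
-+ "%s", "cc%(4*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
- /*
- * Floating point predictor accumulation routine.
- */
--static void
-+static int
- fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-
-- assert((cc%(bps*stride))==0);
-+ if(cc%(bps*stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
-+ "%s", "cc%(bps*stride))!=0");
-+ return 0;
-+ }
-
- if (!tmp)
-- return;
-+ return 0;
-
- while (count > stride) {
- REPEAT4(stride, cp[stride] =
-@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- }
- }
- _TIFFfree(tmp);
-+ return 1;
- }
-
- /*
-@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- assert(sp->decodepfunc != NULL);
-
- if ((*sp->decoderow)(tif, op0, occ0, s)) {
-- (*sp->decodepfunc)(tif, op0, occ0);
-- return 1;
-+ return (*sp->decodepfunc)(tif, op0, occ0);
- } else
- return 0;
- }
-@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- if ((*sp->decodetile)(tif, op0, occ0, s)) {
- tmsize_t rowsize = sp->rowsize;
- assert(rowsize > 0);
-- assert((occ0%rowsize)==0);
-+ if((occ0%rowsize) !=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
-+ "%s", "occ0%rowsize != 0");
-+ return 0;
-+ }
- assert(sp->decodepfunc != NULL);
- while (occ0 > 0) {
-- (*sp->decodepfunc)(tif, op0, rowsize);
-+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
-+ return 0;
- occ0 -= rowsize;
- op0 += rowsize;
- }
-@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- return 0;
- }
-
--static void
-+static int
- horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
- tmsize_t stride = sp->stride;
- unsigned char* cp = (unsigned char*) cp0;
-
-- assert((cc%stride)==0);
-+ if((cc%stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+ "%s", "(cc%stride)!=0");
-+ return 0;
-+ }
-
- if (cc > stride) {
- cc -= stride;
-@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
- } while ((cc -= stride) > 0);
- }
- }
-+ return 1;
- }
-
--static void
-+static int
- horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
-@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint16 *wp = (uint16*) cp0;
- tmsize_t wc = cc/2;
-
-- assert((cc%(2*stride))==0);
-+ if((cc%(2*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+ "%s", "(cc%(2*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
-- horDiff16(tif, cp0, cc);
-+ if( !horDiff16(tif, cp0, cc) )
-+ return 0;
-
- TIFFSwabArrayOfShort(wp, wc);
-+ return 1;
- }
-
--static void
-+static int
- horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
-@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint32 *wp = (uint32*) cp0;
- tmsize_t wc = cc/4;
-
-- assert((cc%(4*stride))==0);
-+ if((cc%(4*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
-+ "%s", "(cc%(4*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
-- horDiff32(tif, cp0, cc);
-+ if( !horDiff32(tif, cp0, cc) )
-+ return 0;
-
- TIFFSwabArrayOfLong(wp, wc);
-+ return 1;
- }
-
- /*
- * Floating point predictor differencing routine.
- */
--static void
-+static int
- fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-
-- assert((cc%(bps*stride))==0);
--
-+ if((cc%(bps*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
-+ "%s", "(cc%(bps*stride))!=0");
-+ return 0;
-+ }
- if (!tmp)
-- return;
-+ return 0;
-
- _TIFFmemcpy(tmp, cp0, cc);
- for (count = 0; count < wc; count++) {
-@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- cp += cc - stride - 1;
- for (count = cc; count > stride; count -= stride)
- REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
-+ return 1;
- }
-
- static int
-@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- assert(sp->encoderow != NULL);
-
- /* XXX horizontal differencing alters user's data XXX */
-- (*sp->encodepfunc)(tif, bp, cc);
-+ if( !(*sp->encodepfunc)(tif, bp, cc) )
-+ return 0;
- return (*sp->encoderow)(tif, bp, cc, s);
- }
-
-@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
-
- rowsize = sp->rowsize;
- assert(rowsize > 0);
-- assert((cc0%rowsize)==0);
-+ if((cc0%rowsize)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
-+ "%s", "(cc0%rowsize)!=0");
-+ return 0;
-+ }
- while (cc > 0) {
- (*sp->encodepfunc)(tif, bp, rowsize);
- cc -= rowsize;
-diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
-index 91330cc..9e485a4 100644
---- a/libtiff/tif_predict.h
-+++ b/libtiff/tif_predict.h
-@@ -30,6 +30,8 @@
- * ``Library-private'' Support for the Predictor Tag
- */
-
-+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
-+
- /*
- * Codecs that want to support the Predictor tag must place
- * this structure first in their private state block so that
-@@ -43,12 +45,12 @@ typedef struct {
- TIFFCodeMethod encoderow; /* parent codec encode/decode row */
- TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
- TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
-- TIFFPostMethod encodepfunc; /* horizontal differencer */
-+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
-
- TIFFCodeMethod decoderow; /* parent codec encode/decode row */
- TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
- TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
-- TIFFPostMethod decodepfunc; /* horizontal accumulator */
-+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
-
- TIFFVGetMethod vgetparent; /* super-class method */
- TIFFVSetMethod vsetparent; /* super-class method */
---
-2.9.3
-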
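--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 4 Nov 2016 09:19:13 +0000
-Subject: [PATCH 2/2] Fix CVE-2016-9535
-* libtiff/tif_predic.c: fix memory leaks in error code
- paths added in previous commit (fix for MSVR 35105)
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
----
- libtiff/tif_predict.c | 8 ++++++--
- 1 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index b829259..3f42f3b 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- tmsize_t wc = cc / bps;
- tmsize_t count = cc;
- uint8 *cp = (uint8 *) cp0;
-- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-+ uint8 *tmp;
-
- if(cc%(bps*stride)!=0)
- {
-@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- return 0;
- }
-
-+ tmp = (uint8 *)_TIFFmalloc(cc);
- if (!tmp)
- return 0;
-
-@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- tmsize_t wc = cc / bps;
- tmsize_t count;
- uint8 *cp = (uint8 *) cp0;
-- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-+ uint8 *tmp;
-
- if((cc%(bps*stride))!=0)
- {
-@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- "%s", "(cc%(bps*stride))!=0");
- return 0;
- }
-+
-+ tmp = (uint8 *)_TIFFmalloc(cc);
- if (!tmp)
- return 0;
-
-@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
- {
- TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
- "%s", "(cc0%rowsize)!=0");
-+ _TIFFfree( working_copy );
- return 0;
- }
- while (cc > 0) {
---
-2.9.3
-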
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
deleted file mode 100644
index e1141dfb69..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
+++ /dev/null
@@ -1,67 +0,0 @@
1From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sat, 8 Oct 2016 15:04:31 +0000
4Subject: [PATCH] Fix CVE-2016-9538
5* tools/tiffcp.c: fix read of undefined variable in case of
6 missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
7 fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
8 overflow. Probably not a security issue but I can be wrong. Reported as MSVR
9 35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
10
11CVE: CVE-2016-9538
12Upstream-Status: Backport
13https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
14
15Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
16
17---
18 tools/tiffcp.c | 4 ++--
19 tools/tiffcrop.c | 9 ++++++---
20 2 files changed, 17 insertions(+), 5 deletions(-)
21
22diff --git a/tools/tiffcp.c b/tools/tiffcp.c
23index ba2b715..4ad74d3 100644
24--- a/tools/tiffcp.c
25+++ b/tools/tiffcp.c
26@@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
27 static int
28 tiffcp(TIFF* in, TIFF* out)
29 {
30- uint16 bitspersample, samplesperpixel;
31- uint16 input_compression, input_photometric;
32+ uint16 bitspersample, samplesperpixel = 1;
33+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
34 copyFunc cf;
35 uint32 width, length;
36 struct cpTag* p;
37diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
38index 7685566..eb6de77 100644
39--- a/tools/tiffcrop.c
40+++ b/tools/tiffcrop.c
41@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
42 {
43 uint8* bufp = buf;
44 int32 bytes_read = 0;
45- uint16 strip, nstrips = TIFFNumberOfStrips(in);
46+ uint32 strip, nstrips = TIFFNumberOfStrips(in);
47 uint32 stripsize = TIFFStripSize(in);
48 uint32 rows = 0;
49 uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
50@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
51 uint32 width, uint16 spp,
52 struct dump_opts *dump)
53 {
54- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
55+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
56+ uint32 j;
57 int32 bytes_read = 0;
58- uint16 bps, nstrips, planar, strips_per_sample;
59+ uint16 bps, planar;
60+ uint32 nstrips;
61+ uint32 strips_per_sample;
62 uint32 src_rowsize, dst_rowsize, rows_processed, rps;
63 uint32 rows_this_strip = 0;
64 tsample_t s;
65--
662.9.3
67
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
deleted file mode 100644
index 1d9be423a7..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
+++ /dev/null
@@ -1,60 +0,0 @@
1From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Fri, 14 Oct 2016 19:13:20 +0000
4Subject: [PATCH ] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes
5 in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
6 & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
7
8CVE: CVE-2016-9539
9
10Upstream-Status: Backport
11https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
12
13Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
14
15---
16 ChangeLog | 6 ++++++
17 tools/tiffcrop.c | 11 ++++++++++-
18 2 files changed, 16 insertions(+), 1 deletion(-)
19
20Index: tiff-4.0.6/ChangeLog
21===================================================================
22--- tiff-4.0.6.orig/ChangeLog 2016-11-28 14:56:32.109283913 +0800
23+++ tiff-4.0.6/ChangeLog 2016-11-28 16:36:01.805325534 +0800
24@@ -17,6 +17,12 @@
25 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
26 (CVE-2014-8127, duplicate: CVE-2016-3658)
27
28+2016-10-14 Even Rouault <even.rouault at spatialys.com>
29+
30+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
31+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
32+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
33+
34 2016-10-08 Even Rouault <even.rouault at spatialys.com>
35
36 * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
37Index: tiff-4.0.6/tools/tiffcrop.c
38===================================================================
39--- tiff-4.0.6.orig/tools/tiffcrop.c 2016-11-28 14:56:31.433283908 +0800
40+++ tiff-4.0.6/tools/tiffcrop.c 2016-11-28 16:42:13.793328128 +0800
41@@ -819,9 +819,18 @@
42 }
43 }
44
45- tilebuf = _TIFFmalloc(tile_buffsize);
46+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
47+ if( tile_buffsize > 0xFFFFFFFFU - 3 )
48+ {
49+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
50+ exit(-1);
51+ }
52+ tilebuf = _TIFFmalloc(tile_buffsize + 3);
53 if (tilebuf == 0)
54 return 0;
55+ tilebuf[tile_buffsize] = 0;
56+ tilebuf[tile_buffsize+1] = 0;
57+ tilebuf[tile_buffsize+2] = 0;
58
59 dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;
60 for (row = 0; row < imagelength; row += tl)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
deleted file mode 100644
index dddaa0c87e..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
+++ /dev/null
@@ -1,60 +0,0 @@
1From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sat, 8 Oct 2016 15:54:56 +0000
4Subject: [PATCH] fix CVE-2016-9540
5 * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
6 tile width vs image width. Reported as MSVR 35103
7 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
8 Mitigations team.
9
10CVE: CVE-2016-9540
11
12Upstream-Status: Backport
13https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
14
15Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
16---
17 ChangeLog | 7 +++++++
18 tools/tiffcp.c | 4 ++--
19 2 files changed, 9 insertions(+), 2 deletions(-)
20
21Index: tiff-4.0.4/ChangeLog
22===================================================================
23--- tiff-4.0.4.orig/ChangeLog 2016-11-24 14:40:43.046867737 +0800
24+++ tiff-4.0.4/ChangeLog 2016-11-28 14:38:01.681276171 +0800
25@@ -17,6 +17,13 @@
26 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
27 (CVE-2014-8127, duplicate: CVE-2016-3658)
28
29+2016-10-08 Even Rouault <even.rouault at spatialys.com>
30+
31+ * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
32+ tile width vs image width. Reported as MSVR 35103
33+ by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
34+ Mitigations team.
35+
36 2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
37
38 * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
39Index: tiff-4.0.4/tools/tiffcp.c
40===================================================================
41--- tiff-4.0.4.orig/tools/tiffcp.c 2015-06-21 09:09:10.000000000 +0800
42+++ tiff-4.0.4/tools/tiffcp.c 2016-11-28 14:41:02.221277430 +0800
43@@ -1338,7 +1338,7 @@
44 uint32 colb = 0;
45 uint32 col;
46
47- for (col = 0; col < imagewidth; col += tw) {
48+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
49 if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
50 && !ignore) {
51 TIFFError(TIFFFileName(in),
52@@ -1523,7 +1523,7 @@
53 uint32 colb = 0;
54 uint32 col;
55
56- for (col = 0; col < imagewidth; col += tw) {
57+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
58 /*
59 * Tile is clipped horizontally. Calculate
60 * visible portion and skewing factors.
diff --git a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch b/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
deleted file mode 100644
index bd587e6d07..0000000000
--- a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
+++ /dev/null
@@ -1,281 +0,0 @@
1From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Fri, 23 Sep 2016 22:12:18 +0000
4Subject: [PATCH] Fix several CVE issues
5
6Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537
7
8* tools/tiffcrop.c: fix various out-of-bounds write
9 vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
10 MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
11 the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
12 out-of-bounds write vulnerabilities in heap allocate buffer in
13 t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
14 and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
15 libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
16 allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
17 Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
18 libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
19 didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
20 that could happen in practice outside of the odd behaviour of t2p_seekproc()
21 of tiff2pdf). The report points that a better fix could be to check the
22 return value of TIFFFlushData1() in places where it isn't done currently, but
23 it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
24 Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
25 Mitigations team.
26
27CVE: CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, CVE-2016-9537
28Upstream-Status: Backport
29https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef
30
31Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
32
33---
34 libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
35 libtiff/tif_write.c | 7 +++++++
36 tools/tiff2pdf.c | 22 ++++++++++++++++++--
37 tools/tiffcrop.c | 20 +++++++++++++++++-
38 4 files changed, 92 insertions(+), 35 deletions(-)
39
40diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
41index 1fb8f3b..d1246c3 100644
42--- a/libtiff/tif_pixarlog.c
43+++ b/libtiff/tif_pixarlog.c
44@@ -983,17 +983,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2)
45 a1 = (int32) CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
46 }
47 } else {
48- ip += n - 1; /* point to last one */
49- wp += n - 1; /* point to last one */
50- n -= stride;
51- while (n > 0) {
52- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
53- wp[stride] -= wp[0];
54- wp[stride] &= mask;
55- wp--; ip--)
56- n -= stride;
57- }
58- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
59+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
60+ n -= stride;
61+ while (n > 0) {
62+ REPEAT(stride,
63+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
64+ wp++; ip++)
65+ n -= stride;
66+ }
67 }
68 }
69 }
70@@ -1036,17 +1033,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride,
71 a1 = CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
72 }
73 } else {
74- ip += n - 1; /* point to last one */
75- wp += n - 1; /* point to last one */
76+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
77 n -= stride;
78 while (n > 0) {
79- REPEAT(stride, wp[0] = CLAMP(ip[0]);
80- wp[stride] -= wp[0];
81- wp[stride] &= mask;
82- wp--; ip--)
83- n -= stride;
84- }
85- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
86+ REPEAT(stride,
87+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
88+ wp++; ip++)
89+ n -= stride;
90+ }
91 }
92 }
93 }
94@@ -1089,18 +1083,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride,
95 ip += 4;
96 }
97 } else {
98- wp += n + stride - 1; /* point to last one */
99- ip += n + stride - 1; /* point to last one */
100- n -= stride;
101- while (n > 0) {
102- REPEAT(stride, wp[0] = CLAMP(ip[0]);
103- wp[stride] -= wp[0];
104- wp[stride] &= mask;
105- wp--; ip--)
106- n -= stride;
107- }
108- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
109- }
110+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
111+ n -= stride;
112+ while (n > 0) {
113+ REPEAT(stride,
114+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
115+ wp++; ip++)
116+ n -= stride;
117+ }
118+ }
119 }
120 }
121
122diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
123index f9a3fc0..d8fa802 100644
124--- a/libtiff/tif_write.c
125+++ b/libtiff/tif_write.c
126@@ -798,7 +798,14 @@ TIFFFlushData1(TIFF* tif)
127 if (!TIFFAppendToStrip(tif,
128 isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
129 tif->tif_rawdata, tif->tif_rawcc))
130+ {
131+ /* We update those variables even in case of error since there's */
132+ /* code that doesn't really check the return code of this */
133+ /* function */
134+ tif->tif_rawcc = 0;
135+ tif->tif_rawcp = tif->tif_rawdata;
136 return (0);
137+ }
138 tif->tif_rawcc = 0;
139 tif->tif_rawcp = tif->tif_rawdata;
140 }
141diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
142index dcd5a7e..f8df6b5 100644
143--- a/tools/tiff2pdf.c
144+++ b/tools/tiff2pdf.c
145@@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t);
146 int t2p_process_ojpeg_tables(T2P*, TIFF*);
147 #endif
148 #ifdef JPEG_SUPPORT
149-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
150+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
151 #endif
152 void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
153 void t2p_write_advance_directory(T2P*, TIFF*);
154@@ -2408,7 +2408,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
155 if(!t2p_process_jpeg_strip(
156 stripbuffer,
157 &striplength,
158- buffer,
159+ buffer,
160+ t2p->tiff_datasize,
161 &bufferoffset,
162 i,
163 t2p->tiff_length)){
164@@ -3439,6 +3440,7 @@ int t2p_process_jpeg_strip(
165 unsigned char* strip,
166 tsize_t* striplength,
167 unsigned char* buffer,
168+ tsize_t buffersize,
169 tsize_t* bufferoffset,
170 tstrip_t no,
171 uint32 height){
172@@ -3473,6 +3475,8 @@ int t2p_process_jpeg_strip(
173 }
174 switch( strip[i] ){
175 case 0xd8: /* SOI - start of image */
176+ if( *bufferoffset + 2 > buffersize )
177+ return(0);
178 _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
179 *bufferoffset+=2;
180 break;
181@@ -3482,12 +3486,18 @@ int t2p_process_jpeg_strip(
182 case 0xc9: /* SOF9 */
183 case 0xca: /* SOF10 */
184 if(no==0){
185+ if( *bufferoffset + datalen + 2 + 6 > buffersize )
186+ return(0);
187 _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
188+ if( *bufferoffset + 9 >= buffersize )
189+ return(0);
190 ncomp = buffer[*bufferoffset+9];
191 if (ncomp < 1 || ncomp > 4)
192 return(0);
193 v_samp=1;
194 h_samp=1;
195+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
196+ return(0);
197 for(j=0;j<ncomp;j++){
198 uint16 samp = buffer[*bufferoffset+11+(3*j)];
199 if( (samp>>4) > h_samp)
200@@ -3519,20 +3529,28 @@ int t2p_process_jpeg_strip(
201 break;
202 case 0xc4: /* DHT */
203 case 0xdb: /* DQT */
204+ if( *bufferoffset + datalen + 2 > buffersize )
205+ return(0);
206 _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
207 *bufferoffset+=datalen+2;
208 break;
209 case 0xda: /* SOS */
210 if(no==0){
211+ if( *bufferoffset + datalen + 2 > buffersize )
212+ return(0);
213 _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
214 *bufferoffset+=datalen+2;
215 } else {
216+ if( *bufferoffset + 2 > buffersize )
217+ return(0);
218 buffer[(*bufferoffset)++]=0xff;
219 buffer[(*bufferoffset)++]=
220 (unsigned char)(0xd0 | ((no-1)%8));
221 }
222 i += datalen + 1;
223 /* copy remainder of strip */
224+ if( *bufferoffset + *striplength - i > buffersize )
225+ return(0);
226 _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
227 *bufferoffset+= *striplength - i;
228 return(1);
229diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
230index ebc4aba..7685566 100644
231--- a/tools/tiffcrop.c
232+++ b/tools/tiffcrop.c
233@@ -5758,7 +5758,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
234 {
235 uint32 i;
236 float xres = 0.0, yres = 0.0;
237- uint16 nstrips = 0, ntiles = 0, planar = 0;
238+ uint32 nstrips = 0, ntiles = 0;
239+ uint16 planar = 0;
240 uint16 bps = 0, spp = 0, res_unit = 0;
241 uint16 orientation = 0;
242 uint16 input_compression = 0, input_photometric = 0;
243@@ -6066,11 +6067,23 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
244 /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
245 /* outside buffer */
246 if (!read_buff)
247+ {
248+ if( buffsize > 0xFFFFFFFFU - 3 )
249+ {
250+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
251+ return (-1);
252+ }
253 read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
254+ }
255 else
256 {
257 if (prev_readsize < buffsize)
258+ {
259+ if( buffsize > 0xFFFFFFFFU - 3 )
260 {
261+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
262+ return (-1);
263+ }
264 new_buff = _TIFFrealloc(read_buff, buffsize+3);
265 if (!new_buff)
266 {
267@@ -8912,6 +8925,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width,
268 }
269
270 bytes_per_pixel = ((bps * spp) + 7) / 8;
271+ if( bytes_per_pixel > sizeof(swapbuff) )
272+ {
273+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
274+ return (1);
275+ }
276 switch (bps / 8)
277 {
278 case 8: /* Use memcpy for multiple bytes per sample data */
279--
2802.9.3
281