author | Armin Kuster <akuster808@gmail.com> | 2016-12-10 09:38:43 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-12-13 22:55:21 +0000 |
commit | a63b53841b2d7d0c360d3c6813a19317216f85d0 (patch) | |
tree | 570c0c5d47a4643e0361594855153b53157381af /meta/recipes-multimedia/libtiff/files | |
parent | 840ea755f2a2b39719e4af6bea0160cd2008cfe9 (diff) | |
libtiff: Update to 4.0.7
Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr, which were used for demos, are completely removed from the distribution.
CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632
plus more that are not identified in the changelog.
removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html
(From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
19 files changed, 0 insertions, 2200 deletions
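--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 26 Dec 2015 17:32:03 +0000
-Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
-TIFFRGBAImage interface in case of unsupported values of
-SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
-TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
-limingxing and CVE-2015-8683 reported by zzf of Alibaba.
-
-Upstream-Status: Backport
-CVE: CVE-2015-8665
-CVE: CVE-2015-8683
-https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-ChangeLog | 8 ++++++++
-libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
-2 files changed, 30 insertions(+), 13 deletions(-)
-
-Index: tiff-4.0.6/libtiff/tif_getimage.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_getimage.c
-+++ tiff-4.0.6/libtiff/tif_getimage.c
-@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
-"Planarconfiguration", td->td_planarconfig);
-return (0);
-}
-- if( td->td_samplesperpixel != 3 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
-{
-sprintf(emsg,
-- "Sorry, can not handle image with %s=%d",
-- "Samples/pixel", td->td_samplesperpixel);
-+ "Sorry, can not handle image with %s=%d, %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels);
-return 0;
-}
-break;
-case PHOTOMETRIC_CIELAB:
-- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
-{
-sprintf(emsg,
-- "Sorry, can not handle image with %s=%d and %s=%d",
-+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-"Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels,
-"Bits/sample", td->td_bitspersample);
-return 0;
-}
-@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
-int colorchannels;
-uint16 *red_orig, *green_orig, *blue_orig;
-int n_color;
-+
-+ if( !TIFFRGBAImageOK(tif, emsg) )
-+ return 0;
-
-/* Initialize to normal values */
-img->row_offset = 0;
-@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
-case PHOTOMETRIC_RGB:
-switch (img->bitspersample) {
-case 8:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >= 4)
-img->put.contig = putRGBAAcontig8bittile;
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >= 4)
-{
-if (BuildMapUaToAa(img))
-img->put.contig = putRGBUAcontig8bittile;
-}
-- else
-+ else if( img->samplesperpixel >= 3 )
-img->put.contig = putRGBcontig8bittile;
-break;
-case 16:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >=4 )
-{
-if (BuildMapBitdepth16To8(img))
-img->put.contig = putRGBAAcontig16bittile;
-}
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >=4 )
-{
-if (BuildMapBitdepth16To8(img) &&
-BuildMapUaToAa(img))
-img->put.contig = putRGBUAcontig16bittile;
-}
-- else
-+ else if( img->samplesperpixel >=3 )
-{
-if (BuildMapBitdepth16To8(img))
-img->put.contig = putRGBcontig16bittile;
-@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
-}
-break;
-case PHOTOMETRIC_SEPARATED:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel >=4 && buildMap(img)) {
-if (img->bitspersample == 8) {
-if (!img->Map)
-img->put.contig = putRGBcontig8bitCMYKtile;
-@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
-}
-break;
-case PHOTOMETRIC_CIELAB:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel == 3 && buildMap(img)) {
-if (img->bitspersample == 8)
-img->put.contig = initCIELabConversion(img);
-break;
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog
-+++ tiff-4.0.6/ChangeLog
-@@ -1,3 +1,11 @@
-+2015-12-26 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
-+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
-+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
-+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
-+ CVE-2015-8683 reported by zzf of Alibaba.
-+
-2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
-
-* libtiff 4.0.6 released.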
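--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 27 Dec 2015 16:25:11 +0000
-Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
-decode functions in non debug builds by replacing assert()s by regular if
-checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
-input data.
-
-Upstream-Status: Backport
-
-https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
-hand applied Changelog changes
-
-CVE: CVE-2015-8781
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
----
-ChangeLog | 7 +++++++
-libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
-2 files changed, 51 insertions(+), 11 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog
-+++ tiff-4.0.4/ChangeLog
-@@ -1,3 +1,10 @@
-+2015-12-27 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
-+ functions in non debug builds by replacing assert()s by regular if
-+ checks (bugzilla #2522).
-+ Fix potential out-of-bound reads in case of short input data.
-+
-2015-12-26 Even Rouault <even.rouault at spatialys.com>
-
-* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
-Index: tiff-4.0.4/libtiff/tif_luv.c
-===================================================================
---- tiff-4.0.4.orig/libtiff/tif_luv.c
-+++ tiff-4.0.4/libtiff/tif_luv.c
-@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
-if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
-tp = (int16*) op;
-else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
-tp = (int16*) sp->tbuf;
-}
-_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
-cc = tif->tif_rawcc;
-/* get each byte string */
-for (shft = 2*8; (shft -= 8) >= 0; ) {
-- for (i = 0; i < npixels && cc > 0; )
-+ for (i = 0; i < npixels && cc > 0; ) {
-if (*bp >= 128) { /* run */
-- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+ if( cc < 2 )
-+ break;
-+ rc = *bp++ + (2-128);
-b = (int16)(*bp++ << shft);
-cc -= 2;
-while (rc-- && i < npixels)
-@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
-while (--cc && rc-- && i < npixels)
-tp[i++] |= (int16)*bp++ << shft;
-}
-+ }
-if (i != npixels) {
-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
-TIFFErrorExt(tif->tif_clientdata, module,
-@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
-if (sp->user_datafmt == SGILOGDATAFMT_RAW)
-tp = (uint32 *)op;
-else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
-tp = (uint32 *) sp->tbuf;
-}
-/* copy to array of uint32 */
-bp = (unsigned char*) tif->tif_rawcp;
-cc = tif->tif_rawcc;
-- for (i = 0; i < npixels && cc > 0; i++) {
-+ for (i = 0; i < npixels && cc >= 3; i++) {
-tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
-bp += 3;
-cc -= 3;
-@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
-if (sp->user_datafmt == SGILOGDATAFMT_RAW)
-tp = (uint32*) op;
-else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
-tp = (uint32*) sp->tbuf;
-}
-_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
-cc = tif->tif_rawcc;
-/* get each byte string */
-for (shft = 4*8; (shft -= 8) >= 0; ) {
-- for (i = 0; i < npixels && cc > 0; )
-+ for (i = 0; i < npixels && cc > 0; ) {
-if (*bp >= 128) { /* run */
-+ if( cc < 2 )
-+ break;
-rc = *bp++ + (2-128);
-b = (uint32)*bp++ << shft;
-- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+ cc -= 2;
-while (rc-- && i < npixels)
-tp[i++] |= b;
-} else { /* non-run */
-@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
-while (--cc && rc-- && i < npixels)
-tp[i++] |= (uint32)*bp++ << shft;
-}
-+ }
-if (i != npixels) {
-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
-TIFFErrorExt(tif->tif_clientdata, module,
-@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
-static int
-LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
-{
-+ static const char module[] = "LogL16Encode";
-LogLuvState* sp = EncoderState(tif);
-int shft;
-tmsize_t i;
-@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
-tp = (int16*) bp;
-else {
-tp = (int16*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
-(*sp->tfunc)(sp, bp, npixels);
-}
-/* compress each byte string */
-@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
-static int
-LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
-{
-+ static const char module[] = "LogLuvEncode24";
-LogLuvState* sp = EncoderState(tif);
-tmsize_t i;
-tmsize_t npixels;
-@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
-tp = (uint32*) bp;
-else {
-tp = (uint32*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
-(*sp->tfunc)(sp, bp, npixels);
-}
-/* write out encoded pixels */
-@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
-static int
-LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
-{
-+ static const char module[] = "LogLuvEncode32";
-LogLuvState* sp = EncoderState(tif);
-int shft;
-tmsize_t i;
-@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
-tp = (uint32*) bp;
-else {
-tp = (uint32*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
-(*sp->tfunc)(sp, bp, npixels);
-}
-/* compress each byte string */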
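--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 27 Dec 2015 16:55:20 +0000
-Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
-NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
-(bugzilla #2508)
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
-hand applied Changelog changes
-
-CVE: CVE-2015-8784
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-ChangeLog | 6 ++++++
-libtiff/tif_next.c | 10 ++++++++--
-2 files changed, 14 insertions(+), 2 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog
-+++ tiff-4.0.4/ChangeLog
-@@ -1,5 +1,11 @@
-2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
-+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
-+ (bugzilla #2508)
-+
-+2015-12-27 Even Rouault <even.rouault at spatialys.com>
-+
-* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
-functions in non debug builds by replacing assert()s by regular if
-checks (bugzilla #2522).
-Index: tiff-4.0.4/libtiff/tif_next.c
-===================================================================
---- tiff-4.0.4.orig/libtiff/tif_next.c
-+++ tiff-4.0.4/libtiff/tif_next.c
-@@ -37,7 +37,7 @@
-case 0: op[0] = (unsigned char) ((v) << 6); break; \
-case 1: op[0] |= (v) << 4; break; \
-case 2: op[0] |= (v) << 2; break; \
-- case 3: *op++ |= (v); break; \
-+ case 3: *op++ |= (v); op_offset++; break; \
-} \
-}
-
-@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
-uint32 imagewidth = tif->tif_dir.td_imagewidth;
-if( isTiled(tif) )
-imagewidth = tif->tif_dir.td_tilewidth;
-+ tmsize_t op_offset = 0;
-
-/*
-* The scanline is composed of a sequence of constant
-@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
-* bounds, potentially resulting in a security
-* issue.
-*/
-- while (n-- > 0 && npixels < imagewidth)
-+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
-SETPIXEL(op, grey);
-if (npixels >= imagewidth)
-break;
-+ if (op_offset >= scanline ) {
-+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
-+ (long) tif->tif_row);
-+ return (0);
-+ }
-if (cc == 0)
-goto bad;
-n = *bp++, cc--;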
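--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Buffer overflow in the readextension function in gif2tiff.c
-allows remote attackers to cause a denial of service via a crafted GIF file.
-
-External References:
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
-https://bugzilla.redhat.com/show_bug.cgi?id=1319503
-
-CVE: CVE-2016-3186
-Upstream-Status: Backport (RedHat)
-https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
-
---- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200
-+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200
-@@ -349,7 +349,7 @@
-int status = 1;
-
-(void) getc(infile);
-- while ((count = getc(infile)) && count <= 255)
-+ while ((count = getc(infile)) && count >= 0 && count <= 255)
-if (fread(buf, 1, count, infile) != (size_t) count) {
-fprintf(stderr, "short read from file %s (%s)\n",
-filename, strerror(errno));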
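--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
-From: bfriesen <bfriesen>
-Date: Sat, 24 Sep 2016 23:11:55 +0000
-Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
-to read floating point images.
-
-* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
-requirements of floating point predictor (3). Fixes CVE-2016-3622
-"Divide By Zero in the tiff2rgba tool."
-
-CVE: CVE-2016-3622
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
-ChangeLog | 11 ++++++++++-
-libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
-libtiff/tif_predict.c | 11 ++++++++++-
-3 files changed, 40 insertions(+), 20 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 26d6f47..a628277 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,12 @@
-+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
-+
-+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-+ read floating point images.
-+
-+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
-+ requirements of floating point predictor (3). Fixes CVE-2016-3622
-+ "Divide By Zero in the tiff2rgba tool."
-+
-2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index 386cee0..3e689ee 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
-td->td_bitspersample);
-return (0);
-}
-+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
-+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
-+ return (0);
-+ }
-colorchannels = td->td_samplesperpixel - td->td_extrasamples;
-if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
-switch (colorchannels) {
-@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
-"Planarconfiguration", td->td_planarconfig);
-return (0);
-}
-- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
-- {
-- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d, %s=%d",
-- "Samples/pixel", td->td_samplesperpixel,
-- "colorchannels", colorchannels);
-- return 0;
-- }
-+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
-+ sprintf(emsg,
-+ "Sorry, can not handle image with %s=%d, %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels);
-+ return 0;
-+ }
-break;
-case PHOTOMETRIC_CIELAB:
-- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
-- {
-- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-- "Samples/pixel", td->td_samplesperpixel,
-- "colorchannels", colorchannels,
-- "Bits/sample", td->td_bitspersample);
-- return 0;
-- }
-+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
-+ sprintf(emsg,
-+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels,
-+ "Bits/sample", td->td_bitspersample);
-+ return 0;
-+ }
-break;
-- default:
-+ default:
-sprintf(emsg, "Sorry, can not handle image with %s=%d",
-photoTag, photometric);
-return (0);
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index 081eb11..555f2f9 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
-td->td_sampleformat);
-return 0;
-}
-+ if (td->td_bitspersample != 16
-+ && td->td_bitspersample != 24
-+ && td->td_bitspersample != 32
-+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Floating point \"Predictor\" not supported with %d-bit samples",
-+ td->td_bitspersample);
-+ return 0;
-+ }
-break;
-default:
-TIFFErrorExt(tif->tif_clientdata, module,
-@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
-}
-/*
-* Allocate buffer to keep the decoded bytes before
-- * rearranging in the ight order
-+ * rearranging in the right order
-*/
-}
-
---
-2.7.4
-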
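--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 21:26:56 +0000
-Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
-to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
-
-CVE: CVE-2016-3623
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
-ChangeLog | 5 +++++
-tools/rgb2ycbcr.c | 4 ++++
-2 files changed, 9 insertions(+)
-
-diff --git a/ChangeLog b/ChangeLog
-index 5d60608..3e6642a 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,10 @@
-2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
-+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
-* tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
-From patch libtiff-CVE-2016-3991.patch from
-libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
-index 3829d6b..51f4259 100644
---- a/tools/rgb2ycbcr.c
-+++ b/tools/rgb2ycbcr.c
-@@ -95,9 +95,13 @@ main(int argc, char* argv[])
-break;
-case 'h':
-horizSubSampling = atoi(optarg);
-+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
-+ usage(-1);
-break;
-case 'v':
-vertSubSampling = atoi(optarg);
-+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
-+ usage(-1);
-break;
-case 'r':
-rowsperstrip = atoi(optarg);
---
-2.7.4
-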
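--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
-Date: Mon, 11 Jul 2016 16:04:34 +0200
-Subject: [PATCH 4/8] Fix CVE-2016-3632
-
-CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
-LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service
-(out-of-bounds write) or execute arbitrary code via a crafted TIFF image.
-
-CVE: CVE-2016-3632
-Upstream-Status: Backport [RedHat RHEL7]
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
-tools/thumbnail.c | 3 ++-
-1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index fd1cba5..75e7009 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -253,7 +253,8 @@ static struct cpTag {
-{ TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL },
-{ TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL },
-{ TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT },
-- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
-+ // disable BADFAXLINES, CVE-2016-3632
-+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
-{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
-{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
-{ TIFFTAG_INKSET, 1, TIFF_SHORT },
---
-2.7.4
-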
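--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From: 45c68450bef8ad876f310b495165c513cad8b67d
-From: Even Rouault <even.rouault@spatialys.com>
-
-* libtiff/tif_dir.c: discard values of SMinSampleValue and
-SMaxSampleValue when they have been read and the value of
-SamplesPerPixel is changed afterwards (like when reading a
-OJPEG compressed image with a missing SamplesPerPixel tag,
-and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
-being 3). Otherwise when rewriting the directory (for example
-with tiffset, we will expect 3 values whereas the array had been
-allocated with just one), thus causing a out of bound read access.
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
-when writing directory, if FIELD_STRIPOFFSETS was artificially set
-for a hack case in OJPEG case.
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-CVE: CVE-2016-3658
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
-
-Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
-
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
-+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
-@@ -1,3 +1,22 @@
-+2016-10-25 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
-+ SMaxSampleValue when they have been read and the value of
-+ SamplesPerPixel is changed afterwards (like when reading a
-+ OJPEG compressed image with a missing SamplesPerPixel tag,
-+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
-+ being 3). Otherwise when rewriting the directory (for example
-+ with tiffset, we will expect 3 values whereas the array had been
-+ allocated with just one), thus causing a out of bound read access.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ (CVE-2014-8127, duplicate: CVE-2016-3658)
-+
-+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
-+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
-+ for a hack case in OJPEG case.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ (CVE-2014-8127, duplicate: CVE-2016-3658)
-+
-2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
-
-* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-Index: tiff-4.0.6/libtiff/tif_dir.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
-+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
-@@ -254,6 +254,28 @@
-v = (uint16) va_arg(ap, uint16_vap);
-if (v == 0)
-goto badvalue;
-+ if( v != td->td_samplesperpixel )
-+ {
-+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
-+ if( td->td_sminsamplevalue != NULL )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,
-+ "SamplesPerPixel tag value is changing, "
-+ "but SMinSampleValue tag was read with a different value. Cancelling it");
-+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
-+ _TIFFfree(td->td_sminsamplevalue);
-+ td->td_sminsamplevalue = NULL;
-+ }
-+ if( td->td_smaxsamplevalue != NULL )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,
-+ "SamplesPerPixel tag value is changing, "
-+ "but SMaxSampleValue tag was read with a different value. Cancelling it");
-+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
-+ _TIFFfree(td->td_smaxsamplevalue);
-+ td->td_smaxsamplevalue = NULL;
-+ }
-+ }
-td->td_samplesperpixel = (uint16) v;
-break;
-case TIFFTAG_ROWSPERSTRIP:
-Index: tiff-4.0.6/libtiff/tif_dirwrite.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
-+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
-@@ -542,7 +542,19 @@
-{
-if (!isTiled(tif))
-{
-- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
-+ /* td_stripoffset might be NULL in an odd OJPEG case. See
-+ * tif_dirread.c around line 3634.
-+ * XXX: OJPEG hack.
-+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
-+ * and c) the number of strips is 1,
-+ * then we tolerate the absence of stripoffsets tag,
-+ * because, presumably, all required data is in the
-+ * JpegInterchangeFormat stream.
-+ * We can get here when using tiffset on such a file.
-+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ */
-+ if (tif->tif_dir.td_stripoffset != NULL &&
-+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
-goto bad;
-}
-else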
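--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:06:40 +0000
-Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
-allocated buffer, when -b mode is enabled, that could result in out-of-bounds
-write. Based initially on patch tiff-CVE-2016-3945.patch from
-libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
-tests that rejected valid files.
-
-CVE: CVE-2016-3945
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
-ChangeLog | 8 ++++++++
-tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
-2 files changed, 38 insertions(+), 4 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 62dc1b5..9c0ab29 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,11 @@
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
-+ buffer, when -b mode is enabled, that could result in out-of-bounds
-+ write. Based initially on patch tiff-CVE-2016-3945.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
-+ invalid tests that rejected valid files.
-+
-2016-07-11 Even Rouault <even.rouault at spatialys.com>
-
-* tools/tiffcrop.c: Avoid access outside of stack allocated array
-diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
-index b7a81eb..16e3dc4 100644
---- a/tools/tiff2rgba.c
-+++ b/tools/tiff2rgba.c
-@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
-uint32 row, col;
-uint32 *wrk_line;
-int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
-TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
-/*
-* Allocate tile buffer
-*/
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ rastersize = tile_width * tile_height * sizeof (uint32);
-+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
-if (raster == 0) {
-TIFFError(TIFFFileName(in), "No space for raster buffer");
-return (0);
-@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
-* Allocate a scanline buffer for swapping during the vertical
-* mirroring pass.
-*/
-- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+ wrk_linesize = tile_width * sizeof (uint32);
-+ if (tile_width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-if (!wrk_line) {
-TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-ok = 0;
-@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
-uint32 row;
-uint32 *wrk_line;
-int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
-TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
-/*
-* Allocate strip buffer
-*/
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ rastersize = width * rowsperstrip * sizeof (uint32);
-+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
-if (raster == 0) {
-TIFFError(TIFFFileName(in), "No space for raster buffer");
-return (0);
-@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
-* Allocate a scanline buffer for swapping during the vertical
-* mirroring pass.
-*/
-- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+ wrk_linesize = width * sizeof (uint32);
-+ if (width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-if (!wrk_line) {
-TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-ok = 0;
---
-2.7.4
-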
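--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:49:48 +0000
-Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
-PixarLogEncode if more input samples are provided than expected by
-PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
-libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
-simpler check. (bugzilla #2544)
-
-invalid tests that rejected valid files. (bugzilla #2545)
-
-CVE: CVE-2016-3990
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
-ChangeLog | 10 +++++++++-
-libtiff/tif_pixarlog.c | 7 +++++++
-2 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 9c0ab29..db4ea18 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,10 +1,18 @@
-2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
-+ if more input samples are provided than expected by PixarLogSetupEncode.
-+ Idea based on libtiff-CVE-2016-3990.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
-+ simpler check. (bugzilla #2544)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
-* tools/tiff2rgba.c: Fix integer overflow in size of allocated
-buffer, when -b mode is enabled, that could result in out-of-bounds
-write. Based initially on patch tiff-CVE-2016-3945.patch from
-libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
-- invalid tests that rejected valid files.
-+ invalid tests that rejected valid files. (bugzilla #2545)
-
-2016-07-11 Even Rouault <even.rouault at spatialys.com>
-
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index e78f788..28329d1 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
-}
-
-llen = sp->stride * td->td_imagewidth;
-+ /* Check against the number of elements (of size uint16) of sp->tbuf */
-+ if( n > td->td_rowsperstrip * llen )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Too many input bytes provided");
-+ return 0;
-+ }
-
-for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
-switch (sp->user_datafmt) {
---
-2.7.4
-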
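--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 21:05:40 +0000
-Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
-loadImage(). From patch libtiff-CVE-2016-3991.patch from
-libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-
-CVE: CVE-2016-3991
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
-ChangeLog | 6 ++++++
-tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
-2 files changed, 62 insertions(+), 3 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index db4ea18..5d60608 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,11 @@
-2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
-+ From patch libtiff-CVE-2016-3991.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
-* libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
-if more input samples are provided than expected by PixarLogSetupEncode.
-Idea based on libtiff-CVE-2016-3990.patch from
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 27abc0b..ddba7b9 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
-}
-
-tile_buffsize = tilesize;
-+ if (tilesize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
-+ exit(-1);
-+ }
-
-if (tilesize < (tsize_t)(tl * tile_rowsize))
-{
-@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
-tilesize, tl * tile_rowsize);
-#endif
-tile_buffsize = tl * tile_rowsize;
-- }
-+ if (tl != (tile_buffsize / tile_rowsize))
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+ exit(-1);
-+ }
-+ }
-
-tilebuf = _TIFFmalloc(tile_buffsize);
-if (tilebuf == 0)
-@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
-!TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
-return 1;
-
-+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
-+ exit(-1);
-+ }
-+
-tile_buffsize = tilesize;
-if (tilesize < (tsize_t)(tl * tile_rowsize))
-{
-@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
-tilesize, tl * tile_rowsize);
-#endif
-tile_buffsize = tl * tile_rowsize;
-+ if (tl != tile_buffsize / tile_rowsize)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-}
-
-tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
-TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
-
-tile_rowsize = TIFFTileRowSize(in);
-+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
-+ exit(-1);
-+ }
-buffsize = tlsize * ntiles;
-+ if (tlsize != (buffsize / ntiles))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-
--
-if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
-{
-buffsize = ntiles * tl * tile_rowsize;
-+ if (ntiles != (buffsize / tl / tile_rowsize))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+
-#ifdef DEBUG2
-TIFFError("loadImage",
-"Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
-TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
-stsize = TIFFStripSize(in);
-nstrips = TIFFNumberOfStrips(in);
-+ if (nstrips == 0 || stsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
-+ exit(-1);
-+ }
-+
-buffsize = stsize * nstrips;
--
-+ if (stsize != (buffsize / nstrips))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+ uint32 buffsize_check;
-+ buffsize_check = ((length * width * spp * bps) + 7);
-+ if (length != ((buffsize_check - 7) / width / spp / bps))
-+ {
-+ TIFFError("loadImage", "Integer overflow detected.");
-+ exit(-1);
-+ }
-if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
-{
-buffsize = ((length * width * spp * bps) + 7) / 8;
---
-2.7.4
-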
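--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 11 Jul 2016 21:26:03 +0000
-Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack
-allocated array on a tiled separate TIFF with more than 8 samples per pixel.
-Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
-(CVE-2016-5321, bugzilla #2558)
-
-CVE: CVE-2016-5321
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
-ChangeLog | 7 +++++++
-tools/tiffcrop.c | 2 +-
-2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index e98d54d..4e0302f 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+2016-07-11 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiffcrop.c: Avoid access outside of stack allocated array
-+ on a tiled separate TIFF with more than 8 samples per pixel.
-+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
-+ (CVE-2016-5321, bugzilla #2558)
-+
-2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
-* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index d959ae3..6fc8fc1 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
-nrow = (row + tl > imagelength) ? imagelength - row : tl;
-for (col = 0; col < imagewidth; col += tw)
-{
-- for (s = 0; s < spp; s++)
-+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
-{ /* Read each plane of a tile set into srcbuffs[s] */
-tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
-if (tbytes < 0 && !ignore)
---
-2.7.4
-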
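--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 11 Jul 2016 21:38:31 +0000
-Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
-
-CVE: CVE-2016-5323
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
-ChangeLog | 2 +-
-tools/tiffcrop.c | 16 ++++++++--------
-2 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 4e0302f..62dc1b5 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -3,7 +3,7 @@
-* tools/tiffcrop.c: Avoid access outside of stack allocated array
-on a tiled separate TIFF with more than 8 samples per pixel.
-Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
-- (CVE-2016-5321, bugzilla #2558)
-+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
-
-2016-07-10 Even Rouault <even.rouault at spatialys.com>
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 6fc8fc1..27abc0b 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
-
-matchbits = maskbits << (8 - src_bit - bps);
-/* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
-src_bit = bit_offset % 8;
-
-matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
-src_bit = bit_offset % 8;
-
-matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
-src_bit = bit_offset % 8;
-
-matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
-
-matchbits = maskbits << (8 - src_bit - bps);
-/* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
-src_bit = bit_offset % 8;
-
-matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
-src_bit = bit_offset % 8;
-
-matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
-src_bit = bit_offset % 8;
-
-matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
---
-2.7.4
-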
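--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
+++ /dev/null
@@ -1,423 +0,0 @@
-From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 31 Oct 2016 17:24:26 +0000
-Subject: [PATCH 1/2] Fix CVE-2016-9535
-
-* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
-assertions by runtime checks to avoid assertions in debug mode, or buffer
-overflows in release mode. Can happen when dealing with unusual tile size
-like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
-Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
----
-libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
-libtiff/tif_predict.h | 6 +-
-2 files changed, 121 insertions(+), 47 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index 555f2f9..b829259 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -34,18 +34,18 @@
-
-#define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
-
--static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
-static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
-static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
-static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
-@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
-/* - when storing into the byte stream, we explicitly mask with 0xff so */
-/* as to make icc -check=conversions happy (not necessary by the standard) */
-
--static void
-+static int
-horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-tmsize_t stride = PredictorState(tif)->stride;
-
-unsigned char* cp = (unsigned char*) cp0;
-- assert((cc%stride)==0);
-+ if((cc%stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
-+ "%s", "(cc%stride)!=0");
-+ return 0;
-+ }
-+
-if (cc > stride) {
-/*
-* Pipeline the most common cases.
-@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
-} while (cc>0);
-}
-}
-+ return 1;
-}
-
--static void
-+static int
-swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-uint16* wp = (uint16*) cp0;
-tmsize_t wc = cc / 2;
-
-TIFFSwabArrayOfShort(wp, wc);
-- horAcc16(tif, cp0, cc);
-+ return horAcc16(tif, cp0, cc);
-}
-
--static void
-+static int
-horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-tmsize_t stride = PredictorState(tif)->stride;
-uint16* wp = (uint16*) cp0;
-tmsize_t wc = cc / 2;
-
-- assert((cc%(2*stride))==0);
-+ if((cc%(2*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
-+ "%s", "cc%(2*stride))!=0");
-+ return 0;
-+ }
-
-if (wc > stride) {
-wc -= stride;
-@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
-wc -= stride;
-} while (wc > 0);
-}
-+ return 1;
-}
-
--static void
-+static int
-swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-uint32* wp = (uint32*) cp0;
-tmsize_t wc = cc / 4;
-
-TIFFSwabArrayOfLong(wp, wc);
-- horAcc32(tif, cp0, cc);
-+ return horAcc32(tif, cp0, cc);
-}
-
--static void
-+static int
-horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-tmsize_t stride = PredictorState(tif)->stride;
-uint32* wp = (uint32*) cp0;
-tmsize_t wc = cc / 4;
-
-- assert((cc%(4*stride))==0);
-+ if((cc%(4*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
-+ "%s", "cc%(4*stride))!=0");
-+ return 0;
-+ }
-
-if (wc > stride) {
-wc -= stride;
-@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
-wc -= stride;
-} while (wc > 0);
-}
-+ return 1;
-}
-
-/*
-* Floating point predictor accumulation routine.
-*/
--static void
-+static int
-fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-tmsize_t stride = PredictorState(tif)->stride;
-@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
-uint8 *cp = (uint8 *) cp0;
-uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-
-- assert((cc%(bps*stride))==0);
-+ if(cc%(bps*stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
-+ "%s", "cc%(bps*stride))!=0");
-+ return 0;
-+ }
-
-if (!tmp)
-- return;
-+ return 0;
-
-while (count > stride) {
-REPEAT4(stride, cp[stride] =
-@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
-}
-}
-_TIFFfree(tmp);
-+ return 1;
-}
-
-/*
-@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
-assert(sp->decodepfunc != NULL);
-
-if ((*sp->decoderow)(tif, op0, occ0, s)) {
-- (*sp->decodepfunc)(tif, op0, occ0);
-- return 1;
-+ return (*sp->decodepfunc)(tif, op0, occ0);
-} else
-return 0;
-}
-@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
-if ((*sp->decodetile)(tif, op0, occ0, s)) {
-tmsize_t rowsize = sp->rowsize;
-assert(rowsize > 0);
-- assert((occ0%rowsize)==0);
-+ if((occ0%rowsize) !=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
-+ "%s", "occ0%rowsize != 0");
-+ return 0;
-+ }
-assert(sp->decodepfunc != NULL);
-while (occ0 > 0) {
-- (*sp->decodepfunc)(tif, op0, rowsize);
-+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
-+ return 0;
-occ0 -= rowsize;
-op0 += rowsize;
-}
-@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
-return 0;
-}
-
--static void
-+static int
-horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-TIFFPredictorState* sp = PredictorState(tif);
-tmsize_t stride = sp->stride;
-unsigned char* cp = (unsigned char*) cp0;
-
-- assert((cc%stride)==0);
-+ if((cc%stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+ "%s", "(cc%stride)!=0");
-+ return 0;
-+ }
-
-if (cc > stride) {
-cc -= stride;
-@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
-} while ((cc -= stride) > 0);
-}
-}
-+ return 1;
-}
-
--static void
-+static int
-horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-TIFFPredictorState* sp = PredictorState(tif);
-@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
-uint16 *wp = (uint16*) cp0;
-tmsize_t wc = cc/2;
-
-- assert((cc%(2*stride))==0);
-+ if((cc%(2*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+ "%s", "(cc%(2*stride))!=0");
-+ return 0;
-+ }
-
-if (wc > stride) {
-wc -= stride;
-@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
-wc -= stride;
-} while (wc > 0);
-}
-+ return 1;
-}
-
--static void
-+static int
-swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-uint16* wp = (uint16*) cp0;
-tmsize_t wc = cc / 2;
-
-- horDiff16(tif, cp0, cc);
-+ if( !horDiff16(tif, cp0, cc) )
-+ return 0;
-
-TIFFSwabArrayOfShort(wp, wc);
-+ return 1;
-}
-
--static void
-+static int
-horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-TIFFPredictorState* sp = PredictorState(tif);
-@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
-uint32 *wp = (uint32*) cp0;
-tmsize_t wc = cc/4;
-
-- assert((cc%(4*stride))==0);
-+ if((cc%(4*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
-+ "%s", "(cc%(4*stride))!=0");
-+ return 0;
-+ }
-
-if (wc > stride) {
-wc -= stride;
-@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
-wc -= stride;
-} while (wc > 0);
-}
-+ return 1;
-}
-
--static void
-+static int
-swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-uint32* wp = (uint32*) cp0;
-tmsize_t wc = cc / 4;
-
-- horDiff32(tif, cp0, cc);
-+ if( !horDiff32(tif, cp0, cc) )
-+ return 0;
-
-TIFFSwabArrayOfLong(wp, wc);
-+ return 1;
-}
-
-/*
-* Floating point predictor differencing routine.
-*/
--static void
-+static int
-fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
-{
-tmsize_t stride = PredictorState(tif)->stride;
-@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
-uint8 *cp = (uint8 *) cp0;
-uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-
-- assert((cc%(bps*stride))==0);
--
-+ if((cc%(bps*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
-+ "%s", "(cc%(bps*stride))!=0");
-+ return 0;
-+ }
-if (!tmp)
-- return;
-+ return 0;
-
-_TIFFmemcpy(tmp, cp0, cc);
-for (count = 0; count < wc; count++) {
-@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
-cp += cc - stride - 1;
-for (count = cc; count > stride; count -= stride)
-REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
-+ return 1;
-}
-
-static int
-@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
-assert(sp->encoderow != NULL);
-
-/* XXX horizontal differencing alters user's data XXX */
-- (*sp->encodepfunc)(tif, bp, cc);
-+ if( !(*sp->encodepfunc)(tif, bp, cc) )
-+ return 0;
-return (*sp->encoderow)(tif, bp, cc, s);
-}
-
-@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
-
-rowsize = sp->rowsize;
-assert(rowsize > 0);
-- assert((cc0%rowsize)==0);
-+ if((cc0%rowsize)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
-+ "%s", "(cc0%rowsize)!=0");
-+ return 0;
-+ }
-while (cc > 0) {
-(*sp->encodepfunc)(tif, bp, rowsize);
-cc -= rowsize;
-diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
-index 91330cc..9e485a4 100644
---- a/libtiff/tif_predict.h
-+++ b/libtiff/tif_predict.h
-@@ -30,6 +30,8 @@
-* ``Library-private'' Support for the Predictor Tag
-*/
-
-+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
-+
-/*
-* Codecs that want to support the Predictor tag must place
-* this structure first in their private state block so that
-@@ -43,12 +45,12 @@ typedef struct {
-TIFFCodeMethod encoderow; /* parent codec encode/decode row */
-TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
-TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
-- TIFFPostMethod encodepfunc; /* horizontal differencer */
-+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
-
-TIFFCodeMethod decoderow; /* parent codec encode/decode row */
-TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
-TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
-- TIFFPostMethod decodepfunc; /* horizontal accumulator */
-+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
-
-TIFFVGetMethod vgetparent; /* super-class method */
-TIFFVSetMethod vsetparent; /* super-class method */
---
-2.9.3
-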
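--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 4 Nov 2016 09:19:13 +0000
-Subject: [PATCH 2/2] Fix CVE-2016-9535
-* libtiff/tif_predic.c: fix memory leaks in error code
-paths added in previous commit (fix for MSVR 35105)
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
----
-libtiff/tif_predict.c | 8 ++++++--
-1 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index b829259..3f42f3b 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
-tmsize_t wc = cc / bps;
-tmsize_t count = cc;
-uint8 *cp = (uint8 *) cp0;
-- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-+ uint8 *tmp;
-
-if(cc%(bps*stride)!=0)
-{
-@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
-return 0;
-}
-
-+ tmp = (uint8 *)_TIFFmalloc(cc);
-if (!tmp)
-return 0;
-
-@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
-tmsize_t wc = cc / bps;
-tmsize_t count;
-uint8 *cp = (uint8 *) cp0;
-- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-+ uint8 *tmp;
-
-if((cc%(bps*stride))!=0)
-{
-@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
-"%s", "(cc%(bps*stride))!=0");
-return 0;
-}
-+
-+ tmp = (uint8 *)_TIFFmalloc(cc);
-if (!tmp)
-return 0;
-
-@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
-{
-TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
-"%s", "(cc0%rowsize)!=0");
-+ _TIFFfree( working_copy );
-return 0;
-}
-while (cc > 0) {
---
-2.9.3
-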
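--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 8 Oct 2016 15:04:31 +0000
-Subject: [PATCH] Fix CVE-2016-9538
-* tools/tiffcp.c: fix read of undefined variable in case of
-missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
-fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
-overflow. Probably not a security issue but I can be wrong. Reported as MSVR
-35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9538
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
----
-tools/tiffcp.c | 4 ++--
-tools/tiffcrop.c | 9 ++++++---
-2 files changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index ba2b715..4ad74d3 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
-static int
-tiffcp(TIFF* in, TIFF* out)
-{
-- uint16 bitspersample, samplesperpixel;
-- uint16 input_compression, input_photometric;
-+ uint16 bitspersample, samplesperpixel = 1;
-+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
-copyFunc cf;
-uint32 width, length;
-struct cpTag* p;
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 7685566..eb6de77 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
-{
-uint8* bufp = buf;
-int32 bytes_read = 0;
-- uint16 strip, nstrips = TIFFNumberOfStrips(in);
-+ uint32 strip, nstrips = TIFFNumberOfStrips(in);
-uint32 stripsize = TIFFStripSize(in);
-uint32 rows = 0;
-uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
-@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
-uint32 width, uint16 spp,
-struct dump_opts *dump)
-{
-- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
-+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
-+ uint32 j;
-int32 bytes_read = 0;
-- uint16 bps, nstrips, planar, strips_per_sample;
-+ uint16 bps, planar;
-+ uint32 nstrips;
-+ uint32 strips_per_sample;
-uint32 src_rowsize, dst_rowsize, rows_processed, rps;
-uint32 rows_this_strip = 0;
-tsample_t s;
---
-2.9.3
-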
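--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 14 Oct 2016 19:13:20 +0000
-Subject: [PATCH ] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes
-in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
-& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9539
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
-
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
-
----
-ChangeLog | 6 ++++++
-tools/tiffcrop.c | 11 ++++++++++-
-2 files changed, 16 insertions(+), 1 deletion(-)
-
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog 2016-11-28 14:56:32.109283913 +0800
-+++ tiff-4.0.6/ChangeLog 2016-11-28 16:36:01.805325534 +0800
-@@ -17,6 +17,12 @@
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-+2016-10-14 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
-+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
-+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-+
-2016-10-08 Even Rouault <even.rouault at spatialys.com>
-
-* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
-Index: tiff-4.0.6/tools/tiffcrop.c
-===================================================================
---- tiff-4.0.6.orig/tools/tiffcrop.c 2016-11-28 14:56:31.433283908 +0800
-+++ tiff-4.0.6/tools/tiffcrop.c 2016-11-28 16:42:13.793328128 +0800
-@@ -819,9 +819,18 @@
-}
-}
-
-- tilebuf = _TIFFmalloc(tile_buffsize);
-+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
-+ if( tile_buffsize > 0xFFFFFFFFU - 3 )
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+ exit(-1);
-+ }
-+ tilebuf = _TIFFmalloc(tile_buffsize + 3);
-if (tilebuf == 0)
-return 0;
-+ tilebuf[tile_buffsize] = 0;
-+ tilebuf[tile_buffsize+1] = 0;
-+ tilebuf[tile_buffsize+2] = 0;
-
-dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;
-for (row = 0; row < imagelength; row += tl)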
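--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 8 Oct 2016 15:54:56 +0000
-Subject: [PATCH] fix CVE-2016-9540
-* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
-tile width vs image width. Reported as MSVR 35103
-by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
-Mitigations team.
-
-CVE: CVE-2016-9540
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
-
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
----
-ChangeLog | 7 +++++++
-tools/tiffcp.c | 4 ++--
-2 files changed, 9 insertions(+), 2 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog 2016-11-24 14:40:43.046867737 +0800
-+++ tiff-4.0.4/ChangeLog 2016-11-28 14:38:01.681276171 +0800
-@@ -17,6 +17,13 @@
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-+2016-10-08 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
-+ tile width vs image width. Reported as MSVR 35103
-+ by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
-+ Mitigations team.
-+
-2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
-
-* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-Index: tiff-4.0.4/tools/tiffcp.c
-===================================================================
---- tiff-4.0.4.orig/tools/tiffcp.c 2015-06-21 09:09:10.000000000 +0800
-+++ tiff-4.0.4/tools/tiffcp.c 2016-11-28 14:41:02.221277430 +0800
-@@ -1338,7 +1338,7 @@
-uint32 colb = 0;
-uint32 col;
-
-- for (col = 0; col < imagewidth; col += tw) {
-+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
-if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
-&& !ignore) {
-TIFFError(TIFFFileName(in),
-@@ -1523,7 +1523,7 @@
-uint32 colb = 0;
-uint32 col;
-
-- for (col = 0; col < imagewidth; col += tw) {
-+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
-/*
-* Tile is clipped horizontally. Calculate
-* visible portion and skewing factors.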
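--- a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
+++ /dev/null
@@ -1,281 +0,0 @@
-From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 23 Sep 2016 22:12:18 +0000
-Subject: [PATCH] Fix several CVE issues
-
-Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537
-
-* tools/tiffcrop.c: fix various out-of-bounds write
-vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
-MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
-the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
-out-of-bounds write vulnerabilities in heap allocate buffer in
-t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
-and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
-libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
-allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
-Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
-libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
-didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
-that could happen in practice outside of the odd behaviour of t2p_seekproc()
-of tiff2pdf). The report points that a better fix could be to check the
-return value of TIFFFlushData1() in places where it isn't done currently, but
-it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
-Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
-Mitigations team.
-
-CVE: CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, CVE-2016-9537
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
----
-libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++----------------------------
-libtiff/tif_write.c | 7 +++++++
-tools/tiff2pdf.c | 22 ++++++++++++++++++--
-tools/tiffcrop.c | 20 +++++++++++++++++-
-4 files changed, 92 insertions(+), 35 deletions(-)
-
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index 1fb8f3b..d1246c3 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -983,17 +983,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2)
-a1 = (int32) CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
-}
-} else {
-- ip += n - 1; /* point to last one */
-- wp += n - 1; /* point to last one */
-- n -= stride;
-- while (n > 0) {
-- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
-- wp[stride] -= wp[0];
-- wp[stride] &= mask;
-- wp--; ip--)
-- n -= stride;
-- }
-- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
-+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
-+ n -= stride;
-+ while (n > 0) {
-+ REPEAT(stride,
-+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
-+ wp++; ip++)
-+ n -= stride;
-+ }
-}
-}
-}
-@@ -1036,17 +1033,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride,
-a1 = CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
-}
-} else {
-- ip += n - 1; /* point to last one */
-- wp += n - 1; /* point to last one */
-+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
-n -= stride;
-while (n > 0) {
-- REPEAT(stride, wp[0] = CLAMP(ip[0]);
-- wp[stride] -= wp[0];
-- wp[stride] &= mask;
-- wp--; ip--)
-- n -= stride;
-- }
-- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
-+ REPEAT(stride,
-+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
-+ wp++; ip++)
-+ n -= stride;
-+ }
-}
-}
-}
-@@ -1089,18 +1083,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride,
-ip += 4;
-}
-} else {
-- wp += n + stride - 1; /* point to last one */
-- ip += n + stride - 1; /* point to last one */
-- n -= stride;
-- while (n > 0) {
-- REPEAT(stride, wp[0] = CLAMP(ip[0]);
-- wp[stride] -= wp[0];
-- wp[stride] &= mask;
-- wp--; ip--)
-- n -= stride;
-- }
-- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
-- }
-+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
-+ n -= stride;
-+ while (n > 0) {
-+ REPEAT(stride,
-+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
-+ wp++; ip++)
-+ n -= stride;
-+ }
-+ }
-}
-}
-
-diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
-index f9a3fc0..d8fa802 100644
---- a/libtiff/tif_write.c
-+++ b/libtiff/tif_write.c
-@@ -798,7 +798,14 @@ TIFFFlushData1(TIFF* tif)
-if (!TIFFAppendToStrip(tif,
-isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
-tif->tif_rawdata, tif->tif_rawcc))
-+ {
-+ /* We update those variables even in case of error since there's */
-+ /* code that doesn't really check the return code of this */
-+ /* function */
-+ tif->tif_rawcc = 0;
-+ tif->tif_rawcp = tif->tif_rawdata;
-return (0);
-+ }
-tif->tif_rawcc = 0;
-tif->tif_rawcp = tif->tif_rawdata;
-}
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index dcd5a7e..f8df6b5 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t);
-int t2p_process_ojpeg_tables(T2P*, TIFF*);
-#endif
-#ifdef JPEG_SUPPORT
--int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
-+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
-#endif
-void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
-void t2p_write_advance_directory(T2P*, TIFF*);
-@@ -2408,7 +2408,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
-if(!t2p_process_jpeg_strip(
-stripbuffer,
-&striplength,
-- buffer,
-+ buffer,
-+ t2p->tiff_datasize,
-&bufferoffset,
-i,
-t2p->tiff_length)){
-@@ -3439,6 +3440,7 @@ int t2p_process_jpeg_strip(
-unsigned char* strip,
-tsize_t* striplength,
-unsigned char* buffer,
-+ tsize_t buffersize,
-tsize_t* bufferoffset,
-tstrip_t no,
-uint32 height){
-@@ -3473,6 +3475,8 @@ int t2p_process_jpeg_strip(
-}
-switch( strip[i] ){
-case 0xd8: /* SOI - start of image */
-+ if( *bufferoffset + 2 > buffersize )
-+ return(0);
-_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
-*bufferoffset+=2;
-break;
-@@ -3482,12 +3486,18 @@ int t2p_process_jpeg_strip(
-case 0xc9: /* SOF9 */
-case 0xca: /* SOF10 */
-if(no==0){
-+ if( *bufferoffset + datalen + 2 + 6 > buffersize )
-+ return(0);
-_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ if( *bufferoffset + 9 >= buffersize )
-+ return(0);
-ncomp = buffer[*bufferoffset+9];
-if (ncomp < 1 || ncomp > 4)
-return(0);
-v_samp=1;
-h_samp=1;
-+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
-+ return(0);
-for(j=0;j<ncomp;j++){
-uint16 samp = buffer[*bufferoffset+11+(3*j)];
-if( (samp>>4) > h_samp)
-@@ -3519,20 +3529,28 @@ int t2p_process_jpeg_strip(
-break;
-case 0xc4: /* DHT */
-case 0xdb: /* DQT */
-+ if( *bufferoffset + datalen + 2 > buffersize )
-+ return(0);
-_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-*bufferoffset+=datalen+2;
-break;
-case 0xda: /* SOS */
-if(no==0){
-+ if( *bufferoffset + datalen + 2 > buffersize )
-+ return(0);
-_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-*bufferoffset+=datalen+2;
-} else {
-+ if( *bufferoffset + 2 > buffersize )
-+ return(0);
-buffer[(*bufferoffset)++]=0xff;
-buffer[(*bufferoffset)++]=
-(unsigned char)(0xd0 | ((no-1)%8));
-}
-i += datalen + 1;
-/* copy remainder of strip */
-+ if( *bufferoffset + *striplength - i > buffersize )
-+ return(0);
-_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
-*bufferoffset+= *striplength - i;
-return(1);
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index ebc4aba..7685566 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -5758,7 +5758,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
-{
-uint32 i;
-float xres = 0.0, yres = 0.0;
-- uint16 nstrips = 0, ntiles = 0, planar = 0;
-+ uint32 nstrips = 0, ntiles = 0;
-+ uint16 planar = 0;
-uint16 bps = 0, spp = 0, res_unit = 0;
-uint16 orientation = 0;
-uint16 input_compression = 0, input_photometric = 0;
-@@ -6066,11 +6067,23 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
-/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
-/* outside buffer */
-if (!read_buff)
-+ {
-+ if( buffsize > 0xFFFFFFFFU - 3 )
-+ {
-+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+ return (-1);
-+ }
-read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
-+ }
-else
-{
-if (prev_readsize < buffsize)
-+ {
-+ if( buffsize > 0xFFFFFFFFU - 3 )
-{
-+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+ return (-1);
-+ }
-new_buff = _TIFFrealloc(read_buff, buffsize+3);
-if (!new_buff)
-{
-@@ -8912,6 +8925,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width,
-}
-
-bytes_per_pixel = ((bps * spp) + 7) / 8;
-+ if( bytes_per_pixel > sizeof(swapbuff) )
-+ {
-+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
-+ return (1);
-+ }
-switch (bps / 8)
-{
-case 8: /* Use memcpy for multiple bytes per sample data */
---
-2.9.3
-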