author | Ming Liu <ming.liu@windriver.com> | 2013-12-05 17:52:14 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2013-12-10 17:42:44 +0000 |
commit | 6e89d269e5f753c44655c166769a26a93b9b977d (patch) | |
tree | 3485ad8080a5b760552e624556b9fda38a57ea22 /meta/recipes-multimedia/libtiff/files | |
parent | e7d1921fb8251f11027e8cdaed31f072797c30eb (diff) | |
download | poky-6e89d269e5f753c44655c166769a26a93b9b977d.tar.gz |
libtiff: fix CVE-2013-1960
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
(From OE-Core rev: 9db7a897d216a8293152c1a3b96c72b699d469c7)
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch | 151 |
1 files changed, 151 insertions, 0 deletions
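--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@
+This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+uint32 height){
+
+tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+*bufferoffset+=2;
+- i+=2;
+break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+}
+v_samp*=8;
+h_samp*=8;
+@@ -3381,45 +3404,43 @@
+(unsigned char) ((height>>8) & 0xff);
+buffer[*bufferoffset+6]=
+(unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+buffer[(*bufferoffset)++]=0xff;
+buffer[(*bufferoffset)++]=0xdd;
+buffer[(*bufferoffset)++]=0x00;
+buffer[(*bufferoffset)++]=0x04;
+buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+}
+break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+break;
+- case 0xda:
++ case 0xda: /* SOS */
+if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+} else {
+buffer[(*bufferoffset)++]=0xff;
+buffer[(*bufferoffset)++]=
+(unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+}
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+return(1);
+default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+}
++ i += datalen + 1;
+}
+-
+
++ /* failed to find SOS marker */
+return(0);
+}
+#endif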
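Review bot: In the SOF branch of the embedded tiff2pdf.c patch, `ncomp = buffer[*bufferoffset+9]` and `samp = buffer[*bufferoffset+11+(3*j)]` are read after copying only `datalen+2` bytes, while the only lower bound on `datalen` is the `datalen < 2` rejection. A short SOF segment therefore takes the component count and sampling factors from whatever the output buffer already held, not from the strip. Tying the length to the fields consumed would close this: `if (datalen < 8) return(0);` before the copy, and `if (ncomp < 1 || ncomp > 4 || datalen < 8 + 3*ncomp) return(0);` after it. The new checks bound reads from `strip` only. The function signature and the lines between the two inner hunks (where `ri` is presumably assigned, now that its `=0` initialiser is gone) are outside the visible text, so whether `buffer` has room for every `_TIFFmemcpy` and the inserted DRI marker cannot be confirmed here. A comment stating the caller's sizing guarantee for `buffer` would help the next reviewer of this `Upstream-Status: Pending` patch.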