authorMing Liu <ming.liu@windriver.com>2013-12-05 17:52:14 -0600
committerRichard Purdie <richard.purdie@linuxfoundation.org>2013-12-10 17:42:44 +0000
commit6e89d269e5f753c44655c166769a26a93b9b977d (patch)
tree3485ad8080a5b760552e624556b9fda38a57ea22 /meta/recipes-multimedia/libtiff/files
parente7d1921fb8251f11027e8cdaed31f072797c30eb (diff)
libtiff: fix CVE-2013-1960
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960 (From OE-Core rev: 9db7a897d216a8293152c1a3b96c72b699d469c7) Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
-rw-r--r--meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch151
1 files changed, 151 insertions, 0 deletions
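diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
new file mode 100644
index 0000000000..e4348f1d2c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@
+This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+ uint32 height){
+
+ tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+ switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+- i+=2;
+ break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+ }
+ v_samp*=8;
+ h_samp*=8;
+@@ -3381,45 +3404,43 @@
+ (unsigned char) ((height>>8) & 0xff);
+ buffer[*bufferoffset+6]=
+ (unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=0xdd;
+ buffer[(*bufferoffset)++]=0x00;
+ buffer[(*bufferoffset)++]=0x04;
+ buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+ }
+ break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ break;
+- case 0xda:
++ case 0xda: /* SOS */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ } else {
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+ }
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+ return(1);
+ default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+ }
++ i += datalen + 1;
+ }
+-
+
++ /* failed to find SOS marker */
+ return(0);
+ }
+ #endif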
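Review bot: In the SOF branch of the embedded tiff2pdf.c change, `ncomp` is read from `buffer[*bufferoffset+9]` and the sampling bytes from `buffer[*bufferoffset+11+(3*j)]` while `datalen` has only been checked to be at least 2, so a short SOF segment makes the code parse destination bytes that the preceding `_TIFFmemcpy` did not write. A SOF segment is 8 + 3*ncomp bytes long counting its length word, so I would add `if (datalen < 8) return(0);` before reading `ncomp` and `if (datalen < 8 + 3*ncomp) return(0);` after the 1..4 range check. Separately, none of the visible lines compares `*bufferoffset` plus the copy length against the capacity of `buffer`, and the inserted DRI marker makes the output six bytes longer than the input segment. The function's signature and its caller lie outside both hunks, so the allocation size should be confirmed there before treating the fix as complete.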