diff options
author | Rajkumar Veer <rveer@mvista.com> | 2017-11-03 22:18:19 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-05 22:39:48 +0000 |
commit | 7af530d449554785b194c3b6a2f91f2ea5c3d853 (patch) | |
tree | 50d503cf4c91ef6a3b1cd13f2a158a90c6fe2890 /meta/recipes-multimedia/libtiff/files | |
parent | 6a2f7581c5a2f9f996e73caacdf71bd878c6545d (diff) | |
download | poky-7af530d449554785b194c3b6a2f91f2ea5c3d853.tar.gz |
tiff: Security fix for CVE-2016-10270
(From OE-Core rev: 9600bca011fe5fd2837606ab05e64325b3f12114)
Signed-off-by: Rajkumar Veer <rveer@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch new file mode 100644 index 0000000000..43ad6eda9f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch | |||
@@ -0,0 +1,134 @@ | |||
1 | From 6e7042c61e300cf9971c645c79d05de974b24308 Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Sat, 3 Dec 2016 11:02:15 +0000 | ||
4 | Subject: [PATCH 3/4] * libtiff/tif_dirread.c: modify | ||
5 | ChopUpSingleUncompressedStrip() to instanciate compute ntrips as | ||
6 | TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on | ||
7 | the total size of data. Which is faulty is the total size of data is not | ||
8 | sufficient to fill the whole image, and thus results in reading outside of | ||
9 | the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported | ||
10 | by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. | ||
11 | |||
12 | * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done | ||
13 | for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since | ||
14 | the above change is a better fix that makes it unnecessary. | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | |||
18 | CVE: CVE-2016-10270 | ||
19 | Signed-off-by: Rajkumar Veer <rveer@mvista.com> | ||
20 | --- | ||
21 | ChangeLog | 15 +++++++++++++++ | ||
22 | libtiff/tif_dirread.c | 22 ++++++++++------------ | ||
23 | libtiff/tif_strip.c | 9 --------- | ||
24 | 3 files changed, 25 insertions(+), 21 deletions(-) | ||
25 | |||
26 | diff --git a/ChangeLog b/ChangeLog | ||
27 | index 0a2c2a7..6e30e41 100644 | ||
28 | --- a/ChangeLog | ||
29 | +++ b/ChangeLog | ||
30 | @@ -1,5 +1,20 @@ | ||
31 | 2016-12-03 Even Rouault <even.rouault at spatialys.com> | ||
32 | |||
33 | + * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to | ||
34 | + instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), | ||
35 | + instead of a logic based on the total size of data. Which is faulty is | ||
36 | + the total size of data is not sufficient to fill the whole image, and thus | ||
37 | + results in reading outside of the StripByCounts/StripOffsets arrays when | ||
38 | + using TIFFReadScanline(). | ||
39 | + Reported by Agostino Sarubbo. | ||
40 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. | ||
41 | + | ||
42 | + * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done | ||
43 | + for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since | ||
44 | + the above change is a better fix that makes it unnecessary. | ||
45 | + | ||
46 | +2016-12-03 Even Rouault <even.rouault at spatialys.com> | ||
47 | + | ||
48 | * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer | ||
49 | overflow on generation of PixarLog / LUV compressed files, with | ||
50 | ColorMap, TransferFunction attached and nasty plays with bitspersample. | ||
51 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
52 | index 3eec79c..570d0c3 100644 | ||
53 | --- a/libtiff/tif_dirread.c | ||
54 | +++ b/libtiff/tif_dirread.c | ||
55 | @@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif) | ||
56 | uint64 rowblockbytes; | ||
57 | uint64 stripbytes; | ||
58 | uint32 strip; | ||
59 | - uint64 nstrips64; | ||
60 | - uint32 nstrips32; | ||
61 | + uint32 nstrips; | ||
62 | uint32 rowsperstrip; | ||
63 | uint64* newcounts; | ||
64 | uint64* newoffsets; | ||
65 | @@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) | ||
66 | return; | ||
67 | |||
68 | /* | ||
69 | - * never increase the number of strips in an image | ||
70 | + * never increase the number of rows per strip | ||
71 | */ | ||
72 | if (rowsperstrip >= td->td_rowsperstrip) | ||
73 | return; | ||
74 | - nstrips64 = TIFFhowmany_64(bytecount, stripbytes); | ||
75 | - if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ | ||
76 | - return; | ||
77 | - nstrips32 = (uint32)nstrips64; | ||
78 | + nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); | ||
79 | + if( nstrips == 0 ) | ||
80 | + return; | ||
81 | |||
82 | - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), | ||
83 | + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
84 | "for chopped \"StripByteCounts\" array"); | ||
85 | - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), | ||
86 | + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
87 | "for chopped \"StripOffsets\" array"); | ||
88 | if (newcounts == NULL || newoffsets == NULL) { | ||
89 | /* | ||
90 | @@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif) | ||
91 | * Fill the strip information arrays with new bytecounts and offsets | ||
92 | * that reflect the broken-up format. | ||
93 | */ | ||
94 | - for (strip = 0; strip < nstrips32; strip++) { | ||
95 | + for (strip = 0; strip < nstrips; strip++) { | ||
96 | if (stripbytes > bytecount) | ||
97 | stripbytes = bytecount; | ||
98 | newcounts[strip] = stripbytes; | ||
99 | - newoffsets[strip] = offset; | ||
100 | + newoffsets[strip] = stripbytes ? offset : 0; | ||
101 | offset += stripbytes; | ||
102 | bytecount -= stripbytes; | ||
103 | } | ||
104 | /* | ||
105 | * Replace old single strip info with multi-strip info. | ||
106 | */ | ||
107 | - td->td_stripsperimage = td->td_nstrips = nstrips32; | ||
108 | + td->td_stripsperimage = td->td_nstrips = nstrips; | ||
109 | TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); | ||
110 | |||
111 | _TIFFfree(td->td_stripbytecount); | ||
112 | diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c | ||
113 | index 4c46ecf..1676e47 100644 | ||
114 | --- a/libtiff/tif_strip.c | ||
115 | +++ b/libtiff/tif_strip.c | ||
116 | @@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif) | ||
117 | TIFFDirectory *td = &tif->tif_dir; | ||
118 | uint32 nstrips; | ||
119 | |||
120 | - /* If the value was already computed and store in td_nstrips, then return it, | ||
121 | - since ChopUpSingleUncompressedStrip might have altered and resized the | ||
122 | - since the td_stripbytecount and td_stripoffset arrays to the new value | ||
123 | - after the initial affectation of td_nstrips = TIFFNumberOfStrips() in | ||
124 | - tif_dirread.c ~line 3612. | ||
125 | - See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ | ||
126 | - if( td->td_nstrips ) | ||
127 | - return td->td_nstrips; | ||
128 | - | ||
129 | nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : | ||
130 | TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); | ||
131 | if (td->td_planarconfig == PLANARCONFIG_SEPARATE) | ||
132 | -- | ||
133 | 1.9.1 | ||
134 | |||