diff options
author | Rajkumar Veer <rveer@mvista.com> | 2017-11-03 22:33:41 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-21 14:43:54 +0000 |
commit | c505c12a07b4240713c09b418be948d25d04a9ad (patch) | |
tree | b3c2dc22c9268446a1de7c6486bf4856f20d3d25 /meta/recipes-multimedia/libtiff/files | |
parent | 9e658d2462fa766dc33f56c495656d365c4f5cd0 (diff) | |
download | poky-c505c12a07b4240713c09b418be948d25d04a9ad.tar.gz |
tiff: Security fix for CVE-2017-7602
(From OE-Core rev: 12325a8ebb5cab1837a6f6092eaa623a1a784eb6)
Signed-off-by: Rajkumar Veer <rveer@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch new file mode 100644 index 0000000000..9ed97e2467 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Wed, 11 Jan 2017 16:33:34 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on | ||
5 | signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes | ||
6 | http://bugzilla.maptools.org/show_bug.cgi?id=2650 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | |||
10 | CVE: CVE-2017-7602 | ||
11 | Signed-off-by: Rajkumar Veer <rveer@mvista.com> | ||
12 | |||
13 | Index: tiff-4.0.7/ChangeLog | ||
14 | =================================================================== | ||
15 | --- tiff-4.0.7.orig/ChangeLog 2017-04-25 18:42:07.656135638 +0530 | ||
16 | +++ tiff-4.0.7/ChangeLog 2017-04-25 18:54:36.812147299 +0530 | ||
17 | @@ -8,6 +8,12 @@ | ||
18 | |||
19 | 2017-01-11 Even Rouault <even.rouault at spatialys.com> | ||
20 | |||
21 | + * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer | ||
22 | + addition in TIFFReadRawStrip1() in isMapped() case. | ||
23 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 | ||
24 | + | ||
25 | +2017-01-11 Even Rouault <even.rouault at spatialys.com> | ||
26 | + | ||
27 | * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid | ||
28 | undefined behaviour caused by invalid shift exponent. | ||
29 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 | ||
30 | Index: tiff-4.0.7/libtiff/tif_read.c | ||
31 | =================================================================== | ||
32 | --- tiff-4.0.7.orig/libtiff/tif_read.c 2017-04-25 18:42:07.132135629 +0530 | ||
33 | +++ tiff-4.0.7/libtiff/tif_read.c 2017-04-25 18:58:25.272150855 +0530 | ||
34 | @@ -420,16 +420,26 @@ | ||
35 | return ((tmsize_t)(-1)); | ||
36 | } | ||
37 | } else { | ||
38 | - tmsize_t ma,mb; | ||
39 | + tmsize_t ma; | ||
40 | tmsize_t n; | ||
41 | - ma=(tmsize_t)td->td_stripoffset[strip]; | ||
42 | - mb=ma+size; | ||
43 | - if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) | ||
44 | - n=0; | ||
45 | - else if ((mb<ma)||(mb<size)||(mb>tif->tif_size)) | ||
46 | - n=tif->tif_size-ma; | ||
47 | - else | ||
48 | - n=size; | ||
49 | + if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| | ||
50 | + ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size)) | ||
51 | + { | ||
52 | + n=0; | ||
53 | + } | ||
54 | + else if( ma > TIFF_TMSIZE_T_MAX - size ) | ||
55 | + { | ||
56 | + n=0; | ||
57 | + } | ||
58 | + else | ||
59 | + { | ||
60 | + tmsize_t mb=ma+size; | ||
61 | + if (mb>tif->tif_size) | ||
62 | + n=tif->tif_size-ma; | ||
63 | + else | ||
64 | + n=size; | ||
65 | + } | ||
66 | + | ||
67 | if (n!=size) { | ||
68 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
69 | TIFFErrorExt(tif->tif_clientdata, module, | ||