diff options
author | Trevor Gamblin <trevor.gamblin@windriver.com> | 2019-09-20 14:25:11 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-02 10:09:47 +0100 |
commit | c855f55a7dc1a3d44114aca9f13cec7bae83f03f (patch) | |
tree | c6c085bb45392b23e698a75bfa4e0a9ab9aff2a9 /meta/recipes-multimedia/libtiff | |
parent | 2657837f72f06966ed681c6e91e781134e990f75 (diff) | |
download | poky-c855f55a7dc1a3d44114aca9f13cec7bae83f03f.tar.gz |
tiff: fix CVE-2019-14973
CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-14973
Upstream merge: https://gitlab.com/libtiff/libtiff/commit/2218055c
(From OE-Core rev: b57304c1afb73a698a1c40a017d433e4d81a8df2)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch | 415 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 4 |
2 files changed, 418 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch new file mode 100644 index 0000000000..8345295d07 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch | |||
@@ -0,0 +1,415 @@ | |||
1 | From 95ac1e3fcc6b643b5bd100f2ea54faca0a003315 Mon Sep 17 00:00:00 2001 | ||
2 | From: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
3 | Date: Fri, 20 Sep 2019 09:33:22 -0400 | ||
4 | Subject: [PATCH] libtiff-fix-CVE-2019-14973 | ||
5 | |||
6 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/2218055ca67d84be596a13080e8f50f22116555c] | ||
7 | CVE: CVE-2019-14973 | ||
8 | |||
9 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
10 | --- | ||
11 | libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++----- | ||
12 | libtiff/tif_getimage.c | 6 ++---- | ||
13 | libtiff/tif_luv.c | 8 +------ | ||
14 | libtiff/tif_pixarlog.c | 7 +----- | ||
15 | libtiff/tif_read.c | 38 +++++++++----------------------- | ||
16 | libtiff/tif_strip.c | 35 ++++-------------------------- | ||
17 | libtiff/tif_tile.c | 27 +++-------------------- | ||
18 | libtiff/tiffiop.h | 7 +++++- | ||
19 | 8 files changed, 71 insertions(+), 106 deletions(-) | ||
20 | |||
21 | diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c | ||
22 | index 4ece162f..33fb8a44 100644 | ||
23 | --- a/libtiff/tif_aux.c | ||
24 | +++ b/libtiff/tif_aux.c | ||
25 | @@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) | ||
26 | return bytes; | ||
27 | } | ||
28 | |||
29 | +tmsize_t | ||
30 | +_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) | ||
31 | +{ | ||
32 | + if( first <= 0 || second <= 0 ) | ||
33 | + { | ||
34 | + if( tif != NULL && where != NULL ) | ||
35 | + { | ||
36 | + TIFFErrorExt(tif->tif_clientdata, where, | ||
37 | + "Invalid argument to _TIFFMultiplySSize() in %s", where); | ||
38 | + } | ||
39 | + return 0; | ||
40 | + } | ||
41 | + | ||
42 | + if( first > TIFF_TMSIZE_T_MAX / second ) | ||
43 | + { | ||
44 | + if( tif != NULL && where != NULL ) | ||
45 | + { | ||
46 | + TIFFErrorExt(tif->tif_clientdata, where, | ||
47 | + "Integer overflow in %s", where); | ||
48 | + } | ||
49 | + return 0; | ||
50 | + } | ||
51 | + return first * second; | ||
52 | +} | ||
53 | + | ||
54 | +tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) | ||
55 | +{ | ||
56 | + if( val > (uint64)TIFF_TMSIZE_T_MAX ) | ||
57 | + { | ||
58 | + if( tif != NULL && module != NULL ) | ||
59 | + { | ||
60 | + TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
61 | + } | ||
62 | + return 0; | ||
63 | + } | ||
64 | + return (tmsize_t)val; | ||
65 | +} | ||
66 | + | ||
67 | void* | ||
68 | _TIFFCheckRealloc(TIFF* tif, void* buffer, | ||
69 | tmsize_t nmemb, tmsize_t elem_size, const char* what) | ||
70 | { | ||
71 | void* cp = NULL; | ||
72 | - tmsize_t bytes = nmemb * elem_size; | ||
73 | - | ||
74 | + tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); | ||
75 | /* | ||
76 | - * XXX: Check for integer overflow. | ||
77 | + * Check for integer overflow. | ||
78 | */ | ||
79 | - if (nmemb && elem_size && bytes / elem_size == nmemb) | ||
80 | - cp = _TIFFrealloc(buffer, bytes); | ||
81 | + if (count != 0) | ||
82 | + { | ||
83 | + cp = _TIFFrealloc(buffer, count); | ||
84 | + } | ||
85 | |||
86 | if (cp == NULL) { | ||
87 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
88 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
89 | index 6a9d5a7c..2106ca21 100644 | ||
90 | --- a/libtiff/tif_getimage.c | ||
91 | +++ b/libtiff/tif_getimage.c | ||
92 | @@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
93 | uint32 leftmost_tw; | ||
94 | |||
95 | tilesize = TIFFTileSize(tif); | ||
96 | - bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); | ||
97 | + bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); | ||
98 | if (bufsize == 0) { | ||
99 | - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); | ||
100 | return (0); | ||
101 | } | ||
102 | |||
103 | @@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
104 | uint16 colorchannels; | ||
105 | |||
106 | stripsize = TIFFStripSize(tif); | ||
107 | - bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); | ||
108 | + bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); | ||
109 | if (bufsize == 0) { | ||
110 | - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); | ||
111 | return (0); | ||
112 | } | ||
113 | |||
114 | diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c | ||
115 | index aa35ea07..46d2dff2 100644 | ||
116 | --- a/libtiff/tif_luv.c | ||
117 | +++ b/libtiff/tif_luv.c | ||
118 | @@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td) | ||
119 | return (SGILOGDATAFMT_UNKNOWN); | ||
120 | } | ||
121 | |||
122 | - | ||
123 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
124 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
125 | - | ||
126 | static tmsize_t | ||
127 | multiply_ms(tmsize_t m1, tmsize_t m2) | ||
128 | { | ||
129 | - if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) | ||
130 | - return 0; | ||
131 | - return m1 * m2; | ||
132 | + return _TIFFMultiplySSize(NULL, m1, m2, NULL); | ||
133 | } | ||
134 | |||
135 | static int | ||
136 | diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c | ||
137 | index 7438d692..b52a3ee4 100644 | ||
138 | --- a/libtiff/tif_pixarlog.c | ||
139 | +++ b/libtiff/tif_pixarlog.c | ||
140 | @@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td) | ||
141 | return guess; | ||
142 | } | ||
143 | |||
144 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
145 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
146 | - | ||
147 | static tmsize_t | ||
148 | multiply_ms(tmsize_t m1, tmsize_t m2) | ||
149 | { | ||
150 | - if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) | ||
151 | - return 0; | ||
152 | - return m1 * m2; | ||
153 | + return _TIFFMultiplySSize(NULL, m1, m2, NULL); | ||
154 | } | ||
155 | |||
156 | static tmsize_t | ||
157 | diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c | ||
158 | index e63810cc..8db39d7a 100644 | ||
159 | --- a/libtiff/tif_read.c | ||
160 | +++ b/libtiff/tif_read.c | ||
161 | @@ -29,9 +29,6 @@ | ||
162 | #include "tiffiop.h" | ||
163 | #include <stdio.h> | ||
164 | |||
165 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
166 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
167 | - | ||
168 | int TIFFFillStrip(TIFF* tif, uint32 strip); | ||
169 | int TIFFFillTile(TIFF* tif, uint32 tile); | ||
170 | static int TIFFStartStrip(TIFF* tif, uint32 strip); | ||
171 | @@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m | ||
172 | #define THRESHOLD_MULTIPLIER 10 | ||
173 | #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) | ||
174 | |||
175 | +#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF) | ||
176 | + | ||
177 | /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' | ||
178 | * Returns 1 in case of success, 0 otherwise. */ | ||
179 | static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, | ||
180 | @@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) | ||
181 | return ((tmsize_t)(-1)); | ||
182 | } | ||
183 | bytecount = td->td_stripbytecount[strip]; | ||
184 | - if ((int64)bytecount <= 0) { | ||
185 | -#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
186 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
187 | - "%I64u: Invalid strip byte count, strip %lu", | ||
188 | - (unsigned __int64) bytecount, | ||
189 | - (unsigned long) strip); | ||
190 | -#else | ||
191 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
192 | - "%llu: Invalid strip byte count, strip %lu", | ||
193 | - (unsigned long long) bytecount, | ||
194 | - (unsigned long) strip); | ||
195 | -#endif | ||
196 | - return ((tmsize_t)(-1)); | ||
197 | - } | ||
198 | - bytecountm = (tmsize_t)bytecount; | ||
199 | - if ((uint64)bytecountm!=bytecount) { | ||
200 | - TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); | ||
201 | + bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module); | ||
202 | + if (bytecountm == 0) { | ||
203 | return ((tmsize_t)(-1)); | ||
204 | } | ||
205 | if (size != (tmsize_t)(-1) && size < bytecountm) | ||
206 | @@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) | ||
207 | if ((tif->tif_flags&TIFF_NOREADRAW)==0) | ||
208 | { | ||
209 | uint64 bytecount = td->td_stripbytecount[strip]; | ||
210 | - if ((int64)bytecount <= 0) { | ||
211 | + if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { | ||
212 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
213 | TIFFErrorExt(tif->tif_clientdata, module, | ||
214 | "Invalid strip byte count %I64u, strip %lu", | ||
215 | @@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) | ||
216 | (bytecount - 4096) / 10 > (uint64)stripsize ) | ||
217 | { | ||
218 | uint64 newbytecount = (uint64)stripsize * 10 + 4096; | ||
219 | - if( (int64)newbytecount >= 0 ) | ||
220 | + if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) | ||
221 | { | ||
222 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
223 | TIFFWarningExt(tif->tif_clientdata, module, | ||
224 | @@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) | ||
225 | bytecount64 = td->td_stripbytecount[tile]; | ||
226 | if (size != (tmsize_t)(-1) && (uint64)size < bytecount64) | ||
227 | bytecount64 = (uint64)size; | ||
228 | - bytecountm = (tmsize_t)bytecount64; | ||
229 | - if ((uint64)bytecountm!=bytecount64) | ||
230 | - { | ||
231 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
232 | + bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module); | ||
233 | + if( bytecountm == 0 ) { | ||
234 | return ((tmsize_t)(-1)); | ||
235 | } | ||
236 | return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); | ||
237 | @@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) | ||
238 | if ((tif->tif_flags&TIFF_NOREADRAW)==0) | ||
239 | { | ||
240 | uint64 bytecount = td->td_stripbytecount[tile]; | ||
241 | - if ((int64)bytecount <= 0) { | ||
242 | + if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { | ||
243 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
244 | TIFFErrorExt(tif->tif_clientdata, module, | ||
245 | "%I64u: Invalid tile byte count, tile %lu", | ||
246 | @@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) | ||
247 | (bytecount - 4096) / 10 > (uint64)stripsize ) | ||
248 | { | ||
249 | uint64 newbytecount = (uint64)stripsize * 10 + 4096; | ||
250 | - if( (int64)newbytecount >= 0 ) | ||
251 | + if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) | ||
252 | { | ||
253 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
254 | TIFFWarningExt(tif->tif_clientdata, module, | ||
255 | diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c | ||
256 | index 5b76fba5..2366acf0 100644 | ||
257 | --- a/libtiff/tif_strip.c | ||
258 | +++ b/libtiff/tif_strip.c | ||
259 | @@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) | ||
260 | { | ||
261 | static const char module[] = "TIFFVStripSize"; | ||
262 | uint64 m; | ||
263 | - tmsize_t n; | ||
264 | m=TIFFVStripSize64(tif,nrows); | ||
265 | - n=(tmsize_t)m; | ||
266 | - if ((uint64)n!=m) | ||
267 | - { | ||
268 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
269 | - n=0; | ||
270 | - } | ||
271 | - return(n); | ||
272 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
273 | } | ||
274 | |||
275 | /* | ||
276 | @@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif) | ||
277 | { | ||
278 | static const char module[] = "TIFFStripSize"; | ||
279 | uint64 m; | ||
280 | - tmsize_t n; | ||
281 | m=TIFFStripSize64(tif); | ||
282 | - n=(tmsize_t)m; | ||
283 | - if ((uint64)n!=m) | ||
284 | - { | ||
285 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
286 | - n=0; | ||
287 | - } | ||
288 | - return(n); | ||
289 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
290 | } | ||
291 | |||
292 | /* | ||
293 | @@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif) | ||
294 | { | ||
295 | static const char module[] = "TIFFScanlineSize"; | ||
296 | uint64 m; | ||
297 | - tmsize_t n; | ||
298 | m=TIFFScanlineSize64(tif); | ||
299 | - n=(tmsize_t)m; | ||
300 | - if ((uint64)n!=m) { | ||
301 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); | ||
302 | - n=0; | ||
303 | - } | ||
304 | - return(n); | ||
305 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
306 | } | ||
307 | |||
308 | /* | ||
309 | @@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif) | ||
310 | { | ||
311 | static const char module[] = "TIFFRasterScanlineSize"; | ||
312 | uint64 m; | ||
313 | - tmsize_t n; | ||
314 | m=TIFFRasterScanlineSize64(tif); | ||
315 | - n=(tmsize_t)m; | ||
316 | - if ((uint64)n!=m) | ||
317 | - { | ||
318 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); | ||
319 | - n=0; | ||
320 | - } | ||
321 | - return(n); | ||
322 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
323 | } | ||
324 | |||
325 | /* vim: set ts=8 sts=8 sw=8 noet: */ | ||
326 | diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c | ||
327 | index 58fe9354..661cc771 100644 | ||
328 | --- a/libtiff/tif_tile.c | ||
329 | +++ b/libtiff/tif_tile.c | ||
330 | @@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif) | ||
331 | { | ||
332 | static const char module[] = "TIFFTileRowSize"; | ||
333 | uint64 m; | ||
334 | - tmsize_t n; | ||
335 | m=TIFFTileRowSize64(tif); | ||
336 | - n=(tmsize_t)m; | ||
337 | - if ((uint64)n!=m) | ||
338 | - { | ||
339 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
340 | - n=0; | ||
341 | - } | ||
342 | - return(n); | ||
343 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
344 | } | ||
345 | |||
346 | /* | ||
347 | @@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) | ||
348 | { | ||
349 | static const char module[] = "TIFFVTileSize"; | ||
350 | uint64 m; | ||
351 | - tmsize_t n; | ||
352 | m=TIFFVTileSize64(tif,nrows); | ||
353 | - n=(tmsize_t)m; | ||
354 | - if ((uint64)n!=m) | ||
355 | - { | ||
356 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
357 | - n=0; | ||
358 | - } | ||
359 | - return(n); | ||
360 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
361 | } | ||
362 | |||
363 | /* | ||
364 | @@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif) | ||
365 | { | ||
366 | static const char module[] = "TIFFTileSize"; | ||
367 | uint64 m; | ||
368 | - tmsize_t n; | ||
369 | m=TIFFTileSize64(tif); | ||
370 | - n=(tmsize_t)m; | ||
371 | - if ((uint64)n!=m) | ||
372 | - { | ||
373 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
374 | - n=0; | ||
375 | - } | ||
376 | - return(n); | ||
377 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
378 | } | ||
379 | |||
380 | /* | ||
381 | diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h | ||
382 | index 186c291f..558484fe 100644 | ||
383 | --- a/libtiff/tiffiop.h | ||
384 | +++ b/libtiff/tiffiop.h | ||
385 | @@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); | ||
386 | #define FALSE 0 | ||
387 | #endif | ||
388 | |||
389 | +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
390 | +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
391 | + | ||
392 | typedef struct client_info { | ||
393 | struct client_info *next; | ||
394 | void *data; | ||
395 | @@ -258,7 +261,7 @@ struct tiff { | ||
396 | #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) | ||
397 | #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) | ||
398 | |||
399 | -/* Safe multiply which returns zero if there is an integer overflow */ | ||
400 | +/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ | ||
401 | #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) | ||
402 | |||
403 | #define TIFFmax(A,B) ((A)>(B)?(A):(B)) | ||
404 | @@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; | ||
405 | |||
406 | extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); | ||
407 | extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); | ||
408 | +extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); | ||
409 | +extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); | ||
410 | extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); | ||
411 | extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); | ||
412 | |||
413 | -- | ||
414 | 2.17.1 | ||
415 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index 999496273c..0432763cce 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | |||
@@ -6,7 +6,9 @@ CVE_PRODUCT = "libtiff" | |||
6 | 6 | ||
7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ |
8 | file://CVE-2019-6128.patch \ | 8 | file://CVE-2019-6128.patch \ |
9 | file://CVE-2019-7663.patch" | 9 | file://CVE-2019-7663.patch \ |
10 | file://CVE-2019-14973.patch \ | ||
11 | " | ||
10 | SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" | 12 | SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" |
11 | SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" | 13 | SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" |
12 | 14 | ||