diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2019-11-18 15:28:43 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-21 23:08:19 +0000 |
commit | f931a332d1db0730b4edc05ce19105b9d7909ec3 (patch) | |
tree | b887c970077204594a71a3e01e6cb8fab62f543a /meta/recipes-multimedia/libtiff | |
parent | f681fd3b2fd69b6ecf71c317bc4a8e8786c0a38f (diff) | |
download | poky-f931a332d1db0730b4edc05ce19105b9d7909ec3.tar.gz |
tiff: update to 4.1.0
Drop backported patches.
(From OE-Core rev: e5ecf2604e5b8c957eb3bae21fb3c9b2b1b7e12f)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch | 415 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch | 103 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch | 52 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch | 77 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.1.0.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.0.10.bb) | 10 |
5 files changed, 3 insertions, 654 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch deleted file mode 100644 index 8345295d07..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch +++ /dev/null | |||
@@ -1,415 +0,0 @@ | |||
1 | From 95ac1e3fcc6b643b5bd100f2ea54faca0a003315 Mon Sep 17 00:00:00 2001 | ||
2 | From: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
3 | Date: Fri, 20 Sep 2019 09:33:22 -0400 | ||
4 | Subject: [PATCH] libtiff-fix-CVE-2019-14973 | ||
5 | |||
6 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/2218055ca67d84be596a13080e8f50f22116555c] | ||
7 | CVE: CVE-2019-14973 | ||
8 | |||
9 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
10 | --- | ||
11 | libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++----- | ||
12 | libtiff/tif_getimage.c | 6 ++---- | ||
13 | libtiff/tif_luv.c | 8 +------ | ||
14 | libtiff/tif_pixarlog.c | 7 +----- | ||
15 | libtiff/tif_read.c | 38 +++++++++----------------------- | ||
16 | libtiff/tif_strip.c | 35 ++++-------------------------- | ||
17 | libtiff/tif_tile.c | 27 +++-------------------- | ||
18 | libtiff/tiffiop.h | 7 +++++- | ||
19 | 8 files changed, 71 insertions(+), 106 deletions(-) | ||
20 | |||
21 | diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c | ||
22 | index 4ece162f..33fb8a44 100644 | ||
23 | --- a/libtiff/tif_aux.c | ||
24 | +++ b/libtiff/tif_aux.c | ||
25 | @@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) | ||
26 | return bytes; | ||
27 | } | ||
28 | |||
29 | +tmsize_t | ||
30 | +_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) | ||
31 | +{ | ||
32 | + if( first <= 0 || second <= 0 ) | ||
33 | + { | ||
34 | + if( tif != NULL && where != NULL ) | ||
35 | + { | ||
36 | + TIFFErrorExt(tif->tif_clientdata, where, | ||
37 | + "Invalid argument to _TIFFMultiplySSize() in %s", where); | ||
38 | + } | ||
39 | + return 0; | ||
40 | + } | ||
41 | + | ||
42 | + if( first > TIFF_TMSIZE_T_MAX / second ) | ||
43 | + { | ||
44 | + if( tif != NULL && where != NULL ) | ||
45 | + { | ||
46 | + TIFFErrorExt(tif->tif_clientdata, where, | ||
47 | + "Integer overflow in %s", where); | ||
48 | + } | ||
49 | + return 0; | ||
50 | + } | ||
51 | + return first * second; | ||
52 | +} | ||
53 | + | ||
54 | +tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) | ||
55 | +{ | ||
56 | + if( val > (uint64)TIFF_TMSIZE_T_MAX ) | ||
57 | + { | ||
58 | + if( tif != NULL && module != NULL ) | ||
59 | + { | ||
60 | + TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
61 | + } | ||
62 | + return 0; | ||
63 | + } | ||
64 | + return (tmsize_t)val; | ||
65 | +} | ||
66 | + | ||
67 | void* | ||
68 | _TIFFCheckRealloc(TIFF* tif, void* buffer, | ||
69 | tmsize_t nmemb, tmsize_t elem_size, const char* what) | ||
70 | { | ||
71 | void* cp = NULL; | ||
72 | - tmsize_t bytes = nmemb * elem_size; | ||
73 | - | ||
74 | + tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); | ||
75 | /* | ||
76 | - * XXX: Check for integer overflow. | ||
77 | + * Check for integer overflow. | ||
78 | */ | ||
79 | - if (nmemb && elem_size && bytes / elem_size == nmemb) | ||
80 | - cp = _TIFFrealloc(buffer, bytes); | ||
81 | + if (count != 0) | ||
82 | + { | ||
83 | + cp = _TIFFrealloc(buffer, count); | ||
84 | + } | ||
85 | |||
86 | if (cp == NULL) { | ||
87 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
88 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
89 | index 6a9d5a7c..2106ca21 100644 | ||
90 | --- a/libtiff/tif_getimage.c | ||
91 | +++ b/libtiff/tif_getimage.c | ||
92 | @@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
93 | uint32 leftmost_tw; | ||
94 | |||
95 | tilesize = TIFFTileSize(tif); | ||
96 | - bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); | ||
97 | + bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); | ||
98 | if (bufsize == 0) { | ||
99 | - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); | ||
100 | return (0); | ||
101 | } | ||
102 | |||
103 | @@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
104 | uint16 colorchannels; | ||
105 | |||
106 | stripsize = TIFFStripSize(tif); | ||
107 | - bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); | ||
108 | + bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); | ||
109 | if (bufsize == 0) { | ||
110 | - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); | ||
111 | return (0); | ||
112 | } | ||
113 | |||
114 | diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c | ||
115 | index aa35ea07..46d2dff2 100644 | ||
116 | --- a/libtiff/tif_luv.c | ||
117 | +++ b/libtiff/tif_luv.c | ||
118 | @@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td) | ||
119 | return (SGILOGDATAFMT_UNKNOWN); | ||
120 | } | ||
121 | |||
122 | - | ||
123 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
124 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
125 | - | ||
126 | static tmsize_t | ||
127 | multiply_ms(tmsize_t m1, tmsize_t m2) | ||
128 | { | ||
129 | - if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) | ||
130 | - return 0; | ||
131 | - return m1 * m2; | ||
132 | + return _TIFFMultiplySSize(NULL, m1, m2, NULL); | ||
133 | } | ||
134 | |||
135 | static int | ||
136 | diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c | ||
137 | index 7438d692..b52a3ee4 100644 | ||
138 | --- a/libtiff/tif_pixarlog.c | ||
139 | +++ b/libtiff/tif_pixarlog.c | ||
140 | @@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td) | ||
141 | return guess; | ||
142 | } | ||
143 | |||
144 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
145 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
146 | - | ||
147 | static tmsize_t | ||
148 | multiply_ms(tmsize_t m1, tmsize_t m2) | ||
149 | { | ||
150 | - if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) | ||
151 | - return 0; | ||
152 | - return m1 * m2; | ||
153 | + return _TIFFMultiplySSize(NULL, m1, m2, NULL); | ||
154 | } | ||
155 | |||
156 | static tmsize_t | ||
157 | diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c | ||
158 | index e63810cc..8db39d7a 100644 | ||
159 | --- a/libtiff/tif_read.c | ||
160 | +++ b/libtiff/tif_read.c | ||
161 | @@ -29,9 +29,6 @@ | ||
162 | #include "tiffiop.h" | ||
163 | #include <stdio.h> | ||
164 | |||
165 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
166 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
167 | - | ||
168 | int TIFFFillStrip(TIFF* tif, uint32 strip); | ||
169 | int TIFFFillTile(TIFF* tif, uint32 tile); | ||
170 | static int TIFFStartStrip(TIFF* tif, uint32 strip); | ||
171 | @@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m | ||
172 | #define THRESHOLD_MULTIPLIER 10 | ||
173 | #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) | ||
174 | |||
175 | +#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF) | ||
176 | + | ||
177 | /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' | ||
178 | * Returns 1 in case of success, 0 otherwise. */ | ||
179 | static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, | ||
180 | @@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) | ||
181 | return ((tmsize_t)(-1)); | ||
182 | } | ||
183 | bytecount = td->td_stripbytecount[strip]; | ||
184 | - if ((int64)bytecount <= 0) { | ||
185 | -#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
186 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
187 | - "%I64u: Invalid strip byte count, strip %lu", | ||
188 | - (unsigned __int64) bytecount, | ||
189 | - (unsigned long) strip); | ||
190 | -#else | ||
191 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
192 | - "%llu: Invalid strip byte count, strip %lu", | ||
193 | - (unsigned long long) bytecount, | ||
194 | - (unsigned long) strip); | ||
195 | -#endif | ||
196 | - return ((tmsize_t)(-1)); | ||
197 | - } | ||
198 | - bytecountm = (tmsize_t)bytecount; | ||
199 | - if ((uint64)bytecountm!=bytecount) { | ||
200 | - TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); | ||
201 | + bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module); | ||
202 | + if (bytecountm == 0) { | ||
203 | return ((tmsize_t)(-1)); | ||
204 | } | ||
205 | if (size != (tmsize_t)(-1) && size < bytecountm) | ||
206 | @@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) | ||
207 | if ((tif->tif_flags&TIFF_NOREADRAW)==0) | ||
208 | { | ||
209 | uint64 bytecount = td->td_stripbytecount[strip]; | ||
210 | - if ((int64)bytecount <= 0) { | ||
211 | + if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { | ||
212 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
213 | TIFFErrorExt(tif->tif_clientdata, module, | ||
214 | "Invalid strip byte count %I64u, strip %lu", | ||
215 | @@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) | ||
216 | (bytecount - 4096) / 10 > (uint64)stripsize ) | ||
217 | { | ||
218 | uint64 newbytecount = (uint64)stripsize * 10 + 4096; | ||
219 | - if( (int64)newbytecount >= 0 ) | ||
220 | + if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) | ||
221 | { | ||
222 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
223 | TIFFWarningExt(tif->tif_clientdata, module, | ||
224 | @@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) | ||
225 | bytecount64 = td->td_stripbytecount[tile]; | ||
226 | if (size != (tmsize_t)(-1) && (uint64)size < bytecount64) | ||
227 | bytecount64 = (uint64)size; | ||
228 | - bytecountm = (tmsize_t)bytecount64; | ||
229 | - if ((uint64)bytecountm!=bytecount64) | ||
230 | - { | ||
231 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
232 | + bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module); | ||
233 | + if( bytecountm == 0 ) { | ||
234 | return ((tmsize_t)(-1)); | ||
235 | } | ||
236 | return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); | ||
237 | @@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) | ||
238 | if ((tif->tif_flags&TIFF_NOREADRAW)==0) | ||
239 | { | ||
240 | uint64 bytecount = td->td_stripbytecount[tile]; | ||
241 | - if ((int64)bytecount <= 0) { | ||
242 | + if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { | ||
243 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
244 | TIFFErrorExt(tif->tif_clientdata, module, | ||
245 | "%I64u: Invalid tile byte count, tile %lu", | ||
246 | @@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) | ||
247 | (bytecount - 4096) / 10 > (uint64)stripsize ) | ||
248 | { | ||
249 | uint64 newbytecount = (uint64)stripsize * 10 + 4096; | ||
250 | - if( (int64)newbytecount >= 0 ) | ||
251 | + if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) | ||
252 | { | ||
253 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
254 | TIFFWarningExt(tif->tif_clientdata, module, | ||
255 | diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c | ||
256 | index 5b76fba5..2366acf0 100644 | ||
257 | --- a/libtiff/tif_strip.c | ||
258 | +++ b/libtiff/tif_strip.c | ||
259 | @@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) | ||
260 | { | ||
261 | static const char module[] = "TIFFVStripSize"; | ||
262 | uint64 m; | ||
263 | - tmsize_t n; | ||
264 | m=TIFFVStripSize64(tif,nrows); | ||
265 | - n=(tmsize_t)m; | ||
266 | - if ((uint64)n!=m) | ||
267 | - { | ||
268 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
269 | - n=0; | ||
270 | - } | ||
271 | - return(n); | ||
272 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
273 | } | ||
274 | |||
275 | /* | ||
276 | @@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif) | ||
277 | { | ||
278 | static const char module[] = "TIFFStripSize"; | ||
279 | uint64 m; | ||
280 | - tmsize_t n; | ||
281 | m=TIFFStripSize64(tif); | ||
282 | - n=(tmsize_t)m; | ||
283 | - if ((uint64)n!=m) | ||
284 | - { | ||
285 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
286 | - n=0; | ||
287 | - } | ||
288 | - return(n); | ||
289 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
290 | } | ||
291 | |||
292 | /* | ||
293 | @@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif) | ||
294 | { | ||
295 | static const char module[] = "TIFFScanlineSize"; | ||
296 | uint64 m; | ||
297 | - tmsize_t n; | ||
298 | m=TIFFScanlineSize64(tif); | ||
299 | - n=(tmsize_t)m; | ||
300 | - if ((uint64)n!=m) { | ||
301 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); | ||
302 | - n=0; | ||
303 | - } | ||
304 | - return(n); | ||
305 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
306 | } | ||
307 | |||
308 | /* | ||
309 | @@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif) | ||
310 | { | ||
311 | static const char module[] = "TIFFRasterScanlineSize"; | ||
312 | uint64 m; | ||
313 | - tmsize_t n; | ||
314 | m=TIFFRasterScanlineSize64(tif); | ||
315 | - n=(tmsize_t)m; | ||
316 | - if ((uint64)n!=m) | ||
317 | - { | ||
318 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); | ||
319 | - n=0; | ||
320 | - } | ||
321 | - return(n); | ||
322 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
323 | } | ||
324 | |||
325 | /* vim: set ts=8 sts=8 sw=8 noet: */ | ||
326 | diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c | ||
327 | index 58fe9354..661cc771 100644 | ||
328 | --- a/libtiff/tif_tile.c | ||
329 | +++ b/libtiff/tif_tile.c | ||
330 | @@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif) | ||
331 | { | ||
332 | static const char module[] = "TIFFTileRowSize"; | ||
333 | uint64 m; | ||
334 | - tmsize_t n; | ||
335 | m=TIFFTileRowSize64(tif); | ||
336 | - n=(tmsize_t)m; | ||
337 | - if ((uint64)n!=m) | ||
338 | - { | ||
339 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
340 | - n=0; | ||
341 | - } | ||
342 | - return(n); | ||
343 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
344 | } | ||
345 | |||
346 | /* | ||
347 | @@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) | ||
348 | { | ||
349 | static const char module[] = "TIFFVTileSize"; | ||
350 | uint64 m; | ||
351 | - tmsize_t n; | ||
352 | m=TIFFVTileSize64(tif,nrows); | ||
353 | - n=(tmsize_t)m; | ||
354 | - if ((uint64)n!=m) | ||
355 | - { | ||
356 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
357 | - n=0; | ||
358 | - } | ||
359 | - return(n); | ||
360 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
361 | } | ||
362 | |||
363 | /* | ||
364 | @@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif) | ||
365 | { | ||
366 | static const char module[] = "TIFFTileSize"; | ||
367 | uint64 m; | ||
368 | - tmsize_t n; | ||
369 | m=TIFFTileSize64(tif); | ||
370 | - n=(tmsize_t)m; | ||
371 | - if ((uint64)n!=m) | ||
372 | - { | ||
373 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
374 | - n=0; | ||
375 | - } | ||
376 | - return(n); | ||
377 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
378 | } | ||
379 | |||
380 | /* | ||
381 | diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h | ||
382 | index 186c291f..558484fe 100644 | ||
383 | --- a/libtiff/tiffiop.h | ||
384 | +++ b/libtiff/tiffiop.h | ||
385 | @@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); | ||
386 | #define FALSE 0 | ||
387 | #endif | ||
388 | |||
389 | +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
390 | +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
391 | + | ||
392 | typedef struct client_info { | ||
393 | struct client_info *next; | ||
394 | void *data; | ||
395 | @@ -258,7 +261,7 @@ struct tiff { | ||
396 | #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) | ||
397 | #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) | ||
398 | |||
399 | -/* Safe multiply which returns zero if there is an integer overflow */ | ||
400 | +/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ | ||
401 | #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) | ||
402 | |||
403 | #define TIFFmax(A,B) ((A)>(B)?(A):(B)) | ||
404 | @@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; | ||
405 | |||
406 | extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); | ||
407 | extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); | ||
408 | +extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); | ||
409 | +extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); | ||
410 | extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); | ||
411 | extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); | ||
412 | |||
413 | -- | ||
414 | 2.17.1 | ||
415 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch deleted file mode 100644 index 04c5410930..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch +++ /dev/null | |||
@@ -1,103 +0,0 @@ | |||
1 | libtiff: fix CVE-2019-17546 | ||
2 | |||
3 | Added after 4.0.10 release. | ||
4 | |||
5 | CVE: CVE-2019-17546 | ||
6 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff] | ||
7 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
8 | |||
9 | commit 4bb584a35f87af42d6cf09d15e9ce8909a839145 | ||
10 | Author: Even Rouault <even.rouault@spatialys.com> | ||
11 | Date: Thu Aug 15 15:05:28 2019 +0200 | ||
12 | |||
13 | RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz | ||
14 | |||
15 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
16 | index c88b5fa..4da785d 100644 | ||
17 | --- a/libtiff/tif_getimage.c | ||
18 | +++ b/libtiff/tif_getimage.c | ||
19 | @@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
20 | fromskew = (w < imagewidth ? imagewidth - w : 0); | ||
21 | for (row = 0; row < h; row += nrow) | ||
22 | { | ||
23 | + uint32 temp; | ||
24 | rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; | ||
25 | nrow = (row + rowstoread > h ? h - row : rowstoread); | ||
26 | nrowsub = nrow; | ||
27 | if ((nrowsub%subsamplingver)!=0) | ||
28 | nrowsub+=subsamplingver-nrowsub%subsamplingver; | ||
29 | + temp = (row + img->row_offset)%rowsperstrip + nrowsub; | ||
30 | + if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) | ||
31 | + { | ||
32 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); | ||
33 | + return 0; | ||
34 | + } | ||
35 | if (_TIFFReadEncodedStripAndAllocBuffer(tif, | ||
36 | TIFFComputeStrip(tif,row+img->row_offset, 0), | ||
37 | (void**)(&buf), | ||
38 | maxstripsize, | ||
39 | - ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) | ||
40 | + temp * scanline)==(tmsize_t)(-1) | ||
41 | && (buf == NULL || img->stoponerr)) | ||
42 | { | ||
43 | ret = 0; | ||
44 | @@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
45 | fromskew = (w < imagewidth ? imagewidth - w : 0); | ||
46 | for (row = 0; row < h; row += nrow) | ||
47 | { | ||
48 | + uint32 temp; | ||
49 | rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; | ||
50 | nrow = (row + rowstoread > h ? h - row : rowstoread); | ||
51 | offset_row = row + img->row_offset; | ||
52 | + temp = (row + img->row_offset)%rowsperstrip + nrow; | ||
53 | + if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) | ||
54 | + { | ||
55 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); | ||
56 | + return 0; | ||
57 | + } | ||
58 | if( buf == NULL ) | ||
59 | { | ||
60 | if (_TIFFReadEncodedStripAndAllocBuffer( | ||
61 | tif, TIFFComputeStrip(tif, offset_row, 0), | ||
62 | (void**) &buf, bufsize, | ||
63 | - ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
64 | + temp * scanline)==(tmsize_t)(-1) | ||
65 | && (buf == NULL || img->stoponerr)) | ||
66 | { | ||
67 | ret = 0; | ||
68 | @@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
69 | } | ||
70 | } | ||
71 | else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), | ||
72 | - p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
73 | + p0, temp * scanline)==(tmsize_t)(-1) | ||
74 | && img->stoponerr) | ||
75 | { | ||
76 | ret = 0; | ||
77 | @@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
78 | } | ||
79 | if (colorchannels > 1 | ||
80 | && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), | ||
81 | - p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) | ||
82 | + p1, temp * scanline) == (tmsize_t)(-1) | ||
83 | && img->stoponerr) | ||
84 | { | ||
85 | ret = 0; | ||
86 | @@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
87 | } | ||
88 | if (colorchannels > 1 | ||
89 | && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), | ||
90 | - p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) | ||
91 | + p2, temp * scanline) == (tmsize_t)(-1) | ||
92 | && img->stoponerr) | ||
93 | { | ||
94 | ret = 0; | ||
95 | @@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
96 | if (alpha) | ||
97 | { | ||
98 | if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), | ||
99 | - pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
100 | + pa, temp * scanline)==(tmsize_t)(-1) | ||
101 | && img->stoponerr) | ||
102 | { | ||
103 | ret = 0; | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch deleted file mode 100644 index 6f1fd4d447..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch +++ /dev/null | |||
@@ -1,52 +0,0 @@ | |||
1 | CVE: CVE-2019-6128 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001 | ||
6 | From: Scott Gayou <github.scott@gmail.com> | ||
7 | Date: Wed, 23 Jan 2019 15:03:53 -0500 | ||
8 | Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128. | ||
9 | |||
10 | pal2rgb failed to free memory on a few errors. This was reported | ||
11 | here: http://bugzilla.maptools.org/show_bug.cgi?id=2836. | ||
12 | --- | ||
13 | tools/pal2rgb.c | 7 ++++++- | ||
14 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c | ||
17 | index 01d8502ec..9492f1cf1 100644 | ||
18 | --- a/tools/pal2rgb.c | ||
19 | +++ b/tools/pal2rgb.c | ||
20 | @@ -118,12 +118,14 @@ main(int argc, char* argv[]) | ||
21 | shortv != PHOTOMETRIC_PALETTE) { | ||
22 | fprintf(stderr, "%s: Expecting a palette image.\n", | ||
23 | argv[optind]); | ||
24 | + (void) TIFFClose(in); | ||
25 | return (-1); | ||
26 | } | ||
27 | if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { | ||
28 | fprintf(stderr, | ||
29 | "%s: No colormap (not a valid palette image).\n", | ||
30 | argv[optind]); | ||
31 | + (void) TIFFClose(in); | ||
32 | return (-1); | ||
33 | } | ||
34 | bitspersample = 0; | ||
35 | @@ -131,11 +133,14 @@ main(int argc, char* argv[]) | ||
36 | if (bitspersample != 8) { | ||
37 | fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", | ||
38 | argv[optind]); | ||
39 | + (void) TIFFClose(in); | ||
40 | return (-1); | ||
41 | } | ||
42 | out = TIFFOpen(argv[optind+1], "w"); | ||
43 | - if (out == NULL) | ||
44 | + if (out == NULL) { | ||
45 | + (void) TIFFClose(in); | ||
46 | return (-2); | ||
47 | + } | ||
48 | cpTags(in, out); | ||
49 | TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); | ||
50 | TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); | ||
51 | -- | ||
52 | 2.21.0 | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch deleted file mode 100644 index f244fb2f32..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch +++ /dev/null | |||
@@ -1,77 +0,0 @@ | |||
1 | CVE: CVE-2019-7663 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 | ||
6 | From: Thomas Bernard <miniupnp@free.fr> | ||
7 | Date: Mon, 11 Feb 2019 10:05:33 +0100 | ||
8 | Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow | ||
9 | |||
10 | fixes bug 2833 | ||
11 | --- | ||
12 | tools/tiffcp.c | 8 +++++++- | ||
13 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
16 | index 2f406e2d..f0ee2c02 100644 | ||
17 | --- a/tools/tiffcp.c | ||
18 | +++ b/tools/tiffcp.c | ||
19 | @@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
20 | int status = 1; | ||
21 | uint32 imagew = TIFFRasterScanlineSize(in); | ||
22 | uint32 tilew = TIFFTileRowSize(in); | ||
23 | - int iskew = imagew - tilew*spp; | ||
24 | + int iskew; | ||
25 | tsize_t tilesize = TIFFTileSize(in); | ||
26 | tdata_t tilebuf; | ||
27 | uint8* bufp = (uint8*) buf; | ||
28 | @@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
29 | uint32 row; | ||
30 | uint16 bps = 0, bytes_per_sample; | ||
31 | |||
32 | + if (spp > (0x7fffffff / tilew)) | ||
33 | + { | ||
34 | + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); | ||
35 | + return 0; | ||
36 | + } | ||
37 | + iskew = imagew - tilew*spp; | ||
38 | tilebuf = _TIFFmalloc(tilesize); | ||
39 | if (tilebuf == 0) | ||
40 | return 0; | ||
41 | -- | ||
42 | 2.20.1 | ||
43 | |||
44 | |||
45 | From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001 | ||
46 | From: Thomas Bernard <miniupnp@free.fr> | ||
47 | Date: Mon, 11 Feb 2019 21:42:03 +0100 | ||
48 | Subject: [PATCH 2/2] tiffcp.c: use INT_MAX | ||
49 | |||
50 | --- | ||
51 | tools/tiffcp.c | 3 ++- | ||
52 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
53 | |||
54 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
55 | index f0ee2c02..8c81aa4f 100644 | ||
56 | --- a/tools/tiffcp.c | ||
57 | +++ b/tools/tiffcp.c | ||
58 | @@ -41,6 +41,7 @@ | ||
59 | #include <stdio.h> | ||
60 | #include <stdlib.h> | ||
61 | #include <string.h> | ||
62 | +#include <limits.h> | ||
63 | |||
64 | #include <ctype.h> | ||
65 | |||
66 | @@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
67 | uint32 row; | ||
68 | uint16 bps = 0, bytes_per_sample; | ||
69 | |||
70 | - if (spp > (0x7fffffff / tilew)) | ||
71 | + if (spp > (INT_MAX / tilew)) | ||
72 | { | ||
73 | TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); | ||
74 | return 0; | ||
75 | -- | ||
76 | 2.20.1 | ||
77 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 5c008c53fe..1f92c18513 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | |||
@@ -5,13 +5,9 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" | |||
5 | CVE_PRODUCT = "libtiff" | 5 | CVE_PRODUCT = "libtiff" |
6 | 6 | ||
7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ |
8 | file://CVE-2019-6128.patch \ | 8 | " |
9 | file://CVE-2019-7663.patch \ | 9 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" |
10 | file://CVE-2019-14973.patch \ | 10 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" |
11 | file://CVE-2019-17546.patch \ | ||
12 | " | ||
13 | SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" | ||
14 | SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" | ||
15 | 11 | ||
16 | # exclude betas | 12 | # exclude betas |
17 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" | 13 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |