summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-04-26 13:19:44 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-05-14 09:40:16 +0100
commit2ef5feeb3d50203a5754308c2e1c16a9388802bf (patch)
tree70194332e4894620933e3ff2107ea4f77834f9e1 /meta/recipes-multimedia/libtiff
parenta201edefaecaa87eaf7e5f265c2317f7d12202a9 (diff)
downloadpoky-2ef5feeb3d50203a5754308c2e1c16a9388802bf.tar.gz
libtiff: Security fix CVE-2015-8664 and 8683
CVE-2015-8665 CVE-2015-8683 (From OE-Core rev: 49008750ece710201701a6f413537c857190798a) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch137
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.4.bb1
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
new file mode 100644
index 0000000000..9814d24137
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
@@ -0,0 +1,137 @@
1From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sat, 26 Dec 2015 17:32:03 +0000
4Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
5 TIFFRGBAImage interface in case of unsupported values of
6 SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
7 TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
8 limingxing and CVE-2015-8683 reported by zzf of Alibaba.
9
10Upstream-Status: Backport
11CVE: CVE-2015-8665
12CVE: CVE-2015-8683
13https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
14
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 ChangeLog | 8 ++++++++
19 libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
20 2 files changed, 30 insertions(+), 13 deletions(-)
21
22Index: tiff-4.0.4/libtiff/tif_getimage.c
23===================================================================
24--- tiff-4.0.4.orig/libtiff/tif_getimage.c
25+++ tiff-4.0.4/libtiff/tif_getimage.c
26@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
27 "Planarconfiguration", td->td_planarconfig);
28 return (0);
29 }
30- if( td->td_samplesperpixel != 3 )
31+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
32 {
33 sprintf(emsg,
34- "Sorry, can not handle image with %s=%d",
35- "Samples/pixel", td->td_samplesperpixel);
36+ "Sorry, can not handle image with %s=%d, %s=%d",
37+ "Samples/pixel", td->td_samplesperpixel,
38+ "colorchannels", colorchannels);
39 return 0;
40 }
41 break;
42 case PHOTOMETRIC_CIELAB:
43- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
44+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
45 {
46 sprintf(emsg,
47- "Sorry, can not handle image with %s=%d and %s=%d",
48+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
49 "Samples/pixel", td->td_samplesperpixel,
50+ "colorchannels", colorchannels,
51 "Bits/sample", td->td_bitspersample);
52 return 0;
53 }
54@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
55 int colorchannels;
56 uint16 *red_orig, *green_orig, *blue_orig;
57 int n_color;
58+
59+ if( !TIFFRGBAImageOK(tif, emsg) )
60+ return 0;
61
62 /* Initialize to normal values */
63 img->row_offset = 0;
64@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
65 case PHOTOMETRIC_RGB:
66 switch (img->bitspersample) {
67 case 8:
68- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
69+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
70+ img->samplesperpixel >= 4)
71 img->put.contig = putRGBAAcontig8bittile;
72- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
73+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
74+ img->samplesperpixel >= 4)
75 {
76 if (BuildMapUaToAa(img))
77 img->put.contig = putRGBUAcontig8bittile;
78 }
79- else
80+ else if( img->samplesperpixel >= 3 )
81 img->put.contig = putRGBcontig8bittile;
82 break;
83 case 16:
84- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
85+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
86+ img->samplesperpixel >=4 )
87 {
88 if (BuildMapBitdepth16To8(img))
89 img->put.contig = putRGBAAcontig16bittile;
90 }
91- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
92+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
93+ img->samplesperpixel >=4 )
94 {
95 if (BuildMapBitdepth16To8(img) &&
96 BuildMapUaToAa(img))
97 img->put.contig = putRGBUAcontig16bittile;
98 }
99- else
100+ else if( img->samplesperpixel >=3 )
101 {
102 if (BuildMapBitdepth16To8(img))
103 img->put.contig = putRGBcontig16bittile;
104@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
105 }
106 break;
107 case PHOTOMETRIC_SEPARATED:
108- if (buildMap(img)) {
109+ if (img->samplesperpixel >=4 && buildMap(img)) {
110 if (img->bitspersample == 8) {
111 if (!img->Map)
112 img->put.contig = putRGBcontig8bitCMYKtile;
113@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
114 }
115 break;
116 case PHOTOMETRIC_CIELAB:
117- if (buildMap(img)) {
118+ if (img->samplesperpixel == 3 && buildMap(img)) {
119 if (img->bitspersample == 8)
120 img->put.contig = initCIELabConversion(img);
121 break;
122Index: tiff-4.0.4/ChangeLog
123===================================================================
124--- tiff-4.0.4.orig/ChangeLog
125+++ tiff-4.0.4/ChangeLog
126@@ -1,3 +1,11 @@
127+2015-12-26 Even Rouault <even.rouault at spatialys.com>
128+
129+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
130+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
131+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
132+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
133+ CVE-2015-8683 reported by zzf of Alibaba.
134+
135 2015-12-27 Even Rouault <even.rouault at spatialys.com>
136
137 * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
index f1f5a7e8e0..69bcb2c930 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
@@ -7,6 +7,7 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
7 file://libtool2.patch \ 7 file://libtool2.patch \
8 file://CVE-2015-8781.patch \ 8 file://CVE-2015-8781.patch \
9 file://CVE-2015-8784.patch \ 9 file://CVE-2015-8784.patch \
10 file://CVE-2015-8665_8683.patch \
10 " 11 "
11 12
12SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900" 13SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900"