summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-08-10 15:11:16 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 15:27:04 +0100
commitb6f4d24fbc405da02c7814338600e2e44e47186a (patch)
tree15969083726c37f7e640ee668c2f1ead380ecb81 /meta/recipes-multimedia/libtiff
parentab4f42608a962f5f4768ca8188b424dedd20320e (diff)
downloadpoky-b6f4d24fbc405da02c7814338600e2e44e47186a.tar.gz
tiff: Security fix CVE-2015-8781
CVE-2015-8781 libtiff: out-of-bounds writes for invalid images External Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8781 (From OE-Core rev: 9e97ff5582fab9f157ecd970c7c3559265210131) (From OE-Core rev: 18d8f81c16cbf165183f5deda71fef0763386a21) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch195
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.6.bb1
2 files changed, 196 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
new file mode 100644
index 0000000000..0846f0f68e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
@@ -0,0 +1,195 @@
1From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Sun, 27 Dec 2015 16:25:11 +0000
4Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
5 decode functions in non debug builds by replacing assert()s by regular if
6 checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
7 input data.
8
9Upstream-Status: Backport
10
11https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
12hand applied Changelog changes
13
14CVE: CVE-2015-8781
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17---
18 ChangeLog | 7 +++++++
19 libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
20 2 files changed, 51 insertions(+), 11 deletions(-)
21
22Index: tiff-4.0.4/ChangeLog
23===================================================================
24--- tiff-4.0.4.orig/ChangeLog
25+++ tiff-4.0.4/ChangeLog
26@@ -1,3 +1,10 @@
27+2015-12-27 Even Rouault <even.rouault at spatialys.com>
28+
29+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
30+ functions in non debug builds by replacing assert()s by regular if
31+ checks (bugzilla #2522).
32+ Fix potential out-of-bound reads in case of short input data.
33+
34 2015-12-26 Even Rouault <even.rouault at spatialys.com>
35
36 * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
37Index: tiff-4.0.4/libtiff/tif_luv.c
38===================================================================
39--- tiff-4.0.4.orig/libtiff/tif_luv.c
40+++ tiff-4.0.4/libtiff/tif_luv.c
41@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
42 if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
43 tp = (int16*) op;
44 else {
45- assert(sp->tbuflen >= npixels);
46+ if(sp->tbuflen < npixels) {
47+ TIFFErrorExt(tif->tif_clientdata, module,
48+ "Translation buffer too short");
49+ return (0);
50+ }
51 tp = (int16*) sp->tbuf;
52 }
53 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
54@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
55 cc = tif->tif_rawcc;
56 /* get each byte string */
57 for (shft = 2*8; (shft -= 8) >= 0; ) {
58- for (i = 0; i < npixels && cc > 0; )
59+ for (i = 0; i < npixels && cc > 0; ) {
60 if (*bp >= 128) { /* run */
61- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
62+ if( cc < 2 )
63+ break;
64+ rc = *bp++ + (2-128);
65 b = (int16)(*bp++ << shft);
66 cc -= 2;
67 while (rc-- && i < npixels)
68@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
69 while (--cc && rc-- && i < npixels)
70 tp[i++] |= (int16)*bp++ << shft;
71 }
72+ }
73 if (i != npixels) {
74 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
75 TIFFErrorExt(tif->tif_clientdata, module,
76@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
77 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
78 tp = (uint32 *)op;
79 else {
80- assert(sp->tbuflen >= npixels);
81+ if(sp->tbuflen < npixels) {
82+ TIFFErrorExt(tif->tif_clientdata, module,
83+ "Translation buffer too short");
84+ return (0);
85+ }
86 tp = (uint32 *) sp->tbuf;
87 }
88 /* copy to array of uint32 */
89 bp = (unsigned char*) tif->tif_rawcp;
90 cc = tif->tif_rawcc;
91- for (i = 0; i < npixels && cc > 0; i++) {
92+ for (i = 0; i < npixels && cc >= 3; i++) {
93 tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
94 bp += 3;
95 cc -= 3;
96@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
97 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
98 tp = (uint32*) op;
99 else {
100- assert(sp->tbuflen >= npixels);
101+ if(sp->tbuflen < npixels) {
102+ TIFFErrorExt(tif->tif_clientdata, module,
103+ "Translation buffer too short");
104+ return (0);
105+ }
106 tp = (uint32*) sp->tbuf;
107 }
108 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
109@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
110 cc = tif->tif_rawcc;
111 /* get each byte string */
112 for (shft = 4*8; (shft -= 8) >= 0; ) {
113- for (i = 0; i < npixels && cc > 0; )
114+ for (i = 0; i < npixels && cc > 0; ) {
115 if (*bp >= 128) { /* run */
116+ if( cc < 2 )
117+ break;
118 rc = *bp++ + (2-128);
119 b = (uint32)*bp++ << shft;
120- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
121+ cc -= 2;
122 while (rc-- && i < npixels)
123 tp[i++] |= b;
124 } else { /* non-run */
125@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
126 while (--cc && rc-- && i < npixels)
127 tp[i++] |= (uint32)*bp++ << shft;
128 }
129+ }
130 if (i != npixels) {
131 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
132 TIFFErrorExt(tif->tif_clientdata, module,
133@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
134 static int
135 LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
136 {
137+ static const char module[] = "LogL16Encode";
138 LogLuvState* sp = EncoderState(tif);
139 int shft;
140 tmsize_t i;
141@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
142 tp = (int16*) bp;
143 else {
144 tp = (int16*) sp->tbuf;
145- assert(sp->tbuflen >= npixels);
146+ if(sp->tbuflen < npixels) {
147+ TIFFErrorExt(tif->tif_clientdata, module,
148+ "Translation buffer too short");
149+ return (0);
150+ }
151 (*sp->tfunc)(sp, bp, npixels);
152 }
153 /* compress each byte string */
154@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
155 static int
156 LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
157 {
158+ static const char module[] = "LogLuvEncode24";
159 LogLuvState* sp = EncoderState(tif);
160 tmsize_t i;
161 tmsize_t npixels;
162@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
163 tp = (uint32*) bp;
164 else {
165 tp = (uint32*) sp->tbuf;
166- assert(sp->tbuflen >= npixels);
167+ if(sp->tbuflen < npixels) {
168+ TIFFErrorExt(tif->tif_clientdata, module,
169+ "Translation buffer too short");
170+ return (0);
171+ }
172 (*sp->tfunc)(sp, bp, npixels);
173 }
174 /* write out encoded pixels */
175@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
176 static int
177 LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
178 {
179+ static const char module[] = "LogLuvEncode32";
180 LogLuvState* sp = EncoderState(tif);
181 int shft;
182 tmsize_t i;
183@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
184 tp = (uint32*) bp;
185 else {
186 tp = (uint32*) sp->tbuf;
187- assert(sp->tbuflen >= npixels);
188+ if(sp->tbuflen < npixels) {
189+ TIFFErrorExt(tif->tif_clientdata, module,
190+ "Translation buffer too short");
191+ return (0);
192+ }
193 (*sp->tfunc)(sp, bp, npixels);
194 }
195 /* compress each byte string */
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 810a5e4c7d..9879c8bfab 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
6SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ 6SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
7 file://libtool2.patch \ 7 file://libtool2.patch \
8 file://CVE-2015-8665_8683.patch \ 8 file://CVE-2015-8665_8683.patch \
9 file://CVE-2015-8781.patch \
9 " 10 "
10 11
11SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" 12SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"