author | Yi Zhao <yi.zhao@windriver.com> | 2016-10-26 16:26:44 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-06 23:35:32 +0000 |
commit | 4db0424120129367f22ce55c42196eff8c98c624 (patch) | |
tree | 58404fb32d59e9ba1b37321245548933d0bc0a25 /meta/recipes-multimedia/libtiff | |
parent | 92d604ca28acfaf2c2a1db8332d9ed938c6bebd6 (diff) | |
download | poky-4db0424120129367f22ce55c42196eff8c98c624.tar.gz |
tiff: Security fix CVE-2016-3945
CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
attackers to cause a denial of service (crash) or execute arbitrary code
via a crafted TIFF image, which triggers an out-of-bounds write.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945
http://bugzilla.maptools.org/show_bug.cgi?id=2545
Patch from:
https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
(From OE-Core rev: 04b9405c7e980d7655c2fd601aeeae89c0d83131)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch | 118 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 |
2 files changed, 119 insertions, 0 deletions
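--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
@@ -0,0 +1,118 @@
+From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 20:06:40 +0000
+Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
+allocated buffer, when -b mode is enabled, that could result in out-of-bounds
+write. Based initially on patch tiff-CVE-2016-3945.patch from
+libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
+tests that rejected valid files.
+
+CVE: CVE-2016-3945
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ChangeLog | 8 ++++++++
+tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
+2 files changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 62dc1b5..9c0ab29 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,11 @@
++2016-08-15 Even Rouault <even.rouault at spatialys.com>
++
++ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
++ buffer, when -b mode is enabled, that could result in out-of-bounds
++ write. Based initially on patch tiff-CVE-2016-3945.patch from
++ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
++ invalid tests that rejected valid files.
++
+2016-07-11 Even Rouault <even.rouault at spatialys.com>
+
+* tools/tiffcrop.c: Avoid access outside of stack allocated array
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index b7a81eb..16e3dc4 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+uint32 row, col;
+uint32 *wrk_line;
+int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+/*
+* Allocate tile buffer
+*/
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ rastersize = tile_width * tile_height * sizeof (uint32);
++ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+if (raster == 0) {
+TIFFError(TIFFFileName(in), "No space for raster buffer");
+return (0);
+@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+* Allocate a scanline buffer for swapping during the vertical
+* mirroring pass.
+*/
+- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++ wrk_linesize = tile_width * sizeof (uint32);
++ if (tile_width != wrk_linesize / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+if (!wrk_line) {
+TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ok = 0;
+@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+uint32 row;
+uint32 *wrk_line;
+int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+/*
+* Allocate strip buffer
+*/
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ rastersize = width * rowsperstrip * sizeof (uint32);
++ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+if (raster == 0) {
+TIFFError(TIFFFileName(in), "No space for raster buffer");
+return (0);
+@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+* Allocate a scanline buffer for swapping during the vertical
+* mirroring pass.
+*/
+- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++ wrk_linesize = width * sizeof (uint32);
++ if (width != wrk_linesize / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+if (!wrk_line) {
+TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ok = 0;
+--
+2.7.4
+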
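Review bot: The new overflow checks divide by `tile_height` in cvt_by_tile and by `rowsperstrip` in cvt_by_strip with no zero guard, so a file that yields 0 for either value (whether libtiff rejects that earlier is not visible here) would fault on the division instead of being rejected; `if (tile_height == 0 || tile_width != (rastersize / tile_height) / sizeof (uint32))` and the matching `rowsperstrip == 0 ||` form would close that. The four added failure paths call `exit(-1)` while the neighbouring allocation failures `return (0)` or set `ok = 0`, so the caller gets no chance to clean up and the process status is typically reported as 255; returning 0 would match the surrounding error handling. Both function bodies start and end outside the hunks shown, so the later writes into `raster` and `wrk_line` cannot be checked from here. The patch header's Signed-off-by address reads `windirver.com`, which differs from the `windriver.com` address on the commit itself.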
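--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
 file://CVE-2016-3186.patch \
 file://CVE-2016-5321.patch \
 file://CVE-2016-5323.patch \
+file://CVE-2016-3945.patch \
 "
 
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"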