diff options
author | Yue Tao <Yue.Tao@windriver.com> | 2014-06-17 04:25:20 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-06-17 10:23:53 +0100 |
commit | c44d7b5cdedf5cd32f3223da50909351465a8afe (patch) | |
tree | 295dc9e7ce022cf06b560ede6dd579d097990a69 /meta/recipes-multimedia/libtiff | |
parent | 9d40ce5dd1ea563f64869e27cda6db9254478145 (diff) | |
download | poky-c44d7b5cdedf5cd32f3223da50909351465a8afe.tar.gz |
libtiff: Security Advisory - CVE-2012-4564
v2 changes:
* update format for commit log
* add Upstream-Status for patch
ppm2tiff does not check the return value of the TIFFScanlineSize
function, which allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a crafted PPM image that
triggers an integer overflow, a zero-memory allocation, and a heap-based
buffer overflow.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4564
(From OE-Core rev: 9f02922d44de483ef4d02ce95b55efe79a8b09a2)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch | 99 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 |
2 files changed, 101 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch new file mode 100644 index 0000000000..23649790c4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Yue Tao <Yue.Tao@windriver.com> | ||
4 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
5 | |||
6 | Index: tools/ppm2tiff.c | ||
7 | =================================================================== | ||
8 | RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v | ||
9 | retrieving revision 1.16 | ||
10 | retrieving revision 1.18 | ||
11 | diff -u -r1.16 -r1.18 | ||
12 | --- a/tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16 | ||
13 | +++ b/tools/ppm2tiff.c 10 Dec 2012 18:19:11 -0000 1.18 | ||
14 | @@ -1,4 +1,4 @@ | ||
15 | -/* $Id: ppm2tiff.c,v 1.16 2010-04-10 19:22:34 bfriesen Exp $ */ | ||
16 | +/* $Id: ppm2tiff.c,v 1.18 2012-12-10 18:19:11 tgl Exp $ */ | ||
17 | |||
18 | /* | ||
19 | * Copyright (c) 1991-1997 Sam Leffler | ||
20 | @@ -72,6 +72,17 @@ | ||
21 | exit(-2); | ||
22 | } | ||
23 | |||
24 | +static tmsize_t | ||
25 | +multiply_ms(tmsize_t m1, tmsize_t m2) | ||
26 | +{ | ||
27 | + tmsize_t bytes = m1 * m2; | ||
28 | + | ||
29 | + if (m1 && bytes / m1 != m2) | ||
30 | + bytes = 0; | ||
31 | + | ||
32 | + return bytes; | ||
33 | +} | ||
34 | + | ||
35 | int | ||
36 | main(int argc, char* argv[]) | ||
37 | { | ||
38 | @@ -79,7 +90,7 @@ | ||
39 | uint32 rowsperstrip = (uint32) -1; | ||
40 | double resolution = -1; | ||
41 | unsigned char *buf = NULL; | ||
42 | - tsize_t linebytes = 0; | ||
43 | + tmsize_t linebytes = 0; | ||
44 | uint16 spp = 1; | ||
45 | uint16 bpp = 8; | ||
46 | TIFF *out; | ||
47 | @@ -89,6 +100,7 @@ | ||
48 | int c; | ||
49 | extern int optind; | ||
50 | extern char* optarg; | ||
51 | + tmsize_t scanline_size; | ||
52 | |||
53 | if (argc < 2) { | ||
54 | fprintf(stderr, "%s: Too few arguments\n", argv[0]); | ||
55 | @@ -221,7 +233,8 @@ | ||
56 | } | ||
57 | switch (bpp) { | ||
58 | case 1: | ||
59 | - linebytes = (spp * w + (8 - 1)) / 8; | ||
60 | + /* if round-up overflows, result will be zero, OK */ | ||
61 | + linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; | ||
62 | if (rowsperstrip == (uint32) -1) { | ||
63 | TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); | ||
64 | } else { | ||
65 | @@ -230,15 +243,31 @@ | ||
66 | } | ||
67 | break; | ||
68 | case 8: | ||
69 | - linebytes = spp * w; | ||
70 | + linebytes = multiply_ms(spp, w); | ||
71 | TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, | ||
72 | TIFFDefaultStripSize(out, rowsperstrip)); | ||
73 | break; | ||
74 | } | ||
75 | - if (TIFFScanlineSize(out) > linebytes) | ||
76 | + if (linebytes == 0) { | ||
77 | + fprintf(stderr, "%s: scanline size overflow\n", infile); | ||
78 | + (void) TIFFClose(out); | ||
79 | + exit(-2); | ||
80 | + } | ||
81 | + scanline_size = TIFFScanlineSize(out); | ||
82 | + if (scanline_size == 0) { | ||
83 | + /* overflow - TIFFScanlineSize already printed a message */ | ||
84 | + (void) TIFFClose(out); | ||
85 | + exit(-2); | ||
86 | + } | ||
87 | + if (scanline_size < linebytes) | ||
88 | buf = (unsigned char *)_TIFFmalloc(linebytes); | ||
89 | else | ||
90 | - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); | ||
91 | + buf = (unsigned char *)_TIFFmalloc(scanline_size); | ||
92 | + if (buf == NULL) { | ||
93 | + fprintf(stderr, "%s: Not enough memory\n", infile); | ||
94 | + (void) TIFFClose(out); | ||
95 | + exit(-2); | ||
96 | + } | ||
97 | if (resolution > 0) { | ||
98 | TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); | ||
99 | TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb index 6483655ccc..af1f2b6ad8 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | |||
@@ -9,7 +9,8 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ | |||
9 | file://libtiff-CVE-2013-4232.patch \ | 9 | file://libtiff-CVE-2013-4232.patch \ |
10 | file://libtiff-CVE-2013-4243.patch \ | 10 | file://libtiff-CVE-2013-4243.patch \ |
11 | file://libtiff-CVE-2013-4244.patch \ | 11 | file://libtiff-CVE-2013-4244.patch \ |
12 | file://libtiff-CVE-2013-4231.patch " | 12 | file://libtiff-CVE-2013-4231.patch \ |
13 | file://tiff-CVE-2012-4564.patch " | ||
13 | 14 | ||
14 | SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" | 15 | SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" |
15 | SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" | 16 | SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" |