tiff: Security fixes

Fix CVE-2017-99935, CVE-2017-18013, CVE-2018-5784 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9935 https://nvd.nist.gov/vuln/detail/CVE-2017-18013 https://nvd.nist.gov/vuln/detail/CVE-2018-5784 Patches from: CVE-2017-9935: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 CVE-2017-18013: https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 CVE-2018-5784: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef (From OE-Core rev: 798b6b4b3ce370264d036e555185a99ce3aa97b7) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2018-03-20 07:53:20 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-03-25 09:40:41 +0100
commit: 7a8099635534a1c7991eb3e1da26398482f54a7c (patch)
tree: 2cfaa49c74b7a7de5cb38a915710bd4bf2799106 /meta/recipes-multimedia/libtiff
parent: f49ee61422c867516db252054e993df29f775136 (diff)
download: poky-7a8099635534a1c7991eb3e1da26398482f54a7c.tar.gz
4 files changed, 340 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
new file mode 100644
index 0000000000..878e0de959
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
@@ -0,0 +1,42 @@
+From 293c8b0298e91d20ba51291e2351ab7d110671d0 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 31 Dec 2017 15:09:41 +0100
+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
+ dereference on corrupted file. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01]
+CVE: CVE-2017-18013
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ libtiff/tif_print.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 24d4b98..f494cfb 100644
+--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
+@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                        fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
+                            (unsigned long) s,
+-                           (unsigned __int64) td->td_stripoffset[s],
+-                           (unsigned __int64) td->td_stripbytecount[s]);
+                           td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
+                           td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+                        fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
+                            (unsigned long) s,
+-                           (unsigned long long) td->td_stripoffset[s],
+-                           (unsigned long long) td->td_stripbytecount[s]);
+                           td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
+                           td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+        }
+ }
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
new file mode 100644
index 0000000000..60684dd2a6
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
@@ -0,0 +1,160 @@
+From abb0055d21c52a9925314d5b0628fb2b6307619c Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+We than read the transfer function for every page.  Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940]
+CVE: CVE-2017-9935
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ libtiff/tif_dir.c |  3 +++
+ tools/tiff2pdf.c  | 65 +++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index f00f808..c36a5f3 100644
+--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
+@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+                        if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+                                *va_arg(ap, uint16**) = td->td_transferfunction[1];
+                                *va_arg(ap, uint16**) = td->td_transferfunction[2];
+                       } else {
+                               *va_arg(ap, uint16**) = NULL;
+                               *va_arg(ap, uint16**) = NULL;
+                        }
+                        break;
+                case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 454befb..0b5973e 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+        uint16 pagen=0;
+        uint16 paged=0;
+        uint16 xuint16=0;
+       uint16 tiff_transferfunctioncount=0;
+       float* tiff_transferfunction[3];
+ 
+        directorycount=TIFFNumberOfDirectories(input);
+        t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+                 }
+ #endif
+                if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+-                                 &(t2p->tiff_transferfunction[0]),
+-                                 &(t2p->tiff_transferfunction[1]),
+-                                 &(t2p->tiff_transferfunction[2]))) {
+-                       if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[1] !=
+-                            t2p->tiff_transferfunction[0])) {
+-                               t2p->tiff_transferfunctioncount = 3;
+-                               t2p->tiff_pages[i].page_extra += 4;
+-                               t2p->pdf_xrefcount += 4;
+-                       } else {
+-                               t2p->tiff_transferfunctioncount = 1;
+-                               t2p->tiff_pages[i].page_extra += 2;
+-                               t2p->pdf_xrefcount += 2;
+-                       }
+-                       if(t2p->pdf_minorversion < 2)
+-                               t2p->pdf_minorversion = 2;
+                                 &(tiff_transferfunction[0]),
+                                 &(tiff_transferfunction[1]),
+                                 &(tiff_transferfunction[2]))) {
+
+                        if((tiff_transferfunction[1] != (float*) NULL) &&
+                           (tiff_transferfunction[2] != (float*) NULL)
+                          ) {
+                            tiff_transferfunctioncount=3;
+                        } else {
+                            tiff_transferfunctioncount=1;
+                        }
+                 } else {
+-                       t2p->tiff_transferfunctioncount=0;
+                       tiff_transferfunctioncount=0;
+                }
+
+                if (i > 0){
+                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
+                        TIFFError(
+                            TIFF2PDF_MODULE,
+                            "Different transfer function on page %d",
+                            i);
+                        t2p->t2p_error = T2P_ERR_ERROR;
+                        return;
+                    }
+                }
+
+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
+                if(tiff_transferfunctioncount == 3){
+                        t2p->tiff_pages[i].page_extra += 4;
+                        t2p->pdf_xrefcount += 4;
+                        if(t2p->pdf_minorversion < 2)
+                                t2p->pdf_minorversion = 2;
+                } else if (tiff_transferfunctioncount == 1){
+                        t2p->tiff_pages[i].page_extra += 2;
+                        t2p->pdf_xrefcount += 2;
+                        if(t2p->pdf_minorversion < 2)
+                                t2p->pdf_minorversion = 2;
+                }
+
+                if( TIFFGetField(
+                        input, 
+                        TIFFTAG_ICCPROFILE, 
+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+                         &(t2p->tiff_transferfunction[1]),
+                         &(t2p->tiff_transferfunction[2]))) {
+                if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[1] !=
+-                    t2p->tiff_transferfunction[0])) {
+                   (t2p->tiff_transferfunction[2] != (float*) NULL)
+                  ) {
+                        t2p->tiff_transferfunctioncount=3;
+                } else {
+                        t2p->tiff_transferfunctioncount=1;
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
new file mode 100644
index 0000000000..406001d579
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
@@ -0,0 +1,135 @@
+From 6cdea15213be6b67d9f8380c7bb40e325d3adace Mon Sep 17 00:00:00 2001
+From: Nathan Baker <nathanb@lenovo-chrome.com>
+Date: Tue, 6 Feb 2018 10:13:57 -0500
+Subject: [PATCH] Fix for bug 2772
+It is possible to craft a TIFF document where the IFD list is circular,
+leading to an infinite loop while traversing the chain. The libtiff
+directory reader has a failsafe that will break out of this loop after
+reading 65535 directory entries, but it will continue processing,
+consuming time and resources to process what is essentially a bogus TIFF
+document.
+This change fixes the above behavior by breaking out of processing when
+a TIFF document has >= 65535 directories and terminating with an error.
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef]
+CVE: CVE-2018-5784
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
+ tools/tiff2pdf.c                | 10 ++++++++++
+ tools/tiffcrop.c                | 13 +++++++++++--
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
+index c61ffbb..03b3573 100644
+--- a/contrib/addtiffo/tif_overview.c
+++ b/contrib/addtiffo/tif_overview.c
+@@ -65,6 +65,8 @@
+ #  define MAX(a,b)      ((a>b) ? a : b)
+ #endif
+ 
+#define TIFF_DIR_MAX  65534
+
+ void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
+                          int (*)(double,void*), void * );
+ 
+@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
+ {
+     toff_t     nBaseDirOffset;
+     toff_t     nOffset;
+    tdir_t     iNumDir;
+ 
+     (void) bUseSubIFDs;
+ 
+@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
+         return 0;
+ 
+     TIFFWriteDirectory( hTIFF );
+-    TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
+    iNumDir = TIFFNumberOfDirectories(hTIFF);
+    if( iNumDir > TIFF_DIR_MAX )
+    {
+        TIFFErrorExt( TIFFClientdata(hTIFF),
+                      "TIFF_WriteOverview",
+                      "File `%s' has too many directories.\n",
+                      TIFFFileName(hTIFF) );
+        exit(-1);
+    }
+    TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
+ 
+     nOffset = TIFFCurrentDirOffset( hTIFF );
+ 
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 0b5973e..ef5d6a0 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
+ 
+ #define PS_UNIT_SIZE   72.0F
+ 
+#define TIFF_DIR_MAX    65534
+
+ /* This type is of PDF color spaces. */
+ typedef enum {
+        T2P_CS_BILEVEL = 0x01,  /* Bilevel, black and white */
+@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+        float* tiff_transferfunction[3];
+ 
+        directorycount=TIFFNumberOfDirectories(input);
+       if(directorycount > TIFF_DIR_MAX) {
+               TIFFError(
+                       TIFF2PDF_MODULE,
+                       "TIFF contains too many directories, %s",
+                       TIFFFileName(input));
+               t2p->t2p_error = T2P_ERR_ERROR;
+               return;
+       }
+        t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+        if(t2p->tiff_pages==NULL){
+                TIFFError(
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c69177e..c60cb38 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+ #define DUMP_TEXT   1
+ #define DUMP_RAW    2
+ 
+#define TIFF_DIR_MAX  65534
+
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+   uint32  tmargin;
+@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
+     pageNum = -1;
+   else
+     total_images = 0;
+-  /* read multiple input files and write to output file(s) */
+  /* Read multiple input files and write to output file(s) */
+   while (optind < argc - 1)
+     {
+     in = TIFFOpen (argv[optind], "r");
+@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
+       return (-3);
+ 
+     /* If only one input file is specified, we can use directory count */
+-    total_images = TIFFNumberOfDirectories(in); 
+    total_images = TIFFNumberOfDirectories(in);
+    if (total_images > TIFF_DIR_MAX)
+      {
+      TIFFError (TIFFFileName(in), "File contains too many directories");
+      if (out != NULL)
+        (void) TIFFClose(out);
+      return (1);
+      }
+     if (image_count == 0)
+       {
+       dirnum = 0;
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
index b8f895b143..8c3bba5c64 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -6,6 +6,9 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://libtool2.patch \
+           file://CVE-2017-9935.patch \
+           file://CVE-2017-18013.patch \
+           file://CVE-2018-5784.patch \
          "
 SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"
author	Yi Zhao <yi.zhao@windriver.com>	2018-03-20 07:53:20 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-03-25 09:40:41 +0100
commit	7a8099635534a1c7991eb3e1da26398482f54a7c (patch)
tree	2cfaa49c74b7a7de5cb38a915710bd4bf2799106 /meta/recipes-multimedia/libtiff
parent	f49ee61422c867516db252054e993df29f775136 (diff)
download	poky-7a8099635534a1c7991eb3e1da26398482f54a7c.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch new file mode 100644 index 0000000000..878e0de959 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
@@ -0,0 +1,42 @@
		1	From 293c8b0298e91d20ba51291e2351ab7d110671d0 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sun, 31 Dec 2017 15:09:41 +0100
		4	Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
		5	dereference on corrupted file. Fixes
		6	http://bugzilla.maptools.org/show_bug.cgi?id=2770
		7
		8	Upstream-Status: Backport
		9	[https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01]
		10
		11	CVE: CVE-2017-18013
		12
		13	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		14	---
		15	libtiff/tif_print.c \| 8 ++++----
		16	1 file changed, 4 insertions(+), 4 deletions(-)
		17
		18	diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
		19	index 24d4b98..f494cfb 100644
		20	--- a/libtiff/tif_print.c
		21	+++ b/libtiff/tif_print.c
		22	@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
		23	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
		24	fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
		25	(unsigned long) s,
		26	- (unsigned __int64) td->td_stripoffset[s],
		27	- (unsigned __int64) td->td_stripbytecount[s]);
		28	+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
		29	+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
		30	#else
		31	fprintf(fd, " %3lu: [%8llu, %8llu]\n",
		32	(unsigned long) s,
		33	- (unsigned long long) td->td_stripoffset[s],
		34	- (unsigned long long) td->td_stripbytecount[s]);
		35	+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
		36	+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
		37	#endif
		38	}
		39	}
		40	--
		41	2.7.4
		42


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch new file mode 100644 index 0000000000..60684dd2a6 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
@@ -0,0 +1,160 @@
		1	From abb0055d21c52a9925314d5b0628fb2b6307619c Mon Sep 17 00:00:00 2001
		2	From: Brian May <brian@linuxpenguins.xyz>
		3	Date: Thu, 7 Dec 2017 07:46:47 +1100
		4	Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
		5
		6	Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
		7
		8	This vulnerability - at least for the supplied test case - is because we
		9	assume that a tiff will only have one transfer function that is the same
		10	for all pages. This is not required by the TIFF standards.
		11
		12	We than read the transfer function for every page. Depending on the
		13	transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
		14	We allocate this memory after we read in the transfer function for the
		15	page.
		16
		17	For the first exploit - POC1, this file has 3 pages. For the first page
		18	we allocate 2 extra extra XREF entries. Then for the next page 2 more
		19	entries. Then for the last page the transfer function changes and we
		20	allocate 4 more entries.
		21
		22	When we read the file into memory, we assume we have 4 bytes extra for
		23	each and every page (as per the last transfer function we read). Which
		24	is not correct, we only have 2 bytes extra for the first 2 pages. As a
		25	result, we end up writing past the end of the buffer.
		26
		27	There are also some related issues that this also fixes. For example,
		28	TIFFGetField can return uninitalized pointer values, and the logic to
		29	detect a N=3 vs N=1 transfer function seemed rather strange.
		30
		31	It is also strange that we declare the transfer functions to be of type
		32	float, when the standard says they are unsigned 16 bit values. This is
		33	fixed in another patch.
		34
		35	This patch will check to ensure that the N value for every transfer
		36	function is the same for every page. If this changes, we abort with an
		37	error. In theory, we should perhaps check that the transfer function
		38	itself is identical for every page, however we don't do that due to the
		39	confusion of the type of the data in the transfer function.
		40
		41	Upstream-Status: Backport
		42	[https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940]
		43
		44	CVE: CVE-2017-9935
		45
		46	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		47	---
		48	libtiff/tif_dir.c \| 3 +++
		49	tools/tiff2pdf.c \| 65 +++++++++++++++++++++++++++++++++++++------------------
		50	2 files changed, 47 insertions(+), 21 deletions(-)
		51
		52	diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
		53	index f00f808..c36a5f3 100644
		54	--- a/libtiff/tif_dir.c
		55	+++ b/libtiff/tif_dir.c
		56	@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
		57	if (td->td_samplesperpixel - td->td_extrasamples > 1) {
		58	va_arg(ap, uint16*) = td->td_transferfunction[1];
		59	va_arg(ap, uint16*) = td->td_transferfunction[2];
		60	+ } else {
		61	+ va_arg(ap, uint16*) = NULL;
		62	+ va_arg(ap, uint16*) = NULL;
		63	}
		64	break;
		65	case TIFFTAG_REFERENCEBLACKWHITE:
		66	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
		67	index 454befb..0b5973e 100644
		68	--- a/tools/tiff2pdf.c
		69	+++ b/tools/tiff2pdf.c
		70	@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
		71	uint16 pagen=0;
		72	uint16 paged=0;
		73	uint16 xuint16=0;
		74	+ uint16 tiff_transferfunctioncount=0;
		75	+ float* tiff_transferfunction[3];
		76
		77	directorycount=TIFFNumberOfDirectories(input);
		78	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
		79	@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
		80	}
		81	#endif
		82	if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
		83	- &(t2p->tiff_transferfunction[0]),
		84	- &(t2p->tiff_transferfunction[1]),
		85	- &(t2p->tiff_transferfunction[2]))) {
		86	- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
		87	- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
		88	- (t2p->tiff_transferfunction[1] !=
		89	- t2p->tiff_transferfunction[0])) {
		90	- t2p->tiff_transferfunctioncount = 3;
		91	- t2p->tiff_pages[i].page_extra += 4;
		92	- t2p->pdf_xrefcount += 4;
		93	- } else {
		94	- t2p->tiff_transferfunctioncount = 1;
		95	- t2p->tiff_pages[i].page_extra += 2;
		96	- t2p->pdf_xrefcount += 2;
		97	- }
		98	- if(t2p->pdf_minorversion < 2)
		99	- t2p->pdf_minorversion = 2;
		100	+ &(tiff_transferfunction[0]),
		101	+ &(tiff_transferfunction[1]),
		102	+ &(tiff_transferfunction[2]))) {
		103	+
		104	+ if((tiff_transferfunction[1] != (float*) NULL) &&
		105	+ (tiff_transferfunction[2] != (float*) NULL)
		106	+ ) {
		107	+ tiff_transferfunctioncount=3;
		108	+ } else {
		109	+ tiff_transferfunctioncount=1;
		110	+ }
		111	} else {
		112	- t2p->tiff_transferfunctioncount=0;
		113	+ tiff_transferfunctioncount=0;
		114	}
		115	+
		116	+ if (i > 0){
		117	+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
		118	+ TIFFError(
		119	+ TIFF2PDF_MODULE,
		120	+ "Different transfer function on page %d",
		121	+ i);
		122	+ t2p->t2p_error = T2P_ERR_ERROR;
		123	+ return;
		124	+ }
		125	+ }
		126	+
		127	+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
		128	+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
		129	+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
		130	+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
		131	+ if(tiff_transferfunctioncount == 3){
		132	+ t2p->tiff_pages[i].page_extra += 4;
		133	+ t2p->pdf_xrefcount += 4;
		134	+ if(t2p->pdf_minorversion < 2)
		135	+ t2p->pdf_minorversion = 2;
		136	+ } else if (tiff_transferfunctioncount == 1){
		137	+ t2p->tiff_pages[i].page_extra += 2;
		138	+ t2p->pdf_xrefcount += 2;
		139	+ if(t2p->pdf_minorversion < 2)
		140	+ t2p->pdf_minorversion = 2;
		141	+ }
		142	+
		143	if( TIFFGetField(
		144	input,
		145	TIFFTAG_ICCPROFILE,
		146	@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
		147	&(t2p->tiff_transferfunction[1]),
		148	&(t2p->tiff_transferfunction[2]))) {
		149	if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
		150	- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
		151	- (t2p->tiff_transferfunction[1] !=
		152	- t2p->tiff_transferfunction[0])) {
		153	+ (t2p->tiff_transferfunction[2] != (float*) NULL)
		154	+ ) {
		155	t2p->tiff_transferfunctioncount=3;
		156	} else {
		157	t2p->tiff_transferfunctioncount=1;
		158	--
		159	2.7.4
		160


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch new file mode 100644 index 0000000000..406001d579 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
@@ -0,0 +1,135 @@
		1	From 6cdea15213be6b67d9f8380c7bb40e325d3adace Mon Sep 17 00:00:00 2001
		2	From: Nathan Baker <nathanb@lenovo-chrome.com>
		3	Date: Tue, 6 Feb 2018 10:13:57 -0500
		4	Subject: [PATCH] Fix for bug 2772
		5
		6	It is possible to craft a TIFF document where the IFD list is circular,
		7	leading to an infinite loop while traversing the chain. The libtiff
		8	directory reader has a failsafe that will break out of this loop after
		9	reading 65535 directory entries, but it will continue processing,
		10	consuming time and resources to process what is essentially a bogus TIFF
		11	document.
		12
		13	This change fixes the above behavior by breaking out of processing when
		14	a TIFF document has >= 65535 directories and terminating with an error.
		15
		16	Upstream-Status: Backport
		17	[https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef]
		18
		19	CVE: CVE-2018-5784
		20
		21	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		22	---
		23	contrib/addtiffo/tif_overview.c \| 14 +++++++++++++-
		24	tools/tiff2pdf.c \| 10 ++++++++++
		25	tools/tiffcrop.c \| 13 +++++++++++--
		26	3 files changed, 34 insertions(+), 3 deletions(-)
		27
		28	diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
		29	index c61ffbb..03b3573 100644
		30	--- a/contrib/addtiffo/tif_overview.c
		31	+++ b/contrib/addtiffo/tif_overview.c
		32	@@ -65,6 +65,8 @@
		33	# define MAX(a,b) ((a>b) ? a : b)
		34	#endif
		35
		36	+#define TIFF_DIR_MAX 65534
		37	+
		38	void TIFFBuildOverviews( TIFF , int, int , int, const char *,
		39	int ()(double,void), void * );
		40
		41	@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
		42	{
		43	toff_t nBaseDirOffset;
		44	toff_t nOffset;
		45	+ tdir_t iNumDir;
		46
		47	(void) bUseSubIFDs;
		48
		49	@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
		50	return 0;
		51
		52	TIFFWriteDirectory( hTIFF );
		53	- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
		54	+ iNumDir = TIFFNumberOfDirectories(hTIFF);
		55	+ if( iNumDir > TIFF_DIR_MAX )
		56	+ {
		57	+ TIFFErrorExt( TIFFClientdata(hTIFF),
		58	+ "TIFF_WriteOverview",
		59	+ "File `%s' has too many directories.\n",
		60	+ TIFFFileName(hTIFF) );
		61	+ exit(-1);
		62	+ }
		63	+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
		64
		65	nOffset = TIFFCurrentDirOffset( hTIFF );
		66
		67	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
		68	index 0b5973e..ef5d6a0 100644
		69	--- a/tools/tiff2pdf.c
		70	+++ b/tools/tiff2pdf.c
		71	@@ -68,6 +68,8 @@ extern int getopt(int, char*, char);
		72
		73	#define PS_UNIT_SIZE 72.0F
		74
		75	+#define TIFF_DIR_MAX 65534
		76	+
		77	/* This type is of PDF color spaces. */
		78	typedef enum {
		79	T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
		80	@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
		81	float* tiff_transferfunction[3];
		82
		83	directorycount=TIFFNumberOfDirectories(input);
		84	+ if(directorycount > TIFF_DIR_MAX) {
		85	+ TIFFError(
		86	+ TIFF2PDF_MODULE,
		87	+ "TIFF contains too many directories, %s",
		88	+ TIFFFileName(input));
		89	+ t2p->t2p_error = T2P_ERR_ERROR;
		90	+ return;
		91	+ }
		92	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
		93	if(t2p->tiff_pages==NULL){
		94	TIFFError(
		95	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		96	index c69177e..c60cb38 100644
		97	--- a/tools/tiffcrop.c
		98	+++ b/tools/tiffcrop.c
		99	@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
		100	#define DUMP_TEXT 1
		101	#define DUMP_RAW 2
		102
		103	+#define TIFF_DIR_MAX 65534
		104	+
		105	/* Offsets into buffer for margins and fixed width and length segments */
		106	struct offset {
		107	uint32 tmargin;
		108	@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
		109	pageNum = -1;
		110	else
		111	total_images = 0;
		112	- /* read multiple input files and write to output file(s) */
		113	+ /* Read multiple input files and write to output file(s) */
		114	while (optind < argc - 1)
		115	{
		116	in = TIFFOpen (argv[optind], "r");
		117	@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
		118	return (-3);
		119
		120	/* If only one input file is specified, we can use directory count */
		121	- total_images = TIFFNumberOfDirectories(in);
		122	+ total_images = TIFFNumberOfDirectories(in);
		123	+ if (total_images > TIFF_DIR_MAX)
		124	+ {
		125	+ TIFFError (TIFFFileName(in), "File contains too many directories");
		126	+ if (out != NULL)
		127	+ (void) TIFFClose(out);
		128	+ return (1);
		129	+ }
		130	if (image_count == 0)
		131	{
		132	dirnum = 0;
		133	--
		134	2.7.4
		135


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb index b8f895b143..8c3bba5c64 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -6,6 +6,9 @@ CVE_PRODUCT = "libtiff"
6		6
7	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	7	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
8	file://libtool2.patch \	8	file://libtool2.patch \
		9	file://CVE-2017-9935.patch \
		10	file://CVE-2017-18013.patch \
		11	file://CVE-2018-5784.patch \
9	"	12	"
10		13
11	SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"	14	SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"