tiff: Security fix for CVE-2017-7596

(From OE-Core rev: 94daee02cad9930d4ada648fd4bfdb63510643c0) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Rajkumar Veer <rveer@mvista.com> 2017-11-03 22:28:49 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-21 14:43:54 +0000
commit: 3c0fab47bc02e5c7b8cd506a08f9136728df4a24 (patch)
tree: 3c6f443ae18f593e2f13bf4104df89836ca27d92 /meta/recipes-multimedia
parent: dc293a78fc7770e4678f8d8e11d9da9f51990819 (diff)
download: poky-3c0fab47bc02e5c7b8cd506a08f9136728df4a24.tar.gz
2 files changed, 309 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch
new file mode 100644
index 0000000000..1945c3d316
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch
@@ -0,0 +1,308 @@
+From 3144e57770c1e4d26520d8abee750f8ac8b75490 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 16:09:02 +0000
+Subject: [PATCH] * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement
+ various clampings of double to other data types to avoid undefined behaviour
+ if the output range isn't big enough to hold the input value. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2643
+ http://bugzilla.maptools.org/show_bug.cgi?id=2642
+ http://bugzilla.maptools.org/show_bug.cgi?id=2646
+ http://bugzilla.maptools.org/show_bug.cgi?id=2647
+Upstream-Status: Backport
+CVE: CVE-2017-7596
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog   2017-04-25 15:53:40.294592812 +0530
+++ tiff-4.0.7/ChangeLog        2017-04-25 16:02:03.238600641 +0530
+@@ -6,6 +6,16 @@
+        Patch by Nicolás Peña.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+ 
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
+       of double to other data types to avoid undefined behaviour if the output range
+       isn't big enough to hold the input value.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
+       http://bugzilla.maptools.org/show_bug.cgi?id=2642
+       http://bugzilla.maptools.org/show_bug.cgi?id=2646
+       http://bugzilla.maptools.org/show_bug.cgi?id=2647
+
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ 
+        * libtiff/tif_jpeg.c: avoid integer division by zero in
+Index: tiff-4.0.7/libtiff/tif_dir.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dir.c   2016-10-30 04:33:18.856598072 +0530
+++ tiff-4.0.7/libtiff/tif_dir.c        2017-04-25 16:02:03.238600641 +0530
+@@ -31,6 +31,7 @@
+  * (and also some miscellaneous stuff)
+  */
+ #include "tiffiop.h"
+#include <float.h>
+ 
+ /*
+  * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@
+        return (0);
+ }
+ 
+static float TIFFClampDoubleToFloat( double val )
+{
+    if( val > FLT_MAX )
+        return FLT_MAX;
+    if( val < -FLT_MAX )
+        return -FLT_MAX;
+    return (float)val;
+}
+
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-               td->td_xresolution = (float) dblval;
+               td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+                break;
+        case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-               td->td_yresolution = (float) dblval;
+               td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+                break;
+        case TIFFTAG_PLANARCONFIG:
+                v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@
+                td->td_planarconfig = (uint16) v;
+                break;
+        case TIFFTAG_XPOSITION:
+-               td->td_xposition = (float) va_arg(ap, double);
+               td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+                break;
+        case TIFFTAG_YPOSITION:
+-               td->td_yposition = (float) va_arg(ap, double);
+               td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+                break;
+        case TIFFTAG_RESOLUTIONUNIT:
+                v = (uint16) va_arg(ap, uint16_vap);
+Index: tiff-4.0.7/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dirread.c       2017-04-25 15:53:40.134592810 +0530
+++ tiff-4.0.7/libtiff/tif_dirread.c    2017-04-25 16:02:03.242600641 +0530
+@@ -40,6 +40,7 @@
+  */
+ 
+ #include "tiffiop.h"
+#include <float.h>
+ 
+ #define IGNORE 0          /* tag placeholder used below */
+ #define FAILED_FII    ((uint32) -1)
+@@ -2406,7 +2407,14 @@
+                                ma=(double*)origdata;
+                                mb=data;
+                                for (n=0; n<count; n++)
+-                                       *mb++=(float)(*ma++);
+                                {
+                                    double val = *ma++;
+                                    if( val > FLT_MAX )
+                                        val = FLT_MAX;
+                                    else if( val < -FLT_MAX )
+                                        val = -FLT_MAX;
+                                    *mb++=(float)val;
+                                }
+                        }
+                        break;
+        }
+Index: tiff-4.0.7/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dirwrite.c      2016-10-30 04:33:18.876854501 +0530
+++ tiff-4.0.7/libtiff/tif_dirwrite.c   2017-04-25 16:07:48.670606018 +0530
+@@ -30,6 +30,7 @@
+  * Directory Write Support Routines.
+  */
+ #include "tiffiop.h"
+#include <float.h>
+ 
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@
+        return(0);
+ }
+ 
+static float TIFFClampDoubleToFloat( double val )
+{
+    if( val > FLT_MAX )
+        return FLT_MAX;
+    if( val < -FLT_MAX )
+        return -FLT_MAX;
+    return (float)val;
+}
+
+static int8 TIFFClampDoubleToInt8( double val )
+{
+    if( val > 127 )
+        return 127;
+    if( val < -128 || val != val )
+        return -128;
+    return (int8)val;
+}
+
+static int16 TIFFClampDoubleToInt16( double val )
+{
+    if( val > 32767 )
+        return 32767;
+    if( val < -32768 || val != val )
+        return -32768;
+    return (int16)val;
+}
+
+static int32 TIFFClampDoubleToInt32( double val )
+{
+    if( val > 0x7FFFFFFF )
+        return 0x7FFFFFFF;
+    if( val < -0x7FFFFFFF-1 || val != val )
+        return -0x7FFFFFFF-1;
+    return (int32)val;
+}
+
+static uint8 TIFFClampDoubleToUInt8( double val )
+{
+    if( val < 0 )
+        return 0;
+    if( val > 255 || val != val )
+        return 255;
+    return (uint8)val;
+}
+
+static uint16 TIFFClampDoubleToUInt16( double val )
+{
+    if( val < 0 )
+        return 0;
+    if( val > 65535 || val != val )
+        return 65535;
+    return (uint16)val;
+}
+
+static uint32 TIFFClampDoubleToUInt32( double val )
+{
+    if( val < 0 )
+        return 0;
+    if( val > 0xFFFFFFFFU || val != val )
+        return 0xFFFFFFFFU;
+    return (uint32)val;
+}
+
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@
+                        if (tif->tif_dir.td_bitspersample<=32)
+                        {
+                                for (i = 0; i < count; ++i)
+-                                       ((float*)conv)[i] = (float)value[i];
+                                       ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+                                ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+                        }
+                        else
+@@ -971,19 +1035,19 @@
+                        if (tif->tif_dir.td_bitspersample<=8)
+                        {
+                                for (i = 0; i < count; ++i)
+-                                       ((int8*)conv)[i] = (int8)value[i];
+                                       ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+                                ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+                        }
+                        else if (tif->tif_dir.td_bitspersample<=16)
+                        {
+                                for (i = 0; i < count; ++i)
+-                                       ((int16*)conv)[i] = (int16)value[i];
+                                       ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+                                ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+                        }
+                        else
+                        {
+                                for (i = 0; i < count; ++i)
+-                                       ((int32*)conv)[i] = (int32)value[i];
+                                       ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+                                ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+                        }
+                        break;
+@@ -991,19 +1055,19 @@
+                        if (tif->tif_dir.td_bitspersample<=8)
+                        {
+                                for (i = 0; i < count; ++i)
+-                                       ((uint8*)conv)[i] = (uint8)value[i];
+                                       ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+                                ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+                        }
+                        else if (tif->tif_dir.td_bitspersample<=16)
+                        {
+                                for (i = 0; i < count; ++i)
+-                                       ((uint16*)conv)[i] = (uint16)value[i];
+                                       ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
+                                ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
+                        }
+                        else
+                        {
+                                for (i = 0; i < count; ++i)
+-                                       ((uint32*)conv)[i] = (uint32)value[i];
+                                       ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
+                                ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
+                        }
+                        break;
+@@ -2094,15 +2158,25 @@
+ static int
+ TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
+ {
+        static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
+        uint32 m[2];
+-       assert(value>=0.0);
+        assert(sizeof(uint32)==4);
+-       if (value<=0.0)
+       if (value<0)
+       {
+            TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
+            return 0;
+       }
+        else if( value != value )
+        {
+            TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
+            return 0;
+        }
+        else if (value==0.0)
+        {
+                m[0]=0;
+                m[1]=1;
+-       }
+-       else if (value==(double)(uint32)value)
+        }
+        else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
+        {
+                m[0]=(uint32)value;
+                m[1]=1;
+@@ -2143,7 +2217,7 @@
+        }
+        for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
+        {
+-               if (*na<=0.0)
+                if (*na<=0.0 || *na != *na)
+                {
+                        nb[0]=0;
+                        nb[1]=1;
+@@ -2153,7 +2227,8 @@
+                        nb[0]=(uint32)(*na);
+                        nb[1]=1;
+                }
+-               else if (*na<1.0)
+               else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
+                         *na==(float)(uint32)(*na))
+                {
+                        nb[0]=(uint32)((double)(*na)*0xFFFFFFFF);
+                        nb[1]=0xFFFFFFFF;
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 6881c2456f..77de0be1e7 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2017-7594-p1.patch \
           file://CVE-2017-7594-p2.patch \
           file://CVE-2017-7595.patch \
+           file://CVE-2017-7596.patch \
        "
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
author	Rajkumar Veer <rveer@mvista.com>	2017-11-03 22:28:49 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-21 14:43:54 +0000
commit	3c0fab47bc02e5c7b8cd506a08f9136728df4a24 (patch)
tree	3c6f443ae18f593e2f13bf4104df89836ca27d92 /meta/recipes-multimedia
parent	dc293a78fc7770e4678f8d8e11d9da9f51990819 (diff)
download	poky-3c0fab47bc02e5c7b8cd506a08f9136728df4a24.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch new file mode 100644 index 0000000000..1945c3d316 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch
@@ -0,0 +1,308 @@
		1	From 3144e57770c1e4d26520d8abee750f8ac8b75490 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Wed, 11 Jan 2017 16:09:02 +0000
		4	Subject: [PATCH] * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement
		5	various clampings of double to other data types to avoid undefined behaviour
		6	if the output range isn't big enough to hold the input value. Fixes
		7	http://bugzilla.maptools.org/show_bug.cgi?id=2643
		8	http://bugzilla.maptools.org/show_bug.cgi?id=2642
		9	http://bugzilla.maptools.org/show_bug.cgi?id=2646
		10	http://bugzilla.maptools.org/show_bug.cgi?id=2647
		11
		12	Upstream-Status: Backport
		13
		14	CVE: CVE-2017-7596
		15	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
		16
		17	Index: tiff-4.0.7/ChangeLog
		18	===================================================================
		19	--- tiff-4.0.7.orig/ChangeLog 2017-04-25 15:53:40.294592812 +0530
		20	+++ tiff-4.0.7/ChangeLog 2017-04-25 16:02:03.238600641 +0530
		21	@@ -6,6 +6,16 @@
		22	Patch by Nicolás Peña.
		23	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
		24
		25	+2017-01-11 Even Rouault <even.rouault at spatialys.com>
		26	+
		27	+ * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
		28	+ of double to other data types to avoid undefined behaviour if the output range
		29	+ isn't big enough to hold the input value.
		30	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
		31	+ http://bugzilla.maptools.org/show_bug.cgi?id=2642
		32	+ http://bugzilla.maptools.org/show_bug.cgi?id=2646
		33	+ http://bugzilla.maptools.org/show_bug.cgi?id=2647
		34	+
		35	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		36
		37	* libtiff/tif_jpeg.c: avoid integer division by zero in
		38	Index: tiff-4.0.7/libtiff/tif_dir.c
		39	===================================================================
		40	--- tiff-4.0.7.orig/libtiff/tif_dir.c 2016-10-30 04:33:18.856598072 +0530
		41	+++ tiff-4.0.7/libtiff/tif_dir.c 2017-04-25 16:02:03.238600641 +0530
		42	@@ -31,6 +31,7 @@
		43	* (and also some miscellaneous stuff)
		44	*/
		45	#include "tiffiop.h"
		46	+#include <float.h>
		47
		48	/*
		49	* These are used in the backwards compatibility code...
		50	@@ -154,6 +155,15 @@
		51	return (0);
		52	}
		53
		54	+static float TIFFClampDoubleToFloat( double val )
		55	+{
		56	+ if( val > FLT_MAX )
		57	+ return FLT_MAX;
		58	+ if( val < -FLT_MAX )
		59	+ return -FLT_MAX;
		60	+ return (float)val;
		61	+}
		62	+
		63	static int
		64	_TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
		65	{
		66	@@ -312,13 +322,13 @@
		67	dblval = va_arg(ap, double);
		68	if( dblval < 0 )
		69	goto badvaluedouble;
		70	- td->td_xresolution = (float) dblval;
		71	+ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
		72	break;
		73	case TIFFTAG_YRESOLUTION:
		74	dblval = va_arg(ap, double);
		75	if( dblval < 0 )
		76	goto badvaluedouble;
		77	- td->td_yresolution = (float) dblval;
		78	+ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
		79	break;
		80	case TIFFTAG_PLANARCONFIG:
		81	v = (uint16) va_arg(ap, uint16_vap);
		82	@@ -327,10 +337,10 @@
		83	td->td_planarconfig = (uint16) v;
		84	break;
		85	case TIFFTAG_XPOSITION:
		86	- td->td_xposition = (float) va_arg(ap, double);
		87	+ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
		88	break;
		89	case TIFFTAG_YPOSITION:
		90	- td->td_yposition = (float) va_arg(ap, double);
		91	+ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
		92	break;
		93	case TIFFTAG_RESOLUTIONUNIT:
		94	v = (uint16) va_arg(ap, uint16_vap);
		95	Index: tiff-4.0.7/libtiff/tif_dirread.c
		96	===================================================================
		97	--- tiff-4.0.7.orig/libtiff/tif_dirread.c 2017-04-25 15:53:40.134592810 +0530
		98	+++ tiff-4.0.7/libtiff/tif_dirread.c 2017-04-25 16:02:03.242600641 +0530
		99	@@ -40,6 +40,7 @@
		100	*/
		101
		102	#include "tiffiop.h"
		103	+#include <float.h>
		104
		105	#define IGNORE 0 /* tag placeholder used below */
		106	#define FAILED_FII ((uint32) -1)
		107	@@ -2406,7 +2407,14 @@
		108	ma=(double*)origdata;
		109	mb=data;
		110	for (n=0; n<count; n++)
		111	- mb++=(float)(ma++);
		112	+ {
		113	+ double val = *ma++;
		114	+ if( val > FLT_MAX )
		115	+ val = FLT_MAX;
		116	+ else if( val < -FLT_MAX )
		117	+ val = -FLT_MAX;
		118	+ *mb++=(float)val;
		119	+ }
		120	}
		121	break;
		122	}
		123	Index: tiff-4.0.7/libtiff/tif_dirwrite.c
		124	===================================================================
		125	--- tiff-4.0.7.orig/libtiff/tif_dirwrite.c 2016-10-30 04:33:18.876854501 +0530
		126	+++ tiff-4.0.7/libtiff/tif_dirwrite.c 2017-04-25 16:07:48.670606018 +0530
		127	@@ -30,6 +30,7 @@
		128	* Directory Write Support Routines.
		129	*/
		130	#include "tiffiop.h"
		131	+#include <float.h>
		132
		133	#ifdef HAVE_IEEEFP
		134	#define TIFFCvtNativeToIEEEFloat(tif, n, fp)
		135	@@ -939,6 +940,69 @@
		136	return(0);
		137	}
		138
		139	+static float TIFFClampDoubleToFloat( double val )
		140	+{
		141	+ if( val > FLT_MAX )
		142	+ return FLT_MAX;
		143	+ if( val < -FLT_MAX )
		144	+ return -FLT_MAX;
		145	+ return (float)val;
		146	+}
		147	+
		148	+static int8 TIFFClampDoubleToInt8( double val )
		149	+{
		150	+ if( val > 127 )
		151	+ return 127;
		152	+ if( val < -128 \|\| val != val )
		153	+ return -128;
		154	+ return (int8)val;
		155	+}
		156	+
		157	+static int16 TIFFClampDoubleToInt16( double val )
		158	+{
		159	+ if( val > 32767 )
		160	+ return 32767;
		161	+ if( val < -32768 \|\| val != val )
		162	+ return -32768;
		163	+ return (int16)val;
		164	+}
		165	+
		166	+static int32 TIFFClampDoubleToInt32( double val )
		167	+{
		168	+ if( val > 0x7FFFFFFF )
		169	+ return 0x7FFFFFFF;
		170	+ if( val < -0x7FFFFFFF-1 \|\| val != val )
		171	+ return -0x7FFFFFFF-1;
		172	+ return (int32)val;
		173	+}
		174	+
		175	+static uint8 TIFFClampDoubleToUInt8( double val )
		176	+{
		177	+ if( val < 0 )
		178	+ return 0;
		179	+ if( val > 255 \|\| val != val )
		180	+ return 255;
		181	+ return (uint8)val;
		182	+}
		183	+
		184	+static uint16 TIFFClampDoubleToUInt16( double val )
		185	+{
		186	+ if( val < 0 )
		187	+ return 0;
		188	+ if( val > 65535 \|\| val != val )
		189	+ return 65535;
		190	+ return (uint16)val;
		191	+}
		192	+
		193	+static uint32 TIFFClampDoubleToUInt32( double val )
		194	+{
		195	+ if( val < 0 )
		196	+ return 0;
		197	+ if( val > 0xFFFFFFFFU \|\| val != val )
		198	+ return 0xFFFFFFFFU;
		199	+ return (uint32)val;
		200	+}
		201	+
		202	static int
		203	TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
		204	{
		205	@@ -959,7 +1023,7 @@
		206	if (tif->tif_dir.td_bitspersample<=32)
		207	{
		208	for (i = 0; i < count; ++i)
		209	- ((float*)conv)[i] = (float)value[i];
		210	+ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
		211	ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
		212	}
		213	else
		214	@@ -971,19 +1035,19 @@
		215	if (tif->tif_dir.td_bitspersample<=8)
		216	{
		217	for (i = 0; i < count; ++i)
		218	- ((int8*)conv)[i] = (int8)value[i];
		219	+ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
		220	ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
		221	}
		222	else if (tif->tif_dir.td_bitspersample<=16)
		223	{
		224	for (i = 0; i < count; ++i)
		225	- ((int16*)conv)[i] = (int16)value[i];
		226	+ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
		227	ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
		228	}
		229	else
		230	{
		231	for (i = 0; i < count; ++i)
		232	- ((int32*)conv)[i] = (int32)value[i];
		233	+ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
		234	ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
		235	}
		236	break;
		237	@@ -991,19 +1055,19 @@
		238	if (tif->tif_dir.td_bitspersample<=8)
		239	{
		240	for (i = 0; i < count; ++i)
		241	- ((uint8*)conv)[i] = (uint8)value[i];
		242	+ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
		243	ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
		244	}
		245	else if (tif->tif_dir.td_bitspersample<=16)
		246	{
		247	for (i = 0; i < count; ++i)
		248	- ((uint16*)conv)[i] = (uint16)value[i];
		249	+ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
		250	ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
		251	}
		252	else
		253	{
		254	for (i = 0; i < count; ++i)
		255	- ((uint32*)conv)[i] = (uint32)value[i];
		256	+ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
		257	ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
		258	}
		259	break;
		260	@@ -2094,15 +2158,25 @@
		261	static int
		262	TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
		263	{
		264	+ static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
		265	uint32 m[2];
		266	- assert(value>=0.0);
		267	assert(sizeof(uint32)==4);
		268	- if (value<=0.0)
		269	+ if (value<0)
		270	+ {
		271	+ TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
		272	+ return 0;
		273	+ }
		274	+ else if( value != value )
		275	+ {
		276	+ TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
		277	+ return 0;
		278	+ }
		279	+ else if (value==0.0)
		280	{
		281	m[0]=0;
		282	m[1]=1;
		283	- }
		284	- else if (value==(double)(uint32)value)
		285	+ }
		286	+ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
		287	{
		288	m[0]=(uint32)value;
		289	m[1]=1;
		290	@@ -2143,7 +2217,7 @@
		291	}
		292	for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
		293	{
		294	- if (*na<=0.0)
		295	+ if (na<=0.0 \|\| na != *na)
		296	{
		297	nb[0]=0;
		298	nb[1]=1;
		299	@@ -2153,7 +2227,8 @@
		300	nb[0]=(uint32)(*na);
		301	nb[1]=1;
		302	}
		303	- else if (*na<1.0)
		304	+ else if (na >= 0 && na <= (float)0xFFFFFFFFU &&
		305	+ na==(float)(uint32)(na))
		306	{
		307	nb[0]=(uint32)((double)(na)0xFFFFFFFF);
		308	nb[1]=0xFFFFFFFF;


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 6881c2456f..77de0be1e7 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
22	file://CVE-2017-7594-p1.patch \	22	file://CVE-2017-7594-p1.patch \
23	file://CVE-2017-7594-p2.patch \	23	file://CVE-2017-7594-p2.patch \
24	file://CVE-2017-7595.patch \	24	file://CVE-2017-7595.patch \
		25	file://CVE-2017-7596.patch \
25	"	26	"
26		27
27	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"	28	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"