tiff: Security fix for CVE-2017-7602

(From OE-Core rev: 957e9f92b17c6b268e6c037666d2f32ef23f7bf9) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Rajkumar Veer <rveer@mvista.com> 2017-11-03 22:33:41 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-05 22:39:49 +0000
commit: 2aed68963f5c73985d02f3d378a7614169e09602 (patch)
tree: e6eb4ad0b89e6fb795940b602196d92dd4b346b6 /meta/recipes-multimedia
parent: a05828ec79f0930fa247a2a4caecbfc521792eb3 (diff)
download: poky-2aed68963f5c73985d02f3d378a7614169e09602.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch
new file mode 100644
index 0000000000..9ed97e2467
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch
@@ -0,0 +1,69 @@
+From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 16:33:34 +0000
+Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on
+ signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2650
+Upstream-Status: Backport
+CVE: CVE-2017-7602
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog   2017-04-25 18:42:07.656135638 +0530
+++ tiff-4.0.7/ChangeLog        2017-04-25 18:54:36.812147299 +0530
+@@ -8,6 +8,12 @@
+ 
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ 
+       * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
+       addition in TIFFReadRawStrip1() in isMapped() case.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
+        undefined behaviour caused by invalid shift exponent.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
+Index: tiff-4.0.7/libtiff/tif_read.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_read.c  2017-04-25 18:42:07.132135629 +0530
+++ tiff-4.0.7/libtiff/tif_read.c       2017-04-25 18:58:25.272150855 +0530
+@@ -420,16 +420,26 @@
+                        return ((tmsize_t)(-1));
+                }
+        } else {
+-               tmsize_t ma,mb;
+               tmsize_t ma;
+                tmsize_t n;
+-               ma=(tmsize_t)td->td_stripoffset[strip];
+-               mb=ma+size;
+-               if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+-                       n=0;
+-               else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+-                       n=tif->tif_size-ma;
+-               else
+-                       n=size;
+                if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
+                     ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
+                {
+                    n=0;
+                }
+                else if( ma > TIFF_TMSIZE_T_MAX - size )
+                {
+                    n=0;
+                }
+                else
+                {
+                    tmsize_t mb=ma+size;
+                    if (mb>tif->tif_size)
+                            n=tif->tif_size-ma;
+                    else
+                            n=size;
+                }
+
+                if (n!=size) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                        TIFFErrorExt(tif->tif_clientdata, module,
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 7f438dad9a..126cad13fd 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2017-7596.patch \
           file://CVE-2017-7598.patch \
           file://CVE-2017-7601.patch \
+           file://CVE-2017-7602.patch \
        "
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
author	Rajkumar Veer <rveer@mvista.com>	2017-11-03 22:33:41 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-05 22:39:49 +0000
commit	2aed68963f5c73985d02f3d378a7614169e09602 (patch)
tree	e6eb4ad0b89e6fb795940b602196d92dd4b346b6 /meta/recipes-multimedia
parent	a05828ec79f0930fa247a2a4caecbfc521792eb3 (diff)
download	poky-2aed68963f5c73985d02f3d378a7614169e09602.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch new file mode 100644 index 0000000000..9ed97e2467 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7602.patch
@@ -0,0 +1,69 @@
		1	From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Wed, 11 Jan 2017 16:33:34 +0000
		4	Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on
		5	signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
		6	http://bugzilla.maptools.org/show_bug.cgi?id=2650
		7
		8	Upstream-Status: Backport
		9
		10	CVE: CVE-2017-7602
		11	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
		12
		13	Index: tiff-4.0.7/ChangeLog
		14	===================================================================
		15	--- tiff-4.0.7.orig/ChangeLog 2017-04-25 18:42:07.656135638 +0530
		16	+++ tiff-4.0.7/ChangeLog 2017-04-25 18:54:36.812147299 +0530
		17	@@ -8,6 +8,12 @@
		18
		19	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		20
		21	+ * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
		22	+ addition in TIFFReadRawStrip1() in isMapped() case.
		23	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
		24	+
		25	+2017-01-11 Even Rouault <even.rouault at spatialys.com>
		26	+
		27	* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
		28	undefined behaviour caused by invalid shift exponent.
		29	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
		30	Index: tiff-4.0.7/libtiff/tif_read.c
		31	===================================================================
		32	--- tiff-4.0.7.orig/libtiff/tif_read.c 2017-04-25 18:42:07.132135629 +0530
		33	+++ tiff-4.0.7/libtiff/tif_read.c 2017-04-25 18:58:25.272150855 +0530
		34	@@ -420,16 +420,26 @@
		35	return ((tmsize_t)(-1));
		36	}
		37	} else {
		38	- tmsize_t ma,mb;
		39	+ tmsize_t ma;
		40	tmsize_t n;
		41	- ma=(tmsize_t)td->td_stripoffset[strip];
		42	- mb=ma+size;
		43	- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)\|\|(ma>tif->tif_size))
		44	- n=0;
		45	- else if ((mb<ma)\|\|(mb<size)\|\|(mb>tif->tif_size))
		46	- n=tif->tif_size-ma;
		47	- else
		48	- n=size;
		49	+ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)\|\|
		50	+ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
		51	+ {
		52	+ n=0;
		53	+ }
		54	+ else if( ma > TIFF_TMSIZE_T_MAX - size )
		55	+ {
		56	+ n=0;
		57	+ }
		58	+ else
		59	+ {
		60	+ tmsize_t mb=ma+size;
		61	+ if (mb>tif->tif_size)
		62	+ n=tif->tif_size-ma;
		63	+ else
		64	+ n=size;
		65	+ }
		66	+
		67	if (n!=size) {
		68	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
		69	TIFFErrorExt(tif->tif_clientdata, module,


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 7f438dad9a..126cad13fd 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
25	file://CVE-2017-7596.patch \	25	file://CVE-2017-7596.patch \
26	file://CVE-2017-7598.patch \	26	file://CVE-2017-7598.patch \
27	file://CVE-2017-7601.patch \	27	file://CVE-2017-7601.patch \
		28	file://CVE-2017-7602.patch \
28	"	29	"
29		30
30	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"	31	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"