diff options
author | Mingli Yu <Mingli.Yu@windriver.com> | 2016-12-07 16:01:13 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-12-08 10:31:29 +0000 |
commit | 416e4d33fa96213f4755664096b11f96049ae52b (patch) | |
tree | 3957ad4e99cadb09734f883821828a5fcc58fae5 /meta/recipes-multimedia | |
parent | b229874a8821ebbb0e5a25d2b9e5295d2df44cd8 (diff) | |
download | poky-416e4d33fa96213f4755664096b11f96049ae52b.tar.gz |
tiff: Fix several CVE issues
Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and
CVE-2016-9537
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9533
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9534
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9536
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9537
Patch from:
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f
(From OE-Core rev: f75ecefee21ef89b147fff9afae01a6f09c93198)
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch | 281 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 |
2 files changed, 282 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch b/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch new file mode 100644 index 0000000000..bd587e6d07 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch | |||
@@ -0,0 +1,281 @@ | |||
1 | From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Fri, 23 Sep 2016 22:12:18 +0000 | ||
4 | Subject: [PATCH] Fix several CVE issues | ||
5 | |||
6 | Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537 | ||
7 | |||
8 | * tools/tiffcrop.c: fix various out-of-bounds write | ||
9 | vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093, | ||
10 | MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from | ||
11 | the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix | ||
12 | out-of-bounds write vulnerabilities in heap allocate buffer in | ||
13 | t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet | ||
14 | and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. * | ||
15 | libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap | ||
16 | allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and | ||
17 | Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. * | ||
18 | libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that | ||
19 | didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if | ||
20 | that could happen in practice outside of the odd behaviour of t2p_seekproc() | ||
21 | of tiff2pdf). The report points that a better fix could be to check the | ||
22 | return value of TIFFFlushData1() in places where it isn't done currently, but | ||
23 | it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel | ||
24 | Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities & | ||
25 | Mitigations team. | ||
26 | |||
27 | CVE: CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, CVE-2016-9537 | ||
28 | Upstream-Status: Backport | ||
29 | https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef | ||
30 | |||
31 | Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> | ||
32 | |||
33 | --- | ||
34 | libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++----------------------------- | ||
35 | libtiff/tif_write.c | 7 +++++++ | ||
36 | tools/tiff2pdf.c | 22 ++++++++++++++++++-- | ||
37 | tools/tiffcrop.c | 20 +++++++++++++++++- | ||
38 | 4 files changed, 92 insertions(+), 35 deletions(-) | ||
39 | |||
40 | diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c | ||
41 | index 1fb8f3b..d1246c3 100644 | ||
42 | --- a/libtiff/tif_pixarlog.c | ||
43 | +++ b/libtiff/tif_pixarlog.c | ||
44 | @@ -983,17 +983,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2) | ||
45 | a1 = (int32) CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1; | ||
46 | } | ||
47 | } else { | ||
48 | - ip += n - 1; /* point to last one */ | ||
49 | - wp += n - 1; /* point to last one */ | ||
50 | - n -= stride; | ||
51 | - while (n > 0) { | ||
52 | - REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); | ||
53 | - wp[stride] -= wp[0]; | ||
54 | - wp[stride] &= mask; | ||
55 | - wp--; ip--) | ||
56 | - n -= stride; | ||
57 | - } | ||
58 | - REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--) | ||
59 | + REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++) | ||
60 | + n -= stride; | ||
61 | + while (n > 0) { | ||
62 | + REPEAT(stride, | ||
63 | + wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask); | ||
64 | + wp++; ip++) | ||
65 | + n -= stride; | ||
66 | + } | ||
67 | } | ||
68 | } | ||
69 | } | ||
70 | @@ -1036,17 +1033,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride, | ||
71 | a1 = CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1; | ||
72 | } | ||
73 | } else { | ||
74 | - ip += n - 1; /* point to last one */ | ||
75 | - wp += n - 1; /* point to last one */ | ||
76 | + REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) | ||
77 | n -= stride; | ||
78 | while (n > 0) { | ||
79 | - REPEAT(stride, wp[0] = CLAMP(ip[0]); | ||
80 | - wp[stride] -= wp[0]; | ||
81 | - wp[stride] &= mask; | ||
82 | - wp--; ip--) | ||
83 | - n -= stride; | ||
84 | - } | ||
85 | - REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) | ||
86 | + REPEAT(stride, | ||
87 | + wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); | ||
88 | + wp++; ip++) | ||
89 | + n -= stride; | ||
90 | + } | ||
91 | } | ||
92 | } | ||
93 | } | ||
94 | @@ -1089,18 +1083,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride, | ||
95 | ip += 4; | ||
96 | } | ||
97 | } else { | ||
98 | - wp += n + stride - 1; /* point to last one */ | ||
99 | - ip += n + stride - 1; /* point to last one */ | ||
100 | - n -= stride; | ||
101 | - while (n > 0) { | ||
102 | - REPEAT(stride, wp[0] = CLAMP(ip[0]); | ||
103 | - wp[stride] -= wp[0]; | ||
104 | - wp[stride] &= mask; | ||
105 | - wp--; ip--) | ||
106 | - n -= stride; | ||
107 | - } | ||
108 | - REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) | ||
109 | - } | ||
110 | + REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) | ||
111 | + n -= stride; | ||
112 | + while (n > 0) { | ||
113 | + REPEAT(stride, | ||
114 | + wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); | ||
115 | + wp++; ip++) | ||
116 | + n -= stride; | ||
117 | + } | ||
118 | + } | ||
119 | } | ||
120 | } | ||
121 | |||
122 | diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c | ||
123 | index f9a3fc0..d8fa802 100644 | ||
124 | --- a/libtiff/tif_write.c | ||
125 | +++ b/libtiff/tif_write.c | ||
126 | @@ -798,7 +798,14 @@ TIFFFlushData1(TIFF* tif) | ||
127 | if (!TIFFAppendToStrip(tif, | ||
128 | isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip, | ||
129 | tif->tif_rawdata, tif->tif_rawcc)) | ||
130 | + { | ||
131 | + /* We update those variables even in case of error since there's */ | ||
132 | + /* code that doesn't really check the return code of this */ | ||
133 | + /* function */ | ||
134 | + tif->tif_rawcc = 0; | ||
135 | + tif->tif_rawcp = tif->tif_rawdata; | ||
136 | return (0); | ||
137 | + } | ||
138 | tif->tif_rawcc = 0; | ||
139 | tif->tif_rawcp = tif->tif_rawdata; | ||
140 | } | ||
141 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
142 | index dcd5a7e..f8df6b5 100644 | ||
143 | --- a/tools/tiff2pdf.c | ||
144 | +++ b/tools/tiff2pdf.c | ||
145 | @@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t); | ||
146 | int t2p_process_ojpeg_tables(T2P*, TIFF*); | ||
147 | #endif | ||
148 | #ifdef JPEG_SUPPORT | ||
149 | -int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32); | ||
150 | +int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32); | ||
151 | #endif | ||
152 | void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32); | ||
153 | void t2p_write_advance_directory(T2P*, TIFF*); | ||
154 | @@ -2408,7 +2408,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){ | ||
155 | if(!t2p_process_jpeg_strip( | ||
156 | stripbuffer, | ||
157 | &striplength, | ||
158 | - buffer, | ||
159 | + buffer, | ||
160 | + t2p->tiff_datasize, | ||
161 | &bufferoffset, | ||
162 | i, | ||
163 | t2p->tiff_length)){ | ||
164 | @@ -3439,6 +3440,7 @@ int t2p_process_jpeg_strip( | ||
165 | unsigned char* strip, | ||
166 | tsize_t* striplength, | ||
167 | unsigned char* buffer, | ||
168 | + tsize_t buffersize, | ||
169 | tsize_t* bufferoffset, | ||
170 | tstrip_t no, | ||
171 | uint32 height){ | ||
172 | @@ -3473,6 +3475,8 @@ int t2p_process_jpeg_strip( | ||
173 | } | ||
174 | switch( strip[i] ){ | ||
175 | case 0xd8: /* SOI - start of image */ | ||
176 | + if( *bufferoffset + 2 > buffersize ) | ||
177 | + return(0); | ||
178 | _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); | ||
179 | *bufferoffset+=2; | ||
180 | break; | ||
181 | @@ -3482,12 +3486,18 @@ int t2p_process_jpeg_strip( | ||
182 | case 0xc9: /* SOF9 */ | ||
183 | case 0xca: /* SOF10 */ | ||
184 | if(no==0){ | ||
185 | + if( *bufferoffset + datalen + 2 + 6 > buffersize ) | ||
186 | + return(0); | ||
187 | _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); | ||
188 | + if( *bufferoffset + 9 >= buffersize ) | ||
189 | + return(0); | ||
190 | ncomp = buffer[*bufferoffset+9]; | ||
191 | if (ncomp < 1 || ncomp > 4) | ||
192 | return(0); | ||
193 | v_samp=1; | ||
194 | h_samp=1; | ||
195 | + if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize ) | ||
196 | + return(0); | ||
197 | for(j=0;j<ncomp;j++){ | ||
198 | uint16 samp = buffer[*bufferoffset+11+(3*j)]; | ||
199 | if( (samp>>4) > h_samp) | ||
200 | @@ -3519,20 +3529,28 @@ int t2p_process_jpeg_strip( | ||
201 | break; | ||
202 | case 0xc4: /* DHT */ | ||
203 | case 0xdb: /* DQT */ | ||
204 | + if( *bufferoffset + datalen + 2 > buffersize ) | ||
205 | + return(0); | ||
206 | _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); | ||
207 | *bufferoffset+=datalen+2; | ||
208 | break; | ||
209 | case 0xda: /* SOS */ | ||
210 | if(no==0){ | ||
211 | + if( *bufferoffset + datalen + 2 > buffersize ) | ||
212 | + return(0); | ||
213 | _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); | ||
214 | *bufferoffset+=datalen+2; | ||
215 | } else { | ||
216 | + if( *bufferoffset + 2 > buffersize ) | ||
217 | + return(0); | ||
218 | buffer[(*bufferoffset)++]=0xff; | ||
219 | buffer[(*bufferoffset)++]= | ||
220 | (unsigned char)(0xd0 | ((no-1)%8)); | ||
221 | } | ||
222 | i += datalen + 1; | ||
223 | /* copy remainder of strip */ | ||
224 | + if( *bufferoffset + *striplength - i > buffersize ) | ||
225 | + return(0); | ||
226 | _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); | ||
227 | *bufferoffset+= *striplength - i; | ||
228 | return(1); | ||
229 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
230 | index ebc4aba..7685566 100644 | ||
231 | --- a/tools/tiffcrop.c | ||
232 | +++ b/tools/tiffcrop.c | ||
233 | @@ -5758,7 +5758,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
234 | { | ||
235 | uint32 i; | ||
236 | float xres = 0.0, yres = 0.0; | ||
237 | - uint16 nstrips = 0, ntiles = 0, planar = 0; | ||
238 | + uint32 nstrips = 0, ntiles = 0; | ||
239 | + uint16 planar = 0; | ||
240 | uint16 bps = 0, spp = 0, res_unit = 0; | ||
241 | uint16 orientation = 0; | ||
242 | uint16 input_compression = 0, input_photometric = 0; | ||
243 | @@ -6066,11 +6067,23 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
244 | /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ | ||
245 | /* outside buffer */ | ||
246 | if (!read_buff) | ||
247 | + { | ||
248 | + if( buffsize > 0xFFFFFFFFU - 3 ) | ||
249 | + { | ||
250 | + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
251 | + return (-1); | ||
252 | + } | ||
253 | read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); | ||
254 | + } | ||
255 | else | ||
256 | { | ||
257 | if (prev_readsize < buffsize) | ||
258 | + { | ||
259 | + if( buffsize > 0xFFFFFFFFU - 3 ) | ||
260 | { | ||
261 | + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
262 | + return (-1); | ||
263 | + } | ||
264 | new_buff = _TIFFrealloc(read_buff, buffsize+3); | ||
265 | if (!new_buff) | ||
266 | { | ||
267 | @@ -8912,6 +8925,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width, | ||
268 | } | ||
269 | |||
270 | bytes_per_pixel = ((bps * spp) + 7) / 8; | ||
271 | + if( bytes_per_pixel > sizeof(swapbuff) ) | ||
272 | + { | ||
273 | + TIFFError("reverseSamplesBytes","bytes_per_pixel too large"); | ||
274 | + return (1); | ||
275 | + } | ||
276 | switch (bps / 8) | ||
277 | { | ||
278 | case 8: /* Use memcpy for multiple bytes per sample data */ | ||
279 | -- | ||
280 | 2.9.3 | ||
281 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index e0f91b8390..450927d93c 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | |||
@@ -24,6 +24,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
24 | file://CVE-2016-9535-1.patch \ | 24 | file://CVE-2016-9535-1.patch \ |
25 | file://CVE-2016-9535-2.patch \ | 25 | file://CVE-2016-9535-2.patch \ |
26 | file://CVE-2016-9538.patch \ | 26 | file://CVE-2016-9538.patch \ |
27 | file://Fix_several_CVE_issues.patch \ | ||
27 | " | 28 | " |
28 | 29 | ||
29 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" | 30 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" |