diff options
author | Joe Slater <joe.slater@windriver.com> | 2019-11-06 10:45:53 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-18 14:42:13 +0000 |
commit | 3b86def5ed2a07d765ce7530afd4b8d7af7cba15 (patch) | |
tree | 938e19ad00baa7595c058258c4a3089f169cd146 /meta/recipes-multimedia | |
parent | ee860651e9eefcc7f210c8f6147b118881be740f (diff) | |
download | poky-3b86def5ed2a07d765ce7530afd4b8d7af7cba15.tar.gz |
libtiff: fix CVE-2019-17546
Apply unmodified patch from upstream.
(From OE-Core rev: 9cba3d02d00df23a3d0f830cb7d11752142f7d82)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch | 103 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 1 |
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch new file mode 100644 index 0000000000..04c5410930 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch | |||
@@ -0,0 +1,103 @@ | |||
1 | libtiff: fix CVE-2019-17546 | ||
2 | |||
3 | Added after 4.0.10 release. | ||
4 | |||
5 | CVE: CVE-2019-17546 | ||
6 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff] | ||
7 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
8 | |||
9 | commit 4bb584a35f87af42d6cf09d15e9ce8909a839145 | ||
10 | Author: Even Rouault <even.rouault@spatialys.com> | ||
11 | Date: Thu Aug 15 15:05:28 2019 +0200 | ||
12 | |||
13 | RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz | ||
14 | |||
15 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
16 | index c88b5fa..4da785d 100644 | ||
17 | --- a/libtiff/tif_getimage.c | ||
18 | +++ b/libtiff/tif_getimage.c | ||
19 | @@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
20 | fromskew = (w < imagewidth ? imagewidth - w : 0); | ||
21 | for (row = 0; row < h; row += nrow) | ||
22 | { | ||
23 | + uint32 temp; | ||
24 | rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; | ||
25 | nrow = (row + rowstoread > h ? h - row : rowstoread); | ||
26 | nrowsub = nrow; | ||
27 | if ((nrowsub%subsamplingver)!=0) | ||
28 | nrowsub+=subsamplingver-nrowsub%subsamplingver; | ||
29 | + temp = (row + img->row_offset)%rowsperstrip + nrowsub; | ||
30 | + if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) | ||
31 | + { | ||
32 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); | ||
33 | + return 0; | ||
34 | + } | ||
35 | if (_TIFFReadEncodedStripAndAllocBuffer(tif, | ||
36 | TIFFComputeStrip(tif,row+img->row_offset, 0), | ||
37 | (void**)(&buf), | ||
38 | maxstripsize, | ||
39 | - ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) | ||
40 | + temp * scanline)==(tmsize_t)(-1) | ||
41 | && (buf == NULL || img->stoponerr)) | ||
42 | { | ||
43 | ret = 0; | ||
44 | @@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
45 | fromskew = (w < imagewidth ? imagewidth - w : 0); | ||
46 | for (row = 0; row < h; row += nrow) | ||
47 | { | ||
48 | + uint32 temp; | ||
49 | rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; | ||
50 | nrow = (row + rowstoread > h ? h - row : rowstoread); | ||
51 | offset_row = row + img->row_offset; | ||
52 | + temp = (row + img->row_offset)%rowsperstrip + nrow; | ||
53 | + if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) | ||
54 | + { | ||
55 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); | ||
56 | + return 0; | ||
57 | + } | ||
58 | if( buf == NULL ) | ||
59 | { | ||
60 | if (_TIFFReadEncodedStripAndAllocBuffer( | ||
61 | tif, TIFFComputeStrip(tif, offset_row, 0), | ||
62 | (void**) &buf, bufsize, | ||
63 | - ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
64 | + temp * scanline)==(tmsize_t)(-1) | ||
65 | && (buf == NULL || img->stoponerr)) | ||
66 | { | ||
67 | ret = 0; | ||
68 | @@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
69 | } | ||
70 | } | ||
71 | else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), | ||
72 | - p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
73 | + p0, temp * scanline)==(tmsize_t)(-1) | ||
74 | && img->stoponerr) | ||
75 | { | ||
76 | ret = 0; | ||
77 | @@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
78 | } | ||
79 | if (colorchannels > 1 | ||
80 | && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), | ||
81 | - p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) | ||
82 | + p1, temp * scanline) == (tmsize_t)(-1) | ||
83 | && img->stoponerr) | ||
84 | { | ||
85 | ret = 0; | ||
86 | @@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
87 | } | ||
88 | if (colorchannels > 1 | ||
89 | && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), | ||
90 | - p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) | ||
91 | + p2, temp * scanline) == (tmsize_t)(-1) | ||
92 | && img->stoponerr) | ||
93 | { | ||
94 | ret = 0; | ||
95 | @@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
96 | if (alpha) | ||
97 | { | ||
98 | if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), | ||
99 | - pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
100 | + pa, temp * scanline)==(tmsize_t)(-1) | ||
101 | && img->stoponerr) | ||
102 | { | ||
103 | ret = 0; | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index a526fc06a2..08d9cad28a 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | |||
@@ -9,6 +9,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
9 | file://CVE-2019-6128.patch \ | 9 | file://CVE-2019-6128.patch \ |
10 | file://CVE-2019-7663.patch \ | 10 | file://CVE-2019-7663.patch \ |
11 | file://CVE-2019-14973.patch \ | 11 | file://CVE-2019-14973.patch \ |
12 | file://CVE-2019-17546.patch \ | ||
12 | " | 13 | " |
13 | SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" | 14 | SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" |
14 | SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" | 15 | SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" |