summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-07-15 12:04:13 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-16 13:53:17 +0100
commit8e63ec13b408c2fe64acc512a6a6eeebf56c51af (patch)
tree47fb9759e2d415fcfda8752490842e3d9fa612ad /meta/recipes-multimedia
parentd3e9a9b2a0bbde00bc5e47b654cc8e9493fafd0c (diff)
downloadpoky-8e63ec13b408c2fe64acc512a6a6eeebf56c51af.tar.gz
tiff: fix CVE-2019-7663
(From OE-Core rev: d06d6910d1ec9374bb15e02809e64e81198731b6) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch77
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.10.bb3
2 files changed, 79 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
new file mode 100644
index 0000000000..f244fb2f32
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
@@ -0,0 +1,77 @@
1CVE: CVE-2019-7663
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
6From: Thomas Bernard <miniupnp@free.fr>
7Date: Mon, 11 Feb 2019 10:05:33 +0100
8Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
9
10fixes bug 2833
11---
12 tools/tiffcp.c | 8 +++++++-
13 1 file changed, 7 insertions(+), 1 deletion(-)
14
15diff --git a/tools/tiffcp.c b/tools/tiffcp.c
16index 2f406e2d..f0ee2c02 100644
17--- a/tools/tiffcp.c
18+++ b/tools/tiffcp.c
19@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
20 int status = 1;
21 uint32 imagew = TIFFRasterScanlineSize(in);
22 uint32 tilew = TIFFTileRowSize(in);
23- int iskew = imagew - tilew*spp;
24+ int iskew;
25 tsize_t tilesize = TIFFTileSize(in);
26 tdata_t tilebuf;
27 uint8* bufp = (uint8*) buf;
28@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
29 uint32 row;
30 uint16 bps = 0, bytes_per_sample;
31
32+ if (spp > (0x7fffffff / tilew))
33+ {
34+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
35+ return 0;
36+ }
37+ iskew = imagew - tilew*spp;
38 tilebuf = _TIFFmalloc(tilesize);
39 if (tilebuf == 0)
40 return 0;
41--
422.20.1
43
44
45From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
46From: Thomas Bernard <miniupnp@free.fr>
47Date: Mon, 11 Feb 2019 21:42:03 +0100
48Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
49
50---
51 tools/tiffcp.c | 3 ++-
52 1 file changed, 2 insertions(+), 1 deletion(-)
53
54diff --git a/tools/tiffcp.c b/tools/tiffcp.c
55index f0ee2c02..8c81aa4f 100644
56--- a/tools/tiffcp.c
57+++ b/tools/tiffcp.c
58@@ -41,6 +41,7 @@
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62+#include <limits.h>
63
64 #include <ctype.h>
65
66@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
67 uint32 row;
68 uint16 bps = 0, bytes_per_sample;
69
70- if (spp > (0x7fffffff / tilew))
71+ if (spp > (INT_MAX / tilew))
72 {
73 TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
74 return 0;
75--
762.20.1
77
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
index 3c055a15dc..999496273c 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -5,7 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
5CVE_PRODUCT = "libtiff" 5CVE_PRODUCT = "libtiff"
6 6
7SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ 7SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
8 file://CVE-2019-6128.patch" 8 file://CVE-2019-6128.patch \
9 file://CVE-2019-7663.patch"
9SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" 10SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
10SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" 11SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
11 12