summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorAlexander Kanavin <alex.kanavin@gmail.com>2019-11-18 15:28:43 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-21 23:08:19 +0000
commitf931a332d1db0730b4edc05ce19105b9d7909ec3 (patch)
treeb887c970077204594a71a3e01e6cb8fab62f543a /meta
parentf681fd3b2fd69b6ecf71c317bc4a8e8786c0a38f (diff)
downloadpoky-f931a332d1db0730b4edc05ce19105b9d7909ec3.tar.gz
tiff: update to 4.1.0
Drop backported patches. (From OE-Core rev: e5ecf2604e5b8c957eb3bae21fb3c9b2b1b7e12f) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch415
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch103
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch52
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch77
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.1.0.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.0.10.bb)10
5 files changed, 3 insertions, 654 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
deleted file mode 100644
index 8345295d07..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
+++ /dev/null
@@ -1,415 +0,0 @@
1From 95ac1e3fcc6b643b5bd100f2ea54faca0a003315 Mon Sep 17 00:00:00 2001
2From: Trevor Gamblin <trevor.gamblin@windriver.com>
3Date: Fri, 20 Sep 2019 09:33:22 -0400
4Subject: [PATCH] libtiff-fix-CVE-2019-14973
5
6Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/2218055ca67d84be596a13080e8f50f22116555c]
7CVE: CVE-2019-14973
8
9Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
10---
11 libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
12 libtiff/tif_getimage.c | 6 ++----
13 libtiff/tif_luv.c | 8 +------
14 libtiff/tif_pixarlog.c | 7 +-----
15 libtiff/tif_read.c | 38 +++++++++-----------------------
16 libtiff/tif_strip.c | 35 ++++--------------------------
17 libtiff/tif_tile.c | 27 +++--------------------
18 libtiff/tiffiop.h | 7 +++++-
19 8 files changed, 71 insertions(+), 106 deletions(-)
20
21diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
22index 4ece162f..33fb8a44 100644
23--- a/libtiff/tif_aux.c
24+++ b/libtiff/tif_aux.c
25@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
26 return bytes;
27 }
28
29+tmsize_t
30+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
31+{
32+ if( first <= 0 || second <= 0 )
33+ {
34+ if( tif != NULL && where != NULL )
35+ {
36+ TIFFErrorExt(tif->tif_clientdata, where,
37+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
38+ }
39+ return 0;
40+ }
41+
42+ if( first > TIFF_TMSIZE_T_MAX / second )
43+ {
44+ if( tif != NULL && where != NULL )
45+ {
46+ TIFFErrorExt(tif->tif_clientdata, where,
47+ "Integer overflow in %s", where);
48+ }
49+ return 0;
50+ }
51+ return first * second;
52+}
53+
54+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
55+{
56+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
57+ {
58+ if( tif != NULL && module != NULL )
59+ {
60+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
61+ }
62+ return 0;
63+ }
64+ return (tmsize_t)val;
65+}
66+
67 void*
68 _TIFFCheckRealloc(TIFF* tif, void* buffer,
69 tmsize_t nmemb, tmsize_t elem_size, const char* what)
70 {
71 void* cp = NULL;
72- tmsize_t bytes = nmemb * elem_size;
73-
74+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
75 /*
76- * XXX: Check for integer overflow.
77+ * Check for integer overflow.
78 */
79- if (nmemb && elem_size && bytes / elem_size == nmemb)
80- cp = _TIFFrealloc(buffer, bytes);
81+ if (count != 0)
82+ {
83+ cp = _TIFFrealloc(buffer, count);
84+ }
85
86 if (cp == NULL) {
87 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
88diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
89index 6a9d5a7c..2106ca21 100644
90--- a/libtiff/tif_getimage.c
91+++ b/libtiff/tif_getimage.c
92@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
93 uint32 leftmost_tw;
94
95 tilesize = TIFFTileSize(tif);
96- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
97+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
98 if (bufsize == 0) {
99- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
100 return (0);
101 }
102
103@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
104 uint16 colorchannels;
105
106 stripsize = TIFFStripSize(tif);
107- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
108+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
109 if (bufsize == 0) {
110- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
111 return (0);
112 }
113
114diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
115index aa35ea07..46d2dff2 100644
116--- a/libtiff/tif_luv.c
117+++ b/libtiff/tif_luv.c
118@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
119 return (SGILOGDATAFMT_UNKNOWN);
120 }
121
122-
123-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
124-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
125-
126 static tmsize_t
127 multiply_ms(tmsize_t m1, tmsize_t m2)
128 {
129- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
130- return 0;
131- return m1 * m2;
132+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
133 }
134
135 static int
136diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
137index 7438d692..b52a3ee4 100644
138--- a/libtiff/tif_pixarlog.c
139+++ b/libtiff/tif_pixarlog.c
140@@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
141 return guess;
142 }
143
144-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
145-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
146-
147 static tmsize_t
148 multiply_ms(tmsize_t m1, tmsize_t m2)
149 {
150- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
151- return 0;
152- return m1 * m2;
153+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
154 }
155
156 static tmsize_t
157diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
158index e63810cc..8db39d7a 100644
159--- a/libtiff/tif_read.c
160+++ b/libtiff/tif_read.c
161@@ -29,9 +29,6 @@
162 #include "tiffiop.h"
163 #include <stdio.h>
164
165-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
166-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
167-
168 int TIFFFillStrip(TIFF* tif, uint32 strip);
169 int TIFFFillTile(TIFF* tif, uint32 tile);
170 static int TIFFStartStrip(TIFF* tif, uint32 strip);
171@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
172 #define THRESHOLD_MULTIPLIER 10
173 #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
174
175+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
176+
177 /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
178 * Returns 1 in case of success, 0 otherwise. */
179 static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
180@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
181 return ((tmsize_t)(-1));
182 }
183 bytecount = td->td_stripbytecount[strip];
184- if ((int64)bytecount <= 0) {
185-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
186- TIFFErrorExt(tif->tif_clientdata, module,
187- "%I64u: Invalid strip byte count, strip %lu",
188- (unsigned __int64) bytecount,
189- (unsigned long) strip);
190-#else
191- TIFFErrorExt(tif->tif_clientdata, module,
192- "%llu: Invalid strip byte count, strip %lu",
193- (unsigned long long) bytecount,
194- (unsigned long) strip);
195-#endif
196- return ((tmsize_t)(-1));
197- }
198- bytecountm = (tmsize_t)bytecount;
199- if ((uint64)bytecountm!=bytecount) {
200- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
201+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
202+ if (bytecountm == 0) {
203 return ((tmsize_t)(-1));
204 }
205 if (size != (tmsize_t)(-1) && size < bytecountm)
206@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
207 if ((tif->tif_flags&TIFF_NOREADRAW)==0)
208 {
209 uint64 bytecount = td->td_stripbytecount[strip];
210- if ((int64)bytecount <= 0) {
211+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
212 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
213 TIFFErrorExt(tif->tif_clientdata, module,
214 "Invalid strip byte count %I64u, strip %lu",
215@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
216 (bytecount - 4096) / 10 > (uint64)stripsize )
217 {
218 uint64 newbytecount = (uint64)stripsize * 10 + 4096;
219- if( (int64)newbytecount >= 0 )
220+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
221 {
222 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
223 TIFFWarningExt(tif->tif_clientdata, module,
224@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
225 bytecount64 = td->td_stripbytecount[tile];
226 if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
227 bytecount64 = (uint64)size;
228- bytecountm = (tmsize_t)bytecount64;
229- if ((uint64)bytecountm!=bytecount64)
230- {
231- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
232+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
233+ if( bytecountm == 0 ) {
234 return ((tmsize_t)(-1));
235 }
236 return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
237@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
238 if ((tif->tif_flags&TIFF_NOREADRAW)==0)
239 {
240 uint64 bytecount = td->td_stripbytecount[tile];
241- if ((int64)bytecount <= 0) {
242+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
243 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
244 TIFFErrorExt(tif->tif_clientdata, module,
245 "%I64u: Invalid tile byte count, tile %lu",
246@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
247 (bytecount - 4096) / 10 > (uint64)stripsize )
248 {
249 uint64 newbytecount = (uint64)stripsize * 10 + 4096;
250- if( (int64)newbytecount >= 0 )
251+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
252 {
253 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
254 TIFFWarningExt(tif->tif_clientdata, module,
255diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
256index 5b76fba5..2366acf0 100644
257--- a/libtiff/tif_strip.c
258+++ b/libtiff/tif_strip.c
259@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
260 {
261 static const char module[] = "TIFFVStripSize";
262 uint64 m;
263- tmsize_t n;
264 m=TIFFVStripSize64(tif,nrows);
265- n=(tmsize_t)m;
266- if ((uint64)n!=m)
267- {
268- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
269- n=0;
270- }
271- return(n);
272+ return _TIFFCastUInt64ToSSize(tif, m, module);
273 }
274
275 /*
276@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif)
277 {
278 static const char module[] = "TIFFStripSize";
279 uint64 m;
280- tmsize_t n;
281 m=TIFFStripSize64(tif);
282- n=(tmsize_t)m;
283- if ((uint64)n!=m)
284- {
285- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
286- n=0;
287- }
288- return(n);
289+ return _TIFFCastUInt64ToSSize(tif, m, module);
290 }
291
292 /*
293@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif)
294 {
295 static const char module[] = "TIFFScanlineSize";
296 uint64 m;
297- tmsize_t n;
298 m=TIFFScanlineSize64(tif);
299- n=(tmsize_t)m;
300- if ((uint64)n!=m) {
301- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
302- n=0;
303- }
304- return(n);
305+ return _TIFFCastUInt64ToSSize(tif, m, module);
306 }
307
308 /*
309@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif)
310 {
311 static const char module[] = "TIFFRasterScanlineSize";
312 uint64 m;
313- tmsize_t n;
314 m=TIFFRasterScanlineSize64(tif);
315- n=(tmsize_t)m;
316- if ((uint64)n!=m)
317- {
318- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
319- n=0;
320- }
321- return(n);
322+ return _TIFFCastUInt64ToSSize(tif, m, module);
323 }
324
325 /* vim: set ts=8 sts=8 sw=8 noet: */
326diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
327index 58fe9354..661cc771 100644
328--- a/libtiff/tif_tile.c
329+++ b/libtiff/tif_tile.c
330@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
331 {
332 static const char module[] = "TIFFTileRowSize";
333 uint64 m;
334- tmsize_t n;
335 m=TIFFTileRowSize64(tif);
336- n=(tmsize_t)m;
337- if ((uint64)n!=m)
338- {
339- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
340- n=0;
341- }
342- return(n);
343+ return _TIFFCastUInt64ToSSize(tif, m, module);
344 }
345
346 /*
347@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
348 {
349 static const char module[] = "TIFFVTileSize";
350 uint64 m;
351- tmsize_t n;
352 m=TIFFVTileSize64(tif,nrows);
353- n=(tmsize_t)m;
354- if ((uint64)n!=m)
355- {
356- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
357- n=0;
358- }
359- return(n);
360+ return _TIFFCastUInt64ToSSize(tif, m, module);
361 }
362
363 /*
364@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
365 {
366 static const char module[] = "TIFFTileSize";
367 uint64 m;
368- tmsize_t n;
369 m=TIFFTileSize64(tif);
370- n=(tmsize_t)m;
371- if ((uint64)n!=m)
372- {
373- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
374- n=0;
375- }
376- return(n);
377+ return _TIFFCastUInt64ToSSize(tif, m, module);
378 }
379
380 /*
381diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
382index 186c291f..558484fe 100644
383--- a/libtiff/tiffiop.h
384+++ b/libtiff/tiffiop.h
385@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
386 #define FALSE 0
387 #endif
388
389+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
390+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
391+
392 typedef struct client_info {
393 struct client_info *next;
394 void *data;
395@@ -258,7 +261,7 @@ struct tiff {
396 #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
397 #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
398
399-/* Safe multiply which returns zero if there is an integer overflow */
400+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
401 #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
402
403 #define TIFFmax(A,B) ((A)>(B)?(A):(B))
404@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
405
406 extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
407 extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
408+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
409+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
410 extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
411 extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
412
413--
4142.17.1
415
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
deleted file mode 100644
index 04c5410930..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
+++ /dev/null
@@ -1,103 +0,0 @@
1libtiff: fix CVE-2019-17546
2
3Added after 4.0.10 release.
4
5CVE: CVE-2019-17546
6Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff]
7Signed-off-by: Joe Slater <joe.slater@windriver.com>
8
9commit 4bb584a35f87af42d6cf09d15e9ce8909a839145
10Author: Even Rouault <even.rouault@spatialys.com>
11Date: Thu Aug 15 15:05:28 2019 +0200
12
13 RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
14
15diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
16index c88b5fa..4da785d 100644
17--- a/libtiff/tif_getimage.c
18+++ b/libtiff/tif_getimage.c
19@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
20 fromskew = (w < imagewidth ? imagewidth - w : 0);
21 for (row = 0; row < h; row += nrow)
22 {
23+ uint32 temp;
24 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
25 nrow = (row + rowstoread > h ? h - row : rowstoread);
26 nrowsub = nrow;
27 if ((nrowsub%subsamplingver)!=0)
28 nrowsub+=subsamplingver-nrowsub%subsamplingver;
29+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
30+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
31+ {
32+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
33+ return 0;
34+ }
35 if (_TIFFReadEncodedStripAndAllocBuffer(tif,
36 TIFFComputeStrip(tif,row+img->row_offset, 0),
37 (void**)(&buf),
38 maxstripsize,
39- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
40+ temp * scanline)==(tmsize_t)(-1)
41 && (buf == NULL || img->stoponerr))
42 {
43 ret = 0;
44@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
45 fromskew = (w < imagewidth ? imagewidth - w : 0);
46 for (row = 0; row < h; row += nrow)
47 {
48+ uint32 temp;
49 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
50 nrow = (row + rowstoread > h ? h - row : rowstoread);
51 offset_row = row + img->row_offset;
52+ temp = (row + img->row_offset)%rowsperstrip + nrow;
53+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
54+ {
55+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
56+ return 0;
57+ }
58 if( buf == NULL )
59 {
60 if (_TIFFReadEncodedStripAndAllocBuffer(
61 tif, TIFFComputeStrip(tif, offset_row, 0),
62 (void**) &buf, bufsize,
63- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
64+ temp * scanline)==(tmsize_t)(-1)
65 && (buf == NULL || img->stoponerr))
66 {
67 ret = 0;
68@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
69 }
70 }
71 else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
72- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
73+ p0, temp * scanline)==(tmsize_t)(-1)
74 && img->stoponerr)
75 {
76 ret = 0;
77@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
78 }
79 if (colorchannels > 1
80 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
81- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
82+ p1, temp * scanline) == (tmsize_t)(-1)
83 && img->stoponerr)
84 {
85 ret = 0;
86@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
87 }
88 if (colorchannels > 1
89 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
90- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
91+ p2, temp * scanline) == (tmsize_t)(-1)
92 && img->stoponerr)
93 {
94 ret = 0;
95@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
96 if (alpha)
97 {
98 if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
99- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
100+ pa, temp * scanline)==(tmsize_t)(-1)
101 && img->stoponerr)
102 {
103 ret = 0;
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
deleted file mode 100644
index 6f1fd4d447..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
+++ /dev/null
@@ -1,52 +0,0 @@
1CVE: CVE-2019-6128
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
6From: Scott Gayou <github.scott@gmail.com>
7Date: Wed, 23 Jan 2019 15:03:53 -0500
8Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
9
10pal2rgb failed to free memory on a few errors. This was reported
11here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
12---
13 tools/pal2rgb.c | 7 ++++++-
14 1 file changed, 6 insertions(+), 1 deletion(-)
15
16diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
17index 01d8502ec..9492f1cf1 100644
18--- a/tools/pal2rgb.c
19+++ b/tools/pal2rgb.c
20@@ -118,12 +118,14 @@ main(int argc, char* argv[])
21 shortv != PHOTOMETRIC_PALETTE) {
22 fprintf(stderr, "%s: Expecting a palette image.\n",
23 argv[optind]);
24+ (void) TIFFClose(in);
25 return (-1);
26 }
27 if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
28 fprintf(stderr,
29 "%s: No colormap (not a valid palette image).\n",
30 argv[optind]);
31+ (void) TIFFClose(in);
32 return (-1);
33 }
34 bitspersample = 0;
35@@ -131,11 +133,14 @@ main(int argc, char* argv[])
36 if (bitspersample != 8) {
37 fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
38 argv[optind]);
39+ (void) TIFFClose(in);
40 return (-1);
41 }
42 out = TIFFOpen(argv[optind+1], "w");
43- if (out == NULL)
44+ if (out == NULL) {
45+ (void) TIFFClose(in);
46 return (-2);
47+ }
48 cpTags(in, out);
49 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
50 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
51--
522.21.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
deleted file mode 100644
index f244fb2f32..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
+++ /dev/null
@@ -1,77 +0,0 @@
1CVE: CVE-2019-7663
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
6From: Thomas Bernard <miniupnp@free.fr>
7Date: Mon, 11 Feb 2019 10:05:33 +0100
8Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
9
10fixes bug 2833
11---
12 tools/tiffcp.c | 8 +++++++-
13 1 file changed, 7 insertions(+), 1 deletion(-)
14
15diff --git a/tools/tiffcp.c b/tools/tiffcp.c
16index 2f406e2d..f0ee2c02 100644
17--- a/tools/tiffcp.c
18+++ b/tools/tiffcp.c
19@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
20 int status = 1;
21 uint32 imagew = TIFFRasterScanlineSize(in);
22 uint32 tilew = TIFFTileRowSize(in);
23- int iskew = imagew - tilew*spp;
24+ int iskew;
25 tsize_t tilesize = TIFFTileSize(in);
26 tdata_t tilebuf;
27 uint8* bufp = (uint8*) buf;
28@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
29 uint32 row;
30 uint16 bps = 0, bytes_per_sample;
31
32+ if (spp > (0x7fffffff / tilew))
33+ {
34+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
35+ return 0;
36+ }
37+ iskew = imagew - tilew*spp;
38 tilebuf = _TIFFmalloc(tilesize);
39 if (tilebuf == 0)
40 return 0;
41--
422.20.1
43
44
45From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
46From: Thomas Bernard <miniupnp@free.fr>
47Date: Mon, 11 Feb 2019 21:42:03 +0100
48Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
49
50---
51 tools/tiffcp.c | 3 ++-
52 1 file changed, 2 insertions(+), 1 deletion(-)
53
54diff --git a/tools/tiffcp.c b/tools/tiffcp.c
55index f0ee2c02..8c81aa4f 100644
56--- a/tools/tiffcp.c
57+++ b/tools/tiffcp.c
58@@ -41,6 +41,7 @@
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62+#include <limits.h>
63
64 #include <ctype.h>
65
66@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
67 uint32 row;
68 uint16 bps = 0, bytes_per_sample;
69
70- if (spp > (0x7fffffff / tilew))
71+ if (spp > (INT_MAX / tilew))
72 {
73 TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
74 return 0;
75--
762.20.1
77
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 5c008c53fe..1f92c18513 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -5,13 +5,9 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
5CVE_PRODUCT = "libtiff" 5CVE_PRODUCT = "libtiff"
6 6
7SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ 7SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
8 file://CVE-2019-6128.patch \ 8 "
9 file://CVE-2019-7663.patch \ 9SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
10 file://CVE-2019-14973.patch \ 10SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
11 file://CVE-2019-17546.patch \
12"
13SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
14SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
15 11
16# exclude betas 12# exclude betas
17UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" 13UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"