diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2018-11-22 16:41:25 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-11-23 23:35:18 +0000 |
commit | 691e3069941db750261a85ed8c7f8a506bbe9b3e (patch) | |
tree | 88df05bf89ed2e9ee1d565bf4cb64cd25321cd87 /meta | |
parent | 71c0092d16c97fcd5869dc85714ca56fab173ed2 (diff) | |
download | poky-691e3069941db750261a85ed8c7f8a506bbe9b3e.tar.gz |
tiff: update to 4.0.10
(From OE-Core rev: 92a2e6dc73085ccb5482986c6b61d40992fb4f50)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch | 46 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch | 42 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch | 160 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch | 39 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch | 135 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch | 178 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch | 61 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/libtool2.patch | 19 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.10.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.0.9.bb) | 15 |
9 files changed, 16 insertions, 679 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch deleted file mode 100644 index 9b9962ed35..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nathan Baker <elitebadger@gmail.com> | ||
3 | Date: Thu, 25 Jan 2018 21:28:15 +0000 | ||
4 | Subject: [PATCH] Add workaround to pal2rgb buffer overflow. | ||
5 | |||
6 | CVE: CVE-2017-17095 | ||
7 | |||
8 | Upstream-Status: Backport (unchanged) [gitlab.com/libtiff/libtiff/commit/9171da5...] | ||
9 | |||
10 | Signed-off-by: Joe Slater <joe.slater@windriver.com. | ||
11 | |||
12 | --- | ||
13 | tools/pal2rgb.c | 17 +++++++++++++++-- | ||
14 | 1 file changed, 15 insertions(+), 2 deletions(-) | ||
15 | |||
16 | diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c | ||
17 | index 0423598..01fcf94 100644 | ||
18 | --- a/tools/pal2rgb.c | ||
19 | +++ b/tools/pal2rgb.c | ||
20 | @@ -182,8 +182,21 @@ main(int argc, char* argv[]) | ||
21 | { unsigned char *ibuf, *obuf; | ||
22 | register unsigned char* pp; | ||
23 | register uint32 x; | ||
24 | - ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); | ||
25 | - obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); | ||
26 | + tmsize_t tss_in = TIFFScanlineSize(in); | ||
27 | + tmsize_t tss_out = TIFFScanlineSize(out); | ||
28 | + if (tss_out / tss_in < 3) { | ||
29 | + /* | ||
30 | + * BUG 2750: The following code does not know about chroma | ||
31 | + * subsampling of JPEG data. It assumes that the output buffer is 3x | ||
32 | + * the length of the input buffer due to exploding the palette into | ||
33 | + * RGB tuples. If this assumption is incorrect, it could lead to a | ||
34 | + * buffer overflow. Go ahead and fail now to prevent that. | ||
35 | + */ | ||
36 | + fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); | ||
37 | + return -1; | ||
38 | + } | ||
39 | + ibuf = (unsigned char*)_TIFFmalloc(tss_in); | ||
40 | + obuf = (unsigned char*)_TIFFmalloc(tss_out); | ||
41 | switch (config) { | ||
42 | case PLANARCONFIG_CONTIG: | ||
43 | for (row = 0; row < imagelength; row++) { | ||
44 | -- | ||
45 | 1.7.9.5 | ||
46 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch deleted file mode 100644 index 878e0de959..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch +++ /dev/null | |||
@@ -1,42 +0,0 @@ | |||
1 | From 293c8b0298e91d20ba51291e2351ab7d110671d0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sun, 31 Dec 2017 15:09:41 +0100 | ||
4 | Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer | ||
5 | dereference on corrupted file. Fixes | ||
6 | http://bugzilla.maptools.org/show_bug.cgi?id=2770 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | [https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01] | ||
10 | |||
11 | CVE: CVE-2017-18013 | ||
12 | |||
13 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
14 | --- | ||
15 | libtiff/tif_print.c | 8 ++++---- | ||
16 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
17 | |||
18 | diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c | ||
19 | index 24d4b98..f494cfb 100644 | ||
20 | --- a/libtiff/tif_print.c | ||
21 | +++ b/libtiff/tif_print.c | ||
22 | @@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) | ||
23 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
24 | fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", | ||
25 | (unsigned long) s, | ||
26 | - (unsigned __int64) td->td_stripoffset[s], | ||
27 | - (unsigned __int64) td->td_stripbytecount[s]); | ||
28 | + td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, | ||
29 | + td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); | ||
30 | #else | ||
31 | fprintf(fd, " %3lu: [%8llu, %8llu]\n", | ||
32 | (unsigned long) s, | ||
33 | - (unsigned long long) td->td_stripoffset[s], | ||
34 | - (unsigned long long) td->td_stripbytecount[s]); | ||
35 | + td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, | ||
36 | + td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); | ||
37 | #endif | ||
38 | } | ||
39 | } | ||
40 | -- | ||
41 | 2.7.4 | ||
42 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch deleted file mode 100644 index 60684dd2a6..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch +++ /dev/null | |||
@@ -1,160 +0,0 @@ | |||
1 | From abb0055d21c52a9925314d5b0628fb2b6307619c Mon Sep 17 00:00:00 2001 | ||
2 | From: Brian May <brian@linuxpenguins.xyz> | ||
3 | Date: Thu, 7 Dec 2017 07:46:47 +1100 | ||
4 | Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 | ||
5 | |||
6 | Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 | ||
7 | |||
8 | This vulnerability - at least for the supplied test case - is because we | ||
9 | assume that a tiff will only have one transfer function that is the same | ||
10 | for all pages. This is not required by the TIFF standards. | ||
11 | |||
12 | We than read the transfer function for every page. Depending on the | ||
13 | transfer function, we allocate either 2 or 4 bytes to the XREF buffer. | ||
14 | We allocate this memory after we read in the transfer function for the | ||
15 | page. | ||
16 | |||
17 | For the first exploit - POC1, this file has 3 pages. For the first page | ||
18 | we allocate 2 extra extra XREF entries. Then for the next page 2 more | ||
19 | entries. Then for the last page the transfer function changes and we | ||
20 | allocate 4 more entries. | ||
21 | |||
22 | When we read the file into memory, we assume we have 4 bytes extra for | ||
23 | each and every page (as per the last transfer function we read). Which | ||
24 | is not correct, we only have 2 bytes extra for the first 2 pages. As a | ||
25 | result, we end up writing past the end of the buffer. | ||
26 | |||
27 | There are also some related issues that this also fixes. For example, | ||
28 | TIFFGetField can return uninitalized pointer values, and the logic to | ||
29 | detect a N=3 vs N=1 transfer function seemed rather strange. | ||
30 | |||
31 | It is also strange that we declare the transfer functions to be of type | ||
32 | float, when the standard says they are unsigned 16 bit values. This is | ||
33 | fixed in another patch. | ||
34 | |||
35 | This patch will check to ensure that the N value for every transfer | ||
36 | function is the same for every page. If this changes, we abort with an | ||
37 | error. In theory, we should perhaps check that the transfer function | ||
38 | itself is identical for every page, however we don't do that due to the | ||
39 | confusion of the type of the data in the transfer function. | ||
40 | |||
41 | Upstream-Status: Backport | ||
42 | [https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940] | ||
43 | |||
44 | CVE: CVE-2017-9935 | ||
45 | |||
46 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
47 | --- | ||
48 | libtiff/tif_dir.c | 3 +++ | ||
49 | tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------ | ||
50 | 2 files changed, 47 insertions(+), 21 deletions(-) | ||
51 | |||
52 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
53 | index f00f808..c36a5f3 100644 | ||
54 | --- a/libtiff/tif_dir.c | ||
55 | +++ b/libtiff/tif_dir.c | ||
56 | @@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) | ||
57 | if (td->td_samplesperpixel - td->td_extrasamples > 1) { | ||
58 | *va_arg(ap, uint16**) = td->td_transferfunction[1]; | ||
59 | *va_arg(ap, uint16**) = td->td_transferfunction[2]; | ||
60 | + } else { | ||
61 | + *va_arg(ap, uint16**) = NULL; | ||
62 | + *va_arg(ap, uint16**) = NULL; | ||
63 | } | ||
64 | break; | ||
65 | case TIFFTAG_REFERENCEBLACKWHITE: | ||
66 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
67 | index 454befb..0b5973e 100644 | ||
68 | --- a/tools/tiff2pdf.c | ||
69 | +++ b/tools/tiff2pdf.c | ||
70 | @@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
71 | uint16 pagen=0; | ||
72 | uint16 paged=0; | ||
73 | uint16 xuint16=0; | ||
74 | + uint16 tiff_transferfunctioncount=0; | ||
75 | + float* tiff_transferfunction[3]; | ||
76 | |||
77 | directorycount=TIFFNumberOfDirectories(input); | ||
78 | t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); | ||
79 | @@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
80 | } | ||
81 | #endif | ||
82 | if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, | ||
83 | - &(t2p->tiff_transferfunction[0]), | ||
84 | - &(t2p->tiff_transferfunction[1]), | ||
85 | - &(t2p->tiff_transferfunction[2]))) { | ||
86 | - if((t2p->tiff_transferfunction[1] != (float*) NULL) && | ||
87 | - (t2p->tiff_transferfunction[2] != (float*) NULL) && | ||
88 | - (t2p->tiff_transferfunction[1] != | ||
89 | - t2p->tiff_transferfunction[0])) { | ||
90 | - t2p->tiff_transferfunctioncount = 3; | ||
91 | - t2p->tiff_pages[i].page_extra += 4; | ||
92 | - t2p->pdf_xrefcount += 4; | ||
93 | - } else { | ||
94 | - t2p->tiff_transferfunctioncount = 1; | ||
95 | - t2p->tiff_pages[i].page_extra += 2; | ||
96 | - t2p->pdf_xrefcount += 2; | ||
97 | - } | ||
98 | - if(t2p->pdf_minorversion < 2) | ||
99 | - t2p->pdf_minorversion = 2; | ||
100 | + &(tiff_transferfunction[0]), | ||
101 | + &(tiff_transferfunction[1]), | ||
102 | + &(tiff_transferfunction[2]))) { | ||
103 | + | ||
104 | + if((tiff_transferfunction[1] != (float*) NULL) && | ||
105 | + (tiff_transferfunction[2] != (float*) NULL) | ||
106 | + ) { | ||
107 | + tiff_transferfunctioncount=3; | ||
108 | + } else { | ||
109 | + tiff_transferfunctioncount=1; | ||
110 | + } | ||
111 | } else { | ||
112 | - t2p->tiff_transferfunctioncount=0; | ||
113 | + tiff_transferfunctioncount=0; | ||
114 | } | ||
115 | + | ||
116 | + if (i > 0){ | ||
117 | + if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ | ||
118 | + TIFFError( | ||
119 | + TIFF2PDF_MODULE, | ||
120 | + "Different transfer function on page %d", | ||
121 | + i); | ||
122 | + t2p->t2p_error = T2P_ERR_ERROR; | ||
123 | + return; | ||
124 | + } | ||
125 | + } | ||
126 | + | ||
127 | + t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; | ||
128 | + t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; | ||
129 | + t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; | ||
130 | + t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; | ||
131 | + if(tiff_transferfunctioncount == 3){ | ||
132 | + t2p->tiff_pages[i].page_extra += 4; | ||
133 | + t2p->pdf_xrefcount += 4; | ||
134 | + if(t2p->pdf_minorversion < 2) | ||
135 | + t2p->pdf_minorversion = 2; | ||
136 | + } else if (tiff_transferfunctioncount == 1){ | ||
137 | + t2p->tiff_pages[i].page_extra += 2; | ||
138 | + t2p->pdf_xrefcount += 2; | ||
139 | + if(t2p->pdf_minorversion < 2) | ||
140 | + t2p->pdf_minorversion = 2; | ||
141 | + } | ||
142 | + | ||
143 | if( TIFFGetField( | ||
144 | input, | ||
145 | TIFFTAG_ICCPROFILE, | ||
146 | @@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ | ||
147 | &(t2p->tiff_transferfunction[1]), | ||
148 | &(t2p->tiff_transferfunction[2]))) { | ||
149 | if((t2p->tiff_transferfunction[1] != (float*) NULL) && | ||
150 | - (t2p->tiff_transferfunction[2] != (float*) NULL) && | ||
151 | - (t2p->tiff_transferfunction[1] != | ||
152 | - t2p->tiff_transferfunction[0])) { | ||
153 | + (t2p->tiff_transferfunction[2] != (float*) NULL) | ||
154 | + ) { | ||
155 | t2p->tiff_transferfunctioncount=3; | ||
156 | } else { | ||
157 | t2p->tiff_transferfunctioncount=1; | ||
158 | -- | ||
159 | 2.7.4 | ||
160 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch deleted file mode 100644 index 7252298b52..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 12 May 2018 14:24:15 +0200 | ||
4 | Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes | ||
5 | http://bugzilla.maptools.org/show_bug.cgi?id=2795. | ||
6 | CVE-2018-10963 | ||
7 | |||
8 | --- | ||
9 | CVE: CVE-2018-10963 | ||
10 | |||
11 | Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/de144f...] | ||
12 | |||
13 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
14 | |||
15 | --- | ||
16 | libtiff/tif_dirwrite.c | 7 +++++-- | ||
17 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
18 | |||
19 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
20 | index 2430de6..c15a28d 100644 | ||
21 | --- a/libtiff/tif_dirwrite.c | ||
22 | +++ b/libtiff/tif_dirwrite.c | ||
23 | @@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) | ||
24 | } | ||
25 | break; | ||
26 | default: | ||
27 | - assert(0); /* we should never get here */ | ||
28 | - break; | ||
29 | + TIFFErrorExt(tif->tif_clientdata,module, | ||
30 | + "Cannot write tag %d (%s)", | ||
31 | + TIFFFieldTag(o), | ||
32 | + o->field_name ? o->field_name : "unknown"); | ||
33 | + goto bad; | ||
34 | } | ||
35 | } | ||
36 | } | ||
37 | -- | ||
38 | 1.7.9.5 | ||
39 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch deleted file mode 100644 index 406001d579..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch +++ /dev/null | |||
@@ -1,135 +0,0 @@ | |||
1 | From 6cdea15213be6b67d9f8380c7bb40e325d3adace Mon Sep 17 00:00:00 2001 | ||
2 | From: Nathan Baker <nathanb@lenovo-chrome.com> | ||
3 | Date: Tue, 6 Feb 2018 10:13:57 -0500 | ||
4 | Subject: [PATCH] Fix for bug 2772 | ||
5 | |||
6 | It is possible to craft a TIFF document where the IFD list is circular, | ||
7 | leading to an infinite loop while traversing the chain. The libtiff | ||
8 | directory reader has a failsafe that will break out of this loop after | ||
9 | reading 65535 directory entries, but it will continue processing, | ||
10 | consuming time and resources to process what is essentially a bogus TIFF | ||
11 | document. | ||
12 | |||
13 | This change fixes the above behavior by breaking out of processing when | ||
14 | a TIFF document has >= 65535 directories and terminating with an error. | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | [https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef] | ||
18 | |||
19 | CVE: CVE-2018-5784 | ||
20 | |||
21 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
22 | --- | ||
23 | contrib/addtiffo/tif_overview.c | 14 +++++++++++++- | ||
24 | tools/tiff2pdf.c | 10 ++++++++++ | ||
25 | tools/tiffcrop.c | 13 +++++++++++-- | ||
26 | 3 files changed, 34 insertions(+), 3 deletions(-) | ||
27 | |||
28 | diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c | ||
29 | index c61ffbb..03b3573 100644 | ||
30 | --- a/contrib/addtiffo/tif_overview.c | ||
31 | +++ b/contrib/addtiffo/tif_overview.c | ||
32 | @@ -65,6 +65,8 @@ | ||
33 | # define MAX(a,b) ((a>b) ? a : b) | ||
34 | #endif | ||
35 | |||
36 | +#define TIFF_DIR_MAX 65534 | ||
37 | + | ||
38 | void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, | ||
39 | int (*)(double,void*), void * ); | ||
40 | |||
41 | @@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, | ||
42 | { | ||
43 | toff_t nBaseDirOffset; | ||
44 | toff_t nOffset; | ||
45 | + tdir_t iNumDir; | ||
46 | |||
47 | (void) bUseSubIFDs; | ||
48 | |||
49 | @@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, | ||
50 | return 0; | ||
51 | |||
52 | TIFFWriteDirectory( hTIFF ); | ||
53 | - TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); | ||
54 | + iNumDir = TIFFNumberOfDirectories(hTIFF); | ||
55 | + if( iNumDir > TIFF_DIR_MAX ) | ||
56 | + { | ||
57 | + TIFFErrorExt( TIFFClientdata(hTIFF), | ||
58 | + "TIFF_WriteOverview", | ||
59 | + "File `%s' has too many directories.\n", | ||
60 | + TIFFFileName(hTIFF) ); | ||
61 | + exit(-1); | ||
62 | + } | ||
63 | + TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); | ||
64 | |||
65 | nOffset = TIFFCurrentDirOffset( hTIFF ); | ||
66 | |||
67 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
68 | index 0b5973e..ef5d6a0 100644 | ||
69 | --- a/tools/tiff2pdf.c | ||
70 | +++ b/tools/tiff2pdf.c | ||
71 | @@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); | ||
72 | |||
73 | #define PS_UNIT_SIZE 72.0F | ||
74 | |||
75 | +#define TIFF_DIR_MAX 65534 | ||
76 | + | ||
77 | /* This type is of PDF color spaces. */ | ||
78 | typedef enum { | ||
79 | T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ | ||
80 | @@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
81 | float* tiff_transferfunction[3]; | ||
82 | |||
83 | directorycount=TIFFNumberOfDirectories(input); | ||
84 | + if(directorycount > TIFF_DIR_MAX) { | ||
85 | + TIFFError( | ||
86 | + TIFF2PDF_MODULE, | ||
87 | + "TIFF contains too many directories, %s", | ||
88 | + TIFFFileName(input)); | ||
89 | + t2p->t2p_error = T2P_ERR_ERROR; | ||
90 | + return; | ||
91 | + } | ||
92 | t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); | ||
93 | if(t2p->tiff_pages==NULL){ | ||
94 | TIFFError( | ||
95 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
96 | index c69177e..c60cb38 100644 | ||
97 | --- a/tools/tiffcrop.c | ||
98 | +++ b/tools/tiffcrop.c | ||
99 | @@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); | ||
100 | #define DUMP_TEXT 1 | ||
101 | #define DUMP_RAW 2 | ||
102 | |||
103 | +#define TIFF_DIR_MAX 65534 | ||
104 | + | ||
105 | /* Offsets into buffer for margins and fixed width and length segments */ | ||
106 | struct offset { | ||
107 | uint32 tmargin; | ||
108 | @@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) | ||
109 | pageNum = -1; | ||
110 | else | ||
111 | total_images = 0; | ||
112 | - /* read multiple input files and write to output file(s) */ | ||
113 | + /* Read multiple input files and write to output file(s) */ | ||
114 | while (optind < argc - 1) | ||
115 | { | ||
116 | in = TIFFOpen (argv[optind], "r"); | ||
117 | @@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) | ||
118 | return (-3); | ||
119 | |||
120 | /* If only one input file is specified, we can use directory count */ | ||
121 | - total_images = TIFFNumberOfDirectories(in); | ||
122 | + total_images = TIFFNumberOfDirectories(in); | ||
123 | + if (total_images > TIFF_DIR_MAX) | ||
124 | + { | ||
125 | + TIFFError (TIFFFileName(in), "File contains too many directories"); | ||
126 | + if (out != NULL) | ||
127 | + (void) TIFFClose(out); | ||
128 | + return (1); | ||
129 | + } | ||
130 | if (image_count == 0) | ||
131 | { | ||
132 | dirnum = 0; | ||
133 | -- | ||
134 | 2.7.4 | ||
135 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch deleted file mode 100644 index 2c11f93d13..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch +++ /dev/null | |||
@@ -1,178 +0,0 @@ | |||
1 | From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001 | ||
2 | From: Hugo Lefeuvre <hle@debian.org> | ||
3 | Date: Sun, 8 Apr 2018 14:07:08 -0400 | ||
4 | Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory | ||
5 | |||
6 | The TIFFPrintDirectory function relies on the following assumptions, | ||
7 | supposed to be guaranteed by the specification: | ||
8 | |||
9 | (a) A Transfer Function field is only present if the TIFF file has | ||
10 | photometric type < 3. | ||
11 | |||
12 | (b) If SamplesPerPixel > Color Channels, then the ExtraSamples field | ||
13 | has count SamplesPerPixel - (Color Channels) and contains | ||
14 | information about supplementary channels. | ||
15 | |||
16 | While respect of (a) and (b) are essential for the well functioning of | ||
17 | TIFFPrintDirectory, no checks are realized neither by the callee nor | ||
18 | by TIFFPrintDirectory itself. Hence, following scenarios might happen | ||
19 | and trigger the NULL pointer dereference: | ||
20 | |||
21 | (1) TIFF File of photometric type 4 or more has illegal Transfer | ||
22 | Function field. | ||
23 | |||
24 | (2) TIFF File has photometric type 3 or less and defines a | ||
25 | SamplesPerPixel field such that SamplesPerPixel > Color Channels | ||
26 | without defining all extra samples in the ExtraSamples fields. | ||
27 | |||
28 | In this patch, we address both issues with respect of the following | ||
29 | principles: | ||
30 | |||
31 | (A) In the case of (1), the defined transfer table should be printed | ||
32 | safely even if it isn't 'legal'. This allows us to avoid expensive | ||
33 | checks in TIFFPrintDirectory. Also, it is quite possible that | ||
34 | an alternative photometric type would be developed (not part of the | ||
35 | standard) and would allow definition of Transfer Table. We want | ||
36 | libtiff to be able to handle this scenario out of the box. | ||
37 | |||
38 | (B) In the case of (2), the transfer table should be printed at its | ||
39 | right size, that is if TIFF file has photometric type Palette | ||
40 | then the transfer table should have one row and not three, even | ||
41 | if two extra samples are declared. | ||
42 | |||
43 | In order to fulfill (A) we simply add a new 'i < 3' end condition to | ||
44 | the broken TIFFPrintDirectory loop. This makes sure that in any case | ||
45 | where (b) would be respected but not (a), everything stays fine. | ||
46 | |||
47 | (B) is fulfilled by the loop condition | ||
48 | 'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as | ||
49 | long as (b) is respected. | ||
50 | |||
51 | Naturally, we also make sure (b) is respected. This is done in the | ||
52 | TIFFReadDirectory function by making sure any non-color channel is | ||
53 | counted in ExtraSamples. | ||
54 | |||
55 | This commit addresses CVE-2018-7456. | ||
56 | |||
57 | --- | ||
58 | CVE: CVE-2018-7456 | ||
59 | |||
60 | Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/be4c85b...] | ||
61 | |||
62 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
63 | |||
64 | --- | ||
65 | libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ | ||
66 | libtiff/tif_print.c | 2 +- | ||
67 | 2 files changed, 63 insertions(+), 1 deletion(-) | ||
68 | |||
69 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
70 | index 6baa7b3..af5b84a 100644 | ||
71 | --- a/libtiff/tif_dirread.c | ||
72 | +++ b/libtiff/tif_dirread.c | ||
73 | @@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin | ||
74 | static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); | ||
75 | static void ChopUpSingleUncompressedStrip(TIFF*); | ||
76 | static uint64 TIFFReadUInt64(const uint8 *value); | ||
77 | +static int _TIFFGetMaxColorChannels(uint16 photometric); | ||
78 | |||
79 | static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); | ||
80 | |||
81 | @@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c | ||
82 | } | ||
83 | |||
84 | /* | ||
85 | + * Return the maximum number of color channels specified for a given photometric | ||
86 | + * type. 0 is returned if photometric type isn't supported or no default value | ||
87 | + * is defined by the specification. | ||
88 | + */ | ||
89 | +static int _TIFFGetMaxColorChannels( uint16 photometric ) | ||
90 | +{ | ||
91 | + switch (photometric) { | ||
92 | + case PHOTOMETRIC_PALETTE: | ||
93 | + case PHOTOMETRIC_MINISWHITE: | ||
94 | + case PHOTOMETRIC_MINISBLACK: | ||
95 | + return 1; | ||
96 | + case PHOTOMETRIC_YCBCR: | ||
97 | + case PHOTOMETRIC_RGB: | ||
98 | + case PHOTOMETRIC_CIELAB: | ||
99 | + return 3; | ||
100 | + case PHOTOMETRIC_SEPARATED: | ||
101 | + case PHOTOMETRIC_MASK: | ||
102 | + return 4; | ||
103 | + case PHOTOMETRIC_LOGL: | ||
104 | + case PHOTOMETRIC_LOGLUV: | ||
105 | + case PHOTOMETRIC_CFA: | ||
106 | + case PHOTOMETRIC_ITULAB: | ||
107 | + case PHOTOMETRIC_ICCLAB: | ||
108 | + default: | ||
109 | + return 0; | ||
110 | + } | ||
111 | +} | ||
112 | + | ||
113 | +/* | ||
114 | * Read the next TIFF directory from a file and convert it to the internal | ||
115 | * format. We read directories sequentially. | ||
116 | */ | ||
117 | @@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif) | ||
118 | uint32 fii=FAILED_FII; | ||
119 | toff_t nextdiroff; | ||
120 | int bitspersample_read = FALSE; | ||
121 | + int color_channels; | ||
122 | |||
123 | tif->tif_diroff=tif->tif_nextdiroff; | ||
124 | if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) | ||
125 | @@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif) | ||
126 | } | ||
127 | } | ||
128 | } | ||
129 | + | ||
130 | + /* | ||
131 | + * Make sure all non-color channels are extrasamples. | ||
132 | + * If it's not the case, define them as such. | ||
133 | + */ | ||
134 | + color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); | ||
135 | + if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { | ||
136 | + uint16 old_extrasamples; | ||
137 | + uint16 *new_sampleinfo; | ||
138 | + | ||
139 | + TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " | ||
140 | + "color channels and ExtraSamples doesn't match SamplesPerPixel. " | ||
141 | + "Defining non-color channels as ExtraSamples."); | ||
142 | + | ||
143 | + old_extrasamples = tif->tif_dir.td_extrasamples; | ||
144 | + tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); | ||
145 | + | ||
146 | + // sampleinfo should contain information relative to these new extra samples | ||
147 | + new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); | ||
148 | + if (!new_sampleinfo) { | ||
149 | + TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " | ||
150 | + "temporary new sampleinfo array (%d 16 bit elements)", | ||
151 | + tif->tif_dir.td_extrasamples); | ||
152 | + goto bad; | ||
153 | + } | ||
154 | + | ||
155 | + memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); | ||
156 | + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); | ||
157 | + _TIFFfree(new_sampleinfo); | ||
158 | + } | ||
159 | + | ||
160 | /* | ||
161 | * Verify Palette image has a Colormap. | ||
162 | */ | ||
163 | diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c | ||
164 | index 8deceb2..1d86adb 100644 | ||
165 | --- a/libtiff/tif_print.c | ||
166 | +++ b/libtiff/tif_print.c | ||
167 | @@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) | ||
168 | uint16 i; | ||
169 | fprintf(fd, " %2ld: %5u", | ||
170 | l, td->td_transferfunction[0][l]); | ||
171 | - for (i = 1; i < td->td_samplesperpixel; i++) | ||
172 | + for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) | ||
173 | fprintf(fd, " %5u", | ||
174 | td->td_transferfunction[i][l]); | ||
175 | fputc('\n', fd); | ||
176 | -- | ||
177 | 1.7.9.5 | ||
178 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch deleted file mode 100644 index 962646dbe0..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch +++ /dev/null | |||
@@ -1,61 +0,0 @@ | |||
1 | From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 12 May 2018 15:32:31 +0200 | ||
4 | Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. | ||
5 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / | ||
6 | CVE-2018-8905 | ||
7 | |||
8 | The fix consists in using the similar code LZWDecode() to validate we | ||
9 | don't write outside of the output buffer. | ||
10 | |||
11 | --- | ||
12 | CVE: CVE-2018-8905 | ||
13 | |||
14 | Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/58a898...] | ||
15 | |||
16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
17 | |||
18 | --- | ||
19 | libtiff/tif_lzw.c | 18 ++++++++++++------ | ||
20 | 1 file changed, 12 insertions(+), 6 deletions(-) | ||
21 | |||
22 | diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c | ||
23 | index 4ccb443..94d85e3 100644 | ||
24 | --- a/libtiff/tif_lzw.c | ||
25 | +++ b/libtiff/tif_lzw.c | ||
26 | @@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) | ||
27 | char *tp; | ||
28 | unsigned char *bp; | ||
29 | int code, nbits; | ||
30 | + int len; | ||
31 | long nextbits, nextdata, nbitsmask; | ||
32 | code_t *codep, *free_entp, *maxcodep, *oldcodep; | ||
33 | |||
34 | @@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) | ||
35 | } while (--occ); | ||
36 | break; | ||
37 | } | ||
38 | - assert(occ >= codep->length); | ||
39 | - op += codep->length; | ||
40 | - occ -= codep->length; | ||
41 | - tp = op; | ||
42 | + len = codep->length; | ||
43 | + tp = op + len; | ||
44 | do { | ||
45 | - *--tp = codep->value; | ||
46 | - } while( (codep = codep->next) != NULL ); | ||
47 | + int t; | ||
48 | + --tp; | ||
49 | + t = codep->value; | ||
50 | + codep = codep->next; | ||
51 | + *tp = (char)t; | ||
52 | + } while (codep && tp > op); | ||
53 | + assert(occ >= len); | ||
54 | + op += len; | ||
55 | + occ -= len; | ||
56 | } else { | ||
57 | *op++ = (char)code; | ||
58 | occ--; | ||
59 | -- | ||
60 | 1.7.9.5 | ||
61 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/libtool2.patch b/meta/recipes-multimedia/libtiff/files/libtool2.patch index a84c688962..96233b46c9 100644 --- a/meta/recipes-multimedia/libtiff/files/libtool2.patch +++ b/meta/recipes-multimedia/libtiff/files/libtool2.patch | |||
@@ -1,16 +1,21 @@ | |||
1 | From 5b893206e0a0d529ba2d0caf58cfffc03bccb598 Mon Sep 17 00:00:00 2001 | ||
2 | From: Marcin Juszkiewicz <hrw@openedhand.com> | ||
3 | Date: Sat, 14 Jun 2008 13:42:22 +0000 | ||
4 | Subject: [PATCH] tiff: make it work after libtool upgrade | ||
5 | |||
1 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
2 | 7 | ||
3 | --- | 8 | --- |
4 | configure.ac | 2 +- | 9 | configure.ac | 2 +- |
5 | 1 file changed, 1 insertion(+), 1 deletion(-) | 10 | 1 file changed, 1 insertion(+), 1 deletion(-) |
6 | 11 | ||
7 | Index: tiff-4.0.9/configure.ac | 12 | diff --git a/configure.ac b/configure.ac |
8 | =================================================================== | 13 | index c7b02e2..ae1c964 100644 |
9 | --- tiff-4.0.9.orig/configure.ac | 14 | --- a/configure.ac |
10 | +++ tiff-4.0.9/configure.ac | 15 | +++ b/configure.ac |
11 | @@ -27,7 +27,7 @@ dnl Process this file with autoconf to p | 16 | @@ -27,7 +27,7 @@ dnl Process this file with autoconf to produce a configure script. |
12 | AC_PREREQ(2.64) | 17 | AC_PREREQ(2.64) |
13 | AC_INIT([LibTIFF Software],[4.0.9],[tiff@lists.maptools.org],[tiff]) | 18 | AC_INIT([LibTIFF Software],[4.0.10],[tiff@lists.maptools.org],[tiff]) |
14 | AC_CONFIG_AUX_DIR(config) | 19 | AC_CONFIG_AUX_DIR(config) |
15 | -AC_CONFIG_MACRO_DIR(m4) | 20 | -AC_CONFIG_MACRO_DIR(m4) |
16 | +dnl AC_CONFIG_MACRO_DIR(m4) | 21 | +dnl AC_CONFIG_MACRO_DIR(m4) |
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index 93beddb4da..152fa819a5 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | |||
@@ -6,17 +6,10 @@ CVE_PRODUCT = "libtiff" | |||
6 | 6 | ||
7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ |
8 | file://libtool2.patch \ | 8 | file://libtool2.patch \ |
9 | file://CVE-2017-9935.patch \ | 9 | " |
10 | file://CVE-2017-18013.patch \ | 10 | |
11 | file://CVE-2018-5784.patch \ | 11 | SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" |
12 | file://CVE-2018-10963.patch \ | 12 | SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" |
13 | file://CVE-2018-8905.patch \ | ||
14 | file://CVE-2018-7456.patch \ | ||
15 | file://CVE-2017-17095.patch \ | ||
16 | " | ||
17 | |||
18 | SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" | ||
19 | SRC_URI[sha256sum] = "6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd" | ||
20 | 13 | ||
21 | # exclude betas | 14 | # exclude betas |
22 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" | 15 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |