diff options
author | Armin Kuster <akuster@mvista.com> | 2016-01-29 17:39:36 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-01-30 12:13:09 +0000 |
commit | c6ae9c1fae18b7efbc028f04315690fd3544ee49 (patch) | |
tree | 1343302473c599a140e853da3f849e43a939e4bf /meta | |
parent | 049b7db30c51c25006f914cdb502982d733e0bb1 (diff) | |
download | poky-c6ae9c1fae18b7efbc028f04315690fd3544ee49.tar.gz |
tiff: Security fix CVE-2015-8781
CVE-2015-8781 libtiff: out-of-bounds writes for invalid images
(From OE-Core rev: 29c80024bdb67477dae47d8fb903feda2efe75d4)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch | 196 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.4.bb | 1 |
2 files changed, 197 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch new file mode 100644 index 0000000000..bdbe69695c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch | |||
@@ -0,0 +1,196 @@ | |||
1 | From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Sun, 27 Dec 2015 16:25:11 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in | ||
5 | decode functions in non debug builds by replacing assert()s by regular if | ||
6 | checks (bugzilla #2522). Fix potential out-of-bound reads in case of short | ||
7 | input data. | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 | ||
12 | hand applied Changelog changes | ||
13 | |||
14 | CVE: CVE-2015-8781 | ||
15 | |||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | --- | ||
18 | ChangeLog | 7 +++++++ | ||
19 | libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- | ||
20 | 2 files changed, 51 insertions(+), 11 deletions(-) | ||
21 | |||
22 | Index: tiff-4.0.4/ChangeLog | ||
23 | =================================================================== | ||
24 | --- tiff-4.0.4.orig/ChangeLog | ||
25 | +++ tiff-4.0.4/ChangeLog | ||
26 | @@ -1,3 +1,11 @@ | ||
27 | +2015-12-27 Even Rouault <even.rouault at spatialys.com> | ||
28 | + | ||
29 | + * libtiff/tif_luv.c: fix potential out-of-bound writes in decode | ||
30 | + functions in non debug builds by replacing assert()s by regular if | ||
31 | + checks (bugzilla #2522). | ||
32 | + Fix potential out-of-bound reads in case of short input data. | ||
33 | + | ||
34 | + | ||
35 | 2015-06-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | ||
36 | |||
37 | * libtiff 4.0.4 released. | ||
38 | Index: tiff-4.0.4/libtiff/tif_luv.c | ||
39 | =================================================================== | ||
40 | --- tiff-4.0.4.orig/libtiff/tif_luv.c | ||
41 | +++ tiff-4.0.4/libtiff/tif_luv.c | ||
42 | @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
43 | if (sp->user_datafmt == SGILOGDATAFMT_16BIT) | ||
44 | tp = (int16*) op; | ||
45 | else { | ||
46 | - assert(sp->tbuflen >= npixels); | ||
47 | + if(sp->tbuflen < npixels) { | ||
48 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
49 | + "Translation buffer too short"); | ||
50 | + return (0); | ||
51 | + } | ||
52 | tp = (int16*) sp->tbuf; | ||
53 | } | ||
54 | _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); | ||
55 | @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
56 | cc = tif->tif_rawcc; | ||
57 | /* get each byte string */ | ||
58 | for (shft = 2*8; (shft -= 8) >= 0; ) { | ||
59 | - for (i = 0; i < npixels && cc > 0; ) | ||
60 | + for (i = 0; i < npixels && cc > 0; ) { | ||
61 | if (*bp >= 128) { /* run */ | ||
62 | - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ | ||
63 | + if( cc < 2 ) | ||
64 | + break; | ||
65 | + rc = *bp++ + (2-128); | ||
66 | b = (int16)(*bp++ << shft); | ||
67 | cc -= 2; | ||
68 | while (rc-- && i < npixels) | ||
69 | @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
70 | while (--cc && rc-- && i < npixels) | ||
71 | tp[i++] |= (int16)*bp++ << shft; | ||
72 | } | ||
73 | + } | ||
74 | if (i != npixels) { | ||
75 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
76 | TIFFErrorExt(tif->tif_clientdata, module, | ||
77 | @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms | ||
78 | if (sp->user_datafmt == SGILOGDATAFMT_RAW) | ||
79 | tp = (uint32 *)op; | ||
80 | else { | ||
81 | - assert(sp->tbuflen >= npixels); | ||
82 | + if(sp->tbuflen < npixels) { | ||
83 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
84 | + "Translation buffer too short"); | ||
85 | + return (0); | ||
86 | + } | ||
87 | tp = (uint32 *) sp->tbuf; | ||
88 | } | ||
89 | /* copy to array of uint32 */ | ||
90 | bp = (unsigned char*) tif->tif_rawcp; | ||
91 | cc = tif->tif_rawcc; | ||
92 | - for (i = 0; i < npixels && cc > 0; i++) { | ||
93 | + for (i = 0; i < npixels && cc >= 3; i++) { | ||
94 | tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; | ||
95 | bp += 3; | ||
96 | cc -= 3; | ||
97 | @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
98 | if (sp->user_datafmt == SGILOGDATAFMT_RAW) | ||
99 | tp = (uint32*) op; | ||
100 | else { | ||
101 | - assert(sp->tbuflen >= npixels); | ||
102 | + if(sp->tbuflen < npixels) { | ||
103 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
104 | + "Translation buffer too short"); | ||
105 | + return (0); | ||
106 | + } | ||
107 | tp = (uint32*) sp->tbuf; | ||
108 | } | ||
109 | _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); | ||
110 | @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
111 | cc = tif->tif_rawcc; | ||
112 | /* get each byte string */ | ||
113 | for (shft = 4*8; (shft -= 8) >= 0; ) { | ||
114 | - for (i = 0; i < npixels && cc > 0; ) | ||
115 | + for (i = 0; i < npixels && cc > 0; ) { | ||
116 | if (*bp >= 128) { /* run */ | ||
117 | + if( cc < 2 ) | ||
118 | + break; | ||
119 | rc = *bp++ + (2-128); | ||
120 | b = (uint32)*bp++ << shft; | ||
121 | - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ | ||
122 | + cc -= 2; | ||
123 | while (rc-- && i < npixels) | ||
124 | tp[i++] |= b; | ||
125 | } else { /* non-run */ | ||
126 | @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
127 | while (--cc && rc-- && i < npixels) | ||
128 | tp[i++] |= (uint32)*bp++ << shft; | ||
129 | } | ||
130 | + } | ||
131 | if (i != npixels) { | ||
132 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
133 | TIFFErrorExt(tif->tif_clientdata, module, | ||
134 | @@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t | ||
135 | static int | ||
136 | LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
137 | { | ||
138 | + static const char module[] = "LogL16Encode"; | ||
139 | LogLuvState* sp = EncoderState(tif); | ||
140 | int shft; | ||
141 | tmsize_t i; | ||
142 | @@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz | ||
143 | tp = (int16*) bp; | ||
144 | else { | ||
145 | tp = (int16*) sp->tbuf; | ||
146 | - assert(sp->tbuflen >= npixels); | ||
147 | + if(sp->tbuflen < npixels) { | ||
148 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
149 | + "Translation buffer too short"); | ||
150 | + return (0); | ||
151 | + } | ||
152 | (*sp->tfunc)(sp, bp, npixels); | ||
153 | } | ||
154 | /* compress each byte string */ | ||
155 | @@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz | ||
156 | static int | ||
157 | LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
158 | { | ||
159 | + static const char module[] = "LogLuvEncode24"; | ||
160 | LogLuvState* sp = EncoderState(tif); | ||
161 | tmsize_t i; | ||
162 | tmsize_t npixels; | ||
163 | @@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms | ||
164 | tp = (uint32*) bp; | ||
165 | else { | ||
166 | tp = (uint32*) sp->tbuf; | ||
167 | - assert(sp->tbuflen >= npixels); | ||
168 | + if(sp->tbuflen < npixels) { | ||
169 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
170 | + "Translation buffer too short"); | ||
171 | + return (0); | ||
172 | + } | ||
173 | (*sp->tfunc)(sp, bp, npixels); | ||
174 | } | ||
175 | /* write out encoded pixels */ | ||
176 | @@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms | ||
177 | static int | ||
178 | LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
179 | { | ||
180 | + static const char module[] = "LogLuvEncode32"; | ||
181 | LogLuvState* sp = EncoderState(tif); | ||
182 | int shft; | ||
183 | tmsize_t i; | ||
184 | @@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms | ||
185 | tp = (uint32*) bp; | ||
186 | else { | ||
187 | tp = (uint32*) sp->tbuf; | ||
188 | - assert(sp->tbuflen >= npixels); | ||
189 | + if(sp->tbuflen < npixels) { | ||
190 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
191 | + "Translation buffer too short"); | ||
192 | + return (0); | ||
193 | + } | ||
194 | (*sp->tfunc)(sp, bp, npixels); | ||
195 | } | ||
196 | /* compress each byte string */ | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb index cf3a5f04c5..6166663fca 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb | |||
@@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/" | |||
5 | 5 | ||
6 | SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ | 6 | SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ |
7 | file://libtool2.patch \ | 7 | file://libtool2.patch \ |
8 | file://CVE-2015-8781.patch \ | ||
8 | " | 9 | " |
9 | 10 | ||
10 | SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900" | 11 | SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900" |