diff options
author | Joe Slater <joe.slater@windriver.com> | 2018-09-26 15:51:25 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-10-04 14:21:41 +0100 |
commit | 205d75ddb3b686eafa442a971247488c91950066 (patch) | |
tree | 7553ea06070e4e33ff9c3bb9030a0d94bb49fa2a /meta | |
parent | cd158dd197a3a41a91679107a94c6f213476921c (diff) | |
download | poky-205d75ddb3b686eafa442a971247488c91950066.tar.gz |
libtiff: fix CVE-2017-17095
Backport fix from gitlab.com/libtiff/libtiff.
nvd.nist.gov does not yet reference this patch.
(From OE-Core rev: f72c8af3f2c1ec9e4d9ffcf0cc6e7fdf572b21b9)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch | 46 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | 1 |
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch new file mode 100644 index 0000000000..9b9962ed35 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nathan Baker <elitebadger@gmail.com> | ||
3 | Date: Thu, 25 Jan 2018 21:28:15 +0000 | ||
4 | Subject: [PATCH] Add workaround to pal2rgb buffer overflow. | ||
5 | |||
6 | CVE: CVE-2017-17095 | ||
7 | |||
8 | Upstream-Status: Backport (unchanged) [gitlab.com/libtiff/libtiff/commit/9171da5...] | ||
9 | |||
10 | Signed-off-by: Joe Slater <joe.slater@windriver.com. | ||
11 | |||
12 | --- | ||
13 | tools/pal2rgb.c | 17 +++++++++++++++-- | ||
14 | 1 file changed, 15 insertions(+), 2 deletions(-) | ||
15 | |||
16 | diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c | ||
17 | index 0423598..01fcf94 100644 | ||
18 | --- a/tools/pal2rgb.c | ||
19 | +++ b/tools/pal2rgb.c | ||
20 | @@ -182,8 +182,21 @@ main(int argc, char* argv[]) | ||
21 | { unsigned char *ibuf, *obuf; | ||
22 | register unsigned char* pp; | ||
23 | register uint32 x; | ||
24 | - ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); | ||
25 | - obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); | ||
26 | + tmsize_t tss_in = TIFFScanlineSize(in); | ||
27 | + tmsize_t tss_out = TIFFScanlineSize(out); | ||
28 | + if (tss_out / tss_in < 3) { | ||
29 | + /* | ||
30 | + * BUG 2750: The following code does not know about chroma | ||
31 | + * subsampling of JPEG data. It assumes that the output buffer is 3x | ||
32 | + * the length of the input buffer due to exploding the palette into | ||
33 | + * RGB tuples. If this assumption is incorrect, it could lead to a | ||
34 | + * buffer overflow. Go ahead and fail now to prevent that. | ||
35 | + */ | ||
36 | + fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); | ||
37 | + return -1; | ||
38 | + } | ||
39 | + ibuf = (unsigned char*)_TIFFmalloc(tss_in); | ||
40 | + obuf = (unsigned char*)_TIFFmalloc(tss_out); | ||
41 | switch (config) { | ||
42 | case PLANARCONFIG_CONTIG: | ||
43 | for (row = 0; row < imagelength; row++) { | ||
44 | -- | ||
45 | 1.7.9.5 | ||
46 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb index fa64d11216..93beddb4da 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | |||
@@ -12,6 +12,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
12 | file://CVE-2018-10963.patch \ | 12 | file://CVE-2018-10963.patch \ |
13 | file://CVE-2018-8905.patch \ | 13 | file://CVE-2018-8905.patch \ |
14 | file://CVE-2018-7456.patch \ | 14 | file://CVE-2018-7456.patch \ |
15 | file://CVE-2017-17095.patch \ | ||
15 | " | 16 | " |
16 | 17 | ||
17 | SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" | 18 | SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" |