diff options
| author | Ming Liu <ming.liu@windriver.com> | 2013-12-05 17:52:14 -0600 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2013-12-10 17:42:44 +0000 |
| commit | 6e89d269e5f753c44655c166769a26a93b9b977d (patch) | |
| tree | 3485ad8080a5b760552e624556b9fda38a57ea22 /meta | |
| parent | e7d1921fb8251f11027e8cdaed31f072797c30eb (diff) | |
| download | poky-6e89d269e5f753c44655c166769a26a93b9b977d.tar.gz | |
libtiff: fix CVE-2013-1960
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
(From OE-Core rev: 9db7a897d216a8293152c1a3b96c72b699d469c7)
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch | 151 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 |
2 files changed, 153 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch new file mode 100644 index 0000000000..e4348f1d2c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch | |||
| @@ -0,0 +1,151 @@ | |||
| 1 | This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch | ||
| 2 | |||
| 3 | Upstream-Status: Pending | ||
| 4 | |||
| 5 | Signed-off-by: Ming Liu <ming.liu@windriver.com> | ||
| 6 | |||
| 7 | diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
| 8 | --- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 | ||
| 9 | +++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400 | ||
| 10 | @@ -3341,33 +3341,56 @@ | ||
| 11 | uint32 height){ | ||
| 12 | |||
| 13 | tsize_t i=0; | ||
| 14 | - uint16 ri =0; | ||
| 15 | - uint16 v_samp=1; | ||
| 16 | - uint16 h_samp=1; | ||
| 17 | - int j=0; | ||
| 18 | - | ||
| 19 | - i++; | ||
| 20 | - | ||
| 21 | - while(i<(*striplength)){ | ||
| 22 | + | ||
| 23 | + while (i < *striplength) { | ||
| 24 | + tsize_t datalen; | ||
| 25 | + uint16 ri; | ||
| 26 | + uint16 v_samp; | ||
| 27 | + uint16 h_samp; | ||
| 28 | + int j; | ||
| 29 | + int ncomp; | ||
| 30 | + | ||
| 31 | + /* marker header: one or more FFs */ | ||
| 32 | + if (strip[i] != 0xff) | ||
| 33 | + return(0); | ||
| 34 | + i++; | ||
| 35 | + while (i < *striplength && strip[i] == 0xff) | ||
| 36 | + i++; | ||
| 37 | + if (i >= *striplength) | ||
| 38 | + return(0); | ||
| 39 | + /* SOI is the only pre-SOS marker without a length word */ | ||
| 40 | + if (strip[i] == 0xd8) | ||
| 41 | + datalen = 0; | ||
| 42 | + else { | ||
| 43 | + if ((*striplength - i) <= 2) | ||
| 44 | + return(0); | ||
| 45 | + datalen = (strip[i+1] << 8) | strip[i+2]; | ||
| 46 | + if (datalen < 2 || datalen >= (*striplength - i)) | ||
| 47 | + return(0); | ||
| 48 | + } | ||
| 49 | switch( strip[i] ){ | ||
| 50 | - case 0xd8: | ||
| 51 | - /* SOI - start of image */ | ||
| 52 | + case 0xd8: /* SOI - start of image */ | ||
| 53 | _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); | ||
| 54 | *bufferoffset+=2; | ||
| 55 | - i+=2; | ||
| 56 | break; | ||
| 57 | - case 0xc0: | ||
| 58 | - case 0xc1: | ||
| 59 | - case 0xc3: | ||
| 60 | - case 0xc9: | ||
| 61 | - case 0xca: | ||
| 62 | + case 0xc0: /* SOF0 */ | ||
| 63 | + case 0xc1: /* SOF1 */ | ||
| 64 | + case 0xc3: /* SOF3 */ | ||
| 65 | + case 0xc9: /* SOF9 */ | ||
| 66 | + case 0xca: /* SOF10 */ | ||
| 67 | if(no==0){ | ||
| 68 | - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); | ||
| 69 | - for(j=0;j<buffer[*bufferoffset+9];j++){ | ||
| 70 | - if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) | ||
| 71 | - h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); | ||
| 72 | - if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) | ||
| 73 | - v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); | ||
| 74 | + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); | ||
| 75 | + ncomp = buffer[*bufferoffset+9]; | ||
| 76 | + if (ncomp < 1 || ncomp > 4) | ||
| 77 | + return(0); | ||
| 78 | + v_samp=1; | ||
| 79 | + h_samp=1; | ||
| 80 | + for(j=0;j<ncomp;j++){ | ||
| 81 | + uint16 samp = buffer[*bufferoffset+11+(3*j)]; | ||
| 82 | + if( (samp>>4) > h_samp) | ||
| 83 | + h_samp = (samp>>4); | ||
| 84 | + if( (samp & 0x0f) > v_samp) | ||
| 85 | + v_samp = (samp & 0x0f); | ||
| 86 | } | ||
| 87 | v_samp*=8; | ||
| 88 | h_samp*=8; | ||
| 89 | @@ -3381,45 +3404,43 @@ | ||
| 90 | (unsigned char) ((height>>8) & 0xff); | ||
| 91 | buffer[*bufferoffset+6]= | ||
| 92 | (unsigned char) (height & 0xff); | ||
| 93 | - *bufferoffset+=strip[i+2]+2; | ||
| 94 | - i+=strip[i+2]+2; | ||
| 95 | - | ||
| 96 | + *bufferoffset+=datalen+2; | ||
| 97 | + /* insert a DRI marker */ | ||
| 98 | buffer[(*bufferoffset)++]=0xff; | ||
| 99 | buffer[(*bufferoffset)++]=0xdd; | ||
| 100 | buffer[(*bufferoffset)++]=0x00; | ||
| 101 | buffer[(*bufferoffset)++]=0x04; | ||
| 102 | buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; | ||
| 103 | buffer[(*bufferoffset)++]= ri & 0xff; | ||
| 104 | - } else { | ||
| 105 | - i+=strip[i+2]+2; | ||
| 106 | } | ||
| 107 | break; | ||
| 108 | - case 0xc4: | ||
| 109 | - case 0xdb: | ||
| 110 | - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); | ||
| 111 | - *bufferoffset+=strip[i+2]+2; | ||
| 112 | - i+=strip[i+2]+2; | ||
| 113 | + case 0xc4: /* DHT */ | ||
| 114 | + case 0xdb: /* DQT */ | ||
| 115 | + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); | ||
| 116 | + *bufferoffset+=datalen+2; | ||
| 117 | break; | ||
| 118 | - case 0xda: | ||
| 119 | + case 0xda: /* SOS */ | ||
| 120 | if(no==0){ | ||
| 121 | - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); | ||
| 122 | - *bufferoffset+=strip[i+2]+2; | ||
| 123 | - i+=strip[i+2]+2; | ||
| 124 | + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); | ||
| 125 | + *bufferoffset+=datalen+2; | ||
| 126 | } else { | ||
| 127 | buffer[(*bufferoffset)++]=0xff; | ||
| 128 | buffer[(*bufferoffset)++]= | ||
| 129 | (unsigned char)(0xd0 | ((no-1)%8)); | ||
| 130 | - i+=strip[i+2]+2; | ||
| 131 | } | ||
| 132 | - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); | ||
| 133 | - *bufferoffset+=(*striplength)-i-1; | ||
| 134 | + i += datalen + 1; | ||
| 135 | + /* copy remainder of strip */ | ||
| 136 | + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); | ||
| 137 | + *bufferoffset+= *striplength - i; | ||
| 138 | return(1); | ||
| 139 | default: | ||
| 140 | - i+=strip[i+2]+2; | ||
| 141 | + /* ignore any other marker */ | ||
| 142 | + break; | ||
| 143 | } | ||
| 144 | + i += datalen + 1; | ||
| 145 | } | ||
| 146 | - | ||
| 147 | |||
| 148 | + /* failed to find SOS marker */ | ||
| 149 | return(0); | ||
| 150 | } | ||
| 151 | #endif | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb index c90b4b29ac..def408e574 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | |||
| @@ -5,7 +5,8 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/" | |||
| 5 | DEPENDS = "zlib jpeg xz" | 5 | DEPENDS = "zlib jpeg xz" |
| 6 | 6 | ||
| 7 | SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ | 7 | SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ |
| 8 | file://libtool2.patch" | 8 | file://libtool2.patch \ |
| 9 | file://libtiff-CVE-2013-1960.patch" | ||
| 9 | 10 | ||
| 10 | SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" | 11 | SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" |
| 11 | SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" | 12 | SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" |