tiff: Security fix for CVE-2016-10270

(From OE-Core rev: 9600bca011fe5fd2837606ab05e64325b3f12114) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Rajkumar Veer <rveer@mvista.com> 2017-11-03 22:18:19 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-05 22:39:48 +0000
commit: 7af530d449554785b194c3b6a2f91f2ea5c3d853 (patch)
tree: 50d503cf4c91ef6a3b1cd13f2a158a90c6fe2890 /meta
parent: 6a2f7581c5a2f9f996e73caacdf71bd878c6545d (diff)
download: poky-7af530d449554785b194c3b6a2f91f2ea5c3d853.tar.gz
2 files changed, 135 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch
new file mode 100644
index 0000000000..43ad6eda9f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch
@@ -0,0 +1,134 @@
+From 6e7042c61e300cf9971c645c79d05de974b24308 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:02:15 +0000
+Subject: [PATCH 3/4] * libtiff/tif_dirread.c: modify
+ ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
+ TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
+ the total size of data. Which is faulty is the total size of data is not
+ sufficient to fill the whole image, and thus results in reading outside of
+ the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
+ by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+the above change is a better fix that makes it unnecessary.
+Upstream-Status: Backport
+CVE: CVE-2016-10270
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+---
+ ChangeLog             | 15 +++++++++++++++
+ libtiff/tif_dirread.c | 22 ++++++++++------------
+ libtiff/tif_strip.c   |  9 ---------
+ 3 files changed, 25 insertions(+), 21 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 0a2c2a7..6e30e41 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,5 +1,20 @@
+ 2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ 
+       * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+       instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
+       instead of a logic based on the total size of data. Which is faulty is
+       the total size of data is not sufficient to fill the whole image, and thus
+       results in reading outside of the StripByCounts/StripOffsets arrays when
+       using TIFFReadScanline().
+       Reported by Agostino Sarubbo.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+       * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+       for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+       the above change is a better fix that makes it unnecessary.
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+        overflow on generation of PixarLog / LUV compressed files, with
+        ColorMap, TransferFunction attached and nasty plays with bitspersample.
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 3eec79c..570d0c3 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+        uint64 rowblockbytes;
+        uint64 stripbytes;
+        uint32 strip;
+-       uint64 nstrips64;
+-       uint32 nstrips32;
+       uint32 nstrips;
+        uint32 rowsperstrip;
+        uint64* newcounts;
+        uint64* newoffsets;
+@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+            return;
+ 
+        /*
+-        * never increase the number of strips in an image
+        * never increase the number of rows per strip
+         */
+        if (rowsperstrip >= td->td_rowsperstrip)
+                return;
+-       nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+-       if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+-           return;
+-       nstrips32 = (uint32)nstrips64;
+        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+        if( nstrips == 0 )
+            return;
+ 
+-       newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+       newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+                                "for chopped \"StripByteCounts\" array");
+-       newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+       newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+                                "for chopped \"StripOffsets\" array");
+        if (newcounts == NULL || newoffsets == NULL) {
+                /*
+@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+         * Fill the strip information arrays with new bytecounts and offsets
+         * that reflect the broken-up format.
+         */
+-       for (strip = 0; strip < nstrips32; strip++) {
+       for (strip = 0; strip < nstrips; strip++) {
+                if (stripbytes > bytecount)
+                        stripbytes = bytecount;
+                newcounts[strip] = stripbytes;
+-               newoffsets[strip] = offset;
+               newoffsets[strip] = stripbytes ? offset : 0;
+                offset += stripbytes;
+                bytecount -= stripbytes;
+        }
+        /*
+         * Replace old single strip info with multi-strip info.
+         */
+-       td->td_stripsperimage = td->td_nstrips = nstrips32;
+       td->td_stripsperimage = td->td_nstrips = nstrips;
+        TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ 
+        _TIFFfree(td->td_stripbytecount);
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
+index 4c46ecf..1676e47 100644
+--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
+        TIFFDirectory *td = &tif->tif_dir;
+        uint32 nstrips;
+ 
+-    /* If the value was already computed and store in td_nstrips, then return it,
+-       since ChopUpSingleUncompressedStrip might have altered and resized the
+-       since the td_stripbytecount and td_stripoffset arrays to the new value
+-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+-       tif_dirread.c ~line 3612.
+-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+-    if( td->td_nstrips )
+-        return td->td_nstrips;
+-
+        nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+             TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+        if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+-- 
+1.9.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 0878e0014a..4efe4c2db6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2016-10266.patch \
           file://CVE-2016-10267.patch \
           file://CVE-2016-10269.patch \
+           file://CVE-2016-10270.patch \
          "
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
author	Rajkumar Veer <rveer@mvista.com>	2017-11-03 22:18:19 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-05 22:39:48 +0000
commit	7af530d449554785b194c3b6a2f91f2ea5c3d853 (patch)
tree	50d503cf4c91ef6a3b1cd13f2a158a90c6fe2890 /meta
parent	6a2f7581c5a2f9f996e73caacdf71bd878c6545d (diff)
download	poky-7af530d449554785b194c3b6a2f91f2ea5c3d853.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch new file mode 100644 index 0000000000..43ad6eda9f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch
@@ -0,0 +1,134 @@
		1	From 6e7042c61e300cf9971c645c79d05de974b24308 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Sat, 3 Dec 2016 11:02:15 +0000
		4	Subject: [PATCH 3/4] * libtiff/tif_dirread.c: modify
		5	ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
		6	TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
		7	the total size of data. Which is faulty is the total size of data is not
		8	sufficient to fill the whole image, and thus results in reading outside of
		9	the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
		10	by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
		11
		12	* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
		13	for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
		14	the above change is a better fix that makes it unnecessary.
		15
		16	Upstream-Status: Backport
		17
		18	CVE: CVE-2016-10270
		19	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
		20	---
		21	ChangeLog \| 15 +++++++++++++++
		22	libtiff/tif_dirread.c \| 22 ++++++++++------------
		23	libtiff/tif_strip.c \| 9 ---------
		24	3 files changed, 25 insertions(+), 21 deletions(-)
		25
		26	diff --git a/ChangeLog b/ChangeLog
		27	index 0a2c2a7..6e30e41 100644
		28	--- a/ChangeLog
		29	+++ b/ChangeLog
		30	@@ -1,5 +1,20 @@
		31	2016-12-03 Even Rouault <even.rouault at spatialys.com>
		32
		33	+ * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
		34	+ instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
		35	+ instead of a logic based on the total size of data. Which is faulty is
		36	+ the total size of data is not sufficient to fill the whole image, and thus
		37	+ results in reading outside of the StripByCounts/StripOffsets arrays when
		38	+ using TIFFReadScanline().
		39	+ Reported by Agostino Sarubbo.
		40	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
		41	+
		42	+ * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
		43	+ for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
		44	+ the above change is a better fix that makes it unnecessary.
		45	+
		46	+2016-12-03 Even Rouault <even.rouault at spatialys.com>
		47	+
		48	* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
		49	overflow on generation of PixarLog / LUV compressed files, with
		50	ColorMap, TransferFunction attached and nasty plays with bitspersample.
		51	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		52	index 3eec79c..570d0c3 100644
		53	--- a/libtiff/tif_dirread.c
		54	+++ b/libtiff/tif_dirread.c
		55	@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
		56	uint64 rowblockbytes;
		57	uint64 stripbytes;
		58	uint32 strip;
		59	- uint64 nstrips64;
		60	- uint32 nstrips32;
		61	+ uint32 nstrips;
		62	uint32 rowsperstrip;
		63	uint64* newcounts;
		64	uint64* newoffsets;
		65	@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
		66	return;
		67
		68	/*
		69	- * never increase the number of strips in an image
		70	+ * never increase the number of rows per strip
		71	*/
		72	if (rowsperstrip >= td->td_rowsperstrip)
		73	return;
		74	- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
		75	- if ((nstrips64==0)\|\|(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
		76	- return;
		77	- nstrips32 = (uint32)nstrips64;
		78	+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
		79	+ if( nstrips == 0 )
		80	+ return;
		81
		82	- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
		83	+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
		84	"for chopped \"StripByteCounts\" array");
		85	- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
		86	+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
		87	"for chopped \"StripOffsets\" array");
		88	if (newcounts == NULL \|\| newoffsets == NULL) {
		89	/*
		90	@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
		91	* Fill the strip information arrays with new bytecounts and offsets
		92	* that reflect the broken-up format.
		93	*/
		94	- for (strip = 0; strip < nstrips32; strip++) {
		95	+ for (strip = 0; strip < nstrips; strip++) {
		96	if (stripbytes > bytecount)
		97	stripbytes = bytecount;
		98	newcounts[strip] = stripbytes;
		99	- newoffsets[strip] = offset;
		100	+ newoffsets[strip] = stripbytes ? offset : 0;
		101	offset += stripbytes;
		102	bytecount -= stripbytes;
		103	}
		104	/*
		105	* Replace old single strip info with multi-strip info.
		106	*/
		107	- td->td_stripsperimage = td->td_nstrips = nstrips32;
		108	+ td->td_stripsperimage = td->td_nstrips = nstrips;
		109	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
		110
		111	_TIFFfree(td->td_stripbytecount);
		112	diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
		113	index 4c46ecf..1676e47 100644
		114	--- a/libtiff/tif_strip.c
		115	+++ b/libtiff/tif_strip.c
		116	@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
		117	TIFFDirectory *td = &tif->tif_dir;
		118	uint32 nstrips;
		119
		120	- /* If the value was already computed and store in td_nstrips, then return it,
		121	- since ChopUpSingleUncompressedStrip might have altered and resized the
		122	- since the td_stripbytecount and td_stripoffset arrays to the new value
		123	- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
		124	- tif_dirread.c ~line 3612.
		125	- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
		126	- if( td->td_nstrips )
		127	- return td->td_nstrips;
		128	-
		129	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
		130	TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
		131	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
		132	--
		133	1.9.1
		134


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 0878e0014a..4efe4c2db6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
17	file://CVE-2016-10266.patch \	17	file://CVE-2016-10266.patch \
18	file://CVE-2016-10267.patch \	18	file://CVE-2016-10267.patch \
19	file://CVE-2016-10269.patch \	19	file://CVE-2016-10269.patch \
		20	file://CVE-2016-10270.patch \
20	"	21	"
21		22
22	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"	23	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"