diff options
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch | 196 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 4 |
2 files changed, 199 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch new file mode 100644 index 0000000000..c148add5d1 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch | |||
@@ -0,0 +1,196 @@ | |||
1 | From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Sun, 27 Dec 2015 16:25:11 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in | ||
5 | decode functions in non debug builds by replacing assert()s by regular if | ||
6 | checks (bugzilla #2522). Fix potential out-of-bound reads in case of short | ||
7 | input data. | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 | ||
12 | hand applied Changelog changes | ||
13 | |||
14 | CVE: CVE-2015-8781 | ||
15 | |||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | --- | ||
18 | ChangeLog | 7 +++++++ | ||
19 | libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- | ||
20 | 2 files changed, 51 insertions(+), 11 deletions(-) | ||
21 | |||
22 | Index: tiff-4.0.3/libtiff/tif_luv.c | ||
23 | =================================================================== | ||
24 | --- tiff-4.0.3.orig/libtiff/tif_luv.c | ||
25 | +++ tiff-4.0.3/libtiff/tif_luv.c | ||
26 | @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
27 | if (sp->user_datafmt == SGILOGDATAFMT_16BIT) | ||
28 | tp = (int16*) op; | ||
29 | else { | ||
30 | - assert(sp->tbuflen >= npixels); | ||
31 | + if(sp->tbuflen < npixels) { | ||
32 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
33 | + "Translation buffer too short"); | ||
34 | + return (0); | ||
35 | + } | ||
36 | tp = (int16*) sp->tbuf; | ||
37 | } | ||
38 | _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); | ||
39 | @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
40 | cc = tif->tif_rawcc; | ||
41 | /* get each byte string */ | ||
42 | for (shft = 2*8; (shft -= 8) >= 0; ) { | ||
43 | - for (i = 0; i < npixels && cc > 0; ) | ||
44 | + for (i = 0; i < npixels && cc > 0; ) { | ||
45 | if (*bp >= 128) { /* run */ | ||
46 | - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ | ||
47 | + if( cc < 2 ) | ||
48 | + break; | ||
49 | + rc = *bp++ + (2-128); | ||
50 | b = (int16)(*bp++ << shft); | ||
51 | cc -= 2; | ||
52 | while (rc-- && i < npixels) | ||
53 | @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
54 | while (--cc && rc-- && i < npixels) | ||
55 | tp[i++] |= (int16)*bp++ << shft; | ||
56 | } | ||
57 | + } | ||
58 | if (i != npixels) { | ||
59 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
60 | TIFFErrorExt(tif->tif_clientdata, module, | ||
61 | @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms | ||
62 | if (sp->user_datafmt == SGILOGDATAFMT_RAW) | ||
63 | tp = (uint32 *)op; | ||
64 | else { | ||
65 | - assert(sp->tbuflen >= npixels); | ||
66 | + if(sp->tbuflen < npixels) { | ||
67 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
68 | + "Translation buffer too short"); | ||
69 | + return (0); | ||
70 | + } | ||
71 | tp = (uint32 *) sp->tbuf; | ||
72 | } | ||
73 | /* copy to array of uint32 */ | ||
74 | bp = (unsigned char*) tif->tif_rawcp; | ||
75 | cc = tif->tif_rawcc; | ||
76 | - for (i = 0; i < npixels && cc > 0; i++) { | ||
77 | + for (i = 0; i < npixels && cc >= 3; i++) { | ||
78 | tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; | ||
79 | bp += 3; | ||
80 | cc -= 3; | ||
81 | @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
82 | if (sp->user_datafmt == SGILOGDATAFMT_RAW) | ||
83 | tp = (uint32*) op; | ||
84 | else { | ||
85 | - assert(sp->tbuflen >= npixels); | ||
86 | + if(sp->tbuflen < npixels) { | ||
87 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
88 | + "Translation buffer too short"); | ||
89 | + return (0); | ||
90 | + } | ||
91 | tp = (uint32*) sp->tbuf; | ||
92 | } | ||
93 | _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); | ||
94 | @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
95 | cc = tif->tif_rawcc; | ||
96 | /* get each byte string */ | ||
97 | for (shft = 4*8; (shft -= 8) >= 0; ) { | ||
98 | - for (i = 0; i < npixels && cc > 0; ) | ||
99 | + for (i = 0; i < npixels && cc > 0; ) { | ||
100 | if (*bp >= 128) { /* run */ | ||
101 | + if( cc < 2 ) | ||
102 | + break; | ||
103 | rc = *bp++ + (2-128); | ||
104 | b = (uint32)*bp++ << shft; | ||
105 | - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ | ||
106 | + cc -= 2; | ||
107 | while (rc-- && i < npixels) | ||
108 | tp[i++] |= b; | ||
109 | } else { /* non-run */ | ||
110 | @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
111 | while (--cc && rc-- && i < npixels) | ||
112 | tp[i++] |= (uint32)*bp++ << shft; | ||
113 | } | ||
114 | + } | ||
115 | if (i != npixels) { | ||
116 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
117 | TIFFErrorExt(tif->tif_clientdata, module, | ||
118 | @@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t | ||
119 | static int | ||
120 | LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
121 | { | ||
122 | + static const char module[] = "LogL16Encode"; | ||
123 | LogLuvState* sp = EncoderState(tif); | ||
124 | int shft; | ||
125 | tmsize_t i; | ||
126 | @@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz | ||
127 | tp = (int16*) bp; | ||
128 | else { | ||
129 | tp = (int16*) sp->tbuf; | ||
130 | - assert(sp->tbuflen >= npixels); | ||
131 | + if(sp->tbuflen < npixels) { | ||
132 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
133 | + "Translation buffer too short"); | ||
134 | + return (0); | ||
135 | + } | ||
136 | (*sp->tfunc)(sp, bp, npixels); | ||
137 | } | ||
138 | /* compress each byte string */ | ||
139 | @@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz | ||
140 | static int | ||
141 | LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
142 | { | ||
143 | + static const char module[] = "LogLuvEncode24"; | ||
144 | LogLuvState* sp = EncoderState(tif); | ||
145 | tmsize_t i; | ||
146 | tmsize_t npixels; | ||
147 | @@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms | ||
148 | tp = (uint32*) bp; | ||
149 | else { | ||
150 | tp = (uint32*) sp->tbuf; | ||
151 | - assert(sp->tbuflen >= npixels); | ||
152 | + if(sp->tbuflen < npixels) { | ||
153 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
154 | + "Translation buffer too short"); | ||
155 | + return (0); | ||
156 | + } | ||
157 | (*sp->tfunc)(sp, bp, npixels); | ||
158 | } | ||
159 | /* write out encoded pixels */ | ||
160 | @@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms | ||
161 | static int | ||
162 | LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
163 | { | ||
164 | + static const char module[] = "LogLuvEncode32"; | ||
165 | LogLuvState* sp = EncoderState(tif); | ||
166 | int shft; | ||
167 | tmsize_t i; | ||
168 | @@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms | ||
169 | tp = (uint32*) bp; | ||
170 | else { | ||
171 | tp = (uint32*) sp->tbuf; | ||
172 | - assert(sp->tbuflen >= npixels); | ||
173 | + if(sp->tbuflen < npixels) { | ||
174 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
175 | + "Translation buffer too short"); | ||
176 | + return (0); | ||
177 | + } | ||
178 | (*sp->tfunc)(sp, bp, npixels); | ||
179 | } | ||
180 | /* compress each byte string */ | ||
181 | Index: tiff-4.0.3/ChangeLog | ||
182 | =================================================================== | ||
183 | --- tiff-4.0.3.orig/ChangeLog | ||
184 | +++ tiff-4.0.3/ChangeLog | ||
185 | @@ -1,3 +1,11 @@ | ||
186 | +2015-12-27 Even Rouault <even.rouault at spatialys.com> | ||
187 | + | ||
188 | + * libtiff/tif_luv.c: fix potential out-of-bound writes in decode | ||
189 | + functions in non debug builds by replacing assert()s by regular if | ||
190 | + checks (bugzilla #2522). | ||
191 | + Fix potential out-of-bound reads in case of short input data. | ||
192 | + | ||
193 | + | ||
194 | 2012-09-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | ||
195 | |||
196 | * libtiff 4.0.3 released. | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb index b7d1129ad6..070065b188 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | |||
@@ -11,7 +11,9 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ | |||
11 | file://libtiff-CVE-2013-4243.patch \ | 11 | file://libtiff-CVE-2013-4243.patch \ |
12 | file://libtiff-CVE-2013-4244.patch \ | 12 | file://libtiff-CVE-2013-4244.patch \ |
13 | file://libtiff-CVE-2013-4231.patch \ | 13 | file://libtiff-CVE-2013-4231.patch \ |
14 | file://tiff-CVE-2012-4564.patch " | 14 | file://tiff-CVE-2012-4564.patch \ |
15 | file://CVE-2015-8781.patch \ | ||
16 | " | ||
15 | 17 | ||
16 | SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" | 18 | SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" |
17 | SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" | 19 | SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" |