diff options
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch | 73 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 |
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch new file mode 100644 index 0000000000..0caf800e23 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Sun, 27 Dec 2015 16:55:20 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in | ||
5 | NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif | ||
6 | (bugzilla #2508) | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c | ||
10 | hand applied Changelog changes | ||
11 | |||
12 | CVE: CVE-2015-8784 | ||
13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
14 | |||
15 | --- | ||
16 | ChangeLog | 6 ++++++ | ||
17 | libtiff/tif_next.c | 10 ++++++++-- | ||
18 | 2 files changed, 14 insertions(+), 2 deletions(-) | ||
19 | |||
20 | Index: tiff-4.0.4/ChangeLog | ||
21 | =================================================================== | ||
22 | --- tiff-4.0.4.orig/ChangeLog | ||
23 | +++ tiff-4.0.4/ChangeLog | ||
24 | @@ -1,5 +1,11 @@ | ||
25 | 2015-12-27 Even Rouault <even.rouault at spatialys.com> | ||
26 | |||
27 | + * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() | ||
28 | + triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif | ||
29 | + (bugzilla #2508) | ||
30 | + | ||
31 | +2015-12-27 Even Rouault <even.rouault at spatialys.com> | ||
32 | + | ||
33 | * libtiff/tif_luv.c: fix potential out-of-bound writes in decode | ||
34 | functions in non debug builds by replacing assert()s by regular if | ||
35 | checks (bugzilla #2522). | ||
36 | Index: tiff-4.0.4/libtiff/tif_next.c | ||
37 | =================================================================== | ||
38 | --- tiff-4.0.4.orig/libtiff/tif_next.c | ||
39 | +++ tiff-4.0.4/libtiff/tif_next.c | ||
40 | @@ -37,7 +37,7 @@ | ||
41 | case 0: op[0] = (unsigned char) ((v) << 6); break; \ | ||
42 | case 1: op[0] |= (v) << 4; break; \ | ||
43 | case 2: op[0] |= (v) << 2; break; \ | ||
44 | - case 3: *op++ |= (v); break; \ | ||
45 | + case 3: *op++ |= (v); op_offset++; break; \ | ||
46 | } \ | ||
47 | } | ||
48 | |||
49 | @@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize | ||
50 | uint32 imagewidth = tif->tif_dir.td_imagewidth; | ||
51 | if( isTiled(tif) ) | ||
52 | imagewidth = tif->tif_dir.td_tilewidth; | ||
53 | + tmsize_t op_offset = 0; | ||
54 | |||
55 | /* | ||
56 | * The scanline is composed of a sequence of constant | ||
57 | @@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize | ||
58 | * bounds, potentially resulting in a security | ||
59 | * issue. | ||
60 | */ | ||
61 | - while (n-- > 0 && npixels < imagewidth) | ||
62 | + while (n-- > 0 && npixels < imagewidth && op_offset < scanline) | ||
63 | SETPIXEL(op, grey); | ||
64 | if (npixels >= imagewidth) | ||
65 | break; | ||
66 | + if (op_offset >= scanline ) { | ||
67 | + TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", | ||
68 | + (long) tif->tif_row); | ||
69 | + return (0); | ||
70 | + } | ||
71 | if (cc == 0) | ||
72 | goto bad; | ||
73 | n = *bp++, cc--; | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 9879c8bfab..05064753eb 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | |||
@@ -7,6 +7,7 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ | |||
7 | file://libtool2.patch \ | 7 | file://libtool2.patch \ |
8 | file://CVE-2015-8665_8683.patch \ | 8 | file://CVE-2015-8665_8683.patch \ |
9 | file://CVE-2015-8781.patch \ | 9 | file://CVE-2015-8781.patch \ |
10 | file://CVE-2015-8784.patch \ | ||
10 | " | 11 | " |
11 | 12 | ||
12 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" | 13 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" |