diff options
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch | 60 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.7.bb | 1 |
2 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch new file mode 100644 index 0000000000..e1c90c630c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From 1855407c4e5a27ade006b26c2dec8a31745c356e Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Fri, 2 Dec 2016 21:56:56 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow | ||
5 | in TIFFReadEncodedStrip() that caused an integer division by zero. Reported | ||
6 | by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | |||
10 | CVE: CVE-2016-10266 | ||
11 | Signed-off-by: Rajkumar Veer <rveer@mvista.com> | ||
12 | --- | ||
13 | ChangeLog | 7 +++++++ | ||
14 | libtiff/tif_read.c | 2 +- | ||
15 | libtiff/tiffiop.h | 4 ++++ | ||
16 | 3 files changed, 12 insertions(+), 1 deletion(-) | ||
17 | |||
18 | Index: tiff-4.0.7/ChangeLog | ||
19 | =================================================================== | ||
20 | --- tiff-4.0.7.orig/ChangeLog | ||
21 | +++ tiff-4.0.7/ChangeLog | ||
22 | @@ -1,3 +1,10 @@ | ||
23 | +2016-12-02 Even Rouault <even.rouault at spatialys.com> | ||
24 | + | ||
25 | + * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in | ||
26 | + TIFFReadEncodedStrip() that caused an integer division by zero. | ||
27 | + Reported by Agostino Sarubbo. | ||
28 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 | ||
29 | + | ||
30 | 2017-07-15 Even Rouault <even.rouault at spatialys.com> | ||
31 | |||
32 | * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" | ||
33 | Index: tiff-4.0.7/libtiff/tif_read.c | ||
34 | =================================================================== | ||
35 | --- tiff-4.0.7.orig/libtiff/tif_read.c | ||
36 | +++ tiff-4.0.7/libtiff/tif_read.c | ||
37 | @@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 s | ||
38 | rowsperstrip=td->td_rowsperstrip; | ||
39 | if (rowsperstrip>td->td_imagelength) | ||
40 | rowsperstrip=td->td_imagelength; | ||
41 | - stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); | ||
42 | + stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); | ||
43 | stripinplane=(strip%stripsperplane); | ||
44 | plane=(uint16)(strip/stripsperplane); | ||
45 | rows=td->td_imagelength-stripinplane*rowsperstrip; | ||
46 | Index: tiff-4.0.7/libtiff/tiffiop.h | ||
47 | =================================================================== | ||
48 | --- tiff-4.0.7.orig/libtiff/tiffiop.h | ||
49 | +++ tiff-4.0.7/libtiff/tiffiop.h | ||
50 | @@ -250,6 +250,10 @@ struct tiff { | ||
51 | #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ | ||
52 | ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ | ||
53 | 0U) | ||
54 | +/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ | ||
55 | +/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ | ||
56 | +#define TIFFhowmany_32_maxuint_compat(x, y) \ | ||
57 | + (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) | ||
58 | #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) | ||
59 | #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) | ||
60 | #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 9432074d5a..cb7c4949cd 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb | |||
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
14 | file://CVE-2016-10271.patch \ | 14 | file://CVE-2016-10271.patch \ |
15 | file://CVE-2016-10093.patch \ | 15 | file://CVE-2016-10093.patch \ |
16 | file://CVE-2016-10268.patch \ | 16 | file://CVE-2016-10268.patch \ |
17 | file://CVE-2016-10266.patch \ | ||
17 | " | 18 | " |
18 | 19 | ||
19 | SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" | 20 | SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" |