-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch308
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.7.bb1
2 files changed, 309 insertions, 0 deletions
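--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch
@@ -0,0 +1,308 @@
+From 3144e57770c1e4d26520d8abee750f8ac8b75490 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 16:09:02 +0000
+Subject: [PATCH] * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement
+ various clampings of double to other data types to avoid undefined behaviour
+ if the output range isn't big enough to hold the input value. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2643
+ http://bugzilla.maptools.org/show_bug.cgi?id=2642
+ http://bugzilla.maptools.org/show_bug.cgi?id=2646
+ http://bugzilla.maptools.org/show_bug.cgi?id=2647
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7596
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog 2017-04-25 15:53:40.294592812 +0530
++++ tiff-4.0.7/ChangeLog 2017-04-25 16:02:03.238600641 +0530
+@@ -6,6 +6,16 @@
+ Patch by Nicolás Peña.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+
++2017-01-11 Even Rouault <even.rouault at spatialys.com>
++
++ * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
++ of double to other data types to avoid undefined behaviour if the output range
++ isn't big enough to hold the input value.
++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
++ http://bugzilla.maptools.org/show_bug.cgi?id=2642
++ http://bugzilla.maptools.org/show_bug.cgi?id=2646
++ http://bugzilla.maptools.org/show_bug.cgi?id=2647
++
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: avoid integer division by zero in
+Index: tiff-4.0.7/libtiff/tif_dir.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dir.c 2016-10-30 04:33:18.856598072 +0530
++++ tiff-4.0.7/libtiff/tif_dir.c 2017-04-25 16:02:03.238600641 +0530
+@@ -31,6 +31,7 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ /*
+ * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@
+ return (0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_xresolution = (float) dblval;
++ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_yresolution = (float) dblval;
++ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@
+ td->td_planarconfig = (uint16) v;
+ break;
+ case TIFFTAG_XPOSITION:
+- td->td_xposition = (float) va_arg(ap, double);
++ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_YPOSITION:
+- td->td_yposition = (float) va_arg(ap, double);
++ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_RESOLUTIONUNIT:
+ v = (uint16) va_arg(ap, uint16_vap);
+Index: tiff-4.0.7/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dirread.c 2017-04-25 15:53:40.134592810 +0530
++++ tiff-4.0.7/libtiff/tif_dirread.c 2017-04-25 16:02:03.242600641 +0530
+@@ -40,6 +40,7 @@
+ */
+
+ #include "tiffiop.h"
++#include <float.h>
+
+ #define IGNORE 0 /* tag placeholder used below */
+ #define FAILED_FII ((uint32) -1)
+@@ -2406,7 +2407,14 @@
+ ma=(double*)origdata;
+ mb=data;
+ for (n=0; n<count; n++)
+- *mb++=(float)(*ma++);
++ {
++ double val = *ma++;
++ if( val > FLT_MAX )
++ val = FLT_MAX;
++ else if( val < -FLT_MAX )
++ val = -FLT_MAX;
++ *mb++=(float)val;
++ }
+ }
+ break;
+ }
+Index: tiff-4.0.7/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dirwrite.c 2016-10-30 04:33:18.876854501 +0530
++++ tiff-4.0.7/libtiff/tif_dirwrite.c 2017-04-25 16:07:48.670606018 +0530
+@@ -30,6 +30,7 @@
+ * Directory Write Support Routines.
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@
+ return(0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++ if( val > 127 )
++ return 127;
++ if( val < -128 || val != val )
++ return -128;
++ return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++ if( val > 32767 )
++ return 32767;
++ if( val < -32768 || val != val )
++ return -32768;
++ return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++ if( val > 0x7FFFFFFF )
++ return 0x7FFFFFFF;
++ if( val < -0x7FFFFFFF-1 || val != val )
++ return -0x7FFFFFFF-1;
++ return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 255 || val != val )
++ return 255;
++ return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 65535 || val != val )
++ return 65535;
++ return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@
+ if (tif->tif_dir.td_bitspersample<=32)
+ {
+ for (i = 0; i < count; ++i)
+- ((float*)conv)[i] = (float)value[i];
++ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+ }
+ else
+@@ -971,19 +1035,19 @@
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((int8*)conv)[i] = (int8)value[i];
++ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+ ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((int16*)conv)[i] = (int16)value[i];
++ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+ ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((int32*)conv)[i] = (int32)value[i];
++ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+ ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+ }
+ break;
+@@ -991,19 +1055,19 @@
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((uint8*)conv)[i] = (uint8)value[i];
++ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+ ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((uint16*)conv)[i] = (uint16)value[i];
++ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
+ ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((uint32*)conv)[i] = (uint32)value[i];
++ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
+ ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
+ }
+ break;
+@@ -2094,15 +2158,25 @@
+ static int
+ TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
+ {
++ static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
+ uint32 m[2];
+- assert(value>=0.0);
+ assert(sizeof(uint32)==4);
+- if (value<=0.0)
++ if (value<0)
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
++ return 0;
++ }
++ else if( value != value )
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
++ return 0;
++ }
++ else if (value==0.0)
+ {
+ m[0]=0;
+ m[1]=1;
+- }
+- else if (value==(double)(uint32)value)
++ }
++ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
+ {
+ m[0]=(uint32)value;
+ m[1]=1;
+@@ -2143,7 +2217,7 @@
+ }
+ for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
+ {
+- if (*na<=0.0)
++ if (*na<=0.0 || *na != *na)
+ {
+ nb[0]=0;
+ nb[1]=1;
+@@ -2153,7 +2227,8 @@
+ nb[0]=(uint32)(*na);
+ nb[1]=1;
+ }
+- else if (*na<1.0)
++ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
++ *na==(float)(uint32)(*na))
+ {
+ nb[0]=(uint32)((double)(*na)*0xFFFFFFFF);
+ nb[1]=0xFFFFFFFF;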
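Review bot: In the last tif_dirwrite.c hunk (`@@ -2153,7 +2227,8 @@`) the new range-and-integer test replaces `else if (*na<1.0)`, so it now guards the fractional branch `nb[0]=(uint32)((double)(*na)*0xFFFFFFFF); nb[1]=0xFFFFFFFF;` rather than the whole-number branch just above it, whose `nb[0]=(uint32)(*na)` cast appears only as context. The condition on that earlier branch lies outside the hunk, but as shown its float-to-uint32 cast does not gain the new bound, and values below 1.0 no longer have a branch of their own. The fractional branch should keep `else if (*na<1.0)`, and the added test `*na >= 0 && *na <= (float)0xFFFFFFFFU && *na==(float)(uint32)(*na)` belongs on the preceding `else if`; it is worth comparing the hunk against the upstream commit named in the patch header. Separately, `(float)0xFFFFFFFFU` rounds up to 2^32, so `<=` still admits one value that does not fit in uint32; `*na < 4294967296.0f` would exclude it.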
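--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
  file://CVE-2017-7594-p1.patch \
  file://CVE-2017-7594-p2.patch \
  file://CVE-2017-7595.patch \
+ file://CVE-2017-7596.patch \
  "
 
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"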