diff options
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch | 308 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.7.bb | 1 |
2 files changed, 309 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch new file mode 100644 index 0000000000..1945c3d316 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7596.patch | |||
@@ -0,0 +1,308 @@ | |||
1 | From 3144e57770c1e4d26520d8abee750f8ac8b75490 Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Wed, 11 Jan 2017 16:09:02 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement | ||
5 | various clampings of double to other data types to avoid undefined behaviour | ||
6 | if the output range isn't big enough to hold the input value. Fixes | ||
7 | http://bugzilla.maptools.org/show_bug.cgi?id=2643 | ||
8 | http://bugzilla.maptools.org/show_bug.cgi?id=2642 | ||
9 | http://bugzilla.maptools.org/show_bug.cgi?id=2646 | ||
10 | http://bugzilla.maptools.org/show_bug.cgi?id=2647 | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | |||
14 | CVE: CVE-2017-7596 | ||
15 | Signed-off-by: Rajkumar Veer <rveer@mvista.com> | ||
16 | |||
17 | Index: tiff-4.0.7/ChangeLog | ||
18 | =================================================================== | ||
19 | --- tiff-4.0.7.orig/ChangeLog 2017-04-25 15:53:40.294592812 +0530 | ||
20 | +++ tiff-4.0.7/ChangeLog 2017-04-25 16:02:03.238600641 +0530 | ||
21 | @@ -6,6 +6,16 @@ | ||
22 | Patch by Nicolás Peña. | ||
23 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 | ||
24 | |||
25 | +2017-01-11 Even Rouault <even.rouault at spatialys.com> | ||
26 | + | ||
27 | + * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings | ||
28 | + of double to other data types to avoid undefined behaviour if the output range | ||
29 | + isn't big enough to hold the input value. | ||
30 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 | ||
31 | + http://bugzilla.maptools.org/show_bug.cgi?id=2642 | ||
32 | + http://bugzilla.maptools.org/show_bug.cgi?id=2646 | ||
33 | + http://bugzilla.maptools.org/show_bug.cgi?id=2647 | ||
34 | + | ||
35 | 2017-01-11 Even Rouault <even.rouault at spatialys.com> | ||
36 | |||
37 | * libtiff/tif_jpeg.c: avoid integer division by zero in | ||
38 | Index: tiff-4.0.7/libtiff/tif_dir.c | ||
39 | =================================================================== | ||
40 | --- tiff-4.0.7.orig/libtiff/tif_dir.c 2016-10-30 04:33:18.856598072 +0530 | ||
41 | +++ tiff-4.0.7/libtiff/tif_dir.c 2017-04-25 16:02:03.238600641 +0530 | ||
42 | @@ -31,6 +31,7 @@ | ||
43 | * (and also some miscellaneous stuff) | ||
44 | */ | ||
45 | #include "tiffiop.h" | ||
46 | +#include <float.h> | ||
47 | |||
48 | /* | ||
49 | * These are used in the backwards compatibility code... | ||
50 | @@ -154,6 +155,15 @@ | ||
51 | return (0); | ||
52 | } | ||
53 | |||
54 | +static float TIFFClampDoubleToFloat( double val ) | ||
55 | +{ | ||
56 | + if( val > FLT_MAX ) | ||
57 | + return FLT_MAX; | ||
58 | + if( val < -FLT_MAX ) | ||
59 | + return -FLT_MAX; | ||
60 | + return (float)val; | ||
61 | +} | ||
62 | + | ||
63 | static int | ||
64 | _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) | ||
65 | { | ||
66 | @@ -312,13 +322,13 @@ | ||
67 | dblval = va_arg(ap, double); | ||
68 | if( dblval < 0 ) | ||
69 | goto badvaluedouble; | ||
70 | - td->td_xresolution = (float) dblval; | ||
71 | + td->td_xresolution = TIFFClampDoubleToFloat( dblval ); | ||
72 | break; | ||
73 | case TIFFTAG_YRESOLUTION: | ||
74 | dblval = va_arg(ap, double); | ||
75 | if( dblval < 0 ) | ||
76 | goto badvaluedouble; | ||
77 | - td->td_yresolution = (float) dblval; | ||
78 | + td->td_yresolution = TIFFClampDoubleToFloat( dblval ); | ||
79 | break; | ||
80 | case TIFFTAG_PLANARCONFIG: | ||
81 | v = (uint16) va_arg(ap, uint16_vap); | ||
82 | @@ -327,10 +337,10 @@ | ||
83 | td->td_planarconfig = (uint16) v; | ||
84 | break; | ||
85 | case TIFFTAG_XPOSITION: | ||
86 | - td->td_xposition = (float) va_arg(ap, double); | ||
87 | + td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); | ||
88 | break; | ||
89 | case TIFFTAG_YPOSITION: | ||
90 | - td->td_yposition = (float) va_arg(ap, double); | ||
91 | + td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); | ||
92 | break; | ||
93 | case TIFFTAG_RESOLUTIONUNIT: | ||
94 | v = (uint16) va_arg(ap, uint16_vap); | ||
95 | Index: tiff-4.0.7/libtiff/tif_dirread.c | ||
96 | =================================================================== | ||
97 | --- tiff-4.0.7.orig/libtiff/tif_dirread.c 2017-04-25 15:53:40.134592810 +0530 | ||
98 | +++ tiff-4.0.7/libtiff/tif_dirread.c 2017-04-25 16:02:03.242600641 +0530 | ||
99 | @@ -40,6 +40,7 @@ | ||
100 | */ | ||
101 | |||
102 | #include "tiffiop.h" | ||
103 | +#include <float.h> | ||
104 | |||
105 | #define IGNORE 0 /* tag placeholder used below */ | ||
106 | #define FAILED_FII ((uint32) -1) | ||
107 | @@ -2406,7 +2407,14 @@ | ||
108 | ma=(double*)origdata; | ||
109 | mb=data; | ||
110 | for (n=0; n<count; n++) | ||
111 | - *mb++=(float)(*ma++); | ||
112 | + { | ||
113 | + double val = *ma++; | ||
114 | + if( val > FLT_MAX ) | ||
115 | + val = FLT_MAX; | ||
116 | + else if( val < -FLT_MAX ) | ||
117 | + val = -FLT_MAX; | ||
118 | + *mb++=(float)val; | ||
119 | + } | ||
120 | } | ||
121 | break; | ||
122 | } | ||
123 | Index: tiff-4.0.7/libtiff/tif_dirwrite.c | ||
124 | =================================================================== | ||
125 | --- tiff-4.0.7.orig/libtiff/tif_dirwrite.c 2016-10-30 04:33:18.876854501 +0530 | ||
126 | +++ tiff-4.0.7/libtiff/tif_dirwrite.c 2017-04-25 16:07:48.670606018 +0530 | ||
127 | @@ -30,6 +30,7 @@ | ||
128 | * Directory Write Support Routines. | ||
129 | */ | ||
130 | #include "tiffiop.h" | ||
131 | +#include <float.h> | ||
132 | |||
133 | #ifdef HAVE_IEEEFP | ||
134 | #define TIFFCvtNativeToIEEEFloat(tif, n, fp) | ||
135 | @@ -939,6 +940,69 @@ | ||
136 | return(0); | ||
137 | } | ||
138 | |||
139 | +static float TIFFClampDoubleToFloat( double val ) | ||
140 | +{ | ||
141 | + if( val > FLT_MAX ) | ||
142 | + return FLT_MAX; | ||
143 | + if( val < -FLT_MAX ) | ||
144 | + return -FLT_MAX; | ||
145 | + return (float)val; | ||
146 | +} | ||
147 | + | ||
148 | +static int8 TIFFClampDoubleToInt8( double val ) | ||
149 | +{ | ||
150 | + if( val > 127 ) | ||
151 | + return 127; | ||
152 | + if( val < -128 || val != val ) | ||
153 | + return -128; | ||
154 | + return (int8)val; | ||
155 | +} | ||
156 | + | ||
157 | +static int16 TIFFClampDoubleToInt16( double val ) | ||
158 | +{ | ||
159 | + if( val > 32767 ) | ||
160 | + return 32767; | ||
161 | + if( val < -32768 || val != val ) | ||
162 | + return -32768; | ||
163 | + return (int16)val; | ||
164 | +} | ||
165 | + | ||
166 | +static int32 TIFFClampDoubleToInt32( double val ) | ||
167 | +{ | ||
168 | + if( val > 0x7FFFFFFF ) | ||
169 | + return 0x7FFFFFFF; | ||
170 | + if( val < -0x7FFFFFFF-1 || val != val ) | ||
171 | + return -0x7FFFFFFF-1; | ||
172 | + return (int32)val; | ||
173 | +} | ||
174 | + | ||
175 | +static uint8 TIFFClampDoubleToUInt8( double val ) | ||
176 | +{ | ||
177 | + if( val < 0 ) | ||
178 | + return 0; | ||
179 | + if( val > 255 || val != val ) | ||
180 | + return 255; | ||
181 | + return (uint8)val; | ||
182 | +} | ||
183 | + | ||
184 | +static uint16 TIFFClampDoubleToUInt16( double val ) | ||
185 | +{ | ||
186 | + if( val < 0 ) | ||
187 | + return 0; | ||
188 | + if( val > 65535 || val != val ) | ||
189 | + return 65535; | ||
190 | + return (uint16)val; | ||
191 | +} | ||
192 | + | ||
193 | +static uint32 TIFFClampDoubleToUInt32( double val ) | ||
194 | +{ | ||
195 | + if( val < 0 ) | ||
196 | + return 0; | ||
197 | + if( val > 0xFFFFFFFFU || val != val ) | ||
198 | + return 0xFFFFFFFFU; | ||
199 | + return (uint32)val; | ||
200 | +} | ||
201 | + | ||
202 | static int | ||
203 | TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value) | ||
204 | { | ||
205 | @@ -959,7 +1023,7 @@ | ||
206 | if (tif->tif_dir.td_bitspersample<=32) | ||
207 | { | ||
208 | for (i = 0; i < count; ++i) | ||
209 | - ((float*)conv)[i] = (float)value[i]; | ||
210 | + ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); | ||
211 | ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); | ||
212 | } | ||
213 | else | ||
214 | @@ -971,19 +1035,19 @@ | ||
215 | if (tif->tif_dir.td_bitspersample<=8) | ||
216 | { | ||
217 | for (i = 0; i < count; ++i) | ||
218 | - ((int8*)conv)[i] = (int8)value[i]; | ||
219 | + ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]); | ||
220 | ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv); | ||
221 | } | ||
222 | else if (tif->tif_dir.td_bitspersample<=16) | ||
223 | { | ||
224 | for (i = 0; i < count; ++i) | ||
225 | - ((int16*)conv)[i] = (int16)value[i]; | ||
226 | + ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]); | ||
227 | ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv); | ||
228 | } | ||
229 | else | ||
230 | { | ||
231 | for (i = 0; i < count; ++i) | ||
232 | - ((int32*)conv)[i] = (int32)value[i]; | ||
233 | + ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]); | ||
234 | ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv); | ||
235 | } | ||
236 | break; | ||
237 | @@ -991,19 +1055,19 @@ | ||
238 | if (tif->tif_dir.td_bitspersample<=8) | ||
239 | { | ||
240 | for (i = 0; i < count; ++i) | ||
241 | - ((uint8*)conv)[i] = (uint8)value[i]; | ||
242 | + ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]); | ||
243 | ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv); | ||
244 | } | ||
245 | else if (tif->tif_dir.td_bitspersample<=16) | ||
246 | { | ||
247 | for (i = 0; i < count; ++i) | ||
248 | - ((uint16*)conv)[i] = (uint16)value[i]; | ||
249 | + ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]); | ||
250 | ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv); | ||
251 | } | ||
252 | else | ||
253 | { | ||
254 | for (i = 0; i < count; ++i) | ||
255 | - ((uint32*)conv)[i] = (uint32)value[i]; | ||
256 | + ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]); | ||
257 | ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv); | ||
258 | } | ||
259 | break; | ||
260 | @@ -2094,15 +2158,25 @@ | ||
261 | static int | ||
262 | TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value) | ||
263 | { | ||
264 | + static const char module[] = "TIFFWriteDirectoryTagCheckedRational"; | ||
265 | uint32 m[2]; | ||
266 | - assert(value>=0.0); | ||
267 | assert(sizeof(uint32)==4); | ||
268 | - if (value<=0.0) | ||
269 | + if (value<0) | ||
270 | + { | ||
271 | + TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal"); | ||
272 | + return 0; | ||
273 | + } | ||
274 | + else if( value != value ) | ||
275 | + { | ||
276 | + TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal"); | ||
277 | + return 0; | ||
278 | + } | ||
279 | + else if (value==0.0) | ||
280 | { | ||
281 | m[0]=0; | ||
282 | m[1]=1; | ||
283 | - } | ||
284 | - else if (value==(double)(uint32)value) | ||
285 | + } | ||
286 | + else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value) | ||
287 | { | ||
288 | m[0]=(uint32)value; | ||
289 | m[1]=1; | ||
290 | @@ -2143,7 +2217,7 @@ | ||
291 | } | ||
292 | for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++) | ||
293 | { | ||
294 | - if (*na<=0.0) | ||
295 | + if (*na<=0.0 || *na != *na) | ||
296 | { | ||
297 | nb[0]=0; | ||
298 | nb[1]=1; | ||
299 | @@ -2153,7 +2227,8 @@ | ||
300 | nb[0]=(uint32)(*na); | ||
301 | nb[1]=1; | ||
302 | } | ||
303 | - else if (*na<1.0) | ||
304 | + else if (*na >= 0 && *na <= (float)0xFFFFFFFFU && | ||
305 | + *na==(float)(uint32)(*na)) | ||
306 | { | ||
307 | nb[0]=(uint32)((double)(*na)*0xFFFFFFFF); | ||
308 | nb[1]=0xFFFFFFFF; | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 6881c2456f..77de0be1e7 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb | |||
@@ -22,6 +22,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
22 | file://CVE-2017-7594-p1.patch \ | 22 | file://CVE-2017-7594-p1.patch \ |
23 | file://CVE-2017-7594-p2.patch \ | 23 | file://CVE-2017-7594-p2.patch \ |
24 | file://CVE-2017-7595.patch \ | 24 | file://CVE-2017-7595.patch \ |
25 | file://CVE-2017-7596.patch \ | ||
25 | " | 26 | " |
26 | 27 | ||
27 | SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" | 28 | SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" |