diff options
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch | 137 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 |
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch new file mode 100644 index 0000000000..39c5059c75 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch | |||
@@ -0,0 +1,137 @@ | |||
1 | From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Sat, 26 Dec 2015 17:32:03 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in | ||
5 | TIFFRGBAImage interface in case of unsupported values of | ||
6 | SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to | ||
7 | TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by | ||
8 | limingxing and CVE-2015-8683 reported by zzf of Alibaba. | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2015-8665 | ||
12 | CVE: CVE-2015-8683 | ||
13 | https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 | ||
14 | |||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | ChangeLog | 8 ++++++++ | ||
19 | libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- | ||
20 | 2 files changed, 30 insertions(+), 13 deletions(-) | ||
21 | |||
22 | Index: tiff-4.0.6/libtiff/tif_getimage.c | ||
23 | =================================================================== | ||
24 | --- tiff-4.0.6.orig/libtiff/tif_getimage.c | ||
25 | +++ tiff-4.0.6/libtiff/tif_getimage.c | ||
26 | @@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 | ||
27 | "Planarconfiguration", td->td_planarconfig); | ||
28 | return (0); | ||
29 | } | ||
30 | - if( td->td_samplesperpixel != 3 ) | ||
31 | + if( td->td_samplesperpixel != 3 || colorchannels != 3 ) | ||
32 | { | ||
33 | sprintf(emsg, | ||
34 | - "Sorry, can not handle image with %s=%d", | ||
35 | - "Samples/pixel", td->td_samplesperpixel); | ||
36 | + "Sorry, can not handle image with %s=%d, %s=%d", | ||
37 | + "Samples/pixel", td->td_samplesperpixel, | ||
38 | + "colorchannels", colorchannels); | ||
39 | return 0; | ||
40 | } | ||
41 | break; | ||
42 | case PHOTOMETRIC_CIELAB: | ||
43 | - if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) | ||
44 | + if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) | ||
45 | { | ||
46 | sprintf(emsg, | ||
47 | - "Sorry, can not handle image with %s=%d and %s=%d", | ||
48 | + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", | ||
49 | "Samples/pixel", td->td_samplesperpixel, | ||
50 | + "colorchannels", colorchannels, | ||
51 | "Bits/sample", td->td_bitspersample); | ||
52 | return 0; | ||
53 | } | ||
54 | @@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T | ||
55 | int colorchannels; | ||
56 | uint16 *red_orig, *green_orig, *blue_orig; | ||
57 | int n_color; | ||
58 | + | ||
59 | + if( !TIFFRGBAImageOK(tif, emsg) ) | ||
60 | + return 0; | ||
61 | |||
62 | /* Initialize to normal values */ | ||
63 | img->row_offset = 0; | ||
64 | @@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) | ||
65 | case PHOTOMETRIC_RGB: | ||
66 | switch (img->bitspersample) { | ||
67 | case 8: | ||
68 | - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) | ||
69 | + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && | ||
70 | + img->samplesperpixel >= 4) | ||
71 | img->put.contig = putRGBAAcontig8bittile; | ||
72 | - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) | ||
73 | + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && | ||
74 | + img->samplesperpixel >= 4) | ||
75 | { | ||
76 | if (BuildMapUaToAa(img)) | ||
77 | img->put.contig = putRGBUAcontig8bittile; | ||
78 | } | ||
79 | - else | ||
80 | + else if( img->samplesperpixel >= 3 ) | ||
81 | img->put.contig = putRGBcontig8bittile; | ||
82 | break; | ||
83 | case 16: | ||
84 | - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) | ||
85 | + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && | ||
86 | + img->samplesperpixel >=4 ) | ||
87 | { | ||
88 | if (BuildMapBitdepth16To8(img)) | ||
89 | img->put.contig = putRGBAAcontig16bittile; | ||
90 | } | ||
91 | - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) | ||
92 | + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && | ||
93 | + img->samplesperpixel >=4 ) | ||
94 | { | ||
95 | if (BuildMapBitdepth16To8(img) && | ||
96 | BuildMapUaToAa(img)) | ||
97 | img->put.contig = putRGBUAcontig16bittile; | ||
98 | } | ||
99 | - else | ||
100 | + else if( img->samplesperpixel >=3 ) | ||
101 | { | ||
102 | if (BuildMapBitdepth16To8(img)) | ||
103 | img->put.contig = putRGBcontig16bittile; | ||
104 | @@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) | ||
105 | } | ||
106 | break; | ||
107 | case PHOTOMETRIC_SEPARATED: | ||
108 | - if (buildMap(img)) { | ||
109 | + if (img->samplesperpixel >=4 && buildMap(img)) { | ||
110 | if (img->bitspersample == 8) { | ||
111 | if (!img->Map) | ||
112 | img->put.contig = putRGBcontig8bitCMYKtile; | ||
113 | @@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) | ||
114 | } | ||
115 | break; | ||
116 | case PHOTOMETRIC_CIELAB: | ||
117 | - if (buildMap(img)) { | ||
118 | + if (img->samplesperpixel == 3 && buildMap(img)) { | ||
119 | if (img->bitspersample == 8) | ||
120 | img->put.contig = initCIELabConversion(img); | ||
121 | break; | ||
122 | Index: tiff-4.0.6/ChangeLog | ||
123 | =================================================================== | ||
124 | --- tiff-4.0.6.orig/ChangeLog | ||
125 | +++ tiff-4.0.6/ChangeLog | ||
126 | @@ -1,3 +1,11 @@ | ||
127 | +2015-12-26 Even Rouault <even.rouault at spatialys.com> | ||
128 | + | ||
129 | + * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage | ||
130 | + interface in case of unsupported values of SamplesPerPixel/ExtraSamples | ||
131 | + for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in | ||
132 | + TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and | ||
133 | + CVE-2015-8683 reported by zzf of Alibaba. | ||
134 | + | ||
135 | 2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | ||
136 | |||
137 | * libtiff 4.0.6 released. | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index e2e24e0fb2..810a5e4c7d 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | |||
@@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/" | |||
5 | 5 | ||
6 | SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ | 6 | SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ |
7 | file://libtool2.patch \ | 7 | file://libtool2.patch \ |
8 | file://CVE-2015-8665_8683.patch \ | ||
8 | " | 9 | " |
9 | 10 | ||
10 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" | 11 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" |