diff options
| -rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch | 71 |
1 files changed, 26 insertions, 45 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch index f244fb2f32..94e4e33e83 100644 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch | |||
| @@ -1,22 +1,37 @@ | |||
| 1 | CVE: CVE-2019-7663 | 1 | CVE: CVE-2019-7663 |
| 2 | Upstream-Status: Backport | 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | 3 | Signed-off-by: |
| 4 | Ross Burton <ross.burton@intel.com> | ||
| 4 | 5 | ||
| 5 | From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 | 6 | From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 |
| 6 | From: Thomas Bernard <miniupnp@free.fr> | 7 | From: Thomas Bernard <miniupnp@free.fr> |
| 7 | Date: Mon, 11 Feb 2019 10:05:33 +0100 | 8 | Date: Mon, 11 Feb 2019 10:05:33 +0100 |
| 8 | Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow | 9 | Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow |
| 9 | 10 | ||
| 10 | fixes bug 2833 | 11 | From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001 |
| 12 | From: Thomas Bernard <miniupnp@free.fr> | ||
| 13 | Date: Mon, 11 Feb 2019 21:42:03 +0100 | ||
| 14 | Subject: [PATCH 2/2] tiffcp.c: use INT_MAX | ||
| 15 | |||
| 16 | Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> | ||
| 17 | Refresh this patch as it can't be applyed when using PATCHTOOL = "patch". | ||
| 11 | --- | 18 | --- |
| 12 | tools/tiffcp.c | 8 +++++++- | 19 | tools/tiffcp.c | 9 ++++++++- |
| 13 | 1 file changed, 7 insertions(+), 1 deletion(-) | 20 | 1 file changed, 8 insertions(+), 1 deletion(-) |
| 14 | 21 | ||
| 15 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | 22 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c |
| 16 | index 2f406e2d..f0ee2c02 100644 | 23 | index 2f406e2..8c81aa4 100644 |
| 17 | --- a/tools/tiffcp.c | 24 | --- a/tools/tiffcp.c |
| 18 | +++ b/tools/tiffcp.c | 25 | +++ b/tools/tiffcp.c |
| 19 | @@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | 26 | @@ -41,6 +41,7 @@ |
| 27 | #include <stdio.h> | ||
| 28 | #include <stdlib.h> | ||
| 29 | #include <string.h> | ||
| 30 | +#include <limits.h> | ||
| 31 | |||
| 32 | #include <ctype.h> | ||
| 33 | |||
| 34 | @@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
| 20 | int status = 1; | 35 | int status = 1; |
| 21 | uint32 imagew = TIFFRasterScanlineSize(in); | 36 | uint32 imagew = TIFFRasterScanlineSize(in); |
| 22 | uint32 tilew = TIFFTileRowSize(in); | 37 | uint32 tilew = TIFFTileRowSize(in); |
| @@ -25,11 +40,11 @@ index 2f406e2d..f0ee2c02 100644 | |||
| 25 | tsize_t tilesize = TIFFTileSize(in); | 40 | tsize_t tilesize = TIFFTileSize(in); |
| 26 | tdata_t tilebuf; | 41 | tdata_t tilebuf; |
| 27 | uint8* bufp = (uint8*) buf; | 42 | uint8* bufp = (uint8*) buf; |
| 28 | @@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | 43 | @@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) |
| 29 | uint32 row; | 44 | uint32 row; |
| 30 | uint16 bps = 0, bytes_per_sample; | 45 | uint16 bps = 0, bytes_per_sample; |
| 31 | 46 | ||
| 32 | + if (spp > (0x7fffffff / tilew)) | 47 | + if (spp > (INT_MAX / tilew)) |
| 33 | + { | 48 | + { |
| 34 | + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); | 49 | + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); |
| 35 | + return 0; | 50 | + return 0; |
| @@ -39,39 +54,5 @@ index 2f406e2d..f0ee2c02 100644 | |||
| 39 | if (tilebuf == 0) | 54 | if (tilebuf == 0) |
| 40 | return 0; | 55 | return 0; |
| 41 | -- | 56 | -- |
| 42 | 2.20.1 | 57 | 2.7.4 |
| 43 | |||
| 44 | |||
| 45 | From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001 | ||
| 46 | From: Thomas Bernard <miniupnp@free.fr> | ||
| 47 | Date: Mon, 11 Feb 2019 21:42:03 +0100 | ||
| 48 | Subject: [PATCH 2/2] tiffcp.c: use INT_MAX | ||
| 49 | |||
| 50 | --- | ||
| 51 | tools/tiffcp.c | 3 ++- | ||
| 52 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 53 | |||
| 54 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
| 55 | index f0ee2c02..8c81aa4f 100644 | ||
| 56 | --- a/tools/tiffcp.c | ||
| 57 | +++ b/tools/tiffcp.c | ||
| 58 | @@ -41,6 +41,7 @@ | ||
| 59 | #include <stdio.h> | ||
| 60 | #include <stdlib.h> | ||
| 61 | #include <string.h> | ||
| 62 | +#include <limits.h> | ||
| 63 | |||
| 64 | #include <ctype.h> | ||
| 65 | |||
| 66 | @@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
| 67 | uint32 row; | ||
| 68 | uint16 bps = 0, bytes_per_sample; | ||
| 69 | |||
| 70 | - if (spp > (0x7fffffff / tilew)) | ||
| 71 | + if (spp > (INT_MAX / tilew)) | ||
| 72 | { | ||
| 73 | TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); | ||
| 74 | return 0; | ||
| 75 | -- | ||
| 76 | 2.20.1 | ||
| 77 | 58 | ||