summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch71
1 files changed, 26 insertions, 45 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
index f244fb2f32..94e4e33e83 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
@@ -1,22 +1,37 @@
1CVE: CVE-2019-7663 1CVE: CVE-2019-7663
2Upstream-Status: Backport 2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com> 3Signed-off-by:
4Ross Burton <ross.burton@intel.com>
4 5
5From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 6From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
6From: Thomas Bernard <miniupnp@free.fr> 7From: Thomas Bernard <miniupnp@free.fr>
7Date: Mon, 11 Feb 2019 10:05:33 +0100 8Date: Mon, 11 Feb 2019 10:05:33 +0100
8Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow 9Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
9 10
10fixes bug 2833 11From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
12From: Thomas Bernard <miniupnp@free.fr>
13Date: Mon, 11 Feb 2019 21:42:03 +0100
14Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
15
16Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
17Refresh this patch as it can't be applyed when using PATCHTOOL = "patch".
11--- 18---
12 tools/tiffcp.c | 8 +++++++- 19 tools/tiffcp.c | 9 ++++++++-
13 1 file changed, 7 insertions(+), 1 deletion(-) 20 1 file changed, 8 insertions(+), 1 deletion(-)
14 21
15diff --git a/tools/tiffcp.c b/tools/tiffcp.c 22diff --git a/tools/tiffcp.c b/tools/tiffcp.c
16index 2f406e2d..f0ee2c02 100644 23index 2f406e2..8c81aa4 100644
17--- a/tools/tiffcp.c 24--- a/tools/tiffcp.c
18+++ b/tools/tiffcp.c 25+++ b/tools/tiffcp.c
19@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) 26@@ -41,6 +41,7 @@
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30+#include <limits.h>
31
32 #include <ctype.h>
33
34@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
20 int status = 1; 35 int status = 1;
21 uint32 imagew = TIFFRasterScanlineSize(in); 36 uint32 imagew = TIFFRasterScanlineSize(in);
22 uint32 tilew = TIFFTileRowSize(in); 37 uint32 tilew = TIFFTileRowSize(in);
@@ -25,11 +40,11 @@ index 2f406e2d..f0ee2c02 100644
25 tsize_t tilesize = TIFFTileSize(in); 40 tsize_t tilesize = TIFFTileSize(in);
26 tdata_t tilebuf; 41 tdata_t tilebuf;
27 uint8* bufp = (uint8*) buf; 42 uint8* bufp = (uint8*) buf;
28@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) 43@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
29 uint32 row; 44 uint32 row;
30 uint16 bps = 0, bytes_per_sample; 45 uint16 bps = 0, bytes_per_sample;
31 46
32+ if (spp > (0x7fffffff / tilew)) 47+ if (spp > (INT_MAX / tilew))
33+ { 48+ {
34+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); 49+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
35+ return 0; 50+ return 0;
@@ -39,39 +54,5 @@ index 2f406e2d..f0ee2c02 100644
39 if (tilebuf == 0) 54 if (tilebuf == 0)
40 return 0; 55 return 0;
41-- 56--
422.20.1 572.7.4
43
44
45From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
46From: Thomas Bernard <miniupnp@free.fr>
47Date: Mon, 11 Feb 2019 21:42:03 +0100
48Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
49
50---
51 tools/tiffcp.c | 3 ++-
52 1 file changed, 2 insertions(+), 1 deletion(-)
53
54diff --git a/tools/tiffcp.c b/tools/tiffcp.c
55index f0ee2c02..8c81aa4f 100644
56--- a/tools/tiffcp.c
57+++ b/tools/tiffcp.c
58@@ -41,6 +41,7 @@
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62+#include <limits.h>
63
64 #include <ctype.h>
65
66@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
67 uint32 row;
68 uint16 bps = 0, bytes_per_sample;
69
70- if (spp > (0x7fffffff / tilew))
71+ if (spp > (INT_MAX / tilew))
72 {
73 TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
74 return 0;
75--
762.20.1
77 58