summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch46
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch42
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch160
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch39
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch135
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch178
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch61
-rw-r--r--meta/recipes-multimedia/libtiff/files/libtool2.patch19
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.10.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.0.9.bb)15
9 files changed, 16 insertions, 679 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch
deleted file mode 100644
index 9b9962ed35..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
2From: Nathan Baker <elitebadger@gmail.com>
3Date: Thu, 25 Jan 2018 21:28:15 +0000
4Subject: [PATCH] Add workaround to pal2rgb buffer overflow.
5
6CVE: CVE-2017-17095
7
8Upstream-Status: Backport (unchanged) [gitlab.com/libtiff/libtiff/commit/9171da5...]
9
10Signed-off-by: Joe Slater <joe.slater@windriver.com.
11
12---
13 tools/pal2rgb.c | 17 +++++++++++++++--
14 1 file changed, 15 insertions(+), 2 deletions(-)
15
16diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
17index 0423598..01fcf94 100644
18--- a/tools/pal2rgb.c
19+++ b/tools/pal2rgb.c
20@@ -182,8 +182,21 @@ main(int argc, char* argv[])
21 { unsigned char *ibuf, *obuf;
22 register unsigned char* pp;
23 register uint32 x;
24- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
25- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
26+ tmsize_t tss_in = TIFFScanlineSize(in);
27+ tmsize_t tss_out = TIFFScanlineSize(out);
28+ if (tss_out / tss_in < 3) {
29+ /*
30+ * BUG 2750: The following code does not know about chroma
31+ * subsampling of JPEG data. It assumes that the output buffer is 3x
32+ * the length of the input buffer due to exploding the palette into
33+ * RGB tuples. If this assumption is incorrect, it could lead to a
34+ * buffer overflow. Go ahead and fail now to prevent that.
35+ */
36+ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
37+ return -1;
38+ }
39+ ibuf = (unsigned char*)_TIFFmalloc(tss_in);
40+ obuf = (unsigned char*)_TIFFmalloc(tss_out);
41 switch (config) {
42 case PLANARCONFIG_CONTIG:
43 for (row = 0; row < imagelength; row++) {
44--
451.7.9.5
46
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
deleted file mode 100644
index 878e0de959..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
+++ /dev/null
@@ -1,42 +0,0 @@
1From 293c8b0298e91d20ba51291e2351ab7d110671d0 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sun, 31 Dec 2017 15:09:41 +0100
4Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
5 dereference on corrupted file. Fixes
6 http://bugzilla.maptools.org/show_bug.cgi?id=2770
7
8Upstream-Status: Backport
9[https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01]
10
11CVE: CVE-2017-18013
12
13Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
14---
15 libtiff/tif_print.c | 8 ++++----
16 1 file changed, 4 insertions(+), 4 deletions(-)
17
18diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
19index 24d4b98..f494cfb 100644
20--- a/libtiff/tif_print.c
21+++ b/libtiff/tif_print.c
22@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
23 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
24 fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
25 (unsigned long) s,
26- (unsigned __int64) td->td_stripoffset[s],
27- (unsigned __int64) td->td_stripbytecount[s]);
28+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
29+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
30 #else
31 fprintf(fd, " %3lu: [%8llu, %8llu]\n",
32 (unsigned long) s,
33- (unsigned long long) td->td_stripoffset[s],
34- (unsigned long long) td->td_stripbytecount[s]);
35+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
36+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
37 #endif
38 }
39 }
40--
412.7.4
42
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
deleted file mode 100644
index 60684dd2a6..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
+++ /dev/null
@@ -1,160 +0,0 @@
1From abb0055d21c52a9925314d5b0628fb2b6307619c Mon Sep 17 00:00:00 2001
2From: Brian May <brian@linuxpenguins.xyz>
3Date: Thu, 7 Dec 2017 07:46:47 +1100
4Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
5
6Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
7
8This vulnerability - at least for the supplied test case - is because we
9assume that a tiff will only have one transfer function that is the same
10for all pages. This is not required by the TIFF standards.
11
12We than read the transfer function for every page. Depending on the
13transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
14We allocate this memory after we read in the transfer function for the
15page.
16
17For the first exploit - POC1, this file has 3 pages. For the first page
18we allocate 2 extra extra XREF entries. Then for the next page 2 more
19entries. Then for the last page the transfer function changes and we
20allocate 4 more entries.
21
22When we read the file into memory, we assume we have 4 bytes extra for
23each and every page (as per the last transfer function we read). Which
24is not correct, we only have 2 bytes extra for the first 2 pages. As a
25result, we end up writing past the end of the buffer.
26
27There are also some related issues that this also fixes. For example,
28TIFFGetField can return uninitalized pointer values, and the logic to
29detect a N=3 vs N=1 transfer function seemed rather strange.
30
31It is also strange that we declare the transfer functions to be of type
32float, when the standard says they are unsigned 16 bit values. This is
33fixed in another patch.
34
35This patch will check to ensure that the N value for every transfer
36function is the same for every page. If this changes, we abort with an
37error. In theory, we should perhaps check that the transfer function
38itself is identical for every page, however we don't do that due to the
39confusion of the type of the data in the transfer function.
40
41Upstream-Status: Backport
42[https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940]
43
44CVE: CVE-2017-9935
45
46Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
47---
48 libtiff/tif_dir.c | 3 +++
49 tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------
50 2 files changed, 47 insertions(+), 21 deletions(-)
51
52diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
53index f00f808..c36a5f3 100644
54--- a/libtiff/tif_dir.c
55+++ b/libtiff/tif_dir.c
56@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
57 if (td->td_samplesperpixel - td->td_extrasamples > 1) {
58 *va_arg(ap, uint16**) = td->td_transferfunction[1];
59 *va_arg(ap, uint16**) = td->td_transferfunction[2];
60+ } else {
61+ *va_arg(ap, uint16**) = NULL;
62+ *va_arg(ap, uint16**) = NULL;
63 }
64 break;
65 case TIFFTAG_REFERENCEBLACKWHITE:
66diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
67index 454befb..0b5973e 100644
68--- a/tools/tiff2pdf.c
69+++ b/tools/tiff2pdf.c
70@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
71 uint16 pagen=0;
72 uint16 paged=0;
73 uint16 xuint16=0;
74+ uint16 tiff_transferfunctioncount=0;
75+ float* tiff_transferfunction[3];
76
77 directorycount=TIFFNumberOfDirectories(input);
78 t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
79@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
80 }
81 #endif
82 if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
83- &(t2p->tiff_transferfunction[0]),
84- &(t2p->tiff_transferfunction[1]),
85- &(t2p->tiff_transferfunction[2]))) {
86- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
87- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
88- (t2p->tiff_transferfunction[1] !=
89- t2p->tiff_transferfunction[0])) {
90- t2p->tiff_transferfunctioncount = 3;
91- t2p->tiff_pages[i].page_extra += 4;
92- t2p->pdf_xrefcount += 4;
93- } else {
94- t2p->tiff_transferfunctioncount = 1;
95- t2p->tiff_pages[i].page_extra += 2;
96- t2p->pdf_xrefcount += 2;
97- }
98- if(t2p->pdf_minorversion < 2)
99- t2p->pdf_minorversion = 2;
100+ &(tiff_transferfunction[0]),
101+ &(tiff_transferfunction[1]),
102+ &(tiff_transferfunction[2]))) {
103+
104+ if((tiff_transferfunction[1] != (float*) NULL) &&
105+ (tiff_transferfunction[2] != (float*) NULL)
106+ ) {
107+ tiff_transferfunctioncount=3;
108+ } else {
109+ tiff_transferfunctioncount=1;
110+ }
111 } else {
112- t2p->tiff_transferfunctioncount=0;
113+ tiff_transferfunctioncount=0;
114 }
115+
116+ if (i > 0){
117+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
118+ TIFFError(
119+ TIFF2PDF_MODULE,
120+ "Different transfer function on page %d",
121+ i);
122+ t2p->t2p_error = T2P_ERR_ERROR;
123+ return;
124+ }
125+ }
126+
127+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
128+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
129+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
130+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
131+ if(tiff_transferfunctioncount == 3){
132+ t2p->tiff_pages[i].page_extra += 4;
133+ t2p->pdf_xrefcount += 4;
134+ if(t2p->pdf_minorversion < 2)
135+ t2p->pdf_minorversion = 2;
136+ } else if (tiff_transferfunctioncount == 1){
137+ t2p->tiff_pages[i].page_extra += 2;
138+ t2p->pdf_xrefcount += 2;
139+ if(t2p->pdf_minorversion < 2)
140+ t2p->pdf_minorversion = 2;
141+ }
142+
143 if( TIFFGetField(
144 input,
145 TIFFTAG_ICCPROFILE,
146@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
147 &(t2p->tiff_transferfunction[1]),
148 &(t2p->tiff_transferfunction[2]))) {
149 if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
150- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
151- (t2p->tiff_transferfunction[1] !=
152- t2p->tiff_transferfunction[0])) {
153+ (t2p->tiff_transferfunction[2] != (float*) NULL)
154+ ) {
155 t2p->tiff_transferfunctioncount=3;
156 } else {
157 t2p->tiff_transferfunctioncount=1;
158--
1592.7.4
160
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch
deleted file mode 100644
index 7252298b52..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch
+++ /dev/null
@@ -1,39 +0,0 @@
1From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sat, 12 May 2018 14:24:15 +0200
4Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes
5 http://bugzilla.maptools.org/show_bug.cgi?id=2795.
6 CVE-2018-10963
7
8---
9CVE: CVE-2018-10963
10
11Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/de144f...]
12
13Signed-off-by: Joe Slater <joe.slater@windriver.com>
14
15---
16 libtiff/tif_dirwrite.c | 7 +++++--
17 1 file changed, 5 insertions(+), 2 deletions(-)
18
19diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
20index 2430de6..c15a28d 100644
21--- a/libtiff/tif_dirwrite.c
22+++ b/libtiff/tif_dirwrite.c
23@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
24 }
25 break;
26 default:
27- assert(0); /* we should never get here */
28- break;
29+ TIFFErrorExt(tif->tif_clientdata,module,
30+ "Cannot write tag %d (%s)",
31+ TIFFFieldTag(o),
32+ o->field_name ? o->field_name : "unknown");
33+ goto bad;
34 }
35 }
36 }
37--
381.7.9.5
39
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
deleted file mode 100644
index 406001d579..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
+++ /dev/null
@@ -1,135 +0,0 @@
1From 6cdea15213be6b67d9f8380c7bb40e325d3adace Mon Sep 17 00:00:00 2001
2From: Nathan Baker <nathanb@lenovo-chrome.com>
3Date: Tue, 6 Feb 2018 10:13:57 -0500
4Subject: [PATCH] Fix for bug 2772
5
6It is possible to craft a TIFF document where the IFD list is circular,
7leading to an infinite loop while traversing the chain. The libtiff
8directory reader has a failsafe that will break out of this loop after
9reading 65535 directory entries, but it will continue processing,
10consuming time and resources to process what is essentially a bogus TIFF
11document.
12
13This change fixes the above behavior by breaking out of processing when
14a TIFF document has >= 65535 directories and terminating with an error.
15
16Upstream-Status: Backport
17[https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef]
18
19CVE: CVE-2018-5784
20
21Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
22---
23 contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
24 tools/tiff2pdf.c | 10 ++++++++++
25 tools/tiffcrop.c | 13 +++++++++++--
26 3 files changed, 34 insertions(+), 3 deletions(-)
27
28diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
29index c61ffbb..03b3573 100644
30--- a/contrib/addtiffo/tif_overview.c
31+++ b/contrib/addtiffo/tif_overview.c
32@@ -65,6 +65,8 @@
33 # define MAX(a,b) ((a>b) ? a : b)
34 #endif
35
36+#define TIFF_DIR_MAX 65534
37+
38 void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
39 int (*)(double,void*), void * );
40
41@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
42 {
43 toff_t nBaseDirOffset;
44 toff_t nOffset;
45+ tdir_t iNumDir;
46
47 (void) bUseSubIFDs;
48
49@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
50 return 0;
51
52 TIFFWriteDirectory( hTIFF );
53- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
54+ iNumDir = TIFFNumberOfDirectories(hTIFF);
55+ if( iNumDir > TIFF_DIR_MAX )
56+ {
57+ TIFFErrorExt( TIFFClientdata(hTIFF),
58+ "TIFF_WriteOverview",
59+ "File `%s' has too many directories.\n",
60+ TIFFFileName(hTIFF) );
61+ exit(-1);
62+ }
63+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
64
65 nOffset = TIFFCurrentDirOffset( hTIFF );
66
67diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
68index 0b5973e..ef5d6a0 100644
69--- a/tools/tiff2pdf.c
70+++ b/tools/tiff2pdf.c
71@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
72
73 #define PS_UNIT_SIZE 72.0F
74
75+#define TIFF_DIR_MAX 65534
76+
77 /* This type is of PDF color spaces. */
78 typedef enum {
79 T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
80@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
81 float* tiff_transferfunction[3];
82
83 directorycount=TIFFNumberOfDirectories(input);
84+ if(directorycount > TIFF_DIR_MAX) {
85+ TIFFError(
86+ TIFF2PDF_MODULE,
87+ "TIFF contains too many directories, %s",
88+ TIFFFileName(input));
89+ t2p->t2p_error = T2P_ERR_ERROR;
90+ return;
91+ }
92 t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
93 if(t2p->tiff_pages==NULL){
94 TIFFError(
95diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
96index c69177e..c60cb38 100644
97--- a/tools/tiffcrop.c
98+++ b/tools/tiffcrop.c
99@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
100 #define DUMP_TEXT 1
101 #define DUMP_RAW 2
102
103+#define TIFF_DIR_MAX 65534
104+
105 /* Offsets into buffer for margins and fixed width and length segments */
106 struct offset {
107 uint32 tmargin;
108@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
109 pageNum = -1;
110 else
111 total_images = 0;
112- /* read multiple input files and write to output file(s) */
113+ /* Read multiple input files and write to output file(s) */
114 while (optind < argc - 1)
115 {
116 in = TIFFOpen (argv[optind], "r");
117@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
118 return (-3);
119
120 /* If only one input file is specified, we can use directory count */
121- total_images = TIFFNumberOfDirectories(in);
122+ total_images = TIFFNumberOfDirectories(in);
123+ if (total_images > TIFF_DIR_MAX)
124+ {
125+ TIFFError (TIFFFileName(in), "File contains too many directories");
126+ if (out != NULL)
127+ (void) TIFFClose(out);
128+ return (1);
129+ }
130 if (image_count == 0)
131 {
132 dirnum = 0;
133--
1342.7.4
135
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch
deleted file mode 100644
index 2c11f93d13..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch
+++ /dev/null
@@ -1,178 +0,0 @@
1From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001
2From: Hugo Lefeuvre <hle@debian.org>
3Date: Sun, 8 Apr 2018 14:07:08 -0400
4Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
5
6The TIFFPrintDirectory function relies on the following assumptions,
7supposed to be guaranteed by the specification:
8
9(a) A Transfer Function field is only present if the TIFF file has
10 photometric type < 3.
11
12(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
13 has count SamplesPerPixel - (Color Channels) and contains
14 information about supplementary channels.
15
16While respect of (a) and (b) are essential for the well functioning of
17TIFFPrintDirectory, no checks are realized neither by the callee nor
18by TIFFPrintDirectory itself. Hence, following scenarios might happen
19and trigger the NULL pointer dereference:
20
21(1) TIFF File of photometric type 4 or more has illegal Transfer
22 Function field.
23
24(2) TIFF File has photometric type 3 or less and defines a
25 SamplesPerPixel field such that SamplesPerPixel > Color Channels
26 without defining all extra samples in the ExtraSamples fields.
27
28In this patch, we address both issues with respect of the following
29principles:
30
31(A) In the case of (1), the defined transfer table should be printed
32 safely even if it isn't 'legal'. This allows us to avoid expensive
33 checks in TIFFPrintDirectory. Also, it is quite possible that
34 an alternative photometric type would be developed (not part of the
35 standard) and would allow definition of Transfer Table. We want
36 libtiff to be able to handle this scenario out of the box.
37
38(B) In the case of (2), the transfer table should be printed at its
39 right size, that is if TIFF file has photometric type Palette
40 then the transfer table should have one row and not three, even
41 if two extra samples are declared.
42
43In order to fulfill (A) we simply add a new 'i < 3' end condition to
44the broken TIFFPrintDirectory loop. This makes sure that in any case
45where (b) would be respected but not (a), everything stays fine.
46
47(B) is fulfilled by the loop condition
48'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
49long as (b) is respected.
50
51Naturally, we also make sure (b) is respected. This is done in the
52TIFFReadDirectory function by making sure any non-color channel is
53counted in ExtraSamples.
54
55This commit addresses CVE-2018-7456.
56
57---
58CVE: CVE-2018-7456
59
60Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/be4c85b...]
61
62Signed-off-by: Joe Slater <joe.slater@windriver.com>
63
64---
65 libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++
66 libtiff/tif_print.c | 2 +-
67 2 files changed, 63 insertions(+), 1 deletion(-)
68
69diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
70index 6baa7b3..af5b84a 100644
71--- a/libtiff/tif_dirread.c
72+++ b/libtiff/tif_dirread.c
73@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
74 static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
75 static void ChopUpSingleUncompressedStrip(TIFF*);
76 static uint64 TIFFReadUInt64(const uint8 *value);
77+static int _TIFFGetMaxColorChannels(uint16 photometric);
78
79 static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
80
81@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
82 }
83
84 /*
85+ * Return the maximum number of color channels specified for a given photometric
86+ * type. 0 is returned if photometric type isn't supported or no default value
87+ * is defined by the specification.
88+ */
89+static int _TIFFGetMaxColorChannels( uint16 photometric )
90+{
91+ switch (photometric) {
92+ case PHOTOMETRIC_PALETTE:
93+ case PHOTOMETRIC_MINISWHITE:
94+ case PHOTOMETRIC_MINISBLACK:
95+ return 1;
96+ case PHOTOMETRIC_YCBCR:
97+ case PHOTOMETRIC_RGB:
98+ case PHOTOMETRIC_CIELAB:
99+ return 3;
100+ case PHOTOMETRIC_SEPARATED:
101+ case PHOTOMETRIC_MASK:
102+ return 4;
103+ case PHOTOMETRIC_LOGL:
104+ case PHOTOMETRIC_LOGLUV:
105+ case PHOTOMETRIC_CFA:
106+ case PHOTOMETRIC_ITULAB:
107+ case PHOTOMETRIC_ICCLAB:
108+ default:
109+ return 0;
110+ }
111+}
112+
113+/*
114 * Read the next TIFF directory from a file and convert it to the internal
115 * format. We read directories sequentially.
116 */
117@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
118 uint32 fii=FAILED_FII;
119 toff_t nextdiroff;
120 int bitspersample_read = FALSE;
121+ int color_channels;
122
123 tif->tif_diroff=tif->tif_nextdiroff;
124 if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
125@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
126 }
127 }
128 }
129+
130+ /*
131+ * Make sure all non-color channels are extrasamples.
132+ * If it's not the case, define them as such.
133+ */
134+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
135+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
136+ uint16 old_extrasamples;
137+ uint16 *new_sampleinfo;
138+
139+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
140+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
141+ "Defining non-color channels as ExtraSamples.");
142+
143+ old_extrasamples = tif->tif_dir.td_extrasamples;
144+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
145+
146+ // sampleinfo should contain information relative to these new extra samples
147+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
148+ if (!new_sampleinfo) {
149+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
150+ "temporary new sampleinfo array (%d 16 bit elements)",
151+ tif->tif_dir.td_extrasamples);
152+ goto bad;
153+ }
154+
155+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
156+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
157+ _TIFFfree(new_sampleinfo);
158+ }
159+
160 /*
161 * Verify Palette image has a Colormap.
162 */
163diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
164index 8deceb2..1d86adb 100644
165--- a/libtiff/tif_print.c
166+++ b/libtiff/tif_print.c
167@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
168 uint16 i;
169 fprintf(fd, " %2ld: %5u",
170 l, td->td_transferfunction[0][l]);
171- for (i = 1; i < td->td_samplesperpixel; i++)
172+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
173 fprintf(fd, " %5u",
174 td->td_transferfunction[i][l]);
175 fputc('\n', fd);
176--
1771.7.9.5
178
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch
deleted file mode 100644
index 962646dbe0..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch
+++ /dev/null
@@ -1,61 +0,0 @@
1From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sat, 12 May 2018 15:32:31 +0200
4Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
5 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
6 CVE-2018-8905
7
8The fix consists in using the similar code LZWDecode() to validate we
9don't write outside of the output buffer.
10
11---
12CVE: CVE-2018-8905
13
14Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/58a898...]
15
16Signed-off-by: Joe Slater <joe.slater@windriver.com>
17
18---
19 libtiff/tif_lzw.c | 18 ++++++++++++------
20 1 file changed, 12 insertions(+), 6 deletions(-)
21
22diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
23index 4ccb443..94d85e3 100644
24--- a/libtiff/tif_lzw.c
25+++ b/libtiff/tif_lzw.c
26@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
27 char *tp;
28 unsigned char *bp;
29 int code, nbits;
30+ int len;
31 long nextbits, nextdata, nbitsmask;
32 code_t *codep, *free_entp, *maxcodep, *oldcodep;
33
34@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
35 } while (--occ);
36 break;
37 }
38- assert(occ >= codep->length);
39- op += codep->length;
40- occ -= codep->length;
41- tp = op;
42+ len = codep->length;
43+ tp = op + len;
44 do {
45- *--tp = codep->value;
46- } while( (codep = codep->next) != NULL );
47+ int t;
48+ --tp;
49+ t = codep->value;
50+ codep = codep->next;
51+ *tp = (char)t;
52+ } while (codep && tp > op);
53+ assert(occ >= len);
54+ op += len;
55+ occ -= len;
56 } else {
57 *op++ = (char)code;
58 occ--;
59--
601.7.9.5
61
diff --git a/meta/recipes-multimedia/libtiff/files/libtool2.patch b/meta/recipes-multimedia/libtiff/files/libtool2.patch
index a84c688962..96233b46c9 100644
--- a/meta/recipes-multimedia/libtiff/files/libtool2.patch
+++ b/meta/recipes-multimedia/libtiff/files/libtool2.patch
@@ -1,16 +1,21 @@
1From 5b893206e0a0d529ba2d0caf58cfffc03bccb598 Mon Sep 17 00:00:00 2001
2From: Marcin Juszkiewicz <hrw@openedhand.com>
3Date: Sat, 14 Jun 2008 13:42:22 +0000
4Subject: [PATCH] tiff: make it work after libtool upgrade
5
1Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Inappropriate [configuration]
2 7
3--- 8---
4 configure.ac | 2 +- 9 configure.ac | 2 +-
5 1 file changed, 1 insertion(+), 1 deletion(-) 10 1 file changed, 1 insertion(+), 1 deletion(-)
6 11
7Index: tiff-4.0.9/configure.ac 12diff --git a/configure.ac b/configure.ac
8=================================================================== 13index c7b02e2..ae1c964 100644
9--- tiff-4.0.9.orig/configure.ac 14--- a/configure.ac
10+++ tiff-4.0.9/configure.ac 15+++ b/configure.ac
11@@ -27,7 +27,7 @@ dnl Process this file with autoconf to p 16@@ -27,7 +27,7 @@ dnl Process this file with autoconf to produce a configure script.
12 AC_PREREQ(2.64) 17 AC_PREREQ(2.64)
13 AC_INIT([LibTIFF Software],[4.0.9],[tiff@lists.maptools.org],[tiff]) 18 AC_INIT([LibTIFF Software],[4.0.10],[tiff@lists.maptools.org],[tiff])
14 AC_CONFIG_AUX_DIR(config) 19 AC_CONFIG_AUX_DIR(config)
15-AC_CONFIG_MACRO_DIR(m4) 20-AC_CONFIG_MACRO_DIR(m4)
16+dnl AC_CONFIG_MACRO_DIR(m4) 21+dnl AC_CONFIG_MACRO_DIR(m4)
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
index 93beddb4da..152fa819a5 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -6,17 +6,10 @@ CVE_PRODUCT = "libtiff"
6 6
7SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ 7SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
8 file://libtool2.patch \ 8 file://libtool2.patch \
9 file://CVE-2017-9935.patch \ 9 "
10 file://CVE-2017-18013.patch \ 10
11 file://CVE-2018-5784.patch \ 11SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
12 file://CVE-2018-10963.patch \ 12SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
13 file://CVE-2018-8905.patch \
14 file://CVE-2018-7456.patch \
15 file://CVE-2017-17095.patch \
16 "
17
18SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"
19SRC_URI[sha256sum] = "6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd"
20 13
21# exclude betas 14# exclude betas
22UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" 15UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"