diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch | 73 |
1 files changed, 0 insertions, 73 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch deleted file mode 100644 index 0caf800e23..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch +++ /dev/null | |||
@@ -1,73 +0,0 @@ | |||
1 | From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Sun, 27 Dec 2015 16:55:20 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in | ||
5 | NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif | ||
6 | (bugzilla #2508) | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c | ||
10 | hand applied Changelog changes | ||
11 | |||
12 | CVE: CVE-2015-8784 | ||
13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
14 | |||
15 | --- | ||
16 | ChangeLog | 6 ++++++ | ||
17 | libtiff/tif_next.c | 10 ++++++++-- | ||
18 | 2 files changed, 14 insertions(+), 2 deletions(-) | ||
19 | |||
20 | Index: tiff-4.0.4/ChangeLog | ||
21 | =================================================================== | ||
22 | --- tiff-4.0.4.orig/ChangeLog | ||
23 | +++ tiff-4.0.4/ChangeLog | ||
24 | @@ -1,5 +1,11 @@ | ||
25 | 2015-12-27 Even Rouault <even.rouault at spatialys.com> | ||
26 | |||
27 | + * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() | ||
28 | + triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif | ||
29 | + (bugzilla #2508) | ||
30 | + | ||
31 | +2015-12-27 Even Rouault <even.rouault at spatialys.com> | ||
32 | + | ||
33 | * libtiff/tif_luv.c: fix potential out-of-bound writes in decode | ||
34 | functions in non debug builds by replacing assert()s by regular if | ||
35 | checks (bugzilla #2522). | ||
36 | Index: tiff-4.0.4/libtiff/tif_next.c | ||
37 | =================================================================== | ||
38 | --- tiff-4.0.4.orig/libtiff/tif_next.c | ||
39 | +++ tiff-4.0.4/libtiff/tif_next.c | ||
40 | @@ -37,7 +37,7 @@ | ||
41 | case 0: op[0] = (unsigned char) ((v) << 6); break; \ | ||
42 | case 1: op[0] |= (v) << 4; break; \ | ||
43 | case 2: op[0] |= (v) << 2; break; \ | ||
44 | - case 3: *op++ |= (v); break; \ | ||
45 | + case 3: *op++ |= (v); op_offset++; break; \ | ||
46 | } \ | ||
47 | } | ||
48 | |||
49 | @@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize | ||
50 | uint32 imagewidth = tif->tif_dir.td_imagewidth; | ||
51 | if( isTiled(tif) ) | ||
52 | imagewidth = tif->tif_dir.td_tilewidth; | ||
53 | + tmsize_t op_offset = 0; | ||
54 | |||
55 | /* | ||
56 | * The scanline is composed of a sequence of constant | ||
57 | @@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize | ||
58 | * bounds, potentially resulting in a security | ||
59 | * issue. | ||
60 | */ | ||
61 | - while (n-- > 0 && npixels < imagewidth) | ||
62 | + while (n-- > 0 && npixels < imagewidth && op_offset < scanline) | ||
63 | SETPIXEL(op, grey); | ||
64 | if (npixels >= imagewidth) | ||
65 | break; | ||
66 | + if (op_offset >= scanline ) { | ||
67 | + TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", | ||
68 | + (long) tif->tif_row); | ||
69 | + return (0); | ||
70 | + } | ||
71 | if (cc == 0) | ||
72 | goto bad; | ||
73 | n = *bp++, cc--; | ||