1 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10093.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10093.patch
new file mode 100644
index 0000000000..e09bb7fd21
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10093.patch
@@ -0,0 +1,47 @@
+From 787c0ee906430b772f33ca50b97b8b5ca070faec Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 16:40:01 +0000
+Subject: [PATCH] * tools/tiffcp.c: fix uint32 underflow/overflow that can
+ cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2610
+Upstream-Status: Backport
+CVE: CVE-2016-10093
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+---
+ ChangeLog      | 7 +++++++
+ tools/tiffcp.c | 6 +++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+Index: tiff-4.0.7/tools/tiffcp.c
+===================================================================
+--- tiff-4.0.7.orig/tools/tiffcp.c
+++ tiff-4.0.7/tools/tiffcp.c
+@@ -1163,7 +1163,7 @@ bad:
+ 
+ static void
+ cpStripToTile(uint8* out, uint8* in,
+-    uint32 rows, uint32 cols, int outskew, int inskew)
+    uint32 rows, uint32 cols, int outskew, int64 inskew)
+ {
+        while (rows-- > 0) {
+                uint32 j = cols;
+@@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+        tdata_t tilebuf;
+        uint32 imagew = TIFFScanlineSize(in);
+        uint32 tilew  = TIFFTileRowSize(in);
+-       int iskew = imagew - tilew;
+       int64 iskew = (int64)imagew - (int64)tilew;
+        uint8* bufp = (uint8*) buf;
+        uint32 tw, tl;
+        uint32 row;
+@@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+                                status = 0;
+                                goto done;
+                        }
+-                       if (colb + tilew > imagew) {
+                       if (colb > iskew) {
+                                uint32 width = imagew - colb;
+                                uint32 oskew = tilew - width;
+                                cpStripToTile(bufp + colb,

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10093.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10093.patch new file mode 100644 index 0000000000..e09bb7fd21 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10093.patch
@@ -0,0 +1,47 @@
	1	From 787c0ee906430b772f33ca50b97b8b5ca070faec Mon Sep 17 00:00:00 2001
	2	From: erouault <erouault>
	3	Date: Sat, 3 Dec 2016 16:40:01 +0000
	4	Subject: [PATCH] * tools/tiffcp.c: fix uint32 underflow/overflow that can
	5	cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes
	6	http://bugzilla.maptools.org/show_bug.cgi?id=2610
	7
	8	Upstream-Status: Backport
	9	CVE: CVE-2016-10093
	10	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
	11
	12	---
	13	ChangeLog \| 7 +++++++
	14	tools/tiffcp.c \| 6 +++---
	15	2 files changed, 10 insertions(+), 3 deletions(-)
	16
	17	Index: tiff-4.0.7/tools/tiffcp.c
	18	===================================================================
	19	--- tiff-4.0.7.orig/tools/tiffcp.c
	20	+++ tiff-4.0.7/tools/tiffcp.c
	21	@@ -1163,7 +1163,7 @@ bad:
	22
	23	static void
	24	cpStripToTile(uint8* out, uint8* in,
	25	- uint32 rows, uint32 cols, int outskew, int inskew)
	26	+ uint32 rows, uint32 cols, int outskew, int64 inskew)
	27	{
	28	while (rows-- > 0) {
	29	uint32 j = cols;
	30	@@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
	31	tdata_t tilebuf;
	32	uint32 imagew = TIFFScanlineSize(in);
	33	uint32 tilew = TIFFTileRowSize(in);
	34	- int iskew = imagew - tilew;
	35	+ int64 iskew = (int64)imagew - (int64)tilew;
	36	uint8* bufp = (uint8*) buf;
	37	uint32 tw, tl;
	38	uint32 row;
	39	@@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
	40	status = 0;
	41	goto done;
	42	}
	43	- if (colb + tilew > imagew) {
	44	+ if (colb > iskew) {
	45	uint32 width = imagew - colb;
	46	uint32 oskew = tilew - width;
	47	cpStripToTile(bufp + colb,