summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch423
1 files changed, 423 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
new file mode 100644
index 0000000000..26fd0df11c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
@@ -0,0 +1,423 @@
1From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Mon, 31 Oct 2016 17:24:26 +0000
4Subject: [PATCH 1/2] Fix CVE-2016-9535
5
6* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
7 assertions by runtime checks to avoid assertions in debug mode, or buffer
8 overflows in release mode. Can happen when dealing with unusual tile size
9 like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
10 Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
11
12CVE: CVE-2016-9535
13Upstream-Status: Backport
14https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
15
16Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
17
18---
19 libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
20 libtiff/tif_predict.h | 6 +-
21 2 files changed, 121 insertions(+), 47 deletions(-)
22
23diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
24index 555f2f9..b829259 100644
25--- a/libtiff/tif_predict.c
26+++ b/libtiff/tif_predict.c
27@@ -34,18 +34,18 @@
28
29 #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
30
31-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
32-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
33-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
34-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
35-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
36-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
37-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
38-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
39-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
40-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
41-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
42-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
43+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
44+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
45+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
46+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
47+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
48+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
49+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
50+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
51+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
52+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
53+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
54+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
55 static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
56 static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
57 static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
58@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
59 /* - when storing into the byte stream, we explicitly mask with 0xff so */
60 /* as to make icc -check=conversions happy (not necessary by the standard) */
61
62-static void
63+static int
64 horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
65 {
66 tmsize_t stride = PredictorState(tif)->stride;
67
68 unsigned char* cp = (unsigned char*) cp0;
69- assert((cc%stride)==0);
70+ if((cc%stride)!=0)
71+ {
72+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
73+ "%s", "(cc%stride)!=0");
74+ return 0;
75+ }
76+
77 if (cc > stride) {
78 /*
79 * Pipeline the most common cases.
80@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
81 } while (cc>0);
82 }
83 }
84+ return 1;
85 }
86
87-static void
88+static int
89 swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
90 {
91 uint16* wp = (uint16*) cp0;
92 tmsize_t wc = cc / 2;
93
94 TIFFSwabArrayOfShort(wp, wc);
95- horAcc16(tif, cp0, cc);
96+ return horAcc16(tif, cp0, cc);
97 }
98
99-static void
100+static int
101 horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
102 {
103 tmsize_t stride = PredictorState(tif)->stride;
104 uint16* wp = (uint16*) cp0;
105 tmsize_t wc = cc / 2;
106
107- assert((cc%(2*stride))==0);
108+ if((cc%(2*stride))!=0)
109+ {
110+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
111+ "%s", "cc%(2*stride))!=0");
112+ return 0;
113+ }
114
115 if (wc > stride) {
116 wc -= stride;
117@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
118 wc -= stride;
119 } while (wc > 0);
120 }
121+ return 1;
122 }
123
124-static void
125+static int
126 swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
127 {
128 uint32* wp = (uint32*) cp0;
129 tmsize_t wc = cc / 4;
130
131 TIFFSwabArrayOfLong(wp, wc);
132- horAcc32(tif, cp0, cc);
133+ return horAcc32(tif, cp0, cc);
134 }
135
136-static void
137+static int
138 horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
139 {
140 tmsize_t stride = PredictorState(tif)->stride;
141 uint32* wp = (uint32*) cp0;
142 tmsize_t wc = cc / 4;
143
144- assert((cc%(4*stride))==0);
145+ if((cc%(4*stride))!=0)
146+ {
147+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
148+ "%s", "cc%(4*stride))!=0");
149+ return 0;
150+ }
151
152 if (wc > stride) {
153 wc -= stride;
154@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
155 wc -= stride;
156 } while (wc > 0);
157 }
158+ return 1;
159 }
160
161 /*
162 * Floating point predictor accumulation routine.
163 */
164-static void
165+static int
166 fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
167 {
168 tmsize_t stride = PredictorState(tif)->stride;
169@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
170 uint8 *cp = (uint8 *) cp0;
171 uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
172
173- assert((cc%(bps*stride))==0);
174+ if(cc%(bps*stride)!=0)
175+ {
176+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
177+ "%s", "cc%(bps*stride))!=0");
178+ return 0;
179+ }
180
181 if (!tmp)
182- return;
183+ return 0;
184
185 while (count > stride) {
186 REPEAT4(stride, cp[stride] =
187@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
188 }
189 }
190 _TIFFfree(tmp);
191+ return 1;
192 }
193
194 /*
195@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
196 assert(sp->decodepfunc != NULL);
197
198 if ((*sp->decoderow)(tif, op0, occ0, s)) {
199- (*sp->decodepfunc)(tif, op0, occ0);
200- return 1;
201+ return (*sp->decodepfunc)(tif, op0, occ0);
202 } else
203 return 0;
204 }
205@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
206 if ((*sp->decodetile)(tif, op0, occ0, s)) {
207 tmsize_t rowsize = sp->rowsize;
208 assert(rowsize > 0);
209- assert((occ0%rowsize)==0);
210+ if((occ0%rowsize) !=0)
211+ {
212+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
213+ "%s", "occ0%rowsize != 0");
214+ return 0;
215+ }
216 assert(sp->decodepfunc != NULL);
217 while (occ0 > 0) {
218- (*sp->decodepfunc)(tif, op0, rowsize);
219+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
220+ return 0;
221 occ0 -= rowsize;
222 op0 += rowsize;
223 }
224@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
225 return 0;
226 }
227
228-static void
229+static int
230 horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
231 {
232 TIFFPredictorState* sp = PredictorState(tif);
233 tmsize_t stride = sp->stride;
234 unsigned char* cp = (unsigned char*) cp0;
235
236- assert((cc%stride)==0);
237+ if((cc%stride)!=0)
238+ {
239+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
240+ "%s", "(cc%stride)!=0");
241+ return 0;
242+ }
243
244 if (cc > stride) {
245 cc -= stride;
246@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
247 } while ((cc -= stride) > 0);
248 }
249 }
250+ return 1;
251 }
252
253-static void
254+static int
255 horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
256 {
257 TIFFPredictorState* sp = PredictorState(tif);
258@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
259 uint16 *wp = (uint16*) cp0;
260 tmsize_t wc = cc/2;
261
262- assert((cc%(2*stride))==0);
263+ if((cc%(2*stride))!=0)
264+ {
265+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
266+ "%s", "(cc%(2*stride))!=0");
267+ return 0;
268+ }
269
270 if (wc > stride) {
271 wc -= stride;
272@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
273 wc -= stride;
274 } while (wc > 0);
275 }
276+ return 1;
277 }
278
279-static void
280+static int
281 swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
282 {
283 uint16* wp = (uint16*) cp0;
284 tmsize_t wc = cc / 2;
285
286- horDiff16(tif, cp0, cc);
287+ if( !horDiff16(tif, cp0, cc) )
288+ return 0;
289
290 TIFFSwabArrayOfShort(wp, wc);
291+ return 1;
292 }
293
294-static void
295+static int
296 horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
297 {
298 TIFFPredictorState* sp = PredictorState(tif);
299@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
300 uint32 *wp = (uint32*) cp0;
301 tmsize_t wc = cc/4;
302
303- assert((cc%(4*stride))==0);
304+ if((cc%(4*stride))!=0)
305+ {
306+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
307+ "%s", "(cc%(4*stride))!=0");
308+ return 0;
309+ }
310
311 if (wc > stride) {
312 wc -= stride;
313@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
314 wc -= stride;
315 } while (wc > 0);
316 }
317+ return 1;
318 }
319
320-static void
321+static int
322 swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
323 {
324 uint32* wp = (uint32*) cp0;
325 tmsize_t wc = cc / 4;
326
327- horDiff32(tif, cp0, cc);
328+ if( !horDiff32(tif, cp0, cc) )
329+ return 0;
330
331 TIFFSwabArrayOfLong(wp, wc);
332+ return 1;
333 }
334
335 /*
336 * Floating point predictor differencing routine.
337 */
338-static void
339+static int
340 fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
341 {
342 tmsize_t stride = PredictorState(tif)->stride;
343@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
344 uint8 *cp = (uint8 *) cp0;
345 uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
346
347- assert((cc%(bps*stride))==0);
348-
349+ if((cc%(bps*stride))!=0)
350+ {
351+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
352+ "%s", "(cc%(bps*stride))!=0");
353+ return 0;
354+ }
355 if (!tmp)
356- return;
357+ return 0;
358
359 _TIFFmemcpy(tmp, cp0, cc);
360 for (count = 0; count < wc; count++) {
361@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
362 cp += cc - stride - 1;
363 for (count = cc; count > stride; count -= stride)
364 REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
365+ return 1;
366 }
367
368 static int
369@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
370 assert(sp->encoderow != NULL);
371
372 /* XXX horizontal differencing alters user's data XXX */
373- (*sp->encodepfunc)(tif, bp, cc);
374+ if( !(*sp->encodepfunc)(tif, bp, cc) )
375+ return 0;
376 return (*sp->encoderow)(tif, bp, cc, s);
377 }
378
379@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
380
381 rowsize = sp->rowsize;
382 assert(rowsize > 0);
383- assert((cc0%rowsize)==0);
384+ if((cc0%rowsize)!=0)
385+ {
386+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
387+ "%s", "(cc0%rowsize)!=0");
388+ return 0;
389+ }
390 while (cc > 0) {
391 (*sp->encodepfunc)(tif, bp, rowsize);
392 cc -= rowsize;
393diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
394index 91330cc..9e485a4 100644
395--- a/libtiff/tif_predict.h
396+++ b/libtiff/tif_predict.h
397@@ -30,6 +30,8 @@
398 * ``Library-private'' Support for the Predictor Tag
399 */
400
401+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
402+
403 /*
404 * Codecs that want to support the Predictor tag must place
405 * this structure first in their private state block so that
406@@ -43,12 +45,12 @@ typedef struct {
407 TIFFCodeMethod encoderow; /* parent codec encode/decode row */
408 TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
409 TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
410- TIFFPostMethod encodepfunc; /* horizontal differencer */
411+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
412
413 TIFFCodeMethod decoderow; /* parent codec encode/decode row */
414 TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
415 TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
416- TIFFPostMethod decodepfunc; /* horizontal accumulator */
417+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
418
419 TIFFVGetMethod vgetparent; /* super-class method */
420 TIFFVSetMethod vsetparent; /* super-class method */
421--
4222.9.3
423