Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch | 423 |
1 files changed, 423 insertions, 0 deletions
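--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
@@ -0,0 +1,423 @@
+From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 31 Oct 2016 17:24:26 +0000
+Subject: [PATCH 1/2] Fix CVE-2016-9535
+
+* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
+assertions by runtime checks to avoid assertions in debug mode, or buffer
+overflows in release mode. Can happen when dealing with unusual tile size
+like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
+Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+
+CVE: CVE-2016-9535
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
+
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+
+---
+libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++--------------
+libtiff/tif_predict.h | 6 +-
+2 files changed, 121 insertions(+), 47 deletions(-)
+
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index 555f2f9..b829259 100644
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -34,18 +34,18 @@
+
+#define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
+
+-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
+@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
+/* - when storing into the byte stream, we explicitly mask with 0xff so */
+/* as to make icc -check=conversions happy (not necessary by the standard) */
+
+-static void
++static int
+horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+tmsize_t stride = PredictorState(tif)->stride;
+
+unsigned char* cp = (unsigned char*) cp0;
+- assert((cc%stride)==0);
++ if((cc%stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
++ "%s", "(cc%stride)!=0");
++ return 0;
++ }
++
+if (cc > stride) {
+/*
+* Pipeline the most common cases.
+@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+} while (cc>0);
+}
+}
++ return 1;
+}
+
+-static void
++static int
+swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+uint16* wp = (uint16*) cp0;
+tmsize_t wc = cc / 2;
+
+TIFFSwabArrayOfShort(wp, wc);
+- horAcc16(tif, cp0, cc);
++ return horAcc16(tif, cp0, cc);
+}
+
+-static void
++static int
+horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+tmsize_t stride = PredictorState(tif)->stride;
+uint16* wp = (uint16*) cp0;
+tmsize_t wc = cc / 2;
+
+- assert((cc%(2*stride))==0);
++ if((cc%(2*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
++ "%s", "cc%(2*stride))!=0");
++ return 0;
++ }
+
+if (wc > stride) {
+wc -= stride;
+@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+wc -= stride;
+} while (wc > 0);
+}
++ return 1;
+}
+
+-static void
++static int
+swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+uint32* wp = (uint32*) cp0;
+tmsize_t wc = cc / 4;
+
+TIFFSwabArrayOfLong(wp, wc);
+- horAcc32(tif, cp0, cc);
++ return horAcc32(tif, cp0, cc);
+}
+
+-static void
++static int
+horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+tmsize_t stride = PredictorState(tif)->stride;
+uint32* wp = (uint32*) cp0;
+tmsize_t wc = cc / 4;
+
+- assert((cc%(4*stride))==0);
++ if((cc%(4*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
++ "%s", "cc%(4*stride))!=0");
++ return 0;
++ }
+
+if (wc > stride) {
+wc -= stride;
+@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+wc -= stride;
+} while (wc > 0);
+}
++ return 1;
+}
+
+/*
+* Floating point predictor accumulation routine.
+*/
+-static void
++static int
+fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+tmsize_t stride = PredictorState(tif)->stride;
+@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+uint8 *cp = (uint8 *) cp0;
+uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+
+- assert((cc%(bps*stride))==0);
++ if(cc%(bps*stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
++ "%s", "cc%(bps*stride))!=0");
++ return 0;
++ }
+
+if (!tmp)
+- return;
++ return 0;
+
+while (count > stride) {
+REPEAT4(stride, cp[stride] =
+@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+}
+}
+_TIFFfree(tmp);
++ return 1;
+}
+
+/*
+@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+assert(sp->decodepfunc != NULL);
+
+if ((*sp->decoderow)(tif, op0, occ0, s)) {
+- (*sp->decodepfunc)(tif, op0, occ0);
+- return 1;
++ return (*sp->decodepfunc)(tif, op0, occ0);
+} else
+return 0;
+}
+@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+if ((*sp->decodetile)(tif, op0, occ0, s)) {
+tmsize_t rowsize = sp->rowsize;
+assert(rowsize > 0);
+- assert((occ0%rowsize)==0);
++ if((occ0%rowsize) !=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
++ "%s", "occ0%rowsize != 0");
++ return 0;
++ }
+assert(sp->decodepfunc != NULL);
+while (occ0 > 0) {
+- (*sp->decodepfunc)(tif, op0, rowsize);
++ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
++ return 0;
+occ0 -= rowsize;
+op0 += rowsize;
+}
+@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+return 0;
+}
+
+-static void
++static int
+horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+TIFFPredictorState* sp = PredictorState(tif);
+tmsize_t stride = sp->stride;
+unsigned char* cp = (unsigned char*) cp0;
+
+- assert((cc%stride)==0);
++ if((cc%stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
++ "%s", "(cc%stride)!=0");
++ return 0;
++ }
+
+if (cc > stride) {
+cc -= stride;
+@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+} while ((cc -= stride) > 0);
+}
+}
++ return 1;
+}
+
+-static void
++static int
+horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+TIFFPredictorState* sp = PredictorState(tif);
+@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+uint16 *wp = (uint16*) cp0;
+tmsize_t wc = cc/2;
+
+- assert((cc%(2*stride))==0);
++ if((cc%(2*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
++ "%s", "(cc%(2*stride))!=0");
++ return 0;
++ }
+
+if (wc > stride) {
+wc -= stride;
+@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+wc -= stride;
+} while (wc > 0);
+}
++ return 1;
+}
+
+-static void
++static int
+swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+uint16* wp = (uint16*) cp0;
+tmsize_t wc = cc / 2;
+
+- horDiff16(tif, cp0, cc);
++ if( !horDiff16(tif, cp0, cc) )
++ return 0;
+
+TIFFSwabArrayOfShort(wp, wc);
++ return 1;
+}
+
+-static void
++static int
+horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+TIFFPredictorState* sp = PredictorState(tif);
+@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+uint32 *wp = (uint32*) cp0;
+tmsize_t wc = cc/4;
+
+- assert((cc%(4*stride))==0);
++ if((cc%(4*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
++ "%s", "(cc%(4*stride))!=0");
++ return 0;
++ }
+
+if (wc > stride) {
+wc -= stride;
+@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+wc -= stride;
+} while (wc > 0);
+}
++ return 1;
+}
+
+-static void
++static int
+swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+uint32* wp = (uint32*) cp0;
+tmsize_t wc = cc / 4;
+
+- horDiff32(tif, cp0, cc);
++ if( !horDiff32(tif, cp0, cc) )
++ return 0;
+
+TIFFSwabArrayOfLong(wp, wc);
++ return 1;
+}
+
+/*
+* Floating point predictor differencing routine.
+*/
+-static void
++static int
+fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+{
+tmsize_t stride = PredictorState(tif)->stride;
+@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+uint8 *cp = (uint8 *) cp0;
+uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+
+- assert((cc%(bps*stride))==0);
+-
++ if((cc%(bps*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
++ "%s", "(cc%(bps*stride))!=0");
++ return 0;
++ }
+if (!tmp)
+- return;
++ return 0;
+
+_TIFFmemcpy(tmp, cp0, cc);
+for (count = 0; count < wc; count++) {
+@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+cp += cc - stride - 1;
+for (count = cc; count > stride; count -= stride)
+REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
++ return 1;
+}
+
+static int
+@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+assert(sp->encoderow != NULL);
+
+/* XXX horizontal differencing alters user's data XXX */
+- (*sp->encodepfunc)(tif, bp, cc);
++ if( !(*sp->encodepfunc)(tif, bp, cc) )
++ return 0;
+return (*sp->encoderow)(tif, bp, cc, s);
+}
+
+@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
+
+rowsize = sp->rowsize;
+assert(rowsize > 0);
+- assert((cc0%rowsize)==0);
++ if((cc0%rowsize)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
++ "%s", "(cc0%rowsize)!=0");
++ return 0;
++ }
+while (cc > 0) {
+(*sp->encodepfunc)(tif, bp, rowsize);
+cc -= rowsize;
+diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
+index 91330cc..9e485a4 100644
+--- a/libtiff/tif_predict.h
++++ b/libtiff/tif_predict.h
+@@ -30,6 +30,8 @@
+* ``Library-private'' Support for the Predictor Tag
+*/
+
++typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
++
+/*
+* Codecs that want to support the Predictor tag must place
+* this structure first in their private state block so that
+@@ -43,12 +45,12 @@ typedef struct {
+TIFFCodeMethod encoderow; /* parent codec encode/decode row */
+TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
+TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
+- TIFFPostMethod encodepfunc; /* horizontal differencer */
++ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
+
+TIFFCodeMethod decoderow; /* parent codec encode/decode row */
+TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
+TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
+- TIFFPostMethod decodepfunc; /* horizontal accumulator */
++ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
+
+TIFFVGetMethod vgetparent; /* super-class method */
+TIFFVSetMethod vsetparent; /* super-class method */
+--
+2.9.3
+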
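Review bot: In fpAcc and fpDiff the new `return 0` on the modulo check runs after `uint8 *tmp = (uint8 *)_TIFFmalloc(cc);`, so each row rejected by the check leaks a `cc`-byte buffer, and malformed input that keeps hitting this path can exhaust memory. Do the `cc%(bps*stride)` test before the allocation, or release the buffer on that path with `if (tmp) _TIFFfree(tmp);` ahead of the `return 0;`. PredictorEncodeTile still calls `(*sp->encodepfunc)(tif, bp, rowsize);` in its loop without testing the result, unlike PredictorDecodeTile, so a failing differencer goes unnoticed there. It should read `if( !(*sp->encodepfunc)(tif, bp, rowsize) ) return 0;`, with whatever cleanup the part of the function outside the hunk needs, which may also apply to the new early `return 0` above the loop. The horDiff16 error is reported under the module name `"horDiff8"`, and several message strings (`"cc%(2*stride))!=0"`, `"cc%(4*stride))!=0"`, `"cc%(bps*stride))!=0"`) have an unbalanced parenthesis, which makes log triage harder.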