1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
new file mode 100644
index 0000000000..e228c2f17c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
@@ -0,0 +1,65 @@
+From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 23 Aug 2017 13:33:42 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
+ fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
+ TIFFWriteDirectoryTagSubifd()). Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
+SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
+CVE: CVE-2017-13727
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog              | 10 +++++++++-
+ libtiff/tif_dirwrite.c |  9 ++++++++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 3e299d9..8f5efe9 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,7 +1,15 @@
+ 2017-08-23  Even Rouault <even.rouault at spatialys.com>
+ 
+       * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
+       on uint32 when selecting the value of SubIFD tag by runtime check
+       (in TIFFWriteDirectoryTagSubifd()).
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
+       Reported by team OWL337
+
+2017-08-23  Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_dirwrite.c: replace assertion related to not finding the
+-       SubIFD tag by runtime check.
+       SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
+        Reported by team OWL337
+ 
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 14090ae..f0a4baa 100644
+--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
+@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
+                for (p=0; p < tif->tif_dir.td_nsubifd; p++)
+                {
+                         assert(pa != 0);
+-                       assert(*pa <= 0xFFFFFFFFUL);
+
+                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
+                        if( *pa > 0xFFFFFFFFUL)
+                        {
+                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
+                            _TIFFfree(o);
+                            return(0);
+                        }
+                        *pb++=(uint32)(*pa++);
+                }
+                n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
+-- 
+2.7.4

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch new file mode 100644 index 0000000000..e228c2f17c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
@@ -0,0 +1,65 @@
	1	From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
	2	From: Even Rouault <even.rouault@spatialys.com>
	3	Date: Wed, 23 Aug 2017 13:33:42 +0000
	4	Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
	5	fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
	6	TIFFWriteDirectoryTagSubifd()). Fixes
	7	http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
	8
	9	SubIFD tag by runtime check (in TIFFWriteDirectorySec())
	10
	11	Upstream-Status: Backport
	12	[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
	13
	14	CVE: CVE-2017-13727
	15
	16	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	17	---
	18	ChangeLog \| 10 +++++++++-
	19	libtiff/tif_dirwrite.c \| 9 ++++++++-
	20	2 files changed, 17 insertions(+), 2 deletions(-)
	21
	22	diff --git a/ChangeLog b/ChangeLog
	23	index 3e299d9..8f5efe9 100644
	24	--- a/ChangeLog
	25	+++ b/ChangeLog
	26	@@ -1,7 +1,15 @@
	27	2017-08-23 Even Rouault <even.rouault at spatialys.com>
	28
	29	+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
	30	+ on uint32 when selecting the value of SubIFD tag by runtime check
	31	+ (in TIFFWriteDirectoryTagSubifd()).
	32	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
	33	+ Reported by team OWL337
	34	+
	35	+2017-08-23 Even Rouault <even.rouault at spatialys.com>
	36	+
	37	* libtiff/tif_dirwrite.c: replace assertion related to not finding the
	38	- SubIFD tag by runtime check.
	39	+ SubIFD tag by runtime check (in TIFFWriteDirectorySec())
	40	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
	41	Reported by team OWL337
	42
	43	diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
	44	index 14090ae..f0a4baa 100644
	45	--- a/libtiff/tif_dirwrite.c
	46	+++ b/libtiff/tif_dirwrite.c
	47	@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
	48	for (p=0; p < tif->tif_dir.td_nsubifd; p++)
	49	{
	50	assert(pa != 0);
	51	- assert(*pa <= 0xFFFFFFFFUL);
	52	+
	53	+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
	54	+ if( *pa > 0xFFFFFFFFUL)
	55	+ {
	56	+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
	57	+ _TIFFfree(o);
	58	+ return(0);
	59	+ }
	60	pb++=(uint32)(pa++);
	61	}
	62	n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
	63	--
	64	2.7.4
	65