1 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch
new file mode 100644
index 0000000000..962646dbe0
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch
@@ -0,0 +1,61 @@
+From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 15:32:31 +0200
+Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
+ CVE-2018-8905
+The fix consists in using the similar code LZWDecode() to validate we
+don't write outside of the output buffer.
+---
+CVE: CVE-2018-8905
+Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/58a898...]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ libtiff/tif_lzw.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index 4ccb443..94d85e3 100644
+--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
+@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+        char *tp;
+        unsigned char *bp;
+        int code, nbits;
+       int len;
+        long nextbits, nextdata, nbitsmask;
+        code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ 
+@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+                                }  while (--occ);
+                                break;
+                        }
+-                       assert(occ >= codep->length);
+-                       op += codep->length;
+-                       occ -= codep->length;
+-                       tp = op;
+                       len = codep->length;
+                       tp = op + len;
+                        do {
+-                               *--tp = codep->value;
+-                       } while( (codep = codep->next) != NULL );
+                               int t;
+                               --tp;
+                               t = codep->value;
+                               codep = codep->next;
+                               *tp = (char)t;
+                       } while (codep && tp > op);
+                       assert(occ >= len);
+                       op += len;
+                       occ -= len;
+                } else {
+                        *op++ = (char)code;
+                        occ--;
+-- 
+1.7.9.5

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch new file mode 100644 index 0000000000..962646dbe0 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch
@@ -0,0 +1,61 @@
	1	From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
	2	From: Even Rouault <even.rouault@spatialys.com>
	3	Date: Sat, 12 May 2018 15:32:31 +0200
	4	Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
	5	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
	6	CVE-2018-8905
	7
	8	The fix consists in using the similar code LZWDecode() to validate we
	9	don't write outside of the output buffer.
	10
	11	---
	12	CVE: CVE-2018-8905
	13
	14	Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/58a898...]
	15
	16	Signed-off-by: Joe Slater <joe.slater@windriver.com>
	17
	18	---
	19	libtiff/tif_lzw.c \| 18 ++++++++++++------
	20	1 file changed, 12 insertions(+), 6 deletions(-)
	21
	22	diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
	23	index 4ccb443..94d85e3 100644
	24	--- a/libtiff/tif_lzw.c
	25	+++ b/libtiff/tif_lzw.c
	26	@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
	27	char *tp;
	28	unsigned char *bp;
	29	int code, nbits;
	30	+ int len;
	31	long nextbits, nextdata, nbitsmask;
	32	code_t codep, free_entp, maxcodep, oldcodep;
	33
	34	@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
	35	} while (--occ);
	36	break;
	37	}
	38	- assert(occ >= codep->length);
	39	- op += codep->length;
	40	- occ -= codep->length;
	41	- tp = op;
	42	+ len = codep->length;
	43	+ tp = op + len;
	44	do {
	45	- *--tp = codep->value;
	46	- } while( (codep = codep->next) != NULL );
	47	+ int t;
	48	+ --tp;
	49	+ t = codep->value;
	50	+ codep = codep->next;
	51	+ *tp = (char)t;
	52	+ } while (codep && tp > op);
	53	+ assert(occ >= len);
	54	+ op += len;
	55	+ occ -= len;
	56	} else {
	57	*op++ = (char)code;
	58	occ--;
	59	--
	60	1.7.9.5
	61