6 files changed, 0 insertions, 519 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
deleted file mode 100644
index b0db96949f..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Fri, 30 Jun 2017 17:29:44 +0000
-Subject: [PATCH] * libtiff/tif_dirwrite.c: in
- TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
- data type, replace assertion that the file is BigTIFF, by a non-fatal error.
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
- OWL337
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
-CVE: CVE-2017-10688
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- ChangeLog              |  8 ++++++++
- libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
- 2 files changed, 24 insertions(+), 4 deletions(-)
-diff --git a/ChangeLog b/ChangeLog
-index 0240f0b..42eaeb7 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,11 @@
-+2017-06-30  Even Rouault <even.rouault at spatialys.com>
-+
-+       * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
-+       functions associated with LONG8/SLONG8 data type, replace assertion that
-+       the file is BigTIFF, by a non-fatal error.
-+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
-+       Reported by team OWL337
-+
- 2017-06-26  Even Rouault <even.rouault at spatialys.com>
- 
-        * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 2967da5..8d6686b 100644
--- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
- {
-        uint64 m;
-        assert(sizeof(uint64)==8);
-       assert(tif->tif_flags&TIFF_BIGTIFF);
-+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
-+               return(0);
-+       }
-        m=value;
-        if (tif->tif_flags&TIFF_SWAB)
-                TIFFSwabLong8(&m);
-@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
- {
-        assert(count<0x20000000);
-        assert(sizeof(uint64)==8);
-       assert(tif->tif_flags&TIFF_BIGTIFF);
-+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
-+               return(0);
-+       }
-        if (tif->tif_flags&TIFF_SWAB)
-                TIFFSwabArrayOfLong8(value,count);
-        return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
-@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
- {
-        int64 m;
-        assert(sizeof(int64)==8);
-       assert(tif->tif_flags&TIFF_BIGTIFF);
-+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
-+               return(0);
-+       }
-        m=value;
-        if (tif->tif_flags&TIFF_SWAB)
-                TIFFSwabLong8((uint64*)(&m));
-@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
- {
-        assert(count<0x20000000);
-        assert(sizeof(int64)==8);
-       assert(tif->tif_flags&TIFF_BIGTIFF);
-+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
-+               return(0);
-+       }
-        if (tif->tif_flags&TIFF_SWAB)
-                TIFFSwabArrayOfLong8((uint64*)value,count);
-        return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
-- 
-2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
deleted file mode 100644
index d08e7612b7..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 15 Jul 2017 11:13:46 +0000
-Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
- "Raw" mode on PlanarConfig=Contig input images. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]
-CVE: CVE-2017-11355
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- ChangeLog        | 7 +++++++
- tools/tiff2pdf.c | 7 ++++++-
- 2 files changed, 13 insertions(+), 1 deletion(-)
-diff --git a/ChangeLog b/ChangeLog
-index 42eaeb7..6980da8 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+2017-07-15  Even Rouault <even.rouault at spatialys.com>
-+
-+       * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
-+       mode on PlanarConfig=Contig input images.
-+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
-+       Reported by team OWL337
-+
- 2017-06-30  Even Rouault <even.rouault at spatialys.com>
- 
-        * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index db196e0..cd1e235 100644
--- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
-            return;
- 
-        t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
-       if(t2p->pdf_nopassthrough==0){
-+        /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
-+        /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
-+        /* do not take into account the number of samples, and thus */
-+        /* that can cause heap buffer overflows such as in */
-+        /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
-+       if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
- #ifdef CCITT_SUPPORT
-                if(t2p->tiff_compression==COMPRESSION_CCITTFAX4  
-                        ){
-- 
-2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
deleted file mode 100644
index c60ffa698d..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Wed, 23 Aug 2017 13:21:41 +0000
-Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not
- finding the SubIFD tag by runtime check. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e]
-CVE: CVE-2017-13726
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- ChangeLog              | 7 +++++++
- libtiff/tif_dirwrite.c | 7 ++++++-
- 2 files changed, 13 insertions(+), 1 deletion(-)
-diff --git a/ChangeLog b/ChangeLog
-index 6980da8..3e299d9 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+2017-08-23  Even Rouault <even.rouault at spatialys.com>
-+
-+       * libtiff/tif_dirwrite.c: replace assertion related to not finding the
-+       SubIFD tag by runtime check.
-+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
-+       Reported by team OWL337
-+
- 2017-07-15  Even Rouault <even.rouault at spatialys.com>
- 
-        * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 8d6686b..14090ae 100644
--- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
-                        TIFFDirEntry* nb;
-                        for (na=0, nb=dir; ; na++, nb++)
-                        {
-                               assert(na<ndir);
-+                               if( na == ndir )
-+                                {
-+                                    TIFFErrorExt(tif->tif_clientdata,module,
-+                                                 "Cannot find SubIFD tag");
-+                                    goto bad;
-+                                }
-                                if (nb->tdir_tag==TIFFTAG_SUBIFD)
-                                        break;
-                        }
-- 
-2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
deleted file mode 100644
index e228c2f17c..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Wed, 23 Aug 2017 13:33:42 +0000
-Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
- fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
- TIFFWriteDirectoryTagSubifd()). Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
-SubIFD tag by runtime check (in TIFFWriteDirectorySec())
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
-CVE: CVE-2017-13727
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- ChangeLog              | 10 +++++++++-
- libtiff/tif_dirwrite.c |  9 ++++++++-
- 2 files changed, 17 insertions(+), 2 deletions(-)
-diff --git a/ChangeLog b/ChangeLog
-index 3e299d9..8f5efe9 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,7 +1,15 @@
- 2017-08-23  Even Rouault <even.rouault at spatialys.com>
- 
-+       * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
-+       on uint32 when selecting the value of SubIFD tag by runtime check
-+       (in TIFFWriteDirectoryTagSubifd()).
-+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
-+       Reported by team OWL337
-+
-+2017-08-23  Even Rouault <even.rouault at spatialys.com>
-+
-        * libtiff/tif_dirwrite.c: replace assertion related to not finding the
-       SubIFD tag by runtime check.
-+       SubIFD tag by runtime check (in TIFFWriteDirectorySec())
-        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
-        Reported by team OWL337
- 
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 14090ae..f0a4baa 100644
--- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
-                for (p=0; p < tif->tif_dir.td_nsubifd; p++)
-                {
-                         assert(pa != 0);
-                       assert(*pa <= 0xFFFFFFFFUL);
-+
-+                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
-+                        if( *pa > 0xFFFFFFFFUL)
-+                        {
-+                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
-+                            _TIFFfree(o);
-+                            return(0);
-+                        }
-                        *pb++=(uint32)(*pa++);
-                }
-                n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
-- 
-2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
deleted file mode 100644
index 3392285901..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Thu, 1 Jun 2017 12:44:04 +0000
-Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
-and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
-codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
-to behave differently depending on whether the codec is enabled or not, and
-thus can avoid stack based buffer overflows in a number of TIFF utilities
-such as tiffsplit, tiffcmp, thumbnail, etc.
-Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
-(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
-Fixes:
-http://bugzilla.maptools.org/show_bug.cgi?id=2580
-http://bugzilla.maptools.org/show_bug.cgi?id=2693
-http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
-http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
-http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
-http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
-http://bugzilla.maptools.org/show_bug.cgi?id=2441
-http://bugzilla.maptools.org/show_bug.cgi?id=2433
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
-CVE: CVE-2017-9147
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- ChangeLog             |  20 ++++++++++
- libtiff/tif_dir.h     |   1 +
- libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
- libtiff/tif_dirread.c |   4 ++
- 4 files changed, 128 insertions(+)
-diff --git a/ChangeLog b/ChangeLog
-index ee8d9d0..5739292 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,23 @@
-+2017-06-01  Even Rouault <even.rouault at spatialys.com>
-+
-+       * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
-+       and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
-+       codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
-+       to behave differently depending on whether the codec is enabled or not, and
-+       thus can avoid stack based buffer overflows in a number of TIFF utilities
-+       such as tiffsplit, tiffcmp, thumbnail, etc.
-+       Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
-+       (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
-+       Fixes:
-+       http://bugzilla.maptools.org/show_bug.cgi?id=2580
-+       http://bugzilla.maptools.org/show_bug.cgi?id=2693
-+       http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
-+       http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
-+       http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
-+       http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
-+       http://bugzilla.maptools.org/show_bug.cgi?id=2441
-+       http://bugzilla.maptools.org/show_bug.cgi?id=2433
-+
- 2017-05-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
- 
-        * configure.ac: libtiff 4.0.8 released.
-diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
-index e12b44b..5206be4 100644
--- a/libtiff/tif_dir.h
-+++ b/libtiff/tif_dir.h
-@@ -291,6 +291,7 @@ struct _TIFFField {
- extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
- extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
- extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
-+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
- 
- #if defined(__cplusplus)
- }
-diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
-index 0c8ef42..97c0df0 100644
--- a/libtiff/tif_dirinfo.c
-+++ b/libtiff/tif_dirinfo.c
-@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
-        return 0;
- }
- 
-+int
-+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
-+{
-+       /* Filter out non-codec specific tags */
-+       switch (tag) {
-+           /* Shared tags */
-+           case TIFFTAG_PREDICTOR:
-+           /* JPEG tags */
-+           case TIFFTAG_JPEGTABLES:
-+           /* OJPEG tags */
-+           case TIFFTAG_JPEGIFOFFSET:
-+           case TIFFTAG_JPEGIFBYTECOUNT:
-+           case TIFFTAG_JPEGQTABLES:
-+           case TIFFTAG_JPEGDCTABLES:
-+           case TIFFTAG_JPEGACTABLES:
-+           case TIFFTAG_JPEGPROC:
-+           case TIFFTAG_JPEGRESTARTINTERVAL:
-+           /* CCITT* */
-+           case TIFFTAG_BADFAXLINES:
-+           case TIFFTAG_CLEANFAXDATA:
-+           case TIFFTAG_CONSECUTIVEBADFAXLINES:
-+           case TIFFTAG_GROUP3OPTIONS:
-+           case TIFFTAG_GROUP4OPTIONS:
-+               break;
-+           default:
-+               return 1;
-+       }
-+       /* Check if codec specific tags are allowed for the current
-+        * compression scheme (codec) */
-+       switch (tif->tif_dir.td_compression) {
-+           case COMPRESSION_LZW:
-+               if (tag == TIFFTAG_PREDICTOR)
-+                   return 1;
-+               break;
-+           case COMPRESSION_PACKBITS:
-+               /* No codec-specific tags */
-+               break;
-+           case COMPRESSION_THUNDERSCAN:
-+               /* No codec-specific tags */
-+               break;
-+           case COMPRESSION_NEXT:
-+               /* No codec-specific tags */
-+               break;
-+           case COMPRESSION_JPEG:
-+               if (tag == TIFFTAG_JPEGTABLES)
-+                   return 1;
-+               break;
-+           case COMPRESSION_OJPEG:
-+               switch (tag) {
-+                   case TIFFTAG_JPEGIFOFFSET:
-+                   case TIFFTAG_JPEGIFBYTECOUNT:
-+                   case TIFFTAG_JPEGQTABLES:
-+                   case TIFFTAG_JPEGDCTABLES:
-+                   case TIFFTAG_JPEGACTABLES:
-+                   case TIFFTAG_JPEGPROC:
-+                   case TIFFTAG_JPEGRESTARTINTERVAL:
-+                       return 1;
-+               }
-+               break;
-+           case COMPRESSION_CCITTRLE:
-+           case COMPRESSION_CCITTRLEW:
-+           case COMPRESSION_CCITTFAX3:
-+           case COMPRESSION_CCITTFAX4:
-+               switch (tag) {
-+                   case TIFFTAG_BADFAXLINES:
-+                   case TIFFTAG_CLEANFAXDATA:
-+                   case TIFFTAG_CONSECUTIVEBADFAXLINES:
-+                       return 1;
-+                   case TIFFTAG_GROUP3OPTIONS:
-+                       if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
-+                           return 1;
-+                       break;
-+                   case TIFFTAG_GROUP4OPTIONS:
-+                       if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
-+                           return 1;
-+                       break;
-+               }
-+               break;
-+           case COMPRESSION_JBIG:
-+               /* No codec-specific tags */
-+               break;
-+           case COMPRESSION_DEFLATE:
-+           case COMPRESSION_ADOBE_DEFLATE:
-+               if (tag == TIFFTAG_PREDICTOR)
-+                   return 1;
-+               break;
-+          case COMPRESSION_PIXARLOG:
-+               if (tag == TIFFTAG_PREDICTOR)
-+                   return 1;
-+               break;
-+           case COMPRESSION_SGILOG:
-+           case COMPRESSION_SGILOG24:
-+               /* No codec-specific tags */
-+               break;
-+           case COMPRESSION_LZMA:
-+               if (tag == TIFFTAG_PREDICTOR)
-+                   return 1;
-+               break;
-+
-+       }
-+       return 0;
-+}
-+
- /* vim: set ts=8 sts=8 sw=8 noet: */
- 
- /*
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 1d4f0b9..f1dc3d7 100644
--- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
-                                                        goto bad;
-                                                dp->tdir_tag=IGNORE;
-                                                break;
-+                                        default:
-+                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
-+                                                dp->tdir_tag=IGNORE;
-+                                            break;
-                                }
-                        }
-                }
-- 
-2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
deleted file mode 100644
index fc99363284..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 26 Jun 2017 15:19:59 +0000
-Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of
- JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported
- by team OWL337
-* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a]
-CVE: CVE-2017-9936
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- ChangeLog          | 6 ++++++
- libtiff/tif_jbig.c | 1 +
- 2 files changed, 7 insertions(+)
-diff --git a/ChangeLog b/ChangeLog
-index 5739292..0240f0b 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,9 @@
-+2017-06-26  Even Rouault <even.rouault at spatialys.com>
-+
-+       * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
-+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
-+       Reported by team OWL337
-+
- 2017-06-01  Even Rouault <even.rouault at spatialys.com>
- 
-        * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
-index 5f5f75e..c75f31d 100644
--- a/libtiff/tif_jbig.c
-+++ b/libtiff/tif_jbig.c
-@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
-                             jbg_strerror(decodeStatus)
- #endif
-                             );
-+               jbg_dec_free(&decoder);
-                return 0;
-        }
- 
-- 
-2.7.4

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch deleted file mode 100644 index b0db96949f..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch +++ /dev/null
@@ -1,91 +0,0 @@
1	From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
2	From: Even Rouault <even.rouault@spatialys.com>
3	Date: Fri, 30 Jun 2017 17:29:44 +0000
4	Subject: [PATCH] * libtiff/tif_dirwrite.c: in
5	TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
6	data type, replace assertion that the file is BigTIFF, by a non-fatal error.
7	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
8	OWL337
9
10	Upstream-Status: Backport
11	[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
12
13	CVE: CVE-2017-10688
14
15	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
16	---
17	ChangeLog \| 8 ++++++++
18	libtiff/tif_dirwrite.c \| 20 ++++++++++++++++----
19	2 files changed, 24 insertions(+), 4 deletions(-)
20
21	diff --git a/ChangeLog b/ChangeLog
22	index 0240f0b..42eaeb7 100644
23	--- a/ChangeLog
24	+++ b/ChangeLog
25	@@ -1,3 +1,11 @@
26	+2017-06-30 Even Rouault <even.rouault at spatialys.com>
27	+
28	+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
29	+ functions associated with LONG8/SLONG8 data type, replace assertion that
30	+ the file is BigTIFF, by a non-fatal error.
31	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
32	+ Reported by team OWL337
33	+
34	2017-06-26 Even Rouault <even.rouault at spatialys.com>
35
36	* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
37	diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
38	index 2967da5..8d6686b 100644
39	--- a/libtiff/tif_dirwrite.c
40	+++ b/libtiff/tif_dirwrite.c
41	@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
42	{
43	uint64 m;
44	assert(sizeof(uint64)==8);
45	- assert(tif->tif_flags&TIFF_BIGTIFF);
46	+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
47	+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
48	+ return(0);
49	+ }
50	m=value;
51	if (tif->tif_flags&TIFF_SWAB)
52	TIFFSwabLong8(&m);
53	@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
54	{
55	assert(count<0x20000000);
56	assert(sizeof(uint64)==8);
57	- assert(tif->tif_flags&TIFF_BIGTIFF);
58	+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
59	+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
60	+ return(0);
61	+ }
62	if (tif->tif_flags&TIFF_SWAB)
63	TIFFSwabArrayOfLong8(value,count);
64	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
65	@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
66	{
67	int64 m;
68	assert(sizeof(int64)==8);
69	- assert(tif->tif_flags&TIFF_BIGTIFF);
70	+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
71	+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
72	+ return(0);
73	+ }
74	m=value;
75	if (tif->tif_flags&TIFF_SWAB)
76	TIFFSwabLong8((uint64*)(&m));
77	@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
78	{
79	assert(count<0x20000000);
80	assert(sizeof(int64)==8);
81	- assert(tif->tif_flags&TIFF_BIGTIFF);
82	+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
83	+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
84	+ return(0);
85	+ }
86	if (tif->tif_flags&TIFF_SWAB)
87	TIFFSwabArrayOfLong8((uint64*)value,count);
88	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
89	--
90	2.7.4
91


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch deleted file mode 100644 index d08e7612b7..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch +++ /dev/null
@@ -1,54 +0,0 @@
1	From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
2	From: Even Rouault <even.rouault@spatialys.com>
3	Date: Sat, 15 Jul 2017 11:13:46 +0000
4	Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
5	"Raw" mode on PlanarConfig=Contig input images. Fixes
6	http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
7
8	Upstream-Status: Backport
9	[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]
10
11	CVE: CVE-2017-11355
12
13	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
14	---
15	ChangeLog \| 7 +++++++
16	tools/tiff2pdf.c \| 7 ++++++-
17	2 files changed, 13 insertions(+), 1 deletion(-)
18
19	diff --git a/ChangeLog b/ChangeLog
20	index 42eaeb7..6980da8 100644
21	--- a/ChangeLog
22	+++ b/ChangeLog
23	@@ -1,3 +1,10 @@
24	+2017-07-15 Even Rouault <even.rouault at spatialys.com>
25	+
26	+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
27	+ mode on PlanarConfig=Contig input images.
28	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
29	+ Reported by team OWL337
30	+
31	2017-06-30 Even Rouault <even.rouault at spatialys.com>
32
33	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
34	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
35	index db196e0..cd1e235 100644
36	--- a/tools/tiff2pdf.c
37	+++ b/tools/tiff2pdf.c
38	@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
39	return;
40
41	t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
42	- if(t2p->pdf_nopassthrough==0){
43	+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
44	+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
45	+ /* do not take into account the number of samples, and thus */
46	+ /* that can cause heap buffer overflows such as in */
47	+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
48	+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
49	#ifdef CCITT_SUPPORT
50	if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
51	){
52	--
53	2.7.4
54


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch deleted file mode 100644 index c60ffa698d..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch +++ /dev/null
@@ -1,54 +0,0 @@
1	From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001
2	From: Even Rouault <even.rouault@spatialys.com>
3	Date: Wed, 23 Aug 2017 13:21:41 +0000
4	Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not
5	finding the SubIFD tag by runtime check. Fixes
6	http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337
7
8	Upstream-Status: Backport
9	[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e]
10
11	CVE: CVE-2017-13726
12
13	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
14	---
15	ChangeLog \| 7 +++++++
16	libtiff/tif_dirwrite.c \| 7 ++++++-
17	2 files changed, 13 insertions(+), 1 deletion(-)
18
19	diff --git a/ChangeLog b/ChangeLog
20	index 6980da8..3e299d9 100644
21	--- a/ChangeLog
22	+++ b/ChangeLog
23	@@ -1,3 +1,10 @@
24	+2017-08-23 Even Rouault <even.rouault at spatialys.com>
25	+
26	+ * libtiff/tif_dirwrite.c: replace assertion related to not finding the
27	+ SubIFD tag by runtime check.
28	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
29	+ Reported by team OWL337
30	+
31	2017-07-15 Even Rouault <even.rouault at spatialys.com>
32
33	* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
34	diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
35	index 8d6686b..14090ae 100644
36	--- a/libtiff/tif_dirwrite.c
37	+++ b/libtiff/tif_dirwrite.c
38	@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
39	TIFFDirEntry* nb;
40	for (na=0, nb=dir; ; na++, nb++)
41	{
42	- assert(na<ndir);
43	+ if( na == ndir )
44	+ {
45	+ TIFFErrorExt(tif->tif_clientdata,module,
46	+ "Cannot find SubIFD tag");
47	+ goto bad;
48	+ }
49	if (nb->tdir_tag==TIFFTAG_SUBIFD)
50	break;
51	}
52	--
53	2.7.4
54


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch deleted file mode 100644 index e228c2f17c..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch +++ /dev/null
@@ -1,65 +0,0 @@
1	From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
2	From: Even Rouault <even.rouault@spatialys.com>
3	Date: Wed, 23 Aug 2017 13:33:42 +0000
4	Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
5	fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
6	TIFFWriteDirectoryTagSubifd()). Fixes
7	http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
8
9	SubIFD tag by runtime check (in TIFFWriteDirectorySec())
10
11	Upstream-Status: Backport
12	[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
13
14	CVE: CVE-2017-13727
15
16	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
17	---
18	ChangeLog \| 10 +++++++++-
19	libtiff/tif_dirwrite.c \| 9 ++++++++-
20	2 files changed, 17 insertions(+), 2 deletions(-)
21
22	diff --git a/ChangeLog b/ChangeLog
23	index 3e299d9..8f5efe9 100644
24	--- a/ChangeLog
25	+++ b/ChangeLog
26	@@ -1,7 +1,15 @@
27	2017-08-23 Even Rouault <even.rouault at spatialys.com>
28
29	+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
30	+ on uint32 when selecting the value of SubIFD tag by runtime check
31	+ (in TIFFWriteDirectoryTagSubifd()).
32	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
33	+ Reported by team OWL337
34	+
35	+2017-08-23 Even Rouault <even.rouault at spatialys.com>
36	+
37	* libtiff/tif_dirwrite.c: replace assertion related to not finding the
38	- SubIFD tag by runtime check.
39	+ SubIFD tag by runtime check (in TIFFWriteDirectorySec())
40	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
41	Reported by team OWL337
42
43	diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
44	index 14090ae..f0a4baa 100644
45	--- a/libtiff/tif_dirwrite.c
46	+++ b/libtiff/tif_dirwrite.c
47	@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
48	for (p=0; p < tif->tif_dir.td_nsubifd; p++)
49	{
50	assert(pa != 0);
51	- assert(*pa <= 0xFFFFFFFFUL);
52	+
53	+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
54	+ if( *pa > 0xFFFFFFFFUL)
55	+ {
56	+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
57	+ _TIFFfree(o);
58	+ return(0);
59	+ }
60	pb++=(uint32)(pa++);
61	}
62	n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
63	--
64	2.7.4
65


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch deleted file mode 100644 index 3392285901..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch +++ /dev/null
@@ -1,206 +0,0 @@
1	From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
2	From: erouault <erouault>
3	Date: Thu, 1 Jun 2017 12:44:04 +0000
4	Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
5	and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
6	codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
7	to behave differently depending on whether the codec is enabled or not, and
8	thus can avoid stack based buffer overflows in a number of TIFF utilities
9	such as tiffsplit, tiffcmp, thumbnail, etc.
10	Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
11	(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
12	Fixes:
13	http://bugzilla.maptools.org/show_bug.cgi?id=2580
14	http://bugzilla.maptools.org/show_bug.cgi?id=2693
15	http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
16	http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
17	http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
18	http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
19	http://bugzilla.maptools.org/show_bug.cgi?id=2441
20	http://bugzilla.maptools.org/show_bug.cgi?id=2433
21
22	Upstream-Status: Backport
23	[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
24
25	CVE: CVE-2017-9147
26
27	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
28	---
29	ChangeLog \| 20 ++++++++++
30	libtiff/tif_dir.h \| 1 +
31	libtiff/tif_dirinfo.c \| 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
32	libtiff/tif_dirread.c \| 4 ++
33	4 files changed, 128 insertions(+)
34
35	diff --git a/ChangeLog b/ChangeLog
36	index ee8d9d0..5739292 100644
37	--- a/ChangeLog
38	+++ b/ChangeLog
39	@@ -1,3 +1,23 @@
40	+2017-06-01 Even Rouault <even.rouault at spatialys.com>
41	+
42	+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
43	+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
44	+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
45	+ to behave differently depending on whether the codec is enabled or not, and
46	+ thus can avoid stack based buffer overflows in a number of TIFF utilities
47	+ such as tiffsplit, tiffcmp, thumbnail, etc.
48	+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
49	+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
50	+ Fixes:
51	+ http://bugzilla.maptools.org/show_bug.cgi?id=2580
52	+ http://bugzilla.maptools.org/show_bug.cgi?id=2693
53	+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
54	+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
55	+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
56	+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
57	+ http://bugzilla.maptools.org/show_bug.cgi?id=2441
58	+ http://bugzilla.maptools.org/show_bug.cgi?id=2433
59	+
60	2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
61
62	* configure.ac: libtiff 4.0.8 released.
63	diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
64	index e12b44b..5206be4 100644
65	--- a/libtiff/tif_dir.h
66	+++ b/libtiff/tif_dir.h
67	@@ -291,6 +291,7 @@ struct _TIFFField {
68	extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
69	extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
70	extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
71	+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
72
73	#if defined(__cplusplus)
74	}
75	diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
76	index 0c8ef42..97c0df0 100644
77	--- a/libtiff/tif_dirinfo.c
78	+++ b/libtiff/tif_dirinfo.c
79	@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
80	return 0;
81	}
82
83	+int
84	+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
85	+{
86	+ /* Filter out non-codec specific tags */
87	+ switch (tag) {
88	+ /* Shared tags */
89	+ case TIFFTAG_PREDICTOR:
90	+ /* JPEG tags */
91	+ case TIFFTAG_JPEGTABLES:
92	+ /* OJPEG tags */
93	+ case TIFFTAG_JPEGIFOFFSET:
94	+ case TIFFTAG_JPEGIFBYTECOUNT:
95	+ case TIFFTAG_JPEGQTABLES:
96	+ case TIFFTAG_JPEGDCTABLES:
97	+ case TIFFTAG_JPEGACTABLES:
98	+ case TIFFTAG_JPEGPROC:
99	+ case TIFFTAG_JPEGRESTARTINTERVAL:
100	+ /* CCITT* */
101	+ case TIFFTAG_BADFAXLINES:
102	+ case TIFFTAG_CLEANFAXDATA:
103	+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
104	+ case TIFFTAG_GROUP3OPTIONS:
105	+ case TIFFTAG_GROUP4OPTIONS:
106	+ break;
107	+ default:
108	+ return 1;
109	+ }
110	+ /* Check if codec specific tags are allowed for the current
111	+ * compression scheme (codec) */
112	+ switch (tif->tif_dir.td_compression) {
113	+ case COMPRESSION_LZW:
114	+ if (tag == TIFFTAG_PREDICTOR)
115	+ return 1;
116	+ break;
117	+ case COMPRESSION_PACKBITS:
118	+ /* No codec-specific tags */
119	+ break;
120	+ case COMPRESSION_THUNDERSCAN:
121	+ /* No codec-specific tags */
122	+ break;
123	+ case COMPRESSION_NEXT:
124	+ /* No codec-specific tags */
125	+ break;
126	+ case COMPRESSION_JPEG:
127	+ if (tag == TIFFTAG_JPEGTABLES)
128	+ return 1;
129	+ break;
130	+ case COMPRESSION_OJPEG:
131	+ switch (tag) {
132	+ case TIFFTAG_JPEGIFOFFSET:
133	+ case TIFFTAG_JPEGIFBYTECOUNT:
134	+ case TIFFTAG_JPEGQTABLES:
135	+ case TIFFTAG_JPEGDCTABLES:
136	+ case TIFFTAG_JPEGACTABLES:
137	+ case TIFFTAG_JPEGPROC:
138	+ case TIFFTAG_JPEGRESTARTINTERVAL:
139	+ return 1;
140	+ }
141	+ break;
142	+ case COMPRESSION_CCITTRLE:
143	+ case COMPRESSION_CCITTRLEW:
144	+ case COMPRESSION_CCITTFAX3:
145	+ case COMPRESSION_CCITTFAX4:
146	+ switch (tag) {
147	+ case TIFFTAG_BADFAXLINES:
148	+ case TIFFTAG_CLEANFAXDATA:
149	+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
150	+ return 1;
151	+ case TIFFTAG_GROUP3OPTIONS:
152	+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
153	+ return 1;
154	+ break;
155	+ case TIFFTAG_GROUP4OPTIONS:
156	+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
157	+ return 1;
158	+ break;
159	+ }
160	+ break;
161	+ case COMPRESSION_JBIG:
162	+ /* No codec-specific tags */
163	+ break;
164	+ case COMPRESSION_DEFLATE:
165	+ case COMPRESSION_ADOBE_DEFLATE:
166	+ if (tag == TIFFTAG_PREDICTOR)
167	+ return 1;
168	+ break;
169	+ case COMPRESSION_PIXARLOG:
170	+ if (tag == TIFFTAG_PREDICTOR)
171	+ return 1;
172	+ break;
173	+ case COMPRESSION_SGILOG:
174	+ case COMPRESSION_SGILOG24:
175	+ /* No codec-specific tags */
176	+ break;
177	+ case COMPRESSION_LZMA:
178	+ if (tag == TIFFTAG_PREDICTOR)
179	+ return 1;
180	+ break;
181	+
182	+ }
183	+ return 0;
184	+}
185	+
186	/* vim: set ts=8 sts=8 sw=8 noet: */
187
188	/*
189	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
190	index 1d4f0b9..f1dc3d7 100644
191	--- a/libtiff/tif_dirread.c
192	+++ b/libtiff/tif_dirread.c
193	@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
194	goto bad;
195	dp->tdir_tag=IGNORE;
196	break;
197	+ default:
198	+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
199	+ dp->tdir_tag=IGNORE;
200	+ break;
201	}
202	}
203	}
204	--
205	2.7.4
206


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch deleted file mode 100644 index fc99363284..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch +++ /dev/null
@@ -1,49 +0,0 @@
1	From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001
2	From: Even Rouault <even.rouault@spatialys.com>
3	Date: Mon, 26 Jun 2017 15:19:59 +0000
4	Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of
5	JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported
6	by team OWL337
7
8	* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
9
10	Upstream-Status: Backport
11	[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a]
12
13	CVE: CVE-2017-9936
14
15	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
16	---
17	ChangeLog \| 6 ++++++
18	libtiff/tif_jbig.c \| 1 +
19	2 files changed, 7 insertions(+)
20
21	diff --git a/ChangeLog b/ChangeLog
22	index 5739292..0240f0b 100644
23	--- a/ChangeLog
24	+++ b/ChangeLog
25	@@ -1,3 +1,9 @@
26	+2017-06-26 Even Rouault <even.rouault at spatialys.com>
27	+
28	+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
29	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
30	+ Reported by team OWL337
31	+
32	2017-06-01 Even Rouault <even.rouault at spatialys.com>
33
34	* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
35	diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
36	index 5f5f75e..c75f31d 100644
37	--- a/libtiff/tif_jbig.c
38	+++ b/libtiff/tif_jbig.c
39	@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
40	jbg_strerror(decodeStatus)
41	#endif
42	);
43	+ jbg_dec_free(&decoder);
44	return 0;
45	}
46
47	--
48	2.7.4
49