1 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
new file mode 100644
index 0000000000..380dfcbbba
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
@@ -0,0 +1,98 @@
+From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 19:02:49 +0000
+Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+ _TIFFcalloc()
+* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+initialize tif_rawdata.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+Upstream-Status: Backport
+CVE: CVE-2017-7593
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog   2017-04-25 19:03:20.584155452 +0530
+++ tiff-4.0.7/ChangeLog        2017-04-26 12:09:41.986866896 +0530
+@@ -44,6 +44,14 @@
+ 
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ 
+       * libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc()
+
+       * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+       initialize tif_rawdata.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
+        avoid UndefinedBehaviorSanitizer warning.
+        Patch by Nicolas Pena.
+Index: tiff-4.0.7/libtiff/tif_read.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_read.c  2017-04-25 19:03:20.584155452 +0530
+++ tiff-4.0.7/libtiff/tif_read.c       2017-04-26 12:11:42.814863729 +0530
+@@ -986,7 +986,9 @@
+                                 "Invalid buffer size");
+                    return (0);
+                }
+-               tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+                /* Initialize to zero to avoid uninitialized buffers in case of */
+                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+                tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+                tif->tif_flags |= TIFF_MYBUFFER;
+        }
+        if (tif->tif_rawdata == NULL) {
+Index: tiff-4.0.7/libtiff/tif_unix.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_unix.c  2015-08-29 03:46:22.707817041 +0530
+++ tiff-4.0.7/libtiff/tif_unix.c       2017-04-26 12:13:07.442861510 +0530
+@@ -316,6 +316,14 @@
+        return (malloc((size_t) s));
+ }
+ 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
+ void
+ _TIFFfree(void* p)
+ {
+Index: tiff-4.0.7/libtiff/tif_win32.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_win32.c 2015-08-29 03:46:22.730570169 +0530
+++ tiff-4.0.7/libtiff/tif_win32.c      2017-04-26 12:14:12.918859794 +0530
+@@ -360,6 +360,14 @@
+        return (malloc((size_t) s));
+ }
+ 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
+ void
+ _TIFFfree(void* p)
+ {
+Index: tiff-4.0.7/libtiff/tiffio.h
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tiffio.h    2016-01-24 21:09:51.894442042 +0530
+++ tiff-4.0.7/libtiff/tiffio.h 2017-04-26 12:15:55.034857117 +0530
+@@ -293,6 +293,7 @@
+  */
+ 
+ extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch new file mode 100644 index 0000000000..380dfcbbba --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
@@ -0,0 +1,98 @@
	1	From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
	2	From: erouault <erouault>
	3	Date: Wed, 11 Jan 2017 19:02:49 +0000
	4	Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
	5	_TIFFcalloc()
	6
	7	* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
	8	initialize tif_rawdata.
	9	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
	10
	11	Upstream-Status: Backport
	12
	13	CVE: CVE-2017-7593
	14	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
	15	Index: tiff-4.0.7/ChangeLog
	16	===================================================================
	17	--- tiff-4.0.7.orig/ChangeLog 2017-04-25 19:03:20.584155452 +0530
	18	+++ tiff-4.0.7/ChangeLog 2017-04-26 12:09:41.986866896 +0530
	19	@@ -44,6 +44,14 @@
	20
	21	2017-01-11 Even Rouault <even.rouault at spatialys.com>
	22
	23	+ * libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc()
	24	+
	25	+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
	26	+ initialize tif_rawdata.
	27	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
	28	+
	29	+2017-01-11 Even Rouault <even.rouault at spatialys.com>
	30	+
	31	* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
	32	avoid UndefinedBehaviorSanitizer warning.
	33	Patch by Nicolas Pena.
	34	Index: tiff-4.0.7/libtiff/tif_read.c
	35	===================================================================
	36	--- tiff-4.0.7.orig/libtiff/tif_read.c 2017-04-25 19:03:20.584155452 +0530
	37	+++ tiff-4.0.7/libtiff/tif_read.c 2017-04-26 12:11:42.814863729 +0530
	38	@@ -986,7 +986,9 @@
	39	"Invalid buffer size");
	40	return (0);
	41	}
	42	- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
	43	+ /* Initialize to zero to avoid uninitialized buffers in case of */
	44	+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
	45	+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
	46	tif->tif_flags \|= TIFF_MYBUFFER;
	47	}
	48	if (tif->tif_rawdata == NULL) {
	49	Index: tiff-4.0.7/libtiff/tif_unix.c
	50	===================================================================
	51	--- tiff-4.0.7.orig/libtiff/tif_unix.c 2015-08-29 03:46:22.707817041 +0530
	52	+++ tiff-4.0.7/libtiff/tif_unix.c 2017-04-26 12:13:07.442861510 +0530
	53	@@ -316,6 +316,14 @@
	54	return (malloc((size_t) s));
	55	}
	56
	57	+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
	58	+{
	59	+ if( nmemb == 0 \|\| siz == 0 )
	60	+ return ((void *) NULL);
	61	+
	62	+ return calloc((size_t) nmemb, (size_t)siz);
	63	+}
	64	+
	65	void
	66	_TIFFfree(void* p)
	67	{
	68	Index: tiff-4.0.7/libtiff/tif_win32.c
	69	===================================================================
	70	--- tiff-4.0.7.orig/libtiff/tif_win32.c 2015-08-29 03:46:22.730570169 +0530
	71	+++ tiff-4.0.7/libtiff/tif_win32.c 2017-04-26 12:14:12.918859794 +0530
	72	@@ -360,6 +360,14 @@
	73	return (malloc((size_t) s));
	74	}
	75
	76	+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
	77	+{
	78	+ if( nmemb == 0 \|\| siz == 0 )
	79	+ return ((void *) NULL);
	80	+
	81	+ return calloc((size_t) nmemb, (size_t)siz);
	82	+}
	83	+
	84	void
	85	_TIFFfree(void* p)
	86	{
	87	Index: tiff-4.0.7/libtiff/tiffio.h
	88	===================================================================
	89	--- tiff-4.0.7.orig/libtiff/tiffio.h 2016-01-24 21:09:51.894442042 +0530
	90	+++ tiff-4.0.7/libtiff/tiffio.h 2017-04-26 12:15:55.034857117 +0530
	91	@@ -293,6 +293,7 @@
	92	*/
	93
	94	extern void* _TIFFmalloc(tmsize_t s);
	95	+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
	96	extern void* _TIFFrealloc(void* p, tmsize_t s);
	97	extern void _TIFFmemset(void* p, int v, tmsize_t c);
	98	extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);