summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch98
1 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
new file mode 100644
index 0000000000..380dfcbbba
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
@@ -0,0 +1,98 @@
1From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Wed, 11 Jan 2017 19:02:49 +0000
4Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
5 _TIFFcalloc()
6
7* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
8initialize tif_rawdata.
9Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
10
11Upstream-Status: Backport
12
13CVE: CVE-2017-7593
14Signed-off-by: Rajkumar Veer <rveer@mvista.com>
15Index: tiff-4.0.7/ChangeLog
16===================================================================
17--- tiff-4.0.7.orig/ChangeLog 2017-04-25 19:03:20.584155452 +0530
18+++ tiff-4.0.7/ChangeLog 2017-04-26 12:09:41.986866896 +0530
19@@ -44,6 +44,14 @@
20
21 2017-01-11 Even Rouault <even.rouault at spatialys.com>
22
23+ * libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc()
24+
25+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
26+ initialize tif_rawdata.
27+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
28+
29+2017-01-11 Even Rouault <even.rouault at spatialys.com>
30+
31 * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
32 avoid UndefinedBehaviorSanitizer warning.
33 Patch by Nicolas Pena.
34Index: tiff-4.0.7/libtiff/tif_read.c
35===================================================================
36--- tiff-4.0.7.orig/libtiff/tif_read.c 2017-04-25 19:03:20.584155452 +0530
37+++ tiff-4.0.7/libtiff/tif_read.c 2017-04-26 12:11:42.814863729 +0530
38@@ -986,7 +986,9 @@
39 "Invalid buffer size");
40 return (0);
41 }
42- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
43+ /* Initialize to zero to avoid uninitialized buffers in case of */
44+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
45+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
46 tif->tif_flags |= TIFF_MYBUFFER;
47 }
48 if (tif->tif_rawdata == NULL) {
49Index: tiff-4.0.7/libtiff/tif_unix.c
50===================================================================
51--- tiff-4.0.7.orig/libtiff/tif_unix.c 2015-08-29 03:46:22.707817041 +0530
52+++ tiff-4.0.7/libtiff/tif_unix.c 2017-04-26 12:13:07.442861510 +0530
53@@ -316,6 +316,14 @@
54 return (malloc((size_t) s));
55 }
56
57+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
58+{
59+ if( nmemb == 0 || siz == 0 )
60+ return ((void *) NULL);
61+
62+ return calloc((size_t) nmemb, (size_t)siz);
63+}
64+
65 void
66 _TIFFfree(void* p)
67 {
68Index: tiff-4.0.7/libtiff/tif_win32.c
69===================================================================
70--- tiff-4.0.7.orig/libtiff/tif_win32.c 2015-08-29 03:46:22.730570169 +0530
71+++ tiff-4.0.7/libtiff/tif_win32.c 2017-04-26 12:14:12.918859794 +0530
72@@ -360,6 +360,14 @@
73 return (malloc((size_t) s));
74 }
75
76+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
77+{
78+ if( nmemb == 0 || siz == 0 )
79+ return ((void *) NULL);
80+
81+ return calloc((size_t) nmemb, (size_t)siz);
82+}
83+
84 void
85 _TIFFfree(void* p)
86 {
87Index: tiff-4.0.7/libtiff/tiffio.h
88===================================================================
89--- tiff-4.0.7.orig/libtiff/tiffio.h 2016-01-24 21:09:51.894442042 +0530
90+++ tiff-4.0.7/libtiff/tiffio.h 2017-04-26 12:15:55.034857117 +0530
91@@ -293,6 +293,7 @@
92 */
93
94 extern void* _TIFFmalloc(tmsize_t s);
95+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
96 extern void* _TIFFrealloc(void* p, tmsize_t s);
97 extern void _TIFFmemset(void* p, int v, tmsize_t c);
98 extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);