Diffstat (limited to 'meta/recipes-multimedia/libtiff')
6 files changed, 295 insertions, 0 deletions
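--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@
+This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+uint32 height){
+
+tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+*bufferoffset+=2;
+- i+=2;
+break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+}
+v_samp*=8;
+h_samp*=8;
+@@ -3381,45 +3404,43 @@
+(unsigned char) ((height>>8) & 0xff);
+buffer[*bufferoffset+6]=
+(unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+buffer[(*bufferoffset)++]=0xff;
+buffer[(*bufferoffset)++]=0xdd;
+buffer[(*bufferoffset)++]=0x00;
+buffer[(*bufferoffset)++]=0x04;
+buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+}
+break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+break;
+- case 0xda:
++ case 0xda: /* SOS */
+if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+} else {
+buffer[(*bufferoffset)++]=0xff;
+buffer[(*bufferoffset)++]=
+(unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+}
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+return(1);
+default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+}
++ i += datalen + 1;
+}
+-
+
++ /* failed to find SOS marker */
+return(0);
+}
+#endif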
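Review bot: In the SOF case (0xc0/0xc1/0xc3/0xc9/0xca) the only lower bound on `datalen` is the generic `datalen < 2` test, yet the code then reads `buffer[*bufferoffset+9]` and `buffer[*bufferoffset+11+(3*j)]` and, in the second hunk, writes the height byte at `buffer[*bufferoffset+6]`. With a malformed strip whose SOF segment is shorter than its component count implies, those accesses land beyond the `datalen+2` bytes just copied, so `ncomp` and the sampling factors come from whatever `buffer` held before. I would add `if (datalen < 8) return(0);` before reading `ncomp` and `if (datalen < 8 + 3*ncomp) return(0);` after the `ncomp` range check. Separately, none of the `_TIFFmemcpy` calls is bounded by a destination size; the function signature starts outside the hunk, so whether the caller guarantees enough room in `buffer` cannot be confirmed from here.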
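--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch
@@ -0,0 +1,15 @@
+This patch comes from: http://bugzilla.maptools.org/attachment.cgi?id=513&action=diff
+
+Upstream-Status: Pending
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+--- a/tools/tiff2pdf.c 2013-10-21 10:36:38.214170346 +0800
++++ b/tools/tiff2pdf.c 2013-10-21 10:38:58.246170329 +0800
+@@ -2387,6 +2387,7 @@
+TIFFFileName(input));
+t2p->t2p_error = T2P_ERR_ERROR;
+_TIFFfree(buffer);
++ return(0);
+} else {
+buffer=samplebuffer;
+t2p->tiff_datasize *= t2p->tiff_samplesperpixel;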
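Review bot: The patch header gives only a source URL, so a reader cannot tell what the added `return(0);` prevents. From the hunk, the error branch calls `_TIFFfree(buffer)` and, before this change, apparently continued past the `else` with `buffer` already freed; the header should say so, for example `Return after freeing buffer in this error path so the freed pointer is not used again (CVE-2013-4232).` The enclosing function begins and ends outside the hunk, so whether its other error paths also return after freeing should be confirmed against the full file.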
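--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch
@@ -0,0 +1,40 @@
+This patch comes from: http://bugzilla.maptools.org/attachment.cgi?id=518&action=diff#tools/gif2tiff.c_sec2
+
+Upstream-Status: Pending
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+--- a/tools/gif2tiff.c 2013-10-14 17:08:43.966239709 +0800
++++ b/tools/gif2tiff.c 2013-10-14 17:18:22.994239638 +0800
+@@ -280,6 +280,10 @@
+fprintf(stderr, "no colormap present for image\n");
+return (0);
+}
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+fprintf(stderr, "not enough memory for image\n");
+return (0);
+@@ -397,6 +401,10 @@
+return 1;
+}
+
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+if (oldcode == -1) {
+*(*fill)++ = suffix[code];
+firstchar = oldcode = code;
+@@ -428,6 +436,10 @@
+}
+oldcode = incode;
+do {
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+*(*fill)++ = *--stackp;
+} while (stackp > stack);
+return 1;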
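Review bot: The new `width == 0 || height == 0` test does not cover a product that overflows, and the same `width*height` expression is used both for the `_TIFFmalloc(width*height+EXTRAFUDGE)` size and as the bound in the two `*fill >= raster + width*height` checks. The declarations of `width` and `height` are outside the hunks; if they are `int`, two large dimensions can overflow the multiplication, which is undefined for signed types and would leave the allocation size and the bound unreliable. I would extend the guard with `(size_t)width > (SIZE_MAX - EXTRAFUDGE) / (size_t)height`, compute the size once as a `size_t`, and compare `*fill` against an end pointer stored at allocation time rather than recomputing the product at each check.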
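--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4244.patch
@@ -0,0 +1,19 @@
+This patch comes from: https://github.com/vadz/libtiff/commit/ce6841d9e41d621ba23cf18b190ee6a23b2cc833
+
+Upstream-Status: Backport
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+--- a/tools/gif2tiff.c 2013-12-17 16:46:02.160814995 +0800
++++ b/tools/gif2tiff.c 2013-12-17 16:52:25.140814949 +0800
+@@ -406,6 +406,11 @@
+return 0;
+}
+if (oldcode == -1) {
++ if (code >= clear) {
++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
++ return 0;
++ }
++
+*(*fill)++ = suffix[code];
+firstchar = oldcode = code;
+return 1;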
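Review bot: The error text says `code=%d is larger than clear=%d`, but the guard is `code >= clear`, so it also fires when the two are equal; `"bad input: code=%d is not less than clear=%d\n"` would match the condition. The check only bounds `code` from above before `suffix[code]`; `code` is declared outside the hunk, and if it is a signed type, adding `code < 0 ||` to the condition would make the index check complete. The guard covers the `oldcode == -1` branch only, so any other place where `code` indexes a table lies outside this hunk and should be checked separately.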
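--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtool2.patch
@@ -0,0 +1,19 @@
+Upstream-Status: Inappropriate [configuration]
+
+---
+configure.ac | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: tiff-3.9.5/configure.ac
+===================================================================
+--- tiff-3.9.5.orig/configure.ac
++++ tiff-3.9.5/configure.ac
+@@ -27,7 +27,7 @@ dnl Process this file with autoconf to p
+AC_PREREQ(2.64)
+AC_INIT([LibTIFF Software],[3.9.5],[tiff@lists.maptools.org],[tiff])
+AC_CONFIG_AUX_DIR(config)
+-AC_CONFIG_MACRO_DIR(m4)
++dnl AC_CONFIG_MACRO_DIR(m4)
+AC_LANG(C)
+
+dnl Compute the canonical host (run-time) system type variable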
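Review bot: This patch was generated against tiff-3.9.5 (`Index: tiff-3.9.5/configure.ac`, and the context line `AC_INIT([LibTIFF Software],[3.9.5],...)`), while the recipe in this commit that lists it is tiff_4.0.3.bb. That context line presumably does not match the 4.0.3 `configure.ac`, so the hunk would apply only with fuzz; regenerating the patch against the 4.0.3 tree would make it apply exactly. The header could also say why `AC_CONFIG_MACRO_DIR(m4)` is commented out, since `Inappropriate [configuration]` alone does not explain the change.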
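--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -0,0 +1,51 @@
+SUMMARY = "Provides support for the Tag Image File Format (TIFF)"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
+HOMEPAGE = "http://www.remotesensing.org/libtiff/"
+
+SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
+file://libtool2.patch \
+file://libtiff-CVE-2013-1960.patch \
+file://libtiff-CVE-2013-4232.patch \
+file://libtiff-CVE-2013-4243.patch \
+file://libtiff-CVE-2013-4244.patch"
+
+SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
+SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
+
+inherit autotools
+
+CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no"
+
+PACKAGECONFIG ?= "cxx jpeg zlib lzma \
+strip-chopping extrasample-as-alpha check-ycbcr-subsampling"
+
+PACKAGECONFIG[cxx] = "--enable-cxx,--disable-cxx,,"
+PACKAGECONFIG[jpeg] = "--enable-jpeg,--disable-jpeg,jpeg,"
+PACKAGECONFIG[zlib] = "--enable-zlib,--disable-zlib,zlib,"
+PACKAGECONFIG[lzma] = "--enable-lzma,--disable-lzma,xz,"
+
+# Convert single-strip uncompressed images to multiple strips of specified
+# size (default: 8192) to reduce memory usage
+PACKAGECONFIG[strip-chopping] = "--enable-strip-chopping,--disable-strip-chopping,,"
+
+# Treat a fourth sample with no EXTRASAMPLE_ value as being ASSOCALPHA
+PACKAGECONFIG[extrasample-as-alpha] = "--enable-extrasample-as-alpha,--disable-extrasample-as-alpha,,"
+
+# Control picking up YCbCr subsample info. Disable to support files lacking
+# the tag
+PACKAGECONFIG[check-ycbcr-subsampling] = "--enable-check-ycbcr-subsampling,--disable-check-ycbcr-subsampling,,"
+
+# Support a mechanism allowing reading large strips (usually one strip files)
+# in chunks when using TIFFReadScanline. Experimental 4.0+ feature
+PACKAGECONFIG[chunky-strip-read] = "--enable-chunky-strip-read,--disable-chunky-strip-read,,"
+
+PACKAGES =+ "tiffxx tiffxx-dbg tiffxx-dev tiffxx-staticdev tiff-utils tiff-utils-dbg"
+FILES_tiffxx = "${libdir}/libtiffxx.so.*"
+FILES_tiffxx-dev = "${libdir}/libtiffxx.so ${libdir}/libtiffxx.la"
+FILES_tiffxx-staticdev = "${libdir}/libtiffxx.a"
+FILES_tiffxx-dbg += "${libdir}/.debug/libtiffxx.so*"
+FILES_tiff-utils = "${bindir}/*"
+FILES_tiff-utils-dbg += "${bindir}/.debug/"
+
+BBCLASSEXTEND = "native"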
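Review bot: `SRC_URI` fetches the tarball over plain `ftp://`, so the `SRC_URI[sha256sum]` line is the only thing that authenticates the source, and nothing in the recipe says so. A comment above `SRC_URI` such as `# ftp fetch is unauthenticated; SRC_URI[sha256sum] is the integrity check` would discourage anyone from relaxing it later. Three of the four CVE patches listed here carry `Upstream-Status: Pending` in their headers in this commit, so the same comment block could note which patches are local-only and need re-checking when the recipe is next upgraded.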