summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch42
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch160
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch135
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.9.bb3
4 files changed, 340 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
new file mode 100644
index 0000000000..878e0de959
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
@@ -0,0 +1,42 @@
1From 293c8b0298e91d20ba51291e2351ab7d110671d0 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sun, 31 Dec 2017 15:09:41 +0100
4Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
5 dereference on corrupted file. Fixes
6 http://bugzilla.maptools.org/show_bug.cgi?id=2770
7
8Upstream-Status: Backport
9[https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01]
10
11CVE: CVE-2017-18013
12
13Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
14---
15 libtiff/tif_print.c | 8 ++++----
16 1 file changed, 4 insertions(+), 4 deletions(-)
17
18diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
19index 24d4b98..f494cfb 100644
20--- a/libtiff/tif_print.c
21+++ b/libtiff/tif_print.c
22@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
23 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
24 fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
25 (unsigned long) s,
26- (unsigned __int64) td->td_stripoffset[s],
27- (unsigned __int64) td->td_stripbytecount[s]);
28+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
29+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
30 #else
31 fprintf(fd, " %3lu: [%8llu, %8llu]\n",
32 (unsigned long) s,
33- (unsigned long long) td->td_stripoffset[s],
34- (unsigned long long) td->td_stripbytecount[s]);
35+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
36+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
37 #endif
38 }
39 }
40--
412.7.4
42
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
new file mode 100644
index 0000000000..60684dd2a6
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
@@ -0,0 +1,160 @@
1From abb0055d21c52a9925314d5b0628fb2b6307619c Mon Sep 17 00:00:00 2001
2From: Brian May <brian@linuxpenguins.xyz>
3Date: Thu, 7 Dec 2017 07:46:47 +1100
4Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
5
6Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
7
8This vulnerability - at least for the supplied test case - is because we
9assume that a tiff will only have one transfer function that is the same
10for all pages. This is not required by the TIFF standards.
11
12We than read the transfer function for every page. Depending on the
13transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
14We allocate this memory after we read in the transfer function for the
15page.
16
17For the first exploit - POC1, this file has 3 pages. For the first page
18we allocate 2 extra extra XREF entries. Then for the next page 2 more
19entries. Then for the last page the transfer function changes and we
20allocate 4 more entries.
21
22When we read the file into memory, we assume we have 4 bytes extra for
23each and every page (as per the last transfer function we read). Which
24is not correct, we only have 2 bytes extra for the first 2 pages. As a
25result, we end up writing past the end of the buffer.
26
27There are also some related issues that this also fixes. For example,
28TIFFGetField can return uninitalized pointer values, and the logic to
29detect a N=3 vs N=1 transfer function seemed rather strange.
30
31It is also strange that we declare the transfer functions to be of type
32float, when the standard says they are unsigned 16 bit values. This is
33fixed in another patch.
34
35This patch will check to ensure that the N value for every transfer
36function is the same for every page. If this changes, we abort with an
37error. In theory, we should perhaps check that the transfer function
38itself is identical for every page, however we don't do that due to the
39confusion of the type of the data in the transfer function.
40
41Upstream-Status: Backport
42[https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940]
43
44CVE: CVE-2017-9935
45
46Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
47---
48 libtiff/tif_dir.c | 3 +++
49 tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------
50 2 files changed, 47 insertions(+), 21 deletions(-)
51
52diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
53index f00f808..c36a5f3 100644
54--- a/libtiff/tif_dir.c
55+++ b/libtiff/tif_dir.c
56@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
57 if (td->td_samplesperpixel - td->td_extrasamples > 1) {
58 *va_arg(ap, uint16**) = td->td_transferfunction[1];
59 *va_arg(ap, uint16**) = td->td_transferfunction[2];
60+ } else {
61+ *va_arg(ap, uint16**) = NULL;
62+ *va_arg(ap, uint16**) = NULL;
63 }
64 break;
65 case TIFFTAG_REFERENCEBLACKWHITE:
66diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
67index 454befb..0b5973e 100644
68--- a/tools/tiff2pdf.c
69+++ b/tools/tiff2pdf.c
70@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
71 uint16 pagen=0;
72 uint16 paged=0;
73 uint16 xuint16=0;
74+ uint16 tiff_transferfunctioncount=0;
75+ float* tiff_transferfunction[3];
76
77 directorycount=TIFFNumberOfDirectories(input);
78 t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
79@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
80 }
81 #endif
82 if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
83- &(t2p->tiff_transferfunction[0]),
84- &(t2p->tiff_transferfunction[1]),
85- &(t2p->tiff_transferfunction[2]))) {
86- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
87- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
88- (t2p->tiff_transferfunction[1] !=
89- t2p->tiff_transferfunction[0])) {
90- t2p->tiff_transferfunctioncount = 3;
91- t2p->tiff_pages[i].page_extra += 4;
92- t2p->pdf_xrefcount += 4;
93- } else {
94- t2p->tiff_transferfunctioncount = 1;
95- t2p->tiff_pages[i].page_extra += 2;
96- t2p->pdf_xrefcount += 2;
97- }
98- if(t2p->pdf_minorversion < 2)
99- t2p->pdf_minorversion = 2;
100+ &(tiff_transferfunction[0]),
101+ &(tiff_transferfunction[1]),
102+ &(tiff_transferfunction[2]))) {
103+
104+ if((tiff_transferfunction[1] != (float*) NULL) &&
105+ (tiff_transferfunction[2] != (float*) NULL)
106+ ) {
107+ tiff_transferfunctioncount=3;
108+ } else {
109+ tiff_transferfunctioncount=1;
110+ }
111 } else {
112- t2p->tiff_transferfunctioncount=0;
113+ tiff_transferfunctioncount=0;
114 }
115+
116+ if (i > 0){
117+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
118+ TIFFError(
119+ TIFF2PDF_MODULE,
120+ "Different transfer function on page %d",
121+ i);
122+ t2p->t2p_error = T2P_ERR_ERROR;
123+ return;
124+ }
125+ }
126+
127+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
128+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
129+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
130+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
131+ if(tiff_transferfunctioncount == 3){
132+ t2p->tiff_pages[i].page_extra += 4;
133+ t2p->pdf_xrefcount += 4;
134+ if(t2p->pdf_minorversion < 2)
135+ t2p->pdf_minorversion = 2;
136+ } else if (tiff_transferfunctioncount == 1){
137+ t2p->tiff_pages[i].page_extra += 2;
138+ t2p->pdf_xrefcount += 2;
139+ if(t2p->pdf_minorversion < 2)
140+ t2p->pdf_minorversion = 2;
141+ }
142+
143 if( TIFFGetField(
144 input,
145 TIFFTAG_ICCPROFILE,
146@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
147 &(t2p->tiff_transferfunction[1]),
148 &(t2p->tiff_transferfunction[2]))) {
149 if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
150- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
151- (t2p->tiff_transferfunction[1] !=
152- t2p->tiff_transferfunction[0])) {
153+ (t2p->tiff_transferfunction[2] != (float*) NULL)
154+ ) {
155 t2p->tiff_transferfunctioncount=3;
156 } else {
157 t2p->tiff_transferfunctioncount=1;
158--
1592.7.4
160
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
new file mode 100644
index 0000000000..406001d579
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
@@ -0,0 +1,135 @@
1From 6cdea15213be6b67d9f8380c7bb40e325d3adace Mon Sep 17 00:00:00 2001
2From: Nathan Baker <nathanb@lenovo-chrome.com>
3Date: Tue, 6 Feb 2018 10:13:57 -0500
4Subject: [PATCH] Fix for bug 2772
5
6It is possible to craft a TIFF document where the IFD list is circular,
7leading to an infinite loop while traversing the chain. The libtiff
8directory reader has a failsafe that will break out of this loop after
9reading 65535 directory entries, but it will continue processing,
10consuming time and resources to process what is essentially a bogus TIFF
11document.
12
13This change fixes the above behavior by breaking out of processing when
14a TIFF document has >= 65535 directories and terminating with an error.
15
16Upstream-Status: Backport
17[https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef]
18
19CVE: CVE-2018-5784
20
21Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
22---
23 contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
24 tools/tiff2pdf.c | 10 ++++++++++
25 tools/tiffcrop.c | 13 +++++++++++--
26 3 files changed, 34 insertions(+), 3 deletions(-)
27
28diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
29index c61ffbb..03b3573 100644
30--- a/contrib/addtiffo/tif_overview.c
31+++ b/contrib/addtiffo/tif_overview.c
32@@ -65,6 +65,8 @@
33 # define MAX(a,b) ((a>b) ? a : b)
34 #endif
35
36+#define TIFF_DIR_MAX 65534
37+
38 void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
39 int (*)(double,void*), void * );
40
41@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
42 {
43 toff_t nBaseDirOffset;
44 toff_t nOffset;
45+ tdir_t iNumDir;
46
47 (void) bUseSubIFDs;
48
49@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
50 return 0;
51
52 TIFFWriteDirectory( hTIFF );
53- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
54+ iNumDir = TIFFNumberOfDirectories(hTIFF);
55+ if( iNumDir > TIFF_DIR_MAX )
56+ {
57+ TIFFErrorExt( TIFFClientdata(hTIFF),
58+ "TIFF_WriteOverview",
59+ "File `%s' has too many directories.\n",
60+ TIFFFileName(hTIFF) );
61+ exit(-1);
62+ }
63+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
64
65 nOffset = TIFFCurrentDirOffset( hTIFF );
66
67diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
68index 0b5973e..ef5d6a0 100644
69--- a/tools/tiff2pdf.c
70+++ b/tools/tiff2pdf.c
71@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
72
73 #define PS_UNIT_SIZE 72.0F
74
75+#define TIFF_DIR_MAX 65534
76+
77 /* This type is of PDF color spaces. */
78 typedef enum {
79 T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
80@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
81 float* tiff_transferfunction[3];
82
83 directorycount=TIFFNumberOfDirectories(input);
84+ if(directorycount > TIFF_DIR_MAX) {
85+ TIFFError(
86+ TIFF2PDF_MODULE,
87+ "TIFF contains too many directories, %s",
88+ TIFFFileName(input));
89+ t2p->t2p_error = T2P_ERR_ERROR;
90+ return;
91+ }
92 t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
93 if(t2p->tiff_pages==NULL){
94 TIFFError(
95diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
96index c69177e..c60cb38 100644
97--- a/tools/tiffcrop.c
98+++ b/tools/tiffcrop.c
99@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
100 #define DUMP_TEXT 1
101 #define DUMP_RAW 2
102
103+#define TIFF_DIR_MAX 65534
104+
105 /* Offsets into buffer for margins and fixed width and length segments */
106 struct offset {
107 uint32 tmargin;
108@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
109 pageNum = -1;
110 else
111 total_images = 0;
112- /* read multiple input files and write to output file(s) */
113+ /* Read multiple input files and write to output file(s) */
114 while (optind < argc - 1)
115 {
116 in = TIFFOpen (argv[optind], "r");
117@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
118 return (-3);
119
120 /* If only one input file is specified, we can use directory count */
121- total_images = TIFFNumberOfDirectories(in);
122+ total_images = TIFFNumberOfDirectories(in);
123+ if (total_images > TIFF_DIR_MAX)
124+ {
125+ TIFFError (TIFFFileName(in), "File contains too many directories");
126+ if (out != NULL)
127+ (void) TIFFClose(out);
128+ return (1);
129+ }
130 if (image_count == 0)
131 {
132 dirnum = 0;
133--
1342.7.4
135
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
index b8f895b143..8c3bba5c64 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -6,6 +6,9 @@ CVE_PRODUCT = "libtiff"
6 6
7SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ 7SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
8 file://libtool2.patch \ 8 file://libtool2.patch \
9 file://CVE-2017-9935.patch \
10 file://CVE-2017-18013.patch \
11 file://CVE-2018-5784.patch \
9 " 12 "
10 13
11SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" 14SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"