2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch
new file mode 100644
index 0000000000..9b9962ed35
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch
@@ -0,0 +1,46 @@
+From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
+From: Nathan Baker <elitebadger@gmail.com>
+Date: Thu, 25 Jan 2018 21:28:15 +0000
+Subject: [PATCH] Add workaround to pal2rgb buffer overflow.
+CVE: CVE-2017-17095
+Upstream-Status: Backport (unchanged) [gitlab.com/libtiff/libtiff/commit/9171da5...]
+Signed-off-by: Joe Slater <joe.slater@windriver.com.
+---
+ tools/pal2rgb.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 0423598..01fcf94 100644
+--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
+@@ -182,8 +182,21 @@ main(int argc, char* argv[])
+        { unsigned char *ibuf, *obuf;
+          register unsigned char* pp;
+          register uint32 x;
+-         ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
+-         obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+         tmsize_t tss_in = TIFFScanlineSize(in);
+         tmsize_t tss_out = TIFFScanlineSize(out);
+         if (tss_out / tss_in < 3) {
+               /*
+                * BUG 2750: The following code does not know about chroma
+                * subsampling of JPEG data. It assumes that the output buffer is 3x
+                * the length of the input buffer due to exploding the palette into
+                * RGB tuples. If this assumption is incorrect, it could lead to a
+                * buffer overflow. Go ahead and fail now to prevent that.
+                */
+               fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
+               return -1;
+      }
+         ibuf = (unsigned char*)_TIFFmalloc(tss_in);
+         obuf = (unsigned char*)_TIFFmalloc(tss_out);
+          switch (config) {
+          case PLANARCONFIG_CONTIG:
+                for (row = 0; row < imagelength; row++) {
+-- 
+1.7.9.5
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
index fa64d11216..93beddb4da 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2018-10963.patch \
           file://CVE-2018-8905.patch \
           file://CVE-2018-7456.patch \
+           file://CVE-2017-17095.patch \
          "
 SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch new file mode 100644 index 0000000000..9b9962ed35 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch
@@ -0,0 +1,46 @@
		1	From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
		2	From: Nathan Baker <elitebadger@gmail.com>
		3	Date: Thu, 25 Jan 2018 21:28:15 +0000
		4	Subject: [PATCH] Add workaround to pal2rgb buffer overflow.
		5
		6	CVE: CVE-2017-17095
		7
		8	Upstream-Status: Backport (unchanged) [gitlab.com/libtiff/libtiff/commit/9171da5...]
		9
		10	Signed-off-by: Joe Slater <joe.slater@windriver.com.
		11
		12	---
		13	tools/pal2rgb.c \| 17 +++++++++++++++--
		14	1 file changed, 15 insertions(+), 2 deletions(-)
		15
		16	diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
		17	index 0423598..01fcf94 100644
		18	--- a/tools/pal2rgb.c
		19	+++ b/tools/pal2rgb.c
		20	@@ -182,8 +182,21 @@ main(int argc, char* argv[])
		21	{ unsigned char ibuf, obuf;
		22	register unsigned char* pp;
		23	register uint32 x;
		24	- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
		25	- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
		26	+ tmsize_t tss_in = TIFFScanlineSize(in);
		27	+ tmsize_t tss_out = TIFFScanlineSize(out);
		28	+ if (tss_out / tss_in < 3) {
		29	+ /*
		30	+ * BUG 2750: The following code does not know about chroma
		31	+ * subsampling of JPEG data. It assumes that the output buffer is 3x
		32	+ * the length of the input buffer due to exploding the palette into
		33	+ * RGB tuples. If this assumption is incorrect, it could lead to a
		34	+ * buffer overflow. Go ahead and fail now to prevent that.
		35	+ */
		36	+ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
		37	+ return -1;
		38	+ }
		39	+ ibuf = (unsigned char*)_TIFFmalloc(tss_in);
		40	+ obuf = (unsigned char*)_TIFFmalloc(tss_out);
		41	switch (config) {
		42	case PLANARCONFIG_CONTIG:
		43	for (row = 0; row < imagelength; row++) {
		44	--
		45	1.7.9.5
		46


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb index fa64d11216..93beddb4da 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12	file://CVE-2018-10963.patch \	12	file://CVE-2018-10963.patch \
13	file://CVE-2018-8905.patch \	13	file://CVE-2018-8905.patch \
14	file://CVE-2018-7456.patch \	14	file://CVE-2018-7456.patch \
		15	file://CVE-2017-17095.patch \
15	"	16	"
16		17
17	SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"	18	SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"