diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch | 77 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 3 |
2 files changed, 79 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch new file mode 100644 index 0000000000..f244fb2f32 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | CVE: CVE-2019-7663 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 | ||
6 | From: Thomas Bernard <miniupnp@free.fr> | ||
7 | Date: Mon, 11 Feb 2019 10:05:33 +0100 | ||
8 | Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow | ||
9 | |||
10 | fixes bug 2833 | ||
11 | --- | ||
12 | tools/tiffcp.c | 8 +++++++- | ||
13 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
16 | index 2f406e2d..f0ee2c02 100644 | ||
17 | --- a/tools/tiffcp.c | ||
18 | +++ b/tools/tiffcp.c | ||
19 | @@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
20 | int status = 1; | ||
21 | uint32 imagew = TIFFRasterScanlineSize(in); | ||
22 | uint32 tilew = TIFFTileRowSize(in); | ||
23 | - int iskew = imagew - tilew*spp; | ||
24 | + int iskew; | ||
25 | tsize_t tilesize = TIFFTileSize(in); | ||
26 | tdata_t tilebuf; | ||
27 | uint8* bufp = (uint8*) buf; | ||
28 | @@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
29 | uint32 row; | ||
30 | uint16 bps = 0, bytes_per_sample; | ||
31 | |||
32 | + if (spp > (0x7fffffff / tilew)) | ||
33 | + { | ||
34 | + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); | ||
35 | + return 0; | ||
36 | + } | ||
37 | + iskew = imagew - tilew*spp; | ||
38 | tilebuf = _TIFFmalloc(tilesize); | ||
39 | if (tilebuf == 0) | ||
40 | return 0; | ||
41 | -- | ||
42 | 2.20.1 | ||
43 | |||
44 | |||
45 | From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001 | ||
46 | From: Thomas Bernard <miniupnp@free.fr> | ||
47 | Date: Mon, 11 Feb 2019 21:42:03 +0100 | ||
48 | Subject: [PATCH 2/2] tiffcp.c: use INT_MAX | ||
49 | |||
50 | --- | ||
51 | tools/tiffcp.c | 3 ++- | ||
52 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
53 | |||
54 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
55 | index f0ee2c02..8c81aa4f 100644 | ||
56 | --- a/tools/tiffcp.c | ||
57 | +++ b/tools/tiffcp.c | ||
58 | @@ -41,6 +41,7 @@ | ||
59 | #include <stdio.h> | ||
60 | #include <stdlib.h> | ||
61 | #include <string.h> | ||
62 | +#include <limits.h> | ||
63 | |||
64 | #include <ctype.h> | ||
65 | |||
66 | @@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
67 | uint32 row; | ||
68 | uint16 bps = 0, bytes_per_sample; | ||
69 | |||
70 | - if (spp > (0x7fffffff / tilew)) | ||
71 | + if (spp > (INT_MAX / tilew)) | ||
72 | { | ||
73 | TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); | ||
74 | return 0; | ||
75 | -- | ||
76 | 2.20.1 | ||
77 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index 3c055a15dc..999496273c 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | |||
@@ -5,7 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" | |||
5 | CVE_PRODUCT = "libtiff" | 5 | CVE_PRODUCT = "libtiff" |
6 | 6 | ||
7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ |
8 | file://CVE-2019-6128.patch" | 8 | file://CVE-2019-6128.patch \ |
9 | file://CVE-2019-7663.patch" | ||
9 | SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" | 10 | SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" |
10 | SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" | 11 | SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" |
11 | 12 | ||