diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch | 195 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 |
2 files changed, 196 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch new file mode 100644 index 0000000000..0846f0f68e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch | |||
@@ -0,0 +1,195 @@ | |||
1 | From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Sun, 27 Dec 2015 16:25:11 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in | ||
5 | decode functions in non debug builds by replacing assert()s by regular if | ||
6 | checks (bugzilla #2522). Fix potential out-of-bound reads in case of short | ||
7 | input data. | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 | ||
12 | hand applied Changelog changes | ||
13 | |||
14 | CVE: CVE-2015-8781 | ||
15 | |||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | --- | ||
18 | ChangeLog | 7 +++++++ | ||
19 | libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- | ||
20 | 2 files changed, 51 insertions(+), 11 deletions(-) | ||
21 | |||
22 | Index: tiff-4.0.4/ChangeLog | ||
23 | =================================================================== | ||
24 | --- tiff-4.0.4.orig/ChangeLog | ||
25 | +++ tiff-4.0.4/ChangeLog | ||
26 | @@ -1,3 +1,10 @@ | ||
27 | +2015-12-27 Even Rouault <even.rouault at spatialys.com> | ||
28 | + | ||
29 | + * libtiff/tif_luv.c: fix potential out-of-bound writes in decode | ||
30 | + functions in non debug builds by replacing assert()s by regular if | ||
31 | + checks (bugzilla #2522). | ||
32 | + Fix potential out-of-bound reads in case of short input data. | ||
33 | + | ||
34 | 2015-12-26 Even Rouault <even.rouault at spatialys.com> | ||
35 | |||
36 | * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage | ||
37 | Index: tiff-4.0.4/libtiff/tif_luv.c | ||
38 | =================================================================== | ||
39 | --- tiff-4.0.4.orig/libtiff/tif_luv.c | ||
40 | +++ tiff-4.0.4/libtiff/tif_luv.c | ||
41 | @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
42 | if (sp->user_datafmt == SGILOGDATAFMT_16BIT) | ||
43 | tp = (int16*) op; | ||
44 | else { | ||
45 | - assert(sp->tbuflen >= npixels); | ||
46 | + if(sp->tbuflen < npixels) { | ||
47 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
48 | + "Translation buffer too short"); | ||
49 | + return (0); | ||
50 | + } | ||
51 | tp = (int16*) sp->tbuf; | ||
52 | } | ||
53 | _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); | ||
54 | @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
55 | cc = tif->tif_rawcc; | ||
56 | /* get each byte string */ | ||
57 | for (shft = 2*8; (shft -= 8) >= 0; ) { | ||
58 | - for (i = 0; i < npixels && cc > 0; ) | ||
59 | + for (i = 0; i < npixels && cc > 0; ) { | ||
60 | if (*bp >= 128) { /* run */ | ||
61 | - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ | ||
62 | + if( cc < 2 ) | ||
63 | + break; | ||
64 | + rc = *bp++ + (2-128); | ||
65 | b = (int16)(*bp++ << shft); | ||
66 | cc -= 2; | ||
67 | while (rc-- && i < npixels) | ||
68 | @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz | ||
69 | while (--cc && rc-- && i < npixels) | ||
70 | tp[i++] |= (int16)*bp++ << shft; | ||
71 | } | ||
72 | + } | ||
73 | if (i != npixels) { | ||
74 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
75 | TIFFErrorExt(tif->tif_clientdata, module, | ||
76 | @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms | ||
77 | if (sp->user_datafmt == SGILOGDATAFMT_RAW) | ||
78 | tp = (uint32 *)op; | ||
79 | else { | ||
80 | - assert(sp->tbuflen >= npixels); | ||
81 | + if(sp->tbuflen < npixels) { | ||
82 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
83 | + "Translation buffer too short"); | ||
84 | + return (0); | ||
85 | + } | ||
86 | tp = (uint32 *) sp->tbuf; | ||
87 | } | ||
88 | /* copy to array of uint32 */ | ||
89 | bp = (unsigned char*) tif->tif_rawcp; | ||
90 | cc = tif->tif_rawcc; | ||
91 | - for (i = 0; i < npixels && cc > 0; i++) { | ||
92 | + for (i = 0; i < npixels && cc >= 3; i++) { | ||
93 | tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; | ||
94 | bp += 3; | ||
95 | cc -= 3; | ||
96 | @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
97 | if (sp->user_datafmt == SGILOGDATAFMT_RAW) | ||
98 | tp = (uint32*) op; | ||
99 | else { | ||
100 | - assert(sp->tbuflen >= npixels); | ||
101 | + if(sp->tbuflen < npixels) { | ||
102 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
103 | + "Translation buffer too short"); | ||
104 | + return (0); | ||
105 | + } | ||
106 | tp = (uint32*) sp->tbuf; | ||
107 | } | ||
108 | _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); | ||
109 | @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
110 | cc = tif->tif_rawcc; | ||
111 | /* get each byte string */ | ||
112 | for (shft = 4*8; (shft -= 8) >= 0; ) { | ||
113 | - for (i = 0; i < npixels && cc > 0; ) | ||
114 | + for (i = 0; i < npixels && cc > 0; ) { | ||
115 | if (*bp >= 128) { /* run */ | ||
116 | + if( cc < 2 ) | ||
117 | + break; | ||
118 | rc = *bp++ + (2-128); | ||
119 | b = (uint32)*bp++ << shft; | ||
120 | - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ | ||
121 | + cc -= 2; | ||
122 | while (rc-- && i < npixels) | ||
123 | tp[i++] |= b; | ||
124 | } else { /* non-run */ | ||
125 | @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms | ||
126 | while (--cc && rc-- && i < npixels) | ||
127 | tp[i++] |= (uint32)*bp++ << shft; | ||
128 | } | ||
129 | + } | ||
130 | if (i != npixels) { | ||
131 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
132 | TIFFErrorExt(tif->tif_clientdata, module, | ||
133 | @@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t | ||
134 | static int | ||
135 | LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
136 | { | ||
137 | + static const char module[] = "LogL16Encode"; | ||
138 | LogLuvState* sp = EncoderState(tif); | ||
139 | int shft; | ||
140 | tmsize_t i; | ||
141 | @@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz | ||
142 | tp = (int16*) bp; | ||
143 | else { | ||
144 | tp = (int16*) sp->tbuf; | ||
145 | - assert(sp->tbuflen >= npixels); | ||
146 | + if(sp->tbuflen < npixels) { | ||
147 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
148 | + "Translation buffer too short"); | ||
149 | + return (0); | ||
150 | + } | ||
151 | (*sp->tfunc)(sp, bp, npixels); | ||
152 | } | ||
153 | /* compress each byte string */ | ||
154 | @@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz | ||
155 | static int | ||
156 | LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
157 | { | ||
158 | + static const char module[] = "LogLuvEncode24"; | ||
159 | LogLuvState* sp = EncoderState(tif); | ||
160 | tmsize_t i; | ||
161 | tmsize_t npixels; | ||
162 | @@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms | ||
163 | tp = (uint32*) bp; | ||
164 | else { | ||
165 | tp = (uint32*) sp->tbuf; | ||
166 | - assert(sp->tbuflen >= npixels); | ||
167 | + if(sp->tbuflen < npixels) { | ||
168 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
169 | + "Translation buffer too short"); | ||
170 | + return (0); | ||
171 | + } | ||
172 | (*sp->tfunc)(sp, bp, npixels); | ||
173 | } | ||
174 | /* write out encoded pixels */ | ||
175 | @@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms | ||
176 | static int | ||
177 | LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) | ||
178 | { | ||
179 | + static const char module[] = "LogLuvEncode32"; | ||
180 | LogLuvState* sp = EncoderState(tif); | ||
181 | int shft; | ||
182 | tmsize_t i; | ||
183 | @@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms | ||
184 | tp = (uint32*) bp; | ||
185 | else { | ||
186 | tp = (uint32*) sp->tbuf; | ||
187 | - assert(sp->tbuflen >= npixels); | ||
188 | + if(sp->tbuflen < npixels) { | ||
189 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
190 | + "Translation buffer too short"); | ||
191 | + return (0); | ||
192 | + } | ||
193 | (*sp->tfunc)(sp, bp, npixels); | ||
194 | } | ||
195 | /* compress each byte string */ | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 810a5e4c7d..9879c8bfab 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | |||
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/" | |||
6 | SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ | 6 | SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ |
7 | file://libtool2.patch \ | 7 | file://libtool2.patch \ |
8 | file://CVE-2015-8665_8683.patch \ | 8 | file://CVE-2015-8665_8683.patch \ |
9 | file://CVE-2015-8781.patch \ | ||
9 | " | 10 | " |
10 | 11 | ||
11 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" | 12 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" |