From a7301f1b499a971f6b208865f1241aaffa4b1dde Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Wed, 7 Dec 2016 16:01:11 +0800 Subject: tiff: Security fix CVE-2016-9535 * libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535 Patch from: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 (From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275) (From OE-Core rev: d55b4470c20f4a4b73b1e6f148a45d94649dfdb5) Signed-off-by: Mingli Yu Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Signed-off-by: Sona Sarmadi --- .../libtiff/files/CVE-2016-9535-2.patch | 67 ++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch') diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch new file mode 100644 index 0000000000..977dbf6c87 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch @@ -0,0 +1,67 @@ +From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Fri, 4 Nov 2016 09:19:13 +0000 +Subject: [PATCH 2/2] Fix CVE-2016-9535 +* libtiff/tif_predic.c: fix memory leaks in error code + paths added in previous commit (fix for MSVR 35105) + +CVE: CVE-2016-9535 +Upstream-Status: Backport +https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 + +Signed-off-by: Mingli Yu + +--- + libtiff/tif_predict.c | 8 ++++++-- + 1 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c +index b829259..3f42f3b 100644 +--- a/libtiff/tif_predict.c ++++ b/libtiff/tif_predict.c +@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) + tmsize_t wc = cc / bps; + tmsize_t count = cc; + uint8 *cp = (uint8 *) cp0; +- uint8 *tmp = (uint8 *)_TIFFmalloc(cc); ++ uint8 *tmp; + + if(cc%(bps*stride)!=0) + { +@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) + return 0; + } + ++ tmp = (uint8 *)_TIFFmalloc(cc); + if (!tmp) + return 0; + +@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) + tmsize_t wc = cc / bps; + tmsize_t count; + uint8 *cp = (uint8 *) cp0; +- uint8 *tmp = (uint8 *)_TIFFmalloc(cc); ++ uint8 *tmp; + + if((cc%(bps*stride))!=0) + { +@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) + "%s", "(cc%(bps*stride))!=0"); + return 0; + } ++ ++ tmp = (uint8 *)_TIFFmalloc(cc); + if (!tmp) + return 0; + +@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s) + { + TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile", + "%s", "(cc0%rowsize)!=0"); ++ _TIFFfree( working_copy ); + return 0; + } + while (cc > 0) { +-- +2.9.3 + -- cgit v1.2.3-54-g00ecf