tiff: Security fix CVE-2015-8781

CVE-2015-8781 libtiff: out-of-bounds writes for invalid images (From OE-Core rev: 29c80024bdb67477dae47d8fb903feda2efe75d4) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-01-29 17:39:36 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-30 12:13:09 +0000
commit: c6ae9c1fae18b7efbc028f04315690fd3544ee49 (patch)
tree: 1343302473c599a140e853da3f849e43a939e4bf
parent: 049b7db30c51c25006f914cdb502982d733e0bb1 (diff)
download: poky-c6ae9c1fae18b7efbc028f04315690fd3544ee49.tar.gz
2 files changed, 197 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
new file mode 100644
index 0000000000..bdbe69695c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
@@ -0,0 +1,196 @@
+From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 27 Dec 2015 16:25:11 +0000
+Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
+ decode functions in non debug builds by replacing assert()s by regular if
+ checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
+ input data.
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
+hand applied Changelog changes
+CVE: CVE-2015-8781
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog         |  7 +++++++
+ libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 51 insertions(+), 11 deletions(-)
+Index: tiff-4.0.4/ChangeLog
+===================================================================
+--- tiff-4.0.4.orig/ChangeLog
+++ tiff-4.0.4/ChangeLog
+@@ -1,3 +1,11 @@
+2015-12-27  Even Rouault <even.rouault at spatialys.com>
+
+   * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+   functions in non debug builds by replacing assert()s by regular if
+   checks (bugzilla #2522).
+   Fix potential out-of-bound reads in case of short input data.
+
+
+ 2015-06-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+ 
+        * libtiff 4.0.4 released.
+Index: tiff-4.0.4/libtiff/tif_luv.c
+===================================================================
+--- tiff-4.0.4.orig/libtiff/tif_luv.c
+++ tiff-4.0.4/libtiff/tif_luv.c
+@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+        if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+                tp = (int16*) op;
+        else {
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                tp = (int16*) sp->tbuf;
+        }
+        _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+        cc = tif->tif_rawcc;
+        /* get each byte string */
+        for (shft = 2*8; (shft -= 8) >= 0; ) {
+-               for (i = 0; i < npixels && cc > 0; )
+               for (i = 0; i < npixels && cc > 0; ) {
+                        if (*bp >= 128) {               /* run */
+-                               rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+                               if( cc < 2 )
+                                       break;
+                               rc = *bp++ + (2-128);
+                                b = (int16)(*bp++ << shft);
+                                cc -= 2;
+                                while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+                                while (--cc && rc-- && i < npixels)
+                                        tp[i++] |= (int16)*bp++ << shft;
+                        }
+               }
+                if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                        TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
+        if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+                tp = (uint32 *)op;
+        else {
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                tp = (uint32 *) sp->tbuf;
+        }
+        /* copy to array of uint32 */
+        bp = (unsigned char*) tif->tif_rawcp;
+        cc = tif->tif_rawcc;
+-       for (i = 0; i < npixels && cc > 0; i++) {
+       for (i = 0; i < npixels && cc >= 3; i++) {
+                tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+                bp += 3;
+                cc -= 3;
+@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+        if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+                tp = (uint32*) op;
+        else {
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                tp = (uint32*) sp->tbuf;
+        }
+        _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+        cc = tif->tif_rawcc;
+        /* get each byte string */
+        for (shft = 4*8; (shft -= 8) >= 0; ) {
+-               for (i = 0; i < npixels && cc > 0; )
+               for (i = 0; i < npixels && cc > 0; ) {
+                        if (*bp >= 128) {               /* run */
+                               if( cc < 2 )
+                                       break;
+                                rc = *bp++ + (2-128);
+                                b = (uint32)*bp++ << shft;
+-                               cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+                               cc -= 2;
+                                while (rc-- && i < npixels)
+                                        tp[i++] |= b;
+                        } else {                        /* non-run */
+@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+                                while (--cc && rc-- && i < npixels)
+                                        tp[i++] |= (uint32)*bp++ << shft;
+                        }
+               }
+                if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                        TIFFErrorExt(tif->tif_clientdata, module,
+@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
+       static const char module[] = "LogL16Encode";
+        LogLuvState* sp = EncoderState(tif);
+        int shft;
+        tmsize_t i;
+@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
+                tp = (int16*) bp;
+        else {
+                tp = (int16*) sp->tbuf;
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                (*sp->tfunc)(sp, bp, npixels);
+        }
+        /* compress each byte string */
+@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
+       static const char module[] = "LogLuvEncode24";
+        LogLuvState* sp = EncoderState(tif);
+        tmsize_t i;
+        tmsize_t npixels;
+@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
+                tp = (uint32*) bp;
+        else {
+                tp = (uint32*) sp->tbuf;
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                (*sp->tfunc)(sp, bp, npixels);
+        }
+        /* write out encoded pixels */
+@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
+       static const char module[] = "LogLuvEncode32";
+        LogLuvState* sp = EncoderState(tif);
+        int shft;
+        tmsize_t i;
+@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
+                tp = (uint32*) bp;
+        else {
+                tp = (uint32*) sp->tbuf;
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                (*sp->tfunc)(sp, bp, npixels);
+        }
+        /* compress each byte string */
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
index cf3a5f04c5..6166663fca 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
@@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
 SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
           file://libtool2.patch \
+           file://CVE-2015-8781.patch \
          "
 SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900"
author	Armin Kuster <akuster@mvista.com>	2016-01-29 17:39:36 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-30 12:13:09 +0000
commit	c6ae9c1fae18b7efbc028f04315690fd3544ee49 (patch)
tree	1343302473c599a140e853da3f849e43a939e4bf
parent	049b7db30c51c25006f914cdb502982d733e0bb1 (diff)
download	poky-c6ae9c1fae18b7efbc028f04315690fd3544ee49.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch new file mode 100644 index 0000000000..bdbe69695c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
@@ -0,0 +1,196 @@
		1	From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Sun, 27 Dec 2015 16:25:11 +0000
		4	Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
		5	decode functions in non debug builds by replacing assert()s by regular if
		6	checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
		7	input data.
		8
		9	Upstream-Status: Backport
		10
		11	https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
		12	hand applied Changelog changes
		13
		14	CVE: CVE-2015-8781
		15
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17	---
		18	ChangeLog \| 7 +++++++
		19	libtiff/tif_luv.c \| 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
		20	2 files changed, 51 insertions(+), 11 deletions(-)
		21
		22	Index: tiff-4.0.4/ChangeLog
		23	===================================================================
		24	--- tiff-4.0.4.orig/ChangeLog
		25	+++ tiff-4.0.4/ChangeLog
		26	@@ -1,3 +1,11 @@
		27	+2015-12-27 Even Rouault <even.rouault at spatialys.com>
		28	+
		29	+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
		30	+ functions in non debug builds by replacing assert()s by regular if
		31	+ checks (bugzilla #2522).
		32	+ Fix potential out-of-bound reads in case of short input data.
		33	+
		34	+
		35	2015-06-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
		36
		37	* libtiff 4.0.4 released.
		38	Index: tiff-4.0.4/libtiff/tif_luv.c
		39	===================================================================
		40	--- tiff-4.0.4.orig/libtiff/tif_luv.c
		41	+++ tiff-4.0.4/libtiff/tif_luv.c
		42	@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
		43	if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
		44	tp = (int16*) op;
		45	else {
		46	- assert(sp->tbuflen >= npixels);
		47	+ if(sp->tbuflen < npixels) {
		48	+ TIFFErrorExt(tif->tif_clientdata, module,
		49	+ "Translation buffer too short");
		50	+ return (0);
		51	+ }
		52	tp = (int16*) sp->tbuf;
		53	}
		54	_TIFFmemset((void) tp, 0, npixelssizeof (tp[0]));
		55	@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
		56	cc = tif->tif_rawcc;
		57	/* get each byte string */
		58	for (shft = 2*8; (shft -= 8) >= 0; ) {
		59	- for (i = 0; i < npixels && cc > 0; )
		60	+ for (i = 0; i < npixels && cc > 0; ) {
		61	if (bp >= 128) { / run */
		62	- rc = bp++ + (2-128); / TODO: potential input buffer overrun when decoding corrupt or truncated data */
		63	+ if( cc < 2 )
		64	+ break;
		65	+ rc = *bp++ + (2-128);
		66	b = (int16)(*bp++ << shft);
		67	cc -= 2;
		68	while (rc-- && i < npixels)
		69	@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
		70	while (--cc && rc-- && i < npixels)
		71	tp[i++] \|= (int16)*bp++ << shft;
		72	}
		73	+ }
		74	if (i != npixels) {
		75	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
		76	TIFFErrorExt(tif->tif_clientdata, module,
		77	@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
		78	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
		79	tp = (uint32 *)op;
		80	else {
		81	- assert(sp->tbuflen >= npixels);
		82	+ if(sp->tbuflen < npixels) {
		83	+ TIFFErrorExt(tif->tif_clientdata, module,
		84	+ "Translation buffer too short");
		85	+ return (0);
		86	+ }
		87	tp = (uint32 *) sp->tbuf;
		88	}
		89	/* copy to array of uint32 */
		90	bp = (unsigned char*) tif->tif_rawcp;
		91	cc = tif->tif_rawcc;
		92	- for (i = 0; i < npixels && cc > 0; i++) {
		93	+ for (i = 0; i < npixels && cc >= 3; i++) {
		94	tp[i] = bp[0] << 16 \| bp[1] << 8 \| bp[2];
		95	bp += 3;
		96	cc -= 3;
		97	@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
		98	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
		99	tp = (uint32*) op;
		100	else {
		101	- assert(sp->tbuflen >= npixels);
		102	+ if(sp->tbuflen < npixels) {
		103	+ TIFFErrorExt(tif->tif_clientdata, module,
		104	+ "Translation buffer too short");
		105	+ return (0);
		106	+ }
		107	tp = (uint32*) sp->tbuf;
		108	}
		109	_TIFFmemset((void) tp, 0, npixelssizeof (tp[0]));
		110	@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
		111	cc = tif->tif_rawcc;
		112	/* get each byte string */
		113	for (shft = 4*8; (shft -= 8) >= 0; ) {
		114	- for (i = 0; i < npixels && cc > 0; )
		115	+ for (i = 0; i < npixels && cc > 0; ) {
		116	if (bp >= 128) { / run */
		117	+ if( cc < 2 )
		118	+ break;
		119	rc = *bp++ + (2-128);
		120	b = (uint32)*bp++ << shft;
		121	- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
		122	+ cc -= 2;
		123	while (rc-- && i < npixels)
		124	tp[i++] \|= b;
		125	} else { /* non-run */
		126	@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
		127	while (--cc && rc-- && i < npixels)
		128	tp[i++] \|= (uint32)*bp++ << shft;
		129	}
		130	+ }
		131	if (i != npixels) {
		132	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
		133	TIFFErrorExt(tif->tif_clientdata, module,
		134	@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
		135	static int
		136	LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
		137	{
		138	+ static const char module[] = "LogL16Encode";
		139	LogLuvState* sp = EncoderState(tif);
		140	int shft;
		141	tmsize_t i;
		142	@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
		143	tp = (int16*) bp;
		144	else {
		145	tp = (int16*) sp->tbuf;
		146	- assert(sp->tbuflen >= npixels);
		147	+ if(sp->tbuflen < npixels) {
		148	+ TIFFErrorExt(tif->tif_clientdata, module,
		149	+ "Translation buffer too short");
		150	+ return (0);
		151	+ }
		152	(*sp->tfunc)(sp, bp, npixels);
		153	}
		154	/* compress each byte string */
		155	@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
		156	static int
		157	LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
		158	{
		159	+ static const char module[] = "LogLuvEncode24";
		160	LogLuvState* sp = EncoderState(tif);
		161	tmsize_t i;
		162	tmsize_t npixels;
		163	@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
		164	tp = (uint32*) bp;
		165	else {
		166	tp = (uint32*) sp->tbuf;
		167	- assert(sp->tbuflen >= npixels);
		168	+ if(sp->tbuflen < npixels) {
		169	+ TIFFErrorExt(tif->tif_clientdata, module,
		170	+ "Translation buffer too short");
		171	+ return (0);
		172	+ }
		173	(*sp->tfunc)(sp, bp, npixels);
		174	}
		175	/* write out encoded pixels */
		176	@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
		177	static int
		178	LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
		179	{
		180	+ static const char module[] = "LogLuvEncode32";
		181	LogLuvState* sp = EncoderState(tif);
		182	int shft;
		183	tmsize_t i;
		184	@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
		185	tp = (uint32*) bp;
		186	else {
		187	tp = (uint32*) sp->tbuf;
		188	- assert(sp->tbuflen >= npixels);
		189	+ if(sp->tbuflen < npixels) {
		190	+ TIFFErrorExt(tif->tif_clientdata, module,
		191	+ "Translation buffer too short");
		192	+ return (0);
		193	+ }
		194	(*sp->tfunc)(sp, bp, npixels);
		195	}
		196	/* compress each byte string */


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb index cf3a5f04c5..6166663fca 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
@@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
5		5
6	SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \	6	SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
7	file://libtool2.patch \	7	file://libtool2.patch \
		8	file://CVE-2015-8781.patch \
8	"	9	"
9		10
10	SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900"	11	SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900"