tiff: security fix CVE-2018-7456

NULL pointer use as described at nvd.nist.gov/vuln/detail/CVE-2018-7456. (From OE-Core rev: 122da5cec495fc8ddfd880327e7c3ed0dc70e04f) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <joe.slater@windriver.com> 2018-07-18 11:25:00 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-07-26 13:16:40 +0100
commit: 8a2b440f87eb4084fab638a3814e82727af8f8cf (patch)
tree: a24ea406f414b5825792dbc77e9c9022827a7e7c
parent: d85feee51c76ee7b530a26272ccdf68a8120cbb3 (diff)
download: poky-8a2b440f87eb4084fab638a3814e82727af8f8cf.tar.gz
2 files changed, 179 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch
new file mode 100644
index 0000000000..2c11f93d13
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch
@@ -0,0 +1,178 @@
+From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Sun, 8 Apr 2018 14:07:08 -0400
+Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
+The TIFFPrintDirectory function relies on the following assumptions,
+supposed to be guaranteed by the specification:
+(a) A Transfer Function field is only present if the TIFF file has
+    photometric type < 3.
+(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
+    has count SamplesPerPixel - (Color Channels) and contains
+    information about supplementary channels.
+While respect of (a) and (b) are essential for the well functioning of
+TIFFPrintDirectory, no checks are realized neither by the callee nor
+by TIFFPrintDirectory itself. Hence, following scenarios might happen
+and trigger the NULL pointer dereference:
+(1) TIFF File of photometric type 4 or more has illegal Transfer
+    Function field.
+(2) TIFF File has photometric type 3 or less and defines a
+    SamplesPerPixel field such that SamplesPerPixel > Color Channels
+    without defining all extra samples in the ExtraSamples fields.
+In this patch, we address both issues with respect of the following
+principles:
+(A) In the case of (1), the defined transfer table should be printed
+    safely even if it isn't 'legal'. This allows us to avoid expensive
+    checks in TIFFPrintDirectory. Also, it is quite possible that
+    an alternative photometric type would be developed (not part of the
+    standard) and would allow definition of Transfer Table. We want
+    libtiff to be able to handle this scenario out of the box.
+(B) In the case of (2), the transfer table should be printed at its
+    right size, that is if TIFF file has photometric type Palette
+    then the transfer table should have one row and not three, even
+    if two extra samples are declared.
+In order to fulfill (A) we simply add a new 'i < 3' end condition to
+the broken TIFFPrintDirectory loop. This makes sure that in any case
+where (b) would be respected but not (a), everything stays fine.
+(B) is fulfilled by the loop condition
+'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
+long as (b) is respected.
+Naturally, we also make sure (b) is respected. This is done in the
+TIFFReadDirectory function by making sure any non-color channel is
+counted in ExtraSamples.
+This commit addresses CVE-2018-7456.
+---
+CVE: CVE-2018-7456
+Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/be4c85b...]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ libtiff/tif_dirread.c |   62 +++++++++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_print.c   |    2 +-
+ 2 files changed, 63 insertions(+), 1 deletion(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 6baa7b3..af5b84a 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
+static int _TIFFGetMaxColorChannels(uint16 photometric);
+ 
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+ 
+@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
+ }
+ 
+ /*
+ * Return the maximum number of color channels specified for a given photometric
+ * type. 0 is returned if photometric type isn't supported or no default value
+ * is defined by the specification.
+ */
+static int _TIFFGetMaxColorChannels( uint16 photometric )
+{
+    switch (photometric) {
+       case PHOTOMETRIC_PALETTE:
+       case PHOTOMETRIC_MINISWHITE:
+       case PHOTOMETRIC_MINISBLACK:
+            return 1;
+       case PHOTOMETRIC_YCBCR:
+       case PHOTOMETRIC_RGB:
+       case PHOTOMETRIC_CIELAB:
+            return 3;
+       case PHOTOMETRIC_SEPARATED:
+       case PHOTOMETRIC_MASK:
+            return 4;
+       case PHOTOMETRIC_LOGL:
+       case PHOTOMETRIC_LOGLUV:
+       case PHOTOMETRIC_CFA:
+       case PHOTOMETRIC_ITULAB:
+       case PHOTOMETRIC_ICCLAB:
+       default:
+            return 0;
+    }
+}
+
+/*
+  * Read the next TIFF directory from a file and convert it to the internal
+  * format. We read directories sequentially.
+  */
+@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
+        uint32 fii=FAILED_FII;
+         toff_t nextdiroff;
+     int bitspersample_read = FALSE;
+        int color_channels;
+ 
+        tif->tif_diroff=tif->tif_nextdiroff;
+        if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
+                        }
+                }
+        }
+
+       /*
+        * Make sure all non-color channels are extrasamples.
+        * If it's not the case, define them as such.
+        */
+        color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
+        if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
+                uint16 old_extrasamples;
+                uint16 *new_sampleinfo;
+
+                TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
+                    "color channels and ExtraSamples doesn't match SamplesPerPixel. "
+                    "Defining non-color channels as ExtraSamples.");
+
+                old_extrasamples = tif->tif_dir.td_extrasamples;
+                tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
+
+                // sampleinfo should contain information relative to these new extra samples
+                new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
+                if (!new_sampleinfo) {
+                    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
+                                "temporary new sampleinfo array (%d 16 bit elements)",
+                                tif->tif_dir.td_extrasamples);
+                    goto bad;
+                }
+
+                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+                _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+                _TIFFfree(new_sampleinfo);
+        }
+
+        /*
+         * Verify Palette image has a Colormap.
+         */
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 8deceb2..1d86adb 100644
+--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
+@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+                                uint16 i;
+                                fprintf(fd, "    %2ld: %5u",
+                                    l, td->td_transferfunction[0][l]);
+-                               for (i = 1; i < td->td_samplesperpixel; i++)
+                               for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
+                                        fprintf(fd, " %5u",
+                                            td->td_transferfunction[i][l]);
+                                fputc('\n', fd);
+-- 
+1.7.9.5
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
index 53b2b81ec2..fa64d11216 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2018-5784.patch \
           file://CVE-2018-10963.patch \
           file://CVE-2018-8905.patch \
+           file://CVE-2018-7456.patch \
          "
 SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"
author	Joe Slater <joe.slater@windriver.com>	2018-07-18 11:25:00 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-07-26 13:16:40 +0100
commit	8a2b440f87eb4084fab638a3814e82727af8f8cf (patch)
tree	a24ea406f414b5825792dbc77e9c9022827a7e7c
parent	d85feee51c76ee7b530a26272ccdf68a8120cbb3 (diff)
download	poky-8a2b440f87eb4084fab638a3814e82727af8f8cf.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch new file mode 100644 index 0000000000..2c11f93d13 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch
@@ -0,0 +1,178 @@
		1	From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001
		2	From: Hugo Lefeuvre <hle@debian.org>
		3	Date: Sun, 8 Apr 2018 14:07:08 -0400
		4	Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
		5
		6	The TIFFPrintDirectory function relies on the following assumptions,
		7	supposed to be guaranteed by the specification:
		8
		9	(a) A Transfer Function field is only present if the TIFF file has
		10	photometric type < 3.
		11
		12	(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
		13	has count SamplesPerPixel - (Color Channels) and contains
		14	information about supplementary channels.
		15
		16	While respect of (a) and (b) are essential for the well functioning of
		17	TIFFPrintDirectory, no checks are realized neither by the callee nor
		18	by TIFFPrintDirectory itself. Hence, following scenarios might happen
		19	and trigger the NULL pointer dereference:
		20
		21	(1) TIFF File of photometric type 4 or more has illegal Transfer
		22	Function field.
		23
		24	(2) TIFF File has photometric type 3 or less and defines a
		25	SamplesPerPixel field such that SamplesPerPixel > Color Channels
		26	without defining all extra samples in the ExtraSamples fields.
		27
		28	In this patch, we address both issues with respect of the following
		29	principles:
		30
		31	(A) In the case of (1), the defined transfer table should be printed
		32	safely even if it isn't 'legal'. This allows us to avoid expensive
		33	checks in TIFFPrintDirectory. Also, it is quite possible that
		34	an alternative photometric type would be developed (not part of the
		35	standard) and would allow definition of Transfer Table. We want
		36	libtiff to be able to handle this scenario out of the box.
		37
		38	(B) In the case of (2), the transfer table should be printed at its
		39	right size, that is if TIFF file has photometric type Palette
		40	then the transfer table should have one row and not three, even
		41	if two extra samples are declared.
		42
		43	In order to fulfill (A) we simply add a new 'i < 3' end condition to
		44	the broken TIFFPrintDirectory loop. This makes sure that in any case
		45	where (b) would be respected but not (a), everything stays fine.
		46
		47	(B) is fulfilled by the loop condition
		48	'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
		49	long as (b) is respected.
		50
		51	Naturally, we also make sure (b) is respected. This is done in the
		52	TIFFReadDirectory function by making sure any non-color channel is
		53	counted in ExtraSamples.
		54
		55	This commit addresses CVE-2018-7456.
		56
		57	---
		58	CVE: CVE-2018-7456
		59
		60	Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/be4c85b...]
		61
		62	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		63
		64	---
		65	libtiff/tif_dirread.c \| 62 +++++++++++++++++++++++++++++++++++++++++++++++++
		66	libtiff/tif_print.c \| 2 +-
		67	2 files changed, 63 insertions(+), 1 deletion(-)
		68
		69	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		70	index 6baa7b3..af5b84a 100644
		71	--- a/libtiff/tif_dirread.c
		72	+++ b/libtiff/tif_dirread.c
		73	@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
		74	static int TIFFFetchSubjectDistance(TIFF, TIFFDirEntry);
		75	static void ChopUpSingleUncompressedStrip(TIFF*);
		76	static uint64 TIFFReadUInt64(const uint8 *value);
		77	+static int _TIFFGetMaxColorChannels(uint16 photometric);
		78
		79	static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
		80
		81	@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
		82	}
		83
		84	/*
		85	+ * Return the maximum number of color channels specified for a given photometric
		86	+ * type. 0 is returned if photometric type isn't supported or no default value
		87	+ * is defined by the specification.
		88	+ */
		89	+static int _TIFFGetMaxColorChannels( uint16 photometric )
		90	+{
		91	+ switch (photometric) {
		92	+ case PHOTOMETRIC_PALETTE:
		93	+ case PHOTOMETRIC_MINISWHITE:
		94	+ case PHOTOMETRIC_MINISBLACK:
		95	+ return 1;
		96	+ case PHOTOMETRIC_YCBCR:
		97	+ case PHOTOMETRIC_RGB:
		98	+ case PHOTOMETRIC_CIELAB:
		99	+ return 3;
		100	+ case PHOTOMETRIC_SEPARATED:
		101	+ case PHOTOMETRIC_MASK:
		102	+ return 4;
		103	+ case PHOTOMETRIC_LOGL:
		104	+ case PHOTOMETRIC_LOGLUV:
		105	+ case PHOTOMETRIC_CFA:
		106	+ case PHOTOMETRIC_ITULAB:
		107	+ case PHOTOMETRIC_ICCLAB:
		108	+ default:
		109	+ return 0;
		110	+ }
		111	+}
		112	+
		113	+/*
		114	* Read the next TIFF directory from a file and convert it to the internal
		115	* format. We read directories sequentially.
		116	*/
		117	@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
		118	uint32 fii=FAILED_FII;
		119	toff_t nextdiroff;
		120	int bitspersample_read = FALSE;
		121	+ int color_channels;
		122
		123	tif->tif_diroff=tif->tif_nextdiroff;
		124	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
		125	@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
		126	}
		127	}
		128	}
		129	+
		130	+ /*
		131	+ * Make sure all non-color channels are extrasamples.
		132	+ * If it's not the case, define them as such.
		133	+ */
		134	+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
		135	+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
		136	+ uint16 old_extrasamples;
		137	+ uint16 *new_sampleinfo;
		138	+
		139	+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
		140	+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
		141	+ "Defining non-color channels as ExtraSamples.");
		142	+
		143	+ old_extrasamples = tif->tif_dir.td_extrasamples;
		144	+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
		145	+
		146	+ // sampleinfo should contain information relative to these new extra samples
		147	+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
		148	+ if (!new_sampleinfo) {
		149	+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
		150	+ "temporary new sampleinfo array (%d 16 bit elements)",
		151	+ tif->tif_dir.td_extrasamples);
		152	+ goto bad;
		153	+ }
		154	+
		155	+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
		156	+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
		157	+ _TIFFfree(new_sampleinfo);
		158	+ }
		159	+
		160	/*
		161	* Verify Palette image has a Colormap.
		162	*/
		163	diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
		164	index 8deceb2..1d86adb 100644
		165	--- a/libtiff/tif_print.c
		166	+++ b/libtiff/tif_print.c
		167	@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
		168	uint16 i;
		169	fprintf(fd, " %2ld: %5u",
		170	l, td->td_transferfunction[0][l]);
		171	- for (i = 1; i < td->td_samplesperpixel; i++)
		172	+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
		173	fprintf(fd, " %5u",
		174	td->td_transferfunction[i][l]);
		175	fputc('\n', fd);
		176	--
		177	1.7.9.5
		178


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb index 53b2b81ec2..fa64d11216 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
11	file://CVE-2018-5784.patch \	11	file://CVE-2018-5784.patch \
12	file://CVE-2018-10963.patch \	12	file://CVE-2018-10963.patch \
13	file://CVE-2018-8905.patch \	13	file://CVE-2018-8905.patch \
		14	file://CVE-2018-7456.patch \
14	"	15	"
15		16
16	SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"	17	SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"