tiff: Security fix CVE-2015-8781

CVE-2015-8781 libtiff: out-of-bounds writes for invalid images External Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8781 (From OE-Core rev: 9e97ff5582fab9f157ecd970c7c3559265210131) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-08-10 15:11:16 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-08-17 10:35:39 +0100
commit: dc75fc92b50f64e655da1371ade001e2a8f084ac (patch)
tree: 3ddcd00a2a982fdbab85be2752bd8c916247a0ab /meta
parent: 955d6cb60f2a760d555022201586f6006703ff47 (diff)
download: poky-dc75fc92b50f64e655da1371ade001e2a8f084ac.tar.gz
2 files changed, 196 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
new file mode 100644
index 0000000000..0846f0f68e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
@@ -0,0 +1,195 @@
+From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 27 Dec 2015 16:25:11 +0000
+Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
+ decode functions in non debug builds by replacing assert()s by regular if
+ checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
+ input data.
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
+hand applied Changelog changes
+CVE: CVE-2015-8781
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog         |  7 +++++++
+ libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 51 insertions(+), 11 deletions(-)
+Index: tiff-4.0.4/ChangeLog
+===================================================================
+--- tiff-4.0.4.orig/ChangeLog
+++ tiff-4.0.4/ChangeLog
+@@ -1,3 +1,10 @@
+2015-12-27  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+       functions in non debug builds by replacing assert()s by regular if
+       checks (bugzilla #2522).
+       Fix potential out-of-bound reads in case of short input data.
+
+ 2015-12-26  Even Rouault <even.rouault at spatialys.com>
+ 
+        * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+Index: tiff-4.0.4/libtiff/tif_luv.c
+===================================================================
+--- tiff-4.0.4.orig/libtiff/tif_luv.c
+++ tiff-4.0.4/libtiff/tif_luv.c
+@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+        if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+                tp = (int16*) op;
+        else {
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                tp = (int16*) sp->tbuf;
+        }
+        _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+        cc = tif->tif_rawcc;
+        /* get each byte string */
+        for (shft = 2*8; (shft -= 8) >= 0; ) {
+-               for (i = 0; i < npixels && cc > 0; )
+               for (i = 0; i < npixels && cc > 0; ) {
+                        if (*bp >= 128) {               /* run */
+-                               rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+                               if( cc < 2 )
+                                       break;
+                               rc = *bp++ + (2-128);
+                                b = (int16)(*bp++ << shft);
+                                cc -= 2;
+                                while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+                                while (--cc && rc-- && i < npixels)
+                                        tp[i++] |= (int16)*bp++ << shft;
+                        }
+               }
+                if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                        TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
+        if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+                tp = (uint32 *)op;
+        else {
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                tp = (uint32 *) sp->tbuf;
+        }
+        /* copy to array of uint32 */
+        bp = (unsigned char*) tif->tif_rawcp;
+        cc = tif->tif_rawcc;
+-       for (i = 0; i < npixels && cc > 0; i++) {
+       for (i = 0; i < npixels && cc >= 3; i++) {
+                tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+                bp += 3;
+                cc -= 3;
+@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+        if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+                tp = (uint32*) op;
+        else {
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                tp = (uint32*) sp->tbuf;
+        }
+        _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+        cc = tif->tif_rawcc;
+        /* get each byte string */
+        for (shft = 4*8; (shft -= 8) >= 0; ) {
+-               for (i = 0; i < npixels && cc > 0; )
+               for (i = 0; i < npixels && cc > 0; ) {
+                        if (*bp >= 128) {               /* run */
+                               if( cc < 2 )
+                                       break;
+                                rc = *bp++ + (2-128);
+                                b = (uint32)*bp++ << shft;
+-                               cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+                               cc -= 2;
+                                while (rc-- && i < npixels)
+                                        tp[i++] |= b;
+                        } else {                        /* non-run */
+@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+                                while (--cc && rc-- && i < npixels)
+                                        tp[i++] |= (uint32)*bp++ << shft;
+                        }
+               }
+                if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                        TIFFErrorExt(tif->tif_clientdata, module,
+@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
+       static const char module[] = "LogL16Encode";
+        LogLuvState* sp = EncoderState(tif);
+        int shft;
+        tmsize_t i;
+@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
+                tp = (int16*) bp;
+        else {
+                tp = (int16*) sp->tbuf;
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                (*sp->tfunc)(sp, bp, npixels);
+        }
+        /* compress each byte string */
+@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
+       static const char module[] = "LogLuvEncode24";
+        LogLuvState* sp = EncoderState(tif);
+        tmsize_t i;
+        tmsize_t npixels;
+@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
+                tp = (uint32*) bp;
+        else {
+                tp = (uint32*) sp->tbuf;
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                (*sp->tfunc)(sp, bp, npixels);
+        }
+        /* write out encoded pixels */
+@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
+       static const char module[] = "LogLuvEncode32";
+        LogLuvState* sp = EncoderState(tif);
+        int shft;
+        tmsize_t i;
+@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
+                tp = (uint32*) bp;
+        else {
+                tp = (uint32*) sp->tbuf;
+-               assert(sp->tbuflen >= npixels);
+               if(sp->tbuflen < npixels) {
+                       TIFFErrorExt(tif->tif_clientdata, module,
+                                                "Translation buffer too short");
+                       return (0);
+               }
+                (*sp->tfunc)(sp, bp, npixels);
+        }
+        /* compress each byte string */
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 810a5e4c7d..9879c8bfab 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
 SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
           file://libtool2.patch \
           file://CVE-2015-8665_8683.patch \
+           file://CVE-2015-8781.patch \
          "
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
author	Armin Kuster <akuster@mvista.com>	2016-08-10 15:11:16 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-08-17 10:35:39 +0100
commit	dc75fc92b50f64e655da1371ade001e2a8f084ac (patch)
tree	3ddcd00a2a982fdbab85be2752bd8c916247a0ab /meta
parent	955d6cb60f2a760d555022201586f6006703ff47 (diff)
download	poky-dc75fc92b50f64e655da1371ade001e2a8f084ac.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch new file mode 100644 index 0000000000..0846f0f68e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
@@ -0,0 +1,195 @@
		1	From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Sun, 27 Dec 2015 16:25:11 +0000
		4	Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
		5	decode functions in non debug builds by replacing assert()s by regular if
		6	checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
		7	input data.
		8
		9	Upstream-Status: Backport
		10
		11	https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
		12	hand applied Changelog changes
		13
		14	CVE: CVE-2015-8781
		15
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17	---
		18	ChangeLog \| 7 +++++++
		19	libtiff/tif_luv.c \| 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
		20	2 files changed, 51 insertions(+), 11 deletions(-)
		21
		22	Index: tiff-4.0.4/ChangeLog
		23	===================================================================
		24	--- tiff-4.0.4.orig/ChangeLog
		25	+++ tiff-4.0.4/ChangeLog
		26	@@ -1,3 +1,10 @@
		27	+2015-12-27 Even Rouault <even.rouault at spatialys.com>
		28	+
		29	+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
		30	+ functions in non debug builds by replacing assert()s by regular if
		31	+ checks (bugzilla #2522).
		32	+ Fix potential out-of-bound reads in case of short input data.
		33	+
		34	2015-12-26 Even Rouault <even.rouault at spatialys.com>
		35
		36	* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
		37	Index: tiff-4.0.4/libtiff/tif_luv.c
		38	===================================================================
		39	--- tiff-4.0.4.orig/libtiff/tif_luv.c
		40	+++ tiff-4.0.4/libtiff/tif_luv.c
		41	@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
		42	if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
		43	tp = (int16*) op;
		44	else {
		45	- assert(sp->tbuflen >= npixels);
		46	+ if(sp->tbuflen < npixels) {
		47	+ TIFFErrorExt(tif->tif_clientdata, module,
		48	+ "Translation buffer too short");
		49	+ return (0);
		50	+ }
		51	tp = (int16*) sp->tbuf;
		52	}
		53	_TIFFmemset((void) tp, 0, npixelssizeof (tp[0]));
		54	@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
		55	cc = tif->tif_rawcc;
		56	/* get each byte string */
		57	for (shft = 2*8; (shft -= 8) >= 0; ) {
		58	- for (i = 0; i < npixels && cc > 0; )
		59	+ for (i = 0; i < npixels && cc > 0; ) {
		60	if (bp >= 128) { / run */
		61	- rc = bp++ + (2-128); / TODO: potential input buffer overrun when decoding corrupt or truncated data */
		62	+ if( cc < 2 )
		63	+ break;
		64	+ rc = *bp++ + (2-128);
		65	b = (int16)(*bp++ << shft);
		66	cc -= 2;
		67	while (rc-- && i < npixels)
		68	@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
		69	while (--cc && rc-- && i < npixels)
		70	tp[i++] \|= (int16)*bp++ << shft;
		71	}
		72	+ }
		73	if (i != npixels) {
		74	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
		75	TIFFErrorExt(tif->tif_clientdata, module,
		76	@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
		77	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
		78	tp = (uint32 *)op;
		79	else {
		80	- assert(sp->tbuflen >= npixels);
		81	+ if(sp->tbuflen < npixels) {
		82	+ TIFFErrorExt(tif->tif_clientdata, module,
		83	+ "Translation buffer too short");
		84	+ return (0);
		85	+ }
		86	tp = (uint32 *) sp->tbuf;
		87	}
		88	/* copy to array of uint32 */
		89	bp = (unsigned char*) tif->tif_rawcp;
		90	cc = tif->tif_rawcc;
		91	- for (i = 0; i < npixels && cc > 0; i++) {
		92	+ for (i = 0; i < npixels && cc >= 3; i++) {
		93	tp[i] = bp[0] << 16 \| bp[1] << 8 \| bp[2];
		94	bp += 3;
		95	cc -= 3;
		96	@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
		97	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
		98	tp = (uint32*) op;
		99	else {
		100	- assert(sp->tbuflen >= npixels);
		101	+ if(sp->tbuflen < npixels) {
		102	+ TIFFErrorExt(tif->tif_clientdata, module,
		103	+ "Translation buffer too short");
		104	+ return (0);
		105	+ }
		106	tp = (uint32*) sp->tbuf;
		107	}
		108	_TIFFmemset((void) tp, 0, npixelssizeof (tp[0]));
		109	@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
		110	cc = tif->tif_rawcc;
		111	/* get each byte string */
		112	for (shft = 4*8; (shft -= 8) >= 0; ) {
		113	- for (i = 0; i < npixels && cc > 0; )
		114	+ for (i = 0; i < npixels && cc > 0; ) {
		115	if (bp >= 128) { / run */
		116	+ if( cc < 2 )
		117	+ break;
		118	rc = *bp++ + (2-128);
		119	b = (uint32)*bp++ << shft;
		120	- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
		121	+ cc -= 2;
		122	while (rc-- && i < npixels)
		123	tp[i++] \|= b;
		124	} else { /* non-run */
		125	@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
		126	while (--cc && rc-- && i < npixels)
		127	tp[i++] \|= (uint32)*bp++ << shft;
		128	}
		129	+ }
		130	if (i != npixels) {
		131	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
		132	TIFFErrorExt(tif->tif_clientdata, module,
		133	@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
		134	static int
		135	LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
		136	{
		137	+ static const char module[] = "LogL16Encode";
		138	LogLuvState* sp = EncoderState(tif);
		139	int shft;
		140	tmsize_t i;
		141	@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
		142	tp = (int16*) bp;
		143	else {
		144	tp = (int16*) sp->tbuf;
		145	- assert(sp->tbuflen >= npixels);
		146	+ if(sp->tbuflen < npixels) {
		147	+ TIFFErrorExt(tif->tif_clientdata, module,
		148	+ "Translation buffer too short");
		149	+ return (0);
		150	+ }
		151	(*sp->tfunc)(sp, bp, npixels);
		152	}
		153	/* compress each byte string */
		154	@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
		155	static int
		156	LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
		157	{
		158	+ static const char module[] = "LogLuvEncode24";
		159	LogLuvState* sp = EncoderState(tif);
		160	tmsize_t i;
		161	tmsize_t npixels;
		162	@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
		163	tp = (uint32*) bp;
		164	else {
		165	tp = (uint32*) sp->tbuf;
		166	- assert(sp->tbuflen >= npixels);
		167	+ if(sp->tbuflen < npixels) {
		168	+ TIFFErrorExt(tif->tif_clientdata, module,
		169	+ "Translation buffer too short");
		170	+ return (0);
		171	+ }
		172	(*sp->tfunc)(sp, bp, npixels);
		173	}
		174	/* write out encoded pixels */
		175	@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
		176	static int
		177	LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
		178	{
		179	+ static const char module[] = "LogLuvEncode32";
		180	LogLuvState* sp = EncoderState(tif);
		181	int shft;
		182	tmsize_t i;
		183	@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
		184	tp = (uint32*) bp;
		185	else {
		186	tp = (uint32*) sp->tbuf;
		187	- assert(sp->tbuflen >= npixels);
		188	+ if(sp->tbuflen < npixels) {
		189	+ TIFFErrorExt(tif->tif_clientdata, module,
		190	+ "Translation buffer too short");
		191	+ return (0);
		192	+ }
		193	(*sp->tfunc)(sp, bp, npixels);
		194	}
		195	/* compress each byte string */


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 810a5e4c7d..9879c8bfab 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
6	SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \	6	SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
7	file://libtool2.patch \	7	file://libtool2.patch \
8	file://CVE-2015-8665_8683.patch \	8	file://CVE-2015-8665_8683.patch \
		9	file://CVE-2015-8781.patch \
9	"	10	"
10		11
11	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"	12	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"