2 files changed, 153 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
new file mode 100644
index 0000000000..e4348f1d2c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@
+This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
+Upstream-Status: Pending
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+--- a/tools/tiff2pdf.c  2012-07-25 22:56:43.000000000 -0400
+++ b/tools/tiff2pdf.c  2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+        uint32 height){
+ 
+        tsize_t i=0;
+-       uint16 ri =0;
+-       uint16 v_samp=1;
+-       uint16 h_samp=1;
+-       int j=0;
+-       
+-       i++;
+-       
+-       while(i<(*striplength)){
+
+       while (i < *striplength) {
+               tsize_t datalen;
+               uint16 ri;
+               uint16 v_samp;
+               uint16 h_samp;
+               int j;
+               int ncomp;
+
+               /* marker header: one or more FFs */
+               if (strip[i] != 0xff)
+                       return(0);
+               i++;
+               while (i < *striplength && strip[i] == 0xff)
+                       i++;
+               if (i >= *striplength)
+                       return(0);
+               /* SOI is the only pre-SOS marker without a length word */
+               if (strip[i] == 0xd8)
+                       datalen = 0;
+               else {
+                       if ((*striplength - i) <= 2)
+                               return(0);
+                       datalen = (strip[i+1] << 8) | strip[i+2];
+                       if (datalen < 2 || datalen >= (*striplength - i))
+                               return(0);
+               }
+                switch( strip[i] ){
+-                       case 0xd8:
+-                               /* SOI - start of image */
+                       case 0xd8:      /* SOI - start of image */
+                                _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+                                *bufferoffset+=2;
+-                               i+=2;
+                                break;
+-                       case 0xc0:
+-                       case 0xc1:
+-                       case 0xc3:
+-                       case 0xc9:
+-                       case 0xca:
+                       case 0xc0:      /* SOF0 */
+                       case 0xc1:      /* SOF1 */
+                       case 0xc3:      /* SOF3 */
+                       case 0xc9:      /* SOF9 */
+                       case 0xca:      /* SOF10 */
+                                if(no==0){
+-                                       _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-                                       for(j=0;j<buffer[*bufferoffset+9];j++){
+-                                               if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) 
+-                                                       h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+-                                               if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) 
+-                                                       v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
+                                       _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+                                       ncomp = buffer[*bufferoffset+9];
+                                       if (ncomp < 1 || ncomp > 4)
+                                               return(0);
+                                       v_samp=1;
+                                       h_samp=1;
+                                       for(j=0;j<ncomp;j++){
+                                               uint16 samp = buffer[*bufferoffset+11+(3*j)];
+                                               if( (samp>>4) > h_samp) 
+                                                       h_samp = (samp>>4);
+                                               if( (samp & 0x0f) > v_samp) 
+                                                       v_samp = (samp & 0x0f);
+                                        }
+                                        v_samp*=8;
+                                        h_samp*=8;
+@@ -3381,45 +3404,43 @@
+                                           (unsigned char) ((height>>8) & 0xff);
+                                        buffer[*bufferoffset+6]=
+                                             (unsigned char) (height & 0xff);
+-                                       *bufferoffset+=strip[i+2]+2;
+-                                       i+=strip[i+2]+2;
+-
+                                       *bufferoffset+=datalen+2;
+                                       /* insert a DRI marker */
+                                        buffer[(*bufferoffset)++]=0xff;
+                                        buffer[(*bufferoffset)++]=0xdd;
+                                        buffer[(*bufferoffset)++]=0x00;
+                                        buffer[(*bufferoffset)++]=0x04;
+                                        buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+                                        buffer[(*bufferoffset)++]= ri & 0xff;
+-                               } else {
+-                                       i+=strip[i+2]+2;
+                                }
+                                break;
+-                       case 0xc4:
+-                       case 0xdb:
+-                               _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-                               *bufferoffset+=strip[i+2]+2;
+-                               i+=strip[i+2]+2;
+                       case 0xc4: /* DHT */
+                       case 0xdb: /* DQT */
+                               _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+                               *bufferoffset+=datalen+2;
+                                break;
+-                       case 0xda:
+                       case 0xda: /* SOS */
+                                if(no==0){
+-                                       _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-                                       *bufferoffset+=strip[i+2]+2;
+-                                       i+=strip[i+2]+2;
+                                       _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+                                       *bufferoffset+=datalen+2;
+                                } else {
+                                        buffer[(*bufferoffset)++]=0xff;
+                                        buffer[(*bufferoffset)++]=
+                                             (unsigned char)(0xd0 | ((no-1)%8));
+-                                       i+=strip[i+2]+2;
+                                }
+-                               _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+-                               *bufferoffset+=(*striplength)-i-1;
+                               i += datalen + 1;
+                               /* copy remainder of strip */
+                               _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+                               *bufferoffset+= *striplength - i;
+                                return(1);
+                        default:
+-                               i+=strip[i+2]+2;
+                               /* ignore any other marker */
+                               break;
+                }
+               i += datalen + 1;
+        }
+-       
+ 
+       /* failed to find SOS marker */
+        return(0);
+ }
+ #endif
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index c90b4b29ac..def408e574 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -5,7 +5,8 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
 DEPENDS = "zlib jpeg xz"
 SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
-           file://libtool2.patch"
+           file://libtool2.patch \
+           file://libtiff-CVE-2013-1960.patch"
 SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
 SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"

diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch new file mode 100644 index 0000000000..e4348f1d2c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@
		1	This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
		2
		3	Upstream-Status: Pending
		4
		5	Signed-off-by: Ming Liu <ming.liu@windriver.com>
		6
		7	diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
		8	--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
		9	+++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
		10	@@ -3341,33 +3341,56 @@
		11	uint32 height){
		12
		13	tsize_t i=0;
		14	- uint16 ri =0;
		15	- uint16 v_samp=1;
		16	- uint16 h_samp=1;
		17	- int j=0;
		18	-
		19	- i++;
		20	-
		21	- while(i<(*striplength)){
		22	+
		23	+ while (i < *striplength) {
		24	+ tsize_t datalen;
		25	+ uint16 ri;
		26	+ uint16 v_samp;
		27	+ uint16 h_samp;
		28	+ int j;
		29	+ int ncomp;
		30	+
		31	+ /* marker header: one or more FFs */
		32	+ if (strip[i] != 0xff)
		33	+ return(0);
		34	+ i++;
		35	+ while (i < *striplength && strip[i] == 0xff)
		36	+ i++;
		37	+ if (i >= *striplength)
		38	+ return(0);
		39	+ /* SOI is the only pre-SOS marker without a length word */
		40	+ if (strip[i] == 0xd8)
		41	+ datalen = 0;
		42	+ else {
		43	+ if ((*striplength - i) <= 2)
		44	+ return(0);
		45	+ datalen = (strip[i+1] << 8) \| strip[i+2];
		46	+ if (datalen < 2 \|\| datalen >= (*striplength - i))
		47	+ return(0);
		48	+ }
		49	switch( strip[i] ){
		50	- case 0xd8:
		51	- /* SOI - start of image */
		52	+ case 0xd8: /* SOI - start of image */
		53	_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
		54	*bufferoffset+=2;
		55	- i+=2;
		56	break;
		57	- case 0xc0:
		58	- case 0xc1:
		59	- case 0xc3:
		60	- case 0xc9:
		61	- case 0xca:
		62	+ case 0xc0: /* SOF0 */
		63	+ case 0xc1: /* SOF1 */
		64	+ case 0xc3: /* SOF3 */
		65	+ case 0xc9: /* SOF9 */
		66	+ case 0xca: /* SOF10 */
		67	if(no==0){
		68	- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
		69	- for(j=0;j<buffer[*bufferoffset+9];j++){
		70	- if( (buffer[bufferoffset+11+(2j)]>>4) > h_samp)
		71	- h_samp = (buffer[bufferoffset+11+(2j)]>>4);
		72	- if( (buffer[bufferoffset+11+(2j)] & 0x0f) > v_samp)
		73	- v_samp = (buffer[bufferoffset+11+(2j)] & 0x0f);
		74	+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
		75	+ ncomp = buffer[*bufferoffset+9];
		76	+ if (ncomp < 1 \|\| ncomp > 4)
		77	+ return(0);
		78	+ v_samp=1;
		79	+ h_samp=1;
		80	+ for(j=0;j<ncomp;j++){
		81	+ uint16 samp = buffer[bufferoffset+11+(3j)];
		82	+ if( (samp>>4) > h_samp)
		83	+ h_samp = (samp>>4);
		84	+ if( (samp & 0x0f) > v_samp)
		85	+ v_samp = (samp & 0x0f);
		86	}
		87	v_samp*=8;
		88	h_samp*=8;
		89	@@ -3381,45 +3404,43 @@
		90	(unsigned char) ((height>>8) & 0xff);
		91	buffer[*bufferoffset+6]=
		92	(unsigned char) (height & 0xff);
		93	- *bufferoffset+=strip[i+2]+2;
		94	- i+=strip[i+2]+2;
		95	-
		96	+ *bufferoffset+=datalen+2;
		97	+ /* insert a DRI marker */
		98	buffer[(*bufferoffset)++]=0xff;
		99	buffer[(*bufferoffset)++]=0xdd;
		100	buffer[(*bufferoffset)++]=0x00;
		101	buffer[(*bufferoffset)++]=0x04;
		102	buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
		103	buffer[(*bufferoffset)++]= ri & 0xff;
		104	- } else {
		105	- i+=strip[i+2]+2;
		106	}
		107	break;
		108	- case 0xc4:
		109	- case 0xdb:
		110	- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
		111	- *bufferoffset+=strip[i+2]+2;
		112	- i+=strip[i+2]+2;
		113	+ case 0xc4: /* DHT */
		114	+ case 0xdb: /* DQT */
		115	+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
		116	+ *bufferoffset+=datalen+2;
		117	break;
		118	- case 0xda:
		119	+ case 0xda: /* SOS */
		120	if(no==0){
		121	- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
		122	- *bufferoffset+=strip[i+2]+2;
		123	- i+=strip[i+2]+2;
		124	+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
		125	+ *bufferoffset+=datalen+2;
		126	} else {
		127	buffer[(*bufferoffset)++]=0xff;
		128	buffer[(*bufferoffset)++]=
		129	(unsigned char)(0xd0 \| ((no-1)%8));
		130	- i+=strip[i+2]+2;
		131	}
		132	- _TIFFmemcpy(&(buffer[bufferoffset]), &(strip[i-1]), (striplength)-i-1);
		133	- bufferoffset+=(striplength)-i-1;
		134	+ i += datalen + 1;
		135	+ /* copy remainder of strip */
		136	+ _TIFFmemcpy(&(buffer[bufferoffset]), &(strip[i]), striplength - i);
		137	+ bufferoffset+= striplength - i;
		138	return(1);
		139	default:
		140	- i+=strip[i+2]+2;
		141	+ /* ignore any other marker */
		142	+ break;
		143	}
		144	+ i += datalen + 1;
		145	}
		146	-
		147
		148	+ /* failed to find SOS marker */
		149	return(0);
		150	}
		151	#endif


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb index c90b4b29ac..def408e574 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -5,7 +5,8 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
5	DEPENDS = "zlib jpeg xz"	5	DEPENDS = "zlib jpeg xz"
6		6
7	SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \	7	SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
8	file://libtool2.patch"	8	file://libtool2.patch \
		9	file://libtiff-CVE-2013-1960.patch"
9		10
10	SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"	11	SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
11	SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"	12	SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"