2 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
new file mode 100644
index 0000000000..0c8b7164e5
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
@@ -0,0 +1,129 @@
+From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
+From: bfriesen <bfriesen>
+Date: Sat, 24 Sep 2016 23:11:55 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
+ to read floating point images.
+* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+requirements of floating point predictor (3).  Fixes CVE-2016-3622
+"Divide By Zero in the tiff2rgba tool."
+CVE: CVE-2016-3622
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ ChangeLog              | 11 ++++++++++-
+ libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
+ libtiff/tif_predict.c  | 11 ++++++++++-
+ 3 files changed, 40 insertions(+), 20 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 26d6f47..a628277 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,12 @@
+2016-09-24  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+       * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
+       read floating point images.
+
+       * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+       requirements of floating point predictor (3).  Fixes CVE-2016-3622
+       "Divide By Zero in the tiff2rgba tool."
+
+ 2016-08-15 Even Rouault <even.rouault at spatialys.com>
+ 
+        * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 386cee0..3e689ee 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+                            td->td_bitspersample);
+                        return (0);
+        }
+        if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
+                sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
+                return (0);
+        }
+        colorchannels = td->td_samplesperpixel - td->td_extrasamples;
+        if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
+                switch (colorchannels) {
+@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+                                    "Planarconfiguration", td->td_planarconfig);
+                                return (0);
+                        }
+-                       if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+-            {
+-                sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d, %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel,
+-                        "colorchannels", colorchannels);
+-                return 0;
+-            }
+                       if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
+                                sprintf(emsg,
+                                        "Sorry, can not handle image with %s=%d, %s=%d",
+                                        "Samples/pixel", td->td_samplesperpixel,
+                                        "colorchannels", colorchannels);
+                                return 0;
+                        }
+                        break;
+                case PHOTOMETRIC_CIELAB:
+-            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+-            {
+-                sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel,
+-                        "colorchannels", colorchannels,
+-                        "Bits/sample", td->td_bitspersample);
+-                return 0;
+-            }
+                        if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
+                                sprintf(emsg,
+                                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+                                        "Samples/pixel", td->td_samplesperpixel,
+                                        "colorchannels", colorchannels,
+                                        "Bits/sample", td->td_bitspersample);
+                                return 0;
+                        }
+                        break;
+-               default:
+                default:
+                        sprintf(emsg, "Sorry, can not handle image with %s=%d",
+                            photoTag, photometric);
+                        return (0);
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index 081eb11..555f2f9 100644
+--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
+@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
+                                    td->td_sampleformat);
+                                return 0;
+                        }
+                        if (td->td_bitspersample != 16
+                            && td->td_bitspersample != 24
+                            && td->td_bitspersample != 32
+                            && td->td_bitspersample != 64) { /* Should 64 be allowed? */
+                                TIFFErrorExt(tif->tif_clientdata, module,
+                                             "Floating point \"Predictor\" not supported with %d-bit samples",
+                                             td->td_bitspersample);
+                               return 0;
+                            }
+                        break;
+                default:
+                        TIFFErrorExt(tif->tif_clientdata, module,
+@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
+                }
+                /*
+                 * Allocate buffer to keep the decoded bytes before
+-                * rearranging in the ight order
+                * rearranging in the right order
+                 */
+        }
+ 
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 466dfbb50d..796d86e8f8 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2016-3990.patch \
           file://CVE-2016-3991.patch \
           file://CVE-2016-3623.patch \
+           file://CVE-2016-3622.patch \
          "
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch new file mode 100644 index 0000000000..0c8b7164e5 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
@@ -0,0 +1,129 @@
		1	From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
		2	From: bfriesen <bfriesen>
		3	Date: Sat, 24 Sep 2016 23:11:55 +0000
		4	Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
		5	to read floating point images.
		6
		7	* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
		8	requirements of floating point predictor (3). Fixes CVE-2016-3622
		9	"Divide By Zero in the tiff2rgba tool."
		10
		11	CVE: CVE-2016-3622
		12	Upstream-Status: Backport
		13	https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
		14
		15	Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
		16	---
		17	ChangeLog \| 11 ++++++++++-
		18	libtiff/tif_getimage.c \| 38 ++++++++++++++++++++------------------
		19	libtiff/tif_predict.c \| 11 ++++++++++-
		20	3 files changed, 40 insertions(+), 20 deletions(-)
		21
		22	diff --git a/ChangeLog b/ChangeLog
		23	index 26d6f47..a628277 100644
		24	--- a/ChangeLog
		25	+++ b/ChangeLog
		26	@@ -1,3 +1,12 @@
		27	+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
		28	+
		29	+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
		30	+ read floating point images.
		31	+
		32	+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
		33	+ requirements of floating point predictor (3). Fixes CVE-2016-3622
		34	+ "Divide By Zero in the tiff2rgba tool."
		35	+
		36	2016-08-15 Even Rouault <even.rouault at spatialys.com>
		37
		38	* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
		39	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
		40	index 386cee0..3e689ee 100644
		41	--- a/libtiff/tif_getimage.c
		42	+++ b/libtiff/tif_getimage.c
		43	@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
		44	td->td_bitspersample);
		45	return (0);
		46	}
		47	+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
		48	+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
		49	+ return (0);
		50	+ }
		51	colorchannels = td->td_samplesperpixel - td->td_extrasamples;
		52	if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
		53	switch (colorchannels) {
		54	@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
		55	"Planarconfiguration", td->td_planarconfig);
		56	return (0);
		57	}
		58	- if( td->td_samplesperpixel != 3 \|\| colorchannels != 3 )
		59	- {
		60	- sprintf(emsg,
		61	- "Sorry, can not handle image with %s=%d, %s=%d",
		62	- "Samples/pixel", td->td_samplesperpixel,
		63	- "colorchannels", colorchannels);
		64	- return 0;
		65	- }
		66	+ if ( td->td_samplesperpixel != 3 \|\| colorchannels != 3 ) {
		67	+ sprintf(emsg,
		68	+ "Sorry, can not handle image with %s=%d, %s=%d",
		69	+ "Samples/pixel", td->td_samplesperpixel,
		70	+ "colorchannels", colorchannels);
		71	+ return 0;
		72	+ }
		73	break;
		74	case PHOTOMETRIC_CIELAB:
		75	- if( td->td_samplesperpixel != 3 \|\| colorchannels != 3 \|\| td->td_bitspersample != 8 )
		76	- {
		77	- sprintf(emsg,
		78	- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
		79	- "Samples/pixel", td->td_samplesperpixel,
		80	- "colorchannels", colorchannels,
		81	- "Bits/sample", td->td_bitspersample);
		82	- return 0;
		83	- }
		84	+ if ( td->td_samplesperpixel != 3 \|\| colorchannels != 3 \|\| td->td_bitspersample != 8 ) {
		85	+ sprintf(emsg,
		86	+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
		87	+ "Samples/pixel", td->td_samplesperpixel,
		88	+ "colorchannels", colorchannels,
		89	+ "Bits/sample", td->td_bitspersample);
		90	+ return 0;
		91	+ }
		92	break;
		93	- default:
		94	+ default:
		95	sprintf(emsg, "Sorry, can not handle image with %s=%d",
		96	photoTag, photometric);
		97	return (0);
		98	diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
		99	index 081eb11..555f2f9 100644
		100	--- a/libtiff/tif_predict.c
		101	+++ b/libtiff/tif_predict.c
		102	@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
		103	td->td_sampleformat);
		104	return 0;
		105	}
		106	+ if (td->td_bitspersample != 16
		107	+ && td->td_bitspersample != 24
		108	+ && td->td_bitspersample != 32
		109	+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
		110	+ TIFFErrorExt(tif->tif_clientdata, module,
		111	+ "Floating point \"Predictor\" not supported with %d-bit samples",
		112	+ td->td_bitspersample);
		113	+ return 0;
		114	+ }
		115	break;
		116	default:
		117	TIFFErrorExt(tif->tif_clientdata, module,
		118	@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
		119	}
		120	/*
		121	* Allocate buffer to keep the decoded bytes before
		122	- * rearranging in the ight order
		123	+ * rearranging in the right order
		124	*/
		125	}
		126
		127	--
		128	2.7.4
		129


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 466dfbb50d..796d86e8f8 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
14	file://CVE-2016-3990.patch \	14	file://CVE-2016-3990.patch \
15	file://CVE-2016-3991.patch \	15	file://CVE-2016-3991.patch \
16	file://CVE-2016-3623.patch \	16	file://CVE-2016-3623.patch \
		17	file://CVE-2016-3622.patch \
17	"	18	"
18		19
19	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"	20	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"