3 files changed, 492 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
new file mode 100644
index 0000000000..26fd0df11c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
@@ -0,0 +1,423 @@
+From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 31 Oct 2016 17:24:26 +0000
+Subject: [PATCH 1/2] Fix CVE-2016-9535
+* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
+ assertions by runtime checks to avoid assertions in debug mode, or buffer
+ overflows in release mode. Can happen when dealing with unusual tile size
+ like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet    &
+ Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+CVE: CVE-2016-9535
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
+ libtiff/tif_predict.h |   6 +-
+ 2 files changed, 121 insertions(+), 47 deletions(-)
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index 555f2f9..b829259 100644
+--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
+@@ -34,18 +34,18 @@
+ 
+ #define        PredictorState(tif)     ((TIFFPredictorState*) (tif)->tif_data)
+ 
+-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
+ static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+ static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+ static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
+@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
+ /* - when storing into the byte stream, we explicitly mask with 0xff so */
+ /*   as to make icc -check=conversions happy (not necessary by the standard) */
+ 
+-static void
+static int
+ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+ 
+        unsigned char* cp = (unsigned char*) cp0;
+-       assert((cc%stride)==0);
+    if((cc%stride)!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horAcc8",
+                     "%s", "(cc%stride)!=0");
+        return 0;
+    }
+
+        if (cc > stride) {
+                /*
+                 * Pipeline the most common cases.
+@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        } while (cc>0);
+                }
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        uint16* wp = (uint16*) cp0;
+        tmsize_t wc = cc / 2;
+ 
+         TIFFSwabArrayOfShort(wp, wc);
+-        horAcc16(tif, cp0, cc);
+        return horAcc16(tif, cp0, cc);
+ }
+ 
+-static void
+static int
+ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+        uint16* wp = (uint16*) cp0;
+        tmsize_t wc = cc / 2;
+ 
+-       assert((cc%(2*stride))==0);
+    if((cc%(2*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horAcc16",
+                     "%s", "cc%(2*stride))!=0");
+        return 0;
+    }
+ 
+        if (wc > stride) {
+                wc -= stride;
+@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        wc -= stride;
+                } while (wc > 0);
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        uint32* wp = (uint32*) cp0;
+        tmsize_t wc = cc / 4;
+ 
+         TIFFSwabArrayOfLong(wp, wc);
+-       horAcc32(tif, cp0, cc);
+       return horAcc32(tif, cp0, cc);
+ }
+ 
+-static void
+static int
+ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+        uint32* wp = (uint32*) cp0;
+        tmsize_t wc = cc / 4;
+ 
+-       assert((cc%(4*stride))==0);
+    if((cc%(4*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horAcc32",
+                     "%s", "cc%(4*stride))!=0");
+        return 0;
+    }
+ 
+        if (wc > stride) {
+                wc -= stride;
+@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        wc -= stride;
+                } while (wc > 0);
+        }
+       return 1;
+ }
+ 
+ /*
+  * Floating point predictor accumulation routine.
+  */
+-static void
+static int
+ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+        uint8 *cp = (uint8 *) cp0;
+        uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+ 
+-       assert((cc%(bps*stride))==0);
+    if(cc%(bps*stride)!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "fpAcc",
+                     "%s", "cc%(bps*stride))!=0");
+        return 0;
+    }
+ 
+        if (!tmp)
+-               return;
+               return 0;
+ 
+        while (count > stride) {
+                REPEAT4(stride, cp[stride] =
+@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+                }
+        }
+        _TIFFfree(tmp);
+    return 1;
+ }
+ 
+ /*
+@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+        assert(sp->decodepfunc != NULL);  
+ 
+        if ((*sp->decoderow)(tif, op0, occ0, s)) {
+-               (*sp->decodepfunc)(tif, op0, occ0);
+-               return 1;
+               return (*sp->decodepfunc)(tif, op0, occ0);
+        } else
+                return 0;
+ }
+@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+        if ((*sp->decodetile)(tif, op0, occ0, s)) {
+                tmsize_t rowsize = sp->rowsize;
+                assert(rowsize > 0);
+-               assert((occ0%rowsize)==0);
+               if((occ0%rowsize) !=0)
+        {
+            TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
+                         "%s", "occ0%rowsize != 0");
+            return 0;
+        }
+                assert(sp->decodepfunc != NULL);
+                while (occ0 > 0) {
+-                       (*sp->decodepfunc)(tif, op0, rowsize);
+                       if( !(*sp->decodepfunc)(tif, op0, rowsize) )
+                return 0;
+                        occ0 -= rowsize;
+                        op0 += rowsize;
+                }
+@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+                return 0;
+ }
+ 
+-static void
+static int
+ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        TIFFPredictorState* sp = PredictorState(tif);
+        tmsize_t stride = sp->stride;
+        unsigned char* cp = (unsigned char*) cp0;
+ 
+-       assert((cc%stride)==0);
+    if((cc%stride)!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horDiff8",
+                     "%s", "(cc%stride)!=0");
+        return 0;
+    }
+ 
+        if (cc > stride) {
+                cc -= stride;
+@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        } while ((cc -= stride) > 0);
+                }
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        TIFFPredictorState* sp = PredictorState(tif);
+@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+        uint16 *wp = (uint16*) cp0;
+        tmsize_t wc = cc/2;
+ 
+-       assert((cc%(2*stride))==0);
+    if((cc%(2*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horDiff8",
+                     "%s", "(cc%(2*stride))!=0");
+        return 0;
+    }
+ 
+        if (wc > stride) {
+                wc -= stride;
+@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        wc -= stride;
+                } while (wc > 0);
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+     uint16* wp = (uint16*) cp0;
+     tmsize_t wc = cc / 2;
+ 
+-    horDiff16(tif, cp0, cc);
+    if( !horDiff16(tif, cp0, cc) )
+        return 0;
+ 
+     TIFFSwabArrayOfShort(wp, wc);
+    return 1;
+ }
+ 
+-static void
+static int
+ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        TIFFPredictorState* sp = PredictorState(tif);
+@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+        uint32 *wp = (uint32*) cp0;
+        tmsize_t wc = cc/4;
+ 
+-       assert((cc%(4*stride))==0);
+    if((cc%(4*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "horDiff32",
+                     "%s", "(cc%(4*stride))!=0");
+        return 0;
+    }
+ 
+        if (wc > stride) {
+                wc -= stride;
+@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+                        wc -= stride;
+                } while (wc > 0);
+        }
+       return 1;
+ }
+ 
+-static void
+static int
+ swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+     uint32* wp = (uint32*) cp0;
+     tmsize_t wc = cc / 4;
+ 
+-    horDiff32(tif, cp0, cc);
+    if( !horDiff32(tif, cp0, cc) )
+        return 0;
+ 
+     TIFFSwabArrayOfLong(wp, wc);
+    return 1;
+ }
+ 
+ /*
+  * Floating point predictor differencing routine.
+  */
+-static void
+static int
+ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+        tmsize_t stride = PredictorState(tif)->stride;
+@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+        uint8 *cp = (uint8 *) cp0;
+        uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+ 
+-       assert((cc%(bps*stride))==0);
+-
+    if((cc%(bps*stride))!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "fpDiff",
+                     "%s", "(cc%(bps*stride))!=0");
+        return 0;
+    }
+        if (!tmp)
+-               return;
+               return 0;
+ 
+        _TIFFmemcpy(tmp, cp0, cc);
+        for (count = 0; count < wc; count++) {
+@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+        cp += cc - stride - 1;
+        for (count = cc; count > stride; count -= stride)
+                REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
+    return 1;
+ }
+ 
+ static int
+@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+        assert(sp->encoderow != NULL);
+ 
+        /* XXX horizontal differencing alters user's data XXX */
+-       (*sp->encodepfunc)(tif, bp, cc);
+       if( !(*sp->encodepfunc)(tif, bp, cc) )
+        return 0;
+        return (*sp->encoderow)(tif, bp, cc, s);
+ }
+ 
+@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
+ 
+        rowsize = sp->rowsize;
+        assert(rowsize > 0);
+-       assert((cc0%rowsize)==0);
+       if((cc0%rowsize)!=0)
+    {
+        TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
+                     "%s", "(cc0%rowsize)!=0");
+        return 0;
+    }
+        while (cc > 0) {
+                (*sp->encodepfunc)(tif, bp, rowsize);
+                cc -= rowsize;
+diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
+index 91330cc..9e485a4 100644
+--- a/libtiff/tif_predict.h
+++ b/libtiff/tif_predict.h
+@@ -30,6 +30,8 @@
+  * ``Library-private'' Support for the Predictor Tag
+  */
+ 
+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
+
+ /*
+  * Codecs that want to support the Predictor tag must place
+  * this structure first in their private state block so that
+@@ -43,12 +45,12 @@ typedef struct {
+        TIFFCodeMethod  encoderow;      /* parent codec encode/decode row */
+        TIFFCodeMethod  encodestrip;    /* parent codec encode/decode strip */
+        TIFFCodeMethod  encodetile;     /* parent codec encode/decode tile */ 
+-       TIFFPostMethod  encodepfunc;    /* horizontal differencer */
+       TIFFEncodeDecodeMethod  encodepfunc;    /* horizontal differencer */
+ 
+        TIFFCodeMethod  decoderow;      /* parent codec encode/decode row */
+        TIFFCodeMethod  decodestrip;    /* parent codec encode/decode strip */
+        TIFFCodeMethod  decodetile;     /* parent codec encode/decode tile */ 
+-       TIFFPostMethod  decodepfunc;    /* horizontal accumulator */
+       TIFFEncodeDecodeMethod  decodepfunc;    /* horizontal accumulator */
+ 
+        TIFFVGetMethod  vgetparent;     /* super-class method */
+        TIFFVSetMethod  vsetparent;     /* super-class method */
+-- 
+2.9.3
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
new file mode 100644
index 0000000000..977dbf6c87
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
@@ -0,0 +1,67 @@
+From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 4 Nov 2016 09:19:13 +0000
+Subject: [PATCH 2/2] Fix CVE-2016-9535
+* libtiff/tif_predic.c: fix memory leaks in error code
+ paths added in previous commit (fix for MSVR 35105)
+CVE: CVE-2016-9535
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ libtiff/tif_predict.c | 8 ++++++--
+ 1 files changed, 11 insertions(+), 2 deletions(-)
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index b829259..3f42f3b 100644
+--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
+@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+        tmsize_t wc = cc / bps;
+        tmsize_t count = cc;
+        uint8 *cp = (uint8 *) cp0;
+-       uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+       uint8 *tmp;
+ 
+     if(cc%(bps*stride)!=0)
+     {
+@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+         return 0;
+     }
+ 
+    tmp = (uint8 *)_TIFFmalloc(cc);
+        if (!tmp)
+                return 0;
+ 
+@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+        tmsize_t wc = cc / bps;
+        tmsize_t count;
+        uint8 *cp = (uint8 *) cp0;
+-       uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+       uint8 *tmp;
+ 
+     if((cc%(bps*stride))!=0)
+     {
+@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+                      "%s", "(cc%(bps*stride))!=0");
+         return 0;
+     }
+
+    tmp = (uint8 *)_TIFFmalloc(cc);
+        if (!tmp)
+                return 0;
+ 
+@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
+     {
+         TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
+                      "%s", "(cc0%rowsize)!=0");
+        _TIFFfree( working_copy );
+         return 0;
+     }
+        while (cc > 0) {
+-- 
+2.9.3
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index a6f714c4b5..6495d1fad5 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -21,6 +21,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2016-3632.patch \
           file://CVE-2016-9540.patch \
           file://CVE-2016-9539.patch \
+           file://CVE-2016-9535-1.patch \
+           file://CVE-2016-9535-2.patch \
          "
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch new file mode 100644 index 0000000000..26fd0df11c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
@@ -0,0 +1,423 @@
		1	From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Mon, 31 Oct 2016 17:24:26 +0000
		4	Subject: [PATCH 1/2] Fix CVE-2016-9535
		5
		6	* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
		7	assertions by runtime checks to avoid assertions in debug mode, or buffer
		8	overflows in release mode. Can happen when dealing with unusual tile size
		9	like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
		10	Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
		11
		12	CVE: CVE-2016-9535
		13	Upstream-Status: Backport
		14	https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
		15
		16	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
		17
		18	---
		19	libtiff/tif_predict.c \| 153 +++++++++++++++++++++++++++++++++++---------------
		20	libtiff/tif_predict.h \| 6 +-
		21	2 files changed, 121 insertions(+), 47 deletions(-)
		22
		23	diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
		24	index 555f2f9..b829259 100644
		25	--- a/libtiff/tif_predict.c
		26	+++ b/libtiff/tif_predict.c
		27	@@ -34,18 +34,18 @@
		28
		29	#define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
		30
		31	-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
		32	-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
		33	-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
		34	-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
		35	-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
		36	-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
		37	-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
		38	-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
		39	-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
		40	-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
		41	-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
		42	-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
		43	+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
		44	+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
		45	+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
		46	+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
		47	+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
		48	+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
		49	+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
		50	+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
		51	+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
		52	+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
		53	+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
		54	+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
		55	static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
		56	static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
		57	static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
		58	@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
		59	/* - when storing into the byte stream, we explicitly mask with 0xff so */
		60	/* as to make icc -check=conversions happy (not necessary by the standard) */
		61
		62	-static void
		63	+static int
		64	horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
		65	{
		66	tmsize_t stride = PredictorState(tif)->stride;
		67
		68	unsigned char* cp = (unsigned char*) cp0;
		69	- assert((cc%stride)==0);
		70	+ if((cc%stride)!=0)
		71	+ {
		72	+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
		73	+ "%s", "(cc%stride)!=0");
		74	+ return 0;
		75	+ }
		76	+
		77	if (cc > stride) {
		78	/*
		79	* Pipeline the most common cases.
		80	@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
		81	} while (cc>0);
		82	}
		83	}
		84	+ return 1;
		85	}
		86
		87	-static void
		88	+static int
		89	swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
		90	{
		91	uint16* wp = (uint16*) cp0;
		92	tmsize_t wc = cc / 2;
		93
		94	TIFFSwabArrayOfShort(wp, wc);
		95	- horAcc16(tif, cp0, cc);
		96	+ return horAcc16(tif, cp0, cc);
		97	}
		98
		99	-static void
		100	+static int
		101	horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
		102	{
		103	tmsize_t stride = PredictorState(tif)->stride;
		104	uint16* wp = (uint16*) cp0;
		105	tmsize_t wc = cc / 2;
		106
		107	- assert((cc%(2*stride))==0);
		108	+ if((cc%(2*stride))!=0)
		109	+ {
		110	+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
		111	+ "%s", "cc%(2*stride))!=0");
		112	+ return 0;
		113	+ }
		114
		115	if (wc > stride) {
		116	wc -= stride;
		117	@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
		118	wc -= stride;
		119	} while (wc > 0);
		120	}
		121	+ return 1;
		122	}
		123
		124	-static void
		125	+static int
		126	swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
		127	{
		128	uint32* wp = (uint32*) cp0;
		129	tmsize_t wc = cc / 4;
		130
		131	TIFFSwabArrayOfLong(wp, wc);
		132	- horAcc32(tif, cp0, cc);
		133	+ return horAcc32(tif, cp0, cc);
		134	}
		135
		136	-static void
		137	+static int
		138	horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
		139	{
		140	tmsize_t stride = PredictorState(tif)->stride;
		141	uint32* wp = (uint32*) cp0;
		142	tmsize_t wc = cc / 4;
		143
		144	- assert((cc%(4*stride))==0);
		145	+ if((cc%(4*stride))!=0)
		146	+ {
		147	+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
		148	+ "%s", "cc%(4*stride))!=0");
		149	+ return 0;
		150	+ }
		151
		152	if (wc > stride) {
		153	wc -= stride;
		154	@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
		155	wc -= stride;
		156	} while (wc > 0);
		157	}
		158	+ return 1;
		159	}
		160
		161	/*
		162	* Floating point predictor accumulation routine.
		163	*/
		164	-static void
		165	+static int
		166	fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		167	{
		168	tmsize_t stride = PredictorState(tif)->stride;
		169	@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		170	uint8 cp = (uint8 ) cp0;
		171	uint8 tmp = (uint8 )_TIFFmalloc(cc);
		172
		173	- assert((cc%(bps*stride))==0);
		174	+ if(cc%(bps*stride)!=0)
		175	+ {
		176	+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
		177	+ "%s", "cc%(bps*stride))!=0");
		178	+ return 0;
		179	+ }
		180
		181	if (!tmp)
		182	- return;
		183	+ return 0;
		184
		185	while (count > stride) {
		186	REPEAT4(stride, cp[stride] =
		187	@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		188	}
		189	}
		190	_TIFFfree(tmp);
		191	+ return 1;
		192	}
		193
		194	/*
		195	@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
		196	assert(sp->decodepfunc != NULL);
		197
		198	if ((*sp->decoderow)(tif, op0, occ0, s)) {
		199	- (*sp->decodepfunc)(tif, op0, occ0);
		200	- return 1;
		201	+ return (*sp->decodepfunc)(tif, op0, occ0);
		202	} else
		203	return 0;
		204	}
		205	@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
		206	if ((*sp->decodetile)(tif, op0, occ0, s)) {
		207	tmsize_t rowsize = sp->rowsize;
		208	assert(rowsize > 0);
		209	- assert((occ0%rowsize)==0);
		210	+ if((occ0%rowsize) !=0)
		211	+ {
		212	+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
		213	+ "%s", "occ0%rowsize != 0");
		214	+ return 0;
		215	+ }
		216	assert(sp->decodepfunc != NULL);
		217	while (occ0 > 0) {
		218	- (*sp->decodepfunc)(tif, op0, rowsize);
		219	+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
		220	+ return 0;
		221	occ0 -= rowsize;
		222	op0 += rowsize;
		223	}
		224	@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
		225	return 0;
		226	}
		227
		228	-static void
		229	+static int
		230	horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
		231	{
		232	TIFFPredictorState* sp = PredictorState(tif);
		233	tmsize_t stride = sp->stride;
		234	unsigned char* cp = (unsigned char*) cp0;
		235
		236	- assert((cc%stride)==0);
		237	+ if((cc%stride)!=0)
		238	+ {
		239	+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
		240	+ "%s", "(cc%stride)!=0");
		241	+ return 0;
		242	+ }
		243
		244	if (cc > stride) {
		245	cc -= stride;
		246	@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
		247	} while ((cc -= stride) > 0);
		248	}
		249	}
		250	+ return 1;
		251	}
		252
		253	-static void
		254	+static int
		255	horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
		256	{
		257	TIFFPredictorState* sp = PredictorState(tif);
		258	@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
		259	uint16 wp = (uint16) cp0;
		260	tmsize_t wc = cc/2;
		261
		262	- assert((cc%(2*stride))==0);
		263	+ if((cc%(2*stride))!=0)
		264	+ {
		265	+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
		266	+ "%s", "(cc%(2*stride))!=0");
		267	+ return 0;
		268	+ }
		269
		270	if (wc > stride) {
		271	wc -= stride;
		272	@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
		273	wc -= stride;
		274	} while (wc > 0);
		275	}
		276	+ return 1;
		277	}
		278
		279	-static void
		280	+static int
		281	swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
		282	{
		283	uint16* wp = (uint16*) cp0;
		284	tmsize_t wc = cc / 2;
		285
		286	- horDiff16(tif, cp0, cc);
		287	+ if( !horDiff16(tif, cp0, cc) )
		288	+ return 0;
		289
		290	TIFFSwabArrayOfShort(wp, wc);
		291	+ return 1;
		292	}
		293
		294	-static void
		295	+static int
		296	horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
		297	{
		298	TIFFPredictorState* sp = PredictorState(tif);
		299	@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
		300	uint32 wp = (uint32) cp0;
		301	tmsize_t wc = cc/4;
		302
		303	- assert((cc%(4*stride))==0);
		304	+ if((cc%(4*stride))!=0)
		305	+ {
		306	+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
		307	+ "%s", "(cc%(4*stride))!=0");
		308	+ return 0;
		309	+ }
		310
		311	if (wc > stride) {
		312	wc -= stride;
		313	@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
		314	wc -= stride;
		315	} while (wc > 0);
		316	}
		317	+ return 1;
		318	}
		319
		320	-static void
		321	+static int
		322	swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
		323	{
		324	uint32* wp = (uint32*) cp0;
		325	tmsize_t wc = cc / 4;
		326
		327	- horDiff32(tif, cp0, cc);
		328	+ if( !horDiff32(tif, cp0, cc) )
		329	+ return 0;
		330
		331	TIFFSwabArrayOfLong(wp, wc);
		332	+ return 1;
		333	}
		334
		335	/*
		336	* Floating point predictor differencing routine.
		337	*/
		338	-static void
		339	+static int
		340	fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		341	{
		342	tmsize_t stride = PredictorState(tif)->stride;
		343	@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		344	uint8 cp = (uint8 ) cp0;
		345	uint8 tmp = (uint8 )_TIFFmalloc(cc);
		346
		347	- assert((cc%(bps*stride))==0);
		348	-
		349	+ if((cc%(bps*stride))!=0)
		350	+ {
		351	+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
		352	+ "%s", "(cc%(bps*stride))!=0");
		353	+ return 0;
		354	+ }
		355	if (!tmp)
		356	- return;
		357	+ return 0;
		358
		359	_TIFFmemcpy(tmp, cp0, cc);
		360	for (count = 0; count < wc; count++) {
		361	@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		362	cp += cc - stride - 1;
		363	for (count = cc; count > stride; count -= stride)
		364	REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
		365	+ return 1;
		366	}
		367
		368	static int
		369	@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
		370	assert(sp->encoderow != NULL);
		371
		372	/* XXX horizontal differencing alters user's data XXX */
		373	- (*sp->encodepfunc)(tif, bp, cc);
		374	+ if( !(*sp->encodepfunc)(tif, bp, cc) )
		375	+ return 0;
		376	return (*sp->encoderow)(tif, bp, cc, s);
		377	}
		378
		379	@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
		380
		381	rowsize = sp->rowsize;
		382	assert(rowsize > 0);
		383	- assert((cc0%rowsize)==0);
		384	+ if((cc0%rowsize)!=0)
		385	+ {
		386	+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
		387	+ "%s", "(cc0%rowsize)!=0");
		388	+ return 0;
		389	+ }
		390	while (cc > 0) {
		391	(*sp->encodepfunc)(tif, bp, rowsize);
		392	cc -= rowsize;
		393	diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
		394	index 91330cc..9e485a4 100644
		395	--- a/libtiff/tif_predict.h
		396	+++ b/libtiff/tif_predict.h
		397	@@ -30,6 +30,8 @@
		398	* ``Library-private'' Support for the Predictor Tag
		399	*/
		400
		401	+typedef int (TIFFEncodeDecodeMethod)(TIFF tif, uint8* buf, tmsize_t size);
		402	+
		403	/*
		404	* Codecs that want to support the Predictor tag must place
		405	* this structure first in their private state block so that
		406	@@ -43,12 +45,12 @@ typedef struct {
		407	TIFFCodeMethod encoderow; /* parent codec encode/decode row */
		408	TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
		409	TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
		410	- TIFFPostMethod encodepfunc; /* horizontal differencer */
		411	+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
		412
		413	TIFFCodeMethod decoderow; /* parent codec encode/decode row */
		414	TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
		415	TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
		416	- TIFFPostMethod decodepfunc; /* horizontal accumulator */
		417	+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
		418
		419	TIFFVGetMethod vgetparent; /* super-class method */
		420	TIFFVSetMethod vsetparent; /* super-class method */
		421	--
		422	2.9.3
		423


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch new file mode 100644 index 0000000000..977dbf6c87 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
@@ -0,0 +1,67 @@
		1	From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Fri, 4 Nov 2016 09:19:13 +0000
		4	Subject: [PATCH 2/2] Fix CVE-2016-9535
		5	* libtiff/tif_predic.c: fix memory leaks in error code
		6	paths added in previous commit (fix for MSVR 35105)
		7
		8	CVE: CVE-2016-9535
		9	Upstream-Status: Backport
		10	https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
		11
		12	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
		13
		14	---
		15	libtiff/tif_predict.c \| 8 ++++++--
		16	1 files changed, 11 insertions(+), 2 deletions(-)
		17
		18	diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
		19	index b829259..3f42f3b 100644
		20	--- a/libtiff/tif_predict.c
		21	+++ b/libtiff/tif_predict.c
		22	@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		23	tmsize_t wc = cc / bps;
		24	tmsize_t count = cc;
		25	uint8 cp = (uint8 ) cp0;
		26	- uint8 tmp = (uint8 )_TIFFmalloc(cc);
		27	+ uint8 *tmp;
		28
		29	if(cc%(bps*stride)!=0)
		30	{
		31	@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
		32	return 0;
		33	}
		34
		35	+ tmp = (uint8 *)_TIFFmalloc(cc);
		36	if (!tmp)
		37	return 0;
		38
		39	@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		40	tmsize_t wc = cc / bps;
		41	tmsize_t count;
		42	uint8 cp = (uint8 ) cp0;
		43	- uint8 tmp = (uint8 )_TIFFmalloc(cc);
		44	+ uint8 *tmp;
		45
		46	if((cc%(bps*stride))!=0)
		47	{
		48	@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
		49	"%s", "(cc%(bps*stride))!=0");
		50	return 0;
		51	}
		52	+
		53	+ tmp = (uint8 *)_TIFFmalloc(cc);
		54	if (!tmp)
		55	return 0;
		56
		57	@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
		58	{
		59	TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
		60	"%s", "(cc0%rowsize)!=0");
		61	+ _TIFFfree( working_copy );
		62	return 0;
		63	}
		64	while (cc > 0) {
		65	--
		66	2.9.3
		67


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index a6f714c4b5..6495d1fad5 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -21,6 +21,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
21	file://CVE-2016-3632.patch \	21	file://CVE-2016-3632.patch \
22	file://CVE-2016-9540.patch \	22	file://CVE-2016-9540.patch \
23	file://CVE-2016-9539.patch \	23	file://CVE-2016-9539.patch \
		24	file://CVE-2016-9535-1.patch \
		25	file://CVE-2016-9535-2.patch \
24	"	26	"
25		27
26	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"	28	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"