Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.
CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632 plus more that are not identified in the changelog. removed patches integrated into update. more info: http://libtiff.maptools.org/v4.0.7.html Signed-off-by: Armin Kuster <akuster...@gmail.com> --- .../libtiff/files/CVE-2015-8665_8683.patch | 137 ------- .../libtiff/files/CVE-2015-8781.patch | 195 ---------- .../libtiff/files/CVE-2015-8784.patch | 73 ---- .../libtiff/files/CVE-2016-3186.patch | 24 -- .../libtiff/files/CVE-2016-3622.patch | 129 ------- .../libtiff/files/CVE-2016-3623.patch | 52 --- .../libtiff/files/CVE-2016-3632.patch | 34 -- .../libtiff/files/CVE-2016-3658.patch | 111 ------ .../libtiff/files/CVE-2016-3945.patch | 118 ------ .../libtiff/files/CVE-2016-3990.patch | 66 ---- .../libtiff/files/CVE-2016-3991.patch | 147 ------- .../libtiff/files/CVE-2016-5321.patch | 49 --- .../libtiff/files/CVE-2016-5323.patch | 107 ------ .../libtiff/files/CVE-2016-9535-1.patch | 423 --------------------- .../libtiff/files/CVE-2016-9535-2.patch | 67 ---- .../libtiff/files/CVE-2016-9538.patch | 67 ---- .../libtiff/files/CVE-2016-9539.patch | 60 --- .../libtiff/files/CVE-2016-9540.patch | 60 --- .../libtiff/files/Fix_several_CVE_issues.patch | 281 -------------- .../libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} | 23 +- 20 files changed, 2 insertions(+), 2221 deletions(-) delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch rename meta/recipes-multimedia/libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} (65%) diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch deleted file mode 100644 index 39c5059..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch +++ /dev/null @@ -1,137 +0,0 @@ -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sat, 26 Dec 2015 17:32:03 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in - TIFFRGBAImage interface in case of unsupported values of - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by - limingxing and CVE-2015-8683 reported by zzf of Alibaba. - -Upstream-Status: Backport -CVE: CVE-2015-8665 -CVE: CVE-2015-8683 -https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 - -Signed-off-by: Armin Kuster <akus...@mvista.com> - ---- - ChangeLog | 8 ++++++++ - libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- - 2 files changed, 30 insertions(+), 13 deletions(-) - -Index: tiff-4.0.6/libtiff/tif_getimage.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_getimage.c -+++ tiff-4.0.6/libtiff/tif_getimage.c -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d", -- "Samples/pixel", td->td_samplesperpixel); -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d and %s=%d", -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } -@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+ -+ if( !TIFFRGBAImageOK(tif, emsg) ) -+ return 0; - - /* Initialize to normal values */ - img->row_offset = 0; -@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >= 4) - img->put.contig = putRGBAAcontig8bittile; -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >= 4) - { - if (BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >= 3 ) - img->put.contig = putRGBcontig8bittile; - break; - case 16: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBAAcontig16bittile; - } -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBcontig16bittile; -@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=4 && buildMap(img)) { - if (img->bitspersample == 8) { - if (!img->Map) - img->put.contig = putRGBcontig8bitCMYKtile; -@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel == 3 && buildMap(img)) { - if (img->bitspersample == 8) - img->put.contig = initCIELabConversion(img); - break; -Index: tiff-4.0.6/ChangeLog -=================================================================== ---- tiff-4.0.6.orig/ChangeLog -+++ tiff-4.0.6/ChangeLog -@@ -1,3 +1,11 @@ -+2015-12-26 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples -+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in -+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and -+ CVE-2015-8683 reported by zzf of Alibaba. -+ - 2015-09-12 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> - - * libtiff 4.0.6 released. diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch deleted file mode 100644 index 0846f0f..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch +++ /dev/null @@ -1,195 +0,0 @@ -From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sun, 27 Dec 2015 16:25:11 +0000 -Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in - decode functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). Fix potential out-of-bound reads in case of short - input data. - -Upstream-Status: Backport - -https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 -hand applied Changelog changes - -CVE: CVE-2015-8781 - -Signed-off-by: Armin Kuster <akus...@mvista.com> ---- - ChangeLog | 7 +++++++ - libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- - 2 files changed, 51 insertions(+), 11 deletions(-) - -Index: tiff-4.0.4/ChangeLog -=================================================================== ---- tiff-4.0.4.orig/ChangeLog -+++ tiff-4.0.4/ChangeLog -@@ -1,3 +1,10 @@ -+2015-12-27 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode -+ functions in non debug builds by replacing assert()s by regular if -+ checks (bugzilla #2522). -+ Fix potential out-of-bound reads in case of short input data. -+ - 2015-12-26 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -Index: tiff-4.0.4/libtiff/tif_luv.c -=================================================================== ---- tiff-4.0.4.orig/libtiff/tif_luv.c -+++ tiff-4.0.4/libtiff/tif_luv.c -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch deleted file mode 100644 index 0caf800..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch +++ /dev/null @@ -1,73 +0,0 @@ -From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sun, 27 Dec 2015 16:55:20 +0000 -Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in - NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif - (bugzilla #2508) - -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c -hand applied Changelog changes - -CVE: CVE-2015-8784 -Signed-off-by: Armin Kuster <akus...@mvista.com> - ---- - ChangeLog | 6 ++++++ - libtiff/tif_next.c | 10 ++++++++-- - 2 files changed, 14 insertions(+), 2 deletions(-) - -Index: tiff-4.0.4/ChangeLog -=================================================================== ---- tiff-4.0.4.orig/ChangeLog -+++ tiff-4.0.4/ChangeLog -@@ -1,5 +1,11 @@ - 2015-12-27 Even Rouault <even.rouault at spatialys.com> - -+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() -+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif -+ (bugzilla #2508) -+ -+2015-12-27 Even Rouault <even.rouault at spatialys.com> -+ - * libtiff/tif_luv.c: fix potential out-of-bound writes in decode - functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). -Index: tiff-4.0.4/libtiff/tif_next.c -=================================================================== ---- tiff-4.0.4.orig/libtiff/tif_next.c -+++ tiff-4.0.4/libtiff/tif_next.c -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -+ tmsize_t op_offset = 0; - - /* - * The scanline is composed of a sequence of constant -@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch deleted file mode 100644 index 4a08aba..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch +++ /dev/null @@ -1,24 +0,0 @@ -Buffer overflow in the readextension function in gif2tiff.c -allows remote attackers to cause a denial of service via a crafted GIF file. - -External References: -https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186 -https://bugzilla.redhat.com/show_bug.cgi?id=1319503 - -CVE: CVE-2016-3186 -Upstream-Status: Backport (RedHat) -https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> - ---- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200 -+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200 -@@ -349,7 +349,7 @@ - int status = 1; - - (void) getc(infile); -- while ((count = getc(infile)) && count <= 255) -+ while ((count = getc(infile)) && count >= 0 && count <= 255) - if (fread(buf, 1, count, infile) != (size_t) count) { - fprintf(stderr, "short read from file %s (%s)\n", - filename, strerror(errno)); diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch deleted file mode 100644 index 0c8b716..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch +++ /dev/null @@ -1,129 +0,0 @@ -From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001 -From: bfriesen <bfriesen> -Date: Sat, 24 Sep 2016 23:11:55 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts - to read floating point images. - -* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample -requirements of floating point predictor (3). Fixes CVE-2016-3622 -"Divide By Zero in the tiff2rgba tool." - -CVE: CVE-2016-3622 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> ---- - ChangeLog | 11 ++++++++++- - libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------ - libtiff/tif_predict.c | 11 ++++++++++- - 3 files changed, 40 insertions(+), 20 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 26d6f47..a628277 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,12 @@ -+2016-09-24 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> -+ -+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to -+ read floating point images. -+ -+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample -+ requirements of floating point predictor (3). Fixes CVE-2016-3622 -+ "Divide By Zero in the tiff2rgba tool." -+ - 2016-08-15 Even Rouault <even.rouault at spatialys.com> - - * tools/rgb2ycbcr.c: validate values of -v and -h parameters to -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 386cee0..3e689ee 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) - td->td_bitspersample); - return (0); - } -+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) { -+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples"); -+ return (0); -+ } - colorchannels = td->td_samplesperpixel - td->td_extrasamples; - if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) { - switch (colorchannels) { -@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 || colorchannels != 3 ) -- { -- sprintf(emsg, -- "Sorry, can not handle image with %s=%d, %s=%d", -- "Samples/pixel", td->td_samplesperpixel, -- "colorchannels", colorchannels); -- return 0; -- } -+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) { -+ sprintf(emsg, -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); -+ return 0; -+ } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) -- { -- sprintf(emsg, -- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", -- "Samples/pixel", td->td_samplesperpixel, -- "colorchannels", colorchannels, -- "Bits/sample", td->td_bitspersample); -- return 0; -- } -+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { -+ sprintf(emsg, -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, -+ "Bits/sample", td->td_bitspersample); -+ return 0; -+ } - break; -- default: -+ default: - sprintf(emsg, "Sorry, can not handle image with %s=%d", - photoTag, photometric); - return (0); -diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c -index 081eb11..555f2f9 100644 ---- a/libtiff/tif_predict.c -+++ b/libtiff/tif_predict.c -@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif) - td->td_sampleformat); - return 0; - } -+ if (td->td_bitspersample != 16 -+ && td->td_bitspersample != 24 -+ && td->td_bitspersample != 32 -+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Floating point \"Predictor\" not supported with %d-bit samples", -+ td->td_bitspersample); -+ return 0; -+ } - break; - default: - TIFFErrorExt(tif->tif_clientdata, module, -@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif) - } - /* - * Allocate buffer to keep the decoded bytes before -- * rearranging in the ight order -+ * rearranging in the right order - */ - } - --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch deleted file mode 100644 index f554ac5..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch +++ /dev/null @@ -1,52 +0,0 @@ -From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 15 Aug 2016 21:26:56 +0000 -Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters - to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569) - -CVE: CVE-2016-3623 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> ---- - ChangeLog | 5 +++++ - tools/rgb2ycbcr.c | 4 ++++ - 2 files changed, 9 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index 5d60608..3e6642a 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,5 +1,10 @@ - 2016-08-15 Even Rouault <even.rouault at spatialys.com> - -+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to -+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569) -+ -+2016-08-15 Even Rouault <even.rouault at spatialys.com> -+ - * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). - From patch libtiff-CVE-2016-3991.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) -diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c -index 3829d6b..51f4259 100644 ---- a/tools/rgb2ycbcr.c -+++ b/tools/rgb2ycbcr.c -@@ -95,9 +95,13 @@ main(int argc, char* argv[]) - break; - case 'h': - horizSubSampling = atoi(optarg); -+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 ) -+ usage(-1); - break; - case 'v': - vertSubSampling = atoi(optarg); -+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 ) -+ usage(-1); - break; - case 'r': - rowsperstrip = atoi(optarg); --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch deleted file mode 100644 index a839250..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch +++ /dev/null @@ -1,34 +0,0 @@ -From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nfo...@redhat.com> -Date: Mon, 11 Jul 2016 16:04:34 +0200 -Subject: [PATCH 4/8] Fix CVE-2016-3632 - -CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in -LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service -(out-of-bounds write) or execute arbitrary code via a crafted TIFF image. - -CVE: CVE-2016-3632 -Upstream-Status: Backport [RedHat RHEL7] - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> ---- - tools/thumbnail.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/tools/thumbnail.c b/tools/thumbnail.c -index fd1cba5..75e7009 100644 ---- a/tools/thumbnail.c -+++ b/tools/thumbnail.c -@@ -253,7 +253,8 @@ static struct cpTag { - { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL }, - { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL }, - { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT }, -- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, -+ // disable BADFAXLINES, CVE-2016-3632 -+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, - { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, - { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, - { TIFFTAG_INKSET, 1, TIFF_SHORT }, --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch deleted file mode 100644 index 6cb12f2..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch +++ /dev/null @@ -1,111 +0,0 @@ -From: 45c68450bef8ad876f310b495165c513cad8b67d -From: Even Rouault <even.roua...@spatialys.com> - -* libtiff/tif_dir.c: discard values of SMinSampleValue and -SMaxSampleValue when they have been read and the value of -SamplesPerPixel is changed afterwards (like when reading a -OJPEG compressed image with a missing SamplesPerPixel tag, -and whose photometric is RGB or YCbCr, forcing SamplesPerPixel -being 3). Otherwise when rewriting the directory (for example -with tiffset, we will expect 3 values whereas the array had been -allocated with just one), thus causing a out of bound read access. -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -(CVE-2014-8127, duplicate: CVE-2016-3658) - -* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset -when writing directory, if FIELD_STRIPOFFSETS was artificially set -for a hack case in OJPEG case. -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -(CVE-2014-8127, duplicate: CVE-2016-3658) - -CVE: CVE-2016-3658 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d - -Signed-off-by: Zhixiong.Chi <zhixiong....@windriver.com> - -Index: tiff-4.0.6/ChangeLog -=================================================================== ---- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800 -+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800 -@@ -1,3 +1,22 @@ -+2016-10-25 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_dir.c: discard values of SMinSampleValue and -+ SMaxSampleValue when they have been read and the value of -+ SamplesPerPixel is changed afterwards (like when reading a -+ OJPEG compressed image with a missing SamplesPerPixel tag, -+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel -+ being 3). Otherwise when rewriting the directory (for example -+ with tiffset, we will expect 3 values whereas the array had been -+ allocated with just one), thus causing a out of bound read access. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ (CVE-2014-8127, duplicate: CVE-2016-3658) -+ -+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset -+ when writing directory, if FIELD_STRIPOFFSETS was artificially set -+ for a hack case in OJPEG case. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ (CVE-2014-8127, duplicate: CVE-2016-3658) -+ - 2016-09-24 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> - - * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to -Index: tiff-4.0.6/libtiff/tif_dir.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800 -+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800 -@@ -254,6 +254,28 @@ - v = (uint16) va_arg(ap, uint16_vap); - if (v == 0) - goto badvalue; -+ if( v != td->td_samplesperpixel ) -+ { -+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */ -+ if( td->td_sminsamplevalue != NULL ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "SamplesPerPixel tag value is changing, " -+ "but SMinSampleValue tag was read with a different value. Cancelling it"); -+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE); -+ _TIFFfree(td->td_sminsamplevalue); -+ td->td_sminsamplevalue = NULL; -+ } -+ if( td->td_smaxsamplevalue != NULL ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "SamplesPerPixel tag value is changing, " -+ "but SMaxSampleValue tag was read with a different value. Cancelling it"); -+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE); -+ _TIFFfree(td->td_smaxsamplevalue); -+ td->td_smaxsamplevalue = NULL; -+ } -+ } - td->td_samplesperpixel = (uint16) v; - break; - case TIFFTAG_ROWSPERSTRIP: -Index: tiff-4.0.6/libtiff/tif_dirwrite.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800 -+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800 -@@ -542,7 +542,19 @@ - { - if (!isTiled(tif)) - { -- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) -+ /* td_stripoffset might be NULL in an odd OJPEG case. See -+ * tif_dirread.c around line 3634. -+ * XXX: OJPEG hack. -+ * If a) compression is OJPEG, b) it's not a tiled TIFF, -+ * and c) the number of strips is 1, -+ * then we tolerate the absence of stripoffsets tag, -+ * because, presumably, all required data is in the -+ * JpegInterchangeFormat stream. -+ * We can get here when using tiffset on such a file. -+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ */ -+ if (tif->tif_dir.td_stripoffset != NULL && -+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) - goto bad; - } - else diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch deleted file mode 100644 index 4d965be..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 15 Aug 2016 20:06:40 +0000 -Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of - allocated buffer, when -b mode is enabled, that could result in out-of-bounds - write. Based initially on patch tiff-CVE-2016-3945.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid - tests that rejected valid files. - -CVE: CVE-2016-3945 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6 - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> ---- - ChangeLog | 8 ++++++++ - tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++---- - 2 files changed, 38 insertions(+), 4 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 62dc1b5..9c0ab29 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,11 @@ -+2016-08-15 Even Rouault <even.rouault at spatialys.com> -+ -+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated -+ buffer, when -b mode is enabled, that could result in out-of-bounds -+ write. Based initially on patch tiff-CVE-2016-3945.patch from -+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for -+ invalid tests that rejected valid files. -+ - 2016-07-11 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcrop.c: Avoid access outside of stack allocated array -diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c -index b7a81eb..16e3dc4 100644 ---- a/tools/tiff2rgba.c -+++ b/tools/tiff2rgba.c -@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) - uint32 row, col; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ rastersize = tile_width * tile_height * sizeof (uint32); -+ if (tile_width != (rastersize / tile_height) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); -+ wrk_linesize = tile_width * sizeof (uint32); -+ if (tile_width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; -@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) - uint32 row; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ rastersize = width * rowsperstrip * sizeof (uint32); -+ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); -+ wrk_linesize = width * sizeof (uint32); -+ if (width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch deleted file mode 100644 index 7bf52ee..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 15 Aug 2016 20:49:48 +0000 -Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in - PixarLogEncode if more input samples are provided than expected by - PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and - simpler check. (bugzilla #2544) - -invalid tests that rejected valid files. (bugzilla #2545) - -CVE: CVE-2016-3990 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> ---- - ChangeLog | 10 +++++++++- - libtiff/tif_pixarlog.c | 7 +++++++ - 2 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index 9c0ab29..db4ea18 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,10 +1,18 @@ - 2016-08-15 Even Rouault <even.rouault at spatialys.com> - -+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode -+ if more input samples are provided than expected by PixarLogSetupEncode. -+ Idea based on libtiff-CVE-2016-3990.patch from -+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and -+ simpler check. (bugzilla #2544) -+ -+2016-08-15 Even Rouault <even.rouault at spatialys.com> -+ - * tools/tiff2rgba.c: Fix integer overflow in size of allocated - buffer, when -b mode is enabled, that could result in out-of-bounds - write. Based initially on patch tiff-CVE-2016-3945.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for -- invalid tests that rejected valid files. -+ invalid tests that rejected valid files. (bugzilla #2545) - - 2016-07-11 Even Rouault <even.rouault at spatialys.com> - -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c -index e78f788..28329d1 100644 ---- a/libtiff/tif_pixarlog.c -+++ b/libtiff/tif_pixarlog.c -@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - } - - llen = sp->stride * td->td_imagewidth; -+ /* Check against the number of elements (of size uint16) of sp->tbuf */ -+ if( n > td->td_rowsperstrip * llen ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Too many input bytes provided"); -+ return 0; -+ } - - for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { - switch (sp->user_datafmt) { --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch deleted file mode 100644 index 27dfd37..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch +++ /dev/null @@ -1,147 +0,0 @@ -From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 15 Aug 2016 21:05:40 +0000 -Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in - loadImage(). From patch libtiff-CVE-2016-3991.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) - -CVE: CVE-2016-3991 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> ---- - ChangeLog | 6 ++++++ - tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- - 2 files changed, 62 insertions(+), 3 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index db4ea18..5d60608 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,5 +1,11 @@ - 2016-08-15 Even Rouault <even.rouault at spatialys.com> - -+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). -+ From patch libtiff-CVE-2016-3991.patch from -+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) -+ -+2016-08-15 Even Rouault <even.rouault at spatialys.com> -+ - * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode - if more input samples are provided than expected by PixarLogSetupEncode. - Idea based on libtiff-CVE-2016-3990.patch from -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 27abc0b..ddba7b9 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, - } - - tile_buffsize = tilesize; -+ if (tilesize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); -+ exit(-1); -+ } - - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -- } -+ if (tl != (tile_buffsize / tile_rowsize)) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); -+ exit(-1); -+ } -+ } - - tilebuf = _TIFFmalloc(tile_buffsize); - if (tilebuf == 0) -@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, - !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) - return 1; - -+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) -+ { -+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); -+ exit(-1); -+ } -+ - tile_buffsize = tilesize; - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -+ if (tl != tile_buffsize / tile_rowsize) -+ { -+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - } - - tilebuf = _TIFFmalloc(tile_buffsize); -@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); - - tile_rowsize = TIFFTileRowSize(in); -+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); -+ exit(-1); -+ } - buffsize = tlsize * ntiles; -+ if (tlsize != (buffsize / ntiles)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - -- - if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) - { - buffsize = ntiles * tl * tile_rowsize; -+ if (ntiles != (buffsize / tl / tile_rowsize)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ - #ifdef DEBUG2 - TIFFError("loadImage", - "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", -@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - stsize = TIFFStripSize(in); - nstrips = TIFFNumberOfStrips(in); -+ if (nstrips == 0 || stsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); -+ exit(-1); -+ } -+ - buffsize = stsize * nstrips; -- -+ if (stsize != (buffsize / nstrips)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ uint32 buffsize_check; -+ buffsize_check = ((length * width * spp * bps) + 7); -+ if (length != ((buffsize_check - 7) / width / spp / bps)) -+ { -+ TIFFError("loadImage", "Integer overflow detected."); -+ exit(-1); -+ } - if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) - { - buffsize = ((length * width * spp * bps) + 7) / 8; --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch deleted file mode 100644 index 63c6650..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch +++ /dev/null @@ -1,49 +0,0 @@ -From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 11 Jul 2016 21:26:03 +0000 -Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack - allocated array on a tiled separate TIFF with more than 8 samples per pixel. - Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 - (CVE-2016-5321, bugzilla #2558) - -CVE: CVE-2016-5321 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0 - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> ---- - ChangeLog | 7 +++++++ - tools/tiffcrop.c | 2 +- - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index e98d54d..4e0302f 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2016-07-11 Even Rouault <even.rouault at spatialys.com> -+ -+ * tools/tiffcrop.c: Avoid access outside of stack allocated array -+ on a tiled separate TIFF with more than 8 samples per pixel. -+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 -+ (CVE-2016-5321, bugzilla #2558) -+ - 2015-12-27 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index d959ae3..6fc8fc1 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf, - nrow = (row + tl > imagelength) ? imagelength - row : tl; - for (col = 0; col < imagewidth; col += tw) - { -- for (s = 0; s < spp; s++) -+ for (s = 0; s < spp && s < MAX_SAMPLES; s++) - { /* Read each plane of a tile set into srcbuffs[s] */ - tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s); - if (tbytes < 0 && !ignore) --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch deleted file mode 100644 index 41eab91..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 11 Jul 2016 21:38:31 +0000 -Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) - -CVE: CVE-2016-5323 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31 - -Signed-off-by: Yi Zhao <yi.z...@windirver.com> ---- - ChangeLog | 2 +- - tools/tiffcrop.c | 16 ++++++++-------- - 2 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 4e0302f..62dc1b5 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -3,7 +3,7 @@ - * tools/tiffcrop.c: Avoid access outside of stack allocated array - on a tiled separate TIFF with more than 8 samples per pixel. - Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 -- (CVE-2016-5321, bugzilla #2558) -+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) - - 2016-07-10 Even Rouault <even.rouault at spatialys.com> - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 6fc8fc1..27abc0b 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols, - - matchbits = maskbits << (8 - src_bit - bps); - /* load up next sample from each plane */ -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - buff1 = ((*src) & matchbits) << (src_bit); -@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (16 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (32 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (64 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols, - - matchbits = maskbits << (8 - src_bit - bps); - /* load up next sample from each plane */ -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - buff1 = ((*src) & matchbits) << (src_bit); -@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (16 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (32 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (64 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch deleted file mode 100644 index 26fd0df..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch +++ /dev/null @@ -1,423 +0,0 @@ -From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 31 Oct 2016 17:24:26 +0000 -Subject: [PATCH 1/2] Fix CVE-2016-9535 - -* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace - assertions by runtime checks to avoid assertions in debug mode, or buffer - overflows in release mode. Can happen when dealing with unusual tile size - like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet & - Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. - -CVE: CVE-2016-9535 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 - -Signed-off-by: Mingli Yu <mingli...@windriver.com> - ---- - libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++--------------- - libtiff/tif_predict.h | 6 +- - 2 files changed, 121 insertions(+), 47 deletions(-) - -diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c -index 555f2f9..b829259 100644 ---- a/libtiff/tif_predict.c -+++ b/libtiff/tif_predict.c -@@ -34,18 +34,18 @@ - - #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data) - --static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc); --static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); --static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); --static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); --static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); --static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc); --static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); --static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); --static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); --static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); --static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc); --static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc); -+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc); - static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s); - static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s); - static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s); -@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif) - /* - when storing into the byte stream, we explicitly mask with 0xff so */ - /* as to make icc -check=conversions happy (not necessary by the standard) */ - --static void -+static int - horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc) - { - tmsize_t stride = PredictorState(tif)->stride; - - unsigned char* cp = (unsigned char*) cp0; -- assert((cc%stride)==0); -+ if((cc%stride)!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "horAcc8", -+ "%s", "(cc%stride)!=0"); -+ return 0; -+ } -+ - if (cc > stride) { - /* - * Pipeline the most common cases. -@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc) - } while (cc>0); - } - } -+ return 1; - } - --static void -+static int - swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) - { - uint16* wp = (uint16*) cp0; - tmsize_t wc = cc / 2; - - TIFFSwabArrayOfShort(wp, wc); -- horAcc16(tif, cp0, cc); -+ return horAcc16(tif, cp0, cc); - } - --static void -+static int - horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) - { - tmsize_t stride = PredictorState(tif)->stride; - uint16* wp = (uint16*) cp0; - tmsize_t wc = cc / 2; - -- assert((cc%(2*stride))==0); -+ if((cc%(2*stride))!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "horAcc16", -+ "%s", "cc%(2*stride))!=0"); -+ return 0; -+ } - - if (wc > stride) { - wc -= stride; -@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) - wc -= stride; - } while (wc > 0); - } -+ return 1; - } - --static void -+static int - swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) - { - uint32* wp = (uint32*) cp0; - tmsize_t wc = cc / 4; - - TIFFSwabArrayOfLong(wp, wc); -- horAcc32(tif, cp0, cc); -+ return horAcc32(tif, cp0, cc); - } - --static void -+static int - horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) - { - tmsize_t stride = PredictorState(tif)->stride; - uint32* wp = (uint32*) cp0; - tmsize_t wc = cc / 4; - -- assert((cc%(4*stride))==0); -+ if((cc%(4*stride))!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "horAcc32", -+ "%s", "cc%(4*stride))!=0"); -+ return 0; -+ } - - if (wc > stride) { - wc -= stride; -@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) - wc -= stride; - } while (wc > 0); - } -+ return 1; - } - - /* - * Floating point predictor accumulation routine. - */ --static void -+static int - fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) - { - tmsize_t stride = PredictorState(tif)->stride; -@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) - uint8 *cp = (uint8 *) cp0; - uint8 *tmp = (uint8 *)_TIFFmalloc(cc); - -- assert((cc%(bps*stride))==0); -+ if(cc%(bps*stride)!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "fpAcc", -+ "%s", "cc%(bps*stride))!=0"); -+ return 0; -+ } - - if (!tmp) -- return; -+ return 0; - - while (count > stride) { - REPEAT4(stride, cp[stride] = -@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) - } - } - _TIFFfree(tmp); -+ return 1; - } - - /* -@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - assert(sp->decodepfunc != NULL); - - if ((*sp->decoderow)(tif, op0, occ0, s)) { -- (*sp->decodepfunc)(tif, op0, occ0); -- return 1; -+ return (*sp->decodepfunc)(tif, op0, occ0); - } else - return 0; - } -@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - if ((*sp->decodetile)(tif, op0, occ0, s)) { - tmsize_t rowsize = sp->rowsize; - assert(rowsize > 0); -- assert((occ0%rowsize)==0); -+ if((occ0%rowsize) !=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile", -+ "%s", "occ0%rowsize != 0"); -+ return 0; -+ } - assert(sp->decodepfunc != NULL); - while (occ0 > 0) { -- (*sp->decodepfunc)(tif, op0, rowsize); -+ if( !(*sp->decodepfunc)(tif, op0, rowsize) ) -+ return 0; - occ0 -= rowsize; - op0 += rowsize; - } -@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - return 0; - } - --static void -+static int - horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc) - { - TIFFPredictorState* sp = PredictorState(tif); - tmsize_t stride = sp->stride; - unsigned char* cp = (unsigned char*) cp0; - -- assert((cc%stride)==0); -+ if((cc%stride)!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "horDiff8", -+ "%s", "(cc%stride)!=0"); -+ return 0; -+ } - - if (cc > stride) { - cc -= stride; -@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc) - } while ((cc -= stride) > 0); - } - } -+ return 1; - } - --static void -+static int - horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) - { - TIFFPredictorState* sp = PredictorState(tif); -@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) - uint16 *wp = (uint16*) cp0; - tmsize_t wc = cc/2; - -- assert((cc%(2*stride))==0); -+ if((cc%(2*stride))!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "horDiff8", -+ "%s", "(cc%(2*stride))!=0"); -+ return 0; -+ } - - if (wc > stride) { - wc -= stride; -@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) - wc -= stride; - } while (wc > 0); - } -+ return 1; - } - --static void -+static int - swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) - { - uint16* wp = (uint16*) cp0; - tmsize_t wc = cc / 2; - -- horDiff16(tif, cp0, cc); -+ if( !horDiff16(tif, cp0, cc) ) -+ return 0; - - TIFFSwabArrayOfShort(wp, wc); -+ return 1; - } - --static void -+static int - horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) - { - TIFFPredictorState* sp = PredictorState(tif); -@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) - uint32 *wp = (uint32*) cp0; - tmsize_t wc = cc/4; - -- assert((cc%(4*stride))==0); -+ if((cc%(4*stride))!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "horDiff32", -+ "%s", "(cc%(4*stride))!=0"); -+ return 0; -+ } - - if (wc > stride) { - wc -= stride; -@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) - wc -= stride; - } while (wc > 0); - } -+ return 1; - } - --static void -+static int - swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) - { - uint32* wp = (uint32*) cp0; - tmsize_t wc = cc / 4; - -- horDiff32(tif, cp0, cc); -+ if( !horDiff32(tif, cp0, cc) ) -+ return 0; - - TIFFSwabArrayOfLong(wp, wc); -+ return 1; - } - - /* - * Floating point predictor differencing routine. - */ --static void -+static int - fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) - { - tmsize_t stride = PredictorState(tif)->stride; -@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) - uint8 *cp = (uint8 *) cp0; - uint8 *tmp = (uint8 *)_TIFFmalloc(cc); - -- assert((cc%(bps*stride))==0); -- -+ if((cc%(bps*stride))!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "fpDiff", -+ "%s", "(cc%(bps*stride))!=0"); -+ return 0; -+ } - if (!tmp) -- return; -+ return 0; - - _TIFFmemcpy(tmp, cp0, cc); - for (count = 0; count < wc; count++) { -@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) - cp += cc - stride - 1; - for (count = cc; count > stride; count -= stride) - REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--) -+ return 1; - } - - static int -@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - assert(sp->encoderow != NULL); - - /* XXX horizontal differencing alters user's data XXX */ -- (*sp->encodepfunc)(tif, bp, cc); -+ if( !(*sp->encodepfunc)(tif, bp, cc) ) -+ return 0; - return (*sp->encoderow)(tif, bp, cc, s); - } - -@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s) - - rowsize = sp->rowsize; - assert(rowsize > 0); -- assert((cc0%rowsize)==0); -+ if((cc0%rowsize)!=0) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile", -+ "%s", "(cc0%rowsize)!=0"); -+ return 0; -+ } - while (cc > 0) { - (*sp->encodepfunc)(tif, bp, rowsize); - cc -= rowsize; -diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h -index 91330cc..9e485a4 100644 ---- a/libtiff/tif_predict.h -+++ b/libtiff/tif_predict.h -@@ -30,6 +30,8 @@ - * ``Library-private'' Support for the Predictor Tag - */ - -+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size); -+ - /* - * Codecs that want to support the Predictor tag must place - * this structure first in their private state block so that -@@ -43,12 +45,12 @@ typedef struct { - TIFFCodeMethod encoderow; /* parent codec encode/decode row */ - TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */ - TIFFCodeMethod encodetile; /* parent codec encode/decode tile */ -- TIFFPostMethod encodepfunc; /* horizontal differencer */ -+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */ - - TIFFCodeMethod decoderow; /* parent codec encode/decode row */ - TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */ - TIFFCodeMethod decodetile; /* parent codec encode/decode tile */ -- TIFFPostMethod decodepfunc; /* horizontal accumulator */ -+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */ - - TIFFVGetMethod vgetparent; /* super-class method */ - TIFFVSetMethod vsetparent; /* super-class method */ --- -2.9.3 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch deleted file mode 100644 index 977dbf6..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Fri, 4 Nov 2016 09:19:13 +0000 -Subject: [PATCH 2/2] Fix CVE-2016-9535 -* libtiff/tif_predic.c: fix memory leaks in error code - paths added in previous commit (fix for MSVR 35105) - -CVE: CVE-2016-9535 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 - -Signed-off-by: Mingli Yu <mingli...@windriver.com> - ---- - libtiff/tif_predict.c | 8 ++++++-- - 1 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c -index b829259..3f42f3b 100644 ---- a/libtiff/tif_predict.c -+++ b/libtiff/tif_predict.c -@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) - tmsize_t wc = cc / bps; - tmsize_t count = cc; - uint8 *cp = (uint8 *) cp0; -- uint8 *tmp = (uint8 *)_TIFFmalloc(cc); -+ uint8 *tmp; - - if(cc%(bps*stride)!=0) - { -@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) - return 0; - } - -+ tmp = (uint8 *)_TIFFmalloc(cc); - if (!tmp) - return 0; - -@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) - tmsize_t wc = cc / bps; - tmsize_t count; - uint8 *cp = (uint8 *) cp0; -- uint8 *tmp = (uint8 *)_TIFFmalloc(cc); -+ uint8 *tmp; - - if((cc%(bps*stride))!=0) - { -@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) - "%s", "(cc%(bps*stride))!=0"); - return 0; - } -+ -+ tmp = (uint8 *)_TIFFmalloc(cc); - if (!tmp) - return 0; - -@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s) - { - TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile", - "%s", "(cc0%rowsize)!=0"); -+ _TIFFfree( working_copy ); - return 0; - } - while (cc > 0) { --- -2.9.3 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch deleted file mode 100644 index e1141df..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sat, 8 Oct 2016 15:04:31 +0000 -Subject: [PATCH] Fix CVE-2016-9538 -* tools/tiffcp.c: fix read of undefined variable in case of - missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c: - fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 - overflow. Probably not a security issue but I can be wrong. Reported as MSVR - 35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team. - -CVE: CVE-2016-9538 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f - -Signed-off-by: Mingli Yu <mingli...@windriver.com> - ---- - tools/tiffcp.c | 4 ++-- - tools/tiffcrop.c | 9 ++++++--- - 2 files changed, 17 insertions(+), 5 deletions(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index ba2b715..4ad74d3 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16); - static int - tiffcp(TIFF* in, TIFF* out) - { -- uint16 bitspersample, samplesperpixel; -- uint16 input_compression, input_photometric; -+ uint16 bitspersample, samplesperpixel = 1; -+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; - copyFunc cf; - uint32 width, length; - struct cpTag* p; -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 7685566..eb6de77 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf) - { - uint8* bufp = buf; - int32 bytes_read = 0; -- uint16 strip, nstrips = TIFFNumberOfStrips(in); -+ uint32 strip, nstrips = TIFFNumberOfStrips(in); - uint32 stripsize = TIFFStripSize(in); - uint32 rows = 0; - uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); -@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length, - uint32 width, uint16 spp, - struct dump_opts *dump) - { -- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; -+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; -+ uint32 j; - int32 bytes_read = 0; -- uint16 bps, nstrips, planar, strips_per_sample; -+ uint16 bps, planar; -+ uint32 nstrips; -+ uint32 strips_per_sample; - uint32 src_rowsize, dst_rowsize, rows_processed, rps; - uint32 rows_this_strip = 0; - tsample_t s; --- -2.9.3 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch deleted file mode 100644 index 1d9be42..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch +++ /dev/null @@ -1,60 +0,0 @@ -From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Fri, 14 Oct 2016 19:13:20 +0000 -Subject: [PATCH ] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes - in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet - & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. - -CVE: CVE-2016-9539 - -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 - -Signed-off-by: Zhixiong Chi <zhixiong....@windriver.com> - ---- - ChangeLog | 6 ++++++ - tools/tiffcrop.c | 11 ++++++++++- - 2 files changed, 16 insertions(+), 1 deletion(-) - -Index: tiff-4.0.6/ChangeLog -=================================================================== ---- tiff-4.0.6.orig/ChangeLog 2016-11-28 14:56:32.109283913 +0800 -+++ tiff-4.0.6/ChangeLog 2016-11-28 16:36:01.805325534 +0800 -@@ -17,6 +17,12 @@ - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 - (CVE-2014-8127, duplicate: CVE-2016-3658) - -+2016-10-14 Even Rouault <even.rouault at spatialys.com> -+ -+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in -+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet -+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. -+ - 2016-10-08 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd -Index: tiff-4.0.6/tools/tiffcrop.c -=================================================================== ---- tiff-4.0.6.orig/tools/tiffcrop.c 2016-11-28 14:56:31.433283908 +0800 -+++ tiff-4.0.6/tools/tiffcrop.c 2016-11-28 16:42:13.793328128 +0800 -@@ -819,9 +819,18 @@ - } - } - -- tilebuf = _TIFFmalloc(tile_buffsize); -+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */ -+ if( tile_buffsize > 0xFFFFFFFFU - 3 ) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); -+ exit(-1); -+ } -+ tilebuf = _TIFFmalloc(tile_buffsize + 3); - if (tilebuf == 0) - return 0; -+ tilebuf[tile_buffsize] = 0; -+ tilebuf[tile_buffsize+1] = 0; -+ tilebuf[tile_buffsize+2] = 0; - - dst_rowsize = ((imagewidth * bps * spp) + 7) / 8; - for (row = 0; row < imagelength; row += tl) diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch deleted file mode 100644 index dddaa0c..0000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sat, 8 Oct 2016 15:54:56 +0000 -Subject: [PATCH] fix CVE-2016-9540 - * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd - tile width vs image width. Reported as MSVR 35103 - by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & - Mitigations team. - -CVE: CVE-2016-9540 - -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 - -Signed-off-by: Zhixiong Chi <zhixiong....@windriver.com> ---- - ChangeLog | 7 +++++++ - tools/tiffcp.c | 4 ++-- - 2 files changed, 9 insertions(+), 2 deletions(-) - -Index: tiff-4.0.4/ChangeLog -=================================================================== ---- tiff-4.0.4.orig/ChangeLog 2016-11-24 14:40:43.046867737 +0800 -+++ tiff-4.0.4/ChangeLog 2016-11-28 14:38:01.681276171 +0800 -@@ -17,6 +17,13 @@ - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 - (CVE-2014-8127, duplicate: CVE-2016-3658) - -+2016-10-08 Even Rouault <even.rouault at spatialys.com> -+ -+ * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd -+ tile width vs image width. Reported as MSVR 35103 -+ by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & -+ Mitigations team. -+ - 2016-09-24 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> - - * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to -Index: tiff-4.0.4/tools/tiffcp.c -=================================================================== ---- tiff-4.0.4.orig/tools/tiffcp.c 2015-06-21 09:09:10.000000000 +0800 -+++ tiff-4.0.4/tools/tiffcp.c 2016-11-28 14:41:02.221277430 +0800 -@@ -1338,7 +1338,7 @@ - uint32 colb = 0; - uint32 col; - -- for (col = 0; col < imagewidth; col += tw) { -+ for (col = 0; col < imagewidth && colb < imagew; col += tw) { - if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0 - && !ignore) { - TIFFError(TIFFFileName(in), -@@ -1523,7 +1523,7 @@ - uint32 colb = 0; - uint32 col; - -- for (col = 0; col < imagewidth; col += tw) { -+ for (col = 0; col < imagewidth && colb < imagew; col += tw) { - /* - * Tile is clipped horizontally. Calculate - * visible portion and skewing factors. diff --git a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch b/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch deleted file mode 100644 index bd587e6..0000000 --- a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch +++ /dev/null @@ -1,281 +0,0 @@ -From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Fri, 23 Sep 2016 22:12:18 +0000 -Subject: [PATCH] Fix several CVE issues - -Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537 - -* tools/tiffcrop.c: fix various out-of-bounds write - vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093, - MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from - the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix - out-of-bounds write vulnerabilities in heap allocate buffer in - t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet - and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. * - libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap - allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and - Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. * - libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that - didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if - that could happen in practice outside of the odd behaviour of t2p_seekproc() - of tiff2pdf). The report points that a better fix could be to check the - return value of TIFFFlushData1() in places where it isn't done currently, but - it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel - Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities & - Mitigations team. - -CVE: CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, CVE-2016-9537 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef - -Signed-off-by: Mingli Yu <mingli...@windriver.com> - ---- - libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++----------------------------- - libtiff/tif_write.c | 7 +++++++ - tools/tiff2pdf.c | 22 ++++++++++++++++++-- - tools/tiffcrop.c | 20 +++++++++++++++++- - 4 files changed, 92 insertions(+), 35 deletions(-) - -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c -index 1fb8f3b..d1246c3 100644 ---- a/libtiff/tif_pixarlog.c -+++ b/libtiff/tif_pixarlog.c -@@ -983,17 +983,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2) - a1 = (int32) CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1; - } - } else { -- ip += n - 1; /* point to last one */ -- wp += n - 1; /* point to last one */ -- n -= stride; -- while (n > 0) { -- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); -- wp[stride] -= wp[0]; -- wp[stride] &= mask; -- wp--; ip--) -- n -= stride; -- } -- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--) -+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++) -+ n -= stride; -+ while (n > 0) { -+ REPEAT(stride, -+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask); -+ wp++; ip++) -+ n -= stride; -+ } - } - } - } -@@ -1036,17 +1033,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride, - a1 = CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1; - } - } else { -- ip += n - 1; /* point to last one */ -- wp += n - 1; /* point to last one */ -+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) - n -= stride; - while (n > 0) { -- REPEAT(stride, wp[0] = CLAMP(ip[0]); -- wp[stride] -= wp[0]; -- wp[stride] &= mask; -- wp--; ip--) -- n -= stride; -- } -- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) -+ REPEAT(stride, -+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); -+ wp++; ip++) -+ n -= stride; -+ } - } - } - } -@@ -1089,18 +1083,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride, - ip += 4; - } - } else { -- wp += n + stride - 1; /* point to last one */ -- ip += n + stride - 1; /* point to last one */ -- n -= stride; -- while (n > 0) { -- REPEAT(stride, wp[0] = CLAMP(ip[0]); -- wp[stride] -= wp[0]; -- wp[stride] &= mask; -- wp--; ip--) -- n -= stride; -- } -- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) -- } -+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) -+ n -= stride; -+ while (n > 0) { -+ REPEAT(stride, -+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); -+ wp++; ip++) -+ n -= stride; -+ } -+ } - } - } - -diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c -index f9a3fc0..d8fa802 100644 ---- a/libtiff/tif_write.c -+++ b/libtiff/tif_write.c -@@ -798,7 +798,14 @@ TIFFFlushData1(TIFF* tif) - if (!TIFFAppendToStrip(tif, - isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip, - tif->tif_rawdata, tif->tif_rawcc)) -+ { -+ /* We update those variables even in case of error since there's */ -+ /* code that doesn't really check the return code of this */ -+ /* function */ -+ tif->tif_rawcc = 0; -+ tif->tif_rawcp = tif->tif_rawdata; - return (0); -+ } - tif->tif_rawcc = 0; - tif->tif_rawcp = tif->tif_rawdata; - } -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index dcd5a7e..f8df6b5 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t); - int t2p_process_ojpeg_tables(T2P*, TIFF*); - #endif - #ifdef JPEG_SUPPORT --int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32); -+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32); - #endif - void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32); - void t2p_write_advance_directory(T2P*, TIFF*); -@@ -2408,7 +2408,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){ - if(!t2p_process_jpeg_strip( - stripbuffer, - &striplength, -- buffer, -+ buffer, -+ t2p->tiff_datasize, - &bufferoffset, - i, - t2p->tiff_length)){ -@@ -3439,6 +3440,7 @@ int t2p_process_jpeg_strip( - unsigned char* strip, - tsize_t* striplength, - unsigned char* buffer, -+ tsize_t buffersize, - tsize_t* bufferoffset, - tstrip_t no, - uint32 height){ -@@ -3473,6 +3475,8 @@ int t2p_process_jpeg_strip( - } - switch( strip[i] ){ - case 0xd8: /* SOI - start of image */ -+ if( *bufferoffset + 2 > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); - *bufferoffset+=2; - break; -@@ -3482,12 +3486,18 @@ int t2p_process_jpeg_strip( - case 0xc9: /* SOF9 */ - case 0xca: /* SOF10 */ - if(no==0){ -+ if( *bufferoffset + datalen + 2 + 6 > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ if( *bufferoffset + 9 >= buffersize ) -+ return(0); - ncomp = buffer[*bufferoffset+9]; - if (ncomp < 1 || ncomp > 4) - return(0); - v_samp=1; - h_samp=1; -+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize ) -+ return(0); - for(j=0;j<ncomp;j++){ - uint16 samp = buffer[*bufferoffset+11+(3*j)]; - if( (samp>>4) > h_samp) -@@ -3519,20 +3529,28 @@ int t2p_process_jpeg_strip( - break; - case 0xc4: /* DHT */ - case 0xdb: /* DQT */ -+ if( *bufferoffset + datalen + 2 > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); - *bufferoffset+=datalen+2; - break; - case 0xda: /* SOS */ - if(no==0){ -+ if( *bufferoffset + datalen + 2 > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); - *bufferoffset+=datalen+2; - } else { -+ if( *bufferoffset + 2 > buffersize ) -+ return(0); - buffer[(*bufferoffset)++]=0xff; - buffer[(*bufferoffset)++]= - (unsigned char)(0xd0 | ((no-1)%8)); - } - i += datalen + 1; - /* copy remainder of strip */ -+ if( *bufferoffset + *striplength - i > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); - *bufferoffset+= *striplength - i; - return(1); -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index ebc4aba..7685566 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -5758,7 +5758,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - { - uint32 i; - float xres = 0.0, yres = 0.0; -- uint16 nstrips = 0, ntiles = 0, planar = 0; -+ uint32 nstrips = 0, ntiles = 0; -+ uint16 planar = 0; - uint16 bps = 0, spp = 0, res_unit = 0; - uint16 orientation = 0; - uint16 input_compression = 0, input_photometric = 0; -@@ -6066,11 +6067,23 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ - /* outside buffer */ - if (!read_buff) -+ { -+ if( buffsize > 0xFFFFFFFFU - 3 ) -+ { -+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); -+ return (-1); -+ } - read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); -+ } - else - { - if (prev_readsize < buffsize) -+ { -+ if( buffsize > 0xFFFFFFFFU - 3 ) - { -+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); -+ return (-1); -+ } - new_buff = _TIFFrealloc(read_buff, buffsize+3); - if (!new_buff) - { -@@ -8912,6 +8925,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width, - } - - bytes_per_pixel = ((bps * spp) + 7) / 8; -+ if( bytes_per_pixel > sizeof(swapbuff) ) -+ { -+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large"); -+ return (1); -+ } - switch (bps / 8) - { - case 8: /* Use memcpy for multiple bytes per sample data */ --- -2.9.3 - diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb similarity index 65% rename from meta/recipes-multimedia/libtiff/tiff_4.0.6.bb rename to meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 450927d..bbc7389 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb @@ -6,29 +6,10 @@ CVE_NAME = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ - file://CVE-2015-8665_8683.patch \ - file://CVE-2015-8781.patch \ - file://CVE-2015-8784.patch \ - file://CVE-2016-3186.patch \ - file://CVE-2016-5321.patch \ - file://CVE-2016-5323.patch \ - file://CVE-2016-3945.patch \ - file://CVE-2016-3990.patch \ - file://CVE-2016-3991.patch \ - file://CVE-2016-3623.patch \ - file://CVE-2016-3622.patch \ - file://CVE-2016-3658.patch \ - file://CVE-2016-3632.patch \ - file://CVE-2016-9540.patch \ - file://CVE-2016-9539.patch \ - file://CVE-2016-9535-1.patch \ - file://CVE-2016-9535-2.patch \ - file://CVE-2016-9538.patch \ - file://Fix_several_CVE_issues.patch \ " -SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" -SRC_URI[sha256sum] = "4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c" +SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" +SRC_URI[sha256sum] = "9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019" # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
