tiff: Security fix CVE-2016-3622
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4
Patch from:
92d966a5fc
(From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
28c8e12e30
commit
3a6612a811
|
@ -0,0 +1,129 @@
|
|||
From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
|
||||
From: bfriesen <bfriesen>
|
||||
Date: Sat, 24 Sep 2016 23:11:55 +0000
|
||||
Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
|
||||
to read floating point images.
|
||||
|
||||
* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
|
||||
requirements of floating point predictor (3). Fixes CVE-2016-3622
|
||||
"Divide By Zero in the tiff2rgba tool."
|
||||
|
||||
CVE: CVE-2016-3622
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
ChangeLog | 11 ++++++++++-
|
||||
libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
|
||||
libtiff/tif_predict.c | 11 ++++++++++-
|
||||
3 files changed, 40 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 26d6f47..a628277 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,12 @@
|
||||
+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||
+
|
||||
+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
|
||||
+ read floating point images.
|
||||
+
|
||||
+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
|
||||
+ requirements of floating point predictor (3). Fixes CVE-2016-3622
|
||||
+ "Divide By Zero in the tiff2rgba tool."
|
||||
+
|
||||
2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index 386cee0..3e689ee 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
|
||||
td->td_bitspersample);
|
||||
return (0);
|
||||
}
|
||||
+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
|
||||
+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
|
||||
+ return (0);
|
||||
+ }
|
||||
colorchannels = td->td_samplesperpixel - td->td_extrasamples;
|
||||
if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
|
||||
switch (colorchannels) {
|
||||
@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
|
||||
"Planarconfiguration", td->td_planarconfig);
|
||||
return (0);
|
||||
}
|
||||
- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
|
||||
- {
|
||||
- sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d, %s=%d",
|
||||
- "Samples/pixel", td->td_samplesperpixel,
|
||||
- "colorchannels", colorchannels);
|
||||
- return 0;
|
||||
- }
|
||||
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
|
||||
+ sprintf(emsg,
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels);
|
||||
+ return 0;
|
||||
+ }
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
|
||||
- {
|
||||
- sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
|
||||
- "Samples/pixel", td->td_samplesperpixel,
|
||||
- "colorchannels", colorchannels,
|
||||
- "Bits/sample", td->td_bitspersample);
|
||||
- return 0;
|
||||
- }
|
||||
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
|
||||
+ sprintf(emsg,
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels,
|
||||
+ "Bits/sample", td->td_bitspersample);
|
||||
+ return 0;
|
||||
+ }
|
||||
break;
|
||||
- default:
|
||||
+ default:
|
||||
sprintf(emsg, "Sorry, can not handle image with %s=%d",
|
||||
photoTag, photometric);
|
||||
return (0);
|
||||
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
|
||||
index 081eb11..555f2f9 100644
|
||||
--- a/libtiff/tif_predict.c
|
||||
+++ b/libtiff/tif_predict.c
|
||||
@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
|
||||
td->td_sampleformat);
|
||||
return 0;
|
||||
}
|
||||
+ if (td->td_bitspersample != 16
|
||||
+ && td->td_bitspersample != 24
|
||||
+ && td->td_bitspersample != 32
|
||||
+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Floating point \"Predictor\" not supported with %d-bit samples",
|
||||
+ td->td_bitspersample);
|
||||
+ return 0;
|
||||
+ }
|
||||
break;
|
||||
default:
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
|
||||
}
|
||||
/*
|
||||
* Allocate buffer to keep the decoded bytes before
|
||||
- * rearranging in the ight order
|
||||
+ * rearranging in the right order
|
||||
*/
|
||||
}
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
|
|||
file://CVE-2016-3990.patch \
|
||||
file://CVE-2016-3991.patch \
|
||||
file://CVE-2016-3623.patch \
|
||||
file://CVE-2016-3622.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
|
||||
|
|
Loading…
Reference in New Issue