sysmo-bts
/
generic-poky
9
0
Fork 0
Code Pull Requests Releases Activity

tiff: Security fix CVE-2016-3622 

CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4

Patch from:
92d966a5fc

(From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Yi Zhao 2016-10-26 16:26:48 +08:00 committed by Richard Purdie
parent 28c8e12e30
commit 3a6612a811
2 changed files with 130 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch Normal file
View File

@ -0,0 +1,129 @@
From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
From: bfriesen <bfriesen>
Date: Sat, 24 Sep 2016 23:11:55 +0000
Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
to read floating point images.
* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."
CVE: CVE-2016-3622
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 11 ++++++++++-
libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
libtiff/tif_predict.c | 11 ++++++++++-
3 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 26d6f47..a628277 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
+ read floating point images.
+
+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+ requirements of floating point predictor (3). Fixes CVE-2016-3622
+ "Divide By Zero in the tiff2rgba tool."
+
2016-08-15 Even Rouault <even.rouault at spatialys.com>
* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 386cee0..3e689ee 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
td->td_bitspersample);
return (0);
}
+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
+ return (0);
+ }
colorchannels = td->td_samplesperpixel - td->td_extrasamples;
if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
switch (colorchannels) {
@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
"Planarconfiguration", td->td_planarconfig);
return (0);
}
- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
- {
- sprintf(emsg,
- "Sorry, can not handle image with %s=%d, %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
- "colorchannels", colorchannels);
- return 0;
- }
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d, %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels);
+ return 0;
+ }
break;
case PHOTOMETRIC_CIELAB:
- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
- {
- sprintf(emsg,
- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
- "colorchannels", colorchannels,
- "Bits/sample", td->td_bitspersample);
- return 0;
- }
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
break;
- default:
+ default:
sprintf(emsg, "Sorry, can not handle image with %s=%d",
photoTag, photometric);
return (0);
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
index 081eb11..555f2f9 100644
--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
td->td_sampleformat);
return 0;
}
+ if (td->td_bitspersample != 16
+ && td->td_bitspersample != 24
+ && td->td_bitspersample != 32
+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Floating point \"Predictor\" not supported with %d-bit samples",
+ td->td_bitspersample);
+ return 0;
+ }
break;
default:
TIFFErrorExt(tif->tif_clientdata, module,
@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
}
/*
* Allocate buffer to keep the decoded bytes before
- * rearranging in the ight order
+ * rearranging in the right order
*/
}
--
2.7.4

1
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
View File

@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2016-3990.patch \
file://CVE-2016-3991.patch \
file://CVE-2016-3623.patch \
file://CVE-2016-3622.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"