tiff: Security fix CVE-2016-10266
(From OE-Core rev: aa1dc0afd99970f474f38a671e6c49aa2090fbe3) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
46ee394865
commit
3b7576ac22
|
@ -0,0 +1,60 @@
|
||||||
|
From 1855407c4e5a27ade006b26c2dec8a31745c356e Mon Sep 17 00:00:00 2001
|
||||||
|
From: erouault <erouault>
|
||||||
|
Date: Fri, 2 Dec 2016 21:56:56 +0000
|
||||||
|
Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow
|
||||||
|
in TIFFReadEncodedStrip() that caused an integer division by zero. Reported
|
||||||
|
by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
|
||||||
|
CVE: CVE-2016-10266
|
||||||
|
Signed-off-by: Rajkumar Veer <rveer@mvista.com>
|
||||||
|
---
|
||||||
|
ChangeLog | 7 +++++++
|
||||||
|
libtiff/tif_read.c | 2 +-
|
||||||
|
libtiff/tiffiop.h | 4 ++++
|
||||||
|
3 files changed, 12 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
Index: tiff-4.0.7/ChangeLog
|
||||||
|
===================================================================
|
||||||
|
--- tiff-4.0.7.orig/ChangeLog
|
||||||
|
+++ tiff-4.0.7/ChangeLog
|
||||||
|
@@ -1,3 +1,10 @@
|
||||||
|
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
|
||||||
|
+
|
||||||
|
+ * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
|
||||||
|
+ TIFFReadEncodedStrip() that caused an integer division by zero.
|
||||||
|
+ Reported by Agostino Sarubbo.
|
||||||
|
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
|
||||||
|
+
|
||||||
|
2017-07-15 Even Rouault <even.rouault at spatialys.com>
|
||||||
|
|
||||||
|
* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
|
||||||
|
Index: tiff-4.0.7/libtiff/tif_read.c
|
||||||
|
===================================================================
|
||||||
|
--- tiff-4.0.7.orig/libtiff/tif_read.c
|
||||||
|
+++ tiff-4.0.7/libtiff/tif_read.c
|
||||||
|
@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 s
|
||||||
|
rowsperstrip=td->td_rowsperstrip;
|
||||||
|
if (rowsperstrip>td->td_imagelength)
|
||||||
|
rowsperstrip=td->td_imagelength;
|
||||||
|
- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
|
||||||
|
+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
|
||||||
|
stripinplane=(strip%stripsperplane);
|
||||||
|
plane=(uint16)(strip/stripsperplane);
|
||||||
|
rows=td->td_imagelength-stripinplane*rowsperstrip;
|
||||||
|
Index: tiff-4.0.7/libtiff/tiffiop.h
|
||||||
|
===================================================================
|
||||||
|
--- tiff-4.0.7.orig/libtiff/tiffiop.h
|
||||||
|
+++ tiff-4.0.7/libtiff/tiffiop.h
|
||||||
|
@@ -250,6 +250,10 @@ struct tiff {
|
||||||
|
#define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
|
||||||
|
((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
|
||||||
|
0U)
|
||||||
|
+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
|
||||||
|
+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
|
||||||
|
+#define TIFFhowmany_32_maxuint_compat(x, y) \
|
||||||
|
+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
|
||||||
|
#define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
|
||||||
|
#define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
|
||||||
|
#define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
|
|
@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
|
||||||
file://CVE-2016-10271.patch \
|
file://CVE-2016-10271.patch \
|
||||||
file://CVE-2016-10093.patch \
|
file://CVE-2016-10093.patch \
|
||||||
file://CVE-2016-10268.patch \
|
file://CVE-2016-10268.patch \
|
||||||
|
file://CVE-2016-10266.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
|
SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
|
||||||
|
|
Loading…
Reference in New Issue