tiff: Security fix for CVE-2016-10270
(From OE-Core rev: 9600bca011fe5fd2837606ab05e64325b3f12114) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
6a2f7581c5
commit
7af530d449
|
@ -0,0 +1,134 @@
|
|||
From 6e7042c61e300cf9971c645c79d05de974b24308 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sat, 3 Dec 2016 11:02:15 +0000
|
||||
Subject: [PATCH 3/4] * libtiff/tif_dirread.c: modify
|
||||
ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
|
||||
TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
|
||||
the total size of data. Which is faulty is the total size of data is not
|
||||
sufficient to fill the whole image, and thus results in reading outside of
|
||||
the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
|
||||
by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
|
||||
|
||||
* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
|
||||
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
|
||||
the above change is a better fix that makes it unnecessary.
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
CVE: CVE-2016-10270
|
||||
Signed-off-by: Rajkumar Veer <rveer@mvista.com>
|
||||
---
|
||||
ChangeLog | 15 +++++++++++++++
|
||||
libtiff/tif_dirread.c | 22 ++++++++++------------
|
||||
libtiff/tif_strip.c | 9 ---------
|
||||
3 files changed, 25 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 0a2c2a7..6e30e41 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,5 +1,20 @@
|
||||
2016-12-03 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
+ * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
|
||||
+ instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
|
||||
+ instead of a logic based on the total size of data. Which is faulty is
|
||||
+ the total size of data is not sufficient to fill the whole image, and thus
|
||||
+ results in reading outside of the StripByCounts/StripOffsets arrays when
|
||||
+ using TIFFReadScanline().
|
||||
+ Reported by Agostino Sarubbo.
|
||||
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
|
||||
+
|
||||
+ * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
|
||||
+ for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
|
||||
+ the above change is a better fix that makes it unnecessary.
|
||||
+
|
||||
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
|
||||
overflow on generation of PixarLog / LUV compressed files, with
|
||||
ColorMap, TransferFunction attached and nasty plays with bitspersample.
|
||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||
index 3eec79c..570d0c3 100644
|
||||
--- a/libtiff/tif_dirread.c
|
||||
+++ b/libtiff/tif_dirread.c
|
||||
@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
||||
uint64 rowblockbytes;
|
||||
uint64 stripbytes;
|
||||
uint32 strip;
|
||||
- uint64 nstrips64;
|
||||
- uint32 nstrips32;
|
||||
+ uint32 nstrips;
|
||||
uint32 rowsperstrip;
|
||||
uint64* newcounts;
|
||||
uint64* newoffsets;
|
||||
@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
||||
return;
|
||||
|
||||
/*
|
||||
- * never increase the number of strips in an image
|
||||
+ * never increase the number of rows per strip
|
||||
*/
|
||||
if (rowsperstrip >= td->td_rowsperstrip)
|
||||
return;
|
||||
- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
|
||||
- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
|
||||
- return;
|
||||
- nstrips32 = (uint32)nstrips64;
|
||||
+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
|
||||
+ if( nstrips == 0 )
|
||||
+ return;
|
||||
|
||||
- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
|
||||
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
||||
"for chopped \"StripByteCounts\" array");
|
||||
- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
|
||||
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
||||
"for chopped \"StripOffsets\" array");
|
||||
if (newcounts == NULL || newoffsets == NULL) {
|
||||
/*
|
||||
@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
||||
* Fill the strip information arrays with new bytecounts and offsets
|
||||
* that reflect the broken-up format.
|
||||
*/
|
||||
- for (strip = 0; strip < nstrips32; strip++) {
|
||||
+ for (strip = 0; strip < nstrips; strip++) {
|
||||
if (stripbytes > bytecount)
|
||||
stripbytes = bytecount;
|
||||
newcounts[strip] = stripbytes;
|
||||
- newoffsets[strip] = offset;
|
||||
+ newoffsets[strip] = stripbytes ? offset : 0;
|
||||
offset += stripbytes;
|
||||
bytecount -= stripbytes;
|
||||
}
|
||||
/*
|
||||
* Replace old single strip info with multi-strip info.
|
||||
*/
|
||||
- td->td_stripsperimage = td->td_nstrips = nstrips32;
|
||||
+ td->td_stripsperimage = td->td_nstrips = nstrips;
|
||||
TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
|
||||
|
||||
_TIFFfree(td->td_stripbytecount);
|
||||
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
|
||||
index 4c46ecf..1676e47 100644
|
||||
--- a/libtiff/tif_strip.c
|
||||
+++ b/libtiff/tif_strip.c
|
||||
@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
|
||||
TIFFDirectory *td = &tif->tif_dir;
|
||||
uint32 nstrips;
|
||||
|
||||
- /* If the value was already computed and store in td_nstrips, then return it,
|
||||
- since ChopUpSingleUncompressedStrip might have altered and resized the
|
||||
- since the td_stripbytecount and td_stripoffset arrays to the new value
|
||||
- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
|
||||
- tif_dirread.c ~line 3612.
|
||||
- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
|
||||
- if( td->td_nstrips )
|
||||
- return td->td_nstrips;
|
||||
-
|
||||
nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
|
||||
TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
|
||||
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
|
||||
--
|
||||
1.9.1
|
||||
|
|
@ -17,6 +17,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
|
|||
file://CVE-2016-10266.patch \
|
||||
file://CVE-2016-10267.patch \
|
||||
file://CVE-2016-10269.patch \
|
||||
file://CVE-2016-10270.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
|
||||
|
|
Loading…
Reference in New Issue