tiff: Security fix for CVE-2017-7593

(From OE-Core rev: b6ec8ab42befaa07c859a5c5cc14611b821a1304) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-11-03 22:35:09 -07:00 · 2017-11-03 22:35:09 -07:00 · a2ad903fa9
parent 2aed68963f
commit a2ad903fa9
2 changed files with 99 additions and 0 deletions
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
@ -0,0 +1,98 @@
+From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 19:02:49 +0000
+Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+ _TIFFcalloc()
+
+* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+initialize tif_rawdata.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7593
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog	2017-04-25 19:03:20.584155452 +0530
+++ tiff-4.0.7/ChangeLog	2017-04-26 12:09:41.986866896 +0530
+@@ -44,6 +44,14 @@
+ 
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ 
+	* libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc()
+
+	* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+	initialize tif_rawdata.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ 	* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
+ 	avoid UndefinedBehaviorSanitizer warning.
+ 	Patch by Nicolas Pena.
+Index: tiff-4.0.7/libtiff/tif_read.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_read.c	2017-04-25 19:03:20.584155452 +0530
+++ tiff-4.0.7/libtiff/tif_read.c	2017-04-26 12:11:42.814863729 +0530
+@@ -986,7 +986,9 @@
+ 				 "Invalid buffer size");
+ 		    return (0);
+ 		}
+-		tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+                /* Initialize to zero to avoid uninitialized buffers in case of */
+                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+                tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ 		tif->tif_flags |= TIFF_MYBUFFER;
+ 	}
+ 	if (tif->tif_rawdata == NULL) {
+Index: tiff-4.0.7/libtiff/tif_unix.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_unix.c	2015-08-29 03:46:22.707817041 +0530
+++ tiff-4.0.7/libtiff/tif_unix.c	2017-04-26 12:13:07.442861510 +0530
+@@ -316,6 +316,14 @@
+ 	return (malloc((size_t) s));
+ }
+ 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
+ void
+ _TIFFfree(void* p)
+ {
+Index: tiff-4.0.7/libtiff/tif_win32.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_win32.c	2015-08-29 03:46:22.730570169 +0530
+++ tiff-4.0.7/libtiff/tif_win32.c	2017-04-26 12:14:12.918859794 +0530
+@@ -360,6 +360,14 @@
+ 	return (malloc((size_t) s));
+ }
+ 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
+ void
+ _TIFFfree(void* p)
+ {
+Index: tiff-4.0.7/libtiff/tiffio.h
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tiffio.h	2016-01-24 21:09:51.894442042 +0530
+++ tiff-4.0.7/libtiff/tiffio.h	2017-04-26 12:15:55.034857117 +0530
+@@ -293,6 +293,7 @@
+  */
+ 
+ extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2017-7598.patch \
           file://CVE-2017-7601.patch \
           file://CVE-2017-7602.patch \
+           file://CVE-2017-7593.patch \
        "

 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"