sysmo-bts
/
generic-poky
9
0
Fork 0
Code Pull Requests Releases Activity

libtiff: Update to 4.0.7 

Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.

CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632

plus more that are not identified in the changelog.

removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html

(From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster 2016-12-10 09:38:43 -08:00 committed by Richard Purdie
parent 840ea755f2
commit a63b53841b
20 changed files with 2 additions and 2221 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

137
meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
View File

@ -1,137 +0,0 @@
From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sat, 26 Dec 2015 17:32:03 +0000
Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
TIFFRGBAImage interface in case of unsupported values of
SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
limingxing and CVE-2015-8683 reported by zzf of Alibaba.
Upstream-Status: Backport
CVE: CVE-2015-8665
CVE: CVE-2015-8683
https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 8 ++++++++
libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
2 files changed, 30 insertions(+), 13 deletions(-)
Index: tiff-4.0.6/libtiff/tif_getimage.c
===================================================================
--- tiff-4.0.6.orig/libtiff/tif_getimage.c
+++ tiff-4.0.6/libtiff/tif_getimage.c
@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
"Planarconfiguration", td->td_planarconfig);
return (0);
}
- if( td->td_samplesperpixel != 3 )
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
{
sprintf(emsg,
- "Sorry, can not handle image with %s=%d",
- "Samples/pixel", td->td_samplesperpixel);
+ "Sorry, can not handle image with %s=%d, %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels);
return 0;
}
break;
case PHOTOMETRIC_CIELAB:
- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
{
sprintf(emsg,
- "Sorry, can not handle image with %s=%d and %s=%d",
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
"Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels,
"Bits/sample", td->td_bitspersample);
return 0;
}
@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
int colorchannels;
uint16 *red_orig, *green_orig, *blue_orig;
int n_color;
+
+ if( !TIFFRGBAImageOK(tif, emsg) )
+ return 0;
/* Initialize to normal values */
img->row_offset = 0;
@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
case PHOTOMETRIC_RGB:
switch (img->bitspersample) {
case 8:
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+ img->samplesperpixel >= 4)
img->put.contig = putRGBAAcontig8bittile;
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+ img->samplesperpixel >= 4)
{
if (BuildMapUaToAa(img))
img->put.contig = putRGBUAcontig8bittile;
}
- else
+ else if( img->samplesperpixel >= 3 )
img->put.contig = putRGBcontig8bittile;
break;
case 16:
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+ img->samplesperpixel >=4 )
{
if (BuildMapBitdepth16To8(img))
img->put.contig = putRGBAAcontig16bittile;
}
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+ img->samplesperpixel >=4 )
{
if (BuildMapBitdepth16To8(img) &&
BuildMapUaToAa(img))
img->put.contig = putRGBUAcontig16bittile;
}
- else
+ else if( img->samplesperpixel >=3 )
{
if (BuildMapBitdepth16To8(img))
img->put.contig = putRGBcontig16bittile;
@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
}
break;
case PHOTOMETRIC_SEPARATED:
- if (buildMap(img)) {
+ if (img->samplesperpixel >=4 && buildMap(img)) {
if (img->bitspersample == 8) {
if (!img->Map)
img->put.contig = putRGBcontig8bitCMYKtile;
@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
}
break;
case PHOTOMETRIC_CIELAB:
- if (buildMap(img)) {
+ if (img->samplesperpixel == 3 && buildMap(img)) {
if (img->bitspersample == 8)
img->put.contig = initCIELabConversion(img);
break;
Index: tiff-4.0.6/ChangeLog
===================================================================
--- tiff-4.0.6.orig/ChangeLog
+++ tiff-4.0.6/ChangeLog
@@ -1,3 +1,11 @@
+2015-12-26 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+ CVE-2015-8683 reported by zzf of Alibaba.
+
2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.6 released.

195
meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
View File

@ -1,195 +0,0 @@
From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sun, 27 Dec 2015 16:25:11 +0000
Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
decode functions in non debug builds by replacing assert()s by regular if
checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
input data.
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
hand applied Changelog changes
CVE: CVE-2015-8781
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 7 +++++++
libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
2 files changed, 51 insertions(+), 11 deletions(-)
Index: tiff-4.0.4/ChangeLog
===================================================================
--- tiff-4.0.4.orig/ChangeLog
+++ tiff-4.0.4/ChangeLog
@@ -1,3 +1,10 @@
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+ functions in non debug builds by replacing assert()s by regular if
+ checks (bugzilla #2522).
+ Fix potential out-of-bound reads in case of short input data.
+
2015-12-26 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
Index: tiff-4.0.4/libtiff/tif_luv.c
===================================================================
--- tiff-4.0.4.orig/libtiff/tif_luv.c
+++ tiff-4.0.4/libtiff/tif_luv.c
@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
tp = (int16*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (int16*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 2*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ if( cc < 2 )
+ break;
+ rc = *bp++ + (2-128);
b = (int16)(*bp++ << shft);
cc -= 2;
while (rc-- && i < npixels)
@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
while (--cc && rc-- && i < npixels)
tp[i++] |= (int16)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32 *)op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32 *) sp->tbuf;
}
/* copy to array of uint32 */
bp = (unsigned char*) tif->tif_rawcp;
cc = tif->tif_rawcc;
- for (i = 0; i < npixels && cc > 0; i++) {
+ for (i = 0; i < npixels && cc >= 3; i++) {
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
bp += 3;
cc -= 3;
@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 4*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
+ if( cc < 2 )
+ break;
rc = *bp++ + (2-128);
b = (uint32)*bp++ << shft;
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ cc -= 2;
while (rc-- && i < npixels)
tp[i++] |= b;
} else { /* non-run */
@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
while (--cc && rc-- && i < npixels)
tp[i++] |= (uint32)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
static int
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogL16Encode";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
tp = (int16*) bp;
else {
tp = (int16*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */
@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
static int
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode24";
LogLuvState* sp = EncoderState(tif);
tmsize_t i;
tmsize_t npixels;
@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* write out encoded pixels */
@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
static int
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode32";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */

73
meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
View File

@ -1,73 +0,0 @@
From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sun, 27 Dec 2015 16:55:20 +0000
Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
(bugzilla #2508)
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
hand applied Changelog changes
CVE: CVE-2015-8784
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 6 ++++++
libtiff/tif_next.c | 10 ++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
Index: tiff-4.0.4/ChangeLog
===================================================================
--- tiff-4.0.4.orig/ChangeLog
+++ tiff-4.0.4/ChangeLog
@@ -1,5 +1,11 @@
2015-12-27 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+ (bugzilla #2508)
+
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
functions in non debug builds by replacing assert()s by regular if
checks (bugzilla #2522).
Index: tiff-4.0.4/libtiff/tif_next.c
===================================================================
--- tiff-4.0.4.orig/libtiff/tif_next.c
+++ tiff-4.0.4/libtiff/tif_next.c
@@ -37,7 +37,7 @@
case 0: op[0] = (unsigned char) ((v) << 6); break; \
case 1: op[0] |= (v) << 4; break; \
case 2: op[0] |= (v) << 2; break; \
- case 3: *op++ |= (v); break; \
+ case 3: *op++ |= (v); op_offset++; break; \
} \
}
@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
uint32 imagewidth = tif->tif_dir.td_imagewidth;
if( isTiled(tif) )
imagewidth = tif->tif_dir.td_tilewidth;
+ tmsize_t op_offset = 0;
/*
* The scanline is composed of a sequence of constant
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
* bounds, potentially resulting in a security
* issue.
*/
- while (n-- > 0 && npixels < imagewidth)
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
SETPIXEL(op, grey);
if (npixels >= imagewidth)
break;
+ if (op_offset >= scanline ) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+ (long) tif->tif_row);
+ return (0);
+ }
if (cc == 0)
goto bad;
n = *bp++, cc--;

24
meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
View File

@ -1,24 +0,0 @@
Buffer overflow in the readextension function in gif2tiff.c
allows remote attackers to cause a denial of service via a crafted GIF file.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
https://bugzilla.redhat.com/show_bug.cgi?id=1319503
CVE: CVE-2016-3186
Upstream-Status: Backport (RedHat)
https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
--- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200
+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200
@@ -349,7 +349,7 @@
int status = 1;
(void) getc(infile);
- while ((count = getc(infile)) && count <= 255)
+ while ((count = getc(infile)) && count >= 0 && count <= 255)
if (fread(buf, 1, count, infile) != (size_t) count) {
fprintf(stderr, "short read from file %s (%s)\n",
filename, strerror(errno));

129
meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
View File

@ -1,129 +0,0 @@
From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
From: bfriesen <bfriesen>
Date: Sat, 24 Sep 2016 23:11:55 +0000
Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
to read floating point images.
* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."
CVE: CVE-2016-3622
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 11 ++++++++++-
libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
libtiff/tif_predict.c | 11 ++++++++++-
3 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 26d6f47..a628277 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
+ read floating point images.
+
+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+ requirements of floating point predictor (3). Fixes CVE-2016-3622
+ "Divide By Zero in the tiff2rgba tool."
+
2016-08-15 Even Rouault <even.rouault at spatialys.com>
* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 386cee0..3e689ee 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
td->td_bitspersample);
return (0);
}
+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
+ return (0);
+ }
colorchannels = td->td_samplesperpixel - td->td_extrasamples;
if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
switch (colorchannels) {
@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
"Planarconfiguration", td->td_planarconfig);
return (0);
}
- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
- {
- sprintf(emsg,
- "Sorry, can not handle image with %s=%d, %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
- "colorchannels", colorchannels);
- return 0;
- }
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d, %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels);
+ return 0;
+ }
break;
case PHOTOMETRIC_CIELAB:
- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
- {
- sprintf(emsg,
- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
- "colorchannels", colorchannels,
- "Bits/sample", td->td_bitspersample);
- return 0;
- }
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
break;
- default:
+ default:
sprintf(emsg, "Sorry, can not handle image with %s=%d",
photoTag, photometric);
return (0);
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
index 081eb11..555f2f9 100644
--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
td->td_sampleformat);
return 0;
}
+ if (td->td_bitspersample != 16
+ && td->td_bitspersample != 24
+ && td->td_bitspersample != 32
+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Floating point \"Predictor\" not supported with %d-bit samples",
+ td->td_bitspersample);
+ return 0;
+ }
break;
default:
TIFFErrorExt(tif->tif_clientdata, module,
@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
}
/*
* Allocate buffer to keep the decoded bytes before
- * rearranging in the ight order
+ * rearranging in the right order
*/
}
--
2.7.4

52
meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
View File

@ -1,52 +0,0 @@
From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 15 Aug 2016 21:26:56 +0000
Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
CVE: CVE-2016-3623
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 5 +++++
tools/rgb2ycbcr.c | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 5d60608..3e6642a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2016-08-15 Even Rouault <even.rouault at spatialys.com>
+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
+
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
index 3829d6b..51f4259 100644
--- a/tools/rgb2ycbcr.c
+++ b/tools/rgb2ycbcr.c
@@ -95,9 +95,13 @@ main(int argc, char* argv[])
break;
case 'h':
horizSubSampling = atoi(optarg);
+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
+ usage(-1);
break;
case 'v':
vertSubSampling = atoi(optarg);
+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
+ usage(-1);
break;
case 'r':
rowsperstrip = atoi(optarg);
--
2.7.4

34
meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
View File

@ -1,34 +0,0 @@
From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Mon, 11 Jul 2016 16:04:34 +0200
Subject: [PATCH 4/8] Fix CVE-2016-3632
CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service
(out-of-bounds write) or execute arbitrary code via a crafted TIFF image.
CVE: CVE-2016-3632
Upstream-Status: Backport [RedHat RHEL7]
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
tools/thumbnail.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
index fd1cba5..75e7009 100644
--- a/tools/thumbnail.c
+++ b/tools/thumbnail.c
@@ -253,7 +253,8 @@ static struct cpTag {
{ TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL },
{ TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL },
{ TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT },
- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
+ // disable BADFAXLINES, CVE-2016-3632
+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
--
2.7.4

111
meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
View File

@ -1,111 +0,0 @@
From: 45c68450bef8ad876f310b495165c513cad8b67d
From: Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_dir.c: discard values of SMinSampleValue and
SMaxSampleValue when they have been read and the value of
SamplesPerPixel is changed afterwards (like when reading a
OJPEG compressed image with a missing SamplesPerPixel tag,
and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
being 3). Otherwise when rewriting the directory (for example
with tiffset, we will expect 3 values whereas the array had been
allocated with just one), thus causing a out of bound read access.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set
for a hack case in OJPEG case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
CVE: CVE-2016-3658
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
Index: tiff-4.0.6/ChangeLog
===================================================================
--- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
@@ -1,3 +1,22 @@
+2016-10-25 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
+ SMaxSampleValue when they have been read and the value of
+ SamplesPerPixel is changed afterwards (like when reading a
+ OJPEG compressed image with a missing SamplesPerPixel tag,
+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
+ being 3). Otherwise when rewriting the directory (for example
+ with tiffset, we will expect 3 values whereas the array had been
+ allocated with just one), thus causing a out of bound read access.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+ (CVE-2014-8127, duplicate: CVE-2016-3658)
+
+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
+ for a hack case in OJPEG case.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+ (CVE-2014-8127, duplicate: CVE-2016-3658)
+
2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
Index: tiff-4.0.6/libtiff/tif_dir.c
===================================================================
--- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
@@ -254,6 +254,28 @@
v = (uint16) va_arg(ap, uint16_vap);
if (v == 0)
goto badvalue;
+ if( v != td->td_samplesperpixel )
+ {
+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
+ if( td->td_sminsamplevalue != NULL )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "SamplesPerPixel tag value is changing, "
+ "but SMinSampleValue tag was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
+ _TIFFfree(td->td_sminsamplevalue);
+ td->td_sminsamplevalue = NULL;
+ }
+ if( td->td_smaxsamplevalue != NULL )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "SamplesPerPixel tag value is changing, "
+ "but SMaxSampleValue tag was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
+ _TIFFfree(td->td_smaxsamplevalue);
+ td->td_smaxsamplevalue = NULL;
+ }
+ }
td->td_samplesperpixel = (uint16) v;
break;
case TIFFTAG_ROWSPERSTRIP:
Index: tiff-4.0.6/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
@@ -542,7 +542,19 @@
{
if (!isTiled(tif))
{
- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+ /* td_stripoffset might be NULL in an odd OJPEG case. See
+ * tif_dirread.c around line 3634.
+ * XXX: OJPEG hack.
+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
+ * and c) the number of strips is 1,
+ * then we tolerate the absence of stripoffsets tag,
+ * because, presumably, all required data is in the
+ * JpegInterchangeFormat stream.
+ * We can get here when using tiffset on such a file.
+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
+ */
+ if (tif->tif_dir.td_stripoffset != NULL &&
+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
goto bad;
}
else

118
meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
View File

@ -1,118 +0,0 @@
From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 15 Aug 2016 20:06:40 +0000
Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
allocated buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
tests that rejected valid files.
CVE: CVE-2016-3945
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 8 ++++++++
tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 62dc1b5..9c0ab29 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
+ buffer, when -b mode is enabled, that could result in out-of-bounds
+ write. Based initially on patch tiff-CVE-2016-3945.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
+ invalid tests that rejected valid files.
+
2016-07-11 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcrop.c: Avoid access outside of stack allocated array
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index b7a81eb..16e3dc4 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
uint32 row, col;
uint32 *wrk_line;
int ok = 1;
+ uint32 rastersize, wrk_linesize;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ rastersize = tile_width * tile_height * sizeof (uint32);
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
* Allocate a scanline buffer for swapping during the vertical
* mirroring pass.
*/
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ wrk_linesize = tile_width * sizeof (uint32);
+ if (tile_width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
if (!wrk_line) {
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
ok = 0;
@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
uint32 row;
uint32 *wrk_line;
int ok = 1;
+ uint32 rastersize, wrk_linesize;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ rastersize = width * rowsperstrip * sizeof (uint32);
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
* Allocate a scanline buffer for swapping during the vertical
* mirroring pass.
*/
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ wrk_linesize = width * sizeof (uint32);
+ if (width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
if (!wrk_line) {
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
ok = 0;
--
2.7.4

66
meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
View File

@ -1,66 +0,0 @@
From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 15 Aug 2016 20:49:48 +0000
Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
PixarLogEncode if more input samples are provided than expected by
PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
simpler check. (bugzilla #2544)
invalid tests that rejected valid files. (bugzilla #2545)
CVE: CVE-2016-3990
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 10 +++++++++-
libtiff/tif_pixarlog.c | 7 +++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 9c0ab29..db4ea18 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,18 @@
2016-08-15 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
+ if more input samples are provided than expected by PixarLogSetupEncode.
+ Idea based on libtiff-CVE-2016-3990.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
+ simpler check. (bugzilla #2544)
+
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiff2rgba.c: Fix integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
- invalid tests that rejected valid files.
+ invalid tests that rejected valid files. (bugzilla #2545)
2016-07-11 Even Rouault <even.rouault at spatialys.com>
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index e78f788..28329d1 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
}
llen = sp->stride * td->td_imagewidth;
+ /* Check against the number of elements (of size uint16) of sp->tbuf */
+ if( n > td->td_rowsperstrip * llen )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Too many input bytes provided");
+ return 0;
+ }
for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
switch (sp->user_datafmt) {
--
2.7.4

147
meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
View File

@ -1,147 +0,0 @@
From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 15 Aug 2016 21:05:40 +0000
Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
loadImage(). From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
CVE: CVE-2016-3991
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 6 ++++++
tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 62 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index db4ea18..5d60608 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2016-08-15 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
+ From patch libtiff-CVE-2016-3991.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
+
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
if more input samples are provided than expected by PixarLogSetupEncode.
Idea based on libtiff-CVE-2016-3990.patch from
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 27abc0b..ddba7b9 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
}
tile_buffsize = tilesize;
+ if (tilesize == 0 || tile_rowsize == 0)
+ {
+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
+ exit(-1);
+ }
if (tilesize < (tsize_t)(tl * tile_rowsize))
{
@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
tilesize, tl * tile_rowsize);
#endif
tile_buffsize = tl * tile_rowsize;
- }
+ if (tl != (tile_buffsize / tile_rowsize))
+ {
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(-1);
+ }
+ }
tilebuf = _TIFFmalloc(tile_buffsize);
if (tilebuf == 0)
@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
!TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
return 1;
+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
+ {
+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
+ exit(-1);
+ }
+
tile_buffsize = tilesize;
if (tilesize < (tsize_t)(tl * tile_rowsize))
{
@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
tilesize, tl * tile_rowsize);
#endif
tile_buffsize = tl * tile_rowsize;
+ if (tl != tile_buffsize / tile_rowsize)
+ {
+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
+ exit(-1);
+ }
}
tilebuf = _TIFFmalloc(tile_buffsize);
@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
tile_rowsize = TIFFTileRowSize(in);
+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
+ {
+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
+ exit(-1);
+ }
buffsize = tlsize * ntiles;
+ if (tlsize != (buffsize / ntiles))
+ {
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
+ exit(-1);
+ }
-
if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
{
buffsize = ntiles * tl * tile_rowsize;
+ if (ntiles != (buffsize / tl / tile_rowsize))
+ {
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
+ exit(-1);
+ }
+
#ifdef DEBUG2
TIFFError("loadImage",
"Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
stsize = TIFFStripSize(in);
nstrips = TIFFNumberOfStrips(in);
+ if (nstrips == 0 || stsize == 0)
+ {
+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
+ exit(-1);
+ }
+
buffsize = stsize * nstrips;
-
+ if (stsize != (buffsize / nstrips))
+ {
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
+ exit(-1);
+ }
+ uint32 buffsize_check;
+ buffsize_check = ((length * width * spp * bps) + 7);
+ if (length != ((buffsize_check - 7) / width / spp / bps))
+ {
+ TIFFError("loadImage", "Integer overflow detected.");
+ exit(-1);
+ }
if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
{
buffsize = ((length * width * spp * bps) + 7) / 8;
--
2.7.4

49
meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
View File

@ -1,49 +0,0 @@
From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 11 Jul 2016 21:26:03 +0000
Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack
allocated array on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
(CVE-2016-5321, bugzilla #2558)
CVE: CVE-2016-5321
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 7 +++++++
tools/tiffcrop.c | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index e98d54d..4e0302f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-07-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: Avoid access outside of stack allocated array
+ on a tiled separate TIFF with more than 8 samples per pixel.
+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
+ (CVE-2016-5321, bugzilla #2558)
+
2015-12-27 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d959ae3..6fc8fc1 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
nrow = (row + tl > imagelength) ? imagelength - row : tl;
for (col = 0; col < imagewidth; col += tw)
{
- for (s = 0; s < spp; s++)
+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
{ /* Read each plane of a tile set into srcbuffs[s] */
tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
if (tbytes < 0 && !ignore)
--
2.7.4

107
meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
View File

@ -1,107 +0,0 @@
From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 11 Jul 2016 21:38:31 +0000
Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
CVE: CVE-2016-5323
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 2 +-
tools/tiffcrop.c | 16 ++++++++--------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 4e0302f..62dc1b5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,7 +3,7 @@
* tools/tiffcrop.c: Avoid access outside of stack allocated array
on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
- (CVE-2016-5321, bugzilla #2558)
+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
2016-07-10 Even Rouault <even.rouault at spatialys.com>
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 6fc8fc1..27abc0b 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
matchbits = maskbits << (8 - src_bit - bps);
/* load up next sample from each plane */
- for (s = 0; s < spp; s++)
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
src = in[s] + src_offset + src_byte;
buff1 = ((*src) & matchbits) << (src_bit);
@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
src_bit = bit_offset % 8;
matchbits = maskbits << (16 - src_bit - bps);
- for (s = 0; s < spp; s++)
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
src = in[s] + src_offset + src_byte;
if (little_endian)
@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
src_bit = bit_offset % 8;
matchbits = maskbits << (32 - src_bit - bps);
- for (s = 0; s < spp; s++)
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
src = in[s] + src_offset + src_byte;
if (little_endian)
@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
src_bit = bit_offset % 8;
matchbits = maskbits << (64 - src_bit - bps);
- for (s = 0; s < spp; s++)
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
src = in[s] + src_offset + src_byte;
if (little_endian)
@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
matchbits = maskbits << (8 - src_bit - bps);
/* load up next sample from each plane */
- for (s = 0; s < spp; s++)
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
src = in[s] + src_offset + src_byte;
buff1 = ((*src) & matchbits) << (src_bit);
@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
src_bit = bit_offset % 8;
matchbits = maskbits << (16 - src_bit - bps);
- for (s = 0; s < spp; s++)
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
src = in[s] + src_offset + src_byte;
if (little_endian)
@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
src_bit = bit_offset % 8;
matchbits = maskbits << (32 - src_bit - bps);
- for (s = 0; s < spp; s++)
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
src = in[s] + src_offset + src_byte;
if (little_endian)
@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
src_bit = bit_offset % 8;
matchbits = maskbits << (64 - src_bit - bps);
- for (s = 0; s < spp; s++)
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
src = in[s] + src_offset + src_byte;
if (little_endian)
--
2.7.4

423
meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
View File

@ -1,423 +0,0 @@
From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 31 Oct 2016 17:24:26 +0000
Subject: [PATCH 1/2] Fix CVE-2016-9535
* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
assertions by runtime checks to avoid assertions in debug mode, or buffer
overflows in release mode. Can happen when dealing with unusual tile size
like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
CVE: CVE-2016-9535
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
libtiff/tif_predict.h | 6 +-
2 files changed, 121 insertions(+), 47 deletions(-)
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
index 555f2f9..b829259 100644
--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
@@ -34,18 +34,18 @@
#define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
/* - when storing into the byte stream, we explicitly mask with 0xff so */
/* as to make icc -check=conversions happy (not necessary by the standard) */
-static void
+static int
horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
{
tmsize_t stride = PredictorState(tif)->stride;
unsigned char* cp = (unsigned char*) cp0;
- assert((cc%stride)==0);
+ if((cc%stride)!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
+ "%s", "(cc%stride)!=0");
+ return 0;
+ }
+
if (cc > stride) {
/*
* Pipeline the most common cases.
@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
} while (cc>0);
}
}
+ return 1;
}
-static void
+static int
swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
{
uint16* wp = (uint16*) cp0;
tmsize_t wc = cc / 2;
TIFFSwabArrayOfShort(wp, wc);
- horAcc16(tif, cp0, cc);
+ return horAcc16(tif, cp0, cc);
}
-static void
+static int
horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
{
tmsize_t stride = PredictorState(tif)->stride;
uint16* wp = (uint16*) cp0;
tmsize_t wc = cc / 2;
- assert((cc%(2*stride))==0);
+ if((cc%(2*stride))!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
+ "%s", "cc%(2*stride))!=0");
+ return 0;
+ }
if (wc > stride) {
wc -= stride;
@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
wc -= stride;
} while (wc > 0);
}
+ return 1;
}
-static void
+static int
swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
{
uint32* wp = (uint32*) cp0;
tmsize_t wc = cc / 4;
TIFFSwabArrayOfLong(wp, wc);
- horAcc32(tif, cp0, cc);
+ return horAcc32(tif, cp0, cc);
}
-static void
+static int
horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
{
tmsize_t stride = PredictorState(tif)->stride;
uint32* wp = (uint32*) cp0;
tmsize_t wc = cc / 4;
- assert((cc%(4*stride))==0);
+ if((cc%(4*stride))!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
+ "%s", "cc%(4*stride))!=0");
+ return 0;
+ }
if (wc > stride) {
wc -= stride;
@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
wc -= stride;
} while (wc > 0);
}
+ return 1;
}
/*
* Floating point predictor accumulation routine.
*/
-static void
+static int
fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
{
tmsize_t stride = PredictorState(tif)->stride;
@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
uint8 *cp = (uint8 *) cp0;
uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
- assert((cc%(bps*stride))==0);
+ if(cc%(bps*stride)!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
+ "%s", "cc%(bps*stride))!=0");
+ return 0;
+ }
if (!tmp)
- return;
+ return 0;
while (count > stride) {
REPEAT4(stride, cp[stride] =
@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
}
}
_TIFFfree(tmp);
+ return 1;
}
/*
@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
assert(sp->decodepfunc != NULL);
if ((*sp->decoderow)(tif, op0, occ0, s)) {
- (*sp->decodepfunc)(tif, op0, occ0);
- return 1;
+ return (*sp->decodepfunc)(tif, op0, occ0);
} else
return 0;
}
@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
if ((*sp->decodetile)(tif, op0, occ0, s)) {
tmsize_t rowsize = sp->rowsize;
assert(rowsize > 0);
- assert((occ0%rowsize)==0);
+ if((occ0%rowsize) !=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
+ "%s", "occ0%rowsize != 0");
+ return 0;
+ }
assert(sp->decodepfunc != NULL);
while (occ0 > 0) {
- (*sp->decodepfunc)(tif, op0, rowsize);
+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
+ return 0;
occ0 -= rowsize;
op0 += rowsize;
}
@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
return 0;
}
-static void
+static int
horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
{
TIFFPredictorState* sp = PredictorState(tif);
tmsize_t stride = sp->stride;
unsigned char* cp = (unsigned char*) cp0;
- assert((cc%stride)==0);
+ if((cc%stride)!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
+ "%s", "(cc%stride)!=0");
+ return 0;
+ }
if (cc > stride) {
cc -= stride;
@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
} while ((cc -= stride) > 0);
}
}
+ return 1;
}
-static void
+static int
horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
{
TIFFPredictorState* sp = PredictorState(tif);
@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
uint16 *wp = (uint16*) cp0;
tmsize_t wc = cc/2;
- assert((cc%(2*stride))==0);
+ if((cc%(2*stride))!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
+ "%s", "(cc%(2*stride))!=0");
+ return 0;
+ }
if (wc > stride) {
wc -= stride;
@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
wc -= stride;
} while (wc > 0);
}
+ return 1;
}
-static void
+static int
swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
{
uint16* wp = (uint16*) cp0;
tmsize_t wc = cc / 2;
- horDiff16(tif, cp0, cc);
+ if( !horDiff16(tif, cp0, cc) )
+ return 0;
TIFFSwabArrayOfShort(wp, wc);
+ return 1;
}
-static void
+static int
horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
{
TIFFPredictorState* sp = PredictorState(tif);
@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
uint32 *wp = (uint32*) cp0;
tmsize_t wc = cc/4;
- assert((cc%(4*stride))==0);
+ if((cc%(4*stride))!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
+ "%s", "(cc%(4*stride))!=0");
+ return 0;
+ }
if (wc > stride) {
wc -= stride;
@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
wc -= stride;
} while (wc > 0);
}
+ return 1;
}
-static void
+static int
swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
{
uint32* wp = (uint32*) cp0;
tmsize_t wc = cc / 4;
- horDiff32(tif, cp0, cc);
+ if( !horDiff32(tif, cp0, cc) )
+ return 0;
TIFFSwabArrayOfLong(wp, wc);
+ return 1;
}
/*
* Floating point predictor differencing routine.
*/
-static void
+static int
fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
{
tmsize_t stride = PredictorState(tif)->stride;
@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
uint8 *cp = (uint8 *) cp0;
uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
- assert((cc%(bps*stride))==0);
-
+ if((cc%(bps*stride))!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
+ "%s", "(cc%(bps*stride))!=0");
+ return 0;
+ }
if (!tmp)
- return;
+ return 0;
_TIFFmemcpy(tmp, cp0, cc);
for (count = 0; count < wc; count++) {
@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
cp += cc - stride - 1;
for (count = cc; count > stride; count -= stride)
REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
+ return 1;
}
static int
@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
assert(sp->encoderow != NULL);
/* XXX horizontal differencing alters user's data XXX */
- (*sp->encodepfunc)(tif, bp, cc);
+ if( !(*sp->encodepfunc)(tif, bp, cc) )
+ return 0;
return (*sp->encoderow)(tif, bp, cc, s);
}
@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
rowsize = sp->rowsize;
assert(rowsize > 0);
- assert((cc0%rowsize)==0);
+ if((cc0%rowsize)!=0)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
+ "%s", "(cc0%rowsize)!=0");
+ return 0;
+ }
while (cc > 0) {
(*sp->encodepfunc)(tif, bp, rowsize);
cc -= rowsize;
diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
index 91330cc..9e485a4 100644
--- a/libtiff/tif_predict.h
+++ b/libtiff/tif_predict.h
@@ -30,6 +30,8 @@
* ``Library-private'' Support for the Predictor Tag
*/
+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
+
/*
* Codecs that want to support the Predictor tag must place
* this structure first in their private state block so that
@@ -43,12 +45,12 @@ typedef struct {
TIFFCodeMethod encoderow; /* parent codec encode/decode row */
TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
- TIFFPostMethod encodepfunc; /* horizontal differencer */
+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
TIFFCodeMethod decoderow; /* parent codec encode/decode row */
TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
- TIFFPostMethod decodepfunc; /* horizontal accumulator */
+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
TIFFVGetMethod vgetparent; /* super-class method */
TIFFVSetMethod vsetparent; /* super-class method */
--
2.9.3

67
meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
View File

@ -1,67 +0,0 @@
From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Fri, 4 Nov 2016 09:19:13 +0000
Subject: [PATCH 2/2] Fix CVE-2016-9535
* libtiff/tif_predic.c: fix memory leaks in error code
paths added in previous commit (fix for MSVR 35105)
CVE: CVE-2016-9535
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
libtiff/tif_predict.c | 8 ++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
index b829259..3f42f3b 100644
--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
tmsize_t wc = cc / bps;
tmsize_t count = cc;
uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+ uint8 *tmp;
if(cc%(bps*stride)!=0)
{
@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
return 0;
}
+ tmp = (uint8 *)_TIFFmalloc(cc);
if (!tmp)
return 0;
@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
tmsize_t wc = cc / bps;
tmsize_t count;
uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+ uint8 *tmp;
if((cc%(bps*stride))!=0)
{
@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
"%s", "(cc%(bps*stride))!=0");
return 0;
}
+
+ tmp = (uint8 *)_TIFFmalloc(cc);
if (!tmp)
return 0;
@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
{
TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
"%s", "(cc0%rowsize)!=0");
+ _TIFFfree( working_copy );
return 0;
}
while (cc > 0) {
--
2.9.3

67
meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
View File

@ -1,67 +0,0 @@
From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sat, 8 Oct 2016 15:04:31 +0000
Subject: [PATCH] Fix CVE-2016-9538
* tools/tiffcp.c: fix read of undefined variable in case of
missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
overflow. Probably not a security issue but I can be wrong. Reported as MSVR
35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
CVE: CVE-2016-9538
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
tools/tiffcp.c | 4 ++--
tools/tiffcrop.c | 9 ++++++---
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index ba2b715..4ad74d3 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
static int
tiffcp(TIFF* in, TIFF* out)
{
- uint16 bitspersample, samplesperpixel;
- uint16 input_compression, input_photometric;
+ uint16 bitspersample, samplesperpixel = 1;
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
copyFunc cf;
uint32 width, length;
struct cpTag* p;
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 7685566..eb6de77 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
{
uint8* bufp = buf;
int32 bytes_read = 0;
- uint16 strip, nstrips = TIFFNumberOfStrips(in);
+ uint32 strip, nstrips = TIFFNumberOfStrips(in);
uint32 stripsize = TIFFStripSize(in);
uint32 rows = 0;
uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
uint32 width, uint16 spp,
struct dump_opts *dump)
{
- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+ uint32 j;
int32 bytes_read = 0;
- uint16 bps, nstrips, planar, strips_per_sample;
+ uint16 bps, planar;
+ uint32 nstrips;
+ uint32 strips_per_sample;
uint32 src_rowsize, dst_rowsize, rows_processed, rps;
uint32 rows_this_strip = 0;
tsample_t s;
--
2.9.3

60
meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
View File

@ -1,60 +0,0 @@
From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Fri, 14 Oct 2016 19:13:20 +0000
Subject: [PATCH ] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes
in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
CVE: CVE-2016-9539
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
ChangeLog | 6 ++++++
tools/tiffcrop.c | 11 ++++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
Index: tiff-4.0.6/ChangeLog
===================================================================
--- tiff-4.0.6.orig/ChangeLog 2016-11-28 14:56:32.109283913 +0800
+++ tiff-4.0.6/ChangeLog 2016-11-28 16:36:01.805325534 +0800
@@ -17,6 +17,12 @@
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
+2016-10-14 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+
2016-10-08 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
Index: tiff-4.0.6/tools/tiffcrop.c
===================================================================
--- tiff-4.0.6.orig/tools/tiffcrop.c 2016-11-28 14:56:31.433283908 +0800
+++ tiff-4.0.6/tools/tiffcrop.c 2016-11-28 16:42:13.793328128 +0800
@@ -819,9 +819,18 @@
}
}
- tilebuf = _TIFFmalloc(tile_buffsize);
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if( tile_buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(-1);
+ }
+ tilebuf = _TIFFmalloc(tile_buffsize + 3);
if (tilebuf == 0)
return 0;
+ tilebuf[tile_buffsize] = 0;
+ tilebuf[tile_buffsize+1] = 0;
+ tilebuf[tile_buffsize+2] = 0;
dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;
for (row = 0; row < imagelength; row += tl)

60
meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
View File

@ -1,60 +0,0 @@
From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sat, 8 Oct 2016 15:54:56 +0000
Subject: [PATCH] fix CVE-2016-9540
* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
CVE: CVE-2016-9540
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
ChangeLog | 7 +++++++
tools/tiffcp.c | 4 ++--
2 files changed, 9 insertions(+), 2 deletions(-)
Index: tiff-4.0.4/ChangeLog
===================================================================
--- tiff-4.0.4.orig/ChangeLog 2016-11-24 14:40:43.046867737 +0800
+++ tiff-4.0.4/ChangeLog 2016-11-28 14:38:01.681276171 +0800
@@ -17,6 +17,13 @@
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
+2016-10-08 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
+ tile width vs image width. Reported as MSVR 35103
+ by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
+ Mitigations team.
+
2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
Index: tiff-4.0.4/tools/tiffcp.c
===================================================================
--- tiff-4.0.4.orig/tools/tiffcp.c 2015-06-21 09:09:10.000000000 +0800
+++ tiff-4.0.4/tools/tiffcp.c 2016-11-28 14:41:02.221277430 +0800
@@ -1338,7 +1338,7 @@
uint32 colb = 0;
uint32 col;
- for (col = 0; col < imagewidth; col += tw) {
+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
&& !ignore) {
TIFFError(TIFFFileName(in),
@@ -1523,7 +1523,7 @@
uint32 colb = 0;
uint32 col;
- for (col = 0; col < imagewidth; col += tw) {
+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
/*
* Tile is clipped horizontally. Calculate
* visible portion and skewing factors.

281
meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
View File

@ -1,281 +0,0 @@
From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Fri, 23 Sep 2016 22:12:18 +0000
Subject: [PATCH] Fix several CVE issues
Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537
* tools/tiffcrop.c: fix various out-of-bounds write
vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
out-of-bounds write vulnerabilities in heap allocate buffer in
t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
that could happen in practice outside of the odd behaviour of t2p_seekproc()
of tiff2pdf). The report points that a better fix could be to check the
return value of TIFFFlushData1() in places where it isn't done currently, but
it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
Mitigations team.
CVE: CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, CVE-2016-9537
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
libtiff/tif_write.c | 7 +++++++
tools/tiff2pdf.c | 22 ++++++++++++++++++--
tools/tiffcrop.c | 20 +++++++++++++++++-
4 files changed, 92 insertions(+), 35 deletions(-)
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 1fb8f3b..d1246c3 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -983,17 +983,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2)
a1 = (int32) CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
}
} else {
- ip += n - 1; /* point to last one */
- wp += n - 1; /* point to last one */
- n -= stride;
- while (n > 0) {
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
- n -= stride;
- }
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
+ n -= stride;
+ while (n > 0) {
+ REPEAT(stride,
+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
+ n -= stride;
+ }
}
}
}
@@ -1036,17 +1033,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride,
a1 = CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
}
} else {
- ip += n - 1; /* point to last one */
- wp += n - 1; /* point to last one */
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
- n -= stride;
- }
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
+ n -= stride;
+ }
}
}
}
@@ -1089,18 +1083,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride,
ip += 4;
}
} else {
- wp += n + stride - 1; /* point to last one */
- ip += n + stride - 1; /* point to last one */
- n -= stride;
- while (n > 0) {
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
- n -= stride;
- }
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
- }
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
+ n -= stride;
+ while (n > 0) {
+ REPEAT(stride,
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
+ n -= stride;
+ }
+ }
}
}
diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
index f9a3fc0..d8fa802 100644
--- a/libtiff/tif_write.c
+++ b/libtiff/tif_write.c
@@ -798,7 +798,14 @@ TIFFFlushData1(TIFF* tif)
if (!TIFFAppendToStrip(tif,
isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
tif->tif_rawdata, tif->tif_rawcc))
+ {
+ /* We update those variables even in case of error since there's */
+ /* code that doesn't really check the return code of this */
+ /* function */
+ tif->tif_rawcc = 0;
+ tif->tif_rawcp = tif->tif_rawdata;
return (0);
+ }
tif->tif_rawcc = 0;
tif->tif_rawcp = tif->tif_rawdata;
}
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index dcd5a7e..f8df6b5 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t);
int t2p_process_ojpeg_tables(T2P*, TIFF*);
#endif
#ifdef JPEG_SUPPORT
-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
#endif
void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
void t2p_write_advance_directory(T2P*, TIFF*);
@@ -2408,7 +2408,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
if(!t2p_process_jpeg_strip(
stripbuffer,
&striplength,
- buffer,
+ buffer,
+ t2p->tiff_datasize,
&bufferoffset,
i,
t2p->tiff_length)){
@@ -3439,6 +3440,7 @@ int t2p_process_jpeg_strip(
unsigned char* strip,
tsize_t* striplength,
unsigned char* buffer,
+ tsize_t buffersize,
tsize_t* bufferoffset,
tstrip_t no,
uint32 height){
@@ -3473,6 +3475,8 @@ int t2p_process_jpeg_strip(
}
switch( strip[i] ){
case 0xd8: /* SOI - start of image */
+ if( *bufferoffset + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
*bufferoffset+=2;
break;
@@ -3482,12 +3486,18 @@ int t2p_process_jpeg_strip(
case 0xc9: /* SOF9 */
case 0xca: /* SOF10 */
if(no==0){
+ if( *bufferoffset + datalen + 2 + 6 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ if( *bufferoffset + 9 >= buffersize )
+ return(0);
ncomp = buffer[*bufferoffset+9];
if (ncomp < 1 || ncomp > 4)
return(0);
v_samp=1;
h_samp=1;
+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
+ return(0);
for(j=0;j<ncomp;j++){
uint16 samp = buffer[*bufferoffset+11+(3*j)];
if( (samp>>4) > h_samp)
@@ -3519,20 +3529,28 @@ int t2p_process_jpeg_strip(
break;
case 0xc4: /* DHT */
case 0xdb: /* DQT */
+ if( *bufferoffset + datalen + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
*bufferoffset+=datalen+2;
break;
case 0xda: /* SOS */
if(no==0){
+ if( *bufferoffset + datalen + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
*bufferoffset+=datalen+2;
} else {
+ if( *bufferoffset + 2 > buffersize )
+ return(0);
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=
(unsigned char)(0xd0 | ((no-1)%8));
}
i += datalen + 1;
/* copy remainder of strip */
+ if( *bufferoffset + *striplength - i > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
*bufferoffset+= *striplength - i;
return(1);
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index ebc4aba..7685566 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5758,7 +5758,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
{
uint32 i;
float xres = 0.0, yres = 0.0;
- uint16 nstrips = 0, ntiles = 0, planar = 0;
+ uint32 nstrips = 0, ntiles = 0;
+ uint16 planar = 0;
uint16 bps = 0, spp = 0, res_unit = 0;
uint16 orientation = 0;
uint16 input_compression = 0, input_photometric = 0;
@@ -6066,11 +6067,23 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
/* outside buffer */
if (!read_buff)
+ {
+ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+ }
else
{
if (prev_readsize < buffsize)
+ {
+ if( buffsize > 0xFFFFFFFFU - 3 )
{
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
new_buff = _TIFFrealloc(read_buff, buffsize+3);
if (!new_buff)
{
@@ -8912,6 +8925,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width,
}
bytes_per_pixel = ((bps * spp) + 7) / 8;
+ if( bytes_per_pixel > sizeof(swapbuff) )
+ {
+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
+ return (1);
+ }
switch (bps / 8)
{
case 8: /* Use memcpy for multiple bytes per sample data */
--
2.9.3

23
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb → meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
View File

@ -6,29 +6,10 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
file://CVE-2015-8665_8683.patch \
file://CVE-2015-8781.patch \
file://CVE-2015-8784.patch \
file://CVE-2016-3186.patch \
file://CVE-2016-5321.patch \
file://CVE-2016-5323.patch \
file://CVE-2016-3945.patch \
file://CVE-2016-3990.patch \
file://CVE-2016-3991.patch \
file://CVE-2016-3623.patch \
file://CVE-2016-3622.patch \
file://CVE-2016-3658.patch \
file://CVE-2016-3632.patch \
file://CVE-2016-9540.patch \
file://CVE-2016-9539.patch \
file://CVE-2016-9535-1.patch \
file://CVE-2016-9535-2.patch \
file://CVE-2016-9538.patch \
file://Fix_several_CVE_issues.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
SRC_URI[sha256sum] = "4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c"
SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
SRC_URI[sha256sum] = "9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019"
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"