libtiff: Update to 4.0.7
Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos. CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632 plus more that are not identified in the changelog. removed patches integrated into update. more info: http://libtiff.maptools.org/v4.0.7.html (From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
840ea755f2
commit
a63b53841b
|
@ -1,137 +0,0 @@
|
|||
From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sat, 26 Dec 2015 17:32:03 +0000
|
||||
Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
|
||||
TIFFRGBAImage interface in case of unsupported values of
|
||||
SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
|
||||
TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
|
||||
limingxing and CVE-2015-8683 reported by zzf of Alibaba.
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2015-8665
|
||||
CVE: CVE-2015-8683
|
||||
https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
|
||||
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
ChangeLog | 8 ++++++++
|
||||
libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
|
||||
2 files changed, 30 insertions(+), 13 deletions(-)
|
||||
|
||||
Index: tiff-4.0.6/libtiff/tif_getimage.c
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/libtiff/tif_getimage.c
|
||||
+++ tiff-4.0.6/libtiff/tif_getimage.c
|
||||
@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
|
||||
"Planarconfiguration", td->td_planarconfig);
|
||||
return (0);
|
||||
}
|
||||
- if( td->td_samplesperpixel != 3 )
|
||||
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
|
||||
{
|
||||
sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d",
|
||||
- "Samples/pixel", td->td_samplesperpixel);
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels);
|
||||
return 0;
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
|
||||
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
|
||||
{
|
||||
sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d and %s=%d",
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
|
||||
"Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels,
|
||||
"Bits/sample", td->td_bitspersample);
|
||||
return 0;
|
||||
}
|
||||
@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
|
||||
int colorchannels;
|
||||
uint16 *red_orig, *green_orig, *blue_orig;
|
||||
int n_color;
|
||||
+
|
||||
+ if( !TIFFRGBAImageOK(tif, emsg) )
|
||||
+ return 0;
|
||||
|
||||
/* Initialize to normal values */
|
||||
img->row_offset = 0;
|
||||
@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
|
||||
case PHOTOMETRIC_RGB:
|
||||
switch (img->bitspersample) {
|
||||
case 8:
|
||||
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
|
||||
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
|
||||
+ img->samplesperpixel >= 4)
|
||||
img->put.contig = putRGBAAcontig8bittile;
|
||||
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
|
||||
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
|
||||
+ img->samplesperpixel >= 4)
|
||||
{
|
||||
if (BuildMapUaToAa(img))
|
||||
img->put.contig = putRGBUAcontig8bittile;
|
||||
}
|
||||
- else
|
||||
+ else if( img->samplesperpixel >= 3 )
|
||||
img->put.contig = putRGBcontig8bittile;
|
||||
break;
|
||||
case 16:
|
||||
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
|
||||
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
|
||||
+ img->samplesperpixel >=4 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img))
|
||||
img->put.contig = putRGBAAcontig16bittile;
|
||||
}
|
||||
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
|
||||
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
|
||||
+ img->samplesperpixel >=4 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img) &&
|
||||
BuildMapUaToAa(img))
|
||||
img->put.contig = putRGBUAcontig16bittile;
|
||||
}
|
||||
- else
|
||||
+ else if( img->samplesperpixel >=3 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img))
|
||||
img->put.contig = putRGBcontig16bittile;
|
||||
@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_SEPARATED:
|
||||
- if (buildMap(img)) {
|
||||
+ if (img->samplesperpixel >=4 && buildMap(img)) {
|
||||
if (img->bitspersample == 8) {
|
||||
if (!img->Map)
|
||||
img->put.contig = putRGBcontig8bitCMYKtile;
|
||||
@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
- if (buildMap(img)) {
|
||||
+ if (img->samplesperpixel == 3 && buildMap(img)) {
|
||||
if (img->bitspersample == 8)
|
||||
img->put.contig = initCIELabConversion(img);
|
||||
break;
|
||||
Index: tiff-4.0.6/ChangeLog
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/ChangeLog
|
||||
+++ tiff-4.0.6/ChangeLog
|
||||
@@ -1,3 +1,11 @@
|
||||
+2015-12-26 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
|
||||
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
|
||||
+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
|
||||
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
|
||||
+ CVE-2015-8683 reported by zzf of Alibaba.
|
||||
+
|
||||
2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||
|
||||
* libtiff 4.0.6 released.
|
|
@ -1,195 +0,0 @@
|
|||
From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sun, 27 Dec 2015 16:25:11 +0000
|
||||
Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
|
||||
decode functions in non debug builds by replacing assert()s by regular if
|
||||
checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
|
||||
input data.
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
|
||||
hand applied Changelog changes
|
||||
|
||||
CVE: CVE-2015-8781
|
||||
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
---
|
||||
ChangeLog | 7 +++++++
|
||||
libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
|
||||
2 files changed, 51 insertions(+), 11 deletions(-)
|
||||
|
||||
Index: tiff-4.0.4/ChangeLog
|
||||
===================================================================
|
||||
--- tiff-4.0.4.orig/ChangeLog
|
||||
+++ tiff-4.0.4/ChangeLog
|
||||
@@ -1,3 +1,10 @@
|
||||
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
|
||||
+ functions in non debug builds by replacing assert()s by regular if
|
||||
+ checks (bugzilla #2522).
|
||||
+ Fix potential out-of-bound reads in case of short input data.
|
||||
+
|
||||
2015-12-26 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
|
||||
Index: tiff-4.0.4/libtiff/tif_luv.c
|
||||
===================================================================
|
||||
--- tiff-4.0.4.orig/libtiff/tif_luv.c
|
||||
+++ tiff-4.0.4/libtiff/tif_luv.c
|
||||
@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
|
||||
tp = (int16*) op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (int16*) sp->tbuf;
|
||||
}
|
||||
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
|
||||
@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
|
||||
cc = tif->tif_rawcc;
|
||||
/* get each byte string */
|
||||
for (shft = 2*8; (shft -= 8) >= 0; ) {
|
||||
- for (i = 0; i < npixels && cc > 0; )
|
||||
+ for (i = 0; i < npixels && cc > 0; ) {
|
||||
if (*bp >= 128) { /* run */
|
||||
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
|
||||
+ if( cc < 2 )
|
||||
+ break;
|
||||
+ rc = *bp++ + (2-128);
|
||||
b = (int16)(*bp++ << shft);
|
||||
cc -= 2;
|
||||
while (rc-- && i < npixels)
|
||||
@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
|
||||
while (--cc && rc-- && i < npixels)
|
||||
tp[i++] |= (int16)*bp++ << shft;
|
||||
}
|
||||
+ }
|
||||
if (i != npixels) {
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
|
||||
tp = (uint32 *)op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (uint32 *) sp->tbuf;
|
||||
}
|
||||
/* copy to array of uint32 */
|
||||
bp = (unsigned char*) tif->tif_rawcp;
|
||||
cc = tif->tif_rawcc;
|
||||
- for (i = 0; i < npixels && cc > 0; i++) {
|
||||
+ for (i = 0; i < npixels && cc >= 3; i++) {
|
||||
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
|
||||
bp += 3;
|
||||
cc -= 3;
|
||||
@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
|
||||
tp = (uint32*) op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (uint32*) sp->tbuf;
|
||||
}
|
||||
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
|
||||
@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
|
||||
cc = tif->tif_rawcc;
|
||||
/* get each byte string */
|
||||
for (shft = 4*8; (shft -= 8) >= 0; ) {
|
||||
- for (i = 0; i < npixels && cc > 0; )
|
||||
+ for (i = 0; i < npixels && cc > 0; ) {
|
||||
if (*bp >= 128) { /* run */
|
||||
+ if( cc < 2 )
|
||||
+ break;
|
||||
rc = *bp++ + (2-128);
|
||||
b = (uint32)*bp++ << shft;
|
||||
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
|
||||
+ cc -= 2;
|
||||
while (rc-- && i < npixels)
|
||||
tp[i++] |= b;
|
||||
} else { /* non-run */
|
||||
@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
|
||||
while (--cc && rc-- && i < npixels)
|
||||
tp[i++] |= (uint32)*bp++ << shft;
|
||||
}
|
||||
+ }
|
||||
if (i != npixels) {
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
|
||||
static int
|
||||
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogL16Encode";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
int shft;
|
||||
tmsize_t i;
|
||||
@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
|
||||
tp = (int16*) bp;
|
||||
else {
|
||||
tp = (int16*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* compress each byte string */
|
||||
@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
|
||||
static int
|
||||
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogLuvEncode24";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
tmsize_t i;
|
||||
tmsize_t npixels;
|
||||
@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
|
||||
tp = (uint32*) bp;
|
||||
else {
|
||||
tp = (uint32*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* write out encoded pixels */
|
||||
@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
|
||||
static int
|
||||
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogLuvEncode32";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
int shft;
|
||||
tmsize_t i;
|
||||
@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
|
||||
tp = (uint32*) bp;
|
||||
else {
|
||||
tp = (uint32*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* compress each byte string */
|
|
@ -1,73 +0,0 @@
|
|||
From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sun, 27 Dec 2015 16:55:20 +0000
|
||||
Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
|
||||
NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
|
||||
(bugzilla #2508)
|
||||
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
|
||||
hand applied Changelog changes
|
||||
|
||||
CVE: CVE-2015-8784
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
ChangeLog | 6 ++++++
|
||||
libtiff/tif_next.c | 10 ++++++++--
|
||||
2 files changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: tiff-4.0.4/ChangeLog
|
||||
===================================================================
|
||||
--- tiff-4.0.4.orig/ChangeLog
|
||||
+++ tiff-4.0.4/ChangeLog
|
||||
@@ -1,5 +1,11 @@
|
||||
2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
|
||||
+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
|
||||
+ (bugzilla #2508)
|
||||
+
|
||||
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
|
||||
functions in non debug builds by replacing assert()s by regular if
|
||||
checks (bugzilla #2522).
|
||||
Index: tiff-4.0.4/libtiff/tif_next.c
|
||||
===================================================================
|
||||
--- tiff-4.0.4.orig/libtiff/tif_next.c
|
||||
+++ tiff-4.0.4/libtiff/tif_next.c
|
||||
@@ -37,7 +37,7 @@
|
||||
case 0: op[0] = (unsigned char) ((v) << 6); break; \
|
||||
case 1: op[0] |= (v) << 4; break; \
|
||||
case 2: op[0] |= (v) << 2; break; \
|
||||
- case 3: *op++ |= (v); break; \
|
||||
+ case 3: *op++ |= (v); op_offset++; break; \
|
||||
} \
|
||||
}
|
||||
|
||||
@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
|
||||
uint32 imagewidth = tif->tif_dir.td_imagewidth;
|
||||
if( isTiled(tif) )
|
||||
imagewidth = tif->tif_dir.td_tilewidth;
|
||||
+ tmsize_t op_offset = 0;
|
||||
|
||||
/*
|
||||
* The scanline is composed of a sequence of constant
|
||||
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
|
||||
* bounds, potentially resulting in a security
|
||||
* issue.
|
||||
*/
|
||||
- while (n-- > 0 && npixels < imagewidth)
|
||||
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
|
||||
SETPIXEL(op, grey);
|
||||
if (npixels >= imagewidth)
|
||||
break;
|
||||
+ if (op_offset >= scanline ) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
|
||||
+ (long) tif->tif_row);
|
||||
+ return (0);
|
||||
+ }
|
||||
if (cc == 0)
|
||||
goto bad;
|
||||
n = *bp++, cc--;
|
|
@ -1,24 +0,0 @@
|
|||
Buffer overflow in the readextension function in gif2tiff.c
|
||||
allows remote attackers to cause a denial of service via a crafted GIF file.
|
||||
|
||||
External References:
|
||||
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1319503
|
||||
|
||||
CVE: CVE-2016-3186
|
||||
Upstream-Status: Backport (RedHat)
|
||||
https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
|
||||
--- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200
|
||||
+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200
|
||||
@@ -349,7 +349,7 @@
|
||||
int status = 1;
|
||||
|
||||
(void) getc(infile);
|
||||
- while ((count = getc(infile)) && count <= 255)
|
||||
+ while ((count = getc(infile)) && count >= 0 && count <= 255)
|
||||
if (fread(buf, 1, count, infile) != (size_t) count) {
|
||||
fprintf(stderr, "short read from file %s (%s)\n",
|
||||
filename, strerror(errno));
|
|
@ -1,129 +0,0 @@
|
|||
From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
|
||||
From: bfriesen <bfriesen>
|
||||
Date: Sat, 24 Sep 2016 23:11:55 +0000
|
||||
Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
|
||||
to read floating point images.
|
||||
|
||||
* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
|
||||
requirements of floating point predictor (3). Fixes CVE-2016-3622
|
||||
"Divide By Zero in the tiff2rgba tool."
|
||||
|
||||
CVE: CVE-2016-3622
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
ChangeLog | 11 ++++++++++-
|
||||
libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
|
||||
libtiff/tif_predict.c | 11 ++++++++++-
|
||||
3 files changed, 40 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 26d6f47..a628277 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,12 @@
|
||||
+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||
+
|
||||
+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
|
||||
+ read floating point images.
|
||||
+
|
||||
+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
|
||||
+ requirements of floating point predictor (3). Fixes CVE-2016-3622
|
||||
+ "Divide By Zero in the tiff2rgba tool."
|
||||
+
|
||||
2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index 386cee0..3e689ee 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
|
||||
td->td_bitspersample);
|
||||
return (0);
|
||||
}
|
||||
+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
|
||||
+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
|
||||
+ return (0);
|
||||
+ }
|
||||
colorchannels = td->td_samplesperpixel - td->td_extrasamples;
|
||||
if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
|
||||
switch (colorchannels) {
|
||||
@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
|
||||
"Planarconfiguration", td->td_planarconfig);
|
||||
return (0);
|
||||
}
|
||||
- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
|
||||
- {
|
||||
- sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d, %s=%d",
|
||||
- "Samples/pixel", td->td_samplesperpixel,
|
||||
- "colorchannels", colorchannels);
|
||||
- return 0;
|
||||
- }
|
||||
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
|
||||
+ sprintf(emsg,
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels);
|
||||
+ return 0;
|
||||
+ }
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
|
||||
- {
|
||||
- sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
|
||||
- "Samples/pixel", td->td_samplesperpixel,
|
||||
- "colorchannels", colorchannels,
|
||||
- "Bits/sample", td->td_bitspersample);
|
||||
- return 0;
|
||||
- }
|
||||
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
|
||||
+ sprintf(emsg,
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels,
|
||||
+ "Bits/sample", td->td_bitspersample);
|
||||
+ return 0;
|
||||
+ }
|
||||
break;
|
||||
- default:
|
||||
+ default:
|
||||
sprintf(emsg, "Sorry, can not handle image with %s=%d",
|
||||
photoTag, photometric);
|
||||
return (0);
|
||||
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
|
||||
index 081eb11..555f2f9 100644
|
||||
--- a/libtiff/tif_predict.c
|
||||
+++ b/libtiff/tif_predict.c
|
||||
@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
|
||||
td->td_sampleformat);
|
||||
return 0;
|
||||
}
|
||||
+ if (td->td_bitspersample != 16
|
||||
+ && td->td_bitspersample != 24
|
||||
+ && td->td_bitspersample != 32
|
||||
+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Floating point \"Predictor\" not supported with %d-bit samples",
|
||||
+ td->td_bitspersample);
|
||||
+ return 0;
|
||||
+ }
|
||||
break;
|
||||
default:
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
|
||||
}
|
||||
/*
|
||||
* Allocate buffer to keep the decoded bytes before
|
||||
- * rearranging in the ight order
|
||||
+ * rearranging in the right order
|
||||
*/
|
||||
}
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Mon, 15 Aug 2016 21:26:56 +0000
|
||||
Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
|
||||
to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
|
||||
|
||||
CVE: CVE-2016-3623
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
ChangeLog | 5 +++++
|
||||
tools/rgb2ycbcr.c | 4 ++++
|
||||
2 files changed, 9 insertions(+)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 5d60608..3e6642a 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,5 +1,10 @@
|
||||
2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
|
||||
+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
|
||||
+
|
||||
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
* tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
|
||||
From patch libtiff-CVE-2016-3991.patch from
|
||||
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
|
||||
diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
|
||||
index 3829d6b..51f4259 100644
|
||||
--- a/tools/rgb2ycbcr.c
|
||||
+++ b/tools/rgb2ycbcr.c
|
||||
@@ -95,9 +95,13 @@ main(int argc, char* argv[])
|
||||
break;
|
||||
case 'h':
|
||||
horizSubSampling = atoi(optarg);
|
||||
+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
|
||||
+ usage(-1);
|
||||
break;
|
||||
case 'v':
|
||||
vertSubSampling = atoi(optarg);
|
||||
+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
|
||||
+ usage(-1);
|
||||
break;
|
||||
case 'r':
|
||||
rowsperstrip = atoi(optarg);
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
||||
Date: Mon, 11 Jul 2016 16:04:34 +0200
|
||||
Subject: [PATCH 4/8] Fix CVE-2016-3632
|
||||
|
||||
CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
|
||||
LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service
|
||||
(out-of-bounds write) or execute arbitrary code via a crafted TIFF image.
|
||||
|
||||
CVE: CVE-2016-3632
|
||||
Upstream-Status: Backport [RedHat RHEL7]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
tools/thumbnail.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
|
||||
index fd1cba5..75e7009 100644
|
||||
--- a/tools/thumbnail.c
|
||||
+++ b/tools/thumbnail.c
|
||||
@@ -253,7 +253,8 @@ static struct cpTag {
|
||||
{ TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL },
|
||||
{ TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL },
|
||||
{ TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT },
|
||||
- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
|
||||
+ // disable BADFAXLINES, CVE-2016-3632
|
||||
+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
|
||||
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
|
||||
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
|
||||
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,111 +0,0 @@
|
|||
From: 45c68450bef8ad876f310b495165c513cad8b67d
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
|
||||
* libtiff/tif_dir.c: discard values of SMinSampleValue and
|
||||
SMaxSampleValue when they have been read and the value of
|
||||
SamplesPerPixel is changed afterwards (like when reading a
|
||||
OJPEG compressed image with a missing SamplesPerPixel tag,
|
||||
and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
|
||||
being 3). Otherwise when rewriting the directory (for example
|
||||
with tiffset, we will expect 3 values whereas the array had been
|
||||
allocated with just one), thus causing a out of bound read access.
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
(CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
|
||||
* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
|
||||
when writing directory, if FIELD_STRIPOFFSETS was artificially set
|
||||
for a hack case in OJPEG case.
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
(CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
|
||||
CVE: CVE-2016-3658
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
|
||||
|
||||
Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
|
||||
|
||||
Index: tiff-4.0.6/ChangeLog
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
|
||||
+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
|
||||
@@ -1,3 +1,22 @@
|
||||
+2016-10-25 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
|
||||
+ SMaxSampleValue when they have been read and the value of
|
||||
+ SamplesPerPixel is changed afterwards (like when reading a
|
||||
+ OJPEG compressed image with a missing SamplesPerPixel tag,
|
||||
+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
|
||||
+ being 3). Otherwise when rewriting the directory (for example
|
||||
+ with tiffset, we will expect 3 values whereas the array had been
|
||||
+ allocated with just one), thus causing a out of bound read access.
|
||||
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
+ (CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
+
|
||||
+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
|
||||
+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
|
||||
+ for a hack case in OJPEG case.
|
||||
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
+ (CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
+
|
||||
2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||
|
||||
* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
|
||||
Index: tiff-4.0.6/libtiff/tif_dir.c
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
|
||||
+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
|
||||
@@ -254,6 +254,28 @@
|
||||
v = (uint16) va_arg(ap, uint16_vap);
|
||||
if (v == 0)
|
||||
goto badvalue;
|
||||
+ if( v != td->td_samplesperpixel )
|
||||
+ {
|
||||
+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
|
||||
+ if( td->td_sminsamplevalue != NULL )
|
||||
+ {
|
||||
+ TIFFWarningExt(tif->tif_clientdata,module,
|
||||
+ "SamplesPerPixel tag value is changing, "
|
||||
+ "but SMinSampleValue tag was read with a different value. Cancelling it");
|
||||
+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
|
||||
+ _TIFFfree(td->td_sminsamplevalue);
|
||||
+ td->td_sminsamplevalue = NULL;
|
||||
+ }
|
||||
+ if( td->td_smaxsamplevalue != NULL )
|
||||
+ {
|
||||
+ TIFFWarningExt(tif->tif_clientdata,module,
|
||||
+ "SamplesPerPixel tag value is changing, "
|
||||
+ "but SMaxSampleValue tag was read with a different value. Cancelling it");
|
||||
+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
|
||||
+ _TIFFfree(td->td_smaxsamplevalue);
|
||||
+ td->td_smaxsamplevalue = NULL;
|
||||
+ }
|
||||
+ }
|
||||
td->td_samplesperpixel = (uint16) v;
|
||||
break;
|
||||
case TIFFTAG_ROWSPERSTRIP:
|
||||
Index: tiff-4.0.6/libtiff/tif_dirwrite.c
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
|
||||
+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
|
||||
@@ -542,7 +542,19 @@
|
||||
{
|
||||
if (!isTiled(tif))
|
||||
{
|
||||
- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
|
||||
+ /* td_stripoffset might be NULL in an odd OJPEG case. See
|
||||
+ * tif_dirread.c around line 3634.
|
||||
+ * XXX: OJPEG hack.
|
||||
+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
|
||||
+ * and c) the number of strips is 1,
|
||||
+ * then we tolerate the absence of stripoffsets tag,
|
||||
+ * because, presumably, all required data is in the
|
||||
+ * JpegInterchangeFormat stream.
|
||||
+ * We can get here when using tiffset on such a file.
|
||||
+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
+ */
|
||||
+ if (tif->tif_dir.td_stripoffset != NULL &&
|
||||
+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
|
||||
goto bad;
|
||||
}
|
||||
else
|
|
@ -1,118 +0,0 @@
|
|||
From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Mon, 15 Aug 2016 20:06:40 +0000
|
||||
Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
|
||||
allocated buffer, when -b mode is enabled, that could result in out-of-bounds
|
||||
write. Based initially on patch tiff-CVE-2016-3945.patch from
|
||||
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
|
||||
tests that rejected valid files.
|
||||
|
||||
CVE: CVE-2016-3945
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
ChangeLog | 8 ++++++++
|
||||
tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
|
||||
2 files changed, 38 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 62dc1b5..9c0ab29 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,11 @@
|
||||
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
|
||||
+ buffer, when -b mode is enabled, that could result in out-of-bounds
|
||||
+ write. Based initially on patch tiff-CVE-2016-3945.patch from
|
||||
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
|
||||
+ invalid tests that rejected valid files.
|
||||
+
|
||||
2016-07-11 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* tools/tiffcrop.c: Avoid access outside of stack allocated array
|
||||
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
|
||||
index b7a81eb..16e3dc4 100644
|
||||
--- a/tools/tiff2rgba.c
|
||||
+++ b/tools/tiff2rgba.c
|
||||
@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
|
||||
uint32 row, col;
|
||||
uint32 *wrk_line;
|
||||
int ok = 1;
|
||||
+ uint32 rastersize, wrk_linesize;
|
||||
|
||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
||||
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
||||
@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
|
||||
/*
|
||||
* Allocate tile buffer
|
||||
*/
|
||||
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
|
||||
+ rastersize = tile_width * tile_height * sizeof (uint32);
|
||||
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ raster = (uint32*)_TIFFmalloc(rastersize);
|
||||
if (raster == 0) {
|
||||
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
||||
return (0);
|
||||
@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
|
||||
* Allocate a scanline buffer for swapping during the vertical
|
||||
* mirroring pass.
|
||||
*/
|
||||
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
|
||||
+ wrk_linesize = tile_width * sizeof (uint32);
|
||||
+ if (tile_width != wrk_linesize / sizeof (uint32))
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
|
||||
if (!wrk_line) {
|
||||
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
|
||||
ok = 0;
|
||||
@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
|
||||
uint32 row;
|
||||
uint32 *wrk_line;
|
||||
int ok = 1;
|
||||
+ uint32 rastersize, wrk_linesize;
|
||||
|
||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
||||
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
||||
@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
|
||||
/*
|
||||
* Allocate strip buffer
|
||||
*/
|
||||
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
|
||||
+ rastersize = width * rowsperstrip * sizeof (uint32);
|
||||
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ raster = (uint32*)_TIFFmalloc(rastersize);
|
||||
if (raster == 0) {
|
||||
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
||||
return (0);
|
||||
@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
|
||||
* Allocate a scanline buffer for swapping during the vertical
|
||||
* mirroring pass.
|
||||
*/
|
||||
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
|
||||
+ wrk_linesize = width * sizeof (uint32);
|
||||
+ if (width != wrk_linesize / sizeof (uint32))
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
|
||||
if (!wrk_line) {
|
||||
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
|
||||
ok = 0;
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,66 +0,0 @@
|
|||
From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Mon, 15 Aug 2016 20:49:48 +0000
|
||||
Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
|
||||
PixarLogEncode if more input samples are provided than expected by
|
||||
PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
|
||||
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
|
||||
simpler check. (bugzilla #2544)
|
||||
|
||||
invalid tests that rejected valid files. (bugzilla #2545)
|
||||
|
||||
CVE: CVE-2016-3990
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
ChangeLog | 10 +++++++++-
|
||||
libtiff/tif_pixarlog.c | 7 +++++++
|
||||
2 files changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 9c0ab29..db4ea18 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,10 +1,18 @@
|
||||
2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
|
||||
+ if more input samples are provided than expected by PixarLogSetupEncode.
|
||||
+ Idea based on libtiff-CVE-2016-3990.patch from
|
||||
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
|
||||
+ simpler check. (bugzilla #2544)
|
||||
+
|
||||
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
* tools/tiff2rgba.c: Fix integer overflow in size of allocated
|
||||
buffer, when -b mode is enabled, that could result in out-of-bounds
|
||||
write. Based initially on patch tiff-CVE-2016-3945.patch from
|
||||
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
|
||||
- invalid tests that rejected valid files.
|
||||
+ invalid tests that rejected valid files. (bugzilla #2545)
|
||||
|
||||
2016-07-11 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
|
||||
index e78f788..28329d1 100644
|
||||
--- a/libtiff/tif_pixarlog.c
|
||||
+++ b/libtiff/tif_pixarlog.c
|
||||
@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
}
|
||||
|
||||
llen = sp->stride * td->td_imagewidth;
|
||||
+ /* Check against the number of elements (of size uint16) of sp->tbuf */
|
||||
+ if( n > td->td_rowsperstrip * llen )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Too many input bytes provided");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
|
||||
switch (sp->user_datafmt) {
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,147 +0,0 @@
|
|||
From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Mon, 15 Aug 2016 21:05:40 +0000
|
||||
Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
|
||||
loadImage(). From patch libtiff-CVE-2016-3991.patch from
|
||||
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
|
||||
|
||||
CVE: CVE-2016-3991
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
ChangeLog | 6 ++++++
|
||||
tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
|
||||
2 files changed, 62 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index db4ea18..5d60608 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,5 +1,11 @@
|
||||
2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
|
||||
+ From patch libtiff-CVE-2016-3991.patch from
|
||||
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
|
||||
+
|
||||
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
* libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
|
||||
if more input samples are provided than expected by PixarLogSetupEncode.
|
||||
Idea based on libtiff-CVE-2016-3990.patch from
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 27abc0b..ddba7b9 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
|
||||
}
|
||||
|
||||
tile_buffsize = tilesize;
|
||||
+ if (tilesize == 0 || tile_rowsize == 0)
|
||||
+ {
|
||||
+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
|
||||
if (tilesize < (tsize_t)(tl * tile_rowsize))
|
||||
{
|
||||
@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
|
||||
tilesize, tl * tile_rowsize);
|
||||
#endif
|
||||
tile_buffsize = tl * tile_rowsize;
|
||||
- }
|
||||
+ if (tl != (tile_buffsize / tile_rowsize))
|
||||
+ {
|
||||
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
tilebuf = _TIFFmalloc(tile_buffsize);
|
||||
if (tilebuf == 0)
|
||||
@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
|
||||
!TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
|
||||
return 1;
|
||||
|
||||
+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
|
||||
+ {
|
||||
+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+
|
||||
tile_buffsize = tilesize;
|
||||
if (tilesize < (tsize_t)(tl * tile_rowsize))
|
||||
{
|
||||
@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
|
||||
tilesize, tl * tile_rowsize);
|
||||
#endif
|
||||
tile_buffsize = tl * tile_rowsize;
|
||||
+ if (tl != tile_buffsize / tile_rowsize)
|
||||
+ {
|
||||
+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
}
|
||||
|
||||
tilebuf = _TIFFmalloc(tile_buffsize);
|
||||
@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
|
||||
TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
|
||||
|
||||
tile_rowsize = TIFFTileRowSize(in);
|
||||
+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
|
||||
+ {
|
||||
+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
buffsize = tlsize * ntiles;
|
||||
+ if (tlsize != (buffsize / ntiles))
|
||||
+ {
|
||||
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
|
||||
-
|
||||
if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
|
||||
{
|
||||
buffsize = ntiles * tl * tile_rowsize;
|
||||
+ if (ntiles != (buffsize / tl / tile_rowsize))
|
||||
+ {
|
||||
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+
|
||||
#ifdef DEBUG2
|
||||
TIFFError("loadImage",
|
||||
"Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
|
||||
@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
|
||||
TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
|
||||
stsize = TIFFStripSize(in);
|
||||
nstrips = TIFFNumberOfStrips(in);
|
||||
+ if (nstrips == 0 || stsize == 0)
|
||||
+ {
|
||||
+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+
|
||||
buffsize = stsize * nstrips;
|
||||
-
|
||||
+ if (stsize != (buffsize / nstrips))
|
||||
+ {
|
||||
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ uint32 buffsize_check;
|
||||
+ buffsize_check = ((length * width * spp * bps) + 7);
|
||||
+ if (length != ((buffsize_check - 7) / width / spp / bps))
|
||||
+ {
|
||||
+ TIFFError("loadImage", "Integer overflow detected.");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
|
||||
{
|
||||
buffsize = ((length * width * spp * bps) + 7) / 8;
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Mon, 11 Jul 2016 21:26:03 +0000
|
||||
Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack
|
||||
allocated array on a tiled separate TIFF with more than 8 samples per pixel.
|
||||
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
|
||||
(CVE-2016-5321, bugzilla #2558)
|
||||
|
||||
CVE: CVE-2016-5321
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
ChangeLog | 7 +++++++
|
||||
tools/tiffcrop.c | 2 +-
|
||||
2 files changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index e98d54d..4e0302f 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,10 @@
|
||||
+2016-07-11 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * tools/tiffcrop.c: Avoid access outside of stack allocated array
|
||||
+ on a tiled separate TIFF with more than 8 samples per pixel.
|
||||
+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
|
||||
+ (CVE-2016-5321, bugzilla #2558)
|
||||
+
|
||||
2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index d959ae3..6fc8fc1 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
|
||||
nrow = (row + tl > imagelength) ? imagelength - row : tl;
|
||||
for (col = 0; col < imagewidth; col += tw)
|
||||
{
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
|
||||
{ /* Read each plane of a tile set into srcbuffs[s] */
|
||||
tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
|
||||
if (tbytes < 0 && !ignore)
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,107 +0,0 @@
|
|||
From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Mon, 11 Jul 2016 21:38:31 +0000
|
||||
Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
|
||||
|
||||
CVE: CVE-2016-5323
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
ChangeLog | 2 +-
|
||||
tools/tiffcrop.c | 16 ++++++++--------
|
||||
2 files changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 4e0302f..62dc1b5 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -3,7 +3,7 @@
|
||||
* tools/tiffcrop.c: Avoid access outside of stack allocated array
|
||||
on a tiled separate TIFF with more than 8 samples per pixel.
|
||||
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
|
||||
- (CVE-2016-5321, bugzilla #2558)
|
||||
+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
|
||||
|
||||
2016-07-10 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 6fc8fc1..27abc0b 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
|
||||
|
||||
matchbits = maskbits << (8 - src_bit - bps);
|
||||
/* load up next sample from each plane */
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
||||
{
|
||||
src = in[s] + src_offset + src_byte;
|
||||
buff1 = ((*src) & matchbits) << (src_bit);
|
||||
@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
|
||||
src_bit = bit_offset % 8;
|
||||
|
||||
matchbits = maskbits << (16 - src_bit - bps);
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
||||
{
|
||||
src = in[s] + src_offset + src_byte;
|
||||
if (little_endian)
|
||||
@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
|
||||
src_bit = bit_offset % 8;
|
||||
|
||||
matchbits = maskbits << (32 - src_bit - bps);
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
||||
{
|
||||
src = in[s] + src_offset + src_byte;
|
||||
if (little_endian)
|
||||
@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
|
||||
src_bit = bit_offset % 8;
|
||||
|
||||
matchbits = maskbits << (64 - src_bit - bps);
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
||||
{
|
||||
src = in[s] + src_offset + src_byte;
|
||||
if (little_endian)
|
||||
@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
|
||||
|
||||
matchbits = maskbits << (8 - src_bit - bps);
|
||||
/* load up next sample from each plane */
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
||||
{
|
||||
src = in[s] + src_offset + src_byte;
|
||||
buff1 = ((*src) & matchbits) << (src_bit);
|
||||
@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
|
||||
src_bit = bit_offset % 8;
|
||||
|
||||
matchbits = maskbits << (16 - src_bit - bps);
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
||||
{
|
||||
src = in[s] + src_offset + src_byte;
|
||||
if (little_endian)
|
||||
@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
|
||||
src_bit = bit_offset % 8;
|
||||
|
||||
matchbits = maskbits << (32 - src_bit - bps);
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
||||
{
|
||||
src = in[s] + src_offset + src_byte;
|
||||
if (little_endian)
|
||||
@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
|
||||
src_bit = bit_offset % 8;
|
||||
|
||||
matchbits = maskbits << (64 - src_bit - bps);
|
||||
- for (s = 0; s < spp; s++)
|
||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
||||
{
|
||||
src = in[s] + src_offset + src_byte;
|
||||
if (little_endian)
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,423 +0,0 @@
|
|||
From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Mon, 31 Oct 2016 17:24:26 +0000
|
||||
Subject: [PATCH 1/2] Fix CVE-2016-9535
|
||||
|
||||
* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
|
||||
assertions by runtime checks to avoid assertions in debug mode, or buffer
|
||||
overflows in release mode. Can happen when dealing with unusual tile size
|
||||
like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
|
||||
Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
|
||||
|
||||
CVE: CVE-2016-9535
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
|
||||
|
||||
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
|
||||
|
||||
---
|
||||
libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
|
||||
libtiff/tif_predict.h | 6 +-
|
||||
2 files changed, 121 insertions(+), 47 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
|
||||
index 555f2f9..b829259 100644
|
||||
--- a/libtiff/tif_predict.c
|
||||
+++ b/libtiff/tif_predict.c
|
||||
@@ -34,18 +34,18 @@
|
||||
|
||||
#define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
|
||||
|
||||
-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
|
||||
static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
|
||||
static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
|
||||
static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
|
||||
@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
|
||||
/* - when storing into the byte stream, we explicitly mask with 0xff so */
|
||||
/* as to make icc -check=conversions happy (not necessary by the standard) */
|
||||
|
||||
-static void
|
||||
+static int
|
||||
horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
tmsize_t stride = PredictorState(tif)->stride;
|
||||
|
||||
unsigned char* cp = (unsigned char*) cp0;
|
||||
- assert((cc%stride)==0);
|
||||
+ if((cc%stride)!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
|
||||
+ "%s", "(cc%stride)!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (cc > stride) {
|
||||
/*
|
||||
* Pipeline the most common cases.
|
||||
@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
} while (cc>0);
|
||||
}
|
||||
}
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
uint16* wp = (uint16*) cp0;
|
||||
tmsize_t wc = cc / 2;
|
||||
|
||||
TIFFSwabArrayOfShort(wp, wc);
|
||||
- horAcc16(tif, cp0, cc);
|
||||
+ return horAcc16(tif, cp0, cc);
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
tmsize_t stride = PredictorState(tif)->stride;
|
||||
uint16* wp = (uint16*) cp0;
|
||||
tmsize_t wc = cc / 2;
|
||||
|
||||
- assert((cc%(2*stride))==0);
|
||||
+ if((cc%(2*stride))!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
|
||||
+ "%s", "cc%(2*stride))!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
if (wc > stride) {
|
||||
wc -= stride;
|
||||
@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
wc -= stride;
|
||||
} while (wc > 0);
|
||||
}
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
uint32* wp = (uint32*) cp0;
|
||||
tmsize_t wc = cc / 4;
|
||||
|
||||
TIFFSwabArrayOfLong(wp, wc);
|
||||
- horAcc32(tif, cp0, cc);
|
||||
+ return horAcc32(tif, cp0, cc);
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
tmsize_t stride = PredictorState(tif)->stride;
|
||||
uint32* wp = (uint32*) cp0;
|
||||
tmsize_t wc = cc / 4;
|
||||
|
||||
- assert((cc%(4*stride))==0);
|
||||
+ if((cc%(4*stride))!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
|
||||
+ "%s", "cc%(4*stride))!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
if (wc > stride) {
|
||||
wc -= stride;
|
||||
@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
wc -= stride;
|
||||
} while (wc > 0);
|
||||
}
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Floating point predictor accumulation routine.
|
||||
*/
|
||||
-static void
|
||||
+static int
|
||||
fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
tmsize_t stride = PredictorState(tif)->stride;
|
||||
@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
uint8 *cp = (uint8 *) cp0;
|
||||
uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
|
||||
|
||||
- assert((cc%(bps*stride))==0);
|
||||
+ if(cc%(bps*stride)!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
|
||||
+ "%s", "cc%(bps*stride))!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
if (!tmp)
|
||||
- return;
|
||||
+ return 0;
|
||||
|
||||
while (count > stride) {
|
||||
REPEAT4(stride, cp[stride] =
|
||||
@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
}
|
||||
}
|
||||
_TIFFfree(tmp);
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
|
||||
assert(sp->decodepfunc != NULL);
|
||||
|
||||
if ((*sp->decoderow)(tif, op0, occ0, s)) {
|
||||
- (*sp->decodepfunc)(tif, op0, occ0);
|
||||
- return 1;
|
||||
+ return (*sp->decodepfunc)(tif, op0, occ0);
|
||||
} else
|
||||
return 0;
|
||||
}
|
||||
@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
|
||||
if ((*sp->decodetile)(tif, op0, occ0, s)) {
|
||||
tmsize_t rowsize = sp->rowsize;
|
||||
assert(rowsize > 0);
|
||||
- assert((occ0%rowsize)==0);
|
||||
+ if((occ0%rowsize) !=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
|
||||
+ "%s", "occ0%rowsize != 0");
|
||||
+ return 0;
|
||||
+ }
|
||||
assert(sp->decodepfunc != NULL);
|
||||
while (occ0 > 0) {
|
||||
- (*sp->decodepfunc)(tif, op0, rowsize);
|
||||
+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
|
||||
+ return 0;
|
||||
occ0 -= rowsize;
|
||||
op0 += rowsize;
|
||||
}
|
||||
@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
TIFFPredictorState* sp = PredictorState(tif);
|
||||
tmsize_t stride = sp->stride;
|
||||
unsigned char* cp = (unsigned char*) cp0;
|
||||
|
||||
- assert((cc%stride)==0);
|
||||
+ if((cc%stride)!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
|
||||
+ "%s", "(cc%stride)!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
if (cc > stride) {
|
||||
cc -= stride;
|
||||
@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
} while ((cc -= stride) > 0);
|
||||
}
|
||||
}
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
TIFFPredictorState* sp = PredictorState(tif);
|
||||
@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
uint16 *wp = (uint16*) cp0;
|
||||
tmsize_t wc = cc/2;
|
||||
|
||||
- assert((cc%(2*stride))==0);
|
||||
+ if((cc%(2*stride))!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
|
||||
+ "%s", "(cc%(2*stride))!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
if (wc > stride) {
|
||||
wc -= stride;
|
||||
@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
wc -= stride;
|
||||
} while (wc > 0);
|
||||
}
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
uint16* wp = (uint16*) cp0;
|
||||
tmsize_t wc = cc / 2;
|
||||
|
||||
- horDiff16(tif, cp0, cc);
|
||||
+ if( !horDiff16(tif, cp0, cc) )
|
||||
+ return 0;
|
||||
|
||||
TIFFSwabArrayOfShort(wp, wc);
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
TIFFPredictorState* sp = PredictorState(tif);
|
||||
@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
uint32 *wp = (uint32*) cp0;
|
||||
tmsize_t wc = cc/4;
|
||||
|
||||
- assert((cc%(4*stride))==0);
|
||||
+ if((cc%(4*stride))!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
|
||||
+ "%s", "(cc%(4*stride))!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
if (wc > stride) {
|
||||
wc -= stride;
|
||||
@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
wc -= stride;
|
||||
} while (wc > 0);
|
||||
}
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
uint32* wp = (uint32*) cp0;
|
||||
tmsize_t wc = cc / 4;
|
||||
|
||||
- horDiff32(tif, cp0, cc);
|
||||
+ if( !horDiff32(tif, cp0, cc) )
|
||||
+ return 0;
|
||||
|
||||
TIFFSwabArrayOfLong(wp, wc);
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Floating point predictor differencing routine.
|
||||
*/
|
||||
-static void
|
||||
+static int
|
||||
fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
{
|
||||
tmsize_t stride = PredictorState(tif)->stride;
|
||||
@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
uint8 *cp = (uint8 *) cp0;
|
||||
uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
|
||||
|
||||
- assert((cc%(bps*stride))==0);
|
||||
-
|
||||
+ if((cc%(bps*stride))!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
|
||||
+ "%s", "(cc%(bps*stride))!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
if (!tmp)
|
||||
- return;
|
||||
+ return 0;
|
||||
|
||||
_TIFFmemcpy(tmp, cp0, cc);
|
||||
for (count = 0; count < wc; count++) {
|
||||
@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
cp += cc - stride - 1;
|
||||
for (count = cc; count > stride; count -= stride)
|
||||
REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
assert(sp->encoderow != NULL);
|
||||
|
||||
/* XXX horizontal differencing alters user's data XXX */
|
||||
- (*sp->encodepfunc)(tif, bp, cc);
|
||||
+ if( !(*sp->encodepfunc)(tif, bp, cc) )
|
||||
+ return 0;
|
||||
return (*sp->encoderow)(tif, bp, cc, s);
|
||||
}
|
||||
|
||||
@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
|
||||
|
||||
rowsize = sp->rowsize;
|
||||
assert(rowsize > 0);
|
||||
- assert((cc0%rowsize)==0);
|
||||
+ if((cc0%rowsize)!=0)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
|
||||
+ "%s", "(cc0%rowsize)!=0");
|
||||
+ return 0;
|
||||
+ }
|
||||
while (cc > 0) {
|
||||
(*sp->encodepfunc)(tif, bp, rowsize);
|
||||
cc -= rowsize;
|
||||
diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
|
||||
index 91330cc..9e485a4 100644
|
||||
--- a/libtiff/tif_predict.h
|
||||
+++ b/libtiff/tif_predict.h
|
||||
@@ -30,6 +30,8 @@
|
||||
* ``Library-private'' Support for the Predictor Tag
|
||||
*/
|
||||
|
||||
+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
|
||||
+
|
||||
/*
|
||||
* Codecs that want to support the Predictor tag must place
|
||||
* this structure first in their private state block so that
|
||||
@@ -43,12 +45,12 @@ typedef struct {
|
||||
TIFFCodeMethod encoderow; /* parent codec encode/decode row */
|
||||
TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
|
||||
TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
|
||||
- TIFFPostMethod encodepfunc; /* horizontal differencer */
|
||||
+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
|
||||
|
||||
TIFFCodeMethod decoderow; /* parent codec encode/decode row */
|
||||
TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
|
||||
TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
|
||||
- TIFFPostMethod decodepfunc; /* horizontal accumulator */
|
||||
+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
|
||||
|
||||
TIFFVGetMethod vgetparent; /* super-class method */
|
||||
TIFFVSetMethod vsetparent; /* super-class method */
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,67 +0,0 @@
|
|||
From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Fri, 4 Nov 2016 09:19:13 +0000
|
||||
Subject: [PATCH 2/2] Fix CVE-2016-9535
|
||||
* libtiff/tif_predic.c: fix memory leaks in error code
|
||||
paths added in previous commit (fix for MSVR 35105)
|
||||
|
||||
CVE: CVE-2016-9535
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
|
||||
|
||||
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
|
||||
|
||||
---
|
||||
libtiff/tif_predict.c | 8 ++++++--
|
||||
1 files changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
|
||||
index b829259..3f42f3b 100644
|
||||
--- a/libtiff/tif_predict.c
|
||||
+++ b/libtiff/tif_predict.c
|
||||
@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
tmsize_t wc = cc / bps;
|
||||
tmsize_t count = cc;
|
||||
uint8 *cp = (uint8 *) cp0;
|
||||
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
|
||||
+ uint8 *tmp;
|
||||
|
||||
if(cc%(bps*stride)!=0)
|
||||
{
|
||||
@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ tmp = (uint8 *)_TIFFmalloc(cc);
|
||||
if (!tmp)
|
||||
return 0;
|
||||
|
||||
@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
tmsize_t wc = cc / bps;
|
||||
tmsize_t count;
|
||||
uint8 *cp = (uint8 *) cp0;
|
||||
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
|
||||
+ uint8 *tmp;
|
||||
|
||||
if((cc%(bps*stride))!=0)
|
||||
{
|
||||
@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
|
||||
"%s", "(cc%(bps*stride))!=0");
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ tmp = (uint8 *)_TIFFmalloc(cc);
|
||||
if (!tmp)
|
||||
return 0;
|
||||
|
||||
@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
|
||||
{
|
||||
TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
|
||||
"%s", "(cc0%rowsize)!=0");
|
||||
+ _TIFFfree( working_copy );
|
||||
return 0;
|
||||
}
|
||||
while (cc > 0) {
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,67 +0,0 @@
|
|||
From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sat, 8 Oct 2016 15:04:31 +0000
|
||||
Subject: [PATCH] Fix CVE-2016-9538
|
||||
* tools/tiffcp.c: fix read of undefined variable in case of
|
||||
missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
|
||||
fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
|
||||
overflow. Probably not a security issue but I can be wrong. Reported as MSVR
|
||||
35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
|
||||
|
||||
CVE: CVE-2016-9538
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
|
||||
|
||||
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
|
||||
|
||||
---
|
||||
tools/tiffcp.c | 4 ++--
|
||||
tools/tiffcrop.c | 9 ++++++---
|
||||
2 files changed, 17 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||
index ba2b715..4ad74d3 100644
|
||||
--- a/tools/tiffcp.c
|
||||
+++ b/tools/tiffcp.c
|
||||
@@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
|
||||
static int
|
||||
tiffcp(TIFF* in, TIFF* out)
|
||||
{
|
||||
- uint16 bitspersample, samplesperpixel;
|
||||
- uint16 input_compression, input_photometric;
|
||||
+ uint16 bitspersample, samplesperpixel = 1;
|
||||
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
|
||||
copyFunc cf;
|
||||
uint32 width, length;
|
||||
struct cpTag* p;
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 7685566..eb6de77 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
|
||||
{
|
||||
uint8* bufp = buf;
|
||||
int32 bytes_read = 0;
|
||||
- uint16 strip, nstrips = TIFFNumberOfStrips(in);
|
||||
+ uint32 strip, nstrips = TIFFNumberOfStrips(in);
|
||||
uint32 stripsize = TIFFStripSize(in);
|
||||
uint32 rows = 0;
|
||||
uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
|
||||
@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
|
||||
uint32 width, uint16 spp,
|
||||
struct dump_opts *dump)
|
||||
{
|
||||
- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
|
||||
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
|
||||
+ uint32 j;
|
||||
int32 bytes_read = 0;
|
||||
- uint16 bps, nstrips, planar, strips_per_sample;
|
||||
+ uint16 bps, planar;
|
||||
+ uint32 nstrips;
|
||||
+ uint32 strips_per_sample;
|
||||
uint32 src_rowsize, dst_rowsize, rows_processed, rps;
|
||||
uint32 rows_this_strip = 0;
|
||||
tsample_t s;
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,60 +0,0 @@
|
|||
From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Fri, 14 Oct 2016 19:13:20 +0000
|
||||
Subject: [PATCH ] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes
|
||||
in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
|
||||
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
|
||||
|
||||
CVE: CVE-2016-9539
|
||||
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
|
||||
|
||||
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
|
||||
|
||||
---
|
||||
ChangeLog | 6 ++++++
|
||||
tools/tiffcrop.c | 11 ++++++++++-
|
||||
2 files changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: tiff-4.0.6/ChangeLog
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/ChangeLog 2016-11-28 14:56:32.109283913 +0800
|
||||
+++ tiff-4.0.6/ChangeLog 2016-11-28 16:36:01.805325534 +0800
|
||||
@@ -17,6 +17,12 @@
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
(CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
|
||||
+2016-10-14 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
|
||||
+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
|
||||
+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
|
||||
+
|
||||
2016-10-08 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
|
||||
Index: tiff-4.0.6/tools/tiffcrop.c
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/tools/tiffcrop.c 2016-11-28 14:56:31.433283908 +0800
|
||||
+++ tiff-4.0.6/tools/tiffcrop.c 2016-11-28 16:42:13.793328128 +0800
|
||||
@@ -819,9 +819,18 @@
|
||||
}
|
||||
}
|
||||
|
||||
- tilebuf = _TIFFmalloc(tile_buffsize);
|
||||
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
|
||||
+ if( tile_buffsize > 0xFFFFFFFFU - 3 )
|
||||
+ {
|
||||
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ tilebuf = _TIFFmalloc(tile_buffsize + 3);
|
||||
if (tilebuf == 0)
|
||||
return 0;
|
||||
+ tilebuf[tile_buffsize] = 0;
|
||||
+ tilebuf[tile_buffsize+1] = 0;
|
||||
+ tilebuf[tile_buffsize+2] = 0;
|
||||
|
||||
dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;
|
||||
for (row = 0; row < imagelength; row += tl)
|
|
@ -1,60 +0,0 @@
|
|||
From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sat, 8 Oct 2016 15:54:56 +0000
|
||||
Subject: [PATCH] fix CVE-2016-9540
|
||||
* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
|
||||
tile width vs image width. Reported as MSVR 35103
|
||||
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
|
||||
Mitigations team.
|
||||
|
||||
CVE: CVE-2016-9540
|
||||
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
|
||||
|
||||
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
|
||||
---
|
||||
ChangeLog | 7 +++++++
|
||||
tools/tiffcp.c | 4 ++--
|
||||
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: tiff-4.0.4/ChangeLog
|
||||
===================================================================
|
||||
--- tiff-4.0.4.orig/ChangeLog 2016-11-24 14:40:43.046867737 +0800
|
||||
+++ tiff-4.0.4/ChangeLog 2016-11-28 14:38:01.681276171 +0800
|
||||
@@ -17,6 +17,13 @@
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
(CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
|
||||
+2016-10-08 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
|
||||
+ tile width vs image width. Reported as MSVR 35103
|
||||
+ by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
|
||||
+ Mitigations team.
|
||||
+
|
||||
2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||
|
||||
* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
|
||||
Index: tiff-4.0.4/tools/tiffcp.c
|
||||
===================================================================
|
||||
--- tiff-4.0.4.orig/tools/tiffcp.c 2015-06-21 09:09:10.000000000 +0800
|
||||
+++ tiff-4.0.4/tools/tiffcp.c 2016-11-28 14:41:02.221277430 +0800
|
||||
@@ -1338,7 +1338,7 @@
|
||||
uint32 colb = 0;
|
||||
uint32 col;
|
||||
|
||||
- for (col = 0; col < imagewidth; col += tw) {
|
||||
+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
|
||||
if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
|
||||
&& !ignore) {
|
||||
TIFFError(TIFFFileName(in),
|
||||
@@ -1523,7 +1523,7 @@
|
||||
uint32 colb = 0;
|
||||
uint32 col;
|
||||
|
||||
- for (col = 0; col < imagewidth; col += tw) {
|
||||
+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
|
||||
/*
|
||||
* Tile is clipped horizontally. Calculate
|
||||
* visible portion and skewing factors.
|
|
@ -1,281 +0,0 @@
|
|||
From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Fri, 23 Sep 2016 22:12:18 +0000
|
||||
Subject: [PATCH] Fix several CVE issues
|
||||
|
||||
Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537
|
||||
|
||||
* tools/tiffcrop.c: fix various out-of-bounds write
|
||||
vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
|
||||
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
|
||||
the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
|
||||
out-of-bounds write vulnerabilities in heap allocate buffer in
|
||||
t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
|
||||
and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
|
||||
libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
|
||||
allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
|
||||
Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
|
||||
libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
|
||||
didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
|
||||
that could happen in practice outside of the odd behaviour of t2p_seekproc()
|
||||
of tiff2pdf). The report points that a better fix could be to check the
|
||||
return value of TIFFFlushData1() in places where it isn't done currently, but
|
||||
it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
|
||||
Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
|
||||
Mitigations team.
|
||||
|
||||
CVE: CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, CVE-2016-9537
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef
|
||||
|
||||
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
|
||||
|
||||
---
|
||||
libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
|
||||
libtiff/tif_write.c | 7 +++++++
|
||||
tools/tiff2pdf.c | 22 ++++++++++++++++++--
|
||||
tools/tiffcrop.c | 20 +++++++++++++++++-
|
||||
4 files changed, 92 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
|
||||
index 1fb8f3b..d1246c3 100644
|
||||
--- a/libtiff/tif_pixarlog.c
|
||||
+++ b/libtiff/tif_pixarlog.c
|
||||
@@ -983,17 +983,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2)
|
||||
a1 = (int32) CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
|
||||
}
|
||||
} else {
|
||||
- ip += n - 1; /* point to last one */
|
||||
- wp += n - 1; /* point to last one */
|
||||
- n -= stride;
|
||||
- while (n > 0) {
|
||||
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
|
||||
- wp[stride] -= wp[0];
|
||||
- wp[stride] &= mask;
|
||||
- wp--; ip--)
|
||||
- n -= stride;
|
||||
- }
|
||||
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
|
||||
+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
|
||||
+ n -= stride;
|
||||
+ while (n > 0) {
|
||||
+ REPEAT(stride,
|
||||
+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
|
||||
+ wp++; ip++)
|
||||
+ n -= stride;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1036,17 +1033,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride,
|
||||
a1 = CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
|
||||
}
|
||||
} else {
|
||||
- ip += n - 1; /* point to last one */
|
||||
- wp += n - 1; /* point to last one */
|
||||
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
|
||||
n -= stride;
|
||||
while (n > 0) {
|
||||
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
|
||||
- wp[stride] -= wp[0];
|
||||
- wp[stride] &= mask;
|
||||
- wp--; ip--)
|
||||
- n -= stride;
|
||||
- }
|
||||
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
|
||||
+ REPEAT(stride,
|
||||
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
|
||||
+ wp++; ip++)
|
||||
+ n -= stride;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1089,18 +1083,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride,
|
||||
ip += 4;
|
||||
}
|
||||
} else {
|
||||
- wp += n + stride - 1; /* point to last one */
|
||||
- ip += n + stride - 1; /* point to last one */
|
||||
- n -= stride;
|
||||
- while (n > 0) {
|
||||
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
|
||||
- wp[stride] -= wp[0];
|
||||
- wp[stride] &= mask;
|
||||
- wp--; ip--)
|
||||
- n -= stride;
|
||||
- }
|
||||
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
|
||||
- }
|
||||
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
|
||||
+ n -= stride;
|
||||
+ while (n > 0) {
|
||||
+ REPEAT(stride,
|
||||
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
|
||||
+ wp++; ip++)
|
||||
+ n -= stride;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
|
||||
index f9a3fc0..d8fa802 100644
|
||||
--- a/libtiff/tif_write.c
|
||||
+++ b/libtiff/tif_write.c
|
||||
@@ -798,7 +798,14 @@ TIFFFlushData1(TIFF* tif)
|
||||
if (!TIFFAppendToStrip(tif,
|
||||
isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
|
||||
tif->tif_rawdata, tif->tif_rawcc))
|
||||
+ {
|
||||
+ /* We update those variables even in case of error since there's */
|
||||
+ /* code that doesn't really check the return code of this */
|
||||
+ /* function */
|
||||
+ tif->tif_rawcc = 0;
|
||||
+ tif->tif_rawcp = tif->tif_rawdata;
|
||||
return (0);
|
||||
+ }
|
||||
tif->tif_rawcc = 0;
|
||||
tif->tif_rawcp = tif->tif_rawdata;
|
||||
}
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index dcd5a7e..f8df6b5 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t);
|
||||
int t2p_process_ojpeg_tables(T2P*, TIFF*);
|
||||
#endif
|
||||
#ifdef JPEG_SUPPORT
|
||||
-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
|
||||
+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
|
||||
#endif
|
||||
void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
|
||||
void t2p_write_advance_directory(T2P*, TIFF*);
|
||||
@@ -2408,7 +2408,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
|
||||
if(!t2p_process_jpeg_strip(
|
||||
stripbuffer,
|
||||
&striplength,
|
||||
- buffer,
|
||||
+ buffer,
|
||||
+ t2p->tiff_datasize,
|
||||
&bufferoffset,
|
||||
i,
|
||||
t2p->tiff_length)){
|
||||
@@ -3439,6 +3440,7 @@ int t2p_process_jpeg_strip(
|
||||
unsigned char* strip,
|
||||
tsize_t* striplength,
|
||||
unsigned char* buffer,
|
||||
+ tsize_t buffersize,
|
||||
tsize_t* bufferoffset,
|
||||
tstrip_t no,
|
||||
uint32 height){
|
||||
@@ -3473,6 +3475,8 @@ int t2p_process_jpeg_strip(
|
||||
}
|
||||
switch( strip[i] ){
|
||||
case 0xd8: /* SOI - start of image */
|
||||
+ if( *bufferoffset + 2 > buffersize )
|
||||
+ return(0);
|
||||
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
|
||||
*bufferoffset+=2;
|
||||
break;
|
||||
@@ -3482,12 +3486,18 @@ int t2p_process_jpeg_strip(
|
||||
case 0xc9: /* SOF9 */
|
||||
case 0xca: /* SOF10 */
|
||||
if(no==0){
|
||||
+ if( *bufferoffset + datalen + 2 + 6 > buffersize )
|
||||
+ return(0);
|
||||
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
|
||||
+ if( *bufferoffset + 9 >= buffersize )
|
||||
+ return(0);
|
||||
ncomp = buffer[*bufferoffset+9];
|
||||
if (ncomp < 1 || ncomp > 4)
|
||||
return(0);
|
||||
v_samp=1;
|
||||
h_samp=1;
|
||||
+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
|
||||
+ return(0);
|
||||
for(j=0;j<ncomp;j++){
|
||||
uint16 samp = buffer[*bufferoffset+11+(3*j)];
|
||||
if( (samp>>4) > h_samp)
|
||||
@@ -3519,20 +3529,28 @@ int t2p_process_jpeg_strip(
|
||||
break;
|
||||
case 0xc4: /* DHT */
|
||||
case 0xdb: /* DQT */
|
||||
+ if( *bufferoffset + datalen + 2 > buffersize )
|
||||
+ return(0);
|
||||
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
|
||||
*bufferoffset+=datalen+2;
|
||||
break;
|
||||
case 0xda: /* SOS */
|
||||
if(no==0){
|
||||
+ if( *bufferoffset + datalen + 2 > buffersize )
|
||||
+ return(0);
|
||||
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
|
||||
*bufferoffset+=datalen+2;
|
||||
} else {
|
||||
+ if( *bufferoffset + 2 > buffersize )
|
||||
+ return(0);
|
||||
buffer[(*bufferoffset)++]=0xff;
|
||||
buffer[(*bufferoffset)++]=
|
||||
(unsigned char)(0xd0 | ((no-1)%8));
|
||||
}
|
||||
i += datalen + 1;
|
||||
/* copy remainder of strip */
|
||||
+ if( *bufferoffset + *striplength - i > buffersize )
|
||||
+ return(0);
|
||||
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
|
||||
*bufferoffset+= *striplength - i;
|
||||
return(1);
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index ebc4aba..7685566 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -5758,7 +5758,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
|
||||
{
|
||||
uint32 i;
|
||||
float xres = 0.0, yres = 0.0;
|
||||
- uint16 nstrips = 0, ntiles = 0, planar = 0;
|
||||
+ uint32 nstrips = 0, ntiles = 0;
|
||||
+ uint16 planar = 0;
|
||||
uint16 bps = 0, spp = 0, res_unit = 0;
|
||||
uint16 orientation = 0;
|
||||
uint16 input_compression = 0, input_photometric = 0;
|
||||
@@ -6066,11 +6067,23 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
|
||||
/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
|
||||
/* outside buffer */
|
||||
if (!read_buff)
|
||||
+ {
|
||||
+ if( buffsize > 0xFFFFFFFFU - 3 )
|
||||
+ {
|
||||
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
|
||||
+ return (-1);
|
||||
+ }
|
||||
read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
|
||||
+ }
|
||||
else
|
||||
{
|
||||
if (prev_readsize < buffsize)
|
||||
+ {
|
||||
+ if( buffsize > 0xFFFFFFFFU - 3 )
|
||||
{
|
||||
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
|
||||
+ return (-1);
|
||||
+ }
|
||||
new_buff = _TIFFrealloc(read_buff, buffsize+3);
|
||||
if (!new_buff)
|
||||
{
|
||||
@@ -8912,6 +8925,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width,
|
||||
}
|
||||
|
||||
bytes_per_pixel = ((bps * spp) + 7) / 8;
|
||||
+ if( bytes_per_pixel > sizeof(swapbuff) )
|
||||
+ {
|
||||
+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
|
||||
+ return (1);
|
||||
+ }
|
||||
switch (bps / 8)
|
||||
{
|
||||
case 8: /* Use memcpy for multiple bytes per sample data */
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -6,29 +6,10 @@ CVE_PRODUCT = "libtiff"
|
|||
|
||||
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
|
||||
file://libtool2.patch \
|
||||
file://CVE-2015-8665_8683.patch \
|
||||
file://CVE-2015-8781.patch \
|
||||
file://CVE-2015-8784.patch \
|
||||
file://CVE-2016-3186.patch \
|
||||
file://CVE-2016-5321.patch \
|
||||
file://CVE-2016-5323.patch \
|
||||
file://CVE-2016-3945.patch \
|
||||
file://CVE-2016-3990.patch \
|
||||
file://CVE-2016-3991.patch \
|
||||
file://CVE-2016-3623.patch \
|
||||
file://CVE-2016-3622.patch \
|
||||
file://CVE-2016-3658.patch \
|
||||
file://CVE-2016-3632.patch \
|
||||
file://CVE-2016-9540.patch \
|
||||
file://CVE-2016-9539.patch \
|
||||
file://CVE-2016-9535-1.patch \
|
||||
file://CVE-2016-9535-2.patch \
|
||||
file://CVE-2016-9538.patch \
|
||||
file://Fix_several_CVE_issues.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
|
||||
SRC_URI[sha256sum] = "4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c"
|
||||
SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
|
||||
SRC_URI[sha256sum] = "9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019"
|
||||
|
||||
# exclude betas
|
||||
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
|
Loading…
Reference in New Issue