tiff: Security fix CVE-2016-3658
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool
allows remote attackers to cause a denial of service (out-of-bounds read) via vectors
involving the ma variable.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658
http://bugzilla.maptools.org/show_bug.cgi?id=2546
Patch from:
45c68450be
(From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
69a8784b79
commit
bfbed355df
|
@ -0,0 +1,111 @@
|
|||
From: 45c68450bef8ad876f310b495165c513cad8b67d
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
|
||||
* libtiff/tif_dir.c: discard values of SMinSampleValue and
|
||||
SMaxSampleValue when they have been read and the value of
|
||||
SamplesPerPixel is changed afterwards (like when reading a
|
||||
OJPEG compressed image with a missing SamplesPerPixel tag,
|
||||
and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
|
||||
being 3). Otherwise when rewriting the directory (for example
|
||||
with tiffset, we will expect 3 values whereas the array had been
|
||||
allocated with just one), thus causing a out of bound read access.
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
(CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
|
||||
* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
|
||||
when writing directory, if FIELD_STRIPOFFSETS was artificially set
|
||||
for a hack case in OJPEG case.
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
(CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
|
||||
CVE: CVE-2016-3658
|
||||
Upstream-Status: Backport
|
||||
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
|
||||
|
||||
Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
|
||||
|
||||
Index: tiff-4.0.6/ChangeLog
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
|
||||
+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
|
||||
@@ -1,3 +1,22 @@
|
||||
+2016-10-25 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
|
||||
+ SMaxSampleValue when they have been read and the value of
|
||||
+ SamplesPerPixel is changed afterwards (like when reading a
|
||||
+ OJPEG compressed image with a missing SamplesPerPixel tag,
|
||||
+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
|
||||
+ being 3). Otherwise when rewriting the directory (for example
|
||||
+ with tiffset, we will expect 3 values whereas the array had been
|
||||
+ allocated with just one), thus causing a out of bound read access.
|
||||
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
+ (CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
+
|
||||
+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
|
||||
+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
|
||||
+ for a hack case in OJPEG case.
|
||||
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
+ (CVE-2014-8127, duplicate: CVE-2016-3658)
|
||||
+
|
||||
2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||
|
||||
* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
|
||||
Index: tiff-4.0.6/libtiff/tif_dir.c
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
|
||||
+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
|
||||
@@ -254,6 +254,28 @@
|
||||
v = (uint16) va_arg(ap, uint16_vap);
|
||||
if (v == 0)
|
||||
goto badvalue;
|
||||
+ if( v != td->td_samplesperpixel )
|
||||
+ {
|
||||
+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
|
||||
+ if( td->td_sminsamplevalue != NULL )
|
||||
+ {
|
||||
+ TIFFWarningExt(tif->tif_clientdata,module,
|
||||
+ "SamplesPerPixel tag value is changing, "
|
||||
+ "but SMinSampleValue tag was read with a different value. Cancelling it");
|
||||
+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
|
||||
+ _TIFFfree(td->td_sminsamplevalue);
|
||||
+ td->td_sminsamplevalue = NULL;
|
||||
+ }
|
||||
+ if( td->td_smaxsamplevalue != NULL )
|
||||
+ {
|
||||
+ TIFFWarningExt(tif->tif_clientdata,module,
|
||||
+ "SamplesPerPixel tag value is changing, "
|
||||
+ "but SMaxSampleValue tag was read with a different value. Cancelling it");
|
||||
+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
|
||||
+ _TIFFfree(td->td_smaxsamplevalue);
|
||||
+ td->td_smaxsamplevalue = NULL;
|
||||
+ }
|
||||
+ }
|
||||
td->td_samplesperpixel = (uint16) v;
|
||||
break;
|
||||
case TIFFTAG_ROWSPERSTRIP:
|
||||
Index: tiff-4.0.6/libtiff/tif_dirwrite.c
|
||||
===================================================================
|
||||
--- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
|
||||
+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
|
||||
@@ -542,7 +542,19 @@
|
||||
{
|
||||
if (!isTiled(tif))
|
||||
{
|
||||
- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
|
||||
+ /* td_stripoffset might be NULL in an odd OJPEG case. See
|
||||
+ * tif_dirread.c around line 3634.
|
||||
+ * XXX: OJPEG hack.
|
||||
+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
|
||||
+ * and c) the number of strips is 1,
|
||||
+ * then we tolerate the absence of stripoffsets tag,
|
||||
+ * because, presumably, all required data is in the
|
||||
+ * JpegInterchangeFormat stream.
|
||||
+ * We can get here when using tiffset on such a file.
|
||||
+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||
+ */
|
||||
+ if (tif->tif_dir.td_stripoffset != NULL &&
|
||||
+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
|
||||
goto bad;
|
||||
}
|
||||
else
|
|
@ -15,6 +15,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
|
|||
file://CVE-2016-3991.patch \
|
||||
file://CVE-2016-3623.patch \
|
||||
file://CVE-2016-3622.patch \
|
||||
file://CVE-2016-3658.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
|
||||
|
|
Loading…
Reference in New Issue