libtiff: Security Advisory - CVE-2012-4564
v2 changes: * update format for commit log * add Upstream-Status for patch ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4564 (From OE-Core rev: 9f02922d44de483ef4d02ce95b55efe79a8b09a2) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
9d40ce5dd1
commit
c44d7b5cde
|
@ -0,0 +1,99 @@
|
|||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
|
||||
Index: tools/ppm2tiff.c
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v
|
||||
retrieving revision 1.16
|
||||
retrieving revision 1.18
|
||||
diff -u -r1.16 -r1.18
|
||||
--- a/tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16
|
||||
+++ b/tools/ppm2tiff.c 10 Dec 2012 18:19:11 -0000 1.18
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: ppm2tiff.c,v 1.16 2010-04-10 19:22:34 bfriesen Exp $ */
|
||||
+/* $Id: ppm2tiff.c,v 1.18 2012-12-10 18:19:11 tgl Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1991-1997 Sam Leffler
|
||||
@@ -72,6 +72,17 @@
|
||||
exit(-2);
|
||||
}
|
||||
|
||||
+static tmsize_t
|
||||
+multiply_ms(tmsize_t m1, tmsize_t m2)
|
||||
+{
|
||||
+ tmsize_t bytes = m1 * m2;
|
||||
+
|
||||
+ if (m1 && bytes / m1 != m2)
|
||||
+ bytes = 0;
|
||||
+
|
||||
+ return bytes;
|
||||
+}
|
||||
+
|
||||
int
|
||||
main(int argc, char* argv[])
|
||||
{
|
||||
@@ -79,7 +90,7 @@
|
||||
uint32 rowsperstrip = (uint32) -1;
|
||||
double resolution = -1;
|
||||
unsigned char *buf = NULL;
|
||||
- tsize_t linebytes = 0;
|
||||
+ tmsize_t linebytes = 0;
|
||||
uint16 spp = 1;
|
||||
uint16 bpp = 8;
|
||||
TIFF *out;
|
||||
@@ -89,6 +100,7 @@
|
||||
int c;
|
||||
extern int optind;
|
||||
extern char* optarg;
|
||||
+ tmsize_t scanline_size;
|
||||
|
||||
if (argc < 2) {
|
||||
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
|
||||
@@ -221,7 +233,8 @@
|
||||
}
|
||||
switch (bpp) {
|
||||
case 1:
|
||||
- linebytes = (spp * w + (8 - 1)) / 8;
|
||||
+ /* if round-up overflows, result will be zero, OK */
|
||||
+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
|
||||
if (rowsperstrip == (uint32) -1) {
|
||||
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
|
||||
} else {
|
||||
@@ -230,15 +243,31 @@
|
||||
}
|
||||
break;
|
||||
case 8:
|
||||
- linebytes = spp * w;
|
||||
+ linebytes = multiply_ms(spp, w);
|
||||
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
|
||||
TIFFDefaultStripSize(out, rowsperstrip));
|
||||
break;
|
||||
}
|
||||
- if (TIFFScanlineSize(out) > linebytes)
|
||||
+ if (linebytes == 0) {
|
||||
+ fprintf(stderr, "%s: scanline size overflow\n", infile);
|
||||
+ (void) TIFFClose(out);
|
||||
+ exit(-2);
|
||||
+ }
|
||||
+ scanline_size = TIFFScanlineSize(out);
|
||||
+ if (scanline_size == 0) {
|
||||
+ /* overflow - TIFFScanlineSize already printed a message */
|
||||
+ (void) TIFFClose(out);
|
||||
+ exit(-2);
|
||||
+ }
|
||||
+ if (scanline_size < linebytes)
|
||||
buf = (unsigned char *)_TIFFmalloc(linebytes);
|
||||
else
|
||||
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
|
||||
+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
|
||||
+ if (buf == NULL) {
|
||||
+ fprintf(stderr, "%s: Not enough memory\n", infile);
|
||||
+ (void) TIFFClose(out);
|
||||
+ exit(-2);
|
||||
+ }
|
||||
if (resolution > 0) {
|
||||
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
|
||||
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
|
|
@ -9,7 +9,8 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
|
|||
file://libtiff-CVE-2013-4232.patch \
|
||||
file://libtiff-CVE-2013-4243.patch \
|
||||
file://libtiff-CVE-2013-4244.patch \
|
||||
file://libtiff-CVE-2013-4231.patch "
|
||||
file://libtiff-CVE-2013-4231.patch \
|
||||
file://tiff-CVE-2012-4564.patch "
|
||||
|
||||
SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
|
||||
SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
|
||||
|
|
Loading…
Reference in New Issue