diff options
20 files changed, 2 insertions, 2221 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch deleted file mode 100644 index 39c5059c75..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch +++ /dev/null @@ -1,137 +0,0 @@ -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sat, 26 Dec 2015 17:32:03 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in - TIFFRGBAImage interface in case of unsupported values of - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by - limingxing and CVE-2015-8683 reported by zzf of Alibaba. - -Upstream-Status: Backport -CVE: CVE-2015-8665 -CVE: CVE-2015-8683 -https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - ChangeLog | 8 ++++++++ - libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- - 2 files changed, 30 insertions(+), 13 deletions(-) - -Index: tiff-4.0.6/libtiff/tif_getimage.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_getimage.c -+++ tiff-4.0.6/libtiff/tif_getimage.c -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d", -- "Samples/pixel", td->td_samplesperpixel); -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d and %s=%d", -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } -@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+ -+ if( !TIFFRGBAImageOK(tif, emsg) ) -+ return 0; - - /* Initialize to normal values */ - img->row_offset = 0; -@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >= 4) - img->put.contig = putRGBAAcontig8bittile; -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >= 4) - { - if (BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >= 3 ) - img->put.contig = putRGBcontig8bittile; - break; - case 16: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBAAcontig16bittile; - } -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBcontig16bittile; -@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=4 && buildMap(img)) { - if (img->bitspersample == 8) { - if (!img->Map) - img->put.contig = putRGBcontig8bitCMYKtile; -@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel == 3 && buildMap(img)) { - if (img->bitspersample == 8) - img->put.contig = initCIELabConversion(img); - break; -Index: tiff-4.0.6/ChangeLog -=================================================================== ---- tiff-4.0.6.orig/ChangeLog -+++ tiff-4.0.6/ChangeLog -@@ -1,3 +1,11 @@ -+2015-12-26 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples -+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in -+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and -+ CVE-2015-8683 reported by zzf of Alibaba. -+ - 2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> - - * libtiff 4.0.6 released. diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch deleted file mode 100644 index 0846f0f68e..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch +++ /dev/null @@ -1,195 +0,0 @@ -From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sun, 27 Dec 2015 16:25:11 +0000 -Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in - decode functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). Fix potential out-of-bound reads in case of short - input data. - -Upstream-Status: Backport - -https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 -hand applied Changelog changes - -CVE: CVE-2015-8781 - -Signed-off-by: Armin Kuster <akuster@mvista.com> ---- - ChangeLog | 7 +++++++ - libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- - 2 files changed, 51 insertions(+), 11 deletions(-) - -Index: tiff-4.0.4/ChangeLog -=================================================================== ---- tiff-4.0.4.orig/ChangeLog -+++ tiff-4.0.4/ChangeLog -@@ -1,3 +1,10 @@ -+2015-12-27 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode -+ functions in non debug builds by replacing assert()s by regular if -+ checks (bugzilla #2522). -+ Fix potential out-of-bound reads in case of short input data. -+ - 2015-12-26 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -Index: tiff-4.0.4/libtiff/tif_luv.c -=================================================================== ---- tiff-4.0.4.orig/libtiff/tif_luv.c -+++ tiff-4.0.4/libtiff/tif_luv.c -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch deleted file mode 100644 index 0caf800e23..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch +++ /dev/null @@ -1,73 +0,0 @@ -From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sun, 27 Dec 2015 16:55:20 +0000 -Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in - NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif - (bugzilla #2508) - -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c -hand applied Changelog changes - -CVE: CVE-2015-8784 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - ChangeLog | 6 ++++++ - libtiff/tif_next.c | 10 ++++++++-- - 2 files changed, 14 insertions(+), 2 deletions(-) - -Index: tiff-4.0.4/ChangeLog -=================================================================== ---- tiff-4.0.4.orig/ChangeLog -+++ tiff-4.0.4/ChangeLog -@@ -1,5 +1,11 @@ - 2015-12-27 Even Rouault <even.rouault at spatialys.com> - -+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() -+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif -+ (bugzilla #2508) -+ -+2015-12-27 Even Rouault <even.rouault at spatialys.com> -+ - * libtiff/tif_luv.c: fix potential out-of-bound writes in decode - functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). -Index: tiff-4.0.4/libtiff/tif_next.c -=================================================================== ---- tiff-4.0.4.orig/libtiff/tif_next.c -+++ tiff-4.0.4/libtiff/tif_next.c -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -+ tmsize_t op_offset = 0; - - /* - * The scanline is composed of a sequence of constant -@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch deleted file mode 100644 index 4a08aba211..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch +++ /dev/null @@ -1,24 +0,0 @@ -Buffer overflow in the readextension function in gif2tiff.c -allows remote attackers to cause a denial of service via a crafted GIF file. - -External References: -https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186 -https://bugzilla.redhat.com/show_bug.cgi?id=1319503 - -CVE: CVE-2016-3186 -Upstream-Status: Backport (RedHat) -https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff - -Signed-off-by: Yi Zhao <yi.zhao@windirver.com> - ---- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200 -+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200 -@@ -349,7 +349,7 @@ - int status = 1; - - (void) getc(infile); -- while ((count = getc(infile)) && count <= 255) -+ while ((count = getc(infile)) && count >= 0 && count <= 255) - if (fread(buf, 1, count, infile) != (size_t) count) { - fprintf(stderr, "short read from file %s (%s)\n", - filename, strerror(errno)); diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch deleted file mode 100644 index 0c8b7164e5..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch +++ /dev/null @@ -1,129 +0,0 @@ -From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001 -From: bfriesen <bfriesen> -Date: Sat, 24 Sep 2016 23:11:55 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts - to read floating point images. - -* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample -requirements of floating point predictor (3). Fixes CVE-2016-3622 -"Divide By Zero in the tiff2rgba tool." - -CVE: CVE-2016-3622 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 - -Signed-off-by: Yi Zhao <yi.zhao@windirver.com> ---- - ChangeLog | 11 ++++++++++- - libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------ - libtiff/tif_predict.c | 11 ++++++++++- - 3 files changed, 40 insertions(+), 20 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 26d6f47..a628277 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,12 @@ -+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> -+ -+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to -+ read floating point images. -+ -+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample -+ requirements of floating point predictor (3). Fixes CVE-2016-3622 -+ "Divide By Zero in the tiff2rgba tool." -+ - 2016-08-15 Even Rouault <even.rouault at spatialys.com> - - * tools/rgb2ycbcr.c: validate values of -v and -h parameters to -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 386cee0..3e689ee 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) - td->td_bitspersample); - return (0); - } -+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) { -+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples"); -+ return (0); -+ } - colorchannels = td->td_samplesperpixel - td->td_extrasamples; - if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) { - switch (colorchannels) { -@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 || colorchannels != 3 ) -- { -- sprintf(emsg, -- "Sorry, can not handle image with %s=%d, %s=%d", -- "Samples/pixel", td->td_samplesperpixel, -- "colorchannels", colorchannels); -- return 0; -- } -+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) { -+ sprintf(emsg, -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); -+ return 0; -+ } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) -- { -- sprintf(emsg, -- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", -- "Samples/pixel", td->td_samplesperpixel, -- "colorchannels", colorchannels, -- "Bits/sample", td->td_bitspersample); -- return 0; -- } -+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { -+ sprintf(emsg, -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, -+ "Bits/sample", td->td_bitspersample); -+ return 0; -+ } - break; -- default: -+ default: - sprintf(emsg, "Sorry, can not handle image with %s=%d", - photoTag, photometric); - return (0); -diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c -index 081eb11..555f2f9 100644 ---- a/libtiff/tif_predict.c -+++ b/libtiff/tif_predict.c -@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif) - td->td_sampleformat); - return 0; - } -+ if (td->td_bitspersample != 16 -+ && td->td_bitspersample != 24 -+ && td->td_bitspersample != 32 -+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Floating point \"Predictor\" not supported with %d-bit samples", -+ td->td_bitspersample); -+ return 0; -+ } - break; - default: - TIFFErrorExt(tif->tif_clientdata, module, -@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif) - } - /* - * Allocate buffer to keep the decoded bytes before -- * rearranging in the ight order -+ * rearranging in the right order - */ - } - --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch deleted file mode 100644 index f554ac5464..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch +++ /dev/null @@ -1,52 +0,0 @@ -From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 15 Aug 2016 21:26:56 +0000 -Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters - to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569) - -CVE: CVE-2016-3623 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b - -Signed-off-by: Yi Zhao <yi.zhao@windirver.com> ---- - ChangeLog | 5 +++++ - tools/rgb2ycbcr.c | 4 ++++ - 2 files changed, 9 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index 5d60608..3e6642a 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,5 +1,10 @@ - 2016-08-15 Even Rouault <even.rouault at spatialys.com> - -+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to -+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569) -+ -+2016-08-15 Even Rouault <even.rouault at spatialys.com> -+ - * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). - From patch libtiff-CVE-2016-3991.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) -diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c -index 3829d6b..51f4259 100644 ---- a/tools/rgb2ycbcr.c -+++ b/tools/rgb2ycbcr.c -@@ -95,9 +95,13 @@ main(int argc, char* argv[]) - break; - case 'h': - horizSubSampling = atoi(optarg); -+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 ) -+ usage(-1); - break; - case 'v': - vertSubSampling = atoi(optarg); -+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 ) -+ usage(-1); - break; - case 'r': - rowsperstrip = atoi(optarg); --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch deleted file mode 100644 index a8392509e6..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch +++ /dev/null @@ -1,34 +0,0 @@ -From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com> -Date: Mon, 11 Jul 2016 16:04:34 +0200 -Subject: [PATCH 4/8] Fix CVE-2016-3632 - -CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in -LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service -(out-of-bounds write) or execute arbitrary code via a crafted TIFF image. - -CVE: CVE-2016-3632 -Upstream-Status: Backport [RedHat RHEL7] - -Signed-off-by: Yi Zhao <yi.zhao@windirver.com> ---- - tools/thumbnail.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/tools/thumbnail.c b/tools/thumbnail.c -index fd1cba5..75e7009 100644 ---- a/tools/thumbnail.c -+++ b/tools/thumbnail.c -@@ -253,7 +253,8 @@ static struct cpTag { - { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL }, - { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL }, - { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT }, -- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, -+ // disable BADFAXLINES, CVE-2016-3632 -+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, - { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, - { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, - { TIFFTAG_INKSET, 1, TIFF_SHORT }, --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch deleted file mode 100644 index 6cb12f2907..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch +++ /dev/null @@ -1,111 +0,0 @@ -From: 45c68450bef8ad876f310b495165c513cad8b67d -From: Even Rouault <even.rouault@spatialys.com> - -* libtiff/tif_dir.c: discard values of SMinSampleValue and -SMaxSampleValue when they have been read and the value of -SamplesPerPixel is changed afterwards (like when reading a -OJPEG compressed image with a missing SamplesPerPixel tag, -and whose photometric is RGB or YCbCr, forcing SamplesPerPixel -being 3). Otherwise when rewriting the directory (for example -with tiffset, we will expect 3 values whereas the array had been -allocated with just one), thus causing a out of bound read access. -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -(CVE-2014-8127, duplicate: CVE-2016-3658) - -* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset -when writing directory, if FIELD_STRIPOFFSETS was artificially set -for a hack case in OJPEG case. -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -(CVE-2014-8127, duplicate: CVE-2016-3658) - -CVE: CVE-2016-3658 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d - -Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com> - -Index: tiff-4.0.6/ChangeLog -=================================================================== ---- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800 -+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800 -@@ -1,3 +1,22 @@ -+2016-10-25 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_dir.c: discard values of SMinSampleValue and -+ SMaxSampleValue when they have been read and the value of -+ SamplesPerPixel is changed afterwards (like when reading a -+ OJPEG compressed image with a missing SamplesPerPixel tag, -+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel -+ being 3). Otherwise when rewriting the directory (for example -+ with tiffset, we will expect 3 values whereas the array had been -+ allocated with just one), thus causing a out of bound read access. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ (CVE-2014-8127, duplicate: CVE-2016-3658) -+ -+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset -+ when writing directory, if FIELD_STRIPOFFSETS was artificially set -+ for a hack case in OJPEG case. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ (CVE-2014-8127, duplicate: CVE-2016-3658) -+ - 2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> - - * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to -Index: tiff-4.0.6/libtiff/tif_dir.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800 -+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800 -@@ -254,6 +254,28 @@ - v = (uint16) va_arg(ap, uint16_vap); - if (v == 0) - goto badvalue; -+ if( v != td->td_samplesperpixel ) -+ { -+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */ -+ if( td->td_sminsamplevalue != NULL ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "SamplesPerPixel tag value is changing, " -+ "but SMinSampleValue tag was read with a different value. Cancelling it"); -+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE); -+ _TIFFfree(td->td_sminsamplevalue); -+ td->td_sminsamplevalue = NULL; -+ } -+ if( td->td_smaxsamplevalue != NULL ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "SamplesPerPixel tag value is changing, " -+ "but SMaxSampleValue tag was read with a different value. Cancelling it"); -+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE); -+ _TIFFfree(td->td_smaxsamplevalue); -+ td->td_smaxsamplevalue = NULL; -+ } -+ } - td->td_samplesperpixel = (uint16) v; - break; - case TIFFTAG_ROWSPERSTRIP: -Index: tiff-4.0.6/libtiff/tif_dirwrite.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800 -+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800 -@@ -542,7 +542,19 @@ - { - if (!isTiled(tif)) - { -- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) -+ /* td_stripoffset might be NULL in an odd OJPEG case. See -+ * tif_dirread.c around line 3634. -+ * XXX: OJPEG hack. -+ * If a) compression is OJPEG, b) it's not a tiled TIFF, -+ * and c) the number of strips is 1, -+ * then we tolerate the absence of stripoffsets tag, -+ * because, presumably, all required data is in the -+ * JpegInterchangeFormat stream. -+ * We can get here when using tiffset on such a file. -+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ */ -+ if (tif->tif_dir.td_stripoffset != NULL && -+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) - goto bad; - } - else diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016 |