diff options
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch | 137 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 | 
2 files changed, 138 insertions, 0 deletions
| diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch new file mode 100644 index 0000000000..39c5059c75 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch @@ -0,0 +1,137 @@ +From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sat, 26 Dec 2015 17:32:03 +0000 +Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in + TIFFRGBAImage interface in case of unsupported values of + SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to + TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by + limingxing and CVE-2015-8683 reported by zzf of Alibaba. + +Upstream-Status: Backport +CVE: CVE-2015-8665 +CVE: CVE-2015-8683 +https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog              |  8 ++++++++ + libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- + 2 files changed, 30 insertions(+), 13 deletions(-) + +Index: tiff-4.0.6/libtiff/tif_getimage.c +=================================================================== +--- tiff-4.0.6.orig/libtiff/tif_getimage.c ++++ tiff-4.0.6/libtiff/tif_getimage.c +@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 + 				    "Planarconfiguration", td->td_planarconfig); + 				return (0); + 			} +-			if( td->td_samplesperpixel != 3 ) ++			if( td->td_samplesperpixel != 3 || colorchannels != 3 ) +             { +                 sprintf(emsg, +-                        "Sorry, can not handle image with %s=%d", +-                        "Samples/pixel", td->td_samplesperpixel); ++                        "Sorry, can not handle image with %s=%d, %s=%d", ++                        "Samples/pixel", td->td_samplesperpixel, ++                        "colorchannels", colorchannels); +                 return 0; +             } + 			break; + 		case PHOTOMETRIC_CIELAB: +-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) +             { +                 sprintf(emsg, +-                        "Sorry, can not handle image with %s=%d and %s=%d", ++                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", +                         "Samples/pixel", td->td_samplesperpixel, ++                        "colorchannels", colorchannels, +                         "Bits/sample", td->td_bitspersample); +                 return 0; +             } +@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T + 	int colorchannels; + 	uint16 *red_orig, *green_orig, *blue_orig; + 	int n_color; ++	 ++	if( !TIFFRGBAImageOK(tif, emsg) ) ++		return 0; +  + 	/* Initialize to normal values */ + 	img->row_offset = 0; +@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) + 		case PHOTOMETRIC_RGB: + 			switch (img->bitspersample) { + 				case 8: +-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++						img->samplesperpixel >= 4) + 						img->put.contig = putRGBAAcontig8bittile; +-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++							 img->samplesperpixel >= 4) + 					{ + 						if (BuildMapUaToAa(img)) + 							img->put.contig = putRGBUAcontig8bittile; + 					} +-					else ++					else if( img->samplesperpixel >= 3 ) + 						img->put.contig = putRGBcontig8bittile; + 					break; + 				case 16: +-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++						img->samplesperpixel >=4 ) + 					{ + 						if (BuildMapBitdepth16To8(img)) + 							img->put.contig = putRGBAAcontig16bittile; + 					} +-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++							 img->samplesperpixel >=4 ) + 					{ + 						if (BuildMapBitdepth16To8(img) && + 						    BuildMapUaToAa(img)) + 							img->put.contig = putRGBUAcontig16bittile; + 					} +-					else ++					else if( img->samplesperpixel >=3 ) + 					{ + 						if (BuildMapBitdepth16To8(img)) + 							img->put.contig = putRGBcontig16bittile; +@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) + 			} + 			break; + 		case PHOTOMETRIC_SEPARATED: +-			if (buildMap(img)) { ++			if (img->samplesperpixel >=4 && buildMap(img)) { + 				if (img->bitspersample == 8) { + 					if (!img->Map) + 						img->put.contig = putRGBcontig8bitCMYKtile; +@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) + 			} + 			break; + 		case PHOTOMETRIC_CIELAB: +-			if (buildMap(img)) { ++			if (img->samplesperpixel == 3 && buildMap(img)) { + 				if (img->bitspersample == 8) + 					img->put.contig = initCIELabConversion(img); + 				break; +Index: tiff-4.0.6/ChangeLog +=================================================================== +--- tiff-4.0.6.orig/ChangeLog ++++ tiff-4.0.6/ChangeLog +@@ -1,3 +1,11 @@ ++2015-12-26  Even Rouault <even.rouault at spatialys.com> ++ ++   * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage ++   interface in case of unsupported values of SamplesPerPixel/ExtraSamples ++   for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in ++   TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and ++   CVE-2015-8683 reported by zzf of Alibaba. ++ + 2015-09-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us> +  + 	* libtiff 4.0.6 released. diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index e2e24e0fb2..810a5e4c7d 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb @@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"  SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \             file://libtool2.patch \ +           file://CVE-2015-8665_8683.patch \            "  SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" | 
