summaryrefslogtreecommitdiff
path: root/meta/recipes-multimedia
AgeCommit message (Collapse)AuthorFiles
2017-01-26libpng: Upgrade 1.6.26 -> 1.6.28Maxin B. John1
This upgrade fixes the vulnerability: CVE-2016-10087 License file changes are due to updates in Package Version and Copyright date. ie: 'libpng version 1.6.28, January 5, 2017' Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-26gstreamer1.0-plugins-base: disable ivorbisRoss Burton1
Even old hardware these days doesn't really need fixed-integer Vorbis decoding by default, so disable Tremor out of the box. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-23tremor: Use mirror tarball instead of svn urlRichard Purdie1
This is the only remaining svn url in OE-Core and building subversion-native for things like the url checker is wearing and slows down builds. Since this rarely changes, use the mirror tarball instead. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-23alsa-tools: 1.1.0 -> 1.1.3Tanu Kaskinen2
Drop 0001-Cus428Midi-Explicitly-cast-constant-to-char-type.patch, because the new release has an equivalent fix (and that's actually the only change in the new release). Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-23alsa-utils(-scripts): fix compile on build machines with python-docutils ↵Andreas Müller1
installed Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-23alsa-utils-scripts: update 1.1.2 -> 1.1.3Andreas Müller1
Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-23alsa-utils: update 1.1.2 -> 1.1.3Andreas Müller1
Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-23flac: 1.3.1 -> 1.3.2Tanu Kaskinen1
Changelog: https://xiph.org/flac/changelog.html The license checksum changes are due to simple copyright year updates. Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-23Switch to Recipe Specific SysrootsRichard Purdie2
This patch is comparatively large and invasive. It does only do one thing, switching the system to build using recipe specific sysroots and where changes could be isolated from it, that has been done. With the current single sysroot approach, its possible for software to find things which aren't in their dependencies. This leads to a determinism problem and is a growing issue in several of the market segments where OE makes sense. The way to solve this problem for OE is to have seperate sysroots for each recipe and these will only contain the dependencies for that recipe. Its worth noting that this is not task specific sysroots and that OE's dependencies do vary enormously by task. This did result in some implementation challenges. There is nothing stopping the implementation of task specific sysroots at some later point based on this work but that as deemed a bridge too far right now. Implementation details: * Rather than installing the sysroot artefacts into a combined sysroots, they are now placed in TMPDIR/sysroot-components/PACKAGE_ARCH/PN. * WORKDIR/recipe-sysroot and WORKDIR/recipe-sysroot-native are built by hardlinking in files from the sysroot-component trees. These new directories are known as RECIPE_SYSROOT and RECIPE_SYSROOT_NATIVE. * This construction is primarily done by a new do_prepare_recipe_sysroot task which runs before do_configure and consists of a call to the extend_recipe_sysroot function. * Other tasks need things in the sysroot before/after this, e.g. do_patch needs quilt-native and do_package_write_deb needs dpkg-native. The code therefore inspects the dependencies for each task and adds extend_recipe_sysroot as a prefunc if it has populate_sysroot dependencies. * We have to do a search/replace 'fixme' operation on the files installed into the sysroot to change hardcoded paths into the correct ones. We create a fixmepath file in the component directory which lists the files which need this operation. * Some files have "postinstall" commands which need to run against them, e.g. gdk-pixbuf each time a new loader is added. These are handled by adding files in bindir with the name prefixed by "postinst-" and are run in each sysroot as its created if they're present. This did mean most sstate postinstalls have to be rewritten but there shouldn't be many of them. * Since a recipe can have multiple tasks and these tasks can run against each other at the same time we have to have a lock when we perform write operations against the sysroot. We also have to maintain manifests of what we install against a task checksum of the dependency. If the checksum changes, we remove its files and then add the new ones. * The autotools logic for filtering the view of m4 files is no longer needed (and was the model for the way extend_recipe_sysroot works). * For autotools, we used to build a combined m4 macros directory which had both the native and target m4 files. We can no longer do this so we use the target sysroot as the default and add the native sysroot as an extra backup include path. If we don't do this, we'd have to build target pkg-config before we could built anything using pkg-config for example (ditto gettext). Such dependencies would be painful so we haven't required that. * PKDDATA_DIR was moved out the sysroot and works as before using sstate to build a hybrid copy for each machine. The paths therefore changed, the behaviour did not. * The ccache class had to be reworked to function with rss. * The TCBOOTSTRAP sysroot for compiler bootstrap is no longer needed but the -initial data does have to be filtered out from the main recipe sysroots. Putting "-initial" in a normal recipe name therefore remains a bad idea. * The logic in insane needed tweaks to deal with the new path layout, as did the debug source file extraction code in package.bbclass. * The logic in sstate.bbclass had to be rewritten since it previously only performed search and replace on extracted sstate and we now need this to happen even if the compiled path was "correct". This in theory could cause a mild performance issue but since the sysroot data was the main data that needed this and we'd have to do it there regardless with rss, I've opted just to change the way the class for everything. The built output used to build the sstate output is now retained and installed rather than deleted. * The search and replace logic used in sstate objects also seemed weak/incorrect and didn't hold up against testing. This has been rewritten too. There are some assumptions made about paths, we save the 'proper' search and replace operations to fixmepath.cmd but then ignore this. What is here works but is a little hardcoded and an area for future improvement. * In order to work with eSDK we need a way to build something that looks like the old style sysroot. "bitbake build-sysroots" will construct such a sysroot based on everything in the components directory that matches the current MACHINE. It will allow transition of external tools and can built target or native variants or both. It also supports a clean task. I'd suggest not relying on this for anything other than transitional purposes though. To see XXX in that sysroot, you'd have to have built that in a previous bitbake invocation. * pseudo is run out of its components directory. This is fine as its statically linked. * The hacks for wayland to see allarch dependencies in the multilib case are no longer needed and can be dropped. * wic needed more extensive changes to work with rss and the fixes are in a separate commit series * Various oe-selftest tweaks were needed since tests did assume the location to binaries and the combined sysroot in several cases. * Most missing dependencies this work found have been sent out as separate patches as they were found but a few tweaks are still included here. * A late addition is that extend_recipe_sysroot became multilib aware and able to populate multilib sysroots. I had hoped not to have to add that complexity but the meta-environment recipe forced my hand. That implementation can probably be neater but this is on the list of things to cleanup later at this point. In summary, the impact people will likely see after this change: * Recipes may fail with missing dependencies, particularly native tools like gettext-native, glib-2.0-native and libxml2.0-native. Some hosts have these installed and will mask these errors * Any recipe/class using SSTATEPOSTINSTFUNCS will need that code rewriting into a postinst * There was a separate patch series dealing with roots postinst native dependency issues. Any postinst which expects native tools at rootfs time will need to mark that dependency with PACKAGE_WRITE_DEPS. There could well be other issues. This has been tested repeatedly against our autobuilders and oe-selftest and issues found have been fixed. We believe at least OE-Core is in good shape but that doesn't mean we've found all the issues. Also, the logging is a bit chatty at the moment. It does help if something goes wrong and goes to the task logfiles, not the console so I've intentionally left this like that for now. We can turn it down easily enough in due course. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-19sysprof/gst-player/pcmanfm: Add missing glib-2.0-native DEPENDSRichard Purdie1
These recipes use glib-2.0 NLS tools so we need to depend on glib-2.0-native. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-19gstreamer1.0: make libunwind detection deterministicRoss Burton3
Otherwise libunwind support will be based on the contents of the sysroot, which can cause problems. Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-19gstreamer1.0-plugins-good: fix qtdemux_parse_svq3_stsd_data() memory leakAndre McCurdy2
Backport from 1.11.1 https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=29433495d697e4dcb3bc50ff0e0d866acb949890 Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-19gstreamer1.0-plugins-bad: Backport patches for improving live playbackKhem Raj4
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-09x264: for x32, disable asm and pass -mx32Christopher Larson2
We should probably patch it to stop adding the -m argument to CFLAGS/LDFLAGS in the first place, since we pass it in via CC, but this will do for now. Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-09ffmpeg: disable asm for x32Christopher Larson1
This is the usual way this is handled in desktop distros (see debian, gentoo). I wasn't able to track down a patch to add proper x32 support to ffmpeg. There was, however, a libav patch series which may be worth investigating. Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-09gstreamer1.0-libav: disable asm for x32Christopher Larson1
The included libav lacks support for x32, so disable the assembly optimizations. Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-09meta: use require instead of include when file should existPaul Eggleton15
If the file is expected to exist, then we should always be using require so that if it doesn't we get an error rather than some other more obscure failure later on. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-22gstreamer: Upgrade to 1.10.2Khem Raj12
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-22gstreamer1.0-libav: Fix build on mips64Khem Raj2
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-22x264: Fix build on mips architecturesKhem Raj1
Disable asm to fix | You specified a pre-MSA CPU in your CFLAGS. | If you really want to run on such a CPU, configure with --disable-asm. Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-17gstreamer1.0-plugins-bad: default to using eglNicolas Dechesne1
With the current set of PACKAGECONFIG, we end up building with 'gles2' and neither 'opengl', nor 'egl'. As a result we are building -bad with neither 'glx' nor 'egl' platform support. So let's make sure that we at least have egl by default (since we default to 'gles2'). (From OE-Core rev: 4de8447c6536385ca134866682709efebf7d4e3d) Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-17ffmpeg: update to 3.2.2Alexander Kanavin1
(From OE-Core rev: b9b50814dfb40f8d124be736f7af9ed4d69bc6b3) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-16meta: remove True option to getVar callsJoshua Lock3
getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-13libtiff: Update to 4.0.7Armin Kuster20
Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos. CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632 plus more that are not identified in the changelog. removed patches integrated into update. more info: http://libtiff.maptools.org/v4.0.7.html Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-13gstreamer-vaapi-1.0: check for "opengl" featureIsmo Puustinen1
If "opengl" distro feature is not set, libva recipe is skipped. Since missing libva breaks gstreamer-vaapi-1.0 build, the same check has to be done in gstreamer-vaapi-1.0 recipe too. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-13gstreamer1.0-vaapi: Import from meta-intelKhem Raj3
Update to 1.10.1 at the same time Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-13gstreamer1.0-rtsp-server: Add libcheck to depsKhem Raj1
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-13gstreamer1.0-plugins-bad: Define and use WAYLAND_PROTOCOLS_SYSROOT_DIR for ↵Khem Raj3
output of pkg-config When configure pokes for wayland-protocols isntallations it ended up using the ones from host, which is because it did not account for sysroot prefix Remove MACHINE from variable reference tracking to avoid unnessary rebuilds for different machine with same arch Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-13gstreamer1.0: Upgrade to 1.10.1Khem Raj19
Remove backported patches and upstreamed ones Drop --disable-trace its no more in 1.10.x Add packageconfig option for kms, keep it disabled by default in bad plugins recipe Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-13tiff: set CVE_PRODUCTRoss Burton1
This is 'libtiff' in NVD. Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08ffmpeg: disable unsupported extensions on mips32r1Andreas Oberritter1
| Warning: the `dsp' extension requires MIPS32 revision 2 or greater | Warning: the `dspr2' extension requires MIPS32 revision 2 or greater Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08tiff: Fix several CVE issuesMingli Yu2
Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537 External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9533 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9534 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9536 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9537 Patch from: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08tiff: Security fix CVE-2016-9538Mingli Yu2
* tools/tiffcrop.c: fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538 Patch from: https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08tiff: Security fix CVE-2016-9535Mingli Yu3
* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535 Patch from: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-08tiff: set CVE NAMERoss Burton1
2016-12-07ffmpeg: Add packageconfig for vdpau accelarationKhem Raj1
Fixes dangling dependency QA issue WARNING: ffmpeg-3.2.1-r0 do_package_qa: QA Issue: libavutil rdepends on libvdpau, but it isn't a build dependency, missing libvdpau in DEPENDS or PACKAGECONFIG? [build-deps] Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30ffmpeg: update to 3.2.1Alexander Kanavin1
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30tiff: Security fix CVE-2016-9539Zhixiong Chi2
tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9539 Patch from: https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30tiff: Security fix CVE-2016-9540Zhixiong Chi2
tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9540 Patch from: https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-23tiff: Security fix CVE-2016-3632Yi Zhao2
CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632 http://bugzilla.maptools.org/show_bug.cgi?id=2549 https://bugzilla.redhat.com/show_bug.cgi?id=1325095 The patch is from RHEL7. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-23tiff: Security fix CVE-2016-3658Zhixiong Chi2
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658 http://bugzilla.maptools.org/show_bug.cgi?id=2546 Patch from: https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-15x264: Update to latest on stable branchKhem Raj2
- unexport AS variable - Switch URI to use github mirror for reliabality - Disable openCL code, its not used - TEXTRELs are fixed, therefore dont skip QA check Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06libsamplerate0: clean up dependenciesTanu Kaskinen2
The flac dependency was completely bogus. Flac isn't used at all. FFTW is only used by tests, so we don't need to provide a packageconfig for that. ALSA is only used by example code that isn't part of the packaged files, so even if ALSA is enabled, it doesn't affect the build result. Nevertheless, I prefer to disable it explicitly to be extra sure. --disable-alsa resulted in a warning about an unsupported configure option, although by some magic it seemed to actually work as expected. A patch is added to get rid of that warning. Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06libsamplerate0: 0.1.8 -> 0.1.9Tanu Kaskinen1
The license has changed to BSD as explained here: http://www.mega-nerd.com/SRC/license.html Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06libpng: Upgrade 1.6.24 -> 1.6.25Maxin B. John1
License file changes are due to updates in Version and Copyright date Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06ffmpeg: update to 3.2Alexander Kanavin1
Drop faac package config as upstream ./configure doesn't have it anymore. Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06tiff: Security fix CVE-2016-3622Yi Zhao2
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622 http://www.openwall.com/lists/oss-security/2016/04/07/4 Patch from: https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06tiff: Security fix CVE-2016-3623Yi Zhao2
CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623 http://bugzilla.maptools.org/show_bug.cgi?id=2569 Patch from: https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06tiff: Security fix CVE-2016-3991Yi Zhao2
CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3991 http://bugzilla.maptools.org/show_bug.cgi?id=2543 Patch from: https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06tiff: Security fix CVE-2016-3990Yi Zhao2
CVE-2016-3990 libtiff: Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3990 http://bugzilla.maptools.org/show_bug.cgi?id=2544 Patch from: https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>