diff options
| -rw-r--r-- | meta/recipes-multimedia/libtiff/files/libtiff-CVE-2017-5225.patch | 92 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.7.bb | 1 |
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2017-5225.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2017-5225.patch new file mode 100644 index 0000000000..3263353a75 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2017-5225.patch @@ -0,0 +1,92 @@ +From a24df1e93833dfeaa69bf4d510518dc4684db64d Mon Sep 17 00:00:00 2001 +From: Li Zhou <li.zhou@windriver.com> +Date: Wed, 25 Jan 2017 17:07:21 +0800 +Subject: [PATCH] libtiff: fix CVE-2017-5225 + +tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow +and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based +overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and +http://bugzilla.maptools.org/show_bug.cgi?id=2657 + +Upstream-Status: Backport +CVE: CVE-2017-5225 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + ChangeLog | 7 +++++++ + tools/tiffcp.c | 24 ++++++++++++++++++++++-- + 2 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 9b9d397..7e82795 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,10 @@ ++2017-01-11 Even Rouault <even.rouault at spatialys.com> ++ ++ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and ++ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. ++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and ++ http://bugzilla.maptools.org/show_bug.cgi?id=2657 ++ + 2016-11-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> + + * libtiff 4.0.7 released. +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 338a3d1..2e84577 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -592,7 +592,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16); + static int + tiffcp(TIFF* in, TIFF* out) + { +- uint16 bitspersample, samplesperpixel = 1; ++ uint16 bitspersample = 1, samplesperpixel = 1; + uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; + copyFunc cf; + uint32 width, length; +@@ -1068,6 +1068,16 @@ DECLAREcpFunc(cpContig2SeparateByRow) + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpContig2SeparateByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1121,6 +1131,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow) + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpSeparate2ContigByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1763,7 +1783,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel) + uint32 w, l, tw, tl; + int bychunk; + +- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); ++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); + if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { + fprintf(stderr, + "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", +-- +1.9.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 729678208f..e58173604e 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb @@ -6,6 +6,7 @@ CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ + file://libtiff-CVE-2017-5225.patch \ " SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" |