diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch')
| -rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch deleted file mode 100644 index 1d9be423a7..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch +++ /dev/null @@ -1,60 +0,0 @@ -From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Fri, 14 Oct 2016 19:13:20 +0000 -Subject: [PATCH ] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes - in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet - & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. - -CVE: CVE-2016-9539 - -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 - -Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> - ---- - ChangeLog | 6 ++++++ - tools/tiffcrop.c | 11 ++++++++++- - 2 files changed, 16 insertions(+), 1 deletion(-) - -Index: tiff-4.0.6/ChangeLog -=================================================================== ---- tiff-4.0.6.orig/ChangeLog 2016-11-28 14:56:32.109283913 +0800 -+++ tiff-4.0.6/ChangeLog 2016-11-28 16:36:01.805325534 +0800 -@@ -17,6 +17,12 @@ - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 - (CVE-2014-8127, duplicate: CVE-2016-3658) - -+2016-10-14 Even Rouault <even.rouault at spatialys.com> -+ -+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in -+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet -+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. -+ - 2016-10-08 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd -Index: tiff-4.0.6/tools/tiffcrop.c -=================================================================== ---- tiff-4.0.6.orig/tools/tiffcrop.c 2016-11-28 14:56:31.433283908 +0800 -+++ tiff-4.0.6/tools/tiffcrop.c 2016-11-28 16:42:13.793328128 +0800 -@@ -819,9 +819,18 @@ - } - } - -- tilebuf = _TIFFmalloc(tile_buffsize); -+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */ -+ if( tile_buffsize > 0xFFFFFFFFU - 3 ) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); -+ exit(-1); -+ } -+ tilebuf = _TIFFmalloc(tile_buffsize + 3); - if (tilebuf == 0) - return 0; -+ tilebuf[tile_buffsize] = 0; -+ tilebuf[tile_buffsize+1] = 0; -+ tilebuf[tile_buffsize+2] = 0; - - dst_rowsize = ((imagewidth * bps * spp) + 7) / 8; - for (row = 0; row < imagelength; row += tl) |