From fa7fac56be40fdb519d426e9465436415e3f5527 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 29 Jan 2016 17:39:36 -0800 Subject: tiff: Security fix CVE-2015-8781 CVE-2015-8781 libtiff: out-of-bounds writes for invalid images (From OE-Core master rev: 29c80024bdb67477dae47d8fb903feda2efe75d4) minor tweek to get Changelog changes to apply Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Signed-off-by: Joshua Lock --- .../libtiff/files/CVE-2015-8781.patch | 196 +++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 4 +- 2 files changed, 199 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch new file mode 100644 index 0000000000..c148add5d1 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch @@ -0,0 +1,196 @@ +From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 27 Dec 2015 16:25:11 +0000 +Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in + decode functions in non debug builds by replacing assert()s by regular if + checks (bugzilla #2522). Fix potential out-of-bound reads in case of short + input data. + +Upstream-Status: Backport + +https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 +hand applied Changelog changes + +CVE: CVE-2015-8781 + +Signed-off-by: Armin Kuster +--- + ChangeLog | 7 +++++++ + libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- + 2 files changed, 51 insertions(+), 11 deletions(-) + +Index: tiff-4.0.3/libtiff/tif_luv.c +=================================================================== +--- tiff-4.0.3.orig/libtiff/tif_luv.c ++++ tiff-4.0.3/libtiff/tif_luv.c +@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz + if (sp->user_datafmt == SGILOGDATAFMT_16BIT) + tp = (int16*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (int16*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 2*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ +- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ if( cc < 2 ) ++ break; ++ rc = *bp++ + (2-128); + b = (int16)(*bp++ << shft); + cc -= 2; + while (rc-- && i < npixels) +@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz + while (--cc && rc-- && i < npixels) + tp[i++] |= (int16)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32 *)op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32 *) sp->tbuf; + } + /* copy to array of uint32 */ + bp = (unsigned char*) tif->tif_rawcp; + cc = tif->tif_rawcc; +- for (i = 0; i < npixels && cc > 0; i++) { ++ for (i = 0; i < npixels && cc >= 3; i++) { + tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; + bp += 3; + cc -= 3; +@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 4*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ ++ if( cc < 2 ) ++ break; + rc = *bp++ + (2-128); + b = (uint32)*bp++ << shft; +- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ cc -= 2; + while (rc-- && i < npixels) + tp[i++] |= b; + } else { /* non-run */ +@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms + while (--cc && rc-- && i < npixels) + tp[i++] |= (uint32)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t + static int + LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogL16Encode"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz + tp = (int16*) bp; + else { + tp = (int16*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ +@@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz + static int + LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode24"; + LogLuvState* sp = EncoderState(tif); + tmsize_t i; + tmsize_t npixels; +@@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* write out encoded pixels */ +@@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms + static int + LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode32"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ +Index: tiff-4.0.3/ChangeLog +=================================================================== +--- tiff-4.0.3.orig/ChangeLog ++++ tiff-4.0.3/ChangeLog +@@ -1,3 +1,11 @@ ++2015-12-27 Even Rouault ++ ++ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode ++ functions in non debug builds by replacing assert()s by regular if ++ checks (bugzilla #2522). ++ Fix potential out-of-bound reads in case of short input data. ++ ++ + 2012-09-22 Bob Friesenhahn + + * libtiff 4.0.3 released. diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb index b7d1129ad6..070065b188 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb @@ -11,7 +11,9 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ file://libtiff-CVE-2013-4243.patch \ file://libtiff-CVE-2013-4244.patch \ file://libtiff-CVE-2013-4231.patch \ - file://tiff-CVE-2012-4564.patch " + file://tiff-CVE-2012-4564.patch \ + file://CVE-2015-8781.patch \ + " SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" -- cgit 1.2.3-korg