diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch')
| -rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch new file mode 100644 index 0000000000..380dfcbbba --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch @@ -0,0 +1,98 @@ +From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Wed, 11 Jan 2017 19:02:49 +0000 +Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add + _TIFFcalloc() + +* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero +initialize tif_rawdata. +Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 + +Upstream-Status: Backport + +CVE: CVE-2017-7593 +Signed-off-by: Rajkumar Veer <rveer@mvista.com> +Index: tiff-4.0.7/ChangeLog +=================================================================== +--- tiff-4.0.7.orig/ChangeLog 2017-04-25 19:03:20.584155452 +0530 ++++ tiff-4.0.7/ChangeLog 2017-04-26 12:09:41.986866896 +0530 +@@ -44,6 +44,14 @@ + + 2017-01-11 Even Rouault <even.rouault at spatialys.com> + ++ * libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc() ++ ++ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero ++ initialize tif_rawdata. ++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 ++ ++2017-01-11 Even Rouault <even.rouault at spatialys.com> ++ + * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to + avoid UndefinedBehaviorSanitizer warning. + Patch by Nicolas Pena. +Index: tiff-4.0.7/libtiff/tif_read.c +=================================================================== +--- tiff-4.0.7.orig/libtiff/tif_read.c 2017-04-25 19:03:20.584155452 +0530 ++++ tiff-4.0.7/libtiff/tif_read.c 2017-04-26 12:11:42.814863729 +0530 +@@ -986,7 +986,9 @@ + "Invalid buffer size"); + return (0); + } +- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize); ++ /* Initialize to zero to avoid uninitialized buffers in case of */ ++ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */ ++ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); + tif->tif_flags |= TIFF_MYBUFFER; + } + if (tif->tif_rawdata == NULL) { +Index: tiff-4.0.7/libtiff/tif_unix.c +=================================================================== +--- tiff-4.0.7.orig/libtiff/tif_unix.c 2015-08-29 03:46:22.707817041 +0530 ++++ tiff-4.0.7/libtiff/tif_unix.c 2017-04-26 12:13:07.442861510 +0530 +@@ -316,6 +316,14 @@ + return (malloc((size_t) s)); + } + ++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) ++{ ++ if( nmemb == 0 || siz == 0 ) ++ return ((void *) NULL); ++ ++ return calloc((size_t) nmemb, (size_t)siz); ++} ++ + void + _TIFFfree(void* p) + { +Index: tiff-4.0.7/libtiff/tif_win32.c +=================================================================== +--- tiff-4.0.7.orig/libtiff/tif_win32.c 2015-08-29 03:46:22.730570169 +0530 ++++ tiff-4.0.7/libtiff/tif_win32.c 2017-04-26 12:14:12.918859794 +0530 +@@ -360,6 +360,14 @@ + return (malloc((size_t) s)); + } + ++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) ++{ ++ if( nmemb == 0 || siz == 0 ) ++ return ((void *) NULL); ++ ++ return calloc((size_t) nmemb, (size_t)siz); ++} ++ + void + _TIFFfree(void* p) + { +Index: tiff-4.0.7/libtiff/tiffio.h +=================================================================== +--- tiff-4.0.7.orig/libtiff/tiffio.h 2016-01-24 21:09:51.894442042 +0530 ++++ tiff-4.0.7/libtiff/tiffio.h 2017-04-26 12:15:55.034857117 +0530 +@@ -293,6 +293,7 @@ + */ + + extern void* _TIFFmalloc(tmsize_t s); ++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); + extern void* _TIFFrealloc(void* p, tmsize_t s); + extern void _TIFFmemset(void* p, int v, tmsize_t c); + extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); |