From 9600bca011fe5fd2837606ab05e64325b3f12114 Mon Sep 17 00:00:00 2001 From: Rajkumar Veer Date: Fri, 3 Nov 2017 22:18:19 -0700 Subject: tiff: Security fix for CVE-2016-10270 Signed-off-by: Rajkumar Veer Signed-off-by: Armin Kuster --- .../libtiff/files/CVE-2016-10270.patch | 134 +++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.7.bb | 1 + 2 files changed, 135 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch new file mode 100644 index 0000000000..43ad6eda9f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch @@ -0,0 +1,134 @@ +From 6e7042c61e300cf9971c645c79d05de974b24308 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sat, 3 Dec 2016 11:02:15 +0000 +Subject: [PATCH 3/4] * libtiff/tif_dirread.c: modify + ChopUpSingleUncompressedStrip() to instanciate compute ntrips as + TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on + the total size of data. Which is faulty is the total size of data is not + sufficient to fill the whole image, and thus results in reading outside of + the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported + by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. + +* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done +for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since +the above change is a better fix that makes it unnecessary. + +Upstream-Status: Backport + +CVE: CVE-2016-10270 +Signed-off-by: Rajkumar Veer +--- + ChangeLog | 15 +++++++++++++++ + libtiff/tif_dirread.c | 22 ++++++++++------------ + libtiff/tif_strip.c | 9 --------- + 3 files changed, 25 insertions(+), 21 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 0a2c2a7..6e30e41 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,20 @@ + 2016-12-03 Even Rouault + ++ * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to ++ instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), ++ instead of a logic based on the total size of data. Which is faulty is ++ the total size of data is not sufficient to fill the whole image, and thus ++ results in reading outside of the StripByCounts/StripOffsets arrays when ++ using TIFFReadScanline(). ++ Reported by Agostino Sarubbo. ++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. ++ ++ * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done ++ for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since ++ the above change is a better fix that makes it unnecessary. ++ ++2016-12-03 Even Rouault ++ + * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer + overflow on generation of PixarLog / LUV compressed files, with + ColorMap, TransferFunction attached and nasty plays with bitspersample. +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 3eec79c..570d0c3 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + uint64 rowblockbytes; + uint64 stripbytes; + uint32 strip; +- uint64 nstrips64; +- uint32 nstrips32; ++ uint32 nstrips; + uint32 rowsperstrip; + uint64* newcounts; + uint64* newoffsets; +@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + return; + + /* +- * never increase the number of strips in an image ++ * never increase the number of rows per strip + */ + if (rowsperstrip >= td->td_rowsperstrip) + return; +- nstrips64 = TIFFhowmany_64(bytecount, stripbytes); +- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ +- return; +- nstrips32 = (uint32)nstrips64; ++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); ++ if( nstrips == 0 ) ++ return; + +- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), ++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); +- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), ++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripOffsets\" array"); + if (newcounts == NULL || newoffsets == NULL) { + /* +@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + * Fill the strip information arrays with new bytecounts and offsets + * that reflect the broken-up format. + */ +- for (strip = 0; strip < nstrips32; strip++) { ++ for (strip = 0; strip < nstrips; strip++) { + if (stripbytes > bytecount) + stripbytes = bytecount; + newcounts[strip] = stripbytes; +- newoffsets[strip] = offset; ++ newoffsets[strip] = stripbytes ? offset : 0; + offset += stripbytes; + bytecount -= stripbytes; + } + /* + * Replace old single strip info with multi-strip info. + */ +- td->td_stripsperimage = td->td_nstrips = nstrips32; ++ td->td_stripsperimage = td->td_nstrips = nstrips; + TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + + _TIFFfree(td->td_stripbytecount); +diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c +index 4c46ecf..1676e47 100644 +--- a/libtiff/tif_strip.c ++++ b/libtiff/tif_strip.c +@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif) + TIFFDirectory *td = &tif->tif_dir; + uint32 nstrips; + +- /* If the value was already computed and store in td_nstrips, then return it, +- since ChopUpSingleUncompressedStrip might have altered and resized the +- since the td_stripbytecount and td_stripoffset arrays to the new value +- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in +- tif_dirread.c ~line 3612. +- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ +- if( td->td_nstrips ) +- return td->td_nstrips; +- + nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : + TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); + if (td->td_planarconfig == PLANARCONFIG_SEPARATE) +-- +1.9.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 0878e0014a..4efe4c2db6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb @@ -17,6 +17,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2016-10266.patch \ file://CVE-2016-10267.patch \ file://CVE-2016-10269.patch \ + file://CVE-2016-10270.patch \ " SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" -- cgit 1.2.3-korg