From aa1dc0afd99970f474f38a671e6c49aa2090fbe3 Mon Sep 17 00:00:00 2001 From: Rajkumar Veer Date: Fri, 3 Nov 2017 21:49:23 -0700 Subject: tiff: Security fix CVE-2016-10266 Signed-off-by: Rajkumar Veer Signed-off-by: Armin Kuster --- .../libtiff/files/CVE-2016-10266.patch | 60 ++++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.7.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch new file mode 100644 index 0000000000..e1c90c630c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch @@ -0,0 +1,60 @@ +From 1855407c4e5a27ade006b26c2dec8a31745c356e Mon Sep 17 00:00:00 2001 +From: erouault +Date: Fri, 2 Dec 2016 21:56:56 +0000 +Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow + in TIFFReadEncodedStrip() that caused an integer division by zero. Reported + by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 + +Upstream-Status: Backport + +CVE: CVE-2016-10266 +Signed-off-by: Rajkumar Veer +--- + ChangeLog | 7 +++++++ + libtiff/tif_read.c | 2 +- + libtiff/tiffiop.h | 4 ++++ + 3 files changed, 12 insertions(+), 1 deletion(-) + +Index: tiff-4.0.7/ChangeLog +=================================================================== +--- tiff-4.0.7.orig/ChangeLog ++++ tiff-4.0.7/ChangeLog +@@ -1,3 +1,10 @@ ++2016-12-02 Even Rouault ++ ++ * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in ++ TIFFReadEncodedStrip() that caused an integer division by zero. ++ Reported by Agostino Sarubbo. ++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 ++ + 2017-07-15 Even Rouault + + * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" +Index: tiff-4.0.7/libtiff/tif_read.c +=================================================================== +--- tiff-4.0.7.orig/libtiff/tif_read.c ++++ tiff-4.0.7/libtiff/tif_read.c +@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 s + rowsperstrip=td->td_rowsperstrip; + if (rowsperstrip>td->td_imagelength) + rowsperstrip=td->td_imagelength; +- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); ++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); + stripinplane=(strip%stripsperplane); + plane=(uint16)(strip/stripsperplane); + rows=td->td_imagelength-stripinplane*rowsperstrip; +Index: tiff-4.0.7/libtiff/tiffiop.h +=================================================================== +--- tiff-4.0.7.orig/libtiff/tiffiop.h ++++ tiff-4.0.7/libtiff/tiffiop.h +@@ -250,6 +250,10 @@ struct tiff { + #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ + ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ + 0U) ++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ ++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ ++#define TIFFhowmany_32_maxuint_compat(x, y) \ ++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) + #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) + #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) + #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 9432074d5a..cb7c4949cd 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb @@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2016-10271.patch \ file://CVE-2016-10093.patch \ file://CVE-2016-10268.patch \ + file://CVE-2016-10266.patch \ " SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" -- cgit 1.2.3-korg