From ff3904dec584daf627c267bf639d69aca13a1227 Mon Sep 17 00:00:00 2001
From: Rajkumar Veer <rveer@mvista.com>
Date: Fri, 3 Nov 2017 22:35:09 -0700
Subject: tiff: Security fix for CVE-2017-7593

Signed-off-by: Rajkumar Veer <rveer@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../libtiff/files/CVE-2017-7593.patch              | 98 ++++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.7.bb      |  1 +
 2 files changed, 99 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
new file mode 100644
index 0000000000..380dfcbbba
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
@@ -0,0 +1,98 @@
+From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 19:02:49 +0000
+Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+ _TIFFcalloc()
+
+* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+initialize tif_rawdata.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7593
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog	2017-04-25 19:03:20.584155452 +0530
++++ tiff-4.0.7/ChangeLog	2017-04-26 12:09:41.986866896 +0530
+@@ -44,6 +44,14 @@
+ 
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ 
++	* libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc()
++
++	* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
++	initialize tif_rawdata.
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
++
++2017-01-11 Even Rouault <even.rouault at spatialys.com>
++
+ 	* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
+ 	avoid UndefinedBehaviorSanitizer warning.
+ 	Patch by Nicolas Pena.
+Index: tiff-4.0.7/libtiff/tif_read.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_read.c	2017-04-25 19:03:20.584155452 +0530
++++ tiff-4.0.7/libtiff/tif_read.c	2017-04-26 12:11:42.814863729 +0530
+@@ -986,7 +986,9 @@
+ 				 "Invalid buffer size");
+ 		    return (0);
+ 		}
+-		tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++                /* Initialize to zero to avoid uninitialized buffers in case of */
++                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++                tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ 		tif->tif_flags |= TIFF_MYBUFFER;
+ 	}
+ 	if (tif->tif_rawdata == NULL) {
+Index: tiff-4.0.7/libtiff/tif_unix.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_unix.c	2015-08-29 03:46:22.707817041 +0530
++++ tiff-4.0.7/libtiff/tif_unix.c	2017-04-26 12:13:07.442861510 +0530
+@@ -316,6 +316,14 @@
+ 	return (malloc((size_t) s));
+ }
+ 
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb == 0 || siz == 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+Index: tiff-4.0.7/libtiff/tif_win32.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_win32.c	2015-08-29 03:46:22.730570169 +0530
++++ tiff-4.0.7/libtiff/tif_win32.c	2017-04-26 12:14:12.918859794 +0530
+@@ -360,6 +360,14 @@
+ 	return (malloc((size_t) s));
+ }
+ 
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb == 0 || siz == 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+Index: tiff-4.0.7/libtiff/tiffio.h
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tiffio.h	2016-01-24 21:09:51.894442042 +0530
++++ tiff-4.0.7/libtiff/tiffio.h	2017-04-26 12:15:55.034857117 +0530
+@@ -293,6 +293,7 @@
+  */
+ 
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 126cad13fd..866e8526ec 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2017-7598.patch \
            file://CVE-2017-7601.patch \
            file://CVE-2017-7602.patch \
+           file://CVE-2017-7593.patch \
         "
 
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
-- 
cgit 1.2.3-korg