Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
new file mode 100644
index 0000000000..977dbf6c87
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
@@ -0,0 +1,67 @@
+From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 4 Nov 2016 09:19:13 +0000
+Subject: [PATCH 2/2] Fix CVE-2016-9535
+* libtiff/tif_predic.c: fix memory leaks in error code
+ paths added in previous commit (fix for MSVR 35105)
+
+CVE: CVE-2016-9535
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
+
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+
+---
+ libtiff/tif_predict.c | 8 ++++++--
+ 1 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index b829259..3f42f3b 100644
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+ tmsize_t wc = cc / bps;
+ tmsize_t count = cc;
+ uint8 *cp = (uint8 *) cp0;
+- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
++ uint8 *tmp;
+
+ if(cc%(bps*stride)!=0)
+ {
+@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+ return 0;
+ }
+
++ tmp = (uint8 *)_TIFFmalloc(cc);
+ if (!tmp)
+ return 0;
+
+@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+ tmsize_t wc = cc / bps;
+ tmsize_t count;
+ uint8 *cp = (uint8 *) cp0;
+- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
++ uint8 *tmp;
+
+ if((cc%(bps*stride))!=0)
+ {
+@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+ "%s", "(cc%(bps*stride))!=0");
+ return 0;
+ }
++
++ tmp = (uint8 *)_TIFFmalloc(cc);
+ if (!tmp)
+ return 0;
+
+@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
+ {
+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
+ "%s", "(cc0%rowsize)!=0");
++ _TIFFfree( working_copy );
+ return 0;
+ }
+ while (cc > 0) {
+--
+2.9.3
+ |
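Review bot: The embedded patch header reads `1 files changed, 11 insertions(+), 2 deletions(-)`, but the five hunks under it add six lines and remove two, which is what the `8 ++++++--` bar on the preceding line says. `patch` ignores the summary, yet for a CVE backport it is worth confirming that the hunks are byte-identical to upstream commit 6a984bf7905c6621281588431f384e79d11a2e33 and that only the header was edited by hand. The change itself only moves the `_TIFFmalloc(cc)` calls in fpAcc and fpDiff behind the `cc%(bps*stride)` check and frees `working_copy` on the PredictorEncodeTile error return, so by its own description it depends on the error paths added by the 1/2 patch. The recipe's SRC_URI is not shown here; it should list that patch before this one.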