diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-multimedia/libtiff')
7 files changed, 592 insertions, 2 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch new file mode 100644 index 000000000..39c5059c7 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch @@ -0,0 +1,137 @@ +From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sat, 26 Dec 2015 17:32:03 +0000 +Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in + TIFFRGBAImage interface in case of unsupported values of + SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to + TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by + limingxing and CVE-2015-8683 reported by zzf of Alibaba. + +Upstream-Status: Backport +CVE: CVE-2015-8665 +CVE: CVE-2015-8683 +https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 8 ++++++++ + libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- + 2 files changed, 30 insertions(+), 13 deletions(-) + +Index: tiff-4.0.6/libtiff/tif_getimage.c +=================================================================== +--- tiff-4.0.6.orig/libtiff/tif_getimage.c ++++ tiff-4.0.6/libtiff/tif_getimage.c +@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 + "Planarconfiguration", td->td_planarconfig); + return (0); + } +- if( td->td_samplesperpixel != 3 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d", +- "Samples/pixel", td->td_samplesperpixel); ++ "Sorry, can not handle image with %s=%d, %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels); + return 0; + } + break; + case PHOTOMETRIC_CIELAB: +- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d and %s=%d", ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels, + "Bits/sample", td->td_bitspersample); + return 0; + } +@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T + int colorchannels; + uint16 *red_orig, *green_orig, *blue_orig; + int n_color; ++ ++ if( !TIFFRGBAImageOK(tif, emsg) ) ++ return 0; + + /* Initialize to normal values */ + img->row_offset = 0; +@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) + case PHOTOMETRIC_RGB: + switch (img->bitspersample) { + case 8: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >= 4) + img->put.contig = putRGBAAcontig8bittile; +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >= 4) + { + if (BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig8bittile; + } +- else ++ else if( img->samplesperpixel >= 3 ) + img->put.contig = putRGBcontig8bittile; + break; + case 16: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBAAcontig16bittile; + } +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img) && + BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig16bittile; + } +- else ++ else if( img->samplesperpixel >=3 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBcontig16bittile; +@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_SEPARATED: +- if (buildMap(img)) { ++ if (img->samplesperpixel >=4 && buildMap(img)) { + if (img->bitspersample == 8) { + if (!img->Map) + img->put.contig = putRGBcontig8bitCMYKtile; +@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_CIELAB: +- if (buildMap(img)) { ++ if (img->samplesperpixel == 3 && buildMap(img)) { + if (img->bitspersample == 8) + img->put.contig = initCIELabConversion(img); + break; +Index: tiff-4.0.6/ChangeLog +=================================================================== +--- tiff-4.0.6.orig/ChangeLog ++++ tiff-4.0.6/ChangeLog +@@ -1,3 +1,11 @@ ++2015-12-26 Even Rouault <even.rouault at spatialys.com> ++ ++ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage ++ interface in case of unsupported values of SamplesPerPixel/ExtraSamples ++ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in ++ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and ++ CVE-2015-8683 reported by zzf of Alibaba. ++ + 2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> + + * libtiff 4.0.6 released. diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch new file mode 100644 index 000000000..0846f0f68 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch @@ -0,0 +1,195 @@ +From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 27 Dec 2015 16:25:11 +0000 +Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in + decode functions in non debug builds by replacing assert()s by regular if + checks (bugzilla #2522). Fix potential out-of-bound reads in case of short + input data. + +Upstream-Status: Backport + +https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 +hand applied Changelog changes + +CVE: CVE-2015-8781 + +Signed-off-by: Armin Kuster <akuster@mvista.com> +--- + ChangeLog | 7 +++++++ + libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- + 2 files changed, 51 insertions(+), 11 deletions(-) + +Index: tiff-4.0.4/ChangeLog +=================================================================== +--- tiff-4.0.4.orig/ChangeLog ++++ tiff-4.0.4/ChangeLog +@@ -1,3 +1,10 @@ ++2015-12-27 Even Rouault <even.rouault at spatialys.com> ++ ++ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode ++ functions in non debug builds by replacing assert()s by regular if ++ checks (bugzilla #2522). ++ Fix potential out-of-bound reads in case of short input data. ++ + 2015-12-26 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage +Index: tiff-4.0.4/libtiff/tif_luv.c +=================================================================== +--- tiff-4.0.4.orig/libtiff/tif_luv.c ++++ tiff-4.0.4/libtiff/tif_luv.c +@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz + if (sp->user_datafmt == SGILOGDATAFMT_16BIT) + tp = (int16*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (int16*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 2*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ +- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ if( cc < 2 ) ++ break; ++ rc = *bp++ + (2-128); + b = (int16)(*bp++ << shft); + cc -= 2; + while (rc-- && i < npixels) +@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz + while (--cc && rc-- && i < npixels) + tp[i++] |= (int16)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32 *)op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32 *) sp->tbuf; + } + /* copy to array of uint32 */ + bp = (unsigned char*) tif->tif_rawcp; + cc = tif->tif_rawcc; +- for (i = 0; i < npixels && cc > 0; i++) { ++ for (i = 0; i < npixels && cc >= 3; i++) { + tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; + bp += 3; + cc -= 3; +@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 4*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ ++ if( cc < 2 ) ++ break; + rc = *bp++ + (2-128); + b = (uint32)*bp++ << shft; +- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ cc -= 2; + while (rc-- && i < npixels) + tp[i++] |= b; + } else { /* non-run */ +@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms + while (--cc && rc-- && i < npixels) + tp[i++] |= (uint32)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t + static int + LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogL16Encode"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz + tp = (int16*) bp; + else { + tp = (int16*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ +@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz + static int + LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode24"; + LogLuvState* sp = EncoderState(tif); + tmsize_t i; + tmsize_t npixels; +@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* write out encoded pixels */ +@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms + static int + LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode32"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch new file mode 100644 index 000000000..0caf800e2 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch @@ -0,0 +1,73 @@ +From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 27 Dec 2015 16:55:20 +0000 +Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in + NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif + (bugzilla #2508) + +Upstream-Status: Backport +https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c +hand applied Changelog changes + +CVE: CVE-2015-8784 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 6 ++++++ + libtiff/tif_next.c | 10 ++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +Index: tiff-4.0.4/ChangeLog +=================================================================== +--- tiff-4.0.4.orig/ChangeLog ++++ tiff-4.0.4/ChangeLog +@@ -1,5 +1,11 @@ + 2015-12-27 Even Rouault <even.rouault at spatialys.com> + ++ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() ++ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif ++ (bugzilla #2508) ++ ++2015-12-27 Even Rouault <even.rouault at spatialys.com> ++ + * libtiff/tif_luv.c: fix potential out-of-bound writes in decode + functions in non debug builds by replacing assert()s by regular if + checks (bugzilla #2522). +Index: tiff-4.0.4/libtiff/tif_next.c +=================================================================== +--- tiff-4.0.4.orig/libtiff/tif_next.c ++++ tiff-4.0.4/libtiff/tif_next.c +@@ -37,7 +37,7 @@ + case 0: op[0] = (unsigned char) ((v) << 6); break; \ + case 1: op[0] |= (v) << 4; break; \ + case 2: op[0] |= (v) << 2; break; \ +- case 3: *op++ |= (v); break; \ ++ case 3: *op++ |= (v); op_offset++; break; \ + } \ + } + +@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize + uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; ++ tmsize_t op_offset = 0; + + /* + * The scanline is composed of a sequence of constant +@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize + * bounds, potentially resulting in a security + * issue. + */ +- while (n-- > 0 && npixels < imagewidth) ++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) + SETPIXEL(op, grey); + if (npixels >= imagewidth) + break; ++ if (op_offset >= scanline ) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", ++ (long) tif->tif_row); ++ return (0); ++ } + if (cc == 0) + goto bad; + n = *bp++, cc--; diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch new file mode 100644 index 000000000..4a08aba21 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch @@ -0,0 +1,24 @@ +Buffer overflow in the readextension function in gif2tiff.c +allows remote attackers to cause a denial of service via a crafted GIF file. + +External References: +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186 +https://bugzilla.redhat.com/show_bug.cgi?id=1319503 + +CVE: CVE-2016-3186 +Upstream-Status: Backport (RedHat) +https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff + +Signed-off-by: Yi Zhao <yi.zhao@windirver.com> + +--- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200 ++++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200 +@@ -349,7 +349,7 @@ + int status = 1; + + (void) getc(infile); +- while ((count = getc(infile)) && count <= 255) ++ while ((count = getc(infile)) && count >= 0 && count <= 255) + if (fread(buf, 1, count, infile) != (size_t) count) { + fprintf(stderr, "short read from file %s (%s)\n", + filename, strerror(errno)); diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch new file mode 100644 index 000000000..63c665024 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch @@ -0,0 +1,49 @@ +From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Mon, 11 Jul 2016 21:26:03 +0000 +Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack + allocated array on a tiled separate TIFF with more than 8 samples per pixel. + Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 + (CVE-2016-5321, bugzilla #2558) + +CVE: CVE-2016-5321 +Upstream-Status: Backport +https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0 + +Signed-off-by: Yi Zhao <yi.zhao@windirver.com> +--- + ChangeLog | 7 +++++++ + tools/tiffcrop.c | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index e98d54d..4e0302f 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,10 @@ ++2016-07-11 Even Rouault <even.rouault at spatialys.com> ++ ++ * tools/tiffcrop.c: Avoid access outside of stack allocated array ++ on a tiled separate TIFF with more than 8 samples per pixel. ++ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 ++ (CVE-2016-5321, bugzilla #2558) ++ + 2015-12-27 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index d959ae3..6fc8fc1 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf, + nrow = (row + tl > imagelength) ? imagelength - row : tl; + for (col = 0; col < imagewidth; col += tw) + { +- for (s = 0; s < spp; s++) ++ for (s = 0; s < spp && s < MAX_SAMPLES; s++) + { /* Read each plane of a tile set into srcbuffs[s] */ + tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s); + if (tbytes < 0 && !ignore) +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch new file mode 100644 index 000000000..41eab91ab --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch @@ -0,0 +1,107 @@ +From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Mon, 11 Jul 2016 21:38:31 +0000 +Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) + +CVE: CVE-2016-5323 +Upstream-Status: Backport +https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31 + +Signed-off-by: Yi Zhao <yi.zhao@windirver.com> +--- + ChangeLog | 2 +- + tools/tiffcrop.c | 16 ++++++++-------- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 4e0302f..62dc1b5 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -3,7 +3,7 @@ + * tools/tiffcrop.c: Avoid access outside of stack allocated array + on a tiled separate TIFF with more than 8 samples per pixel. + Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 +- (CVE-2016-5321, bugzilla #2558) ++ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) + + 2016-07-10 Even Rouault <even.rouault at spatialys.com> + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 6fc8fc1..27abc0b 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols, + + matchbits = maskbits << (8 - src_bit - bps); + /* load up next sample from each plane */ +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + src = in[s] + src_offset + src_byte; + buff1 = ((*src) & matchbits) << (src_bit); +@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols, + src_bit = bit_offset % 8; + + matchbits = maskbits << (16 - src_bit - bps); +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + src = in[s] + src_offset + src_byte; + if (little_endian) +@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols, + src_bit = bit_offset % 8; + + matchbits = maskbits << (32 - src_bit - bps); +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + src = in[s] + src_offset + src_byte; + if (little_endian) +@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols, + src_bit = bit_offset % 8; + + matchbits = maskbits << (64 - src_bit - bps); +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + src = in[s] + src_offset + src_byte; + if (little_endian) +@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols, + + matchbits = maskbits << (8 - src_bit - bps); + /* load up next sample from each plane */ +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + src = in[s] + src_offset + src_byte; + buff1 = ((*src) & matchbits) << (src_bit); +@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols, + src_bit = bit_offset % 8; + + matchbits = maskbits << (16 - src_bit - bps); +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + src = in[s] + src_offset + src_byte; + if (little_endian) +@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols, + src_bit = bit_offset % 8; + + matchbits = maskbits << (32 - src_bit - bps); +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + src = in[s] + src_offset + src_byte; + if (little_endian) +@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols, + src_bit = bit_offset % 8; + + matchbits = maskbits << (64 - src_bit - bps); +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + src = in[s] + src_offset + src_byte; + if (little_endian) +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index e2e24e0fb..8147bc4fb 100644 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb @@ -1,10 +1,15 @@ SUMMARY = "Provides support for the Tag Image File Format (TIFF)" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" -HOMEPAGE = "http://www.remotesensing.org/libtiff/" -SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ +SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ + file://CVE-2015-8665_8683.patch \ + file://CVE-2015-8781.patch \ + file://CVE-2015-8784.patch \ + file://CVE-2016-3186.patch \ + file://CVE-2016-5321.patch \ + file://CVE-2016-5323.patch \ " SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" |