[oe-commits] [openembedded-core] 38/49: tiff: Security fix for CVE-2016-10270

git at git.openembedded.org git at git.openembedded.org
Sun Nov 5 22:42:57 UTC 2017 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch pyro
in repository openembedded-core.

commit 9600bca011fe5fd2837606ab05e64325b3f12114
Author: Rajkumar Veer <rveer at mvista.com>
AuthorDate: Fri Nov 3 22:18:19 2017 -0700

    tiff: Security fix for CVE-2016-10270
    
    Signed-off-by: Rajkumar Veer <rveer at mvista.com>
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../libtiff/files/CVE-2016-10270.patch             | 134 +++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.7.bb      |   1 +
 2 files changed, 135 insertions(+)

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch
new file mode 100644
index 0000000..43ad6ed
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10270.patch
@@ -0,0 +1,134 @@
+From 6e7042c61e300cf9971c645c79d05de974b24308 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:02:15 +0000
+Subject: [PATCH 3/4] * libtiff/tif_dirread.c: modify
+ ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
+ TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
+ the total size of data. Which is faulty is the total size of data is not
+ sufficient to fill the whole image, and thus results in reading outside of
+ the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
+ by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+the above change is a better fix that makes it unnecessary.
+
+Upstream-Status: Backport
+
+CVE: CVE-2016-10270
+Signed-off-by: Rajkumar Veer <rveer at mvista.com>
+---
+ ChangeLog             | 15 +++++++++++++++
+ libtiff/tif_dirread.c | 22 ++++++++++------------
+ libtiff/tif_strip.c   |  9 ---------
+ 3 files changed, 25 insertions(+), 21 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 0a2c2a7..6e30e41 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,20 @@
+ 2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ 
++	* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
++	instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
++	instead of a logic based on the total size of data. Which is faulty is
++	the total size of data is not sufficient to fill the whole image, and thus
++	results in reading outside of the StripByCounts/StripOffsets arrays when
++	using TIFFReadScanline().
++	Reported by Agostino Sarubbo.
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
++
++	* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
++	for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
++	the above change is a better fix that makes it unnecessary.
++
++2016-12-03 Even Rouault <even.rouault at spatialys.com>
++
+ 	* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+ 	overflow on generation of PixarLog / LUV compressed files, with
+ 	ColorMap, TransferFunction attached and nasty plays with bitspersample.
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 3eec79c..570d0c3 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	uint64 rowblockbytes;
+ 	uint64 stripbytes;
+ 	uint32 strip;
+-	uint64 nstrips64;
+-	uint32 nstrips32;
++	uint32 nstrips;
+ 	uint32 rowsperstrip;
+ 	uint64* newcounts;
+ 	uint64* newoffsets;
+@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	    return;
+ 
+ 	/*
+-	 * never increase the number of strips in an image
++	 * never increase the number of rows per strip
+ 	 */
+ 	if (rowsperstrip >= td->td_rowsperstrip)
+ 		return;
+-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+-	    return;
+-	nstrips32 = (uint32)nstrips64;
++        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++        if( nstrips == 0 )
++            return;
+ 
+-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripByteCounts\" array");
+-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripOffsets\" array");
+ 	if (newcounts == NULL || newoffsets == NULL) {
+ 		/*
+@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	 * Fill the strip information arrays with new bytecounts and offsets
+ 	 * that reflect the broken-up format.
+ 	 */
+-	for (strip = 0; strip < nstrips32; strip++) {
++	for (strip = 0; strip < nstrips; strip++) {
+ 		if (stripbytes > bytecount)
+ 			stripbytes = bytecount;
+ 		newcounts[strip] = stripbytes;
+-		newoffsets[strip] = offset;
++		newoffsets[strip] = stripbytes ? offset : 0;
+ 		offset += stripbytes;
+ 		bytecount -= stripbytes;
+ 	}
+ 	/*
+ 	 * Replace old single strip info with multi-strip info.
+ 	 */
+-	td->td_stripsperimage = td->td_nstrips = nstrips32;
++	td->td_stripsperimage = td->td_nstrips = nstrips;
+ 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ 
+ 	_TIFFfree(td->td_stripbytecount);
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
+index 4c46ecf..1676e47 100644
+--- a/libtiff/tif_strip.c
++++ b/libtiff/tif_strip.c
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 	uint32 nstrips;
+ 
+-    /* If the value was already computed and store in td_nstrips, then return it,
+-       since ChopUpSingleUncompressedStrip might have altered and resized the
+-       since the td_stripbytecount and td_stripoffset arrays to the new value
+-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+-       tif_dirread.c ~line 3612.
+-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+-    if( td->td_nstrips )
+-        return td->td_nstrips;
+-
+ 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+-- 
+1.9.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 0878e00..4efe4c2 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2016-10266.patch \
            file://CVE-2016-10267.patch \
            file://CVE-2016-10269.patch \
+           file://CVE-2016-10270.patch \
           "
 
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list