[oe-commits] [openembedded-core] 07/53: tiff: Security fix CVE-2016-10266

git at git.openembedded.org git at git.openembedded.org
Tue Nov 21 14:44:28 UTC 2017 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch morty
in repository openembedded-core.

commit 3a604aa5cb0d35a9df10a5b958eb4a871de76c26
Author: Rajkumar Veer <rveer at mvista.com>
AuthorDate: Fri Nov 3 21:49:23 2017 -0700

    tiff: Security fix CVE-2016-10266
    
    Signed-off-by: Rajkumar Veer <rveer at mvista.com>
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../libtiff/files/CVE-2016-10266.patch             | 60 ++++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.7.bb      |  1 +
 2 files changed, 61 insertions(+)

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch
new file mode 100644
index 0000000..e1c90c6
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-10266.patch
@@ -0,0 +1,60 @@
+From 1855407c4e5a27ade006b26c2dec8a31745c356e Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 2 Dec 2016 21:56:56 +0000
+Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow
+ in TIFFReadEncodedStrip() that caused an integer division by zero. Reported
+ by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+Upstream-Status: Backport
+
+CVE: CVE-2016-10266
+Signed-off-by: Rajkumar Veer <rveer at mvista.com>
+---
+ ChangeLog          | 7 +++++++
+ libtiff/tif_read.c | 2 +-
+ libtiff/tiffiop.h  | 4 ++++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog
++++ tiff-4.0.7/ChangeLog
+@@ -1,3 +1,10 @@
++2016-12-02 Even Rouault <even.rouault at spatialys.com>
++
++       * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
++       TIFFReadEncodedStrip() that caused an integer division by zero.
++       Reported by Agostino Sarubbo.
++       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
++
+ 2017-07-15  Even Rouault <even.rouault at spatialys.com>
+ 
+ 	* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
+Index: tiff-4.0.7/libtiff/tif_read.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_read.c
++++ tiff-4.0.7/libtiff/tif_read.c
+@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 s
+ 	rowsperstrip=td->td_rowsperstrip;
+ 	if (rowsperstrip>td->td_imagelength)
+ 		rowsperstrip=td->td_imagelength;
+-	stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
++	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+ 	stripinplane=(strip%stripsperplane);
+ 	plane=(uint16)(strip/stripsperplane);
+ 	rows=td->td_imagelength-stripinplane*rowsperstrip;
+Index: tiff-4.0.7/libtiff/tiffiop.h
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tiffiop.h
++++ tiff-4.0.7/libtiff/tiffiop.h
+@@ -250,6 +250,10 @@ struct tiff {
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ 			   ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 			   0U)
++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
++#define TIFFhowmany_32_maxuint_compat(x, y) \
++			   (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 9432074..cb7c494 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2016-10271.patch \
            file://CVE-2016-10093.patch \
            file://CVE-2016-10268.patch \
+           file://CVE-2016-10266.patch \
           "
 
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list