[OE-core] [Master][PATCH] libtiff: Update to 4.0.7

akuster808 akuster808 at gmail.com
Sat Nov 26 15:35:38 UTC 2016



On 11/23/2016 08:04 AM, Burton, Ross wrote:
> CCing Leo and Jose who have been working on this.
> 
> Ross
> 

Had to respin do to additional tiff patches in master just added. V2
will be out shortly.

- armin

> On 23 November 2016 at 15:32, akuster808 <akuster808 at gmail.com> wrote:
> 
>> The never made into patchwork. is there a bug there ? is there an issue on
>> how I submitted?
>>
>> - armin
>>
>>
>> On 11/21/2016 09:28 PM, Armin Kuster wrote:
>>
>>> Major changes:
>>> The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and
>>> ycbcr are completely removed from the distribution, used for demos.
>>>
>>> CVEs fixed:
>>> CVE-2016-9297
>>> CVE-2016-9448
>>> CVE-2016-9273
>>> CVE-2014-8127
>>> CVE-2016-3658
>>> CVE-2016-5875
>>> CVE-2016-5652
>>> CVE-2016-3632
>>>
>>> plus more that are not identified in the changelog.
>>>
>>> removed patches integrated into update.
>>> more info: http://libtiff.maptools.org/v4.0.7.html
>>>
>>> Signed-off-by: Armin Kuster <akuster at mvista.com>
>>> ---
>>>   .../libtiff/files/CVE-2015-8665_8683.patch         | 137
>>> ---------------
>>>   .../libtiff/files/CVE-2015-8781.patch              | 195
>>> ---------------------
>>>   .../libtiff/files/CVE-2015-8784.patch              |  73 --------
>>>   .../libtiff/files/CVE-2016-3186.patch              |  24 ---
>>>   .../libtiff/files/CVE-2016-3622.patch              | 129 --------------
>>>   .../libtiff/files/CVE-2016-3623.patch              |  52 ------
>>>   .../libtiff/files/CVE-2016-3945.patch              | 118 -------------
>>>   .../libtiff/files/CVE-2016-3990.patch              |  66 -------
>>>   .../libtiff/files/CVE-2016-3991.patch              | 147
>>> ----------------
>>>   .../libtiff/files/CVE-2016-5321.patch              |  49 ------
>>>   .../libtiff/files/CVE-2016-5323.patch              | 107 -----------
>>>   .../libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb}       |  15 +-
>>>   12 files changed, 2 insertions(+), 1110 deletions(-)
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2015-8665_8683.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2015-8781.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2015-8784.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3186.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3622.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3623.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3945.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3990.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3991.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-5321.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-5323.patch
>>>   rename meta/recipes-multimedia/libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb}
>>> (74%)
>>>
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
>>> deleted file mode 100644
>>> index 39c5059..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
>>> +++ /dev/null
>>> @@ -1,137 +0,0 @@
>>> -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Sat, 26 Dec 2015 17:32:03 +0000
>>> -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
>>> - TIFFRGBAImage interface in case of unsupported values of
>>> - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
>>> - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
>>> - limingxing and CVE-2015-8683 reported by zzf of Alibaba.
>>> -
>>> -Upstream-Status: Backport
>>> -CVE: CVE-2015-8665
>>> -CVE: CVE-2015-8683
>>> -https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334
>>> 592760fbb7938f15eb55
>>> -
>>> -Signed-off-by: Armin Kuster <akuster at mvista.com>
>>> -
>>> ----
>>> - ChangeLog              |  8 ++++++++
>>> - libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
>>> - 2 files changed, 30 insertions(+), 13 deletions(-)
>>> -
>>> -Index: tiff-4.0.6/libtiff/tif_getimage.c
>>> -===================================================================
>>> ---- tiff-4.0.6.orig/libtiff/tif_getimage.c
>>> -+++ tiff-4.0.6/libtiff/tif_getimage.c
>>> -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
>>> -                                   "Planarconfiguration",
>>> td->td_planarconfig);
>>> -                               return (0);
>>> -                       }
>>> --                      if( td->td_samplesperpixel != 3 )
>>> -+                      if( td->td_samplesperpixel != 3 || colorchannels
>>> != 3 )
>>> -             {
>>> -                 sprintf(emsg,
>>> --                        "Sorry, can not handle image with %s=%d",
>>> --                        "Samples/pixel", td->td_samplesperpixel);
>>> -+                        "Sorry, can not handle image with %s=%d, %s=%d",
>>> -+                        "Samples/pixel", td->td_samplesperpixel,
>>> -+                        "colorchannels", colorchannels);
>>> -                 return 0;
>>> -             }
>>> -                       break;
>>> -               case PHOTOMETRIC_CIELAB:
>>> --            if( td->td_samplesperpixel != 3 || td->td_bitspersample !=
>>> 8 )
>>> -+            if( td->td_samplesperpixel != 3 || colorchannels != 3 ||
>>> td->td_bitspersample != 8 )
>>> -             {
>>> -                 sprintf(emsg,
>>> --                        "Sorry, can not handle image with %s=%d and
>>> %s=%d",
>>> -+                        "Sorry, can not handle image with %s=%d, %s=%d
>>> and %s=%d",
>>> -                         "Samples/pixel", td->td_samplesperpixel,
>>> -+                        "colorchannels", colorchannels,
>>> -                         "Bits/sample", td->td_bitspersample);
>>> -                 return 0;
>>> -             }
>>> -@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
>>> -       int colorchannels;
>>> -       uint16 *red_orig, *green_orig, *blue_orig;
>>> -       int n_color;
>>> -+
>>> -+      if( !TIFFRGBAImageOK(tif, emsg) )
>>> -+              return 0;
>>> -
>>> -       /* Initialize to normal values */
>>> -       img->row_offset = 0;
>>> -@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
>>> -               case PHOTOMETRIC_RGB:
>>> -                       switch (img->bitspersample) {
>>> -                               case 8:
>>> --                                      if (img->alpha ==
>>> EXTRASAMPLE_ASSOCALPHA)
>>> -+                                      if (img->alpha ==
>>> EXTRASAMPLE_ASSOCALPHA &&
>>> -+                                              img->samplesperpixel >= 4)
>>> -                                               img->put.contig =
>>> putRGBAAcontig8bittile;
>>> --                                      else if (img->alpha ==
>>> EXTRASAMPLE_UNASSALPHA)
>>> -+                                      else if (img->alpha ==
>>> EXTRASAMPLE_UNASSALPHA &&
>>> -+
>>>  img->samplesperpixel >= 4)
>>> -                                       {
>>> -                                               if (BuildMapUaToAa(img))
>>> -                                                       img->put.contig =
>>> putRGBUAcontig8bittile;
>>> -                                       }
>>> --                                      else
>>> -+                                      else if( img->samplesperpixel >=
>>> 3 )
>>> -                                               img->put.contig =
>>> putRGBcontig8bittile;
>>> -                                       break;
>>> -                               case 16:
>>> --                                      if (img->alpha ==
>>> EXTRASAMPLE_ASSOCALPHA)
>>> -+                                      if (img->alpha ==
>>> EXTRASAMPLE_ASSOCALPHA &&
>>> -+                                              img->samplesperpixel >=4 )
>>> -                                       {
>>> -                                               if
>>> (BuildMapBitdepth16To8(img))
>>> -                                                       img->put.contig =
>>> putRGBAAcontig16bittile;
>>> -                                       }
>>> --                                      else if (img->alpha ==
>>> EXTRASAMPLE_UNASSALPHA)
>>> -+                                      else if (img->alpha ==
>>> EXTRASAMPLE_UNASSALPHA &&
>>> -+
>>>  img->samplesperpixel >=4 )
>>> -                                       {
>>> -                                               if
>>> (BuildMapBitdepth16To8(img) &&
>>> -                                                   BuildMapUaToAa(img))
>>> -                                                       img->put.contig =
>>> putRGBUAcontig16bittile;
>>> -                                       }
>>> --                                      else
>>> -+                                      else if( img->samplesperpixel >=3
>>> )
>>> -                                       {
>>> -                                               if
>>> (BuildMapBitdepth16To8(img))
>>> -                                                       img->put.contig =
>>> putRGBcontig16bittile;
>>> -@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
>>> -                       }
>>> -                       break;
>>> -               case PHOTOMETRIC_SEPARATED:
>>> --                      if (buildMap(img)) {
>>> -+                      if (img->samplesperpixel >=4 && buildMap(img)) {
>>> -                               if (img->bitspersample == 8) {
>>> -                                       if (!img->Map)
>>> -                                               img->put.contig =
>>> putRGBcontig8bitCMYKtile;
>>> -@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
>>> -                       }
>>> -                       break;
>>> -               case PHOTOMETRIC_CIELAB:
>>> --                      if (buildMap(img)) {
>>> -+                      if (img->samplesperpixel == 3 && buildMap(img)) {
>>> -                               if (img->bitspersample == 8)
>>> -                                       img->put.contig =
>>> initCIELabConversion(img);
>>> -                               break;
>>> -Index: tiff-4.0.6/ChangeLog
>>> -===================================================================
>>> ---- tiff-4.0.6.orig/ChangeLog
>>> -+++ tiff-4.0.6/ChangeLog
>>> -@@ -1,3 +1,11 @@
>>> -+2015-12-26  Even Rouault <even.rouault at spatialys.com>
>>> -+
>>> -+   * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
>>> -+   interface in case of unsupported values of
>>> SamplesPerPixel/ExtraSamples
>>> -+   for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
>>> -+   TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
>>> -+   CVE-2015-8683 reported by zzf of Alibaba.
>>> -+
>>> - 2015-09-12  Bob Friesenhahn  <bfriesen at simple.dallas.tx.us>
>>> -
>>> -       * libtiff 4.0.6 released.
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
>>> deleted file mode 100644
>>> index 0846f0f..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
>>> +++ /dev/null
>>> @@ -1,195 +0,0 @@
>>> -From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Sun, 27 Dec 2015 16:25:11 +0000
>>> -Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes
>>> in
>>> - decode functions in non debug builds by replacing assert()s by regular
>>> if
>>> - checks (bugzilla #2522). Fix potential out-of-bound reads in case of
>>> short
>>> - input data.
>>> -
>>> -Upstream-Status: Backport
>>> -
>>> -https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f2
>>> 3ccbc79702610439bc65
>>> -hand applied Changelog changes
>>> -
>>> -CVE: CVE-2015-8781
>>> -
>>> -Signed-off-by: Armin Kuster <akuster at mvista.com>
>>> ----
>>> - ChangeLog         |  7 +++++++
>>> - libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++
>>> ++++++++++++++-----------
>>> - 2 files changed, 51 insertions(+), 11 deletions(-)
>>> -
>>> -Index: tiff-4.0.4/ChangeLog
>>> -===================================================================
>>> ---- tiff-4.0.4.orig/ChangeLog
>>> -+++ tiff-4.0.4/ChangeLog
>>> -@@ -1,3 +1,10 @@
>>> -+2015-12-27  Even Rouault <even.rouault at spatialys.com>
>>> -+
>>> -+      * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
>>> -+      functions in non debug builds by replacing assert()s by regular if
>>> -+      checks (bugzilla #2522).
>>> -+      Fix potential out-of-bound reads in case of short input data.
>>> -+
>>> - 2015-12-26  Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -       * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
>>> -Index: tiff-4.0.4/libtiff/tif_luv.c
>>> -===================================================================
>>> ---- tiff-4.0.4.orig/libtiff/tif_luv.c
>>> -+++ tiff-4.0.4/libtiff/tif_luv.c
>>> -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
>>> -       if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
>>> -               tp = (int16*) op;
>>> -       else {
>>> --              assert(sp->tbuflen >= npixels);
>>> -+              if(sp->tbuflen < npixels) {
>>> -+                      TIFFErrorExt(tif->tif_clientdata, module,
>>> -+                                               "Translation buffer too
>>> short");
>>> -+                      return (0);
>>> -+              }
>>> -               tp = (int16*) sp->tbuf;
>>> -       }
>>> -       _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
>>> -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
>>> -       cc = tif->tif_rawcc;
>>> -       /* get each byte string */
>>> -       for (shft = 2*8; (shft -= 8) >= 0; ) {
>>> --              for (i = 0; i < npixels && cc > 0; )
>>> -+              for (i = 0; i < npixels && cc > 0; ) {
>>> -                       if (*bp >= 128) {               /* run */
>>> --                              rc = *bp++ + (2-128);   /* TODO:
>>> potential input buffer overrun when decoding corrupt or truncated data */
>>> -+                              if( cc < 2 )
>>> -+                                      break;
>>> -+                              rc = *bp++ + (2-128);
>>> -                               b = (int16)(*bp++ << shft);
>>> -                               cc -= 2;
>>> -                               while (rc-- && i < npixels)
>>> -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
>>> -                               while (--cc && rc-- && i < npixels)
>>> -                                       tp[i++] |= (int16)*bp++ << shft;
>>> -                       }
>>> -+              }
>>> -               if (i != npixels) {
>>> - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
>>> -                       TIFFErrorExt(tif->tif_clientdata, module,
>>> -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
>>> -       if (sp->user_datafmt == SGILOGDATAFMT_RAW)
>>> -               tp = (uint32 *)op;
>>> -       else {
>>> --              assert(sp->tbuflen >= npixels);
>>> -+              if(sp->tbuflen < npixels) {
>>> -+                      TIFFErrorExt(tif->tif_clientdata, module,
>>> -+                                               "Translation buffer too
>>> short");
>>> -+                      return (0);
>>> -+              }
>>> -               tp = (uint32 *) sp->tbuf;
>>> -       }
>>> -       /* copy to array of uint32 */
>>> -       bp = (unsigned char*) tif->tif_rawcp;
>>> -       cc = tif->tif_rawcc;
>>> --      for (i = 0; i < npixels && cc > 0; i++) {
>>> -+      for (i = 0; i < npixels && cc >= 3; i++) {
>>> -               tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
>>> -               bp += 3;
>>> -               cc -= 3;
>>> -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
>>> -       if (sp->user_datafmt == SGILOGDATAFMT_RAW)
>>> -               tp = (uint32*) op;
>>> -       else {
>>> --              assert(sp->tbuflen >= npixels);
>>> -+              if(sp->tbuflen < npixels) {
>>> -+                      TIFFErrorExt(tif->tif_clientdata, module,
>>> -+                                               "Translation buffer too
>>> short");
>>> -+                      return (0);
>>> -+              }
>>> -               tp = (uint32*) sp->tbuf;
>>> -       }
>>> -       _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
>>> -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
>>> -       cc = tif->tif_rawcc;
>>> -       /* get each byte string */
>>> -       for (shft = 4*8; (shft -= 8) >= 0; ) {
>>> --              for (i = 0; i < npixels && cc > 0; )
>>> -+              for (i = 0; i < npixels && cc > 0; ) {
>>> -                       if (*bp >= 128) {               /* run */
>>> -+                              if( cc < 2 )
>>> -+                                      break;
>>> -                               rc = *bp++ + (2-128);
>>> -                               b = (uint32)*bp++ << shft;
>>> --                              cc -= 2;                /* TODO:
>>> potential input buffer overrun when decoding corrupt or truncated data */
>>> -+                              cc -= 2;
>>> -                               while (rc-- && i < npixels)
>>> -                                       tp[i++] |= b;
>>> -                       } else {                        /* non-run */
>>> -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
>>> -                               while (--cc && rc-- && i < npixels)
>>> -                                       tp[i++] |= (uint32)*bp++ << shft;
>>> -                       }
>>> -+              }
>>> -               if (i != npixels) {
>>> - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
>>> -                       TIFFErrorExt(tif->tif_clientdata, module,
>>> -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
>>> - static int
>>> - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
>>> - {
>>> -+      static const char module[] = "LogL16Encode";
>>> -       LogLuvState* sp = EncoderState(tif);
>>> -       int shft;
>>> -       tmsize_t i;
>>> -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
>>> -               tp = (int16*) bp;
>>> -       else {
>>> -               tp = (int16*) sp->tbuf;
>>> --              assert(sp->tbuflen >= npixels);
>>> -+              if(sp->tbuflen < npixels) {
>>> -+                      TIFFErrorExt(tif->tif_clientdata, module,
>>> -+                                               "Translation buffer too
>>> short");
>>> -+                      return (0);
>>> -+              }
>>> -               (*sp->tfunc)(sp, bp, npixels);
>>> -       }
>>> -       /* compress each byte string */
>>> -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
>>> - static int
>>> - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
>>> - {
>>> -+      static const char module[] = "LogLuvEncode24";
>>> -       LogLuvState* sp = EncoderState(tif);
>>> -       tmsize_t i;
>>> -       tmsize_t npixels;
>>> -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
>>> -               tp = (uint32*) bp;
>>> -       else {
>>> -               tp = (uint32*) sp->tbuf;
>>> --              assert(sp->tbuflen >= npixels);
>>> -+              if(sp->tbuflen < npixels) {
>>> -+                      TIFFErrorExt(tif->tif_clientdata, module,
>>> -+                                               "Translation buffer too
>>> short");
>>> -+                      return (0);
>>> -+              }
>>> -               (*sp->tfunc)(sp, bp, npixels);
>>> -       }
>>> -       /* write out encoded pixels */
>>> -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
>>> - static int
>>> - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
>>> - {
>>> -+      static const char module[] = "LogLuvEncode32";
>>> -       LogLuvState* sp = EncoderState(tif);
>>> -       int shft;
>>> -       tmsize_t i;
>>> -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
>>> -               tp = (uint32*) bp;
>>> -       else {
>>> -               tp = (uint32*) sp->tbuf;
>>> --              assert(sp->tbuflen >= npixels);
>>> -+              if(sp->tbuflen < npixels) {
>>> -+                      TIFFErrorExt(tif->tif_clientdata, module,
>>> -+                                               "Translation buffer too
>>> short");
>>> -+                      return (0);
>>> -+              }
>>> -               (*sp->tfunc)(sp, bp, npixels);
>>> -       }
>>> -       /* compress each byte string */
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
>>> deleted file mode 100644
>>> index 0caf800..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
>>> +++ /dev/null
>>> @@ -1,73 +0,0 @@
>>> -From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Sun, 27 Dec 2015 16:55:20 +0000
>>> -Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write
>>> in
>>> - NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl
>>> /vulns/libtiff5.tif
>>> - (bugzilla #2508)
>>> -
>>> -Upstream-Status: Backport
>>> -https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c
>>> 57d3bf4e997a15b1cc1c
>>> -hand applied Changelog changes
>>> -
>>> -CVE:  CVE-2015-8784
>>> -Signed-off-by: Armin Kuster <akuster at mvista.com>
>>> -
>>> ----
>>> - ChangeLog          |  6 ++++++
>>> - libtiff/tif_next.c | 10 ++++++++--
>>> - 2 files changed, 14 insertions(+), 2 deletions(-)
>>> -
>>> -Index: tiff-4.0.4/ChangeLog
>>> -===================================================================
>>> ---- tiff-4.0.4.orig/ChangeLog
>>> -+++ tiff-4.0.4/ChangeLog
>>> -@@ -1,5 +1,11 @@
>>> - 2015-12-27  Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -+      * libtiff/tif_next.c: fix potential out-of-bound write in
>>> NeXTDecode()
>>> -+      triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
>>> -+      (bugzilla #2508)
>>> -+
>>> -+2015-12-27  Even Rouault <even.rouault at spatialys.com>
>>> -+
>>> -       * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
>>> -       functions in non debug builds by replacing assert()s by regular if
>>> -       checks (bugzilla #2522).
>>> -Index: tiff-4.0.4/libtiff/tif_next.c
>>> -===================================================================
>>> ---- tiff-4.0.4.orig/libtiff/tif_next.c
>>> -+++ tiff-4.0.4/libtiff/tif_next.c
>>> -@@ -37,7 +37,7 @@
>>> -       case 0: op[0]  = (unsigned char) ((v) << 6); break;     \
>>> -       case 1: op[0] |= (v) << 4; break;       \
>>> -       case 2: op[0] |= (v) << 2; break;       \
>>> --      case 3: *op++ |= (v);      break;       \
>>> -+      case 3: *op++ |= (v);      op_offset++; break;  \
>>> -       }                                       \
>>> - }
>>> -
>>> -@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
>>> -                       uint32 imagewidth = tif->tif_dir.td_imagewidth;
>>> -             if( isTiled(tif) )
>>> -                 imagewidth = tif->tif_dir.td_tilewidth;
>>> -+            tmsize_t op_offset = 0;
>>> -
>>> -                       /*
>>> -                        * The scanline is composed of a sequence of
>>> constant
>>> -@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
>>> -                                * bounds, potentially resulting in a
>>> security
>>> -                                * issue.
>>> -                                */
>>> --                              while (n-- > 0 && npixels < imagewidth)
>>> -+                              while (n-- > 0 && npixels < imagewidth &&
>>> op_offset < scanline)
>>> -                                       SETPIXEL(op, grey);
>>> -                               if (npixels >= imagewidth)
>>> -                                       break;
>>> -+                if (op_offset >= scanline ) {
>>> -+                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid
>>> data for scanline %ld",
>>> -+                        (long) tif->tif_row);
>>> -+                    return (0);
>>> -+                }
>>> -                               if (cc == 0)
>>> -                                       goto bad;
>>> -                               n = *bp++, cc--;
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
>>> deleted file mode 100644
>>> index 4a08aba..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
>>> +++ /dev/null
>>> @@ -1,24 +0,0 @@
>>> -Buffer overflow in the readextension function in gif2tiff.c
>>> -allows remote attackers to cause a denial of service via a crafted GIF
>>> file.
>>> -
>>> -External References:
>>> -https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
>>> -https://bugzilla.redhat.com/show_bug.cgi?id=1319503
>>> -
>>> -CVE: CVE-2016-3186
>>> -Upstream-Status: Backport (RedHat)
>>> -https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
>>> -
>>> -Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
>>> -
>>> ---- tiff-4.0.6/tools/gif2tiff.c        2016-04-06 15:43:01.586048341
>>> +0200
>>> -+++ tiff-4.0.6/tools/gif2tiff.c        2016-04-06 15:48:05.523207710
>>> +0200
>>> -@@ -349,7 +349,7 @@
>>> -     int status = 1;
>>> -
>>> -     (void) getc(infile);
>>> --    while ((count = getc(infile)) && count <= 255)
>>> -+    while ((count = getc(infile)) && count >= 0 && count <= 255)
>>> -         if (fread(buf, 1, count, infile) != (size_t) count) {
>>> -             fprintf(stderr, "short read from file %s (%s)\n",
>>> -                     filename, strerror(errno));
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
>>> deleted file mode 100644
>>> index 0c8b716..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
>>> +++ /dev/null
>>> @@ -1,129 +0,0 @@
>>> -From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
>>> -From: bfriesen <bfriesen>
>>> -Date: Sat, 24 Sep 2016 23:11:55 +0000
>>> -Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject
>>> attempts
>>> - to read floating point images.
>>> -
>>> -* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
>>> -requirements of floating point predictor (3).  Fixes CVE-2016-3622
>>> -"Divide By Zero in the tiff2rgba tool."
>>> -
>>> -CVE: CVE-2016-3622
>>> -Upstream-Status: Backport
>>> -https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957
>>> c8c5c47b467aa650b286
>>> -
>>> -Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
>>> ----
>>> - ChangeLog              | 11 ++++++++++-
>>> - libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
>>> - libtiff/tif_predict.c  | 11 ++++++++++-
>>> - 3 files changed, 40 insertions(+), 20 deletions(-)
>>> -
>>> -diff --git a/ChangeLog b/ChangeLog
>>> -index 26d6f47..a628277 100644
>>> ---- a/ChangeLog
>>> -+++ b/ChangeLog
>>> -@@ -1,3 +1,12 @@
>>> -+2016-09-24  Bob Friesenhahn  <bfriesen at simple.dallas.tx.us>
>>> -+
>>> -+      * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
>>> -+      read floating point images.
>>> -+
>>> -+      * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
>>> -+      requirements of floating point predictor (3).  Fixes CVE-2016-3622
>>> -+      "Divide By Zero in the tiff2rgba tool."
>>> -+
>>> - 2016-08-15 Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -       * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
>>> -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
>>> -index 386cee0..3e689ee 100644
>>> ---- a/libtiff/tif_getimage.c
>>> -+++ b/libtiff/tif_getimage.c
>>> -@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
>>> -                           td->td_bitspersample);
>>> -                       return (0);
>>> -       }
>>> -+        if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
>>> -+                sprintf(emsg, "Sorry, can not handle images with IEEE
>>> floating-point samples");
>>> -+                return (0);
>>> -+        }
>>> -       colorchannels = td->td_samplesperpixel - td->td_extrasamples;
>>> -       if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
>>> -               switch (colorchannels) {
>>> -@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
>>> -                                   "Planarconfiguration",
>>> td->td_planarconfig);
>>> -                               return (0);
>>> -                       }
>>> --                      if( td->td_samplesperpixel != 3 || colorchannels
>>> != 3 )
>>> --            {
>>> --                sprintf(emsg,
>>> --                        "Sorry, can not handle image with %s=%d, %s=%d",
>>> --                        "Samples/pixel", td->td_samplesperpixel,
>>> --                        "colorchannels", colorchannels);
>>> --                return 0;
>>> --            }
>>> -+                      if ( td->td_samplesperpixel != 3 || colorchannels
>>> != 3 ) {
>>> -+                                sprintf(emsg,
>>> -+                                        "Sorry, can not handle image
>>> with %s=%d, %s=%d",
>>> -+                                        "Samples/pixel",
>>> td->td_samplesperpixel,
>>> -+                                        "colorchannels", colorchannels);
>>> -+                                return 0;
>>> -+                        }
>>> -                       break;
>>> -               case PHOTOMETRIC_CIELAB:
>>> --            if( td->td_samplesperpixel != 3 || colorchannels != 3 ||
>>> td->td_bitspersample != 8 )
>>> --            {
>>> --                sprintf(emsg,
>>> --                        "Sorry, can not handle image with %s=%d, %s=%d
>>> and %s=%d",
>>> --                        "Samples/pixel", td->td_samplesperpixel,
>>> --                        "colorchannels", colorchannels,
>>> --                        "Bits/sample", td->td_bitspersample);
>>> --                return 0;
>>> --            }
>>> -+                        if ( td->td_samplesperpixel != 3 ||
>>> colorchannels != 3 || td->td_bitspersample != 8 ) {
>>> -+                                sprintf(emsg,
>>> -+                                        "Sorry, can not handle image
>>> with %s=%d, %s=%d and %s=%d",
>>> -+                                        "Samples/pixel",
>>> td->td_samplesperpixel,
>>> -+                                        "colorchannels", colorchannels,
>>> -+                                        "Bits/sample",
>>> td->td_bitspersample);
>>> -+                                return 0;
>>> -+                        }
>>> -                       break;
>>> --              default:
>>> -+                default:
>>> -                       sprintf(emsg, "Sorry, can not handle image with
>>> %s=%d",
>>> -                           photoTag, photometric);
>>> -                       return (0);
>>> -diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
>>> -index 081eb11..555f2f9 100644
>>> ---- a/libtiff/tif_predict.c
>>> -+++ b/libtiff/tif_predict.c
>>> -@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
>>> -                                   td->td_sampleformat);
>>> -                               return 0;
>>> -                       }
>>> -+                        if (td->td_bitspersample != 16
>>> -+                            && td->td_bitspersample != 24
>>> -+                            && td->td_bitspersample != 32
>>> -+                            && td->td_bitspersample != 64) { /* Should
>>> 64 be allowed? */
>>> -+                                TIFFErrorExt(tif->tif_clientdata,
>>> module,
>>> -+                                             "Floating point
>>> \"Predictor\" not supported with %d-bit samples",
>>> -+                                             td->td_bitspersample);
>>> -+                              return 0;
>>> -+                            }
>>> -                       break;
>>> -               default:
>>> -                       TIFFErrorExt(tif->tif_clientdata, module,
>>> -@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
>>> -               }
>>> -               /*
>>> -                * Allocate buffer to keep the decoded bytes before
>>> --               * rearranging in the ight order
>>> -+               * rearranging in the right order
>>> -                */
>>> -       }
>>> -
>>> ---
>>> -2.7.4
>>> -
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
>>> deleted file mode 100644
>>> index f554ac5..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
>>> +++ /dev/null
>>> @@ -1,52 +0,0 @@
>>> -From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Mon, 15 Aug 2016 21:26:56 +0000
>>> -Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h
>>> parameters
>>> - to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
>>> -
>>> -CVE: CVE-2016-3623
>>> -Upstream-Status: Backport
>>> -https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea23
>>> 6675607a69f74a66bc7b
>>> -
>>> -Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
>>> ----
>>> - ChangeLog         | 5 +++++
>>> - tools/rgb2ycbcr.c | 4 ++++
>>> - 2 files changed, 9 insertions(+)
>>> -
>>> -diff --git a/ChangeLog b/ChangeLog
>>> -index 5d60608..3e6642a 100644
>>> ---- a/ChangeLog
>>> -+++ b/ChangeLog
>>> -@@ -1,5 +1,10 @@
>>> - 2016-08-15 Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -+      * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
>>> -+      avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla
>>> #2569)
>>> -+
>>> -+2016-08-15 Even Rouault <even.rouault at spatialys.com>
>>> -+
>>> -       * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
>>> -       From patch libtiff-CVE-2016-3991.patch from
>>> -       libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
>>> -diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
>>> -index 3829d6b..51f4259 100644
>>> ---- a/tools/rgb2ycbcr.c
>>> -+++ b/tools/rgb2ycbcr.c
>>> -@@ -95,9 +95,13 @@ main(int argc, char* argv[])
>>> -                       break;
>>> -               case 'h':
>>> -                       horizSubSampling = atoi(optarg);
>>> -+            if( horizSubSampling != 1 && horizSubSampling != 2 &&
>>> horizSubSampling != 4 )
>>> -+                usage(-1);
>>> -                       break;
>>> -               case 'v':
>>> -                       vertSubSampling = atoi(optarg);
>>> -+            if( vertSubSampling != 1 && vertSubSampling != 2 &&
>>> vertSubSampling != 4 )
>>> -+                usage(-1);
>>> -                       break;
>>> -               case 'r':
>>> -                       rowsperstrip = atoi(optarg);
>>> ---
>>> -2.7.4
>>> -
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
>>> deleted file mode 100644
>>> index 4d965be..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
>>> +++ /dev/null
>>> @@ -1,118 +0,0 @@
>>> -From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Mon, 15 Aug 2016 20:06:40 +0000
>>> -Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
>>> - allocated buffer, when -b mode is enabled, that could result in
>>> out-of-bounds
>>> - write. Based initially on patch tiff-CVE-2016-3945.patch from
>>> - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
>>> invalid
>>> - tests that rejected valid files.
>>> -
>>> -CVE: CVE-2016-3945
>>> -Upstream-Status: Backport
>>> -https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3
>>> dc9a1f1bc00133a160e6
>>> -
>>> -Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
>>> ----
>>> - ChangeLog         |  8 ++++++++
>>> - tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
>>> - 2 files changed, 38 insertions(+), 4 deletions(-)
>>> -
>>> -diff --git a/ChangeLog b/ChangeLog
>>> -index 62dc1b5..9c0ab29 100644
>>> ---- a/ChangeLog
>>> -+++ b/ChangeLog
>>> -@@ -1,3 +1,11 @@
>>> -+2016-08-15 Even Rouault <even.rouault at spatialys.com>
>>> -+
>>> -+      * tools/tiff2rgba.c: Fix integer overflow in size of allocated
>>> -+      buffer, when -b mode is enabled, that could result in
>>> out-of-bounds
>>> -+      write. Based initially on patch tiff-CVE-2016-3945.patch from
>>> -+      libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction
>>> for
>>> -+      invalid tests that rejected valid files.
>>> -+
>>> - 2016-07-11 Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -       * tools/tiffcrop.c: Avoid access outside of stack allocated array
>>> -diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
>>> -index b7a81eb..16e3dc4 100644
>>> ---- a/tools/tiff2rgba.c
>>> -+++ b/tools/tiff2rgba.c
>>> -@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
>>> -     uint32  row, col;
>>> -     uint32  *wrk_line;
>>> -     int           ok = 1;
>>> -+    uint32  rastersize, wrk_linesize;
>>> -
>>> -     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
>>> -     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
>>> -@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
>>> -     /*
>>> -      * Allocate tile buffer
>>> -      */
>>> --    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof
>>> (uint32));
>>> -+    rastersize = tile_width * tile_height * sizeof (uint32);
>>> -+    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
>>> -+    {
>>> -+      TIFFError(TIFFFileName(in), "Integer overflow when calculating
>>> raster buffer");
>>> -+      exit(-1);
>>> -+    }
>>> -+    raster = (uint32*)_TIFFmalloc(rastersize);
>>> -     if (raster == 0) {
>>> -         TIFFError(TIFFFileName(in), "No space for raster buffer");
>>> -         return (0);
>>> -@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
>>> -      * Allocate a scanline buffer for swapping during the vertical
>>> -      * mirroring pass.
>>> -      */
>>> --    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
>>> -+    wrk_linesize = tile_width * sizeof (uint32);
>>> -+    if (tile_width != wrk_linesize / sizeof (uint32))
>>> -+    {
>>> -+        TIFFError(TIFFFileName(in), "Integer overflow when calculating
>>> wrk_line buffer");
>>> -+      exit(-1);
>>> -+    }
>>> -+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
>>> -     if (!wrk_line) {
>>> -         TIFFError(TIFFFileName(in), "No space for raster scanline
>>> buffer");
>>> -         ok = 0;
>>> -@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
>>> -     uint32  row;
>>> -     uint32  *wrk_line;
>>> -     int           ok = 1;
>>> -+    uint32  rastersize, wrk_linesize;
>>> -
>>> -     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
>>> -     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
>>> -@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
>>> -     /*
>>> -      * Allocate strip buffer
>>> -      */
>>> --    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof
>>> (uint32));
>>> -+    rastersize = width * rowsperstrip * sizeof (uint32);
>>> -+    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
>>> -+    {
>>> -+      TIFFError(TIFFFileName(in), "Integer overflow when calculating
>>> raster buffer");
>>> -+      exit(-1);
>>> -+    }
>>> -+    raster = (uint32*)_TIFFmalloc(rastersize);
>>> -     if (raster == 0) {
>>> -         TIFFError(TIFFFileName(in), "No space for raster buffer");
>>> -         return (0);
>>> -@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
>>> -      * Allocate a scanline buffer for swapping during the vertical
>>> -      * mirroring pass.
>>> -      */
>>> --    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
>>> -+    wrk_linesize = width * sizeof (uint32);
>>> -+    if (width != wrk_linesize / sizeof (uint32))
>>> -+    {
>>> -+        TIFFError(TIFFFileName(in), "Integer overflow when calculating
>>> wrk_line buffer");
>>> -+      exit(-1);
>>> -+    }
>>> -+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
>>> -     if (!wrk_line) {
>>> -         TIFFError(TIFFFileName(in), "No space for raster scanline
>>> buffer");
>>> -         ok = 0;
>>> ---
>>> -2.7.4
>>> -
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
>>> deleted file mode 100644
>>> index 7bf52ee..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
>>> +++ /dev/null
>>> @@ -1,66 +0,0 @@
>>> -From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Mon, 15 Aug 2016 20:49:48 +0000
>>> -Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
>>> - PixarLogEncode if more input samples are provided than expected by
>>> - PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
>>> - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
>>> - simpler check. (bugzilla #2544)
>>> -
>>> -invalid tests that rejected valid files. (bugzilla #2545)
>>> -
>>> -CVE: CVE-2016-3990
>>> -Upstream-Status: Backport
>>> -https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4a
>>> dac7be4575672d0ac5f1
>>> -
>>> -Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
>>> ----
>>> - ChangeLog              | 10 +++++++++-
>>> - libtiff/tif_pixarlog.c |  7 +++++++
>>> - 2 files changed, 16 insertions(+), 1 deletion(-)
>>> -
>>> -diff --git a/ChangeLog b/ChangeLog
>>> -index 9c0ab29..db4ea18 100644
>>> ---- a/ChangeLog
>>> -+++ b/ChangeLog
>>> -@@ -1,10 +1,18 @@
>>> - 2016-08-15 Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -+      * libtiff/tif_pixarlog.c: Fix write buffer overflow in
>>> PixarLogEncode
>>> -+      if more input samples are provided than expected by
>>> PixarLogSetupEncode.
>>> -+      Idea based on libtiff-CVE-2016-3990.patch from
>>> -+      libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with
>>> different and
>>> -+      simpler check. (bugzilla #2544)
>>> -+
>>> -+2016-08-15 Even Rouault <even.rouault at spatialys.com>
>>> -+
>>> -       * tools/tiff2rgba.c: Fix integer overflow in size of allocated
>>> -       buffer, when -b mode is enabled, that could result in
>>> out-of-bounds
>>> -       write. Based initially on patch tiff-CVE-2016-3945.patch from
>>> -       libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction
>>> for
>>> --      invalid tests that rejected valid files.
>>> -+      invalid tests that rejected valid files. (bugzilla #2545)
>>> -
>>> - 2016-07-11 Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
>>> -index e78f788..28329d1 100644
>>> ---- a/libtiff/tif_pixarlog.c
>>> -+++ b/libtiff/tif_pixarlog.c
>>> -@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc,
>>> uint16 s)
>>> -       }
>>> -
>>> -       llen = sp->stride * td->td_imagewidth;
>>> -+    /* Check against the number of elements (of size uint16) of
>>> sp->tbuf */
>>> -+    if( n > td->td_rowsperstrip * llen )
>>> -+    {
>>> -+        TIFFErrorExt(tif->tif_clientdata, module,
>>> -+                     "Too many input bytes provided");
>>> -+        return 0;
>>> -+    }
>>> -
>>> -       for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
>>> -               switch (sp->user_datafmt)  {
>>> ---
>>> -2.7.4
>>> -
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
>>> deleted file mode 100644
>>> index 27dfd37..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
>>> +++ /dev/null
>>> @@ -1,147 +0,0 @@
>>> -From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Mon, 15 Aug 2016 21:05:40 +0000
>>> -Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
>>> - loadImage(). From patch libtiff-CVE-2016-3991.patch from
>>> - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
>>> -
>>> -CVE: CVE-2016-3991
>>> -Upstream-Status: Backport
>>> -https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc
>>> 360fdd3afd90ba0fb8ba
>>> -
>>> -Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
>>> ----
>>> - ChangeLog        |  6 ++++++
>>> - tools/tiffcrop.c | 59 ++++++++++++++++++++++++++++++
>>> +++++++++++++++++++++++---
>>> - 2 files changed, 62 insertions(+), 3 deletions(-)
>>> -
>>> -diff --git a/ChangeLog b/ChangeLog
>>> -index db4ea18..5d60608 100644
>>> ---- a/ChangeLog
>>> -+++ b/ChangeLog
>>> -@@ -1,5 +1,11 @@
>>> - 2016-08-15 Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -+      * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
>>> -+      From patch libtiff-CVE-2016-3991.patch from
>>> -+      libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
>>> -+
>>> -+2016-08-15 Even Rouault <even.rouault at spatialys.com>
>>> -+
>>> -       * libtiff/tif_pixarlog.c: Fix write buffer overflow in
>>> PixarLogEncode
>>> -       if more input samples are provided than expected by
>>> PixarLogSetupEncode.
>>> -       Idea based on libtiff-CVE-2016-3990.patch from
>>> -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
>>> -index 27abc0b..ddba7b9 100644
>>> ---- a/tools/tiffcrop.c
>>> -+++ b/tools/tiffcrop.c
>>> -@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in,
>>> uint8* buf,
>>> -     }
>>> -
>>> -   tile_buffsize = tilesize;
>>> -+  if (tilesize == 0 || tile_rowsize == 0)
>>> -+  {
>>> -+     TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize
>>> is zero");
>>> -+     exit(-1);
>>> -+  }
>>> -
>>> -   if (tilesize < (tsize_t)(tl * tile_rowsize))
>>> -     {
>>> -@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in,
>>> uint8* buf,
>>> -               tilesize, tl * tile_rowsize);
>>> - #endif
>>> -     tile_buffsize = tl * tile_rowsize;
>>> --    }
>>> -+    if (tl != (tile_buffsize / tile_rowsize))
>>> -+    {
>>> -+      TIFFError("readContigTilesIntoBuffer", "Integer overflow when
>>> calculating buffer size.");
>>> -+        exit(-1);
>>> -+    }
>>> -+    }
>>> -
>>> -   tilebuf = _TIFFmalloc(tile_buffsize);
>>> -   if (tilebuf == 0)
>>> -@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out,
>>> uint8* buf, uint32 imagelength,
>>> -       !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
>>> -       return 1;
>>> -
>>> -+  if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
>>> -+  {
>>> -+    TIFFError("writeBufferToContigTiles", "Tile size, tile row size,
>>> tile width, or tile length is zero");
>>> -+    exit(-1);
>>> -+  }
>>> -+
>>> -   tile_buffsize = tilesize;
>>> -   if (tilesize < (tsize_t)(tl * tile_rowsize))
>>> -     {
>>> -@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out,
>>> uint8* buf, uint32 imagelength,
>>> -               tilesize, tl * tile_rowsize);
>>> - #endif
>>> -     tile_buffsize = tl * tile_rowsize;
>>> -+    if (tl != tile_buffsize / tile_rowsize)
>>> -+    {
>>> -+      TIFFError("writeBufferToContigTiles", "Integer overflow when
>>> calculating buffer size");
>>> -+      exit(-1);
>>> -+    }
>>> -     }
>>> -
>>> -   tilebuf = _TIFFmalloc(tile_buffsize);
>>> -@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image,
>>> struct dump_opts *dump, unsigned c
>>> -     TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
>>> -
>>> -     tile_rowsize  = TIFFTileRowSize(in);
>>> -+    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
>>> -+    {
>>> -+      TIFFError("loadImage", "File appears to be tiled, but the number
>>> of tiles, tile size, or tile rowsize is zero.");
>>> -+      exit(-1);
>>> -+    }
>>> -     buffsize = tlsize * ntiles;
>>> -+    if (tlsize != (buffsize / ntiles))
>>> -+    {
>>> -+      TIFFError("loadImage", "Integer overflow when calculating buffer
>>> size");
>>> -+      exit(-1);
>>> -+    }
>>> -
>>> --
>>> -     if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
>>> -       {
>>> -       buffsize = ntiles * tl * tile_rowsize;
>>> -+      if (ntiles != (buffsize / tl / tile_rowsize))
>>> -+      {
>>> -+      TIFFError("loadImage", "Integer overflow when calculating buffer
>>> size");
>>> -+      exit(-1);
>>> -+      }
>>> -+
>>> - #ifdef DEBUG2
>>> -       TIFFError("loadImage",
>>> -               "Tilesize %u is too small, using ntiles * tilelength *
>>> tilerowsize %lu",
>>> -@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image,
>>> struct dump_opts *dump, unsigned c
>>> -     TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
>>> -     stsize = TIFFStripSize(in);
>>> -     nstrips = TIFFNumberOfStrips(in);
>>> -+    if (nstrips == 0 || stsize == 0)
>>> -+    {
>>> -+      TIFFError("loadImage", "File appears to be striped, but the
>>> number of stipes or stripe size is zero.");
>>> -+      exit(-1);
>>> -+    }
>>> -+
>>> -     buffsize = stsize * nstrips;
>>> --
>>> -+    if (stsize != (buffsize / nstrips))
>>> -+    {
>>> -+      TIFFError("loadImage", "Integer overflow when calculating buffer
>>> size");
>>> -+      exit(-1);
>>> -+    }
>>> -+    uint32 buffsize_check;
>>> -+    buffsize_check = ((length * width * spp * bps) + 7);
>>> -+    if (length != ((buffsize_check - 7) / width / spp / bps))
>>> -+    {
>>> -+      TIFFError("loadImage", "Integer overflow detected.");
>>> -+      exit(-1);
>>> -+    }
>>> -     if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
>>> -       {
>>> -       buffsize =  ((length * width * spp * bps) + 7) / 8;
>>> ---
>>> -2.7.4
>>> -
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
>>> deleted file mode 100644
>>> index 63c6650..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
>>> +++ /dev/null
>>> @@ -1,49 +0,0 @@
>>> -From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Mon, 11 Jul 2016 21:26:03 +0000
>>> -Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack
>>> - allocated array on a tiled separate TIFF with more than 8 samples per
>>> pixel.
>>> - Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
>>> - (CVE-2016-5321, bugzilla #2558)
>>> -
>>> -CVE: CVE-2016-5321
>>> -Upstream-Status: Backport
>>> -https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51
>>> c5ae9e9b3156527589f0
>>> -
>>> -Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
>>> ----
>>> - ChangeLog        | 7 +++++++
>>> - tools/tiffcrop.c | 2 +-
>>> - 2 files changed, 8 insertions(+), 1 deletion(-)
>>> -
>>> -diff --git a/ChangeLog b/ChangeLog
>>> -index e98d54d..4e0302f 100644
>>> ---- a/ChangeLog
>>> -+++ b/ChangeLog
>>> -@@ -1,3 +1,10 @@
>>> -+2016-07-11 Even Rouault <even.rouault at spatialys.com>
>>> -+
>>> -+      * tools/tiffcrop.c: Avoid access outside of stack allocated array
>>> -+      on a tiled separate TIFF with more than 8 samples per pixel.
>>> -+      Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
>>> -+      (CVE-2016-5321, bugzilla #2558)
>>> -+
>>> - 2015-12-27  Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -       * libtiff/tif_next.c: fix potential out-of-bound write in
>>> NeXTDecode()
>>> -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
>>> -index d959ae3..6fc8fc1 100644
>>> ---- a/tools/tiffcrop.c
>>> -+++ b/tools/tiffcrop.c
>>> -@@ -989,7 +989,7 @@ static int  readSeparateTilesIntoBuffer (TIFF* in,
>>> uint8 *obuf,
>>> -     nrow = (row + tl > imagelength) ? imagelength - row : tl;
>>> -     for (col = 0; col < imagewidth; col += tw)
>>> -       {
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; s < spp && s < MAX_SAMPLES; s++)
>>> -         {  /* Read each plane of a tile set into srcbuffs[s] */
>>> -       tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
>>> -         if (tbytes < 0  && !ignore)
>>> ---
>>> -2.7.4
>>> -
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
>>> deleted file mode 100644
>>> index 41eab91..0000000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
>>> +++ /dev/null
>>> @@ -1,107 +0,0 @@
>>> -From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
>>> -From: erouault <erouault>
>>> -Date: Mon, 11 Jul 2016 21:38:31 +0000
>>> -Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 /
>>> #2559)
>>> -
>>> -CVE: CVE-2016-5323
>>> -Upstream-Status: Backport
>>> -https://github.com/vadz/libtiff/commit/2f79856097f423eb3379
>>> 6a15fcf700d2ea41bf31
>>> -
>>> -Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
>>> ----
>>> - ChangeLog        |  2 +-
>>> - tools/tiffcrop.c | 16 ++++++++--------
>>> - 2 files changed, 9 insertions(+), 9 deletions(-)
>>> -
>>> -diff --git a/ChangeLog b/ChangeLog
>>> -index 4e0302f..62dc1b5 100644
>>> ---- a/ChangeLog
>>> -+++ b/ChangeLog
>>> -@@ -3,7 +3,7 @@
>>> -       * tools/tiffcrop.c: Avoid access outside of stack allocated array
>>> -       on a tiled separate TIFF with more than 8 samples per pixel.
>>> -       Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
>>> --      (CVE-2016-5321, bugzilla #2558)
>>> -+      (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
>>> -
>>> - 2016-07-10 Even Rouault <even.rouault at spatialys.com>
>>> -
>>> -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
>>> -index 6fc8fc1..27abc0b 100644
>>> ---- a/tools/tiffcrop.c
>>> -+++ b/tools/tiffcrop.c
>>> -@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8
>>> *out, uint32 cols,
>>> -
>>> -       matchbits = maskbits << (8 - src_bit - bps);
>>> -       /* load up next sample from each plane */
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
>>> -         {
>>> -       src = in[s] + src_offset + src_byte;
>>> -         buff1 = ((*src) & matchbits) << (src_bit);
>>> -@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8
>>> *out, uint32 cols,
>>> -       src_bit  = bit_offset % 8;
>>> -
>>> -       matchbits = maskbits << (16 - src_bit - bps);
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
>>> -         {
>>> -       src = in[s] + src_offset + src_byte;
>>> -         if (little_endian)
>>> -@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8
>>> *out, uint32 cols,
>>> -       src_bit  = bit_offset % 8;
>>> -
>>> -       matchbits = maskbits << (32 - src_bit - bps);
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
>>> -         {
>>> -       src = in[s] + src_offset + src_byte;
>>> -         if (little_endian)
>>> -@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8
>>> *out, uint32 cols,
>>> -       src_bit  = bit_offset % 8;
>>> -
>>> -       matchbits = maskbits << (64 - src_bit - bps);
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
>>> -       {
>>> -       src = in[s] + src_offset + src_byte;
>>> -       if (little_endian)
>>> -@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[],
>>> uint8 *out, uint32 cols,
>>> -
>>> -       matchbits = maskbits << (8 - src_bit - bps);
>>> -       /* load up next sample from each plane */
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
>>> -         {
>>> -       src = in[s] + src_offset + src_byte;
>>> -         buff1 = ((*src) & matchbits) << (src_bit);
>>> -@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[],
>>> uint8 *out, uint32 cols,
>>> -       src_bit  = bit_offset % 8;
>>> -
>>> -       matchbits = maskbits << (16 - src_bit - bps);
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
>>> -         {
>>> -       src = in[s] + src_offset + src_byte;
>>> -         if (little_endian)
>>> -@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[],
>>> uint8 *out, uint32 cols,
>>> -       src_bit  = bit_offset % 8;
>>> -
>>> -       matchbits = maskbits << (32 - src_bit - bps);
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
>>> -         {
>>> -       src = in[s] + src_offset + src_byte;
>>> -         if (little_endian)
>>> -@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[],
>>> uint8 *out, uint32 cols,
>>> -       src_bit  = bit_offset % 8;
>>> -
>>> -       matchbits = maskbits << (64 - src_bit - bps);
>>> --      for (s = 0; s < spp; s++)
>>> -+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
>>> -       {
>>> -       src = in[s] + src_offset + src_byte;
>>> -       if (little_endian)
>>> ---
>>> -2.7.4
>>> -
>>> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
>>> b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
>>> similarity index 74%
>>> rename from meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
>>> rename to meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
>>> index 796d86e..52fc553 100644
>>> --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
>>> +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
>>> @@ -4,21 +4,10 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db4
>>> 6fab7501992f9615d7e158cf"
>>>     SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
>>>              file://libtool2.patch \
>>> -           file://CVE-2015-8665_8683.patch \
>>> -           file://CVE-2015-8781.patch \
>>> -           file://CVE-2015-8784.patch \
>>> -           file://CVE-2016-3186.patch \
>>> -           file://CVE-2016-5321.patch \
>>> -           file://CVE-2016-5323.patch \
>>> -           file://CVE-2016-3945.patch \
>>> -           file://CVE-2016-3990.patch \
>>> -           file://CVE-2016-3991.patch \
>>> -           file://CVE-2016-3623.patch \
>>> -           file://CVE-2016-3622.patch \
>>>             "
>>>   -SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
>>> -SRC_URI[sha256sum] = "4d57a50907b510e3049a4bba0d788
>>> 8930fdfc16ce49f1bf693e5b6247370d68c"
>>> +SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
>>> +SRC_URI[sha256sum] = "9f43a2cfb9589e5cecaa66e16bf87
>>> f814c945f22df7ba600d63aac4632c4f019"
>>>     # exclude betas
>>>   UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
>>>
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core at lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>>
> 



More information about the Openembedded-core mailing list