[OE-core] [PATCH]] libtiff: Update to 4.0.7
Armin Kuster
akuster808 at gmail.com
Sat Dec 10 17:38:43 UTC 2016
Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.
CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632
plus more that are not identified in the changelog.
removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../libtiff/files/CVE-2015-8665_8683.patch | 137 -------
.../libtiff/files/CVE-2015-8781.patch | 195 ----------
.../libtiff/files/CVE-2015-8784.patch | 73 ----
.../libtiff/files/CVE-2016-3186.patch | 24 --
.../libtiff/files/CVE-2016-3622.patch | 129 -------
.../libtiff/files/CVE-2016-3623.patch | 52 ---
.../libtiff/files/CVE-2016-3632.patch | 34 --
.../libtiff/files/CVE-2016-3658.patch | 111 ------
.../libtiff/files/CVE-2016-3945.patch | 118 ------
.../libtiff/files/CVE-2016-3990.patch | 66 ----
.../libtiff/files/CVE-2016-3991.patch | 147 -------
.../libtiff/files/CVE-2016-5321.patch | 49 ---
.../libtiff/files/CVE-2016-5323.patch | 107 ------
.../libtiff/files/CVE-2016-9535-1.patch | 423 ---------------------
.../libtiff/files/CVE-2016-9535-2.patch | 67 ----
.../libtiff/files/CVE-2016-9538.patch | 67 ----
.../libtiff/files/CVE-2016-9539.patch | 60 ---
.../libtiff/files/CVE-2016-9540.patch | 60 ---
.../libtiff/files/Fix_several_CVE_issues.patch | 281 --------------
.../libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} | 23 +-
20 files changed, 2 insertions(+), 2221 deletions(-)
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
rename meta/recipes-multimedia/libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} (65%)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
deleted file mode 100644
index 39c5059..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 26 Dec 2015 17:32:03 +0000
-Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
- TIFFRGBAImage interface in case of unsupported values of
- SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
- TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
- limingxing and CVE-2015-8683 reported by zzf of Alibaba.
-
-Upstream-Status: Backport
-CVE: CVE-2015-8665
-CVE: CVE-2015-8683
-https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
-
-Signed-off-by: Armin Kuster <akuster at mvista.com>
-
----
- ChangeLog | 8 ++++++++
- libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
- 2 files changed, 30 insertions(+), 13 deletions(-)
-
-Index: tiff-4.0.6/libtiff/tif_getimage.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_getimage.c
-+++ tiff-4.0.6/libtiff/tif_getimage.c
-@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
- "Planarconfiguration", td->td_planarconfig);
- return (0);
- }
-- if( td->td_samplesperpixel != 3 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
- {
- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d",
-- "Samples/pixel", td->td_samplesperpixel);
-+ "Sorry, can not handle image with %s=%d, %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels);
- return 0;
- }
- break;
- case PHOTOMETRIC_CIELAB:
-- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
- {
- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d and %s=%d",
-+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels,
- "Bits/sample", td->td_bitspersample);
- return 0;
- }
-@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
- int colorchannels;
- uint16 *red_orig, *green_orig, *blue_orig;
- int n_color;
-+
-+ if( !TIFFRGBAImageOK(tif, emsg) )
-+ return 0;
-
- /* Initialize to normal values */
- img->row_offset = 0;
-@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
- case PHOTOMETRIC_RGB:
- switch (img->bitspersample) {
- case 8:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >= 4)
- img->put.contig = putRGBAAcontig8bittile;
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >= 4)
- {
- if (BuildMapUaToAa(img))
- img->put.contig = putRGBUAcontig8bittile;
- }
-- else
-+ else if( img->samplesperpixel >= 3 )
- img->put.contig = putRGBcontig8bittile;
- break;
- case 16:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >=4 )
- {
- if (BuildMapBitdepth16To8(img))
- img->put.contig = putRGBAAcontig16bittile;
- }
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >=4 )
- {
- if (BuildMapBitdepth16To8(img) &&
- BuildMapUaToAa(img))
- img->put.contig = putRGBUAcontig16bittile;
- }
-- else
-+ else if( img->samplesperpixel >=3 )
- {
- if (BuildMapBitdepth16To8(img))
- img->put.contig = putRGBcontig16bittile;
-@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
- }
- break;
- case PHOTOMETRIC_SEPARATED:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel >=4 && buildMap(img)) {
- if (img->bitspersample == 8) {
- if (!img->Map)
- img->put.contig = putRGBcontig8bitCMYKtile;
-@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
- }
- break;
- case PHOTOMETRIC_CIELAB:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel == 3 && buildMap(img)) {
- if (img->bitspersample == 8)
- img->put.contig = initCIELabConversion(img);
- break;
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog
-+++ tiff-4.0.6/ChangeLog
-@@ -1,3 +1,11 @@
-+2015-12-26 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
-+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
-+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
-+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
-+ CVE-2015-8683 reported by zzf of Alibaba.
-+
- 2015-09-12 Bob Friesenhahn <bfriesen at simple.dallas.tx.us>
-
- * libtiff 4.0.6 released.
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
deleted file mode 100644
index 0846f0f..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 27 Dec 2015 16:25:11 +0000
-Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
- decode functions in non debug builds by replacing assert()s by regular if
- checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
- input data.
-
-Upstream-Status: Backport
-
-https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
-hand applied Changelog changes
-
-CVE: CVE-2015-8781
-
-Signed-off-by: Armin Kuster <akuster at mvista.com>
----
- ChangeLog | 7 +++++++
- libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
- 2 files changed, 51 insertions(+), 11 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog
-+++ tiff-4.0.4/ChangeLog
-@@ -1,3 +1,10 @@
-+2015-12-27 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
-+ functions in non debug builds by replacing assert()s by regular if
-+ checks (bugzilla #2522).
-+ Fix potential out-of-bound reads in case of short input data.
-+
- 2015-12-26 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
-Index: tiff-4.0.4/libtiff/tif_luv.c
-===================================================================
---- tiff-4.0.4.orig/libtiff/tif_luv.c
-+++ tiff-4.0.4/libtiff/tif_luv.c
-@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
- if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
- tp = (int16*) op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (int16*) sp->tbuf;
- }
- _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
- cc = tif->tif_rawcc;
- /* get each byte string */
- for (shft = 2*8; (shft -= 8) >= 0; ) {
-- for (i = 0; i < npixels && cc > 0; )
-+ for (i = 0; i < npixels && cc > 0; ) {
- if (*bp >= 128) { /* run */
-- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+ if( cc < 2 )
-+ break;
-+ rc = *bp++ + (2-128);
- b = (int16)(*bp++ << shft);
- cc -= 2;
- while (rc-- && i < npixels)
-@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
- while (--cc && rc-- && i < npixels)
- tp[i++] |= (int16)*bp++ << shft;
- }
-+ }
- if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
-@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
- if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- tp = (uint32 *)op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (uint32 *) sp->tbuf;
- }
- /* copy to array of uint32 */
- bp = (unsigned char*) tif->tif_rawcp;
- cc = tif->tif_rawcc;
-- for (i = 0; i < npixels && cc > 0; i++) {
-+ for (i = 0; i < npixels && cc >= 3; i++) {
- tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
- bp += 3;
- cc -= 3;
-@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
- if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- tp = (uint32*) op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (uint32*) sp->tbuf;
- }
- _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
- cc = tif->tif_rawcc;
- /* get each byte string */
- for (shft = 4*8; (shft -= 8) >= 0; ) {
-- for (i = 0; i < npixels && cc > 0; )
-+ for (i = 0; i < npixels && cc > 0; ) {
- if (*bp >= 128) { /* run */
-+ if( cc < 2 )
-+ break;
- rc = *bp++ + (2-128);
- b = (uint32)*bp++ << shft;
-- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+ cc -= 2;
- while (rc-- && i < npixels)
- tp[i++] |= b;
- } else { /* non-run */
-@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
- while (--cc && rc-- && i < npixels)
- tp[i++] |= (uint32)*bp++ << shft;
- }
-+ }
- if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
-@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
- static int
- LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogL16Encode";
- LogLuvState* sp = EncoderState(tif);
- int shft;
- tmsize_t i;
-@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
- tp = (int16*) bp;
- else {
- tp = (int16*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* compress each byte string */
-@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
- static int
- LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogLuvEncode24";
- LogLuvState* sp = EncoderState(tif);
- tmsize_t i;
- tmsize_t npixels;
-@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
- tp = (uint32*) bp;
- else {
- tp = (uint32*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* write out encoded pixels */
-@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
- static int
- LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogLuvEncode32";
- LogLuvState* sp = EncoderState(tif);
- int shft;
- tmsize_t i;
-@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
- tp = (uint32*) bp;
- else {
- tp = (uint32*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* compress each byte string */
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
deleted file mode 100644
index 0caf800..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 27 Dec 2015 16:55:20 +0000
-Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
- NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
- (bugzilla #2508)
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
-hand applied Changelog changes
-
-CVE: CVE-2015-8784
-Signed-off-by: Armin Kuster <akuster at mvista.com>
-
----
- ChangeLog | 6 ++++++
- libtiff/tif_next.c | 10 ++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog
-+++ tiff-4.0.4/ChangeLog
-@@ -1,5 +1,11 @@
- 2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
-+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
-+ (bugzilla #2508)
-+
-+2015-12-27 Even Rouault <even.rouault at spatialys.com>
-+
- * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
- functions in non debug builds by replacing assert()s by regular if
- checks (bugzilla #2522).
-Index: tiff-4.0.4/libtiff/tif_next.c
-===================================================================
---- tiff-4.0.4.orig/libtiff/tif_next.c
-+++ tiff-4.0.4/libtiff/tif_next.c
-@@ -37,7 +37,7 @@
- case 0: op[0] = (unsigned char) ((v) << 6); break; \
- case 1: op[0] |= (v) << 4; break; \
- case 2: op[0] |= (v) << 2; break; \
-- case 3: *op++ |= (v); break; \
-+ case 3: *op++ |= (v); op_offset++; break; \
- } \
- }
-
-@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
- uint32 imagewidth = tif->tif_dir.td_imagewidth;
- if( isTiled(tif) )
- imagewidth = tif->tif_dir.td_tilewidth;
-+ tmsize_t op_offset = 0;
-
- /*
- * The scanline is composed of a sequence of constant
-@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
- * bounds, potentially resulting in a security
- * issue.
- */
-- while (n-- > 0 && npixels < imagewidth)
-+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
- SETPIXEL(op, grey);
- if (npixels >= imagewidth)
- break;
-+ if (op_offset >= scanline ) {
-+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
-+ (long) tif->tif_row);
-+ return (0);
-+ }
- if (cc == 0)
- goto bad;
- n = *bp++, cc--;
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
deleted file mode 100644
index 4a08aba..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Buffer overflow in the readextension function in gif2tiff.c
-allows remote attackers to cause a denial of service via a crafted GIF file.
-
-External References:
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
-https://bugzilla.redhat.com/show_bug.cgi?id=1319503
-
-CVE: CVE-2016-3186
-Upstream-Status: Backport (RedHat)
-https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
-
---- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200
-+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200
-@@ -349,7 +349,7 @@
- int status = 1;
-
- (void) getc(infile);
-- while ((count = getc(infile)) && count <= 255)
-+ while ((count = getc(infile)) && count >= 0 && count <= 255)
- if (fread(buf, 1, count, infile) != (size_t) count) {
- fprintf(stderr, "short read from file %s (%s)\n",
- filename, strerror(errno));
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
deleted file mode 100644
index 0c8b716..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
-From: bfriesen <bfriesen>
-Date: Sat, 24 Sep 2016 23:11:55 +0000
-Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
- to read floating point images.
-
-* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
-requirements of floating point predictor (3). Fixes CVE-2016-3622
-"Divide By Zero in the tiff2rgba tool."
-
-CVE: CVE-2016-3622
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog | 11 ++++++++++-
- libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
- libtiff/tif_predict.c | 11 ++++++++++-
- 3 files changed, 40 insertions(+), 20 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 26d6f47..a628277 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,12 @@
-+2016-09-24 Bob Friesenhahn <bfriesen at simple.dallas.tx.us>
-+
-+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-+ read floating point images.
-+
-+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
-+ requirements of floating point predictor (3). Fixes CVE-2016-3622
-+ "Divide By Zero in the tiff2rgba tool."
-+
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
- * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index 386cee0..3e689ee 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
- td->td_bitspersample);
- return (0);
- }
-+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
-+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
-+ return (0);
-+ }
- colorchannels = td->td_samplesperpixel - td->td_extrasamples;
- if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
- switch (colorchannels) {
-@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
- "Planarconfiguration", td->td_planarconfig);
- return (0);
- }
-- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
-- {
-- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d, %s=%d",
-- "Samples/pixel", td->td_samplesperpixel,
-- "colorchannels", colorchannels);
-- return 0;
-- }
-+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
-+ sprintf(emsg,
-+ "Sorry, can not handle image with %s=%d, %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels);
-+ return 0;
-+ }
- break;
- case PHOTOMETRIC_CIELAB:
-- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
-- {
-- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-- "Samples/pixel", td->td_samplesperpixel,
-- "colorchannels", colorchannels,
-- "Bits/sample", td->td_bitspersample);
-- return 0;
-- }
-+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
-+ sprintf(emsg,
-+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels,
-+ "Bits/sample", td->td_bitspersample);
-+ return 0;
-+ }
- break;
-- default:
-+ default:
- sprintf(emsg, "Sorry, can not handle image with %s=%d",
- photoTag, photometric);
- return (0);
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index 081eb11..555f2f9 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
- td->td_sampleformat);
- return 0;
- }
-+ if (td->td_bitspersample != 16
-+ && td->td_bitspersample != 24
-+ && td->td_bitspersample != 32
-+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Floating point \"Predictor\" not supported with %d-bit samples",
-+ td->td_bitspersample);
-+ return 0;
-+ }
- break;
- default:
- TIFFErrorExt(tif->tif_clientdata, module,
-@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
- }
- /*
- * Allocate buffer to keep the decoded bytes before
-- * rearranging in the ight order
-+ * rearranging in the right order
- */
- }
-
---
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
deleted file mode 100644
index f554ac5..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 21:26:56 +0000
-Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
- to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
-
-CVE: CVE-2016-3623
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog | 5 +++++
- tools/rgb2ycbcr.c | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/ChangeLog b/ChangeLog
-index 5d60608..3e6642a 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,10 @@
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
-+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
- * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
- From patch libtiff-CVE-2016-3991.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
-index 3829d6b..51f4259 100644
---- a/tools/rgb2ycbcr.c
-+++ b/tools/rgb2ycbcr.c
-@@ -95,9 +95,13 @@ main(int argc, char* argv[])
- break;
- case 'h':
- horizSubSampling = atoi(optarg);
-+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
-+ usage(-1);
- break;
- case 'v':
- vertSubSampling = atoi(optarg);
-+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
-+ usage(-1);
- break;
- case 'r':
- rowsperstrip = atoi(optarg);
---
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
deleted file mode 100644
index a839250..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro at redhat.com>
-Date: Mon, 11 Jul 2016 16:04:34 +0200
-Subject: [PATCH 4/8] Fix CVE-2016-3632
-
-CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
-LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service
-(out-of-bounds write) or execute arbitrary code via a crafted TIFF image.
-
-CVE: CVE-2016-3632
-Upstream-Status: Backport [RedHat RHEL7]
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- tools/thumbnail.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index fd1cba5..75e7009 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -253,7 +253,8 @@ static struct cpTag {
- { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL },
- { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL },
- { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT },
-- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
-+ // disable BADFAXLINES, CVE-2016-3632
-+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
- { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
- { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
- { TIFFTAG_INKSET, 1, TIFF_SHORT },
---
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
deleted file mode 100644
index 6cb12f2..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From: 45c68450bef8ad876f310b495165c513cad8b67d
-From: Even Rouault <even.rouault at spatialys.com>
-
-* libtiff/tif_dir.c: discard values of SMinSampleValue and
-SMaxSampleValue when they have been read and the value of
-SamplesPerPixel is changed afterwards (like when reading a
-OJPEG compressed image with a missing SamplesPerPixel tag,
-and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
-being 3). Otherwise when rewriting the directory (for example
-with tiffset, we will expect 3 values whereas the array had been
-allocated with just one), thus causing a out of bound read access.
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
-when writing directory, if FIELD_STRIPOFFSETS was artificially set
-for a hack case in OJPEG case.
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-CVE: CVE-2016-3658
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
-
-Signed-off-by: Zhixiong.Chi <zhixiong.chi at windriver.com>
-
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
-+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
-@@ -1,3 +1,22 @@
-+2016-10-25 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
-+ SMaxSampleValue when they have been read and the value of
-+ SamplesPerPixel is changed afterwards (like when reading a
-+ OJPEG compressed image with a missing SamplesPerPixel tag,
-+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
-+ being 3). Otherwise when rewriting the directory (for example
-+ with tiffset, we will expect 3 values whereas the array had been
-+ allocated with just one), thus causing a out of bound read access.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ (CVE-2014-8127, duplicate: CVE-2016-3658)
-+
-+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
-+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
-+ for a hack case in OJPEG case.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ (CVE-2014-8127, duplicate: CVE-2016-3658)
-+
- 2016-09-24 Bob Friesenhahn <bfriesen at simple.dallas.tx.us>
-
- * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-Index: tiff-4.0.6/libtiff/tif_dir.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
-+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
-@@ -254,6 +254,28 @@
- v = (uint16) va_arg(ap, uint16_vap);
- if (v == 0)
- goto badvalue;
-+ if( v != td->td_samplesperpixel )
-+ {
-+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
-+ if( td->td_sminsamplevalue != NULL )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,
-+ "SamplesPerPixel tag value is changing, "
-+ "but SMinSampleValue tag was read with a different value. Cancelling it");
-+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
-+ _TIFFfree(td->td_sminsamplevalue);
-+ td->td_sminsamplevalue = NULL;
-+ }
-+ if( td->td_smaxsamplevalue != NULL )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,
-+ "SamplesPerPixel tag value is changing, "
-+ "but SMaxSampleValue tag was read with a different value. Cancelling it");
-+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
-+ _TIFFfree(td->td_smaxsamplevalue);
-+ td->td_smaxsamplevalue = NULL;
-+ }
-+ }
- td->td_samplesperpixel = (uint16) v;
- break;
- case TIFFTAG_ROWSPERSTRIP:
-Index: tiff-4.0.6/libtiff/tif_dirwrite.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
-+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
-@@ -542,7 +542,19 @@
- {
- if (!isTiled(tif))
- {
-- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
-+ /* td_stripoffset might be NULL in an odd OJPEG case. See
-+ * tif_dirread.c around line 3634.
-+ * XXX: OJPEG hack.
-+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
-+ * and c) the number of strips is 1,
-+ * then we tolerate the absence of stripoffsets tag,
-+ * because, presumably, all required data is in the
-+ * JpegInterchangeFormat stream.
-+ * We can get here when using tiffset on such a file.
-+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ */
-+ if (tif->tif_dir.td_stripoffset != NULL &&
-+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
- goto bad;
- }
- else
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
deleted file mode 100644
index 4d965be..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:06:40 +0000
-Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
- allocated buffer, when -b mode is enabled, that could result in out-of-bounds
- write. Based initially on patch tiff-CVE-2016-3945.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
- tests that rejected valid files.
-
-CVE: CVE-2016-3945
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog | 8 ++++++++
- tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
- 2 files changed, 38 insertions(+), 4 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 62dc1b5..9c0ab29 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,11 @@
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
-+ buffer, when -b mode is enabled, that could result in out-of-bounds
-+ write. Based initially on patch tiff-CVE-2016-3945.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
-+ invalid tests that rejected valid files.
-+
- 2016-07-11 Even Rouault <even.rouault at spatialys.com>
-
- * tools/tiffcrop.c: Avoid access outside of stack allocated array
-diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
-index b7a81eb..16e3dc4 100644
---- a/tools/tiff2rgba.c
-+++ b/tools/tiff2rgba.c
-@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
- uint32 row, col;
- uint32 *wrk_line;
- int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
- /*
- * Allocate tile buffer
- */
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ rastersize = tile_width * tile_height * sizeof (uint32);
-+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
- * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
- */
-- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+ wrk_linesize = tile_width * sizeof (uint32);
-+ if (tile_width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
- if (!wrk_line) {
- TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
- ok = 0;
-@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
- uint32 row;
- uint32 *wrk_line;
- int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
- /*
- * Allocate strip buffer
- */
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ rastersize = width * rowsperstrip * sizeof (uint32);
-+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
- * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
- */
-- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+ wrk_linesize = width * sizeof (uint32);
-+ if (width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
- if (!wrk_line) {
- TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
- ok = 0;
---
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
deleted file mode 100644
index 7bf52ee..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:49:48 +0000
-Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
- PixarLogEncode if more input samples are provided than expected by
- PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
- simpler check. (bugzilla #2544)
-
-invalid tests that rejected valid files. (bugzilla #2545)
-
-CVE: CVE-2016-3990
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog | 10 +++++++++-
- libtiff/tif_pixarlog.c | 7 +++++++
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 9c0ab29..db4ea18 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,10 +1,18 @@
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
-+ if more input samples are provided than expected by PixarLogSetupEncode.
-+ Idea based on libtiff-CVE-2016-3990.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
-+ simpler check. (bugzilla #2544)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
- * tools/tiff2rgba.c: Fix integer overflow in size of allocated
- buffer, when -b mode is enabled, that could result in out-of-bounds
- write. Based initially on patch tiff-CVE-2016-3945.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
-- invalid tests that rejected valid files.
-+ invalid tests that rejected valid files. (bugzilla #2545)
-
- 2016-07-11 Even Rouault <even.rouault at spatialys.com>
-
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index e78f788..28329d1 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- }
-
- llen = sp->stride * td->td_imagewidth;
-+ /* Check against the number of elements (of size uint16) of sp->tbuf */
-+ if( n > td->td_rowsperstrip * llen )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Too many input bytes provided");
-+ return 0;
-+ }
-
- for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
- switch (sp->user_datafmt) {
---
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
deleted file mode 100644
index 27dfd37..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 21:05:40 +0000
-Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
- loadImage(). From patch libtiff-CVE-2016-3991.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-
-CVE: CVE-2016-3991
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog | 6 ++++++
- tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
- 2 files changed, 62 insertions(+), 3 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index db4ea18..5d60608 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,11 @@
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
-
-+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
-+ From patch libtiff-CVE-2016-3991.patch from
-+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
- * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
- if more input samples are provided than expected by PixarLogSetupEncode.
- Idea based on libtiff-CVE-2016-3990.patch from
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 27abc0b..ddba7b9 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
- }
-
- tile_buffsize = tilesize;
-+ if (tilesize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
-+ exit(-1);
-+ }
-
- if (tilesize < (tsize_t)(tl * tile_rowsize))
- {
-@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
- tilesize, tl * tile_rowsize);
- #endif
- tile_buffsize = tl * tile_rowsize;
-- }
-+ if (tl != (tile_buffsize / tile_rowsize))
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+ exit(-1);
-+ }
-+ }
-
- tilebuf = _TIFFmalloc(tile_buffsize);
- if (tilebuf == 0)
-@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
- !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
- return 1;
-
-+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
-+ exit(-1);
-+ }
-+
- tile_buffsize = tilesize;
- if (tilesize < (tsize_t)(tl * tile_rowsize))
- {
-@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
- tilesize, tl * tile_rowsize);
- #endif
- tile_buffsize = tl * tile_rowsize;
-+ if (tl != tile_buffsize / tile_rowsize)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
- }
-
- tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
- TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
-
- tile_rowsize = TIFFTileRowSize(in);
-+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
-+ exit(-1);
-+ }
- buffsize = tlsize * ntiles;
-+ if (tlsize != (buffsize / ntiles))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-
--
- if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
- {
- buffsize = ntiles * tl * tile_rowsize;
-+ if (ntiles != (buffsize / tl / tile_rowsize))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+
- #ifdef DEBUG2
- TIFFError("loadImage",
- "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
- TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
- stsize = TIFFStripSize(in);
- nstrips = TIFFNumberOfStrips(in);
-+ if (nstrips == 0 || stsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
-+ exit(-1);
-+ }
-+
- buffsize = stsize * nstrips;
--
-+ if (stsize != (buffsize / nstrips))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+ uint32 buffsize_check;
-+ buffsize_check = ((length * width * spp * bps) + 7);
-+ if (length != ((buffsize_check - 7) / width / spp / bps))
-+ {
-+ TIFFError("loadImage", "Integer overflow detected.");
-+ exit(-1);
-+ }
- if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
- {
- buffsize = ((length * width * spp * bps) + 7) / 8;
---
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
deleted file mode 100644
index 63c6650..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 11 Jul 2016 21:26:03 +0000
-Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack
- allocated array on a tiled separate TIFF with more than 8 samples per pixel.
- Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
- (CVE-2016-5321, bugzilla #2558)
-
-CVE: CVE-2016-5321
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog | 7 +++++++
- tools/tiffcrop.c | 2 +-
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index e98d54d..4e0302f 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+2016-07-11 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiffcrop.c: Avoid access outside of stack allocated array
-+ on a tiled separate TIFF with more than 8 samples per pixel.
-+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
-+ (CVE-2016-5321, bugzilla #2558)
-+
- 2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index d959ae3..6fc8fc1 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
- nrow = (row + tl > imagelength) ? imagelength - row : tl;
- for (col = 0; col < imagewidth; col += tw)
- {
-- for (s = 0; s < spp; s++)
-+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
- { /* Read each plane of a tile set into srcbuffs[s] */
- tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
- if (tbytes < 0 && !ignore)
---
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
deleted file mode 100644
index 41eab91..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 11 Jul 2016 21:38:31 +0000
-Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
-
-CVE: CVE-2016-5323
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog | 2 +-
- tools/tiffcrop.c | 16 ++++++++--------
- 2 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 4e0302f..62dc1b5 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -3,7 +3,7 @@
- * tools/tiffcrop.c: Avoid access outside of stack allocated array
- on a tiled separate TIFF with more than 8 samples per pixel.
- Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
-- (CVE-2016-5321, bugzilla #2558)
-+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
-
- 2016-07-10 Even Rouault <even.rouault at spatialys.com>
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 6fc8fc1..27abc0b 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
-
- matchbits = maskbits << (8 - src_bit - bps);
- /* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
-
- matchbits = maskbits << (8 - src_bit - bps);
- /* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
---
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
deleted file mode 100644
index 26fd0df..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
+++ /dev/null
@@ -1,423 +0,0 @@
-From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 31 Oct 2016 17:24:26 +0000
-Subject: [PATCH 1/2] Fix CVE-2016-9535
-
-* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
- assertions by runtime checks to avoid assertions in debug mode, or buffer
- overflows in release mode. Can happen when dealing with unusual tile size
- like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
- Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
- libtiff/tif_predict.h | 6 +-
- 2 files changed, 121 insertions(+), 47 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index 555f2f9..b829259 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -34,18 +34,18 @@
-
- #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
-
--static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
- static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
- static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
- static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
-@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
- /* - when storing into the byte stream, we explicitly mask with 0xff so */
- /* as to make icc -check=conversions happy (not necessary by the standard) */
-
--static void
-+static int
- horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-
- unsigned char* cp = (unsigned char*) cp0;
-- assert((cc%stride)==0);
-+ if((cc%stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
-+ "%s", "(cc%stride)!=0");
-+ return 0;
-+ }
-+
- if (cc > stride) {
- /*
- * Pipeline the most common cases.
-@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
- } while (cc>0);
- }
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
- TIFFSwabArrayOfShort(wp, wc);
-- horAcc16(tif, cp0, cc);
-+ return horAcc16(tif, cp0, cc);
- }
-
--static void
-+static int
- horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
-- assert((cc%(2*stride))==0);
-+ if((cc%(2*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
-+ "%s", "cc%(2*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
- TIFFSwabArrayOfLong(wp, wc);
-- horAcc32(tif, cp0, cc);
-+ return horAcc32(tif, cp0, cc);
- }
-
--static void
-+static int
- horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
-- assert((cc%(4*stride))==0);
-+ if((cc%(4*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
-+ "%s", "cc%(4*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
- /*
- * Floating point predictor accumulation routine.
- */
--static void
-+static int
- fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-
-- assert((cc%(bps*stride))==0);
-+ if(cc%(bps*stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
-+ "%s", "cc%(bps*stride))!=0");
-+ return 0;
-+ }
-
- if (!tmp)
-- return;
-+ return 0;
-
- while (count > stride) {
- REPEAT4(stride, cp[stride] =
-@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- }
- }
- _TIFFfree(tmp);
-+ return 1;
- }
-
- /*
-@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- assert(sp->decodepfunc != NULL);
-
- if ((*sp->decoderow)(tif, op0, occ0, s)) {
-- (*sp->decodepfunc)(tif, op0, occ0);
-- return 1;
-+ return (*sp->decodepfunc)(tif, op0, occ0);
- } else
- return 0;
- }
-@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- if ((*sp->decodetile)(tif, op0, occ0, s)) {
- tmsize_t rowsize = sp->rowsize;
- assert(rowsize > 0);
-- assert((occ0%rowsize)==0);
-+ if((occ0%rowsize) !=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
-+ "%s", "occ0%rowsize != 0");
-+ return 0;
-+ }
- assert(sp->decodepfunc != NULL);
- while (occ0 > 0) {
-- (*sp->decodepfunc)(tif, op0, rowsize);
-+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
-+ return 0;
- occ0 -= rowsize;
- op0 += rowsize;
- }
-@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- return 0;
- }
-
--static void
-+static int
- horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
- tmsize_t stride = sp->stride;
- unsigned char* cp = (unsigned char*) cp0;
-
-- assert((cc%stride)==0);
-+ if((cc%stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+ "%s", "(cc%stride)!=0");
-+ return 0;
-+ }
-
- if (cc > stride) {
- cc -= stride;
-@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
- } while ((cc -= stride) > 0);
- }
- }
-+ return 1;
- }
-
--static void
-+static int
- horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
-@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint16 *wp = (uint16*) cp0;
- tmsize_t wc = cc/2;
-
-- assert((cc%(2*stride))==0);
-+ if((cc%(2*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+ "%s", "(cc%(2*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
-- horDiff16(tif, cp0, cc);
-+ if( !horDiff16(tif, cp0, cc) )
-+ return 0;
-
- TIFFSwabArrayOfShort(wp, wc);
-+ return 1;
- }
-
--static void
-+static int
- horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
-@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint32 *wp = (uint32*) cp0;
- tmsize_t wc = cc/4;
-
-- assert((cc%(4*stride))==0);
-+ if((cc%(4*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
-+ "%s", "(cc%(4*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
-- horDiff32(tif, cp0, cc);
-+ if( !horDiff32(tif, cp0, cc) )
-+ return 0;
-
- TIFFSwabArrayOfLong(wp, wc);
-+ return 1;
- }
-
- /*
- * Floating point predictor differencing routine.
- */
--static void
-+static int
- fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-
-- assert((cc%(bps*stride))==0);
--
-+ if((cc%(bps*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
-+ "%s", "(cc%(bps*stride))!=0");
-+ return 0;
-+ }
- if (!tmp)
-- return;
-+ return 0;
-
- _TIFFmemcpy(tmp, cp0, cc);
- for (count = 0; count < wc; count++) {
-@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- cp += cc - stride - 1;
- for (count = cc; count > stride; count -= stride)
- REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
-+ return 1;
- }
-
- static int
-@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- assert(sp->encoderow != NULL);
-
- /* XXX horizontal differencing alters user's data XXX */
-- (*sp->encodepfunc)(tif, bp, cc);
-+ if( !(*sp->encodepfunc)(tif, bp, cc) )
-+ return 0;
- return (*sp->encoderow)(tif, bp, cc, s);
- }
-
-@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
-
- rowsize = sp->rowsize;
- assert(rowsize > 0);
-- assert((cc0%rowsize)==0);
-+ if((cc0%rowsize)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
-+ "%s", "(cc0%rowsize)!=0");
-+ return 0;
-+ }
- while (cc > 0) {
- (*sp->encodepfunc)(tif, bp, rowsize);
- cc -= rowsize;
-diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
-index 91330cc..9e485a4 100644
---- a/libtiff/tif_predict.h
-+++ b/libtiff/tif_predict.h
-@@ -30,6 +30,8 @@
- * ``Library-private'' Support for the Predictor Tag
- */
-
-+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
-+
- /*
- * Codecs that want to support the Predictor tag must place
- * this structure first in their private state block so that
-@@ -43,12 +45,12 @@ typedef struct {
- TIFFCodeMethod encoderow; /* parent codec encode/decode row */
- TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
- TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
-- TIFFPostMethod encodepfunc; /* horizontal differencer */
-+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
-
- TIFFCodeMethod decoderow; /* parent codec encode/decode row */
- TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
- TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
-- TIFFPostMethod decodepfunc; /* horizontal accumulator */
-+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
-
- TIFFVGetMethod vgetparent; /* super-class method */
- TIFFVSetMethod vsetparent; /* super-class method */
---
-2.9.3
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
deleted file mode 100644
index 977dbf6..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 4 Nov 2016 09:19:13 +0000
-Subject: [PATCH 2/2] Fix CVE-2016-9535
-* libtiff/tif_predic.c: fix memory leaks in error code
- paths added in previous commit (fix for MSVR 35105)
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- libtiff/tif_predict.c | 8 ++++++--
- 1 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index b829259..3f42f3b 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- tmsize_t wc = cc / bps;
- tmsize_t count = cc;
- uint8 *cp = (uint8 *) cp0;
-- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-+ uint8 *tmp;
-
- if(cc%(bps*stride)!=0)
- {
-@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- return 0;
- }
-
-+ tmp = (uint8 *)_TIFFmalloc(cc);
- if (!tmp)
- return 0;
-
-@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- tmsize_t wc = cc / bps;
- tmsize_t count;
- uint8 *cp = (uint8 *) cp0;
-- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-+ uint8 *tmp;
-
- if((cc%(bps*stride))!=0)
- {
-@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- "%s", "(cc%(bps*stride))!=0");
- return 0;
- }
-+
-+ tmp = (uint8 *)_TIFFmalloc(cc);
- if (!tmp)
- return 0;
-
-@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
- {
- TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
- "%s", "(cc0%rowsize)!=0");
-+ _TIFFfree( working_copy );
- return 0;
- }
- while (cc > 0) {
---
-2.9.3
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
deleted file mode 100644
index e1141df..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 8 Oct 2016 15:04:31 +0000
-Subject: [PATCH] Fix CVE-2016-9538
-* tools/tiffcp.c: fix read of undefined variable in case of
- missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
- fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
- overflow. Probably not a security issue but I can be wrong. Reported as MSVR
- 35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9538
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- tools/tiffcp.c | 4 ++--
- tools/tiffcrop.c | 9 ++++++---
- 2 files changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index ba2b715..4ad74d3 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
- static int
- tiffcp(TIFF* in, TIFF* out)
- {
-- uint16 bitspersample, samplesperpixel;
-- uint16 input_compression, input_photometric;
-+ uint16 bitspersample, samplesperpixel = 1;
-+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
- copyFunc cf;
- uint32 width, length;
- struct cpTag* p;
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 7685566..eb6de77 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
- {
- uint8* bufp = buf;
- int32 bytes_read = 0;
-- uint16 strip, nstrips = TIFFNumberOfStrips(in);
-+ uint32 strip, nstrips = TIFFNumberOfStrips(in);
- uint32 stripsize = TIFFStripSize(in);
- uint32 rows = 0;
- uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
-@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
- uint32 width, uint16 spp,
- struct dump_opts *dump)
- {
-- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
-+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
-+ uint32 j;
- int32 bytes_read = 0;
-- uint16 bps, nstrips, planar, strips_per_sample;
-+ uint16 bps, planar;
-+ uint32 nstrips;
-+ uint32 strips_per_sample;
- uint32 src_rowsize, dst_rowsize, rows_processed, rps;
- uint32 rows_this_strip = 0;
- tsample_t s;
---
-2.9.3
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
deleted file mode 100644
index 1d9be42..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 14 Oct 2016 19:13:20 +0000
-Subject: [PATCH ] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes
- in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
- & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9539
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
-
-Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
-
----
- ChangeLog | 6 ++++++
- tools/tiffcrop.c | 11 ++++++++++-
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog 2016-11-28 14:56:32.109283913 +0800
-+++ tiff-4.0.6/ChangeLog 2016-11-28 16:36:01.805325534 +0800
-@@ -17,6 +17,12 @@
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
- (CVE-2014-8127, duplicate: CVE-2016-3658)
-
-+2016-10-14 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
-+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
-+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-+
- 2016-10-08 Even Rouault <even.rouault at spatialys.com>
-
- * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
-Index: tiff-4.0.6/tools/tiffcrop.c
-===================================================================
---- tiff-4.0.6.orig/tools/tiffcrop.c 2016-11-28 14:56:31.433283908 +0800
-+++ tiff-4.0.6/tools/tiffcrop.c 2016-11-28 16:42:13.793328128 +0800
-@@ -819,9 +819,18 @@
- }
- }
-
-- tilebuf = _TIFFmalloc(tile_buffsize);
-+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
-+ if( tile_buffsize > 0xFFFFFFFFU - 3 )
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+ exit(-1);
-+ }
-+ tilebuf = _TIFFmalloc(tile_buffsize + 3);
- if (tilebuf == 0)
- return 0;
-+ tilebuf[tile_buffsize] = 0;
-+ tilebuf[tile_buffsize+1] = 0;
-+ tilebuf[tile_buffsize+2] = 0;
-
- dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;
- for (row = 0; row < imagelength; row += tl)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
deleted file mode 100644
index dddaa0c..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 8 Oct 2016 15:54:56 +0000
-Subject: [PATCH] fix CVE-2016-9540
- * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
- tile width vs image width. Reported as MSVR 35103
- by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
- Mitigations team.
-
-CVE: CVE-2016-9540
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
-
-Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
----
- ChangeLog | 7 +++++++
- tools/tiffcp.c | 4 ++--
- 2 files changed, 9 insertions(+), 2 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog 2016-11-24 14:40:43.046867737 +0800
-+++ tiff-4.0.4/ChangeLog 2016-11-28 14:38:01.681276171 +0800
-@@ -17,6 +17,13 @@
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
- (CVE-2014-8127, duplicate: CVE-2016-3658)
-
-+2016-10-08 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
-+ tile width vs image width. Reported as MSVR 35103
-+ by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
-+ Mitigations team.
-+
- 2016-09-24 Bob Friesenhahn <bfriesen at simple.dallas.tx.us>
-
- * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-Index: tiff-4.0.4/tools/tiffcp.c
-===================================================================
---- tiff-4.0.4.orig/tools/tiffcp.c 2015-06-21 09:09:10.000000000 +0800
-+++ tiff-4.0.4/tools/tiffcp.c 2016-11-28 14:41:02.221277430 +0800
-@@ -1338,7 +1338,7 @@
- uint32 colb = 0;
- uint32 col;
-
-- for (col = 0; col < imagewidth; col += tw) {
-+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
- if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
- && !ignore) {
- TIFFError(TIFFFileName(in),
-@@ -1523,7 +1523,7 @@
- uint32 colb = 0;
- uint32 col;
-
-- for (col = 0; col < imagewidth; col += tw) {
-+ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
- /*
- * Tile is clipped horizontally. Calculate
- * visible portion and skewing factors.
diff --git a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch b/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
deleted file mode 100644
index bd587e6..0000000
--- a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
+++ /dev/null
@@ -1,281 +0,0 @@
-From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 23 Sep 2016 22:12:18 +0000
-Subject: [PATCH] Fix several CVE issues
-
-Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537
-
-* tools/tiffcrop.c: fix various out-of-bounds write
- vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
- MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
- the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
- out-of-bounds write vulnerabilities in heap allocate buffer in
- t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
- and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
- libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
- allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
- Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
- libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
- didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
- that could happen in practice outside of the odd behaviour of t2p_seekproc()
- of tiff2pdf). The report points that a better fix could be to check the
- return value of TIFFFlushData1() in places where it isn't done currently, but
- it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
- Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
- Mitigations team.
-
-CVE: CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, CVE-2016-9537
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
- libtiff/tif_write.c | 7 +++++++
- tools/tiff2pdf.c | 22 ++++++++++++++++++--
- tools/tiffcrop.c | 20 +++++++++++++++++-
- 4 files changed, 92 insertions(+), 35 deletions(-)
-
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index 1fb8f3b..d1246c3 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -983,17 +983,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2)
- a1 = (int32) CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
- }
- } else {
-- ip += n - 1; /* point to last one */
-- wp += n - 1; /* point to last one */
-- n -= stride;
-- while (n > 0) {
-- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
-- wp[stride] -= wp[0];
-- wp[stride] &= mask;
-- wp--; ip--)
-- n -= stride;
-- }
-- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
-+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
-+ n -= stride;
-+ while (n > 0) {
-+ REPEAT(stride,
-+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
-+ wp++; ip++)
-+ n -= stride;
-+ }
- }
- }
- }
-@@ -1036,17 +1033,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride,
- a1 = CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
- }
- } else {
-- ip += n - 1; /* point to last one */
-- wp += n - 1; /* point to last one */
-+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
- n -= stride;
- while (n > 0) {
-- REPEAT(stride, wp[0] = CLAMP(ip[0]);
-- wp[stride] -= wp[0];
-- wp[stride] &= mask;
-- wp--; ip--)
-- n -= stride;
-- }
-- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
-+ REPEAT(stride,
-+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
-+ wp++; ip++)
-+ n -= stride;
-+ }
- }
- }
- }
-@@ -1089,18 +1083,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride,
- ip += 4;
- }
- } else {
-- wp += n + stride - 1; /* point to last one */
-- ip += n + stride - 1; /* point to last one */
-- n -= stride;
-- while (n > 0) {
-- REPEAT(stride, wp[0] = CLAMP(ip[0]);
-- wp[stride] -= wp[0];
-- wp[stride] &= mask;
-- wp--; ip--)
-- n -= stride;
-- }
-- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
-- }
-+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
-+ n -= stride;
-+ while (n > 0) {
-+ REPEAT(stride,
-+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
-+ wp++; ip++)
-+ n -= stride;
-+ }
-+ }
- }
- }
-
-diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
-index f9a3fc0..d8fa802 100644
---- a/libtiff/tif_write.c
-+++ b/libtiff/tif_write.c
-@@ -798,7 +798,14 @@ TIFFFlushData1(TIFF* tif)
- if (!TIFFAppendToStrip(tif,
- isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
- tif->tif_rawdata, tif->tif_rawcc))
-+ {
-+ /* We update those variables even in case of error since there's */
-+ /* code that doesn't really check the return code of this */
-+ /* function */
-+ tif->tif_rawcc = 0;
-+ tif->tif_rawcp = tif->tif_rawdata;
- return (0);
-+ }
- tif->tif_rawcc = 0;
- tif->tif_rawcp = tif->tif_rawdata;
- }
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index dcd5a7e..f8df6b5 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t);
- int t2p_process_ojpeg_tables(T2P*, TIFF*);
- #endif
- #ifdef JPEG_SUPPORT
--int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
-+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
- #endif
- void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
- void t2p_write_advance_directory(T2P*, TIFF*);
-@@ -2408,7 +2408,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
- if(!t2p_process_jpeg_strip(
- stripbuffer,
- &striplength,
-- buffer,
-+ buffer,
-+ t2p->tiff_datasize,
- &bufferoffset,
- i,
- t2p->tiff_length)){
-@@ -3439,6 +3440,7 @@ int t2p_process_jpeg_strip(
- unsigned char* strip,
- tsize_t* striplength,
- unsigned char* buffer,
-+ tsize_t buffersize,
- tsize_t* bufferoffset,
- tstrip_t no,
- uint32 height){
-@@ -3473,6 +3475,8 @@ int t2p_process_jpeg_strip(
- }
- switch( strip[i] ){
- case 0xd8: /* SOI - start of image */
-+ if( *bufferoffset + 2 > buffersize )
-+ return(0);
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
- *bufferoffset+=2;
- break;
-@@ -3482,12 +3486,18 @@ int t2p_process_jpeg_strip(
- case 0xc9: /* SOF9 */
- case 0xca: /* SOF10 */
- if(no==0){
-+ if( *bufferoffset + datalen + 2 + 6 > buffersize )
-+ return(0);
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ if( *bufferoffset + 9 >= buffersize )
-+ return(0);
- ncomp = buffer[*bufferoffset+9];
- if (ncomp < 1 || ncomp > 4)
- return(0);
- v_samp=1;
- h_samp=1;
-+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
-+ return(0);
- for(j=0;j<ncomp;j++){
- uint16 samp = buffer[*bufferoffset+11+(3*j)];
- if( (samp>>4) > h_samp)
-@@ -3519,20 +3529,28 @@ int t2p_process_jpeg_strip(
- break;
- case 0xc4: /* DHT */
- case 0xdb: /* DQT */
-+ if( *bufferoffset + datalen + 2 > buffersize )
-+ return(0);
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
- *bufferoffset+=datalen+2;
- break;
- case 0xda: /* SOS */
- if(no==0){
-+ if( *bufferoffset + datalen + 2 > buffersize )
-+ return(0);
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
- *bufferoffset+=datalen+2;
- } else {
-+ if( *bufferoffset + 2 > buffersize )
-+ return(0);
- buffer[(*bufferoffset)++]=0xff;
- buffer[(*bufferoffset)++]=
- (unsigned char)(0xd0 | ((no-1)%8));
- }
- i += datalen + 1;
- /* copy remainder of strip */
-+ if( *bufferoffset + *striplength - i > buffersize )
-+ return(0);
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
- *bufferoffset+= *striplength - i;
- return(1);
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index ebc4aba..7685566 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -5758,7 +5758,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
- {
- uint32 i;
- float xres = 0.0, yres = 0.0;
-- uint16 nstrips = 0, ntiles = 0, planar = 0;
-+ uint32 nstrips = 0, ntiles = 0;
-+ uint16 planar = 0;
- uint16 bps = 0, spp = 0, res_unit = 0;
- uint16 orientation = 0;
- uint16 input_compression = 0, input_photometric = 0;
-@@ -6066,11 +6067,23 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
-+ {
-+ if( buffsize > 0xFFFFFFFFU - 3 )
-+ {
-+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+ return (-1);
-+ }
- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
-+ }
- else
- {
- if (prev_readsize < buffsize)
-+ {
-+ if( buffsize > 0xFFFFFFFFU - 3 )
- {
-+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+ return (-1);
-+ }
- new_buff = _TIFFrealloc(read_buff, buffsize+3);
- if (!new_buff)
- {
-@@ -8912,6 +8925,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width,
- }
-
- bytes_per_pixel = ((bps * spp) + 7) / 8;
-+ if( bytes_per_pixel > sizeof(swapbuff) )
-+ {
-+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
-+ return (1);
-+ }
- switch (bps / 8)
- {
- case 8: /* Use memcpy for multiple bytes per sample data */
---
-2.9.3
-
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
similarity index 65%
rename from meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
rename to meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 450927d..bbc7389 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -6,29 +6,10 @@ CVE_NAME = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
- file://CVE-2015-8665_8683.patch \
- file://CVE-2015-8781.patch \
- file://CVE-2015-8784.patch \
- file://CVE-2016-3186.patch \
- file://CVE-2016-5321.patch \
- file://CVE-2016-5323.patch \
- file://CVE-2016-3945.patch \
- file://CVE-2016-3990.patch \
- file://CVE-2016-3991.patch \
- file://CVE-2016-3623.patch \
- file://CVE-2016-3622.patch \
- file://CVE-2016-3658.patch \
- file://CVE-2016-3632.patch \
- file://CVE-2016-9540.patch \
- file://CVE-2016-9539.patch \
- file://CVE-2016-9535-1.patch \
- file://CVE-2016-9535-2.patch \
- file://CVE-2016-9538.patch \
- file://Fix_several_CVE_issues.patch \
"
-SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
-SRC_URI[sha256sum] = "4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c"
+SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
+SRC_URI[sha256sum] = "9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019"
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
--
2.7.4
More information about the Openembedded-core
mailing list