poky/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch

From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 30 Jun 2017 17:29:44 +0000
Subject: [PATCH] * libtiff/tif_dirwrite.c: in
 TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
 data type, replace assertion that the file is BigTIFF, by a non-fatal error.
 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
 OWL337

Upstream-Status: Backport
[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]

CVE: CVE-2017-10688

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ChangeLog              |  8 ++++++++
 libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
 2 files changed, 24 insertions(+), 4 deletions(-)

Index: tiff-4.0.7/ChangeLog
===================================================================
--- tiff-4.0.7.orig/ChangeLog
+++ tiff-4.0.7/ChangeLog
@@ -1,3 +1,11 @@
+2017-06-30  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
+	functions associated with LONG8/SLONG8 data type, replace assertion that
+	the file is BigTIFF, by a non-fatal error.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
+	Reported by team OWL337
+
 2017-06-26  Even Rouault <even.rouault at spatialys.com>
 
 	* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
Index: tiff-4.0.7/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.7.orig/libtiff/tif_dirwrite.c
+++ tiff-4.0.7/libtiff/tif_dirwrite.c
@@ -2047,7 +2047,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF*
 {
 	uint64 m;
 	assert(sizeof(uint64)==8);
-	assert(tif->tif_flags&TIFF_BIGTIFF);
+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+		return(0);
+	}
 	m=value;
 	if (tif->tif_flags&TIFF_SWAB)
 		TIFFSwabLong8(&m);
@@ -2060,7 +2063,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(T
 {
 	assert(count<0x20000000);
 	assert(sizeof(uint64)==8);
-	assert(tif->tif_flags&TIFF_BIGTIFF);
+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+		return(0);
+	}
 	if (tif->tif_flags&TIFF_SWAB)
 		TIFFSwabArrayOfLong8(value,count);
 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
@@ -2072,7 +2078,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF*
 {
 	int64 m;
 	assert(sizeof(int64)==8);
-	assert(tif->tif_flags&TIFF_BIGTIFF);
+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+		return(0);
+	}
 	m=value;
 	if (tif->tif_flags&TIFF_SWAB)
 		TIFFSwabLong8((uint64*)(&m));
@@ -2085,7 +2094,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(
 {
 	assert(count<0x20000000);
 	assert(sizeof(int64)==8);
-	assert(tif->tif_flags&TIFF_BIGTIFF);
+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+		return(0);
+	}
 	if (tif->tif_flags&TIFF_SWAB)
 		TIFFSwabArrayOfLong8((uint64*)value,count);
 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));