poky/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch

From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 15 Jul 2017 11:13:46 +0000
Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
 "Raw" mode on PlanarConfig=Contig input images. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337

Upstream-Status: Backport
[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]

CVE: CVE-2017-11355

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ChangeLog        | 7 +++++++
 tools/tiff2pdf.c | 7 ++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 42eaeb7..6980da8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-07-15  Even Rouault <even.rouault at spatialys.com>
+
+	* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
+	mode on PlanarConfig=Contig input images.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
+	Reported by team OWL337
+
 2017-06-30  Even Rouault <even.rouault at spatialys.com>
 
 	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index db196e0..cd1e235 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
 	    return;
 
 	t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
-	if(t2p->pdf_nopassthrough==0){
+        /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
+        /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
+        /* do not take into account the number of samples, and thus */
+        /* that can cause heap buffer overflows such as in */
+        /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
+	if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
 #ifdef CCITT_SUPPORT
 		if(t2p->tiff_compression==COMPRESSION_CCITTFAX4  
 			){
-- 
2.7.4