mirror of
https://git.yoctoproject.org/poky
synced 2026-03-02 05:19:40 +01:00
49f6a9e794
Libtiff is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. Porting patch from <https://github.com/vadz/libtiff/commit/ 5c080298d59efa53264d7248bbe3a04660db6ef7> to solve CVE-2017-5225. (From OE-Core rev: 434990304bdfb70441b399ff8998dbe3fe1b1e1f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
93 lines
3.0 KiB
Diff
93 lines
3.0 KiB
Diff
From a24df1e93833dfeaa69bf4d510518dc4684db64d Mon Sep 17 00:00:00 2001
|
|
From: Li Zhou <li.zhou@windriver.com>
|
|
Date: Wed, 25 Jan 2017 17:07:21 +0800
|
|
Subject: [PATCH] libtiff: fix CVE-2017-5225
|
|
|
|
tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
|
|
and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
|
|
overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=2657
|
|
|
|
Upstream-Status: Backport
|
|
CVE: CVE-2017-5225
|
|
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
|
---
|
|
ChangeLog | 7 +++++++
|
|
tools/tiffcp.c | 24 ++++++++++++++++++++++--
|
|
2 files changed, 29 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/ChangeLog b/ChangeLog
|
|
index 9b9d397..7e82795 100644
|
|
--- a/ChangeLog
|
|
+++ b/ChangeLog
|
|
@@ -1,3 +1,10 @@
|
|
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
|
|
+
|
|
+ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
|
|
+ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
|
|
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
|
|
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
|
|
+
|
|
2016-11-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
|
|
|
* libtiff 4.0.7 released.
|
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
|
index 338a3d1..2e84577 100644
|
|
--- a/tools/tiffcp.c
|
|
+++ b/tools/tiffcp.c
|
|
@@ -592,7 +592,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
|
|
static int
|
|
tiffcp(TIFF* in, TIFF* out)
|
|
{
|
|
- uint16 bitspersample, samplesperpixel = 1;
|
|
+ uint16 bitspersample = 1, samplesperpixel = 1;
|
|
uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
|
|
copyFunc cf;
|
|
uint32 width, length;
|
|
@@ -1068,6 +1068,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
|
|
register uint32 n;
|
|
uint32 row;
|
|
tsample_t s;
|
|
+ uint16 bps = 0;
|
|
+
|
|
+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
|
|
+ if( bps != 8 )
|
|
+ {
|
|
+ TIFFError(TIFFFileName(in),
|
|
+ "Error, can only handle BitsPerSample=8 in %s",
|
|
+ "cpContig2SeparateByRow");
|
|
+ return 0;
|
|
+ }
|
|
|
|
inbuf = _TIFFmalloc(scanlinesizein);
|
|
outbuf = _TIFFmalloc(scanlinesizeout);
|
|
@@ -1121,6 +1131,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
|
|
register uint32 n;
|
|
uint32 row;
|
|
tsample_t s;
|
|
+ uint16 bps = 0;
|
|
+
|
|
+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
|
|
+ if( bps != 8 )
|
|
+ {
|
|
+ TIFFError(TIFFFileName(in),
|
|
+ "Error, can only handle BitsPerSample=8 in %s",
|
|
+ "cpSeparate2ContigByRow");
|
|
+ return 0;
|
|
+ }
|
|
|
|
inbuf = _TIFFmalloc(scanlinesizein);
|
|
outbuf = _TIFFmalloc(scanlinesizeout);
|
|
@@ -1763,7 +1783,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
|
|
uint32 w, l, tw, tl;
|
|
int bychunk;
|
|
|
|
- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
|
|
+ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
|
|
if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
|
|
fprintf(stderr,
|
|
"%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
|
|
--
|
|
1.9.1
|
|
|