summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2016-12-10 09:38:43 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-12-13 22:47:33 +0000
commit9945cbccc4c737c84ad441773061acbf90c7baed (patch)
tree19446d6a6bee8d9313abb332df9ba71dbbb86fce /meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
parentfacf9fa905100945738c13f9f79e938ed4a81030 (diff)
downloadopenembedded-core-contrib-9945cbccc4c737c84ad441773061acbf90c7baed.tar.gz
openembedded-core-contrib-9945cbccc4c737c84ad441773061acbf90c7baed.tar.bz2
openembedded-core-contrib-9945cbccc4c737c84ad441773061acbf90c7baed.zip
libtiff: Update to 4.0.7
Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos. CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632 plus more that are not identified in the changelog. removed patches integrated into update. more info: http://libtiff.maptools.org/v4.0.7.html Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch111
1 files changed, 0 insertions, 111 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
deleted file mode 100644
index 6cb12f2907..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From: 45c68450bef8ad876f310b495165c513cad8b67d
-From: Even Rouault <even.rouault@spatialys.com>
-
-* libtiff/tif_dir.c: discard values of SMinSampleValue and
-SMaxSampleValue when they have been read and the value of
-SamplesPerPixel is changed afterwards (like when reading a
-OJPEG compressed image with a missing SamplesPerPixel tag,
-and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
-being 3). Otherwise when rewriting the directory (for example
-with tiffset, we will expect 3 values whereas the array had been
-allocated with just one), thus causing a out of bound read access.
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
-when writing directory, if FIELD_STRIPOFFSETS was artificially set
-for a hack case in OJPEG case.
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-CVE: CVE-2016-3658
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
-
-Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
-
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
-+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
-@@ -1,3 +1,22 @@
-+2016-10-25 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
-+ SMaxSampleValue when they have been read and the value of
-+ SamplesPerPixel is changed afterwards (like when reading a
-+ OJPEG compressed image with a missing SamplesPerPixel tag,
-+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
-+ being 3). Otherwise when rewriting the directory (for example
-+ with tiffset, we will expect 3 values whereas the array had been
-+ allocated with just one), thus causing a out of bound read access.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ (CVE-2014-8127, duplicate: CVE-2016-3658)
-+
-+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
-+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
-+ for a hack case in OJPEG case.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ (CVE-2014-8127, duplicate: CVE-2016-3658)
-+
- 2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
-
- * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-Index: tiff-4.0.6/libtiff/tif_dir.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
-+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
-@@ -254,6 +254,28 @@
- v = (uint16) va_arg(ap, uint16_vap);
- if (v == 0)
- goto badvalue;
-+ if( v != td->td_samplesperpixel )
-+ {
-+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
-+ if( td->td_sminsamplevalue != NULL )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,
-+ "SamplesPerPixel tag value is changing, "
-+ "but SMinSampleValue tag was read with a different value. Cancelling it");
-+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
-+ _TIFFfree(td->td_sminsamplevalue);
-+ td->td_sminsamplevalue = NULL;
-+ }
-+ if( td->td_smaxsamplevalue != NULL )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,
-+ "SamplesPerPixel tag value is changing, "
-+ "but SMaxSampleValue tag was read with a different value. Cancelling it");
-+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
-+ _TIFFfree(td->td_smaxsamplevalue);
-+ td->td_smaxsamplevalue = NULL;
-+ }
-+ }
- td->td_samplesperpixel = (uint16) v;
- break;
- case TIFFTAG_ROWSPERSTRIP:
-Index: tiff-4.0.6/libtiff/tif_dirwrite.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
-+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
-@@ -542,7 +542,19 @@
- {
- if (!isTiled(tif))
- {
-- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
-+ /* td_stripoffset might be NULL in an odd OJPEG case. See
-+ * tif_dirread.c around line 3634.
-+ * XXX: OJPEG hack.
-+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
-+ * and c) the number of strips is 1,
-+ * then we tolerate the absence of stripoffsets tag,
-+ * because, presumably, all required data is in the
-+ * JpegInterchangeFormat stream.
-+ * We can get here when using tiffset on such a file.
-+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+ */
-+ if (tif->tif_dir.td_stripoffset != NULL &&
-+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
- goto bad;
- }
- else