summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch73
1 files changed, 0 insertions, 73 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
deleted file mode 100644
index 0caf800e23..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 27 Dec 2015 16:55:20 +0000
-Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
- NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
- (bugzilla #2508)
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
-hand applied Changelog changes
-
-CVE: CVE-2015-8784
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 6 ++++++
- libtiff/tif_next.c | 10 ++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog
-+++ tiff-4.0.4/ChangeLog
-@@ -1,5 +1,11 @@
- 2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
-+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
-+ (bugzilla #2508)
-+
-+2015-12-27 Even Rouault <even.rouault at spatialys.com>
-+
- * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
- functions in non debug builds by replacing assert()s by regular if
- checks (bugzilla #2522).
-Index: tiff-4.0.4/libtiff/tif_next.c
-===================================================================
---- tiff-4.0.4.orig/libtiff/tif_next.c
-+++ tiff-4.0.4/libtiff/tif_next.c
-@@ -37,7 +37,7 @@
- case 0: op[0] = (unsigned char) ((v) << 6); break; \
- case 1: op[0] |= (v) << 4; break; \
- case 2: op[0] |= (v) << 2; break; \
-- case 3: *op++ |= (v); break; \
-+ case 3: *op++ |= (v); op_offset++; break; \
- } \
- }
-
-@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
- uint32 imagewidth = tif->tif_dir.td_imagewidth;
- if( isTiled(tif) )
- imagewidth = tif->tif_dir.td_tilewidth;
-+ tmsize_t op_offset = 0;
-
- /*
- * The scanline is composed of a sequence of constant
-@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
- * bounds, potentially resulting in a security
- * issue.
- */
-- while (n-- > 0 && npixels < imagewidth)
-+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
- SETPIXEL(op, grey);
- if (npixels >= imagewidth)
- break;
-+ if (op_offset >= scanline ) {
-+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
-+ (long) tif->tif_row);
-+ return (0);
-+ }
- if (cc == 0)
- goto bad;
- n = *bp++, cc--;