summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch423
1 files changed, 0 insertions, 423 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
deleted file mode 100644
index 26fd0df11c..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
+++ /dev/null
@@ -1,423 +0,0 @@
-From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 31 Oct 2016 17:24:26 +0000
-Subject: [PATCH 1/2] Fix CVE-2016-9535
-
-* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
- assertions by runtime checks to avoid assertions in debug mode, or buffer
- overflows in release mode. Can happen when dealing with unusual tile size
- like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
- Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
----
- libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
- libtiff/tif_predict.h | 6 +-
- 2 files changed, 121 insertions(+), 47 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index 555f2f9..b829259 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -34,18 +34,18 @@
-
- #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
-
--static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
- static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
- static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
- static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
-@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
- /* - when storing into the byte stream, we explicitly mask with 0xff so */
- /* as to make icc -check=conversions happy (not necessary by the standard) */
-
--static void
-+static int
- horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-
- unsigned char* cp = (unsigned char*) cp0;
-- assert((cc%stride)==0);
-+ if((cc%stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
-+ "%s", "(cc%stride)!=0");
-+ return 0;
-+ }
-+
- if (cc > stride) {
- /*
- * Pipeline the most common cases.
-@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
- } while (cc>0);
- }
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
- TIFFSwabArrayOfShort(wp, wc);
-- horAcc16(tif, cp0, cc);
-+ return horAcc16(tif, cp0, cc);
- }
-
--static void
-+static int
- horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
-- assert((cc%(2*stride))==0);
-+ if((cc%(2*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
-+ "%s", "cc%(2*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
- TIFFSwabArrayOfLong(wp, wc);
-- horAcc32(tif, cp0, cc);
-+ return horAcc32(tif, cp0, cc);
- }
-
--static void
-+static int
- horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
-- assert((cc%(4*stride))==0);
-+ if((cc%(4*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
-+ "%s", "cc%(4*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
- /*
- * Floating point predictor accumulation routine.
- */
--static void
-+static int
- fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-
-- assert((cc%(bps*stride))==0);
-+ if(cc%(bps*stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
-+ "%s", "cc%(bps*stride))!=0");
-+ return 0;
-+ }
-
- if (!tmp)
-- return;
-+ return 0;
-
- while (count > stride) {
- REPEAT4(stride, cp[stride] =
-@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- }
- }
- _TIFFfree(tmp);
-+ return 1;
- }
-
- /*
-@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- assert(sp->decodepfunc != NULL);
-
- if ((*sp->decoderow)(tif, op0, occ0, s)) {
-- (*sp->decodepfunc)(tif, op0, occ0);
-- return 1;
-+ return (*sp->decodepfunc)(tif, op0, occ0);
- } else
- return 0;
- }
-@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- if ((*sp->decodetile)(tif, op0, occ0, s)) {
- tmsize_t rowsize = sp->rowsize;
- assert(rowsize > 0);
-- assert((occ0%rowsize)==0);
-+ if((occ0%rowsize) !=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
-+ "%s", "occ0%rowsize != 0");
-+ return 0;
-+ }
- assert(sp->decodepfunc != NULL);
- while (occ0 > 0) {
-- (*sp->decodepfunc)(tif, op0, rowsize);
-+ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
-+ return 0;
- occ0 -= rowsize;
- op0 += rowsize;
- }
-@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- return 0;
- }
-
--static void
-+static int
- horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
- tmsize_t stride = sp->stride;
- unsigned char* cp = (unsigned char*) cp0;
-
-- assert((cc%stride)==0);
-+ if((cc%stride)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+ "%s", "(cc%stride)!=0");
-+ return 0;
-+ }
-
- if (cc > stride) {
- cc -= stride;
-@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
- } while ((cc -= stride) > 0);
- }
- }
-+ return 1;
- }
-
--static void
-+static int
- horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
-@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint16 *wp = (uint16*) cp0;
- tmsize_t wc = cc/2;
-
-- assert((cc%(2*stride))==0);
-+ if((cc%(2*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+ "%s", "(cc%(2*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint16* wp = (uint16*) cp0;
- tmsize_t wc = cc / 2;
-
-- horDiff16(tif, cp0, cc);
-+ if( !horDiff16(tif, cp0, cc) )
-+ return 0;
-
- TIFFSwabArrayOfShort(wp, wc);
-+ return 1;
- }
-
--static void
-+static int
- horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- TIFFPredictorState* sp = PredictorState(tif);
-@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint32 *wp = (uint32*) cp0;
- tmsize_t wc = cc/4;
-
-- assert((cc%(4*stride))==0);
-+ if((cc%(4*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
-+ "%s", "(cc%(4*stride))!=0");
-+ return 0;
-+ }
-
- if (wc > stride) {
- wc -= stride;
-@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- wc -= stride;
- } while (wc > 0);
- }
-+ return 1;
- }
-
--static void
-+static int
- swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- uint32* wp = (uint32*) cp0;
- tmsize_t wc = cc / 4;
-
-- horDiff32(tif, cp0, cc);
-+ if( !horDiff32(tif, cp0, cc) )
-+ return 0;
-
- TIFFSwabArrayOfLong(wp, wc);
-+ return 1;
- }
-
- /*
- * Floating point predictor differencing routine.
- */
--static void
-+static int
- fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- tmsize_t stride = PredictorState(tif)->stride;
-@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-
-- assert((cc%(bps*stride))==0);
--
-+ if((cc%(bps*stride))!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
-+ "%s", "(cc%(bps*stride))!=0");
-+ return 0;
-+ }
- if (!tmp)
-- return;
-+ return 0;
-
- _TIFFmemcpy(tmp, cp0, cc);
- for (count = 0; count < wc; count++) {
-@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- cp += cc - stride - 1;
- for (count = cc; count > stride; count -= stride)
- REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
-+ return 1;
- }
-
- static int
-@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- assert(sp->encoderow != NULL);
-
- /* XXX horizontal differencing alters user's data XXX */
-- (*sp->encodepfunc)(tif, bp, cc);
-+ if( !(*sp->encodepfunc)(tif, bp, cc) )
-+ return 0;
- return (*sp->encoderow)(tif, bp, cc, s);
- }
-
-@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
-
- rowsize = sp->rowsize;
- assert(rowsize > 0);
-- assert((cc0%rowsize)==0);
-+ if((cc0%rowsize)!=0)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
-+ "%s", "(cc0%rowsize)!=0");
-+ return 0;
-+ }
- while (cc > 0) {
- (*sp->encodepfunc)(tif, bp, rowsize);
- cc -= rowsize;
-diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
-index 91330cc..9e485a4 100644
---- a/libtiff/tif_predict.h
-+++ b/libtiff/tif_predict.h
-@@ -30,6 +30,8 @@
- * ``Library-private'' Support for the Predictor Tag
- */
-
-+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
-+
- /*
- * Codecs that want to support the Predictor tag must place
- * this structure first in their private state block so that
-@@ -43,12 +45,12 @@ typedef struct {
- TIFFCodeMethod encoderow; /* parent codec encode/decode row */
- TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
- TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
-- TIFFPostMethod encodepfunc; /* horizontal differencer */
-+ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
-
- TIFFCodeMethod decoderow; /* parent codec encode/decode row */
- TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
- TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
-- TIFFPostMethod decodepfunc; /* horizontal accumulator */
-+ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
-
- TIFFVGetMethod vgetparent; /* super-class method */
- TIFFVSetMethod vsetparent; /* super-class method */
---
-2.9.3
-