From 844e7aa217f5ecf46766a07d46f9d7f083668e8e Mon Sep 17 00:00:00 2001 From: Joe Slater Date: Tue, 22 Oct 2019 13:59:14 -0700 Subject: libtiff: fix CVE-2019-17546 Apply unmodified patch from upstream. Signed-off-by: Joe Slater Signed-off-by: Ross Burton --- .../libtiff/tiff/CVE-2019-17546.patch | 103 +++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 1 + 2 files changed, 104 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch new file mode 100644 index 0000000000..04c5410930 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch @@ -0,0 +1,103 @@ +libtiff: fix CVE-2019-17546 + +Added after 4.0.10 release. + +CVE: CVE-2019-17546 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff] +Signed-off-by: Joe Slater + +commit 4bb584a35f87af42d6cf09d15e9ce8909a839145 +Author: Even Rouault +Date: Thu Aug 15 15:05:28 2019 +0200 + + RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index c88b5fa..4da785d 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) + { ++ uint32 temp; + rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; + nrow = (row + rowstoread > h ? h - row : rowstoread); + nrowsub = nrow; + if ((nrowsub%subsamplingver)!=0) + nrowsub+=subsamplingver-nrowsub%subsamplingver; ++ temp = (row + img->row_offset)%rowsperstrip + nrowsub; ++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); ++ return 0; ++ } + if (_TIFFReadEncodedStripAndAllocBuffer(tif, + TIFFComputeStrip(tif,row+img->row_offset, 0), + (void**)(&buf), + maxstripsize, +- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) ++ temp * scanline)==(tmsize_t)(-1) + && (buf == NULL || img->stoponerr)) + { + ret = 0; +@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) + { ++ uint32 temp; + rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; + nrow = (row + rowstoread > h ? h - row : rowstoread); + offset_row = row + img->row_offset; ++ temp = (row + img->row_offset)%rowsperstrip + nrow; ++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); ++ return 0; ++ } + if( buf == NULL ) + { + if (_TIFFReadEncodedStripAndAllocBuffer( + tif, TIFFComputeStrip(tif, offset_row, 0), + (void**) &buf, bufsize, +- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ temp * scanline)==(tmsize_t)(-1) + && (buf == NULL || img->stoponerr)) + { + ret = 0; +@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + } + else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), +- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ p0, temp * scanline)==(tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + if (colorchannels > 1 + && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), +- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) ++ p1, temp * scanline) == (tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + if (colorchannels > 1 + && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), +- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) ++ p2, temp * scanline) == (tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + if (alpha) + { + if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), +- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ pa, temp * scanline)==(tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index 0432763cce..5c008c53fe 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb @@ -8,6 +8,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2019-6128.patch \ file://CVE-2019-7663.patch \ file://CVE-2019-14973.patch \ + file://CVE-2019-17546.patch \ " SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" -- cgit 1.2.3-korg