diff options
| author |   Mingli Yu <Mingli.Yu@windriver.com> | 2016-12-07 16:01:11 +0800 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-12-08 10:26:11 +0000 |
| commit | 61d3feb9cad9f61f6551b43f4f19bfa33cadd275 (patch) | |
| tree | f55c3e0c3d981f1c0b11d34759c2a41050deafcc /meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch | |
| parent | fa107101ae42cf42a954c1c9af6a7d3ed298b384 (diff) | |
| download | openembedded-core-contrib-61d3feb9cad9f61f6551b43f4f19bfa33cadd275.tar.gz | |
tiff: Security fix CVE-2016-9535
* libtiff/tif_predict.h, libtiff/tif_predict.c:
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling.
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535
Patch from:
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch')
| -rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch new file mode 100644 index 0000000000..977dbf6c87 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch @@ -0,0 +1,67 @@ +From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Fri, 4 Nov 2016 09:19:13 +0000 +Subject: [PATCH 2/2] Fix CVE-2016-9535 +* libtiff/tif_predic.c: fix memory leaks in error code + paths added in previous commit (fix for MSVR 35105) + +CVE: CVE-2016-9535 +Upstream-Status: Backport +https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 + +Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> + +--- + libtiff/tif_predict.c | 8 ++++++-- + 1 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c +index b829259..3f42f3b 100644 +--- a/libtiff/tif_predict.c ++++ b/libtiff/tif_predict.c +@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) + tmsize_t wc = cc / bps; + tmsize_t count = cc; + uint8 *cp = (uint8 *) cp0; +- uint8 *tmp = (uint8 *)_TIFFmalloc(cc); ++ uint8 *tmp; + + if(cc%(bps*stride)!=0) + { +@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) + return 0; + } + ++ tmp = (uint8 *)_TIFFmalloc(cc); + if (!tmp) + return 0; + +@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) + tmsize_t wc = cc / bps; + tmsize_t count; + uint8 *cp = (uint8 *) cp0; +- uint8 *tmp = (uint8 *)_TIFFmalloc(cc); ++ uint8 *tmp; + + if((cc%(bps*stride))!=0) + { +@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) + "%s", "(cc%(bps*stride))!=0"); + return 0; + } ++ ++ tmp = (uint8 *)_TIFFmalloc(cc); + if (!tmp) + return 0; + +@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s) + { + TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile", + "%s", "(cc0%rowsize)!=0"); ++ _TIFFfree( working_copy ); + return 0; + } + while (cc > 0) { +-- +2.9.3 + |