tiff: Security fix CVE-2015-8781
authorArmin Kuster <akuster@mvista.com>
Sat, 30 Jan 2016 01:39:36 +0000 (17:39 -0800)
committerJoshua Lock <joshua.g.lock@intel.com>
Mon, 29 Feb 2016 15:05:16 +0000 (15:05 +0000)
CVE-2015-8781 libtiff: out-of-bounds writes for invalid images

(From OE-Core master rev: 29c80024bdb67477dae47d8fb903feda2efe75d4)

minor tweak to get Changelog changes to apply

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch [new file with mode: 0644]
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
new file mode 100644 (file)
index 0000000..c148add
--- /dev/null
@@ -0,0 +1,196 @@
+From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 27 Dec 2015 16:25:11 +0000
+Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
+ decode functions in non debug builds by replacing assert()s by regular if
+ checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
+ input data.
+
+Upstream-Status: Backport
+
+https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
+hand applied Changelog changes
+
+CVE: CVE-2015-8781
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog         |  7 +++++++
+ libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 51 insertions(+), 11 deletions(-)
+
+Index: tiff-4.0.3/libtiff/tif_luv.c
+===================================================================
+--- tiff-4.0.3.orig/libtiff/tif_luv.c
++++ tiff-4.0.3/libtiff/tif_luv.c
+@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+       if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+               tp = (int16*) op;
+       else {
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too short");
++                      return (0);
++              }
+               tp = (int16*) sp->tbuf;
+       }
+       _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+       cc = tif->tif_rawcc;
+       /* get each byte string */
+       for (shft = 2*8; (shft -= 8) >= 0; ) {
+-              for (i = 0; i < npixels && cc > 0; )
++              for (i = 0; i < npixels && cc > 0; ) {
+                       if (*bp >= 128) {               /* run */
+-                              rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++                              if( cc < 2 )
++                                      break;
++                              rc = *bp++ + (2-128);
+                               b = (int16)(*bp++ << shft);
+                               cc -= 2;
+                               while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
+                               while (--cc && rc-- && i < npixels)
+                                       tp[i++] |= (int16)*bp++ << shft;
+                       }
++              }
+               if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                       TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
+       if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+               tp = (uint32 *)op;
+       else {
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too short");
++                      return (0);
++              }
+               tp = (uint32 *) sp->tbuf;
+       }
+       /* copy to array of uint32 */
+       bp = (unsigned char*) tif->tif_rawcp;
+       cc = tif->tif_rawcc;
+-      for (i = 0; i < npixels && cc > 0; i++) {
++      for (i = 0; i < npixels && cc >= 3; i++) {
+               tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+               bp += 3;
+               cc -= 3;
+@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+       if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+               tp = (uint32*) op;
+       else {
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too short");
++                      return (0);
++              }
+               tp = (uint32*) sp->tbuf;
+       }
+       _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+       cc = tif->tif_rawcc;
+       /* get each byte string */
+       for (shft = 4*8; (shft -= 8) >= 0; ) {
+-              for (i = 0; i < npixels && cc > 0; )
++              for (i = 0; i < npixels && cc > 0; ) {
+                       if (*bp >= 128) {               /* run */
++                              if( cc < 2 )
++                                      break;
+                               rc = *bp++ + (2-128);
+                               b = (uint32)*bp++ << shft;
+-                              cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++                              cc -= 2;
+                               while (rc-- && i < npixels)
+                                       tp[i++] |= b;
+                       } else {                        /* non-run */
+@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
+                               while (--cc && rc-- && i < npixels)
+                                       tp[i++] |= (uint32)*bp++ << shft;
+                       }
++              }
+               if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                       TIFFErrorExt(tif->tif_clientdata, module,
+@@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++      static const char module[] = "LogL16Encode";
+       LogLuvState* sp = EncoderState(tif);
+       int shft;
+       tmsize_t i;
+@@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
+               tp = (int16*) bp;
+       else {
+               tp = (int16*) sp->tbuf;
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too short");
++                      return (0);
++              }
+               (*sp->tfunc)(sp, bp, npixels);
+       }
+       /* compress each byte string */
+@@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++      static const char module[] = "LogLuvEncode24";
+       LogLuvState* sp = EncoderState(tif);
+       tmsize_t i;
+       tmsize_t npixels;
+@@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
+               tp = (uint32*) bp;
+       else {
+               tp = (uint32*) sp->tbuf;
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too short");
++                      return (0);
++              }
+               (*sp->tfunc)(sp, bp, npixels);
+       }
+       /* write out encoded pixels */
+@@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++      static const char module[] = "LogLuvEncode32";
+       LogLuvState* sp = EncoderState(tif);
+       int shft;
+       tmsize_t i;
+@@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
+               tp = (uint32*) bp;
+       else {
+               tp = (uint32*) sp->tbuf;
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too short");
++                      return (0);
++              }
+               (*sp->tfunc)(sp, bp, npixels);
+       }
+       /* compress each byte string */
+Index: tiff-4.0.3/ChangeLog
+===================================================================
+--- tiff-4.0.3.orig/ChangeLog
++++ tiff-4.0.3/ChangeLog
+@@ -1,3 +1,11 @@
++2015-12-27  Even Rouault <even.rouault at spatialys.com>
++
++   * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
++   functions in non debug builds by replacing assert()s by regular if
++   checks (bugzilla #2522).
++   Fix potential out-of-bound reads in case of short input data.
++
++
+ 2012-09-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+       * libtiff 4.0.3 released.
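Review bot: The new `if( cc < 2 ) break;` guard in the run branch of LogL16Decode, and the identical one in LogLuvDecode32, leaves the loop without reporting anything itself. It relies on the `if (i != npixels)` check immediately after the loop to turn the truncated run into an error, so a short comment would protect that coupling from later edits, e.g. `/* truncated run: reported by the i != npixels check below */`. In LogL16Encode, LogLuvEncode24 and LogLuvEncode32 the new size check fails with `return (0);`, but the encoders' existing failure returns are outside these hunks, so it is worth confirming that their callers treat 0 as an error and that it matches the value the rest of each function uses. All of the touched functions begin and end outside the hunks shown.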
index b7d1129ad63c4f2653e68ba681369e69403bb7cb..070065b1881018e1258cfeb01a9954ae6c112552 100644 (file)
@@ -11,7 +11,9 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
            file://libtiff-CVE-2013-4243.patch \
            file://libtiff-CVE-2013-4244.patch \
            file://libtiff-CVE-2013-4231.patch \
-           file://tiff-CVE-2012-4564.patch "
+           file://tiff-CVE-2012-4564.patch  \
+           file://CVE-2015-8781.patch \
+           "
 
 SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
 SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"