libtiff: Security fix CVE-2015-8664 and 8683

CVE-2015-8665
CVE-2015-8683

(From OE-Core rev: 49008750ece710201701a6f413537c857190798a)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch

@@ -0,0 +1,137 @@
+From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 26 Dec 2015 17:32:03 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
+ TIFFRGBAImage interface in case of unsupported values of
+ SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
+ TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
+ limingxing and CVE-2015-8683 reported by zzf of Alibaba.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8665
+CVE: CVE-2015-8683
+https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog              |  8 ++++++++
+ libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+
+Index: tiff-4.0.4/libtiff/tif_getimage.c
+===================================================================
+--- tiff-4.0.4.orig/libtiff/tif_getimage.c
++++ tiff-4.0.4/libtiff/tif_getimage.c
+@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
+ 				    "Planarconfiguration", td->td_planarconfig);
+ 				return (0);
+ 			}
+-			if( td->td_samplesperpixel != 3 )
++			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel);
++                        "Sorry, can not handle image with %s=%d, %s=%d",
++                        "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels);
+                 return 0;
+             }
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d and %s=%d",
++                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+                         "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels,
+                         "Bits/sample", td->td_bitspersample);
+                 return 0;
+             }
+@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
+ 	int colorchannels;
+ 	uint16 *red_orig, *green_orig, *blue_orig;
+ 	int n_color;
++	
++	if( !TIFFRGBAImageOK(tif, emsg) )
++		return 0;
+ 
+ 	/* Initialize to normal values */
+ 	img->row_offset = 0;
+@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
+ 		case PHOTOMETRIC_RGB:
+ 			switch (img->bitspersample) {
+ 				case 8:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >= 4)
+ 						img->put.contig = putRGBAAcontig8bittile;
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >= 4)
+ 					{
+ 						if (BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig8bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >= 3 )
+ 						img->put.contig = putRGBcontig8bittile;
+ 					break;
+ 				case 16:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBAAcontig16bittile;
+ 					}
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img) &&
+ 						    BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig16bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >=3 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBcontig16bittile;
+@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_SEPARATED:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel >=4 && buildMap(img)) {
+ 				if (img->bitspersample == 8) {
+ 					if (!img->Map)
+ 						img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel == 3 && buildMap(img)) {
+ 				if (img->bitspersample == 8)
+ 					img->put.contig = initCIELabConversion(img);
+ 				break;
+Index: tiff-4.0.4/ChangeLog
+===================================================================
+--- tiff-4.0.4.orig/ChangeLog
++++ tiff-4.0.4/ChangeLog
+@@ -1,3 +1,11 @@
++2015-12-26  Even Rouault <even.rouault at spatialys.com>
++
++   * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
++   interface in case of unsupported values of SamplesPerPixel/ExtraSamples
++   for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
++   TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
++   CVE-2015-8683 reported by zzf of Alibaba.
++
+ 2015-12-27  Even Rouault <even.rouault at spatialys.com>
+ 
+    * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()

meta/recipes-multimedia/libtiff/tiff_4.0.4.bb

@@ -7,6 +7,7 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
            file://libtool2.patch \
            file://CVE-2015-8781.patch \
            file://CVE-2015-8784.patch \
+           file://CVE-2015-8665_8683.patch \
           "
 
 SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900"