mirror of
https://git.yoctoproject.org/poky
synced 2026-06-02 01:19:52 +00:00
Mingli Yu
863bfa81af
* tools/tiffcrop.c: fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538 Patch from: https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f (From OE-Core rev: 9af5d5ea882c853e4cb15006f990d3814eeea9ae) (From OE-Core rev: 33cad1173f6d1b803b794a2ec57fe8a9ef19fb44) (From OE-Core rev: 5597998cf8b852bfe9b794d83314090a148bf78b) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
68 lines
2.5 KiB
Diff
68 lines
2.5 KiB
Diff
From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001
|
|
From: erouault <erouault>
|
|
Date: Sat, 8 Oct 2016 15:04:31 +0000
|
|
Subject: [PATCH] Fix CVE-2016-9538
|
|
* tools/tiffcp.c: fix read of undefined variable in case of
|
|
missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
|
|
fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
|
|
overflow. Probably not a security issue but I can be wrong. Reported as MSVR
|
|
35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
|
|
|
|
CVE: CVE-2016-9538
|
|
Upstream-Status: Backport
|
|
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
|
|
|
|
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
|
|
|
|
---
|
|
tools/tiffcp.c | 4 ++--
|
|
tools/tiffcrop.c | 9 ++++++---
|
|
2 files changed, 17 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
|
index ba2b715..4ad74d3 100644
|
|
--- a/tools/tiffcp.c
|
|
+++ b/tools/tiffcp.c
|
|
@@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
|
|
static int
|
|
tiffcp(TIFF* in, TIFF* out)
|
|
{
|
|
- uint16 bitspersample, samplesperpixel;
|
|
- uint16 input_compression, input_photometric;
|
|
+ uint16 bitspersample, samplesperpixel = 1;
|
|
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
|
|
copyFunc cf;
|
|
uint32 width, length;
|
|
struct cpTag* p;
|
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
index 7685566..eb6de77 100644
|
|
--- a/tools/tiffcrop.c
|
|
+++ b/tools/tiffcrop.c
|
|
@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
|
|
{
|
|
uint8* bufp = buf;
|
|
int32 bytes_read = 0;
|
|
- uint16 strip, nstrips = TIFFNumberOfStrips(in);
|
|
+ uint32 strip, nstrips = TIFFNumberOfStrips(in);
|
|
uint32 stripsize = TIFFStripSize(in);
|
|
uint32 rows = 0;
|
|
uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
|
|
@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
|
|
uint32 width, uint16 spp,
|
|
struct dump_opts *dump)
|
|
{
|
|
- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
|
|
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
|
|
+ uint32 j;
|
|
int32 bytes_read = 0;
|
|
- uint16 bps, nstrips, planar, strips_per_sample;
|
|
+ uint16 bps, planar;
|
|
+ uint32 nstrips;
|
|
+ uint32 strips_per_sample;
|
|
uint32 src_rowsize, dst_rowsize, rows_processed, rps;
|
|
uint32 rows_this_strip = 0;
|
|
tsample_t s;
|
|
--
|
|
2.9.3
|
|
|