import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch - openbmc/openbmc - Gitiles

 From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
 From: Even Rouault <even.rouault@spatialys.com>
 Date: Wed, 23 Aug 2017 13:33:42 +0000
 Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
  fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
  TIFFWriteDirectoryTagSubifd()). Fixes
  http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337

 SubIFD tag by runtime check (in TIFFWriteDirectorySec())

 Upstream-Status: Backport
 [https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]

 CVE: CVE-2017-13727

 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
  ChangeLog              | 10 +++++++++-
  libtiff/tif_dirwrite.c |  9 ++++++++-
  2 files changed, 17 insertions(+), 2 deletions(-)

 diff --git a/ChangeLog b/ChangeLog
 index 3e299d9..8f5efe9 100644
 --- a/ChangeLog
 +++ b/ChangeLog
 @@ -1,7 +1,15 @@
  2017-08-23  Even Rouault <even.rouault at spatialys.com>

 +	* libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
 +	on uint32 when selecting the value of SubIFD tag by runtime check
 +	(in TIFFWriteDirectoryTagSubifd()).
 +	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
 +	Reported by team OWL337
 +
 +2017-08-23  Even Rouault <even.rouault at spatialys.com>
 +
  	* libtiff/tif_dirwrite.c: replace assertion related to not finding the
 -	SubIFD tag by runtime check.
 +	SubIFD tag by runtime check (in TIFFWriteDirectorySec())
  	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
  	Reported by team OWL337

 diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
 index 14090ae..f0a4baa 100644
 --- a/libtiff/tif_dirwrite.c
 +++ b/libtiff/tif_dirwrite.c
 @@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
  		for (p=0; p < tif->tif_dir.td_nsubifd; p++)
  		{
                          assert(pa != 0);
 -			assert(*pa <= 0xFFFFFFFFUL);
 +
 +                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
 +                        if( *pa > 0xFFFFFFFFUL)
 +                        {
 +                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
 +                            _TIFFfree(o);
 +                            return(0);
 +                        }
  			*pb++=(uint32)(*pa++);
  		}
  		n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
 --
 2.7.4
	From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
	From: Even Rouault <even.rouault@spatialys.com>
	Date: Wed, 23 Aug 2017 13:33:42 +0000
	Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
	fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
	TIFFWriteDirectoryTagSubifd()). Fixes
	http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337

	SubIFD tag by runtime check (in TIFFWriteDirectorySec())

	Upstream-Status: Backport
	[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]

	CVE: CVE-2017-13727

	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	---
	ChangeLog \| 10 +++++++++-
	libtiff/tif_dirwrite.c \| 9 ++++++++-
	2 files changed, 17 insertions(+), 2 deletions(-)

	diff --git a/ChangeLog b/ChangeLog
	index 3e299d9..8f5efe9 100644
	--- a/ChangeLog
	+++ b/ChangeLog
	@@ -1,7 +1,15 @@
	2017-08-23 Even Rouault <even.rouault at spatialys.com>

	+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
	+ on uint32 when selecting the value of SubIFD tag by runtime check
	+ (in TIFFWriteDirectoryTagSubifd()).
	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
	+ Reported by team OWL337
	+
	+2017-08-23 Even Rouault <even.rouault at spatialys.com>
	+
	* libtiff/tif_dirwrite.c: replace assertion related to not finding the
	- SubIFD tag by runtime check.
	+ SubIFD tag by runtime check (in TIFFWriteDirectorySec())
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
	Reported by team OWL337

	diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
	index 14090ae..f0a4baa 100644
	--- a/libtiff/tif_dirwrite.c
	+++ b/libtiff/tif_dirwrite.c
	@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
	for (p=0; p < tif->tif_dir.td_nsubifd; p++)
	{
	assert(pa != 0);
	- assert(*pa <= 0xFFFFFFFFUL);
	+
	+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
	+ if( *pa > 0xFFFFFFFFUL)
	+ {
	+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
	+ _TIFFfree(o);
	+ return(0);
	+ }
	pb++=(uint32)(pa++);
	}
	n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
	--
	2.7.4