import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-10093.patch - openbmc/openbmc - Gitiles

 From 787c0ee906430b772f33ca50b97b8b5ca070faec Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Sat, 3 Dec 2016 16:40:01 +0000
 Subject: [PATCH] * tools/tiffcp.c: fix uint32 underflow/overflow that can
  cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes
  http://bugzilla.maptools.org/show_bug.cgi?id=2610

 Upstream-Status: Backport
 CVE: CVE-2016-10093
 Signed-off-by: Rajkumar Veer <rveer@mvista.com>

 ---
  ChangeLog      | 7 +++++++
  tools/tiffcp.c | 6 +++---
  2 files changed, 10 insertions(+), 3 deletions(-)

 Index: tiff-4.0.7/tools/tiffcp.c
 ===================================================================
 --- tiff-4.0.7.orig/tools/tiffcp.c
 +++ tiff-4.0.7/tools/tiffcp.c
 @@ -1163,7 +1163,7 @@ bad:

  static void
  cpStripToTile(uint8* out, uint8* in,
 -    uint32 rows, uint32 cols, int outskew, int inskew)
 +    uint32 rows, uint32 cols, int outskew, int64 inskew)
  {
  	while (rows-- > 0) {
  		uint32 j = cols;
 @@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
  	tdata_t tilebuf;
  	uint32 imagew = TIFFScanlineSize(in);
  	uint32 tilew  = TIFFTileRowSize(in);
 -	int iskew = imagew - tilew;
 +	int64 iskew = (int64)imagew - (int64)tilew;
  	uint8* bufp = (uint8*) buf;
  	uint32 tw, tl;
  	uint32 row;
 @@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
  				status = 0;
  				goto done;
  			}
 -			if (colb + tilew > imagew) {
 +			if (colb > iskew) {
  				uint32 width = imagew - colb;
  				uint32 oskew = tilew - width;
  				cpStripToTile(bufp + colb,
	From 787c0ee906430b772f33ca50b97b8b5ca070faec Mon Sep 17 00:00:00 2001
	From: erouault <erouault>
	Date: Sat, 3 Dec 2016 16:40:01 +0000
	Subject: [PATCH] * tools/tiffcp.c: fix uint32 underflow/overflow that can
	cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes
	http://bugzilla.maptools.org/show_bug.cgi?id=2610

	Upstream-Status: Backport
	CVE: CVE-2016-10093
	Signed-off-by: Rajkumar Veer <rveer@mvista.com>

	---
	ChangeLog \| 7 +++++++
	tools/tiffcp.c \| 6 +++---
	2 files changed, 10 insertions(+), 3 deletions(-)

	Index: tiff-4.0.7/tools/tiffcp.c
	===================================================================
	--- tiff-4.0.7.orig/tools/tiffcp.c
	+++ tiff-4.0.7/tools/tiffcp.c
	@@ -1163,7 +1163,7 @@ bad:

	static void
	cpStripToTile(uint8* out, uint8* in,
	- uint32 rows, uint32 cols, int outskew, int inskew)
	+ uint32 rows, uint32 cols, int outskew, int64 inskew)
	{
	while (rows-- > 0) {
	uint32 j = cols;
	@@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
	tdata_t tilebuf;
	uint32 imagew = TIFFScanlineSize(in);
	uint32 tilew = TIFFTileRowSize(in);
	- int iskew = imagew - tilew;
	+ int64 iskew = (int64)imagew - (int64)tilew;
	uint8* bufp = (uint8*) buf;
	uint32 tw, tl;
	uint32 row;
	@@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
	status = 0;
	goto done;
	}
	- if (colb + tilew > imagew) {
	+ if (colb > iskew) {
	uint32 width = imagew - colb;
	uint32 oskew = tilew - width;
	cpStripToTile(bufp + colb,