import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch - openbmc/openbmc - Gitiles

 From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Sat, 26 Dec 2015 17:32:03 +0000
 Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
  TIFFRGBAImage interface in case of unsupported values of
  SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
  TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
  limingxing and CVE-2015-8683 reported by zzf of Alibaba.

 Upstream-Status: Backport
 CVE: CVE-2015-8665
 CVE: CVE-2015-8683
 https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55

 Signed-off-by: Armin Kuster <akuster@mvista.com>

 ---
  ChangeLog              |  8 ++++++++
  libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
  2 files changed, 30 insertions(+), 13 deletions(-)

 Index: tiff-4.0.6/libtiff/tif_getimage.c
 ===================================================================
 --- tiff-4.0.6.orig/libtiff/tif_getimage.c
 +++ tiff-4.0.6/libtiff/tif_getimage.c
 @@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
  				    "Planarconfiguration", td->td_planarconfig);
  				return (0);
  			}
 -			if( td->td_samplesperpixel != 3 )
 +			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
              {
                  sprintf(emsg,
 -                        "Sorry, can not handle image with %s=%d",
 -                        "Samples/pixel", td->td_samplesperpixel);
 +                        "Sorry, can not handle image with %s=%d, %s=%d",
 +                        "Samples/pixel", td->td_samplesperpixel,
 +                        "colorchannels", colorchannels);
                  return 0;
              }
  			break;
  		case PHOTOMETRIC_CIELAB:
 -            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
 +            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
              {
                  sprintf(emsg,
 -                        "Sorry, can not handle image with %s=%d and %s=%d",
 +                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
                          "Samples/pixel", td->td_samplesperpixel,
 +                        "colorchannels", colorchannels,
                          "Bits/sample", td->td_bitspersample);
                  return 0;
              }
 @@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
  	int colorchannels;
  	uint16 *red_orig, *green_orig, *blue_orig;
  	int n_color;
 +
 +	if( !TIFFRGBAImageOK(tif, emsg) )
 +		return 0;

  	/* Initialize to normal values */
  	img->row_offset = 0;
 @@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
  		case PHOTOMETRIC_RGB:
  			switch (img->bitspersample) {
  				case 8:
 -					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
 +					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
 +						img->samplesperpixel >= 4)
  						img->put.contig = putRGBAAcontig8bittile;
 -					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
 +					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
 +							 img->samplesperpixel >= 4)
  					{
  						if (BuildMapUaToAa(img))
  							img->put.contig = putRGBUAcontig8bittile;
  					}
 -					else
 +					else if( img->samplesperpixel >= 3 )
  						img->put.contig = putRGBcontig8bittile;
  					break;
  				case 16:
 -					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
 +					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
 +						img->samplesperpixel >=4 )
  					{
  						if (BuildMapBitdepth16To8(img))
  							img->put.contig = putRGBAAcontig16bittile;
  					}
 -					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
 +					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
 +							 img->samplesperpixel >=4 )
  					{
  						if (BuildMapBitdepth16To8(img) &&
  						    BuildMapUaToAa(img))
  							img->put.contig = putRGBUAcontig16bittile;
  					}
 -					else
 +					else if( img->samplesperpixel >=3 )
  					{
  						if (BuildMapBitdepth16To8(img))
  							img->put.contig = putRGBcontig16bittile;
 @@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
  			}
  			break;
  		case PHOTOMETRIC_SEPARATED:
 -			if (buildMap(img)) {
 +			if (img->samplesperpixel >=4 && buildMap(img)) {
  				if (img->bitspersample == 8) {
  					if (!img->Map)
  						img->put.contig = putRGBcontig8bitCMYKtile;
 @@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
  			}
  			break;
  		case PHOTOMETRIC_CIELAB:
 -			if (buildMap(img)) {
 +			if (img->samplesperpixel == 3 && buildMap(img)) {
  				if (img->bitspersample == 8)
  					img->put.contig = initCIELabConversion(img);
  				break;
 Index: tiff-4.0.6/ChangeLog
 ===================================================================
 --- tiff-4.0.6.orig/ChangeLog
 +++ tiff-4.0.6/ChangeLog
 @@ -1,3 +1,11 @@
 +2015-12-26  Even Rouault <even.rouault at spatialys.com>
 +
 +   * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
 +   interface in case of unsupported values of SamplesPerPixel/ExtraSamples
 +   for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
 +   TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
 +   CVE-2015-8683 reported by zzf of Alibaba.
 +
  2015-09-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

  	* libtiff 4.0.6 released.
	From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
	From: erouault <erouault>
	Date: Sat, 26 Dec 2015 17:32:03 +0000
	Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
	TIFFRGBAImage interface in case of unsupported values of
	SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
	TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
	limingxing and CVE-2015-8683 reported by zzf of Alibaba.

	Upstream-Status: Backport
	CVE: CVE-2015-8665
	CVE: CVE-2015-8683
	https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55

	Signed-off-by: Armin Kuster <akuster@mvista.com>

	---
	ChangeLog \| 8 ++++++++
	libtiff/tif_getimage.c \| 35 ++++++++++++++++++++++-------------
	2 files changed, 30 insertions(+), 13 deletions(-)

	Index: tiff-4.0.6/libtiff/tif_getimage.c
	===================================================================
	--- tiff-4.0.6.orig/libtiff/tif_getimage.c
	+++ tiff-4.0.6/libtiff/tif_getimage.c
	@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
	"Planarconfiguration", td->td_planarconfig);
	return (0);
	}
	- if( td->td_samplesperpixel != 3 )
	+ if( td->td_samplesperpixel != 3 \|\| colorchannels != 3 )
	{
	sprintf(emsg,
	- "Sorry, can not handle image with %s=%d",
	- "Samples/pixel", td->td_samplesperpixel);
	+ "Sorry, can not handle image with %s=%d, %s=%d",
	+ "Samples/pixel", td->td_samplesperpixel,
	+ "colorchannels", colorchannels);
	return 0;
	}
	break;
	case PHOTOMETRIC_CIELAB:
	- if( td->td_samplesperpixel != 3 \|\| td->td_bitspersample != 8 )
	+ if( td->td_samplesperpixel != 3 \|\| colorchannels != 3 \|\| td->td_bitspersample != 8 )
	{
	sprintf(emsg,
	- "Sorry, can not handle image with %s=%d and %s=%d",
	+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
	"Samples/pixel", td->td_samplesperpixel,
	+ "colorchannels", colorchannels,
	"Bits/sample", td->td_bitspersample);
	return 0;
	}
	@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
	int colorchannels;
	uint16 red_orig, green_orig, *blue_orig;
	int n_color;
	+
	+ if( !TIFFRGBAImageOK(tif, emsg) )
	+ return 0;

	/* Initialize to normal values */
	img->row_offset = 0;
	@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
	case PHOTOMETRIC_RGB:
	switch (img->bitspersample) {
	case 8:
	- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
	+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
	+ img->samplesperpixel >= 4)
	img->put.contig = putRGBAAcontig8bittile;
	- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
	+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
	+ img->samplesperpixel >= 4)
	{
	if (BuildMapUaToAa(img))
	img->put.contig = putRGBUAcontig8bittile;
	}
	- else
	+ else if( img->samplesperpixel >= 3 )
	img->put.contig = putRGBcontig8bittile;
	break;
	case 16:
	- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
	+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
	+ img->samplesperpixel >=4 )
	{
	if (BuildMapBitdepth16To8(img))
	img->put.contig = putRGBAAcontig16bittile;
	}
	- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
	+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
	+ img->samplesperpixel >=4 )
	{
	if (BuildMapBitdepth16To8(img) &&
	BuildMapUaToAa(img))
	img->put.contig = putRGBUAcontig16bittile;
	}
	- else
	+ else if( img->samplesperpixel >=3 )
	{
	if (BuildMapBitdepth16To8(img))
	img->put.contig = putRGBcontig16bittile;
	@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
	}
	break;
	case PHOTOMETRIC_SEPARATED:
	- if (buildMap(img)) {
	+ if (img->samplesperpixel >=4 && buildMap(img)) {
	if (img->bitspersample == 8) {
	if (!img->Map)
	img->put.contig = putRGBcontig8bitCMYKtile;
	@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
	}
	break;
	case PHOTOMETRIC_CIELAB:
	- if (buildMap(img)) {
	+ if (img->samplesperpixel == 3 && buildMap(img)) {
	if (img->bitspersample == 8)
	img->put.contig = initCIELabConversion(img);
	break;
	Index: tiff-4.0.6/ChangeLog
	===================================================================
	--- tiff-4.0.6.orig/ChangeLog
	+++ tiff-4.0.6/ChangeLog
	@@ -1,3 +1,11 @@
	+2015-12-26 Even Rouault <even.rouault at spatialys.com>
	+
	+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
	+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
	+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
	+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
	+ CVE-2015-8683 reported by zzf of Alibaba.
	+
	2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* libtiff 4.0.6 released.