poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch - openbmc/openbmc - Gitiles

 CVE: CVE-2019-7663
 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@intel.com>

 From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
 From: Thomas Bernard <miniupnp@free.fr>
 Date: Mon, 11 Feb 2019 10:05:33 +0100
 Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow

 fixes bug 2833
 ---
  tools/tiffcp.c | 8 +++++++-
  1 file changed, 7 insertions(+), 1 deletion(-)

 diff --git a/tools/tiffcp.c b/tools/tiffcp.c
 index 2f406e2d..f0ee2c02 100644
 --- a/tools/tiffcp.c
 +++ b/tools/tiffcp.c
 @@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
  	int status = 1;
  	uint32 imagew = TIFFRasterScanlineSize(in);
  	uint32 tilew = TIFFTileRowSize(in);
 -	int iskew  = imagew - tilew*spp;
 +	int iskew;
  	tsize_t tilesize = TIFFTileSize(in);
  	tdata_t tilebuf;
  	uint8* bufp = (uint8*) buf;
 @@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
  	uint32 row;
  	uint16 bps = 0, bytes_per_sample;

 +	if (spp > (0x7fffffff / tilew))
 +	{
 +		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
 +		return 0;
 +	}
 +	iskew = imagew - tilew*spp;
  	tilebuf = _TIFFmalloc(tilesize);
  	if (tilebuf == 0)
  		return 0;
 --
 2.20.1


 From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
 From: Thomas Bernard <miniupnp@free.fr>
 Date: Mon, 11 Feb 2019 21:42:03 +0100
 Subject: [PATCH 2/2] tiffcp.c: use INT_MAX

 ---
  tools/tiffcp.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/tools/tiffcp.c b/tools/tiffcp.c
 index f0ee2c02..8c81aa4f 100644
 --- a/tools/tiffcp.c
 +++ b/tools/tiffcp.c
 @@ -41,6 +41,7 @@
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
 +#include <limits.h>

  #include <ctype.h>

 @@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
  	uint32 row;
  	uint16 bps = 0, bytes_per_sample;

 -	if (spp > (0x7fffffff / tilew))
 +	if (spp > (INT_MAX / tilew))
  	{
  		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
  		return 0;
 --
 2.20.1
	CVE: CVE-2019-7663
	Upstream-Status: Backport
	Signed-off-by: Ross Burton <ross.burton@intel.com>

	From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
	From: Thomas Bernard <miniupnp@free.fr>
	Date: Mon, 11 Feb 2019 10:05:33 +0100
	Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow

	fixes bug 2833
	---
	tools/tiffcp.c \| 8 +++++++-
	1 file changed, 7 insertions(+), 1 deletion(-)

	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
	index 2f406e2d..f0ee2c02 100644
	--- a/tools/tiffcp.c
	+++ b/tools/tiffcp.c
	@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
	int status = 1;
	uint32 imagew = TIFFRasterScanlineSize(in);
	uint32 tilew = TIFFTileRowSize(in);
	- int iskew = imagew - tilew*spp;
	+ int iskew;
	tsize_t tilesize = TIFFTileSize(in);
	tdata_t tilebuf;
	uint8* bufp = (uint8*) buf;
	@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
	uint32 row;
	uint16 bps = 0, bytes_per_sample;

	+ if (spp > (0x7fffffff / tilew))
	+ {
	+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
	+ return 0;
	+ }
	+ iskew = imagew - tilew*spp;
	tilebuf = _TIFFmalloc(tilesize);
	if (tilebuf == 0)
	return 0;
	--
	2.20.1


	From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
	From: Thomas Bernard <miniupnp@free.fr>
	Date: Mon, 11 Feb 2019 21:42:03 +0100
	Subject: [PATCH 2/2] tiffcp.c: use INT_MAX

	---
	tools/tiffcp.c \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
	index f0ee2c02..8c81aa4f 100644
	--- a/tools/tiffcp.c
	+++ b/tools/tiffcp.c
	@@ -41,6 +41,7 @@
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	+#include <limits.h>

	#include <ctype.h>

	@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
	uint32 row;
	uint16 bps = 0, bytes_per_sample;

	- if (spp > (0x7fffffff / tilew))
	+ if (spp > (INT_MAX / tilew))
	{
	TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
	return 0;
	--
	2.20.1