poky/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch - stefanberger/openbmc - Gitiles

 From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
 From: Even Rouault <even.rouault@spatialys.com>
 Date: Sat, 12 May 2018 15:32:31 +0200
 Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
  Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
  CVE-2018-8905

 The fix consists in using the similar code LZWDecode() to validate we
 don't write outside of the output buffer.

 ---
 CVE: CVE-2018-8905

 Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/58a898...]

 Signed-off-by: Joe Slater <joe.slater@windriver.com>

 ---
  libtiff/tif_lzw.c |   18 ++++++++++++------
  1 file changed, 12 insertions(+), 6 deletions(-)

 diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
 index 4ccb443..94d85e3 100644
 --- a/libtiff/tif_lzw.c
 +++ b/libtiff/tif_lzw.c
 @@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
  	char *tp;
  	unsigned char *bp;
  	int code, nbits;
 +	int len;
  	long nextbits, nextdata, nbitsmask;
  	code_t *codep, *free_entp, *maxcodep, *oldcodep;

 @@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
  				}  while (--occ);
  				break;
  			}
 -			assert(occ >= codep->length);
 -			op += codep->length;
 -			occ -= codep->length;
 -			tp = op;
 +			len = codep->length;
 +			tp = op + len;
  			do {
 -				*--tp = codep->value;
 -			} while( (codep = codep->next) != NULL );
 +				int t;
 +				--tp;
 +				t = codep->value;
 +				codep = codep->next;
 +				*tp = (char)t;
 +			} while (codep && tp > op);
 +			assert(occ >= len);
 +			op += len;
 +			occ -= len;
  		} else {
  			*op++ = (char)code;
  			occ--;
 --
 1.7.9.5
	From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
	From: Even Rouault <even.rouault@spatialys.com>
	Date: Sat, 12 May 2018 15:32:31 +0200
	Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
	CVE-2018-8905

	The fix consists in using the similar code LZWDecode() to validate we
	don't write outside of the output buffer.

	---
	CVE: CVE-2018-8905

	Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/58a898...]

	Signed-off-by: Joe Slater <joe.slater@windriver.com>

	---
	libtiff/tif_lzw.c \| 18 ++++++++++++------
	1 file changed, 12 insertions(+), 6 deletions(-)

	diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
	index 4ccb443..94d85e3 100644
	--- a/libtiff/tif_lzw.c
	+++ b/libtiff/tif_lzw.c
	@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
	char *tp;
	unsigned char *bp;
	int code, nbits;
	+ int len;
	long nextbits, nextdata, nbitsmask;
	code_t codep, free_entp, maxcodep, oldcodep;

	@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
	} while (--occ);
	break;
	}
	- assert(occ >= codep->length);
	- op += codep->length;
	- occ -= codep->length;
	- tp = op;
	+ len = codep->length;
	+ tp = op + len;
	do {
	- *--tp = codep->value;
	- } while( (codep = codep->next) != NULL );
	+ int t;
	+ --tp;
	+ t = codep->value;
	+ codep = codep->next;
	+ *tp = (char)t;
	+ } while (codep && tp > op);
	+ assert(occ >= len);
	+ op += len;
	+ occ -= len;
	} else {
	*op++ = (char)code;
	occ--;
	--
	1.7.9.5