From: Saul Wold <sgw@linux.intel.com>
To: Mark Hatle <mark.hatle@windriver.com>,
	 openembedded-core@lists.openembedded.org
Subject: Re: [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
Date: Fri, 22 Nov 2013 10:43:43 -0800	[thread overview]
Message-ID: <528FA5DF.8040707@linux.intel.com> (raw)
In-Reply-To: <1385017505-22630-2-git-send-email-mark.hatle@windriver.com>

On 11/20/2013 11:05 PM, Mark Hatle wrote:
> From: Ming Liu <ming.liu@windriver.com>
>
> Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
> in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
> service (crash) and possibly execute arbitrary code via a crafted TIFF image
> file.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
>
> Signed-off-by: Ming Liu <ming.liu@windriver.com>
> Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
> ---
>   .../libtiff/files/libtiff-CVE-2013-1960.patch      | 151 +++++++++++++++++++++
>   meta/recipes-multimedia/libtiff/tiff_4.0.3.bb      |   3 +-
>   2 files changed, 153 insertions(+), 1 deletion(-)
>   create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>

For some reason this patch is not applying cleanly.

Sau!

> diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
> new file mode 100644
> index 0000000..e4348f1
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
> @@ -0,0 +1,151 @@
> +This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
> +
> +Upstream-Status: Pending
> +
> +Signed-off-by: Ming Liu <ming.liu@windriver.com>
> +
> +diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
> +--- a/tools/tiff2pdf.c	2012-07-25 22:56:43.000000000 -0400
> ++++ b/tools/tiff2pdf.c	2013-05-02 12:04:49.057090227 -0400
> +@@ -3341,33 +3341,56 @@
> + 	uint32 height){
> +
> + 	tsize_t i=0;
> +-	uint16 ri =0;
> +-	uint16 v_samp=1;
> +-	uint16 h_samp=1;
> +-	int j=0;
> +-	
> +-	i++;
> +-	
> +-	while(i<(*striplength)){
> ++
> ++	while (i < *striplength) {
> ++		tsize_t datalen;
> ++		uint16 ri;
> ++		uint16 v_samp;
> ++		uint16 h_samp;
> ++		int j;
> ++		int ncomp;
> ++
> ++		/* marker header: one or more FFs */
> ++		if (strip[i] != 0xff)
> ++			return(0);
> ++		i++;
> ++		while (i < *striplength && strip[i] == 0xff)
> ++			i++;
> ++		if (i >= *striplength)
> ++			return(0);
> ++		/* SOI is the only pre-SOS marker without a length word */
> ++		if (strip[i] == 0xd8)
> ++			datalen = 0;
> ++		else {
> ++			if ((*striplength - i) <= 2)
> ++				return(0);
> ++			datalen = (strip[i+1] << 8) | strip[i+2];
> ++			if (datalen < 2 || datalen >= (*striplength - i))
> ++				return(0);
> ++		}
> + 		switch( strip[i] ){
> +-			case 0xd8:
> +-				/* SOI - start of image */
> ++			case 0xd8:	/* SOI - start of image */
> + 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
> + 				*bufferoffset+=2;
> +-				i+=2;
> + 				break;
> +-			case 0xc0:
> +-			case 0xc1:
> +-			case 0xc3:
> +-			case 0xc9:
> +-			case 0xca:
> ++			case 0xc0:	/* SOF0 */
> ++			case 0xc1:	/* SOF1 */
> ++			case 0xc3:	/* SOF3 */
> ++			case 0xc9:	/* SOF9 */
> ++			case 0xca:	/* SOF10 */
> + 				if(no==0){
> +-					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
> +-					for(j=0;j<buffer[*bufferoffset+9];j++){
> +-						if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
> +-							h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
> +-						if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
> +-							v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
> ++					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
> ++					ncomp = buffer[*bufferoffset+9];
> ++					if (ncomp < 1 || ncomp > 4)
> ++						return(0);
> ++					v_samp=1;
> ++					h_samp=1;
> ++					for(j=0;j<ncomp;j++){
> ++						uint16 samp = buffer[*bufferoffset+11+(3*j)];
> ++						if( (samp>>4) > h_samp)
> ++							h_samp = (samp>>4);
> ++						if( (samp & 0x0f) > v_samp)
> ++							v_samp = (samp & 0x0f);
> + 					}
> + 					v_samp*=8;
> + 					h_samp*=8;
> +@@ -3381,45 +3404,43 @@
> +                                           (unsigned char) ((height>>8) & 0xff);
> + 					buffer[*bufferoffset+6]=
> +                                             (unsigned char) (height & 0xff);
> +-					*bufferoffset+=strip[i+2]+2;
> +-					i+=strip[i+2]+2;
> +-
> ++					*bufferoffset+=datalen+2;
> ++					/* insert a DRI marker */
> + 					buffer[(*bufferoffset)++]=0xff;
> + 					buffer[(*bufferoffset)++]=0xdd;
> + 					buffer[(*bufferoffset)++]=0x00;
> + 					buffer[(*bufferoffset)++]=0x04;
> + 					buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
> + 					buffer[(*bufferoffset)++]= ri & 0xff;
> +-				} else {
> +-					i+=strip[i+2]+2;
> + 				}
> + 				break;
> +-			case 0xc4:
> +-			case 0xdb:
> +-				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
> +-				*bufferoffset+=strip[i+2]+2;
> +-				i+=strip[i+2]+2;
> ++			case 0xc4: /* DHT */
> ++			case 0xdb: /* DQT */
> ++				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
> ++				*bufferoffset+=datalen+2;
> + 				break;
> +-			case 0xda:
> ++			case 0xda: /* SOS */
> + 				if(no==0){
> +-					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
> +-					*bufferoffset+=strip[i+2]+2;
> +-					i+=strip[i+2]+2;
> ++					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
> ++					*bufferoffset+=datalen+2;
> + 				} else {
> + 					buffer[(*bufferoffset)++]=0xff;
> + 					buffer[(*bufferoffset)++]=
> +                                             (unsigned char)(0xd0 | ((no-1)%8));
> +-					i+=strip[i+2]+2;
> + 				}
> +-				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
> +-				*bufferoffset+=(*striplength)-i-1;
> ++				i += datalen + 1;
> ++				/* copy remainder of strip */
> ++				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
> ++				*bufferoffset+= *striplength - i;
> + 				return(1);
> + 			default:
> +-				i+=strip[i+2]+2;
> ++				/* ignore any other marker */
> ++				break;
> + 		}
> ++		i += datalen + 1;
> + 	}
> +-	
> +
> ++	/* failed to find SOS marker */
> + 	return(0);
> + }
> + #endif
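Review bot: The SOF branch (from `ncomp = buffer[*bufferoffset+9];` through the `for` loop reading `buffer[*bufferoffset+11+(3*j)]`) is guarded only by the generic `datalen < 2` check, so a SOF whose length word is shorter than its component table makes those reads, and the height patch at `*bufferoffset+5`/`+6` in the second hunk, touch bytes beyond what the `_TIFFmemcpy` of `datalen+2` bytes just wrote. That stays inside `buffer`, but the sampling factors and therefore the DRI restart interval are then derived from stale output-buffer contents rather than from the strip; a well-formed SOF has a length word of exactly 8 + 3*ncomp, so after the `ncomp` range check add `if (datalen < 8 + 3*ncomp) return(0);`. Separately, `uint16 ri;` among the new per-iteration declarations has lost the `= 0` of the old `uint16 ri =0;`; if the assignment in the unshown context between the two hunks runs on every path that reaches the DRI emit this is harmless, otherwise it is an uninitialized read feeding two bytes of the output. The function's signature and the `ri` computation lie outside the hunk, and `buffer` still carries no capacity parameter, so the extra six DRI bytes per strip remain something the caller's allocation has to account for.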
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
> index 256e75e..8e450df 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
> @@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz"
>   PR = "r0"
>
>   SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
> -           file://libtool2.patch"
> +           file://libtool2.patch \
> +           file://libtiff-CVE-2013-1960.patch"
>
>   SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
>   SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
>

