citadel/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
brl 098b8f982b Squashed 'poky/' content from commit 4469acdf1d
git-subtree-dir: poky
git-subtree-split: 4469acdf1d0338220f3fe2ecb5e079eea6fda375
2017-12-04 16:35:29 -05:00

66 lines
2.4 KiB
Diff

From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 23 Aug 2017 13:33:42 +0000
Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
TIFFWriteDirectoryTagSubifd()). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
SubIFD tag by runtime check (in TIFFWriteDirectorySec())
Upstream-Status: Backport
[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
CVE: CVE-2017-13727
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
ChangeLog | 10 +++++++++-
libtiff/tif_dirwrite.c | 9 ++++++++-
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3e299d9..8f5efe9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,15 @@
2017-08-23 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
+ on uint32 when selecting the value of SubIFD tag by runtime check
+ (in TIFFWriteDirectoryTagSubifd()).
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
+ Reported by team OWL337
+
+2017-08-23 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_dirwrite.c: replace assertion related to not finding the
- SubIFD tag by runtime check.
+ SubIFD tag by runtime check (in TIFFWriteDirectorySec())
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
Reported by team OWL337
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 14090ae..f0a4baa 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
for (p=0; p < tif->tif_dir.td_nsubifd; p++)
{
assert(pa != 0);
- assert(*pa <= 0xFFFFFFFFUL);
+
+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
+ if( *pa > 0xFFFFFFFFUL)
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
+ _TIFFfree(o);
+ return(0);
+ }
*pb++=(uint32)(*pa++);
}
n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
--
2.7.4