aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-01-10 03:22:33 -0500
committerLeo Famulari <leo@famulari.name>2017-01-10 17:52:42 -0500
commit4b96149d8b199048aa526159120d14a44d6ee054 (patch)
tree1ffa03b2a425040f2b00578d417784bf69d1abc5 /gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
parent8966c6b43989a0f7bca972f12b78567da7de3eec (diff)
downloadgnu-guix-4b96149d8b199048aa526159120d14a44d6ee054.tar
gnu-guix-4b96149d8b199048aa526159120d14a44d6ee054.tar.gz
gnu: libtiff: Fix CVE-2016-{10092,10093,10094} and others.
* gnu/packages/patches/libtiff-CVE-2016-10092.patch, gnu/packages/patches/libtiff-CVE-2016-10093.patch, gnu/packages/patches/libtiff-CVE-2016-10094.patch, gnu/packages/patches/libtiff-assertion-failure.patch, gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch, gnu/packages/patches/libtiff-divide-by-zero.patch, gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch, gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch, gnu/packages/patches/libtiff-invalid-read.patch, gnu/packages/patches/libtiff-null-dereference.patch, gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable.
Diffstat (limited to 'gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch')
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch67
1 files changed, 67 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
new file mode 100644
index 0000000000..f0fef08bf3
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
@@ -0,0 +1,67 @@
+Fix heap buffer overflow in tiffcp when parsing number of inks:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
+called,
+ limit the return number of inks to SamplesPerPixel, so that code that
+parses
+ ink names doesn't go past the end of the buffer.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1184; previous revision: 1.1183
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c
+new revision: 1.128; previous revision: 1.127
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.127
+retrieving revision 1.128
+diff -u -r1.127 -r1.128
+--- libtiff/libtiff/tif_dir.c 25 Oct 2016 21:35:15 -0000 1.127
++++ libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -854,6 +854,32 @@
+ if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
+ return 0;
+
++ if( tag == TIFFTAG_NUMBEROFINKS )
++ {
++ int i;
++ for (i = 0; i < td->td_customValueCount; i++) {
++ uint16 val;
++ TIFFTagValue *tv = td->td_customValues + i;
++ if (tv->info->field_tag != tag)
++ continue;
++ val = *(uint16 *)tv->value;
++ /* Truncate to SamplesPerPixel, since the */
++ /* setting code for INKNAMES assume that there are SamplesPerPixel */
++ /* inknames. */
++ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
++ if( val > td->td_samplesperpixel )
++ {
++ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
++ "Truncating NumberOfInks from %u to %u",
++ val, td->td_samplesperpixel);
++ val = td->td_samplesperpixel;
++ }
++ *va_arg(ap, uint16*) = val;
++ return 1;
++ }
++ return 0;
++ }
++
+ /*
+ * We want to force the custom code to be used for custom
+ * fields even if the tag happens to match a well known