diff options
author | Leo Famulari <leo@famulari.name> | 2017-01-10 03:22:33 -0500 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-01-10 17:52:42 -0500 |
commit | 4b96149d8b199048aa526159120d14a44d6ee054 (patch) | |
tree | 1ffa03b2a425040f2b00578d417784bf69d1abc5 | |
parent | 8966c6b43989a0f7bca972f12b78567da7de3eec (diff) | |
download | guix-4b96149d8b199048aa526159120d14a44d6ee054.tar guix-4b96149d8b199048aa526159120d14a44d6ee054.tar.gz |
gnu: libtiff: Fix CVE-2016-{10092,10093,10094} and others.
* gnu/packages/patches/libtiff-CVE-2016-10092.patch,
gnu/packages/patches/libtiff-CVE-2016-10093.patch,
gnu/packages/patches/libtiff-CVE-2016-10094.patch,
gnu/packages/patches/libtiff-assertion-failure.patch,
gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch,
gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch,
gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch,
gnu/packages/patches/libtiff-divide-by-zero.patch,
gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch,
gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch,
gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch,
gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch,
gnu/packages/patches/libtiff-invalid-read.patch,
gnu/packages/patches/libtiff-null-dereference.patch,
gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
17 files changed, 1056 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index a7b917e6e7..e34ae17796 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -683,6 +683,21 @@ dist_patch_DATA = \ %D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtheora-config-guess.patch \ + %D%/packages/patches/libtiff-CVE-2016-10092.patch \ + %D%/packages/patches/libtiff-CVE-2016-10093.patch \ + %D%/packages/patches/libtiff-CVE-2016-10094.patch \ + %D%/packages/patches/libtiff-assertion-failure.patch \ + %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \ + %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \ + %D%/packages/patches/libtiff-divide-by-zero-tiffcrop.patch \ + %D%/packages/patches/libtiff-divide-by-zero.patch \ + %D%/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch \ + %D%/packages/patches/libtiff-heap-overflow-tif-dirread.patch \ + %D%/packages/patches/libtiff-heap-overflow-tiffcp.patch \ + %D%/packages/patches/libtiff-heap-overflow-tiffcrop.patch \ + %D%/packages/patches/libtiff-invalid-read.patch \ + %D%/packages/patches/libtiff-null-dereference.patch \ + %D%/packages/patches/libtiff-tiffcp-underflow.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libunwind-CVE-2015-3239.patch \ %D%/packages/patches/libupnp-CVE-2016-6255.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 4e40533a21..a9bbf192cc 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2015 Amirouche Boubekki <amirouche@hypermove.net> ;;; Copyright © 2014 John Darrington <jmd@gnu.org> ;;; Copyright © 2016 Leo Famulari <leo@famulari.name> +;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org> @@ -258,6 +259,7 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") + (replacement libtiff/fixed) (version "4.0.7") (source (origin (method url-fetch) @@ -290,6 +292,28 @@ collection of tools for doing simple manipulations of TIFF images.") "See COPYRIGHT in the distribution.")) (home-page "http://www.simplesystems.org/libtiff/"))) +(define libtiff/fixed + (package + (inherit libtiff) + (source + (origin + (inherit (package-source libtiff)) + (patches (search-patches "libtiff-heap-overflow-tiffcp.patch" + "libtiff-null-dereference.patch" + "libtiff-heap-overflow-tif-dirread.patch" + "libtiff-heap-overflow-pixarlog-luv.patch" + "libtiff-divide-by-zero.patch" + "libtiff-divide-by-zero-ojpeg.patch" + "libtiff-tiffcp-underflow.patch" + "libtiff-invalid-read.patch" + "libtiff-CVE-2016-10092.patch" + "libtiff-heap-overflow-tiffcrop.patch" + "libtiff-divide-by-zero-tiffcrop.patch" + "libtiff-CVE-2016-10093.patch" + "libtiff-divide-by-zero-tiffcp.patch" + "libtiff-assertion-failure.patch" + "libtiff-CVE-2016-10094.patch")))))) + (define-public libwmf (package (name "libwmf") diff --git a/gnu/packages/patches/libtiff-CVE-2016-10092.patch b/gnu/packages/patches/libtiff-CVE-2016-10092.patch new file mode 100644 index 0000000000..d5fd796169 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10092.patch @@ -0,0 +1,42 @@ +Fix CVE-2016-10092: + +http://bugzilla.maptools.org/show_bug.cgi?id=2620 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092 +https://security-tracker.debian.org/tracker/CVE-2016-10092 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) + mode so that the output buffer is correctly incremented to avoid write + outside bounds. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1178; previous revision: 1.1177 +/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c +new revision: 1.47; previous revision: 1.46 + +Index: libtiff/tools/tiffcrop.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v +retrieving revision 1.46 +retrieving revision 1.47 +diff -u -r1.46 -r1.47 +--- libtiff/tools/tiffcrop.c 18 Nov 2016 14:58:46 -0000 1.46 ++++ libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */ ++/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */ + + /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of + * the image data through additional options listed below +@@ -3698,7 +3698,7 @@ + (unsigned long) strip, (unsigned long)rows); + return 0; + } +- bufp += bytes_read; ++ bufp += stripsize; + } + + return 1; diff --git a/gnu/packages/patches/libtiff-CVE-2016-10093.patch b/gnu/packages/patches/libtiff-CVE-2016-10093.patch new file mode 100644 index 0000000000..5897ec1029 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10093.patch @@ -0,0 +1,53 @@ +Fix CVE-2016-10093: + +http://bugzilla.maptools.org/show_bug.cgi?id=2610 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093 +https://security-tracker.debian.org/tracker/CVE-2016-10093 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: fix uint32 underflow/overflow that can cause + heap-based buffer overflow. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1187; previous revision: 1.1186 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.59; previous revision: 1.58 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.58 +retrieving revision 1.59 +diff -u -r1.58 -r1.59 +--- libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59 +@@ -1163,7 +1163,7 @@ + + static void + cpStripToTile(uint8* out, uint8* in, +- uint32 rows, uint32 cols, int outskew, int inskew) ++ uint32 rows, uint32 cols, int outskew, int64 inskew) + { + while (rows-- > 0) { + uint32 j = cols; +@@ -1320,7 +1320,7 @@ + tdata_t tilebuf; + uint32 imagew = TIFFScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew; ++ int64 iskew = (int64)imagew - (int64)tilew; + uint8* bufp = (uint8*) buf; + uint32 tw, tl; + uint32 row; +@@ -1348,7 +1348,7 @@ + status = 0; + goto done; + } +- if (colb + tilew > imagew) { ++ if (colb > iskew) { + uint32 width = imagew - colb; + uint32 oskew = tilew - width; + cpStripToTile(bufp + colb, diff --git a/gnu/packages/patches/libtiff-CVE-2016-10094.patch b/gnu/packages/patches/libtiff-CVE-2016-10094.patch new file mode 100644 index 0000000000..9018773565 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10094.patch @@ -0,0 +1,34 @@ +Fix CVE-2016-10094: + +http://bugzilla.maptools.org/show_bug.cgi?id=2640 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094 +https://security-tracker.debian.org/tracker/CVE-2016-10094 + +2016-12-20 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: avoid potential heap-based overflow in + t2p_readwrite_pdf_image_tile(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1199; previous revision: 1.1198 +/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c +new revision: 1.101; previous revision: 1.100 + +Index: libtiff/tools/tiff2pdf.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v +retrieving revision 1.100 +retrieving revision 1.101 +diff -u -r1.100 -r1.101 +--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100 ++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:28:17 -0000 1.101 +@@ -2895,7 +2895,7 @@ + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { +- if (count >= 4) { ++ if (count > 4) { + int retTIFFReadRawTile; + /* Ignore EOI marker of JpegTables */ + _TIFFmemcpy(buffer, jpt, count - 2); diff --git a/gnu/packages/patches/libtiff-assertion-failure.patch b/gnu/packages/patches/libtiff-assertion-failure.patch new file mode 100644 index 0000000000..ef747fbdd7 --- /dev/null +++ b/gnu/packages/patches/libtiff-assertion-failure.patch @@ -0,0 +1,60 @@ +Fix assertion failure in readSeparateTilesIntoBuffer(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2605 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert +check. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1188; previous revision: 1.1187 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.60; previous revision: 1.59 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.59 +retrieving revision 1.60 +diff -u -r1.59 -r1.60 +--- libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60 +@@ -45,7 +45,6 @@ + #include <string.h> + + #include <ctype.h> +-#include <assert.h> + + #ifdef HAVE_UNISTD_H + # include <unistd.h> +@@ -1393,7 +1392,12 @@ + status = 0; + goto done; + } +- assert( bps % 8 == 0 ); ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ status = 0; ++ goto done; ++ } + bytes_per_sample = bps/8; + + for (row = 0; row < imagelength; row += tl) { +@@ -1584,7 +1588,12 @@ + _TIFFfree(obuf); + return 0; + } +- assert( bps % 8 == 0 ); ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } + bytes_per_sample = bps/8; + + for (row = 0; row < imagelength; row += tl) { diff --git a/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch new file mode 100644 index 0000000000..2a96b68521 --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch @@ -0,0 +1,63 @@ +Fix divide-by-zero in OJPEGDecodeRaw(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2611 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure +in + OJPEGPreDecode(). This will avoid a divide by zero, and potential other +issues. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1177; previous revision: 1.1176 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c +new revision: 1.66; previous revision: 1.65 + +Index: libtiff/libtiff/tif_ojpeg.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v +retrieving revision 1.65 +retrieving revision 1.66 +diff -u -r1.65 -r1.66 +--- libtiff/libtiff/tif_ojpeg.c 4 Sep 2016 21:32:56 -0000 1.65 ++++ libtiff/libtiff/tif_ojpeg.c 3 Dec 2016 11:15:18 -0000 1.66 +@@ -1,4 +1,4 @@ +-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */ ++/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */ + + /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0 + specification is now totally obsolete and deprecated for new applications and +@@ -244,6 +244,7 @@ + + typedef struct { + TIFF* tif; ++ int decoder_ok; + #ifndef LIBJPEG_ENCAP_EXTERNAL + JMP_BUF exit_jmpbuf; + #endif +@@ -722,6 +723,7 @@ + } + sp->write_curstrile++; + } ++ sp->decoder_ok = 1; + return(1); + } + +@@ -784,8 +786,14 @@ + static int + OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) + { ++ static const char module[]="OJPEGDecode"; + OJPEGState* sp=(OJPEGState*)tif->tif_data; + (void)s; ++ if( !sp->decoder_ok ) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); ++ return 0; ++ } + if (sp->libjpeg_jpeg_query_style==0) + { + if (OJPEGDecodeRaw(tif,buf,cc)==0) diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch new file mode 100644 index 0000000000..d3f1c2b60e --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch @@ -0,0 +1,104 @@ +Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2597 +http://bugzilla.maptools.org/show_bug.cgi?id=2607 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples +tag is + missing. + Reported by Agostino sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1183; previous revision: 1.1182 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.57; previous revision: 1.56 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.56 +retrieving revision 1.57 +diff -u -r1.56 -r1.57 +--- libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */ ++/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -1378,7 +1378,7 @@ + uint8* bufp = (uint8*) buf; + uint32 tw, tl; + uint32 row; +- uint16 bps, bytes_per_sample; ++ uint16 bps = 0, bytes_per_sample; + + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) +@@ -1387,6 +1387,12 @@ + (void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw); + (void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample"); ++ status = 0; ++ goto done; ++ } + assert( bps % 8 == 0 ); + bytes_per_sample = bps/8; + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples +tag is + missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1186; previous revision: 1.1185 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.58; previous revision: 1.57 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.57 +retrieving revision 1.58 +diff -u -r1.57 -r1.58 +--- libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */ ++/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -1569,7 +1569,7 @@ + uint8* bufp = (uint8*) buf; + uint32 tl, tw; + uint32 row; +- uint16 bps, bytes_per_sample; ++ uint16 bps = 0, bytes_per_sample; + + obuf = _TIFFmalloc(TIFFTileSize(out)); + if (obuf == NULL) +@@ -1578,6 +1578,12 @@ + (void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); + (void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } + assert( bps % 8 == 0 ); + bytes_per_sample = bps/8; + diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch new file mode 100644 index 0000000000..823293f1cf --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch @@ -0,0 +1,57 @@ +Fix divide-by-zero in readSeparateStripsIntoBuffer(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2619 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is +missing. + Reported by Agostina Sarubo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1180; previous revision: 1.1179 +/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c +new revision: 1.49; previous revision: 1.48 + +Index: libtiff/tools/tiffcrop.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v +retrieving revision 1.48 +retrieving revision 1.49 +diff -u -r1.48 -r1.49 +--- libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48 ++++ libtiff/tools/tiffcrop.c 3 Dec 2016 13:00:04 -0000 1.49 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */ ++/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */ + + /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of + * the image data through additional options listed below +@@ -1164,7 +1164,7 @@ + tdata_t obuf; + + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); +- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps); + bytes_per_sample = (bps + 7) / 8; + if( width == 0 || + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width || +@@ -4760,7 +4760,7 @@ + int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; + uint32 j; + int32 bytes_read = 0; +- uint16 bps, planar; ++ uint16 bps = 0, planar; + uint32 nstrips; + uint32 strips_per_sample; + uint32 src_rowsize, dst_rowsize, rows_processed, rps; +@@ -4780,7 +4780,7 @@ + } + + memset (srcbuffs, '\0', sizeof(srcbuffs)); +- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); + TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar); + TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); + if (rps > length) diff --git a/gnu/packages/patches/libtiff-divide-by-zero.patch b/gnu/packages/patches/libtiff-divide-by-zero.patch new file mode 100644 index 0000000000..6dbd4666cd --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero.patch @@ -0,0 +1,67 @@ +Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero: + +http://bugzilla.maptools.org/show_bug.cgi?id=2596 + +2016-12-02 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in + TIFFReadEncodedStrip() that caused an integer division by zero. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1173; previous revision: 1.1172 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c +new revision: 1.50; previous revision: 1.49 +/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v <-- libtiff/tiffiop.h +new revision: 1.90; previous revision: 1.89 + +Index: libtiff/libtiff/tif_read.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v +retrieving revision 1.49 +retrieving revision 1.50 +diff -u -r1.49 -r1.50 +--- libtiff/libtiff/tif_read.c 10 Jul 2016 18:00:21 -0000 1.49 ++++ libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50 +@@ -1,4 +1,4 @@ +-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */ ++/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -346,7 +346,7 @@ + rowsperstrip=td->td_rowsperstrip; + if (rowsperstrip>td->td_imagelength) + rowsperstrip=td->td_imagelength; +- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); ++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); + stripinplane=(strip%stripsperplane); + plane=(uint16)(strip/stripsperplane); + rows=td->td_imagelength-stripinplane*rowsperstrip; +Index: libtiff/libtiff/tiffiop.h +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v +retrieving revision 1.89 +retrieving revision 1.90 +diff -u -r1.89 -r1.90 +--- libtiff/libtiff/tiffiop.h 23 Jan 2016 21:20:34 -0000 1.89 ++++ libtiff/libtiff/tiffiop.h 2 Dec 2016 21:56:56 -0000 1.90 +@@ -1,4 +1,4 @@ +-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */ ++/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -250,6 +250,10 @@ + #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ + ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ + 0U) ++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ ++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ ++#define TIFFhowmany_32_maxuint_compat(x, y) \ ++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) + #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) + #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) + #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) diff --git a/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch new file mode 100644 index 0000000000..2d5e23586d --- /dev/null +++ b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch @@ -0,0 +1,131 @@ +Fix heap-based buffer overflow in _TIFFmemcpy(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2604 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer + overflow on generation of PixarLog / LUV compressed files, with + ColorMap, TransferFunction attached and nasty plays with bitspersample. + The fix for LUV has not been tested, but suffers from the same kind + of issue of PixarLog. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1175; previous revision: 1.1174 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v <-- libtiff/tif_luv.c +new revision: 1.44; previous revision: 1.43 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v <-- +libtiff/tif_pixarlog.c +new revision: 1.49; previous revision: 1.48 + +Index: libtiff/libtiff/tif_luv.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v +retrieving revision 1.43 +retrieving revision 1.44 +diff -u -r1.43 -r1.44 +--- libtiff/libtiff/tif_luv.c 4 Sep 2016 21:32:56 -0000 1.43 ++++ libtiff/libtiff/tif_luv.c 2 Dec 2016 23:05:51 -0000 1.44 +@@ -1,4 +1,4 @@ +-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */ ++/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */ + + /* + * Copyright (c) 1997 Greg Ward Larson +@@ -158,6 +158,7 @@ + typedef struct logLuvState LogLuvState; + + struct logLuvState { ++ int encoder_state; /* 1 if encoder correctly initialized */ + int user_datafmt; /* user data format */ + int encode_meth; /* encoding method */ + int pixel_size; /* bytes per pixel */ +@@ -1552,6 +1553,7 @@ + td->td_photometric, "must be either LogLUV or LogL"); + break; + } ++ sp->encoder_state = 1; + return (1); + notsupported: + TIFFErrorExt(tif->tif_clientdata, module, +@@ -1563,19 +1565,27 @@ + static void + LogLuvClose(TIFF* tif) + { ++ LogLuvState* sp = (LogLuvState*) tif->tif_data; + TIFFDirectory *td = &tif->tif_dir; + ++ assert(sp != 0); + /* + * For consistency, we always want to write out the same + * bitspersample and sampleformat for our TIFF file, + * regardless of the data format being used by the application. + * Since this routine is called after tags have been set but + * before they have been recorded in the file, we reset them here. ++ * Note: this is really a nasty approach. See PixarLogClose + */ +- td->td_samplesperpixel = +- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; +- td->td_bitspersample = 16; +- td->td_sampleformat = SAMPLEFORMAT_INT; ++ if( sp->encoder_state ) ++ { ++ /* See PixarLogClose. Might avoid issues with tags whose size depends ++ * on those below, but not completely sure this is enough. */ ++ td->td_samplesperpixel = ++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; ++ td->td_bitspersample = 16; ++ td->td_sampleformat = SAMPLEFORMAT_INT; ++ } + } + + static void +Index: libtiff/libtiff/tif_pixarlog.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v +retrieving revision 1.48 +retrieving revision 1.49 +diff -u -r1.48 -r1.49 +--- libtiff/libtiff/tif_pixarlog.c 23 Sep 2016 22:12:18 -0000 1.48 ++++ libtiff/libtiff/tif_pixarlog.c 2 Dec 2016 23:05:51 -0000 1.49 +@@ -1,4 +1,4 @@ +-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */ ++/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */ + + /* + * Copyright (c) 1996-1997 Sam Leffler +@@ -1233,8 +1233,10 @@ + static void + PixarLogClose(TIFF* tif) + { ++ PixarLogState* sp = (PixarLogState*) tif->tif_data; + TIFFDirectory *td = &tif->tif_dir; + ++ assert(sp != 0); + /* In a really sneaky (and really incorrect, and untruthful, and + * troublesome, and error-prone) maneuver that completely goes against + * the spirit of TIFF, and breaks TIFF, on close, we covertly +@@ -1243,8 +1245,19 @@ + * readers that don't know about PixarLog, or how to set + * the PIXARLOGDATFMT pseudo-tag. + */ +- td->td_bitspersample = 8; +- td->td_sampleformat = SAMPLEFORMAT_UINT; ++ ++ if (sp->state&PLSTATE_INIT) { ++ /* We test the state to avoid an issue such as in ++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604 ++ * What appends in that case is that the bitspersample is 1 and ++ * a TransferFunction is set. The size of the TransferFunction ++ * depends on 1<<bitspersample. So if we increase it, an access ++ * out of the buffer will happen at directory flushing. ++ * Another option would be to clear those targs. ++ */ ++ td->td_bitspersample = 8; ++ td->td_sampleformat = SAMPLEFORMAT_UINT; ++ } + } + + static void diff --git a/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch new file mode 100644 index 0000000000..68889b121b --- /dev/null +++ b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch @@ -0,0 +1,132 @@ +Fix heap-based buffer overflow in TIFFFillStrip(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2608 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to + instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, +rowsperstrip), + instead of a logic based on the total size of data. Which is faulty is + the total size of data is not sufficient to fill the whole image, and +thus + results in reading outside of the StripByCounts/StripOffsets arrays +when + using TIFFReadScanline(). + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. + + * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done + for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 +since + the above change is a better fix that makes it unnecessary. + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1176; previous revision: 1.1175 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- +libtiff/tif_dirread.c +new revision: 1.205; previous revision: 1.204 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v <-- libtiff/tif_strip.c +new revision: 1.38; previous revision: 1.37 + +Index: libtiff/libtiff/tif_dirread.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v +retrieving revision 1.204 +retrieving revision 1.205 +diff -u -r1.204 -r1.205 +--- libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204 ++++ libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205 +@@ -1,4 +1,4 @@ +-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */ ++/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -5502,8 +5502,7 @@ + uint64 rowblockbytes; + uint64 stripbytes; + uint32 strip; +- uint64 nstrips64; +- uint32 nstrips32; ++ uint32 nstrips; + uint32 rowsperstrip; + uint64* newcounts; + uint64* newoffsets; +@@ -5534,18 +5533,17 @@ + return; + + /* +- * never increase the number of strips in an image ++ * never increase the number of rows per strip + */ + if (rowsperstrip >= td->td_rowsperstrip) + return; +- nstrips64 = TIFFhowmany_64(bytecount, stripbytes); +- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ +- return; +- nstrips32 = (uint32)nstrips64; ++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); ++ if( nstrips == 0 ) ++ return; + +- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), ++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); +- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), ++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripOffsets\" array"); + if (newcounts == NULL || newoffsets == NULL) { + /* +@@ -5562,18 +5560,18 @@ + * Fill the strip information arrays with new bytecounts and offsets + * that reflect the broken-up format. + */ +- for (strip = 0; strip < nstrips32; strip++) { ++ for (strip = 0; strip < nstrips; strip++) { + if (stripbytes > bytecount) + stripbytes = bytecount; + newcounts[strip] = stripbytes; +- newoffsets[strip] = offset; ++ newoffsets[strip] = stripbytes ? offset : 0; + offset += stripbytes; + bytecount -= stripbytes; + } + /* + * Replace old single strip info with multi-strip info. + */ +- td->td_stripsperimage = td->td_nstrips = nstrips32; ++ td->td_stripsperimage = td->td_nstrips = nstrips; + TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + + _TIFFfree(td->td_stripbytecount); +Index: libtiff/libtiff/tif_strip.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v +retrieving revision 1.37 +retrieving revision 1.38 +diff -u -r1.37 -r1.38 +--- libtiff/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37 ++++ libtiff/libtiff/tif_strip.c 3 Dec 2016 11:02:15 -0000 1.38 +@@ -1,4 +1,4 @@ +-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */ ++/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */ + + /* + * Copyright (c) 1991-1997 Sam Leffler +@@ -63,15 +63,6 @@ + TIFFDirectory *td = &tif->tif_dir; + uint32 nstrips; + +- /* If the value was already computed and store in td_nstrips, then return it, +- since ChopUpSingleUncompressedStrip might have altered and resized the +- since the td_stripbytecount and td_stripoffset arrays to the new value +- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in +- tif_dirread.c ~line 3612. +- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ +- if( td->td_nstrips ) +- return td->td_nstrips; +- + nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : + TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); + if (td->td_planarconfig == PLANARCONFIG_SEPARATE) diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch new file mode 100644 index 0000000000..f0fef08bf3 --- /dev/null +++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch @@ -0,0 +1,67 @@ +Fix heap buffer overflow in tiffcp when parsing number of inks: + +http://bugzilla.maptools.org/show_bug.cgi?id=2599 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is +called, + limit the return number of inks to SamplesPerPixel, so that code that +parses + ink names doesn't go past the end of the buffer. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1184; previous revision: 1.1183 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c +new revision: 1.128; previous revision: 1.127 + +Index: libtiff/libtiff/tif_dir.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v +retrieving revision 1.127 +retrieving revision 1.128 +diff -u -r1.127 -r1.128 +--- libtiff/libtiff/tif_dir.c 25 Oct 2016 21:35:15 -0000 1.127 ++++ libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128 +@@ -1,4 +1,4 @@ +-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */ ++/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -854,6 +854,32 @@ + if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */ + return 0; + ++ if( tag == TIFFTAG_NUMBEROFINKS ) ++ { ++ int i; ++ for (i = 0; i < td->td_customValueCount; i++) { ++ uint16 val; ++ TIFFTagValue *tv = td->td_customValues + i; ++ if (tv->info->field_tag != tag) ++ continue; ++ val = *(uint16 *)tv->value; ++ /* Truncate to SamplesPerPixel, since the */ ++ /* setting code for INKNAMES assume that there are SamplesPerPixel */ ++ /* inknames. */ ++ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ ++ if( val > td->td_samplesperpixel ) ++ { ++ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", ++ "Truncating NumberOfInks from %u to %u", ++ val, td->td_samplesperpixel); ++ val = td->td_samplesperpixel; ++ } ++ *va_arg(ap, uint16*) = val; ++ return 1; ++ } ++ return 0; ++ } ++ + /* + * We want to force the custom code to be used for custom + * fields even if the tag happens to match a well known diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch new file mode 100644 index 0000000000..8166c55758 --- /dev/null +++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch @@ -0,0 +1,60 @@ +Fix heap-based buffer overflow in combineSeparateSamples16bits(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2621 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in + readSeparateStripsIntoBuffer() to avoid read outside of heap allocated +buffer. + Reported by Agostina Sarubo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1179; previous revision: 1.1178 +/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c +new revision: 1.48; previous revision: 1.47 + +Index: libtiff/tools/tiffcrop.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v +retrieving revision 1.47 +retrieving revision 1.48 +diff -u -r1.47 -r1.48 +--- libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47 ++++ libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */ ++/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */ + + /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of + * the image data through additional options listed below +@@ -4815,10 +4815,17 @@ + nstrips = TIFFNumberOfStrips(in); + strips_per_sample = nstrips /spp; + ++ /* Add 3 padding bytes for combineSeparateSamples32bits */ ++ if( (size_t) stripsize > 0xFFFFFFFFU - 3U ) ++ { ++ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size."); ++ exit(-1); ++ } ++ + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + srcbuffs[s] = NULL; +- buff = _TIFFmalloc(stripsize); ++ buff = _TIFFmalloc(stripsize + 3); + if (!buff) + { + TIFFError ("readSeparateStripsIntoBuffer", +@@ -4827,6 +4834,9 @@ + _TIFFfree (srcbuffs[i]); + return 0; + } ++ buff[stripsize] = 0; ++ buff[stripsize+1] = 0; ++ buff[stripsize+2] = 0; + srcbuffs[s] = buff; + } + diff --git a/gnu/packages/patches/libtiff-invalid-read.patch b/gnu/packages/patches/libtiff-invalid-read.patch new file mode 100644 index 0000000000..92742d8757 --- /dev/null +++ b/gnu/packages/patches/libtiff-invalid-read.patch @@ -0,0 +1,64 @@ +Fix invalid read in t2p_writeproc(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2639 + +2016-12-20 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: avoid potential invalid memory read in + t2p_writeproc. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1198; previous revision: 1.1197 +/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c +new revision: 1.100; previous revision: 1.99 + +Index: libtiff/tools/tiff2pdf.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v +retrieving revision 1.99 +retrieving revision 1.100 +diff -u -r1.99 -r1.100 +--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:13:26 -0000 1.99 ++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100 +@@ -2896,6 +2896,7 @@ + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { + if (count >= 4) { ++ int retTIFFReadRawTile; + /* Ignore EOI marker of JpegTables */ + _TIFFmemcpy(buffer, jpt, count - 2); + bufferoffset += count - 2; +@@ -2903,22 +2904,23 @@ + table_end[0] = buffer[bufferoffset-2]; + table_end[1] = buffer[bufferoffset-1]; + xuint32 = bufferoffset; +- bufferoffset -= 2; +- bufferoffset += TIFFReadRawTile( ++ bufferoffset -= 2; ++ retTIFFReadRawTile= TIFFReadRawTile( + input, + tile, + (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), + -1); ++ if( retTIFFReadRawTile < 0 ) ++ { ++ _TIFFfree(buffer); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return(0); ++ } ++ bufferoffset += retTIFFReadRawTile; + /* Overwrite SOI marker of image scan with previously */ + /* saved end of JpegTables */ + buffer[xuint32-2]=table_end[0]; + buffer[xuint32-1]=table_end[1]; +- } else { +- bufferoffset += TIFFReadRawTile( +- input, +- tile, +- (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), +- -1); + } + } + t2pWriteFile(output, (tdata_t) buffer, bufferoffset); diff --git a/gnu/packages/patches/libtiff-null-dereference.patch b/gnu/packages/patches/libtiff-null-dereference.patch new file mode 100644 index 0000000000..8c6345b804 --- /dev/null +++ b/gnu/packages/patches/libtiff-null-dereference.patch @@ -0,0 +1,42 @@ +Fix NULL pointer dereference in TIFFReadRawData(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2594 + + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffinfo.c: fix null pointer dereference in -r mode when + * the +image has + no StripByteCount tag. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1182; previous revision: 1.1181 +/cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v <-- tools/tiffinfo.c +new revision: 1.26; previous revision: 1.25 + +Index: libtiff/tools/tiffinfo.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v +retrieving revision 1.25 +retrieving revision 1.26 +diff -u -r1.25 -r1.26 +--- libtiff/tools/tiffinfo.c 12 Nov 2016 20:06:05 -0000 1.25 ++++ libtiff/tools/tiffinfo.c 3 Dec 2016 14:18:49 -0000 1.26 +@@ -1,4 +1,4 @@ +-/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */ ++/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -417,7 +417,7 @@ + uint64* stripbc=NULL; + + TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc); +- if (nstrips > 0) { ++ if (stripbc != NULL && nstrips > 0) { + uint32 bufsize = (uint32) stripbc[0]; + tdata_t buf = _TIFFmalloc(bufsize); + tstrip_t s; diff --git a/gnu/packages/patches/libtiff-tiffcp-underflow.patch b/gnu/packages/patches/libtiff-tiffcp-underflow.patch new file mode 100644 index 0000000000..5615cbb3e1 --- /dev/null +++ b/gnu/packages/patches/libtiff-tiffcp-underflow.patch @@ -0,0 +1,41 @@ +Fix a integer underflow in tiffcp that led to heap overflows in +TIFFReverseBits(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2598 + +2016-12-02 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that + can cause various issues, such as buffer overflows in the library. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1174; previous revision: 1.1173 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.56; previous revision: 1.55 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.55 +retrieving revision 1.56 +diff -u -r1.55 -r1.56 +--- libtiff/tools/tiffcp.c 8 Oct 2016 15:54:57 -0000 1.55 ++++ libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */ ++/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -985,7 +985,7 @@ + tstrip_t s, ns = TIFFNumberOfStrips(in); + uint32 row = 0; + _TIFFmemset(buf, 0, stripsize); +- for (s = 0; s < ns; s++) { ++ for (s = 0; s < ns && row < imagelength; s++) { + tsize_t cc = (row + rowsperstrip > imagelength) ? + TIFFVStripSize(in, imagelength - row) : stripsize; + if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 |