aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-06-16 00:59:15 -0400
committerMark H Weaver <mhw@netris.org>2015-06-16 01:02:01 -0400
commit8e28d22c914122aa7bfb70847370d8ae0f070688 (patch)
tree14ffa1b7954a3f67c4057bc03ab35c993e98120f /gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
parent7d02724b7bddb4d5e1cc93db99f737baa26840ca (diff)
downloadguix-8e28d22c914122aa7bfb70847370d8ae0f070688.tar
guix-8e28d22c914122aa7bfb70847370d8ae0f070688.tar.gz
gnu: libtiff: Add fixes for several CVEs.
* gnu/packages/patches/libtiff-CVE-2012-4564.patch, gnu/packages/patches/libtiff-CVE-2013-1960.patch, gnu/packages/patches/libtiff-CVE-2013-1961.patch, gnu/packages/patches/libtiff-CVE-2013-4231.patch, gnu/packages/patches/libtiff-CVE-2013-4232.patch, gnu/packages/patches/libtiff-CVE-2013-4243.patch, gnu/packages/patches/libtiff-CVE-2013-4244.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch, gnu/packages/patches/libtiff-CVE-2014-8129.patch, gnu/packages/patches/libtiff-CVE-2014-9330.patch, gnu/packages/patches/libtiff-CVE-2014-9655.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch')
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch295
1 files changed, 295 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
new file mode 100644
index 0000000000..62d903c650
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
@@ -0,0 +1,295 @@
+Copied from Debian
+
+From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 15:15:31 +0000
+Subject: [PATCH] Fix various crasher bugs on fuzzed images. *
+ libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
+ TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
+ the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read
+ ColorMap or TransferFunction if BitsPerSample has not yet been read,
+ otherwise reading it later will cause user code to crash if BitsPerSample > 1
+ * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
+ SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample
+ != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
+ instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int
+ overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to
+ invalid tile count (should likely be checked by libtiff too). Detect invalid
+ settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB *
+ tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight *
+ tools/tiffdump.c: fix crash due to overflow of entry count.
+
+---
+ ChangeLog | 19 +++++++++++++++++++
+ libtiff/tif_dir.c | 21 +++++++++++++++++++--
+ libtiff/tif_dirread.c | 17 +++++++++++++++++
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ libtiff/tif_next.c | 2 ++
+ tools/bmp2tiff.c | 15 +++++++++++++++
+ tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ tools/tiffcrop.c | 7 ++++---
+ tools/tiffdump.c | 9 ++++++---
+ 9 files changed, 138 insertions(+), 8 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 98cf66d..ab43a28 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
++ double dblval;
+ char* s;
+ const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
+ uint32 standard_tag = tag;
+@@ -284,10 +285,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
+ break;
+ case TIFFTAG_XRESOLUTION:
+- td->td_xresolution = (float) va_arg(ap, double);
++ dblval = va_arg(ap, double);
++ if( dblval < 0 )
++ goto badvaluedouble;
++ td->td_xresolution = (float) dblval;
+ break;
+ case TIFFTAG_YRESOLUTION:
+- td->td_yresolution = (float) va_arg(ap, double);
++ dblval = va_arg(ap, double);
++ if( dblval < 0 )
++ goto badvaluedouble;
++ td->td_yresolution = (float) dblval;
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -694,6 +701,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ va_end(ap);
+ }
+ return (0);
++badvaluedouble:
++ {
++ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "%s: Bad value %f for \"%s\" tag",
++ tif->tif_name, dblval,
++ fip ? fip->field_name : "Unknown");
++ va_end(ap);
++ }
++ return (0);
+ }
+
+ /*
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 391c823..f66c9a7 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3430,6 +3430,8 @@ TIFFReadDirectory(TIFF* tif)
+ const TIFFField* fip;
+ uint32 fii=FAILED_FII;
+ toff_t nextdiroff;
++ int bitspersample_read = FALSE;
++
+ tif->tif_diroff=tif->tif_nextdiroff;
+ if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+ return 0; /* last offset or bad offset (IFD looping) */
+@@ -3706,6 +3708,8 @@ TIFFReadDirectory(TIFF* tif)
+ }
+ if (!TIFFSetField(tif,dp->tdir_tag,value))
+ goto bad;
++ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
++ bitspersample_read = TRUE;
+ }
+ break;
+ case TIFFTAG_SMINSAMPLEVALUE:
+@@ -3763,6 +3767,19 @@ TIFFReadDirectory(TIFF* tif)
+ uint32 countrequired;
+ uint32 incrementpersample;
+ uint16* value=NULL;
++ /* It would be dangerous to instanciate those tag values */
++ /* since if td_bitspersample has not yet been read (due to */
++ /* unordered tags), it could be read afterwards with a */
++ /* values greater than the default one (1), which may cause */
++ /* crashes in user code */
++ if( !bitspersample_read )
++ {
++ fip = TIFFFieldWithTag(tif,dp->tdir_tag);
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "Ignoring %s since BitsPerSample tag not found",
++ fip ? fip->field_name : "unknown tagname");
++ continue;
++ }
+ countpersample=(1L<<tif->tif_dir.td_bitspersample);
+ if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
+ {
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 074d32a..396ad08 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -182,8 +182,23 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
++ if( td->td_samplesperpixel != 3 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d",
++ "Samples/pixel", td->td_samplesperpixel);
++ return 0;
++ }
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d and %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "Bits/sample", td->td_bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ sprintf(emsg, "Sorry, can not handle image with %s=%d",
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 55e2537..a53c716 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ default: {
+ uint32 npixels = 0, grey;
+ uint32 imagewidth = tif->tif_dir.td_imagewidth;
++ if( isTiled(tif) )
++ imagewidth = tif->tif_dir.td_tilewidth;
+
+ /*
+ * The scanline is composed of a sequence of constant
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index dfda963..f202b41 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1167,6 +1167,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
+ && (xuint16 == PLANARCONFIG_SEPARATE ) ){
+ TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
++ {
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid tile count, %s",
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
+ }
+ if( t2p->tiff_tiles[i].tiles_tilecount > 0){
+@@ -1552,6 +1561,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ #endif
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( t2p->tiff_samplesperpixel != 3){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Unsupported samplesperpixel = %d for CIELAB",
++ t2p->tiff_samplesperpixel);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ if( t2p->tiff_bitspersample != 8){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid bitspersample = %d for CIELAB",
++ t2p->tiff_bitspersample);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->pdf_labrange[0]= -127;
+ t2p->pdf_labrange[1]= 127;
+ t2p->pdf_labrange[2]= -127;
+@@ -1567,6 +1592,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ t2p->pdf_colorspace=T2P_CS_LAB;
+ break;
+ case PHOTOMETRIC_ITULAB:
++ if( t2p->tiff_samplesperpixel != 3){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Unsupported samplesperpixel = %d for ITULAB",
++ t2p->tiff_samplesperpixel);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ if( t2p->tiff_bitspersample != 8){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid bitspersample = %d for ITULAB",
++ t2p->tiff_bitspersample);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->pdf_labrange[0]=-85;
+ t2p->pdf_labrange[1]=85;
+ t2p->pdf_labrange[2]=-75;
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f5530bb..4088463 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ tsize_t tilesize = TIFFTileSize(out);
+ unsigned char *tilebuf = NULL;
+
+- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
++ return 1;
+
+ tile_buffsize = tilesize;
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
+diff --git a/tools/tiffdump.c b/tools/tiffdump.c
+index cf5d62f..8247765 100644
+--- a/tools/tiffdump.c
++++ b/tools/tiffdump.c
+@@ -374,6 +374,8 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
+ void* datamem;
+ uint64 dataoffset;
+ int datatruncated;
++ int datasizeoverflow;
++
+ tag = *(uint16*)dp;
+ if (swabflag)
+ TIFFSwabShort(&tag);
+@@ -412,13 +414,14 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
+ else
+ typewidth = datawidth[type];
+ datasize = count*typewidth;
++ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count);
+ datafits = 1;
+ datamem = dp;
+ dataoffset = 0;
+ datatruncated = 0;
+ if (!bigtiff)
+ {
+- if (datasize>4)
++ if (datasizeoverflow || datasize>4)
+ {
+ uint32 dataoffset32;
+ datafits = 0;
+@@ -432,7 +435,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
+ }
+ else
+ {
+- if (datasize>8)
++ if (datasizeoverflow || datasize>8)
+ {
+ datafits = 0;
+ datamem = NULL;
+@@ -442,7 +445,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
+ }
+ dp += sizeof(uint64);
+ }
+- if (datasize>0x10000)
++ if (datasizeoverflow || datasize>0x10000)
+ {
+ datatruncated = 1;
+ count = 0x10000/typewidth;
generated by cgit v1.2.3 (git 2.45.0) at 2025-01-11 10:36:13 +0000