diff options
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch')
| -rw-r--r-- | gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch | 295 |
1 files changed, 0 insertions, 295 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch deleted file mode 100644 index 62d903c650..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch +++ /dev/null @@ -1,295 +0,0 @@ -Copied from Debian - -From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sun, 21 Dec 2014 15:15:31 +0000 -Subject: [PATCH] Fix various crasher bugs on fuzzed images. * - libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for - TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing - the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read - ColorMap or TransferFunction if BitsPerSample has not yet been read, - otherwise reading it later will cause user code to crash if BitsPerSample > 1 - * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with - SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample - != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images - instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int - overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to - invalid tile count (should likely be checked by libtiff too). Detect invalid - settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * - tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * - tools/tiffdump.c: fix crash due to overflow of entry count. - ---- - ChangeLog | 19 +++++++++++++++++++ - libtiff/tif_dir.c | 21 +++++++++++++++++++-- - libtiff/tif_dirread.c | 17 +++++++++++++++++ - libtiff/tif_getimage.c | 15 +++++++++++++++ - libtiff/tif_next.c | 2 ++ - tools/bmp2tiff.c | 15 +++++++++++++++ - tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++ - tools/tiffcrop.c | 7 ++++--- - tools/tiffdump.c | 9 ++++++--- - 9 files changed, 138 insertions(+), 8 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index 98cf66d..ab43a28 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - TIFFDirectory* td = &tif->tif_dir; - int status = 1; - uint32 v32, i, v; -+ double dblval; - char* s; - const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); - uint32 standard_tag = tag; -@@ -284,10 +285,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); - break; - case TIFFTAG_XRESOLUTION: -- td->td_xresolution = (float) va_arg(ap, double); -+ dblval = va_arg(ap, double); -+ if( dblval < 0 ) -+ goto badvaluedouble; -+ td->td_xresolution = (float) dblval; - break; - case TIFFTAG_YRESOLUTION: -- td->td_yresolution = (float) va_arg(ap, double); -+ dblval = va_arg(ap, double); -+ if( dblval < 0 ) -+ goto badvaluedouble; -+ td->td_yresolution = (float) dblval; - break; - case TIFFTAG_PLANARCONFIG: - v = (uint16) va_arg(ap, uint16_vap); -@@ -694,6 +701,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - va_end(ap); - } - return (0); -+badvaluedouble: -+ { -+ const TIFFField* fip=TIFFFieldWithTag(tif,tag); -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "%s: Bad value %f for \"%s\" tag", -+ tif->tif_name, dblval, -+ fip ? fip->field_name : "Unknown"); -+ va_end(ap); -+ } -+ return (0); - } - - /* -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 391c823..f66c9a7 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -3430,6 +3430,8 @@ TIFFReadDirectory(TIFF* tif) - const TIFFField* fip; - uint32 fii=FAILED_FII; - toff_t nextdiroff; -+ int bitspersample_read = FALSE; -+ - tif->tif_diroff=tif->tif_nextdiroff; - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) - return 0; /* last offset or bad offset (IFD looping) */ -@@ -3706,6 +3708,8 @@ TIFFReadDirectory(TIFF* tif) - } - if (!TIFFSetField(tif,dp->tdir_tag,value)) - goto bad; -+ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) -+ bitspersample_read = TRUE; - } - break; - case TIFFTAG_SMINSAMPLEVALUE: -@@ -3763,6 +3767,19 @@ TIFFReadDirectory(TIFF* tif) - uint32 countrequired; - uint32 incrementpersample; - uint16* value=NULL; -+ /* It would be dangerous to instanciate those tag values */ -+ /* since if td_bitspersample has not yet been read (due to */ -+ /* unordered tags), it could be read afterwards with a */ -+ /* values greater than the default one (1), which may cause */ -+ /* crashes in user code */ -+ if( !bitspersample_read ) -+ { -+ fip = TIFFFieldWithTag(tif,dp->tdir_tag); -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "Ignoring %s since BitsPerSample tag not found", -+ fip ? fip->field_name : "unknown tagname"); -+ continue; -+ } - countpersample=(1L<<tif->tif_dir.td_bitspersample); - if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) - { -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 074d32a..396ad08 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -182,8 +182,23 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) - "Planarconfiguration", td->td_planarconfig); - return (0); - } -+ if( td->td_samplesperpixel != 3 ) -+ { -+ sprintf(emsg, -+ "Sorry, can not handle image with %s=%d", -+ "Samples/pixel", td->td_samplesperpixel); -+ return 0; -+ } - break; - case PHOTOMETRIC_CIELAB: -+ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ { -+ sprintf(emsg, -+ "Sorry, can not handle image with %s=%d and %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "Bits/sample", td->td_bitspersample); -+ return 0; -+ } - break; - default: - sprintf(emsg, "Sorry, can not handle image with %s=%d", -diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c -index 55e2537..a53c716 100644 ---- a/libtiff/tif_next.c -+++ b/libtiff/tif_next.c -@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) - default: { - uint32 npixels = 0, grey; - uint32 imagewidth = tif->tif_dir.td_imagewidth; -+ if( isTiled(tif) ) -+ imagewidth = tif->tif_dir.td_tilewidth; - - /* - * The scanline is composed of a sequence of constant -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index dfda963..f202b41 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -1167,6 +1167,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) - && (xuint16 == PLANARCONFIG_SEPARATE ) ){ - TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); -+ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) -+ { -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Invalid tile count, %s", -+ TIFFFileName(input)); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->tiff_tiles[i].tiles_tilecount/= xuint16; - } - if( t2p->tiff_tiles[i].tiles_tilecount > 0){ -@@ -1552,6 +1561,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - #endif - break; - case PHOTOMETRIC_CIELAB: -+ if( t2p->tiff_samplesperpixel != 3){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Unsupported samplesperpixel = %d for CIELAB", -+ t2p->tiff_samplesperpixel); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } -+ if( t2p->tiff_bitspersample != 8){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Invalid bitspersample = %d for CIELAB", -+ t2p->tiff_bitspersample); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->pdf_labrange[0]= -127; - t2p->pdf_labrange[1]= 127; - t2p->pdf_labrange[2]= -127; -@@ -1567,6 +1592,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - t2p->pdf_colorspace=T2P_CS_LAB; - break; - case PHOTOMETRIC_ITULAB: -+ if( t2p->tiff_samplesperpixel != 3){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Unsupported samplesperpixel = %d for ITULAB", -+ t2p->tiff_samplesperpixel); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } -+ if( t2p->tiff_bitspersample != 8){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Invalid bitspersample = %d for ITULAB", -+ t2p->tiff_bitspersample); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->pdf_labrange[0]=-85; - t2p->pdf_labrange[1]=85; - t2p->pdf_labrange[2]=-75; -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index f5530bb..4088463 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, - tsize_t tilesize = TIFFTileSize(out); - unsigned char *tilebuf = NULL; - -- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); -- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); -- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || -+ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || -+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) -+ return 1; - - tile_buffsize = tilesize; - if (tilesize < (tsize_t)(tl * tile_rowsize)) -diff --git a/tools/tiffdump.c b/tools/tiffdump.c -index cf5d62f..8247765 100644 ---- a/tools/tiffdump.c -+++ b/tools/tiffdump.c -@@ -374,6 +374,8 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) - void* datamem; - uint64 dataoffset; - int datatruncated; -+ int datasizeoverflow; -+ - tag = *(uint16*)dp; - if (swabflag) - TIFFSwabShort(&tag); -@@ -412,13 +414,14 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) - else - typewidth = datawidth[type]; - datasize = count*typewidth; -+ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); - datafits = 1; - datamem = dp; - dataoffset = 0; - datatruncated = 0; - if (!bigtiff) - { -- if (datasize>4) -+ if (datasizeoverflow || datasize>4) - { - uint32 dataoffset32; - datafits = 0; -@@ -432,7 +435,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) - } - else - { -- if (datasize>8) -+ if (datasizeoverflow || datasize>8) - { - datafits = 0; - datamem = NULL; -@@ -442,7 +445,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) - } - dp += sizeof(uint64); - } -- if (datasize>0x10000) -+ if (datasizeoverflow || datasize>0x10000) - { - datatruncated = 1; - count = 0x10000/typewidth; |