aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch')
-rw-r--r--gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch107
1 files changed, 107 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
new file mode 100644
index 0000000000..811516dbe9
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
@@ -0,0 +1,107 @@
+2015-12-26 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+ CVE-2015-8683 reported by zzf of Alibaba.
+
+diff -u -r1.93 -r1.94
+--- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93
++++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94
+@@ -182,20 +182,22 @@
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
+- if( td->td_samplesperpixel != 3 )
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+ {
+ sprintf(emsg,
+- "Sorry, can not handle image with %s=%d",
+- "Samples/pixel", td->td_samplesperpixel);
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
+ return 0;
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+ {
+ sprintf(emsg,
+- "Sorry, can not handle image with %s=%d and %s=%d",
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
+@@ -255,6 +257,9 @@
+ int colorchannels;
+ uint16 *red_orig, *green_orig, *blue_orig;
+ int n_color;
++
++ if( !TIFFRGBAImageOK(tif, emsg) )
++ return 0;
+
+ /* Initialize to normal values */
+ img->row_offset = 0;
+@@ -2509,29 +2514,33 @@
+ case PHOTOMETRIC_RGB:
+ switch (img->bitspersample) {
+ case 8:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >= 4)
+ img->put.contig = putRGBAAcontig8bittile;
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >= 4)
+ {
+ if (BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig8bittile;
+ }
+- else
++ else if( img->samplesperpixel >= 3 )
+ img->put.contig = putRGBcontig8bittile;
+ break;
+ case 16:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBAAcontig16bittile;
+ }
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img) &&
+ BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig16bittile;
+ }
+- else
++ else if( img->samplesperpixel >=3 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBcontig16bittile;
+@@ -2540,7 +2549,7 @@
+ }
+ break;
+ case PHOTOMETRIC_SEPARATED:
+- if (buildMap(img)) {
++ if (img->samplesperpixel >=4 && buildMap(img)) {
+ if (img->bitspersample == 8) {
+ if (!img->Map)
+ img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2636,7 +2645,7 @@
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if (buildMap(img)) {
++ if (img->samplesperpixel == 3 && buildMap(img)) {
+ if (img->bitspersample == 8)
+ img->put.contig = initCIELabConversion(img);
+ break;