diff options
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2016-3991.patch')
| -rw-r--r-- | gnu/packages/patches/libtiff-CVE-2016-3991.patch | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3991.patch b/gnu/packages/patches/libtiff-CVE-2016-3991.patch new file mode 100644 index 0000000000..cb05f0007f --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-3991.patch @@ -0,0 +1,123 @@ +Fix CVE-2016-3991 (out-of-bounds write in loadImage()). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991 +http://bugzilla.maptools.org/show_bug.cgi?id=2543 + +Patch extracted from upstream CVS repo with: +$ cvs diff -u -r1.37 -r1.38 tools/tiffcrop.c + +Index: tools/tiffcrop.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v +retrieving revision 1.37 +retrieving revision 1.38 +diff -u -r1.37 -r1.38 +--- libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37 ++++ libtiff/tools/tiffcrop.c 15 Aug 2016 21:05:40 -0000 1.38 +@@ -798,6 +798,11 @@ + } + + tile_buffsize = tilesize; ++ if (tilesize == 0 || tile_rowsize == 0) ++ { ++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); ++ exit(-1); ++ } + + if (tilesize < (tsize_t)(tl * tile_rowsize)) + { +@@ -807,7 +812,12 @@ + tilesize, tl * tile_rowsize); + #endif + tile_buffsize = tl * tile_rowsize; +- } ++ if (tl != (tile_buffsize / tile_rowsize)) ++ { ++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); ++ exit(-1); ++ } ++ } + + tilebuf = _TIFFmalloc(tile_buffsize); + if (tilebuf == 0) +@@ -1210,6 +1220,12 @@ + !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) + return 1; + ++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) ++ { ++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); ++ exit(-1); ++ } ++ + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) + { +@@ -1219,6 +1235,11 @@ + tilesize, tl * tile_rowsize); + #endif + tile_buffsize = tl * tile_rowsize; ++ if (tl != tile_buffsize / tile_rowsize) ++ { ++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } + } + + tilebuf = _TIFFmalloc(tile_buffsize); +@@ -5945,12 +5966,27 @@ + TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); + + tile_rowsize = TIFFTileRowSize(in); ++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) ++ { ++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); ++ exit(-1); ++ } + buffsize = tlsize * ntiles; ++ if (tlsize != (buffsize / ntiles)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } + +- + if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) + { + buffsize = ntiles * tl * tile_rowsize; ++ if (ntiles != (buffsize / tl / tile_rowsize)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } ++ + #ifdef DEBUG2 + TIFFError("loadImage", + "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", +@@ -5969,8 +6005,25 @@ + TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); + stsize = TIFFStripSize(in); + nstrips = TIFFNumberOfStrips(in); ++ if (nstrips == 0 || stsize == 0) ++ { ++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); ++ exit(-1); ++ } ++ + buffsize = stsize * nstrips; +- ++ if (stsize != (buffsize / nstrips)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } ++ uint32 buffsize_check; ++ buffsize_check = ((length * width * spp * bps) + 7); ++ if (length != ((buffsize_check - 7) / width / spp / bps)) ++ { ++ TIFFError("loadImage", "Integer overflow detected."); ++ exit(-1); ++ } + if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) + { + buffsize = ((length * width * spp * bps) + 7) / 8; |