pool/tiff
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 21235 from graphics

Browse Source 
Copy from graphics/tiff based on submit request 21235 from user msmeissn

OBS-URL: https://build.opensuse.org/request/show/21235
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=12
This commit is contained in:
OBS User autobuild 2009-10-02 21:28:01 +00:00 committed by Git OBS Bridge
parent 63f682b29a
commit 0dc7942c47
3 changed files with 180 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
tiff-3.8.2-CVE-2009-2347.patch Normal file
View File

@ -0,0 +1,170 @@
Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
possible integer overflow in calculation of buffer sizes.
CVE-2009-2347
diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
+++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
@@ -202,6 +202,17 @@
#undef LumaBlue
#undef V2Code
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
/*
* Convert a strip of RGB data to YCbCr and
* sample to generate the output data.
@@ -278,10 +289,19 @@
float floatv;
char *stringv;
uint32 longv;
+ tsize_t raster_size;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
+++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
@@ -124,6 +124,17 @@
return (0);
}
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
static int
cvt_by_tile( TIFF *in, TIFF *out )
@@ -133,6 +144,7 @@
uint32 tile_width, tile_height;
uint32 row, col;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -150,7 +162,14 @@
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) tile_width, (unsigned long) tile_height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -158,7 +177,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
if (!wrk_line) {
@@ -226,6 +245,7 @@
uint32 width, height; /* image width & height */
uint32 row;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -241,7 +261,14 @@
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) rowsperstrip);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -249,7 +276,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
if (!wrk_line) {
@@ -328,14 +355,22 @@
uint32* raster; /* retrieve RGBA image */
uint32 width, height; /* image width & height */
uint32 row;
-
+ tsize_t raster_size;
+
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -353,7 +388,7 @@
*/
if( no_alpha )
{
- int pixel_count = width * height;
+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
unsigned char *src, *dst;
src = (unsigned char *) raster;

6
tiff.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Aug 6 14:02:07 CEST 2009 - pgajdos@suse.cz
- fixed integer overflows [bnc#519796]
* CVE-2009-2347.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 2 16:33:02 CEST 2009 - nadvornik@suse.cz Thu Jul 2 16:33:02 CEST 2009 - nadvornik@suse.cz

5
tiff.spec
View File

@ -29,7 +29,7 @@ Obsoletes: tiff-64bit
# #
Url: http://www.remotesensing.org/libtiff/ Url: http://www.remotesensing.org/libtiff/
Version: 3.8.2 Version: 3.8.2
Release: 143 Release: 144
Summary: Tools for Converting from and to the Tiff Format Summary: Tools for Converting from and to the Tiff Format
Source: tiff-%{version}.tar.bz2 Source: tiff-%{version}.tar.bz2
Source1: jpegint.h Source1: jpegint.h
@ -42,6 +42,7 @@ Patch6: tiff-%{version}-tif_lzw.c-CVE-2008-2327-2.patch
Patch7: tiff-am.patch Patch7: tiff-am.patch
Patch8: tiff-3.8.2-bnc444079.patch Patch8: tiff-3.8.2-bnc444079.patch
Patch9: tiff-3.8.2-lzw-CVE-2009-2285.patch Patch9: tiff-3.8.2-lzw-CVE-2009-2285.patch
Patch10: tiff-%{version}-CVE-2009-2347.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
@ -106,6 +107,7 @@ the libtiff library.
%patch7 %patch7
%patch8 %patch8
%patch9 %patch9
%patch10 -p1
cp %{S:1} libtiff cp %{S:1} libtiff
find -type d -name "CVS" | xargs rm -rfv find -type d -name "CVS" | xargs rm -rfv
find -type d | xargs chmod 755 find -type d | xargs chmod 755
@ -129,6 +131,7 @@ done
cp %{S:2} . cp %{S:2} .
rm -rf $RPM_BUILD_ROOT/usr/share/doc/tiff* rm -rf $RPM_BUILD_ROOT/usr/share/doc/tiff*
rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la
find html -name "Makefile*" | xargs rm
%post -n libtiff3 -p /sbin/ldconfig %post -n libtiff3 -p /sbin/ldconfig