Accepting request 21235 from graphics

Copy from graphics/tiff based on submit request 21235 from user msmeissn

OBS-URL: https://build.opensuse.org/request/show/21235
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=12

tiff-3.8.2-CVE-2009-2347.patch

@@ -0,0 +1,170 @@
+Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
+possible integer overflow in calculation of buffer sizes.
+
+CVE-2009-2347
+
+
+diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
+--- tiff-3.8.2.orig/tools/rgb2ycbcr.c	2004-09-03 03:57:13.000000000 -0400
++++ tiff-3.8.2/tools/rgb2ycbcr.c	2009-07-10 17:12:32.000000000 -0400
+@@ -202,6 +202,17 @@
+ #undef LumaBlue
+ #undef V2Code
+ 
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++    tsize_t prod = m1 * m2;
++
++    if (m1 && prod / m1 != m2)
++        prod = 0;		/* overflow */
++
++    return prod;
++}
++
+ /*
+  * Convert a strip of RGB data to YCbCr and
+  * sample to generate the output data.
+@@ -278,10 +289,19 @@
+ 	float floatv;
+ 	char *stringv;
+ 	uint32 longv;
++	tsize_t raster_size;
+ 
+ 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+-	raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++
++	raster_size = multiply(multiply(width, height), sizeof (uint32));
++	if (!raster_size) {
++		TIFFError(TIFFFileName(in),
++			  "Can't allocate buffer for raster of size %lux%lu",
++			  (unsigned long) width, (unsigned long) height);
++		return (0);
++	}
++	raster = (uint32*)_TIFFmalloc(raster_size);
+ 	if (raster == 0) {
+ 		TIFFError(TIFFFileName(in), "No space for raster buffer");
+ 		return (0);
+diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
+--- tiff-3.8.2.orig/tools/tiff2rgba.c	2004-11-07 06:08:37.000000000 -0500
++++ tiff-3.8.2/tools/tiff2rgba.c	2009-07-10 17:06:42.000000000 -0400
+@@ -124,6 +124,17 @@
+     return (0);
+ }
+ 
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++    tsize_t prod = m1 * m2;
++
++    if (m1 && prod / m1 != m2)
++        prod = 0;		/* overflow */
++
++    return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+ 
+@@ -133,6 +144,7 @@
+     uint32  tile_width, tile_height;
+     uint32  row, col;
+     uint32  *wrk_line;
++    tsize_t raster_size;
+     int	    ok = 1;
+ 
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -150,7 +162,14 @@
+     /*
+      * Allocate tile buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++    raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
++    if (!raster_size) {
++	TIFFError(TIFFFileName(in),
++		  "Can't allocate buffer for raster of size %lux%lu",
++		  (unsigned long) tile_width, (unsigned long) tile_height);
++	return (0);
++    }
++    raster = (uint32*)_TIFFmalloc(raster_size);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+@@ -158,7 +177,7 @@
+ 
+     /*
+      * Allocate a scanline buffer for swapping during the vertical
+-     * mirroring pass.
++     * mirroring pass.  (Request can't overflow given prior checks.)
+      */
+     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+     if (!wrk_line) {
+@@ -226,6 +245,7 @@
+     uint32  width, height;		/* image width & height */
+     uint32  row;
+     uint32  *wrk_line;
++    tsize_t raster_size;
+     int	    ok = 1;
+ 
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -241,7 +261,14 @@
+     /*
+      * Allocate strip buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++    if (!raster_size) {
++	TIFFError(TIFFFileName(in),
++		  "Can't allocate buffer for raster of size %lux%lu",
++		  (unsigned long) width, (unsigned long) rowsperstrip);
++	return (0);
++    }
++    raster = (uint32*)_TIFFmalloc(raster_size);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+@@ -249,7 +276,7 @@
+ 
+     /*
+      * Allocate a scanline buffer for swapping during the vertical
+-     * mirroring pass.
++     * mirroring pass.  (Request can't overflow given prior checks.)
+      */
+     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+     if (!wrk_line) {
+@@ -328,14 +355,22 @@
+     uint32* raster;			/* retrieve RGBA image */
+     uint32  width, height;		/* image width & height */
+     uint32  row;
+-        
++    tsize_t raster_size;
++
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+ 
+     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ 
+-    raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++    raster_size = multiply(multiply(width, height), sizeof (uint32));
++    if (!raster_size) {
++	TIFFError(TIFFFileName(in),
++		  "Can't allocate buffer for raster of size %lux%lu",
++		  (unsigned long) width, (unsigned long) height);
++	return (0);
++    }
++    raster = (uint32*)_TIFFmalloc(raster_size);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+@@ -353,7 +388,7 @@
+     */
+     if( no_alpha )
+     {
+-        int	pixel_count = width * height;
++        tsize_t  pixel_count = (tsize_t) width * (tsize_t) height;
+         unsigned char *src, *dst;
+ 
+         src = (unsigned char *) raster;
+

tiff.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Aug  6 14:02:07 CEST 2009 - pgajdos@suse.cz
+
+- fixed integer overflows [bnc#519796]
+  * CVE-2009-2347.patch
+
 -------------------------------------------------------------------
 Thu Jul  2 16:33:02 CEST 2009 - nadvornik@suse.cz
 

tiff.spec

@@ -29,7 +29,7 @@ Obsoletes:      tiff-64bit
 #
 Url:            http://www.remotesensing.org/libtiff/
 Version:        3.8.2
-Release:        143
+Release:        144
 Summary:        Tools for Converting from and to the Tiff  Format
 Source:         tiff-%{version}.tar.bz2
 Source1:        jpegint.h
@@ -42,6 +42,7 @@ Patch6:         tiff-%{version}-tif_lzw.c-CVE-2008-2327-2.patch
 Patch7:         tiff-am.patch
 Patch8:         tiff-3.8.2-bnc444079.patch
 Patch9:         tiff-3.8.2-lzw-CVE-2009-2285.patch
+Patch10:        tiff-%{version}-CVE-2009-2347.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -106,6 +107,7 @@ the libtiff library.
 %patch7
 %patch8
 %patch9
+%patch10 -p1
 cp %{S:1} libtiff
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
@@ -129,6 +131,7 @@ done
 cp %{S:2} .
 rm -rf $RPM_BUILD_ROOT/usr/share/doc/tiff*
 rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la
+find html -name "Makefile*" | xargs rm
 
 %post -n libtiff3 -p /sbin/ldconfig