pool/tiff
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 442627 from graphics

Browse Source 
Libtiff 4.0.7 with miscelaneous security fixes

OBS-URL: https://build.opensuse.org/request/show/442627
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=62
This commit is contained in:
Dominique Leuenberger 2016-12-02 15:37:11 +00:00 committed by Git OBS Bridge
commit 126c43f4c3
17 changed files with 255 additions and 885 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
View File

@ -1,36 +0,0 @@
--- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
+++ libtiff/tif_next.c 27 Dec 2015 16:55:20 -0000 1.17
@@ -37,7 +37,7 @@
case 0: op[0] = (unsigned char) ((v) << 6); break; \
case 1: op[0] |= (v) << 4; break; \
case 2: op[0] |= (v) << 2; break; \
- case 3: *op++ |= (v); break; \
+ case 3: *op++ |= (v); op_offset++; break; \
} \
}
@@ -106,6 +106,7 @@
uint32 imagewidth = tif->tif_dir.td_imagewidth;
if( isTiled(tif) )
imagewidth = tif->tif_dir.td_tilewidth;
+ tmsize_t op_offset = 0;
/*
* The scanline is composed of a sequence of constant
@@ -122,10 +123,15 @@
* bounds, potentially resulting in a security
* issue.
*/
- while (n-- > 0 && npixels < imagewidth)
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
SETPIXEL(op, grey);
if (npixels >= imagewidth)
break;
+ if (op_offset >= scanline ) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+ (long) tif->tif_row);
+ return (0);
+ }
if (cc == 0)
goto bad;
n = *bp++, cc--;

157
tiff-4.0.6-CVE-2015-8782.patch
View File

@ -1,157 +0,0 @@
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
tp = (int16*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (int16*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 2*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ if( cc < 2 )
+ break;
+ rc = *bp++ + (2-128);
b = (int16)(*bp++ << shft);
cc -= 2;
while (rc-- && i < npixels)
@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
while (--cc && rc-- && i < npixels)
tp[i++] |= (int16)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32 *)op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32 *) sp->tbuf;
}
/* copy to array of uint32 */
bp = (unsigned char*) tif->tif_rawcp;
cc = tif->tif_rawcc;
- for (i = 0; i < npixels && cc > 0; i++) {
+ for (i = 0; i < npixels && cc >= 3; i++) {
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
bp += 3;
cc -= 3;
@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 4*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
+ if( cc < 2 )
+ break;
rc = *bp++ + (2-128);
b = (uint32)*bp++ << shft;
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ cc -= 2;
while (rc-- && i < npixels)
tp[i++] |= b;
} else { /* non-run */
@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
while (--cc && rc-- && i < npixels)
tp[i++] |= (uint32)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogL16Encode";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (int16*) bp;
else {
tp = (int16*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */
@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode24";
LogLuvState* sp = EncoderState(tif);
tmsize_t i;
tmsize_t npixels;
@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* write out encoded pixels */
@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode32";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */

11
tiff-4.0.6-CVE-2016-3186.patch
View File

@ -1,11 +0,0 @@
--- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200
+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200
@@ -349,7 +349,7 @@
int status = 1;
(void) getc(infile);
- while ((count = getc(infile)) && count <= 255)
+ while ((count = getc(infile)) && count > 0 && count <= 255)
if (fread(buf, 1, count, infile) != (size_t) count) {
fprintf(stderr, "short read from file %s (%s)\n",
filename, strerror(errno));

16
tiff-4.0.6-CVE-2016-3623.patch
View File

@ -1,16 +0,0 @@
--- tiff-4.0.6/tools/rgb2ycbcr.c 2015-08-29 00:17:08.195093258 +0200
+++ tiff-4.0.6/tools/rgb2ycbcr.c 2016-09-01 16:23:31.472089246 +0200
@@ -95,9 +95,13 @@
break;
case 'h':
horizSubSampling = atoi(optarg);
+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
+ usage(-1);
break;
case 'v':
vertSubSampling = atoi(optarg);
+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
+ usage(-1);
break;
case 'r':
rowsperstrip = atoi(optarg);

78
tiff-4.0.6-CVE-2016-3945.patch
View File

@ -1,78 +0,0 @@
--- tiff-4.0.6/tools/tiff2rgba.c 2015-08-29 00:17:08.259977702 +0200
+++ tiff-4.0.6/tools/tiff2rgba.c 2016-09-01 16:05:40.451318911 +0200
@@ -147,6 +147,7 @@
uint32 row, col;
uint32 *wrk_line;
int ok = 1;
+ uint32 rastersize, wrk_linesize;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -163,7 +164,13 @@
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ rastersize = tile_width * tile_height * sizeof (uint32);
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -173,7 +180,13 @@
* Allocate a scanline buffer for swapping during the vertical
* mirroring pass.
*/
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ wrk_linesize = tile_width * sizeof (uint32);
+ if (tile_width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
if (!wrk_line) {
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
ok = 0;
@@ -249,6 +262,7 @@
uint32 row;
uint32 *wrk_line;
int ok = 1;
+ uint32 rastersize, wrk_linesize;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -263,7 +277,13 @@
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ rastersize = width * rowsperstrip * sizeof (uint32);
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -273,7 +293,13 @@
* Allocate a scanline buffer for swapping during the vertical
* mirroring pass.
*/
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ wrk_linesize = width * sizeof (uint32);
+ if (width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
if (!wrk_line) {
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
ok = 0;

17
tiff-4.0.6-CVE-2016-3990.patch
View File

@ -1,17 +0,0 @@
--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-09-01 16:12:07.226933631 +0200
@@ -1131,6 +1131,13 @@
}
llen = sp->stride * td->td_imagewidth;
+ /* Check against the number of elements (of size uint16) of sp->tbuf */
+ if( n > (tmsize_t)(td->td_rowsperstrip * llen) )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Too many input bytes provided");
+ return 0;
+ }
for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
switch (sp->user_datafmt) {
Only in tiff-4.0.6/libtiff: tif_pixarlog.c.orig

111
tiff-4.0.6-CVE-2016-3991.patch
View File

@ -1,111 +0,0 @@
--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200
+++ tiff-4.0.6/tools/tiffcrop.c 2016-09-01 16:21:40.874478425 +0200
@@ -798,6 +798,11 @@
}
tile_buffsize = tilesize;
+ if (tilesize == 0 || tile_rowsize == 0)
+ {
+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
+ exit(-1);
+ }
if (tilesize < (tsize_t)(tl * tile_rowsize))
{
@@ -807,6 +812,11 @@
tilesize, tl * tile_rowsize);
#endif
tile_buffsize = tl * tile_rowsize;
+ if (tl != (tile_buffsize / tile_rowsize))
+ {
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(-1);
+ }
}
tilebuf = _TIFFmalloc(tile_buffsize);
@@ -1210,6 +1220,12 @@
!TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
return 1;
+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
+ {
+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
+ exit(-1);
+ }
+
tile_buffsize = tilesize;
if (tilesize < (tsize_t)(tl * tile_rowsize))
{
@@ -1219,6 +1235,11 @@
tilesize, tl * tile_rowsize);
#endif
tile_buffsize = tl * tile_rowsize;
+ if (tl != tile_buffsize / tile_rowsize)
+ {
+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
+ exit(-1);
+ }
}
tilebuf = _TIFFmalloc(tile_buffsize);
@@ -5945,12 +5966,27 @@
TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
tile_rowsize = TIFFTileRowSize(in);
+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
+ {
+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
+ exit(-1);
+ }
buffsize = tlsize * ntiles;
-
+ if (tlsize != (buffsize / ntiles))
+ {
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
+ exit(-1);
+ }
if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
{
buffsize = ntiles * tl * tile_rowsize;
+ if (ntiles != (buffsize / tl / tile_rowsize))
+ {
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
+ exit(-1);
+ }
+
#ifdef DEBUG2
TIFFError("loadImage",
"Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
@@ -5965,12 +6001,29 @@
}
else
{
+ uint32 buffsize_check;
readunit = STRIP;
TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
stsize = TIFFStripSize(in);
nstrips = TIFFNumberOfStrips(in);
- buffsize = stsize * nstrips;
+ if (nstrips == 0 || stsize == 0)
+ {
+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
+ exit(-1);
+ }
+ buffsize = stsize * nstrips;
+ if (stsize != (buffsize / nstrips))
+ {
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
+ exit(-1);
+ }
+ buffsize_check = ((length * width * spp * bps) + 7);
+ if (length != ((buffsize_check - 7) / width / spp / bps))
+ {
+ TIFFError("loadImage", "Integer overflow detected.");
+ exit(-1);
+ }
if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
{
buffsize = ((length * width * spp * bps) + 7) / 8;

31
tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
View File

@ -1,31 +0,0 @@
--- tiff-4.0.6/libtiff/tif_getimage.c 2015-08-29 00:16:22.517401728 +0200
+++ tiff-4.0.6/libtiff/tif_getimage.c 2016-10-06 09:42:41.204607032 +0200
@@ -95,6 +95,10 @@
td->td_bitspersample);
return (0);
}
+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
+ return (0);
+ }
colorchannels = td->td_samplesperpixel - td->td_extrasamples;
if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
switch (colorchannels) {
--- tiff-4.0.6/libtiff/tif_predict.c 2015-09-01 04:39:39.547152871 +0200
+++ tiff-4.0.6/libtiff/tif_predict.c 2016-10-06 09:42:41.204607032 +0200
@@ -80,6 +80,15 @@
td->td_sampleformat);
return 0;
}
+ if (td->td_bitspersample != 16
+ && td->td_bitspersample != 24
+ && td->td_bitspersample != 32
+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Floating point \"Predictor\" not supported with %d-bit samples",
+ td->td_bitspersample);
+ return 0;
+ }
break;
default:
TIFFErrorExt(tif->tif_clientdata, module,

17
tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
View File

@ -1,17 +0,0 @@
--- tiff-4.0.6/libtiff/tif_luv.c 2015-08-29 00:16:22.554966897 +0200
+++ tiff-4.0.6/libtiff/tif_luv.c 2016-07-12 10:15:05.008194511 +0200
@@ -1243,6 +1243,14 @@
assert(sp != NULL);
assert(td->td_photometric == PHOTOMETRIC_LOGL);
+ if( td->td_samplesperpixel != 1 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Sorry, can not handle LogL image with %s=%d",
+ "Samples/pixel", td->td_samplesperpixel);
+ return 0;
+ }
+
/* for some reason, we can't do this in TIFFInitLogL16 */
if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
sp->user_datafmt = LogL16GuessDataFmt(td);

31
tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
View File

@ -1,31 +0,0 @@
--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-07-12 10:11:52.444459447 +0200
@@ -457,6 +457,7 @@
typedef struct {
TIFFPredictorState predict;
z_stream stream;
+ tmsize_t tbuf_size; /* only set/used on reading for now */
uint16 *tbuf;
uint16 stride;
int state;
@@ -692,6 +693,7 @@
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
+ sp->tbuf_size = tbuf_size;
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
sp->user_datafmt = PixarLogGuessDataFmt(td);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -781,6 +783,12 @@
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
return (0);
}
+ /* Check that we will not fill more than what was allocated */
+ if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ return (0);
+ }
do {
int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
if (state == Z_STREAM_END) {

124
tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
View File

@ -1,124 +0,0 @@
--- tiff-4.0.6/libtiff/tif_read.c 2015-08-29 00:16:22.656727936 +0200
+++ tiff-4.0.6/libtiff/tif_read.c 2016-07-12 10:16:48.693897925 +0200
@@ -38,6 +38,8 @@
static int TIFFCheckRead(TIFF*, int);
static tmsize_t
TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module);
+static tmsize_t
+TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module);
#define NOSTRIP ((uint32)(-1)) /* undefined state */
#define NOTILE ((uint32)(-1)) /* undefined state */
@@ -350,6 +352,24 @@
stripsize=TIFFVStripSize(tif,rows);
if (stripsize==0)
return((tmsize_t)(-1));
+
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE &&
+ size!=(tmsize_t)(-1) && size >= stripsize &&
+ !isMapped(tif) &&
+ ((tif->tif_flags&TIFF_NOREADRAW)==0) )
+ {
+ if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
+ return ((tmsize_t)(-1));
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits(buf,stripsize);
+
+ (*tif->tif_postdecode)(tif,buf,stripsize);
+ return (stripsize);
+ }
+
if ((size!=(tmsize_t)(-1))&&(size<stripsize))
stripsize=size;
if (!TIFFFillStrip(tif,strip))
@@ -661,6 +681,24 @@
(unsigned long) tile, (unsigned long) td->td_nstrips);
return ((tmsize_t)(-1));
}
+
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE &&
+ size!=(tmsize_t)(-1) && size >= tilesize &&
+ !isMapped(tif) &&
+ ((tif->tif_flags&TIFF_NOREADRAW)==0) )
+ {
+ if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize)
+ return ((tmsize_t)(-1));
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits(buf,tilesize);
+
+ (*tif->tif_postdecode)(tif,buf,tilesize);
+ return (tilesize);
+ }
+
if (size == (tmsize_t)(-1))
size = tilesize;
else if (size > tilesize)
--- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200
+++ tiff-4.0.6/libtiff/tif_write.c 2016-07-12 10:16:48.693897925 +0200
@@ -258,6 +258,23 @@
tif->tif_rawcp = tif->tif_rawdata;
tif->tif_flags &= ~TIFF_POSTENCODE;
+
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE )
+ {
+ /* swab if needed - note that source buffer will be altered */
+ tif->tif_postdecode( tif, (uint8*) data, cc );
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits((uint8*) data, cc);
+
+ if (cc > 0 &&
+ !TIFFAppendToStrip(tif, strip, (uint8*) data, cc))
+ return ((tmsize_t) -1);
+ return (cc);
+ }
+
sample = (uint16)(strip / td->td_stripsperimage);
if (!(*tif->tif_preencode)(tif, sample))
return ((tmsize_t) -1);
@@ -431,9 +448,7 @@
tif->tif_flags |= TIFF_CODERSETUP;
}
tif->tif_flags &= ~TIFF_POSTENCODE;
- sample = (uint16)(tile/td->td_stripsperimage);
- if (!(*tif->tif_preencode)(tif, sample))
- return ((tmsize_t)(-1));
+
/*
* Clamp write amount to the tile size. This is mostly
* done so that callers can pass in some large number
@@ -442,6 +457,25 @@
if ( cc < 1 || cc > tif->tif_tilesize)
cc = tif->tif_tilesize;
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE )
+ {
+ /* swab if needed - note that source buffer will be altered */
+ tif->tif_postdecode( tif, (uint8*) data, cc );
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits((uint8*) data, cc);
+
+ if (cc > 0 &&
+ !TIFFAppendToStrip(tif, tile, (uint8*) data, cc))
+ return ((tmsize_t) -1);
+ return (cc);
+ }
+
+ sample = (uint16)(tile/td->td_stripsperimage);
+ if (!(*tif->tif_preencode)(tif, sample))
+ return ((tmsize_t)(-1));
/* swab if needed - note that source buffer will be altered */
tif->tif_postdecode( tif, (uint8*) data, cc );

217
tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
View File

@ -1,217 +0,0 @@
--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-10-06 09:33:52.616248149 +0200
@@ -973,17 +973,14 @@
a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
}
} else {
- ip += n - 1; /* point to last one */
- wp += n - 1; /* point to last one */
+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
}
}
}
@@ -1026,17 +1023,14 @@
a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
}
} else {
- ip += n - 1; /* point to last one */
- wp += n - 1; /* point to last one */
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
}
}
}
@@ -1079,17 +1073,14 @@
ip += 4;
}
} else {
- wp += n + stride - 1; /* point to last one */
- ip += n + stride - 1; /* point to last one */
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
}
}
}
--- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200
+++ tiff-4.0.6/libtiff/tif_write.c 2016-10-06 09:33:52.616248149 +0200
@@ -764,7 +764,14 @@
if (!TIFFAppendToStrip(tif,
isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
tif->tif_rawdata, tif->tif_rawcc))
+ {
+ /* We update those variables even in case of error since there's */
+ /* code that doesn't really check the return code of this */
+ /* function */
+ tif->tif_rawcc = 0;
+ tif->tif_rawcp = tif->tif_rawdata;
return (0);
+ }
tif->tif_rawcc = 0;
tif->tif_rawcp = tif->tif_rawdata;
}
--- tiff-4.0.6/tools/tiff2pdf.c 2015-09-06 20:24:27.000000000 +0200
+++ tiff-4.0.6/tools/tiff2pdf.c 2016-10-06 09:33:52.616248149 +0200
@@ -286,7 +286,7 @@
int t2p_process_ojpeg_tables(T2P*, TIFF*);
#endif
#ifdef JPEG_SUPPORT
-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
#endif
void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
void t2p_write_advance_directory(T2P*, TIFF*);
@@ -2409,6 +2409,7 @@
stripbuffer,
&striplength,
buffer,
+ t2p->tiff_datasize,
&bufferoffset,
i,
t2p->tiff_length)){
@@ -3439,6 +3440,7 @@
unsigned char* strip,
tsize_t* striplength,
unsigned char* buffer,
+ tsize_t buffersize,
tsize_t* bufferoffset,
tstrip_t no,
uint32 height){
@@ -3473,6 +3475,8 @@
}
switch( strip[i] ){
case 0xd8: /* SOI - start of image */
+ if( *bufferoffset + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
*bufferoffset+=2;
break;
@@ -3482,12 +3486,18 @@
case 0xc9: /* SOF9 */
case 0xca: /* SOF10 */
if(no==0){
+ if( *bufferoffset + datalen + 2 + 6 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ if( *bufferoffset + 9 >= buffersize )
+ return(0);
ncomp = buffer[*bufferoffset+9];
if (ncomp < 1 || ncomp > 4)
return(0);
v_samp=1;
h_samp=1;
+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
+ return(0);
for(j=0;j<ncomp;j++){
uint16 samp = buffer[*bufferoffset+11+(3*j)];
if( (samp>>4) > h_samp)
@@ -3519,20 +3529,28 @@
break;
case 0xc4: /* DHT */
case 0xdb: /* DQT */
+ if( *bufferoffset + datalen + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
*bufferoffset+=datalen+2;
break;
case 0xda: /* SOS */
if(no==0){
+ if( *bufferoffset + datalen + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
*bufferoffset+=datalen+2;
} else {
+ if( *bufferoffset + 2 > buffersize )
+ return(0);
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=
(unsigned char)(0xd0 | ((no-1)%8));
}
i += datalen + 1;
/* copy remainder of strip */
+ if( *bufferoffset + *striplength - i > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
*bufferoffset+= *striplength - i;
return(1);
--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200
+++ tiff-4.0.6/tools/tiffcrop.c 2016-10-06 09:33:52.616248149 +0200
@@ -5737,7 +5737,8 @@
{
uint32 i;
float xres = 0.0, yres = 0.0;
- uint16 nstrips = 0, ntiles = 0, planar = 0;
+ uint32 nstrips = 0, ntiles = 0;
+ uint16 planar = 0;
uint16 bps = 0, spp = 0, res_unit = 0;
uint16 orientation = 0;
uint16 input_compression = 0, input_photometric = 0;
@@ -6013,11 +6014,23 @@
/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
/* outside buffer */
if (!read_buff)
+ {
+ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+ }
else
{
if (prev_readsize < buffsize)
{
+ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
new_buff = _TIFFrealloc(read_buff, buffsize+3);
if (!new_buff)
{
@@ -8859,6 +8872,11 @@
}
bytes_per_pixel = ((bps * spp) + 7) / 8;
+ if( bytes_per_pixel > sizeof(swapbuff) )
+ {
+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
+ return (1);
+ }
switch (bps / 8)
{
case 8: /* Use memcpy for multiple bytes per sample data */

3
tiff-4.0.6.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c
size 2192991

2
tiff-4.0.6-CVE-2015-7554.patch → tiff-4.0.7-CVE-2015-7554.patch
View File

@ -13,6 +13,6 @@
{ TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL },
{ TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", &tiffFieldArray },
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },

3
tiff-4.0.7.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019
size 2076392

247
tiff.changes
View File

@ -1,3 +1,248 @@
-------------------------------------------------------------------
Tue Nov 29 08:45:11 UTC 2016 - fstrba@suse.com
- Upgrade to upstream release 4.0.7
* libtiff/tif_aux.c
+ Fix crash in TIFFVGetFieldDefaulted() when requesting
Predictor tag and that the zip/lzw codec is not configured.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591
* libtiff/tif_compress.c
+ Make TIFFNoDecode() return 0 to indicate an error and make
upper level read routines treat it accordingly. (linked to the
test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
* libtiff/tif_dir.c
+ Discard values of SMinSampleValue and SMaxSampleValue when
they have been read and the value of SamplesPerPixel is
changed afterwards (like when reading a OJPEG compressed image
with a missing SamplesPerPixel tag, and whose photometric is
RGB or YCbCr, forcing SamplesPerPixel being 3). Otherwise when
rewriting the directory (for example with tiffset, we will
expect 3 values whereas the array had been allocated with just
one), thus causing a out of bound read access. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, bsc#974840)
* libtiff/tif_dirread.c
+ In TIFFFetchNormalTag(), do not dereference NULL pointer when
values of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII
access are 0-byte arrays. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression
introduced by previous fix done on 2016-11-11 for
CVE-2016-9297, bsc#1010161). Assigned as CVE-2016-9448,
bsc#1011103
+ In TIFFFetchNormalTag(), make sure that values of tags with
TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are null
terminated, to avoid potential read outside buffer in
_TIFFPrintField(). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2590
(CVE-2016-9297, bsc#1010161)
+ Initialize doubledata at line 3693 to NULL to please MSVC 2013
+ Prevent reading ColorMap or TransferFunction if
BitsPerPixel > 24, so as to avoid huge memory allocation and
file read attempts
+ Reject images with OJPEG compression that have no
TileOffsets/StripOffsets tag, when OJPEG compression is
disabled. Prevent null pointer dereference in
TIFFReadRawStrip1() and other functions that expect
td_stripbytecount to be non NULL. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2585
+ When compiled with DEFER_STRILE_LOAD, fix regression, when
reading a one-strip file without a StripByteCounts tag.
+ Workaround false positive warning of Clang Static Analyzer
about null pointer dereference in TIFFCheckDirOffset().
* libtiff/tif_dirwrite.c
+ Avoid null pointer dereference on td_stripoffset when writing
directory, if FIELD_STRIPOFFSETS was artificially set for a
hack case in OJPEG case. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658,
bsc#974840)
+ Fix truncation to 32 bit of file offsets in TIFFLinkDirectory()
and TIFFWriteDirectorySec() when aligning directory offsets on
an even offset (affects BigTIFF).
* libtiff/tif_dumpmode.c
+ DumpModeEncode() should return 0 in case of failure so that
the above mentionned functions detect the error.
* libtiff/tif_fax3.c
+ remove dead assignment in Fax3PutEOLgdal().
* libtiff/tif_fax3.h
+ make Param member of TIFFFaxTabEnt structure a uint16 to
reduce size of the binary.
* libtiff/tif_getimage.c
+ Fix out-of-bound reads in TIFFRGBAImage interface in case of
unsupported values of SamplesPerPixel/ExtraSamples for
LogLUV/CIELab. Add explicit call to TIFFRGBAImageOK() in
TIFFRGBAImageBegin(). Fix CVE-2015-8665 and CVE-2015-8683.
+ Fix some benign warnings which appear in 64-bit compilation
under Microsoft Visual Studio of the form "Arithmetic
overflow: 32-bit value is shifted, then cast to 64-bit value.
Results might not be an expected value."
+ TIFFRGBAImageOK: Reject attempts to read floating point images.
* libtiff/tif_luv.c
+ Fix potential out-of-bound writes in decode functions in non
debug builds by replacing assert()s by regular if checks
(http://bugzilla.maptools.org/show_bug.cgi?id=2522). Fix
potential out-of-bound reads in case of short input data.
+ Validate that for COMPRESSION_SGILOG and PHOTOMETRIC_LOGL,
there is only one sample per pixel. Avoid potential invalid
memory write on corrupted/unexpected images when using the
TIFFRGBAImageBegin() interface
* libtiff/tif_next.c
+ Fix potential out-of-bound write in NeXTDecode()
(http://bugzilla.maptools.org/show_bug.cgi?id=2508)
* libtiff/tif_pixarlog.c
+ Avoid zlib error messages to pass a NULL string to %s
formatter, which is undefined behaviour in sprintf().
+ Fix out-of-bounds write vulnerabilities in heap allocated
buffers. Reported as MSVR 35094.
+ Fix potential buffer write overrun in PixarLogDecode() on
corrupted/unexpected images (CVE-2016-5875, bsc#987351)
+ Fix write buffer overflow in PixarLogEncode if more input
samples are provided than expected by PixarLogSetupEncode.
Idea based on libtiff-CVE-2016-3990.patch from
libtiff-4.0.3-25.el7_2.src.rpm, but with different and simpler
check. (http://bugzilla.maptools.org/show_bug.cgi?id=2544,
bsc#975069)
* libtiff/tif_predict.c
+ PredictorSetup: Enforce bits-per-sample requirements of
floating point predictor (3). Fixes CVE-2016-3622 "Divide By
Zero in the tiff2rgba tool." (bsc#974449)
* libtiff/tif_predict.h, libtiff/tif_predict.c
+ Replace assertions by runtime checks to avoid assertions in
debug mode, or buffer overflows in release mode. Can happen
when dealing with unusual tile size like YCbCr with
subsampling. Reported as MSVR 35105.
* libtiff/tif_read.c
+ Fix out-of-bounds read on memory-mapped files in
TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset
is beyond tmsize_t max value
+ Make TIFFReadEncodedStrip() and TIFFReadEncodedTile() directly
use user provided buffer when no compression (and other
conditions) to save a memcpy().
* libtiff/tif_strip.c
+ Make TIFFNumberOfStrips() return the td->td_nstrips value when
it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read
outsize of array in tiffsplit (or other utilities using
TIFFNumberOfStrips()). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2587
(CVE-2016-9273, bsc#1010163)
* libtiff/tif_write.c
+ Fix issue in error code path of TIFFFlushData1() that didn't
reset the tif_rawcc and tif_rawcp members. I'm not completely
sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points
that a better fix could be to check the return value of
TIFFFlushData1() in places where it isn't done currently, but
it seems this patch is enough. Reported as MSVR 35095.
+ Make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile()
directly use user provided buffer when no compression to save
a memcpy().
+ TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() should
return -1 in case of failure of tif_encodestrip() as documented
* tools/fax2tiff.c
+ Fix segfault when specifying -r without argument. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2572
* tools/Makefile.am
+ The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff,
sgisv, and ycbcr are completely removed from the distribution.
The libtiff tools rgb2ycbcr and thumbnail are only built in
the build tree for testing. Old files are put in new 'archive'
subdirectory of the source repository, but not in
distribution archives. These changes are made in order to
lessen the maintenance burden.
* tools/rgb2ycbcr.c
+ Validate values of -v and -h parameters to avoid potential
divide by zero. Fixes CVE-2016-3623, bsc#974618
(http://bugzilla.maptools.org/show_bug.cgi?id=2569)
* tools/tiff2bw.c
+ Fix weight computation that could result of color value
overflow (no security implication). Fix
http://bugzilla.maptools.org/show_bug.cgi?id=2550.
* tools/tiff2pdf.c
+ Avoid undefined behaviour related to overlapping of source and
destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb() Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2577
+ Fix out-of-bounds write vulnerabilities in heap allocate buffer
in t2p_process_jpeg_strip(). Reported as MSVR 35098.
+ Fix potential integer overflows on 32 bit builds in
t2p_read_tiff_size() Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2576
+ Fix read -largely- outsize of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101. CVE-2016-9453, bsc#1011107
+ Fix write buffer overflow of 2 bytes on JPEG compressed images.
Reported as TALOS-CAN-0187, CVE-2016-5652, bsc#1007280. Also
prevents writing 2 extra uninitialized bytes to the file
stream.
* tools/tiff2rgba.c
+ Fix integer overflow in size of allocated buffer, when -b mode
is enabled, that could result in out-of-bounds write. Based
initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm, with correction for invalid
tests that rejected valid files.
(http://bugzilla.maptools.org/show_bug.cgi?id=2545, bsc#974614)
* tools/tiffcp.c
+ Fix out-of-bounds write on tiled images with odd tile width vs
image width. Reported as MSVR 35103.
+ Fix read of undefined variable in case of missing required
tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c
+ Avoid access outside of stack allocated array on a tiled
separate TIFF with more than 8 samples per pixel.
(CVE-2016-5321, CVE-2016-5323,
http://bugzilla.maptools.org/show_bug.cgi?id=2558,
http://bugzilla.maptools.org/show_bug.cgi?id=2559, bsc#984813,
bsc#984815)
+ Fix memory leak in (recent) error code path. Fixes Coverity
1394415.
+ Fix multiple uint32 overflows in writeBufferToSeparateStrips(),
writeBufferToContigTiles() and writeBufferToSeparateTiles()
that could cause heap buffer overflows. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2592
+ Fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092.
+ Fix out-of-bounds write in loadImage(). From patch
libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm
(http://bugzilla.maptools.org/show_bug.cgi?id=2543, bsc#975070)
+ Fix read of undefined buffer in readContigStripsIntoBuffer()
due to uint16 overflow. Reported as MSVR 35100.
+ Fix various out-of-bounds write vulnerabilities in heap or
stack allocated buffers. Reported as MSVR 35093, MSVR 35096
and MSVR 35097.
+ readContigTilesIntoBuffer: Fix signed/unsigned comparison
warning.
* tools/tiffdump.c
+ Fix a few misaligned 64-bit reads warned by -fsanitize
+ ReadDirectory: Remove uint32 cast to_TIFFmalloc() argument
which resulted in Coverity report. Added more mutiplication
overflow checks
* tools/tiffinfo.c
+ Fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)
+ TIFFReadContigTileData: Fix signed/unsigned comparison warning.
+ TIFFReadSeparateTileData: Fix signed/unsigned comparison
warning.
- Removed patches:
* tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
* tiff-4.0.6-CVE-2015-8782.patch
* tiff-4.0.6-CVE-2016-3186.patch
* tiff-4.0.6-CVE-2016-3623.patch
* tiff-4.0.6-CVE-2016-3945.patch
* tiff-4.0.6-CVE-2016-3990.patch
* tiff-4.0.6-CVE-2016-3991.patch
* tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
* tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
* tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
* tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
* tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
- Fixed in the upsteam release
- Changed patch:
* tiff-4.0.6-CVE-2015-7554.patch -> tiff-4.0.7-CVE-2015-7554.patch
- Rediffed to the changed context
-------------------------------------------------------------------
Thu Oct 6 07:47:19 UTC 2016 - fstrba@suse.com
@ -19,7 +264,7 @@ Thu Sep 1 14:35:57 UTC 2016 - fstrba@suse.com
* tiff-4.0.6-CVE-2016-3991.patch
- Upstream commits to fix CVE-2016-3623 [bsc#974618],
CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069],
CVE-2016-3991 [bsc#975070]
CVE-2016-3991 [bsc#975070]
-------------------------------------------------------------------
Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com

39
tiff.spec
View File

@ -17,7 +17,7 @@
Name: tiff
Version: 4.0.6
Version: 4.0.7
Release: 0
Summary: Tools for Converting from and to the Tiff Format
License: HPND
@ -30,25 +30,7 @@ Patch0: tiff-4.0.3-seek.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2442
Patch1: tiff-4.0.3-compress-warning.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2508
Patch2: tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2499
Patch3: tiff-4.0.6-CVE-2015-7554.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2522
Patch4: tiff-4.0.6-CVE-2015-8782.patch
#
Patch5: tiff-4.0.6-CVE-2016-3186.patch
#
Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
#
Patch9: tiff-4.0.6-CVE-2016-3623.patch
Patch10: tiff-4.0.6-CVE-2016-3945.patch
Patch11: tiff-4.0.6-CVE-2016-3990.patch
Patch12: tiff-4.0.6-CVE-2016-3991.patch
#
Patch13: tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
Patch14: tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
Patch3: tiff-4.0.7-CVE-2015-7554.patch
BuildRequires: gcc-c++
BuildRequires: libjpeg-devel
@ -112,19 +94,7 @@ the libtiff library.
%setup -q
%patch0 -p1
%patch1 -p1
%patch2
%patch3
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%build
CFLAGS="%{optflags} -fPIE"
@ -147,8 +117,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
find html -name "Makefile*" | xargs rm
%check
cd test
make %{?_smp_mflags} check
for i in tools tests; do
cd $i && make %{?_smp_mflags} check
done
%post -n libtiff5 -p /sbin/ldconfig