From 573d56a5283e0873a70f7cd7c000f7508126b8810658741f7b0a3519a932aeeb Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 23 Nov 2016 09:20:56 +0000 Subject: [PATCH 1/2] OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=88 --- tiff-4.0.4-uninitialized_mem_NeXTDecode.patch | 36 --- tiff-4.0.6-CVE-2015-7554.patch | 2 +- tiff-4.0.6-CVE-2015-8782.patch | 157 ------------- tiff-4.0.6-CVE-2016-3186.patch | 11 - tiff-4.0.6-CVE-2016-3623.patch | 16 -- tiff-4.0.6-CVE-2016-3945.patch | 78 ------- tiff-4.0.6-CVE-2016-3990.patch | 17 -- tiff-4.0.6-CVE-2016-3991.patch | 111 --------- ...mage.c-TIFFRGBAImageOK-Reject-attemp.patch | 31 --- ...c-validate-that-for-COMPRESSION_SGIL.patch | 17 -- ...rlog.c-fix-potential-buffer-write-ov.patch | 31 --- ...read.c-make-TIFFReadEncodedStrip-and.patch | 124 ---------- ...-fix-various-out-of-bounds-write-vul.patch | 217 ------------------ tiff-4.0.6.tar.gz | 3 - tiff-4.0.7.tar.gz | 3 + tiff.spec | 37 +-- 16 files changed, 8 insertions(+), 883 deletions(-) delete mode 100644 tiff-4.0.4-uninitialized_mem_NeXTDecode.patch delete mode 100644 tiff-4.0.6-CVE-2015-8782.patch delete mode 100644 tiff-4.0.6-CVE-2016-3186.patch delete mode 100644 tiff-4.0.6-CVE-2016-3623.patch delete mode 100644 tiff-4.0.6-CVE-2016-3945.patch delete mode 100644 tiff-4.0.6-CVE-2016-3990.patch delete mode 100644 tiff-4.0.6-CVE-2016-3991.patch delete mode 100644 tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch delete mode 100644 tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch delete mode 100644 tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch delete mode 100644 tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch delete mode 100644 tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch delete mode 100644 tiff-4.0.6.tar.gz create mode 100644 tiff-4.0.7.tar.gz 
diff --git a/tiff-4.0.4-uninitialized_mem_NeXTDecode.patch b/tiff-4.0.4-uninitialized_mem_NeXTDecode.patch deleted file mode 100644 index 1c4b9ef..0000000 --- a/tiff-4.0.4-uninitialized_mem_NeXTDecode.patch +++ /dev/null @@ -1,36 +0,0 @@ ---- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 -+++ libtiff/tif_next.c 27 Dec 2015 16:55:20 -0000 1.17 -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -106,6 +106,7 @@ - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -+ tmsize_t op_offset = 0; - - /* - * The scanline is composed of a sequence of constant -@@ -122,10 +123,15 @@ - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; diff --git a/tiff-4.0.6-CVE-2015-7554.patch b/tiff-4.0.6-CVE-2015-7554.patch index 8b750ef..585d0ef 100644 --- a/tiff-4.0.6-CVE-2015-7554.patch +++ b/tiff-4.0.6-CVE-2015-7554.patch 
@@ -13,6 +13,6 @@ { TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL }, { TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, - { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", &tiffFieldArray }, + { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, diff --git a/tiff-4.0.6-CVE-2015-8782.patch b/tiff-4.0.6-CVE-2015-8782.patch deleted file mode 100644 index 331d583..0000000 --- a/tiff-4.0.6-CVE-2015-8782.patch +++ /dev/null 
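Review bot: The rebased SubIFD row now casts with `(TIFFFieldArray*) &tiffFieldArray`, which silences a qualifier mismatch instead of resolving it; the cast is presumably needed because the array is declared `const` in 4.0.7, in which case any write through the resulting `field_subfields` pointer would be undefined behaviour. Confirm the array is only ever read through that member, and if the libtiff 4.0.7 definition of this row already carries the same cast, a comment such as `/* cast matches upstream tif_dirinfo.c; tiffFieldArray is read-only here */` would record why the qualifier is dropped. The surrounding field table continues outside the hunk.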
@@ -1,157 +0,0 @@ ---- a/libtiff/tif_luv.c -+++ b/libtiff/tif_luv.c -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if 
(sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char 
module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/tiff-4.0.6-CVE-2016-3186.patch b/tiff-4.0.6-CVE-2016-3186.patch deleted file mode 100644 index 57af601..0000000 --- a/tiff-4.0.6-CVE-2016-3186.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200 -+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200 -@@ -349,7 +349,7 @@ - int status = 1; - - (void) getc(infile); -- while ((count = getc(infile)) && count <= 255) -+ while ((count = getc(infile)) && count > 0 && count <= 255) - if (fread(buf, 1, count, infile) != (size_t) count) { - fprintf(stderr, "short read from file %s (%s)\n", - filename, strerror(errno)); diff --git a/tiff-4.0.6-CVE-2016-3623.patch b/tiff-4.0.6-CVE-2016-3623.patch deleted file mode 100644 index c6c0864..0000000 --- a/tiff-4.0.6-CVE-2016-3623.patch +++ /dev/null 
@@ -1,16 +0,0 @@ ---- tiff-4.0.6/tools/rgb2ycbcr.c 2015-08-29 00:17:08.195093258 +0200 -+++ tiff-4.0.6/tools/rgb2ycbcr.c 2016-09-01 16:23:31.472089246 +0200 -@@ -95,9 +95,13 @@ - break; - case 'h': - horizSubSampling = atoi(optarg); -+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 ) -+ usage(-1); - break; - case 'v': - vertSubSampling = atoi(optarg); -+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 ) -+ usage(-1); - break; - case 'r': - rowsperstrip = atoi(optarg); diff --git a/tiff-4.0.6-CVE-2016-3945.patch b/tiff-4.0.6-CVE-2016-3945.patch deleted file mode 100644 index 9af3bca..0000000 --- a/tiff-4.0.6-CVE-2016-3945.patch +++ /dev/null 
@@ -1,78 +0,0 @@ ---- tiff-4.0.6/tools/tiff2rgba.c 2015-08-29 00:17:08.259977702 +0200 -+++ tiff-4.0.6/tools/tiff2rgba.c 2016-09-01 16:05:40.451318911 +0200 -@@ -147,6 +147,7 @@ - uint32 row, col; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -163,7 +164,13 @@ - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ rastersize = tile_width * tile_height * sizeof (uint32); -+ if (tile_width != (rastersize / tile_height) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -173,7 +180,13 @@ - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); -+ wrk_linesize = tile_width * sizeof (uint32); -+ if (tile_width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; -@@ -249,6 +262,7 @@ - uint32 row; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -263,7 +277,13 @@ - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ rastersize = width * rowsperstrip * sizeof (uint32); -+ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = 
(uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -273,7 +293,13 @@ - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); -+ wrk_linesize = width * sizeof (uint32); -+ if (width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; diff --git a/tiff-4.0.6-CVE-2016-3990.patch b/tiff-4.0.6-CVE-2016-3990.patch deleted file mode 100644 index 54fe105..0000000 --- a/tiff-4.0.6-CVE-2016-3990.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 -+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-09-01 16:12:07.226933631 +0200 -@@ -1131,6 +1131,13 @@ - } - - llen = sp->stride * td->td_imagewidth; -+ /* Check against the number of elements (of size uint16) of sp->tbuf */ -+ if( n > (tmsize_t)(td->td_rowsperstrip * llen) ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Too many input bytes provided"); -+ return 0; -+ } - - for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { - switch (sp->user_datafmt) { -Only in tiff-4.0.6/libtiff: tif_pixarlog.c.orig diff --git a/tiff-4.0.6-CVE-2016-3991.patch b/tiff-4.0.6-CVE-2016-3991.patch deleted file mode 100644 index c5863a1..0000000 --- a/tiff-4.0.6-CVE-2016-3991.patch +++ /dev/null 
@@ -1,111 +0,0 @@ ---- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200 -+++ tiff-4.0.6/tools/tiffcrop.c 2016-09-01 16:21:40.874478425 +0200 -@@ -798,6 +798,11 @@ - } - - tile_buffsize = tilesize; -+ if (tilesize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); -+ exit(-1); -+ } - - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -807,6 +812,11 @@ - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -+ if (tl != (tile_buffsize / tile_rowsize)) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); -+ exit(-1); -+ } - } - - tilebuf = _TIFFmalloc(tile_buffsize); -@@ -1210,6 +1220,12 @@ - !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) - return 1; - -+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) -+ { -+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); -+ exit(-1); -+ } -+ - tile_buffsize = tilesize; - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -1219,6 +1235,11 @@ - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -+ if (tl != tile_buffsize / tile_rowsize) -+ { -+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - } - - tilebuf = _TIFFmalloc(tile_buffsize); -@@ -5945,12 +5966,27 @@ - TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); - - tile_rowsize = TIFFTileRowSize(in); -+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); -+ exit(-1); -+ } - buffsize = tlsize * ntiles; -- -+ if (tlsize != (buffsize / ntiles)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - - if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) - { - buffsize = ntiles * tl * tile_rowsize; -+ if (ntiles != (buffsize / tl 
/ tile_rowsize)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ - #ifdef DEBUG2 - TIFFError("loadImage", - "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", -@@ -5965,12 +6001,29 @@ - } - else - { -+ uint32 buffsize_check; - readunit = STRIP; - TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - stsize = TIFFStripSize(in); - nstrips = TIFFNumberOfStrips(in); -- buffsize = stsize * nstrips; -+ if (nstrips == 0 || stsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); -+ exit(-1); -+ } - -+ buffsize = stsize * nstrips; -+ if (stsize != (buffsize / nstrips)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ buffsize_check = ((length * width * spp * bps) + 7); -+ if (length != ((buffsize_check - 7) / width / spp / bps)) -+ { -+ TIFFError("loadImage", "Integer overflow detected."); -+ exit(-1); -+ } - if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) - { - buffsize = ((length * width * spp * bps) + 7) / 8; diff --git a/tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch b/tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch deleted file mode 100644 index eac877c..0000000 --- a/tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch +++ /dev/null 
@@ -1,31 +0,0 @@ ---- tiff-4.0.6/libtiff/tif_getimage.c 2015-08-29 00:16:22.517401728 +0200 -+++ tiff-4.0.6/libtiff/tif_getimage.c 2016-10-06 09:42:41.204607032 +0200 -@@ -95,6 +95,10 @@ - td->td_bitspersample); - return (0); - } -+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) { -+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples"); -+ return (0); -+ } - colorchannels = td->td_samplesperpixel - td->td_extrasamples; - if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) { - switch (colorchannels) { ---- tiff-4.0.6/libtiff/tif_predict.c 2015-09-01 04:39:39.547152871 +0200 -+++ tiff-4.0.6/libtiff/tif_predict.c 2016-10-06 09:42:41.204607032 +0200 -@@ -80,6 +80,15 @@ - td->td_sampleformat); - return 0; - } -+ if (td->td_bitspersample != 16 -+ && td->td_bitspersample != 24 -+ && td->td_bitspersample != 32 -+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Floating point \"Predictor\" not supported with %d-bit samples", -+ td->td_bitspersample); -+ return 0; -+ } - break; - default: - TIFFErrorExt(tif->tif_clientdata, module, diff --git a/tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch b/tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch deleted file mode 100644 index 54a536e..0000000 --- a/tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch +++ /dev/null 
@@ -1,17 +0,0 @@ ---- tiff-4.0.6/libtiff/tif_luv.c 2015-08-29 00:16:22.554966897 +0200 -+++ tiff-4.0.6/libtiff/tif_luv.c 2016-07-12 10:15:05.008194511 +0200 -@@ -1243,6 +1243,14 @@ - assert(sp != NULL); - assert(td->td_photometric == PHOTOMETRIC_LOGL); - -+ if( td->td_samplesperpixel != 1 ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Sorry, can not handle LogL image with %s=%d", -+ "Samples/pixel", td->td_samplesperpixel); -+ return 0; -+ } -+ - /* for some reason, we can't do this in TIFFInitLogL16 */ - if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN) - sp->user_datafmt = LogL16GuessDataFmt(td); diff --git a/tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch b/tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch deleted file mode 100644 index 535e466..0000000 --- a/tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch +++ /dev/null 
@@ -1,31 +0,0 @@ ---- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 -+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-07-12 10:11:52.444459447 +0200 -@@ -457,6 +457,7 @@ - typedef struct { - TIFFPredictorState predict; - z_stream stream; -+ tmsize_t tbuf_size; /* only set/used on reading for now */ - uint16 *tbuf; - uint16 stride; - int state; -@@ -692,6 +693,7 @@ - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); - if (sp->tbuf == NULL) - return (0); -+ sp->tbuf_size = tbuf_size; - if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) - sp->user_datafmt = PixarLogGuessDataFmt(td); - if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { -@@ -781,6 +783,12 @@ - TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); - return (0); - } -+ /* Check that we will not fill more than what was allocated */ -+ if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); -+ return (0); -+ } - do { - int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); - if (state == Z_STREAM_END) { diff --git a/tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch b/tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch deleted file mode 100644 index 0c3224d..0000000 --- a/tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch +++ /dev/null 
@@ -1,124 +0,0 @@ ---- tiff-4.0.6/libtiff/tif_read.c 2015-08-29 00:16:22.656727936 +0200 -+++ tiff-4.0.6/libtiff/tif_read.c 2016-07-12 10:16:48.693897925 +0200 -@@ -38,6 +38,8 @@ - static int TIFFCheckRead(TIFF*, int); - static tmsize_t - TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module); -+static tmsize_t -+TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module); - - #define NOSTRIP ((uint32)(-1)) /* undefined state */ - #define NOTILE ((uint32)(-1)) /* undefined state */ -@@ -350,6 +352,24 @@ - stripsize=TIFFVStripSize(tif,rows); - if (stripsize==0) - return((tmsize_t)(-1)); -+ -+ /* shortcut to avoid an extra memcpy() */ -+ if( td->td_compression == COMPRESSION_NONE && -+ size!=(tmsize_t)(-1) && size >= stripsize && -+ !isMapped(tif) && -+ ((tif->tif_flags&TIFF_NOREADRAW)==0) ) -+ { -+ if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize) -+ return ((tmsize_t)(-1)); -+ -+ if (!isFillOrder(tif, td->td_fillorder) && -+ (tif->tif_flags & TIFF_NOBITREV) == 0) -+ TIFFReverseBits(buf,stripsize); -+ -+ (*tif->tif_postdecode)(tif,buf,stripsize); -+ return (stripsize); -+ } -+ - if ((size!=(tmsize_t)(-1))&&(sizetd_nstrips); - return ((tmsize_t)(-1)); - } -+ -+ /* shortcut to avoid an extra memcpy() */ -+ if( td->td_compression == COMPRESSION_NONE && -+ size!=(tmsize_t)(-1) && size >= tilesize && -+ !isMapped(tif) && -+ ((tif->tif_flags&TIFF_NOREADRAW)==0) ) -+ { -+ if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize) -+ return ((tmsize_t)(-1)); -+ -+ if (!isFillOrder(tif, td->td_fillorder) && -+ (tif->tif_flags & TIFF_NOBITREV) == 0) -+ TIFFReverseBits(buf,tilesize); -+ -+ (*tif->tif_postdecode)(tif,buf,tilesize); -+ return (tilesize); -+ } -+ - if (size == (tmsize_t)(-1)) - size = tilesize; - else if (size > tilesize) ---- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200 -+++ tiff-4.0.6/libtiff/tif_write.c 2016-07-12 10:16:48.693897925 +0200 -@@ -258,6 
+258,23 @@ - tif->tif_rawcp = tif->tif_rawdata; - - tif->tif_flags &= ~TIFF_POSTENCODE; -+ -+ /* shortcut to avoid an extra memcpy() */ -+ if( td->td_compression == COMPRESSION_NONE ) -+ { -+ /* swab if needed - note that source buffer will be altered */ -+ tif->tif_postdecode( tif, (uint8*) data, cc ); -+ -+ if (!isFillOrder(tif, td->td_fillorder) && -+ (tif->tif_flags & TIFF_NOBITREV) == 0) -+ TIFFReverseBits((uint8*) data, cc); -+ -+ if (cc > 0 && -+ !TIFFAppendToStrip(tif, strip, (uint8*) data, cc)) -+ return ((tmsize_t) -1); -+ return (cc); -+ } -+ - sample = (uint16)(strip / td->td_stripsperimage); - if (!(*tif->tif_preencode)(tif, sample)) - return ((tmsize_t) -1); -@@ -431,9 +448,7 @@ - tif->tif_flags |= TIFF_CODERSETUP; - } - tif->tif_flags &= ~TIFF_POSTENCODE; -- sample = (uint16)(tile/td->td_stripsperimage); -- if (!(*tif->tif_preencode)(tif, sample)) -- return ((tmsize_t)(-1)); -+ - /* - * Clamp write amount to the tile size. This is mostly - * done so that callers can pass in some large number -@@ -442,6 +457,25 @@ - if ( cc < 1 || cc > tif->tif_tilesize) - cc = tif->tif_tilesize; - -+ /* shortcut to avoid an extra memcpy() */ -+ if( td->td_compression == COMPRESSION_NONE ) -+ { -+ /* swab if needed - note that source buffer will be altered */ -+ tif->tif_postdecode( tif, (uint8*) data, cc ); -+ -+ if (!isFillOrder(tif, td->td_fillorder) && -+ (tif->tif_flags & TIFF_NOBITREV) == 0) -+ TIFFReverseBits((uint8*) data, cc); -+ -+ if (cc > 0 && -+ !TIFFAppendToStrip(tif, tile, (uint8*) data, cc)) -+ return ((tmsize_t) -1); -+ return (cc); -+ } -+ -+ sample = (uint16)(tile/td->td_stripsperimage); -+ if (!(*tif->tif_preencode)(tif, sample)) -+ return ((tmsize_t)(-1)); - /* swab if needed - note that source buffer will be altered */ - tif->tif_postdecode( tif, (uint8*) data, cc ); - 
diff --git a/tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch b/tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch deleted file mode 100644 index f444462..0000000 --- a/tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch +++ /dev/null 
@@ -1,217 +0,0 @@ ---- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 -+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-10-06 09:33:52.616248149 +0200 -@@ -973,17 +973,14 @@ - a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; - } - } else { -- ip += n - 1; /* point to last one */ -- wp += n - 1; /* point to last one */ -+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++) - n -= stride; - while (n > 0) { -- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); -- wp[stride] -= wp[0]; -- wp[stride] &= mask; -- wp--; ip--) -+ REPEAT(stride, -+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask); -+ wp++; ip++) - n -= stride; - } -- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--) - } - } - } -@@ -1026,17 +1023,14 @@ - a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; - } - } else { -- ip += n - 1; /* point to last one */ -- wp += n - 1; /* point to last one */ -+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) - n -= stride; - while (n > 0) { -- REPEAT(stride, wp[0] = CLAMP(ip[0]); -- wp[stride] -= wp[0]; -- wp[stride] &= mask; -- wp--; ip--) -+ REPEAT(stride, -+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); -+ wp++; ip++) - n -= stride; - } -- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) - } - } - } -@@ -1079,17 +1073,14 @@ - ip += 4; - } - } else { -- wp += n + stride - 1; /* point to last one */ -- ip += n + stride - 1; /* point to last one */ -+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) - n -= stride; - while (n > 0) { -- REPEAT(stride, wp[0] = CLAMP(ip[0]); -- wp[stride] -= wp[0]; -- wp[stride] &= mask; -- wp--; ip--) -+ REPEAT(stride, -+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); -+ wp++; ip++) - n -= stride; - } -- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) - } - } - } ---- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200 -+++ tiff-4.0.6/libtiff/tif_write.c 2016-10-06 09:33:52.616248149 +0200 -@@ -764,7 +764,14 @@ - if 
(!TIFFAppendToStrip(tif, - isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip, - tif->tif_rawdata, tif->tif_rawcc)) -+ { -+ /* We update those variables even in case of error since there's */ -+ /* code that doesn't really check the return code of this */ -+ /* function */ -+ tif->tif_rawcc = 0; -+ tif->tif_rawcp = tif->tif_rawdata; - return (0); -+ } - tif->tif_rawcc = 0; - tif->tif_rawcp = tif->tif_rawdata; - } ---- tiff-4.0.6/tools/tiff2pdf.c 2015-09-06 20:24:27.000000000 +0200 -+++ tiff-4.0.6/tools/tiff2pdf.c 2016-10-06 09:33:52.616248149 +0200 -@@ -286,7 +286,7 @@ - int t2p_process_ojpeg_tables(T2P*, TIFF*); - #endif - #ifdef JPEG_SUPPORT --int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32); -+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32); - #endif - void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32); - void t2p_write_advance_directory(T2P*, TIFF*); -@@ -2409,6 +2409,7 @@ - stripbuffer, - &striplength, - buffer, -+ t2p->tiff_datasize, - &bufferoffset, - i, - t2p->tiff_length)){ -@@ -3439,6 +3440,7 @@ - unsigned char* strip, - tsize_t* striplength, - unsigned char* buffer, -+ tsize_t buffersize, - tsize_t* bufferoffset, - tstrip_t no, - uint32 height){ -@@ -3473,6 +3475,8 @@ - } - switch( strip[i] ){ - case 0xd8: /* SOI - start of image */ -+ if( *bufferoffset + 2 > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); - *bufferoffset+=2; - break; -@@ -3482,12 +3486,18 @@ - case 0xc9: /* SOF9 */ - case 0xca: /* SOF10 */ - if(no==0){ -+ if( *bufferoffset + datalen + 2 + 6 > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ if( *bufferoffset + 9 >= buffersize ) -+ return(0); - ncomp = buffer[*bufferoffset+9]; - if (ncomp < 1 || ncomp > 4) - return(0); - v_samp=1; - h_samp=1; -+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize ) -+ return(0); - for(j=0;j>4) > 
h_samp) -@@ -3519,20 +3529,28 @@ - break; - case 0xc4: /* DHT */ - case 0xdb: /* DQT */ -+ if( *bufferoffset + datalen + 2 > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); - *bufferoffset+=datalen+2; - break; - case 0xda: /* SOS */ - if(no==0){ -+ if( *bufferoffset + datalen + 2 > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); - *bufferoffset+=datalen+2; - } else { -+ if( *bufferoffset + 2 > buffersize ) -+ return(0); - buffer[(*bufferoffset)++]=0xff; - buffer[(*bufferoffset)++]= - (unsigned char)(0xd0 | ((no-1)%8)); - } - i += datalen + 1; - /* copy remainder of strip */ -+ if( *bufferoffset + *striplength - i > buffersize ) -+ return(0); - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); - *bufferoffset+= *striplength - i; - return(1); ---- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200 -+++ tiff-4.0.6/tools/tiffcrop.c 2016-10-06 09:33:52.616248149 +0200 -@@ -5737,7 +5737,8 @@ - { - uint32 i; - float xres = 0.0, yres = 0.0; -- uint16 nstrips = 0, ntiles = 0, planar = 0; -+ uint32 nstrips = 0, ntiles = 0; -+ uint16 planar = 0; - uint16 bps = 0, spp = 0, res_unit = 0; - uint16 orientation = 0; - uint16 input_compression = 0, input_photometric = 0; -@@ -6013,11 +6014,23 @@ - /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ - /* outside buffer */ - if (!read_buff) -+ { -+ if( buffsize > 0xFFFFFFFFU - 3 ) -+ { -+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); -+ return (-1); -+ } - read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); -+ } - else - { - if (prev_readsize < buffsize) - { -+ if( buffsize > 0xFFFFFFFFU - 3 ) -+ { -+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); -+ return (-1); -+ } - new_buff = _TIFFrealloc(read_buff, buffsize+3); - if (!new_buff) - { -@@ -8859,6 +8872,11 @@ - } - - bytes_per_pixel = ((bps * spp) + 7) / 8; -+ if( bytes_per_pixel > 
sizeof(swapbuff) ) -+ { -+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large"); -+ return (1); -+ } - switch (bps / 8) - { - case 8: /* Use memcpy for multiple bytes per sample data */ diff --git a/tiff-4.0.6.tar.gz b/tiff-4.0.6.tar.gz deleted file mode 100644 index e14dd68..0000000 --- a/tiff-4.0.6.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c -size 2192991 diff --git a/tiff-4.0.7.tar.gz b/tiff-4.0.7.tar.gz new file mode 100644 index 0000000..50c863d --- /dev/null +++ b/tiff-4.0.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019 +size 2076392 diff --git a/tiff.spec b/tiff.spec index 4b31d71..350c629 100644 --- a/tiff.spec +++ b/tiff.spec @@ -17,7 +17,7 @@ Name: tiff -Version: 4.0.6 +Version: 4.0.7 Release: 0 Summary: Tools for Converting from and to the Tiff Format License: HPND 
@@ -30,25 +30,7 @@ Patch0: tiff-4.0.3-seek.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2442
 Patch1: tiff-4.0.3-compress-warning.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2508
-Patch2: tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
-# http://bugzilla.maptools.org/show_bug.cgi?id=2499
 Patch3: tiff-4.0.6-CVE-2015-7554.patch
-# http://bugzilla.maptools.org/show_bug.cgi?id=2522
-Patch4: tiff-4.0.6-CVE-2015-8782.patch
-#
-Patch5: tiff-4.0.6-CVE-2016-3186.patch
-#
-Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
-Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
-Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
-#
-Patch9: tiff-4.0.6-CVE-2016-3623.patch
-Patch10: tiff-4.0.6-CVE-2016-3945.patch
-Patch11: tiff-4.0.6-CVE-2016-3990.patch
-Patch12: tiff-4.0.6-CVE-2016-3991.patch
-#
-Patch13: tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
-Patch14: tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
 BuildRequires: gcc-c++
 BuildRequires: libjpeg-devel
@@ -112,19 +94,7 @@ the libtiff library.
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2
 %patch3
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
 %build
 CFLAGS="%{optflags} -fPIE"
@@ -147,8 +117,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 find html -name "Makefile*" | xargs rm
 %check
-cd test
-make %{?_smp_mflags} check
+for i in tools tests; do
+ cd $i && make %{?_smp_mflags} check
+done
 %post -n libtiff5 -p /sbin/ldconfig
From ce111c7af91404045dc38de3a3a5d934c1bfe4d2f9ffce5d6827dcb564c43a14 Mon Sep 17 00:00:00 2001
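Review bot: The bugzilla comment left above `Patch3` now points at the wrong ticket: once `Patch2` and its `-# http://bugzilla.maptools.org/show_bug.cgi?id=2499` line are removed, `# http://bugzilla.maptools.org/show_bug.cgi?id=2508` sits directly over `tiff-4.0.6-CVE-2015-7554.patch`, yet 2508 was the reference for the removed NeXTDecode patch (the tiff.changes entry in the second commit ties 2508 to NeXTDecode) and 2499 was the one for CVE-2015-7554. Either change the surviving comment to `# http://bugzilla.maptools.org/show_bug.cgi?id=2499` or keep the 2499 line and drop the 2508 one. This is the only security patch still carried on top of 4.0.7, so an accurate reference matters for the next rebase; a short remark that CVE-2015-7554 is presumably not addressed in 4.0.7 (to be confirmed against the upstream changelog) would also explain why it survives.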
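Review bot: The new `%check` loop never returns to the top of the source tree between iterations: after `cd tools` on the first pass, the second pass runs `cd tests` relative to `tools/`, and because the body is `cd $i && make …` a failed `cd` silently skips that `make` instead of failing the section, so a whole test suite can be lost without the build noticing (whether rpmbuild then aborts depends on the shell's error mode, which the hunk does not show). Run each suite from the tree root instead, e.g. `for i in tools tests; do make %{?_smp_mflags} -C $i check; done`, or wrap the body in a subshell `( cd $i && make %{?_smp_mflags} check )`. Note also that the removed lines used `cd test` while the new loop names `tests`; verify which directory the 4.0.7 tarball actually ships before relying on this loop.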
From: Fridrich Strba
Date: Tue, 29 Nov 2016 09:11:43 +0000
Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=89
---
 ...54.patch => tiff-4.0.7-CVE-2015-7554.patch | 0
 tiff.changes | 247 +++++++++++++++++-
 tiff.spec | 2 +-
 3 files changed, 247 insertions(+), 2 deletions(-)
 rename tiff-4.0.6-CVE-2015-7554.patch => tiff-4.0.7-CVE-2015-7554.patch (100%)
diff --git a/tiff-4.0.6-CVE-2015-7554.patch b/tiff-4.0.7-CVE-2015-7554.patch
similarity index 100%
rename from tiff-4.0.6-CVE-2015-7554.patch
rename to tiff-4.0.7-CVE-2015-7554.patch
diff --git a/tiff.changes b/tiff.changes
index f58d71f..e3ebc5c 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,248 @@ +------------------------------------------------------------------- +Tue Nov 29 08:45:11 UTC 2016 - fstrba@suse.com + +- Upgrade to upstream release 4.0.7 + * libtiff/tif_aux.c + + Fix crash in TIFFVGetFieldDefaulted() when requesting + Predictor tag and that the zip/lzw codec is not configured. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591 + * libtiff/tif_compress.c + + Make TIFFNoDecode() return 0 to indicate an error and make + upper level read routines treat it accordingly. (linked to the + test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517) + * libtiff/tif_dir.c + + Discard values of SMinSampleValue and SMaxSampleValue when + they have been read and the value of SamplesPerPixel is + changed afterwards (like when reading a OJPEG compressed image + with a missing SamplesPerPixel tag, and whose photometric is + RGB or YCbCr, forcing SamplesPerPixel being 3). Otherwise when + rewriting the directory (for example with tiffset, we will + expect 3 values whereas the array had been allocated with just + one), thus causing a out of bound read access. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2500 + (CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, bsc#974840) + * libtiff/tif_dirread.c + + In TIFFFetchNormalTag(), do not dereference NULL pointer when + values of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII + access are 0-byte arrays. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression + introduced by previous fix done on 2016-11-11 for + CVE-2016-9297, bsc#1010161). Assigned as CVE-2016-9448, + bsc#1011103 + + In TIFFFetchNormalTag(), make sure that values of tags with + TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are null + terminated, to avoid potential read outside buffer in + _TIFFPrintField(). 
Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2590 + (CVE-2016-9297, bsc#1010161) + + Initialize doubledata at line 3693 to NULL to please MSVC 2013 + + Prevent reading ColorMap or TransferFunction if + BitsPerPixel > 24, so as to avoid huge memory allocation and + file read attempts + + Reject images with OJPEG compression that have no + TileOffsets/StripOffsets tag, when OJPEG compression is + disabled. Prevent null pointer dereference in + TIFFReadRawStrip1() and other functions that expect + td_stripbytecount to be non NULL. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2585 + + When compiled with DEFER_STRILE_LOAD, fix regression, when + reading a one-strip file without a StripByteCounts tag. + + Workaround false positive warning of Clang Static Analyzer + about null pointer dereference in TIFFCheckDirOffset(). + * libtiff/tif_dirwrite.c + + Avoid null pointer dereference on td_stripoffset when writing + directory, if FIELD_STRIPOFFSETS was artificially set for a + hack case in OJPEG case. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2500 + (CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, + bsc#974840) + + Fix truncation to 32 bit of file offsets in TIFFLinkDirectory() + and TIFFWriteDirectorySec() when aligning directory offsets on + an even offset (affects BigTIFF). + * libtiff/tif_dumpmode.c + + DumpModeEncode() should return 0 in case of failure so that + the above mentionned functions detect the error. + * libtiff/tif_fax3.c + + remove dead assignment in Fax3PutEOLgdal(). + * libtiff/tif_fax3.h + + make Param member of TIFFFaxTabEnt structure a uint16 to + reduce size of the binary. + * libtiff/tif_getimage.c + + Fix out-of-bound reads in TIFFRGBAImage interface in case of + unsupported values of SamplesPerPixel/ExtraSamples for + LogLUV/CIELab. Add explicit call to TIFFRGBAImageOK() in + TIFFRGBAImageBegin(). Fix CVE-2015-8665 and CVE-2015-8683. 
+ + Fix some benign warnings which appear in 64-bit compilation + under Microsoft Visual Studio of the form "Arithmetic + overflow: 32-bit value is shifted, then cast to 64-bit value. + Results might not be an expected value." + + TIFFRGBAImageOK: Reject attempts to read floating point images. + * libtiff/tif_luv.c + + Fix potential out-of-bound writes in decode functions in non + debug builds by replacing assert()s by regular if checks + (http://bugzilla.maptools.org/show_bug.cgi?id=2522). Fix + potential out-of-bound reads in case of short input data. + + Validate that for COMPRESSION_SGILOG and PHOTOMETRIC_LOGL, + there is only one sample per pixel. Avoid potential invalid + memory write on corrupted/unexpected images when using the + TIFFRGBAImageBegin() interface + * libtiff/tif_next.c + + Fix potential out-of-bound write in NeXTDecode() + (http://bugzilla.maptools.org/show_bug.cgi?id=2508) + * libtiff/tif_pixarlog.c + + Avoid zlib error messages to pass a NULL string to %s + formatter, which is undefined behaviour in sprintf(). + + Fix out-of-bounds write vulnerabilities in heap allocated + buffers. Reported as MSVR 35094. + + Fix potential buffer write overrun in PixarLogDecode() on + corrupted/unexpected images (CVE-2016-5875, bsc#987351) + + Fix write buffer overflow in PixarLogEncode if more input + samples are provided than expected by PixarLogSetupEncode. + Idea based on libtiff-CVE-2016-3990.patch from + libtiff-4.0.3-25.el7_2.src.rpm, but with different and simpler + check. (http://bugzilla.maptools.org/show_bug.cgi?id=2544, + bsc#975069) + * libtiff/tif_predict.c + + PredictorSetup: Enforce bits-per-sample requirements of + floating point predictor (3). Fixes CVE-2016-3622 "Divide By + Zero in the tiff2rgba tool." (bsc#974449) + * libtiff/tif_predict.h, libtiff/tif_predict.c + + Replace assertions by runtime checks to avoid assertions in + debug mode, or buffer overflows in release mode. 
Can happen + when dealing with unusual tile size like YCbCr with + subsampling. Reported as MSVR 35105. + * libtiff/tif_read.c + + Fix out-of-bounds read on memory-mapped files in + TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset + is beyond tmsize_t max value + + Make TIFFReadEncodedStrip() and TIFFReadEncodedTile() directly + use user provided buffer when no compression (and other + conditions) to save a memcpy(). + * libtiff/tif_strip.c + + Make TIFFNumberOfStrips() return the td->td_nstrips value when + it is non-zero, instead of recomputing it. This is needed in + TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read + outsize of array in tiffsplit (or other utilities using + TIFFNumberOfStrips()). Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2587 + (CVE-2016-9273, bsc#1010163) + * libtiff/tif_write.c + + Fix issue in error code path of TIFFFlushData1() that didn't + reset the tif_rawcc and tif_rawcp members. I'm not completely + sure if that could happen in practice outside of the odd + behaviour of t2p_seekproc() of tiff2pdf). The report points + that a better fix could be to check the return value of + TIFFFlushData1() in places where it isn't done currently, but + it seems this patch is enough. Reported as MSVR 35095. + + Make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() + directly use user provided buffer when no compression to save + a memcpy(). + + TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() should + return -1 in case of failure of tif_encodestrip() as documented + * tools/fax2tiff.c + + Fix segfault when specifying -r without argument. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2572 + * tools/Makefile.am + + The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, + sgisv, and ycbcr are completely removed from the distribution. + The libtiff tools rgb2ycbcr and thumbnail are only built in + the build tree for testing. 
Old files are put in new 'archive' + subdirectory of the source repository, but not in + distribution archives. These changes are made in order to + lessen the maintenance burden. + * tools/rgb2ycbcr.c + + Validate values of -v and -h parameters to avoid potential + divide by zero. Fixes CVE-2016-3623, bsc#974618 + (http://bugzilla.maptools.org/show_bug.cgi?id=2569) + * tools/tiff2bw.c + + Fix weight computation that could result of color value + overflow (no security implication). Fix + http://bugzilla.maptools.org/show_bug.cgi?id=2550. + * tools/tiff2pdf.c + + Avoid undefined behaviour related to overlapping of source and + destination buffer in memcpy() call in + t2p_sample_rgbaa_to_rgb() Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2577 + + Fix out-of-bounds write vulnerabilities in heap allocate buffer + in t2p_process_jpeg_strip(). Reported as MSVR 35098. + + Fix potential integer overflows on 32 bit builds in + t2p_read_tiff_size() Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2576 + + Fix read -largely- outsize of buffer in + t2p_readwrite_pdf_image_tile(), causing crash, when reading a + JPEG compressed image with TIFFTAG_JPEGTABLES length being one. + Reported as MSVR 35101. CVE-2016-9453, bsc#1011107 + + Fix write buffer overflow of 2 bytes on JPEG compressed images. + Reported as TALOS-CAN-0187, CVE-2016-5652, bsc#1007280. Also + prevents writing 2 extra uninitialized bytes to the file + stream. + * tools/tiff2rgba.c + + Fix integer overflow in size of allocated buffer, when -b mode + is enabled, that could result in out-of-bounds write. Based + initially on patch tiff-CVE-2016-3945.patch from + libtiff-4.0.3-25.el7_2.src.rpm, with correction for invalid + tests that rejected valid files. + (http://bugzilla.maptools.org/show_bug.cgi?id=2545, bsc#974614) + * tools/tiffcp.c + + Fix out-of-bounds write on tiled images with odd tile width vs + image width. Reported as MSVR 35103. 
+ + Fix read of undefined variable in case of missing required + tags. Found on test case of MSVR 35100. + * tools/tiffcrop.c + + Avoid access outside of stack allocated array on a tiled + separate TIFF with more than 8 samples per pixel. + (CVE-2016-5321, CVE-2016-5323, + http://bugzilla.maptools.org/show_bug.cgi?id=2558, + http://bugzilla.maptools.org/show_bug.cgi?id=2559, bsc#984813, + bsc#984815) + + Fix memory leak in (recent) error code path. Fixes Coverity + 1394415. + + Fix multiple uint32 overflows in writeBufferToSeparateStrips(), + writeBufferToContigTiles() and writeBufferToSeparateTiles() + that could cause heap buffer overflows. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2592 + + Fix out-of-bound read of up to 3 bytes in + readContigTilesIntoBuffer(). Reported as MSVR 35092. + + Fix out-of-bounds write in loadImage(). From patch + libtiff-CVE-2016-3991.patch from + libtiff-4.0.3-25.el7_2.src.rpm + (http://bugzilla.maptools.org/show_bug.cgi?id=2543, bsc#975070) + + Fix read of undefined buffer in readContigStripsIntoBuffer() + due to uint16 overflow. Reported as MSVR 35100. + + Fix various out-of-bounds write vulnerabilities in heap or + stack allocated buffers. Reported as MSVR 35093, MSVR 35096 + and MSVR 35097. + + readContigTilesIntoBuffer: Fix signed/unsigned comparison + warning. + * tools/tiffdump.c + + Fix a few misaligned 64-bit reads warned by -fsanitize + + ReadDirectory: Remove uint32 cast to_TIFFmalloc() argument + which resulted in Coverity report. Added more mutiplication + overflow checks + * tools/tiffinfo.c + + Fix out-of-bound read on some tiled images. + (http://bugzilla.maptools.org/show_bug.cgi?id=2517) + + TIFFReadContigTileData: Fix signed/unsigned comparison warning. + + TIFFReadSeparateTileData: Fix signed/unsigned comparison + warning. 
+- Removed patches: + * tiff-4.0.4-uninitialized_mem_NeXTDecode.patch + * tiff-4.0.6-CVE-2015-8782.patch + * tiff-4.0.6-CVE-2016-3186.patch + * tiff-4.0.6-CVE-2016-3623.patch + * tiff-4.0.6-CVE-2016-3945.patch + * tiff-4.0.6-CVE-2016-3990.patch + * tiff-4.0.6-CVE-2016-3991.patch + * tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch + * tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch + * tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch + * tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch + * tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch + - Fixed in the upsteam release +- Changed patch: + * tiff-4.0.6-CVE-2015-7554.patch -> tiff-4.0.7-CVE-2015-7554.patch + - Rediffed to the changed context + ------------------------------------------------------------------- Thu Oct 6 07:47:19 UTC 2016 - fstrba@suse.com @@ -19,7 +264,7 @@ Thu Sep 1 14:35:57 UTC 2016 - fstrba@suse.com * tiff-4.0.6-CVE-2016-3991.patch - Upstream commits to fix CVE-2016-3623 [bsc#974618], CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069], - CVE-2016-3991 [bsc#975070] + CVE-2016-3991 [bsc#975070] ------------------------------------------------------------------- Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com diff --git a/tiff.spec b/tiff.spec index 350c629..afa5881 100644 --- a/tiff.spec +++ b/tiff.spec @@ -30,7 +30,7 @@ Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2508 -Patch3: tiff-4.0.6-CVE-2015-7554.patch +Patch3: tiff-4.0.7-CVE-2015-7554.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel