parent
c6abd52efe
commit
1a62f4bdb5
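--- a/tiff-4.0.6-CVE-2016-3623.patch
+++ b/tiff-4.0.6-CVE-2016-3623.patch
@@ -0,0 +1,16 @@
+--- tiff-4.0.6/tools/rgb2ycbcr.c 2015-08-29 00:17:08.195093258 +0200
++++ tiff-4.0.6/tools/rgb2ycbcr.c 2016-09-01 16:23:31.472089246 +0200
+@@ -95,9 +95,13 @@
+break;
+case 'h':
+horizSubSampling = atoi(optarg);
++ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
++ usage(-1);
+break;
+case 'v':
+vertSubSampling = atoi(optarg);
++ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
++ usage(-1);
+break;
+case 'r':
+rowsperstrip = atoi(optarg);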
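Review bot: The `-r` case at the end of this hunk still stores `atoi(optarg)` in `rowsperstrip` with no range check, while the two subsampling options above it are now restricted to 1, 2 or 4. `atoi` reports no error, so non-numeric input becomes 0 and a leading minus sign is accepted; whether a zero or negative strip height is rejected later is not visible here, because the option loop continues outside the hunk. If nothing downstream validates it, a guard in the same style would close the gap, e.g. `if( rowsperstrip <= 0 ) usage(-1);` (adapt the comparison if the variable is unsigned).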
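--- a/tiff-4.0.6-CVE-2016-3945.patch
+++ b/tiff-4.0.6-CVE-2016-3945.patch
@@ -0,0 +1,78 @@
+--- tiff-4.0.6/tools/tiff2rgba.c 2015-08-29 00:17:08.259977702 +0200
++++ tiff-4.0.6/tools/tiff2rgba.c 2016-09-01 16:05:40.451318911 +0200
+@@ -147,6 +147,7 @@
+uint32 row, col;
+uint32 *wrk_line;
+int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -163,7 +164,13 @@
+/*
+* Allocate tile buffer
+*/
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ rastersize = tile_width * tile_height * sizeof (uint32);
++ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+if (raster == 0) {
+TIFFError(TIFFFileName(in), "No space for raster buffer");
+return (0);
+@@ -173,7 +180,13 @@
+* Allocate a scanline buffer for swapping during the vertical
+* mirroring pass.
+*/
+- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++ wrk_linesize = tile_width * sizeof (uint32);
++ if (tile_width != wrk_linesize / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+if (!wrk_line) {
+TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ok = 0;
+@@ -249,6 +262,7 @@
+uint32 row;
+uint32 *wrk_line;
+int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -263,7 +277,13 @@
+/*
+* Allocate strip buffer
+*/
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ rastersize = width * rowsperstrip * sizeof (uint32);
++ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+if (raster == 0) {
+TIFFError(TIFFFileName(in), "No space for raster buffer");
+return (0);
+@@ -273,7 +293,13 @@
+* Allocate a scanline buffer for swapping during the vertical
+* mirroring pass.
+*/
+- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++ wrk_linesize = width * sizeof (uint32);
++ if (width != wrk_linesize / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+if (!wrk_line) {
+TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ok = 0;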
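Review bot: Both raster checks divide by a value read from the file before anything in these hunks rules out zero: `rastersize / tile_height` in the tiled path and `rastersize / rowsperstrip` in the strip path. If either field can be 0 on a malformed image, the overflow test itself traps with a division by zero instead of reporting an error; an earlier check may exist outside the hunks, but none is visible. A guard ahead of the multiplication would cover it, e.g. `if (tile_width == 0 || tile_height == 0) { TIFFError(TIFFFileName(in), "Zero tile dimensions"); return (0); }`, with the same for `width` and `rowsperstrip`. The new failure paths also call `exit(-1)` where the neighbouring allocation failures `return (0)` or set `ok = 0`, so the error handling of these functions is no longer uniform.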
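--- a/tiff-4.0.6-CVE-2016-3990.patch
+++ b/tiff-4.0.6-CVE-2016-3990.patch
@@ -0,0 +1,17 @@
+--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
++++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-09-01 16:12:07.226933631 +0200
+@@ -1131,6 +1131,13 @@
+}
+
+llen = sp->stride * td->td_imagewidth;
++ /* Check against the number of elements (of size uint16) of sp->tbuf */
++ if( n > (tmsize_t)(td->td_rowsperstrip * llen) )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Too many input bytes provided");
++ return 0;
++ }
+
+for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
+switch (sp->user_datafmt) {
+Only in tiff-4.0.6/libtiff: tif_pixarlog.c.orig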
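Review bot: The bound in `if( n > (tmsize_t)(td->td_rowsperstrip * llen) )` is multiplied before the cast, so the product is formed in the operands' own width and can wrap before it is widened to `tmsize_t`. `td_rowsperstrip` comes from the file and the declaration of `llen` is outside the hunk; if both are 32-bit, a large rows-per-strip value would give a wrapped limit that either admits too large an `n` or rejects valid input. Widening first avoids that, `if( n > (tmsize_t)td->td_rowsperstrip * (tmsize_t)llen )`, and comparing against the element count actually used when `sp->tbuf` was allocated would be stronger still, if that size is kept. The trailing `Only in tiff-4.0.6/libtiff: tif_pixarlog.c.orig` line is `diff -r` output and can be dropped from the patch file.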
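--- a/tiff-4.0.6-CVE-2016-3991.patch
+++ b/tiff-4.0.6-CVE-2016-3991.patch
@@ -0,0 +1,111 @@
+--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200
++++ tiff-4.0.6/tools/tiffcrop.c 2016-09-01 16:21:40.874478425 +0200
+@@ -798,6 +798,11 @@
+}
+
+tile_buffsize = tilesize;
++ if (tilesize == 0 || tile_rowsize == 0)
++ {
++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
++ exit(-1);
++ }
+
+if (tilesize < (tsize_t)(tl * tile_rowsize))
+{
+@@ -807,6 +812,11 @@
+tilesize, tl * tile_rowsize);
+#endif
+tile_buffsize = tl * tile_rowsize;
++ if (tl != (tile_buffsize / tile_rowsize))
++ {
++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
++ exit(-1);
++ }
+}
+
+tilebuf = _TIFFmalloc(tile_buffsize);
+@@ -1210,6 +1220,12 @@
+!TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+return 1;
+
++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
++ {
++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
++ exit(-1);
++ }
++
+tile_buffsize = tilesize;
+if (tilesize < (tsize_t)(tl * tile_rowsize))
+{
+@@ -1219,6 +1235,11 @@
+tilesize, tl * tile_rowsize);
+#endif
+tile_buffsize = tl * tile_rowsize;
++ if (tl != tile_buffsize / tile_rowsize)
++ {
++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
+}
+
+tilebuf = _TIFFmalloc(tile_buffsize);
+@@ -5945,12 +5966,27 @@
+TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+
+tile_rowsize = TIFFTileRowSize(in);
++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
++ {
++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
++ exit(-1);
++ }
+buffsize = tlsize * ntiles;
+-
++ if (tlsize != (buffsize / ntiles))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
+
+if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
+{
+buffsize = ntiles * tl * tile_rowsize;
++ if (ntiles != (buffsize / tl / tile_rowsize))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
++
+#ifdef DEBUG2
+TIFFError("loadImage",
+"Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
+@@ -5965,12 +6001,29 @@
+}
+else
+{
++ uint32 buffsize_check;
+readunit = STRIP;
+TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+stsize = TIFFStripSize(in);
+nstrips = TIFFNumberOfStrips(in);
+- buffsize = stsize * nstrips;
++ if (nstrips == 0 || stsize == 0)
++ {
++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
++ exit(-1);
++ }
+
++ buffsize = stsize * nstrips;
++ if (stsize != (buffsize / nstrips))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
++ buffsize_check = ((length * width * spp * bps) + 7);
++ if (length != ((buffsize_check - 7) / width / spp / bps))
++ {
++ TIFFError("loadImage", "Integer overflow detected.");
++ exit(-1);
++ }
+if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
+{
+buffsize = ((length * width * spp * bps) + 7) / 8;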
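Review bot: In readContigTilesIntoBuffer, writeBufferToContigTiles and the tiled branch of loadImage the new overflow test sits inside the `if (tilesize < (tsize_t)(tl * tile_rowsize))` style branch, so the product is compared before it has been verified. When the multiplication wraps to a value that is not larger than `tilesize` (or `buffsize`), the branch is skipped and the check never runs; whether later code then indexes the buffer by `tl * tile_rowsize` is not visible in these hunks. Computing the product once, testing it, and only then comparing makes the check unconditional: `rowbytes = tl * tile_rowsize;` then `if (tl != rowbytes / tile_rowsize) { /* error */ }` then `if (tilesize < rowbytes) tile_buffsize = rowbytes;`, where `rowbytes` is a placeholder local of the buffer-size type. In the strip branch, `(buffsize_check - 7) / width / spp / bps` divides by three values that the preceding zero test, which covers only `nstrips` and `stsize`, does not rule out as zero.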
12
tiff.changes
12
tiff.changes
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 1 14:35:57 UTC 2016 - fstrba@suse.com
|
||||
|
||||
- Added patches:
|
||||
* tiff-4.0.6-CVE-2016-3623.patch
|
||||
* tiff-4.0.6-CVE-2016-3945.patch
|
||||
* tiff-4.0.6-CVE-2016-3990.patch
|
||||
* tiff-4.0.6-CVE-2016-3991.patch
|
||||
- Upstream commits to fix CVE-2016-3623 [bsc#974618],
|
||||
CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069],
|
||||
CVE-2016-3991 [bsc#975070]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com
|
||||
|
||||
|
@ -41,6 +41,11 @@ Patch5: tiff-4.0.6-CVE-2016-3186.patch
|
||||
Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
|
||||
Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
|
||||
Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
|
||||
#
|
||||
Patch9: tiff-4.0.6-CVE-2016-3623.patch
|
||||
Patch10: tiff-4.0.6-CVE-2016-3945.patch
|
||||
Patch11: tiff-4.0.6-CVE-2016-3990.patch
|
||||
Patch12: tiff-4.0.6-CVE-2016-3991.patch
|
||||
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libjpeg-devel
|
||||
@ -111,6 +116,10 @@ the libtiff library.
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
|
||||
%build
|
||||
CFLAGS="%{optflags} -fPIE"
|
||||
|