From 1a62f4bdb564a4ab44f243bb0c46075aaf805214853d0a12755e77907de62038 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 1 Sep 2016 14:45:59 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=84 --- tiff-4.0.6-CVE-2016-3623.patch | 16 +++++ tiff-4.0.6-CVE-2016-3945.patch | 78 +++++++++++++++++++++++ tiff-4.0.6-CVE-2016-3990.patch | 17 +++++ tiff-4.0.6-CVE-2016-3991.patch | 111 +++++++++++++++++++++++++++++++++ tiff.changes | 12 ++++ tiff.spec | 9 +++ 6 files changed, 243 insertions(+) create mode 100644 tiff-4.0.6-CVE-2016-3623.patch create mode 100644 tiff-4.0.6-CVE-2016-3945.patch create mode 100644 tiff-4.0.6-CVE-2016-3990.patch create mode 100644 tiff-4.0.6-CVE-2016-3991.patch diff --git a/tiff-4.0.6-CVE-2016-3623.patch b/tiff-4.0.6-CVE-2016-3623.patch new file mode 100644 index 0000000..c6c0864 --- /dev/null +++ b/tiff-4.0.6-CVE-2016-3623.patch @@ -0,0 +1,16 @@ +--- tiff-4.0.6/tools/rgb2ycbcr.c 2015-08-29 00:17:08.195093258 +0200 ++++ tiff-4.0.6/tools/rgb2ycbcr.c 2016-09-01 16:23:31.472089246 +0200 +@@ -95,9 +95,13 @@ + break; + case 'h': + horizSubSampling = atoi(optarg); ++ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 ) ++ usage(-1); + break; + case 'v': + vertSubSampling = atoi(optarg); ++ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 ) ++ usage(-1); + break; + case 'r': + rowsperstrip = atoi(optarg); diff --git a/tiff-4.0.6-CVE-2016-3945.patch b/tiff-4.0.6-CVE-2016-3945.patch new file mode 100644 index 0000000..9af3bca --- /dev/null +++ b/tiff-4.0.6-CVE-2016-3945.patch @@ -0,0 +1,78 @@ +--- tiff-4.0.6/tools/tiff2rgba.c 2015-08-29 00:17:08.259977702 +0200 ++++ tiff-4.0.6/tools/tiff2rgba.c 2016-09-01 16:05:40.451318911 +0200 +@@ -147,6 +147,7 @@ + uint32 row, col; + uint32 *wrk_line; + int ok = 1; ++ uint32 rastersize, wrk_linesize; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +@@ -163,7 +164,13 @@ + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ rastersize = tile_width * tile_height * sizeof (uint32); ++ if (tile_width != (rastersize / tile_height) / sizeof( uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); ++ exit(-1); ++ } ++ raster = (uint32*)_TIFFmalloc(rastersize); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -173,7 +180,13 @@ + * Allocate a scanline buffer for swapping during the vertical + * mirroring pass. + */ +- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); ++ wrk_linesize = tile_width * sizeof (uint32); ++ if (tile_width != wrk_linesize / sizeof (uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); ++ exit(-1); ++ } ++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); + if (!wrk_line) { + TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); + ok = 0; +@@ -249,6 +262,7 @@ + uint32 row; + uint32 *wrk_line; + int ok = 1; ++ uint32 rastersize, wrk_linesize; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +@@ -263,7 +277,13 @@ + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ rastersize = width * rowsperstrip * sizeof (uint32); ++ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); ++ exit(-1); ++ } ++ raster = (uint32*)_TIFFmalloc(rastersize); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -273,7 +293,13 @@ + * Allocate a scanline buffer for swapping during the vertical + * mirroring pass. + */ +- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); ++ wrk_linesize = width * sizeof (uint32); ++ if (width != wrk_linesize / sizeof (uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); ++ exit(-1); ++ } ++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); + if (!wrk_line) { + TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); + ok = 0; diff --git a/tiff-4.0.6-CVE-2016-3990.patch b/tiff-4.0.6-CVE-2016-3990.patch new file mode 100644 index 0000000..54fe105 --- /dev/null +++ b/tiff-4.0.6-CVE-2016-3990.patch @@ -0,0 +1,17 @@ +--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 ++++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-09-01 16:12:07.226933631 +0200 +@@ -1131,6 +1131,13 @@ + } + + llen = sp->stride * td->td_imagewidth; ++ /* Check against the number of elements (of size uint16) of sp->tbuf */ ++ if( n > (tmsize_t)(td->td_rowsperstrip * llen) ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Too many input bytes provided"); ++ return 0; ++ } + + for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { + switch (sp->user_datafmt) { +Only in tiff-4.0.6/libtiff: tif_pixarlog.c.orig diff --git a/tiff-4.0.6-CVE-2016-3991.patch b/tiff-4.0.6-CVE-2016-3991.patch new file mode 100644 index 0000000..c5863a1 --- /dev/null +++ b/tiff-4.0.6-CVE-2016-3991.patch @@ -0,0 +1,111 @@ +--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200 ++++ tiff-4.0.6/tools/tiffcrop.c 2016-09-01 16:21:40.874478425 +0200 +@@ -798,6 +798,11 @@ + } + + tile_buffsize = tilesize; ++ if (tilesize == 0 || tile_rowsize == 0) ++ { ++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); ++ exit(-1); ++ } + + if (tilesize < (tsize_t)(tl * tile_rowsize)) + { +@@ -807,6 +812,11 @@ + tilesize, tl * tile_rowsize); + #endif + tile_buffsize = tl * tile_rowsize; ++ if (tl != (tile_buffsize / tile_rowsize)) ++ { ++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); ++ exit(-1); ++ } + } + + tilebuf = _TIFFmalloc(tile_buffsize); +@@ -1210,6 +1220,12 @@ + !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) + return 1; + ++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) ++ { ++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); ++ exit(-1); ++ } ++ + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) + { +@@ -1219,6 +1235,11 @@ + tilesize, tl * tile_rowsize); + #endif + tile_buffsize = tl * tile_rowsize; ++ if (tl != tile_buffsize / tile_rowsize) ++ { ++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } + } + + tilebuf = _TIFFmalloc(tile_buffsize); +@@ -5945,12 +5966,27 @@ + TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); + + tile_rowsize = TIFFTileRowSize(in); ++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) ++ { ++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); ++ exit(-1); ++ } + buffsize = tlsize * ntiles; +- ++ if (tlsize != (buffsize / ntiles)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } + + if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) + { + buffsize = ntiles * tl * tile_rowsize; ++ if (ntiles != (buffsize / tl / tile_rowsize)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } ++ + #ifdef DEBUG2 + TIFFError("loadImage", + "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", +@@ -5965,12 +6001,29 @@ + } + else + { ++ uint32 buffsize_check; + readunit = STRIP; + TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); + stsize = TIFFStripSize(in); + nstrips = TIFFNumberOfStrips(in); +- buffsize = stsize * nstrips; ++ if (nstrips == 0 || stsize == 0) ++ { ++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); ++ exit(-1); ++ } + ++ buffsize = stsize * nstrips; ++ if (stsize != (buffsize / nstrips)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } ++ buffsize_check = ((length * width * spp * bps) + 7); ++ if (length != ((buffsize_check - 7) / width / spp / bps)) ++ { ++ TIFFError("loadImage", "Integer overflow detected."); ++ exit(-1); ++ } + if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) + { + buffsize = ((length * width * spp * bps) + 7) / 8; diff --git a/tiff.changes b/tiff.changes index 42fd546..7412661 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Sep 1 14:35:57 UTC 2016 - fstrba@suse.com + +- Added patches: + * tiff-4.0.6-CVE-2016-3623.patch + * tiff-4.0.6-CVE-2016-3945.patch + * tiff-4.0.6-CVE-2016-3990.patch + * tiff-4.0.6-CVE-2016-3991.patch + - Upstream commits to fix CVE-2016-3623 [bsc#974618], + CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069], + CVE-2016-3991 [bsc#975070] + ------------------------------------------------------------------- Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com diff --git a/tiff.spec b/tiff.spec index 04e9be0..7a7261f 100644 --- a/tiff.spec +++ b/tiff.spec @@ -41,6 +41,11 @@ Patch5: tiff-4.0.6-CVE-2016-3186.patch Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch +# +Patch9: tiff-4.0.6-CVE-2016-3623.patch +Patch10: tiff-4.0.6-CVE-2016-3945.patch +Patch11: tiff-4.0.6-CVE-2016-3990.patch +Patch12: tiff-4.0.6-CVE-2016-3991.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -111,6 +116,10 @@ the libtiff library. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 %build CFLAGS="%{optflags} -fPIE"