pool/tiff
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 614266 from graphics

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/614266
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=73
This commit is contained in:
Dominique Leuenberger 2018-06-08 21:19:57 +00:00 committed by Git OBS Bridge
commit 3a18562cc0
5 changed files with 194 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
tiff-CVE-2017-11613.patch Normal file
View File

@ -0,0 +1,21 @@
Index: tiff-4.0.9/libtiff/tif_dirread.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_dirread.c 2018-06-04 16:49:48.940452546 +0200
+++ tiff-4.0.9/libtiff/tif_dirread.c 2018-06-04 16:50:18.572859131 +0200
@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
if( nstrips == 0 )
return;
+ /* If we are going to allocate a lot of memory, make sure that the */
+ /* file is as big as needed */
+ if( tif->tif_mode == O_RDONLY &&
+ nstrips > 1000000 &&
+ (offset >= TIFFGetFileSize(tif) ||
+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
+ {
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

108
tiff-CVE-2018-7456.patch Normal file
View File

@ -0,0 +1,108 @@
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 6baa7b3..af5b84a 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
static void ChopUpSingleUncompressedStrip(TIFF*);
static uint64 TIFFReadUInt64(const uint8 *value);
+static int _TIFFGetMaxColorChannels(uint16 photometric);
static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
}
/*
+ * Return the maximum number of color channels specified for a given photometric
+ * type. 0 is returned if photometric type isn't supported or no default value
+ * is defined by the specification.
+ */
+static int _TIFFGetMaxColorChannels( uint16 photometric )
+{
+ switch (photometric) {
+ case PHOTOMETRIC_PALETTE:
+ case PHOTOMETRIC_MINISWHITE:
+ case PHOTOMETRIC_MINISBLACK:
+ return 1;
+ case PHOTOMETRIC_YCBCR:
+ case PHOTOMETRIC_RGB:
+ case PHOTOMETRIC_CIELAB:
+ return 3;
+ case PHOTOMETRIC_SEPARATED:
+ case PHOTOMETRIC_MASK:
+ return 4;
+ case PHOTOMETRIC_LOGL:
+ case PHOTOMETRIC_LOGLUV:
+ case PHOTOMETRIC_CFA:
+ case PHOTOMETRIC_ITULAB:
+ case PHOTOMETRIC_ICCLAB:
+ default:
+ return 0;
+ }
+}
+
+/*
* Read the next TIFF directory from a file and convert it to the internal
* format. We read directories sequentially.
*/
@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
uint32 fii=FAILED_FII;
toff_t nextdiroff;
int bitspersample_read = FALSE;
+ int color_channels;
tif->tif_diroff=tif->tif_nextdiroff;
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
}
}
}
+
+ /*
+ * Make sure all non-color channels are extrasamples.
+ * If it's not the case, define them as such.
+ */
+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
+ uint16 old_extrasamples;
+ uint16 *new_sampleinfo;
+
+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
+ "Defining non-color channels as ExtraSamples.");
+
+ old_extrasamples = tif->tif_dir.td_extrasamples;
+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
+
+ // sampleinfo should contain information relative to these new extra samples
+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
+ if (!new_sampleinfo) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
+ "temporary new sampleinfo array (%d 16 bit elements)",
+ tif->tif_dir.td_extrasamples);
+ goto bad;
+ }
+
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
+
/*
* Verify Palette image has a Colormap.
*/
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 8deceb2..1d86adb 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
uint16 i;
fprintf(fd, " %2ld: %5u",
l, td->td_transferfunction[0][l]);
- for (i = 1; i < td->td_samplesperpixel; i++)
+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
fprintf(fd, " %5u",
td->td_transferfunction[i][l]);
fputc('\n', fd);

38
tiff-CVE-2018-8905.patch Normal file
View File

@ -0,0 +1,38 @@
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 4ccb443..94d85e3 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
char *tp;
unsigned char *bp;
int code, nbits;
+ int len;
long nextbits, nextdata, nbitsmask;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
} while (--occ);
break;
}
- assert(occ >= codep->length);
- op += codep->length;
- occ -= codep->length;
- tp = op;
+ len = codep->length;
+ tp = op + len;
do {
- *--tp = codep->value;
- } while( (codep = codep->next) != NULL );
+ int t;
+ --tp;
+ t = codep->value;
+ codep = codep->next;
+ *tp = (char)t;
+ } while (codep && tp > op);
+ assert(occ >= len);
+ op += len;
+ occ -= len;
} else {
*op++ = (char)code;
occ--;

21
tiff.changes
View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Tue Jun 5 12:21:02 UTC 2018 - pgajdos@suse.com
- security update
* CVE-2018-8905 [bsc#1086408]
+ tiff-CVE-2018-8905.patch
-------------------------------------------------------------------
Mon Jun 4 15:12:15 UTC 2018 - pgajdos@suse.com
- security update
* CVE-2017-11613 [bsc#1082332]
+ tiff-CVE-2017-11613.patch
-------------------------------------------------------------------
Mon Jun 4 12:55:54 UTC 2018 - pgajdos@suse.com
- security update
* CVE-2018-7456 [bsc#1082825]
+ tiff-CVE-2018-7456.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri May 18 09:18:26 UTC 2018 - pgajdos@suse.com Fri May 18 09:18:26 UTC 2018 - pgajdos@suse.com

6
tiff.spec
View File

@ -34,6 +34,9 @@ Patch2: tiff-4.0.9-bsc1046077-CVE-2017-9935.patch
Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
Patch4: tiff-CVE-2018-10963.patch Patch4: tiff-CVE-2018-10963.patch
Patch5: tiff-CVE-2017-18013.patch Patch5: tiff-CVE-2017-18013.patch
Patch6: tiff-CVE-2018-7456.patch
Patch7: tiff-CVE-2017-11613.patch
Patch8: tiff-CVE-2018-8905.patch
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libjpeg-devel BuildRequires: libjpeg-devel
@ -101,6 +104,9 @@ the libtiff library.
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build %build
CFLAGS="%{optflags} -fPIE" CFLAGS="%{optflags} -fPIE"