- fixed "Possibly exploitable memory corruption issue in libtiff"

(see http://bugzilla.maptools.org/show_bug.cgi?id=2228) [bnc#624215] * scanlinesize.patch - fixed crash while using libjpeg7 and higher * dont-fancy-upsampling.patch OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=23
2010-09-06 13:07:10 +00:00 · 2010-09-06 13:07:10 +00:00 · 3cc206640a
commit 3cc206640a
parent 7fe5753bde
4 changed files with 91 additions and 0 deletions
--- a/tiff-3.9.4-dont-fancy-upsampling.patch
+++ b/tiff-3.9.4-dont-fancy-upsampling.patch
@ -0,0 +1,12 @@
+Index: tiff-3.9.4/libtiff/tif_jpeg.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_jpeg.c
+++ tiff-3.9.4/libtiff/tif_jpeg.c
+@@ -850,6 +850,7 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
+ 	if (downsampled_output) {
+ 		/* Need to use raw-data interface to libjpeg */
+ 		sp->cinfo.d.raw_data_out = TRUE;
+                sp->cinfo.d.do_fancy_upsampling = FALSE;
+ 		tif->tif_decoderow = JPEGDecodeRaw;
+ 		tif->tif_decodestrip = JPEGDecodeRaw;
+ 		tif->tif_decodetile = JPEGDecodeRaw;
--- a/tiff-3.9.4-scanlinesize.patch
+++ b/tiff-3.9.4-scanlinesize.patch
@ -0,0 +1,65 @@
+diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
+--- tiff-3.9.2.orig/libtiff/tif_jpeg.c	2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_jpeg.c	2010-01-05 22:40:40.000000000 -0500
+@@ -988,8 +988,15 @@
+ 	tsize_t nrows;
+ 	(void) s;
+ 
+-	/* data is expected to be read in multiples of a scanline */
+-	if ( (nrows = sp->cinfo.d.image_height) ) {
+    nrows = cc / sp->bytesperline;
+    if (cc % sp->bytesperline)
+		TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
+
+    if( nrows > (int) sp->cinfo.d.image_height )
+        nrows = sp->cinfo.d.image_height;
+
+    /* data is expected to be read in multiples of a scanline */
+    if (nrows) {
+ 		/* Cb,Cr both have sampling factors 1, so this is correct */
+ 		JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;            
+ 		int samples_per_clump = sp->samplesperclump;
+@@ -1087,8 +1094,7 @@
+ 			 * TODO: resolve this */
+ 			buf += sp->bytesperline;
+ 			cc -= sp->bytesperline;
+-			nrows -= sp->v_sampling;
+-		} while (nrows > 0);
+		} while (--nrows > 0);
+ 
+ #ifdef JPEG_LIB_MK1
+ 		_TIFFfree(tmpbuf);
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c	2006-03-25 13:04:35.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_strip.c	2010-01-05 21:39:20.000000000 -0500
+@@ -238,23 +238,19 @@
+ 				     ycbcrsubsampling + 0,
+ 				     ycbcrsubsampling + 1);
+ 
+-			if (ycbcrsubsampling[0] == 0) {
+			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ 					     "Invalid YCbCr subsampling");
+ 				return 0;
+ 			}
+ 
+-			scanline = TIFFroundup(td->td_imagewidth,
+			/* number of sample clumps per line */
+			scanline = TIFFhowmany(td->td_imagewidth,
+ 					       ycbcrsubsampling[0]);
+-			scanline = TIFFhowmany8(multiply(tif, scanline,
+-							 td->td_bitspersample,
+-							 "TIFFScanlineSize"));
+-			return ((tsize_t)
+-				summarize(tif, scanline,
+-					  multiply(tif, 2,
+-						scanline / ycbcrsubsampling[0],
+-						"TIFFVStripSize"),
+-					  "TIFFVStripSize"));
+			/* number of samples per line */
+			scanline = multiply(tif, scanline,
+					    ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
+					    "TIFFScanlineSize");
+ 		} else {
+ 			scanline = multiply(tif, td->td_imagewidth,
+ 					    td->td_samplesperpixel,
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Sep  6 14:56:09 CEST 2010 - pgajdos@suse.cz
+
+- fixed "Possibly exploitable memory corruption issue in libtiff"
+  (see http://bugzilla.maptools.org/show_bug.cgi?id=2228)
+  [bnc#624215]
+  * scanlinesize.patch
+- fixed crash while using libjpeg7 and higher
+  * dont-fancy-upsampling.patch
+
 -------------------------------------------------------------------
 Mon Jul 12 16:36:48 CEST 2010 - pgajdos@suse.cz

--- a/tiff.spec
+++ b/tiff.spec
@ -38,6 +38,8 @@ Patch2:         tiff-%{version}-seek.patch
 Patch3:         tiff-%{version}-tiff2pdf-colors.patch
 Patch6:         tiff-%{version}-oob-read.patch
 Patch7:         tiff-%{version}-getimage-64bit.patch
+Patch8:         tiff-%{version}-scanlinesize.patch
+Patch9:         tiff-%{version}-dont-fancy-upsampling.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@ -101,6 +103,8 @@ the libtiff library.
 %patch3 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755