Accepting request 407887 from graphics

Some security fixes

OBS-URL: https://build.opensuse.org/request/show/407887
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=59
This commit is contained in:
Dominique Leuenberger 2016-07-18 19:22:59 +00:00 committed by Git OBS Bridge
commit 446d7dcac3
5 changed files with 192 additions and 1 deletions

View File

@ -0,0 +1,17 @@
--- tiff-4.0.6/libtiff/tif_luv.c 2015-08-29 00:16:22.554966897 +0200
+++ tiff-4.0.6/libtiff/tif_luv.c 2016-07-12 10:15:05.008194511 +0200
@@ -1243,6 +1243,14 @@
assert(sp != NULL);
assert(td->td_photometric == PHOTOMETRIC_LOGL);
+ if( td->td_samplesperpixel != 1 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Sorry, can not handle LogL image with %s=%d",
+ "Samples/pixel", td->td_samplesperpixel);
+ return 0;
+ }
+
/* for some reason, we can't do this in TIFFInitLogL16 */
if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
sp->user_datafmt = LogL16GuessDataFmt(td);

View File

@ -0,0 +1,31 @@
--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-07-12 10:11:52.444459447 +0200
@@ -457,6 +457,7 @@
typedef struct {
TIFFPredictorState predict;
z_stream stream;
+ tmsize_t tbuf_size; /* only set/used on reading for now */
uint16 *tbuf;
uint16 stride;
int state;
@@ -692,6 +693,7 @@
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
+ sp->tbuf_size = tbuf_size;
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
sp->user_datafmt = PixarLogGuessDataFmt(td);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -781,6 +783,12 @@
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
return (0);
}
+ /* Check that we will not fill more than what was allocated */
+ if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ return (0);
+ }
do {
int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
if (state == Z_STREAM_END) {

View File

@ -0,0 +1,124 @@
--- tiff-4.0.6/libtiff/tif_read.c 2015-08-29 00:16:22.656727936 +0200
+++ tiff-4.0.6/libtiff/tif_read.c 2016-07-12 10:16:48.693897925 +0200
@@ -38,6 +38,8 @@
static int TIFFCheckRead(TIFF*, int);
static tmsize_t
TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module);
+static tmsize_t
+TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module);
#define NOSTRIP ((uint32)(-1)) /* undefined state */
#define NOTILE ((uint32)(-1)) /* undefined state */
@@ -350,6 +352,24 @@
stripsize=TIFFVStripSize(tif,rows);
if (stripsize==0)
return((tmsize_t)(-1));
+
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE &&
+ size!=(tmsize_t)(-1) && size >= stripsize &&
+ !isMapped(tif) &&
+ ((tif->tif_flags&TIFF_NOREADRAW)==0) )
+ {
+ if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
+ return ((tmsize_t)(-1));
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits(buf,stripsize);
+
+ (*tif->tif_postdecode)(tif,buf,stripsize);
+ return (stripsize);
+ }
+
if ((size!=(tmsize_t)(-1))&&(size<stripsize))
stripsize=size;
if (!TIFFFillStrip(tif,strip))
@@ -661,6 +681,24 @@
(unsigned long) tile, (unsigned long) td->td_nstrips);
return ((tmsize_t)(-1));
}
+
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE &&
+ size!=(tmsize_t)(-1) && size >= tilesize &&
+ !isMapped(tif) &&
+ ((tif->tif_flags&TIFF_NOREADRAW)==0) )
+ {
+ if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize)
+ return ((tmsize_t)(-1));
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits(buf,tilesize);
+
+ (*tif->tif_postdecode)(tif,buf,tilesize);
+ return (tilesize);
+ }
+
if (size == (tmsize_t)(-1))
size = tilesize;
else if (size > tilesize)
--- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200
+++ tiff-4.0.6/libtiff/tif_write.c 2016-07-12 10:16:48.693897925 +0200
@@ -258,6 +258,23 @@
tif->tif_rawcp = tif->tif_rawdata;
tif->tif_flags &= ~TIFF_POSTENCODE;
+
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE )
+ {
+ /* swab if needed - note that source buffer will be altered */
+ tif->tif_postdecode( tif, (uint8*) data, cc );
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits((uint8*) data, cc);
+
+ if (cc > 0 &&
+ !TIFFAppendToStrip(tif, strip, (uint8*) data, cc))
+ return ((tmsize_t) -1);
+ return (cc);
+ }
+
sample = (uint16)(strip / td->td_stripsperimage);
if (!(*tif->tif_preencode)(tif, sample))
return ((tmsize_t) -1);
@@ -431,9 +448,7 @@
tif->tif_flags |= TIFF_CODERSETUP;
}
tif->tif_flags &= ~TIFF_POSTENCODE;
- sample = (uint16)(tile/td->td_stripsperimage);
- if (!(*tif->tif_preencode)(tif, sample))
- return ((tmsize_t)(-1));
+
/*
* Clamp write amount to the tile size. This is mostly
* done so that callers can pass in some large number
@@ -442,6 +457,25 @@
if ( cc < 1 || cc > tif->tif_tilesize)
cc = tif->tif_tilesize;
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE )
+ {
+ /* swab if needed - note that source buffer will be altered */
+ tif->tif_postdecode( tif, (uint8*) data, cc );
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits((uint8*) data, cc);
+
+ if (cc > 0 &&
+ !TIFFAppendToStrip(tif, tile, (uint8*) data, cc))
+ return ((tmsize_t) -1);
+ return (cc);
+ }
+
+ sample = (uint16)(tile/td->td_stripsperimage);
+ if (!(*tif->tif_preencode)(tif, sample))
+ return ((tmsize_t)(-1));
/* swab if needed - note that source buffer will be altered */
tif->tif_postdecode( tif, (uint8*) data, cc );

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com
- Added patches:
* tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
* tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
* tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
- Upstream commits to fix CVE-2016-5314 [bsc#984831],
CVE-2016-5316 [bsc#984837], CVE-2016-5317 [bsc#984842],
CVE-2016-5320 [bsc#984808] and CVE-2016-5875 [bsc#987351]
-------------------------------------------------------------------
Wed Apr 6 13:56:19 UTC 2016 - fstrba@suse.com
@ -11,7 +22,7 @@ Mon Feb 1 08:01:19 UTC 2016 - fstrba@suse.com
- Added patch:
* tiff-4.0.6-CVE-2015-8782.patch
- fix CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds
writes for invalid images (upstream bug #2522) [bsc#964225]
writes for invalid images (upstream bug #2522) [bsc#964225]
-------------------------------------------------------------------
Wed Jan 13 17:03:31 UTC 2016 - fstrba@suse.com

View File

@ -37,6 +37,11 @@ Patch3: tiff-4.0.6-CVE-2015-7554.patch
Patch4: tiff-4.0.6-CVE-2015-8782.patch
#
Patch5: tiff-4.0.6-CVE-2016-3186.patch
#
Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
BuildRequires: gcc-c++
BuildRequires: libjpeg-devel
BuildRequires: libtool
@ -103,6 +108,9 @@ the libtiff library.
%patch3
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
CFLAGS="%{optflags} -fPIE"