Accepting request 407887 from graphics
Some security fixes OBS-URL: https://build.opensuse.org/request/show/407887 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=59
commit
446d7dcac3
@ -0,0 +1,17 @@
|
||||
--- tiff-4.0.6/libtiff/tif_luv.c 2015-08-29 00:16:22.554966897 +0200
|
||||
+++ tiff-4.0.6/libtiff/tif_luv.c 2016-07-12 10:15:05.008194511 +0200
|
||||
@@ -1243,6 +1243,14 @@
|
||||
assert(sp != NULL);
|
||||
assert(td->td_photometric == PHOTOMETRIC_LOGL);
|
||||
|
||||
+ if( td->td_samplesperpixel != 1 )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Sorry, can not handle LogL image with %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
/* for some reason, we can't do this in TIFFInitLogL16 */
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
|
||||
sp->user_datafmt = LogL16GuessDataFmt(td);
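Review bot: The new `td_samplesperpixel != 1` guard has no comment saying what it protects, and it follows two `assert()` calls that disappear under NDEBUG, so it is the only runtime validation visible in this hunk. A one-line comment above it would help, for example `/* LogL decodes one luminance sample per pixel; refuse other counts before any buffer is sized from td */`, worded to match what the rest of the function actually allocates. Only the LogL path is shown here, so whether the LogLuv init path needs an equivalent samples-per-pixel check cannot be judged from this hunk and is worth confirming. The enclosing function starts and ends outside the hunk.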
|
@ -0,0 +1,31 @@
|
||||
--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
|
||||
+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-07-12 10:11:52.444459447 +0200
|
||||
@@ -457,6 +457,7 @@
|
||||
typedef struct {
|
||||
TIFFPredictorState predict;
|
||||
z_stream stream;
|
||||
+ tmsize_t tbuf_size; /* only set/used on reading for now */
|
||||
uint16 *tbuf;
|
||||
uint16 stride;
|
||||
int state;
|
||||
@@ -692,6 +693,7 @@
|
||||
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
|
||||
if (sp->tbuf == NULL)
|
||||
return (0);
|
||||
+ sp->tbuf_size = tbuf_size;
|
||||
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
|
||||
sp->user_datafmt = PixarLogGuessDataFmt(td);
|
||||
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
|
||||
@@ -781,6 +783,12 @@
|
||||
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
|
||||
return (0);
|
||||
}
|
||||
+ /* Check that we will not fill more than what was allocated */
|
||||
+ if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
|
||||
+ return (0);
|
||||
+ }
|
||||
do {
|
||||
int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
|
||||
if (state == Z_STREAM_END) {
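Review bot: The error text in the third hunk, `"sp->stream.avail_out > sp->tbuf_size"`, is the raw C expression, which gives whoever triages a rejected file nothing to go on. Reporting both sizes would be more useful, e.g. `"Decoded size %lu exceeds scratch buffer %lu", (unsigned long) sp->stream.avail_out, (unsigned long) sp->tbuf_size`. The guard also relies on `tbuf_size` being zero until the setup hunk assigns it (the field comment says it is only set on reading), so it fails closed only if the state struct is zero-initialised, which is not visible here and should be confirmed. Both the setup and the decode function extend beyond their hunks.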
|
@ -0,0 +1,124 @@
|
||||
--- tiff-4.0.6/libtiff/tif_read.c 2015-08-29 00:16:22.656727936 +0200
|
||||
+++ tiff-4.0.6/libtiff/tif_read.c 2016-07-12 10:16:48.693897925 +0200
|
||||
@@ -38,6 +38,8 @@
|
||||
static int TIFFCheckRead(TIFF*, int);
|
||||
static tmsize_t
|
||||
TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module);
|
||||
+static tmsize_t
|
||||
+TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module);
|
||||
|
||||
#define NOSTRIP ((uint32)(-1)) /* undefined state */
|
||||
#define NOTILE ((uint32)(-1)) /* undefined state */
|
||||
@@ -350,6 +352,24 @@
|
||||
stripsize=TIFFVStripSize(tif,rows);
|
||||
if (stripsize==0)
|
||||
return((tmsize_t)(-1));
|
||||
+
|
||||
+ /* shortcut to avoid an extra memcpy() */
|
||||
+ if( td->td_compression == COMPRESSION_NONE &&
|
||||
+ size!=(tmsize_t)(-1) && size >= stripsize &&
|
||||
+ !isMapped(tif) &&
|
||||
+ ((tif->tif_flags&TIFF_NOREADRAW)==0) )
|
||||
+ {
|
||||
+ if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
|
||||
+ return ((tmsize_t)(-1));
|
||||
+
|
||||
+ if (!isFillOrder(tif, td->td_fillorder) &&
|
||||
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
|
||||
+ TIFFReverseBits(buf,stripsize);
|
||||
+
|
||||
+ (*tif->tif_postdecode)(tif,buf,stripsize);
|
||||
+ return (stripsize);
|
||||
+ }
|
||||
+
|
||||
if ((size!=(tmsize_t)(-1))&&(size<stripsize))
|
||||
stripsize=size;
|
||||
if (!TIFFFillStrip(tif,strip))
|
||||
@@ -661,6 +681,24 @@
|
||||
(unsigned long) tile, (unsigned long) td->td_nstrips);
|
||||
return ((tmsize_t)(-1));
|
||||
}
|
||||
+
|
||||
+ /* shortcut to avoid an extra memcpy() */
|
||||
+ if( td->td_compression == COMPRESSION_NONE &&
|
||||
+ size!=(tmsize_t)(-1) && size >= tilesize &&
|
||||
+ !isMapped(tif) &&
|
||||
+ ((tif->tif_flags&TIFF_NOREADRAW)==0) )
|
||||
+ {
|
||||
+ if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize)
|
||||
+ return ((tmsize_t)(-1));
|
||||
+
|
||||
+ if (!isFillOrder(tif, td->td_fillorder) &&
|
||||
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
|
||||
+ TIFFReverseBits(buf,tilesize);
|
||||
+
|
||||
+ (*tif->tif_postdecode)(tif,buf,tilesize);
|
||||
+ return (tilesize);
|
||||
+ }
|
||||
+
|
||||
if (size == (tmsize_t)(-1))
|
||||
size = tilesize;
|
||||
else if (size > tilesize)
|
||||
--- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200
|
||||
+++ tiff-4.0.6/libtiff/tif_write.c 2016-07-12 10:16:48.693897925 +0200
|
||||
@@ -258,6 +258,23 @@
|
||||
tif->tif_rawcp = tif->tif_rawdata;
|
||||
|
||||
tif->tif_flags &= ~TIFF_POSTENCODE;
|
||||
+
|
||||
+ /* shortcut to avoid an extra memcpy() */
|
||||
+ if( td->td_compression == COMPRESSION_NONE )
|
||||
+ {
|
||||
+ /* swab if needed - note that source buffer will be altered */
|
||||
+ tif->tif_postdecode( tif, (uint8*) data, cc );
|
||||
+
|
||||
+ if (!isFillOrder(tif, td->td_fillorder) &&
|
||||
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
|
||||
+ TIFFReverseBits((uint8*) data, cc);
|
||||
+
|
||||
+ if (cc > 0 &&
|
||||
+ !TIFFAppendToStrip(tif, strip, (uint8*) data, cc))
|
||||
+ return ((tmsize_t) -1);
|
||||
+ return (cc);
|
||||
+ }
|
||||
+
|
||||
sample = (uint16)(strip / td->td_stripsperimage);
|
||||
if (!(*tif->tif_preencode)(tif, sample))
|
||||
return ((tmsize_t) -1);
|
||||
@@ -431,9 +448,7 @@
|
||||
tif->tif_flags |= TIFF_CODERSETUP;
|
||||
}
|
||||
tif->tif_flags &= ~TIFF_POSTENCODE;
|
||||
- sample = (uint16)(tile/td->td_stripsperimage);
|
||||
- if (!(*tif->tif_preencode)(tif, sample))
|
||||
- return ((tmsize_t)(-1));
|
||||
+
|
||||
/*
|
||||
* Clamp write amount to the tile size. This is mostly
|
||||
* done so that callers can pass in some large number
|
||||
@@ -442,6 +457,25 @@
|
||||
if ( cc < 1 || cc > tif->tif_tilesize)
|
||||
cc = tif->tif_tilesize;
|
||||
|
||||
+ /* shortcut to avoid an extra memcpy() */
|
||||
+ if( td->td_compression == COMPRESSION_NONE )
|
||||
+ {
|
||||
+ /* swab if needed - note that source buffer will be altered */
|
||||
+ tif->tif_postdecode( tif, (uint8*) data, cc );
|
||||
+
|
||||
+ if (!isFillOrder(tif, td->td_fillorder) &&
|
||||
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
|
||||
+ TIFFReverseBits((uint8*) data, cc);
|
||||
+
|
||||
+ if (cc > 0 &&
|
||||
+ !TIFFAppendToStrip(tif, tile, (uint8*) data, cc))
|
||||
+ return ((tmsize_t) -1);
|
||||
+ return (cc);
|
||||
+ }
|
||||
+
|
||||
+ sample = (uint16)(tile/td->td_stripsperimage);
|
||||
+ if (!(*tif->tif_preencode)(tif, sample))
|
||||
+ return ((tmsize_t)(-1));
|
||||
/* swab if needed - note that source buffer will be altered */
|
||||
tif->tif_postdecode( tif, (uint8*) data, cc );
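Review bot: The comment `/* shortcut to avoid an extra memcpy() */` on the read-side shortcuts names the optimisation but not the condition that makes it safe, namely `size >= stripsize` (and `size >= tilesize`) guaranteeing the caller's buffer holds a full strip or tile before `TIFFReadRawStrip1`/`TIFFReadRawTile1` write into it directly. The comment should state that, e.g. `/* caller's buffer holds a full strip (size >= stripsize): read straight into it */`, and mention that on a short read the function returns -1 after `buf` may already have been partly overwritten. The write-side shortcuts in tif_write.c call `tif_postdecode` and `TIFFReverseBits` before the `cc > 0` test; the tile variant clamps `cc` in the lines just above, but no bound on `cc` is visible in the strip hunk, so that should be checked in the part of the function outside it. The same block is pasted four times and could be one static helper per direction.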
|
||||
|
11
tiff.changes
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com
|
||||
|
||||
- Added patches:
|
||||
* tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
|
||||
* tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
|
||||
* tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
|
||||
- Upstream commits to fix CVE-2016-5314 [bsc#984831],
|
||||
CVE-2016-5316 [bsc#984837], CVE-2016-5317 [bsc#984842],
|
||||
CVE-2016-5320 [bsc#984808] and CVE-2016-5875 [bsc#987351]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 6 13:56:19 UTC 2016 - fstrba@suse.com
|
||||
|
||||
|
@ -37,6 +37,11 @@ Patch3: tiff-4.0.6-CVE-2015-7554.patch
|
||||
Patch4: tiff-4.0.6-CVE-2015-8782.patch
|
||||
#
|
||||
Patch5: tiff-4.0.6-CVE-2016-3186.patch
|
||||
#
|
||||
Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
|
||||
Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
|
||||
Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
|
||||
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libjpeg-devel
|
||||
BuildRequires: libtool
|
||||
@ -103,6 +108,9 @@ the libtiff library.
|
||||
%patch3
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
|
||||
%build
|
||||
CFLAGS="%{optflags} -fPIE"
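Review bot: Patch6 to Patch8 are added without the CVE reference that Patch3 to Patch5 carry in their file names, so the spec alone no longer shows which fix covers which advisory; that mapping lives only in tiff.changes, and there only as a combined list. A comment line above each entry, for example `# PATCH-FIX-UPSTREAM <CVE-id> <bsc#id> <upstream commit>` with the real values filled in, would keep this traceable when the patches are later rebased or dropped.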
|
||||
|