pool/tiff
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 433716 from graphics

Browse Source 
CVE-2016-3622

OBS-URL: https://build.opensuse.org/request/show/433716
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=61
This commit is contained in:
Dominique Leuenberger 2016-10-14 01:37:22 +00:00 committed by Git OBS Bridge
commit 50c48502f4
4 changed files with 264 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch Normal file
View File

@ -0,0 +1,31 @@
--- tiff-4.0.6/libtiff/tif_getimage.c 2015-08-29 00:16:22.517401728 +0200
+++ tiff-4.0.6/libtiff/tif_getimage.c 2016-10-06 09:42:41.204607032 +0200
@@ -95,6 +95,10 @@
td->td_bitspersample);
return (0);
}
+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
+ return (0);
+ }
colorchannels = td->td_samplesperpixel - td->td_extrasamples;
if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
switch (colorchannels) {
--- tiff-4.0.6/libtiff/tif_predict.c 2015-09-01 04:39:39.547152871 +0200
+++ tiff-4.0.6/libtiff/tif_predict.c 2016-10-06 09:42:41.204607032 +0200
@@ -80,6 +80,15 @@
td->td_sampleformat);
return 0;
}
+ if (td->td_bitspersample != 16
+ && td->td_bitspersample != 24
+ && td->td_bitspersample != 32
+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Floating point \"Predictor\" not supported with %d-bit samples",
+ td->td_bitspersample);
+ return 0;
+ }
break;
default:
TIFFErrorExt(tif->tif_clientdata, module,

217
tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch Normal file
View File

@ -0,0 +1,217 @@
--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-10-06 09:33:52.616248149 +0200
@@ -973,17 +973,14 @@
a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
}
} else {
- ip += n - 1; /* point to last one */
- wp += n - 1; /* point to last one */
+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
}
}
}
@@ -1026,17 +1023,14 @@
a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
}
} else {
- ip += n - 1; /* point to last one */
- wp += n - 1; /* point to last one */
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
}
}
}
@@ -1079,17 +1073,14 @@
ip += 4;
}
} else {
- wp += n + stride - 1; /* point to last one */
- ip += n + stride - 1; /* point to last one */
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
}
}
}
--- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200
+++ tiff-4.0.6/libtiff/tif_write.c 2016-10-06 09:33:52.616248149 +0200
@@ -764,7 +764,14 @@
if (!TIFFAppendToStrip(tif,
isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
tif->tif_rawdata, tif->tif_rawcc))
+ {
+ /* We update those variables even in case of error since there's */
+ /* code that doesn't really check the return code of this */
+ /* function */
+ tif->tif_rawcc = 0;
+ tif->tif_rawcp = tif->tif_rawdata;
return (0);
+ }
tif->tif_rawcc = 0;
tif->tif_rawcp = tif->tif_rawdata;
}
--- tiff-4.0.6/tools/tiff2pdf.c 2015-09-06 20:24:27.000000000 +0200
+++ tiff-4.0.6/tools/tiff2pdf.c 2016-10-06 09:33:52.616248149 +0200
@@ -286,7 +286,7 @@
int t2p_process_ojpeg_tables(T2P*, TIFF*);
#endif
#ifdef JPEG_SUPPORT
-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
#endif
void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
void t2p_write_advance_directory(T2P*, TIFF*);
@@ -2409,6 +2409,7 @@
stripbuffer,
&striplength,
buffer,
+ t2p->tiff_datasize,
&bufferoffset,
i,
t2p->tiff_length)){
@@ -3439,6 +3440,7 @@
unsigned char* strip,
tsize_t* striplength,
unsigned char* buffer,
+ tsize_t buffersize,
tsize_t* bufferoffset,
tstrip_t no,
uint32 height){
@@ -3473,6 +3475,8 @@
}
switch( strip[i] ){
case 0xd8: /* SOI - start of image */
+ if( *bufferoffset + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
*bufferoffset+=2;
break;
@@ -3482,12 +3486,18 @@
case 0xc9: /* SOF9 */
case 0xca: /* SOF10 */
if(no==0){
+ if( *bufferoffset + datalen + 2 + 6 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ if( *bufferoffset + 9 >= buffersize )
+ return(0);
ncomp = buffer[*bufferoffset+9];
if (ncomp < 1 || ncomp > 4)
return(0);
v_samp=1;
h_samp=1;
+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
+ return(0);
for(j=0;j<ncomp;j++){
uint16 samp = buffer[*bufferoffset+11+(3*j)];
if( (samp>>4) > h_samp)
@@ -3519,20 +3529,28 @@
break;
case 0xc4: /* DHT */
case 0xdb: /* DQT */
+ if( *bufferoffset + datalen + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
*bufferoffset+=datalen+2;
break;
case 0xda: /* SOS */
if(no==0){
+ if( *bufferoffset + datalen + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
*bufferoffset+=datalen+2;
} else {
+ if( *bufferoffset + 2 > buffersize )
+ return(0);
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=
(unsigned char)(0xd0 | ((no-1)%8));
}
i += datalen + 1;
/* copy remainder of strip */
+ if( *bufferoffset + *striplength - i > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
*bufferoffset+= *striplength - i;
return(1);
--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200
+++ tiff-4.0.6/tools/tiffcrop.c 2016-10-06 09:33:52.616248149 +0200
@@ -5737,7 +5737,8 @@
{
uint32 i;
float xres = 0.0, yres = 0.0;
- uint16 nstrips = 0, ntiles = 0, planar = 0;
+ uint32 nstrips = 0, ntiles = 0;
+ uint16 planar = 0;
uint16 bps = 0, spp = 0, res_unit = 0;
uint16 orientation = 0;
uint16 input_compression = 0, input_photometric = 0;
@@ -6013,11 +6014,23 @@
/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
/* outside buffer */
if (!read_buff)
+ {
+ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+ }
else
{
if (prev_readsize < buffsize)
{
+ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
new_buff = _TIFFrealloc(read_buff, buffsize+3);
if (!new_buff)
{
@@ -8859,6 +8872,11 @@
}
bytes_per_pixel = ((bps * spp) + 7) / 8;
+ if( bytes_per_pixel > sizeof(swapbuff) )
+ {
+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
+ return (1);
+ }
switch (bps / 8)
{
case 8: /* Use memcpy for multiple bytes per sample data */

11
tiff.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Oct 6 07:47:19 UTC 2016 - fstrba@suse.com
- Added patches:
* tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
- Upstream fixes for MSVR 35093, MSVR 35094, MSVR 35095,
MSVR 35096, MSVR 35097, MSVR 35098.
* tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
- Enforce bits-per-sample requirements of floating point
predictor. Fixes CVE-2016-3622 [bsc#974449]
-------------------------------------------------------------------
Thu Sep 1 14:35:57 UTC 2016 - fstrba@suse.com

5
tiff.spec
View File

@ -46,6 +46,9 @@ Patch9: tiff-4.0.6-CVE-2016-3623.patch
Patch10: tiff-4.0.6-CVE-2016-3945.patch
Patch11: tiff-4.0.6-CVE-2016-3990.patch
Patch12: tiff-4.0.6-CVE-2016-3991.patch
#
Patch13: tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
Patch14: tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
BuildRequires: gcc-c++
BuildRequires: libjpeg-devel
@ -120,6 +123,8 @@ the libtiff library.
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%build
CFLAGS="%{optflags} -fPIE"