From 6232377d76af8ef6517419a1206a8a1f4e446eecb10f4d90b3d5c429ed6a4b19 Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Wed, 30 Jan 2019 13:03:18 +0000
Subject: [PATCH] Accepting request 670119 from home:pgajdos

- extend tiff-CVE-2018-19210.patch and rename it to
  tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
  * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]

OBS-URL: https://build.opensuse.org/request/show/670119
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=135
---
 tiff-CVE-2018-17000,19210.patch | 55 +++++++++++++++++++++++++++++++++
 tiff-CVE-2018-19210.patch       | 14 ---------
 tiff.changes                    |  7 +++++
 tiff.spec                       |  2 +-
 4 files changed, 63 insertions(+), 15 deletions(-)
 create mode 100644 tiff-CVE-2018-17000,19210.patch
 delete mode 100644 tiff-CVE-2018-19210.patch

diff --git a/tiff-CVE-2018-17000,19210.patch b/tiff-CVE-2018-17000,19210.patch
new file mode 100644
index 0000000..742d0d0
--- /dev/null
+++ b/tiff-CVE-2018-17000,19210.patch
@@ -0,0 +1,55 @@
+Index: tiff-4.0.10/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c	2018-06-24 22:26:30.335763566 +0200
++++ tiff-4.0.10/libtiff/tif_dirwrite.c	2018-11-19 14:21:42.703256410 +0100
+@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
+ 	}
+ 	m=(1<<tif->tif_dir.td_bitspersample);
+ 	n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
++        if (tif->tif_dir.td_transferfunction[2] == NULL ||
++            tif->tif_dir.td_transferfunction[1] == NULL)
++          n = 1;
+ 	/*
+ 	 * Check if the table can be written as a single column,
+ 	 * or if it must be written as 3 columns.  Note that we
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+                 _TIFFfree(td->td_smaxsamplevalue);
+                 td->td_smaxsamplevalue = NULL;
+             }
++            /* Test if 3 transfer functions instead of just one are now needed
++               See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
++            if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
++                !(td->td_samplesperpixel - td->td_extrasamples > 1))
++            {
++                    TIFFWarningExt(tif->tif_clientdata,module,
++                        "SamplesPerPixel tag value is changing, "
++                        "but TransferFunction was read with a different value. Cancelling it");
++                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++                    _TIFFfree(td->td_transferfunction[0]);
++                    td->td_transferfunction[0] = NULL;
++            }
+         }
+ 		td->td_samplesperpixel = (uint16) v;
+ 		break;
+@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ 		break;
+ 	case TIFFTAG_EXTRASAMPLES:
++            if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
++                 !(td->td_samplesperpixel - td->td_extrasamples > 1))
++            {
++                    TIFFWarningExt(tif->tif_clientdata,module,
++                        "ExtraSamples tag value is changing, "
++                        "but TransferFunction was read with a different value. Cancelling it");
++                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++                    _TIFFfree(td->td_transferfunction[0]);
++                    td->td_transferfunction[0] = NULL;
++            }
+ 		if (!setExtraSamples(td, ap, &v))
+ 			goto badvalue;
+ 		break;
+
diff --git a/tiff-CVE-2018-19210.patch b/tiff-CVE-2018-19210.patch
deleted file mode 100644
index c9fde26..0000000
--- a/tiff-CVE-2018-19210.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Index: tiff-4.0.10/libtiff/tif_dirwrite.c
-===================================================================
---- tiff-4.0.10.orig/libtiff/tif_dirwrite.c	2018-06-24 22:26:30.335763566 +0200
-+++ tiff-4.0.10/libtiff/tif_dirwrite.c	2018-11-19 14:21:42.703256410 +0100
-@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
- 	}
- 	m=(1<<tif->tif_dir.td_bitspersample);
- 	n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
-+        if (tif->tif_dir.td_transferfunction[2] == NULL ||
-+            tif->tif_dir.td_transferfunction[1] == NULL)
-+          n = 1;
- 	/*
- 	 * Check if the table can be written as a single column,
- 	 * or if it must be written as 3 columns.  Note that we
diff --git a/tiff.changes b/tiff.changes
index 9077ec1..d2f2469 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Jan 30 12:47:58 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
+
+- extend tiff-CVE-2018-19210.patch and rename it to
+  tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
+  * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]
+
 -------------------------------------------------------------------
 Wed Jan 30 10:12:37 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
 
diff --git a/tiff.spec b/tiff.spec
index fe925cf..1e5b0fc 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -34,7 +34,7 @@ Patch1:         tiff-4.0.3-compress-warning.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2798
 # https://gitlab.com/libtiff/libtiff/merge_requests/44
 Patch2:         tiff-CVE-2018-12900.patch
-Patch3:         tiff-CVE-2018-19210.patch
+Patch3:         tiff-CVE-2018-17000,19210.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libjbig-devel
 BuildRequires:  libjpeg-devel