diff --git a/tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch b/tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch new file mode 100644 index 0000000..eac877c --- /dev/null +++ b/tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch @@ -0,0 +1,31 @@ +--- tiff-4.0.6/libtiff/tif_getimage.c 2015-08-29 00:16:22.517401728 +0200 ++++ tiff-4.0.6/libtiff/tif_getimage.c 2016-10-06 09:42:41.204607032 +0200 +@@ -95,6 +95,10 @@ + td->td_bitspersample); + return (0); + } ++ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) { ++ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples"); ++ return (0); ++ } + colorchannels = td->td_samplesperpixel - td->td_extrasamples; + if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) { + switch (colorchannels) { +--- tiff-4.0.6/libtiff/tif_predict.c 2015-09-01 04:39:39.547152871 +0200 ++++ tiff-4.0.6/libtiff/tif_predict.c 2016-10-06 09:42:41.204607032 +0200 +@@ -80,6 +80,15 @@ + td->td_sampleformat); + return 0; + } ++ if (td->td_bitspersample != 16 ++ && td->td_bitspersample != 24 ++ && td->td_bitspersample != 32 ++ && td->td_bitspersample != 64) { /* Should 64 be allowed? */ ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Floating point \"Predictor\" not supported with %d-bit samples", ++ td->td_bitspersample); ++ return 0; ++ } + break; + default: + TIFFErrorExt(tif->tif_clientdata, module, diff --git a/tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch b/tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch new file mode 100644 index 0000000..f444462 --- /dev/null +++ b/tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch @@ -0,0 +1,217 @@ +--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 ++++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-10-06 09:33:52.616248149 +0200 +@@ -973,17 +973,14 @@ + a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; + } + } else { +- ip += n - 1; /* point to last one */ +- wp += n - 1; /* point to last one */ ++ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++) + n -= stride; + while (n > 0) { +- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); +- wp[stride] -= wp[0]; +- wp[stride] &= mask; +- wp--; ip--) ++ REPEAT(stride, ++ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask); ++ wp++; ip++) + n -= stride; + } +- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--) + } + } + } +@@ -1026,17 +1023,14 @@ + a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; + } + } else { +- ip += n - 1; /* point to last one */ +- wp += n - 1; /* point to last one */ ++ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) + n -= stride; + while (n > 0) { +- REPEAT(stride, wp[0] = CLAMP(ip[0]); +- wp[stride] -= wp[0]; +- wp[stride] &= mask; +- wp--; ip--) ++ REPEAT(stride, ++ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); ++ wp++; ip++) + n -= stride; + } +- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) + } + } + } +@@ -1079,17 +1073,14 @@ + ip += 4; + } + } else { +- wp += n + stride - 1; /* point to last one */ +- ip += n + stride - 1; /* point to last one */ ++ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) + n -= stride; + while (n > 0) { +- REPEAT(stride, wp[0] = CLAMP(ip[0]); +- wp[stride] -= wp[0]; +- wp[stride] &= mask; +- wp--; ip--) ++ REPEAT(stride, ++ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); ++ wp++; ip++) + n -= stride; + } +- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) + } + } + } +--- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200 ++++ tiff-4.0.6/libtiff/tif_write.c 2016-10-06 09:33:52.616248149 +0200 +@@ -764,7 +764,14 @@ + if (!TIFFAppendToStrip(tif, + isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip, + tif->tif_rawdata, tif->tif_rawcc)) ++ { ++ /* We update those variables even in case of error since there's */ ++ /* code that doesn't really check the return code of this */ ++ /* function */ ++ tif->tif_rawcc = 0; ++ tif->tif_rawcp = tif->tif_rawdata; + return (0); ++ } + tif->tif_rawcc = 0; + tif->tif_rawcp = tif->tif_rawdata; + } +--- tiff-4.0.6/tools/tiff2pdf.c 2015-09-06 20:24:27.000000000 +0200 ++++ tiff-4.0.6/tools/tiff2pdf.c 2016-10-06 09:33:52.616248149 +0200 +@@ -286,7 +286,7 @@ + int t2p_process_ojpeg_tables(T2P*, TIFF*); + #endif + #ifdef JPEG_SUPPORT +-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32); ++int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32); + #endif + void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32); + void t2p_write_advance_directory(T2P*, TIFF*); +@@ -2409,6 +2409,7 @@ + stripbuffer, + &striplength, + buffer, ++ t2p->tiff_datasize, + &bufferoffset, + i, + t2p->tiff_length)){ +@@ -3439,6 +3440,7 @@ + unsigned char* strip, + tsize_t* striplength, + unsigned char* buffer, ++ tsize_t buffersize, + tsize_t* bufferoffset, + tstrip_t no, + uint32 height){ +@@ -3473,6 +3475,8 @@ + } + switch( strip[i] ){ + case 0xd8: /* SOI - start of image */ ++ if( *bufferoffset + 2 > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); + *bufferoffset+=2; + break; +@@ -3482,12 +3486,18 @@ + case 0xc9: /* SOF9 */ + case 0xca: /* SOF10 */ + if(no==0){ ++ if( *bufferoffset + datalen + 2 + 6 > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ if( *bufferoffset + 9 >= buffersize ) ++ return(0); + ncomp = buffer[*bufferoffset+9]; + if (ncomp < 1 || ncomp > 4) + return(0); + v_samp=1; + h_samp=1; ++ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize ) ++ return(0); + for(j=0;j>4) > h_samp) +@@ -3519,20 +3529,28 @@ + break; + case 0xc4: /* DHT */ + case 0xdb: /* DQT */ ++ if( *bufferoffset + datalen + 2 > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; + break; + case 0xda: /* SOS */ + if(no==0){ ++ if( *bufferoffset + datalen + 2 > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; + } else { ++ if( *bufferoffset + 2 > buffersize ) ++ return(0); + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]= + (unsigned char)(0xd0 | ((no-1)%8)); + } + i += datalen + 1; + /* copy remainder of strip */ ++ if( *bufferoffset + *striplength - i > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); + *bufferoffset+= *striplength - i; + return(1); +--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200 ++++ tiff-4.0.6/tools/tiffcrop.c 2016-10-06 09:33:52.616248149 +0200 +@@ -5737,7 +5737,8 @@ + { + uint32 i; + float xres = 0.0, yres = 0.0; +- uint16 nstrips = 0, ntiles = 0, planar = 0; ++ uint32 nstrips = 0, ntiles = 0; ++ uint16 planar = 0; + uint16 bps = 0, spp = 0, res_unit = 0; + uint16 orientation = 0; + uint16 input_compression = 0, input_photometric = 0; +@@ -6013,11 +6014,23 @@ + /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ + /* outside buffer */ + if (!read_buff) ++ { ++ if( buffsize > 0xFFFFFFFFU - 3 ) ++ { ++ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); ++ return (-1); ++ } + read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); ++ } + else + { + if (prev_readsize < buffsize) + { ++ if( buffsize > 0xFFFFFFFFU - 3 ) ++ { ++ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); ++ return (-1); ++ } + new_buff = _TIFFrealloc(read_buff, buffsize+3); + if (!new_buff) + { +@@ -8859,6 +8872,11 @@ + } + + bytes_per_pixel = ((bps * spp) + 7) / 8; ++ if( bytes_per_pixel > sizeof(swapbuff) ) ++ { ++ TIFFError("reverseSamplesBytes","bytes_per_pixel too large"); ++ return (1); ++ } + switch (bps / 8) + { + case 8: /* Use memcpy for multiple bytes per sample data */ diff --git a/tiff.changes b/tiff.changes index 7412661..f58d71f 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Oct 6 07:47:19 UTC 2016 - fstrba@suse.com + +- Added patches: + * tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch + - Upstream fixes for MSVR 35093, MSVR 35094, MSVR 35095, + MSVR 35096, MSVR 35097, MSVR 35098. + * tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch + - Enforce bits-per-sample requirements of floating point + predictor. Fixes CVE-2016-3622 [bsc#974449] + ------------------------------------------------------------------- Thu Sep 1 14:35:57 UTC 2016 - fstrba@suse.com diff --git a/tiff.spec b/tiff.spec index 7a7261f..4b31d71 100644 --- a/tiff.spec +++ b/tiff.spec @@ -46,6 +46,9 @@ Patch9: tiff-4.0.6-CVE-2016-3623.patch Patch10: tiff-4.0.6-CVE-2016-3945.patch Patch11: tiff-4.0.6-CVE-2016-3990.patch Patch12: tiff-4.0.6-CVE-2016-3991.patch +# +Patch13: tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch +Patch14: tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -120,6 +123,8 @@ the libtiff library. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build CFLAGS="%{optflags} -fPIE"