From 6803e562210e54605972009e536d5fe1ac30797c0df619d8ad5fad0dd1ba5746 Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Tue, 20 Feb 2018 16:23:09 +0000
Subject: [PATCH 1/2] - bsc#1081690: Add tiff-4.0.9-CVE-2018-5784.patch   Fix
 uncontrolled resource consumption in TIFFSetDirectory

OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=113
---
 tiff-4.0.9-bsc1081690-CVE-2018-5784.patch | 128 ++++++++++++++++++++++
 tiff.changes                              |   6 +
 tiff.spec                                 |   2 +
 3 files changed, 136 insertions(+)
 create mode 100644 tiff-4.0.9-bsc1081690-CVE-2018-5784.patch

diff --git a/tiff-4.0.9-bsc1081690-CVE-2018-5784.patch b/tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
new file mode 100644
index 0000000..8fb8316
--- /dev/null
+++ b/tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
@@ -0,0 +1,128 @@
+From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001
+From: Nathan Baker <nathanb@lenovo-chrome.com>
+Date: Tue, 6 Feb 2018 10:13:57 -0500
+Subject: [PATCH] Fix for bug 2772
+
+It is possible to craft a TIFF document where the IFD list is circular,
+leading to an infinite loop while traversing the chain. The libtiff
+directory reader has a failsafe that will break out of this loop after
+reading 65535 directory entries, but it will continue processing,
+consuming time and resources to process what is essentially a bogus TIFF
+document.
+
+This change fixes the above behavior by breaking out of processing when
+a TIFF document has >= 65535 directories and terminating with an error.
+---
+ contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
+ tools/tiff2pdf.c                | 10 ++++++++++
+ tools/tiffcrop.c                | 13 +++++++++++--
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
+index c61ffbb..03b3573 100644
+--- a/contrib/addtiffo/tif_overview.c
++++ b/contrib/addtiffo/tif_overview.c
+@@ -65,6 +65,8 @@
+ #  define MAX(a,b)      ((a>b) ? a : b)
+ #endif
+ 
++#define TIFF_DIR_MAX  65534
++
+ void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
+                          int (*)(double,void*), void * );
+ 
+@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
+ {
+     toff_t	nBaseDirOffset;
+     toff_t	nOffset;
++    tdir_t	iNumDir;
+ 
+     (void) bUseSubIFDs;
+ 
+@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
+         return 0;
+ 
+     TIFFWriteDirectory( hTIFF );
+-    TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
++    iNumDir = TIFFNumberOfDirectories(hTIFF);
++    if( iNumDir > TIFF_DIR_MAX )
++    {
++        TIFFErrorExt( TIFFClientdata(hTIFF),
++                      "TIFF_WriteOverview",
++                      "File `%s' has too many directories.\n",
++                      TIFFFileName(hTIFF) );
++        exit(-1);
++    }
++    TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
+ 
+     nOffset = TIFFCurrentDirOffset( hTIFF );
+ 
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 984ef65..832a247 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
+ 
+ #define PS_UNIT_SIZE	72.0F
+ 
++#define TIFF_DIR_MAX    65534
++
+ /* This type is of PDF color spaces. */
+ typedef enum {
+ 	T2P_CS_BILEVEL = 0x01,	/* Bilevel, black and white */
+@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 	uint16* tiff_transferfunction[3];
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
++	if(directorycount > TIFF_DIR_MAX) {
++		TIFFError(
++			TIFF2PDF_MODULE,
++			"TIFF contains too many directories, %s",
++			TIFFFileName(input));
++		t2p->t2p_error = T2P_ERR_ERROR;
++		return;
++	}
+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+ 	if(t2p->tiff_pages==NULL){
+ 		TIFFError(
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 91a38f6..e466dae 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -215,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+ #define DUMP_TEXT   1
+ #define DUMP_RAW    2
+ 
++#define TIFF_DIR_MAX  65534
++
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+   uint32  tmargin;
+@@ -2232,7 +2234,7 @@ main(int argc, char* argv[])
+     pageNum = -1;
+   else
+     total_images = 0;
+-  /* read multiple input files and write to output file(s) */
++  /* Read multiple input files and write to output file(s) */
+   while (optind < argc - 1)
+     {
+     in = TIFFOpen (argv[optind], "r");
+@@ -2240,7 +2242,14 @@ main(int argc, char* argv[])
+       return (-3);
+ 
+     /* If only one input file is specified, we can use directory count */
+-    total_images = TIFFNumberOfDirectories(in); 
++    total_images = TIFFNumberOfDirectories(in);
++    if (total_images > TIFF_DIR_MAX)
++      {
++      TIFFError (TIFFFileName(in), "File contains too many directories");
++      if (out != NULL)
++        (void) TIFFClose(out);
++      return (1);
++      }
+     if (image_count == 0)
+       {
+       dirnum = 0;
+--
+libgit2 0.26.0
+
diff --git a/tiff.changes b/tiff.changes
index 1f61912..3603b3f 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Feb 20 16:18:33 UTC 2018 - mvetter@suse.com
+
+- bsc#1081690: Add tiff-4.0.9-CVE-2018-5784.patch
+  Fix uncontrolled resource consumption in TIFFSetDirectory
+
 -------------------------------------------------------------------
 Fri Feb 16 14:05:39 UTC 2018 - mvetter@suse.com
 
diff --git a/tiff.spec b/tiff.spec
index 3c10660..433d9f7 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -31,6 +31,7 @@ Patch0:         tiff-4.0.3-seek.patch
 Patch1:         tiff-4.0.3-compress-warning.patch
 # Contained in upstream repo. See bsc#1046077 for commit IDs.
 Patch2:         tiff-4.0.9-bsc1046077-CVE-2017-9935.patch
+Patch3:         tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
 
 BuildRequires:  gcc-c++
 BuildRequires:  libjpeg-devel
@@ -95,6 +96,7 @@ the libtiff library.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 CFLAGS="%{optflags} -fPIE"

From facb4b0d943d74d4fe0da796240e28ce84a5d79f6f74470bad261c6ddc9f0ca8 Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Tue, 20 Feb 2018 16:40:49 +0000
Subject: [PATCH 2/2] - bsc#1081690: Add
 tiff-4.0.9-bsc1081690-CVE-2018-5784.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=114
---
 tiff.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tiff.changes b/tiff.changes
index 3603b3f..8b71384 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
 Tue Feb 20 16:18:33 UTC 2018 - mvetter@suse.com
 
-- bsc#1081690: Add tiff-4.0.9-CVE-2018-5784.patch
+- bsc#1081690: Add tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
   Fix uncontrolled resource consumption in TIFFSetDirectory
 
 -------------------------------------------------------------------