From c6abd52efe5da79261170019218f997b9299f32a8b270a7472b6b17eba84e3c0 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Tue, 12 Jul 2016 09:27:05 +0000
Subject: [PATCH] Some security fixes
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=82
---
...c-validate-that-for-COMPRESSION_SGIL.patch | 17 +++
...rlog.c-fix-potential-buffer-write-ov.patch | 31 +++++
...read.c-make-TIFFReadEncodedStrip-and.patch | 124 ++++++++++++++++++
tiff.changes | 13 +-
tiff.spec | 8 ++
5 files changed, 192 insertions(+), 1 deletion(-)
create mode 100644 tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
create mode 100644 tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
create mode 100644 tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
diff --git a/tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch b/tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
new file mode 100644
index 0000000..54a536e
--- /dev/null
+++ b/tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
@@ -0,0 +1,17 @@
+--- tiff-4.0.6/libtiff/tif_luv.c 2015-08-29 00:16:22.554966897 +0200
++++ tiff-4.0.6/libtiff/tif_luv.c 2016-07-12 10:15:05.008194511 +0200
+@@ -1243,6 +1243,14 @@
+ assert(sp != NULL);
+ assert(td->td_photometric == PHOTOMETRIC_LOGL);
+
++ if( td->td_samplesperpixel != 1 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Sorry, can not handle LogL image with %s=%d",
++ "Samples/pixel", td->td_samplesperpixel);
++ return 0;
++ }
++
+ /* for some reason, we can't do this in TIFFInitLogL16 */
+ if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = LogL16GuessDataFmt(td);
diff --git a/tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch b/tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
new file mode 100644
index 0000000..535e466
--- /dev/null
+++ b/tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
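Review bot: The new `td->td_samplesperpixel != 1` guard in the tif_luv.c hunk (-1243) has no comment saying why a LogL image must carry exactly one sample, and it sits directly below two `assert()` calls that vanish under NDEBUG, so in a release build it is the only runtime validation visible at this point. A one-line comment such as `/* LogL holds a single luminance sample per pixel; reject other layouts before the decoder state is set up */` would record the intent (wording to be confirmed against the decoder). The corresponding init path for the three-sample LogLuv photometric is not part of this hunk, so it is worth confirming that it validates `td_samplesperpixel` in the same way. The enclosing function starts and ends outside the hunk.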
@@ -0,0 +1,31 @@
+--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
++++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-07-12 10:11:52.444459447 +0200
+@@ -457,6 +457,7 @@
+ typedef struct {
+ TIFFPredictorState predict;
+ z_stream stream;
++ tmsize_t tbuf_size; /* only set/used on reading for now */
+ uint16 *tbuf;
+ uint16 stride;
+ int state;
+@@ -692,6 +693,7 @@
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
++ sp->tbuf_size = tbuf_size;
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+@@ -781,6 +783,12 @@
+ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ return (0);
+ }
++ /* Check that we will not fill more than what was allocated */
++ if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
++ return (0);
++ }
+ do {
+ int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
+ if (state == Z_STREAM_END) {
diff --git a/tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch b/tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
new file mode 100644
index 0000000..0c3224d
--- /dev/null
+++ b/tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
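Review bot: The bounds check added at -781/+783 of tif_pixarlog.c casts `sp->stream.avail_out` to the signed `tmsize_t` before comparing, so on a build where `tmsize_t` is 32 bits an `avail_out` of 2^31 or more would turn negative and pass the guard. Comparing without narrowing closes that gap, for example `if (sp->tbuf_size < 0 || (uint64)sp->stream.avail_out > (uint64)sp->tbuf_size)`. The field comment says `tbuf_size` is only set on reading, and the encode-side allocation is not in these hunks, so the check relies on the state struct being zeroed at init; that should be confirmed. The error text repeats the C expression and could instead state the condition, e.g. `"Decoded size exceeds the allocated buffer"`. All three hunks sit inside definitions that start and end outside the hunk.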
@@ -0,0 +1,124 @@ +--- tiff-4.0.6/libtiff/tif_read.c 2015-08-29 00:16:22.656727936 +0200 ++++ tiff-4.0.6/libtiff/tif_read.c 2016-07-12 10:16:48.693897925 +0200 +@@ -38,6 +38,8 @@ + static int TIFFCheckRead(TIFF*, int); + static tmsize_t + TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module); ++static tmsize_t ++TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module); + + #define NOSTRIP ((uint32)(-1)) /* undefined state */ + #define NOTILE ((uint32)(-1)) /* undefined state */ +@@ -350,6 +352,24 @@ + stripsize=TIFFVStripSize(tif,rows); + if (stripsize==0) + return((tmsize_t)(-1)); ++ ++ /* shortcut to avoid an extra memcpy() */ ++ if( td->td_compression == COMPRESSION_NONE && ++ size!=(tmsize_t)(-1) && size >= stripsize && ++ !isMapped(tif) && ++ ((tif->tif_flags&TIFF_NOREADRAW)==0) ) ++ { ++ if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize) ++ return ((tmsize_t)(-1)); ++ ++ if (!isFillOrder(tif, td->td_fillorder) && ++ (tif->tif_flags & TIFF_NOBITREV) == 0) ++ TIFFReverseBits(buf,stripsize); ++ ++ (*tif->tif_postdecode)(tif,buf,stripsize); ++ return (stripsize); ++ } ++ + if ((size!=(tmsize_t)(-1))&&(sizetd_nstrips); + return ((tmsize_t)(-1)); + } ++ ++ /* shortcut to avoid an extra memcpy() */ ++ if( td->td_compression == COMPRESSION_NONE && ++ size!=(tmsize_t)(-1) && size >= tilesize && ++ !isMapped(tif) && ++ ((tif->tif_flags&TIFF_NOREADRAW)==0) ) ++ { ++ if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize) ++ return ((tmsize_t)(-1)); ++ ++ if (!isFillOrder(tif, td->td_fillorder) && ++ (tif->tif_flags & TIFF_NOBITREV) == 0) ++ TIFFReverseBits(buf,tilesize); ++ ++ (*tif->tif_postdecode)(tif,buf,tilesize); ++ return (tilesize); ++ } ++ + if (size == (tmsize_t)(-1)) + size = tilesize; + else if (size > tilesize) +--- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200 ++++ tiff-4.0.6/libtiff/tif_write.c 2016-07-12 10:16:48.693897925 +0200 +@@ -258,6 
+258,23 @@
+ tif->tif_rawcp = tif->tif_rawdata;
+
+ tif->tif_flags &= ~TIFF_POSTENCODE;
++
++ /* shortcut to avoid an extra memcpy() */
++ if( td->td_compression == COMPRESSION_NONE )
++ {
++ /* swab if needed - note that source buffer will be altered */
++ tif->tif_postdecode( tif, (uint8*) data, cc );
++
++ if (!isFillOrder(tif, td->td_fillorder) &&
++ (tif->tif_flags & TIFF_NOBITREV) == 0)
++ TIFFReverseBits((uint8*) data, cc);
++
++ if (cc > 0 &&
++ !TIFFAppendToStrip(tif, strip, (uint8*) data, cc))
++ return ((tmsize_t) -1);
++ return (cc);
++ }
++
+ sample = (uint16)(strip / td->td_stripsperimage);
+ if (!(*tif->tif_preencode)(tif, sample))
+ return ((tmsize_t) -1);
+@@ -431,9 +448,7 @@
+ tif->tif_flags |= TIFF_CODERSETUP;
+ }
+ tif->tif_flags &= ~TIFF_POSTENCODE;
+- sample = (uint16)(tile/td->td_stripsperimage);
+- if (!(*tif->tif_preencode)(tif, sample))
+- return ((tmsize_t)(-1));
++
+ /*
+ * Clamp write amount to the tile size. This is mostly
+ * done so that callers can pass in some large number
+@@ -442,6 +457,25 @@
+ if ( cc < 1 || cc > tif->tif_tilesize)
+ cc = tif->tif_tilesize;
+
++ /* shortcut to avoid an extra memcpy() */
++ if( td->td_compression == COMPRESSION_NONE )
++ {
++ /* swab if needed - note that source buffer will be altered */
++ tif->tif_postdecode( tif, (uint8*) data, cc );
++
++ if (!isFillOrder(tif, td->td_fillorder) &&
++ (tif->tif_flags & TIFF_NOBITREV) == 0)
++ TIFFReverseBits((uint8*) data, cc);
++
++ if (cc > 0 &&
++ !TIFFAppendToStrip(tif, tile, (uint8*) data, cc))
++ return ((tmsize_t) -1);
++ return (cc);
++ }
++
++ sample = (uint16)(tile/td->td_stripsperimage);
++ if (!(*tif->tif_preencode)(tif, sample))
++ return ((tmsize_t)(-1));
+ /* swab if needed - note that source buffer will be altered */
+ tif->tif_postdecode( tif, (uint8*) data, cc );
+
diff --git a/tiff.changes b/tiff.changes
index df5d980..42fd546 100644
--- a/tiff.changes
+++ b/tiff.changes
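Review bot: In both tif_write.c shortcut blocks (the strip block at +258 and the tile block at +457) `TIFFReverseBits` is applied to the caller's `data` buffer, while the comment above it only warns about swabbing; as far as these hunks show, bit reversal of the caller's memory is a side effect specific to the shortcut. The comment should cover it, e.g. `/* swab and, for non-native fill order, bit-reverse in place - the caller's buffer is altered */`. In the strip block `cc` reaches `tif_postdecode` and `TIFFReverseBits` before the `cc > 0` test, and no clamp like the tile path's `cc < 1 || cc > tif->tif_tilesize` is visible there, so the test would be better placed ahead of the in-place transforms. The patch's own comments describe these blocks as a way to avoid a memcpy, and the changelog lists five CVEs against three patches without a per-patch mapping, so it is worth recording which CVE this patch is meant to address. The enclosing functions start and end outside the hunks.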
@@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com + +- Added patches: + * tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch + * tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch + * tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch + - Upstream commits to fix CVE-2016-5314 [bsc#984831], + CVE-2016-5316 [bsc#984837], CVE-2016-5317 [bsc#984842], + CVE-2016-5320 [bsc#984808] and CVE-2016-5875 [bsc#987351] + ------------------------------------------------------------------- Wed Apr 6 13:56:19 UTC 2016 - fstrba@suse.com @@ -11,7 +22,7 @@ Mon Feb 1 08:01:19 UTC 2016 - fstrba@suse.com - Added patch: * tiff-4.0.6-CVE-2015-8782.patch - fix CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds - writes for invalid images (upstream bug #2522) [bsc#964225] + writes for invalid images (upstream bug #2522) [bsc#964225] ------------------------------------------------------------------- Wed Jan 13 17:03:31 UTC 2016 - fstrba@suse.com diff --git a/tiff.spec b/tiff.spec index 4fb3b89..04e9be0 100644 --- a/tiff.spec +++ b/tiff.spec @@ -37,6 +37,11 @@ Patch3: tiff-4.0.6-CVE-2015-7554.patch Patch4: tiff-4.0.6-CVE-2015-8782.patch # Patch5: tiff-4.0.6-CVE-2016-3186.patch +# +Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch +Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch +Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch + BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool @@ -103,6 +108,9 @@ the libtiff library. %patch3 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build CFLAGS="%{optflags} -fPIE"