diff --git a/bfriesen.2805.patch b/bfriesen.2805.patch
new file mode 100644
index 0000000..54f68c9
--- /dev/null
+++ b/bfriesen.2805.patch
@@ -0,0 +1,32 @@
+---------------------
+PatchSet 2805
+Date: 2012/11/18 19:51:52
+Author: bfriesen
+Branch: HEAD
+Tag: (none)
+Log:
+* libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
+require malloc() to return NULL pointer if requested allocation
+size is zero. Assure that _TIFFmalloc does.
+
+Members:
+ ChangeLog:1.924->1.925
+ libtiff/tif_unix.c:1.23->1.24
+ libtiff/tif_vms.c:1.11->1.12
+ libtiff/tif_win32.c:1.39->1.40
+
+Index: libtiff/libtiff/tif_unix.c
+diff -u libtiff/libtiff/tif_unix.c:1.23 libtiff/libtiff/tif_unix.c:1.24
+--- libtiff/libtiff/tif_unix.c:1.23 Fri Jun 1 16:40:59 2012
++++ libtiff/libtiff/tif_unix.c Sun Nov 18 12:51:52 2012
+@@ -257,6 +257,9 @@
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++ if (s == 0)
++ return ((void *) NULL);
++
+ return (malloc((size_t) s));
+ }
+
+
diff --git a/erouault.2856.patch b/erouault.2856.patch
new file mode 100644
index 0000000..6f2ffd5
--- /dev/null
+++ b/erouault.2856.patch
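Review bot: The new guard in `_TIFFmalloc` only handles `s == 0`; if `tmsize_t` is a signed type, as the explicit `(size_t) s` cast suggests, a negative size still reaches `malloc` as a huge unsigned value, so the test could be widened to `if (s <= 0) return ((void *) NULL);` (this depends on the typedef, which is outside the hunk). The Members list names tif_vms.c and tif_win32.c as part of the upstream patchset, but this backport carries only the tif_unix.c hunk; a line in the patch header saying the other platform files were intentionally dropped would save the next maintainer from hunting for them.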
@@ -0,0 +1,336 @@ +--------------------- +PatchSet 2856 +Date: 2014/12/21 17:15:31 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +Fix various crasher bugs on fuzzed images. +* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for +TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing +the directory +* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or +TransferFunction if BitsPerSample has not yet been read, otherwise reading +it later will cause user code to crash if BitsPerSample > 1 +* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with +SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8 +* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images +instead of imagewidth to avoid crash +* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions +* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by +libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB +* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight +* tools/tiffdump.c: fix crash due to overflow of entry count. 
+ +Members: + ChangeLog:1.960->1.961 + libtiff/tif_dir.c:1.117->1.118 + libtiff/tif_dirread.c:1.180->1.181 + libtiff/tif_getimage.c:1.82->1.83 + libtiff/tif_next.c:1.13->1.14 + tools/bmp2tiff.c:1.23->1.24 + tools/tiff2pdf.c:1.77->1.78 + tools/tiffcrop.c:1.23->1.24 + tools/tiffdump.c:1.28->1.29 + +Index: libtiff/libtiff/tif_dir.c +diff -u libtiff/libtiff/tif_dir.c:1.117 libtiff/libtiff/tif_dir.c:1.118 +--- libtiff/libtiff/tif_dir.c:1.117 Thu Nov 20 11:47:21 2014 ++++ libtiff/libtiff/tif_dir.c Sun Dec 21 10:15:31 2014 +@@ -160,6 +160,7 @@ + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; ++ double dblval; + char* s; + const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); + uint32 standard_tag = tag; +@@ -284,10 +285,16 @@ + setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); + break; + case TIFFTAG_XRESOLUTION: +- td->td_xresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_xresolution = (float) dblval; + break; + case TIFFTAG_YRESOLUTION: +- td->td_yresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_yresolution = (float) dblval; + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -694,6 +701,16 @@ + va_end(ap); + } + return (0); ++badvaluedouble: ++ { ++ const TIFFField* fip=TIFFFieldWithTag(tif,tag); ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Bad value %f for \"%s\" tag", ++ tif->tif_name, dblval, ++ fip ? 
fip->field_name : "Unknown"); ++ va_end(ap); ++ } ++ return (0); + } + + /* +Index: libtiff/libtiff/tif_dirread.c +diff -u libtiff/libtiff/tif_dirread.c:1.180 libtiff/libtiff/tif_dirread.c:1.181 +--- libtiff/libtiff/tif_dirread.c:1.180 Thu Nov 20 11:47:21 2014 ++++ libtiff/libtiff/tif_dirread.c Sun Dec 21 10:15:31 2014 +@@ -3430,6 +3430,8 @@ + const TIFFField* fip; + uint32 fii=FAILED_FII; + toff_t nextdiroff; ++ int bitspersample_read = FALSE; ++ + tif->tif_diroff=tif->tif_nextdiroff; + if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) + return 0; /* last offset or bad offset (IFD looping) */ +@@ -3706,6 +3708,8 @@ + } + if (!TIFFSetField(tif,dp->tdir_tag,value)) + goto bad; ++ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) ++ bitspersample_read = TRUE; + } + break; + case TIFFTAG_SMINSAMPLEVALUE: +@@ -3763,6 +3767,19 @@ + uint32 countrequired; + uint32 incrementpersample; + uint16* value=NULL; ++ /* It would be dangerous to instanciate those tag values */ ++ /* since if td_bitspersample has not yet been read (due to */ ++ /* unordered tags), it could be read afterwards with a */ ++ /* values greater than the default one (1), which may cause */ ++ /* crashes in user code */ ++ if( !bitspersample_read ) ++ { ++ fip = TIFFFieldWithTag(tif,dp->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "Ignoring %s since BitsPerSample tag not found", ++ fip ? 
fip->field_name : "unknown tagname"); ++ continue; ++ } + countpersample=(1L<tif_dir.td_bitspersample); + if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) + { +Index: libtiff/libtiff/tif_getimage.c +diff -u libtiff/libtiff/tif_getimage.c:1.82 libtiff/libtiff/tif_getimage.c:1.83 +--- libtiff/libtiff/tif_getimage.c:1.82 Tue Jun 5 19:17:49 2012 ++++ libtiff/libtiff/tif_getimage.c Sun Dec 21 10:15:31 2014 +@@ -1,4 +1,4 @@ +-/* $Id: tif_getimage.c,v 1.82 2012-06-06 00:17:49 fwarmerdam Exp $ */ ++/* $Id: tif_getimage.c,v 1.83 2014-12-21 15:15:31 erouault Exp $ */ + + /* + * Copyright (c) 1991-1997 Sam Leffler +@@ -182,8 +182,23 @@ + "Planarconfiguration", td->td_planarconfig); + return (0); + } ++ if( td->td_samplesperpixel != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d", ++ "Samples/pixel", td->td_samplesperpixel); ++ return 0; ++ } + break; + case PHOTOMETRIC_CIELAB: ++ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d and %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "Bits/sample", td->td_bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +Index: libtiff/libtiff/tif_next.c +diff -u libtiff/libtiff/tif_next.c:1.13 libtiff/libtiff/tif_next.c:1.14 +--- libtiff/libtiff/tif_next.c:1.13 Wed Mar 10 13:56:48 2010 ++++ libtiff/libtiff/tif_next.c Sun Dec 21 10:15:32 2014 +@@ -102,6 +102,8 @@ + default: { + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; ++ if( isTiled(tif) ) ++ imagewidth = tif->tif_dir.td_tilewidth; + + /* + * The scanline is composed of a sequence of constant +Index: libtiff/tools/bmp2tiff.c +diff -u libtiff/tools/bmp2tiff.c:1.23 libtiff/tools/bmp2tiff.c:1.24 +--- libtiff/tools/bmp2tiff.c:1.23 Wed Mar 10 13:56:49 2010 ++++ libtiff/tools/bmp2tiff.c Sun Dec 21 10:15:32 2014 +@@ -403,6 +403,13 @@ + + width = info_hdr.iWidth; + 
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; ++ if( width <= 0 || length <= 0 ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + + switch (info_hdr.iBitCount) + { +@@ -593,6 +600,14 @@ + + compr_size = file_hdr.iSize - file_hdr.iOffBits; + uncompr_size = width * length; ++ /* Detect int overflow */ ++ if( uncompr_size / width != length ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, +Index: libtiff/tools/tiff2pdf.c +diff -u libtiff/tools/tiff2pdf.c:1.77 libtiff/tools/tiff2pdf.c:1.78 +--- libtiff/tools/tiff2pdf.c:1.77 Tue Dec 9 21:53:30 2014 ++++ libtiff/tools/tiff2pdf.c Sun Dec 21 10:15:32 2014 +@@ -1167,6 +1167,15 @@ + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ + TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid tile count, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tilecount/= xuint16; + } + if( t2p->tiff_tiles[i].tiles_tilecount > 0){ +@@ -1552,6 +1561,22 @@ + #endif + break; + case PHOTOMETRIC_CIELAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for CIELAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for CIELAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]= -127; + t2p->pdf_labrange[1]= 127; + t2p->pdf_labrange[2]= -127; +@@ -1567,6 +1592,22 @@ + t2p->pdf_colorspace=T2P_CS_LAB; + break; + case PHOTOMETRIC_ITULAB: ++ if( 
t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for ITULAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for ITULAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]=-85; + t2p->pdf_labrange[1]=85; + t2p->pdf_labrange[2]=-75; +Index: libtiff/tools/tiffcrop.c +diff -u libtiff/tools/tiffcrop.c:1.23 libtiff/tools/tiffcrop.c:1.24 +--- libtiff/tools/tiffcrop.c:1.23 Sun Dec 7 17:33:06 2014 ++++ libtiff/tools/tiffcrop.c Sun Dec 21 10:15:32 2014 +@@ -1205,9 +1205,10 @@ + tsize_t tilesize = TIFFTileSize(out); + unsigned char *tilebuf = NULL; + +- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); +- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); +- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || ++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || ++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) ++ return 1; + + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) +Index: libtiff/tools/tiffdump.c +diff -u libtiff/tools/tiffdump.c:1.28 libtiff/tools/tiffdump.c:1.29 +--- libtiff/tools/tiffdump.c:1.28 Sat Dec 6 10:58:44 2014 ++++ libtiff/tools/tiffdump.c Sun Dec 21 10:15:32 2014 +@@ -374,6 +374,8 @@ + void* datamem; + uint64 dataoffset; + int datatruncated; ++ int datasizeoverflow; ++ + tag = *(uint16*)dp; + if (swabflag) + TIFFSwabShort(&tag); +@@ -412,13 +414,14 @@ + else + typewidth = datawidth[type]; + datasize = count*typewidth; ++ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); + datafits = 1; + datamem = dp; + dataoffset = 0; + datatruncated = 0; + if (!bigtiff) + { +- if (datasize>4) ++ if (datasizeoverflow || datasize>4) + { + uint32 dataoffset32; + datafits = 0; +@@ -432,7 +435,7 @@ + } + else + { +- if (datasize>8) ++ if 
(datasizeoverflow || datasize>8) + { + datafits = 0; + datamem = NULL; +@@ -442,7 +445,7 @@ + } + dp += sizeof(uint64); + } +- if (datasize>0x10000) ++ if (datasizeoverflow || datasize>0x10000) + { + datatruncated = 1; + count = 0x10000/typewidth; diff --git a/erouault.2857.patch b/erouault.2857.patch new file mode 100644 index 0000000..c1e7a3c --- /dev/null +++ b/erouault.2857.patch 
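Review bot: In the tiff2pdf.c hunk at `@@ -1167,6 +1167,15 @@`, the new `tiles_tilecount % xuint16` test divides by the value just read for TIFFTAG_SAMPLESPERPIXEL without rejecting zero, so a file declaring SamplesPerPixel = 0 turns the crash being fixed into a division by zero; erouault.2858.patch later checks the TIFFGetField return code at the same spot but still not the value, so the gap remains there too. A combined guard such as `if( xuint16 == 0 || (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )` covers both. Two smaller points in the same patch: in tif_dir.c `if( dblval < 0 )` is false for NaN, so a NaN resolution is still stored and cast to float, and in bmp2tiff.c `uncompr_size = width * length;` is evaluated before the `uncompr_size / width != length` overflow test, which is only well-defined if those variables are unsigned (their declarations are outside the hunk).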
@@ -0,0 +1,47 @@
+---------------------
+PatchSet 2857
+Date: 2014/12/21 18:28:37
+Author: erouault
+Branch: HEAD
+Tag: (none)
+Log:
+* tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
+Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
+Description: fix for Debian bug #741451
+tiffcp crashes when converting JPEG-encoded TIFF to a different
+encoding (like none or lzw). For example this will probably fail:
+tiffcp -c none jpeg_encoded_file.tif output.tif
+The reason is that when the input file contains JPEG data,
+the tiffcp code forces conversion to RGB space. However,
+the output normally inherits YCbCr subsampling parameters
+from the input, which leads to a smaller working buffer
+than necessary. The buffer is subsequently overrun inside
+cpStripToTile() (called from writeBufferToContigTiles).
+Note that the resulting TIFF file would be scrambled even
+if tiffcp wouldn't crash, since the output file would contain
+RGB data intepreted as subsampled YCbCr values.
+This patch fixes the problem by forcing RGB space on the output
+TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
+Author: Tomasz Buchert
+
+Members:
+ ChangeLog:1.961->1.962
+ tools/tiffcp.c:1.50->1.51
+
+Index: libtiff/tools/tiffcp.c
+diff -u libtiff/tools/tiffcp.c:1.50 libtiff/tools/tiffcp.c:1.51
+--- libtiff/tools/tiffcp.c:1.50 Tue Mar 5 22:35:09 2013
++++ libtiff/tools/tiffcp.c Sun Dec 21 11:28:37 2014
+@@ -633,6 +633,12 @@
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC,
+ samplesperpixel == 1 ?
+ PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV);
++ else if (input_compression == COMPRESSION_JPEG &&
++ samplesperpixel == 3 ) {
++ /* RGB conversion was forced above
++ hence the output will be of the same type */
++ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB);
++ }
+ else
+ CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT);
+ if (fillorder != 0)
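Review bot: The new `else if` branch keys only on `input_compression == COMPRESSION_JPEG && samplesperpixel == 3`, while the description says RGB should be forced only when the output is *not* JPEG-encoded; unless an earlier branch of this if-chain (outside the hunk) already handles JPEG output, a JPEG-to-JPEG copy would also have its photometric overwritten, so the condition should either test the output compression too or the comment should say why it need not. The comment `/* RGB conversion was forced above ... */` leans on code outside the hunk; rewording it to name what it relies on, e.g. `/* JPEG input is decoded to RGB by the input setup earlier in this function, so the output must not inherit the source photometric (YCbCr) */`, makes the coupling visible. The enclosing function continues outside the hunk.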
diff --git a/erouault.2858.patch b/erouault.2858.patch
new file mode 100644
index 0000000..2d4e076
--- /dev/null
+++ b/erouault.2858.patch
@@ -0,0 +1,35 @@
+---------------------
+PatchSet 2858
+Date: 2014/12/21 19:36:36
+Author: erouault
+Branch: HEAD
+Tag: (none)
+Log:
+* tools/tiff2pdf.c: check return code of TIFFGetField() when reading
+TIFFTAG_SAMPLESPERPIXEL
+
+Members:
+ ChangeLog:1.962->1.963
+ tools/tiff2pdf.c:1.78->1.79
+
+Index: libtiff/tools/tiff2pdf.c
+diff -u libtiff/tools/tiff2pdf.c:1.78 libtiff/tools/tiff2pdf.c:1.79
+--- libtiff/tools/tiff2pdf.c:1.78 Sun Dec 21 10:15:32 2014
++++ libtiff/tools/tiff2pdf.c Sun Dec 21 12:36:36 2014
+@@ -1166,7 +1166,15 @@
+ t2p->tiff_pages[i].page_tilecount;
+ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
+ && (xuint16 == PLANARCONFIG_SEPARATE ) ){
+- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
++ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) )
++ {
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Missing SamplesPerPixel, %s",
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
+ {
+ TIFFError(
diff --git a/erouault.2859.patch b/erouault.2859.patch
new file mode 100644
index 0000000..6744820
--- /dev/null
+++ b/erouault.2859.patch
@@ -0,0 +1,47 @@
+---------------------
+PatchSet 2859
+Date: 2014/12/21 20:07:48
+Author: erouault
+Branch: HEAD
+Tag: (none)
+Log:
+* libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
+http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
+
+Members:
+ ChangeLog:1.963->1.964
+ libtiff/tif_next.c:1.14->1.15
+
+
+Index: libtiff/libtiff/tif_next.c
+diff -u libtiff/libtiff/tif_next.c:1.14 libtiff/libtiff/tif_next.c:1.15
+--- libtiff/libtiff/tif_next.c:1.14 Sun Dec 21 10:15:32 2014
++++ libtiff/libtiff/tif_next.c Sun Dec 21 13:07:48 2014
+@@ -141,10 +141,27 @@
+ return (0);
+ }
+
++static int
++NeXTPreDecode(TIFF* tif, uint16 s)
++{
++ static const char module[] = "NeXTPreDecode";
++ TIFFDirectory *td = &tif->tif_dir;
++ (void)s;
++
++ if( td->td_bitspersample != 2 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
++ td->td_bitspersample);
++ return (0);
++ }
++ return (1);
++}
++
+ int
+ TIFFInitNeXT(TIFF* tif, int scheme)
+ {
+ (void) scheme;
++ tif->tif_predecode = NeXTPreDecode;
+ tif->tif_decoderow = NeXTDecode;
+ tif->tif_decodestrip = NeXTDecode;
+ tif->tif_decodetile = NeXTDecode;
diff --git a/erouault.2860.patch b/erouault.2860.patch
new file mode 100644
index 0000000..c9a199f
--- /dev/null
+++ b/erouault.2860.patch
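Review bot: `NeXTPreDecode` rejects `td_bitspersample != 2` without saying why, and because the check runs in the per-strip/tile predecode hook, `TIFFInitNeXT` still reports success for an unsupported depth and callers only see the error once decoding starts. A comment above the test would help the next reader, e.g. `/* The NeXT decoder only handles 2-bit grey data; the scanline arithmetic in NeXTDecode presumably assumes four pixels per byte, so other depths must be refused — confirm against the decoder */`. If the codec framework offers a setup-time hook, moving the check there would surface the failure earlier; that is a judgement call since the decoder functions are outside this hunk.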
@@ -0,0 +1,85 @@ +--------------------- +PatchSet 2860 +Date: 2014/12/21 20:52:42 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS +or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or +COMPRESSION_CCITTFAX4 +http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) + +Members: + ChangeLog:1.964->1.965 + tools/thumbnail.c:1.17->1.18 + tools/tiffcmp.c:1.16->1.17 + + +Index: libtiff/tools/thumbnail.c +diff -u libtiff/tools/thumbnail.c:1.17 libtiff/tools/thumbnail.c:1.18 +--- libtiff/tools/thumbnail.c:1.17 Sun Dec 7 17:33:06 2014 ++++ libtiff/tools/thumbnail.c Sun Dec 21 13:52:42 2014 +@@ -274,7 +274,26 @@ + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */ ++ /* if we request a tag that is defined in a codec, but that codec */ ++ /* isn't used */ ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + +Index: libtiff/tools/tiffcmp.c +diff -u libtiff/tools/tiffcmp.c:1.16 libtiff/tools/tiffcmp.c:1.17 +--- libtiff/tools/tiffcmp.c:1.16 Wed Mar 10 13:56:50 2010 ++++ libtiff/tools/tiffcmp.c Sun Dec 21 13:52:42 2014 +@@ -260,6 +260,7 @@ + static int + cmptags(TIFF* tif1, TIFF* tif2) + { ++ uint16 compression1, compression2; + CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType"); + CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth"); + CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength"); +@@ -276,8 +277,20 @@ + CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat"); 
+ CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution"); + CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution"); +- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); +- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX3 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX3 ) ++ { ++ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); ++ } ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX4 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX4 ) ++ { ++ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ } + CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit"); + CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration"); + CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip"); diff --git a/erouault.2861.patch b/erouault.2861.patch new file mode 100644 index 0000000..67284a7 --- /dev/null +++ b/erouault.2861.patch @@ -0,0 +1,33 @@ +--------------------- +PatchSet 2861 +Date: 2014/12/21 21:53:59 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/thumbnail.c: fix out-of-buffer write +http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) + +Members: + ChangeLog:1.965->1.966 + tools/thumbnail.c:1.18->1.19 + +Index: libtiff/tools/thumbnail.c +diff -u libtiff/tools/thumbnail.c:1.18 libtiff/tools/thumbnail.c:1.19 +--- libtiff/tools/thumbnail.c:1.18 Sun Dec 21 13:52:42 2014 ++++ libtiff/tools/thumbnail.c Sun Dec 21 14:53:59 2014 +@@ -568,7 +568,13 @@ + err -= limit; + sy++; + if (err >= limit) +- rows[nrows++] = br + bpr*sy; ++ { ++ /* We should perhaps error loudly, but I can't make sense of that */ ++ /* code... */ ++ if( nrows == 256 ) ++ break; ++ rows[nrows++] = br + bpr*sy; ++ } + } + setrow(row, nrows, rows); + row += tnw; 
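Review bot: In the tiffcmp.c hunk, `cmptags` now calls `TIFFGetField(..., TIFFTAG_COMPRESSION, ...)` twice per file, once for the Group3Options test and again for the Group4Options test; reading both values once, `int havecomp = TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2);`, and then guarding with `if( havecomp && compression1 == COMPRESSION_CCITTFAX3 && compression2 == COMPRESSION_CCITTFAX3 )` (and the FAX4 analogue) removes the duplication. The new conditions also silently skip the comparison when only one of the two files is fax-compressed, which is fine only if TIFFTAG_COMPRESSION itself is compared elsewhere in cmptags (not visible here); a one-line comment saying so would stop someone later "fixing" it into a mismatch. The thumbnail.c hunk has the same shape, where the per-tag `TIFFGetField` of the compression could be hoisted out of the `for` loop.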
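Review bot: The bound `nrows == 256` in the thumbnail.c hunk hard-codes the capacity of `rows[]`, whose declaration is outside the hunk; tying the check to the array itself, `if( nrows == sizeof(rows) / sizeof(rows[0]) ) break;`, keeps the two in step if the buffer is ever resized (valid only if `rows` is a true array in this scope rather than a pointer — confirm). The `break` also silently drops the remaining source rows for that thumbnail line; if that is the intended degradation, the comment should state it, replacing the present `/* We should perhaps error loudly, but I can't make sense of that code... */` with a description of the chosen behaviour. The enclosing loop begins outside the hunk.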
diff --git a/erouault.2862.patch b/erouault.2862.patch new file mode 100644 index 0000000..8516542 --- /dev/null +++ b/erouault.2862.patch @@ -0,0 +1,44 @@ +--------------------- +PatchSet 2862 +Date: 2014/12/21 22:04:31 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES +copying. The right fix would be to properly copy it, but not worth the burden +for those esoteric utilities. +http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) + +Members: + ChangeLog:1.966->1.967 + tools/pal2rgb.c:1.13->1.14 + tools/thumbnail.c:1.19->1.20 + + +Index: libtiff/tools/pal2rgb.c +diff -u libtiff/tools/pal2rgb.c:1.13 libtiff/tools/pal2rgb.c:1.14 +--- libtiff/tools/pal2rgb.c:1.13 Fri Jul 2 07:02:56 2010 ++++ libtiff/tools/pal2rgb.c Sun Dec 21 15:04:31 2014 +@@ -372,7 +372,7 @@ + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +Index: libtiff/tools/thumbnail.c +diff -u libtiff/tools/thumbnail.c:1.19 libtiff/tools/thumbnail.c:1.20 +--- libtiff/tools/thumbnail.c:1.19 Sun Dec 21 14:53:59 2014 ++++ libtiff/tools/thumbnail.c Sun Dec 21 15:04:31 2014 +@@ -257,7 +257,7 @@ + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, diff --git a/erouault.2863.patch b/erouault.2863.patch new file mode 100644 index 0000000..42089b3 
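Review bot: Both hunks leave the TIFFTAG_INKNAMES row as commented-out code inside the tag table; a reviewer would rather see the row deleted and the reason kept as a comment in its place, e.g. `/* TIFFTAG_INKNAMES deliberately not copied here: it needs the multi-string handling found in tiffcp */`, so the table does not accumulate dead entries. This applies equally to the pal2rgb.c and thumbnail.c hunks.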
--- /dev/null +++ b/erouault.2863.patch @@ -0,0 +1,31 @@ +--------------------- +PatchSet 2863 +Date: 2014/12/21 22:58:29 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/tiff2bw.c: when Photometric=RGB, the utility only works if +SamplesPerPixel = 3. Enforce that +http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) + +Members: + ChangeLog:1.967->1.968 + tools/tiff2bw.c:1.16->1.17 + +Index: libtiff/tools/tiff2bw.c +diff -u libtiff/tools/tiff2bw.c:1.16 libtiff/tools/tiff2bw.c:1.17 +--- libtiff/tools/tiff2bw.c:1.16 Thu May 2 09:44:29 2013 ++++ libtiff/tools/tiff2bw.c Sun Dec 21 15:58:30 2014 +@@ -171,6 +171,11 @@ + argv[optind], samplesperpixel); + return (-1); + } ++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { ++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", ++ argv[optind], samplesperpixel); ++ return (-1); ++ } + TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); + if (bitspersample != 8) { + fprintf(stderr, diff --git a/erouault.2876.patch b/erouault.2876.patch new file mode 100644 index 0000000..5afaad3 --- /dev/null +++ b/erouault.2876.patch 
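Review bot: The new PHOTOMETRIC_RGB check is the right shape, but the very next line, `TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);`, still ignores the return value, so when the tag is absent `bitspersample` keeps whatever it was initialised to (outside the hunk) and the following `!= 8` test may pass or fail by accident. erouault.2858.patch applies the stricter pattern in tiff2pdf and the same fits here: `if (!TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample)) { fprintf(stderr, "%s: Missing BitsPerSample.\n", argv[optind]); return (-1); }`. The enclosing function continues outside the hunk.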
@@ -0,0 +1,90 @@ +--------------------- +PatchSet 2876 +Date: 2014/12/29 14:09:11 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* libtiff/tif_next.c: add new tests to check that we don't read outside of +the compressed input stream buffer. + +* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height + +Members: + ChangeLog:1.980->1.981 + libtiff/tif_getimage.c:1.85->1.86 + libtiff/tif_next.c:1.15->1.16 + +Index: libtiff/libtiff/tif_getimage.c +diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86 +--- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014 ++++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014 +@@ -1871,7 +1871,7 @@ + + (void) y; + fromskew = (fromskew * 10) / 4; +- if ((h & 3) == 0 && (w & 1) == 0) { ++ if ((w & 3) == 0 && (h & 1) == 0) { + for (; h >= 2; h -= 2) { + x = w>>2; + do { +@@ -1948,7 +1948,7 @@ + /* XXX adjust fromskew */ + do { + x = w>>2; +- do { ++ while(x>0) { + int32 Cb = pp[4]; + int32 Cr = pp[5]; + +@@ -1959,7 +1959,8 @@ + + cp += 4; + pp += 6; +- } while (--x); ++ x--; ++ } + + if( (w&3) != 0 ) + { +@@ -2050,7 +2051,7 @@ + fromskew = (fromskew * 4) / 2; + do { + x = w>>1; +- do { ++ while(x>0) { + int32 Cb = pp[2]; + int32 Cr = pp[3]; + +@@ -2059,7 +2060,8 @@ + + cp += 2; + pp += 4; +- } while (--x); ++ x --; ++ } + + if( (w&1) != 0 ) + { +Index: libtiff/libtiff/tif_next.c +diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16 +--- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014 ++++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014 +@@ -71,7 +71,7 @@ + TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); + return (0); + } +- for (row = buf; occ > 0; occ -= scanline, row += scanline) { ++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { + n = *bp++, cc--; + switch (n) { + case LITERALROW: +@@ -90,6 +90,8 @@ + * The scanline has a literal span that begins at some + * offset. 
+ */
++ if( cc < 4 )
++ goto bad;
+ off = (bp[0] * 256) + bp[1];
+ n = (bp[2] * 256) + bp[3];
+ if (cc < 4+n || off+n > scanline)
diff --git a/tiff-dither-malloc-check.patch b/tiff-dither-malloc-check.patch
new file mode 100644
index 0000000..7e067ac
--- /dev/null
+++ b/tiff-dither-malloc-check.patch
@@ -0,0 +1,16 @@
+Index: tools/tiffdither.c
+===================================================================
+--- tools/tiffdither.c.orig 2015-02-18 13:06:47.972867055 +0100
++++ tools/tiffdither.c 2015-02-18 13:12:03.759562692 +0100
+@@ -77,6 +77,11 @@
+ outlinesize = TIFFScanlineSize(out);
+ outline = (unsigned char *) _TIFFmalloc(outlinesize);
+
++ if (! (inputline && thisline && nextline && outline)) {
++ fprintf(stderr, "Out of memory.\n");
++ return;
++ }
++
+ /*
+ * Get first line
+ */
diff --git a/tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch b/tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
new file mode 100644
index 0000000..c463684
--- /dev/null
+++ b/tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
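Review bot: In the tif_next.c hunk the loop header now stops when `cc` reaches zero, but nothing in the hunk reports the case where the input ran out while `occ > 0`, so a truncated strip is silently left partially decoded unless code after the loop (outside the hunk) checks it; an `if (occ > 0) goto bad;` after the loop, mirroring the new `if( cc < 4 ) goto bad;`, would make truncation an error like the other malformed-input paths. In the tif_getimage.c hunks, the `do { } while (--x)` loops become `while(x>0)` so that `w < 4` (resp. `w < 2`) no longer executes one iteration on a zero count, and the swapped `(w & 3)`/`(h & 1)` test is the matching fix for the earlier guard; a one-line comment at the first `while(x>0)`, e.g. `/* x is 0 for images narrower than one block; a do-while would still run once */`, would explain why the loop form changed. The enclosing functions begin and end outside the hunks.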
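Review bot: The new out-of-memory check in tiffdither.c returns without releasing whichever of `inputline`, `thisline` and `nextline` were already allocated, so that path leaks them; freeing the non-NULL ones with `_TIFFfree()` before the `return` keeps the function tidy even if the caller exits shortly after. Note also that bfriesen.2805.patch, added in this same commit, makes `_TIFFmalloc(0)` return NULL, so a zero `outlinesize` (or a zero size for the other buffers) will now be reported as "Out of memory." rather than as an invalid image; a separate check of the size values before the allocations would give the right message. The allocations of the first three buffers and the function signature are outside the hunk.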
@@ -0,0 +1,12 @@
+Index: libtiff/tif_dirinfo.c
+===================================================================
+--- libtiff/tif_dirinfo.c.orig 2015-02-20 10:55:07.511497649 +0100
++++ libtiff/tif_dirinfo.c 2015-02-20 18:25:36.187965859 +0100
+@@ -141,6 +141,7 @@
+ { TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL },
+ { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
+ { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
++ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
+ /* begin DNG tags */
+ { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
+ { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },
diff --git a/tiff-handle-TIFFTAG_PREDICTOR.patch b/tiff-handle-TIFFTAG_PREDICTOR.patch
new file mode 100644
index 0000000..ad94c07
--- /dev/null
+++ b/tiff-handle-TIFFTAG_PREDICTOR.patch
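Review bot: The new `TIFFTAG_CONSECUTIVEBADFAXLINES` row registers a codec tag in the core field table as `FIELD_CUSTOM`, while the fax codec presumably registers the same tag in its own field array when CCITT compression is selected; if both definitions end up merged for one file, libtiff may warn about or reject the duplicate registration, so this should be confirmed against the fax codec's field list before shipping. The same concern applies to tiff-handle-TIFFTAG_PREDICTOR.patch, where `TIFFTAG_PREDICTOR` is added to the core table although it is normally owned by the predictor-based codecs. A comment above each new row stating why a codec-owned tag is being made readable for files that do not use that codec (erouault.2860.patch in this same commit instead avoids touching such tags unless the compression matches) would record the intent for the next maintainer.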
@@ -0,0 +1,12 @@
+Index: libtiff/tif_dirinfo.c
+===================================================================
+--- libtiff/tif_dirinfo.c.orig 2015-02-20 18:38:55.798039584 +0100
++++ libtiff/tif_dirinfo.c 2015-02-20 18:58:50.474095885 +0100
+@@ -142,6 +142,7 @@
+ { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
+ { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
++ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL },
+ /* begin DNG tags */
+ { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
+ { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },
diff --git a/tiff.changes b/tiff.changes
index 5dbc71c..145ee3b 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Thu Feb 26 13:58:54 UTC 2015 - pgajdos@suse.com + +- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128, + CVE-2014-8129, CVE-2014-8130, CVE-2015-1547 + bnc#914890, bnc#916925, bnc#916927 + + erouault.2856.patch + + erouault.2857.patch + + erouault.2858.patch + + erouault.2859.patch + + erouault.2860.patch + + erouault.2861.patch + + erouault.2862.patch + + erouault.2863.patch + + erouault.2876.patch + + bfriesen.2805.patch + + tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch + + tiff-handle-TIFFTAG_PREDICTOR.patch + + tiff-dither-malloc-check.patch + ------------------------------------------------------------------- Mon Dec 22 19:58:43 UTC 2014 - meissner@suse.com diff --git a/tiff.spec b/tiff.spec index ba46a96..934d930 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,7 +1,7 @@ # # spec file for package tiff # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -60,6 +60,20 @@ Patch8: tiff-4.0.3-CVE-2013-4232.patch Patch9: tiff-4.0.3-CVE-2013-4231.patch Patch10: tiff-4.0.3-CVE-2013-4244.patch Patch11: tiff-4.0.3-CVE-2013-4243.patch +Patch12: erouault.2856.patch +Patch13: erouault.2857.patch +Patch14: erouault.2858.patch +Patch15: erouault.2859.patch +Patch16: erouault.2860.patch +Patch17: erouault.2861.patch +Patch18: erouault.2862.patch +Patch19: erouault.2863.patch +Patch20: erouault.2876.patch +Patch21: bfriesen.2805.patch +Patch22: tiff-dither-malloc-check.patch +Patch23: tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch +Patch24: tiff-handle-TIFFTAG_PREDICTOR.patch + # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch 
@@ -115,6 +129,19 @@ the libtiff library. %patch9 %patch10 %patch11 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 +%patch23 +%patch24 %build CFLAGS="$RPM_OPT_FLAGS -fPIE"