6232377d76
- extend tiff-CVE-2018-19210.patch and rename it to tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11] * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606] OBS-URL: https://build.opensuse.org/request/show/670119 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=135
56 lines
2.7 KiB
Diff
56 lines
2.7 KiB
Diff
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
|
|
===================================================================
|
|
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
|
|
+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
|
|
@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
|
|
}
|
|
m=(1<<tif->tif_dir.td_bitspersample);
|
|
n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
|
|
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
|
|
+ tif->tif_dir.td_transferfunction[1] == NULL)
|
|
+ n = 1;
|
|
/*
|
|
* Check if the table can be written as a single column,
|
|
* or if it must be written as 3 columns. Note that we
|
|
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
|
index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644
|
|
--- a/libtiff/tif_dir.c
|
|
+++ b/libtiff/tif_dir.c
|
|
@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
|
_TIFFfree(td->td_smaxsamplevalue);
|
|
td->td_smaxsamplevalue = NULL;
|
|
}
|
|
+ /* Test if 3 transfer functions instead of just one are now needed
|
|
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
|
|
+ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
|
|
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
|
|
+ {
|
|
+ TIFFWarningExt(tif->tif_clientdata,module,
|
|
+ "SamplesPerPixel tag value is changing, "
|
|
+ "but TransferFunction was read with a different value. Cancelling it");
|
|
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
|
|
+ _TIFFfree(td->td_transferfunction[0]);
|
|
+ td->td_transferfunction[0] = NULL;
|
|
+ }
|
|
}
|
|
td->td_samplesperpixel = (uint16) v;
|
|
break;
|
|
@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
|
_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
|
|
break;
|
|
case TIFFTAG_EXTRASAMPLES:
|
|
+ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
|
|
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
|
|
+ {
|
|
+ TIFFWarningExt(tif->tif_clientdata,module,
|
|
+ "ExtraSamples tag value is changing, "
|
|
+ "but TransferFunction was read with a different value. Cancelling it");
|
|
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
|
|
+ _TIFFfree(td->td_transferfunction[0]);
|
|
+ td->td_transferfunction[0] = NULL;
|
|
+ }
|
|
if (!setExtraSamples(td, ap, &v))
|
|
goto badvalue;
|
|
break;
|
|
|