authorNatanael Copa <ncopa@alpinelinux.org>2013-08-07 12:21:11 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-08-07 12:21:11 +0000
commitc14e887330c5944f12ea9eb71a29774bf9a1f09a (patch)
tree0472f2cf0134d7a643acd5d2bbd704a3b6b03ab0 /main/tiff/libtiff-CVE-2012-4447.patch
parent07620e72a2f2ae94b7e519acbfe0905854825831 (diff)
main/tiff: sec fixes from upstream (CVE-2012-4447,CVE-2012-4564,CVE-2013-1960,CVE-2013-1961)
ref #2203 fixes #2204
Diffstat (limited to 'main/tiff/libtiff-CVE-2012-4447.patch')
-rw-r--r--main/tiff/libtiff-CVE-2012-4447.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/main/tiff/libtiff-CVE-2012-4447.patch b/main/tiff/libtiff-CVE-2012-4447.patch
new file mode 100644
index 0000000000..ebf9a00e1b
--- /dev/null
+++ b/main/tiff/libtiff-CVE-2012-4447.patch
@@ -0,0 +1,40 @@
+Upstream patch for CVE-2012-4447.
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
+--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500
+@@ -644,6 +644,20 @@
+ return bytes;
+ }
+
++static tmsize_t
++add_ms(tmsize_t m1, tmsize_t m2)
++{
++ tmsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogFixupTags(TIFF* tif)
+ {
+@@ -671,9 +685,11 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
+- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
++ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
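Review bot: In the added `add_ms`, the sum `tmsize_t bytes = m1 + m2;` is computed before the overflow test, so if `tmsize_t` is a signed type (as it appears to be in libtiff 4.x) the overflow has already happened as undefined behaviour. A compiler is then entitled to drop the `bytes <= m1 || bytes <= m2` check that the allocation size depends on. Testing before the addition avoids this and also rejects negative inputs, for example `if (m1 <= 0 || m2 <= 0 || m1 > TMSIZE_MAX_PLACEHOLDER - m2) return 0;`, where the placeholder stands for the largest `tmsize_t` value. The second operand at the call site, `sizeof(uint16) * sp->stride`, is multiplied without going through `multiply_ms`; it is probably small, but that depends on how `sp->stride` is bounded earlier in the function, which starts and ends outside the inner hunk.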