From 581c640515472337e42489148e40baae123a09db Mon Sep 17 00:00:00 2001 
From: Sergey Lukin Date: Thu, 19 Jan 2017 14:04:50 +0000 Subject: main/tiff: security upgrade to 4.0.7 - fixes #6667 CVE-2016-9273: heap-buffer-overflow in cpStrips CVE-2016-9297: segfault in _TIFFPrintField CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf CVE-2016-3186: Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. CVE-2016-3621: Out-of-bounds Read in the bmp2tiff tool CVE-2016-3622: Divide By Zero in the tiff2rgba tool CVE-2016-3623, CVE-2016-3624: Divide By Zero in the rgb2ycbcr tool CVE-2016-3625: Out-of-bounds Read in the tiff2bw tool CVE-2016-3658, CVE-2014-8127: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317: PixarLogDecode() out-of-bound writes CVE-2016-5320, CVE-2016-5875: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c bugzilla suppose that CVE-2016-5320 is a duplicate of CVE-2016-5314 (https://bugs.alpinelinux.org/issues/6661) which was fixed in tiff 4.0.7 (http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1) CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow --- main/tiff/APKBUILD | 75 ++++++-------- main/tiff/CVE-2015-7554.patch | 25 ----- main/tiff/CVE-2015-8665.patch | 113 --------------------- main/tiff/CVE-2015-8668.patch | 42 -------- main/tiff/CVE-2015-8781-8782-8783.patch | 171 -------------------------------- main/tiff/CVE-2015-8784.patch | 49 --------- main/tiff/CVE-2016-3632.patch | 23 ----- main/tiff/CVE-2016-3945.patch | 97 ------------------ main/tiff/CVE-2016-3990.patch | 37 ------- main/tiff/CVE-2016-3991.patch | 126 ----------------------- 10 files 
changed, 31 insertions(+), 727 deletions(-) delete mode 100644 main/tiff/CVE-2015-7554.patch delete mode 100644 main/tiff/CVE-2015-8665.patch delete mode 100644 main/tiff/CVE-2015-8668.patch delete mode 100644 main/tiff/CVE-2015-8781-8782-8783.patch delete mode 100644 main/tiff/CVE-2015-8784.patch delete mode 100644 main/tiff/CVE-2016-3632.patch delete mode 100644 main/tiff/CVE-2016-3945.patch delete mode 100644 main/tiff/CVE-2016-3990.patch delete mode 100644 main/tiff/CVE-2016-3991.patch (limited to 'main/tiff')
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 86d423de1b..edc67176f1 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -1,9 +1,9 @@
+# Contributor: Sergei Lukin
 # Contributor: Leonardo Arena
-# Contributor: Sergey Lukin
 # Maintainer: Michael Mason
 pkgname=tiff
-pkgver=4.0.6
-pkgrel=2
+pkgver=4.0.7
+pkgrel=0
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -12,17 +12,31 @@ depends=
 depends_dev="zlib-dev libjpeg-turbo-dev"
 makedepends="libtool autoconf automake $depends_dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
-source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
- CVE-2015-7554.patch
- CVE-2015-8665.patch
- CVE-2015-8668.patch
- CVE-2015-8781-8782-8783.patch
- CVE-2015-8784.patch
- CVE-2016-3632.patch
- CVE-2016-3945.patch
- CVE-2016-3990.patch
- CVE-2016-3991.patch
- "
+source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz"
+
+# secfixes:
+# 4.0.7-r0:
+# - CVE-2016-9273
+# - CVE-2016-9297
+# - CVE-2016-9448
+# - CVE-2016-9453
+# - CVE-2016-3186
+# - CVE-2016-3621
+# - CVE-2016-3622
+# - CVE-2016-3623
+# - CVE-2016-3624
+# - CVE-2016-3625
+# - CVE-2016-3658
+# - CVE-2014-8127
+# - CVE-2016-5314
+# - CVE-2016-5315
+# - CVE-2016-5316
+# - CVE-2016-5317
+# - CVE-2016-5320
+# - CVE-2016-5875
+# - CVE-2016-5321
+# - CVE-2016-5323
+# - CVE-2016-5652
 builddir="$srcdir"/$pkgname-$pkgver
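Review bot: The new `# secfixes:` block under `4.0.7-r0` lists only the CVEs named in the commit message, while the eleven CVEs whose backports this commit removes from `source=` (CVE-2015-7554, CVE-2015-8665, CVE-2015-8668, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2015-8784, CVE-2016-3632, CVE-2016-3945, CVE-2016-3990, CVE-2016-3991) appear nowhere in it, and since the diff shows no pre-existing secfixes block, the secdb generated from this file will never record those as fixed in any release. Removing a backport is also only safe if the 4.0.7 tarball contains the fix: six of the deleted files are upstream libtiff commits by erouault dated Dec 2015–Aug 2016 and plausibly made the release, but the CVE-2015-7554, CVE-2015-8668 and CVE-2016-3632 patches come from the CentOS package rather than from an upstream commit (the CVE-2016-3632 one is a workaround that comments out the `TIFFTAG_BADFAXLINES` entry in `thumbnail.c`), so I cannot confirm from this diff that 4.0.7 fixes them. Please check each of the eleven against the 4.0.7 ChangeLog, add the confirmed ones as `#   - CVE-...` lines under `4.0.7-r0`, and keep any unconfirmed patch in `source=` until an upstream fix is identified. Minor: `source=` still fetches over plain `http://`; the sha512sums in the same file do make a tampered tarball fail the build, but an `https://` URL, if the mirror offers one, would be the usual belt-and-braces for a security upgrade.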
@@ -64,33 +78,6 @@ tools() {
 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
-md5sums="d1d2e940dea0b5ad435f21f03d96dd72 tiff-4.0.6.tar.gz
-1023c7deacbb5d8dc61e6d1e9959b172 CVE-2015-7554.patch
-1ed2295ff179a6b64803d33f0f865740 CVE-2015-8665.patch
-b6e064713f307a2bbf815fb6f46f5317 CVE-2015-8668.patch
-96d2a934914a548d244e0a055f370334 CVE-2015-8781-8782-8783.patch
-8b3e84314fc2c0eeabd8d2c410f85727 CVE-2015-8784.patch
-0bf7599f2d566038fb583250590716d3 CVE-2016-3632.patch
-e1de46d39bda11acf73d6430f5108d19 CVE-2016-3945.patch
-ee98f9ec234ac11bd5764b1d3ae0aa00 CVE-2016-3990.patch
-f060dad3d0bc8a65e2dba9bb4cba4ff4 CVE-2016-3991.patch"
-sha256sums="4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c tiff-4.0.6.tar.gz
-2da0ab2927cdaebc790d4cf80a674124a3a08e511bbf6a39a5b232df46068b1b CVE-2015-7554.patch
-1e4158f2a85e4c597b2a6d290c54d4ee815c8930f80824363945506bda3fc798 CVE-2015-8665.patch
-962abf920444bc02d4086d17acfc24d6a163010b1639384fecff1460dca07f7d CVE-2015-8668.patch
-f7c953c51f4f14b8627aad9bfe5b183b5d56e62e96e24d80a233e0b849c0c743 CVE-2015-8781-8782-8783.patch
-504332761f3e72d8424fd59d4e2c75dd280f61efbbd4e60f6bc0e1f91ed9e972 CVE-2015-8784.patch
-de53c724507a2ab2796b4ae52bd12e8ca358aa03a3ea69664e3986804b9c1b38 CVE-2016-3632.patch
-e89921b4e26ffc49fb37a219fa6fc6078949f6f62154e037dbbe66051b97f731 CVE-2016-3945.patch
-28a16234ea69877de83ee5e269929b7a05fcce1ff6400db3005c94328c9e1751 CVE-2016-3990.patch
-e85df1c5ae13cd6fbf38f13cdb34e6fc7e744005bd8948d97751be1a18208870 CVE-2016-3991.patch"
-sha512sums="2c8dbaaaab9f82a7722bfe8cb6fcfcf67472beb692f1b7dafaf322759e7016dad1bc58457c0f03db50aa5bd088fef2b37358fcbc1524e20e9e14a9620373fdf8 tiff-4.0.6.tar.gz
-4d902d55d3f796f6f6e266ee1c1237a765ffb0595e0af8c325d08ad3eff76d87409ae4edae5bf3f8adb06796e2ddd2439f598c24760aa2444e30efb3f78e8ce8 CVE-2015-7554.patch
-4507d3852d57922574897d53f366d80d71d0d83850aa3c3993b956fabce26165f315838c17430d1abd41f160c40a4e3d8e6b31ff150e81059669ccfe29f90126 CVE-2015-8665.patch
-aaa315f45a0410a4173afbd0c913891d9a0df0c447b09fd1be6080ee78366294909b2d599b7908b591b7e3911ed6f5b6d97c054bb5a1e17540204b7542268d23 CVE-2015-8668.patch
-4ca7823f666df8f29eba0f62a14f71e440eef20fcc8d3a1a77cf65a07e1e737bdcfb49641ee5b62ce28877ef428106996254989d2100615dc7cf2be7aa903002 CVE-2015-8781-8782-8783.patch
-46c917d435bca839bc2bcdb170e1a9724e07da9ba9cdf1230168f1cef7b1e62c4af19ebe4892d9d56f29fcf2820b8f55e81539eca70120893b2f0894efcc370f CVE-2015-8784.patch
-93dfd29c884daaaa72196cc66537dba25d088ab86f09e8f9a69a3cb91e380e1b62860ae8aa459c4972c609422ac3a026e3a8b0e384438f48e697ab56c6af71f1 CVE-2016-3632.patch
-5aa686e8164eea39c0968d2748dcd02f536741b1d2c387dee60891f8768bc343c34f0851fe700f1457949bf3f534f49370f8b114663af977cb45d9a431b38425 CVE-2016-3945.patch
-289651ae11fc5c6ddfbab94af7f598165637cf8b827b1cffb5e4522c7d566c96a4fd07acc7195705a655e4c8f95ef0957df8d924f76bdf2bebcf918f4cec3a9d CVE-2016-3990.patch
-048cff76de85f51a942e15e5b2d72b63b75a79adba5e9d4a7a7fac8ca47b1caf48c4a4af28b226c3146a235aba7734f525b40f1274bc4f639bb9d870a637aa84 CVE-2016-3991.patch"
+md5sums="77ae928d2c6b7fb46a21c3a29325157b tiff-4.0.7.tar.gz"
+sha256sums="9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019 tiff-4.0.7.tar.gz"
+sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc tiff-4.0.7.tar.gz"
diff --git a/main/tiff/CVE-2015-7554.patch b/main/tiff/CVE-2015-7554.patch deleted file mode 100644
index 426a8ea914..0000000000
--- a/main/tiff/CVE-2015-7554.patch
+++ /dev/null
@@ -1,25 +0,0 @@ -https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-7554.patch - -diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c ---- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200 -+++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100 -@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out) - TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); - } - } -+ uint32 count = 0; - CopyField(TIFFTAG_PHOTOMETRIC, shortv); -- CopyField(TIFFTAG_PREDICTOR, shortv); -+ CopyField2(TIFFTAG_PREDICTOR, count, shortv); - CopyField(TIFFTAG_THRESHHOLDING, shortv); - CopyField(TIFFTAG_FILLORDER, shortv); - CopyField(TIFFTAG_ORIENTATION, shortv); -@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out) - CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); - CopyField(TIFFTAG_XRESOLUTION, floatv); - CopyField(TIFFTAG_YRESOLUTION, floatv); -- CopyField(TIFFTAG_GROUP3OPTIONS, longv); -+ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); - CopyField(TIFFTAG_GROUP4OPTIONS, longv); - CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); - CopyField(TIFFTAG_PLANARCONFIG, shortv); diff --git a/main/tiff/CVE-2015-8665.patch b/main/tiff/CVE-2015-8665.patch deleted file mode 100644 index f80d736e15..0000000000 --- a/main/tiff/CVE-2015-8665.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sat, 26 Dec 2015 17:32:03 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in - TIFFRGBAImage interface in case of unsupported values of - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by - limingxing and CVE-2015-8683 reported by zzf of Alibaba. - ---- - libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- - 2 files changed, 30 insertions(+), 13 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index cdeff08..261aad6 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d", -- "Samples/pixel", td->td_samplesperpixel); -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d and %s=%d", -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } -@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+ -+ if( !TIFFRGBAImageOK(tif, emsg) ) -+ return 0; - - /* Initialize to normal values */ - img->row_offset = 
0; -@@ -2509,29 +2514,33 @@ PickContigCase(TIFFRGBAImage* img) - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >= 4) - img->put.contig = putRGBAAcontig8bittile; -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >= 4) - { - if (BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >= 3 ) - img->put.contig = putRGBcontig8bittile; - break; - case 16: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBAAcontig16bittile; - } -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBcontig16bittile; -@@ -2540,7 +2549,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=4 && buildMap(img)) { - if (img->bitspersample == 8) { - if (!img->Map) - img->put.contig = putRGBcontig8bitCMYKtile; -@@ -2636,7 +2645,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel == 3 && buildMap(img)) { - if (img->bitspersample == 8) - img->put.contig = initCIELabConversion(img); - break; diff --git a/main/tiff/CVE-2015-8668.patch b/main/tiff/CVE-2015-8668.patch deleted file mode 100644 index 3f2f4e4c86..0000000000 --- a/main/tiff/CVE-2015-8668.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-8668.patch - -diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c -index 376f4e6..c747c13 100644 ---- a/tools/bmp2tiff.c -+++ b/tools/bmp2tiff.c -@@ -614,18 +614,27 @@ main(int argc, char* argv[]) - || info_hdr.iCompression == BMPC_RLE4 ) { - uint32 i, j, k, runlength; - uint32 compr_size, uncompr_size; -+ uint32 bits = 0; - unsigned char *comprbuf; - unsigned char *uncomprbuf; - - compr_size = file_hdr.iSize - file_hdr.iOffBits; -- uncompr_size = width * length; -- /* Detect int overflow */ -- if( uncompr_size / width != length ) { -- TIFFError(infilename, -- "Invalid dimensions of BMP file" ); -- close(fd); -- return -1; -- } -+ -+ bits = info_hdr.iBitCount; -+ -+ if (bits > 8) // bit depth is > 8bit, adjust size -+ { -+ uncompr_size = width * length * (bits / 8); -+ /* Detect int overflow */ -+ if (uncompr_size / width / (bits / 8) != length) { -+ TIFFError(infilename, -+ "Invalid dimensions of BMP file"); -+ close(fd); -+ return -1; -+ } -+ } -+ else -+ uncompr_size = width * length; - if ( (compr_size == 0) || - (compr_size > ((uint32) ~0) >> 1) || - (uncompr_size == 0) || diff --git a/main/tiff/CVE-2015-8781-8782-8783.patch b/main/tiff/CVE-2015-8781-8782-8783.patch deleted file mode 100644 index c8073baa08..0000000000 --- a/main/tiff/CVE-2015-8781-8782-8783.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sun, 27 Dec 2015 16:25:11 +0000 -Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in - decode functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). Fix potential out-of-bound reads in case of short - input data. - ---- - libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- - 2 files changed, 51 insertions(+), 11 deletions(-) - -diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c -index 3dc13f1..b66ff64 100644 ---- a/libtiff/tif_luv.c -+++ b/libtiff/tif_luv.c -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == 
SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = 
EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/main/tiff/CVE-2015-8784.patch b/main/tiff/CVE-2015-8784.patch deleted file mode 100644 index ab48ddf738..0000000000 --- a/main/tiff/CVE-2015-8784.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sun, 27 Dec 2015 16:55:20 +0000 -Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in - NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif - (bugzilla #2508) - ---- - libtiff/tif_next.c | 10 ++++++++-- - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c -index dd669cc..0a5b635 100644 ---- a/libtiff/tif_next.c -+++ b/libtiff/tif_next.c -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -+ tmsize_t op_offset = 0; - - /* - * The scanline is composed of a sequence of constant -@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; diff --git a/main/tiff/CVE-2016-3632.patch b/main/tiff/CVE-2016-3632.patch deleted file mode 100644 index 7640d1b17d..0000000000 --- a/main/tiff/CVE-2016-3632.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2016-3632.patch - -From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Nikola=20Forr=C3=B3?= -Date: Mon, 11 Jul 2016 16:04:34 +0200 -Subject: [PATCH 4/8] Fix CVE-2016-3632 ---- - tools/thumbnail.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/tools/thumbnail.c b/tools/thumbnail.c -index fd1cba5..75e7009 100644 ---- a/tools/thumbnail.c -+++ b/tools/thumbnail.c -@@ -253,7 +253,8 @@ static struct cpTag { - { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL }, - { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL }, - { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT }, -- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, -+ // disable BADFAXLINES, CVE-2016-3632 -+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, - { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, - { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, - { TIFFTAG_INKSET, 1, TIFF_SHORT }, diff --git a/main/tiff/CVE-2016-3945.patch b/main/tiff/CVE-2016-3945.patch deleted file mode 100644 index 53c6dc5d8e..0000000000 --- a/main/tiff/CVE-2016-3945.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2016-3945.patch;jsessionid=1rcllyzw1i6tk1nli211rmjqnf - -From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Mon, 15 Aug 2016 20:06:40 +0000 -Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of - allocated buffer, when -b mode is enabled, that could result in out-of-bounds - write. Based initially on patch tiff-CVE-2016-3945.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid - tests that rejected valid files. - -CVE: CVE-2016-3945 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6 - -Signed-off-by: Yi Zhao ---- -diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c -index b7a81eb..16e3dc4 100644 ---- a/tools/tiff2rgba.c -+++ b/tools/tiff2rgba.c -@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) - uint32 row, col; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ rastersize = tile_width * tile_height * sizeof (uint32); -+ if (tile_width != (rastersize / tile_height) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. 
- */ -- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); -+ wrk_linesize = tile_width * sizeof (uint32); -+ if (tile_width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; -@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) - uint32 row; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ rastersize = width * rowsperstrip * sizeof (uint32); -+ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); -+ wrk_linesize = width * sizeof (uint32); -+ if (width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; diff --git a/main/tiff/CVE-2016-3990.patch b/main/tiff/CVE-2016-3990.patch deleted file mode 100644 index b198014667..0000000000 --- a/main/tiff/CVE-2016-3990.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -https://patchwork.openembedded.org/patch/133225/ - -From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Mon, 15 Aug 2016 20:49:48 +0000 -Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in - PixarLogEncode if more input samples are provided than expected by - PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and - simpler check. (bugzilla #2544) - -invalid tests that rejected valid files. (bugzilla #2545) - -CVE: CVE-2016-3990 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 - -Signed-off-by: Yi Zhao ---- -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c -index e78f788..28329d1 100644 ---- a/libtiff/tif_pixarlog.c -+++ b/libtiff/tif_pixarlog.c -@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - } - - llen = sp->stride * td->td_imagewidth; -+ /* Check against the number of elements (of size uint16) of sp->tbuf */ -+ if( n > td->td_rowsperstrip * llen ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Too many input bytes provided"); -+ return 0; -+ } - - for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { - switch (sp->user_datafmt) { diff --git a/main/tiff/CVE-2016-3991.patch b/main/tiff/CVE-2016-3991.patch deleted file mode 100644 index 0a75bba666..0000000000 --- a/main/tiff/CVE-2016-3991.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -https://patchwork.openembedded.org/patch/133226/ - -From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001 -From: erouault -Date: Mon, 15 Aug 2016 21:05:40 +0000 -Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in - loadImage(). From patch libtiff-CVE-2016-3991.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) - -CVE: CVE-2016-3991 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba - -Signed-off-by: Yi Zhao ---- -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 27abc0b..ddba7b9 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, - } - - tile_buffsize = tilesize; -+ if (tilesize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); -+ exit(-1); -+ } - - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -- } -+ if (tl != (tile_buffsize / tile_rowsize)) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); -+ exit(-1); -+ } -+ } - - tilebuf = _TIFFmalloc(tile_buffsize); - if (tilebuf == 0) -@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, - !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) - return 1; - -+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) -+ { -+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); -+ exit(-1); -+ } -+ - tile_buffsize = tilesize; - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = 
tl * tile_rowsize; -+ if (tl != tile_buffsize / tile_rowsize) -+ { -+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - } - - tilebuf = _TIFFmalloc(tile_buffsize); -@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); - - tile_rowsize = TIFFTileRowSize(in); -+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); -+ exit(-1); -+ } - buffsize = tlsize * ntiles; -+ if (tlsize != (buffsize / ntiles)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - -- - if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) - { - buffsize = ntiles * tl * tile_rowsize; -+ if (ntiles != (buffsize / tl / tile_rowsize)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ - #ifdef DEBUG2 - TIFFError("loadImage", - "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", -@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - stsize = TIFFStripSize(in); - nstrips = TIFFNumberOfStrips(in); -+ if (nstrips == 0 || stsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); -+ exit(-1); -+ } -+ - buffsize = stsize * nstrips; -- -+ if (stsize != (buffsize / nstrips)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ uint32 buffsize_check; -+ buffsize_check = ((length * width * spp * bps) + 7); -+ if (length != ((buffsize_check - 7) / width / spp / bps)) -+ { -+ TIFFError("loadImage", "Integer overflow detected."); -+ exit(-1); -+ } - if (buffsize < (uint32) (((length * width * spp 
* bps) + 7) / 8)) - { - buffsize = ((length * width * spp * bps) + 7) / 8; -- cgit v1.2.3