Commit c14e8873 authored by Natanael Copa's avatar Natanael Copa

main/tiff: sec fixes from upstream (CVE-2012-4447,CVE-2012-4564,CVE-2013-1960,CVE-2013-1961)

ref #2203
fixes #2204
parent 07620e72
......@@ -2,7 +2,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.3
pkgrel=0
pkgrel=1
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
......@@ -12,6 +12,10 @@ depends_dev="zlib-dev libjpeg-turbo-dev"
makedepends="libtool autoconf automake $depends_dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
libtiff-CVE-2012-4447.patch
libtiff-CVE-2012-4564.patch
libtiff-CVE-2013-1960.patch
libtiff-CVE-2013-1961.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
......@@ -54,4 +58,18 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
md5sums="051c1068e6a0627f461948c365290410 tiff-4.0.3.tar.gz"
md5sums="051c1068e6a0627f461948c365290410 tiff-4.0.3.tar.gz
71bbe3b51f8a4e3a26cbf0af63588e4a libtiff-CVE-2012-4447.patch
a4b9f293f706b5668df62833cf0b56d2 libtiff-CVE-2012-4564.patch
e9de577a81571ab8ffac84aac8c64381 libtiff-CVE-2013-1960.patch
e484981da6d2366a30a89dc0217c115a libtiff-CVE-2013-1961.patch"
sha256sums="ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872 tiff-4.0.3.tar.gz
917187494cd3f80929e4919951637683aaccd98ffa23a6f1f97e49f6db85baa9 libtiff-CVE-2012-4447.patch
0ef1f4055930c8b38246a4f6ed66e393bb2f2a3d5238f5c5f5d57d1f4b230d3e libtiff-CVE-2012-4564.patch
688e577d3266b1cd7df5321b5e63fed82d088407a447a022eea2188d643b5a5b libtiff-CVE-2013-1960.patch
2f0a1cf4826416d248ff5288db7702b80245d02c624c415836053a762c1e3fd4 libtiff-CVE-2013-1961.patch"
sha512sums="d80e18b00e9e696a30b954c0d92e5f2f773fd9a7a0a944cf6cabb69c1798e671506580daa1cd2ebf493ae922000170c2491dfc6d4c0a9cd0b865684070595a73 tiff-4.0.3.tar.gz
1377b675cfbeffbe810518053fb2e683f889cf1274d0b1adc6060beb9ef70dcd504038b02d569d08bf497511b99ea9c237e581b4a66676d0a69370b78c98736b libtiff-CVE-2012-4447.patch
d8e9ffaefd9ce9f38c117faa6368fd858422b870d1afa3e9ce7b05218f35c29a84e23a1da00879aedade4c1d1d578c06be08aa51ed4e2e7d2a3ca819614be8e8 libtiff-CVE-2012-4564.patch
db160c93453db8f4b611028bca48622eebfa54b320b780b7491bdc9c3385d227928a7e9016073a64cdd85388284aa2bb0f0af04daa235d45cdb28e4e6fcf82fa libtiff-CVE-2013-1960.patch
c9870c7b85d2a3c666e2c9f932c815a1b4c9fb0bf2485c7cfff3ab3435222214fa7900adc0ded0f49866f28db2124121012bac7186b675955613fa983dbf45d7 libtiff-CVE-2013-1961.patch"
Upstream patch for CVE-2012-4447.
diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400
+++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500
@@ -644,6 +644,20 @@
return bytes;
}
+static tmsize_t
+add_ms(tmsize_t m1, tmsize_t m2)
+{
+ tmsize_t bytes = m1 + m2;
+
+ /* if either input is zero, assume overflow already occurred */
+ if (m1 == 0 || m2 == 0)
+ bytes = 0;
+ else if (bytes <= m1 || bytes <= m2)
+ bytes = 0;
+
+ return bytes;
+}
+
static int
PixarLogFixupTags(TIFF* tif)
{
@@ -671,9 +685,11 @@
td->td_samplesperpixel : 1);
tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
td->td_rowsperstrip), sizeof(uint16));
+ /* add one more stride in case input ends mid-stride */
+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
if (tbuf_size == 0)
return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
Upstream patch for CVE-2012-4564.
diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
--- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400
+++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500
@@ -72,6 +72,17 @@
exit(-2);
}
+static tmsize_t
+multiply_ms(tmsize_t m1, tmsize_t m2)
+{
+ tmsize_t bytes = m1 * m2;
+
+ if (m1 && bytes / m1 != m2)
+ bytes = 0;
+
+ return bytes;
+}
+
int
main(int argc, char* argv[])
{
@@ -79,7 +90,7 @@
uint32 rowsperstrip = (uint32) -1;
double resolution = -1;
unsigned char *buf = NULL;
- tsize_t linebytes = 0;
+ tmsize_t linebytes = 0;
uint16 spp = 1;
uint16 bpp = 8;
TIFF *out;
@@ -89,6 +100,7 @@
int c;
extern int optind;
extern char* optarg;
+ tmsize_t scanline_size;
if (argc < 2) {
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
@@ -221,7 +233,8 @@
}
switch (bpp) {
case 1:
- linebytes = (spp * w + (8 - 1)) / 8;
+ /* if round-up overflows, result will be zero, OK */
+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
if (rowsperstrip == (uint32) -1) {
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
} else {
@@ -230,15 +243,31 @@
}
break;
case 8:
- linebytes = spp * w;
+ linebytes = multiply_ms(spp, w);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
TIFFDefaultStripSize(out, rowsperstrip));
break;
}
- if (TIFFScanlineSize(out) > linebytes)
+ if (linebytes == 0) {
+ fprintf(stderr, "%s: scanline size overflow\n", infile);
+ (void) TIFFClose(out);
+ exit(-2);
+ }
+ scanline_size = TIFFScanlineSize(out);
+ if (scanline_size == 0) {
+ /* overflow - TIFFScanlineSize already printed a message */
+ (void) TIFFClose(out);
+ exit(-2);
+ }
+ if (scanline_size < linebytes)
buf = (unsigned char *)_TIFFmalloc(linebytes);
else
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
+ if (buf == NULL) {
+ fprintf(stderr, "%s: Not enough memory\n", infile);
+ (void) TIFFClose(out);
+ exit(-2);
+ }
if (resolution > 0) {
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
+++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
@@ -3341,33 +3341,56 @@
uint32 height){
tsize_t i=0;
- uint16 ri =0;
- uint16 v_samp=1;
- uint16 h_samp=1;
- int j=0;
-
- i++;
-
- while(i<(*striplength)){
+
+ while (i < *striplength) {
+ tsize_t datalen;
+ uint16 ri;
+ uint16 v_samp;
+ uint16 h_samp;
+ int j;
+ int ncomp;
+
+ /* marker header: one or more FFs */
+ if (strip[i] != 0xff)
+ return(0);
+ i++;
+ while (i < *striplength && strip[i] == 0xff)
+ i++;
+ if (i >= *striplength)
+ return(0);
+ /* SOI is the only pre-SOS marker without a length word */
+ if (strip[i] == 0xd8)
+ datalen = 0;
+ else {
+ if ((*striplength - i) <= 2)
+ return(0);
+ datalen = (strip[i+1] << 8) | strip[i+2];
+ if (datalen < 2 || datalen >= (*striplength - i))
+ return(0);
+ }
switch( strip[i] ){
- case 0xd8:
- /* SOI - start of image */
+ case 0xd8: /* SOI - start of image */
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
*bufferoffset+=2;
- i+=2;
break;
- case 0xc0:
- case 0xc1:
- case 0xc3:
- case 0xc9:
- case 0xca:
+ case 0xc0: /* SOF0 */
+ case 0xc1: /* SOF1 */
+ case 0xc3: /* SOF3 */
+ case 0xc9: /* SOF9 */
+ case 0xca: /* SOF10 */
if(no==0){
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- for(j=0;j<buffer[*bufferoffset+9];j++){
- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ ncomp = buffer[*bufferoffset+9];
+ if (ncomp < 1 || ncomp > 4)
+ return(0);
+ v_samp=1;
+ h_samp=1;
+ for(j=0;j<ncomp;j++){
+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
+ if( (samp>>4) > h_samp)
+ h_samp = (samp>>4);
+ if( (samp & 0x0f) > v_samp)
+ v_samp = (samp & 0x0f);
}
v_samp*=8;
h_samp*=8;
@@ -3381,45 +3404,43 @@
(unsigned char) ((height>>8) & 0xff);
buffer[*bufferoffset+6]=
(unsigned char) (height & 0xff);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
-
+ *bufferoffset+=datalen+2;
+ /* insert a DRI marker */
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=0xdd;
buffer[(*bufferoffset)++]=0x00;
buffer[(*bufferoffset)++]=0x04;
buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
buffer[(*bufferoffset)++]= ri & 0xff;
- } else {
- i+=strip[i+2]+2;
}
break;
- case 0xc4:
- case 0xdb:
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
+ case 0xc4: /* DHT */
+ case 0xdb: /* DQT */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
break;
- case 0xda:
+ case 0xda: /* SOS */
if(no==0){
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
} else {
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=
(unsigned char)(0xd0 | ((no-1)%8));
- i+=strip[i+2]+2;
}
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
- *bufferoffset+=(*striplength)-i-1;
+ i += datalen + 1;
+ /* copy remainder of strip */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+ *bufferoffset+= *striplength - i;
return(1);
default:
- i+=strip[i+2]+2;
+ /* ignore any other marker */
+ break;
}
+ i += datalen + 1;
}
-
+ /* failed to find SOS marker */
return(0);
}
#endif
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment