diff --git a/SOURCES/libtiff-CVE-2014-8127.patch b/SOURCES/libtiff-CVE-2014-8127.patch new file mode 100644 index 0000000..d426710 --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-8127.patch @@ -0,0 +1,169 @@ +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 19a26e2..6667228 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif) + if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1)) + goto bad; + } ++ /* ++ * SamplesPerPixel value has changed, adjust SMinSampleValue ++ * and SMaxSampleValue arrays if necessary ++ */ ++ { ++ uint32 saved_flags; ++ saved_flags = tif->tif_flags; ++ tif->tif_flags &= ~TIFF_PERSAMPLE; ++ if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE)) ++ { ++ if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0])) ++ { ++ tif->tif_flags = saved_flags; ++ goto bad; ++ } ++ } ++ if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE)) ++ { ++ if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0])) ++ { ++ tif->tif_flags = saved_flags; ++ goto bad; ++ } ++ } ++ tif->tif_flags = saved_flags; ++ } + } + } + /* +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index fa20609..fa68d1c 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) + { + if (!isTiled(tif)) + { +- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) +- goto bad; ++ /* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */ ++ if (tif->tif_dir.td_stripoffset) ++ { ++ if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) ++ goto bad; ++ } + } + else + { +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 2ba822a..dfc5b07 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) + return ((tmsize_t)(-1)); + } + bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid strip byte count, strip %lu", +@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "Invalid strip byte count %I64u, strip %lu", +@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[tile]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid tile byte count, tile %lu", +diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c +index b5ed30b..376f4e6 100644 +--- a/tools/bmp2tiff.c ++++ b/tools/bmp2tiff.c +@@ -401,6 +401,24 @@ main(int argc, char* argv[]) + return 0; + } + ++ if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4) ++ { ++ TIFFError(infilename, ++ "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression", ++ info_hdr.iBitCount); ++ close(fd); ++ return 0; ++ } ++ ++ if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8) ++ { ++ TIFFError(infilename, ++ "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression", ++ info_hdr.iBitCount); ++ close(fd); ++ return 0; ++ } ++ + width = info_hdr.iWidth; + length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; + if( width <= 0 || length <= 0 ) +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 8608aad..426bbc0 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -372,7 +372,8 @@ static struct cpTag { + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) ++ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index fd1cba5..06edf93 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -257,7 +257,8 @@ static struct cpTag { + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) ++ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out) + rowsize = TIFFScanlineSize(in); + rastersize = sh * rowsize; + fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize); +- raster = (unsigned char*)_TIFFmalloc(rastersize); ++ raster = (unsigned char*)_TIFFmalloc(rastersize + 3); + if (!raster) { + TIFFError(TIFFFileName(in), + "Can't allocate space for raster buffer."); +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index c5dcb7c..02605df 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -171,6 +171,11 @@ main(int argc, char* argv[]) + argv[optind], samplesperpixel); + return (-1); + } ++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { ++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", ++ argv[optind], samplesperpixel); ++ return (-1); ++ } + TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); + if (bitspersample != 8) { + fprintf(stderr, diff --git a/SOURCES/libtiff-CVE-2014-8129.patch b/SOURCES/libtiff-CVE-2014-8129.patch new file mode 100644 index 0000000..9cd7bd9 --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-8129.patch @@ -0,0 +1,174 @@ +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 8bf3ea7..f812fa2 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; ++ double dblval; + char* s; + const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); + uint32 standard_tag = tag; +@@ -283,10 +284,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); + break; + case TIFFTAG_XRESOLUTION: +- td->td_xresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_xresolution = (float) dblval; + break; + case TIFFTAG_YRESOLUTION: +- td->td_yresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_yresolution = (float) dblval; + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -693,6 +700,16 @@ badvalue32: + va_end(ap); + } + return (0); ++badvaluedouble: ++ { ++ const TIFFField* fip=TIFFFieldWithTag(tif,tag); ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Bad value %f for \"%s\" tag", ++ tif->tif_name, dblval, ++ fip->field_name); ++ va_end(ap); ++ } ++ return (0); + } + + /* +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index 524e127..81084ff 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + default: { + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; ++ if( isTiled(tif) ) ++ imagewidth = tif->tif_dir.td_tilewidth; + + /* + * The scanline is composed of a sequence of constant +@@ -139,10 +141,28 @@ bad: + return (0); + } + ++static int ++NeXTPreDecode(TIFF* tif, uint16 s) ++{ ++ static const char module[] = "NeXTPreDecode"; ++ TIFFDirectory *td = &tif->tif_dir; ++ (void)s; ++ ++ if( td->td_bitspersample != 2 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", ++ td->td_bitspersample); ++ return (0); ++ } ++ return (1); ++} ++ ++ + int + TIFFInitNeXT(TIFF* tif, int scheme) + { + (void) scheme; ++ tif->tif_predecode = NeXTPreDecode; + tif->tif_decoderow = NeXTDecode; + tif->tif_decodestrip = NeXTDecode; + tif->tif_decodetile = NeXTDecode; +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 26a1acb..2a64ec3 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1165,6 +1165,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ + TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid tile count, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tilecount/= xuint16; + } + if( t2p->tiff_tiles[i].tiles_tilecount > 0){ +@@ -1545,6 +1554,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + #endif + break; + case PHOTOMETRIC_CIELAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for CIELAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for CIELAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]= -127; + t2p->pdf_labrange[1]= 127; + t2p->pdf_labrange[2]= -127; +@@ -1560,6 +1585,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + t2p->pdf_colorspace=T2P_CS_LAB; + break; + case PHOTOMETRIC_ITULAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for ITULAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for ITULAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]=-85; + t2p->pdf_labrange[1]=85; + t2p->pdf_labrange[2]=-75; +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index abeb4f6..ea4f7a1 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + tsize_t tilesize = TIFFTileSize(out); + unsigned char *tilebuf = NULL; + +- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); +- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); +- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || ++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || ++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) ++ return 1; + + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) diff --git a/SOURCES/libtiff-CVE-2014-8130.patch b/SOURCES/libtiff-CVE-2014-8130.patch new file mode 100644 index 0000000..d6683c3 --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-8130.patch @@ -0,0 +1,26 @@ +diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c +index 1387558..0a3a4a8 100644 +--- a/libtiff/tif_unix.c ++++ b/libtiff/tif_unix.c +@@ -257,6 +257,8 @@ TIFFOpenW(const wchar_t* name, const char* mode) + void* + _TIFFmalloc(tmsize_t s) + { ++ if ( s == 0 ) ++ return ((void *) NULL); + return (malloc((size_t) s)); + } + +diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c +index 2cf1de9..612a00d 100644 +--- a/libtiff/tif_win32.c ++++ b/libtiff/tif_win32.c +@@ -329,6 +329,8 @@ TIFFOpenW(const wchar_t* name, const char* mode) + void* + _TIFFmalloc(tmsize_t s) + { ++ if ( s == 0 ) ++ return ((tdata_t) NULL); + return (malloc((size_t) s)); + } + diff --git a/SOURCES/libtiff-CVE-2014-9330.patch b/SOURCES/libtiff-CVE-2014-9330.patch new file mode 100644 index 0000000..cfc83cc --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-9330.patch @@ -0,0 +1,34 @@ +diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c +index c66a8d2..b5ed30b 100644 +--- a/tools/bmp2tiff.c ++++ b/tools/bmp2tiff.c +@@ -403,6 +403,14 @@ main(int argc, char* argv[]) + + width = info_hdr.iWidth; + length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; ++ if( width <= 0 || length <= 0 ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } ++ + + switch (info_hdr.iBitCount) + { +@@ -593,6 +601,14 @@ main(int argc, char* argv[]) + + compr_size = file_hdr.iSize - file_hdr.iOffBits; + uncompr_size = width * length; ++ /* Detect int overflow */ ++ if( uncompr_size / width != length ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, diff --git a/SOURCES/libtiff-CVE-2014-9655.patch b/SOURCES/libtiff-CVE-2014-9655.patch new file mode 100644 index 0000000..033c627 --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-9655.patch @@ -0,0 +1,108 @@ +From a777efdb86da87073511e56e8fc4ef63fc111b5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 15:50:56 +0200 +Subject: [PATCH 1/8] Fix CVE-2014-9655 + +--- + libtiff/tif_getimage.c | 20 ++++++++++++++------ + libtiff/tif_next.c | 4 +++- + 2 files changed, 17 insertions(+), 7 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a85273c..1c1cf9e 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -842,6 +842,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + int32 fromskew, toskew; + int ret = 1, flip; + ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); ++ if( subsamplingver == 0 ) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); ++ return (0); ++ } ++ + buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif)); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); +@@ -859,7 +865,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + + TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); +- TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); ++ + scanline = TIFFScanlineSize(tif); + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) +@@ -1852,7 +1858,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + + (void) y; + fromskew = (fromskew * 10) / 4; +- if ((h & 3) == 0 && (w & 1) == 0) { ++ if ((w & 3) == 0 && (h & 1) == 0) { + for (; h >= 2; h -= 2) { + x = w>>2; + do { +@@ -1929,7 +1935,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + /* XXX adjust fromskew */ + do { + x = w>>2; +- do { ++ while(x>0) { + int32 Cb = pp[4]; + int32 Cr = pp[5]; + +@@ -1940,7 +1946,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + + cp += 4; + pp += 6; +- } while (--x); ++ x--; ++ } + + if( (w&3) != 0 ) + { +@@ -2031,7 +2038,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + fromskew = (fromskew * 4) / 2; + do { + x = w>>1; +- do { ++ while(x>0) { + int32 Cb = pp[2]; + int32 Cr = pp[3]; + +@@ -2040,7 +2047,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + + cp += 2; + pp += 4; +- } while (--x); ++ x --; ++ } + + if( (w&1) != 0 ) + { +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index 524e127..92ef6ee 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); + return (0); + } +- for (row = buf; occ > 0; occ -= scanline, row += scanline) { ++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { + n = *bp++, cc--; + switch (n) { + case LITERALROW: +@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + * The scanline has a literal span that begins at some + * offset. + */ ++ if( cc < 4 ) ++ goto bad; + off = (bp[0] * 256) + bp[1]; + n = (bp[2] * 256) + bp[3]; + if (cc < 4+n || off+n > scanline) +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2015-1547_8784.patch b/SOURCES/libtiff-CVE-2015-1547_8784.patch new file mode 100644 index 0000000..03d9b32 --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-1547_8784.patch @@ -0,0 +1,52 @@ +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index b014685..13c0848 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -37,7 +37,7 @@ + case 0: op[0] = (unsigned char) ((v) << 6); break; \ + case 1: op[0] |= (v) << 4; break; \ + case 2: op[0] |= (v) << 2; break; \ +- case 3: *op++ |= (v); break; \ ++ case 3: *op++ |= (v); op_offset++; break; \ + } \ + } + +@@ -107,6 +107,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; + ++ tmsize_t op_offset = 0; ++ + /* + * The scanline is composed of a sequence of constant + * color ``runs''. We shift into ``run mode'' and +@@ -120,10 +122,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + * bounds, potentially resulting in a security + * issue. + */ +- while (n-- > 0 && npixels < imagewidth) ++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) + SETPIXEL(op, grey); + if (npixels >= imagewidth) + break; ++ if (op_offset >= scanline ) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", ++ (long) tif->tif_row); ++ return (0); ++ } + if (cc == 0) + goto bad; + n = *bp++, cc--; +@@ -162,9 +169,9 @@ NeXTPreDecode(TIFF* tif, uint16 s) + TIFFInitNeXT(TIFF* tif, int scheme) + { + (void) scheme; +- tif->tif_predecode = NeXTPreDecode; +- tif->tif_decoderow = NeXTDecode; +- tif->tif_decodestrip = NeXTDecode; ++ tif->tif_predecode = NeXTPreDecode; ++ tif->tif_decoderow = NeXTDecode; ++ tif->tif_decodestrip = NeXTDecode; + tif->tif_decodetile = NeXTDecode; + return (1); + } diff --git a/SOURCES/libtiff-CVE-2015-7554.patch b/SOURCES/libtiff-CVE-2015-7554.patch new file mode 100644 index 0000000..cc76047 --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-7554.patch @@ -0,0 +1,23 @@ +diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c +--- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200 ++++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100 +@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out) + TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); + } + } ++ uint32 count = 0; + CopyField(TIFFTAG_PHOTOMETRIC, shortv); +- CopyField(TIFFTAG_PREDICTOR, shortv); ++ CopyField2(TIFFTAG_PREDICTOR, count, shortv); + CopyField(TIFFTAG_THRESHHOLDING, shortv); + CopyField(TIFFTAG_FILLORDER, shortv); + CopyField(TIFFTAG_ORIENTATION, shortv); +@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out) + CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); + CopyField(TIFFTAG_XRESOLUTION, floatv); + CopyField(TIFFTAG_YRESOLUTION, floatv); +- CopyField(TIFFTAG_GROUP3OPTIONS, longv); ++ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); + CopyField(TIFFTAG_GROUP4OPTIONS, longv); + CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); + CopyField(TIFFTAG_PLANARCONFIG, shortv); diff --git a/SOURCES/libtiff-CVE-2015-8668.patch b/SOURCES/libtiff-CVE-2015-8668.patch new file mode 100644 index 0000000..436326e --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-8668.patch @@ -0,0 +1,41 @@ +diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c +index 376f4e6..c747c13 100644 +--- a/tools/bmp2tiff.c ++++ b/tools/bmp2tiff.c +@@ -614,19 +614,27 @@ main(int argc, char* argv[]) + || info_hdr.iCompression == BMPC_RLE4 ) { + uint32 i, j, k, runlength; + uint32 compr_size, uncompr_size; ++ uint32 bits = 0; + unsigned char *comprbuf; + unsigned char *uncomprbuf; + + compr_size = file_hdr.iSize - file_hdr.iOffBits; +- uncompr_size = width * length; +- /* Detect int overflow */ +- if( uncompr_size / width != length ) +- { +- TIFFError(infilename, +- "Invalid dimensions of BMP file" ); +- close(fd); +- return -1; +- } ++ ++ bits = info_hdr.iBitCount; ++ ++ if (bits > 8) // bit depth is > 8bit, adjust size ++ { ++ uncompr_size = width * length * (bits / 8); ++ /* Detect int overflow */ ++ if (uncompr_size / width / (bits / 8) != length) { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file"); ++ close(fd); ++ return -1; ++ } ++ } ++ else ++ uncompr_size = width * length; + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, diff --git a/SOURCES/libtiff-CVE-2015-8683_8665.patch b/SOURCES/libtiff-CVE-2015-8683_8665.patch new file mode 100644 index 0000000..13647d0 --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-8683_8665.patch @@ -0,0 +1,98 @@ +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 1633325..018351b 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -182,8 +182,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) + "Planarconfiguration", td->td_planarconfig); + return (0); + } ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d, %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels); ++ return 0; ++ } + break; + case PHOTOMETRIC_CIELAB: ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels, ++ "Bits/sample", td->td_bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +@@ -241,6 +258,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) + uint16 *red_orig, *green_orig, *blue_orig; + int n_color; + ++ if( !TIFFRGBAImageOK(tif, emsg) ) ++ return 0; ++ + /* Initialize to normal values */ + img->row_offset = 0; + img->col_offset = 0; +@@ -2453,29 +2473,33 @@ PickContigCase(TIFFRGBAImage* img) + case PHOTOMETRIC_RGB: + switch (img->bitspersample) { + case 8: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >= 4) + img->put.contig = putRGBAAcontig8bittile; +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >= 4) + { + if (BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig8bittile; + } +- else ++ else if( img->samplesperpixel >= 3 ) + img->put.contig = putRGBcontig8bittile; + break; + case 16: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBAAcontig16bittile; + } +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img) && + BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig16bittile; + } +- else ++ else if( img->samplesperpixel >=3 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBcontig16bittile; +@@ -2484,7 +2508,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_SEPARATED: +- if (buildMap(img)) { ++ if (img->samplesperpixel >=4 && buildMap(img)) { + if (img->bitspersample == 8) { + if (!img->Map) + img->put.contig = putRGBcontig8bitCMYKtile; +@@ -2580,7 +2604,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_CIELAB: +- if (buildMap(img)) { ++ if (img->samplesperpixel == 3 && buildMap(img)) { + if (img->bitspersample == 8) + img->put.contig = initCIELabConversion(img); + break; diff --git a/SOURCES/libtiff-CVE-2015-8781.patch b/SOURCES/libtiff-CVE-2015-8781.patch new file mode 100644 index 0000000..f56aa90 --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-8781.patch @@ -0,0 +1,159 @@ +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c +index eba6c08..ebbd692 100644 +--- a/libtiff/tif_luv.c ++++ b/libtiff/tif_luv.c +@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_16BIT) + tp = (int16*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (int16*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 2*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ +- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ if ( cc < 2 ) ++ break; ++ rc = *bp++ + (2-128); + b = (int16)(*bp++ << shft); + cc -= 2; + while (rc-- && i < npixels) +@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + while (--cc && rc-- && i < npixels) + tp[i++] |= (int16)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32 *)op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32 *) sp->tbuf; + } + /* copy to array of uint32 */ + bp = (unsigned char*) tif->tif_rawcp; + cc = tif->tif_rawcc; +- for (i = 0; i < npixels && cc > 0; i++) { ++ for (i = 0; i < npixels && cc >= 3; i++) { + tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; + bp += 3; + cc -= 3; +@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 4*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ ++ if ( cc < 2 ) ++ break; + rc = *bp++ + (2-128); + b = (uint32)*bp++ << shft; +- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ cc -= 2; + while (rc-- && i < npixels) + tp[i++] |= b; + } else { /* non-run */ +@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + while (--cc && rc-- && i < npixels) + tp[i++] |= (uint32)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module [] = "LogL16Encode"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (int16*) bp; + else { + tp = (int16*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ +@@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module [] = "LogLuvEncode24"; + LogLuvState* sp = EncoderState(tif); + tmsize_t i; + tmsize_t npixels; +@@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* write out encoded pixels */ +@@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module [] = "LogLuvEncode32"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ diff --git a/SOURCES/libtiff-CVE-2016-3632.patch b/SOURCES/libtiff-CVE-2016-3632.patch new file mode 100644 index 0000000..bb0bc07 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3632.patch @@ -0,0 +1,26 @@ +From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 16:04:34 +0200 +Subject: [PATCH 4/8] Fix CVE-2016-3632 + +--- + tools/thumbnail.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index fd1cba5..75e7009 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -253,7 +253,8 @@ static struct cpTag { + { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL }, + { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL }, + { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT }, +- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, ++ // disable BADFAXLINES, CVE-2016-3632 ++ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-3945.patch b/SOURCES/libtiff-CVE-2016-3945.patch new file mode 100644 index 0000000..cb496a0 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3945.patch @@ -0,0 +1,92 @@ +From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 16:05:49 +0200 +Subject: [PATCH 5/8] Fix CVE-2016-3945 + +--- + tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c +index 737167c..5228966 100644 +--- a/tools/tiff2rgba.c ++++ b/tools/tiff2rgba.c +@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) + uint32 row, col; + uint32 *wrk_line; + int ok = 1; ++ uint32 rastersize, wrk_linesize; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ rastersize = tile_width * tile_height * sizeof (uint32); ++ if (width != (tile_width / tile_height) / sizeof( uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); ++ exit(-1); ++ } ++ raster = (uint32*)_TIFFmalloc(rastersize); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) + * Allocate a scanline buffer for swapping during the vertical + * mirroring pass. + */ +- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); ++ wrk_linesize = tile_width * sizeof (uint32); ++ if (wrk_linesize != tile_width / sizeof (uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); ++ exit(-1); ++ } ++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); + if (!wrk_line) { + TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); + ok = 0; +@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) + uint32 row; + uint32 *wrk_line; + int ok = 1; ++ uint32 rastersize, wrk_linesize; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ rastersize = width * rowsperstrip * sizeof (uint32); ++ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); ++ exit(-1); ++ } ++ raster = (uint32*)_TIFFmalloc(rastersize); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) + * Allocate a scanline buffer for swapping during the vertical + * mirroring pass. + */ +- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); ++ wrk_linesize = width * sizeof (uint32); ++ if (wrk_linesize != width / sizeof (uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); ++ exit(-1); ++ } ++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); + if (!wrk_line) { + TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); + ok = 0; +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-3990.patch b/SOURCES/libtiff-CVE-2016-3990.patch new file mode 100644 index 0000000..c5a9e8b --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3990.patch @@ -0,0 +1,63 @@ +From 46d1b6c09939eef09e45ccec345c6724cabc454e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 16:44:22 +0200 +Subject: [PATCH 6/8] Fix CVE-2016-3990 + +--- + libtiff/tif_pixarlog.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index 2793b22..c9f056e 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -462,6 +462,7 @@ typedef struct { + int state; + int user_datafmt; + int quality; ++ tsize_t tbuf_size; + #define PLSTATE_INIT 1 + + TIFFVSetMethod vgetparent; /* super-class method */ +@@ -885,6 +886,7 @@ PixarLogSetupEncode(TIFF* tif) + td->td_samplesperpixel : 1); + tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), + td->td_rowsperstrip), sizeof(uint16)); ++ sp->tbuf_size = tbuf_size; + if (tbuf_size == 0) + return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); +@@ -1131,8 +1133,17 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + } + + llen = sp->stride * td->td_imagewidth; +- ++ if (llen > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name); ++ exit (0); ++ } + for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { ++ if (up > sp->tbuf+sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name); ++ exit (0); ++ } + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalDifferenceF((float *)bp, llen, +@@ -1169,6 +1180,11 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + "ZLib cannot deal with buffers this size"); + return (0); + } ++ if (sp->stream.avail_in > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Error within the calculation on ZLib buffer size.", tif->tif_name); ++ return (0); ++ } + + do { + if (deflate(&sp->stream, Z_NO_FLUSH) != Z_OK) { +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-3991.patch b/SOURCES/libtiff-CVE-2016-3991.patch new file mode 100644 index 0000000..0ca667d --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3991.patch @@ -0,0 +1,111 @@ +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ea4f7a1..f04e2eb 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, + } + + tile_buffsize = tilesize; ++ if (tilesize == 0 || tile_rowsize == 0) ++ { ++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); ++ exit(-1); ++ } + + if (tilesize < (tsize_t)(tl * tile_rowsize)) + { +@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, + tilesize, tl * tile_rowsize); + #endif + tile_buffsize = tl * tile_rowsize; +- } ++ if (tl != (tile_buffsize / tile_rowsize)) ++ { ++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); ++ exit(-1); ++ } ++ } + + tilebuf = _TIFFmalloc(tile_buffsize); + if (tilebuf == 0) +@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) + return 1; + ++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) ++ { ++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); ++ exit(-1); ++ } ++ + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) + { +@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + tilesize, tl * tile_rowsize); + #endif + tile_buffsize = tl * tile_rowsize; ++ if (tl != tile_buffsize / tile_rowsize) ++ { ++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } + } + + tilebuf = _TIFFmalloc(tile_buffsize); +@@ -5931,12 +5952,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); + + tile_rowsize = TIFFTileRowSize(in); ++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) ++ { ++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); ++ exit(-1); ++ } + buffsize = tlsize * ntiles; ++ if (tlsize != (buffsize / ntiles)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } + +- + if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) + { + buffsize = ntiles * tl * tile_rowsize; ++ if (ntiles != (buffsize / tl / tile_rowsize)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } ++ + #ifdef DEBUG2 + TIFFError("loadImage", + "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", +@@ -5955,8 +5991,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); + stsize = TIFFStripSize(in); + nstrips = TIFFNumberOfStrips(in); ++ if (nstrips == 0 || stsize == 0) ++ { ++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); ++ exit(-1); ++ } ++ + buffsize = stsize * nstrips; +- ++ if (stsize != (buffsize / nstrips)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } ++ uint32 buffsize_check; ++ buffsize_check = ((length * width * spp * bps) + 7); ++ if (length != ((buffsize_check - 7) / width / spp / bps)) ++ { ++ TIFFError("loadImage", "Integer overflow detected."); ++ exit(-1); ++ } + if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) + { + buffsize = ((length * width * spp * bps) + 7) / 8; diff --git a/SOURCES/libtiff-CVE-2016-5320.patch b/SOURCES/libtiff-CVE-2016-5320.patch new file mode 100644 index 0000000..fc05ed6 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-5320.patch @@ -0,0 +1,45 @@ +From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 16:54:49 +0200 +Subject: [PATCH 8/8] Fix CVE-2016-5320 + +--- + libtiff/tif_pixarlog.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index c9f056e..c961529 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -462,7 +462,7 @@ typedef struct { + int state; + int user_datafmt; + int quality; +- tsize_t tbuf_size; ++ tmsize_t tbuf_size; + #define PLSTATE_INIT 1 + + TIFFVSetMethod vgetparent; /* super-class method */ +@@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif) + if (tbuf_size == 0) + return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); ++ sp->tbuf_size = tbuf_size; + if (sp->tbuf == NULL) + return (0); + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) +@@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); + return (0); + } ++ if (sp->stream.avail_out > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size"); ++ return (0); ++ } + do { + int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); + if (state == Z_STREAM_END) { +-- +2.7.4 + diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec index 9892c94..141e1ee 100644 --- a/SPECS/libtiff.spec +++ b/SPECS/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.3 -Release: 14%{?dist} +Release: 25%{?dist} License: libtiff Group: System Environment/Libraries @@ -22,6 +22,21 @@ Patch9: libtiff-CVE-2013-4231.patch Patch10: libtiff-CVE-2013-4232.patch Patch11: libtiff-CVE-2013-4244.patch Patch12: libtiff-CVE-2013-4243.patch +Patch13: libtiff-CVE-2014-9330.patch +Patch14: libtiff-CVE-2014-8127.patch +Patch15: libtiff-CVE-2014-8129.patch +Patch16: libtiff-CVE-2014-8130.patch +Patch17: libtiff-CVE-2014-9655.patch +Patch18: libtiff-CVE-2015-1547_8784.patch +Patch19: libtiff-CVE-2015-7554.patch +Patch20: libtiff-CVE-2015-8683_8665.patch +Patch21: libtiff-CVE-2015-8668.patch +Patch22: libtiff-CVE-2015-8781.patch +Patch23: libtiff-CVE-2016-3632.patch +Patch24: libtiff-CVE-2016-3945.patch +Patch25: libtiff-CVE-2016-3990.patch +Patch26: libtiff-CVE-2016-3991.patch +Patch27: libtiff-CVE-2016-5320.patch BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -85,6 +100,21 @@ image files using the libtiff library. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -189,6 +219,68 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Wed Jul 27 2016 Nikola Forró - 4.0.3-25 +- Add patches for CVEs: + CVE-2015-7554, CVE-2015-8683, CVE-2015-8665, + CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, + CVE-2015-8784 +- Related: #1299920 + +* Tue Jul 26 2016 Nikola Forró - 4.0.3-24 +- Update patches for CVEs: + CVE-2014-8127, CVE-2014-8130 +- Related: #1299920 + +* Tue Jul 26 2016 Petr Hracek - 4.0.3-23 +- Update patches: + CVE-2014-9330, CVE-2014-8127, CVE-2014-8129 + CVE-2014-8130 +- Related: #1299920 + +* Tue Jul 19 2016 Nikola Forró - 4.0.3-22 +- Update patch for CVE-2015-8668 +- Related: #1299920 + +* Mon Jul 11 2016 Nikola Forró - 4.0.3-21 +- Remove patches for CVEs: + CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, + CVE-2014-9330, CVE-2015-7554, CVE-2015-8665, + CVE-2015-8683, CVE-2015-8781, CVE-2015-8784 +- Add patches for CVEs: + CVE-2016-3632, CVE-2016-3945, CVE-2016-3990, + CVE-2016-3991, CVE-2016-5320 +- Update patches for CVEs: + CVE-2014-9655, CVE-2015-1547, CVE-2015-8668 +- Related: #1299920 + +* Tue Apr 19 2016 Petr Hracek - 4.0.3-20 +- CVE-2014-8127 should contain only two fixes +- Related: #1299920 + +* Fri Apr 15 2016 Petr Hracek - 4.0.3-19 +- Revert previous patch CVE-2014-8127 +- Related: #1299920 + +* Thu Mar 31 2016 Petr Hracek - 4.0.3-18 +- Fix patch CVE-2014-8127. Wrongly applied +- Related: #1299920 + +* Tue Mar 15 2016 Petr Hracek - 4.0.3-17 +- Fix patch CVE-2015-8668. Wrongly applied by me +- Related: #1299920 + +* Tue Mar 08 2016 Petr Hracek - 4.0.3-16 +- Fixed patches on preview CVEs +- Related: #1299920 + +* Wed Feb 03 2016 Petr Hracek - 4.0.3-15 +- This resolves several CVEs +- CVE-2014-8127, CVE-2014-8129, CVE-2014-8130 +- CVE-2014-9330, CVE-2014-9655, CVE-2015-8781 +- CVE-2015-8784, CVE-2015-1547, CVE-2015-8683 +- CVE-2015-8665, CVE-2015-7554, CVE-2015-8668 +- Resolves: #1299920 + * Thu Feb 13 2014 Petr Hracek - 4.0.3-14 - Resolves: #996827 CVE-2013-4243 libtiff various flaws