gnu: libtiff: Update to 4.0.7.
* gnu/packages/image.scm (libtiff): Update to 4.0.7. [source]: Update URL and remove obsolete patches. [home-page]: Update URL. [native-inputs]: Add gcc-5. (libtiff-4.0.7): Delete variable. * gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch, gnu/packages/patches/libtiff-CVE-2016-3623.patch, gnu/packages/patches/libtiff-CVE-2016-3945.patch, gnu/packages/patches/libtiff-CVE-2016-3990.patch, gnu/packages/patches/libtiff-CVE-2016-3991.patch, gnu/packages/patches/libtiff-CVE-2016-5314.patch, gnu/packages/patches/libtiff-CVE-2016-5321.patch, gnu/packages/patches/libtiff-CVE-2016-5323.patch, gnu/packages/patches/libtiff-oob-accesses-in-decode.patch, gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
parent
2ac7d54616
commit
0bd1097c50
10
gnu/local.mk
10
gnu/local.mk
|
@ -664,16 +664,6 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \
|
%D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \
|
||||||
%D%/packages/patches/libtar-CVE-2013-4420.patch \
|
%D%/packages/patches/libtar-CVE-2013-4420.patch \
|
||||||
%D%/packages/patches/libtheora-config-guess.patch \
|
%D%/packages/patches/libtheora-config-guess.patch \
|
||||||
%D%/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
|
|
||||||
%D%/packages/patches/libtiff-CVE-2016-3623.patch \
|
|
||||||
%D%/packages/patches/libtiff-CVE-2016-3945.patch \
|
|
||||||
%D%/packages/patches/libtiff-CVE-2016-3990.patch \
|
|
||||||
%D%/packages/patches/libtiff-CVE-2016-3991.patch \
|
|
||||||
%D%/packages/patches/libtiff-CVE-2016-5314.patch \
|
|
||||||
%D%/packages/patches/libtiff-CVE-2016-5321.patch \
|
|
||||||
%D%/packages/patches/libtiff-CVE-2016-5323.patch \
|
|
||||||
%D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
|
|
||||||
%D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
|
|
||||||
%D%/packages/patches/libtool-skip-tests2.patch \
|
%D%/packages/patches/libtool-skip-tests2.patch \
|
||||||
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
|
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
|
||||||
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
|
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
|
||||||
|
|
|
@ -36,6 +36,8 @@
|
||||||
#:use-module (gnu packages compression)
|
#:use-module (gnu packages compression)
|
||||||
#:use-module (gnu packages documentation)
|
#:use-module (gnu packages documentation)
|
||||||
#:use-module (gnu packages fontutils)
|
#:use-module (gnu packages fontutils)
|
||||||
|
;; To provide gcc@5 and gcc@6, to work around <http://bugs.gnu.org/24703>.
|
||||||
|
#:use-module (gnu packages gcc)
|
||||||
#:use-module (gnu packages gettext)
|
#:use-module (gnu packages gettext)
|
||||||
#:use-module (gnu packages ghostscript)
|
#:use-module (gnu packages ghostscript)
|
||||||
#:use-module (gnu packages gl)
|
#:use-module (gnu packages gl)
|
||||||
|
@ -243,25 +245,14 @@ extracting icontainer icon files.")
|
||||||
(define-public libtiff
|
(define-public libtiff
|
||||||
(package
|
(package
|
||||||
(name "libtiff")
|
(name "libtiff")
|
||||||
(replacement libtiff-4.0.7)
|
(version "4.0.7")
|
||||||
(version "4.0.6")
|
|
||||||
(source (origin
|
(source (origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
|
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
|
||||||
version ".tar.gz"))
|
version ".tar.gz"))
|
||||||
(sha256 (base32
|
(sha256
|
||||||
"136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd"))
|
(base32
|
||||||
(patches (search-patches
|
"06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
|
||||||
"libtiff-oob-accesses-in-decode.patch"
|
|
||||||
"libtiff-oob-write-in-nextdecode.patch"
|
|
||||||
"libtiff-CVE-2015-8665+CVE-2015-8683.patch"
|
|
||||||
"libtiff-CVE-2016-3623.patch"
|
|
||||||
"libtiff-CVE-2016-3945.patch"
|
|
||||||
"libtiff-CVE-2016-3990.patch"
|
|
||||||
"libtiff-CVE-2016-3991.patch"
|
|
||||||
"libtiff-CVE-2016-5314.patch"
|
|
||||||
"libtiff-CVE-2016-5321.patch"
|
|
||||||
"libtiff-CVE-2016-5323.patch"))))
|
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(outputs '("out"
|
(outputs '("out"
|
||||||
"doc")) ;1.3 MiB of HTML documentation
|
"doc")) ;1.3 MiB of HTML documentation
|
||||||
|
@ -271,6 +262,9 @@ extracting icontainer icon files.")
|
||||||
(assoc-ref %outputs "doc")
|
(assoc-ref %outputs "doc")
|
||||||
"/share/doc/"
|
"/share/doc/"
|
||||||
,name "-" ,version))))
|
,name "-" ,version))))
|
||||||
|
;; Build with a patched GCC to work around <http://bugs.gnu.org/24703>.
|
||||||
|
(native-inputs
|
||||||
|
`(("gcc@5" ,gcc-5)))
|
||||||
(inputs `(("zlib" ,zlib)
|
(inputs `(("zlib" ,zlib)
|
||||||
("libjpeg" ,libjpeg)))
|
("libjpeg" ,libjpeg)))
|
||||||
(synopsis "Library for handling TIFF files")
|
(synopsis "Library for handling TIFF files")
|
||||||
|
@ -281,19 +275,6 @@ Included are a library, libtiff, for reading and writing TIFF and a small
|
||||||
collection of tools for doing simple manipulations of TIFF images.")
|
collection of tools for doing simple manipulations of TIFF images.")
|
||||||
(license (license:non-copyleft "file://COPYRIGHT"
|
(license (license:non-copyleft "file://COPYRIGHT"
|
||||||
"See COPYRIGHT in the distribution."))
|
"See COPYRIGHT in the distribution."))
|
||||||
(home-page "http://www.remotesensing.org/libtiff/")))
|
|
||||||
|
|
||||||
(define libtiff-4.0.7
|
|
||||||
(package
|
|
||||||
(inherit libtiff)
|
|
||||||
(version "4.0.7")
|
|
||||||
(source (origin
|
|
||||||
(method url-fetch)
|
|
||||||
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
|
|
||||||
version ".tar.gz"))
|
|
||||||
(sha256
|
|
||||||
(base32
|
|
||||||
"06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
|
|
||||||
(home-page "http://www.simplesystems.org/libtiff/")))
|
(home-page "http://www.simplesystems.org/libtiff/")))
|
||||||
|
|
||||||
(define-public libwmf
|
(define-public libwmf
|
||||||
|
|
|
@ -1,107 +0,0 @@
|
||||||
2015-12-26 Even Rouault <even.rouault at spatialys.com>
|
|
||||||
|
|
||||||
* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
|
|
||||||
interface in case of unsupported values of SamplesPerPixel/ExtraSamples
|
|
||||||
for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
|
|
||||||
TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
|
|
||||||
CVE-2015-8683 reported by zzf of Alibaba.
|
|
||||||
|
|
||||||
diff -u -r1.93 -r1.94
|
|
||||||
--- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93
|
|
||||||
+++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94
|
|
||||||
@@ -182,20 +182,22 @@
|
|
||||||
"Planarconfiguration", td->td_planarconfig);
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
- if( td->td_samplesperpixel != 3 )
|
|
||||||
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
|
|
||||||
{
|
|
||||||
sprintf(emsg,
|
|
||||||
- "Sorry, can not handle image with %s=%d",
|
|
||||||
- "Samples/pixel", td->td_samplesperpixel);
|
|
||||||
+ "Sorry, can not handle image with %s=%d, %s=%d",
|
|
||||||
+ "Samples/pixel", td->td_samplesperpixel,
|
|
||||||
+ "colorchannels", colorchannels);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case PHOTOMETRIC_CIELAB:
|
|
||||||
- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
|
|
||||||
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
|
|
||||||
{
|
|
||||||
sprintf(emsg,
|
|
||||||
- "Sorry, can not handle image with %s=%d and %s=%d",
|
|
||||||
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
|
|
||||||
"Samples/pixel", td->td_samplesperpixel,
|
|
||||||
+ "colorchannels", colorchannels,
|
|
||||||
"Bits/sample", td->td_bitspersample);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -255,6 +257,9 @@
|
|
||||||
int colorchannels;
|
|
||||||
uint16 *red_orig, *green_orig, *blue_orig;
|
|
||||||
int n_color;
|
|
||||||
+
|
|
||||||
+ if( !TIFFRGBAImageOK(tif, emsg) )
|
|
||||||
+ return 0;
|
|
||||||
|
|
||||||
/* Initialize to normal values */
|
|
||||||
img->row_offset = 0;
|
|
||||||
@@ -2509,29 +2514,33 @@
|
|
||||||
case PHOTOMETRIC_RGB:
|
|
||||||
switch (img->bitspersample) {
|
|
||||||
case 8:
|
|
||||||
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
|
|
||||||
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
|
|
||||||
+ img->samplesperpixel >= 4)
|
|
||||||
img->put.contig = putRGBAAcontig8bittile;
|
|
||||||
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
|
|
||||||
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
|
|
||||||
+ img->samplesperpixel >= 4)
|
|
||||||
{
|
|
||||||
if (BuildMapUaToAa(img))
|
|
||||||
img->put.contig = putRGBUAcontig8bittile;
|
|
||||||
}
|
|
||||||
- else
|
|
||||||
+ else if( img->samplesperpixel >= 3 )
|
|
||||||
img->put.contig = putRGBcontig8bittile;
|
|
||||||
break;
|
|
||||||
case 16:
|
|
||||||
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
|
|
||||||
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
|
|
||||||
+ img->samplesperpixel >=4 )
|
|
||||||
{
|
|
||||||
if (BuildMapBitdepth16To8(img))
|
|
||||||
img->put.contig = putRGBAAcontig16bittile;
|
|
||||||
}
|
|
||||||
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
|
|
||||||
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
|
|
||||||
+ img->samplesperpixel >=4 )
|
|
||||||
{
|
|
||||||
if (BuildMapBitdepth16To8(img) &&
|
|
||||||
BuildMapUaToAa(img))
|
|
||||||
img->put.contig = putRGBUAcontig16bittile;
|
|
||||||
}
|
|
||||||
- else
|
|
||||||
+ else if( img->samplesperpixel >=3 )
|
|
||||||
{
|
|
||||||
if (BuildMapBitdepth16To8(img))
|
|
||||||
img->put.contig = putRGBcontig16bittile;
|
|
||||||
@@ -2540,7 +2549,7 @@
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case PHOTOMETRIC_SEPARATED:
|
|
||||||
- if (buildMap(img)) {
|
|
||||||
+ if (img->samplesperpixel >=4 && buildMap(img)) {
|
|
||||||
if (img->bitspersample == 8) {
|
|
||||||
if (!img->Map)
|
|
||||||
img->put.contig = putRGBcontig8bitCMYKtile;
|
|
||||||
@@ -2636,7 +2645,7 @@
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case PHOTOMETRIC_CIELAB:
|
|
||||||
- if (buildMap(img)) {
|
|
||||||
+ if (img->samplesperpixel == 3 && buildMap(img)) {
|
|
||||||
if (img->bitspersample == 8)
|
|
||||||
img->put.contig = initCIELabConversion(img);
|
|
||||||
break;
|
|
|
@ -1,30 +0,0 @@
|
||||||
Fix CVE-2016-3623.
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
|
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2569
|
|
||||||
|
|
||||||
Patch extracted from upstream CVS repo with:
|
|
||||||
$ cvs diff -u -r1.16 -r1.17 tools/rgb2ycbcr.c
|
|
||||||
|
|
||||||
Index: tools/rgb2ycbcr.c
|
|
||||||
===================================================================
|
|
||||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/rgb2ycbcr.c,v
|
|
||||||
retrieving revision 1.16
|
|
||||||
retrieving revision 1.17
|
|
||||||
diff -u -r1.16 -r1.17
|
|
||||||
--- libtiff/tools/rgb2ycbcr.c 21 Jun 2015 01:09:10 -0000 1.16
|
|
||||||
+++ libtiff/tools/rgb2ycbcr.c 15 Aug 2016 21:26:56 -0000 1.17
|
|
||||||
@@ -95,9 +95,13 @@
|
|
||||||
break;
|
|
||||||
case 'h':
|
|
||||||
horizSubSampling = atoi(optarg);
|
|
||||||
+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
|
|
||||||
+ usage(-1);
|
|
||||||
break;
|
|
||||||
case 'v':
|
|
||||||
vertSubSampling = atoi(optarg);
|
|
||||||
+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
|
|
||||||
+ usage(-1);
|
|
||||||
break;
|
|
||||||
case 'r':
|
|
||||||
rowsperstrip = atoi(optarg);
|
|
|
@ -1,94 +0,0 @@
|
||||||
Fix CVE-2016-3945 (integer overflow in size of allocated
|
|
||||||
buffer, when -b mode is enabled, that could result in out-of-bounds
|
|
||||||
write).
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945
|
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2545
|
|
||||||
|
|
||||||
Patch extracted from upstream CVS repo with:
|
|
||||||
$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c
|
|
||||||
|
|
||||||
Index: tools/tiff2rgba.c
|
|
||||||
===================================================================
|
|
||||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v
|
|
||||||
retrieving revision 1.21
|
|
||||||
retrieving revision 1.22
|
|
||||||
diff -u -r1.21 -r1.22
|
|
||||||
--- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21
|
|
||||||
+++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22
|
|
||||||
@@ -147,6 +147,7 @@
|
|
||||||
uint32 row, col;
|
|
||||||
uint32 *wrk_line;
|
|
||||||
int ok = 1;
|
|
||||||
+ uint32 rastersize, wrk_linesize;
|
|
||||||
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
|
||||||
@@ -163,7 +164,13 @@
|
|
||||||
/*
|
|
||||||
* Allocate tile buffer
|
|
||||||
*/
|
|
||||||
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
|
|
||||||
+ rastersize = tile_width * tile_height * sizeof (uint32);
|
|
||||||
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
|
|
||||||
+ {
|
|
||||||
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+ raster = (uint32*)_TIFFmalloc(rastersize);
|
|
||||||
if (raster == 0) {
|
|
||||||
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
|
||||||
return (0);
|
|
||||||
@@ -173,7 +180,13 @@
|
|
||||||
* Allocate a scanline buffer for swapping during the vertical
|
|
||||||
* mirroring pass.
|
|
||||||
*/
|
|
||||||
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
|
|
||||||
+ wrk_linesize = tile_width * sizeof (uint32);
|
|
||||||
+ if (tile_width != wrk_linesize / sizeof (uint32))
|
|
||||||
+ {
|
|
||||||
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
|
|
||||||
if (!wrk_line) {
|
|
||||||
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
|
|
||||||
ok = 0;
|
|
||||||
@@ -249,6 +262,7 @@
|
|
||||||
uint32 row;
|
|
||||||
uint32 *wrk_line;
|
|
||||||
int ok = 1;
|
|
||||||
+ uint32 rastersize, wrk_linesize;
|
|
||||||
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
|
||||||
@@ -263,7 +277,13 @@
|
|
||||||
/*
|
|
||||||
* Allocate strip buffer
|
|
||||||
*/
|
|
||||||
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
|
|
||||||
+ rastersize = width * rowsperstrip * sizeof (uint32);
|
|
||||||
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
|
|
||||||
+ {
|
|
||||||
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+ raster = (uint32*)_TIFFmalloc(rastersize);
|
|
||||||
if (raster == 0) {
|
|
||||||
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
|
||||||
return (0);
|
|
||||||
@@ -273,7 +293,13 @@
|
|
||||||
* Allocate a scanline buffer for swapping during the vertical
|
|
||||||
* mirroring pass.
|
|
||||||
*/
|
|
||||||
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
|
|
||||||
+ wrk_linesize = width * sizeof (uint32);
|
|
||||||
+ if (width != wrk_linesize / sizeof (uint32))
|
|
||||||
+ {
|
|
||||||
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
|
|
||||||
if (!wrk_line) {
|
|
||||||
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
|
|
||||||
ok = 0;
|
|
|
@ -1,31 +0,0 @@
|
||||||
Fix CVE-2016-3990 (write buffer overflow in PixarLogEncode if more input
|
|
||||||
samples are provided than expected by PixarLogSetupEncode).
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990
|
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2544
|
|
||||||
|
|
||||||
Patch extracted from upstream CVS repo with:
|
|
||||||
$ cvs diff -u -r1.45 -r1.46 libtiff/tif_pixarlog.c
|
|
||||||
|
|
||||||
Index: libtiff/tif_pixarlog.c
|
|
||||||
===================================================================
|
|
||||||
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
|
|
||||||
retrieving revision 1.45
|
|
||||||
retrieving revision 1.46
|
|
||||||
diff -u -r1.45 -r1.46
|
|
||||||
--- libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:37:33 -0000 1.45
|
|
||||||
+++ libtiff/libtiff/tif_pixarlog.c 15 Aug 2016 20:49:48 -0000 1.46
|
|
||||||
@@ -1141,6 +1141,13 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
llen = sp->stride * td->td_imagewidth;
|
|
||||||
+ /* Check against the number of elements (of size uint16) of sp->tbuf */
|
|
||||||
+ if( n > td->td_rowsperstrip * llen )
|
|
||||||
+ {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
+ "Too many input bytes provided");
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
|
|
||||||
switch (sp->user_datafmt) {
|
|
|
@ -1,123 +0,0 @@
|
||||||
Fix CVE-2016-3991 (out-of-bounds write in loadImage()).
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991
|
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2543
|
|
||||||
|
|
||||||
Patch extracted from upstream CVS repo with:
|
|
||||||
$ cvs diff -u -r1.37 -r1.38 tools/tiffcrop.c
|
|
||||||
|
|
||||||
Index: tools/tiffcrop.c
|
|
||||||
===================================================================
|
|
||||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
|
|
||||||
retrieving revision 1.37
|
|
||||||
retrieving revision 1.38
|
|
||||||
diff -u -r1.37 -r1.38
|
|
||||||
--- libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
|
|
||||||
+++ libtiff/tools/tiffcrop.c 15 Aug 2016 21:05:40 -0000 1.38
|
|
||||||
@@ -798,6 +798,11 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
tile_buffsize = tilesize;
|
|
||||||
+ if (tilesize == 0 || tile_rowsize == 0)
|
|
||||||
+ {
|
|
||||||
+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (tilesize < (tsize_t)(tl * tile_rowsize))
|
|
||||||
{
|
|
||||||
@@ -807,7 +812,12 @@
|
|
||||||
tilesize, tl * tile_rowsize);
|
|
||||||
#endif
|
|
||||||
tile_buffsize = tl * tile_rowsize;
|
|
||||||
- }
|
|
||||||
+ if (tl != (tile_buffsize / tile_rowsize))
|
|
||||||
+ {
|
|
||||||
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
tilebuf = _TIFFmalloc(tile_buffsize);
|
|
||||||
if (tilebuf == 0)
|
|
||||||
@@ -1210,6 +1220,12 @@
|
|
||||||
!TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
|
|
||||||
+ {
|
|
||||||
+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
tile_buffsize = tilesize;
|
|
||||||
if (tilesize < (tsize_t)(tl * tile_rowsize))
|
|
||||||
{
|
|
||||||
@@ -1219,6 +1235,11 @@
|
|
||||||
tilesize, tl * tile_rowsize);
|
|
||||||
#endif
|
|
||||||
tile_buffsize = tl * tile_rowsize;
|
|
||||||
+ if (tl != tile_buffsize / tile_rowsize)
|
|
||||||
+ {
|
|
||||||
+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
tilebuf = _TIFFmalloc(tile_buffsize);
|
|
||||||
@@ -5945,12 +5966,27 @@
|
|
||||||
TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
|
|
||||||
|
|
||||||
tile_rowsize = TIFFTileRowSize(in);
|
|
||||||
+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
|
|
||||||
+ {
|
|
||||||
+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
buffsize = tlsize * ntiles;
|
|
||||||
+ if (tlsize != (buffsize / ntiles))
|
|
||||||
+ {
|
|
||||||
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
-
|
|
||||||
if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
|
|
||||||
{
|
|
||||||
buffsize = ntiles * tl * tile_rowsize;
|
|
||||||
+ if (ntiles != (buffsize / tl / tile_rowsize))
|
|
||||||
+ {
|
|
||||||
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
#ifdef DEBUG2
|
|
||||||
TIFFError("loadImage",
|
|
||||||
"Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
|
|
||||||
@@ -5969,8 +6005,25 @@
|
|
||||||
TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
|
|
||||||
stsize = TIFFStripSize(in);
|
|
||||||
nstrips = TIFFNumberOfStrips(in);
|
|
||||||
+ if (nstrips == 0 || stsize == 0)
|
|
||||||
+ {
|
|
||||||
+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
buffsize = stsize * nstrips;
|
|
||||||
-
|
|
||||||
+ if (stsize != (buffsize / nstrips))
|
|
||||||
+ {
|
|
||||||
+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
+ uint32 buffsize_check;
|
|
||||||
+ buffsize_check = ((length * width * spp * bps) + 7);
|
|
||||||
+ if (length != ((buffsize_check - 7) / width / spp / bps))
|
|
||||||
+ {
|
|
||||||
+ TIFFError("loadImage", "Integer overflow detected.");
|
|
||||||
+ exit(-1);
|
|
||||||
+ }
|
|
||||||
if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
|
|
||||||
{
|
|
||||||
buffsize = ((length * width * spp * bps) + 7) / 8;
|
|
|
@ -1,45 +0,0 @@
|
||||||
Fix CVE-2016-5314.
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5314
|
|
||||||
bugzilla.maptools.org/show_bug.cgi?id=2554
|
|
||||||
|
|
||||||
Patch extracted from upstream CVS repo with:
|
|
||||||
$ cvs diff -u -r1.43 -r1.44 libtiff/tif_pixarlog.c
|
|
||||||
|
|
||||||
Index: libtiff/tif_pixarlog.c
|
|
||||||
===================================================================
|
|
||||||
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
|
|
||||||
retrieving revision 1.43
|
|
||||||
retrieving revision 1.44
|
|
||||||
diff -u -r1.43 -r1.44
|
|
||||||
--- libtiff/libtiff/tif_pixarlog.c 27 Dec 2015 20:14:11 -0000 1.43
|
|
||||||
+++ libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:12:19 -0000 1.44
|
|
||||||
@@ -459,6 +459,7 @@
|
|
||||||
typedef struct {
|
|
||||||
TIFFPredictorState predict;
|
|
||||||
z_stream stream;
|
|
||||||
+ tmsize_t tbuf_size; /* only set/used on reading for now */
|
|
||||||
uint16 *tbuf;
|
|
||||||
uint16 stride;
|
|
||||||
int state;
|
|
||||||
@@ -694,6 +695,7 @@
|
|
||||||
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
|
|
||||||
if (sp->tbuf == NULL)
|
|
||||||
return (0);
|
|
||||||
+ sp->tbuf_size = tbuf_size;
|
|
||||||
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
|
|
||||||
sp->user_datafmt = PixarLogGuessDataFmt(td);
|
|
||||||
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
|
|
||||||
@@ -783,6 +785,12 @@
|
|
||||||
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
+ /* Check that we will not fill more than what was allocated */
|
|
||||||
+ if (sp->stream.avail_out > sp->tbuf_size)
|
|
||||||
+ {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
do {
|
|
||||||
int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
|
|
||||||
if (state == Z_STREAM_END) {
|
|
|
@ -1,25 +0,0 @@
|
||||||
Fix CVE-2016-5321.
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321
|
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2558
|
|
||||||
|
|
||||||
Patch extracted from upstream CVS repo with:
|
|
||||||
$ cvs diff -u -r1.35 -r1.36 tools/tiffcrop.c
|
|
||||||
|
|
||||||
Index: tools/tiffcrop.c
|
|
||||||
===================================================================
|
|
||||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
|
|
||||||
retrieving revision 1.35
|
|
||||||
retrieving revision 1.36
|
|
||||||
diff -u -r1.35 -r1.36
|
|
||||||
--- libtiff/tools/tiffcrop.c 19 Aug 2015 02:31:04 -0000 1.35
|
|
||||||
+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
|
|
||||||
@@ -989,7 +989,7 @@
|
|
||||||
nrow = (row + tl > imagelength) ? imagelength - row : tl;
|
|
||||||
for (col = 0; col < imagewidth; col += tw)
|
|
||||||
{
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
|
|
||||||
{ /* Read each plane of a tile set into srcbuffs[s] */
|
|
||||||
tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
|
|
||||||
if (tbytes < 0 && !ignore)
|
|
|
@ -1,88 +0,0 @@
|
||||||
Fix CVE-2016-5323.
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323
|
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2559
|
|
||||||
|
|
||||||
Patch extracted from upstream CVS repo with:
|
|
||||||
$ cvs diff -u -r1.36 -r1.37 tools/tiffcrop.c
|
|
||||||
|
|
||||||
Index: tools/tiffcrop.c
|
|
||||||
===================================================================
|
|
||||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
|
|
||||||
retrieving revision 1.36
|
|
||||||
retrieving revision 1.37
|
|
||||||
diff -u -r1.36 -r1.37
|
|
||||||
--- libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
|
|
||||||
+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
|
|
||||||
@@ -3738,7 +3738,7 @@
|
|
||||||
|
|
||||||
matchbits = maskbits << (8 - src_bit - bps);
|
|
||||||
/* load up next sample from each plane */
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
|
||||||
{
|
|
||||||
src = in[s] + src_offset + src_byte;
|
|
||||||
buff1 = ((*src) & matchbits) << (src_bit);
|
|
||||||
@@ -3837,7 +3837,7 @@
|
|
||||||
src_bit = bit_offset % 8;
|
|
||||||
|
|
||||||
matchbits = maskbits << (16 - src_bit - bps);
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
|
||||||
{
|
|
||||||
src = in[s] + src_offset + src_byte;
|
|
||||||
if (little_endian)
|
|
||||||
@@ -3947,7 +3947,7 @@
|
|
||||||
src_bit = bit_offset % 8;
|
|
||||||
|
|
||||||
matchbits = maskbits << (32 - src_bit - bps);
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
|
||||||
{
|
|
||||||
src = in[s] + src_offset + src_byte;
|
|
||||||
if (little_endian)
|
|
||||||
@@ -4073,7 +4073,7 @@
|
|
||||||
src_bit = bit_offset % 8;
|
|
||||||
|
|
||||||
matchbits = maskbits << (64 - src_bit - bps);
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
|
||||||
{
|
|
||||||
src = in[s] + src_offset + src_byte;
|
|
||||||
if (little_endian)
|
|
||||||
@@ -4263,7 +4263,7 @@
|
|
||||||
|
|
||||||
matchbits = maskbits << (8 - src_bit - bps);
|
|
||||||
/* load up next sample from each plane */
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
|
||||||
{
|
|
||||||
src = in[s] + src_offset + src_byte;
|
|
||||||
buff1 = ((*src) & matchbits) << (src_bit);
|
|
||||||
@@ -4362,7 +4362,7 @@
|
|
||||||
src_bit = bit_offset % 8;
|
|
||||||
|
|
||||||
matchbits = maskbits << (16 - src_bit - bps);
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
|
||||||
{
|
|
||||||
src = in[s] + src_offset + src_byte;
|
|
||||||
if (little_endian)
|
|
||||||
@@ -4471,7 +4471,7 @@
|
|
||||||
src_bit = bit_offset % 8;
|
|
||||||
|
|
||||||
matchbits = maskbits << (32 - src_bit - bps);
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
|
||||||
{
|
|
||||||
src = in[s] + src_offset + src_byte;
|
|
||||||
if (little_endian)
|
|
||||||
@@ -4597,7 +4597,7 @@
|
|
||||||
src_bit = bit_offset % 8;
|
|
||||||
|
|
||||||
matchbits = maskbits << (64 - src_bit - bps);
|
|
||||||
- for (s = 0; s < spp; s++)
|
|
||||||
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
|
|
||||||
{
|
|
||||||
src = in[s] + src_offset + src_byte;
|
|
||||||
if (little_endian)
|
|
|
@ -1,171 +0,0 @@
|
||||||
2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
|
||||||
|
|
||||||
* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
|
|
||||||
functions in non debug builds by replacing assert()s by regular if
|
|
||||||
checks (bugzilla #2522).
|
|
||||||
Fix potential out-of-bound reads in case of short input data.
|
|
||||||
|
|
||||||
diff -u -r1.40 -r1.41
|
|
||||||
--- libtiff/libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40
|
|
||||||
+++ libtiff/libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41
|
|
||||||
@@ -1,4 +1,4 @@
|
|
||||||
-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
|
|
||||||
+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Copyright (c) 1997 Greg Ward Larson
|
|
||||||
@@ -202,7 +202,11 @@
|
|
||||||
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
|
|
||||||
tp = (int16*) op;
|
|
||||||
else {
|
|
||||||
- assert(sp->tbuflen >= npixels);
|
|
||||||
+ if(sp->tbuflen < npixels) {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
+ "Translation buffer too short");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
tp = (int16*) sp->tbuf;
|
|
||||||
}
|
|
||||||
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
|
|
||||||
@@ -211,9 +215,11 @@
|
|
||||||
cc = tif->tif_rawcc;
|
|
||||||
/* get each byte string */
|
|
||||||
for (shft = 2*8; (shft -= 8) >= 0; ) {
|
|
||||||
- for (i = 0; i < npixels && cc > 0; )
|
|
||||||
+ for (i = 0; i < npixels && cc > 0; ) {
|
|
||||||
if (*bp >= 128) { /* run */
|
|
||||||
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
|
|
||||||
+ if( cc < 2 )
|
|
||||||
+ break;
|
|
||||||
+ rc = *bp++ + (2-128);
|
|
||||||
b = (int16)(*bp++ << shft);
|
|
||||||
cc -= 2;
|
|
||||||
while (rc-- && i < npixels)
|
|
||||||
@@ -223,6 +229,7 @@
|
|
||||||
while (--cc && rc-- && i < npixels)
|
|
||||||
tp[i++] |= (int16)*bp++ << shft;
|
|
||||||
}
|
|
||||||
+ }
|
|
||||||
if (i != npixels) {
|
|
||||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
|
||||||
TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
@@ -268,13 +275,17 @@
|
|
||||||
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
|
|
||||||
tp = (uint32 *)op;
|
|
||||||
else {
|
|
||||||
- assert(sp->tbuflen >= npixels);
|
|
||||||
+ if(sp->tbuflen < npixels) {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
+ "Translation buffer too short");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
tp = (uint32 *) sp->tbuf;
|
|
||||||
}
|
|
||||||
/* copy to array of uint32 */
|
|
||||||
bp = (unsigned char*) tif->tif_rawcp;
|
|
||||||
cc = tif->tif_rawcc;
|
|
||||||
- for (i = 0; i < npixels && cc > 0; i++) {
|
|
||||||
+ for (i = 0; i < npixels && cc >= 3; i++) {
|
|
||||||
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
|
|
||||||
bp += 3;
|
|
||||||
cc -= 3;
|
|
||||||
@@ -325,7 +336,11 @@
|
|
||||||
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
|
|
||||||
tp = (uint32*) op;
|
|
||||||
else {
|
|
||||||
- assert(sp->tbuflen >= npixels);
|
|
||||||
+ if(sp->tbuflen < npixels) {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
+ "Translation buffer too short");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
tp = (uint32*) sp->tbuf;
|
|
||||||
}
|
|
||||||
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
|
|
||||||
@@ -334,11 +349,13 @@
|
|
||||||
cc = tif->tif_rawcc;
|
|
||||||
/* get each byte string */
|
|
||||||
for (shft = 4*8; (shft -= 8) >= 0; ) {
|
|
||||||
- for (i = 0; i < npixels && cc > 0; )
|
|
||||||
+ for (i = 0; i < npixels && cc > 0; ) {
|
|
||||||
if (*bp >= 128) { /* run */
|
|
||||||
+ if( cc < 2 )
|
|
||||||
+ break;
|
|
||||||
rc = *bp++ + (2-128);
|
|
||||||
b = (uint32)*bp++ << shft;
|
|
||||||
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
|
|
||||||
+ cc -= 2;
|
|
||||||
while (rc-- && i < npixels)
|
|
||||||
tp[i++] |= b;
|
|
||||||
} else { /* non-run */
|
|
||||||
@@ -346,6 +363,7 @@
|
|
||||||
while (--cc && rc-- && i < npixels)
|
|
||||||
tp[i++] |= (uint32)*bp++ << shft;
|
|
||||||
}
|
|
||||||
+ }
|
|
||||||
if (i != npixels) {
|
|
||||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
|
||||||
TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
@@ -413,6 +431,7 @@
|
|
||||||
static int
|
|
||||||
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
|
||||||
{
|
|
||||||
+ static const char module[] = "LogL16Encode";
|
|
||||||
LogLuvState* sp = EncoderState(tif);
|
|
||||||
int shft;
|
|
||||||
tmsize_t i;
|
|
||||||
@@ -433,7 +452,11 @@
|
|
||||||
tp = (int16*) bp;
|
|
||||||
else {
|
|
||||||
tp = (int16*) sp->tbuf;
|
|
||||||
- assert(sp->tbuflen >= npixels);
|
|
||||||
+ if(sp->tbuflen < npixels) {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
+ "Translation buffer too short");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
(*sp->tfunc)(sp, bp, npixels);
|
|
||||||
}
|
|
||||||
/* compress each byte string */
|
|
||||||
@@ -506,6 +529,7 @@
|
|
||||||
static int
|
|
||||||
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
|
||||||
{
|
|
||||||
+ static const char module[] = "LogLuvEncode24";
|
|
||||||
LogLuvState* sp = EncoderState(tif);
|
|
||||||
tmsize_t i;
|
|
||||||
tmsize_t npixels;
|
|
||||||
@@ -521,7 +545,11 @@
|
|
||||||
tp = (uint32*) bp;
|
|
||||||
else {
|
|
||||||
tp = (uint32*) sp->tbuf;
|
|
||||||
- assert(sp->tbuflen >= npixels);
|
|
||||||
+ if(sp->tbuflen < npixels) {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
+ "Translation buffer too short");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
(*sp->tfunc)(sp, bp, npixels);
|
|
||||||
}
|
|
||||||
/* write out encoded pixels */
|
|
||||||
@@ -553,6 +581,7 @@
|
|
||||||
static int
|
|
||||||
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
|
||||||
{
|
|
||||||
+ static const char module[] = "LogLuvEncode32";
|
|
||||||
LogLuvState* sp = EncoderState(tif);
|
|
||||||
int shft;
|
|
||||||
tmsize_t i;
|
|
||||||
@@ -574,7 +603,11 @@
|
|
||||||
tp = (uint32*) bp;
|
|
||||||
else {
|
|
||||||
tp = (uint32*) sp->tbuf;
|
|
||||||
- assert(sp->tbuflen >= npixels);
|
|
||||||
+ if(sp->tbuflen < npixels) {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
||||||
+ "Translation buffer too short");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
(*sp->tfunc)(sp, bp, npixels);
|
|
||||||
}
|
|
||||||
/* compress each byte string */
|
|
|
@ -1,49 +0,0 @@
|
||||||
2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
|
||||||
|
|
||||||
* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
|
|
||||||
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
|
|
||||||
(bugzilla #2508)
|
|
||||||
|
|
||||||
diff -u -r1.16 -r1.18
|
|
||||||
--- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
|
|
||||||
+++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18
|
|
||||||
@@ -1,4 +1,4 @@
|
|
||||||
-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
|
|
||||||
+/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Copyright (c) 1988-1997 Sam Leffler
|
|
||||||
@@ -37,7 +37,7 @@
|
|
||||||
case 0: op[0] = (unsigned char) ((v) << 6); break; \
|
|
||||||
case 1: op[0] |= (v) << 4; break; \
|
|
||||||
case 2: op[0] |= (v) << 2; break; \
|
|
||||||
- case 3: *op++ |= (v); break; \
|
|
||||||
+ case 3: *op++ |= (v); op_offset++; break; \
|
|
||||||
} \
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -103,6 +103,7 @@
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
uint32 npixels = 0, grey;
|
|
||||||
+ tmsize_t op_offset = 0;
|
|
||||||
uint32 imagewidth = tif->tif_dir.td_imagewidth;
|
|
||||||
if( isTiled(tif) )
|
|
||||||
imagewidth = tif->tif_dir.td_tilewidth;
|
|
||||||
@@ -122,10 +123,15 @@
|
|
||||||
* bounds, potentially resulting in a security
|
|
||||||
* issue.
|
|
||||||
*/
|
|
||||||
- while (n-- > 0 && npixels < imagewidth)
|
|
||||||
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
|
|
||||||
SETPIXEL(op, grey);
|
|
||||||
if (npixels >= imagewidth)
|
|
||||||
break;
|
|
||||||
+ if (op_offset >= scanline ) {
|
|
||||||
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
|
|
||||||
+ (long) tif->tif_row);
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
if (cc == 0)
|
|
||||||
goto bad;
|
|
||||||
n = *bp++, cc--;
|
|
Loading…
Reference in New Issue