diff options
Diffstat (limited to 'source/l/libtiff')
| -rw-r--r-- | source/l/libtiff/libtiff-CVE-2011-0192.patch | 27 | ||||
| -rw-r--r-- | source/l/libtiff/libtiff-CVE-2011-1167.patch | 53 | ||||
| -rw-r--r-- | source/l/libtiff/libtiff-CVE-2012-1173.patch | 71 | ||||
| -rwxr-xr-x | source/l/libtiff/libtiff.SlackBuild | 7 |
4 files changed, 74 insertions, 84 deletions
diff --git a/source/l/libtiff/libtiff-CVE-2011-0192.patch b/source/l/libtiff/libtiff-CVE-2011-0192.patch deleted file mode 100644 index 892f70e01..000000000 --- a/source/l/libtiff/libtiff-CVE-2011-0192.patch +++ /dev/null @@ -1,27 +0,0 @@ -Protect against a fax VL(n) codeword commanding a move left. Without -this, a malicious input file can generate an indefinitely large series -of runs without a0 ever reaching the right margin, thus overrunning -our buffer of run lengths. Per CVE-2011-0192. This is a modified -version of a patch proposed by Drew Yao of Apple Product Security. -It adds an unexpected() report, and disallows the equality case except -for the first run of a line, since emitting a run without increasing a0 -still allows buffer overrun. (We have to allow it for the first run to -cover the case of encoding a zero-length run at start of line using VL.) - - -diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h ---- tiff-3.9.4.orig/libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400 -+++ tiff-3.9.4/libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500 -@@ -478,6 +478,12 @@ - break; \ - case S_VL: \ - CHECK_b1; \ -+ if (b1 <= (int) (a0 + TabEnt->Param)) { \ -+ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \ -+ unexpected("VL", a0); \ -+ goto eol2d; \ -+ } \ -+ } \ - SETVALUE(b1 - a0 - TabEnt->Param); \ - b1 -= *--pb; \ - break; \ diff --git a/source/l/libtiff/libtiff-CVE-2011-1167.patch b/source/l/libtiff/libtiff-CVE-2011-1167.patch deleted file mode 100644 index d3fcf6f64..000000000 --- a/source/l/libtiff/libtiff-CVE-2011-1167.patch +++ /dev/null @@ -1,53 +0,0 @@ -Upstream patch for CVE-2011-1167, heap-based buffer overflow in thunder -decoder (ZDI-CAN-1004). - - -diff -Naur tiff-3.9.4.orig/libtiff/tif_thunder.c tiff-3.9.4/libtiff/tif_thunder.c ---- tiff-3.9.4.orig/libtiff/tif_thunder.c 2010-06-08 14:50:43.000000000 -0400 -+++ tiff-3.9.4/libtiff/tif_thunder.c 2011-03-18 12:17:13.635796403 -0400 -@@ -55,12 +55,32 @@ - static const int twobitdeltas[4] = { 0, 1, 0, -1 }; - static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; - --#define SETPIXEL(op, v) { \ -- lastpixel = (v) & 0xf; \ -- if (npixels++ & 1) \ -- *op++ |= lastpixel; \ -- else \ -+#define SETPIXEL(op, v) { \ -+ lastpixel = (v) & 0xf; \ -+ if ( npixels < maxpixels ) \ -+ { \ -+ if (npixels++ & 1) \ -+ *op++ |= lastpixel; \ -+ else \ - op[0] = (tidataval_t) (lastpixel << 4); \ -+ } \ -+} -+ -+static int -+ThunderSetupDecode(TIFF* tif) -+{ -+ static const char module[] = "ThunderSetupDecode"; -+ -+ if( tif->tif_dir.td_bitspersample != 4 ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.", -+ (int) tif->tif_dir.td_bitspersample ); -+ return 0; -+ } -+ -+ -+ return (1); - } - - static int -@@ -151,6 +171,7 @@ - (void) scheme; - tif->tif_decoderow = ThunderDecodeRow; - tif->tif_decodestrip = ThunderDecodeRow; -+ tif->tif_setupdecode = ThunderSetupDecode; - return (1); - } - #endif /* THUNDER_SUPPORT */ diff --git a/source/l/libtiff/libtiff-CVE-2012-1173.patch b/source/l/libtiff/libtiff-CVE-2012-1173.patch new file mode 100644 index 000000000..0ada700b4 --- /dev/null +++ b/source/l/libtiff/libtiff-CVE-2012-1173.patch @@ -0,0 +1,71 @@ +This patch is submitted to upstream for CVE-2012-1173 + + +diff -Naur tiff-3.9.5.orig/libtiff/tif_getimage.c tiff-3.9.5/libtiff/tif_getimage.c +--- tiff-3.9.5.orig/libtiff/tif_getimage.c 2010-07-08 12:17:59.000000000 -0400 ++++ tiff-3.9.5/libtiff/tif_getimage.c 2012-03-14 14:49:25.796728783 -0400 +@@ -673,18 +673,24 @@ + unsigned char* p2; + unsigned char* pa; + tsize_t tilesize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + uint32 nrow; + int ret = 1, flip; + + tilesize = TIFFTileSize(tif); +- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); ++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); ++ return (0); ++ } ++ buf = (unsigned char*) _TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); ++ _TIFFmemset(buf, 0, bufsize); + p0 = buf; + p1 = p0 + tilesize; + p2 = p1 + tilesize; +@@ -880,17 +886,23 @@ + uint32 rowsperstrip, offset_row; + uint32 imagewidth = img->width; + tsize_t stripsize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + int ret = 1, flip; + + stripsize = TIFFStripSize(tif); +- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); ++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); ++ return (0); ++ } ++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); ++ _TIFFmemset(buf, 0, bufsize); + p1 = p0 + stripsize; + p2 = p1 + stripsize; + pa = (alpha?(p2+stripsize):NULL); +diff -Naur tiff-3.9.5.orig/libtiff/tiffiop.h tiff-3.9.5/libtiff/tiffiop.h +--- tiff-3.9.5.orig/libtiff/tiffiop.h 2011-03-28 09:43:43.000000000 -0400 ++++ tiff-3.9.5/libtiff/tiffiop.h 2012-03-14 14:49:25.797728754 -0400 +@@ -246,7 +246,7 @@ + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + + /* Safe multiply which returns zero if there is an integer overflow */ +-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) diff --git a/source/l/libtiff/libtiff.SlackBuild b/source/l/libtiff/libtiff.SlackBuild index 33e871f35..91ec64fad 100755 --- a/source/l/libtiff/libtiff.SlackBuild +++ b/source/l/libtiff/libtiff.SlackBuild @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright 2005-2011 Patrick J. Volkerding, Sebeka, Minnesota, USA +# Copyright 2005-2012 Patrick J. Volkerding, Sebeka, Minnesota, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -21,7 +21,7 @@ # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. VERSION=${VERSION:-$(echo tiff-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=2 +BUILD=1 # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -63,8 +63,7 @@ rm -rf tiff-$VERSION tar xvf $CWD/tiff-$VERSION.tar.?z* || exit 1 cd tiff-$VERSION -zcat $CWD/libtiff-CVE-2011-0192.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/libtiff-CVE-2011-1167.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/libtiff-CVE-2012-1173.patch.gz | patch -p1 --verbose || exit 1 chown -R root:root . find . \ |