aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2019-11-03 23:41:48 -0300
committerNatanael Copa <ncopa@alpinelinux.org>2019-11-14 08:39:07 +0000
commitb6b472198d2967129bb8e42d7ddf72aa6c803567 (patch)
tree5a5a229bf52f28729157338812551f7f924d812e
parent9af25dd61afd81fa6218b3d4149f4f1fb7183519 (diff)
downloadalpine_aports-b6b472198d2967129bb8e42d7ddf72aa6c803567.tar.bz2
alpine_aports-b6b472198d2967129bb8e42d7ddf72aa6c803567.tar.xz
alpine_aports-b6b472198d2967129bb8e42d7ddf72aa6c803567.zip
main/tiff: upgrade to 4.1.0
Diffstat
-rw-r--r--main/tiff/APKBUILD17
-rw-r--r--main/tiff/CVE-2019-14973-rebased.patch424
-rw-r--r--main/tiff/CVE-2019-17546.patch105
3 files changed, 6 insertions, 540 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 9143b94c1a..36bebd13d5 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,21 +2,18 @@
2# Contributor: Leonardo Arena <rnalrd@alpinelinux.org> 2# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
3# Maintainer: Michael Mason <ms13sp@gmail.com> 3# Maintainer: Michael Mason <ms13sp@gmail.com>
4pkgname=tiff 4pkgname=tiff
5pkgver=4.0.10 5pkgver=4.1.0
6pkgrel=2 6pkgrel=0
7pkgdesc="Provides support for the Tag Image File Format or TIFF" 7pkgdesc="Provides support for the Tag Image File Format or TIFF"
8url="http://www.libtiff.org" 8url="http://www.libtiff.org"
9arch="all" 9arch="all"
10license="libtiff" 10license="libtiff"
11depends=
12depends_dev="zlib-dev libjpeg-turbo-dev" 11depends_dev="zlib-dev libjpeg-turbo-dev"
13makedepends="libtool autoconf automake $depends_dev" 12makedepends="libtool autoconf automake $depends_dev"
13checkdepends="diffutils"
14subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx" 14subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx"
15builddir="$srcdir/$pkgname-$pkgver" 15source="http://download.osgeo.org/libtiff/tiff-$pkgver.tar.gz
16source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
17 CVE-2018-12900.patch 16 CVE-2018-12900.patch
18 CVE-2019-14973-rebased.patch
19 CVE-2019-17546.patch
20 " 17 "
21 18
22# secfixes: 19# secfixes:
@@ -98,7 +95,5 @@ tools() {
98 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ 95 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
99} 96}
100 97
101sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz 98sha512sums="fd541dcb11e3d5afaa1ec2f073c9497099727a52f626b338ef87dc93ca2e23ca5f47634015a4beac616d4e8f05acf7b7cd5797fb218758cc2ad31b390491c5a6 tiff-4.1.0.tar.gz
102c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch 99c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch"
1034567184ea17028dbf90753dbebce221881ec26632d88f02d4f6b56556fc19bb9134523f16487707fdd908f21c7bc4660103d0a95f3ccf0890ad4f0d93e81c503 CVE-2019-14973-rebased.patch
104140a6f435a682c5fd2a56e364e0d7448e56b8bf20c8db45db8b15ffd711fa6449f6cdaecab417d7fa96fc832d8eebd40423658153c05dd4f25f769b4b346d5f1 CVE-2019-17546.patch"
diff --git a/main/tiff/CVE-2019-14973-rebased.patch b/main/tiff/CVE-2019-14973-rebased.patch
deleted file mode 100644
index 9bd5c846ae..0000000000
--- a/main/tiff/CVE-2019-14973-rebased.patch
+++ /dev/null
@@ -1,424 +0,0 @@
1From 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sat, 10 Aug 2019 18:25:03 +0200
4Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
5 implementation-defined behaviour (CVE-2019-14973)
6
7_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
8in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
9signed), which was especially easily triggered on 32-bit builds (with recent
10enough compilers that assume that signed multiplication cannot overflow, since
11this is undefined behaviour by the C standard). The original issue which lead to
12this fix was trigged from tif_fax3.c
13
14There were also unsafe (implementation defied), and broken in practice on 64bit
15builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
16(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
17at that time exploits, but are better to fix in a more bullet-proof way.
18Or similarly use of (int64)uint64_var <= 0.
19---
20 libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
21 libtiff/tif_getimage.c | 6 ++----
22 libtiff/tif_luv.c | 8 +------
23 libtiff/tif_pixarlog.c | 7 +-----
24 libtiff/tif_read.c | 38 +++++++++-----------------------
25 libtiff/tif_strip.c | 35 ++++--------------------------
26 libtiff/tif_tile.c | 27 +++--------------------
27 libtiff/tiffiop.h | 7 +++++-
28 8 files changed, 71 insertions(+), 106 deletions(-)
29
30diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
31index 4ece162..33fb8a4 100644
32--- a/libtiff/tif_aux.c
33+++ b/libtiff/tif_aux.c
34@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
35 return bytes;
36 }
37
38+tmsize_t
39+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
40+{
41+ if( first <= 0 || second <= 0 )
42+ {
43+ if( tif != NULL && where != NULL )
44+ {
45+ TIFFErrorExt(tif->tif_clientdata, where,
46+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
47+ }
48+ return 0;
49+ }
50+
51+ if( first > TIFF_TMSIZE_T_MAX / second )
52+ {
53+ if( tif != NULL && where != NULL )
54+ {
55+ TIFFErrorExt(tif->tif_clientdata, where,
56+ "Integer overflow in %s", where);
57+ }
58+ return 0;
59+ }
60+ return first * second;
61+}
62+
63+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
64+{
65+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
66+ {
67+ if( tif != NULL && module != NULL )
68+ {
69+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
70+ }
71+ return 0;
72+ }
73+ return (tmsize_t)val;
74+}
75+
76 void*
77 _TIFFCheckRealloc(TIFF* tif, void* buffer,
78 tmsize_t nmemb, tmsize_t elem_size, const char* what)
79 {
80 void* cp = NULL;
81- tmsize_t bytes = nmemb * elem_size;
82-
83+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
84 /*
85- * XXX: Check for integer overflow.
86+ * Check for integer overflow.
87 */
88- if (nmemb && elem_size && bytes / elem_size == nmemb)
89- cp = _TIFFrealloc(buffer, bytes);
90+ if (count != 0)
91+ {
92+ cp = _TIFFrealloc(buffer, count);
93+ }
94
95 if (cp == NULL) {
96 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
97diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
98index 6a9d5a7..2106ca2 100644
99--- a/libtiff/tif_getimage.c
100+++ b/libtiff/tif_getimage.c
101@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
102 uint32 leftmost_tw;
103
104 tilesize = TIFFTileSize(tif);
105- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
106+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
107 if (bufsize == 0) {
108- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
109 return (0);
110 }
111
112@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
113 uint16 colorchannels;
114
115 stripsize = TIFFStripSize(tif);
116- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
117+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
118 if (bufsize == 0) {
119- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
120 return (0);
121 }
122
123diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
124index aa35ea0..46d2dff 100644
125--- a/libtiff/tif_luv.c
126+++ b/libtiff/tif_luv.c
127@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
128 return (SGILOGDATAFMT_UNKNOWN);
129 }
130
131-
132-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
133-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
134-
135 static tmsize_t
136 multiply_ms(tmsize_t m1, tmsize_t m2)
137 {
138- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
139- return 0;
140- return m1 * m2;
141+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
142 }
143
144 static int
145diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
146index 7438d69..5c9a6bf 100644
147--- a/libtiff/tif_pixarlog.c
148+++ b/libtiff/tif_pixarlog.c
149@@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
150 return guess;
151 }
152
153-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
154-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
155-
156 static tmsize_t
157 multiply_ms(tmsize_t m1, tmsize_t m2)
158 {
159- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
160- return 0;
161- return m1 * m2;
162+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
163 }
164
165 static tmsize_t
166diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
167index e63810c..9a82baa 100644
168--- a/libtiff/tif_read.c
169+++ b/libtiff/tif_read.c
170@@ -29,9 +29,6 @@
171 #include "tiffiop.h"
172 #include <stdio.h>
173
174-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
175-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
176-
177 int TIFFFillStrip(TIFF* tif, uint32 strip);
178 int TIFFFillTile(TIFF* tif, uint32 tile);
179 static int TIFFStartStrip(TIFF* tif, uint32 strip);
180@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
181 #define THRESHOLD_MULTIPLIER 10
182 #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
183
184+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
185+
186 /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
187 * Returns 1 in case of success, 0 otherwise. */
188 static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
189@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
190 return ((tmsize_t)(-1));
191 }
192 bytecount = td->td_stripbytecount[strip];
193- if ((int64)bytecount <= 0) {
194-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
195- TIFFErrorExt(tif->tif_clientdata, module,
196- "%I64u: Invalid strip byte count, strip %lu",
197- (unsigned __int64) bytecount,
198- (unsigned long) strip);
199-#else
200- TIFFErrorExt(tif->tif_clientdata, module,
201- "%llu: Invalid strip byte count, strip %lu",
202- (unsigned long long) bytecount,
203- (unsigned long) strip);
204-#endif
205- return ((tmsize_t)(-1));
206- }
207- bytecountm = (tmsize_t)bytecount;
208- if ((uint64)bytecountm!=bytecount) {
209- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
210+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
211+ if (bytecountm == 0) {
212 return ((tmsize_t)(-1));
213 }
214 if (size != (tmsize_t)(-1) && size < bytecountm)
215@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
216 if ((tif->tif_flags&TIFF_NOREADRAW)==0)
217 {
218 uint64 bytecount = td->td_stripbytecount[strip];
219- if ((int64)bytecount <= 0) {
220+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
221 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
222 TIFFErrorExt(tif->tif_clientdata, module,
223 "Invalid strip byte count %I64u, strip %lu",
224@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
225 (bytecount - 4096) / 10 > (uint64)stripsize )
226 {
227 uint64 newbytecount = (uint64)stripsize * 10 + 4096;
228- if( (int64)newbytecount >= 0 )
229+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
230 {
231 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
232 TIFFWarningExt(tif->tif_clientdata, module,
233@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
234 bytecount64 = td->td_stripbytecount[tile];
235 if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
236 bytecount64 = (uint64)size;
237- bytecountm = (tmsize_t)bytecount64;
238- if ((uint64)bytecountm!=bytecount64)
239- {
240- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
241+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
242+ if( bytecountm == 0 ) {
243 return ((tmsize_t)(-1));
244 }
245 return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
246@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
247 if ((tif->tif_flags&TIFF_NOREADRAW)==0)
248 {
249 uint64 bytecount = td->td_stripbytecount[tile];
250- if ((int64)bytecount <= 0) {
251+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
252 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
253 TIFFErrorExt(tif->tif_clientdata, module,
254 "%I64u: Invalid tile byte count, tile %lu",
255@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
256 (bytecount - 4096) / 10 > (uint64)stripsize )
257 {
258 uint64 newbytecount = (uint64)stripsize * 10 + 4096;
259- if( (int64)newbytecount >= 0 )
260+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
261 {
262 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
263 TIFFWarningExt(tif->tif_clientdata, module,
264diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
265index 5b76fba..2366acf 100644
266--- a/libtiff/tif_strip.c
267+++ b/libtiff/tif_strip.c
268@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
269 {
270 static const char module[] = "TIFFVStripSize";
271 uint64 m;
272- tmsize_t n;
273 m=TIFFVStripSize64(tif,nrows);
274- n=(tmsize_t)m;
275- if ((uint64)n!=m)
276- {
277- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
278- n=0;
279- }
280- return(n);
281+ return _TIFFCastUInt64ToSSize(tif, m, module);
282 }
283
284 /*
285@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif)
286 {
287 static const char module[] = "TIFFStripSize";
288 uint64 m;
289- tmsize_t n;
290 m=TIFFStripSize64(tif);
291- n=(tmsize_t)m;
292- if ((uint64)n!=m)
293- {
294- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
295- n=0;
296- }
297- return(n);
298+ return _TIFFCastUInt64ToSSize(tif, m, module);
299 }
300
301 /*
302@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif)
303 {
304 static const char module[] = "TIFFScanlineSize";
305 uint64 m;
306- tmsize_t n;
307 m=TIFFScanlineSize64(tif);
308- n=(tmsize_t)m;
309- if ((uint64)n!=m) {
310- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
311- n=0;
312- }
313- return(n);
314+ return _TIFFCastUInt64ToSSize(tif, m, module);
315 }
316
317 /*
318@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif)
319 {
320 static const char module[] = "TIFFRasterScanlineSize";
321 uint64 m;
322- tmsize_t n;
323 m=TIFFRasterScanlineSize64(tif);
324- n=(tmsize_t)m;
325- if ((uint64)n!=m)
326- {
327- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
328- n=0;
329- }
330- return(n);
331+ return _TIFFCastUInt64ToSSize(tif, m, module);
332 }
333
334 /* vim: set ts=8 sts=8 sw=8 noet: */
335diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
336index 58fe935..661cc77 100644
337--- a/libtiff/tif_tile.c
338+++ b/libtiff/tif_tile.c
339@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
340 {
341 static const char module[] = "TIFFTileRowSize";
342 uint64 m;
343- tmsize_t n;
344 m=TIFFTileRowSize64(tif);
345- n=(tmsize_t)m;
346- if ((uint64)n!=m)
347- {
348- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
349- n=0;
350- }
351- return(n);
352+ return _TIFFCastUInt64ToSSize(tif, m, module);
353 }
354
355 /*
356@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
357 {
358 static const char module[] = "TIFFVTileSize";
359 uint64 m;
360- tmsize_t n;
361 m=TIFFVTileSize64(tif,nrows);
362- n=(tmsize_t)m;
363- if ((uint64)n!=m)
364- {
365- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
366- n=0;
367- }
368- return(n);
369+ return _TIFFCastUInt64ToSSize(tif, m, module);
370 }
371
372 /*
373@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
374 {
375 static const char module[] = "TIFFTileSize";
376 uint64 m;
377- tmsize_t n;
378 m=TIFFTileSize64(tif);
379- n=(tmsize_t)m;
380- if ((uint64)n!=m)
381- {
382- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
383- n=0;
384- }
385- return(n);
386+ return _TIFFCastUInt64ToSSize(tif, m, module);
387 }
388
389 /*
390diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
391index 186c291..558484f 100644
392--- a/libtiff/tiffiop.h
393+++ b/libtiff/tiffiop.h
394@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
395 #define FALSE 0
396 #endif
397
398+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
399+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
400+
401 typedef struct client_info {
402 struct client_info *next;
403 void *data;
404@@ -258,7 +261,7 @@ struct tiff {
405 #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
406 #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
407
408-/* Safe multiply which returns zero if there is an integer overflow */
409+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
410 #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
411
412 #define TIFFmax(A,B) ((A)>(B)?(A):(B))
413@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
414
415 extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
416 extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
417+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
418+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
419 extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
420 extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
421
422--
4232.23.0
424
diff --git a/main/tiff/CVE-2019-17546.patch b/main/tiff/CVE-2019-17546.patch
deleted file mode 100644
index c04f0a3428..0000000000
--- a/main/tiff/CVE-2019-17546.patch
+++ /dev/null
@@ -1,105 +0,0 @@
1From 4bb584a35f87af42d6cf09d15e9ce8909a839145 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Thu, 15 Aug 2019 15:05:28 +0200
4Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
5 write heap buffer overflow, especially on 32 bit builds. Fixes
6 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
7 Fuzz
8
9---
10 libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
11 1 file changed, 20 insertions(+), 6 deletions(-)
12
13diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
14index c88b5fa6..4da785d3 100644
15--- a/libtiff/tif_getimage.c
16+++ b/libtiff/tif_getimage.c
17@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
18 fromskew = (w < imagewidth ? imagewidth - w : 0);
19 for (row = 0; row < h; row += nrow)
20 {
21+ uint32 temp;
22 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
23 nrow = (row + rowstoread > h ? h - row : rowstoread);
24 nrowsub = nrow;
25 if ((nrowsub%subsamplingver)!=0)
26 nrowsub+=subsamplingver-nrowsub%subsamplingver;
27+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
28+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
29+ {
30+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
31+ return 0;
32+ }
33 if (_TIFFReadEncodedStripAndAllocBuffer(tif,
34 TIFFComputeStrip(tif,row+img->row_offset, 0),
35 (void**)(&buf),
36 maxstripsize,
37- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
38+ temp * scanline)==(tmsize_t)(-1)
39 && (buf == NULL || img->stoponerr))
40 {
41 ret = 0;
42@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
43 fromskew = (w < imagewidth ? imagewidth - w : 0);
44 for (row = 0; row < h; row += nrow)
45 {
46+ uint32 temp;
47 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
48 nrow = (row + rowstoread > h ? h - row : rowstoread);
49 offset_row = row + img->row_offset;
50+ temp = (row + img->row_offset)%rowsperstrip + nrow;
51+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
52+ {
53+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
54+ return 0;
55+ }
56 if( buf == NULL )
57 {
58 if (_TIFFReadEncodedStripAndAllocBuffer(
59 tif, TIFFComputeStrip(tif, offset_row, 0),
60 (void**) &buf, bufsize,
61- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
62+ temp * scanline)==(tmsize_t)(-1)
63 && (buf == NULL || img->stoponerr))
64 {
65 ret = 0;
66@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
67 }
68 }
69 else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
70- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
71+ p0, temp * scanline)==(tmsize_t)(-1)
72 && img->stoponerr)
73 {
74 ret = 0;
75@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
76 }
77 if (colorchannels > 1
78 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
79- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
80+ p1, temp * scanline) == (tmsize_t)(-1)
81 && img->stoponerr)
82 {
83 ret = 0;
84@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
85 }
86 if (colorchannels > 1
87 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
88- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
89+ p2, temp * scanline) == (tmsize_t)(-1)
90 && img->stoponerr)
91 {
92 ret = 0;
93@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
94 if (alpha)
95 {
96 if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
97- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
98+ pa, temp * scanline)==(tmsize_t)(-1)
99 && img->stoponerr)
100 {
101 ret = 0;
102--
1032.22.0
104
105
© 2015 Mike Crute