diff options
author | Leo <thinkabit.ukim@gmail.com> | 2019-11-03 23:41:48 -0300 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-11-14 08:39:07 +0000 |
commit | b6b472198d2967129bb8e42d7ddf72aa6c803567 (patch) | |
tree | 5a5a229bf52f28729157338812551f7f924d812e | |
parent | 9af25dd61afd81fa6218b3d4149f4f1fb7183519 (diff) | |
download | alpine_aports-b6b472198d2967129bb8e42d7ddf72aa6c803567.tar.bz2 alpine_aports-b6b472198d2967129bb8e42d7ddf72aa6c803567.tar.xz alpine_aports-b6b472198d2967129bb8e42d7ddf72aa6c803567.zip |
main/tiff: upgrade to 4.1.0
-rw-r--r-- | main/tiff/APKBUILD | 17 | ||||
-rw-r--r-- | main/tiff/CVE-2019-14973-rebased.patch | 424 | ||||
-rw-r--r-- | main/tiff/CVE-2019-17546.patch | 105 |
3 files changed, 6 insertions, 540 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 9143b94c1a..36bebd13d5 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD | |||
@@ -2,21 +2,18 @@ | |||
2 | # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> | 2 | # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> |
3 | # Maintainer: Michael Mason <ms13sp@gmail.com> | 3 | # Maintainer: Michael Mason <ms13sp@gmail.com> |
4 | pkgname=tiff | 4 | pkgname=tiff |
5 | pkgver=4.0.10 | 5 | pkgver=4.1.0 |
6 | pkgrel=2 | 6 | pkgrel=0 |
7 | pkgdesc="Provides support for the Tag Image File Format or TIFF" | 7 | pkgdesc="Provides support for the Tag Image File Format or TIFF" |
8 | url="http://www.libtiff.org" | 8 | url="http://www.libtiff.org" |
9 | arch="all" | 9 | arch="all" |
10 | license="libtiff" | 10 | license="libtiff" |
11 | depends= | ||
12 | depends_dev="zlib-dev libjpeg-turbo-dev" | 11 | depends_dev="zlib-dev libjpeg-turbo-dev" |
13 | makedepends="libtool autoconf automake $depends_dev" | 12 | makedepends="libtool autoconf automake $depends_dev" |
13 | checkdepends="diffutils" | ||
14 | subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx" | 14 | subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx" |
15 | builddir="$srcdir/$pkgname-$pkgver" | 15 | source="http://download.osgeo.org/libtiff/tiff-$pkgver.tar.gz |
16 | source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz | ||
17 | CVE-2018-12900.patch | 16 | CVE-2018-12900.patch |
18 | CVE-2019-14973-rebased.patch | ||
19 | CVE-2019-17546.patch | ||
20 | " | 17 | " |
21 | 18 | ||
22 | # secfixes: | 19 | # secfixes: |
@@ -98,7 +95,5 @@ tools() { | |||
98 | mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ | 95 | mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ |
99 | } | 96 | } |
100 | 97 | ||
101 | sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz | 98 | sha512sums="fd541dcb11e3d5afaa1ec2f073c9497099727a52f626b338ef87dc93ca2e23ca5f47634015a4beac616d4e8f05acf7b7cd5797fb218758cc2ad31b390491c5a6 tiff-4.1.0.tar.gz |
102 | c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch | 99 | c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch" |
103 | 4567184ea17028dbf90753dbebce221881ec26632d88f02d4f6b56556fc19bb9134523f16487707fdd908f21c7bc4660103d0a95f3ccf0890ad4f0d93e81c503 CVE-2019-14973-rebased.patch | ||
104 | 140a6f435a682c5fd2a56e364e0d7448e56b8bf20c8db45db8b15ffd711fa6449f6cdaecab417d7fa96fc832d8eebd40423658153c05dd4f25f769b4b346d5f1 CVE-2019-17546.patch" | ||
diff --git a/main/tiff/CVE-2019-14973-rebased.patch b/main/tiff/CVE-2019-14973-rebased.patch deleted file mode 100644 index 9bd5c846ae..0000000000 --- a/main/tiff/CVE-2019-14973-rebased.patch +++ /dev/null | |||
@@ -1,424 +0,0 @@ | |||
1 | From 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 10 Aug 2019 18:25:03 +0200 | ||
4 | Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other | ||
5 | implementation-defined behaviour (CVE-2019-14973) | ||
6 | |||
7 | _TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow | ||
8 | in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus | ||
9 | signed), which was especially easily triggered on 32-bit builds (with recent | ||
10 | enough compilers that assume that signed multiplication cannot overflow, since | ||
11 | this is undefined behaviour by the C standard). The original issue which lead to | ||
12 | this fix was trigged from tif_fax3.c | ||
13 | |||
14 | There were also unsafe (implementation defied), and broken in practice on 64bit | ||
15 | builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing | ||
16 | (uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known | ||
17 | at that time exploits, but are better to fix in a more bullet-proof way. | ||
18 | Or similarly use of (int64)uint64_var <= 0. | ||
19 | --- | ||
20 | libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++----- | ||
21 | libtiff/tif_getimage.c | 6 ++---- | ||
22 | libtiff/tif_luv.c | 8 +------ | ||
23 | libtiff/tif_pixarlog.c | 7 +----- | ||
24 | libtiff/tif_read.c | 38 +++++++++----------------------- | ||
25 | libtiff/tif_strip.c | 35 ++++-------------------------- | ||
26 | libtiff/tif_tile.c | 27 +++-------------------- | ||
27 | libtiff/tiffiop.h | 7 +++++- | ||
28 | 8 files changed, 71 insertions(+), 106 deletions(-) | ||
29 | |||
30 | diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c | ||
31 | index 4ece162..33fb8a4 100644 | ||
32 | --- a/libtiff/tif_aux.c | ||
33 | +++ b/libtiff/tif_aux.c | ||
34 | @@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) | ||
35 | return bytes; | ||
36 | } | ||
37 | |||
38 | +tmsize_t | ||
39 | +_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) | ||
40 | +{ | ||
41 | + if( first <= 0 || second <= 0 ) | ||
42 | + { | ||
43 | + if( tif != NULL && where != NULL ) | ||
44 | + { | ||
45 | + TIFFErrorExt(tif->tif_clientdata, where, | ||
46 | + "Invalid argument to _TIFFMultiplySSize() in %s", where); | ||
47 | + } | ||
48 | + return 0; | ||
49 | + } | ||
50 | + | ||
51 | + if( first > TIFF_TMSIZE_T_MAX / second ) | ||
52 | + { | ||
53 | + if( tif != NULL && where != NULL ) | ||
54 | + { | ||
55 | + TIFFErrorExt(tif->tif_clientdata, where, | ||
56 | + "Integer overflow in %s", where); | ||
57 | + } | ||
58 | + return 0; | ||
59 | + } | ||
60 | + return first * second; | ||
61 | +} | ||
62 | + | ||
63 | +tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) | ||
64 | +{ | ||
65 | + if( val > (uint64)TIFF_TMSIZE_T_MAX ) | ||
66 | + { | ||
67 | + if( tif != NULL && module != NULL ) | ||
68 | + { | ||
69 | + TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
70 | + } | ||
71 | + return 0; | ||
72 | + } | ||
73 | + return (tmsize_t)val; | ||
74 | +} | ||
75 | + | ||
76 | void* | ||
77 | _TIFFCheckRealloc(TIFF* tif, void* buffer, | ||
78 | tmsize_t nmemb, tmsize_t elem_size, const char* what) | ||
79 | { | ||
80 | void* cp = NULL; | ||
81 | - tmsize_t bytes = nmemb * elem_size; | ||
82 | - | ||
83 | + tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); | ||
84 | /* | ||
85 | - * XXX: Check for integer overflow. | ||
86 | + * Check for integer overflow. | ||
87 | */ | ||
88 | - if (nmemb && elem_size && bytes / elem_size == nmemb) | ||
89 | - cp = _TIFFrealloc(buffer, bytes); | ||
90 | + if (count != 0) | ||
91 | + { | ||
92 | + cp = _TIFFrealloc(buffer, count); | ||
93 | + } | ||
94 | |||
95 | if (cp == NULL) { | ||
96 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
97 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
98 | index 6a9d5a7..2106ca2 100644 | ||
99 | --- a/libtiff/tif_getimage.c | ||
100 | +++ b/libtiff/tif_getimage.c | ||
101 | @@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
102 | uint32 leftmost_tw; | ||
103 | |||
104 | tilesize = TIFFTileSize(tif); | ||
105 | - bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); | ||
106 | + bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); | ||
107 | if (bufsize == 0) { | ||
108 | - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); | ||
109 | return (0); | ||
110 | } | ||
111 | |||
112 | @@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
113 | uint16 colorchannels; | ||
114 | |||
115 | stripsize = TIFFStripSize(tif); | ||
116 | - bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); | ||
117 | + bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); | ||
118 | if (bufsize == 0) { | ||
119 | - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); | ||
120 | return (0); | ||
121 | } | ||
122 | |||
123 | diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c | ||
124 | index aa35ea0..46d2dff 100644 | ||
125 | --- a/libtiff/tif_luv.c | ||
126 | +++ b/libtiff/tif_luv.c | ||
127 | @@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td) | ||
128 | return (SGILOGDATAFMT_UNKNOWN); | ||
129 | } | ||
130 | |||
131 | - | ||
132 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
133 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
134 | - | ||
135 | static tmsize_t | ||
136 | multiply_ms(tmsize_t m1, tmsize_t m2) | ||
137 | { | ||
138 | - if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) | ||
139 | - return 0; | ||
140 | - return m1 * m2; | ||
141 | + return _TIFFMultiplySSize(NULL, m1, m2, NULL); | ||
142 | } | ||
143 | |||
144 | static int | ||
145 | diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c | ||
146 | index 7438d69..5c9a6bf 100644 | ||
147 | --- a/libtiff/tif_pixarlog.c | ||
148 | +++ b/libtiff/tif_pixarlog.c | ||
149 | @@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td) | ||
150 | return guess; | ||
151 | } | ||
152 | |||
153 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
154 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
155 | - | ||
156 | static tmsize_t | ||
157 | multiply_ms(tmsize_t m1, tmsize_t m2) | ||
158 | { | ||
159 | - if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) | ||
160 | - return 0; | ||
161 | - return m1 * m2; | ||
162 | + return _TIFFMultiplySSize(NULL, m1, m2, NULL); | ||
163 | } | ||
164 | |||
165 | static tmsize_t | ||
166 | diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c | ||
167 | index e63810c..9a82baa 100644 | ||
168 | --- a/libtiff/tif_read.c | ||
169 | +++ b/libtiff/tif_read.c | ||
170 | @@ -29,9 +29,6 @@ | ||
171 | #include "tiffiop.h" | ||
172 | #include <stdio.h> | ||
173 | |||
174 | -#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
175 | -#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
176 | - | ||
177 | int TIFFFillStrip(TIFF* tif, uint32 strip); | ||
178 | int TIFFFillTile(TIFF* tif, uint32 tile); | ||
179 | static int TIFFStartStrip(TIFF* tif, uint32 strip); | ||
180 | @@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m | ||
181 | #define THRESHOLD_MULTIPLIER 10 | ||
182 | #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) | ||
183 | |||
184 | +#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF) | ||
185 | + | ||
186 | /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' | ||
187 | * Returns 1 in case of success, 0 otherwise. */ | ||
188 | static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, | ||
189 | @@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) | ||
190 | return ((tmsize_t)(-1)); | ||
191 | } | ||
192 | bytecount = td->td_stripbytecount[strip]; | ||
193 | - if ((int64)bytecount <= 0) { | ||
194 | -#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
195 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
196 | - "%I64u: Invalid strip byte count, strip %lu", | ||
197 | - (unsigned __int64) bytecount, | ||
198 | - (unsigned long) strip); | ||
199 | -#else | ||
200 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
201 | - "%llu: Invalid strip byte count, strip %lu", | ||
202 | - (unsigned long long) bytecount, | ||
203 | - (unsigned long) strip); | ||
204 | -#endif | ||
205 | - return ((tmsize_t)(-1)); | ||
206 | - } | ||
207 | - bytecountm = (tmsize_t)bytecount; | ||
208 | - if ((uint64)bytecountm!=bytecount) { | ||
209 | - TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); | ||
210 | + bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module); | ||
211 | + if (bytecountm == 0) { | ||
212 | return ((tmsize_t)(-1)); | ||
213 | } | ||
214 | if (size != (tmsize_t)(-1) && size < bytecountm) | ||
215 | @@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) | ||
216 | if ((tif->tif_flags&TIFF_NOREADRAW)==0) | ||
217 | { | ||
218 | uint64 bytecount = td->td_stripbytecount[strip]; | ||
219 | - if ((int64)bytecount <= 0) { | ||
220 | + if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { | ||
221 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
222 | TIFFErrorExt(tif->tif_clientdata, module, | ||
223 | "Invalid strip byte count %I64u, strip %lu", | ||
224 | @@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) | ||
225 | (bytecount - 4096) / 10 > (uint64)stripsize ) | ||
226 | { | ||
227 | uint64 newbytecount = (uint64)stripsize * 10 + 4096; | ||
228 | - if( (int64)newbytecount >= 0 ) | ||
229 | + if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) | ||
230 | { | ||
231 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
232 | TIFFWarningExt(tif->tif_clientdata, module, | ||
233 | @@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) | ||
234 | bytecount64 = td->td_stripbytecount[tile]; | ||
235 | if (size != (tmsize_t)(-1) && (uint64)size < bytecount64) | ||
236 | bytecount64 = (uint64)size; | ||
237 | - bytecountm = (tmsize_t)bytecount64; | ||
238 | - if ((uint64)bytecountm!=bytecount64) | ||
239 | - { | ||
240 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
241 | + bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module); | ||
242 | + if( bytecountm == 0 ) { | ||
243 | return ((tmsize_t)(-1)); | ||
244 | } | ||
245 | return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); | ||
246 | @@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) | ||
247 | if ((tif->tif_flags&TIFF_NOREADRAW)==0) | ||
248 | { | ||
249 | uint64 bytecount = td->td_stripbytecount[tile]; | ||
250 | - if ((int64)bytecount <= 0) { | ||
251 | + if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { | ||
252 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
253 | TIFFErrorExt(tif->tif_clientdata, module, | ||
254 | "%I64u: Invalid tile byte count, tile %lu", | ||
255 | @@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) | ||
256 | (bytecount - 4096) / 10 > (uint64)stripsize ) | ||
257 | { | ||
258 | uint64 newbytecount = (uint64)stripsize * 10 + 4096; | ||
259 | - if( (int64)newbytecount >= 0 ) | ||
260 | + if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) | ||
261 | { | ||
262 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
263 | TIFFWarningExt(tif->tif_clientdata, module, | ||
264 | diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c | ||
265 | index 5b76fba..2366acf 100644 | ||
266 | --- a/libtiff/tif_strip.c | ||
267 | +++ b/libtiff/tif_strip.c | ||
268 | @@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) | ||
269 | { | ||
270 | static const char module[] = "TIFFVStripSize"; | ||
271 | uint64 m; | ||
272 | - tmsize_t n; | ||
273 | m=TIFFVStripSize64(tif,nrows); | ||
274 | - n=(tmsize_t)m; | ||
275 | - if ((uint64)n!=m) | ||
276 | - { | ||
277 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
278 | - n=0; | ||
279 | - } | ||
280 | - return(n); | ||
281 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
282 | } | ||
283 | |||
284 | /* | ||
285 | @@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif) | ||
286 | { | ||
287 | static const char module[] = "TIFFStripSize"; | ||
288 | uint64 m; | ||
289 | - tmsize_t n; | ||
290 | m=TIFFStripSize64(tif); | ||
291 | - n=(tmsize_t)m; | ||
292 | - if ((uint64)n!=m) | ||
293 | - { | ||
294 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
295 | - n=0; | ||
296 | - } | ||
297 | - return(n); | ||
298 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
299 | } | ||
300 | |||
301 | /* | ||
302 | @@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif) | ||
303 | { | ||
304 | static const char module[] = "TIFFScanlineSize"; | ||
305 | uint64 m; | ||
306 | - tmsize_t n; | ||
307 | m=TIFFScanlineSize64(tif); | ||
308 | - n=(tmsize_t)m; | ||
309 | - if ((uint64)n!=m) { | ||
310 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); | ||
311 | - n=0; | ||
312 | - } | ||
313 | - return(n); | ||
314 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
315 | } | ||
316 | |||
317 | /* | ||
318 | @@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif) | ||
319 | { | ||
320 | static const char module[] = "TIFFRasterScanlineSize"; | ||
321 | uint64 m; | ||
322 | - tmsize_t n; | ||
323 | m=TIFFRasterScanlineSize64(tif); | ||
324 | - n=(tmsize_t)m; | ||
325 | - if ((uint64)n!=m) | ||
326 | - { | ||
327 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); | ||
328 | - n=0; | ||
329 | - } | ||
330 | - return(n); | ||
331 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
332 | } | ||
333 | |||
334 | /* vim: set ts=8 sts=8 sw=8 noet: */ | ||
335 | diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c | ||
336 | index 58fe935..661cc77 100644 | ||
337 | --- a/libtiff/tif_tile.c | ||
338 | +++ b/libtiff/tif_tile.c | ||
339 | @@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif) | ||
340 | { | ||
341 | static const char module[] = "TIFFTileRowSize"; | ||
342 | uint64 m; | ||
343 | - tmsize_t n; | ||
344 | m=TIFFTileRowSize64(tif); | ||
345 | - n=(tmsize_t)m; | ||
346 | - if ((uint64)n!=m) | ||
347 | - { | ||
348 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
349 | - n=0; | ||
350 | - } | ||
351 | - return(n); | ||
352 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
353 | } | ||
354 | |||
355 | /* | ||
356 | @@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) | ||
357 | { | ||
358 | static const char module[] = "TIFFVTileSize"; | ||
359 | uint64 m; | ||
360 | - tmsize_t n; | ||
361 | m=TIFFVTileSize64(tif,nrows); | ||
362 | - n=(tmsize_t)m; | ||
363 | - if ((uint64)n!=m) | ||
364 | - { | ||
365 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
366 | - n=0; | ||
367 | - } | ||
368 | - return(n); | ||
369 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
370 | } | ||
371 | |||
372 | /* | ||
373 | @@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif) | ||
374 | { | ||
375 | static const char module[] = "TIFFTileSize"; | ||
376 | uint64 m; | ||
377 | - tmsize_t n; | ||
378 | m=TIFFTileSize64(tif); | ||
379 | - n=(tmsize_t)m; | ||
380 | - if ((uint64)n!=m) | ||
381 | - { | ||
382 | - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); | ||
383 | - n=0; | ||
384 | - } | ||
385 | - return(n); | ||
386 | + return _TIFFCastUInt64ToSSize(tif, m, module); | ||
387 | } | ||
388 | |||
389 | /* | ||
390 | diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h | ||
391 | index 186c291..558484f 100644 | ||
392 | --- a/libtiff/tiffiop.h | ||
393 | +++ b/libtiff/tiffiop.h | ||
394 | @@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); | ||
395 | #define FALSE 0 | ||
396 | #endif | ||
397 | |||
398 | +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
399 | +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
400 | + | ||
401 | typedef struct client_info { | ||
402 | struct client_info *next; | ||
403 | void *data; | ||
404 | @@ -258,7 +261,7 @@ struct tiff { | ||
405 | #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) | ||
406 | #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) | ||
407 | |||
408 | -/* Safe multiply which returns zero if there is an integer overflow */ | ||
409 | +/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ | ||
410 | #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) | ||
411 | |||
412 | #define TIFFmax(A,B) ((A)>(B)?(A):(B)) | ||
413 | @@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; | ||
414 | |||
415 | extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); | ||
416 | extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); | ||
417 | +extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); | ||
418 | +extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); | ||
419 | extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); | ||
420 | extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); | ||
421 | |||
422 | -- | ||
423 | 2.23.0 | ||
424 | |||
diff --git a/main/tiff/CVE-2019-17546.patch b/main/tiff/CVE-2019-17546.patch deleted file mode 100644 index c04f0a3428..0000000000 --- a/main/tiff/CVE-2019-17546.patch +++ /dev/null | |||
@@ -1,105 +0,0 @@ | |||
1 | From 4bb584a35f87af42d6cf09d15e9ce8909a839145 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Thu, 15 Aug 2019 15:05:28 +0200 | ||
4 | Subject: [PATCH] RGBA interface: fix integer overflow potentially causing | ||
5 | write heap buffer overflow, especially on 32 bit builds. Fixes | ||
6 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS | ||
7 | Fuzz | ||
8 | |||
9 | --- | ||
10 | libtiff/tif_getimage.c | 26 ++++++++++++++++++++------ | ||
11 | 1 file changed, 20 insertions(+), 6 deletions(-) | ||
12 | |||
13 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
14 | index c88b5fa6..4da785d3 100644 | ||
15 | --- a/libtiff/tif_getimage.c | ||
16 | +++ b/libtiff/tif_getimage.c | ||
17 | @@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
18 | fromskew = (w < imagewidth ? imagewidth - w : 0); | ||
19 | for (row = 0; row < h; row += nrow) | ||
20 | { | ||
21 | + uint32 temp; | ||
22 | rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; | ||
23 | nrow = (row + rowstoread > h ? h - row : rowstoread); | ||
24 | nrowsub = nrow; | ||
25 | if ((nrowsub%subsamplingver)!=0) | ||
26 | nrowsub+=subsamplingver-nrowsub%subsamplingver; | ||
27 | + temp = (row + img->row_offset)%rowsperstrip + nrowsub; | ||
28 | + if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) | ||
29 | + { | ||
30 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); | ||
31 | + return 0; | ||
32 | + } | ||
33 | if (_TIFFReadEncodedStripAndAllocBuffer(tif, | ||
34 | TIFFComputeStrip(tif,row+img->row_offset, 0), | ||
35 | (void**)(&buf), | ||
36 | maxstripsize, | ||
37 | - ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) | ||
38 | + temp * scanline)==(tmsize_t)(-1) | ||
39 | && (buf == NULL || img->stoponerr)) | ||
40 | { | ||
41 | ret = 0; | ||
42 | @@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
43 | fromskew = (w < imagewidth ? imagewidth - w : 0); | ||
44 | for (row = 0; row < h; row += nrow) | ||
45 | { | ||
46 | + uint32 temp; | ||
47 | rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; | ||
48 | nrow = (row + rowstoread > h ? h - row : rowstoread); | ||
49 | offset_row = row + img->row_offset; | ||
50 | + temp = (row + img->row_offset)%rowsperstrip + nrow; | ||
51 | + if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) | ||
52 | + { | ||
53 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); | ||
54 | + return 0; | ||
55 | + } | ||
56 | if( buf == NULL ) | ||
57 | { | ||
58 | if (_TIFFReadEncodedStripAndAllocBuffer( | ||
59 | tif, TIFFComputeStrip(tif, offset_row, 0), | ||
60 | (void**) &buf, bufsize, | ||
61 | - ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
62 | + temp * scanline)==(tmsize_t)(-1) | ||
63 | && (buf == NULL || img->stoponerr)) | ||
64 | { | ||
65 | ret = 0; | ||
66 | @@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
67 | } | ||
68 | } | ||
69 | else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), | ||
70 | - p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
71 | + p0, temp * scanline)==(tmsize_t)(-1) | ||
72 | && img->stoponerr) | ||
73 | { | ||
74 | ret = 0; | ||
75 | @@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
76 | } | ||
77 | if (colorchannels > 1 | ||
78 | && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), | ||
79 | - p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) | ||
80 | + p1, temp * scanline) == (tmsize_t)(-1) | ||
81 | && img->stoponerr) | ||
82 | { | ||
83 | ret = 0; | ||
84 | @@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
85 | } | ||
86 | if (colorchannels > 1 | ||
87 | && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), | ||
88 | - p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) | ||
89 | + p2, temp * scanline) == (tmsize_t)(-1) | ||
90 | && img->stoponerr) | ||
91 | { | ||
92 | ret = 0; | ||
93 | @@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
94 | if (alpha) | ||
95 | { | ||
96 | if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), | ||
97 | - pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) | ||
98 | + pa, temp * scanline)==(tmsize_t)(-1) | ||
99 | && img->stoponerr) | ||
100 | { | ||
101 | ret = 0; | ||
102 | -- | ||
103 | 2.22.0 | ||
104 | |||
105 | |||