diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2018-11-30 11:53:35 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-12-07 08:26:06 +0100 |
commit | 42e3145e0c57d0a2e3c2717842ae6cfa41e3a03e (patch) | |
tree | cafe23056362f0d20831021e82ddbd2348412868 | |
parent | b0243d03648d68851d3b5edb68da29eaae5c9f0f (diff) | |
download | alpine_aports-42e3145e0c57d0a2e3c2717842ae6cfa41e3a03e.tar.bz2 alpine_aports-42e3145e0c57d0a2e3c2717842ae6cfa41e3a03e.tar.xz alpine_aports-42e3145e0c57d0a2e3c2717842ae6cfa41e3a03e.zip |
main/tiff: security upgrade to 4.0.10
CVE-2018-12900, CVE-2018-18557, CVE-2018-18661
fixes #9716
-rw-r--r-- | main/tiff/APKBUILD | 37 | ||||
-rw-r--r-- | main/tiff/CVE-2017-11613.patch | 44 | ||||
-rw-r--r-- | main/tiff/CVE-2017-17095.patch | 28 | ||||
-rw-r--r-- | main/tiff/CVE-2017-18013.patch | 34 | ||||
-rw-r--r-- | main/tiff/CVE-2017-9935.patch | 164 | ||||
-rw-r--r-- | main/tiff/CVE-2018-10779.patch | 32 | ||||
-rw-r--r-- | main/tiff/CVE-2018-10963.patch | 31 | ||||
-rw-r--r-- | main/tiff/CVE-2018-12900.patch | 29 | ||||
-rw-r--r-- | main/tiff/CVE-2018-17100-1.patch | 112 | ||||
-rw-r--r-- | main/tiff/CVE-2018-5784.patch | 128 | ||||
-rw-r--r-- | main/tiff/CVE-2018-7456.patch | 170 | ||||
-rw-r--r-- | main/tiff/CVE-2018-8905.patch | 51 |
12 files changed, 38 insertions, 822 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 3a0ccc8d72..8a16a653ee 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD | |||
@@ -2,8 +2,8 @@ | |||
2 | # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> | 2 | # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> |
3 | # Maintainer: Michael Mason <ms13sp@gmail.com> | 3 | # Maintainer: Michael Mason <ms13sp@gmail.com> |
4 | pkgname=tiff | 4 | pkgname=tiff |
5 | pkgver=4.0.9 | 5 | pkgver=4.0.10 |
6 | pkgrel=7 | 6 | pkgrel=0 |
7 | pkgdesc="Provides support for the Tag Image File Format or TIFF" | 7 | pkgdesc="Provides support for the Tag Image File Format or TIFF" |
8 | url="http://www.libtiff.org" | 8 | url="http://www.libtiff.org" |
9 | arch="all" | 9 | arch="all" |
@@ -14,19 +14,14 @@ makedepends="libtool autoconf automake $depends_dev" | |||
14 | subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" | 14 | subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" |
15 | builddir="$srcdir/$pkgname-$pkgver" | 15 | builddir="$srcdir/$pkgname-$pkgver" |
16 | source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz | 16 | source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz |
17 | CVE-2017-9935.patch | 17 | CVE-2018-12900.patch |
18 | CVE-2017-11613.patch | ||
19 | CVE-2017-17095.patch | ||
20 | CVE-2017-18013.patch | ||
21 | CVE-2018-5784.patch | ||
22 | CVE-2018-7456.patch | ||
23 | CVE-2018-8905.patch | ||
24 | CVE-2018-10779.patch | ||
25 | CVE-2018-10963.patch | ||
26 | CVE-2018-17100-1.patch | ||
27 | " | 18 | " |
28 | 19 | ||
29 | # secfixes: | 20 | # secfixes: |
21 | # 4.0.10-r0: | ||
22 | # - CVE-2018-12900 | ||
23 | # - CVE-2018-18557 | ||
24 | # - CVE-2018-18661 | ||
30 | # 4.0.9-r7: | 25 | # 4.0.9-r7: |
31 | # - CVE-2018-10779 | 26 | # - CVE-2018-10779 |
32 | # - CVE-2018-17100 | 27 | # - CVE-2018-17100 |
@@ -62,11 +57,6 @@ source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz | |||
62 | # 4.0.7-r1: | 57 | # 4.0.7-r1: |
63 | # - CVE-2017-5225 | 58 | # - CVE-2017-5225 |
64 | 59 | ||
65 | prepare() { | ||
66 | default_prepare | ||
67 | update_config_sub | ||
68 | } | ||
69 | |||
70 | build() { | 60 | build() { |
71 | cd "$builddir" | 61 | cd "$builddir" |
72 | ./configure \ | 62 | ./configure \ |
@@ -96,14 +86,5 @@ tools() { | |||
96 | mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ | 86 | mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ |
97 | } | 87 | } |
98 | 88 | ||
99 | sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd tiff-4.0.9.tar.gz | 89 | sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz |
100 | 75160265be98350706b90f69e0a432183ce51105b713da32a50030ed3123b956e68c19a21540a5c7fb02253bf33ddfb3e0ea4f3a0977aa7b19404ea3e6d6d5d8 CVE-2017-9935.patch | 90 | c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch" |
101 | 61fbc0fa3256ebdde2a42a482a39d4c63d68e16fc47e3e9f76f5719e7c7dce01f5d3897b53280494334f8be33d48517c24a9739f3be8118f097ff3a7814f0326 CVE-2017-11613.patch | ||
102 | 78c8593033a5c8b91a03bbca7dd05f3de2abfc2965096cc8e828df50a66069544e0221fd573f25eda0726cd5fd8b527bd018bfd74f3e8aac8816f6cc9b462489 CVE-2017-17095.patch | ||
103 | 3a31e4315ecc5c5bf709e2ca0fefb5bc7ff50c79f911b8b8366be38d007d3f79e89982700a620b2d82739313fbd79041428dbf3ecf0a790c9ec3bc2e211d6fce CVE-2017-18013.patch | ||
104 | c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96 CVE-2018-5784.patch | ||
105 | 8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch | ||
106 | ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch | ||
107 | aceae14ec9c6dcbaeb51a3d5527d0da1b0c3f1ef1e87f301615be745f9535be23305e8409105740e615f09d80642d7f84897a89cb98327ad8313d11d877f7e35 CVE-2018-10779.patch | ||
108 | 8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e CVE-2018-10963.patch | ||
109 | d19f584bc70bb8b0c1da910cb8642ff2e41741aaa85b23213c6cc27959d6133275b0124c6e779effeb447c559f3debfd04f377b69b8acb9fa5da8fe182c3f2aa CVE-2018-17100-1.patch" | ||
diff --git a/main/tiff/CVE-2017-11613.patch b/main/tiff/CVE-2017-11613.patch deleted file mode 100644 index b3f600a974..0000000000 --- a/main/tiff/CVE-2017-11613.patch +++ /dev/null | |||
@@ -1,44 +0,0 @@ | |||
1 | From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sun, 11 Mar 2018 11:14:01 +0100 | ||
4 | Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion | ||
5 | (CVE-2017-11613) | ||
6 | |||
7 | In ChopUpSingleUncompressedStrip(), if the computed number of strips is big | ||
8 | enough and we are in read only mode, validate that the file size is consistent | ||
9 | with that number of strips to avoid useless attempts at allocating a lot of | ||
10 | memory for the td_stripbytecount and td_stripoffset arrays. | ||
11 | |||
12 | Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more | ||
13 | cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. | ||
14 | Credit to OSS Fuzz | ||
15 | |||
16 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 | ||
17 | --- | ||
18 | libtiff/tif_dirread.c | 10 ++++++++++ | ||
19 | 1 file changed, 10 insertions(+) | ||
20 | |||
21 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
22 | index 80aaf8d..5896a78 100644 | ||
23 | --- a/libtiff/tif_dirread.c | ||
24 | +++ b/libtiff/tif_dirread.c | ||
25 | @@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) | ||
26 | if( nstrips == 0 ) | ||
27 | return; | ||
28 | |||
29 | + /* If we are going to allocate a lot of memory, make sure that the */ | ||
30 | + /* file is as big as needed */ | ||
31 | + if( tif->tif_mode == O_RDONLY && | ||
32 | + nstrips > 1000000 && | ||
33 | + (offset >= TIFFGetFileSize(tif) || | ||
34 | + stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) | ||
35 | + { | ||
36 | + return; | ||
37 | + } | ||
38 | + | ||
39 | newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
40 | "for chopped \"StripByteCounts\" array"); | ||
41 | newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
42 | -- | ||
43 | 2.17.1 | ||
44 | |||
diff --git a/main/tiff/CVE-2017-17095.patch b/main/tiff/CVE-2017-17095.patch deleted file mode 100644 index 760c9553d9..0000000000 --- a/main/tiff/CVE-2017-17095.patch +++ /dev/null | |||
@@ -1,28 +0,0 @@ | |||
1 | Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5 | ||
2 | |||
3 | diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c | ||
4 | index 7a57800..8443fce 100644 | ||
5 | --- a/tools/pal2rgb.c | ||
6 | +++ b/tools/pal2rgb.c | ||
7 | @@ -184,8 +184,19 @@ main(int argc, char* argv[]) | ||
8 | { unsigned char *ibuf, *obuf; | ||
9 | register unsigned char* pp; | ||
10 | register uint32 x; | ||
11 | - ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); | ||
12 | - obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); | ||
13 | + tmsize_t tss_in = TIFFScanlineSize(in); | ||
14 | + tmsize_t tss_out = TIFFScanlineSize(out); | ||
15 | + if (tss_out / tss_in < 3) { | ||
16 | + /* | ||
17 | + * BUG 2750: The following code assumes the output buffer is 3x the | ||
18 | + * length of the input buffer due to exploding the palette into | ||
19 | + * RGB tuples. If this doesn't happen, fail now. | ||
20 | + */ | ||
21 | + fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); | ||
22 | + return -1; | ||
23 | + } | ||
24 | + ibuf = (unsigned char*)_TIFFmalloc(tss_in); | ||
25 | + obuf = (unsigned char*)_TIFFmalloc(tss_out); | ||
26 | switch (config) { | ||
27 | case PLANARCONFIG_CONTIG: | ||
28 | for (row = 0; row < imagelength; row++) { | ||
diff --git a/main/tiff/CVE-2017-18013.patch b/main/tiff/CVE-2017-18013.patch deleted file mode 100644 index 5f56ff2593..0000000000 --- a/main/tiff/CVE-2017-18013.patch +++ /dev/null | |||
@@ -1,34 +0,0 @@ | |||
1 | From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sun, 31 Dec 2017 15:09:41 +0100 | ||
4 | Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770 | ||
5 | |||
6 | --- | ||
7 | libtiff/tif_print.c | 8 ++++---- | ||
8 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
9 | |||
10 | diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c | ||
11 | index 9959d35..8deceb2 100644 | ||
12 | --- a/libtiff/tif_print.c | ||
13 | +++ b/libtiff/tif_print.c | ||
14 | @@ -667,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) | ||
15 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) | ||
16 | fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", | ||
17 | (unsigned long) s, | ||
18 | - (unsigned __int64) td->td_stripoffset[s], | ||
19 | - (unsigned __int64) td->td_stripbytecount[s]); | ||
20 | + td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, | ||
21 | + td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); | ||
22 | #else | ||
23 | fprintf(fd, " %3lu: [%8llu, %8llu]\n", | ||
24 | (unsigned long) s, | ||
25 | - (unsigned long long) td->td_stripoffset[s], | ||
26 | - (unsigned long long) td->td_stripbytecount[s]); | ||
27 | + td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, | ||
28 | + td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); | ||
29 | #endif | ||
30 | } | ||
31 | } | ||
32 | -- | ||
33 | libgit2 0.26.0 | ||
34 | |||
diff --git a/main/tiff/CVE-2017-9935.patch b/main/tiff/CVE-2017-9935.patch deleted file mode 100644 index 39327ffb92..0000000000 --- a/main/tiff/CVE-2017-9935.patch +++ /dev/null | |||
@@ -1,164 +0,0 @@ | |||
1 | From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001 | ||
2 | From: Brian May <brian@linuxpenguins.xyz> | ||
3 | Date: Thu, 7 Dec 2017 07:46:47 +1100 | ||
4 | Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935 | ||
5 | |||
6 | Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 | ||
7 | |||
8 | This vulnerability - at least for the supplied test case - is because we | ||
9 | assume that a tiff will only have one transfer function that is the same | ||
10 | for all pages. This is not required by the TIFF standards. | ||
11 | |||
12 | We than read the transfer function for every page. Depending on the | ||
13 | transfer function, we allocate either 2 or 4 bytes to the XREF buffer. | ||
14 | We allocate this memory after we read in the transfer function for the | ||
15 | page. | ||
16 | |||
17 | For the first exploit - POC1, this file has 3 pages. For the first page | ||
18 | we allocate 2 extra extra XREF entries. Then for the next page 2 more | ||
19 | entries. Then for the last page the transfer function changes and we | ||
20 | allocate 4 more entries. | ||
21 | |||
22 | When we read the file into memory, we assume we have 4 bytes extra for | ||
23 | each and every page (as per the last transfer function we read). Which | ||
24 | is not correct, we only have 2 bytes extra for the first 2 pages. As a | ||
25 | result, we end up writing past the end of the buffer. | ||
26 | |||
27 | There are also some related issues that this also fixes. For example, | ||
28 | TIFFGetField can return uninitalized pointer values, and the logic to | ||
29 | detect a N=3 vs N=1 transfer function seemed rather strange. | ||
30 | |||
31 | It is also strange that we declare the transfer functions to be of type | ||
32 | float, when the standard says they are unsigned 16 bit values. This is | ||
33 | fixed in another patch. | ||
34 | |||
35 | This patch will check to ensure that the N value for every transfer | ||
36 | function is the same for every page. If this changes, we abort with an | ||
37 | error. In theory, we should perhaps check that the transfer function | ||
38 | itself is identical for every page, however we don't do that due to the | ||
39 | confusion of the type of the data in the transfer function. | ||
40 | --- | ||
41 | libtiff/tif_dir.c | 3 +++ | ||
42 | tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++---------------- | ||
43 | 2 files changed, 49 insertions(+), 23 deletions(-) | ||
44 | |||
45 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
46 | index f00f808..c36a5f3 100644 | ||
47 | --- a/libtiff/tif_dir.c | ||
48 | +++ b/libtiff/tif_dir.c | ||
49 | @@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) | ||
50 | if (td->td_samplesperpixel - td->td_extrasamples > 1) { | ||
51 | *va_arg(ap, uint16**) = td->td_transferfunction[1]; | ||
52 | *va_arg(ap, uint16**) = td->td_transferfunction[2]; | ||
53 | + } else { | ||
54 | + *va_arg(ap, uint16**) = NULL; | ||
55 | + *va_arg(ap, uint16**) = NULL; | ||
56 | } | ||
57 | break; | ||
58 | case TIFFTAG_REFERENCEBLACKWHITE: | ||
59 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
60 | index bdb9126..bd23c9e 100644 | ||
61 | --- a/tools/tiff2pdf.c | ||
62 | +++ b/tools/tiff2pdf.c | ||
63 | @@ -239,7 +239,7 @@ typedef struct { | ||
64 | float tiff_whitechromaticities[2]; | ||
65 | float tiff_primarychromaticities[6]; | ||
66 | float tiff_referenceblackwhite[2]; | ||
67 | - float* tiff_transferfunction[3]; | ||
68 | + uint16* tiff_transferfunction[3]; | ||
69 | int pdf_image_interpolate; /* 0 (default) : do not interpolate, | ||
70 | 1 : interpolate */ | ||
71 | uint16 tiff_transferfunctioncount; | ||
72 | @@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
73 | uint16 pagen=0; | ||
74 | uint16 paged=0; | ||
75 | uint16 xuint16=0; | ||
76 | + uint16 tiff_transferfunctioncount=0; | ||
77 | + uint16* tiff_transferfunction[3]; | ||
78 | |||
79 | directorycount=TIFFNumberOfDirectories(input); | ||
80 | if(directorycount > TIFF_DIR_MAX) { | ||
81 | @@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
82 | } | ||
83 | #endif | ||
84 | if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, | ||
85 | - &(t2p->tiff_transferfunction[0]), | ||
86 | - &(t2p->tiff_transferfunction[1]), | ||
87 | - &(t2p->tiff_transferfunction[2]))) { | ||
88 | - if((t2p->tiff_transferfunction[1] != (float*) NULL) && | ||
89 | - (t2p->tiff_transferfunction[2] != (float*) NULL) && | ||
90 | - (t2p->tiff_transferfunction[1] != | ||
91 | - t2p->tiff_transferfunction[0])) { | ||
92 | - t2p->tiff_transferfunctioncount = 3; | ||
93 | - t2p->tiff_pages[i].page_extra += 4; | ||
94 | - t2p->pdf_xrefcount += 4; | ||
95 | - } else { | ||
96 | - t2p->tiff_transferfunctioncount = 1; | ||
97 | - t2p->tiff_pages[i].page_extra += 2; | ||
98 | - t2p->pdf_xrefcount += 2; | ||
99 | - } | ||
100 | - if(t2p->pdf_minorversion < 2) | ||
101 | - t2p->pdf_minorversion = 2; | ||
102 | + &(tiff_transferfunction[0]), | ||
103 | + &(tiff_transferfunction[1]), | ||
104 | + &(tiff_transferfunction[2]))) { | ||
105 | + | ||
106 | + if((tiff_transferfunction[1] != (uint16*) NULL) && | ||
107 | + (tiff_transferfunction[2] != (uint16*) NULL) | ||
108 | + ) { | ||
109 | + tiff_transferfunctioncount=3; | ||
110 | + } else { | ||
111 | + tiff_transferfunctioncount=1; | ||
112 | + } | ||
113 | } else { | ||
114 | - t2p->tiff_transferfunctioncount=0; | ||
115 | + tiff_transferfunctioncount=0; | ||
116 | } | ||
117 | + | ||
118 | + if (i > 0){ | ||
119 | + if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ | ||
120 | + TIFFError( | ||
121 | + TIFF2PDF_MODULE, | ||
122 | + "Different transfer function on page %d", | ||
123 | + i); | ||
124 | + t2p->t2p_error = T2P_ERR_ERROR; | ||
125 | + return; | ||
126 | + } | ||
127 | + } | ||
128 | + | ||
129 | + t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; | ||
130 | + t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; | ||
131 | + t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; | ||
132 | + t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; | ||
133 | + if(tiff_transferfunctioncount == 3){ | ||
134 | + t2p->tiff_pages[i].page_extra += 4; | ||
135 | + t2p->pdf_xrefcount += 4; | ||
136 | + if(t2p->pdf_minorversion < 2) | ||
137 | + t2p->pdf_minorversion = 2; | ||
138 | + } else if (tiff_transferfunctioncount == 1){ | ||
139 | + t2p->tiff_pages[i].page_extra += 2; | ||
140 | + t2p->pdf_xrefcount += 2; | ||
141 | + if(t2p->pdf_minorversion < 2) | ||
142 | + t2p->pdf_minorversion = 2; | ||
143 | + } | ||
144 | + | ||
145 | if( TIFFGetField( | ||
146 | input, | ||
147 | TIFFTAG_ICCPROFILE, | ||
148 | @@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ | ||
149 | &(t2p->tiff_transferfunction[0]), | ||
150 | &(t2p->tiff_transferfunction[1]), | ||
151 | &(t2p->tiff_transferfunction[2]))) { | ||
152 | - if((t2p->tiff_transferfunction[1] != (float*) NULL) && | ||
153 | - (t2p->tiff_transferfunction[2] != (float*) NULL) && | ||
154 | - (t2p->tiff_transferfunction[1] != | ||
155 | - t2p->tiff_transferfunction[0])) { | ||
156 | + if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && | ||
157 | + (t2p->tiff_transferfunction[2] != (uint16*) NULL) | ||
158 | + ) { | ||
159 | t2p->tiff_transferfunctioncount=3; | ||
160 | } else { | ||
161 | t2p->tiff_transferfunctioncount=1; | ||
162 | -- | ||
163 | 2.17.0 | ||
164 | |||
diff --git a/main/tiff/CVE-2018-10779.patch b/main/tiff/CVE-2018-10779.patch deleted file mode 100644 index 828d684708..0000000000 --- a/main/tiff/CVE-2018-10779.patch +++ /dev/null | |||
@@ -1,32 +0,0 @@ | |||
1 | From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Wed, 15 Aug 2018 16:34:40 +0200 | ||
4 | Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit | ||
5 | systems with large number of strips. Probably relates to | ||
6 | http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779 | ||
7 | |||
8 | --- | ||
9 | libtiff/tif_write.c | 6 ++++-- | ||
10 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
11 | |||
12 | diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c | ||
13 | index 586f6fdf..a31ecd12 100644 | ||
14 | --- a/libtiff/tif_write.c | ||
15 | +++ b/libtiff/tif_write.c | ||
16 | @@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif) | ||
17 | if (td->td_planarconfig == PLANARCONFIG_SEPARATE) | ||
18 | td->td_stripsperimage /= td->td_samplesperpixel; | ||
19 | td->td_stripoffset = (uint64 *) | ||
20 | - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); | ||
21 | + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), | ||
22 | + "for \"StripOffsets\" array"); | ||
23 | td->td_stripbytecount = (uint64 *) | ||
24 | - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); | ||
25 | + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), | ||
26 | + "for \"StripByteCounts\" array"); | ||
27 | if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) | ||
28 | return (0); | ||
29 | /* | ||
30 | -- | ||
31 | 2.18.1 | ||
32 | |||
diff --git a/main/tiff/CVE-2018-10963.patch b/main/tiff/CVE-2018-10963.patch deleted file mode 100644 index 039b7c1a16..0000000000 --- a/main/tiff/CVE-2018-10963.patch +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 12 May 2018 14:24:15 +0200 | ||
4 | Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes | ||
5 | http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 | ||
6 | |||
7 | --- | ||
8 | libtiff/tif_dirwrite.c | 7 +++++-- | ||
9 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
10 | |||
11 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
12 | index c68d6d2..5d0a669 100644 | ||
13 | --- a/libtiff/tif_dirwrite.c | ||
14 | +++ b/libtiff/tif_dirwrite.c | ||
15 | @@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) | ||
16 | } | ||
17 | break; | ||
18 | default: | ||
19 | - assert(0); /* we should never get here */ | ||
20 | - break; | ||
21 | + TIFFErrorExt(tif->tif_clientdata,module, | ||
22 | + "Cannot write tag %d (%s)", | ||
23 | + TIFFFieldTag(o), | ||
24 | + o->field_name ? o->field_name : "unknown"); | ||
25 | + goto bad; | ||
26 | } | ||
27 | } | ||
28 | } | ||
29 | -- | ||
30 | 2.17.0 | ||
31 | |||
diff --git a/main/tiff/CVE-2018-12900.patch b/main/tiff/CVE-2018-12900.patch new file mode 100644 index 0000000000..f95cd06a52 --- /dev/null +++ b/main/tiff/CVE-2018-12900.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | From 86861b86f26be5301ccfa96f9bf765051f4e644a Mon Sep 17 00:00:00 2001 | ||
2 | From: pgajdos <pgajdos@suse.cz> | ||
3 | Date: Tue, 13 Nov 2018 09:03:31 +0100 | ||
4 | Subject: [PATCH] prevent integer overflow | ||
5 | |||
6 | --- | ||
7 | tools/tiffcp.c | 6 ++++++ | ||
8 | 1 file changed, 6 insertions(+) | ||
9 | |||
10 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
11 | index 2f406e2d..ece7ba13 100644 | ||
12 | --- a/tools/tiffcp.c | ||
13 | +++ b/tools/tiffcp.c | ||
14 | @@ -1435,6 +1435,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
15 | status = 0; | ||
16 | goto done; | ||
17 | } | ||
18 | + if (0xFFFFFFFF / tilew < spp) | ||
19 | + { | ||
20 | + TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps); | ||
21 | + status = 0; | ||
22 | + goto done; | ||
23 | + } | ||
24 | bytes_per_sample = bps/8; | ||
25 | |||
26 | for (row = 0; row < imagelength; row += tl) { | ||
27 | -- | ||
28 | 2.18.1 | ||
29 | |||
diff --git a/main/tiff/CVE-2018-17100-1.patch b/main/tiff/CVE-2018-17100-1.patch deleted file mode 100644 index f5a9e1a915..0000000000 --- a/main/tiff/CVE-2018-17100-1.patch +++ /dev/null | |||
@@ -1,112 +0,0 @@ | |||
1 | From f1b94e8a3ba49febdd3361c0214a1d1149251577 Mon Sep 17 00:00:00 2001 | ||
2 | From: Young_X <YangX92@hotmail.com> | ||
3 | Date: Sat, 8 Sep 2018 14:36:12 +0800 | ||
4 | Subject: [PATCH 1/3] only read/write TIFFTAG_GROUP3OPTIONS or | ||
5 | TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or | ||
6 | COMPRESSION_CCITTFAX4 | ||
7 | |||
8 | --- | ||
9 | tools/pal2rgb.c | 18 +++++++++++++++++- | ||
10 | tools/tiff2bw.c | 18 +++++++++++++++++- | ||
11 | 2 files changed, 34 insertions(+), 2 deletions(-) | ||
12 | |||
13 | diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c | ||
14 | index 01fcf941..01d8502e 100644 | ||
15 | --- a/tools/pal2rgb.c | ||
16 | +++ b/tools/pal2rgb.c | ||
17 | @@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out) | ||
18 | { | ||
19 | struct cpTag *p; | ||
20 | for (p = tags; p < &tags[NTAGS]; p++) | ||
21 | - cpTag(in, out, p->tag, p->count, p->type); | ||
22 | + { | ||
23 | + if( p->tag == TIFFTAG_GROUP3OPTIONS ) | ||
24 | + { | ||
25 | + uint16 compression; | ||
26 | + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || | ||
27 | + compression != COMPRESSION_CCITTFAX3 ) | ||
28 | + continue; | ||
29 | + } | ||
30 | + if( p->tag == TIFFTAG_GROUP4OPTIONS ) | ||
31 | + { | ||
32 | + uint16 compression; | ||
33 | + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || | ||
34 | + compression != COMPRESSION_CCITTFAX4 ) | ||
35 | + continue; | ||
36 | + } | ||
37 | + cpTag(in, out, p->tag, p->count, p->type); | ||
38 | + } | ||
39 | } | ||
40 | #undef NTAGS | ||
41 | |||
42 | diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c | ||
43 | index 05faba87..5bef3142 100644 | ||
44 | --- a/tools/tiff2bw.c | ||
45 | +++ b/tools/tiff2bw.c | ||
46 | @@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out) | ||
47 | { | ||
48 | struct cpTag *p; | ||
49 | for (p = tags; p < &tags[NTAGS]; p++) | ||
50 | - cpTag(in, out, p->tag, p->count, p->type); | ||
51 | + { | ||
52 | + if( p->tag == TIFFTAG_GROUP3OPTIONS ) | ||
53 | + { | ||
54 | + uint16 compression; | ||
55 | + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || | ||
56 | + compression != COMPRESSION_CCITTFAX3 ) | ||
57 | + continue; | ||
58 | + } | ||
59 | + if( p->tag == TIFFTAG_GROUP4OPTIONS ) | ||
60 | + { | ||
61 | + uint16 compression; | ||
62 | + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || | ||
63 | + compression != COMPRESSION_CCITTFAX4 ) | ||
64 | + continue; | ||
65 | + } | ||
66 | + cpTag(in, out, p->tag, p->count, p->type); | ||
67 | + } | ||
68 | } | ||
69 | #undef NTAGS | ||
70 | |||
71 | -- | ||
72 | 2.18.1 | ||
73 | |||
74 | |||
75 | From 6da1fb3f64d43be37e640efbec60400d1f1ac39e Mon Sep 17 00:00:00 2001 | ||
76 | From: Young_X <YangX92@hotmail.com> | ||
77 | Date: Sat, 8 Sep 2018 14:46:27 +0800 | ||
78 | Subject: [PATCH 2/3] avoid potential int32 overflows in multiply_ms() | ||
79 | |||
80 | --- | ||
81 | tools/ppm2tiff.c | 13 +++++++------ | ||
82 | 1 file changed, 7 insertions(+), 6 deletions(-) | ||
83 | |||
84 | diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c | ||
85 | index af6e4124..c2d59257 100644 | ||
86 | --- a/tools/ppm2tiff.c | ||
87 | +++ b/tools/ppm2tiff.c | ||
88 | @@ -70,15 +70,16 @@ BadPPM(char* file) | ||
89 | exit(-2); | ||
90 | } | ||
91 | |||
92 | + | ||
93 | +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) | ||
94 | +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) | ||
95 | + | ||
96 | static tmsize_t | ||
97 | multiply_ms(tmsize_t m1, tmsize_t m2) | ||
98 | { | ||
99 | - tmsize_t bytes = m1 * m2; | ||
100 | - | ||
101 | - if (m1 && bytes / m1 != m2) | ||
102 | - bytes = 0; | ||
103 | - | ||
104 | - return bytes; | ||
105 | + if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) | ||
106 | + return 0; | ||
107 | + return m1 * m2; | ||
108 | } | ||
109 | |||
110 | int | ||
111 | -- | ||
112 | 2.18.1 | ||
diff --git a/main/tiff/CVE-2018-5784.patch b/main/tiff/CVE-2018-5784.patch deleted file mode 100644 index 92fc2daf35..0000000000 --- a/main/tiff/CVE-2018-5784.patch +++ /dev/null | |||
@@ -1,128 +0,0 @@ | |||
1 | From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001 | ||
2 | From: Nathan Baker <nathanb@lenovo-chrome.com> | ||
3 | Date: Tue, 6 Feb 2018 10:13:57 -0500 | ||
4 | Subject: [PATCH] Fix for bug 2772 | ||
5 | |||
6 | It is possible to craft a TIFF document where the IFD list is circular, | ||
7 | leading to an infinite loop while traversing the chain. The libtiff | ||
8 | directory reader has a failsafe that will break out of this loop after | ||
9 | reading 65535 directory entries, but it will continue processing, | ||
10 | consuming time and resources to process what is essentially a bogus TIFF | ||
11 | document. | ||
12 | |||
13 | This change fixes the above behavior by breaking out of processing when | ||
14 | a TIFF document has >= 65535 directories and terminating with an error. | ||
15 | --- | ||
16 | contrib/addtiffo/tif_overview.c | 14 +++++++++++++- | ||
17 | tools/tiff2pdf.c | 10 ++++++++++ | ||
18 | tools/tiffcrop.c | 13 +++++++++++-- | ||
19 | 3 files changed, 34 insertions(+), 3 deletions(-) | ||
20 | |||
21 | diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c | ||
22 | index c61ffbb..03b3573 100644 | ||
23 | --- a/contrib/addtiffo/tif_overview.c | ||
24 | +++ b/contrib/addtiffo/tif_overview.c | ||
25 | @@ -65,6 +65,8 @@ | ||
26 | # define MAX(a,b) ((a>b) ? a : b) | ||
27 | #endif | ||
28 | |||
29 | +#define TIFF_DIR_MAX 65534 | ||
30 | + | ||
31 | void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, | ||
32 | int (*)(double,void*), void * ); | ||
33 | |||
34 | @@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, | ||
35 | { | ||
36 | toff_t nBaseDirOffset; | ||
37 | toff_t nOffset; | ||
38 | + tdir_t iNumDir; | ||
39 | |||
40 | (void) bUseSubIFDs; | ||
41 | |||
42 | @@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, | ||
43 | return 0; | ||
44 | |||
45 | TIFFWriteDirectory( hTIFF ); | ||
46 | - TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); | ||
47 | + iNumDir = TIFFNumberOfDirectories(hTIFF); | ||
48 | + if( iNumDir > TIFF_DIR_MAX ) | ||
49 | + { | ||
50 | + TIFFErrorExt( TIFFClientdata(hTIFF), | ||
51 | + "TIFF_WriteOverview", | ||
52 | + "File `%s' has too many directories.\n", | ||
53 | + TIFFFileName(hTIFF) ); | ||
54 | + exit(-1); | ||
55 | + } | ||
56 | + TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); | ||
57 | |||
58 | nOffset = TIFFCurrentDirOffset( hTIFF ); | ||
59 | |||
60 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
61 | index 984ef65..832a247 100644 | ||
62 | --- a/tools/tiff2pdf.c | ||
63 | +++ b/tools/tiff2pdf.c | ||
64 | @@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); | ||
65 | |||
66 | #define PS_UNIT_SIZE 72.0F | ||
67 | |||
68 | +#define TIFF_DIR_MAX 65534 | ||
69 | + | ||
70 | /* This type is of PDF color spaces. */ | ||
71 | typedef enum { | ||
72 | T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ | ||
73 | @@ -1049,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
74 | uint16* tiff_transferfunction[3]; | ||
75 | |||
76 | directorycount=TIFFNumberOfDirectories(input); | ||
77 | + if(directorycount > TIFF_DIR_MAX) { | ||
78 | + TIFFError( | ||
79 | + TIFF2PDF_MODULE, | ||
80 | + "TIFF contains too many directories, %s", | ||
81 | + TIFFFileName(input)); | ||
82 | + t2p->t2p_error = T2P_ERR_ERROR; | ||
83 | + return; | ||
84 | + } | ||
85 | t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); | ||
86 | if(t2p->tiff_pages==NULL){ | ||
87 | TIFFError( | ||
88 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
89 | index 91a38f6..e466dae 100644 | ||
90 | --- a/tools/tiffcrop.c | ||
91 | +++ b/tools/tiffcrop.c | ||
92 | @@ -217,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); | ||
93 | #define DUMP_TEXT 1 | ||
94 | #define DUMP_RAW 2 | ||
95 | |||
96 | +#define TIFF_DIR_MAX 65534 | ||
97 | + | ||
98 | /* Offsets into buffer for margins and fixed width and length segments */ | ||
99 | struct offset { | ||
100 | uint32 tmargin; | ||
101 | @@ -2233,7 +2234,7 @@ main(int argc, char* argv[]) | ||
102 | pageNum = -1; | ||
103 | else | ||
104 | total_images = 0; | ||
105 | - /* read multiple input files and write to output file(s) */ | ||
106 | + /* Read multiple input files and write to output file(s) */ | ||
107 | while (optind < argc - 1) | ||
108 | { | ||
109 | in = TIFFOpen (argv[optind], "r"); | ||
110 | @@ -2241,7 +2242,14 @@ main(int argc, char* argv[]) | ||
111 | return (-3); | ||
112 | |||
113 | /* If only one input file is specified, we can use directory count */ | ||
114 | - total_images = TIFFNumberOfDirectories(in); | ||
115 | + total_images = TIFFNumberOfDirectories(in); | ||
116 | + if (total_images > TIFF_DIR_MAX) | ||
117 | + { | ||
118 | + TIFFError (TIFFFileName(in), "File contains too many directories"); | ||
119 | + if (out != NULL) | ||
120 | + (void) TIFFClose(out); | ||
121 | + return (1); | ||
122 | + } | ||
123 | if (image_count == 0) | ||
124 | { | ||
125 | dirnum = 0; | ||
126 | -- | ||
127 | libgit2 0.26.0 | ||
128 | |||
diff --git a/main/tiff/CVE-2018-7456.patch b/main/tiff/CVE-2018-7456.patch deleted file mode 100644 index b2d081a5d7..0000000000 --- a/main/tiff/CVE-2018-7456.patch +++ /dev/null | |||
@@ -1,170 +0,0 @@ | |||
1 | From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001 | ||
2 | From: Hugo Lefeuvre <hle@debian.org> | ||
3 | Date: Sun, 8 Apr 2018 14:07:08 -0400 | ||
4 | Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory | ||
5 | |||
6 | The TIFFPrintDirectory function relies on the following assumptions, | ||
7 | supposed to be guaranteed by the specification: | ||
8 | |||
9 | (a) A Transfer Function field is only present if the TIFF file has | ||
10 | photometric type < 3. | ||
11 | |||
12 | (b) If SamplesPerPixel > Color Channels, then the ExtraSamples field | ||
13 | has count SamplesPerPixel - (Color Channels) and contains | ||
14 | information about supplementary channels. | ||
15 | |||
16 | While respect of (a) and (b) are essential for the well functioning of | ||
17 | TIFFPrintDirectory, no checks are realized neither by the callee nor | ||
18 | by TIFFPrintDirectory itself. Hence, following scenarios might happen | ||
19 | and trigger the NULL pointer dereference: | ||
20 | |||
21 | (1) TIFF File of photometric type 4 or more has illegal Transfer | ||
22 | Function field. | ||
23 | |||
24 | (2) TIFF File has photometric type 3 or less and defines a | ||
25 | SamplesPerPixel field such that SamplesPerPixel > Color Channels | ||
26 | without defining all extra samples in the ExtraSamples fields. | ||
27 | |||
28 | In this patch, we address both issues with respect of the following | ||
29 | principles: | ||
30 | |||
31 | (A) In the case of (1), the defined transfer table should be printed | ||
32 | safely even if it isn't 'legal'. This allows us to avoid expensive | ||
33 | checks in TIFFPrintDirectory. Also, it is quite possible that | ||
34 | an alternative photometric type would be developed (not part of the | ||
35 | standard) and would allow definition of Transfer Table. We want | ||
36 | libtiff to be able to handle this scenario out of the box. | ||
37 | |||
38 | (B) In the case of (2), the transfer table should be printed at its | ||
39 | right size, that is if TIFF file has photometric type Palette | ||
40 | then the transfer table should have one row and not three, even | ||
41 | if two extra samples are declared. | ||
42 | |||
43 | In order to fulfill (A) we simply add a new 'i < 3' end condition to | ||
44 | the broken TIFFPrintDirectory loop. This makes sure that in any case | ||
45 | where (b) would be respected but not (a), everything stays fine. | ||
46 | |||
47 | (B) is fulfilled by the loop condition | ||
48 | 'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as | ||
49 | long as (b) is respected. | ||
50 | |||
51 | Naturally, we also make sure (b) is respected. This is done in the | ||
52 | TIFFReadDirectory function by making sure any non-color channel is | ||
53 | counted in ExtraSamples. | ||
54 | |||
55 | This commit addresses CVE-2018-7456. | ||
56 | --- | ||
57 | libtiff/tif_dirread.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
58 | libtiff/tif_print.c | 2 +- | ||
59 | 2 files changed, 63 insertions(+), 1 deletion(-) | ||
60 | |||
61 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
62 | index 6baa7b3..af5b84a 100644 | ||
63 | --- a/libtiff/tif_dirread.c | ||
64 | +++ b/libtiff/tif_dirread.c | ||
65 | @@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin | ||
66 | static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); | ||
67 | static void ChopUpSingleUncompressedStrip(TIFF*); | ||
68 | static uint64 TIFFReadUInt64(const uint8 *value); | ||
69 | +static int _TIFFGetMaxColorChannels(uint16 photometric); | ||
70 | |||
71 | static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); | ||
72 | |||
73 | @@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c | ||
74 | } | ||
75 | |||
76 | /* | ||
77 | + * Return the maximum number of color channels specified for a given photometric | ||
78 | + * type. 0 is returned if photometric type isn't supported or no default value | ||
79 | + * is defined by the specification. | ||
80 | + */ | ||
81 | +static int _TIFFGetMaxColorChannels( uint16 photometric ) | ||
82 | +{ | ||
83 | + switch (photometric) { | ||
84 | + case PHOTOMETRIC_PALETTE: | ||
85 | + case PHOTOMETRIC_MINISWHITE: | ||
86 | + case PHOTOMETRIC_MINISBLACK: | ||
87 | + return 1; | ||
88 | + case PHOTOMETRIC_YCBCR: | ||
89 | + case PHOTOMETRIC_RGB: | ||
90 | + case PHOTOMETRIC_CIELAB: | ||
91 | + return 3; | ||
92 | + case PHOTOMETRIC_SEPARATED: | ||
93 | + case PHOTOMETRIC_MASK: | ||
94 | + return 4; | ||
95 | + case PHOTOMETRIC_LOGL: | ||
96 | + case PHOTOMETRIC_LOGLUV: | ||
97 | + case PHOTOMETRIC_CFA: | ||
98 | + case PHOTOMETRIC_ITULAB: | ||
99 | + case PHOTOMETRIC_ICCLAB: | ||
100 | + default: | ||
101 | + return 0; | ||
102 | + } | ||
103 | +} | ||
104 | + | ||
105 | +/* | ||
106 | * Read the next TIFF directory from a file and convert it to the internal | ||
107 | * format. We read directories sequentially. | ||
108 | */ | ||
109 | @@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif) | ||
110 | uint32 fii=FAILED_FII; | ||
111 | toff_t nextdiroff; | ||
112 | int bitspersample_read = FALSE; | ||
113 | + int color_channels; | ||
114 | |||
115 | tif->tif_diroff=tif->tif_nextdiroff; | ||
116 | if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) | ||
117 | @@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif) | ||
118 | } | ||
119 | } | ||
120 | } | ||
121 | + | ||
122 | + /* | ||
123 | + * Make sure all non-color channels are extrasamples. | ||
124 | + * If it's not the case, define them as such. | ||
125 | + */ | ||
126 | + color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); | ||
127 | + if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { | ||
128 | + uint16 old_extrasamples; | ||
129 | + uint16 *new_sampleinfo; | ||
130 | + | ||
131 | + TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " | ||
132 | + "color channels and ExtraSamples doesn't match SamplesPerPixel. " | ||
133 | + "Defining non-color channels as ExtraSamples."); | ||
134 | + | ||
135 | + old_extrasamples = tif->tif_dir.td_extrasamples; | ||
136 | + tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); | ||
137 | + | ||
138 | + // sampleinfo should contain information relative to these new extra samples | ||
139 | + new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); | ||
140 | + if (!new_sampleinfo) { | ||
141 | + TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " | ||
142 | + "temporary new sampleinfo array (%d 16 bit elements)", | ||
143 | + tif->tif_dir.td_extrasamples); | ||
144 | + goto bad; | ||
145 | + } | ||
146 | + | ||
147 | + memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); | ||
148 | + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); | ||
149 | + _TIFFfree(new_sampleinfo); | ||
150 | + } | ||
151 | + | ||
152 | /* | ||
153 | * Verify Palette image has a Colormap. | ||
154 | */ | ||
155 | diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c | ||
156 | index 8deceb2..1d86adb 100644 | ||
157 | --- a/libtiff/tif_print.c | ||
158 | +++ b/libtiff/tif_print.c | ||
159 | @@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) | ||
160 | uint16 i; | ||
161 | fprintf(fd, " %2ld: %5u", | ||
162 | l, td->td_transferfunction[0][l]); | ||
163 | - for (i = 1; i < td->td_samplesperpixel; i++) | ||
164 | + for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) | ||
165 | fprintf(fd, " %5u", | ||
166 | td->td_transferfunction[i][l]); | ||
167 | fputc('\n', fd); | ||
168 | -- | ||
169 | libgit2 0.27.0 | ||
170 | |||
diff --git a/main/tiff/CVE-2018-8905.patch b/main/tiff/CVE-2018-8905.patch deleted file mode 100644 index f951092c1f..0000000000 --- a/main/tiff/CVE-2018-8905.patch +++ /dev/null | |||
@@ -1,51 +0,0 @@ | |||
1 | From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 12 May 2018 15:32:31 +0200 | ||
4 | Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 | ||
5 | |||
6 | The fix consists in using the similar code LZWDecode() to validate we | ||
7 | don't write outside of the output buffer. | ||
8 | --- | ||
9 | libtiff/tif_lzw.c | 18 ++++++++++++------ | ||
10 | 1 file changed, 12 insertions(+), 6 deletions(-) | ||
11 | |||
12 | diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c | ||
13 | index 4ccb443..94d85e3 100644 | ||
14 | --- a/libtiff/tif_lzw.c | ||
15 | +++ b/libtiff/tif_lzw.c | ||
16 | @@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) | ||
17 | char *tp; | ||
18 | unsigned char *bp; | ||
19 | int code, nbits; | ||
20 | + int len; | ||
21 | long nextbits, nextdata, nbitsmask; | ||
22 | code_t *codep, *free_entp, *maxcodep, *oldcodep; | ||
23 | |||
24 | @@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) | ||
25 | } while (--occ); | ||
26 | break; | ||
27 | } | ||
28 | - assert(occ >= codep->length); | ||
29 | - op += codep->length; | ||
30 | - occ -= codep->length; | ||
31 | - tp = op; | ||
32 | + len = codep->length; | ||
33 | + tp = op + len; | ||
34 | do { | ||
35 | - *--tp = codep->value; | ||
36 | - } while( (codep = codep->next) != NULL ); | ||
37 | + int t; | ||
38 | + --tp; | ||
39 | + t = codep->value; | ||
40 | + codep = codep->next; | ||
41 | + *tp = (char)t; | ||
42 | + } while (codep && tp > op); | ||
43 | + assert(occ >= len); | ||
44 | + op += len; | ||
45 | + occ -= len; | ||
46 | } else { | ||
47 | *op++ = (char)code; | ||
48 | occ--; | ||
49 | -- | ||
50 | libgit2 0.27.0 | ||
51 | |||