From 4e93c8bf468bb1d368d60e34de85a807d292c5de Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Tue, 30 Jan 2018 15:13:05 +0100 Subject: [PATCH] tiff: version bump to address open CVEs - Version bump to 4.0.9, as otherwise ca. a dozen patches would need to be added to fix the open CVEs. There have been no API/ABI changes between 4.0.6 and 4.0.9, so this is OK. - Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935 on top. Signed-off-by: Sebastian Kemper --- libs/tiff/Makefile | 8 +- .../002-CVE-2015-8665_and_CVE-2015-8683.patch | 136 ------------ ...-of-bound_writes_in_decode_functions.patch | 193 ------------------ ...ial_out-of-bound_write_in_NeXTDecode.patch | 72 ------- libs/tiff/patches/005-fix-ftell-macro.patch | 2 +- libs/tiff/patches/019-CVE-2017-18013.patch | 34 +++ libs/tiff/patches/020-CVE-2017-9935.patch | 117 +++++++++++ 7 files changed, 156 insertions(+), 406 deletions(-) delete mode 100644 libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch delete mode 100644 libs/tiff/patches/003-fix_potential_out-of-bound_writes_in_decode_functions.patch delete mode 100644 libs/tiff/patches/004-fix_potential_out-of-bound_write_in_NeXTDecode.patch create mode 100644 libs/tiff/patches/019-CVE-2017-18013.patch create mode 100644 libs/tiff/patches/020-CVE-2017-9935.patch diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile index 7c8d18e6b..6095cc762 100644 --- a/libs/tiff/Makefile +++ b/libs/tiff/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2016 OpenWrt.org +# Copyright (C) 2006-2018 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tiff -PKG_VERSION:=4.0.6 -PKG_RELEASE:=2 +PKG_VERSION:=4.0.9 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://download.osgeo.org/libtiff -PKG_MD5SUM:=d1d2e940dea0b5ad435f21f03d96dd72 +PKG_MD5SUM:=54bad211279cc93eb4fca31ba9bfdc79 PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=autogen.sh aclocal.m4 diff --git a/libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch b/libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch deleted file mode 100644 index 15807e148..000000000 --- a/libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch +++ /dev/null @@ -1,136 +0,0 @@ -From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sat, 26 Dec 2015 17:32:03 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in - TIFFRGBAImage interface in case of unsupported values of - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by - limingxing and CVE-2015-8683 reported by zzf of Alibaba. - ---- - ChangeLog | 8 ++++++++ - libtiff/tif_getimage.c | 37 +++++++++++++++++++++++-------------- - 2 files changed, 31 insertions(+), 14 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index a7d283a..4beb30b 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,11 @@ -+2015-12-26 Even Rouault -+ -+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples -+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in -+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and -+ CVE-2015-8683 reported by zzf of Alibaba. -+ - 2015-09-12 Bob Friesenhahn - - * libtiff 4.0.6 released. -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index fd0a4f9..fae1e31 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -1,4 +1,4 @@ --/* $Id: tif_getimage.c,v 1.90 2015-06-17 01:34:08 bfriesen Exp $ */ -+/* $Id: tif_getimage.c,v 1.94 2015-12-26 17:32:03 erouault Exp $ */ - - /* - * Copyright (c) 1991-1997 Sam Leffler -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d", -- "Samples/pixel", td->td_samplesperpixel); -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d and %s=%d", -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } -@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+ -+ if( !TIFFRGBAImageOK(tif, emsg) ) -+ return 0; - - /* Initialize to normal values */ - img->row_offset = 0; -@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >= 4) - img->put.contig = putRGBAAcontig8bittile; -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >= 4) - { - if (BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >= 3 ) - img->put.contig = putRGBcontig8bittile; - break; - case 16: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBAAcontig16bittile; - } -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBcontig16bittile; -@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=4 && buildMap(img)) { - if (img->bitspersample == 8) { - if (!img->Map) - img->put.contig = putRGBcontig8bitCMYKtile; -@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel == 3 && buildMap(img)) { - if (img->bitspersample == 8) - img->put.contig = initCIELabConversion(img); - break; diff --git a/libs/tiff/patches/003-fix_potential_out-of-bound_writes_in_decode_functions.patch b/libs/tiff/patches/003-fix_potential_out-of-bound_writes_in_decode_functions.patch deleted file mode 100644 index 716ddfd0c..000000000 --- a/libs/tiff/patches/003-fix_potential_out-of-bound_writes_in_decode_functions.patch +++ /dev/null @@ -1,193 +0,0 @@ -From 3899f0ab62dd307f63f87ec99aaf289e104f4070 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sun, 27 Dec 2015 16:25:11 +0000 -Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in - decode functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). Fix potential out-of-bound reads in case of short - input data. - ---- - ChangeLog | 7 +++++++ - libtiff/tif_luv.c | 57 +++++++++++++++++++++++++++++++++++++++++++------------ - 2 files changed, 52 insertions(+), 12 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 4beb30b..b8aa23c 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2015-12-27 Even Rouault -+ -+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode -+ functions in non debug builds by replacing assert()s by regular if -+ checks (bugzilla #2522). -+ Fix potential out-of-bound reads in case of short input data. -+ - 2015-12-26 Even Rouault - - * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c -index 4e328ba..60a174d 100644 ---- a/libtiff/tif_luv.c -+++ b/libtiff/tif_luv.c -@@ -1,4 +1,4 @@ --/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */ -+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */ - - /* - * Copyright (c) 1997 Greg Ward Larson -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/libs/tiff/patches/004-fix_potential_out-of-bound_write_in_NeXTDecode.patch b/libs/tiff/patches/004-fix_potential_out-of-bound_write_in_NeXTDecode.patch deleted file mode 100644 index f2b6b311d..000000000 --- a/libs/tiff/patches/004-fix_potential_out-of-bound_write_in_NeXTDecode.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 237c9c18b0b3479950e54a755ae428bf0f55f754 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sun, 27 Dec 2015 16:55:20 +0000 -Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in - NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif - (bugzilla #2508) - ---- - ChangeLog | 6 ++++++ - libtiff/tif_next.c | 12 +++++++++--- - 2 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index b8aa23c..04926a3 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,5 +1,11 @@ - 2015-12-27 Even Rouault - -+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() -+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif -+ (bugzilla #2508) -+ -+2015-12-27 Even Rouault -+ - * libtiff/tif_luv.c: fix potential out-of-bound writes in decode - functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). -diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c -index 17e0311..1248caa 100644 ---- a/libtiff/tif_next.c -+++ b/libtiff/tif_next.c -@@ -1,4 +1,4 @@ --/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */ -+/* $Id: tif_next.c,v 1.17 2015-12-27 16:55:20 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -+ tmsize_t op_offset = 0; - - /* - * The scanline is composed of a sequence of constant -@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; diff --git a/libs/tiff/patches/005-fix-ftell-macro.patch b/libs/tiff/patches/005-fix-ftell-macro.patch index 6ab093239..23e1e039a 100644 --- a/libs/tiff/patches/005-fix-ftell-macro.patch +++ b/libs/tiff/patches/005-fix-ftell-macro.patch @@ -1,6 +1,6 @@ --- a/libtiff/tiffiop.h +++ b/libtiff/tiffiop.h -@@ -284,7 +284,7 @@ struct tiff { +@@ -287,7 +287,7 @@ struct tiff { */ #if defined(HAVE_FSEEKO) # define fseek(stream,offset,whence) fseeko(stream,offset,whence) diff --git a/libs/tiff/patches/019-CVE-2017-18013.patch b/libs/tiff/patches/019-CVE-2017-18013.patch new file mode 100644 index 000000000..daaf41353 --- /dev/null +++ b/libs/tiff/patches/019-CVE-2017-18013.patch @@ -0,0 +1,34 @@ +From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 9959d35..8deceb2 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +libgit2 0.26.0 + diff --git a/libs/tiff/patches/020-CVE-2017-9935.patch b/libs/tiff/patches/020-CVE-2017-9935.patch new file mode 100644 index 000000000..d1082c09e --- /dev/null +++ b/libs/tiff/patches/020-CVE-2017-9935.patch @@ -0,0 +1,117 @@ +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 2ccaf44..cbf2b69 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index d1a9b09..484776c 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -237,7 +237,7 @@ typedef struct { + float tiff_whitechromaticities[2]; + float tiff_primarychromaticities[6]; + float tiff_referenceblackwhite[2]; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + int pdf_image_interpolate; /* 0 (default) : do not interpolate, + 1 : interpolate */ + uint16 tiff_transferfunctioncount; +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (uint16*) NULL) && ++ (tiff_transferfunction[2] != (uint16*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && ++ (t2p->tiff_transferfunction[2] != (uint16*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1;