FreeBSD Bugzilla – Attachment 190171 Details for
Bug 225544
graphics/tiff: fix security vulnerabilities (CVE-2017-9935, CVE-2017-18013) and etc
[patch]
patch file
graphics_tiff.patch (text/plain), 7.19 KB, created by
Yasuhiro Kimura
on 2018-01-29 20:36:48 UTC
Description:
patch file
Creator:
Yasuhiro Kimura
Created:
2018-01-29 20:36:48 UTC
Size:
7.19 KB
>Index: Makefile
>===================================================================
>--- Makefile (revision 460313)
>+++ Makefile (working copy)
>@@ -3,6 +3,7 @@
>
> PORTNAME= tiff
> PORTVERSION= 4.0.9
>+PORTREVISION= 1
> CATEGORIES= graphics
> MASTER_SITES= http://download.osgeo.org/libtiff/
>
>@@ -109,12 +110,12 @@
>
> post-install:
> ( cd ${STAGEDIR}${PREFIX}/man/man3 && ${__pmlinks3} )
>-.if ${PORT_OPTIONS:MDOCS}
>+
>+post-install-DOCS-on:
> ${MKDIR} ${STAGEDIR}${DOCSDIR}/images ${STAGEDIR}${DOCSDIR}/man
> ${INSTALL_DATA} ${WRKSRC}/html/*.html ${STAGEDIR}${DOCSDIR}/
> ${INSTALL_DATA} ${WRKSRC}/html/images/*.jpg ${STAGEDIR}${DOCSDIR}/images/
> ${INSTALL_DATA} ${WRKSRC}/html/images/*.gif ${STAGEDIR}${DOCSDIR}/images/
> ${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${STAGEDIR}${DOCSDIR}/man/
>-.endif
>
> .include <bsd.port.mk>
>Index: files/patch-CVE-2017-18013
>===================================================================
>--- files/patch-CVE-2017-18013 (nonexistent)
>+++ files/patch-CVE-2017-18013 (working copy)
>@@ -0,0 +1,20 @@
>+--- libtiff/tif_print.c.orig 2016-11-25 17:26:23 UTC
>++++ libtiff/tif_print.c
>+@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd,
>+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
>+ fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
>+ (unsigned long) s,
>+- (unsigned __int64) td->td_stripoffset[s],
>+- (unsigned __int64) td->td_stripbytecount[s]);
>++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
>++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
>+ #else
>+ fprintf(fd, " %3lu: [%8llu, %8llu]\n",
>+ (unsigned long) s,
>+- (unsigned long long) td->td_stripoffset[s],
>+- (unsigned long long) td->td_stripbytecount[s]);
>++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
>++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
>+ #endif
>+ }
>+ }
>Index: files/patch-CVE-2017-9935-1
>===================================================================
>--- files/patch-CVE-2017-9935-1 (nonexistent)
>+++ files/patch-CVE-2017-9935-1 (working copy)
>@@ -0,0 +1,12 @@
>+--- libtiff/tif_dir.c.orig 2017-07-17 13:31:36 UTC
>++++ libtiff/tif_dir.c
>+@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va
>+ if (td->td_samplesperpixel - td->td_extrasamples > 1) {
>+ *va_arg(ap, uint16**) = td->td_transferfunction[1];
>+ *va_arg(ap, uint16**) = td->td_transferfunction[2];
>++ } else {
>++ *va_arg(ap, uint16**) = NULL;
>++ *va_arg(ap, uint16**) = NULL;
>+ }
>+ break;
>+ case TIFFTAG_REFERENCEBLACKWHITE:
>Index: files/patch-CVE-2017-9935-2
>===================================================================
>--- files/patch-CVE-2017-9935-2 (nonexistent)
>+++ files/patch-CVE-2017-9935-2 (working copy)
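Review bot: In files/patch-CVE-2017-18013, the guarded fprintf calls in TIFFPrintDirectory print 0 when td_stripoffset or td_stripbytecount is NULL, but nothing in the new code says why those arrays can be NULL or that a printed 0 may mean "array absent" rather than a genuine zero value. I would add a comment inside the loop ahead of the `#if`, such as `/* strip arrays may be NULL (presumably when they were never loaded); print 0 instead of dereferencing */`. The literal `0` in each ternary is converted to the cast type, so the `%8llu` and `%8I64u` arguments remain correctly typed. The loop that bounds `s` is outside the hunk, so the index range cannot be checked from here.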
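Review bot: The new `else` branch in files/patch-CVE-2017-9935-1 (TIFFTAG_TRANSFERFUNCTION case of _TIFFVGetField) consumes two further `va_arg` pointers and writes NULL through them even for single-sample images, so every caller must now supply three `uint16**` arguments. The libtiff documentation has described this tag as returning one or three arrays depending on SamplesPerPixel, so a caller that passes only one pointer would have `va_arg` read arguments that were never supplied; whether any dependent port does this is not visible from the patch. I would record the changed contract next to the branch, e.g. `/* callers must always pass three uint16** here; unused ones are set to NULL */`, and check consumers of the port for one-pointer calls. The case body starts outside the hunk.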
>@@ -0,0 +1,101 @@
>+--- tools/tiff2pdf.c.orig 2017-10-29 18:50:41 UTC
>++++ tools/tiff2pdf.c
>+@@ -237,7 +237,7 @@ typedef struct {
>+ float tiff_whitechromaticities[2];
>+ float tiff_primarychromaticities[6];
>+ float tiff_referenceblackwhite[2];
>+- float* tiff_transferfunction[3];
>++ uint16* tiff_transferfunction[3];
>+ int pdf_image_interpolate; /* 0 (default) : do not interpolate,
>+ 1 : interpolate */
>+ uint16 tiff_transferfunctioncount;
>+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
>+ uint16 pagen=0;
>+ uint16 paged=0;
>+ uint16 xuint16=0;
>++ uint16 tiff_transferfunctioncount=0;
>++ uint16* tiff_transferfunction[3];
>+
>+ directorycount=TIFFNumberOfDirectories(input);
>+ t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
>+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
>+ }
>+ #endif
>+ if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
>+- &(t2p->tiff_transferfunction[0]),
>+- &(t2p->tiff_transferfunction[1]),
>+- &(t2p->tiff_transferfunction[2]))) {
>+- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
>+- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
>+- (t2p->tiff_transferfunction[1] !=
>+- t2p->tiff_transferfunction[0])) {
>+- t2p->tiff_transferfunctioncount = 3;
>+- t2p->tiff_pages[i].page_extra += 4;
>+- t2p->pdf_xrefcount += 4;
>+- } else {
>+- t2p->tiff_transferfunctioncount = 1;
>+- t2p->tiff_pages[i].page_extra += 2;
>+- t2p->pdf_xrefcount += 2;
>+- }
>+- if(t2p->pdf_minorversion < 2)
>+- t2p->pdf_minorversion = 2;
>++ &(tiff_transferfunction[0]),
>++ &(tiff_transferfunction[1]),
>++ &(tiff_transferfunction[2]))) {
>++
>++ if((tiff_transferfunction[1] != (uint16*) NULL) &&
>++ (tiff_transferfunction[2] != (uint16*) NULL)
>++ ) {
>++ tiff_transferfunctioncount=3;
>++ } else {
>++ tiff_transferfunctioncount=1;
>++ }
>+ } else {
>+- t2p->tiff_transferfunctioncount=0;
>++ tiff_transferfunctioncount=0;
>+ }
>++
>++ if (i > 0){
>++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
>++ TIFFError(
>++ TIFF2PDF_MODULE,
>++ "Different transfer function on page %d",
>++ i);
>++ t2p->t2p_error = T2P_ERR_ERROR;
>++ return;
>++ }
>++ }
>++
>++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
>++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
>++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
>++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
>++ if(tiff_transferfunctioncount == 3){
>++ t2p->tiff_pages[i].page_extra += 4;
>++ t2p->pdf_xrefcount += 4;
>++ if(t2p->pdf_minorversion < 2)
>++ t2p->pdf_minorversion = 2;
>++ } else if (tiff_transferfunctioncount == 1){
>++ t2p->tiff_pages[i].page_extra += 2;
>++ t2p->pdf_xrefcount += 2;
>++ if(t2p->pdf_minorversion < 2)
>++ t2p->pdf_minorversion = 2;
>++ }
>++
>+ if( TIFFGetField(
>+ input,
>+ TIFFTAG_ICCPROFILE,
>+@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF*
>+ &(t2p->tiff_transferfunction[0]),
>+ &(t2p->tiff_transferfunction[1]),
>+ &(t2p->tiff_transferfunction[2]))) {
>+- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
>+- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
>+- (t2p->tiff_transferfunction[1] !=
>+- t2p->tiff_transferfunction[0])) {
>++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
>++ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
>++ ) {
>+ t2p->tiff_transferfunctioncount=3;
>+ } else {
>+ t2p->tiff_transferfunctioncount=1;
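Review bot: The local `uint16* tiff_transferfunction[3];` added to t2p_read_tiff_init in files/patch-CVE-2017-9935-2 is never initialised, yet its three elements are copied unconditionally into `t2p->tiff_transferfunction[0..2]` after the TIFFGetField call, including on the path where the tag is absent and the count is set to 0. That stores indeterminate pointers, or ones left over from a previous page, in the T2P state. Declaring it as `uint16* tiff_transferfunction[3] = {NULL, NULL, NULL};`, and clearing it again before each lookup if the declaration sits outside the per-page loop (not visible here), would keep stale pointers out of the struct. Separately, the `i > 0` consistency check compares only the count between pages, not the tables themselves, which deserves a comment stating that this is intentional. The function body begins and ends outside these hunks.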