FreeBSD Bugzilla – Attachment 165108 Details for
Bug 205923
graphics/tiff: Add patches for CVE-2015-8665, CVE-2015-8683 and other vulnerabilities
[patch]
Proposed patch
tiff-multiple-vulns.diff (text/plain), 13.52 KB, created by
Raphael Kubo da Costa
on 2016-01-05 14:34:53 UTC
Description:
Proposed patch
Filename:
MIME Type:
Creator:
Raphael Kubo da Costa
Created:
2016-01-05 14:34:53 UTC
Size:
13.52 KB
patch
obsolete
>Index: Makefile
>===================================================================
>--- Makefile (revision 405292)
>+++ Makefile (working copy)
>@@ -3,6 +3,7 @@
>
> PORTNAME= tiff
> PORTVERSION= 4.0.6
>+PORTREVISION= 1
> CATEGORIES= graphics
> MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
> http://download.osgeo.org/libtiff/
>Index: files/patch-CVE-2015-8665_8683
>===================================================================
>--- files/patch-CVE-2015-8665_8683 (nonexistent)
>+++ files/patch-CVE-2015-8665_8683 (working copy)
>@@ -0,0 +1,118 @@
>+revision 1.94
>+date: 2015-12-26 17:32:03 +0000; author: erouault; state: Exp; lines: +23 -14; commitid: ohB9uRxvIWq9YtOy;
>+* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
>+interface in case of unsupported values of SamplesPerPixel/ExtraSamples
>+for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
>+TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
>+CVE-2015-8683 reported by zzf of Alibaba.
>+
>+Index: libtiff/tif_getimage.c
>+===================================================================
>+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
>+retrieving revision 1.93
>+retrieving revision 1.94
>+diff -u -r1.93 -r1.94
>+--- libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93
>++++ libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94
>+@@ -1,4 +1,4 @@
>+-/* $Id: tif_getimage.c,v 1.93 2015-11-22 15:31:03 erouault Exp $ */
>++/* $Id: tif_getimage.c,v 1.94 2015-12-26 17:32:03 erouault Exp $ */
>+
>+ /*
>+ * Copyright (c) 1991-1997 Sam Leffler
>+@@ -182,20 +182,22 @@
>+ "Planarconfiguration", td->td_planarconfig);
>+ return (0);
>+ }
>+- if( td->td_samplesperpixel != 3 )
>++ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
>+ {
>+ sprintf(emsg,
>+- "Sorry, can not handle image with %s=%d",
>+- "Samples/pixel", td->td_samplesperpixel);
>++ "Sorry, can not handle image with %s=%d, %s=%d",
>++ "Samples/pixel", td->td_samplesperpixel,
>++ "colorchannels", colorchannels);
>+ return 0;
>+ }
>+ break;
>+ case PHOTOMETRIC_CIELAB:
>+- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
>++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
>+ {
>+ sprintf(emsg,
>+- "Sorry, can not handle image with %s=%d and %s=%d",
>++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
>+ "Samples/pixel", td->td_samplesperpixel,
>++ "colorchannels", colorchannels,
>+ "Bits/sample", td->td_bitspersample);
>+ return 0;
>+ }
>+@@ -255,6 +257,9 @@
>+ int colorchannels;
>+ uint16 *red_orig, *green_orig, *blue_orig;
>+ int n_color;
>++
>++ if( !TIFFRGBAImageOK(tif, emsg) )
>++ return 0;
>+
>+ /* Initialize to normal values */
>+ img->row_offset = 0;
>+@@ -2509,29 +2514,33 @@
>+ case PHOTOMETRIC_RGB:
>+ switch (img->bitspersample) {
>+ case 8:
>+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
>++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
>++ img->samplesperpixel >= 4)
>+ img->put.contig = putRGBAAcontig8bittile;
>+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
>++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
>++ img->samplesperpixel >= 4)
>+ {
>+ if (BuildMapUaToAa(img))
>+ img->put.contig = putRGBUAcontig8bittile;
>+ }
>+- else
>++ else if( img->samplesperpixel >= 3 )
>+ img->put.contig = putRGBcontig8bittile;
>+ break;
>+ case 16:
>+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
>++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
>++ img->samplesperpixel >=4 )
>+ {
>+ if (BuildMapBitdepth16To8(img))
>+ img->put.contig = putRGBAAcontig16bittile;
>+ }
>+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
>++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
>++ img->samplesperpixel >=4 )
>+ {
>+ if (BuildMapBitdepth16To8(img) &&
>+ BuildMapUaToAa(img))
>+ img->put.contig = putRGBUAcontig16bittile;
>+ }
>+- else
>++ else if( img->samplesperpixel >=3 )
>+ {
>+ if (BuildMapBitdepth16To8(img))
>+ img->put.contig = putRGBcontig16bittile;
>+@@ -2540,7 +2549,7 @@
>+ }
>+ break;
>+ case PHOTOMETRIC_SEPARATED:
>+- if (buildMap(img)) {
>++ if (img->samplesperpixel >=4 && buildMap(img)) {
>+ if (img->bitspersample == 8) {
>+ if (!img->Map)
>+ img->put.contig = putRGBcontig8bitCMYKtile;
>+@@ -2636,7 +2645,7 @@
>+ }
>+ break;
>+ case PHOTOMETRIC_CIELAB:
>+- if (buildMap(img)) {
>++ if (img->samplesperpixel == 3 && buildMap(img)) {
>+ if (img->bitspersample == 8)
>+ img->put.contig = initCIELabConversion(img);
>+ break;
>
>Property changes on: files/patch-CVE-2015-8665_8683
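Review bot: The 8- and 16-bit PHOTOMETRIC_RGB branches now fall through with `img->put.contig` untouched when `samplesperpixel` is below 3 (or below 4 with an alpha sample), and nothing in the hunk reports that case, so rejecting such a file relies on the caller treating a NULL put routine as an error; worth confirming, or documenting with a comment such as `/* No matching put routine: put.contig stays NULL and the caller must reject the image */`. The same silent fall-through appears in the PHOTOMETRIC_SEPARATED and PHOTOMETRIC_CIELAB cases further down. The `sprintf(emsg, …)` calls at the top of the hunk still write an unbounded message into a caller-supplied buffer whose size is not visible here; `snprintf` with that size would make the bound explicit, and `colorchannels` is computed outside the hunk. TIFFRGBAImageOK, TIFFRGBAImageBegin and the put-routine selection all start and end outside the hunk lines shown.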
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Index: files/patch-libtiff_tif__luv.c
>===================================================================
>--- files/patch-libtiff_tif__luv.c (nonexistent)
>+++ files/patch-libtiff_tif__luv.c (working copy)
>@@ -0,0 +1,176 @@
>+revision 1.41
>+date: 2015-12-27 16:25:11 +0000; author: erouault; state: Exp; lines: +45 -12; commitid: gXczlJDfVlBdzBOy;
>+* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
>+functions in non debug builds by replacing assert()s by regular if
>+checks (bugzilla #2522).
>+Fix potential out-of-bound reads in case of short input data.
>+
>+Index: libtiff/tif_luv.c
>+===================================================================
>+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v
>+retrieving revision 1.40
>+retrieving revision 1.41
>+diff -u -r1.40 -r1.41
>+--- libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40
>++++ libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41
>+@@ -1,4 +1,4 @@
>+-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
>++/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
>+
>+ /*
>+ * Copyright (c) 1997 Greg Ward Larson
>+@@ -202,7 +202,11 @@
>+ if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
>+ tp = (int16*) op;
>+ else {
>+- assert(sp->tbuflen >= npixels);
>++ if(sp->tbuflen < npixels) {
>++ TIFFErrorExt(tif->tif_clientdata, module,
>++ "Translation buffer too short");
>++ return (0);
>++ }
>+ tp = (int16*) sp->tbuf;
>+ }
>+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
>+@@ -211,9 +215,11 @@
>+ cc = tif->tif_rawcc;
>+ /* get each byte string */
>+ for (shft = 2*8; (shft -= 8) >= 0; ) {
>+- for (i = 0; i < npixels && cc > 0; )
>++ for (i = 0; i < npixels && cc > 0; ) {
>+ if (*bp >= 128) { /* run */
>+- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
>++ if( cc < 2 )
>++ break;
>++ rc = *bp++ + (2-128);
>+ b = (int16)(*bp++ << shft);
>+ cc -= 2;
>+ while (rc-- && i < npixels)
>+@@ -223,6 +229,7 @@
>+ while (--cc && rc-- && i < npixels)
>+ tp[i++] |= (int16)*bp++ << shft;
>+ }
>++ }
>+ if (i != npixels) {
>+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
>+ TIFFErrorExt(tif->tif_clientdata,
module,
>+@@ -268,13 +275,17 @@
>+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
>+ tp = (uint32 *)op;
>+ else {
>+- assert(sp->tbuflen >= npixels);
>++ if(sp->tbuflen < npixels) {
>++ TIFFErrorExt(tif->tif_clientdata, module,
>++ "Translation buffer too short");
>++ return (0);
>++ }
>+ tp = (uint32 *) sp->tbuf;
>+ }
>+ /* copy to array of uint32 */
>+ bp = (unsigned char*) tif->tif_rawcp;
>+ cc = tif->tif_rawcc;
>+- for (i = 0; i < npixels && cc > 0; i++) {
>++ for (i = 0; i < npixels && cc >= 3; i++) {
>+ tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
>+ bp += 3;
>+ cc -= 3;
>+@@ -325,7 +336,11 @@
>+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
>+ tp = (uint32*) op;
>+ else {
>+- assert(sp->tbuflen >= npixels);
>++ if(sp->tbuflen < npixels) {
>++ TIFFErrorExt(tif->tif_clientdata, module,
>++ "Translation buffer too short");
>++ return (0);
>++ }
>+ tp = (uint32*) sp->tbuf;
>+ }
>+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
>+@@ -334,11 +349,13 @@
>+ cc = tif->tif_rawcc;
>+ /* get each byte string */
>+ for (shft = 4*8; (shft -= 8) >= 0; ) {
>+- for (i = 0; i < npixels && cc > 0; )
>++ for (i = 0; i < npixels && cc > 0; ) {
>+ if (*bp >= 128) { /* run */
>++ if( cc < 2 )
>++ break;
>+ rc = *bp++ + (2-128);
>+ b = (uint32)*bp++ << shft;
>+- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
>++ cc -= 2;
>+ while (rc-- && i < npixels)
>+ tp[i++] |= b;
>+ } else { /* non-run */
>+@@ -346,6 +363,7 @@
>+ while (--cc && rc-- && i < npixels)
>+ tp[i++] |= (uint32)*bp++ << shft;
>+ }
>++ }
>+ if (i != npixels) {
>+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
>+ TIFFErrorExt(tif->tif_clientdata, module,
>+@@ -413,6 +431,7 @@
>+ static int
>+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
>+ {
>++ static const char module[] = "LogL16Encode";
>+ LogLuvState* sp = EncoderState(tif);
>+ int shft;
>+ tmsize_t i;
>+@@ -433,7 +452,11 @@
>+ tp = (int16*) bp;
>+ else {
>+ tp = (int16*) sp->tbuf;
>+-
assert(sp->tbuflen >= npixels);
>++ if(sp->tbuflen < npixels) {
>++ TIFFErrorExt(tif->tif_clientdata, module,
>++ "Translation buffer too short");
>++ return (0);
>++ }
>+ (*sp->tfunc)(sp, bp, npixels);
>+ }
>+ /* compress each byte string */
>+@@ -506,6 +529,7 @@
>+ static int
>+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
>+ {
>++ static const char module[] = "LogLuvEncode24";
>+ LogLuvState* sp = EncoderState(tif);
>+ tmsize_t i;
>+ tmsize_t npixels;
>+@@ -521,7 +545,11 @@
>+ tp = (uint32*) bp;
>+ else {
>+ tp = (uint32*) sp->tbuf;
>+- assert(sp->tbuflen >= npixels);
>++ if(sp->tbuflen < npixels) {
>++ TIFFErrorExt(tif->tif_clientdata, module,
>++ "Translation buffer too short");
>++ return (0);
>++ }
>+ (*sp->tfunc)(sp, bp, npixels);
>+ }
>+ /* write out encoded pixels */
>+@@ -553,6 +581,7 @@
>+ static int
>+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
>+ {
>++ static const char module[] = "LogLuvEncode32";
>+ LogLuvState* sp = EncoderState(tif);
>+ int shft;
>+ tmsize_t i;
>+@@ -574,7 +603,11 @@
>+ tp = (uint32*) bp;
>+ else {
>+ tp = (uint32*) sp->tbuf;
>+- assert(sp->tbuflen >= npixels);
>++ if(sp->tbuflen < npixels) {
>++ TIFFErrorExt(tif->tif_clientdata, module,
>++ "Translation buffer too short");
>++ return (0);
>++ }
>+ (*sp->tfunc)(sp, bp, npixels);
>+ }
>+ /* compress each byte string */
>
>Property changes on: files/patch-libtiff_tif__luv.c
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Index: files/patch-libtiff_tif__next.c
>===================================================================
>--- files/patch-libtiff_tif__next.c (nonexistent)
>+++ files/patch-libtiff_tif__next.c (working copy)
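Review bot: The guard `if(sp->tbuflen < npixels) { TIFFErrorExt(tif->tif_clientdata, module, "Translation buffer too short"); return (0); }` is pasted verbatim six times in this hunk (three decode paths and the three encoders whose signatures are visible: LogL16Encode, LogLuvEncode24, LogLuvEncode32); a small static helper would keep the bound check and its message in one place so a later fix cannot drift between the decoders and encoders. Each call site would then read `if (!LogLuvCheckTbuf(tif, sp, npixels, module)) return (0);`, and the decoders already have a `module` in scope since the hunk uses it without adding one. The helper below assumes `tbuflen` and `npixels` are both `tmsize_t`, as the comparisons suggest; confirm against LogLuvState. All six functions start and end outside the hunk lines shown.
```c
/* Fail the codec call when the translation buffer cannot hold npixels entries. */
static int
LogLuvCheckTbuf(TIFF* tif, const LogLuvState* sp, tmsize_t npixels, const char* module)
{
	if (sp->tbuflen < npixels) {
		TIFFErrorExt(tif->tif_clientdata, module,
		    "Translation buffer too short");
		return (0);
	}
	return (1);
}

/* … unchanged: per-codec setup up to the tbuf selection … */
		if (!LogLuvCheckTbuf(tif, sp, npixels, module))
			return (0);
```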
>@@ -0,0 +1,54 @@
>+revision 1.17
>+date: 2015-12-27 16:55:20 +0000; author: erouault; state: Exp; lines: +9 -3; commitid: 4yLOaM0uFVPyJBOy;
>+* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
>+triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
>+(bugzilla #2508)
>+
>+Index: libtiff/tif_next.c
>+===================================================================
>+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_next.c,v
>+retrieving revision 1.16
>+retrieving revision 1.17
>+diff -u -r1.16 -r1.17
>+--- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
>++++ libtiff/tif_next.c 27 Dec 2015 16:55:20 -0000 1.17
>+@@ -1,4 +1,4 @@
>+-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
>++/* $Id: tif_next.c,v 1.17 2015-12-27 16:55:20 erouault Exp $ */
>+
>+ /*
>+ * Copyright (c) 1988-1997 Sam Leffler
>+@@ -37,7 +37,7 @@
>+ case 0: op[0] = (unsigned char) ((v) << 6); break; \
>+ case 1: op[0] |= (v) << 4; break; \
>+ case 2: op[0] |= (v) << 2; break; \
>+- case 3: *op++ |= (v); break; \
>++ case 3: *op++ |= (v); op_offset++; break; \
>+ } \
>+ }
>+
>+@@ -106,6 +106,7 @@
>+ uint32 imagewidth = tif->tif_dir.td_imagewidth;
>+ if( isTiled(tif) )
>+ imagewidth = tif->tif_dir.td_tilewidth;
>++ tmsize_t op_offset = 0;
>+
>+ /*
>+ * The scanline is composed of a sequence of constant
>+@@ -122,10 +123,15 @@
>+ * bounds, potentially resulting in a security
>+ * issue.
>+ */
>+- while (n-- > 0 && npixels < imagewidth)
>++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
>+ SETPIXEL(op, grey);
>+ if (npixels >= imagewidth)
>+ break;
>++ if (op_offset >= scanline ) {
>++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
>++ (long) tif->tif_row);
>++ return (0);
>++ }
>+ if (cc == 0)
>+ goto bad;
>+ n = *bp++, cc--;
>
>Property changes on: files/patch-libtiff_tif__next.c
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
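Review bot: `SETPIXEL` now increments `op_offset`, which is not one of its parameters, so the macro silently depends on a local of exactly that name being declared at every use site; a comment on the macro definition such as `/* NB: also advances the caller's op_offset whenever op is advanced (case 3); the caller must declare it */` would make that contract visible. The new `tmsize_t op_offset = 0;` is placed after the `if( isTiled(tif) )` statement; if the project still builds with C89 compilers this mixed declaration will not compile there, so declaring it alongside `imagewidth` would be safer. `scanline`, against which `op_offset` is checked, is defined outside the hunk, and NeXTDecode starts and ends outside the lines shown.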