Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=a8cb26f25393ed6e763af907f22555c43ffa29c1
commit a8cb26f25393ed6e763af907f22555c43ffa29c1 Author: András VöröskÅi <voros...@frugalware.org> Date: Mon Jul 13 23:44:58 2009 +0200 libtiff-3.8.2-4-i686 add libtiff-3.8.2-CVE-2009-2347.patch closes #3862 diff --git a/source/lib/libtiff/FrugalBuild b/source/lib/libtiff/FrugalBuild index ec89f0a..c5b9adf 100644 --- a/source/lib/libtiff/FrugalBuild +++ b/source/lib/libtiff/FrugalBuild @@ -4,7 +4,7 @@ pkgname=libtiff pkgver=3.8.2 -pkgrel=3 +pkgrel=4 pkgdesc="Library for manipulation of TIFF images" url="http://libtiff.maptools.org" depends=('libstdc++' 'zlib') @@ -12,7 +12,13 @@ groups=('lib') archs=('i686' 'x86_64' 'ppc') up2date="lynx -dump 'http://libtiff.maptools.org/' | grep 'Stable Release' | cut -d v -f 2" source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-$pkgver.tar.gz CVE-2006-2193.patch \ - libtiff-3.8.2-ormandy.patch tiffsplit-overflow.patch) + libtiff-3.8.2-ormandy.patch tiffsplit-overflow.patch \ + libtiff-3.8.2-CVE-2009-2347.patch) +sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb' \ + 'f4af800713a048dd4db5ce9a2cb39c87ebf0c9dc' \ + '61c5f52e1182a6ca7b59045ae76609e16ef4b3a0' \ + 'eba26a1340806b89e4305cc0cf9d6485f69a610f' \ + 'b202adf57a61587c809795d731cc3cb5939e646d') build() { Fcd tiff-"$pkgver" @@ -21,7 +27,3 @@ build() { } # optimization OK -sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb' \ - 'f4af800713a048dd4db5ce9a2cb39c87ebf0c9dc' \ - '61c5f52e1182a6ca7b59045ae76609e16ef4b3a0' \ - 'eba26a1340806b89e4305cc0cf9d6485f69a610f') diff --git a/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch b/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch new file mode 100644 index 0000000..d631b6e --- /dev/null +++ b/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch @@ -0,0 +1,169 @@ +Fix several places in tiff2rgba and rgb2ycbcr that were being careless about +possible integer overflow in calculation of buffer sizes. + +CVE-2009-2347 + + +diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c +--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400 ++++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400 +@@ -202,6 +202,17 @@ + #undef LumaBlue + #undef V2Code + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + /* + * Convert a strip of RGB data to YCbCr and + * sample to generate the output data. +@@ -278,10 +289,19 @@ + float floatv; + char *stringv; + uint32 longv; ++ tsize_t raster_size; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c +--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500 ++++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400 +@@ -124,6 +124,17 @@ + return (0); + } + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + static int + cvt_by_tile( TIFF *in, TIFF *out ) + +@@ -133,6 +144,7 @@ + uint32 tile_width, tile_height; + uint32 row, col; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -150,7 +162,14 @@ + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) tile_width, (unsigned long) tile_height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -158,7 +177,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + if (!wrk_line) { +@@ -226,6 +245,7 @@ + uint32 width, height; /* image width & height */ + uint32 row; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -241,7 +261,14 @@ + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) rowsperstrip); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -249,7 +276,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + if (!wrk_line) { +@@ -328,14 +355,22 @@ + uint32* raster; /* retrieve RGBA image */ + uint32 width, height; /* image width & height */ + uint32 row; +- ++ tsize_t raster_size; ++ + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); + + rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -353,7 +388,7 @@ + */ + if( no_alpha ) + { +- int pixel_count = width * height; ++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height; + unsigned char *src, *dst; + + src = (unsigned char *) raster;
_______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git