[Frugalware-git] frugalware-current: libtiff-3.8.2-4-i686

Mon, 13 Jul 2009 14:46:35 -0700 

Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=a8cb26f25393ed6e763af907f22555c43ffa29c1

commit a8cb26f25393ed6e763af907f22555c43ffa29c1
Author: András Vöröskői <voros...@frugalware.org>
Date:   Mon Jul 13 23:44:58 2009 +0200

libtiff-3.8.2-4-i686

add libtiff-3.8.2-CVE-2009-2347.patch
closes #3862

diff --git a/source/lib/libtiff/FrugalBuild b/source/lib/libtiff/FrugalBuild
index ec89f0a..c5b9adf 100644
--- a/source/lib/libtiff/FrugalBuild
+++ b/source/lib/libtiff/FrugalBuild
@@ -4,7 +4,7 @@

pkgname=libtiff
pkgver=3.8.2
-pkgrel=3
+pkgrel=4
pkgdesc="Library for manipulation of TIFF images"
url="http://libtiff.maptools.org";
depends=('libstdc++' 'zlib')
@@ -12,7 +12,13 @@ groups=('lib')
archs=('i686' 'x86_64' 'ppc')
up2date="lynx -dump 'http://libtiff.maptools.org/' | grep 'Stable Release' | 
cut -d v -f 2"
source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-$pkgver.tar.gz 
CVE-2006-2193.patch \
-       libtiff-3.8.2-ormandy.patch tiffsplit-overflow.patch)
+       libtiff-3.8.2-ormandy.patch tiffsplit-overflow.patch \
+       libtiff-3.8.2-CVE-2009-2347.patch)
+sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb' \
+          'f4af800713a048dd4db5ce9a2cb39c87ebf0c9dc' \
+          '61c5f52e1182a6ca7b59045ae76609e16ef4b3a0' \
+          'eba26a1340806b89e4305cc0cf9d6485f69a610f' \
+          'b202adf57a61587c809795d731cc3cb5939e646d')

build() {
Fcd tiff-"$pkgver"
@@ -21,7 +27,3 @@ build() {
}

# optimization OK
-sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb' \
-         'f4af800713a048dd4db5ce9a2cb39c87ebf0c9dc' \
-         '61c5f52e1182a6ca7b59045ae76609e16ef4b3a0' \
-         'eba26a1340806b89e4305cc0cf9d6485f69a610f')
diff --git a/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch 
b/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch
new file mode 100644
index 0000000..d631b6e
--- /dev/null
+++ b/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch
@@ -0,0 +1,169 @@
+Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
+possible integer overflow in calculation of buffer sizes.
+
+CVE-2009-2347
+
+
+diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
+--- tiff-3.8.2.orig/tools/rgb2ycbcr.c  2004-09-03 03:57:13.000000000 -0400
++++ tiff-3.8.2/tools/rgb2ycbcr.c       2009-07-10 17:12:32.000000000 -0400
+@@ -202,6 +202,17 @@
+ #undef LumaBlue
+ #undef V2Code
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++    tsize_t prod = m1 * m2;
++
++    if (m1 && prod / m1 != m2)
++        prod = 0;             /* overflow */
++
++    return prod;
++}
++
+ /*
+  * Convert a strip of RGB data to YCbCr and
+  * sample to generate the output data.
+@@ -278,10 +289,19 @@
+       float floatv;
+       char *stringv;
+       uint32 longv;
++      tsize_t raster_size;
+
+       TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+       TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+-      raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++
++      raster_size = multiply(multiply(width, height), sizeof (uint32));
++      if (!raster_size) {
++              TIFFError(TIFFFileName(in),
++                        "Can't allocate buffer for raster of size %lux%lu",
++                        (unsigned long) width, (unsigned long) height);
++              return (0);
++      }
++      raster = (uint32*)_TIFFmalloc(raster_size);
+       if (raster == 0) {
+               TIFFError(TIFFFileName(in), "No space for raster buffer");
+               return (0);
+diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
+--- tiff-3.8.2.orig/tools/tiff2rgba.c  2004-11-07 06:08:37.000000000 -0500
++++ tiff-3.8.2/tools/tiff2rgba.c       2009-07-10 17:06:42.000000000 -0400
+@@ -124,6 +124,17 @@
+     return (0);
+ }
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++    tsize_t prod = m1 * m2;
++
++    if (m1 && prod / m1 != m2)
++        prod = 0;             /* overflow */
++
++    return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+
+@@ -133,6 +144,7 @@
+     uint32  tile_width, tile_height;
+     uint32  row, col;
+     uint32  *wrk_line;
++    tsize_t raster_size;
+     int           ok = 1;
+
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -150,7 +162,14 @@
+     /*
+      * Allocate tile buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++    raster_size = multiply(multiply(tile_width, tile_height), sizeof 
(uint32));
++    if (!raster_size) {
++      TIFFError(TIFFFileName(in),
++                "Can't allocate buffer for raster of size %lux%lu",
++                (unsigned long) tile_width, (unsigned long) tile_height);
++      return (0);
++    }
++    raster = (uint32*)_TIFFmalloc(raster_size);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+@@ -158,7 +177,7 @@
+
+     /*
+      * Allocate a scanline buffer for swapping during the vertical
+-     * mirroring pass.
++     * mirroring pass.  (Request can't overflow given prior checks.)
+      */
+     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+     if (!wrk_line) {
+@@ -226,6 +245,7 @@
+     uint32  width, height;            /* image width & height */
+     uint32  row;
+     uint32  *wrk_line;
++    tsize_t raster_size;
+     int           ok = 1;
+
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -241,7 +261,14 @@
+     /*
+      * Allocate strip buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++    if (!raster_size) {
++      TIFFError(TIFFFileName(in),
++                "Can't allocate buffer for raster of size %lux%lu",
++                (unsigned long) width, (unsigned long) rowsperstrip);
++      return (0);
++    }
++    raster = (uint32*)_TIFFmalloc(raster_size);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+@@ -249,7 +276,7 @@
+
+     /*
+      * Allocate a scanline buffer for swapping during the vertical
+-     * mirroring pass.
++     * mirroring pass.  (Request can't overflow given prior checks.)
+      */
+     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+     if (!wrk_line) {
+@@ -328,14 +355,22 @@
+     uint32* raster;                   /* retrieve RGBA image */
+     uint32  width, height;            /* image width & height */
+     uint32  row;
+-
++    tsize_t raster_size;
++
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+
+     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+-    raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++    raster_size = multiply(multiply(width, height), sizeof (uint32));
++    if (!raster_size) {
++      TIFFError(TIFFFileName(in),
++                "Can't allocate buffer for raster of size %lux%lu",
++                (unsigned long) width, (unsigned long) height);
++      return (0);
++    }
++    raster = (uint32*)_TIFFmalloc(raster_size);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+@@ -353,7 +388,7 @@
+     */
+     if( no_alpha )
+     {
+-        int   pixel_count = width * height;
++        tsize_t  pixel_count = (tsize_t) width * (tsize_t) height;
+         unsigned char *src, *dst;
+
+         src = (unsigned char *) raster;

_______________________________________________
Frugalware-git mailing list
Frugalware-git@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-git

Reply via email to