Hello community,

here is the log from the commit of package tiff for openSUSE:Factory checked in 
at 2016-10-14 03:37:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tiff (Old)
 and      /work/SRC/openSUSE:Factory/.tiff.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tiff"

Changes:
--------
--- /work/SRC/openSUSE:Factory/tiff/tiff.changes        2016-09-05 
21:17:03.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes   2016-10-14 
03:37:23.000000000 +0200
@@ -1,0 +2,11 @@
+Thu Oct  6 07:47:19 UTC 2016 - fst...@suse.com
+
+- Added patches:
+  * tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
+    - Upstream fixes for MSVR 35093, MSVR 35094, MSVR 35095,
+      MSVR 35096, MSVR 35097, MSVR 35098.
+  * tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
+    - Enforce bits-per-sample requirements of floating point
+      predictor. Fixes CVE-2016-3622 [bsc#974449]
+
+-------------------------------------------------------------------

New:
----
  tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
  tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.rKSpxg/_old  2016-10-14 03:37:26.000000000 +0200
+++ /var/tmp/diff_new_pack.rKSpxg/_new  2016-10-14 03:37:26.000000000 +0200
@@ -46,6 +46,9 @@
 Patch10:        tiff-4.0.6-CVE-2016-3945.patch
 Patch11:        tiff-4.0.6-CVE-2016-3990.patch
 Patch12:        tiff-4.0.6-CVE-2016-3991.patch
+#
+Patch13:        
tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
+Patch14:        
tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
 
 BuildRequires:  gcc-c++
 BuildRequires:  libjpeg-devel
@@ -120,6 +123,8 @@
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 %build
 CFLAGS="%{optflags} -fPIE"

++++++ tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch 
++++++
--- tiff-4.0.6/libtiff/tif_getimage.c   2015-08-29 00:16:22.517401728 +0200
+++ tiff-4.0.6/libtiff/tif_getimage.c   2016-10-06 09:42:41.204607032 +0200
@@ -95,6 +95,10 @@
                            td->td_bitspersample);
                        return (0);
        }
+        if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
+                sprintf(emsg, "Sorry, can not handle images with IEEE 
floating-point samples");
+                return (0);
+        }
        colorchannels = td->td_samplesperpixel - td->td_extrasamples;
        if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
                switch (colorchannels) {
--- tiff-4.0.6/libtiff/tif_predict.c    2015-09-01 04:39:39.547152871 +0200
+++ tiff-4.0.6/libtiff/tif_predict.c    2016-10-06 09:42:41.204607032 +0200
@@ -80,6 +80,15 @@
                                    td->td_sampleformat);
                                return 0;
                        }
+                        if (td->td_bitspersample != 16
+                            && td->td_bitspersample != 24
+                            && td->td_bitspersample != 32
+                            && td->td_bitspersample != 64) { /* Should 64 be 
allowed? */
+                                TIFFErrorExt(tif->tif_clientdata, module,
+                                             "Floating point \"Predictor\" not 
supported with %d-bit samples",
+                                             td->td_bitspersample);
+                               return 0;
+                            }
                        break;
                default:
                        TIFFErrorExt(tif->tif_clientdata, module,
++++++ tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch 
++++++
--- tiff-4.0.6/libtiff/tif_pixarlog.c   2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c   2016-10-06 09:33:52.616248149 +0200
@@ -973,17 +973,14 @@
                a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
            }
        } else {
-           ip += n - 1;        /* point to last one */
-           wp += n - 1;        /* point to last one */
+        REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
            n -= stride;
            while (n > 0) {
-               REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
-                               wp[stride] -= wp[0];
-                               wp[stride] &= mask;
-                               wp--; ip--)
+            REPEAT(stride,
+                wp[0] = 
(uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
+                wp++; ip++)
                n -= stride;
            }
-           REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
        }
     }
 }
@@ -1026,17 +1023,14 @@
                a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
            }
        } else {
-           ip += n - 1;        /* point to last one */
-           wp += n - 1;        /* point to last one */
+        REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
            n -= stride;
            while (n > 0) {
-               REPEAT(stride, wp[0] = CLAMP(ip[0]);
-                               wp[stride] -= wp[0];
-                               wp[stride] &= mask;
-                               wp--; ip--)
+            REPEAT(stride,
+                wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+                wp++; ip++)
                n -= stride;
            }
-           REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
        }
     }
 }
@@ -1079,17 +1073,14 @@
                ip += 4;
            }
        } else {
-           wp += n + stride - 1;       /* point to last one */
-           ip += n + stride - 1;       /* point to last one */
+        REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
            n -= stride;
            while (n > 0) {
-               REPEAT(stride, wp[0] = CLAMP(ip[0]);
-                               wp[stride] -= wp[0];
-                               wp[stride] &= mask;
-                               wp--; ip--)
+            REPEAT(stride,
+                wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+                wp++; ip++)
                n -= stride;
            }
-           REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
        }
     }
 }
--- tiff-4.0.6/libtiff/tif_write.c      2015-08-29 00:16:22.761805698 +0200
+++ tiff-4.0.6/libtiff/tif_write.c      2016-10-06 09:33:52.616248149 +0200
@@ -764,7 +764,14 @@
                if (!TIFFAppendToStrip(tif,
                    isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
                    tif->tif_rawdata, tif->tif_rawcc))
+        {
+            /* We update those variables even in case of error since there's */
+            /* code that doesn't really check the return code of this */
+            /* function */
+            tif->tif_rawcc = 0;
+            tif->tif_rawcp = tif->tif_rawdata;
                        return (0);
+        }
                tif->tif_rawcc = 0;
                tif->tif_rawcp = tif->tif_rawdata;
        }
--- tiff-4.0.6/tools/tiff2pdf.c 2015-09-06 20:24:27.000000000 +0200
+++ tiff-4.0.6/tools/tiff2pdf.c 2016-10-06 09:33:52.616248149 +0200
@@ -286,7 +286,7 @@
 int t2p_process_ojpeg_tables(T2P*, TIFF*);
 #endif
 #ifdef JPEG_SUPPORT
-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, 
tstrip_t, uint32);
+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, 
tsize_t*, tstrip_t, uint32);
 #endif
 void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
 void t2p_write_advance_directory(T2P*, TIFF*);
@@ -2409,6 +2409,7 @@
                                        stripbuffer, 
                                        &striplength, 
                                        buffer, 
+                    t2p->tiff_datasize,
                                        &bufferoffset, 
                                        i, 
                                        t2p->tiff_length)){
@@ -3439,6 +3440,7 @@
        unsigned char* strip, 
        tsize_t* striplength, 
        unsigned char* buffer, 
+    tsize_t buffersize,
        tsize_t* bufferoffset, 
        tstrip_t no, 
        uint32 height){
@@ -3473,6 +3475,8 @@
                }
                switch( strip[i] ){
                        case 0xd8:      /* SOI - start of image */
+                if( *bufferoffset + 2 > buffersize )
+                    return(0);
                                _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), 2);
                                *bufferoffset+=2;
                                break;
@@ -3482,12 +3486,18 @@
                        case 0xc9:      /* SOF9 */
                        case 0xca:      /* SOF10 */
                                if(no==0){
+                    if( *bufferoffset + datalen + 2 + 6 > buffersize )
+                        return(0);
                                        _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), datalen+2);
+                    if( *bufferoffset + 9 >= buffersize )
+                        return(0);
                                        ncomp = buffer[*bufferoffset+9];
                                        if (ncomp < 1 || ncomp > 4)
                                                return(0);
                                        v_samp=1;
                                        h_samp=1;
+                    if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
+                        return(0);
                                        for(j=0;j<ncomp;j++){
                                                uint16 samp = 
buffer[*bufferoffset+11+(3*j)];
                                                if( (samp>>4) > h_samp) 
@@ -3519,20 +3529,28 @@
                                break;
                        case 0xc4: /* DHT */
                        case 0xdb: /* DQT */
+                if( *bufferoffset + datalen + 2 > buffersize )
+                    return(0);
                                _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), datalen+2);
                                *bufferoffset+=datalen+2;
                                break;
                        case 0xda: /* SOS */
                                if(no==0){
+                    if( *bufferoffset + datalen + 2 > buffersize )
+                        return(0);
                                        _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), datalen+2);
                                        *bufferoffset+=datalen+2;
                                } else {
+                    if( *bufferoffset + 2 > buffersize )
+                        return(0);
                                        buffer[(*bufferoffset)++]=0xff;
                                        buffer[(*bufferoffset)++]=
                                             (unsigned char)(0xd0 | ((no-1)%8));
                                }
                                i += datalen + 1;
                                /* copy remainder of strip */
+                if( *bufferoffset + *striplength - i > buffersize )
+                    return(0);
                                _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i]), *striplength - i);
                                *bufferoffset+= *striplength - i;
                                return(1);
--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200
+++ tiff-4.0.6/tools/tiffcrop.c 2016-10-06 09:33:52.616248149 +0200
@@ -5737,7 +5737,8 @@
   {
   uint32   i;
   float    xres = 0.0, yres = 0.0;
-  uint16   nstrips = 0, ntiles = 0, planar = 0;
+  uint32   nstrips = 0, ntiles = 0;
+  uint16   planar = 0;
   uint16   bps = 0, spp = 0, res_unit = 0;
   uint16   orientation = 0;
   uint16   input_compression = 0, input_photometric = 0;
@@ -6013,11 +6014,23 @@
   /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
   /* outside buffer */
   if (!read_buff)
+  {
+    if( buffsize > 0xFFFFFFFFU - 3 )
+    {
+        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+        return (-1);
+    }
     read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+  }
   else
     {
     if (prev_readsize < buffsize)
       {
+      if( buffsize > 0xFFFFFFFFU - 3 )
+      {
+          TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+          return (-1);
+      }
       new_buff = _TIFFrealloc(read_buff, buffsize+3);
       if (!new_buff)
         {
@@ -8859,6 +8872,11 @@
     }
 
   bytes_per_pixel  = ((bps * spp) + 7) / 8;
+  if( bytes_per_pixel > sizeof(swapbuff) )
+  {
+    TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
+    return (1);
+  }
   switch (bps / 8)
      {
      case 8:  /* Use memcpy for multiple bytes per sample data */

Reply via email to