Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2016-10-14 03:37:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2016-09-05 21:17:03.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2016-10-14 03:37:23.000000000 +0200 @@ -1,0 +2,11 @@ +Thu Oct 6 07:47:19 UTC 2016 - [email protected] + +- Added patches: + * tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch + - Upstream fixes for MSVR 35093, MSVR 35094, MSVR 35095, + MSVR 35096, MSVR 35097, MSVR 35098. + * tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch + - Enforce bits-per-sample requirements of floating point + predictor. Fixes CVE-2016-3622 [bsc#974449] + +------------------------------------------------------------------- New: ---- tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.rKSpxg/_old 2016-10-14 03:37:26.000000000 +0200 +++ /var/tmp/diff_new_pack.rKSpxg/_new 2016-10-14 03:37:26.000000000 +0200 @@ -46,6 +46,9 @@ Patch10: tiff-4.0.6-CVE-2016-3945.patch Patch11: tiff-4.0.6-CVE-2016-3990.patch Patch12: tiff-4.0.6-CVE-2016-3991.patch +# +Patch13: tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch +Patch14: tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -120,6 +123,8 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build CFLAGS="%{optflags} -fPIE" ++++++ tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch ++++++ --- tiff-4.0.6/libtiff/tif_getimage.c 2015-08-29 00:16:22.517401728 +0200 +++ tiff-4.0.6/libtiff/tif_getimage.c 2016-10-06 09:42:41.204607032 +0200 @@ -95,6 +95,10 @@ td->td_bitspersample); return (0); } + if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) { + sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples"); + return (0); + } colorchannels = td->td_samplesperpixel - td->td_extrasamples; if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) { switch (colorchannels) { --- tiff-4.0.6/libtiff/tif_predict.c 2015-09-01 04:39:39.547152871 +0200 +++ tiff-4.0.6/libtiff/tif_predict.c 2016-10-06 09:42:41.204607032 +0200 @@ -80,6 +80,15 @@ td->td_sampleformat); return 0; } + if (td->td_bitspersample != 16 + && td->td_bitspersample != 24 + && td->td_bitspersample != 32 + && td->td_bitspersample != 64) { /* Should 64 be allowed? */ + TIFFErrorExt(tif->tif_clientdata, module, + "Floating point \"Predictor\" not supported with %d-bit samples", + td->td_bitspersample); + return 0; + } break; default: TIFFErrorExt(tif->tif_clientdata, module, ++++++ tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch ++++++ --- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 +++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-10-06 09:33:52.616248149 +0200 @@ -973,17 +973,14 @@ a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; } } else { - ip += n - 1; /* point to last one */ - wp += n - 1; /* point to last one */ + REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++) n -= stride; while (n > 0) { - REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); - wp[stride] -= wp[0]; - wp[stride] &= mask; - wp--; ip--) + REPEAT(stride, + wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask); + wp++; ip++) n -= stride; } - REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--) } } } @@ -1026,17 +1023,14 @@ a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; } } else { - ip += n - 1; /* point to last one */ - wp += n - 1; /* point to last one */ + REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) n -= stride; while (n > 0) { - REPEAT(stride, wp[0] = CLAMP(ip[0]); - wp[stride] -= wp[0]; - wp[stride] &= mask; - wp--; ip--) + REPEAT(stride, + wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); + wp++; ip++) n -= stride; } - REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) } } } @@ -1079,17 +1073,14 @@ ip += 4; } } else { - wp += n + stride - 1; /* point to last one */ - ip += n + stride - 1; /* point to last one */ + REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) n -= stride; while (n > 0) { - REPEAT(stride, wp[0] = CLAMP(ip[0]); - wp[stride] -= wp[0]; - wp[stride] &= mask; - wp--; ip--) + REPEAT(stride, + wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); + wp++; ip++) n -= stride; } - REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) } } } --- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200 +++ tiff-4.0.6/libtiff/tif_write.c 2016-10-06 09:33:52.616248149 +0200 @@ -764,7 +764,14 @@ if (!TIFFAppendToStrip(tif, isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip, tif->tif_rawdata, tif->tif_rawcc)) + { + /* We update those variables even in case of error since there's */ + /* code that doesn't really check the return code of this */ + /* function */ + tif->tif_rawcc = 0; + tif->tif_rawcp = tif->tif_rawdata; return (0); + } tif->tif_rawcc = 0; tif->tif_rawcp = tif->tif_rawdata; } --- tiff-4.0.6/tools/tiff2pdf.c 2015-09-06 20:24:27.000000000 +0200 +++ tiff-4.0.6/tools/tiff2pdf.c 2016-10-06 09:33:52.616248149 +0200 @@ -286,7 +286,7 @@ int t2p_process_ojpeg_tables(T2P*, TIFF*); #endif #ifdef JPEG_SUPPORT -int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32); +int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32); #endif void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32); void t2p_write_advance_directory(T2P*, TIFF*); @@ -2409,6 +2409,7 @@ stripbuffer, &striplength, buffer, + t2p->tiff_datasize, &bufferoffset, i, t2p->tiff_length)){ @@ -3439,6 +3440,7 @@ unsigned char* strip, tsize_t* striplength, unsigned char* buffer, + tsize_t buffersize, tsize_t* bufferoffset, tstrip_t no, uint32 height){ @@ -3473,6 +3475,8 @@ } switch( strip[i] ){ case 0xd8: /* SOI - start of image */ + if( *bufferoffset + 2 > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); *bufferoffset+=2; break; @@ -3482,12 +3486,18 @@ case 0xc9: /* SOF9 */ case 0xca: /* SOF10 */ if(no==0){ + if( *bufferoffset + datalen + 2 + 6 > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + if( *bufferoffset + 9 >= buffersize ) + return(0); ncomp = buffer[*bufferoffset+9]; if (ncomp < 1 || ncomp > 4) return(0); v_samp=1; h_samp=1; + if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize ) + return(0); for(j=0;j<ncomp;j++){ uint16 samp = buffer[*bufferoffset+11+(3*j)]; if( (samp>>4) > h_samp) @@ -3519,20 +3529,28 @@ break; case 0xc4: /* DHT */ case 0xdb: /* DQT */ + if( *bufferoffset + datalen + 2 > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); *bufferoffset+=datalen+2; break; case 0xda: /* SOS */ if(no==0){ + if( *bufferoffset + datalen + 2 > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); *bufferoffset+=datalen+2; } else { + if( *bufferoffset + 2 > buffersize ) + return(0); buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8)); } i += datalen + 1; /* copy remainder of strip */ + if( *bufferoffset + *striplength - i > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); *bufferoffset+= *striplength - i; return(1); --- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200 +++ tiff-4.0.6/tools/tiffcrop.c 2016-10-06 09:33:52.616248149 +0200 @@ -5737,7 +5737,8 @@ { uint32 i; float xres = 0.0, yres = 0.0; - uint16 nstrips = 0, ntiles = 0, planar = 0; + uint32 nstrips = 0, ntiles = 0; + uint16 planar = 0; uint16 bps = 0, spp = 0, res_unit = 0; uint16 orientation = 0; uint16 input_compression = 0, input_photometric = 0; @@ -6013,11 +6014,23 @@ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ /* outside buffer */ if (!read_buff) + { + if( buffsize > 0xFFFFFFFFU - 3 ) + { + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); + } else { if (prev_readsize < buffsize) { + if( buffsize > 0xFFFFFFFFU - 3 ) + { + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } new_buff = _TIFFrealloc(read_buff, buffsize+3); if (!new_buff) { @@ -8859,6 +8872,11 @@ } bytes_per_pixel = ((bps * spp) + 7) / 8; + if( bytes_per_pixel > sizeof(swapbuff) ) + { + TIFFError("reverseSamplesBytes","bytes_per_pixel too large"); + return (1); + } switch (bps / 8) { case 8: /* Use memcpy for multiple bytes per sample data */
