Here's an update to graphics/tiff 4.0.7. Changes: http://www.simplesystems.org/libtiff/v4.0.7.html TL;DR: Numerous security fixes in the library; some tools were removed.
The changes to the port mostly consist of disentangling and removing various accumulated security patches. Unfortunately some symbols were removed, necessitating a major bump. This is problematic for -stable. Index: Makefile =================================================================== RCS file: /cvs/ports/graphics/tiff/Makefile,v retrieving revision 1.77 diff -u -p -r1.77 Makefile --- Makefile 1 Jul 2016 11:23:44 -0000 1.77 +++ Makefile 24 Nov 2016 21:20:44 -0000 @@ -2,15 +2,14 @@ COMMENT= tools and library routines for working with TIFF images -DISTNAME= tiff-4.0.6 -REVISION= 1 -SHARED_LIBS= tiff 39.2 # 7.4 -SHARED_LIBS+= tiffxx 40.1 # 7.4 +DISTNAME= tiff-4.0.7 +SHARED_LIBS= tiff 40.0 # 7.5 +SHARED_LIBS+= tiffxx 40.1 # 7.5 CATEGORIES= graphics MASTER_SITES= http://download.osgeo.org/libtiff/ -HOMEPAGE= http://www.remotesensing.org/libtiff/ +HOMEPAGE= http://www.simplesystems.org/libtiff/ LIB_DEPENDS= graphics/jpeg WANTLIB= c m stdc++ z jpeg Index: distinfo =================================================================== RCS file: /cvs/ports/graphics/tiff/distinfo,v retrieving revision 1.18 diff -u -p -r1.18 distinfo --- distinfo 4 Nov 2015 20:51:36 -0000 1.18 +++ distinfo 24 Nov 2016 21:20:44 -0000 @@ -1,2 +1,2 @@ -SHA256 (tiff-4.0.6.tar.gz) = TVelCQe1EOMEmku6DXiIkw/fwWzknxv2k+W2JHNw1ow= -SIZE (tiff-4.0.6.tar.gz) = 2192991 +SHA256 (tiff-4.0.7.tar.gz) = n0Oiz7lYnlzsqmbha/h/gUyUXyLfe6YA1jqsRjLE8Bk= +SIZE (tiff-4.0.7.tar.gz) = 2076392 Index: patches/patch-Makefile_in =================================================================== RCS file: /cvs/ports/graphics/tiff/patches/patch-Makefile_in,v retrieving revision 1.11 diff -u -p -r1.11 patch-Makefile_in --- patches/patch-Makefile_in 4 Nov 2015 20:51:36 -0000 1.11 +++ patches/patch-Makefile_in 24 Nov 2016 21:20:44 -0000 
@@ -1,7 +1,7 @@ $OpenBSD: patch-Makefile_in,v 1.11 2015/11/04 20:51:36 naddy Exp $ ---- Makefile.in.orig Sat Sep 12 21:48:44 2015 -+++ Makefile.in Wed Nov 4 17:33:52 2015 -@@ -435,7 +435,7 @@ EXTRA_DIST = \ +--- Makefile.in.orig Sat Nov 19 18:40:20 2016 ++++ Makefile.in Thu Nov 24 21:44:23 2016 +@@ -436,7 +436,7 @@ EXTRA_DIST = \ nmake.opt dist_doc_DATA = $(docfiles) Index: patches/patch-libtiff_tif_extension_c =================================================================== RCS file: /cvs/ports/graphics/tiff/patches/patch-libtiff_tif_extension_c,v retrieving revision 1.4 diff -u -p -r1.4 patch-libtiff_tif_extension_c --- patches/patch-libtiff_tif_extension_c 14 Apr 2012 15:09:55 -0000 1.4 +++ patches/patch-libtiff_tif_extension_c 24 Nov 2016 21:20:44 -0000 @@ -4,20 +4,20 @@ $OpenBSD: patch-libtiff_tif_extension_c, @@ -81,6 +81,7 @@ void TIFFSetClientInfo( TIFF *tif, void *data, const c { - TIFFClientInfoLink *link = tif->tif_clientinfo; + TIFFClientInfoLink *psLink = tif->tif_clientinfo; + size_t namelen = strlen(name); /* ** Do we have an existing link with this name? If so, just 
@@ -102,9 +103,9 @@ void TIFFSetClientInfo( TIFF *tif, void *data, const c - link = (TIFFClientInfoLink *) _TIFFmalloc(sizeof(TIFFClientInfoLink)); - assert (link != NULL); - link->next = tif->tif_clientinfo; -- link->name = (char *) _TIFFmalloc((tmsize_t)(strlen(name)+1)); -+ link->name = (char *) _TIFFmalloc((tmsize_t)(namelen+1)); - assert (link->name != NULL); -- strcpy(link->name, name); -+ strlcpy(link->name, name, namelen+1); - link->data = data; + psLink = (TIFFClientInfoLink *) _TIFFmalloc(sizeof(TIFFClientInfoLink)); + assert (psLink != NULL); + psLink->next = tif->tif_clientinfo; +- psLink->name = (char *) _TIFFmalloc((tmsize_t)(strlen(name)+1)); ++ psLink->name = (char *) _TIFFmalloc((tmsize_t)(namelen+1)); + assert (psLink->name != NULL); +- strcpy(psLink->name, name); ++ strlcpy(psLink->name, name, namelen+1); + psLink->data = data; - tif->tif_clientinfo = link; + tif->tif_clientinfo = psLink; Index: patches/patch-libtiff_tif_getimage_c =================================================================== RCS file: /cvs/ports/graphics/tiff/patches/patch-libtiff_tif_getimage_c,v retrieving revision 1.10 diff -u -p -r1.10 patch-libtiff_tif_getimage_c --- patches/patch-libtiff_tif_getimage_c 24 Jan 2016 16:48:49 -0000 1.10 +++ patches/patch-libtiff_tif_getimage_c 24 Nov 2016 21:20:44 -0000 
@@ -1,17 +1,11 @@ -$OpenBSD: patch-libtiff_tif_getimage_c,v 1.10 2016/01/24 16:48:49 naddy Exp $ +$OpenBSD: patch-libtiff_tif_getimage_c,v 1.9 2015/03/29 17:39:22 naddy Exp $ -* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -interface in case of unsupported values of SamplesPerPixel/ExtraSamples -for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in -TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and -CVE-2015-8683 reported by zzf of Alibaba. +This one is slightly problematic. If an application allocates less +room for its error buffer than the recommended 1024, the error message +buffer will still overflow. -This snprintf conversion is slightly problematic. If an application -allocates less room for its error buffer than the recommended 1024, -the error message buffer will still overflow. - ---- libtiff/tif_getimage.c.orig Sat Aug 29 00:16:22 2015 -+++ libtiff/tif_getimage.c Sun Jan 24 17:04:12 2016 +--- libtiff/tif_getimage.c.orig Fri Nov 18 03:47:45 2016 ++++ libtiff/tif_getimage.c Thu Nov 24 22:01:47 2016 @@ -80,7 +80,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) int colorchannels; @@ -21,7 +15,7 @@ the error message buffer will still over return (0); } switch (td->td_bitspersample) { -@@ -91,7 +91,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) +@@ -91,12 +91,12 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) case 16: break; default: @@ -30,7 +24,13 @@ the error message buffer will still over td->td_bitspersample); return (0); } -@@ -105,7 +105,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) + if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) { +- sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples"); ++ snprintf(emsg, 1024, "Sorry, can not handle images with IEEE floating-point samples"); + return (0); + } + colorchannels = td->td_samplesperpixel - td->td_extrasamples; +@@ -109,7 +109,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) photometric = PHOTOMETRIC_RGB; break; default: 
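Review bot: The rewritten patch header opens with `This one is slightly problematic`, which has no antecedent now that the CVE paragraph above it is removed; the earlier wording `This snprintf conversion is slightly problematic.` named what the patch does and is worth keeping. The header could also give the reason for the caveat: `char emsg[1024]` in a parameter list is only a `char *`, so the `1024` passed to each `snprintf()` is the documented minimum for callers and not a size the library can check. That applies to every `snprintf(emsg, 1024, ...)` hunk in this patch, including the newly added IEEE floating-point message.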
@@ -39,7 +39,7 @@ the error message buffer will still over return (0); } } -@@ -116,7 +116,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) +@@ -120,7 +120,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) if (td->td_planarconfig == PLANARCONFIG_CONTIG && td->td_samplesperpixel != 1 && td->td_bitspersample < 8 ) { @@ -48,7 +48,7 @@ the error message buffer will still over "Sorry, can not handle contiguous data with %s=%d, " "and %s=%d and Bits/Sample=%d", photoTag, photometric, -@@ -140,7 +140,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) +@@ -144,7 +144,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) break; case PHOTOMETRIC_RGB: if (colorchannels < 3) { @@ -57,7 +57,7 @@ the error message buffer will still over "Color channels", colorchannels); return (0); } -@@ -150,13 +150,13 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) +@@ -154,13 +154,13 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) uint16 inkset; TIFFGetFieldDefaulted(tif, TIFFTAG_INKSET, &inkset); if (inkset != INKSET_CMYK) { @@ -73,7 +73,7 @@ the error message buffer will still over "Sorry, can not handle separated image with %s=%d", "Samples/pixel", td->td_samplesperpixel); return 0; -@@ -165,7 +165,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) +@@ -169,7 +169,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) } case PHOTOMETRIC_LOGL: if (td->td_compression != COMPRESSION_SGILOG) { @@ -82,7 +82,7 @@ the error message buffer will still over "Compression", COMPRESSION_SGILOG); return (0); } -@@ -173,35 +173,37 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) +@@ -177,17 +177,17 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) case PHOTOMETRIC_LOGLUV: if (td->td_compression != COMPRESSION_SGILOG && td->td_compression != COMPRESSION_SGILOG24) { 
@@ -97,50 +97,31 @@ the error message buffer will still over "Planarconfiguration", td->td_planarconfig); return (0); } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { -- sprintf(emsg, -- "Sorry, can not handle image with %s=%d", -- "Samples/pixel", td->td_samplesperpixel); -+ snprintf(emsg, 1024, -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } + if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) { +- sprintf(emsg, ++ snprintf(emsg, 1024, + "Sorry, can not handle image with %s=%d, %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels); +@@ -196,7 +196,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) break; case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { -- sprintf(emsg, -- "Sorry, can not handle image with %s=%d and %s=%d", -+ snprintf(emsg, 1024, -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } + if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { +- sprintf(emsg, ++ snprintf(emsg, 1024, + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels, +@@ -205,7 +205,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) + } break; - default: + default: - sprintf(emsg, "Sorry, can not handle image with %s=%d", + snprintf(emsg, 1024, "Sorry, can not handle image with %s=%d", photoTag, photometric); return (0); } -@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+ -+ if( !TIFFRGBAImageOK(tif, emsg) 
) -+ return 0; - - /* Initialize to normal values */ - img->row_offset = 0; -@@ -275,7 +280,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -296,7 +296,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int case 16: break; default: @@ -149,7 +130,7 @@ the error message buffer will still over img->bitspersample); goto fail_return; } -@@ -325,7 +330,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -346,7 +346,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int img->photometric = PHOTOMETRIC_RGB; break; default: @@ -158,7 +139,7 @@ the error message buffer will still over goto fail_return; } } -@@ -333,7 +338,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -354,7 +354,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int case PHOTOMETRIC_PALETTE: if (!TIFFGetField(tif, TIFFTAG_COLORMAP, &red_orig, &green_orig, &blue_orig)) { @@ -167,7 +148,7 @@ the error message buffer will still over goto fail_return; } -@@ -343,7 +348,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -364,7 +364,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int img->greencmap = (uint16 *) _TIFFmalloc(sizeof(uint16)*n_color); img->bluecmap = (uint16 *) _TIFFmalloc(sizeof(uint16)*n_color); if( !img->redcmap || !img->greencmap || !img->bluecmap ) { @@ -176,7 +157,7 @@ the error message buffer will still over goto fail_return; } -@@ -357,7 +362,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -378,7 +378,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int if (planarconfig == PLANARCONFIG_CONTIG && img->samplesperpixel != 1 && img->bitspersample < 8 ) { 
@@ -185,7 +166,7 @@ the error message buffer will still over "Sorry, can not handle contiguous data with %s=%d, " "and %s=%d and Bits/Sample=%d", photoTag, img->photometric, -@@ -394,7 +399,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -415,7 +415,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int break; case PHOTOMETRIC_RGB: if (colorchannels < 3) { @@ -194,7 +175,7 @@ the error message buffer will still over "Color channels", colorchannels); goto fail_return; } -@@ -404,12 +409,12 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -425,12 +425,12 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int uint16 inkset; TIFFGetFieldDefaulted(tif, TIFFTAG_INKSET, &inkset); if (inkset != INKSET_CMYK) { @@ -209,7 +190,7 @@ the error message buffer will still over "Samples/pixel", img->samplesperpixel); goto fail_return; } -@@ -417,7 +422,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -438,7 +438,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int break; case PHOTOMETRIC_LOGL: if (compress != COMPRESSION_SGILOG) { @@ -218,7 +199,7 @@ the error message buffer will still over "Compression", COMPRESSION_SGILOG); goto fail_return; } -@@ -427,12 +432,12 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -448,12 +448,12 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int break; case PHOTOMETRIC_LOGLUV: if (compress != COMPRESSION_SGILOG && compress != COMPRESSION_SGILOG24) { @@ -233,7 +214,7 @@ the error message buffer will still over "Planarconfiguration", planarconfig); return (0); } -@@ -443,7 +448,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -464,7 +464,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int case PHOTOMETRIC_CIELAB: break; default: 
@@ -242,7 +223,7 @@ the error message buffer will still over photoTag, img->photometric); goto fail_return; } -@@ -461,12 +466,12 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int +@@ -482,12 +482,12 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int !(planarconfig == PLANARCONFIG_SEPARATE && img->samplesperpixel > 1); if (img->isContig) { if (!PickContigCase(img)) { 
@@ -257,61 +238,3 @@ the error message buffer will still over goto fail_return; } } -@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >= 4) - img->put.contig = putRGBAAcontig8bittile; -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >= 4) - { - if (BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >= 3 ) - img->put.contig = putRGBcontig8bittile; - break; - case 16: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBAAcontig16bittile; - } -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBcontig16bittile; -@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=4 && buildMap(img)) { - if (img->bitspersample == 8) { - if (!img->Map) - img->put.contig = putRGBcontig8bitCMYKtile; -@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel == 3 && buildMap(img)) { - if (img->bitspersample == 8) - img->put.contig = initCIELabConversion(img); - break; Index: patches/patch-libtiff_tif_luv_c =================================================================== RCS file: /cvs/ports/graphics/tiff/patches/patch-libtiff_tif_luv_c,v retrieving 
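Review bot: The final hunk drops the local `PickContigCase` guards (`img->samplesperpixel >= 4` / `>= 3`), and an earlier hunk drops the `TIFFRGBAImageOK()` call at the top of `TIFFRGBAImageBegin()`, yet nothing in this diff shows that tiff-4.0.7 carries those checks itself. The `colorchannels != 3` tests now appear as unchanged context in the `TIFFRGBAImageOK` hunks, which suggests upstream absorbed at least that part; the rest should be confirmed against the extracted 4.0.7 `tif_getimage.c` before commit. The same check applies to the bounds tests removed from patch-libtiff_tif_luv_c and to the deleted patch-libtiff_tif_next_c and patch-libtiff_tif_pixarlog_c (CVE-2016-5875). Once confirmed, I would leave one line in the surviving patch header, for example `CVE-2015-8665 and CVE-2015-8683 are fixed upstream as of 4.0.7.`, so the reason the local fix disappeared stays on record.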
revision 1.6 diff -u -p -r1.6 patch-libtiff_tif_luv_c --- patches/patch-libtiff_tif_luv_c 24 Jan 2016 16:48:49 -0000 1.6 +++ patches/patch-libtiff_tif_luv_c 24 Nov 2016 21:20:44 -0000 
@@ -1,170 +1,7 @@ -$OpenBSD: patch-libtiff_tif_luv_c,v 1.6 2016/01/24 16:48:49 naddy Exp $ - -* libtiff/tif_luv.c: fix potential out-of-bound writes in decode -functions in non debug builds by replacing assert()s by regular if -checks (bugzilla #2522). -Fix potential out-of-bound reads in case of short input data. - -Avoid rand() warning in library. - ---- libtiff/tif_luv.c.orig Sat Aug 29 00:16:22 2015 -+++ libtiff/tif_luv.c Sun Jan 24 17:06:27 2016 -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint1 - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint1 - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint1 - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uin - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = 
(uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uin - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uin - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uin - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, ui - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ 
TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -702,7 +735,7 @@ LogLuvEncodeTile(TIFF* tif, uint8* bp, tmsize_t cc, ui +$OpenBSD: patch-libtiff_tif_luv_c,v 1.5 2015/07/08 19:36:54 naddy Exp $ +--- libtiff/tif_luv.c.orig Thu Sep 8 15:23:57 2016 ++++ libtiff/tif_luv.c Thu Nov 24 21:44:23 2016 +@@ -743,7 +743,7 @@ LogLuvEncodeTile(TIFF* tif, uint8* bp, tmsize_t cc, ui #define itrunc(x,m) ((m)==SGILOGENCODE_NODITHER ? 
\ (int)(x) : \ Index: patches/patch-libtiff_tif_next_c =================================================================== RCS file: patches/patch-libtiff_tif_next_c diff -N patches/patch-libtiff_tif_next_c --- patches/patch-libtiff_tif_next_c 24 Jan 2016 16:48:49 -0000 1.5 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
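Review bot: The surviving `itrunc` hunk at `@@ -743,7 +743,7 @@` loses what is presumably its only explanation, because the header line `Avoid rand() warning in library.` is deleted together with the out-of-bounds notes. I would keep `Avoid rand() warning in library.` below the `$OpenBSD$` line, as patch-man_Makefile_in and patch-test_Makefile_in do with their one-line rationales. The changed line of that hunk lies outside what this diff shows, so what replaces `rand()` cannot be checked from here.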
@@ -1,42 +0,0 @@ -$OpenBSD: patch-libtiff_tif_next_c,v 1.5 2016/01/24 16:48:49 naddy Exp $ - -* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() -triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif -(bugzilla #2508) - ---- libtiff/tif_next.c.orig Sat Aug 29 00:16:22 2015 -+++ libtiff/tif_next.c Sun Jan 24 17:06:54 2016 -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -+ tmsize_t op_offset = 0; - - /* - * The scanline is composed of a sequence of constant -@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; Index: patches/patch-libtiff_tif_pixarlog_c =================================================================== RCS file: patches/patch-libtiff_tif_pixarlog_c diff -N patches/patch-libtiff_tif_pixarlog_c --- patches/patch-libtiff_tif_pixarlog_c 1 Jul 2016 11:23:44 -0000 1.6 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,36 +0,0 @@ -$OpenBSD: patch-libtiff_tif_pixarlog_c,v 1.6 2016/07/01 11:23:44 jasper Exp $ - -CVE-2016-5875(, dup?) -https://marc.info/?l=oss-security&m=146720235906569&w=2 - ---- libtiff/tif_pixarlog.c.orig Sat Aug 29 00:16:22 2015 -+++ libtiff/tif_pixarlog.c Fri Jul 1 13:04:52 2016 -@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid - typedef struct { - TIFFPredictorState predict; - z_stream stream; -+ tmsize_t tbuf_size; /* only set/used on reading for now */ - uint16 *tbuf; - uint16 stride; - int state; -@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif) - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); - if (sp->tbuf == NULL) - return (0); -+ sp->tbuf_size = tbuf_size; - if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) - sp->user_datafmt = PixarLogGuessDataFmt(td); - if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { -@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin - if (sp->stream.avail_out != nsamples * sizeof(uint16)) - { - TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); -+ return (0); -+ } -+ /* Check that we will not fill more than what was allocated */ -+ if (sp->stream.avail_out > sp->tbuf_size) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); - return (0); - } - do { Index: patches/patch-man_Makefile_in =================================================================== RCS file: /cvs/ports/graphics/tiff/patches/patch-man_Makefile_in,v retrieving revision 1.15 diff -u -p -r1.15 patch-man_Makefile_in --- patches/patch-man_Makefile_in 4 Nov 2015 20:51:36 -0000 1.15 +++ patches/patch-man_Makefile_in 24 Nov 2016 21:20:44 -0000 
@@ -2,9 +2,9 @@ $OpenBSD: patch-man_Makefile_in,v 1.15 2 Replace .3tiff man page suffix with standard .3 ---- man/Makefile.in.orig Sat Sep 12 21:48:45 2015 -+++ man/Makefile.in Wed Nov 4 17:33:52 2015 -@@ -502,7 +502,7 @@ install-man3: $(dist_man3_MANS) +--- man/Makefile.in.orig Sat Nov 19 18:40:22 2016 ++++ man/Makefile.in Thu Nov 24 21:44:23 2016 +@@ -498,7 +498,7 @@ install-man3: $(dist_man3_MANS) if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ done | \ Index: patches/patch-test_Makefile_in =================================================================== RCS file: /cvs/ports/graphics/tiff/patches/patch-test_Makefile_in,v retrieving revision 1.8 diff -u -p -r1.8 patch-test_Makefile_in --- patches/patch-test_Makefile_in 4 Nov 2015 20:51:36 -0000 1.8 +++ patches/patch-test_Makefile_in 24 Nov 2016 21:20:44 -0000 @@ -2,9 +2,9 @@ $OpenBSD: patch-test_Makefile_in,v 1.8 2 Avoid picking up an old libtiff in ${LOCALBASE}. ---- test/Makefile.in.orig Sat Sep 12 21:48:45 2015 -+++ test/Makefile.in Wed Nov 4 17:33:52 2015 -@@ -526,10 +526,10 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ +--- test/Makefile.in.orig Sat Nov 19 18:40:22 2016 ++++ test/Makefile.in Thu Nov 24 21:44:23 2016 +@@ -525,10 +525,10 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ Index: patches/patch-tools_Makefile_in =================================================================== RCS file: /cvs/ports/graphics/tiff/patches/patch-tools_Makefile_in,v retrieving revision 1.11 diff -u -p -r1.11 patch-tools_Makefile_in --- patches/patch-tools_Makefile_in 4 Nov 2015 20:51:36 -0000 1.11 +++ patches/patch-tools_Makefile_in 24 Nov 2016 21:20:44 -0000 
@@ -2,9 +2,9 @@ $OpenBSD: patch-tools_Makefile_in,v 1.11 Avoid picking up an old libtiff in ${LOCALBASE}. ---- tools/Makefile.in.orig Sat Sep 12 21:48:45 2015 -+++ tools/Makefile.in Wed Nov 4 17:33:52 2015 -@@ -353,10 +353,10 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ +--- tools/Makefile.in.orig Sat Nov 19 18:40:22 2016 ++++ tools/Makefile.in Thu Nov 24 21:44:23 2016 +@@ -332,10 +332,10 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ Index: patches/patch-tools_gif2tiff_c =================================================================== RCS file: patches/patch-tools_gif2tiff_c diff -N patches/patch-tools_gif2tiff_c --- patches/patch-tools_gif2tiff_c 1 Jul 2016 11:23:44 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-tools_gif2tiff_c,v 1.1 2016/07/01 11:23:44 jasper Exp $ - -CVE-2016-3186, patch from: -https://bugzilla.redhat.com/show_bug.cgi?id=1319666 - ---- tools/gif2tiff.c.orig Fri Jul 1 13:11:43 2016 -+++ tools/gif2tiff.c Fri Jul 1 13:12:07 2016 -@@ -349,7 +349,7 @@ readextension(void) - int status = 1; - - (void) getc(infile); -- while ((count = getc(infile)) && count <= 255) -+ while ((count = getc(infile)) && count >= 0 && count <= 255) - if (fread(buf, 1, count, infile) != (size_t) count) { - fprintf(stderr, "short read from file %s (%s)\n", - filename, strerror(errno)); Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/graphics/tiff/pkg/PLIST,v retrieving revision 1.23 diff -u -p -r1.23 PLIST --- pkg/PLIST 4 Nov 2015 20:51:36 -0000 1.23 +++ pkg/PLIST 24 Nov 2016 21:20:44 -0000 @@ -1,14 +1,9 @@ @comment $OpenBSD: PLIST,v 1.23 2015/11/04 20:51:36 naddy Exp $ -@bin bin/bmp2tiff @bin bin/fax2ps @bin bin/fax2tiff -@bin bin/gif2tiff @bin bin/pal2rgb @bin bin/ppm2tiff -@bin bin/ras2tiff @bin bin/raw2tiff -@bin bin/rgb2ycbcr -@bin bin/thumbnail @bin bin/tiff2bw @bin bin/tiff2pdf @bin bin/tiff2ps 
@@ -34,16 +29,12 @@ lib/libtiffxx.a lib/libtiffxx.la @lib lib/libtiffxx.so.${LIBtiffxx_VERSION} lib/pkgconfig/libtiff-4.pc -@man man/man1/bmp2tiff.1 @man man/man1/fax2ps.1 @man man/man1/fax2tiff.1 -@man man/man1/gif2tiff.1 @man man/man1/pal2rgb.1 @man man/man1/ppm2tiff.1 -@man man/man1/ras2tiff.1 @man man/man1/raw2tiff.1 @man man/man1/rgb2ycbcr.1 -@man man/man1/sgi2tiff.1 @man man/man1/thumbnail.1 @man man/man1/tiff2bw.1 @man man/man1/tiff2pdf.1 @@ -59,7 +50,6 @@ lib/pkgconfig/libtiff-4.pc @man man/man1/tiffmedian.1 @man man/man1/tiffset.1 @man man/man1/tiffsplit.1 -@man man/man1/tiffsv.1 @man man/man3/TIFFClose.3 @man man/man3/TIFFDataWidth.3 @man man/man3/TIFFError.3 @@ -184,18 +174,14 @@ share/doc/tiff/man/TIFFsize.3tiff.html share/doc/tiff/man/TIFFstrip.3tiff.html share/doc/tiff/man/TIFFswab.3tiff.html share/doc/tiff/man/TIFFtile.3tiff.html -share/doc/tiff/man/bmp2tiff.1.html share/doc/tiff/man/fax2ps.1.html share/doc/tiff/man/fax2tiff.1.html -share/doc/tiff/man/gif2tiff.1.html share/doc/tiff/man/index.html share/doc/tiff/man/libtiff.3tiff.html share/doc/tiff/man/pal2rgb.1.html share/doc/tiff/man/ppm2tiff.1.html -share/doc/tiff/man/ras2tiff.1.html share/doc/tiff/man/raw2tiff.1.html share/doc/tiff/man/rgb2ycbcr.1.html -share/doc/tiff/man/sgi2tiff.1.html share/doc/tiff/man/thumbnail.1.html share/doc/tiff/man/tiff2bw.1.html share/doc/tiff/man/tiff2pdf.1.html @@ -211,7 +197,6 @@ share/doc/tiff/man/tiffinfo.1.html share/doc/tiff/man/tiffmedian.1.html share/doc/tiff/man/tiffset.1.html share/doc/tiff/man/tiffsplit.1.html -share/doc/tiff/man/tiffsv.1.html share/doc/tiff/misc.html share/doc/tiff/support.html share/doc/tiff/tools.html @@ -258,3 +243,4 @@ share/doc/tiff/v4.0.4.html share/doc/tiff/v4.0.4beta.html share/doc/tiff/v4.0.5.html share/doc/tiff/v4.0.6.html +share/doc/tiff/v4.0.7.html -- Christian "naddy" Weisgerber [email protected]
