Hello community, here is the log from the commit of package tiff.5577 for openSUSE:13.2:Update checked in at 2016-09-09 10:48:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/tiff.5577 (Old) and /work/SRC/openSUSE:13.2:Update/.tiff.5577.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff.5577" Changes: -------- New Changes file: --- /dev/null 2016-07-07 10:01:34.856033756 +0200 +++ /work/SRC/openSUSE:13.2:Update/.tiff.5577.new/tiff.changes 2016-09-09 10:48:45.000000000 +0200 @@ -0,0 +1,721 @@ +------------------------------------------------------------------- +Thu Sep 1 14:35:57 UTC 2016 - fst...@suse.com + +- Added patches: + * tiff-4.0.6-CVE-2016-3623.patch + * tiff-4.0.6-CVE-2016-3945.patch + * tiff-4.0.6-CVE-2016-3990.patch + * tiff-4.0.6-CVE-2016-3991.patch + - Upstream commits to fix CVE-2016-3623 [bsc#974618], + CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069], + CVE-2016-3991 [bsc#975070] + +------------------------------------------------------------------- +Tue Jul 12 09:20:56 UTC 2016 - fst...@suse.com + +- Added patches: + * tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch + * tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch + * tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch + - Upstream commits to fix CVE-2016-5314 [bsc#984831], + CVE-2016-5316 [bsc#984837], CVE-2016-5317 [bsc#984842], + CVE-2016-5320 [bsc#984808] and CVE-2016-5875 [bsc#987351] + +------------------------------------------------------------------- +Wed Apr 6 13:56:19 UTC 2016 - fst...@suse.com + +- Added patch: + * tiff-4.0.6-CVE-2016-3186.patch + - fix CVE-2016-3186: buffer overflow in gif2tiff [bsc#973340] + +------------------------------------------------------------------- +Mon Feb 1 08:01:19 UTC 2016 - fst...@suse.com + +- Added patch: + * tiff-4.0.6-CVE-2015-8782.patch + - fix CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds + writes for invalid images (upstream bug #2522) [bsc#964225] + +------------------------------------------------------------------- +Wed Jan 13 17:03:31 UTC 2016 - fst...@suse.com + +- Added patch: + * tiff-4.0.6-CVE-2015-7554.patch + - fix CVE-2015-7554: Out-of-bounds Write in the thumbnail and + tiffcmp tools (upsteam bug #2499) [bsc#960341] + +------------------------------------------------------------------- +Mon Jan 11 13:53:42 UTC 2016 - kstreit...@suse.com + +- Added patch: + * tiff-4.0.4-uninitialized_mem_NeXTDecode.patch + - fix uninitialized memory in NeXTDecode (upstream bug #2508) + [bsc#942690] + +------------------------------------------------------------------- +Tue Dec 8 15:55:30 UTC 2015 - p.drou...@gmail.com + +- Update to version 4.0.6 + * Supports CMake 2.8.9 and later. + * Add missing file which wasn't being distributed, causing unit + tests to fail. + * Make shared/static library building configurable. + * CMake reads all version information directly from configure.ac + to avoid duplication of values. + * CMake builds are now included in 'distcheck' target. + * Autotools 'make distcheck' now tests the CMake-based build if + CMake is available. + * Fixes to avoid undefined behaviour of signed types (C standard + compliance). + * Fixes to avoid possible isses when casting to unsigned char. + * Fixes to avoid undefined behaviour with shifts. + * Fix generation of output with 16 bit or 32 bit integer, when + byte swapping is needed, in horizontal predictor (#2521). + * Fix decoding when there is a single pixel to decode + (unlikely case...) and byte swapping is involved. + * Add add explicit masking with 0xff before casting to uchar in + floating-point horizontal differencing and accumulation routines. + * Eliminate requirement for and use of 64-bit constant values. + * tiffgt : Silence glut API deprecation warnings on MacOS X. + * fax2ps : Detect failure to write to temporary file. +- Changes from version 4.0.5 + * Support for configure/build using CMake. + * Support for large (> 2GB) files under Microsoft Windows. + * Configuration and building using CMake is now supported under + Microsoft Windows and on Unix-type systems. + * Test for and use fseeko() if it is available. This allows supporting + large files on Unix-type systems with a 32-bit 'long' type and a + 64-bit 'off_t' type. + * tiffiop.h: Macros added to use 64-bit equivalents for all standard + I/O and POSIX APIs used by libtiff and its tools which are limited + to 2GB in Windows builds. Note that these 64-bit equivalents were + introduced by the CRT provided with Visual Studio 2005 and if the + necessary CRT is not installed on the target computer, the program + will not run. The wrapper macros will not be activated unless the + definition _MSC_VER is at least 1400 or __MSVCRT_VERSION__ is at + least 0x800. + * tif_unix.c: Updated to support large files under Microsoft Windows. + This makes tif_unix.c a completely viable candidate for use under + Windows (in spite of its name) if the CRT is modern enough. Please + note that tif_win32.c already supported large files, but only + 'tiffinfo' and 'tiffdump' made any provision to support large files + under Windows. + * _tiffReadProc() and _tiffWriteProc() are modified to chunk I/O to a + maximum size of 2GB for extremely large I/O requests. This surmounts + limitations in the Microsoft Windows read() and write() APIs (which + are limited to the range of a 32-bit 'int'), and may avoid poor + behavior with extremely large I/O requests on other systems. + * Updated to use I/O wrapper macros from tiffiop.h in order to + support large files under Microsoft Windows. + +------------------------------------------------------------------- +Tue Aug 4 08:17:35 UTC 2015 - kstreit...@suse.com + +- use spec-cleaner + +------------------------------------------------------------------- +Wed Jul 1 07:17:13 UTC 2015 - pgaj...@suse.com + +- update to 4.0.4 +D tiff-4.0.3-double-free.patch +D tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch +D tiff-4.0.3-CVE-2013-1961.patch +D erouault.2862.patch +D bfriesen.2805.patch +D tiff-4.0.3-CVE-2013-4232.patch +D tiff-4.0.3-CVE-2013-4244.patch +D erouault.2861.patch +D erouault.2857.patch +D erouault.2856.patch +D erouault.2859.patch +D tiff-4.0.3-CVE-2012-4564.patch +D tiff-4.0.3-tiff2pdf-colors.patch +D erouault.2876.patch +D erouault.2860.patch +D tiff-dither-malloc-check.patch +D tiff-4.0.3-CVE-2013-1960.patch +D erouault.2858.patch +D tiff-handle-TIFFTAG_PREDICTOR.patch +D tiff-4.0.3-CVE-2013-4231.patch +D tiff-4.0.3-CVE-2013-4243.patch +D erouault.2863.patch +D tiff-4.0.3-test-jpeg-turbo.patch + +------------------------------------------------------------------- +Thu Feb 26 13:58:54 UTC 2015 - pgaj...@suse.com + +- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128, + CVE-2014-8129, CVE-2014-8130, CVE-2015-1547 + bnc#914890, bnc#916925, bnc#916927 + + erouault.2856.patch + + erouault.2857.patch + + erouault.2858.patch + + erouault.2859.patch + + erouault.2860.patch + + erouault.2861.patch + + erouault.2862.patch + + erouault.2863.patch + + erouault.2876.patch + + bfriesen.2805.patch + + tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch + + tiff-handle-TIFFTAG_PREDICTOR.patch + + tiff-dither-malloc-check.patch + +------------------------------------------------------------------- +Mon Dec 22 19:58:43 UTC 2014 - meiss...@suse.com + +- build with PIE + +------------------------------------------------------------------- +Wed Aug 21 12:57:57 UTC 2013 - pgaj...@suse.com + +- security update + * CVE-2013-4232.patch [bnc#834477] + * CVE-2013-4231.patch [bnc#834477] + * CVE-2013-4244.patch [bnc#834788] + * CVE-2013-4243.patch [bnc#834779] + +------------------------------------------------------------------- +Wed Jun 26 10:48:50 UTC 2013 - pgaj...@suse.com + +- tiff2pdf: introduced warning when the compression isn't lzw or + none [bnc#819142] +- tiff2pdf: fixed crash [bnc#821872] + +------------------------------------------------------------------- +Tue Apr 30 13:20:50 UTC 2013 - pgaj...@suse.com + +- security update + * CVE-2013-1961.patch [bnc#818117] + * CVE-2013-1960.patch [bnc#817573] + +------------------------------------------------------------------- +Fri Apr 5 10:23:51 UTC 2013 - idon...@suse.com + +- Add Source URL, see https://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- ++++ 524 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.tiff.5577.new/tiff.changes New: ---- README.SUSE baselibs.conf tiff-4.0.3-compress-warning.patch tiff-4.0.3-seek.patch tiff-4.0.4-uninitialized_mem_NeXTDecode.patch tiff-4.0.6-CVE-2015-7554.patch tiff-4.0.6-CVE-2015-8782.patch tiff-4.0.6-CVE-2016-3186.patch tiff-4.0.6-CVE-2016-3623.patch tiff-4.0.6-CVE-2016-3945.patch tiff-4.0.6-CVE-2016-3990.patch tiff-4.0.6-CVE-2016-3991.patch tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch tiff-4.0.6.tar.gz tiff.changes tiff.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ # # spec file for package tiff # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: tiff Version: 4.0.6 Release: 0 Summary: Tools for Converting from and to the Tiff Format License: HPND Group: Productivity/Graphics/Convertors Url: http://www.remotesensing.org/libtiff Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz Source2: README.SUSE Source3: baselibs.conf Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2508 Patch2: tiff-4.0.4-uninitialized_mem_NeXTDecode.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2499 Patch3: tiff-4.0.6-CVE-2015-7554.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2522 Patch4: tiff-4.0.6-CVE-2015-8782.patch # Patch5: tiff-4.0.6-CVE-2016-3186.patch # Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch # Patch9: tiff-4.0.6-CVE-2016-3623.patch Patch10: tiff-4.0.6-CVE-2016-3945.patch Patch11: tiff-4.0.6-CVE-2016-3990.patch Patch12: tiff-4.0.6-CVE-2016-3991.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} > 1030 BuildRequires: lzma-devel %endif %if 0%{?suse_version} <= 1000 BuildRequires: pkgconfig %endif %if 0%{?suse_version} > 1000 BuildRequires: pkg-config %endif # bug437293 %ifarch ppc64 Obsoletes: tiff-64bit %endif %if 0%{?suse_version} > 1210 BuildRequires: libjbig-devel %endif %description This package contains the library and support programs for the TIFF image format. %package -n libtiff5 Summary: The Tiff Library (with JPEG and compression support) Group: System/Libraries Provides: libtiff = %{version} # bug437293 %ifarch ppc64 Obsoletes: libtiff-64bit %endif # %description -n libtiff5 This package includes the tiff libraries. To link a program with libtiff, you will have to add -ljpeg and -lz to include the necessary libjpeg and libz in the linking process. %package -n libtiff-devel Summary: Development Tools for Programs which will use the libtiff Library Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libstdc++-devel Requires: libtiff5 = %{version} # bug437293 %ifarch ppc64 Obsoletes: tiff-devel-64bit %endif # %description -n libtiff-devel This package contains the header files and static libraries for developing programs which will manipulate TIFF format image files using the libtiff library. %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 %patch3 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %build CFLAGS="%{optflags} -fPIE" %configure --disable-static --with-pic make %{?_smp_mflags} LDFLAGS="-pie" %install mkdir -p %{buildroot}/{%{_mandir}/{man1,man3},usr/{bin,lib,include}} make DESTDIR=%{buildroot} install %{?_smp_mflags} for f in `find %{buildroot}/%{_mandir} -type f -print ` ; do if [ `wc -l <$f` -eq 1 ] && grep -q "^\.so " $f ; then linkto=`sed -e "s|^\.so ||" $f` [ -f "`dirname $f`/$linkto" ] && ln -sf "$linkto" $f fi done cp %{SOURCE2} . rm -rf %{buildroot}%{_datadir}/doc/tiff* find %{buildroot} -type f -name "*.la" -delete -print find html -name "Makefile*" | xargs rm %check cd test make %{?_smp_mflags} check %post -n libtiff5 -p /sbin/ldconfig %postun -n libtiff5 -p /sbin/ldconfig %files %defattr(-,root,root) %{_bindir}/* %doc html %doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE %{_mandir}/man1/* %files -n libtiff5 %defattr(-,root,root) %doc README COPYRIGHT README.SUSE %{_libdir}/*.so.* %files -n libtiff-devel %defattr(-,root,root) %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %{_mandir}/man3/* %changelog ++++++ README.SUSE ++++++ The documentation for tiff programs and library is in package tiff in directory /usr/share/doc/packages/tiff.++++++ baselibs.conf ++++++ libtiff5 obsoletes "libtiff-<targettype> <= <version>" provides "libtiff-<targettype> = <version>" libtiff-devel requires -libtiff-<targettype> requires "libtiff5-<targettype> = <version>" ++++++ tiff-4.0.3-compress-warning.patch ++++++ Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c +++ tiff-4.0.3/tools/tiff2pdf.c @@ -1264,6 +1264,15 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* return; } + if(t2p->tiff_compression != COMPRESSION_LZW && + t2p->tiff_compression != COMPRESSION_NONE){ + TIFFWarning( + TIFF2PDF_MODULE, + "%s is not compressed with LZW or NONE.\n" + "tiff2pdf result may be incorrect in that case.\n" + "Consider to use tiffcp(1) to change compress algorithm first.", + TIFFFileName(input) ); + } if( TIFFIsCODECConfigured(t2p->tiff_compression) == 0){ TIFFError( TIFF2PDF_MODULE, ++++++ tiff-4.0.3-seek.patch ++++++ Index: tiff-4.0.1/libtiff/tiffiop.h =================================================================== --- tiff-4.0.1.orig/libtiff/tiffiop.h +++ tiff-4.0.1/libtiff/tiffiop.h @@ -213,7 +213,7 @@ struct tiff { #define TIFFWriteFile(tif, buf, size) \ ((*(tif)->tif_writeproc)((tif)->tif_clientdata,(buf),(size))) #define TIFFSeekFile(tif, off, whence) \ - ((*(tif)->tif_seekproc)((tif)->tif_clientdata,(off),(whence))) + ((tif)->tif_seekproc?((*(tif)->tif_seekproc)((tif)->tif_clientdata,(toff_t)(off),whence)):0) #define TIFFCloseFile(tif) \ ((*(tif)->tif_closeproc)((tif)->tif_clientdata)) #define TIFFGetFileSize(tif) \ ++++++ tiff-4.0.4-uninitialized_mem_NeXTDecode.patch ++++++ --- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 +++ libtiff/tif_next.c 27 Dec 2015 16:55:20 -0000 1.17 @@ -37,7 +37,7 @@ case 0: op[0] = (unsigned char) ((v) << 6); break; \ case 1: op[0] |= (v) << 4; break; \ case 2: op[0] |= (v) << 2; break; \ - case 3: *op++ |= (v); break; \ + case 3: *op++ |= (v); op_offset++; break; \ } \ } @@ -106,6 +106,7 @@ uint32 imagewidth = tif->tif_dir.td_imagewidth; if( isTiled(tif) ) imagewidth = tif->tif_dir.td_tilewidth; + tmsize_t op_offset = 0; /* * The scanline is composed of a sequence of constant @@ -122,10 +123,15 @@ * bounds, potentially resulting in a security * issue. */ - while (n-- > 0 && npixels < imagewidth) + while (n-- > 0 && npixels < imagewidth && op_offset < scanline) SETPIXEL(op, grey); if (npixels >= imagewidth) break; + if (op_offset >= scanline ) { + TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", + (long) tif->tif_row); + return (0); + } if (cc == 0) goto bad; n = *bp++, cc--; ++++++ tiff-4.0.6-CVE-2015-7554.patch ++++++ --- libtiff/tif_dirinfo.c 12 Dec 2015 18:04:26 -0000 1.124 +++ libtiff/tif_dirinfo.c 12 Jan 2016 15:01:21 -0000 @@ -87,6 +87,7 @@ { TIFFTAG_DATETIME, 20, 20, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "DateTime", NULL }, { TIFFTAG_ARTIST, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Artist", NULL }, { TIFFTAG_HOSTCOMPUTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "HostComputer", NULL }, + { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CODEC+0, FALSE, FALSE, "Predictor", NULL }, { TIFFTAG_WHITEPOINT, 2, 2, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "WhitePoint", NULL }, { TIFFTAG_PRIMARYCHROMATICITIES, 6, 6, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "PrimaryChromaticities", NULL }, { TIFFTAG_COLORMAP, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_OTHER, TIFF_SETGET_UNDEFINED, FIELD_COLORMAP, 1, 0, "ColorMap", NULL }, @@ -95,6 +96,7 @@ { TIFFTAG_TILELENGTH, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UNDEFINED, FIELD_TILEDIMENSIONS, 0, 0, "TileLength", NULL }, { TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL }, { TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", &tiffFieldArray }, { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, ++++++ tiff-4.0.6-CVE-2015-8782.patch ++++++ --- a/libtiff/tif_luv.c +++ b/libtiff/tif_luv.c @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_16BIT) tp = (int16*) op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (int16*) sp->tbuf; } _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) cc = tif->tif_rawcc; /* get each byte string */ for (shft = 2*8; (shft -= 8) >= 0; ) { - for (i = 0; i < npixels && cc > 0; ) + for (i = 0; i < npixels && cc > 0; ) { if (*bp >= 128) { /* run */ - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ + if( cc < 2 ) + break; + rc = *bp++ + (2-128); b = (int16)(*bp++ << shft); cc -= 2; while (rc-- && i < npixels) @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) while (--cc && rc-- && i < npixels) tp[i++] |= (int16)*bp++ << shft; } + } if (i != npixels) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_RAW) tp = (uint32 *)op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (uint32 *) sp->tbuf; } /* copy to array of uint32 */ bp = (unsigned char*) tif->tif_rawcp; cc = tif->tif_rawcc; - for (i = 0; i < npixels && cc > 0; i++) { + for (i = 0; i < npixels && cc >= 3; i++) { tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; bp += 3; cc -= 3; @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_RAW) tp = (uint32*) op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (uint32*) sp->tbuf; } _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) cc = tif->tif_rawcc; /* get each byte string */ for (shft = 4*8; (shft -= 8) >= 0; ) { - for (i = 0; i < npixels && cc > 0; ) + for (i = 0; i < npixels && cc > 0; ) { if (*bp >= 128) { /* run */ + if( cc < 2 ) + break; rc = *bp++ + (2-128); b = (uint32)*bp++ << shft; - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ + cc -= 2; while (rc-- && i < npixels) tp[i++] |= b; } else { /* non-run */ @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) while (--cc && rc-- && i < npixels) tp[i++] |= (uint32)*bp++ << shft; } + } if (i != npixels) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, @@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogL16Encode"; LogLuvState* sp = EncoderState(tif); int shft; tmsize_t i; @@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (int16*) bp; else { tp = (int16*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* compress each byte string */ @@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogLuvEncode24"; LogLuvState* sp = EncoderState(tif); tmsize_t i; tmsize_t npixels; @@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (uint32*) bp; else { tp = (uint32*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* write out encoded pixels */ @@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogLuvEncode32"; LogLuvState* sp = EncoderState(tif); int shft; tmsize_t i; @@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (uint32*) bp; else { tp = (uint32*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* compress each byte string */ ++++++ tiff-4.0.6-CVE-2016-3186.patch ++++++ --- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200 +++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200 @@ -349,7 +349,7 @@ int status = 1; (void) getc(infile); - while ((count = getc(infile)) && count <= 255) + while ((count = getc(infile)) && count > 0 && count <= 255) if (fread(buf, 1, count, infile) != (size_t) count) { fprintf(stderr, "short read from file %s (%s)\n", filename, strerror(errno)); ++++++ tiff-4.0.6-CVE-2016-3623.patch ++++++ --- tiff-4.0.6/tools/rgb2ycbcr.c 2015-08-29 00:17:08.195093258 +0200 +++ tiff-4.0.6/tools/rgb2ycbcr.c 2016-09-01 16:23:31.472089246 +0200 @@ -95,9 +95,13 @@ break; case 'h': horizSubSampling = atoi(optarg); + if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 ) + usage(-1); break; case 'v': vertSubSampling = atoi(optarg); + if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 ) + usage(-1); break; case 'r': rowsperstrip = atoi(optarg); ++++++ tiff-4.0.6-CVE-2016-3945.patch ++++++ --- tiff-4.0.6/tools/tiff2rgba.c 2015-08-29 00:17:08.259977702 +0200 +++ tiff-4.0.6/tools/tiff2rgba.c 2016-09-01 16:05:40.451318911 +0200 @@ -147,6 +147,7 @@ uint32 row, col; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); @@ -163,7 +164,13 @@ /* * Allocate tile buffer */ - raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); + rastersize = tile_width * tile_height * sizeof (uint32); + if (tile_width != (rastersize / tile_height) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); @@ -173,7 +180,13 @@ * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + wrk_linesize = tile_width * sizeof (uint32); + if (tile_width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0; @@ -249,6 +262,7 @@ uint32 row; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); @@ -263,7 +277,13 @@ /* * Allocate strip buffer */ - raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); + rastersize = width * rowsperstrip * sizeof (uint32); + if (width != (rastersize / rowsperstrip) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); @@ -273,7 +293,13 @@ * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + wrk_linesize = width * sizeof (uint32); + if (width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0; ++++++ tiff-4.0.6-CVE-2016-3990.patch ++++++ --- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 +++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-09-01 16:12:07.226933631 +0200 @@ -1131,6 +1131,13 @@ } llen = sp->stride * td->td_imagewidth; + /* Check against the number of elements (of size uint16) of sp->tbuf */ + if( n > (tmsize_t)(td->td_rowsperstrip * llen) ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Too many input bytes provided"); + return 0; + } for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { switch (sp->user_datafmt) { Only in tiff-4.0.6/libtiff: tif_pixarlog.c.orig ++++++ tiff-4.0.6-CVE-2016-3991.patch ++++++ --- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200 +++ tiff-4.0.6/tools/tiffcrop.c 2016-09-01 16:21:40.874478425 +0200 @@ -798,6 +798,11 @@ } tile_buffsize = tilesize; + if (tilesize == 0 || tile_rowsize == 0) + { + TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); + exit(-1); + } if (tilesize < (tsize_t)(tl * tile_rowsize)) { @@ -807,6 +812,11 @@ tilesize, tl * tile_rowsize); #endif tile_buffsize = tl * tile_rowsize; + if (tl != (tile_buffsize / tile_rowsize)) + { + TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); + exit(-1); + } } tilebuf = _TIFFmalloc(tile_buffsize); @@ -1210,6 +1220,12 @@ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) return 1; + if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) + { + TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); + exit(-1); + } + tile_buffsize = tilesize; if (tilesize < (tsize_t)(tl * tile_rowsize)) { @@ -1219,6 +1235,11 @@ tilesize, tl * tile_rowsize); #endif tile_buffsize = tl * tile_rowsize; + if (tl != tile_buffsize / tile_rowsize) + { + TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); + exit(-1); + } } tilebuf = _TIFFmalloc(tile_buffsize); @@ -5945,12 +5966,27 @@ TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); tile_rowsize = TIFFTileRowSize(in); + if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) + { + TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); + exit(-1); + } buffsize = tlsize * ntiles; - + if (tlsize != (buffsize / ntiles)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) { buffsize = ntiles * tl * tile_rowsize; + if (ntiles != (buffsize / tl / tile_rowsize)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } + #ifdef DEBUG2 TIFFError("loadImage", "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", @@ -5965,12 +6001,29 @@ } else { + uint32 buffsize_check; readunit = STRIP; TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); stsize = TIFFStripSize(in); nstrips = TIFFNumberOfStrips(in); - buffsize = stsize * nstrips; + if (nstrips == 0 || stsize == 0) + { + TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); + exit(-1); + } + buffsize = stsize * nstrips; + if (stsize != (buffsize / nstrips)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } + buffsize_check = ((length * width * spp * bps) + 7); + if (length != ((buffsize_check - 7) / width / spp / bps)) + { + TIFFError("loadImage", "Integer overflow detected."); + exit(-1); + } if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) { buffsize = ((length * width * spp * bps) + 7) / 8; ++++++ tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch ++++++ --- tiff-4.0.6/libtiff/tif_luv.c 2015-08-29 00:16:22.554966897 +0200 +++ tiff-4.0.6/libtiff/tif_luv.c 2016-07-12 10:15:05.008194511 +0200 @@ -1243,6 +1243,14 @@ assert(sp != NULL); assert(td->td_photometric == PHOTOMETRIC_LOGL); + if( td->td_samplesperpixel != 1 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Sorry, can not handle LogL image with %s=%d", + "Samples/pixel", td->td_samplesperpixel); + return 0; + } + /* for some reason, we can't do this in TIFFInitLogL16 */ if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN) sp->user_datafmt = LogL16GuessDataFmt(td); ++++++ tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch ++++++ --- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 +++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-07-12 10:11:52.444459447 +0200 @@ -457,6 +457,7 @@ typedef struct { TIFFPredictorState predict; z_stream stream; + tmsize_t tbuf_size; /* only set/used on reading for now */ uint16 *tbuf; uint16 stride; int state; @@ -692,6 +693,7 @@ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); if (sp->tbuf == NULL) return (0); + sp->tbuf_size = tbuf_size; if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { @@ -781,6 +783,12 @@ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); return (0); } + /* Check that we will not fill more than what was allocated */ + if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size) + { + TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); + return (0); + } do { int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); if (state == Z_STREAM_END) { ++++++ tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch ++++++ --- tiff-4.0.6/libtiff/tif_read.c 2015-08-29 00:16:22.656727936 +0200 +++ tiff-4.0.6/libtiff/tif_read.c 2016-07-12 10:16:48.693897925 +0200 @@ -38,6 +38,8 @@ static int TIFFCheckRead(TIFF*, int); static tmsize_t TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module); +static tmsize_t +TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module); #define NOSTRIP ((uint32)(-1)) /* undefined state */ #define NOTILE ((uint32)(-1)) /* undefined state */ @@ -350,6 +352,24 @@ stripsize=TIFFVStripSize(tif,rows); if (stripsize==0) return((tmsize_t)(-1)); + + /* shortcut to avoid an extra memcpy() */ + if( td->td_compression == COMPRESSION_NONE && + size!=(tmsize_t)(-1) && size >= stripsize && + !isMapped(tif) && + ((tif->tif_flags&TIFF_NOREADRAW)==0) ) + { + if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize) + return ((tmsize_t)(-1)); + + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits(buf,stripsize); + + (*tif->tif_postdecode)(tif,buf,stripsize); + return (stripsize); + } + if ((size!=(tmsize_t)(-1))&&(size<stripsize)) stripsize=size; if (!TIFFFillStrip(tif,strip)) @@ -661,6 +681,24 @@ (unsigned long) tile, (unsigned long) td->td_nstrips); return ((tmsize_t)(-1)); } + + /* shortcut to avoid an extra memcpy() */ + if( td->td_compression == COMPRESSION_NONE && + size!=(tmsize_t)(-1) && size >= tilesize && + !isMapped(tif) && + ((tif->tif_flags&TIFF_NOREADRAW)==0) ) + { + if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize) + return ((tmsize_t)(-1)); + + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits(buf,tilesize); + + (*tif->tif_postdecode)(tif,buf,tilesize); + return (tilesize); + } + if (size == (tmsize_t)(-1)) size = tilesize; else if (size > tilesize) --- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200 +++ tiff-4.0.6/libtiff/tif_write.c 2016-07-12 10:16:48.693897925 +0200 @@ -258,6 +258,23 @@ tif->tif_rawcp = tif->tif_rawdata; tif->tif_flags &= ~TIFF_POSTENCODE; + + /* shortcut to avoid an extra memcpy() */ + if( td->td_compression == COMPRESSION_NONE ) + { + /* swab if needed - note that source buffer will be altered */ + tif->tif_postdecode( tif, (uint8*) data, cc ); + + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits((uint8*) data, cc); + + if (cc > 0 && + !TIFFAppendToStrip(tif, strip, (uint8*) data, cc)) + return ((tmsize_t) -1); + return (cc); + } + sample = (uint16)(strip / td->td_stripsperimage); if (!(*tif->tif_preencode)(tif, sample)) return ((tmsize_t) -1); @@ -431,9 +448,7 @@ tif->tif_flags |= TIFF_CODERSETUP; } tif->tif_flags &= ~TIFF_POSTENCODE; - sample = (uint16)(tile/td->td_stripsperimage); - if (!(*tif->tif_preencode)(tif, sample)) - return ((tmsize_t)(-1)); + /* * Clamp write amount to the tile size. This is mostly * done so that callers can pass in some large number @@ -442,6 +457,25 @@ if ( cc < 1 || cc > tif->tif_tilesize) cc = tif->tif_tilesize; + /* shortcut to avoid an extra memcpy() */ + if( td->td_compression == COMPRESSION_NONE ) + { + /* swab if needed - note that source buffer will be altered */ + tif->tif_postdecode( tif, (uint8*) data, cc ); + + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits((uint8*) data, cc); + + if (cc > 0 && + !TIFFAppendToStrip(tif, tile, (uint8*) data, cc)) + return ((tmsize_t) -1); + return (cc); + } + + sample = (uint16)(tile/td->td_stripsperimage); + if (!(*tif->tif_preencode)(tif, sample)) + return ((tmsize_t)(-1)); /* swab if needed - note that source buffer will be altered */ tif->tif_postdecode( tif, (uint8*) data, cc );