From fc637fb28da700da71ec2064d65ca5a7a31b9c6c Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sun, 18 Aug 2019 18:16:17 +0100
Subject: gentoo resync : 18.08.2019
---
...-2018-17000-tif_dirwrite-null-dereference.patch | 33 ++++++++++
.../tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch | 48 ++++++++++++++
....0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch | 73 ++++++++++++++++++++++
3 files changed, 154 insertions(+)
create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
(limited to 'media-libs/tiff/files')
diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
new file mode 100644
index 000000000000..321c6a428afa
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
@@ -0,0 +1,33 @@
+https://crbug.com/901306
+
+commit 802d3cbf3043be5dce5317e140ccb1c17a6a2d39
+Author: Thomas Bernard
+Date: Tue Jan 29 11:21:47 2019 +0100
+
+ TIFFWriteDirectoryTagTransferfunction() : fix NULL dereferencing
+
+ http://bugzilla.maptools.org/show_bug.cgi?id=2833
+
+ we must check the pointer is not NULL before memcmp() the memory
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index c15a28dbd8fcb99b81fa5a1d44fcbcda881f42a7..ef30c869d30e210d90be16ce91f44087925fbad3 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
+ n=3;
+ if (n==3)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[2] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ n=2;
+ }
+ if (n==2)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[1] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ n=1;
+ }
+ if (n==0)
diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
new file mode 100644
index 000000000000..38d020fec246
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
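Review bot: In the tif_dirwrite.c hunk the added guards test only `td_transferfunction[2]` and `td_transferfunction[1]` for NULL, while `td_transferfunction[0]` is still passed to `_TIFFmemcmp()` as the first operand with no check visible here. If a directory can reach this function with the first table unset, the same NULL read remains; a guard such as `if (tif->tif_dir.td_transferfunction[0] == NULL) return 0;` ahead of the `n==3` test would close it, assuming 0 is this function's failure return. The function starts and ends outside the hunk, so confirm that against the rest of the body and its caller. A one-line comment such as `/* a missing table is treated like a duplicate of table 0 and is not written */` would also help, because the new condition silently lowers `n`.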
@@ -0,0 +1,48 @@
+https://crbug.com/923647
+
+commit ae0bed1fe530a82faf2e9ea1775109dbf301a971
+Merge: 933784a1 0c74a9f4
+Author: Even Rouault
+Date: Sat Feb 2 14:46:05 2019 +0000
+
+ Merge branch 'master' into 'master'
+
+ Fix for simple memory leak that was assigned CVE-2019-6128.
+
+ See merge request libtiff/libtiff!50
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ shortv != PHOTOMETRIC_PALETTE) {
+ fprintf(stderr, "%s: Expecting a palette image.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ fprintf(stderr,
+ "%s: No colormap (not a valid palette image).\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ if (bitspersample != 8) {
+ fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ out = TIFFOpen(argv[optind+1], "w");
+- if (out == NULL)
++ if (out == NULL) {
++ (void) TIFFClose(in);
+ return (-2);
++ }
+ cpTags(in, out);
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
new file mode 100644
index 000000000000..a68ba2f4bbd2
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
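Review bot: In the pal2rgb.c hunks the pair `(void) TIFFClose(in); return ...;` is now repeated on four separate exit paths of `main`, so every future early return has to remember the close or the leak comes back. A single cleanup exit would be sturdier: set a status and `goto done;`, with `done: (void) TIFFClose(in); return status;` at the end. `main` continues past the last line of the hunk, so the exits after `out` is opened are not visible here and should be checked to release both `in` and `out`.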
@@ -0,0 +1,73 @@
+From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
+
+fixes bug 2833
+---
+ tools/tiffcp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 2f406e2d7..f0ee2c029 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (spp > (0x7fffffff / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
+--
+2.21.0
+
+
+From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Mon, 11 Feb 2019 21:42:03 +0100
+Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
+
+---
+ tools/tiffcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index f0ee2c029..8c81aa4f2 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
+- if (spp > (0x7fffffff / tilew))
++ if (spp > (INT_MAX / tilew))
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+--
+2.21.0
+
-- cgit v1.2.3
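Review bot: The new guard in readSeparateTilesIntoBuffer, `if (spp > (INT_MAX / tilew))`, divides by `tilew` without first checking it for zero. `tilew` is assigned from `TIFFTileRowSize(in)`; if that call can yield 0 for a malformed or overflowing tile geometry (worth confirming in libtiff), a crafted file turns the overflow check itself into a division by zero. Testing the divisor first avoids this: `if (tilew && spp > (INT_MAX / tilew))`. The same expression appears in [PATCH 1/2] with `0x7fffffff`, but only the final form from [PATCH 2/2] needs the change. The function body continues outside both hunks, so how a zero `tilew` is handled further down could not be checked here.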