diff options
| author | taca <taca@pkgsrc.org> | 2012-04-10 14:13:04 +0000 |
|---|---|---|
| committer | taca <taca@pkgsrc.org> | 2012-04-10 14:13:04 +0000 |
| commit | a70dfa2f02d79a399b51acc1836ed57708337ddc (patch) | |
| tree | 829fa6bd94bc176a07c9e238711a5d917e230650 | |
| parent | 95ef5b5471258caa68de389280480c08997ff359 (diff) | |
| download | pkgsrc-a70dfa2f02d79a399b51acc1836ed57708337ddc.tar.gz | |
Add fix for CVE-2012-1173 from upstream.
Bump PKGREVISION.
| -rw-r--r-- | graphics/tiff/Makefile | 3 | ||||
| -rw-r--r-- | graphics/tiff/distinfo | 4 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif__getimage.c | 60 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-libtiff_tiffiop.h | 15 |
4 files changed, 80 insertions, 2 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index 2d20ae933d9..69b7abae6f8 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.103 2012/02/21 13:03:00 drochner Exp $ +# $NetBSD: Makefile,v 1.104 2012/04/10 14:13:04 taca Exp $ DISTNAME= tiff-4.0.1 +PKGREVISION= 1 CATEGORIES= graphics MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ http://libtiff.maptools.org/dl/ diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo index 3f00399c78d..fb72d178956 100644 --- a/graphics/tiff/distinfo +++ b/graphics/tiff/distinfo @@ -1,6 +1,8 @@ -$NetBSD: distinfo,v 1.54 2012/02/21 13:03:00 drochner Exp $ +$NetBSD: distinfo,v 1.55 2012/04/10 14:13:04 taca Exp $ SHA1 (tiff-4.0.1.tar.gz) = 8baf382231c9051a1b3eb294581289aa21447171 RMD160 (tiff-4.0.1.tar.gz) = abf98ab277edaee302b432dbcecfe68061dd91dc Size (tiff-4.0.1.tar.gz) = 1991580 bytes SHA1 (patch-configure) = 0e86c6d69783333c03d6241e1824f68602f3c732 +SHA1 (patch-libtiff_tif__getimage.c) = fc1f63b669fb8871935d4bf12e09dc1c78150f91 +SHA1 (patch-libtiff_tiffiop.h) = 8729e474106a0edce4284004f6f6d95b97c4a544 diff --git a/graphics/tiff/patches/patch-libtiff_tif__getimage.c b/graphics/tiff/patches/patch-libtiff_tif__getimage.c new file mode 100644 index 00000000000..813df6c76ed --- /dev/null +++ b/graphics/tiff/patches/patch-libtiff_tif__getimage.c @@ -0,0 +1,60 @@ +$NetBSD: patch-libtiff_tif__getimage.c,v 1.1 2012/04/10 14:13:04 taca Exp $ + +Fix for CVE-2012-1173 from upstream. + +--- libtiff/tif_getimage.c.orig 2011-02-25 03:34:02.000000000 +0000 ++++ libtiff/tif_getimage.c +@@ -692,6 +692,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint3 + unsigned char* p2; + unsigned char* pa; + tmsize_t tilesize; ++ tmsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + uint32 nrow; +@@ -699,12 +700,17 @@ gtTileSeparate(TIFFRGBAImage* img, uint3 + int colorchannels; + + tilesize = TIFFTileSize(tif); +- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); ++ bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); ++ return (0); ++ } ++ buf = (unsigned char*) _TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); ++ _TIFFmemset(buf, 0, bufsize); + p0 = buf; + p1 = p0 + tilesize; + p2 = p1 + tilesize; +@@ -917,17 +923,23 @@ gtStripSeparate(TIFFRGBAImage* img, uint + uint32 rowsperstrip, offset_row; + uint32 imagewidth = img->width; + tmsize_t stripsize; ++ tmsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + int ret = 1, flip, colorchannels; + + stripsize = TIFFStripSize(tif); +- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); ++ bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); ++ return (0); ++ } ++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); ++ _TIFFmemset(buf, 0, bufsize); + p1 = p0 + stripsize; + p2 = p1 + stripsize; + pa = (alpha?(p2+stripsize):NULL); diff --git a/graphics/tiff/patches/patch-libtiff_tiffiop.h b/graphics/tiff/patches/patch-libtiff_tiffiop.h new file mode 100644 index 00000000000..39141dada5d --- /dev/null +++ b/graphics/tiff/patches/patch-libtiff_tiffiop.h @@ -0,0 +1,15 @@ +$NetBSD: patch-libtiff_tiffiop.h,v 1.1 2012/04/10 14:13:04 taca Exp $ + +Fix for CVE-2012-1173 from upstream. + +--- libtiff/tiffiop.h.orig 2011-02-19 16:26:09.000000000 +0000 ++++ libtiff/tiffiop.h +@@ -250,7 +250,7 @@ struct tiff { + #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) + + /* Safe multiply which returns zero if there is an integer overflow */ +-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) |