patches from upstream for

CVE-2017-11613 CVE-2017-18013 CVE-2018-5784 CVE-2018-10963 CVE-2018-17100 CVE-2018-17101
author: spz <spz@pkgsrc.org> 2018-10-28 09:45:07 +0000
committer: spz <spz@pkgsrc.org> 2018-10-28 09:45:07 +0000
commit: ae382bbf8437a323954db66e5341fa94aaa3bbe3 (patch)
tree: d87bdff0e8b27c1777b51bae70cbf7e38547fd0e /graphics/tiff
parent: 1828d02bb12090fc2faf942e2329c22d622c1ad3 (diff)
download: pkgsrc-ae382bbf8437a323954db66e5341fa94aaa3bbe3.tar.gz
8 files changed, 362 insertions, 3 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 51e0ec10285..151545919eb 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.142 2018/10/25 22:58:05 maya Exp $
+# $NetBSD: Makefile,v 1.143 2018/10/28 09:45:07 spz Exp $
 
 DISTNAME=	tiff-4.0.9
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://download.osgeo.org/libtiff/
 
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index cdaaca616b0..c4b272ccb74 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.91 2018/10/25 22:58:05 maya Exp $
+$NetBSD: distinfo,v 1.92 2018/10/28 09:45:07 spz Exp $
 
 SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296
 RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3
 SHA512 (tiff-4.0.9.tar.gz) = 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd
 Size (tiff-4.0.9.tar.gz) = 2305681 bytes
+SHA1 (patch-CVE-2017-11613) = 76db7d185ef5b82e7136ce451432e3e4b0cc5c12
+SHA1 (patch-CVE-2017-18013) = ebfdfb964aeafb3d8af2f7ad151270d8133f3e96
 SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610
+SHA1 (patch-CVE-2018-10963) = 564b65546c0e63a00d87ef9bb9d9cc8c5ca5a4ee
+SHA1 (patch-CVE-2018-17100) = 85290ca7d806087e640b1a6f5c3de5dda9c2060e
+SHA1 (patch-CVE-2018-17101) = 02039854f7c79d5937d585ca3e6355a7f41b7d1a
+SHA1 (patch-CVE-2018-5784) = 26e2c196b4150958dd37b33c1900c5baa6188661
 SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3
diff --git a/graphics/tiff/patches/patch-CVE-2017-11613 b/graphics/tiff/patches/patch-CVE-2017-11613
new file mode 100644
index 00000000000..3097d623c78
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2017-11613
@@ -0,0 +1,113 @@
+$NetBSD: patch-CVE-2017-11613,v 1.1 2018/10/28 09:45:07 spz Exp $
+
+patch for CVE-2017-11613 taken from upstream git repo
+
+--- libtiff/tif_dirread.c.orig	2017-09-16 19:07:56.000000000 +0000
++++ libtiff/tif_dirread.c
+@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+ 
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+ 
+@@ -3507,6 +3508,35 @@ static void TIFFReadDirEntryOutputErr(TI
+ }
+ 
+ /*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++    switch (photometric) {
++	case PHOTOMETRIC_PALETTE:
++	case PHOTOMETRIC_MINISWHITE:
++	case PHOTOMETRIC_MINISBLACK:
++	    return 1;
++	case PHOTOMETRIC_YCBCR:
++	case PHOTOMETRIC_RGB:
++	case PHOTOMETRIC_CIELAB:
++	    return 3;
++	case PHOTOMETRIC_SEPARATED:
++	case PHOTOMETRIC_MASK:
++	    return 4;
++	case PHOTOMETRIC_LOGL:
++	case PHOTOMETRIC_LOGLUV:
++	case PHOTOMETRIC_CFA:
++	case PHOTOMETRIC_ITULAB:
++	case PHOTOMETRIC_ICCLAB:
++	default:
++	    return 0;
++    }
++}
++	
++/*
+  * Read the next TIFF directory from a file and convert it to the internal
+  * format. We read directories sequentially.
+  */
+@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
+ 	uint32 fii=FAILED_FII;
+         toff_t nextdiroff;
+     int bitspersample_read = FALSE;
++	int color_channels;
+ 
+ 	tif->tif_diroff=tif->tif_nextdiroff;
+ 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
+ 			}
+ 		}
+ 	}
++
++	/*
++	 * Make sure all non-color channels are extrasamples.
++	 * If it's not the case, define them as such.
++	 */
++	color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++	if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++		uint16 old_extrasamples;
++		uint16 *new_sampleinfo;
++
++		TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++		    "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++		    "Defining non-color channels as ExtraSamples.");
++
++		old_extrasamples = tif->tif_dir.td_extrasamples;
++		tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++		// sampleinfo should contain information relative to these new extra samples
++		new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++		if (!new_sampleinfo) {
++		    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++				"temporary new sampleinfo array (%d 16 bit elements)",
++				tif->tif_dir.td_extrasamples);
++		    goto bad;
++		}
++
++		memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++		_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++		_TIFFfree(new_sampleinfo);
++	}
++
+ 	/*
+ 	 * Verify Palette image has a Colormap.
+ 	 */
+@@ -5698,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+         if( nstrips == 0 )
+             return;
+ 
++        /* If we are going to allocate a lot of memory, make sure that the */
++	/* file is as big as needed */
++	if( tif->tif_mode == O_RDONLY &&
++	    nstrips > 1000000 &&
++	    (offset >= TIFFGetFileSize(tif) ||
++	     stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
++	{
++	    return;
++	}
++
+ 	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripByteCounts\" array");
+ 	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff --git a/graphics/tiff/patches/patch-CVE-2017-18013 b/graphics/tiff/patches/patch-CVE-2017-18013
new file mode 100644
index 00000000000..755fd323193
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2017-18013
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2017-18013,v 1.1 2018/10/28 09:45:07 spz Exp $
+
+patch for patch-CVE-2017-18013 from upstream git repo
+
+--- libtiff/tif_print.c.orig	2016-11-25 17:26:23.000000000 +0000
++++ libtiff/tif_print.c	2018-10-09 17:35:21.544815948 +0000
+@@ -667,13 +667,13 @@
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
+ 			    (unsigned long) s,
+-			    (unsigned __int64) td->td_stripoffset[s],
+-			    (unsigned __int64) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
+ 			    (unsigned long) s,
+-			    (unsigned long long) td->td_stripoffset[s],
+-			    (unsigned long long) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ 	}
+ }
diff --git a/graphics/tiff/patches/patch-CVE-2018-10963 b/graphics/tiff/patches/patch-CVE-2018-10963
new file mode 100644
index 00000000000..1305c24a45a
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2018-10963
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2018-10963,v 1.1 2018/10/28 09:45:07 spz Exp $
+
+patch for CVE-2018-10963 from upstream git repo
+
+--- libtiff/tif_dirwrite.c.orig	2017-08-29 13:39:48.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi
+ 								}
+ 								break;
+ 							default:
+-								assert(0);   /* we should never get here */
+-								break;
++								TIFFErrorExt(tif->tif_clientdata,module,
++								"Cannot write tag %d (%s)",
++								TIFFFieldTag(o),
++								o->field_name ? o->field_name : "unknown");
++																		goto bad;
+ 						}
+ 					}
+ 				}
diff --git a/graphics/tiff/patches/patch-CVE-2018-17100 b/graphics/tiff/patches/patch-CVE-2018-17100
new file mode 100644
index 00000000000..d7b01b89640
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2018-17100
@@ -0,0 +1,30 @@
+$NetBSD: patch-CVE-2018-17100,v 1.1 2018/10/28 09:45:07 spz Exp $
+
+Patch for CVE-2018-17100 from upstream git repo
+
+--- tools/ppm2tiff.c.orig	2015-08-28 22:17:08.000000000 +0000
++++ tools/ppm2tiff.c	2018-10-09 17:20:10.068567016 +0000
+@@ -72,16 +72,17 @@
+ 	exit(-2);
+ }
+ 
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-	tmsize_t bytes = m1 * m2;
+-
+-	if (m1 && bytes / m1 != m2)
+-		bytes = 0;
++	if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++	    return 0;
+ 
+-	return bytes;
+-}
++	return m1 * m2;
++}  
+ 
+ int
+ main(int argc, char* argv[])
diff --git a/graphics/tiff/patches/patch-CVE-2018-17101 b/graphics/tiff/patches/patch-CVE-2018-17101
new file mode 100644
index 00000000000..76fc917f66e
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2018-17101
@@ -0,0 +1,56 @@
+$NetBSD: patch-CVE-2018-17101,v 1.1 2018/10/28 09:45:07 spz Exp $
+
+Patch for CVE-2018-17101 from upstream git repo
+
+--- tools/pal2rgb.c.orig	2015-08-28 22:17:08.000000000 +0000
++++ tools/pal2rgb.c
+@@ -391,7 +392,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
++    {
++	if( p->tag == TIFFTAG_GROUP3OPTIONS )
++	{
++	    uint16 compression;
++	    if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++		    compression != COMPRESSION_CCITTFAX3 )
++		continue;
++	}
++	if( p->tag == TIFFTAG_GROUP4OPTIONS )
++	{
++	    uint16 compression;
++	    if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++		    compression != COMPRESSION_CCITTFAX4 )
++		continue;
++	}
+ 	cpTag(in, out, p->tag, p->count, p->type);
++    }
+ }
+ #undef NTAGS
+ 
+--- tools/tiff2bw.c.orig	2017-11-01 13:41:58.000000000 +0000
++++ tools/tiff2bw.c
+@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
++    {
++        if( p->tag == TIFFTAG_GROUP3OPTIONS )
++	{
++	    uint16 compression;
++	    if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++		    compression != COMPRESSION_CCITTFAX3 )
++		continue;
++	}
++	if( p->tag == TIFFTAG_GROUP4OPTIONS )
++	{
++	    uint16 compression;
++	    if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++		    compression != COMPRESSION_CCITTFAX4 )
++		continue;
++	}
+ 	cpTag(in, out, p->tag, p->count, p->type);
++    }
+ }
+ #undef NTAGS
+ 
diff --git a/graphics/tiff/patches/patch-CVE-2018-5784 b/graphics/tiff/patches/patch-CVE-2018-5784
new file mode 100644
index 00000000000..5f56b4d7d68
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2018-5784
@@ -0,0 +1,110 @@
+$NetBSD: patch-CVE-2018-5784,v 1.1 2018/10/28 09:45:07 spz Exp $
+
+patch for patch-CVE-2018-5784 from upstream git repo
+
+--- contrib/addtiffo/tif_overview.c.orig	2015-05-30 21:11:52.000000000 +0000
++++ contrib/addtiffo/tif_overview.c
+@@ -65,6 +65,8 @@
+ #  define MAX(a,b)      ((a>b) ? a : b)
+ #endif
+ 
++#define TIFF_DIR_MAX  65534
++
+ void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
+                          int (*)(double,void*), void * );
+ 
+@@ -91,6 +93,9 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, 
+ {
+     toff_t	nBaseDirOffset;
+     toff_t	nOffset;
++    tdir_t	iNumDir;
++	
++	
+ 
+     (void) bUseSubIFDs;
+ 
+@@ -147,7 +152,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, 
+         return 0;
+ 
+     TIFFWriteDirectory( hTIFF );
+-    TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
++    iNumDir = TIFFNumberOfDirectories(hTIFF);
++    if( iNumDir > TIFF_DIR_MAX )
++    {
++	TIFFErrorExt( TIFFClientdata(hTIFF),
++		      "TIFF_WriteOverview",
++		      "File `%s' has too many directories.\n",
++		      TIFFFileName(hTIFF) );
++	exit(-1);
++    }
++    TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
+ 
+     nOffset = TIFFCurrentDirOffset( hTIFF );
+ 
+--- tools/tiff2pdf.c.orig	2017-10-29 18:50:41.000000000 +0000
++++ tools/tiff2pdf.c
+@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
+ 
+ #define PS_UNIT_SIZE	72.0F
+ 
++#define TIFF_DIR_MAX    65534
++
+ /* This type is of PDF color spaces. */
+ typedef enum {
+ 	T2P_CS_BILEVEL = 0x01,	/* Bilevel, black and white */
+@@ -1047,10 +1049,18 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* 
+ 	uint16 pagen=0;
+ 	uint16 paged=0;
+ 	uint16 xuint16=0;
+ 	uint16 tiff_transferfunctioncount=0;
+ 	uint16* tiff_transferfunction[3];
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
++	if(directorycount > TIFF_DIR_MAX) {
++		TIFFError(
++			TIFF2PDF_MODULE,
++			"TIFF contains too many directories, %s",
++			TIFFFileName(input));
++		t2p->t2p_error = T2P_ERR_ERROR;
++		return;
++	}
+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+ 	if(t2p->tiff_pages==NULL){
+ 		TIFFError(
+
+--- tools/tiffcrop.c.orig	2017-01-15 16:00:09.000000000 +0000
++++ tools/tiffcrop.c
+@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const
+ #define DUMP_TEXT   1
+ #define DUMP_RAW    2
+ 
++#define TIFF_DIR_MAX  65534
++
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+   uint32  tmargin;
+@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
+     pageNum = -1;
+   else
+     total_images = 0;
+-  /* read multiple input files and write to output file(s) */
++  /* Read multiple input files and write to output file(s) */
+   while (optind < argc - 1)
+     {
+     in = TIFFOpen (argv[optind], "r");
+@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
+       return (-3);
+ 
+     /* If only one input file is specified, we can use directory count */
+-    total_images = TIFFNumberOfDirectories(in); 
++    total_images = TIFFNumberOfDirectories(in);
++    if (total_images > TIFF_DIR_MAX)
++      {
++      TIFFError (TIFFFileName(in), "File contains too many directories");
++      if (out != NULL)
++	(void) TIFFClose(out);
++      return (1);
++      }
+     if (image_count == 0)
+       {
+       dirnum = 0;
author	spz <spz@pkgsrc.org>	2018-10-28 09:45:07 +0000
committer	spz <spz@pkgsrc.org>	2018-10-28 09:45:07 +0000
commit	ae382bbf8437a323954db66e5341fa94aaa3bbe3 (patch)
tree	d87bdff0e8b27c1777b51bae70cbf7e38547fd0e /graphics/tiff
parent	1828d02bb12090fc2faf942e2329c22d622c1ad3 (diff)
download	pkgsrc-ae382bbf8437a323954db66e5341fa94aaa3bbe3.tar.gz