add patch from upstream

(http://bugzilla.maptools.org/show_bug.cgi?id=2300)
to fix possible buffer overflow in the "thunder" decoder (CVE-2011-1167)
bump PKGREV

3 files changed, 77 insertions, 3 deletions

diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 892b4c096d3..712045b9ecd 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.99 2011/03/12 16:10:42 tron Exp $
+# $NetBSD: Makefile,v 1.100 2011/03/31 11:05:44 drochner Exp $
 
 DISTNAME=	tiff-3.9.4
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://libtiff.maptools.org/dl/
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index c21a3ae8976..e89adbe8c9f 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.50 2011/03/12 16:10:42 tron Exp $
+$NetBSD: distinfo,v 1.51 2011/03/31 11:05:44 drochner Exp $
 
 SHA1 (tiff-3.9.4.tar.gz) = a4e32d55afbbcabd0391a9c89995e8e8a19961de
 RMD160 (tiff-3.9.4.tar.gz) = 3e0a74b6294297c16fb983ad68056a1dfbbdb1de
 Size (tiff-3.9.4.tar.gz) = 1436968 bytes
+SHA1 (patch-CVE-2011-1167) = 30099dc0e1a8271d65799365ce81fda3081f5d5b
 SHA1 (patch-SA43593) = d24ff27a7a2e659c632d5a5fb720a908915e8595
 SHA1 (patch-aa) = 0ed02eb18454f4d91bf2fad6b9262bc442cd0822
 SHA1 (patch-ab) = 66101ec437ff222d629120e52e2011ea5b36dca0
diff --git a/graphics/tiff/patches/patch-CVE-2011-1167 b/graphics/tiff/patches/patch-CVE-2011-1167
new file mode 100644
index 00000000000..33e7be1ea7b
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2011-1167
@@ -0,0 +1,73 @@
+$NetBSD: patch-CVE-2011-1167,v 1.1 2011/03/31 11:05:45 drochner Exp $
+
+--- libtiff/tif_thunder.c.orig	2010-06-08 18:50:43.000000000 +0000
++++ libtiff/tif_thunder.c
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include "tiffiop.h"
++#include <assert.h>
+ #ifdef THUNDER_SUPPORT
+ /*
+  * TIFF Library.
+@@ -55,12 +56,32 @@
+ static const int twobitdeltas[4] = { 0, 1, 0, -1 };
+ static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
+ 
+-#define	SETPIXEL(op, v) { \
+-	lastpixel = (v) & 0xf; \
+-	if (npixels++ & 1) \
+-	    *op++ |= lastpixel; \
+-	else \
++#define	SETPIXEL(op, v) {                     \
++	lastpixel = (v) & 0xf;                \
++        if ( npixels < maxpixels )         \
++        {                                     \
++	  if (npixels++ & 1)                  \
++	    *op++ |= lastpixel;               \
++	  else                                \
+ 	    op[0] = (tidataval_t) (lastpixel << 4); \
++        }                                     \
++}
++
++static int
++ThunderSetupDecode(TIFF* tif)
++{
++	static const char module[] = "ThunderSetupDecode";
++
++        if( tif->tif_dir.td_bitspersample != 4 )
++        {
++                TIFFErrorExt(tif->tif_clientdata, module,
++                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
++                             (int) tif->tif_dir.td_bitspersample );
++                return 0;
++        }
++        
++
++	return (1);
+ }
+ 
+ static int
+@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
+ 		occ -= tif->tif_scanlinesize;
+ 		row += tif->tif_scanlinesize;
+ 	}
+-	return (1);
++
++        return (1);
+ }
+ 
+ int
+@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
+ 	(void) scheme;
+ 	tif->tif_decoderow = ThunderDecodeRow;
+ 	tif->tif_decodestrip = ThunderDecodeRow;
++        tif->tif_setupdecode = ThunderSetupDecode;
+ 	return (1);
+ }
+ #endif /* THUNDER_SUPPORT */
+@@ -163,3 +186,4 @@ TIFFInitThunderScan(TIFF* tif, int schem
+  * fill-column: 78
+  * End:
+  */
++