summaryrefslogtreecommitdiff
path: root/graphics/tiff
diff options
context:
space:
mode:
authortron <tron@pkgsrc.org>2009-07-19 11:45:09 +0000
committertron <tron@pkgsrc.org>2009-07-19 11:45:09 +0000
commitb91b13f2686e96dcc75eab71c7ad5de84b7ad9c4 (patch)
tree365621cabf0ba74d83ae4f9bfa73c672120f7c19 /graphics/tiff
parentfc8fba4c5c6f5d8408fec6290f7579fc78ea2617 (diff)
downloadpkgsrc-b91b13f2686e96dcc75eab71c7ad5de84b7ad9c4.tar.gz
Apply fix for integer overflows in various inter-color space conversion
tools taken from MapTools Bugzilla. This fixes CVE-2009-2347.
Diffstat (limited to 'graphics/tiff')
-rw-r--r--graphics/tiff/Makefile4
-rw-r--r--graphics/tiff/distinfo4
-rw-r--r--graphics/tiff/patches/patch-ca47
-rw-r--r--graphics/tiff/patches/patch-cb126
4 files changed, 178 insertions, 3 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index a27ae0d2c7a..027e56627d3 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.87 2009/06/22 14:54:44 drochner Exp $
+# $NetBSD: Makefile,v 1.88 2009/07/19 11:45:09 tron Exp $
DISTNAME= tiff-3.8.2
-PKGREVISION= 5
+PKGREVISION= 6
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://libtiff.maptools.org/dl/
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index 9f2242ce614..c16a1ffa02a 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.42 2009/06/22 14:54:44 drochner Exp $
+$NetBSD: distinfo,v 1.43 2009/07/19 11:45:09 tron Exp $
SHA1 (tiff-3.8.2.tar.gz) = 549e67b6a15b42bfcd72fe17cda7c9a198a393eb
RMD160 (tiff-3.8.2.tar.gz) = 1b4d825e3be08764e953fc58246d0c25ab4dd17d
@@ -16,3 +16,5 @@ SHA1 (patch-az) = ec57ebacc6052221ae63084d23c7c7b4aea029d8
SHA1 (patch-ba) = d4bd9c67a9bf2be93286f8268ac520c4b88ba3ae
SHA1 (patch-bb) = cbc7feda655a02809de55be6470cc25cda942a08
SHA1 (patch-bc) = 9baa1c138cd3cb6366ae3e638518b94dfea172cc
+SHA1 (patch-ca) = 3c90d9735f0586632db05ceb50b336cbfdf279b6
+SHA1 (patch-cb) = 349c8764091d69f5eca84588837022d218b2165c
diff --git a/graphics/tiff/patches/patch-ca b/graphics/tiff/patches/patch-ca
new file mode 100644
index 00000000000..c56310fffaf
--- /dev/null
+++ b/graphics/tiff/patches/patch-ca
@@ -0,0 +1,47 @@
+$NetBSD: patch-ca,v 1.1 2009/07/19 11:45:09 tron Exp $
+
+Patch for CVE-2009-2347, taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2079
+
+--- tools/rgb2ycbcr.c.orig 2004-09-03 08:57:13.000000000 +0100
++++ tools/rgb2ycbcr.c 2009-07-19 12:39:06.000000000 +0100
+@@ -202,6 +202,17 @@
+ #undef LumaBlue
+ #undef V2Code
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ /*
+ * Convert a strip of RGB data to YCbCr and
+ * sample to generate the output data.
+@@ -278,10 +289,19 @@
+ float floatv;
+ char *stringv;
+ uint32 longv;
++ tsize_t raster_size;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
diff --git a/graphics/tiff/patches/patch-cb b/graphics/tiff/patches/patch-cb
new file mode 100644
index 00000000000..1a9db26dd2d
--- /dev/null
+++ b/graphics/tiff/patches/patch-cb
@@ -0,0 +1,126 @@
+$NetBSD: patch-cb,v 1.1 2009/07/19 11:45:09 tron Exp $
+
+Patch for CVE-2009-2347, taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2079
+
+--- tools/tiff2rgba.c.orig 2004-11-07 11:08:37.000000000 +0000
++++ tools/tiff2rgba.c 2009-07-19 12:39:06.000000000 +0100
+@@ -124,6 +124,17 @@
+ return (0);
+ }
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+
+@@ -133,6 +144,7 @@
+ uint32 tile_width, tile_height;
+ uint32 row, col;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -150,7 +162,14 @@
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) tile_width, (unsigned long) tile_height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -158,7 +177,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -226,6 +245,7 @@
+ uint32 width, height; /* image width & height */
+ uint32 row;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -241,7 +261,14 @@
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) rowsperstrip);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -249,7 +276,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -328,14 +355,22 @@
+ uint32* raster; /* retrieve RGBA image */
+ uint32 width, height; /* image width & height */
+ uint32 row;
+-
++ tsize_t raster_size;
++
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -353,7 +388,7 @@
+ */
+ if( no_alpha )
+ {
+- int pixel_count = width * height;
++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
+ unsigned char *src, *dst;
+
+ src = (unsigned char *) raster;