CVE-2017-7596

CVE-2017-7597
CVE-2017-7599
CVE-2017-7600
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Dependency for applying advisory patch.
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
Bump rev.

6 files changed, 308 insertions, 11 deletions

diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index c44c4d632ca..2197fa80358 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.128 2017/05/05 20:06:02 he Exp $
+# $NetBSD: Makefile,v 1.129 2017/05/05 20:14:05 sevan Exp $
 
 DISTNAME=	tiff-4.0.7
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://download.osgeo.org/libtiff/
 
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index c99854119be..5e924a9f053 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.74 2017/05/05 20:06:02 he Exp $
+$NetBSD: distinfo,v 1.75 2017/05/05 20:14:05 sevan Exp $
 
 SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,7 +6,9 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981d
 Size (tiff-4.0.7.tar.gz) = 2076392 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
-SHA1 (patch-libtiff_tif_dirread.c) = 5c92e2c65a5d95f444f039955ee1afbafeccf5db
+SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7
+SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d
+SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb
 SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6
 SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc
 SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939
@@ -16,4 +18,4 @@ SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc
 SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c
 SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f
 SHA1 (patch-tools_tiffcp.c) = 42573d15fc66655a09e9227213b0929238f7e651
-SHA1 (patch-tools_tiffcrop.c) = 68ccbde2dc447dfbfb3e15a5c9cfaf2538f27e60
+SHA1 (patch-tools_tiffcrop.c) = 1d729028fb8c05de958424234d5cc2808acc9b25
diff --git a/graphics/tiff/patches/patch-libtiff_tif_dir.c b/graphics/tiff/patches/patch-libtiff_tif_dir.c
new file mode 100644
index 00000000000..05551f99e0f
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_dir.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-libtiff_tif_dir.c,v 1.1 2017/05/05 20:14:05 sevan Exp $
+
+CVE-2017-7596
+CVE-2017-7597
+CVE-2017-7599
+CVE-2017-7600
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
+
+--- libtiff/tif_dir.c.orig	2016-10-29 23:03:18.000000000 +0000
++++ libtiff/tif_dir.c
+@@ -31,6 +31,7 @@
+  * (and also some miscellaneous stuff)
+  */
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ /*
+  * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@ bad:
+ 	return (0);
+ }
+ 
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-		td->td_xresolution = (float) dblval;
++		td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-		td->td_yresolution = (float) dblval;
++		td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_PLANARCONFIG:
+ 		v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+ 		td->td_planarconfig = (uint16) v;
+ 		break;
+ 	case TIFFTAG_XPOSITION:
+-		td->td_xposition = (float) va_arg(ap, double);
++		td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ 		break;
+ 	case TIFFTAG_YPOSITION:
+-		td->td_yposition = (float) va_arg(ap, double);
++		td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ 		break;
+ 	case TIFFTAG_RESOLUTIONUNIT:
+ 		v = (uint16) va_arg(ap, uint16_vap);
diff --git a/graphics/tiff/patches/patch-libtiff_tif_dirread.c b/graphics/tiff/patches/patch-libtiff_tif_dirread.c
index 9f688f115ae..52f9d9ad26a 100644
--- a/graphics/tiff/patches/patch-libtiff_tif_dirread.c
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirread.c
@@ -1,11 +1,40 @@
-$NetBSD: patch-libtiff_tif_dirread.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.2 2017/05/05 20:14:05 sevan Exp $
 
+CVE-2017-7596
+CVE-2017-7597
 CVE-2017-7598
+CVE-2017-7599
+CVE-2017-7600
 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
 
---- libtiff/tif_dirread.c.orig	2016-11-18 02:42:46.000000000 +0000
+--- libtiff/tif_dirread.c.orig	2017-05-05 18:56:15.000000000 +0000
 +++ libtiff/tif_dirread.c
-@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+@@ -40,6 +40,7 @@
+  */
+ 
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ #define IGNORE 0          /* tag placeholder used below */
+ #define FAILED_FII    ((uint32) -1)
+@@ -2406,7 +2407,14 @@ static enum TIFFReadDirEntryErr TIFFRead
+ 				ma=(double*)origdata;
+ 				mb=data;
+ 				for (n=0; n<count; n++)
+-					*mb++=(float)(*ma++);
++                                {
++                                    double val = *ma++;
++                                    if( val > FLT_MAX )
++                                        val = FLT_MAX;
++                                    else if( val < -FLT_MAX )
++                                        val = -FLT_MAX;
++                                    *mb++=(float)val;
++                                }
+ 			}
+ 			break;
+ 	}
+@@ -2872,7 +2880,10 @@ static enum TIFFReadDirEntryErr TIFFRead
  		m.l = direntry->tdir_offset.toff_long8;
  	if (tif->tif_flags&TIFF_SWAB)
  		TIFFSwabArrayOfLong(m.i,2);
@@ -17,7 +46,7 @@ https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
  		*value=0.0;
  	else
  		*value=(double)m.i[0]/(double)m.i[1];
-@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+@@ -2900,7 +2911,10 @@ static enum TIFFReadDirEntryErr TIFFRead
  		m.l=direntry->tdir_offset.toff_long8;
  	if (tif->tif_flags&TIFF_SWAB)
  		TIFFSwabArrayOfLong(m.i,2);
diff --git a/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c b/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c
new file mode 100644
index 00000000000..2181abf395c
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c
@@ -0,0 +1,192 @@
+$NetBSD: patch-libtiff_tif_dirwrite.c,v 1.1 2017/05/05 20:14:05 sevan Exp $
+
+Dependency for applying advisory patch below without creating a variant.
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
+
+CVE-2017-7596
+CVE-2017-7597
+CVE-2017-7599
+CVE-2017-7600
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
+
+--- libtiff/tif_dirwrite.c.orig	2017-05-05 18:56:07.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -30,6 +30,7 @@
+  * Directory Write Support Routines.
+  */
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@ bad:
+ 	return(0);
+ }
+ 
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++    if( val > 127 )
++        return 127;
++    if( val < -128 || val != val )
++        return -128;
++    return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++    if( val > 32767 )
++        return 32767;
++    if( val < -32768 || val != val )
++        return -32768;
++    return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++    if( val > 0x7FFFFFFF )
++        return 0x7FFFFFFF;
++    if( val < -0x7FFFFFFF-1 || val != val )
++        return -0x7FFFFFFF-1;
++    return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 255 || val != val )
++        return 255;
++    return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 65535 || val != val )
++        return 65535;
++    return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 0xFFFFFFFFU || val != val )
++        return 0xFFFFFFFFU;
++    return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@ TIFFWriteDirectoryTagSampleformatArray(T
+ 			if (tif->tif_dir.td_bitspersample<=32)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((float*)conv)[i] = (float)value[i];
++					((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ 				ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+ 			}
+ 			else
+@@ -971,19 +1035,19 @@ TIFFWriteDirectoryTagSampleformatArray(T
+ 			if (tif->tif_dir.td_bitspersample<=8)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((int8*)conv)[i] = (int8)value[i];
++					((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+ 				ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+ 			}
+ 			else if (tif->tif_dir.td_bitspersample<=16)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((int16*)conv)[i] = (int16)value[i];
++					((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+ 				ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+ 			}
+ 			else
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((int32*)conv)[i] = (int32)value[i];
++					((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+ 				ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+ 			}
+ 			break;
+@@ -991,19 +1055,19 @@ TIFFWriteDirectoryTagSampleformatArray(T
+ 			if (tif->tif_dir.td_bitspersample<=8)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((uint8*)conv)[i] = (uint8)value[i];
++					((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+ 				ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+ 			}
+ 			else if (tif->tif_dir.td_bitspersample<=16)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((uint16*)conv)[i] = (uint16)value[i];
++					((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
+ 				ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
+ 			}
+ 			else
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((uint32*)conv)[i] = (uint32)value[i];
++					((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
+ 				ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
+ 			}
+ 			break;
+@@ -2094,15 +2158,25 @@ TIFFWriteDirectoryTagCheckedSlong8Array(
+ static int
+ TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
+ {
++        static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
+ 	uint32 m[2];
+-	assert(value>=0.0);
+ 	assert(sizeof(uint32)==4);
+-	if (value<=0.0)
++        if( value < 0 )
++        {
++            TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
++            return 0;
++        }
++        else if( value != value )
++        {
++            TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
++            return 0;
++        }
++	else if (value==0.0)
+ 	{
+ 		m[0]=0;
+ 		m[1]=1;
+ 	}
+-	else if (value==(double)(uint32)value)
++	else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
+ 	{
+ 		m[0]=(uint32)value;
+ 		m[1]=1;
+@@ -2143,12 +2217,13 @@ TIFFWriteDirectoryTagCheckedRationalArra
+ 	}
+ 	for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
+ 	{
+-		if (*na<=0.0)
++		if (*na<=0.0 || *na != *na)
+ 		{
+ 			nb[0]=0;
+ 			nb[1]=1;
+ 		}
+-		else if (*na==(float)(uint32)(*na))
++		else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
++                         *na==(float)(uint32)(*na))
+ 		{
+ 			nb[0]=(uint32)(*na);
+ 			nb[1]=1;
diff --git a/graphics/tiff/patches/patch-tools_tiffcrop.c b/graphics/tiff/patches/patch-tools_tiffcrop.c
index 9c3a6230d84..026b4659a6b 100644
--- a/graphics/tiff/patches/patch-tools_tiffcrop.c
+++ b/graphics/tiff/patches/patch-tools_tiffcrop.c
@@ -1,8 +1,11 @@
 $NetBSD$
 
-Fix for CVE-2016-10092, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2620
-and
+CVE-2016-10092
+http://bugzilla.maptools.org/show_bug.cgi?id=2620
 https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
+Fix double free
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
 
 --- tools/tiffcrop.c.orig	2016-11-19 01:45:30.000000000 +0000
 +++ tools/tiffcrop.c
@@ -15,3 +18,11 @@ https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
          }
  
          return 1;
+@@ -7986,7 +7986,6 @@ writeCroppedImage(TIFF *in, TIFF *out, s
+   if (!TIFFWriteDirectory(out))
+     {
+     TIFFError("","Failed to write IFD for page number %d", pagenum);
+-    TIFFClose(out);
+     return (-1);
+     }
+