tiff: apply fixes for CVE-2022-0561 CVE-2022-0907 CVE-2022-0891

CVE-2022-0907 CVE-2022-0909 bump PKGREVISION again...
author: nia <nia@pkgsrc.org> 2022-03-25 09:32:49 +0000
committer: nia <nia@pkgsrc.org> 2022-03-25 09:32:49 +0000
commit: 6c06a79c7a5170b420337cf1a7df4b78e27d18f6 (patch)
tree: 9302643319b41c20fc0593a5e8a4ed09a9e05cf5 /graphics/tiff
parent: 169c7df06fd301131c91982764636d7937b91220 (diff)
download: pkgsrc-6c06a79c7a5170b420337cf1a7df4b78e27d18f6.tar.gz
6 files changed, 369 insertions, 6 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index fd6a3f5372c..5c95f4df421 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.151 2022/03/25 08:36:37 nia Exp $
+# $NetBSD: Makefile,v 1.152 2022/03/25 09:32:49 nia Exp $
 
 DISTNAME=	tiff-4.3.0
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	https://download.osgeo.org/libtiff/
 
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index e6c112c2dec..5dc4398123a 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,8 +1,11 @@
-$NetBSD: distinfo,v 1.101 2022/03/25 08:36:37 nia Exp $
+$NetBSD: distinfo,v 1.102 2022/03/25 09:32:49 nia Exp $
 
 BLAKE2s (tiff-4.3.0.tar.gz) = 28ba59df6d3d7a967dc168645bfc78f047ac8f7f548050abbbd0560f9dd21c75
 SHA512 (tiff-4.3.0.tar.gz) = e04a4a6c542e58a174c1e9516af3908acf1d3d3e1096648c5514f4963f73e7af27387a76b0fbabe43cf867a18874088f963796a7cd6e45deb998692e3e235493
 Size (tiff-4.3.0.tar.gz) = 2808254 bytes
-SHA1 (patch-CVE-2022-0561) = ceb02d9fb6a897a50d65fd3f46ab527ea84562a4
+SHA1 (patch-CVE-2022-0561) = a40f12dc11d431d6373d7799d1d2664ea3eabee1
+SHA1 (patch-CVE-2022-0907) = 92a50bbba3cd0aa6b0bf3b85ce46d3948d4dd19d
+SHA1 (patch-CVE-2022-0909) = 747db983e9dd0b79860eaaf975f698a129bf044d
+SHA1 (patch-CVE-2022-0924) = 82ecc85556f01e6363694c86465bc20723ac3261
 SHA1 (patch-CVE-2022-22844) = 268d67ea1a24c6078006c37bf5c56b00a6a0183f
 SHA1 (patch-Makefile.in) = de93f4a2cea4bffc117482fdc6875adfb9aa67e0
diff --git a/graphics/tiff/patches/patch-CVE-2022-0561 b/graphics/tiff/patches/patch-CVE-2022-0561
index 250818c866f..3699da0c787 100644
--- a/graphics/tiff/patches/patch-CVE-2022-0561
+++ b/graphics/tiff/patches/patch-CVE-2022-0561
@@ -1,4 +1,4 @@
-$NetBSD: patch-CVE-2022-0561,v 1.1 2022/03/25 08:36:37 nia Exp $
+$NetBSD: patch-CVE-2022-0561,v 1.2 2022/03/25 09:32:49 nia Exp $
 
 https://gitlab.com/libtiff/libtiff/-/issues/362
 
@@ -16,7 +16,19 @@ This fixes CVE-2022-0561 and CVE-2022-0562.
                  _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
                  _TIFFfree(new_sampleinfo);
          }
-@@ -5765,8 +5766,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+@@ -5079,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt
+ 								_TIFFfree(data);
+ 							return(0);
+ 						}
+-						_TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
++						if (dp->tdir_count > 0 )
++						{
++							_TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
++						}
+ 						o[(uint32_t)dp->tdir_count]=0;
+ 						if (data!=0)
+ 							_TIFFfree(data);
+@@ -5765,8 +5769,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
  			_TIFFfree(data);
  			return(0);
  		}
diff --git a/graphics/tiff/patches/patch-CVE-2022-0907 b/graphics/tiff/patches/patch-CVE-2022-0907
new file mode 100644
index 00000000000..74320d41000
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2022-0907
@@ -0,0 +1,281 @@
+$NetBSD: patch-CVE-2022-0907,v 1.1 2022/03/25 09:32:49 nia Exp $
+
+[PATCH] add checks for return value of limitMalloc (CVE-2022-0907)
+https://gitlab.com/libtiff/libtiff/-/merge_requests/314.patch
+
+[PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
+ extractImageSection (CVE-2022-0891)
+https://gitlab.com/libtiff/libtiff/-/commit/46dc8fcd4d38c3b6f35ab28e532aee80e6f609d6.patch
+
+--- tools/tiffcrop.c.orig	2021-03-07 18:09:46.000000000 +0000
++++ tools/tiffcrop.c
+@@ -105,8 +105,8 @@
+  *                of messages to monitor progress without enabling dump logs.
+  */
+ 
+-static   char tiffcrop_version_id[] = "2.4";
+-static   char tiffcrop_rev_date[] = "12-13-2010";
++static   char tiffcrop_version_id[] = "2.4.1";
++static   char tiffcrop_rev_date[] = "03-03-2010";
+ 
+ #include "tif_config.h"
+ #include "libport.h"
+@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *i
+ #ifdef DEVELMODE
+   uint32_t    img_length;
+ #endif
+-  uint32_t    j, shift1, shift2, trailing_bits;
++  uint32_t    j, shift1, trailing_bits;
+   uint32_t    row, first_row, last_row, first_col, last_col;
+   uint32_t    src_offset, dst_offset, row_offset, col_offset;
+-  uint32_t    offset1, offset2, full_bytes;
++  uint32_t    offset1, full_bytes;
+   uint32_t    sect_width;
+ #ifdef DEVELMODE
+   uint32_t    sect_length;
+@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *i
+ #ifdef DEVELMODE
+   int      k;
+   unsigned char bitset;
+-  static char *bitarray = NULL;
+ #endif
+ 
+   img_width = image->width;
+@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *i
+   dst_offset = 0;
+ 
+ #ifdef DEVELMODE
+-  if (bitarray == NULL)
+-    {
+-    if ((bitarray = (char *)malloc(img_width)) == NULL)
+-      {
+-      TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
+-      return (-1);
+-      }
+-    }
++  char bitarray[39];
+ #endif
+ 
+-  /* rows, columns, width, length are expressed in pixels */
++  /* rows, columns, width, length are expressed in pixels
++   * first_row, last_row, .. are index into image array starting at 0 to width-1,
++   * last_col shall be also extracted.  */
+   first_row = section->y1;
+   last_row  = section->y2;
+   first_col = section->x1;
+@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *i
+ #ifdef DEVELMODE
+   sect_length = last_row - first_row + 1;
+ #endif
+-  img_rowsize = ((img_width * bps + 7) / 8) * spp;
+-  full_bytes = (sect_width * spp * bps) / 8;   /* number of COMPLETE bytes per row in section */
+-  trailing_bits = (sect_width * bps) % 8;
++    /* The read function loadImage() used copy separate plane data into a buffer as interleaved
++     * samples rather than separate planes so the same logic works to extract regions
++     * regardless of the way the data are organized in the input file.
++     * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
++     */
++    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
++    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
++    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
+ 
+ #ifdef DEVELMODE
+     TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
+@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *i
+ 
+   if ((bps % 8) == 0)
+     {
+-    col_offset = first_col * spp * bps / 8;
++    col_offset = (first_col * spp * bps) / 8;
+     for (row = first_row; row <= last_row; row++)
+       {
+-      /* row_offset = row * img_width * spp * bps / 8; */
+       row_offset = row * img_rowsize;
+       src_offset = row_offset + col_offset;
+ 
+@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *i
+     }
+   else
+     { /* bps != 8 */
+-    shift1  = spp * ((first_col * bps) % 8);
+-    shift2  = spp * ((last_col * bps) % 8);
++    shift1 = ((first_col * spp * bps) % 8);           /* shift1 = bits to skip in the first byte of source buffer*/
+     for (row = first_row; row <= last_row; row++)
+       {
+       /* pull out the first byte */
+       row_offset = row * img_rowsize;
+-      offset1 = row_offset + (first_col * bps / 8);
+-      offset2 = row_offset + (last_col * bps / 8);
++      offset1 = row_offset + ((first_col * spp * bps) / 8);   /* offset1 = offset into source of byte with first bits to be extracted */
+ 
+ #ifdef DEVELMODE
+       for (j = 0, k = 7; j < 8; j++, k--)
+@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *i
+       sprintf(&bitarray[9], " ");
+       for (j = 10, k = 7; j < 18; j++, k--)
+         {
+-        bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
++        bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
+         sprintf(&bitarray[j], (bitset) ? "1" : "0");
+         }
+       bitarray[18] = '\0';
+-      TIFFError ("", "Row: %3d Offset1: %"PRIu32",  Shift1: %"PRIu32",    Offset2: %"PRIu32",  Shift2:  %"PRIu32"\n", 
+-                 row, offset1, shift1, offset2, shift2); 
++      TIFFError ("", "Row: %3d Offset1: %"PRIu32",  Shift1: %"PRIu32",    Offset2: %"PRIu32",  Trailing_bits:  %"PRIu32"\n", 
++                 row, offset1, shift1, offset1+full_bytes, trailing_bits); 
+ #endif
+ 
+       bytebuff1 = bytebuff2 = 0;
+@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *i
+ 
+         if (trailing_bits != 0)
+           {
+-	  bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
++      /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++	  bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+           sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+ 	  TIFFError ("", "        Trailing bits src offset:  %8"PRIu32", Dst offset: %8"PRIu32"\n",
+-                              offset2, dst_offset); 
++          offset1 + full_bytes, dst_offset);
+           for (j = 30, k = 7; j < 38; j++, k--)
+             {
+             bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
+@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *i
+ #endif
+         for (j = 0; j <= full_bytes; j++) 
+           {
+-	  bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+-	  bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
++          /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
++          /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
++          bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
++          bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+           sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+           }
+ #ifdef DEVELMODE
+@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *i
+ #endif
+         dst_offset += full_bytes;
+ 
++        /* Copy the trailing_bits for the last byte in the destination buffer. 
++           Could come from one ore two bytes of the source buffer. */
+         if (trailing_bits != 0)
+           {
+ #ifdef DEVELMODE
+-	    TIFFError ("", "        Trailing bits   src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
+-#endif
+-	  if (shift2 > shift1)
+-            {
+-	    bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
+-            bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
+-            sect_buff[dst_offset] = bytebuff2;
+-#ifdef DEVELMODE
+-	    TIFFError ("", "        Shift2 > Shift1\n"); 
++          TIFFError("", "        Trailing bits %4"PRIu32"   src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
+ #endif
++          /* More than necessary bits are already copied into last destination buffer, 
++           * only masking of last byte in destination buffer is necessary.*/ 
++          sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
+             }
+-          else
+-            {
+-	    if (shift2 < shift1)
+-              {
+-              bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
+-	      sect_buff[dst_offset] &= bytebuff2;
+-#ifdef DEVELMODE
+-	      TIFFError ("", "        Shift2 < Shift1\n"); 
+-#endif
+-              }
+-#ifdef DEVELMODE
+-            else
+-	      TIFFError ("", "        Shift2 == Shift1\n"); 
+-#endif
+-            }
+-	  }
+ #ifdef DEVELMODE
+ 	  sprintf(&bitarray[28], " ");
+ 	  sprintf(&bitarray[29], " ");
+@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, 
+     width  = sections[i].x2 - sections[i].x1 + 1;
+     length = sections[i].y2 - sections[i].y1 + 1;
+     sectsize = (uint32_t)
+-	    ceil((width * image->bps + 7) / (double)8) * image->spp * length;
++	    ceil((width * image->bps * image->spp + 7) / (double)8) * length;
+     /* allocate a buffer if we don't have one already */
+     if (createImageSection(sectsize, sect_buff_ptr))
+       {
+@@ -7377,7 +7357,11 @@ createImageSection(uint32_t sectsize, un
+   if (!sect_buff)
+     {
+     sect_buff = (unsigned char *)limitMalloc(sectsize);
+-    *sect_buff_ptr = sect_buff;
++    if (!sect_buff)
++    {
++        TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++        return (-1);
++    }
+     _TIFFmemset(sect_buff, 0, sectsize);
+     }
+   else
+@@ -7393,15 +7377,15 @@ createImageSection(uint32_t sectsize, un
+       else
+         sect_buff = new_buff;
+ 
++      if (!sect_buff)
++      {
++          TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++          return (-1);
++      }
+       _TIFFmemset(sect_buff, 0, sectsize);
+       }
+     }
+ 
+-  if (!sect_buff)
+-    {
+-    TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+-    return (-1);
+-    }
+   prev_sectsize = sectsize;
+   *sect_buff_ptr = sect_buff;
+ 
+@@ -7668,7 +7652,11 @@ createCroppedImage(struct image_data *im
+   if (!crop_buff)
+     {
+     crop_buff = (unsigned char *)limitMalloc(cropsize);
+-    *crop_buff_ptr = crop_buff;
++    if (!crop_buff)
++    {
++        TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++        return (-1);
++    }
+     _TIFFmemset(crop_buff, 0, cropsize);
+     prev_cropsize = cropsize;
+     }
+@@ -7684,15 +7672,15 @@ createCroppedImage(struct image_data *im
+         }
+       else
+         crop_buff = new_buff;
++      if (!crop_buff)
++      {
++          TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++          return (-1);
++      }
+       _TIFFmemset(crop_buff, 0, cropsize);
+       }
+     }
+ 
+-  if (!crop_buff)
+-    {
+-    TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+-    return (-1);
+-    }
+   *crop_buff_ptr = crop_buff;
+ 
+   if (crop->crop_mode & CROP_INVERT)
+@@ -9251,3 +9239,4 @@ invertImage(uint16_t photometric, uint16
+  * fill-column: 78
+  * End:
+  */
++
diff --git a/graphics/tiff/patches/patch-CVE-2022-0909 b/graphics/tiff/patches/patch-CVE-2022-0909
new file mode 100644
index 00000000000..f3ea46591d6
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2022-0909
@@ -0,0 +1,23 @@
+$NetBSD: patch-CVE-2022-0909,v 1.1 2022/03/25 09:32:49 nia Exp $
+
+[PATCH] fix FPE in tiffcrop
+https://gitlab.com/libtiff/libtiff/-/merge_requests/310.patch
+
+--- libtiff/tif_dir.c.orig	2021-03-05 13:01:43.000000000 +0000
++++ libtiff/tif_dir.c
+@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, 
+ 		break;
+ 	case TIFFTAG_XRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
++        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+ 		td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
++        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+ 		td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+ 		break;
diff --git a/graphics/tiff/patches/patch-CVE-2022-0924 b/graphics/tiff/patches/patch-CVE-2022-0924
new file mode 100644
index 00000000000..1be217ae2bf
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2022-0924
@@ -0,0 +1,44 @@
+$NetBSD: patch-CVE-2022-0924,v 1.1 2022/03/25 09:32:49 nia Exp $
+
+[PATCH] fix heap buffer overflow in tiffcp
+https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665.patch
+
+--- tools/tiffcp.c.orig	2021-04-08 21:48:47.000000000 +0000
++++ tools/tiffcp.c
+@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+ 	tdata_t obuf;
+ 	tstrip_t strip = 0;
+ 	tsample_t s;
++	uint16_t bps = 0, bytes_per_sample;
+ 
+ 	obuf = limitMalloc(stripsize);
+ 	if (obuf == NULL)
+ 		return (0);
+ 	_TIFFmemset(obuf, 0, stripsize);
+ 	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
++	(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++	if( bps == 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++            _TIFFfree(obuf);
++            return 0;
++        }
++        if( (bps % 8) != 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++            _TIFFfree(obuf);
++            return 0;
++        }
++	bytes_per_sample = bps/8;
+ 	for (s = 0; s < spp; s++) {
+ 		uint32_t row;
+ 		for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+ 
+ 			cpContigBufToSeparateBuf(
+ 			    obuf, (uint8_t*) buf + row * rowsize + s,
+-			    nrows, imagewidth, 0, 0, spp, 1);
++			    nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+ 			if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+ 				TIFFError(TIFFFileName(out),
+ 				    "Error, can't write strip %"PRIu32,
author	nia <nia@pkgsrc.org>	2022-03-25 09:32:49 +0000
committer	nia <nia@pkgsrc.org>	2022-03-25 09:32:49 +0000
commit	6c06a79c7a5170b420337cf1a7df4b78e27d18f6 (patch)
tree	9302643319b41c20fc0593a5e8a4ed09a9e05cf5 /graphics/tiff
parent	169c7df06fd301131c91982764636d7937b91220 (diff)
download	pkgsrc-6c06a79c7a5170b420337cf1a7df4b78e27d18f6.tar.gz