tiff: apply fix for CVE-2018-18557

From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 14 Oct 2018 16:38:29 +0200
Subject: [PATCH 1/1] JBIG: fix potential out-of-bounds write in JBIGDecode()

JBIGDecode doesn't check if the user provided buffer is large enough
to store the JBIG decoded image, which can potentially cause out-of-bounds
write in the buffer.
This issue was reported and analyzed by Thomas Dullien.

Also fixes a (harmless) potential use of uninitialized memory when
tif->tif_rawsize > tif->tif_rawcc

And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()

The last part (CHUNKY_STRIP_READ_SUPPORT) was adapted by myself to fit
the libtiff release.

Bump PKGREVISION.

4 files changed, 105 insertions, 3 deletions

diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index cbc0f4798ee..51e0ec10285 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.141 2018/06/21 23:11:04 tez Exp $
+# $NetBSD: Makefile,v 1.142 2018/10/25 22:58:05 maya Exp $
 
 DISTNAME=	tiff-4.0.9
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://download.osgeo.org/libtiff/
 
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index c563fb3afb5..cdaaca616b0 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.90 2018/06/21 23:11:04 tez Exp $
+$NetBSD: distinfo,v 1.91 2018/10/25 22:58:05 maya Exp $
 
 SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296
 RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3
@@ -7,4 +7,6 @@ Size (tiff-4.0.9.tar.gz) = 2305681 bytes
 SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610
 SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
+SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3
+SHA1 (patch-libtiff_tif__read.c) = a69f7a462e0dfe6b01240816ed546d7e381044e8
 SHA1 (patch-tools_pal2rgb.c) = f91652e8013940c162add870ceb9845e2730bc2c
diff --git a/graphics/tiff/patches/patch-libtiff_tif__jbig.c b/graphics/tiff/patches/patch-libtiff_tif__jbig.c
new file mode 100644
index 00000000000..38c4bb59ccc
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif__jbig.c
@@ -0,0 +1,77 @@
+$NetBSD: patch-libtiff_tif__jbig.c,v 1.1 2018/10/25 22:58:05 maya Exp $
+
+From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 (CVE-2018-18557)
+
+JBIGDecode doesn't check if the user provided buffer is large enough
+to store the JBIG decoded image, which can potentially cause out-of-bounds
+write in the buffer.
+This issue was reported and analyzed by Thomas Dullien.
+
+Also fixes a (harmless) potential use of uninitialized memory when
+tif->tif_rawsize > tif->tif_rawcc
+
+--- libtiff/tif_jbig.c.orig	2017-06-30 13:27:54.399206925 +0000
++++ libtiff/tif_jbig.c
+@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* 
+ 	struct jbg_dec_state decoder;
+ 	int decodeStatus = 0;
+ 	unsigned char* pImage = NULL;
+-	(void) size, (void) s;
++	unsigned long decodedSize;
++	(void) s;
+ 
+ 	if (isFillOrder(tif, tif->tif_dir.td_fillorder))
+ 	{
+-		TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
++		TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
+ 	}
+ 
+ 	jbg_dec_init(&decoder);
+ 
+ #if defined(HAVE_JBG_NEWLEN)
+-	jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
++	jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
+ 	/*
+ 	 * I do not check the return status of jbg_newlen because even if this
+ 	 * function fails it does not necessarily mean that decoding the image
+@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* 
+ 	 */
+ #endif /* HAVE_JBG_NEWLEN */
+ 
+-	decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
+-				  (size_t)tif->tif_rawdatasize, NULL);
++	decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
++				  (size_t)tif->tif_rawcc, NULL);
+ 	if (JBG_EOK != decodeStatus)
+ 	{
+ 		/*
+@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* 
+ 		return 0;
+ 	}
+ 
++	decodedSize = jbg_dec_getsize(&decoder);
++	if( (tmsize_t)decodedSize < size )
++	{
++	    TIFFWarningExt(tif->tif_clientdata, "JBIG",
++	                   "Only decoded %lu bytes, whereas %lu requested",
++	                   decodedSize, (unsigned long)size);
++	}
++	else if( (tmsize_t)decodedSize > size )
++	{
++	    TIFFErrorExt(tif->tif_clientdata, "JBIG",
++	                 "Decoded %lu bytes, whereas %lu were requested",
++	                 decodedSize, (unsigned long)size);
++	    jbg_dec_free(&decoder);
++	    return 0;
++	}
+ 	pImage = jbg_dec_getimage(&decoder, 0);
+-	_TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
++	_TIFFmemcpy(buffer, pImage, decodedSize);
+ 	jbg_dec_free(&decoder);
++
++        tif->tif_rawcp += tif->tif_rawcc;
++        tif->tif_rawcc = 0;
++
+ 	return 1;
+ }
+ 
diff --git a/graphics/tiff/patches/patch-libtiff_tif__read.c b/graphics/tiff/patches/patch-libtiff_tif__read.c
new file mode 100644
index 00000000000..10e0a9d4c17
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif__read.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-libtiff_tif__read.c,v 1.1 2018/10/25 22:58:05 maya Exp $
+
+And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
+that whole strip data is provided to JBIGDecode()
+
+Part of commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66 which fixes
+CVE-2018-18557
+
+--- libtiff/tif_read.c.orig	2017-11-18 14:42:21.664534434 +0000
++++ libtiff/tif_read.c
+@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 s
+             return 0;
+         whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
+                 || isMapped(tif);
++        if( td->td_compression == COMPRESSION_JBIG )
++        {
++            /* Ideally plugins should have a way to declare they don't support
++             * chunk strip */
++            whole_strip = 1;
++        }
+ #else
+         whole_strip = 1;
+ #endif