diff options
-rw-r--r-- | graphics/tiff/Makefile | 7 | ||||
-rw-r--r-- | graphics/tiff/PLIST | 8 | ||||
-rw-r--r-- | graphics/tiff/distinfo | 21 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2017-11613 | 113 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2017-18013 | 24 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2017-9935 | 119 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-10963 | 20 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-17100 | 30 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-17101 | 56 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-5784 | 110 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-8905 | 40 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif__jbig.c | 77 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif__read.c | 23 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-tools_pal2rgb.c | 23 |
14 files changed, 12 insertions, 659 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index 151545919eb..c739afff4a6 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -1,9 +1,8 @@ -# $NetBSD: Makefile,v 1.143 2018/10/28 09:45:07 spz Exp $ +# $NetBSD: Makefile,v 1.144 2018/11/10 21:14:53 maya Exp $ -DISTNAME= tiff-4.0.9 -PKGREVISION= 5 +DISTNAME= tiff-4.0.10 CATEGORIES= graphics -MASTER_SITES= ftp://download.osgeo.org/libtiff/ +MASTER_SITES= https://download.osgeo.org/libtiff/ MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://simplesystems.org/libtiff/ diff --git a/graphics/tiff/PLIST b/graphics/tiff/PLIST index 442bf8655a7..2a96854bf56 100644 --- a/graphics/tiff/PLIST +++ b/graphics/tiff/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.25 2017/11/19 16:31:04 he Exp $ +@comment $NetBSD: PLIST,v 1.26 2018/11/10 21:14:53 maya Exp $ bin/fax2ps bin/fax2tiff bin/pal2rgb @@ -90,8 +90,7 @@ man/man3/TIFFtile.3 man/man3/libtiff.3 share/doc/tiff/COPYRIGHT share/doc/tiff/ChangeLog -share/doc/tiff/README -share/doc/tiff/README.vms +share/doc/tiff/README.md share/doc/tiff/RELEASE-DATE share/doc/tiff/TODO share/doc/tiff/VERSION @@ -226,6 +225,7 @@ share/doc/tiff/html/v3.9.1.html share/doc/tiff/html/v3.9.2.html share/doc/tiff/html/v4.0.0.html share/doc/tiff/html/v4.0.1.html +share/doc/tiff/html/v${PKGVERSION}.html share/doc/tiff/html/v4.0.2.html share/doc/tiff/html/v4.0.3.html share/doc/tiff/html/v4.0.4.html @@ -234,4 +234,4 @@ share/doc/tiff/html/v4.0.5.html share/doc/tiff/html/v4.0.6.html share/doc/tiff/html/v4.0.7.html share/doc/tiff/html/v4.0.8.html -share/doc/tiff/html/v${PKGVERSION}.html +share/doc/tiff/html/v4.0.9.html diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo index c4b272ccb74..5abafc2bffe 100644 --- a/graphics/tiff/distinfo +++ b/graphics/tiff/distinfo @@ -1,18 +1,7 @@ -$NetBSD: distinfo,v 1.92 2018/10/28 09:45:07 spz Exp $ +$NetBSD: distinfo,v 1.93 2018/11/10 21:14:53 maya Exp $ -SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296 -RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3 -SHA512 (tiff-4.0.9.tar.gz) = 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd -Size (tiff-4.0.9.tar.gz) = 2305681 bytes -SHA1 (patch-CVE-2017-11613) = 76db7d185ef5b82e7136ce451432e3e4b0cc5c12 -SHA1 (patch-CVE-2017-18013) = ebfdfb964aeafb3d8af2f7ad151270d8133f3e96 -SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610 -SHA1 (patch-CVE-2018-10963) = 564b65546c0e63a00d87ef9bb9d9cc8c5ca5a4ee -SHA1 (patch-CVE-2018-17100) = 85290ca7d806087e640b1a6f5c3de5dda9c2060e -SHA1 (patch-CVE-2018-17101) = 02039854f7c79d5937d585ca3e6355a7f41b7d1a -SHA1 (patch-CVE-2018-5784) = 26e2c196b4150958dd37b33c1900c5baa6188661 -SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc +SHA1 (tiff-4.0.10.tar.gz) = c783b80f05cdacf282aa022dc5f5b0ede5e021ae +RMD160 (tiff-4.0.10.tar.gz) = b25cc4002f2493e71763d0a465a50e9d6ee2aff0 +SHA512 (tiff-4.0.10.tar.gz) = d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 +Size (tiff-4.0.10.tar.gz) = 2402867 bytes SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6 -SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3 -SHA1 (patch-libtiff_tif__read.c) = a69f7a462e0dfe6b01240816ed546d7e381044e8 -SHA1 (patch-tools_pal2rgb.c) = f91652e8013940c162add870ceb9845e2730bc2c diff --git a/graphics/tiff/patches/patch-CVE-2017-11613 b/graphics/tiff/patches/patch-CVE-2017-11613 deleted file mode 100644 index 3097d623c78..00000000000 --- a/graphics/tiff/patches/patch-CVE-2017-11613 +++ /dev/null @@ -1,113 +0,0 @@ -$NetBSD: patch-CVE-2017-11613,v 1.1 2018/10/28 09:45:07 spz Exp $ - -patch for CVE-2017-11613 taken from upstream git repo - ---- libtiff/tif_dirread.c.orig 2017-09-16 19:07:56.000000000 +0000 -+++ libtiff/tif_dirread.c -@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif - static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); - static void ChopUpSingleUncompressedStrip(TIFF*); - static uint64 TIFFReadUInt64(const uint8 *value); -+static int _TIFFGetMaxColorChannels(uint16 photometric); - - static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); - -@@ -3507,6 +3508,35 @@ static void TIFFReadDirEntryOutputErr(TI - } - - /* -+ * Return the maximum number of color channels specified for a given photometric -+ * type. 0 is returned if photometric type isn't supported or no default value -+ * is defined by the specification. -+ */ -+static int _TIFFGetMaxColorChannels( uint16 photometric ) -+{ -+ switch (photometric) { -+ case PHOTOMETRIC_PALETTE: -+ case PHOTOMETRIC_MINISWHITE: -+ case PHOTOMETRIC_MINISBLACK: -+ return 1; -+ case PHOTOMETRIC_YCBCR: -+ case PHOTOMETRIC_RGB: -+ case PHOTOMETRIC_CIELAB: -+ return 3; -+ case PHOTOMETRIC_SEPARATED: -+ case PHOTOMETRIC_MASK: -+ return 4; -+ case PHOTOMETRIC_LOGL: -+ case PHOTOMETRIC_LOGLUV: -+ case PHOTOMETRIC_CFA: -+ case PHOTOMETRIC_ITULAB: -+ case PHOTOMETRIC_ICCLAB: -+ default: -+ return 0; -+ } -+} -+ -+/* - * Read the next TIFF directory from a file and convert it to the internal - * format. We read directories sequentially. - */ -@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif) - uint32 fii=FAILED_FII; - toff_t nextdiroff; - int bitspersample_read = FALSE; -+ int color_channels; - - tif->tif_diroff=tif->tif_nextdiroff; - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) -@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif) - } - } - } -+ -+ /* -+ * Make sure all non-color channels are extrasamples. -+ * If it's not the case, define them as such. -+ */ -+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); -+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { -+ uint16 old_extrasamples; -+ uint16 *new_sampleinfo; -+ -+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " -+ "color channels and ExtraSamples doesn't match SamplesPerPixel. " -+ "Defining non-color channels as ExtraSamples."); -+ -+ old_extrasamples = tif->tif_dir.td_extrasamples; -+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); -+ -+ // sampleinfo should contain information relative to these new extra samples -+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); -+ if (!new_sampleinfo) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " -+ "temporary new sampleinfo array (%d 16 bit elements)", -+ tif->tif_dir.td_extrasamples); -+ goto bad; -+ } -+ -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); -+ _TIFFfree(new_sampleinfo); -+ } -+ - /* - * Verify Palette image has a Colormap. - */ -@@ -5698,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - if( nstrips == 0 ) - return; - -+ /* If we are going to allocate a lot of memory, make sure that the */ -+ /* file is as big as needed */ -+ if( tif->tif_mode == O_RDONLY && -+ nstrips > 1000000 && -+ (offset >= TIFFGetFileSize(tif) || -+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) -+ { -+ return; -+ } -+ - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripByteCounts\" array"); - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/graphics/tiff/patches/patch-CVE-2017-18013 b/graphics/tiff/patches/patch-CVE-2017-18013 deleted file mode 100644 index 755fd323193..00000000000 --- a/graphics/tiff/patches/patch-CVE-2017-18013 +++ /dev/null @@ -1,24 +0,0 @@ -$NetBSD: patch-CVE-2017-18013,v 1.1 2018/10/28 09:45:07 spz Exp $ - -patch for patch-CVE-2017-18013 from upstream git repo - ---- libtiff/tif_print.c.orig 2016-11-25 17:26:23.000000000 +0000 -+++ libtiff/tif_print.c 2018-10-09 17:35:21.544815948 +0000 -@@ -667,13 +667,13 @@ - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", - (unsigned long) s, -- (unsigned __int64) td->td_stripoffset[s], -- (unsigned __int64) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); - #else - fprintf(fd, " %3lu: [%8llu, %8llu]\n", - (unsigned long) s, -- (unsigned long long) td->td_stripoffset[s], -- (unsigned long long) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); - #endif - } - } diff --git a/graphics/tiff/patches/patch-CVE-2017-9935 b/graphics/tiff/patches/patch-CVE-2017-9935 deleted file mode 100644 index dbfe53aa0f1..00000000000 --- a/graphics/tiff/patches/patch-CVE-2017-9935 +++ /dev/null @@ -1,119 +0,0 @@ -$NetBSD: patch-CVE-2017-9935,v 1.1 2018/01/16 23:52:06 tez Exp $ - -Patch for cve-2017-9935 from upstream git repo - - ---- libtiff/tif_dir.c.orig -+++ libtiff/tif_dir.c -@@ -1065,6 +1065,9 @@ - if (td->td_samplesperpixel - td->td_extrasamples > 1) { - *va_arg(ap, uint16**) = td->td_transferfunction[1]; - *va_arg(ap, uint16**) = td->td_transferfunction[2]; -+ } else { -+ *va_arg(ap, uint16**) = NULL; -+ *va_arg(ap, uint16**) = NULL; - } - break; - case TIFFTAG_REFERENCEBLACKWHITE: - ---- tools/tiff2pdf.c.orig 2017-10-29 18:50:41.000000000 +0000 -+++ tools/tiff2pdf.c -@@ -237,7 +237,7 @@ typedef struct { - float tiff_whitechromaticities[2]; - float tiff_primarychromaticities[6]; - float tiff_referenceblackwhite[2]; -- float* tiff_transferfunction[3]; -+ uint16* tiff_transferfunction[3]; - int pdf_image_interpolate; /* 0 (default) : do not interpolate, - 1 : interpolate */ - uint16 tiff_transferfunctioncount; -@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* - uint16 pagen=0; - uint16 paged=0; - uint16 xuint16=0; -+ uint16 tiff_transferfunctioncount=0; -+ uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); -@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* - } - #endif - if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, -- &(t2p->tiff_transferfunction[0]), -- &(t2p->tiff_transferfunction[1]), -- &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -- t2p->tiff_transferfunctioncount = 3; -- t2p->tiff_pages[i].page_extra += 4; -- t2p->pdf_xrefcount += 4; -- } else { -- t2p->tiff_transferfunctioncount = 1; -- t2p->tiff_pages[i].page_extra += 2; -- t2p->pdf_xrefcount += 2; -- } -- if(t2p->pdf_minorversion < 2) -- t2p->pdf_minorversion = 2; -+ &(tiff_transferfunction[0]), -+ &(tiff_transferfunction[1]), -+ &(tiff_transferfunction[2]))) { -+ -+ if((tiff_transferfunction[1] != (uint16*) NULL) && -+ (tiff_transferfunction[2] != (uint16*) NULL) -+ ) { -+ tiff_transferfunctioncount=3; -+ } else { -+ tiff_transferfunctioncount=1; -+ } - } else { -- t2p->tiff_transferfunctioncount=0; -+ tiff_transferfunctioncount=0; - } -+ -+ if (i > 0){ -+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Different transfer function on page %d", -+ i); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } -+ } -+ -+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; -+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; -+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; -+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; -+ if(tiff_transferfunctioncount == 3){ -+ t2p->tiff_pages[i].page_extra += 4; -+ t2p->pdf_xrefcount += 4; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } else if (tiff_transferfunctioncount == 1){ -+ t2p->tiff_pages[i].page_extra += 2; -+ t2p->pdf_xrefcount += 2; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } -+ - if( TIFFGetField( - input, - TIFFTAG_ICCPROFILE, -@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && -+ (t2p->tiff_transferfunction[2] != (uint16*) NULL) -+ ) { - t2p->tiff_transferfunctioncount=3; - } else { - t2p->tiff_transferfunctioncount=1; diff --git a/graphics/tiff/patches/patch-CVE-2018-10963 b/graphics/tiff/patches/patch-CVE-2018-10963 deleted file mode 100644 index 1305c24a45a..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-10963 +++ /dev/null @@ -1,20 +0,0 @@ -$NetBSD: patch-CVE-2018-10963,v 1.1 2018/10/28 09:45:07 spz Exp $ - -patch for CVE-2018-10963 from upstream git repo - ---- libtiff/tif_dirwrite.c.orig 2017-08-29 13:39:48.000000000 +0000 -+++ libtiff/tif_dirwrite.c -@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi - } - break; - default: -- assert(0); /* we should never get here */ -- break; -+ TIFFErrorExt(tif->tif_clientdata,module, -+ "Cannot write tag %d (%s)", -+ TIFFFieldTag(o), -+ o->field_name ? o->field_name : "unknown"); -+ goto bad; - } - } - } diff --git a/graphics/tiff/patches/patch-CVE-2018-17100 b/graphics/tiff/patches/patch-CVE-2018-17100 deleted file mode 100644 index d7b01b89640..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-17100 +++ /dev/null @@ -1,30 +0,0 @@ -$NetBSD: patch-CVE-2018-17100,v 1.1 2018/10/28 09:45:07 spz Exp $ - -Patch for CVE-2018-17100 from upstream git repo - ---- tools/ppm2tiff.c.orig 2015-08-28 22:17:08.000000000 +0000 -+++ tools/ppm2tiff.c 2018-10-09 17:20:10.068567016 +0000 -@@ -72,16 +72,17 @@ - exit(-2); - } - -+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) -+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -+ - static tmsize_t - multiply_ms(tmsize_t m1, tmsize_t m2) - { -- tmsize_t bytes = m1 * m2; -- -- if (m1 && bytes / m1 != m2) -- bytes = 0; -+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) -+ return 0; - -- return bytes; --} -+ return m1 * m2; -+} - - int - main(int argc, char* argv[]) diff --git a/graphics/tiff/patches/patch-CVE-2018-17101 b/graphics/tiff/patches/patch-CVE-2018-17101 deleted file mode 100644 index 76fc917f66e..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-17101 +++ /dev/null @@ -1,56 +0,0 @@ -$NetBSD: patch-CVE-2018-17101,v 1.1 2018/10/28 09:45:07 spz Exp $ - -Patch for CVE-2018-17101 from upstream git repo - ---- tools/pal2rgb.c.orig 2015-08-28 22:17:08.000000000 +0000 -+++ tools/pal2rgb.c -@@ -391,7 +392,23 @@ cpTags(TIFF* in, TIFF* out) - { - struct cpTag *p; - for (p = tags; p < &tags[NTAGS]; p++) -+ { -+ if( p->tag == TIFFTAG_GROUP3OPTIONS ) -+ { -+ uint16 compression; -+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || -+ compression != COMPRESSION_CCITTFAX3 ) -+ continue; -+ } -+ if( p->tag == TIFFTAG_GROUP4OPTIONS ) -+ { -+ uint16 compression; -+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || -+ compression != COMPRESSION_CCITTFAX4 ) -+ continue; -+ } - cpTag(in, out, p->tag, p->count, p->type); -+ } - } - #undef NTAGS - ---- tools/tiff2bw.c.orig 2017-11-01 13:41:58.000000000 +0000 -+++ tools/tiff2bw.c -@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out) - { - struct cpTag *p; - for (p = tags; p < &tags[NTAGS]; p++) -+ { -+ if( p->tag == TIFFTAG_GROUP3OPTIONS ) -+ { -+ uint16 compression; -+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || -+ compression != COMPRESSION_CCITTFAX3 ) -+ continue; -+ } -+ if( p->tag == TIFFTAG_GROUP4OPTIONS ) -+ { -+ uint16 compression; -+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || -+ compression != COMPRESSION_CCITTFAX4 ) -+ continue; -+ } - cpTag(in, out, p->tag, p->count, p->type); -+ } - } - #undef NTAGS - diff --git a/graphics/tiff/patches/patch-CVE-2018-5784 b/graphics/tiff/patches/patch-CVE-2018-5784 deleted file mode 100644 index 5f56b4d7d68..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-5784 +++ /dev/null @@ -1,110 +0,0 @@ -$NetBSD: patch-CVE-2018-5784,v 1.1 2018/10/28 09:45:07 spz Exp $ - -patch for patch-CVE-2018-5784 from upstream git repo - ---- contrib/addtiffo/tif_overview.c.orig 2015-05-30 21:11:52.000000000 +0000 -+++ contrib/addtiffo/tif_overview.c -@@ -65,6 +65,8 @@ - # define MAX(a,b) ((a>b) ? a : b) - #endif - -+#define TIFF_DIR_MAX 65534 -+ - void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, - int (*)(double,void*), void * ); - -@@ -91,6 +93,9 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, - { - toff_t nBaseDirOffset; - toff_t nOffset; -+ tdir_t iNumDir; -+ -+ - - (void) bUseSubIFDs; - -@@ -147,7 +152,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, - return 0; - - TIFFWriteDirectory( hTIFF ); -- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); -+ iNumDir = TIFFNumberOfDirectories(hTIFF); -+ if( iNumDir > TIFF_DIR_MAX ) -+ { -+ TIFFErrorExt( TIFFClientdata(hTIFF), -+ "TIFF_WriteOverview", -+ "File `%s' has too many directories.\n", -+ TIFFFileName(hTIFF) ); -+ exit(-1); -+ } -+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); - - nOffset = TIFFCurrentDirOffset( hTIFF ); - ---- tools/tiff2pdf.c.orig 2017-10-29 18:50:41.000000000 +0000 -+++ tools/tiff2pdf.c -@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); - - #define PS_UNIT_SIZE 72.0F - -+#define TIFF_DIR_MAX 65534 -+ - /* This type is of PDF color spaces. */ - typedef enum { - T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ -@@ -1047,10 +1049,18 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* - uint16 pagen=0; - uint16 paged=0; - uint16 xuint16=0; - uint16 tiff_transferfunctioncount=0; - uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); -+ if(directorycount > TIFF_DIR_MAX) { -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "TIFF contains too many directories, %s", -+ TIFFFileName(input)); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); - if(t2p->tiff_pages==NULL){ - TIFFError( - ---- tools/tiffcrop.c.orig 2017-01-15 16:00:09.000000000 +0000 -+++ tools/tiffcrop.c -@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const - #define DUMP_TEXT 1 - #define DUMP_RAW 2 - -+#define TIFF_DIR_MAX 65534 -+ - /* Offsets into buffer for margins and fixed width and length segments */ - struct offset { - uint32 tmargin; -@@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) - pageNum = -1; - else - total_images = 0; -- /* read multiple input files and write to output file(s) */ -+ /* Read multiple input files and write to output file(s) */ - while (optind < argc - 1) - { - in = TIFFOpen (argv[optind], "r"); -@@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) - return (-3); - - /* If only one input file is specified, we can use directory count */ -- total_images = TIFFNumberOfDirectories(in); -+ total_images = TIFFNumberOfDirectories(in); -+ if (total_images > TIFF_DIR_MAX) -+ { -+ TIFFError (TIFFFileName(in), "File contains too many directories"); -+ if (out != NULL) -+ (void) TIFFClose(out); -+ return (1); -+ } - if (image_count == 0) - { - dirnum = 0; diff --git a/graphics/tiff/patches/patch-CVE-2018-8905 b/graphics/tiff/patches/patch-CVE-2018-8905 deleted file mode 100644 index 5df66525568..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-8905 +++ /dev/null @@ -1,40 +0,0 @@ -$NetBSD: patch-CVE-2018-8905,v 1.1 2018/06/21 23:11:04 tez Exp $ - -fix CVE-2018-8905 from https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d - - ---- libtiff/tif_lzw.c.orig 2017-07-11 13:27:35.000000000 +0000 -+++ libtiff/tif_lzw.c -@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t - char *tp; - unsigned char *bp; - int code, nbits; -+ int len; - long nextbits, nextdata, nbitsmask; - code_t *codep, *free_entp, *maxcodep, *oldcodep; - -@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t - } while (--occ); - break; - } -- assert(occ >= codep->length); -- op += codep->length; -- occ -= codep->length; -- tp = op; -+ len = codep->length; -+ tp = op + len; - do { -- *--tp = codep->value; -- } while( (codep = codep->next) != NULL ); -+ int t; -+ --tp; -+ t = codep->value; -+ codep = codep->next; -+ *tp = (char)t; -+ } while (codep && tp > op); -+ assert(occ >= len); -+ op += len; -+ occ -= len; - } else { - *op++ = (char)code; - occ--; diff --git a/graphics/tiff/patches/patch-libtiff_tif__jbig.c b/graphics/tiff/patches/patch-libtiff_tif__jbig.c deleted file mode 100644 index 38c4bb59ccc..00000000000 --- a/graphics/tiff/patches/patch-libtiff_tif__jbig.c +++ /dev/null @@ -1,77 +0,0 @@ -$NetBSD: patch-libtiff_tif__jbig.c,v 1.1 2018/10/25 22:58:05 maya Exp $ - -From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 (CVE-2018-18557) - -JBIGDecode doesn't check if the user provided buffer is large enough -to store the JBIG decoded image, which can potentially cause out-of-bounds -write in the buffer. -This issue was reported and analyzed by Thomas Dullien. - -Also fixes a (harmless) potential use of uninitialized memory when -tif->tif_rawsize > tif->tif_rawcc - ---- libtiff/tif_jbig.c.orig 2017-06-30 13:27:54.399206925 +0000 -+++ libtiff/tif_jbig.c -@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* - struct jbg_dec_state decoder; - int decodeStatus = 0; - unsigned char* pImage = NULL; -- (void) size, (void) s; -+ unsigned long decodedSize; -+ (void) s; - - if (isFillOrder(tif, tif->tif_dir.td_fillorder)) - { -- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); -+ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); - } - - jbg_dec_init(&decoder); - - #if defined(HAVE_JBG_NEWLEN) -- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); -+ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); - /* - * I do not check the return status of jbg_newlen because even if this - * function fails it does not necessarily mean that decoding the image -@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* - */ - #endif /* HAVE_JBG_NEWLEN */ - -- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, -- (size_t)tif->tif_rawdatasize, NULL); -+ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, -+ (size_t)tif->tif_rawcc, NULL); - if (JBG_EOK != decodeStatus) - { - /* -@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* - return 0; - } - -+ decodedSize = jbg_dec_getsize(&decoder); -+ if( (tmsize_t)decodedSize < size ) -+ { -+ TIFFWarningExt(tif->tif_clientdata, "JBIG", -+ "Only decoded %lu bytes, whereas %lu requested", -+ decodedSize, (unsigned long)size); -+ } -+ else if( (tmsize_t)decodedSize > size ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "JBIG", -+ "Decoded %lu bytes, whereas %lu were requested", -+ decodedSize, (unsigned long)size); -+ jbg_dec_free(&decoder); -+ return 0; -+ } - pImage = jbg_dec_getimage(&decoder, 0); -- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); -+ _TIFFmemcpy(buffer, pImage, decodedSize); - jbg_dec_free(&decoder); -+ -+ tif->tif_rawcp += tif->tif_rawcc; -+ tif->tif_rawcc = 0; -+ - return 1; - } - diff --git a/graphics/tiff/patches/patch-libtiff_tif__read.c b/graphics/tiff/patches/patch-libtiff_tif__read.c deleted file mode 100644 index 10e0a9d4c17..00000000000 --- a/graphics/tiff/patches/patch-libtiff_tif__read.c +++ /dev/null @@ -1,23 +0,0 @@ -$NetBSD: patch-libtiff_tif__read.c,v 1.1 2018/10/25 22:58:05 maya Exp $ - -And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure -that whole strip data is provided to JBIGDecode() - -Part of commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66 which fixes -CVE-2018-18557 - ---- libtiff/tif_read.c.orig 2017-11-18 14:42:21.664534434 +0000 -+++ libtiff/tif_read.c -@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 s - return 0; - whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 - || isMapped(tif); -+ if( td->td_compression == COMPRESSION_JBIG ) -+ { -+ /* Ideally plugins should have a way to declare they don't support -+ * chunk strip */ -+ whole_strip = 1; -+ } - #else - whole_strip = 1; - #endif diff --git a/graphics/tiff/patches/patch-tools_pal2rgb.c b/graphics/tiff/patches/patch-tools_pal2rgb.c deleted file mode 100644 index 43506087056..00000000000 --- a/graphics/tiff/patches/patch-tools_pal2rgb.c +++ /dev/null @@ -1,23 +0,0 @@ -$NetBSD: patch-tools_pal2rgb.c,v 1.1 2017/12/03 09:07:06 maya Exp $ - -CVE-2017-17095 Heap-based buffer overflow bug in pal2rgb - ---- tools/pal2rgb.c.orig 2015-08-28 22:17:08.172200823 +0000 -+++ tools/pal2rgb.c -@@ -39,6 +39,7 @@ - # include "libport.h" - #endif - -+#include "tiffiop.h" - #include "tiffio.h" - - #define streq(a,b) (strcmp(a,b) == 0) -@@ -185,7 +186,7 @@ - register unsigned char* pp; - register uint32 x; - ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); -- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); -+ obuf = (unsigned char*)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, 3*sizeof(short))); - switch (config) { - case PLANARCONFIG_CONTIG: - for (row = 0; row < imagelength; row++) { |