diff options
Diffstat (limited to 'graphics/tiff/patches/patch-CVE-2018-19210')
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-19210 | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/graphics/tiff/patches/patch-CVE-2018-19210 b/graphics/tiff/patches/patch-CVE-2018-19210 new file mode 100644 index 00000000000..c64811fcd55 --- /dev/null +++ b/graphics/tiff/patches/patch-CVE-2018-19210 @@ -0,0 +1,74 @@ +$NetBSD: patch-CVE-2018-19210,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $ + +Fixes CVE-2018-19210 + +Upstream commits: +https://gitlab.com/libtiff/libtiff/commit/1edeee44c8b9cb3f647ac175d434f5d9f2b03aeb.patch +https://gitlab.com/libtiff/libtiff/commit/38ede78b13810ff0fa8e61f86ef9aa0ab2964668.patch + +--- libtiff/tif_dir.c.orig 2018-05-05 13:50:35.000000000 +0000 ++++ libtiff/tif_dir.c +@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, dou + * Install extra samples information. + */ + static int +-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) ++setExtraSamples(TIFF* tif, va_list ap, uint32* v) + { + /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */ + #define EXTRASAMPLE_COREL_UNASSALPHA 999 + + uint16* va; + uint32 i; ++ TIFFDirectory* td = &tif->tif_dir; ++ static const char module[] = "setExtraSamples"; + + *v = (uint16) va_arg(ap, uint16_vap); + if ((uint16) *v > td->td_samplesperpixel) +@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_li + return 0; + } + } ++ ++ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) && ++ !(td->td_samplesperpixel - td->td_extrasamples > 1)) ++ { ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "ExtraSamples tag value is changing, " ++ "but TransferFunction was read with a different value. Cancelling it"); ++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); ++ _TIFFfree(td->td_transferfunction[0]); ++ td->td_transferfunction[0] = NULL; ++ } ++ + td->td_extrasamples = (uint16) *v; + _TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples); + return 1; +@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va + _TIFFfree(td->td_smaxsamplevalue); + td->td_smaxsamplevalue = NULL; + } ++ /* Test if 3 transfer functions instead of just one are now needed ++ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */ ++ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) && ++ !(td->td_samplesperpixel - td->td_extrasamples > 1)) ++ { ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "SamplesPerPixel tag value is changing, " ++ "but TransferFunction was read with a different value. Cancelling it"); ++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); ++ _TIFFfree(td->td_transferfunction[0]); ++ td->td_transferfunction[0] = NULL; ++ } + } + td->td_samplesperpixel = (uint16) v; + break; +@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va + _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32); + break; + case TIFFTAG_EXTRASAMPLES: +- if (!setExtraSamples(td, ap, &v)) ++ if (!setExtraSamples(tif, ap, &v)) + goto badvalue; + break; + case TIFFTAG_MATTEING: |