diff options
Diffstat (limited to 'graphics/tiff/patches')
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2017-11613 | 113 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2017-18013 | 24 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2017-9935 | 119 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-10963 | 20 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-17100 | 30 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-17101 | 56 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-5784 | 110 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-CVE-2018-8905 | 40 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif__jbig.c | 77 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif__read.c | 23 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-tools_pal2rgb.c | 23 |
11 files changed, 0 insertions, 635 deletions
diff --git a/graphics/tiff/patches/patch-CVE-2017-11613 b/graphics/tiff/patches/patch-CVE-2017-11613 deleted file mode 100644 index a46137e48c0..00000000000 --- a/graphics/tiff/patches/patch-CVE-2017-11613 +++ /dev/null @@ -1,113 +0,0 @@ -$NetBSD: patch-CVE-2017-11613,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $ - -patch for CVE-2017-11613 taken from upstream git repo - ---- libtiff/tif_dirread.c.orig 2017-09-16 19:07:56.000000000 +0000 -+++ libtiff/tif_dirread.c -@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif - static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); - static void ChopUpSingleUncompressedStrip(TIFF*); - static uint64 TIFFReadUInt64(const uint8 *value); -+static int _TIFFGetMaxColorChannels(uint16 photometric); - - static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); - -@@ -3507,6 +3508,35 @@ static void TIFFReadDirEntryOutputErr(TI - } - - /* -+ * Return the maximum number of color channels specified for a given photometric -+ * type. 0 is returned if photometric type isn't supported or no default value -+ * is defined by the specification. -+ */ -+static int _TIFFGetMaxColorChannels( uint16 photometric ) -+{ -+ switch (photometric) { -+ case PHOTOMETRIC_PALETTE: -+ case PHOTOMETRIC_MINISWHITE: -+ case PHOTOMETRIC_MINISBLACK: -+ return 1; -+ case PHOTOMETRIC_YCBCR: -+ case PHOTOMETRIC_RGB: -+ case PHOTOMETRIC_CIELAB: -+ return 3; -+ case PHOTOMETRIC_SEPARATED: -+ case PHOTOMETRIC_MASK: -+ return 4; -+ case PHOTOMETRIC_LOGL: -+ case PHOTOMETRIC_LOGLUV: -+ case PHOTOMETRIC_CFA: -+ case PHOTOMETRIC_ITULAB: -+ case PHOTOMETRIC_ICCLAB: -+ default: -+ return 0; -+ } -+} -+ -+/* - * Read the next TIFF directory from a file and convert it to the internal - * format. We read directories sequentially. - */ -@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif) - uint32 fii=FAILED_FII; - toff_t nextdiroff; - int bitspersample_read = FALSE; -+ int color_channels; - - tif->tif_diroff=tif->tif_nextdiroff; - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) -@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif) - } - } - } -+ -+ /* -+ * Make sure all non-color channels are extrasamples. -+ * If it's not the case, define them as such. -+ */ -+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); -+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { -+ uint16 old_extrasamples; -+ uint16 *new_sampleinfo; -+ -+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " -+ "color channels and ExtraSamples doesn't match SamplesPerPixel. " -+ "Defining non-color channels as ExtraSamples."); -+ -+ old_extrasamples = tif->tif_dir.td_extrasamples; -+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); -+ -+ // sampleinfo should contain information relative to these new extra samples -+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); -+ if (!new_sampleinfo) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " -+ "temporary new sampleinfo array (%d 16 bit elements)", -+ tif->tif_dir.td_extrasamples); -+ goto bad; -+ } -+ -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); -+ _TIFFfree(new_sampleinfo); -+ } -+ - /* - * Verify Palette image has a Colormap. - */ -@@ -5698,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - if( nstrips == 0 ) - return; - -+ /* If we are going to allocate a lot of memory, make sure that the */ -+ /* file is as big as needed */ -+ if( tif->tif_mode == O_RDONLY && -+ nstrips > 1000000 && -+ (offset >= TIFFGetFileSize(tif) || -+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) -+ { -+ return; -+ } -+ - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripByteCounts\" array"); - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/graphics/tiff/patches/patch-CVE-2017-18013 b/graphics/tiff/patches/patch-CVE-2017-18013 deleted file mode 100644 index a29897c7cdf..00000000000 --- a/graphics/tiff/patches/patch-CVE-2017-18013 +++ /dev/null @@ -1,24 +0,0 @@ -$NetBSD: patch-CVE-2017-18013,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $ - -patch for patch-CVE-2017-18013 from upstream git repo - ---- libtiff/tif_print.c.orig 2016-11-25 17:26:23.000000000 +0000 -+++ libtiff/tif_print.c 2018-10-09 17:35:21.544815948 +0000 -@@ -667,13 +667,13 @@ - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", - (unsigned long) s, -- (unsigned __int64) td->td_stripoffset[s], -- (unsigned __int64) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); - #else - fprintf(fd, " %3lu: [%8llu, %8llu]\n", - (unsigned long) s, -- (unsigned long long) td->td_stripoffset[s], -- (unsigned long long) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); - #endif - } - } diff --git a/graphics/tiff/patches/patch-CVE-2017-9935 b/graphics/tiff/patches/patch-CVE-2017-9935 deleted file mode 100644 index dbfe53aa0f1..00000000000 --- a/graphics/tiff/patches/patch-CVE-2017-9935 +++ /dev/null @@ -1,119 +0,0 @@ -$NetBSD: patch-CVE-2017-9935,v 1.1 2018/01/16 23:52:06 tez Exp $ - -Patch for cve-2017-9935 from upstream git repo - - ---- libtiff/tif_dir.c.orig -+++ libtiff/tif_dir.c -@@ -1065,6 +1065,9 @@ - if (td->td_samplesperpixel - td->td_extrasamples > 1) { - *va_arg(ap, uint16**) = td->td_transferfunction[1]; - *va_arg(ap, uint16**) = td->td_transferfunction[2]; -+ } else { -+ *va_arg(ap, uint16**) = NULL; -+ *va_arg(ap, uint16**) = NULL; - } - break; - case TIFFTAG_REFERENCEBLACKWHITE: - ---- tools/tiff2pdf.c.orig 2017-10-29 18:50:41.000000000 +0000 -+++ tools/tiff2pdf.c -@@ -237,7 +237,7 @@ typedef struct { - float tiff_whitechromaticities[2]; - float tiff_primarychromaticities[6]; - float tiff_referenceblackwhite[2]; -- float* tiff_transferfunction[3]; -+ uint16* tiff_transferfunction[3]; - int pdf_image_interpolate; /* 0 (default) : do not interpolate, - 1 : interpolate */ - uint16 tiff_transferfunctioncount; -@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* - uint16 pagen=0; - uint16 paged=0; - uint16 xuint16=0; -+ uint16 tiff_transferfunctioncount=0; -+ uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); -@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* - } - #endif - if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, -- &(t2p->tiff_transferfunction[0]), -- &(t2p->tiff_transferfunction[1]), -- &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -- t2p->tiff_transferfunctioncount = 3; -- t2p->tiff_pages[i].page_extra += 4; -- t2p->pdf_xrefcount += 4; -- } else { -- t2p->tiff_transferfunctioncount = 1; -- t2p->tiff_pages[i].page_extra += 2; -- t2p->pdf_xrefcount += 2; -- } -- if(t2p->pdf_minorversion < 2) -- t2p->pdf_minorversion = 2; -+ &(tiff_transferfunction[0]), -+ &(tiff_transferfunction[1]), -+ &(tiff_transferfunction[2]))) { -+ -+ if((tiff_transferfunction[1] != (uint16*) NULL) && -+ (tiff_transferfunction[2] != (uint16*) NULL) -+ ) { -+ tiff_transferfunctioncount=3; -+ } else { -+ tiff_transferfunctioncount=1; -+ } - } else { -- t2p->tiff_transferfunctioncount=0; -+ tiff_transferfunctioncount=0; - } -+ -+ if (i > 0){ -+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Different transfer function on page %d", -+ i); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } -+ } -+ -+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; -+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; -+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; -+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; -+ if(tiff_transferfunctioncount == 3){ -+ t2p->tiff_pages[i].page_extra += 4; -+ t2p->pdf_xrefcount += 4; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } else if (tiff_transferfunctioncount == 1){ -+ t2p->tiff_pages[i].page_extra += 2; -+ t2p->pdf_xrefcount += 2; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } -+ - if( TIFFGetField( - input, - TIFFTAG_ICCPROFILE, -@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && -+ (t2p->tiff_transferfunction[2] != (uint16*) NULL) -+ ) { - t2p->tiff_transferfunctioncount=3; - } else { - t2p->tiff_transferfunctioncount=1; diff --git a/graphics/tiff/patches/patch-CVE-2018-10963 b/graphics/tiff/patches/patch-CVE-2018-10963 deleted file mode 100644 index 37aeb115e1a..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-10963 +++ /dev/null @@ -1,20 +0,0 @@ -$NetBSD: patch-CVE-2018-10963,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $ - -patch for CVE-2018-10963 from upstream git repo - ---- libtiff/tif_dirwrite.c.orig 2017-08-29 13:39:48.000000000 +0000 -+++ libtiff/tif_dirwrite.c -@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi - } - break; - default: -- assert(0); /* we should never get here */ -- break; -+ TIFFErrorExt(tif->tif_clientdata,module, -+ "Cannot write tag %d (%s)", -+ TIFFFieldTag(o), -+ o->field_name ? o->field_name : "unknown"); -+ goto bad; - } - } - } diff --git a/graphics/tiff/patches/patch-CVE-2018-17100 b/graphics/tiff/patches/patch-CVE-2018-17100 deleted file mode 100644 index 117c66e45fb..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-17100 +++ /dev/null @@ -1,30 +0,0 @@ -$NetBSD: patch-CVE-2018-17100,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $ - -Patch for CVE-2018-17100 from upstream git repo - ---- tools/ppm2tiff.c.orig 2015-08-28 22:17:08.000000000 +0000 -+++ tools/ppm2tiff.c 2018-10-09 17:20:10.068567016 +0000 -@@ -72,16 +72,17 @@ - exit(-2); - } - -+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) -+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -+ - static tmsize_t - multiply_ms(tmsize_t m1, tmsize_t m2) - { -- tmsize_t bytes = m1 * m2; -- -- if (m1 && bytes / m1 != m2) -- bytes = 0; -+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) -+ return 0; - -- return bytes; --} -+ return m1 * m2; -+} - - int - main(int argc, char* argv[]) diff --git a/graphics/tiff/patches/patch-CVE-2018-17101 b/graphics/tiff/patches/patch-CVE-2018-17101 deleted file mode 100644 index 7a109e1c334..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-17101 +++ /dev/null @@ -1,56 +0,0 @@ -$NetBSD: patch-CVE-2018-17101,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $ - -Patch for CVE-2018-17101 from upstream git repo - ---- tools/pal2rgb.c.orig 2015-08-28 22:17:08.000000000 +0000 -+++ tools/pal2rgb.c -@@ -391,7 +392,23 @@ cpTags(TIFF* in, TIFF* out) - { - struct cpTag *p; - for (p = tags; p < &tags[NTAGS]; p++) -+ { -+ if( p->tag == TIFFTAG_GROUP3OPTIONS ) -+ { -+ uint16 compression; -+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || -+ compression != COMPRESSION_CCITTFAX3 ) -+ continue; -+ } -+ if( p->tag == TIFFTAG_GROUP4OPTIONS ) -+ { -+ uint16 compression; -+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || -+ compression != COMPRESSION_CCITTFAX4 ) -+ continue; -+ } - cpTag(in, out, p->tag, p->count, p->type); -+ } - } - #undef NTAGS - ---- tools/tiff2bw.c.orig 2017-11-01 13:41:58.000000000 +0000 -+++ tools/tiff2bw.c -@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out) - { - struct cpTag *p; - for (p = tags; p < &tags[NTAGS]; p++) -+ { -+ if( p->tag == TIFFTAG_GROUP3OPTIONS ) -+ { -+ uint16 compression; -+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || -+ compression != COMPRESSION_CCITTFAX3 ) -+ continue; -+ } -+ if( p->tag == TIFFTAG_GROUP4OPTIONS ) -+ { -+ uint16 compression; -+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || -+ compression != COMPRESSION_CCITTFAX4 ) -+ continue; -+ } - cpTag(in, out, p->tag, p->count, p->type); -+ } - } - #undef NTAGS - diff --git a/graphics/tiff/patches/patch-CVE-2018-5784 b/graphics/tiff/patches/patch-CVE-2018-5784 deleted file mode 100644 index 82bba8a9814..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-5784 +++ /dev/null @@ -1,110 +0,0 @@ -$NetBSD: patch-CVE-2018-5784,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $ - -patch for patch-CVE-2018-5784 from upstream git repo - ---- contrib/addtiffo/tif_overview.c.orig 2015-05-30 21:11:52.000000000 +0000 -+++ contrib/addtiffo/tif_overview.c -@@ -65,6 +65,8 @@ - # define MAX(a,b) ((a>b) ? a : b) - #endif - -+#define TIFF_DIR_MAX 65534 -+ - void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, - int (*)(double,void*), void * ); - -@@ -91,6 +93,9 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, - { - toff_t nBaseDirOffset; - toff_t nOffset; -+ tdir_t iNumDir; -+ -+ - - (void) bUseSubIFDs; - -@@ -147,7 +152,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, - return 0; - - TIFFWriteDirectory( hTIFF ); -- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); -+ iNumDir = TIFFNumberOfDirectories(hTIFF); -+ if( iNumDir > TIFF_DIR_MAX ) -+ { -+ TIFFErrorExt( TIFFClientdata(hTIFF), -+ "TIFF_WriteOverview", -+ "File `%s' has too many directories.\n", -+ TIFFFileName(hTIFF) ); -+ exit(-1); -+ } -+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); - - nOffset = TIFFCurrentDirOffset( hTIFF ); - ---- tools/tiff2pdf.c.orig 2017-10-29 18:50:41.000000000 +0000 -+++ tools/tiff2pdf.c -@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); - - #define PS_UNIT_SIZE 72.0F - -+#define TIFF_DIR_MAX 65534 -+ - /* This type is of PDF color spaces. */ - typedef enum { - T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ -@@ -1047,10 +1049,18 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* - uint16 pagen=0; - uint16 paged=0; - uint16 xuint16=0; - uint16 tiff_transferfunctioncount=0; - uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); -+ if(directorycount > TIFF_DIR_MAX) { -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "TIFF contains too many directories, %s", -+ TIFFFileName(input)); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); - if(t2p->tiff_pages==NULL){ - TIFFError( - ---- tools/tiffcrop.c.orig 2017-01-15 16:00:09.000000000 +0000 -+++ tools/tiffcrop.c -@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const - #define DUMP_TEXT 1 - #define DUMP_RAW 2 - -+#define TIFF_DIR_MAX 65534 -+ - /* Offsets into buffer for margins and fixed width and length segments */ - struct offset { - uint32 tmargin; -@@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) - pageNum = -1; - else - total_images = 0; -- /* read multiple input files and write to output file(s) */ -+ /* Read multiple input files and write to output file(s) */ - while (optind < argc - 1) - { - in = TIFFOpen (argv[optind], "r"); -@@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) - return (-3); - - /* If only one input file is specified, we can use directory count */ -- total_images = TIFFNumberOfDirectories(in); -+ total_images = TIFFNumberOfDirectories(in); -+ if (total_images > TIFF_DIR_MAX) -+ { -+ TIFFError (TIFFFileName(in), "File contains too many directories"); -+ if (out != NULL) -+ (void) TIFFClose(out); -+ return (1); -+ } - if (image_count == 0) - { - dirnum = 0; diff --git a/graphics/tiff/patches/patch-CVE-2018-8905 b/graphics/tiff/patches/patch-CVE-2018-8905 deleted file mode 100644 index 5df66525568..00000000000 --- a/graphics/tiff/patches/patch-CVE-2018-8905 +++ /dev/null @@ -1,40 +0,0 @@ -$NetBSD: patch-CVE-2018-8905,v 1.1 2018/06/21 23:11:04 tez Exp $ - -fix CVE-2018-8905 from https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d - - ---- libtiff/tif_lzw.c.orig 2017-07-11 13:27:35.000000000 +0000 -+++ libtiff/tif_lzw.c -@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t - char *tp; - unsigned char *bp; - int code, nbits; -+ int len; - long nextbits, nextdata, nbitsmask; - code_t *codep, *free_entp, *maxcodep, *oldcodep; - -@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t - } while (--occ); - break; - } -- assert(occ >= codep->length); -- op += codep->length; -- occ -= codep->length; -- tp = op; -+ len = codep->length; -+ tp = op + len; - do { -- *--tp = codep->value; -- } while( (codep = codep->next) != NULL ); -+ int t; -+ --tp; -+ t = codep->value; -+ codep = codep->next; -+ *tp = (char)t; -+ } while (codep && tp > op); -+ assert(occ >= len); -+ op += len; -+ occ -= len; - } else { - *op++ = (char)code; - occ--; diff --git a/graphics/tiff/patches/patch-libtiff_tif__jbig.c b/graphics/tiff/patches/patch-libtiff_tif__jbig.c deleted file mode 100644 index 98256dc29a4..00000000000 --- a/graphics/tiff/patches/patch-libtiff_tif__jbig.c +++ /dev/null @@ -1,77 +0,0 @@ -$NetBSD: patch-libtiff_tif__jbig.c,v 1.1.2.2 2018/10/26 07:02:56 spz Exp $ - -From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 (CVE-2018-18557) - -JBIGDecode doesn't check if the user provided buffer is large enough -to store the JBIG decoded image, which can potentially cause out-of-bounds -write in the buffer. -This issue was reported and analyzed by Thomas Dullien. - -Also fixes a (harmless) potential use of uninitialized memory when -tif->tif_rawsize > tif->tif_rawcc - ---- libtiff/tif_jbig.c.orig 2017-06-30 13:27:54.399206925 +0000 -+++ libtiff/tif_jbig.c -@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* - struct jbg_dec_state decoder; - int decodeStatus = 0; - unsigned char* pImage = NULL; -- (void) size, (void) s; -+ unsigned long decodedSize; -+ (void) s; - - if (isFillOrder(tif, tif->tif_dir.td_fillorder)) - { -- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); -+ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); - } - - jbg_dec_init(&decoder); - - #if defined(HAVE_JBG_NEWLEN) -- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); -+ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); - /* - * I do not check the return status of jbg_newlen because even if this - * function fails it does not necessarily mean that decoding the image -@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* - */ - #endif /* HAVE_JBG_NEWLEN */ - -- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, -- (size_t)tif->tif_rawdatasize, NULL); -+ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, -+ (size_t)tif->tif_rawcc, NULL); - if (JBG_EOK != decodeStatus) - { - /* -@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* - return 0; - } - -+ decodedSize = jbg_dec_getsize(&decoder); -+ if( (tmsize_t)decodedSize < size ) -+ { -+ TIFFWarningExt(tif->tif_clientdata, "JBIG", -+ "Only decoded %lu bytes, whereas %lu requested", -+ decodedSize, (unsigned long)size); -+ } -+ else if( (tmsize_t)decodedSize > size ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "JBIG", -+ "Decoded %lu bytes, whereas %lu were requested", -+ decodedSize, (unsigned long)size); -+ jbg_dec_free(&decoder); -+ return 0; -+ } - pImage = jbg_dec_getimage(&decoder, 0); -- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); -+ _TIFFmemcpy(buffer, pImage, decodedSize); - jbg_dec_free(&decoder); -+ -+ tif->tif_rawcp += tif->tif_rawcc; -+ tif->tif_rawcc = 0; -+ - return 1; - } - diff --git a/graphics/tiff/patches/patch-libtiff_tif__read.c b/graphics/tiff/patches/patch-libtiff_tif__read.c deleted file mode 100644 index 529a4e3a5cb..00000000000 --- a/graphics/tiff/patches/patch-libtiff_tif__read.c +++ /dev/null @@ -1,23 +0,0 @@ -$NetBSD: patch-libtiff_tif__read.c,v 1.1.2.2 2018/10/26 07:02:56 spz Exp $ - -And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure -that whole strip data is provided to JBIGDecode() - -Part of commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66 which fixes -CVE-2018-18557 - ---- libtiff/tif_read.c.orig 2017-11-18 14:42:21.664534434 +0000 -+++ libtiff/tif_read.c -@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 s - return 0; - whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 - || isMapped(tif); -+ if( td->td_compression == COMPRESSION_JBIG ) -+ { -+ /* Ideally plugins should have a way to declare they don't support -+ * chunk strip */ -+ whole_strip = 1; -+ } - #else - whole_strip = 1; - #endif diff --git a/graphics/tiff/patches/patch-tools_pal2rgb.c b/graphics/tiff/patches/patch-tools_pal2rgb.c deleted file mode 100644 index 43506087056..00000000000 --- a/graphics/tiff/patches/patch-tools_pal2rgb.c +++ /dev/null @@ -1,23 +0,0 @@ -$NetBSD: patch-tools_pal2rgb.c,v 1.1 2017/12/03 09:07:06 maya Exp $ - -CVE-2017-17095 Heap-based buffer overflow bug in pal2rgb - ---- tools/pal2rgb.c.orig 2015-08-28 22:17:08.172200823 +0000 -+++ tools/pal2rgb.c -@@ -39,6 +39,7 @@ - # include "libport.h" - #endif - -+#include "tiffiop.h" - #include "tiffio.h" - - #define streq(a,b) (strcmp(a,b) == 0) -@@ -185,7 +186,7 @@ - register unsigned char* pp; - register uint32 x; - ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); -- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); -+ obuf = (unsigned char*)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, 3*sizeof(short))); - switch (config) { - case PLANARCONFIG_CONTIG: - for (row = 0; row < imagelength; row++) { |