
[alpine-aports] [PATCH v3.2] main/tiff: security fixes #6012

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Fri, 16 Dec 2016 14:36:01 +0000

CVE-2015-7554, CVE-2015-8668, CVE-2016-3945,
CVE-2016-3632, CVE-2016-3990, CVE-2016-3991
---
 main/tiff/APKBUILD            |  43 +++++++++++---
 main/tiff/CVE-2015-7554.patch |  25 +++++++++
 main/tiff/CVE-2015-8668.patch |  42 ++++++++++++++
 main/tiff/CVE-2016-3632.patch |  23 ++++++++
 main/tiff/CVE-2016-3945.patch |  97 ++++++++++++++++++++++++++++++++
 main/tiff/CVE-2016-3990.patch |  37 +++++++++++++
 main/tiff/CVE-2016-3991.patch | 126 ++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 384 insertions(+), 9 deletions(-)
 create mode 100644 main/tiff/CVE-2015-7554.patch
 create mode 100644 main/tiff/CVE-2015-8668.patch
 create mode 100644 main/tiff/CVE-2016-3632.patch
 create mode 100644 main/tiff/CVE-2016-3945.patch
 create mode 100644 main/tiff/CVE-2016-3990.patch
 create mode 100644 main/tiff/CVE-2016-3991.patch
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index caf0a48..86d423d 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
_at_@ -1,8 +1,9 @@
 # Contributor: Leonardo Arena <rnalrd_at_alpinelinux.org>
+# Contributor: Sergey Lukin <sergej.lukin_at_gmail.com>
 # Maintainer: Michael Mason <ms13sp_at_gmail.com>
 pkgname=tiff
 pkgver=4.0.6
-pkgrel=1
+pkgrel=2
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
_at_@ -11,17 +12,23 @@ depends=
 depends_dev="zlib-dev libjpeg-turbo-dev"
 makedepends="libtool autoconf automake $depends_dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
-source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
+source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
+	CVE-2015-7554.patch
 	CVE-2015-8665.patch
+	CVE-2015-8668.patch
 	CVE-2015-8781-8782-8783.patch
 	CVE-2015-8784.patch
+	CVE-2016-3632.patch
+	CVE-2016-3945.patch
+	CVE-2016-3990.patch
+	CVE-2016-3991.patch
 	"
 
-_builddir="$srcdir"/$pkgname-$pkgver
+builddir="$srcdir"/$pkgname-$pkgver
 
 prepare() {
 	local _failed=
-	cd "$_builddir"
+	cd "$builddir"
 	update_config_sub || return 1
 	for i in $source; do
 		case $i in
_at_@ -31,7 +38,7 @@ prepare() {
 }
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 
 	./configure \
 		--build=$CBUILD \
_at_@ -46,7 +53,7 @@ build() {
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make DESTDIR="$pkgdir" install
 	rm -f "$pkgdir"/usr/lib/*.la
 }
_at_@ -58,14 +65,32 @@ tools() {
 }
 
 md5sums="d1d2e940dea0b5ad435f21f03d96dd72  tiff-4.0.6.tar.gz
+1023c7deacbb5d8dc61e6d1e9959b172  CVE-2015-7554.patch
 1ed2295ff179a6b64803d33f0f865740  CVE-2015-8665.patch
+b6e064713f307a2bbf815fb6f46f5317  CVE-2015-8668.patch
 96d2a934914a548d244e0a055f370334  CVE-2015-8781-8782-8783.patch
-8b3e84314fc2c0eeabd8d2c410f85727  CVE-2015-8784.patch"
+8b3e84314fc2c0eeabd8d2c410f85727  CVE-2015-8784.patch
+0bf7599f2d566038fb583250590716d3  CVE-2016-3632.patch
+e1de46d39bda11acf73d6430f5108d19  CVE-2016-3945.patch
+ee98f9ec234ac11bd5764b1d3ae0aa00  CVE-2016-3990.patch
+f060dad3d0bc8a65e2dba9bb4cba4ff4  CVE-2016-3991.patch"
 sha256sums="4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c  tiff-4.0.6.tar.gz
+2da0ab2927cdaebc790d4cf80a674124a3a08e511bbf6a39a5b232df46068b1b  CVE-2015-7554.patch
 1e4158f2a85e4c597b2a6d290c54d4ee815c8930f80824363945506bda3fc798  CVE-2015-8665.patch
+962abf920444bc02d4086d17acfc24d6a163010b1639384fecff1460dca07f7d  CVE-2015-8668.patch
 f7c953c51f4f14b8627aad9bfe5b183b5d56e62e96e24d80a233e0b849c0c743  CVE-2015-8781-8782-8783.patch
-504332761f3e72d8424fd59d4e2c75dd280f61efbbd4e60f6bc0e1f91ed9e972  CVE-2015-8784.patch"
+504332761f3e72d8424fd59d4e2c75dd280f61efbbd4e60f6bc0e1f91ed9e972  CVE-2015-8784.patch
+de53c724507a2ab2796b4ae52bd12e8ca358aa03a3ea69664e3986804b9c1b38  CVE-2016-3632.patch
+e89921b4e26ffc49fb37a219fa6fc6078949f6f62154e037dbbe66051b97f731  CVE-2016-3945.patch
+28a16234ea69877de83ee5e269929b7a05fcce1ff6400db3005c94328c9e1751  CVE-2016-3990.patch
+e85df1c5ae13cd6fbf38f13cdb34e6fc7e744005bd8948d97751be1a18208870  CVE-2016-3991.patch"
 sha512sums="2c8dbaaaab9f82a7722bfe8cb6fcfcf67472beb692f1b7dafaf322759e7016dad1bc58457c0f03db50aa5bd088fef2b37358fcbc1524e20e9e14a9620373fdf8  tiff-4.0.6.tar.gz
+4d902d55d3f796f6f6e266ee1c1237a765ffb0595e0af8c325d08ad3eff76d87409ae4edae5bf3f8adb06796e2ddd2439f598c24760aa2444e30efb3f78e8ce8  CVE-2015-7554.patch
 4507d3852d57922574897d53f366d80d71d0d83850aa3c3993b956fabce26165f315838c17430d1abd41f160c40a4e3d8e6b31ff150e81059669ccfe29f90126  CVE-2015-8665.patch
+aaa315f45a0410a4173afbd0c913891d9a0df0c447b09fd1be6080ee78366294909b2d599b7908b591b7e3911ed6f5b6d97c054bb5a1e17540204b7542268d23  CVE-2015-8668.patch
 4ca7823f666df8f29eba0f62a14f71e440eef20fcc8d3a1a77cf65a07e1e737bdcfb49641ee5b62ce28877ef428106996254989d2100615dc7cf2be7aa903002  CVE-2015-8781-8782-8783.patch
-46c917d435bca839bc2bcdb170e1a9724e07da9ba9cdf1230168f1cef7b1e62c4af19ebe4892d9d56f29fcf2820b8f55e81539eca70120893b2f0894efcc370f  CVE-2015-8784.patch"
+46c917d435bca839bc2bcdb170e1a9724e07da9ba9cdf1230168f1cef7b1e62c4af19ebe4892d9d56f29fcf2820b8f55e81539eca70120893b2f0894efcc370f  CVE-2015-8784.patch
+93dfd29c884daaaa72196cc66537dba25d088ab86f09e8f9a69a3cb91e380e1b62860ae8aa459c4972c609422ac3a026e3a8b0e384438f48e697ab56c6af71f1  CVE-2016-3632.patch
+5aa686e8164eea39c0968d2748dcd02f536741b1d2c387dee60891f8768bc343c34f0851fe700f1457949bf3f534f49370f8b114663af977cb45d9a431b38425  CVE-2016-3945.patch
+289651ae11fc5c6ddfbab94af7f598165637cf8b827b1cffb5e4522c7d566c96a4fd07acc7195705a655e4c8f95ef0957df8d924f76bdf2bebcf918f4cec3a9d  CVE-2016-3990.patch
+048cff76de85f51a942e15e5b2d72b63b75a79adba5e9d4a7a7fac8ca47b1caf48c4a4af28b226c3146a235aba7734f525b40f1274bc4f639bb9d870a637aa84  CVE-2016-3991.patch"
diff --git a/main/tiff/CVE-2015-7554.patch b/main/tiff/CVE-2015-7554.patch
new file mode 100644
index 0000000..426a8ea
--- /dev/null
+++ b/main/tiff/CVE-2015-7554.patch
_at_@ -0,0 +1,25 @@
+https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-7554.patch
+
+diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c
+--- tiff-4.0.4/tools/tiffsplit.c	2015-05-28 15:10:26.000000000 +0200
++++ tiff-4.0.4_patch/tools/tiffsplit.c	2016-02-12 19:15:30.532005041 +0100
+_at_@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out)
+ 		    TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table);
+ 		}
+ 	}
++	uint32 count = 0;
+         CopyField(TIFFTAG_PHOTOMETRIC, shortv);
+-	CopyField(TIFFTAG_PREDICTOR, shortv);
++	CopyField2(TIFFTAG_PREDICTOR, count, shortv);
+ 	CopyField(TIFFTAG_THRESHHOLDING, shortv);
+ 	CopyField(TIFFTAG_FILLORDER, shortv);
+ 	CopyField(TIFFTAG_ORIENTATION, shortv);
+_at_@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out)
+ 	CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv);
+ 	CopyField(TIFFTAG_XRESOLUTION, floatv);
+ 	CopyField(TIFFTAG_YRESOLUTION, floatv);
+-	CopyField(TIFFTAG_GROUP3OPTIONS, longv);
++	CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv);
+ 	CopyField(TIFFTAG_GROUP4OPTIONS, longv);
+ 	CopyField(TIFFTAG_RESOLUTIONUNIT, shortv);
+ 	CopyField(TIFFTAG_PLANARCONFIG, shortv);
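Review bot: `uint32 count = 0;` is introduced after executable statements in the middle of tiffcp(), a C99 mixed declaration that sits oddly next to the existing top-of-function locals such as `shortv` and `longv`; move the declaration up with the other locals so it reads like the rest of the function. The workaround only switches `TIFFTAG_PREDICTOR` and `TIFFTAG_GROUP3OPTIONS` to `CopyField2` with a count argument inside tiffsplit; if the root cause is that the library hands these tags back as a count/value pair for the crafted input, other tools using plain `CopyField` on the same tags would presumably be exposed the same way — worth confirming against the upstream fix before treating this as complete. The patch header references `tiff-4.0.4` paths while this package is 4.0.6, so check the build log for fuzz/offset when it is applied. tiffcp() starts and ends outside the hunk.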
diff --git a/main/tiff/CVE-2015-8668.patch b/main/tiff/CVE-2015-8668.patch
new file mode 100644
index 0000000..3f2f4e4
--- /dev/null
+++ b/main/tiff/CVE-2015-8668.patch
_at_@ -0,0 +1,42 @@
+https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-8668.patch
+
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index 376f4e6..c747c13 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+_at_@ -614,18 +614,27 @@ main(int argc, char* argv[])
+ 			    || info_hdr.iCompression == BMPC_RLE4 ) {
+ 			uint32		i, j, k, runlength;
+ 			uint32		compr_size, uncompr_size;
++			uint32      bits = 0;
+ 			unsigned char   *comprbuf;
+ 			unsigned char   *uncomprbuf;
+ 
+ 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
+-			uncompr_size = width * length;
+-                        /* Detect int overflow */
+-                        if( uncompr_size / width != length ) {
+-                                TIFFError(infilename,
+-                                          "Invalid dimensions of BMP file" );
+-                                close(fd);
+-                                return -1;
+-                        }
++
++			bits = info_hdr.iBitCount;
++
++			if (bits > 8) // bit depth is > 8bit, adjust size
++			{
++				uncompr_size = width * length * (bits / 8);
++				/* Detect int overflow */
++				if (uncompr_size / width / (bits / 8) != length) {
++					TIFFError(infilename,
++							   "Invalid dimensions of BMP file");
++					close(fd);
++					return -1;
++				}
++			}
++			else
++				uncompr_size = width * length;
+                         if ( (compr_size == 0) ||
+                              (compr_size > ((uint32) ~0) >> 1) ||
+                              (uncompr_size == 0) ||
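Review bot: The `else` branch now sets `uncompr_size = width * length;` with no overflow check at all, whereas the removed lines checked `uncompr_size / width != length` for every depth — so for `bits <= 8` (the depths RLE4/RLE8 actually use) the patch drops the protection the old code had. The overflow guard should cover both paths; the cleanest form is a single bytes-per-pixel factor (`1` for depths up to 8 bits, `bits / 8` above) with one multiplication and one division check, as below. The `width == 0` guard is included because the check divides by `width`; if the BMP header validation earlier in main() already rejects zero width (not visible here) it is harmless. main() starts and ends outside the hunk.

```c
			uint32      bits = 0, bpp = 1;
			/* … unchanged: buffer pointer declarations … */
			compr_size = file_hdr.iSize - file_hdr.iOffBits;
			bits = info_hdr.iBitCount;
			/* bytes per pixel: 1 for depths up to 8 bits, bits/8 above */
			bpp = bits > 8 ? bits / 8 : 1;
			uncompr_size = width * length * bpp;
			/* Detect int overflow on every depth, not only > 8 bit */
			if (width == 0 || uncompr_size / width / bpp != length) {
				TIFFError(infilename,
					  "Invalid dimensions of BMP file");
				close(fd);
				return -1;
			}
			/* … unchanged: compr_size / uncompr_size sanity checks … */
```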
diff --git a/main/tiff/CVE-2016-3632.patch b/main/tiff/CVE-2016-3632.patch
new file mode 100644
index 0000000..7640d1b
--- /dev/null
+++ b/main/tiff/CVE-2016-3632.patch
_at_@ -0,0 +1,23 @@
+https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2016-3632.patch
+
+From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro_at_redhat.com>
+Date: Mon, 11 Jul 2016 16:04:34 +0200
+Subject: [PATCH 4/8] Fix CVE-2016-3632
+---
+ tools/thumbnail.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fd1cba5..75e7009 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+_at_@ -253,7 +253,8 @@ static struct cpTag {
+     { TIFFTAG_WHITEPOINT,		2, TIFF_RATIONAL },
+     { TIFFTAG_PRIMARYCHROMATICITIES,	(uint16) -1,TIFF_RATIONAL },
+     { TIFFTAG_HALFTONEHINTS,		2, TIFF_SHORT },
+-    { TIFFTAG_BADFAXLINES,		1, TIFF_LONG },
++    // disable BADFAXLINES, CVE-2016-3632
++    //{ TIFFTAG_BADFAXLINES,		1, TIFF_LONG },
+     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
+     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
+     { TIFFTAG_INKSET,			1, TIFF_SHORT },
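Review bot: The `TIFFTAG_BADFAXLINES` row in the cpTag table is commented out rather than deleted, leaving dead code behind a `//` comment in a file that otherwise uses `/* */`; remove the row and record the reason in a block comment, e.g. `/* TIFFTAG_BADFAXLINES is deliberately not copied: copying it produced an out-of-bounds write (CVE-2016-3632) */`. The comment should also say what made copying this tag unsafe — presumably a mismatch between the table's `TIFF_LONG` entry and how the library returns the value, but confirm against the upstream report — because the neighbouring `TIFFTAG_CONSECUTIVEBADFAXLINES` row keeps the same `1, TIFF_LONG` shape and a reader will immediately ask whether it needs the same treatment. The cpTag table starts and ends outside the hunk.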
diff --git a/main/tiff/CVE-2016-3945.patch b/main/tiff/CVE-2016-3945.patch
new file mode 100644
index 0000000..53c6dc5
--- /dev/null
+++ b/main/tiff/CVE-2016-3945.patch
_at_@ -0,0 +1,97 @@
+https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2016-3945.patch;jsessionid=1rcllyzw1i6tk1nli211rmjqnf
+
+From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 20:06:40 +0000
+Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
+ allocated buffer, when -b mode is enabled, that could result in out-of-bounds
+ write. Based initially on patch tiff-CVE-2016-3945.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
+ tests that rejected valid files.
+
+CVE: CVE-2016-3945
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
+
+Signed-off-by: Yi Zhao <yi.zhao_at_windirver.com>
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index b7a81eb..16e3dc4 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+_at_@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+     uint32  row, col;
+     uint32  *wrk_line;
+     int	    ok = 1;
++    uint32  rastersize, wrk_linesize;
+ 
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+_at_@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+     /*
+      * Allocate tile buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++    rastersize = tile_width * tile_height * sizeof (uint32);
++    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
++    {
++	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++	exit(-1);
++    }
++    raster = (uint32*)_TIFFmalloc(rastersize);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+_at_@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+      * Allocate a scanline buffer for swapping during the vertical
+      * mirroring pass.
+      */
+-    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++    wrk_linesize = tile_width * sizeof (uint32);
++    if (tile_width != wrk_linesize / sizeof (uint32))
++    {
++        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++	exit(-1);
++    }
++    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+     if (!wrk_line) {
+         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+         ok = 0;
+_at_@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+     uint32  row;
+     uint32  *wrk_line;
+     int	    ok = 1;
++    uint32  rastersize, wrk_linesize;
+ 
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+_at_@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+     /*
+      * Allocate strip buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++    rastersize = width * rowsperstrip * sizeof (uint32);
++    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++    {
++	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++	exit(-1);
++    }
++    raster = (uint32*)_TIFFmalloc(rastersize);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+_at_@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+      * Allocate a scanline buffer for swapping during the vertical
+      * mirroring pass.
+      */
+-    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++    wrk_linesize = width * sizeof (uint32);
++    if (width != wrk_linesize / sizeof (uint32))
++    {
++        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++	exit(-1);
++    }
++    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+     if (!wrk_line) {
+         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+         ok = 0;
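Review bot: Each of the four new overflow checks in cvt_by_tile() and cvt_by_strip() calls `exit(-1)`, while the allocation failure immediately below each one does `return (0)` or `ok = 0` so the caller can close `in`/`out`; use the same `return (0)` / `ok = 0` handling on the new paths instead of terminating from inside a helper. The checks also divide by `tile_height` and `rowsperstrip` before anything rejects a zero value; if either can come back as 0 from `TIFFGetField`/`TIFFGetFieldDefaulted` on a crafted file (I cannot confirm from here whether the library guarantees otherwise), `rastersize / tile_height` is a divide-by-zero, so add `if (tile_height == 0) return (0);` ahead of the raster check and the equivalent for `rowsperstrip`. Both functions start and end outside the hunk.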
diff --git a/main/tiff/CVE-2016-3990.patch b/main/tiff/CVE-2016-3990.patch
new file mode 100644
index 0000000..b198014
--- /dev/null
+++ b/main/tiff/CVE-2016-3990.patch
_at_@ -0,0 +1,37 @@
+https://patchwork.openembedded.org/patch/133225/
+
+From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 20:49:48 +0000
+Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
+ PixarLogEncode if more input samples are provided than expected by
+ PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
+ simpler check. (bugzilla #2544)
+
+invalid tests that rejected valid files. (bugzilla #2545)
+
+CVE: CVE-2016-3990
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
+
+Signed-off-by: Yi Zhao <yi.zhao_at_windirver.com>
+---
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index e78f788..28329d1 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+_at_@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ 	}
+ 
+ 	llen = sp->stride * td->td_imagewidth;
++    /* Check against the number of elements (of size uint16) of sp->tbuf */
++    if( n > td->td_rowsperstrip * llen )
++    {
++        TIFFErrorExt(tif->tif_clientdata, module,
++                     "Too many input bytes provided");
++        return 0;
++    }
+ 
+ 	for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
+ 		switch (sp->user_datafmt)  {
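Review bot: The new bound `if( n > td->td_rowsperstrip * llen )` assumes `sp->tbuf` holds `rowsperstrip * llen` elements; if PixarLogSetupEncode sizes the buffer from the tile length rather than rows-per-strip for tiled images (not visible here — confirm against that allocation), the bound is too loose for tiles and the overflow it is meant to stop is still reachable. Comparing against the buffer size recorded at allocation time, rather than recomputing it from directory fields, would make the check hold for both layouts. The inserted block is also indented with spaces in a function whose surrounding lines (`llen = ...`, `for (i = 0, ...`) use tabs; match the tab indentation. PixarLogEncode() starts and ends outside the hunk.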
diff --git a/main/tiff/CVE-2016-3991.patch b/main/tiff/CVE-2016-3991.patch
new file mode 100644
index 0000000..0a75bba
--- /dev/null
+++ b/main/tiff/CVE-2016-3991.patch
_at_@ -0,0 +1,126 @@
+https://patchwork.openembedded.org/patch/133226/
+
+From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 21:05:40 +0000
+Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
+ loadImage(). From patch libtiff-CVE-2016-3991.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
+
+CVE: CVE-2016-3991
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
+
+Signed-off-by: Yi Zhao <yi.zhao_at_windirver.com>
+---
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 27abc0b..ddba7b9 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+_at_@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+     }
+ 
+   tile_buffsize = tilesize;
++  if (tilesize == 0 || tile_rowsize == 0)
++  {
++     TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
++     exit(-1);
++  }
+ 
+   if (tilesize < (tsize_t)(tl * tile_rowsize))
+     {
+_at_@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+               tilesize, tl * tile_rowsize);
+ #endif
+     tile_buffsize = tl * tile_rowsize;
+-    } 
++    if (tl != (tile_buffsize / tile_rowsize))
++    {
++    	TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
++        exit(-1);
++    }
++    }
+ 
+   tilebuf = _TIFFmalloc(tile_buffsize);
+   if (tilebuf == 0)
+_at_@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+       !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+       return 1;
+ 
++  if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
++  {
++    TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
++    exit(-1);
++  }
++
+   tile_buffsize = tilesize;
+   if (tilesize < (tsize_t)(tl * tile_rowsize))
+     {
+_at_@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+               tilesize, tl * tile_rowsize);
+ #endif
+     tile_buffsize = tl * tile_rowsize;
++    if (tl != tile_buffsize / tile_rowsize)
++    {
++	TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
++	exit(-1);
++    }
+     }
+ 
+   tilebuf = _TIFFmalloc(tile_buffsize);
+_at_@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+     TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+ 
+     tile_rowsize  = TIFFTileRowSize(in);      
++    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
++    {
++	TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
++	exit(-1);
++    }
+     buffsize = tlsize * ntiles;
++    if (tlsize != (buffsize / ntiles))
++    {
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
++	exit(-1);
++    }
+ 
+-        
+     if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
+       {
+       buffsize = ntiles * tl * tile_rowsize;
++      if (ntiles != (buffsize / tl / tile_rowsize))
++      {
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
++	exit(-1);
++      }
++      
+ #ifdef DEBUG2
+       TIFFError("loadImage",
+ 	        "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
+_at_@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+     TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+     stsize = TIFFStripSize(in);
+     nstrips = TIFFNumberOfStrips(in);
++    if (nstrips == 0 || stsize == 0)
++    {
++	TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
++	exit(-1);
++    }
++
+     buffsize = stsize * nstrips;
+-    
++    if (stsize != (buffsize / nstrips))
++    {
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
++	exit(-1);
++    }
++    uint32 buffsize_check;
++    buffsize_check = ((length * width * spp * bps) + 7);
++    if (length != ((buffsize_check - 7) / width / spp / bps))
++    {
++	TIFFError("loadImage", "Integer overflow detected.");
++	exit(-1);
++    }
+     if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
+       {
+       buffsize =  ((length * width * spp * bps) + 7) / 8;
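Review bot: In loadImage() the condition `if (buffsize < (uint32)(ntiles * tl * tile_rowsize))` still evaluates the full product and truncates it to uint32 before the overflow check inside the branch can run; if the product wraps to a value no larger than `buffsize`, the branch is skipped, the check never executes, and `buffsize` remains smaller than the tile data the function goes on to load. Compute the product once into a uint32 local declared with the other locals, check it, and only then compare, as below; note the check divides by `tl`, which the zero test added just above (`ntiles == 0 || tlsize == 0 || tile_rowsize == 0`) does not cover, while the sibling check in writeBufferToContigTiles() does include `tl`, so add `tl == 0` there. In the strip path, `uint32 buffsize_check;` is a mid-block declaration that belongs with the other locals, and the `+ 7` it protects can still wrap when `length * width * spp * bps` lands within 7 of UINT32_MAX; checking the bare product and then computing the rounded size is simpler. loadImage() continues past the end of the hunk.

```c
    /* … unchanged: ntiles/tlsize/tile_rowsize zero check, tlsize * ntiles overflow check … */
    tiles_buffsize = ntiles * tl * tile_rowsize;
    if (ntiles != (tiles_buffsize / tl / tile_rowsize))
      {
      TIFFError("loadImage", "Integer overflow when calculating buffer size");
      exit(-1);
      }
    if (buffsize < tiles_buffsize)
      {
      buffsize = tiles_buffsize;
      /* … unchanged: DEBUG2 message … */
```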
-- 
2.4.11