X-Original-To: alpine-aports@lists.alpinelinux.org Received: from mail-lf0-f66.google.com (mail-lf0-f66.google.com [209.85.215.66]) by lists.alpinelinux.org (Postfix) with ESMTP id 999F95C419F for ; Thu, 19 Jan 2017 14:13:23 +0000 (GMT) Received: by mail-lf0-f66.google.com with SMTP id x1so5588816lff.0 for ; Thu, 19 Jan 2017 06:13:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=BTNxwp/ZM5tB5WaN5BXRaEFNCcHo1YTnPCJO0bAafTI=; b=jm3u/r2da9coAIWmWGKWmccqx8Yrezj4wLgh03hqjWMVETVGJk1w3IyCJYFJOYW50G CpEJlz0DmQvGCM76Z43ufS0CJ4HM4yiwdX15x9lJfre/tugoIiow+oXEhb1kGtqbGHey Zjy2Kl+E2bZH/bz1e3fPqESzR4eZOtse6eyJpR6hggnJWYwn9rEXrLoMtWKht9rcyFLn qv0Dvd3gc7vrnhyPUmzXupqQjpBGEdcK0nw8i3M5k1ue0flE+cO4lrUDcgmXjTVflMrM SZJ5AbP75CVbQSVt80HBK4MU/SbUGxfUsXWZB+BVPmCPWr0gefdhyKQHy1I0XpcKrI1G 3bLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=BTNxwp/ZM5tB5WaN5BXRaEFNCcHo1YTnPCJO0bAafTI=; b=mQMfr9VWXz/9peDy5egQciz5/h5skNDEfa7gm5F/aHj+ZI5di3f2FpsoYsHTbNDwE/ 9PIgkuj7tXC6oLqbYK0lsutSMPADr0cFFR9mNfBnwd3zTydc9gXGoX1aIL2fG9LdDVN+ WAbMiTin5LUjz3g7p1l+8G+blmJEYpDFS+It6Wh3lwP9S8PvGPbJl35YDco4J8VM5Pez weg+NmAzcYLgk7nkCB9UT1gNN6d2poFetkuoAiLkQufyj/rxTodeo4gDiZNx5Efb+EqH vxvVGoGnDSO1zq1OUnpzf26EeaMxMTD+qsWhzkdh4pZE60hSuWiir3Sx5i9Asxj3o8Fm uEog== X-Gm-Message-State: AIkVDXJw6qlpfx6anbIWjWPJ5NTVoDak4d+7Ejwov35oEsjNr0C8H0uOnycpFeoX3PsdaQ== X-Received: by 10.25.0.140 with SMTP id 134mr3040745lfa.156.1484835202062; Thu, 19 Jan 2017 06:13:22 -0800 (PST) Received: from v3-3.util.wtbts.net ([83.145.235.199]) by smtp.gmail.com with ESMTPSA id z1sm1919961lja.10.2017.01.19.06.13.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 19 Jan 2017 06:13:21 -0800 (PST) From: Sergei Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergei Lukin Subject: [alpine-aports] [PATCH v3.3] main/tiff: security upgrade to 4.0.7 - fixes #6666 Date: Thu, 19 Jan 2017 14:13:04 +0000 Message-Id: <1484835184-169-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.6.6 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-9273: heap-buffer-overflow in cpStrips CVE-2016-9297: segfault in _TIFFPrintField CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf CVE-2016-3186: Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. CVE-2016-3621: Out-of-bounds Read in the bmp2tiff tool CVE-2016-3622: Divide By Zero in the tiff2rgba tool CVE-2016-3623, CVE-2016-3624: Divide By Zero in the rgb2ycbcr tool CVE-2016-3625: Out-of-bounds Read in the tiff2bw tool CVE-2016-3658, CVE-2014-8127: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317: PixarLogDecode() out-of-bound writes CVE-2016-5320, CVE-2016-5875: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c bugzilla suppose that CVE-2016-5320 is a duplicate of CVE-2016-5314 (https://bugs.alpinelinux.org/issues/6661) which was fixed in tiff 4.0.7 (http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1) CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow --- CVE-2016-5318 remains unfixed still (http://bugzilla.maptools.org/show_bug.cgi?id=2561) #6662 could not be marked as fixed for now 4.0.7 contains lots of fixes: http://libtiff.maptools.org/v4.0.7.html https://fossies.org/diffs/tiff/4.0.6_vs_4.0.7/ChangeLog-diff.html There is only one major change mentioned: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution. These tools were written in the late 1980s and early 1990s for test and demonstration purposes. In some cases the tools were never updated to support updates to the file format, or the file formats are now rarely used. In all cases these tools increased the libtiff security and maintenance exposure beyond the value offered by the tool. http://libtiff.maptools.org/v4.0.7.html Patches: CVE-2015-7554.patch, CVE-2015-8665.patch, CVE-2015-8668.patch, CVE-2015-8781-8782-8783.patch, CVE-2015-8784.patch, CVE-2016-3632.patch, CVE-2016-3945.patch, CVE-2016-3990.patch, CVE-2016-3991.patch are not needed anymore, because these issues were fixed in 4.0.7 main/tiff/APKBUILD | 75 ++++++-------- main/tiff/CVE-2015-7554.patch | 25 ----- main/tiff/CVE-2015-8665.patch | 113 --------------------- main/tiff/CVE-2015-8668.patch | 42 -------- main/tiff/CVE-2015-8781-8782-8783.patch | 171 -------------------------------- main/tiff/CVE-2015-8784.patch | 49 --------- main/tiff/CVE-2016-3632.patch | 23 ----- main/tiff/CVE-2016-3945.patch | 97 ------------------ main/tiff/CVE-2016-3990.patch | 37 ------- main/tiff/CVE-2016-3991.patch | 126 ----------------------- 10 files changed, 31 insertions(+), 727 deletions(-) delete mode 100644 main/tiff/CVE-2015-7554.patch delete mode 100644 main/tiff/CVE-2015-8665.patch delete mode 100644 main/tiff/CVE-2015-8668.patch delete mode 100644 main/tiff/CVE-2015-8781-8782-8783.patch delete mode 100644 main/tiff/CVE-2015-8784.patch delete mode 100644 main/tiff/CVE-2016-3632.patch delete mode 100644 main/tiff/CVE-2016-3945.patch delete mode 100644 main/tiff/CVE-2016-3990.patch delete mode 100644 main/tiff/CVE-2016-3991.patch diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 85efc94..4d002ec 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD @@ -1,9 +1,9 @@ +# Contributor: Sergei Lukin # Contributor: Leonardo Arena -# Contributor: Sergey Lukin # Maintainer: Michael Mason pkgname=tiff -pkgver=4.0.6 -pkgrel=4 +pkgver=4.0.7 +pkgrel=0 pkgdesc="Provides support for the Tag Image File Format or TIFF" url="http://www.libtiff.org/" arch="all" @@ -12,17 +12,31 @@ depends= depends_dev="zlib-dev libjpeg-turbo-dev" makedepends="libtool autoconf automake $depends_dev" subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" -source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz - CVE-2015-7554.patch - CVE-2015-8665.patch - CVE-2015-8668.patch - CVE-2015-8781-8782-8783.patch - CVE-2015-8784.patch - CVE-2016-3632.patch - CVE-2016-3945.patch - CVE-2016-3990.patch - CVE-2016-3991.patch - " +source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz" + +# secfixes: +# 4.0.7-r0: +# - CVE-2016-9273 +# - CVE-2016-9297 +# - CVE-2016-9448 +# - CVE-2016-9453 +# - CVE-2016-3186 +# - CVE-2016-3621 +# - CVE-2016-3622 +# - CVE-2016-3623 +# - CVE-2016-3624 +# - CVE-2016-3625 +# - CVE-2016-3658 +# - CVE-2014-8127 +# - CVE-2016-5314 +# - CVE-2016-5315 +# - CVE-2016-5316 +# - CVE-2016-5317 +# - CVE-2016-5320 +# - CVE-2016-5875 +# - CVE-2016-5321 +# - CVE-2016-5323 +# - CVE-2016-5652 builddir="$srcdir"/$pkgname-$pkgver @@ -63,33 +77,6 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -md5sums="d1d2e940dea0b5ad435f21f03d96dd72 tiff-4.0.6.tar.gz -1023c7deacbb5d8dc61e6d1e9959b172 CVE-2015-7554.patch -1ed2295ff179a6b64803d33f0f865740 CVE-2015-8665.patch -b6e064713f307a2bbf815fb6f46f5317 CVE-2015-8668.patch -96d2a934914a548d244e0a055f370334 CVE-2015-8781-8782-8783.patch -8b3e84314fc2c0eeabd8d2c410f85727 CVE-2015-8784.patch -0bf7599f2d566038fb583250590716d3 CVE-2016-3632.patch -e1de46d39bda11acf73d6430f5108d19 CVE-2016-3945.patch -ee98f9ec234ac11bd5764b1d3ae0aa00 CVE-2016-3990.patch -f060dad3d0bc8a65e2dba9bb4cba4ff4 CVE-2016-3991.patch" -sha256sums="4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c tiff-4.0.6.tar.gz -2da0ab2927cdaebc790d4cf80a674124a3a08e511bbf6a39a5b232df46068b1b CVE-2015-7554.patch -1e4158f2a85e4c597b2a6d290c54d4ee815c8930f80824363945506bda3fc798 CVE-2015-8665.patch -962abf920444bc02d4086d17acfc24d6a163010b1639384fecff1460dca07f7d CVE-2015-8668.patch -f7c953c51f4f14b8627aad9bfe5b183b5d56e62e96e24d80a233e0b849c0c743 CVE-2015-8781-8782-8783.patch -504332761f3e72d8424fd59d4e2c75dd280f61efbbd4e60f6bc0e1f91ed9e972 CVE-2015-8784.patch -de53c724507a2ab2796b4ae52bd12e8ca358aa03a3ea69664e3986804b9c1b38 CVE-2016-3632.patch -e89921b4e26ffc49fb37a219fa6fc6078949f6f62154e037dbbe66051b97f731 CVE-2016-3945.patch -28a16234ea69877de83ee5e269929b7a05fcce1ff6400db3005c94328c9e1751 CVE-2016-3990.patch -e85df1c5ae13cd6fbf38f13cdb34e6fc7e744005bd8948d97751be1a18208870 CVE-2016-3991.patch" -sha512sums="2c8dbaaaab9f82a7722bfe8cb6fcfcf67472beb692f1b7dafaf322759e7016dad1bc58457c0f03db50aa5bd088fef2b37358fcbc1524e20e9e14a9620373fdf8 tiff-4.0.6.tar.gz -4d902d55d3f796f6f6e266ee1c1237a765ffb0595e0af8c325d08ad3eff76d87409ae4edae5bf3f8adb06796e2ddd2439f598c24760aa2444e30efb3f78e8ce8 CVE-2015-7554.patch -4507d3852d57922574897d53f366d80d71d0d83850aa3c3993b956fabce26165f315838c17430d1abd41f160c40a4e3d8e6b31ff150e81059669ccfe29f90126 CVE-2015-8665.patch -aaa315f45a0410a4173afbd0c913891d9a0df0c447b09fd1be6080ee78366294909b2d599b7908b591b7e3911ed6f5b6d97c054bb5a1e17540204b7542268d23 CVE-2015-8668.patch -4ca7823f666df8f29eba0f62a14f71e440eef20fcc8d3a1a77cf65a07e1e737bdcfb49641ee5b62ce28877ef428106996254989d2100615dc7cf2be7aa903002 CVE-2015-8781-8782-8783.patch -46c917d435bca839bc2bcdb170e1a9724e07da9ba9cdf1230168f1cef7b1e62c4af19ebe4892d9d56f29fcf2820b8f55e81539eca70120893b2f0894efcc370f CVE-2015-8784.patch -93dfd29c884daaaa72196cc66537dba25d088ab86f09e8f9a69a3cb91e380e1b62860ae8aa459c4972c609422ac3a026e3a8b0e384438f48e697ab56c6af71f1 CVE-2016-3632.patch -5aa686e8164eea39c0968d2748dcd02f536741b1d2c387dee60891f8768bc343c34f0851fe700f1457949bf3f534f49370f8b114663af977cb45d9a431b38425 CVE-2016-3945.patch -289651ae11fc5c6ddfbab94af7f598165637cf8b827b1cffb5e4522c7d566c96a4fd07acc7195705a655e4c8f95ef0957df8d924f76bdf2bebcf918f4cec3a9d CVE-2016-3990.patch -048cff76de85f51a942e15e5b2d72b63b75a79adba5e9d4a7a7fac8ca47b1caf48c4a4af28b226c3146a235aba7734f525b40f1274bc4f639bb9d870a637aa84 CVE-2016-3991.patch" +md5sums="77ae928d2c6b7fb46a21c3a29325157b tiff-4.0.7.tar.gz" +sha256sums="9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019 tiff-4.0.7.tar.gz" +sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc tiff-4.0.7.tar.gz" diff --git a/main/tiff/CVE-2015-7554.patch b/main/tiff/CVE-2015-7554.patch deleted file mode 100644 index 426a8ea..0000000 --- a/main/tiff/CVE-2015-7554.patch +++ /dev/null @@ -1,25 +0,0 @@ -https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-7554.patch - -diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c ---- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200 -+++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100 -@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out) - TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); - } - } -+ uint32 count = 0; - CopyField(TIFFTAG_PHOTOMETRIC, shortv); -- CopyField(TIFFTAG_PREDICTOR, shortv); -+ CopyField2(TIFFTAG_PREDICTOR, count, shortv); - CopyField(TIFFTAG_THRESHHOLDING, shortv); - CopyField(TIFFTAG_FILLORDER, shortv); - CopyField(TIFFTAG_ORIENTATION, shortv); -@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out) - CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); - CopyField(TIFFTAG_XRESOLUTION, floatv); - CopyField(TIFFTAG_YRESOLUTION, floatv); -- CopyField(TIFFTAG_GROUP3OPTIONS, longv); -+ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); - CopyField(TIFFTAG_GROUP4OPTIONS, longv); - CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); - CopyField(TIFFTAG_PLANARCONFIG, shortv); diff --git a/main/tiff/CVE-2015-8665.patch b/main/tiff/CVE-2015-8665.patch deleted file mode 100644 index f80d736..0000000 --- a/main/tiff/CVE-2015-8665.patch +++ /dev/null @@ -1,113 +0,0 @@ -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sat, 26 Dec 2015 17:32:03 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in - TIFFRGBAImage interface in case of unsupported values of - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by - limingxing and CVE-2015-8683 reported by zzf of Alibaba. - ---- - libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- - 2 files changed, 30 insertions(+), 13 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index cdeff08..261aad6 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d", -- "Samples/pixel", td->td_samplesperpixel); -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d and %s=%d", -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } -@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+ -+ if( !TIFFRGBAImageOK(tif, emsg) ) -+ return 0; - - /* Initialize to normal values */ - img->row_offset = 0; -@@ -2509,29 +2514,33 @@ PickContigCase(TIFFRGBAImage* img) - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >= 4) - img->put.contig = putRGBAAcontig8bittile; -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >= 4) - { - if (BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >= 3 ) - img->put.contig = putRGBcontig8bittile; - break; - case 16: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBAAcontig16bittile; - } -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBcontig16bittile; -@@ -2540,7 +2549,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=4 && buildMap(img)) { - if (img->bitspersample == 8) { - if (!img->Map) - img->put.contig = putRGBcontig8bitCMYKtile; -@@ -2636,7 +2645,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel == 3 && buildMap(img)) { - if (img->bitspersample == 8) - img->put.contig = initCIELabConversion(img); - break; diff --git a/main/tiff/CVE-2015-8668.patch b/main/tiff/CVE-2015-8668.patch deleted file mode 100644 index 3f2f4e4..0000000 --- a/main/tiff/CVE-2015-8668.patch +++ /dev/null @@ -1,42 +0,0 @@ -https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-8668.patch - -diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c -index 376f4e6..c747c13 100644 ---- a/tools/bmp2tiff.c -+++ b/tools/bmp2tiff.c -@@ -614,18 +614,27 @@ main(int argc, char* argv[]) - || info_hdr.iCompression == BMPC_RLE4 ) { - uint32 i, j, k, runlength; - uint32 compr_size, uncompr_size; -+ uint32 bits = 0; - unsigned char *comprbuf; - unsigned char *uncomprbuf; - - compr_size = file_hdr.iSize - file_hdr.iOffBits; -- uncompr_size = width * length; -- /* Detect int overflow */ -- if( uncompr_size / width != length ) { -- TIFFError(infilename, -- "Invalid dimensions of BMP file" ); -- close(fd); -- return -1; -- } -+ -+ bits = info_hdr.iBitCount; -+ -+ if (bits > 8) // bit depth is > 8bit, adjust size -+ { -+ uncompr_size = width * length * (bits / 8); -+ /* Detect int overflow */ -+ if (uncompr_size / width / (bits / 8) != length) { -+ TIFFError(infilename, -+ "Invalid dimensions of BMP file"); -+ close(fd); -+ return -1; -+ } -+ } -+ else -+ uncompr_size = width * length; - if ( (compr_size == 0) || - (compr_size > ((uint32) ~0) >> 1) || - (uncompr_size == 0) || diff --git a/main/tiff/CVE-2015-8781-8782-8783.patch b/main/tiff/CVE-2015-8781-8782-8783.patch deleted file mode 100644 index c8073ba..0000000 --- a/main/tiff/CVE-2015-8781-8782-8783.patch +++ /dev/null @@ -1,171 +0,0 @@ -From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sun, 27 Dec 2015 16:25:11 +0000 -Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in - decode functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). Fix potential out-of-bound reads in case of short - input data. - ---- - libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- - 2 files changed, 51 insertions(+), 11 deletions(-) - -diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c -index 3dc13f1..b66ff64 100644 ---- a/libtiff/tif_luv.c -+++ b/libtiff/tif_luv.c -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/main/tiff/CVE-2015-8784.patch b/main/tiff/CVE-2015-8784.patch deleted file mode 100644 index ab48ddf..0000000 --- a/main/tiff/CVE-2015-8784.patch +++ /dev/null @@ -1,49 +0,0 @@ -From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sun, 27 Dec 2015 16:55:20 +0000 -Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in - NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif - (bugzilla #2508) - ---- - libtiff/tif_next.c | 10 ++++++++-- - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c -index dd669cc..0a5b635 100644 ---- a/libtiff/tif_next.c -+++ b/libtiff/tif_next.c -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -+ tmsize_t op_offset = 0; - - /* - * The scanline is composed of a sequence of constant -@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; diff --git a/main/tiff/CVE-2016-3632.patch b/main/tiff/CVE-2016-3632.patch deleted file mode 100644 index 7640d1b..0000000 --- a/main/tiff/CVE-2016-3632.patch +++ /dev/null @@ -1,23 +0,0 @@ -https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2016-3632.patch - -From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Nikola=20Forr=C3=B3?= -Date: Mon, 11 Jul 2016 16:04:34 +0200 -Subject: [PATCH 4/8] Fix CVE-2016-3632 ---- - tools/thumbnail.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/tools/thumbnail.c b/tools/thumbnail.c -index fd1cba5..75e7009 100644 ---- a/tools/thumbnail.c -+++ b/tools/thumbnail.c -@@ -253,7 +253,8 @@ static struct cpTag { - { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL }, - { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL }, - { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT }, -- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, -+ // disable BADFAXLINES, CVE-2016-3632 -+ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, - { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, - { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, - { TIFFTAG_INKSET, 1, TIFF_SHORT }, diff --git a/main/tiff/CVE-2016-3945.patch b/main/tiff/CVE-2016-3945.patch deleted file mode 100644 index 53c6dc5..0000000 --- a/main/tiff/CVE-2016-3945.patch +++ /dev/null @@ -1,97 +0,0 @@ -https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2016-3945.patch;jsessionid=1rcllyzw1i6tk1nli211rmjqnf - -From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Mon, 15 Aug 2016 20:06:40 +0000 -Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of - allocated buffer, when -b mode is enabled, that could result in out-of-bounds - write. Based initially on patch tiff-CVE-2016-3945.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid - tests that rejected valid files. - -CVE: CVE-2016-3945 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6 - -Signed-off-by: Yi Zhao ---- -diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c -index b7a81eb..16e3dc4 100644 ---- a/tools/tiff2rgba.c -+++ b/tools/tiff2rgba.c -@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) - uint32 row, col; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ rastersize = tile_width * tile_height * sizeof (uint32); -+ if (tile_width != (rastersize / tile_height) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); -+ wrk_linesize = tile_width * sizeof (uint32); -+ if (tile_width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; -@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) - uint32 row; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ rastersize = width * rowsperstrip * sizeof (uint32); -+ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); -+ wrk_linesize = width * sizeof (uint32); -+ if (width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; diff --git a/main/tiff/CVE-2016-3990.patch b/main/tiff/CVE-2016-3990.patch deleted file mode 100644 index b198014..0000000 --- a/main/tiff/CVE-2016-3990.patch +++ /dev/null @@ -1,37 +0,0 @@ -https://patchwork.openembedded.org/patch/133225/ - -From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Mon, 15 Aug 2016 20:49:48 +0000 -Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in - PixarLogEncode if more input samples are provided than expected by - PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and - simpler check. (bugzilla #2544) - -invalid tests that rejected valid files. (bugzilla #2545) - -CVE: CVE-2016-3990 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 - -Signed-off-by: Yi Zhao ---- -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c -index e78f788..28329d1 100644 ---- a/libtiff/tif_pixarlog.c -+++ b/libtiff/tif_pixarlog.c -@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - } - - llen = sp->stride * td->td_imagewidth; -+ /* Check against the number of elements (of size uint16) of sp->tbuf */ -+ if( n > td->td_rowsperstrip * llen ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Too many input bytes provided"); -+ return 0; -+ } - - for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { - switch (sp->user_datafmt) { diff --git a/main/tiff/CVE-2016-3991.patch b/main/tiff/CVE-2016-3991.patch deleted file mode 100644 index 0a75bba..0000000 --- a/main/tiff/CVE-2016-3991.patch +++ /dev/null @@ -1,126 +0,0 @@ -https://patchwork.openembedded.org/patch/133226/ - -From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001 -From: erouault -Date: Mon, 15 Aug 2016 21:05:40 +0000 -Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in - loadImage(). From patch libtiff-CVE-2016-3991.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) - -CVE: CVE-2016-3991 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba - -Signed-off-by: Yi Zhao ---- -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 27abc0b..ddba7b9 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, - } - - tile_buffsize = tilesize; -+ if (tilesize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); -+ exit(-1); -+ } - - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -- } -+ if (tl != (tile_buffsize / tile_rowsize)) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); -+ exit(-1); -+ } -+ } - - tilebuf = _TIFFmalloc(tile_buffsize); - if (tilebuf == 0) -@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, - !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) - return 1; - -+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) -+ { -+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); -+ exit(-1); -+ } -+ - tile_buffsize = tilesize; - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -+ if (tl != tile_buffsize / tile_rowsize) -+ { -+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - } - - tilebuf = _TIFFmalloc(tile_buffsize); -@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); - - tile_rowsize = TIFFTileRowSize(in); -+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); -+ exit(-1); -+ } - buffsize = tlsize * ntiles; -+ if (tlsize != (buffsize / ntiles)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - -- - if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) - { - buffsize = ntiles * tl * tile_rowsize; -+ if (ntiles != (buffsize / tl / tile_rowsize)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ - #ifdef DEBUG2 - TIFFError("loadImage", - "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", -@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - stsize = TIFFStripSize(in); - nstrips = TIFFNumberOfStrips(in); -+ if (nstrips == 0 || stsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); -+ exit(-1); -+ } -+ - buffsize = stsize * nstrips; -- -+ if (stsize != (buffsize / nstrips)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ uint32 buffsize_check; -+ buffsize_check = ((length * width * spp * bps) + 7); -+ if (length != ((buffsize_check - 7) / width / spp / bps)) -+ { -+ TIFFError("loadImage", "Integer overflow detected."); -+ exit(-1); -+ } - if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) - { - buffsize = ((length * width * spp * bps) + 7) / 8; -- 2.6.6 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---