~alpine/aports

v3.3: main/tiff: security upgrade to 4.0.7 - fixes #6666 v1 PROPOSED

Sergei Lukin: 1
 main/tiff: security upgrade to 4.0.7 - fixes #6666

 10 files changed, 31 insertions(+), 727 deletions(-)
Copy & paste the following snippet into your terminal to import this patchset into git:

curl -s https://lists.alpinelinux.org/~alpine/aports/patches/1601/mbox | git am -3

[alpine-aports] [PATCH v3.3] main/tiff: security upgrade to 4.0.7 - fixes #6666

CVE-2016-9273: heap-buffer-overflow in cpStrips
CVE-2016-9297: segfault in _TIFFPrintField
CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag
CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf
CVE-2016-3186: Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.
CVE-2016-3621: Out-of-bounds Read in the bmp2tiff tool
CVE-2016-3622: Divide By Zero in the tiff2rgba tool
CVE-2016-3623, CVE-2016-3624: Divide By Zero in the rgb2ycbcr tool
CVE-2016-3625: Out-of-bounds Read in the tiff2bw tool
CVE-2016-3658, CVE-2014-8127: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c
CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317: PixarLogDecode() out-of-bound writes
CVE-2016-5320, CVE-2016-5875: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c
  bugzilla supposes that CVE-2016-5320 is a duplicate of CVE-2016-5314 (https://bugs.alpinelinux.org/issues/6661), which was fixed in tiff 4.0.7 (http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1)
CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function
CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function
CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow
---
CVE-2016-5318 still remains unfixed (http://bugzilla.maptools.org/show_bug.cgi?id=2561)
 #6661 could not be marked as fixed for now

4.0.7 contains lots of fixes:
http://libtiff.maptools.org/v4.0.7.html
https://fossies.org/diffs/tiff/4.0.6_vs_4.0.7/ChangeLog-diff.html
There is only one major change mentioned: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution. These tools were written in the late 1980s and early 1990s for test and demonstration purposes. In some cases the tools were never updated to support updates to the file format, or the file formats are now rarely used. In all cases these tools increased the libtiff security and maintenance exposure beyond the value offered by the tool.
http://libtiff.maptools.org/v4.0.7.html

Patches: CVE-2015-7554.patch, CVE-2015-8665.patch, CVE-2015-8668.patch, CVE-2015-8781-8782-8783.patch, CVE-2015-8784.patch, CVE-2016-3632.patch, CVE-2016-3945.patch, CVE-2016-3990.patch, CVE-2016-3991.patch
are no longer needed because these issues were fixed in 4.0.7

 main/tiff/APKBUILD                      |  75 ++++++--------
 main/tiff/CVE-2015-7554.patch           |  25 -----
 main/tiff/CVE-2015-8665.patch           | 113 ---------------------
 main/tiff/CVE-2015-8668.patch           |  42 --------
 main/tiff/CVE-2015-8781-8782-8783.patch | 171 --------------------------------
 main/tiff/CVE-2015-8784.patch           |  49 ---------
 main/tiff/CVE-2016-3632.patch           |  23 -----
 main/tiff/CVE-2016-3945.patch           |  97 ------------------
 main/tiff/CVE-2016-3990.patch           |  37 -------
 main/tiff/CVE-2016-3991.patch           | 126 -----------------------
 10 files changed, 31 insertions(+), 727 deletions(-)
 delete mode 100644 main/tiff/CVE-2015-7554.patch
 delete mode 100644 main/tiff/CVE-2015-8665.patch
 delete mode 100644 main/tiff/CVE-2015-8668.patch
 delete mode 100644 main/tiff/CVE-2015-8781-8782-8783.patch
 delete mode 100644 main/tiff/CVE-2015-8784.patch
 delete mode 100644 main/tiff/CVE-2016-3632.patch
 delete mode 100644 main/tiff/CVE-2016-3945.patch
 delete mode 100644 main/tiff/CVE-2016-3990.patch
 delete mode 100644 main/tiff/CVE-2016-3991.patch

diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 85efc94..4d002ec 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -1,9 +1,9 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.6
pkgrel=4
pkgver=4.0.7
pkgrel=0
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
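Review bot: duplicate contributor entry in the header: `# Contributor: Sergei Lukin <sergej.lukin@gmail.com>` and `# Contributor: Sergey Lukin <sergej.lukin@gmail.com>` are the same person with the same address, so the new line only adds a second spelling; keep one spelling and drop the other line.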
@@ -12,17 +12,31 @@ depends=
depends_dev="zlib-dev libjpeg-turbo-dev"
makedepends="libtool autoconf automake $depends_dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
	CVE-2015-7554.patch
	CVE-2015-8665.patch
	CVE-2015-8668.patch
	CVE-2015-8781-8782-8783.patch
	CVE-2015-8784.patch
	CVE-2016-3632.patch
	CVE-2016-3945.patch
	CVE-2016-3990.patch
	CVE-2016-3991.patch
	"
source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz"

# secfixes:
#   4.0.7-r0:
#     - CVE-2016-9273
#     - CVE-2016-9297
#     - CVE-2016-9448
#     - CVE-2016-9453
#     - CVE-2016-3186
#     - CVE-2016-3621
#     - CVE-2016-3622
#     - CVE-2016-3623
#     - CVE-2016-3624
#     - CVE-2016-3625
#     - CVE-2016-3658
#     - CVE-2014-8127
#     - CVE-2016-5314
#     - CVE-2016-5315
#     - CVE-2016-5316
#     - CVE-2016-5317
#     - CVE-2016-5320
#     - CVE-2016-5875
#     - CVE-2016-5321
#     - CVE-2016-5323
#     - CVE-2016-5652

builddir="$srcdir"/$pkgname-$pkgver

@@ -63,33 +77,6 @@ tools() {
	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}

md5sums="d1d2e940dea0b5ad435f21f03d96dd72  tiff-4.0.6.tar.gz
1023c7deacbb5d8dc61e6d1e9959b172  CVE-2015-7554.patch
1ed2295ff179a6b64803d33f0f865740  CVE-2015-8665.patch
b6e064713f307a2bbf815fb6f46f5317  CVE-2015-8668.patch
96d2a934914a548d244e0a055f370334  CVE-2015-8781-8782-8783.patch
8b3e84314fc2c0eeabd8d2c410f85727  CVE-2015-8784.patch
0bf7599f2d566038fb583250590716d3  CVE-2016-3632.patch
e1de46d39bda11acf73d6430f5108d19  CVE-2016-3945.patch
ee98f9ec234ac11bd5764b1d3ae0aa00  CVE-2016-3990.patch
f060dad3d0bc8a65e2dba9bb4cba4ff4  CVE-2016-3991.patch"
sha256sums="4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c  tiff-4.0.6.tar.gz
2da0ab2927cdaebc790d4cf80a674124a3a08e511bbf6a39a5b232df46068b1b  CVE-2015-7554.patch
1e4158f2a85e4c597b2a6d290c54d4ee815c8930f80824363945506bda3fc798  CVE-2015-8665.patch
962abf920444bc02d4086d17acfc24d6a163010b1639384fecff1460dca07f7d  CVE-2015-8668.patch
f7c953c51f4f14b8627aad9bfe5b183b5d56e62e96e24d80a233e0b849c0c743  CVE-2015-8781-8782-8783.patch
504332761f3e72d8424fd59d4e2c75dd280f61efbbd4e60f6bc0e1f91ed9e972  CVE-2015-8784.patch
de53c724507a2ab2796b4ae52bd12e8ca358aa03a3ea69664e3986804b9c1b38  CVE-2016-3632.patch
e89921b4e26ffc49fb37a219fa6fc6078949f6f62154e037dbbe66051b97f731  CVE-2016-3945.patch
28a16234ea69877de83ee5e269929b7a05fcce1ff6400db3005c94328c9e1751  CVE-2016-3990.patch
e85df1c5ae13cd6fbf38f13cdb34e6fc7e744005bd8948d97751be1a18208870  CVE-2016-3991.patch"
sha512sums="2c8dbaaaab9f82a7722bfe8cb6fcfcf67472beb692f1b7dafaf322759e7016dad1bc58457c0f03db50aa5bd088fef2b37358fcbc1524e20e9e14a9620373fdf8  tiff-4.0.6.tar.gz
4d902d55d3f796f6f6e266ee1c1237a765ffb0595e0af8c325d08ad3eff76d87409ae4edae5bf3f8adb06796e2ddd2439f598c24760aa2444e30efb3f78e8ce8  CVE-2015-7554.patch
4507d3852d57922574897d53f366d80d71d0d83850aa3c3993b956fabce26165f315838c17430d1abd41f160c40a4e3d8e6b31ff150e81059669ccfe29f90126  CVE-2015-8665.patch
aaa315f45a0410a4173afbd0c913891d9a0df0c447b09fd1be6080ee78366294909b2d599b7908b591b7e3911ed6f5b6d97c054bb5a1e17540204b7542268d23  CVE-2015-8668.patch
4ca7823f666df8f29eba0f62a14f71e440eef20fcc8d3a1a77cf65a07e1e737bdcfb49641ee5b62ce28877ef428106996254989d2100615dc7cf2be7aa903002  CVE-2015-8781-8782-8783.patch
46c917d435bca839bc2bcdb170e1a9724e07da9ba9cdf1230168f1cef7b1e62c4af19ebe4892d9d56f29fcf2820b8f55e81539eca70120893b2f0894efcc370f  CVE-2015-8784.patch
93dfd29c884daaaa72196cc66537dba25d088ab86f09e8f9a69a3cb91e380e1b62860ae8aa459c4972c609422ac3a026e3a8b0e384438f48e697ab56c6af71f1  CVE-2016-3632.patch
5aa686e8164eea39c0968d2748dcd02f536741b1d2c387dee60891f8768bc343c34f0851fe700f1457949bf3f534f49370f8b114663af977cb45d9a431b38425  CVE-2016-3945.patch
289651ae11fc5c6ddfbab94af7f598165637cf8b827b1cffb5e4522c7d566c96a4fd07acc7195705a655e4c8f95ef0957df8d924f76bdf2bebcf918f4cec3a9d  CVE-2016-3990.patch
048cff76de85f51a942e15e5b2d72b63b75a79adba5e9d4a7a7fac8ca47b1caf48c4a4af28b226c3146a235aba7734f525b40f1274bc4f639bb9d870a637aa84  CVE-2016-3991.patch"
md5sums="77ae928d2c6b7fb46a21c3a29325157b  tiff-4.0.7.tar.gz"
sha256sums="9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019  tiff-4.0.7.tar.gz"
sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc  tiff-4.0.7.tar.gz"
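Review bot: three digests of the same tarball are kept in the checksum block; md5sums adds no assurance beyond sha512sums (MD5 is collision-broken) and sha256sums is redundant next to it, so if the v3.3 abuild accepts sha512sums alone, drop the md5sums and sha256sums lines and regenerate with `abuild checksum`.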
diff --git a/main/tiff/CVE-2015-7554.patch b/main/tiff/CVE-2015-7554.patch
deleted file mode 100644
index 426a8ea..0000000
--- a/main/tiff/CVE-2015-7554.patch
@@ -1,25 +0,0 @@
https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-7554.patch

diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c
--- tiff-4.0.4/tools/tiffsplit.c	2015-05-28 15:10:26.000000000 +0200
+++ tiff-4.0.4_patch/tools/tiffsplit.c	2016-02-12 19:15:30.532005041 +0100
@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out)
 		    TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table);
 		}
 	}
+	uint32 count = 0;
         CopyField(TIFFTAG_PHOTOMETRIC, shortv);
-	CopyField(TIFFTAG_PREDICTOR, shortv);
+	CopyField2(TIFFTAG_PREDICTOR, count, shortv);
 	CopyField(TIFFTAG_THRESHHOLDING, shortv);
 	CopyField(TIFFTAG_FILLORDER, shortv);
 	CopyField(TIFFTAG_ORIENTATION, shortv);
@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out)
 	CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv);
 	CopyField(TIFFTAG_XRESOLUTION, floatv);
 	CopyField(TIFFTAG_YRESOLUTION, floatv);
-	CopyField(TIFFTAG_GROUP3OPTIONS, longv);
+	CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv);
 	CopyField(TIFFTAG_GROUP4OPTIONS, longv);
 	CopyField(TIFFTAG_RESOLUTIONUNIT, shortv);
 	CopyField(TIFFTAG_PLANARCONFIG, shortv);
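Review bot: dropping this backport is only safe if the equivalent tiffsplit fix is in 4.0.7; the commit message asserts that all nine removed patches are covered but cites only the release page and a ChangeLog diff, so add the specific upstream ChangeLog entry or commit that supersedes each dropped patch, starting with this one for CVE-2015-7554, so the claim can be checked during review rather than taken on trust.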
diff --git a/main/tiff/CVE-2015-8665.patch b/main/tiff/CVE-2015-8665.patch
deleted file mode 100644
index f80d736..0000000
--- a/main/tiff/CVE-2015-8665.patch
@@ -1,113 +0,0 @@
From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sat, 26 Dec 2015 17:32:03 +0000
Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
 TIFFRGBAImage interface in case of unsupported values of
 SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
 TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
 limingxing and CVE-2015-8683 reported by zzf of Alibaba.

---
 libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
 2 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index cdeff08..261aad6 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
 				    "Planarconfiguration", td->td_planarconfig);
 				return (0);
 			}
-			if( td->td_samplesperpixel != 3 )
+			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
             {
                 sprintf(emsg,
-                        "Sorry, can not handle image with %s=%d",
-                        "Samples/pixel", td->td_samplesperpixel);
+                        "Sorry, can not handle image with %s=%d, %s=%d",
+                        "Samples/pixel", td->td_samplesperpixel,
+                        "colorchannels", colorchannels);
                 return 0;
             }
 			break;
 		case PHOTOMETRIC_CIELAB:
-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
+            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
             {
                 sprintf(emsg,
-                        "Sorry, can not handle image with %s=%d and %s=%d",
+                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
                         "Samples/pixel", td->td_samplesperpixel,
+                        "colorchannels", colorchannels,
                         "Bits/sample", td->td_bitspersample);
                 return 0;
             }
@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
 	int colorchannels;
 	uint16 *red_orig, *green_orig, *blue_orig;
 	int n_color;
+	
+	if( !TIFFRGBAImageOK(tif, emsg) )
+		return 0;
 
 	/* Initialize to normal values */
 	img->row_offset = 0;
@@ -2509,29 +2514,33 @@ PickContigCase(TIFFRGBAImage* img)
 		case PHOTOMETRIC_RGB:
 			switch (img->bitspersample) {
 				case 8:
-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+						img->samplesperpixel >= 4)
 						img->put.contig = putRGBAAcontig8bittile;
-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+							 img->samplesperpixel >= 4)
 					{
 						if (BuildMapUaToAa(img))
 							img->put.contig = putRGBUAcontig8bittile;
 					}
-					else
+					else if( img->samplesperpixel >= 3 )
 						img->put.contig = putRGBcontig8bittile;
 					break;
 				case 16:
-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+						img->samplesperpixel >=4 )
 					{
 						if (BuildMapBitdepth16To8(img))
 							img->put.contig = putRGBAAcontig16bittile;
 					}
-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+							 img->samplesperpixel >=4 )
 					{
 						if (BuildMapBitdepth16To8(img) &&
 						    BuildMapUaToAa(img))
 							img->put.contig = putRGBUAcontig16bittile;
 					}
-					else
+					else if( img->samplesperpixel >=3 )
 					{
 						if (BuildMapBitdepth16To8(img))
 							img->put.contig = putRGBcontig16bittile;
@@ -2540,7 +2549,7 @@ PickContigCase(TIFFRGBAImage* img)
 			}
 			break;
 		case PHOTOMETRIC_SEPARATED:
-			if (buildMap(img)) {
+			if (img->samplesperpixel >=4 && buildMap(img)) {
 				if (img->bitspersample == 8) {
 					if (!img->Map)
 						img->put.contig = putRGBcontig8bitCMYKtile;
@@ -2636,7 +2645,7 @@ PickContigCase(TIFFRGBAImage* img)
 			}
 			break;
 		case PHOTOMETRIC_CIELAB:
-			if (buildMap(img)) {
+			if (img->samplesperpixel == 3 && buildMap(img)) {
 				if (img->bitspersample == 8)
 					img->put.contig = initCIELabConversion(img);
 				break;
diff --git a/main/tiff/CVE-2015-8668.patch b/main/tiff/CVE-2015-8668.patch
deleted file mode 100644
index 3f2f4e4..0000000
--- a/main/tiff/CVE-2015-8668.patch
@@ -1,42 +0,0 @@
https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-8668.patch

diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
index 376f4e6..c747c13 100644
--- a/tools/bmp2tiff.c
+++ b/tools/bmp2tiff.c
@@ -614,18 +614,27 @@ main(int argc, char* argv[])
 			    || info_hdr.iCompression == BMPC_RLE4 ) {
 			uint32		i, j, k, runlength;
 			uint32		compr_size, uncompr_size;
+			uint32      bits = 0;
 			unsigned char   *comprbuf;
 			unsigned char   *uncomprbuf;
 
 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
-			uncompr_size = width * length;
-                        /* Detect int overflow */
-                        if( uncompr_size / width != length ) {
-                                TIFFError(infilename,
-                                          "Invalid dimensions of BMP file" );
-                                close(fd);
-                                return -1;
-                        }
+
+			bits = info_hdr.iBitCount;
+
+			if (bits > 8) // bit depth is > 8bit, adjust size
+			{
+				uncompr_size = width * length * (bits / 8);
+				/* Detect int overflow */
+				if (uncompr_size / width / (bits / 8) != length) {
+					TIFFError(infilename,
+							   "Invalid dimensions of BMP file");
+					close(fd);
+					return -1;
+				}
+			}
+			else
+				uncompr_size = width * length;
                         if ( (compr_size == 0) ||
                              (compr_size > ((uint32) ~0) >> 1) ||
                              (uncompr_size == 0) ||
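Review bot: with bmp2tiff gone from 4.0.7 this patch is moot, but the upgrade also changes what the $pkgname-tools subpackage ships from /usr/bin: bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv and ycbcr disappear, and the subject line only says "security upgrade"; call the removed tools out in the subject or the first paragraph so v3.3 users with scripts that invoke them know the upgrade removes them.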
diff --git a/main/tiff/CVE-2015-8781-8782-8783.patch b/main/tiff/CVE-2015-8781-8782-8783.patch
deleted file mode 100644
index c8073ba..0000000
--- a/main/tiff/CVE-2015-8781-8782-8783.patch
@@ -1,171 +0,0 @@
From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sun, 27 Dec 2015 16:25:11 +0000
Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
 decode functions in non debug builds by replacing assert()s by regular if
 checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
 input data.

---
 libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 3dc13f1..b66ff64 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 	if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
 		tp = (int16*) op;
 	else {
-		assert(sp->tbuflen >= npixels);
+		if(sp->tbuflen < npixels) {
+			TIFFErrorExt(tif->tif_clientdata, module,
+						 "Translation buffer too short");
+			return (0);
+		}
 		tp = (int16*) sp->tbuf;
 	}
 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 	cc = tif->tif_rawcc;
 	/* get each byte string */
 	for (shft = 2*8; (shft -= 8) >= 0; ) {
-		for (i = 0; i < npixels && cc > 0; )
+		for (i = 0; i < npixels && cc > 0; ) {
 			if (*bp >= 128) {		/* run */
-				rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+				if( cc < 2 )
+					break;
+				rc = *bp++ + (2-128);
 				b = (int16)(*bp++ << shft);
 				cc -= 2;
 				while (rc-- && i < npixels)
@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 				while (--cc && rc-- && i < npixels)
 					tp[i++] |= (int16)*bp++ << shft;
 			}
+		}
 		if (i != npixels) {
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 			TIFFErrorExt(tif->tif_clientdata, module,
@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
 		tp = (uint32 *)op;
 	else {
-		assert(sp->tbuflen >= npixels);
+		if(sp->tbuflen < npixels) {
+			TIFFErrorExt(tif->tif_clientdata, module,
+						 "Translation buffer too short");
+			return (0);
+		}
 		tp = (uint32 *) sp->tbuf;
 	}
 	/* copy to array of uint32 */
 	bp = (unsigned char*) tif->tif_rawcp;
 	cc = tif->tif_rawcc;
-	for (i = 0; i < npixels && cc > 0; i++) {
+	for (i = 0; i < npixels && cc >= 3; i++) {
 		tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
 		bp += 3;
 		cc -= 3;
@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
 		tp = (uint32*) op;
 	else {
-		assert(sp->tbuflen >= npixels);
+		if(sp->tbuflen < npixels) {
+			TIFFErrorExt(tif->tif_clientdata, module,
+						 "Translation buffer too short");
+			return (0);
+		}
 		tp = (uint32*) sp->tbuf;
 	}
 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 	cc = tif->tif_rawcc;
 	/* get each byte string */
 	for (shft = 4*8; (shft -= 8) >= 0; ) {
-		for (i = 0; i < npixels && cc > 0; )
+		for (i = 0; i < npixels && cc > 0; ) {
 			if (*bp >= 128) {		/* run */
+				if( cc < 2 )
+					break;
 				rc = *bp++ + (2-128);
 				b = (uint32)*bp++ << shft;
-				cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+				cc -= 2;
 				while (rc-- && i < npixels)
 					tp[i++] |= b;
 			} else {			/* non-run */
@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 				while (--cc && rc-- && i < npixels)
 					tp[i++] |= (uint32)*bp++ << shft;
 			}
+		}
 		if (i != npixels) {
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 			TIFFErrorExt(tif->tif_clientdata, module,
@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 static int
 LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 {
+	static const char module[] = "LogL16Encode";
 	LogLuvState* sp = EncoderState(tif);
 	int shft;
 	tmsize_t i;
@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 		tp = (int16*) bp;
 	else {
 		tp = (int16*) sp->tbuf;
-		assert(sp->tbuflen >= npixels);
+		if(sp->tbuflen < npixels) {
+			TIFFErrorExt(tif->tif_clientdata, module,
+						 "Translation buffer too short");
+			return (0);
+		}
 		(*sp->tfunc)(sp, bp, npixels);
 	}
 	/* compress each byte string */
@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 static int
 LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 {
+	static const char module[] = "LogLuvEncode24";
 	LogLuvState* sp = EncoderState(tif);
 	tmsize_t i;
 	tmsize_t npixels;
@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 		tp = (uint32*) bp;
 	else {
 		tp = (uint32*) sp->tbuf;
-		assert(sp->tbuflen >= npixels);
+		if(sp->tbuflen < npixels) {
+			TIFFErrorExt(tif->tif_clientdata, module,
+						 "Translation buffer too short");
+			return (0);
+		}
 		(*sp->tfunc)(sp, bp, npixels);
 	}
 	/* write out encoded pixels */
@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 static int
 LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 {
+	static const char module[] = "LogLuvEncode32";
 	LogLuvState* sp = EncoderState(tif);
 	int shft;
 	tmsize_t i;
@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 		tp = (uint32*) bp;
 	else {
 		tp = (uint32*) sp->tbuf;
-		assert(sp->tbuflen >= npixels);
+		if(sp->tbuflen < npixels) {
+			TIFFErrorExt(tif->tif_clientdata, module,
+						 "Translation buffer too short");
+			return (0);
+		}
 		(*sp->tfunc)(sp, bp, npixels);
 	}
 	/* compress each byte string */
diff --git a/main/tiff/CVE-2015-8784.patch b/main/tiff/CVE-2015-8784.patch
deleted file mode 100644
index ab48ddf..0000000
--- a/main/tiff/CVE-2015-8784.patch
@@ -1,49 +0,0 @@
From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sun, 27 Dec 2015 16:55:20 +0000
Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
 NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
 (bugzilla #2508)

---
 libtiff/tif_next.c | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
index dd669cc..0a5b635 100644
--- a/libtiff/tif_next.c
+++ b/libtiff/tif_next.c
@@ -37,7 +37,7 @@
 	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
 	case 1:	op[0] |= (v) << 4; break;	\
 	case 2:	op[0] |= (v) << 2; break;	\
-	case 3:	*op++ |= (v);	   break;	\
+	case 3:	*op++ |= (v);	   op_offset++; break;	\
 	}					\
 }
 
@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
             if( isTiled(tif) )
                 imagewidth = tif->tif_dir.td_tilewidth;
+            tmsize_t op_offset = 0;
 
 			/*
 			 * The scanline is composed of a sequence of constant
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 				 * bounds, potentially resulting in a security
 				 * issue.
 				 */
-				while (n-- > 0 && npixels < imagewidth)
+				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
 					SETPIXEL(op, grey);
 				if (npixels >= imagewidth)
 					break;
+                if (op_offset >= scanline ) {
+                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+                        (long) tif->tif_row);
+                    return (0);
+                }
 				if (cc == 0)
 					goto bad;
 				n = *bp++, cc--;
diff --git a/main/tiff/CVE-2016-3632.patch b/main/tiff/CVE-2016-3632.patch
deleted file mode 100644
index 7640d1b..0000000
--- a/main/tiff/CVE-2016-3632.patch
@@ -1,23 +0,0 @@
https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2016-3632.patch

From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Mon, 11 Jul 2016 16:04:34 +0200
Subject: [PATCH 4/8] Fix CVE-2016-3632
---
 tools/thumbnail.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
index fd1cba5..75e7009 100644
--- a/tools/thumbnail.c
+++ b/tools/thumbnail.c
@@ -253,7 +253,8 @@ static struct cpTag {
     { TIFFTAG_WHITEPOINT,		2, TIFF_RATIONAL },
     { TIFFTAG_PRIMARYCHROMATICITIES,	(uint16) -1,TIFF_RATIONAL },
     { TIFFTAG_HALFTONEHINTS,		2, TIFF_SHORT },
-    { TIFFTAG_BADFAXLINES,		1, TIFF_LONG },
+    // disable BADFAXLINES, CVE-2016-3632
+    //{ TIFFTAG_BADFAXLINES,		1, TIFF_LONG },
     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
     { TIFFTAG_INKSET,			1, TIFF_SHORT },
diff --git a/main/tiff/CVE-2016-3945.patch b/main/tiff/CVE-2016-3945.patch
deleted file mode 100644
index 53c6dc5..0000000
--- a/main/tiff/CVE-2016-3945.patch
@@ -1,97 +0,0 @@
https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2016-3945.patch;jsessionid=1rcllyzw1i6tk1nli211rmjqnf

From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 15 Aug 2016 20:06:40 +0000
Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
 allocated buffer, when -b mode is enabled, that could result in out-of-bounds
 write. Based initially on patch tiff-CVE-2016-3945.patch from
 libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
 tests that rejected valid files.

CVE: CVE-2016-3945
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6

Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index b7a81eb..16e3dc4 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
     uint32  row, col;
     uint32  *wrk_line;
     int	    ok = 1;
+    uint32  rastersize, wrk_linesize;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
     /*
      * Allocate tile buffer
      */
-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+    rastersize = tile_width * tile_height * sizeof (uint32);
+    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+    {
+	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+	exit(-1);
+    }
+    raster = (uint32*)_TIFFmalloc(rastersize);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
      * Allocate a scanline buffer for swapping during the vertical
      * mirroring pass.
      */
-    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+    wrk_linesize = tile_width * sizeof (uint32);
+    if (tile_width != wrk_linesize / sizeof (uint32))
+    {
+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+	exit(-1);
+    }
+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
     if (!wrk_line) {
         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
         ok = 0;
@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
     uint32  row;
     uint32  *wrk_line;
     int	    ok = 1;
+    uint32  rastersize, wrk_linesize;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
     /*
      * Allocate strip buffer
      */
-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+    rastersize = width * rowsperstrip * sizeof (uint32);
+    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+    {
+	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+	exit(-1);
+    }
+    raster = (uint32*)_TIFFmalloc(rastersize);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
      * Allocate a scanline buffer for swapping during the vertical
      * mirroring pass.
      */
-    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+    wrk_linesize = width * sizeof (uint32);
+    if (width != wrk_linesize / sizeof (uint32))
+    {
+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+	exit(-1);
+    }
+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
     if (!wrk_line) {
         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
         ok = 0;
diff --git a/main/tiff/CVE-2016-3990.patch b/main/tiff/CVE-2016-3990.patch
deleted file mode 100644
index b198014..0000000
--- a/main/tiff/CVE-2016-3990.patch
@@ -1,37 +0,0 @@
https://patchwork.openembedded.org/patch/133225/

From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 15 Aug 2016 20:49:48 +0000
Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
 PixarLogEncode if more input samples are provided than expected by
 PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
 libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
 simpler check. (bugzilla #2544)

invalid tests that rejected valid files. (bugzilla #2545)

CVE: CVE-2016-3990
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1

Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index e78f788..28329d1 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
 	}
 
 	llen = sp->stride * td->td_imagewidth;
+    /* Check against the number of elements (of size uint16) of sp->tbuf */
+    if( n > td->td_rowsperstrip * llen )
+    {
+        TIFFErrorExt(tif->tif_clientdata, module,
+                     "Too many input bytes provided");
+        return 0;
+    }
 
 	for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
 		switch (sp->user_datafmt)  {
diff --git a/main/tiff/CVE-2016-3991.patch b/main/tiff/CVE-2016-3991.patch
deleted file mode 100644
index 0a75bba..0000000
--- a/main/tiff/CVE-2016-3991.patch
@@ -1,126 +0,0 @@
https://patchwork.openembedded.org/patch/133226/

From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 15 Aug 2016 21:05:40 +0000
Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
 loadImage(). From patch libtiff-CVE-2016-3991.patch from
 libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)

CVE: CVE-2016-3991
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba

Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 27abc0b..ddba7b9 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
     }
 
   tile_buffsize = tilesize;
+  if (tilesize == 0 || tile_rowsize == 0)
+  {
+     TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
+     exit(-1);
+  }
 
   if (tilesize < (tsize_t)(tl * tile_rowsize))
     {
@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
               tilesize, tl * tile_rowsize);
 #endif
     tile_buffsize = tl * tile_rowsize;
-    } 
+    if (tl != (tile_buffsize / tile_rowsize))
+    {
+    	TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+        exit(-1);
+    }
+    }
 
   tilebuf = _TIFFmalloc(tile_buffsize);
   if (tilebuf == 0)
@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
       !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
       return 1;
 
+  if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
+  {
+    TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
+    exit(-1);
+  }
+
   tile_buffsize = tilesize;
   if (tilesize < (tsize_t)(tl * tile_rowsize))
     {
@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
               tilesize, tl * tile_rowsize);
 #endif
     tile_buffsize = tl * tile_rowsize;
+    if (tl != tile_buffsize / tile_rowsize)
+    {
+	TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
+	exit(-1);
+    }
     }
 
   tilebuf = _TIFFmalloc(tile_buffsize);
@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
     TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
 
     tile_rowsize  = TIFFTileRowSize(in);      
+    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
+    {
+	TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
+	exit(-1);
+    }
     buffsize = tlsize * ntiles;
+    if (tlsize != (buffsize / ntiles))
+    {
+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
+	exit(-1);
+    }
 
--        
     if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
       {
       buffsize = ntiles * tl * tile_rowsize;
+      if (ntiles != (buffsize / tl / tile_rowsize))
+      {
+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
+	exit(-1);
+      }
+      
 #ifdef DEBUG2
       TIFFError("loadImage",
 	        "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
     TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
     stsize = TIFFStripSize(in);
     nstrips = TIFFNumberOfStrips(in);
+    if (nstrips == 0 || stsize == 0)
+    {
+	TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
+	exit(-1);
+    }
+
     buffsize = stsize * nstrips;
--    
+    if (stsize != (buffsize / nstrips))
+    {
+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
+	exit(-1);
+    }
+    uint32 buffsize_check;
+    buffsize_check = ((length * width * spp * bps) + 7);
+    if (length != ((buffsize_check - 7) / width / spp / bps))
+    {
+	TIFFError("loadImage", "Integer overflow detected.");
+	exit(-1);
+    }
     if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
       {
       buffsize =  ((length * width * spp * bps) + 7) / 8;
-- 
2.6.6



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---