LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9023 Commits
1 Branch
46 MiB
Tree: 1bceb95ff4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1bceb95ff4'
${ noResults }
openwrt-packages-dist/libs/tiff/patches/013-CVE-2016-10095_CVE-2017...

209 lines
7.0 KiB
Raw Normal View History

tiff: update package to version 4.0.8 Signed-off-by: Jiri Slachta <jiri@slachta.eu>
7 years ago
 
  1. commit 40448d58fbfad52d2dde5bd18daa30b17fe35fcd
  2. Author: erouault <erouault>
  3. Date:   Thu Jun 1 12:44:04 2017 +0000
  4. 

  5.     * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
  6.     and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
  7.     codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
  8.     to behave differently depending on whether the codec is enabled or not, and
  9.     thus can avoid stack based buffer overflows in a number of TIFF utilities
  10.     such as tiffsplit, tiffcmp, thumbnail, etc.
  11.     Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
  12.     (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
  13.     Fixes:
  14.     http://bugzilla.maptools.org/show_bug.cgi?id=2580
  15.     http://bugzilla.maptools.org/show_bug.cgi?id=2693
  16.     http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
  17.     http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
  18.     http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
  19.     http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
  20.     http://bugzilla.maptools.org/show_bug.cgi?id=2441
  21.     http://bugzilla.maptools.org/show_bug.cgi?id=2433
  22. 

  23. diff --git a/ChangeLog b/ChangeLog

  24. index 04881ba7..ebd1a3c0 100644

  25. --- a/ChangeLog

  26. +++ b/ChangeLog

  27. @@ -1,3 +1,23 @@

  28. +2017-06-01  Even Rouault <even.rouault at spatialys.com>

  29. +

  30. +	* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),

  31. +	and use it in TIFFReadDirectory() so as to ignore fields whose tag is a

  32. +	codec-specified tag but this codec is not enabled. This avoids TIFFGetField()

  33. +	to behave differently depending on whether the codec is enabled or not, and

  34. +	thus can avoid stack based buffer overflows in a number of TIFF utilities

  35. +	such as tiffsplit, tiffcmp, thumbnail, etc.

  36. +	Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch

  37. +	(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.

  38. +	Fixes:

  39. +	http://bugzilla.maptools.org/show_bug.cgi?id=2580

  40. +	http://bugzilla.maptools.org/show_bug.cgi?id=2693

  41. +	http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)

  42. +	http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)

  43. +	http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)

  44. +	http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)

  45. +	http://bugzilla.maptools.org/show_bug.cgi?id=2441

  46. +	http://bugzilla.maptools.org/show_bug.cgi?id=2433

  47. +

  48.  2017-05-29  Even Rouault <even.rouault at spatialys.com>
  49.  
  50.  	* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
  51. diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h

  52. index 6af5f3dc..5a380767 100644

  53. --- a/libtiff/tif_dir.h

  54. +++ b/libtiff/tif_dir.h

  55. @@ -1,4 +1,4 @@

  56. -/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */

  57. +/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */

  58.  
  59.  /*
  60.   * Copyright (c) 1988-1997 Sam Leffler
  61. @@ -291,6 +291,7 @@ struct _TIFFField {

  62.  extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
  63.  extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
  64.  extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
  65. +extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);

  66.  
  67.  #if defined(__cplusplus)
  68.  }
  69. diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c

  70. index 23ad0020..4904f540 100644

  71. --- a/libtiff/tif_dirinfo.c

  72. +++ b/libtiff/tif_dirinfo.c

  73. @@ -1,4 +1,4 @@

  74. -/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */

  75. +/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */

  76.  
  77.  /*
  78.   * Copyright (c) 1988-1997 Sam Leffler
  79. @@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)

  80.  	return 0;
  81.  }
  82.  
  83. +int

  84. +_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)

  85. +{

  86. +	/* Filter out non-codec specific tags */

  87. +	switch (tag) {

  88. +	    /* Shared tags */

  89. +	    case TIFFTAG_PREDICTOR:

  90. +	    /* JPEG tags */

  91. +	    case TIFFTAG_JPEGTABLES:

  92. +	    /* OJPEG tags */

  93. +	    case TIFFTAG_JPEGIFOFFSET:

  94. +	    case TIFFTAG_JPEGIFBYTECOUNT:

  95. +	    case TIFFTAG_JPEGQTABLES:

  96. +	    case TIFFTAG_JPEGDCTABLES:

  97. +	    case TIFFTAG_JPEGACTABLES:

  98. +	    case TIFFTAG_JPEGPROC:

  99. +	    case TIFFTAG_JPEGRESTARTINTERVAL:

  100. +	    /* CCITT* */

  101. +	    case TIFFTAG_BADFAXLINES:

  102. +	    case TIFFTAG_CLEANFAXDATA:

  103. +	    case TIFFTAG_CONSECUTIVEBADFAXLINES:

  104. +	    case TIFFTAG_GROUP3OPTIONS:

  105. +	    case TIFFTAG_GROUP4OPTIONS:

  106. +		break;

  107. +	    default:

  108. +		return 1;

  109. +	}

  110. +	/* Check if codec specific tags are allowed for the current

  111. +	 * compression scheme (codec) */

  112. +	switch (tif->tif_dir.td_compression) {

  113. +	    case COMPRESSION_LZW:

  114. +		if (tag == TIFFTAG_PREDICTOR)

  115. +		    return 1;

  116. +		break;

  117. +	    case COMPRESSION_PACKBITS:

  118. +		/* No codec-specific tags */

  119. +		break;

  120. +	    case COMPRESSION_THUNDERSCAN:

  121. +		/* No codec-specific tags */

  122. +		break;

  123. +	    case COMPRESSION_NEXT:

  124. +		/* No codec-specific tags */

  125. +		break;

  126. +	    case COMPRESSION_JPEG:

  127. +		if (tag == TIFFTAG_JPEGTABLES)

  128. +		    return 1;

  129. +		break;

  130. +	    case COMPRESSION_OJPEG:

  131. +		switch (tag) {

  132. +		    case TIFFTAG_JPEGIFOFFSET:

  133. +		    case TIFFTAG_JPEGIFBYTECOUNT:

  134. +		    case TIFFTAG_JPEGQTABLES:

  135. +		    case TIFFTAG_JPEGDCTABLES:

  136. +		    case TIFFTAG_JPEGACTABLES:

  137. +		    case TIFFTAG_JPEGPROC:

  138. +		    case TIFFTAG_JPEGRESTARTINTERVAL:

  139. +			return 1;

  140. +		}

  141. +		break;

  142. +	    case COMPRESSION_CCITTRLE:

  143. +	    case COMPRESSION_CCITTRLEW:

  144. +	    case COMPRESSION_CCITTFAX3:

  145. +	    case COMPRESSION_CCITTFAX4:

  146. +		switch (tag) {

  147. +		    case TIFFTAG_BADFAXLINES:

  148. +		    case TIFFTAG_CLEANFAXDATA:

  149. +		    case TIFFTAG_CONSECUTIVEBADFAXLINES:

  150. +			return 1;

  151. +		    case TIFFTAG_GROUP3OPTIONS:

  152. +			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)

  153. +			    return 1;

  154. +			break;

  155. +		    case TIFFTAG_GROUP4OPTIONS:

  156. +			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)

  157. +			    return 1;

  158. +			break;

  159. +		}

  160. +		break;

  161. +	    case COMPRESSION_JBIG:

  162. +		/* No codec-specific tags */

  163. +		break;

  164. +	    case COMPRESSION_DEFLATE:

  165. +	    case COMPRESSION_ADOBE_DEFLATE:

  166. +		if (tag == TIFFTAG_PREDICTOR)

  167. +		    return 1;

  168. +		break;

  169. +	   case COMPRESSION_PIXARLOG:

  170. +		if (tag == TIFFTAG_PREDICTOR)

  171. +		    return 1;

  172. +		break;

  173. +	    case COMPRESSION_SGILOG:

  174. +	    case COMPRESSION_SGILOG24:

  175. +		/* No codec-specific tags */

  176. +		break;

  177. +	    case COMPRESSION_LZMA:

  178. +		if (tag == TIFFTAG_PREDICTOR)

  179. +		    return 1;

  180. +		break;

  181. +

  182. +	}

  183. +	return 0;

  184. +}

  185. +

  186.  /* vim: set ts=8 sts=8 sw=8 noet: */
  187.  
  188.  /*
  189. diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

  190. index 772ebaf7..acde78b5 100644

  191. --- a/libtiff/tif_dirread.c

  192. +++ b/libtiff/tif_dirread.c

  193. @@ -1,4 +1,4 @@

  194. -/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */

  195. +/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */

  196.  
  197.  /*
  198.   * Copyright (c) 1988-1997 Sam Leffler
  199. @@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)

  200.  							goto bad;
  201.  						dp->tdir_tag=IGNORE;
  202.  						break;
  203. +                                        default:

  204. +                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )

  205. +                                                dp->tdir_tag=IGNORE;

  206. +                                            break;

  207.  				}
  208.  			}
  209.  		}