LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8406 Commits
1 Branch
46 MiB
Tree: 45b88fc5d7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '45b88fc5d7'
${ noResults }
openwrt-packages-dist/libs/tiff/patches/102-CVE.patch

131 lines
4.8 KiB
Raw Normal View History

tiff: update to version 4.0.7 with CVE fixes Signed-off-by: Jiri Slachta <jiri@slachta.eu>
7 years ago
 
  1. commit da99990ba6e1203798a59eb836fc6433ed6e3d66
  2. Author: erouault <erouault>
  3. Date:   Fri Dec 2 23:05:51 2016 +0000
  4. 

  5.     * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
  6.     overflow on generation of PixarLog / LUV compressed files, with
  7.     ColorMap, TransferFunction attached and nasty plays with bitspersample.
  8.     The fix for LUV has not been tested, but suffers from the same kind
  9.     of issue of PixarLog.
  10.     Reported by Agostino Sarubbo.
  11.     Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
  12. 

  13. diff --git a/ChangeLog b/ChangeLog

  14. index 0f154d6..93c01f8 100644

  15. --- a/ChangeLog

  16. +++ b/ChangeLog

  17. @@ -1,3 +1,13 @@

  18. +2016-12-03 Even Rouault <even.rouault at spatialys.com>

  19. +

  20. +	* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer

  21. +	overflow on generation of PixarLog / LUV compressed files, with

  22. +	ColorMap, TransferFunction attached and nasty plays with bitspersample.

  23. +	The fix for LUV has not been tested, but suffers from the same kind

  24. +	of issue of PixarLog.

  25. +	Reported by Agostino Sarubbo.

  26. +	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604

  27. +

  28.  2016-12-02 Even Rouault <even.rouault at spatialys.com>
  29.  
  30.  	* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that 
  31. diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c

  32. index ca08f30..f42ac01 100644

  33. --- a/libtiff/tif_luv.c

  34. +++ b/libtiff/tif_luv.c

  35. @@ -1,4 +1,4 @@

  36. -/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */

  37. +/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */

  38.  
  39.  /*
  40.   * Copyright (c) 1997 Greg Ward Larson
  41. @@ -158,6 +158,7 @@

  42.  typedef struct logLuvState LogLuvState;
  43.  
  44.  struct logLuvState {
  45. +        int                     encoder_state;  /* 1 if encoder correctly initialized */

  46.  	int                     user_datafmt;   /* user data format */
  47.  	int                     encode_meth;    /* encoding method */
  48.  	int                     pixel_size;     /* bytes per pixel */
  49. @@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)

  50.  		    td->td_photometric, "must be either LogLUV or LogL");
  51.  		break;
  52.  	}
  53. +	sp->encoder_state = 1;

  54.  	return (1);
  55.  notsupported:
  56.  	TIFFErrorExt(tif->tif_clientdata, module,
  57. @@ -1563,19 +1565,27 @@ notsupported:

  58.  static void
  59.  LogLuvClose(TIFF* tif)
  60.  {
  61. +        LogLuvState* sp = (LogLuvState*) tif->tif_data;

  62.  	TIFFDirectory *td = &tif->tif_dir;
  63.  
  64. +	assert(sp != 0);

  65.  	/*
  66.  	 * For consistency, we always want to write out the same
  67.  	 * bitspersample and sampleformat for our TIFF file,
  68.  	 * regardless of the data format being used by the application.
  69.  	 * Since this routine is called after tags have been set but
  70.  	 * before they have been recorded in the file, we reset them here.
  71. +         * Note: this is really a nasty approach. See PixarLogClose

  72.  	 */
  73. -	td->td_samplesperpixel =

  74. -	    (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;

  75. -	td->td_bitspersample = 16;

  76. -	td->td_sampleformat = SAMPLEFORMAT_INT;

  77. +        if( sp->encoder_state )

  78. +        {

  79. +            /* See PixarLogClose. Might avoid issues with tags whose size depends

  80. +             * on those below, but not completely sure this is enough. */

  81. +            td->td_samplesperpixel =

  82. +                (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;

  83. +            td->td_bitspersample = 16;

  84. +            td->td_sampleformat = SAMPLEFORMAT_INT;

  85. +        }

  86.  }
  87.  
  88.  static void
  89. diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c

  90. index f4af2ba..9836dce 100644

  91. --- a/libtiff/tif_pixarlog.c

  92. +++ b/libtiff/tif_pixarlog.c

  93. @@ -1,4 +1,4 @@

  94. -/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */

  95. +/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */

  96.  
  97.  /*
  98.   * Copyright (c) 1996-1997 Sam Leffler
  99. @@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)

  100.  static void
  101.  PixarLogClose(TIFF* tif)
  102.  {
  103. +        PixarLogState* sp = (PixarLogState*) tif->tif_data;

  104.  	TIFFDirectory *td = &tif->tif_dir;
  105.  
  106. +	assert(sp != 0);

  107.  	/* In a really sneaky (and really incorrect, and untruthful, and
  108.  	 * troublesome, and error-prone) maneuver that completely goes against
  109.  	 * the spirit of TIFF, and breaks TIFF, on close, we covertly
  110. @@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)

  111.  	 * readers that don't know about PixarLog, or how to set
  112.  	 * the PIXARLOGDATFMT pseudo-tag.
  113.  	 */
  114. -	td->td_bitspersample = 8;

  115. -	td->td_sampleformat = SAMPLEFORMAT_UINT;

  116. +

  117. +        if (sp->state&PLSTATE_INIT) {

  118. +            /* We test the state to avoid an issue such as in

  119. +             * http://bugzilla.maptools.org/show_bug.cgi?id=2604

  120. +             * What appends in that case is that the bitspersample is 1 and

  121. +             * a TransferFunction is set. The size of the TransferFunction

  122. +             * depends on 1<<bitspersample. So if we increase it, an access

  123. +             * out of the buffer will happen at directory flushing.

  124. +             * Another option would be to clear those targs. 

  125. +             */

  126. +            td->td_bitspersample = 8;

  127. +            td->td_sampleformat = SAMPLEFORMAT_UINT;

  128. +        }

  129.  }
  130.  
  131.  static void