openwrt-packages-dist/libs/tiff/patches/103-CVE.patch

commit c533d200ecc45e00892a94f9bb2e762a5aa0b2ce
Author: erouault <erouault>
Date:   Sat Dec 3 11:02:15 2016 +0000

    * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
    instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
    instead of a logic based on the total size of data. Which is faulty is
    the total size of data is not sufficient to fill the whole image, and thus
    results in reading outside of the StripByCounts/StripOffsets arrays when
    using TIFFReadScanline().
    Reported by Agostino Sarubbo.
    Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
    
    * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
    for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
    the above change is a better fix that makes it unnecessary.

diff --git a/ChangeLog b/ChangeLog
index 93c01f8..9dbc7a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,20 @@
 2016-12-03 Even Rouault <even.rouault at spatialys.com>
 
+	* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+	instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
+	instead of a logic based on the total size of data. Which is faulty is
+	the total size of data is not sufficient to fill the whole image, and thus
+	results in reading outside of the StripByCounts/StripOffsets arrays when
+	using TIFFReadScanline().
+	Reported by Agostino Sarubbo.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+	* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+	for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+	the above change is a better fix that makes it unnecessary.
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
 	* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
 	overflow on generation of PixarLog / LUV compressed files, with
 	ColorMap, TransferFunction attached and nasty plays with bitspersample.
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 01070f2..f290528 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	uint64 rowblockbytes;
 	uint64 stripbytes;
 	uint32 strip;
-	uint64 nstrips64;
-	uint32 nstrips32;
+	uint32 nstrips;
 	uint32 rowsperstrip;
 	uint64* newcounts;
 	uint64* newoffsets;
@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	    return;
 
 	/*
-	 * never increase the number of strips in an image
+	 * never increase the number of rows per strip
 	 */
 	if (rowsperstrip >= td->td_rowsperstrip)
 		return;
-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
-	    return;
-	nstrips32 = (uint32)nstrips64;
+        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+        if( nstrips == 0 )
+            return;
 
-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 				"for chopped \"StripByteCounts\" array");
-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 				"for chopped \"StripOffsets\" array");
 	if (newcounts == NULL || newoffsets == NULL) {
 		/*
@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	 * Fill the strip information arrays with new bytecounts and offsets
 	 * that reflect the broken-up format.
 	 */
-	for (strip = 0; strip < nstrips32; strip++) {
+	for (strip = 0; strip < nstrips; strip++) {
 		if (stripbytes > bytecount)
 			stripbytes = bytecount;
 		newcounts[strip] = stripbytes;
-		newoffsets[strip] = offset;
+		newoffsets[strip] = stripbytes ? offset : 0;
 		offset += stripbytes;
 		bytecount -= stripbytes;
 	}
 	/*
 	 * Replace old single strip info with multi-strip info.
 	 */
-	td->td_stripsperimage = td->td_nstrips = nstrips32;
+	td->td_stripsperimage = td->td_nstrips = nstrips;
 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
 
 	_TIFFfree(td->td_stripbytecount);
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
index b6098dd..6e9f2ef 100644
--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -1,4 +1,4 @@
-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */
+/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */
 
 /*
  * Copyright (c) 1991-1997 Sam Leffler
@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
 	TIFFDirectory *td = &tif->tif_dir;
 	uint32 nstrips;
 
-    /* If the value was already computed and store in td_nstrips, then return it,
-       since ChopUpSingleUncompressedStrip might have altered and resized the
-       since the td_stripbytecount and td_stripoffset arrays to the new value
-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-       tif_dirread.c ~line 3612.
-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-    if( td->td_nstrips )
-        return td->td_nstrips;
-
 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)