diff --git a/libs/libssh2/Makefile b/libs/libssh2/Makefile index 99ae7afa1..e996dfadf 100644 --- a/libs/libssh2/Makefile +++ b/libs/libssh2/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2015-2016 OpenWrt.org +# Copyright (C) 2015-2018 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libssh2 -PKG_VERSION:=1.7.0 +PKG_VERSION:=1.8.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=http://www.libssh2.org/download -PKG_HASH:=e4561fd43a50539a8c2ceb37841691baf03ecb7daf043766da1b112e4280d584 +PKG_SOURCE_URL:=https://www.libssh2.org/download +PKG_HASH:=39f34e2f6835f4b992cafe8625073a88e5a28ba78f83e8099610a7b3af4676d4 + +PKG_FIXUP:=autoreconf PKG_INSTALL:=1 @@ -26,8 +28,8 @@ define Package/libssh2 SECTION:=libs CATEGORY:=Libraries TITLE:=SSH2 library - URL:=http://www.libssh2.org/ - DEPENDS:=+libopenssl +zlib + URL:=https://www.libssh2.org/ + DEPENDS:=+libmbedtls +zlib MAINTAINER:=Jiri Slachta endef @@ -39,7 +41,10 @@ TARGET_CFLAGS += $(FPIC) CONFIGURE_ARGS += \ --disable-examples-build \ - --with-libssl-prefix=$(STAGING_DIR)/usr + --disable-silent-rules \ + --with-mbedtls \ + --with-libmbedtls-prefix=$(STAGING_DIR)/usr \ + --with-libz-prefix=$(STAGING_DIR)/usr define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include diff --git a/libs/libssh2/patches/01-fix-acinclude-m4.patch b/libs/libssh2/patches/01-fix-acinclude-m4.patch new file mode 100644 index 000000000..d4e11827d --- /dev/null +++ b/libs/libssh2/patches/01-fix-acinclude-m4.patch @@ -0,0 +1,28 @@ +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -386,9 +386,9 @@ AC_DEFUN([LIBSSH2_CHECKFOR_MBEDTLS], [ + + old_LDFLAGS=$LDFLAGS + old_CFLAGS=$CFLAGS +- if test -n "$use_mbedtls" && test "$use_mbedtls" != "no"; then +- LDFLAGS="$LDFLAGS -L$use_mbedtls/lib" +- CFLAGS="$CFLAGS -I$use_mbedtls/include" ++ if test -n "$with_libmbedtls_prefix" && test "$use_mbedtls" != "no"; then ++ LDFLAGS="$LDFLAGS -L$with_libmbedtls_prefix/lib" ++ CFLAGS="$CFLAGS -I$with_libmbedtls_prefix/include" + fi + + AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [ +@@ -412,9 +412,9 @@ AC_DEFUN([LIBSSH2_CHECKFOR_GCRYPT], [ + + old_LDFLAGS=$LDFLAGS + old_CFLAGS=$CFLAGS +- if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then +- LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib" +- CFLAGS="$CFLAGS -I$use_libgcrypt/include" ++ if test -n "$with_libgcrypt_prefix" && test "$use_libgcrypt" != "no"; then ++ LDFLAGS="$LDFLAGS -L$with_libgcrypt_prefix/lib" ++ CFLAGS="$CFLAGS -I$with_libgcrypt_prefix/include" + fi + AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [ + #include diff --git a/libs/libxslt/Makefile b/libs/libxslt/Makefile index 77e99735e..9f276d3fd 100644 --- a/libs/libxslt/Makefile +++ b/libs/libxslt/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2014 OpenWrt.org +# Copyright (C) 2014 - 2018 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libxslt -PKG_VERSION:=1.1.31 +PKG_VERSION:=1.1.32 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ http://xmlsoft.org/sources/ \ ftp://fr.rpmfind.net/pub/libxml/ -PKG_HASH:=db25e96b6b801144277e67c05b10560ac09dfff82ccd53a154ce86e43622f3ab +PKG_HASH:=526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=COPYING @@ -64,6 +64,7 @@ define Package/xsltproc/description endef CONFIGURE_ARGS+= \ + --disable-silent-rules \ --enable-shared \ --enable-static \ --without-python \ diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile index 226ea44ea..79c8f0b94 100644 --- a/libs/tiff/Makefile +++ b/libs/tiff/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2017 OpenWrt.org +# Copyright (C) 2006-2018 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tiff -PKG_VERSION:=4.0.8 +PKG_VERSION:=4.0.9 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://download.osgeo.org/libtiff -PKG_HASH:=59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910 +PKG_HASH:=6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=autogen.sh aclocal.m4 diff --git a/libs/tiff/patches/005-fix-ftell-macro.patch b/libs/tiff/patches/005-fix-ftell-macro.patch index 6ab093239..23e1e039a 100644 --- a/libs/tiff/patches/005-fix-ftell-macro.patch +++ b/libs/tiff/patches/005-fix-ftell-macro.patch @@ -1,6 +1,6 @@ --- a/libtiff/tiffiop.h +++ b/libtiff/tiffiop.h -@@ -284,7 +284,7 @@ struct tiff { +@@ -287,7 +287,7 @@ struct tiff { */ #if defined(HAVE_FSEEKO) # define fseek(stream,offset,whence) fseeko(stream,offset,whence) diff --git a/libs/tiff/patches/010-CVE-2015-7554.patch b/libs/tiff/patches/010-CVE-2015-7554.patch deleted file mode 100644 index cc7604701..000000000 --- a/libs/tiff/patches/010-CVE-2015-7554.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c ---- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200 -+++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100 -@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out) - TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); - } - } -+ uint32 count = 0; - CopyField(TIFFTAG_PHOTOMETRIC, shortv); -- CopyField(TIFFTAG_PREDICTOR, shortv); -+ CopyField2(TIFFTAG_PREDICTOR, count, shortv); - CopyField(TIFFTAG_THRESHHOLDING, shortv); - CopyField(TIFFTAG_FILLORDER, shortv); - CopyField(TIFFTAG_ORIENTATION, shortv); -@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out) - CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); - CopyField(TIFFTAG_XRESOLUTION, floatv); - CopyField(TIFFTAG_YRESOLUTION, floatv); -- CopyField(TIFFTAG_GROUP3OPTIONS, longv); -+ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); - CopyField(TIFFTAG_GROUP4OPTIONS, longv); - CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); - CopyField(TIFFTAG_PLANARCONFIG, shortv); diff --git a/libs/tiff/patches/011-CVE.patch b/libs/tiff/patches/011-CVE.patch deleted file mode 100644 index 4106fea73..000000000 --- a/libs/tiff/patches/011-CVE.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 02669064e927074819ce1ed39aba0fccaa167717 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Mon, 29 May 2017 10:12:54 +0000 -Subject: [PATCH] * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter - clamping to avoid int32 overflow in TIFFYCbCrtoRGB(). Fixes - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 Credit to OSS Fuzz - ---- - ChangeLog | 7 +++++++ - libtiff/tif_color.c | 6 +++--- - 2 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index ee8d9d08..61116596 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2017-05-29 Even Rouault -+ -+ * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid -+ int32 overflow in TIFFYCbCrtoRGB(). -+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 -+ Credit to OSS Fuzz -+ - 2017-05-21 Bob Friesenhahn - - * configure.ac: libtiff 4.0.8 released. -diff --git a/libtiff/tif_color.c b/libtiff/tif_color.c -index 055ed3b2..10a5e66e 100644 ---- a/libtiff/tif_color.c -+++ b/libtiff/tif_color.c -@@ -275,10 +275,10 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite) - for (i = 0, x = -128; i < 256; i++, x++) { - int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F, - refBlackWhite[5] - 128.0F, 127), -- -128.0F * 64, 128.0F * 64); -+ -128.0F * 32, 128.0F * 32); - int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F, - refBlackWhite[3] - 128.0F, 127), -- -128.0F * 64, 128.0F * 64); -+ -128.0F * 32, 128.0F * 32); - - ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT); - ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT); -@@ -286,7 +286,7 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite) - ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF; - ycbcr->Y_tab[i] = - (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255), -- -128.0F * 64, 128.0F * 64); -+ -128.0F * 32, 128.0F * 32); - } - } - diff --git a/libs/tiff/patches/012-CVE.patch b/libs/tiff/patches/012-CVE.patch deleted file mode 100644 index 30e183e5d..000000000 --- a/libs/tiff/patches/012-CVE.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 468988860e0dae62ebbf991627c74bcbb4bd256f Mon Sep 17 00:00:00 2001 -From: erouault -Date: Mon, 29 May 2017 11:29:06 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c: initYCbCrConversion(): stricter - validation for refBlackWhite coefficients values. To avoid invalid - float->int32 conversion (when refBlackWhite[0] == 2147483648.f) Fixes - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 Credit to OSS Fuzz - ---- - ChangeLog | 8 ++++++++ - libtiff/tif_getimage.c | 2 +- - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index a2ddaac2..04881ba7 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,5 +1,13 @@ - 2017-05-29 Even Rouault - -+ * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for -+ refBlackWhite coefficients values. To avoid invalid float->int32 conversion -+ (when refBlackWhite[0] == 2147483648.f) -+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 -+ Credit to OSS Fuzz -+ -+2017-05-29 Even Rouault -+ - * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid - int32 overflow in TIFFYCbCrtoRGB(). - Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index dc373abc..a209a7a7 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -2241,7 +2241,7 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile) - - static int isInRefBlackWhiteRange(float f) - { -- return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF; -+ return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF; - } - - static int diff --git a/libs/tiff/patches/013-CVE-2016-10095_CVE-2017-9147.patch b/libs/tiff/patches/013-CVE-2016-10095_CVE-2017-9147.patch deleted file mode 100644 index b673b439c..000000000 --- a/libs/tiff/patches/013-CVE-2016-10095_CVE-2017-9147.patch +++ /dev/null @@ -1,209 +0,0 @@ -commit 40448d58fbfad52d2dde5bd18daa30b17fe35fcd -Author: erouault -Date: Thu Jun 1 12:44:04 2017 +0000 - - * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), - and use it in TIFFReadDirectory() so as to ignore fields whose tag is a - codec-specified tag but this codec is not enabled. This avoids TIFFGetField() - to behave differently depending on whether the codec is enabled or not, and - thus can avoid stack based buffer overflows in a number of TIFF utilities - such as tiffsplit, tiffcmp, thumbnail, etc. - Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch - (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. - Fixes: - http://bugzilla.maptools.org/show_bug.cgi?id=2580 - http://bugzilla.maptools.org/show_bug.cgi?id=2693 - http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) - http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) - http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) - http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) - http://bugzilla.maptools.org/show_bug.cgi?id=2441 - http://bugzilla.maptools.org/show_bug.cgi?id=2433 - -diff --git a/ChangeLog b/ChangeLog -index 04881ba7..ebd1a3c0 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,23 @@ -+2017-06-01 Even Rouault -+ -+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a -+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField() -+ to behave differently depending on whether the codec is enabled or not, and -+ thus can avoid stack based buffer overflows in a number of TIFF utilities -+ such as tiffsplit, tiffcmp, thumbnail, etc. -+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch -+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. -+ Fixes: -+ http://bugzilla.maptools.org/show_bug.cgi?id=2580 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2693 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2441 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2433 -+ - 2017-05-29 Even Rouault - - * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for -diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h -index 6af5f3dc..5a380767 100644 ---- a/libtiff/tif_dir.h -+++ b/libtiff/tif_dir.h -@@ -1,4 +1,4 @@ --/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */ -+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -291,6 +291,7 @@ struct _TIFFField { - extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32); - extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); - extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); -+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); - - #if defined(__cplusplus) - } -diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c -index 23ad0020..4904f540 100644 ---- a/libtiff/tif_dirinfo.c -+++ b/libtiff/tif_dirinfo.c -@@ -1,4 +1,4 @@ --/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */ -+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n) - return 0; - } - -+int -+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) -+{ -+ /* Filter out non-codec specific tags */ -+ switch (tag) { -+ /* Shared tags */ -+ case TIFFTAG_PREDICTOR: -+ /* JPEG tags */ -+ case TIFFTAG_JPEGTABLES: -+ /* OJPEG tags */ -+ case TIFFTAG_JPEGIFOFFSET: -+ case TIFFTAG_JPEGIFBYTECOUNT: -+ case TIFFTAG_JPEGQTABLES: -+ case TIFFTAG_JPEGDCTABLES: -+ case TIFFTAG_JPEGACTABLES: -+ case TIFFTAG_JPEGPROC: -+ case TIFFTAG_JPEGRESTARTINTERVAL: -+ /* CCITT* */ -+ case TIFFTAG_BADFAXLINES: -+ case TIFFTAG_CLEANFAXDATA: -+ case TIFFTAG_CONSECUTIVEBADFAXLINES: -+ case TIFFTAG_GROUP3OPTIONS: -+ case TIFFTAG_GROUP4OPTIONS: -+ break; -+ default: -+ return 1; -+ } -+ /* Check if codec specific tags are allowed for the current -+ * compression scheme (codec) */ -+ switch (tif->tif_dir.td_compression) { -+ case COMPRESSION_LZW: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_PACKBITS: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_THUNDERSCAN: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_NEXT: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_JPEG: -+ if (tag == TIFFTAG_JPEGTABLES) -+ return 1; -+ break; -+ case COMPRESSION_OJPEG: -+ switch (tag) { -+ case TIFFTAG_JPEGIFOFFSET: -+ case TIFFTAG_JPEGIFBYTECOUNT: -+ case TIFFTAG_JPEGQTABLES: -+ case TIFFTAG_JPEGDCTABLES: -+ case TIFFTAG_JPEGACTABLES: -+ case TIFFTAG_JPEGPROC: -+ case TIFFTAG_JPEGRESTARTINTERVAL: -+ return 1; -+ } -+ break; -+ case COMPRESSION_CCITTRLE: -+ case COMPRESSION_CCITTRLEW: -+ case COMPRESSION_CCITTFAX3: -+ case COMPRESSION_CCITTFAX4: -+ switch (tag) { -+ case TIFFTAG_BADFAXLINES: -+ case TIFFTAG_CLEANFAXDATA: -+ case TIFFTAG_CONSECUTIVEBADFAXLINES: -+ return 1; -+ case TIFFTAG_GROUP3OPTIONS: -+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) -+ return 1; -+ break; -+ case TIFFTAG_GROUP4OPTIONS: -+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) -+ return 1; -+ break; -+ } -+ break; -+ case COMPRESSION_JBIG: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_DEFLATE: -+ case COMPRESSION_ADOBE_DEFLATE: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_PIXARLOG: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_SGILOG: -+ case COMPRESSION_SGILOG24: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_LZMA: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ -+ } -+ return 0; -+} -+ - /* vim: set ts=8 sts=8 sw=8 noet: */ - - /* -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 772ebaf7..acde78b5 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -1,4 +1,4 @@ --/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */ -+/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif) - goto bad; - dp->tdir_tag=IGNORE; - break; -+ default: -+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) -+ dp->tdir_tag=IGNORE; -+ break; - } - } - } diff --git a/libs/tiff/patches/014-CVE-2017-9936.patch b/libs/tiff/patches/014-CVE-2017-9936.patch deleted file mode 100644 index 803d4f2ae..000000000 --- a/libs/tiff/patches/014-CVE-2017-9936.patch +++ /dev/null @@ -1,39 +0,0 @@ -From fe8d7165956b88df4837034a9161dc5fd20cf67a Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 26 Jun 2017 15:19:59 +0000 -Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of - JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported - by team OWL337 - -* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg ---- - ChangeLog | 8 +++++++- - libtiff/tif_jbig.c | 1 + - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index bc5096e7..ecd70534 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,9 @@ -+2017-06-26 Even Rouault -+ -+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 -+ Reported by team OWL337 -+ - 2017-06-01 Even Rouault - - * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 5f5f75e2..c75f31d9 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - jbg_strerror(decodeStatus) - #endif - ); -+ jbg_dec_free(&decoder); - return 0; - } - diff --git a/libs/tiff/patches/015-OOM_in_gtTileContig.patch b/libs/tiff/patches/015-OOM_in_gtTileContig.patch deleted file mode 100644 index 204508acc..000000000 --- a/libs/tiff/patches/015-OOM_in_gtTileContig.patch +++ /dev/null @@ -1,295 +0,0 @@ -From 1077fad562e03d1cad591dd10163dd80ad63ab0e Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Fri, 30 Jun 2017 13:11:18 +0000 -Subject: [PATCH] * libtiff/tif_read.c, tiffiop.h: add a - _TIFFReadEncodedStripAndAllocBuffer() function, variant of - TIFFReadEncodedStrip() that allocates the decoded buffer only after a first - successful TIFFFillStrip(). This avoids excessive memory allocation on - corrupted files. * libtiff/tif_getimage.c: use - _TIFFReadEncodedStripAndAllocBuffer(). Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2708 and - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 . Credit to OSS - Fuzz - ---- - ChangeLog | 11 +++++++ - libtiff/tif_getimage.c | 59 ++++++++++++++++++++++---------------- - libtiff/tif_read.c | 78 +++++++++++++++++++++++++++++++++++++++++++------- - libtiff/tiffiop.h | 5 ++++ - 4 files changed, 118 insertions(+), 35 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index c969f9e2..6f085e09 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,14 @@ -+2017-06-30 Even Rouault -+ -+ * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer() -+ function, variant of TIFFReadEncodedStrip() that allocates the -+ decoded buffer only after a first successful TIFFFillStrip(). This avoids -+ excessive memory allocation on corrupted files. -+ * libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer(). -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and -+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 . -+ Credit to OSS Fuzz -+ - 2017-06-26 Even Rouault - - * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index cee8e930..cc6e8f30 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -905,26 +905,22 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - tileContigRoutine put = img->put.contig; - uint32 row, y, nrow, nrowsub, rowstoread; - tmsize_t pos; -- unsigned char* buf; -+ unsigned char* buf = NULL; - uint32 rowsperstrip; - uint16 subsamplinghor,subsamplingver; - uint32 imagewidth = img->width; - tmsize_t scanline; - int32 fromskew, toskew; - int ret = 1, flip; -+ tmsize_t maxstripsize; - - TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); - if( subsamplingver == 0 ) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); - return (0); - } -- -- buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif)); -- if (buf == 0) { -- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); -- return (0); -- } -- _TIFFmemset(buf, 0, TIFFStripSize(tif)); -+ -+ maxstripsize = TIFFStripSize(tif); - - flip = setorientation(img); - if (flip & FLIP_VERTICALLY) { -@@ -946,11 +942,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - nrowsub = nrow; - if ((nrowsub%subsamplingver)!=0) - nrowsub+=subsamplingver-nrowsub%subsamplingver; -- if (TIFFReadEncodedStrip(tif, -+ if (_TIFFReadEncodedStripAndAllocBuffer(tif, - TIFFComputeStrip(tif,row+img->row_offset, 0), -- buf, -+ (void**)(&buf), -+ maxstripsize, - ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) -- && img->stoponerr) -+ && (buf == NULL || img->stoponerr)) - { - ret = 0; - break; -@@ -994,8 +991,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - { - TIFF* tif = img->tif; - tileSeparateRoutine put = img->put.separate; -- unsigned char *buf; -- unsigned char *p0, *p1, *p2, *pa; -+ unsigned char *buf = NULL; -+ unsigned char *p0 = NULL, *p1 = NULL, *p2 = NULL, *pa = NULL; - uint32 row, y, nrow, rowstoread; - tmsize_t pos; - tmsize_t scanline; -@@ -1014,15 +1011,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); - return (0); - } -- p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); -- if (buf == 0) { -- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); -- return (0); -- } -- _TIFFmemset(buf, 0, bufsize); -- p1 = p0 + stripsize; -- p2 = p1 + stripsize; -- pa = (alpha?(p2+stripsize):NULL); - - flip = setorientation(img); - if (flip & FLIP_VERTICALLY) { -@@ -1040,7 +1028,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - case PHOTOMETRIC_MINISBLACK: - case PHOTOMETRIC_PALETTE: - colorchannels = 1; -- p2 = p1 = p0; - break; - - default: -@@ -1056,7 +1043,31 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; - nrow = (row + rowstoread > h ? h - row : rowstoread); - offset_row = row + img->row_offset; -- if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), -+ if( buf == NULL ) -+ { -+ if (_TIFFReadEncodedStripAndAllocBuffer( -+ tif, TIFFComputeStrip(tif, offset_row, 0), -+ (void**) &buf, bufsize, -+ ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ && (buf == NULL || img->stoponerr)) -+ { -+ ret = 0; -+ break; -+ } -+ p0 = buf; -+ if( colorchannels == 1 ) -+ { -+ p2 = p1 = p0; -+ pa = (alpha?(p0+3*stripsize):NULL); -+ } -+ else -+ { -+ p1 = p0 + stripsize; -+ p2 = p1 + stripsize; -+ pa = (alpha?(p2+stripsize):NULL); -+ } -+ } -+ else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), - p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) - && img->stoponerr) - { -diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c -index fc0072e7..047305ab 100644 ---- a/libtiff/tif_read.c -+++ b/libtiff/tif_read.c -@@ -442,18 +442,17 @@ TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample) - } - - /* -- * Read a strip of data and decompress the specified -- * amount into the user-supplied buffer. -+ * Calculate the strip size according to the number of -+ * rows in the strip (check for truncated last strip on any -+ * of the separations). - */ --tmsize_t --TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) -+static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane) - { - static const char module[] = "TIFFReadEncodedStrip"; - TIFFDirectory *td = &tif->tif_dir; - uint32 rowsperstrip; - uint32 stripsperplane; - uint32 stripinplane; -- uint16 plane; - uint32 rows; - tmsize_t stripsize; - if (!TIFFCheckRead(tif,0)) -@@ -465,23 +464,37 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) - (unsigned long)td->td_nstrips); - return((tmsize_t)(-1)); - } -- /* -- * Calculate the strip size according to the number of -- * rows in the strip (check for truncated last strip on any -- * of the separations). -- */ -+ - rowsperstrip=td->td_rowsperstrip; - if (rowsperstrip>td->td_imagelength) - rowsperstrip=td->td_imagelength; - stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); - stripinplane=(strip%stripsperplane); -- plane=(uint16)(strip/stripsperplane); -+ if( pplane ) *pplane=(uint16)(strip/stripsperplane); - rows=td->td_imagelength-stripinplane*rowsperstrip; - if (rows>rowsperstrip) - rows=rowsperstrip; - stripsize=TIFFVStripSize(tif,rows); - if (stripsize==0) - return((tmsize_t)(-1)); -+ return stripsize; -+} -+ -+/* -+ * Read a strip of data and decompress the specified -+ * amount into the user-supplied buffer. -+ */ -+tmsize_t -+TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) -+{ -+ static const char module[] = "TIFFReadEncodedStrip"; -+ TIFFDirectory *td = &tif->tif_dir; -+ tmsize_t stripsize; -+ uint16 plane; -+ -+ stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); -+ if (stripsize==((tmsize_t)(-1))) -+ return((tmsize_t)(-1)); - - /* shortcut to avoid an extra memcpy() */ - if( td->td_compression == COMPRESSION_NONE && -@@ -510,6 +523,49 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) - return(stripsize); - } - -+/* Variant of TIFFReadEncodedStrip() that does -+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has -+ * suceeded. This avoid excessive memory allocation in case of truncated -+ * file. -+ * * calls regular TIFFReadEncodedStrip() if *buf != NULL -+ */ -+tmsize_t -+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, -+ void **buf, tmsize_t bufsizetoalloc, -+ tmsize_t size_to_read) -+{ -+ tmsize_t this_stripsize; -+ uint16 plane; -+ -+ if( *buf != NULL ) -+ { -+ return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read); -+ } -+ -+ this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); -+ if (this_stripsize==((tmsize_t)(-1))) -+ return((tmsize_t)(-1)); -+ -+ if ((size_to_read!=(tmsize_t)(-1))&&(size_to_readtif_clientdata, TIFFFileName(tif), "No space for strip buffer"); -+ return((tmsize_t)(-1)); -+ } -+ _TIFFmemset(*buf, 0, bufsizetoalloc); -+ -+ if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0) -+ return((tmsize_t)(-1)); -+ (*tif->tif_postdecode)(tif,*buf,this_stripsize); -+ return(this_stripsize); -+ -+ -+} -+ - static tmsize_t - TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, - const char* module) -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index 846ade03..7f0b90f7 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -365,6 +365,11 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); - extern double _TIFFUInt64ToDouble(uint64); - extern float _TIFFUInt64ToFloat(uint64); - -+extern tmsize_t -+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, -+ void **buf, tmsize_t bufsizetoalloc, -+ tmsize_t size_to_read); -+ - extern int TIFFInitDumpMode(TIFF*, int); - #ifdef PACKBITS_SUPPORT - extern int TIFFInitPackBits(TIFF*, int); diff --git a/libs/tiff/patches/016-CVE-2017-10688.patch b/libs/tiff/patches/016-CVE-2017-10688.patch deleted file mode 100644 index 9775f69bc..000000000 --- a/libs/tiff/patches/016-CVE-2017-10688.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 6173a57d39e04d68b139f8c1aa499a24dbe74ba1 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Fri, 30 Jun 2017 17:29:44 +0000 -Subject: [PATCH] * libtiff/tif_dirwrite.c: in - TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 - data type, replace assertion that the file is BigTIFF, by a non-fatal error. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team - OWL337 - ---- - ChangeLog | 8 ++++++++ - libtiff/tif_dirwrite.c | 20 ++++++++++++++++---- - 2 files changed, 24 insertions(+), 4 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 6f085e09..77a64385 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,5 +1,13 @@ - 2017-06-30 Even Rouault - -+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() -+ functions associated with LONG8/SLONG8 data type, replace assertion that -+ the file is BigTIFF, by a non-fatal error. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 -+ Reported by team OWL337 -+ -+2017-06-30 Even Rouault -+ - * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer() - function, variant of TIFFReadEncodedStrip() that allocates the - decoded buffer only after a first successful TIFFFillStrip(). This avoids -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 2967da58..8d6686ba 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui - { - uint64 m; - assert(sizeof(uint64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - m=value; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8(&m); -@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di - { - assert(count<0x20000000); - assert(sizeof(uint64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong8(value,count); - return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); -@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u - { - int64 m; - assert(sizeof(int64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - m=value; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8((uint64*)(&m)); -@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d - { - assert(count<0x20000000); - assert(sizeof(int64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong8((uint64*)value,count); - return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); diff --git a/libs/tiff/patches/017-LZW_compression_regression.patch b/libs/tiff/patches/017-LZW_compression_regression.patch deleted file mode 100644 index 525bab316..000000000 --- a/libs/tiff/patches/017-LZW_compression_regression.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 9c45d2395863b793528518d64ddb97d8fdc200dd Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 11 Jul 2017 08:55:07 +0000 -Subject: [PATCH] * libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of - old-style LZW compressed files. - ---- - ChangeLog | 5 +++++ - libtiff/tif_lzw.c | 4 ++++ - 2 files changed, 9 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index b0c84977..c5c74af7 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,8 @@ -+2017-07-11 Even Rouault -+ -+ * libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW -+ compressed files. -+ - 2017-06-30 Even Rouault - - * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index a2d01c90..f62b9e58 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -655,6 +655,9 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - } - - bp = (unsigned char *)tif->tif_rawcp; -+#ifdef LZW_CHECKEOS -+ sp->dec_bitsleft = (((uint64)tif->tif_rawcc) << 3); -+#endif - nbits = sp->lzw_nbits; - nextdata = sp->lzw_nextdata; - nextbits = sp->lzw_nextbits; -@@ -764,6 +767,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - } - } - -+ tif->tif_rawcc -= (tmsize_t)( (uint8*) bp - tif->tif_rawcp ); - tif->tif_rawcp = (uint8*) bp; - sp->lzw_nbits = (unsigned short)nbits; - sp->lzw_nextdata = nextdata; diff --git a/libs/tiff/patches/018-CVE-2017-11335.patch b/libs/tiff/patches/018-CVE-2017-11335.patch deleted file mode 100644 index c94c0e8da..000000000 --- a/libs/tiff/patches/018-CVE-2017-11335.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 69bfeec247899776b1b396651adb47436e5f1556 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 15 Jul 2017 11:13:46 +0000 -Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in - "Raw" mode on PlanarConfig=Contig input images. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337 - ---- - ChangeLog | 7 +++++++ - tools/tiff2pdf.c | 7 ++++++- - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index b4771234..1b5490f3 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2017-07-15 Even Rouault -+ -+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" -+ mode on PlanarConfig=Contig input images. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 -+ Reported by team OWL337 -+ - 2017-07-11 Even Rouault - - * libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index db196e04..cd1e2358 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - return; - - t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; -- if(t2p->pdf_nopassthrough==0){ -+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ -+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ -+ /* do not take into account the number of samples, and thus */ -+ /* that can cause heap buffer overflows such as in */ -+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ -+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ - #ifdef CCITT_SUPPORT - if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 - ){ diff --git a/libs/tiff/patches/019-CVE-2017-18013.patch b/libs/tiff/patches/019-CVE-2017-18013.patch new file mode 100644 index 000000000..0be96fb6a --- /dev/null +++ b/libs/tiff/patches/019-CVE-2017-18013.patch @@ -0,0 +1,29 @@ +From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } diff --git a/libs/tiff/patches/020-CVE-2017-9935.patch b/libs/tiff/patches/020-CVE-2017-9935.patch new file mode 100644 index 000000000..9fd76e9b0 --- /dev/null +++ b/libs/tiff/patches/020-CVE-2017-9935.patch @@ -0,0 +1,113 @@ +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -237,7 +237,7 @@ typedef struct { + float tiff_whitechromaticities[2]; + float tiff_primarychromaticities[6]; + float tiff_referenceblackwhite[2]; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + int pdf_image_interpolate; /* 0 (default) : do not interpolate, + 1 : interpolate */ + uint16 tiff_transferfunctioncount; +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (uint16*) NULL) && ++ (tiff_transferfunction[2] != (uint16*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && ++ (t2p->tiff_transferfunction[2] != (uint16*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1;