From 9b755d5fc051291cb73c23a2c840cc36c452db5c Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 29 Mar 2024 15:58:04 +0300 Subject: [PATCH] import libtiff-4.0.9-31.el8 --- .gitignore | 1 + .libtiff.metadata | 1 + ...imum-required-automake-version-to-1..patch | 40 + SOURCES/0002-Fix-Makefile.patch | 21 + .../0003-CVE-2018-5784-Fix-for-bug-2772.patch | 127 +++ ...x-NULL-pointer-dereference-in-TIFFPr.patch | 170 ++++ ...2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch | 152 ++++ ...ff2pdf-Fix-apparent-incorrect-type-f.patch | 58 ++ ...ibtiff-tif_print.c-TIFFPrintDirector.patch | 34 + ...WDecodeCompat-fix-potential-index-ou.patch | 52 ++ ...IFFWriteDirectorySec-avoid-assertion.patch | 29 + ...void-potential-int32-overflows-in-mu.patch | 38 + ...BIG-fix-potential-out-of-bounds-writ.patch | 107 +++ ...iff2bw-avoid-null-pointer-dereferenc.patch | 119 +++ ...013-bz1602597-Fix-two-resource-leaks.patch | 40 + ...heck-that-Tile-Width-Samples-Pixel-d.patch | 47 ++ ...ix-integer-overflow-in-_TIFFCheckMal.patch | 423 ++++++++++ ...GBA-interface-fix-integer-overflow-p.patch | 102 +++ ...VE-2020-35522-enforce-configurable-m.patch | 86 ++ ...tTileContig-check-Tile-width-for-ove.patch | 50 ++ ...iff2pdf.c-properly-calculate-datasiz.patch | 38 + ...iffcrop.c-fix-invertImage-for-bps-2-.patch | 89 ++ ...FFFetchStripThing-avoid-calling-memc.patch | 27 + ...FFReadDirectory-avoid-calling-memcpy.patch | 25 + ...iffset-fix-global-buffer-overflow-fo.patch | 36 + ...f_jbig.c-fix-crash-when-reading-a-fi.patch | 33 + ...ffcrop-fix-issue-380-and-382-heap-bu.patch | 198 +++++ ...x-heap-buffer-overflow-in-tiffcp-278.patch | 51 ++ ...022-0909-fix-the-FPE-in-tiffcrop-393.patch | 30 + ...FFFetchNormalTag-avoid-calling-memcp.patch | 27 + ...ffcp-avoid-buffer-overflow-in-mode-s.patch | 55 ++ ..._TIFFClampDoubleToFloat-to-tif_aux.c.patch | 161 ++++ ...E-2022-2057-CVE-2022-2058-fix-the-FP.patch | 179 ++++ ...E-2022-2868-tiffcrop.c-Fix-issue-352.patch | 161 ++++ ...E-2022-2520-CVE-2022-2521-CVE-2022-2.patch | 92 ++ ...E-2022-2520-CVE-2022-2521-CVE-2022-2.patch | 32 + ...E-2022-3626-CVE-2022-3627-tiffcrop-d.patch | 97 +++ ...FFReadRGBATileExt-fix-unsigned-integ.patch | 37 + ...iffcrop-Correct-simple-copy-paste-er.patch | 24 + ...E-2023-0801-CVE-2023-0802-CVE-2023-0.patch | 128 +++ ...vised-handling-of-TIFFTAG_INKNAMES-a.patch | 260 ++++++ SPECS/libtiff.spec | 797 ++++++++++++++++++ 42 files changed, 4274 insertions(+) create mode 100644 .gitignore create mode 100644 .libtiff.metadata create mode 100644 SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch create mode 100644 SOURCES/0002-Fix-Makefile.patch create mode 100644 SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch create mode 100644 SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch create mode 100644 SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch create mode 100644 SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch create mode 100644 SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch create mode 100644 SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch create mode 100644 SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch create mode 100644 SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch create mode 100644 SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch create mode 100644 SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch create mode 100644 SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch create mode 100644 SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch create mode 100644 SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch create mode 100644 SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch create mode 100644 SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch create mode 100644 SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch create mode 100644 SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch create mode 100644 SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch create mode 100644 SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch create mode 100644 SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch create mode 100644 SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch create mode 100644 SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch create mode 100644 SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch create mode 100644 SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch create mode 100644 SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch create mode 100644 SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch create mode 100644 SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch create mode 100644 SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch create mode 100644 SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch create mode 100644 SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch create mode 100644 SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch create mode 100644 SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch create mode 100644 SOURCES/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch create mode 100644 SOURCES/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch create mode 100644 SOURCES/0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch create mode 100644 SOURCES/0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch create mode 100644 SOURCES/0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch create mode 100644 SPECS/libtiff.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0432824 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tiff-4.0.9.tar.gz diff --git a/.libtiff.metadata b/.libtiff.metadata new file mode 100644 index 0000000..0a25bcd --- /dev/null +++ b/.libtiff.metadata @@ -0,0 +1 @@ +87d4543579176cc568668617c22baceccd568296 SOURCES/tiff-4.0.9.tar.gz diff --git a/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch new file mode 100644 index 0000000..922631b --- /dev/null +++ b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch @@ -0,0 +1,40 @@ +From 686002d8cd9d41f0a4b7915be9866979c25bd5d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Thu, 5 May 2022 14:38:04 +0200 +Subject: [PATCH] Back off the minimum required automake version to 1.11. + +There isn't anything in libtiff currently that actually requires 1.12, +and changing this allows the package to be built on pre-F18 machines for +easier testing. This patch can go away once we no longer care about +testing on pre-F18. +--- + Makefile.am | 2 +- + test/Makefile.am | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 418a3b93..fa8bf4c0 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -25,7 +25,7 @@ + + docdir = $(LIBTIFF_DOCDIR) + +-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign ++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign + ACLOCAL_AMFLAGS = -I m4 + + docfiles = \ +diff --git a/test/Makefile.am b/test/Makefile.am +index 2052487c..227f228f 100644 +--- a/test/Makefile.am ++++ b/test/Makefile.am +@@ -23,7 +23,7 @@ + + # Process this file with automake to produce Makefile.in. + +-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign ++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign + + LIBTIFF = $(top_builddir)/libtiff/libtiff.la + diff --git a/SOURCES/0002-Fix-Makefile.patch b/SOURCES/0002-Fix-Makefile.patch new file mode 100644 index 0000000..d237372 --- /dev/null +++ b/SOURCES/0002-Fix-Makefile.patch @@ -0,0 +1,21 @@ +From 42425abcf2204e46544aff5cd95a129944e15894 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Thu, 5 May 2022 14:42:52 +0200 +Subject: [PATCH] Fix Makefile + +--- + html/man/Makefile.am | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/html/man/Makefile.am b/html/man/Makefile.am +index 3ed00d44..8a64925a 100644 +--- a/html/man/Makefile.am ++++ b/html/man/Makefile.am +@@ -90,7 +90,6 @@ docfiles = \ + tiffcrop.1.html \ + tiffdither.1.html \ + tiffdump.1.html \ +- tiffgt.1.html \ + tiffinfo.1.html \ + tiffmedian.1.html \ + tiffset.1.html \ diff --git a/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch new file mode 100644 index 0000000..1aaade9 --- /dev/null +++ b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch @@ -0,0 +1,127 @@ +From e5d227c83f487e8a87d336f6cebf39042520d5cd Mon Sep 17 00:00:00 2001 +From: Nathan Baker +Date: Tue, 6 Feb 2018 10:13:57 -0500 +Subject: [PATCH] (CVE-2018-5784) Fix for bug 2772 + +It is possible to craft a TIFF document where the IFD list is circular, +leading to an infinite loop while traversing the chain. The libtiff +directory reader has a failsafe that will break out of this loop after +reading 65535 directory entries, but it will continue processing, +consuming time and resources to process what is essentially a bogus TIFF +document. + +This change fixes the above behavior by breaking out of processing when +a TIFF document has >= 65535 directories and terminating with an error. + +(cherry picked from commit 473851d211cf8805a161820337ca74cc9615d6ef) +--- + contrib/addtiffo/tif_overview.c | 14 +++++++++++++- + tools/tiff2pdf.c | 10 ++++++++++ + tools/tiffcrop.c | 13 +++++++++++-- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c +index c61ffbb8..03b35733 100644 +--- a/contrib/addtiffo/tif_overview.c ++++ b/contrib/addtiffo/tif_overview.c +@@ -65,6 +65,8 @@ + # define MAX(a,b) ((a>b) ? a : b) + #endif + ++#define TIFF_DIR_MAX 65534 ++ + void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, + int (*)(double,void*), void * ); + +@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + { + toff_t nBaseDirOffset; + toff_t nOffset; ++ tdir_t iNumDir; + + (void) bUseSubIFDs; + +@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + return 0; + + TIFFWriteDirectory( hTIFF ); +- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); ++ iNumDir = TIFFNumberOfDirectories(hTIFF); ++ if( iNumDir > TIFF_DIR_MAX ) ++ { ++ TIFFErrorExt( TIFFClientdata(hTIFF), ++ "TIFF_WriteOverview", ++ "File `%s' has too many directories.\n", ++ TIFFFileName(hTIFF) ); ++ exit(-1); ++ } ++ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); + + nOffset = TIFFCurrentDirOffset( hTIFF ); + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 454befbd..bdb91262 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); + + #define PS_UNIT_SIZE 72.0F + ++#define TIFF_DIR_MAX 65534 ++ + /* This type is of PDF color spaces. */ + typedef enum { + T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ +@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 xuint16=0; + + directorycount=TIFFNumberOfDirectories(input); ++ if(directorycount > TIFF_DIR_MAX) { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "TIFF contains too many directories, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); + if(t2p->tiff_pages==NULL){ + TIFFError( +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c69177e0..c60cb389 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + #define DUMP_TEXT 1 + #define DUMP_RAW 2 + ++#define TIFF_DIR_MAX 65534 ++ + /* Offsets into buffer for margins and fixed width and length segments */ + struct offset { + uint32 tmargin; +@@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) + pageNum = -1; + else + total_images = 0; +- /* read multiple input files and write to output file(s) */ ++ /* Read multiple input files and write to output file(s) */ + while (optind < argc - 1) + { + in = TIFFOpen (argv[optind], "r"); +@@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) + return (-3); + + /* If only one input file is specified, we can use directory count */ +- total_images = TIFFNumberOfDirectories(in); ++ total_images = TIFFNumberOfDirectories(in); ++ if (total_images > TIFF_DIR_MAX) ++ { ++ TIFFError (TIFFFileName(in), "File contains too many directories"); ++ if (out != NULL) ++ (void) TIFFClose(out); ++ return (1); ++ } + if (image_count == 0) + { + dirnum = 0; diff --git a/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch new file mode 100644 index 0000000..8148474 --- /dev/null +++ b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch @@ -0,0 +1,170 @@ +From 688dc47dfcbbc4e54dc617c9701cf46a03f8e069 Mon Sep 17 00:00:00 2001 +From: Hugo Lefeuvre +Date: Sun, 8 Apr 2018 14:07:08 -0400 +Subject: [PATCH] (CVE-2018-7456) Fix NULL pointer dereference in + TIFFPrintDirectory + +The TIFFPrintDirectory function relies on the following assumptions, +supposed to be guaranteed by the specification: + +(a) A Transfer Function field is only present if the TIFF file has + photometric type < 3. + +(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field + has count SamplesPerPixel - (Color Channels) and contains + information about supplementary channels. + +While respect of (a) and (b) are essential for the well functioning of +TIFFPrintDirectory, no checks are realized neither by the callee nor +by TIFFPrintDirectory itself. Hence, following scenarios might happen +and trigger the NULL pointer dereference: + +(1) TIFF File of photometric type 4 or more has illegal Transfer + Function field. + +(2) TIFF File has photometric type 3 or less and defines a + SamplesPerPixel field such that SamplesPerPixel > Color Channels + without defining all extra samples in the ExtraSamples fields. + +In this patch, we address both issues with respect of the following +principles: + +(A) In the case of (1), the defined transfer table should be printed + safely even if it isn't 'legal'. This allows us to avoid expensive + checks in TIFFPrintDirectory. Also, it is quite possible that + an alternative photometric type would be developed (not part of the + standard) and would allow definition of Transfer Table. We want + libtiff to be able to handle this scenario out of the box. + +(B) In the case of (2), the transfer table should be printed at its + right size, that is if TIFF file has photometric type Palette + then the transfer table should have one row and not three, even + if two extra samples are declared. + +In order to fulfill (A) we simply add a new 'i < 3' end condition to +the broken TIFFPrintDirectory loop. This makes sure that in any case +where (b) would be respected but not (a), everything stays fine. + +(B) is fulfilled by the loop condition +'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as +long as (b) is respected. + +Naturally, we also make sure (b) is respected. This is done in the +TIFFReadDirectory function by making sure any non-color channel is +counted in ExtraSamples. + +This commit addresses CVE-2018-7456. + +(cherry picked from commit be4c85b16e8801a16eec25e80eb9f3dd6a96731b) +--- + libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++ + libtiff/tif_print.c | 2 +- + 2 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 5e62e813..80aaf8d1 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin + static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); + static void ChopUpSingleUncompressedStrip(TIFF*); + static uint64 TIFFReadUInt64(const uint8 *value); ++static int _TIFFGetMaxColorChannels(uint16 photometric); + + static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); + +@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c + } + } + ++/* ++ * Return the maximum number of color channels specified for a given photometric ++ * type. 0 is returned if photometric type isn't supported or no default value ++ * is defined by the specification. ++ */ ++static int _TIFFGetMaxColorChannels( uint16 photometric ) ++{ ++ switch (photometric) { ++ case PHOTOMETRIC_PALETTE: ++ case PHOTOMETRIC_MINISWHITE: ++ case PHOTOMETRIC_MINISBLACK: ++ return 1; ++ case PHOTOMETRIC_YCBCR: ++ case PHOTOMETRIC_RGB: ++ case PHOTOMETRIC_CIELAB: ++ return 3; ++ case PHOTOMETRIC_SEPARATED: ++ case PHOTOMETRIC_MASK: ++ return 4; ++ case PHOTOMETRIC_LOGL: ++ case PHOTOMETRIC_LOGLUV: ++ case PHOTOMETRIC_CFA: ++ case PHOTOMETRIC_ITULAB: ++ case PHOTOMETRIC_ICCLAB: ++ default: ++ return 0; ++ } ++} ++ + /* + * Read the next TIFF directory from a file and convert it to the internal + * format. We read directories sequentially. +@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif) + uint32 fii=FAILED_FII; + toff_t nextdiroff; + int bitspersample_read = FALSE; ++ int color_channels; + + tif->tif_diroff=tif->tif_nextdiroff; + if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) +@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif) + } + } + } ++ ++ /* ++ * Make sure all non-color channels are extrasamples. ++ * If it's not the case, define them as such. ++ */ ++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); ++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { ++ uint16 old_extrasamples; ++ uint16 *new_sampleinfo; ++ ++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " ++ "color channels and ExtraSamples doesn't match SamplesPerPixel. " ++ "Defining non-color channels as ExtraSamples."); ++ ++ old_extrasamples = tif->tif_dir.td_extrasamples; ++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); ++ ++ // sampleinfo should contain information relative to these new extra samples ++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); ++ if (!new_sampleinfo) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " ++ "temporary new sampleinfo array (%d 16 bit elements)", ++ tif->tif_dir.td_extrasamples); ++ goto bad; ++ } ++ ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); ++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); ++ _TIFFfree(new_sampleinfo); ++ } ++ + /* + * Verify Palette image has a Colormap. + */ +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 24d4b98a..10a588ea 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + uint16 i; + fprintf(fd, " %2ld: %5u", + l, td->td_transferfunction[0][l]); +- for (i = 1; i < td->td_samplesperpixel; i++) ++ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) + fprintf(fd, " %5u", + td->td_transferfunction[i][l]); + fputc('\n', fd); diff --git a/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch new file mode 100644 index 0000000..1021a29 --- /dev/null +++ b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch @@ -0,0 +1,152 @@ +From 5b984e1b9296c4a3b80c5650f17cb4db575250e4 Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. + +(cherry picked from commit 3dd8f6a357981a4090f126ab9025056c938b6940) +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++--------------- + 2 files changed, 47 insertions(+), 21 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index f00f8080..c36a5f3f 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index bdb91262..ef5d6a01 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + if(directorycount > TIFF_DIR_MAX) { +@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (float*) NULL) && ++ (tiff_transferfunction[2] != (float*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1838,9 +1862,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { + if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ (t2p->tiff_transferfunction[2] != (float*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; diff --git a/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch new file mode 100644 index 0000000..e44206f --- /dev/null +++ b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch @@ -0,0 +1,58 @@ +From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:49:20 +1100 +Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for + transfer table + +The standard says the transfer table contains unsigned 16 bit values, +I have no idea why we refer to them as floats. + +(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9) +--- + tools/tiff2pdf.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index ef5d6a01..bd23c9e5 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -239,7 +239,7 @@ typedef struct { + float tiff_whitechromaticities[2]; + float tiff_primarychromaticities[6]; + float tiff_referenceblackwhite[2]; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + int pdf_image_interpolate; /* 0 (default) : do not interpolate, + 1 : interpolate */ + uint16 tiff_transferfunctioncount; +@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 paged=0; + uint16 xuint16=0; + uint16 tiff_transferfunctioncount=0; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + if(directorycount > TIFF_DIR_MAX) { +@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + &(tiff_transferfunction[1]), + &(tiff_transferfunction[2]))) { + +- if((tiff_transferfunction[1] != (float*) NULL) && +- (tiff_transferfunction[2] != (float*) NULL) ++ if((tiff_transferfunction[1] != (uint16*) NULL) && ++ (tiff_transferfunction[2] != (uint16*) NULL) + ) { + tiff_transferfunctioncount=3; + } else { +@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) ++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && ++ (t2p->tiff_transferfunction[2] != (uint16*) NULL) + ) { + t2p->tiff_transferfunctioncount=3; + } else { diff --git a/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch new file mode 100644 index 0000000..6c3816b --- /dev/null +++ b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch @@ -0,0 +1,34 @@ +From 4d6c37328f38636d5002a6f1b584ad8e6031c61c Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] (CVE-2017-18013) libtiff/tif_print.c: TIFFPrintDirectory(): + fix null pointer dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +(cherry picked from commit c6f41df7b581402dfba3c19a1e3df4454c551a01) +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 10a588ea..b9b53a0f 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } diff --git a/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch new file mode 100644 index 0000000..e1c0322 --- /dev/null +++ b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch @@ -0,0 +1,52 @@ +From 54972f69399628fd2105753cbcddb36ede510507 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 12 May 2018 15:32:31 +0200 +Subject: [PATCH] (CVE-2018-8905) LZWDecodeCompat(): fix potential + index-out-of-bounds write. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 + +The fix consists in using the similar code LZWDecode() to validate we +don't write outside of the output buffer. + +(cherry picked from commit 58a898cb4459055bb488ca815c23b880c242a27d) +--- + libtiff/tif_lzw.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index bc8f9c84..186ea3ca 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + char *tp; + unsigned char *bp; + int code, nbits; ++ int len; + long nextbits, nextdata, nbitsmask; + code_t *codep, *free_entp, *maxcodep, *oldcodep; + +@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + } while (--occ); + break; + } +- assert(occ >= codep->length); +- op += codep->length; +- occ -= codep->length; +- tp = op; ++ len = codep->length; ++ tp = op + len; + do { +- *--tp = codep->value; +- } while( (codep = codep->next) != NULL ); ++ int t; ++ --tp; ++ t = codep->value; ++ codep = codep->next; ++ *tp = (char)t; ++ } while (codep && tp > op); ++ assert(occ >= len); ++ op += len; ++ occ -= len; + } else { + *op++ = (char)code; + occ--; diff --git a/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch new file mode 100644 index 0000000..1fd8f7b --- /dev/null +++ b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch @@ -0,0 +1,29 @@ +From 142912f9f5bce169d9d0b16a687c00f9edec5825 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 12 May 2018 14:24:15 +0200 +Subject: [PATCH] (CVE-2018-10963) TIFFWriteDirectorySec: avoid assertion. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 + +(cherry picked from commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9) +--- + libtiff/tif_dirwrite.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index c68d6d21..5d0a6699 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) + } + break; + default: +- assert(0); /* we should never get here */ +- break; ++ TIFFErrorExt(tif->tif_clientdata,module, ++ "Cannot write tag %d (%s)", ++ TIFFFieldTag(o), ++ o->field_name ? o->field_name : "unknown"); ++ goto bad; + } + } + } diff --git a/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch new file mode 100644 index 0000000..67a79f0 --- /dev/null +++ b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch @@ -0,0 +1,38 @@ +From a04b4c4aec3bbfbbde9602ddb4e00809a1a4f92c Mon Sep 17 00:00:00 2001 +From: Young_X +Date: Sat, 8 Sep 2018 14:46:27 +0800 +Subject: [PATCH] (CVE-2018-17100) avoid potential int32 overflows in + multiply_ms() + +(cherry picked from commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e) +--- + tools/ppm2tiff.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c +index 91415e96..81ffa3db 100644 +--- a/tools/ppm2tiff.c ++++ b/tools/ppm2tiff.c +@@ -72,15 +72,16 @@ BadPPM(char* file) + exit(-2); + } + ++ ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- tmsize_t bytes = m1 * m2; +- +- if (m1 && bytes / m1 != m2) +- bytes = 0; +- +- return bytes; ++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) ++ return 0; ++ return m1 * m2; + } + + int diff --git a/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch new file mode 100644 index 0000000..0c75963 --- /dev/null +++ b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch @@ -0,0 +1,107 @@ +From dfd5030637f8643990161311eb6b47f3292ab076 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 14 Oct 2018 16:38:29 +0200 +Subject: [PATCH] (CVE-2018-18557) JBIG: fix potential out-of-bounds write in + JBIGDecode() + +JBIGDecode doesn't check if the user provided buffer is large enough +to store the JBIG decoded image, which can potentially cause out-of-bounds +write in the buffer. +This issue was reported and analyzed by Thomas Dullien. + +Also fixes a (harmless) potential use of uninitialized memory when +tif->tif_rawsize > tif->tif_rawcc + +And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure +that whole strip data is provided to JBIGDecode() + +(cherry picked from commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66) +--- + libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------ + libtiff/tif_read.c | 6 ++++++ + 2 files changed, 32 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 7a14dd9a..8136c77b 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + struct jbg_dec_state decoder; + int decodeStatus = 0; + unsigned char* pImage = NULL; +- (void) size, (void) s; ++ unsigned long decodedSize; ++ (void) s; + + if (isFillOrder(tif, tif->tif_dir.td_fillorder)) + { +- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); ++ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); + } + + jbg_dec_init(&decoder); + + #if defined(HAVE_JBG_NEWLEN) +- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); ++ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); + /* + * I do not check the return status of jbg_newlen because even if this + * function fails it does not necessarily mean that decoding the image +@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + */ + #endif /* HAVE_JBG_NEWLEN */ + +- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, +- (size_t)tif->tif_rawdatasize, NULL); ++ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, ++ (size_t)tif->tif_rawcc, NULL); + if (JBG_EOK != decodeStatus) + { + /* +@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + return 0; + } + ++ decodedSize = jbg_dec_getsize(&decoder); ++ if( (tmsize_t)decodedSize < size ) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "JBIG", ++ "Only decoded %lu bytes, whereas %lu requested", ++ decodedSize, (unsigned long)size); ++ } ++ else if( (tmsize_t)decodedSize > size ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "JBIG", ++ "Decoded %lu bytes, whereas %lu were requested", ++ decodedSize, (unsigned long)size); ++ jbg_dec_free(&decoder); ++ return 0; ++ } + pImage = jbg_dec_getimage(&decoder, 0); +- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); ++ _TIFFmemcpy(buffer, pImage, decodedSize); + jbg_dec_free(&decoder); ++ ++ tif->tif_rawcp += tif->tif_rawcc; ++ tif->tif_rawcc = 0; ++ + return 1; + } + +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 2ba985a7..04100f4d 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample ) + return 0; + whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 + || isMapped(tif); ++ if( td->td_compression == COMPRESSION_JBIG ) ++ { ++ /* Ideally plugins should have a way to declare they don't support ++ * chunk strip */ ++ whole_strip = 1; ++ } + #else + whole_strip = 1; + #endif diff --git a/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch new file mode 100644 index 0000000..9ce55f9 --- /dev/null +++ b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch @@ -0,0 +1,119 @@ +From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 30 Oct 2018 18:50:27 +0100 +Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in + case of out of memory situation. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661 + +(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f) +--- + libtiff/tiffiop.h | 1 + + tools/tiff2bw.c | 30 ++++++++++++++++++++++++++---- + tools/tiffcrop.c | 5 ----- + 3 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index daa291c0..08e5dc44 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...); + #endif + + #define streq(a,b) (strcmp(a,b) == 0) ++#define strneq(a,b,n) (strncmp(a,b,n) == 0) + + #ifndef TRUE + #define TRUE 1 +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index dad54afa..1f3bb2cd 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -40,9 +40,7 @@ + #endif + + #include "tiffio.h" +- +-#define streq(a,b) (strcmp((a),(b)) == 0) +-#define strneq(a,b,n) (strncmp(a,b,n) == 0) ++#include "tiffiop.h" + + /* x% weighting -> fraction of full color */ + #define PCT(x) (((x)*256+50)/100) +@@ -223,6 +221,11 @@ main(int argc, char* argv[]) + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); + outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ if( !outbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, + TIFFDefaultStripSize(out, rowsperstrip)); + +@@ -246,6 +249,11 @@ main(int argc, char* argv[]) + #undef CVT + } + inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + if (TIFFReadScanline(in, inbuf, row, 0) < 0) + break; +@@ -256,6 +264,11 @@ main(int argc, char* argv[]) + break; + case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG): + inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + if (TIFFReadScanline(in, inbuf, row, 0) < 0) + break; +@@ -265,8 +278,16 @@ main(int argc, char* argv[]) + } + break; + case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE): ++ { ++ tmsize_t inbufsize; + rowsize = TIFFScanlineSize(in); +- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize); ++ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize); ++ inbuf = (unsigned char *)_TIFFmalloc(inbufsize); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + for (s = 0; s < 3; s++) + if (TIFFReadScanline(in, +@@ -278,6 +299,7 @@ main(int argc, char* argv[]) + break; + } + break; ++ } + } + #undef pack + if (inbuf) +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c60cb389..3862b1ca 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + + #define TIFF_UINT32_MAX 0xFFFFFFFFU + +-#ifndef streq +-#define streq(a,b) (strcmp((a),(b)) == 0) +-#endif +-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0) +- + #define TRUE 1 + #define FALSE 0 + diff --git a/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch new file mode 100644 index 0000000..6dbf46d --- /dev/null +++ b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch @@ -0,0 +1,40 @@ +From 14212e5d19b47d02a4989aa31b9a326c1b131460 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Wed, 31 Oct 2018 11:50:48 +0100 +Subject: [PATCH] (bz1602597) Fix two resource leaks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Nikola Forró +(cherry picked from commit 2f694198f1931e144e0a07a7fb50546b5b70e3ef) +--- + tools/ppm2tiff.c | 2 ++ + tools/tiff2pdf.c | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c +index 81ffa3db..a02e865a 100644 +--- a/tools/ppm2tiff.c ++++ b/tools/ppm2tiff.c +@@ -285,6 +285,8 @@ main(int argc, char* argv[]) + if (TIFFWriteScanline(out, buf, row, 0) < 0) + break; + } ++ if (in != stdin) ++ fclose(in); + (void) TIFFClose(out); + if (buf) + _TIFFfree(buf); +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index bd23c9e5..ff7b9c22 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_ + "for t2p_readwrite_pdf_image_tile, %s", + (unsigned long) t2p->tiff_datasize, + TIFFFileName(input)); ++ _TIFFfree(buffer); + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } diff --git a/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch new file mode 100644 index 0000000..52c80b0 --- /dev/null +++ b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch @@ -0,0 +1,47 @@ +From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 10:05:33 +0100 +Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do + no overflow + +fixes bug 2833 + +(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d) +--- + tools/tiffcp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 489459a7..96f14728 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include + +@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + int status = 1; + uint32 imagew = TIFFRasterScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew*spp; ++ int iskew; + tsize_t tilesize = TIFFTileSize(in); + tdata_t tilebuf; + uint8* bufp = (uint8*) buf; +@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + ++ if (tilew && spp > (INT_MAX / tilew)) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); ++ return 0; ++ } ++ iskew = imagew - tilew*spp; + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) + return 0; diff --git a/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch new file mode 100644 index 0000000..8eca5e5 --- /dev/null +++ b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch @@ -0,0 +1,423 @@ +From 00aeede6bdba3cb74943932b24accc7ba61d2cb0 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 10 Aug 2019 18:25:03 +0200 +Subject: [PATCH] (CVE-2019-14973) Fix integer overflow in _TIFFCheckMalloc() + and other implementation-defined behaviour (CVE-2019-14973) + +_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow +in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus +signed), which was especially easily triggered on 32-bit builds (with recent +enough compilers that assume that signed multiplication cannot overflow, since +this is undefined behaviour by the C standard). The original issue which lead to +this fix was trigged from tif_fax3.c + +There were also unsafe (implementation defied), and broken in practice on 64bit +builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing +(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known +at that time exploits, but are better to fix in a more bullet-proof way. +Or similarly use of (int64)uint64_var <= 0. + +(cherry picked from commit 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773) +--- + libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++----- + libtiff/tif_getimage.c | 6 ++---- + libtiff/tif_luv.c | 8 +------ + libtiff/tif_pixarlog.c | 7 +----- + libtiff/tif_read.c | 38 +++++++++----------------------- + libtiff/tif_strip.c | 35 ++++-------------------------- + libtiff/tif_tile.c | 27 +++-------------------- + libtiff/tiffiop.h | 7 +++++- + 8 files changed, 71 insertions(+), 106 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 10b8d00c..38a98b67 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) + return bytes; + } + ++tmsize_t ++_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) ++{ ++ if( first <= 0 || second <= 0 ) ++ { ++ if( tif != NULL && where != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, where, ++ "Invalid argument to _TIFFMultiplySSize() in %s", where); ++ } ++ return 0; ++ } ++ ++ if( first > TIFF_TMSIZE_T_MAX / second ) ++ { ++ if( tif != NULL && where != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, where, ++ "Integer overflow in %s", where); ++ } ++ return 0; ++ } ++ return first * second; ++} ++ ++tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) ++{ ++ if( val > (uint64)TIFF_TMSIZE_T_MAX ) ++ { ++ if( tif != NULL && module != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); ++ } ++ return 0; ++ } ++ return (tmsize_t)val; ++} ++ + void* + _TIFFCheckRealloc(TIFF* tif, void* buffer, + tmsize_t nmemb, tmsize_t elem_size, const char* what) + { + void* cp = NULL; +- tmsize_t bytes = nmemb * elem_size; +- ++ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); + /* +- * XXX: Check for integer overflow. ++ * Check for integer overflow. + */ +- if (nmemb && elem_size && bytes / elem_size == nmemb) +- cp = _TIFFrealloc(buffer, bytes); ++ if (count != 0) ++ { ++ cp = _TIFFrealloc(buffer, count); ++ } + + if (cp == NULL) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index fc554cca..ec09feaf 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint32 leftmost_tw; + + tilesize = TIFFTileSize(tif); +- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); ++ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); + if (bufsize == 0) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); + return (0); + } + +@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint16 colorchannels; + + stripsize = TIFFStripSize(tif); +- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); ++ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); + if (bufsize == 0) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); + return (0); + } + +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c +index 4b25244b..c4cb73a3 100644 +--- a/libtiff/tif_luv.c ++++ b/libtiff/tif_luv.c +@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td) + return (SGILOGDATAFMT_UNKNOWN); + } + +- +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) +- return 0; +- return m1 * m2; ++ return _TIFFMultiplySSize(NULL, m1, m2, NULL); + } + + static int +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index 979858da..8e9eaa1d 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td) + return guess; + } + +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) +- return 0; +- return m1 * m2; ++ return _TIFFMultiplySSize(NULL, m1, m2, NULL); + } + + static tmsize_t +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 04100f4d..9a0e6e95 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -31,9 +31,6 @@ + #include "tiffiop.h" + #include + +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + int TIFFFillStrip(TIFF* tif, uint32 strip); + int TIFFFillTile(TIFF* tif, uint32 tile); + static int TIFFStartStrip(TIFF* tif, uint32 strip); +@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m + #define THRESHOLD_MULTIPLIER 10 + #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) + ++#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF) ++ + /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' + * Returns 1 in case of success, 0 otherwise. */ + static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, +@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) + return ((tmsize_t)(-1)); + } + bytecount = td->td_stripbytecount[strip]; +- if ((int64)bytecount <= 0) { +-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) +- TIFFErrorExt(tif->tif_clientdata, module, +- "%I64u: Invalid strip byte count, strip %lu", +- (unsigned __int64) bytecount, +- (unsigned long) strip); +-#else +- TIFFErrorExt(tif->tif_clientdata, module, +- "%llu: Invalid strip byte count, strip %lu", +- (unsigned long long) bytecount, +- (unsigned long) strip); +-#endif +- return ((tmsize_t)(-1)); +- } +- bytecountm = (tmsize_t)bytecount; +- if ((uint64)bytecountm!=bytecount) { +- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); ++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module); ++ if (bytecountm == 0) { + return ((tmsize_t)(-1)); + } + if (size != (tmsize_t)(-1) && size < bytecountm) +@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[strip]; +- if ((int64)bytecount <= 0) { ++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "Invalid strip byte count %I64u, strip %lu", +@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; +- if( (int64)newbytecount >= 0 ) ++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) + { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, +@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) + bytecount64 = td->td_stripbytecount[tile]; + if (size != (tmsize_t)(-1) && (uint64)size < bytecount64) + bytecount64 = (uint64)size; +- bytecountm = (tmsize_t)bytecount64; +- if ((uint64)bytecountm!=bytecount64) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); ++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module); ++ if( bytecountm == 0 ) { + return ((tmsize_t)(-1)); + } + return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); +@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[tile]; +- if ((int64)bytecount <= 0) { ++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid tile byte count, tile %lu", +@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; +- if( (int64)newbytecount >= 0 ) ++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) + { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, +diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c +index 6e9f2ef6..321ad6b9 100644 +--- a/libtiff/tif_strip.c ++++ b/libtiff/tif_strip.c +@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) + { + static const char module[] = "TIFFVStripSize"; + uint64 m; +- tmsize_t n; + m=TIFFVStripSize64(tif,nrows); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif) + { + static const char module[] = "TIFFStripSize"; + uint64 m; +- tmsize_t n; + m=TIFFStripSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif) + { + static const char module[] = "TIFFScanlineSize"; + uint64 m; +- tmsize_t n; + m=TIFFScanlineSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif) + { + static const char module[] = "TIFFRasterScanlineSize"; + uint64 m; +- tmsize_t n; + m=TIFFRasterScanlineSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* vim: set ts=8 sts=8 sw=8 noet: */ +diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c +index 388e168a..7d057509 100644 +--- a/libtiff/tif_tile.c ++++ b/libtiff/tif_tile.c +@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif) + { + static const char module[] = "TIFFTileRowSize"; + uint64 m; +- tmsize_t n; + m=TIFFTileRowSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) + { + static const char module[] = "TIFFVTileSize"; + uint64 m; +- tmsize_t n; + m=TIFFVTileSize64(tif,nrows); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif) + { + static const char module[] = "TIFFTileSize"; + uint64 m; +- tmsize_t n; + m=TIFFTileSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index 08e5dc44..d4b86314 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); + #define FALSE 0 + #endif + ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + typedef struct client_info { + struct client_info *next; + void *data; +@@ -260,7 +263,7 @@ struct tiff { + #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) + #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) + +-/* Safe multiply which returns zero if there is an integer overflow */ ++/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ + #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) +@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; + + extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); + extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); ++extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); ++extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); + extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); + extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); + diff --git a/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch new file mode 100644 index 0000000..9d0adc8 --- /dev/null +++ b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch @@ -0,0 +1,102 @@ +From a1c493aa4f22f9d1a4757c05a60addc877519cea Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 15 Aug 2019 15:05:28 +0200 +Subject: [PATCH] (CVE-2019-17546) RGBA interface: fix integer overflow + potentially causing write heap buffer overflow, especially on 32 bit builds. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to + OSS Fuzz + +(cherry picked from commit 4bb584a35f87af42d6cf09d15e9ce8909a839145) +--- + libtiff/tif_getimage.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index ec09feaf..c6edd27c 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) + { ++ uint32 temp; + rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; + nrow = (row + rowstoread > h ? h - row : rowstoread); + nrowsub = nrow; + if ((nrowsub%subsamplingver)!=0) + nrowsub+=subsamplingver-nrowsub%subsamplingver; ++ temp = (row + img->row_offset)%rowsperstrip + nrowsub; ++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); ++ return 0; ++ } + if (_TIFFReadEncodedStripAndAllocBuffer(tif, + TIFFComputeStrip(tif,row+img->row_offset, 0), + (void**)(&buf), + maxstripsize, +- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) ++ temp * scanline)==(tmsize_t)(-1) + && (buf == NULL || img->stoponerr)) + { + ret = 0; +@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) + { ++ uint32 temp; + rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; + nrow = (row + rowstoread > h ? h - row : rowstoread); + offset_row = row + img->row_offset; ++ temp = (row + img->row_offset)%rowsperstrip + nrow; ++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); ++ return 0; ++ } + if( buf == NULL ) + { + if (_TIFFReadEncodedStripAndAllocBuffer( + tif, TIFFComputeStrip(tif, offset_row, 0), + (void**) &buf, bufsize, +- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ temp * scanline)==(tmsize_t)(-1) + && (buf == NULL || img->stoponerr)) + { + ret = 0; +@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + } + else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), +- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ p0, temp * scanline)==(tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + if (colorchannels > 1 + && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), +- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) ++ p1, temp * scanline) == (tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + if (colorchannels > 1 + && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), +- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) ++ p2, temp * scanline) == (tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + if (alpha) + { + if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), +- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ pa, temp * scanline)==(tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; diff --git a/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch new file mode 100644 index 0000000..03f47a0 --- /dev/null +++ b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch @@ -0,0 +1,86 @@ +From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Sun, 15 Nov 2020 17:02:51 +0100 +Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory + limit in tiff2rgba + +fixes #207 +fixes #209 + +(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d) +--- + tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c +index 4de96aec..e6de2209 100644 +--- a/tools/tiff2rgba.c ++++ b/tools/tiff2rgba.c +@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1; + int process_by_block = 0; /* default is whole image at once */ + int no_alpha = 0; + int bigtiff_output = 0; ++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) ++/* malloc size limit (in bytes) ++ * disabled when set to 0 */ ++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; + + + static int tiffcvt(TIFF* in, TIFF* out); +@@ -70,8 +74,11 @@ main(int argc, char* argv[]) + extern char *optarg; + #endif + +- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1) ++ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1) + switch (c) { ++ case 'M': ++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; ++ break; + case 'b': + process_by_block = 1; + break; +@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) + (unsigned long)width, (unsigned long)height); + return 0; + } ++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { ++ TIFFError(TIFFFileName(in), ++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", ++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); ++ return 0; ++ } + + rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); +@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out) + TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); + CopyField(TIFFTAG_DOCUMENTNAME, stringv); + ++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) ++ { ++ TIFFError(TIFFFileName(in), ++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", ++ (uint64)TIFFStripSize(in), (uint64)maxMalloc); ++ return 0; ++ } + if( process_by_block && TIFFIsTiled( in ) ) + return( cvt_by_tile( in, out ) ); + else if( process_by_block ) +@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out) + } + + static char* stuff[] = { +- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", ++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", + "where comp is one of the following compression algorithms:", + " jpeg\t\tJPEG encoding", + " zip\t\tZip/Deflate encoding", +@@ -543,6 +563,7 @@ static char* stuff[] = { + " -b (progress by block rather than as a whole image)", + " -n don't emit alpha component.", + " -8 write BigTIFF file instead of ClassicTIFF", ++ " -M set the memory allocation limit in MiB. 0 to disable limit", + NULL + }; + diff --git a/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch new file mode 100644 index 0000000..f150651 --- /dev/null +++ b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch @@ -0,0 +1,50 @@ +From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Tue, 10 Nov 2020 01:54:30 +0100 +Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for + overflow + +fixes #211 + +(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2) +--- + libtiff/tif_getimage.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index c6edd27c..b1f7cc95 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -31,6 +31,7 @@ + */ + #include "tiffiop.h" + #include ++#include + + static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); + static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); +@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + + flip = setorientation(img); + if (flip & FLIP_VERTICALLY) { +- y = h - 1; +- toskew = -(int32)(tw + w); ++ if ((tw + w) > INT_MAX) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); ++ return (0); ++ } ++ y = h - 1; ++ toskew = -(int32)(tw + w); + } + else { +- y = 0; +- toskew = -(int32)(tw - w); ++ if (tw > (INT_MAX + w)) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); ++ return (0); ++ } ++ y = 0; ++ toskew = -(int32)(tw - w); + } + + /* diff --git a/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch new file mode 100644 index 0000000..59e4fbc --- /dev/null +++ b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch @@ -0,0 +1,38 @@ +From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Sat, 14 Nov 2020 12:53:01 +0000 +Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when + saving to JPEG YCbCr + +fixes #220 + +(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22) +--- + tools/tiff2pdf.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index ff7b9c22..a5db1f64 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){ + #endif + (void) 0; + } +- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); +- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ +- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ++#ifdef JPEG_SUPPORT ++ if(t2p->pdf_compression == T2P_COMPRESS_JPEG ++ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) { ++ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p); ++ } else ++#endif ++ { ++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); ++ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ ++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ++ } + } + if (k == 0) { + /* Assume we had overflow inside TIFFScanlineSize */ diff --git a/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch new file mode 100644 index 0000000..094b908 --- /dev/null +++ b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch @@ -0,0 +1,89 @@ +From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 23:08:25 +0100 +Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and + 4 + +too much bytes were processed, causing a heap buffer overrun + http://bugzilla.maptools.org/show_bug.cgi?id=2831 +the loop counter must be + for (col = 0; col < width; col += 8 / bps) + +Also the values were not properly calculated. It should be +255-x, 15-x, 3-x for bps 8, 4, 2. + +But anyway it is easyer to invert all bits as 255-x = ~x, etc. +(substracting from a binary number composed of all 1 is like inverting +the bits) + +(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0) +--- + tools/tiffcrop.c | 37 ++++++------------------------------- + 1 file changed, 6 insertions(+), 31 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 3862b1ca..a6129148 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -9142,7 +9142,6 @@ static int + invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff) + { + uint32 row, col; +- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4; + unsigned char *src; + uint16 *src_uint16; + uint32 *src_uint32; +@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len + for (row = 0; row < length; row++) + for (col = 0; col < width; col++) + { +- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32; ++ *src_uint32 = ~(*src_uint32); + src_uint32++; + } + break; +@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len + for (row = 0; row < length; row++) + for (col = 0; col < width; col++) + { +- *src_uint16 = (uint16)0xFFFF - *src_uint16; ++ *src_uint16 = ~(*src_uint16); + src_uint16++; + } + break; +- case 8: for (row = 0; row < length; row++) +- for (col = 0; col < width; col++) +- { +- *src = (uint8)255 - *src; +- src++; +- } +- break; +- case 4: for (row = 0; row < length; row++) +- for (col = 0; col < width; col++) +- { +- bytebuff1 = 16 - (uint8)(*src & 240 >> 4); +- bytebuff2 = 16 - (*src & 15); +- *src = bytebuff1 << 4 & bytebuff2; +- src++; +- } +- break; +- case 2: for (row = 0; row < length; row++) +- for (col = 0; col < width; col++) +- { +- bytebuff1 = 4 - (uint8)(*src & 192 >> 6); +- bytebuff2 = 4 - (uint8)(*src & 48 >> 4); +- bytebuff3 = 4 - (uint8)(*src & 12 >> 2); +- bytebuff4 = 4 - (uint8)(*src & 3); +- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4; +- src++; +- } +- break; ++ case 8: ++ case 4: ++ case 2: + case 1: for (row = 0; row < length; row++) +- for (col = 0; col < width; col += 8 /(spp * bps)) ++ for (col = 0; col < width; col += 8 / bps) + { + *src = ~(*src); + src++; diff --git a/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch new file mode 100644 index 0000000..146f7b6 --- /dev/null +++ b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch @@ -0,0 +1,27 @@ +From b94f6754796d32e204b874b3660a125973815933 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 6 Feb 2022 13:08:38 +0100 +Subject: [PATCH] (CVE-2022-0561) TIFFFetchStripThing(): avoid calling memcpy() + with a null source pointer and size of zero (fixes #362) + +(cherry picked from commit eecb0712f4c3a5b449f70c57988260a667ddbdef) +--- + libtiff/tif_dirread.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 80aaf8d1..1e6f1c2f 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5633,8 +5633,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); +- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); ++ if( dir->tdir_count ) ++ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); ++ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); + _TIFFfree(data); + data=resizeddata; + } diff --git a/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch new file mode 100644 index 0000000..26116a2 --- /dev/null +++ b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch @@ -0,0 +1,25 @@ +From b7426cc131d837de8d139b8007f66f9db59c4f6a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 5 Feb 2022 20:36:41 +0100 +Subject: [PATCH] (CVE-2022-0562) TIFFReadDirectory(): avoid calling memcpy() + with a null source pointer and size of zero (fixes #362) + +(cherry picked from commit 561599c99f987dc32ae110370cfdd7df7975586b) +--- + libtiff/tif_dirread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 1e6f1c2f..d68aecc5 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4083,7 +4083,8 @@ TIFFReadDirectory(TIFF* tif) + goto bad; + } + +- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); ++ if (old_extrasamples > 0) ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } diff --git a/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch new file mode 100644 index 0000000..c07175a --- /dev/null +++ b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch @@ -0,0 +1,36 @@ +From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 25 Jan 2022 16:25:28 +0000 +Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for + ASCII tags where count is required (fixes #355) + +(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64) +--- + tools/tiffset.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index 894c9f1f..e4b0d49f 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -134,9 +134,19 @@ main(int argc, char* argv[]) + + arg_index++; + if (TIFFFieldDataType(fip) == TIFF_ASCII) { +- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) ++ if(TIFFFieldPassCount( fip )) { ++ size_t len; ++ len = strlen(argv[arg_index]) + 1; ++ if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip), ++ (uint16)len, argv[arg_index]) != 1) + fprintf( stderr, "Failed to set %s=%s\n", + TIFFFieldName(fip), argv[arg_index] ); ++ } else { ++ if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s\n", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } + } else if (TIFFFieldWriteCount(fip) > 0 + || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { + int ret = 1; diff --git a/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch new file mode 100644 index 0000000..be0fa01 --- /dev/null +++ b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch @@ -0,0 +1,33 @@ +From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 24 Feb 2022 22:26:02 +0100 +Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file + with multiple IFD in memory-mapped mode and when bit reversal is needed + (fixes #385) + +(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067) +--- + libtiff/tif_jbig.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 8136c77b..698428f0 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) + */ + tif->tif_flags |= TIFF_NOBITREV; + tif->tif_flags &= ~TIFF_MAPPED; ++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and ++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial ++ * value to be consistent with the state of a non-memory mapped file. ++ */ ++ if (tif->tif_flags&TIFF_BUFFERMMAP) { ++ tif->tif_rawdata = NULL; ++ tif->tif_rawdatasize = 0; ++ tif->tif_flags &= ~TIFF_BUFFERMMAP; ++ tif->tif_flags |= TIFF_MYBUFFER; ++ } + + /* Setup the function pointers for encode, decode, and cleanup. */ + tif->tif_setupdecode = JBIGSetupDecode; diff --git a/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch new file mode 100644 index 0000000..d790f39 --- /dev/null +++ b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch @@ -0,0 +1,198 @@ +From 465c2d93e2a2d20ac4844ad0d98b35f00e8063fb Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Tue, 8 Mar 2022 17:02:44 +0000 +Subject: [PATCH] (CVE-2022-0891) tiffcrop: fix issue #380 and #382 heap buffer + overflow in extractImageSection + +(cherry picked from commit 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c) +--- + tools/tiffcrop.c | 84 ++++++++++++++++++------------------------------ + 1 file changed, 32 insertions(+), 52 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index a6129148..83cf80ad 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -6668,10 +6668,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + uint32 img_length; + #endif +- uint32 j, shift1, shift2, trailing_bits; ++ uint32 j, shift1, trailing_bits; + uint32 row, first_row, last_row, first_col, last_col; + uint32 src_offset, dst_offset, row_offset, col_offset; +- uint32 offset1, offset2, full_bytes; ++ uint32 offset1, full_bytes; + uint32 sect_width; + #ifdef DEVELMODE + uint32 sect_length; +@@ -6681,7 +6681,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + int k; + unsigned char bitset; +- static char *bitarray = NULL; + #endif + + img_width = image->width; +@@ -6699,17 +6698,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + dst_offset = 0; + + #ifdef DEVELMODE +- if (bitarray == NULL) +- { +- if ((bitarray = (char *)malloc(img_width)) == NULL) +- { +- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); +- return (-1); +- } +- } ++ char bitarray[39]; + #endif + +- /* rows, columns, width, length are expressed in pixels */ ++ /* rows, columns, width, length are expressed in pixels ++ * first_row, last_row, .. are index into image array starting at 0 to width-1, ++ * last_col shall be also extracted. */ + first_row = section->y1; + last_row = section->y2; + first_col = section->x1; +@@ -6719,9 +6713,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + sect_length = last_row - first_row + 1; + #endif +- img_rowsize = ((img_width * bps + 7) / 8) * spp; ++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved ++ * samples rather than separate planes so the same logic works to extract regions ++ * regardless of the way the data are organized in the input file. ++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 ++ */ ++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ + full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ +- trailing_bits = (sect_width * bps) % 8; ++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + + #ifdef DEVELMODE + TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n", +@@ -6734,10 +6733,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if ((bps % 8) == 0) + { +- col_offset = first_col * spp * bps / 8; ++ col_offset = (first_col * spp * bps) / 8; + for (row = first_row; row <= last_row; row++) + { +- /* row_offset = row * img_width * spp * bps / 8; */ + row_offset = row * img_rowsize; + src_offset = row_offset + col_offset; + +@@ -6750,14 +6748,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + } + else + { /* bps != 8 */ +- shift1 = spp * ((first_col * bps) % 8); +- shift2 = spp * ((last_col * bps) % 8); ++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + for (row = first_row; row <= last_row; row++) + { + /* pull out the first byte */ + row_offset = row * img_rowsize; +- offset1 = row_offset + (first_col * bps / 8); +- offset2 = row_offset + (last_col * bps / 8); ++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + + #ifdef DEVELMODE + for (j = 0, k = 7; j < 8; j++, k--) +@@ -6769,12 +6765,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + sprintf(&bitarray[9], " "); + for (j = 10, k = 7; j < 18; j++, k--) + { +- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; ++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; + sprintf(&bitarray[j], (bitset) ? "1" : "0"); + } + bitarray[18] = '\0'; +- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n", +- row, offset1, shift1, offset2, shift2); ++ TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Trailing_bits: %d\n", ++ row, offset1, shift1, offset1+full_bytes, trailing_bits); + #endif + + bytebuff1 = bytebuff2 = 0; +@@ -6798,11 +6794,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if (trailing_bits != 0) + { +- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); ++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ ++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + sect_buff[dst_offset] = bytebuff2; + #ifdef DEVELMODE + TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", +- offset2, dst_offset); ++ offset1 + full_bytes, dst_offset); + for (j = 30, k = 7; j < 38; j++, k--) + { + bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; +@@ -6821,8 +6818,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + for (j = 0; j <= full_bytes; j++) + { ++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ ++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ + bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); +- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); ++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); + } + #ifdef DEVELMODE +@@ -6838,35 +6837,16 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + dst_offset += full_bytes; + ++ /* Copy the trailing_bits for the last byte in the destination buffer. ++ Could come from one ore two bytes of the source buffer. */ + if (trailing_bits != 0) + { + #ifdef DEVELMODE +- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset); +-#endif +- if (shift2 > shift1) +- { +- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); +- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); +- sect_buff[dst_offset] = bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 > Shift1\n"); ++ TIFFError("", " Trailing bits %4d src offset: %8d, Dst offset: %8d\n", trailing_bits, offset1 + full_bytes, dst_offset); + #endif +- } +- else +- { +- if (shift2 < shift1) +- { +- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); +- sect_buff[dst_offset] &= bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 < Shift1\n"); +-#endif +- } +-#ifdef DEVELMODE +- else +- TIFFError ("", " Shift2 == Shift1\n"); +-#endif +- } ++ /* More than necessary bits are already copied into last destination buffer, ++ * only masking of last byte in destination buffer is necessary.*/ ++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); + } + #ifdef DEVELMODE + sprintf(&bitarray[28], " "); +@@ -7020,7 +7000,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, + width = sections[i].x2 - sections[i].x1 + 1; + length = sections[i].y2 - sections[i].y1 + 1; + sectsize = (uint32) +- ceil((width * image->bps + 7) / (double)8) * image->spp * length; ++ ceil((width * image->bps * image->spp + 7) / (double)8) * length; + /* allocate a buffer if we don't have one already */ + if (createImageSection(sectsize, sect_buff_ptr)) + { diff --git a/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch new file mode 100644 index 0000000..bc3af27 --- /dev/null +++ b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch @@ -0,0 +1,51 @@ +From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Thu, 10 Mar 2022 08:48:00 +0000 +Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278) + +(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a) +--- + tools/tiffcp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 96f14728..d5f1d248 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + tdata_t obuf; + tstrip_t strip = 0; + tsample_t s; ++ uint16 bps = 0, bytes_per_sample; + + obuf = _TIFFmalloc(stripsize); + if (obuf == NULL) + return (0); + _TIFFmemset(obuf, 0, stripsize); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); ++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ bytes_per_sample = bps/8; + for (s = 0; s < spp; s++) { + uint32 row; + for (row = 0; row < imagelength; row += rowsperstrip) { +@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + + cpContigBufToSeparateBuf( + obuf, (uint8*) buf + row*rowsize + s, +- nrows, imagewidth, 0, 0, spp, 1); ++ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { + TIFFError(TIFFFileName(out), + "Error, can't write strip %u", diff --git a/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch new file mode 100644 index 0000000..70461d8 --- /dev/null +++ b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch @@ -0,0 +1,30 @@ +From fb2bd72a49496d10c4860102b7c26b9bc8adff70 Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 8 Mar 2022 16:22:04 +0000 +Subject: [PATCH] (CVE-2022-0909) fix the FPE in tiffcrop (#393) + +(cherry picked from commit 32ea0722ee68f503b7a3f9b2d557acb293fc8cde) +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index c36a5f3f..f126f2aa 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -320,13 +320,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + break; + case TIFFTAG_XRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = TIFFClampDoubleToFloat( dblval ); + break; diff --git a/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch new file mode 100644 index 0000000..931a2fa --- /dev/null +++ b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch @@ -0,0 +1,27 @@ +From e1ee7d9aa1936d5d2f8c7e1a453ad669ed6b38dd Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 17 Feb 2022 15:28:43 +0100 +Subject: [PATCH] (CVE-2022-0908) TIFFFetchNormalTag(): avoid calling memcpy() + with a null source pointer and size of zero (fixes #383) + +(cherry picked from commit a95b799f65064e4ba2e2dfc206808f86faf93e85) +--- + libtiff/tif_dirread.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index d68aecc5..b72e6a3b 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4972,7 +4972,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(o,data,(uint32)dp->tdir_count); ++ if (dp->tdir_count > 0 ) ++ { ++ _TIFFmemcpy(o,data,(uint32)dp->tdir_count); ++ } + o[(uint32)dp->tdir_count]=0; + if (data!=0) + _TIFFfree(data); diff --git a/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch new file mode 100644 index 0000000..706254e --- /dev/null +++ b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch @@ -0,0 +1,55 @@ +From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 2 Apr 2022 22:33:31 +0200 +Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode" + string (fixes #400) + +(cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96) +--- + tools/tiffcp.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index d5f1d248..fb98bd57 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -249,19 +249,34 @@ main(int argc, char* argv[]) + deftilewidth = atoi(optarg); + break; + case 'B': +- *mp++ = 'b'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'b'; *mp = '\0'; ++ } + break; + case 'L': +- *mp++ = 'l'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'l'; *mp = '\0'; ++ } + break; + case 'M': +- *mp++ = 'm'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'm'; *mp = '\0'; ++ } + break; + case 'C': +- *mp++ = 'c'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'c'; *mp = '\0'; ++ } + break; + case '8': +- *mp++ = '8'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode)-1)) ++ { ++ *mp++ = '8'; *mp = '\0'; ++ } + break; + case 'x': + pageInSeq = 1; diff --git a/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch b/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch new file mode 100644 index 0000000..e8cbc0f --- /dev/null +++ b/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch @@ -0,0 +1,161 @@ +From 9ed8c91366c9f6a3c9068aee6c5a7a0fe1c5c9c8 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Tue, 12 Feb 2019 16:04:28 +0100 +Subject: [PATCH] move _TIFFClampDoubleToFloat() to tif_aux.c + +the same function was declared in tif_dir.c and tif_dirwrite.c + +see http://bugzilla.maptools.org/show_bug.cgi?id=2842 + +(cherry picked from commit 8420a31e8ca5181ca36580cfeeca28661b348262) +--- + libtiff/tif_aux.c | 10 ++++++++++ + libtiff/tif_dir.c | 20 +++++--------------- + libtiff/tif_dirwrite.c | 12 +----------- + libtiff/tiffiop.h | 2 ++ + 4 files changed, 18 insertions(+), 26 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 38a98b67..2071d19c 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -32,6 +32,7 @@ + #include "tiffiop.h" + #include "tif_predict.h" + #include ++#include + + uint32 + _TIFFMultiply32(TIFF* tif, uint32 first, uint32 second, const char* where) +@@ -398,6 +399,15 @@ _TIFFUInt64ToDouble(uint64 ui64) + } + } + ++float _TIFFClampDoubleToFloat( double val ) ++{ ++ if( val > FLT_MAX ) ++ return FLT_MAX; ++ if( val < -FLT_MAX ) ++ return -FLT_MAX; ++ return (float)val; ++} ++ + int _TIFFSeekOK(TIFF* tif, toff_t off) + { + /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index f126f2aa..ad550c65 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -31,7 +31,6 @@ + * (and also some miscellaneous stuff) + */ + #include "tiffiop.h" +-#include + + /* + * These are used in the backwards compatibility code... +@@ -155,15 +154,6 @@ bad: + return (0); + } + +-static float TIFFClampDoubleToFloat( double val ) +-{ +- if( val > FLT_MAX ) +- return FLT_MAX; +- if( val < -FLT_MAX ) +- return -FLT_MAX; +- return (float)val; +-} +- + static int + _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + { +@@ -322,13 +312,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + dblval = va_arg(ap, double); + if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; +- td->td_xresolution = TIFFClampDoubleToFloat( dblval ); ++ td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); + if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; +- td->td_yresolution = TIFFClampDoubleToFloat( dblval ); ++ td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -337,10 +327,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + td->td_planarconfig = (uint16) v; + break; + case TIFFTAG_XPOSITION: +- td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); ++ td->td_xposition = _TIFFClampDoubleToFloat( va_arg(ap, double) ); + break; + case TIFFTAG_YPOSITION: +- td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); ++ td->td_yposition = _TIFFClampDoubleToFloat( va_arg(ap, double) ); + break; + case TIFFTAG_RESOLUTIONUNIT: + v = (uint16) va_arg(ap, uint16_vap); +@@ -686,7 +676,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + case TIFF_SRATIONAL: + case TIFF_FLOAT: + { +- float v2 = TIFFClampDoubleToFloat(va_arg(ap, double)); ++ float v2 = _TIFFClampDoubleToFloat(va_arg(ap, double)); + _TIFFmemcpy(val, &v2, tv_size); + } + break; +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index 5d0a6699..03a9f296 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -30,7 +30,6 @@ + * Directory Write Support Routines. + */ + #include "tiffiop.h" +-#include + + #ifdef HAVE_IEEEFP + #define TIFFCvtNativeToIEEEFloat(tif, n, fp) +@@ -948,15 +947,6 @@ bad: + return(0); + } + +-static float TIFFClampDoubleToFloat( double val ) +-{ +- if( val > FLT_MAX ) +- return FLT_MAX; +- if( val < -FLT_MAX ) +- return -FLT_MAX; +- return (float)val; +-} +- + static int8 TIFFClampDoubleToInt8( double val ) + { + if( val > 127 ) +@@ -1031,7 +1021,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di + if (tif->tif_dir.td_bitspersample<=32) + { + for (i = 0; i < count; ++i) +- ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); ++ ((float*)conv)[i] = _TIFFClampDoubleToFloat(value[i]); + ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); + } + else +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index d4b86314..05ba735b 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -377,6 +377,8 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); + extern double _TIFFUInt64ToDouble(uint64); + extern float _TIFFUInt64ToFloat(uint64); + ++extern float _TIFFClampDoubleToFloat(double); ++ + extern tmsize_t + _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, + void **buf, tmsize_t bufsizetoalloc, diff --git a/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch b/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch new file mode 100644 index 0000000..9e34aac --- /dev/null +++ b/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch @@ -0,0 +1,179 @@ +From fddff26550de7a5ea9735649a74aa3829e461ae5 Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Sat, 11 Jun 2022 09:31:43 +0000 +Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in + tiffcrop (#415, #427, and #428) + +(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab) +--- + libtiff/tif_aux.c | 9 +++++++ + libtiff/tiffiop.h | 1 + + tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- + 3 files changed, 44 insertions(+), 28 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 2071d19c..4d1869b4 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -408,6 +408,15 @@ float _TIFFClampDoubleToFloat( double val ) + return (float)val; + } + ++uint32 _TIFFClampDoubleToUInt32(double val) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 0xFFFFFFFFU || val != val ) ++ return 0xFFFFFFFFU; ++ return (uint32)val; ++} ++ + int _TIFFSeekOK(TIFF* tif, toff_t off) + { + /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index 05ba735b..5b106e03 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -378,6 +378,7 @@ extern double _TIFFUInt64ToDouble(uint64); + extern float _TIFFUInt64ToFloat(uint64); + + extern float _TIFFClampDoubleToFloat(double); ++extern uint32 _TIFFClampDoubleToUInt32(double); + + extern tmsize_t + _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 83cf80ad..ea0b98be 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5140,17 +5140,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) + { +- x1 = (uint32) (crop->corners[i].X1 * scale * xres); +- x2 = (uint32) (crop->corners[i].X2 * scale * xres); +- y1 = (uint32) (crop->corners[i].Y1 * scale * yres); +- y2 = (uint32) (crop->corners[i].Y2 * scale * yres); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); + } + else + { +- x1 = (uint32) (crop->corners[i].X1); +- x2 = (uint32) (crop->corners[i].X2); +- y1 = (uint32) (crop->corners[i].Y1); +- y2 = (uint32) (crop->corners[i].Y2); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } + if (x1 < 1) + crop->regionlist[i].x1 = 0; +@@ -5213,17 +5213,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { /* User has specified pixels as reference unit */ +- tmargin = (uint32)(crop->margins[0]); +- lmargin = (uint32)(crop->margins[1]); +- bmargin = (uint32)(crop->margins[2]); +- rmargin = (uint32)(crop->margins[3]); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); + } + else + { /* inches or centimeters specified */ +- tmargin = (uint32)(crop->margins[0] * scale * yres); +- lmargin = (uint32)(crop->margins[1] * scale * xres); +- bmargin = (uint32)(crop->margins[2] * scale * yres); +- rmargin = (uint32)(crop->margins[3] * scale * xres); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); + } + + if ((lmargin + rmargin) > image->width) +@@ -5253,24 +5253,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32)crop->width; ++ width = _TIFFClampDoubleToUInt32(crop->width); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32)crop->length; ++ length = _TIFFClampDoubleToUInt32(crop->length); + else + length = image->length - tmargin - bmargin; + } + else + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32)(crop->width * scale * image->xres); ++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32)(crop->length * scale * image->yres); ++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); + else + length = image->length - tmargin - bmargin; + } +@@ -5669,13 +5669,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) + { /* inches or centimeters specified */ +- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8)); +- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); + } + else + { /* Otherwise user has specified pixels as reference unit */ +- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8)); +- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); + } + + if ((hmargin * 2.0) > (pwidth * page->hres)) +@@ -5713,13 +5713,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->mode & PAGE_MODE_PAPERSIZE ) + { +- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2)); +- olength = (uint32)((plength * page->vres) - (vmargin * 2)); ++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); ++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); + } + else + { +- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres)); +- olength = (uint32)(ilength - (vmargin * 2 * page->vres)); ++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); ++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); + } + } + +@@ -5728,6 +5728,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + if (olength > ilength) + olength = ilength; + ++ if (owidth == 0 || olength == 0) ++ { ++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); ++ exit(EXIT_FAILURE); ++ } ++ + /* Compute the number of pages required for Portrait or Landscape */ + switch (page->orient) + { diff --git a/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch b/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch new file mode 100644 index 0000000..15e8d00 --- /dev/null +++ b/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch @@ -0,0 +1,161 @@ +From 5d214a07db3bb8dcea8354d8f1e52f9c46264acb Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Wed, 9 Feb 2022 21:31:29 +0000 +Subject: [PATCH] (CVE-2022-2867 CVE-2022-2868) tiffcrop.c: Fix issue #352 + heap-buffer-overflow by correcting uint32_t underflow. + +(cherry picked from commit 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c) +--- + tools/tiffcrop.c | 81 +++++++++++++++++++++++++++++++----------------- + 1 file changed, 53 insertions(+), 28 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ea0b98be..5801b8f6 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5152,29 +5152,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- if (x1 < 1) +- crop->regionlist[i].x1 = 0; +- else +- crop->regionlist[i].x1 = (uint32) (x1 - 1); ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 ++ * b) Corners are expected to be submitted as top-left to bottom-right. ++ * Therefore, check that and reorder input. ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) ++ */ ++ uint32 aux; ++ if (x1 > x2) { ++ aux = x1; ++ x1 = x2; ++ x2 = aux; ++ } ++ if (y1 > y2) { ++ aux = y1; ++ y1 = y2; ++ y2 = aux; ++ } ++ if (x1 > image->width - 1) ++ crop->regionlist[i].x1 = image->width - 1; ++ else if (x1 > 0) ++ crop->regionlist[i].x1 = (uint32)(x1 - 1); + + if (x2 > image->width - 1) + crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = (uint32) (x2 - 1); +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32)(x2 - 1); + +- if (y1 < 1) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = (uint32) (y1 - 1); ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ ++ if (y1 > image->length - 1) ++ crop->regionlist[i].y1 = image->length - 1; ++ else if (y1 > 0) ++ crop->regionlist[i].y1 = (uint32)(y1 - 1); + + if (y2 > image->length - 1) + crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = (uint32) (y2 - 1); +- +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ else if (y2 > 0) ++ crop->regionlist[i].y2 = (uint32)(y2 - 1); + ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + if (zwidth > max_width) + max_width = zwidth; + if (zlength > max_length) +@@ -5204,7 +5220,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + } + } + return (0); +- } ++ } /* crop_mode == CROP_REGIONS */ + + /* Convert crop margins into offsets into image + * Margins are expressed as pixel rows and columns, not bytes +@@ -5240,7 +5256,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + bmargin = (uint32) 0; + return (-1); + } +- } ++ } /* crop_mode == CROP_MARGINS */ + else + { /* no margins requested */ + tmargin = (uint32) 0; +@@ -5331,24 +5347,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + off->endx = endx; + off->endy = endy; + +- crop_width = endx - startx + 1; +- crop_length = endy - starty + 1; +- +- if (crop_width <= 0) ++ if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); + return (-1); + } ++ crop_width = endx - startx + 1; + if (crop_width > image->width) + crop_width = image->width; + +- if (crop_length <= 0) ++ if (endy + 1 <= starty) + { + TIFFError("computeInputPixelOffsets", + "Invalid top/bottom margins and /or image crop length requested"); + return (-1); + } ++ crop_length = endy - starty + 1; + if (crop_length > image->length) + crop_length = image->length; + +@@ -5448,10 +5463,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + else + crop->selections = crop->zones; + +- for (i = 0; i < crop->zones; i++) ++ /* Initialize regions iterator i */ ++ i = 0; ++ for (int j = 0; j < crop->zones; j++) + { +- seg = crop->zonelist[i].position; +- total = crop->zonelist[i].total; ++ seg = crop->zonelist[j].position; ++ total = crop->zonelist[j].total; ++ ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ if (seg == 0 || total == 0 || seg > total) { ++ continue; ++ } + + switch (crop->edge_ref) + { +@@ -5578,10 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + if (dump->outfile != NULL) + dump_info (dump->outfile, dump->format, "", "Zone %d, width: %4d, length: %4d, x1: %4d x2: %4d y1: %4d y2: %4d", + i + 1, (uint32)zwidth, (uint32)zlength, +- crop->regionlist[i].x1, crop->regionlist[i].x2, +- crop->regionlist[i].y1, crop->regionlist[i].y2); ++ crop->regionlist[i].x1, crop->regionlist[i].x2, ++ crop->regionlist[i].y1, crop->regionlist[i].y2); ++ /* increment regions iterator */ ++ i++; + } +- ++ /* set number of generated regions out of given zones */ ++ crop->selections = i; + return (0); + } /* end getCropOffsets */ + diff --git a/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch b/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch new file mode 100644 index 0000000..d7f816a --- /dev/null +++ b/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch @@ -0,0 +1,92 @@ +From d26748dd8fb90b0af8c9344615f65d273dc66f93 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Mon, 15 Aug 2022 22:11:03 +0200 +Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521?= + =?UTF-8?q?=20CVE-2022-2953)=20According=20to=20Richard=20Nolde=20https://?= + =?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?= + =?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?= + =?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?= + =?UTF-8?q?=20-Z=20and=20-z.?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is now checked and ends tiffcrop if those arguments are not mutually exclusive. + +This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424 + +(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf) +--- + tools/tiffcrop.c | 31 +++++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 8 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 5801b8f6..27e6f81c 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -104,7 +104,10 @@ + * includes annotations for image parameters and scanline info. Level + * selects which functions dump data, with higher numbers selecting + * lower level, scanline level routines. Debug reports a limited set +- * of messages to monitor progess without enabling dump logs. ++ * of messages to monitor progress without enabling dump logs. ++ * ++ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. ++ * In no case should the options be applied to a given selection successively. + */ + + static char tiffcrop_version_id[] = "2.4"; +@@ -177,12 +180,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + #define ROTATECW_270 32 + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) + +-#define CROP_NONE 0 +-#define CROP_MARGINS 1 +-#define CROP_WIDTH 2 +-#define CROP_LENGTH 4 +-#define CROP_ZONES 8 +-#define CROP_REGIONS 16 ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ ++#define CROP_MARGINS 1 /* "-m" */ ++#define CROP_WIDTH 2 /* "-X" */ ++#define CROP_LENGTH 4 /* "-Y" */ ++#define CROP_ZONES 8 /* "-Z" */ ++#define CROP_REGIONS 16 /* "-z" */ + #define CROP_ROTATE 32 + #define CROP_MIRROR 64 + #define CROP_INVERT 128 +@@ -320,7 +323,7 @@ struct crop_mask { + #define PAGE_MODE_RESOLUTION 1 + #define PAGE_MODE_PAPERSIZE 2 + #define PAGE_MODE_MARGINS 4 +-#define PAGE_MODE_ROWSCOLS 8 ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ + + #define INVERT_DATA_ONLY 10 + #define INVERT_DATA_AND_TAG 11 +@@ -751,6 +754,8 @@ static char* usage_info[] = { + " The four debug/dump options are independent, though it makes little sense to", + " specify a dump file without specifying a detail level.", + " ", ++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive." ++" ", + NULL + }; + +@@ -2099,6 +2104,16 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + /*NOTREACHED*/ + } + } ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ ++ char XY, Z, R, S; ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); ++ Z = (crop_data->crop_mode & CROP_ZONES); ++ R = (crop_data->crop_mode & CROP_REGIONS); ++ S = (page->mode & PAGE_MODE_ROWSCOLS); ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); ++ exit(EXIT_FAILURE); ++ } + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or diff --git a/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch b/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch new file mode 100644 index 0000000..7fc4e5a --- /dev/null +++ b/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch @@ -0,0 +1,32 @@ +From 3635844b59578eb572372e7546548ea84c967ba1 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 20 Aug 2022 23:35:26 +0200 +Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953) + tiffcrop -S option: Make decision simpler. + +(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba) +--- + tools/tiffcrop.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 27e6f81c..ff118496 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2106,11 +2106,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + } + /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ + char XY, Z, R, S; +- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); +- Z = (crop_data->crop_mode & CROP_ZONES); +- R = (crop_data->crop_mode & CROP_REGIONS); +- S = (page->mode & PAGE_MODE_ROWSCOLS); +- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; ++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; ++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; ++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; ++ if (XY + Z + R + S > 1) { + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } diff --git a/SOURCES/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch b/SOURCES/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch new file mode 100644 index 0000000..267a1e3 --- /dev/null +++ b/SOURCES/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch @@ -0,0 +1,97 @@ +From 84f9ede8075774dd9a10080a9eea9016229adbaa Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Thu, 25 Aug 2022 16:11:41 +0200 +Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable + incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes + #411 and #413) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S. + +Code analysis: + +With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. +In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . + +Execution of the else-clause often leads to buffer-overflows. + +Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. + +The MR solves issues #411 and #413. + +(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62) +--- + tools/tiffcrop.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ff118496..848b2b49 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -106,9 +106,11 @@ + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. + * +- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. ++ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. + * In no case should the options be applied to a given selection successively. +- */ ++ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++ */ + + static char tiffcrop_version_id[] = "2.4"; + static char tiffcrop_rev_date[] = "12-13-2010"; +@@ -754,7 +756,11 @@ static char* usage_info[] = { + " The four debug/dump options are independent, though it makes little sense to", + " specify a dump file without specifying a detail level.", + " ", +-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive." ++"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.", ++" In no case should the options be applied to a given selection successively.", ++" ", ++"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options", ++" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.", + " ", + NULL + }; +@@ -2111,9 +2117,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; + S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; + if (XY + Z + R + S > 1) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); + exit(EXIT_FAILURE); + } ++ ++ /* Check for not allowed combination: ++ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++. */ ++ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { ++ TIFFError("tiffcrop input error", ++ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); ++ exit(EXIT_FAILURE); ++ } ++ + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or +@@ -2381,6 +2398,7 @@ main(int argc, char* argv[]) + exit (-1); + } + ++ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ + if (crop.selections > 0) + { + if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) +@@ -2397,6 +2415,7 @@ main(int argc, char* argv[]) + exit (-1); + } + } ++ /* Format and write selected image parts to output file(s). */ + if (page.mode == PAGE_MODE_NONE) + { /* Whole image or sections not based on output page size */ + if (crop.selections > 0) diff --git a/SOURCES/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch b/SOURCES/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch new file mode 100644 index 0000000..ec774b4 --- /dev/null +++ b/SOURCES/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch @@ -0,0 +1,37 @@ +From a28b2e1b23fc936989dc4bbc857e9a8a851c5ff0 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 8 Nov 2022 15:16:58 +0100 +Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer + overflow on strips/tiles > 2 GB + +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 + + (cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be) +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index b1f7cc95..00cd5510 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3044,15 +3044,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop + return( ok ); + + for( i_row = 0; i_row < read_ysize; i_row++ ) { +- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, +- raster + (read_ysize - i_row - 1) * read_xsize, ++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, ++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, + read_xsize * sizeof(uint32) ); +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, + 0, sizeof(uint32) * (tile_xsize - read_xsize) ); + } + + for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, + 0, sizeof(uint32) * tile_xsize ); + } + diff --git a/SOURCES/0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch b/SOURCES/0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch new file mode 100644 index 0000000..bb7d439 --- /dev/null +++ b/SOURCES/0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch @@ -0,0 +1,24 @@ +From 72bbfc1ecd58f7732946719a0aeb2070f056bb6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Tue, 16 May 2023 13:04:55 +0200 +Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error. + Fix #488. + +(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5) +--- + tools/tiffcrop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 848b2b49..7f738d91 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -7537,7 +7537,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + crop_buff = (unsigned char *)_TIFFmalloc(cropsize); + else + { +- prev_cropsize = seg_buffs[0].size; ++ prev_cropsize = seg_buffs[i].size; + if (prev_cropsize < cropsize) + { + next_buff = _TIFFrealloc(crop_buff, cropsize); diff --git a/SOURCES/0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch b/SOURCES/0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch new file mode 100644 index 0000000..ea6c797 --- /dev/null +++ b/SOURCES/0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch @@ -0,0 +1,128 @@ +From 73b3f582caa08a976d647537346790b182bbcc10 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Feb 2023 15:53:16 +0000 +Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 + CVE-2023-0804) tiffcrop: added check for assumption on composite images + (fixes #496) + +Closes #501, #500, #498, #497 et #496 + +See merge request libtiff/libtiff!466 + +(cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00) +--- + tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 66 insertions(+), 2 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 7f738d91..77923cf3 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5235,18 +5235,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + + crop->regionlist[i].buffsize = buffsize; + crop->bufftotal += buffsize; ++ ++ /* For composite images with more than one region, the ++ * combined_length or combined_width always needs to be equal, ++ * respectively. ++ * Otherwise, even the first section/region copy ++ * action might cause buffer overrun. */ + if (crop->img_mode == COMPOSITE_IMAGES) + { + switch (crop->edge_ref) + { + case EDGE_LEFT: + case EDGE_RIGHT: ++ if (i > 0 && zlength != crop->combined_length) ++ { ++ TIFFError( ++ "computeInputPixelOffsets", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (-1); ++ } + crop->combined_length = zlength; + crop->combined_width += zwidth; + break; + case EDGE_BOTTOM: + case EDGE_TOP: /* width from left, length from top */ + default: ++ if (i > 0 && zwidth != crop->combined_width) ++ { ++ TIFFError("computeInputPixelOffsets", ++ "Only equal width regions can be " ++ "combined for -E " ++ "top or bottom"); ++ return (-1); ++ } + crop->combined_width = zwidth; + crop->combined_length += zlength; + break; +@@ -6390,6 +6412,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + crop->combined_width = 0; + crop->combined_length = 0; + ++ /* If there is more than one region, check beforehand whether all the width ++ * and length values of the regions are the same, respectively. */ ++ switch (crop->edge_ref) ++ { ++ default: ++ case EDGE_TOP: ++ case EDGE_BOTTOM: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_width0 = ++ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; ++ uint32_t crop_width1 = ++ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ if (crop_width0 != crop_width1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal width regions can be combined for -E " ++ "top or bottom"); ++ return (1); ++ } ++ } ++ break; ++ case EDGE_LEFT: ++ case EDGE_RIGHT: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_length0 = ++ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; ++ uint32_t crop_length1 = ++ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ if (crop_length0 != crop_length1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (1); ++ } ++ } ++ } ++ + for (i = 0; i < crop->selections; i++) + { + /* rows, columns, width, length are expressed in pixels */ +@@ -6414,7 +6476,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + default: + case EDGE_TOP: + case EDGE_BOTTOM: +- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) ++ if ((crop->selections > i + 1) && ++ (crop_width != crop->regionlist[i + 1].width)) + { + TIFFError ("extractCompositeRegions", + "Only equal width regions can be combined for -E top or bottom"); +@@ -6495,7 +6558,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + break; + case EDGE_LEFT: /* splice the pieces of each row together, side by side */ + case EDGE_RIGHT: +- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) ++ if ((crop->selections > i + 1) && ++ (crop_length != crop->regionlist[i + 1].length)) + { + TIFFError ("extractCompositeRegions", + "Only equal length regions can be combined for -E left or right"); diff --git a/SOURCES/0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch b/SOURCES/0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch new file mode 100644 index 0000000..d28098d --- /dev/null +++ b/SOURCES/0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch @@ -0,0 +1,260 @@ +From 01de2299ed1cf3137235ef8a6657905ef04fc65c Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Tue, 30 Aug 2022 16:56:48 +0200 +Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and + related TIFFTAG_NUMBEROFINKS value + +In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: + +Behaviour for writing: + `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. + `NumberOfInks` is automatically set when `InkNames` is set. + If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. + If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. + +Behaviour for reading: + When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. + If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. + If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. + +This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow + +This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. + +It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. + +(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d) +--- + libtiff/tif_dir.c | 118 ++++++++++++++++++++++++----------------- + libtiff/tif_dir.h | 2 + + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirwrite.c | 5 ++ + libtiff/tif_print.c | 4 ++ + 5 files changed, 82 insertions(+), 49 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index ad550c65..cb329fd8 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -125,32 +125,30 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) + } + + /* +- * Confirm we have "samplesperpixel" ink names separated by \0. Returns ++ * Count ink names separated by \0. Returns + * zero if the ink names are not as expected. + */ +-static uint32 +-checkInkNamesString(TIFF* tif, uint32 slen, const char* s) ++static uint16 ++countInkNamesString(TIFF *tif, uint32 slen, const char *s) + { +- TIFFDirectory* td = &tif->tif_dir; +- uint16 i = td->td_samplesperpixel; ++ uint16 i = 0; ++ const char *ep = s + slen; ++ const char *cp = s; + + if (slen > 0) { +- const char* ep = s+slen; +- const char* cp = s; +- for (; i > 0; i--) { ++ do { + for (; cp < ep && *cp != '\0'; cp++) {} + if (cp >= ep) + goto bad; + cp++; /* skip \0 */ +- } +- return ((uint32)(cp-s)); ++ i++; ++ } while (cp < ep); ++ return (i); + } + bad: + TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", +- "%s: Invalid InkNames value; expecting %d names, found %d", +- tif->tif_name, +- td->td_samplesperpixel, +- td->td_samplesperpixel-i); ++ "%s: Invalid InkNames value; no NUL at given buffer end location %d, after %d ink", ++ tif->tif_name, slen, i); + return (0); + } + +@@ -452,13 +450,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); + break; + case TIFFTAG_INKNAMES: +- v = (uint16) va_arg(ap, uint16_vap); +- s = va_arg(ap, char*); +- v = checkInkNamesString(tif, v, s); +- status = v > 0; +- if( v > 0 ) { +- _TIFFsetNString(&td->td_inknames, s, v); +- td->td_inknameslen = v; ++ { ++ v = (uint16) va_arg(ap, uint16_vap); ++ s = va_arg(ap, char*); ++ uint16 ninksinstring; ++ ninksinstring = countInkNamesString(tif, v, s); ++ status = ninksinstring > 0; ++ if(ninksinstring > 0 ) { ++ _TIFFsetNString(&td->td_inknames, s, v); ++ td->td_inknameslen = v; ++ /* Set NumberOfInks to the value ninksinstring */ ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) ++ { ++ if (td->td_numberofinks != ninksinstring) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the number of inks %d.\n -> NumberOfInks value adapted to %d", ++ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); ++ td->td_numberofinks = ninksinstring; ++ } ++ } else { ++ td->td_numberofinks = ninksinstring; ++ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); ++ } ++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) ++ { ++ if (td->td_numberofinks != td->td_samplesperpixel) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d", ++ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); ++ } ++ } ++ } ++ } ++ break; ++ case TIFFTAG_NUMBEROFINKS: ++ v = (uint16)va_arg(ap, uint16_vap); ++ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ ++ if (TIFFFieldSet(tif, FIELD_INKNAMES)) ++ { ++ if (v != td->td_numberofinks) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Error %s; Tag %s:\n It is not possible to set the value %d for NumberOfInks\n which is different from the number of inks in the InkNames tag (%d)", ++ tif->tif_name, fip->field_name, v, td->td_numberofinks); ++ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ ++ status = 0; ++ } ++ } else { ++ td->td_numberofinks = (uint16)v; ++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) ++ { ++ if (td->td_numberofinks != td->td_samplesperpixel) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d", ++ tif->tif_name, fip->field_name, v, td->td_samplesperpixel); ++ } ++ } + } + break; + case TIFFTAG_PERSAMPLE: +@@ -854,33 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */ + return 0; + +- if( tag == TIFFTAG_NUMBEROFINKS ) +- { +- int i; +- for (i = 0; i < td->td_customValueCount; i++) { +- uint16 val; +- TIFFTagValue *tv = td->td_customValues + i; +- if (tv->info->field_tag != tag) +- continue; +- if( tv->value == NULL ) +- return 0; +- val = *(uint16 *)tv->value; +- /* Truncate to SamplesPerPixel, since the */ +- /* setting code for INKNAMES assume that there are SamplesPerPixel */ +- /* inknames. */ +- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ +- if( val > td->td_samplesperpixel ) +- { +- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", +- "Truncating NumberOfInks from %u to %u", +- val, td->td_samplesperpixel); +- val = td->td_samplesperpixel; +- } +- *va_arg(ap, uint16*) = val; +- return 1; +- } +- return 0; +- } + + /* + * We want to force the custom code to be used for custom +@@ -1068,6 +1087,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + case TIFFTAG_INKNAMES: + *va_arg(ap, char**) = td->td_inknames; + break; ++ case TIFFTAG_NUMBEROFINKS: ++ *va_arg(ap, uint16 *) = td->td_numberofinks; ++ break; + default: + { + int i; +diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h +index 5a380767..b5881b02 100644 +--- a/libtiff/tif_dir.h ++++ b/libtiff/tif_dir.h +@@ -113,6 +113,7 @@ typedef struct { + /* CMYK parameters */ + int td_inknameslen; + char* td_inknames; ++ uint16 td_numberofinks; /* number of inks in InkNames string */ + + int td_customValueCount; + TIFFTagValue *td_customValues; +@@ -168,6 +169,7 @@ typedef struct { + #define FIELD_TRANSFERFUNCTION 44 + #define FIELD_INKNAMES 46 + #define FIELD_SUBIFD 49 ++#define FIELD_NUMBEROFINKS 50 + /* FIELD_CUSTOM (see tiffio.h) 65 */ + /* end of support for well-known tags; codec-private tags follow */ + #define FIELD_CODEC 66 /* base of codec-private tags */ +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index 4904f540..8bbc8323 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -106,7 +106,7 @@ tiffFields[] = { + { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, + { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, + { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, +- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, ++ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, + { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, + { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, + { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index 03a9f296..994fa57a 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -634,6 +634,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) + if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) + goto bad; + } ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) ++ { ++ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) ++ goto bad; ++ } + if (TIFFFieldSet(tif,FIELD_SUBIFD)) + { + if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index b9b53a0f..9caba038 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -404,6 +404,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + } + fputs("\n", fd); + } ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { ++ fprintf(fd, " NumberOfInks: %d\n", ++ td->td_numberofinks); ++ } + if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { + fprintf(fd, " Thresholding: "); + switch (td->td_threshholding) { diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec new file mode 100644 index 0000000..2279722 --- /dev/null +++ b/SPECS/libtiff.spec @@ -0,0 +1,797 @@ +Summary: Library of functions for manipulating TIFF format image files +Name: libtiff +Version: 4.0.9 +Release: 31%{?dist} +License: libtiff +Group: System Environment/Libraries +URL: http://www.simplesystems.org/libtiff/ + +Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz + + +# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0 +# Patches were generated by: git format-patch -N --no-signature ... +Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch +Patch0002: 0002-Fix-Makefile.patch +Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch +Patch0004: 0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch +Patch0005: 0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch +Patch0006: 0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch +Patch0007: 0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch +Patch0008: 0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch +Patch0009: 0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch +Patch0010: 0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch +Patch0011: 0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch +Patch0012: 0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch +Patch0013: 0013-bz1602597-Fix-two-resource-leaks.patch +Patch0014: 0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch +Patch0015: 0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch +Patch0016: 0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch +Patch0017: 0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch +Patch0018: 0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch +Patch0019: 0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch +Patch0020: 0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch +Patch0021: 0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch +Patch0022: 0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch +Patch0023: 0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch +Patch0024: 0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch +Patch0025: 0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch +Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch +Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch +Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch +Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch +Patch0030: 0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch +Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch +Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch +Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch +Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch +Patch0035: 0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch +Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch +Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch +Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch +Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch + + +BuildRequires: gcc, gcc-c++ +BuildRequires: zlib-devel libjpeg-devel jbigkit-devel +BuildRequires: libtool automake autoconf pkgconfig + +%description +The libtiff package contains a library of functions for manipulating +TIFF (Tagged Image File Format) image format files. TIFF is a widely +used file format for bitmapped images. TIFF files usually end in the +.tif extension and they are often quite large. + +The libtiff package should be installed if you need to manipulate TIFF +format image files. + +%package devel +Summary: Development tools for programs which will use the libtiff library +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig%{?_isa} + +%description devel +This package contains the header files and documentation necessary for +developing programs which will manipulate TIFF format image files +using the libtiff library. + +If you need to develop programs which will manipulate TIFF format +image files, you should install this package. You'll also need to +install the libtiff package. + +%package static +Summary: Static TIFF image format file library +Group: Development/Libraries +Requires: %{name}-devel%{?_isa} = %{version}-%{release} + +%description static +The libtiff-static package contains the statically linkable version of libtiff. +Linking to static libraries is discouraged for most applications, but it is +necessary for some boot packages. + +%package tools +Summary: Command-line utility programs for manipulating TIFF files +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description tools +This package contains command-line programs for manipulating TIFF format +image files using the libtiff library. + +%prep +%autosetup -p1 -n tiff-%{version} + +# Use build system's libtool.m4, not the one in the package. +rm -f libtool.m4 + +libtoolize --force --copy +aclocal -I . -I m4 +automake --add-missing --copy +autoconf +autoheader + +%build +export CFLAGS="%{optflags} -fno-strict-aliasing" +%configure --enable-ld-version-script +make %{?_smp_mflags} + +%install +make DESTDIR=$RPM_BUILD_ROOT install + +# remove what we didn't want installed +rm $RPM_BUILD_ROOT%{_libdir}/*.la +rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/ + +# no libGL dependency, please +rm -f $RPM_BUILD_ROOT%{_bindir}/tiffgt + +# no sgi2tiff or tiffsv, either +rm -f $RPM_BUILD_ROOT%{_bindir}/sgi2tiff +rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv + +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1 +rm -f html/man/tiffgt.1.html +rm -f html/man/sgi2tiff.1.html +rm -f html/man/tiffsv.1.html + +# multilib header hack +# we only apply this to known Red Hat multilib arches, per bug #233091 +case `uname -i` in + i386 | ppc | s390 | sparc ) + wordsize="32" + ;; + x86_64 | ppc64 | s390x | sparc64 ) + wordsize="64" + ;; + *) + wordsize="" + ;; +esac + +if test -n "$wordsize" +then + mv $RPM_BUILD_ROOT%{_includedir}/tiffconf.h \ + $RPM_BUILD_ROOT%{_includedir}/tiffconf-$wordsize.h + + cat >$RPM_BUILD_ROOT%{_includedir}/tiffconf.h < + +#if __WORDSIZE == 32 +# include "tiffconf-32.h" +#elif __WORDSIZE == 64 +# include "tiffconf-64.h" +#else +# error "unexpected value for __WORDSIZE macro" +#endif + +#endif +EOF + +fi + +%ldconfig_scriptlets + +%check +LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check + +# don't include documentation Makefiles, they are a multilib hazard +find html -name 'Makefile*' | xargs rm + +%files +%doc COPYRIGHT README RELEASE-DATE VERSION +%{_libdir}/libtiff.so.* +%{_libdir}/libtiffxx.so.* + +%files devel +%doc TODO ChangeLog html +%{_includedir}/* +%{_libdir}/libtiff.so +%{_libdir}/libtiffxx.so +%{_libdir}/pkgconfig/libtiff*.pc +%{_mandir}/man3/* + +%files static +%{_libdir}/*.a + +%files tools +%{_bindir}/* +%{_mandir}/man1/* + +%changelog +* Fri Mar 29 2024 MSVSphere Packaging Team - 4.0.9-31 +- Rebuilt for MSVSphere 8.10 beta + +* Fri Jan 05 2024 Matej Mužila - 4.0.9-31 +- Fix CVE-2022-3599 CVE-2022-4645 +- Resolves: RHEL-5399 + +* Thu Sep 21 2023 Ondrej Sloup - 4.0.9-30 +- Bump specfile to retrigger gating +- Add tests folder for standard beakerlib +- Related: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688 + +* Tue Aug 08 2023 Matej Mužila - 4.0.9-29 +- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 +- Resolves: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688 + +* Tue May 16 2023 Matej Mužila - 4.0.9-28 +- Fix CVE-2022-48281 +- Resolves: CVE-2022-48281 + +* Mon Jan 16 2023 Matej Mužila - 4.0.9-27 +- Fix various CVEs +- Resolves: CVE-2022-3627 CVE-2022-3970 + +* Mon Oct 24 2022 Matej Mužila - 4.0.9-26 +- Fix various CVEs +- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953 + +* Tue Sep 06 2022 Matej Mužila - 4.0.9-25 +- Fix CVE-2022-2867 (#2118857) +- Fix CVE-2022-2868 (#2118882) +- Fix CVE-2022-2869 (#2118878) + +* Mon Jul 18 2022 Matej Mužila - 4.0.9-24 +- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 +- Resolves: #2103222 + +* Thu May 12 2022 Matej Mužila - 4.0.9-23 +- Fix various CVEs +- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865 + CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355 + +* Wed Sep 29 2021 Nikola Forró - 4.0.9-21 +- Fix CVE-2020-19131 (#2006535) + +* Thu Apr 29 2021 Nikola Forró - 4.0.9-20 +- Rebuild for fixed binutils (#1954437) + +* Fri Apr 09 2021 Nikola Forró - 4.0.9-19 +- Fix CVE-2020-35521 (#1945539) +- Fix CVE-2020-35522 (#1945555) +- Fix CVE-2020-35523 (#1945542) +- Fix CVE-2020-35524 (#1945546) + +* Thu Feb 20 2020 Nikola Forró - 4.0.9-18 +- Fix CVE-2019-17546 (#1771372) + +* Thu Nov 28 2019 Nikola Forró - 4.0.9-17 +- Add upstream test suite and enable it in gating + +* Wed Nov 27 2019 Nikola Forró - 4.0.9-16 +- Fix CVE-2019-14973 (#1755705) + +* Wed Jun 12 2019 Nikola Forró - 4.0.9-15 +- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579) + +* Thu Jun 06 2019 Nikola Forró - 4.0.9-14 +- Fix CVE-2018-12900 (#1595579) + +* Thu Dec 13 2018 Nikola Forró - 4.0.9-13 +- Fix compiler warning introduced by patch for CVE-2018-18661 + +* Wed Nov 14 2018 Nikola Forró - 4.0.9-12 +- Fix CVE-2018-18557 (#1647738) and CVE-2018-18661 (#1644452) + +* Mon Oct 15 2018 Nikola Forró - 4.0.9-11 +- Fix important Covscan defects (#1602597) + +* Mon Oct 15 2018 Nikola Forró - 4.0.9-10 +- Fix CVE-2018-17100 (#1631073) + +* Wed May 30 2018 Nikola Forró - 4.0.9-9 +- Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-8905 (#1559708) + and CVE-2018-10963 (#1579060) + +* Tue Apr 17 2018 Nikola Forró - 4.0.9-8 +- Fix CVE-2018-7456 (#1556709) + +* Fri Mar 23 2018 Nikola Forró - 4.0.9-7 +- Fix CVE-2018-5784 (#1537742) + +* Tue Feb 20 2018 Nikola Forró - 4.0.9-6 +- Add missing gcc-c++ build dependency + +* Tue Feb 20 2018 Nikola Forró - 4.0.9-5 +- Add missing gcc build dependency + +* Wed Feb 07 2018 Fedora Release Engineering - 4.0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 4.0.9-3 +- Switch to %%ldconfig_scriptlets + +* Mon Dec 11 2017 Nikola Forró - 4.0.9-2 +- Fix unescaped macro in changelog entry (#1523643) + +* Thu Nov 23 2017 Nikola Forró - 4.0.9-1 +- New upstream version libtiff-4.0.9 (#1514863) + +* Thu Aug 03 2017 Fedora Release Engineering - 4.0.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 4.0.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon May 22 2017 Nikola Forró - 4.0.8-1 +- New upstream version libtiff-4.0.8 (#1453030) + +* Wed Apr 12 2017 Nikola Forró - 4.0.7-5 +- Fix CVE-2017-759{2,3,4,5,6,7,8,9}, CVE-2017-760{0,1,2} (#1441273) + +* Wed Apr 05 2017 Nikola Forró - 4.0.7-4 +- Fix CVE-2016-1026{6,7,8,9}, CVE-2016-1027{0,1,2} (#1438464) + +* Fri Feb 10 2017 Fedora Release Engineering - 4.0.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jan 24 2017 Nikola Forró - 4.0.7-2 +- Fix Hylafax breakage (#1416042) + +* Mon Nov 21 2016 Nikola Forró - 4.0.7-1 +- New upstream version libtiff-4.0.7 (#1396769) + +* Thu Feb 04 2016 Fedora Release Engineering - 4.0.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Oct 09 2015 Petr Hracek - 4.0.6-1 +- New upstream version libtiff-4.0.6 (#1262585) + +* Wed Sep 09 2015 Petr Hracek - 4.0.5-1 +- New upstream version libtiff-4.0.5 (#1258286) + +* Mon Jun 22 2015 Petr Hracek - 4.0.4-1 +- New upstream version libtiff-4.0.4 (#1234191) + +* Fri Jun 19 2015 Petr Hracek - 4.0.4beta-1 +- New upstream version libtiff-4.0.4beta (#1186219) + +* Wed Jun 17 2015 Fedora Release Engineering - 4.0.3-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 19 2015 Petr Hracek - 4.0.3-20 +- CVE-2014-9655 and CVE-2015-1547 #1190710 + +* Sat May 02 2015 Kalev Lember - 4.0.3-19 +- Rebuilt for GCC 5 C++11 ABI change + +* Sun Aug 17 2014 Fedora Release Engineering - 4.0.3-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Aug 12 2014 Kalev Lember - 4.0.3-17 +- Rebuilt for libjbig soname bump + +* Sat Jun 07 2014 Fedora Release Engineering - 4.0.3-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 21 2014 Petr Hracek - 4.0.3-15 +- Add upstream patches for CVE-2013-4243 (#996832) + +* Thu Dec 19 2013 Petr Hracek - 4.0.3-14 +- Fix: #1044609 Can't install both architectures + +* Wed Dec 18 2013 Petr Hracek - 4.0.3-13 +- Fix #510240 Correct tiff2ps man option -W + +* Wed Oct 16 2013 Petr Hracek - 4.0.3-12 +- make check moved to %%check section (#1017070) + +* Tue Oct 08 2013 Petr Hracek - 4.0.3-11 +- Resolves: #510258, #510240 - man page corrections + +* Mon Aug 19 2013 Petr Hracek 4.0.3-10 +- Add upstream patches for CVE-2013-4244 +Resolves: #996468 + +* Wed Aug 14 2013 Petr Hracek 4.0.3-9 +- Add upstream patches for CVE-2013-4231 CVE-2013-4232 +Resolves: #995965 #995975 + +* Mon Aug 12 2013 Petr Hracek - 4.0.3-8 +- Manpage fixing (#510240, #510258) + +* Sat Aug 03 2013 Fedora Release Engineering - 4.0.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu May 2 2013 Tom Lane 4.0.3-6 +- Add upstream patches for CVE-2013-1960, CVE-2013-1961 +Resolves: #958609 + +* Thu Feb 14 2013 Fedora Release Engineering - 4.0.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Adam Tkac - 4.0.3-4 +- rebuild due to "jpeg8-ABI" feature drop + +* Wed Dec 19 2012 Tom Lane 4.0.3-3 +- Add upstream patch to avoid bogus self-test failure with libjpeg-turbo v8 + +* Thu Dec 13 2012 Tom Lane 4.0.3-2 +- Add upstream patches for CVE-2012-4447, CVE-2012-4564 + (note: CVE-2012-5581 is already fixed in 4.0.3) +Resolves: #880907 + +* Thu Oct 4 2012 Tom Lane 4.0.3-1 +- Update to libtiff 4.0.3 + +* Fri Aug 3 2012 Tom Lane 4.0.2-6 +- Remove compat subpackage; no longer needed +- Minor specfile cleanup per suggestions from Tom Callaway +Related: #845110 + +* Thu Aug 2 2012 Tom Lane 4.0.2-5 +- Add accessor functions for opaque type TIFFField (backport of not-yet-released + upstream feature addition; needed to fix freeimage) + +* Sun Jul 22 2012 Tom Lane 4.0.2-4 +- Add patches for CVE-2012-3401 +Resolves: #841736 + +* Thu Jul 19 2012 Fedora Release Engineering - 4.0.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 03 2012 Karsten Hopp 4.0.2-2 +- add opensuse bigendian patch to fix raw_decode self check failure on ppc*, s390* + +* Thu Jun 28 2012 Tom Lane 4.0.2-1 +- Update to libtiff 4.0.2, includes fix for CVE-2012-2113 + (note that CVE-2012-2088 does not apply to 4.0.x) +- Update libtiff-compat to 3.9.6 and add patches to it for + CVE-2012-2088, CVE-2012-2113 +Resolves: #832866 + +* Fri Jun 1 2012 Tom Lane 4.0.1-2 +- Enable JBIG support +Resolves: #826240 + +* Sun May 6 2012 Tom Lane 4.0.1-1 +- Update to libtiff 4.0.1, adds BigTIFF support and other features; + library soname is bumped from libtiff.so.3 to libtiff.so.5 +Resolves: #782383 +- Temporarily package 3.9.5 shared library (only) in libtiff-compat subpackage + so that dependent packages won't be broken while rebuilding proceeds + +* Thu Apr 5 2012 Tom Lane 3.9.5-3 +- Add fix for CVE-2012-1173 +Resolves: #CVE-2012-1173 + +* Fri Jan 13 2012 Fedora Release Engineering - 3.9.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Apr 12 2011 Tom Lane 3.9.5-1 +- Update to libtiff 3.9.5, incorporating all our previous patches plus other + fixes, notably the fix for CVE-2009-5022 +Related: #695885 + +* Mon Mar 21 2011 Tom Lane 3.9.4-4 +- Fix incorrect fix for CVE-2011-0192 +Resolves: #684007 +Related: #688825 +- Add fix for CVE-2011-1167 +Resolves: #689574 + +* Wed Mar 2 2011 Tom Lane 3.9.4-3 +- Add patch for CVE-2011-0192 +Resolves: #681672 +- Fix non-security-critical potential SIGSEGV in gif2tiff +Related: #648820 + +* Tue Feb 08 2011 Fedora Release Engineering - 3.9.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jun 22 2010 Tom Lane 3.9.4-1 +- Update to libtiff 3.9.4, for numerous bug fixes including fixes for + CVE-2010-1411, CVE-2010-2065, CVE-2010-2067 +Resolves: #554371 +Related: #460653, #588784, #601274, #599576, #592361, #603024 +- Add fixes for multiple SIGSEGV problems +Resolves: #583081 +Related: #603081, #603699, #603703 + +* Tue Jan 5 2010 Tom Lane 3.9.2-3 +- Apply Adam Goode's fix for Warmerdam's fix +Resolves: #552360 +Resolves: #533353 +- Add some defenses to prevent tiffcmp from crashing on downsampled JPEG + images; this isn't enough to make it really work correctly though +Related: #460322 + +* Wed Dec 16 2009 Tom Lane 3.9.2-2 +- Apply Warmerdam's partial fix for bug #460322 ... better than nothing. +Related: #460322 + +* Thu Dec 3 2009 Tom Lane 3.9.2-1 +- Update to libtiff 3.9.2; stop carrying a lot of old patches +Resolves: #520734 +- Split command-line tools into libtiff-tools subpackage +Resolves: #515170 +- Use build system's libtool instead of what package contains; + among other cleanup this gets rid of unwanted rpath specs in executables +Related: #226049 + +* Thu Oct 15 2009 Tom Lane 3.8.2-16 +- add sparc/sparc64 to multilib header support + +* Sat Jul 25 2009 Fedora Release Engineering - 3.8.2-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jul 13 2009 Tom Lane 3.8.2-14 +- Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347) +Related: #510041 + +* Wed Jul 1 2009 Tom Lane 3.8.2-13 +- Fix some more LZW decoding vulnerabilities (CVE-2009-2285) +Related: #507465 +- Update upstream URL + +* Wed Feb 25 2009 Fedora Release Engineering - 3.8.2-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Aug 26 2008 Tom Lane 3.8.2-11 +- Fix LZW decoding vulnerabilities (CVE-2008-2327) +Related: #458674 +- Use -fno-strict-aliasing per rpmdiff recommendation + +* Tue Feb 19 2008 Fedora Release Engineering - 3.8.2-10 +- Autorebuild for GCC 4.3 + +* Wed Aug 22 2007 Tom Lane 3.8.2-9 +- Update License tag +- Rebuild to fix Fedora toolchain issues + +* Thu Jul 19 2007 Tom Lane 3.8.2-8 +- Restore static library to distribution, in a separate -static subpackage +Resolves: #219905 +- Don't apply multilib header hack to unrecognized architectures +Resolves: #233091 +- Remove documentation for programs we don't ship +Resolves: #205079 +Related: #185145 + +* Tue Jan 16 2007 Tom Lane 3.8.2-7 +- Remove Makefiles from the shipped /usr/share/doc/html directories +Resolves: bz #222729 + +* Tue Sep 5 2006 Jindrich Novy - 3.8.2-6 +- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362) +- fix typo in man page for tiffset (#186297) +- use %%{?dist} + +* Mon Jul 24 2006 Matthias Clasen +- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461 + CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) + +* Wed Jul 12 2006 Jesse Keating - 3.8.2-4.1 +- rebuild + +* Fri Jun 2 2006 Matthias Clasen - 3.8.2-3 +- Fix multilib conflict + +* Thu May 25 2006 Matthias Clasen - 3.8.2-3 +- Fix overflows in tiffsplit + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-2 +- Drop tiffgt to get rid of the libGL dependency (#190768) + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-1 +- Update to 3.8.2 + +* Fri Feb 10 2006 Jesse Keating - 3.7.4-3.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 3.7.4-3.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Wed Nov 16 2005 Matthias Clasen 3.7.4-3 +- Don't ship static libs + +* Fri Nov 11 2005 Matthias Saou 3.7.4-2 +- Remove useless explicit dependencies. +- Minor spec file cleanups. +- Move make check to %%check. +- Add _smp_mflags. + +* Thu Sep 29 2005 Matthias Clasen - 3.7.4-1 +- Update to 3.7.4 +- Drop upstreamed patches + +* Wed Jun 29 2005 Matthias Clasen - 3.7.2-1 +- Update to 3.7.2 +- Drop upstreamed patches + +* Fri May 6 2005 Matthias Clasen - 3.7.1-6 +- Fix a stack overflow + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-5 +- Don't use mktemp + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-4 +- Rebuild with gcc4 + +* Wed Jan 5 2005 Matthias Clasen - 3.7.1-3 +- Drop the largefile patch again +- Fix a problem with the handling of alpha channels +- Fix an integer overflow in tiffdump (#143576) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-2 +- Readd the largefile patch (#143560) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-1 +- Upgrade to 3.7.1 +- Remove upstreamed patches +- Remove specfile cruft +- make check + +* Thu Oct 14 2004 Matthias Clasen 3.6.1-7 +- fix some integer and buffer overflows (#134853, #134848) + +* Tue Oct 12 2004 Matthias Clasen 3.6.1-6 +- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483 + +* Mon Sep 27 2004 Rik van Riel 3.6.1-4 +- compile using RPM_OPT_FLAGS (bz #133650) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu May 20 2004 Matthias Clasen 3.6.1-2 +- Fix and use the makeflags patch + +* Wed May 19 2004 Matthias Clasen 3.6.1-1 +- Upgrade to 3.6.1 +- Adjust patches +- Don't install tiffgt man page (#104864) + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Sat Feb 21 2004 Florian La Roche +- really add symlink to shared lib by running ldconfig at compile time + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Oct 09 2003 Florian La Roche +- link shared lib against -lm (Jakub Jelinek) + +* Thu Sep 25 2003 Jeremy Katz 3.5.7-13 +- rebuild to fix gzipped file md5sum (#91281) + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Tue Feb 11 2003 Phil Knirsch 3.5.7-11 +- Fixed rebuild problems. + +* Tue Feb 04 2003 Florian La Roche +- add symlink to shared lib + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Thu Dec 12 2002 Tim Powers 3.5.7-8 +- rebuild on all arches + +* Mon Aug 19 2002 Phil Knirsch 3.5.7-7 +- Added LFS support (#71593) + +* Tue Jun 25 2002 Phil Knirsch 3.5.7-6 +- Fixed wrong exit code of tiffcp app (#67240) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Wed May 15 2002 Phil Knirsch +- Fixed segfault in fax2tiff tool (#64708). + +* Mon Feb 25 2002 Phil Knirsch +- Fixed problem with newer bash versions setting CDPATH (#59741) + +* Tue Feb 19 2002 Phil Knirsch +- Update to current release 3.5.7 + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Tue Aug 28 2001 Phil Knirsch +- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x + and ia64 were missing (#52129). + +* Tue Jun 26 2001 Philipp Knirsch +- Hopefully final symlink fix + +* Thu Jun 21 2001 Than Ngo +- add missing libtiff symlink + +* Fri Mar 16 2001 Crutcher Dunnavant +- killed tiff-to-ps.fpi filter + +* Wed Feb 28 2001 Philipp Knirsch +- Fixed missing devel version dependancy. + +* Tue Dec 19 2000 Philipp Knirsch +- rebuild + +* Mon Aug 7 2000 Crutcher Dunnavant +- added a tiff-to-ps.fpi filter for printing + +* Thu Jul 13 2000 Prospector +- automatic rebuild + +* Thu Jul 13 2000 Nalin Dahyabhai +- apply Peter Skarpetis's fix for the 32-bit conversion + +* Mon Jul 3 2000 Nalin Dahyabhai +- make man pages non-executable (#12811) + +* Mon Jun 12 2000 Nalin Dahyabhai +- remove CVS repo info from data directories + +* Thu May 18 2000 Nalin Dahyabhai +- fix build rooting +- fix syntax error in configure script +- move man pages to {_mandir} + +* Wed May 17 2000 Nalin Dahyabhai +- rebuild for an errata release + +* Wed Mar 29 2000 Nalin Dahyabhai +- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix + +* Tue Mar 28 2000 Nalin Dahyabhai +- fix fax2ps swapping height and width in the bounding box + +* Mon Mar 27 2000 Nalin Dahyabhai +- move man pages from devel package to the regular one +- integrate Frank Warmerdam's fixed .fax handling code (keep until next release + of libtiff) +- fix fax2ps breakage (bug #8345) + +* Sat Feb 05 2000 Nalin Dahyabhai +- set MANDIR=man3 to make multifunction man pages friendlier + +* Mon Jan 31 2000 Nalin Dahyabhai +- fix URLs + +* Fri Jan 28 2000 Nalin Dahyabhai +- link shared library against libjpeg and libz + +* Tue Jan 18 2000 Nalin Dahyabhai +- enable zip and jpeg codecs +- change defattr in normal package to 0755 +- add defattr to -devel package + +* Wed Dec 22 1999 Bill Nottingham +- update to 3.5.4 + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 6) + +* Wed Jan 13 1999 Cristian Gafton +- build for glibc 2.1 + +* Wed Jun 10 1998 Prospector System +- translations modified for de + +* Wed Jun 10 1998 Michael Fulbright +- rebuilt against fixed jpeg libs (libjpeg-6b) + +* Thu May 07 1998 Prospector System +- translations modified for de, fr, tr + +* Mon Oct 13 1997 Donnie Barnes +- new version to replace the one from libgr +- patched for glibc +- added shlib support