Merge pull request #4853 from StevenHessing/noddos
[feed/packages.git] / libs / tiff / patches / 013-CVE-2016-10095_CVE-2017-9147.patch
1 commit 40448d58fbfad52d2dde5bd18daa30b17fe35fcd
2 Author: erouault <erouault>
3 Date: Thu Jun 1 12:44:04 2017 +0000
4
5 * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
6 and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
7 codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
8 to behave differently depending on whether the codec is enabled or not, and
9 thus can avoid stack based buffer overflows in a number of TIFF utilities
10 such as tiffsplit, tiffcmp, thumbnail, etc.
11 Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
12 (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
13 Fixes:
14 http://bugzilla.maptools.org/show_bug.cgi?id=2580
15 http://bugzilla.maptools.org/show_bug.cgi?id=2693
16 http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
17 http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
18 http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
19 http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
20 http://bugzilla.maptools.org/show_bug.cgi?id=2441
21 http://bugzilla.maptools.org/show_bug.cgi?id=2433
22
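diff --git a/ChangeLog b/ChangeLog
index 04881ba7..ebd1a3c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,23 @@
+2017-06-01 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+ to behave differently depending on whether the codec is enabled or not, and
+ thus can avoid stack based buffer overflows in a number of TIFF utilities
+ such as tiffsplit, tiffcmp, thumbnail, etc.
+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+ Fixes:
+ http://bugzilla.maptools.org/show_bug.cgi?id=2580
+ http://bugzilla.maptools.org/show_bug.cgi?id=2693
+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+ http://bugzilla.maptools.org/show_bug.cgi?id=2441
+ http://bugzilla.maptools.org/show_bug.cgi?id=2433
+
 2017-05-29 Even Rouault <even.rouault at spatialys.com>
 
 * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for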
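diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
index 6af5f3dc..5a380767 100644
--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
 * Copyright (c) 1988-1997 Sam Leffler
@@ -291,6 +291,7 @@ struct _TIFFField {
 extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
 extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
 extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
 
 #if defined(__cplusplus)
 }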
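diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index 23ad0020..4904f540 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
 * Copyright (c) 1988-1997 Sam Leffler
@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
 return 0;
 }
 
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+ /* Filter out non-codec specific tags */
+ switch (tag) {
+ /* Shared tags */
+ case TIFFTAG_PREDICTOR:
+ /* JPEG tags */
+ case TIFFTAG_JPEGTABLES:
+ /* OJPEG tags */
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ /* CCITT* */
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ case TIFFTAG_GROUP3OPTIONS:
+ case TIFFTAG_GROUP4OPTIONS:
+ break;
+ default:
+ return 1;
+ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
+ case COMPRESSION_LZW:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PACKBITS:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_THUNDERSCAN:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_NEXT:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_JPEG:
+ if (tag == TIFFTAG_JPEGTABLES)
+ return 1;
+ break;
+ case COMPRESSION_OJPEG:
+ switch (tag) {
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ return 1;
+ }
+ break;
+ case COMPRESSION_CCITTRLE:
+ case COMPRESSION_CCITTRLEW:
+ case COMPRESSION_CCITTFAX3:
+ case COMPRESSION_CCITTFAX4:
+ switch (tag) {
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ return 1;
+ case TIFFTAG_GROUP3OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+ return 1;
+ break;
+ case TIFFTAG_GROUP4OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+ return 1;
+ break;
+ }
+ break;
+ case COMPRESSION_JBIG:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_DEFLATE:
+ case COMPRESSION_ADOBE_DEFLATE:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PIXARLOG:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_SGILOG:
+ case COMPRESSION_SGILOG24:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_LZMA:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+
+ }
+ return 0;
+}
+
 /* vim: set ts=8 sts=8 sw=8 noet: */
 
 /*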
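Review bot: The first switch in `_TIFFCheckFieldIsValidForCodec()` fails open: its `default: return 1;` keeps every tag that is not listed, so a codec-registered tag missing from that list is accepted under any compression value, and the list has to be maintained by hand alongside each codec's field table. The second switch has no `default`, so unlisted compression values reach `return 0` only implicitly; I would spell that out with `default: /* unknown or tag-less codec: drop codec-specific tags */ break;`. The function also has no header comment; it should say that 1 means keep and 0 means ignore, and that the answer depends on `tif->tif_dir.td_compression` already holding the directory's Compression value at call time, which this hunk cannot show. As far as the visible code goes, the decision follows the compression value recorded for the directory rather than whether that codec was compiled in, which is narrower than the "codec is not enabled" wording of the commit message, so a build without a given codec may still need its own handling.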
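diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 772ebaf7..acde78b5 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
 * Copyright (c) 1988-1997 Sam Leffler
@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
 goto bad;
 dp->tdir_tag=IGNORE;
 break;
+ default:
+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+ dp->tdir_tag=IGNORE;
+ break;
 }
 }
 }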
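Review bot: The new `default:` arm discards a codec-specific tag silently by setting `dp->tdir_tag=IGNORE`, so a file that carries such tags under a mismatched compression leaves no diagnostic for whoever triages it. Consider warning before the tag is dropped, for example `TIFFWarningExt(tif->tif_clientdata, module, "Ignoring codec-specific tag %d for this compression", dp->tdir_tag);`, assuming `module` is declared in TIFFReadDirectory (its declaration is outside the hunk). The check is only meaningful if the Compression entry has been applied before this switch is reached; that ordering is not visible here and deserves a comment such as `/* td_compression must already be set: codec tags are validated against it */`. TIFFReadDirectory's body starts and ends outside the hunk.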