commit 20671c6b0ec6e3bbfe4970b9baf25a79fbc36b44
Author: Fredrik Rinnestam <fredrik(a)crux.nu>
Date: Thu Jul 5 20:14:53 2012 +0200
[notify] libtiff: resolves CVE-2012-2088 and CVE-2012-2113
diff --git a/libtiff/.md5sum b/libtiff/.md5sum
index fef759e..93348c1 100644
--- a/libtiff/.md5sum
+++ b/libtiff/.md5sum
@@ -1 +1,3 @@
+f8f762ce62748d4d39d753823158342b CVE-2012-2088.patch
+45e96e9c6f56a16dd3f7d3b7cca61bc5 CVE-2012-2113.patch
6920f3bf628d791d49f268b83612ed23 tiff-3.9.6.tar.gz
diff --git a/libtiff/CVE-2012-2088.patch b/libtiff/CVE-2012-2088.patch
new file mode 100644
index 0000000..2484b78
--- /dev/null
+++ b/libtiff/CVE-2012-2088.patch
@@ -0,0 +1,162 @@
+Index: libtiff/tif_strip.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
+retrieving revision 1.19.2.3
+diff -c -r1.19.2.3 tif_strip.c
+*** libtiff/tif_strip.c 15 Dec 2010 00:50:30 -0000 1.19.2.3
+--- libtiff/tif_strip.c 17 Apr 2012 18:14:22 -0000
+***************
+*** 107,112 ****
+--- 107,113 ----
+ TIFFVStripSize(TIFF* tif, uint32 nrows)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
++ uint32 stripsize;
+
+ if (nrows == (uint32) -1)
+ nrows = td->td_imagelength;
+***************
+*** 122,128 ****
+ * YCbCr data for the extended image.
+ */
+ uint16 ycbcrsubsampling[2];
+! tsize_t w, scanline, samplingarea;
+
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+--- 123,129 ----
+ * YCbCr data for the extended image.
+ */
+ uint16 ycbcrsubsampling[2];
+! uint32 w, scanline, samplingarea;
+
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+***************
+*** 141,153 ****
+ nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
+ /* NB: don't need TIFFhowmany here 'cuz everything is rounded */
+ scanline = multiply(tif, nrows, scanline, "TIFFVStripSize");
+! return ((tsize_t)
+ summarize(tif, scanline,
+ multiply(tif, 2, scanline / samplingarea,
+! "TIFFVStripSize"), "TIFFVStripSize"));
+ } else
+! return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif),
+! "TIFFVStripSize"));
+ }
+
+
+--- 142,160 ----
+ nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
+ /* NB: don't need TIFFhowmany here 'cuz everything is rounded */
+ scanline = multiply(tif, nrows, scanline, "TIFFVStripSize");
+! stripsize =
+ summarize(tif, scanline,
+ multiply(tif, 2, scanline / samplingarea,
+! "TIFFVStripSize"), "TIFFVStripSize");
+ } else
+! stripsize = multiply(tif, nrows, TIFFScanlineSize(tif),
+! "TIFFVStripSize");
+! /* Because tsize_t is signed, we might have conversion overflow */
+! if (((tsize_t) stripsize) < 0) {
+! TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize");
+! stripsize = 0;
+! }
+! return (tsize_t) stripsize;
+ }
+
+
+Index: libtiff/tif_tile.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_tile.c,v
+retrieving revision 1.12.2.1
+diff -c -r1.12.2.1 tif_tile.c
+*** libtiff/tif_tile.c 8 Jun 2010 18:50:43 -0000 1.12.2.1
+--- libtiff/tif_tile.c 17 Apr 2012 18:14:22 -0000
+***************
+*** 174,180 ****
+ TIFFTileRowSize(TIFF* tif)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+! tsize_t rowsize;
+
+ if (td->td_tilelength == 0 || td->td_tilewidth == 0)
+ return ((tsize_t) 0);
+--- 174,180 ----
+ TIFFTileRowSize(TIFF* tif)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+! uint32 rowsize;
+
+ if (td->td_tilelength == 0 || td->td_tilewidth == 0)
+ return ((tsize_t) 0);
+***************
+*** 193,199 ****
+ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+! tsize_t tilesize;
+
+ if (td->td_tilelength == 0 || td->td_tilewidth == 0 ||
+ td->td_tiledepth == 0)
+--- 193,199 ----
+ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+! uint32 tilesize;
+
+ if (td->td_tilelength == 0 || td->td_tilewidth == 0 ||
+ td->td_tiledepth == 0)
+***************
+*** 209,220 ****
+ * horizontal/vertical subsampling area include
+ * YCbCr data for the extended image.
+ */
+! tsize_t w =
+ TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]);
+! tsize_t rowsize =
+ TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
+ "TIFFVTileSize"));
+! tsize_t samplingarea =
+ td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1];
+ if (samplingarea == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling");
+--- 209,220 ----
+ * horizontal/vertical subsampling area include
+ * YCbCr data for the extended image.
+ */
+! uint32 w =
+ TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]);
+! uint32 rowsize =
+ TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
+ "TIFFVTileSize"));
+! uint32 samplingarea =
+ td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1];
+ if (samplingarea == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling");
+***************
+*** 230,237 ****
+ } else
+ tilesize = multiply(tif, nrows, TIFFTileRowSize(tif),
+ "TIFFVTileSize");
+! return ((tsize_t)
+! multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"));
+ }
+
+ /*
+--- 230,242 ----
+ } else
+ tilesize = multiply(tif, nrows, TIFFTileRowSize(tif),
+ "TIFFVTileSize");
+! tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize");
+! /* Because tsize_t is signed, we might have conversion overflow */
+! if (((tsize_t) tilesize) < 0) {
+! TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize");
+! tilesize = 0;
+! }
+! return (tsize_t) tilesize;
+ }
+
+ /*
+
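Review bot: In the new tails of TIFFVStripSize and TIFFVTileSize, overflow is reported by logging an error and returning 0, but nothing visible documents 0 as a failure value, so any caller that sizes a buffer from the result has to check for 0 before allocating or reading into it. I would add a comment above each function, for example `/* Returns 0 on integer overflow; callers must treat 0 as an error. */`. The tests `((tsize_t) stripsize) < 0` and `((tsize_t) tilesize) < 0` also rely on the implementation-defined result of converting an out-of-range unsigned value to a signed type; comparing the uint32 value against the largest positive tsize_t before the cast would not depend on that. Parts of both function bodies lie outside the embedded context-diff hunks, so the elided lines and the callers could not be checked here.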
diff --git a/libtiff/CVE-2012-2113.patch b/libtiff/CVE-2012-2113.patch
new file mode 100644
index 0000000..c5063fd
--- /dev/null
+++ b/libtiff/CVE-2012-2113.patch
@@ -0,0 +1,340 @@
+mv Index: tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.37.2.19
+diff -c -r1.37.2.19 tiff2pdf.c
+*** tools/tiff2pdf.c 13 Dec 2010 05:41:11 -0000 1.37.2.19
+--- tools/tiff2pdf.c 17 Apr 2012 20:15:03 -0000
+***************
+*** 431,436 ****
+--- 431,464 ----
+ (void) handle, (void) data, (void) offset;
+ }
+
++ static uint64
++ checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p)
++ {
++ uint64 bytes = summand1 + summand2;
++
++ if (bytes - summand1 != summand2) {
++ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++ t2p->t2p_error = T2P_ERR_ERROR;
++ bytes = 0;
++ }
++
++ return bytes;
++ }
++
++ static uint64
++ checkMultiply64(uint64 first, uint64 second, T2P* t2p)
++ {
++ uint64 bytes = first * second;
++
++ if (second && bytes / second != first) {
++ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++ t2p->t2p_error = T2P_ERR_ERROR;
++ bytes = 0;
++ }
++
++ return bytes;
++ }
++
+ /*
+
+ This is the main function.
+***************
+*** 1773,1781 ****
+ tstrip_t i=0;
+ tstrip_t stripcount=0;
+ #endif
+! #ifdef OJPEG_SUPPORT
+! tsize_t k = 0;
+! #endif
+
+ if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
+ #ifdef CCITT_SUPPORT
+--- 1801,1807 ----
+ tstrip_t i=0;
+ tstrip_t stripcount=0;
+ #endif
+! uint64 k = 0;
+
+ if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
+ #ifdef CCITT_SUPPORT
+***************
+*** 1803,1821 ****
+ }
+ stripcount=TIFFNumberOfStrips(input);
+ for(i=0;i<stripcount;i++){
+! k += sbc[i];
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){
+ if(t2p->tiff_dataoffset != 0){
+ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){
+ if(t2p->tiff_datasize < k) {
+- t2p->pdf_ojpegiflength=t2p->tiff_datasize;
+- t2p->tiff_datasize+=k;
+- t2p->tiff_datasize+=6;
+- t2p->tiff_datasize+=2*stripcount;
+ TIFFWarning(TIFF2PDF_MODULE,
+ "Input file %s has short JPEG interchange file byte count",
+ TIFFFileName(input));
+ return;
+ }
+ return;
+--- 1829,1853 ----
+ }
+ stripcount=TIFFNumberOfStrips(input);
+ for(i=0;i<stripcount;i++){
+! k = checkAdd64(k, sbc[i], t2p);
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){
+ if(t2p->tiff_dataoffset != 0){
+ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){
+ if(t2p->tiff_datasize < k) {
+ TIFFWarning(TIFF2PDF_MODULE,
+ "Input file %s has short JPEG interchange file byte count",
+ TIFFFileName(input));
++ t2p->pdf_ojpegiflength=t2p->tiff_datasize;
++ k = checkAdd64(k, t2p->tiff_datasize, t2p);
++ k = checkAdd64(k, 6, t2p);
++ k = checkAdd64(k, stripcount, t2p);
++ k = checkAdd64(k, stripcount, t2p);
++ t2p->tiff_datasize = (tsize_t) k;
++ if ((uint64) t2p->tiff_datasize != k) {
++ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++ t2p->t2p_error = T2P_ERR_ERROR;
++ }
+ return;
+ }
+ return;
+***************
+*** 1828,1836 ****
+ }
+ }
+ }
+! t2p->tiff_datasize+=k;
+! t2p->tiff_datasize+=2*stripcount;
+! t2p->tiff_datasize+=2048;
+ return;
+ }
+ #endif
+--- 1860,1873 ----
+ }
+ }
+ }
+! k = checkAdd64(k, stripcount, t2p);
+! k = checkAdd64(k, stripcount, t2p);
+! k = checkAdd64(k, 2048, t2p);
+! t2p->tiff_datasize = (tsize_t) k;
+! if ((uint64) t2p->tiff_datasize != k) {
+! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+! t2p->t2p_error = T2P_ERR_ERROR;
+! }
+ return;
+ }
+ #endif
+***************
+*** 1839,1849 ****
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
+ if(count > 4){
+! t2p->tiff_datasize += count;
+! t2p->tiff_datasize -= 2; /* don't use EOI of header */
+ }
+ } else {
+! t2p->tiff_datasize = 2; /* SOI for first strip */
+ }
+ stripcount=TIFFNumberOfStrips(input);
+ if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
+--- 1876,1886 ----
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
+ if(count > 4){
+! k += count;
+! k -= 2; /* don't use EOI of header */
+ }
+ } else {
+! k = 2; /* SOI for first strip */
+ }
+ stripcount=TIFFNumberOfStrips(input);
+ if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
+***************
+*** 1854,1871 ****
+ return;
+ }
+ for(i=0;i<stripcount;i++){
+! t2p->tiff_datasize += sbc[i];
+! t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */
+ }
+- t2p->tiff_datasize +=2; /* use EOI of last strip */
+ return;
+ }
+ #endif
+ (void) 0;
+ }
+! t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length;
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+! t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
+ }
+
+ return;
+--- 1891,1923 ----
+ return;
+ }
+ for(i=0;i<stripcount;i++){
+! k = checkAdd64(k, sbc[i], t2p);
+! k -=4; /* don't use SOI or EOI of strip */
+! }
+! k = checkAdd64(k, 2, t2p); /* use EOI of last strip */
+! t2p->tiff_datasize = (tsize_t) k;
+! if ((uint64) t2p->tiff_datasize != k) {
+! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+! t2p->t2p_error = T2P_ERR_ERROR;
+ }
+ return;
+ }
+ #endif
+ (void) 0;
+ }
+! k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+! k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+! }
+! if (k == 0) {
+! /* Assume we had overflow inside TIFFScanlineSize */
+! t2p->t2p_error = T2P_ERR_ERROR;
+! }
+!
+! t2p->tiff_datasize = (tsize_t) k;
+! if ((uint64) t2p->tiff_datasize != k) {
+! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+! t2p->t2p_error = T2P_ERR_ERROR;
+ }
+
+ return;
+***************
+*** 1883,1888 ****
+--- 1935,1941 ----
+ #ifdef JPEG_SUPPORT
+ unsigned char* jpt;
+ #endif
++ uint64 k;
+
+ edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+ edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+***************
+*** 1894,1907 ****
+ #endif
+ ){
+ t2p->tiff_datasize=TIFFTileSize(input);
+ return;
+ } else {
+ TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);
+! t2p->tiff_datasize=tbc[tile];
+ #ifdef OJPEG_SUPPORT
+ if(t2p->tiff_compression==COMPRESSION_OJPEG){
+! t2p->tiff_datasize+=2048;
+! return;
+ }
+ #endif
+ #ifdef JPEG_SUPPORT
+--- 1947,1963 ----
+ #endif
+ ){
+ t2p->tiff_datasize=TIFFTileSize(input);
++ if (t2p->tiff_datasize == 0) {
++ /* Assume we had overflow inside TIFFTileSize */
++ t2p->t2p_error = T2P_ERR_ERROR;
++ }
+ return;
+ } else {
+ TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);
+! k=tbc[tile];
+ #ifdef OJPEG_SUPPORT
+ if(t2p->tiff_compression==COMPRESSION_OJPEG){
+! k = checkAdd64(k, 2048, t2p);
+ }
+ #endif
+ #ifdef JPEG_SUPPORT
+***************
+*** 1909,1926 ****
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
+ if(count > 4){
+! t2p->tiff_datasize += count;
+! t2p->tiff_datasize -= 2; /* don't use EOI of header or SOI of tile */
+ }
+ }
+ }
+ #endif
+ return;
+ }
+ }
+! t2p->tiff_datasize=TIFFTileSize(input);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+! t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
+ }
+
+ return;
+--- 1965,1997 ----
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
+ if(count > 4){
+! k = checkAdd64(k, count, t2p);
+! k -= 2; /* don't use EOI of header or SOI of tile */
+ }
+ }
+ }
+ #endif
++ t2p->tiff_datasize = (tsize_t) k;
++ if ((uint64) t2p->tiff_datasize != k) {
++ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++ t2p->t2p_error = T2P_ERR_ERROR;
++ }
+ return;
+ }
+ }
+! k = TIFFTileSize(input);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+! k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+! }
+! if (k == 0) {
+! /* Assume we had overflow inside TIFFTileSize */
+! t2p->t2p_error = T2P_ERR_ERROR;
+! }
+!
+! t2p->tiff_datasize = (tsize_t) k;
+! if ((uint64) t2p->tiff_datasize != k) {
+! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+! t2p->t2p_error = T2P_ERR_ERROR;
+ }
+
+ return;
+***************
+*** 2013,2018 ****
+--- 2084,2093 ----
+ uint32 max_striplength=0;
+ #endif
+
++ /* Fail if prior error (in particular, can't trust tiff_datasize) */
++ if (t2p->t2p_error != T2P_ERR_OK)
++ return(0);
++
+ if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
+ #ifdef CCITT_SUPPORT
+ if(t2p->pdf_compression == T2P_COMPRESS_G4){
+***************
+*** 2586,2591 ****
+--- 2661,2670 ----
+ uint32 xuint32=0;
+ #endif
+
++ /* Fail if prior error (in particular, can't trust tiff_datasize) */
++ if (t2p->t2p_error != T2P_ERR_OK)
++ return(0);
++
+ edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+ edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+
+
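Review bot: The overflow test in checkAdd64, `bytes - summand1 != summand2`, can never be true, because uint64 arithmetic wraps and the difference always equals summand2, so the helper never reports an overflow; `if (bytes < summand1) {` is the usual form. The subtractions `k -= 4` and `k -= 2` are unchecked as well and can wrap below zero when the preceding byte count is smaller than the amount subtracted. If tsize_t is signed, as the companion patch's comment says, the later `(uint64) t2p->tiff_datasize != k` comparison would accept such a wrapped value, since a negative tiff_datasize sign-extends back to the same k. A lower-bound check before each subtraction, plus rejecting a negative tiff_datasize after the cast, would close that. The leading `mv ` before `Index:` on the first line of this patch file looks like a paste artefact and is worth removing before the checksum is pinned.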
diff --git a/libtiff/Pkgfile b/libtiff/Pkgfile
index 2de0c74..9ee323c 100644
--- a/libtiff/Pkgfile
+++ b/libtiff/Pkgfile
@@ -5,11 +5,14 @@
name=libtiff
version=3.9.6
-release=1
-source=(http://download.osgeo.org/libtiff/tiff-$version.tar.gz)
+release=2
+source=(http://download.osgeo.org/libtiff/tiff-$version.tar.gz \
+ CVE-2012-2088.patch CVE-2012-2113.patch)
build() {
cd tiff-$version
+ patch -p0 -i $SRC/CVE-2012-2088.patch
+ patch -p0 -i $SRC/CVE-2012-2113.patch
./configure --prefix=/usr --mandir=/usr/man
make
make DESTDIR=$PKG install