ports/opt (3.0): [notify] libtiff: patches for CVE-2013-1960, CVE-2013-4243

24 Oct 2013

commit 51fee6388cace7612faba0f0deed6fa67ecf387f
Author: Fredrik Rinnestam <fredrik@crux.nu>
Date:   Thu Oct 24 14:31:38 2013 +0200

    [notify] libtiff: patches for CVE-2013-1960, CVE-2013-4243

diff --git a/libtiff/.md5sum b/libtiff/.md5sum
index 502f704..a2bbf63 100644
--- a/libtiff/.md5sum
+++ b/libtiff/.md5sum
@@ -1,4 +1,6 @@
 6c1189a715708edc8ba926977b33895f  gif2tiff-buffer-overflow.patch
 2c0dabc854c95e7453fc56d2fd50a503  lzw-oob-write.patch
+e9de577a81571ab8ffac84aac8c64381  tiff-4.0.3-CVE-2013-1960.patch
+682ee6498fe06ffe0b44370164acf0b4  tiff-4.0.3-CVE-2013-4243.patch
 051c1068e6a0627f461948c365290410  tiff-4.0.3.tar.gz
 35aee7eea6949c2d26ffa52872991115  tiff2pdf_use-after-free.patch
diff --git a/libtiff/Pkgfile b/libtiff/Pkgfile
index fa8a104..8ffc376 100644
--- a/libtiff/Pkgfile
+++ b/libtiff/Pkgfile
@@ -5,15 +5,18 @@
 
 name=libtiff
 version=4.0.3
-release=3
+release=4
 source=(http://download.osgeo.org/libtiff/tiff-$version.tar.gz \
-        gif2tiff-buffer-overflow.patch tiff2pdf_use-after-free.patch lzw-oob-write.patch)
+        gif2tiff-buffer-overflow.patch tiff2pdf_use-after-free.patch lzw-oob-write.patch \
+	tiff-4.0.3-CVE-2013-4243.patch tiff-4.0.3-CVE-2013-1960.patch )
 
 build() {
     cd tiff-$version
     patch -d tools -p0 -i $SRC/tiff2pdf_use-after-free.patch
     patch -d tools -p0 -i $SRC/gif2tiff-buffer-overflow.patch
     patch -d tools -p0 -i $SRC/lzw-oob-write.patch
+    patch -p0 -i $SRC/tiff-4.0.3-CVE-2013-4243.patch
+    patch -p1 -i $SRC/tiff-4.0.3-CVE-2013-1960.patch
 
     ./configure --prefix=/usr --mandir=/usr/man
     make
diff --git a/libtiff/tiff-4.0.3-CVE-2013-1960.patch b/libtiff/tiff-4.0.3-CVE-2013-1960.patch
new file mode 100644
index 0000000..1c8dfb7
--- /dev/null
+++ b/libtiff/tiff-4.0.3-CVE-2013-1960.patch
@@ -0,0 +1,145 @@
+diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
+--- tiff-4.0.3.orig/tools/tiff2pdf.c	2012-07-25 22:56:43.000000000 -0400
++++ tiff-4.0.3/tools/tiff2pdf.c	2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+ 	uint32 height){
+ 
+ 	tsize_t i=0;
+-	uint16 ri =0;
+-	uint16 v_samp=1;
+-	uint16 h_samp=1;
+-	int j=0;
+-	
+-	i++;
+-	
+-	while(i<(*striplength)){
++
++	while (i < *striplength) {
++		tsize_t datalen;
++		uint16 ri;
++		uint16 v_samp;
++		uint16 h_samp;
++		int j;
++		int ncomp;
++
++		/* marker header: one or more FFs */
++		if (strip[i] != 0xff)
++			return(0);
++		i++;
++		while (i < *striplength && strip[i] == 0xff)
++			i++;
++		if (i >= *striplength)
++			return(0);
++		/* SOI is the only pre-SOS marker without a length word */
++		if (strip[i] == 0xd8)
++			datalen = 0;
++		else {
++			if ((*striplength - i) <= 2)
++				return(0);
++			datalen = (strip[i+1] << 8) | strip[i+2];
++			if (datalen < 2 || datalen >= (*striplength - i))
++				return(0);
++		}
+ 		switch( strip[i] ){
+-			case 0xd8:
+-				/* SOI - start of image */
++			case 0xd8:	/* SOI - start of image */
+ 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ 				*bufferoffset+=2;
+-				i+=2;
+ 				break;
+-			case 0xc0:
+-			case 0xc1:
+-			case 0xc3:
+-			case 0xc9:
+-			case 0xca:
++			case 0xc0:	/* SOF0 */
++			case 0xc1:	/* SOF1 */
++			case 0xc3:	/* SOF3 */
++			case 0xc9:	/* SOF9 */
++			case 0xca:	/* SOF10 */
+ 				if(no==0){
+-					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-					for(j=0;j<buffer[*bufferoffset+9];j++){
+-						if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) 
+-							h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+-						if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) 
+-							v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++					ncomp = buffer[*bufferoffset+9];
++					if (ncomp < 1 || ncomp > 4)
++						return(0);
++					v_samp=1;
++					h_samp=1;
++					for(j=0;j<ncomp;j++){
++						uint16 samp = buffer[*bufferoffset+11+(3*j)];
++						if( (samp>>4) > h_samp) 
++							h_samp = (samp>>4);
++						if( (samp & 0x0f) > v_samp) 
++							v_samp = (samp & 0x0f);
+ 					}
+ 					v_samp*=8;
+ 					h_samp*=8;
+@@ -3381,45 +3404,43 @@
+                                           (unsigned char) ((height>>8) & 0xff);
+ 					buffer[*bufferoffset+6]=
+                                             (unsigned char) (height & 0xff);
+-					*bufferoffset+=strip[i+2]+2;
+-					i+=strip[i+2]+2;
+-
++					*bufferoffset+=datalen+2;
++					/* insert a DRI marker */
+ 					buffer[(*bufferoffset)++]=0xff;
+ 					buffer[(*bufferoffset)++]=0xdd;
+ 					buffer[(*bufferoffset)++]=0x00;
+ 					buffer[(*bufferoffset)++]=0x04;
+ 					buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ 					buffer[(*bufferoffset)++]= ri & 0xff;
+-				} else {
+-					i+=strip[i+2]+2;
+ 				}
+ 				break;
+-			case 0xc4:
+-			case 0xdb:
+-				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-				*bufferoffset+=strip[i+2]+2;
+-				i+=strip[i+2]+2;
++			case 0xc4: /* DHT */
++			case 0xdb: /* DQT */
++				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++				*bufferoffset+=datalen+2;
+ 				break;
+-			case 0xda:
++			case 0xda: /* SOS */
+ 				if(no==0){
+-					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-					*bufferoffset+=strip[i+2]+2;
+-					i+=strip[i+2]+2;
++					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++					*bufferoffset+=datalen+2;
+ 				} else {
+ 					buffer[(*bufferoffset)++]=0xff;
+ 					buffer[(*bufferoffset)++]=
+                                             (unsigned char)(0xd0 | ((no-1)%8));
+-					i+=strip[i+2]+2;
+ 				}
+-				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+-				*bufferoffset+=(*striplength)-i-1;
++				i += datalen + 1;
++				/* copy remainder of strip */
++				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++				*bufferoffset+= *striplength - i;
+ 				return(1);
+ 			default:
+-				i+=strip[i+2]+2;
++				/* ignore any other marker */
++				break;
+ 		}
++		i += datalen + 1;
+ 	}
+-	
+ 
++	/* failed to find SOS marker */
+ 	return(0);
+ }
+ #endif
diff --git a/libtiff/tiff-4.0.3-CVE-2013-4243.patch b/libtiff/tiff-4.0.3-CVE-2013-4243.patch
new file mode 100644
index 0000000..fdcfe6b
--- /dev/null
+++ b/libtiff/tiff-4.0.3-CVE-2013-4243.patch
@@ -0,0 +1,37 @@
+Index: tools/gif2tiff.c
+===================================================================
+--- tools/gif2tiff.c.orig
++++ tools/gif2tiff.c
+@@ -280,6 +280,10 @@ readgifimage(char* mode)
+         fprintf(stderr, "no colormap present for image\n");
+         return (0);
+     }
++    if (width == 0 || height == 0) {
++        fprintf(stderr, "Invalid value of width or height\n");
++        return(0);
++    }
+     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+         fprintf(stderr, "not enough memory for image\n");
+         return (0);
+@@ -406,6 +410,10 @@ process(register int code, unsigned char
+             fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+             return 0;
+         }
++        if (*fill >= raster + width*height) {
++            fprintf(stderr, "raster full before eoi code\n");
++            return 0;
++        }
+ 	*(*fill)++ = suffix[code];
+ 	firstchar = oldcode = code;
+ 	return 1;
+@@ -436,6 +444,10 @@ process(register int code, unsigned char
+     }
+     oldcode = incode;
+     do {
++        if (*fill >= raster + width*height) {
++            fprintf(stderr, "raster full before eoi code\n");
++            return 0;
++        }
+ 	*(*fill)++ = *--stackp;
+     } while (stackp > stack);
+     return 1;

    

ports/opt (3.0): [notify] libtiff: patches for CVE-2013-1960, CVE-2013-4243

crux＠crux.nu