-rw-r--r-- | main/tiff/APKBUILD | 14 | ||||
-rw-r--r-- | main/tiff/CVE-2012-3401.patch | 11 | ||||
-rw-r--r-- | main/tiff/CVE-2012-4447.patch | 13 | ||||
-rw-r--r-- | main/tiff/CVE-2012-4564.patch | 30 | ||||
-rw-r--r-- | main/tiff/libtiff-negsize-3.9.patch | 161 |
5 files changed, 50 insertions, 179 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 4d0e0e111a1..9138618baae 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Leonardo Arena <rnalrd@gmail.com>
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=tiff
-pkgver=3.9.6
-pkgrel=1
+pkgver=3.9.7
+pkgrel=0
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -12,8 +12,8 @@ depends_dev="zlib-dev jpeg-dev"
 makedepends="libtool autoconf automake $depends_dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
 source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
- libtiff-negsize-3.9.patch
- CVE-2012-3401.patch
+ CVE-2012-4447.patch
+ CVE-2012-4564.patch
 "
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -50,6 +50,6 @@ tools() {
 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
-md5sums="6920f3bf628d791d49f268b83612ed23 tiff-3.9.6.tar.gz
-a0742e7c81551c51438a8d6fa5d68676 libtiff-negsize-3.9.patch
-8c862de25b906d3fcefce2fb06c7b604 CVE-2012-3401.patch"
+md5sums="626102f448ba441d42e3212538ad67d2 tiff-3.9.7.tar.gz
+f85847db8d4cf8d9564f0f9af5bb060a CVE-2012-4447.patch
+e7b151b4a5acc8eb4b4428a98d6aa779 CVE-2012-4564.patch"
diff --git a/main/tiff/CVE-2012-3401.patch b/main/tiff/CVE-2012-3401.patch
deleted file mode 100644
index 847bd0d1382..00000000000
--- a/main/tiff/CVE-2012-3401.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -Naur tiff-4.0.2.orig/tools/tiff2pdf.c tiff-4.0.2/tools/tiff2pdf.c
---- tiff-4.0.2.orig/tools/tiff2pdf.c 2012-06-15 17:51:54.000000000 -0400
-+++ tiff-4.0.2/tools/tiff2pdf.c 2012-07-05 13:34:36.569691068 -0400
-@@ -1066,6 +1066,7 @@
- "Can't set directory %u of input file %s",
- i,
- TIFFFileName(input));
-+ t2p->t2p_error = T2P_ERR_ERROR;
- return;
- }
- if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){
diff --git a/main/tiff/CVE-2012-4447.patch b/main/tiff/CVE-2012-4447.patch
new file mode 100644
index 00000000000..29271ee57c6
--- /dev/null
+++ b/main/tiff/CVE-2012-4447.patch
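Review bot: In the last main/tiff/APKBUILD hunk, the new `md5sums` block is the only integrity check visible for `tiff-3.9.7.tar.gz`, which `source=` fetches over plain `ftp://`. MD5 is not collision-resistant, so it is a weak guard against a tarball replaced on the mirror or in transit. If the abuild version used by this tree accepts a stronger checksum variable, add one alongside it, e.g. `sha512sums="<sha512 of tiff-3.9.7.tar.gz>  tiff-3.9.7.tar.gz"`, with matching entries for the two patch files. The second hunk also drops libtiff-negsize-3.9.patch and CVE-2012-3401.patch without the diff showing that 3.9.7 carries those fixes; a one-line comment above `source=` saying so would help later audits.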
@@ -0,0 +1,13 @@
+Index: tiff-3.9.4/libtiff/tif_pixarlog.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-10-05 16:51:49.201609547 -0400
+@@ -663,7 +663,7 @@
+ td->td_rowsperstrip), sizeof(uint16));
+ if (tbuf_size == 0)
+ return (0);
+- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
++ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+ if (sp->tbuf == NULL)
+ return (0);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
diff --git a/main/tiff/CVE-2012-4564.patch b/main/tiff/CVE-2012-4564.patch
new file mode 100644
index 00000000000..9de7385cdef
--- /dev/null
+++ b/main/tiff/CVE-2012-4564.patch
@@ -0,0 +1,30 @@
+diff -u -r1.16 ppm2tiff.c
+--- ./tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16
++++ ./tools/ppm2tiff.c 31 Oct 2012 06:25:13 -0000
+@@ -89,6 +89,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ size_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@
+ }
+ if (TIFFScanlineSize(out) > linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+- else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ else {
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size != 0)
++ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ else {
++ fprintf(stderr, "%s: scanline size overflow\n",infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/main/tiff/libtiff-negsize-3.9.patch b/main/tiff/libtiff-negsize-3.9.patch
deleted file mode 100644
index 75a42fabc7d..00000000000
--- a/main/tiff/libtiff-negsize-3.9.patch
+++ /dev/null
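Review bot: In CVE-2012-4447.patch the enlarged allocation `_TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride)` adds its padding after the `tbuf_size == 0` test, so the sum itself is never checked for wrap-around. The context line above suggests tbuf_size comes from an overflow-checked multiply; the addition deserves the same care. Compute the padded size into a local and return 0 when the padding does not fit above tbuf_size, before calling _TIFFmalloc. A comment on the allocation, for instance `/* add one more stride in case input ends mid-stride */`, would record why the extra stride exists, which this hunk does not show. The enclosing function starts and ends outside the hunk.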
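Review bot: In CVE-2012-4564.patch the zero-size check guards only the `else` branch. The first branch still hands `linebytes` to `_TIFFmalloc` unchecked, and linebytes is computed outside this hunk, so an overflow in that calculation would not be caught here. Inside the new branch the validated value is not the one used: the allocation calls TIFFScanlineSize(out) a second time, where `buf = (unsigned char *)_TIFFmalloc(scanline_size);` would make the check and the allocation agree. The hunk also shows no NULL test on `buf` after either allocation; if none follows outside the hunk, add one before the buffer is first written. The enclosing function (apparently main, given argc/argv) starts and ends outside the hunk.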
@@ -1,161 +0,0 @@ -Index: libtiff/tif_strip.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v -retrieving revision 1.19.2.3 -diff -c -r1.19.2.3 tif_strip.c -*** ./libtiff/tif_strip.c 15 Dec 2010 00:50:30 -0000 1.19.2.3 ---- ./libtiff/tif_strip.c 17 Apr 2012 18:14:22 -0000 -*************** -*** 107,112 **** ---- 107,113 ---- - TIFFVStripSize(TIFF* tif, uint32 nrows) - { - TIFFDirectory *td = &tif->tif_dir; -+ uint32 stripsize; - - if (nrows == (uint32) -1) - nrows = td->td_imagelength; -*************** -*** 122,128 **** - * YCbCr data for the extended image. - */ - uint16 ycbcrsubsampling[2]; -! tsize_t w, scanline, samplingarea; - - TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, - ycbcrsubsampling + 0, ---- 123,129 ---- - * YCbCr data for the extended image. - */ - uint16 ycbcrsubsampling[2]; -! uint32 w, scanline, samplingarea; - - TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, - ycbcrsubsampling + 0, -*************** -*** 141,153 **** - nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); - /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ - scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); -! return ((tsize_t) - summarize(tif, scanline, - multiply(tif, 2, scanline / samplingarea, -! "TIFFVStripSize"), "TIFFVStripSize")); - } else -! return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), -! "TIFFVStripSize")); - } - - ---- 142,160 ---- - nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); - /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ - scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); -! stripsize = - summarize(tif, scanline, - multiply(tif, 2, scanline / samplingarea, -! "TIFFVStripSize"), "TIFFVStripSize"); - } else -! stripsize = multiply(tif, nrows, TIFFScanlineSize(tif), -! "TIFFVStripSize"); -! /* Because tsize_t is signed, we might have conversion overflow */ -! if (((tsize_t) stripsize) < 0) { -! 
TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize"); -! stripsize = 0; -! } -! return (tsize_t) stripsize; - } - - -Index: libtiff/tif_tile.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_tile.c,v -retrieving revision 1.12.2.1 -diff -c -r1.12.2.1 tif_tile.c -*** ./libtiff/tif_tile.c 8 Jun 2010 18:50:43 -0000 1.12.2.1 ---- ./libtiff/tif_tile.c 17 Apr 2012 18:14:22 -0000 -*************** -*** 174,180 **** - TIFFTileRowSize(TIFF* tif) - { - TIFFDirectory *td = &tif->tif_dir; -! tsize_t rowsize; - - if (td->td_tilelength == 0 || td->td_tilewidth == 0) - return ((tsize_t) 0); ---- 174,180 ---- - TIFFTileRowSize(TIFF* tif) - { - TIFFDirectory *td = &tif->tif_dir; -! uint32 rowsize; - - if (td->td_tilelength == 0 || td->td_tilewidth == 0) - return ((tsize_t) 0); -*************** -*** 193,199 **** - TIFFVTileSize(TIFF* tif, uint32 nrows) - { - TIFFDirectory *td = &tif->tif_dir; -! tsize_t tilesize; - - if (td->td_tilelength == 0 || td->td_tilewidth == 0 || - td->td_tiledepth == 0) ---- 193,199 ---- - TIFFVTileSize(TIFF* tif, uint32 nrows) - { - TIFFDirectory *td = &tif->tif_dir; -! uint32 tilesize; - - if (td->td_tilelength == 0 || td->td_tilewidth == 0 || - td->td_tiledepth == 0) -*************** -*** 209,220 **** - * horizontal/vertical subsampling area include - * YCbCr data for the extended image. - */ -! tsize_t w = - TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); -! tsize_t rowsize = - TIFFhowmany8(multiply(tif, w, td->td_bitspersample, - "TIFFVTileSize")); -! tsize_t samplingarea = - td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; - if (samplingarea == 0) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); ---- 209,220 ---- - * horizontal/vertical subsampling area include - * YCbCr data for the extended image. - */ -! uint32 w = - TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); -! 
uint32 rowsize = - TIFFhowmany8(multiply(tif, w, td->td_bitspersample, - "TIFFVTileSize")); -! uint32 samplingarea = - td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; - if (samplingarea == 0) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); -*************** -*** 230,237 **** - } else - tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), - "TIFFVTileSize"); -! return ((tsize_t) -! multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); - } - - /* ---- 230,242 ---- - } else - tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), - "TIFFVTileSize"); -! tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"); -! /* Because tsize_t is signed, we might have conversion overflow */ -! if (((tsize_t) tilesize) < 0) { -! TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize"); -! tilesize = 0; -! } -! return (tsize_t) tilesize; - } - - /* |