Change-Id: I4dc192b45765196d029b8adaa48039e4f72ed00e
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1515
Reviewed-by: Priyesh Padmavilasom <ppadmavilasom@vmware.com>
Tested-by: gerrit-photon <photon-checkins@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,78 @@ |
0 |
+--- a/tiff-4.0.6/tools/tiff2rgba.c 2015-08-28 15:17:08.259977000 -0700 |
|
1 |
+@@ -147,6 +147,7 @@ |
|
2 |
+ uint32 row, col; |
|
3 |
+ uint32 *wrk_line; |
|
4 |
+ int ok = 1; |
|
5 |
++ uint32 rastersize, wrk_linesize; |
|
6 |
+ |
|
7 |
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); |
|
8 |
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); |
|
9 |
+@@ -163,7 +164,13 @@ |
|
10 |
+ /* |
|
11 |
+ * Allocate tile buffer |
|
12 |
+ */ |
|
13 |
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); |
|
14 |
++ rastersize = tile_width * tile_height * sizeof (uint32); |
|
15 |
++ if (tile_width != (rastersize / tile_height) / sizeof( uint32)) |
|
16 |
++ { |
|
17 |
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); |
|
18 |
++ exit(-1); |
|
19 |
++ } |
|
20 |
++ raster = (uint32*)_TIFFmalloc(rastersize); |
|
21 |
+ if (raster == 0) { |
|
22 |
+ TIFFError(TIFFFileName(in), "No space for raster buffer"); |
|
23 |
+ return (0); |
|
24 |
+@@ -173,7 +180,13 @@ |
|
25 |
+ * Allocate a scanline buffer for swapping during the vertical |
|
26 |
+ * mirroring pass. |
|
27 |
+ */ |
|
28 |
+- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); |
|
29 |
++ wrk_linesize = tile_width * sizeof (uint32); |
|
30 |
++ if (tile_width != wrk_linesize / sizeof (uint32)) |
|
31 |
++ { |
|
32 |
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); |
|
33 |
++ exit(-1); |
|
34 |
++ } |
|
35 |
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); |
|
36 |
+ if (!wrk_line) { |
|
37 |
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); |
|
38 |
+ ok = 0; |
|
39 |
+@@ -249,6 +262,7 @@ |
|
40 |
+ uint32 row; |
|
41 |
+ uint32 *wrk_line; |
|
42 |
+ int ok = 1; |
|
43 |
++ uint32 rastersize, wrk_linesize; |
|
44 |
+ |
|
45 |
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); |
|
46 |
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); |
|
47 |
+@@ -263,7 +277,13 @@ |
|
48 |
+ /* |
|
49 |
+ * Allocate strip buffer |
|
50 |
+ */ |
|
51 |
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); |
|
52 |
++ rastersize = width * rowsperstrip * sizeof (uint32); |
|
53 |
++ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) |
|
54 |
++ { |
|
55 |
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); |
|
56 |
++ exit(-1); |
|
57 |
++ } |
|
58 |
++ raster = (uint32*)_TIFFmalloc(rastersize); |
|
59 |
+ if (raster == 0) { |
|
60 |
+ TIFFError(TIFFFileName(in), "No space for raster buffer"); |
|
61 |
+ return (0); |
|
62 |
+@@ -273,7 +293,13 @@ |
|
63 |
+ * Allocate a scanline buffer for swapping during the vertical |
|
64 |
+ * mirroring pass. |
|
65 |
+ */ |
|
66 |
+- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); |
|
67 |
++ wrk_linesize = width * sizeof (uint32); |
|
68 |
++ if (width != wrk_linesize / sizeof (uint32)) |
|
69 |
++ { |
|
70 |
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); |
|
71 |
++ exit(-1); |
|
72 |
++ } |
|
73 |
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); |
|
74 |
+ if (!wrk_line) { |
|
75 |
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); |
|
76 |
+ ok = 0; |
0 | 77 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,17 @@ |
0 |
+--- a/tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-28 15:16:22.630733000 -0700 |
|
1 |
+@@ -1131,6 +1131,14 @@ |
|
2 |
+ } |
|
3 |
+ |
|
4 |
+ llen = sp->stride * td->td_imagewidth; |
|
5 |
++ |
|
6 |
++ /* Check against the number of elements (of size uint16) of sp->tbuf */ |
|
7 |
++ if( n > td->td_rowsperstrip * llen ) |
|
8 |
++ { |
|
9 |
++ TIFFErrorExt(tif->tif_clientdata, module, |
|
10 |
++ "Too many input bytes provided"); |
|
11 |
++ return 0; |
|
12 |
++ } |
|
13 |
+ |
|
14 |
+ for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { |
|
15 |
+ switch (sp->user_datafmt) { |
0 | 16 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,109 @@ |
0 |
+--- a/tiff-4.0.6/tools/tiffcrop.c 2015-08-28 15:17:08.312151000 -0700 |
|
1 |
+@@ -798,6 +798,11 @@ |
|
2 |
+ } |
|
3 |
+ |
|
4 |
+ tile_buffsize = tilesize; |
|
5 |
++ if (tilesize == 0 || tile_rowsize == 0) |
|
6 |
++ { |
|
7 |
++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); |
|
8 |
++ exit(-1); |
|
9 |
++ } |
|
10 |
+ |
|
11 |
+ if (tilesize < (tsize_t)(tl * tile_rowsize)) |
|
12 |
+ { |
|
13 |
+@@ -807,7 +812,12 @@ |
|
14 |
+ tilesize, tl * tile_rowsize); |
|
15 |
+ #endif |
|
16 |
+ tile_buffsize = tl * tile_rowsize; |
|
17 |
+- } |
|
18 |
++ if (tl != (tile_buffsize / tile_rowsize)) |
|
19 |
++ { |
|
20 |
++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); |
|
21 |
++ exit(-1); |
|
22 |
++ } |
|
23 |
++ } |
|
24 |
+ |
|
25 |
+ tilebuf = _TIFFmalloc(tile_buffsize); |
|
26 |
+ if (tilebuf == 0) |
|
27 |
+@@ -1210,6 +1220,12 @@ |
|
28 |
+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) |
|
29 |
+ return 1; |
|
30 |
+ |
|
31 |
++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) |
|
32 |
++ { |
|
33 |
++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); |
|
34 |
++ exit(-1); |
|
35 |
++ } |
|
36 |
++ |
|
37 |
+ tile_buffsize = tilesize; |
|
38 |
+ if (tilesize < (tsize_t)(tl * tile_rowsize)) |
|
39 |
+ { |
|
40 |
+@@ -1219,6 +1235,11 @@ |
|
41 |
+ tilesize, tl * tile_rowsize); |
|
42 |
+ #endif |
|
43 |
+ tile_buffsize = tl * tile_rowsize; |
|
44 |
++ if (tl != tile_buffsize / tile_rowsize) |
|
45 |
++ { |
|
46 |
++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); |
|
47 |
++ exit(-1); |
|
48 |
++ } |
|
49 |
+ } |
|
50 |
+ |
|
51 |
+ tilebuf = _TIFFmalloc(tile_buffsize); |
|
52 |
+@@ -5945,12 +5966,27 @@ |
|
53 |
+ TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); |
|
54 |
+ |
|
55 |
+ tile_rowsize = TIFFTileRowSize(in); |
|
56 |
++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) |
|
57 |
++ { |
|
58 |
++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); |
|
59 |
++ exit(-1); |
|
60 |
++ } |
|
61 |
+ buffsize = tlsize * ntiles; |
|
62 |
++ if (tlsize != (buffsize / ntiles)) |
|
63 |
++ { |
|
64 |
++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); |
|
65 |
++ exit(-1); |
|
66 |
++ } |
|
67 |
+ |
|
68 |
+- |
|
69 |
+ if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) |
|
70 |
+ { |
|
71 |
+ buffsize = ntiles * tl * tile_rowsize; |
|
72 |
++ if (ntiles != (buffsize / tl / tile_rowsize)) |
|
73 |
++ { |
|
74 |
++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); |
|
75 |
++ exit(-1); |
|
76 |
++ } |
|
77 |
++ |
|
78 |
+ #ifdef DEBUG2 |
|
79 |
+ TIFFError("loadImage", |
|
80 |
+ "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", |
|
81 |
+@@ -5969,8 +6005,25 @@ |
|
82 |
+ TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); |
|
83 |
+ stsize = TIFFStripSize(in); |
|
84 |
+ nstrips = TIFFNumberOfStrips(in); |
|
85 |
++ if (nstrips == 0 || stsize == 0) |
|
86 |
++ { |
|
87 |
++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); |
|
88 |
++ exit(-1); |
|
89 |
++ } |
|
90 |
++ |
|
91 |
+ buffsize = stsize * nstrips; |
|
92 |
+- |
|
93 |
++ if (stsize != (buffsize / nstrips)) |
|
94 |
++ { |
|
95 |
++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); |
|
96 |
++ exit(-1); |
|
97 |
++ } |
|
98 |
++ uint32 buffsize_check; |
|
99 |
++ buffsize_check = ((length * width * spp * bps) + 7); |
|
100 |
++ if (length != ((buffsize_check - 7) / width / spp / bps)) |
|
101 |
++ { |
|
102 |
++ TIFFError("loadImage", "Integer overflow detected."); |
|
103 |
++ exit(-1); |
|
104 |
++ } |
|
105 |
+ if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) |
|
106 |
+ { |
|
107 |
+ buffsize = ((length * width * spp * bps) + 7) / 8; |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 | 3 |
Version: 4.0.6 |
4 |
-Release: 2%{?dist} |
|
4 |
+Release: 3%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.remotesensing.org/libtiff |
7 | 7 |
Group: System Environment/Libraries |
... | ... |
@@ -14,6 +14,9 @@ Patch1: libtiff-4.0.6-CVE-2015-7554.patch |
14 | 14 |
Patch2: libtiff-4.0.6-CVE-2015-8683+CVE-2015-8665.patch |
15 | 15 |
Patch3: libtiff-4.0.6-CVE-2016-3186.patch |
16 | 16 |
Patch4: libtiff-4.0.6-CVE-2015-1547.patch |
17 |
+Patch5: libtiff-4.0.6-CVE-2016-3945.patch |
|
18 |
+Patch6: libtiff-4.0.6-CVE-2016-3990.patch |
|
19 |
+Patch7: libtiff-4.0.6-CVE-2016-3991.patch |
|
17 | 20 |
BuildRequires: libjpeg-turbo-devel |
18 | 21 |
Requires: libjpeg-turbo |
19 | 22 |
%description |
... | ... |
@@ -32,6 +35,9 @@ It contains the libraries and header files to create applications |
32 | 32 |
%patch2 -p1 |
33 | 33 |
%patch3 -p1 |
34 | 34 |
%patch4 -p1 |
35 |
+%patch5 -p2 |
|
36 |
+%patch6 -p2 |
|
37 |
+%patch7 -p2 |
|
35 | 38 |
|
36 | 39 |
%build |
37 | 40 |
./configure \ |
... | ... |
@@ -62,6 +68,8 @@ find %{buildroot} -name '*.la' -delete |
62 | 62 |
%{_libdir}/pkgconfig/*.pc |
63 | 63 |
|
64 | 64 |
%changelog |
65 |
+* Wed Oct 12 2016 Dheeraj Shetty <dheerajs@vmware.com> 4.0.6-3 |
|
66 |
+- Fixed security issues : CVE-2016-3945, CVE-2016-3990, CVE-2016-3991 |
|
65 | 67 |
* Thu Sep 22 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.0.6-2 |
66 | 68 |
- Fixed security issues : CVE-2015-8668, CVE-2015-7554, CVE-2015-8683+CVE-2015-8665,CVE-2016-3186 |
67 | 69 |
CVE-2015-1547 |