
CVE 3945, 3990, 3991 fixed in libtiff

Change-Id: I4dc192b45765196d029b8adaa48039e4f72ed00e
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1515
Reviewed-by: Priyesh Padmavilasom <ppadmavilasom@vmware.com>
Tested-by: gerrit-photon <photon-checkins@vmware.com>

DheerajSShetty authored on 2016/10/13 08:17:42
Showing 4 changed files
new file mode 100644
... ...
@@ -0,0 +1,78 @@
0
+--- a/tiff-4.0.6/tools/tiff2rgba.c	2015-08-28 15:17:08.259977000 -0700
1
+@@ -147,6 +147,7 @@
2
+     uint32  row, col;
3
+     uint32  *wrk_line;
4
+     int	    ok = 1;
5
++    uint32  rastersize, wrk_linesize;
6
+ 
7
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
8
+     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
9
+@@ -163,7 +164,13 @@
10
+     /*
11
+      * Allocate tile buffer
12
+      */
13
+-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
14
++    rastersize = tile_width * tile_height * sizeof (uint32);
15
++    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
16
++    {
17
++	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
18
++	exit(-1);
19
++    }
20
++    raster = (uint32*)_TIFFmalloc(rastersize);
21
+     if (raster == 0) {
22
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
23
+         return (0);
24
+@@ -173,7 +180,13 @@
25
+      * Allocate a scanline buffer for swapping during the vertical
26
+      * mirroring pass.
27
+      */
28
+-    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
29
++    wrk_linesize = tile_width * sizeof (uint32);
30
++    if (tile_width != wrk_linesize / sizeof (uint32))
31
++    {
32
++        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
33
++	exit(-1);
34
++    }
35
++    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
36
+     if (!wrk_line) {
37
+         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
38
+         ok = 0;
39
+@@ -249,6 +262,7 @@
40
+     uint32  row;
41
+     uint32  *wrk_line;
42
+     int	    ok = 1;
43
++    uint32  rastersize, wrk_linesize;
44
+ 
45
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
46
+     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
47
+@@ -263,7 +277,13 @@
48
+     /*
49
+      * Allocate strip buffer
50
+      */
51
+-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
52
++    rastersize = width * rowsperstrip * sizeof (uint32);
53
++    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
54
++    {
55
++	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
56
++	exit(-1);
57
++    }
58
++    raster = (uint32*)_TIFFmalloc(rastersize);
59
+     if (raster == 0) {
60
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
61
+         return (0);
62
+@@ -273,7 +293,13 @@
63
+      * Allocate a scanline buffer for swapping during the vertical
64
+      * mirroring pass.
65
+      */
66
+-    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
67
++    wrk_linesize = width * sizeof (uint32);
68
++    if (width != wrk_linesize / sizeof (uint32))
69
++    {
70
++        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
71
++	exit(-1);
72
++    }
73
++    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
74
+     if (!wrk_line) {
75
+         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
76
+         ok = 0;
0 77
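Review bot: The new overflow tests in tiff2rgba.c divide by a value taken from the file with no zero guard: `(rastersize / tile_height)` in the tile hunk at -163 and `(rastersize / rowsperstrip)` in the strip hunk at -263. Whether `tile_height` and `rowsperstrip` are rejected when zero is decided outside these hunks; if they are not, a zero tag value turns the check itself into a division by zero. A guard such as `if (tile_height == 0 || tile_width != (rastersize / tile_height) / sizeof (uint32))`, and the same for `rowsperstrip`, covers it. The new failure paths also call `exit(-1)` while the adjacent allocation failures `return (0)` or set `ok = 0`, so the overflow case alone bypasses the caller's cleanup. Both enclosing functions start and end outside the hunks.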
new file mode 100644
... ...
@@ -0,0 +1,17 @@
0
+--- a/tiff-4.0.6/libtiff/tif_pixarlog.c	2015-08-28 15:16:22.630733000 -0700
1
+@@ -1131,6 +1131,14 @@
2
+ 	}
3
+ 
4
+ 	llen = sp->stride * td->td_imagewidth;
5
++	
6
++        /* Check against the number of elements (of size uint16) of sp->tbuf */
7
++	if( n > td->td_rowsperstrip * llen )
8
++	{
9
++		TIFFErrorExt(tif->tif_clientdata, module,
10
++			     "Too many input bytes provided");
11
++		return 0;
12
++	}
13
+ 
14
+ 	for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
15
+ 		switch (sp->user_datafmt)  {
0 16
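Review bot: The bound in `if( n > td->td_rowsperstrip * llen )` is computed without widening, and the declarations of `n` and `llen` are outside the hunk. If both operands are 32-bit, the product can wrap before the comparison, so the limit no longer matches the capacity of `sp->tbuf` and the compare mixes signedness. Assuming `n` is a `tmsize_t`, doing the multiplication in that type avoids both: `if (n > (tmsize_t)td->td_rowsperstrip * llen)`. The error text says "Too many input bytes provided" while the comment above it says the limit is counted in uint16 elements, so one of the two should be reworded to match what is checked. The function body continues past the hunk.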
new file mode 100644
... ...
@@ -0,0 +1,109 @@
0
+--- a/tiff-4.0.6/tools/tiffcrop.c	2015-08-28 15:17:08.312151000 -0700
1
+@@ -798,6 +798,11 @@
2
+     }
3
+ 
4
+   tile_buffsize = tilesize;
5
++  if (tilesize == 0 || tile_rowsize == 0)
6
++  {
7
++     TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
8
++     exit(-1);
9
++  }
10
+ 
11
+   if (tilesize < (tsize_t)(tl * tile_rowsize))
12
+     {
13
+@@ -807,7 +812,12 @@
14
+               tilesize, tl * tile_rowsize);
15
+ #endif
16
+     tile_buffsize = tl * tile_rowsize;
17
+-    } 
18
++    if (tl != (tile_buffsize / tile_rowsize))
19
++    {
20
++    	TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
21
++        exit(-1);
22
++    }
23
++    }
24
+ 
25
+   tilebuf = _TIFFmalloc(tile_buffsize);
26
+   if (tilebuf == 0)
27
+@@ -1210,6 +1220,12 @@
28
+       !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
29
+       return 1;
30
+ 
31
++  if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
32
++  {
33
++    TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
34
++    exit(-1);
35
++  }
36
++  
37
+   tile_buffsize = tilesize;
38
+   if (tilesize < (tsize_t)(tl * tile_rowsize))
39
+     {
40
+@@ -1219,6 +1235,11 @@
41
+               tilesize, tl * tile_rowsize);
42
+ #endif
43
+     tile_buffsize = tl * tile_rowsize;
44
++    if (tl != tile_buffsize / tile_rowsize)
45
++    {
46
++	TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
47
++	exit(-1);
48
++    }
49
+     }
50
+ 
51
+   tilebuf = _TIFFmalloc(tile_buffsize);
52
+@@ -5945,12 +5966,27 @@
53
+     TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
54
+ 
55
+     tile_rowsize  = TIFFTileRowSize(in);      
56
++    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
57
++    {
58
++	TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
59
++	exit(-1);
60
++    }
61
+     buffsize = tlsize * ntiles;
62
++    if (tlsize != (buffsize / ntiles))
63
++    {
64
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
65
++	exit(-1);
66
++    }
67
+ 
68
+-        
69
+     if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
70
+       {
71
+       buffsize = ntiles * tl * tile_rowsize;
72
++      if (ntiles != (buffsize / tl / tile_rowsize))
73
++      {
74
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
75
++	exit(-1);
76
++      }
77
++      
78
+ #ifdef DEBUG2
79
+       TIFFError("loadImage",
80
+ 	        "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
81
+@@ -5969,8 +6005,25 @@
82
+     TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
83
+     stsize = TIFFStripSize(in);
84
+     nstrips = TIFFNumberOfStrips(in);
85
++    if (nstrips == 0 || stsize == 0)
86
++    {
87
++	TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
88
++	exit(-1);
89
++    }
90
++
91
+     buffsize = stsize * nstrips;
92
+-    
93
++    if (stsize != (buffsize / nstrips))
94
++    {
95
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
96
++	exit(-1);
97
++    }
98
++    uint32 buffsize_check;
99
++    buffsize_check = ((length * width * spp * bps) + 7);
100
++    if (length != ((buffsize_check - 7) / width / spp / bps))
101
++    {
102
++	TIFFError("loadImage", "Integer overflow detected.");
103
++	exit(-1);
104
++    }
105
+     if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
106
+       {
107
+       buffsize =  ((length * width * spp * bps) + 7) / 8;
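Review bot: In the strip branch of loadImage (hunk at -5969) the `+ 7` is not covered by the new test. When `length * width * spp * bps` lands within 7 of the 32-bit limit, `buffsize_check` wraps and `buffsize_check - 7` wraps back, so the division check passes while the following `((length * width * spp * bps) + 7) / 8` works on the wrapped value. Extending the condition to `if (buffsize_check < 7 || length != ((buffsize_check - 7) / width / spp / bps))` catches that case. In the tile branch (hunk at -5945) the overflow test for `ntiles * tl * tile_rowsize` sits inside `if (buffsize < (uint32)(ntiles * tl * tile_rowsize))`, so a product that has already wrapped to a small value skips the test; it should be evaluated before that comparison. The divisors `width`, `spp` and `bps` are not checked for zero in the visible lines, and the variable types are declared outside the hunks, so this assumes 32-bit arithmetic.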
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:	TIFF libraries and associated utilities.
2 2
 Name:		libtiff
3 3
 Version:	4.0.6
4
-Release:	2%{?dist}
4
+Release:	3%{?dist}
5 5
 License:	libtiff
6 6
 URL:		http://www.remotesensing.org/libtiff
7 7
 Group:		System Environment/Libraries
... ...
@@ -14,6 +14,9 @@ Patch1:		libtiff-4.0.6-CVE-2015-7554.patch
14 14
 Patch2:		libtiff-4.0.6-CVE-2015-8683+CVE-2015-8665.patch
15 15
 Patch3:     	libtiff-4.0.6-CVE-2016-3186.patch
16 16
 Patch4:     	libtiff-4.0.6-CVE-2015-1547.patch
17
+Patch5:     	libtiff-4.0.6-CVE-2016-3945.patch
18
+Patch6:     	libtiff-4.0.6-CVE-2016-3990.patch
19
+Patch7:     	libtiff-4.0.6-CVE-2016-3991.patch
17 20
 BuildRequires:	libjpeg-turbo-devel
18 21
 Requires:	libjpeg-turbo
19 22
 %description
... ...
@@ -32,6 +35,9 @@ It contains the libraries and header files to create applications
32 32
 %patch2 -p1
33 33
 %patch3 -p1
34 34
 %patch4 -p1
35
+%patch5 -p2
36
+%patch6 -p2
37
+%patch7 -p2
35 38
 
36 39
 %build
37 40
 ./configure \
... ...
@@ -62,6 +68,8 @@ find %{buildroot} -name '*.la' -delete
62 62
 %{_libdir}/pkgconfig/*.pc
63 63
 
64 64
 %changelog
65
+*       Wed Oct 12 2016 Dheeraj Shetty <dheerajs@vmware.com> 4.0.6-3
66
+-       Fixed security issues : CVE-2016-3945, CVE-2016-3990, CVE-2016-3991
65 67
 *       Thu Sep 22 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.0.6-2
66 68
 -       Fixed security issues : CVE-2015-8668, CVE-2015-7554, CVE-2015-8683+CVE-2015-8665,CVE-2016-3186
67 69
         CVE-2015-1547