
libtiff : Fix CVE-2018-7456, CVE-2018-8905

Change-Id: I90e94761c0c77f52690096e89d5e050052d140ca
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5160
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Ashok Venkiteswaran
Reviewed-by: Anish Swaminathan <anishs@vmware.com>

Xiaolin Li authored on 2018/05/15 03:22:59
Showing 3 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,107 @@
0
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
1
+index 6baa7b3..af5b84a 100644
2
+--- a/libtiff/tif_dirread.c
3
+@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
4
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
5
+ static void ChopUpSingleUncompressedStrip(TIFF*);
6
+ static uint64 TIFFReadUInt64(const uint8 *value);
7
++static int _TIFFGetMaxColorChannels(uint16 photometric);
8
+ 
9
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
10
+ 
11
+@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
12
+ }
13
+ 
14
+ /*
15
++ * Return the maximum number of color channels specified for a given photometric
16
++ * type. 0 is returned if photometric type isn't supported or no default value
17
++ * is defined by the specification.
18
++ */
19
++static int _TIFFGetMaxColorChannels( uint16 photometric )
20
++{
21
++    switch (photometric) {
22
++	case PHOTOMETRIC_PALETTE:
23
++	case PHOTOMETRIC_MINISWHITE:
24
++	case PHOTOMETRIC_MINISBLACK:
25
++            return 1;
26
++	case PHOTOMETRIC_YCBCR:
27
++	case PHOTOMETRIC_RGB:
28
++	case PHOTOMETRIC_CIELAB:
29
++            return 3;
30
++	case PHOTOMETRIC_SEPARATED:
31
++	case PHOTOMETRIC_MASK:
32
++            return 4;
33
++	case PHOTOMETRIC_LOGL:
34
++	case PHOTOMETRIC_LOGLUV:
35
++	case PHOTOMETRIC_CFA:
36
++	case PHOTOMETRIC_ITULAB:
37
++	case PHOTOMETRIC_ICCLAB:
38
++	default:
39
++            return 0;
40
++    }
41
++}
42
++
43
++/*
44
+  * Read the next TIFF directory from a file and convert it to the internal
45
+  * format. We read directories sequentially.
46
+  */
47
+@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
48
+ 	uint32 fii=FAILED_FII;
49
+         toff_t nextdiroff;
50
+     int bitspersample_read = FALSE;
51
++        int color_channels;
52
+ 
53
+ 	tif->tif_diroff=tif->tif_nextdiroff;
54
+ 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
55
+@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
56
+ 			}
57
+ 		}
58
+ 	}
59
++
60
++	/*
61
++	 * Make sure all non-color channels are extrasamples.
62
++	 * If it's not the case, define them as such.
63
++	 */
64
++        color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
65
++        if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
66
++                uint16 old_extrasamples;
67
++                uint16 *new_sampleinfo;
68
++
69
++                TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
70
++                    "color channels and ExtraSamples doesn't match SamplesPerPixel. "
71
++                    "Defining non-color channels as ExtraSamples.");
72
++
73
++                old_extrasamples = tif->tif_dir.td_extrasamples;
74
++                tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
75
++
76
++                // sampleinfo should contain information relative to these new extra samples
77
++                new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
78
++                if (!new_sampleinfo) {
79
++                    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
80
++                                "temporary new sampleinfo array (%d 16 bit elements)",
81
++                                tif->tif_dir.td_extrasamples);
82
++                    goto bad;
83
++                }
84
++
85
++                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
86
++                _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
87
++                _TIFFfree(new_sampleinfo);
88
++        }
89
++
90
+ 	/*
91
+ 	 * Verify Palette image has a Colormap.
92
+ 	 */
93
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
94
+index 8deceb2..1d86adb 100644
95
+--- a/libtiff/tif_print.c
96
+@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
97
+ 				uint16 i;
98
+ 				fprintf(fd, "    %2ld: %5u",
99
+ 				    l, td->td_transferfunction[0][l]);
100
+-				for (i = 1; i < td->td_samplesperpixel; i++)
101
++				for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
102
+ 					fprintf(fd, " %5u",
103
+ 					    td->td_transferfunction[i][l]);
104
+ 				fputc('\n', fd);
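Review bot: In the second TIFFReadDirectory hunk, `memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));` runs even when `old_extrasamples` is 0. If `td_sampleinfo` is NULL in that case (not visible here, but plausible when the file carries no ExtraSamples tag), passing a null source to memcpy is undefined behaviour even for a zero length. Guarding the copy with `if (old_extrasamples > 0)` avoids that. In the tif_print.c hunk, the new `i < 3` bound deserves a one-line comment tying it to the number of `td_transferfunction` entries, so the magic number is not later "simplified" away. The bodies of TIFFReadDirectory and TIFFPrintDirectory start and end outside these hunks.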
0 105
new file mode 100644
... ...
@@ -0,0 +1,37 @@
0
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
1
+index 4ccb443..94d85e3 100644
2
+--- a/libtiff/tif_lzw.c
3
+@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
4
+ 	char *tp;
5
+ 	unsigned char *bp;
6
+ 	int code, nbits;
7
++	int len;
8
+ 	long nextbits, nextdata, nbitsmask;
9
+ 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
10
+ 
11
+@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
12
+ 				}  while (--occ);
13
+ 				break;
14
+ 			}
15
+-			assert(occ >= codep->length);
16
+-			op += codep->length;
17
+-			occ -= codep->length;
18
+-			tp = op;
19
++			len = codep->length;
20
++			tp = op + len;
21
+ 			do {
22
+-				*--tp = codep->value;
23
+-			} while( (codep = codep->next) != NULL );
24
++				int t;
25
++				--tp;
26
++				t = codep->value;
27
++				codep = codep->next;
28
++				*tp = (char)t;
29
++			} while (codep && tp > op);
30
++			assert(occ >= len);
31
++			op += len;
32
++			occ -= len;
33
+ 		} else {
34
+ 			*op++ = (char)code;
35
+ 			occ--;
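Review bot: The rewritten copy loop in LZWDecodeCompat stops on `tp > op`, but nothing after it checks whether `codep` is still non-NULL. A code chain longer than its recorded `length` (a corrupt table) is therefore cut off silently, and the strip decodes to wrong data with no diagnostic. An explicit check right after the loop, `if (codep) { /* report corrupt code table and stop decoding this strip */ }`, would surface the malformed input. The relocated `assert(occ >= len)` is compiled out under NDEBUG, so it documents the invariant rather than enforcing it; whether the branch above the hunk already guarantees `len <= occ` is not visible here. The function body starts and ends outside the hunk.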
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:        TIFF libraries and associated utilities.
2 2
 Name:           libtiff
3 3
 Version:        4.0.9
4
-Release:        4%{?dist}
4
+Release:        5%{?dist}
5 5
 License:        libtiff
6 6
 URL:            http://www.simplesystems.org/libtiff/
7 7
 Group:          System Environment/Libraries
... ...
@@ -16,6 +16,9 @@ Patch2:         libtiff-4.0.9-CVE-2017-17095.patch
16 16
 Patch3:         libtiff-4.0.9-CVE-2018-5784.patch
17 17
 Patch4:         libtiff-4.0-9-CVE-2017-11613-1.patch
18 18
 Patch5:         libtiff-4.0-9-CVE-2017-11613-2.patch
19
+Patch6:         libtiff-4.0-9-CVE-2018-7456.patch
20
+Patch7:         libtiff-4.0.9-CVE-2018-8905.patch
21
+
19 22
 BuildRequires:  libjpeg-turbo-devel
20 23
 Requires:       libjpeg-turbo
21 24
 %description
... ...
@@ -36,6 +39,8 @@ It contains the libraries and header files to create applications
36 36
 %patch3 -p1
37 37
 %patch4 -p1
38 38
 %patch5 -p1
39
+%patch6 -p1
40
+%patch7 -p1
39 41
 %build
40 42
 %configure \
41 43
     --disable-static
... ...
@@ -69,6 +74,8 @@ make %{?_smp_mflags} -k check
69 69
 %{_datadir}/man/man3/*
70 70
 
71 71
 %changelog
72
+*   Mon May 14 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-5
73
+-   Fix CVE-2018-7456, CVE-2018-8905
72 74
 *   Fri Apr 20 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-4
73 75
 -   Patches for CVE-2018-5784, CVE-2017-11613
74 76
 *   Wed Feb 14 2018 Dheeraj Shetty <dheerajs@vmware.com> 4.0.9-3