Change-Id: I5b1f0db1f55a6cb92cf5aa13fd85ddc58e995a66
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4291
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,122 @@ |
0 |
+diff -dupr a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c |
|
1 |
+--- a/libtiff/tif_dirread.c 2017-05-20 10:55:48.229231053 -0700 |
|
2 |
+@@ -765,6 +765,67 @@ static enum TIFFReadDirEntryErr TIFFRead |
|
3 |
+ } |
|
4 |
+ } |
|
5 |
+ |
|
6 |
++#define INITIAL_THRESHOLD (1024 * 1024) |
|
7 |
++#define THRESHOLD_MULTIPLIER 10 |
|
8 |
++#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) |
|
9 |
++ |
|
10 |
++static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc( |
|
11 |
++ TIFF* tif, uint64 offset, tmsize_t size, void** pdest) |
|
12 |
++{ |
|
13 |
++#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 |
|
14 |
++ tmsize_t threshold = INITIAL_THRESHOLD; |
|
15 |
++#endif |
|
16 |
++ tmsize_t already_read = 0; |
|
17 |
++ |
|
18 |
++ assert( !isMapped(tif) ); |
|
19 |
++ |
|
20 |
++ if (!SeekOK(tif,offset)) |
|
21 |
++ return(TIFFReadDirEntryErrIo); |
|
22 |
++ |
|
23 |
++ /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */ |
|
24 |
++ /* so as to avoid allocating too much memory in case the file is too */ |
|
25 |
++ /* short. We could ask for the file size, but this might be */ |
|
26 |
++ /* expensive with some I/O layers (think of reading a gzipped file) */ |
|
27 |
++ /* Restrict to 64 bit processes, so as to avoid reallocs() */ |
|
28 |
++ /* on 32 bit processes where virtual memory is scarce. */ |
|
29 |
++ while( already_read < size ) |
|
30 |
++ { |
|
31 |
++ void* new_dest; |
|
32 |
++ tmsize_t bytes_read; |
|
33 |
++ tmsize_t to_read = size - already_read; |
|
34 |
++#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 |
|
35 |
++ if( to_read >= threshold && threshold < MAX_THRESHOLD ) |
|
36 |
++ { |
|
37 |
++ to_read = threshold; |
|
38 |
++ threshold *= THRESHOLD_MULTIPLIER; |
|
39 |
++ } |
|
40 |
++#endif |
|
41 |
++ |
|
42 |
++ new_dest = (uint8*) _TIFFrealloc( |
|
43 |
++ *pdest, already_read + to_read); |
|
44 |
++ if( new_dest == NULL ) |
|
45 |
++ { |
|
46 |
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, |
|
47 |
++ "Failed to allocate memory for %s " |
|
48 |
++ "(%ld elements of %ld bytes each)", |
|
49 |
++ "TIFFReadDirEntryArray", |
|
50 |
++ (long) 1, (long) already_read + to_read); |
|
51 |
++ return TIFFReadDirEntryErrAlloc; |
|
52 |
++ } |
|
53 |
++ *pdest = new_dest; |
|
54 |
++ |
|
55 |
++ bytes_read = TIFFReadFile(tif, |
|
56 |
++ (char*)*pdest + already_read, to_read); |
|
57 |
++ already_read += bytes_read; |
|
58 |
++ if (bytes_read != to_read) { |
|
59 |
++ return TIFFReadDirEntryErrIo; |
|
60 |
++ } |
|
61 |
++ } |
|
62 |
++ return TIFFReadDirEntryErrOk; |
|
63 |
++} |
|
64 |
++ |
|
65 |
++ |
|
66 |
++ |
|
67 |
+ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value) |
|
68 |
+ { |
|
69 |
+ int typesize; |
|
70 |
+@@ -791,9 +852,23 @@ static enum TIFFReadDirEntryErr TIFFRead |
|
71 |
+ *count=(uint32)direntry->tdir_count; |
|
72 |
+ datasize=(*count)*typesize; |
|
73 |
+ assert((tmsize_t)datasize>0); |
|
74 |
+- data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); |
|
75 |
+- if (data==0) |
|
76 |
+- return(TIFFReadDirEntryErrAlloc); |
|
77 |
++ |
|
78 |
++ if( isMapped(tif) && datasize > tif->tif_size ) |
|
79 |
++ return TIFFReadDirEntryErrIo; |
|
80 |
++ |
|
81 |
++ if( !isMapped(tif) && |
|
82 |
++ (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) || |
|
83 |
++ (!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) ) |
|
84 |
++ { |
|
85 |
++ data = NULL; |
|
86 |
++ } |
|
87 |
++ else |
|
88 |
++ { |
|
89 |
++ data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); |
|
90 |
++ if (data==0) |
|
91 |
++ return(TIFFReadDirEntryErrAlloc); |
|
92 |
++ } |
|
93 |
++ |
|
94 |
+ if (!(tif->tif_flags&TIFF_BIGTIFF)) |
|
95 |
+ { |
|
96 |
+ if (datasize<=4) |
|
97 |
+@@ -804,7 +879,10 @@ static enum TIFFReadDirEntryErr TIFFRead |
|
98 |
+ uint32 offset = direntry->tdir_offset.toff_long; |
|
99 |
+ if (tif->tif_flags&TIFF_SWAB) |
|
100 |
+ TIFFSwabLong(&offset); |
|
101 |
+- err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); |
|
102 |
++ if( isMapped(tif) ) |
|
103 |
++ err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); |
|
104 |
++ else |
|
105 |
++ err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); |
|
106 |
+ if (err!=TIFFReadDirEntryErrOk) |
|
107 |
+ { |
|
108 |
+ _TIFFfree(data); |
|
109 |
+@@ -822,7 +900,10 @@ static enum TIFFReadDirEntryErr TIFFRead |
|
110 |
+ uint64 offset = direntry->tdir_offset.toff_long8; |
|
111 |
+ if (tif->tif_flags&TIFF_SWAB) |
|
112 |
+ TIFFSwabLong8(&offset); |
|
113 |
+- err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data); |
|
114 |
++ if( isMapped(tif) ) |
|
115 |
++ err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); |
|
116 |
++ else |
|
117 |
++ err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); |
|
118 |
+ if (err!=TIFFReadDirEntryErrOk) |
|
119 |
+ { |
|
120 |
+ _TIFFfree(data); |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 | 3 |
Version: 4.0.8 |
4 |
-Release: 4%{?dist} |
|
4 |
+Release: 5%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.simplesystems.org/libtiff/ |
7 | 7 |
Group: System Environment/Libraries |
... | ... |
@@ -15,6 +15,7 @@ Patch1: libtiff-4.0.6-CVE-2015-1547.patch |
15 | 15 |
Patch2: libtiff-CVE-2017-10688.patch |
16 | 16 |
Patch3: libtiff-4.0.8-CVE-2017-9936.patch |
17 | 17 |
Patch4: libtiff-4.0.8-CVE-2017-11335.patch |
18 |
+Patch5: libtiff-4.0.8-CVE-2017-12944.patch |
|
18 | 19 |
BuildRequires: libjpeg-turbo-devel |
19 | 20 |
Requires: libjpeg-turbo |
20 | 21 |
%description |
... | ... |
@@ -34,6 +35,7 @@ It contains the libraries and header files to create applications |
34 | 34 |
%patch2 -p1 |
35 | 35 |
%patch3 -p1 |
36 | 36 |
%patch4 -p1 |
37 |
+%patch5 -p1 |
|
37 | 38 |
%build |
38 | 39 |
%configure \ |
39 | 40 |
--disable-static |
... | ... |
@@ -67,6 +69,8 @@ make %{?_smp_mflags} -k check |
67 | 67 |
%{_datadir}/man/man3/* |
68 | 68 |
|
69 | 69 |
%changelog |
70 |
+* Mon Nov 13 2017 Dheeraj Shetty <dheerajs@vmware.com> 4.0.8-5 |
|
71 |
+- Patch : CVE-2017-12944 |
|
70 | 72 |
* Fri Oct 13 2017 Alexey Makhalov <amakhalov@vmware.com> 4.0.8-4 |
71 | 73 |
- Use standard configure macros |
72 | 74 |
* Wed Aug 09 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.0.8-3 |