new file mode 100644

@@ -0,0 +1,153 @@

+From faf20bd484aece918692831da5fad236b983fa08 Mon Sep 17 00:00:00 2001

+From: Brian May <brian@linuxpenguins.xyz>

+Date: Thu, 7 Dec 2017 07:46:47 +1100

+Subject: [PATCH] Fix CVE-2017-9935

+

+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704

+

+This vulnerability - at least for the supplied test case - is because we

+assume that a tiff will only have one transfer function that is the same

+for all pages. This is not required by the TIFF standards.

+

+We than read the transfer function for every page.  Depending on the

+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.

+We allocate this memory after we read in the transfer function for the

+page.

+

+For the first exploit - POC1, this file has 3 pages. For the first page

+we allocate 2 extra extra XREF entries. Then for the next page 2 more

+entries. Then for the last page the transfer function changes and we

+allocate 4 more entries.

+

+When we read the file into memory, we assume we have 4 bytes extra for

+each and every page (as per the last transfer function we read). Which

+is not correct, we only have 2 bytes extra for the first 2 pages. As a

+result, we end up writing past the end of the buffer.

+

+There are also some related issues that this also fixes. For example,

+TIFFGetField can return uninitalized pointer values, and the logic to

+detect a N=3 vs N=1 transfer function seemed rather strange.

+

+It is also strange that we declare the transfer functions to be of type

+float, when the standard says they are unsigned 16 bit values. This is

+fixed in another patch.

+

+This patch will check to ensure that the N value for every transfer

+function is the same for every page. If this changes, we abort with an

+error. In theory, we should perhaps check that the transfer function

+itself is identical for every page, however we don't do that due to the

+confusion of the type of the data in the transfer function.

+---

+ libtiff/tif_dir.c |  3 +++

+ tools/tiff2pdf.c  | 65 ++++++++++++++++++++++++++++++++++++++++++++---------------------

+ 2 files changed, 47 insertions(+), 21 deletions(-)

+

+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c

+index 2ccaf44..cbf2b69 100644

+--- a/libtiff/tif_dir.c

+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)

+ 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {

+ 				*va_arg(ap, uint16**) = td->td_transferfunction[1];

+ 				*va_arg(ap, uint16**) = td->td_transferfunction[2];

++			} else {

++				*va_arg(ap, uint16**) = NULL;

++				*va_arg(ap, uint16**) = NULL;

+ 			}

+ 			break;

+ 		case TIFFTAG_REFERENCEBLACKWHITE:

+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c

+index d1a9b09..c3ec074 100644

+--- a/tools/tiff2pdf.c

+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){

+ 	uint16 pagen=0;

+ 	uint16 paged=0;

+ 	uint16 xuint16=0;

++	uint16 tiff_transferfunctioncount=0;

++	float* tiff_transferfunction[3];

+ 

+ 	directorycount=TIFFNumberOfDirectories(input);

+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));

+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){

+                 }

+ #endif

+ 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,

+-                                 &(t2p->tiff_transferfunction[0]),

+-                                 &(t2p->tiff_transferfunction[1]),

+-                                 &(t2p->tiff_transferfunction[2]))) {

+-			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&

+-                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&

+-                           (t2p->tiff_transferfunction[1] !=

+-                            t2p->tiff_transferfunction[0])) {

+-				t2p->tiff_transferfunctioncount = 3;

+-				t2p->tiff_pages[i].page_extra += 4;

+-				t2p->pdf_xrefcount += 4;

+-			} else {

+-				t2p->tiff_transferfunctioncount = 1;

+-				t2p->tiff_pages[i].page_extra += 2;

+-				t2p->pdf_xrefcount += 2;

+-			}

+-			if(t2p->pdf_minorversion < 2)

+-				t2p->pdf_minorversion = 2;

++                                 &(tiff_transferfunction[0]),

++                                 &(tiff_transferfunction[1]),

++                                 &(tiff_transferfunction[2]))) {

++

++                        if((tiff_transferfunction[1] != (float*) NULL) &&

++                           (tiff_transferfunction[2] != (float*) NULL)

++                          ) {

++                            tiff_transferfunctioncount=3;

++                        } else {

++                            tiff_transferfunctioncount=1;

++                        }

+                 } else {

+-			t2p->tiff_transferfunctioncount=0;

++			tiff_transferfunctioncount=0;

+ 		}

++

++                if (i > 0){

++                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){

++                        TIFFError(

++                            TIFF2PDF_MODULE,

++                            "Different transfer function on page %d",

++                            i);

++                        t2p->t2p_error = T2P_ERR_ERROR;

++                        return;

++                    }

++                }

++

++                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;

++                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];

++                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];

++                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];

++                if(tiff_transferfunctioncount == 3){

++                        t2p->tiff_pages[i].page_extra += 4;

++                        t2p->pdf_xrefcount += 4;

++                        if(t2p->pdf_minorversion < 2)

++                                t2p->pdf_minorversion = 2;

++                } else if (tiff_transferfunctioncount == 1){

++                        t2p->tiff_pages[i].page_extra += 2;

++                        t2p->pdf_xrefcount += 2;

++                        if(t2p->pdf_minorversion < 2)

++                                t2p->pdf_minorversion = 2;

++                }

++

+ 		if( TIFFGetField(

+ 			input, 

+ 			TIFFTAG_ICCPROFILE, 

+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){

+ 			 &(t2p->tiff_transferfunction[1]),

+ 			 &(t2p->tiff_transferfunction[2]))) {

+ 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&

+-                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&

+-                   (t2p->tiff_transferfunction[1] !=

+-                    t2p->tiff_transferfunction[0])) {

++                   (t2p->tiff_transferfunction[2] != (float*) NULL)

++                  ) {

+ 			t2p->tiff_transferfunctioncount=3;

+ 		} else {

+ 			t2p->tiff_transferfunctioncount=1;

+--

+libgit2 0.26.0

+

@@ -1,7 +1,7 @@

 Summary:        TIFF libraries and associated utilities.

 Name:           libtiff

 Version:        4.0.8

-Release:        6%{?dist}

+Release:        7%{?dist}

 License:        libtiff

 URL:            http://www.simplesystems.org/libtiff/

 Group:          System Environment/Libraries

@@ -18,6 +18,7 @@ Patch4:         libtiff-4.0.8-CVE-2017-11335.patch

 Patch5:         libtiff-4.0.8-CVE-2017-12944.patch

 Patch6:         libtiff-4.0.8-CVE-2017-13726.patch

 Patch7:         libtiff-4.0.8-CVE-2017-13727.patch

+Patch8:         libtiff-4.0.8-CVE-2017-9935.patch

 BuildRequires:  libjpeg-turbo-devel

 Requires:       libjpeg-turbo

 %description

@@ -40,6 +41,7 @@ It contains the libraries and header files to create applications

 %patch5 -p1

 %patch6 -p1

 %patch7 -p1

+%patch8 -p1

 %build

 %configure \

     --disable-static

@@ -73,6 +75,8 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/man3/*

 %changelog

+*   Mon Dec 11 2017 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-7

+-   Added patch for CVE-2017-9935

 *   Mon Nov 27 2017 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-6

 -   Added patches for CVE-2017-13726, CVE-2017-13727

 *   Mon Nov 13 2017 Dheeraj Shetty <dheerajs@vmware.com> 4.0.8-5