Sun Jul 19 11:45:09 2009 UTC ()
Apply fix for integer overflows in various inter-color space conversion
tools taken from MapTools Bugzilla. This fixes CVE-2009-2347.
(tron)
diff -r1.87 -r1.88 pkgsrc/graphics/tiff/Makefile
diff -r1.42 -r1.43 pkgsrc/graphics/tiff/distinfo
diff -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-ca
diff -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-cb
--- pkgsrc/graphics/tiff/Makefile 2009/06/22 14:54:44 1.87
+++ pkgsrc/graphics/tiff/Makefile 2009/07/19 11:45:09 1.88
| @@ -1,17 +1,17 @@ | | | @@ -1,17 +1,17 @@ |
| 1 | # $NetBSD: Makefile,v 1.87 2009/06/22 14:54:44 drochner Exp $ | | 1 | # $NetBSD: Makefile,v 1.88 2009/07/19 11:45:09 tron Exp $ |
| 2 | | | 2 | |
| 3 | DISTNAME= tiff-3.8.2 | | 3 | DISTNAME= tiff-3.8.2 |
| 4 | PKGREVISION= 5 | | 4 | PKGREVISION= 6 |
| 5 | CATEGORIES= graphics | | 5 | CATEGORIES= graphics |
| 6 | MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ | | 6 | MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ |
| 7 | http://libtiff.maptools.org/dl/ | | 7 | http://libtiff.maptools.org/dl/ |
| 8 | | | 8 | |
| 9 | MAINTAINER= pkgsrc-users@NetBSD.org | | 9 | MAINTAINER= pkgsrc-users@NetBSD.org |
| 10 | HOMEPAGE= http://www.remotesensing.org/libtiff/ | | 10 | HOMEPAGE= http://www.remotesensing.org/libtiff/ |
| 11 | COMMENT= Library and tools for reading and writing TIFF data files | | 11 | COMMENT= Library and tools for reading and writing TIFF data files |
| 12 | | | 12 | |
| 13 | EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} | | 13 | EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} |
| 14 | | | 14 | |
| 15 | PKG_INSTALLATION_TYPES= overwrite pkgviews | | 15 | PKG_INSTALLATION_TYPES= overwrite pkgviews |
| 16 | PKG_DESTDIR_SUPPORT= user-destdir | | 16 | PKG_DESTDIR_SUPPORT= user-destdir |
| 17 | | | 17 | |
--- pkgsrc/graphics/tiff/distinfo 2009/06/22 14:54:44 1.42
+++ pkgsrc/graphics/tiff/distinfo 2009/07/19 11:45:09 1.43
| @@ -1,18 +1,20 @@ | | | @@ -1,18 +1,20 @@ |
| 1 | $NetBSD: distinfo,v 1.42 2009/06/22 14:54:44 drochner Exp $ | | 1 | $NetBSD: distinfo,v 1.43 2009/07/19 11:45:09 tron Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (tiff-3.8.2.tar.gz) = 549e67b6a15b42bfcd72fe17cda7c9a198a393eb | | 3 | SHA1 (tiff-3.8.2.tar.gz) = 549e67b6a15b42bfcd72fe17cda7c9a198a393eb |
| 4 | RMD160 (tiff-3.8.2.tar.gz) = 1b4d825e3be08764e953fc58246d0c25ab4dd17d | | 4 | RMD160 (tiff-3.8.2.tar.gz) = 1b4d825e3be08764e953fc58246d0c25ab4dd17d |
| 5 | Size (tiff-3.8.2.tar.gz) = 1336295 bytes | | 5 | Size (tiff-3.8.2.tar.gz) = 1336295 bytes |
| 6 | SHA1 (patch-aa) = edac79a6f3b61e9fc787fe14f750d88023a29bfa | | 6 | SHA1 (patch-aa) = edac79a6f3b61e9fc787fe14f750d88023a29bfa |
| 7 | SHA1 (patch-ab) = b517cb8bc2212d3e6c5a70db1bdf45b85b78fc72 | | 7 | SHA1 (patch-ab) = b517cb8bc2212d3e6c5a70db1bdf45b85b78fc72 |
| 8 | SHA1 (patch-ac) = 24bb2d78d63df7f02d128c7dc6a4c8db50fac891 | | 8 | SHA1 (patch-ac) = 24bb2d78d63df7f02d128c7dc6a4c8db50fac891 |
| 9 | SHA1 (patch-at) = 4006ed90f6ab88aff30e2537d613a1b44b5c7347 | | 9 | SHA1 (patch-at) = 4006ed90f6ab88aff30e2537d613a1b44b5c7347 |
| 10 | SHA1 (patch-au) = c53ed7521c3918081526ad63cd0c1c45c9a0b9ff | | 10 | SHA1 (patch-au) = c53ed7521c3918081526ad63cd0c1c45c9a0b9ff |
| 11 | SHA1 (patch-av) = 38852ef5028f6c0ad7a3e5497248f264f0cb7366 | | 11 | SHA1 (patch-av) = 38852ef5028f6c0ad7a3e5497248f264f0cb7366 |
| 12 | SHA1 (patch-aw) = 8df07a9bc23092cfde2b364a1965efcfdc848b1e | | 12 | SHA1 (patch-aw) = 8df07a9bc23092cfde2b364a1965efcfdc848b1e |
| 13 | SHA1 (patch-ax) = 1a111d7a80bf98a650d147c035cd719d34aafc8a | | 13 | SHA1 (patch-ax) = 1a111d7a80bf98a650d147c035cd719d34aafc8a |
| 14 | SHA1 (patch-ay) = db50f1d97b5d3b94e4d470b49642fe105977e0b7 | | 14 | SHA1 (patch-ay) = db50f1d97b5d3b94e4d470b49642fe105977e0b7 |
| 15 | SHA1 (patch-az) = ec57ebacc6052221ae63084d23c7c7b4aea029d8 | | 15 | SHA1 (patch-az) = ec57ebacc6052221ae63084d23c7c7b4aea029d8 |
| 16 | SHA1 (patch-ba) = d4bd9c67a9bf2be93286f8268ac520c4b88ba3ae | | 16 | SHA1 (patch-ba) = d4bd9c67a9bf2be93286f8268ac520c4b88ba3ae |
| 17 | SHA1 (patch-bb) = cbc7feda655a02809de55be6470cc25cda942a08 | | 17 | SHA1 (patch-bb) = cbc7feda655a02809de55be6470cc25cda942a08 |
| 18 | SHA1 (patch-bc) = 9baa1c138cd3cb6366ae3e638518b94dfea172cc | | 18 | SHA1 (patch-bc) = 9baa1c138cd3cb6366ae3e638518b94dfea172cc |
| | | 19 | SHA1 (patch-ca) = 3c90d9735f0586632db05ceb50b336cbfdf279b6 |
| | | 20 | SHA1 (patch-cb) = 349c8764091d69f5eca84588837022d218b2165c |
$NetBSD: patch-ca,v 1.1 2009/07/19 11:45:09 tron Exp $
Patch for CVE-2009-2347, taken from here:
http://bugzilla.maptools.org/show_bug.cgi?id=2079
--- tools/rgb2ycbcr.c.orig 2004-09-03 08:57:13.000000000 +0100
+++ tools/rgb2ycbcr.c 2009-07-19 12:39:06.000000000 +0100
@@ -202,6 +202,17 @@
#undef LumaBlue
#undef V2Code
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
/*
* Convert a strip of RGB data to YCbCr and
* sample to generate the output data.
@@ -278,10 +289,19 @@
float floatv;
char *stringv;
uint32 longv;
+ tsize_t raster_size;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
$NetBSD: patch-cb,v 1.1 2009/07/19 11:45:09 tron Exp $
Patch for CVE-2009-2347, taken from here:
http://bugzilla.maptools.org/show_bug.cgi?id=2079
--- tools/tiff2rgba.c.orig 2004-11-07 11:08:37.000000000 +0000
+++ tools/tiff2rgba.c 2009-07-19 12:39:06.000000000 +0100
@@ -124,6 +124,17 @@
return (0);
}
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
static int
cvt_by_tile( TIFF *in, TIFF *out )
@@ -133,6 +144,7 @@
uint32 tile_width, tile_height;
uint32 row, col;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -150,7 +162,14 @@
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) tile_width, (unsigned long) tile_height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -158,7 +177,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
if (!wrk_line) {
@@ -226,6 +245,7 @@
uint32 width, height; /* image width & height */
uint32 row;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -241,7 +261,14 @@
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) rowsperstrip);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -249,7 +276,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
if (!wrk_line) {
@@ -328,14 +355,22 @@
uint32* raster; /* retrieve RGBA image */
uint32 width, height; /* image width & height */
uint32 row;
-
+ tsize_t raster_size;
+
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -353,7 +388,7 @@
*/
if( no_alpha )
{
- int pixel_count = width * height;
+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
unsigned char *src, *dst;
src = (unsigned char *) raster;