Thu Mar 31 11:05:45 2011 UTC ()
add patch from upstream
(http://bugzilla.maptools.org/show_bug.cgi?id=2300)
to fix possible buffer overflow in the "thunder" decoder (CVE-2011-1167)
bump PKGREV
(drochner)
diff -r1.99 -r1.100 pkgsrc/graphics/tiff/Makefile
diff -r1.50 -r1.51 pkgsrc/graphics/tiff/distinfo
diff -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-CVE-2011-1167
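--- a/pkgsrc/graphics/tiff/Makefile
+++ b/pkgsrc/graphics/tiff/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.99 2011/03/12 16:10:42 tron Exp $
+# $NetBSD: Makefile,v 1.100 2011/03/31 11:05:44 drochner Exp $
 
 DISTNAME= tiff-3.9.4
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= graphics
 MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
 http://libtiff.maptools.org/dl/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.remotesensing.org/libtiff/
 COMMENT= Library and tools for reading and writing TIFF data files
 
 EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX}
 
 PKG_INSTALLATION_TYPES= overwrite pkgviews
 PKG_DESTDIR_SUPPORT= user-destdir
 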
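--- a/pkgsrc/graphics/tiff/distinfo
+++ b/pkgsrc/graphics/tiff/distinfo
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.50 2011/03/12 16:10:42 tron Exp $
+$NetBSD: distinfo,v 1.51 2011/03/31 11:05:44 drochner Exp $
 
 SHA1 (tiff-3.9.4.tar.gz) = a4e32d55afbbcabd0391a9c89995e8e8a19961de
 RMD160 (tiff-3.9.4.tar.gz) = 3e0a74b6294297c16fb983ad68056a1dfbbdb1de
 Size (tiff-3.9.4.tar.gz) = 1436968 bytes
+SHA1 (patch-CVE-2011-1167) = 30099dc0e1a8271d65799365ce81fda3081f5d5b
 SHA1 (patch-SA43593) = d24ff27a7a2e659c632d5a5fb720a908915e8595
 SHA1 (patch-aa) = 0ed02eb18454f4d91bf2fad6b9262bc442cd0822
 SHA1 (patch-ab) = 66101ec437ff222d629120e52e2011ea5b36dca0
 SHA1 (patch-ac) = 7211eebf68e73790ac1263efb16943e59cbffa95
 SHA1 (patch-ad) = bae790a9309967f874987f1da57e5f93a67094e1
 SHA1 (patch-ae) = 33dd5e9307a55273e9aaacdd7f5f9aea51aa5adc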
$NetBSD: patch-CVE-2011-1167,v 1.1 2011/03/31 11:05:45 drochner Exp $
--- libtiff/tif_thunder.c.orig 2010-06-08 18:50:43.000000000 +0000
+++ libtiff/tif_thunder.c
@@ -25,6 +25,7 @@
*/
#include "tiffiop.h"
+#include <assert.h>
#ifdef THUNDER_SUPPORT
/*
* TIFF Library.
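Review bot: The added `#include <assert.h>` has no user in the hunks shown, since none of the new lines calls `assert()`. If nothing elsewhere in tif_thunder.c needs it, the include can be dropped. If an assertion was planned for the decoder, note that limits derived from the file being read should stay as runtime checks that return 0, because `assert()` is compiled out under `NDEBUG` and aborts the host process otherwise. The include also sits above `#ifdef THUNDER_SUPPORT`, so it is pulled in even when the decoder is compiled out.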
@@ -55,12 +56,32 @@
static const int twobitdeltas[4] = { 0, 1, 0, -1 };
static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
-#define SETPIXEL(op, v) { \
- lastpixel = (v) & 0xf; \
- if (npixels++ & 1) \
- *op++ |= lastpixel; \
- else \
+#define SETPIXEL(op, v) { \
+ lastpixel = (v) & 0xf; \
+ if ( npixels < maxpixels ) \
+ { \
+ if (npixels++ & 1) \
+ *op++ |= lastpixel; \
+ else \
op[0] = (tidataval_t) (lastpixel << 4); \
+ } \
+}
+
+static int
+ThunderSetupDecode(TIFF* tif)
+{
+ static const char module[] = "ThunderSetupDecode";
+
+ if( tif->tif_dir.td_bitspersample != 4 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
+ (int) tif->tif_dir.td_bitspersample );
+ return 0;
+ }
+
+
+ return (1);
}
static int
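Review bot: The new `npixels < maxpixels` guard in SETPIXEL counts pixels, not bytes, so it bounds the bytes written through `op` only under the macro's two-pixels-per-byte packing; the `td_bitspersample != 4` rejection in ThunderSetupDecode looks like the matching precondition on the row buffer size, but neither place says so. I would put a comment above the macro such as `/* Bound is in pixels; it limits writes through op only because ThunderSetupDecode() rejects anything but 4 bits per sample. */`. The macro also takes `npixels`, `lastpixel` and now `maxpixels` from the expansion site, which lies outside this hunk, so every function that expands it must declare all three. Pixels past the limit are dropped without a diagnostic at this point while `lastpixel` is still updated; whether the caller reports the overrun afterwards is not visible here.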
@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
occ -= tif->tif_scanlinesize;
row += tif->tif_scanlinesize;
}
- return (1);
+
+ return (1);
}
int
@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
(void) scheme;
tif->tif_decoderow = ThunderDecodeRow;
tif->tif_decodestrip = ThunderDecodeRow;
+ tif->tif_setupdecode = ThunderSetupDecode;
return (1);
}
#endif /* THUNDER_SUPPORT */
@@ -163,3 +186,4 @@ TIFFInitThunderScan(TIFF* tif, int schem
* fill-column: 78
* End:
*/
+