Thu Mar 31 11:05:45 2011 UTC ()

add patch from upstream
(http://bugzilla.maptools.org/show_bug.cgi?id=2300)
to fix possible buffer overflow in the "thunder" decoder (CVE-2011-1167)
bump PKGREV


(drochner)

diff -r1.99 -r1.100 pkgsrc/graphics/tiff/Makefile
diff -r1.50 -r1.51 pkgsrc/graphics/tiff/distinfo
diff -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-CVE-2011-1167

--- pkgsrc/graphics/tiff/Makefile 2011/03/12 16:10:42 1.99
+++ pkgsrc/graphics/tiff/Makefile 2011/03/31 11:05:44 1.100

 @@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.99 2011/03/12 16:10:42 tron Exp $
+# $NetBSD: Makefile,v 1.100 2011/03/31 11:05:44 drochner Exp $
 DISTNAME=	tiff-3.9.4
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://libtiff.maptools.org/dl/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.remotesensing.org/libtiff/
 COMMENT=	Library and tools for reading and writing TIFF data files
 EXTRACT_ONLY=	${DISTNAME}${EXTRACT_SUFX}
 PKG_INSTALLATION_TYPES=	overwrite pkgviews
 PKG_DESTDIR_SUPPORT=	user-destdir

--- pkgsrc/graphics/tiff/distinfo 2011/03/12 16:10:42 1.50
+++ pkgsrc/graphics/tiff/distinfo 2011/03/31 11:05:44 1.51

 @@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.50 2011/03/12 16:10:42 tron Exp $
+$NetBSD: distinfo,v 1.51 2011/03/31 11:05:44 drochner Exp $
 SHA1 (tiff-3.9.4.tar.gz) = a4e32d55afbbcabd0391a9c89995e8e8a19961de
 RMD160 (tiff-3.9.4.tar.gz) = 3e0a74b6294297c16fb983ad68056a1dfbbdb1de
 Size (tiff-3.9.4.tar.gz) = 1436968 bytes
 SHA1 (patch-CVE-2011-1167) = 30099dc0e1a8271d65799365ce81fda3081f5d5b
 SHA1 (patch-SA43593) = d24ff27a7a2e659c632d5a5fb720a908915e8595
 SHA1 (patch-aa) = 0ed02eb18454f4d91bf2fad6b9262bc442cd0822
 SHA1 (patch-ab) = 66101ec437ff222d629120e52e2011ea5b36dca0
 SHA1 (patch-ac) = 7211eebf68e73790ac1263efb16943e59cbffa95
 SHA1 (patch-ad) = bae790a9309967f874987f1da57e5f93a67094e1
 SHA1 (patch-ae) = 33dd5e9307a55273e9aaacdd7f5f9aea51aa5adc

$NetBSD: patch-CVE-2011-1167,v 1.1 2011/03/31 11:05:45 drochner Exp $

--- libtiff/tif_thunder.c.orig	2010-06-08 18:50:43.000000000 +0000
+++ libtiff/tif_thunder.c
@@ -25,6 +25,7 @@
  */
 
 #include "tiffiop.h"
+#include <assert.h>
 #ifdef THUNDER_SUPPORT
 /*
  * TIFF Library.
@@ -55,12 +56,32 @@
 static const int twobitdeltas[4] = { 0, 1, 0, -1 };
 static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
 
-#define	SETPIXEL(op, v) { \
-	lastpixel = (v) & 0xf; \
-	if (npixels++ & 1) \
-	    *op++ |= lastpixel; \
-	else \
+#define	SETPIXEL(op, v) {                     \
+	lastpixel = (v) & 0xf;                \
+        if ( npixels < maxpixels )         \
+        {                                     \
+	  if (npixels++ & 1)                  \
+	    *op++ |= lastpixel;               \
+	  else                                \
 	    op[0] = (tidataval_t) (lastpixel << 4); \
+        }                                     \
+}
+
+static int
+ThunderSetupDecode(TIFF* tif)
+{
+	static const char module[] = "ThunderSetupDecode";
+
+        if( tif->tif_dir.td_bitspersample != 4 )
+        {
+                TIFFErrorExt(tif->tif_clientdata, module,
+                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
+                             (int) tif->tif_dir.td_bitspersample );
+                return 0;
+        }
+        
+
+	return (1);
 }
 
 static int
@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
 		occ -= tif->tif_scanlinesize;
 		row += tif->tif_scanlinesize;
 	}
-	return (1);
+
+        return (1);
 }
 
 int
@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
 	(void) scheme;
 	tif->tif_decoderow = ThunderDecodeRow;
 	tif->tif_decodestrip = ThunderDecodeRow;
+        tif->tif_setupdecode = ThunderSetupDecode;
 	return (1);
 }
 #endif /* THUNDER_SUPPORT */
@@ -163,3 +186,4 @@ TIFFInitThunderScan(TIFF* tif, int schem
  * fill-column: 78
  * End:
  */
+