Tue Apr 10 14:13:04 2012 UTC ()
Add fix for CVE-2012-1173 from upstream.
Bump PKGREVISION.
(taca)
diff -r1.103 -r1.104 pkgsrc/graphics/tiff/Makefile
diff -r1.54 -r1.55 pkgsrc/graphics/tiff/distinfo
diff -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-libtiff_tif__getimage.c
diff -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h
--- pkgsrc/graphics/tiff/Makefile 2012/02/21 13:03:00 1.103
+++ pkgsrc/graphics/tiff/Makefile 2012/04/10 14:13:04 1.104
| @@ -1,16 +1,17 @@ | | | @@ -1,16 +1,17 @@ |
| 1 | # $NetBSD: Makefile,v 1.103 2012/02/21 13:03:00 drochner Exp $ | | 1 | # $NetBSD: Makefile,v 1.104 2012/04/10 14:13:04 taca Exp $ |
| 2 | | | 2 | |
| 3 | DISTNAME= tiff-4.0.1 | | 3 | DISTNAME= tiff-4.0.1 |
| | | 4 | PKGREVISION= 1 |
| 4 | CATEGORIES= graphics | | 5 | CATEGORIES= graphics |
| 5 | MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ | | 6 | MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ |
| 6 | http://libtiff.maptools.org/dl/ | | 7 | http://libtiff.maptools.org/dl/ |
| 7 | | | 8 | |
| 8 | MAINTAINER= pkgsrc-users@NetBSD.org | | 9 | MAINTAINER= pkgsrc-users@NetBSD.org |
| 9 | HOMEPAGE= http://www.remotesensing.org/libtiff/ | | 10 | HOMEPAGE= http://www.remotesensing.org/libtiff/ |
| 10 | COMMENT= Library and tools for reading and writing TIFF data files | | 11 | COMMENT= Library and tools for reading and writing TIFF data files |
| 11 | | | 12 | |
| 12 | EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} | | 13 | EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} |
| 13 | | | 14 | |
| 14 | PKG_INSTALLATION_TYPES= overwrite pkgviews | | 15 | PKG_INSTALLATION_TYPES= overwrite pkgviews |
| 15 | PKG_DESTDIR_SUPPORT= user-destdir | | 16 | PKG_DESTDIR_SUPPORT= user-destdir |
| 16 | | | 17 | |
--- pkgsrc/graphics/tiff/distinfo 2012/02/21 13:03:00 1.54
+++ pkgsrc/graphics/tiff/distinfo 2012/04/10 14:13:04 1.55
| @@ -1,6 +1,8 @@ | | | @@ -1,6 +1,8 @@ |
| 1 | $NetBSD: distinfo,v 1.54 2012/02/21 13:03:00 drochner Exp $ | | 1 | $NetBSD: distinfo,v 1.55 2012/04/10 14:13:04 taca Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (tiff-4.0.1.tar.gz) = 8baf382231c9051a1b3eb294581289aa21447171 | | 3 | SHA1 (tiff-4.0.1.tar.gz) = 8baf382231c9051a1b3eb294581289aa21447171 |
| 4 | RMD160 (tiff-4.0.1.tar.gz) = abf98ab277edaee302b432dbcecfe68061dd91dc | | 4 | RMD160 (tiff-4.0.1.tar.gz) = abf98ab277edaee302b432dbcecfe68061dd91dc |
| 5 | Size (tiff-4.0.1.tar.gz) = 1991580 bytes | | 5 | Size (tiff-4.0.1.tar.gz) = 1991580 bytes |
| 6 | SHA1 (patch-configure) = 0e86c6d69783333c03d6241e1824f68602f3c732 | | 6 | SHA1 (patch-configure) = 0e86c6d69783333c03d6241e1824f68602f3c732 |
| | | 7 | SHA1 (patch-libtiff_tif__getimage.c) = fc1f63b669fb8871935d4bf12e09dc1c78150f91 |
| | | 8 | SHA1 (patch-libtiff_tiffiop.h) = 8729e474106a0edce4284004f6f6d95b97c4a544 |
$NetBSD: patch-libtiff_tif__getimage.c,v 1.1 2012/04/10 14:13:04 taca Exp $
Fix for CVE-2012-1173 from upstream.
--- libtiff/tif_getimage.c.orig 2011-02-25 03:34:02.000000000 +0000
+++ libtiff/tif_getimage.c
@@ -692,6 +692,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint3
unsigned char* p2;
unsigned char* pa;
tmsize_t tilesize;
+ tmsize_t bufsize;
int32 fromskew, toskew;
int alpha = img->alpha;
uint32 nrow;
@@ -699,12 +700,17 @@ gtTileSeparate(TIFFRGBAImage* img, uint3
int colorchannels;
tilesize = TIFFTileSize(tif);
- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
+ bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
+ if (bufsize == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
+ return (0);
+ }
+ buf = (unsigned char*) _TIFFmalloc(bufsize);
if (buf == 0) {
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
return (0);
}
- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
+ _TIFFmemset(buf, 0, bufsize);
p0 = buf;
p1 = p0 + tilesize;
p2 = p1 + tilesize;
@@ -917,17 +923,23 @@ gtStripSeparate(TIFFRGBAImage* img, uint
uint32 rowsperstrip, offset_row;
uint32 imagewidth = img->width;
tmsize_t stripsize;
+ tmsize_t bufsize;
int32 fromskew, toskew;
int alpha = img->alpha;
int ret = 1, flip, colorchannels;
stripsize = TIFFStripSize(tif);
- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
+ bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
+ if (bufsize == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
+ return (0);
+ }
+ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
if (buf == 0) {
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
return (0);
}
- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
+ _TIFFmemset(buf, 0, bufsize);
p1 = p0 + stripsize;
p2 = p1 + stripsize;
pa = (alpha?(p2+stripsize):NULL);
$NetBSD: patch-libtiff_tiffiop.h,v 1.1 2012/04/10 14:13:04 taca Exp $
Fix for CVE-2012-1173 from upstream.
--- libtiff/tiffiop.h.orig 2011-02-19 16:26:09.000000000 +0000
+++ libtiff/tiffiop.h
@@ -250,7 +250,7 @@ struct tiff {
#define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
/* Safe multiply which returns zero if there is an integer overflow */
-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
+#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
#define TIFFmin(A,B) ((A)<(B)?(A):(B))