mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-11-15 19:35:25 -05:00
4b96149d8b
* gnu/packages/patches/libtiff-CVE-2016-10092.patch, gnu/packages/patches/libtiff-CVE-2016-10093.patch, gnu/packages/patches/libtiff-CVE-2016-10094.patch, gnu/packages/patches/libtiff-assertion-failure.patch, gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch, gnu/packages/patches/libtiff-divide-by-zero.patch, gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch, gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch, gnu/packages/patches/libtiff-invalid-read.patch, gnu/packages/patches/libtiff-null-dereference.patch, gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable.
67 lines
2.6 KiB
Diff
67 lines
2.6 KiB
Diff
Fix heap buffer overflow in tiffcp when parsing number of inks:
|
|
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=2599
|
|
|
|
2016-12-03 Even Rouault <even.rouault at spatialys.com>
|
|
|
|
* tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
|
|
called,
|
|
limit the return number of inks to SamplesPerPixel, so that code that
|
|
parses
|
|
ink names doesn't go past the end of the buffer.
|
|
Reported by Agostino Sarubbo.
|
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
|
|
|
|
|
|
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
|
|
new revision: 1.1184; previous revision: 1.1183
|
|
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c
|
|
new revision: 1.128; previous revision: 1.127
|
|
|
|
Index: libtiff/libtiff/tif_dir.c
|
|
===================================================================
|
|
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
|
|
retrieving revision 1.127
|
|
retrieving revision 1.128
|
|
diff -u -r1.127 -r1.128
|
|
--- libtiff/libtiff/tif_dir.c 25 Oct 2016 21:35:15 -0000 1.127
|
|
+++ libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128
|
|
@@ -1,4 +1,4 @@
|
|
-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
|
|
+/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 1988-1997 Sam Leffler
|
|
@@ -854,6 +854,32 @@
|
|
if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
|
|
return 0;
|
|
|
|
+ if( tag == TIFFTAG_NUMBEROFINKS )
|
|
+ {
|
|
+ int i;
|
|
+ for (i = 0; i < td->td_customValueCount; i++) {
|
|
+ uint16 val;
|
|
+ TIFFTagValue *tv = td->td_customValues + i;
|
|
+ if (tv->info->field_tag != tag)
|
|
+ continue;
|
|
+ val = *(uint16 *)tv->value;
|
|
+ /* Truncate to SamplesPerPixel, since the */
|
|
+ /* setting code for INKNAMES assume that there are SamplesPerPixel */
|
|
+ /* inknames. */
|
|
+ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
|
|
+ if( val > td->td_samplesperpixel )
|
|
+ {
|
|
+ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
|
|
+ "Truncating NumberOfInks from %u to %u",
|
|
+ val, td->td_samplesperpixel);
|
|
+ val = td->td_samplesperpixel;
|
|
+ }
|
|
+ *va_arg(ap, uint16*) = val;
|
|
+ return 1;
|
|
+ }
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
/*
|
|
* We want to force the custom code to be used for custom
|
|
* fields even if the tag happens to match a well known
|