guix/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
Leo Famulari 4b96149d8b
gnu: libtiff: Fix CVE-2016-{10092,10093,10094} and others.
* gnu/packages/patches/libtiff-CVE-2016-10092.patch,
gnu/packages/patches/libtiff-CVE-2016-10093.patch,
gnu/packages/patches/libtiff-CVE-2016-10094.patch,
gnu/packages/patches/libtiff-assertion-failure.patch,
gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch,
gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch,
gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch,
gnu/packages/patches/libtiff-divide-by-zero.patch,
gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch,
gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch,
gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch,
gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch,
gnu/packages/patches/libtiff-invalid-read.patch,
gnu/packages/patches/libtiff-null-dereference.patch,
gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
2017-01-10 17:52:42 -05:00

63 lines
2 KiB
Diff

Fix divide-by-zero in OJPEGDecodeRaw():
http://bugzilla.maptools.org/show_bug.cgi?id=2611
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure
in
OJPEGPreDecode(). This will avoid a divide by zero, and potential other
issues.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1177; previous revision: 1.1176
/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
new revision: 1.66; previous revision: 1.65
Index: libtiff/libtiff/tif_ojpeg.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- libtiff/libtiff/tif_ojpeg.c 4 Sep 2016 21:32:56 -0000 1.65
+++ libtiff/libtiff/tif_ojpeg.c 3 Dec 2016 11:15:18 -0000 1.66
@@ -1,4 +1,4 @@
-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
/* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
specification is now totally obsolete and deprecated for new applications and
@@ -244,6 +244,7 @@
typedef struct {
TIFF* tif;
+ int decoder_ok;
#ifndef LIBJPEG_ENCAP_EXTERNAL
JMP_BUF exit_jmpbuf;
#endif
@@ -722,6 +723,7 @@
}
sp->write_curstrile++;
}
+ sp->decoder_ok = 1;
return(1);
}
@@ -784,8 +786,14 @@
static int
OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
{
+ static const char module[]="OJPEGDecode";
OJPEGState* sp=(OJPEGState*)tif->tif_data;
(void)s;
+ if( !sp->decoder_ok )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
+ return 0;
+ }
if (sp->libjpeg_jpeg_query_style==0)
{
if (OJPEGDecodeRaw(tif,buf,cc)==0)