pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2017Q1] pkgsrc/graphics/tiff
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat May 6 15:08:52 UTC 2017
Modified Files:
pkgsrc/graphics/tiff [pkgsrc-2017Q1]: Makefile distinfo
pkgsrc/graphics/tiff/patches [pkgsrc-2017Q1]:
patch-libtiff_tif_dirread.c patch-tools_tiffcp.c
Added Files:
pkgsrc/graphics/tiff/patches [pkgsrc-2017Q1]: patch-libtiff_tif_dir.c
patch-libtiff_tif_dirwrite.c patch-tools_tiffcrop.c
Log Message:
Pullup ticket #5404 - requested by sevan
graphics/tiff: security fix
Revisions pulled up:
- graphics/tiff/Makefile 1.127-1.129
- graphics/tiff/distinfo 1.73-1.75
- graphics/tiff/patches/patch-libtiff_tif_dir.c 1.1
- graphics/tiff/patches/patch-libtiff_tif_dirread.c 1.2
- graphics/tiff/patches/patch-libtiff_tif_dirwrite.c 1.1
- graphics/tiff/patches/patch-tools_tiffcp.c 1.2
- graphics/tiff/patches/patch-tools_tiffcrop.c 1.1-1.2
---
Module Name: pkgsrc
Committed By: he
Date: Fri May 5 19:16:58 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile
Added Files:
pkgsrc/graphics/tiff/patches: patch-tools_tiffcrop.c
Log Message:
Apply fix from upstream to fix CVE-2016-10092, ref.
http://bugzilla.maptools.org/show_bug.cgi?id=2620 and
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: he
Date: Fri May 5 19:28:23 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: distinfo
Log Message:
Forgot "make mps", this one belongs to the previous update, 4.0.7nb3.
---
Module Name: pkgsrc
Committed By: he
Date: Fri May 5 20:06:03 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
pkgsrc/graphics/tiff/patches: patch-tools_tiffcp.c
Log Message:
Apply fix for CVE-2016-10093
http://bugzilla.maptools.org/show_bug.cgi?id=2610
https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: sevan
Date: Fri May 5 20:14:05 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dirread.c
patch-tools_tiffcrop.c
Added Files:
pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dir.c
patch-libtiff_tif_dirwrite.c
Log Message:
CVE-2017-7596
CVE-2017-7597
CVE-2017-7599
CVE-2017-7600
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Dependency for applying advisory patch.
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
Bump rev.
To generate a diff of this commit:
cvs rdiff -u -r1.125.4.1 -r1.125.4.2 pkgsrc/graphics/tiff/Makefile
cvs rdiff -u -r1.71.4.1 -r1.71.4.2 pkgsrc/graphics/tiff/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dir.c \
pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c
cvs rdiff -u -r1.2.2.2 -r1.2.2.3 \
pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c \
pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c
cvs rdiff -u -r0 -r1.2.2.2 \
pkgsrc/graphics/tiff/patches/patch-tools_tiffcrop.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/graphics/tiff/Makefile
diff -u pkgsrc/graphics/tiff/Makefile:1.125.4.1 pkgsrc/graphics/tiff/Makefile:1.125.4.2
--- pkgsrc/graphics/tiff/Makefile:1.125.4.1 Sat May 6 15:01:21 2017
+++ pkgsrc/graphics/tiff/Makefile Sat May 6 15:08:52 2017
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.125.4.1 2017/05/06 15:01:21 bsiegert Exp $
+# $NetBSD: Makefile,v 1.125.4.2 2017/05/06 15:08:52 bsiegert Exp $
DISTNAME= tiff-4.0.7
-PKGREVISION= 2
+PKGREVISION= 5
CATEGORIES= graphics
MASTER_SITES= ftp://download.osgeo.org/libtiff/
Index: pkgsrc/graphics/tiff/distinfo
diff -u pkgsrc/graphics/tiff/distinfo:1.71.4.1 pkgsrc/graphics/tiff/distinfo:1.71.4.2
--- pkgsrc/graphics/tiff/distinfo:1.71.4.1 Sat May 6 15:01:21 2017
+++ pkgsrc/graphics/tiff/distinfo Sat May 6 15:08:52 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.71.4.1 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: distinfo,v 1.71.4.2 2017/05/06 15:08:52 bsiegert Exp $
SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,7 +6,9 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f
Size (tiff-4.0.7.tar.gz) = 2076392 bytes
SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
-SHA1 (patch-libtiff_tif_dirread.c) = 5c92e2c65a5d95f444f039955ee1afbafeccf5db
+SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7
+SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d
+SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb
SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6
SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc
SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939
@@ -15,4 +17,5 @@ SHA1 (patch-libtiff_tif_unix.c) = c83127
SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc
SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c
SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f
-SHA1 (patch-tools_tiffcp.c) = fa4846cfb5a52eedfb6dc4ed1306f45e3988ddc3
+SHA1 (patch-tools_tiffcp.c) = 42573d15fc66655a09e9227213b0929238f7e651
+SHA1 (patch-tools_tiffcrop.c) = 1d729028fb8c05de958424234d5cc2808acc9b25
Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c
diff -u pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.2 pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.3
--- pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.2 Sat May 6 15:01:21 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c Sat May 6 15:08:52 2017
@@ -1,11 +1,40 @@
-$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.2 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
+CVE-2017-7596
+CVE-2017-7597
CVE-2017-7598
+CVE-2017-7599
+CVE-2017-7600
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
---- libtiff/tif_dirread.c.orig 2016-11-18 02:42:46.000000000 +0000
+--- libtiff/tif_dirread.c.orig 2017-05-05 18:56:15.000000000 +0000
+++ libtiff/tif_dirread.c
-@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+@@ -40,6 +40,7 @@
+ */
+
+ #include "tiffiop.h"
++#include <float.h>
+
+ #define IGNORE 0 /* tag placeholder used below */
+ #define FAILED_FII ((uint32) -1)
+@@ -2406,7 +2407,14 @@ static enum TIFFReadDirEntryErr TIFFRead
+ ma=(double*)origdata;
+ mb=data;
+ for (n=0; n<count; n++)
+- *mb++=(float)(*ma++);
++ {
++ double val = *ma++;
++ if( val > FLT_MAX )
++ val = FLT_MAX;
++ else if( val < -FLT_MAX )
++ val = -FLT_MAX;
++ *mb++=(float)val;
++ }
+ }
+ break;
+ }
+@@ -2872,7 +2880,10 @@ static enum TIFFReadDirEntryErr TIFFRead
m.l = direntry->tdir_offset.toff_long8;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong(m.i,2);
@@ -17,7 +46,7 @@ https://github.com/vadz/libtiff/commit/3
*value=0.0;
else
*value=(double)m.i[0]/(double)m.i[1];
-@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+@@ -2900,7 +2911,10 @@ static enum TIFFReadDirEntryErr TIFFRead
m.l=direntry->tdir_offset.toff_long8;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong(m.i,2);
Index: pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c
diff -u pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.2 pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.3
--- pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.2 Sat May 6 15:01:21 2017
+++ pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c Sat May 6 15:08:52 2017
@@ -1,10 +1,16 @@
-$NetBSD: patch-tools_tiffcp.c,v 1.2.2.2 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: patch-tools_tiffcp.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
CVE-2017-5225
http://bugzilla.maptools.org/show_bug.cgi?id=2656
http://bugzilla.maptools.org/show_bug.cgi?id=2657
https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
+and
+
+CVE-2016-10093
+http://bugzilla.maptools.org/show_bug.cgi?id=2610
+https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
+
--- tools/tiffcp.c.orig 2016-10-12 01:45:17.000000000 +0000
+++ tools/tiffcp.c
@@ -592,7 +592,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF
@@ -50,6 +56,33 @@ https://github.com/vadz/libtiff/commit/5
inbuf = _TIFFmalloc(scanlinesizein);
outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1163,7 +1183,7 @@ bad:
+
+ static void
+ cpStripToTile(uint8* out, uint8* in,
+- uint32 rows, uint32 cols, int outskew, int inskew)
++ uint32 rows, uint32 cols, int outskew, int64 inskew)
+ {
+ while (rows-- > 0) {
+ uint32 j = cols;
+@@ -1320,7 +1340,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+ tdata_t tilebuf;
+ uint32 imagew = TIFFScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew;
++ int64 iskew = (int64)imagew - (int64)tilew;
+ uint8* bufp = (uint8*) buf;
+ uint32 tw, tl;
+ uint32 row;
+@@ -1348,7 +1368,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+ status = 0;
+ goto done;
+ }
+- if (colb + tilew > imagew) {
++ if (colb > iskew) {
+ uint32 width = imagew - colb;
+ uint32 oskew = tilew - width;
+ cpStripToTile(bufp + colb,
@@ -1763,7 +1783,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16
uint32 w, l, tw, tl;
int bychunk;
Added files:
Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dir.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dir.c:1.1.2.2
--- /dev/null Sat May 6 15:08:52 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dir.c Sat May 6 15:08:52 2017
@@ -0,0 +1,63 @@
+$NetBSD: patch-libtiff_tif_dir.c,v 1.1.2.2 2017/05/06 15:08:52 bsiegert Exp $
+
+CVE-2017-7596
+CVE-2017-7597
+CVE-2017-7599
+CVE-2017-7600
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
+
+--- libtiff/tif_dir.c.orig 2016-10-29 23:03:18.000000000 +0000
++++ libtiff/tif_dir.c
+@@ -31,6 +31,7 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ /*
+ * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@ bad:
+ return (0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_xresolution = (float) dblval;
++ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_yresolution = (float) dblval;
++ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+ td->td_planarconfig = (uint16) v;
+ break;
+ case TIFFTAG_XPOSITION:
+- td->td_xposition = (float) va_arg(ap, double);
++ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_YPOSITION:
+- td->td_yposition = (float) va_arg(ap, double);
++ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_RESOLUTIONUNIT:
+ v = (uint16) va_arg(ap, uint16_vap);
Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c:1.1.2.2
--- /dev/null Sat May 6 15:08:52 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c Sat May 6 15:08:52 2017
@@ -0,0 +1,192 @@
+$NetBSD: patch-libtiff_tif_dirwrite.c,v 1.1.2.2 2017/05/06 15:08:52 bsiegert Exp $
+
+Dependency for applying advisory patch below without creating a variant.
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
+
+CVE-2017-7596
+CVE-2017-7597
+CVE-2017-7599
+CVE-2017-7600
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
+
+--- libtiff/tif_dirwrite.c.orig 2017-05-05 18:56:07.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -30,6 +30,7 @@
+ * Directory Write Support Routines.
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@ bad:
+ return(0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++ if( val > 127 )
++ return 127;
++ if( val < -128 || val != val )
++ return -128;
++ return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++ if( val > 32767 )
++ return 32767;
++ if( val < -32768 || val != val )
++ return -32768;
++ return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++ if( val > 0x7FFFFFFF )
++ return 0x7FFFFFFF;
++ if( val < -0x7FFFFFFF-1 || val != val )
++ return -0x7FFFFFFF-1;
++ return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 255 || val != val )
++ return 255;
++ return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 65535 || val != val )
++ return 65535;
++ return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@ TIFFWriteDirectoryTagSampleformatArray(T
+ if (tif->tif_dir.td_bitspersample<=32)
+ {
+ for (i = 0; i < count; ++i)
+- ((float*)conv)[i] = (float)value[i];
++ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+ }
+ else
+@@ -971,19 +1035,19 @@ TIFFWriteDirectoryTagSampleformatArray(T
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((int8*)conv)[i] = (int8)value[i];
++ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+ ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((int16*)conv)[i] = (int16)value[i];
++ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+ ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((int32*)conv)[i] = (int32)value[i];
++ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+ ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+ }
+ break;
+@@ -991,19 +1055,19 @@ TIFFWriteDirectoryTagSampleformatArray(T
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((uint8*)conv)[i] = (uint8)value[i];
++ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+ ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((uint16*)conv)[i] = (uint16)value[i];
++ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
+ ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((uint32*)conv)[i] = (uint32)value[i];
++ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
+ ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
+ }
+ break;
+@@ -2094,15 +2158,25 @@ TIFFWriteDirectoryTagCheckedSlong8Array(
+ static int
+ TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
+ {
++ static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
+ uint32 m[2];
+- assert(value>=0.0);
+ assert(sizeof(uint32)==4);
+- if (value<=0.0)
++ if( value < 0 )
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
++ return 0;
++ }
++ else if( value != value )
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
++ return 0;
++ }
++ else if (value==0.0)
+ {
+ m[0]=0;
+ m[1]=1;
+ }
+- else if (value==(double)(uint32)value)
++ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
+ {
+ m[0]=(uint32)value;
+ m[1]=1;
+@@ -2143,12 +2217,13 @@ TIFFWriteDirectoryTagCheckedRationalArra
+ }
+ for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
+ {
+- if (*na<=0.0)
++ if (*na<=0.0 || *na != *na)
+ {
+ nb[0]=0;
+ nb[1]=1;
+ }
+- else if (*na==(float)(uint32)(*na))
++ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
++ *na==(float)(uint32)(*na))
+ {
+ nb[0]=(uint32)(*na);
+ nb[1]=1;
Index: pkgsrc/graphics/tiff/patches/patch-tools_tiffcrop.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-tools_tiffcrop.c:1.2.2.2
--- /dev/null Sat May 6 15:08:52 2017
+++ pkgsrc/graphics/tiff/patches/patch-tools_tiffcrop.c Sat May 6 15:08:52 2017
@@ -0,0 +1,28 @@
+$NetBSD$
+
+CVE-2016-10092
+http://bugzilla.maptools.org/show_bug.cgi?id=2620
+https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
+Fix double free
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
+
+--- tools/tiffcrop.c.orig 2016-11-19 01:45:30.000000000 +0000
++++ tools/tiffcrop.c
+@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (T
+ (unsigned long) strip, (unsigned long)rows);
+ return 0;
+ }
+- bufp += bytes_read;
++ bufp += stripsize;
+ }
+
+ return 1;
+@@ -7986,7 +7986,6 @@ writeCroppedImage(TIFF *in, TIFF *out, s
+ if (!TIFFWriteDirectory(out))
+ {
+ TIFFError("","Failed to write IFD for page number %d", pagenum);
+- TIFFClose(out);
+ return (-1);
+ }
+
Home |
Main Index |
Thread Index |
Old Index