pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2017Q1] pkgsrc/graphics/tiff



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat May  6 15:08:52 UTC 2017

Modified Files:
        pkgsrc/graphics/tiff [pkgsrc-2017Q1]: Makefile distinfo
        pkgsrc/graphics/tiff/patches [pkgsrc-2017Q1]:
            patch-libtiff_tif_dirread.c patch-tools_tiffcp.c
Added Files:
        pkgsrc/graphics/tiff/patches [pkgsrc-2017Q1]: patch-libtiff_tif_dir.c
            patch-libtiff_tif_dirwrite.c patch-tools_tiffcrop.c

Log Message:
Pullup ticket #5404 - requested by sevan
graphics/tiff: security fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.127-1.129
- graphics/tiff/distinfo                                        1.73-1.75
- graphics/tiff/patches/patch-libtiff_tif_dir.c                 1.1
- graphics/tiff/patches/patch-libtiff_tif_dirread.c             1.2
- graphics/tiff/patches/patch-libtiff_tif_dirwrite.c            1.1
- graphics/tiff/patches/patch-tools_tiffcp.c                    1.2
- graphics/tiff/patches/patch-tools_tiffcrop.c                  1.1-1.2

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Fri May  5 19:16:58 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-tools_tiffcrop.c

   Log Message:
   Apply fix from upstream to fix CVE-2016-10092, ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2620 and
   https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Fri May  5 19:28:23 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: distinfo

   Log Message:
   Forgot "make mps", this one belongs to the previous update, 4.0.7nb3.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Fri May  5 20:06:03 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-tools_tiffcp.c

   Log Message:
   Apply fix for CVE-2016-10093
   http://bugzilla.maptools.org/show_bug.cgi?id=2610
   https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   sevan
   Date:           Fri May  5 20:14:05 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dirread.c
               patch-tools_tiffcrop.c
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dir.c
               patch-libtiff_tif_dirwrite.c

   Log Message:
   CVE-2017-7596
   CVE-2017-7597
   CVE-2017-7599
   CVE-2017-7600
   https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
   Dependency for applying advisory patch.
   +http://bugzilla.maptools.org/show_bug.cgi?id=2535
   +https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
   Bump rev.


To generate a diff of this commit:
cvs rdiff -u -r1.125.4.1 -r1.125.4.2 pkgsrc/graphics/tiff/Makefile
cvs rdiff -u -r1.71.4.1 -r1.71.4.2 pkgsrc/graphics/tiff/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dir.c \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c
cvs rdiff -u -r1.2.2.2 -r1.2.2.3 \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c \
    pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c
cvs rdiff -u -r0 -r1.2.2.2 \
    pkgsrc/graphics/tiff/patches/patch-tools_tiffcrop.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/tiff/Makefile
diff -u pkgsrc/graphics/tiff/Makefile:1.125.4.1 pkgsrc/graphics/tiff/Makefile:1.125.4.2
--- pkgsrc/graphics/tiff/Makefile:1.125.4.1     Sat May  6 15:01:21 2017
+++ pkgsrc/graphics/tiff/Makefile       Sat May  6 15:08:52 2017
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.125.4.1 2017/05/06 15:01:21 bsiegert Exp $
+# $NetBSD: Makefile,v 1.125.4.2 2017/05/06 15:08:52 bsiegert Exp $
 
 DISTNAME=      tiff-4.0.7
-PKGREVISION=   2
+PKGREVISION=   5
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 

Index: pkgsrc/graphics/tiff/distinfo
diff -u pkgsrc/graphics/tiff/distinfo:1.71.4.1 pkgsrc/graphics/tiff/distinfo:1.71.4.2
--- pkgsrc/graphics/tiff/distinfo:1.71.4.1      Sat May  6 15:01:21 2017
+++ pkgsrc/graphics/tiff/distinfo       Sat May  6 15:08:52 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.71.4.1 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: distinfo,v 1.71.4.2 2017/05/06 15:08:52 bsiegert Exp $
 
 SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,7 +6,9 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f
 Size (tiff-4.0.7.tar.gz) = 2076392 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
-SHA1 (patch-libtiff_tif_dirread.c) = 5c92e2c65a5d95f444f039955ee1afbafeccf5db
+SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7
+SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d
+SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb
 SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6
 SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc
 SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939
@@ -15,4 +17,5 @@ SHA1 (patch-libtiff_tif_unix.c) = c83127
 SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc
 SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c
 SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f
-SHA1 (patch-tools_tiffcp.c) = fa4846cfb5a52eedfb6dc4ed1306f45e3988ddc3
+SHA1 (patch-tools_tiffcp.c) = 42573d15fc66655a09e9227213b0929238f7e651
+SHA1 (patch-tools_tiffcrop.c) = 1d729028fb8c05de958424234d5cc2808acc9b25

Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c
diff -u pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.2 pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.3
--- pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.2    Sat May  6 15:01:21 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c    Sat May  6 15:08:52 2017
@@ -1,11 +1,40 @@
-$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.2 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
 
+CVE-2017-7596
+CVE-2017-7597
 CVE-2017-7598
+CVE-2017-7599
+CVE-2017-7600
 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
 
---- libtiff/tif_dirread.c.orig 2016-11-18 02:42:46.000000000 +0000
+--- libtiff/tif_dirread.c.orig 2017-05-05 18:56:15.000000000 +0000
 +++ libtiff/tif_dirread.c
-@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+@@ -40,6 +40,7 @@
+  */
+ 
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ #define IGNORE 0          /* tag placeholder used below */
+ #define FAILED_FII    ((uint32) -1)
+@@ -2406,7 +2407,14 @@ static enum TIFFReadDirEntryErr TIFFRead
+                               ma=(double*)origdata;
+                               mb=data;
+                               for (n=0; n<count; n++)
+-                                      *mb++=(float)(*ma++);
++                                {
++                                    double val = *ma++;
++                                    if( val > FLT_MAX )
++                                        val = FLT_MAX;
++                                    else if( val < -FLT_MAX )
++                                        val = -FLT_MAX;
++                                    *mb++=(float)val;
++                                }
+                       }
+                       break;
+       }
+@@ -2872,7 +2880,10 @@ static enum TIFFReadDirEntryErr TIFFRead
                m.l = direntry->tdir_offset.toff_long8;
        if (tif->tif_flags&TIFF_SWAB)
                TIFFSwabArrayOfLong(m.i,2);
@@ -17,7 +46,7 @@ https://github.com/vadz/libtiff/commit/3
                *value=0.0;
        else
                *value=(double)m.i[0]/(double)m.i[1];
-@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+@@ -2900,7 +2911,10 @@ static enum TIFFReadDirEntryErr TIFFRead
                m.l=direntry->tdir_offset.toff_long8;
        if (tif->tif_flags&TIFF_SWAB)
                TIFFSwabArrayOfLong(m.i,2);
Index: pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c
diff -u pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.2 pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.3
--- pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.2   Sat May  6 15:01:21 2017
+++ pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c   Sat May  6 15:08:52 2017
@@ -1,10 +1,16 @@
-$NetBSD: patch-tools_tiffcp.c,v 1.2.2.2 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: patch-tools_tiffcp.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
 
 CVE-2017-5225
 http://bugzilla.maptools.org/show_bug.cgi?id=2656
 http://bugzilla.maptools.org/show_bug.cgi?id=2657
 https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
 
+and
+
+CVE-2016-10093
+http://bugzilla.maptools.org/show_bug.cgi?id=2610
+https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
+
 --- tools/tiffcp.c.orig        2016-10-12 01:45:17.000000000 +0000
 +++ tools/tiffcp.c
 @@ -592,7 +592,7 @@ static     copyFunc pickCopyFunc(TIFF*, TIFF
@@ -50,6 +56,33 @@ https://github.com/vadz/libtiff/commit/5
  
        inbuf = _TIFFmalloc(scanlinesizein);
        outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1163,7 +1183,7 @@ bad:
+ 
+ static void
+ cpStripToTile(uint8* out, uint8* in,
+-    uint32 rows, uint32 cols, int outskew, int inskew)
++    uint32 rows, uint32 cols, int outskew, int64 inskew)
+ {
+       while (rows-- > 0) {
+               uint32 j = cols;
+@@ -1320,7 +1340,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+       tdata_t tilebuf;
+       uint32 imagew = TIFFScanlineSize(in);
+       uint32 tilew  = TIFFTileRowSize(in);
+-      int iskew = imagew - tilew;
++      int64 iskew = (int64)imagew - (int64)tilew;
+       uint8* bufp = (uint8*) buf;
+       uint32 tw, tl;
+       uint32 row;
+@@ -1348,7 +1368,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+                               status = 0;
+                               goto done;
+                       }
+-                      if (colb + tilew > imagew) {
++                      if (colb > iskew) {
+                               uint32 width = imagew - colb;
+                               uint32 oskew = tilew - width;
+                               cpStripToTile(bufp + colb,
 @@ -1763,7 +1783,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16
        uint32 w, l, tw, tl;
        int bychunk;

Added files:

Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dir.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dir.c:1.1.2.2
--- /dev/null   Sat May  6 15:08:52 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dir.c        Sat May  6 15:08:52 2017
@@ -0,0 +1,63 @@
+$NetBSD: patch-libtiff_tif_dir.c,v 1.1.2.2 2017/05/06 15:08:52 bsiegert Exp $
+
+CVE-2017-7596
+CVE-2017-7597
+CVE-2017-7599
+CVE-2017-7600
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
+
+--- libtiff/tif_dir.c.orig     2016-10-29 23:03:18.000000000 +0000
++++ libtiff/tif_dir.c
+@@ -31,6 +31,7 @@
+  * (and also some miscellaneous stuff)
+  */
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ /*
+  * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@ bad:
+       return (0);
+ }
+ 
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-              td->td_xresolution = (float) dblval;
++              td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+               break;
+       case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-              td->td_yresolution = (float) dblval;
++              td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+               break;
+       case TIFFTAG_PLANARCONFIG:
+               v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+               td->td_planarconfig = (uint16) v;
+               break;
+       case TIFFTAG_XPOSITION:
+-              td->td_xposition = (float) va_arg(ap, double);
++              td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+               break;
+       case TIFFTAG_YPOSITION:
+-              td->td_yposition = (float) va_arg(ap, double);
++              td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+               break;
+       case TIFFTAG_RESOLUTIONUNIT:
+               v = (uint16) va_arg(ap, uint16_vap);
Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c:1.1.2.2
--- /dev/null   Sat May  6 15:08:52 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c   Sat May  6 15:08:52 2017
@@ -0,0 +1,192 @@
+$NetBSD: patch-libtiff_tif_dirwrite.c,v 1.1.2.2 2017/05/06 15:08:52 bsiegert Exp $
+
+Dependency for applying advisory patch below without creating a variant.
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
+
+CVE-2017-7596
+CVE-2017-7597
+CVE-2017-7599
+CVE-2017-7600
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
+
+--- libtiff/tif_dirwrite.c.orig        2017-05-05 18:56:07.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -30,6 +30,7 @@
+  * Directory Write Support Routines.
+  */
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@ bad:
+       return(0);
+ }
+ 
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++    if( val > 127 )
++        return 127;
++    if( val < -128 || val != val )
++        return -128;
++    return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++    if( val > 32767 )
++        return 32767;
++    if( val < -32768 || val != val )
++        return -32768;
++    return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++    if( val > 0x7FFFFFFF )
++        return 0x7FFFFFFF;
++    if( val < -0x7FFFFFFF-1 || val != val )
++        return -0x7FFFFFFF-1;
++    return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 255 || val != val )
++        return 255;
++    return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 65535 || val != val )
++        return 65535;
++    return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 0xFFFFFFFFU || val != val )
++        return 0xFFFFFFFFU;
++    return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@ TIFFWriteDirectoryTagSampleformatArray(T
+                       if (tif->tif_dir.td_bitspersample<=32)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((float*)conv)[i] = (float)value[i];
++                                      ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+                               ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+                       }
+                       else
+@@ -971,19 +1035,19 @@ TIFFWriteDirectoryTagSampleformatArray(T
+                       if (tif->tif_dir.td_bitspersample<=8)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((int8*)conv)[i] = (int8)value[i];
++                                      ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+                               ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+                       }
+                       else if (tif->tif_dir.td_bitspersample<=16)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((int16*)conv)[i] = (int16)value[i];
++                                      ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+                               ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+                       }
+                       else
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((int32*)conv)[i] = (int32)value[i];
++                                      ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+                               ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+                       }
+                       break;
+@@ -991,19 +1055,19 @@ TIFFWriteDirectoryTagSampleformatArray(T
+                       if (tif->tif_dir.td_bitspersample<=8)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((uint8*)conv)[i] = (uint8)value[i];
++                                      ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+                               ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+                       }
+                       else if (tif->tif_dir.td_bitspersample<=16)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((uint16*)conv)[i] = (uint16)value[i];
++                                      ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
+                               ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
+                       }
+                       else
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((uint32*)conv)[i] = (uint32)value[i];
++                                      ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
+                               ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
+                       }
+                       break;
+@@ -2094,15 +2158,25 @@ TIFFWriteDirectoryTagCheckedSlong8Array(
+ static int
+ TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
+ {
++        static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
+       uint32 m[2];
+-      assert(value>=0.0);
+       assert(sizeof(uint32)==4);
+-      if (value<=0.0)
++        if( value < 0 )
++        {
++            TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
++            return 0;
++        }
++        else if( value != value )
++        {
++            TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
++            return 0;
++        }
++      else if (value==0.0)
+       {
+               m[0]=0;
+               m[1]=1;
+       }
+-      else if (value==(double)(uint32)value)
++      else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
+       {
+               m[0]=(uint32)value;
+               m[1]=1;
+@@ -2143,12 +2217,13 @@ TIFFWriteDirectoryTagCheckedRationalArra
+       }
+       for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
+       {
+-              if (*na<=0.0)
++              if (*na<=0.0 || *na != *na)
+               {
+                       nb[0]=0;
+                       nb[1]=1;
+               }
+-              else if (*na==(float)(uint32)(*na))
++              else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
++                         *na==(float)(uint32)(*na))
+               {
+                       nb[0]=(uint32)(*na);
+                       nb[1]=1;

Index: pkgsrc/graphics/tiff/patches/patch-tools_tiffcrop.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-tools_tiffcrop.c:1.2.2.2
--- /dev/null   Sat May  6 15:08:52 2017
+++ pkgsrc/graphics/tiff/patches/patch-tools_tiffcrop.c Sat May  6 15:08:52 2017
@@ -0,0 +1,28 @@
+$NetBSD$
+
+CVE-2016-10092
+http://bugzilla.maptools.org/show_bug.cgi?id=2620
+https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
+Fix double free
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
+
+--- tools/tiffcrop.c.orig      2016-11-19 01:45:30.000000000 +0000
++++ tools/tiffcrop.c
+@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (T
+                                   (unsigned long) strip, (unsigned long)rows);
+                         return 0;
+                 }
+-                bufp += bytes_read;
++                bufp += stripsize;
+         }
+ 
+         return 1;
+@@ -7986,7 +7986,6 @@ writeCroppedImage(TIFF *in, TIFF *out, s
+   if (!TIFFWriteDirectory(out))
+     {
+     TIFFError("","Failed to write IFD for page number %d", pagenum);
+-    TIFFClose(out);
+     return (-1);
+     }
+ 



Home | Main Index | Thread Index | Old Index