graphics/tiff: Patch vulnerabilities
These two patches were obtained from OpenBSD. An additional CVE is not yet addressed, but upstream indicates they are removing the gif2tiff utility as the mitigation in the upcoming 4.0.7. PR: 211113 MFH: 2016Q3 Security: CVE-2016-5875 Security: CVE-2016-3186
This commit is contained in:
parent
34cd680a2d
commit
7419bfc443
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=418585
@ -3,7 +3,7 @@
|
||||
|
||||
PORTNAME= tiff
|
||||
PORTVERSION= 4.0.6
|
||||
PORTREVISION= 1
|
||||
PORTREVISION= 2
|
||||
CATEGORIES= graphics
|
||||
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
|
||||
http://download.osgeo.org/libtiff/
|
||||
|
34
graphics/tiff/files/patch-libtiff_tif__pixarlog.c
Normal file
34
graphics/tiff/files/patch-libtiff_tif__pixarlog.c
Normal file
@ -0,0 +1,34 @@
|
||||
CVE-2016-5875(, dup?)
|
||||
https://marc.info/?l=oss-security&m=146720235906569&w=2
|
||||
|
||||
--- libtiff/tif_pixarlog.c.orig Sat Aug 29 00:16:22 2015
|
||||
+++ libtiff/tif_pixarlog.c Fri Jul 1 13:04:52 2016
|
||||
@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid
|
||||
typedef struct {
|
||||
TIFFPredictorState predict;
|
||||
z_stream stream;
|
||||
+ tmsize_t tbuf_size; /* only set/used on reading for now */
|
||||
uint16 *tbuf;
|
||||
uint16 stride;
|
||||
int state;
|
||||
@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
|
||||
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
|
||||
if (sp->tbuf == NULL)
|
||||
return (0);
|
||||
+ sp->tbuf_size = tbuf_size;
|
||||
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
|
||||
sp->user_datafmt = PixarLogGuessDataFmt(td);
|
||||
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
|
||||
@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin
|
||||
if (sp->stream.avail_out != nsamples * sizeof(uint16))
|
||||
{
|
||||
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
|
||||
+ return (0);
|
||||
+ }
|
||||
+ /* Check that we will not fill more than what was allocated */
|
||||
+ if (sp->stream.avail_out > sp->tbuf_size)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
|
||||
return (0);
|
||||
}
|
||||
do {
|
14
graphics/tiff/files/patch-tools_gif2tiff.c
Normal file
14
graphics/tiff/files/patch-tools_gif2tiff.c
Normal file
@ -0,0 +1,14 @@
|
||||
CVE-2016-3186, patch from:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1319666
|
||||
|
||||
--- tools/gif2tiff.c.orig Fri Jul 1 13:11:43 2016
|
||||
+++ tools/gif2tiff.c Fri Jul 1 13:12:07 2016
|
||||
@@ -349,7 +349,7 @@ readextension(void)
|
||||
int status = 1;
|
||||
|
||||
(void) getc(infile);
|
||||
- while ((count = getc(infile)) && count <= 255)
|
||||
+ while ((count = getc(infile)) && count >= 0 && count <= 255)
|
||||
if (fread(buf, 1, count, infile) != (size_t) count) {
|
||||
fprintf(stderr, "short read from file %s (%s)\n",
|
||||
filename, strerror(errno));
|
Loading…
Reference in New Issue
Block a user