graphics/tiff: Patch vulnerabilities

These two patches were obtained from OpenBSD. An additional CVE is not yet addressed, but upstream indicates they are removing the gif2tiff utility as the mitigation in the upcoming 4.0.7. PR: 211113 MFH: 2016Q3 Security: CVE-2016-5875 Security: CVE-2016-3186
svn path=/head/; revision=418585
2016-07-15 16:22:53 +00:00 · 2016-07-15 16:22:53 +00:00 · 7419bfc443 · 2021-03-31 03:12:20 +00:00
commit 7419bfc443
parent 34cd680a2d
3 changed files with 49 additions and 1 deletions
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	tiff
 PORTVERSION=	4.0.6
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://download.osgeo.org/libtiff/
--- a/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
+++ b/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
@ -0,0 +1,34 @@
+CVE-2016-5875(, dup?)
+https://marc.info/?l=oss-security&m=146720235906569&w=2
+
+--- libtiff/tif_pixarlog.c.orig	Sat Aug 29 00:16:22 2015
+++ libtiff/tif_pixarlog.c	Fri Jul  1 13:04:52 2016
+@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid
+ typedef	struct {
+ 	TIFFPredictorState	predict;
+ 	z_stream		stream;
+	tmsize_t		tbuf_size; /* only set/used on reading for now */
+ 	uint16			*tbuf; 
+ 	uint16			stride;
+ 	int			state;
+@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
+ 	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ 	if (sp->tbuf == NULL)
+ 		return (0);
+	sp->tbuf_size = tbuf_size;
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ 		sp->user_datafmt = PixarLogGuessDataFmt(td);
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin
+ 	if (sp->stream.avail_out != nsamples * sizeof(uint16))
+ 	{
+ 		TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+		return (0);
+	}
+	/* Check that we will not fill more than what was allocated */
+	if (sp->stream.avail_out > sp->tbuf_size)
+	{
+		TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ 		return (0);
+ 	}
+ 	do {
--- a/graphics/tiff/files/patch-tools_gif2tiff.c
+++ b/graphics/tiff/files/patch-tools_gif2tiff.c
@ -0,0 +1,14 @@
+CVE-2016-3186, patch from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1319666
+
+--- tools/gif2tiff.c.orig	Fri Jul  1 13:11:43 2016
+++ tools/gif2tiff.c	Fri Jul  1 13:12:07 2016
+@@ -349,7 +349,7 @@ readextension(void)
+     int status = 1;
+ 
+     (void) getc(infile);
+-    while ((count = getc(infile)) && count <= 255)
+    while ((count = getc(infile)) && count >= 0 && count <= 255)
+         if (fread(buf, 1, count, infile) != (size_t) count) {
+             fprintf(stderr, "short read from file %s (%s)\n",
+                     filename, strerror(errno));