fixes for CVE-2016-3186 and CVE-2016-5875

jasper 2016-07-01 11:23:44 +00:00
parent 0c49cf5a0e
commit a5f9cad7b7
3 changed files with 54 additions and 2 deletions


@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.76 2016/03/11 20:28:26 naddy Exp $
# $OpenBSD: Makefile,v 1.77 2016/07/01 11:23:44 jasper Exp $
COMMENT= tools and library routines for working with TIFF images
DISTNAME= tiff-4.0.6
REVISION= 0
REVISION= 1
SHARED_LIBS= tiff 39.2 # 7.4
SHARED_LIBS+= tiffxx 40.1 # 7.4
CATEGORIES= graphics


@ -0,0 +1,36 @@
$OpenBSD: patch-libtiff_tif_pixarlog_c,v 1.6 2016/07/01 11:23:44 jasper Exp $
CVE-2016-5875(, dup?)
https://marc.info/?l=oss-security&m=146720235906569&w=2
--- libtiff/tif_pixarlog.c.orig Sat Aug 29 00:16:22 2015
+++ libtiff/tif_pixarlog.c Fri Jul 1 13:04:52 2016
@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid
typedef struct {
TIFFPredictorState predict;
z_stream stream;
+ tmsize_t tbuf_size; /* only set/used on reading for now */
uint16 *tbuf;
uint16 stride;
int state;
@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
+ sp->tbuf_size = tbuf_size;
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
sp->user_datafmt = PixarLogGuessDataFmt(td);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin
if (sp->stream.avail_out != nsamples * sizeof(uint16))
{
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ return (0);
+ }
+ /* Check that we will not fill more than what was allocated */
+ if (sp->stream.avail_out > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
return (0);
}
do {
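Review bot: The new bounds check in PixarLogDecode compares `sp->stream.avail_out`, which is zlib's unsigned `uInt`, against `sp->tbuf_size`, a signed `tmsize_t`, so the result relies on implicit conversion rules that differ between 32-bit and 64-bit builds. It appears safe as long as `tbuf_size` is only ever the non-negative size stored in PixarLogSetupDecode, but an explicit cast makes the intent unambiguous: `if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)`. The error string `"sp->stream.avail_out > sp->tbuf_size"` only repeats the condition; a message that names the requested and allocated byte counts would make a rejected file easier to triage. Per the field comment, `tbuf_size` is set only on the read path, so any encode-side use of `tbuf` (outside this section) is not covered by this check and is worth confirming separately. The bodies of PixarLogSetupDecode and PixarLogDecode extend beyond the hunks shown.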


@ -0,0 +1,16 @@
$OpenBSD: patch-tools_gif2tiff_c,v 1.1 2016/07/01 11:23:44 jasper Exp $
CVE-2016-3186, patch from:
https://bugzilla.redhat.com/show_bug.cgi?id=1319666
--- tools/gif2tiff.c.orig Fri Jul 1 13:11:43 2016
+++ tools/gif2tiff.c Fri Jul 1 13:12:07 2016
@@ -349,7 +349,7 @@ readextension(void)
int status = 1;
(void) getc(infile);
- while ((count = getc(infile)) && count <= 255)
+ while ((count = getc(infile)) && count >= 0 && count <= 255)
if (fread(buf, 1, count, infile) != (size_t) count) {
fprintf(stderr, "short read from file %s (%s)\n",
filename, strerror(errno));