SECURITY fixes for CVE-2006-2656 and CVE-2006-3459 through 3465.

Man page fixes.

Mostly via FreeBSD.  Approving noises from bernd@ and jasper@
naddy 2008-10-25 09:39:29 +00:00
parent 32b353e61f
commit fab96bfad1
19 changed files with 839 additions and 19 deletions


@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.48 2008/08/27 18:09:36 jasper Exp $
# $OpenBSD: Makefile,v 1.49 2008/10/25 09:39:29 naddy Exp $
COMMENT= tools and library routines for working with TIFF images
DISTNAME= tiff-3.8.2
PKGNAME= ${DISTNAME}p1
PKGNAME= ${DISTNAME}p2
SHARED_LIBS= tiff 38.2 \
tiffxx 39.2
CATEGORIES= graphics


@ -0,0 +1,96 @@
$OpenBSD: patch-libtiff_tif_dir_c,v 1.3 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3464,3465
--- libtiff/tif_dir.c.orig Tue Mar 21 17:42:50 2006
+++ libtiff/tif_dir.c Fri Oct 24 18:52:56 2008
@@ -122,6 +122,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va_list ap)
{
static const char module[] = "_TIFFVSetField";
+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
@@ -195,10 +196,12 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va_list ap)
break;
case TIFFTAG_ORIENTATION:
v = va_arg(ap, uint32);
+ const TIFFFieldInfo* fip;
if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+ fip = _TIFFFieldWithTag(tif, tag);
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"Bad value %lu for \"%s\" tag ignored",
- v, _TIFFFieldWithTag(tif, tag)->field_name);
+ v, fip ? fip->field_name : "Unknown");
} else
td->td_orientation = (uint16) v;
break;
@@ -387,11 +390,15 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va_list ap)
* happens, for example, when tiffcp is used to convert between
* compression schemes and codec-specific tags are blindly copied.
*/
+ /*
+ * better not dereference fip if it is NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
status = 0;
break;
}
@@ -468,7 +475,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va_list ap)
if (fip->field_type == TIFF_ASCII)
_TIFFsetString((char **)&tv->value, va_arg(ap, char *));
else {
- tv->value = _TIFFmalloc(tv_size * tv->count);
+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
if (!tv->value) {
status = 0;
goto end;
@@ -563,7 +570,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va_list ap)
}
}
if (status) {
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+ TIFFSetFieldBit(tif, fip->field_bit);
tif->tif_flags |= TIFF_DIRTYDIRECT;
}
@@ -572,12 +579,12 @@ end:
return (status);
badvalue:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
badvalue32:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
}
@@ -813,12 +820,16 @@ _TIFFVGetField(TIFF* tif, ttag_t tag, va_list ap)
* If the client tries to get a tag that is not valid
* for the image's codec then we'll arrive here.
*/
+ /*
+ * dont dereference fip if it's NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
{
TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
ret_val = 0;
break;
}
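Review bot: `TIFFSetFieldBit(tif, fip->field_bit);` on the `if (status)` path still dereferences `fip` unguarded, while every other use in this patch tests `fip ? fip->field_name : "Unknown"`, and the companion patch-libtiff_tif_dirinfo_c turns an unknown tag from an assert into a plain NULL return; if a tag handled by one of the explicit cases has no field-info entry this line is the crash the rest of the patch is trying to remove. A guarded form such as `if (status) { if (fip != NULL) TIFFSetFieldBit(tif, fip->field_bit); tif->tif_flags |= TIFF_DIRTYDIRECT; }` keeps the change consistent. The `const TIFFFieldInfo* fip;` added in the `TIFFTAG_ORIENTATION` case shadows the function-level `fip` declared at the top of `_TIFFVSetField` and is a declaration after a statement inside a case label; reusing the outer variable avoids both. `_TIFFVSetField` starts in the first hunk and the rest of its body lies between the hunks.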


@ -0,0 +1,26 @@
$OpenBSD: patch-libtiff_tif_dirinfo_c,v 1.3 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3464,3465
--- libtiff/tif_dirinfo.c.orig Tue Feb 7 14:51:03 2006
+++ libtiff/tif_dirinfo.c Fri Oct 24 18:53:28 2008
@@ -775,7 +775,8 @@ _TIFFFieldWithTag(TIFF* tif, ttag_t tag)
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
"Internal error, unknown tag 0x%x",
(unsigned int) tag);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
@@ -789,7 +790,8 @@ _TIFFFieldWithName(TIFF* tif, const char *field_name)
if (!fip) {
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
"Internal error, unknown tag %s", field_name);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
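Review bot: With `assert(fip != NULL)` commented out, the `/*NOTREACHED*/` marker on the next line is now false in both `_TIFFFieldWithTag` and `_TIFFFieldWithName`: control falls through to `return (fip)` and hands NULL back for an unknown tag or name, which is exactly the contract the other patches in this commit rely on. Replace the stale marker with a comment that states the new contract, e.g. `/* Unknown tag: return NULL; callers must check before dereferencing. */`, and consider noting the same next to the declarations so new callers do not reintroduce the unchecked dereference. The "Internal error" wording of the `TIFFErrorExt` message also reads oddly now that the path can be taken for a tag that simply is not registered.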


@ -0,0 +1,324 @@
$OpenBSD: patch-libtiff_tif_dirread_c,v 1.5 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3459,3463,3464,3465
--- libtiff/tif_dirread.c.orig Tue Mar 21 17:42:50 2006
+++ libtiff/tif_dirread.c Fri Oct 24 18:54:00 2008
@@ -29,6 +29,9 @@
*
* Directory Read Support Routines.
*/
+
+#include <limits.h>
+
#include "tiffiop.h"
#define IGNORE 0 /* tag placeholder used below */
@@ -81,6 +84,7 @@ TIFFReadDirectory(TIFF* tif)
uint16 dircount;
toff_t nextdiroff;
int diroutoforderwarning = 0;
+ int compressionknown = 0;
toff_t* new_dirlist;
tif->tif_diroff = tif->tif_nextdiroff;
@@ -147,13 +151,20 @@ TIFFReadDirectory(TIFF* tif)
} else {
toff_t off = tif->tif_diroff;
- if (off + sizeof (uint16) > tif->tif_size) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Can not read TIFF directory count",
- tif->tif_name);
- return (0);
+ /*
+ * Check for integer overflow when validating the dir_off, otherwise
+ * a very high offset may cause an OOB read and crash the client.
+ * -- taviso@google.com, 14 Jun 2006.
+ */
+ if (off + sizeof (uint16) > tif->tif_size ||
+ off > (UINT_MAX - sizeof(uint16))) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Can not read TIFF directory count",
+ tif->tif_name);
+ return (0);
} else
- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
+ _TIFFmemcpy(&dircount, tif->tif_base + off,
+ sizeof (uint16));
off += sizeof (uint16);
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabShort(&dircount);
@@ -254,6 +265,7 @@ TIFFReadDirectory(TIFF* tif)
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
+
if (fix >= tif->tif_nfields ||
tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
@@ -264,17 +276,23 @@ TIFFReadDirectory(TIFF* tif)
dp->tdir_tag,
dp->tdir_tag,
dp->tdir_type);
-
- TIFFMergeFieldInfo(tif,
- _TIFFCreateAnonFieldInfo(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1 );
+ /*
+ * creating anonymous fields prior to knowing the compression
+ * algorithm (ie, when the field info has been merged) could cause
+ * crashes with pathological directories.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (compressionknown)
+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
+ (TIFFDataType) dp->tdir_type), 1 );
+ else goto ignore;
+
fix = 0;
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
}
+
/*
* Null out old tags that we ignore.
*/
@@ -326,6 +344,7 @@ TIFFReadDirectory(TIFF* tif)
dp->tdir_type, dp->tdir_offset);
if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
goto bad;
+ else compressionknown++;
break;
/* XXX: workaround for broken TIFFs */
} else if (dp->tdir_type == TIFF_LONG) {
@@ -540,6 +559,7 @@ TIFFReadDirectory(TIFF* tif)
* Attempt to deal with a missing StripByteCounts tag.
*/
if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* Some manufacturers violate the spec by not giving
* the size of the strips. In this case, assume there
@@ -556,7 +576,7 @@ TIFFReadDirectory(TIFF* tif)
"%s: TIFF directory is missing required "
"\"%s\" field, calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
/*
@@ -580,6 +600,7 @@ TIFFReadDirectory(TIFF* tif)
} else if (td->td_nstrips == 1
&& td->td_stripoffset[0] != 0
&& BYTECOUNTLOOKSBAD) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Plexus (and others) sometimes give a value of zero for
* a tag when they don't know what the correct value is! Try
@@ -589,13 +610,14 @@ TIFFReadDirectory(TIFF* tif)
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if(EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
&& td->td_nstrips > 2
&& td->td_compression == COMPRESSION_NONE
&& td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Some vendors fill StripByteCount array with absolutely
* wrong values (it can be equal to StripOffset array, for
@@ -604,7 +626,7 @@ TIFFReadDirectory(TIFF* tif)
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
}
@@ -870,8 +892,14 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir,
register TIFFDirEntry *dp;
register TIFFDirectory *td = &tif->tif_dir;
- uint16 i;
+
+ /* i is used to iterate over td->td_nstrips, so must be
+ * at least the same width.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ uint32 i;
+
if (td->td_stripbytecount)
_TIFFfree(td->td_stripbytecount);
td->td_stripbytecount = (uint32*)
@@ -947,16 +975,18 @@ MissingRequired(TIFF* tif, const char* tagname)
static int
CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
{
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+
if (count > dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (0);
} else if (count < dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (1);
}
@@ -970,6 +1000,7 @@ static tsize_t
TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
{
int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
tsize_t cc = dir->tdir_count * w;
/* Check for overflow. */
@@ -1013,7 +1044,7 @@ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
bad:
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Error fetching data for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
return (tsize_t) 0;
}
@@ -1039,10 +1070,12 @@ TIFFFetchString(TIFF* tif, TIFFDirEntry* dir, char* cp
static int
cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
{
+ const TIFFFieldInfo* fip;
if (denom == 0) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"%s: Rational with zero denominator (num = %lu)",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
+ fip ? fip->field_name : "Unknown", num);
return (0);
} else {
if (dir->tdir_type == TIFF_RATIONAL)
@@ -1159,6 +1192,20 @@ TIFFFetchShortArray(TIFF* tif, TIFFDirEntry* dir, uint
static int
TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
{
+ /*
+ * Prevent overflowing the v stack arrays below by performing a sanity
+ * check on tdir_count, this should never be greater than two.
+ * -- taviso@google.com 14 Jun 2006.
+ */
+ if (dir->tdir_count > 2) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
+ fip ? fip->field_name : "Unknown",
+ dir->tdir_count);
+ return 0;
+ }
+
switch (dir->tdir_type) {
case TIFF_BYTE:
case TIFF_SBYTE:
@@ -1329,14 +1376,15 @@ TIFFFetchAnyArray(TIFF* tif, TIFFDirEntry* dir, double
case TIFF_DOUBLE:
return (TIFFFetchDoubleArray(tif, dir, (double*) v));
default:
+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
/* TIFF_NOTYPE */
/* TIFF_ASCII */
/* TIFF_UNDEFINED */
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"cannot read TIFF_ANY type %d for field \"%s\"",
dir->tdir_type,
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
- return (0);
+ fip ? fip->field_name : "Unknown");
+ return (0); }
}
return (1);
}
@@ -1351,6 +1399,9 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp)
int ok = 0;
const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ if (fip == NULL) {
+ return (0);
+ }
if (dp->tdir_count > 1) { /* array of values */
char* cp = NULL;
@@ -1493,6 +1544,7 @@ static int
TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1510,9 +1562,10 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir,
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1534,6 +1587,7 @@ static int
TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1551,9 +1605,10 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir,
check_count = samples;
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1574,6 +1629,7 @@ static int
TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1591,9 +1647,10 @@ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, d
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
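Review bot: The `if (compressionknown) … else goto ignore;` inserted in TIFFReadDirectory's unknown-tag branch discards every unknown tag met while `compressionknown` is still 0, and the only increment in this patch is the `else compressionknown++;` after the `(uint16)v` TIFFSetField call, which looks like the Compression case — so a file carrying no Compression tag at all (legal, meaning uncompressed) would seemingly lose all of its private tags instead of getting anonymous field entries; worth confirming, and if intended, stating it in the comment above the test, e.g. `/* Until Compression is known, unknown tags are ignored rather than merged; files with no Compression tag keep none. */`. Separately, `CheckDirCount` and `TIFFFetchData` now call `_TIFFFieldWithTag` at function entry, so the lookup and its "Internal error, unknown tag" diagnostic run on every call including the success path, whereas `cvtRational` and the three `TIFFFetchPerSample*` helpers in the same patch defer it to the error branch; the deferred form is the one to standardise on. `TIFFReadDirectory` starts before and continues past the hunks that touch it.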


@ -0,0 +1,29 @@
$OpenBSD: patch-libtiff_tif_fax3_c,v 1.7 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3464,3465
--- libtiff/tif_fax3.c.orig Tue Mar 21 17:42:50 2006
+++ libtiff/tif_fax3.c Fri Oct 24 18:54:16 2008
@@ -1136,6 +1136,7 @@ static int
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
{
Fax3BaseState* sp = Fax3State(tif);
+ const TIFFFieldInfo* fip;
assert(sp != 0);
assert(sp->vsetparent != 0);
@@ -1181,7 +1182,13 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
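Review bot: The new `if ((fip = _TIFFFieldWithTag(tif, tag)))` guard reports failure only after the switch above has already stored the value into `sp`, so a NULL `fip` leaves the codec state updated while the caller is told the set failed and no field bit is recorded; JPEGVSetField in patch-libtiff_tif_jpeg_c has the same shape. Since unknown tags are routed to `vsetparent` by the `default:` case, a NULL here presumably means one of the codec's own registered tags is missing from the field table, which the bare `return (0)` hides — an explicit `TIFFErrorExt(tif->tif_clientdata, "Fax3VSetField", "Unknown tag %u", (unsigned) tag);` before the return would make that visible. `Fax3VSetField` starts in the first hunk and the switch body lies between the two hunks.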


@ -0,0 +1,123 @@
$OpenBSD: patch-libtiff_tif_jpeg_c,v 1.3 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3460,3464,3465
--- libtiff/tif_jpeg.c.orig Tue Mar 21 17:42:50 2006
+++ libtiff/tif_jpeg.c Fri Oct 24 18:54:26 2008
@@ -722,15 +722,31 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
segment_width = TIFFhowmany(segment_width, sp->h_sampling);
segment_height = TIFFhowmany(segment_height, sp->v_sampling);
}
- if (sp->cinfo.d.image_width != segment_width ||
- sp->cinfo.d.image_height != segment_height) {
+ if (sp->cinfo.d.image_width < segment_width ||
+ sp->cinfo.d.image_height < segment_height) {
TIFFWarningExt(tif->tif_clientdata, module,
"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
segment_width,
segment_height,
sp->cinfo.d.image_width,
sp->cinfo.d.image_height);
+ }
+
+ if (sp->cinfo.d.image_width > segment_width ||
+ sp->cinfo.d.image_height > segment_height) {
+ /*
+ * This case could be dangerous, if the strip or tile size has been
+ * reported as less than the amount of data jpeg will return, some
+ * potential security issues arise. Catch this case and error out.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "JPEG strip/tile size exceeds expected dimensions,"
+ "expected %dx%d, got %dx%d", segment_width, segment_height,
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ return (0);
}
+
if (sp->cinfo.d.num_components !=
(td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1)) {
@@ -761,6 +777,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
sp->cinfo.d.comp_info[0].v_samp_factor,
sp->h_sampling, sp->v_sampling);
+ /*
+ * There are potential security issues here for decoders that
+ * have already allocated buffers based on the expected sampling
+ * factors. Lets check the sampling factors dont exceed what
+ * we were expecting.
+ * -- taviso@google.com 14 June 2006
+ */
+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot honour JPEG sampling factors that"
+ " exceed those specified.");
+ return (0);
+ }
+
+
/*
* XXX: Files written by the Intergraph software
* has different sampling factors stored in the
@@ -1521,15 +1553,18 @@ JPEGCleanup(TIFF* tif)
{
JPEGState *sp = JState(tif);
- assert(sp != 0);
+ /* assert(sp != 0); */
tif->tif_tagmethods.vgetfield = sp->vgetparent;
tif->tif_tagmethods.vsetfield = sp->vsetparent;
- if( sp->cinfo_initialized )
- TIFFjpeg_destroy(sp); /* release libjpeg resources */
- if (sp->jpegtables) /* tag value */
- _TIFFfree(sp->jpegtables);
+ if (sp != NULL) {
+ if( sp->cinfo_initialized )
+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
+ if (sp->jpegtables) /* tag value */
+ _TIFFfree(sp->jpegtables);
+ }
+
_TIFFfree(tif->tif_data); /* release local state */
tif->tif_data = NULL;
@@ -1541,6 +1576,7 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_list ap)
{
JPEGState* sp = JState(tif);
TIFFDirectory* td = &tif->tif_dir;
+ const TIFFFieldInfo* fip;
uint32 v32;
assert(sp != NULL);
@@ -1606,7 +1642,13 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_list ap)
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
@@ -1726,7 +1768,11 @@ JPEGPrintDir(TIFF* tif, FILE* fd, long flags)
{
JPEGState* sp = JState(tif);
- assert(sp != NULL);
+ /* assert(sp != NULL); */
+ if (sp == NULL) {
+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
+ return;
+ }
(void) flags;
if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
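Review bot: In JPEGCleanup the `if (sp != NULL)` guard that replaces the assert arrives two statements too late: `tif->tif_tagmethods.vgetfield = sp->vgetparent;` and the `vsetfield` line below it are unchanged context and still dereference `sp` unconditionally, so a NULL state crashes before the guard is reached. Move those two assignments inside the `if (sp != NULL) { … }` block so the null case actually survives to the `_TIFFfree(tif->tif_data)` that follows. A smaller nit in the JPEGPreDecode hunk: the adjacent literals `"JPEG strip/tile size exceeds expected dimensions,"` and `"expected %dx%d, got %dx%d"` concatenate without a separating space.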


@ -0,0 +1,24 @@
$OpenBSD: patch-libtiff_tif_next_c,v 1.3 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3462
--- libtiff/tif_next.c.orig Wed Dec 21 13:33:56 2005
+++ libtiff/tif_next.c Fri Oct 24 18:54:53 2008
@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsamp
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso@google.com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < imagewidth)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
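Review bot: The new loop guard compares `npixels < imagewidth` without the `(int)` cast that the `break` test two lines below uses (`npixels >= (int) imagewidth`); if `npixels` is a signed int as that cast suggests and `imagewidth` is unsigned, the new expression is a signed/unsigned comparison that `-Wsign-compare` flags, and the two bounds tests should at least agree — `while (n-- > 0 && npixels < (int) imagewidth)`. Note also that `n` is still decremented on the iteration where the width test fails, which is only harmless if `n` is not consumed after the loop; a one-line comment stating that would save the next reader the check. NeXTDecode starts before this hunk.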


@ -0,0 +1,27 @@
$OpenBSD: patch-libtiff_tif_pixarlog_c,v 1.4 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3461
--- libtiff/tif_pixarlog.c.orig Tue Mar 21 17:42:50 2006
+++ libtiff/tif_pixarlog.c Fri Oct 24 18:55:09 2008
@@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, ts
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
- for (i = 0; i < nsamples; i += llen, up += llen) {
+ /*
+ * if llen is not an exact multiple of nsamples, the decode operation
+ * may overflow the output buffer, so truncate it enough to prevent that
+ * but still salvage as much data as possible.
+ * -- taviso@google.com 14th June 2006
+ */
+ if (nsamples % llen)
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: stride %lu is not a multiple of sample count, "
+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
+
+
+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalAccumulateF(up, llen, sp->stride,
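Review bot: The warning text and the new comment describe the condition backwards: the test is `nsamples % llen`, i.e. the sample count is not a multiple of the stride `llen`, yet the message prints `"stride %lu is not a multiple of sample count, %lu"` with `llen, nsamples` and the comment says "if llen is not an exact multiple of nsamples". Swap the wording to `"%s: sample count %lu is not a multiple of stride %lu, data truncated."` with the arguments in the order `nsamples, llen` (casting to `unsigned long` if either is not already that type). The bound `nsamples - (nsamples % llen)` is loop-invariant and is better computed once before the `for`, and the `%` assumes `llen` is never zero, which the hunk does not establish. PixarLogDecode starts before this hunk.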


@ -0,0 +1,15 @@
$OpenBSD: patch-libtiff_tif_print_c,v 1.1 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3464,3465
--- libtiff/tif_print.c.orig Mon Mar 13 15:11:30 2006
+++ libtiff/tif_print.c Fri Oct 24 18:55:21 2008
@@ -491,7 +491,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
} else
fprintf(fd, "(present)\n");
}
- if (TIFFFieldSet(tif, FIELD_SUBIFD)) {
+ if (TIFFFieldSet(tif, FIELD_SUBIFD) && (td->td_subifd)) {
fprintf(fd, " SubIFD Offsets:");
for (i = 0; i < td->td_nsubifd; i++)
fprintf(fd, " %5lu", (long) td->td_subifd[i]);


@ -0,0 +1,45 @@
$OpenBSD: patch-libtiff_tif_read_c,v 1.1 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3464,3465
--- libtiff/tif_read.c.orig Wed Dec 21 13:33:56 2005
+++ libtiff/tif_read.c Fri Oct 24 18:55:36 2008
@@ -31,6 +31,8 @@
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
+
int TIFFFillStrip(TIFF*, tstrip_t);
int TIFFFillTile(TIFF*, ttile_t);
static int TIFFStartStrip(TIFF*, tstrip_t);
@@ -272,7 +274,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip)
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+ /*
+ * This sanity check could potentially overflow, causing an OOB read.
+ * verify that offset + bytecount is > offset.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
/*
* This error message might seem strange, but it's
* what would happen if a read were done instead.
@@ -470,7 +478,13 @@ TIFFFillTile(TIFF* tif, ttile_t tile)
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+ /*
+ * We must check this calculation doesnt overflow, potentially
+ * causing an OOB read.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
tif->tif_curtile = NOTILE;
return (0);
}
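Review bot: Both new overflow checks (TIFFFillStrip and TIFFFillTile) hard-code `UINT_MAX` as the wrap-around limit of `td_stripoffset[] + bytecount`, which is only right while those operands are exactly `unsigned int` wide; the directory-count check in patch-libtiff_tif_dirread_c uses the same pattern. A form that never performs the possibly-wrapping addition and needs no `<limits.h>` is `if (td->td_stripoffset[strip] > tif->tif_size || bytecount > tif->tif_size - td->td_stripoffset[strip])` (and its `tile` twin), which stays correct whatever width the typedefs end up with. TIFFFillStrip and TIFFFillTile both start before their hunks.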


@ -0,0 +1,12 @@
$OpenBSD: patch-man_TIFFClose_3tiff,v 1.1 2008/10/25 09:39:29 naddy Exp $
--- man/TIFFClose.3tiff.orig Fri Oct 24 18:13:32 2008
+++ man/TIFFClose.3tiff Fri Oct 24 18:13:54 2008
@@ -40,7 +40,7 @@ Any buffered data are flushed to the file, including t
current directory (if modified); and all resources are reclaimed.
.SH DIAGNOSTICS
All error messages are directed to the
-.bR TIFFError (3TIFF)
+.BR TIFFError (3TIFF)
routine.
Likewise, warning messages are directed to the
.BR TIFFWarning (3TIFF)


@ -1,12 +1,11 @@
$OpenBSD: patch-man_fax2ps_1,v 1.1 2006/03/26 10:45:18 espie Exp $
--- man/fax2ps.1.orig Sun Mar 26 12:33:21 2006
+++ man/fax2ps.1 Sun Mar 26 12:33:33 2006
@@ -27,7 +27,7 @@
$OpenBSD: patch-man_fax2ps_1,v 1.2 2008/10/25 09:39:29 naddy Exp $
--- man/fax2ps.1.orig Fri Dec 2 17:01:33 2005
+++ man/fax2ps.1 Fri Oct 24 18:25:45 2008
@@ -22,6 +22,7 @@
.\" LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
.\" OF THIS SOFTWARE.
.\"
+.ds Ps PostScript
.if n .po 0
.TH FAX2PS 1 "November 2, 2005" "libtiff"
.SH NAME
fax2ps \- convert a
.SM TIFF
-facsimile to compressed \*(Ps\(tm
+facsimile to compressed PostScript tm
.SH SYNOPSIS
.B fax2ps
[


@ -0,0 +1,12 @@
$OpenBSD: patch-man_raw2tiff_1,v 1.1 2008/10/25 09:39:29 naddy Exp $
--- man/raw2tiff.1.orig Fri Oct 24 18:21:07 2008
+++ man/raw2tiff.1 Fri Oct 24 18:21:17 2008
@@ -184,7 +184,7 @@ There is no magic, it is just a mathematical statistic
in some cases. But for most ordinary images guessing method will work fine.
.SH "SEE ALSO"
.BR pal2rgb (1),
-.bR tiffinfo (1),
+.BR tiffinfo (1),
.BR tiffcp (1),
.BR tiffmedian (1),
.BR libtiff (3)


@ -0,0 +1,12 @@
$OpenBSD: patch-man_tiffcmp_1,v 1.1 2008/10/25 09:39:29 naddy Exp $
--- man/tiffcmp.1.orig Fri Oct 24 18:26:44 2008
+++ man/tiffcmp.1 Fri Oct 24 18:26:52 2008
@@ -77,7 +77,7 @@ The pixel and/or sample number reported in differences
in some exotic cases.
.SH "SEE ALSO"
.BR pal2rgb (1),
-.bR tiffinfo (1),
+.BR tiffinfo (1),
.BR tiffcp (1),
.BR tiffmedian (1),
.BR libtiff (3TIFF)


@ -0,0 +1,12 @@
$OpenBSD: patch-man_tiffsplit_1,v 1.1 2008/10/25 09:39:29 naddy Exp $
--- man/tiffsplit.1.orig Fri Oct 24 18:27:26 2008
+++ man/tiffsplit.1 Fri Oct 24 18:27:47 2008
@@ -50,7 +50,7 @@ suffix in the range [\fIaaa\fP-\fIzzz\fP], the suffix
(e.g.
.IR xaaa.tif ,
.IR xaab.tif ,
-\...
+.IR ... ,
.IR xzzz.tif ).
If a prefix is not specified on the command line,
the default prefix of


@ -0,0 +1,21 @@
$OpenBSD: patch-test_strip_c,v 1.1 2008/10/25 09:39:29 naddy Exp $
--- test/strip.c.orig Fri Oct 24 19:41:37 2008
+++ test/strip.c Fri Oct 24 19:42:55 2008
@@ -171,7 +171,7 @@ failure:
TIFFClose(tif);
openfailure:
fprintf (stderr, "Can't create test TIFF file %s:\n"
-" ImageWidth=%ld, ImageLength=%ld, RowsPerStrip=%ld, Compression=%d,\n"
+" ImageWidth=%d, ImageLength=%d, RowsPerStrip=%d, Compression=%d,\n"
" BitsPerSample=%d, SamplesPerPixel=%d, SampleFormat=%d,\n"
" PlanarConfiguration=%d, PhotometricInterpretation=%d.\n",
name, width, length, rowsperstrip, compression,
@@ -249,7 +249,7 @@ failure:
TIFFClose(tif);
openfailure:
fprintf (stderr, "Can't read test TIFF file %s:\n"
-" ImageWidth=%ld, ImageLength=%ld, RowsPerStrip=%ld, Compression=%d,\n"
+" ImageWidth=%d, ImageLength=%d, RowsPerStrip=%d, Compression=%d,\n"
" BitsPerSample=%d, SamplesPerPixel=%d, SampleFormat=%d,\n"
" PlanarConfiguration=%d, PhotometricInterpretation=%d.\n",
name, width, length, rowsperstrip, compression,
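Review bot: Switching `%ld` to `%d` removes the width mismatch, but if `width`, `length` and `rowsperstrip` are `uint32` as their TIFF tag types suggest, `%u` is the matching conversion and `%d` merely works in practice; the declarations are outside both hunks, so this is inferred. The `openfailure` label belongs to a function that starts outside the hunks.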


@ -0,0 +1,19 @@
$OpenBSD: patch-tools_fax2ps_c,v 1.5 2008/10/25 09:39:29 naddy Exp $
--- tools/fax2ps.c.orig Fri Oct 24 18:41:45 2008
+++ tools/fax2ps.c Fri Oct 24 18:44:21 2008
@@ -373,11 +373,12 @@ main(int argc, char** argv)
int n;
FILE* fd;
char buf[16*1024];
+ char temp[22];
- fd = tmpfile();
+ strlcpy(temp, "/tmp/fax2psXXXXXXXXXX", sizeof(temp));
+ fd = fdopen(mkstemp(temp), "w+");
if (fd == NULL) {
- fprintf(stderr, "Could not create temporary file, exiting.\n");
- fclose(fd);
+ fprintf(stderr, "Could not create temporary file \"%s\".\n", temp);
exit(-2);
}
while ((n = read(fileno(stdin), buf, sizeof (buf))) > 0)
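Review bot: `fd = fdopen(mkstemp(temp), "w+")` never checks the `mkstemp` result, and the replacement loses the one property of `tmpfile()` this code relied on: the file was removed automatically, whereas `/tmp/fax2psXXXXXXXXXX` now survives every run (and, when `fdopen` fails after a successful `mkstemp`, survives with an open descriptor leaked until exit). Test the descriptor before handing it to `fdopen`, and `unlink` the name immediately after creation so the descriptor is the only reference, as in the rewritten lines below. `main` starts before this hunk and the read loop that follows is unchanged.
```c
	char buf[16*1024];
	char temp[22];
	int tfd;

	strlcpy(temp, "/tmp/fax2psXXXXXXXXXX", sizeof(temp));
	if ((tfd = mkstemp(temp)) == -1) {
		fprintf(stderr, "Could not create temporary file \"%s\".\n", temp);
		exit(-2);
	}
	/* Remove the name now; the open descriptor keeps the file alive, as tmpfile() did. */
	(void) unlink(temp);
	if ((fd = fdopen(tfd, "w+")) == NULL) {
		fprintf(stderr, "Could not open temporary file \"%s\".\n", temp);
		exit(-2);
	}
	/* … unchanged: copy stdin into fd … */
```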


@ -1,7 +1,7 @@
$OpenBSD: patch-tools_tiff2pdf_c,v 1.1 2006/06/12 17:31:34 naddy Exp $
--- tools/tiff2pdf.c.orig Sun Jun 11 15:58:06 2006
+++ tools/tiff2pdf.c Sun Jun 11 16:00:21 2006
@@ -279,8 +279,8 @@ tsize_t t2p_sample_lab_signed_to_unsigne
$OpenBSD: patch-tools_tiff2pdf_c,v 1.2 2008/10/25 09:39:29 naddy Exp $
--- tools/tiff2pdf.c.orig Tue Mar 21 17:42:51 2006
+++ tools/tiff2pdf.c Fri Oct 24 18:08:47 2008
@@ -279,8 +279,8 @@ tsize_t t2p_sample_lab_signed_to_unsigned(tdata_t, uin
tsize_t t2p_write_pdf_header(T2P*, TIFF*);
tsize_t t2p_write_pdf_obj_start(uint32, TIFF*);
tsize_t t2p_write_pdf_obj_end(TIFF*);
@ -12,7 +12,7 @@ $OpenBSD: patch-tools_tiff2pdf_c,v 1.1 2006/06/12 17:31:34 naddy Exp $
tsize_t t2p_write_pdf_stream(tdata_t, tsize_t, TIFF*);
tsize_t t2p_write_pdf_stream_start(TIFF*);
tsize_t t2p_write_pdf_stream_end(TIFF*);
@@ -3572,7 +3572,7 @@ tsize_t t2p_write_pdf_obj_end(TIFF* outp
@@ -3572,7 +3572,7 @@ tsize_t t2p_write_pdf_obj_end(TIFF* output){
This function writes a PDF name object to output.
*/
@ -21,7 +21,7 @@ $OpenBSD: patch-tools_tiff2pdf_c,v 1.1 2006/06/12 17:31:34 naddy Exp $
tsize_t written=0;
uint32 i=0;
@@ -3657,7 +3657,7 @@ tsize_t t2p_write_pdf_name(char* name, T
@@ -3657,7 +3657,7 @@ tsize_t t2p_write_pdf_name(char* name, TIFF* output){
This function writes a PDF string object to output.
*/


@ -0,0 +1,24 @@
$OpenBSD: patch-tools_tiffsplit_c,v 1.1 2008/10/25 09:39:29 naddy Exp $
CVE-2006-2656
--- tools/tiffsplit.c.orig Fri Oct 24 19:10:43 2008
+++ tools/tiffsplit.c Fri Oct 24 19:12:12 2008
@@ -61,14 +61,14 @@ main(int argc, char* argv[])
return (-3);
}
if (argc > 2)
- strcpy(fname, argv[2]);
+ strlcpy(fname, argv[2], sizeof(fname));
in = TIFFOpen(argv[1], "r");
if (in != NULL) {
do {
char path[1024+1];
newfilename();
- strcpy(path, fname);
- strcat(path, ".tif");
+ strlcpy(path, fname, sizeof(path));
+ strlcat(path, ".tif", sizeof(path));
out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
if (out == NULL)
return (-2);
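Review bot: `strlcpy(fname, argv[2], sizeof(fname))` stops the overflow but truncates a long prefix silently, so the output files are then created under a name the user did not ask for; check the return value and refuse the prefix instead: `if (strlcpy(fname, argv[2], sizeof(fname)) >= sizeof(fname)) { fprintf(stderr, "%s: prefix too long\n", argv[0]); return (-3); }`. The same `>= sizeof(path)` test applies to the `strlcat(path, ".tif", sizeof(path))` line, where truncation would drop the extension. This assumes `fname` is a fixed-size array (otherwise `sizeof(fname)` is meaningless), which is declared outside the hunk; `main` starts before it.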