guix-play/gnu/packages/patches/libtiff-divide-by-zero.patch
Leo Famulari 4b96149d8b
gnu: libtiff: Fix CVE-2016-{10092,10093,10094} and others.
* gnu/packages/patches/libtiff-CVE-2016-10092.patch,
gnu/packages/patches/libtiff-CVE-2016-10093.patch,
gnu/packages/patches/libtiff-CVE-2016-10094.patch,
gnu/packages/patches/libtiff-assertion-failure.patch,
gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch,
gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch,
gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch,
gnu/packages/patches/libtiff-divide-by-zero.patch,
gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch,
gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch,
gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch,
gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch,
gnu/packages/patches/libtiff-invalid-read.patch,
gnu/packages/patches/libtiff-null-dereference.patch,
gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
2017-01-10 17:52:42 -05:00

68 lines
2.9 KiB
Diff

Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero:
http://bugzilla.maptools.org/show_bug.cgi?id=2596
2016-12-02 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
TIFFReadEncodedStrip() that caused an integer division by zero.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1173; previous revision: 1.1172
/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
new revision: 1.50; previous revision: 1.49
/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v <-- libtiff/tiffiop.h
new revision: 1.90; previous revision: 1.89
Index: libtiff/libtiff/tif_read.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- libtiff/libtiff/tif_read.c 10 Jul 2016 18:00:21 -0000 1.49
+++ libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */
+/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -346,7 +346,7 @@
rowsperstrip=td->td_rowsperstrip;
if (rowsperstrip>td->td_imagelength)
rowsperstrip=td->td_imagelength;
- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
stripinplane=(strip%stripsperplane);
plane=(uint16)(strip/stripsperplane);
rows=td->td_imagelength-stripinplane*rowsperstrip;
Index: libtiff/libtiff/tiffiop.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- libtiff/libtiff/tiffiop.h 23 Jan 2016 21:20:34 -0000 1.89
+++ libtiff/libtiff/tiffiop.h 2 Dec 2016 21:56:56 -0000 1.90
@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -250,6 +250,10 @@
#define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
0U)
+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
+#define TIFFhowmany_32_maxuint_compat(x, y) \
+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
#define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
#define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
#define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))