Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 5 Jan 2016 15:06:08 +0000 (UTC)
From:      Raphael Kubo da Costa <rakuco@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r405295 - in branches/2016Q1/graphics/tiff: . files
Message-ID:  <201601051506.u05F68k8063407@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: rakuco
Date: Tue Jan  5 15:06:08 2016
New Revision: 405295
URL: https://svnweb.freebsd.org/changeset/ports/405295

Log:
  MFH: r405294
  
  Add fixes for CVE-2015-8665, CVE-2015-8683 and other vulnerabilities.
  
  Besides fixing the two CVEs mentioned above, this change also pulls two
  other commits from libtiff upstream fixing other out-of-bounds reads that do
  not have corresponding CVEs and were reported directly in libtiff's bug
  tracker.
  
  PR:		205923
  Approved by:	portmgr (antoine)
  Obtained from:	libtiff CVS repository
  Security:	b65e4914-b3bc-11e5-8255-5453ed2e2b49
  Security:	bd349f7a-b3b9-11e5-8255-5453ed2e2b49
  
  Approved by:	portmgr blanket

Added:
  branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683
     - copied unchanged from r405294, head/graphics/tiff/files/patch-CVE-2015-8665_8683
  branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c
     - copied unchanged from r405294, head/graphics/tiff/files/patch-libtiff_tif__luv.c
  branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c
     - copied unchanged from r405294, head/graphics/tiff/files/patch-libtiff_tif__next.c
Modified:
  branches/2016Q1/graphics/tiff/Makefile
Directory Properties:
  branches/2016Q1/   (props changed)

Modified: branches/2016Q1/graphics/tiff/Makefile
==============================================================================
--- branches/2016Q1/graphics/tiff/Makefile	Tue Jan  5 15:04:58 2016	(r405294)
+++ branches/2016Q1/graphics/tiff/Makefile	Tue Jan  5 15:06:08 2016	(r405295)
@@ -3,6 +3,7 @@
 
 PORTNAME=	tiff
 PORTVERSION=	4.0.6
+PORTREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://download.osgeo.org/libtiff/

Copied: branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683 (from r405294, head/graphics/tiff/files/patch-CVE-2015-8665_8683)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683	Tue Jan  5 15:06:08 2016	(r405295, copy of r405294, head/graphics/tiff/files/patch-CVE-2015-8665_8683)
@@ -0,0 +1,118 @@
+revision 1.94
+date: 2015-12-26 17:32:03 +0000;  author: erouault;  state: Exp;  lines: +23 -14;  commitid: ohB9uRxvIWq9YtOy;
+* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+CVE-2015-8683 reported by zzf of Alibaba.
+
+Index: libtiff/tif_getimage.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
+retrieving revision 1.93
+retrieving revision 1.94
+diff -u -r1.93 -r1.94
+--- libtiff/tif_getimage.c	22 Nov 2015 15:31:03 -0000	1.93
++++ libtiff/tif_getimage.c	26 Dec 2015 17:32:03 -0000	1.94
+@@ -1,4 +1,4 @@
+-/* $Id: tif_getimage.c,v 1.93 2015-11-22 15:31:03 erouault Exp $ */
++/* $Id: tif_getimage.c,v 1.94 2015-12-26 17:32:03 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1991-1997 Sam Leffler
+@@ -182,20 +182,22 @@
+ 				    "Planarconfiguration", td->td_planarconfig);
+ 				return (0);
+ 			}
+-			if( td->td_samplesperpixel != 3 )
++			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel);
++                        "Sorry, can not handle image with %s=%d, %s=%d",
++                        "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels);
+                 return 0;
+             }
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d and %s=%d",
++                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+                         "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels,
+                         "Bits/sample", td->td_bitspersample);
+                 return 0;
+             }
+@@ -255,6 +257,9 @@
+ 	int colorchannels;
+ 	uint16 *red_orig, *green_orig, *blue_orig;
+ 	int n_color;
++	
++	if( !TIFFRGBAImageOK(tif, emsg) )
++		return 0;
+ 
+ 	/* Initialize to normal values */
+ 	img->row_offset = 0;
+@@ -2509,29 +2514,33 @@
+ 		case PHOTOMETRIC_RGB:
+ 			switch (img->bitspersample) {
+ 				case 8:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >= 4)
+ 						img->put.contig = putRGBAAcontig8bittile;
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >= 4)
+ 					{
+ 						if (BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig8bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >= 3 )
+ 						img->put.contig = putRGBcontig8bittile;
+ 					break;
+ 				case 16:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBAAcontig16bittile;
+ 					}
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img) &&
+ 						    BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig16bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >=3 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBcontig16bittile;
+@@ -2540,7 +2549,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_SEPARATED:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel >=4 && buildMap(img)) {
+ 				if (img->bitspersample == 8) {
+ 					if (!img->Map)
+ 						img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2636,7 +2645,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel == 3 && buildMap(img)) {
+ 				if (img->bitspersample == 8)
+ 					img->put.contig = initCIELabConversion(img);
+ 				break;

Copied: branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c (from r405294, head/graphics/tiff/files/patch-libtiff_tif__luv.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c	Tue Jan  5 15:06:08 2016	(r405295, copy of r405294, head/graphics/tiff/files/patch-libtiff_tif__luv.c)
@@ -0,0 +1,176 @@
+revision 1.41
+date: 2015-12-27 16:25:11 +0000;  author: erouault;  state: Exp;  lines: +45 -12;  commitid: gXczlJDfVlBdzBOy;
+* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+functions in non debug builds by replacing assert()s by regular if
+checks (bugzilla #2522).
+Fix potential out-of-bound reads in case of short input data.
+
+Index: libtiff/tif_luv.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v
+retrieving revision 1.40
+retrieving revision 1.41
+diff -u -r1.40 -r1.41
+--- libtiff/tif_luv.c	21 Jun 2015 01:09:09 -0000	1.40
++++ libtiff/tif_luv.c	27 Dec 2015 16:25:11 -0000	1.41
+@@ -1,4 +1,4 @@
+-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
++/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1997 Greg Ward Larson
+@@ -202,7 +202,11 @@
+ 	if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+ 		tp = (int16*) op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		tp = (int16*) sp->tbuf;
+ 	}
+ 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@
+ 	cc = tif->tif_rawcc;
+ 	/* get each byte string */
+ 	for (shft = 2*8; (shft -= 8) >= 0; ) {
+-		for (i = 0; i < npixels && cc > 0; )
++		for (i = 0; i < npixels && cc > 0; ) {
+ 			if (*bp >= 128) {		/* run */
+-				rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++				if( cc < 2 )
++					break;
++				rc = *bp++ + (2-128);
+ 				b = (int16)(*bp++ << shft);
+ 				cc -= 2;
+ 				while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@
+ 				while (--cc && rc-- && i < npixels)
+ 					tp[i++] |= (int16)*bp++ << shft;
+ 			}
++		}
+ 		if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@
+ 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ 		tp = (uint32 *)op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		tp = (uint32 *) sp->tbuf;
+ 	}
+ 	/* copy to array of uint32 */
+ 	bp = (unsigned char*) tif->tif_rawcp;
+ 	cc = tif->tif_rawcc;
+-	for (i = 0; i < npixels && cc > 0; i++) {
++	for (i = 0; i < npixels && cc >= 3; i++) {
+ 		tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+ 		bp += 3;
+ 		cc -= 3;
+@@ -325,7 +336,11 @@
+ 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ 		tp = (uint32*) op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		tp = (uint32*) sp->tbuf;
+ 	}
+ 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@
+ 	cc = tif->tif_rawcc;
+ 	/* get each byte string */
+ 	for (shft = 4*8; (shft -= 8) >= 0; ) {
+-		for (i = 0; i < npixels && cc > 0; )
++		for (i = 0; i < npixels && cc > 0; ) {
+ 			if (*bp >= 128) {		/* run */
++				if( cc < 2 )
++					break;
+ 				rc = *bp++ + (2-128);
+ 				b = (uint32)*bp++ << shft;
+-				cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++				cc -= 2;
+ 				while (rc-- && i < npixels)
+ 					tp[i++] |= b;
+ 			} else {			/* non-run */
+@@ -346,6 +363,7 @@
+ 				while (--cc && rc-- && i < npixels)
+ 					tp[i++] |= (uint32)*bp++ << shft;
+ 			}
++		}
+ 		if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+@@ -413,6 +431,7 @@
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++	static const char module[] = "LogL16Encode";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	int shft;
+ 	tmsize_t i;
+@@ -433,7 +452,11 @@
+ 		tp = (int16*) bp;
+ 	else {
+ 		tp = (int16*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* compress each byte string */
+@@ -506,6 +529,7 @@
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++	static const char module[] = "LogLuvEncode24";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	tmsize_t i;
+ 	tmsize_t npixels;
+@@ -521,7 +545,11 @@
+ 		tp = (uint32*) bp;
+ 	else {
+ 		tp = (uint32*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* write out encoded pixels */
+@@ -553,6 +581,7 @@
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++	static const char module[] = "LogLuvEncode32";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	int shft;
+ 	tmsize_t i;
+@@ -574,7 +603,11 @@
+ 		tp = (uint32*) bp;
+ 	else {
+ 		tp = (uint32*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* compress each byte string */

Copied: branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c (from r405294, head/graphics/tiff/files/patch-libtiff_tif__next.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c	Tue Jan  5 15:06:08 2016	(r405295, copy of r405294, head/graphics/tiff/files/patch-libtiff_tif__next.c)
@@ -0,0 +1,54 @@
+revision 1.17
+date: 2015-12-27 16:55:20 +0000;  author: erouault;  state: Exp;  lines: +9 -3;  commitid: 4yLOaM0uFVPyJBOy;
+* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+(bugzilla #2508)
+
+Index: libtiff/tif_next.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_next.c,v
+retrieving revision 1.16
+retrieving revision 1.17
+diff -u -r1.16 -r1.17
+--- libtiff/tif_next.c	29 Dec 2014 12:09:11 -0000	1.16
++++ libtiff/tif_next.c	27 Dec 2015 16:55:20 -0000	1.17
+@@ -1,4 +1,4 @@
+-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
++/* $Id: tif_next.c,v 1.17 2015-12-27 16:55:20 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -37,7 +37,7 @@
+ 	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
+ 	case 1:	op[0] |= (v) << 4; break;	\
+ 	case 2:	op[0] |= (v) << 2; break;	\
+-	case 3:	*op++ |= (v);	   break;	\
++	case 3:	*op++ |= (v);	   op_offset++; break;	\
+ 	}					\
+ }
+ 
+@@ -106,6 +106,7 @@
+ 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
+             if( isTiled(tif) )
+                 imagewidth = tif->tif_dir.td_tilewidth;
++            tmsize_t op_offset = 0;
+ 
+ 			/*
+ 			 * The scanline is composed of a sequence of constant
+@@ -122,10 +123,15 @@
+ 				 * bounds, potentially resulting in a security
+ 				 * issue.
+ 				 */
+-				while (n-- > 0 && npixels < imagewidth)
++				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+ 					SETPIXEL(op, grey);
+ 				if (npixels >= imagewidth)
+ 					break;
++                if (op_offset >= scanline ) {
++                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
++                        (long) tif->tif_row);
++                    return (0);
++                }
+ 				if (cc == 0)
+ 					goto bad;
+ 				n = *bp++, cc--;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201601051506.u05F68k8063407>