Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 29 Mar 2015 17:31:50 +0000 (UTC)
From:      Antoine Brodin <antoine@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r382617 - in head/graphics/tiff: . files
Message-ID:  <201503291731.t2THVogD033528@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: antoine
Date: Sun Mar 29 17:31:49 2015
New Revision: 382617
URL: https://svnweb.freebsd.org/changeset/ports/382617
QAT: https://qat.redports.org/buildarchive/r382617/

Log:
  tools/tiffdither.c: check memory allocations to avoid writing to
  NULL pointer. Also check multiplication overflow. Fixes #2501,
  CVE-2014-8128. Derived from patch by Petr Gajdos.
  
  Reported by:	naddy
  Obtained from:	https://github.com/vadz/libtiff/commit/147b2698c84004fe2da93c0fc7177a7c3797533d
  MFH:		2015Q1

Added:
  head/graphics/tiff/files/patch-tools_tiffdither.c   (contents, props changed)
Modified:
  head/graphics/tiff/Makefile

Modified: head/graphics/tiff/Makefile
==============================================================================
--- head/graphics/tiff/Makefile	Sun Mar 29 17:25:47 2015	(r382616)
+++ head/graphics/tiff/Makefile	Sun Mar 29 17:31:49 2015	(r382617)
@@ -3,6 +3,7 @@
 
 PORTNAME=	tiff
 DISTVERSION=	4.0.4beta
+PORTREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://download.osgeo.org/libtiff/

Added: head/graphics/tiff/files/patch-tools_tiffdither.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/graphics/tiff/files/patch-tools_tiffdither.c	Sun Mar 29 17:31:49 2015	(r382617)
@@ -0,0 +1,70 @@
+--- tools/tiffdither.c.orig	2013-05-02 14:44:29 UTC
++++ tools/tiffdither.c
+@@ -39,6 +39,7 @@
+ #endif
+ 
+ #include "tiffio.h"
++#include "tiffiop.h"
+ 
+ #define	streq(a,b)	(strcmp(a,b) == 0)
+ #define	strneq(a,b,n)	(strncmp(a,b,n) == 0)
+@@ -56,7 +57,7 @@ static	void usage(void);
+  * Floyd-Steinberg error propragation with threshold.
+  * This code is stolen from tiffmedian.
+  */
+-static void
++static int
+ fsdither(TIFF* in, TIFF* out)
+ {
+ 	unsigned char *outline, *inputline, *inptr;
+@@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out)
+ 	int lastline, lastpixel;
+ 	int bit;
+ 	tsize_t outlinesize;
++	int errcode = 0;
+ 
+ 	imax = imagelength - 1;
+ 	jmax = imagewidth - 1;
+ 	inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+-	thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
+-	nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
++	thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
++	nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
+ 	outlinesize = TIFFScanlineSize(out);
+ 	outline = (unsigned char *) _TIFFmalloc(outlinesize);
++	if (! (inputline && thisline && nextline && outline)) {
++	    fprintf(stderr, "Out of memory.\n");
++	    goto skip_on_error;
++	}
+ 
+ 	/*
+ 	 * Get first line
+@@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out)
+ 		nextline = tmpptr;
+ 		lastline = (i == imax);
+ 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-			break;
++			goto skip_on_error;
+ 		inptr = inputline;
+ 		nextptr = nextline;
+ 		for (j = 0; j < imagewidth; ++j)
+@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out)
+ 			}
+ 		}
+ 		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+-			break;
++			goto skip_on_error;
+ 	}
++	goto exit_label;
++
+   skip_on_error:
++	errcode = 1;
++  exit_label:
+ 	_TIFFfree(inputline);
+ 	_TIFFfree(thisline);
+ 	_TIFFfree(nextline);
+ 	_TIFFfree(outline);
++	return errcode;
+ }
+ 
+ static	uint16 compression = COMPRESSION_PACKBITS;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201503291731.t2THVogD033528>