From: Koop Mast
Date: Sun, 13 Dec 2015 20:26:24 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r403688 - in head/graphics/freeimage: . files

Author: kwm
Date: Sun Dec 13 20:26:24 2015
New Revision: 403688
URL: https://svnweb.freebsd.org/changeset/ports/403688

Log:
  Fix included dcraw vulnerability.
  Fix integer overflow in PluginPCX.cpp. [1]
  Add dcraw files to dos2unix so patching is easier.

  Obtained from: Debian freeimage package (both patches)
  Security: 33459061-a1d6-11e5-8794-bcaec565249c [1]

Added:
  head/graphics/freeimage/files/patch-integer_overflow (contents, props changed)
  head/graphics/freeimage/files/patch-integer_overflow_ljpeg_start (contents, props changed)
Modified:
  head/graphics/freeimage/Makefile

Modified: head/graphics/freeimage/Makefile ============================================================================== --- head/graphics/freeimage/Makefile Sun Dec 13 20:23:41 2015 (r403687) +++ head/graphics/freeimage/Makefile Sun Dec 13 20:26:24 2015 (r403688) @@ -3,6 +3,7 @@ PORTNAME= freeimage PORTVERSION= 3.16.0 +PORTREVISION= 1 # Version 3.17.0 is available, but does not build on i386 (and probably # other 32-bit arches) without some not-quite-trivial patching. If one # decides to update the port, please make sure 32-bit builds are tested! 
@@ -14,7 +15,9 @@ MAINTAINER= ports@FreeBSD.org COMMENT= Simple C/C++ bitmap graphics library USES= dos2unix gmake zip -DOS2UNIX_FILES= Source/LibOpenJPEG/opj_malloc.h +DOS2UNIX_FILES= Source/LibOpenJPEG/opj_malloc.h \ + Source/LibRawLite/dcraw/dcraw.c \ + Source/LibRawLite/internal/dcraw_common.cpp USE_LDCONFIG= yes WRKSRC= ${WRKDIR}/FreeImage MAKE_ARGS= CC="${CC}" CPP="${CPP}" CXX="${CXX}" Added: head/graphics/freeimage/files/patch-integer_overflow ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/freeimage/files/patch-integer_overflow Sun Dec 13 20:26:24 2015 (r403688) 
@@ -0,0 +1,129 @@ +CVE-2015-0852 + +Description: fix integer overflow +Origin: upstream + http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN + http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN +Bug-Debian: https://bugs.debian.org/797165 +Last-Update: 2015-09-14 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: freeimage/Source/FreeImage/PluginPCX.cpp +=================================================================== +--- freeimage.orig/Source/FreeImage/PluginPCX.cpp ++++ Source/FreeImage/PluginPCX.cpp +@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle, + + try { + // check PCX identifier +- +- long start_pos = io->tell_proc(handle); +- BOOL validated = pcx_validate(io, handle); +- io->seek_proc(handle, start_pos, SEEK_SET); +- if(!validated) { +- throw FI_MSG_ERROR_MAGIC_NUMBER; ++ // (note: should have been already validated using FreeImage_GetFileType but check again) ++ { ++ long start_pos = io->tell_proc(handle); ++ BOOL validated = pcx_validate(io, handle); ++ io->seek_proc(handle, start_pos, SEEK_SET); ++ if(!validated) { ++ throw FI_MSG_ERROR_MAGIC_NUMBER; ++ } + } + + // process the header +@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle, + SwapHeader(&header); + #endif + +- // allocate a new DIB ++ // process the window ++ const WORD *window = header.window; // left, upper, right,lower pixel coord. 
++ const int left = window[0]; ++ const int top = window[1]; ++ const int right = window[2]; ++ const int bottom = window[3]; + +- unsigned width = header.window[2] - header.window[0] + 1; +- unsigned height = header.window[3] - header.window[1] + 1; +- unsigned bitcount = header.bpp * header.planes; +- +- if (bitcount == 24) { +- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); +- } else { +- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount); ++ // check image size ++ if((left >= right) || (top >= bottom)) { ++ throw FI_MSG_ERROR_PARSING; + } + +- // if the dib couldn't be allocated, throw an error ++ const unsigned width = right - left + 1; ++ const unsigned height = bottom - top + 1; ++ const unsigned bitcount = header.bpp * header.planes; ++ ++ // allocate a new DIB ++ switch(bitcount) { ++ case 1: ++ case 4: ++ case 8: ++ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount); ++ break; ++ case 24: ++ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); ++ break; ++ default: ++ throw FI_MSG_ERROR_DIB_MEMORY; ++ break; ++ } + ++ // if the dib couldn't be allocated, throw an error + if (!dib) { + throw FI_MSG_ERROR_DIB_MEMORY; + } +@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle, + + if (palette_id == 0x0C) { + BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE)); +- io->read_proc(cmap, 768, 1, handle); + +- pal = FreeImage_GetPalette(dib); +- BYTE *pColormap = &cmap[0]; ++ if(cmap) { ++ io->read_proc(cmap, 768, 1, handle); + +- for(int i = 0; i < 256; i++) { +- pal[i].rgbRed = pColormap[0]; +- pal[i].rgbGreen = pColormap[1]; +- pal[i].rgbBlue = pColormap[2]; +- pColormap += 3; ++ pal = FreeImage_GetPalette(dib); ++ BYTE *pColormap = &cmap[0]; ++ ++ for(int i = 0; i < 256; i++) { ++ pal[i].rgbRed = pColormap[0]; ++ pal[i].rgbGreen = pColormap[1]; ++ pal[i].rgbBlue = 
pColormap[2]; ++ pColormap += 3; ++ } ++ ++ free(cmap); + } + +- free(cmap); + } + + // wrong palette ID, perhaps a gray scale is needed ? +@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle, + // calculate the line length for the PCX and the DIB + + // length of raster line in bytes +- unsigned linelength = header.bytes_per_line * header.planes; ++ const unsigned linelength = header.bytes_per_line * header.planes; + // length of DIB line (rounded to DWORD) in bytes +- unsigned pitch = FreeImage_GetPitch(dib); ++ const unsigned pitch = FreeImage_GetPitch(dib); + + // run-length encoding ? + Added: head/graphics/freeimage/files/patch-integer_overflow_ljpeg_start ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/freeimage/files/patch-integer_overflow_ljpeg_start Sun Dec 13 20:26:24 2015 (r403688) 
@@ -0,0 +1,34 @@ +Description: Fix integer overflow in the ljpeg_start function in dcraw +Author: Alex Tutubalin +Bug-Debian: https://bugs.debian.org/786790 +Origin: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5 + https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e +Bug: https://security-tracker.debian.org/tracker/CVE-2015-3885 +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885 +Reviewed-By: Anton Gladky +Last-Update: 2015-10-29 + +--- freeimage-3.15.4.orig/Source/LibRawLite/dcraw/dcraw.c ++++ Source/LibRawLite/dcraw/dcraw.c +@@ -768,7 +768,8 @@ struct jhead { + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x10000]; + const uchar *dp; + +--- freeimage-3.15.4.orig/Source/LibRawLite/internal/dcraw_common.cpp ++++ Source/LibRawLite/internal/dcraw_common.cpp +@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw() + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x10000]; + const uchar *dp; +
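Review bot: In the PluginPCX.cpp hunk at @@ -366,20 +368,38 @@, the size check `if((left >= right) || (top >= bottom))` also rejects files where left == right or top == bottom, which by the `width = right - left + 1` computation that follows are valid 1-pixel-wide or 1-pixel-high images. Comparing with `>` instead of `>=` still blocks the wraparound in the unsigned width and height while accepting those files. In the same hunk the `default:` branch throws FI_MSG_ERROR_DIB_MEMORY for an unsupported `header.bpp * header.planes` value, which reports an allocation failure for what is a malformed header; FI_MSG_ERROR_PARSING, already used by the size check, fits better, and the `break;` after that `throw` is unreachable.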
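Review bot: In the palette hunk of PluginPCX.cpp at @@ -426,19 +446,23 @@, a failed `malloc(768 * sizeof(BYTE))` is now skipped silently, so loading continues without the file's palette and without any error; an else branch that throws FI_MSG_ERROR_DIB_MEMORY would match the handling of the failed DIB allocation earlier in the patch. The return value of `io->read_proc(cmap, 768, 1, handle)` is also still ignored, so on a truncated file the loop copies uninitialized heap bytes into pal[]; check the result of the read before filling the palette.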
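Review bot: The PluginPCX.cpp hunk at @@ -466,9 +490,9 @@ only adds `const` to `linelength` and `pitch`; `header.bytes_per_line * header.planes` is still taken from the file as is, and nothing in the visible lines relates it to `pitch` or to the width and bitcount validated earlier. If the decoding code after this point sizes buffers or copies by `linelength`, a consistency check here that rejects the file with FI_MSG_ERROR_PARSING when the header's line length does not match what width and bitcount imply belongs in this patch.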
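Review bot: In both ljpeg_start hunks (dcraw.c at @@ -768,7 +768,8 @@ and dcraw_common.cpp at @@ -630,7 +630,8 @@), narrowing `len` to `ushort` fixes the overflow only implicitly: the safety depends on the type's maximum of 0xFFFF staying below the size of `uchar data[0x10000]`, and nothing in the code says so. A comment on the `ushort len;` declaration stating that relationship, or an explicit range check on `len` where it is used, would keep a later change to either line from reopening the bug. The patch paths also name freeimage-3.15.4.orig while the Makefile sets PORTVERSION to 3.16.0, so confirm both hunks apply to the port's sources without fuzz.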