summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libtiff-invalid-read.patch
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-01-10 03:22:33 -0500
committerLeo Famulari <leo@famulari.name>2017-01-10 17:52:42 -0500
commit4b96149d8b199048aa526159120d14a44d6ee054 (patch)
tree1ffa03b2a425040f2b00578d417784bf69d1abc5 /gnu/packages/patches/libtiff-invalid-read.patch
parent8966c6b43989a0f7bca972f12b78567da7de3eec (diff)
downloadguix-patches-4b96149d8b199048aa526159120d14a44d6ee054.tar
guix-patches-4b96149d8b199048aa526159120d14a44d6ee054.tar.gz
gnu: libtiff: Fix CVE-2016-{10092,10093,10094} and others.
* gnu/packages/patches/libtiff-CVE-2016-10092.patch, gnu/packages/patches/libtiff-CVE-2016-10093.patch, gnu/packages/patches/libtiff-CVE-2016-10094.patch, gnu/packages/patches/libtiff-assertion-failure.patch, gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch, gnu/packages/patches/libtiff-divide-by-zero.patch, gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch, gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch, gnu/packages/patches/libtiff-invalid-read.patch, gnu/packages/patches/libtiff-null-dereference.patch, gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable.
Diffstat (limited to 'gnu/packages/patches/libtiff-invalid-read.patch')
-rw-r--r--gnu/packages/patches/libtiff-invalid-read.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-invalid-read.patch b/gnu/packages/patches/libtiff-invalid-read.patch
new file mode 100644
index 0000000000..92742d8757
--- /dev/null
+++ b/gnu/packages/patches/libtiff-invalid-read.patch
@@ -0,0 +1,64 @@
+Fix invalid read in t2p_writeproc():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: avoid potential invalid memory read in
+ t2p_writeproc.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1198; previous revision: 1.1197
+/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c
+new revision: 1.100; previous revision: 1.99
+
+Index: libtiff/tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.99
+retrieving revision 1.100
+diff -u -r1.99 -r1.100
+--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:13:26 -0000 1.99
++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100
+@@ -2896,6 +2896,7 @@
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+ if (count >= 4) {
++ int retTIFFReadRawTile;
+ /* Ignore EOI marker of JpegTables */
+ _TIFFmemcpy(buffer, jpt, count - 2);
+ bufferoffset += count - 2;
+@@ -2903,22 +2904,23 @@
+ table_end[0] = buffer[bufferoffset-2];
+ table_end[1] = buffer[bufferoffset-1];
+ xuint32 = bufferoffset;
+- bufferoffset -= 2;
+- bufferoffset += TIFFReadRawTile(
++ bufferoffset -= 2;
++ retTIFFReadRawTile= TIFFReadRawTile(
+ input,
+ tile,
+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+ -1);
++ if( retTIFFReadRawTile < 0 )
++ {
++ _TIFFfree(buffer);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return(0);
++ }
++ bufferoffset += retTIFFReadRawTile;
+ /* Overwrite SOI marker of image scan with previously */
+ /* saved end of JpegTables */
+ buffer[xuint32-2]=table_end[0];
+ buffer[xuint32-1]=table_end[1];
+- } else {
+- bufferoffset += TIFFReadRawTile(
+- input,
+- tile,
+- (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+- -1);
+ }
+ }
+ t2pWriteFile(output, (tdata_t) buffer, bufferoffset);