kumquat-buildroot/package/tiff/0004-libtiff-tif_dirread.c-modify-ChopUpSingleUncompresse.patch

From 9a72a69e035ee70ff5c41541c8c61cd97990d018 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sat, 3 Dec 2016 11:02:15 +0000
Subject: [PATCH] * libtiff/tif_dirread.c: modify
 ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
 TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
 the total size of data. Which is faulty is the total size of data is not
 sufficient to fill the whole image, and thus results in reading outside of
 the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
 by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.

* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
the above change is a better fix that makes it unnecessary.

Fixes CVE-2016-10270

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 libtiff/tif_dirread.c | 22 ++++++++++------------
 libtiff/tif_strip.c   |  9 ---------
 2 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 3eec79c9..570d0c32 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	uint64 rowblockbytes;
 	uint64 stripbytes;
 	uint32 strip;
-	uint64 nstrips64;
-	uint32 nstrips32;
+	uint32 nstrips;
 	uint32 rowsperstrip;
 	uint64* newcounts;
 	uint64* newoffsets;
@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	    return;
 
 	/*
-	 * never increase the number of strips in an image
+	 * never increase the number of rows per strip
 	 */
 	if (rowsperstrip >= td->td_rowsperstrip)
 		return;
-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
-	    return;
-	nstrips32 = (uint32)nstrips64;
+        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+        if( nstrips == 0 )
+            return;
 
-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 				"for chopped \"StripByteCounts\" array");
-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 				"for chopped \"StripOffsets\" array");
 	if (newcounts == NULL || newoffsets == NULL) {
 		/*
@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	 * Fill the strip information arrays with new bytecounts and offsets
 	 * that reflect the broken-up format.
 	 */
-	for (strip = 0; strip < nstrips32; strip++) {
+	for (strip = 0; strip < nstrips; strip++) {
 		if (stripbytes > bytecount)
 			stripbytes = bytecount;
 		newcounts[strip] = stripbytes;
-		newoffsets[strip] = offset;
+		newoffsets[strip] = stripbytes ? offset : 0;
 		offset += stripbytes;
 		bytecount -= stripbytes;
 	}
 	/*
 	 * Replace old single strip info with multi-strip info.
 	 */
-	td->td_stripsperimage = td->td_nstrips = nstrips32;
+	td->td_stripsperimage = td->td_nstrips = nstrips;
 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
 
 	_TIFFfree(td->td_stripbytecount);
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
index 4c46ecf5..1676e47d 100644
--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
 	TIFFDirectory *td = &tif->tif_dir;
 	uint32 nstrips;
 
-    /* If the value was already computed and store in td_nstrips, then return it,
-       since ChopUpSingleUncompressedStrip might have altered and resized the
-       since the td_stripbytecount and td_stripoffset arrays to the new value
-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-       tif_dirread.c ~line 3612.
-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-    if( td->td_nstrips )
-        return td->td_nstrips;
-
 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
-- 
2.11.0
tiff: add upstream security fixes Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing the following security issues: CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-04-26 23:58:14 +02:00			`From 9a72a69e035ee70ff5c41541c8c61cd97990d018 Mon Sep 17 00:00:00 2001`
			`From: erouault <erouault>`
			`Date: Sat, 3 Dec 2016 11:02:15 +0000`
			`Subject: [PATCH] * libtiff/tif_dirread.c: modify`
			`ChopUpSingleUncompressedStrip() to instanciate compute ntrips as`
			`TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on`
			`the total size of data. Which is faulty is the total size of data is not`
			`sufficient to fill the whole image, and thus results in reading outside of`
			`the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported`
			`by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.`

			`* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done`
			`for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since`
			`the above change is a better fix that makes it unnecessary.`

			`Fixes CVE-2016-10270`

			`Signed-off-by: Peter Korsgaard <peter@korsgaard.com>`
			`---`
			`libtiff/tif_dirread.c \| 22 ++++++++++------------`
			`libtiff/tif_strip.c \| 9 ---------`
			`2 files changed, 25 insertions(+), 21 deletions(-)`

			`diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c`
			`index 3eec79c9..570d0c32 100644`
			`--- a/libtiff/tif_dirread.c`
			`+++ b/libtiff/tif_dirread.c`
			`@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)`
			`uint64 rowblockbytes;`
			`uint64 stripbytes;`
			`uint32 strip;`
			`- uint64 nstrips64;`
			`- uint32 nstrips32;`
			`+ uint32 nstrips;`
			`uint32 rowsperstrip;`
			`uint64* newcounts;`
			`uint64* newoffsets;`
			`@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)`
			`return;`

			`/*`
			`- * never increase the number of strips in an image`
			`+ * never increase the number of rows per strip`
			`*/`
			`if (rowsperstrip >= td->td_rowsperstrip)`
			`return;`
			`- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);`
			`- if ((nstrips64==0)\|\|(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */`
			`- return;`
			`- nstrips32 = (uint32)nstrips64;`
			`+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);`
			`+ if( nstrips == 0 )`
			`+ return;`

			`- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),`
			`+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),`
			`"for chopped \"StripByteCounts\" array");`
			`- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),`
			`+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),`
			`"for chopped \"StripOffsets\" array");`
			`if (newcounts == NULL \|\| newoffsets == NULL) {`
			`/*`
			`@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)`
			`* Fill the strip information arrays with new bytecounts and offsets`
			`* that reflect the broken-up format.`
			`*/`
			`- for (strip = 0; strip < nstrips32; strip++) {`
			`+ for (strip = 0; strip < nstrips; strip++) {`
			`if (stripbytes > bytecount)`
			`stripbytes = bytecount;`
			`newcounts[strip] = stripbytes;`
			`- newoffsets[strip] = offset;`
			`+ newoffsets[strip] = stripbytes ? offset : 0;`
			`offset += stripbytes;`
			`bytecount -= stripbytes;`
			`}`
			`/*`
			`* Replace old single strip info with multi-strip info.`
			`*/`
			`- td->td_stripsperimage = td->td_nstrips = nstrips32;`
			`+ td->td_stripsperimage = td->td_nstrips = nstrips;`
			`TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);`

			`_TIFFfree(td->td_stripbytecount);`
			`diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c`
			`index 4c46ecf5..1676e47d 100644`
			`--- a/libtiff/tif_strip.c`
			`+++ b/libtiff/tif_strip.c`
			`@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)`
			`TIFFDirectory *td = &tif->tif_dir;`
			`uint32 nstrips;`

			`- /* If the value was already computed and store in td_nstrips, then return it,`
			`- since ChopUpSingleUncompressedStrip might have altered and resized the`
			`- since the td_stripbytecount and td_stripoffset arrays to the new value`
			`- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in`
			`- tif_dirread.c ~line 3612.`
			`- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */`
			`- if( td->td_nstrips )`
			`- return td->td_nstrips;`
			`-`
			`nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :`
			`TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));`
			`if (td->td_planarconfig == PLANARCONFIG_SEPARATE)`
			`--`
			`2.11.0`