kumquat-buildroot/package/tiff/0005-tools-tiffcp.c-error-out-cleanly-in-cpContig2Separat.patch

From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 19:25:44 +0000
Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
 and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
 overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
 http://bugzilla.maptools.org/show_bug.cgi?id=2657

Fixes CVE-2017-5225

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 tools/tiffcp.c | 24 ++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index bdf754c3..8bbcd52f 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -591,7 +591,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
 static int
 tiffcp(TIFF* in, TIFF* out)
 {
-	uint16 bitspersample, samplesperpixel = 1;
+	uint16 bitspersample = 1, samplesperpixel = 1;
 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
 	copyFunc cf;
 	uint32 width, length;
@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpContig2SeparateByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpSeparate2ContigByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
 	uint32 w, l, tw, tl;
 	int bychunk;
 
-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
+	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
 		fprintf(stderr,
 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
-- 
2.11.0
tiff: add upstream security fixes Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing the following security issues: CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-04-26 23:58:14 +02:00			`From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001`
			`From: erouault <erouault>`
			`Date: Wed, 11 Jan 2017 19:25:44 +0000`
			`Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow`
			`and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based`
			`overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and`
			`http://bugzilla.maptools.org/show_bug.cgi?id=2657`

			`Fixes CVE-2017-5225`

			`Signed-off-by: Peter Korsgaard <peter@korsgaard.com>`
			`---`
			`tools/tiffcp.c \| 24 ++++++++++++++++++++++--`
			`1 file changed, 29 insertions(+), 2 deletions(-)`

			`diff --git a/tools/tiffcp.c b/tools/tiffcp.c`
			`index bdf754c3..8bbcd52f 100644`
			`--- a/tools/tiffcp.c`
			`+++ b/tools/tiffcp.c`
			`@@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF, TIFF, uint16, uint16);`
			`static int`
			`tiffcp(TIFF* in, TIFF* out)`
			`{`
			`- uint16 bitspersample, samplesperpixel = 1;`
			`+ uint16 bitspersample = 1, samplesperpixel = 1;`
			`uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;`
			`copyFunc cf;`
			`uint32 width, length;`
			`@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)`
			`register uint32 n;`
			`uint32 row;`
			`tsample_t s;`
			`+ uint16 bps = 0;`
			`+`
			`+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);`
			`+ if( bps != 8 )`
			`+ {`
			`+ TIFFError(TIFFFileName(in),`
			`+ "Error, can only handle BitsPerSample=8 in %s",`
			`+ "cpContig2SeparateByRow");`
			`+ return 0;`
			`+ }`

			`inbuf = _TIFFmalloc(scanlinesizein);`
			`outbuf = _TIFFmalloc(scanlinesizeout);`
			`@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)`
			`register uint32 n;`
			`uint32 row;`
			`tsample_t s;`
			`+ uint16 bps = 0;`
			`+`
			`+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);`
			`+ if( bps != 8 )`
			`+ {`
			`+ TIFFError(TIFFFileName(in),`
			`+ "Error, can only handle BitsPerSample=8 in %s",`
			`+ "cpSeparate2ContigByRow");`
			`+ return 0;`
			`+ }`

			`inbuf = _TIFFmalloc(scanlinesizein);`
			`outbuf = _TIFFmalloc(scanlinesizeout);`
			`@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)`
			`uint32 w, l, tw, tl;`
			`int bychunk;`

			`- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);`
			`+ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);`
			`if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {`
			`fprintf(stderr,`
			`"%s: Cannot handle different planar configuration w/ bits/sample != 8\n",`
			`--`
			`2.11.0`