kumquat-buildroot/package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch

From 47f2fb61a3a64667bce1a8398a8fcb1b348ff122 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 12:15:01 +0000
Subject: [PATCH] * libtiff/tif_jpeg.c: avoid integer division by zero in
 JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2653

Fixes CVE-2017-7595

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 libtiff/tif_jpeg.c | 7 +++++++
 1 file changed, 13 insertions(+)

diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
index 38595f98..6c17c388 100644
--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c
@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif)
 	case PHOTOMETRIC_YCBCR:
 		sp->h_sampling = td->td_ycbcrsubsampling[0];
 		sp->v_sampling = td->td_ycbcrsubsampling[1];
+                if( sp->h_sampling == 0 || sp->v_sampling == 0 )
+                {
+                    TIFFErrorExt(tif->tif_clientdata, module,
+                            "Invalig horizontal/vertical sampling value");
+                    return (0);
+                }
+
 		/*
 		 * A ReferenceBlackWhite field *must* be present since the
 		 * default value is inappropriate for YCbCr.  Fill in the
-- 
2.11.0
tiff: add upstream security fixes Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing the following security issues: CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-04-26 23:58:14 +02:00			`From 47f2fb61a3a64667bce1a8398a8fcb1b348ff122 Mon Sep 17 00:00:00 2001`
			`From: erouault <erouault>`
			`Date: Wed, 11 Jan 2017 12:15:01 +0000`
			`Subject: [PATCH] * libtiff/tif_jpeg.c: avoid integer division by zero in`
			`JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes`
			`http://bugzilla.maptools.org/show_bug.cgi?id=2653`

			`Fixes CVE-2017-7595`

			`Signed-off-by: Peter Korsgaard <peter@korsgaard.com>`
			`---`
			`libtiff/tif_jpeg.c \| 7 +++++++`
			`1 file changed, 13 insertions(+)`

			`diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c`
			`index 38595f98..6c17c388 100644`
			`--- a/libtiff/tif_jpeg.c`
			`+++ b/libtiff/tif_jpeg.c`
			`@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif)`
			`case PHOTOMETRIC_YCBCR:`
			`sp->h_sampling = td->td_ycbcrsubsampling[0];`
			`sp->v_sampling = td->td_ycbcrsubsampling[1];`
			`+ if( sp->h_sampling == 0 \|\| sp->v_sampling == 0 )`
			`+ {`
			`+ TIFFErrorExt(tif->tif_clientdata, module,`
			`+ "Invalig horizontal/vertical sampling value");`
			`+ return (0);`
			`+ }`
			`+`
			`/*`
			`* A ReferenceBlackWhite field must be present since the`
			`* default value is inappropriate for YCbCr. Fill in the`
			`--`
			`2.11.0`