kumquat-buildroot/package/tiff/0001-libtiff-tif_read.c-libtiff-tiffiop.h-fix-uint32-over.patch

From 438274f938e046d33cb0e1230b41da32ffe223e1 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Fri, 2 Dec 2016 21:56:56 +0000
Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow
 in TIFFReadEncodedStrip() that caused an integer division by zero. Reported
 by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596

Fixes CVE-2016-10266

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 libtiff/tif_read.c | 2 +-
 libtiff/tiffiop.h  | 4 ++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index c26c55f4..52bbf507 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
 	rowsperstrip=td->td_rowsperstrip;
 	if (rowsperstrip>td->td_imagelength)
 		rowsperstrip=td->td_imagelength;
-	stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
+	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
 	stripinplane=(strip%stripsperplane);
 	plane=(uint16)(strip/stripsperplane);
 	rows=td->td_imagelength-stripinplane*rowsperstrip;
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index ffbb647b..cb59460a 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -250,6 +250,10 @@ struct tiff {
 #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
 			   ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
 			   0U)
+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
+#define TIFFhowmany_32_maxuint_compat(x, y) \
+			   (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
 #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
 #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
 #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
-- 
2.11.0
tiff: add upstream security fixes Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing the following security issues: CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-04-26 23:58:14 +02:00			`From 438274f938e046d33cb0e1230b41da32ffe223e1 Mon Sep 17 00:00:00 2001`
			`From: erouault <erouault>`
			`Date: Fri, 2 Dec 2016 21:56:56 +0000`
			`Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow`
			`in TIFFReadEncodedStrip() that caused an integer division by zero. Reported`
			`by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596`

			`Fixes CVE-2016-10266`

			`Signed-off-by: Peter Korsgaard <peter@korsgaard.com>`
			`---`
			`libtiff/tif_read.c \| 2 +-`
			`libtiff/tiffiop.h \| 4 ++++`
			`2 files changed, 12 insertions(+), 1 deletion(-)`

			`diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c`
			`index c26c55f4..52bbf507 100644`
			`--- a/libtiff/tif_read.c`
			`+++ b/libtiff/tif_read.c`
			`@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)`
			`rowsperstrip=td->td_rowsperstrip;`
			`if (rowsperstrip>td->td_imagelength)`
			`rowsperstrip=td->td_imagelength;`
			`- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);`
			`+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);`
			`stripinplane=(strip%stripsperplane);`
			`plane=(uint16)(strip/stripsperplane);`
			`rows=td->td_imagelength-stripinplane*rowsperstrip;`
			`diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h`
			`index ffbb647b..cb59460a 100644`
			`--- a/libtiff/tiffiop.h`
			`+++ b/libtiff/tiffiop.h`
			`@@ -250,6 +250,10 @@ struct tiff {`
			`#define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \`
			`((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \`
			`0U)`
			`+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */`
			`+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)y might overflow /`
			`+#define TIFFhowmany_32_maxuint_compat(x, y) \`
			`+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))`
			`#define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)`
			`#define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))`
			`#define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))`
			`--`
			`2.11.0`