From daac7c494df970a6e5065d53809c4e09d7b5acc9 Mon Sep 17 00:00:00 2001 From: Lucio Andrés Illanes Albornoz Date: Sep 07 2018 19:06:53 +0000 Subject: patches/tiff/CVE-{2017-{11613,17095,9935},2018-{10963,8905}}.patch: imported from aports (via Redfoxmoon.) --- diff --git a/patches/tiff/CVE-2017-11613.patch b/patches/tiff/CVE-2017-11613.patch new file mode 100644 index 0000000..b3f600a --- /dev/null +++ b/patches/tiff/CVE-2017-11613.patch @@ -0,0 +1,44 @@ +From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 11 Mar 2018 11:14:01 +0100 +Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion + (CVE-2017-11613) + +In ChopUpSingleUncompressedStrip(), if the computed number of strips is big +enough and we are in read only mode, validate that the file size is consistent +with that number of strips to avoid useless attempts at allocating a lot of +memory for the td_stripbytecount and td_stripoffset arrays. + +Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more +cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. +Credit to OSS Fuzz + +Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 +--- + libtiff/tif_dirread.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 80aaf8d..5896a78 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + if( nstrips == 0 ) + return; + ++ /* If we are going to allocate a lot of memory, make sure that the */ ++ /* file is as big as needed */ ++ if( tif->tif_mode == O_RDONLY && ++ nstrips > 1000000 && ++ (offset >= TIFFGetFileSize(tif) || ++ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) ++ { ++ return; ++ } ++ + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), +-- +2.17.1 + diff --git a/patches/tiff/CVE-2017-17095.patch b/patches/tiff/CVE-2017-17095.patch new file mode 100644 index 0000000..760c955 --- /dev/null +++ b/patches/tiff/CVE-2017-17095.patch @@ -0,0 +1,28 @@ +Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5 + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 7a57800..8443fce 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -184,8 +184,19 @@ main(int argc, char* argv[]) + { unsigned char *ibuf, *obuf; + register unsigned char* pp; + register uint32 x; +- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); +- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); ++ tmsize_t tss_in = TIFFScanlineSize(in); ++ tmsize_t tss_out = TIFFScanlineSize(out); ++ if (tss_out / tss_in < 3) { ++ /* ++ * BUG 2750: The following code assumes the output buffer is 3x the ++ * length of the input buffer due to exploding the palette into ++ * RGB tuples. If this doesn't happen, fail now. ++ */ ++ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); ++ return -1; ++ } ++ ibuf = (unsigned char*)_TIFFmalloc(tss_in); ++ obuf = (unsigned char*)_TIFFmalloc(tss_out); + switch (config) { + case PLANARCONFIG_CONTIG: + for (row = 0; row < imagelength; row++) { diff --git a/patches/tiff/CVE-2017-9935.patch b/patches/tiff/CVE-2017-9935.patch new file mode 100644 index 0000000..39327ff --- /dev/null +++ b/patches/tiff/CVE-2017-9935.patch @@ -0,0 +1,164 @@ +From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++---------------- + 2 files changed, 49 insertions(+), 23 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index f00f808..c36a5f3 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index bdb9126..bd23c9e 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -239,7 +239,7 @@ typedef struct { + float tiff_whitechromaticities[2]; + float tiff_primarychromaticities[6]; + float tiff_referenceblackwhite[2]; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + int pdf_image_interpolate; /* 0 (default) : do not interpolate, + 1 : interpolate */ + uint16 tiff_transferfunctioncount; +@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + if(directorycount > TIFF_DIR_MAX) { +@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (uint16*) NULL) && ++ (tiff_transferfunction[2] != (uint16*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && ++ (t2p->tiff_transferfunction[2] != (uint16*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; +-- +2.17.0 + diff --git a/patches/tiff/CVE-2018-10963.patch b/patches/tiff/CVE-2018-10963.patch new file mode 100644 index 0000000..039b7c1 --- /dev/null +++ b/patches/tiff/CVE-2018-10963.patch @@ -0,0 +1,31 @@ +From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 12 May 2018 14:24:15 +0200 +Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 + +--- + libtiff/tif_dirwrite.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index c68d6d2..5d0a669 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) + } + break; + default: +- assert(0); /* we should never get here */ +- break; ++ TIFFErrorExt(tif->tif_clientdata,module, ++ "Cannot write tag %d (%s)", ++ TIFFFieldTag(o), ++ o->field_name ? o->field_name : "unknown"); ++ goto bad; + } + } + } +-- +2.17.0 + diff --git a/patches/tiff/CVE-2018-8905.patch b/patches/tiff/CVE-2018-8905.patch new file mode 100644 index 0000000..f951092 --- /dev/null +++ b/patches/tiff/CVE-2018-8905.patch @@ -0,0 +1,51 @@ +From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 12 May 2018 15:32:31 +0200 +Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 + +The fix consists in using the similar code LZWDecode() to validate we +don't write outside of the output buffer. +--- + libtiff/tif_lzw.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index 4ccb443..94d85e3 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + char *tp; + unsigned char *bp; + int code, nbits; ++ int len; + long nextbits, nextdata, nbitsmask; + code_t *codep, *free_entp, *maxcodep, *oldcodep; + +@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + } while (--occ); + break; + } +- assert(occ >= codep->length); +- op += codep->length; +- occ -= codep->length; +- tp = op; ++ len = codep->length; ++ tp = op + len; + do { +- *--tp = codep->value; +- } while( (codep = codep->next) != NULL ); ++ int t; ++ --tp; ++ t = codep->value; ++ codep = codep->next; ++ *tp = (char)t; ++ } while (codep && tp > op); ++ assert(occ >= len); ++ op += len; ++ occ -= len; + } else { + *op++ = (char)code; + occ--; +-- +libgit2 0.27.0 +