From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:57344) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d70zB-0008KD-9J for guix-patches@gnu.org; Sat, 06 May 2017 10:47:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d70z8-0001sS-1S for guix-patches@gnu.org; Sat, 06 May 2017 10:47:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:59982) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1d70z7-0001sO-TX for guix-patches@gnu.org; Sat, 06 May 2017 10:47:01 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1d70z7-00017N-NJ for guix-patches@gnu.org; Sat, 06 May 2017 10:47:01 -0400 Subject: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}. Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:57185) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d70yM-0008El-EX for guix-patches@gnu.org; Sat, 06 May 2017 10:46:17 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d70yI-0001Vs-J4 for guix-patches@gnu.org; Sat, 06 May 2017 10:46:14 -0400 Received: from lb1.openmailbox.org ([5.79.108.160]:53911 helo=mail.openmailbox.org) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1d70yI-0001UO-4R for guix-patches@gnu.org; Sat, 06 May 2017 10:46:10 -0400 From: Kei Kebreau Date: Sat, 6 May 2017 10:45:57 -0400 Message-Id: <20170506144557.28785-1-kei@openmailbox.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 26804@debbugs.gnu.org Cc: Kei Kebreau * gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file. * gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file. * gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[source]: Use them. --- gnu/local.mk | 3 + gnu/packages/image.scm | 7 +- gnu/packages/patches/libtiff-CVE-2017-7593.patch | 113 ++++++ gnu/packages/patches/libtiff-CVE-2017-7594.patch | 54 +++ .../patches/libtiff-multiple-UBSAN-crashes.patch | 449 +++++++++++++++= ++++++ 5 files changed, 624 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7593.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7594.patch create mode 100644 gnu/packages/patches/libtiff-multiple-UBSAN-crashes.p= atch diff --git a/gnu/local.mk b/gnu/local.mk index c93dca64c..d983d62fd 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -739,6 +739,9 @@ dist_patch_DATA =3D \ %D%/packages/patches/libtiff-CVE-2016-10093.patch \ %D%/packages/patches/libtiff-CVE-2016-10094.patch \ %D%/packages/patches/libtiff-CVE-2017-5225.patch \ + %D%/packages/patches/libtiff-CVE-2017-7593.patch \ + %D%/packages/patches/libtiff-CVE-2017-7594.patch \ + %D%/packages/patches/libtiff-multiple-UBSAN-crashes.patch \ %D%/packages/patches/libtiff-assertion-failure.patch \ %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \ %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 2027395ca..a8cc837d5 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -13,7 +13,7 @@ ;;; Copyright =C2=A9 2016 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2016 Eric Bavier ;;; Copyright =C2=A9 2016 Arun Isaac -;;; Copyright =C2=A9 2016 Kei Kebreau +;;; Copyright =C2=A9 2016, 2017 Kei Kebreau ;;; Copyright =C2=A9 2017 ng0 ;;; ;;; This file is part of GNU Guix. @@ -319,7 +319,10 @@ extracting icontainer icon files.") "libtiff-divide-by-zero-tiffcp.patc= h" "libtiff-assertion-failure.patch" "libtiff-CVE-2016-10094.patch" - "libtiff-CVE-2017-5225.patch")) + "libtiff-CVE-2017-5225.patch" + "libtiff-CVE-2017-7593.patch" + "libtiff-CVE-2017-7594.patch" + "libtiff-multiple-UBSAN-crashes.pat= ch")) (sha256 (base32 "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz")))) diff --git a/gnu/packages/patches/libtiff-CVE-2017-7593.patch b/gnu/packa= ges/patches/libtiff-CVE-2017-7593.patch new file mode 100644 index 000000000..496efb73b --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-7593.patch @@ -0,0 +1,113 @@ +Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawd= ata): + +http://bugzilla.maptools.org/show_bug.cgi?id=3D2651 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7593 +https://security-tracker.debian.org/tracker/CVE-2017-7593 + +2017-01-11 Even Rouault + + * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add + _TIFFcalloc() + + * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() t= o zero + initialize tif_rawdata. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2651 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1208; previous revision: 1.1207 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_rea= d.c +new revision: 1.53; previous revision: 1.52 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v <-- libtiff/tif_uni= x.c +new revision: 1.28; previous revision: 1.27 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v <-- libtiff/tif_vms.= c +new revision: 1.14; previous revision: 1.13 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v <-- libtiff/tif_wi= n32.c +new revision: 1.42; previous revision: 1.41 +/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v <-- libtiff/tiffio.h +new revision: 1.94; previous revision: 1.93 + +diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h +--- tiff-4.0.7/libtiff/tiffio.h 1969-12-31 19:00:00.000000000 -0500 ++++ tiff-4.0.7.new/libtiff/tiffio.h 2017-05-05 19:08:03.772999790 -0400 +@@ -1,4 +1,4 @@ +-/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */ ++/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */ +=20 + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -293,6 +293,7 @@ + */ +=20 + extern void* _TIFFmalloc(tmsize_t s); ++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); + extern void* _TIFFrealloc(void* p, tmsize_t s); + extern void _TIFFmemset(void* p, int v, tmsize_t c); + extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); +diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c +--- tiff-4.0.7/libtiff/tif_read.c 2017-05-05 19:04:09.740966642 -0400 ++++ tiff-4.0.7.new/libtiff/tif_read.c 2017-05-05 18:59:11.070709441 -040= 0 +@@ -1,4 +1,4 @@ +-/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */ ++/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */ +=20 + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -976,7 +976,9 @@ + "Invalid buffer size"); + return (0); + } +- tif->tif_rawdata =3D (uint8*) _TIFFmalloc(tif->tif_rawdatasize); ++ /* Initialize to zero to avoid uninitialized buffers in case of */ ++ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=3D2651) = */ ++ tif->tif_rawdata =3D (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); + tif->tif_flags |=3D TIFF_MYBUFFER; + } + if (tif->tif_rawdata =3D=3D NULL) { +diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c +--- tiff-4.0.7/libtiff/tif_unix.c 1969-12-31 19:00:00.000000000 -0500 ++++ tiff-4.0.7.new/libtiff/tif_unix.c 2017-05-05 19:10:48.302645187 -040= 0 +@@ -1,4 +1,4 @@ +-/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */ ++/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */ +=20 + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -316,6 +316,14 @@ + return (malloc((size_t) s)); + } +=20 ++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) ++{ ++ if( nmemb =3D=3D 0 || siz =3D=3D 0 ) ++ return ((void *) NULL); ++ ++ return calloc((size_t) nmemb, (size_t)siz); ++} ++ + void + _TIFFfree(void* p) + { +diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32= .c +--- tiff-4.0.7/libtiff/tif_win32.c 1969-12-31 19:00:00.000000000 -0500 ++++ tiff-4.0.7.new/libtiff/tif_win32.c 2017-05-05 19:13:06.903399627 -04= 00 +@@ -1,4 +1,4 @@ +-/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */ ++/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */ +=20 + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -360,6 +360,14 @@ + return (malloc((size_t) s)); + } +=20 ++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) ++{ ++ if( nmemb =3D=3D 0 || siz =3D=3D 0 ) ++ return ((void *) NULL); ++ ++ return calloc((size_t) nmemb, (size_t)siz); ++} ++ + void + _TIFFfree(void* p) + { diff --git a/gnu/packages/patches/libtiff-CVE-2017-7594.patch b/gnu/packa= ges/patches/libtiff-CVE-2017-7594.patch new file mode 100644 index 000000000..d17997d44 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-7594.patch @@ -0,0 +1,54 @@ +Fixes CVE-2017-7594 (Direct leak in tif_ojpeg.c): + +http://bugzilla.maptools.org/show_bug.cgi?id=3D2659 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7594 +https://security-tracker.debian.org/tracker/CVE-2017-7594 + +2017-01-12 Even Rouault + + * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesA= cTable + when read fails. + Patch by Nicol=C3=A1s Pe=C3=B1a. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2659 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1212; previous revision: 1.1211 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_oj= peg.c +new revision: 1.67; previous revision: 1.66 + +Index: libtiff/libtiff/tif_ojpeg.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v +retrieving revision 1.67 +retrieving revision 1.68 +diff -u -r1.67 -r1.68 +--- libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 17:43:26 -0000 1.67 ++++ libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 19:23:20 -0000 1.68 +@@ -1,4 +1,4 @@ +-/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */ ++/* $Id: tif_ojpeg.c,v 1.68 2017-01-12 19:23:20 erouault Exp $ */ +=20 + /* WARNING: The type of JPEG encapsulation defined by the TIFF Version = 6.0 + specification is now totally obsolete and deprecated for new applica= tions and +@@ -1790,7 +1790,10 @@ + TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);=20 + p=3D(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64); + if (p!=3D64) ++ { ++ _TIFFfree(ob); + return(0); ++ } + sp->qtable[m]=3Dob; + sp->sof_tq[m]=3Dm; + } +@@ -1854,7 +1857,10 @@ + rb[sizeof(uint32)+5+n]=3Do[n]; + p=3D(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); + if (p!=3Dq) ++ { ++ _TIFFfree(rb); + return(0); ++ } + sp->dctable[m]=3Drb; + sp->sos_tda[m]=3D(m<<4); + } diff --git a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch b/= gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch new file mode 100644 index 000000000..2f4509f38 --- /dev/null +++ b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch @@ -0,0 +1,449 @@ +Fixes CVE-2017-{7595,7596,7597,7598,7599,7600,7601,7602}: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7595 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7596 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7597 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7598 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7599 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7600 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7601 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7602 + +2017-01-11 Even Rouault + + * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement va= rious + clampings + of double to other data types to avoid undefined behaviour if th= e + output range + isn't big enough to hold the input value. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2643 + http://bugzilla.maptools.org/show_bug.cgi?id=3D2642 + http://bugzilla.maptools.org/show_bug.cgi?id=3D2646 + http://bugzilla.maptools.org/show_bug.cgi?id=3D2647 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1204; previous revision: 1.1203 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.= c +new revision: 1.129; previous revision: 1.128 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_d= irread.c +new revision: 1.207; previous revision: 1.206 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- libtiff/tif_= dirwrite.c +new revision: 1.85; previous revision: 1.84 + +2017-01-11 Even Rouault + + * libtiff/tif_dirread.c: avoid division by floating point 0 in + TIFFReadDirEntryCheckedRational() and + TIFFReadDirEntryCheckedSrational(), + and return 0 in that case (instead of infinity as before presuma= bly) + Apparently some sanitizers do not like those divisions by zero. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2644 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1203; previous revision: 1.1202 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_d= irread.c +new revision: 1.206; previous revision: 1.205 + +2017-01-11 Even Rouault + + * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode(= ) to + avoid undefined behaviour caused by invalid shift exponent. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2648 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1205; previous revision: 1.1204 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v <-- libtiff/tif_jpeg= .c +new revision: 1.126; previous revision: 1.125 + +2017-01-11 Even Rouault + + * libtiff/tif_read.c: avoid potential undefined behaviour on sig= ned + integer addition in TIFFReadRawStrip1() in isMapped() case. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2650 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1206; previous revision: 1.1205 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read= .c +new revision: 1.51; previous revision: 1.50 + +Index: libtiff/libtiff/tif_dir.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v +retrieving revision 1.128 +retrieving revision 1.129 +diff -u -r1.128 -r1.129 +--- libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128 ++++ libtiff/libtiff/tif_dir.c 11 Jan 2017 16:09:02 -0000 1.129 +@@ -1,4 +1,4 @@ +-/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */ ++/* $Id: tif_dir.c,v 1.129 2017-01-11 16:09:02 erouault Exp $ */ +=20 + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -31,6 +31,7 @@ + * (and also some miscellaneous stuff) + */ + #include "tiffiop.h" ++#include +=20 + /* + * These are used in the backwards compatibility code... +@@ -154,6 +155,15 @@ + return (0); + } +=20 ++static float TIFFClampDoubleToFloat( double val ) ++{ ++ if( val > FLT_MAX ) ++ return FLT_MAX; ++ if( val < -FLT_MAX ) ++ return -FLT_MAX; ++ return (float)val; ++} ++ + static int + _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + { +@@ -312,13 +322,13 @@ + dblval =3D va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; +- td->td_xresolution =3D (float) dblval; ++ td->td_xresolution =3D TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval =3D va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; +- td->td_yresolution =3D (float) dblval; ++ td->td_yresolution =3D TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_PLANARCONFIG: + v =3D (uint16) va_arg(ap, uint16_vap); +@@ -327,10 +337,10 @@ + td->td_planarconfig =3D (uint16) v; + break; + case TIFFTAG_XPOSITION: +- td->td_xposition =3D (float) va_arg(ap, double); ++ td->td_xposition =3D TIFFClampDoubleToFloat( va_arg(ap, double) ); + break; + case TIFFTAG_YPOSITION: +- td->td_yposition =3D (float) va_arg(ap, double); ++ td->td_yposition =3D TIFFClampDoubleToFloat( va_arg(ap, double) ); + break; + case TIFFTAG_RESOLUTIONUNIT: + v =3D (uint16) va_arg(ap, uint16_vap); +Index: libtiff/libtiff/tif_dirread.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v +retrieving revision 1.206 +retrieving revision 1.207 +diff -u -r1.206 -r1.207 +--- libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206 ++++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 16:09:02 -0000 1.207 +@@ -1,4 +1,4 @@ +-/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */ ++/* $Id: tif_dirread.c,v 1.207 2017-01-11 16:09:02 erouault Exp $ */ +=20 + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -40,6 +40,7 @@ + */ +=20 + #include "tiffiop.h" ++#include +=20 + #define IGNORE 0 /* tag placeholder used below */ + #define FAILED_FII ((uint32) -1) +@@ -2406,7 +2407,14 @@ + ma=3D(double*)origdata; + mb=3Ddata; + for (n=3D0; n FLT_MAX ) ++ val =3D FLT_MAX; ++ else if( val < -FLT_MAX ) ++ val =3D -FLT_MAX; ++ *mb++=3D(float)val; ++ } + } + break; + } +Index: libtiff/libtiff/tif_dirwrite.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v +retrieving revision 1.84 +retrieving revision 1.85 +diff -u -r1.84 -r1.85 +--- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 12:51:59 -0000 1.84 ++++ libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85 +@@ -1,4 +1,4 @@ +-/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */ ++/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */ +=20 + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -30,6 +30,7 @@ + * Directory Write Support Routines. + */ + #include "tiffiop.h" ++#include +=20 + #ifdef HAVE_IEEEFP + #define TIFFCvtNativeToIEEEFloat(tif, n, fp) +@@ -939,6 +940,69 @@ + return(0); + } +=20 ++static float TIFFClampDoubleToFloat( double val ) ++{ ++ if( val > FLT_MAX ) ++ return FLT_MAX; ++ if( val < -FLT_MAX ) ++ return -FLT_MAX; ++ return (float)val; ++} ++ ++static int8 TIFFClampDoubleToInt8( double val ) ++{ ++ if( val > 127 ) ++ return 127; ++ if( val < -128 || val !=3D val ) ++ return -128; ++ return (int8)val; ++} ++ ++static int16 TIFFClampDoubleToInt16( double val ) ++{ ++ if( val > 32767 ) ++ return 32767; ++ if( val < -32768 || val !=3D val ) ++ return -32768; ++ return (int16)val; ++} ++ ++static int32 TIFFClampDoubleToInt32( double val ) ++{ ++ if( val > 0x7FFFFFFF ) ++ return 0x7FFFFFFF; ++ if( val < -0x7FFFFFFF-1 || val !=3D val ) ++ return -0x7FFFFFFF-1; ++ return (int32)val; ++} ++ ++static uint8 TIFFClampDoubleToUInt8( double val ) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 255 || val !=3D val ) ++ return 255; ++ return (uint8)val; ++} ++ ++static uint16 TIFFClampDoubleToUInt16( double val ) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 65535 || val !=3D val ) ++ return 65535; ++ return (uint16)val; ++} ++ ++static uint32 TIFFClampDoubleToUInt32( double val ) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 0xFFFFFFFFU || val !=3D val ) ++ return 0xFFFFFFFFU; ++ return (uint32)val; ++} ++ + static int + TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDir= Entry* dir, uint16 tag, uint32 count, double* value) + { +@@ -959,7 +1023,7 @@ + if (tif->tif_dir.td_bitspersample<=3D32) + { + for (i =3D 0; i < count; ++i) +- ((float*)conv)[i] =3D (float)value[i]; ++ ((float*)conv)[i] =3D TIFFClampDoubleToFloat(value[i]); + ok =3D TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(floa= t*)conv); + } + else +@@ -971,19 +1035,19 @@ + if (tif->tif_dir.td_bitspersample<=3D8) + { + for (i =3D 0; i < count; ++i) +- ((int8*)conv)[i] =3D (int8)value[i]; ++ ((int8*)conv)[i] =3D TIFFClampDoubleToInt8(value[i]); + ok =3D TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8= *)conv); + } + else if (tif->tif_dir.td_bitspersample<=3D16) + { + for (i =3D 0; i < count; ++i) +- ((int16*)conv)[i] =3D (int16)value[i]; ++ ((int16*)conv)[i] =3D TIFFClampDoubleToInt16(value[i]); + ok =3D TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int= 16*)conv); + } + else + { + for (i =3D 0; i < count; ++i) +- ((int32*)conv)[i] =3D (int32)value[i]; ++ ((int32*)conv)[i] =3D TIFFClampDoubleToInt32(value[i]); + ok =3D TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int3= 2*)conv); + } + break; +@@ -991,19 +1055,19 @@ + if (tif->tif_dir.td_bitspersample<=3D8) + { + for (i =3D 0; i < count; ++i) +- ((uint8*)conv)[i] =3D (uint8)value[i]; ++ ((uint8*)conv)[i] =3D TIFFClampDoubleToUInt8(value[i]); + ok =3D TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8= *)conv); + } + else if (tif->tif_dir.td_bitspersample<=3D16) + { + for (i =3D 0; i < count; ++i) +- ((uint16*)conv)[i] =3D (uint16)value[i]; ++ ((uint16*)conv)[i] =3D TIFFClampDoubleToUInt16(value[i]); + ok =3D TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint= 16*)conv); + } + else + { + for (i =3D 0; i < count; ++i) +- ((uint32*)conv)[i] =3D (uint32)value[i]; ++ ((uint32*)conv)[i] =3D TIFFClampDoubleToUInt32(value[i]); + ok =3D TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint3= 2*)conv); + } + break; +@@ -2102,7 +2102,7 @@ + m[0]=3D0; + m[1]=3D1; + } +- else if (value=3D=3D(double)(uint32)value) ++ else if (value <=3D 0xFFFFFFFFU && value=3D=3D(double)(uint32)value) + { + m[0]=3D(uint32)value; + m[1]=3D1; +@@ -2148,12 +2217,13 @@ + } + for (na=3Dvalue, nb=3Dm, nc=3D0; nc=3D 0 && *na <=3D (float)0xFFFFFFFFU && ++ *na=3D=3D(float)(uint32)(*na)) + { + nb[0]=3D(uint32)(*na); + nb[1]=3D1; +Index: libtiff/libtiff/tif_dirread.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v +retrieving revision 1.205 +retrieving revision 1.206 +diff -u -r1.205 -r1.206 +--- libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205 ++++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206 +@@ -2872,7 +2872,10 @@ + m.l =3D direntry->tdir_offset.toff_long8; + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabArrayOfLong(m.i,2); +- if (m.i[0]=3D=3D0) ++ /* Not completely sure what we should do when m.i[1]=3D=3D0, bu= t some */ ++ /* sanitizers do not like division by 0.0: */ ++ /* http://bugzilla.maptools.org/show_bug.cgi?id=3D2644 */ ++ if (m.i[0]=3D=3D0 || m.i[1]=3D=3D0) + *value=3D0.0; + else + *value=3D(double)m.i[0]/(double)m.i[1]; +@@ -2900,7 +2903,10 @@ + m.l=3Ddirentry->tdir_offset.toff_long8; + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabArrayOfLong(m.i,2); +- if ((int32)m.i[0]=3D=3D0) ++ /* Not completely sure what we should do when m.i[1]=3D=3D0, bu= t some */ ++ /* sanitizers do not like division by 0.0: */ ++ /* http://bugzilla.maptools.org/show_bug.cgi?id=3D2644 */ ++ if ((int32)m.i[0]=3D=3D0 || m.i[1]=3D=3D0) + *value=3D0.0; + else + *value=3D(double)((int32)m.i[0])/(double)m.i[1]; +Index: libtiff/libtiff/tif_jpeg.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v +retrieving revision 1.125 +retrieving revision 1.126 +diff -u -r1.125 -r1.126 +--- libtiff/libtiff/tif_jpeg.c 11 Jan 2017 12:15:01 -0000 1.125 ++++ libtiff/libtiff/tif_jpeg.c 11 Jan 2017 16:13:50 -0000 1.126 +@@ -1,4 +1,4 @@ +-/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */ ++/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */ +=20 + /* + * Copyright (c) 1994-1997 Sam Leffler +@@ -1632,6 +1632,13 @@ + "Invalig horizontal/vertical sampling value= "); + return (0); + } ++ if( td->td_bitspersample > 16 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "BitsPerSample %d not allowed for JPEG= ", ++ td->td_bitspersample); ++ return (0); ++ } +=20 + /* + * A ReferenceBlackWhite field *must* be present since the +Index: libtiff/libtiff/tif_read.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v +retrieving revision 1.50 +retrieving revision 1.51 +diff -u -r1.50 -r1.51 +--- libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50 ++++ libtiff/libtiff/tif_read.c 11 Jan 2017 16:33:34 -0000 1.51 +@@ -420,16 +420,25 @@ + return ((tmsize_t)(-1)); + } + } else { +- tmsize_t ma,mb; ++ tmsize_t ma; + tmsize_t n; +- ma=3D(tmsize_t)td->td_stripoffset[strip]; +- mb=3Dma+size; +- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif-= >tif_size)) +- n=3D0; +- else if ((mbtif->tif_size)) +- n=3Dtif->tif_size-ma; +- else +- n=3Dsize; ++ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| ++ ((ma=3D(tmsize_t)td->td_stripoffset[strip])>tif->ti= f_size)) ++ { ++ n=3D0; ++ } ++ else if( ma > TIFF_TMSIZE_T_MAX - size ) ++ { ++ n=3D0; ++ } ++ else ++ { ++ tmsize_t mb=3Dma+size; ++ if (mb>tif->tif_size) ++ n=3Dtif->tif_size-ma; ++ else ++ n=3Dsize; ++ } + if (n!=3Dsize) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, --=20 2.12.2