libs/tiff/patches/123-CVE-2017-7593.patch

   1 From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
   2 From: erouault <erouault>
   3 Date: Wed, 11 Jan 2017 19:02:49 +0000
   4 Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
   5  _TIFFcalloc()
   6
   7 * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
   8 initialize tif_rawdata.
   9 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
  10 ---
  11  ChangeLog           | 8 ++++++++
  12  libtiff/tif_read.c  | 4 +++-
  13  libtiff/tif_unix.c  | 8 ++++++++
  14  libtiff/tif_vms.c   | 8 ++++++++
  15  libtiff/tif_win32.c | 8 ++++++++
  16  libtiff/tiffio.h    | 1 +
  17  6 files changed, 36 insertions(+), 1 deletion(-)
  18
  19 diff --git a/ChangeLog b/ChangeLog
  20 index 6a342e5..abd75d7 100644
  21 --- a/ChangeLog
  22 +++ b/ChangeLog
  23 @@ -1,5 +1,13 @@
  24  2017-01-11 Even Rouault <even.rouault at spatialys.com>
  25
  26 +       * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
  27 +
  28 +       * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
  29 +       initialize tif_rawdata.
  30 +       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
  31 +
  32 +2017-01-11 Even Rouault <even.rouault at spatialys.com>
  33 +
  34         * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
  35         avoid UndefinedBehaviorSanitizer warning.
  36         Patch by Nicolás Peña.
  37 diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
  38 index 277fdd6..4535ccb 100644
  39 --- a/libtiff/tif_read.c
  40 +++ b/libtiff/tif_read.c
  41 @@ -985,7 +985,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
  42                                  "Invalid buffer size");
  43                     return (0);
  44                 }
  45 -               tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
  46 +               /* Initialize to zero to avoid uninitialized buffers in case of */
  47 +                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
  48 +               tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
  49                 tif->tif_flags |= TIFF_MYBUFFER;
  50         }
  51         if (tif->tif_rawdata == NULL) {
  52 diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
  53 index 7c7bc96..89dd32e 100644
  54 --- a/libtiff/tif_unix.c
  55 +++ b/libtiff/tif_unix.c
  56 @@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s)
  57         return (malloc((size_t) s));
  58  }
  59
  60 +void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
  61 +{
  62 +    if( nmemb == 0 || siz == 0 )
  63 +        return ((void *) NULL);
  64 +
  65 +    return calloc((size_t) nmemb, (size_t)siz);
  66 +}
  67 +
  68  void
  69  _TIFFfree(void* p)
  70  {
  71 diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
  72 index d730b3a..3e9001b 100644
  73 --- a/libtiff/tif_win32.c
  74 +++ b/libtiff/tif_win32.c
  75 @@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s)
  76         return (malloc((size_t) s));
  77  }
  78
  79 +void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
  80 +{
  81 +    if( nmemb == 0 || siz == 0 )
  82 +        return ((void *) NULL);
  83 +
  84 +    return calloc((size_t) nmemb, (size_t)siz);
  85 +}
  86 +
  87  void
  88  _TIFFfree(void* p)
  89  {
  90 diff --git a/libtiff/tiffio.h b/libtiff/tiffio.h
  91 index 732da17..fbd9171 100644
  92 --- a/libtiff/tiffio.h
  93 +++ b/libtiff/tiffio.h
  94 @@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
  95   */
  96
  97  extern void* _TIFFmalloc(tmsize_t s);
  98 +extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
  99  extern void* _TIFFrealloc(void* p, tmsize_t s);
 100  extern void _TIFFmemset(void* p, int v, tmsize_t c);
 101  extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);