From 4a78ac5d93c2bc415cdee31da9fcefd8700adf0a Mon Sep 17 00:00:00 2001 From: Nicolas Thill Date: Sun, 27 Sep 2009 15:34:20 +0000 Subject: [PATCH] [packages] tiff: fix another buffer overflow - CVE-2009-2347 SVN-Revision: 17766 --- libs/tiff/Makefile | 2 +- libs/tiff/patches/904-cve-2009-2347.patch | 163 ++++++++++++++++++++++ 2 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 libs/tiff/patches/904-cve-2009-2347.patch diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile index 6e9e0cd03a..2f9f8c2078 100644 --- a/libs/tiff/Makefile +++ b/libs/tiff/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tiff PKG_VERSION:=3.8.2 -PKG_RELEASE:=1.1 +PKG_RELEASE:=1.2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://libtiff.maptools.org/dl/ diff --git a/libs/tiff/patches/904-cve-2009-2347.patch b/libs/tiff/patches/904-cve-2009-2347.patch new file mode 100644 index 0000000000..2ac9fbfa31 --- /dev/null +++ b/libs/tiff/patches/904-cve-2009-2347.patch @@ -0,0 +1,163 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2347 + +--- a/tools/rgb2ycbcr.c ++++ b/tools/rgb2ycbcr.c +@@ -202,6 +202,17 @@ cvtClump(unsigned char* op, uint32* rast + #undef LumaBlue + #undef V2Code + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + /* + * Convert a strip of RGB data to YCbCr and + * sample to generate the output data. +@@ -278,10 +289,19 @@ tiffcvt(TIFF* in, TIFF* out) + float floatv; + char *stringv; + uint32 longv; ++ tsize_t raster_size; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +--- a/tools/tiff2rgba.c ++++ b/tools/tiff2rgba.c +@@ -124,6 +124,17 @@ main(int argc, char* argv[]) + return (0); + } + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + static int + cvt_by_tile( TIFF *in, TIFF *out ) + +@@ -133,6 +144,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) + uint32 tile_width, tile_height; + uint32 row, col; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -150,7 +162,14 @@ cvt_by_tile( TIFF *in, TIFF *out ) + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) tile_width, (unsigned long) tile_height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -158,7 +177,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + if (!wrk_line) { +@@ -226,6 +245,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) + uint32 width, height; /* image width & height */ + uint32 row; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -241,7 +261,14 @@ cvt_by_strip( TIFF *in, TIFF *out ) + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) rowsperstrip); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -249,7 +276,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + if (!wrk_line) { +@@ -328,14 +355,22 @@ cvt_whole_image( TIFF *in, TIFF *out ) + uint32* raster; /* retrieve RGBA image */ + uint32 width, height; /* image width & height */ + uint32 row; +- ++ tsize_t raster_size; ++ + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); + + rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -353,7 +388,7 @@ cvt_whole_image( TIFF *in, TIFF *out ) + */ + if( no_alpha ) + { +- int pixel_count = width * height; ++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height; + unsigned char *src, *dst; + + src = (unsigned char *) raster; -- 2.30.2