package-update/graphic/libtiff/libtiff-4.0.3-0100-CVE-2012...

# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../libtiff/libtiff-4.0.3-0100-CVE-2012-4564.patch
# Copyright (C) 2013 The OpenSDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---

From fd1356f7003d47cf59392679c08a2dacc556bce4 Mon Sep 17 00:00:00 2001
From: fwarmerdam <fwarmerdam>
Date: Fri, 2 Nov 2012 05:13:24 +0000
Subject: [PATCH] ppm2tiff: fix zero size buffer exploit (CVE-2012-4564)

original commit message: fix zero size buffer exploit (CVE-2012-4564) in ppm2tiff
original ChangeLog entry:
----------------------------------------------------------------------------
2012-11-01  Frank Warmerdam  <warmerdam@pobox.com>

  * tools/ppm2tiff.c: avoid zero size buffer vulnerability.
  CVE-2012-4564 - Thanks to Huzaifa Sidhpurwala of the
  Red Hat Security Response team for the fix.
----------------------------------------------------------------------------

original commit message: Improve previous patch for CVE-2012-4564.
original ChangeLog entry:
----------------------------------------------------------------------------
2012-12-10  Tom Lane  <tgl@sss.pgh.pa.us>

 * tools/ppm2tiff.c: Improve previous patch for CVE-2012-4564:
   check the linebytes calculation too, get the max() calculation
   straight, avoid redundant error messages, check for malloc
   failure.
----------------------------------------------------------------------------

diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index 8910e76..d2f72a2 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -72,6 +72,17 @@ BadPPM(char* file)
 	exit(-2);
 }
 
+static tmsize_t
+multiply_ms(tmsize_t m1, tmsize_t m2)
+{
+	tmsize_t bytes = m1 * m2;
+
+	if (m1 && bytes / m1 != m2)
+		bytes = 0;
+
+	return bytes;
+}
+
 int
 main(int argc, char* argv[])
 {
@@ -79,7 +90,7 @@ main(int argc, char* argv[])
 	uint32 rowsperstrip = (uint32) -1;
 	double resolution = -1;
 	unsigned char *buf = NULL;
-	tsize_t linebytes = 0;
+	tmsize_t linebytes = 0;
 	uint16 spp = 1;
 	uint16 bpp = 8;
 	TIFF *out;
@@ -89,6 +100,7 @@ main(int argc, char* argv[])
 	int c;
 	extern int optind;
 	extern char* optarg;
+	tmsize_t scanline_size;
 
 	if (argc < 2) {
 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
@@ -221,7 +233,8 @@ main(int argc, char* argv[])
 	}
 	switch (bpp) {
 		case 1:
-			linebytes = (spp * w + (8 - 1)) / 8;
+			/* if round-up overflows, result will be zero, OK */
+			linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
 			if (rowsperstrip == (uint32) -1) {
 				TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
 			} else {
@@ -230,15 +243,31 @@ main(int argc, char* argv[])
 			}
 			break;
 		case 8:
-			linebytes = spp * w;
+			linebytes = multiply_ms(spp, w);
 			TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
 			    TIFFDefaultStripSize(out, rowsperstrip));
 			break;
 	}
-	if (TIFFScanlineSize(out) > linebytes)
+	if (linebytes == 0) {
+		fprintf(stderr, "%s: scanline size overflow\n", infile);
+		(void) TIFFClose(out);
+		exit(-2);					
+	}
+	scanline_size = TIFFScanlineSize(out);
+	if (scanline_size == 0) {
+		/* overflow - TIFFScanlineSize already printed a message */
+		(void) TIFFClose(out);
+		exit(-2);					
+	}
+	if (scanline_size < linebytes)
 		buf = (unsigned char *)_TIFFmalloc(linebytes);
 	else
-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+		buf = (unsigned char *)_TIFFmalloc(scanline_size);
+	if (buf == NULL) {
+		fprintf(stderr, "%s: Not enough memory\n", infile);
+		(void) TIFFClose(out);
+		exit(-2);
+	}
 	if (resolution > 0) {
 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
-- 
1.7.10.2
libtiff: add security fixes from upstream for CVE-2012-4564, CVE-2012-4447, CVE-2013-1961, CVE-2013-1960 12 years ago			`# --- SDE-COPYRIGHT-NOTE-BEGIN ---`
			`# This copyright note is auto-generated by ./scripts/Create-CopyPatch.`
			`#`
			`# Filename: package/.../libtiff/libtiff-4.0.3-0100-CVE-2012-4564.patch`
			`# Copyright (C) 2013 The OpenSDE Project`
			`#`
			`# More information can be found in the files COPYING and README.`
			`#`
			`# This patch file is dual-licensed. It is available under the license the`
			`# patched project is licensed under, as long as it is an OpenSource license`
			`# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms`
			`# of the GNU General Public License as published by the Free Software`
			`# Foundation; either version 2 of the License, or (at your option) any later`
			`# version.`
			`# --- SDE-COPYRIGHT-NOTE-END ---`

			`From fd1356f7003d47cf59392679c08a2dacc556bce4 Mon Sep 17 00:00:00 2001`
			`From: fwarmerdam <fwarmerdam>`
			`Date: Fri, 2 Nov 2012 05:13:24 +0000`
			`Subject: [PATCH] ppm2tiff: fix zero size buffer exploit (CVE-2012-4564)`

			`original commit message: fix zero size buffer exploit (CVE-2012-4564) in ppm2tiff`
			`original ChangeLog entry:`
			`----------------------------------------------------------------------------`
			`2012-11-01 Frank Warmerdam <warmerdam@pobox.com>`

			`* tools/ppm2tiff.c: avoid zero size buffer vulnerability.`
			`CVE-2012-4564 - Thanks to Huzaifa Sidhpurwala of the`
			`Red Hat Security Response team for the fix.`
			`----------------------------------------------------------------------------`

			`original commit message: Improve previous patch for CVE-2012-4564.`
			`original ChangeLog entry:`
			`----------------------------------------------------------------------------`
			`2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>`

			`* tools/ppm2tiff.c: Improve previous patch for CVE-2012-4564:`
			`check the linebytes calculation too, get the max() calculation`
			`straight, avoid redundant error messages, check for malloc`
			`failure.`
			`----------------------------------------------------------------------------`

			`diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c`
			`index 8910e76..d2f72a2 100644`
			`--- a/tools/ppm2tiff.c`
			`+++ b/tools/ppm2tiff.c`
			`@@ -72,6 +72,17 @@ BadPPM(char* file)`
			`exit(-2);`
			`}`

			`+static tmsize_t`
			`+multiply_ms(tmsize_t m1, tmsize_t m2)`
			`+{`
			`+ tmsize_t bytes = m1 * m2;`
			`+`
			`+ if (m1 && bytes / m1 != m2)`
			`+ bytes = 0;`
			`+`
			`+ return bytes;`
			`+}`
			`+`
			`int`
			`main(int argc, char* argv[])`
			`{`
			`@@ -79,7 +90,7 @@ main(int argc, char* argv[])`
			`uint32 rowsperstrip = (uint32) -1;`
			`double resolution = -1;`
			`unsigned char *buf = NULL;`
			`- tsize_t linebytes = 0;`
			`+ tmsize_t linebytes = 0;`
			`uint16 spp = 1;`
			`uint16 bpp = 8;`
			`TIFF *out;`
			`@@ -89,6 +100,7 @@ main(int argc, char* argv[])`
			`int c;`
			`extern int optind;`
			`extern char* optarg;`
			`+ tmsize_t scanline_size;`

			`if (argc < 2) {`
			`fprintf(stderr, "%s: Too few arguments\n", argv[0]);`
			`@@ -221,7 +233,8 @@ main(int argc, char* argv[])`
			`}`
			`switch (bpp) {`
			`case 1:`
			`- linebytes = (spp * w + (8 - 1)) / 8;`
			`+ /* if round-up overflows, result will be zero, OK */`
			`+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;`
			`if (rowsperstrip == (uint32) -1) {`
			`TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);`
			`} else {`
			`@@ -230,15 +243,31 @@ main(int argc, char* argv[])`
			`}`
			`break;`
			`case 8:`
			`- linebytes = spp * w;`
			`+ linebytes = multiply_ms(spp, w);`
			`TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,`
			`TIFFDefaultStripSize(out, rowsperstrip));`
			`break;`
			`}`
			`- if (TIFFScanlineSize(out) > linebytes)`
			`+ if (linebytes == 0) {`
			`+ fprintf(stderr, "%s: scanline size overflow\n", infile);`
			`+ (void) TIFFClose(out);`
			`+ exit(-2);`
			`+ }`
			`+ scanline_size = TIFFScanlineSize(out);`
			`+ if (scanline_size == 0) {`
			`+ /* overflow - TIFFScanlineSize already printed a message */`
			`+ (void) TIFFClose(out);`
			`+ exit(-2);`
			`+ }`
			`+ if (scanline_size < linebytes)`
			`buf = (unsigned char *)_TIFFmalloc(linebytes);`
			`else`
			`- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));`
			`+ buf = (unsigned char *)_TIFFmalloc(scanline_size);`
			`+ if (buf == NULL) {`
			`+ fprintf(stderr, "%s: Not enough memory\n", infile);`
			`+ (void) TIFFClose(out);`
			`+ exit(-2);`
			`+ }`
			`if (resolution > 0) {`
			`TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);`
			`TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);`
			`--`
			`1.7.10.2`