package-update/graphic/libtiff/libtiff-4.0.3-0101-CVE-2012...

# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../libtiff/libtiff-4.0.3-0101-CVE-2012-4447.patch
# Copyright (C) 2013 The OpenSDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---

From ea1f57c13f083528b6b38350aa00c3c0f44a1c9d Mon Sep 17 00:00:00 2001
From: tgl <tgl>
Date: Mon, 10 Dec 2012 17:27:13 +0000
Subject: [PATCH] Detect integer overflow in addition when computing buffer
 size.

original ChangeLog entry:
----------------------------------------------------------------------------
2012-12-10  Tom Lane  <tgl@sss.pgh.pa.us>

 * libtiff/tif_pixarlog.c: Improve previous patch for CVE-2012-4447
   (to enlarge tbuf for possible partial stride at end) so that
   overflow in the integer addition is detected.  Per gripe from
   Huzaifa Sidhpurwala.
----------------------------------------------------------------------------

diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 572dc7f..ba554e7 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -644,6 +644,20 @@ multiply_ms(tmsize_t m1, tmsize_t m2)
 	return bytes;
 }
 
+static tmsize_t
+add_ms(tmsize_t m1, tmsize_t m2)
+{
+	tmsize_t bytes = m1 + m2;
+
+	/* if either input is zero, assume overflow already occurred */
+	if (m1 == 0 || m2 == 0)
+		bytes = 0;
+	else if (bytes <= m1 || bytes <= m2)
+		bytes = 0;
+
+	return bytes;
+}
+
 static int
 PixarLogFixupTags(TIFF* tif)
 {
@@ -671,9 +685,11 @@ PixarLogSetupDecode(TIFF* tif)
 	    td->td_samplesperpixel : 1);
 	tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
 				      td->td_rowsperstrip), sizeof(uint16));
+	/* add one more stride in case input ends mid-stride */
+	tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
 	if (tbuf_size == 0)
 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */
-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
 	if (sp->tbuf == NULL)
 		return (0);
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
-- 
1.7.10.2
libtiff: add security fixes from upstream for CVE-2012-4564, CVE-2012-4447, CVE-2013-1961, CVE-2013-1960 12 years ago			`# --- SDE-COPYRIGHT-NOTE-BEGIN ---`
			`# This copyright note is auto-generated by ./scripts/Create-CopyPatch.`
			`#`
			`# Filename: package/.../libtiff/libtiff-4.0.3-0101-CVE-2012-4447.patch`
			`# Copyright (C) 2013 The OpenSDE Project`
			`#`
			`# More information can be found in the files COPYING and README.`
			`#`
			`# This patch file is dual-licensed. It is available under the license the`
			`# patched project is licensed under, as long as it is an OpenSource license`
			`# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms`
			`# of the GNU General Public License as published by the Free Software`
			`# Foundation; either version 2 of the License, or (at your option) any later`
			`# version.`
			`# --- SDE-COPYRIGHT-NOTE-END ---`

			`From ea1f57c13f083528b6b38350aa00c3c0f44a1c9d Mon Sep 17 00:00:00 2001`
			`From: tgl <tgl>`
			`Date: Mon, 10 Dec 2012 17:27:13 +0000`
			`Subject: [PATCH] Detect integer overflow in addition when computing buffer`
			`size.`

			`original ChangeLog entry:`
			`----------------------------------------------------------------------------`
			`2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>`

			`* libtiff/tif_pixarlog.c: Improve previous patch for CVE-2012-4447`
			`(to enlarge tbuf for possible partial stride at end) so that`
			`overflow in the integer addition is detected. Per gripe from`
			`Huzaifa Sidhpurwala.`
			`----------------------------------------------------------------------------`

			`diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c`
			`index 572dc7f..ba554e7 100644`
			`--- a/libtiff/tif_pixarlog.c`
			`+++ b/libtiff/tif_pixarlog.c`
			`@@ -644,6 +644,20 @@ multiply_ms(tmsize_t m1, tmsize_t m2)`
			`return bytes;`
			`}`

			`+static tmsize_t`
			`+add_ms(tmsize_t m1, tmsize_t m2)`
			`+{`
			`+ tmsize_t bytes = m1 + m2;`
			`+`
			`+ /* if either input is zero, assume overflow already occurred */`
			`+ if (m1 == 0 \|\| m2 == 0)`
			`+ bytes = 0;`
			`+ else if (bytes <= m1 \|\| bytes <= m2)`
			`+ bytes = 0;`
			`+`
			`+ return bytes;`
			`+}`
			`+`
			`static int`
			`PixarLogFixupTags(TIFF* tif)`
			`{`
			`@@ -671,9 +685,11 @@ PixarLogSetupDecode(TIFF* tif)`
			`td->td_samplesperpixel : 1);`
			`tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),`
			`td->td_rowsperstrip), sizeof(uint16));`
			`+ /* add one more stride in case input ends mid-stride */`
			`+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);`
			`if (tbuf_size == 0)`
			`return (0); /* TODO: this is an error return without error report through TIFFErrorExt */`
			`- sp->tbuf = (uint16 ) _TIFFmalloc(tbuf_size+sizeof(uint16)sp->stride);`
			`+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);`
			`if (sp->tbuf == NULL)`
			`return (0);`
			`if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)`
			`--`
			`1.7.10.2`