summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'media-libs/tiff/files')
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch20
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch34
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch26
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch26
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch41
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch97
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch27
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch29
8 files changed, 300 insertions, 0 deletions
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch
new file mode 100644
index 000000000000..afb0151f9632
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch
@@ -0,0 +1,20 @@
+https://codereview.chromium.org/2204793002
+https://crbug.com/633387
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: thestig <thestig@chromium.org>
+Date: Mon Aug 1 19:36:27 2016 -0700
+
+Fix a memory leak in libtiff.
+
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5372,6 +5372,8 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
+ static const char module[] = "TIFFFetchStripThing";
+ enum TIFFReadDirEntryErr err;
+ uint64* data;
++ _TIFFfree(*lpp);
++ *lpp = 0;
+ err=TIFFReadDirEntryLong8Array(tif,dir,&data);
+ if (err!=TIFFReadDirEntryErrOk)
+ {
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
new file mode 100644
index 000000000000..f573fd9deb33
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
@@ -0,0 +1,34 @@
+https://codereview.chromium.org/2284063002
+https://crbug.com/618267
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: tracy_jiang <tracy_jiang@foxitsoftware.com>
+Date: Mon Aug 29 13:42:56 2016 -0700
+
+Fix for #618267. Adding a method to determine if multiplication has
+overflow.
+
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ /*
+ * XXX: Check for integer overflow.
+ */
+- if (nmemb && elem_size && bytes / elem_size == nmemb)
++ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ cp = _TIFFrealloc(buffer, bytes);
+
+ if (cp == NULL) {
+--- a/libtiff/tiffio.h
++++ b/libtiff/tiffio.h
+@@ -298,6 +298,10 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+ extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c);
+ extern void _TIFFfree(void* p);
++#include <limits.h>
++static inline int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) {
++ return op1 > SSIZE_MAX / op2;
++}
+
+ /*
+ ** Stuff, related to tag handling and creating custom tags.
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch
new file mode 100644
index 000000000000..ab5627f5c169
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch
@@ -0,0 +1,26 @@
+https://codereview.chromium.org/2389993002
+https://crbug.com/651632
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: dsinclair <dsinclair@chromium.org>
+Date: Mon Oct 3 13:59:57 2016 -0700
+
+Fix potentially uninitialized value.
+
+Depending on what ReadOK does it's possible for |dircount16| to be used without
+being initialized. The read code calls back into PDFium specific code which then
+calls into the stream reading code.
+
+Initialize the value to be sure it is set.
+
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4443,7 +4443,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir,
+ static const char module[] = "TIFFFetchDirectory";
+
+ void* origdir;
+- uint16 dircount16;
++ uint16 dircount16 = 0;
+ uint32 dirsize;
+ TIFFDirEntry* dir;
+ uint8* ma;
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
new file mode 100644
index 000000000000..35f59b9bffd9
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
@@ -0,0 +1,26 @@
+https://codereview.chromium.org/2405693002
+https://crbug.com/654169
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: stackexploit <stackexploit@gmail.com>
+Date: Mon Oct 10 10:58:25 2016 -0700
+
+libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.
+
+The patch (https://codereview.chromium.org/2284063002) for Issue 618267
+was insufficient. The integer overflow still could be triggered and could
+lead to heap buffer overflow.
+
+This CL strengthens integer overflow check in function _TIFFCheckRealloc.
+
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ /*
+ * XXX: Check for integer overflow.
+ */
+- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
++ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ cp = _TIFFrealloc(buffer, bytes);
+
+ if (cp == NULL) {
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch
new file mode 100644
index 000000000000..47a3db06431a
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch
@@ -0,0 +1,41 @@
+https://pdfium-review.googlesource.com/2151
+https://crbug.com/632883
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: Dan Sinclair <dsinclair@chromium.org>
+Date: Mon Jan 9 09:50:50 2017 -0500
+
+[libtiff] Validate refblackwhite values
+
+The td_refblackwhite value is currently assigned without validation. This
+may pose an issue as the image can specify the value as nan. This will cause
+problems later when we use the nan in calcluations.
+
+This CL validates each of the float values are not nan and if they are sets
+them to the default provided by the TIFF spec v6.
+
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -31,6 +31,7 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
++#include <math.h>
+ #include <float.h>
+
+ /*
+@@ -426,6 +426,14 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ case TIFFTAG_REFERENCEBLACKWHITE:
+ /* XXX should check for null range */
+ _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
++ for (int i = 0; i < 6; i++) {
++ if (isnan(td->td_refblackwhite[i])) {
++ if (i % 2 == 0)
++ td->td_refblackwhite[i] = 0;
++ else
++ td->td_refblackwhite[i] = pow(2, td->td_bitspersample) - 1;
++ }
++ }
+ break;
+ case TIFFTAG_INKNAMES:
+ v = (uint16) va_arg(ap, uint16_vap);
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch
new file mode 100644
index 000000000000..7914743393ff
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch
@@ -0,0 +1,97 @@
+https://pdfium-review.googlesource.com/2355
+https://crbug.com/681300
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: Nicolas Pena <npm@chromium.org>
+Date: Wed Jan 25 10:41:06 2017 -0500
+
+Prevent skew overflows in gtTileContig
+
+Using int64 to check whether uint32 operations have overflowed.
+
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -31,6 +31,7 @@
+ */
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
+
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ uint32 tw, th;
+ unsigned char* buf;
+ int32 fromskew, toskew;
++ int64 safeskew;
+ uint32 nrow;
+ int ret = 1, flip;
+ uint32 this_tw, tocol;
+@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ flip = setorientation(img);
+ if (flip & FLIP_VERTICALLY) {
+ y = h - 1;
+- toskew = -(int32)(tw + w);
++ safeskew = 0;
++ safeskew -= tw;
++ safeskew -= w;
+ }
+ else {
+ y = 0;
+- toskew = -(int32)(tw - w);
++ safeskew = 0;
++ safeskew -= tw;
++ safeskew +=w;
+ }
+
++ if(safeskew > INT_MAX || safeskew < INT_MIN){
++ _TIFFfree(buf);
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
++ return (0);
++ }
++ toskew = safeskew;
++
+ /*
+ * Leftmost tile is clipped on left side if col_offset > 0.
+ */
+ leftmost_fromskew = img->col_offset % tw;
+ leftmost_tw = tw - leftmost_fromskew;
+- leftmost_toskew = toskew + leftmost_fromskew;
++ safeskew = toskew;
++ safeskew += leftmost_fromskew;
++ if(safeskew > INT_MAX || safeskew < INT_MIN){
++ _TIFFfree(buf);
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
++ return (0);
++ }
++ leftmost_toskew = safeskew;
+ for (row = 0; row < h; row += nrow)
+ {
+ rowstoread = th - (row + img->row_offset) % th;
+@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ /*
+ * Rightmost tile is clipped on right side.
+ */
+- fromskew = tw - (w - tocol);
++ safeskew = tw;
++ safeskew -= w;
++ safeskew += tocol;
++ if(safeskew > INT_MAX || safeskew < INT_MIN){
++ _TIFFfree(buf);
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
++ return (0);
++ }
++ fromskew = safeskew;
+ this_tw = tw - fromskew;
+- this_toskew = toskew + fromskew;
++ safeskew = toskew;
++ safeskew += fromskew;
++ if(safeskew > INT_MAX || safeskew < INT_MIN){
++ _TIFFfree(buf);
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
++ return (0);
++ }
++ this_toskew = safeskew;
+ }
+ (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos);
+ tocol += this_tw;
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch
new file mode 100644
index 000000000000..b74ddc5c499c
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch
@@ -0,0 +1,27 @@
+https://pdfium-review.googlesource.com/2432
+https://crbug.com/683834
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: Nicolas Pena <npm@chromium.org>
+Date: Thu Jan 26 15:45:02 2017 -0500
+
+Fix leak in PredictorSetupDecode by calling tif_cleanup on failure
+
+tif_data and tif_cleanup are both set on the TIFFInit methods, see for
+instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was
+filled on tif_data should be cleaned up. The previous leak fix from
+PixarLogSetupDecode is no longer necessary.
+
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -118,7 +118,10 @@ PredictorSetupDecode(TIFF* tif)
+ TIFFDirectory* td = &tif->tif_dir;
+
+ if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
++ {
++ (*tif->tif_cleanup)(tif);
+ return 0;
++ }
+
+ if (sp->predictor == 2) {
+ switch (td->td_bitspersample) {
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch
new file mode 100644
index 000000000000..11975cf38acf
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch
@@ -0,0 +1,29 @@
+https://pdfium-review.googlesource.com/3811
+https://crbug.com/707431
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: Nicolas Pena <npm@chromium.org>
+Date: Wed Apr 5 15:50:53 2017 -0400
+
+Libtiff: Prevent OOM in TIFFFillStrip
+
+In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of
+memory. In this CL we do sanity checks on the claimed size of the raw strip
+data before that happens, to prevent out-of-memory.
+
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+ return(0);
+ }
++ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
++ if (bytecountm > size) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Requested read strip size %lu is too large",
++ (unsigned long) strip);
++ return (0);
++ }
+ if (bytecountm > tif->tif_rawdatasize) {
+ tif->tif_curstrip = NOSTRIP;
+ if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {