diff options
Diffstat (limited to 'media-libs/tiff/files')
8 files changed, 300 insertions, 0 deletions
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch new file mode 100644 index 000000000000..afb0151f9632 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch @@ -0,0 +1,20 @@ +https://codereview.chromium.org/2204793002 +https://crbug.com/633387 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: thestig <thestig@chromium.org> +Date: Mon Aug 1 19:36:27 2016 -0700 + +Fix a memory leak in libtiff. + +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5372,6 +5372,8 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) + static const char module[] = "TIFFFetchStripThing"; + enum TIFFReadDirEntryErr err; + uint64* data; ++ _TIFFfree(*lpp); ++ *lpp = 0; + err=TIFFReadDirEntryLong8Array(tif,dir,&data); + if (err!=TIFFReadDirEntryErrOk) + { diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 000000000000..f573fd9deb33 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -0,0 +1,34 @@ +https://codereview.chromium.org/2284063002 +https://crbug.com/618267 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: tracy_jiang <tracy_jiang@foxitsoftware.com> +Date: Mon Aug 29 13:42:56 2016 -0700 + +Fix for #618267. Adding a method to determine if multiplication has +overflow. + +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, + /* + * XXX: Check for integer overflow. + */ +- if (nmemb && elem_size && bytes / elem_size == nmemb) ++ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + cp = _TIFFrealloc(buffer, bytes); + + if (cp == NULL) { +--- a/libtiff/tiffio.h ++++ b/libtiff/tiffio.h +@@ -298,6 +298,10 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c); + extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); + extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c); + extern void _TIFFfree(void* p); ++#include <limits.h> ++static inline int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) { ++ return op1 > SSIZE_MAX / op2; ++} + + /* + ** Stuff, related to tag handling and creating custom tags. diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch new file mode 100644 index 000000000000..ab5627f5c169 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch @@ -0,0 +1,26 @@ +https://codereview.chromium.org/2389993002 +https://crbug.com/651632 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: dsinclair <dsinclair@chromium.org> +Date: Mon Oct 3 13:59:57 2016 -0700 + +Fix potentially uninitialized value. + +Depending on what ReadOK does it's possible for |dircount16| to be used without +being initialized. The read code calls back into PDFium specific code which then +calls into the stream reading code. + +Initialize the value to be sure it is set. + +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4443,7 +4443,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, + static const char module[] = "TIFFFetchDirectory"; + + void* origdir; +- uint16 dircount16; ++ uint16 dircount16 = 0; + uint32 dirsize; + TIFFDirEntry* dir; + uint8* ma; diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 000000000000..35f59b9bffd9 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -0,0 +1,26 @@ +https://codereview.chromium.org/2405693002 +https://crbug.com/654169 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: stackexploit <stackexploit@gmail.com> +Date: Mon Oct 10 10:58:25 2016 -0700 + +libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. + +The patch (https://codereview.chromium.org/2284063002) for Issue 618267 +was insufficient. The integer overflow still could be triggered and could +lead to heap buffer overflow. + +This CL strengthens integer overflow check in function _TIFFCheckRealloc. + +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, + /* + * XXX: Check for integer overflow. + */ +- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) ++ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + cp = _TIFFrealloc(buffer, bytes); + + if (cp == NULL) { diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch new file mode 100644 index 000000000000..47a3db06431a --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch @@ -0,0 +1,41 @@ +https://pdfium-review.googlesource.com/2151 +https://crbug.com/632883 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: Dan Sinclair <dsinclair@chromium.org> +Date: Mon Jan 9 09:50:50 2017 -0500 + +[libtiff] Validate refblackwhite values + +The td_refblackwhite value is currently assigned without validation. This +may pose an issue as the image can specify the value as nan. This will cause +problems later when we use the nan in calcluations. + +This CL validates each of the float values are not nan and if they are sets +them to the default provided by the TIFF spec v6. + +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -31,6 +31,7 @@ + * (and also some miscellaneous stuff) + */ + #include "tiffiop.h" ++#include <math.h> + #include <float.h> + + /* +@@ -426,6 +426,14 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + case TIFFTAG_REFERENCEBLACKWHITE: + /* XXX should check for null range */ + _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); ++ for (int i = 0; i < 6; i++) { ++ if (isnan(td->td_refblackwhite[i])) { ++ if (i % 2 == 0) ++ td->td_refblackwhite[i] = 0; ++ else ++ td->td_refblackwhite[i] = pow(2, td->td_bitspersample) - 1; ++ } ++ } + break; + case TIFFTAG_INKNAMES: + v = (uint16) va_arg(ap, uint16_vap); diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch new file mode 100644 index 000000000000..7914743393ff --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch @@ -0,0 +1,97 @@ +https://pdfium-review.googlesource.com/2355 +https://crbug.com/681300 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: Nicolas Pena <npm@chromium.org> +Date: Wed Jan 25 10:41:06 2017 -0500 + +Prevent skew overflows in gtTileContig + +Using int64 to check whether uint32 operations have overflowed. + +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -31,6 +31,7 @@ + */ + #include "tiffiop.h" + #include <stdio.h> ++#include <limits.h> + + static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); + static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); +@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint32 tw, th; + unsigned char* buf; + int32 fromskew, toskew; ++ int64 safeskew; + uint32 nrow; + int ret = 1, flip; + uint32 this_tw, tocol; +@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + flip = setorientation(img); + if (flip & FLIP_VERTICALLY) { + y = h - 1; +- toskew = -(int32)(tw + w); ++ safeskew = 0; ++ safeskew -= tw; ++ safeskew -= w; + } + else { + y = 0; +- toskew = -(int32)(tw - w); ++ safeskew = 0; ++ safeskew -= tw; ++ safeskew +=w; + } + ++ if(safeskew > INT_MAX || safeskew < INT_MIN){ ++ _TIFFfree(buf); ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); ++ return (0); ++ } ++ toskew = safeskew; ++ + /* + * Leftmost tile is clipped on left side if col_offset > 0. + */ + leftmost_fromskew = img->col_offset % tw; + leftmost_tw = tw - leftmost_fromskew; +- leftmost_toskew = toskew + leftmost_fromskew; ++ safeskew = toskew; ++ safeskew += leftmost_fromskew; ++ if(safeskew > INT_MAX || safeskew < INT_MIN){ ++ _TIFFfree(buf); ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); ++ return (0); ++ } ++ leftmost_toskew = safeskew; + for (row = 0; row < h; row += nrow) + { + rowstoread = th - (row + img->row_offset) % th; +@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + /* + * Rightmost tile is clipped on right side. + */ +- fromskew = tw - (w - tocol); ++ safeskew = tw; ++ safeskew -= w; ++ safeskew += tocol; ++ if(safeskew > INT_MAX || safeskew < INT_MIN){ ++ _TIFFfree(buf); ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); ++ return (0); ++ } ++ fromskew = safeskew; + this_tw = tw - fromskew; +- this_toskew = toskew + fromskew; ++ safeskew = toskew; ++ safeskew += fromskew; ++ if(safeskew > INT_MAX || safeskew < INT_MIN){ ++ _TIFFfree(buf); ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); ++ return (0); ++ } ++ this_toskew = safeskew; + } + (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos); + tocol += this_tw; diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch new file mode 100644 index 000000000000..b74ddc5c499c --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch @@ -0,0 +1,27 @@ +https://pdfium-review.googlesource.com/2432 +https://crbug.com/683834 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: Nicolas Pena <npm@chromium.org> +Date: Thu Jan 26 15:45:02 2017 -0500 + +Fix leak in PredictorSetupDecode by calling tif_cleanup on failure + +tif_data and tif_cleanup are both set on the TIFFInit methods, see for +instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was +filled on tif_data should be cleaned up. The previous leak fix from +PixarLogSetupDecode is no longer necessary. + +--- a/libtiff/tif_predict.c ++++ b/libtiff/tif_predict.c +@@ -118,7 +118,10 @@ PredictorSetupDecode(TIFF* tif) + TIFFDirectory* td = &tif->tif_dir; + + if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif)) ++ { ++ (*tif->tif_cleanup)(tif); + return 0; ++ } + + if (sp->predictor == 2) { + switch (td->td_bitspersample) { diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch new file mode 100644 index 000000000000..11975cf38acf --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch @@ -0,0 +1,29 @@ +https://pdfium-review.googlesource.com/3811 +https://crbug.com/707431 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: Nicolas Pena <npm@chromium.org> +Date: Wed Apr 5 15:50:53 2017 -0400 + +Libtiff: Prevent OOM in TIFFFillStrip + +In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of +memory. In this CL we do sanity checks on the claimed size of the raw strip +data before that happens, to prevent out-of-memory. + +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); + return(0); + } ++ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif); ++ if (bytecountm > size) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Requested read strip size %lu is too large", ++ (unsigned long) strip); ++ return (0); ++ } + if (bytecountm > tif->tif_rawdatasize) { + tif->tif_curstrip = NOSTRIP; + if ((tif->tif_flags & TIFF_MYBUFFER) == 0) { |