aboutsummaryrefslogtreecommitdiff
path: root/graphics/tiff
diff options
context:
space:
mode:
authorDirk Meyer <dinoex@FreeBSD.org>2012-04-13 04:09:25 +0000
committerDirk Meyer <dinoex@FreeBSD.org>2012-04-13 04:09:25 +0000
commit7ad83a4877fc91ae59642f8f82040eca3bf7a5ee (patch)
treecdb9320808956dab27e16a979219501e67ae96f0 /graphics/tiff
parent7d0707649f53f9bbd5d9a872168f10c3f8d00384 (diff)
downloadports-7ad83a4877fc91ae59642f8f82040eca3bf7a5ee.tar.gz
ports-7ad83a4877fc91ae59642f8f82040eca3bf7a5ee.zip
Notes
Diffstat (limited to 'graphics/tiff')
-rw-r--r--graphics/tiff/Makefile1
-rw-r--r--graphics/tiff/files/patch-CVE-2012-117377
2 files changed, 78 insertions, 0 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index d89ce0e9dfdb..94fd96e22a8c 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -9,6 +9,7 @@
PORTNAME= tiff
PORTVERSION= 4.0.1
+PORTREVISION= 1
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://download.osgeo.org/libtiff/
diff --git a/graphics/tiff/files/patch-CVE-2012-1173 b/graphics/tiff/files/patch-CVE-2012-1173
new file mode 100644
index 000000000000..90b4987f7982
--- /dev/null
+++ b/graphics/tiff/files/patch-CVE-2012-1173
@@ -0,0 +1,77 @@
+--- ChangeLog.orig 2012-02-18 23:02:33.000000000 +0100
++++ ChangeLog 2012-04-13 06:01:25.000000000 +0200
+@@ -1,4 +1,9 @@
+ 2012-02-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
++2012-03-30 Frank Warmerdam <warmerdam@google.com>
++
++ * tif_getimage.c: Fix size overflow (zdi-can-1221,CVE-2012-1173)
++ care of Tom Lane @ Red Hat.
++
+
+ * libtiff 4.0.1 released.
+
+--- libtiff/tif_getimage.c.orig 2011-02-25 04:34:02.000000000 +0100
++++ libtiff/tif_getimage.c 2012-04-13 06:01:25.000000000 +0200
+@@ -693,18 +693,24 @@
+ unsigned char* pa;
+ tmsize_t tilesize;
+ int32 fromskew, toskew;
++ tmsize_t bufsize;
+ int alpha = img->alpha;
+ uint32 nrow;
+ int ret = 1, flip;
+ int colorchannels;
+
+ tilesize = TIFFTileSize(tif);
+- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
++ bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
++ if (bufsize == 0) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
++ return (0);
++ }
++ buf = (unsigned char*) _TIFFmalloc(bufsize);
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
+ return (0);
+ }
+- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
++ _TIFFmemset(buf, 0, bufsize);
+ p0 = buf;
+ p1 = p0 + tilesize;
+ p2 = p1 + tilesize;
+@@ -918,16 +924,22 @@
+ uint32 imagewidth = img->width;
+ tmsize_t stripsize;
+ int32 fromskew, toskew;
++ tmsize_t bufsize;
+ int alpha = img->alpha;
+ int ret = 1, flip, colorchannels;
+
+ stripsize = TIFFStripSize(tif);
+- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
++ bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
++ if (bufsize == 0) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
++ return (0);
++ }
++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ return (0);
+ }
+- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
++ _TIFFmemset(buf, 0, bufsize);
+ p1 = p0 + stripsize;
+ p2 = p1 + stripsize;
+ pa = (alpha?(p2+stripsize):NULL);
+--- libtiff/tiffiop.h.orig 2011-02-19 17:26:09.000000000 +0100
++++ libtiff/tiffiop.h 2012-04-13 06:01:25.000000000 +0200
+@@ -250,7 +250,7 @@
+ #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
+
+ /* Safe multiply which returns zero if there is an integer overflow */
+-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+ #define TIFFmin(A,B) ((A)<(B)?(A):(B))