diff options
author | Dirk Meyer <dinoex@FreeBSD.org> | 2012-04-13 04:09:25 +0000 |
---|---|---|
committer | Dirk Meyer <dinoex@FreeBSD.org> | 2012-04-13 04:09:25 +0000 |
commit | 7ad83a4877fc91ae59642f8f82040eca3bf7a5ee (patch) | |
tree | cdb9320808956dab27e16a979219501e67ae96f0 /graphics | |
parent | 7d0707649f53f9bbd5d9a872168f10c3f8d00384 (diff) | |
download | ports-7ad83a4877fc91ae59642f8f82040eca3bf7a5ee.tar.gz ports-7ad83a4877fc91ae59642f8f82040eca3bf7a5ee.zip |
Notes
Diffstat (limited to 'graphics')
-rw-r--r-- | graphics/tiff/Makefile | 1 | ||||
-rw-r--r-- | graphics/tiff/files/patch-CVE-2012-1173 | 77 |
2 files changed, 78 insertions, 0 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index d89ce0e9dfdb..94fd96e22a8c 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -9,6 +9,7 @@ PORTNAME= tiff PORTVERSION= 4.0.1 +PORTREVISION= 1 CATEGORIES= graphics MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ http://download.osgeo.org/libtiff/ diff --git a/graphics/tiff/files/patch-CVE-2012-1173 b/graphics/tiff/files/patch-CVE-2012-1173 new file mode 100644 index 000000000000..90b4987f7982 --- /dev/null +++ b/graphics/tiff/files/patch-CVE-2012-1173 @@ -0,0 +1,77 @@ +--- ChangeLog.orig 2012-02-18 23:02:33.000000000 +0100 ++++ ChangeLog 2012-04-13 06:01:25.000000000 +0200 +@@ -1,4 +1,9 @@ + 2012-02-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> ++2012-03-30 Frank Warmerdam <warmerdam@google.com> ++ ++ * tif_getimage.c: Fix size overflow (zdi-can-1221,CVE-2012-1173) ++ care of Tom Lane @ Red Hat. ++ + + * libtiff 4.0.1 released. + +--- libtiff/tif_getimage.c.orig 2011-02-25 04:34:02.000000000 +0100 ++++ libtiff/tif_getimage.c 2012-04-13 06:01:25.000000000 +0200 +@@ -693,18 +693,24 @@ + unsigned char* pa; + tmsize_t tilesize; + int32 fromskew, toskew; ++ tmsize_t bufsize; + int alpha = img->alpha; + uint32 nrow; + int ret = 1, flip; + int colorchannels; + + tilesize = TIFFTileSize(tif); +- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); ++ bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); ++ return (0); ++ } ++ buf = (unsigned char*) _TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); ++ _TIFFmemset(buf, 0, bufsize); + p0 = buf; + p1 = p0 + tilesize; + p2 = p1 + tilesize; +@@ -918,16 +924,22 @@ + uint32 imagewidth = img->width; + tmsize_t stripsize; + int32 fromskew, toskew; ++ tmsize_t bufsize; + int alpha = img->alpha; + int ret = 1, flip, colorchannels; + + stripsize = TIFFStripSize(tif); +- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); ++ bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); ++ return (0); ++ } ++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); ++ _TIFFmemset(buf, 0, bufsize); + p1 = p0 + stripsize; + p2 = p1 + stripsize; + pa = (alpha?(p2+stripsize):NULL); +--- libtiff/tiffiop.h.orig 2011-02-19 17:26:09.000000000 +0100 ++++ libtiff/tiffiop.h 2012-04-13 06:01:25.000000000 +0200 +@@ -250,7 +250,7 @@ + #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) + + /* Safe multiply which returns zero if there is an integer overflow */ +-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) |