Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Andreas Sturmlechner <asturm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/, media-libs/tiff/
Date: Wed, 29 Jan 2020 21:44:50
Message-Id: 1580334272.2b07bec238b4b2e98288cf4880faad4b504366ee.asturm@gentoo
1 commit: 2b07bec238b4b2e98288cf4880faad4b504366ee
2 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jan 29 21:43:33 2020 +0000
4 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 29 21:44:32 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b07bec2
7
8 media-libs/tiff: 4.0.10-r2 security cleanup
9
10 If no one else will do it...
11
12 Bug: https://bugs.gentoo.org/699868
13 Package-Manager: Portage-2.3.86, Repoman-2.3.20
14 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>
15
16 media-libs/tiff/Manifest | 1 -
17 ...-2018-17000-tif_dirwrite-null-dereference.patch | 33 --
18 ....0.10-CVE-2019-14973-fix-integer-overflow.patch | 395 ---------------------
19 .../tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch | 48 ---
20 ....0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch | 73 ----
21 media-libs/tiff/tiff-4.0.10-r2.ebuild | 86 -----
22 6 files changed, 636 deletions(-)
23
24 diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest
25 index 189741c8a7c..facf160fb14 100644
26 --- a/media-libs/tiff/Manifest
27 +++ b/media-libs/tiff/Manifest
28 @@ -1,2 +1 @@
29 -DIST tiff-4.0.10.tar.gz 2402867 BLAKE2B 0305453f22150c31d00d2de756736f58c49a288e19b2a66bdd01319ce4688742f6eab4009eaf1817125d41f53a23de17eb6265a3ebae458ec24f5dbb3d49764e SHA512 d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8
30 DIST tiff-4.1.0.tar.gz 2421581 BLAKE2B 1f9b92d08dc95633bb005a635bbcecd8fa5e4f30c14f059b42aafbb4a52b4fb1b84b1e97cea33f3102f5808cb28f93bc8fcbae2b041c6227c97f90b4f9b8e631 SHA512 fd541dcb11e3d5afaa1ec2f073c9497099727a52f626b338ef87dc93ca2e23ca5f47634015a4beac616d4e8f05acf7b7cd5797fb218758cc2ad31b390491c5a6
31
32 diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
33 deleted file mode 100644
34 index 321c6a428af..00000000000
35 --- a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
36 +++ /dev/null
37 @@ -1,33 +0,0 @@
38 -https://crbug.com/901306
39 -
40 -commit 802d3cbf3043be5dce5317e140ccb1c17a6a2d39
41 -Author: Thomas Bernard <miniupnp@××××.fr>
42 -Date: Tue Jan 29 11:21:47 2019 +0100
43 -
44 - TIFFWriteDirectoryTagTransferfunction() : fix NULL dereferencing
45 -
46 - http://bugzilla.maptools.org/show_bug.cgi?id=2833
47 -
48 - we must check the pointer is not NULL before memcmp() the memory
49 -
50 -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
51 -index c15a28dbd8fcb99b81fa5a1d44fcbcda881f42a7..ef30c869d30e210d90be16ce91f44087925fbad3 100644
52 ---- a/libtiff/tif_dirwrite.c
53 -+++ b/libtiff/tif_dirwrite.c
54 -@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
55 - n=3;
56 - if (n==3)
57 - {
58 -- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
59 -+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
60 -+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
61 - n=2;
62 - }
63 - if (n==2)
64 - {
65 -- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
66 -+ if (tif->tif_dir.td_transferfunction[1] == NULL ||
67 -+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
68 - n=1;
69 - }
70 - if (n==0)
71
72 diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch
73 deleted file mode 100644
74 index cbcbfd9d7f0..00000000000
75 --- a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch
76 +++ /dev/null
77 @@ -1,395 +0,0 @@
78 -From 6ebfcac47224d3b8661c501967d495135449883e Mon Sep 17 00:00:00 2001
79 -From: Even Rouault <even.rouault@×××××××××.com>
80 -Date: Sat, 10 Aug 2019 18:25:03 +0200
81 -Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
82 - implementation-defined behaviour (CVE-2019-14973)
83 -
84 -_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
85 -in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
86 -signed), which was especially easily triggered on 32-bit builds (with recent
87 -enough compilers that assume that signed multiplication cannot overflow, since
88 -this is undefined behaviour by the C standard). The original issue which lead to
89 -this fix was trigged from tif_fax3.c
90 -
91 -There were also unsafe (implementation defied), and broken in practice on 64bit
92 -builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
93 -(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
94 -at that time exploits, but are better to fix in a more bullet-proof way.
95 -Or similarly use of (int64)uint64_var <= 0.
96 -
97 ---- a/libtiff/tif_aux.c
98 -+++ b/libtiff/tif_aux.c
99 -@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
100 - return bytes;
101 - }
102 -
103 -+tmsize_t
104 -+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
105 -+{
106 -+ if( first <= 0 || second <= 0 )
107 -+ {
108 -+ if( tif != NULL && where != NULL )
109 -+ {
110 -+ TIFFErrorExt(tif->tif_clientdata, where,
111 -+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
112 -+ }
113 -+ return 0;
114 -+ }
115 -+
116 -+ if( first > TIFF_TMSIZE_T_MAX / second )
117 -+ {
118 -+ if( tif != NULL && where != NULL )
119 -+ {
120 -+ TIFFErrorExt(tif->tif_clientdata, where,
121 -+ "Integer overflow in %s", where);
122 -+ }
123 -+ return 0;
124 -+ }
125 -+ return first * second;
126 -+}
127 -+
128 -+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
129 -+{
130 -+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
131 -+ {
132 -+ if( tif != NULL && module != NULL )
133 -+ {
134 -+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
135 -+ }
136 -+ return 0;
137 -+ }
138 -+ return (tmsize_t)val;
139 -+}
140 -+
141 - void*
142 - _TIFFCheckRealloc(TIFF* tif, void* buffer,
143 - tmsize_t nmemb, tmsize_t elem_size, const char* what)
144 - {
145 - void* cp = NULL;
146 -- tmsize_t bytes = nmemb * elem_size;
147 --
148 -+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
149 - /*
150 -- * XXX: Check for integer overflow.
151 -+ * Check for integer overflow.
152 - */
153 -- if (nmemb && elem_size && bytes / elem_size == nmemb)
154 -- cp = _TIFFrealloc(buffer, bytes);
155 -+ if (count != 0)
156 -+ {
157 -+ cp = _TIFFrealloc(buffer, count);
158 -+ }
159 -
160 - if (cp == NULL) {
161 - TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
162 ---- a/libtiff/tif_getimage.c
163 -+++ b/libtiff/tif_getimage.c
164 -@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
165 - uint32 leftmost_tw;
166 -
167 - tilesize = TIFFTileSize(tif);
168 -- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
169 -+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
170 - if (bufsize == 0) {
171 -- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
172 - return (0);
173 - }
174 -
175 -@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
176 - uint16 colorchannels;
177 -
178 - stripsize = TIFFStripSize(tif);
179 -- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
180 -+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
181 - if (bufsize == 0) {
182 -- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
183 - return (0);
184 - }
185 -
186 ---- a/libtiff/tif_luv.c
187 -+++ b/libtiff/tif_luv.c
188 -@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
189 - return (SGILOGDATAFMT_UNKNOWN);
190 - }
191 -
192 --
193 --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
194 --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
195 --
196 - static tmsize_t
197 - multiply_ms(tmsize_t m1, tmsize_t m2)
198 - {
199 -- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
200 -- return 0;
201 -- return m1 * m2;
202 -+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
203 - }
204 -
205 - static int
206 ---- a/libtiff/tif_pixarlog.c
207 -+++ b/libtiff/tif_pixarlog.c
208 -@@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
209 - return guess;
210 - }
211 -
212 --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
213 --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
214 --
215 - static tmsize_t
216 - multiply_ms(tmsize_t m1, tmsize_t m2)
217 - {
218 -- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
219 -- return 0;
220 -- return m1 * m2;
221 -+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
222 - }
223 -
224 - static tmsize_t
225 ---- a/libtiff/tif_read.c
226 -+++ b/libtiff/tif_read.c
227 -@@ -29,9 +29,6 @@
228 - #include "tiffiop.h"
229 - #include <stdio.h>
230 -
231 --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
232 --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
233 --
234 - int TIFFFillStrip(TIFF* tif, uint32 strip);
235 - int TIFFFillTile(TIFF* tif, uint32 tile);
236 - static int TIFFStartStrip(TIFF* tif, uint32 strip);
237 -@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
238 - #define THRESHOLD_MULTIPLIER 10
239 - #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
240 -
241 -+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
242 -+
243 - /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
244 - * Returns 1 in case of success, 0 otherwise. */
245 - static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
246 -@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
247 - return ((tmsize_t)(-1));
248 - }
249 - bytecount = td->td_stripbytecount[strip];
250 -- if ((int64)bytecount <= 0) {
251 --#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
252 -- TIFFErrorExt(tif->tif_clientdata, module,
253 -- "%I64u: Invalid strip byte count, strip %lu",
254 -- (unsigned __int64) bytecount,
255 -- (unsigned long) strip);
256 --#else
257 -- TIFFErrorExt(tif->tif_clientdata, module,
258 -- "%llu: Invalid strip byte count, strip %lu",
259 -- (unsigned long long) bytecount,
260 -- (unsigned long) strip);
261 --#endif
262 -- return ((tmsize_t)(-1));
263 -- }
264 -- bytecountm = (tmsize_t)bytecount;
265 -- if ((uint64)bytecountm!=bytecount) {
266 -- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
267 -+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
268 -+ if (bytecountm == 0) {
269 - return ((tmsize_t)(-1));
270 - }
271 - if (size != (tmsize_t)(-1) && size < bytecountm)
272 -@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
273 - if ((tif->tif_flags&TIFF_NOREADRAW)==0)
274 - {
275 - uint64 bytecount = td->td_stripbytecount[strip];
276 -- if ((int64)bytecount <= 0) {
277 -+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
278 - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
279 - TIFFErrorExt(tif->tif_clientdata, module,
280 - "Invalid strip byte count %I64u, strip %lu",
281 -@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
282 - (bytecount - 4096) / 10 > (uint64)stripsize )
283 - {
284 - uint64 newbytecount = (uint64)stripsize * 10 + 4096;
285 -- if( (int64)newbytecount >= 0 )
286 -+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
287 - {
288 - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
289 - TIFFWarningExt(tif->tif_clientdata, module,
290 -@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
291 - bytecount64 = td->td_stripbytecount[tile];
292 - if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
293 - bytecount64 = (uint64)size;
294 -- bytecountm = (tmsize_t)bytecount64;
295 -- if ((uint64)bytecountm!=bytecount64)
296 -- {
297 -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
298 -+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
299 -+ if( bytecountm == 0 ) {
300 - return ((tmsize_t)(-1));
301 - }
302 - return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
303 -@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
304 - if ((tif->tif_flags&TIFF_NOREADRAW)==0)
305 - {
306 - uint64 bytecount = td->td_stripbytecount[tile];
307 -- if ((int64)bytecount <= 0) {
308 -+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
309 - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
310 - TIFFErrorExt(tif->tif_clientdata, module,
311 - "%I64u: Invalid tile byte count, tile %lu",
312 -@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
313 - (bytecount - 4096) / 10 > (uint64)stripsize )
314 - {
315 - uint64 newbytecount = (uint64)stripsize * 10 + 4096;
316 -- if( (int64)newbytecount >= 0 )
317 -+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
318 - {
319 - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
320 - TIFFWarningExt(tif->tif_clientdata, module,
321 ---- a/libtiff/tif_strip.c
322 -+++ b/libtiff/tif_strip.c
323 -@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
324 - {
325 - static const char module[] = "TIFFVStripSize";
326 - uint64 m;
327 -- tmsize_t n;
328 - m=TIFFVStripSize64(tif,nrows);
329 -- n=(tmsize_t)m;
330 -- if ((uint64)n!=m)
331 -- {
332 -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
333 -- n=0;
334 -- }
335 -- return(n);
336 -+ return _TIFFCastUInt64ToSSize(tif, m, module);
337 - }
338 -
339 - /*
340 -@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif)
341 - {
342 - static const char module[] = "TIFFStripSize";
343 - uint64 m;
344 -- tmsize_t n;
345 - m=TIFFStripSize64(tif);
346 -- n=(tmsize_t)m;
347 -- if ((uint64)n!=m)
348 -- {
349 -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
350 -- n=0;
351 -- }
352 -- return(n);
353 -+ return _TIFFCastUInt64ToSSize(tif, m, module);
354 - }
355 -
356 - /*
357 -@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif)
358 - {
359 - static const char module[] = "TIFFScanlineSize";
360 - uint64 m;
361 -- tmsize_t n;
362 - m=TIFFScanlineSize64(tif);
363 -- n=(tmsize_t)m;
364 -- if ((uint64)n!=m) {
365 -- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
366 -- n=0;
367 -- }
368 -- return(n);
369 -+ return _TIFFCastUInt64ToSSize(tif, m, module);
370 - }
371 -
372 - /*
373 -@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif)
374 - {
375 - static const char module[] = "TIFFRasterScanlineSize";
376 - uint64 m;
377 -- tmsize_t n;
378 - m=TIFFRasterScanlineSize64(tif);
379 -- n=(tmsize_t)m;
380 -- if ((uint64)n!=m)
381 -- {
382 -- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
383 -- n=0;
384 -- }
385 -- return(n);
386 -+ return _TIFFCastUInt64ToSSize(tif, m, module);
387 - }
388 -
389 - /* vim: set ts=8 sts=8 sw=8 noet: */
390 ---- a/libtiff/tif_tile.c
391 -+++ b/libtiff/tif_tile.c
392 -@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
393 - {
394 - static const char module[] = "TIFFTileRowSize";
395 - uint64 m;
396 -- tmsize_t n;
397 - m=TIFFTileRowSize64(tif);
398 -- n=(tmsize_t)m;
399 -- if ((uint64)n!=m)
400 -- {
401 -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
402 -- n=0;
403 -- }
404 -- return(n);
405 -+ return _TIFFCastUInt64ToSSize(tif, m, module);
406 - }
407 -
408 - /*
409 -@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
410 - {
411 - static const char module[] = "TIFFVTileSize";
412 - uint64 m;
413 -- tmsize_t n;
414 - m=TIFFVTileSize64(tif,nrows);
415 -- n=(tmsize_t)m;
416 -- if ((uint64)n!=m)
417 -- {
418 -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
419 -- n=0;
420 -- }
421 -- return(n);
422 -+ return _TIFFCastUInt64ToSSize(tif, m, module);
423 - }
424 -
425 - /*
426 -@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
427 - {
428 - static const char module[] = "TIFFTileSize";
429 - uint64 m;
430 -- tmsize_t n;
431 - m=TIFFTileSize64(tif);
432 -- n=(tmsize_t)m;
433 -- if ((uint64)n!=m)
434 -- {
435 -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
436 -- n=0;
437 -- }
438 -- return(n);
439 -+ return _TIFFCastUInt64ToSSize(tif, m, module);
440 - }
441 -
442 - /*
443 ---- a/libtiff/tiffiop.h
444 -+++ b/libtiff/tiffiop.h
445 -@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
446 - #define FALSE 0
447 - #endif
448 -
449 -+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
450 -+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
451 -+
452 - typedef struct client_info {
453 - struct client_info *next;
454 - void *data;
455 -@@ -258,7 +261,7 @@ struct tiff {
456 - #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
457 - #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
458 -
459 --/* Safe multiply which returns zero if there is an integer overflow */
460 -+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
461 - #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
462 -
463 - #define TIFFmax(A,B) ((A)>(B)?(A):(B))
464 -@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
465 -
466 - extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
467 - extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
468 -+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
469 -+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
470 - extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
471 - extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
472 -
473
474 diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
475 deleted file mode 100644
476 index 38d020fec24..00000000000
477 --- a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
478 +++ /dev/null
479 @@ -1,48 +0,0 @@
480 -https://crbug.com/923647
481 -
482 -commit ae0bed1fe530a82faf2e9ea1775109dbf301a971
483 -Merge: 933784a1 0c74a9f4
484 -Author: Even Rouault <even.rouault@×××××××××.com>
485 -Date: Sat Feb 2 14:46:05 2019 +0000
486 -
487 - Merge branch 'master' into 'master'
488 -
489 - Fix for simple memory leak that was assigned CVE-2019-6128.
490 -
491 - See merge request libtiff/libtiff!50
492 -
493 -diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
494 -index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644
495 ---- a/tools/pal2rgb.c
496 -+++ b/tools/pal2rgb.c
497 -@@ -118,12 +118,14 @@ main(int argc, char* argv[])
498 - shortv != PHOTOMETRIC_PALETTE) {
499 - fprintf(stderr, "%s: Expecting a palette image.\n",
500 - argv[optind]);
501 -+ (void) TIFFClose(in);
502 - return (-1);
503 - }
504 - if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
505 - fprintf(stderr,
506 - "%s: No colormap (not a valid palette image).\n",
507 - argv[optind]);
508 -+ (void) TIFFClose(in);
509 - return (-1);
510 - }
511 - bitspersample = 0;
512 -@@ -131,11 +133,14 @@ main(int argc, char* argv[])
513 - if (bitspersample != 8) {
514 - fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
515 - argv[optind]);
516 -+ (void) TIFFClose(in);
517 - return (-1);
518 - }
519 - out = TIFFOpen(argv[optind+1], "w");
520 -- if (out == NULL)
521 -+ if (out == NULL) {
522 -+ (void) TIFFClose(in);
523 - return (-2);
524 -+ }
525 - cpTags(in, out);
526 - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
527 - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
528
529 diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
530 deleted file mode 100644
531 index a68ba2f4bbd..00000000000
532 --- a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
533 +++ /dev/null
534 @@ -1,73 +0,0 @@
535 -From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001
536 -From: Thomas Bernard <miniupnp@××××.fr>
537 -Date: Mon, 11 Feb 2019 10:05:33 +0100
538 -Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
539 -
540 -fixes bug 2833
541 ----
542 - tools/tiffcp.c | 8 +++++++-
543 - 1 file changed, 7 insertions(+), 1 deletion(-)
544 -
545 -diff --git a/tools/tiffcp.c b/tools/tiffcp.c
546 -index 2f406e2d7..f0ee2c029 100644
547 ---- a/tools/tiffcp.c
548 -+++ b/tools/tiffcp.c
549 -@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
550 - int status = 1;
551 - uint32 imagew = TIFFRasterScanlineSize(in);
552 - uint32 tilew = TIFFTileRowSize(in);
553 -- int iskew = imagew - tilew*spp;
554 -+ int iskew;
555 - tsize_t tilesize = TIFFTileSize(in);
556 - tdata_t tilebuf;
557 - uint8* bufp = (uint8*) buf;
558 -@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
559 - uint32 row;
560 - uint16 bps = 0, bytes_per_sample;
561 -
562 -+ if (spp > (0x7fffffff / tilew))
563 -+ {
564 -+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
565 -+ return 0;
566 -+ }
567 -+ iskew = imagew - tilew*spp;
568 - tilebuf = _TIFFmalloc(tilesize);
569 - if (tilebuf == 0)
570 - return 0;
571 ---
572 -2.21.0
573 -
574 -
575 -From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001
576 -From: Thomas Bernard <miniupnp@××××.fr>
577 -Date: Mon, 11 Feb 2019 21:42:03 +0100
578 -Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
579 -
580 ----
581 - tools/tiffcp.c | 3 ++-
582 - 1 file changed, 2 insertions(+), 1 deletion(-)
583 -
584 -diff --git a/tools/tiffcp.c b/tools/tiffcp.c
585 -index f0ee2c029..8c81aa4f2 100644
586 ---- a/tools/tiffcp.c
587 -+++ b/tools/tiffcp.c
588 -@@ -41,6 +41,7 @@
589 - #include <stdio.h>
590 - #include <stdlib.h>
591 - #include <string.h>
592 -+#include <limits.h>
593 -
594 - #include <ctype.h>
595 -
596 -@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
597 - uint32 row;
598 - uint16 bps = 0, bytes_per_sample;
599 -
600 -- if (spp > (0x7fffffff / tilew))
601 -+ if (spp > (INT_MAX / tilew))
602 - {
603 - TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
604 - return 0;
605 ---
606 -2.21.0
607 -
608
609 diff --git a/media-libs/tiff/tiff-4.0.10-r2.ebuild b/media-libs/tiff/tiff-4.0.10-r2.ebuild
610 deleted file mode 100644
611 index b4932f3df86..00000000000
612 --- a/media-libs/tiff/tiff-4.0.10-r2.ebuild
613 +++ /dev/null
614 @@ -1,86 +0,0 @@
615 -# Copyright 1999-2019 Gentoo Authors
616 -# Distributed under the terms of the GNU General Public License v2
617 -
618 -EAPI=7
619 -
620 -inherit autotools libtool multilib-minimal
621 -
622 -DESCRIPTION="Tag Image File Format (TIFF) library"
623 -HOMEPAGE="http://libtiff.maptools.org"
624 -SRC_URI="https://download.osgeo.org/libtiff/${P}.tar.gz"
625 -
626 -LICENSE="libtiff"
627 -SLOT="0"
628 -KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
629 -IUSE="+cxx jbig jpeg lzma static-libs test webp zlib zstd"
630 -RESTRICT="!test? ( test )"
631 -
632 -RDEPEND="
633 - jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] )
634 - jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
635 - lzma? ( >=app-arch/xz-utils-5.0.5-r1[${MULTILIB_USEDEP}] )
636 - webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] )
637 - zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
638 - zstd? ( >=app-arch/zstd-1.3.7-r1:=[${MULTILIB_USEDEP}] )
639 -"
640 -DEPEND="${RDEPEND}"
641 -
642 -REQUIRED_USE="test? ( jpeg )" #483132
643 -
644 -PATCHES=(
645 - "${FILESDIR}"/${PN}-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
646 - "${FILESDIR}"/${PN}-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
647 - "${FILESDIR}"/${PN}-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
648 - "${FILESDIR}"/${P}-CVE-2019-14973-fix-integer-overflow.patch
649 -)
650 -
651 -MULTILIB_WRAPPED_HEADERS=(
652 - /usr/include/tiffconf.h
653 -)
654 -
655 -src_prepare() {
656 - default
657 -
658 - # tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7
659 - sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die
660 -
661 - eautoreconf
662 -}
663 -
664 -multilib_src_configure() {
665 - local myeconfargs=(
666 - --without-x
667 - --with-docdir="${EPREFIX}"/usr/share/doc/${PF}
668 - $(use_enable cxx)
669 - $(use_enable jbig)
670 - $(use_enable jpeg)
671 - $(use_enable lzma)
672 - $(use_enable static-libs static)
673 - $(use_enable webp)
674 - $(use_enable zlib)
675 - $(use_enable zstd)
676 - )
677 - ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
678 -
679 - # remove useless subdirs
680 - if ! multilib_is_native_abi ; then
681 - sed -i \
682 - -e 's/ tools//' \
683 - -e 's/ contrib//' \
684 - -e 's/ man//' \
685 - -e 's/ html//' \
686 - Makefile || die
687 - fi
688 -}
689 -
690 -multilib_src_test() {
691 - if ! multilib_is_native_abi ; then
692 - emake -C tools
693 - fi
694 - emake check
695 -}
696 -
697 -multilib_src_install_all() {
698 - find "${ED}" -name '*.la' -delete || die
699 - rm "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION} || die
700 -}
Report Message
Find on MARC Find on Google Groups