commit: 2b07bec238b4b2e98288cf4880faad4b504366ee |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
AuthorDate: Wed Jan 29 21:43:33 2020 +0000 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
CommitDate: Wed Jan 29 21:44:32 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b07bec2 |
|
media-libs/tiff: 4.0.10-r2 security cleanup |
|
If no one else will do it... |
|
Bug: https://bugs.gentoo.org/699868 |
Package-Manager: Portage-2.3.86, Repoman-2.3.20 |
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> |
|
media-libs/tiff/Manifest | 1 - |
...-2018-17000-tif_dirwrite-null-dereference.patch | 33 -- |
....0.10-CVE-2019-14973-fix-integer-overflow.patch | 395 --------------------- |
.../tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch | 48 --- |
....0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch | 73 ---- |
media-libs/tiff/tiff-4.0.10-r2.ebuild | 86 ----- |
6 files changed, 636 deletions(-) |
|
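diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest
index 189741c8a7c..facf160fb14 100644
--- a/media-libs/tiff/Manifest
+++ b/media-libs/tiff/Manifest
@@ -1,2 +1 @@
-DIST tiff-4.0.10.tar.gz 2402867 BLAKE2B 0305453f22150c31d00d2de756736f58c49a288e19b2a66bdd01319ce4688742f6eab4009eaf1817125d41f53a23de17eb6265a3ebae458ec24f5dbb3d49764e SHA512 d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8
 DIST tiff-4.1.0.tar.gz 2421581 BLAKE2B 1f9b92d08dc95633bb005a635bbcecd8fa5e4f30c14f059b42aafbb4a52b4fb1b84b1e97cea33f3102f5808cb28f93bc8fcbae2b041c6227c97f90b4f9b8e631 SHA512 fd541dcb11e3d5afaa1ec2f073c9497099727a52f626b338ef87dc93ca2e23ca5f47634015a4beac616d4e8f05acf7b7cd5797fb218758cc2ad31b390491c5a6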
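diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
deleted file mode 100644
index 321c6a428af..00000000000
--- a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-https://crbug.com/901306
-
-commit 802d3cbf3043be5dce5317e140ccb1c17a6a2d39
-Author: Thomas Bernard <miniupnp@××××.fr>
-Date: Tue Jan 29 11:21:47 2019 +0100
-
- TIFFWriteDirectoryTagTransferfunction() : fix NULL dereferencing
-
- http://bugzilla.maptools.org/show_bug.cgi?id=2833
-
- we must check the pointer is not NULL before memcmp() the memory
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index c15a28dbd8fcb99b81fa5a1d44fcbcda881f42a7..ef30c869d30e210d90be16ce91f44087925fbad3 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
- n=3;
- if (n==3)
- {
-- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
-+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
-+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
- n=2;
- }
- if (n==2)
- {
-- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
-+ if (tif->tif_dir.td_transferfunction[1] == NULL ||
-+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
- n=1;
- }
- if (n==0)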
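diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch
deleted file mode 100644
index cbcbfd9d7f0..00000000000
--- a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch
+++ /dev/null
@@ -1,395 +0,0 @@
-From 6ebfcac47224d3b8661c501967d495135449883e Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@×××××××××.com>
-Date: Sat, 10 Aug 2019 18:25:03 +0200
-Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
- implementation-defined behaviour (CVE-2019-14973)
-
-_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
-in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
-signed), which was especially easily triggered on 32-bit builds (with recent
-enough compilers that assume that signed multiplication cannot overflow, since
-this is undefined behaviour by the C standard). The original issue which lead to
-this fix was trigged from tif_fax3.c
-
-There were also unsafe (implementation defied), and broken in practice on 64bit
-builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
-(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
-at that time exploits, but are better to fix in a more bullet-proof way.
-Or similarly use of (int64)uint64_var <= 0.
-
---- a/libtiff/tif_aux.c
-+++ b/libtiff/tif_aux.c
-@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
- return bytes;
- }
-
-+tmsize_t
-+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
-+{
-+ if( first <= 0 || second <= 0 )
-+ {
-+ if( tif != NULL && where != NULL )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, where,
-+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
-+ }
-+ return 0;
-+ }
-+
-+ if( first > TIFF_TMSIZE_T_MAX / second )
-+ {
-+ if( tif != NULL && where != NULL )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, where,
-+ "Integer overflow in %s", where);
-+ }
-+ return 0;
-+ }
-+ return first * second;
-+}
-+
-+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
-+{
-+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
-+ {
-+ if( tif != NULL && module != NULL )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-+ }
-+ return 0;
-+ }
-+ return (tmsize_t)val;
-+}
-+
- void*
- _TIFFCheckRealloc(TIFF* tif, void* buffer,
- tmsize_t nmemb, tmsize_t elem_size, const char* what)
- {
- void* cp = NULL;
-- tmsize_t bytes = nmemb * elem_size;
--
-+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
- /*
-- * XXX: Check for integer overflow.
-+ * Check for integer overflow.
- */
-- if (nmemb && elem_size && bytes / elem_size == nmemb)
-- cp = _TIFFrealloc(buffer, bytes);
-+ if (count != 0)
-+ {
-+ cp = _TIFFrealloc(buffer, count);
-+ }
-
- if (cp == NULL) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- uint32 leftmost_tw;
-
- tilesize = TIFFTileSize(tif);
-- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
-+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
- if (bufsize == 0) {
-- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
- return (0);
- }
-
-@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- uint16 colorchannels;
-
- stripsize = TIFFStripSize(tif);
-- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
-+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
- if (bufsize == 0) {
-- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
- return (0);
- }
-
---- a/libtiff/tif_luv.c
-+++ b/libtiff/tif_luv.c
-@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
- return (SGILOGDATAFMT_UNKNOWN);
- }
-
--
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
-- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-- return 0;
-- return m1 * m2;
-+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
- }
-
- static int
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
- return guess;
- }
-
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
-- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-- return 0;
-- return m1 * m2;
-+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
- }
-
- static tmsize_t
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -29,9 +29,6 @@
- #include "tiffiop.h"
- #include <stdio.h>
-
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- int TIFFFillStrip(TIFF* tif, uint32 strip);
- int TIFFFillTile(TIFF* tif, uint32 tile);
- static int TIFFStartStrip(TIFF* tif, uint32 strip);
-@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
- #define THRESHOLD_MULTIPLIER 10
- #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
-
-+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
-+
- /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
- * Returns 1 in case of success, 0 otherwise. */
- static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
-@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- return ((tmsize_t)(-1));
- }
- bytecount = td->td_stripbytecount[strip];
-- if ((int64)bytecount <= 0) {
--#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
-- TIFFErrorExt(tif->tif_clientdata, module,
-- "%I64u: Invalid strip byte count, strip %lu",
-- (unsigned __int64) bytecount,
-- (unsigned long) strip);
--#else
-- TIFFErrorExt(tif->tif_clientdata, module,
-- "%llu: Invalid strip byte count, strip %lu",
-- (unsigned long long) bytecount,
-- (unsigned long) strip);
--#endif
-- return ((tmsize_t)(-1));
-- }
-- bytecountm = (tmsize_t)bytecount;
-- if ((uint64)bytecountm!=bytecount) {
-- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
-+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
-+ if (bytecountm == 0) {
- return ((tmsize_t)(-1));
- }
- if (size != (tmsize_t)(-1) && size < bytecountm)
-@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- {
- uint64 bytecount = td->td_stripbytecount[strip];
-- if ((int64)bytecount <= 0) {
-+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "Invalid strip byte count %I64u, strip %lu",
-@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- (bytecount - 4096) / 10 > (uint64)stripsize )
- {
- uint64 newbytecount = (uint64)stripsize * 10 + 4096;
-- if( (int64)newbytecount >= 0 )
-+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
- {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFWarningExt(tif->tif_clientdata, module,
-@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
- bytecount64 = td->td_stripbytecount[tile];
- if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
- bytecount64 = (uint64)size;
-- bytecountm = (tmsize_t)bytecount64;
-- if ((uint64)bytecountm!=bytecount64)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
-+ if( bytecountm == 0 ) {
- return ((tmsize_t)(-1));
- }
- return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
-@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- {
- uint64 bytecount = td->td_stripbytecount[tile];
-- if ((int64)bytecount <= 0) {
-+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "%I64u: Invalid tile byte count, tile %lu",
-@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- (bytecount - 4096) / 10 > (uint64)stripsize )
- {
- uint64 newbytecount = (uint64)stripsize * 10 + 4096;
-- if( (int64)newbytecount >= 0 )
-+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
- {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFWarningExt(tif->tif_clientdata, module,
---- a/libtiff/tif_strip.c
-+++ b/libtiff/tif_strip.c
-@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
- {
- static const char module[] = "TIFFVStripSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFVStripSize64(tif,nrows);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif)
- {
- static const char module[] = "TIFFStripSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFStripSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif)
- {
- static const char module[] = "TIFFScanlineSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFScanlineSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m) {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif)
- {
- static const char module[] = "TIFFRasterScanlineSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFRasterScanlineSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /* vim: set ts=8 sts=8 sw=8 noet: */
---- a/libtiff/tif_tile.c
-+++ b/libtiff/tif_tile.c
-@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
- {
- static const char module[] = "TIFFTileRowSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFTileRowSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
- {
- static const char module[] = "TIFFVTileSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFVTileSize64(tif,nrows);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
- {
- static const char module[] = "TIFFTileSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFTileSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
---- a/libtiff/tiffiop.h
-+++ b/libtiff/tiffiop.h
-@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
- #define FALSE 0
- #endif
-
-+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-+
- typedef struct client_info {
- struct client_info *next;
- void *data;
-@@ -258,7 +261,7 @@ struct tiff {
- #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
- #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
-
--/* Safe multiply which returns zero if there is an integer overflow */
-+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
- #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
-
- #define TIFFmax(A,B) ((A)>(B)?(A):(B))
-@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
-
- extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
- extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
-+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
-+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
- extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
- extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
-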
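diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
deleted file mode 100644
index 38d020fec24..00000000000
--- a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-https://crbug.com/923647
-
-commit ae0bed1fe530a82faf2e9ea1775109dbf301a971
-Merge: 933784a1 0c74a9f4
-Author: Even Rouault <even.rouault@×××××××××.com>
-Date: Sat Feb 2 14:46:05 2019 +0000
-
- Merge branch 'master' into 'master'
-
- Fix for simple memory leak that was assigned CVE-2019-6128.
-
- See merge request libtiff/libtiff!50
-
-diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
-index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644
---- a/tools/pal2rgb.c
-+++ b/tools/pal2rgb.c
-@@ -118,12 +118,14 @@ main(int argc, char* argv[])
- shortv != PHOTOMETRIC_PALETTE) {
- fprintf(stderr, "%s: Expecting a palette image.\n",
- argv[optind]);
-+ (void) TIFFClose(in);
- return (-1);
- }
- if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
- fprintf(stderr,
- "%s: No colormap (not a valid palette image).\n",
- argv[optind]);
-+ (void) TIFFClose(in);
- return (-1);
- }
- bitspersample = 0;
-@@ -131,11 +133,14 @@ main(int argc, char* argv[])
- if (bitspersample != 8) {
- fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
- argv[optind]);
-+ (void) TIFFClose(in);
- return (-1);
- }
- out = TIFFOpen(argv[optind+1], "w");
-- if (out == NULL)
-+ if (out == NULL) {
-+ (void) TIFFClose(in);
- return (-2);
-+ }
- cpTags(in, out);
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);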
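diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
deleted file mode 100644
index a68ba2f4bbd..00000000000
--- a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@××××.fr>
-Date: Mon, 11 Feb 2019 10:05:33 +0100
-Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
-
-fixes bug 2833
----
- tools/tiffcp.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 2f406e2d7..f0ee2c029 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- int status = 1;
- uint32 imagew = TIFFRasterScanlineSize(in);
- uint32 tilew = TIFFTileRowSize(in);
-- int iskew = imagew - tilew*spp;
-+ int iskew;
- tsize_t tilesize = TIFFTileSize(in);
- tdata_t tilebuf;
- uint8* bufp = (uint8*) buf;
-@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- uint32 row;
- uint16 bps = 0, bytes_per_sample;
-
-+ if (spp > (0x7fffffff / tilew))
-+ {
-+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
-+ return 0;
-+ }
-+ iskew = imagew - tilew*spp;
- tilebuf = _TIFFmalloc(tilesize);
- if (tilebuf == 0)
- return 0;
---
-2.21.0
-
-
-From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@××××.fr>
-Date: Mon, 11 Feb 2019 21:42:03 +0100
-Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
-
----
- tools/tiffcp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index f0ee2c029..8c81aa4f2 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -41,6 +41,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
-
- #include <ctype.h>
-
-@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- uint32 row;
- uint16 bps = 0, bytes_per_sample;
-
-- if (spp > (0x7fffffff / tilew))
-+ if (spp > (INT_MAX / tilew))
- {
- TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
- return 0;
---
-2.21.0
-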
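diff --git a/media-libs/tiff/tiff-4.0.10-r2.ebuild b/media-libs/tiff/tiff-4.0.10-r2.ebuild
deleted file mode 100644
index b4932f3df86..00000000000
--- a/media-libs/tiff/tiff-4.0.10-r2.ebuild
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit autotools libtool multilib-minimal
-
-DESCRIPTION="Tag Image File Format (TIFF) library"
-HOMEPAGE="http://libtiff.maptools.org"
-SRC_URI="https://download.osgeo.org/libtiff/${P}.tar.gz"
-
-LICENSE="libtiff"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="+cxx jbig jpeg lzma static-libs test webp zlib zstd"
-RESTRICT="!test? ( test )"
-
-RDEPEND="
- jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] )
- jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
- lzma? ( >=app-arch/xz-utils-5.0.5-r1[${MULTILIB_USEDEP}] )
- webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
- zstd? ( >=app-arch/zstd-1.3.7-r1:=[${MULTILIB_USEDEP}] )
-"
-DEPEND="${RDEPEND}"
-
-REQUIRED_USE="test? ( jpeg )" #483132
-
-PATCHES=(
- "${FILESDIR}"/${PN}-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
- "${FILESDIR}"/${PN}-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
- "${FILESDIR}"/${PN}-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
- "${FILESDIR}"/${P}-CVE-2019-14973-fix-integer-overflow.patch
-)
-
-MULTILIB_WRAPPED_HEADERS=(
- /usr/include/tiffconf.h
-)
-
-src_prepare() {
- default
-
- # tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7
- sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die
-
- eautoreconf
-}
-
-multilib_src_configure() {
- local myeconfargs=(
- --without-x
- --with-docdir="${EPREFIX}"/usr/share/doc/${PF}
- $(use_enable cxx)
- $(use_enable jbig)
- $(use_enable jpeg)
- $(use_enable lzma)
- $(use_enable static-libs static)
- $(use_enable webp)
- $(use_enable zlib)
- $(use_enable zstd)
- )
- ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
-
- # remove useless subdirs
- if ! multilib_is_native_abi ; then
- sed -i \
- -e 's/ tools//' \
- -e 's/ contrib//' \
- -e 's/ man//' \
- -e 's/ html//' \
- Makefile || die
- fi
-}
-
-multilib_src_test() {
- if ! multilib_is_native_abi ; then
- emake -C tools
- fi
- emake check
-}
-
-multilib_src_install_all() {
- find "${ED}" -name '*.la' -delete || die
- rm "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION} || die
-}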