summary refs log tree commit diff
path: root/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-06-16 00:59:15 -0400
committerMark H Weaver <mhw@netris.org>2015-06-16 01:02:01 -0400
commit8e28d22c914122aa7bfb70847370d8ae0f070688 (patch)
tree14ffa1b7954a3f67c4057bc03ab35c993e98120f /gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
parent7d02724b7bddb4d5e1cc93db99f737baa26840ca (diff)
downloadguix-8e28d22c914122aa7bfb70847370d8ae0f070688.tar.gz
gnu: libtiff: Add fixes for several CVEs.
* gnu/packages/patches/libtiff-CVE-2012-4564.patch,
  gnu/packages/patches/libtiff-CVE-2013-1960.patch,
  gnu/packages/patches/libtiff-CVE-2013-1961.patch,
  gnu/packages/patches/libtiff-CVE-2013-4231.patch,
  gnu/packages/patches/libtiff-CVE-2013-4232.patch,
  gnu/packages/patches/libtiff-CVE-2013-4243.patch,
  gnu/packages/patches/libtiff-CVE-2013-4244.patch,
  gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch,
  gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch,
  gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch,
  gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch,
  gnu/packages/patches/libtiff-CVE-2014-8129.patch,
  gnu/packages/patches/libtiff-CVE-2014-9330.patch,
  gnu/packages/patches/libtiff-CVE-2014-9655.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch')
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch77
1 files changed, 77 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
new file mode 100644
index 0000000000..fda4045504
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
@@ -0,0 +1,77 @@
+Copied from Debian
+
+Picked from CVE: diff -u -r1.14 -r1.15
+http://bugzilla.maptools.org/show_bug.cgi?id=2501
+
+Author: Even Rouault <even.rouault@spatialys.com>
+
+--- tiff-4.0.3.orig/tools/tiffdither.c
++++ tiff-4.0.3/tools/tiffdither.c
+@@ -39,6 +39,7 @@
+ #endif
+ 
+ #include "tiffio.h"
++#include "tiffiop.h"
+ 
+ #define	streq(a,b)	(strcmp(a,b) == 0)
+ #define	strneq(a,b,n)	(strncmp(a,b,n) == 0)
+@@ -56,7 +57,7 @@ static	void usage(void);
+  * Floyd-Steinberg error propragation with threshold.
+  * This code is stolen from tiffmedian.
+  */
+-static void
++static int
+ fsdither(TIFF* in, TIFF* out)
+ {
+ 	unsigned char *outline, *inputline, *inptr;
+@@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out)
+ 	int lastline, lastpixel;
+ 	int bit;
+ 	tsize_t outlinesize;
++	int errcode = 0;
+ 
+ 	imax = imagelength - 1;
+ 	jmax = imagewidth - 1;
+ 	inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+-	thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
+-	nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
++	thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
++	nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
+ 	outlinesize = TIFFScanlineSize(out);
+ 	outline = (unsigned char *) _TIFFmalloc(outlinesize);
++	if (! (inputline && thisline && nextline && outline)) {
++	    fprintf(stderr, "Out of memory.\n");
++	    goto skip_on_error;
++	}
+ 
+ 	/*
+ 	 * Get first line
+@@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out)
+ 		nextline = tmpptr;
+ 		lastline = (i == imax);
+ 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-			break;
++			goto skip_on_error;
+ 		inptr = inputline;
+ 		nextptr = nextline;
+ 		for (j = 0; j < imagewidth; ++j)
+@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out)
+ 			}
+ 		}
+ 		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+-			break;
++			goto skip_on_error;
+ 	}
++	goto exit_label;
++
+   skip_on_error:
++	errcode = 1;
++  exit_label:
+ 	_TIFFfree(inputline);
+ 	_TIFFfree(thisline);
+ 	_TIFFfree(nextline);
+ 	_TIFFfree(outline);
++	return errcode;
+ }
+ 
+ static	uint16 compression = COMPRESSION_PACKBITS;