diff options
author | Leo Famulari <leo@famulari.name> | 2017-01-10 03:22:33 -0500 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-01-10 17:52:42 -0500 |
commit | 4b96149d8b199048aa526159120d14a44d6ee054 (patch) | |
tree | 1ffa03b2a425040f2b00578d417784bf69d1abc5 /gnu/packages/patches/libtiff-divide-by-zero.patch | |
parent | 8966c6b43989a0f7bca972f12b78567da7de3eec (diff) | |
download | guix-4b96149d8b199048aa526159120d14a44d6ee054.tar.gz |
gnu: libtiff: Fix CVE-2016-{10092,10093,10094} and others.
* gnu/packages/patches/libtiff-CVE-2016-10092.patch, gnu/packages/patches/libtiff-CVE-2016-10093.patch, gnu/packages/patches/libtiff-CVE-2016-10094.patch, gnu/packages/patches/libtiff-assertion-failure.patch, gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch, gnu/packages/patches/libtiff-divide-by-zero.patch, gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch, gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch, gnu/packages/patches/libtiff-invalid-read.patch, gnu/packages/patches/libtiff-null-dereference.patch, gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable.
Diffstat (limited to 'gnu/packages/patches/libtiff-divide-by-zero.patch')
-rw-r--r-- | gnu/packages/patches/libtiff-divide-by-zero.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-divide-by-zero.patch b/gnu/packages/patches/libtiff-divide-by-zero.patch new file mode 100644 index 0000000000..6dbd4666cd --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero.patch @@ -0,0 +1,67 @@ +Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero: + +http://bugzilla.maptools.org/show_bug.cgi?id=2596 + +2016-12-02 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in + TIFFReadEncodedStrip() that caused an integer division by zero. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1173; previous revision: 1.1172 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c +new revision: 1.50; previous revision: 1.49 +/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v <-- libtiff/tiffiop.h +new revision: 1.90; previous revision: 1.89 + +Index: libtiff/libtiff/tif_read.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v +retrieving revision 1.49 +retrieving revision 1.50 +diff -u -r1.49 -r1.50 +--- libtiff/libtiff/tif_read.c 10 Jul 2016 18:00:21 -0000 1.49 ++++ libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50 +@@ -1,4 +1,4 @@ +-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */ ++/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -346,7 +346,7 @@ + rowsperstrip=td->td_rowsperstrip; + if (rowsperstrip>td->td_imagelength) + rowsperstrip=td->td_imagelength; +- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); ++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); + stripinplane=(strip%stripsperplane); + plane=(uint16)(strip/stripsperplane); + rows=td->td_imagelength-stripinplane*rowsperstrip; +Index: libtiff/libtiff/tiffiop.h +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v +retrieving revision 1.89 +retrieving revision 1.90 +diff -u -r1.89 -r1.90 +--- libtiff/libtiff/tiffiop.h 23 Jan 2016 21:20:34 -0000 1.89 ++++ libtiff/libtiff/tiffiop.h 2 Dec 2016 21:56:56 -0000 1.90 +@@ -1,4 +1,4 @@ +-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */ ++/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -250,6 +250,10 @@ + #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ + ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ + 0U) ++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ ++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ ++#define TIFFhowmany_32_maxuint_compat(x, y) \ ++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) + #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) + #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) + #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) |