commit: 9108af32a69a8d05b8d03b3b9adb9e0a7a5783bb Author: Mike Frysinger <vapier <AT> chromium <DOT> org> AuthorDate: Mon Apr 10 21:42:58 2017 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Mon Apr 10 21:45:14 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9108af32
media-libs/tiff: pull in pdfium security patches ....0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch | 20 ++++ ...ferOverflow-ChopUpSingleUncompressedStrip.patch | 34 ++++++ ...iff-4.0.7-pdfium-0007-uninitialized-value.patch | 26 +++++ ...ferOverflow-ChopUpSingleUncompressedStrip.patch | 26 +++++ ...-4.0.7-pdfium-0013-validate-refblackwhite.patch | 41 +++++++ ....7-pdfium-0017-safe_skews_in_gtTileContig.patch | 97 +++++++++++++++++ ...ium-0018-fix-leak-in-PredictorSetupDecode.patch | 27 +++++ .../tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch | 29 +++++ media-libs/tiff/tiff-4.0.7-r2.ebuild | 121 +++++++++++++++++++++ 9 files changed, 421 insertions(+) diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch new file mode 100644 index 00000000000..afb0151f963 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch @@ -0,0 +1,20 @@ +https://codereview.chromium.org/2204793002 +https://crbug.com/633387 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: thestig <[email protected]> +Date: Mon Aug 1 19:36:27 2016 -0700 + +Fix a memory leak in libtiff. + +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5372,6 +5372,8 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) + static const char module[] = "TIFFFetchStripThing"; + enum TIFFReadDirEntryErr err; + uint64* data; ++ _TIFFfree(*lpp); ++ *lpp = 0; + err=TIFFReadDirEntryLong8Array(tif,dir,&data); + if (err!=TIFFReadDirEntryErrOk) + { diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 00000000000..f573fd9deb3 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -0,0 +1,34 @@ +https://codereview.chromium.org/2284063002 +https://crbug.com/618267 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: tracy_jiang <[email protected]> +Date: Mon Aug 29 13:42:56 2016 -0700 + +Fix for #618267. Adding a method to determine if multiplication has +overflow. + +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, + /* + * XXX: Check for integer overflow. + */ +- if (nmemb && elem_size && bytes / elem_size == nmemb) ++ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + cp = _TIFFrealloc(buffer, bytes); + + if (cp == NULL) { +--- a/libtiff/tiffio.h ++++ b/libtiff/tiffio.h +@@ -298,6 +298,10 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c); + extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); + extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c); + extern void _TIFFfree(void* p); ++#include <limits.h> ++static inline int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) { ++ return op1 > SSIZE_MAX / op2; ++} + + /* + ** Stuff, related to tag handling and creating custom tags. diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch new file mode 100644 index 00000000000..ab5627f5c16 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch @@ -0,0 +1,26 @@ +https://codereview.chromium.org/2389993002 +https://crbug.com/651632 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: dsinclair <[email protected]> +Date: Mon Oct 3 13:59:57 2016 -0700 + +Fix potentially uninitialized value. + +Depending on what ReadOK does it's possible for |dircount16| to be used without +being initialized. The read code calls back into PDFium specific code which then +calls into the stream reading code. + +Initialize the value to be sure it is set. + +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4443,7 +4443,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, + static const char module[] = "TIFFFetchDirectory"; + + void* origdir; +- uint16 dircount16; ++ uint16 dircount16 = 0; + uint32 dirsize; + TIFFDirEntry* dir; + uint8* ma; diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 00000000000..35f59b9bffd --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -0,0 +1,26 @@ +https://codereview.chromium.org/2405693002 +https://crbug.com/654169 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: stackexploit <[email protected]> +Date: Mon Oct 10 10:58:25 2016 -0700 + +libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. + +The patch (https://codereview.chromium.org/2284063002) for Issue 618267 +was insufficient. The integer overflow still could be triggered and could +lead to heap buffer overflow. + +This CL strengthens integer overflow check in function _TIFFCheckRealloc. + +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, + /* + * XXX: Check for integer overflow. + */ +- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) ++ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + cp = _TIFFrealloc(buffer, bytes); + + if (cp == NULL) { diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch new file mode 100644 index 00000000000..47a3db06431 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch @@ -0,0 +1,41 @@ +https://pdfium-review.googlesource.com/2151 +https://crbug.com/632883 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: Dan Sinclair <[email protected]> +Date: Mon Jan 9 09:50:50 2017 -0500 + +[libtiff] Validate refblackwhite values + +The td_refblackwhite value is currently assigned without validation. This +may pose an issue as the image can specify the value as nan. This will cause +problems later when we use the nan in calcluations. + +This CL validates each of the float values are not nan and if they are sets +them to the default provided by the TIFF spec v6. + +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -31,6 +31,7 @@ + * (and also some miscellaneous stuff) + */ + #include "tiffiop.h" ++#include <math.h> + #include <float.h> + + /* +@@ -426,6 +426,14 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + case TIFFTAG_REFERENCEBLACKWHITE: + /* XXX should check for null range */ + _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); ++ for (int i = 0; i < 6; i++) { ++ if (isnan(td->td_refblackwhite[i])) { ++ if (i % 2 == 0) ++ td->td_refblackwhite[i] = 0; ++ else ++ td->td_refblackwhite[i] = pow(2, td->td_bitspersample) - 1; ++ } ++ } + break; + case TIFFTAG_INKNAMES: + v = (uint16) va_arg(ap, uint16_vap); diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch new file mode 100644 index 00000000000..7914743393f --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch @@ -0,0 +1,97 @@ +https://pdfium-review.googlesource.com/2355 +https://crbug.com/681300 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: Nicolas Pena <[email protected]> +Date: Wed Jan 25 10:41:06 2017 -0500 + +Prevent skew overflows in gtTileContig + +Using int64 to check whether uint32 operations have overflowed. + +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -31,6 +31,7 @@ + */ + #include "tiffiop.h" + #include <stdio.h> ++#include <limits.h> + + static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); + static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); +@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint32 tw, th; + unsigned char* buf; + int32 fromskew, toskew; ++ int64 safeskew; + uint32 nrow; + int ret = 1, flip; + uint32 this_tw, tocol; +@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + flip = setorientation(img); + if (flip & FLIP_VERTICALLY) { + y = h - 1; +- toskew = -(int32)(tw + w); ++ safeskew = 0; ++ safeskew -= tw; ++ safeskew -= w; + } + else { + y = 0; +- toskew = -(int32)(tw - w); ++ safeskew = 0; ++ safeskew -= tw; ++ safeskew +=w; + } + ++ if(safeskew > INT_MAX || safeskew < INT_MIN){ ++ _TIFFfree(buf); ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); ++ return (0); ++ } ++ toskew = safeskew; ++ + /* + * Leftmost tile is clipped on left side if col_offset > 0. + */ + leftmost_fromskew = img->col_offset % tw; + leftmost_tw = tw - leftmost_fromskew; +- leftmost_toskew = toskew + leftmost_fromskew; ++ safeskew = toskew; ++ safeskew += leftmost_fromskew; ++ if(safeskew > INT_MAX || safeskew < INT_MIN){ ++ _TIFFfree(buf); ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); ++ return (0); ++ } ++ leftmost_toskew = safeskew; + for (row = 0; row < h; row += nrow) + { + rowstoread = th - (row + img->row_offset) % th; +@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + /* + * Rightmost tile is clipped on right side. + */ +- fromskew = tw - (w - tocol); ++ safeskew = tw; ++ safeskew -= w; ++ safeskew += tocol; ++ if(safeskew > INT_MAX || safeskew < INT_MIN){ ++ _TIFFfree(buf); ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); ++ return (0); ++ } ++ fromskew = safeskew; + this_tw = tw - fromskew; +- this_toskew = toskew + fromskew; ++ safeskew = toskew; ++ safeskew += fromskew; ++ if(safeskew > INT_MAX || safeskew < INT_MIN){ ++ _TIFFfree(buf); ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); ++ return (0); ++ } ++ this_toskew = safeskew; + } + (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos); + tocol += this_tw; diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch new file mode 100644 index 00000000000..b74ddc5c499 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch @@ -0,0 +1,27 @@ +https://pdfium-review.googlesource.com/2432 +https://crbug.com/683834 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: Nicolas Pena <[email protected]> +Date: Thu Jan 26 15:45:02 2017 -0500 + +Fix leak in PredictorSetupDecode by calling tif_cleanup on failure + +tif_data and tif_cleanup are both set on the TIFFInit methods, see for +instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was +filled on tif_data should be cleaned up. The previous leak fix from +PixarLogSetupDecode is no longer necessary. + +--- a/libtiff/tif_predict.c ++++ b/libtiff/tif_predict.c +@@ -118,7 +118,10 @@ PredictorSetupDecode(TIFF* tif) + TIFFDirectory* td = &tif->tif_dir; + + if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif)) ++ { ++ (*tif->tif_cleanup)(tif); + return 0; ++ } + + if (sp->predictor == 2) { + switch (td->td_bitspersample) { diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch new file mode 100644 index 00000000000..11975cf38ac --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch @@ -0,0 +1,29 @@ +https://pdfium-review.googlesource.com/3811 +https://crbug.com/707431 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: Nicolas Pena <[email protected]> +Date: Wed Apr 5 15:50:53 2017 -0400 + +Libtiff: Prevent OOM in TIFFFillStrip + +In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of +memory. In this CL we do sanity checks on the claimed size of the raw strip +data before that happens, to prevent out-of-memory. + +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); + return(0); + } ++ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif); ++ if (bytecountm > size) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Requested read strip size %lu is too large", ++ (unsigned long) strip); ++ return (0); ++ } + if (bytecountm > tif->tif_rawdatasize) { + tif->tif_curstrip = NOSTRIP; + if ((tif->tif_flags & TIFF_MYBUFFER) == 0) { diff --git a/media-libs/tiff/tiff-4.0.7-r2.ebuild b/media-libs/tiff/tiff-4.0.7-r2.ebuild new file mode 100644 index 00000000000..b77d5196171 --- /dev/null +++ b/media-libs/tiff/tiff-4.0.7-r2.ebuild @@ -0,0 +1,121 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="6" +inherit autotools eutils libtool multilib-minimal + +DESCRIPTION="Tag Image File Format (TIFF) library" +HOMEPAGE="http://libtiff.maptools.org"; +SRC_URI="http://download.osgeo.org/libtiff/${P}.tar.gz + ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"; + +LICENSE="libtiff" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x64-solaris ~x86-solaris" +IUSE="+cxx jbig jpeg lzma static-libs test zlib" + +RDEPEND="jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] ) + jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:=[${MULTILIB_USEDEP}] ) + zlib? ( >=sys-libs/zlib-1.2.8-r1:=[${MULTILIB_USEDEP}] ) + abi_x86_32? ( + !<=app-emulation/emul-linux-x86-baselibs-20130224-r9 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] + )" +DEPEND="${RDEPEND}" + +REQUIRED_USE="test? ( jpeg )" #483132 + +PATCHES=( + "${FILESDIR}"/${P}-fax2tiff.patch #598938 + "${FILESDIR}"/${P}-CVE-2016-10266.patch + "${FILESDIR}"/${P}-bug2598.patch + "${FILESDIR}"/${P}-bug2604.patch + "${FILESDIR}"/${P}-bug2608.patch + "${FILESDIR}"/${P}-CVE-2016-10267.patch + "${FILESDIR}"/${P}-bug2620.patch + "${FILESDIR}"/${P}-bug2621.patch + "${FILESDIR}"/${P}-bug2619.patch + "${FILESDIR}"/${P}-bug2594.patch + "${FILESDIR}"/${P}-bug2597.patch + "${FILESDIR}"/${P}-bug2599.patch + "${FILESDIR}"/${P}-bug2607.patch + "${FILESDIR}"/${P}-bug2610.patch + "${FILESDIR}"/${P}-bug2605.patch + "${FILESDIR}"/${P}-hylafax-hack.patch #612172 + "${FILESDIR}"/${P}-bug2633-bug2634.patch + "${FILESDIR}"/${P}-bug2635.patch + "${FILESDIR}"/${P}-bug2627.patch + "${FILESDIR}"/${P}-bug2638.patch + "${FILESDIR}"/${P}-bug2639.patch + "${FILESDIR}"/${P}-bug2640.patch + "${FILESDIR}"/${P}-bug2653.patch + "${FILESDIR}"/${P}-bug2535.patch + "${FILESDIR}"/${P}-bug2644.patch + "${FILESDIR}"/${P}-bug2642-bug2643-bug2646-bug2647.patch + "${FILESDIR}"/${P}-bug2648.patch + "${FILESDIR}"/${P}-bug2650.patch + "${FILESDIR}"/${P}-bug2658.patch + "${FILESDIR}"/${P}-bug2650-2.patch + "${FILESDIR}"/${P}-bug2651.patch + "${FILESDIR}"/${P}-CVE-2017-5225.patch #610330 + "${FILESDIR}"/${P}-bug2130.patch + "${FILESDIR}"/${P}-bug2659.patch + "${FILESDIR}"/${P}-bug2659-2.patch + "${FILESDIR}"/${P}-bug2631.patch + "${FILESDIR}"/${P}-bug2665.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0007-uninitialized-value.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0013-validate-refblackwhite.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch +) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/tiffconf.h +) + +src_prepare() { + default + + # tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7 + sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die + + eautoreconf +} + +multilib_src_configure() { + ECONF_SOURCE="${S}" econf \ + $(use_enable static-libs static) \ + $(use_enable zlib) \ + $(use_enable jpeg) \ + $(use_enable jbig) \ + $(use_enable lzma) \ + $(use_enable cxx) \ + --without-x + + # remove useless subdirs + if ! multilib_is_native_abi ; then + sed -i \ + -e 's/ tools//' \ + -e 's/ contrib//' \ + -e 's/ man//' \ + -e 's/ html//' \ + Makefile || die + fi +} + +multilib_src_test() { + if ! multilib_is_native_abi ; then + emake -C tools + fi + emake check +} + +multilib_src_install_all() { + prune_libtool_files --all + rm -f "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION} +}
