Diffstat (limited to 'media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch')
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch191
1 files changed, 191 insertions, 0 deletions
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
new file mode 100644
index 000000000000..6c28dc6ec9a8
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
@@ -0,0 +1,191 @@
+Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
+possibility in the same file, which wasn't given a separate CVE.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
+@@ -117,9 +117,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- t0 = ToLinearF[cr = wp[0]];
+- t1 = ToLinearF[cg = wp[1]];
+- t2 = ToLinearF[cb = wp[2]];
++ t0 = ToLinearF[cr = (wp[0] & mask)];
++ t1 = ToLinearF[cg = (wp[1] & mask)];
++ t2 = ToLinearF[cb = (wp[2] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -136,10 +136,10 @@
+ op[2] = t2;
+ }
+ } else if (stride == 4) {
+- t0 = ToLinearF[cr = wp[0]];
+- t1 = ToLinearF[cg = wp[1]];
+- t2 = ToLinearF[cb = wp[2]];
+- t3 = ToLinearF[ca = wp[3]];
++ t0 = ToLinearF[cr = (wp[0] & mask)];
++ t1 = ToLinearF[cg = (wp[1] & mask)];
++ t2 = ToLinearF[cb = (wp[2] & mask)];
++ t3 = ToLinearF[ca = (wp[3] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -183,9 +183,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- t0 = ToLinearF[cr = wp[0]] * SCALE12;
+- t1 = ToLinearF[cg = wp[1]] * SCALE12;
+- t2 = ToLinearF[cb = wp[2]] * SCALE12;
++ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
++ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
++ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
+ op[0] = CLAMP12(t0);
+ op[1] = CLAMP12(t1);
+ op[2] = CLAMP12(t2);
+@@ -202,10 +202,10 @@
+ op[2] = CLAMP12(t2);
+ }
+ } else if (stride == 4) {
+- t0 = ToLinearF[cr = wp[0]] * SCALE12;
+- t1 = ToLinearF[cg = wp[1]] * SCALE12;
+- t2 = ToLinearF[cb = wp[2]] * SCALE12;
+- t3 = ToLinearF[ca = wp[3]] * SCALE12;
++ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
++ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
++ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
++ t3 = ToLinearF[ca = (wp[3] & mask)] * SCALE12;
+ op[0] = CLAMP12(t0);
+ op[1] = CLAMP12(t1);
+ op[2] = CLAMP12(t2);
+@@ -247,9 +247,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- op[0] = ToLinear16[cr = wp[0]];
+- op[1] = ToLinear16[cg = wp[1]];
+- op[2] = ToLinear16[cb = wp[2]];
++ op[0] = ToLinear16[cr = (wp[0] & mask)];
++ op[1] = ToLinear16[cg = (wp[1] & mask)];
++ op[2] = ToLinear16[cb = (wp[2] & mask)];
+ n -= 3;
+ while (n > 0) {
+ wp += 3;
+@@ -260,10 +260,10 @@
+ op[2] = ToLinear16[(cb += wp[2]) & mask];
+ }
+ } else if (stride == 4) {
+- op[0] = ToLinear16[cr = wp[0]];
+- op[1] = ToLinear16[cg = wp[1]];
+- op[2] = ToLinear16[cb = wp[2]];
+- op[3] = ToLinear16[ca = wp[3]];
++ op[0] = ToLinear16[cr = (wp[0] & mask)];
++ op[1] = ToLinear16[cg = (wp[1] & mask)];
++ op[2] = ToLinear16[cb = (wp[2] & mask)];
++ op[3] = ToLinear16[ca = (wp[3] & mask)];
+ n -= 4;
+ while (n > 0) {
+ wp += 4;
+@@ -342,9 +342,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- op[0] = ToLinear8[cr = wp[0]];
+- op[1] = ToLinear8[cg = wp[1]];
+- op[2] = ToLinear8[cb = wp[2]];
++ op[0] = ToLinear8[cr = (wp[0] & mask)];
++ op[1] = ToLinear8[cg = (wp[1] & mask)];
++ op[2] = ToLinear8[cb = (wp[2] & mask)];
+ n -= 3;
+ while (n > 0) {
+ n -= 3;
+@@ -355,10 +355,10 @@
+ op[2] = ToLinear8[(cb += wp[2]) & mask];
+ }
+ } else if (stride == 4) {
+- op[0] = ToLinear8[cr = wp[0]];
+- op[1] = ToLinear8[cg = wp[1]];
+- op[2] = ToLinear8[cb = wp[2]];
+- op[3] = ToLinear8[ca = wp[3]];
++ op[0] = ToLinear8[cr = (wp[0] & mask)];
++ op[1] = ToLinear8[cg = (wp[1] & mask)];
++ op[2] = ToLinear8[cb = (wp[2] & mask)];
++ op[3] = ToLinear8[ca = (wp[3] & mask)];
+ n -= 4;
+ while (n > 0) {
+ n -= 4;
+@@ -393,9 +393,9 @@
+ mask = CODE_MASK;
+ if (stride == 3) {
+ op[0] = 0;
+- t1 = ToLinear8[cb = wp[2]];
+- t2 = ToLinear8[cg = wp[1]];
+- t3 = ToLinear8[cr = wp[0]];
++ t1 = ToLinear8[cb = (wp[2] & mask)];
++ t2 = ToLinear8[cg = (wp[1] & mask)];
++ t3 = ToLinear8[cr = (wp[0] & mask)];
+ op[1] = t1;
+ op[2] = t2;
+ op[3] = t3;
+@@ -413,10 +413,10 @@
+ op[3] = t3;
+ }
+ } else if (stride == 4) {
+- t0 = ToLinear8[ca = wp[3]];
+- t1 = ToLinear8[cb = wp[2]];
+- t2 = ToLinear8[cg = wp[1]];
+- t3 = ToLinear8[cr = wp[0]];
++ t0 = ToLinear8[ca = (wp[3] & mask)];
++ t1 = ToLinear8[cb = (wp[2] & mask)];
++ t2 = ToLinear8[cg = (wp[1] & mask)];
++ t3 = ToLinear8[cr = (wp[0] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -630,10 +630,10 @@
+ return guess;
+ }
+
+-static uint32
+-multiply(size_t m1, size_t m2)
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
+ {
+- uint32 bytes = m1 * m2;
++ tsize_t bytes = m1 * m2;
+
+ if (m1 && bytes / m1 != m2)
+ bytes = 0;
+@@ -641,6 +641,20 @@
+ return bytes;
+ }
+
++static tsize_t
++add_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogSetupDecode(TIFF* tif)
+ {
+@@ -661,6 +675,8 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
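Review bot: The overflow tests in `add_ms` and the retyped `multiply` run after `m1 + m2` / `m1 * m2` has already been evaluated in `tsize_t`; if that type is signed in this libtiff series (the typedef is not shown here, so confirm), the overflow is undefined behaviour and a compiler may remove the `bytes <= m1` and `bytes / m1 != m2` comparisons, which are the only guard in front of `_TIFFmalloc(tbuf_size)`. Negative operands, such as an image width that does not fit the signed range, are rejected only as a side effect of the `bytes <= m2` test. I would start both helpers with `if (m1 <= 0 || m2 <= 0) return 0;` and then, before doing the arithmetic, compare one operand against the type's maximum minus the other (in `add_ms`) or divided by the other (in `multiply`). If the post-hoc form is kept, add `/* assumes tsize_t arithmetic wraps on overflow */` above each check so the dependency is visible to whoever next changes the build flags. `PixarLogSetupDecode` continues beyond the last line of the hunk, so the later uses of `tbuf_size` cannot be checked from here.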