rpms/libtiff/F-10 libtiff-3.8.2-CVE-2009-2347.patch, NONE, 1.1 libtiff.spec, 1.53, 1.54

Tom Lane tgl at fedoraproject.org
Mon Jul 13 14:44:47 UTC 2009


Author: tgl

Update of /cvs/pkgs/rpms/libtiff/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6916

Modified Files:
	libtiff.spec 
Added Files:
	libtiff-3.8.2-CVE-2009-2347.patch 
Log Message:
Fix CVE-2009-2347

libtiff-3.8.2-CVE-2009-2347.patch:

--- NEW FILE libtiff-3.8.2-CVE-2009-2347.patch ---
Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
possible integer overflow in calculation of buffer sizes.

CVE-2009-2347


diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
--- tiff-3.8.2.orig/tools/rgb2ycbcr.c	2004-09-03 03:57:13.000000000 -0400
+++ tiff-3.8.2/tools/rgb2ycbcr.c	2009-07-10 17:12:32.000000000 -0400
@@ -202,6 +202,17 @@
 #undef LumaBlue
 #undef V2Code
 
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+    tsize_t prod = m1 * m2;
+
+    if (m1 && prod / m1 != m2)
+        prod = 0;		/* overflow */
+
+    return prod;
+}
+
 /*
  * Convert a strip of RGB data to YCbCr and
  * sample to generate the output data.
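Review bot: `multiply()` tests for overflow only after `m1 * m2` has been evaluated, which is undefined behaviour if `tsize_t` is a signed type (its typedef is not visible here, but I believe it is signed in libtiff 3.x). An optimising compiler may therefore assume the `prod / m1 != m2` test never fires and remove it. Check the bound by division before multiplying and reject negative operands, e.g. `if (m1 < 0 || m2 < 0 || (m1 && m2 > TSIZE_MAX / m1)) return 0;`, where `TSIZE_MAX` is a placeholder for the largest value `tsize_t` can hold. The identical helper added to tools/tiff2rgba.c later in this patch needs the same change. A one-line comment saying that a return of 0 means "overflow or a zero operand" would make the contract clear to callers.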
@@ -278,10 +289,19 @@
 	float floatv;
 	char *stringv;
 	uint32 longv;
+	tsize_t raster_size;
 
 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-	raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+
+	raster_size = multiply(multiply(width, height), sizeof (uint32));
+	if (!raster_size) {
+		TIFFError(TIFFFileName(in),
+			  "Can't allocate buffer for raster of size %lux%lu",
+			  (unsigned long) width, (unsigned long) height);
+		return (0);
+	}
+	raster = (uint32*)_TIFFmalloc(raster_size);
 	if (raster == 0) {
 		TIFFError(TIFFFileName(in), "No space for raster buffer");
 		return (0);
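Review bot: The `if (!raster_size)` guard rejects only a zero result, but `width` and `height` (declared outside this hunk, presumably `uint32`) are converted implicitly to `tsize_t` at the call. If that type is signed, a dimension above its maximum arrives negative, and the product can come back negative and non-zero. The code then depends on `_TIFFmalloc` refusing such a request rather than on the overflow check itself. Writing the guard as `if (raster_size <= 0)` closes that gap. The same applies to the three allocation sites changed in tools/tiff2rgba.c: the one in cvt_by_tile, and the `width * rowsperstrip` and `width * height` sites.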
diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
--- tiff-3.8.2.orig/tools/tiff2rgba.c	2004-11-07 06:08:37.000000000 -0500
+++ tiff-3.8.2/tools/tiff2rgba.c	2009-07-10 17:06:42.000000000 -0400
@@ -124,6 +124,17 @@
     return (0);
 }
 
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+    tsize_t prod = m1 * m2;
+
+    if (m1 && prod / m1 != m2)
+        prod = 0;		/* overflow */
+
+    return prod;
+}
+
 static int
 cvt_by_tile( TIFF *in, TIFF *out )
 
@@ -133,6 +144,7 @@
     uint32  tile_width, tile_height;
     uint32  row, col;
     uint32  *wrk_line;
+    tsize_t raster_size;
     int	    ok = 1;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -150,7 +162,14 @@
     /*
      * Allocate tile buffer
      */
-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+    raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+    if (!raster_size) {
+	TIFFError(TIFFFileName(in),
+		  "Can't allocate buffer for raster of size %lux%lu",
+		  (unsigned long) tile_width, (unsigned long) tile_height);
+	return (0);
+    }
+    raster = (uint32*)_TIFFmalloc(raster_size);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -158,7 +177,7 @@
 
     /*
      * Allocate a scanline buffer for swapping during the vertical
-     * mirroring pass.
+     * mirroring pass.  (Request can't overflow given prior checks.)
      */
     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
     if (!wrk_line) {
@@ -226,6 +245,7 @@
     uint32  width, height;		/* image width & height */
     uint32  row;
     uint32  *wrk_line;
+    tsize_t raster_size;
     int	    ok = 1;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -241,7 +261,14 @@
     /*
      * Allocate strip buffer
      */
-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+    if (!raster_size) {
+	TIFFError(TIFFFileName(in),
+		  "Can't allocate buffer for raster of size %lux%lu",
+		  (unsigned long) width, (unsigned long) rowsperstrip);
+	return (0);
+    }
+    raster = (uint32*)_TIFFmalloc(raster_size);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -249,7 +276,7 @@
 
     /*
      * Allocate a scanline buffer for swapping during the vertical
-     * mirroring pass.
+     * mirroring pass.  (Request can't overflow given prior checks.)
      */
     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
     if (!wrk_line) {
@@ -328,14 +355,22 @@
     uint32* raster;			/* retrieve RGBA image */
     uint32  width, height;		/* image width & height */
     uint32  row;
-        
+    tsize_t raster_size;
+
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
 
     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
 
-    raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+    raster_size = multiply(multiply(width, height), sizeof (uint32));
+    if (!raster_size) {
+	TIFFError(TIFFFileName(in),
+		  "Can't allocate buffer for raster of size %lux%lu",
+		  (unsigned long) width, (unsigned long) height);
+	return (0);
+    }
+    raster = (uint32*)_TIFFmalloc(raster_size);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -353,7 +388,7 @@
     */
     if( no_alpha )
     {
-        int	pixel_count = width * height;
+        tsize_t  pixel_count = (tsize_t) width * (tsize_t) height;
         unsigned char *src, *dst;
 
         src = (unsigned char *) raster;
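Review bot: The new `pixel_count` line multiplies `width` by `height` directly instead of going through `multiply()`, and nothing at that line says why that is safe. It looks safe only because `width * height * sizeof (uint32)` was already validated when `raster` was allocated, assuming this block is in the same function as that allocation (the function starts outside this hunk). The two scanline-buffer hunks record the equivalent reasoning in a comment, so add one here as well, e.g. `/* can't overflow: width * height * sizeof (uint32) was checked above */`. Otherwise a later edit that moves or copies this block loses the guarantee silently.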


Index: libtiff.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/F-10/libtiff.spec,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -p -r1.53 -r1.54
--- libtiff.spec	1 Jul 2009 15:29:03 -0000	1.53
+++ libtiff.spec	13 Jul 2009 14:44:17 -0000	1.54
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 3.8.2
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.remotesensing.org/libtiff/
@@ -12,6 +12,7 @@ Patch1: libtiff-3.8.2-ormandy.patch
 Patch2: libtiff-3.8.2-CVE-2006-2193.patch
 Patch3: libtiff-3.8.2-mantypo.patch
 Patch4: libtiff-3.8.2-lzw-bugs.patch
+Patch5: libtiff-3.8.2-CVE-2009-2347.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@@ -58,6 +59,7 @@ necessary for some boot packages.
 %patch2 -p1 -b .CVE-2006-2193
 %patch3 -p1 -b .mantypo
 %patch4 -p1
+%patch5 -p1
 
 %build
 export CFLAGS="%{optflags} -fno-strict-aliasing"
@@ -157,6 +159,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/*.a
 
 %changelog
+* Mon Jul 13 2009 Tom Lane <tgl at redhat.com> 3.8.2-14
+- Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347)
+Related: #510041
+
 * Wed Jul  1 2009 Tom Lane <tgl at redhat.com> 3.8.2-13
 - Fix some more LZW decoding vulnerabilities (CVE-2009-2285)
 Related: #507465



