From 4e574b64ac30b77c767f6466eaced934c7a4ce54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucio=20Andr=C3=A9s=20Illanes=20Albornoz?= Date: Sat, 23 Mar 2019 17:56:18 +0000 Subject: vars/build.vars:{clzip,expat}{_host,}: updated to v{1.11,2.2.6} (via Redfoxmoon.) vars/build.vars:libxml2: updated to v2.9.9 (via Redfoxmoon.) vars/build.vars:libunistring: updated to v0.9.10 (via Redfoxmoon.) vars/build.vars:libpng: updated to v1.6.36 (via Redfoxmoon.) vars/build.vars:tiff: updated to v4.0.10 (via Redfoxmoon.) vars/build.vars:gdbm: updated to v1.18.1 (via Redfoxmoon.) vars/build.vars:pcre: updated to v8.43 (via Redfoxmoon.) vars/build.vars:gzip: updated to v1.10 (via Redfoxmoon.) vars/build.vars:gzip:${PKG_{CFLAGS_CONFIGURE_EXTRA,CONFIGURE_ARGS,MAKEFLAGS_{BUILD,INSTALL}_EXTRA}}: unset (via Redfoxmoon.) vars/build.vars:libvorbis: updated to v1.3.6 (via Redfoxmoon.) vars/build.vars:libxslt: updated to v1.1.33 (via Redfoxmoon.) vars/build.vars:libtirpc: updated to v1.1.4 (via Redfoxmoon.) patches/expat-2.2.{5,6}.local.patch: updated (via Redfoxmoon.) patches/libtirpc-1.{0.3,1.4}.local.patch: updated (via Redfoxmoon.) patches/libvorbis-1.3.5.local.patch: removes obsolete patch (via Redfoxmoon.) patches/libxslt-1.1.3{2,3}.local.patch: updated (via Redfoxmoon.) patches/pcre-8.4{2,3}.local.patch: updated (via Redfoxmoon.) patches/tiff/CVE-{2017-{11613,17095,18013,9935},2018-{10963,5784,7456,8905}}.patch: removes obsolete patches (via Redfoxmoon.) patches/tiff/CVE-2018-12900.patch: added (via Redfoxmoon.) --- patches/expat-2.2.5.local.patch | 13 --- patches/expat-2.2.6.local.patch | 13 +++ patches/libtirpc-1.0.3.local.patch | 90 ------------------- patches/libtirpc-1.1.4.local.patch | 90 +++++++++++++++++++ patches/libvorbis-1.3.5.local.patch | 57 ------------ patches/libxslt-1.1.32.local.patch | 15 ---- patches/libxslt-1.1.33.local.patch | 15 ++++ patches/pcre-8.42.local.patch | 11 --- patches/pcre-8.43.local.patch | 11 +++ patches/tiff/CVE-2017-11613.patch | 44 ---------- patches/tiff/CVE-2017-17095.patch | 28 ------ patches/tiff/CVE-2017-18013.patch | 34 -------- patches/tiff/CVE-2017-9935.patch | 164 ---------------------------------- patches/tiff/CVE-2018-10963.patch | 31 ------- patches/tiff/CVE-2018-12900.patch | 29 ++++++ patches/tiff/CVE-2018-5784.patch | 128 --------------------------- patches/tiff/CVE-2018-7456.patch | 170 ------------------------------------ patches/tiff/CVE-2018-8905.patch | 51 ----------- 18 files changed, 158 insertions(+), 836 deletions(-) delete mode 100644 patches/expat-2.2.5.local.patch create mode 100644 patches/expat-2.2.6.local.patch delete mode 100644 patches/libtirpc-1.0.3.local.patch create mode 100644 patches/libtirpc-1.1.4.local.patch delete mode 100644 patches/libvorbis-1.3.5.local.patch delete mode 100644 patches/libxslt-1.1.32.local.patch create mode 100644 patches/libxslt-1.1.33.local.patch delete mode 100644 patches/pcre-8.42.local.patch create mode 100644 patches/pcre-8.43.local.patch delete mode 100644 patches/tiff/CVE-2017-11613.patch delete mode 100644 patches/tiff/CVE-2017-17095.patch delete mode 100644 patches/tiff/CVE-2017-18013.patch delete mode 100644 patches/tiff/CVE-2017-9935.patch delete mode 100644 patches/tiff/CVE-2018-10963.patch create mode 100644 patches/tiff/CVE-2018-12900.patch delete mode 100644 patches/tiff/CVE-2018-5784.patch delete mode 100644 patches/tiff/CVE-2018-7456.patch delete mode 100644 patches/tiff/CVE-2018-8905.patch (limited to 'patches') diff --git a/patches/expat-2.2.5.local.patch b/patches/expat-2.2.5.local.patch deleted file mode 100644 index b6f1446b..00000000 --- a/patches/expat-2.2.5.local.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- expat-2.2.0/configure.orig 2016-06-21 15:52:05.000000000 +0200 -+++ expat-2.2.0/configure 2017-08-02 22:31:27.913780534 +0200 -@@ -7493,8 +7493,8 @@ - # This can be used to rebuild libtool when needed - LIBTOOL_DEPS=$ltmain - --# Always use our own libtool. --LIBTOOL='$(SHELL) $(top_builddir)/libtool' -+# NEIN -+# LIBTOOL='$(top_builddir)/libtool' - - - diff --git a/patches/expat-2.2.6.local.patch b/patches/expat-2.2.6.local.patch new file mode 100644 index 00000000..b6f1446b --- /dev/null +++ b/patches/expat-2.2.6.local.patch @@ -0,0 +1,13 @@ +--- expat-2.2.0/configure.orig 2016-06-21 15:52:05.000000000 +0200 ++++ expat-2.2.0/configure 2017-08-02 22:31:27.913780534 +0200 +@@ -7493,8 +7493,8 @@ + # This can be used to rebuild libtool when needed + LIBTOOL_DEPS=$ltmain + +-# Always use our own libtool. +-LIBTOOL='$(SHELL) $(top_builddir)/libtool' ++# NEIN ++# LIBTOOL='$(top_builddir)/libtool' + + + diff --git a/patches/libtirpc-1.0.3.local.patch b/patches/libtirpc-1.0.3.local.patch deleted file mode 100644 index 535880fe..00000000 --- a/patches/libtirpc-1.0.3.local.patch +++ /dev/null @@ -1,90 +0,0 @@ -diff -ru libtirpc-1.0.3.orig/src/bindresvport.c libtirpc-1.0.3/src/bindresvport.c ---- libtirpc-1.0.3.orig/src/bindresvport.c 2018-03-14 14:55:12.000000000 +0100 -+++ libtirpc-1.0.3/src/bindresvport.c 2018-08-04 19:37:31.972078008 +0200 -@@ -61,7 +61,7 @@ - return bindresvport_sa(sd, (struct sockaddr *)sin); - } - --#ifdef __linux__ -+#if defined(__linux__) || defined(__midipix__) - - #define STARTPORT 600 - #define LOWPORT 512 -diff -ru libtirpc-1.0.3.orig/src/clnt_dg.c libtirpc-1.0.3/src/clnt_dg.c ---- libtirpc-1.0.3.orig/src/clnt_dg.c 2018-03-14 14:55:12.000000000 +0100 -+++ libtirpc-1.0.3/src/clnt_dg.c 2018-08-04 19:41:06.325266026 +0200 -@@ -54,12 +54,16 @@ - #include - #include "rpc_com.h" - --#ifdef IP_RECVERR -+#if defined(IP_RECVERR) && !defined(__midipix__) - #include - #include - #include - #endif - -+#ifdef __midipix__ -+#include -+#endif -+ - - #define MAX_DEFAULT_FDS 20000 - -@@ -421,7 +425,7 @@ - } - break; - } --#ifdef IP_RECVERR -+#if defined(IP_RECVERR) && !defined(__midipix__) - if (fd.revents & POLLERR) - { - struct msghdr msg; -diff -ru libtirpc-1.0.3.orig/src/rtime.c libtirpc-1.0.3/src/rtime.c ---- libtirpc-1.0.3.orig/src/rtime.c 2018-03-14 14:55:12.000000000 +0100 -+++ libtirpc-1.0.3/src/rtime.c 2018-08-04 19:47:49.089270334 +0200 -@@ -46,7 +46,7 @@ - #include - #include - #include --#include -+#include - #include - #include - #include -diff -ru libtirpc-1.0.3.orig/src/svc_run.c libtirpc-1.0.3/src/svc_run.c ---- libtirpc-1.0.3.orig/src/svc_run.c 2018-03-14 14:55:12.000000000 +0100 -+++ libtirpc-1.0.3/src/svc_run.c 2018-08-04 19:48:02.569155655 +0200 -@@ -37,7 +37,7 @@ - #include - #include - #include --#include -+#include - - - #include -diff -ru libtirpc-1.0.3.orig/tirpc/reentrant.h libtirpc-1.0.3/tirpc/reentrant.h ---- libtirpc-1.0.3.orig/tirpc/reentrant.h 2018-03-14 14:55:12.000000000 +0100 -+++ libtirpc-1.0.3/tirpc/reentrant.h 2018-08-04 19:23:48.165632436 +0200 -@@ -36,7 +36,7 @@ - * These definitions are only guaranteed to be valid on Linux. - */ - --#if defined(__linux__) -+#if defined(__linux__) || defined(__midipix__) - - #include - -diff -ru libtirpc-1.0.3.orig/tirpc/rpc/types.h libtirpc-1.0.3/tirpc/rpc/types.h ---- libtirpc-1.0.3.orig/tirpc/rpc/types.h 2018-03-14 14:55:12.000000000 +0100 -+++ libtirpc-1.0.3/tirpc/rpc/types.h 2018-08-04 19:18:35.415064046 +0200 -@@ -66,7 +66,7 @@ - #define mem_free(ptr, bsize) free(ptr) - - --#if defined __APPLE_CC__ || defined __FreeBSD__ -+#if defined __APPLE_CC__ || defined __FreeBSD__ || !defined(__GLIBC__) - # define __u_char_defined - # define __daddr_t_defined - #endif diff --git a/patches/libtirpc-1.1.4.local.patch b/patches/libtirpc-1.1.4.local.patch new file mode 100644 index 00000000..535880fe --- /dev/null +++ b/patches/libtirpc-1.1.4.local.patch @@ -0,0 +1,90 @@ +diff -ru libtirpc-1.0.3.orig/src/bindresvport.c libtirpc-1.0.3/src/bindresvport.c +--- libtirpc-1.0.3.orig/src/bindresvport.c 2018-03-14 14:55:12.000000000 +0100 ++++ libtirpc-1.0.3/src/bindresvport.c 2018-08-04 19:37:31.972078008 +0200 +@@ -61,7 +61,7 @@ + return bindresvport_sa(sd, (struct sockaddr *)sin); + } + +-#ifdef __linux__ ++#if defined(__linux__) || defined(__midipix__) + + #define STARTPORT 600 + #define LOWPORT 512 +diff -ru libtirpc-1.0.3.orig/src/clnt_dg.c libtirpc-1.0.3/src/clnt_dg.c +--- libtirpc-1.0.3.orig/src/clnt_dg.c 2018-03-14 14:55:12.000000000 +0100 ++++ libtirpc-1.0.3/src/clnt_dg.c 2018-08-04 19:41:06.325266026 +0200 +@@ -54,12 +54,16 @@ + #include + #include "rpc_com.h" + +-#ifdef IP_RECVERR ++#if defined(IP_RECVERR) && !defined(__midipix__) + #include + #include + #include + #endif + ++#ifdef __midipix__ ++#include ++#endif ++ + + #define MAX_DEFAULT_FDS 20000 + +@@ -421,7 +425,7 @@ + } + break; + } +-#ifdef IP_RECVERR ++#if defined(IP_RECVERR) && !defined(__midipix__) + if (fd.revents & POLLERR) + { + struct msghdr msg; +diff -ru libtirpc-1.0.3.orig/src/rtime.c libtirpc-1.0.3/src/rtime.c +--- libtirpc-1.0.3.orig/src/rtime.c 2018-03-14 14:55:12.000000000 +0100 ++++ libtirpc-1.0.3/src/rtime.c 2018-08-04 19:47:49.089270334 +0200 +@@ -46,7 +46,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +diff -ru libtirpc-1.0.3.orig/src/svc_run.c libtirpc-1.0.3/src/svc_run.c +--- libtirpc-1.0.3.orig/src/svc_run.c 2018-03-14 14:55:12.000000000 +0100 ++++ libtirpc-1.0.3/src/svc_run.c 2018-08-04 19:48:02.569155655 +0200 +@@ -37,7 +37,7 @@ + #include + #include + #include +-#include ++#include + + + #include +diff -ru libtirpc-1.0.3.orig/tirpc/reentrant.h libtirpc-1.0.3/tirpc/reentrant.h +--- libtirpc-1.0.3.orig/tirpc/reentrant.h 2018-03-14 14:55:12.000000000 +0100 ++++ libtirpc-1.0.3/tirpc/reentrant.h 2018-08-04 19:23:48.165632436 +0200 +@@ -36,7 +36,7 @@ + * These definitions are only guaranteed to be valid on Linux. + */ + +-#if defined(__linux__) ++#if defined(__linux__) || defined(__midipix__) + + #include + +diff -ru libtirpc-1.0.3.orig/tirpc/rpc/types.h libtirpc-1.0.3/tirpc/rpc/types.h +--- libtirpc-1.0.3.orig/tirpc/rpc/types.h 2018-03-14 14:55:12.000000000 +0100 ++++ libtirpc-1.0.3/tirpc/rpc/types.h 2018-08-04 19:18:35.415064046 +0200 +@@ -66,7 +66,7 @@ + #define mem_free(ptr, bsize) free(ptr) + + +-#if defined __APPLE_CC__ || defined __FreeBSD__ ++#if defined __APPLE_CC__ || defined __FreeBSD__ || !defined(__GLIBC__) + # define __u_char_defined + # define __daddr_t_defined + #endif diff --git a/patches/libvorbis-1.3.5.local.patch b/patches/libvorbis-1.3.5.local.patch deleted file mode 100644 index e52de1dd..00000000 --- a/patches/libvorbis-1.3.5.local.patch +++ /dev/null @@ -1,57 +0,0 @@ -diff -ru libvorbis-1.3.5.orig/lib/info.c libvorbis-1.3.5/lib/info.c ---- libvorbis-1.3.5.orig/lib/info.c 2015-02-26 22:58:19.000000000 +0100 -+++ libvorbis-1.3.5/lib/info.c 2018-02-27 16:47:27.373883142 +0100 -@@ -583,7 +583,8 @@ - oggpack_buffer opb; - private_state *b=v->backend_state; - -- if(!b||vi->channels<=0){ -+ if(!b||vi->channels<=0||vi->channels>256){ -+ b = NULL; - ret=OV_EFAULT; - goto err_out; - } -diff -ru libvorbis-1.3.5.orig/lib/psy.c libvorbis-1.3.5/lib/psy.c ---- libvorbis-1.3.5.orig/lib/psy.c 2013-11-12 05:01:54.000000000 +0100 -+++ libvorbis-1.3.5/lib/psy.c 2018-02-27 16:47:58.285637422 +0100 -@@ -600,7 +600,7 @@ - XY[i] = tXY; - } - -- for (i = 0, x = 0.f;; i++, x += 1.f) { -+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { - - lo = b[i] >> 16; - if( lo>=0 ) break; -@@ -622,12 +622,11 @@ - noise[i] = R - offset; - } - -- for ( ;; i++, x += 1.f) { -+ for ( ; i < n; i++, x += 1.f) { - - lo = b[i] >> 16; - hi = b[i] & 0xffff; - if(hi>=n)break; -- - tN = N[hi] - N[lo]; - tX = X[hi] - X[lo]; - tXX = XX[hi] - XX[lo]; -@@ -652,7 +651,7 @@ - - if (fixed <= 0) return; - -- for (i = 0, x = 0.f;; i++, x += 1.f) { -+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { - hi = i + fixed / 2; - lo = hi - fixed; - if(lo>=0)break; -@@ -671,7 +670,7 @@ - - if (R - offset < noise[i]) noise[i] = R - offset; - } -- for ( ;; i++, x += 1.f) { -+ for ( ; i < n; i++, x += 1.f) { - - hi = i + fixed / 2; - lo = hi - fixed; diff --git a/patches/libxslt-1.1.32.local.patch b/patches/libxslt-1.1.32.local.patch deleted file mode 100644 index 1cf25319..00000000 --- a/patches/libxslt-1.1.32.local.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -ru libxslt-1.1.32.orig/Makefile.in libxslt-1.1.32/Makefile.in ---- libxslt-1.1.32.orig/Makefile.in 2017-11-02 21:34:22.000000000 +0100 -+++ libxslt-1.1.32/Makefile.in 2018-08-04 15:15:09.283854093 +0200 -@@ -415,10 +415,7 @@ - SUBDIRS = \ - libxslt \ - libexslt \ -- xsltproc \ -- doc \ -- $(PYTHON_SUBDIR) \ -- tests -+ xsltproc - - DIST_SUBDIRS = libxslt libexslt xsltproc python doc tests - confexecdir = $(libdir) diff --git a/patches/libxslt-1.1.33.local.patch b/patches/libxslt-1.1.33.local.patch new file mode 100644 index 00000000..1cf25319 --- /dev/null +++ b/patches/libxslt-1.1.33.local.patch @@ -0,0 +1,15 @@ +diff -ru libxslt-1.1.32.orig/Makefile.in libxslt-1.1.32/Makefile.in +--- libxslt-1.1.32.orig/Makefile.in 2017-11-02 21:34:22.000000000 +0100 ++++ libxslt-1.1.32/Makefile.in 2018-08-04 15:15:09.283854093 +0200 +@@ -415,10 +415,7 @@ + SUBDIRS = \ + libxslt \ + libexslt \ +- xsltproc \ +- doc \ +- $(PYTHON_SUBDIR) \ +- tests ++ xsltproc + + DIST_SUBDIRS = libxslt libexslt xsltproc python doc tests + confexecdir = $(libdir) diff --git a/patches/pcre-8.42.local.patch b/patches/pcre-8.42.local.patch deleted file mode 100644 index babbfce9..00000000 --- a/patches/pcre-8.42.local.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- pcre-8.42/Makefile.in.orig 2018-03-20 10:53:18.000000000 +0000 -+++ pcre-8.42/Makefile.in 2018-08-21 20:20:32.800000000 +0000 -@@ -1081,7 +1081,7 @@ - # it is generated from pcre.h.in. - nodist_include_HEADERS = pcre.h $(am__append_1) - include_HEADERS = pcreposix.h $(am__append_2) --bin_SCRIPTS = pcre-config -+bin_SCRIPTS = - @WITH_REBUILD_CHARTABLES_TRUE@dftables_SOURCES = dftables.c - BUILT_SOURCES = pcre_chartables.c - @WITH_PCRE8_TRUE@libpcre_la_SOURCES = \ diff --git a/patches/pcre-8.43.local.patch b/patches/pcre-8.43.local.patch new file mode 100644 index 00000000..babbfce9 --- /dev/null +++ b/patches/pcre-8.43.local.patch @@ -0,0 +1,11 @@ +--- pcre-8.42/Makefile.in.orig 2018-03-20 10:53:18.000000000 +0000 ++++ pcre-8.42/Makefile.in 2018-08-21 20:20:32.800000000 +0000 +@@ -1081,7 +1081,7 @@ + # it is generated from pcre.h.in. + nodist_include_HEADERS = pcre.h $(am__append_1) + include_HEADERS = pcreposix.h $(am__append_2) +-bin_SCRIPTS = pcre-config ++bin_SCRIPTS = + @WITH_REBUILD_CHARTABLES_TRUE@dftables_SOURCES = dftables.c + BUILT_SOURCES = pcre_chartables.c + @WITH_PCRE8_TRUE@libpcre_la_SOURCES = \ diff --git a/patches/tiff/CVE-2017-11613.patch b/patches/tiff/CVE-2017-11613.patch deleted file mode 100644 index b3f600a9..00000000 --- a/patches/tiff/CVE-2017-11613.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 11 Mar 2018 11:14:01 +0100 -Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion - (CVE-2017-11613) - -In ChopUpSingleUncompressedStrip(), if the computed number of strips is big -enough and we are in read only mode, validate that the file size is consistent -with that number of strips to avoid useless attempts at allocating a lot of -memory for the td_stripbytecount and td_stripoffset arrays. - -Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more -cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. -Credit to OSS Fuzz - -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 ---- - libtiff/tif_dirread.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 80aaf8d..5896a78 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - if( nstrips == 0 ) - return; - -+ /* If we are going to allocate a lot of memory, make sure that the */ -+ /* file is as big as needed */ -+ if( tif->tif_mode == O_RDONLY && -+ nstrips > 1000000 && -+ (offset >= TIFFGetFileSize(tif) || -+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) -+ { -+ return; -+ } -+ - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripByteCounts\" array"); - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), --- -2.17.1 - diff --git a/patches/tiff/CVE-2017-17095.patch b/patches/tiff/CVE-2017-17095.patch deleted file mode 100644 index 760c9553..00000000 --- a/patches/tiff/CVE-2017-17095.patch +++ /dev/null @@ -1,28 +0,0 @@ -Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5 - -diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c -index 7a57800..8443fce 100644 ---- a/tools/pal2rgb.c -+++ b/tools/pal2rgb.c -@@ -184,8 +184,19 @@ main(int argc, char* argv[]) - { unsigned char *ibuf, *obuf; - register unsigned char* pp; - register uint32 x; -- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); -- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); -+ tmsize_t tss_in = TIFFScanlineSize(in); -+ tmsize_t tss_out = TIFFScanlineSize(out); -+ if (tss_out / tss_in < 3) { -+ /* -+ * BUG 2750: The following code assumes the output buffer is 3x the -+ * length of the input buffer due to exploding the palette into -+ * RGB tuples. If this doesn't happen, fail now. -+ */ -+ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); -+ return -1; -+ } -+ ibuf = (unsigned char*)_TIFFmalloc(tss_in); -+ obuf = (unsigned char*)_TIFFmalloc(tss_out); - switch (config) { - case PLANARCONFIG_CONTIG: - for (row = 0; row < imagelength; row++) { diff --git a/patches/tiff/CVE-2017-18013.patch b/patches/tiff/CVE-2017-18013.patch deleted file mode 100644 index 5f56ff25..00000000 --- a/patches/tiff/CVE-2017-18013.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 31 Dec 2017 15:09:41 +0100 -Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770 - ---- - libtiff/tif_print.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index 9959d35..8deceb2 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -667,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", - (unsigned long) s, -- (unsigned __int64) td->td_stripoffset[s], -- (unsigned __int64) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); - #else - fprintf(fd, " %3lu: [%8llu, %8llu]\n", - (unsigned long) s, -- (unsigned long long) td->td_stripoffset[s], -- (unsigned long long) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); - #endif - } - } --- -libgit2 0.26.0 - diff --git a/patches/tiff/CVE-2017-9935.patch b/patches/tiff/CVE-2017-9935.patch deleted file mode 100644 index 39327ffb..00000000 --- a/patches/tiff/CVE-2017-9935.patch +++ /dev/null @@ -1,164 +0,0 @@ -From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001 -From: Brian May -Date: Thu, 7 Dec 2017 07:46:47 +1100 -Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935 - -Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 - -This vulnerability - at least for the supplied test case - is because we -assume that a tiff will only have one transfer function that is the same -for all pages. This is not required by the TIFF standards. - -We than read the transfer function for every page. Depending on the -transfer function, we allocate either 2 or 4 bytes to the XREF buffer. -We allocate this memory after we read in the transfer function for the -page. - -For the first exploit - POC1, this file has 3 pages. For the first page -we allocate 2 extra extra XREF entries. Then for the next page 2 more -entries. Then for the last page the transfer function changes and we -allocate 4 more entries. - -When we read the file into memory, we assume we have 4 bytes extra for -each and every page (as per the last transfer function we read). Which -is not correct, we only have 2 bytes extra for the first 2 pages. As a -result, we end up writing past the end of the buffer. - -There are also some related issues that this also fixes. For example, -TIFFGetField can return uninitalized pointer values, and the logic to -detect a N=3 vs N=1 transfer function seemed rather strange. - -It is also strange that we declare the transfer functions to be of type -float, when the standard says they are unsigned 16 bit values. This is -fixed in another patch. - -This patch will check to ensure that the N value for every transfer -function is the same for every page. If this changes, we abort with an -error. In theory, we should perhaps check that the transfer function -itself is identical for every page, however we don't do that due to the -confusion of the type of the data in the transfer function. ---- - libtiff/tif_dir.c | 3 +++ - tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++---------------- - 2 files changed, 49 insertions(+), 23 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index f00f808..c36a5f3 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) - if (td->td_samplesperpixel - td->td_extrasamples > 1) { - *va_arg(ap, uint16**) = td->td_transferfunction[1]; - *va_arg(ap, uint16**) = td->td_transferfunction[2]; -+ } else { -+ *va_arg(ap, uint16**) = NULL; -+ *va_arg(ap, uint16**) = NULL; - } - break; - case TIFFTAG_REFERENCEBLACKWHITE: -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index bdb9126..bd23c9e 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -239,7 +239,7 @@ typedef struct { - float tiff_whitechromaticities[2]; - float tiff_primarychromaticities[6]; - float tiff_referenceblackwhite[2]; -- float* tiff_transferfunction[3]; -+ uint16* tiff_transferfunction[3]; - int pdf_image_interpolate; /* 0 (default) : do not interpolate, - 1 : interpolate */ - uint16 tiff_transferfunctioncount; -@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16 pagen=0; - uint16 paged=0; - uint16 xuint16=0; -+ uint16 tiff_transferfunctioncount=0; -+ uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); - if(directorycount > TIFF_DIR_MAX) { -@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - } - #endif - if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, -- &(t2p->tiff_transferfunction[0]), -- &(t2p->tiff_transferfunction[1]), -- &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -- t2p->tiff_transferfunctioncount = 3; -- t2p->tiff_pages[i].page_extra += 4; -- t2p->pdf_xrefcount += 4; -- } else { -- t2p->tiff_transferfunctioncount = 1; -- t2p->tiff_pages[i].page_extra += 2; -- t2p->pdf_xrefcount += 2; -- } -- if(t2p->pdf_minorversion < 2) -- t2p->pdf_minorversion = 2; -+ &(tiff_transferfunction[0]), -+ &(tiff_transferfunction[1]), -+ &(tiff_transferfunction[2]))) { -+ -+ if((tiff_transferfunction[1] != (uint16*) NULL) && -+ (tiff_transferfunction[2] != (uint16*) NULL) -+ ) { -+ tiff_transferfunctioncount=3; -+ } else { -+ tiff_transferfunctioncount=1; -+ } - } else { -- t2p->tiff_transferfunctioncount=0; -+ tiff_transferfunctioncount=0; - } -+ -+ if (i > 0){ -+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Different transfer function on page %d", -+ i); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } -+ } -+ -+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; -+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; -+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; -+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; -+ if(tiff_transferfunctioncount == 3){ -+ t2p->tiff_pages[i].page_extra += 4; -+ t2p->pdf_xrefcount += 4; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } else if (tiff_transferfunctioncount == 1){ -+ t2p->tiff_pages[i].page_extra += 2; -+ t2p->pdf_xrefcount += 2; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } -+ - if( TIFFGetField( - input, - TIFFTAG_ICCPROFILE, -@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && -+ (t2p->tiff_transferfunction[2] != (uint16*) NULL) -+ ) { - t2p->tiff_transferfunctioncount=3; - } else { - t2p->tiff_transferfunctioncount=1; --- -2.17.0 - diff --git a/patches/tiff/CVE-2018-10963.patch b/patches/tiff/CVE-2018-10963.patch deleted file mode 100644 index 039b7c1a..00000000 --- a/patches/tiff/CVE-2018-10963.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 12 May 2018 14:24:15 +0200 -Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 - ---- - libtiff/tif_dirwrite.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index c68d6d2..5d0a669 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) - } - break; - default: -- assert(0); /* we should never get here */ -- break; -+ TIFFErrorExt(tif->tif_clientdata,module, -+ "Cannot write tag %d (%s)", -+ TIFFFieldTag(o), -+ o->field_name ? o->field_name : "unknown"); -+ goto bad; - } - } - } --- -2.17.0 - diff --git a/patches/tiff/CVE-2018-12900.patch b/patches/tiff/CVE-2018-12900.patch new file mode 100644 index 00000000..f95cd06a --- /dev/null +++ b/patches/tiff/CVE-2018-12900.patch @@ -0,0 +1,29 @@ +From 86861b86f26be5301ccfa96f9bf765051f4e644a Mon Sep 17 00:00:00 2001 +From: pgajdos +Date: Tue, 13 Nov 2018 09:03:31 +0100 +Subject: [PATCH] prevent integer overflow + +--- + tools/tiffcp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 2f406e2d..ece7ba13 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1435,6 +1435,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + status = 0; + goto done; + } ++ if (0xFFFFFFFF / tilew < spp) ++ { ++ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps); ++ status = 0; ++ goto done; ++ } + bytes_per_sample = bps/8; + + for (row = 0; row < imagelength; row += tl) { +-- +2.18.1 + diff --git a/patches/tiff/CVE-2018-5784.patch b/patches/tiff/CVE-2018-5784.patch deleted file mode 100644 index 92fc2daf..00000000 --- a/patches/tiff/CVE-2018-5784.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001 -From: Nathan Baker -Date: Tue, 6 Feb 2018 10:13:57 -0500 -Subject: [PATCH] Fix for bug 2772 - -It is possible to craft a TIFF document where the IFD list is circular, -leading to an infinite loop while traversing the chain. The libtiff -directory reader has a failsafe that will break out of this loop after -reading 65535 directory entries, but it will continue processing, -consuming time and resources to process what is essentially a bogus TIFF -document. - -This change fixes the above behavior by breaking out of processing when -a TIFF document has >= 65535 directories and terminating with an error. ---- - contrib/addtiffo/tif_overview.c | 14 +++++++++++++- - tools/tiff2pdf.c | 10 ++++++++++ - tools/tiffcrop.c | 13 +++++++++++-- - 3 files changed, 34 insertions(+), 3 deletions(-) - -diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c -index c61ffbb..03b3573 100644 ---- a/contrib/addtiffo/tif_overview.c -+++ b/contrib/addtiffo/tif_overview.c -@@ -65,6 +65,8 @@ - # define MAX(a,b) ((a>b) ? a : b) - #endif - -+#define TIFF_DIR_MAX 65534 -+ - void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, - int (*)(double,void*), void * ); - -@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - { - toff_t nBaseDirOffset; - toff_t nOffset; -+ tdir_t iNumDir; - - (void) bUseSubIFDs; - -@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - return 0; - - TIFFWriteDirectory( hTIFF ); -- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); -+ iNumDir = TIFFNumberOfDirectories(hTIFF); -+ if( iNumDir > TIFF_DIR_MAX ) -+ { -+ TIFFErrorExt( TIFFClientdata(hTIFF), -+ "TIFF_WriteOverview", -+ "File `%s' has too many directories.\n", -+ TIFFFileName(hTIFF) ); -+ exit(-1); -+ } -+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); - - nOffset = TIFFCurrentDirOffset( hTIFF ); - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index 984ef65..832a247 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); - - #define PS_UNIT_SIZE 72.0F - -+#define TIFF_DIR_MAX 65534 -+ - /* This type is of PDF color spaces. */ - typedef enum { - T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ -@@ -1049,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); -+ if(directorycount > TIFF_DIR_MAX) { -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "TIFF contains too many directories, %s", -+ TIFFFileName(input)); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); - if(t2p->tiff_pages==NULL){ - TIFFError( -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 91a38f6..e466dae 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -217,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); - #define DUMP_TEXT 1 - #define DUMP_RAW 2 - -+#define TIFF_DIR_MAX 65534 -+ - /* Offsets into buffer for margins and fixed width and length segments */ - struct offset { - uint32 tmargin; -@@ -2233,7 +2234,7 @@ main(int argc, char* argv[]) - pageNum = -1; - else - total_images = 0; -- /* read multiple input files and write to output file(s) */ -+ /* Read multiple input files and write to output file(s) */ - while (optind < argc - 1) - { - in = TIFFOpen (argv[optind], "r"); -@@ -2241,7 +2242,14 @@ main(int argc, char* argv[]) - return (-3); - - /* If only one input file is specified, we can use directory count */ -- total_images = TIFFNumberOfDirectories(in); -+ total_images = TIFFNumberOfDirectories(in); -+ if (total_images > TIFF_DIR_MAX) -+ { -+ TIFFError (TIFFFileName(in), "File contains too many directories"); -+ if (out != NULL) -+ (void) TIFFClose(out); -+ return (1); -+ } - if (image_count == 0) - { - dirnum = 0; --- -libgit2 0.26.0 - diff --git a/patches/tiff/CVE-2018-7456.patch b/patches/tiff/CVE-2018-7456.patch deleted file mode 100644 index b2d081a5..00000000 --- a/patches/tiff/CVE-2018-7456.patch +++ /dev/null @@ -1,170 +0,0 @@ -From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001 -From: Hugo Lefeuvre -Date: Sun, 8 Apr 2018 14:07:08 -0400 -Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory - -The TIFFPrintDirectory function relies on the following assumptions, -supposed to be guaranteed by the specification: - -(a) A Transfer Function field is only present if the TIFF file has - photometric type < 3. - -(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field - has count SamplesPerPixel - (Color Channels) and contains - information about supplementary channels. - -While respect of (a) and (b) are essential for the well functioning of -TIFFPrintDirectory, no checks are realized neither by the callee nor -by TIFFPrintDirectory itself. Hence, following scenarios might happen -and trigger the NULL pointer dereference: - -(1) TIFF File of photometric type 4 or more has illegal Transfer - Function field. - -(2) TIFF File has photometric type 3 or less and defines a - SamplesPerPixel field such that SamplesPerPixel > Color Channels - without defining all extra samples in the ExtraSamples fields. - -In this patch, we address both issues with respect of the following -principles: - -(A) In the case of (1), the defined transfer table should be printed - safely even if it isn't 'legal'. This allows us to avoid expensive - checks in TIFFPrintDirectory. Also, it is quite possible that - an alternative photometric type would be developed (not part of the - standard) and would allow definition of Transfer Table. We want - libtiff to be able to handle this scenario out of the box. - -(B) In the case of (2), the transfer table should be printed at its - right size, that is if TIFF file has photometric type Palette - then the transfer table should have one row and not three, even - if two extra samples are declared. - -In order to fulfill (A) we simply add a new 'i < 3' end condition to -the broken TIFFPrintDirectory loop. This makes sure that in any case -where (b) would be respected but not (a), everything stays fine. - -(B) is fulfilled by the loop condition -'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as -long as (b) is respected. - -Naturally, we also make sure (b) is respected. This is done in the -TIFFReadDirectory function by making sure any non-color channel is -counted in ExtraSamples. - -This commit addresses CVE-2018-7456. ---- - libtiff/tif_dirread.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - libtiff/tif_print.c | 2 +- - 2 files changed, 63 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 6baa7b3..af5b84a 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin - static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); - static void ChopUpSingleUncompressedStrip(TIFF*); - static uint64 TIFFReadUInt64(const uint8 *value); -+static int _TIFFGetMaxColorChannels(uint16 photometric); - - static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); - -@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c - } - - /* -+ * Return the maximum number of color channels specified for a given photometric -+ * type. 0 is returned if photometric type isn't supported or no default value -+ * is defined by the specification. -+ */ -+static int _TIFFGetMaxColorChannels( uint16 photometric ) -+{ -+ switch (photometric) { -+ case PHOTOMETRIC_PALETTE: -+ case PHOTOMETRIC_MINISWHITE: -+ case PHOTOMETRIC_MINISBLACK: -+ return 1; -+ case PHOTOMETRIC_YCBCR: -+ case PHOTOMETRIC_RGB: -+ case PHOTOMETRIC_CIELAB: -+ return 3; -+ case PHOTOMETRIC_SEPARATED: -+ case PHOTOMETRIC_MASK: -+ return 4; -+ case PHOTOMETRIC_LOGL: -+ case PHOTOMETRIC_LOGLUV: -+ case PHOTOMETRIC_CFA: -+ case PHOTOMETRIC_ITULAB: -+ case PHOTOMETRIC_ICCLAB: -+ default: -+ return 0; -+ } -+} -+ -+/* - * Read the next TIFF directory from a file and convert it to the internal - * format. We read directories sequentially. - */ -@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif) - uint32 fii=FAILED_FII; - toff_t nextdiroff; - int bitspersample_read = FALSE; -+ int color_channels; - - tif->tif_diroff=tif->tif_nextdiroff; - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) -@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif) - } - } - } -+ -+ /* -+ * Make sure all non-color channels are extrasamples. -+ * If it's not the case, define them as such. -+ */ -+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); -+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { -+ uint16 old_extrasamples; -+ uint16 *new_sampleinfo; -+ -+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " -+ "color channels and ExtraSamples doesn't match SamplesPerPixel. " -+ "Defining non-color channels as ExtraSamples."); -+ -+ old_extrasamples = tif->tif_dir.td_extrasamples; -+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); -+ -+ // sampleinfo should contain information relative to these new extra samples -+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); -+ if (!new_sampleinfo) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " -+ "temporary new sampleinfo array (%d 16 bit elements)", -+ tif->tif_dir.td_extrasamples); -+ goto bad; -+ } -+ -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); -+ _TIFFfree(new_sampleinfo); -+ } -+ - /* - * Verify Palette image has a Colormap. - */ -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index 8deceb2..1d86adb 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - uint16 i; - fprintf(fd, " %2ld: %5u", - l, td->td_transferfunction[0][l]); -- for (i = 1; i < td->td_samplesperpixel; i++) -+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) - fprintf(fd, " %5u", - td->td_transferfunction[i][l]); - fputc('\n', fd); --- -libgit2 0.27.0 - diff --git a/patches/tiff/CVE-2018-8905.patch b/patches/tiff/CVE-2018-8905.patch deleted file mode 100644 index f951092c..00000000 --- a/patches/tiff/CVE-2018-8905.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 12 May 2018 15:32:31 +0200 -Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 - -The fix consists in using the similar code LZWDecode() to validate we -don't write outside of the output buffer. ---- - libtiff/tif_lzw.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index 4ccb443..94d85e3 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - char *tp; - unsigned char *bp; - int code, nbits; -+ int len; - long nextbits, nextdata, nbitsmask; - code_t *codep, *free_entp, *maxcodep, *oldcodep; - -@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - } while (--occ); - break; - } -- assert(occ >= codep->length); -- op += codep->length; -- occ -= codep->length; -- tp = op; -+ len = codep->length; -+ tp = op + len; - do { -- *--tp = codep->value; -- } while( (codep = codep->next) != NULL ); -+ int t; -+ --tp; -+ t = codep->value; -+ codep = codep->next; -+ *tp = (char)t; -+ } while (codep && tp > op); -+ assert(occ >= len); -+ op += len; -+ occ -= len; - } else { - *op++ = (char)code; - occ--; --- -libgit2 0.27.0 - -- cgit v1.2.3