~ubuntu-branches/ubuntu/hardy/tiff/hardy-updates

Viewing changes to debian/patches/CVE-2010-1411.patch

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2012-04-02 12:15:45 UTC
Revision ID: package-import@ubuntu.com-20120402121545-4v7622mmp6box103

Tags: 3.8.2-7ubuntu3.10

* SECURITY UPDATE: denial of service and possible code execution via
  tiffdump
  - debian/patches/z_CVE-2010-4665.patch: prevent integer overflow in
    tools/tiffdump.c.
  - CVE-2010-4665
* SECURITY UPDATE: arbitrary code execution via size overflow
  - debian/patches/z_CVE-2012-1173.patch: use TIFFSafeMultiply in
    libtiff/tif_getimage.c, fix TIFFSafeMultiply in libtiff/tiffiop.h.
  - CVE-2012-1173
* debian/patches/CVE-2010-1411.patch: updated to use actual upstream fix
  and to get TIFFSafeMultiply macro.

files added:
debian/patches/z_CVE-2010-4665.patch

debian/patches/z_CVE-2012-1173.patch

files modified:
debian/changelog

debian/patches/CVE-2010-1411.patch

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2010-1411.patch

Description: fix integer overflow in use of TIFFroundup (CVE-2010-1411)

Author: Tomas Hoger <thoger@redhat.com>

Description: fix integer overflows, introduce TIFFSafeMultiply

Origin: backported from libtiff 3.9.4

Index: tiff-3.8.2/libtiff/tif_fax3.c

===================================================================

--- tiff-3.8.2.orig/libtiff/tif_fax3.c 2010-06-10 18:09:58.779641597 -0700

+++ tiff-3.8.2/libtiff/tif_fax3.c 2010-06-10 18:11:50.949640612 -0700

@@ -491,7 +491,16 @@

diff -Naur tiff-3.8.2.ori/libtiff/tif_fax3.c tiff-3.8.2/libtiff/tif_fax3.c

--- tiff-3.8.2.ori/libtiff/tif_fax3.c 2012-04-02 11:57:19.010090410 -0400

+++ tiff-3.8.2/libtiff/tif_fax3.c 2012-04-02 12:01:32.918087990 -0400

@@ -491,10 +491,27 @@

td->td_compression == COMPRESSION_CCITTFAX4

);

- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels;

+ /*

+ Assure that allocation computations do not overflow.

+ TIFFroundup and TIFFSafeMultiply return zero on integer overflow

+ */

+ dsp->runs=(uint32*) NULL;

+ nruns = TIFFroundup(rowpixels,32);

+ if (needsRefLine) {

+ /* integer overflow check */

+ if ((uint32)rowpixels > 0xffffffff - 32 || TIFFroundup(rowpixels,32) > 0xffffffff / 2)

+ return (0);

+ nruns = 2*TIFFroundup(rowpixels,32);

+ } else

+ nruns = rowpixels;

+ /* integer overflow check */

+ if (nruns > (0xffffffff - 3) / 2)

+ nruns = TIFFSafeMultiply(uint32,nruns,2);

+ }

+ if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) {

+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

+ "Row pixels integer overflow (rowpixels %u)",

+ rowpixels);

+ return (0);

dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32),

"for Group 3/4 run arrays");

+ }

+ dsp->runs = (uint32*) _TIFFCheckMalloc(tif,

+ TIFFSafeMultiply(uint32,nruns,2),

+ sizeof (uint32),

+ "for Group 3/4 run arrays");

- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32),

- "for Group 3/4 run arrays");

if (dsp->runs == NULL)

return (0);

dsp->curruns = dsp->runs;

diff -Naur tiff-3.8.2.ori/libtiff/tiffiop.h tiff-3.8.2/libtiff/tiffiop.h

--- tiff-3.8.2.ori/libtiff/tiffiop.h 2006-03-21 11:42:50.000000000 -0500

+++ tiff-3.8.2/libtiff/tiffiop.h 2012-04-02 11:58:04.838089974 -0400

@@ -222,10 +222,15 @@

#endif

/* NB: the uint32 casts are to silence certain ANSI-C compilers */

-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y)))

+#define TIFFhowmany(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \

+ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \

+ 0U)

#define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)

#define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))

+/* Safe multiply which returns zero if there is an integer overflow */

+#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)

#define TIFFmax(A,B) ((A)>(B)?(A):(B))

#define TIFFmin(A,B) ((A)<(B)?(A):(B))

Older »