From fc0ce8a34ad4fb3b031790c78403fc51b9f7f9d8 Mon Sep 17 00:00:00 2001
From: Zhang Yuntong
Date: Fri, 1 Sep 2023 18:14:16 +0800
Subject: [PATCH] Add dev patch for two more bugs
---
data/libtiff/cve_2016_3186/dev.patch | 13 ++++++++
data/libtiff/cve_2016_5314/dev.patch | 46 ++++++++++++++++++++++++++++
2 files changed, 59 insertions(+)
create mode 100644 data/libtiff/cve_2016_3186/dev.patch
create mode 100644 data/libtiff/cve_2016_5314/dev.patch
diff --git a/data/libtiff/cve_2016_3186/dev.patch b/data/libtiff/cve_2016_3186/dev.patch
new file mode 100644
index 0000000..84664b0
--- /dev/null
+++ b/data/libtiff/cve_2016_3186/dev.patch
@@ -0,0 +1,13 @@
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -350,7 +350,7 @@ readextension(void)
+ int status = 1;
+
+ (void) getc(infile);
+- while ((count = getc(infile)) && count <= 255)
++ while ((count = getc(infile)) && count <= 255 && count >=0 )
+ {
+ assert(count >= 0);
+ if (fread(buf, 1, count, infile) != (size_t) count) {
+ fprintf(stderr, "short read from file %s (%s)\n",
+
diff --git a/data/libtiff/cve_2016_5314/dev.patch b/data/libtiff/cve_2016_5314/dev.patch
new file mode 100644
index 0000000..86e7aa8
--- /dev/null
+++ b/data/libtiff/cve_2016_5314/dev.patch
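Review bot: In the `readextension` loop of tools/gif2tiff.c, the added `count >=0` test makes an EOF from `getc()` on the length byte end the loop the same way a zero terminator does, so a truncated extension block is not reported as an error. As far as the hunk shows, `status` is still 1 at that point; the function body continues outside the hunk, so this should be confirmed there. The `assert(count >= 0);` kept inside the loop is now redundant and disappears under `NDEBUG`, so the loop condition is the real guard and deserves a comment such as `/* getc() returns EOF (negative) on a truncated file; it must never reach fread() as a length */`. If truncated input should be diagnosed, the loop could be followed by `if (count < 0) status = 0;`.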
@@ -0,0 +1,46 @@
+diff --git a/ChangeLog b/ChangeLog
+index 1b0e5996..dee18813 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,8 @@
++2016-06-28 Even Rouault
++
++ * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
++ PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
++
+ 2016-06-15 Bob Friesenhahn
+
+ * libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 06e8af39..cc486c54 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -459,6 +459,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
+ typedef struct {
+ TIFFPredictorState predict;
+ z_stream stream;
++ tmsize_t tbuf_size; /* only set/used on reading for now */
+ uint16 *tbuf;
+ uint16 stride;
+ int state;
+@@ -694,6 +695,7 @@ PixarLogSetupDecode(TIFF* tif)
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
++ sp->tbuf_size = tbuf_size;
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+@@ -783,6 +785,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ return (0);
+ }
++ /* Check that we will not fill more than what was allocated */
++ if (sp->stream.avail_out > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
++ return (0);
++ }
+ do {
+ int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
+ if (state == Z_STREAM_END) {
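Review bot: The new bounds check in `PixarLogDecode` compares `sp->stream.avail_out`, which zlib declares as an unsigned type, with the `tmsize_t` field `tbuf_size`, which is signed in libtiff, so the result depends on implicit conversion and will draw a sign-compare warning. Writing it as `if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)` states the intended comparison. The error text is the raw C expression, which tells someone triaging a rejected file very little; a descriptive message that the requested output exceeds the allocated decode buffer would serve better. The field comment says `tbuf_size` is only set on reading, so any other path that allocates `tbuf` (not visible here) leaves it unset and must not rely on this check. All three touched definitions continue outside their hunks.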