Index: branches/2016Q1/graphics/tiff/Makefile =================================================================== --- branches/2016Q1/graphics/tiff/Makefile (revision 405294) +++ branches/2016Q1/graphics/tiff/Makefile (revision 405295) @@ -1,122 +1,123 @@ # Created by: Richard Hwang , Mikhail Teterin , Jun-ichiro itojun Itoh # $FreeBSD$ PORTNAME= tiff PORTVERSION= 4.0.6 +PORTREVISION= 1 CATEGORIES= graphics MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ http://download.osgeo.org/libtiff/ MAINTAINER= portmgr@FreeBSD.org COMMENT= Tools and library routines for working with TIFF images LICENSE= BSD3CLAUSE LICENSE_FILE= ${WRKSRC}/COPYRIGHT LIB_DEPENDS= libjbig.so:${PORTSDIR}/graphics/jbigkit USES= cpe jpeg libtool CPE_PRODUCT= libtiff CPE_VERSION= ${DISTVERSION:C/[a-z]+//} CPE_UPDATE= ${DISTVERSION:C/[0-9.]+//} USE_LDCONFIG= yes GNU_CONFIGURE= yes CONFIGURE_ARGS+= --with-jpeg-include-dir=${LOCALBASE}/include \ --with-jpeg-lib-dir=${LOCALBASE}/lib \ --without-x INSTALL_TARGET= install-strip TEST_TARGET= check MLNKS= TIFFError.3tiff TIFFSetErrorHandler.3tiff \ TIFFFlush.3tiff TIFFFlushData.3tiff \ TIFFGetField.3tiff TIFFGetFieldDefaulted.3tiff \ TIFFGetField.3tiff TIFFVGetField.3tiff \ TIFFGetField.3tiff TIFFVGetFieldDefaulted.3tiff \ TIFFOpen.3tiff TIFFFdOpen.3tiff \ TIFFOpen.3tiff TIFFClientOpen.3tiff \ TIFFRGBAImage.3tiff TIFFRGBAImageOK.3tiff \ TIFFRGBAImage.3tiff TIFFRGBAImageBegin.3tiff \ TIFFRGBAImage.3tiff TIFFRGBAImageGet.3tiff \ TIFFRGBAImage.3tiff TIFFRGBAImageEnd.3tiff \ TIFFRGBAImage.3tiff TIFFReadRGBAImageOriented.3tiff \ TIFFSetDirectory.3tiff TIFFSetSubDirectory.3tiff \ TIFFSetField.3tiff TIFFVSetField.3tiff \ TIFFWarning.3tiff TIFFSetWarningHandler.3tiff \ TIFFWriteDirectory.3tiff TIFFRewriteDirectory.3tiff \ TIFFbuffer.3tiff TIFFReadBufferSetup.3tiff \ TIFFbuffer.3tiff TIFFWriteBufferSetup.3tiff \ TIFFcodec.3tiff TIFFFindCODEC.3tiff \ TIFFcodec.3tiff TIFFRegisterCODEC.3tiff \ TIFFcodec.3tiff TIFFUnRegisterCODEC.3tiff \ TIFFmemory.3tiff TIFFfree.3tiff \ TIFFmemory.3tiff TIFFmalloc.3tiff \ TIFFmemory.3tiff TIFFmemcmp.3tiff \ TIFFmemory.3tiff TIFFmemcpy.3tiff \ TIFFmemory.3tiff TIFFmemset.3tiff \ TIFFmemory.3tiff TIFFrealloc.3tiff \ TIFFquery.3tiff TIFFCurrentDirectory.3tiff \ TIFFquery.3tiff TIFFCurrentRow.3tiff \ TIFFquery.3tiff TIFFCurrentStrip.3tiff \ TIFFquery.3tiff TIFFCurrentTile.3tiff \ TIFFquery.3tiff TIFFFileName.3tiff \ TIFFquery.3tiff TIFFFileno.3tiff \ TIFFquery.3tiff TIFFGetMode.3tiff \ TIFFquery.3tiff TIFFIsTiled.3tiff \ TIFFquery.3tiff TIFFIsByteSwapped.3tiff \ TIFFquery.3tiff TIFFIsUpSampled.3tiff \ TIFFquery.3tiff TIFFIsMSB2LSB.3tiff \ TIFFquery.3tiff TIFFLastDirectory.3tiff \ TIFFsize.3tiff TIFFScanlineSize.3tiff \ TIFFstrip.3tiff TIFFComputeStrip.3tiff \ TIFFstrip.3tiff TIFFDefaultStripSize.3tiff \ TIFFstrip.3tiff TIFFNumberOfStrips.3tiff \ TIFFstrip.3tiff TIFFStripSize.3tiff \ TIFFstrip.3tiff TIFFVStripSize.3tiff \ TIFFswab.3tiff TIFFReverseBits.3tiff \ TIFFswab.3tiff TIFFSwabArrayOfLong.3tiff \ TIFFswab.3tiff TIFFSwabArrayOfShort.3tiff \ TIFFswab.3tiff TIFFSwabLong.3tiff \ TIFFswab.3tiff TIFFSwabShort.3tiff \ TIFFtile.3tiff TIFFCheckTile.3tiff \ TIFFtile.3tiff TIFFComputeTile.3tiff \ TIFFtile.3tiff TIFFDefaultTileSize.3tiff \ TIFFtile.3tiff TIFFNumberOfTiles.3tiff \ TIFFtile.3tiff TIFFTileSize.3tiff \ TIFFtile.3tiff TIFFTileRowSize.3tiff \ TIFFtile.3tiff TIFFVTileSize.3tiff OPTIONS_DEFINE= DOCS .include .if !defined(BUILDING_INDEX) __pmlinks3!= ${ECHO_CMD} '${MLNKS:S/ / /}' | ${AWK} \ '{ if (NF % 2 != 0) { print "broken"; exit; } \ for (i=1; i<=NF; i++) { \ if ( i % 2 == 0) { print " " $$i " ;"; } \ else { print "${LN} -s " $$i " "; } \ } }' .endif post-patch: @${REINPLACE_CMD} "/\.po 0/d" ${WRKSRC}/man/* pre-configure: ${REINPLACE_CMD} \ -e 's|tiffgt.1 ||' \ ${WRKSRC}/man/Makefile.in ${REINPLACE_CMD} -e 's|^docfiles|no-docfiles|' \ -e 's|man html|man|' ${WRKSRC}/Makefile.in post-install: ${LN} -s libtiff.so.5 ${STAGEDIR}${PREFIX}/lib/libtiff.so.4 ( cd ${STAGEDIR}${PREFIX}/man/man3 && ${__pmlinks3} ) .if ${PORT_OPTIONS:MDOCS} ${MKDIR} ${STAGEDIR}${DOCSDIR}/images ${STAGEDIR}${DOCSDIR}/man ${INSTALL_DATA} ${WRKSRC}/html/*.html ${STAGEDIR}${DOCSDIR}/ ${INSTALL_DATA} ${WRKSRC}/html/images/*.jpg ${STAGEDIR}${DOCSDIR}/images/ ${INSTALL_DATA} ${WRKSRC}/html/images/*.gif ${STAGEDIR}${DOCSDIR}/images/ ${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${STAGEDIR}${DOCSDIR}/man/ .endif .include Index: branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683 =================================================================== --- branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683 (nonexistent) +++ branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683 (revision 405295) @@ -0,0 +1,118 @@ +revision 1.94 +date: 2015-12-26 17:32:03 +0000; author: erouault; state: Exp; lines: +23 -14; commitid: ohB9uRxvIWq9YtOy; +* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage +interface in case of unsupported values of SamplesPerPixel/ExtraSamples +for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in +TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and +CVE-2015-8683 reported by zzf of Alibaba. + +Index: libtiff/tif_getimage.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v +retrieving revision 1.93 +retrieving revision 1.94 +diff -u -r1.93 -r1.94 +--- libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93 ++++ libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94 +@@ -1,4 +1,4 @@ +-/* $Id: tif_getimage.c,v 1.93 2015-11-22 15:31:03 erouault Exp $ */ ++/* $Id: tif_getimage.c,v 1.94 2015-12-26 17:32:03 erouault Exp $ */ + + /* + * Copyright (c) 1991-1997 Sam Leffler +@@ -182,20 +182,22 @@ + "Planarconfiguration", td->td_planarconfig); + return (0); + } +- if( td->td_samplesperpixel != 3 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d", +- "Samples/pixel", td->td_samplesperpixel); ++ "Sorry, can not handle image with %s=%d, %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels); + return 0; + } + break; + case PHOTOMETRIC_CIELAB: +- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d and %s=%d", ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels, + "Bits/sample", td->td_bitspersample); + return 0; + } +@@ -255,6 +257,9 @@ + int colorchannels; + uint16 *red_orig, *green_orig, *blue_orig; + int n_color; ++ ++ if( !TIFFRGBAImageOK(tif, emsg) ) ++ return 0; + + /* Initialize to normal values */ + img->row_offset = 0; +@@ -2509,29 +2514,33 @@ + case PHOTOMETRIC_RGB: + switch (img->bitspersample) { + case 8: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >= 4) + img->put.contig = putRGBAAcontig8bittile; +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >= 4) + { + if (BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig8bittile; + } +- else ++ else if( img->samplesperpixel >= 3 ) + img->put.contig = putRGBcontig8bittile; + break; + case 16: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBAAcontig16bittile; + } +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img) && + BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig16bittile; + } +- else ++ else if( img->samplesperpixel >=3 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBcontig16bittile; +@@ -2540,7 +2549,7 @@ + } + break; + case PHOTOMETRIC_SEPARATED: +- if (buildMap(img)) { ++ if (img->samplesperpixel >=4 && buildMap(img)) { + if (img->bitspersample == 8) { + if (!img->Map) + img->put.contig = putRGBcontig8bitCMYKtile; +@@ -2636,7 +2645,7 @@ + } + break; + case PHOTOMETRIC_CIELAB: +- if (buildMap(img)) { ++ if (img->samplesperpixel == 3 && buildMap(img)) { + if (img->bitspersample == 8) + img->put.contig = initCIELabConversion(img); + break; Property changes on: branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c =================================================================== --- branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c (nonexistent) +++ branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c (revision 405295) @@ -0,0 +1,176 @@ +revision 1.41 +date: 2015-12-27 16:25:11 +0000; author: erouault; state: Exp; lines: +45 -12; commitid: gXczlJDfVlBdzBOy; +* libtiff/tif_luv.c: fix potential out-of-bound writes in decode +functions in non debug builds by replacing assert()s by regular if +checks (bugzilla #2522). +Fix potential out-of-bound reads in case of short input data. + +Index: libtiff/tif_luv.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v +retrieving revision 1.40 +retrieving revision 1.41 +diff -u -r1.40 -r1.41 +--- libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40 ++++ libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41 +@@ -1,4 +1,4 @@ +-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */ ++/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */ + + /* + * Copyright (c) 1997 Greg Ward Larson +@@ -202,7 +202,11 @@ + if (sp->user_datafmt == SGILOGDATAFMT_16BIT) + tp = (int16*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (int16*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -211,9 +215,11 @@ + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 2*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ +- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ if( cc < 2 ) ++ break; ++ rc = *bp++ + (2-128); + b = (int16)(*bp++ << shft); + cc -= 2; + while (rc-- && i < npixels) +@@ -223,6 +229,7 @@ + while (--cc && rc-- && i < npixels) + tp[i++] |= (int16)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -268,13 +275,17 @@ + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32 *)op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32 *) sp->tbuf; + } + /* copy to array of uint32 */ + bp = (unsigned char*) tif->tif_rawcp; + cc = tif->tif_rawcc; +- for (i = 0; i < npixels && cc > 0; i++) { ++ for (i = 0; i < npixels && cc >= 3; i++) { + tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; + bp += 3; + cc -= 3; +@@ -325,7 +336,11 @@ + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -334,11 +349,13 @@ + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 4*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ ++ if( cc < 2 ) ++ break; + rc = *bp++ + (2-128); + b = (uint32)*bp++ << shft; +- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ cc -= 2; + while (rc-- && i < npixels) + tp[i++] |= b; + } else { /* non-run */ +@@ -346,6 +363,7 @@ + while (--cc && rc-- && i < npixels) + tp[i++] |= (uint32)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -413,6 +431,7 @@ + static int + LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogL16Encode"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -433,7 +452,11 @@ + tp = (int16*) bp; + else { + tp = (int16*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ +@@ -506,6 +529,7 @@ + static int + LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode24"; + LogLuvState* sp = EncoderState(tif); + tmsize_t i; + tmsize_t npixels; +@@ -521,7 +545,11 @@ + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* write out encoded pixels */ +@@ -553,6 +581,7 @@ + static int + LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode32"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -574,7 +603,11 @@ + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ Property changes on: branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c =================================================================== --- branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c (nonexistent) +++ branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c (revision 405295) @@ -0,0 +1,54 @@ +revision 1.17 +date: 2015-12-27 16:55:20 +0000; author: erouault; state: Exp; lines: +9 -3; commitid: 4yLOaM0uFVPyJBOy; +* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() +triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif +(bugzilla #2508) + +Index: libtiff/tif_next.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_next.c,v +retrieving revision 1.16 +retrieving revision 1.17 +diff -u -r1.16 -r1.17 +--- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 ++++ libtiff/tif_next.c 27 Dec 2015 16:55:20 -0000 1.17 +@@ -1,4 +1,4 @@ +-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */ ++/* $Id: tif_next.c,v 1.17 2015-12-27 16:55:20 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -37,7 +37,7 @@ + case 0: op[0] = (unsigned char) ((v) << 6); break; \ + case 1: op[0] |= (v) << 4; break; \ + case 2: op[0] |= (v) << 2; break; \ +- case 3: *op++ |= (v); break; \ ++ case 3: *op++ |= (v); op_offset++; break; \ + } \ + } + +@@ -106,6 +106,7 @@ + uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; ++ tmsize_t op_offset = 0; + + /* + * The scanline is composed of a sequence of constant +@@ -122,10 +123,15 @@ + * bounds, potentially resulting in a security + * issue. + */ +- while (n-- > 0 && npixels < imagewidth) ++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) + SETPIXEL(op, grey); + if (npixels >= imagewidth) + break; ++ if (op_offset >= scanline ) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", ++ (long) tif->tif_row); ++ return (0); ++ } + if (cc == 0) + goto bad; + n = *bp++, cc--; Property changes on: branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2016Q1 =================================================================== --- branches/2016Q1 (revision 405294) +++ branches/2016Q1 (revision 405295) Property changes on: branches/2016Q1 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r405294