summaryrefslogtreecommitdiff
path: root/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
diff options
context:
space:
mode:
Diffstat (limited to 'media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch')
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch191
1 files changed, 0 insertions, 191 deletions
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
deleted file mode 100644
index 6c28dc6ec9a8..000000000000
--- a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
-possibility in the same file, which wasn't given a separate CVE.
-
-
-diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
---- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
-+++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
-@@ -117,9 +117,9 @@
- if (n >= stride) {
- mask = CODE_MASK;
- if (stride == 3) {
-- t0 = ToLinearF[cr = wp[0]];
-- t1 = ToLinearF[cg = wp[1]];
-- t2 = ToLinearF[cb = wp[2]];
-+ t0 = ToLinearF[cr = (wp[0] & mask)];
-+ t1 = ToLinearF[cg = (wp[1] & mask)];
-+ t2 = ToLinearF[cb = (wp[2] & mask)];
- op[0] = t0;
- op[1] = t1;
- op[2] = t2;
-@@ -136,10 +136,10 @@
- op[2] = t2;
- }
- } else if (stride == 4) {
-- t0 = ToLinearF[cr = wp[0]];
-- t1 = ToLinearF[cg = wp[1]];
-- t2 = ToLinearF[cb = wp[2]];
-- t3 = ToLinearF[ca = wp[3]];
-+ t0 = ToLinearF[cr = (wp[0] & mask)];
-+ t1 = ToLinearF[cg = (wp[1] & mask)];
-+ t2 = ToLinearF[cb = (wp[2] & mask)];
-+ t3 = ToLinearF[ca = (wp[3] & mask)];
- op[0] = t0;
- op[1] = t1;
- op[2] = t2;
-@@ -183,9 +183,9 @@
- if (n >= stride) {
- mask = CODE_MASK;
- if (stride == 3) {
-- t0 = ToLinearF[cr = wp[0]] * SCALE12;
-- t1 = ToLinearF[cg = wp[1]] * SCALE12;
-- t2 = ToLinearF[cb = wp[2]] * SCALE12;
-+ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
-+ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
-+ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
- op[0] = CLAMP12(t0);
- op[1] = CLAMP12(t1);
- op[2] = CLAMP12(t2);
-@@ -202,10 +202,10 @@
- op[2] = CLAMP12(t2);
- }
- } else if (stride == 4) {
-- t0 = ToLinearF[cr = wp[0]] * SCALE12;
-- t1 = ToLinearF[cg = wp[1]] * SCALE12;
-- t2 = ToLinearF[cb = wp[2]] * SCALE12;
-- t3 = ToLinearF[ca = wp[3]] * SCALE12;
-+ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
-+ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
-+ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
-+ t3 = ToLinearF[ca = (wp[3] & mask)] * SCALE12;
- op[0] = CLAMP12(t0);
- op[1] = CLAMP12(t1);
- op[2] = CLAMP12(t2);
-@@ -247,9 +247,9 @@
- if (n >= stride) {
- mask = CODE_MASK;
- if (stride == 3) {
-- op[0] = ToLinear16[cr = wp[0]];
-- op[1] = ToLinear16[cg = wp[1]];
-- op[2] = ToLinear16[cb = wp[2]];
-+ op[0] = ToLinear16[cr = (wp[0] & mask)];
-+ op[1] = ToLinear16[cg = (wp[1] & mask)];
-+ op[2] = ToLinear16[cb = (wp[2] & mask)];
- n -= 3;
- while (n > 0) {
- wp += 3;
-@@ -260,10 +260,10 @@
- op[2] = ToLinear16[(cb += wp[2]) & mask];
- }
- } else if (stride == 4) {
-- op[0] = ToLinear16[cr = wp[0]];
-- op[1] = ToLinear16[cg = wp[1]];
-- op[2] = ToLinear16[cb = wp[2]];
-- op[3] = ToLinear16[ca = wp[3]];
-+ op[0] = ToLinear16[cr = (wp[0] & mask)];
-+ op[1] = ToLinear16[cg = (wp[1] & mask)];
-+ op[2] = ToLinear16[cb = (wp[2] & mask)];
-+ op[3] = ToLinear16[ca = (wp[3] & mask)];
- n -= 4;
- while (n > 0) {
- wp += 4;
-@@ -342,9 +342,9 @@
- if (n >= stride) {
- mask = CODE_MASK;
- if (stride == 3) {
-- op[0] = ToLinear8[cr = wp[0]];
-- op[1] = ToLinear8[cg = wp[1]];
-- op[2] = ToLinear8[cb = wp[2]];
-+ op[0] = ToLinear8[cr = (wp[0] & mask)];
-+ op[1] = ToLinear8[cg = (wp[1] & mask)];
-+ op[2] = ToLinear8[cb = (wp[2] & mask)];
- n -= 3;
- while (n > 0) {
- n -= 3;
-@@ -355,10 +355,10 @@
- op[2] = ToLinear8[(cb += wp[2]) & mask];
- }
- } else if (stride == 4) {
-- op[0] = ToLinear8[cr = wp[0]];
-- op[1] = ToLinear8[cg = wp[1]];
-- op[2] = ToLinear8[cb = wp[2]];
-- op[3] = ToLinear8[ca = wp[3]];
-+ op[0] = ToLinear8[cr = (wp[0] & mask)];
-+ op[1] = ToLinear8[cg = (wp[1] & mask)];
-+ op[2] = ToLinear8[cb = (wp[2] & mask)];
-+ op[3] = ToLinear8[ca = (wp[3] & mask)];
- n -= 4;
- while (n > 0) {
- n -= 4;
-@@ -393,9 +393,9 @@
- mask = CODE_MASK;
- if (stride == 3) {
- op[0] = 0;
-- t1 = ToLinear8[cb = wp[2]];
-- t2 = ToLinear8[cg = wp[1]];
-- t3 = ToLinear8[cr = wp[0]];
-+ t1 = ToLinear8[cb = (wp[2] & mask)];
-+ t2 = ToLinear8[cg = (wp[1] & mask)];
-+ t3 = ToLinear8[cr = (wp[0] & mask)];
- op[1] = t1;
- op[2] = t2;
- op[3] = t3;
-@@ -413,10 +413,10 @@
- op[3] = t3;
- }
- } else if (stride == 4) {
-- t0 = ToLinear8[ca = wp[3]];
-- t1 = ToLinear8[cb = wp[2]];
-- t2 = ToLinear8[cg = wp[1]];
-- t3 = ToLinear8[cr = wp[0]];
-+ t0 = ToLinear8[ca = (wp[3] & mask)];
-+ t1 = ToLinear8[cb = (wp[2] & mask)];
-+ t2 = ToLinear8[cg = (wp[1] & mask)];
-+ t3 = ToLinear8[cr = (wp[0] & mask)];
- op[0] = t0;
- op[1] = t1;
- op[2] = t2;
-@@ -630,10 +630,10 @@
- return guess;
- }
-
--static uint32
--multiply(size_t m1, size_t m2)
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
- {
-- uint32 bytes = m1 * m2;
-+ tsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-@@ -641,6 +641,20 @@
- return bytes;
- }
-
-+static tsize_t
-+add_ms(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t bytes = m1 + m2;
-+
-+ /* if either input is zero, assume overflow already occurred */
-+ if (m1 == 0 || m2 == 0)
-+ bytes = 0;
-+ else if (bytes <= m1 || bytes <= m2)
-+ bytes = 0;
-+
-+ return bytes;
-+}
-+
- static int
- PixarLogSetupDecode(TIFF* tif)
- {
-@@ -661,6 +675,8 @@
- td->td_samplesperpixel : 1);
- tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
-+ /* add one more stride in case input ends mid-stride */
-+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
- if (tbuf_size == 0)
- return (0);
- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-03 10:45:16 +0000