GNU bug report logs - #27607
[PATCH] gnu: libtiff: Fix two integer overflows.

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 7 Jul 2017 04:34:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 27607 in the body.
You can then email your comments to 27607 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#27607; Package guix-patches. (Fri, 07 Jul 2017 04:34:03 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 07 Jul 2017 04:34:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libtiff: Fix two integer overflows.
Date: Fri,  7 Jul 2017 00:32:43 -0400

* gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch,
gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch:
New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[source]: Use them.
---
 gnu/local.mk                                       |  2 +
 gnu/packages/image.scm                             |  4 +-
 .../libtiff-tiffycbcrtorgb-integer-overflow.patch  | 57 ++++++++++++++++++++++
 ...btiff-tiffycbcrtorgbinit-integer-overflow.patch | 43 ++++++++++++++++
 4 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch
 create mode 100644 gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6f6db6d0a..a1a214b6d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -781,6 +781,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtiff-null-dereference.patch		\
   %D%/packages/patches/libtiff-tiffcp-underflow.patch		\
   %D%/packages/patches/libtiff-tiffgetfield-bugs.patch		\
+  %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch	\
+  %D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch	\
   %D%/packages/patches/libtirpc-CVE-2017-8779.patch		\
   %D%/packages/patches/libtorrent-rasterbar-boost-compat.patch	\
   %D%/packages/patches/libtool-skip-tests2.patch		\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index fe9d2d5b1..9dfb99cba 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -393,7 +393,9 @@ collection of tools for doing simple manipulations of TIFF images.")
                            version ".tar.gz"))
        (patches (search-patches "libtiff-tiffgetfield-bugs.patch"
                                 "libtiff-CVE-2016-10688.patch"
-                                "libtiff-CVE-2017-9936.patch"))
+                                "libtiff-CVE-2017-9936.patch"
+                                "libtiff-tiffycbcrtorgb-integer-overflow.patch"
+                                "libtiff-tiffycbcrtorgbinit-integer-overflow.patch"))
        (sha256
         (base32
          "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))
diff --git a/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch b/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch
new file mode 100644
index 000000000..060740d95
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch
@@ -0,0 +1,57 @@
+Fix an integer overflow TIFFYCbCrtoRGB():
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
+
+3rd party Git reference:
+
+https://github.com/vadz/libtiff/commit/02669064e927074819ce1ed39aba0fccaa167717
+
+2017-05-29  Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
+        int32 overflow in TIFFYCbCrtoRGB().
+        Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
+        Credit to OSS Fuzz
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1241; previous revision: 1.1240
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v  <--  libtiff/tif_color.c
+new revision: 1.24; previous revision: 1.23
+
+Index: libtiff/libtiff/tif_color.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v
+retrieving revision 1.23
+retrieving revision 1.24
+diff -u -r1.23 -r1.24
+--- libtiff/libtiff/tif_color.c	13 May 2017 18:17:34 -0000	1.23
++++ libtiff/libtiff/tif_color.c	29 May 2017 10:12:54 -0000	1.24
+@@ -1,4 +1,4 @@
+-/* $Id: tif_color.c,v 1.23 2017-05-13 18:17:34 erouault Exp $ */
++/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -275,10 +275,10 @@
+       for (i = 0, x = -128; i < 256; i++, x++) {
+ 	    int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F,
+ 			    refBlackWhite[5] - 128.0F, 127),
+-                            -128.0F * 64, 128.0F * 64);
++                            -128.0F * 32, 128.0F * 32);
+ 	    int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F,
+ 			    refBlackWhite[3] - 128.0F, 127),
+-                            -128.0F * 64, 128.0F * 64);
++                            -128.0F * 32, 128.0F * 32);
+ 
+ 	    ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT);
+ 	    ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT);
+@@ -286,7 +286,7 @@
+ 	    ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF;
+ 	    ycbcr->Y_tab[i] =
+ 		    (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255),
+-                                  -128.0F * 64, 128.0F * 64);
++                                  -128.0F * 32, 128.0F * 32);
+       }
+     }
+ 
diff --git a/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch b/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch
new file mode 100644
index 000000000..a990641a4
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch
@@ -0,0 +1,43 @@
+Fix an integer overflow in initYCbCrConversion():
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
+
+3rd party Git reference
+
+https://github.com/vadz/libtiff/commit/468988860e0dae62ebbf991627c74bcbb4bd256f
+
+        * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
+        refBlackWhite coefficients values. To avoid invalid float->int32 conversion
+        (when refBlackWhite[0] == 2147483648.f)
+        Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
+        Credit to OSS Fuzz
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1243; previous revision: 1.1242
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v  <--  libtiff/tif_getimage.c
+new revision: 1.107; previous revision: 1.106
+
+Index: libtiff/libtiff/tif_getimage.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
+retrieving revision 1.106
+retrieving revision 1.107
+diff -u -r1.106 -r1.107
+--- libtiff/libtiff/tif_getimage.c	20 May 2017 11:29:02 -0000	1.106
++++ libtiff/libtiff/tif_getimage.c	29 May 2017 11:29:06 -0000	1.107
+@@ -1,4 +1,4 @@
+-/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */
++/* $Id: tif_getimage.c,v 1.107 2017-05-29 11:29:06 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1991-1997 Sam Leffler
+@@ -2241,7 +2241,7 @@
+ 
+ static int isInRefBlackWhiteRange(float f)
+ {
+-    return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF;
++    return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF;
+ }
+ 
+ static int
-- 
2.13.2
Information forwarded to guix-patches <at> gnu.org:
bug#27607; Package guix-patches. (Fri, 07 Jul 2017 17:28:01 GMT) Full text and rfc822 format available.

Message #8 received at 27607 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27607 <at> debbugs.gnu.org
Subject: Re: [bug#27607] [PATCH] gnu: libtiff: Fix two integer overflows.
Date: Fri, 07 Jul 2017 13:26:24 -0400

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch,
> gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch:
> New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/image.scm (libtiff)[source]: Use them.

LGTM.

[signature.asc (application/pgp-signature, inline)]
bug closed, send any further explanations to 27607 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Mon, 10 Jul 2017 17:38:01 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 08 Aug 2017 11:24:04 GMT) Full text and rfc822 format available.
This bug report was last modified 8 years and 12 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.