From unknown Sat Sep 13 03:07:18 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}. Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 11 Feb 2018 01:06:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 30418 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 30418@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.151831115110944 (code B ref -1); Sun, 11 Feb 2018 01:06:01 +0000 Received: (at submit) by debbugs.gnu.org; 11 Feb 2018 01:05:51 +0000 Received: from localhost ([127.0.0.1]:37432 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ekg5R-0002qK-OL for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:05:51 -0500 Received: from eggs.gnu.org ([208.118.235.92]:41637) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ekg5N-0002q1-4R for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:05:43 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekg5F-0005bZ-39 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:05:35 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:55407) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ekg5E-0005bS-Vz for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:05:33 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60722) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ekg58-0007PR-T9 for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:32 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekg56-0005IT-0Q for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:26 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:52315) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ekg55-0005GA-He for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:23 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id B624220BD3; Sat, 10 Feb 2018 20:05:22 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Sat, 10 Feb 2018 20:05:22 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:message-id:subject:to:x-me-sender:x-me-sender :x-sasl-enc; s=mesmtp; bh=0XJ8WHMcGTe/4yArWv0rWGjCr5aP2MomgBuzaE 2nM9E=; b=CmJeHPMMMEfndEqSLh4xEC3X0gK1IKcIPiP1jihRud4urPpyTEPygz p9Lu+X/5/V0k9I1Az/AAm+ChNSYNwOhFOZ0BnmfFP8GdGfi2a/e36+iHv/21f8Xo duIyVoqFxslRgXJmDHzUAlzHGascZn4gmTg4anZm22CS/QQZ2zeHU= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=date:from:message-id:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=0XJ8WHMcGTe/4yArW v0rWGjCr5aP2MomgBuzaE2nM9E=; b=B1IhQnmxhnA4dDqOT/9K4rdfDvaSnWJ+j 1dr2xb/OorBK1ur/cwL2KYiN1lDdtxIxsfRlhLFuWsVL9I9XeogFilUCeynAHbns u+RU4MsmKBzy9I1SGG8wJK737XY1FyE3dTQDtPs5KDiFt4s8JNdvOfekmbMArQn0 vNGwJ0IfE9PHDhUxyP2xjpZ48Tir1TxE91TERQVEqs91rEsR05bB0iIY7Y7R5sza 1VGttFDjY37bKBXpbfDs2+EutrO7imCpvkzazpn/KYWHzoeFVB8G9oVPwnAzQGEb Oh0aA7dJJGBTKtNyjZNtbi8YhFuoqsNWrs/MRWNmIKmv3p2F/g+6w== X-ME-Sender: Received: from jasmine.lan (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 47C1A245F1 for ; Sat, 10 Feb 2018 20:05:22 -0500 (EST) From: Leo Famulari Date: Sat, 10 Feb 2018 20:05:18 -0500 Message-Id: X-Mailer: git-send-email 2.16.1 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.9 (/) * gnu/packages/patches/libtiff-CVE-2017-9935.patch, gnu/packages/patches/libtiff-CVE-2017-11335.patch, gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable. --- gnu/local.mk | 3 + gnu/packages/image.scm | 13 ++ gnu/packages/patches/libtiff-CVE-2017-11335.patch | 48 +++++++ gnu/packages/patches/libtiff-CVE-2017-18013.patch | 45 ++++++ gnu/packages/patches/libtiff-CVE-2017-9935.patch | 162 ++++++++++++++++++++++ 5 files changed, 271 insertions(+) create mode 100644 gnu/packages/patches/libtiff-CVE-2017-11335.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2017-18013.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9935.patch diff --git a/gnu/local.mk b/gnu/local.mk index eb968dede..95650cc50 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -854,7 +854,10 @@ dist_patch_DATA = \ %D%/packages/patches/libtasn1-CVE-2017-10790.patch \ %D%/packages/patches/libtheora-config-guess.patch \ %D%/packages/patches/libtiff-CVE-2016-10688.patch \ + %D%/packages/patches/libtiff-CVE-2017-9935.patch \ %D%/packages/patches/libtiff-CVE-2017-9936.patch \ + %D%/packages/patches/libtiff-CVE-2017-11335.patch \ + %D%/packages/patches/libtiff-CVE-2017-18013.patch \ %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \ %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \ %D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 548c1df44..a5738f431 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -390,6 +390,7 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") + (replacement libtiff/fixed) (version "4.0.8") (source (origin @@ -426,6 +427,18 @@ collection of tools for doing simple manipulations of TIFF images.") "See COPYRIGHT in the distribution.")) (home-page "http://www.simplesystems.org/libtiff/"))) +(define libtiff/fixed + (package + (inherit libtiff) + (source + (origin + (inherit (package-source libtiff)) + (patches + (append (origin-patches (package-source libtiff)) + (search-patches "libtiff-CVE-2017-9935.patch" + "libtiff-CVE-2017-11335.patch" + "libtiff-CVE-2017-18013.patch"))))))) + (define-public leptonica (package (name "leptonica") diff --git a/gnu/packages/patches/libtiff-CVE-2017-11335.patch b/gnu/packages/patches/libtiff-CVE-2017-11335.patch new file mode 100644 index 000000000..504bf3d3e --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-11335.patch @@ -0,0 +1,48 @@ +Fix CVE-2017-11335: + +http://bugzilla.maptools.org/show_bug.cgi?id=2715 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223 + +From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 15 Jul 2017 11:13:46 +0000 +Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in + "Raw" mode on PlanarConfig=Contig input images. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337 + +--- + ChangeLog | 7 +++++++ + tools/tiff2pdf.c | 9 +++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 8e4e24ef..caf64ee5 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1,4 +1,4 @@ +-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $ ++/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $ + * + * tiff2pdf - converts a TIFF image to a PDF document + * +@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + return; + + t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; +- if(t2p->pdf_nopassthrough==0){ ++ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ ++ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ ++ /* do not take into account the number of samples, and thus */ ++ /* that can cause heap buffer overflows such as in */ ++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ ++ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ + #ifdef CCITT_SUPPORT + if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 + ){ +-- +2.16.1 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch new file mode 100644 index 000000000..ba03c8384 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-18013: + +http://bugzilla.maptools.org/show_bug.cgi?id=2770 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 + +From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer + dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 9959d353..8deceb2b 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +2.16.1 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch new file mode 100644 index 000000000..5685d81f6 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch @@ -0,0 +1,162 @@ +Fix CVE-2017-9935 + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935 +http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 + +From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------ + 2 files changed, 47 insertions(+), 21 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 2ccaf448..cbf2b693 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index d1a9b095..c3ec0746 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (float*) NULL) && ++ (tiff_transferfunction[2] != (float*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { + if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ (t2p->tiff_transferfunction[2] != (float*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; +-- +2.16.1 + -- 2.16.1 From unknown Sat Sep 13 03:07:18 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935, 11335, 18013}. Resent-From: Marius Bakke Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 11 Feb 2018 01:33:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 30418 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 30418@debbugs.gnu.org, leo@famulari.name X-Debbugs-Original-To: guix-patches@gnu.org, Leo Famulari , 30418@debbugs.gnu.org Received: via spool by 30418-submit@debbugs.gnu.org id=B30418.151831277313576 (code B ref 30418); Sun, 11 Feb 2018 01:33:01 +0000 Received: (at 30418) by debbugs.gnu.org; 11 Feb 2018 01:32:53 +0000 Received: from localhost ([127.0.0.1]:37475 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ekgVZ-0003Wk-Qz for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:32:52 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:45113) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ekgVW-0003Wb-Ns for 30418@debbugs.gnu.org; Sat, 10 Feb 2018 20:32:45 -0500 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 99C9820CDE; Sat, 10 Feb 2018 20:32:42 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute5.internal (MEProxy); Sat, 10 Feb 2018 20:32:42 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=7lNSLZxBQvAfknmiJba0cr7yf93Ib +/MSe9UlCHukSo=; b=k5ID+0wZ4UHh+nmIcbw5YTfaRCpTCiyH7ToVKICXzHapj npZZCE91ajc8BiFxubXFcPvMhqXFvW2gRQZKSfNTPshSZjJEwCRsEwZZFA8/vilp 8SMzUo4xdrfvGn/L/GMI9XQzlcsaef0yoIPPa5uBlWkt0CQpT7XiakrZOs5Kmd0w H1ThSDoOHbZQZioWAhIj3r6YmT1aeatkdJSfoU7u06tkpXE1Jlpl1NSlNn8BkjPe Sc7kS5unendupbveQjkPgi86ltw5W6WYsA6ElRyVW4Gja4gwNkC5tKIbQrI+5liZ 2RHK5bfoFQx6zQmC1P08nMyphdjXSwE0hPVLI+wDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=7lNSLZ xBQvAfknmiJba0cr7yf93Ib+/MSe9UlCHukSo=; b=Hxdm7AdvLhXRCEuQaOpOBz GofyFR6615Z2kx+3Gmr4GRBGgzzU/WXBAch0A6TOfoEOL++yEiGusWsULLw33iCQ fxFA8LAuMsNcFoTtGnTNAeqgUuktVTchi1ukjdU+8H01kDtUMkm/hgD2a9cPzGIz Bqave4XCoI05ZXQTSGMlTPICgIHPdnflitBuZunRgcBGMjn159/nJu+OP1qKOtkx 8g3vUPef5hg7HDiGnM5EffQY+dnWE7fxqDIsurjswFm3zDlTyiDGsSL8FmBsN1/Z bhhTd3s3GrR3ahJhF4h2PGRVYCKUsXVJqMkIIRbji8zYdAVULgqosQogXFvywfYw == X-ME-Sender: Received: from [10.233.121.25] (26-121-11.connect.netcom.no [176.11.121.26]) by mail.messagingengine.com (Postfix) with ESMTPA id 013D324406; Sat, 10 Feb 2018 20:32:41 -0500 (EST) Date: Sun, 11 Feb 2018 02:32:38 +0100 User-Agent: K-9 Mail for Android In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Marius Bakke Message-ID: <3B1F7BD8-9EAA-4560-A547-3D308C01BF09@fastmail.com> X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) On February 11, 2018 2:05:18 AM GMT+01:00, Leo Famulari wrote: >* gnu/packages/patches/libtiff-CVE-2017-9935=2Epatch, >gnu/packages/patches/libtiff-CVE-2017-11335=2Epatch, >gnu/packages/patches/libtiff-CVE-2017-18013=2Epatch: New files=2E >* gnu/local=2Emk (dist_patch_DATA): Add them=2E >* gnu/packages/image=2Escm (libtiff)[replacement]: New field=2E >(libtiff/fixed): New variable=2E LGTM, thanks for taking care of this=2E >--- > gnu/local=2Emk | 3 + > gnu/packages/image=2Escm | 13 ++ > gnu/packages/patches/libtiff-CVE-2017-11335=2Epatch | 48 +++++++ > gnu/packages/patches/libtiff-CVE-2017-18013=2Epatch | 45 ++++++ >gnu/packages/patches/libtiff-CVE-2017-9935=2Epatch | 162 >++++++++++++++++++++++ > 5 files changed, 271 insertions(+) > create mode 100644 gnu/packages/patches/libtiff-CVE-2017-11335=2Epatch > create mode 100644 gnu/packages/patches/libtiff-CVE-2017-18013=2Epatch > create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9935=2Epatch > >diff --git a/gnu/local=2Emk b/gnu/local=2Emk >index eb968dede=2E=2E95650cc50 100644 >--- a/gnu/local=2Emk >+++ b/gnu/local=2Emk >@@ -854,7 +854,10 @@ dist_patch_DATA =3D \ > %D%/packages/patches/libtasn1-CVE-2017-10790=2Epatch \ > %D%/packages/patches/libtheora-config-guess=2Epatch \ > %D%/packages/patches/libtiff-CVE-2016-10688=2Epatch \ >+ %D%/packages/patches/libtiff-CVE-2017-9935=2Epatch \ > %D%/packages/patches/libtiff-CVE-2017-9936=2Epatch \ >+ %D%/packages/patches/libtiff-CVE-2017-11335=2Epatch \ >+ %D%/packages/patches/libtiff-CVE-2017-18013=2Epatch \ > %D%/packages/patches/libtiff-tiffgetfield-bugs=2Epatch \ > %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow=2Epatch \ >%D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow=2Epatch = \ >diff --git a/gnu/packages/image=2Escm b/gnu/packages/image=2Escm >index 548c1df44=2E=2Ea5738f431 100644 >--- a/gnu/packages/image=2Escm >+++ b/gnu/packages/image=2Escm >@@ -390,6 +390,7 @@ extracting icontainer icon files=2E") > (define-public libtiff > (package > (name "libtiff") >+ (replacement libtiff/fixed) > (version "4=2E0=2E8") > (source > (origin >@@ -426,6 +427,18 @@ collection of tools for doing simple manipulations >of TIFF images=2E") > "See COPYRIGHT in the distribution=2E")) > (home-page "http://www=2Esimplesystems=2Eorg/libtiff/"))) >=20 >+(define libtiff/fixed >+ (package >+ (inherit libtiff) >+ (source >+ (origin >+ (inherit (package-source libtiff)) >+ (patches >+ (append (origin-patches (package-source libtiff)) >+ (search-patches "libtiff-CVE-2017-9935=2Epatch" >+ "libtiff-CVE-2017-11335=2Epatch" >+ =20 >"libtiff-CVE-2017-18013=2Epatch"))))))) >+ > (define-public leptonica > (package > (name "leptonica") >diff --git a/gnu/packages/patches/libtiff-CVE-2017-11335=2Epatch >b/gnu/packages/patches/libtiff-CVE-2017-11335=2Epatch >new file mode 100644 >index 000000000=2E=2E504bf3d3e >--- /dev/null >+++ b/gnu/packages/patches/libtiff-CVE-2017-11335=2Epatch >@@ -0,0 +1,48 @@ >+Fix CVE-2017-11335: >+ >+http://bugzilla=2Emaptools=2Eorg/show_bug=2Ecgi?id=3D2715 >+https://cve=2Emitre=2Eorg/cgi-bin/cvename=2Ecgi?name=3DCVE-2017-11335 >+ >+Patch copied from upstream source repository: >+ >+https://gitlab=2Ecom/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab= 9e3af42c1223 >+ >+From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001 >+From: Even Rouault >+Date: Sat, 15 Jul 2017 11:13:46 +0000 >+Subject: [PATCH] * tools/tiff2pdf=2Ec: prevent heap buffer overflow >write in >+ "Raw" mode on PlanarConfig=3DContig input images=2E Fixes >+ http://bugzilla=2Emaptools=2Eorg/show_bug=2Ecgi?id=3D2715 Reported by t= eam >OWL337 >+ >+--- >+ ChangeLog | 7 +++++++ >+ tools/tiff2pdf=2Ec | 9 +++++++-- >+ 2 files changed, 14 insertions(+), 2 deletions(-) >+ >+diff --git a/tools/tiff2pdf=2Ec b/tools/tiff2pdf=2Ec >+index 8e4e24ef=2E=2Ecaf64ee5 100644 >+--- a/tools/tiff2pdf=2Ec >++++ b/tools/tiff2pdf=2Ec >+@@ -1,4 +1,4 @@ >+-/* $Id: tiff2pdf=2Ec,v 1=2E101 2016-12-20 17:28:17 erouault Exp $ >++/* $Id: tiff2pdf=2Ec,v 1=2E102 2017-07-15 11:13:46 erouault Exp $ >+ * >+ * tiff2pdf - converts a TIFF image to a PDF document >+ * >+@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ >+ return; >+=20 >+ t2p->pdf_transcode =3D T2P_TRANSCODE_ENCODE; >+- if(t2p->pdf_nopassthrough=3D=3D0){ >++ /* It seems that T2P_TRANSCODE_RAW mode doesn't support >separate->contig */ >++ /* conversion=2E At least t2p_read_tiff_size and >t2p_read_tiff_size_tile */ >++ /* do not take into account the number of samples, and thus >*/ >++ /* that can cause heap buffer overflows such as in */ >++ /* http://bugzilla=2Emaptools=2Eorg/show_bug=2Ecgi?id=3D2715 */ >++ if(t2p->pdf_nopassthrough=3D=3D0 && >t2p->tiff_planar!=3DPLANARCONFIG_SEPARATE){ >+ #ifdef CCITT_SUPPORT >+ if(t2p->tiff_compression=3D=3DCOMPRESSION_CCITTFAX4 =20 >+ ){ >+--=20 >+2=2E16=2E1 >+ >diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013=2Epatch >b/gnu/packages/patches/libtiff-CVE-2017-18013=2Epatch >new file mode 100644 >index 000000000=2E=2Eba03c8384 >--- /dev/null >+++ b/gnu/packages/patches/libtiff-CVE-2017-18013=2Epatch >@@ -0,0 +1,45 @@ >+Fix CVE-2017-18013: >+ >+http://bugzilla=2Emaptools=2Eorg/show_bug=2Ecgi?id=3D2770 >+https://cve=2Emitre=2Eorg/cgi-bin/cvename=2Ecgi?name=3DCVE-2017-18013 >+ >+Patch copied from upstream source repository: >+ >+https://gitlab=2Ecom/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3d= f4454c551a01 >+ >+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 >+From: Even Rouault >+Date: Sun, 31 Dec 2017 15:09:41 +0100 >+Subject: [PATCH] libtiff/tif_print=2Ec: TIFFPrintDirectory(): fix null >pointer >+ dereference on corrupted file=2E Fixes >+ http://bugzilla=2Emaptools=2Eorg/show_bug=2Ecgi?id=3D2770 >+ >+--- >+ libtiff/tif_print=2Ec | 8 ++++---- >+ 1 file changed, 4 insertions(+), 4 deletions(-) >+ >+diff --git a/libtiff/tif_print=2Ec b/libtiff/tif_print=2Ec >+index 9959d353=2E=2E8deceb2b 100644 >+--- a/libtiff/tif_print=2Ec >++++ b/libtiff/tif_print=2Ec >+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long >flags) >+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) >+ fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", >+ (unsigned long) s, >+- (unsigned __int64) td->td_stripoffset[s], >+- (unsigned __int64) td->td_stripbytecount[s]); >++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] >: 0, >++ td->td_stripbytecount ? (unsigned __int64) >td->td_stripbytecount[s] : 0); >+ #else >+ fprintf(fd, " %3lu: [%8llu, %8llu]\n", >+ (unsigned long) s, >+- (unsigned long long) td->td_stripoffset[s], >+- (unsigned long long) td->td_stripbytecount[s]); >++ td->td_stripoffset ? (unsigned long long) >td->td_stripoffset[s] : 0, >++ td->td_stripbytecount ? (unsigned long long) >td->td_stripbytecount[s] : 0); >+ #endif >+ } >+ } >+--=20 >+2=2E16=2E1 >+ >diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935=2Epatch >b/gnu/packages/patches/libtiff-CVE-2017-9935=2Epatch >new file mode 100644 >index 000000000=2E=2E5685d81f6 >--- /dev/null >+++ b/gnu/packages/patches/libtiff-CVE-2017-9935=2Epatch >@@ -0,0 +1,162 @@ >+Fix CVE-2017-9935 >+ >+https://cve=2Emitre=2Eorg/cgi-bin/cvename=2Ecgi?name=3DCVE-2017-9935 >+http://bugzilla=2Emaptools=2Eorg/show_bug=2Ecgi?id=3D2704 >+ >+Patch copied from upstream source repository: >+ >+https://gitlab=2Ecom/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025= 056c938b6940 >+ >+From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 >+From: Brian May >+Date: Thu, 7 Dec 2017 07:46:47 +1100 >+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 >+ >+Fix for http://bugzilla=2Emaptools=2Eorg/show_bug=2Ecgi?id=3D2704 >+ >+This vulnerability - at least for the supplied test case - is because >we >+assume that a tiff will only have one transfer function that is the >same >+for all pages=2E This is not required by the TIFF standards=2E >+ >+We than read the transfer function for every page=2E Depending on the >+transfer function, we allocate either 2 or 4 bytes to the XREF buffer=2E >+We allocate this memory after we read in the transfer function for the >+page=2E >+ >+For the first exploit - POC1, this file has 3 pages=2E For the first >page >+we allocate 2 extra extra XREF entries=2E Then for the next page 2 more >+entries=2E Then for the last page the transfer function changes and we >+allocate 4 more entries=2E >+ >+When we read the file into memory, we assume we have 4 bytes extra for >+each and every page (as per the last transfer function we read)=2E Which >+is not correct, we only have 2 bytes extra for the first 2 pages=2E As a >+result, we end up writing past the end of the buffer=2E >+ >+There are also some related issues that this also fixes=2E For example, >+TIFFGetField can return uninitalized pointer values, and the logic to >+detect a N=3D3 vs N=3D1 transfer function seemed rather strange=2E >+ >+It is also strange that we declare the transfer functions to be of >type >+float, when the standard says they are unsigned 16 bit values=2E This is >+fixed in another patch=2E >+ >+This patch will check to ensure that the N value for every transfer >+function is the same for every page=2E If this changes, we abort with an >+error=2E In theory, we should perhaps check that the transfer function >+itself is identical for every page, however we don't do that due to >the >+confusion of the type of the data in the transfer function=2E >+--- >+ libtiff/tif_dir=2Ec | 3 +++ >+ tools/tiff2pdf=2Ec | 65 >+++++++++++++++++++++++++++++++++++++------------------ >+ 2 files changed, 47 insertions(+), 21 deletions(-) >+ >+diff --git a/libtiff/tif_dir=2Ec b/libtiff/tif_dir=2Ec >+index 2ccaf448=2E=2Ecbf2b693 100644 >+--- a/libtiff/tif_dir=2Ec >++++ b/libtiff/tif_dir=2Ec >+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list >ap) >+ if (td->td_samplesperpixel - td->td_extrasamples > 1) { >+ *va_arg(ap, uint16**) =3D td->td_transferfunction[1]; >+ *va_arg(ap, uint16**) =3D td->td_transferfunction[2]; >++ } else { >++ *va_arg(ap, uint16**) =3D NULL; >++ *va_arg(ap, uint16**) =3D NULL; >+ } >+ break; >+ case TIFFTAG_REFERENCEBLACKWHITE: >+diff --git a/tools/tiff2pdf=2Ec b/tools/tiff2pdf=2Ec >+index d1a9b095=2E=2Ec3ec0746 100644 >+--- a/tools/tiff2pdf=2Ec >++++ b/tools/tiff2pdf=2Ec >+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ >+ uint16 pagen=3D0; >+ uint16 paged=3D0; >+ uint16 xuint16=3D0; >++ uint16 tiff_transferfunctioncount=3D0; >++ float* tiff_transferfunction[3]; >+=20 >+ directorycount=3DTIFFNumberOfDirectories(input); >+ t2p->tiff_pages =3D (T2P_PAGE*) >_TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); >+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* >input){ >+ } >+ #endif >+ if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, >+- &(t2p->tiff_transferfunction[0]), >+- &(t2p->tiff_transferfunction[1]), >+- &(t2p->tiff_transferfunction[2]))) { >+- if((t2p->tiff_transferfunction[1] !=3D (float*) NULL) && >+- (t2p->tiff_transferfunction[2] !=3D (float*) >NULL) && >+- (t2p->tiff_transferfunction[1] !=3D >+- t2p->tiff_transferfunction[0])) { >+- t2p->tiff_transferfunctioncount =3D 3; >+- t2p->tiff_pages[i]=2Epage_extra +=3D 4; >+- t2p->pdf_xrefcount +=3D 4; >+- } else { >+- t2p->tiff_transferfunctioncount =3D 1; >+- t2p->tiff_pages[i]=2Epage_extra +=3D 2; >+- t2p->pdf_xrefcount +=3D 2; >+- } >+- if(t2p->pdf_minorversion < 2) >+- t2p->pdf_minorversion =3D 2; >++ &(tiff_transferfunction[0]), >++ &(tiff_transferfunction[1]), >++ &(tiff_transferfunction[2]))) { >++ >++ if((tiff_transferfunction[1] !=3D (float*) >NULL) && >++ (tiff_transferfunction[2] !=3D (float*) >NULL) >++ ) { >++ tiff_transferfunctioncount=3D3; >++ } else { >++ tiff_transferfunctioncount=3D1; >++ } >+ } else { >+- t2p->tiff_transferfunctioncount=3D0; >++ tiff_transferfunctioncount=3D0; >+ } >++ >++ if (i > 0){ >++ if (tiff_transferfunctioncount !=3D >t2p->tiff_transferfunctioncount){ >++ TIFFError( >++ TIFF2PDF_MODULE, >++ "Different transfer function on page %d", >++ i); >++ t2p->t2p_error =3D T2P_ERR_ERROR; >++ return; >++ } >++ } >++ >++ t2p->tiff_transferfunctioncount =3D >tiff_transferfunctioncount; >++ t2p->tiff_transferfunction[0] =3D >tiff_transferfunction[0]; >++ t2p->tiff_transferfunction[1] =3D >tiff_transferfunction[1]; >++ t2p->tiff_transferfunction[2] =3D >tiff_transferfunction[2]; >++ if(tiff_transferfunctioncount =3D=3D 3){ >++ t2p->tiff_pages[i]=2Epage_extra +=3D 4; >++ t2p->pdf_xrefcount +=3D 4; >++ if(t2p->pdf_minorversion < 2) >++ t2p->pdf_minorversion =3D 2; >++ } else if (tiff_transferfunctioncount =3D=3D 1){ >++ t2p->tiff_pages[i]=2Epage_extra +=3D 2; >++ t2p->pdf_xrefcount +=3D 2; >++ if(t2p->pdf_minorversion < 2) >++ t2p->pdf_minorversion =3D 2; >++ } >++ >+ if( TIFFGetField( >+ input,=20 >+ TIFFTAG_ICCPROFILE,=20 >+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ >+ &(t2p->tiff_transferfunction[1]), >+ &(t2p->tiff_transferfunction[2]))) { >+ if((t2p->tiff_transferfunction[1] !=3D (float*) NULL) && >+- (t2p->tiff_transferfunction[2] !=3D (float*) NULL) >&& >+- (t2p->tiff_transferfunction[1] !=3D >+- t2p->tiff_transferfunction[0])) { >++ (t2p->tiff_transferfunction[2] !=3D (float*) NULL) >++ ) { >+ t2p->tiff_transferfunctioncount=3D3; >+ } else { >+ t2p->tiff_transferfunctioncount=3D1; >+--=20 >+2=2E16=2E1 >+ --=20 Sent from my Android device with K-9 Mail=2E Please excuse my brevity=2E From unknown Sat Sep 13 03:07:18 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Leo Famulari Subject: bug#30418: closed (Re: [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}.) Message-ID: References: <20180211040002.GB6331@jasmine.lan> X-Gnu-PR-Message: they-closed 30418 X-Gnu-PR-Package: guix-patches X-Gnu-PR-Keywords: patch Reply-To: 30418@debbugs.gnu.org Date: Sun, 11 Feb 2018 04:01:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1518321662-26879-1" This is a multi-part message in MIME format... ------------=_1518321662-26879-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #30418: [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}. which was filed against the guix-patches package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 30418@debbugs.gnu.org. --=20 30418: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D30418 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1518321662-26879-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 30418-done) by debbugs.gnu.org; 11 Feb 2018 04:00:10 +0000 Received: from localhost ([127.0.0.1]:37533 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ekioD-0006yD-Ud for submit@debbugs.gnu.org; Sat, 10 Feb 2018 23:00:10 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:32877) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ekio9-0006xC-Ny for 30418-done@debbugs.gnu.org; Sat, 10 Feb 2018 23:00:08 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 5DDBD20D32; Sat, 10 Feb 2018 23:00:05 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Sat, 10 Feb 2018 23:00:05 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= mesmtp; bh=LVhATPD578H2jJ/VhGfKFceJ0ex/VpJCQs+ZcTdBfuo=; b=G4yqI whyZjplWM+uf4/a9fGGYZ2sOVoVO85WVNudfI+eW8UCgZ/GnpBtcY35ctQ4FQ9bj Pz+Rv9yOKFDC+ABM4dxgrsZ4ZJLtA1G0pPP0NN6IXQwvIqE3H1iobgazG4zEvGzI gM8AYNlnwxyEorhXg6kd+4x92iMZZFgPcfCCYo= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=LVhATPD578H2jJ/VhGfKFceJ0ex/V pJCQs+ZcTdBfuo=; b=mZWntfp9YlaMK8ZpJXQr/fG/qdweiwCPiTa6EcrcxQYXf FTAiBBuss0Lvo/KNzoeHAXeVdClnv6gwl1mn62HoDfDRuZgK2yDhNh4tQXy4A2LL FQlYp6u00MDoqnCbd9b90jAeGqIJ4FLliid8Z8j4K1fBSKeT415BsnH2noWOwIHd D2Y/LrnliV85av/strdujfhF4J0FsyZSHZ6mXX9glypsI2xz6ukq0MZm6GbP+vif 5UkF5jZbWJGOughgvlVHr/Mq77v2Xacwd0aNqljlwScA3ioIlmpakibKjpQUToWb IDM8E7gBw3HLmLuxdLRIaC8G4JF6Giy1cCm2oQotQ== X-ME-Sender: Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 195827E46B; Sat, 10 Feb 2018 23:00:05 -0500 (EST) Date: Sat, 10 Feb 2018 23:00:02 -0500 From: Leo Famulari To: Marius Bakke Subject: Re: [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}. Message-ID: <20180211040002.GB6331@jasmine.lan> References: <3B1F7BD8-9EAA-4560-A547-3D308C01BF09@fastmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="TRYliJ5NKNqkz5bu" Content-Disposition: inline In-Reply-To: <3B1F7BD8-9EAA-4560-A547-3D308C01BF09@fastmail.com> User-Agent: Mutt/1.9.3 (2018-01-21) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 30418-done Cc: 30418-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --TRYliJ5NKNqkz5bu Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Feb 11, 2018 at 02:32:38AM +0100, Marius Bakke wrote: >=20 >=20 > On February 11, 2018 2:05:18 AM GMT+01:00, Leo Famulari wrote: > >* gnu/packages/patches/libtiff-CVE-2017-9935.patch, > >gnu/packages/patches/libtiff-CVE-2017-11335.patch, > >gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files. > >* gnu/local.mk (dist_patch_DATA): Add them. > >* gnu/packages/image.scm (libtiff)[replacement]: New field. > >(libtiff/fixed): New variable. >=20 > LGTM, thanks for taking care of this. Thanks for review, pushed as 79cf1053046f083df831460c9ff7d42d5c47c110 --TRYliJ5NKNqkz5bu Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlp/v8IACgkQJkb6MLrK fwjIeg//RZQZg/3EtDPu2YiSN5iEBA1X5eijwROGZHjqq00lAfYwAmGyCGUwz8yv Zz7lSE1lUYUSylklZED5BkfX6ABdj0hBg1FP5hRex+aEWASIeWDOadk1/OIKCeE0 wistyZg/ClUqQjH2UH5HStm2G4HyqqaNdfbhdAfWjN+umAb3DFXEDXJEF+cUr/uf aLBsqCBoeiKJ4ksOoGSn5D0U8ML2ftAXoqXQPzePUDjmOeyQjhFaDhlFzZ2UX2la hcrm4TNpNBZszb/6JWvVIL/E381/KcD+WDwcQmW87OAiN0T3+MDka/xJS7yYewAC qL1nmEeMP8FULyiC8PJ2VFy3+f+bG+7HjmnGtaD8BZRH+uXjO7MFDrEyAM4bWlA2 4ZiK0hfXtiCeTawyUxX4Hf3+GyXip6oVE/bRV25n1wyaFn48jei9nqr0XCX6mGPQ nxdfEJaVH6w6WcXviq7KxYVCGcRAGgVecBSyKmsCTf+nh0AlXQ3cAVfjPTViRIbY XbOuloqhF4sqF5l7aGprnIrmA3rwC/wyjArSWIJVrilyTbLEkvjb+yWlRw6+sqzk 1G8B9x6rc91pdBRdN6kUjwjG3lp8hdmIq8TrSjPz04LDbr1vlOIMGkRA4yFCqTDw XeFBUzhDzZnSt1JRR3kCMpRKOhBMmMyePDa6NTPpjeuzRXrOUN0= =OOH0 -----END PGP SIGNATURE----- --TRYliJ5NKNqkz5bu-- ------------=_1518321662-26879-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 11 Feb 2018 01:05:51 +0000 Received: from localhost ([127.0.0.1]:37432 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ekg5R-0002qK-OL for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:05:51 -0500 Received: from eggs.gnu.org ([208.118.235.92]:41637) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ekg5N-0002q1-4R for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:05:43 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekg5F-0005bZ-39 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:05:35 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:55407) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ekg5E-0005bS-Vz for submit@debbugs.gnu.org; Sat, 10 Feb 2018 20:05:33 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60722) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ekg58-0007PR-T9 for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:32 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekg56-0005IT-0Q for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:26 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:52315) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ekg55-0005GA-He for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:23 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id B624220BD3; Sat, 10 Feb 2018 20:05:22 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Sat, 10 Feb 2018 20:05:22 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:message-id:subject:to:x-me-sender:x-me-sender :x-sasl-enc; s=mesmtp; bh=0XJ8WHMcGTe/4yArWv0rWGjCr5aP2MomgBuzaE 2nM9E=; b=CmJeHPMMMEfndEqSLh4xEC3X0gK1IKcIPiP1jihRud4urPpyTEPygz p9Lu+X/5/V0k9I1Az/AAm+ChNSYNwOhFOZ0BnmfFP8GdGfi2a/e36+iHv/21f8Xo duIyVoqFxslRgXJmDHzUAlzHGascZn4gmTg4anZm22CS/QQZ2zeHU= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=date:from:message-id:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=0XJ8WHMcGTe/4yArW v0rWGjCr5aP2MomgBuzaE2nM9E=; b=B1IhQnmxhnA4dDqOT/9K4rdfDvaSnWJ+j 1dr2xb/OorBK1ur/cwL2KYiN1lDdtxIxsfRlhLFuWsVL9I9XeogFilUCeynAHbns u+RU4MsmKBzy9I1SGG8wJK737XY1FyE3dTQDtPs5KDiFt4s8JNdvOfekmbMArQn0 vNGwJ0IfE9PHDhUxyP2xjpZ48Tir1TxE91TERQVEqs91rEsR05bB0iIY7Y7R5sza 1VGttFDjY37bKBXpbfDs2+EutrO7imCpvkzazpn/KYWHzoeFVB8G9oVPwnAzQGEb Oh0aA7dJJGBTKtNyjZNtbi8YhFuoqsNWrs/MRWNmIKmv3p2F/g+6w== X-ME-Sender: Received: from jasmine.lan (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 47C1A245F1 for ; Sat, 10 Feb 2018 20:05:22 -0500 (EST) From: Leo Famulari To: guix-patches@gnu.org Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}. Date: Sat, 10 Feb 2018 20:05:18 -0500 Message-Id: X-Mailer: git-send-email 2.16.1 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.9 (/) * gnu/packages/patches/libtiff-CVE-2017-9935.patch, gnu/packages/patches/libtiff-CVE-2017-11335.patch, gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable. --- gnu/local.mk | 3 + gnu/packages/image.scm | 13 ++ gnu/packages/patches/libtiff-CVE-2017-11335.patch | 48 +++++++ gnu/packages/patches/libtiff-CVE-2017-18013.patch | 45 ++++++ gnu/packages/patches/libtiff-CVE-2017-9935.patch | 162 ++++++++++++++++++++++ 5 files changed, 271 insertions(+) create mode 100644 gnu/packages/patches/libtiff-CVE-2017-11335.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2017-18013.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9935.patch diff --git a/gnu/local.mk b/gnu/local.mk index eb968dede..95650cc50 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -854,7 +854,10 @@ dist_patch_DATA = \ %D%/packages/patches/libtasn1-CVE-2017-10790.patch \ %D%/packages/patches/libtheora-config-guess.patch \ %D%/packages/patches/libtiff-CVE-2016-10688.patch \ + %D%/packages/patches/libtiff-CVE-2017-9935.patch \ %D%/packages/patches/libtiff-CVE-2017-9936.patch \ + %D%/packages/patches/libtiff-CVE-2017-11335.patch \ + %D%/packages/patches/libtiff-CVE-2017-18013.patch \ %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \ %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \ %D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 548c1df44..a5738f431 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -390,6 +390,7 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") + (replacement libtiff/fixed) (version "4.0.8") (source (origin @@ -426,6 +427,18 @@ collection of tools for doing simple manipulations of TIFF images.") "See COPYRIGHT in the distribution.")) (home-page "http://www.simplesystems.org/libtiff/"))) +(define libtiff/fixed + (package + (inherit libtiff) + (source + (origin + (inherit (package-source libtiff)) + (patches + (append (origin-patches (package-source libtiff)) + (search-patches "libtiff-CVE-2017-9935.patch" + "libtiff-CVE-2017-11335.patch" + "libtiff-CVE-2017-18013.patch"))))))) + (define-public leptonica (package (name "leptonica") diff --git a/gnu/packages/patches/libtiff-CVE-2017-11335.patch b/gnu/packages/patches/libtiff-CVE-2017-11335.patch new file mode 100644 index 000000000..504bf3d3e --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-11335.patch @@ -0,0 +1,48 @@ +Fix CVE-2017-11335: + +http://bugzilla.maptools.org/show_bug.cgi?id=2715 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223 + +From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 15 Jul 2017 11:13:46 +0000 +Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in + "Raw" mode on PlanarConfig=Contig input images. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337 + +--- + ChangeLog | 7 +++++++ + tools/tiff2pdf.c | 9 +++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 8e4e24ef..caf64ee5 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1,4 +1,4 @@ +-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $ ++/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $ + * + * tiff2pdf - converts a TIFF image to a PDF document + * +@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + return; + + t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; +- if(t2p->pdf_nopassthrough==0){ ++ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ ++ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ ++ /* do not take into account the number of samples, and thus */ ++ /* that can cause heap buffer overflows such as in */ ++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ ++ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ + #ifdef CCITT_SUPPORT + if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 + ){ +-- +2.16.1 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch new file mode 100644 index 000000000..ba03c8384 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-18013: + +http://bugzilla.maptools.org/show_bug.cgi?id=2770 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 + +From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer + dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 9959d353..8deceb2b 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +2.16.1 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch new file mode 100644 index 000000000..5685d81f6 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch @@ -0,0 +1,162 @@ +Fix CVE-2017-9935 + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935 +http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 + +From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------ + 2 files changed, 47 insertions(+), 21 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 2ccaf448..cbf2b693 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index d1a9b095..c3ec0746 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (float*) NULL) && ++ (tiff_transferfunction[2] != (float*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { + if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ (t2p->tiff_transferfunction[2] != (float*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; +-- +2.16.1 + -- 2.16.1 ------------=_1518321662-26879-1--