svn commit: r382724 - in branches/2015Q1/graphics/tiff: . files

Mon Mar 30 20:47:14 UTC 2015

Author: antoine
Date: Mon Mar 30 20:47:12 2015
New Revision: 382724
URL: https://svnweb.freebsd.org/changeset/ports/382724
QAT: https://qat.redports.org/buildarchive/r382724/

Log:
  MFH: r382617
  
  tools/tiffdither.c: check memory allocations to avoid writing to
  NULL pointer. Also check multiplication overflow. Fixes #2501,
  CVE-2014-8128. Derived from patch by Petr Gajdos.
  
  Reported by:	naddy
  Obtained from:	https://github.com/vadz/libtiff/commit/147b2698c84004fe2da93c0fc7177a7c3797533d

Added:
  branches/2015Q1/graphics/tiff/files/patch-tools_tiffdither.c
     - copied unchanged from r382617, head/graphics/tiff/files/patch-tools_tiffdither.c
Modified:
  branches/2015Q1/graphics/tiff/Makefile
Directory Properties:
  branches/2015Q1/   (props changed)

Modified: branches/2015Q1/graphics/tiff/Makefile
==============================================================================

--- branches/2015Q1/graphics/tiff/Makefile	Mon Mar 30 20:40:13 2015	(r382723)
+++ branches/2015Q1/graphics/tiff/Makefile	Mon Mar 30 20:47:12 2015	(r382724)
@@ -3,6 +3,7 @@
 
 PORTNAME=	tiff
 DISTVERSION=	4.0.4beta
+PORTREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://download.osgeo.org/libtiff/

Copied: branches/2015Q1/graphics/tiff/files/patch-tools_tiffdither.c (from r382617, head/graphics/tiff/files/patch-tools_tiffdither.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q1/graphics/tiff/files/patch-tools_tiffdither.c	Mon Mar 30 20:47:12 2015	(r382724, copy of r382617, head/graphics/tiff/files/patch-tools_tiffdither.c)
@@ -0,0 +1,70 @@
+--- tools/tiffdither.c.orig	2013-05-02 14:44:29 UTC
++++ tools/tiffdither.c
+@@ -39,6 +39,7 @@
+ #endif
+ 
+ #include "tiffio.h"
++#include "tiffiop.h"
+ 
+ #define	streq(a,b)	(strcmp(a,b) == 0)
+ #define	strneq(a,b,n)	(strncmp(a,b,n) == 0)
+@@ -56,7 +57,7 @@ static	void usage(void);
+  * Floyd-Steinberg error propragation with threshold.
+  * This code is stolen from tiffmedian.
+  */
+-static void
++static int
+ fsdither(TIFF* in, TIFF* out)
+ {
+ 	unsigned char *outline, *inputline, *inptr;
+@@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out)
+ 	int lastline, lastpixel;
+ 	int bit;
+ 	tsize_t outlinesize;
++	int errcode = 0;
+ 
+ 	imax = imagelength - 1;
+ 	jmax = imagewidth - 1;
+ 	inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+-	thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
+-	nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
++	thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
++	nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
+ 	outlinesize = TIFFScanlineSize(out);
+ 	outline = (unsigned char *) _TIFFmalloc(outlinesize);
++	if (! (inputline && thisline && nextline && outline)) {
++	    fprintf(stderr, "Out of memory.\n");
++	    goto skip_on_error;
++	}
+ 
+ 	/*
+ 	 * Get first line
+@@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out)
+ 		nextline = tmpptr;
+ 		lastline = (i == imax);
+ 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-			break;
++			goto skip_on_error;
+ 		inptr = inputline;
+ 		nextptr = nextline;
+ 		for (j = 0; j < imagewidth; ++j)
+@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out)
+ 			}
+ 		}
+ 		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+-			break;
++			goto skip_on_error;
+ 	}
++	goto exit_label;
++
+   skip_on_error:
++	errcode = 1;
++  exit_label:
+ 	_TIFFfree(inputline);
+ 	_TIFFfree(thisline);
+ 	_TIFFfree(nextline);
+ 	_TIFFfree(outline);
++	return errcode;
+ }
+ 
+ static	uint16 compression = COMPRESSION_PACKBITS;
