media-libs/tiff: Upstream patch for CVE-2019-7663
Partially fixed by the CVE-2018-12000 patch in
https://crrev.com/c/1574960. The rest of the fix is from
https://gitlab.com/libtiff/libtiff/merge_requests/60.
Upstream PR sent to Gentoo at https://github.com/gentoo/gentoo/pull/12543
BUG=chromium:956420
TEST=Pre-CQ
Change-Id: I89aabefda29f30f71f8809d286079c4724761807
Reviewed-on: https://chromium-review.googlesource.com/1719000
Tested-by: Benjamin Gordon <bmgordon@chromium.org>
Commit-Ready: Benjamin Gordon <bmgordon@chromium.org>
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Chris McDonald <cjmcdonald@chromium.org>
Reviewed-by: Sean Kau <skau@chromium.org>
diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
new file mode 100644
index 0000000..a68ba2f
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
@@ -0,0 +1,73 @@
+From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
+
+fixes bug 2833
+---
+ tools/tiffcp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 2f406e2d7..f0ee2c029 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (spp > (0x7fffffff / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
+--
+2.21.0
+
+
+From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 21:42:03 +0100
+Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
+
+---
+ tools/tiffcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index f0ee2c029..8c81aa4f2 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ #include <ctype.h>
+
+@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
+- if (spp > (0x7fffffff / tilew))
++ if (spp > (INT_MAX / tilew))
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+--
+2.21.0
+
diff --git a/media-libs/tiff/tiff-4.0.10-r1.ebuild b/media-libs/tiff/tiff-4.0.10-r2.ebuild
similarity index 100%
rename from media-libs/tiff/tiff-4.0.10-r1.ebuild
rename to media-libs/tiff/tiff-4.0.10-r2.ebuild
diff --git a/media-libs/tiff/tiff-4.0.10.ebuild b/media-libs/tiff/tiff-4.0.10.ebuild
index 39dfa2c..8a3fbf9 100644
--- a/media-libs/tiff/tiff-4.0.10.ebuild
+++ b/media-libs/tiff/tiff-4.0.10.ebuild
@@ -32,6 +32,7 @@
"${FILESDIR}"/${PN}-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
"${FILESDIR}"/${P}-CVE-2018-17000-tif_dirwrite-null-dereference.patch
"${FILESDIR}"/${P}-CVE-2019-6128-pal2rgb-leak.patch
+ "${FILESDIR}"/${P}-CVE-2019-7663-tiffcpIntegerOverflow.patch
)
MULTILIB_WRAPPED_HEADERS=(
