tiff wheezy security update ready for testing
Hi,
I've built an update for the tiff package for all the pending issues in
the security tracker, including some issues that were marked "no-dsa"
for various reasons. I believe some of those were actually misfiled, as
arbitrary code execution seems serious enough, in my opinion, to warrant
an upload.
I closed a bunch of issues I couldn't reproduce with the provided POC
(with or without valgrind) in a wheezy VM as well. Those are
CVE-2016-3625, CVE-2016-10094 and CVE-2016-10095.
Since there are so many changes, I figured it was a good idea to submit
the package for testing. In the usual location:
https://people.debian.org/~anarcat/debian/wheezy-lts/
Debdiff attached.
I did some quick smoke tests but didn't test all the 16+ (!) proof of
concepts. If someone had the patience to go through that, it would be
useful...
I also wonder if there's a test suite, or where did it go if there were
any before, because it doesn't seem to run on build right now.
Thanks for any feedback,
A.
--
Il faut tout un village pour élever un enfant.
- Proverbe africain
diff -Nru tiff-4.0.2/debian/changelog tiff-4.0.2/debian/changelog
--- tiff-4.0.2/debian/changelog 2016-11-22 06:03:09.000000000 -0500
+++ tiff-4.0.2/debian/changelog 2017-01-17 15:05:14.000000000 -0500
@@ -1,3 +1,61 @@
+tiff (4.0.2-6+deb7u9) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2016-3622: The fpAcc function in tif_predict.c in the tiff2rgba
+ tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a
+ denial of service (divide-by-zero error) via a crafted TIFF image.
+ * CVE-2016-3623: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
+ remote attackers to cause a denial of service (divide-by-zero) by
+ setting the (1) v or (2) h parameter to 0. (Fixed along with CVE-2016-3624.)
+ * CVE-2016-3624: The cvtClump function in the rgb2ycbcr tool in
+ LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial
+ of service (out-of-bounds write) by setting the "-v" option to -1.
+ * CVE-2016-3945: Multiple integer overflows in the (1) cvt_by_strip
+ and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6
+ and earlier, when -b mode is enabled, allow remote attackers to
+ cause a denial of service (crash) or execute arbitrary code via a
+ crafted TIFF image, which triggers an out-of-bounds write.
+ * CVE-2016-3990: Heap-based buffer overflow in the
+ horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6
+ and earlier allows remote attackers to cause a denial of service
+ (crash) or execute arbitrary code via a crafted TIFF image to
+ tiffcp.
+ * CVE-2016-9533: tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write
+ vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka
+ "PixarLog horizontalDifference heap-buffer-overflow."
+ * CVE-2016-9534: tif_write.c in libtiff 4.0.6 has an issue in the error
+ code path of TIFFFlushData1() that didn't reset the tif_rawcc and
+ tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1
+ heap-buffer-overflow."
+ * CVE-2016-9535: tif_predict.h and tif_predict.c in libtiff 4.0.6 have
+ assertions that can lead to assertion failures in debug mode, or
+ buffer overflows in release mode, when dealing with unusual tile size
+ like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor
+ heap-buffer-overflow."
+ * CVE-2016-9536: tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds
+ write vulnerabilities in heap allocated buffers in
+ t2p_process_jpeg_strip(). Reported as MSVR 35098, aka
+ "t2p_process_jpeg_strip heap-buffer-overflow."
+ * CVE-2016-9537: tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds
+ write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096,
+ and MSVR 35097.
+ * CVE-2016-9538: tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
+ buffer in readContigStripsIntoBuffer() because of a uint16 integer
+ overflow. Reported as MSVR 35100.
+ * CVE-2016-9540: tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds
+ write on tiled images with odd tile width versus image width.
+ Reported as MSVR 35103, aka cpStripToTile heap-buffer-overflow.
+ * CVE-2016-10092: heap-buffer-overflow in tiffcrop
+ * CVE-2016-10093: uint32 underflow/overflow that can cause heap-based
+ buffer overflow in tiffcp
+ * CVE-2017-5225: LibTIFF version 4.0.7 is vulnerable to a heap buffer
+ overflow in the tools/tiffcp resulting in DoS or code execution via
+ a crafted BitsPerSample value.
+ * heap-based buffer overflow in TIFFFillStrip (tif_read.c) (Closes:
+ 846837)
+
+ -- Antoine Beaupré <anarcat@debian.org> Tue, 17 Jan 2017 15:05:14 -0500
+
tiff (4.0.2-6+deb7u8) wheezy-security; urgency=high
* Non-maintainer upload by the Debian Long Term Support Team.
diff -Nru tiff-4.0.2/debian/patches/0047-CVE-2016-9532.patch tiff-4.0.2/debian/patches/0047-CVE-2016-9532.patch
--- tiff-4.0.2/debian/patches/0047-CVE-2016-9532.patch 2016-11-22 06:03:09.000000000 -0500
+++ tiff-4.0.2/debian/patches/0047-CVE-2016-9532.patch 2017-01-17 15:05:14.000000000 -0500
@@ -15,8 +15,6 @@
tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++----
1 file changed, 40 insertions(+), 4 deletions(-)
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 6244385..9680ba0 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -148,6 +148,8 @@ extern int getopt(int, char**, char*);
@@ -28,7 +26,7 @@
#ifndef streq
#define streq(a,b) (strcmp((a),(b)) == 0)
#endif
-@@ -1155,7 +1157,24 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
+@@ -1155,7 +1157,24 @@ writeBufferToSeparateStrips (TIFF* out,
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
bytes_per_sample = (bps + 7) / 8;
@@ -54,7 +52,7 @@
rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
obuf = _TIFFmalloc (rowstripsize);
-@@ -1242,11 +1261,19 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+@@ -1242,11 +1261,19 @@ static int writeBufferToContigTiles (TIF
}
}
@@ -76,7 +74,7 @@
for (row = 0; row < imagelength; row += tl)
{
nrow = (row + tl > imagelength) ? imagelength - row : tl;
-@@ -1306,7 +1333,16 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
+@@ -1306,7 +1333,16 @@ static int writeBufferToSeparateTiles (T
TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
diff -Nru tiff-4.0.2/debian/patches/0048-CVE-2016-9533.patch tiff-4.0.2/debian/patches/0048-CVE-2016-9533.patch
--- tiff-4.0.2/debian/patches/0048-CVE-2016-9533.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0048-CVE-2016-9533.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,110 @@
+From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 23 Sep 2016 22:12:18 +0000
+Subject: [PATCH] * tools/tiffcrop.c: fix various out-of-bounds write
+ vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
+ MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
+ the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
+ out-of-bounds write vulnerabilities in heap allocate buffer in
+ t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
+ and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
+ libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
+ allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
+ Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
+ libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
+ didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
+ that could happen in practice outside of the odd behaviour of t2p_seekproc()
+ of tiff2pdf). The report points that a better fix could be to check the
+ return value of TIFFFlushData1() in places where it isn't done currently, but
+ it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
+ Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
+ Mitigations team.
+
+---
+ ChangeLog | 23 +++++++++++++++++++++
+ libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
+ libtiff/tif_write.c | 7 +++++++
+ tools/tiff2pdf.c | 22 ++++++++++++++++++--
+ tools/tiffcrop.c | 20 +++++++++++++++++-
+ 5 files changed, 92 insertions(+), 35 deletions(-)
+
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -965,17 +965,14 @@ horizontalDifferenceF(float *ip, int n,
+ a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
+ }
+ } else {
+- ip += n - 1; /* point to last one */
+- wp += n - 1; /* point to last one */
+- n -= stride;
+- while (n > 0) {
+- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
+- wp[stride] -= wp[0];
+- wp[stride] &= mask;
+- wp--; ip--)
+- n -= stride;
+- }
+- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
++ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
++ n -= stride;
++ while (n > 0) {
++ REPEAT(stride,
++ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
++ wp++; ip++)
++ n -= stride;
++ }
+ }
+ }
+ }
+@@ -1018,17 +1015,14 @@ horizontalDifference16(unsigned short *i
+ a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
+ }
+ } else {
+- ip += n - 1; /* point to last one */
+- wp += n - 1; /* point to last one */
++ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
+ n -= stride;
+ while (n > 0) {
+- REPEAT(stride, wp[0] = CLAMP(ip[0]);
+- wp[stride] -= wp[0];
+- wp[stride] &= mask;
+- wp--; ip--)
+- n -= stride;
+- }
+- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
++ REPEAT(stride,
++ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
++ wp++; ip++)
++ n -= stride;
++ }
+ }
+ }
+ }
+@@ -1071,18 +1065,15 @@ horizontalDifference8(unsigned char *ip,
+ ip += 4;
+ }
+ } else {
+- wp += n + stride - 1; /* point to last one */
+- ip += n + stride - 1; /* point to last one */
+- n -= stride;
+- while (n > 0) {
+- REPEAT(stride, wp[0] = CLAMP(ip[0]);
+- wp[stride] -= wp[0];
+- wp[stride] &= mask;
+- wp--; ip--)
+- n -= stride;
+- }
+- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
+- }
++ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
++ n -= stride;
++ while (n > 0) {
++ REPEAT(stride,
++ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
++ wp++; ip++)
++ n -= stride;
++ }
++ }
+ }
+ }
+
diff -Nru tiff-4.0.2/debian/patches/0049-CVE-2016-9534.patch tiff-4.0.2/debian/patches/0049-CVE-2016-9534.patch
--- tiff-4.0.2/debian/patches/0049-CVE-2016-9534.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0049-CVE-2016-9534.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,47 @@
+From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 23 Sep 2016 22:12:18 +0000
+Subject: [PATCH] * tools/tiffcrop.c: fix various out-of-bounds write
+ vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
+ MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
+ the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
+ out-of-bounds write vulnerabilities in heap allocate buffer in
+ t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
+ and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
+ libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
+ allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
+ Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
+ libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
+ didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
+ that could happen in practice outside of the odd behaviour of t2p_seekproc()
+ of tiff2pdf). The report points that a better fix could be to check the
+ return value of TIFFFlushData1() in places where it isn't done currently, but
+ it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
+ Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
+ Mitigations team.
+
+---
+ ChangeLog | 23 +++++++++++++++++++++
+ libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
+ libtiff/tif_write.c | 7 +++++++
+ tools/tiff2pdf.c | 22 ++++++++++++++++++--
+ tools/tiffcrop.c | 20 +++++++++++++++++-
+ 5 files changed, 92 insertions(+), 35 deletions(-)
+
+--- a/libtiff/tif_write.c
++++ b/libtiff/tif_write.c
+@@ -720,7 +720,14 @@ TIFFFlushData1(TIFF* tif)
+ if (!TIFFAppendToStrip(tif,
+ isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
+ tif->tif_rawdata, tif->tif_rawcc))
++ {
++ /* We update those variables even in case of error since there's */
++ /* code that doesn't really check the return code of this */
++ /* function */
++ tif->tif_rawcc = 0;
++ tif->tif_rawcp = tif->tif_rawdata;
+ return (0);
++ }
+ tif->tif_rawcc = 0;
+ tif->tif_rawcp = tif->tif_rawdata;
+ }
diff -Nru tiff-4.0.2/debian/patches/0050-CVE-2016-9536.patch tiff-4.0.2/debian/patches/0050-CVE-2016-9536.patch
--- tiff-4.0.2/debian/patches/0050-CVE-2016-9536.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0050-CVE-2016-9536.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,116 @@
+From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 23 Sep 2016 22:12:18 +0000
+Subject: [PATCH] * tools/tiffcrop.c: fix various out-of-bounds write
+ vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
+ MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
+ the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
+ out-of-bounds write vulnerabilities in heap allocate buffer in
+ t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
+ and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
+ libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
+ allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
+ Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
+ libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
+ didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
+ that could happen in practice outside of the odd behaviour of t2p_seekproc()
+ of tiff2pdf). The report points that a better fix could be to check the
+ return value of TIFFFlushData1() in places where it isn't done currently, but
+ it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
+ Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
+ Mitigations team.
+
+---
+ ChangeLog | 23 +++++++++++++++++++++
+ libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
+ libtiff/tif_write.c | 7 +++++++
+ tools/tiff2pdf.c | 22 ++++++++++++++++++--
+ tools/tiffcrop.c | 20 +++++++++++++++++-
+ 5 files changed, 92 insertions(+), 35 deletions(-)
+
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P
+ int t2p_process_ojpeg_tables(T2P*, TIFF*);
+ #endif
+ #ifdef JPEG_SUPPORT
+-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
++int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
+ #endif
+ void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
+ void t2p_write_advance_directory(T2P*, TIFF*);
+@@ -2375,7 +2375,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p
+ if(!t2p_process_jpeg_strip(
+ stripbuffer,
+ &striplength,
+- buffer,
++ buffer,
++ t2p->tiff_datasize,
+ &bufferoffset,
+ i,
+ t2p->tiff_length)){
+@@ -3407,6 +3408,7 @@ int t2p_process_jpeg_strip(
+ unsigned char* strip,
+ tsize_t* striplength,
+ unsigned char* buffer,
++ tsize_t buffersize,
+ tsize_t* bufferoffset,
+ tstrip_t no,
+ uint32 height){
+@@ -3441,6 +3443,8 @@ int t2p_process_jpeg_strip(
+ }
+ switch( strip[i] ){
+ case 0xd8: /* SOI - start of image */
++ if( *bufferoffset + 2 > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+ break;
+@@ -3450,12 +3454,18 @@ int t2p_process_jpeg_strip(
+ case 0xc9: /* SOF9 */
+ case 0xca: /* SOF10 */
+ if(no==0){
++ if( *bufferoffset + datalen + 2 + 6 > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ if( *bufferoffset + 9 >= buffersize )
++ return(0);
+ ncomp = buffer[*bufferoffset+9];
+ if (ncomp < 1 || ncomp > 4)
+ return(0);
+ v_samp=1;
+ h_samp=1;
++ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
++ return(0);
+ for(j=0;j<ncomp;j++){
+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
+ if( (samp>>4) > h_samp)
+@@ -3487,20 +3497,28 @@ int t2p_process_jpeg_strip(
+ break;
+ case 0xc4: /* DHT */
+ case 0xdb: /* DQT */
++ if( *bufferoffset + datalen + 2 > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
+ break;
+ case 0xda: /* SOS */
+ if(no==0){
++ if( *bufferoffset + datalen + 2 > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
+ } else {
++ if( *bufferoffset + 2 > buffersize )
++ return(0);
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+ }
+ i += datalen + 1;
+ /* copy remainder of strip */
++ if( *bufferoffset + *striplength - i > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+ *bufferoffset+= *striplength - i;
+ return(1);
diff -Nru tiff-4.0.2/debian/patches/0051-CVE-2016-9537.patch tiff-4.0.2/debian/patches/0051-CVE-2016-9537.patch
--- tiff-4.0.2/debian/patches/0051-CVE-2016-9537.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0051-CVE-2016-9537.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,78 @@
+From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 23 Sep 2016 22:12:18 +0000
+Subject: [PATCH] * tools/tiffcrop.c: fix various out-of-bounds write
+ vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
+ MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
+ the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
+ out-of-bounds write vulnerabilities in heap allocate buffer in
+ t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
+ and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
+ libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
+ allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
+ Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
+ libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
+ didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
+ that could happen in practice outside of the odd behaviour of t2p_seekproc()
+ of tiff2pdf). The report points that a better fix could be to check the
+ return value of TIFFFlushData1() in places where it isn't done currently, but
+ it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
+ Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
+ Mitigations team.
+
+---
+ ChangeLog | 23 +++++++++++++++++++++
+ libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
+ libtiff/tif_write.c | 7 +++++++
+ tools/tiff2pdf.c | 22 ++++++++++++++++++--
+ tools/tiffcrop.c | 20 +++++++++++++++++-
+ 5 files changed, 92 insertions(+), 35 deletions(-)
+
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5785,7 +5785,8 @@ loadImage(TIFF* in, struct image_data *i
+ {
+ uint32 i;
+ float xres = 0.0, yres = 0.0;
+- uint16 nstrips = 0, ntiles = 0, planar = 0;
++ uint32 nstrips = 0, ntiles = 0;
++ uint16 planar = 0;
+ uint16 bps = 0, spp = 0, res_unit = 0;
+ uint16 orientation = 0;
+ uint16 input_compression = 0, input_photometric = 0;
+@@ -6093,11 +6094,23 @@ loadImage(TIFF* in, struct image_data *i
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+ /* outside buffer */
+ if (!read_buff)
++ {
++ if( buffsize > 0xFFFFFFFFU - 3 )
++ {
++ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ return (-1);
++ }
+ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
++ }
+ else
+ {
+ if (prev_readsize < buffsize)
++ {
++ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
++ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ return (-1);
++ }
+ new_buff = _TIFFrealloc(read_buff, buffsize);
+ if (!new_buff)
+ {
+@@ -8923,6 +8936,11 @@ reverseSamplesBytes (uint16 spp, uint16
+ }
+
+ bytes_per_pixel = ((bps * spp) + 7) / 8;
++ if( bytes_per_pixel > sizeof(swapbuff) )
++ {
++ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
++ return (1);
++ }
+ switch (bps / 8)
+ {
+ case 8: /* Use memcpy for multiple bytes per sample data */
diff -Nru tiff-4.0.2/debian/patches/0052-CVE-2016-9535.patch tiff-4.0.2/debian/patches/0052-CVE-2016-9535.patch
--- tiff-4.0.2/debian/patches/0052-CVE-2016-9535.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0052-CVE-2016-9535.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,402 @@
+Description: fix for CVE-2016-9535, a merge of 3ca657a8793dd011bf869695d72ad31c779c3cc1 and 6a984bf7905c6621281588431f384e79d11a2e33 upstream
+
+Subject: [PATCH] * libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
+ assertions by runtime checks to avoid assertions in debug mode, or buffer
+ overflows in release mode. Can happen when dealing with unusual tile size
+ like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
+ Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+Subject: [PATCH] * libtiff/tif_predic.c: fix memory leaks in error code paths
+ added in previous commit (fix for MSVR 35105)
+
+Note that the swab* functions were refactored to follow upstream to
+simplify the patch and ease possible future fixes.
+
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -34,16 +34,16 @@
+
+ #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
+
+-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
+ static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+ static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+ static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
+@@ -239,13 +239,19 @@ PredictorSetupEncode(TIFF* tif)
+ case 0: ; \
+ }
+
+-static void
++static int
+ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+
+ char* cp = (char*) cp0;
+- assert((cc%stride)==0);
++ if((cc%stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
++ "%s", "(cc%stride)!=0");
++ return 0;
++ }
++
+ if (cc > stride) {
+ /*
+ * Pipeline the most common cases.
+@@ -287,35 +293,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t
+ } while (cc>0);
+ }
+ }
++ return 1;
+ }
+
+-static void
++static int
+ swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+- tmsize_t stride = PredictorState(tif)->stride;
+ uint16* wp = (uint16*) cp0;
+ tmsize_t wc = cc / 2;
+
+- assert((cc%(2*stride))==0);
+-
+- if (wc > stride) {
+- TIFFSwabArrayOfShort(wp, wc);
+- wc -= stride;
+- do {
+- REPEAT4(stride, wp[stride] += wp[0]; wp++)
+- wc -= stride;
+- } while (wc > 0);
+- }
++ TIFFSwabArrayOfShort(wp, wc);
++ return horAcc16(tif, cp0, cc);
+ }
+
+-static void
++static int
+ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+ uint16* wp = (uint16*) cp0;
+ tmsize_t wc = cc / 2;
+
+- assert((cc%(2*stride))==0);
++ if((cc%(2*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
++ "%s", "cc%(2*stride))!=0");
++ return 0;
++ }
+
+ if (wc > stride) {
+ wc -= stride;
+@@ -324,35 +327,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t
+ wc -= stride;
+ } while (wc > 0);
+ }
++ return 1;
+ }
+
+-static void
++static int
+ swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+- tmsize_t stride = PredictorState(tif)->stride;
+ uint32* wp = (uint32*) cp0;
+ tmsize_t wc = cc / 4;
+
+- assert((cc%(4*stride))==0);
+-
+- if (wc > stride) {
+- TIFFSwabArrayOfLong(wp, wc);
+- wc -= stride;
+- do {
+- REPEAT4(stride, wp[stride] += wp[0]; wp++)
+- wc -= stride;
+- } while (wc > 0);
+- }
++ TIFFSwabArrayOfLong(wp, wc);
++ return horAcc32(tif, cp0, cc);
+ }
+
+-static void
++static int
+ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+ uint32* wp = (uint32*) cp0;
+ tmsize_t wc = cc / 4;
+
+- assert((cc%(4*stride))==0);
++ if((cc%(4*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
++ "%s", "cc%(4*stride))!=0");
++ return 0;
++ }
+
+ if (wc > stride) {
+ wc -= stride;
+@@ -361,12 +361,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t
+ wc -= stride;
+ } while (wc > 0);
+ }
++ return 1;
+ }
+
+ /*
+ * Floating point predictor accumulation routine.
+ */
+-static void
++static int
+ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+@@ -374,12 +375,18 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc
+ tmsize_t wc = cc / bps;
+ tmsize_t count = cc;
+ uint8 *cp = (uint8 *) cp0;
+- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
++ uint8 *tmp;
+
+- assert((cc%(bps*stride))==0);
++ if(cc%(bps*stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
++ "%s", "cc%(bps*stride))!=0");
++ return 0;
++ }
+
++ tmp = (uint8 *)_TIFFmalloc(cc);
+ if (!tmp)
+- return;
++ return 0;
+
+ while (count > stride) {
+ REPEAT4(stride, cp[stride] += cp[0]; cp++)
+@@ -400,6 +407,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc
+ }
+ }
+ _TIFFfree(tmp);
++ return 1;
+ }
+
+ /*
+@@ -415,8 +423,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0
+ assert(sp->decodepfunc != NULL);
+
+ if ((*sp->decoderow)(tif, op0, occ0, s)) {
+- (*sp->decodepfunc)(tif, op0, occ0);
+- return 1;
++ return (*sp->decodepfunc)(tif, op0, occ0);
+ } else
+ return 0;
+ }
+@@ -439,10 +446,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op
+ if ((*sp->decodetile)(tif, op0, occ0, s)) {
+ tmsize_t rowsize = sp->rowsize;
+ assert(rowsize > 0);
+- assert((occ0%rowsize)==0);
++ if((occ0%rowsize) !=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
++ "%s", "occ0%rowsize != 0");
++ return 0;
++ }
+ assert(sp->decodepfunc != NULL);
+ while (occ0 > 0) {
+- (*sp->decodepfunc)(tif, op0, rowsize);
++ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
++ return 0;
+ occ0 -= rowsize;
+ op0 += rowsize;
+ }
+@@ -451,14 +464,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op
+ return 0;
+ }
+
+-static void
++static int
+ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ TIFFPredictorState* sp = PredictorState(tif);
+ tmsize_t stride = sp->stride;
+ char* cp = (char*) cp0;
+
+- assert((cc%stride)==0);
++ if((cc%stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
++ "%s", "(cc%stride)!=0");
++ return 0;
++ }
+
+ if (cc > stride) {
+ cc -= stride;
+@@ -496,9 +514,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t
+ } while ((cc -= stride) > 0);
+ }
+ }
++ return 1;
+ }
+
+-static void
++static int
+ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ TIFFPredictorState* sp = PredictorState(tif);
+@@ -506,7 +525,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_
+ int16 *wp = (int16*) cp0;
+ tmsize_t wc = cc/2;
+
+- assert((cc%(2*stride))==0);
++ if((cc%(2*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
++ "%s", "(cc%(2*stride))!=0");
++ return 0;
++ }
+
+ if (wc > stride) {
+ wc -= stride;
+@@ -516,9 +540,10 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_
+ wc -= stride;
+ } while (wc > 0);
+ }
++ return 1;
+ }
+
+-static void
++static int
+ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ TIFFPredictorState* sp = PredictorState(tif);
+@@ -526,7 +551,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_
+ int32 *wp = (int32*) cp0;
+ tmsize_t wc = cc/4;
+
+- assert((cc%(4*stride))==0);
++ if((cc%(4*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
++ "%s", "(cc%(4*stride))!=0");
++ return 0;
++ }
+
+ if (wc > stride) {
+ wc -= stride;
+@@ -536,12 +566,13 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_
+ wc -= stride;
+ } while (wc > 0);
+ }
++ return 1;
+ }
+
+ /*
+ * Floating point predictor differencing routine.
+ */
+-static void
++static int
+ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+@@ -549,12 +580,18 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t c
+ tmsize_t wc = cc / bps;
+ tmsize_t count;
+ uint8 *cp = (uint8 *) cp0;
+- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
++ uint8 *tmp;
+
+- assert((cc%(bps*stride))==0);
++ if((cc%(bps*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
++ "%s", "(cc%(bps*stride))!=0");
++ return 0;
++ }
+
++ tmp = (uint8 *)_TIFFmalloc(cc);
+ if (!tmp)
+- return;
++ return 0;
+
+ _TIFFmemcpy(tmp, cp0, cc);
+ for (count = 0; count < wc; count++) {
+@@ -574,6 +611,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t c
+ cp += cc - stride - 1;
+ for (count = cc; count > stride; count -= stride)
+ REPEAT4(stride, cp[stride] -= cp[0]; cp--)
++ return 1;
+ }
+
+ static int
+@@ -586,7 +624,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp,
+ assert(sp->encoderow != NULL);
+
+ /* XXX horizontal differencing alters user's data XXX */
+- (*sp->encodepfunc)(tif, bp, cc);
++ if( !(*sp->encodepfunc)(tif, bp, cc) )
++ return 0;
+ return (*sp->encoderow)(tif, bp, cc, s);
+ }
+
+@@ -621,7 +660,13 @@ PredictorEncodeTile(TIFF* tif, uint8* bp
+
+ rowsize = sp->rowsize;
+ assert(rowsize > 0);
+- assert((cc0%rowsize)==0);
++ if((cc0%rowsize)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
++ "%s", "(cc0%rowsize)!=0");
++ _TIFFfree( working_copy );
++ return 0;
++ }
+ while (cc > 0) {
+ (*sp->encodepfunc)(tif, bp, rowsize);
+ cc -= rowsize;
+--- a/libtiff/tif_predict.h
++++ b/libtiff/tif_predict.h
+@@ -30,6 +30,8 @@
+ * ``Library-private'' Support for the Predictor Tag
+ */
+
++typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
++
+ /*
+ * Codecs that want to support the Predictor tag must place
+ * this structure first in their private state block so that
+@@ -43,12 +45,12 @@ typedef struct {
+ TIFFCodeMethod encoderow; /* parent codec encode/decode row */
+ TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
+ TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
+- TIFFPostMethod encodepfunc; /* horizontal differencer */
++ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
+
+ TIFFCodeMethod decoderow; /* parent codec encode/decode row */
+ TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
+ TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
+- TIFFPostMethod decodepfunc; /* horizontal accumulator */
++ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
+
+ TIFFVGetMethod vgetparent; /* super-class method */
+ TIFFVSetMethod vsetparent; /* super-class method */
diff -Nru tiff-4.0.2/debian/patches/0053-CVE-2016-9538.patch tiff-4.0.2/debian/patches/0053-CVE-2016-9538.patch
--- tiff-4.0.2/debian/patches/0053-CVE-2016-9538.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0053-CVE-2016-9538.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,54 @@
+From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 8 Oct 2016 15:04:31 +0000
+Subject: [PATCH] * tools/tiffcp.c: fix read of undefined variable in case of
+ missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
+ fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
+ overflow. Probably not a security issue but I can be wrong. Reported as MSVR
+ 35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
+
+---
+ ChangeLog | 9 +++++++++
+ tools/tiffcp.c | 4 ++--
+ tools/tiffcrop.c | 9 ++++++---
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -586,8 +586,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+- uint16 bitspersample, samplesperpixel;
+- uint16 input_compression, input_photometric;
++ uint16 bitspersample, samplesperpixel = 1;
++ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ copyFunc cf;
+ uint32 width, length;
+ struct cpTag* p;
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -3659,7 +3659,7 @@ static int readContigStripsIntoBuffer (T
+ {
+ uint8* bufp = buf;
+ int32 bytes_read = 0;
+- uint16 strip, nstrips = TIFFNumberOfStrips(in);
++ uint32 strip, nstrips = TIFFNumberOfStrips(in);
+ uint32 stripsize = TIFFStripSize(in);
+ uint32 rows = 0;
+ uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
+@@ -4738,9 +4738,12 @@ static int readSeparateStripsIntoBuffer
+ uint32 width, uint16 spp,
+ struct dump_opts *dump)
+ {
+- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
++ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
++ uint32 j;
+ int32 bytes_read = 0;
+- uint16 bps, nstrips, planar, strips_per_sample;
++ uint16 bps, planar;
++ uint32 nstrips;
++ uint32 strips_per_sample;
+ uint32 src_rowsize, dst_rowsize, rows_processed, rps;
+ uint32 rows_this_strip = 0;
+ tsample_t s;
diff -Nru tiff-4.0.2/debian/patches/0054-CVE-2016-9540.patch tiff-4.0.2/debian/patches/0054-CVE-2016-9540.patch
--- tiff-4.0.2/debian/patches/0054-CVE-2016-9540.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0054-CVE-2016-9540.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,32 @@
+From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 8 Oct 2016 15:54:56 +0000
+Subject: [PATCH] * tools/tiffcp.c: fix out-of-bounds write on tiled images
+ with odd tile width vs image width. Reported as MSVR 35103 by Axel Souchet
+ and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+
+---
+ ChangeLog | 7 +++++++
+ tools/tiffcp.c | 4 ++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1332,7 +1332,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+ uint32 colb = 0;
+ uint32 col;
+
+- for (col = 0; col < imagewidth; col += tw) {
++ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
+ if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
+ && !ignore) {
+ TIFFError(TIFFFileName(in),
+@@ -1517,7 +1517,7 @@ DECLAREwriteFunc(writeBufferToContigTile
+ uint32 colb = 0;
+ uint32 col;
+
+- for (col = 0; col < imagewidth; col += tw) {
++ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
+ /*
+ * Tile is clipped horizontally. Calculate
+ * visible portion and skewing factors.
diff -Nru tiff-4.0.2/debian/patches/0055-CVE-2016-10092.patch tiff-4.0.2/debian/patches/0055-CVE-2016-10092.patch
--- tiff-4.0.2/debian/patches/0055-CVE-2016-10092.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0055-CVE-2016-10092.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,24 @@
+From 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:35:56 +0000
+Subject: [PATCH] * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i
+ (ignore) mode so that the output buffer is correctly incremented to avoid
+ write outside bounds. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2620
+
+---
+ ChangeLog | 7 +++++++
+ tools/tiffcrop.c | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -3679,7 +3679,7 @@ static int readContigStripsIntoBuffer (T
+ (unsigned long) strip, (unsigned long)rows);
+ return 0;
+ }
+- bufp += bytes_read;
++ bufp += stripsize;
+ }
+
+ return 1;
diff -Nru tiff-4.0.2/debian/patches/0056-CVE-2016-10093.patch tiff-4.0.2/debian/patches/0056-CVE-2016-10093.patch
--- tiff-4.0.2/debian/patches/0056-CVE-2016-10093.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0056-CVE-2016-10093.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,41 @@
+From 787c0ee906430b772f33ca50b97b8b5ca070faec Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 16:40:01 +0000
+Subject: [PATCH] * tools/tiffcp.c: fix uint32 underflow/overflow that can
+ cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2610
+
+---
+ ChangeLog | 7 +++++++
+ tools/tiffcp.c | 6 +++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1157,7 +1157,7 @@ bad:
+
+ static void
+ cpStripToTile(uint8* out, uint8* in,
+- uint32 rows, uint32 cols, int outskew, int inskew)
++ uint32 rows, uint32 cols, int outskew, int64 inskew)
+ {
+ while (rows-- > 0) {
+ uint32 j = cols;
+@@ -1314,7 +1314,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+ tdata_t tilebuf;
+ uint32 imagew = TIFFScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew;
++ int64 iskew = (int64)imagew - (int64)tilew;
+ uint8* bufp = (uint8*) buf;
+ uint32 tw, tl;
+ uint32 row;
+@@ -1342,7 +1342,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe
+ status = 0;
+ goto done;
+ }
+- if (colb + tilew > imagew) {
++ if (colb > iskew) {
+ uint32 width = imagew - colb;
+ uint32 oskew = tilew - width;
+ cpStripToTile(bufp + colb,
diff -Nru tiff-4.0.2/debian/patches/0057-CVE-2017-5225.patch tiff-4.0.2/debian/patches/0057-CVE-2017-5225.patch
--- tiff-4.0.2/debian/patches/0057-CVE-2017-5225.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0057-CVE-2017-5225.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,67 @@
+From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 19:25:44 +0000
+Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
+ and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
+ overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+---
+ ChangeLog | 7 +++++++
+ tools/tiffcp.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -586,7 +586,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+- uint16 bitspersample, samplesperpixel = 1;
++ uint16 bitspersample = 1, samplesperpixel = 1;
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ copyFunc cf;
+ uint32 width, length;
+@@ -1062,6 +1062,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpContig2SeparateByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1115,6 +1125,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpSeparate2ContigByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1757,7 +1777,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16
+ uint32 w, l, tw, tl;
+ int bychunk;
+
+- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ fprintf(stderr,
+ "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
diff -Nru tiff-4.0.2/debian/patches/0058-CVE-2016-3622.patch tiff-4.0.2/debian/patches/0058-CVE-2016-3622.patch
--- tiff-4.0.2/debian/patches/0058-CVE-2016-3622.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0058-CVE-2016-3622.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,101 @@
+From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
+From: bfriesen <bfriesen>
+Date: Sat, 24 Sep 2016 23:11:55 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
+ to read floating point images.
+
+* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+requirements of floating point predictor (3). Fixes CVE-2016-3622
+"Divide By Zero in the tiff2rgba tool."
+
+places where it isn't done currently, but it seems this patch is enough.
+---
+ ChangeLog | 11 ++++++++++-
+ libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
+ libtiff/tif_predict.c | 11 ++++++++++-
+ 3 files changed, 40 insertions(+), 20 deletions(-)
+
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
+ td->td_bitspersample);
+ return (0);
+ }
++ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
++ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
++ return (0);
++ }
+ colorchannels = td->td_samplesperpixel - td->td_extrasamples;
+ if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
+ switch (colorchannels) {
+@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
+- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+- {
+- sprintf(emsg,
+- "Sorry, can not handle image with %s=%d, %s=%d",
+- "Samples/pixel", td->td_samplesperpixel,
+- "colorchannels", colorchannels);
+- return 0;
+- }
++ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
++ return 0;
++ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+- {
+- sprintf(emsg,
+- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+- "Samples/pixel", td->td_samplesperpixel,
+- "colorchannels", colorchannels,
+- "Bits/sample", td->td_bitspersample);
+- return 0;
+- }
++ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
++ "Bits/sample", td->td_bitspersample);
++ return 0;
++ }
+ break;
+- default:
++ default:
+ sprintf(emsg, "Sorry, can not handle image with %s=%d",
+ photoTag, photometric);
+ return (0);
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -78,6 +78,15 @@ PredictorSetup(TIFF* tif)
+ td->td_sampleformat);
+ return 0;
+ }
++ if (td->td_bitspersample != 16
++ && td->td_bitspersample != 24
++ && td->td_bitspersample != 32
++ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Floating point \"Predictor\" not supported with %d-bit samples",
++ td->td_bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -172,7 +181,7 @@ PredictorSetupDecode(TIFF* tif)
+ }
+ /*
+ * Allocate buffer to keep the decoded bytes before
+- * rearranging in the ight order
++ * rearranging in the right order
+ */
+ }
+
diff -Nru tiff-4.0.2/debian/patches/0059-CVE-2016-3624.patch tiff-4.0.2/debian/patches/0059-CVE-2016-3624.patch
--- tiff-4.0.2/debian/patches/0059-CVE-2016-3624.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0059-CVE-2016-3624.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,27 @@
+From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 21:26:56 +0000
+Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
+ to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
+
+---
+ ChangeLog | 5 +++++
+ tools/rgb2ycbcr.c | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+--- a/tools/rgb2ycbcr.c
++++ b/tools/rgb2ycbcr.c
+@@ -93,9 +93,13 @@ main(int argc, char* argv[])
+ break;
+ case 'h':
+ horizSubSampling = atoi(optarg);
++ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
++ usage(-1);
+ break;
+ case 'v':
+ vertSubSampling = atoi(optarg);
++ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
++ usage(-1);
+ break;
+ case 'r':
+ rowsperstrip = atoi(optarg);
diff -Nru tiff-4.0.2/debian/patches/0060-CVE-2016-3990.patch tiff-4.0.2/debian/patches/0060-CVE-2016-3990.patch
--- tiff-4.0.2/debian/patches/0060-CVE-2016-3990.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0060-CVE-2016-3990.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,33 @@
+From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 20:49:48 +0000
+Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
+ PixarLogEncode if more input samples are provided than expected by
+ PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
+ simpler check. (bugzilla #2544)
+
+invalid tests that rejected valid files. (bugzilla #2545)
+---
+ ChangeLog | 10 +++++++++-
+ libtiff/tif_pixarlog.c | 7 +++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index e78f788..28329d1 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ }
+
+ llen = sp->stride * td->td_imagewidth;
++ /* Check against the number of elements (of size uint16) of sp->tbuf */
++ if( n > td->td_rowsperstrip * llen )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Too many input bytes provided");
++ return 0;
++ }
+
+ for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
+ switch (sp->user_datafmt) {
diff -Nru tiff-4.0.2/debian/patches/0061-bug-846837.patch tiff-4.0.2/debian/patches/0061-bug-846837.patch
--- tiff-4.0.2/debian/patches/0061-bug-846837.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0061-bug-846837.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,97 @@
+From 9a72a69e035ee70ff5c41541c8c61cd97990d018 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:02:15 +0000
+Subject: [PATCH] * libtiff/tif_dirread.c: modify
+ ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
+ TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
+ the total size of data. Which is faulty is the total size of data is not
+ sufficient to fill the whole image, and thus results in reading outside of
+ the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
+ by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+the above change is a better fix that makes it unnecessary.
+---
+ ChangeLog | 15 +++++++++++++++
+ libtiff/tif_dirread.c | 22 ++++++++++------------
+ libtiff/tif_strip.c | 9 ---------
+ 3 files changed, 25 insertions(+), 21 deletions(-)
+
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5498,8 +5498,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ uint64 rowblockbytes;
+ uint64 stripbytes;
+ uint32 strip;
+- uint64 nstrips64;
+- uint32 nstrips32;
++ uint32 nstrips;
+ uint32 rowsperstrip;
+ uint64* newcounts;
+ uint64* newoffsets;
+@@ -5530,18 +5529,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ return;
+
+ /*
+- * never increase the number of strips in an image
++ * never increase the number of rows per strip
+ */
+ if (rowsperstrip >= td->td_rowsperstrip)
+ return;
+- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+- return;
+- nstrips32 = (uint32)nstrips64;
++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++ if( nstrips == 0 )
++ return;
+
+- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripOffsets\" array");
+ if (newcounts == NULL || newoffsets == NULL) {
+ /*
+@@ -5558,18 +5556,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ * Fill the strip information arrays with new bytecounts and offsets
+ * that reflect the broken-up format.
+ */
+- for (strip = 0; strip < nstrips32; strip++) {
++ for (strip = 0; strip < nstrips; strip++) {
+ if (stripbytes > bytecount)
+ stripbytes = bytecount;
+ newcounts[strip] = stripbytes;
+- newoffsets[strip] = offset;
++ newoffsets[strip] = stripbytes ? offset : 0;
+ offset += stripbytes;
+ bytecount -= stripbytes;
+ }
+ /*
+ * Replace old single strip info with multi-strip info.
+ */
+- td->td_stripsperimage = td->td_nstrips = nstrips32;
++ td->td_stripsperimage = td->td_nstrips = nstrips;
+ TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+ _TIFFfree(td->td_stripbytecount);
+--- a/libtiff/tif_strip.c
++++ b/libtiff/tif_strip.c
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
+ TIFFDirectory *td = &tif->tif_dir;
+ uint32 nstrips;
+
+- /* If the value was already computed and store in td_nstrips, then return it,
+- since ChopUpSingleUncompressedStrip might have altered and resized the
+- since the td_stripbytecount and td_stripoffset arrays to the new value
+- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+- tif_dirread.c ~line 3612.
+- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+- if( td->td_nstrips )
+- return td->td_nstrips;
+-
+ nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff -Nru tiff-4.0.2/debian/patches/0062-CVE-2016-3945.patch tiff-4.0.2/debian/patches/0062-CVE-2016-3945.patch
--- tiff-4.0.2/debian/patches/0062-CVE-2016-3945.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/0062-CVE-2016-3945.patch 2017-01-17 15:05:14.000000000 -0500
@@ -0,0 +1,92 @@
+From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:05:49 +0200
+Subject: [PATCH 5/8] Fix CVE-2016-3945
+
+---
+ tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 737167c..5228966 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ uint32 row, col;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ rastersize = tile_width * tile_height * sizeof (uint32);
++ if (width != (tile_width / tile_height) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++ wrk_linesize = tile_width * sizeof (uint32);
++ if (wrk_linesize != tile_width / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
+@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ uint32 row;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ rastersize = width * rowsperstrip * sizeof (uint32);
++ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++ wrk_linesize = width * sizeof (uint32);
++ if (wrk_linesize != width / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
+--
+2.7.4
+
diff -Nru tiff-4.0.2/debian/patches/series tiff-4.0.2/debian/patches/series
--- tiff-4.0.2/debian/patches/series 2016-11-22 06:03:09.000000000 -0500
+++ tiff-4.0.2/debian/patches/series 2017-01-17 15:05:14.000000000 -0500
@@ -45,3 +45,18 @@
0045-CVE-2016-9273.patch
0046-CVE-2016-9297.patch
0047-CVE-2016-9532.patch
+0048-CVE-2016-9533.patch
+0049-CVE-2016-9534.patch
+0050-CVE-2016-9536.patch
+0051-CVE-2016-9537.patch
+0052-CVE-2016-9535.patch
+0053-CVE-2016-9538.patch
+0054-CVE-2016-9540.patch
+0055-CVE-2016-10092.patch
+0056-CVE-2016-10093.patch
+0057-CVE-2017-5225.patch
+0058-CVE-2016-3622.patch
+0059-CVE-2016-3624.patch
+0060-CVE-2016-3990.patch
+0061-bug-846837.patch
+0062-CVE-2016-3945.patch
Reply to: