# HG changeset patch # User an230044 # Date 1336970897 0 # Node ID cff59c39235fa9a039ee9169d0d518ed078396b2 # Parent 696a931d78474f02795a285cd9f73dd04c6a07ef 7158160 Problem with gnome/libraries diff -r 696a931d7847 -r cff59c39235f ChangeLog --- a/ChangeLog Tue May 08 11:43:49 2012 +0000 +++ b/ChangeLog Mon May 14 04:48:17 2012 +0000 @@ -1,3 +1,8 @@ +2012-05-14 Abhijit Nath + + * Added patches/tiff-01-CVE-2012-1173.diff + * Modified specs/SUNWTiff.spec to fix CR#7158160 + 2012-04-09 Leon Sha CR#7157311 Bump to 11.2.202.223. diff -r 696a931d7847 -r cff59c39235f patches/tiff-01-CVE-2012-1173.diff --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/tiff-01-CVE-2012-1173.diff Mon May 14 04:48:17 2012 +0000 @@ -0,0 +1,66 @@ +--- libtiff/tif_getimage.c.orig 2012-04-19 08:49:47.367361776 +0100 ++++ libtiff/tif_getimage.c 2012-04-19 09:42:41.967552598 +0100 +@@ -673,18 +673,24 @@ + unsigned char* p2; + unsigned char* pa; + tsize_t tilesize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + uint32 nrow; + int ret = 1, flip; + + tilesize = TIFFTileSize(tif); +- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); ++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); ++ return (0); ++ } ++ buf = (unsigned char*) _TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); ++ _TIFFmemset(buf, 0, bufsize); + p0 = buf; + p1 = p0 + tilesize; + p2 = p1 + tilesize; +@@ -880,17 +886,23 @@ + uint32 rowsperstrip, offset_row; + uint32 imagewidth = img->width; + tsize_t stripsize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + int ret = 1, flip; + + stripsize = TIFFStripSize(tif); +- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); ++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); ++ return (0); ++ } ++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); ++ _TIFFmemset(buf, 0, bufsize); + p1 = p0 + stripsize; + p2 = p1 + stripsize; + pa = (alpha?(p2+stripsize):NULL); +--- libtiff/tiffiop.h.orig 2012-04-19 08:50:17.752392827 +0100 ++++ libtiff/tiffiop.h 2012-04-19 08:50:51.586979922 +0100 +@@ -246,7 +246,7 @@ + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + + /* Safe multiply which returns zero if there is an integer overflow */ +-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) diff -r 696a931d7847 -r cff59c39235f specs/SUNWTiff.spec --- a/specs/SUNWTiff.spec Tue May 08 11:43:49 2012 +0000 +++ b/specs/SUNWTiff.spec Mon May 14 04:48:17 2012 +0000 @@ -3,7 +3,7 @@ # # includes module(s): tiff # -# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -28,23 +28,23 @@ SUNW_BaseDir: %{_prefix} SUNW_Copyright: %{name}.copyright BuildRoot: %{_tmppath}/%{name}-%{version}-build +# date:2012-04-19 owner:padraig type:bug bugster:7158160 +Patch1: tiff-01-CVE-2012-1173.diff %include default-depend.inc %include desktop-incorporation.inc -Requires: SUNWlibms -Requires: SUNWzlib -BuildRequires: SUNWjpg +Requires: system/library/math +Requires: library/zlib +BuildRequires: image/library/libjpeg %package devel Summary: %{summary} - development files SUNW_BaseDir: %{_prefix} -%include default-depend.inc -%include desktop-incorporation.inc -Requires: SUNWTiff %prep %setup -c -n %name-%version cd tiff-%{tarball_version} +%patch1 -p0 gzcat %SOURCE1 | tar -xf - %ifarch amd64 sparcv9 @@ -147,6 +147,8 @@ %{_mandir}/man3tiff/* %changelog +* Thu May 10 2012 - abhijit.nath@oracle.com +- Added patch tiff-01-CVE-2012-1173. * Thu Mar 17 2011 - abhijit.nath@oracle.com - Added patch tiff-01-CVE-2011-0192.diff & tiff-01-CVE-2011-1167.diff to fix security vulnerability CVE-2011-0192 & CVE-2011-1167. * Thu Jul 29 2010 - laszlo.peter@oracle.com