authorfeld <feld@FreeBSD.org>2016-07-15 16:24:47 +0000
committerfeld <feld@FreeBSD.org>2016-07-15 16:24:47 +0000
commit413d8a96ade764f9ed61c9b944b855e86331d11a (patch)
treec95da9c901d1b2a6dd49103c78c80a5dc4ea25f6
parent0fe849870b10f0c59b6604c2186d930e71c535c9 (diff)
MFH: r418585
graphics/tiff: Patch vulnerabilities These two patches were obtained from OpenBSD. An additional CVE is not yet addressed, but upstream indicates they are removing the gif2tiff utility as the mitigation in the upcoming 4.0.7. PR: 211113 Security: CVE-2016-5875 Security: CVE-2016-3186 Approved by: ports-secteam (with hat)
-rw-r--r--graphics/tiff/Makefile2
-rw-r--r--graphics/tiff/files/patch-libtiff_tif__pixarlog.c34
-rw-r--r--graphics/tiff/files/patch-tools_gif2tiff.c14
3 files changed, 49 insertions, 1 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 16c8efb..c366e74 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -3,7 +3,7 @@
PORTNAME= tiff
PORTVERSION= 4.0.6
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://download.osgeo.org/libtiff/
diff --git a/graphics/tiff/files/patch-libtiff_tif__pixarlog.c b/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
new file mode 100644
index 0000000..4976524
--- /dev/null
+++ b/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
@@ -0,0 +1,34 @@
+CVE-2016-5875(, dup?)
+https://marc.info/?l=oss-security&m=146720235906569&w=2
+
+--- libtiff/tif_pixarlog.c.orig Sat Aug 29 00:16:22 2015
++++ libtiff/tif_pixarlog.c Fri Jul 1 13:04:52 2016
+@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid
+ typedef struct {
+ TIFFPredictorState predict;
+ z_stream stream;
++ tmsize_t tbuf_size; /* only set/used on reading for now */
+ uint16 *tbuf;
+ uint16 stride;
+ int state;
+@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
++ sp->tbuf_size = tbuf_size;
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin
+ if (sp->stream.avail_out != nsamples * sizeof(uint16))
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
++ return (0);
++ }
++ /* Check that we will not fill more than what was allocated */
++ if (sp->stream.avail_out > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ return (0);
+ }
+ do {
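Review bot: The added guard in PixarLogDecode compares `sp->stream.avail_out`, zlib's unsigned `uInt`, against the signed `tmsize_t` field `sp->tbuf_size`, and nothing in the patch states what unit the new field holds. The check just above it ties avail_out to `nsamples * sizeof(uint16)`, which suggests bytes, but the computation of `tbuf_size` in PixarLogSetupDecode is outside the hunk, so it should be confirmed that the stored value is also a byte count and never negative. I would document the field as `tmsize_t tbuf_size; /* allocated size of tbuf in bytes; set only in PixarLogSetupDecode */`. The guard depends on that single assignment, so any other path that allocates `tbuf` (the encode setup, presumably) would need to set the field before reusing the check. The error text `"sp->stream.avail_out > sp->tbuf_size"` names internal fields only; a message such as `"Decoded data would exceed the allocated buffer"` would be easier to triage from logs.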
diff --git a/graphics/tiff/files/patch-tools_gif2tiff.c b/graphics/tiff/files/patch-tools_gif2tiff.c
new file mode 100644
index 0000000..cba2d90
--- /dev/null
+++ b/graphics/tiff/files/patch-tools_gif2tiff.c
@@ -0,0 +1,14 @@
+CVE-2016-3186, patch from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1319666
+
+--- tools/gif2tiff.c.orig Fri Jul 1 13:11:43 2016
++++ tools/gif2tiff.c Fri Jul 1 13:12:07 2016
+@@ -349,7 +349,7 @@ readextension(void)
+ int status = 1;
+
+ (void) getc(infile);
+- while ((count = getc(infile)) && count <= 255)
++ while ((count = getc(infile)) && count >= 0 && count <= 255)
+ if (fread(buf, 1, count, infile) != (size_t) count) {
+ fprintf(stderr, "short read from file %s (%s)\n",
+ filename, strerror(errno));
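Review bot: With the added `count >= 0` test in readextension, an EOF from `getc` ends the loop exactly as the zero-length terminator block does, so a truncated extension is accepted silently unless code after the hunk checks for it. The `count <= 255` clause is also redundant once negatives are excluded, because `getc` returns either EOF or an unsigned char value. A clearer form is `while ((count = getc(infile)) != EOF && count != 0)`, followed by an explicit `if (count == EOF)` branch that reports the short read the way the `fread` failure path does. The declaration of `buf` and the rest of the function are outside the hunk, so it should be confirmed there that `buf` holds at least 255 bytes.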