Mercurial Mercurial > upstream > oracle > spec-files / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
2012-04-23 Padraig O'Briain <[email protected]> gnome-2-30-s11update S11U1_15
authorpadraig
Mon, 23 Apr 2012 07:10:23 +0000
branchgnome-2-30-s11update
changeset 22399 14250a5ebbce
parent 22398 e3d6b5d5325f
child 22400 482746451042
2012-04-23 Padraig O'Briain <[email protected]> CR 7158160 Problem with gnome/libraries RTI 362135 * specs/SUNWTiff.spec: * patches/tiff-01-CVE-2012-1173.diff:
ChangeLog file | annotate | diff | comparison | revisions
patches/tiff-01-CVE-2012-1173.diff file | annotate | diff | comparison | revisions
specs/SUNWTiff.spec file | annotate | diff | comparison | revisions 
--- a/ChangeLog	Mon Apr 23 03:14:56 2012 +0000
+++ b/ChangeLog	Mon Apr 23 07:10:23 2012 +0000
@@ -1,3 +1,10 @@
+2012-04-23  Padraig O'Briain  <[email protected]>
+
+	CR 7158160 Problem with gnome/libraries
+	RTI 362135
+	* specs/SUNWTiff.spec:
+	* patches/tiff-01-CVE-2012-1173.diff:
+
 2012-04-20  Jeff Cai  <[email protected]>
 
         Fix CR #7151417 - File-roller crashes when creating an 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/tiff-01-CVE-2012-1173.diff	Mon Apr 23 07:10:23 2012 +0000
@@ -0,0 +1,66 @@
+--- libtiff/tif_getimage.c.orig	2012-04-19 08:49:47.367361776 +0100
++++ libtiff/tif_getimage.c	2012-04-19 09:42:41.967552598 +0100
+@@ -673,18 +673,24 @@
+ 	unsigned char* p2;
+ 	unsigned char* pa;
+ 	tsize_t tilesize;
++	tsize_t bufsize;
+ 	int32 fromskew, toskew;
+ 	int alpha = img->alpha;
+ 	uint32 nrow;
+ 	int ret = 1, flip;
+ 
+ 	tilesize = TIFFTileSize(tif);
+-	buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
++	bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
++	if (bufsize == 0) {
++		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
++		return (0);
++	}
++	buf = (unsigned char*) _TIFFmalloc(bufsize);
+ 	if (buf == 0) {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ 		return (0);
+ 	}
+-	_TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
++	_TIFFmemset(buf, 0, bufsize);
+ 	p0 = buf;
+ 	p1 = p0 + tilesize;
+ 	p2 = p1 + tilesize;
+@@ -880,17 +886,23 @@
+ 	uint32 rowsperstrip, offset_row;
+ 	uint32 imagewidth = img->width;
+ 	tsize_t stripsize;
++	tsize_t bufsize;
+ 	int32 fromskew, toskew;
+ 	int alpha = img->alpha;
+ 	int ret = 1, flip;
+ 
+ 	stripsize = TIFFStripSize(tif);
+-	p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
++	bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
++	if (bufsize == 0) {
++		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
++		return (0);
++	}
++	p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
+ 	if (buf == 0) {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ 		return (0);
+ 	}
+-	_TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
++	_TIFFmemset(buf, 0, bufsize);
+ 	p1 = p0 + stripsize;
+ 	p2 = p1 + stripsize;
+ 	pa = (alpha?(p2+stripsize):NULL);
+--- libtiff/tiffiop.h.orig	2012-04-19 08:50:17.752392827 +0100
++++ libtiff/tiffiop.h	2012-04-19 08:50:51.586979922 +0100
+@@ -246,7 +246,7 @@
+ #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
+ 
+ /* Safe multiply which returns zero if there is an integer overflow */
+-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+ 
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+ #define TIFFmin(A,B) ((A)<(B)?(A):(B))
--- a/specs/SUNWTiff.spec	Mon Apr 23 03:14:56 2012 +0000
+++ b/specs/SUNWTiff.spec	Mon Apr 23 07:10:23 2012 +0000
@@ -3,7 +3,7 @@
 #
 # includes module(s): tiff
 #
-# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -28,23 +28,23 @@
 SUNW_BaseDir:            %{_prefix}
 SUNW_Copyright:          %{name}.copyright
 BuildRoot:               %{_tmppath}/%{name}-%{version}-build
+# date:2012-04-19 owner:padraig type:bug bugster:7158160
+Patch1: tiff-01-CVE-2012-1173.diff
 
 %include default-depend.inc
 %include desktop-incorporation.inc
-Requires: SUNWlibms
-Requires: SUNWzlib
-BuildRequires: SUNWjpg
+Requires: system/library/math
+Requires: library/zlib
+BuildRequires: image/library/libjpeg
 
 %package devel
 Summary:                 %{summary} - development files
 SUNW_BaseDir:            %{_prefix}
-%include default-depend.inc
-%include desktop-incorporation.inc
-Requires: SUNWTiff
 
 %prep
 %setup -c -n %name-%version
 cd tiff-%{tarball_version}
+%patch1 -p0
 gzcat %SOURCE1 | tar -xf -
 
 %ifarch amd64 sparcv9
@@ -147,6 +147,8 @@
 %{_mandir}/man3tiff/*
 
 %changelog
+* Thu Apr 19 2012 - [email protected]
+- Added patch tiff-01-CVE-2012-1173.
 * Thu Mar 17 2011 - [email protected]
 - Added patch tiff-01-CVE-2011-0192.diff & tiff-01-CVE-2011-1167.diff to fix security vulnerability CVE-2011-0192 & CVE-2011-1167. 
 * Thu Jul 29 2010 - [email protected]
upstream/oracle/spec-files