--- a/ChangeLog Tue May 08 11:43:49 2012 +0000
+++ b/ChangeLog Mon May 14 04:48:17 2012 +0000
@@ -1,3 +1,8 @@
+2012-05-14 Abhijit Nath <[email protected]>
+
+ * Added patches/tiff-01-CVE-2012-1173.diff
+ * Modified specs/SUNWTiff.spec to fix CR#7158160
+
2012-04-09 Leon Sha <[email protected]>
CR#7157311 Bump to 11.2.202.223.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/tiff-01-CVE-2012-1173.diff Mon May 14 04:48:17 2012 +0000
@@ -0,0 +1,66 @@
+--- libtiff/tif_getimage.c.orig 2012-04-19 08:49:47.367361776 +0100
++++ libtiff/tif_getimage.c 2012-04-19 09:42:41.967552598 +0100
+@@ -673,18 +673,24 @@
+ unsigned char* p2;
+ unsigned char* pa;
+ tsize_t tilesize;
++ tsize_t bufsize;
+ int32 fromskew, toskew;
+ int alpha = img->alpha;
+ uint32 nrow;
+ int ret = 1, flip;
+
+ tilesize = TIFFTileSize(tif);
+- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
++ if (bufsize == 0) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
++ return (0);
++ }
++ buf = (unsigned char*) _TIFFmalloc(bufsize);
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ return (0);
+ }
+- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
++ _TIFFmemset(buf, 0, bufsize);
+ p0 = buf;
+ p1 = p0 + tilesize;
+ p2 = p1 + tilesize;
+@@ -880,17 +886,23 @@
+ uint32 rowsperstrip, offset_row;
+ uint32 imagewidth = img->width;
+ tsize_t stripsize;
++ tsize_t bufsize;
+ int32 fromskew, toskew;
+ int alpha = img->alpha;
+ int ret = 1, flip;
+
+ stripsize = TIFFStripSize(tif);
+- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
++ if (bufsize == 0) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
++ return (0);
++ }
++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ return (0);
+ }
+- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
++ _TIFFmemset(buf, 0, bufsize);
+ p1 = p0 + stripsize;
+ p2 = p1 + stripsize;
+ pa = (alpha?(p2+stripsize):NULL);
+--- libtiff/tiffiop.h.orig 2012-04-19 08:50:17.752392827 +0100
++++ libtiff/tiffiop.h 2012-04-19 08:50:51.586979922 +0100
+@@ -246,7 +246,7 @@
+ #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
+
+ /* Safe multiply which returns zero if there is an integer overflow */
+-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+ #define TIFFmin(A,B) ((A)<(B)?(A):(B))
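Review bot: The overflow test in `TIFFSafeMultiply` still computes `(v)*(m)` first and then divides to see whether the product survived, so for a signed `t` the overflow it is meant to detect is undefined behaviour. libtiff declares `tsize_t` as a signed type (worth confirming for this release), and an optimising compiler is allowed to fold `((v)*(m))/(m) == (v)` to true and drop the check. The added parentheses do fix the precedence problem when `alpha?4:3` is passed as `v`, but the callers in gtTileSeparate and gtStripSeparate would be more robust with a bound check before the multiply, of the form `if (tilesize <= 0 || tilesize > TSIZE_MAX_PLACEHOLDER / 4)`, where the placeholder stands for the largest value of `tsize_t`. Such a guard would also reject a zero or negative result from `TIFFTileSize`/`TIFFStripSize` explicitly, instead of reporting a zero size as "Integer overflow". Both function bodies start and end outside the embedded hunks.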
--- a/specs/SUNWTiff.spec Tue May 08 11:43:49 2012 +0000
+++ b/specs/SUNWTiff.spec Mon May 14 04:48:17 2012 +0000
@@ -3,7 +3,7 @@
#
# includes module(s): tiff
#
-# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@@ -28,23 +28,23 @@
SUNW_BaseDir: %{_prefix}
SUNW_Copyright: %{name}.copyright
BuildRoot: %{_tmppath}/%{name}-%{version}-build
+# date:2012-04-19 owner:padraig type:bug bugster:7158160
+Patch1: tiff-01-CVE-2012-1173.diff
%include default-depend.inc
%include desktop-incorporation.inc
-Requires: SUNWlibms
-Requires: SUNWzlib
-BuildRequires: SUNWjpg
+Requires: system/library/math
+Requires: library/zlib
+BuildRequires: image/library/libjpeg
%package devel
Summary: %{summary} - development files
SUNW_BaseDir: %{_prefix}
-%include default-depend.inc
-%include desktop-incorporation.inc
-Requires: SUNWTiff
%prep
%setup -c -n %name-%version
cd tiff-%{tarball_version}
+%patch1 -p0
gzcat %SOURCE1 | tar -xf -
%ifarch amd64 sparcv9
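Review bot: The devel subpackage loses `%include default-depend.inc`, `%include desktop-incorporation.inc` and `Requires: SUNWTiff` in the same hunk that wires in `Patch1` and `%patch1 -p0`, and neither the ChangeLog entry nor the spec `%changelog` line mentions it. If the removal is intentional (for example because dependencies are resolved elsewhere in the build; not visible here), record it in `%changelog`, e.g. `- Renamed Requires to IPS package names; dropped explicit devel dependencies.`. Otherwise restore `Requires: SUNWTiff` so the development files stay tied to the patched library package. Keeping dependency renames out of the commit that carries the CVE fix would also make the security change easier to audit and backport.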
@@ -147,6 +147,8 @@
%{_mandir}/man3tiff/*
%changelog
+* Thu May 10 2012 - [email protected]
+- Added patch tiff-01-CVE-2012-1173.
* Thu Mar 17 2011 - [email protected]
- Added patch tiff-01-CVE-2011-0192.diff & tiff-01-CVE-2011-1167.diff to fix security vulnerability CVE-2011-0192 & CVE-2011-1167.
* Thu Jul 29 2010 - [email protected]