authorSamuli Suominen <ssuominen@gentoo.org>2010-02-26 20:31:34 +0000
committerSamuli Suominen <ssuominen@gentoo.org>2010-02-26 20:31:34 +0000
commit405f7893035cbc5301b05a6f09f838f643bbe650 (patch)
treea38ee8750150c23756adfedf15299859190839e1 /media-libs
parentBump (diff)
Fix CVE-2009-2347 again wrt security #307001.
(Portage version: 2.2_rc63/cvs/Linux x86_64)
Diffstat (limited to 'media-libs')
-rw-r--r--media-libs/tiff/ChangeLog8
-rw-r--r--media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch89
-rw-r--r--media-libs/tiff/tiff-3.9.2-r1.ebuild53
3 files changed, 149 insertions, 1 deletions
diff --git a/media-libs/tiff/ChangeLog b/media-libs/tiff/ChangeLog
index e99404cb2a91..96213b510a53 100644
--- a/media-libs/tiff/ChangeLog
+++ b/media-libs/tiff/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for media-libs/tiff
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/ChangeLog,v 1.144 2010/01/22 17:19:11 ssuominen Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/ChangeLog,v 1.145 2010/02/26 20:31:32 ssuominen Exp $
+
+*tiff-3.9.2-r1 (26 Feb 2010)
+
+ 26 Feb 2010; Samuli Suominen <ssuominen@gentoo.org> +tiff-3.9.2-r1.ebuild,
+ +files/tiff-3.9.2-CVE-2009-2347.patch:
+ Fix CVE-2009-2347 again wrt security #307001.
22 Jan 2010; Samuli Suominen <ssuominen@gentoo.org> tiff-3.9.2.ebuild:
Require SLOT="0" of media-libs/jpeg for headers.
diff --git a/media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch b/media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch
new file mode 100644
index 000000000000..8d30334da380
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch
@@ -0,0 +1,89 @@
+http://bugs.gentoo.org/show_bug.cgi?id=307001
+http://bugzilla.maptools.org/show_bug.cgi?id=2079
+
+--- tools/tiff2rgba.c
++++ tools/tiff2rgba.c
+@@ -125,6 +125,17 @@
+ return (0);
+ }
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+
+@@ -134,6 +145,7 @@
+ uint32 tile_width, tile_height;
+ uint32 row, col;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -151,7 +163,14 @@
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) tile_width, (unsigned long) tile_height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -159,7 +178,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -236,6 +255,7 @@
+ uint32 width, height; /* image width & height */
+ uint32 row;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -251,7 +271,14 @@
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) rowsperstrip);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -259,7 +286,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ if (!wrk_line) {
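Review bot: The overflow test in `multiply()` runs after the multiplication and on `tsize_t` operands, so if `tsize_t` is a signed 32-bit type (as I believe it is in libtiff 3.9; the typedef is not shown here) the `uint32` dimensions passed from `cvt_by_tile` and `cvt_by_strip` are converted to signed before the check sees them. Dimensions with the top bit set would then arrive as negative values, and the product of two negative values can be a small positive number that satisfies `prod / m1 != m2` being false, while a product that really overflows is undefined behaviour for a signed type and the compiler may assume it away. I would reject non-positive operands and test before multiplying, for example `if (m1 <= 0 || m2 <= 0 || m1 > 0x7fffffff / m2) return 0;` followed by `return m1 * m2;` (the bound assumes a 32-bit `tsize_t`). The added comment "Request can't overflow given prior checks" on the two `wrk_line` allocations only holds once the check is sound for the full `uint32` range. The bodies of `cvt_by_tile` and `cvt_by_strip` continue outside the context shown, so later uses of `raster` cannot be checked from this hunk.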
diff --git a/media-libs/tiff/tiff-3.9.2-r1.ebuild b/media-libs/tiff/tiff-3.9.2-r1.ebuild
new file mode 100644
index 000000000000..bad4e457d06a
--- /dev/null
+++ b/media-libs/tiff/tiff-3.9.2-r1.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/tiff-3.9.2-r1.ebuild,v 1.1 2010/02/26 20:31:32 ssuominen Exp $
+
+EAPI=2
+inherit eutils libtool
+
+DESCRIPTION="Library for manipulation of TIFF (Tag Image File Format) images"
+HOMEPAGE="http://www.remotesensing.org/libtiff/"
+SRC_URI="ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="jpeg jbig +cxx zlib"
+
+DEPEND="jpeg? ( >=media-libs/jpeg-6b:0 )
+ jbig? ( media-libs/jbigkit )
+ zlib? ( sys-libs/zlib )"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-3.8.2-CVE-2009-2285.patch \
+ "${FILESDIR}"/${P}-CVE-2009-2347.patch
+ elibtoolize
+}
+
+src_configure() {
+ use prefix || EPREFIX=
+ econf \
+ --disable-dependency-tracking \
+ $(use_enable cxx) \
+ $(use_enable zlib) \
+ $(use_enable jpeg) \
+ $(use_enable jbig) \
+ --without-x \
+ --with-docdir="${EPREFIX}"/usr/share/doc/${PF}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die
+ dodoc ChangeLog README TODO
+}
+
+pkg_postinst() {
+ if use jbig; then
+ echo
+ elog "JBIG support is intended for Hylafax fax compression, so we"
+ elog "really need more feedback in other areas (most testing has"
+ elog "been done with fax). Be sure to recompile anything linked"
+ elog "against tiff if you rebuild it with jbig support."
+ echo
+ fi
+}
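Review bot: `dodoc ChangeLog README TODO` in `src_install` has no failure check, unlike the `emake DESTDIR="${D}" install || die` on the line before it. Under EAPI 2 the install helpers do not abort the build on their own, so a missing documentation file would pass silently. Writing it as `dodoc ChangeLog README TODO || die` keeps the two lines consistent.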