From: Jiri Slachta <slachta@cesnet.cz>
Date: Wed, 28 Jan 2015 20:12:21 +0000 (+0100)
Subject: tiff: fix CVE-2014-9330
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=5b83e7cfa80341f0da96c6aa4b15c87447204260;p=feed%2Fpackages.git

tiff: fix CVE-2014-9330

Signed-off-by: Jiri Slachta <slachta@cesnet.cz>
---

diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile
index 6476c46d94..bccab8bf49 100644
--- a/libs/tiff/Makefile
+++ b/libs/tiff/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tiff
 PKG_VERSION:=4.0.3
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://download.osgeo.org/libtiff
diff --git a/libs/tiff/patches/017-CVE-2014-9330.patch b/libs/tiff/patches/017-CVE-2014-9330.patch
new file mode 100644
index 0000000000..acd0a331d0
--- /dev/null
+++ b/libs/tiff/patches/017-CVE-2014-9330.patch
@@ -0,0 +1,45 @@
+Description: CVE-2014-9330
+ Integer overflow in bmp2tiff
+Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
+Bug-Debian: http://bugs.debian.org/773987
+
+Index: tiff/tools/bmp2tiff.c
+===================================================================
+--- tiff.orig/tools/bmp2tiff.c
++++ tiff/tools/bmp2tiff.c
+@@ -1,4 +1,4 @@
+-/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
++/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
+  *
+  * Project:  libtiff tools
+  * Purpose:  Convert Windows BMP files in TIFF.
+@@ -403,6 +403,13 @@ main(int argc, char* argv[])
+ 
+ 		width = info_hdr.iWidth;
+ 		length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
++        if( width <= 0 || length <= 0 )
++        {
++            TIFFError(infilename,
++                  "Invalid dimensions of BMP file" );
++            close(fd);
++            return -1;
++        }
+ 
+ 		switch (info_hdr.iBitCount)
+ 		{
+@@ -593,6 +600,14 @@ main(int argc, char* argv[])
+ 
+ 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
+ 			uncompr_size = width * length;
++            /* Detect int overflow */
++            if( uncompr_size / width != length )
++            {
++                TIFFError(infilename,
++                    "Invalid dimensions of BMP file" );
++                close(fd);
++                return -1;
++            }
+ 			comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ 			if (!comprbuf) {
+ 				TIFFError(infilename,