mirror/openwrt-packages
1
0
Fork 0
mirror of https://git.openwrt.org/feed/packages.git synced 2024-06-14 11:23:57 +02:00
Code Releases Activity

Merge pull request #5541 from micmac1/jiri-lede-17.01

Browse Source 
libssh2, libxslt, tiff: security bumps + fix (for lede-17.01)
This commit is contained in:
Jiri Slachta 2018-01-30 19:57:37 +01:00 committed by GitHub
commit ea967b5a71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 1169 additions and 413 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libs/libssh2/Makefile
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2015-2016 OpenWrt.org
# Copyright (C) 2015-2018 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libssh2
PKG_VERSION:=1.7.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.libssh2.org/download
PKG_SOURCE_URL:=https://www.libssh2.org/download
PKG_MD5SUM:=b01662a210e94cccf2f76094db7dac5c
PKG_INSTALL:=1
@ -26,7 +26,7 @@ define Package/libssh2
SECTION:=libs
CATEGORY:=Libraries
TITLE:=SSH2 library
URL:=http://www.libssh2.org/
URL:=https://www.libssh2.org/
DEPENDS:=+libopenssl +zlib
MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
endef
@ -39,7 +39,8 @@ TARGET_CFLAGS += $(FPIC)
CONFIGURE_ARGS += \
--disable-examples-build \
--with-libssl-prefix=$(STAGING_DIR)/usr
--with-libssl-prefix=$(STAGING_DIR)/usr \
--with-libz-prefix=$(STAGING_DIR)/usr
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include

5
libs/libxslt/Makefile
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2014 OpenWrt.org
# Copyright (C) 2014 - 2018 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libxslt
PKG_VERSION:=1.1.28
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
@ -64,6 +64,7 @@ define Package/xsltproc/description
endef
CONFIGURE_ARGS+= \
--disable-silent-rules \
--enable-shared \
--enable-static \
--without-python \

48
libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch Normal file
View File

@ -0,0 +1,48 @@
From: Daniel Veillard <veillard@redhat.com>
Date: Wed, 30 Jan 2013 16:31:37 +0000
Subject: Fix a couple of places where (f)printf parameters were broken
As reported by Thomas Jarosch <thomas.jarosch@intra2net.com>
---
python/libxslt.c | 10 +++++-----
xsltproc/xsltproc.c | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/python/libxslt.c b/python/libxslt.c
index 6a4f1c3..8dd6c78 100644
--- a/python/libxslt.c
+++ b/python/libxslt.c
@@ -356,15 +356,15 @@ libxslt_xsltRegisterExtModuleElement(PyObject *self ATTRIBUTE_UNUSED,
PyObject *pyobj_element_f;
PyObject *pyobj_precomp_f;
-#ifdef DEBUG_EXTENSIONS
- printf("libxslt_xsltRegisterExtModuleElement called\n",
- name, ns_uri);
-#endif
-
if (!PyArg_ParseTuple(args, (char *)"szOO:registerExtModuleElement",
&name, &ns_uri, &pyobj_precomp_f, &pyobj_element_f))
return(NULL);
+#ifdef DEBUG_EXTENSIONS
+ printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n",
+ name, ns_uri);
+#endif
+
if ((name == NULL) || (pyobj_element_f == NULL) || (pyobj_precomp_f == NULL)) {
py_retval = libxml_intWrap(-1);
return(py_retval);
diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
index 9ec4b76..33beddf 100644
--- a/xsltproc/xsltproc.c
+++ b/xsltproc/xsltproc.c
@@ -319,7 +319,7 @@ static void endTimer(char *format, ...)
va_start(ap, format);
vfprintf(stderr,format,ap);
va_end(ap);
- fprintf(stderr, " was not timed\n", msec);
+ fprintf(stderr, " was not timed\n");
#else
/* We don't have gettimeofday, time or stdarg.h, what crazy world is
* this ?!

56
libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch Normal file
View File

@ -0,0 +1,56 @@
From: Nils Werner <wernerns@iis.fraunhofer.de>
Date: Thu, 24 Jan 2013 18:44:03 +0000
Subject: Initialize pseudo random number generator with current time or
optional command line parameter
---
xsltproc/xsltproc.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
index 33beddf..7d1fe61 100644
--- a/xsltproc/xsltproc.c
+++ b/xsltproc/xsltproc.c
@@ -514,6 +514,7 @@ static void usage(const char *name) {
printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth);
printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars);
printf("\t--maxparserdepth val : increase the maximum parser depth\n");
+ printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n");
#ifdef LIBXML_HTML_ENABLED
printf("\t--html: the input document is(are) an HTML file(s)\n");
#endif
@@ -556,6 +557,7 @@ main(int argc, char **argv)
return (1);
}
+ srand(time(NULL));
xmlInitMemory();
LIBXML_TEST_VERSION
@@ -750,6 +752,15 @@ main(int argc, char **argv)
if (value > 0)
xmlParserMaxDepth = value;
}
+ } else if ((!strcmp(argv[i], "-seed-rand")) ||
+ (!strcmp(argv[i], "--seed-rand"))) {
+ int value;
+
+ i++;
+ if (sscanf(argv[i], "%d", &value) == 1) {
+ if (value > 0)
+ srand(value);
+ }
} else if ((!strcmp(argv[i],"-dumpextensions"))||
(!strcmp(argv[i],"--dumpextensions"))) {
dumpextensions++;
@@ -786,6 +797,10 @@ main(int argc, char **argv)
(!strcmp(argv[i], "--maxparserdepth"))) {
i++;
continue;
+ } else if ((!strcmp(argv[i], "-seed-rand")) ||
+ (!strcmp(argv[i], "--seed-rand"))) {
+ i++;
+ continue;
} else if ((!strcmp(argv[i], "-o")) ||
(!strcmp(argv[i], "-output")) ||
(!strcmp(argv[i], "--output"))) {

38
libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch Normal file
View File

@ -0,0 +1,38 @@
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 1 Jul 2013 13:10:10 +0000
Subject: EXSLT function str:replace() is broken as-is
the str:replace() function is no longer usable without a transform
context. I take it from the bug report that it is not supposed to be used
from plain XPath but only from XSLT according to the EXSLT specification.
However, the previous implementation used to work in XPath and is still
registered on an xmlXPathContext by the exsltStrXpathCtxtRegister()
function. When called from plain XPath, it results in a memory error in
line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT()
returns NULL as an error indicator due to a NULL transform context being
passed in, which was the return value from xsltXPathGetTransformContext() a
bit further up (and the code doesn't validate that).
Since fixing the function looks impossible, best is to remove it.
---
libexslt/strings.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/libexslt/strings.c b/libexslt/strings.c
index 045cc14..c0c7a18 100644
--- a/libexslt/strings.c
+++ b/libexslt/strings.c
@@ -838,11 +838,7 @@ exsltStrXpathCtxtRegister (xmlXPathContextPtr ctxt, const xmlChar *prefix)
&& !xmlXPathRegisterFuncNS(ctxt,
(const xmlChar *) "concat",
(const xmlChar *) EXSLT_STRINGS_NAMESPACE,
- exsltStrConcatFunction)
- && !xmlXPathRegisterFuncNS(ctxt,
- (const xmlChar *) "replace",
- (const xmlChar *) EXSLT_STRINGS_NAMESPACE,
- exsltStrReplaceFunction)) {
+ exsltStrConcatFunction)) {
return 0;
}
return -1;

43
libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch Normal file
View File

@ -0,0 +1,43 @@
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 30 Jul 2013 11:57:28 +0000
Subject: Fix quoting of xlocale test program in configure.in
Double square brackets aren't needed anymore, probably due to the
changes in commit a2cd8a03.
---
configure.in | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/configure.in b/configure.in
index 767e980..ac004fe 100644
--- a/configure.in
+++ b/configure.in
@@ -196,21 +196,21 @@ typedef locale_t xsltLocale;
#endif
]],[[
xsltLocale locale;
- const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" };
- char *dst[[2]];
+ const char *src[2] = { "\xc3\x84rger", "Zeppelin" };
+ char *dst[2];
size_t len, r;
int i;
locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL);
if (locale == NULL) exit(1);
for (i=0; i<2; ++i) {
- len = strxfrm_l(NULL, src[[i]], 0, locale) + 1;
- dst[[i]] = malloc(len);
- if(dst[[i]] == NULL) exit(1);
- r = strxfrm_l(dst[[i]], src[[i]], len, locale);
+ len = strxfrm_l(NULL, src[i], 0, locale) + 1;
+ dst[i] = malloc(len);
+ if(dst[i] == NULL) exit(1);
+ r = strxfrm_l(dst[i], src[i], len, locale);
if(r >= len) exit(1);
}
- if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1);
+ if (strcmp(dst[0], dst[1]) >= 0) exit(1);
exit(0);
return(0);

29
libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch Normal file
View File

@ -0,0 +1,29 @@
From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 29 Oct 2015 19:33:23 +0800
Subject: [PATCH] Fix for type confusion in preprocessing attributes
CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
We need to check that the parent node is an element before dereferencing
its namespace
---
libxslt/preproc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/preproc.c b/libxslt/preproc.c
index 0eb80a0..7f69325 100644
--- a/libxslt/preproc.c
+++ b/libxslt/preproc.c
@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
} else if (IS_XSLT_NAME(inst, "attribute")) {
xmlNodePtr parent = inst->parent;
- if ((parent == NULL) || (parent->ns == NULL) ||
+ if ((parent == NULL) ||
+ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
((parent->ns != inst->ns) &&
(!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
--
2.8.1

62
libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch Normal file
View File

@ -0,0 +1,62 @@
From 3309feb654036280d2355f8025150a69bfded6e2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 3 Jan 2016 16:45:24 +0100
Subject: [PATCH] Always initialize EXSLT month and day to 1
Fixes bug #757970
https://bugzilla.gnome.org/show_bug.cgi?id=757970
---
libexslt/date.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/libexslt/date.c b/libexslt/date.c
index 9ca993c..272c61b 100644
--- a/libexslt/date.c
+++ b/libexslt/date.c
@@ -667,6 +667,11 @@ exsltDateCreateDate (exsltDateType type)
}
memset (ret, 0, sizeof(exsltDateVal));
+ if (type != XS_DURATION) {
+ ret->value.date.mon = 1;
+ ret->value.date.day = 1;
+ }
+
if (type != EXSLT_UNKNOWN)
ret->type = type;
@@ -1395,10 +1400,10 @@ _exsltDateTruncateDate (exsltDateValPtr dt, exsltDateType type)
}
if ((type & XS_GDAY) != XS_GDAY)
- dt->value.date.day = 0;
+ dt->value.date.day = 1;
if ((type & XS_GMONTH) != XS_GMONTH)
- dt->value.date.mon = 0;
+ dt->value.date.mon = 1;
if ((type & XS_GYEAR) != XS_GYEAR)
dt->value.date.year = 0;
@@ -1473,18 +1478,10 @@ _exsltDateAdd (exsltDateValPtr dt, exsltDateValPtr dur)
d = &(dt->value.date);
u = &(dur->value.dur);
- /* normalization */
- if (d->mon == 0)
- d->mon = 1;
-
/* normalize for time zone offset */
u->sec -= (d->tzo * 60); /* changed from + to - (bug 153000) */
d->tzo = 0;
- /* normalization */
- if (d->day == 0)
- d->day = 1;
-
/* month */
carry = d->mon + u->mon;
r->mon = (unsigned int)MODULO_RANGE(carry, 1, 13);
--
2.8.1

105
libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch Normal file
View File

@ -0,0 +1,105 @@
From fc1ff481fd01e9a65a921c542fed68d8c965e8a3 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 25 Feb 2016 17:16:06 +0100
Subject: [PATCH] Fix use-after-free in xsltDocumentFunctionLoadDocument
Also fixes a memory leak in an unlikely error case.
Fixes bug #758291
https://bugzilla.gnome.org/show_bug.cgi?id=758291
---
libxslt/functions.c | 3 ++-
tests/docs/bug-185-data.xml | 5 +++++
tests/docs/bug-185.xml | 2 ++
tests/general/bug-185.err | 3 +++
tests/general/bug-185.out | 0
tests/general/bug-185.xsl | 14 ++++++++++++++
6 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 tests/docs/bug-185-data.xml
create mode 100644 tests/docs/bug-185.xml
create mode 100644 tests/general/bug-185.err
create mode 100644 tests/general/bug-185.out
create mode 100644 tests/general/bug-185.xsl
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 549649c..a5e7021 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -180,7 +180,6 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
resObj = xmlXPtrEval(fragment, xptrctxt);
xmlXPathFreeContext(xptrctxt);
#endif
- xmlFree(fragment);
if (resObj == NULL)
goto out_fragment;
@@ -204,6 +203,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
}
valuePush(ctxt, resObj);
+ xmlFree(fragment);
return;
out_object:
@@ -211,6 +211,7 @@ out_object:
out_fragment:
valuePush(ctxt, xmlXPathNewNodeSet(NULL));
+ xmlFree(fragment);
}
/**
diff --git a/tests/docs/bug-185-data.xml b/tests/docs/bug-185-data.xml
new file mode 100644
index 0000000..166ef17
--- /dev/null
+++ b/tests/docs/bug-185-data.xml
@@ -0,0 +1,5 @@
+<!DOCTYPE test [ <!ATTLIST A id ID #REQUIRED> ] >
+<test>
+ <A id="X"/>
+ <A id="Y"/>
+</test>
diff --git a/tests/docs/bug-185.xml b/tests/docs/bug-185.xml
new file mode 100644
index 0000000..72bfdc4
--- /dev/null
+++ b/tests/docs/bug-185.xml
@@ -0,0 +1,2 @@
+<?xml-stylesheet href="poc.xsl" type="text/xsl"?>
+<in>bug-185-data.xml#xpointer(id('X')/range-to(id('Y')))</in>
diff --git a/tests/general/bug-185.err b/tests/general/bug-185.err
new file mode 100644
index 0000000..d7bbe92
--- /dev/null
+++ b/tests/general/bug-185.err
@@ -0,0 +1,3 @@
+runtime error: file ./bug-185.xsl line 7 element copy-of
+document() : XPointer does not select a node set: #xpointer(id('X')/range-to(id('Y')))
+no result for ./../docs/bug-185.xml
diff --git a/tests/general/bug-185.out b/tests/general/bug-185.out
new file mode 100644
index 0000000..e69de29
diff --git a/tests/general/bug-185.xsl b/tests/general/bug-185.xsl
new file mode 100644
index 0000000..1c5c7d1
--- /dev/null
+++ b/tests/general/bug-185.xsl
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+ <xsl:template match="in">
+ <annotation>
+ <xsl:copy-of select="."/>
+ <value>
+ <xsl:copy-of select="document(.)"/>
+ </value>
+ </annotation>
+ </xsl:template>
+ <xsl:template match="@*|node()">
+ <xsl:apply-templates/>
+ </xsl:template>
+</xsl:stylesheet>
--
2.8.1

171
libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch Normal file
View File

@ -0,0 +1,171 @@
From d182d8f6ba3071503d96ce17395c9d55871f0242 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 22 Mar 2016 18:20:01 +0100
Subject: [PATCH] Fix xsltNumberFormatGetMultipleLevel
Namespace nodes are actually an xmlNs, not an xmlNode. They must be
special-cased in xsltNumberFormatGetMultipleLevel to avoid an
out-of-bounds heap access.
Move the test whether a node matches the "count" pattern to a separate
function to make the code more readable. As a side effect, we also
compare expanded names when walking up the ancestor axis, fixing an
insignificant bug.
---
libxslt/numbers.c | 82 +++++++++++++++++++++++++++--------------------
tests/docs/bug-186.xml | 4 +++
tests/general/bug-186.out | 5 +++
tests/general/bug-186.xsl | 7 ++++
4 files changed, 63 insertions(+), 35 deletions(-)
create mode 100644 tests/docs/bug-186.xml
create mode 100644 tests/general/bug-186.out
create mode 100644 tests/general/bug-186.xsl
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index e3209e0..184ee6f 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -532,6 +532,43 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
}
static int
+xsltTestCompMatchCount(xsltTransformContextPtr context,
+ xmlNodePtr node,
+ xsltCompMatchPtr countPat,
+ xmlNodePtr cur)
+{
+ if (countPat != NULL) {
+ return xsltTestCompMatchList(context, node, countPat);
+ }
+ else {
+ /*
+ * 7.7 Numbering
+ *
+ * If count attribute is not specified, then it defaults to the
+ * pattern that matches any node with the same node type as the
+ * current node and, if the current node has an expanded-name, with
+ * the same expanded-name as the current node.
+ */
+ if (node->type != cur->type)
+ return 0;
+ if (node->type == XML_NAMESPACE_DECL)
+ /*
+ * Namespace nodes have no preceding siblings and no parents
+ * that are namespace nodes. This means that node == cur.
+ */
+ return 1;
+ /* TODO: Skip node types without expanded names like text nodes. */
+ if (!xmlStrEqual(node->name, cur->name))
+ return 0;
+ if (node->ns == cur->ns)
+ return 1;
+ if ((node->ns == NULL) || (cur->ns == NULL))
+ return 0;
+ return (xmlStrEqual(node->ns->href, cur->ns->href));
+ }
+}
+
+static int
xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
xmlNodePtr node,
xsltCompMatchPtr countPat,
@@ -562,21 +599,8 @@ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
while (cur != NULL) {
/* process current node */
- if (countPat == NULL) {
- if ((node->type == cur->type) &&
- /* FIXME: must use expanded-name instead of local name */
- xmlStrEqual(node->name, cur->name)) {
- if ((node->ns == cur->ns) ||
- ((node->ns != NULL) &&
- (cur->ns != NULL) &&
- (xmlStrEqual(node->ns->href,
- cur->ns->href) )))
- cnt++;
- }
- } else {
- if (xsltTestCompMatchList(context, cur, countPat))
- cnt++;
- }
+ if (xsltTestCompMatchCount(context, cur, countPat, node))
+ cnt++;
if ((fromPat != NULL) &&
xsltTestCompMatchList(context, cur, fromPat)) {
break; /* while */
@@ -633,30 +657,18 @@ xsltNumberFormatGetMultipleLevel(xsltTransformContextPtr context,
xsltTestCompMatchList(context, ancestor, fromPat))
break; /* for */
- if ((countPat == NULL && node->type == ancestor->type &&
- xmlStrEqual(node->name, ancestor->name)) ||
- xsltTestCompMatchList(context, ancestor, countPat)) {
+ if (xsltTestCompMatchCount(context, ancestor, countPat, node)) {
/* count(preceding-sibling::*) */
- cnt = 0;
- for (preceding = ancestor;
+ cnt = 1;
+ for (preceding =
+ xmlXPathNextPrecedingSibling(parser, ancestor);
preceding != NULL;
preceding =
xmlXPathNextPrecedingSibling(parser, preceding)) {
- if (countPat == NULL) {
- if ((preceding->type == ancestor->type) &&
- xmlStrEqual(preceding->name, ancestor->name)){
- if ((preceding->ns == ancestor->ns) ||
- ((preceding->ns != NULL) &&
- (ancestor->ns != NULL) &&
- (xmlStrEqual(preceding->ns->href,
- ancestor->ns->href) )))
- cnt++;
- }
- } else {
- if (xsltTestCompMatchList(context, preceding,
- countPat))
- cnt++;
- }
+
+ if (xsltTestCompMatchCount(context, preceding, countPat,
+ node))
+ cnt++;
}
array[amount++] = (double)cnt;
if (amount >= max)
diff --git a/tests/docs/bug-186.xml b/tests/docs/bug-186.xml
new file mode 100644
index 0000000..424db6b
--- /dev/null
+++ b/tests/docs/bug-186.xml
@@ -0,0 +1,4 @@
+<top xmlns:a="AAAA" xmlns:b="BBBB" xmlns:c="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC">
+<foo/>
+<bar/>
+</top>
diff --git a/tests/general/bug-186.out b/tests/general/bug-186.out
new file mode 100644
index 0000000..01a59f8
--- /dev/null
+++ b/tests/general/bug-186.out
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+
+1111
+1111
+
diff --git a/tests/general/bug-186.xsl b/tests/general/bug-186.xsl
new file mode 100644
index 0000000..9c491dd
--- /dev/null
+++ b/tests/general/bug-186.xsl
@@ -0,0 +1,7 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+ <xsl:template match="*/*">
+ <xsl:for-each select="namespace::*">
+ <xsl:number/>
+ </xsl:for-each>
+ </xsl:template>
+</xsl:stylesheet>
--
2.8.1

26
libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch Normal file
View File

@ -0,0 +1,26 @@
From 345e0bfb1c1131155a32dfbdfc8f78d1c602dc40 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 12:50:02 +0200
Subject: [PATCH] Round xsl:number values to nearest integer
This matches XSLT 2.0 behavior.
---
libxslt/numbers.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index 184ee6f..eb087bc 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -440,6 +440,8 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
for (i = 0; i < numbers_max; i++) {
/* Insert number */
number = numbers[(numbers_max - 1) - i];
+ /* Round to nearest like XSLT 2.0 */
+ number = floor(number + 0.5);
if (i < tokens->nTokens) {
/*
* The "n"th format token will be used to format the "n"th
--
2.8.1

51
libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch Normal file
View File

@ -0,0 +1,51 @@
From 69ec3da1b653024aca6515ddd4adc91919dd188e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 12:51:57 +0200
Subject: [PATCH] Handle negative xsl:number values
According to XSLT 2.0, negative values are a non-recoverable dynamic error.
Print an error message and treat negative values as zero.
Fixes an OOB array access in xsltNumberFormatAlpha.
---
libxslt/numbers.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index eb087bc..a3cabcf 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -246,7 +246,7 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
number--;
*(--pointer) = alpha_list[((int)fmod(number, alpha_size))];
number /= alpha_size;
- if (fabs(number) < 1.0)
+ if (number < 1.0)
break; /* for */
}
xmlBufferCCat(buffer, pointer);
@@ -442,6 +442,21 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
number = numbers[(numbers_max - 1) - i];
/* Round to nearest like XSLT 2.0 */
number = floor(number + 0.5);
+ /*
+ * XSLT 1.0 isn't clear on how to handle negative numbers, but XSLT
+ * 2.0 says:
+ *
+ * It is a non-recoverable dynamic error if any undiscarded item
+ * in the atomized sequence supplied as the value of the value
+ * attribute of xsl:number cannot be converted to an integer, or
+ * if the resulting integer is less than 0 (zero).
+ */
+ if (number < 0.0) {
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl-number : negative value\n");
+ /* Recover by treating negative values as zero. */
+ number = 0.0;
+ }
if (i < tokens->nTokens) {
/*
* The "n"th format token will be used to format the "n"th
--
2.8.1

75
libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch Normal file
View File

@ -0,0 +1,75 @@
From 405034286fbdd6166229335b7203a41bf53b40fc Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 13:11:31 +0200
Subject: [PATCH] Lower bound for format token "a"
Handle xsl:number with format "a" and value 0 according to XSLT 2.0.
Fixes an OOB array access in xsltNumberFormatAlpha.
---
libxslt/numbers.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index a3cabcf..af52883 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -227,7 +227,8 @@ xsltNumberFormatDecimal(xmlBufferPtr buffer,
}
static void
-xsltNumberFormatAlpha(xmlBufferPtr buffer,
+xsltNumberFormatAlpha(xsltNumberDataPtr data,
+ xmlBufferPtr buffer,
double number,
int is_upper)
{
@@ -237,6 +238,26 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
char *alpha_list;
double alpha_size = (double)(sizeof(alpha_upper_list) - 1);
+ /*
+ * XSLT 1.0 isn't clear on how to handle zero, but XSLT 2.0 says:
+ *
+ * For all format tokens other than the first kind above (one that
+ * consists of decimal digits), there may be implementation-defined
+ * lower and upper bounds on the range of numbers that can be
+ * formatted using this format token; indeed, for some numbering
+ * sequences there may be intrinsic limits. [...] Numbers that fall
+ * outside this range must be formatted using the format token 1.
+ *
+ * The "a" token has an intrinsic lower limit of 1.
+ */
+ if (number < 1.0) {
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
+ data->digitsPerGroup,
+ data->groupingCharacter,
+ data->groupingCharacterLen);
+ return;
+ }
+
/* Build buffer from back */
pointer = &temp_string[sizeof(temp_string)];
*(--pointer) = 0;
@@ -500,16 +521,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
switch (token->token) {
case 'A':
- xsltNumberFormatAlpha(buffer,
- number,
- TRUE);
-
+ xsltNumberFormatAlpha(data, buffer, number, TRUE);
break;
case 'a':
- xsltNumberFormatAlpha(buffer,
- number,
- FALSE);
-
+ xsltNumberFormatAlpha(data, buffer, number, FALSE);
break;
case 'I':
xsltNumberFormatRoman(buffer,
--
2.8.1

64
libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch Normal file
View File

@ -0,0 +1,64 @@
From 91d0540ac9beaa86719a05b749219a69baa0dd8d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 13:12:28 +0200
Subject: [PATCH] Lower and upper bound for format token "i"
Handle xsl:number with format "i" and value 0 according to XSLT 2.0.
Also introduce an upper bound to fix a denial of service.
---
libxslt/numbers.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index af52883..e769c42 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data,
}
static void
-xsltNumberFormatRoman(xmlBufferPtr buffer,
+xsltNumberFormatRoman(xsltNumberDataPtr data,
+ xmlBufferPtr buffer,
double number,
int is_upper)
{
/*
+ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper
+ * bound to avoid denial of service.
+ */
+ if (number < 1.0 || number > 5000.0) {
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
+ data->digitsPerGroup,
+ data->groupingCharacter,
+ data->groupingCharacterLen);
+ return;
+ }
+
+ /*
* Based on an example by Jim Walsh
*/
while (number >= 1000.0) {
@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
xsltNumberFormatAlpha(data, buffer, number, FALSE);
break;
case 'I':
- xsltNumberFormatRoman(buffer,
- number,
- TRUE);
-
+ xsltNumberFormatRoman(data, buffer, number, TRUE);
break;
case 'i':
- xsltNumberFormatRoman(buffer,
- number,
- FALSE);
-
+ xsltNumberFormatRoman(data, buffer, number, FALSE);
break;
default:
if (IS_DIGIT_ZERO(token->token)) {
--
2.8.1

62
libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch Normal file
View File

@ -0,0 +1,62 @@
From d8862309f08054218b28e2c8f5fb3cb2f650cac7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 20 Apr 2016 14:35:43 +0200
Subject: [PATCH] Fix double free in libexslt hash functions
Thanks to Nicolas Gregoire for the report.
Fixes bug #765271:
https://bugzilla.gnome.org/show_bug.cgi?id=765271
---
libexslt/crypto.c | 15 +++------------
tests/exslt/crypto/hash.1.out | 2 ++
tests/exslt/crypto/hash.1.xml | 5 +++++
3 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/libexslt/crypto.c b/libexslt/crypto.c
index 6aa9dd2..e13db8b 100644
--- a/libexslt/crypto.c
+++ b/libexslt/crypto.c
@@ -499,11 +499,8 @@ exsltCryptoMd4Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_MD4, (const char *) str, str_len,
(char *) hash);
@@ -532,11 +529,8 @@ exsltCryptoMd5Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_MD5, (const char *) str, str_len,
(char *) hash);
@@ -565,11 +559,8 @@ exsltCryptoSha1Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[SHA1_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_SHA1, (const char *) str, str_len,
(char *) hash);
--
2.8.1

33
libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch Normal file
View File

@ -0,0 +1,33 @@
From 5d0c6565bab5b9b7efceb33b626916d22b4101a7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 28 Apr 2016 17:34:27 +0200
Subject: [PATCH] Fix buffer overflow in exsltDateFormat
Long years can overflow a stack-based buffer on 64-bit platforms by
up to four bytes.
Thanks to Nicolas Gregoire for the report.
Fixes bug #765380:
https://bugzilla.gnome.org/show_bug.cgi?id=765380
---
libexslt/date.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexslt/date.c b/libexslt/date.c
index 272c61b..12c9919 100644
--- a/libexslt/date.c
+++ b/libexslt/date.c
@@ -1283,7 +1283,7 @@ exsltDateFormat (const exsltDateValPtr dt)
}
if (dt->type & XS_GYEAR) {
- xmlChar buf[20], *cur = buf;
+ xmlChar buf[100], *cur = buf;
FORMAT_GYEAR(dt->value.date.year, cur);
if (dt->type == XS_GYEARMONTH) {
--
2.8.1

36
libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch Normal file
View File

@ -0,0 +1,36 @@
From 87c3d9ea214fc0503fd8130b6dd97431d69cc066 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 May 2016 15:12:48 +0200
Subject: [PATCH] Fix OOB heap read in xsltExtModuleRegisterDynamic
xsltExtModuleRegisterDynamic would read a byte before the start of a
string under certain circumstances. I looks like this piece code was
supposed to strip characters from the end of the extension name, but
it didn't have any effect. Don't read beyond the beginning of the
string and actually strip unwanted characters.
Found with afl-fuzz and ASan.
---
libxslt/extensions.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libxslt/extensions.c b/libxslt/extensions.c
index 5ad73cb..ae6eef0 100644
--- a/libxslt/extensions.c
+++ b/libxslt/extensions.c
@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI)
i++;
}
- if (*(i - 1) == '_')
+ /* Strip underscores from end of string. */
+ while (i > ext_name && *(i - 1) == '_') {
+ i--;
*i = '\0';
+ }
/* determine module directory */
ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH");
--
2.8.1

31
libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch Normal file
View File

@ -0,0 +1,31 @@
From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.
Found with afl-fuzz and ASan.
---
libxslt/numbers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b4..e78c46b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
}
/* We have finished the integer part, now work on fraction */
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+ if ( (*the_format != 0) &&
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
format_info.add_decimal = TRUE;
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
}
--
2.10.2

74
libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch Normal file
View File

@ -0,0 +1,74 @@
From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 12 Jan 2017 15:39:52 +0100
Subject: [PATCH] Check for integer overflow in xsltAddTextString
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.
Originally reported to Chromium:
https://crbug.com/676623
---
libxslt/transform.c | 25 ++++++++++++++++++++++---
libxslt/xsltInternals.h | 4 ++--
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 519133fc..02bff34a 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
+ int minSize;
- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+ /* Check for integer overflow accounting for NUL terminator. */
+ if (len >= INT_MAX - ctxt->lasttuse) {
+ xsltTransformError(ctxt, NULL, target,
+ "xsltCopyText: text allocation failed\n");
+ return(NULL);
+ }
+ minSize = ctxt->lasttuse + len + 1;
+
+ if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
+ int extra;
+
+ /* Double buffer size but increase by at least 100 bytes. */
+ extra = minSize < 100 ? 100 : minSize;
+
+ /* Check for integer overflow. */
+ if (extra > INT_MAX - ctxt->lasttsize) {
+ size = INT_MAX;
+ }
+ else {
+ size = ctxt->lasttsize + extra;
+ }
- size = ctxt->lasttsize + len + 100;
- size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 060b1783..5ad17719 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
- unsigned int lasttsize; /* last text node size */
- unsigned int lasttuse; /* last text node use */
+ int lasttsize; /* last text node size */
+ int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/
--
2.11.0

8
libs/tiff/Makefile
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2006-2016 OpenWrt.org
# Copyright (C) 2006-2018 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=tiff
PKG_VERSION:=4.0.6
PKG_RELEASE:=2
PKG_VERSION:=4.0.9
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://download.osgeo.org/libtiff
PKG_MD5SUM:=d1d2e940dea0b5ad435f21f03d96dd72
PKG_MD5SUM:=54bad211279cc93eb4fca31ba9bfdc79
PKG_FIXUP:=autoreconf
PKG_REMOVE_FILES:=autogen.sh aclocal.m4

136
libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch
View File

@ -1,136 +0,0 @@
From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sat, 26 Dec 2015 17:32:03 +0000
Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
TIFFRGBAImage interface in case of unsupported values of
SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
limingxing and CVE-2015-8683 reported by zzf of Alibaba.
---
ChangeLog | 8 ++++++++
libtiff/tif_getimage.c | 37 +++++++++++++++++++++++--------------
2 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a7d283a..4beb30b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-12-26 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+ CVE-2015-8683 reported by zzf of Alibaba.
+
2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.6 released.
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index fd0a4f9..fae1e31 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.90 2015-06-17 01:34:08 bfriesen Exp $ */
+/* $Id: tif_getimage.c,v 1.94 2015-12-26 17:32:03 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
"Planarconfiguration", td->td_planarconfig);
return (0);
}
- if( td->td_samplesperpixel != 3 )
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
{
sprintf(emsg,
- "Sorry, can not handle image with %s=%d",
- "Samples/pixel", td->td_samplesperpixel);
+ "Sorry, can not handle image with %s=%d, %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels);
return 0;
}
break;
case PHOTOMETRIC_CIELAB:
- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
{
sprintf(emsg,
- "Sorry, can not handle image with %s=%d and %s=%d",
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
"Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels,
"Bits/sample", td->td_bitspersample);
return 0;
}
@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
int colorchannels;
uint16 *red_orig, *green_orig, *blue_orig;
int n_color;
+
+ if( !TIFFRGBAImageOK(tif, emsg) )
+ return 0;
/* Initialize to normal values */
img->row_offset = 0;
@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
case PHOTOMETRIC_RGB:
switch (img->bitspersample) {
case 8:
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+ img->samplesperpixel >= 4)
img->put.contig = putRGBAAcontig8bittile;
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+ img->samplesperpixel >= 4)
{
if (BuildMapUaToAa(img))
img->put.contig = putRGBUAcontig8bittile;
}
- else
+ else if( img->samplesperpixel >= 3 )
img->put.contig = putRGBcontig8bittile;
break;
case 16:
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+ img->samplesperpixel >=4 )
{
if (BuildMapBitdepth16To8(img))
img->put.contig = putRGBAAcontig16bittile;
}
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+ img->samplesperpixel >=4 )
{
if (BuildMapBitdepth16To8(img) &&
BuildMapUaToAa(img))
img->put.contig = putRGBUAcontig16bittile;
}
- else
+ else if( img->samplesperpixel >=3 )
{
if (BuildMapBitdepth16To8(img))
img->put.contig = putRGBcontig16bittile;
@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
}
break;
case PHOTOMETRIC_SEPARATED:
- if (buildMap(img)) {
+ if (img->samplesperpixel >=4 && buildMap(img)) {
if (img->bitspersample == 8) {
if (!img->Map)
img->put.contig = putRGBcontig8bitCMYKtile;
@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
}
break;
case PHOTOMETRIC_CIELAB:
- if (buildMap(img)) {
+ if (img->samplesperpixel == 3 && buildMap(img)) {
if (img->bitspersample == 8)
img->put.contig = initCIELabConversion(img);
break;

193
libs/tiff/patches/003-fix_potential_out-of-bound_writes_in_decode_functions.patch
View File

@ -1,193 +0,0 @@
From 3899f0ab62dd307f63f87ec99aaf289e104f4070 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sun, 27 Dec 2015 16:25:11 +0000
Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
decode functions in non debug builds by replacing assert()s by regular if
checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
input data.
---
ChangeLog | 7 +++++++
libtiff/tif_luv.c | 57 +++++++++++++++++++++++++++++++++++++++++++------------
2 files changed, 52 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 4beb30b..b8aa23c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+ functions in non debug builds by replacing assert()s by regular if
+ checks (bugzilla #2522).
+ Fix potential out-of-bound reads in case of short input data.
+
2015-12-26 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 4e328ba..60a174d 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
tp = (int16*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (int16*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 2*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ if( cc < 2 )
+ break;
+ rc = *bp++ + (2-128);
b = (int16)(*bp++ << shft);
cc -= 2;
while (rc-- && i < npixels)
@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
while (--cc && rc-- && i < npixels)
tp[i++] |= (int16)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32 *)op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32 *) sp->tbuf;
}
/* copy to array of uint32 */
bp = (unsigned char*) tif->tif_rawcp;
cc = tif->tif_rawcc;
- for (i = 0; i < npixels && cc > 0; i++) {
+ for (i = 0; i < npixels && cc >= 3; i++) {
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
bp += 3;
cc -= 3;
@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 4*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
+ if( cc < 2 )
+ break;
rc = *bp++ + (2-128);
b = (uint32)*bp++ << shft;
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ cc -= 2;
while (rc-- && i < npixels)
tp[i++] |= b;
} else { /* non-run */
@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
while (--cc && rc-- && i < npixels)
tp[i++] |= (uint32)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogL16Encode";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (int16*) bp;
else {
tp = (int16*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */
@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode24";
LogLuvState* sp = EncoderState(tif);
tmsize_t i;
tmsize_t npixels;
@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* write out encoded pixels */
@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode32";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */

72
libs/tiff/patches/004-fix_potential_out-of-bound_write_in_NeXTDecode.patch
View File

@ -1,72 +0,0 @@
From 237c9c18b0b3479950e54a755ae428bf0f55f754 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sun, 27 Dec 2015 16:55:20 +0000
Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
(bugzilla #2508)
---
ChangeLog | 6 ++++++
libtiff/tif_next.c | 12 +++++++++---
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b8aa23c..04926a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2015-12-27 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+ (bugzilla #2508)
+
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
functions in non debug builds by replacing assert()s by regular if
checks (bugzilla #2522).
diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
index 17e0311..1248caa 100644
--- a/libtiff/tif_next.c
+++ b/libtiff/tif_next.c
@@ -1,4 +1,4 @@
-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
+/* $Id: tif_next.c,v 1.17 2015-12-27 16:55:20 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -37,7 +37,7 @@
case 0: op[0] = (unsigned char) ((v) << 6); break; \
case 1: op[0] |= (v) << 4; break; \
case 2: op[0] |= (v) << 2; break; \
- case 3: *op++ |= (v); break; \
+ case 3: *op++ |= (v); op_offset++; break; \
} \
}
@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
uint32 imagewidth = tif->tif_dir.td_imagewidth;
if( isTiled(tif) )
imagewidth = tif->tif_dir.td_tilewidth;
+ tmsize_t op_offset = 0;
/*
* The scanline is composed of a sequence of constant
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
* bounds, potentially resulting in a security
* issue.
*/
- while (n-- > 0 && npixels < imagewidth)
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
SETPIXEL(op, grey);
if (npixels >= imagewidth)
break;
+ if (op_offset >= scanline ) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+ (long) tif->tif_row);
+ return (0);
+ }
if (cc == 0)
goto bad;
n = *bp++, cc--;

2
libs/tiff/patches/005-fix-ftell-macro.patch
View File

@ -1,6 +1,6 @@
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -284,7 +284,7 @@ struct tiff {
@@ -287,7 +287,7 @@ struct tiff {
*/
#if defined(HAVE_FSEEKO)
# define fseek(stream,offset,whence) fseeko(stream,offset,whence)

34
libs/tiff/patches/019-CVE-2017-18013.patch Normal file
View File

@ -0,0 +1,34 @@
From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 31 Dec 2017 15:09:41 +0100
Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770
---
libtiff/tif_print.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 9959d35..8deceb2 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
(unsigned long) s,
- (unsigned __int64) td->td_stripoffset[s],
- (unsigned __int64) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
#else
fprintf(fd, " %3lu: [%8llu, %8llu]\n",
(unsigned long) s,
- (unsigned long long) td->td_stripoffset[s],
- (unsigned long long) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
#endif
}
}
--
libgit2 0.26.0

117
libs/tiff/patches/020-CVE-2017-9935.patch Normal file
View File

@ -0,0 +1,117 @@
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 2ccaf44..cbf2b69 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
*va_arg(ap, uint16**) = td->td_transferfunction[1];
*va_arg(ap, uint16**) = td->td_transferfunction[2];
+ } else {
+ *va_arg(ap, uint16**) = NULL;
+ *va_arg(ap, uint16**) = NULL;
}
break;
case TIFFTAG_REFERENCEBLACKWHITE:
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index d1a9b09..484776c 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -237,7 +237,7 @@ typedef struct {
float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2];
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */
uint16 tiff_transferfunctioncount;
@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0;
uint16 paged=0;
uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+ uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
}
#endif
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
- &(t2p->tiff_transferfunction[0]),
- &(t2p->tiff_transferfunction[1]),
- &(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
- t2p->tiff_transferfunctioncount = 3;
- t2p->tiff_pages[i].page_extra += 4;
- t2p->pdf_xrefcount += 4;
- } else {
- t2p->tiff_transferfunctioncount = 1;
- t2p->tiff_pages[i].page_extra += 2;
- t2p->pdf_xrefcount += 2;
- }
- if(t2p->pdf_minorversion < 2)
- t2p->pdf_minorversion = 2;
+ &(tiff_transferfunction[0]),
+ &(tiff_transferfunction[1]),
+ &(tiff_transferfunction[2]))) {
+
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
+ (tiff_transferfunction[2] != (uint16*) NULL)
+ ) {
+ tiff_transferfunctioncount=3;
+ } else {
+ tiff_transferfunctioncount=1;
+ }
} else {
- t2p->tiff_transferfunctioncount=0;
+ tiff_transferfunctioncount=0;
}
+
+ if (i > 0){
+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Different transfer function on page %d",
+ i);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ }
+
+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
+ if(tiff_transferfunctioncount == 3){
+ t2p->tiff_pages[i].page_extra += 4;
+ t2p->pdf_xrefcount += 4;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ } else if (tiff_transferfunctioncount == 1){
+ t2p->tiff_pages[i].page_extra += 2;
+ t2p->pdf_xrefcount += 2;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ }
+
if( TIFFGetField(
input,
TIFFTAG_ICCPROFILE,
@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
+ ) {
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;