From 709dc04d2a39762bd58f9de3bb1636a0faa99228 Mon Sep 17 00:00:00 2001
From: Jan Pavlinec <jan.pavlinec@nic.cz>
Date: Tue, 9 Apr 2019 13:28:10 +0200
Subject: [PATCH 1/2] tiff: patch security issues

Fixes
CVE-2019-7663
CVE-2019-6128

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
---
 libs/tiff/Makefile                        |  2 +-
 libs/tiff/patches/020-CVE-2019-7663.patch | 37 +++++++++++++++++
 libs/tiff/patches/021-CVE-2019-6128.patch | 49 +++++++++++++++++++++++
 3 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 libs/tiff/patches/020-CVE-2019-7663.patch
 create mode 100644 libs/tiff/patches/021-CVE-2019-6128.patch

diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile
index b8b1ec470..337d8e6a5 100644
--- a/libs/tiff/Makefile
+++ b/libs/tiff/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tiff
 PKG_VERSION:=4.0.10
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.osgeo.org/libtiff
diff --git a/libs/tiff/patches/020-CVE-2019-7663.patch b/libs/tiff/patches/020-CVE-2019-7663.patch
new file mode 100644
index 000000000..607b6de04
--- /dev/null
+++ b/libs/tiff/patches/020-CVE-2019-7663.patch
@@ -0,0 +1,37 @@
+From 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 29 Jan 2019 11:21:47 +0100
+Subject: [PATCH] TIFFWriteDirectoryTagTransferfunction() : fix NULL
+ dereferencing
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2833
+
+we must check the pointer is not NULL before memcmp() the memory
+---
+ libtiff/tif_dirwrite.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index c15a28db..ef30c869 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
+ 		n=3;
+ 	if (n==3)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[2] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ 			n=2;
+ 	}
+ 	if (n==2)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[1] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ 			n=1;
+ 	}
+ 	if (n==0)
+-- 
+2.18.1
+
diff --git a/libs/tiff/patches/021-CVE-2019-6128.patch b/libs/tiff/patches/021-CVE-2019-6128.patch
new file mode 100644
index 000000000..cd4259507
--- /dev/null
+++ b/libs/tiff/patches/021-CVE-2019-6128.patch
@@ -0,0 +1,49 @@
+From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Wed, 23 Jan 2019 15:03:53 -0500
+Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
+
+pal2rgb failed to free memory on a few errors. This was reported
+here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
+---
+ tools/pal2rgb.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502e..9492f1cf 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ 	    shortv != PHOTOMETRIC_PALETTE) {
+ 		fprintf(stderr, "%s: Expecting a palette image.\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ 		fprintf(stderr,
+ 		    "%s: No colormap (not a valid palette image).\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ 	if (bitspersample != 8) {
+ 		fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	out = TIFFOpen(argv[optind+1], "w");
+-	if (out == NULL)
++	if (out == NULL) {
++		(void) TIFFClose(in);
+ 		return (-2);
++	}
+ 	cpTags(in, out);
+ 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
+-- 
+2.18.1
+

From 33e31a4b3a1abdafe937b6bf9f58802ded09d74c Mon Sep 17 00:00:00 2001
From: Jiri Slachta <jiri@slachta.eu>
Date: Mon, 11 Nov 2019 21:49:06 +0100
Subject: [PATCH 2/2] tiff: update version to 4.1.0

Signed-off-by: Jiri Slachta <jiri@slachta.eu>
---
 libs/tiff/Makefile                          |  6 +--
 libs/tiff/patches/005-fix-ftell-macro.patch |  2 +-
 libs/tiff/patches/020-CVE-2019-7663.patch   | 37 ----------------
 libs/tiff/patches/021-CVE-2019-6128.patch   | 49 ---------------------
 4 files changed, 4 insertions(+), 90 deletions(-)
 delete mode 100644 libs/tiff/patches/020-CVE-2019-7663.patch
 delete mode 100644 libs/tiff/patches/021-CVE-2019-6128.patch

diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile
index 337d8e6a5..818cf2c84 100644
--- a/libs/tiff/Makefile
+++ b/libs/tiff/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tiff
-PKG_VERSION:=4.0.10
-PKG_RELEASE:=3
+PKG_VERSION:=4.1.0
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.osgeo.org/libtiff
-PKG_HASH:=2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4
+PKG_HASH:=5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634
 
 PKG_FIXUP:=autoreconf
 PKG_REMOVE_FILES:=autogen.sh aclocal.m4
diff --git a/libs/tiff/patches/005-fix-ftell-macro.patch b/libs/tiff/patches/005-fix-ftell-macro.patch
index dc513a392..d5acde92c 100644
--- a/libs/tiff/patches/005-fix-ftell-macro.patch
+++ b/libs/tiff/patches/005-fix-ftell-macro.patch
@@ -1,6 +1,6 @@
 --- a/libtiff/tiffiop.h
 +++ b/libtiff/tiffiop.h
-@@ -286,7 +286,7 @@ struct tiff {
+@@ -302,7 +302,7 @@ struct tiff {
  */
  #if defined(HAVE_FSEEKO)
  #  define fseek(stream,offset,whence)  fseeko(stream,offset,whence)
diff --git a/libs/tiff/patches/020-CVE-2019-7663.patch b/libs/tiff/patches/020-CVE-2019-7663.patch
deleted file mode 100644
index 607b6de04..000000000
--- a/libs/tiff/patches/020-CVE-2019-7663.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Tue, 29 Jan 2019 11:21:47 +0100
-Subject: [PATCH] TIFFWriteDirectoryTagTransferfunction() : fix NULL
- dereferencing
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2833
-
-we must check the pointer is not NULL before memcmp() the memory
----
- libtiff/tif_dirwrite.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index c15a28db..ef30c869 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
- 		n=3;
- 	if (n==3)
- 	{
--		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
-+		if (tif->tif_dir.td_transferfunction[2] == NULL ||
-+		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
- 			n=2;
- 	}
- 	if (n==2)
- 	{
--		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
-+		if (tif->tif_dir.td_transferfunction[1] == NULL ||
-+		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
- 			n=1;
- 	}
- 	if (n==0)
--- 
-2.18.1
-
diff --git a/libs/tiff/patches/021-CVE-2019-6128.patch b/libs/tiff/patches/021-CVE-2019-6128.patch
deleted file mode 100644
index cd4259507..000000000
--- a/libs/tiff/patches/021-CVE-2019-6128.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
-From: Scott Gayou <github.scott@gmail.com>
-Date: Wed, 23 Jan 2019 15:03:53 -0500
-Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
-
-pal2rgb failed to free memory on a few errors. This was reported
-here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
----
- tools/pal2rgb.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
-index 01d8502e..9492f1cf 100644
---- a/tools/pal2rgb.c
-+++ b/tools/pal2rgb.c
-@@ -118,12 +118,14 @@ main(int argc, char* argv[])
- 	    shortv != PHOTOMETRIC_PALETTE) {
- 		fprintf(stderr, "%s: Expecting a palette image.\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
- 		fprintf(stderr,
- 		    "%s: No colormap (not a valid palette image).\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	bitspersample = 0;
-@@ -131,11 +133,14 @@ main(int argc, char* argv[])
- 	if (bitspersample != 8) {
- 		fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	out = TIFFOpen(argv[optind+1], "w");
--	if (out == NULL)
-+	if (out == NULL) {
-+		(void) TIFFClose(in);
- 		return (-2);
-+	}
- 	cpTags(in, out);
- 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
- 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
--- 
-2.18.1
-