Grab upstream fixes for integer overflows that lead to heap overflows. One is a fix for CVE-2026-4775. While looking over the commit history, I also noticed another fix that looked worthwhile. This is a game of whack-a-mole ... OK? ----------------------------------------------- commit 4f681d9153d0fde49c4f5eeaf442ef86dc449385 (mystuff) from: Christian Weisgerber <naddy@mips.inka.de> date: Tue Apr 14 15:56:33 2026 UTC graphics/tiff: fix integer overflows leading to heap overflows CVE-2026-4775 https://gitlab.com/libtiff/libtiff/-/commit/782a11d6 Further fixes https://gitlab.com/libtiff/libtiff/-/commit/67713aae diff c19177cff85d52d0f279197f8fb8980b6243a78b 4f681d9153d0fde49c4f5eeaf442ef86dc449385 commit - c19177cff85d52d0f279197f8fb8980b6243a78b commit + 4f681d9153d0fde49c4f5eeaf442ef86dc449385 blob - b8c1a0b2a2a67d5db5c3f32bf6af57be63de571a blob + 60fd601b2bd159534243df4196349e3864bdbc7a --- graphics/tiff/Makefile +++ graphics/tiff/Makefile @@ -4,7 +4,7 @@ DISTNAME= tiff-4.7.1 SHARED_LIBS= tiff 42.2 # 13.0 SHARED_LIBS+= tiffxx 42.0 # 13.0 CATEGORIES= graphics -REVISION= 0 +REVISION= 1 SITES= https://download.osgeo.org/libtiff/ EXTRACT_SUFX= .tar.xz blob - /dev/null blob + add0d449326f8588f469ed0011f7cd20ae013c4d (mode 644) --- /dev/null +++ graphics/tiff/patches/patch-libtiff_tif_dirwrite_c 
@@ -0,0 +1,42 @@
+fix: add integer overflow checks to allocation size calculations
+https://gitlab.com/libtiff/libtiff/-/commit/67713aaea9e29793763db732249c7bf2c1e12e8d
+
+Index: libtiff/tif_dirwrite.c
+--- libtiff/tif_dirwrite.c.orig
++++ libtiff/tif_dirwrite.c
+@@ -2537,7 +2537,7 @@ static int TIFFWriteDirectoryTagCheckedRationalArray(T
+ EvaluateIFDdatasizeWrite(tif, count * 2, sizeof(uint32_t), ndir);
+ return 1;
+ }
+- m = _TIFFmallocExt(tif, count * 2 * sizeof(uint32_t));
++ m = _TIFFCheckMalloc(tif, count, 2 * sizeof(uint32_t), "for rational array");
+ if (m == NULL)
+ {
+ TIFFErrorExtR(tif, module, "Out of memory");
+@@ -2573,7 +2573,7 @@ static int TIFFWriteDirectoryTagCheckedSrationalArray(
+ EvaluateIFDdatasizeWrite(tif, count * 2, sizeof(int32_t), ndir);
+ return 1;
+ }
+- m = _TIFFmallocExt(tif, count * 2 * sizeof(int32_t));
++ m = _TIFFCheckMalloc(tif, count, 2 * sizeof(int32_t), "for srational array");
+ if (m == NULL)
+ {
+ TIFFErrorExtR(tif, module, "Out of memory");
+@@ -2610,7 +2610,7 @@ TIFFWriteDirectoryTagCheckedRationalDoubleArray(TIFF *
+ EvaluateIFDdatasizeWrite(tif, count * 2, sizeof(uint32_t), ndir);
+ return 1;
+ }
+- m = _TIFFmallocExt(tif, count * 2 * sizeof(uint32_t));
++ m = _TIFFCheckMalloc(tif, count, 2 * sizeof(uint32_t), "for rational double array");
+ if (m == NULL)
+ {
+ TIFFErrorExtR(tif, module, "Out of memory");
+@@ -2645,7 +2645,7 @@ static int TIFFWriteDirectoryTagCheckedSrationalDouble
+ EvaluateIFDdatasizeWrite(tif, count * 2, sizeof(int32_t), ndir);
+ return 1;
+ }
+- m = _TIFFmallocExt(tif, count * 2 * sizeof(int32_t));
++ m = _TIFFCheckMalloc(tif, count, 2 * sizeof(int32_t), "for srational double array");
+ if (m == NULL)
+ {
+ TIFFErrorExtR(tif, module, "Out of memory");
blob - /dev/null
blob + 3c3ce50ccb6ad8da4369b60a347a1d64c19f90b2 (mode 644)
--- /dev/null
+++ graphics/tiff/patches/patch-libtiff_tif_getimage_c
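Review bot: The size-estimation branch just above each replaced allocation still calls `EvaluateIFDdatasizeWrite(tif, count * 2, sizeof(uint32_t), ndir)` (or the `int32_t` variant), so the `count * 2` product stays unchecked on that path in all four functions even though the allocation path now goes through `_TIFFCheckMalloc`. The declaration of `count` and the start and end of each function are outside the hunks; if `count` is a 32-bit unsigned value, the product wraps once it exceeds half the type's range and the estimate comes out too small. It would be worth checking upstream whether that is reachable and, if so, rejecting such counts before either branch, for example `if (count > UINT32_MAX / 2) { /* report and fail */ }`. Note also that the kept `"Out of memory"` message is now printed when the allocation is refused for an overflowing size, which can mislead whoever reads the log.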
@@ -0,0 +1,43 @@
+TIFFReadRGBAImage(): prevent integer overflow and later heap overflow
+on images with huge width in YCbCr tile decoding functions
+https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
+
+Index: libtiff/tif_getimage.c
+--- libtiff/tif_getimage.c.orig
++++ libtiff/tif_getimage.c
+@@ -2216,7 +2216,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
+ uint32_t *cp1 = cp + w + toskew;
+ uint32_t *cp2 = cp1 + w + toskew;
+ uint32_t *cp3 = cp2 + w + toskew;
+- int32_t incr = 3 * w + 4 * toskew;
++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
+
+ (void)y;
+ /* adjust fromskew */
+@@ -2356,7 +2356,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+ uint32_t *cp1 = cp + w + toskew;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+
+ (void)y;
+ fromskew = (fromskew / 4) * (4 * 2 + 2);
+@@ -2512,7 +2512,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 2) * (2 * 2 + 2);
+ cp2 = cp + w + toskew;
+@@ -2615,7 +2615,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
+ cp2 = cp + w + toskew;
blob - /dev/null
blob + 1fd841f6ea1d5cece308a7052078cdc20719e7c4 (mode 644)
--- /dev/null
+++ graphics/tiff/patches/patch-libtiff_tif_print_c
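Review bot: The context lines `fromskew = (fromskew / 4) * (4 * 2 + 2);`, `fromskew = (fromskew / 2) * (2 * 2 + 2);` and `fromskew = (fromskew / 1) * (1 * 2 + 2);` in the 42, 22 and 12 tile functions still scale `fromskew` in its own type, while only `incr` is widened to `tmsize_t`. `fromskew` is declared by the `DECLAREContigPutFunc` macro outside these hunks; if it is a 32-bit signed value that can grow with image or tile width, this multiplication may overflow much as the old `incr` expression did. If the callers do bound it, recording that next to the scaling would help, e.g. `/* fromskew is bounded by the tile width, so this cannot overflow */` once confirmed against upstream. Also worth confirming for 32-bit architectures: `tmsize_t` is presumably pointer-sized, in which case `incr` gains no extra range there.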
@@ -0,0 +1,16 @@
+fix: add integer overflow checks to allocation size calculations
+https://gitlab.com/libtiff/libtiff/-/commit/67713aaea9e29793763db732249c7bf2c1e12e8d
+
+Index: libtiff/tif_print.c
+--- libtiff/tif_print.c.orig
++++ libtiff/tif_print.c
+@@ -680,7 +680,8 @@ void TIFFPrintDirectory(TIFF *tif, FILE *fd, long flag
+ * "set_get_field_type" to determine internal storage size.
+ */
+ int tv_size = TIFFFieldSetGetSize(fip);
+- raw_data = _TIFFmallocExt(tif, tv_size * value_count);
++ raw_data = _TIFFCheckMalloc(tif, value_count, tv_size,
++ "for tag data");
+ mem_alloc = 1;
+ if (TIFFGetField(tif, tag, raw_data) != 1)
+ {
-- Christian "naddy" Weisgerber naddy@mips.inka.de
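Review bot: `raw_data` is handed to `TIFFGetField(tif, tag, raw_data)` without a NULL check in the visible lines, and `mem_alloc = 1` is set whether or not the allocation succeeded. With `_TIFFCheckMalloc` the allocation can now also be refused when `value_count * tv_size` would overflow (and presumably when `tv_size`, an `int`, is zero or negative), so a NULL result is no longer limited to genuine memory exhaustion. A guard directly after the call, such as `if (raw_data == NULL) continue;` or whatever the enclosing code uses to skip a tag, would keep a NULL buffer out of `TIFFGetField`. The rest of `TIFFPrintDirectory`, including the body of the failure branch, is outside the hunk.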