rpms
/
libtiff
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import libtiff-4.4.0-7.el9

Browse Source
c9-beta imports/c9-beta/libtiff-4.4.0-7.el9
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
commit 334e050427
12 changed files with 2181 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
SOURCES/tiff-4.4.0.tar.gz

1
.libtiff.metadata
Unescape View File

@ -0,0 +1 @@
e11d05db71d243a62800b4bf4479eb4859714405 SOURCES/tiff-4.4.0.tar.gz

40
SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch
Unescape View File

@ -0,0 +1,40 @@
From b2e3171e935be3c4b79657aebf4175ef3be403b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Mon, 18 Jul 2022 13:40:10 +0200
Subject: [PATCH] Back off the minimum required automake version to 1.11.
There isn't anything in libtiff currently that actually requires 1.12, and
changing this allows the package to be built on pre-F18 machines for easier
testing.
This patch can go away once we no longer care about testing on pre-F18.
---
Makefile.am | 2 +-
test/Makefile.am | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index aaabf4d1..66e13dd8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -25,7 +25,7 @@
docdir = $(LIBTIFF_DOCDIR)
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
ACLOCAL_AMFLAGS = -I m4
docfiles = \
diff --git a/test/Makefile.am b/test/Makefile.am
index b5823198..949667ee 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -23,7 +23,7 @@
# Process this file with automake to produce Makefile.in.
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
LIBTIFF = $(top_builddir)/libtiff/libtiff.la

21
SOURCES/0002-Fix-Makefile.patch
Unescape View File

@ -0,0 +1,21 @@
From ab8a25b78922ba0e93fc4264d15c3e796a6f4c34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 5 May 2022 14:42:52 +0200
Subject: [PATCH] Fix Makefile
---
html/man/Makefile.am | 1 -
1 file changed, 1 deletion(-)
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
index 3ed00d44..8a64925a 100644
--- a/html/man/Makefile.am
+++ b/html/man/Makefile.am
@@ -90,7 +90,6 @@ docfiles = \
tiffcrop.1.html \
tiffdither.1.html \
tiffdump.1.html \
- tiffgt.1.html \
tiffinfo.1.html \
tiffmedian.1.html \
tiffset.1.html \

179
SOURCES/0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
Unescape View File

@ -0,0 +1,179 @@
From eda0ab31e15edbb6ddee96f5c87d52888d68872c Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
tiffcrop (#415, #427, and #428)
(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab)
---
libtiff/tif_aux.c | 9 +++++++
libtiff/tiffiop.h | 1 +
tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
3 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 140f26c7..5b88c8d0 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
return (float)val;
}
+uint32_t _TIFFClampDoubleToUInt32(double val)
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32_t)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index e3af461d..4e8bdac2 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
extern float _TIFFUInt64ToFloat(uint64_t);
extern float _TIFFClampDoubleToFloat(double);
+extern uint32_t _TIFFClampDoubleToUInt32(double);
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 1f827b2b..90286a5e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
{
- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
}
else
{
- x1 = (uint32_t) (crop->corners[i].X1);
- x2 = (uint32_t) (crop->corners[i].X2);
- y1 = (uint32_t) (crop->corners[i].Y1);
- y2 = (uint32_t) (crop->corners[i].Y2);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
/* a) Region needs to be within image sizes 0.. width-1; 0..length-1
* b) Corners are expected to be submitted as top-left to bottom-right.
@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{ /* User has specified pixels as reference unit */
- tmargin = (uint32_t)(crop->margins[0]);
- lmargin = (uint32_t)(crop->margins[1]);
- bmargin = (uint32_t)(crop->margins[2]);
- rmargin = (uint32_t)(crop->margins[3]);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
}
else
{ /* inches or centimeters specified */
- tmargin = (uint32_t)(crop->margins[0] * scale * yres);
- lmargin = (uint32_t)(crop->margins[1] * scale * xres);
- bmargin = (uint32_t)(crop->margins[2] * scale * yres);
- rmargin = (uint32_t)(crop->margins[3] * scale * xres);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
}
if ((lmargin + rmargin) > image->width)
@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)crop->width;
+ width = _TIFFClampDoubleToUInt32(crop->width);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)crop->length;
+ length = _TIFFClampDoubleToUInt32(crop->length);
else
length = image->length - tmargin - bmargin;
}
else
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)(crop->width * scale * image->xres);
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)(crop->length * scale * image->yres);
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
else
length = image->length - tmargin - bmargin;
}
@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
{ /* inches or centimeters specified */
- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
}
else
{ /* Otherwise user has specified pixels as reference unit */
- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
}
if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->mode & PAGE_MODE_PAPERSIZE )
{
- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
}
else
{
- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
}
}
@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
if (olength > ilength)
olength = ilength;
+ if (owidth == 0 || olength == 0)
+ {
+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+ exit(EXIT_FAILURE);
+ }
+
/* Compute the number of pages required for Portrait or Landscape */
switch (page->orient)
{

90
SOURCES/0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch
Unescape View File

@ -0,0 +1,90 @@
From ecd9216e574039b8fba893314bdfc6edbdd6bf20 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Mon, 15 Aug 2022 22:11:03 +0200
Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521)?=
=?UTF-8?q?=20According=20to=20Richard=20Nolde=20https://gitlab.com/libtif?=
=?UTF-8?q?f/libtiff/-/issues/401#note=5F877637400=20the=20tiffcrop=20opti?=
=?UTF-8?q?on=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually=20exclusive=20?=
=?UTF-8?q?to=20the=20other=20crop=20options=20(-X|-Y),=20-Z=20and=20-z.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf)
---
tools/tiffcrop.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 90286a5e..d9213ecb 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -108,7 +108,7 @@
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
*
- * Note: The (-X|-Y), -Z and -z options are mutually exclusive.
+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
* In no case should the options be applied to a given selection successively.
*/
@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
#define ROTATECW_270 32
#define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
-#define CROP_NONE 0
-#define CROP_MARGINS 1
-#define CROP_WIDTH 2
-#define CROP_LENGTH 4
-#define CROP_ZONES 8
-#define CROP_REGIONS 16
+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
+#define CROP_MARGINS 1 /* "-m" */
+#define CROP_WIDTH 2 /* "-X" */
+#define CROP_LENGTH 4 /* "-Y" */
+#define CROP_ZONES 8 /* "-Z" */
+#define CROP_REGIONS 16 /* "-z" */
#define CROP_ROTATE 32
#define CROP_MIRROR 64
#define CROP_INVERT 128
@@ -316,7 +316,7 @@ struct crop_mask {
#define PAGE_MODE_RESOLUTION 1
#define PAGE_MODE_PAPERSIZE 2
#define PAGE_MODE_MARGINS 4
-#define PAGE_MODE_ROWSCOLS 8
+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
#define INVERT_DATA_ONLY 10
#define INVERT_DATA_AND_TAG 11
@@ -781,7 +781,7 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
" In no case should the options be applied to a given selection successively.\n"
"\n"
;
@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
- char XY, Z, R;
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+ char XY, Z, R, S;
XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
Z = (crop_data->crop_mode & CROP_ZONES);
R = (crop_data->crop_mode & CROP_REGIONS);
- if ((XY && Z) || (XY && R) || (Z && R)) {
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
+ S = (page->mode & PAGE_MODE_ROWSCOLS);
+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
exit(EXIT_FAILURE);
}
} /* end process_command_opts */

32
SOURCES/0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch
Unescape View File

@ -0,0 +1,32 @@
From 670117c3a76bc0f995bfdb6c293ab2ce9af18273 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 20 Aug 2022 23:35:26 +0200
Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521) tiffcrop -S
option: Make decision simpler.
(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba)
---
tools/tiffcrop.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d9213ecb..0551a01c 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
}
/*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
char XY, Z, R, S;
- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
- Z = (crop_data->crop_mode & CROP_ZONES);
- R = (crop_data->crop_mode & CROP_REGIONS);
- S = (page->mode & PAGE_MODE_ROWSCOLS);
- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
+ if (XY + Z + R + S > 1) {
TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
exit(EXIT_FAILURE);
}

100
SOURCES/0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
Unescape View File

@ -0,0 +1,100 @@
From c382116391639603e06aeceb80accf7af4418892 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Thu, 25 Aug 2022 16:11:41 +0200
Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable
incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes
#411 and #413)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tiffcrop does not support Z, -z, -X and Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or S.
Code analysis:
With the options Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
Execution of the else-clause often leads to buffer-overflows.
Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
The MR solves issues #411 and #413.
(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62)
---
tools/tiffcrop.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 0551a01c..613ce7f8 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -107,10 +107,12 @@
* selects which functions dump data, with higher numbers selecting
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
- *
- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ *
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
* In no case should the options be applied to a given selection successively.
- */
+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+ */
static char tiffcrop_version_id[] = "2.5";
static char tiffcrop_rev_date[] = "02-09-2022";
@@ -781,9 +783,12 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
" In no case should the options be applied to a given selection successively.\n"
"\n"
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options\n"
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.\n"
+"\n"
;
/* This function could be modified to pass starting sample offset
@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
if (XY + Z + R + S > 1) {
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
exit(EXIT_FAILURE);
}
+
+ /* Check for not allowed combination:
+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+. */
+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
+ TIFFError("tiffcrop input error",
+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
+ exit(EXIT_FAILURE);
+ }
+
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or
@@ -2411,6 +2427,7 @@ main(int argc, char* argv[])
exit (EXIT_FAILURE);
}
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
if (crop.selections > 0)
{
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
@@ -2427,6 +2444,7 @@ main(int argc, char* argv[])
exit (EXIT_FAILURE);
}
}
+ /* Format and write selected image parts to output file(s). */
if (page.mode == PAGE_MODE_NONE)
{ /* Whole image or sections not based on output page size */
if (crop.selections > 0)

261
SOURCES/0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
Unescape View File

@ -0,0 +1,261 @@
From 80d781f24346e2ba76e9eedfc943f6013abb2771 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 30 Aug 2022 16:56:48 +0200
Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and
related TIFFTAG_NUMBEROFINKS value
In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
Behaviour for writing:
`NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
`NumberOfInks` is automatically set when `InkNames` is set.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
Behaviour for reading:
When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d)
---
libtiff/tif_dir.c | 119 ++++++++++++++++++++++++-----------------
libtiff/tif_dir.h | 2 +
libtiff/tif_dirinfo.c | 2 +-
libtiff/tif_dirwrite.c | 5 ++
libtiff/tif_print.c | 4 ++
5 files changed, 82 insertions(+), 50 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index e90f14a0..a4295dc9 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
}
/*
- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
+ * Count ink names separated by \0. Returns
* zero if the ink names are not as expected.
*/
-static uint32_t
-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
+static uint16_t
+countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
{
- TIFFDirectory* td = &tif->tif_dir;
- uint16_t i = td->td_samplesperpixel;
+ uint16_t i = 0;
+ const char *ep = s + slen;
+ const char *cp = s;
if (slen > 0) {
- const char* ep = s+slen;
- const char* cp = s;
- for (; i > 0; i--) {
+ do {
for (; cp < ep && *cp != '\0'; cp++) {}
if (cp >= ep)
goto bad;
cp++; /* skip \0 */
- }
- return ((uint32_t)(cp - s));
+ i++;
+ } while (cp < ep);
+ return (i);
}
bad:
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16,
- tif->tif_name,
- td->td_samplesperpixel,
- (uint16_t)(td->td_samplesperpixel-i));
+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
+ tif->tif_name, slen, i);
return (0);
}
@@ -475,13 +473,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
break;
case TIFFTAG_INKNAMES:
- v = (uint16_t) va_arg(ap, uint16_vap);
- s = va_arg(ap, char*);
- v = checkInkNamesString(tif, v, s);
- status = v > 0;
- if( v > 0 ) {
- _TIFFsetNString(&td->td_inknames, s, v);
- td->td_inknameslen = v;
+ {
+ v = (uint16_t) va_arg(ap, uint16_vap);
+ s = va_arg(ap, char*);
+ uint16_t ninksinstring;
+ ninksinstring = countInkNamesString(tif, v, s);
+ status = ninksinstring > 0;
+ if(ninksinstring > 0 ) {
+ _TIFFsetNString(&td->td_inknames, s, v);
+ td->td_inknameslen = v;
+ /* Set NumberOfInks to the value ninksinstring */
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (td->td_numberofinks != ninksinstring) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
+ td->td_numberofinks = ninksinstring;
+ }
+ } else {
+ td->td_numberofinks = ninksinstring;
+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
+ }
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
+ }
+ }
+ }
+ }
+ break;
+ case TIFFTAG_NUMBEROFINKS:
+ v = (uint16_t)va_arg(ap, uint16_vap);
+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
+ {
+ if (v != td->td_numberofinks) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
+ status = 0;
+ }
+ } else {
+ td->td_numberofinks = (uint16_t)v;
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
+ }
+ }
}
break;
case TIFFTAG_PERSAMPLE:
@@ -915,34 +961,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
if (fip->field_bit == FIELD_CUSTOM) {
standard_tag = 0;
}
-
- if( standard_tag == TIFFTAG_NUMBEROFINKS )
- {
- int i;
- for (i = 0; i < td->td_customValueCount; i++) {
- uint16_t val;
- TIFFTagValue *tv = td->td_customValues + i;
- if (tv->info->field_tag != standard_tag)
- continue;
- if( tv->value == NULL )
- return 0;
- val = *(uint16_t *)tv->value;
- /* Truncate to SamplesPerPixel, since the */
- /* setting code for INKNAMES assume that there are SamplesPerPixel */
- /* inknames. */
- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
- if( val > td->td_samplesperpixel )
- {
- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
- "Truncating NumberOfInks from %u to %"PRIu16,
- val, td->td_samplesperpixel);
- val = td->td_samplesperpixel;
- }
- *va_arg(ap, uint16_t*) = val;
- return 1;
- }
- return 0;
- }
switch (standard_tag) {
case TIFFTAG_SUBFILETYPE:
@@ -1124,6 +1142,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
case TIFFTAG_INKNAMES:
*va_arg(ap, const char**) = td->td_inknames;
break;
+ case TIFFTAG_NUMBEROFINKS:
+ *va_arg(ap, uint16_t *) = td->td_numberofinks;
+ break;
default:
{
int i;
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
index 09065648..0c251c9e 100644
--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
@@ -117,6 +117,7 @@ typedef struct {
/* CMYK parameters */
int td_inknameslen;
char* td_inknames;
+ uint16_t td_numberofinks; /* number of inks in InkNames string */
int td_customValueCount;
TIFFTagValue *td_customValues;
@@ -174,6 +175,7 @@ typedef struct {
#define FIELD_TRANSFERFUNCTION 44
#define FIELD_INKNAMES 46
#define FIELD_SUBIFD 49
+#define FIELD_NUMBEROFINKS 50
/* FIELD_CUSTOM (see tiffio.h) 65 */
/* end of support for well-known tags; codec-private tags follow */
#define FIELD_CODEC 66 /* base of codec-private tags */
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index c30f569b..a7e78aae 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -114,7 +114,7 @@ tiffFields[] = {
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
{ TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
{ TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
{ TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 2fef6d82..1a00edbf 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -708,6 +708,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff)
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
goto bad;
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
+ goto bad;
+ }
if (TIFFFieldSet(tif,FIELD_SUBIFD))
{
if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 80a9d90f..1ed90e28 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -401,6 +401,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
}
fputs("\n", fd);
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
+ fprintf(fd, " NumberOfInks: %d\n",
+ td->td_numberofinks);
+ }
if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
fprintf(fd, " Thresholding: ");
switch (td->td_threshholding) {

647
SOURCES/0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch
Unescape View File

@ -0,0 +1,647 @@
From aacb1f89c5aa85d513dea8bdb1fd6818519bae2d Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Thu, 13 Oct 2022 14:33:27 +0000
Subject: [PATCH] (CVE-2022-3570 CVE-2022-3598) tiffcrop subroutines require a
larger buffer (fixes #271, #381, #386, #388, #389, #435)
(cherry picked from commit afd7086090dafd3949afd172822cbcec4ed17d56)
---
tools/tiffcrop.c | 205 +++++++++++++++++++++++++++--------------------
1 file changed, 116 insertions(+), 89 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 613ce7f8..70d56e55 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "02-09-2022";
#define TIFF_DIR_MAX 65534
+/* Some conversion subroutines require image buffers, which are at least 3 bytes
+ * larger than the necessary size for the image itself. */
+#define NUM_BUFF_OVERSIZE_BYTES 3
+
/* Offsets into buffer for margins and fixed width and length segments */
struct offset {
uint32_t tmargin;
@@ -233,7 +237,7 @@ struct offset {
*/
struct buffinfo {
- uint32_t size; /* size of this buffer */
+ size_t size; /* size of this buffer */
unsigned char *buffer; /* address of the allocated buffer */
};
@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
uint32_t dst_rowsize, shift_width;
uint32_t bytes_per_sample, bytes_per_pixel;
uint32_t trailing_bits, prev_trailing_bits;
- uint32_t tile_rowsize = TIFFTileRowSize(in);
- uint32_t src_offset, dst_offset;
+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
+ tmsize_t src_offset, dst_offset;
uint32_t row_offset, col_offset;
uint8_t *bufp = (uint8_t*) buf;
unsigned char *src = NULL;
@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
exit(EXIT_FAILURE);
}
- tilebuf = limitMalloc(tile_buffsize + 3);
+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (tilebuf == 0)
return 0;
tilebuf[tile_buffsize] = 0;
@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf,
for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
{
srcbuffs[sample] = NULL;
- tbuff = (unsigned char *)limitMalloc(tilesize + 8);
+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
if (!tbuff)
{
TIFFError ("readSeparateTilesIntoBuffer",
@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
}
rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
- obuf = limitMalloc (rowstripsize);
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
if (obuf == NULL)
return 1;
@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
stripsize = TIFFVStripSize(out, nrows);
src = buf + (row * rowsize);
- memset (obuf, '\0', rowstripsize);
+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
{
_TIFFfree(obuf);
@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
}
if ((dump->outfile != NULL) && (dump->level == 1))
{
- dump_info(dump->outfile, dump->format,"",
+ if (scanlinesize > 0x0ffffffffULL) {
+ dump_info(dump->infile, dump->format, "loadImage",
+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+ scanlinesize);
+ }
+ dump_info(dump->outfile, dump->format,"",
"Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf);
+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf);
}
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
uint32_t tl, tw;
uint32_t row, col, nrow, ncol;
uint32_t src_rowsize, col_offset;
- uint32_t tile_rowsize = TIFFTileRowSize(out);
+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
uint8_t* bufp = (uint8_t*) buf;
tsize_t tile_buffsize = 0;
tsize_t tilesize = TIFFTileSize(out);
@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
}
src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
- tilebuf = limitMalloc(tile_buffsize);
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (tilebuf == 0)
return 1;
+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
for (row = 0; row < imagelength; row += tl)
{
nrow = (row + tl > imagelength) ? imagelength - row : tl;
@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
uint32_t imagewidth, tsample_t spp,
struct dump_opts * dump)
{
- tdata_t obuf = limitMalloc(TIFFTileSize(out));
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
uint32_t tl, tw;
uint32_t row, col, nrow, ncol;
uint32_t src_rowsize, col_offset;
@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
if (obuf == NULL)
return 1;
+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
!TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
*opt_offset = '\0';
/* convert option to lowercase */
- end = strlen (opt_ptr);
+ end = (unsigned int)strlen (opt_ptr);
for (i = 0; i < end; i++)
*(opt_ptr + i) = tolower((int) *(opt_ptr + i));
/* Look for dump format specification */
if (strncmp(opt_ptr, "for", 3) == 0)
{
/* convert value to lowercase */
- end = strlen (opt_offset + 1);
+ end = (unsigned int)strlen (opt_offset + 1);
for (i = 1; i <= end; i++)
*(opt_offset + i) = tolower((int) *(opt_offset + i));
/* check dump format value */
@@ -2273,6 +2287,8 @@ main(int argc, char* argv[])
size_t length;
char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
+
little_endian = *((unsigned char *)&little_endian) & '1';
initImageData(&image);
@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3
static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
{
uint8_t* bufp = buf;
- int32_t bytes_read = 0;
+ tmsize_t bytes_read = 0;
uint32_t strip, nstrips = TIFFNumberOfStrips(in);
- uint32_t stripsize = TIFFStripSize(in);
- uint32_t rows = 0;
+ tmsize_t stripsize = TIFFStripSize(in);
+ tmsize_t rows = 0;
uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
tsize_t scanline_size = TIFFScanlineSize(in);
@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
rows = bytes_read / scanline_size;
if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize))
- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32,
+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
strip + 1, bytes_read, stripsize);
if (bytes_read < 0 && !ignore) {
- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows",
+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
strip, rows);
return 0;
}
@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
"Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
row + 1, col + 1, src_byte, src_bit, dst - out);
- dump_long (dumpfile, format, "Match bits ", matchbits);
+ dump_wide (dumpfile, format, "Match bits ", matchbits);
dump_data (dumpfile, format, "Src bits ", src, 4);
- dump_long (dumpfile, format, "Buff1 bits ", buff1);
- dump_long (dumpfile, format, "Buff2 bits ", buff2);
+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
dump_byte (dumpfile, format, "Write bits1", bytebuff1);
dump_byte (dumpfile, format, "Write bits2", bytebuff2);
dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
"Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
row + 1, col + 1, src_byte, src_bit, dst - out);
- dump_long (dumpfile, format, "Match bits ", matchbits);
+ dump_wide (dumpfile, format, "Match bits ", matchbits);
dump_data (dumpfile, format, "Src bits ", src, 4);
- dump_long (dumpfile, format, "Buff1 bits ", buff1);
- dump_long (dumpfile, format, "Buff2 bits ", buff2);
+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
dump_byte (dumpfile, format, "Write bits1", bytebuff1);
dump_byte (dumpfile, format, "Write bits2", bytebuff2);
dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
{
int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
uint32_t j;
- int32_t bytes_read = 0;
+ tmsize_t bytes_read = 0;
uint16_t bps = 0, planar;
uint32_t nstrips;
uint32_t strips_per_sample;
@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
srcbuffs[s] = NULL;
- buff = limitMalloc(stripsize + 3);
+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
if (!buff)
{
TIFFError ("readSeparateStripsIntoBuffer",
@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
buff = srcbuffs[s];
strip = (s * strips_per_sample) + j;
bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
- rows_this_strip = bytes_read / src_rowsize;
+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
if (bytes_read < 0 && !ignore)
{
TIFFError(TIFFFileName(in),
@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint16_t input_compression = 0, input_photometric = 0;
uint16_t subsampling_horiz, subsampling_vert;
uint32_t width = 0, length = 0;
- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
+ tmsize_t scanlinesize = 0;
uint32_t tw = 0, tl = 0; /* Tile width and length */
- uint32_t tile_rowsize = 0;
+ tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
unsigned char *new_buff = NULL;
int readunit = 0;
- static uint32_t prev_readsize = 0;
+ static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
/* The buffsize_check and the possible adaptation of buffsize
* has to account also for padding of each line to a byte boundary.
* This is assumed by mirrorImage() and rotateImage().
+ * Furthermore, functions like extractContigSamplesShifted32bits()
+ * need a buffer, which is at least 3 bytes larger than the actual image.
* Otherwise buffer-overflow might occur there.
*/
buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
return (-1);
}
- read_buff = (unsigned char *)limitMalloc(buffsize+3);
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
{
@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
return (-1);
}
- new_buff = _TIFFrealloc(read_buff, buffsize+3);
+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize+3);
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
read_buff = new_buff;
@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
dump_info (dump->infile, dump->format, "",
"Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp);
+ if (scanlinesize > 0x0ffffffffULL) {
+ dump_info(dump->infile, dump->format, "loadImage",
+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+ scanlinesize);
+ }
for (i = 0; i < length; i++)
- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize,
i, read_buff + (i * scanlinesize));
}
return (0);
@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
- int inknameslen = strlen(inknames) + 1;
+ int inknameslen = (int)strlen(inknames) + 1;
const char* cp = inknames;
while (ninks > 1) {
cp = strchr(cp, '\0');
if (cp) {
cp++;
- inknameslen += (strlen(cp) + 1);
+ inknameslen += ((int)strlen(cp) + 1);
}
ninks--;
}
@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
if (!sect_buff)
{
- sect_buff = (unsigned char *)limitMalloc(sectsize);
+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
if (!sect_buff)
{
TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
return (-1);
}
- _TIFFmemset(sect_buff, 0, sectsize);
+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
{
if (prev_sectsize < sectsize)
{
- new_buff = _TIFFrealloc(sect_buff, sectsize);
+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
_TIFFfree (sect_buff);
- sect_buff = (unsigned char *)limitMalloc(sectsize);
+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
sect_buff = new_buff;
@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
return (-1);
}
- _TIFFmemset(sect_buff, 0, sectsize);
+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
}
@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
cropsize = crop->bufftotal;
crop_buff = seg_buffs[0].buffer;
if (!crop_buff)
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
prev_cropsize = seg_buffs[0].size;
if (prev_cropsize < cropsize)
{
- next_buff = _TIFFrealloc(crop_buff, cropsize);
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (! next_buff)
{
_TIFFfree (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = next_buff;
@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
seg_buffs[0].buffer = crop_buff;
seg_buffs[0].size = cropsize;
@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
cropsize = crop->bufftotal;
crop_buff = seg_buffs[i].buffer;
if (!crop_buff)
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
prev_cropsize = seg_buffs[0].size;
if (prev_cropsize < cropsize)
{
- next_buff = _TIFFrealloc(crop_buff, cropsize);
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (! next_buff)
{
_TIFFfree (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = next_buff;
@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
seg_buffs[i].buffer = crop_buff;
seg_buffs[i].size = cropsize;
@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
crop_buff = *crop_buff_ptr;
if (!crop_buff)
{
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (!crop_buff)
{
TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
prev_cropsize = cropsize;
}
else
{
if (prev_cropsize < cropsize)
{
- new_buff = _TIFFrealloc(crop_buff, cropsize);
+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
free (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = new_buff;
@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
}
@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
- int inknameslen = strlen(inknames) + 1;
+ int inknameslen = (int)strlen(inknames) + 1;
const char* cp = inknames;
while (ninks > 1) {
cp = strchr(cp, '\0');
if (cp) {
cp++;
- inknameslen += (strlen(cp) + 1);
+ inknameslen += ((int)strlen(cp) + 1);
}
ninks--;
}
@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
return (-1);
}
- if (!(rbuff = (unsigned char *)limitMalloc(buffsize)))
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
{
- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
- _TIFFmemset(rbuff, '\0', buffsize);
+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
ibuff = *ibuff_ptr;
switch (rotation)
@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width,
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
{
case MIRROR_BOTH:
case MIRROR_VERT:
- line_buff = (unsigned char *)limitMalloc(rowsize);
+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
if (line_buff == NULL)
{
- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
dst = ibuff + (rowsize * (length - 1));
for (row = 0; row < length / 2; row++)
@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
}
else
{ /* non 8 bit per sample data */
- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1)))
+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
{
TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
return (-1);
}
+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
if (bytes_per_pixel < (bytes_per_sample + 1))
@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
{
row_offset = row * rowsize;
src = ibuff + row_offset;
- _TIFFmemset (line_buff, '\0', rowsize);
+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
switch (shift_width)
{
case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))

37
SOURCES/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
Unescape View File

@ -0,0 +1,37 @@
From b6204fada53418fdf140e039e87052f987770de1 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 8 Nov 2022 15:16:58 +0100
Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer
overflow on strips/tiles > 2 GB
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be)
---
libtiff/tif_getimage.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index a1b6570b..9a2e0c59 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
return( ok );
for( i_row = 0; i_row < read_ysize; i_row++ ) {
- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
- raster + (read_ysize - i_row - 1) * read_xsize,
+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
read_xsize * sizeof(uint32_t) );
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
}
for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
0, sizeof(uint32_t) * tile_xsize );
}

772
SPECS/libtiff.spec
Unescape View File

@ -0,0 +1,772 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.4.0
Release: 7%{?dist}
License: libtiff
URL: http://www.simplesystems.org/libtiff/
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/c9s
# Patches were generated by: git format-patch --no-signature -N ...
Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
Patch0002: 0002-Fix-Makefile.patch
Patch0003: 0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
Patch0004: 0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch
Patch0005: 0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch
Patch0006: 0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
Patch0007: 0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
Patch0008: 0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch
Patch0009: 0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
BuildRequires: libtool automake autoconf pkgconfig
BuildRequires: make
%description
The libtiff package contains a library of functions for manipulating
TIFF (Tagged Image File Format) image format files. TIFF is a widely
used file format for bitmapped images. TIFF files usually end in the
.tif extension and they are often quite large.
The libtiff package should be installed if you need to manipulate TIFF
format image files.
%package devel
Summary: Development tools for programs which will use the libtiff library
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: pkgconfig
%description devel
This package contains the header files and documentation necessary for
developing programs which will manipulate TIFF format image files
using the libtiff library.
If you need to develop programs which will manipulate TIFF format
image files, you should install this package. You'll also need to
install the libtiff package.
%package static
Summary: Static TIFF image format file library
Requires: %{name}-devel%{?_isa} = %{version}-%{release}
%description static
The libtiff-static package contains the statically linkable version of libtiff.
Linking to static libraries is discouraged for most applications, but it is
necessary for some boot packages.
%package tools
Summary: Command-line utility programs for manipulating TIFF files
Requires: %{name}%{?_isa} = %{version}-%{release}
%description tools
This package contains command-line programs for manipulating TIFF format
image files using the libtiff library.
%prep
%autosetup -p1 -n tiff-%{version}
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
libtoolize --force --copy
aclocal -I . -I m4
automake --add-missing --copy
autoconf
autoheader
%build
export CFLAGS="%{optflags} -fno-strict-aliasing"
%configure --enable-ld-version-script
%make_build
%install
%make_install
# remove what we didn't want installed
rm $RPM_BUILD_ROOT%{_libdir}/*.la
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/
# no libGL dependency, please
rm -f $RPM_BUILD_ROOT%{_bindir}/tiffgt
# no sgi2tiff or tiffsv, either
rm -f $RPM_BUILD_ROOT%{_bindir}/sgi2tiff
rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1
rm -f html/man/tiffgt.1.html
rm -f html/man/sgi2tiff.1.html
rm -f html/man/tiffsv.1.html
# multilib header hack
# we only apply this to known Red Hat multilib arches, per bug #233091
case `uname -i` in
i386 | ppc | s390 | sparc )
wordsize="32"
;;
x86_64 | ppc64 | s390x | sparc64 )
wordsize="64"
;;
*)
wordsize=""
;;
esac
if test -n "$wordsize"
then
mv $RPM_BUILD_ROOT%{_includedir}/tiffconf.h \
$RPM_BUILD_ROOT%{_includedir}/tiffconf-$wordsize.h
cat >$RPM_BUILD_ROOT%{_includedir}/tiffconf.h <<EOF
#ifndef TIFFCONF_H_MULTILIB
#define TIFFCONF_H_MULTILIB
#include <bits/wordsize.h>
#if __WORDSIZE == 32
# include "tiffconf-32.h"
#elif __WORDSIZE == 64
# include "tiffconf-64.h"
#else
# error "unexpected value for __WORDSIZE macro"
#endif
#endif
EOF
fi
%ldconfig_scriptlets
%check
LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
# don't include documentation Makefiles, they are a multilib hazard
find html -name 'Makefile*' | xargs rm
%files
%license COPYRIGHT
%doc README.md RELEASE-DATE VERSION
%{_libdir}/libtiff.so.*
%{_libdir}/libtiffxx.so.*
%files devel
%doc TODO ChangeLog html
%{_includedir}/*
%{_libdir}/libtiff.so
%{_libdir}/libtiffxx.so
%{_libdir}/pkgconfig/libtiff*.pc
%{_mandir}/man3/*
%files static
%{_libdir}/*.a
%files tools
%{_bindir}/*
%{_mandir}/man1/*
%changelog
* Tue Dec 06 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-7
- Fix CVE-2022-3970
- Resolves: CVE-2022-3970
* Mon Dec 05 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-6
- Fix CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570 CVE-2022-3598
CVE-2022-3627
- Resolves: CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570
CVE-2022-3598 CVE-2022-3627
* Mon Oct 24 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-5
- Bump release
- Resolves: CVE-2022-2953
* Tue Oct 11 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-4
- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521
* Mon Jul 18 2022 Matej Mužila <mmuzila@redhat.com> 4.4.0-3
- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
- Resolves: #2106768
* Wed Jun 15 2022 Matej Mužila <mmuzila@redhat.com> 4.4.0-2
- Update to version 4.4.0
- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865
CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1354
CVE-2022-1355
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.2.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.2.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Feb 02 2021 Nikola Forró <nforro@redhat.com> - 4.2.0-1
- New upstream release 4.2.0 (#1909412)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jan 04 2021 Nikola Forró <nforro@redhat.com> - 4.1.0-6
- Build with ZSTD and WEBP support (#1911969)
* Mon Nov 02 2020 Nikola Forró <nforro@redhat.com> - 4.1.0-5
- Remove libtiff-devel dependency on arch-specific pkgconfig
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 4.1.0-3
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 05 2019 Nikola Forró <nforro@redhat.com> - 4.1.0-1
- New upstream version libtiff-4.1.0 (#1768276)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.10-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-5
- Fix CVE-2018-19210 (#1649387)
* Fri Feb 15 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-4
- Fix CVE-2019-7663 (#1677529)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 30 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-2
- Fix CVE-2019-6128 (#1667124)
* Wed Nov 14 2018 Nikola Forró <nforro@redhat.com> - 4.0.10-1
- New upstream version libtiff-4.0.10
* Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-13
- Fix CVE-2018-17100 (#1631070) and CVE-2018-17101 (#1631079)
* Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-12
- Fix CVE-2018-10779 (#1577316)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.9-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jun 06 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-10
- Fix CVE-2017-11613 (#1475531)
* Wed May 30 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-9
- Fix CVE-2017-9935, CVE-2017-18013 (#1530441),
CVE-2018-8905 (#1559705) and CVE-2018-10963 (#1579061)
* Tue Apr 17 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-8
- Fix CVE-2018-7456 (#1556709)
* Fri Mar 23 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-7
- Fix CVE-2018-5784 (#1537742)
* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-6
- Add missing gcc-c++ build dependency
* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-5
- Add missing gcc build dependency
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.0.9-3
- Switch to %%ldconfig_scriptlets
* Mon Dec 11 2017 Nikola Forró <nforro@redhat.com> - 4.0.9-2
- Fix unescaped macro in changelog entry (#1523643)
* Thu Nov 23 2017 Nikola Forró <nforro@redhat.com> - 4.0.9-1
- New upstream version libtiff-4.0.9 (#1514863)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Mon May 22 2017 Nikola Forró <nforro@redhat.com> - 4.0.8-1
- New upstream version libtiff-4.0.8 (#1453030)
* Wed Apr 12 2017 Nikola Forró <nforro@redhat.com> - 4.0.7-5
- Fix CVE-2017-759{2,3,4,5,6,7,8,9}, CVE-2017-760{0,1,2} (#1441273)
* Wed Apr 05 2017 Nikola Forró <nforro@redhat.com> - 4.0.7-4
- Fix CVE-2016-1026{6,7,8,9}, CVE-2016-1027{0,1,2} (#1438464)
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jan 24 2017 Nikola Forró <nforro@redhat.com> - 4.0.7-2
- Fix Hylafax breakage (#1416042)
* Mon Nov 21 2016 Nikola Forró <nforro@redhat.com> - 4.0.7-1
- New upstream version libtiff-4.0.7 (#1396769)
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Oct 09 2015 Petr Hracek <phracek@redhat.com> - 4.0.6-1
- New upstream version libtiff-4.0.6 (#1262585)
* Wed Sep 09 2015 Petr Hracek <phracek@redhat.com> - 4.0.5-1
- New upstream version libtiff-4.0.5 (#1258286)
* Mon Jun 22 2015 Petr Hracek <phracek@redhat.com> - 4.0.4-1
- New upstream version libtiff-4.0.4 (#1234191)
* Fri Jun 19 2015 Petr Hracek <phracek@redhat.com> - 4.0.4beta-1
- New upstream version libtiff-4.0.4beta (#1186219)
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue May 19 2015 Petr Hracek <phracek@redhat.com> - 4.0.3-20
- CVE-2014-9655 and CVE-2015-1547 #1190710
* Sat May 02 2015 Kalev Lember <kalevlember@gmail.com> - 4.0.3-19
- Rebuilt for GCC 5 C++11 ABI change
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Aug 12 2014 Kalev Lember <kalevlember@gmail.com> - 4.0.3-17
- Rebuilt for libjbig soname bump
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Wed May 21 2014 Petr Hracek <phracek@redhat.com> - 4.0.3-15
- Add upstream patches for CVE-2013-4243 (#996832)
* Thu Dec 19 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-14
- Fix: #1044609 Can't install both architectures
* Wed Dec 18 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-13
- Fix #510240 Correct tiff2ps man option -W
* Wed Oct 16 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-12
- make check moved to %%check section (#1017070)
* Tue Oct 08 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-11
- Resolves: #510258, #510240 - man page corrections
* Mon Aug 19 2013 Petr Hracek <phracek@redhat.com> 4.0.3-10
- Add upstream patches for CVE-2013-4244
Resolves: #996468
* Wed Aug 14 2013 Petr Hracek <phracek@redhat.com> 4.0.3-9
- Add upstream patches for CVE-2013-4231 CVE-2013-4232
Resolves: #995965 #995975
* Mon Aug 12 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-8
- Manpage fixing (#510240, #510258)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu May 2 2013 Tom Lane <tgl@redhat.com> 4.0.3-6
- Add upstream patches for CVE-2013-1960, CVE-2013-1961
Resolves: #958609
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Fri Jan 18 2013 Adam Tkac <atkac redhat com> - 4.0.3-4
- rebuild due to "jpeg8-ABI" feature drop
* Wed Dec 19 2012 Tom Lane <tgl@redhat.com> 4.0.3-3
- Add upstream patch to avoid bogus self-test failure with libjpeg-turbo v8
* Thu Dec 13 2012 Tom Lane <tgl@redhat.com> 4.0.3-2
- Add upstream patches for CVE-2012-4447, CVE-2012-4564
(note: CVE-2012-5581 is already fixed in 4.0.3)
Resolves: #880907
* Thu Oct 4 2012 Tom Lane <tgl@redhat.com> 4.0.3-1
- Update to libtiff 4.0.3
* Fri Aug 3 2012 Tom Lane <tgl@redhat.com> 4.0.2-6
- Remove compat subpackage; no longer needed
- Minor specfile cleanup per suggestions from Tom Callaway
Related: #845110
* Thu Aug 2 2012 Tom Lane <tgl@redhat.com> 4.0.2-5
- Add accessor functions for opaque type TIFFField (backport of not-yet-released
upstream feature addition; needed to fix freeimage)
* Sun Jul 22 2012 Tom Lane <tgl@redhat.com> 4.0.2-4
- Add patches for CVE-2012-3401
Resolves: #841736
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Tue Jul 03 2012 Karsten Hopp <karsten@redhat.com> 4.0.2-2
- add opensuse bigendian patch to fix raw_decode self check failure on ppc*, s390*
* Thu Jun 28 2012 Tom Lane <tgl@redhat.com> 4.0.2-1
- Update to libtiff 4.0.2, includes fix for CVE-2012-2113
(note that CVE-2012-2088 does not apply to 4.0.x)
- Update libtiff-compat to 3.9.6 and add patches to it for
CVE-2012-2088, CVE-2012-2113
Resolves: #832866
* Fri Jun 1 2012 Tom Lane <tgl@redhat.com> 4.0.1-2
- Enable JBIG support
Resolves: #826240
* Sun May 6 2012 Tom Lane <tgl@redhat.com> 4.0.1-1
- Update to libtiff 4.0.1, adds BigTIFF support and other features;
library soname is bumped from libtiff.so.3 to libtiff.so.5
Resolves: #782383
- Temporarily package 3.9.5 shared library (only) in libtiff-compat subpackage
so that dependent packages won't be broken while rebuilding proceeds
* Thu Apr 5 2012 Tom Lane <tgl@redhat.com> 3.9.5-3
- Add fix for CVE-2012-1173
Resolves: #CVE-2012-1173
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Apr 12 2011 Tom Lane <tgl@redhat.com> 3.9.5-1
- Update to libtiff 3.9.5, incorporating all our previous patches plus other
fixes, notably the fix for CVE-2009-5022
Related: #695885
* Mon Mar 21 2011 Tom Lane <tgl@redhat.com> 3.9.4-4
- Fix incorrect fix for CVE-2011-0192
Resolves: #684007
Related: #688825
- Add fix for CVE-2011-1167
Resolves: #689574
* Wed Mar 2 2011 Tom Lane <tgl@redhat.com> 3.9.4-3
- Add patch for CVE-2011-0192
Resolves: #681672
- Fix non-security-critical potential SIGSEGV in gif2tiff
Related: #648820
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Jun 22 2010 Tom Lane <tgl@redhat.com> 3.9.4-1
- Update to libtiff 3.9.4, for numerous bug fixes including fixes for
CVE-2010-1411, CVE-2010-2065, CVE-2010-2067
Resolves: #554371
Related: #460653, #588784, #601274, #599576, #592361, #603024
- Add fixes for multiple SIGSEGV problems
Resolves: #583081
Related: #603081, #603699, #603703
* Tue Jan 5 2010 Tom Lane <tgl@redhat.com> 3.9.2-3
- Apply Adam Goode's fix for Warmerdam's fix
Resolves: #552360
Resolves: #533353
- Add some defenses to prevent tiffcmp from crashing on downsampled JPEG
images; this isn't enough to make it really work correctly though
Related: #460322
* Wed Dec 16 2009 Tom Lane <tgl@redhat.com> 3.9.2-2
- Apply Warmerdam's partial fix for bug #460322 ... better than nothing.
Related: #460322
* Thu Dec 3 2009 Tom Lane <tgl@redhat.com> 3.9.2-1
- Update to libtiff 3.9.2; stop carrying a lot of old patches
Resolves: #520734
- Split command-line tools into libtiff-tools subpackage
Resolves: #515170
- Use build system's libtool instead of what package contains;
among other cleanup this gets rid of unwanted rpath specs in executables
Related: #226049
* Thu Oct 15 2009 Tom Lane <tgl@redhat.com> 3.8.2-16
- add sparc/sparc64 to multilib header support
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8.2-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Jul 13 2009 Tom Lane <tgl@redhat.com> 3.8.2-14
- Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347)
Related: #510041
* Wed Jul 1 2009 Tom Lane <tgl@redhat.com> 3.8.2-13
- Fix some more LZW decoding vulnerabilities (CVE-2009-2285)
Related: #507465
- Update upstream URL
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8.2-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Tue Aug 26 2008 Tom Lane <tgl@redhat.com> 3.8.2-11
- Fix LZW decoding vulnerabilities (CVE-2008-2327)
Related: #458674
- Use -fno-strict-aliasing per rpmdiff recommendation
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 3.8.2-10
- Autorebuild for GCC 4.3
* Wed Aug 22 2007 Tom Lane <tgl@redhat.com> 3.8.2-9
- Update License tag
- Rebuild to fix Fedora toolchain issues
* Thu Jul 19 2007 Tom Lane <tgl@redhat.com> 3.8.2-8
- Restore static library to distribution, in a separate -static subpackage
Resolves: #219905
- Don't apply multilib header hack to unrecognized architectures
Resolves: #233091
- Remove documentation for programs we don't ship
Resolves: #205079
Related: #185145
* Tue Jan 16 2007 Tom Lane <tgl@redhat.com> 3.8.2-7
- Remove Makefiles from the shipped /usr/share/doc/html directories
Resolves: bz #222729
* Tue Sep 5 2006 Jindrich Novy <jnovy@redhat.com> - 3.8.2-6
- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362)
- fix typo in man page for tiffset (#186297)
- use %%{?dist}
* Mon Jul 24 2006 Matthias Clasen <mclasen@redhat.com>
- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461
CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.8.2-4.1
- rebuild
* Fri Jun 2 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-3
- Fix multilib conflict
* Thu May 25 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-3
- Fix overflows in tiffsplit
* Wed Apr 26 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-2
- Drop tiffgt to get rid of the libGL dependency (#190768)
* Wed Apr 26 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-1
- Update to 3.8.2
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.7.4-3.2.1
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.7.4-3.2
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Wed Nov 16 2005 Matthias Clasen <mclasen@redhat.com> 3.7.4-3
- Don't ship static libs
* Fri Nov 11 2005 Matthias Saou <http://freshrpms.net/> 3.7.4-2
- Remove useless explicit dependencies.
- Minor spec file cleanups.
- Move make check to %%check.
- Add _smp_mflags.
* Thu Sep 29 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.4-1
- Update to 3.7.4
- Drop upstreamed patches
* Wed Jun 29 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.2-1
- Update to 3.7.2
- Drop upstreamed patches
* Fri May 6 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-6
- Fix a stack overflow
* Wed Mar 2 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-5
- Don't use mktemp
* Wed Mar 2 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-4
- Rebuild with gcc4
* Wed Jan 5 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-3
- Drop the largefile patch again
- Fix a problem with the handling of alpha channels
- Fix an integer overflow in tiffdump (#143576)
* Wed Dec 22 2004 Matthias Clasen <mclasen@redhat.com> - 3.7.1-2
- Readd the largefile patch (#143560)
* Wed Dec 22 2004 Matthias Clasen <mclasen@redhat.com> - 3.7.1-1
- Upgrade to 3.7.1
- Remove upstreamed patches
- Remove specfile cruft
- make check
* Thu Oct 14 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-7
- fix some integer and buffer overflows (#134853, #134848)
* Tue Oct 12 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-6
- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483
* Mon Sep 27 2004 Rik van Riel <riel@redhat.com> 3.6.1-4
- compile using RPM_OPT_FLAGS (bz #133650)
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Thu May 20 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-2
- Fix and use the makeflags patch
* Wed May 19 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-1
- Upgrade to 3.6.1
- Adjust patches
- Don't install tiffgt man page (#104864)
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Sat Feb 21 2004 Florian La Roche <Florian.LaRoche@redhat.de>
- really add symlink to shared lib by running ldconfig at compile time
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Thu Oct 09 2003 Florian La Roche <Florian.LaRoche@redhat.de>
- link shared lib against -lm (Jakub Jelinek)
* Thu Sep 25 2003 Jeremy Katz <katzj@redhat.com> 3.5.7-13
- rebuild to fix gzipped file md5sum (#91281)
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Tue Feb 11 2003 Phil Knirsch <pknirsch@redhat.com> 3.5.7-11
- Fixed rebuild problems.
* Tue Feb 04 2003 Florian La Roche <Florian.LaRoche@redhat.de>
- add symlink to shared lib
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
- rebuilt
* Thu Dec 12 2002 Tim Powers <timp@redhat.com> 3.5.7-8
- rebuild on all arches
* Mon Aug 19 2002 Phil Knirsch <pknirsch@redhat.com> 3.5.7-7
- Added LFS support (#71593)
* Tue Jun 25 2002 Phil Knirsch <pknirsch@redhat.com> 3.5.7-6
- Fixed wrong exit code of tiffcp app (#67240)
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Thu May 23 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Wed May 15 2002 Phil Knirsch <pknirsch@redhat.com>
- Fixed segfault in fax2tiff tool (#64708).
* Mon Feb 25 2002 Phil Knirsch <pknirsch@redhat.com>
- Fixed problem with newer bash versions setting CDPATH (#59741)
* Tue Feb 19 2002 Phil Knirsch <pknirsch@redhat.com>
- Update to current release 3.5.7
* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Tue Aug 28 2001 Phil Knirsch <phil@redhat.de>
- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x
and ia64 were missing (#52129).
* Tue Jun 26 2001 Philipp Knirsch <pknirsch@redhat.de>
- Hopefully final symlink fix
* Thu Jun 21 2001 Than Ngo <than@redhat.com>
- add missing libtiff symlink
* Fri Mar 16 2001 Crutcher Dunnavant <crutcher@redhat.com>
- killed tiff-to-ps.fpi filter
* Wed Feb 28 2001 Philipp Knirsch <pknirsch@redhat.de>
- Fixed missing devel version dependancy.
* Tue Dec 19 2000 Philipp Knirsch <pknirsch@redhat.de>
- rebuild
* Mon Aug 7 2000 Crutcher Dunnavant <crutcher@redhat.com>
- added a tiff-to-ps.fpi filter for printing
* Thu Jul 13 2000 Prospector <bugzilla@redhat.com>
- automatic rebuild
* Thu Jul 13 2000 Nalin Dahyabhai <nalin@redhat.com>
- apply Peter Skarpetis's fix for the 32-bit conversion
* Mon Jul 3 2000 Nalin Dahyabhai <nalin@redhat.com>
- make man pages non-executable (#12811)
* Mon Jun 12 2000 Nalin Dahyabhai <nalin@redhat.com>
- remove CVS repo info from data directories
* Thu May 18 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix build rooting
- fix syntax error in configure script
- move man pages to {_mandir}
* Wed May 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- rebuild for an errata release
* Wed Mar 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix
* Tue Mar 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix fax2ps swapping height and width in the bounding box
* Mon Mar 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- move man pages from devel package to the regular one
- integrate Frank Warmerdam's fixed .fax handling code (keep until next release
of libtiff)
- fix fax2ps breakage (bug #8345)
* Sat Feb 05 2000 Nalin Dahyabhai <nalin@redhat.com>
- set MANDIR=man3 to make multifunction man pages friendlier
* Mon Jan 31 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix URLs
* Fri Jan 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- link shared library against libjpeg and libz
* Tue Jan 18 2000 Nalin Dahyabhai <nalin@redhat.com>
- enable zip and jpeg codecs
- change defattr in normal package to 0755
- add defattr to -devel package
* Wed Dec 22 1999 Bill Nottingham <notting@redhat.com>
- update to 3.5.4
* Sun Mar 21 1999 Cristian Gafton <gafton@redhat.com>
- auto rebuild in the new build environment (release 6)
* Wed Jan 13 1999 Cristian Gafton <gafton@redhat.com>
- build for glibc 2.1
* Wed Jun 10 1998 Prospector System <bugs@redhat.com>
- translations modified for de
* Wed Jun 10 1998 Michael Fulbright <msf@redhat.com>
- rebuilt against fixed jpeg libs (libjpeg-6b)
* Thu May 07 1998 Prospector System <bugs@redhat.com>
- translations modified for de, fr, tr
* Mon Oct 13 1997 Donnie Barnes <djb@redhat.com>
- new version to replace the one from libgr
- patched for glibc
- added shlib support
Write Preview
Loading…
Cancel
Save