rpms
/
mingw-libtiff
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- initial devel branch CVS import

Browse Source
epel9
plouj 16 years ago
parent fe91584aba
commit 4f3032ef6e
8 changed files with 1122 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.cvsignore
Unescape View File

@ -0,0 +1 @@
tiff-3.8.2.tar.gz

1
import.log
Unescape View File

@ -0,0 +1 @@
mingw32-libtiff-3_8_2-15_fc10:HEAD:mingw32-libtiff-3.8.2-15.fc10.src.rpm:1244499917

11
libtiff-3.8.2-CVE-2006-2193.patch
Unescape View File

@ -0,0 +1,11 @@
--- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100
+++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200
@@ -3668,7 +3668,7 @@
written += TIFFWriteFile(output, (tdata_t) "(", 1);
for (i=0;i<len;i++){
if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
- sprintf(buffer, "\\%.3o", pdfstr[i]);
+ snprintf(buffer, sizeof(buffer), "\\%.3o", (unsigned char) pdfstr[i]);
written += TIFFWriteFile(output, (tdata_t) buffer, 4);
} else {
switch (pdfstr[i]){

58
libtiff-3.8.2-lzw-bugs.patch
Unescape View File

@ -0,0 +1,58 @@
Fixes for CVE-2008-2327
diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c
--- tiff-3.8.2.orig/libtiff/tif_lzw.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_lzw.c 2008-08-22 16:26:01.000000000 -0400
@@ -237,6 +237,11 @@
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
+ /*
+ * Zero-out the unused entries
+ */
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
}
return (1);
}
@@ -408,12 +413,19 @@
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask-1;
NextCode(tif, sp, bp, code, GetNextCode);
if (code == CODE_EOI)
break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = (char)code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
@@ -604,12 +616,19 @@
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
NextCode(tif, sp, bp, code, GetNextCodeCompat);
if (code == CODE_EOI)
break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecodeCompat: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = code, occ--;
oldcodep = sp->dec_codetab + code;
continue;

669
libtiff-3.8.2-ormandy.patch
Unescape View File

@ -0,0 +1,669 @@
diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
@@ -122,6 +122,7 @@
{
static const char module[] = "_TIFFVSetField";
+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
@@ -195,10 +196,12 @@
break;
case TIFFTAG_ORIENTATION:
v = va_arg(ap, uint32);
+ const TIFFFieldInfo* fip;
if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+ fip = _TIFFFieldWithTag(tif, tag);
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"Bad value %lu for \"%s\" tag ignored",
- v, _TIFFFieldWithTag(tif, tag)->field_name);
+ v, fip ? fip->field_name : "Unknown");
} else
td->td_orientation = (uint16) v;
break;
@@ -387,11 +390,15 @@
* happens, for example, when tiffcp is used to convert between
* compression schemes and codec-specific tags are blindly copied.
*/
+ /*
+ * better not dereference fip if it is NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
status = 0;
break;
}
@@ -468,7 +475,7 @@
if (fip->field_type == TIFF_ASCII)
_TIFFsetString((char **)&tv->value, va_arg(ap, char *));
else {
- tv->value = _TIFFmalloc(tv_size * tv->count);
+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
if (!tv->value) {
status = 0;
goto end;
@@ -563,7 +570,7 @@
}
}
if (status) {
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+ TIFFSetFieldBit(tif, fip->field_bit);
tif->tif_flags |= TIFF_DIRTYDIRECT;
}
@@ -572,12 +579,12 @@
return (status);
badvalue:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
badvalue32:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
}
@@ -813,12 +820,16 @@
* If the client tries to get a tag that is not valid
* for the image's codec then we'll arrive here.
*/
+ /*
+ * dont dereference fip if it's NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
{
TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
ret_val = 0;
break;
}
diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
@@ -775,7 +775,8 @@
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
"Internal error, unknown tag 0x%x",
(unsigned int) tag);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
@@ -789,7 +790,8 @@
if (!fip) {
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
"Internal error, unknown tag %s", field_name);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
@@ -29,6 +29,9 @@
*
* Directory Read Support Routines.
*/
+
+#include <limits.h>
+
#include "tiffiop.h"
#define IGNORE 0 /* tag placeholder used below */
@@ -81,6 +84,7 @@
uint16 dircount;
toff_t nextdiroff;
int diroutoforderwarning = 0;
+ int compressionknown = 0;
toff_t* new_dirlist;
tif->tif_diroff = tif->tif_nextdiroff;
@@ -147,13 +151,20 @@
} else {
toff_t off = tif->tif_diroff;
- if (off + sizeof (uint16) > tif->tif_size) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Can not read TIFF directory count",
- tif->tif_name);
- return (0);
+ /*
+ * Check for integer overflow when validating the dir_off, otherwise
+ * a very high offset may cause an OOB read and crash the client.
+ * -- taviso@google.com, 14 Jun 2006.
+ */
+ if (off + sizeof (uint16) > tif->tif_size ||
+ off > (UINT_MAX - sizeof(uint16))) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Can not read TIFF directory count",
+ tif->tif_name);
+ return (0);
} else
- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
+ _TIFFmemcpy(&dircount, tif->tif_base + off,
+ sizeof (uint16));
off += sizeof (uint16);
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabShort(&dircount);
@@ -254,6 +265,7 @@
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
+
if (fix >= tif->tif_nfields ||
tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
@@ -264,17 +276,23 @@
dp->tdir_tag,
dp->tdir_tag,
dp->tdir_type);
-
- TIFFMergeFieldInfo(tif,
- _TIFFCreateAnonFieldInfo(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1 );
+ /*
+ * creating anonymous fields prior to knowing the compression
+ * algorithm (ie, when the field info has been merged) could cause
+ * crashes with pathological directories.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (compressionknown)
+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
+ (TIFFDataType) dp->tdir_type), 1 );
+ else goto ignore;
+
fix = 0;
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
}
+
/*
* Null out old tags that we ignore.
*/
@@ -326,6 +344,7 @@
dp->tdir_type, dp->tdir_offset);
if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
goto bad;
+ else compressionknown++;
break;
/* XXX: workaround for broken TIFFs */
} else if (dp->tdir_type == TIFF_LONG) {
@@ -540,6 +559,7 @@
* Attempt to deal with a missing StripByteCounts tag.
*/
if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* Some manufacturers violate the spec by not giving
* the size of the strips. In this case, assume there
@@ -556,7 +576,7 @@
"%s: TIFF directory is missing required "
"\"%s\" field, calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
/*
@@ -580,6 +600,7 @@
} else if (td->td_nstrips == 1
&& td->td_stripoffset[0] != 0
&& BYTECOUNTLOOKSBAD) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Plexus (and others) sometimes give a value of zero for
* a tag when they don't know what the correct value is! Try
@@ -589,13 +610,14 @@
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if(EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
&& td->td_nstrips > 2
&& td->td_compression == COMPRESSION_NONE
&& td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Some vendors fill StripByteCount array with absolutely
* wrong values (it can be equal to StripOffset array, for
@@ -604,7 +626,7 @@
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
}
@@ -870,7 +892,13 @@
register TIFFDirEntry *dp;
register TIFFDirectory *td = &tif->tif_dir;
- uint16 i;
+
+ /* i is used to iterate over td->td_nstrips, so must be
+ * at least the same width.
+ * -- taviso@google.com 15 Jun 2006
+ */
+
+ uint32 i;
if (td->td_stripbytecount)
_TIFFfree(td->td_stripbytecount);
@@ -947,16 +975,18 @@
static int
CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
{
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+
if (count > dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (0);
} else if (count < dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (1);
}
@@ -970,6 +1000,7 @@
TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
{
int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
tsize_t cc = dir->tdir_count * w;
/* Check for overflow. */
@@ -1013,7 +1044,7 @@
bad:
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Error fetching data for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
return (tsize_t) 0;
}
@@ -1039,10 +1070,12 @@
static int
cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
{
+ const TIFFFieldInfo* fip;
if (denom == 0) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"%s: Rational with zero denominator (num = %lu)",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
+ fip ? fip->field_name : "Unknown", num);
return (0);
} else {
if (dir->tdir_type == TIFF_RATIONAL)
@@ -1159,6 +1192,20 @@
static int
TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
{
+ /*
+ * Prevent overflowing the v stack arrays below by performing a sanity
+ * check on tdir_count, this should never be greater than two.
+ * -- taviso@google.com 14 Jun 2006.
+ */
+ if (dir->tdir_count > 2) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
+ fip ? fip->field_name : "Unknown",
+ dir->tdir_count);
+ return 0;
+ }
+
switch (dir->tdir_type) {
case TIFF_BYTE:
case TIFF_SBYTE:
@@ -1329,14 +1376,15 @@
case TIFF_DOUBLE:
return (TIFFFetchDoubleArray(tif, dir, (double*) v));
default:
+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
/* TIFF_NOTYPE */
/* TIFF_ASCII */
/* TIFF_UNDEFINED */
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"cannot read TIFF_ANY type %d for field \"%s\"",
dir->tdir_type,
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
- return (0);
+ fip ? fip->field_name : "Unknown");
+ return (0); }
}
return (1);
}
@@ -1351,6 +1399,9 @@
int ok = 0;
const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ if (fip == NULL) {
+ return (0);
+ }
if (dp->tdir_count > 1) { /* array of values */
char* cp = NULL;
@@ -1493,6 +1544,7 @@
TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1510,9 +1562,10 @@
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1534,6 +1587,7 @@
TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1551,9 +1605,10 @@
check_count = samples;
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1574,6 +1629,7 @@
TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1591,9 +1647,10 @@
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
@@ -1136,6 +1136,7 @@
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
{
Fax3BaseState* sp = Fax3State(tif);
+ const TIFFFieldInfo* fip;
assert(sp != 0);
assert(sp->vsetparent != 0);
@@ -1181,7 +1182,13 @@
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
@@ -722,15 +722,31 @@
segment_width = TIFFhowmany(segment_width, sp->h_sampling);
segment_height = TIFFhowmany(segment_height, sp->v_sampling);
}
- if (sp->cinfo.d.image_width != segment_width ||
- sp->cinfo.d.image_height != segment_height) {
+ if (sp->cinfo.d.image_width < segment_width ||
+ sp->cinfo.d.image_height < segment_height) {
TIFFWarningExt(tif->tif_clientdata, module,
"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
segment_width,
segment_height,
sp->cinfo.d.image_width,
sp->cinfo.d.image_height);
+ }
+
+ if (sp->cinfo.d.image_width > segment_width ||
+ sp->cinfo.d.image_height > segment_height) {
+ /*
+ * This case could be dangerous, if the strip or tile size has been
+ * reported as less than the amount of data jpeg will return, some
+ * potential security issues arise. Catch this case and error out.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "JPEG strip/tile size exceeds expected dimensions,"
+ "expected %dx%d, got %dx%d", segment_width, segment_height,
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ return (0);
}
+
if (sp->cinfo.d.num_components !=
(td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1)) {
@@ -761,6 +777,22 @@
sp->cinfo.d.comp_info[0].v_samp_factor,
sp->h_sampling, sp->v_sampling);
+ /*
+ * There are potential security issues here for decoders that
+ * have already allocated buffers based on the expected sampling
+ * factors. Lets check the sampling factors dont exceed what
+ * we were expecting.
+ * -- taviso@google.com 14 June 2006
+ */
+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot honour JPEG sampling factors that"
+ " exceed those specified.");
+ return (0);
+ }
+
+
/*
* XXX: Files written by the Intergraph software
* has different sampling factors stored in the
@@ -1521,15 +1553,18 @@
{
JPEGState *sp = JState(tif);
- assert(sp != 0);
+ /* assert(sp != 0); */
tif->tif_tagmethods.vgetfield = sp->vgetparent;
tif->tif_tagmethods.vsetfield = sp->vsetparent;
- if( sp->cinfo_initialized )
- TIFFjpeg_destroy(sp); /* release libjpeg resources */
- if (sp->jpegtables) /* tag value */
- _TIFFfree(sp->jpegtables);
+ if (sp != NULL) {
+ if( sp->cinfo_initialized )
+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
+ if (sp->jpegtables) /* tag value */
+ _TIFFfree(sp->jpegtables);
+ }
+
_TIFFfree(tif->tif_data); /* release local state */
tif->tif_data = NULL;
@@ -1541,6 +1576,7 @@
{
JPEGState* sp = JState(tif);
TIFFDirectory* td = &tif->tif_dir;
+ const TIFFFieldInfo* fip;
uint32 v32;
assert(sp != NULL);
@@ -1606,7 +1642,13 @@
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
@@ -1726,7 +1768,11 @@
{
JPEGState* sp = JState(tif);
- assert(sp != NULL);
+ /* assert(sp != NULL); */
+ if (sp == NULL) {
+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
+ return;
+ }
(void) flags;
if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
@@ -105,11 +105,16 @@
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso@google.com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < imagewidth)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
@@ -768,7 +768,19 @@
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
- for (i = 0; i < nsamples; i += llen, up += llen) {
+ /*
+ * if llen is not an exact multiple of nsamples, the decode operation
+ * may overflow the output buffer, so truncate it enough to prevent that
+ * but still salvage as much data as possible.
+ * -- taviso@google.com 14th June 2006
+ */
+ if (nsamples % llen)
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: stride %lu is not a multiple of sample count, "
+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
+
+
+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalAccumulateF(up, llen, sp->stride,
diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
@@ -31,6 +31,8 @@
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
+
int TIFFFillStrip(TIFF*, tstrip_t);
int TIFFFillTile(TIFF*, ttile_t);
static int TIFFStartStrip(TIFF*, tstrip_t);
@@ -272,7 +274,13 @@
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+ /*
+ * This sanity check could potentially overflow, causing an OOB read.
+ * verify that offset + bytecount is > offset.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
/*
* This error message might seem strange, but it's
* what would happen if a read were done instead.
@@ -470,7 +478,13 @@
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+ /*
+ * We must check this calculation doesnt overflow, potentially
+ * causing an OOB read.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
tif->tif_curtile = NOTILE;
return (0);
}

359
mingw32-libtiff.spec
Unescape View File

@ -0,0 +1,359 @@
%global __strip %{_mingw32_strip}
%global __objdump %{_mingw32_objdump}
%global _use_internal_dependency_generator 0
%global __find_requires %{_mingw32_findrequires}
%global __find_provides %{_mingw32_findprovides}
Summary: MinGW Windows port of the LibTIFF library
Name: mingw32-libtiff
Version: 3.8.2
Release: 15%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.libtiff.org/
Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
Patch0: tiffsplit-overflow.patch
Patch1: libtiff-3.8.2-ormandy.patch
Patch2: libtiff-3.8.2-CVE-2006-2193.patch
Patch4: libtiff-3.8.2-lzw-bugs.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: mingw32-zlib mingw32-libjpeg
BuildRequires: mingw32-filesystem >= 35
BuildRequires: mingw32-gcc
BuildRequires: mingw32-binutils
%description
The libtiff package contains a library of functions for manipulating
TIFF (Tagged Image File Format) image format files. TIFF is a widely
used file format for bitmapped images. TIFF files usually end in the
.tif extension and they are often quite large.
The libtiff package should be installed if you need to manipulate TIFF
format image files.
%prep
%setup -q -n tiff-%{version}
# Patches from the native Fedora package:
%patch0 -p1 -b .overflow
%patch1 -p1 -b .ormandy
%patch2 -p1 -b .CVE-2006-2193
%patch4 -p1
%build
export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing"
%{_mingw32_configure} --disable-static
make %{?_smp_mflags}
%install
rm -rf $RPM_BUILD_ROOT
make DESTDIR=$RPM_BUILD_ROOT install
# remove docs
rm -rf $RPM_BUILD_ROOT%{_mingw32_datadir}/doc
rm -rf $RPM_BUILD_ROOT%{_mingw32_mandir}
# remove binaries
rm -f $RPM_BUILD_ROOT%{_mingw32_bindir}/*.exe
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root,-)
%doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog
%{_mingw32_bindir}/libtiff-3.dll
%{_mingw32_bindir}/libtiffxx-3.dll
%{_mingw32_includedir}/*
%{_mingw32_libdir}/libtiff.dll.a
%{_mingw32_libdir}/libtiffxx.dll.a
%{_mingw32_libdir}/libtiff.la
%{_mingw32_libdir}/libtiffxx.la
%changelog
* Fri Jun 5 2009 Michael Ploujnikov <ploujj@gmail.com> - 3.8.2-15
- replace %%define with %%global as per Fedora packaging guidelines
* Wed Jun 3 2009 Michael Ploujnikov <ploujj@gmail.com> - 3.8.2-14
- cleanup based on initial review and help from Adam Goode:
- removed LIBVER define
- exported proper mingw32 cflags
- removed make check
- removed executables
- removed multilib stuff (irrelevant for mingw32)
- fixed defattr
- added .la files back in
* Sun Mar 22 2009 Michael Ploujnikov <ploujj@gmail.com> - 3.8.2-13
- Initial mingw32 build
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8.2-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Tue Aug 26 2008 Tom Lane <tgl@redhat.com> 3.8.2-11
- Fix LZW decoding vulnerabilities (CVE-2008-2327)
Related: #458674
- Use -fno-strict-aliasing per rpmdiff recommendation
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 3.8.2-10
- Autorebuild for GCC 4.3
* Wed Aug 22 2007 Tom Lane <tgl@redhat.com> 3.8.2-9
- Update License tag
- Rebuild to fix Fedora toolchain issues
* Thu Jul 19 2007 Tom Lane <tgl@redhat.com> 3.8.2-8
- Restore static library to distribution, in a separate -static subpackage
Resolves: #219905
- Don't apply multilib header hack to unrecognized architectures
Resolves: #233091
- Remove documentation for programs we don't ship
Resolves: #205079
Related: #185145
* Tue Jan 16 2007 Tom Lane <tgl@redhat.com> 3.8.2-7
- Remove Makefiles from the shipped /usr/share/doc/html directories
Resolves: bz #222729
* Tue Sep 5 2006 Jindrich Novy <jnovy@redhat.com> - 3.8.2-6
- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362)
- fix typo in man page for tiffset (#186297)
- use %%{?dist}
* Mon Jul 24 2006 Matthias Clasen <mclasen@redhat.com>
- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461
CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.8.2-4.1
- rebuild
* Fri Jun 2 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-3
- Fix multilib conflict
* Thu May 25 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-3
- Fix overflows in tiffsplit
* Wed Apr 26 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-2
- Drop tiffgt to get rid of the libGL dependency (#190768)
* Wed Apr 26 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-1
- Update to 3.8.2
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.7.4-3.2.1
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.7.4-3.2
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Wed Nov 16 2005 Matthias Clasen <mclasen@redhat.com> 3.7.4-3
- Don't ship static libs
* Fri Nov 11 2005 Matthias Saou <http://freshrpms.net/> 3.7.4-2
- Remove useless explicit dependencies.
- Minor spec file cleanups.
- Move make check to %%check.
- Add _smp_mflags.
* Thu Sep 29 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.4-1
- Update to 3.7.4
- Drop upstreamed patches
* Wed Jun 29 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.2-1
- Update to 3.7.2
- Drop upstreamed patches
* Fri May 6 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-6
- Fix a stack overflow
* Wed Mar 2 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-5
- Don't use mktemp
* Wed Mar 2 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-4
- Rebuild with gcc4
* Wed Jan 5 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-3
- Drop the largefile patch again
- Fix a problem with the handling of alpha channels
- Fix an integer overflow in tiffdump (#143576)
* Wed Dec 22 2004 Matthias Clasen <mclasen@redhat.com> - 3.7.1-2
- Readd the largefile patch (#143560)
* Wed Dec 22 2004 Matthias Clasen <mclasen@redhat.com> - 3.7.1-1
- Upgrade to 3.7.1
- Remove upstreamed patches
- Remove specfile cruft
- make check
* Thu Oct 14 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-7
- fix some integer and buffer overflows (#134853, #134848)
* Tue Oct 12 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-6
- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483
* Mon Sep 27 2004 Rik van Riel <riel@redhat.com> 3.6.1-4
- compile using RPM_OPT_FLAGS (bz #133650)
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Thu May 20 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-2
- Fix and use the makeflags patch
* Wed May 19 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-1
- Upgrade to 3.6.1
- Adjust patches
- Don't install tiffgt man page (#104864)
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Sat Feb 21 2004 Florian La Roche <Florian.LaRoche@redhat.de>
- really add symlink to shared lib by running ldconfig at compile time
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Thu Oct 09 2003 Florian La Roche <Florian.LaRoche@redhat.de>
- link shared lib against -lm (Jakub Jelinek)
* Thu Sep 25 2003 Jeremy Katz <katzj@redhat.com> 3.5.7-13
- rebuild to fix gzipped file md5sum (#91281)
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Tue Feb 11 2003 Phil Knirsch <pknirsch@redhat.com> 3.5.7-11
- Fixed rebuild problems.
* Tue Feb 04 2003 Florian La Roche <Florian.LaRoche@redhat.de>
- add symlink to shared lib
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
- rebuilt
* Thu Dec 12 2002 Tim Powers <timp@redhat.com> 3.5.7-8
- rebuild on all arches
* Mon Aug 19 2002 Phil Knirsch <pknirsch@redhat.com> 3.5.7-7
- Added LFS support (#71593)
* Tue Jun 25 2002 Phil Knirsch <pknirsch@redhat.com> 3.5.7-6
- Fixed wrong exit code of tiffcp app (#67240)
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Thu May 23 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Wed May 15 2002 Phil Knirsch <pknirsch@redhat.com>
- Fixed segfault in fax2tiff tool (#64708).
* Mon Feb 25 2002 Phil Knirsch <pknirsch@redhat.com>
- Fixed problem with newer bash versions setting CDPATH (#59741)
* Tue Feb 19 2002 Phil Knirsch <pknirsch@redhat.com>
- Update to current release 3.5.7
* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Tue Aug 28 2001 Phil Knirsch <phil@redhat.de>
- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x
and ia64 were missing (#52129).
* Tue Jun 26 2001 Philipp Knirsch <pknirsch@redhat.de>
- Hopefully final symlink fix
* Thu Jun 21 2001 Than Ngo <than@redhat.com>
- add missing libtiff symlink
* Fri Mar 16 2001 Crutcher Dunnavant <crutcher@redhat.com>
- killed tiff-to-ps.fpi filter
* Wed Feb 28 2001 Philipp Knirsch <pknirsch@redhat.de>
- Fixed missing devel version dependancy.
* Tue Dec 19 2000 Philipp Knirsch <pknirsch@redhat.de>
- rebuild
* Tue Aug 7 2000 Crutcher Dunnavant <crutcher@redhat.com>
- added a tiff-to-ps.fpi filter for printing
* Thu Jul 13 2000 Prospector <bugzilla@redhat.com>
- automatic rebuild
* Thu Jul 13 2000 Nalin Dahyabhai <nalin@redhat.com>
- apply Peter Skarpetis's fix for the 32-bit conversion
* Mon Jul 3 2000 Nalin Dahyabhai <nalin@redhat.com>
- make man pages non-executable (#12811)
* Mon Jun 12 2000 Nalin Dahyabhai <nalin@redhat.com>
- remove CVS repo info from data directories
* Thu May 18 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix build rooting
- fix syntax error in configure script
- move man pages to {_mandir}
* Wed May 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- rebuild for an errata release
* Wed Mar 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix
* Tue Mar 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix fax2ps swapping height and width in the bounding box
* Mon Mar 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- move man pages from devel package to the regular one
- integrate Frank Warmerdam's fixed .fax handling code (keep until next release
of libtiff)
- fix fax2ps breakage (bug #8345)
* Sat Feb 05 2000 Nalin Dahyabhai <nalin@redhat.com>
- set MANDIR=man3 to make multifunction man pages friendlier
* Mon Jan 31 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix URLs
* Fri Jan 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- link shared library against libjpeg and libz
* Tue Jan 18 2000 Nalin Dahyabhai <nalin@redhat.com>
- enable zip and jpeg codecs
- change defattr in normal package to 0755
- add defattr to -devel package
* Wed Dec 22 1999 Bill Nottingham <notting@redhat.com>
- update to 3.5.4
* Sun Mar 21 1999 Cristian Gafton <gafton@redhat.com>
- auto rebuild in the new build environment (release 6)
* Wed Jan 13 1999 Cristian Gafton <gafton@redhat.com>
- build for glibc 2.1
* Wed Jun 10 1998 Prospector System <bugs@redhat.com>
- translations modified for de
* Wed Jun 10 1998 Michael Fulbright <msf@redhat.com>
- rebuilt against fixed jpeg libs (libjpeg-6b)
* Thu May 07 1998 Prospector System <bugs@redhat.com>
- translations modified for de, fr, tr
* Mon Oct 13 1997 Donnie Barnes <djb@redhat.com>
- new version to replace the one from libgr
- patched for glibc
- added shlib support

1
sources
Unescape View File

@ -0,0 +1 @@
fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz

22
tiffsplit-overflow.patch
Unescape View File

@ -0,0 +1,22 @@
--- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000 -0400
+++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400
@@ -60,14 +60,16 @@
fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n");
return (-3);
}
- if (argc > 2)
- strcpy(fname, argv[2]);
+ if (argc > 2) {
+ strncpy(fname, argv[2], 1024);
+ fname[1024] = '\0';
+ }
in = TIFFOpen(argv[1], "r");
if (in != NULL) {
do {
char path[1024+1];
newfilename();
- strcpy(path, fname);
+ strncpy(path, fname, 1020);
strcat(path, ".tif");
out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
if (out == NULL)
Write Preview
Loading…
Cancel
Save