diff --git a/.gitignore b/.gitignore
index 37e1552..7992c78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 tiff-3.9.4.tar.gz
+/tiff-3.9.5.tar.gz
diff --git a/libtiff-3samples.patch b/libtiff-3samples.patch
deleted file mode 100644
index c305bd0..0000000
--- a/libtiff-3samples.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Patch for bug #603081: failure to guard against bogus SamplesPerPixel
-when converting a YCbCr image to RGB.
-
-This patch duplicates into PickContigCase() a safety check that already
-existed in PickSeparateCase().
-
-Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
-
-
-diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
---- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400
-@@ -2397,7 +2397,7 @@
- }
- break;
- case PHOTOMETRIC_YCBCR:
-- if (img->bitspersample == 8)
-+ if ((img->bitspersample==8) && (img->samplesperpixel==3))
- {
- if (initYCbCrConversion(img)!=0)
- {
diff --git a/libtiff-acversion.patch b/libtiff-acversion.patch
deleted file mode 100644
index fc3a136..0000000
--- a/libtiff-acversion.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-This patch is needed for building the package as of F-11. It can be
-dropped whenever autoconf 2.63 is no longer used on any live branch.
-
-
-diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac
---- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400
-+++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400
-@@ -24,7 +24,7 @@
-
- dnl Process this file with autoconf to produce a configure script.
-
--AC_PREREQ(2.64)
-+AC_PREREQ(2.63)
- AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff])
- AC_CONFIG_AUX_DIR(config)
- AC_CONFIG_MACRO_DIR(m4)
diff --git a/libtiff-checkbytecount.patch b/libtiff-checkbytecount.patch
deleted file mode 100644
index ecd8a9f..0000000
--- a/libtiff-checkbytecount.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
-missing strip byte counts too. Testing shows that tiffsplit.c has an issue
-too.
-
-Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
-
-
-diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
---- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
-+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400
-@@ -1920,6 +1920,10 @@
- sp->in_buffer_file_pos=0;
- else
- {
-+ if (sp->tif->tif_dir.td_stripbytecount == 0) {
-+ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
-+ return(0);
-+ }
- sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
- if (sp->in_buffer_file_togo==0)
- sp->in_buffer_file_pos=0;
-diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
---- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400
-+++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400
-@@ -237,7 +237,10 @@
- tstrip_t s, ns = TIFFNumberOfStrips(in);
- uint32 *bytecounts;
-
-- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
-+ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
-+ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
-+ return (0);
-+ }
- for (s = 0; s < ns; s++) {
- if (bytecounts[s] > (uint32)bufsize) {
- buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
-@@ -267,7 +270,10 @@
- ttile_t t, nt = TIFFNumberOfTiles(in);
- uint32 *bytecounts;
-
-- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
-+ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
-+ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
-+ return (0);
-+ }
- for (t = 0; t < nt; t++) {
- if (bytecounts[t] > (uint32) bufsize) {
- buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);
diff --git a/libtiff-getimage-64bit.patch b/libtiff-getimage-64bit.patch
deleted file mode 100644
index 2f3d68e..0000000
--- a/libtiff-getimage-64bit.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Fix misbehavior on 64-bit machines when trying to flip a downsampled image
-vertically: unsigned ints will be widened to 64 bits the wrong way.
-See RH bug #583081.
-
-Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207
-
-
-diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
---- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400
-@@ -1846,6 +1846,7 @@
- DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
- {
- uint32* cp2;
-+ int32 incr = 2*toskew+w;
- (void) y;
- fromskew = (fromskew / 2) * 6;
- cp2 = cp+w+toskew;
-@@ -1872,8 +1873,8 @@
- cp2 ++ ;
- pp += 6;
- }
-- cp += toskew*2+w;
-- cp2 += toskew*2+w;
-+ cp += incr;
-+ cp2 += incr;
- pp += fromskew;
- h-=2;
- }
-@@ -1939,6 +1940,7 @@
- DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
- {
- uint32* cp2;
-+ int32 incr = 2*toskew+w;
- (void) y;
- fromskew = (fromskew / 2) * 4;
- cp2 = cp+w+toskew;
-@@ -1953,8 +1955,8 @@
- cp2 ++;
- pp += 4;
- } while (--x);
-- cp += toskew*2+w;
-- cp2 += toskew*2+w;
-+ cp += incr;
-+ cp2 += incr;
- pp += fromskew;
- h-=2;
- }
diff --git a/libtiff-mantypo.patch b/libtiff-mantypo.patch
deleted file mode 100644
index c7e91b4..0000000
--- a/libtiff-mantypo.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Minor typo, reported upstream at
-http://bugzilla.maptools.org/show_bug.cgi?id=2129
-This patch should not be needed as of libtiff 4.0.
-
-
-diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1
---- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400
-+++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500
-@@ -60,7 +60,7 @@
- ``Anonymous'':
- .RS
- .nf
--tiffset \-s 305 Anonymous a.tif
-+tiffset \-s 315 Anonymous a.tif
- .fi
- .RE
- .PP
diff --git a/libtiff-scanlinesize.patch b/libtiff-scanlinesize.patch
deleted file mode 100644
index 57fe809..0000000
--- a/libtiff-scanlinesize.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Partial fix for issues filed upstream at
-http://bugzilla.maptools.org/show_bug.cgi?id=2140
-This stops the tiffcmp core dump noted in bug #460322, but isn't enough
-to make tiffcmp return the right answer (it emits a bunch of error
-messages instead).
-
-
-diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
---- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500
-@@ -988,8 +988,15 @@
- tsize_t nrows;
- (void) s;
-
-- /* data is expected to be read in multiples of a scanline */
-- if ( (nrows = sp->cinfo.d.image_height) ) {
-+ nrows = cc / sp->bytesperline;
-+ if (cc % sp->bytesperline)
-+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
-+
-+ if( nrows > (int) sp->cinfo.d.image_height )
-+ nrows = sp->cinfo.d.image_height;
-+
-+ /* data is expected to be read in multiples of a scanline */
-+ if (nrows) {
- /* Cb,Cr both have sampling factors 1, so this is correct */
- JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
- int samples_per_clump = sp->samplesperclump;
-@@ -1087,8 +1094,7 @@
- * TODO: resolve this */
- buf += sp->bytesperline;
- cc -= sp->bytesperline;
-- nrows -= sp->v_sampling;
-- } while (nrows > 0);
-+ } while (--nrows > 0);
-
- #ifdef JPEG_LIB_MK1
- _TIFFfree(tmpbuf);
-diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
---- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
-+++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500
-@@ -238,23 +238,19 @@
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1);
-
-- if (ycbcrsubsampling[0] == 0) {
-+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Invalid YCbCr subsampling");
- return 0;
- }
-
-- scanline = TIFFroundup(td->td_imagewidth,
-+ /* number of sample clumps per line */
-+ scanline = 
TIFFhowmany(td->td_imagewidth,
- ycbcrsubsampling[0]);
-- scanline = TIFFhowmany8(multiply(tif, scanline,
-- td->td_bitspersample,
-- "TIFFScanlineSize"));
-- return ((tsize_t)
-- summarize(tif, scanline,
-- multiply(tif, 2,
-- scanline / ycbcrsubsampling[0],
-- "TIFFVStripSize"),
-- "TIFFVStripSize"));
-+ /* number of samples per line */
-+ scanline = multiply(tif, scanline,
-+ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
-+ "TIFFScanlineSize");
- } else {
- scanline = multiply(tif, td->td_imagewidth,
- td->td_samplesperpixel,
diff --git a/libtiff-subsampling.patch b/libtiff-subsampling.patch
deleted file mode 100644
index a44406b..0000000
--- a/libtiff-subsampling.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Use the spec-mandated default YCbCrSubSampling values in strip size
-calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
-See bug #603703.
-
-Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215
-
-NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues.
-
-
-diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
---- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
-+++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400
-@@ -124,9 +124,9 @@
- uint16 ycbcrsubsampling[2];
- tsize_t w, scanline, samplingarea;
-
-- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
-- ycbcrsubsampling + 0,
-- ycbcrsubsampling + 1 );
-+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
-+ ycbcrsubsampling + 0,
-+ ycbcrsubsampling + 1);
-
- samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
- if (samplingarea == 0) {
-@@ -234,9 +234,9 @@
- && !isUpSampled(tif)) {
- uint16 ycbcrsubsampling[2];
-
-- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
-- ycbcrsubsampling + 0,
-- ycbcrsubsampling + 1);
-+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
-+ ycbcrsubsampling + 0,
-+ ycbcrsubsampling + 1);
-
- if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-@@ -308,9 +308,9 @@
- && !isUpSampled(tif)) {
- uint16 ycbcrsubsampling[2];
-
-- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
-- ycbcrsubsampling + 0,
-- ycbcrsubsampling + 1);
-+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
-+ ycbcrsubsampling + 0,
-+ ycbcrsubsampling + 1);
-
- if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
diff --git a/libtiff-tiffdump.patch b/libtiff-tiffdump.patch
deleted file mode 100644
index cb77796..0000000
--- a/libtiff-tiffdump.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Make tiffdump more paranoid about checking the count field of a directory
-entry.
-
-Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218
-
-
-diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
---- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400
-+++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400
-@@ -46,6 +46,7 @@
- # include
- #endif
-
-+#include "tiffiop.h"
- #include "tiffio.h"
-
- #ifndef O_BINARY
-@@ -317,7 +318,7 @@
- printf(">\n");
- continue;
- }
-- space = dp->tdir_count * datawidth[dp->tdir_type];
-+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
- if (space <= 0) {
- printf(">\n");
- Error("Invalid count for tag %u", dp->tdir_tag);
-@@ -709,7 +710,7 @@
- w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
- cc = dir->tdir_count * w;
- if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
-- && read(fd, cp, cc) != -1) {
-+ && read(fd, cp, cc) == cc) {
- if (swabflag) {
- switch (dir->tdir_type) {
- case TIFF_SHORT:
diff --git a/libtiff-unknown-fix.patch b/libtiff-unknown-fix.patch
deleted file mode 100644
index 5c3b32e..0000000
--- a/libtiff-unknown-fix.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to
-sometimes complain about out-of-order tags when there weren't really any.
-Fix by decoupling that logic from the tag search logic.
-
-Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
-
-
-diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c
---- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400
-+++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400
-@@ -83,6 +83,7 @@
- const TIFFFieldInfo* fip;
- size_t fix;
- uint16 dircount;
-+ uint16 previous_tag = 0;
- int diroutoforderwarning = 0, compressionknown = 0;
- int haveunknowntags = 0;
-
-@@ -163,23 +164,24 @@
-
- if (dp->tdir_tag == IGNORE)
- continue;
-- if (fix >= tif->tif_nfields)
-- fix = 0;
-
- /*
- * Silicon Beach (at least) writes unordered
- * directory tags (violating the spec). Handle
- * it here, but be obnoxious (maybe they'll fix it?).
- */
-- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
-+ if (dp->tdir_tag < previous_tag) {
- if (!diroutoforderwarning) {
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: invalid TIFF directory; tags are not sorted in ascending order",
- tif->tif_name);
- diroutoforderwarning = 1;
- }
-- fix = 0; /* O(n^2) */
- }
-+ previous_tag = dp->tdir_tag;
-+ if (fix >= tif->tif_nfields ||
-+ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
-+ fix = 0; /* O(n^2) */
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
diff --git a/libtiff-ycbcr-clamp.patch b/libtiff-ycbcr-clamp.patch
deleted file mode 100644
index fbd10bb..0000000
--- a/libtiff-ycbcr-clamp.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Using an array to clamp translated YCbCr values is insecure, because if the
-TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
-values could be very far out of range (much further than the current array
-size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in
-favor of using a comparison-based macro to clamp. See RH bug #583081.
-
-Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
-
-
-diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
---- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500
-+++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400
-@@ -183,13 +183,18 @@
- TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
- uint32 *r, uint32 *g, uint32 *b)
- {
-+ int32 i;
-+
- /* XXX: Only 8-bit YCbCr input supported for now */
- Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
-
-- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
-- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
-- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
-- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
-+ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
-+ *r = CLAMP(i, 0, 255);
-+ i = ycbcr->Y_tab[Y]
-+ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
-+ *g = CLAMP(i, 0, 255);
-+ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
-+ *b = CLAMP(i, 0, 255);
- }
-
- /*
diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec
index b7450c2..8637a08 100644
--- a/mingw32-libtiff.spec
+++ b/mingw32-libtiff.spec
@@ -7,23 +7,13 @@
 Summary: MinGW Windows port of the LibTIFF library
 Name: mingw32-libtiff
-Version: 3.9.4
+Version: 3.9.5
 Release: 1%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.remotesensing.org/libtiff/
 Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
-Patch1: libtiff-acversion.patch
-Patch2: libtiff-mantypo.patch
-Patch3: libtiff-scanlinesize.patch
-Patch4: libtiff-getimage-64bit.patch
-Patch5: libtiff-ycbcr-clamp.patch
-Patch6: libtiff-3samples.patch
-Patch7: libtiff-subsampling.patch
-Patch8: libtiff-unknown-fix.patch
-Patch9: libtiff-checkbytecount.patch
-Patch10: libtiff-tiffdump.patch
 Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch
@@ -59,24 +49,12 @@ Group: Development/Libraries
 Static version of the MinGW Windows LibTIFF library.
-%{_mingw32_debug_package}
+%{?_mingw32_debug_package}
 %prep
 %setup -q -n tiff-%{version}
-# Patches from the native Fedora package:
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-
 # MinGW specific patches
 %patch100 -p0
@@ -130,6 +108,12 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Mon Apr 25 2011 Kalev Lember - 3.9.5-1
+- Update to 3.9.5
+- Fixes CVE-2011-1167 (#689575)
+- Dropped the patches from Fedora native libtiff package which are all now
+ incorporated in 3.9.5
+
 * Fri Jun 25 2010 Erik van Pienbroek - 3.9.4-1
 - Update to 3.9.4
 - Merged the native Fedora package changes up to 3.9.4-1
diff --git a/sources b/sources
index a73728b..04027f5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz
+8fc7ce3b4e1d0cc8a319336967815084 tiff-3.9.5.tar.gz
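Review bot: The first mingw32-libtiff.spec hunk drops Patch1 through Patch10, and the only support on this page for that is the changelog line `- Dropped the patches from Fedora native libtiff package which are all now incorporated in 3.9.5`. Several of the removed patches are input-validation or memory-safety guards (libtiff-ycbcr-clamp, libtiff-3samples, libtiff-checkbytecount, libtiff-tiffdump), so a patch that is missing upstream would silently reintroduce the crash it fixed. Their own headers are less definite than the changelog: libtiff-scanlinesize.patch calls itself a partial fix and libtiff-mantypo.patch says it should not be needed as of libtiff 4.0, so each one should be checked against the 3.9.5 sources and the result recorded per patch in the changelog. The second hunk also changes `%{_mingw32_debug_package}` to `%{?_mingw32_debug_package}`, which expands to nothing when the macro is undefined; that deserves its own changelog line, since the build would then produce no debug package without any error.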