rpms
/
mingw-libtiff
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- Update to 3.9.4

Browse Source 
- Merged the native Fedora package changes up to 3.9.4-1
- Fixes CVE-2010-1411 (RHBZ #592361) and various other CVE's
epel9
epienbro 15 years ago
parent c735ea2f00
commit 6e63b9fa1b
18 changed files with 463 additions and 771 deletions
Show Stats Download Patch File Download Diff File

2
.cvsignore
Unescape View File

@ -1 +1 @@
tiff-3.8.2.tar.gz tiff-3.9.4.tar.gz

11
libtiff-3.8.2-CVE-2006-2193.patch
Unescape View File

@ -1,11 +0,0 @@
--- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100
+++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200
@@ -3668,7 +3668,7 @@
written += TIFFWriteFile(output, (tdata_t) "(", 1);
for (i=0;i<len;i++){
if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
- sprintf(buffer, "\\%.3o", pdfstr[i]);
+ snprintf(buffer, sizeof(buffer), "\\%.3o", (unsigned char) pdfstr[i]);
written += TIFFWriteFile(output, (tdata_t) buffer, 4);
} else {
switch (pdfstr[i]){

58
libtiff-3.8.2-lzw-bugs.patch
Unescape View File

@ -1,58 +0,0 @@
Fixes for CVE-2008-2327 and CVE-2009-2285
diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c
--- tiff-3.8.2.orig/libtiff/tif_lzw.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_lzw.c 2008-08-22 16:26:01.000000000 -0400
@@ -237,6 +237,11 @@
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
+ /*
+ * Zero-out the unused entries
+ */
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
}
return (1);
}
@@ -408,12 +413,19 @@
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask-1;
NextCode(tif, sp, bp, code, GetNextCode);
if (code == CODE_EOI)
break;
+ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = (char)code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
@@ -604,12 +616,19 @@
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
NextCode(tif, sp, bp, code, GetNextCodeCompat);
if (code == CODE_EOI)
break;
+ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecodeCompat: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = code, occ--;
oldcodep = sp->dec_codetab + code;
continue;

669
libtiff-3.8.2-ormandy.patch
Unescape View File

@ -1,669 +0,0 @@
diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
@@ -122,6 +122,7 @@
{
static const char module[] = "_TIFFVSetField";
+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
@@ -195,10 +196,12 @@
break;
case TIFFTAG_ORIENTATION:
v = va_arg(ap, uint32);
+ const TIFFFieldInfo* fip;
if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+ fip = _TIFFFieldWithTag(tif, tag);
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"Bad value %lu for \"%s\" tag ignored",
- v, _TIFFFieldWithTag(tif, tag)->field_name);
+ v, fip ? fip->field_name : "Unknown");
} else
td->td_orientation = (uint16) v;
break;
@@ -387,11 +390,15 @@
* happens, for example, when tiffcp is used to convert between
* compression schemes and codec-specific tags are blindly copied.
*/
+ /*
+ * better not dereference fip if it is NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
status = 0;
break;
}
@@ -468,7 +475,7 @@
if (fip->field_type == TIFF_ASCII)
_TIFFsetString((char **)&tv->value, va_arg(ap, char *));
else {
- tv->value = _TIFFmalloc(tv_size * tv->count);
+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
if (!tv->value) {
status = 0;
goto end;
@@ -563,7 +570,7 @@
}
}
if (status) {
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+ TIFFSetFieldBit(tif, fip->field_bit);
tif->tif_flags |= TIFF_DIRTYDIRECT;
}
@@ -572,12 +579,12 @@
return (status);
badvalue:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
badvalue32:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
}
@@ -813,12 +820,16 @@
* If the client tries to get a tag that is not valid
* for the image's codec then we'll arrive here.
*/
+ /*
+ * dont dereference fip if it's NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
{
TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
ret_val = 0;
break;
}
diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
@@ -775,7 +775,8 @@
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
"Internal error, unknown tag 0x%x",
(unsigned int) tag);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
@@ -789,7 +790,8 @@
if (!fip) {
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
"Internal error, unknown tag %s", field_name);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
@@ -29,6 +29,9 @@
*
* Directory Read Support Routines.
*/
+
+#include <limits.h>
+
#include "tiffiop.h"
#define IGNORE 0 /* tag placeholder used below */
@@ -81,6 +84,7 @@
uint16 dircount;
toff_t nextdiroff;
int diroutoforderwarning = 0;
+ int compressionknown = 0;
toff_t* new_dirlist;
tif->tif_diroff = tif->tif_nextdiroff;
@@ -147,13 +151,20 @@
} else {
toff_t off = tif->tif_diroff;
- if (off + sizeof (uint16) > tif->tif_size) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Can not read TIFF directory count",
- tif->tif_name);
- return (0);
+ /*
+ * Check for integer overflow when validating the dir_off, otherwise
+ * a very high offset may cause an OOB read and crash the client.
+ * -- taviso@google.com, 14 Jun 2006.
+ */
+ if (off + sizeof (uint16) > tif->tif_size ||
+ off > (UINT_MAX - sizeof(uint16))) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Can not read TIFF directory count",
+ tif->tif_name);
+ return (0);
} else
- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
+ _TIFFmemcpy(&dircount, tif->tif_base + off,
+ sizeof (uint16));
off += sizeof (uint16);
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabShort(&dircount);
@@ -254,6 +265,7 @@
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
+
if (fix >= tif->tif_nfields ||
tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
@@ -264,17 +276,23 @@
dp->tdir_tag,
dp->tdir_tag,
dp->tdir_type);
-
- TIFFMergeFieldInfo(tif,
- _TIFFCreateAnonFieldInfo(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1 );
+ /*
+ * creating anonymous fields prior to knowing the compression
+ * algorithm (ie, when the field info has been merged) could cause
+ * crashes with pathological directories.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (compressionknown)
+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
+ (TIFFDataType) dp->tdir_type), 1 );
+ else goto ignore;
+
fix = 0;
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
}
+
/*
* Null out old tags that we ignore.
*/
@@ -326,6 +344,7 @@
dp->tdir_type, dp->tdir_offset);
if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
goto bad;
+ else compressionknown++;
break;
/* XXX: workaround for broken TIFFs */
} else if (dp->tdir_type == TIFF_LONG) {
@@ -540,6 +559,7 @@
* Attempt to deal with a missing StripByteCounts tag.
*/
if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* Some manufacturers violate the spec by not giving
* the size of the strips. In this case, assume there
@@ -556,7 +576,7 @@
"%s: TIFF directory is missing required "
"\"%s\" field, calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
/*
@@ -580,6 +600,7 @@
} else if (td->td_nstrips == 1
&& td->td_stripoffset[0] != 0
&& BYTECOUNTLOOKSBAD) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Plexus (and others) sometimes give a value of zero for
* a tag when they don't know what the correct value is! Try
@@ -589,13 +610,14 @@
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if(EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
&& td->td_nstrips > 2
&& td->td_compression == COMPRESSION_NONE
&& td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Some vendors fill StripByteCount array with absolutely
* wrong values (it can be equal to StripOffset array, for
@@ -604,7 +626,7 @@
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
}
@@ -870,7 +892,13 @@
register TIFFDirEntry *dp;
register TIFFDirectory *td = &tif->tif_dir;
- uint16 i;
+
+ /* i is used to iterate over td->td_nstrips, so must be
+ * at least the same width.
+ * -- taviso@google.com 15 Jun 2006
+ */
+
+ uint32 i;
if (td->td_stripbytecount)
_TIFFfree(td->td_stripbytecount);
@@ -947,16 +975,18 @@
static int
CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
{
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+
if (count > dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (0);
} else if (count < dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (1);
}
@@ -970,6 +1000,7 @@
TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
{
int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
tsize_t cc = dir->tdir_count * w;
/* Check for overflow. */
@@ -1013,7 +1044,7 @@
bad:
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Error fetching data for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
return (tsize_t) 0;
}
@@ -1039,10 +1070,12 @@
static int
cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
{
+ const TIFFFieldInfo* fip;
if (denom == 0) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"%s: Rational with zero denominator (num = %lu)",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
+ fip ? fip->field_name : "Unknown", num);
return (0);
} else {
if (dir->tdir_type == TIFF_RATIONAL)
@@ -1159,6 +1192,20 @@
static int
TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
{
+ /*
+ * Prevent overflowing the v stack arrays below by performing a sanity
+ * check on tdir_count, this should never be greater than two.
+ * -- taviso@google.com 14 Jun 2006.
+ */
+ if (dir->tdir_count > 2) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
+ fip ? fip->field_name : "Unknown",
+ dir->tdir_count);
+ return 0;
+ }
+
switch (dir->tdir_type) {
case TIFF_BYTE:
case TIFF_SBYTE:
@@ -1329,14 +1376,15 @@
case TIFF_DOUBLE:
return (TIFFFetchDoubleArray(tif, dir, (double*) v));
default:
+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
/* TIFF_NOTYPE */
/* TIFF_ASCII */
/* TIFF_UNDEFINED */
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"cannot read TIFF_ANY type %d for field \"%s\"",
dir->tdir_type,
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
- return (0);
+ fip ? fip->field_name : "Unknown");
+ return (0); }
}
return (1);
}
@@ -1351,6 +1399,9 @@
int ok = 0;
const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ if (fip == NULL) {
+ return (0);
+ }
if (dp->tdir_count > 1) { /* array of values */
char* cp = NULL;
@@ -1493,6 +1544,7 @@
TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1510,9 +1562,10 @@
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1534,6 +1587,7 @@
TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1551,9 +1605,10 @@
check_count = samples;
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1574,6 +1629,7 @@
TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1591,9 +1647,10 @@
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
@@ -1136,6 +1136,7 @@
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
{
Fax3BaseState* sp = Fax3State(tif);
+ const TIFFFieldInfo* fip;
assert(sp != 0);
assert(sp->vsetparent != 0);
@@ -1181,7 +1182,13 @@
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
@@ -722,15 +722,31 @@
segment_width = TIFFhowmany(segment_width, sp->h_sampling);
segment_height = TIFFhowmany(segment_height, sp->v_sampling);
}
- if (sp->cinfo.d.image_width != segment_width ||
- sp->cinfo.d.image_height != segment_height) {
+ if (sp->cinfo.d.image_width < segment_width ||
+ sp->cinfo.d.image_height < segment_height) {
TIFFWarningExt(tif->tif_clientdata, module,
"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
segment_width,
segment_height,
sp->cinfo.d.image_width,
sp->cinfo.d.image_height);
+ }
+
+ if (sp->cinfo.d.image_width > segment_width ||
+ sp->cinfo.d.image_height > segment_height) {
+ /*
+ * This case could be dangerous, if the strip or tile size has been
+ * reported as less than the amount of data jpeg will return, some
+ * potential security issues arise. Catch this case and error out.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "JPEG strip/tile size exceeds expected dimensions,"
+ "expected %dx%d, got %dx%d", segment_width, segment_height,
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ return (0);
}
+
if (sp->cinfo.d.num_components !=
(td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1)) {
@@ -761,6 +777,22 @@
sp->cinfo.d.comp_info[0].v_samp_factor,
sp->h_sampling, sp->v_sampling);
+ /*
+ * There are potential security issues here for decoders that
+ * have already allocated buffers based on the expected sampling
+ * factors. Lets check the sampling factors dont exceed what
+ * we were expecting.
+ * -- taviso@google.com 14 June 2006
+ */
+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot honour JPEG sampling factors that"
+ " exceed those specified.");
+ return (0);
+ }
+
+
/*
* XXX: Files written by the Intergraph software
* has different sampling factors stored in the
@@ -1521,15 +1553,18 @@
{
JPEGState *sp = JState(tif);
- assert(sp != 0);
+ /* assert(sp != 0); */
tif->tif_tagmethods.vgetfield = sp->vgetparent;
tif->tif_tagmethods.vsetfield = sp->vsetparent;
- if( sp->cinfo_initialized )
- TIFFjpeg_destroy(sp); /* release libjpeg resources */
- if (sp->jpegtables) /* tag value */
- _TIFFfree(sp->jpegtables);
+ if (sp != NULL) {
+ if( sp->cinfo_initialized )
+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
+ if (sp->jpegtables) /* tag value */
+ _TIFFfree(sp->jpegtables);
+ }
+
_TIFFfree(tif->tif_data); /* release local state */
tif->tif_data = NULL;
@@ -1541,6 +1576,7 @@
{
JPEGState* sp = JState(tif);
TIFFDirectory* td = &tif->tif_dir;
+ const TIFFFieldInfo* fip;
uint32 v32;
assert(sp != NULL);
@@ -1606,7 +1642,13 @@
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
@@ -1726,7 +1768,11 @@
{
JPEGState* sp = JState(tif);
- assert(sp != NULL);
+ /* assert(sp != NULL); */
+ if (sp == NULL) {
+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
+ return;
+ }
(void) flags;
if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
@@ -105,11 +105,16 @@
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso@google.com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < imagewidth)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
@@ -768,7 +768,19 @@
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
- for (i = 0; i < nsamples; i += llen, up += llen) {
+ /*
+ * if llen is not an exact multiple of nsamples, the decode operation
+ * may overflow the output buffer, so truncate it enough to prevent that
+ * but still salvage as much data as possible.
+ * -- taviso@google.com 14th June 2006
+ */
+ if (nsamples % llen)
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: stride %lu is not a multiple of sample count, "
+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
+
+
+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalAccumulateF(up, llen, sp->stride,
diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
@@ -31,6 +31,8 @@
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
+
int TIFFFillStrip(TIFF*, tstrip_t);
int TIFFFillTile(TIFF*, ttile_t);
static int TIFFStartStrip(TIFF*, tstrip_t);
@@ -272,7 +274,13 @@
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+ /*
+ * This sanity check could potentially overflow, causing an OOB read.
+ * verify that offset + bytecount is > offset.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
/*
* This error message might seem strange, but it's
* what would happen if a read were done instead.
@@ -470,7 +478,13 @@
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+ /*
+ * We must check this calculation doesnt overflow, potentially
+ * causing an OOB read.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
tif->tif_curtile = NOTILE;
return (0);
}

21
libtiff-3samples.patch
Unescape View File

@ -0,0 +1,21 @@
Patch for bug #603081: failure to guard against bogus SamplesPerPixel
when converting a YCbCr image to RGB.
This patch duplicates into PickContigCase() a safety check that already
existed in PickSeparateCase().
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400
@@ -2397,7 +2397,7 @@
}
break;
case PHOTOMETRIC_YCBCR:
- if (img->bitspersample == 8)
+ if ((img->bitspersample==8) && (img->samplesperpixel==3))
{
if (initYCbCrConversion(img)!=0)
{

16
libtiff-acversion.patch
Unescape View File

@ -0,0 +1,16 @@
This patch is needed for building the package as of F-11. It can be
dropped whenever autoconf 2.63 is no longer used on any live branch.
diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac
--- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400
+++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400
@@ -24,7 +24,7 @@
dnl Process this file with autoconf to produce a configure script.
-AC_PREREQ(2.64)
+AC_PREREQ(2.63)
AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_MACRO_DIR(m4)

48
libtiff-checkbytecount.patch
Unescape View File

@ -0,0 +1,48 @@
Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
missing strip byte counts too. Testing shows that tiffsplit.c has an issue
too.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400
@@ -1920,6 +1920,10 @@
sp->in_buffer_file_pos=0;
else
{
+ if (sp->tif->tif_dir.td_stripbytecount == 0) {
+ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
+ return(0);
+ }
sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
if (sp->in_buffer_file_togo==0)
sp->in_buffer_file_pos=0;
diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
--- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400
@@ -237,7 +237,10 @@
tstrip_t s, ns = TIFFNumberOfStrips(in);
uint32 *bytecounts;
- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
+ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
+ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
+ return (0);
+ }
for (s = 0; s < ns; s++) {
if (bytecounts[s] > (uint32)bufsize) {
buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
@@ -267,7 +270,10 @@
ttile_t t, nt = TIFFNumberOfTiles(in);
uint32 *bytecounts;
- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
+ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
+ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
+ return (0);
+ }
for (t = 0; t < nt; t++) {
if (bytecounts[t] > (uint32) bufsize) {
buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);

48
libtiff-getimage-64bit.patch
Unescape View File

@ -0,0 +1,48 @@
Fix misbehavior on 64-bit machines when trying to flip a downsampled image
vertically: unsigned ints will be widened to 64 bits the wrong way.
See RH bug #583081.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207
diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400
@@ -1846,6 +1846,7 @@
DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
{
uint32* cp2;
+ int32 incr = 2*toskew+w;
(void) y;
fromskew = (fromskew / 2) * 6;
cp2 = cp+w+toskew;
@@ -1872,8 +1873,8 @@
cp2 ++ ;
pp += 6;
}
- cp += toskew*2+w;
- cp2 += toskew*2+w;
+ cp += incr;
+ cp2 += incr;
pp += fromskew;
h-=2;
}
@@ -1939,6 +1940,7 @@
DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
{
uint32* cp2;
+ int32 incr = 2*toskew+w;
(void) y;
fromskew = (fromskew / 2) * 4;
cp2 = cp+w+toskew;
@@ -1953,8 +1955,8 @@
cp2 ++;
pp += 4;
} while (--x);
- cp += toskew*2+w;
- cp2 += toskew*2+w;
+ cp += incr;
+ cp2 += incr;
pp += fromskew;
h-=2;
}

17
libtiff-mantypo.patch
Unescape View File

@ -0,0 +1,17 @@
Minor typo, reported upstream at
http://bugzilla.maptools.org/show_bug.cgi?id=2129
This patch should not be needed as of libtiff 4.0.
diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1
--- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400
+++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500
@@ -60,7 +60,7 @@
``Anonymous'':
.RS
.nf
-tiffset \-s 305 Anonymous a.tif
+tiffset \-s 315 Anonymous a.tif
.fi
.RE
.PP

32
libtiff-mingw32-libjpeg-7-compatibility.patch
Unescape View File

@ -60,3 +60,35 @@
std_fill_input_buffer(j_decompress_ptr cinfo) std_fill_input_buffer(j_decompress_ptr cinfo)
{ {
JPEGState* sp = (JPEGState* ) cinfo; JPEGState* sp = (JPEGState* ) cinfo;
--- libtiff/tif_ojpeg.c.orig 2010-06-25 14:42:58.387654713 +0200
+++ libtiff/tif_ojpeg.c 2010-06-25 14:43:24.483651879 +0200
@@ -383,9 +383,9 @@
static void OJPEGLibjpegJpegErrorMgrOutputMessage(jpeg_common_struct* cinfo);
static void OJPEGLibjpegJpegErrorMgrErrorExit(jpeg_common_struct* cinfo);
static void OJPEGLibjpegJpegSourceMgrInitSource(jpeg_decompress_struct* cinfo);
-static boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo);
+static jpeg_boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo);
static void OJPEGLibjpegJpegSourceMgrSkipInputData(jpeg_decompress_struct* cinfo, long num_bytes);
-static boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired);
+static jpeg_boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired);
static void OJPEGLibjpegJpegSourceMgrTermSource(jpeg_decompress_struct* cinfo);
int
@@ -2388,7 +2388,7 @@
(void)cinfo;
}
-static boolean
+static jpeg_boolean
OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo)
{
TIFF* tif=(TIFF*)cinfo->client_data;
@@ -2414,7 +2414,7 @@
jpeg_encap_unwind(tif);
}
-static boolean
+static jpeg_boolean
OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired)
{
TIFF* tif=(TIFF*)cinfo->client_data;

72
libtiff-scanlinesize.patch
Unescape View File

@ -0,0 +1,72 @@
Partial fix for issues filed upstream at
http://bugzilla.maptools.org/show_bug.cgi?id=2140
This stops the tiffcmp core dump noted in bug #460322, but isn't enough
to make tiffcmp return the right answer (it emits a bunch of error
messages instead).
diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
--- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500
@@ -988,8 +988,15 @@
tsize_t nrows;
(void) s;
- /* data is expected to be read in multiples of a scanline */
- if ( (nrows = sp->cinfo.d.image_height) ) {
+ nrows = cc / sp->bytesperline;
+ if (cc % sp->bytesperline)
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
+
+ if( nrows > (int) sp->cinfo.d.image_height )
+ nrows = sp->cinfo.d.image_height;
+
+ /* data is expected to be read in multiples of a scanline */
+ if (nrows) {
/* Cb,Cr both have sampling factors 1, so this is correct */
JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
int samples_per_clump = sp->samplesperclump;
@@ -1087,8 +1094,7 @@
* TODO: resolve this */
buf += sp->bytesperline;
cc -= sp->bytesperline;
- nrows -= sp->v_sampling;
- } while (nrows > 0);
+ } while (--nrows > 0);
#ifdef JPEG_LIB_MK1
_TIFFfree(tmpbuf);
diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500
@@ -238,23 +238,19 @@
ycbcrsubsampling + 0,
ycbcrsubsampling + 1);
- if (ycbcrsubsampling[0] == 0) {
+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Invalid YCbCr subsampling");
return 0;
}
- scanline = TIFFroundup(td->td_imagewidth,
+ /* number of sample clumps per line */
+ scanline = TIFFhowmany(td->td_imagewidth,
ycbcrsubsampling[0]);
- scanline = TIFFhowmany8(multiply(tif, scanline,
- td->td_bitspersample,
- "TIFFScanlineSize"));
- return ((tsize_t)
- summarize(tif, scanline,
- multiply(tif, 2,
- scanline / ycbcrsubsampling[0],
- "TIFFVStripSize"),
- "TIFFVStripSize"));
+ /* number of samples per line */
+ scanline = multiply(tif, scanline,
+ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
+ "TIFFScanlineSize");
} else {
scanline = multiply(tif, td->td_imagewidth,
td->td_samplesperpixel,

51
libtiff-subsampling.patch
Unescape View File

@ -0,0 +1,51 @@
Use the spec-mandated default YCbCrSubSampling values in strip size
calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
See bug #603703.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215
NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues.
diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400
@@ -124,9 +124,9 @@
uint16 ycbcrsubsampling[2];
tsize_t w, scanline, samplingarea;
- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1 );
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
if (samplingarea == 0) {
@@ -234,9 +234,9 @@
&& !isUpSampled(tif)) {
uint16 ycbcrsubsampling[2];
- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1);
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
@@ -308,9 +308,9 @@
&& !isUpSampled(tif)) {
uint16 ycbcrsubsampling[2];
- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1);
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

35
libtiff-tiffdump.patch
Unescape View File

@ -0,0 +1,35 @@
Make tiffdump more paranoid about checking the count field of a directory
entry.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218
diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400
@@ -46,6 +46,7 @@
# include <io.h>
#endif
+#include "tiffiop.h"
#include "tiffio.h"
#ifndef O_BINARY
@@ -317,7 +318,7 @@
printf(">\n");
continue;
}
- space = dp->tdir_count * datawidth[dp->tdir_type];
+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
if (space <= 0) {
printf(">\n");
Error("Invalid count for tag %u", dp->tdir_tag);
@@ -709,7 +710,7 @@
w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
cc = dir->tdir_count * w;
if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
- && read(fd, cp, cc) != -1) {
+ && read(fd, cp, cc) == cc) {
if (swabflag) {
switch (dir->tdir_type) {
case TIFF_SHORT:

47
libtiff-unknown-fix.patch
Unescape View File

@ -0,0 +1,47 @@
Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to
sometimes complain about out-of-order tags when there weren't really any.
Fix by decoupling that logic from the tag search logic.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c
--- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400
@@ -83,6 +83,7 @@
const TIFFFieldInfo* fip;
size_t fix;
uint16 dircount;
+ uint16 previous_tag = 0;
int diroutoforderwarning = 0, compressionknown = 0;
int haveunknowntags = 0;
@@ -163,23 +164,24 @@
if (dp->tdir_tag == IGNORE)
continue;
- if (fix >= tif->tif_nfields)
- fix = 0;
/*
* Silicon Beach (at least) writes unordered
* directory tags (violating the spec). Handle
* it here, but be obnoxious (maybe they'll fix it?).
*/
- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
+ if (dp->tdir_tag < previous_tag) {
if (!diroutoforderwarning) {
TIFFWarningExt(tif->tif_clientdata, module,
"%s: invalid TIFF directory; tags are not sorted in ascending order",
tif->tif_name);
diroutoforderwarning = 1;
}
- fix = 0; /* O(n^2) */
}
+ previous_tag = dp->tdir_tag;
+ if (fix >= tif->tif_nfields ||
+ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
+ fix = 0; /* O(n^2) */
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;

35
libtiff-ycbcr-clamp.patch
Unescape View File

@ -0,0 +1,35 @@
Using an array to clamp translated YCbCr values is insecure, because if the
TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
values could be very far out of range (much further than the current array
size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in
favor of using a comparison-based macro to clamp. See RH bug #583081.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400
@@ -183,13 +183,18 @@
TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
uint32 *r, uint32 *g, uint32 *b)
{
+ int32 i;
+
/* XXX: Only 8-bit YCbCr input supported for now */
Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
+ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
+ *r = CLAMP(i, 0, 255);
+ i = ycbcr->Y_tab[Y]
+ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
+ *g = CLAMP(i, 0, 255);
+ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
+ *b = CLAMP(i, 0, 255);
}
/*

48
mingw32-libtiff.spec
Unescape View File

@ -7,17 +7,23 @@
Summary: MinGW Windows port of the LibTIFF library Summary: MinGW Windows port of the LibTIFF library
Name: mingw32-libtiff Name: mingw32-libtiff
Version: 3.8.2 Version: 3.9.4
Release: 20%{?dist} Release: 1%{?dist}
License: libtiff License: libtiff
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.remotesensing.org/libtiff/ URL: http://www.remotesensing.org/libtiff/
Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
Patch0: tiffsplit-overflow.patch Patch1: libtiff-acversion.patch
Patch1: libtiff-3.8.2-ormandy.patch Patch2: libtiff-mantypo.patch
Patch2: libtiff-3.8.2-CVE-2006-2193.patch Patch3: libtiff-scanlinesize.patch
Patch4: libtiff-3.8.2-lzw-bugs.patch Patch4: libtiff-getimage-64bit.patch
Patch5: libtiff-ycbcr-clamp.patch
Patch6: libtiff-3samples.patch
Patch7: libtiff-subsampling.patch
Patch8: libtiff-unknown-fix.patch
Patch9: libtiff-checkbytecount.patch
Patch10: libtiff-tiffdump.patch
Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch
@ -29,6 +35,10 @@ BuildRequires: mingw32-filesystem >= 35
BuildRequires: mingw32-gcc BuildRequires: mingw32-gcc
BuildRequires: mingw32-gcc-c++ BuildRequires: mingw32-gcc-c++
BuildRequires: mingw32-binutils BuildRequires: mingw32-binutils
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
%description %description
The libtiff package contains a library of functions for manipulating The libtiff package contains a library of functions for manipulating
@ -56,14 +66,29 @@ Static version of the MinGW Windows LibTIFF library.
%setup -q -n tiff-%{version} %setup -q -n tiff-%{version}
# Patches from the native Fedora package: # Patches from the native Fedora package:
%patch0 -p1 -b .overflow %patch1 -p1
%patch1 -p1 -b .ormandy %patch2 -p1
%patch2 -p1 -b .CVE-2006-2193 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
# MinGW specific patches # MinGW specific patches
%patch100 -p0 %patch100 -p0
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
libtoolize --force --copy
aclocal -I . -I m4
automake --add-missing --copy
autoconf
autoheader
%build %build
export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing" export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing"
@ -105,6 +130,11 @@ rm -rf $RPM_BUILD_ROOT
%changelog %changelog
* Fri Jun 25 2010 Erik van Pienbroek <epienbro@fedoraproject.org> - 3.9.4-1
- Update to 3.9.4
- Merged the native Fedora package changes up to 3.9.4-1
- Fixes CVE-2010-1411 (RHBZ #592361) and various other CVE's
* Fri Sep 18 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 3.8.2-20 * Fri Sep 18 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 3.8.2-20
- Rebuild because of broken mingw32-gcc/mingw32-binutils - Rebuild because of broken mingw32-gcc/mingw32-binutils

2
sources
Unescape View File

@ -1 +1 @@
fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz 2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz

22
tiffsplit-overflow.patch
Unescape View File

@ -1,22 +0,0 @@
--- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000 -0400
+++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400
@@ -60,14 +60,16 @@
fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n");
return (-3);
}
- if (argc > 2)
- strcpy(fname, argv[2]);
+ if (argc > 2) {
+ strncpy(fname, argv[2], 1024);
+ fname[1024] = '\0';
+ }
in = TIFFOpen(argv[1], "r");
if (in != NULL) {
do {
char path[1024+1];
newfilename();
- strcpy(path, fname);
+ strncpy(path, fname, 1020);
strcat(path, ".tif");
out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
if (out == NULL)
Write Preview
Loading…
Cancel
Save