From fe91584aba6e39d6f41d0d1f3e66f82e4622ca7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jason=20=E3=83=86=E3=82=A3=E3=83=93=E3=83=84?= Date: Mon, 8 Jun 2009 16:20:43 +0000 Subject: [PATCH 01/14] Setup of module mingw32-libtiff --- .cvsignore | 0 Makefile | 21 +++++++++++++++++++++ sources | 0 3 files changed, 21 insertions(+) create mode 100644 .cvsignore create mode 100644 Makefile create mode 100644 sources diff --git a/.cvsignore b/.cvsignore new file mode 100644 index 0000000..e69de29 diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..a211c7c --- /dev/null +++ b/Makefile @@ -0,0 +1,21 @@ +# Makefile for source rpm: mingw32-libtiff +# $Id$ +NAME := mingw32-libtiff +SPECFILE = $(firstword $(wildcard *.spec)) + +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attept a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) diff --git a/sources b/sources new file mode 100644 index 0000000..e69de29 From 4f3032ef6ea62543725f977657f60cdd493a2406 Mon Sep 17 00:00:00 2001 From: plouj Date: Mon, 8 Jun 2009 22:29:00 +0000 Subject: [PATCH 02/14] - initial devel branch CVS import --- .cvsignore | 1 + import.log | 1 + libtiff-3.8.2-CVE-2006-2193.patch | 11 + libtiff-3.8.2-lzw-bugs.patch | 58 +++ libtiff-3.8.2-ormandy.patch | 669 ++++++++++++++++++++++++++++++ mingw32-libtiff.spec | 359 ++++++++++++++++ sources | 1 + tiffsplit-overflow.patch | 22 + 8 files changed, 1122 insertions(+) create mode 100644 import.log create mode 100644 libtiff-3.8.2-CVE-2006-2193.patch create mode 100644 libtiff-3.8.2-lzw-bugs.patch create mode 100644 libtiff-3.8.2-ormandy.patch create mode 100644 mingw32-libtiff.spec create mode 100644 tiffsplit-overflow.patch diff --git a/.cvsignore b/.cvsignore index e69de29..d85724d 100644 --- a/.cvsignore +++ b/.cvsignore @@ -0,0 +1 @@ +tiff-3.8.2.tar.gz diff --git a/import.log b/import.log new file mode 100644 index 0000000..fef82dd --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +mingw32-libtiff-3_8_2-15_fc10:HEAD:mingw32-libtiff-3.8.2-15.fc10.src.rpm:1244499917 diff --git a/libtiff-3.8.2-CVE-2006-2193.patch b/libtiff-3.8.2-CVE-2006-2193.patch new file mode 100644 index 0000000..ffd81bf --- /dev/null +++ b/libtiff-3.8.2-CVE-2006-2193.patch @@ -0,0 +1,11 @@ +--- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100 ++++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200 +@@ -3668,7 +3668,7 @@ + written += TIFFWriteFile(output, (tdata_t) "(", 1); + for (i=0;idec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); + } + return (1); + } +@@ -408,12 +413,19 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -604,12 +616,19 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecodeCompat: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; diff --git a/libtiff-3.8.2-ormandy.patch b/libtiff-3.8.2-ormandy.patch new file mode 100644 index 0000000..cb55b03 --- /dev/null +++ b/libtiff-3.8.2-ormandy.patch @@ -0,0 +1,669 @@ +diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c +--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 +@@ -122,6 +122,7 @@ + { + static const char module[] = "_TIFFVSetField"; + ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; +@@ -195,10 +196,12 @@ + break; + case TIFFTAG_ORIENTATION: + v = va_arg(ap, uint32); ++ const TIFFFieldInfo* fip; + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { ++ fip = _TIFFFieldWithTag(tif, tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "Bad value %lu for \"%s\" tag ignored", +- v, _TIFFFieldWithTag(tif, tag)->field_name); ++ v, fip ? fip->field_name : "Unknown"); + } else + td->td_orientation = (uint16) v; + break; +@@ -387,11 +390,15 @@ + * happens, for example, when tiffcp is used to convert between + * compression schemes and codec-specific tags are blindly copied. + */ ++ /* ++ * better not dereference fip if it is NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + status = 0; + break; + } +@@ -468,7 +475,7 @@ + if (fip->field_type == TIFF_ASCII) + _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); + else { +- tv->value = _TIFFmalloc(tv_size * tv->count); ++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); + if (!tv->value) { + status = 0; + goto end; +@@ -563,7 +570,7 @@ + } + } + if (status) { +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ TIFFSetFieldBit(tif, fip->field_bit); + tif->tif_flags |= TIFF_DIRTYDIRECT; + } + +@@ -572,12 +579,12 @@ + return (status); + badvalue: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", +- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvalue32: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", +- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + } +@@ -813,12 +820,16 @@ + * If the client tries to get a tag that is not valid + * for the image's codec then we'll arrive here. + */ ++ /* ++ * dont dereference fip if it's NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) + { + TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + ret_val = 0; + break; + } +diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c +--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 +@@ -775,7 +775,8 @@ + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", + "Internal error, unknown tag 0x%x", + (unsigned int) tag); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +@@ -789,7 +790,8 @@ + if (!fip) { + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", + "Internal error, unknown tag %s", field_name); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c +--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 +@@ -29,6 +29,9 @@ + * + * Directory Read Support Routines. + */ ++ ++#include ++ + #include "tiffiop.h" + + #define IGNORE 0 /* tag placeholder used below */ +@@ -81,6 +84,7 @@ + uint16 dircount; + toff_t nextdiroff; + int diroutoforderwarning = 0; ++ int compressionknown = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -147,13 +151,20 @@ + } else { + toff_t off = tif->tif_diroff; + +- if (off + sizeof (uint16) > tif->tif_size) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "%s: Can not read TIFF directory count", +- tif->tif_name); +- return (0); ++ /* ++ * Check for integer overflow when validating the dir_off, otherwise ++ * a very high offset may cause an OOB read and crash the client. ++ * -- taviso@google.com, 14 Jun 2006. ++ */ ++ if (off + sizeof (uint16) > tif->tif_size || ++ off > (UINT_MAX - sizeof(uint16))) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Can not read TIFF directory count", ++ tif->tif_name); ++ return (0); + } else +- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); ++ _TIFFmemcpy(&dircount, tif->tif_base + off, ++ sizeof (uint16)); + off += sizeof (uint16); + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabShort(&dircount); +@@ -254,6 +265,7 @@ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; ++ + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { + +@@ -264,17 +276,23 @@ + dp->tdir_tag, + dp->tdir_tag, + dp->tdir_type); +- +- TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1 ); ++ /* ++ * creating anonymous fields prior to knowing the compression ++ * algorithm (ie, when the field info has been merged) could cause ++ * crashes with pathological directories. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (compressionknown) ++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), 1 ); ++ else goto ignore; ++ + fix = 0; + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; + } ++ + /* + * Null out old tags that we ignore. + */ +@@ -326,6 +344,7 @@ + dp->tdir_type, dp->tdir_offset); + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) + goto bad; ++ else compressionknown++; + break; + /* XXX: workaround for broken TIFFs */ + } else if (dp->tdir_type == TIFF_LONG) { +@@ -540,6 +559,7 @@ + * Attempt to deal with a missing StripByteCounts tag. + */ + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. In this case, assume there +@@ -556,7 +576,7 @@ + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + /* +@@ -580,6 +600,7 @@ + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Plexus (and others) sometimes give a value of zero for + * a tag when they don't know what the correct value is! Try +@@ -589,13 +610,14 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG + && td->td_nstrips > 2 + && td->td_compression == COMPRESSION_NONE + && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Some vendors fill StripByteCount array with absolutely + * wrong values (it can be equal to StripOffset array, for +@@ -604,7 +626,7 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -870,7 +892,13 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ ++ /* i is used to iterate over td->td_nstrips, so must be ++ * at least the same width. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); +@@ -947,16 +975,18 @@ + static int + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) + { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ + if (count > dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (0); + } else if (count < dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (1); + } +@@ -970,6 +1000,7 @@ + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) + { + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + tsize_t cc = dir->tdir_count * w; + + /* Check for overflow. */ +@@ -1013,7 +1044,7 @@ + bad: + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Error fetching data for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + return (tsize_t) 0; + } + +@@ -1039,10 +1070,12 @@ + static int + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) + { ++ const TIFFFieldInfo* fip; + if (denom == 0) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s: Rational with zero denominator (num = %lu)", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); ++ fip ? fip->field_name : "Unknown", num); + return (0); + } else { + if (dir->tdir_type == TIFF_RATIONAL) +@@ -1159,6 +1192,20 @@ + static int + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) + { ++ /* ++ * Prevent overflowing the v stack arrays below by performing a sanity ++ * check on tdir_count, this should never be greater than two. ++ * -- taviso@google.com 14 Jun 2006. ++ */ ++ if (dir->tdir_count > 2) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, ++ "unexpected count for field \"%s\", %lu, expected 2; ignored.", ++ fip ? fip->field_name : "Unknown", ++ dir->tdir_count); ++ return 0; ++ } ++ + switch (dir->tdir_type) { + case TIFF_BYTE: + case TIFF_SBYTE: +@@ -1329,14 +1376,15 @@ + case TIFF_DOUBLE: + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); + default: ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + /* TIFF_NOTYPE */ + /* TIFF_ASCII */ + /* TIFF_UNDEFINED */ + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", + dir->tdir_type, +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); +- return (0); ++ fip ? fip->field_name : "Unknown"); ++ return (0); } + } + return (1); + } +@@ -1351,6 +1399,9 @@ + int ok = 0; + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + ++ if (fip == NULL) { ++ return (0); ++ } + if (dp->tdir_count > 1) { /* array of values */ + char* cp = NULL; + +@@ -1493,6 +1544,7 @@ + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1510,9 +1562,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1534,6 +1587,7 @@ + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1551,9 +1605,10 @@ + check_count = samples; + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1574,6 +1629,7 @@ + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1591,9 +1647,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c +--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 +@@ -1136,6 +1136,7 @@ + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) + { + Fax3BaseState* sp = Fax3State(tif); ++ const TIFFFieldInfo* fip; + + assert(sp != 0); + assert(sp->vsetparent != 0); +@@ -1181,7 +1182,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c +--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 +@@ -722,15 +722,31 @@ + segment_width = TIFFhowmany(segment_width, sp->h_sampling); + segment_height = TIFFhowmany(segment_height, sp->v_sampling); + } +- if (sp->cinfo.d.image_width != segment_width || +- sp->cinfo.d.image_height != segment_height) { ++ if (sp->cinfo.d.image_width < segment_width || ++ sp->cinfo.d.image_height < segment_height) { + TIFFWarningExt(tif->tif_clientdata, module, + "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", + segment_width, + segment_height, + sp->cinfo.d.image_width, + sp->cinfo.d.image_height); ++ } ++ ++ if (sp->cinfo.d.image_width > segment_width || ++ sp->cinfo.d.image_height > segment_height) { ++ /* ++ * This case could be dangerous, if the strip or tile size has been ++ * reported as less than the amount of data jpeg will return, some ++ * potential security issues arise. Catch this case and error out. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "JPEG strip/tile size exceeds expected dimensions," ++ "expected %dx%d, got %dx%d", segment_width, segment_height, ++ sp->cinfo.d.image_width, sp->cinfo.d.image_height); ++ return (0); + } ++ + if (sp->cinfo.d.num_components != + (td->td_planarconfig == PLANARCONFIG_CONTIG ? + td->td_samplesperpixel : 1)) { +@@ -761,6 +777,22 @@ + sp->cinfo.d.comp_info[0].v_samp_factor, + sp->h_sampling, sp->v_sampling); + ++ /* ++ * There are potential security issues here for decoders that ++ * have already allocated buffers based on the expected sampling ++ * factors. Lets check the sampling factors dont exceed what ++ * we were expecting. ++ * -- taviso@google.com 14 June 2006 ++ */ ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || ++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot honour JPEG sampling factors that" ++ " exceed those specified."); ++ return (0); ++ } ++ ++ + /* + * XXX: Files written by the Intergraph software + * has different sampling factors stored in the +@@ -1521,15 +1553,18 @@ + { + JPEGState *sp = JState(tif); + +- assert(sp != 0); ++ /* assert(sp != 0); */ + + tif->tif_tagmethods.vgetfield = sp->vgetparent; + tif->tif_tagmethods.vsetfield = sp->vsetparent; + +- if( sp->cinfo_initialized ) +- TIFFjpeg_destroy(sp); /* release libjpeg resources */ +- if (sp->jpegtables) /* tag value */ +- _TIFFfree(sp->jpegtables); ++ if (sp != NULL) { ++ if( sp->cinfo_initialized ) ++ TIFFjpeg_destroy(sp); /* release libjpeg resources */ ++ if (sp->jpegtables) /* tag value */ ++ _TIFFfree(sp->jpegtables); ++ } ++ + _TIFFfree(tif->tif_data); /* release local state */ + tif->tif_data = NULL; + +@@ -1541,6 +1576,7 @@ + { + JPEGState* sp = JState(tif); + TIFFDirectory* td = &tif->tif_dir; ++ const TIFFFieldInfo* fip; + uint32 v32; + + assert(sp != NULL); +@@ -1606,7 +1642,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +@@ -1726,7 +1768,11 @@ + { + JPEGState* sp = JState(tif); + +- assert(sp != NULL); ++ /* assert(sp != NULL); */ ++ if (sp == NULL) { ++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); ++ return; ++ } + + (void) flags; + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) +diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c +--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 +@@ -105,11 +105,16 @@ + * as codes of the form + * until we've filled the scanline. + */ ++ /* ++ * Ensure the run does not exceed the scanline ++ * bounds, potentially resulting in a security issue. ++ * -- taviso@google.com 14 Jun 2006. ++ */ + op = row; + for (;;) { + grey = (n>>6) & 0x3; + n &= 0x3f; +- while (n-- > 0) ++ while (n-- > 0 && npixels < imagewidth) + SETPIXEL(op, grey); + if (npixels >= (int) imagewidth) + break; +diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c +--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 +@@ -768,7 +768,19 @@ + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabArrayOfShort(up, nsamples); + +- for (i = 0; i < nsamples; i += llen, up += llen) { ++ /* ++ * if llen is not an exact multiple of nsamples, the decode operation ++ * may overflow the output buffer, so truncate it enough to prevent that ++ * but still salvage as much data as possible. ++ * -- taviso@google.com 14th June 2006 ++ */ ++ if (nsamples % llen) ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: stride %lu is not a multiple of sample count, " ++ "%lu, data truncated.", tif->tif_name, llen, nsamples); ++ ++ ++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalAccumulateF(up, llen, sp->stride, +diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c +--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 +@@ -31,6 +31,8 @@ + #include "tiffiop.h" + #include + ++#include ++ + int TIFFFillStrip(TIFF*, tstrip_t); + int TIFFFillTile(TIFF*, ttile_t); + static int TIFFStartStrip(TIFF*, tstrip_t); +@@ -272,7 +274,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +478,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { + tif->tif_curtile = NOTILE; + return (0); + } diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec new file mode 100644 index 0000000..d7b3245 --- /dev/null +++ b/mingw32-libtiff.spec @@ -0,0 +1,359 @@ +%global __strip %{_mingw32_strip} +%global __objdump %{_mingw32_objdump} +%global _use_internal_dependency_generator 0 +%global __find_requires %{_mingw32_findrequires} +%global __find_provides %{_mingw32_findprovides} + +Summary: MinGW Windows port of the LibTIFF library +Name: mingw32-libtiff +Version: 3.8.2 +Release: 15%{?dist} +License: libtiff +Group: System Environment/Libraries +URL: http://www.libtiff.org/ + +Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz +Patch0: tiffsplit-overflow.patch +Patch1: libtiff-3.8.2-ormandy.patch +Patch2: libtiff-3.8.2-CVE-2006-2193.patch +Patch4: libtiff-3.8.2-lzw-bugs.patch + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root +BuildRequires: mingw32-zlib mingw32-libjpeg +BuildRequires: mingw32-filesystem >= 35 +BuildRequires: mingw32-gcc +BuildRequires: mingw32-binutils + +%description +The libtiff package contains a library of functions for manipulating +TIFF (Tagged Image File Format) image format files. TIFF is a widely +used file format for bitmapped images. TIFF files usually end in the +.tif extension and they are often quite large. + +The libtiff package should be installed if you need to manipulate TIFF +format image files. + +%prep +%setup -q -n tiff-%{version} + +# Patches from the native Fedora package: +%patch0 -p1 -b .overflow +%patch1 -p1 -b .ormandy +%patch2 -p1 -b .CVE-2006-2193 +%patch4 -p1 + +%build +export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing" +%{_mingw32_configure} --disable-static +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT +make DESTDIR=$RPM_BUILD_ROOT install + +# remove docs +rm -rf $RPM_BUILD_ROOT%{_mingw32_datadir}/doc +rm -rf $RPM_BUILD_ROOT%{_mingw32_mandir} + +# remove binaries +rm -f $RPM_BUILD_ROOT%{_mingw32_bindir}/*.exe + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +%doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog +%{_mingw32_bindir}/libtiff-3.dll +%{_mingw32_bindir}/libtiffxx-3.dll +%{_mingw32_includedir}/* +%{_mingw32_libdir}/libtiff.dll.a +%{_mingw32_libdir}/libtiffxx.dll.a +%{_mingw32_libdir}/libtiff.la +%{_mingw32_libdir}/libtiffxx.la + + +%changelog +* Fri Jun 5 2009 Michael Ploujnikov - 3.8.2-15 +- replace %%define with %%global as per Fedora packaging guidelines + +* Wed Jun 3 2009 Michael Ploujnikov - 3.8.2-14 +- cleanup based on initial review and help from Adam Goode: +- removed LIBVER define +- exported proper mingw32 cflags +- removed make check +- removed executables +- removed multilib stuff (irrelevant for mingw32) +- fixed defattr +- added .la files back in + +* Sun Mar 22 2009 Michael Ploujnikov - 3.8.2-13 +- Initial mingw32 build + +* Wed Feb 25 2009 Fedora Release Engineering - 3.8.2-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Aug 26 2008 Tom Lane 3.8.2-11 +- Fix LZW decoding vulnerabilities (CVE-2008-2327) +Related: #458674 +- Use -fno-strict-aliasing per rpmdiff recommendation + +* Tue Feb 19 2008 Fedora Release Engineering - 3.8.2-10 +- Autorebuild for GCC 4.3 + +* Wed Aug 22 2007 Tom Lane 3.8.2-9 +- Update License tag +- Rebuild to fix Fedora toolchain issues + +* Thu Jul 19 2007 Tom Lane 3.8.2-8 +- Restore static library to distribution, in a separate -static subpackage +Resolves: #219905 +- Don't apply multilib header hack to unrecognized architectures +Resolves: #233091 +- Remove documentation for programs we don't ship +Resolves: #205079 +Related: #185145 + +* Tue Jan 16 2007 Tom Lane 3.8.2-7 +- Remove Makefiles from the shipped /usr/share/doc/html directories +Resolves: bz #222729 + +* Tue Sep 5 2006 Jindrich Novy - 3.8.2-6 +- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362) +- fix typo in man page for tiffset (#186297) +- use %%{?dist} + +* Mon Jul 24 2006 Matthias Clasen +- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461 + CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) + +* Wed Jul 12 2006 Jesse Keating - 3.8.2-4.1 +- rebuild + +* Fri Jun 2 2006 Matthias Clasen - 3.8.2-3 +- Fix multilib conflict + +* Thu May 25 2006 Matthias Clasen - 3.8.2-3 +- Fix overflows in tiffsplit + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-2 +- Drop tiffgt to get rid of the libGL dependency (#190768) + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-1 +- Update to 3.8.2 + +* Fri Feb 10 2006 Jesse Keating - 3.7.4-3.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 3.7.4-3.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Wed Nov 16 2005 Matthias Clasen 3.7.4-3 +- Don't ship static libs + +* Fri Nov 11 2005 Matthias Saou 3.7.4-2 +- Remove useless explicit dependencies. +- Minor spec file cleanups. +- Move make check to %%check. +- Add _smp_mflags. + +* Thu Sep 29 2005 Matthias Clasen - 3.7.4-1 +- Update to 3.7.4 +- Drop upstreamed patches + +* Wed Jun 29 2005 Matthias Clasen - 3.7.2-1 +- Update to 3.7.2 +- Drop upstreamed patches + +* Fri May 6 2005 Matthias Clasen - 3.7.1-6 +- Fix a stack overflow + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-5 +- Don't use mktemp + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-4 +- Rebuild with gcc4 + +* Wed Jan 5 2005 Matthias Clasen - 3.7.1-3 +- Drop the largefile patch again +- Fix a problem with the handling of alpha channels +- Fix an integer overflow in tiffdump (#143576) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-2 +- Readd the largefile patch (#143560) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-1 +- Upgrade to 3.7.1 +- Remove upstreamed patches +- Remove specfile cruft +- make check + +* Thu Oct 14 2004 Matthias Clasen 3.6.1-7 +- fix some integer and buffer overflows (#134853, #134848) + +* Tue Oct 12 2004 Matthias Clasen 3.6.1-6 +- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483 + +* Mon Sep 27 2004 Rik van Riel 3.6.1-4 +- compile using RPM_OPT_FLAGS (bz #133650) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu May 20 2004 Matthias Clasen 3.6.1-2 +- Fix and use the makeflags patch + +* Wed May 19 2004 Matthias Clasen 3.6.1-1 +- Upgrade to 3.6.1 +- Adjust patches +- Don't install tiffgt man page (#104864) + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Sat Feb 21 2004 Florian La Roche +- really add symlink to shared lib by running ldconfig at compile time + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Oct 09 2003 Florian La Roche +- link shared lib against -lm (Jakub Jelinek) + +* Thu Sep 25 2003 Jeremy Katz 3.5.7-13 +- rebuild to fix gzipped file md5sum (#91281) + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Tue Feb 11 2003 Phil Knirsch 3.5.7-11 +- Fixed rebuild problems. + +* Tue Feb 04 2003 Florian La Roche +- add symlink to shared lib + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Thu Dec 12 2002 Tim Powers 3.5.7-8 +- rebuild on all arches + +* Mon Aug 19 2002 Phil Knirsch 3.5.7-7 +- Added LFS support (#71593) + +* Tue Jun 25 2002 Phil Knirsch 3.5.7-6 +- Fixed wrong exit code of tiffcp app (#67240) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Wed May 15 2002 Phil Knirsch +- Fixed segfault in fax2tiff tool (#64708). + +* Mon Feb 25 2002 Phil Knirsch +- Fixed problem with newer bash versions setting CDPATH (#59741) + +* Tue Feb 19 2002 Phil Knirsch +- Update to current release 3.5.7 + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Tue Aug 28 2001 Phil Knirsch +- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x + and ia64 were missing (#52129). + +* Tue Jun 26 2001 Philipp Knirsch +- Hopefully final symlink fix + +* Thu Jun 21 2001 Than Ngo +- add missing libtiff symlink + +* Fri Mar 16 2001 Crutcher Dunnavant +- killed tiff-to-ps.fpi filter + +* Wed Feb 28 2001 Philipp Knirsch +- Fixed missing devel version dependancy. + +* Tue Dec 19 2000 Philipp Knirsch +- rebuild + +* Tue Aug 7 2000 Crutcher Dunnavant +- added a tiff-to-ps.fpi filter for printing + +* Thu Jul 13 2000 Prospector +- automatic rebuild + +* Thu Jul 13 2000 Nalin Dahyabhai +- apply Peter Skarpetis's fix for the 32-bit conversion + +* Mon Jul 3 2000 Nalin Dahyabhai +- make man pages non-executable (#12811) + +* Mon Jun 12 2000 Nalin Dahyabhai +- remove CVS repo info from data directories + +* Thu May 18 2000 Nalin Dahyabhai +- fix build rooting +- fix syntax error in configure script +- move man pages to {_mandir} + +* Wed May 17 2000 Nalin Dahyabhai +- rebuild for an errata release + +* Wed Mar 29 2000 Nalin Dahyabhai +- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix + +* Tue Mar 28 2000 Nalin Dahyabhai +- fix fax2ps swapping height and width in the bounding box + +* Mon Mar 27 2000 Nalin Dahyabhai +- move man pages from devel package to the regular one +- integrate Frank Warmerdam's fixed .fax handling code (keep until next release + of libtiff) +- fix fax2ps breakage (bug #8345) + +* Sat Feb 05 2000 Nalin Dahyabhai +- set MANDIR=man3 to make multifunction man pages friendlier + +* Mon Jan 31 2000 Nalin Dahyabhai +- fix URLs + +* Fri Jan 28 2000 Nalin Dahyabhai +- link shared library against libjpeg and libz + +* Tue Jan 18 2000 Nalin Dahyabhai +- enable zip and jpeg codecs +- change defattr in normal package to 0755 +- add defattr to -devel package + +* Wed Dec 22 1999 Bill Nottingham +- update to 3.5.4 + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 6) + +* Wed Jan 13 1999 Cristian Gafton +- build for glibc 2.1 + +* Wed Jun 10 1998 Prospector System +- translations modified for de + +* Wed Jun 10 1998 Michael Fulbright +- rebuilt against fixed jpeg libs (libjpeg-6b) + +* Thu May 07 1998 Prospector System +- translations modified for de, fr, tr + +* Mon Oct 13 1997 Donnie Barnes +- new version to replace the one from libgr +- patched for glibc +- added shlib support diff --git a/sources b/sources index e69de29..1c867c8 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz diff --git a/tiffsplit-overflow.patch b/tiffsplit-overflow.patch new file mode 100644 index 0000000..36a613f --- /dev/null +++ b/tiffsplit-overflow.patch @@ -0,0 +1,22 @@ +--- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000 -0400 ++++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400 +@@ -60,14 +60,16 @@ + fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n"); + return (-3); + } +- if (argc > 2) +- strcpy(fname, argv[2]); ++ if (argc > 2) { ++ strncpy(fname, argv[2], 1024); ++ fname[1024] = '\0'; ++ } + in = TIFFOpen(argv[1], "r"); + if (in != NULL) { + do { + char path[1024+1]; + newfilename(); +- strcpy(path, fname); ++ strncpy(path, fname, 1020); + strcat(path, ".tif"); + out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); + if (out == NULL) From 121475f5fbfc9fbe9a7e84d2a97f7caebb9e1f28 Mon Sep 17 00:00:00 2001 From: plouj Date: Tue, 9 Jun 2009 01:58:34 +0000 Subject: [PATCH 03/14] - add mingw32-gcc-c++ to BuildRequires --- mingw32-libtiff.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index d7b3245..4a75cdc 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,7 +7,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 15%{?dist} +Release: 16%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.libtiff.org/ @@ -24,6 +24,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: mingw32-zlib mingw32-libjpeg BuildRequires: mingw32-filesystem >= 35 BuildRequires: mingw32-gcc +BuildRequires: mingw32-gcc-c++ BuildRequires: mingw32-binutils %description @@ -76,6 +77,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Jun 8 2009 Michael Ploujnikov - 3.8.2-16 +- add mingw32-gcc-c++ to the BuildRequirements + * Fri Jun 5 2009 Michael Ploujnikov - 3.8.2-15 - replace %%define with %%global as per Fedora packaging guidelines From 1aa6993d5e03254c5bb397efdcb63df5354c4592 Mon Sep 17 00:00:00 2001 From: plouj Date: Mon, 13 Jul 2009 23:09:30 +0000 Subject: [PATCH 04/14] - update upstream URL - Fix some more LZW decoding vulnerabilities (CVE-2009-2285) Related: #511015 --- libtiff-3.8.2-lzw-bugs.patch | 6 +++--- mingw32-libtiff.spec | 9 +++++++-- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/libtiff-3.8.2-lzw-bugs.patch b/libtiff-3.8.2-lzw-bugs.patch index 874e5e3..a0d46f2 100644 --- a/libtiff-3.8.2-lzw-bugs.patch +++ b/libtiff-3.8.2-lzw-bugs.patch @@ -1,4 +1,4 @@ -Fixes for CVE-2008-2327 +Fixes for CVE-2008-2327 and CVE-2009-2285 diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c @@ -27,7 +27,7 @@ diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c NextCode(tif, sp, bp, code, GetNextCode); if (code == CODE_EOI) break; -+ if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); @@ -47,7 +47,7 @@ diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c NextCode(tif, sp, bp, code, GetNextCodeCompat); if (code == CODE_EOI) break; -+ if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecodeCompat: Corrupted LZW table at scanline %d", + tif->tif_row); diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index 4a75cdc..c5f4846 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,10 +7,10 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 16%{?dist} +Release: 17%{?dist} License: libtiff Group: System Environment/Libraries -URL: http://www.libtiff.org/ +URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz Patch0: tiffsplit-overflow.patch @@ -77,6 +77,11 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Jul 13 2009 Michael Ploujnikov - 3.8.2-17 +- update upstream URL +- Fix some more LZW decoding vulnerabilities (CVE-2009-2285) +Related: #511015 + * Mon Jun 8 2009 Michael Ploujnikov - 3.8.2-16 - add mingw32-gcc-c++ to the BuildRequirements From 62882e325f9e860160c86959db1ae646d5a264ef Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Sat, 25 Jul 2009 14:25:36 +0000 Subject: [PATCH 05/14] - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild --- mingw32-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index c5f4846..dab74ab 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,7 +7,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 17%{?dist} +Release: 18%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -77,6 +77,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sat Jul 25 2009 Fedora Release Engineering - 3.8.2-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + * Mon Jul 13 2009 Michael Ploujnikov - 3.8.2-17 - update upstream URL - Fix some more LZW decoding vulnerabilities (CVE-2009-2285) From fe87125459b1749787753c79053207e497e576ad Mon Sep 17 00:00:00 2001 From: epienbro Date: Fri, 28 Aug 2009 04:54:50 +0000 Subject: [PATCH 06/14] - Rebuild for minw32-libjpeg 7 - Automatically generate debuginfo subpackage - Added -static subpackage --- libtiff-mingw32-libjpeg-7-compatibility.patch | 62 +++++++++++++++++++ mingw32-libtiff.spec | 37 ++++++++++- 2 files changed, 97 insertions(+), 2 deletions(-) create mode 100644 libtiff-mingw32-libjpeg-7-compatibility.patch diff --git a/libtiff-mingw32-libjpeg-7-compatibility.patch b/libtiff-mingw32-libjpeg-7-compatibility.patch new file mode 100644 index 0000000..4cc6e28 --- /dev/null +++ b/libtiff-mingw32-libjpeg-7-compatibility.patch @@ -0,0 +1,62 @@ +--- libtiff/tif_jpeg.c.orig 2009-08-20 14:27:50.688881034 +0200 ++++ libtiff/tif_jpeg.c 2009-08-20 14:29:03.814866414 +0200 +@@ -288,20 +288,20 @@ + } + + static int +-TIFFjpeg_set_quality(JPEGState* sp, int quality, boolean force_baseline) ++TIFFjpeg_set_quality(JPEGState* sp, int quality, jpeg_boolean force_baseline) + { + return CALLVJPEG(sp, + jpeg_set_quality(&sp->cinfo.c, quality, force_baseline)); + } + + static int +-TIFFjpeg_suppress_tables(JPEGState* sp, boolean suppress) ++TIFFjpeg_suppress_tables(JPEGState* sp, jpeg_boolean suppress) + { + return CALLVJPEG(sp, jpeg_suppress_tables(&sp->cinfo.c, suppress)); + } + + static int +-TIFFjpeg_start_compress(JPEGState* sp, boolean write_all_tables) ++TIFFjpeg_start_compress(JPEGState* sp, jpeg_boolean write_all_tables) + { + return CALLVJPEG(sp, + jpeg_start_compress(&sp->cinfo.c, write_all_tables)); +@@ -334,7 +334,7 @@ + } + + static int +-TIFFjpeg_read_header(JPEGState* sp, boolean require_image) ++TIFFjpeg_read_header(JPEGState* sp, jpeg_boolean require_image) + { + return CALLJPEG(sp, -1, jpeg_read_header(&sp->cinfo.d, require_image)); + } +@@ -402,7 +402,7 @@ + sp->dest.free_in_buffer = (size_t) tif->tif_rawdatasize; + } + +-static boolean ++static jpeg_boolean + std_empty_output_buffer(j_compress_ptr cinfo) + { + JPEGState* sp = (JPEGState*) cinfo; +@@ -453,7 +453,7 @@ + sp->dest.free_in_buffer = (size_t) sp->jpegtables_length; + } + +-static boolean ++static jpeg_boolean + tables_empty_output_buffer(j_compress_ptr cinfo) + { + JPEGState* sp = (JPEGState*) cinfo; +@@ -519,7 +519,7 @@ + sp->src.bytes_in_buffer = (size_t) tif->tif_rawcc; + } + +-static boolean ++static jpeg_boolean + std_fill_input_buffer(j_decompress_ptr cinfo) + { + JPEGState* sp = (JPEGState* ) cinfo; diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index dab74ab..a0bb557 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -3,11 +3,12 @@ %global _use_internal_dependency_generator 0 %global __find_requires %{_mingw32_findrequires} %global __find_provides %{_mingw32_findprovides} +%define __debug_install_post %{_mingw32_debug_install_post} Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 18%{?dist} +Release: 19%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -18,6 +19,8 @@ Patch1: libtiff-3.8.2-ormandy.patch Patch2: libtiff-3.8.2-CVE-2006-2193.patch Patch4: libtiff-3.8.2-lzw-bugs.patch +Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch + BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -36,6 +39,19 @@ used file format for bitmapped images. TIFF files usually end in the The libtiff package should be installed if you need to manipulate TIFF format image files. + +%package static +Summary: Static version of the MinGW Windows LibTIFF library +Requires: %{name} = %{version}-%{release} +Group: Development/Libraries + +%description static +Static version of the MinGW Windows LibTIFF library. + + +%{_mingw32_debug_package} + + %prep %setup -q -n tiff-%{version} @@ -45,11 +61,16 @@ format image files. %patch2 -p1 -b .CVE-2006-2193 %patch4 -p1 +# MinGW specific patches +%patch100 -p0 + + %build export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing" -%{_mingw32_configure} --disable-static +%{_mingw32_configure} --enable-static --enable-shared make %{?_smp_mflags} + %install rm -rf $RPM_BUILD_ROOT make DESTDIR=$RPM_BUILD_ROOT install @@ -61,9 +82,11 @@ rm -rf $RPM_BUILD_ROOT%{_mingw32_mandir} # remove binaries rm -f $RPM_BUILD_ROOT%{_mingw32_bindir}/*.exe + %clean rm -rf $RPM_BUILD_ROOT + %files %defattr(-,root,root,-) %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog @@ -75,8 +98,18 @@ rm -rf $RPM_BUILD_ROOT %{_mingw32_libdir}/libtiff.la %{_mingw32_libdir}/libtiffxx.la +%files static +%defattr(-,root,root,-) +%{_mingw32_libdir}/libtiff.a +%{_mingw32_libdir}/libtiffxx.a + %changelog +* Thu Aug 27 2009 Erik van Pienbroek - 3.8.2-19 +- Rebuild for minw32-libjpeg 7 +- Automatically generate debuginfo subpackage +- Added -static subpackage + * Sat Jul 25 2009 Fedora Release Engineering - 3.8.2-18 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild From e142eb5c7e9dc921dbabeb4d865b75bc3f307ede Mon Sep 17 00:00:00 2001 From: epienbro Date: Fri, 18 Sep 2009 21:48:53 +0000 Subject: [PATCH 07/14] Rebuild because of broken mingw32-gcc/mingw32-binutils --- mingw32-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index a0bb557..a64c728 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -8,7 +8,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 19%{?dist} +Release: 20%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -105,6 +105,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Sep 18 2009 Erik van Pienbroek - 3.8.2-20 +- Rebuild because of broken mingw32-gcc/mingw32-binutils + * Thu Aug 27 2009 Erik van Pienbroek - 3.8.2-19 - Rebuild for minw32-libjpeg 7 - Automatically generate debuginfo subpackage From c735ea2f00ad950701e5fc467098ed2c9899882e Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Wed, 25 Nov 2009 23:18:49 +0000 Subject: [PATCH 08/14] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index a211c7c..4bf07d2 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,10 @@ # Makefile for source rpm: mingw32-libtiff -# $Id$ +# $Id: Makefile,v 1.1 2009/06/08 16:20:43 tibbs Exp $ NAME := mingw32-libtiff SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From 6e63b9fa1bf916e620dc6a12c8f8e48e8192855a Mon Sep 17 00:00:00 2001 From: epienbro Date: Fri, 25 Jun 2010 12:48:14 +0000 Subject: [PATCH 09/14] - Update to 3.9.4 - Merged the native Fedora package changes up to 3.9.4-1 - Fixes CVE-2010-1411 (RHBZ #592361) and various other CVE's --- .cvsignore | 2 +- libtiff-3.8.2-CVE-2006-2193.patch | 11 - libtiff-3.8.2-lzw-bugs.patch | 58 -- libtiff-3.8.2-ormandy.patch | 669 ------------------ libtiff-3samples.patch | 21 + libtiff-acversion.patch | 16 + libtiff-checkbytecount.patch | 48 ++ libtiff-getimage-64bit.patch | 48 ++ libtiff-mantypo.patch | 17 + libtiff-mingw32-libjpeg-7-compatibility.patch | 32 + libtiff-scanlinesize.patch | 72 ++ libtiff-subsampling.patch | 51 ++ libtiff-tiffdump.patch | 35 + libtiff-unknown-fix.patch | 47 ++ libtiff-ycbcr-clamp.patch | 35 + mingw32-libtiff.spec | 48 +- sources | 2 +- tiffsplit-overflow.patch | 22 - 18 files changed, 463 insertions(+), 771 deletions(-) delete mode 100644 libtiff-3.8.2-CVE-2006-2193.patch delete mode 100644 libtiff-3.8.2-lzw-bugs.patch delete mode 100644 libtiff-3.8.2-ormandy.patch create mode 100644 libtiff-3samples.patch create mode 100644 libtiff-acversion.patch create mode 100644 libtiff-checkbytecount.patch create mode 100644 libtiff-getimage-64bit.patch create mode 100644 libtiff-mantypo.patch create mode 100644 libtiff-scanlinesize.patch create mode 100644 libtiff-subsampling.patch create mode 100644 libtiff-tiffdump.patch create mode 100644 libtiff-unknown-fix.patch create mode 100644 libtiff-ycbcr-clamp.patch delete mode 100644 tiffsplit-overflow.patch diff --git a/.cvsignore b/.cvsignore index d85724d..37e1552 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -tiff-3.8.2.tar.gz +tiff-3.9.4.tar.gz diff --git a/libtiff-3.8.2-CVE-2006-2193.patch b/libtiff-3.8.2-CVE-2006-2193.patch deleted file mode 100644 index ffd81bf..0000000 --- a/libtiff-3.8.2-CVE-2006-2193.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100 -+++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200 -@@ -3668,7 +3668,7 @@ - written += TIFFWriteFile(output, (tdata_t) "(", 1); - for (i=0;idec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); -+ /* -+ * Zero-out the unused entries -+ */ -+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); - } - return (1); - } -@@ -408,12 +413,19 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask-1; - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -+ if (code >= CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = (char)code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -604,12 +616,19 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -+ if (code >= CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecodeCompat: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = code, occ--; - oldcodep = sp->dec_codetab + code; - continue; diff --git a/libtiff-3.8.2-ormandy.patch b/libtiff-3.8.2-ormandy.patch deleted file mode 100644 index cb55b03..0000000 --- a/libtiff-3.8.2-ormandy.patch +++ /dev/null @@ -1,669 +0,0 @@ -diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c ---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 -@@ -122,6 +122,7 @@ - { - static const char module[] = "_TIFFVSetField"; - -+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); - TIFFDirectory* td = &tif->tif_dir; - int status = 1; - uint32 v32, i, v; -@@ -195,10 +196,12 @@ - break; - case TIFFTAG_ORIENTATION: - v = va_arg(ap, uint32); -+ const TIFFFieldInfo* fip; - if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { -+ fip = _TIFFFieldWithTag(tif, tag); - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "Bad value %lu for \"%s\" tag ignored", -- v, _TIFFFieldWithTag(tif, tag)->field_name); -+ v, fip ? fip->field_name : "Unknown"); - } else - td->td_orientation = (uint16) v; - break; -@@ -387,11 +390,15 @@ - * happens, for example, when tiffcp is used to convert between - * compression schemes and codec-specific tags are blindly copied. - */ -+ /* -+ * better not dereference fip if it is NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - status = 0; - break; - } -@@ -468,7 +475,7 @@ - if (fip->field_type == TIFF_ASCII) - _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); - else { -- tv->value = _TIFFmalloc(tv_size * tv->count); -+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); - if (!tv->value) { - status = 0; - goto end; -@@ -563,7 +570,7 @@ - } - } - if (status) { -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ TIFFSetFieldBit(tif, fip->field_bit); - tif->tif_flags |= TIFF_DIRTYDIRECT; - } - -@@ -572,12 +579,12 @@ - return (status); - badvalue: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", -- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - badvalue32: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", -- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - } -@@ -813,12 +820,16 @@ - * If the client tries to get a tag that is not valid - * for the image's codec then we'll arrive here. - */ -+ /* -+ * dont dereference fip if it's NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) - { - TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - ret_val = 0; - break; - } -diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c ---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 -@@ -775,7 +775,8 @@ - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", - "Internal error, unknown tag 0x%x", - (unsigned int) tag); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -@@ -789,7 +790,8 @@ - if (!fip) { - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", - "Internal error, unknown tag %s", field_name); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c ---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 -@@ -29,6 +29,9 @@ - * - * Directory Read Support Routines. - */ -+ -+#include -+ - #include "tiffiop.h" - - #define IGNORE 0 /* tag placeholder used below */ -@@ -81,6 +84,7 @@ - uint16 dircount; - toff_t nextdiroff; - int diroutoforderwarning = 0; -+ int compressionknown = 0; - toff_t* new_dirlist; - - tif->tif_diroff = tif->tif_nextdiroff; -@@ -147,13 +151,20 @@ - } else { - toff_t off = tif->tif_diroff; - -- if (off + sizeof (uint16) > tif->tif_size) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "%s: Can not read TIFF directory count", -- tif->tif_name); -- return (0); -+ /* -+ * Check for integer overflow when validating the dir_off, otherwise -+ * a very high offset may cause an OOB read and crash the client. -+ * -- taviso@google.com, 14 Jun 2006. -+ */ -+ if (off + sizeof (uint16) > tif->tif_size || -+ off > (UINT_MAX - sizeof(uint16))) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "%s: Can not read TIFF directory count", -+ tif->tif_name); -+ return (0); - } else -- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); -+ _TIFFmemcpy(&dircount, tif->tif_base + off, -+ sizeof (uint16)); - off += sizeof (uint16); - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabShort(&dircount); -@@ -254,6 +265,7 @@ - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; -+ - if (fix >= tif->tif_nfields || - tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { - -@@ -264,17 +276,23 @@ - dp->tdir_tag, - dp->tdir_tag, - dp->tdir_type); -- -- TIFFMergeFieldInfo(tif, -- _TIFFCreateAnonFieldInfo(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1 ); -+ /* -+ * creating anonymous fields prior to knowing the compression -+ * algorithm (ie, when the field info has been merged) could cause -+ * crashes with pathological directories. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (compressionknown) -+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, -+ (TIFFDataType) dp->tdir_type), 1 ); -+ else goto ignore; -+ - fix = 0; - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; - } -+ - /* - * Null out old tags that we ignore. - */ -@@ -326,6 +344,7 @@ - dp->tdir_type, dp->tdir_offset); - if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) - goto bad; -+ else compressionknown++; - break; - /* XXX: workaround for broken TIFFs */ - } else if (dp->tdir_type == TIFF_LONG) { -@@ -540,6 +559,7 @@ - * Attempt to deal with a missing StripByteCounts tag. - */ - if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * Some manufacturers violate the spec by not giving - * the size of the strips. In this case, assume there -@@ -556,7 +576,7 @@ - "%s: TIFF directory is missing required " - "\"%s\" field, calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - /* -@@ -580,6 +600,7 @@ - } else if (td->td_nstrips == 1 - && td->td_stripoffset[0] != 0 - && BYTECOUNTLOOKSBAD) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Plexus (and others) sometimes give a value of zero for - * a tag when they don't know what the correct value is! Try -@@ -589,13 +610,14 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if(EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } else if (td->td_planarconfig == PLANARCONFIG_CONTIG - && td->td_nstrips > 2 - && td->td_compression == COMPRESSION_NONE - && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Some vendors fill StripByteCount array with absolutely - * wrong values (it can be equal to StripOffset array, for -@@ -604,7 +626,7 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } -@@ -870,7 +892,13 @@ - - register TIFFDirEntry *dp; - register TIFFDirectory *td = &tif->tif_dir; -- uint16 i; -+ -+ /* i is used to iterate over td->td_nstrips, so must be -+ * at least the same width. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ -+ uint32 i; - - if (td->td_stripbytecount) - _TIFFfree(td->td_stripbytecount); -@@ -947,16 +975,18 @@ - static int - CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) - { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ - if (count > dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (0); - } else if (count < dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (1); - } -@@ -970,6 +1000,7 @@ - TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) - { - int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - tsize_t cc = dir->tdir_count * w; - - /* Check for overflow. */ -@@ -1013,7 +1044,7 @@ - bad: - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Error fetching data for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - return (tsize_t) 0; - } - -@@ -1039,10 +1070,12 @@ - static int - cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) - { -+ const TIFFFieldInfo* fip; - if (denom == 0) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s: Rational with zero denominator (num = %lu)", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); -+ fip ? fip->field_name : "Unknown", num); - return (0); - } else { - if (dir->tdir_type == TIFF_RATIONAL) -@@ -1159,6 +1192,20 @@ - static int - TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) - { -+ /* -+ * Prevent overflowing the v stack arrays below by performing a sanity -+ * check on tdir_count, this should never be greater than two. -+ * -- taviso@google.com 14 Jun 2006. -+ */ -+ if (dir->tdir_count > 2) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, -+ "unexpected count for field \"%s\", %lu, expected 2; ignored.", -+ fip ? fip->field_name : "Unknown", -+ dir->tdir_count); -+ return 0; -+ } -+ - switch (dir->tdir_type) { - case TIFF_BYTE: - case TIFF_SBYTE: -@@ -1329,14 +1376,15 @@ - case TIFF_DOUBLE: - return (TIFFFetchDoubleArray(tif, dir, (double*) v)); - default: -+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - /* TIFF_NOTYPE */ - /* TIFF_ASCII */ - /* TIFF_UNDEFINED */ - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "cannot read TIFF_ANY type %d for field \"%s\"", - dir->tdir_type, -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- return (0); -+ fip ? fip->field_name : "Unknown"); -+ return (0); } - } - return (1); - } -@@ -1351,6 +1399,9 @@ - int ok = 0; - const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); - -+ if (fip == NULL) { -+ return (0); -+ } - if (dp->tdir_count > 1) { /* array of values */ - char* cp = NULL; - -@@ -1493,6 +1544,7 @@ - TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1510,9 +1562,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1534,6 +1587,7 @@ - TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1551,9 +1605,10 @@ - check_count = samples; - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1574,6 +1629,7 @@ - TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1591,9 +1647,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c ---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 -@@ -1136,6 +1136,7 @@ - Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) - { - Fax3BaseState* sp = Fax3State(tif); -+ const TIFFFieldInfo* fip; - - assert(sp != 0); - assert(sp->vsetparent != 0); -@@ -1181,7 +1182,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c ---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 -@@ -722,15 +722,31 @@ - segment_width = TIFFhowmany(segment_width, sp->h_sampling); - segment_height = TIFFhowmany(segment_height, sp->v_sampling); - } -- if (sp->cinfo.d.image_width != segment_width || -- sp->cinfo.d.image_height != segment_height) { -+ if (sp->cinfo.d.image_width < segment_width || -+ sp->cinfo.d.image_height < segment_height) { - TIFFWarningExt(tif->tif_clientdata, module, - "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", - segment_width, - segment_height, - sp->cinfo.d.image_width, - sp->cinfo.d.image_height); -+ } -+ -+ if (sp->cinfo.d.image_width > segment_width || -+ sp->cinfo.d.image_height > segment_height) { -+ /* -+ * This case could be dangerous, if the strip or tile size has been -+ * reported as less than the amount of data jpeg will return, some -+ * potential security issues arise. Catch this case and error out. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "JPEG strip/tile size exceeds expected dimensions," -+ "expected %dx%d, got %dx%d", segment_width, segment_height, -+ sp->cinfo.d.image_width, sp->cinfo.d.image_height); -+ return (0); - } -+ - if (sp->cinfo.d.num_components != - (td->td_planarconfig == PLANARCONFIG_CONTIG ? - td->td_samplesperpixel : 1)) { -@@ -761,6 +777,22 @@ - sp->cinfo.d.comp_info[0].v_samp_factor, - sp->h_sampling, sp->v_sampling); - -+ /* -+ * There are potential security issues here for decoders that -+ * have already allocated buffers based on the expected sampling -+ * factors. Lets check the sampling factors dont exceed what -+ * we were expecting. -+ * -- taviso@google.com 14 June 2006 -+ */ -+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || -+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Cannot honour JPEG sampling factors that" -+ " exceed those specified."); -+ return (0); -+ } -+ -+ - /* - * XXX: Files written by the Intergraph software - * has different sampling factors stored in the -@@ -1521,15 +1553,18 @@ - { - JPEGState *sp = JState(tif); - -- assert(sp != 0); -+ /* assert(sp != 0); */ - - tif->tif_tagmethods.vgetfield = sp->vgetparent; - tif->tif_tagmethods.vsetfield = sp->vsetparent; - -- if( sp->cinfo_initialized ) -- TIFFjpeg_destroy(sp); /* release libjpeg resources */ -- if (sp->jpegtables) /* tag value */ -- _TIFFfree(sp->jpegtables); -+ if (sp != NULL) { -+ if( sp->cinfo_initialized ) -+ TIFFjpeg_destroy(sp); /* release libjpeg resources */ -+ if (sp->jpegtables) /* tag value */ -+ _TIFFfree(sp->jpegtables); -+ } -+ - _TIFFfree(tif->tif_data); /* release local state */ - tif->tif_data = NULL; - -@@ -1541,6 +1576,7 @@ - { - JPEGState* sp = JState(tif); - TIFFDirectory* td = &tif->tif_dir; -+ const TIFFFieldInfo* fip; - uint32 v32; - - assert(sp != NULL); -@@ -1606,7 +1642,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -@@ -1726,7 +1768,11 @@ - { - JPEGState* sp = JState(tif); - -- assert(sp != NULL); -+ /* assert(sp != NULL); */ -+ if (sp == NULL) { -+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); -+ return; -+ } - - (void) flags; - if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) -diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c ---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 -@@ -105,11 +105,16 @@ - * as codes of the form - * until we've filled the scanline. - */ -+ /* -+ * Ensure the run does not exceed the scanline -+ * bounds, potentially resulting in a security issue. -+ * -- taviso@google.com 14 Jun 2006. -+ */ - op = row; - for (;;) { - grey = (n>>6) & 0x3; - n &= 0x3f; -- while (n-- > 0) -+ while (n-- > 0 && npixels < imagewidth) - SETPIXEL(op, grey); - if (npixels >= (int) imagewidth) - break; -diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c ---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 -@@ -768,7 +768,19 @@ - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabArrayOfShort(up, nsamples); - -- for (i = 0; i < nsamples; i += llen, up += llen) { -+ /* -+ * if llen is not an exact multiple of nsamples, the decode operation -+ * may overflow the output buffer, so truncate it enough to prevent that -+ * but still salvage as much data as possible. -+ * -- taviso@google.com 14th June 2006 -+ */ -+ if (nsamples % llen) -+ TIFFWarningExt(tif->tif_clientdata, module, -+ "%s: stride %lu is not a multiple of sample count, " -+ "%lu, data truncated.", tif->tif_name, llen, nsamples); -+ -+ -+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { - switch (sp->user_datafmt) { - case PIXARLOGDATAFMT_FLOAT: - horizontalAccumulateF(up, llen, sp->stride, -diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c ---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 -@@ -31,6 +31,8 @@ - #include "tiffiop.h" - #include - -+#include -+ - int TIFFFillStrip(TIFF*, tstrip_t); - int TIFFFillTile(TIFF*, ttile_t); - static int TIFFStartStrip(TIFF*, tstrip_t); -@@ -272,7 +274,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { -+ /* -+ * This sanity check could potentially overflow, causing an OOB read. -+ * verify that offset + bytecount is > offset. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { - /* - * This error message might seem strange, but it's - * what would happen if a read were done instead. -@@ -470,7 +478,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { -+ /* -+ * We must check this calculation doesnt overflow, potentially -+ * causing an OOB read. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { - tif->tif_curtile = NOTILE; - return (0); - } diff --git a/libtiff-3samples.patch b/libtiff-3samples.patch new file mode 100644 index 0000000..c305bd0 --- /dev/null +++ b/libtiff-3samples.patch @@ -0,0 +1,21 @@ +Patch for bug #603081: failure to guard against bogus SamplesPerPixel +when converting a YCbCr image to RGB. + +This patch duplicates into PickContigCase() a safety check that already +existed in PickSeparateCase(). + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216 + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c +--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 ++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400 +@@ -2397,7 +2397,7 @@ + } + break; + case PHOTOMETRIC_YCBCR: +- if (img->bitspersample == 8) ++ if ((img->bitspersample==8) && (img->samplesperpixel==3)) + { + if (initYCbCrConversion(img)!=0) + { diff --git a/libtiff-acversion.patch b/libtiff-acversion.patch new file mode 100644 index 0000000..fc3a136 --- /dev/null +++ b/libtiff-acversion.patch @@ -0,0 +1,16 @@ +This patch is needed for building the package as of F-11. It can be +dropped whenever autoconf 2.63 is no longer used on any live branch. + + +diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac +--- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400 ++++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400 +@@ -24,7 +24,7 @@ + + dnl Process this file with autoconf to produce a configure script. + +-AC_PREREQ(2.64) ++AC_PREREQ(2.63) + AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff]) + AC_CONFIG_AUX_DIR(config) + AC_CONFIG_MACRO_DIR(m4) diff --git a/libtiff-checkbytecount.patch b/libtiff-checkbytecount.patch new file mode 100644 index 0000000..ecd8a9f --- /dev/null +++ b/libtiff-checkbytecount.patch @@ -0,0 +1,48 @@ +Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against +missing strip byte counts too. Testing shows that tiffsplit.c has an issue +too. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996 + + +diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c +--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400 ++++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400 +@@ -1920,6 +1920,10 @@ + sp->in_buffer_file_pos=0; + else + { ++ if (sp->tif->tif_dir.td_stripbytecount == 0) { ++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing"); ++ return(0); ++ } + sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; + if (sp->in_buffer_file_togo==0) + sp->in_buffer_file_pos=0; +diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c +--- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400 ++++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400 +@@ -237,7 +237,10 @@ + tstrip_t s, ns = TIFFNumberOfStrips(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n"); ++ return (0); ++ } + for (s = 0; s < ns; s++) { + if (bytecounts[s] > (uint32)bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]); +@@ -267,7 +270,10 @@ + ttile_t t, nt = TIFFNumberOfTiles(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n"); ++ return (0); ++ } + for (t = 0; t < nt; t++) { + if (bytecounts[t] > (uint32) bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]); diff --git a/libtiff-getimage-64bit.patch b/libtiff-getimage-64bit.patch new file mode 100644 index 0000000..2f3d68e --- /dev/null +++ b/libtiff-getimage-64bit.patch @@ -0,0 +1,48 @@ +Fix misbehavior on 64-bit machines when trying to flip a downsampled image +vertically: unsigned ints will be widened to 64 bits the wrong way. +See RH bug #583081. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207 + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c +--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 ++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400 +@@ -1846,6 +1846,7 @@ + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32* cp2; ++ int32 incr = 2*toskew+w; + (void) y; + fromskew = (fromskew / 2) * 6; + cp2 = cp+w+toskew; +@@ -1872,8 +1873,8 @@ + cp2 ++ ; + pp += 6; + } +- cp += toskew*2+w; +- cp2 += toskew*2+w; ++ cp += incr; ++ cp2 += incr; + pp += fromskew; + h-=2; + } +@@ -1939,6 +1940,7 @@ + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32* cp2; ++ int32 incr = 2*toskew+w; + (void) y; + fromskew = (fromskew / 2) * 4; + cp2 = cp+w+toskew; +@@ -1953,8 +1955,8 @@ + cp2 ++; + pp += 4; + } while (--x); +- cp += toskew*2+w; +- cp2 += toskew*2+w; ++ cp += incr; ++ cp2 += incr; + pp += fromskew; + h-=2; + } diff --git a/libtiff-mantypo.patch b/libtiff-mantypo.patch new file mode 100644 index 0000000..c7e91b4 --- /dev/null +++ b/libtiff-mantypo.patch @@ -0,0 +1,17 @@ +Minor typo, reported upstream at +http://bugzilla.maptools.org/show_bug.cgi?id=2129 +This patch should not be needed as of libtiff 4.0. + + +diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1 +--- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400 ++++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500 +@@ -60,7 +60,7 @@ + ``Anonymous'': + .RS + .nf +-tiffset \-s 305 Anonymous a.tif ++tiffset \-s 315 Anonymous a.tif + .fi + .RE + .PP diff --git a/libtiff-mingw32-libjpeg-7-compatibility.patch b/libtiff-mingw32-libjpeg-7-compatibility.patch index 4cc6e28..9ecb365 100644 --- a/libtiff-mingw32-libjpeg-7-compatibility.patch +++ b/libtiff-mingw32-libjpeg-7-compatibility.patch @@ -60,3 +60,35 @@ std_fill_input_buffer(j_decompress_ptr cinfo) { JPEGState* sp = (JPEGState* ) cinfo; +--- libtiff/tif_ojpeg.c.orig 2010-06-25 14:42:58.387654713 +0200 ++++ libtiff/tif_ojpeg.c 2010-06-25 14:43:24.483651879 +0200 +@@ -383,9 +383,9 @@ + static void OJPEGLibjpegJpegErrorMgrOutputMessage(jpeg_common_struct* cinfo); + static void OJPEGLibjpegJpegErrorMgrErrorExit(jpeg_common_struct* cinfo); + static void OJPEGLibjpegJpegSourceMgrInitSource(jpeg_decompress_struct* cinfo); +-static boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo); ++static jpeg_boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo); + static void OJPEGLibjpegJpegSourceMgrSkipInputData(jpeg_decompress_struct* cinfo, long num_bytes); +-static boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired); ++static jpeg_boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired); + static void OJPEGLibjpegJpegSourceMgrTermSource(jpeg_decompress_struct* cinfo); + + int +@@ -2388,7 +2388,7 @@ + (void)cinfo; + } + +-static boolean ++static jpeg_boolean + OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo) + { + TIFF* tif=(TIFF*)cinfo->client_data; +@@ -2414,7 +2414,7 @@ + jpeg_encap_unwind(tif); + } + +-static boolean ++static jpeg_boolean + OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired) + { + TIFF* tif=(TIFF*)cinfo->client_data; diff --git a/libtiff-scanlinesize.patch b/libtiff-scanlinesize.patch new file mode 100644 index 0000000..57fe809 --- /dev/null +++ b/libtiff-scanlinesize.patch @@ -0,0 +1,72 @@ +Partial fix for issues filed upstream at +http://bugzilla.maptools.org/show_bug.cgi?id=2140 +This stops the tiffcmp core dump noted in bug #460322, but isn't enough +to make tiffcmp return the right answer (it emits a bunch of error +messages instead). + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c +--- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400 ++++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500 +@@ -988,8 +988,15 @@ + tsize_t nrows; + (void) s; + +- /* data is expected to be read in multiples of a scanline */ +- if ( (nrows = sp->cinfo.d.image_height) ) { ++ nrows = cc / sp->bytesperline; ++ if (cc % sp->bytesperline) ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read"); ++ ++ if( nrows > (int) sp->cinfo.d.image_height ) ++ nrows = sp->cinfo.d.image_height; ++ ++ /* data is expected to be read in multiples of a scanline */ ++ if (nrows) { + /* Cb,Cr both have sampling factors 1, so this is correct */ + JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width; + int samples_per_clump = sp->samplesperclump; +@@ -1087,8 +1094,7 @@ + * TODO: resolve this */ + buf += sp->bytesperline; + cc -= sp->bytesperline; +- nrows -= sp->v_sampling; +- } while (nrows > 0); ++ } while (--nrows > 0); + + #ifdef JPEG_LIB_MK1 + _TIFFfree(tmpbuf); +diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c +--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500 +@@ -238,23 +238,19 @@ + ycbcrsubsampling + 0, + ycbcrsubsampling + 1); + +- if (ycbcrsubsampling[0] == 0) { ++ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Invalid YCbCr subsampling"); + return 0; + } + +- scanline = TIFFroundup(td->td_imagewidth, ++ /* number of sample clumps per line */ ++ scanline = TIFFhowmany(td->td_imagewidth, + ycbcrsubsampling[0]); +- scanline = TIFFhowmany8(multiply(tif, scanline, +- td->td_bitspersample, +- "TIFFScanlineSize")); +- return ((tsize_t) +- summarize(tif, scanline, +- multiply(tif, 2, +- scanline / ycbcrsubsampling[0], +- "TIFFVStripSize"), +- "TIFFVStripSize")); ++ /* number of samples per line */ ++ scanline = multiply(tif, scanline, ++ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2, ++ "TIFFScanlineSize"); + } else { + scanline = multiply(tif, td->td_imagewidth, + td->td_samplesperpixel, diff --git a/libtiff-subsampling.patch b/libtiff-subsampling.patch new file mode 100644 index 0000000..a44406b --- /dev/null +++ b/libtiff-subsampling.patch @@ -0,0 +1,51 @@ +Use the spec-mandated default YCbCrSubSampling values in strip size +calculations, if the YCBCRSUBSAMPLING tag hasn't been provided. +See bug #603703. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215 + +NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues. + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c +--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400 +@@ -124,9 +124,9 @@ + uint16 ycbcrsubsampling[2]; + tsize_t w, scanline, samplingarea; + +- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1 ); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; + if (samplingarea == 0) { +@@ -234,9 +234,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +@@ -308,9 +308,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, diff --git a/libtiff-tiffdump.patch b/libtiff-tiffdump.patch new file mode 100644 index 0000000..cb77796 --- /dev/null +++ b/libtiff-tiffdump.patch @@ -0,0 +1,35 @@ +Make tiffdump more paranoid about checking the count field of a directory +entry. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218 + + +diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c +--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400 ++++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400 +@@ -46,6 +46,7 @@ + # include + #endif + ++#include "tiffiop.h" + #include "tiffio.h" + + #ifndef O_BINARY +@@ -317,7 +318,7 @@ + printf(">\n"); + continue; + } +- space = dp->tdir_count * datawidth[dp->tdir_type]; ++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); + if (space <= 0) { + printf(">\n"); + Error("Invalid count for tag %u", dp->tdir_tag); +@@ -709,7 +710,7 @@ + w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); + cc = dir->tdir_count * w; + if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 +- && read(fd, cp, cc) != -1) { ++ && read(fd, cp, cc) == cc) { + if (swabflag) { + switch (dir->tdir_type) { + case TIFF_SHORT: diff --git a/libtiff-unknown-fix.patch b/libtiff-unknown-fix.patch new file mode 100644 index 0000000..5c3b32e --- /dev/null +++ b/libtiff-unknown-fix.patch @@ -0,0 +1,47 @@ +Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to +sometimes complain about out-of-order tags when there weren't really any. +Fix by decoupling that logic from the tag search logic. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210 + + +diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c +--- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400 ++++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400 +@@ -83,6 +83,7 @@ + const TIFFFieldInfo* fip; + size_t fix; + uint16 dircount; ++ uint16 previous_tag = 0; + int diroutoforderwarning = 0, compressionknown = 0; + int haveunknowntags = 0; + +@@ -163,23 +164,24 @@ + + if (dp->tdir_tag == IGNORE) + continue; +- if (fix >= tif->tif_nfields) +- fix = 0; + + /* + * Silicon Beach (at least) writes unordered + * directory tags (violating the spec). Handle + * it here, but be obnoxious (maybe they'll fix it?). + */ +- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { ++ if (dp->tdir_tag < previous_tag) { + if (!diroutoforderwarning) { + TIFFWarningExt(tif->tif_clientdata, module, + "%s: invalid TIFF directory; tags are not sorted in ascending order", + tif->tif_name); + diroutoforderwarning = 1; + } +- fix = 0; /* O(n^2) */ + } ++ previous_tag = dp->tdir_tag; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; diff --git a/libtiff-ycbcr-clamp.patch b/libtiff-ycbcr-clamp.patch new file mode 100644 index 0000000..fbd10bb --- /dev/null +++ b/libtiff-ycbcr-clamp.patch @@ -0,0 +1,35 @@ +Using an array to clamp translated YCbCr values is insecure, because if the +TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB +values could be very far out of range (much further than the current array +size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in +favor of using a comparison-based macro to clamp. See RH bug #583081. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208 + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c +--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400 +@@ -183,13 +183,18 @@ + TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, + uint32 *r, uint32 *g, uint32 *b) + { ++ int32 i; ++ + /* XXX: Only 8-bit YCbCr input supported for now */ + Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); + +- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; +- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] +- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; +- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; ++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; ++ *r = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] ++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); ++ *g = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; ++ *b = CLAMP(i, 0, 255); + } + + /* diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index a64c728..b7450c2 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,17 +7,23 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff -Version: 3.8.2 -Release: 20%{?dist} +Version: 3.9.4 +Release: 1%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz -Patch0: tiffsplit-overflow.patch -Patch1: libtiff-3.8.2-ormandy.patch -Patch2: libtiff-3.8.2-CVE-2006-2193.patch -Patch4: libtiff-3.8.2-lzw-bugs.patch +Patch1: libtiff-acversion.patch +Patch2: libtiff-mantypo.patch +Patch3: libtiff-scanlinesize.patch +Patch4: libtiff-getimage-64bit.patch +Patch5: libtiff-ycbcr-clamp.patch +Patch6: libtiff-3samples.patch +Patch7: libtiff-subsampling.patch +Patch8: libtiff-unknown-fix.patch +Patch9: libtiff-checkbytecount.patch +Patch10: libtiff-tiffdump.patch Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch @@ -29,6 +35,10 @@ BuildRequires: mingw32-filesystem >= 35 BuildRequires: mingw32-gcc BuildRequires: mingw32-gcc-c++ BuildRequires: mingw32-binutils +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool + %description The libtiff package contains a library of functions for manipulating @@ -56,14 +66,29 @@ Static version of the MinGW Windows LibTIFF library. %setup -q -n tiff-%{version} # Patches from the native Fedora package: -%patch0 -p1 -b .overflow -%patch1 -p1 -b .ormandy -%patch2 -p1 -b .CVE-2006-2193 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 # MinGW specific patches %patch100 -p0 +# Use build system's libtool.m4, not the one in the package. +rm -f libtool.m4 + +libtoolize --force --copy +aclocal -I . -I m4 +automake --add-missing --copy +autoconf +autoheader + %build export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing" @@ -105,6 +130,11 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jun 25 2010 Erik van Pienbroek - 3.9.4-1 +- Update to 3.9.4 +- Merged the native Fedora package changes up to 3.9.4-1 +- Fixes CVE-2010-1411 (RHBZ #592361) and various other CVE's + * Fri Sep 18 2009 Erik van Pienbroek - 3.8.2-20 - Rebuild because of broken mingw32-gcc/mingw32-binutils diff --git a/sources b/sources index 1c867c8..a73728b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz +2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz diff --git a/tiffsplit-overflow.patch b/tiffsplit-overflow.patch deleted file mode 100644 index 36a613f..0000000 --- a/tiffsplit-overflow.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000 -0400 -+++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400 -@@ -60,14 +60,16 @@ - fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n"); - return (-3); - } -- if (argc > 2) -- strcpy(fname, argv[2]); -+ if (argc > 2) { -+ strncpy(fname, argv[2], 1024); -+ fname[1024] = '\0'; -+ } - in = TIFFOpen(argv[1], "r"); - if (in != NULL) { - do { - char path[1024+1]; - newfilename(); -- strcpy(path, fname); -+ strncpy(path, fname, 1020); - strcat(path, ".tif"); - out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); - if (out == NULL) From 6513719e9858e3b4a07fa34899bc05733f749972 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 03:21:25 +0000 Subject: [PATCH 10/14] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- import.log | 1 - 3 files changed, 22 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 import.log diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 4bf07d2..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for source rpm: mingw32-libtiff -# $Id: Makefile,v 1.1 2009/06/08 16:20:43 tibbs Exp $ -NAME := mingw32-libtiff -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attept a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) diff --git a/import.log b/import.log deleted file mode 100644 index fef82dd..0000000 --- a/import.log +++ /dev/null @@ -1 +0,0 @@ -mingw32-libtiff-3_8_2-15_fc10:HEAD:mingw32-libtiff-3.8.2-15.fc10.src.rpm:1244499917 From 6d64a60e6660af18e7f03e052ea32b7a7c17c7c4 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Mon, 25 Apr 2011 11:07:17 +0300 Subject: [PATCH 11/14] Update to 3.9.5 - Fixes CVE-2011-1167 (#689575) - Dropped the patches from Fedora native libtiff package which are all now incorporated in 3.9.5 --- .gitignore | 1 + libtiff-3samples.patch | 21 ----------- libtiff-acversion.patch | 16 -------- libtiff-checkbytecount.patch | 48 ------------------------ libtiff-getimage-64bit.patch | 48 ------------------------ libtiff-mantypo.patch | 17 --------- libtiff-scanlinesize.patch | 72 ------------------------------------ libtiff-subsampling.patch | 51 ------------------------- libtiff-tiffdump.patch | 35 ------------------ libtiff-unknown-fix.patch | 47 ----------------------- libtiff-ycbcr-clamp.patch | 35 ------------------ mingw32-libtiff.spec | 32 ++++------------ sources | 2 +- 13 files changed, 10 insertions(+), 415 deletions(-) delete mode 100644 libtiff-3samples.patch delete mode 100644 libtiff-acversion.patch delete mode 100644 libtiff-checkbytecount.patch delete mode 100644 libtiff-getimage-64bit.patch delete mode 100644 libtiff-mantypo.patch delete mode 100644 libtiff-scanlinesize.patch delete mode 100644 libtiff-subsampling.patch delete mode 100644 libtiff-tiffdump.patch delete mode 100644 libtiff-unknown-fix.patch delete mode 100644 libtiff-ycbcr-clamp.patch diff --git a/.gitignore b/.gitignore index 37e1552..7992c78 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ tiff-3.9.4.tar.gz +/tiff-3.9.5.tar.gz diff --git a/libtiff-3samples.patch b/libtiff-3samples.patch deleted file mode 100644 index c305bd0..0000000 --- a/libtiff-3samples.patch +++ /dev/null @@ -1,21 +0,0 @@ -Patch for bug #603081: failure to guard against bogus SamplesPerPixel -when converting a YCbCr image to RGB. - -This patch duplicates into PickContigCase() a safety check that already -existed in PickSeparateCase(). - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216 - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c ---- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 -+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400 -@@ -2397,7 +2397,7 @@ - } - break; - case PHOTOMETRIC_YCBCR: -- if (img->bitspersample == 8) -+ if ((img->bitspersample==8) && (img->samplesperpixel==3)) - { - if (initYCbCrConversion(img)!=0) - { diff --git a/libtiff-acversion.patch b/libtiff-acversion.patch deleted file mode 100644 index fc3a136..0000000 --- a/libtiff-acversion.patch +++ /dev/null @@ -1,16 +0,0 @@ -This patch is needed for building the package as of F-11. It can be -dropped whenever autoconf 2.63 is no longer used on any live branch. - - -diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac ---- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400 -+++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400 -@@ -24,7 +24,7 @@ - - dnl Process this file with autoconf to produce a configure script. - --AC_PREREQ(2.64) -+AC_PREREQ(2.63) - AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff]) - AC_CONFIG_AUX_DIR(config) - AC_CONFIG_MACRO_DIR(m4) diff --git a/libtiff-checkbytecount.patch b/libtiff-checkbytecount.patch deleted file mode 100644 index ecd8a9f..0000000 --- a/libtiff-checkbytecount.patch +++ /dev/null @@ -1,48 +0,0 @@ -Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against -missing strip byte counts too. Testing shows that tiffsplit.c has an issue -too. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996 - - -diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c ---- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400 -+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400 -@@ -1920,6 +1920,10 @@ - sp->in_buffer_file_pos=0; - else - { -+ if (sp->tif->tif_dir.td_stripbytecount == 0) { -+ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing"); -+ return(0); -+ } - sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; - if (sp->in_buffer_file_togo==0) - sp->in_buffer_file_pos=0; -diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c ---- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400 -+++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400 -@@ -237,7 +237,10 @@ - tstrip_t s, ns = TIFFNumberOfStrips(in); - uint32 *bytecounts; - -- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts); -+ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) { -+ fprintf(stderr, "tiffsplit: strip byte counts are missing\n"); -+ return (0); -+ } - for (s = 0; s < ns; s++) { - if (bytecounts[s] > (uint32)bufsize) { - buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]); -@@ -267,7 +270,10 @@ - ttile_t t, nt = TIFFNumberOfTiles(in); - uint32 *bytecounts; - -- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts); -+ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) { -+ fprintf(stderr, "tiffsplit: tile byte counts are missing\n"); -+ return (0); -+ } - for (t = 0; t < nt; t++) { - if (bytecounts[t] > (uint32) bufsize) { - buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]); diff --git a/libtiff-getimage-64bit.patch b/libtiff-getimage-64bit.patch deleted file mode 100644 index 2f3d68e..0000000 --- a/libtiff-getimage-64bit.patch +++ /dev/null @@ -1,48 +0,0 @@ -Fix misbehavior on 64-bit machines when trying to flip a downsampled image -vertically: unsigned ints will be widened to 64 bits the wrong way. -See RH bug #583081. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207 - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c ---- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 -+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400 -@@ -1846,6 +1846,7 @@ - DECLAREContigPutFunc(putcontig8bitYCbCr22tile) - { - uint32* cp2; -+ int32 incr = 2*toskew+w; - (void) y; - fromskew = (fromskew / 2) * 6; - cp2 = cp+w+toskew; -@@ -1872,8 +1873,8 @@ - cp2 ++ ; - pp += 6; - } -- cp += toskew*2+w; -- cp2 += toskew*2+w; -+ cp += incr; -+ cp2 += incr; - pp += fromskew; - h-=2; - } -@@ -1939,6 +1940,7 @@ - DECLAREContigPutFunc(putcontig8bitYCbCr12tile) - { - uint32* cp2; -+ int32 incr = 2*toskew+w; - (void) y; - fromskew = (fromskew / 2) * 4; - cp2 = cp+w+toskew; -@@ -1953,8 +1955,8 @@ - cp2 ++; - pp += 4; - } while (--x); -- cp += toskew*2+w; -- cp2 += toskew*2+w; -+ cp += incr; -+ cp2 += incr; - pp += fromskew; - h-=2; - } diff --git a/libtiff-mantypo.patch b/libtiff-mantypo.patch deleted file mode 100644 index c7e91b4..0000000 --- a/libtiff-mantypo.patch +++ /dev/null @@ -1,17 +0,0 @@ -Minor typo, reported upstream at -http://bugzilla.maptools.org/show_bug.cgi?id=2129 -This patch should not be needed as of libtiff 4.0. - - -diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1 ---- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400 -+++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500 -@@ -60,7 +60,7 @@ - ``Anonymous'': - .RS - .nf --tiffset \-s 305 Anonymous a.tif -+tiffset \-s 315 Anonymous a.tif - .fi - .RE - .PP diff --git a/libtiff-scanlinesize.patch b/libtiff-scanlinesize.patch deleted file mode 100644 index 57fe809..0000000 --- a/libtiff-scanlinesize.patch +++ /dev/null @@ -1,72 +0,0 @@ -Partial fix for issues filed upstream at -http://bugzilla.maptools.org/show_bug.cgi?id=2140 -This stops the tiffcmp core dump noted in bug #460322, but isn't enough -to make tiffcmp return the right answer (it emits a bunch of error -messages instead). - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c ---- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400 -+++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500 -@@ -988,8 +988,15 @@ - tsize_t nrows; - (void) s; - -- /* data is expected to be read in multiples of a scanline */ -- if ( (nrows = sp->cinfo.d.image_height) ) { -+ nrows = cc / sp->bytesperline; -+ if (cc % sp->bytesperline) -+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read"); -+ -+ if( nrows > (int) sp->cinfo.d.image_height ) -+ nrows = sp->cinfo.d.image_height; -+ -+ /* data is expected to be read in multiples of a scanline */ -+ if (nrows) { - /* Cb,Cr both have sampling factors 1, so this is correct */ - JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width; - int samples_per_clump = sp->samplesperclump; -@@ -1087,8 +1094,7 @@ - * TODO: resolve this */ - buf += sp->bytesperline; - cc -= sp->bytesperline; -- nrows -= sp->v_sampling; -- } while (nrows > 0); -+ } while (--nrows > 0); - - #ifdef JPEG_LIB_MK1 - _TIFFfree(tmpbuf); -diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c ---- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 -+++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500 -@@ -238,23 +238,19 @@ - ycbcrsubsampling + 0, - ycbcrsubsampling + 1); - -- if (ycbcrsubsampling[0] == 0) { -+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Invalid YCbCr subsampling"); - return 0; - } - -- scanline = TIFFroundup(td->td_imagewidth, -+ /* number of sample clumps per line */ -+ scanline = TIFFhowmany(td->td_imagewidth, - ycbcrsubsampling[0]); -- scanline = TIFFhowmany8(multiply(tif, scanline, -- td->td_bitspersample, -- "TIFFScanlineSize")); -- return ((tsize_t) -- summarize(tif, scanline, -- multiply(tif, 2, -- scanline / ycbcrsubsampling[0], -- "TIFFVStripSize"), -- "TIFFVStripSize")); -+ /* number of samples per line */ -+ scanline = multiply(tif, scanline, -+ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2, -+ "TIFFScanlineSize"); - } else { - scanline = multiply(tif, td->td_imagewidth, - td->td_samplesperpixel, diff --git a/libtiff-subsampling.patch b/libtiff-subsampling.patch deleted file mode 100644 index a44406b..0000000 --- a/libtiff-subsampling.patch +++ /dev/null @@ -1,51 +0,0 @@ -Use the spec-mandated default YCbCrSubSampling values in strip size -calculations, if the YCBCRSUBSAMPLING tag hasn't been provided. -See bug #603703. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215 - -NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues. - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c ---- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 -+++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400 -@@ -124,9 +124,9 @@ - uint16 ycbcrsubsampling[2]; - tsize_t w, scanline, samplingarea; - -- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, -- ycbcrsubsampling + 0, -- ycbcrsubsampling + 1 ); -+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, -+ ycbcrsubsampling + 0, -+ ycbcrsubsampling + 1); - - samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; - if (samplingarea == 0) { -@@ -234,9 +234,9 @@ - && !isUpSampled(tif)) { - uint16 ycbcrsubsampling[2]; - -- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, -- ycbcrsubsampling + 0, -- ycbcrsubsampling + 1); -+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, -+ ycbcrsubsampling + 0, -+ ycbcrsubsampling + 1); - - if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -@@ -308,9 +308,9 @@ - && !isUpSampled(tif)) { - uint16 ycbcrsubsampling[2]; - -- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, -- ycbcrsubsampling + 0, -- ycbcrsubsampling + 1); -+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, -+ ycbcrsubsampling + 0, -+ ycbcrsubsampling + 1); - - if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, diff --git a/libtiff-tiffdump.patch b/libtiff-tiffdump.patch deleted file mode 100644 index cb77796..0000000 --- a/libtiff-tiffdump.patch +++ /dev/null @@ -1,35 +0,0 @@ -Make tiffdump more paranoid about checking the count field of a directory -entry. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218 - - -diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c ---- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400 -+++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400 -@@ -46,6 +46,7 @@ - # include - #endif - -+#include "tiffiop.h" - #include "tiffio.h" - - #ifndef O_BINARY -@@ -317,7 +318,7 @@ - printf(">\n"); - continue; - } -- space = dp->tdir_count * datawidth[dp->tdir_type]; -+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); - if (space <= 0) { - printf(">\n"); - Error("Invalid count for tag %u", dp->tdir_tag); -@@ -709,7 +710,7 @@ - w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); - cc = dir->tdir_count * w; - if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 -- && read(fd, cp, cc) != -1) { -+ && read(fd, cp, cc) == cc) { - if (swabflag) { - switch (dir->tdir_type) { - case TIFF_SHORT: diff --git a/libtiff-unknown-fix.patch b/libtiff-unknown-fix.patch deleted file mode 100644 index 5c3b32e..0000000 --- a/libtiff-unknown-fix.patch +++ /dev/null @@ -1,47 +0,0 @@ -Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to -sometimes complain about out-of-order tags when there weren't really any. -Fix by decoupling that logic from the tag search logic. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210 - - -diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c ---- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400 -+++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400 -@@ -83,6 +83,7 @@ - const TIFFFieldInfo* fip; - size_t fix; - uint16 dircount; -+ uint16 previous_tag = 0; - int diroutoforderwarning = 0, compressionknown = 0; - int haveunknowntags = 0; - -@@ -163,23 +164,24 @@ - - if (dp->tdir_tag == IGNORE) - continue; -- if (fix >= tif->tif_nfields) -- fix = 0; - - /* - * Silicon Beach (at least) writes unordered - * directory tags (violating the spec). Handle - * it here, but be obnoxious (maybe they'll fix it?). - */ -- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { -+ if (dp->tdir_tag < previous_tag) { - if (!diroutoforderwarning) { - TIFFWarningExt(tif->tif_clientdata, module, - "%s: invalid TIFF directory; tags are not sorted in ascending order", - tif->tif_name); - diroutoforderwarning = 1; - } -- fix = 0; /* O(n^2) */ - } -+ previous_tag = dp->tdir_tag; -+ if (fix >= tif->tif_nfields || -+ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) -+ fix = 0; /* O(n^2) */ - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; diff --git a/libtiff-ycbcr-clamp.patch b/libtiff-ycbcr-clamp.patch deleted file mode 100644 index fbd10bb..0000000 --- a/libtiff-ycbcr-clamp.patch +++ /dev/null @@ -1,35 +0,0 @@ -Using an array to clamp translated YCbCr values is insecure, because if the -TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB -values could be very far out of range (much further than the current array -size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in -favor of using a comparison-based macro to clamp. See RH bug #583081. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208 - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c ---- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500 -+++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400 -@@ -183,13 +183,18 @@ - TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, - uint32 *r, uint32 *g, uint32 *b) - { -+ int32 i; -+ - /* XXX: Only 8-bit YCbCr input supported for now */ - Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); - -- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; -- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] -- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; -- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; -+ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; -+ *r = CLAMP(i, 0, 255); -+ i = ycbcr->Y_tab[Y] -+ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); -+ *g = CLAMP(i, 0, 255); -+ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; -+ *b = CLAMP(i, 0, 255); - } - - /* diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index b7450c2..8637a08 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,23 +7,13 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff -Version: 3.9.4 +Version: 3.9.5 Release: 1%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz -Patch1: libtiff-acversion.patch -Patch2: libtiff-mantypo.patch -Patch3: libtiff-scanlinesize.patch -Patch4: libtiff-getimage-64bit.patch -Patch5: libtiff-ycbcr-clamp.patch -Patch6: libtiff-3samples.patch -Patch7: libtiff-subsampling.patch -Patch8: libtiff-unknown-fix.patch -Patch9: libtiff-checkbytecount.patch -Patch10: libtiff-tiffdump.patch Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch @@ -59,24 +49,12 @@ Group: Development/Libraries Static version of the MinGW Windows LibTIFF library. -%{_mingw32_debug_package} +%{?_mingw32_debug_package} %prep %setup -q -n tiff-%{version} -# Patches from the native Fedora package: -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 - # MinGW specific patches %patch100 -p0 @@ -130,6 +108,12 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Apr 25 2011 Kalev Lember - 3.9.5-1 +- Update to 3.9.5 +- Fixes CVE-2011-1167 (#689575) +- Dropped the patches from Fedora native libtiff package which are all now + incorporated in 3.9.5 + * Fri Jun 25 2010 Erik van Pienbroek - 3.9.4-1 - Update to 3.9.4 - Merged the native Fedora package changes up to 3.9.4-1 diff --git a/sources b/sources index a73728b..04027f5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz +8fc7ce3b4e1d0cc8a319336967815084 tiff-3.9.5.tar.gz From ce058df158ea761548d0e88578e22ca642b6066d Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Fri, 3 Jun 2011 23:27:14 +0300 Subject: [PATCH 12/14] Rebuilt with mingw32-libjpeg-turbo, dropped jpeg_boolean patch (#604702) --- libtiff-mingw32-libjpeg-7-compatibility.patch | 94 ------------------- mingw32-libtiff.spec | 10 +- 2 files changed, 4 insertions(+), 100 deletions(-) delete mode 100644 libtiff-mingw32-libjpeg-7-compatibility.patch diff --git a/libtiff-mingw32-libjpeg-7-compatibility.patch b/libtiff-mingw32-libjpeg-7-compatibility.patch deleted file mode 100644 index 9ecb365..0000000 --- a/libtiff-mingw32-libjpeg-7-compatibility.patch +++ /dev/null @@ -1,94 +0,0 @@ ---- libtiff/tif_jpeg.c.orig 2009-08-20 14:27:50.688881034 +0200 -+++ libtiff/tif_jpeg.c 2009-08-20 14:29:03.814866414 +0200 -@@ -288,20 +288,20 @@ - } - - static int --TIFFjpeg_set_quality(JPEGState* sp, int quality, boolean force_baseline) -+TIFFjpeg_set_quality(JPEGState* sp, int quality, jpeg_boolean force_baseline) - { - return CALLVJPEG(sp, - jpeg_set_quality(&sp->cinfo.c, quality, force_baseline)); - } - - static int --TIFFjpeg_suppress_tables(JPEGState* sp, boolean suppress) -+TIFFjpeg_suppress_tables(JPEGState* sp, jpeg_boolean suppress) - { - return CALLVJPEG(sp, jpeg_suppress_tables(&sp->cinfo.c, suppress)); - } - - static int --TIFFjpeg_start_compress(JPEGState* sp, boolean write_all_tables) -+TIFFjpeg_start_compress(JPEGState* sp, jpeg_boolean write_all_tables) - { - return CALLVJPEG(sp, - jpeg_start_compress(&sp->cinfo.c, write_all_tables)); -@@ -334,7 +334,7 @@ - } - - static int --TIFFjpeg_read_header(JPEGState* sp, boolean require_image) -+TIFFjpeg_read_header(JPEGState* sp, jpeg_boolean require_image) - { - return CALLJPEG(sp, -1, jpeg_read_header(&sp->cinfo.d, require_image)); - } -@@ -402,7 +402,7 @@ - sp->dest.free_in_buffer = (size_t) tif->tif_rawdatasize; - } - --static boolean -+static jpeg_boolean - std_empty_output_buffer(j_compress_ptr cinfo) - { - JPEGState* sp = (JPEGState*) cinfo; -@@ -453,7 +453,7 @@ - sp->dest.free_in_buffer = (size_t) sp->jpegtables_length; - } - --static boolean -+static jpeg_boolean - tables_empty_output_buffer(j_compress_ptr cinfo) - { - JPEGState* sp = (JPEGState*) cinfo; -@@ -519,7 +519,7 @@ - sp->src.bytes_in_buffer = (size_t) tif->tif_rawcc; - } - --static boolean -+static jpeg_boolean - std_fill_input_buffer(j_decompress_ptr cinfo) - { - JPEGState* sp = (JPEGState* ) cinfo; ---- libtiff/tif_ojpeg.c.orig 2010-06-25 14:42:58.387654713 +0200 -+++ libtiff/tif_ojpeg.c 2010-06-25 14:43:24.483651879 +0200 -@@ -383,9 +383,9 @@ - static void OJPEGLibjpegJpegErrorMgrOutputMessage(jpeg_common_struct* cinfo); - static void OJPEGLibjpegJpegErrorMgrErrorExit(jpeg_common_struct* cinfo); - static void OJPEGLibjpegJpegSourceMgrInitSource(jpeg_decompress_struct* cinfo); --static boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo); -+static jpeg_boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo); - static void OJPEGLibjpegJpegSourceMgrSkipInputData(jpeg_decompress_struct* cinfo, long num_bytes); --static boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired); -+static jpeg_boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired); - static void OJPEGLibjpegJpegSourceMgrTermSource(jpeg_decompress_struct* cinfo); - - int -@@ -2388,7 +2388,7 @@ - (void)cinfo; - } - --static boolean -+static jpeg_boolean - OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo) - { - TIFF* tif=(TIFF*)cinfo->client_data; -@@ -2414,7 +2414,7 @@ - jpeg_encap_unwind(tif); - } - --static boolean -+static jpeg_boolean - OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired) - { - TIFF* tif=(TIFF*)cinfo->client_data; diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index 8637a08..3e0f2c4 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -8,15 +8,13 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.9.5 -Release: 1%{?dist} +Release: 2%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz -Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch - BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -55,9 +53,6 @@ Static version of the MinGW Windows LibTIFF library. %prep %setup -q -n tiff-%{version} -# MinGW specific patches -%patch100 -p0 - # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -108,6 +103,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jun 03 2011 Kalev Lember - 3.9.5-2 +- Rebuilt with mingw32-libjpeg-turbo, dropped jpeg_boolean patch (#604702) + * Mon Apr 25 2011 Kalev Lember - 3.9.5-1 - Update to 3.9.5 - Fixes CVE-2011-1167 (#689575) From de6d40377fd65025cba54e7bff3eec64d3af51d2 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 13 Jan 2012 04:04:13 -0600 Subject: [PATCH 13/14] - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild --- mingw32-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index 3e0f2c4..e2fd932 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -8,7 +8,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.9.5 -Release: 2%{?dist} +Release: 3%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -103,6 +103,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jan 13 2012 Fedora Release Engineering - 3.9.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + * Fri Jun 03 2011 Kalev Lember - 3.9.5-2 - Rebuilt with mingw32-libjpeg-turbo, dropped jpeg_boolean patch (#604702) From 4b750af4c4f2ef0eb29eb77659ce4104029da9b1 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Tue, 28 Feb 2012 00:06:45 +0100 Subject: [PATCH 14/14] Rebuild against the mingw-w64 toolchain --- mingw32-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index e2fd932..ea5c579 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -8,7 +8,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.9.5 -Release: 3%{?dist} +Release: 4%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -103,6 +103,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Feb 27 2012 Erik van Pienbroek - 3.9.5-4 +- Rebuild against the mingw-w64 toolchain + * Fri Jan 13 2012 Fedora Release Engineering - 3.9.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild