From fe91584aba6e39d6f41d0d1f3e66f82e4622ca7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jason=20=E3=83=86=E3=82=A3=E3=83=93=E3=83=84?= Date: Mon, 8 Jun 2009 16:20:43 +0000 Subject: [PATCH 01/56] Setup of module mingw32-libtiff --- .cvsignore | 0 Makefile | 21 +++++++++++++++++++++ sources | 0 3 files changed, 21 insertions(+) create mode 100644 .cvsignore create mode 100644 Makefile create mode 100644 sources diff --git a/.cvsignore b/.cvsignore new file mode 100644 index 0000000..e69de29 diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..a211c7c --- /dev/null +++ b/Makefile @@ -0,0 +1,21 @@ +# Makefile for source rpm: mingw32-libtiff +# $Id$ +NAME := mingw32-libtiff +SPECFILE = $(firstword $(wildcard *.spec)) + +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attept a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) diff --git a/sources b/sources new file mode 100644 index 0000000..e69de29 From 4f3032ef6ea62543725f977657f60cdd493a2406 Mon Sep 17 00:00:00 2001 From: plouj Date: Mon, 8 Jun 2009 22:29:00 +0000 Subject: [PATCH 02/56] - initial devel branch CVS import --- .cvsignore | 1 + import.log | 1 + libtiff-3.8.2-CVE-2006-2193.patch | 11 + libtiff-3.8.2-lzw-bugs.patch | 58 +++ libtiff-3.8.2-ormandy.patch | 669 ++++++++++++++++++++++++++++++ mingw32-libtiff.spec | 359 ++++++++++++++++ sources | 1 + tiffsplit-overflow.patch | 22 + 8 files changed, 1122 insertions(+) create mode 100644 import.log create mode 100644 libtiff-3.8.2-CVE-2006-2193.patch create mode 100644 libtiff-3.8.2-lzw-bugs.patch create mode 100644 libtiff-3.8.2-ormandy.patch create mode 100644 mingw32-libtiff.spec create mode 100644 tiffsplit-overflow.patch diff --git a/.cvsignore b/.cvsignore index e69de29..d85724d 100644 --- a/.cvsignore +++ b/.cvsignore @@ -0,0 +1 @@ +tiff-3.8.2.tar.gz diff --git a/import.log b/import.log new file mode 100644 index 0000000..fef82dd --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +mingw32-libtiff-3_8_2-15_fc10:HEAD:mingw32-libtiff-3.8.2-15.fc10.src.rpm:1244499917 diff --git a/libtiff-3.8.2-CVE-2006-2193.patch b/libtiff-3.8.2-CVE-2006-2193.patch new file mode 100644 index 0000000..ffd81bf --- /dev/null +++ b/libtiff-3.8.2-CVE-2006-2193.patch @@ -0,0 +1,11 @@ +--- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100 ++++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200 +@@ -3668,7 +3668,7 @@ + written += TIFFWriteFile(output, (tdata_t) "(", 1); + for (i=0;idec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); + } + return (1); + } +@@ -408,12 +413,19 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -604,12 +616,19 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecodeCompat: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; diff --git a/libtiff-3.8.2-ormandy.patch b/libtiff-3.8.2-ormandy.patch new file mode 100644 index 0000000..cb55b03 --- /dev/null +++ b/libtiff-3.8.2-ormandy.patch @@ -0,0 +1,669 @@ +diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c +--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 +@@ -122,6 +122,7 @@ + { + static const char module[] = "_TIFFVSetField"; + ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; +@@ -195,10 +196,12 @@ + break; + case TIFFTAG_ORIENTATION: + v = va_arg(ap, uint32); ++ const TIFFFieldInfo* fip; + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { ++ fip = _TIFFFieldWithTag(tif, tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "Bad value %lu for \"%s\" tag ignored", +- v, _TIFFFieldWithTag(tif, tag)->field_name); ++ v, fip ? fip->field_name : "Unknown"); + } else + td->td_orientation = (uint16) v; + break; +@@ -387,11 +390,15 @@ + * happens, for example, when tiffcp is used to convert between + * compression schemes and codec-specific tags are blindly copied. + */ ++ /* ++ * better not dereference fip if it is NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + status = 0; + break; + } +@@ -468,7 +475,7 @@ + if (fip->field_type == TIFF_ASCII) + _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); + else { +- tv->value = _TIFFmalloc(tv_size * tv->count); ++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); + if (!tv->value) { + status = 0; + goto end; +@@ -563,7 +570,7 @@ + } + } + if (status) { +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ TIFFSetFieldBit(tif, fip->field_bit); + tif->tif_flags |= TIFF_DIRTYDIRECT; + } + +@@ -572,12 +579,12 @@ + return (status); + badvalue: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", +- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvalue32: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", +- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + } +@@ -813,12 +820,16 @@ + * If the client tries to get a tag that is not valid + * for the image's codec then we'll arrive here. + */ ++ /* ++ * dont dereference fip if it's NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) + { + TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + ret_val = 0; + break; + } +diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c +--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 +@@ -775,7 +775,8 @@ + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", + "Internal error, unknown tag 0x%x", + (unsigned int) tag); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +@@ -789,7 +790,8 @@ + if (!fip) { + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", + "Internal error, unknown tag %s", field_name); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c +--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 +@@ -29,6 +29,9 @@ + * + * Directory Read Support Routines. + */ ++ ++#include ++ + #include "tiffiop.h" + + #define IGNORE 0 /* tag placeholder used below */ +@@ -81,6 +84,7 @@ + uint16 dircount; + toff_t nextdiroff; + int diroutoforderwarning = 0; ++ int compressionknown = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -147,13 +151,20 @@ + } else { + toff_t off = tif->tif_diroff; + +- if (off + sizeof (uint16) > tif->tif_size) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "%s: Can not read TIFF directory count", +- tif->tif_name); +- return (0); ++ /* ++ * Check for integer overflow when validating the dir_off, otherwise ++ * a very high offset may cause an OOB read and crash the client. ++ * -- taviso@google.com, 14 Jun 2006. ++ */ ++ if (off + sizeof (uint16) > tif->tif_size || ++ off > (UINT_MAX - sizeof(uint16))) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Can not read TIFF directory count", ++ tif->tif_name); ++ return (0); + } else +- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); ++ _TIFFmemcpy(&dircount, tif->tif_base + off, ++ sizeof (uint16)); + off += sizeof (uint16); + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabShort(&dircount); +@@ -254,6 +265,7 @@ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; ++ + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { + +@@ -264,17 +276,23 @@ + dp->tdir_tag, + dp->tdir_tag, + dp->tdir_type); +- +- TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1 ); ++ /* ++ * creating anonymous fields prior to knowing the compression ++ * algorithm (ie, when the field info has been merged) could cause ++ * crashes with pathological directories. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (compressionknown) ++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), 1 ); ++ else goto ignore; ++ + fix = 0; + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; + } ++ + /* + * Null out old tags that we ignore. + */ +@@ -326,6 +344,7 @@ + dp->tdir_type, dp->tdir_offset); + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) + goto bad; ++ else compressionknown++; + break; + /* XXX: workaround for broken TIFFs */ + } else if (dp->tdir_type == TIFF_LONG) { +@@ -540,6 +559,7 @@ + * Attempt to deal with a missing StripByteCounts tag. + */ + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. In this case, assume there +@@ -556,7 +576,7 @@ + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + /* +@@ -580,6 +600,7 @@ + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Plexus (and others) sometimes give a value of zero for + * a tag when they don't know what the correct value is! Try +@@ -589,13 +610,14 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG + && td->td_nstrips > 2 + && td->td_compression == COMPRESSION_NONE + && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Some vendors fill StripByteCount array with absolutely + * wrong values (it can be equal to StripOffset array, for +@@ -604,7 +626,7 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -870,7 +892,13 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ ++ /* i is used to iterate over td->td_nstrips, so must be ++ * at least the same width. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); +@@ -947,16 +975,18 @@ + static int + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) + { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ + if (count > dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (0); + } else if (count < dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (1); + } +@@ -970,6 +1000,7 @@ + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) + { + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + tsize_t cc = dir->tdir_count * w; + + /* Check for overflow. */ +@@ -1013,7 +1044,7 @@ + bad: + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Error fetching data for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + return (tsize_t) 0; + } + +@@ -1039,10 +1070,12 @@ + static int + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) + { ++ const TIFFFieldInfo* fip; + if (denom == 0) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s: Rational with zero denominator (num = %lu)", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); ++ fip ? fip->field_name : "Unknown", num); + return (0); + } else { + if (dir->tdir_type == TIFF_RATIONAL) +@@ -1159,6 +1192,20 @@ + static int + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) + { ++ /* ++ * Prevent overflowing the v stack arrays below by performing a sanity ++ * check on tdir_count, this should never be greater than two. ++ * -- taviso@google.com 14 Jun 2006. ++ */ ++ if (dir->tdir_count > 2) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, ++ "unexpected count for field \"%s\", %lu, expected 2; ignored.", ++ fip ? fip->field_name : "Unknown", ++ dir->tdir_count); ++ return 0; ++ } ++ + switch (dir->tdir_type) { + case TIFF_BYTE: + case TIFF_SBYTE: +@@ -1329,14 +1376,15 @@ + case TIFF_DOUBLE: + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); + default: ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + /* TIFF_NOTYPE */ + /* TIFF_ASCII */ + /* TIFF_UNDEFINED */ + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", + dir->tdir_type, +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); +- return (0); ++ fip ? fip->field_name : "Unknown"); ++ return (0); } + } + return (1); + } +@@ -1351,6 +1399,9 @@ + int ok = 0; + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + ++ if (fip == NULL) { ++ return (0); ++ } + if (dp->tdir_count > 1) { /* array of values */ + char* cp = NULL; + +@@ -1493,6 +1544,7 @@ + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1510,9 +1562,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1534,6 +1587,7 @@ + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1551,9 +1605,10 @@ + check_count = samples; + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1574,6 +1629,7 @@ + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1591,9 +1647,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c +--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 +@@ -1136,6 +1136,7 @@ + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) + { + Fax3BaseState* sp = Fax3State(tif); ++ const TIFFFieldInfo* fip; + + assert(sp != 0); + assert(sp->vsetparent != 0); +@@ -1181,7 +1182,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c +--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 +@@ -722,15 +722,31 @@ + segment_width = TIFFhowmany(segment_width, sp->h_sampling); + segment_height = TIFFhowmany(segment_height, sp->v_sampling); + } +- if (sp->cinfo.d.image_width != segment_width || +- sp->cinfo.d.image_height != segment_height) { ++ if (sp->cinfo.d.image_width < segment_width || ++ sp->cinfo.d.image_height < segment_height) { + TIFFWarningExt(tif->tif_clientdata, module, + "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", + segment_width, + segment_height, + sp->cinfo.d.image_width, + sp->cinfo.d.image_height); ++ } ++ ++ if (sp->cinfo.d.image_width > segment_width || ++ sp->cinfo.d.image_height > segment_height) { ++ /* ++ * This case could be dangerous, if the strip or tile size has been ++ * reported as less than the amount of data jpeg will return, some ++ * potential security issues arise. Catch this case and error out. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "JPEG strip/tile size exceeds expected dimensions," ++ "expected %dx%d, got %dx%d", segment_width, segment_height, ++ sp->cinfo.d.image_width, sp->cinfo.d.image_height); ++ return (0); + } ++ + if (sp->cinfo.d.num_components != + (td->td_planarconfig == PLANARCONFIG_CONTIG ? + td->td_samplesperpixel : 1)) { +@@ -761,6 +777,22 @@ + sp->cinfo.d.comp_info[0].v_samp_factor, + sp->h_sampling, sp->v_sampling); + ++ /* ++ * There are potential security issues here for decoders that ++ * have already allocated buffers based on the expected sampling ++ * factors. Lets check the sampling factors dont exceed what ++ * we were expecting. ++ * -- taviso@google.com 14 June 2006 ++ */ ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || ++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot honour JPEG sampling factors that" ++ " exceed those specified."); ++ return (0); ++ } ++ ++ + /* + * XXX: Files written by the Intergraph software + * has different sampling factors stored in the +@@ -1521,15 +1553,18 @@ + { + JPEGState *sp = JState(tif); + +- assert(sp != 0); ++ /* assert(sp != 0); */ + + tif->tif_tagmethods.vgetfield = sp->vgetparent; + tif->tif_tagmethods.vsetfield = sp->vsetparent; + +- if( sp->cinfo_initialized ) +- TIFFjpeg_destroy(sp); /* release libjpeg resources */ +- if (sp->jpegtables) /* tag value */ +- _TIFFfree(sp->jpegtables); ++ if (sp != NULL) { ++ if( sp->cinfo_initialized ) ++ TIFFjpeg_destroy(sp); /* release libjpeg resources */ ++ if (sp->jpegtables) /* tag value */ ++ _TIFFfree(sp->jpegtables); ++ } ++ + _TIFFfree(tif->tif_data); /* release local state */ + tif->tif_data = NULL; + +@@ -1541,6 +1576,7 @@ + { + JPEGState* sp = JState(tif); + TIFFDirectory* td = &tif->tif_dir; ++ const TIFFFieldInfo* fip; + uint32 v32; + + assert(sp != NULL); +@@ -1606,7 +1642,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +@@ -1726,7 +1768,11 @@ + { + JPEGState* sp = JState(tif); + +- assert(sp != NULL); ++ /* assert(sp != NULL); */ ++ if (sp == NULL) { ++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); ++ return; ++ } + + (void) flags; + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) +diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c +--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 +@@ -105,11 +105,16 @@ + * as codes of the form + * until we've filled the scanline. + */ ++ /* ++ * Ensure the run does not exceed the scanline ++ * bounds, potentially resulting in a security issue. ++ * -- taviso@google.com 14 Jun 2006. ++ */ + op = row; + for (;;) { + grey = (n>>6) & 0x3; + n &= 0x3f; +- while (n-- > 0) ++ while (n-- > 0 && npixels < imagewidth) + SETPIXEL(op, grey); + if (npixels >= (int) imagewidth) + break; +diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c +--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 +@@ -768,7 +768,19 @@ + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabArrayOfShort(up, nsamples); + +- for (i = 0; i < nsamples; i += llen, up += llen) { ++ /* ++ * if llen is not an exact multiple of nsamples, the decode operation ++ * may overflow the output buffer, so truncate it enough to prevent that ++ * but still salvage as much data as possible. ++ * -- taviso@google.com 14th June 2006 ++ */ ++ if (nsamples % llen) ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: stride %lu is not a multiple of sample count, " ++ "%lu, data truncated.", tif->tif_name, llen, nsamples); ++ ++ ++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalAccumulateF(up, llen, sp->stride, +diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c +--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 +@@ -31,6 +31,8 @@ + #include "tiffiop.h" + #include + ++#include ++ + int TIFFFillStrip(TIFF*, tstrip_t); + int TIFFFillTile(TIFF*, ttile_t); + static int TIFFStartStrip(TIFF*, tstrip_t); +@@ -272,7 +274,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +478,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { + tif->tif_curtile = NOTILE; + return (0); + } diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec new file mode 100644 index 0000000..d7b3245 --- /dev/null +++ b/mingw32-libtiff.spec @@ -0,0 +1,359 @@ +%global __strip %{_mingw32_strip} +%global __objdump %{_mingw32_objdump} +%global _use_internal_dependency_generator 0 +%global __find_requires %{_mingw32_findrequires} +%global __find_provides %{_mingw32_findprovides} + +Summary: MinGW Windows port of the LibTIFF library +Name: mingw32-libtiff +Version: 3.8.2 +Release: 15%{?dist} +License: libtiff +Group: System Environment/Libraries +URL: http://www.libtiff.org/ + +Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz +Patch0: tiffsplit-overflow.patch +Patch1: libtiff-3.8.2-ormandy.patch +Patch2: libtiff-3.8.2-CVE-2006-2193.patch +Patch4: libtiff-3.8.2-lzw-bugs.patch + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root +BuildRequires: mingw32-zlib mingw32-libjpeg +BuildRequires: mingw32-filesystem >= 35 +BuildRequires: mingw32-gcc +BuildRequires: mingw32-binutils + +%description +The libtiff package contains a library of functions for manipulating +TIFF (Tagged Image File Format) image format files. TIFF is a widely +used file format for bitmapped images. TIFF files usually end in the +.tif extension and they are often quite large. + +The libtiff package should be installed if you need to manipulate TIFF +format image files. + +%prep +%setup -q -n tiff-%{version} + +# Patches from the native Fedora package: +%patch0 -p1 -b .overflow +%patch1 -p1 -b .ormandy +%patch2 -p1 -b .CVE-2006-2193 +%patch4 -p1 + +%build +export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing" +%{_mingw32_configure} --disable-static +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT +make DESTDIR=$RPM_BUILD_ROOT install + +# remove docs +rm -rf $RPM_BUILD_ROOT%{_mingw32_datadir}/doc +rm -rf $RPM_BUILD_ROOT%{_mingw32_mandir} + +# remove binaries +rm -f $RPM_BUILD_ROOT%{_mingw32_bindir}/*.exe + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +%doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog +%{_mingw32_bindir}/libtiff-3.dll +%{_mingw32_bindir}/libtiffxx-3.dll +%{_mingw32_includedir}/* +%{_mingw32_libdir}/libtiff.dll.a +%{_mingw32_libdir}/libtiffxx.dll.a +%{_mingw32_libdir}/libtiff.la +%{_mingw32_libdir}/libtiffxx.la + + +%changelog +* Fri Jun 5 2009 Michael Ploujnikov - 3.8.2-15 +- replace %%define with %%global as per Fedora packaging guidelines + +* Wed Jun 3 2009 Michael Ploujnikov - 3.8.2-14 +- cleanup based on initial review and help from Adam Goode: +- removed LIBVER define +- exported proper mingw32 cflags +- removed make check +- removed executables +- removed multilib stuff (irrelevant for mingw32) +- fixed defattr +- added .la files back in + +* Sun Mar 22 2009 Michael Ploujnikov - 3.8.2-13 +- Initial mingw32 build + +* Wed Feb 25 2009 Fedora Release Engineering - 3.8.2-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Aug 26 2008 Tom Lane 3.8.2-11 +- Fix LZW decoding vulnerabilities (CVE-2008-2327) +Related: #458674 +- Use -fno-strict-aliasing per rpmdiff recommendation + +* Tue Feb 19 2008 Fedora Release Engineering - 3.8.2-10 +- Autorebuild for GCC 4.3 + +* Wed Aug 22 2007 Tom Lane 3.8.2-9 +- Update License tag +- Rebuild to fix Fedora toolchain issues + +* Thu Jul 19 2007 Tom Lane 3.8.2-8 +- Restore static library to distribution, in a separate -static subpackage +Resolves: #219905 +- Don't apply multilib header hack to unrecognized architectures +Resolves: #233091 +- Remove documentation for programs we don't ship +Resolves: #205079 +Related: #185145 + +* Tue Jan 16 2007 Tom Lane 3.8.2-7 +- Remove Makefiles from the shipped /usr/share/doc/html directories +Resolves: bz #222729 + +* Tue Sep 5 2006 Jindrich Novy - 3.8.2-6 +- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362) +- fix typo in man page for tiffset (#186297) +- use %%{?dist} + +* Mon Jul 24 2006 Matthias Clasen +- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461 + CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) + +* Wed Jul 12 2006 Jesse Keating - 3.8.2-4.1 +- rebuild + +* Fri Jun 2 2006 Matthias Clasen - 3.8.2-3 +- Fix multilib conflict + +* Thu May 25 2006 Matthias Clasen - 3.8.2-3 +- Fix overflows in tiffsplit + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-2 +- Drop tiffgt to get rid of the libGL dependency (#190768) + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-1 +- Update to 3.8.2 + +* Fri Feb 10 2006 Jesse Keating - 3.7.4-3.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 3.7.4-3.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Wed Nov 16 2005 Matthias Clasen 3.7.4-3 +- Don't ship static libs + +* Fri Nov 11 2005 Matthias Saou 3.7.4-2 +- Remove useless explicit dependencies. +- Minor spec file cleanups. +- Move make check to %%check. +- Add _smp_mflags. + +* Thu Sep 29 2005 Matthias Clasen - 3.7.4-1 +- Update to 3.7.4 +- Drop upstreamed patches + +* Wed Jun 29 2005 Matthias Clasen - 3.7.2-1 +- Update to 3.7.2 +- Drop upstreamed patches + +* Fri May 6 2005 Matthias Clasen - 3.7.1-6 +- Fix a stack overflow + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-5 +- Don't use mktemp + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-4 +- Rebuild with gcc4 + +* Wed Jan 5 2005 Matthias Clasen - 3.7.1-3 +- Drop the largefile patch again +- Fix a problem with the handling of alpha channels +- Fix an integer overflow in tiffdump (#143576) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-2 +- Readd the largefile patch (#143560) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-1 +- Upgrade to 3.7.1 +- Remove upstreamed patches +- Remove specfile cruft +- make check + +* Thu Oct 14 2004 Matthias Clasen 3.6.1-7 +- fix some integer and buffer overflows (#134853, #134848) + +* Tue Oct 12 2004 Matthias Clasen 3.6.1-6 +- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483 + +* Mon Sep 27 2004 Rik van Riel 3.6.1-4 +- compile using RPM_OPT_FLAGS (bz #133650) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu May 20 2004 Matthias Clasen 3.6.1-2 +- Fix and use the makeflags patch + +* Wed May 19 2004 Matthias Clasen 3.6.1-1 +- Upgrade to 3.6.1 +- Adjust patches +- Don't install tiffgt man page (#104864) + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Sat Feb 21 2004 Florian La Roche +- really add symlink to shared lib by running ldconfig at compile time + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Oct 09 2003 Florian La Roche +- link shared lib against -lm (Jakub Jelinek) + +* Thu Sep 25 2003 Jeremy Katz 3.5.7-13 +- rebuild to fix gzipped file md5sum (#91281) + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Tue Feb 11 2003 Phil Knirsch 3.5.7-11 +- Fixed rebuild problems. + +* Tue Feb 04 2003 Florian La Roche +- add symlink to shared lib + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Thu Dec 12 2002 Tim Powers 3.5.7-8 +- rebuild on all arches + +* Mon Aug 19 2002 Phil Knirsch 3.5.7-7 +- Added LFS support (#71593) + +* Tue Jun 25 2002 Phil Knirsch 3.5.7-6 +- Fixed wrong exit code of tiffcp app (#67240) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Wed May 15 2002 Phil Knirsch +- Fixed segfault in fax2tiff tool (#64708). + +* Mon Feb 25 2002 Phil Knirsch +- Fixed problem with newer bash versions setting CDPATH (#59741) + +* Tue Feb 19 2002 Phil Knirsch +- Update to current release 3.5.7 + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Tue Aug 28 2001 Phil Knirsch +- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x + and ia64 were missing (#52129). + +* Tue Jun 26 2001 Philipp Knirsch +- Hopefully final symlink fix + +* Thu Jun 21 2001 Than Ngo +- add missing libtiff symlink + +* Fri Mar 16 2001 Crutcher Dunnavant +- killed tiff-to-ps.fpi filter + +* Wed Feb 28 2001 Philipp Knirsch +- Fixed missing devel version dependancy. + +* Tue Dec 19 2000 Philipp Knirsch +- rebuild + +* Tue Aug 7 2000 Crutcher Dunnavant +- added a tiff-to-ps.fpi filter for printing + +* Thu Jul 13 2000 Prospector +- automatic rebuild + +* Thu Jul 13 2000 Nalin Dahyabhai +- apply Peter Skarpetis's fix for the 32-bit conversion + +* Mon Jul 3 2000 Nalin Dahyabhai +- make man pages non-executable (#12811) + +* Mon Jun 12 2000 Nalin Dahyabhai +- remove CVS repo info from data directories + +* Thu May 18 2000 Nalin Dahyabhai +- fix build rooting +- fix syntax error in configure script +- move man pages to {_mandir} + +* Wed May 17 2000 Nalin Dahyabhai +- rebuild for an errata release + +* Wed Mar 29 2000 Nalin Dahyabhai +- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix + +* Tue Mar 28 2000 Nalin Dahyabhai +- fix fax2ps swapping height and width in the bounding box + +* Mon Mar 27 2000 Nalin Dahyabhai +- move man pages from devel package to the regular one +- integrate Frank Warmerdam's fixed .fax handling code (keep until next release + of libtiff) +- fix fax2ps breakage (bug #8345) + +* Sat Feb 05 2000 Nalin Dahyabhai +- set MANDIR=man3 to make multifunction man pages friendlier + +* Mon Jan 31 2000 Nalin Dahyabhai +- fix URLs + +* Fri Jan 28 2000 Nalin Dahyabhai +- link shared library against libjpeg and libz + +* Tue Jan 18 2000 Nalin Dahyabhai +- enable zip and jpeg codecs +- change defattr in normal package to 0755 +- add defattr to -devel package + +* Wed Dec 22 1999 Bill Nottingham +- update to 3.5.4 + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 6) + +* Wed Jan 13 1999 Cristian Gafton +- build for glibc 2.1 + +* Wed Jun 10 1998 Prospector System +- translations modified for de + +* Wed Jun 10 1998 Michael Fulbright +- rebuilt against fixed jpeg libs (libjpeg-6b) + +* Thu May 07 1998 Prospector System +- translations modified for de, fr, tr + +* Mon Oct 13 1997 Donnie Barnes +- new version to replace the one from libgr +- patched for glibc +- added shlib support diff --git a/sources b/sources index e69de29..1c867c8 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz diff --git a/tiffsplit-overflow.patch b/tiffsplit-overflow.patch new file mode 100644 index 0000000..36a613f --- /dev/null +++ b/tiffsplit-overflow.patch @@ -0,0 +1,22 @@ +--- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000 -0400 ++++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400 +@@ -60,14 +60,16 @@ + fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n"); + return (-3); + } +- if (argc > 2) +- strcpy(fname, argv[2]); ++ if (argc > 2) { ++ strncpy(fname, argv[2], 1024); ++ fname[1024] = '\0'; ++ } + in = TIFFOpen(argv[1], "r"); + if (in != NULL) { + do { + char path[1024+1]; + newfilename(); +- strcpy(path, fname); ++ strncpy(path, fname, 1020); + strcat(path, ".tif"); + out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); + if (out == NULL) From 121475f5fbfc9fbe9a7e84d2a97f7caebb9e1f28 Mon Sep 17 00:00:00 2001 From: plouj Date: Tue, 9 Jun 2009 01:58:34 +0000 Subject: [PATCH 03/56] - add mingw32-gcc-c++ to BuildRequires --- mingw32-libtiff.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index d7b3245..4a75cdc 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,7 +7,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 15%{?dist} +Release: 16%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.libtiff.org/ @@ -24,6 +24,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: mingw32-zlib mingw32-libjpeg BuildRequires: mingw32-filesystem >= 35 BuildRequires: mingw32-gcc +BuildRequires: mingw32-gcc-c++ BuildRequires: mingw32-binutils %description @@ -76,6 +77,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Jun 8 2009 Michael Ploujnikov - 3.8.2-16 +- add mingw32-gcc-c++ to the BuildRequirements + * Fri Jun 5 2009 Michael Ploujnikov - 3.8.2-15 - replace %%define with %%global as per Fedora packaging guidelines From 1aa6993d5e03254c5bb397efdcb63df5354c4592 Mon Sep 17 00:00:00 2001 From: plouj Date: Mon, 13 Jul 2009 23:09:30 +0000 Subject: [PATCH 04/56] - update upstream URL - Fix some more LZW decoding vulnerabilities (CVE-2009-2285) Related: #511015 --- libtiff-3.8.2-lzw-bugs.patch | 6 +++--- mingw32-libtiff.spec | 9 +++++++-- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/libtiff-3.8.2-lzw-bugs.patch b/libtiff-3.8.2-lzw-bugs.patch index 874e5e3..a0d46f2 100644 --- a/libtiff-3.8.2-lzw-bugs.patch +++ b/libtiff-3.8.2-lzw-bugs.patch @@ -1,4 +1,4 @@ -Fixes for CVE-2008-2327 +Fixes for CVE-2008-2327 and CVE-2009-2285 diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c @@ -27,7 +27,7 @@ diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c NextCode(tif, sp, bp, code, GetNextCode); if (code == CODE_EOI) break; -+ if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); @@ -47,7 +47,7 @@ diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c NextCode(tif, sp, bp, code, GetNextCodeCompat); if (code == CODE_EOI) break; -+ if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecodeCompat: Corrupted LZW table at scanline %d", + tif->tif_row); diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index 4a75cdc..c5f4846 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,10 +7,10 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 16%{?dist} +Release: 17%{?dist} License: libtiff Group: System Environment/Libraries -URL: http://www.libtiff.org/ +URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz Patch0: tiffsplit-overflow.patch @@ -77,6 +77,11 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Jul 13 2009 Michael Ploujnikov - 3.8.2-17 +- update upstream URL +- Fix some more LZW decoding vulnerabilities (CVE-2009-2285) +Related: #511015 + * Mon Jun 8 2009 Michael Ploujnikov - 3.8.2-16 - add mingw32-gcc-c++ to the BuildRequirements From 62882e325f9e860160c86959db1ae646d5a264ef Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Sat, 25 Jul 2009 14:25:36 +0000 Subject: [PATCH 05/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild --- mingw32-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index c5f4846..dab74ab 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,7 +7,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 17%{?dist} +Release: 18%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -77,6 +77,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sat Jul 25 2009 Fedora Release Engineering - 3.8.2-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + * Mon Jul 13 2009 Michael Ploujnikov - 3.8.2-17 - update upstream URL - Fix some more LZW decoding vulnerabilities (CVE-2009-2285) From fe87125459b1749787753c79053207e497e576ad Mon Sep 17 00:00:00 2001 From: epienbro Date: Fri, 28 Aug 2009 04:54:50 +0000 Subject: [PATCH 06/56] - Rebuild for minw32-libjpeg 7 - Automatically generate debuginfo subpackage - Added -static subpackage --- libtiff-mingw32-libjpeg-7-compatibility.patch | 62 +++++++++++++++++++ mingw32-libtiff.spec | 37 ++++++++++- 2 files changed, 97 insertions(+), 2 deletions(-) create mode 100644 libtiff-mingw32-libjpeg-7-compatibility.patch diff --git a/libtiff-mingw32-libjpeg-7-compatibility.patch b/libtiff-mingw32-libjpeg-7-compatibility.patch new file mode 100644 index 0000000..4cc6e28 --- /dev/null +++ b/libtiff-mingw32-libjpeg-7-compatibility.patch @@ -0,0 +1,62 @@ +--- libtiff/tif_jpeg.c.orig 2009-08-20 14:27:50.688881034 +0200 ++++ libtiff/tif_jpeg.c 2009-08-20 14:29:03.814866414 +0200 +@@ -288,20 +288,20 @@ + } + + static int +-TIFFjpeg_set_quality(JPEGState* sp, int quality, boolean force_baseline) ++TIFFjpeg_set_quality(JPEGState* sp, int quality, jpeg_boolean force_baseline) + { + return CALLVJPEG(sp, + jpeg_set_quality(&sp->cinfo.c, quality, force_baseline)); + } + + static int +-TIFFjpeg_suppress_tables(JPEGState* sp, boolean suppress) ++TIFFjpeg_suppress_tables(JPEGState* sp, jpeg_boolean suppress) + { + return CALLVJPEG(sp, jpeg_suppress_tables(&sp->cinfo.c, suppress)); + } + + static int +-TIFFjpeg_start_compress(JPEGState* sp, boolean write_all_tables) ++TIFFjpeg_start_compress(JPEGState* sp, jpeg_boolean write_all_tables) + { + return CALLVJPEG(sp, + jpeg_start_compress(&sp->cinfo.c, write_all_tables)); +@@ -334,7 +334,7 @@ + } + + static int +-TIFFjpeg_read_header(JPEGState* sp, boolean require_image) ++TIFFjpeg_read_header(JPEGState* sp, jpeg_boolean require_image) + { + return CALLJPEG(sp, -1, jpeg_read_header(&sp->cinfo.d, require_image)); + } +@@ -402,7 +402,7 @@ + sp->dest.free_in_buffer = (size_t) tif->tif_rawdatasize; + } + +-static boolean ++static jpeg_boolean + std_empty_output_buffer(j_compress_ptr cinfo) + { + JPEGState* sp = (JPEGState*) cinfo; +@@ -453,7 +453,7 @@ + sp->dest.free_in_buffer = (size_t) sp->jpegtables_length; + } + +-static boolean ++static jpeg_boolean + tables_empty_output_buffer(j_compress_ptr cinfo) + { + JPEGState* sp = (JPEGState*) cinfo; +@@ -519,7 +519,7 @@ + sp->src.bytes_in_buffer = (size_t) tif->tif_rawcc; + } + +-static boolean ++static jpeg_boolean + std_fill_input_buffer(j_decompress_ptr cinfo) + { + JPEGState* sp = (JPEGState* ) cinfo; diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index dab74ab..a0bb557 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -3,11 +3,12 @@ %global _use_internal_dependency_generator 0 %global __find_requires %{_mingw32_findrequires} %global __find_provides %{_mingw32_findprovides} +%define __debug_install_post %{_mingw32_debug_install_post} Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 18%{?dist} +Release: 19%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -18,6 +19,8 @@ Patch1: libtiff-3.8.2-ormandy.patch Patch2: libtiff-3.8.2-CVE-2006-2193.patch Patch4: libtiff-3.8.2-lzw-bugs.patch +Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch + BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -36,6 +39,19 @@ used file format for bitmapped images. TIFF files usually end in the The libtiff package should be installed if you need to manipulate TIFF format image files. + +%package static +Summary: Static version of the MinGW Windows LibTIFF library +Requires: %{name} = %{version}-%{release} +Group: Development/Libraries + +%description static +Static version of the MinGW Windows LibTIFF library. + + +%{_mingw32_debug_package} + + %prep %setup -q -n tiff-%{version} @@ -45,11 +61,16 @@ format image files. %patch2 -p1 -b .CVE-2006-2193 %patch4 -p1 +# MinGW specific patches +%patch100 -p0 + + %build export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing" -%{_mingw32_configure} --disable-static +%{_mingw32_configure} --enable-static --enable-shared make %{?_smp_mflags} + %install rm -rf $RPM_BUILD_ROOT make DESTDIR=$RPM_BUILD_ROOT install @@ -61,9 +82,11 @@ rm -rf $RPM_BUILD_ROOT%{_mingw32_mandir} # remove binaries rm -f $RPM_BUILD_ROOT%{_mingw32_bindir}/*.exe + %clean rm -rf $RPM_BUILD_ROOT + %files %defattr(-,root,root,-) %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog @@ -75,8 +98,18 @@ rm -rf $RPM_BUILD_ROOT %{_mingw32_libdir}/libtiff.la %{_mingw32_libdir}/libtiffxx.la +%files static +%defattr(-,root,root,-) +%{_mingw32_libdir}/libtiff.a +%{_mingw32_libdir}/libtiffxx.a + %changelog +* Thu Aug 27 2009 Erik van Pienbroek - 3.8.2-19 +- Rebuild for minw32-libjpeg 7 +- Automatically generate debuginfo subpackage +- Added -static subpackage + * Sat Jul 25 2009 Fedora Release Engineering - 3.8.2-18 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild From e142eb5c7e9dc921dbabeb4d865b75bc3f307ede Mon Sep 17 00:00:00 2001 From: epienbro Date: Fri, 18 Sep 2009 21:48:53 +0000 Subject: [PATCH 07/56] Rebuild because of broken mingw32-gcc/mingw32-binutils --- mingw32-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index a0bb557..a64c728 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -8,7 +8,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.8.2 -Release: 19%{?dist} +Release: 20%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -105,6 +105,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Sep 18 2009 Erik van Pienbroek - 3.8.2-20 +- Rebuild because of broken mingw32-gcc/mingw32-binutils + * Thu Aug 27 2009 Erik van Pienbroek - 3.8.2-19 - Rebuild for minw32-libjpeg 7 - Automatically generate debuginfo subpackage From c735ea2f00ad950701e5fc467098ed2c9899882e Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Wed, 25 Nov 2009 23:18:49 +0000 Subject: [PATCH 08/56] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index a211c7c..4bf07d2 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,10 @@ # Makefile for source rpm: mingw32-libtiff -# $Id$ +# $Id: Makefile,v 1.1 2009/06/08 16:20:43 tibbs Exp $ NAME := mingw32-libtiff SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From 6e63b9fa1bf916e620dc6a12c8f8e48e8192855a Mon Sep 17 00:00:00 2001 From: epienbro Date: Fri, 25 Jun 2010 12:48:14 +0000 Subject: [PATCH 09/56] - Update to 3.9.4 - Merged the native Fedora package changes up to 3.9.4-1 - Fixes CVE-2010-1411 (RHBZ #592361) and various other CVE's --- .cvsignore | 2 +- libtiff-3.8.2-CVE-2006-2193.patch | 11 - libtiff-3.8.2-lzw-bugs.patch | 58 -- libtiff-3.8.2-ormandy.patch | 669 ------------------ libtiff-3samples.patch | 21 + libtiff-acversion.patch | 16 + libtiff-checkbytecount.patch | 48 ++ libtiff-getimage-64bit.patch | 48 ++ libtiff-mantypo.patch | 17 + libtiff-mingw32-libjpeg-7-compatibility.patch | 32 + libtiff-scanlinesize.patch | 72 ++ libtiff-subsampling.patch | 51 ++ libtiff-tiffdump.patch | 35 + libtiff-unknown-fix.patch | 47 ++ libtiff-ycbcr-clamp.patch | 35 + mingw32-libtiff.spec | 48 +- sources | 2 +- tiffsplit-overflow.patch | 22 - 18 files changed, 463 insertions(+), 771 deletions(-) delete mode 100644 libtiff-3.8.2-CVE-2006-2193.patch delete mode 100644 libtiff-3.8.2-lzw-bugs.patch delete mode 100644 libtiff-3.8.2-ormandy.patch create mode 100644 libtiff-3samples.patch create mode 100644 libtiff-acversion.patch create mode 100644 libtiff-checkbytecount.patch create mode 100644 libtiff-getimage-64bit.patch create mode 100644 libtiff-mantypo.patch create mode 100644 libtiff-scanlinesize.patch create mode 100644 libtiff-subsampling.patch create mode 100644 libtiff-tiffdump.patch create mode 100644 libtiff-unknown-fix.patch create mode 100644 libtiff-ycbcr-clamp.patch delete mode 100644 tiffsplit-overflow.patch diff --git a/.cvsignore b/.cvsignore index d85724d..37e1552 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -tiff-3.8.2.tar.gz +tiff-3.9.4.tar.gz diff --git a/libtiff-3.8.2-CVE-2006-2193.patch b/libtiff-3.8.2-CVE-2006-2193.patch deleted file mode 100644 index ffd81bf..0000000 --- a/libtiff-3.8.2-CVE-2006-2193.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100 -+++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200 -@@ -3668,7 +3668,7 @@ - written += TIFFWriteFile(output, (tdata_t) "(", 1); - for (i=0;idec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); -+ /* -+ * Zero-out the unused entries -+ */ -+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); - } - return (1); - } -@@ -408,12 +413,19 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask-1; - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -+ if (code >= CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = (char)code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -604,12 +616,19 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -+ if (code >= CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecodeCompat: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = code, occ--; - oldcodep = sp->dec_codetab + code; - continue; diff --git a/libtiff-3.8.2-ormandy.patch b/libtiff-3.8.2-ormandy.patch deleted file mode 100644 index cb55b03..0000000 --- a/libtiff-3.8.2-ormandy.patch +++ /dev/null @@ -1,669 +0,0 @@ -diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c ---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 -@@ -122,6 +122,7 @@ - { - static const char module[] = "_TIFFVSetField"; - -+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); - TIFFDirectory* td = &tif->tif_dir; - int status = 1; - uint32 v32, i, v; -@@ -195,10 +196,12 @@ - break; - case TIFFTAG_ORIENTATION: - v = va_arg(ap, uint32); -+ const TIFFFieldInfo* fip; - if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { -+ fip = _TIFFFieldWithTag(tif, tag); - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "Bad value %lu for \"%s\" tag ignored", -- v, _TIFFFieldWithTag(tif, tag)->field_name); -+ v, fip ? fip->field_name : "Unknown"); - } else - td->td_orientation = (uint16) v; - break; -@@ -387,11 +390,15 @@ - * happens, for example, when tiffcp is used to convert between - * compression schemes and codec-specific tags are blindly copied. - */ -+ /* -+ * better not dereference fip if it is NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - status = 0; - break; - } -@@ -468,7 +475,7 @@ - if (fip->field_type == TIFF_ASCII) - _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); - else { -- tv->value = _TIFFmalloc(tv_size * tv->count); -+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); - if (!tv->value) { - status = 0; - goto end; -@@ -563,7 +570,7 @@ - } - } - if (status) { -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ TIFFSetFieldBit(tif, fip->field_bit); - tif->tif_flags |= TIFF_DIRTYDIRECT; - } - -@@ -572,12 +579,12 @@ - return (status); - badvalue: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", -- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - badvalue32: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", -- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - } -@@ -813,12 +820,16 @@ - * If the client tries to get a tag that is not valid - * for the image's codec then we'll arrive here. - */ -+ /* -+ * dont dereference fip if it's NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) - { - TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - ret_val = 0; - break; - } -diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c ---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 -@@ -775,7 +775,8 @@ - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", - "Internal error, unknown tag 0x%x", - (unsigned int) tag); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -@@ -789,7 +790,8 @@ - if (!fip) { - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", - "Internal error, unknown tag %s", field_name); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c ---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 -@@ -29,6 +29,9 @@ - * - * Directory Read Support Routines. - */ -+ -+#include -+ - #include "tiffiop.h" - - #define IGNORE 0 /* tag placeholder used below */ -@@ -81,6 +84,7 @@ - uint16 dircount; - toff_t nextdiroff; - int diroutoforderwarning = 0; -+ int compressionknown = 0; - toff_t* new_dirlist; - - tif->tif_diroff = tif->tif_nextdiroff; -@@ -147,13 +151,20 @@ - } else { - toff_t off = tif->tif_diroff; - -- if (off + sizeof (uint16) > tif->tif_size) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "%s: Can not read TIFF directory count", -- tif->tif_name); -- return (0); -+ /* -+ * Check for integer overflow when validating the dir_off, otherwise -+ * a very high offset may cause an OOB read and crash the client. -+ * -- taviso@google.com, 14 Jun 2006. -+ */ -+ if (off + sizeof (uint16) > tif->tif_size || -+ off > (UINT_MAX - sizeof(uint16))) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "%s: Can not read TIFF directory count", -+ tif->tif_name); -+ return (0); - } else -- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); -+ _TIFFmemcpy(&dircount, tif->tif_base + off, -+ sizeof (uint16)); - off += sizeof (uint16); - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabShort(&dircount); -@@ -254,6 +265,7 @@ - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; -+ - if (fix >= tif->tif_nfields || - tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { - -@@ -264,17 +276,23 @@ - dp->tdir_tag, - dp->tdir_tag, - dp->tdir_type); -- -- TIFFMergeFieldInfo(tif, -- _TIFFCreateAnonFieldInfo(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1 ); -+ /* -+ * creating anonymous fields prior to knowing the compression -+ * algorithm (ie, when the field info has been merged) could cause -+ * crashes with pathological directories. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (compressionknown) -+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, -+ (TIFFDataType) dp->tdir_type), 1 ); -+ else goto ignore; -+ - fix = 0; - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; - } -+ - /* - * Null out old tags that we ignore. - */ -@@ -326,6 +344,7 @@ - dp->tdir_type, dp->tdir_offset); - if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) - goto bad; -+ else compressionknown++; - break; - /* XXX: workaround for broken TIFFs */ - } else if (dp->tdir_type == TIFF_LONG) { -@@ -540,6 +559,7 @@ - * Attempt to deal with a missing StripByteCounts tag. - */ - if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * Some manufacturers violate the spec by not giving - * the size of the strips. In this case, assume there -@@ -556,7 +576,7 @@ - "%s: TIFF directory is missing required " - "\"%s\" field, calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - /* -@@ -580,6 +600,7 @@ - } else if (td->td_nstrips == 1 - && td->td_stripoffset[0] != 0 - && BYTECOUNTLOOKSBAD) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Plexus (and others) sometimes give a value of zero for - * a tag when they don't know what the correct value is! Try -@@ -589,13 +610,14 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if(EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } else if (td->td_planarconfig == PLANARCONFIG_CONTIG - && td->td_nstrips > 2 - && td->td_compression == COMPRESSION_NONE - && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Some vendors fill StripByteCount array with absolutely - * wrong values (it can be equal to StripOffset array, for -@@ -604,7 +626,7 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } -@@ -870,7 +892,13 @@ - - register TIFFDirEntry *dp; - register TIFFDirectory *td = &tif->tif_dir; -- uint16 i; -+ -+ /* i is used to iterate over td->td_nstrips, so must be -+ * at least the same width. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ -+ uint32 i; - - if (td->td_stripbytecount) - _TIFFfree(td->td_stripbytecount); -@@ -947,16 +975,18 @@ - static int - CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) - { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ - if (count > dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (0); - } else if (count < dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (1); - } -@@ -970,6 +1000,7 @@ - TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) - { - int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - tsize_t cc = dir->tdir_count * w; - - /* Check for overflow. */ -@@ -1013,7 +1044,7 @@ - bad: - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Error fetching data for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - return (tsize_t) 0; - } - -@@ -1039,10 +1070,12 @@ - static int - cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) - { -+ const TIFFFieldInfo* fip; - if (denom == 0) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s: Rational with zero denominator (num = %lu)", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); -+ fip ? fip->field_name : "Unknown", num); - return (0); - } else { - if (dir->tdir_type == TIFF_RATIONAL) -@@ -1159,6 +1192,20 @@ - static int - TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) - { -+ /* -+ * Prevent overflowing the v stack arrays below by performing a sanity -+ * check on tdir_count, this should never be greater than two. -+ * -- taviso@google.com 14 Jun 2006. -+ */ -+ if (dir->tdir_count > 2) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, -+ "unexpected count for field \"%s\", %lu, expected 2; ignored.", -+ fip ? fip->field_name : "Unknown", -+ dir->tdir_count); -+ return 0; -+ } -+ - switch (dir->tdir_type) { - case TIFF_BYTE: - case TIFF_SBYTE: -@@ -1329,14 +1376,15 @@ - case TIFF_DOUBLE: - return (TIFFFetchDoubleArray(tif, dir, (double*) v)); - default: -+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - /* TIFF_NOTYPE */ - /* TIFF_ASCII */ - /* TIFF_UNDEFINED */ - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "cannot read TIFF_ANY type %d for field \"%s\"", - dir->tdir_type, -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- return (0); -+ fip ? fip->field_name : "Unknown"); -+ return (0); } - } - return (1); - } -@@ -1351,6 +1399,9 @@ - int ok = 0; - const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); - -+ if (fip == NULL) { -+ return (0); -+ } - if (dp->tdir_count > 1) { /* array of values */ - char* cp = NULL; - -@@ -1493,6 +1544,7 @@ - TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1510,9 +1562,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1534,6 +1587,7 @@ - TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1551,9 +1605,10 @@ - check_count = samples; - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1574,6 +1629,7 @@ - TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1591,9 +1647,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c ---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 -@@ -1136,6 +1136,7 @@ - Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) - { - Fax3BaseState* sp = Fax3State(tif); -+ const TIFFFieldInfo* fip; - - assert(sp != 0); - assert(sp->vsetparent != 0); -@@ -1181,7 +1182,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c ---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 -@@ -722,15 +722,31 @@ - segment_width = TIFFhowmany(segment_width, sp->h_sampling); - segment_height = TIFFhowmany(segment_height, sp->v_sampling); - } -- if (sp->cinfo.d.image_width != segment_width || -- sp->cinfo.d.image_height != segment_height) { -+ if (sp->cinfo.d.image_width < segment_width || -+ sp->cinfo.d.image_height < segment_height) { - TIFFWarningExt(tif->tif_clientdata, module, - "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", - segment_width, - segment_height, - sp->cinfo.d.image_width, - sp->cinfo.d.image_height); -+ } -+ -+ if (sp->cinfo.d.image_width > segment_width || -+ sp->cinfo.d.image_height > segment_height) { -+ /* -+ * This case could be dangerous, if the strip or tile size has been -+ * reported as less than the amount of data jpeg will return, some -+ * potential security issues arise. Catch this case and error out. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "JPEG strip/tile size exceeds expected dimensions," -+ "expected %dx%d, got %dx%d", segment_width, segment_height, -+ sp->cinfo.d.image_width, sp->cinfo.d.image_height); -+ return (0); - } -+ - if (sp->cinfo.d.num_components != - (td->td_planarconfig == PLANARCONFIG_CONTIG ? - td->td_samplesperpixel : 1)) { -@@ -761,6 +777,22 @@ - sp->cinfo.d.comp_info[0].v_samp_factor, - sp->h_sampling, sp->v_sampling); - -+ /* -+ * There are potential security issues here for decoders that -+ * have already allocated buffers based on the expected sampling -+ * factors. Lets check the sampling factors dont exceed what -+ * we were expecting. -+ * -- taviso@google.com 14 June 2006 -+ */ -+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || -+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Cannot honour JPEG sampling factors that" -+ " exceed those specified."); -+ return (0); -+ } -+ -+ - /* - * XXX: Files written by the Intergraph software - * has different sampling factors stored in the -@@ -1521,15 +1553,18 @@ - { - JPEGState *sp = JState(tif); - -- assert(sp != 0); -+ /* assert(sp != 0); */ - - tif->tif_tagmethods.vgetfield = sp->vgetparent; - tif->tif_tagmethods.vsetfield = sp->vsetparent; - -- if( sp->cinfo_initialized ) -- TIFFjpeg_destroy(sp); /* release libjpeg resources */ -- if (sp->jpegtables) /* tag value */ -- _TIFFfree(sp->jpegtables); -+ if (sp != NULL) { -+ if( sp->cinfo_initialized ) -+ TIFFjpeg_destroy(sp); /* release libjpeg resources */ -+ if (sp->jpegtables) /* tag value */ -+ _TIFFfree(sp->jpegtables); -+ } -+ - _TIFFfree(tif->tif_data); /* release local state */ - tif->tif_data = NULL; - -@@ -1541,6 +1576,7 @@ - { - JPEGState* sp = JState(tif); - TIFFDirectory* td = &tif->tif_dir; -+ const TIFFFieldInfo* fip; - uint32 v32; - - assert(sp != NULL); -@@ -1606,7 +1642,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -@@ -1726,7 +1768,11 @@ - { - JPEGState* sp = JState(tif); - -- assert(sp != NULL); -+ /* assert(sp != NULL); */ -+ if (sp == NULL) { -+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); -+ return; -+ } - - (void) flags; - if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) -diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c ---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 -@@ -105,11 +105,16 @@ - * as codes of the form - * until we've filled the scanline. - */ -+ /* -+ * Ensure the run does not exceed the scanline -+ * bounds, potentially resulting in a security issue. -+ * -- taviso@google.com 14 Jun 2006. -+ */ - op = row; - for (;;) { - grey = (n>>6) & 0x3; - n &= 0x3f; -- while (n-- > 0) -+ while (n-- > 0 && npixels < imagewidth) - SETPIXEL(op, grey); - if (npixels >= (int) imagewidth) - break; -diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c ---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 -@@ -768,7 +768,19 @@ - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabArrayOfShort(up, nsamples); - -- for (i = 0; i < nsamples; i += llen, up += llen) { -+ /* -+ * if llen is not an exact multiple of nsamples, the decode operation -+ * may overflow the output buffer, so truncate it enough to prevent that -+ * but still salvage as much data as possible. -+ * -- taviso@google.com 14th June 2006 -+ */ -+ if (nsamples % llen) -+ TIFFWarningExt(tif->tif_clientdata, module, -+ "%s: stride %lu is not a multiple of sample count, " -+ "%lu, data truncated.", tif->tif_name, llen, nsamples); -+ -+ -+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { - switch (sp->user_datafmt) { - case PIXARLOGDATAFMT_FLOAT: - horizontalAccumulateF(up, llen, sp->stride, -diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c ---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 -@@ -31,6 +31,8 @@ - #include "tiffiop.h" - #include - -+#include -+ - int TIFFFillStrip(TIFF*, tstrip_t); - int TIFFFillTile(TIFF*, ttile_t); - static int TIFFStartStrip(TIFF*, tstrip_t); -@@ -272,7 +274,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { -+ /* -+ * This sanity check could potentially overflow, causing an OOB read. -+ * verify that offset + bytecount is > offset. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { - /* - * This error message might seem strange, but it's - * what would happen if a read were done instead. -@@ -470,7 +478,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { -+ /* -+ * We must check this calculation doesnt overflow, potentially -+ * causing an OOB read. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { - tif->tif_curtile = NOTILE; - return (0); - } diff --git a/libtiff-3samples.patch b/libtiff-3samples.patch new file mode 100644 index 0000000..c305bd0 --- /dev/null +++ b/libtiff-3samples.patch @@ -0,0 +1,21 @@ +Patch for bug #603081: failure to guard against bogus SamplesPerPixel +when converting a YCbCr image to RGB. + +This patch duplicates into PickContigCase() a safety check that already +existed in PickSeparateCase(). + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216 + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c +--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 ++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400 +@@ -2397,7 +2397,7 @@ + } + break; + case PHOTOMETRIC_YCBCR: +- if (img->bitspersample == 8) ++ if ((img->bitspersample==8) && (img->samplesperpixel==3)) + { + if (initYCbCrConversion(img)!=0) + { diff --git a/libtiff-acversion.patch b/libtiff-acversion.patch new file mode 100644 index 0000000..fc3a136 --- /dev/null +++ b/libtiff-acversion.patch @@ -0,0 +1,16 @@ +This patch is needed for building the package as of F-11. It can be +dropped whenever autoconf 2.63 is no longer used on any live branch. + + +diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac +--- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400 ++++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400 +@@ -24,7 +24,7 @@ + + dnl Process this file with autoconf to produce a configure script. + +-AC_PREREQ(2.64) ++AC_PREREQ(2.63) + AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff]) + AC_CONFIG_AUX_DIR(config) + AC_CONFIG_MACRO_DIR(m4) diff --git a/libtiff-checkbytecount.patch b/libtiff-checkbytecount.patch new file mode 100644 index 0000000..ecd8a9f --- /dev/null +++ b/libtiff-checkbytecount.patch @@ -0,0 +1,48 @@ +Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against +missing strip byte counts too. Testing shows that tiffsplit.c has an issue +too. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996 + + +diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c +--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400 ++++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400 +@@ -1920,6 +1920,10 @@ + sp->in_buffer_file_pos=0; + else + { ++ if (sp->tif->tif_dir.td_stripbytecount == 0) { ++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing"); ++ return(0); ++ } + sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; + if (sp->in_buffer_file_togo==0) + sp->in_buffer_file_pos=0; +diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c +--- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400 ++++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400 +@@ -237,7 +237,10 @@ + tstrip_t s, ns = TIFFNumberOfStrips(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n"); ++ return (0); ++ } + for (s = 0; s < ns; s++) { + if (bytecounts[s] > (uint32)bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]); +@@ -267,7 +270,10 @@ + ttile_t t, nt = TIFFNumberOfTiles(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n"); ++ return (0); ++ } + for (t = 0; t < nt; t++) { + if (bytecounts[t] > (uint32) bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]); diff --git a/libtiff-getimage-64bit.patch b/libtiff-getimage-64bit.patch new file mode 100644 index 0000000..2f3d68e --- /dev/null +++ b/libtiff-getimage-64bit.patch @@ -0,0 +1,48 @@ +Fix misbehavior on 64-bit machines when trying to flip a downsampled image +vertically: unsigned ints will be widened to 64 bits the wrong way. +See RH bug #583081. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207 + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c +--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 ++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400 +@@ -1846,6 +1846,7 @@ + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32* cp2; ++ int32 incr = 2*toskew+w; + (void) y; + fromskew = (fromskew / 2) * 6; + cp2 = cp+w+toskew; +@@ -1872,8 +1873,8 @@ + cp2 ++ ; + pp += 6; + } +- cp += toskew*2+w; +- cp2 += toskew*2+w; ++ cp += incr; ++ cp2 += incr; + pp += fromskew; + h-=2; + } +@@ -1939,6 +1940,7 @@ + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32* cp2; ++ int32 incr = 2*toskew+w; + (void) y; + fromskew = (fromskew / 2) * 4; + cp2 = cp+w+toskew; +@@ -1953,8 +1955,8 @@ + cp2 ++; + pp += 4; + } while (--x); +- cp += toskew*2+w; +- cp2 += toskew*2+w; ++ cp += incr; ++ cp2 += incr; + pp += fromskew; + h-=2; + } diff --git a/libtiff-mantypo.patch b/libtiff-mantypo.patch new file mode 100644 index 0000000..c7e91b4 --- /dev/null +++ b/libtiff-mantypo.patch @@ -0,0 +1,17 @@ +Minor typo, reported upstream at +http://bugzilla.maptools.org/show_bug.cgi?id=2129 +This patch should not be needed as of libtiff 4.0. + + +diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1 +--- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400 ++++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500 +@@ -60,7 +60,7 @@ + ``Anonymous'': + .RS + .nf +-tiffset \-s 305 Anonymous a.tif ++tiffset \-s 315 Anonymous a.tif + .fi + .RE + .PP diff --git a/libtiff-mingw32-libjpeg-7-compatibility.patch b/libtiff-mingw32-libjpeg-7-compatibility.patch index 4cc6e28..9ecb365 100644 --- a/libtiff-mingw32-libjpeg-7-compatibility.patch +++ b/libtiff-mingw32-libjpeg-7-compatibility.patch @@ -60,3 +60,35 @@ std_fill_input_buffer(j_decompress_ptr cinfo) { JPEGState* sp = (JPEGState* ) cinfo; +--- libtiff/tif_ojpeg.c.orig 2010-06-25 14:42:58.387654713 +0200 ++++ libtiff/tif_ojpeg.c 2010-06-25 14:43:24.483651879 +0200 +@@ -383,9 +383,9 @@ + static void OJPEGLibjpegJpegErrorMgrOutputMessage(jpeg_common_struct* cinfo); + static void OJPEGLibjpegJpegErrorMgrErrorExit(jpeg_common_struct* cinfo); + static void OJPEGLibjpegJpegSourceMgrInitSource(jpeg_decompress_struct* cinfo); +-static boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo); ++static jpeg_boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo); + static void OJPEGLibjpegJpegSourceMgrSkipInputData(jpeg_decompress_struct* cinfo, long num_bytes); +-static boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired); ++static jpeg_boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired); + static void OJPEGLibjpegJpegSourceMgrTermSource(jpeg_decompress_struct* cinfo); + + int +@@ -2388,7 +2388,7 @@ + (void)cinfo; + } + +-static boolean ++static jpeg_boolean + OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo) + { + TIFF* tif=(TIFF*)cinfo->client_data; +@@ -2414,7 +2414,7 @@ + jpeg_encap_unwind(tif); + } + +-static boolean ++static jpeg_boolean + OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired) + { + TIFF* tif=(TIFF*)cinfo->client_data; diff --git a/libtiff-scanlinesize.patch b/libtiff-scanlinesize.patch new file mode 100644 index 0000000..57fe809 --- /dev/null +++ b/libtiff-scanlinesize.patch @@ -0,0 +1,72 @@ +Partial fix for issues filed upstream at +http://bugzilla.maptools.org/show_bug.cgi?id=2140 +This stops the tiffcmp core dump noted in bug #460322, but isn't enough +to make tiffcmp return the right answer (it emits a bunch of error +messages instead). + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c +--- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400 ++++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500 +@@ -988,8 +988,15 @@ + tsize_t nrows; + (void) s; + +- /* data is expected to be read in multiples of a scanline */ +- if ( (nrows = sp->cinfo.d.image_height) ) { ++ nrows = cc / sp->bytesperline; ++ if (cc % sp->bytesperline) ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read"); ++ ++ if( nrows > (int) sp->cinfo.d.image_height ) ++ nrows = sp->cinfo.d.image_height; ++ ++ /* data is expected to be read in multiples of a scanline */ ++ if (nrows) { + /* Cb,Cr both have sampling factors 1, so this is correct */ + JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width; + int samples_per_clump = sp->samplesperclump; +@@ -1087,8 +1094,7 @@ + * TODO: resolve this */ + buf += sp->bytesperline; + cc -= sp->bytesperline; +- nrows -= sp->v_sampling; +- } while (nrows > 0); ++ } while (--nrows > 0); + + #ifdef JPEG_LIB_MK1 + _TIFFfree(tmpbuf); +diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c +--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500 +@@ -238,23 +238,19 @@ + ycbcrsubsampling + 0, + ycbcrsubsampling + 1); + +- if (ycbcrsubsampling[0] == 0) { ++ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Invalid YCbCr subsampling"); + return 0; + } + +- scanline = TIFFroundup(td->td_imagewidth, ++ /* number of sample clumps per line */ ++ scanline = TIFFhowmany(td->td_imagewidth, + ycbcrsubsampling[0]); +- scanline = TIFFhowmany8(multiply(tif, scanline, +- td->td_bitspersample, +- "TIFFScanlineSize")); +- return ((tsize_t) +- summarize(tif, scanline, +- multiply(tif, 2, +- scanline / ycbcrsubsampling[0], +- "TIFFVStripSize"), +- "TIFFVStripSize")); ++ /* number of samples per line */ ++ scanline = multiply(tif, scanline, ++ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2, ++ "TIFFScanlineSize"); + } else { + scanline = multiply(tif, td->td_imagewidth, + td->td_samplesperpixel, diff --git a/libtiff-subsampling.patch b/libtiff-subsampling.patch new file mode 100644 index 0000000..a44406b --- /dev/null +++ b/libtiff-subsampling.patch @@ -0,0 +1,51 @@ +Use the spec-mandated default YCbCrSubSampling values in strip size +calculations, if the YCBCRSUBSAMPLING tag hasn't been provided. +See bug #603703. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215 + +NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues. + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c +--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400 +@@ -124,9 +124,9 @@ + uint16 ycbcrsubsampling[2]; + tsize_t w, scanline, samplingarea; + +- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1 ); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; + if (samplingarea == 0) { +@@ -234,9 +234,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +@@ -308,9 +308,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, diff --git a/libtiff-tiffdump.patch b/libtiff-tiffdump.patch new file mode 100644 index 0000000..cb77796 --- /dev/null +++ b/libtiff-tiffdump.patch @@ -0,0 +1,35 @@ +Make tiffdump more paranoid about checking the count field of a directory +entry. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218 + + +diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c +--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400 ++++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400 +@@ -46,6 +46,7 @@ + # include + #endif + ++#include "tiffiop.h" + #include "tiffio.h" + + #ifndef O_BINARY +@@ -317,7 +318,7 @@ + printf(">\n"); + continue; + } +- space = dp->tdir_count * datawidth[dp->tdir_type]; ++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); + if (space <= 0) { + printf(">\n"); + Error("Invalid count for tag %u", dp->tdir_tag); +@@ -709,7 +710,7 @@ + w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); + cc = dir->tdir_count * w; + if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 +- && read(fd, cp, cc) != -1) { ++ && read(fd, cp, cc) == cc) { + if (swabflag) { + switch (dir->tdir_type) { + case TIFF_SHORT: diff --git a/libtiff-unknown-fix.patch b/libtiff-unknown-fix.patch new file mode 100644 index 0000000..5c3b32e --- /dev/null +++ b/libtiff-unknown-fix.patch @@ -0,0 +1,47 @@ +Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to +sometimes complain about out-of-order tags when there weren't really any. +Fix by decoupling that logic from the tag search logic. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210 + + +diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c +--- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400 ++++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400 +@@ -83,6 +83,7 @@ + const TIFFFieldInfo* fip; + size_t fix; + uint16 dircount; ++ uint16 previous_tag = 0; + int diroutoforderwarning = 0, compressionknown = 0; + int haveunknowntags = 0; + +@@ -163,23 +164,24 @@ + + if (dp->tdir_tag == IGNORE) + continue; +- if (fix >= tif->tif_nfields) +- fix = 0; + + /* + * Silicon Beach (at least) writes unordered + * directory tags (violating the spec). Handle + * it here, but be obnoxious (maybe they'll fix it?). + */ +- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { ++ if (dp->tdir_tag < previous_tag) { + if (!diroutoforderwarning) { + TIFFWarningExt(tif->tif_clientdata, module, + "%s: invalid TIFF directory; tags are not sorted in ascending order", + tif->tif_name); + diroutoforderwarning = 1; + } +- fix = 0; /* O(n^2) */ + } ++ previous_tag = dp->tdir_tag; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; diff --git a/libtiff-ycbcr-clamp.patch b/libtiff-ycbcr-clamp.patch new file mode 100644 index 0000000..fbd10bb --- /dev/null +++ b/libtiff-ycbcr-clamp.patch @@ -0,0 +1,35 @@ +Using an array to clamp translated YCbCr values is insecure, because if the +TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB +values could be very far out of range (much further than the current array +size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in +favor of using a comparison-based macro to clamp. See RH bug #583081. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208 + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c +--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400 +@@ -183,13 +183,18 @@ + TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, + uint32 *r, uint32 *g, uint32 *b) + { ++ int32 i; ++ + /* XXX: Only 8-bit YCbCr input supported for now */ + Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); + +- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; +- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] +- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; +- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; ++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; ++ *r = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] ++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); ++ *g = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; ++ *b = CLAMP(i, 0, 255); + } + + /* diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index a64c728..b7450c2 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,17 +7,23 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff -Version: 3.8.2 -Release: 20%{?dist} +Version: 3.9.4 +Release: 1%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz -Patch0: tiffsplit-overflow.patch -Patch1: libtiff-3.8.2-ormandy.patch -Patch2: libtiff-3.8.2-CVE-2006-2193.patch -Patch4: libtiff-3.8.2-lzw-bugs.patch +Patch1: libtiff-acversion.patch +Patch2: libtiff-mantypo.patch +Patch3: libtiff-scanlinesize.patch +Patch4: libtiff-getimage-64bit.patch +Patch5: libtiff-ycbcr-clamp.patch +Patch6: libtiff-3samples.patch +Patch7: libtiff-subsampling.patch +Patch8: libtiff-unknown-fix.patch +Patch9: libtiff-checkbytecount.patch +Patch10: libtiff-tiffdump.patch Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch @@ -29,6 +35,10 @@ BuildRequires: mingw32-filesystem >= 35 BuildRequires: mingw32-gcc BuildRequires: mingw32-gcc-c++ BuildRequires: mingw32-binutils +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool + %description The libtiff package contains a library of functions for manipulating @@ -56,14 +66,29 @@ Static version of the MinGW Windows LibTIFF library. %setup -q -n tiff-%{version} # Patches from the native Fedora package: -%patch0 -p1 -b .overflow -%patch1 -p1 -b .ormandy -%patch2 -p1 -b .CVE-2006-2193 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 # MinGW specific patches %patch100 -p0 +# Use build system's libtool.m4, not the one in the package. +rm -f libtool.m4 + +libtoolize --force --copy +aclocal -I . -I m4 +automake --add-missing --copy +autoconf +autoheader + %build export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing" @@ -105,6 +130,11 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jun 25 2010 Erik van Pienbroek - 3.9.4-1 +- Update to 3.9.4 +- Merged the native Fedora package changes up to 3.9.4-1 +- Fixes CVE-2010-1411 (RHBZ #592361) and various other CVE's + * Fri Sep 18 2009 Erik van Pienbroek - 3.8.2-20 - Rebuild because of broken mingw32-gcc/mingw32-binutils diff --git a/sources b/sources index 1c867c8..a73728b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz +2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz diff --git a/tiffsplit-overflow.patch b/tiffsplit-overflow.patch deleted file mode 100644 index 36a613f..0000000 --- a/tiffsplit-overflow.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000 -0400 -+++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400 -@@ -60,14 +60,16 @@ - fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n"); - return (-3); - } -- if (argc > 2) -- strcpy(fname, argv[2]); -+ if (argc > 2) { -+ strncpy(fname, argv[2], 1024); -+ fname[1024] = '\0'; -+ } - in = TIFFOpen(argv[1], "r"); - if (in != NULL) { - do { - char path[1024+1]; - newfilename(); -- strcpy(path, fname); -+ strncpy(path, fname, 1020); - strcat(path, ".tif"); - out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); - if (out == NULL) From 6513719e9858e3b4a07fa34899bc05733f749972 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 03:21:25 +0000 Subject: [PATCH 10/56] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- import.log | 1 - 3 files changed, 22 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 import.log diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 4bf07d2..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for source rpm: mingw32-libtiff -# $Id: Makefile,v 1.1 2009/06/08 16:20:43 tibbs Exp $ -NAME := mingw32-libtiff -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attept a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) diff --git a/import.log b/import.log deleted file mode 100644 index fef82dd..0000000 --- a/import.log +++ /dev/null @@ -1 +0,0 @@ -mingw32-libtiff-3_8_2-15_fc10:HEAD:mingw32-libtiff-3.8.2-15.fc10.src.rpm:1244499917 From 6d64a60e6660af18e7f03e052ea32b7a7c17c7c4 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Mon, 25 Apr 2011 11:07:17 +0300 Subject: [PATCH 11/56] Update to 3.9.5 - Fixes CVE-2011-1167 (#689575) - Dropped the patches from Fedora native libtiff package which are all now incorporated in 3.9.5 --- .gitignore | 1 + libtiff-3samples.patch | 21 ----------- libtiff-acversion.patch | 16 -------- libtiff-checkbytecount.patch | 48 ------------------------ libtiff-getimage-64bit.patch | 48 ------------------------ libtiff-mantypo.patch | 17 --------- libtiff-scanlinesize.patch | 72 ------------------------------------ libtiff-subsampling.patch | 51 ------------------------- libtiff-tiffdump.patch | 35 ------------------ libtiff-unknown-fix.patch | 47 ----------------------- libtiff-ycbcr-clamp.patch | 35 ------------------ mingw32-libtiff.spec | 32 ++++------------ sources | 2 +- 13 files changed, 10 insertions(+), 415 deletions(-) delete mode 100644 libtiff-3samples.patch delete mode 100644 libtiff-acversion.patch delete mode 100644 libtiff-checkbytecount.patch delete mode 100644 libtiff-getimage-64bit.patch delete mode 100644 libtiff-mantypo.patch delete mode 100644 libtiff-scanlinesize.patch delete mode 100644 libtiff-subsampling.patch delete mode 100644 libtiff-tiffdump.patch delete mode 100644 libtiff-unknown-fix.patch delete mode 100644 libtiff-ycbcr-clamp.patch diff --git a/.gitignore b/.gitignore index 37e1552..7992c78 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ tiff-3.9.4.tar.gz +/tiff-3.9.5.tar.gz diff --git a/libtiff-3samples.patch b/libtiff-3samples.patch deleted file mode 100644 index c305bd0..0000000 --- a/libtiff-3samples.patch +++ /dev/null @@ -1,21 +0,0 @@ -Patch for bug #603081: failure to guard against bogus SamplesPerPixel -when converting a YCbCr image to RGB. - -This patch duplicates into PickContigCase() a safety check that already -existed in PickSeparateCase(). - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216 - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c ---- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 -+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400 -@@ -2397,7 +2397,7 @@ - } - break; - case PHOTOMETRIC_YCBCR: -- if (img->bitspersample == 8) -+ if ((img->bitspersample==8) && (img->samplesperpixel==3)) - { - if (initYCbCrConversion(img)!=0) - { diff --git a/libtiff-acversion.patch b/libtiff-acversion.patch deleted file mode 100644 index fc3a136..0000000 --- a/libtiff-acversion.patch +++ /dev/null @@ -1,16 +0,0 @@ -This patch is needed for building the package as of F-11. It can be -dropped whenever autoconf 2.63 is no longer used on any live branch. - - -diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac ---- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400 -+++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400 -@@ -24,7 +24,7 @@ - - dnl Process this file with autoconf to produce a configure script. - --AC_PREREQ(2.64) -+AC_PREREQ(2.63) - AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff]) - AC_CONFIG_AUX_DIR(config) - AC_CONFIG_MACRO_DIR(m4) diff --git a/libtiff-checkbytecount.patch b/libtiff-checkbytecount.patch deleted file mode 100644 index ecd8a9f..0000000 --- a/libtiff-checkbytecount.patch +++ /dev/null @@ -1,48 +0,0 @@ -Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against -missing strip byte counts too. Testing shows that tiffsplit.c has an issue -too. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996 - - -diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c ---- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400 -+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400 -@@ -1920,6 +1920,10 @@ - sp->in_buffer_file_pos=0; - else - { -+ if (sp->tif->tif_dir.td_stripbytecount == 0) { -+ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing"); -+ return(0); -+ } - sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; - if (sp->in_buffer_file_togo==0) - sp->in_buffer_file_pos=0; -diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c ---- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400 -+++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400 -@@ -237,7 +237,10 @@ - tstrip_t s, ns = TIFFNumberOfStrips(in); - uint32 *bytecounts; - -- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts); -+ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) { -+ fprintf(stderr, "tiffsplit: strip byte counts are missing\n"); -+ return (0); -+ } - for (s = 0; s < ns; s++) { - if (bytecounts[s] > (uint32)bufsize) { - buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]); -@@ -267,7 +270,10 @@ - ttile_t t, nt = TIFFNumberOfTiles(in); - uint32 *bytecounts; - -- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts); -+ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) { -+ fprintf(stderr, "tiffsplit: tile byte counts are missing\n"); -+ return (0); -+ } - for (t = 0; t < nt; t++) { - if (bytecounts[t] > (uint32) bufsize) { - buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]); diff --git a/libtiff-getimage-64bit.patch b/libtiff-getimage-64bit.patch deleted file mode 100644 index 2f3d68e..0000000 --- a/libtiff-getimage-64bit.patch +++ /dev/null @@ -1,48 +0,0 @@ -Fix misbehavior on 64-bit machines when trying to flip a downsampled image -vertically: unsigned ints will be widened to 64 bits the wrong way. -See RH bug #583081. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207 - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c ---- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 -+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400 -@@ -1846,6 +1846,7 @@ - DECLAREContigPutFunc(putcontig8bitYCbCr22tile) - { - uint32* cp2; -+ int32 incr = 2*toskew+w; - (void) y; - fromskew = (fromskew / 2) * 6; - cp2 = cp+w+toskew; -@@ -1872,8 +1873,8 @@ - cp2 ++ ; - pp += 6; - } -- cp += toskew*2+w; -- cp2 += toskew*2+w; -+ cp += incr; -+ cp2 += incr; - pp += fromskew; - h-=2; - } -@@ -1939,6 +1940,7 @@ - DECLAREContigPutFunc(putcontig8bitYCbCr12tile) - { - uint32* cp2; -+ int32 incr = 2*toskew+w; - (void) y; - fromskew = (fromskew / 2) * 4; - cp2 = cp+w+toskew; -@@ -1953,8 +1955,8 @@ - cp2 ++; - pp += 4; - } while (--x); -- cp += toskew*2+w; -- cp2 += toskew*2+w; -+ cp += incr; -+ cp2 += incr; - pp += fromskew; - h-=2; - } diff --git a/libtiff-mantypo.patch b/libtiff-mantypo.patch deleted file mode 100644 index c7e91b4..0000000 --- a/libtiff-mantypo.patch +++ /dev/null @@ -1,17 +0,0 @@ -Minor typo, reported upstream at -http://bugzilla.maptools.org/show_bug.cgi?id=2129 -This patch should not be needed as of libtiff 4.0. - - -diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1 ---- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400 -+++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500 -@@ -60,7 +60,7 @@ - ``Anonymous'': - .RS - .nf --tiffset \-s 305 Anonymous a.tif -+tiffset \-s 315 Anonymous a.tif - .fi - .RE - .PP diff --git a/libtiff-scanlinesize.patch b/libtiff-scanlinesize.patch deleted file mode 100644 index 57fe809..0000000 --- a/libtiff-scanlinesize.patch +++ /dev/null @@ -1,72 +0,0 @@ -Partial fix for issues filed upstream at -http://bugzilla.maptools.org/show_bug.cgi?id=2140 -This stops the tiffcmp core dump noted in bug #460322, but isn't enough -to make tiffcmp return the right answer (it emits a bunch of error -messages instead). - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c ---- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400 -+++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500 -@@ -988,8 +988,15 @@ - tsize_t nrows; - (void) s; - -- /* data is expected to be read in multiples of a scanline */ -- if ( (nrows = sp->cinfo.d.image_height) ) { -+ nrows = cc / sp->bytesperline; -+ if (cc % sp->bytesperline) -+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read"); -+ -+ if( nrows > (int) sp->cinfo.d.image_height ) -+ nrows = sp->cinfo.d.image_height; -+ -+ /* data is expected to be read in multiples of a scanline */ -+ if (nrows) { - /* Cb,Cr both have sampling factors 1, so this is correct */ - JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width; - int samples_per_clump = sp->samplesperclump; -@@ -1087,8 +1094,7 @@ - * TODO: resolve this */ - buf += sp->bytesperline; - cc -= sp->bytesperline; -- nrows -= sp->v_sampling; -- } while (nrows > 0); -+ } while (--nrows > 0); - - #ifdef JPEG_LIB_MK1 - _TIFFfree(tmpbuf); -diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c ---- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 -+++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500 -@@ -238,23 +238,19 @@ - ycbcrsubsampling + 0, - ycbcrsubsampling + 1); - -- if (ycbcrsubsampling[0] == 0) { -+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Invalid YCbCr subsampling"); - return 0; - } - -- scanline = TIFFroundup(td->td_imagewidth, -+ /* number of sample clumps per line */ -+ scanline = TIFFhowmany(td->td_imagewidth, - ycbcrsubsampling[0]); -- scanline = TIFFhowmany8(multiply(tif, scanline, -- td->td_bitspersample, -- "TIFFScanlineSize")); -- return ((tsize_t) -- summarize(tif, scanline, -- multiply(tif, 2, -- scanline / ycbcrsubsampling[0], -- "TIFFVStripSize"), -- "TIFFVStripSize")); -+ /* number of samples per line */ -+ scanline = multiply(tif, scanline, -+ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2, -+ "TIFFScanlineSize"); - } else { - scanline = multiply(tif, td->td_imagewidth, - td->td_samplesperpixel, diff --git a/libtiff-subsampling.patch b/libtiff-subsampling.patch deleted file mode 100644 index a44406b..0000000 --- a/libtiff-subsampling.patch +++ /dev/null @@ -1,51 +0,0 @@ -Use the spec-mandated default YCbCrSubSampling values in strip size -calculations, if the YCBCRSUBSAMPLING tag hasn't been provided. -See bug #603703. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215 - -NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues. - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c ---- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 -+++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400 -@@ -124,9 +124,9 @@ - uint16 ycbcrsubsampling[2]; - tsize_t w, scanline, samplingarea; - -- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, -- ycbcrsubsampling + 0, -- ycbcrsubsampling + 1 ); -+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, -+ ycbcrsubsampling + 0, -+ ycbcrsubsampling + 1); - - samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; - if (samplingarea == 0) { -@@ -234,9 +234,9 @@ - && !isUpSampled(tif)) { - uint16 ycbcrsubsampling[2]; - -- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, -- ycbcrsubsampling + 0, -- ycbcrsubsampling + 1); -+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, -+ ycbcrsubsampling + 0, -+ ycbcrsubsampling + 1); - - if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -@@ -308,9 +308,9 @@ - && !isUpSampled(tif)) { - uint16 ycbcrsubsampling[2]; - -- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, -- ycbcrsubsampling + 0, -- ycbcrsubsampling + 1); -+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, -+ ycbcrsubsampling + 0, -+ ycbcrsubsampling + 1); - - if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, diff --git a/libtiff-tiffdump.patch b/libtiff-tiffdump.patch deleted file mode 100644 index cb77796..0000000 --- a/libtiff-tiffdump.patch +++ /dev/null @@ -1,35 +0,0 @@ -Make tiffdump more paranoid about checking the count field of a directory -entry. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218 - - -diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c ---- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400 -+++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400 -@@ -46,6 +46,7 @@ - # include - #endif - -+#include "tiffiop.h" - #include "tiffio.h" - - #ifndef O_BINARY -@@ -317,7 +318,7 @@ - printf(">\n"); - continue; - } -- space = dp->tdir_count * datawidth[dp->tdir_type]; -+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); - if (space <= 0) { - printf(">\n"); - Error("Invalid count for tag %u", dp->tdir_tag); -@@ -709,7 +710,7 @@ - w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); - cc = dir->tdir_count * w; - if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 -- && read(fd, cp, cc) != -1) { -+ && read(fd, cp, cc) == cc) { - if (swabflag) { - switch (dir->tdir_type) { - case TIFF_SHORT: diff --git a/libtiff-unknown-fix.patch b/libtiff-unknown-fix.patch deleted file mode 100644 index 5c3b32e..0000000 --- a/libtiff-unknown-fix.patch +++ /dev/null @@ -1,47 +0,0 @@ -Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to -sometimes complain about out-of-order tags when there weren't really any. -Fix by decoupling that logic from the tag search logic. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210 - - -diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c ---- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400 -+++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400 -@@ -83,6 +83,7 @@ - const TIFFFieldInfo* fip; - size_t fix; - uint16 dircount; -+ uint16 previous_tag = 0; - int diroutoforderwarning = 0, compressionknown = 0; - int haveunknowntags = 0; - -@@ -163,23 +164,24 @@ - - if (dp->tdir_tag == IGNORE) - continue; -- if (fix >= tif->tif_nfields) -- fix = 0; - - /* - * Silicon Beach (at least) writes unordered - * directory tags (violating the spec). Handle - * it here, but be obnoxious (maybe they'll fix it?). - */ -- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { -+ if (dp->tdir_tag < previous_tag) { - if (!diroutoforderwarning) { - TIFFWarningExt(tif->tif_clientdata, module, - "%s: invalid TIFF directory; tags are not sorted in ascending order", - tif->tif_name); - diroutoforderwarning = 1; - } -- fix = 0; /* O(n^2) */ - } -+ previous_tag = dp->tdir_tag; -+ if (fix >= tif->tif_nfields || -+ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) -+ fix = 0; /* O(n^2) */ - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; diff --git a/libtiff-ycbcr-clamp.patch b/libtiff-ycbcr-clamp.patch deleted file mode 100644 index fbd10bb..0000000 --- a/libtiff-ycbcr-clamp.patch +++ /dev/null @@ -1,35 +0,0 @@ -Using an array to clamp translated YCbCr values is insecure, because if the -TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB -values could be very far out of range (much further than the current array -size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in -favor of using a comparison-based macro to clamp. See RH bug #583081. - -Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208 - - -diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c ---- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500 -+++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400 -@@ -183,13 +183,18 @@ - TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, - uint32 *r, uint32 *g, uint32 *b) - { -+ int32 i; -+ - /* XXX: Only 8-bit YCbCr input supported for now */ - Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); - -- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; -- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] -- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; -- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; -+ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; -+ *r = CLAMP(i, 0, 255); -+ i = ycbcr->Y_tab[Y] -+ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); -+ *g = CLAMP(i, 0, 255); -+ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; -+ *b = CLAMP(i, 0, 255); - } - - /* diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index b7450c2..8637a08 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -7,23 +7,13 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff -Version: 3.9.4 +Version: 3.9.5 Release: 1%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz -Patch1: libtiff-acversion.patch -Patch2: libtiff-mantypo.patch -Patch3: libtiff-scanlinesize.patch -Patch4: libtiff-getimage-64bit.patch -Patch5: libtiff-ycbcr-clamp.patch -Patch6: libtiff-3samples.patch -Patch7: libtiff-subsampling.patch -Patch8: libtiff-unknown-fix.patch -Patch9: libtiff-checkbytecount.patch -Patch10: libtiff-tiffdump.patch Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch @@ -59,24 +49,12 @@ Group: Development/Libraries Static version of the MinGW Windows LibTIFF library. -%{_mingw32_debug_package} +%{?_mingw32_debug_package} %prep %setup -q -n tiff-%{version} -# Patches from the native Fedora package: -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 - # MinGW specific patches %patch100 -p0 @@ -130,6 +108,12 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Apr 25 2011 Kalev Lember - 3.9.5-1 +- Update to 3.9.5 +- Fixes CVE-2011-1167 (#689575) +- Dropped the patches from Fedora native libtiff package which are all now + incorporated in 3.9.5 + * Fri Jun 25 2010 Erik van Pienbroek - 3.9.4-1 - Update to 3.9.4 - Merged the native Fedora package changes up to 3.9.4-1 diff --git a/sources b/sources index a73728b..04027f5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz +8fc7ce3b4e1d0cc8a319336967815084 tiff-3.9.5.tar.gz From ce058df158ea761548d0e88578e22ca642b6066d Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Fri, 3 Jun 2011 23:27:14 +0300 Subject: [PATCH 12/56] Rebuilt with mingw32-libjpeg-turbo, dropped jpeg_boolean patch (#604702) --- libtiff-mingw32-libjpeg-7-compatibility.patch | 94 ------------------- mingw32-libtiff.spec | 10 +- 2 files changed, 4 insertions(+), 100 deletions(-) delete mode 100644 libtiff-mingw32-libjpeg-7-compatibility.patch diff --git a/libtiff-mingw32-libjpeg-7-compatibility.patch b/libtiff-mingw32-libjpeg-7-compatibility.patch deleted file mode 100644 index 9ecb365..0000000 --- a/libtiff-mingw32-libjpeg-7-compatibility.patch +++ /dev/null @@ -1,94 +0,0 @@ ---- libtiff/tif_jpeg.c.orig 2009-08-20 14:27:50.688881034 +0200 -+++ libtiff/tif_jpeg.c 2009-08-20 14:29:03.814866414 +0200 -@@ -288,20 +288,20 @@ - } - - static int --TIFFjpeg_set_quality(JPEGState* sp, int quality, boolean force_baseline) -+TIFFjpeg_set_quality(JPEGState* sp, int quality, jpeg_boolean force_baseline) - { - return CALLVJPEG(sp, - jpeg_set_quality(&sp->cinfo.c, quality, force_baseline)); - } - - static int --TIFFjpeg_suppress_tables(JPEGState* sp, boolean suppress) -+TIFFjpeg_suppress_tables(JPEGState* sp, jpeg_boolean suppress) - { - return CALLVJPEG(sp, jpeg_suppress_tables(&sp->cinfo.c, suppress)); - } - - static int --TIFFjpeg_start_compress(JPEGState* sp, boolean write_all_tables) -+TIFFjpeg_start_compress(JPEGState* sp, jpeg_boolean write_all_tables) - { - return CALLVJPEG(sp, - jpeg_start_compress(&sp->cinfo.c, write_all_tables)); -@@ -334,7 +334,7 @@ - } - - static int --TIFFjpeg_read_header(JPEGState* sp, boolean require_image) -+TIFFjpeg_read_header(JPEGState* sp, jpeg_boolean require_image) - { - return CALLJPEG(sp, -1, jpeg_read_header(&sp->cinfo.d, require_image)); - } -@@ -402,7 +402,7 @@ - sp->dest.free_in_buffer = (size_t) tif->tif_rawdatasize; - } - --static boolean -+static jpeg_boolean - std_empty_output_buffer(j_compress_ptr cinfo) - { - JPEGState* sp = (JPEGState*) cinfo; -@@ -453,7 +453,7 @@ - sp->dest.free_in_buffer = (size_t) sp->jpegtables_length; - } - --static boolean -+static jpeg_boolean - tables_empty_output_buffer(j_compress_ptr cinfo) - { - JPEGState* sp = (JPEGState*) cinfo; -@@ -519,7 +519,7 @@ - sp->src.bytes_in_buffer = (size_t) tif->tif_rawcc; - } - --static boolean -+static jpeg_boolean - std_fill_input_buffer(j_decompress_ptr cinfo) - { - JPEGState* sp = (JPEGState* ) cinfo; ---- libtiff/tif_ojpeg.c.orig 2010-06-25 14:42:58.387654713 +0200 -+++ libtiff/tif_ojpeg.c 2010-06-25 14:43:24.483651879 +0200 -@@ -383,9 +383,9 @@ - static void OJPEGLibjpegJpegErrorMgrOutputMessage(jpeg_common_struct* cinfo); - static void OJPEGLibjpegJpegErrorMgrErrorExit(jpeg_common_struct* cinfo); - static void OJPEGLibjpegJpegSourceMgrInitSource(jpeg_decompress_struct* cinfo); --static boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo); -+static jpeg_boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo); - static void OJPEGLibjpegJpegSourceMgrSkipInputData(jpeg_decompress_struct* cinfo, long num_bytes); --static boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired); -+static jpeg_boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired); - static void OJPEGLibjpegJpegSourceMgrTermSource(jpeg_decompress_struct* cinfo); - - int -@@ -2388,7 +2388,7 @@ - (void)cinfo; - } - --static boolean -+static jpeg_boolean - OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo) - { - TIFF* tif=(TIFF*)cinfo->client_data; -@@ -2414,7 +2414,7 @@ - jpeg_encap_unwind(tif); - } - --static boolean -+static jpeg_boolean - OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired) - { - TIFF* tif=(TIFF*)cinfo->client_data; diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index 8637a08..3e0f2c4 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -8,15 +8,13 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.9.5 -Release: 1%{?dist} +Release: 2%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz -Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch - BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -55,9 +53,6 @@ Static version of the MinGW Windows LibTIFF library. %prep %setup -q -n tiff-%{version} -# MinGW specific patches -%patch100 -p0 - # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -108,6 +103,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jun 03 2011 Kalev Lember - 3.9.5-2 +- Rebuilt with mingw32-libjpeg-turbo, dropped jpeg_boolean patch (#604702) + * Mon Apr 25 2011 Kalev Lember - 3.9.5-1 - Update to 3.9.5 - Fixes CVE-2011-1167 (#689575) From de6d40377fd65025cba54e7bff3eec64d3af51d2 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 13 Jan 2012 04:04:13 -0600 Subject: [PATCH 13/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild --- mingw32-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index 3e0f2c4..e2fd932 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -8,7 +8,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.9.5 -Release: 2%{?dist} +Release: 3%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -103,6 +103,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jan 13 2012 Fedora Release Engineering - 3.9.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + * Fri Jun 03 2011 Kalev Lember - 3.9.5-2 - Rebuilt with mingw32-libjpeg-turbo, dropped jpeg_boolean patch (#604702) From 4b750af4c4f2ef0eb29eb77659ce4104029da9b1 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Tue, 28 Feb 2012 00:06:45 +0100 Subject: [PATCH 14/56] Rebuild against the mingw-w64 toolchain --- mingw32-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec index e2fd932..ea5c579 100644 --- a/mingw32-libtiff.spec +++ b/mingw32-libtiff.spec @@ -8,7 +8,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw32-libtiff Version: 3.9.5 -Release: 3%{?dist} +Release: 4%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -103,6 +103,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Feb 27 2012 Erik van Pienbroek - 3.9.5-4 +- Rebuild against the mingw-w64 toolchain + * Fri Jan 13 2012 Fedora Release Engineering - 3.9.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild From 4f9dfb7855ed2e6e64eb1cbc41c01f02c289b841 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 6 Mar 2012 14:14:00 +0000 Subject: [PATCH 15/56] Initial setup of the repo --- .gitignore | 0 sources | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 .gitignore create mode 100644 sources diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/sources b/sources new file mode 100644 index 0000000..e69de29 From a1ab900f7fbb5208ca657d7cfb923009380d447c Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Tue, 6 Mar 2012 21:43:21 +0200 Subject: [PATCH 16/56] Renamed the source package to mingw-libtiff (#800437) --- mingw32-libtiff.spec => mingw-libtiff.spec | 30 +++++++++++++++++----- 1 file changed, 23 insertions(+), 7 deletions(-) rename mingw32-libtiff.spec => mingw-libtiff.spec (94%) diff --git a/mingw32-libtiff.spec b/mingw-libtiff.spec similarity index 94% rename from mingw32-libtiff.spec rename to mingw-libtiff.spec index ea5c579..478caaa 100644 --- a/mingw32-libtiff.spec +++ b/mingw-libtiff.spec @@ -6,9 +6,9 @@ %define __debug_install_post %{_mingw32_debug_install_post} Summary: MinGW Windows port of the LibTIFF library -Name: mingw32-libtiff +Name: mingw-libtiff Version: 3.9.5 -Release: 4%{?dist} +Release: 5%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -38,12 +38,25 @@ The libtiff package should be installed if you need to manipulate TIFF format image files. -%package static +%package -n mingw32-libtiff +Summary: MinGW Windows port of the LibTIFF library + +%description -n mingw32-libtiff +The libtiff package contains a library of functions for manipulating +TIFF (Tagged Image File Format) image format files. TIFF is a widely +used file format for bitmapped images. TIFF files usually end in the +.tif extension and they are often quite large. + +The libtiff package should be installed if you need to manipulate TIFF +format image files. + + +%package -n mingw32-libtiff-static Summary: Static version of the MinGW Windows LibTIFF library -Requires: %{name} = %{version}-%{release} +Requires: mingw32-libtiff = %{version}-%{release} Group: Development/Libraries -%description static +%description -n mingw32-libtiff-static Static version of the MinGW Windows LibTIFF library. @@ -85,7 +98,7 @@ rm -f $RPM_BUILD_ROOT%{_mingw32_bindir}/*.exe rm -rf $RPM_BUILD_ROOT -%files +%files -n mingw32-libtiff %defattr(-,root,root,-) %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog %{_mingw32_bindir}/libtiff-3.dll @@ -96,13 +109,16 @@ rm -rf $RPM_BUILD_ROOT %{_mingw32_libdir}/libtiff.la %{_mingw32_libdir}/libtiffxx.la -%files static +%files -n mingw32-libtiff-static %defattr(-,root,root,-) %{_mingw32_libdir}/libtiff.a %{_mingw32_libdir}/libtiffxx.a %changelog +* Tue Mar 06 2012 Kalev Lember - 3.9.5-5 +- Renamed the source package to mingw-libtiff (#800437) + * Mon Feb 27 2012 Erik van Pienbroek - 3.9.5-4 - Rebuild against the mingw-w64 toolchain From fad6a7bd2152c0a0f44cc50d1c566cdb3fd8bad9 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Tue, 6 Mar 2012 21:45:19 +0200 Subject: [PATCH 17/56] Spec clean up --- mingw-libtiff.spec | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 478caaa..7e6ee3e 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -1,8 +1,5 @@ %global __strip %{_mingw32_strip} %global __objdump %{_mingw32_objdump} -%global _use_internal_dependency_generator 0 -%global __find_requires %{_mingw32_findrequires} -%global __find_provides %{_mingw32_findprovides} %define __debug_install_post %{_mingw32_debug_install_post} Summary: MinGW Windows port of the LibTIFF library @@ -17,9 +14,8 @@ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz BuildArch: noarch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: mingw32-zlib mingw32-libjpeg -BuildRequires: mingw32-filesystem >= 35 +BuildRequires: mingw32-filesystem BuildRequires: mingw32-gcc BuildRequires: mingw32-gcc-c++ BuildRequires: mingw32-binutils @@ -83,7 +79,6 @@ make %{?_smp_mflags} %install -rm -rf $RPM_BUILD_ROOT make DESTDIR=$RPM_BUILD_ROOT install # remove docs @@ -94,12 +89,7 @@ rm -rf $RPM_BUILD_ROOT%{_mingw32_mandir} rm -f $RPM_BUILD_ROOT%{_mingw32_bindir}/*.exe -%clean -rm -rf $RPM_BUILD_ROOT - - %files -n mingw32-libtiff -%defattr(-,root,root,-) %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog %{_mingw32_bindir}/libtiff-3.dll %{_mingw32_bindir}/libtiffxx-3.dll @@ -110,7 +100,6 @@ rm -rf $RPM_BUILD_ROOT %{_mingw32_libdir}/libtiffxx.la %files -n mingw32-libtiff-static -%defattr(-,root,root,-) %{_mingw32_libdir}/libtiff.a %{_mingw32_libdir}/libtiffxx.a @@ -118,6 +107,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Tue Mar 06 2012 Kalev Lember - 3.9.5-5 - Renamed the source package to mingw-libtiff (#800437) +- Spec clean up * Mon Feb 27 2012 Erik van Pienbroek - 3.9.5-4 - Rebuild against the mingw-w64 toolchain From 9296f1d3c5573f6ec41999d568c348b9dcd2fed1 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Tue, 6 Mar 2012 21:45:27 +0200 Subject: [PATCH 18/56] Use mingw macros without leading underscore --- mingw-libtiff.spec | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 7e6ee3e..f5588ba 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -1,6 +1,6 @@ -%global __strip %{_mingw32_strip} -%global __objdump %{_mingw32_objdump} -%define __debug_install_post %{_mingw32_debug_install_post} +%global __strip %{mingw32_strip} +%global __objdump %{mingw32_objdump} +%define __debug_install_post %{mingw32_debug_install_post} Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff @@ -56,7 +56,7 @@ Group: Development/Libraries Static version of the MinGW Windows LibTIFF library. -%{?_mingw32_debug_package} +%{?mingw32_debug_package} %prep @@ -73,8 +73,8 @@ autoheader %build -export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing" -%{_mingw32_configure} --enable-static --enable-shared +export MINGW32_CFLAGS="%{mingw32_cflags} -fno-strict-aliasing" +%{mingw32_configure} --enable-static --enable-shared make %{?_smp_mflags} @@ -82,32 +82,33 @@ make %{?_smp_mflags} make DESTDIR=$RPM_BUILD_ROOT install # remove docs -rm -rf $RPM_BUILD_ROOT%{_mingw32_datadir}/doc -rm -rf $RPM_BUILD_ROOT%{_mingw32_mandir} +rm -rf $RPM_BUILD_ROOT%{mingw32_datadir}/doc +rm -rf $RPM_BUILD_ROOT%{mingw32_mandir} # remove binaries -rm -f $RPM_BUILD_ROOT%{_mingw32_bindir}/*.exe +rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.exe %files -n mingw32-libtiff %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog -%{_mingw32_bindir}/libtiff-3.dll -%{_mingw32_bindir}/libtiffxx-3.dll -%{_mingw32_includedir}/* -%{_mingw32_libdir}/libtiff.dll.a -%{_mingw32_libdir}/libtiffxx.dll.a -%{_mingw32_libdir}/libtiff.la -%{_mingw32_libdir}/libtiffxx.la +%{mingw32_bindir}/libtiff-3.dll +%{mingw32_bindir}/libtiffxx-3.dll +%{mingw32_includedir}/* +%{mingw32_libdir}/libtiff.dll.a +%{mingw32_libdir}/libtiffxx.dll.a +%{mingw32_libdir}/libtiff.la +%{mingw32_libdir}/libtiffxx.la %files -n mingw32-libtiff-static -%{_mingw32_libdir}/libtiff.a -%{_mingw32_libdir}/libtiffxx.a +%{mingw32_libdir}/libtiff.a +%{mingw32_libdir}/libtiffxx.a %changelog * Tue Mar 06 2012 Kalev Lember - 3.9.5-5 - Renamed the source package to mingw-libtiff (#800437) - Spec clean up +- Use mingw macros without leading underscore * Mon Feb 27 2012 Erik van Pienbroek - 3.9.5-4 - Rebuild against the mingw-w64 toolchain From 3b78a237582ad1e99a8c1ea92ef6b4367c9f9f81 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Fri, 9 Mar 2012 17:07:58 +0100 Subject: [PATCH 19/56] Dropped .la files --- mingw-libtiff.spec | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index f5588ba..4d6a43b 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -5,7 +5,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 3.9.5 -Release: 5%{?dist} +Release: 6%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -88,6 +88,9 @@ rm -rf $RPM_BUILD_ROOT%{mingw32_mandir} # remove binaries rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.exe +# Drop all .la files +find $RPM_BUILD_ROOT -name "*.la" -delete + %files -n mingw32-libtiff %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog @@ -96,8 +99,6 @@ rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.exe %{mingw32_includedir}/* %{mingw32_libdir}/libtiff.dll.a %{mingw32_libdir}/libtiffxx.dll.a -%{mingw32_libdir}/libtiff.la -%{mingw32_libdir}/libtiffxx.la %files -n mingw32-libtiff-static %{mingw32_libdir}/libtiff.a @@ -105,6 +106,9 @@ rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.exe %changelog +* Fri Mar 09 2012 Erik van Pienbroek - 3.9.5-6 +- Dropped .la files + * Tue Mar 06 2012 Kalev Lember - 3.9.5-5 - Renamed the source package to mingw-libtiff (#800437) - Spec clean up From 3027ab1e2e7896f34a5d5a6dea09145ca91c5ea7 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Sat, 10 Mar 2012 22:54:16 +0100 Subject: [PATCH 20/56] Added win64 support --- mingw-libtiff.spec | 93 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 72 insertions(+), 21 deletions(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 4d6a43b..199363a 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -1,24 +1,33 @@ -%global __strip %{mingw32_strip} -%global __objdump %{mingw32_objdump} -%define __debug_install_post %{mingw32_debug_install_post} +%?mingw_package_header -Summary: MinGW Windows port of the LibTIFF library -Name: mingw-libtiff -Version: 3.9.5 -Release: 6%{?dist} -License: libtiff -Group: System Environment/Libraries -URL: http://www.remotesensing.org/libtiff/ +%global mingw_build_win32 1 +%global mingw_build_win64 1 -Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz - -BuildArch: noarch - -BuildRequires: mingw32-zlib mingw32-libjpeg -BuildRequires: mingw32-filesystem +Summary: MinGW Windows port of the LibTIFF library +Name: mingw-libtiff +Version: 3.9.5 +Release: 7%{?dist} +License: libtiff +Group: System Environment/Libraries +URL: http://www.remotesensing.org/libtiff/ +Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz + +BuildArch: noarch + +BuildRequires: mingw32-zlib +BuildRequires: mingw32-libjpeg-turbo +BuildRequires: mingw32-filesystem >= 95 BuildRequires: mingw32-gcc BuildRequires: mingw32-gcc-c++ BuildRequires: mingw32-binutils + +BuildRequires: mingw64-zlib +BuildRequires: mingw64-libjpeg-turbo +BuildRequires: mingw64-filesystem >= 95 +BuildRequires: mingw64-gcc +BuildRequires: mingw64-gcc-c++ +BuildRequires: mingw64-binutils + BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -34,6 +43,7 @@ The libtiff package should be installed if you need to manipulate TIFF format image files. +# Win32 %package -n mingw32-libtiff Summary: MinGW Windows port of the LibTIFF library @@ -46,7 +56,6 @@ used file format for bitmapped images. TIFF files usually end in the The libtiff package should be installed if you need to manipulate TIFF format image files. - %package -n mingw32-libtiff-static Summary: Static version of the MinGW Windows LibTIFF library Requires: mingw32-libtiff = %{version}-%{release} @@ -55,8 +64,29 @@ Group: Development/Libraries %description -n mingw32-libtiff-static Static version of the MinGW Windows LibTIFF library. +# Win64 +%package -n mingw64-libtiff +Summary: MinGW Windows port of the LibTIFF library -%{?mingw32_debug_package} +%description -n mingw64-libtiff +The libtiff package contains a library of functions for manipulating +TIFF (Tagged Image File Format) image format files. TIFF is a widely +used file format for bitmapped images. TIFF files usually end in the +.tif extension and they are often quite large. + +The libtiff package should be installed if you need to manipulate TIFF +format image files. + +%package -n mingw64-libtiff-static +Summary: Static version of the MinGW Windows LibTIFF library +Requires: mingw64-libtiff = %{version}-%{release} +Group: Development/Libraries + +%description -n mingw64-libtiff-static +Static version of the MinGW Windows LibTIFF library. + + +%?mingw_debug_package %prep @@ -74,24 +104,29 @@ autoheader %build export MINGW32_CFLAGS="%{mingw32_cflags} -fno-strict-aliasing" -%{mingw32_configure} --enable-static --enable-shared -make %{?_smp_mflags} +export MINGW64_CFLAGS="%{mingw64_cflags} -fno-strict-aliasing" +%mingw_configure --enable-static --enable-shared +%mingw_make %{?_smp_mflags} %install -make DESTDIR=$RPM_BUILD_ROOT install +%mingw_make_install DESTDIR=$RPM_BUILD_ROOT # remove docs rm -rf $RPM_BUILD_ROOT%{mingw32_datadir}/doc rm -rf $RPM_BUILD_ROOT%{mingw32_mandir} +rm -rf $RPM_BUILD_ROOT%{mingw64_datadir}/doc +rm -rf $RPM_BUILD_ROOT%{mingw64_mandir} # remove binaries rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.exe +rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.exe # Drop all .la files find $RPM_BUILD_ROOT -name "*.la" -delete +# Win32 %files -n mingw32-libtiff %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog %{mingw32_bindir}/libtiff-3.dll @@ -104,8 +139,24 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %{mingw32_libdir}/libtiff.a %{mingw32_libdir}/libtiffxx.a +# Win64 +%files -n mingw64-libtiff +%doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog +%{mingw64_bindir}/libtiff-3.dll +%{mingw64_bindir}/libtiffxx-3.dll +%{mingw64_includedir}/* +%{mingw64_libdir}/libtiff.dll.a +%{mingw64_libdir}/libtiffxx.dll.a + +%files -n mingw64-libtiff-static +%{mingw64_libdir}/libtiff.a +%{mingw64_libdir}/libtiffxx.a + %changelog +* Sat Mar 10 2012 Erik van Pienbroek - 3.9.5-7 +- Added win64 support + * Fri Mar 09 2012 Erik van Pienbroek - 3.9.5-6 - Dropped .la files From c0f86ba705372575402604d5ff24b75307225cfe Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Thu, 19 Jul 2012 20:35:55 -0500 Subject: [PATCH 21/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 199363a..e9c30b5 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -6,7 +6,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 3.9.5 -Release: 7%{?dist} +Release: 8%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -154,6 +154,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Fri Jul 20 2012 Fedora Release Engineering - 3.9.5-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + * Sat Mar 10 2012 Erik van Pienbroek - 3.9.5-7 - Added win64 support From 936816d41acfc968b3bee48e853efdd0a3940aa3 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Sat, 25 Aug 2012 21:35:51 +0200 Subject: [PATCH 22/56] Update to 4.0.2 (RHBZ #850919) --- .gitignore | 1 + mingw-libtiff.spec | 32 +++++++++++++++++--------------- sources | 2 +- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/.gitignore b/.gitignore index 7992c78..ca81abc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ tiff-3.9.4.tar.gz /tiff-3.9.5.tar.gz +/tiff-4.0.2.tar.gz diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index e9c30b5..0e302d6 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -1,12 +1,9 @@ %?mingw_package_header -%global mingw_build_win32 1 -%global mingw_build_win64 1 - Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff -Version: 3.9.5 -Release: 8%{?dist} +Version: 4.0.2 +Release: 1%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -93,13 +90,13 @@ Static version of the MinGW Windows LibTIFF library. %setup -q -n tiff-%{version} # Use build system's libtool.m4, not the one in the package. -rm -f libtool.m4 +#rm -f libtool.m4 -libtoolize --force --copy -aclocal -I . -I m4 -automake --add-missing --copy -autoconf -autoheader +#libtoolize --force --copy +#aclocal -I . -I m4 +#automake --add-missing --copy +#autoconf +#autoheader %build @@ -129,11 +126,12 @@ find $RPM_BUILD_ROOT -name "*.la" -delete # Win32 %files -n mingw32-libtiff %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog -%{mingw32_bindir}/libtiff-3.dll -%{mingw32_bindir}/libtiffxx-3.dll +%{mingw32_bindir}/libtiff-5.dll +%{mingw32_bindir}/libtiffxx-5.dll %{mingw32_includedir}/* %{mingw32_libdir}/libtiff.dll.a %{mingw32_libdir}/libtiffxx.dll.a +%{mingw32_libdir}/pkgconfig/libtiff-4.pc %files -n mingw32-libtiff-static %{mingw32_libdir}/libtiff.a @@ -142,11 +140,12 @@ find $RPM_BUILD_ROOT -name "*.la" -delete # Win64 %files -n mingw64-libtiff %doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog -%{mingw64_bindir}/libtiff-3.dll -%{mingw64_bindir}/libtiffxx-3.dll +%{mingw64_bindir}/libtiff-5.dll +%{mingw64_bindir}/libtiffxx-5.dll %{mingw64_includedir}/* %{mingw64_libdir}/libtiff.dll.a %{mingw64_libdir}/libtiffxx.dll.a +%{mingw64_libdir}/pkgconfig/libtiff-4.pc %files -n mingw64-libtiff-static %{mingw64_libdir}/libtiff.a @@ -154,6 +153,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Sat Aug 25 2012 Erik van Pienbroek - 4.0.2-1 +- Update to 4.0.2 (RHBZ #850919) + * Fri Jul 20 2012 Fedora Release Engineering - 3.9.5-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild diff --git a/sources b/sources index 04027f5..5a4b39d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -8fc7ce3b4e1d0cc8a319336967815084 tiff-3.9.5.tar.gz +04a08fa1e07e696e820a0c3f32465a13 tiff-4.0.2.tar.gz From 7c93d0cb907679d57c70a0860706ed1055f929a5 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Sat, 25 Aug 2012 21:45:19 +0200 Subject: [PATCH 23/56] Removed old autoconf/libtool stuff --- mingw-libtiff.spec | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 0e302d6..320738b 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -25,10 +25,6 @@ BuildRequires: mingw64-gcc BuildRequires: mingw64-gcc-c++ BuildRequires: mingw64-binutils -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool - %description The libtiff package contains a library of functions for manipulating @@ -89,15 +85,6 @@ Static version of the MinGW Windows LibTIFF library. %prep %setup -q -n tiff-%{version} -# Use build system's libtool.m4, not the one in the package. -#rm -f libtool.m4 - -#libtoolize --force --copy -#aclocal -I . -I m4 -#automake --add-missing --copy -#autoconf -#autoheader - %build export MINGW32_CFLAGS="%{mingw32_cflags} -fno-strict-aliasing" From f5b25218c1b49d07db36fdcd20dbf4f185cea6a5 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Wed, 21 Nov 2012 23:27:17 +0100 Subject: [PATCH 24/56] Update to 4.0.3 --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 320738b..a713785 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -2,7 +2,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff -Version: 4.0.2 +Version: 4.0.3 Release: 1%{?dist} License: libtiff Group: System Environment/Libraries @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Wed Nov 21 2012 Erik van Pienbroek - 4.0.3-1 +- Update to 4.0.3 + * Sat Aug 25 2012 Erik van Pienbroek - 4.0.2-1 - Update to 4.0.2 (RHBZ #850919) From 5dbc403478075cf8f24a15861e9ddb2eebc1be5d Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Mon, 26 Nov 2012 14:27:29 +0100 Subject: [PATCH 25/56] Updated sources --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index ca81abc..b3689f3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ tiff-3.9.4.tar.gz /tiff-3.9.5.tar.gz /tiff-4.0.2.tar.gz +/tiff-4.0.3.tar.gz diff --git a/sources b/sources index 5a4b39d..10672da 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -04a08fa1e07e696e820a0c3f32465a13 tiff-4.0.2.tar.gz +051c1068e6a0627f461948c365290410 tiff-4.0.3.tar.gz From 28408812a60a35c3c17cf1fab389466ff459bff0 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Thu, 14 Feb 2013 01:06:51 -0600 Subject: [PATCH 26/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index a713785..6db1902 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.3 -Release: 1%{?dist} +Release: 2%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu Feb 14 2013 Fedora Release Engineering - 4.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + * Wed Nov 21 2012 Erik van Pienbroek - 4.0.3-1 - Update to 4.0.3 From 62de102ab250d533e05bf6c5655f3cb412a092a1 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sat, 3 Aug 2013 05:53:09 -0500 Subject: [PATCH 27/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 6db1902..429af51 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.3 -Release: 2%{?dist} +Release: 3%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Sat Aug 03 2013 Fedora Release Engineering - 4.0.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + * Thu Feb 14 2013 Fedora Release Engineering - 4.0.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild From 79903c3aefa6456afb3d2ee9df7340bdcada6b49 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Thu, 29 May 2014 16:09:06 +0200 Subject: [PATCH 28/56] Fix various CVE's --- libtiff-CVE-2012-4447.patch | 40 ++ libtiff-CVE-2012-4564.patch | 86 ++++ libtiff-CVE-2013-1960.patch | 145 +++++++ libtiff-CVE-2013-1961.patch | 759 ++++++++++++++++++++++++++++++++++++ libtiff-CVE-2013-4231.patch | 15 + libtiff-CVE-2013-4232.patch | 12 + libtiff-CVE-2013-4243.patch | 41 ++ libtiff-CVE-2013-4244.patch | 15 + mingw-libtiff.spec | 24 +- 9 files changed, 1136 insertions(+), 1 deletion(-) create mode 100644 libtiff-CVE-2012-4447.patch create mode 100644 libtiff-CVE-2012-4564.patch create mode 100644 libtiff-CVE-2013-1960.patch create mode 100644 libtiff-CVE-2013-1961.patch create mode 100644 libtiff-CVE-2013-4231.patch create mode 100644 libtiff-CVE-2013-4232.patch create mode 100644 libtiff-CVE-2013-4243.patch create mode 100644 libtiff-CVE-2013-4244.patch diff --git a/libtiff-CVE-2012-4447.patch b/libtiff-CVE-2012-4447.patch new file mode 100644 index 0000000..ebf9a00 --- /dev/null +++ b/libtiff-CVE-2012-4447.patch @@ -0,0 +1,40 @@ +Upstream patch for CVE-2012-4447. + + +diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c +--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400 ++++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500 +@@ -644,6 +644,20 @@ + return bytes; + } + ++static tmsize_t ++add_ms(tmsize_t m1, tmsize_t m2) ++{ ++ tmsize_t bytes = m1 + m2; ++ ++ /* if either input is zero, assume overflow already occurred */ ++ if (m1 == 0 || m2 == 0) ++ bytes = 0; ++ else if (bytes <= m1 || bytes <= m2) ++ bytes = 0; ++ ++ return bytes; ++} ++ + static int + PixarLogFixupTags(TIFF* tif) + { +@@ -671,9 +685,11 @@ + td->td_samplesperpixel : 1); + tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), + td->td_rowsperstrip), sizeof(uint16)); ++ /* add one more stride in case input ends mid-stride */ ++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); + if (tbuf_size == 0) + return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ +- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); ++ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + if (sp->tbuf == NULL) + return (0); + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) diff --git a/libtiff-CVE-2012-4564.patch b/libtiff-CVE-2012-4564.patch new file mode 100644 index 0000000..3d7946c --- /dev/null +++ b/libtiff-CVE-2012-4564.patch @@ -0,0 +1,86 @@ +Upstream patch for CVE-2012-4564. + + +diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c +--- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400 ++++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500 +@@ -72,6 +72,17 @@ + exit(-2); + } + ++static tmsize_t ++multiply_ms(tmsize_t m1, tmsize_t m2) ++{ ++ tmsize_t bytes = m1 * m2; ++ ++ if (m1 && bytes / m1 != m2) ++ bytes = 0; ++ ++ return bytes; ++} ++ + int + main(int argc, char* argv[]) + { +@@ -79,7 +90,7 @@ + uint32 rowsperstrip = (uint32) -1; + double resolution = -1; + unsigned char *buf = NULL; +- tsize_t linebytes = 0; ++ tmsize_t linebytes = 0; + uint16 spp = 1; + uint16 bpp = 8; + TIFF *out; +@@ -89,6 +100,7 @@ + int c; + extern int optind; + extern char* optarg; ++ tmsize_t scanline_size; + + if (argc < 2) { + fprintf(stderr, "%s: Too few arguments\n", argv[0]); +@@ -221,7 +233,8 @@ + } + switch (bpp) { + case 1: +- linebytes = (spp * w + (8 - 1)) / 8; ++ /* if round-up overflows, result will be zero, OK */ ++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; + if (rowsperstrip == (uint32) -1) { + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); + } else { +@@ -230,15 +243,31 @@ + } + break; + case 8: +- linebytes = spp * w; ++ linebytes = multiply_ms(spp, w); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, + TIFFDefaultStripSize(out, rowsperstrip)); + break; + } +- if (TIFFScanlineSize(out) > linebytes) ++ if (linebytes == 0) { ++ fprintf(stderr, "%s: scanline size overflow\n", infile); ++ (void) TIFFClose(out); ++ exit(-2); ++ } ++ scanline_size = TIFFScanlineSize(out); ++ if (scanline_size == 0) { ++ /* overflow - TIFFScanlineSize already printed a message */ ++ (void) TIFFClose(out); ++ exit(-2); ++ } ++ if (scanline_size < linebytes) + buf = (unsigned char *)_TIFFmalloc(linebytes); + else +- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ buf = (unsigned char *)_TIFFmalloc(scanline_size); ++ if (buf == NULL) { ++ fprintf(stderr, "%s: Not enough memory\n", infile); ++ (void) TIFFClose(out); ++ exit(-2); ++ } + if (resolution > 0) { + TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); + TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); diff --git a/libtiff-CVE-2013-1960.patch b/libtiff-CVE-2013-1960.patch new file mode 100644 index 0000000..1c8dfb7 --- /dev/null +++ b/libtiff-CVE-2013-1960.patch @@ -0,0 +1,145 @@ +diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c +--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 ++++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400 +@@ -3341,33 +3341,56 @@ + uint32 height){ + + tsize_t i=0; +- uint16 ri =0; +- uint16 v_samp=1; +- uint16 h_samp=1; +- int j=0; +- +- i++; +- +- while(i<(*striplength)){ ++ ++ while (i < *striplength) { ++ tsize_t datalen; ++ uint16 ri; ++ uint16 v_samp; ++ uint16 h_samp; ++ int j; ++ int ncomp; ++ ++ /* marker header: one or more FFs */ ++ if (strip[i] != 0xff) ++ return(0); ++ i++; ++ while (i < *striplength && strip[i] == 0xff) ++ i++; ++ if (i >= *striplength) ++ return(0); ++ /* SOI is the only pre-SOS marker without a length word */ ++ if (strip[i] == 0xd8) ++ datalen = 0; ++ else { ++ if ((*striplength - i) <= 2) ++ return(0); ++ datalen = (strip[i+1] << 8) | strip[i+2]; ++ if (datalen < 2 || datalen >= (*striplength - i)) ++ return(0); ++ } + switch( strip[i] ){ +- case 0xd8: +- /* SOI - start of image */ ++ case 0xd8: /* SOI - start of image */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); + *bufferoffset+=2; +- i+=2; + break; +- case 0xc0: +- case 0xc1: +- case 0xc3: +- case 0xc9: +- case 0xca: ++ case 0xc0: /* SOF0 */ ++ case 0xc1: /* SOF1 */ ++ case 0xc3: /* SOF3 */ ++ case 0xc9: /* SOF9 */ ++ case 0xca: /* SOF10 */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- for(j=0;j>4) > h_samp) +- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); +- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) +- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ ncomp = buffer[*bufferoffset+9]; ++ if (ncomp < 1 || ncomp > 4) ++ return(0); ++ v_samp=1; ++ h_samp=1; ++ for(j=0;j>4) > h_samp) ++ h_samp = (samp>>4); ++ if( (samp & 0x0f) > v_samp) ++ v_samp = (samp & 0x0f); + } + v_samp*=8; + h_samp*=8; +@@ -3381,45 +3404,43 @@ + (unsigned char) ((height>>8) & 0xff); + buffer[*bufferoffset+6]= + (unsigned char) (height & 0xff); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; +- ++ *bufferoffset+=datalen+2; ++ /* insert a DRI marker */ + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]=0xdd; + buffer[(*bufferoffset)++]=0x00; + buffer[(*bufferoffset)++]=0x04; + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; + buffer[(*bufferoffset)++]= ri & 0xff; +- } else { +- i+=strip[i+2]+2; + } + break; +- case 0xc4: +- case 0xdb: +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ case 0xc4: /* DHT */ ++ case 0xdb: /* DQT */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + break; +- case 0xda: ++ case 0xda: /* SOS */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + } else { + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]= + (unsigned char)(0xd0 | ((no-1)%8)); +- i+=strip[i+2]+2; + } +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); +- *bufferoffset+=(*striplength)-i-1; ++ i += datalen + 1; ++ /* copy remainder of strip */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); ++ *bufferoffset+= *striplength - i; + return(1); + default: +- i+=strip[i+2]+2; ++ /* ignore any other marker */ ++ break; + } ++ i += datalen + 1; + } +- + ++ /* failed to find SOS marker */ + return(0); + } + #endif diff --git a/libtiff-CVE-2013-1961.patch b/libtiff-CVE-2013-1961.patch new file mode 100644 index 0000000..0ea9b52 --- /dev/null +++ b/libtiff-CVE-2013-1961.patch @@ -0,0 +1,759 @@ +diff -Naur tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c tiff-4.0.3/contrib/dbs/xtiff/xtiff.c +--- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2010-06-08 14:55:15.000000000 -0400 ++++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-05-02 12:02:42.782287939 -0400 +@@ -512,9 +512,9 @@ + Arg args[1]; + + if (tfMultiPage) +- sprintf(buffer, "%s - page %d", fileName, tfDirectory); ++ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); + else +- strcpy(buffer, fileName); ++ snprintf(buffer, sizeof(buffer), "%s", fileName); + XtSetArg(args[0], XtNlabel, buffer); + XtSetValues(labelWidget, args, 1); + } +diff -Naur tiff-4.0.3.orig/libtiff/tif_codec.c tiff-4.0.3/libtiff/tif_codec.c +--- tiff-4.0.3.orig/libtiff/tif_codec.c 2010-12-14 09:18:28.000000000 -0500 ++++ tiff-4.0.3/libtiff/tif_codec.c 2013-05-02 12:02:42.783287946 -0400 +@@ -108,7 +108,8 @@ + const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); + char compression_code[20]; + +- sprintf( compression_code, "%d", tif->tif_dir.td_compression ); ++ snprintf(compression_code, sizeof(compression_code), "%d", ++ tif->tif_dir.td_compression ); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s compression support is not configured", + c ? c->name : compression_code ); +diff -Naur tiff-4.0.3.orig/libtiff/tif_dirinfo.c tiff-4.0.3/libtiff/tif_dirinfo.c +--- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2012-08-19 12:56:34.000000000 -0400 ++++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-05-02 12:02:42.784287953 -0400 +@@ -711,7 +711,7 @@ + * note that this name is a special sign to TIFFClose() and + * _TIFFSetupFields() to free the field + */ +- sprintf(fld->field_name, "Tag %d", (int) tag); ++ snprintf(fld->field_name, 32, "Tag %d", (int) tag); + + return fld; + } +diff -Naur tiff-4.0.3.orig/tools/rgb2ycbcr.c tiff-4.0.3/tools/rgb2ycbcr.c +--- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2011-05-31 13:03:16.000000000 -0400 ++++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-05-02 12:02:42.785287961 -0400 +@@ -332,7 +332,8 @@ + TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); + { char buf[2048]; + char *cp = strrchr(TIFFFileName(in), '/'); +- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); ++ snprintf(buf, sizeof(buf), "YCbCr conversion of %s", ++ cp ? cp+1 : TIFFFileName(in)); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); + } + TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); +diff -Naur tiff-4.0.3.orig/tools/tiff2bw.c tiff-4.0.3/tools/tiff2bw.c +--- tiff-4.0.3.orig/tools/tiff2bw.c 2010-07-08 12:10:24.000000000 -0400 ++++ tiff-4.0.3/tools/tiff2bw.c 2013-05-02 12:02:42.785287961 -0400 +@@ -205,7 +205,7 @@ + } + } + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); +- sprintf(thing, "B&W version of %s", argv[optind]); ++ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); + outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); +diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c +--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 ++++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:02:42.788287983 -0400 +@@ -3609,7 +3609,9 @@ + char buffer[16]; + int buflen=0; + +- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); ++ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", ++ t2p->pdf_majorversion&0xff, ++ t2p->pdf_minorversion&0xff); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); + +@@ -3623,10 +3625,10 @@ + tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + +- buflen=sprintf(buffer, "%lu", (unsigned long)number); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); + written += t2pWriteFile(output, (tdata_t) buffer, buflen ); + written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); + +@@ -3665,13 +3667,13 @@ + written += t2pWriteFile(output, (tdata_t) "/", 1); + for (i=0;i 0x7E){ +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + nextchar=1; +@@ -3679,57 +3681,57 @@ + if (nextchar==0){ + switch (name[i]){ + case 0x23: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x25: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x28: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x29: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x2F: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x3C: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x3E: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x5B: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x5D: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x7B: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x7D: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; +@@ -3844,14 +3846,14 @@ + tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "/Length ", 8); + if(len!=0){ + written += t2p_write_pdf_stream_length(len, output); + } else { +- buflen=sprintf(buffer, "%lu", (unsigned long)number); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + } +@@ -3892,10 +3894,10 @@ + tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + +- buflen=sprintf(buffer, "%lu", (unsigned long)len); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n", 1); + +@@ -3909,7 +3911,7 @@ + tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output) + { + tsize_t written = 0; +- char buffer[16]; ++ char buffer[32]; + int buflen = 0; + + written += t2pWriteFile(output, +@@ -3948,7 +3950,6 @@ + written += t2p_write_pdf_string(t2p->pdf_datetime, output); + } + written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); +- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); + snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); + written += t2p_write_pdf_string(buffer, output); + written += t2pWriteFile(output, (tdata_t) "\n", 1); +@@ -4089,7 +4090,7 @@ + { + tsize_t written=0; + tdir_t i=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + int page=0; +@@ -4097,7 +4098,7 @@ + (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); + page = t2p->pdf_pages+1; + for (i=0;itiff_pagecount;i++){ +- buflen=sprintf(buffer, "%d", page); ++ buflen=snprintf(buffer, sizeof(buffer), "%d", page); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); + if ( ((i+1)%8)==0 ) { +@@ -4112,8 +4113,7 @@ + } + } + written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); ++ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); + +@@ -4128,28 +4128,28 @@ + + unsigned int i=0; + tsize_t written=0; +- char buffer[16]; ++ char buffer[256]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "] \n", 3); + written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); +- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); +@@ -4157,15 +4157,13 @@ + written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); + for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ + written += t2pWriteFile(output, (tdata_t) "/Im", 3); +- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "_", 1); +- buflen = sprintf(buffer, "%u", i+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4177,12 +4175,10 @@ + } else { + written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); + written += t2pWriteFile(output, (tdata_t) "/Im", 3); +- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4191,9 +4187,7 @@ + if(t2p->tiff_transferfunctioncount != 0) { + written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); + t2pWriteFile(output, (tdata_t) "/GS1 ", 5); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object + 3)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4566,7 +4560,7 @@ + if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ + for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ + box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; +- buflen=sprintf(buffer, ++ buflen=snprintf(buffer, sizeof(buffer), + "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", + t2p->tiff_transferfunctioncount?"/GS1 gs ":"", + box.mat[0], +@@ -4581,7 +4575,7 @@ + } + } else { + box=t2p->pdf_imagebox; +- buflen=sprintf(buffer, ++ buflen=snprintf(buffer, sizeof(buffer), + "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", + t2p->tiff_transferfunctioncount?"/GS1 gs ":"", + box.mat[0], +@@ -4606,59 +4600,48 @@ + TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); + written += t2pWriteFile(output, + (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", + 42); +- buflen=sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + if(tile != 0){ + written += t2pWriteFile(output, (tdata_t) "_", 1); +- buflen=sprintf(buffer, "%lu", (unsigned long)tile); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } + written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); + if(tile==0){ +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); + } else { + if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); + } else { +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); + } + } + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); + if(tile==0){ +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); + } else { + if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); + } else { +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); + } + } + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); + written += t2p_write_pdf_xobject_cs(t2p, output); +@@ -4702,11 +4685,10 @@ + t2p->pdf_colorspace ^= T2P_CS_PALETTE; + written += t2p_write_pdf_xobject_cs(t2p, output); + t2p->pdf_colorspace |= T2P_CS_PALETTE; +- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); + return(written); +@@ -4740,10 +4722,10 @@ + X_W /= Y_W; + Z_W /= Y_W; + Y_W = 1.0F; +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Range ", 7); +- buflen=sprintf(buffer, "[%d %d %d %d] \n", ++ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", + t2p->pdf_labrange[0], + t2p->pdf_labrange[1], + t2p->pdf_labrange[2], +@@ -4759,26 +4741,26 @@ + tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); + if(t2p->tiff_transferfunctioncount == 1){ +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); + } else { + written += t2pWriteFile(output, (tdata_t) "[ ", 2); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 2)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 3)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4800,7 +4782,7 @@ + written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); + written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); + written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); +- buflen=sprintf(buffer, "/Size [%u] \n", (1<tiff_bitspersample)); ++ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<tiff_bitspersample)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); + written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output); +@@ -4827,7 +4809,7 @@ + tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[128]; ++ char buffer[256]; + int buflen=0; + + float X_W=0.0; +@@ -4895,16 +4877,16 @@ + written += t2pWriteFile(output, (tdata_t) "<< \n", 4); + if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ + written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); + } + if(t2p->pdf_colorspace & T2P_CS_CALRGB){ + written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", + X_R, Y_R, Z_R, + X_G, Y_G, Z_G, + X_B, Y_B, Z_B); +@@ -4923,11 +4905,11 @@ + tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); + +@@ -4937,11 +4919,11 @@ + tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "/N ", 3); +- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); ++ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); + t2p->pdf_colorspace ^= T2P_CS_ICCBASED; +@@ -5006,7 +4988,7 @@ + tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + if(t2p->pdf_compression==T2P_COMPRESS_NONE){ +@@ -5021,41 +5003,33 @@ + written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); + if(tile==0){ + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_width); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_length); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } + if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } +@@ -5082,21 +5056,17 @@ + if(t2p->pdf_compressionquality%100){ + written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); + written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); +- _TIFFmemset(buffer, 0x00, 16); +- buflen = sprintf(buffer, "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_width); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) ">>\n", 3); + } +@@ -5116,16 +5086,16 @@ + tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[21]; ++ char buffer[64]; + int buflen=0; + uint32 i=0; + + written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); +- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); + for (i=0;ipdf_xrefcount;i++){ +- sprintf(buffer, "%.10lu 00000 n \n", ++ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", + (unsigned long)t2p->pdf_xrefoffsets[i]); + written += t2pWriteFile(output, (tdata_t) buffer, 20); + } +@@ -5149,17 +5119,14 @@ + snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand()); + + written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); +- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); + written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, + sizeof(t2p->pdf_fileid) - 1); +@@ -5167,9 +5134,8 @@ + written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, + sizeof(t2p->pdf_fileid) - 1); + written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); + + return(written); +diff -Naur tiff-4.0.3.orig/tools/tiff2ps.c tiff-4.0.3/tools/tiff2ps.c +--- tiff-4.0.3.orig/tools/tiff2ps.c 2011-05-31 13:10:18.000000000 -0400 ++++ tiff-4.0.3/tools/tiff2ps.c 2013-05-02 12:02:42.789287990 -0400 +@@ -1781,8 +1781,8 @@ + imageOp = "imagemask"; + + (void)strcpy(im_x, "0"); +- (void)sprintf(im_y, "%lu", (long) h); +- (void)sprintf(im_h, "%lu", (long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); ++ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); + tile_width = w; + tile_height = h; + if (TIFFIsTiled(tif)) { +@@ -1803,7 +1803,7 @@ + } + if (tile_height < h) { + fputs("/im_y 0 def\n", fd); +- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); + } + } else { + repeat_count = tf_numberstrips; +@@ -1815,7 +1815,7 @@ + fprintf(fd, "/im_h %lu def\n", + (unsigned long) tile_height); + (void)strcpy(im_h, "im_h"); +- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); + } + } + +diff -Naur tiff-4.0.3.orig/tools/tiffcrop.c tiff-4.0.3/tools/tiffcrop.c +--- tiff-4.0.3.orig/tools/tiffcrop.c 2010-12-14 09:18:28.000000000 -0500 ++++ tiff-4.0.3/tools/tiffcrop.c 2013-05-02 12:02:42.791288005 -0400 +@@ -2077,7 +2077,7 @@ + return 1; + } + +- sprintf (filenum, "-%03d%s", findex, export_ext); ++ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); + filenum[14] = '\0'; + strncat (exportname, filenum, 15); + } +@@ -2230,8 +2230,8 @@ + + /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes + fewer than PATH_MAX */ +- memset (temp_filename, '\0', PATH_MAX + 1); +- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images, ++ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", ++ dump.infilename, dump_images, + (dump.format == DUMP_TEXT) ? "txt" : "raw"); + if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) + { +@@ -2249,8 +2249,8 @@ + + /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes + fewer than PATH_MAX */ +- memset (temp_filename, '\0', PATH_MAX + 1); +- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, ++ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", ++ dump.outfilename, dump_images, + (dump.format == DUMP_TEXT) ? "txt" : "raw"); + if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) + { +diff -Naur tiff-4.0.3.orig/tools/tiffdither.c tiff-4.0.3/tools/tiffdither.c +--- tiff-4.0.3.orig/tools/tiffdither.c 2010-03-10 13:56:50.000000000 -0500 ++++ tiff-4.0.3/tools/tiffdither.c 2013-05-02 12:02:42.792288013 -0400 +@@ -260,7 +260,7 @@ + TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); + else + CopyField(TIFFTAG_FILLORDER, shortv); +- sprintf(thing, "Dithered B&W version of %s", argv[optind]); ++ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + CopyField(TIFFTAG_PHOTOMETRIC, shortv); + CopyField(TIFFTAG_ORIENTATION, shortv); diff --git a/libtiff-CVE-2013-4231.patch b/libtiff-CVE-2013-4231.patch new file mode 100644 index 0000000..8ae1e12 --- /dev/null +++ b/libtiff-CVE-2013-4231.patch @@ -0,0 +1,15 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 17f7a19..375b152 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -333,6 +333,10 @@ readraster(void) + int status = 1; + + datasize = getc(infile); ++ ++ if (datasize > 12) ++ return 0; ++ + clear = 1 << datasize; + eoi = clear + 1; + avail = clear + 2; diff --git a/libtiff-CVE-2013-4232.patch b/libtiff-CVE-2013-4232.patch new file mode 100644 index 0000000..cec322f --- /dev/null +++ b/libtiff-CVE-2013-4232.patch @@ -0,0 +1,12 @@ +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 92a1a3d..312a946 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){ + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + _TIFFfree(buffer); ++ return(0); + } else { + buffer=samplebuffer; + t2p->tiff_datasize *= t2p->tiff_samplesperpixel; diff --git a/libtiff-CVE-2013-4243.patch b/libtiff-CVE-2013-4243.patch new file mode 100644 index 0000000..c365d99 --- /dev/null +++ b/libtiff-CVE-2013-4243.patch @@ -0,0 +1,41 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 2731273..ca824e2 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -280,6 +280,10 @@ readgifimage(char* mode) + fprintf(stderr, "no colormap present for image\n"); + return (0); + } ++ if (width == 0 || height == 0) { ++ fprintf(stderr, "Invalid value of width or height\n"); ++ return(0); ++ } + if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { + fprintf(stderr, "not enough memory for image\n"); + return (0); +@@ -406,7 +410,11 @@ process(register int code, unsigned char** fill) + fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); + return 0; + } +- *(*fill)++ = suffix[code]; ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } ++ *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; + } +@@ -436,7 +444,11 @@ process(register int code, unsigned char** fill) + } + oldcode = incode; + do { +- *(*fill)++ = *--stackp; ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } ++ *(*fill)++ = *--stackp; + } while (stackp > stack); + return 1; + } diff --git a/libtiff-CVE-2013-4244.patch b/libtiff-CVE-2013-4244.patch new file mode 100644 index 0000000..792e076 --- /dev/null +++ b/libtiff-CVE-2013-4244.patch @@ -0,0 +1,15 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 375b152..2731273 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -402,6 +402,10 @@ process(register int code, unsigned char** fill) + } + + if (oldcode == -1) { ++ if (code >= clear) { ++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 429af51..2abdadc 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,12 +3,22 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.3 -Release: 3%{?dist} +Release: 4%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz +# Various CVE fixes +Patch0: libtiff-CVE-2012-4447.patch +Patch1: libtiff-CVE-2012-4564.patch +Patch2: libtiff-CVE-2013-1960.patch +Patch3: libtiff-CVE-2013-1961.patch +Patch4: libtiff-CVE-2013-4231.patch +Patch5: libtiff-CVE-2013-4232.patch +Patch6: libtiff-CVE-2013-4244.patch +Patch7: libtiff-CVE-2013-4243.patch + BuildArch: noarch BuildRequires: mingw32-zlib @@ -84,6 +94,14 @@ Static version of the MinGW Windows LibTIFF library. %prep %setup -q -n tiff-%{version} +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build @@ -140,6 +158,10 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu May 29 2014 Erik van Pienbroek - 4.0.3-4 +- Fix CVE-2013-4231, CVE-2013-4232, CVE-2013-4243, CVE-2013-4244 (RHBZ #996833) +- Fix CVE-2012-4447, CVE-2012-4564, CVE-2013-1960.patch, CVE-2013-1961 + * Sat Aug 03 2013 Fedora Release Engineering - 4.0.3-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild From 3d48eae2873089d15c5e2c147d7a28cd9c95f1f6 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sat, 7 Jun 2014 04:58:52 -0500 Subject: [PATCH 29/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 2abdadc..a809e4e 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.3 -Release: 4%{?dist} +Release: 5%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -158,6 +158,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Sat Jun 07 2014 Fedora Release Engineering - 4.0.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + * Thu May 29 2014 Erik van Pienbroek - 4.0.3-4 - Fix CVE-2013-4231, CVE-2013-4232, CVE-2013-4243, CVE-2013-4244 (RHBZ #996833) - Fix CVE-2012-4447, CVE-2012-4564, CVE-2013-1960.patch, CVE-2013-1961 From 95e563f0b045ff562c4bb4fab9ceec4e78901058 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Fri, 24 Apr 2015 18:04:35 +0200 Subject: [PATCH 30/56] Fix CVE-2014-9655 and CVE-2015-1547 (RHBZ #1190712) --- libtiff-CVE-2014-9655.patch | 34 ++++++++++++++++++++++++++++++++++ mingw-libtiff.spec | 10 +++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 libtiff-CVE-2014-9655.patch diff --git a/libtiff-CVE-2014-9655.patch b/libtiff-CVE-2014-9655.patch new file mode 100644 index 0000000..de90114 --- /dev/null +++ b/libtiff-CVE-2014-9655.patch @@ -0,0 +1,34 @@ +commit 26d8e9052f2226508d076f390162afb04d737bec +Author: erouault +Date: Sat Dec 27 15:20:42 2014 +0000 + + * libtiff/tif_dir.c: in TIFFDefaultDirectory(), reset any already existing + extented tags installed by user code through the extender mechaninm before + calling the extender callback (GDAL #5054) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index ab43a28..1a413df 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1322,8 +1322,20 @@ TIFFDefaultDirectory(TIFF* tif) + tif->tif_tagmethods.printdir = NULL; + /* + * Give client code a chance to install their own +- * tag extensions & methods, prior to compression overloads. ++ * tag extensions & methods, prior to compression overloads, ++ * but do some prior cleanup first. (http://trac.osgeo.org/gdal/ticket/5054) + */ ++ if (tif->tif_nfieldscompat > 0) { ++ uint32 i; ++ ++ for (i = 0; i < tif->tif_nfieldscompat; i++) { ++ if (tif->tif_fieldscompat[i].allocated_size) ++ _TIFFfree(tif->tif_fieldscompat[i].fields); ++ } ++ _TIFFfree(tif->tif_fieldscompat); ++ tif->tif_nfieldscompat = 0; ++ tif->tif_fieldscompat = NULL; ++ } + if (_TIFFextender) + (*_TIFFextender)(tif); + (void) TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE); diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index a809e4e..af82b06 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.3 -Release: 5%{?dist} +Release: 6%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -19,6 +19,10 @@ Patch5: libtiff-CVE-2013-4232.patch Patch6: libtiff-CVE-2013-4244.patch Patch7: libtiff-CVE-2013-4243.patch +# Also fixes CVE-2015-1547 according to +# https://bugzilla.redhat.com/show_bug.cgi?id=1190709#c3 +Patch8: libtiff-CVE-2014-9655.patch + BuildArch: noarch BuildRequires: mingw32-zlib @@ -102,6 +106,7 @@ Static version of the MinGW Windows LibTIFF library. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build @@ -158,6 +163,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Fri Apr 24 2015 Erik van Pienbroek - 4.0.3-6 +- Fix CVE-2014-9655 and CVE-2015-1547 (RHBZ #1190712) + * Sat Jun 07 2014 Fedora Release Engineering - 4.0.3-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild From a5be9fedfe4c160fc7276ef663f0fbc327a7238a Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Wed, 17 Jun 2015 20:28:17 +0000 Subject: [PATCH 31/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index af82b06..84c8f7f 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.3 -Release: 6%{?dist} +Release: 7%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -163,6 +163,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Wed Jun 17 2015 Fedora Release Engineering - 4.0.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + * Fri Apr 24 2015 Erik van Pienbroek - 4.0.3-6 - Fix CVE-2014-9655 and CVE-2015-1547 (RHBZ #1190712) From 6061f6a44260e79727098f65868fbc33d8602111 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 4 Feb 2016 08:17:15 +0000 Subject: [PATCH 32/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 84c8f7f..a971232 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.3 -Release: 7%{?dist} +Release: 8%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -163,6 +163,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu Feb 04 2016 Fedora Release Engineering - 4.0.3-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + * Wed Jun 17 2015 Fedora Release Engineering - 4.0.3-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild From 46568e58ac9579a71b42d481db4f4603bafe0781 Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Mon, 9 Jan 2017 15:55:00 -0600 Subject: [PATCH 33/56] Update to 4.0.7 --- .gitignore | 5 +- libtiff-CVE-2012-4447.patch | 40 -- libtiff-CVE-2012-4564.patch | 86 ---- libtiff-CVE-2013-1960.patch | 145 ------- libtiff-CVE-2013-1961.patch | 759 ------------------------------------ libtiff-CVE-2013-4231.patch | 15 - libtiff-CVE-2013-4232.patch | 12 - libtiff-CVE-2013-4243.patch | 41 -- libtiff-CVE-2013-4244.patch | 15 - libtiff-CVE-2014-9655.patch | 34 -- mingw-libtiff.spec | 38 +- sources | 2 +- 12 files changed, 11 insertions(+), 1181 deletions(-) delete mode 100644 libtiff-CVE-2012-4447.patch delete mode 100644 libtiff-CVE-2012-4564.patch delete mode 100644 libtiff-CVE-2013-1960.patch delete mode 100644 libtiff-CVE-2013-1961.patch delete mode 100644 libtiff-CVE-2013-4231.patch delete mode 100644 libtiff-CVE-2013-4232.patch delete mode 100644 libtiff-CVE-2013-4243.patch delete mode 100644 libtiff-CVE-2013-4244.patch delete mode 100644 libtiff-CVE-2014-9655.patch diff --git a/.gitignore b/.gitignore index b3689f3..3010a1c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1 @@ -tiff-3.9.4.tar.gz -/tiff-3.9.5.tar.gz -/tiff-4.0.2.tar.gz -/tiff-4.0.3.tar.gz +/tiff-4.0.7.tar.gz diff --git a/libtiff-CVE-2012-4447.patch b/libtiff-CVE-2012-4447.patch deleted file mode 100644 index ebf9a00..0000000 --- a/libtiff-CVE-2012-4447.patch +++ /dev/null @@ -1,40 +0,0 @@ -Upstream patch for CVE-2012-4447. - - -diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c ---- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400 -+++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500 -@@ -644,6 +644,20 @@ - return bytes; - } - -+static tmsize_t -+add_ms(tmsize_t m1, tmsize_t m2) -+{ -+ tmsize_t bytes = m1 + m2; -+ -+ /* if either input is zero, assume overflow already occurred */ -+ if (m1 == 0 || m2 == 0) -+ bytes = 0; -+ else if (bytes <= m1 || bytes <= m2) -+ bytes = 0; -+ -+ return bytes; -+} -+ - static int - PixarLogFixupTags(TIFF* tif) - { -@@ -671,9 +685,11 @@ - td->td_samplesperpixel : 1); - tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), - td->td_rowsperstrip), sizeof(uint16)); -+ /* add one more stride in case input ends mid-stride */ -+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); - if (tbuf_size == 0) - return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ -- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); -+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); - if (sp->tbuf == NULL) - return (0); - if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) diff --git a/libtiff-CVE-2012-4564.patch b/libtiff-CVE-2012-4564.patch deleted file mode 100644 index 3d7946c..0000000 --- a/libtiff-CVE-2012-4564.patch +++ /dev/null @@ -1,86 +0,0 @@ -Upstream patch for CVE-2012-4564. - - -diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c ---- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400 -+++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500 -@@ -72,6 +72,17 @@ - exit(-2); - } - -+static tmsize_t -+multiply_ms(tmsize_t m1, tmsize_t m2) -+{ -+ tmsize_t bytes = m1 * m2; -+ -+ if (m1 && bytes / m1 != m2) -+ bytes = 0; -+ -+ return bytes; -+} -+ - int - main(int argc, char* argv[]) - { -@@ -79,7 +90,7 @@ - uint32 rowsperstrip = (uint32) -1; - double resolution = -1; - unsigned char *buf = NULL; -- tsize_t linebytes = 0; -+ tmsize_t linebytes = 0; - uint16 spp = 1; - uint16 bpp = 8; - TIFF *out; -@@ -89,6 +100,7 @@ - int c; - extern int optind; - extern char* optarg; -+ tmsize_t scanline_size; - - if (argc < 2) { - fprintf(stderr, "%s: Too few arguments\n", argv[0]); -@@ -221,7 +233,8 @@ - } - switch (bpp) { - case 1: -- linebytes = (spp * w + (8 - 1)) / 8; -+ /* if round-up overflows, result will be zero, OK */ -+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; - if (rowsperstrip == (uint32) -1) { - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); - } else { -@@ -230,15 +243,31 @@ - } - break; - case 8: -- linebytes = spp * w; -+ linebytes = multiply_ms(spp, w); - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, - TIFFDefaultStripSize(out, rowsperstrip)); - break; - } -- if (TIFFScanlineSize(out) > linebytes) -+ if (linebytes == 0) { -+ fprintf(stderr, "%s: scanline size overflow\n", infile); -+ (void) TIFFClose(out); -+ exit(-2); -+ } -+ scanline_size = TIFFScanlineSize(out); -+ if (scanline_size == 0) { -+ /* overflow - TIFFScanlineSize already printed a message */ -+ (void) TIFFClose(out); -+ exit(-2); -+ } -+ if (scanline_size < linebytes) - buf = (unsigned char *)_TIFFmalloc(linebytes); - else -- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -+ buf = (unsigned char *)_TIFFmalloc(scanline_size); -+ if (buf == NULL) { -+ fprintf(stderr, "%s: Not enough memory\n", infile); -+ (void) TIFFClose(out); -+ exit(-2); -+ } - if (resolution > 0) { - TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); - TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); diff --git a/libtiff-CVE-2013-1960.patch b/libtiff-CVE-2013-1960.patch deleted file mode 100644 index 1c8dfb7..0000000 --- a/libtiff-CVE-2013-1960.patch +++ /dev/null @@ -1,145 +0,0 @@ -diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c ---- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 -+++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400 -@@ -3341,33 +3341,56 @@ - uint32 height){ - - tsize_t i=0; -- uint16 ri =0; -- uint16 v_samp=1; -- uint16 h_samp=1; -- int j=0; -- -- i++; -- -- while(i<(*striplength)){ -+ -+ while (i < *striplength) { -+ tsize_t datalen; -+ uint16 ri; -+ uint16 v_samp; -+ uint16 h_samp; -+ int j; -+ int ncomp; -+ -+ /* marker header: one or more FFs */ -+ if (strip[i] != 0xff) -+ return(0); -+ i++; -+ while (i < *striplength && strip[i] == 0xff) -+ i++; -+ if (i >= *striplength) -+ return(0); -+ /* SOI is the only pre-SOS marker without a length word */ -+ if (strip[i] == 0xd8) -+ datalen = 0; -+ else { -+ if ((*striplength - i) <= 2) -+ return(0); -+ datalen = (strip[i+1] << 8) | strip[i+2]; -+ if (datalen < 2 || datalen >= (*striplength - i)) -+ return(0); -+ } - switch( strip[i] ){ -- case 0xd8: -- /* SOI - start of image */ -+ case 0xd8: /* SOI - start of image */ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); - *bufferoffset+=2; -- i+=2; - break; -- case 0xc0: -- case 0xc1: -- case 0xc3: -- case 0xc9: -- case 0xca: -+ case 0xc0: /* SOF0 */ -+ case 0xc1: /* SOF1 */ -+ case 0xc3: /* SOF3 */ -+ case 0xc9: /* SOF9 */ -+ case 0xca: /* SOF10 */ - if(no==0){ -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- for(j=0;j>4) > h_samp) -- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); -- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) -- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ ncomp = buffer[*bufferoffset+9]; -+ if (ncomp < 1 || ncomp > 4) -+ return(0); -+ v_samp=1; -+ h_samp=1; -+ for(j=0;j>4) > h_samp) -+ h_samp = (samp>>4); -+ if( (samp & 0x0f) > v_samp) -+ v_samp = (samp & 0x0f); - } - v_samp*=8; - h_samp*=8; -@@ -3381,45 +3404,43 @@ - (unsigned char) ((height>>8) & 0xff); - buffer[*bufferoffset+6]= - (unsigned char) (height & 0xff); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -- -+ *bufferoffset+=datalen+2; -+ /* insert a DRI marker */ - buffer[(*bufferoffset)++]=0xff; - buffer[(*bufferoffset)++]=0xdd; - buffer[(*bufferoffset)++]=0x00; - buffer[(*bufferoffset)++]=0x04; - buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; - buffer[(*bufferoffset)++]= ri & 0xff; -- } else { -- i+=strip[i+2]+2; - } - break; -- case 0xc4: -- case 0xdb: -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -+ case 0xc4: /* DHT */ -+ case 0xdb: /* DQT */ -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ *bufferoffset+=datalen+2; - break; -- case 0xda: -+ case 0xda: /* SOS */ - if(no==0){ -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ *bufferoffset+=datalen+2; - } else { - buffer[(*bufferoffset)++]=0xff; - buffer[(*bufferoffset)++]= - (unsigned char)(0xd0 | ((no-1)%8)); -- i+=strip[i+2]+2; - } -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); -- *bufferoffset+=(*striplength)-i-1; -+ i += datalen + 1; -+ /* copy remainder of strip */ -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); -+ *bufferoffset+= *striplength - i; - return(1); - default: -- i+=strip[i+2]+2; -+ /* ignore any other marker */ -+ break; - } -+ i += datalen + 1; - } -- - -+ /* failed to find SOS marker */ - return(0); - } - #endif diff --git a/libtiff-CVE-2013-1961.patch b/libtiff-CVE-2013-1961.patch deleted file mode 100644 index 0ea9b52..0000000 --- a/libtiff-CVE-2013-1961.patch +++ /dev/null @@ -1,759 +0,0 @@ -diff -Naur tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c tiff-4.0.3/contrib/dbs/xtiff/xtiff.c ---- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2010-06-08 14:55:15.000000000 -0400 -+++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-05-02 12:02:42.782287939 -0400 -@@ -512,9 +512,9 @@ - Arg args[1]; - - if (tfMultiPage) -- sprintf(buffer, "%s - page %d", fileName, tfDirectory); -+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); - else -- strcpy(buffer, fileName); -+ snprintf(buffer, sizeof(buffer), "%s", fileName); - XtSetArg(args[0], XtNlabel, buffer); - XtSetValues(labelWidget, args, 1); - } -diff -Naur tiff-4.0.3.orig/libtiff/tif_codec.c tiff-4.0.3/libtiff/tif_codec.c ---- tiff-4.0.3.orig/libtiff/tif_codec.c 2010-12-14 09:18:28.000000000 -0500 -+++ tiff-4.0.3/libtiff/tif_codec.c 2013-05-02 12:02:42.783287946 -0400 -@@ -108,7 +108,8 @@ - const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); - char compression_code[20]; - -- sprintf( compression_code, "%d", tif->tif_dir.td_compression ); -+ snprintf(compression_code, sizeof(compression_code), "%d", -+ tif->tif_dir.td_compression ); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s compression support is not configured", - c ? c->name : compression_code ); -diff -Naur tiff-4.0.3.orig/libtiff/tif_dirinfo.c tiff-4.0.3/libtiff/tif_dirinfo.c ---- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2012-08-19 12:56:34.000000000 -0400 -+++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-05-02 12:02:42.784287953 -0400 -@@ -711,7 +711,7 @@ - * note that this name is a special sign to TIFFClose() and - * _TIFFSetupFields() to free the field - */ -- sprintf(fld->field_name, "Tag %d", (int) tag); -+ snprintf(fld->field_name, 32, "Tag %d", (int) tag); - - return fld; - } -diff -Naur tiff-4.0.3.orig/tools/rgb2ycbcr.c tiff-4.0.3/tools/rgb2ycbcr.c ---- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2011-05-31 13:03:16.000000000 -0400 -+++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-05-02 12:02:42.785287961 -0400 -@@ -332,7 +332,8 @@ - TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); - { char buf[2048]; - char *cp = strrchr(TIFFFileName(in), '/'); -- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); -+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s", -+ cp ? cp+1 : TIFFFileName(in)); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); - } - TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); -diff -Naur tiff-4.0.3.orig/tools/tiff2bw.c tiff-4.0.3/tools/tiff2bw.c ---- tiff-4.0.3.orig/tools/tiff2bw.c 2010-07-08 12:10:24.000000000 -0400 -+++ tiff-4.0.3/tools/tiff2bw.c 2013-05-02 12:02:42.785287961 -0400 -@@ -205,7 +205,7 @@ - } - } - TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); -- sprintf(thing, "B&W version of %s", argv[optind]); -+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); - TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); - outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c ---- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 -+++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:02:42.788287983 -0400 -@@ -3609,7 +3609,9 @@ - char buffer[16]; - int buflen=0; - -- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); -+ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", -+ t2p->pdf_majorversion&0xff, -+ t2p->pdf_minorversion&0xff); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); - -@@ -3623,10 +3625,10 @@ - tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - -- buflen=sprintf(buffer, "%lu", (unsigned long)number); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); - written += t2pWriteFile(output, (tdata_t) buffer, buflen ); - written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); - -@@ -3665,13 +3667,13 @@ - written += t2pWriteFile(output, (tdata_t) "/", 1); - for (i=0;i 0x7E){ -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - nextchar=1; -@@ -3679,57 +3681,57 @@ - if (nextchar==0){ - switch (name[i]){ - case 0x23: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x25: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x28: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x29: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x2F: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x3C: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x3E: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x5B: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x5D: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x7B: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x7D: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; -@@ -3844,14 +3846,14 @@ - tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "/Length ", 8); - if(len!=0){ - written += t2p_write_pdf_stream_length(len, output); - } else { -- buflen=sprintf(buffer, "%lu", (unsigned long)number); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - } -@@ -3892,10 +3894,10 @@ - tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - -- buflen=sprintf(buffer, "%lu", (unsigned long)len); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n", 1); - -@@ -3909,7 +3911,7 @@ - tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output) - { - tsize_t written = 0; -- char buffer[16]; -+ char buffer[32]; - int buflen = 0; - - written += t2pWriteFile(output, -@@ -3948,7 +3950,6 @@ - written += t2p_write_pdf_string(t2p->pdf_datetime, output); - } - written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); -- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); - snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); - written += t2p_write_pdf_string(buffer, output); - written += t2pWriteFile(output, (tdata_t) "\n", 1); -@@ -4089,7 +4090,7 @@ - { - tsize_t written=0; - tdir_t i=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - int page=0; -@@ -4097,7 +4098,7 @@ - (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); - page = t2p->pdf_pages+1; - for (i=0;itiff_pagecount;i++){ -- buflen=sprintf(buffer, "%d", page); -+ buflen=snprintf(buffer, sizeof(buffer), "%d", page); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - if ( ((i+1)%8)==0 ) { -@@ -4112,8 +4113,7 @@ - } - } - written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); -+ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); - -@@ -4128,28 +4128,28 @@ - - unsigned int i=0; - tsize_t written=0; -- char buffer[16]; -+ char buffer[256]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "] \n", 3); - written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); -- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); -@@ -4157,15 +4157,13 @@ - written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); - for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ - written += t2pWriteFile(output, (tdata_t) "/Im", 3); -- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "_", 1); -- buflen = sprintf(buffer, "%u", i+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4177,12 +4175,10 @@ - } else { - written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); - written += t2pWriteFile(output, (tdata_t) "/Im", 3); -- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4191,9 +4187,7 @@ - if(t2p->tiff_transferfunctioncount != 0) { - written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); - t2pWriteFile(output, (tdata_t) "/GS1 ", 5); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object + 3)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4566,7 +4560,7 @@ - if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ - for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ - box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; -- buflen=sprintf(buffer, -+ buflen=snprintf(buffer, sizeof(buffer), - "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", - t2p->tiff_transferfunctioncount?"/GS1 gs ":"", - box.mat[0], -@@ -4581,7 +4575,7 @@ - } - } else { - box=t2p->pdf_imagebox; -- buflen=sprintf(buffer, -+ buflen=snprintf(buffer, sizeof(buffer), - "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", - t2p->tiff_transferfunctioncount?"/GS1 gs ":"", - box.mat[0], -@@ -4606,59 +4600,48 @@ - TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); - written += t2pWriteFile(output, - (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", - 42); -- buflen=sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - if(tile != 0){ - written += t2pWriteFile(output, (tdata_t) "_", 1); -- buflen=sprintf(buffer, "%lu", (unsigned long)tile); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } - written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); - if(tile==0){ -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); - } else { - if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); - } else { -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); - } - } - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); - if(tile==0){ -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); - } else { - if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); - } else { -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); - } - } - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); - written += t2p_write_pdf_xobject_cs(t2p, output); -@@ -4702,11 +4685,10 @@ - t2p->pdf_colorspace ^= T2P_CS_PALETTE; - written += t2p_write_pdf_xobject_cs(t2p, output); - t2p->pdf_colorspace |= T2P_CS_PALETTE; -- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); - return(written); -@@ -4740,10 +4722,10 @@ - X_W /= Y_W; - Z_W /= Y_W; - Y_W = 1.0F; -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Range ", 7); -- buflen=sprintf(buffer, "[%d %d %d %d] \n", -+ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", - t2p->pdf_labrange[0], - t2p->pdf_labrange[1], - t2p->pdf_labrange[2], -@@ -4759,26 +4741,26 @@ - tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); - if(t2p->tiff_transferfunctioncount == 1){ -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - } else { - written += t2pWriteFile(output, (tdata_t) "[ ", 2); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 2)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 3)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4800,7 +4782,7 @@ - written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); - written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); - written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); -- buflen=sprintf(buffer, "/Size [%u] \n", (1<tiff_bitspersample)); -+ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<tiff_bitspersample)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); - written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output); -@@ -4827,7 +4809,7 @@ - tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[128]; -+ char buffer[256]; - int buflen=0; - - float X_W=0.0; -@@ -4895,16 +4877,16 @@ - written += t2pWriteFile(output, (tdata_t) "<< \n", 4); - if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ - written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); - } - if(t2p->pdf_colorspace & T2P_CS_CALRGB){ - written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", - X_R, Y_R, Z_R, - X_G, Y_G, Z_G, - X_B, Y_B, Z_B); -@@ -4923,11 +4905,11 @@ - tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); - -@@ -4937,11 +4919,11 @@ - tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "/N ", 3); -- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); -+ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); - t2p->pdf_colorspace ^= T2P_CS_ICCBASED; -@@ -5006,7 +4988,7 @@ - tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - if(t2p->pdf_compression==T2P_COMPRESS_NONE){ -@@ -5021,41 +5003,33 @@ - written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); - if(tile==0){ - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_width); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_length); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } - if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } -@@ -5082,21 +5056,17 @@ - if(t2p->pdf_compressionquality%100){ - written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); - written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); -- _TIFFmemset(buffer, 0x00, 16); -- buflen = sprintf(buffer, "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_width); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) ">>\n", 3); - } -@@ -5116,16 +5086,16 @@ - tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[21]; -+ char buffer[64]; - int buflen=0; - uint32 i=0; - - written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); -- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); - for (i=0;ipdf_xrefcount;i++){ -- sprintf(buffer, "%.10lu 00000 n \n", -+ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", - (unsigned long)t2p->pdf_xrefoffsets[i]); - written += t2pWriteFile(output, (tdata_t) buffer, 20); - } -@@ -5149,17 +5119,14 @@ - snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand()); - - written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); -- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); - written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, - sizeof(t2p->pdf_fileid) - 1); -@@ -5167,9 +5134,8 @@ - written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, - sizeof(t2p->pdf_fileid) - 1); - written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); - - return(written); -diff -Naur tiff-4.0.3.orig/tools/tiff2ps.c tiff-4.0.3/tools/tiff2ps.c ---- tiff-4.0.3.orig/tools/tiff2ps.c 2011-05-31 13:10:18.000000000 -0400 -+++ tiff-4.0.3/tools/tiff2ps.c 2013-05-02 12:02:42.789287990 -0400 -@@ -1781,8 +1781,8 @@ - imageOp = "imagemask"; - - (void)strcpy(im_x, "0"); -- (void)sprintf(im_y, "%lu", (long) h); -- (void)sprintf(im_h, "%lu", (long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); -+ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); - tile_width = w; - tile_height = h; - if (TIFFIsTiled(tif)) { -@@ -1803,7 +1803,7 @@ - } - if (tile_height < h) { - fputs("/im_y 0 def\n", fd); -- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); - } - } else { - repeat_count = tf_numberstrips; -@@ -1815,7 +1815,7 @@ - fprintf(fd, "/im_h %lu def\n", - (unsigned long) tile_height); - (void)strcpy(im_h, "im_h"); -- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); - } - } - -diff -Naur tiff-4.0.3.orig/tools/tiffcrop.c tiff-4.0.3/tools/tiffcrop.c ---- tiff-4.0.3.orig/tools/tiffcrop.c 2010-12-14 09:18:28.000000000 -0500 -+++ tiff-4.0.3/tools/tiffcrop.c 2013-05-02 12:02:42.791288005 -0400 -@@ -2077,7 +2077,7 @@ - return 1; - } - -- sprintf (filenum, "-%03d%s", findex, export_ext); -+ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); - filenum[14] = '\0'; - strncat (exportname, filenum, 15); - } -@@ -2230,8 +2230,8 @@ - - /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes - fewer than PATH_MAX */ -- memset (temp_filename, '\0', PATH_MAX + 1); -- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images, -+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", -+ dump.infilename, dump_images, - (dump.format == DUMP_TEXT) ? "txt" : "raw"); - if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) - { -@@ -2249,8 +2249,8 @@ - - /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes - fewer than PATH_MAX */ -- memset (temp_filename, '\0', PATH_MAX + 1); -- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, -+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", -+ dump.outfilename, dump_images, - (dump.format == DUMP_TEXT) ? "txt" : "raw"); - if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) - { -diff -Naur tiff-4.0.3.orig/tools/tiffdither.c tiff-4.0.3/tools/tiffdither.c ---- tiff-4.0.3.orig/tools/tiffdither.c 2010-03-10 13:56:50.000000000 -0500 -+++ tiff-4.0.3/tools/tiffdither.c 2013-05-02 12:02:42.792288013 -0400 -@@ -260,7 +260,7 @@ - TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); - else - CopyField(TIFFTAG_FILLORDER, shortv); -- sprintf(thing, "Dithered B&W version of %s", argv[optind]); -+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); - CopyField(TIFFTAG_PHOTOMETRIC, shortv); - CopyField(TIFFTAG_ORIENTATION, shortv); diff --git a/libtiff-CVE-2013-4231.patch b/libtiff-CVE-2013-4231.patch deleted file mode 100644 index 8ae1e12..0000000 --- a/libtiff-CVE-2013-4231.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c -index 17f7a19..375b152 100644 ---- a/tools/gif2tiff.c -+++ b/tools/gif2tiff.c -@@ -333,6 +333,10 @@ readraster(void) - int status = 1; - - datasize = getc(infile); -+ -+ if (datasize > 12) -+ return 0; -+ - clear = 1 << datasize; - eoi = clear + 1; - avail = clear + 2; diff --git a/libtiff-CVE-2013-4232.patch b/libtiff-CVE-2013-4232.patch deleted file mode 100644 index cec322f..0000000 --- a/libtiff-CVE-2013-4232.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index 92a1a3d..312a946 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){ - TIFFFileName(input)); - t2p->t2p_error = T2P_ERR_ERROR; - _TIFFfree(buffer); -+ return(0); - } else { - buffer=samplebuffer; - t2p->tiff_datasize *= t2p->tiff_samplesperpixel; diff --git a/libtiff-CVE-2013-4243.patch b/libtiff-CVE-2013-4243.patch deleted file mode 100644 index c365d99..0000000 --- a/libtiff-CVE-2013-4243.patch +++ /dev/null @@ -1,41 +0,0 @@ -diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c -index 2731273..ca824e2 100644 ---- a/tools/gif2tiff.c -+++ b/tools/gif2tiff.c -@@ -280,6 +280,10 @@ readgifimage(char* mode) - fprintf(stderr, "no colormap present for image\n"); - return (0); - } -+ if (width == 0 || height == 0) { -+ fprintf(stderr, "Invalid value of width or height\n"); -+ return(0); -+ } - if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { - fprintf(stderr, "not enough memory for image\n"); - return (0); -@@ -406,7 +410,11 @@ process(register int code, unsigned char** fill) - fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); - return 0; - } -- *(*fill)++ = suffix[code]; -+ if (*fill >= raster + width*height) { -+ fprintf(stderr, "raster full before eoi code\n"); -+ return 0; -+ } -+ *(*fill)++ = suffix[code]; - firstchar = oldcode = code; - return 1; - } -@@ -436,7 +444,11 @@ process(register int code, unsigned char** fill) - } - oldcode = incode; - do { -- *(*fill)++ = *--stackp; -+ if (*fill >= raster + width*height) { -+ fprintf(stderr, "raster full before eoi code\n"); -+ return 0; -+ } -+ *(*fill)++ = *--stackp; - } while (stackp > stack); - return 1; - } diff --git a/libtiff-CVE-2013-4244.patch b/libtiff-CVE-2013-4244.patch deleted file mode 100644 index 792e076..0000000 --- a/libtiff-CVE-2013-4244.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c -index 375b152..2731273 100644 ---- a/tools/gif2tiff.c -+++ b/tools/gif2tiff.c -@@ -402,6 +402,10 @@ process(register int code, unsigned char** fill) - } - - if (oldcode == -1) { -+ if (code >= clear) { -+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); -+ return 0; -+ } - *(*fill)++ = suffix[code]; - firstchar = oldcode = code; - return 1; diff --git a/libtiff-CVE-2014-9655.patch b/libtiff-CVE-2014-9655.patch deleted file mode 100644 index de90114..0000000 --- a/libtiff-CVE-2014-9655.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit 26d8e9052f2226508d076f390162afb04d737bec -Author: erouault -Date: Sat Dec 27 15:20:42 2014 +0000 - - * libtiff/tif_dir.c: in TIFFDefaultDirectory(), reset any already existing - extented tags installed by user code through the extender mechaninm before - calling the extender callback (GDAL #5054) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index ab43a28..1a413df 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -1322,8 +1322,20 @@ TIFFDefaultDirectory(TIFF* tif) - tif->tif_tagmethods.printdir = NULL; - /* - * Give client code a chance to install their own -- * tag extensions & methods, prior to compression overloads. -+ * tag extensions & methods, prior to compression overloads, -+ * but do some prior cleanup first. (http://trac.osgeo.org/gdal/ticket/5054) - */ -+ if (tif->tif_nfieldscompat > 0) { -+ uint32 i; -+ -+ for (i = 0; i < tif->tif_nfieldscompat; i++) { -+ if (tif->tif_fieldscompat[i].allocated_size) -+ _TIFFfree(tif->tif_fieldscompat[i].fields); -+ } -+ _TIFFfree(tif->tif_fieldscompat); -+ tif->tif_nfieldscompat = 0; -+ tif->tif_fieldscompat = NULL; -+ } - if (_TIFFextender) - (*_TIFFextender)(tif); - (void) TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE); diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index a971232..9258972 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -2,26 +2,12 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff -Version: 4.0.3 -Release: 8%{?dist} +Version: 4.0.7 +Release: 1%{?dist} License: libtiff Group: System Environment/Libraries -URL: http://www.remotesensing.org/libtiff/ -Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz - -# Various CVE fixes -Patch0: libtiff-CVE-2012-4447.patch -Patch1: libtiff-CVE-2012-4564.patch -Patch2: libtiff-CVE-2013-1960.patch -Patch3: libtiff-CVE-2013-1961.patch -Patch4: libtiff-CVE-2013-4231.patch -Patch5: libtiff-CVE-2013-4232.patch -Patch6: libtiff-CVE-2013-4244.patch -Patch7: libtiff-CVE-2013-4243.patch - -# Also fixes CVE-2015-1547 according to -# https://bugzilla.redhat.com/show_bug.cgi?id=1190709#c3 -Patch8: libtiff-CVE-2014-9655.patch +URL: http://www.simplesystems.org/libtiff/ +Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz BuildArch: noarch @@ -98,21 +84,12 @@ Static version of the MinGW Windows LibTIFF library. %prep %setup -q -n tiff-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 %build export MINGW32_CFLAGS="%{mingw32_cflags} -fno-strict-aliasing" export MINGW64_CFLAGS="%{mingw64_cflags} -fno-strict-aliasing" -%mingw_configure --enable-static --enable-shared +%mingw_configure --enable-static --enable-shared --enable-ld-version-script %mingw_make %{?_smp_mflags} @@ -163,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Mon Jan 09 2017 Michael Cronenworth - 4.0.7-1 +- Update to 4.0.7 + * Thu Feb 04 2016 Fedora Release Engineering - 4.0.3-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild @@ -454,7 +434,7 @@ Resolves: bz #222729 * Tue Dec 19 2000 Philipp Knirsch - rebuild -* Tue Aug 7 2000 Crutcher Dunnavant +* Mon Aug 7 2000 Crutcher Dunnavant - added a tiff-to-ps.fpi filter for printing * Thu Jul 13 2000 Prospector diff --git a/sources b/sources index 10672da..9278717 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -051c1068e6a0627f461948c365290410 tiff-4.0.3.tar.gz +SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc From 07186caae758d54268ebb3a32386bfa28936bd4b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 10 Feb 2017 21:13:07 +0000 Subject: [PATCH 34/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 9258972..e0c9824 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.7 -Release: 1%{?dist} +Release: 2%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Fri Feb 10 2017 Fedora Release Engineering - 4.0.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Mon Jan 09 2017 Michael Cronenworth - 4.0.7-1 - Update to 4.0.7 From 228e9231fb81e277bbc497d6c1f6bc1831dcc7f9 Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Sun, 4 Jun 2017 14:49:57 -0500 Subject: [PATCH 35/56] Update to 4.0.8 --- .gitignore | 2 +- mingw-libtiff.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 3010a1c..c8005c9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/tiff-4.0.7.tar.gz +/tiff-4.0.8.tar.gz diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index e0c9824..8f2b71c 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -2,8 +2,8 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff -Version: 4.0.7 -Release: 2%{?dist} +Version: 4.0.8 +Release: 1%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Sun Jun 04 2017 Michael Cronenworth - 4.0.8-1 +- Update to 4.0.8 + * Fri Feb 10 2017 Fedora Release Engineering - 4.0.7-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild diff --git a/sources b/sources index 9278717..7a454e9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc +SHA512 (tiff-4.0.8.tar.gz) = 5d010ec4ce37aca733f7ab7db9f432987b0cd21664bd9d99452a146833c40f0d1e7309d1870b0395e947964134d5cfeb1366181e761fe353ad585803ff3d6be6 From 8056712fcd7141a3ecce60dfd2df32e1550f1cba Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 26 Jul 2017 21:42:27 +0000 Subject: [PATCH 36/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 8f2b71c..63e2252 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.8 -Release: 1%{?dist} +Release: 2%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Wed Jul 26 2017 Fedora Release Engineering - 4.0.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Sun Jun 04 2017 Michael Cronenworth - 4.0.8-1 - Update to 4.0.8 From eeb611f83e2339423fdecd3906b5f67eb3acb428 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 8 Feb 2018 02:22:11 +0000 Subject: [PATCH 37/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 63e2252..c3d1f07 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.8 -Release: 2%{?dist} +Release: 3%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu Feb 08 2018 Fedora Release Engineering - 4.0.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + * Wed Jul 26 2017 Fedora Release Engineering - 4.0.8-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From 4f5445a5de8d6f8fcb323ba6140dffa3acd2e801 Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Mon, 11 Jun 2018 09:34:47 -0500 Subject: [PATCH 38/56] Update to 4.0.9 --- .gitignore | 1 + mingw-libtiff.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index c8005c9..537f089 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /tiff-4.0.8.tar.gz +/tiff-4.0.9.tar.gz diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index c3d1f07..c95b927 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -2,8 +2,8 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff -Version: 4.0.8 -Release: 3%{?dist} +Version: 4.0.9 +Release: 1%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Mon Jun 11 2018 Michael Cronenworth - 4.0.9-1 +- Update to 4.0.9 + * Thu Feb 08 2018 Fedora Release Engineering - 4.0.8-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/sources b/sources index 7a454e9..a945734 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (tiff-4.0.8.tar.gz) = 5d010ec4ce37aca733f7ab7db9f432987b0cd21664bd9d99452a146833c40f0d1e7309d1870b0395e947964134d5cfeb1366181e761fe353ad585803ff3d6be6 +SHA512 (tiff-4.0.9.tar.gz) = 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd From 8b4437581008443868a3b12a4c72c2262397f5ab Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 13 Jul 2018 10:31:00 +0000 Subject: [PATCH 39/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index c95b927..4ca7f46 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 1%{?dist} +Release: 2%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -140,6 +140,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Fri Jul 13 2018 Fedora Release Engineering - 4.0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Mon Jun 11 2018 Michael Cronenworth - 4.0.9-1 - Update to 4.0.9 From 4d96409569851509875fce7ff3119f8761662574 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Mon, 28 Jan 2019 20:17:54 +0100 Subject: [PATCH 40/56] Remove obsolete Group tag References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag --- mingw-libtiff.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 4ca7f46..cdeb00f 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -5,7 +5,6 @@ Name: mingw-libtiff Version: 4.0.9 Release: 2%{?dist} License: libtiff -Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -52,7 +51,6 @@ format image files. %package -n mingw32-libtiff-static Summary: Static version of the MinGW Windows LibTIFF library Requires: mingw32-libtiff = %{version}-%{release} -Group: Development/Libraries %description -n mingw32-libtiff-static Static version of the MinGW Windows LibTIFF library. @@ -73,7 +71,6 @@ format image files. %package -n mingw64-libtiff-static Summary: Static version of the MinGW Windows LibTIFF library Requires: mingw64-libtiff = %{version}-%{release} -Group: Development/Libraries %description -n mingw64-libtiff-static Static version of the MinGW Windows LibTIFF library. From 66facc6baf74ab200ce272e9279adb69253210e6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 1 Feb 2019 10:43:35 +0000 Subject: [PATCH 41/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index cdeb00f..cca004b 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 2%{?dist} +Release: 3%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -137,6 +137,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Fri Feb 01 2019 Fedora Release Engineering - 4.0.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Fri Jul 13 2018 Fedora Release Engineering - 4.0.9-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild From 4b1eae02d20ab491f490f53efea3e6d3fd6b6222 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 25 Jul 2019 16:57:04 +0000 Subject: [PATCH 42/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index cca004b..cf35978 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 3%{?dist} +Release: 4%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -137,6 +137,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu Jul 25 2019 Fedora Release Engineering - 4.0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Fri Feb 01 2019 Fedora Release Engineering - 4.0.9-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild From d77e75a60aff71c3d1e2fbb668d4ab5c0c27a87b Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Tue, 8 Oct 2019 18:52:27 +0200 Subject: [PATCH 43/56] Rebuild (Changes/Mingw32GccDwarf2) --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index cf35978..0d3e186 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 4%{?dist} +Release: 5%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -137,6 +137,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Tue Oct 08 2019 Sandro Mani - 4.0.9-5 +- Rebuild (Changes/Mingw32GccDwarf2) + * Thu Jul 25 2019 Fedora Release Engineering - 4.0.9-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild From 6934de68ddaa01abbb063c6fb1291962296d6d75 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 29 Jan 2020 13:13:39 +0000 Subject: [PATCH 44/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 0d3e186..580fc1e 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 5%{?dist} +Release: 6%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -137,6 +137,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Wed Jan 29 2020 Fedora Release Engineering - 4.0.9-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Tue Oct 08 2019 Sandro Mani - 4.0.9-5 - Rebuild (Changes/Mingw32GccDwarf2) From 1037dfab6f25df1cc66076b794ba39dc626eb34e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 28 Jul 2020 07:47:19 +0000 Subject: [PATCH 45/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 580fc1e..279891d 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 6%{?dist} +Release: 7%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -137,6 +137,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Tue Jul 28 2020 Fedora Release Engineering - 4.0.9-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Wed Jan 29 2020 Fedora Release Engineering - 4.0.9-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 0d9b51d1165df9c1f7b02bf53ceba2d88471dac6 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Wed, 6 Jan 2021 21:58:18 +0000 Subject: [PATCH 46/56] Add BuildRequires: make https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot --- mingw-libtiff.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 279891d..b2cebce 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -10,6 +10,7 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz BuildArch: noarch +BuildRequires: make BuildRequires: mingw32-zlib BuildRequires: mingw32-libjpeg-turbo BuildRequires: mingw32-filesystem >= 95 From ed16864e28f6e28074db604c224b167f73329717 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 26 Jan 2021 20:07:57 +0000 Subject: [PATCH 47/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index b2cebce..4da4141 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 7%{?dist} +Release: 8%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -138,6 +138,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Tue Jan 26 2021 Fedora Release Engineering - 4.0.9-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Tue Jul 28 2020 Fedora Release Engineering - 4.0.9-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From ac85af136c038b2dd1d73798d93b73b65721f58f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 22 Jul 2021 14:39:19 +0000 Subject: [PATCH 48/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 4da4141..5f09ea0 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 8%{?dist} +Release: 9%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -138,6 +138,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu Jul 22 2021 Fedora Release Engineering - 4.0.9-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Tue Jan 26 2021 Fedora Release Engineering - 4.0.9-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild From 5272fd2558bec974b2bb93f8b13f6655932dce49 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 19:37:38 +0000 Subject: [PATCH 49/56] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 5f09ea0..5027f6d 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 9%{?dist} +Release: 10%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -138,6 +138,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 4.0.9-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Thu Jul 22 2021 Fedora Release Engineering - 4.0.9-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From d8879a36c5e07b6d5bf17221b739243d7acb5abc Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Fri, 25 Mar 2022 14:28:38 +0100 Subject: [PATCH 50/56] Rebuild with mingw-gcc-12 --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 5027f6d..1ad5e7a 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.0.9 -Release: 10%{?dist} +Release: 11%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -138,6 +138,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Fri Mar 25 2022 Sandro Mani - 4.0.9-11 +- Rebuild with mingw-gcc-12 + * Thu Jan 20 2022 Fedora Release Engineering - 4.0.9-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From 5b3d779ba355fbbb5332e444fc7e925b81be2547 Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Wed, 1 Jun 2022 08:08:52 -0500 Subject: [PATCH 51/56] Update to 4.2.0 --- .gitignore | 3 +-- mingw-libtiff.spec | 9 ++++++--- sources | 2 +- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 537f089..0ca794a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -/tiff-4.0.8.tar.gz -/tiff-4.0.9.tar.gz +/tiff-4.2.0.tar.gz diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 1ad5e7a..50eac16 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -2,7 +2,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff -Version: 4.0.9 +Version: 4.2.0 Release: 11%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -110,7 +110,7 @@ find $RPM_BUILD_ROOT -name "*.la" -delete # Win32 %files -n mingw32-libtiff -%doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog +%doc COPYRIGHT README.md RELEASE-DATE VERSION TODO ChangeLog %{mingw32_bindir}/libtiff-5.dll %{mingw32_bindir}/libtiffxx-5.dll %{mingw32_includedir}/* @@ -124,7 +124,7 @@ find $RPM_BUILD_ROOT -name "*.la" -delete # Win64 %files -n mingw64-libtiff -%doc COPYRIGHT README RELEASE-DATE VERSION TODO ChangeLog +%doc COPYRIGHT README.md RELEASE-DATE VERSION TODO ChangeLog %{mingw64_bindir}/libtiff-5.dll %{mingw64_bindir}/libtiffxx-5.dll %{mingw64_includedir}/* @@ -138,6 +138,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Wed Jun 01 2022 Michael Cronenworth - 4.2.0-1 +- Update to 4.2.0 + * Fri Mar 25 2022 Sandro Mani - 4.0.9-11 - Rebuild with mingw-gcc-12 diff --git a/sources b/sources index a945734..0e663b3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (tiff-4.0.9.tar.gz) = 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd +SHA512 (tiff-4.2.0.tar.gz) = d7d42e6e6dbda9604c638f28e6cfa4705191a4e8ea276d18031d50dbab0931ac91141e57a2cf294124487f1a2e6dfcb9be62431c1b69de5acf4d0e632f3322e5 From 5e7eb08f66351d6ced8e00196d9c1b5cebe104b9 Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Wed, 1 Jun 2022 08:09:47 -0500 Subject: [PATCH 52/56] Fix release number --- mingw-libtiff.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 50eac16..8b1cf03 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.2.0 -Release: 11%{?dist} +Release: 1%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz From 6a3e532cf41b0728034d372e1e7719173d65e64f Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Wed, 1 Jun 2022 08:46:58 -0500 Subject: [PATCH 53/56] Update to 4.3.0 --- .gitignore | 2 +- mingw-libtiff.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 0ca794a..e88c5a0 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/tiff-4.2.0.tar.gz +/tiff-4.3.0.tar.gz diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 8b1cf03..a6ac7bb 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -2,7 +2,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff -Version: 4.2.0 +Version: 4.3.0 Release: 1%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -138,6 +138,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Wed Jun 01 2022 Michael Cronenworth - 4.3.0-1 +- Update to 4.3.0 + * Wed Jun 01 2022 Michael Cronenworth - 4.2.0-1 - Update to 4.2.0 diff --git a/sources b/sources index 0e663b3..516126c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (tiff-4.2.0.tar.gz) = d7d42e6e6dbda9604c638f28e6cfa4705191a4e8ea276d18031d50dbab0931ac91141e57a2cf294124487f1a2e6dfcb9be62431c1b69de5acf4d0e632f3322e5 +SHA512 (tiff-4.3.0.tar.gz) = e04a4a6c542e58a174c1e9516af3908acf1d3d3e1096648c5514f4963f73e7af27387a76b0fbabe43cf867a18874088f963796a7cd6e45deb998692e3e235493 From 476df64fa0003dcf731333b45d72302b31855057 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 21 Jul 2022 21:29:31 +0000 Subject: [PATCH 54/56] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- mingw-libtiff.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index a6ac7bb..5f9c7b6 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -3,7 +3,7 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff Version: 4.3.0 -Release: 1%{?dist} +Release: 2%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz @@ -138,6 +138,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu Jul 21 2022 Fedora Release Engineering - 4.3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Wed Jun 01 2022 Michael Cronenworth - 4.3.0-1 - Update to 4.3.0 From e515de539545654a13320cc39d038b1f44a74571 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 4 Jan 2023 17:56:05 -0700 Subject: [PATCH 55/56] Update to 4.4.0 --- .gitignore | 2 ++ mingw-libtiff.spec | 9 ++++++--- sources | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index e88c5a0..52cfa6e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ /tiff-4.3.0.tar.gz +/tiff-4.5.0.tar.xz +/tiff-4.4.0.tar.xz diff --git a/mingw-libtiff.spec b/mingw-libtiff.spec index 5f9c7b6..6405710 100644 --- a/mingw-libtiff.spec +++ b/mingw-libtiff.spec @@ -2,11 +2,11 @@ Summary: MinGW Windows port of the LibTIFF library Name: mingw-libtiff -Version: 4.3.0 -Release: 2%{?dist} +Version: 4.4.0 +Release: 1%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ -Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz +Source: https://download.osgeo.org/libtiff/tiff-%{version}.tar.xz BuildArch: noarch @@ -138,6 +138,9 @@ find $RPM_BUILD_ROOT -name "*.la" -delete %changelog +* Thu Jan 05 2023 Orion Poplawski - 4.4.0-1 +- Update to 4.4.0 + * Thu Jul 21 2022 Fedora Release Engineering - 4.3.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild diff --git a/sources b/sources index 516126c..45a7773 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (tiff-4.3.0.tar.gz) = e04a4a6c542e58a174c1e9516af3908acf1d3d3e1096648c5514f4963f73e7af27387a76b0fbabe43cf867a18874088f963796a7cd6e45deb998692e3e235493 +SHA512 (tiff-4.4.0.tar.xz) = c9611faadc9b1199f3aba9a43bfa160c77c11558d1fa358b42115ed78db73c8387531c0668cc9021842c58f1c02f8d84264d3600e1039dfe6f866822ad91cff9 From 2993a4e7c5c4ffef76747fbb39abae38d8f35e88 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 30 Oct 2023 23:27:00 +0300 Subject: [PATCH 56/56] Remove unnecessary files --- sources | 1 - 1 file changed, 1 deletion(-) delete mode 100644 sources diff --git a/sources b/sources deleted file mode 100644 index 45a7773..0000000 --- a/sources +++ /dev/null @@ -1 +0,0 @@ -SHA512 (tiff-4.4.0.tar.xz) = c9611faadc9b1199f3aba9a43bfa160c77c11558d1fa358b42115ed78db73c8387531c0668cc9021842c58f1c02f8d84264d3600e1039dfe6f866822ad91cff9