diff --git a/libtiff-3.8.2-ormandy.patch b/libtiff-3.8.2-ormandy.patch index cb55b03..4bf5fce 100644 --- a/libtiff-3.8.2-ormandy.patch +++ b/libtiff-3.8.2-ormandy.patch @@ -1,46 +1,11 @@ -diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c ---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 -@@ -122,6 +122,7 @@ - { - static const char module[] = "_TIFFVSetField"; - -+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); - TIFFDirectory* td = &tif->tif_dir; - int status = 1; - uint32 v32, i, v; -@@ -195,10 +196,12 @@ - break; - case TIFFTAG_ORIENTATION: - v = va_arg(ap, uint32); -+ const TIFFFieldInfo* fip; - if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { -+ fip = _TIFFFieldWithTag(tif, tag); - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "Bad value %lu for \"%s\" tag ignored", -- v, _TIFFFieldWithTag(tif, tag)->field_name); -+ v, fip ? fip->field_name : "Unknown"); - } else - td->td_orientation = (uint16) v; - break; -@@ -387,11 +390,15 @@ - * happens, for example, when tiffcp is used to convert between - * compression schemes and codec-specific tags are blindly copied. - */ -+ /* -+ * better not dereference fip if it is NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - status = 0; - break; - } -@@ -468,7 +475,7 @@ +Much of the original content of this patch has been removed in favor of +the more robust solution represented by libtiff-unknown-tags.patch. + + +diff -Naur tiff-3.8.2.orig/libtiff/tif_dir.c tiff-3.8.2/libtiff/tif_dir.c +--- tiff-3.8.2.orig/libtiff/tif_dir.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_dir.c 2010-06-16 21:11:51.000000000 -0400 +@@ -468,7 +468,7 @@ if (fip->field_type == TIFF_ASCII) _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); else { @@ -49,74 +14,9 @@ diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c if (!tv->value) { status = 0; goto end; -@@ -563,7 +570,7 @@ - } - } - if (status) { -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ TIFFSetFieldBit(tif, fip->field_bit); - tif->tif_flags |= TIFF_DIRTYDIRECT; - } - -@@ -572,12 +579,12 @@ - return (status); - badvalue: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", -- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - badvalue32: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", -- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - } -@@ -813,12 +820,16 @@ - * If the client tries to get a tag that is not valid - * for the image's codec then we'll arrive here. - */ -+ /* -+ * dont dereference fip if it's NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) - { - TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - ret_val = 0; - break; - } -diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c ---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 -@@ -775,7 +775,8 @@ - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", - "Internal error, unknown tag 0x%x", - (unsigned int) tag); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -@@ -789,7 +790,8 @@ - if (!fip) { - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", - "Internal error, unknown tag %s", field_name); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c ---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 +diff -Naur tiff-3.8.2.orig/libtiff/tif_dirread.c tiff-3.8.2/libtiff/tif_dirread.c +--- tiff-3.8.2.orig/libtiff/tif_dirread.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_dirread.c 2010-06-16 21:11:51.000000000 -0400 @@ -29,6 +29,9 @@ * * Directory Read Support Routines. @@ -127,15 +27,7 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c #include "tiffiop.h" #define IGNORE 0 /* tag placeholder used below */ -@@ -81,6 +84,7 @@ - uint16 dircount; - toff_t nextdiroff; - int diroutoforderwarning = 0; -+ int compressionknown = 0; - toff_t* new_dirlist; - - tif->tif_diroff = tif->tif_nextdiroff; -@@ -147,13 +151,20 @@ +@@ -147,13 +150,20 @@ } else { toff_t off = tif->tif_diroff; @@ -162,103 +54,7 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c off += sizeof (uint16); if (tif->tif_flags & TIFF_SWAB) TIFFSwabShort(&dircount); -@@ -254,6 +265,7 @@ - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; -+ - if (fix >= tif->tif_nfields || - tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { - -@@ -264,17 +276,23 @@ - dp->tdir_tag, - dp->tdir_tag, - dp->tdir_type); -- -- TIFFMergeFieldInfo(tif, -- _TIFFCreateAnonFieldInfo(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1 ); -+ /* -+ * creating anonymous fields prior to knowing the compression -+ * algorithm (ie, when the field info has been merged) could cause -+ * crashes with pathological directories. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (compressionknown) -+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, -+ (TIFFDataType) dp->tdir_type), 1 ); -+ else goto ignore; -+ - fix = 0; - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; - } -+ - /* - * Null out old tags that we ignore. - */ -@@ -326,6 +344,7 @@ - dp->tdir_type, dp->tdir_offset); - if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) - goto bad; -+ else compressionknown++; - break; - /* XXX: workaround for broken TIFFs */ - } else if (dp->tdir_type == TIFF_LONG) { -@@ -540,6 +559,7 @@ - * Attempt to deal with a missing StripByteCounts tag. - */ - if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * Some manufacturers violate the spec by not giving - * the size of the strips. In this case, assume there -@@ -556,7 +576,7 @@ - "%s: TIFF directory is missing required " - "\"%s\" field, calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - /* -@@ -580,6 +600,7 @@ - } else if (td->td_nstrips == 1 - && td->td_stripoffset[0] != 0 - && BYTECOUNTLOOKSBAD) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Plexus (and others) sometimes give a value of zero for - * a tag when they don't know what the correct value is! Try -@@ -589,13 +610,14 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if(EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } else if (td->td_planarconfig == PLANARCONFIG_CONTIG - && td->td_nstrips > 2 - && td->td_compression == COMPRESSION_NONE - && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Some vendors fill StripByteCount array with absolutely - * wrong values (it can be equal to StripOffset array, for -@@ -604,7 +626,7 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } -@@ -870,7 +892,13 @@ +@@ -870,7 +880,13 @@ register TIFFDirEntry *dp; register TIFFDirectory *td = &tif->tif_dir; @@ -273,59 +69,7 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c if (td->td_stripbytecount) _TIFFfree(td->td_stripbytecount); -@@ -947,16 +975,18 @@ - static int - CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) - { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ - if (count > dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (0); - } else if (count < dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (1); - } -@@ -970,6 +1000,7 @@ - TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) - { - int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - tsize_t cc = dir->tdir_count * w; - - /* Check for overflow. */ -@@ -1013,7 +1044,7 @@ - bad: - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Error fetching data for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - return (tsize_t) 0; - } - -@@ -1039,10 +1070,12 @@ - static int - cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) - { -+ const TIFFFieldInfo* fip; - if (denom == 0) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s: Rational with zero denominator (num = %lu)", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); -+ fip ? fip->field_name : "Unknown", num); - return (0); - } else { - if (dir->tdir_type == TIFF_RATIONAL) -@@ -1159,6 +1192,20 @@ +@@ -1159,6 +1175,20 @@ static int TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) { @@ -346,123 +90,9 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c switch (dir->tdir_type) { case TIFF_BYTE: case TIFF_SBYTE: -@@ -1329,14 +1376,15 @@ - case TIFF_DOUBLE: - return (TIFFFetchDoubleArray(tif, dir, (double*) v)); - default: -+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - /* TIFF_NOTYPE */ - /* TIFF_ASCII */ - /* TIFF_UNDEFINED */ - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "cannot read TIFF_ANY type %d for field \"%s\"", - dir->tdir_type, -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- return (0); -+ fip ? fip->field_name : "Unknown"); -+ return (0); } - } - return (1); - } -@@ -1351,6 +1399,9 @@ - int ok = 0; - const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); - -+ if (fip == NULL) { -+ return (0); -+ } - if (dp->tdir_count > 1) { /* array of values */ - char* cp = NULL; - -@@ -1493,6 +1544,7 @@ - TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1510,9 +1562,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1534,6 +1587,7 @@ - TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1551,9 +1605,10 @@ - check_count = samples; - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1574,6 +1629,7 @@ - TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1591,9 +1647,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c ---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 -@@ -1136,6 +1136,7 @@ - Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) - { - Fax3BaseState* sp = Fax3State(tif); -+ const TIFFFieldInfo* fip; - - assert(sp != 0); - assert(sp->vsetparent != 0); -@@ -1181,7 +1182,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c ---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 +diff -Naur tiff-3.8.2.orig/libtiff/tif_jpeg.c tiff-3.8.2/libtiff/tif_jpeg.c +--- tiff-3.8.2.orig/libtiff/tif_jpeg.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_jpeg.c 2010-06-16 21:11:51.000000000 -0400 @@ -722,15 +722,31 @@ segment_width = TIFFhowmany(segment_width, sp->h_sampling); segment_height = TIFFhowmany(segment_height, sp->v_sampling); @@ -544,30 +174,7 @@ diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c _TIFFfree(tif->tif_data); /* release local state */ tif->tif_data = NULL; -@@ -1541,6 +1576,7 @@ - { - JPEGState* sp = JState(tif); - TIFFDirectory* td = &tif->tif_dir; -+ const TIFFFieldInfo* fip; - uint32 v32; - - assert(sp != NULL); -@@ -1606,7 +1642,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -@@ -1726,7 +1768,11 @@ +@@ -1726,7 +1761,11 @@ { JPEGState* sp = JState(tif); @@ -580,9 +187,9 @@ diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c (void) flags; if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) -diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c ---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 +diff -Naur tiff-3.8.2.orig/libtiff/tif_next.c tiff-3.8.2/libtiff/tif_next.c +--- tiff-3.8.2.orig/libtiff/tif_next.c 2005-12-21 07:33:56.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_next.c 2010-06-16 21:11:51.000000000 -0400 @@ -105,11 +105,16 @@ * as codes of the form * until we've filled the scanline. @@ -601,9 +208,9 @@ diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c SETPIXEL(op, grey); if (npixels >= (int) imagewidth) break; -diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c ---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 +diff -Naur tiff-3.8.2.orig/libtiff/tif_pixarlog.c tiff-3.8.2/libtiff/tif_pixarlog.c +--- tiff-3.8.2.orig/libtiff/tif_pixarlog.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_pixarlog.c 2010-06-16 21:11:51.000000000 -0400 @@ -768,7 +768,19 @@ if (tif->tif_flags & TIFF_SWAB) TIFFSwabArrayOfShort(up, nsamples); @@ -625,9 +232,9 @@ diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c switch (sp->user_datafmt) { case PIXARLOGDATAFMT_FLOAT: horizontalAccumulateF(up, llen, sp->stride, -diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c ---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 +diff -Naur tiff-3.8.2.orig/libtiff/tif_read.c tiff-3.8.2/libtiff/tif_read.c +--- tiff-3.8.2.orig/libtiff/tif_read.c 2005-12-21 07:33:56.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_read.c 2010-06-16 21:11:51.000000000 -0400 @@ -31,6 +31,8 @@ #include "tiffiop.h" #include diff --git a/libtiff-3samples.patch b/libtiff-3samples.patch new file mode 100644 index 0000000..725e5c3 --- /dev/null +++ b/libtiff-3samples.patch @@ -0,0 +1,18 @@ +Patch for bug #603081: failure to guard against bogus SamplesPerPixel +when converting a YCbCr image to RGB. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216 + + +diff -Naur tiff-3.8.2.orig/libtiff/tif_getimage.c tiff-3.8.2/libtiff/tif_getimage.c +--- tiff-3.8.2.orig/libtiff/tif_getimage.c 2005-12-27 06:28:23.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_getimage.c 2010-06-16 21:41:12.000000000 -0400 +@@ -2384,7 +2384,7 @@ + } + break; + case PHOTOMETRIC_YCBCR: +- if (img->bitspersample == 8) ++ if (img->bitspersample == 8 && img->samplesperpixel==3) + put = initYCbCrConversion(img); + break; + case PHOTOMETRIC_CIELAB: diff --git a/libtiff-CVE-2010-1411.patch b/libtiff-CVE-2010-1411.patch new file mode 100644 index 0000000..41b6cff --- /dev/null +++ b/libtiff-CVE-2010-1411.patch @@ -0,0 +1,57 @@ +Upstream patch for bug #592361 (CVE-2010-1411) + + +diff -Naur tiff-3.8.2.orig/libtiff/tif_fax3.c tiff-3.8.2/libtiff/tif_fax3.c +--- tiff-3.8.2.orig/libtiff/tif_fax3.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_fax3.c 2010-06-13 15:54:49.000000000 -0400 +@@ -491,10 +491,26 @@ + td->td_compression == COMPRESSION_CCITTFAX4 + ); + +- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels; +- +- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32), +- "for Group 3/4 run arrays"); ++ /* ++ Assure that allocation computations do not overflow. ++ ++ TIFFroundup and TIFFSafeMultiply return zero on integer overflow ++ */ ++ dsp->runs=(uint32*) NULL; ++ nruns = TIFFroundup(rowpixels,32); ++ if (needsRefLine) { ++ nruns = TIFFSafeMultiply(uint32,nruns,2); ++ } ++ if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "Row pixels integer overflow (rowpixels %u)", ++ rowpixels); ++ return (0); ++ } ++ dsp->runs = (uint32*) _TIFFCheckMalloc(tif, ++ TIFFSafeMultiply(uint32,nruns,2), ++ sizeof (uint32), ++ "for Group 3/4 run arrays"); + if (dsp->runs == NULL) + return (0); + dsp->curruns = dsp->runs; +diff -Naur tiff-3.8.2.orig/libtiff/tiffiop.h tiff-3.8.2/libtiff/tiffiop.h +--- tiff-3.8.2.orig/libtiff/tiffiop.h 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tiffiop.h 2010-06-13 15:52:46.000000000 -0400 +@@ -222,10 +222,15 @@ + #endif + + /* NB: the uint32 casts are to silence certain ANSI-C compilers */ +-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) ++#define TIFFhowmany(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ ++ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ ++ 0U) + #define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + ++/* Safe multiply which returns zero if there is an integer overflow */ ++#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++ + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) + diff --git a/libtiff-CVE-2010-2065.patch b/libtiff-CVE-2010-2065.patch new file mode 100644 index 0000000..3c1ef55 --- /dev/null +++ b/libtiff-CVE-2010-2065.patch @@ -0,0 +1,27 @@ +Upstream patch for bug #601274 (CVE-2010-2065) + + +diff -Naur tiff-3.8.2.orig/libtiff/tif_read.c tiff-3.8.2/libtiff/tif_read.c +--- tiff-3.8.2.orig/libtiff/tif_read.c 2005-12-21 07:33:56.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_read.c 2010-06-13 16:04:13.000000000 -0400 +@@ -525,16 +525,18 @@ + _TIFFfree(tif->tif_rawdata); + tif->tif_rawdata = NULL; + } ++ + if (bp) { + tif->tif_rawdatasize = size; + tif->tif_rawdata = (tidata_t) bp; + tif->tif_flags &= ~TIFF_MYBUFFER; + } else { + tif->tif_rawdatasize = TIFFroundup(size, 1024); +- tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize); ++ if (tif->tif_rawdatasize > 0) ++ tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize); + tif->tif_flags |= TIFF_MYBUFFER; + } +- if (tif->tif_rawdata == NULL) { ++ if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: No space for data buffer at scanline %ld", + tif->tif_name, (long) tif->tif_row); diff --git a/libtiff-jpeg-scanline.patch b/libtiff-jpeg-scanline.patch new file mode 100644 index 0000000..8cf0f51 --- /dev/null +++ b/libtiff-jpeg-scanline.patch @@ -0,0 +1,61 @@ +Upstream patch for tiff2ps core dump noted in bug #460322. (Note that +the tiffcmp crash mentioned there is really a different bug.) +Now also incorporating Adam Goode's patch for bug #552360. See +http://bugzilla.maptools.org/show_bug.cgi?id=1936 + + +diff -Naur tiff-3.8.2.orig/libtiff/tif_dir.c tiff-3.8.2/libtiff/tif_dir.c +--- tiff-3.8.2.orig/libtiff/tif_dir.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_dir.c 2010-06-13 15:32:55.000000000 -0400 +@@ -1081,6 +1081,13 @@ + */ + tif->tif_flags &= ~TIFF_ISTILED; + ++ /* ++ * Clear other directory-specific fields. ++ */ ++ tif->tif_tilesize = 0; ++ tif->tif_scanlinesize = 0; ++ ++ + return (1); + } + +diff -Naur tiff-3.8.2.orig/libtiff/tif_jpeg.c tiff-3.8.2/libtiff/tif_jpeg.c +--- tiff-3.8.2.orig/libtiff/tif_jpeg.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_jpeg.c 2010-06-13 15:34:28.000000000 -0400 +@@ -1582,7 +1582,10 @@ + * Must recalculate cached tile size + * in case sampling state changed. + */ +- tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1; ++ if( tif->tif_tilesize > 0 ) ++ tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1; ++ if(tif->tif_scanlinesize > 0 ) ++ tif->tif_scanlinesize = TIFFScanlineSize(tif); + return (1); /* pseudo tag */ + case TIFFTAG_JPEGTABLESMODE: + sp->jpegtablesmode = va_arg(ap, int); +@@ -1668,13 +1671,21 @@ + return; + } + else +- { ++ { + if( !TIFFFillStrip( tif, 0 ) ) + return; + } + + TIFFSetField( tif, TIFFTAG_YCBCRSUBSAMPLING, + (uint16) sp->h_sampling, (uint16) sp->v_sampling ); ++ ++ /* ++ ** We want to clear the loaded strip so the application has time ++ ** to set JPEGCOLORMODE or other behavior modifiers. This essentially ++ ** undoes the JPEGPreDecode triggers by TIFFFileStrip(). (#1936) ++ */ ++ tif->tif_curstrip = -1; ++ + #endif /* CHECK_JPEG_YCBCR_SUBSAMPLING */ + } + diff --git a/libtiff-subsampling.patch b/libtiff-subsampling.patch new file mode 100644 index 0000000..8af85e0 --- /dev/null +++ b/libtiff-subsampling.patch @@ -0,0 +1,39 @@ +Use the spec-mandated default YCbCrSubSampling values in strip size +calculations, if the YCBCRSUBSAMPLING tag hasn't been provided. +See bug #603703. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215 + + +diff -Naur tiff-3.8.2.orig/libtiff/tif_strip.c tiff-3.8.2/libtiff/tif_strip.c +--- tiff-3.8.2.orig/libtiff/tif_strip.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_strip.c 2010-06-16 21:46:16.000000000 -0400 +@@ -124,9 +124,9 @@ + uint16 ycbcrsubsampling[2]; + tsize_t w, scanline, samplingarea; + +- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1 ); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; + if (samplingarea == 0) { +@@ -234,11 +234,11 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + +- if (ycbcrsubsampling[0] == 0) { ++ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Invalid YCbCr subsampling"); + return 0; diff --git a/libtiff-tiff2pdf-bugs.patch b/libtiff-tiff2pdf-bugs.patch new file mode 100644 index 0000000..0b72ae7 --- /dev/null +++ b/libtiff-tiff2pdf-bugs.patch @@ -0,0 +1,208 @@ +Fix assorted bugs in tiff2pdf: missing "return" in t2p_read_tiff_size() causes +t2p->tiff_datasize to be set entirely wrong for COMPRESSION_JPEG case, +resulting in memory stomp if actual size is larger. Also, there are a +bunch of places that try to memset() a malloc'd buffer before checking +for malloc failure, which would result in core dump if there actually +were a failure. In 3.8.2 it's also using the wrong size variable for +the output of TIFFGetField(input, TIFFTAG_JPEGTABLES, ...) + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2211 + + +diff -Naur tiff-3.8.2.orig/tools/tiff2pdf.c tiff-3.8.2/tools/tiff2pdf.c +--- tiff-3.8.2.orig/tools/tiff2pdf.c 2006-03-21 11:42:51.000000000 -0500 ++++ tiff-3.8.2/tools/tiff2pdf.c 2010-06-13 16:43:40.000000000 -0400 +@@ -1758,7 +1758,6 @@ + uint32* sbc=NULL; + #if defined(JPEG_SUPPORT) || defined (OJPEG_SUPPORT) + unsigned char* jpt=NULL; +- uint16 xuint16=0; + tstrip_t i=0; + tstrip_t stripcount=0; + #endif +@@ -1825,9 +1824,10 @@ + #endif + #ifdef JPEG_SUPPORT + if(t2p->tiff_compression == COMPRESSION_JPEG){ +- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16, &jpt) != 0 ){ +- if(xuint16>4){ +- t2p->tiff_datasize+= xuint16; ++ uint32 count = 0; ++ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ ++ if(count>4){ ++ t2p->tiff_datasize+= count; + t2p->tiff_datasize -=2; /* don't use EOI of header */ + } + } else { +@@ -1846,6 +1846,7 @@ + t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */ + } + t2p->tiff_datasize +=2; /* use EOI of last strip */ ++ return; + } + #endif + (void) 0; +@@ -1894,9 +1895,10 @@ + #endif + #ifdef JPEG_SUPPORT + if(t2p->tiff_compression==COMPRESSION_JPEG){ +- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16, &jpt)!=0){ +- if(xuint16>4){ +- t2p->tiff_datasize+=xuint16; ++ uint32 count = 0; ++ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){ ++ if(count>4){ ++ t2p->tiff_datasize+=count; + t2p->tiff_datasize-=4; /* don't use EOI of header or SOI of tile */ + } + } +@@ -2078,7 +2080,6 @@ + #ifdef ZIP_SUPPORT + if(t2p->pdf_compression == T2P_COMPRESS_ZIP){ + buffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize); +- memset(buffer, 0, t2p->tiff_datasize); + if(buffer==NULL){ + TIFFError(TIFF2PDF_MODULE, + "Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s", +@@ -2087,6 +2088,7 @@ + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } ++ memset(buffer, 0, t2p->tiff_datasize); + TIFFReadRawStrip(input, 0, (tdata_t) buffer, t2p->tiff_datasize); + if (t2p->tiff_fillorder==FILLORDER_LSB2MSB){ + TIFFReverseBits(buffer, t2p->tiff_datasize); +@@ -2101,7 +2103,6 @@ + + if(t2p->tiff_dataoffset != 0){ + buffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize); +- memset(buffer, 0, t2p->tiff_datasize); + if(buffer==NULL){ + TIFFError(TIFF2PDF_MODULE, + "Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s", +@@ -2110,6 +2111,7 @@ + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } ++ memset(buffer, 0, t2p->tiff_datasize); + if(t2p->pdf_ojpegiflength==0){ + inputoffset=TIFFSeekFile(input, 0, SEEK_CUR); + TIFFSeekFile(input, t2p->tiff_dataoffset, SEEK_SET); +@@ -2160,7 +2162,6 @@ + return(0); + } + buffer=(unsigned char*) _TIFFmalloc(t2p->tiff_datasize); +- memset(buffer, 0, t2p->tiff_datasize); + if(buffer==NULL){ + TIFFError(TIFF2PDF_MODULE, + "Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s", +@@ -2169,6 +2170,7 @@ + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } ++ memset(buffer, 0, t2p->tiff_datasize); + _TIFFmemcpy(buffer, t2p->pdf_ojpegdata, t2p->pdf_ojpegdatalength); + bufferoffset=t2p->pdf_ojpegdatalength; + stripcount=TIFFNumberOfStrips(input); +@@ -2200,8 +2202,8 @@ + #endif + #ifdef JPEG_SUPPORT + if(t2p->tiff_compression == COMPRESSION_JPEG){ ++ uint32 count = 0; + buffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize); +- memset(buffer, 0, t2p->tiff_datasize); + if(buffer==NULL){ + TIFFError(TIFF2PDF_MODULE, + "Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s", +@@ -2210,10 +2212,11 @@ + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } +- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16_1, &jpt) != 0){ +- if(xuint16_1>4){ +- _TIFFmemcpy(buffer, jpt, xuint16_1); +- bufferoffset+=xuint16_1-2; ++ memset(buffer, 0, t2p->tiff_datasize); ++ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0){ ++ if(count>4){ ++ _TIFFmemcpy(buffer, jpt, count); ++ bufferoffset+=count-2; + } + } + stripcount=TIFFNumberOfStrips(input); +@@ -2262,7 +2265,6 @@ + + if(t2p->pdf_sample==T2P_SAMPLE_NOTHING){ + buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize); +- memset(buffer, 0, t2p->tiff_datasize); + if(buffer==NULL){ + TIFFError(TIFF2PDF_MODULE, + "Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s", +@@ -2271,6 +2273,7 @@ + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } ++ memset(buffer, 0, t2p->tiff_datasize); + stripsize=TIFFStripSize(input); + stripcount=TIFFNumberOfStrips(input); + for(i=0;itiff_samplesperpixel; + + buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize); +- memset(buffer, 0, t2p->tiff_datasize); + if(buffer==NULL){ + TIFFError(TIFF2PDF_MODULE, + "Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s", +@@ -2309,6 +2311,7 @@ + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } ++ memset(buffer, 0, t2p->tiff_datasize); + samplebuffer = (unsigned char*) _TIFFmalloc(stripsize); + if(samplebuffer==NULL){ + TIFFError(TIFF2PDF_MODULE, +@@ -2349,7 +2352,6 @@ + } + + buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize); +- memset(buffer, 0, t2p->tiff_datasize); + if(buffer==NULL){ + TIFFError(TIFF2PDF_MODULE, + "Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s", +@@ -2358,6 +2360,7 @@ + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } ++ memset(buffer, 0, t2p->tiff_datasize); + stripsize=TIFFStripSize(input); + stripcount=TIFFNumberOfStrips(input); + for(i=0;itiff_compression == COMPRESSION_JPEG){ + unsigned char table_end[2]; ++ uint32 count = 0; + buffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize); + if(buffer==NULL){ + TIFFError(TIFF2PDF_MODULE, +@@ -2701,14 +2705,14 @@ + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } +- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16_1, &jpt) != 0) { +- if(xuint16_1 > 0){ +- _TIFFmemcpy(buffer, jpt, xuint16_1); +- bufferoffset += xuint16_1 - 2; ++ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { ++ if(count > 0){ ++ _TIFFmemcpy(buffer, jpt, count); ++ bufferoffset += count - 2; + table_end[0] = buffer[bufferoffset-2]; + table_end[1] = buffer[bufferoffset-1]; + } +- if(xuint16_1 > 0) { ++ if(count > 0) { + xuint32 = bufferoffset; + bufferoffset += TIFFReadRawTile( + input, diff --git a/libtiff-tiffcp-no-subsample.patch b/libtiff-tiffcp-no-subsample.patch new file mode 100644 index 0000000..9bf8856 --- /dev/null +++ b/libtiff-tiffcp-no-subsample.patch @@ -0,0 +1,71 @@ +tiffcp doesn't have any code to copy subsampled images. It can handle +JPEG-compressed input anyway by the expedient of telling the codec to +convert to RGB (and thereby upsample), but otherwise we have to punt to +avoid buffer overruns. Per bug #588784, bug #460653, and upstream bug +http://bugzilla.maptools.org/show_bug.cgi?id=2097 + +This patch is a bit more than minimally sized because it rearranges +some of the existing code for simplicity. + + +diff -Naur tiff-3.8.2.orig/tools/tiffcp.c tiff-3.8.2/tools/tiffcp.c +--- tiff-3.8.2.orig/tools/tiffcp.c 2006-03-21 11:42:51.000000000 -0500 ++++ tiff-3.8.2/tools/tiffcp.c 2010-06-13 16:08:21.000000000 -0400 +@@ -540,6 +540,7 @@ + tiffcp(TIFF* in, TIFF* out) + { + uint16 bitspersample, samplesperpixel; ++ uint16 input_compression, input_photometric; + copyFunc cf; + uint32 width, length; + struct cpTag* p; +@@ -552,26 +553,30 @@ + TIFFSetField(out, TIFFTAG_COMPRESSION, compression); + else + CopyField(TIFFTAG_COMPRESSION, compression); ++ TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); ++ TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); ++ if (input_compression == COMPRESSION_JPEG) { ++ /* Force conversion to RGB */ ++ TIFFSetField(in, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB); ++ } else if (input_photometric == PHOTOMETRIC_YCBCR) { ++ /* Otherwise, can't handle subsampled input */ ++ uint16 subsamplinghor,subsamplingver; ++ ++ TIFFGetFieldDefaulted(in, TIFFTAG_YCBCRSUBSAMPLING, ++ &subsamplinghor, &subsamplingver); ++ if (subsamplinghor!=1 || subsamplingver!=1) { ++ fprintf(stderr, "tiffcp: %s: Can't copy/convert subsampled image.\n", ++ TIFFFileName(in)); ++ return FALSE; ++ } ++ } + if (compression == COMPRESSION_JPEG) { +- uint16 input_compression, input_photometric; +- +- if (TIFFGetField(in, TIFFTAG_COMPRESSION, &input_compression) +- && input_compression == COMPRESSION_JPEG) { +- TIFFSetField(in, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB); +- } +- if (TIFFGetField(in, TIFFTAG_PHOTOMETRIC, &input_photometric)) { +- if(input_photometric == PHOTOMETRIC_RGB) { +- if (jpegcolormode == JPEGCOLORMODE_RGB) +- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, +- PHOTOMETRIC_YCBCR); +- else +- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, +- PHOTOMETRIC_RGB); +- } else +- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, +- input_photometric); +- } +- } ++ if (input_photometric == PHOTOMETRIC_RGB && ++ jpegcolormode == JPEGCOLORMODE_RGB) ++ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_YCBCR); ++ else ++ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, input_photometric); ++ } + else if (compression == COMPRESSION_SGILOG + || compression == COMPRESSION_SGILOG24) + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, diff --git a/libtiff-tiffdump.patch b/libtiff-tiffdump.patch new file mode 100644 index 0000000..cb77796 --- /dev/null +++ b/libtiff-tiffdump.patch @@ -0,0 +1,35 @@ +Make tiffdump more paranoid about checking the count field of a directory +entry. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218 + + +diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c +--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400 ++++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400 +@@ -46,6 +46,7 @@ + # include + #endif + ++#include "tiffiop.h" + #include "tiffio.h" + + #ifndef O_BINARY +@@ -317,7 +318,7 @@ + printf(">\n"); + continue; + } +- space = dp->tdir_count * datawidth[dp->tdir_type]; ++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); + if (space <= 0) { + printf(">\n"); + Error("Invalid count for tag %u", dp->tdir_tag); +@@ -709,7 +710,7 @@ + w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); + cc = dir->tdir_count * w; + if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 +- && read(fd, cp, cc) != -1) { ++ && read(fd, cp, cc) == cc) { + if (swabflag) { + switch (dir->tdir_type) { + case TIFF_SHORT: diff --git a/libtiff-unknown-tags.patch b/libtiff-unknown-tags.patch new file mode 100644 index 0000000..0c1ef00 --- /dev/null +++ b/libtiff-unknown-tags.patch @@ -0,0 +1,166 @@ +Fix for bug #554371: unknown tags have to be processed in a separate pass, +because tags might become known when we register a codec after processing +the Compression tag. We *must not* create an anonymous field entry that +conflicts with a codec-registered field! The original logic could result +in a crash if any such tags appear before Compression. + +An additional bug in the original logic is that it could mishandle unknown +tags with numbers higher than the last known tag. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210 + + +diff -Naur tiff-3.8.2.orig/libtiff/tif_dirread.c tiff-3.8.2/libtiff/tif_dirread.c +--- tiff-3.8.2.orig/libtiff/tif_dirread.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_dirread.c 2010-06-16 21:28:47.000000000 -0400 +@@ -80,7 +80,9 @@ + size_t fix; + uint16 dircount; + toff_t nextdiroff; ++ uint16 previous_tag = 0; + int diroutoforderwarning = 0; ++ int haveunknowntags = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -234,7 +236,7 @@ + fix = 0; + for (dp = dir, n = dircount; n > 0; n--, dp++) { + +- if (fix >= tif->tif_nfields || dp->tdir_tag == IGNORE) ++ if (dp->tdir_tag == IGNORE) + continue; + + /* +@@ -242,38 +244,26 @@ + * directory tags (violating the spec). Handle + * it here, but be obnoxious (maybe they'll fix it?). + */ +- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { ++ if (dp->tdir_tag < previous_tag) { + if (!diroutoforderwarning) { + TIFFWarningExt(tif->tif_clientdata, module, + "%s: invalid TIFF directory; tags are not sorted in ascending order", + tif->tif_name); + diroutoforderwarning = 1; + } +- fix = 0; /* O(n^2) */ + } ++ previous_tag = dp->tdir_tag; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { +- +- TIFFWarningExt(tif->tif_clientdata, +- module, +- "%s: unknown field with tag %d (0x%x) encountered", +- tif->tif_name, +- dp->tdir_tag, +- dp->tdir_tag, +- dp->tdir_type); +- +- TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1 ); +- fix = 0; +- while (fix < tif->tif_nfields && +- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) +- fix++; ++ /* Unknown tag ... we'll deal with it below */ ++ haveunknowntags = 1; ++ continue; + } + /* + * Null out old tags that we ignore. +@@ -287,8 +277,8 @@ + * Check data type. + */ + fip = tif->tif_fieldinfo[fix]; +- while (dp->tdir_type != (unsigned short) fip->field_type +- && fix < tif->tif_nfields) { ++ while (fix < tif->tif_nfields && ++ dp->tdir_type != (unsigned short) fip->field_type) { + if (fip->field_type == TIFF_ANY) /* wildcard */ + break; + fip = tif->tif_fieldinfo[++fix]; +@@ -362,6 +352,73 @@ + } + + /* ++ * If we saw any unknown tags, make an extra pass over the directory ++ * to deal with them. This must be done separately because the tags ++ * could have become known when we registered a codec after finding ++ * the Compression tag. In a correctly-sorted directory there's ++ * no problem because Compression will come before any codec-private ++ * tags, but if the sorting is wrong that might not hold. ++ */ ++ if (haveunknowntags) { ++ fix = 0; ++ for (dp = dir, n = dircount; n > 0; n--, dp++) { ++ if (dp->tdir_tag == IGNORE) ++ continue; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ ++ while (fix < tif->tif_nfields && ++ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) ++ fix++; ++ if (fix >= tif->tif_nfields || ++ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { ++ TIFFWarningExt(tif->tif_clientdata, ++ module, ++ "%s: unknown field with tag %d (0x%x) encountered", ++ tif->tif_name, ++ dp->tdir_tag, ++ dp->tdir_tag, ++ dp->tdir_type); ++ ++ TIFFMergeFieldInfo(tif, ++ _TIFFCreateAnonFieldInfo(tif, ++ dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), ++ 1 ); ++ fix = 0; ++ while (fix < tif->tif_nfields && ++ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) ++ fix++; ++ if (fix >= tif->tif_nfields || ++ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { ++ /* Can only get here if TIFFMergeFieldInfo failed */ ++ dp->tdir_tag = IGNORE; ++ continue; ++ } ++ } ++ /* ++ * Check data type. ++ */ ++ fip = tif->tif_fieldinfo[fix]; ++ while (fix < tif->tif_nfields && ++ dp->tdir_type != (unsigned short) fip->field_type) { ++ if (fip->field_type == TIFF_ANY) /* wildcard */ ++ break; ++ fip = tif->tif_fieldinfo[++fix]; ++ if (fix >= tif->tif_nfields || ++ fip->field_tag != dp->tdir_tag) { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: wrong data type %d for \"%s\"; tag ignored", ++ tif->tif_name, dp->tdir_type, ++ tif->tif_fieldinfo[fix-1]->field_name); ++ dp->tdir_tag = IGNORE; ++ break; ++ } ++ } ++ } ++ } ++ ++ /* + * Allocate directory structure and setup defaults. + */ + if (!TIFFFieldSet(tif, FIELD_IMAGEDIMENSIONS)) { diff --git a/libtiff-ycbcr-clamp.patch b/libtiff-ycbcr-clamp.patch new file mode 100644 index 0000000..fbd10bb --- /dev/null +++ b/libtiff-ycbcr-clamp.patch @@ -0,0 +1,35 @@ +Using an array to clamp translated YCbCr values is insecure, because if the +TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB +values could be very far out of range (much further than the current array +size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in +favor of using a comparison-based macro to clamp. See RH bug #583081. + +Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208 + + +diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c +--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400 +@@ -183,13 +183,18 @@ + TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, + uint32 *r, uint32 *g, uint32 *b) + { ++ int32 i; ++ + /* XXX: Only 8-bit YCbCr input supported for now */ + Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); + +- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; +- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] +- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; +- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; ++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; ++ *r = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] ++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); ++ *g = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; ++ *b = CLAMP(i, 0, 255); + } + + /* diff --git a/libtiff.spec b/libtiff.spec index ec7a335..d238631 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 3.8.2 -Release: 14%{?dist} +Release: 15%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ @@ -13,6 +13,16 @@ Patch2: libtiff-3.8.2-CVE-2006-2193.patch Patch3: libtiff-3.8.2-mantypo.patch Patch4: libtiff-3.8.2-lzw-bugs.patch Patch5: libtiff-3.8.2-CVE-2009-2347.patch +Patch6: libtiff-jpeg-scanline.patch +Patch7: libtiff-ycbcr-clamp.patch +Patch8: libtiff-CVE-2010-1411.patch +Patch9: libtiff-CVE-2010-2065.patch +Patch10: libtiff-tiffcp-no-subsample.patch +Patch11: libtiff-tiff2pdf-bugs.patch +Patch12: libtiff-unknown-tags.patch +Patch13: libtiff-3samples.patch +Patch14: libtiff-subsampling.patch +Patch15: libtiff-tiffdump.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: zlib-devel libjpeg-devel @@ -55,11 +65,21 @@ necessary for some boot packages. %setup -q -n tiff-%{version} %patch0 -p1 -b .overflow -%patch1 -p1 -b .ormandy +%patch1 -p1 %patch2 -p1 -b .CVE-2006-2193 %patch3 -p1 -b .mantypo %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 %build export CFLAGS="%{optflags} -fno-strict-aliasing" @@ -159,6 +179,13 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/*.a %changelog +* Tue Jun 22 2010 Tom Lane 3.8.2-15 +- Add fixes for multiple SIGSEGV problems, including fixes for + CVE-2010-1411, CVE-2010-2065 +Resolves: #554371, #583081 +Related: #460653, #588784, #601274, #592361 +Related: #603081, #603699, #603703 + * Mon Jul 13 2009 Tom Lane 3.8.2-14 - Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347) Related: #510041