rpms/libtiff
6
0
Fork 0
Code Issues Pull Requests Releases Activity

backport documentation change for CVE-2023-52355 (RHEL-17328)

Browse Source 
Resolves: RHEL-17328
This commit is contained in:
Michal Hlavinka 2025-05-05 17:16:23 +02:00
parent 491b3c94fa
commit 1d8f0e982d
2 changed files with 607 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

596
libtiff-4.4.0-cve2023-52355.patch Normal file
View File

@ -0,0 +1,596 @@
diff -up tiff-4.4.0/html/libtiff.html.cvedoc tiff-4.4.0/html/libtiff.html
--- tiff-4.4.0/html/libtiff.html.cvedoc 2022-02-19 16:33:54.000000000 +0100
+++ tiff-4.4.0/html/libtiff.html 2025-05-05 15:46:15.541350830 +0200
@@ -127,11 +127,16 @@
</p>
<p>
To deal with segmented pointer issues <tt>libtiff</tt> also provides
- <tt>_TIFFmemcpy</tt>, <tt>_TIFFmemset</tt>, and <tt>_TIFFmemmove</tt>
+ <tt>_TIFFmemcpy</tt>, <tt>_TIFFmemset</tt>, and <tt>_TIFFmemcmp</tt>
routines that mimic the equivalent ANSI C routines, but that are
intended for use with memory allocated through <tt>_TIFFmalloc</tt>
and <tt>_TIFFrealloc</tt>.
</p>
+ <p>
+ With <tt>libtiff</tt> 4.5 a method was introduced to limit the internal
+ memory allocation that functions are allowed to request per call
+ (see <tt>TIFFOpenOptionsSetMaxSingleMemAlloc</tt> and <tt>TIFFOpenExt</tt>).
+ </p>
<hr>
<h2 id="errors">Error Handling</h2>
<p>
@@ -143,6 +148,11 @@
Likewise warning messages are directed to a single handler routine
that can be specified with a call to <tt>TIFFSetWarningHandler</tt>
</p>
+ <p>
+ Further application-specific and per-TIFF handle (re-entrant) error handler
+ and warning handler can be set. Please refer to <tt>TIFFError</tt>
+ and <tt>TIFFOpenOptions</tt>.
+ </p>
<hr>
<h2 id="fio">Basic File Handling</h2>
<p>
@@ -155,7 +165,7 @@
main()<br>
{<br>
&nbsp;&nbsp;&nbsp;&nbsp;TIFF* tif = TIFFOpen("foo.tif", "r");<br>
- &nbsp;&nbsp;&nbsp;&nbsp;... do stuff ...<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;/* ... do stuff ... */<br>
&nbsp;&nbsp;&nbsp;&nbsp;TIFFClose(tif);<br>
}</tt>
</p>
@@ -196,6 +206,27 @@
buffered information to a file. Note that if you call <tt>TIFFClose</tt>
you do not need to call <tt>TIFFFlush</tt>.
</p>
+ <p>
+ <table>
+ <tr>
+ <td valign=top><img src="images/warning.gif" width="40" height="40" alt=""></td>
+ <td><i>In order to prevent out-of-memory issues when opening a TIFF file
+ <tt>TIFFOpenExt</tt> can be used and then the maximum single memory
+ limit in byte that <tt>libtiff</tt> internal memory allocation functions
+ are allowed to request per call can be set with
+ <tt>TIFFOpenOptionsSetMaxSingleMemAlloc</tt>.</i></td>
+ </tr>
+ </table>
+ </p>
+Example:
+ <p style="margin-left: 40px">
+ tmsize_t limit = (256 * 1024 * 1024);<br>
+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();<br>
+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);<br>
+ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);<br>
+ TIFFOpenOptionsFree(opts);<br>
+ /* ... go on here ... */<br>
+ </p>
<hr>
<h2 id="dirs">TIFF Directories</h2>
<p>
diff -up tiff-4.4.0/html/man/Makefile.am.cvedoc tiff-4.4.0/html/man/Makefile.am
--- tiff-4.4.0/html/man/Makefile.am.cvedoc 2025-05-05 15:46:15.492346180 +0200
+++ tiff-4.4.0/html/man/Makefile.am 2025-05-05 15:49:32.759368119 +0200
@@ -38,6 +38,7 @@ docfiles = \
TIFFcodec.3tiff.html \
TIFFcolor.3tiff.html \
TIFFDataWidth.3tiff.html \
+ TIFFDeferStrileArrayWriting.3tiff.html \
TIFFError.3tiff.html \
TIFFFieldDataType.3tiff.html \
TIFFFieldName.3tiff.html \
@@ -49,6 +50,7 @@ docfiles = \
TIFFGetField.3tiff.html \
TIFFmemory.3tiff.html \
TIFFOpen.3tiff.html \
+ TIFFOpenOptions.3tiff.html \
TIFFPrintDirectory.3tiff.html \
TIFFquery.3tiff.html \
TIFFReadDirectory.3tiff.html \
@@ -66,6 +68,7 @@ docfiles = \
TIFFSetField.3tiff.html \
TIFFsize.3tiff.html \
TIFFstrip.3tiff.html \
+ TIFFStrileQuery.3tiff.html \
TIFFswab.3tiff.html \
TIFFtile.3tiff.html \
TIFFWarning.3tiff.html \
diff -up tiff-4.4.0/man/Makefile.am.cvedoc tiff-4.4.0/man/Makefile.am
--- tiff-4.4.0/man/Makefile.am.cvedoc 2025-05-05 15:46:42.027712039 +0200
+++ tiff-4.4.0/man/Makefile.am 2025-05-05 15:48:31.730675076 +0200
@@ -51,6 +51,7 @@ dist_man3_MANS = \
TIFFcodec.3tiff \
TIFFcolor.3tiff \
TIFFDataWidth.3tiff \
+ TIFFDeferStrileArrayWriting.3tiff \
TIFFError.3tiff \
TIFFFieldDataType.3tiff \
TIFFFieldName.3tiff \
@@ -62,6 +63,7 @@ dist_man3_MANS = \
TIFFGetField.3tiff \
TIFFmemory.3tiff \
TIFFOpen.3tiff \
+ TIFFOpenOptions.3tiff \
TIFFPrintDirectory.3tiff \
TIFFquery.3tiff \
TIFFReadDirectory.3tiff \
@@ -79,6 +81,7 @@ dist_man3_MANS = \
TIFFSetField.3tiff \
TIFFsize.3tiff \
TIFFstrip.3tiff \
+ TIFFStrileQuery.3tiff \
TIFFswab.3tiff \
TIFFtile.3tiff \
TIFFWarning.3tiff \
diff -up tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff.cvedoc tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff
--- tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff.cvedoc 2025-05-05 15:46:15.541666402 +0200
+++ tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff 2025-05-05 15:46:15.541666402 +0200
@@ -0,0 +1,108 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "TIFFDEFERSTRILEARRAYWRITING" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF"
+.SH NAME
+TIFFDeferStrileArrayWriting \- defer strile array writing
+.SH SYNOPSIS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+#include <tiffio.h>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B int TIFFDeferStrileArrayWriting(TIFF *tif)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B int TIFFForceStrileArrayWriting(TIFF *tif)
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fI\%TIFFDeferStrileArrayWriting()\fP is an advanced writing function
+that must be used in a particular sequence, and generally together
+with \fI\%TIFFForceStrileArrayWriting()\fP, to achieve its intended
+effect. Their aim is to control when and where the
+\fBStripOffsets\fP / \fBStripByteCounts\fP or \fBTileOffsets\fP / \fBTileByteCounts\fP
+arrays are written into the file.
+.sp
+The purpose of this is to generate \(aqcloud\-optimized geotiff\(aq files where
+the first KB of the file only contain the IFD entries without the potentially
+large strile arrays. Those are written afterwards.
+.sp
+More precisely, when TIFFWriteCheck() is called, the tag entries for
+those arrays will be written with type = count = offset = 0 as a temporary value.
+.sp
+Its effect is only valid for the current directory, and before
+TIFFWriteDirectory() is first called, and will be reset
+when changing directory.
+.sp
+The typical sequence of calls is:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+TIFFOpen()
+/* or TIFFCreateDirectory(tif) */
+/* Set fields with calls to TIFFSetField(tif, ...) */
+TIFFDeferStrileArrayWriting(tif)
+TIFFWriteCheck(tif, ...)
+TIFFWriteDirectory(tif)
+/* ... potentially create other directories and come back to the above directory */
+TIFFForceStrileArrayWriting(tif) /* emit the arrays at the end of file */
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH RETURNS
+.sp
+1 in case of success, 0 otherwise.
+.SH DIAGNOSTICS
+.sp
+All error messages are directed to the TIFFErrorExtR() routine.
+Likewise, warning messages are directed to the TIFFWarningExtR() routine.
+.SH NOTE
+.sp
+This functionality was introduced with libtiff 4.1.
+.SH SEE ALSO
+.sp
+\fI\%libtiff\fP (3tiff)
+.SH AUTHOR
+LibTIFF contributors
+.SH COPYRIGHT
+1988-2025, LibTIFF contributors
+.\" Generated by docutils manpage writer.
+.
diff -up tiff-4.4.0/man/TIFFError.3tiff.cvedoc tiff-4.4.0/man/TIFFError.3tiff
--- tiff-4.4.0/man/TIFFError.3tiff.cvedoc 2022-02-19 16:33:55.000000000 +0100
+++ tiff-4.4.0/man/TIFFError.3tiff 2025-05-05 15:46:15.541755008 +0200
@@ -56,6 +56,11 @@ to override the default error handler.
A
.SM NULL
(0) error handling function may be installed to suppress error messages.
+.PP
+Please refer to
+.IR TIFFOpenOptions
+for how to setup the
+application-specific handler introduced with libtiff 4.5.
.SH "RETURN VALUES"
.IR TIFFSetErrorHandler
returns a reference to the previous error handling function.
diff -up tiff-4.4.0/man/TIFFOpen.3tiff.cvedoc tiff-4.4.0/man/TIFFOpen.3tiff
--- tiff-4.4.0/man/TIFFOpen.3tiff.cvedoc 2022-02-19 16:33:55.000000000 +0100
+++ tiff-4.4.0/man/TIFFOpen.3tiff 2025-05-05 15:46:15.541863922 +0200
@@ -94,6 +94,27 @@ To alter these values, or to define valu
.IR TIFFSetField (3TIFF)
must be used.
.PP
+.IR TIFFOpenExt
+(added in libtiff 4.5) is like
+.IR TIFFOpen
+, but options, such as re-entrant error and warning handlers and a limit in byte
+that libtiff internal memory allocation functions are allowed to request per call
+may be passed with the opts argument. The opts argument may be NULL.
+Refer to
+.IR TIFFOpenOptions
+for allocating and filling the opts argument
+parameters. The allocated memory for
+.IR TIFFOpenOptions
+can be released straight after successful execution of the related
+"TIFFOpenExt" functions.
+.PP
+.IR TIFFFdOpenExt
+(added in libtiff 4.5) is like
+.IR TIFFFdOpen
+, but options argument opts like for
+.IR TIFFOpenExt
+can be passed.
+.PP
.IR TIFFFdOpen
is like
.IR TIFFOpen
diff -up tiff-4.4.0/man/TIFFOpenOptions.3tiff.cvedoc tiff-4.4.0/man/TIFFOpenOptions.3tiff
--- tiff-4.4.0/man/TIFFOpenOptions.3tiff.cvedoc 2025-05-05 15:46:15.541984178 +0200
+++ tiff-4.4.0/man/TIFFOpenOptions.3tiff 2025-05-05 15:46:15.541984178 +0200
@@ -0,0 +1,189 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "TIFFOPENOPTIONS" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF"
+.SH NAME
+TIFFOpenOptions \- open a TIFF file for reading or writing
+.SH SYNOPSIS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+#include <tiffio.h>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B typedef \fI\%TIFFOpenOptions\fP TIFFOpenOptions
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fI\%TIFFOpenOptions\fP *TIFFOpenOptionsAlloc(void)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B void TIFFOpenOptionsFree(\fI\%TIFFOpenOptions\fP*)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B void TIFFOpenOptionsSetMaxSingleMemAlloc(\fI\%TIFFOpenOptions\fP *opts, tmsize_t max_single_mem_alloc)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B void TIFFOpenOptionsSetMaxCumulatedMemAlloc(\fI\%TIFFOpenOptions\fP *opts, tmsize_t max_cumulated_mem_alloc)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B void TIFFOpenOptionsSetErrorHandlerExtR(\fI\%TIFFOpenOptions\fP *opts, \X'tty: link #c.TIFFErrorHandlerExtR'\fI\%TIFFErrorHandlerExtR\fP\X'tty: link' handler, void *errorhandler_user_data)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B void TIFFOpenOptionsSetWarningHandlerExtR(\fI\%TIFFOpenOptions\fP *opts, \X'tty: link #c.TIFFErrorHandlerExtR'\fI\%TIFFErrorHandlerExtR\fP\X'tty: link' handler, void *warnhandler_user_data)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B void TIFFOpenOptionsSetWarnAboutUnknownTags(\fI\%TIFFOpenOptions\fP *opts, int warn_about_unknown_tags)
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fI\%TIFFOpenOptions\fP is an opaque structure which can be passed
+to the TIFF open\(dqExt\(dq functions to define some \fBlibtiff\fP internal settings.
+The settings are the maximum single memory allocation limit and
+per\-TIFF handle (re\-entrant) error handler and warning handler functions.
+For those handler a pointer to a \fBcustom defined data structure\fP \fIuser_data\fP
+can be given along.
+.sp
+\fI\%TIFFOpenOptionsAlloc()\fP allocates memory for the \fI\%TIFFOpenOptions\fP
+opaque structure and returns a \fI\%TIFFOpenOptions\fP pointer.
+.sp
+\fI\%TIFFOpenOptionsFree()\fP releases the allocated memory for
+\fI\%TIFFOpenOptions\fP\&. The allocated memory for \fI\%TIFFOpenOptions\fP
+can be released straight after successful execution of the related
+TIFFOpen\(dqExt\(dq functions like \X'tty: link #c.TIFFOpenExt'\fI\%TIFFOpenExt()\fP\X'tty: link'\&.
+.sp
+\fI\%TIFFOpenOptionsSetMaxSingleMemAlloc()\fP (added in libtiff 4.5.0) sets
+the value for the maximum single memory limit in byte that \fBlibtiff\fP internal
+memory allocation functions are allowed to request per call.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+However, the \fBlibtiff\fP external functions \X'tty: link #c._TIFFmalloc'\fI\%_TIFFmalloc()\fP\X'tty: link'
+and \X'tty: link #c._TIFFrealloc'\fI\%_TIFFrealloc()\fP\X'tty: link' \fBdo not apply\fP this internal memory
+allocation limit set by \fI\%TIFFOpenOptionsSetMaxSingleMemAlloc()\fP!
+.UNINDENT
+.UNINDENT
+.sp
+\fI\%TIFFOpenOptionsSetMaxCumulatedMemAlloc()\fP (added in libtiff 4.6.1) sets
+the maximum cumulated memory allocations in byte, for a given TIFF handle,
+that \fBlibtiff\fP internal memory allocation functions are allowed.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+However, the \fBlibtiff\fP external functions \X'tty: link #c._TIFFmalloc'\fI\%_TIFFmalloc()\fP\X'tty: link'
+and \X'tty: link #c._TIFFrealloc'\fI\%_TIFFrealloc()\fP\X'tty: link' \fBdo not apply\fP this internal memory
+allocation limit set by \fI\%TIFFOpenOptionsSetMaxCumulatedMemAlloc()\fP!
+.UNINDENT
+.UNINDENT
+.sp
+\fI\%TIFFOpenOptionsSetErrorHandlerExtR()\fP sets the function pointer to
+an application\-specific and per\-TIFF handle (re\-entrant) error handler.
+Furthermore, a pointer to a \fBcustom defined data structure\fP \fIerrorhandler_user_data\fP
+can be passed. This error handler is invoked through \X'tty: link #c.TIFFErrorExtR'\fI\%TIFFErrorExtR()\fP\X'tty: link'
+and the \fIerrorhandler_user_data\fP pointer is given along.
+The \fIerrorhandler_user_data\fP argument may be NULL.
+.sp
+\fI\%TIFFOpenOptionsSetWarningHandlerExtR()\fP works like
+\fI\%TIFFOpenOptionsSetErrorHandlerExtR()\fP but for the warning handler,
+which is invoked through \X'tty: link #c.TIFFWarningExtR'\fI\%TIFFWarningExtR()\fP\X'tty: link'
+.sp
+\fI\%TIFFOpenOptionsSetWarnAboutUnknownTags()\fP sets whether libtiff should
+emit a warning when encountering a unknown tag. This function has been added in
+libtiff 4.7.1 and the default value is FALSE (change of behaviour compared to
+earlier versions).
+.SH EXAMPLE
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+#include \(dqtiffio.h\(dq
+
+typedef struct MyErrorHandlerUserDataStruct
+{
+ /* ... any user data structure ... */
+} MyErrorHandlerUserDataStruct;
+
+static int myErrorHandler(TIFF *tiff, void *user_data, const char *module,
+ const char *fmt, va_list ap)
+{
+ MyErrorHandlerUserDataStruct *errorhandler_user_data =
+ (MyErrorHandlerUserDataStruct *)user_data;
+ /*... code of myErrorHandler ...*/
+ return 1;
+}
+
+
+main()
+{
+ tmsize_t limit = (256 * 1024 * 1024);
+ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */};
+
+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
+ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data);
+ TIFF *tif = TIFFOpenExt(\(dqfoo.tif\(dq, \(dqr\(dq, opts);
+ TIFFOpenOptionsFree(opts);
+ /* ... go on here ... */
+
+ TIFFClose(tif);
+}
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH NOTE
+.sp
+This functionality was introduced with libtiff 4.5.
+.SH SEE ALSO
+.sp
+\fI\%libtiff\fP (3tiff),
+\fI\%TIFFOpen\fP (3tiff),
+\fI\%TIFFError\fP (3tiff),
+\fI\%TIFFWarning\fP (3tiff)
+.SH AUTHOR
+LibTIFF contributors
+.SH COPYRIGHT
+1988-2025, LibTIFF contributors
+.\" Generated by docutils manpage writer.
+.
diff -up tiff-4.4.0/man/TIFFStrileQuery.3tiff.cvedoc tiff-4.4.0/man/TIFFStrileQuery.3tiff
--- tiff-4.4.0/man/TIFFStrileQuery.3tiff.cvedoc 2025-05-05 15:46:15.542083764 +0200
+++ tiff-4.4.0/man/TIFFStrileQuery.3tiff 2025-05-05 15:46:15.542083764 +0200
@@ -0,0 +1,117 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "TIFFSTRILEQUERY" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF"
+.SH NAME
+TIFFStrileQuery \- get strile byte count and offset
+.SH SYNOPSIS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+#include <tiffio.h>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile);
+.UNINDENT
+.INDENT 0.0
+.TP
+.B uint64_t TIFFGetStrileOffset(TIFF *tif, uint32_t strile);
+.UNINDENT
+.INDENT 0.0
+.TP
+.B uint64_t TIFFGetStrileByteCountWithErr(TIFF *tif, uint32_t strile, int *pbErr);
+.UNINDENT
+.INDENT 0.0
+.TP
+.B uint64_t TIFFGetStrileOffsetWithErr(TIFF *tif, uint32_t strile, int *pbErr);
+.UNINDENT
+.SH DESCRIPTION
+.sp
+Make defer strile offset/bytecount loading available at runtime
+and add per\-strile offset/bytecount loading capabilities. Part of
+this commit makes the behaviour that was previously met when \fBlibtiff\fP
+was compiled with \fB\-DDEFER_STRILE_LOAD\fP available for default builds.
+.sp
+When specifying the new \fBD\fP (Deferred) \X'tty: link #c.TIFFOpen'\fI\%TIFFOpen()\fP\X'tty: link' flag,
+the loading of strile offset/bytecount is defered.
+In that mode, the \fBStripOffsets\fP / \fBStripByteCounts\fP or
+\fBTileOffsets\fP / \fBTileByteCounts\fP arrays are only loaded when first
+accessed. This can speed\-up the opening of files stored on the network
+when just metadata retrieval is needed.
+.sp
+Another addition is the capability of loading only the values of
+the offset/bytecount of the strile of interest instead of the
+whole array. This is enabled with the new \fBO\fP (Ondemand) flag of
+\X'tty: link #c.TIFFOpen'\fI\%TIFFOpen()\fP\X'tty: link' (which implies \fBD\fP).
+.sp
+The public \fI\%TIFFGetStrileOffset()\fP, \fI\%TIFFGetStrileOffsetWithErr()\fP,
+\fI\%TIFFGetStrileByteCount()\fP and \fI\%TIFFGetStrileByteCountWithErr()\fP
+functions have been added to API.
+They are of particular interest when using sparse files (with
+\fBoffset == bytecount == 0\fP) and you want to detect if a strile is
+present or not without decompressing the data, or updating an
+existing sparse file.
+.sp
+\fI\%TIFFGetStrileByteCount()\fP returns the value of the TileByteCounts /
+StripByteCounts array for the specified tile/strile.
+.sp
+\fI\%TIFFGetStrileByteCountWithErr()\fP additionally provides \fIpbErr\fP
+as an \fIint\fP pointer to an error return variable,
+which is set to \(dq0\(dq for successful return or to \(dq1\(dq for an error return.
+.sp
+\fI\%TIFFGetStrileOffset()\fP returns the value of the TileOffsets /
+StripOffsets array for the specified tile/strile.
+.sp
+\fI\%TIFFGetStrileOffsetWithErr()\fP additionally provides \fIpbErr\fP
+as an \fIint\fP pointer to an error return variable,
+which is set to \(dq0\(dq for successful return or to \(dq1\(dq for an error return.
+.SH DIAGNOSTICS
+.sp
+All error messages are directed to the \X'tty: link #c.TIFFErrorExtR'\fI\%TIFFErrorExtR()\fP\X'tty: link' routine.
+Likewise, warning messages are directed to the \X'tty: link #c.TIFFWarningExtR'\fI\%TIFFWarningExtR()\fP\X'tty: link' routine.
+.SH NOTE
+.sp
+This functionality was introduced with libtiff 4.1.
+.SH SEE ALSO
+.sp
+\fI\%libtiff\fP (3tiff),
+\fI\%TIFFOpen\fP (3tiff),
+\fI\%TIFFDeferStrileArrayWriting\fP (3tiff)
+.SH AUTHOR
+LibTIFF contributors
+.SH COPYRIGHT
+1988-2025, LibTIFF contributors
+.\" Generated by docutils manpage writer.
+.

12
libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.4.0
Release: 14%{?dist}
Release: 15%{?dist}
License: libtiff
URL: http://www.simplesystems.org/libtiff/
@ -42,6 +42,7 @@ Patch23: libtiff-4.6.0-CVE-2024-7006.patch
# from upstream, for <=4.6.0, RHEL-17337
# https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch
Patch24: libtiff-4.4.0-CVE-2023-52356.patch
Patch25: libtiff-4.4.0-cve2023-52355.patch
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
@ -103,6 +104,12 @@ autoheader
%build
export CFLAGS="%{optflags} -fno-strict-aliasing"
%configure --enable-ld-version-script
# have to regenerate missing/patched htmldoc before calling make
pushd html/man
make htmldoc
popd
%make_build
%install
@ -194,6 +201,9 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Mon May 05 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-15
- backport documentation change for CVE-2023-52355 (RHEL-17328)
* Tue Apr 22 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-14
- fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-17337)