diff --git a/.cvsignore b/.cvsignore index d85724d..70fb369 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -tiff-3.8.2.tar.gz +tiff-3.9.2.tar.gz diff --git a/libtiff-3.7.2-persample.patch b/libtiff-3.7.2-persample.patch deleted file mode 100644 index 41f7d06..0000000 --- a/libtiff-3.7.2-persample.patch +++ /dev/null @@ -1,194 +0,0 @@ ---- tiff-3.7.2/libtiff/tif_dirread.c.persample 2005-03-05 04:06:00.000000000 -0500 -+++ tiff-3.7.2/libtiff/tif_dirread.c 2005-06-29 11:54:31.536319000 -0400 -@@ -1303,33 +1303,37 @@ - static int - TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) - { -- uint16 samples = tif->tif_dir.td_samplesperpixel; -- int status = 0; -+ uint16 samples = tif->tif_dir.td_samplesperpixel; -+ int status = 0; - -- if (CheckDirCount(tif, dir, (uint32) samples)) { -- uint16 buf[10]; -- uint16* v = buf; -- -- if (samples > NITEMS(buf)) -- v = (uint16*) CheckMalloc(tif, samples, sizeof(uint16), -- "to fetch per-sample values"); -- if (v && TIFFFetchShortArray(tif, dir, v)) { -- uint16 i; -- for (i = 1; i < samples; i++) -- if (v[i] != v[0]) { -- TIFFError(tif->tif_name, -- "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- goto bad; -- } -- *pl = v[0]; -- status = 1; -- } -- bad: -- if (v && v != buf) -- _TIFFfree(v); -- } -- return (status); -+ if (CheckDirCount(tif, dir, (uint32) samples)) { -+ uint16 buf[10]; -+ uint16* v = buf; -+ -+ if (dir->tdir_count > NITEMS(buf)) -+ v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof(uint16), -+ "to fetch per-sample values"); -+ if (v && TIFFFetchShortArray(tif, dir, v)) { -+ uint16 i; -+ int check_count = dir->tdir_count; -+ if( samples < check_count ) -+ check_count = samples; -+ -+ for (i = 1; i < check_count; i++) -+ if (v[i] != v[0]) { -+ TIFFError(tif->tif_name, -+ "Cannot handle different per-sample values for field \"%s\"", -+ _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ goto bad; -+ } -+ *pl = v[0]; -+ status = 1; -+ } -+ bad: -+ if (v && v != buf) -+ _TIFFfree(v); -+ } -+ return (status); - } - - /* -@@ -1340,33 +1344,37 @@ - static int - TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) - { -- uint16 samples = tif->tif_dir.td_samplesperpixel; -- int status = 0; -+ uint16 samples = tif->tif_dir.td_samplesperpixel; -+ int status = 0; - -- if (CheckDirCount(tif, dir, (uint32) samples)) { -- uint32 buf[10]; -- uint32* v = buf; -- -- if (samples > NITEMS(buf)) -- v = (uint32*) CheckMalloc(tif, samples, sizeof(uint32), -- "to fetch per-sample values"); -- if (v && TIFFFetchLongArray(tif, dir, v)) { -- uint16 i; -- for (i = 1; i < samples; i++) -- if (v[i] != v[0]) { -- TIFFError(tif->tif_name, -- "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- goto bad; -- } -- *pl = v[0]; -- status = 1; -- } -- bad: -- if (v && v != buf) -- _TIFFfree(v); -- } -- return (status); -+ if (CheckDirCount(tif, dir, (uint32) samples)) { -+ uint32 buf[10]; -+ uint32* v = buf; -+ -+ if (dir->tdir_count > NITEMS(buf)) -+ v = (uint32*) CheckMalloc(tif, dir->tdir_count, sizeof(uint32), -+ "to fetch per-sample values"); -+ if (v && TIFFFetchLongArray(tif, dir, v)) { -+ uint16 i; -+ int check_count = dir->tdir_count; -+ -+ if( samples < check_count ) -+ check_count = samples; -+ for (i = 1; i < check_count; i++) -+ if (v[i] != v[0]) { -+ TIFFError(tif->tif_name, -+ "Cannot handle different per-sample values for field \"%s\"", -+ _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ goto bad; -+ } -+ *pl = v[0]; -+ status = 1; -+ } -+ bad: -+ if (v && v != buf) -+ _TIFFfree(v); -+ } -+ return (status); - } - - /* -@@ -1377,33 +1385,37 @@ - static int - TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) - { -- uint16 samples = tif->tif_dir.td_samplesperpixel; -- int status = 0; -+ uint16 samples = tif->tif_dir.td_samplesperpixel; -+ int status = 0; - -- if (CheckDirCount(tif, dir, (uint32) samples)) { -- double buf[10]; -- double* v = buf; -- -- if (samples > NITEMS(buf)) -- v = (double*) CheckMalloc(tif, samples, sizeof (double), -- "to fetch per-sample values"); -- if (v && TIFFFetchAnyArray(tif, dir, v)) { -- uint16 i; -- for (i = 1; i < samples; i++) -- if (v[i] != v[0]) { -- TIFFError(tif->tif_name, -- "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- goto bad; -- } -- *pl = v[0]; -- status = 1; -- } -- bad: -- if (v && v != buf) -- _TIFFfree(v); -- } -- return (status); -+ if (CheckDirCount(tif, dir, (uint32) samples)) { -+ double buf[10]; -+ double* v = buf; -+ -+ if (dir->tdir_count > NITEMS(buf)) -+ v = (double*) CheckMalloc(tif, dir->tdir_count, sizeof (double), -+ "to fetch per-sample values"); -+ if (v && TIFFFetchAnyArray(tif, dir, v)) { -+ uint16 i; -+ int check_count = dir->tdir_count; -+ if( samples < check_count ) -+ check_count = samples; -+ -+ for (i = 1; i < check_count; i++) -+ if (v[i] != v[0]) { -+ TIFFError(tif->tif_name, -+ "Cannot handle different per-sample values for field \"%s\"", -+ _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ goto bad; -+ } -+ *pl = v[0]; -+ status = 1; -+ } -+ bad: -+ if (v && v != buf) -+ _TIFFfree(v); -+ } -+ return (status); - } - #undef NITEMS - diff --git a/libtiff-3.8.2-CVE-2006-2193.patch b/libtiff-3.8.2-CVE-2006-2193.patch deleted file mode 100644 index ffd81bf..0000000 --- a/libtiff-3.8.2-CVE-2006-2193.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100 -+++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200 -@@ -3668,7 +3668,7 @@ - written += TIFFWriteFile(output, (tdata_t) "(", 1); - for (i=0;idec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); -+ /* -+ * Zero-out the unused entries -+ */ -+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); - } - return (1); - } -@@ -408,12 +413,19 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask-1; - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -+ if (code >= CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = (char)code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -604,12 +616,19 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -+ if (code >= CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecodeCompat: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = code, occ--; - oldcodep = sp->dec_codetab + code; - continue; diff --git a/libtiff-3.8.2-mantypo.patch b/libtiff-3.8.2-mantypo.patch deleted file mode 100644 index dd2811e..0000000 --- a/libtiff-3.8.2-mantypo.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tiff-3.8.2/man/tiffset.1.mantypo 2005-12-02 17:01:33.000000000 +0100 -+++ tiff-3.8.2/man/tiffset.1 2006-09-05 10:10:02.000000000 +0200 -@@ -60,7 +60,7 @@ - "Anonymous": - .RS - .nf --tiffset -s 305 Anonymous a.tif -+tiffset -s 315 Anonymous a.tif - .fi - .RE - .PP diff --git a/libtiff-3.8.2-ormandy.patch b/libtiff-3.8.2-ormandy.patch deleted file mode 100644 index cb55b03..0000000 --- a/libtiff-3.8.2-ormandy.patch +++ /dev/null @@ -1,669 +0,0 @@ -diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c ---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 -@@ -122,6 +122,7 @@ - { - static const char module[] = "_TIFFVSetField"; - -+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); - TIFFDirectory* td = &tif->tif_dir; - int status = 1; - uint32 v32, i, v; -@@ -195,10 +196,12 @@ - break; - case TIFFTAG_ORIENTATION: - v = va_arg(ap, uint32); -+ const TIFFFieldInfo* fip; - if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { -+ fip = _TIFFFieldWithTag(tif, tag); - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "Bad value %lu for \"%s\" tag ignored", -- v, _TIFFFieldWithTag(tif, tag)->field_name); -+ v, fip ? fip->field_name : "Unknown"); - } else - td->td_orientation = (uint16) v; - break; -@@ -387,11 +390,15 @@ - * happens, for example, when tiffcp is used to convert between - * compression schemes and codec-specific tags are blindly copied. - */ -+ /* -+ * better not dereference fip if it is NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - status = 0; - break; - } -@@ -468,7 +475,7 @@ - if (fip->field_type == TIFF_ASCII) - _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); - else { -- tv->value = _TIFFmalloc(tv_size * tv->count); -+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); - if (!tv->value) { - status = 0; - goto end; -@@ -563,7 +570,7 @@ - } - } - if (status) { -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ TIFFSetFieldBit(tif, fip->field_bit); - tif->tif_flags |= TIFF_DIRTYDIRECT; - } - -@@ -572,12 +579,12 @@ - return (status); - badvalue: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", -- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - badvalue32: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", -- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - } -@@ -813,12 +820,16 @@ - * If the client tries to get a tag that is not valid - * for the image's codec then we'll arrive here. - */ -+ /* -+ * dont dereference fip if it's NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) - { - TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - ret_val = 0; - break; - } -diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c ---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 -@@ -775,7 +775,8 @@ - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", - "Internal error, unknown tag 0x%x", - (unsigned int) tag); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -@@ -789,7 +790,8 @@ - if (!fip) { - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", - "Internal error, unknown tag %s", field_name); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c ---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 -@@ -29,6 +29,9 @@ - * - * Directory Read Support Routines. - */ -+ -+#include -+ - #include "tiffiop.h" - - #define IGNORE 0 /* tag placeholder used below */ -@@ -81,6 +84,7 @@ - uint16 dircount; - toff_t nextdiroff; - int diroutoforderwarning = 0; -+ int compressionknown = 0; - toff_t* new_dirlist; - - tif->tif_diroff = tif->tif_nextdiroff; -@@ -147,13 +151,20 @@ - } else { - toff_t off = tif->tif_diroff; - -- if (off + sizeof (uint16) > tif->tif_size) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "%s: Can not read TIFF directory count", -- tif->tif_name); -- return (0); -+ /* -+ * Check for integer overflow when validating the dir_off, otherwise -+ * a very high offset may cause an OOB read and crash the client. -+ * -- taviso@google.com, 14 Jun 2006. -+ */ -+ if (off + sizeof (uint16) > tif->tif_size || -+ off > (UINT_MAX - sizeof(uint16))) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "%s: Can not read TIFF directory count", -+ tif->tif_name); -+ return (0); - } else -- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); -+ _TIFFmemcpy(&dircount, tif->tif_base + off, -+ sizeof (uint16)); - off += sizeof (uint16); - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabShort(&dircount); -@@ -254,6 +265,7 @@ - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; -+ - if (fix >= tif->tif_nfields || - tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { - -@@ -264,17 +276,23 @@ - dp->tdir_tag, - dp->tdir_tag, - dp->tdir_type); -- -- TIFFMergeFieldInfo(tif, -- _TIFFCreateAnonFieldInfo(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1 ); -+ /* -+ * creating anonymous fields prior to knowing the compression -+ * algorithm (ie, when the field info has been merged) could cause -+ * crashes with pathological directories. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (compressionknown) -+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, -+ (TIFFDataType) dp->tdir_type), 1 ); -+ else goto ignore; -+ - fix = 0; - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; - } -+ - /* - * Null out old tags that we ignore. - */ -@@ -326,6 +344,7 @@ - dp->tdir_type, dp->tdir_offset); - if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) - goto bad; -+ else compressionknown++; - break; - /* XXX: workaround for broken TIFFs */ - } else if (dp->tdir_type == TIFF_LONG) { -@@ -540,6 +559,7 @@ - * Attempt to deal with a missing StripByteCounts tag. - */ - if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * Some manufacturers violate the spec by not giving - * the size of the strips. In this case, assume there -@@ -556,7 +576,7 @@ - "%s: TIFF directory is missing required " - "\"%s\" field, calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - /* -@@ -580,6 +600,7 @@ - } else if (td->td_nstrips == 1 - && td->td_stripoffset[0] != 0 - && BYTECOUNTLOOKSBAD) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Plexus (and others) sometimes give a value of zero for - * a tag when they don't know what the correct value is! Try -@@ -589,13 +610,14 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if(EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } else if (td->td_planarconfig == PLANARCONFIG_CONTIG - && td->td_nstrips > 2 - && td->td_compression == COMPRESSION_NONE - && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Some vendors fill StripByteCount array with absolutely - * wrong values (it can be equal to StripOffset array, for -@@ -604,7 +626,7 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } -@@ -870,7 +892,13 @@ - - register TIFFDirEntry *dp; - register TIFFDirectory *td = &tif->tif_dir; -- uint16 i; -+ -+ /* i is used to iterate over td->td_nstrips, so must be -+ * at least the same width. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ -+ uint32 i; - - if (td->td_stripbytecount) - _TIFFfree(td->td_stripbytecount); -@@ -947,16 +975,18 @@ - static int - CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) - { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ - if (count > dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (0); - } else if (count < dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (1); - } -@@ -970,6 +1000,7 @@ - TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) - { - int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - tsize_t cc = dir->tdir_count * w; - - /* Check for overflow. */ -@@ -1013,7 +1044,7 @@ - bad: - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Error fetching data for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - return (tsize_t) 0; - } - -@@ -1039,10 +1070,12 @@ - static int - cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) - { -+ const TIFFFieldInfo* fip; - if (denom == 0) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s: Rational with zero denominator (num = %lu)", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); -+ fip ? fip->field_name : "Unknown", num); - return (0); - } else { - if (dir->tdir_type == TIFF_RATIONAL) -@@ -1159,6 +1192,20 @@ - static int - TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) - { -+ /* -+ * Prevent overflowing the v stack arrays below by performing a sanity -+ * check on tdir_count, this should never be greater than two. -+ * -- taviso@google.com 14 Jun 2006. -+ */ -+ if (dir->tdir_count > 2) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, -+ "unexpected count for field \"%s\", %lu, expected 2; ignored.", -+ fip ? fip->field_name : "Unknown", -+ dir->tdir_count); -+ return 0; -+ } -+ - switch (dir->tdir_type) { - case TIFF_BYTE: - case TIFF_SBYTE: -@@ -1329,14 +1376,15 @@ - case TIFF_DOUBLE: - return (TIFFFetchDoubleArray(tif, dir, (double*) v)); - default: -+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - /* TIFF_NOTYPE */ - /* TIFF_ASCII */ - /* TIFF_UNDEFINED */ - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "cannot read TIFF_ANY type %d for field \"%s\"", - dir->tdir_type, -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- return (0); -+ fip ? fip->field_name : "Unknown"); -+ return (0); } - } - return (1); - } -@@ -1351,6 +1399,9 @@ - int ok = 0; - const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); - -+ if (fip == NULL) { -+ return (0); -+ } - if (dp->tdir_count > 1) { /* array of values */ - char* cp = NULL; - -@@ -1493,6 +1544,7 @@ - TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1510,9 +1562,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1534,6 +1587,7 @@ - TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1551,9 +1605,10 @@ - check_count = samples; - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1574,6 +1629,7 @@ - TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1591,9 +1647,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c ---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 -@@ -1136,6 +1136,7 @@ - Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) - { - Fax3BaseState* sp = Fax3State(tif); -+ const TIFFFieldInfo* fip; - - assert(sp != 0); - assert(sp->vsetparent != 0); -@@ -1181,7 +1182,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c ---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 -@@ -722,15 +722,31 @@ - segment_width = TIFFhowmany(segment_width, sp->h_sampling); - segment_height = TIFFhowmany(segment_height, sp->v_sampling); - } -- if (sp->cinfo.d.image_width != segment_width || -- sp->cinfo.d.image_height != segment_height) { -+ if (sp->cinfo.d.image_width < segment_width || -+ sp->cinfo.d.image_height < segment_height) { - TIFFWarningExt(tif->tif_clientdata, module, - "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", - segment_width, - segment_height, - sp->cinfo.d.image_width, - sp->cinfo.d.image_height); -+ } -+ -+ if (sp->cinfo.d.image_width > segment_width || -+ sp->cinfo.d.image_height > segment_height) { -+ /* -+ * This case could be dangerous, if the strip or tile size has been -+ * reported as less than the amount of data jpeg will return, some -+ * potential security issues arise. Catch this case and error out. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "JPEG strip/tile size exceeds expected dimensions," -+ "expected %dx%d, got %dx%d", segment_width, segment_height, -+ sp->cinfo.d.image_width, sp->cinfo.d.image_height); -+ return (0); - } -+ - if (sp->cinfo.d.num_components != - (td->td_planarconfig == PLANARCONFIG_CONTIG ? - td->td_samplesperpixel : 1)) { -@@ -761,6 +777,22 @@ - sp->cinfo.d.comp_info[0].v_samp_factor, - sp->h_sampling, sp->v_sampling); - -+ /* -+ * There are potential security issues here for decoders that -+ * have already allocated buffers based on the expected sampling -+ * factors. Lets check the sampling factors dont exceed what -+ * we were expecting. -+ * -- taviso@google.com 14 June 2006 -+ */ -+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || -+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Cannot honour JPEG sampling factors that" -+ " exceed those specified."); -+ return (0); -+ } -+ -+ - /* - * XXX: Files written by the Intergraph software - * has different sampling factors stored in the -@@ -1521,15 +1553,18 @@ - { - JPEGState *sp = JState(tif); - -- assert(sp != 0); -+ /* assert(sp != 0); */ - - tif->tif_tagmethods.vgetfield = sp->vgetparent; - tif->tif_tagmethods.vsetfield = sp->vsetparent; - -- if( sp->cinfo_initialized ) -- TIFFjpeg_destroy(sp); /* release libjpeg resources */ -- if (sp->jpegtables) /* tag value */ -- _TIFFfree(sp->jpegtables); -+ if (sp != NULL) { -+ if( sp->cinfo_initialized ) -+ TIFFjpeg_destroy(sp); /* release libjpeg resources */ -+ if (sp->jpegtables) /* tag value */ -+ _TIFFfree(sp->jpegtables); -+ } -+ - _TIFFfree(tif->tif_data); /* release local state */ - tif->tif_data = NULL; - -@@ -1541,6 +1576,7 @@ - { - JPEGState* sp = JState(tif); - TIFFDirectory* td = &tif->tif_dir; -+ const TIFFFieldInfo* fip; - uint32 v32; - - assert(sp != NULL); -@@ -1606,7 +1642,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -@@ -1726,7 +1768,11 @@ - { - JPEGState* sp = JState(tif); - -- assert(sp != NULL); -+ /* assert(sp != NULL); */ -+ if (sp == NULL) { -+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); -+ return; -+ } - - (void) flags; - if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) -diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c ---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 -@@ -105,11 +105,16 @@ - * as codes of the form - * until we've filled the scanline. - */ -+ /* -+ * Ensure the run does not exceed the scanline -+ * bounds, potentially resulting in a security issue. -+ * -- taviso@google.com 14 Jun 2006. -+ */ - op = row; - for (;;) { - grey = (n>>6) & 0x3; - n &= 0x3f; -- while (n-- > 0) -+ while (n-- > 0 && npixels < imagewidth) - SETPIXEL(op, grey); - if (npixels >= (int) imagewidth) - break; -diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c ---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 -@@ -768,7 +768,19 @@ - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabArrayOfShort(up, nsamples); - -- for (i = 0; i < nsamples; i += llen, up += llen) { -+ /* -+ * if llen is not an exact multiple of nsamples, the decode operation -+ * may overflow the output buffer, so truncate it enough to prevent that -+ * but still salvage as much data as possible. -+ * -- taviso@google.com 14th June 2006 -+ */ -+ if (nsamples % llen) -+ TIFFWarningExt(tif->tif_clientdata, module, -+ "%s: stride %lu is not a multiple of sample count, " -+ "%lu, data truncated.", tif->tif_name, llen, nsamples); -+ -+ -+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { - switch (sp->user_datafmt) { - case PIXARLOGDATAFMT_FLOAT: - horizontalAccumulateF(up, llen, sp->stride, -diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c ---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 -@@ -31,6 +31,8 @@ - #include "tiffiop.h" - #include - -+#include -+ - int TIFFFillStrip(TIFF*, tstrip_t); - int TIFFFillTile(TIFF*, ttile_t); - static int TIFFStartStrip(TIFF*, tstrip_t); -@@ -272,7 +274,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { -+ /* -+ * This sanity check could potentially overflow, causing an OOB read. -+ * verify that offset + bytecount is > offset. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { - /* - * This error message might seem strange, but it's - * what would happen if a read were done instead. -@@ -470,7 +478,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { -+ /* -+ * We must check this calculation doesnt overflow, potentially -+ * causing an OOB read. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { - tif->tif_curtile = NOTILE; - return (0); - } diff --git a/libtiff-CVE-2009-2347.patch b/libtiff-CVE-2009-2347.patch new file mode 100644 index 0000000..f1fd62b --- /dev/null +++ b/libtiff-CVE-2009-2347.patch @@ -0,0 +1,87 @@ +diff -Naur tiff-3.9.2.orig/tools/tiff2rgba.c tiff-3.9.2/tools/tiff2rgba.c +--- tiff-3.9.2.orig/tools/tiff2rgba.c 2009-08-20 16:23:53.000000000 -0400 ++++ tiff-3.9.2/tools/tiff2rgba.c 2009-12-03 12:19:07.000000000 -0500 +@@ -125,6 +125,17 @@ + return (0); + } + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + static int + cvt_by_tile( TIFF *in, TIFF *out ) + +@@ -134,6 +145,7 @@ + uint32 tile_width, tile_height; + uint32 row, col; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -151,7 +163,14 @@ + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) tile_width, (unsigned long) tile_height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -159,7 +178,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + if (!wrk_line) { +@@ -236,6 +255,7 @@ + uint32 width, height; /* image width & height */ + uint32 row; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -251,7 +271,14 @@ + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) rowsperstrip); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -259,7 +286,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + if (!wrk_line) { diff --git a/libtiff-acversion.patch b/libtiff-acversion.patch new file mode 100644 index 0000000..b188563 --- /dev/null +++ b/libtiff-acversion.patch @@ -0,0 +1,12 @@ +diff -Naur tiff-3.9.2.orig/configure.ac tiff-3.9.2/configure.ac +--- tiff-3.9.2.orig/configure.ac 2009-11-04 12:11:20.000000000 -0500 ++++ tiff-3.9.2/configure.ac 2009-12-03 12:52:41.000000000 -0500 +@@ -24,7 +24,7 @@ + + dnl Process this file with autoconf to produce a configure script. + +-AC_PREREQ(2.64) ++AC_PREREQ(2.63) + AC_INIT([LibTIFF Software],[3.9.2],[tiff@lists.maptools.org],[tiff]) + AC_CONFIG_AUX_DIR(config) + AC_CONFIG_MACRO_DIR(m4) diff --git a/libtiff-mantypo.patch b/libtiff-mantypo.patch new file mode 100644 index 0000000..519a871 --- /dev/null +++ b/libtiff-mantypo.patch @@ -0,0 +1,12 @@ +diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1 +--- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400 ++++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500 +@@ -60,7 +60,7 @@ + ``Anonymous'': + .RS + .nf +-tiffset \-s 305 Anonymous a.tif ++tiffset \-s 315 Anonymous a.tif + .fi + .RE + .PP diff --git a/libtiff-v3.6.1-64bit.patch b/libtiff-v3.6.1-64bit.patch deleted file mode 100644 index 5176db0..0000000 --- a/libtiff-v3.6.1-64bit.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tiff-v3.6.1/libtiff/tiff.h.64bit 2003-12-22 03:22:15.000000000 -0500 -+++ tiff-v3.6.1/libtiff/tiff.h 2004-05-19 13:53:35.000000000 -0400 -@@ -79,7 +79,7 @@ - typedef unsigned char uint8; - typedef short int16; - typedef unsigned short uint16; /* sizeof (uint16) must == 2 */ --#if defined(__alpha) || (defined(_MIPS_SZLONG) && _MIPS_SZLONG == 64) || defined(__LP64__) || defined(__arch64__) -+#if defined(__s390x__) || defined(__ia64__) || defined(__alpha) || (defined(_MIPS_SZLONG) && _MIPS_SZLONG == 64) || defined(__LP64__) || defined(__arch64__) - typedef int int32; - typedef unsigned int uint32; /* sizeof (uint32) must == 4 */ - #else diff --git a/libtiff.spec b/libtiff.spec index 312ca58..ff61238 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,21 +1,21 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff -Version: 3.8.2 -Release: 16%{?dist} +Version: 3.9.2 +Release: 1%{?dist} + License: libtiff Group: System Environment/Libraries URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz -Patch0: tiffsplit-overflow.patch -Patch1: libtiff-3.8.2-ormandy.patch -Patch2: libtiff-3.8.2-CVE-2006-2193.patch -Patch3: libtiff-3.8.2-mantypo.patch -Patch4: libtiff-3.8.2-lzw-bugs.patch -Patch5: libtiff-3.8.2-CVE-2009-2347.patch +Patch1: libtiff-acversion.patch +Patch2: libtiff-mantypo.patch +Patch3: libtiff-CVE-2009-2347.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: zlib-devel libjpeg-devel +BuildRequires: libtool automake autoconf + %define LIBVER %(echo %{version} | cut -f 1-2 -d .) %description @@ -51,15 +51,30 @@ The libtiff-static package contains the statically linkable version of libtiff. Linking to static libraries is discouraged for most applications, but it is necessary for some boot packages. +%package tools +Summary: Command-line utility programs for manipulating TIFF files +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description tools +This package contains command-line programs for manipulating TIFF format +image files using the libtiff library. + %prep %setup -q -n tiff-%{version} -%patch0 -p1 -b .overflow -%patch1 -p1 -b .ormandy -%patch2 -p1 -b .CVE-2006-2193 -%patch3 -p1 -b .mantypo -%patch4 -p1 -%patch5 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 + +# Use build system's libtool.m4, not the one in the package. +rm -f libtool.m4 + +libtoolize --force --copy +aclocal -I . -I m4 +automake --add-missing --copy +autoconf +autoheader %build export CFLAGS="%{optflags} -fno-strict-aliasing" @@ -71,7 +86,7 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check %install rm -rf $RPM_BUILD_ROOT -%makeinstall +make DESTDIR=$RPM_BUILD_ROOT install # remove what we didn't want installed rm $RPM_BUILD_ROOT%{_libdir}/*.la @@ -141,10 +156,8 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,0755) %doc COPYRIGHT README RELEASE-DATE VERSION -%{_bindir}/* %{_libdir}/libtiff.so.* %{_libdir}/libtiffxx.so.* -%{_mandir}/man1/* %files devel %defattr(-,root,root,0755) @@ -158,7 +171,21 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root) %{_libdir}/*.a +%files tools +%defattr(-,root,root,0755) +%{_bindir}/* +%{_mandir}/man1/* + %changelog +* Thu Dec 3 2009 Tom Lane 3.9.2-1 +- Update to libtiff 3.9.2; stop carrying a lot of old patches +Resolves: #520734 +- Split command-line tools into libtiff-tools subpackage +Resolves: #515170 +- Use build system's libtool instead of what package contains; + among other cleanup this gets rid of unwanted rpath specs in executables +Related: #226049 + * Thu Oct 15 2009 Tom Lane 3.8.2-16 - add sparc/sparc64 to multilib header support diff --git a/sources b/sources index 1c867c8..ba0b467 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz +93e56e421679c591de7552db13384cb8 tiff-3.9.2.tar.gz diff --git a/tiffsplit-overflow.patch b/tiffsplit-overflow.patch deleted file mode 100644 index 36a613f..0000000 --- a/tiffsplit-overflow.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000 -0400 -+++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400 -@@ -60,14 +60,16 @@ - fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n"); - return (-3); - } -- if (argc > 2) -- strcpy(fname, argv[2]); -+ if (argc > 2) { -+ strncpy(fname, argv[2], 1024); -+ fname[1024] = '\0'; -+ } - in = TIFFOpen(argv[1], "r"); - if (in != NULL) { - do { - char path[1024+1]; - newfilename(); -- strcpy(path, fname); -+ strncpy(path, fname, 1020); - strcat(path, ".tif"); - out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); - if (out == NULL)