Update to libtiff 3.9.2

Tom Lane 2009-12-03 18:42:07 +00:00
parent 197c5fd5e4
commit 21b0c4c5f8
14 changed files with 157 additions and 1164 deletions


@ -1 +1 @@
tiff-3.8.2.tar.gz tiff-3.9.2.tar.gz


@ -1,194 +0,0 @@
--- tiff-3.7.2/libtiff/tif_dirread.c.persample 2005-03-05 04:06:00.000000000 -0500
+++ tiff-3.7.2/libtiff/tif_dirread.c 2005-06-29 11:54:31.536319000 -0400
@@ -1303,33 +1303,37 @@
static int
TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
{
- uint16 samples = tif->tif_dir.td_samplesperpixel;
- int status = 0;
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
+ int status = 0;
- if (CheckDirCount(tif, dir, (uint32) samples)) {
- uint16 buf[10];
- uint16* v = buf;
-
- if (samples > NITEMS(buf))
- v = (uint16*) CheckMalloc(tif, samples, sizeof(uint16),
- "to fetch per-sample values");
- if (v && TIFFFetchShortArray(tif, dir, v)) {
- uint16 i;
- for (i = 1; i < samples; i++)
- if (v[i] != v[0]) {
- TIFFError(tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
- goto bad;
- }
- *pl = v[0];
- status = 1;
- }
- bad:
- if (v && v != buf)
- _TIFFfree(v);
- }
- return (status);
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+ uint16 buf[10];
+ uint16* v = buf;
+
+ if (dir->tdir_count > NITEMS(buf))
+ v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof(uint16),
+ "to fetch per-sample values");
+ if (v && TIFFFetchShortArray(tif, dir, v)) {
+ uint16 i;
+ int check_count = dir->tdir_count;
+ if( samples < check_count )
+ check_count = samples;
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
+ TIFFError(tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+ _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ goto bad;
+ }
+ *pl = v[0];
+ status = 1;
+ }
+ bad:
+ if (v && v != buf)
+ _TIFFfree(v);
+ }
+ return (status);
}
/*
@@ -1340,33 +1344,37 @@
static int
TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
{
- uint16 samples = tif->tif_dir.td_samplesperpixel;
- int status = 0;
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
+ int status = 0;
- if (CheckDirCount(tif, dir, (uint32) samples)) {
- uint32 buf[10];
- uint32* v = buf;
-
- if (samples > NITEMS(buf))
- v = (uint32*) CheckMalloc(tif, samples, sizeof(uint32),
- "to fetch per-sample values");
- if (v && TIFFFetchLongArray(tif, dir, v)) {
- uint16 i;
- for (i = 1; i < samples; i++)
- if (v[i] != v[0]) {
- TIFFError(tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
- goto bad;
- }
- *pl = v[0];
- status = 1;
- }
- bad:
- if (v && v != buf)
- _TIFFfree(v);
- }
- return (status);
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+ uint32 buf[10];
+ uint32* v = buf;
+
+ if (dir->tdir_count > NITEMS(buf))
+ v = (uint32*) CheckMalloc(tif, dir->tdir_count, sizeof(uint32),
+ "to fetch per-sample values");
+ if (v && TIFFFetchLongArray(tif, dir, v)) {
+ uint16 i;
+ int check_count = dir->tdir_count;
+
+ if( samples < check_count )
+ check_count = samples;
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
+ TIFFError(tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+ _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ goto bad;
+ }
+ *pl = v[0];
+ status = 1;
+ }
+ bad:
+ if (v && v != buf)
+ _TIFFfree(v);
+ }
+ return (status);
}
/*
@@ -1377,33 +1385,37 @@
static int
TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
{
- uint16 samples = tif->tif_dir.td_samplesperpixel;
- int status = 0;
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
+ int status = 0;
- if (CheckDirCount(tif, dir, (uint32) samples)) {
- double buf[10];
- double* v = buf;
-
- if (samples > NITEMS(buf))
- v = (double*) CheckMalloc(tif, samples, sizeof (double),
- "to fetch per-sample values");
- if (v && TIFFFetchAnyArray(tif, dir, v)) {
- uint16 i;
- for (i = 1; i < samples; i++)
- if (v[i] != v[0]) {
- TIFFError(tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
- goto bad;
- }
- *pl = v[0];
- status = 1;
- }
- bad:
- if (v && v != buf)
- _TIFFfree(v);
- }
- return (status);
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+ double buf[10];
+ double* v = buf;
+
+ if (dir->tdir_count > NITEMS(buf))
+ v = (double*) CheckMalloc(tif, dir->tdir_count, sizeof (double),
+ "to fetch per-sample values");
+ if (v && TIFFFetchAnyArray(tif, dir, v)) {
+ uint16 i;
+ int check_count = dir->tdir_count;
+ if( samples < check_count )
+ check_count = samples;
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
+ TIFFError(tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+ _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ goto bad;
+ }
+ *pl = v[0];
+ status = 1;
+ }
+ bad:
+ if (v && v != buf)
+ _TIFFfree(v);
+ }
+ return (status);
}
#undef NITEMS


@ -1,11 +0,0 @@
--- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100
+++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200
@@ -3668,7 +3668,7 @@
written += TIFFWriteFile(output, (tdata_t) "(", 1);
for (i=0;i<len;i++){
if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
- sprintf(buffer, "\\%.3o", pdfstr[i]);
+ snprintf(buffer, sizeof(buffer), "\\%.3o", (unsigned char) pdfstr[i]);
written += TIFFWriteFile(output, (tdata_t) buffer, 4);
} else {
switch (pdfstr[i]){


@ -1,169 +0,0 @@
Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
possible integer overflow in calculation of buffer sizes.
CVE-2009-2347
diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
+++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
@@ -202,6 +202,17 @@
#undef LumaBlue
#undef V2Code
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
/*
* Convert a strip of RGB data to YCbCr and
* sample to generate the output data.
@@ -278,10 +289,19 @@
float floatv;
char *stringv;
uint32 longv;
+ tsize_t raster_size;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
+++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
@@ -124,6 +124,17 @@
return (0);
}
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
static int
cvt_by_tile( TIFF *in, TIFF *out )
@@ -133,6 +144,7 @@
uint32 tile_width, tile_height;
uint32 row, col;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -150,7 +162,14 @@
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) tile_width, (unsigned long) tile_height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -158,7 +177,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
if (!wrk_line) {
@@ -226,6 +245,7 @@
uint32 width, height; /* image width & height */
uint32 row;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -241,7 +261,14 @@
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) rowsperstrip);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -249,7 +276,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
if (!wrk_line) {
@@ -328,14 +355,22 @@
uint32* raster; /* retrieve RGBA image */
uint32 width, height; /* image width & height */
uint32 row;
-
+ tsize_t raster_size;
+
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -353,7 +388,7 @@
*/
if( no_alpha )
{
- int pixel_count = width * height;
+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
unsigned char *src, *dst;
src = (unsigned char *) raster;


@ -1,58 +0,0 @@
Fixes for CVE-2008-2327 and CVE-2009-2285
diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c
--- tiff-3.8.2.orig/libtiff/tif_lzw.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_lzw.c 2008-08-22 16:26:01.000000000 -0400
@@ -237,6 +237,11 @@
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
+ /*
+ * Zero-out the unused entries
+ */
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
}
return (1);
}
@@ -408,12 +413,19 @@
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask-1;
NextCode(tif, sp, bp, code, GetNextCode);
if (code == CODE_EOI)
break;
+ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = (char)code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
@@ -604,12 +616,19 @@
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
NextCode(tif, sp, bp, code, GetNextCodeCompat);
if (code == CODE_EOI)
break;
+ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecodeCompat: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = code, occ--;
oldcodep = sp->dec_codetab + code;
continue;


@ -1,11 +0,0 @@
--- tiff-3.8.2/man/tiffset.1.mantypo 2005-12-02 17:01:33.000000000 +0100
+++ tiff-3.8.2/man/tiffset.1 2006-09-05 10:10:02.000000000 +0200
@@ -60,7 +60,7 @@
"Anonymous":
.RS
.nf
-tiffset -s 305 Anonymous a.tif
+tiffset -s 315 Anonymous a.tif
.fi
.RE
.PP


@ -1,669 +0,0 @@
diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
@@ -122,6 +122,7 @@
{
static const char module[] = "_TIFFVSetField";
+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
@@ -195,10 +196,12 @@
break;
case TIFFTAG_ORIENTATION:
v = va_arg(ap, uint32);
+ const TIFFFieldInfo* fip;
if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+ fip = _TIFFFieldWithTag(tif, tag);
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"Bad value %lu for \"%s\" tag ignored",
- v, _TIFFFieldWithTag(tif, tag)->field_name);
+ v, fip ? fip->field_name : "Unknown");
} else
td->td_orientation = (uint16) v;
break;
@@ -387,11 +390,15 @@
* happens, for example, when tiffcp is used to convert between
* compression schemes and codec-specific tags are blindly copied.
*/
+ /*
+ * better not dereference fip if it is NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
status = 0;
break;
}
@@ -468,7 +475,7 @@
if (fip->field_type == TIFF_ASCII)
_TIFFsetString((char **)&tv->value, va_arg(ap, char *));
else {
- tv->value = _TIFFmalloc(tv_size * tv->count);
+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
if (!tv->value) {
status = 0;
goto end;
@@ -563,7 +570,7 @@
}
}
if (status) {
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+ TIFFSetFieldBit(tif, fip->field_bit);
tif->tif_flags |= TIFF_DIRTYDIRECT;
}
@@ -572,12 +579,12 @@
return (status);
badvalue:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
badvalue32:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
}
@@ -813,12 +820,16 @@
* If the client tries to get a tag that is not valid
* for the image's codec then we'll arrive here.
*/
+ /*
+ * dont dereference fip if it's NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
{
TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
ret_val = 0;
break;
}
diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
@@ -775,7 +775,8 @@
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
"Internal error, unknown tag 0x%x",
(unsigned int) tag);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
@@ -789,7 +790,8 @@
if (!fip) {
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
"Internal error, unknown tag %s", field_name);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
@@ -29,6 +29,9 @@
*
* Directory Read Support Routines.
*/
+
+#include <limits.h>
+
#include "tiffiop.h"
#define IGNORE 0 /* tag placeholder used below */
@@ -81,6 +84,7 @@
uint16 dircount;
toff_t nextdiroff;
int diroutoforderwarning = 0;
+ int compressionknown = 0;
toff_t* new_dirlist;
tif->tif_diroff = tif->tif_nextdiroff;
@@ -147,13 +151,20 @@
} else {
toff_t off = tif->tif_diroff;
- if (off + sizeof (uint16) > tif->tif_size) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Can not read TIFF directory count",
- tif->tif_name);
- return (0);
+ /*
+ * Check for integer overflow when validating the dir_off, otherwise
+ * a very high offset may cause an OOB read and crash the client.
+ * -- taviso@google.com, 14 Jun 2006.
+ */
+ if (off + sizeof (uint16) > tif->tif_size ||
+ off > (UINT_MAX - sizeof(uint16))) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Can not read TIFF directory count",
+ tif->tif_name);
+ return (0);
} else
- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
+ _TIFFmemcpy(&dircount, tif->tif_base + off,
+ sizeof (uint16));
off += sizeof (uint16);
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabShort(&dircount);
@@ -254,6 +265,7 @@
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
+
if (fix >= tif->tif_nfields ||
tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
@@ -264,17 +276,23 @@
dp->tdir_tag,
dp->tdir_tag,
dp->tdir_type);
-
- TIFFMergeFieldInfo(tif,
- _TIFFCreateAnonFieldInfo(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1 );
+ /*
+ * creating anonymous fields prior to knowing the compression
+ * algorithm (ie, when the field info has been merged) could cause
+ * crashes with pathological directories.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (compressionknown)
+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
+ (TIFFDataType) dp->tdir_type), 1 );
+ else goto ignore;
+
fix = 0;
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
}
+
/*
* Null out old tags that we ignore.
*/
@@ -326,6 +344,7 @@
dp->tdir_type, dp->tdir_offset);
if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
goto bad;
+ else compressionknown++;
break;
/* XXX: workaround for broken TIFFs */
} else if (dp->tdir_type == TIFF_LONG) {
@@ -540,6 +559,7 @@
* Attempt to deal with a missing StripByteCounts tag.
*/
if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* Some manufacturers violate the spec by not giving
* the size of the strips. In this case, assume there
@@ -556,7 +576,7 @@
"%s: TIFF directory is missing required "
"\"%s\" field, calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
/*
@@ -580,6 +600,7 @@
} else if (td->td_nstrips == 1
&& td->td_stripoffset[0] != 0
&& BYTECOUNTLOOKSBAD) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Plexus (and others) sometimes give a value of zero for
* a tag when they don't know what the correct value is! Try
@@ -589,13 +610,14 @@
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if(EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
&& td->td_nstrips > 2
&& td->td_compression == COMPRESSION_NONE
&& td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Some vendors fill StripByteCount array with absolutely
* wrong values (it can be equal to StripOffset array, for
@@ -604,7 +626,7 @@
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
}
@@ -870,7 +892,13 @@
register TIFFDirEntry *dp;
register TIFFDirectory *td = &tif->tif_dir;
- uint16 i;
+
+ /* i is used to iterate over td->td_nstrips, so must be
+ * at least the same width.
+ * -- taviso@google.com 15 Jun 2006
+ */
+
+ uint32 i;
if (td->td_stripbytecount)
_TIFFfree(td->td_stripbytecount);
@@ -947,16 +975,18 @@
static int
CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
{
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+
if (count > dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (0);
} else if (count < dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (1);
}
@@ -970,6 +1000,7 @@
TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
{
int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
tsize_t cc = dir->tdir_count * w;
/* Check for overflow. */
@@ -1013,7 +1044,7 @@
bad:
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Error fetching data for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
return (tsize_t) 0;
}
@@ -1039,10 +1070,12 @@
static int
cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
{
+ const TIFFFieldInfo* fip;
if (denom == 0) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"%s: Rational with zero denominator (num = %lu)",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
+ fip ? fip->field_name : "Unknown", num);
return (0);
} else {
if (dir->tdir_type == TIFF_RATIONAL)
@@ -1159,6 +1192,20 @@
static int
TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
{
+ /*
+ * Prevent overflowing the v stack arrays below by performing a sanity
+ * check on tdir_count, this should never be greater than two.
+ * -- taviso@google.com 14 Jun 2006.
+ */
+ if (dir->tdir_count > 2) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
+ fip ? fip->field_name : "Unknown",
+ dir->tdir_count);
+ return 0;
+ }
+
switch (dir->tdir_type) {
case TIFF_BYTE:
case TIFF_SBYTE:
@@ -1329,14 +1376,15 @@
case TIFF_DOUBLE:
return (TIFFFetchDoubleArray(tif, dir, (double*) v));
default:
+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
/* TIFF_NOTYPE */
/* TIFF_ASCII */
/* TIFF_UNDEFINED */
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"cannot read TIFF_ANY type %d for field \"%s\"",
dir->tdir_type,
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
- return (0);
+ fip ? fip->field_name : "Unknown");
+ return (0); }
}
return (1);
}
@@ -1351,6 +1399,9 @@
int ok = 0;
const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ if (fip == NULL) {
+ return (0);
+ }
if (dp->tdir_count > 1) { /* array of values */
char* cp = NULL;
@@ -1493,6 +1544,7 @@
TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1510,9 +1562,10 @@
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1534,6 +1587,7 @@
TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1551,9 +1605,10 @@
check_count = samples;
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1574,6 +1629,7 @@
TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1591,9 +1647,10 @@
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
@@ -1136,6 +1136,7 @@
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
{
Fax3BaseState* sp = Fax3State(tif);
+ const TIFFFieldInfo* fip;
assert(sp != 0);
assert(sp->vsetparent != 0);
@@ -1181,7 +1182,13 @@
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
@@ -722,15 +722,31 @@
segment_width = TIFFhowmany(segment_width, sp->h_sampling);
segment_height = TIFFhowmany(segment_height, sp->v_sampling);
}
- if (sp->cinfo.d.image_width != segment_width ||
- sp->cinfo.d.image_height != segment_height) {
+ if (sp->cinfo.d.image_width < segment_width ||
+ sp->cinfo.d.image_height < segment_height) {
TIFFWarningExt(tif->tif_clientdata, module,
"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
segment_width,
segment_height,
sp->cinfo.d.image_width,
sp->cinfo.d.image_height);
+ }
+
+ if (sp->cinfo.d.image_width > segment_width ||
+ sp->cinfo.d.image_height > segment_height) {
+ /*
+ * This case could be dangerous, if the strip or tile size has been
+ * reported as less than the amount of data jpeg will return, some
+ * potential security issues arise. Catch this case and error out.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "JPEG strip/tile size exceeds expected dimensions,"
+ "expected %dx%d, got %dx%d", segment_width, segment_height,
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ return (0);
}
+
if (sp->cinfo.d.num_components !=
(td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1)) {
@@ -761,6 +777,22 @@
sp->cinfo.d.comp_info[0].v_samp_factor,
sp->h_sampling, sp->v_sampling);
+ /*
+ * There are potential security issues here for decoders that
+ * have already allocated buffers based on the expected sampling
+ * factors. Lets check the sampling factors dont exceed what
+ * we were expecting.
+ * -- taviso@google.com 14 June 2006
+ */
+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot honour JPEG sampling factors that"
+ " exceed those specified.");
+ return (0);
+ }
+
+
/*
* XXX: Files written by the Intergraph software
* has different sampling factors stored in the
@@ -1521,15 +1553,18 @@
{
JPEGState *sp = JState(tif);
- assert(sp != 0);
+ /* assert(sp != 0); */
tif->tif_tagmethods.vgetfield = sp->vgetparent;
tif->tif_tagmethods.vsetfield = sp->vsetparent;
- if( sp->cinfo_initialized )
- TIFFjpeg_destroy(sp); /* release libjpeg resources */
- if (sp->jpegtables) /* tag value */
- _TIFFfree(sp->jpegtables);
+ if (sp != NULL) {
+ if( sp->cinfo_initialized )
+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
+ if (sp->jpegtables) /* tag value */
+ _TIFFfree(sp->jpegtables);
+ }
+
_TIFFfree(tif->tif_data); /* release local state */
tif->tif_data = NULL;
@@ -1541,6 +1576,7 @@
{
JPEGState* sp = JState(tif);
TIFFDirectory* td = &tif->tif_dir;
+ const TIFFFieldInfo* fip;
uint32 v32;
assert(sp != NULL);
@@ -1606,7 +1642,13 @@
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
@@ -1726,7 +1768,11 @@
{
JPEGState* sp = JState(tif);
- assert(sp != NULL);
+ /* assert(sp != NULL); */
+ if (sp == NULL) {
+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
+ return;
+ }
(void) flags;
if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
@@ -105,11 +105,16 @@
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso@google.com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < imagewidth)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
@@ -768,7 +768,19 @@
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
- for (i = 0; i < nsamples; i += llen, up += llen) {
+ /*
+ * if llen is not an exact multiple of nsamples, the decode operation
+ * may overflow the output buffer, so truncate it enough to prevent that
+ * but still salvage as much data as possible.
+ * -- taviso@google.com 14th June 2006
+ */
+ if (nsamples % llen)
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: stride %lu is not a multiple of sample count, "
+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
+
+
+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalAccumulateF(up, llen, sp->stride,
diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
@@ -31,6 +31,8 @@
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
+
int TIFFFillStrip(TIFF*, tstrip_t);
int TIFFFillTile(TIFF*, ttile_t);
static int TIFFStartStrip(TIFF*, tstrip_t);
@@ -272,7 +274,13 @@
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+ /*
+ * This sanity check could potentially overflow, causing an OOB read.
+ * verify that offset + bytecount is > offset.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
/*
* This error message might seem strange, but it's
* what would happen if a read were done instead.
@@ -470,7 +478,13 @@
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+ /*
+ * We must check this calculation doesnt overflow, potentially
+ * causing an OOB read.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
tif->tif_curtile = NOTILE;
return (0);
}


@ -0,0 +1,87 @@
diff -Naur tiff-3.9.2.orig/tools/tiff2rgba.c tiff-3.9.2/tools/tiff2rgba.c
--- tiff-3.9.2.orig/tools/tiff2rgba.c 2009-08-20 16:23:53.000000000 -0400
+++ tiff-3.9.2/tools/tiff2rgba.c 2009-12-03 12:19:07.000000000 -0500
@@ -125,6 +125,17 @@
return (0);
}
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
static int
cvt_by_tile( TIFF *in, TIFF *out )
@@ -134,6 +145,7 @@
uint32 tile_width, tile_height;
uint32 row, col;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -151,7 +163,14 @@
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) tile_width, (unsigned long) tile_height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -159,7 +178,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
if (!wrk_line) {
@@ -236,6 +255,7 @@
uint32 width, height; /* image width & height */
uint32 row;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -251,7 +271,14 @@
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) rowsperstrip);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -259,7 +286,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
if (!wrk_line) {
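Review bot: The overflow test in `multiply()` runs only after `m1 * m2` has been computed, and its operands are `tsize_t`, which I believe is a signed 32-bit type in libtiff 3.x (its definition is not on this page). Signed overflow is undefined behaviour, so a compiler may remove the `prod / m1 != m2` test. In addition, `uint32` tile or strip dimensions above the signed range arrive as negative values, for which the division test can still hold while `raster_size` ends up small and positive. I would reject such operands first with `if (m1 <= 0 || m2 <= 0) return 0;` and then compare one operand against the type's maximum divided by the other before multiplying. The added comment "Request can't overflow given prior checks" on both `wrk_line` allocations holds only once that check is sound; `cvt_by_tile` and `cvt_by_strip` both continue outside the hunks shown.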

12
libtiff-acversion.patch Normal file

@ -0,0 +1,12 @@
diff -Naur tiff-3.9.2.orig/configure.ac tiff-3.9.2/configure.ac
--- tiff-3.9.2.orig/configure.ac 2009-11-04 12:11:20.000000000 -0500
+++ tiff-3.9.2/configure.ac 2009-12-03 12:52:41.000000000 -0500
@@ -24,7 +24,7 @@
dnl Process this file with autoconf to produce a configure script.
-AC_PREREQ(2.64)
+AC_PREREQ(2.63)
AC_INIT([LibTIFF Software],[3.9.2],[tiff@lists.maptools.org],[tiff])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_MACRO_DIR(m4)

12
libtiff-mantypo.patch Normal file

@ -0,0 +1,12 @@
diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1
--- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400
+++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500
@@ -60,7 +60,7 @@
``Anonymous'':
.RS
.nf
-tiffset \-s 305 Anonymous a.tif
+tiffset \-s 315 Anonymous a.tif
.fi
.RE
.PP


@ -1,11 +0,0 @@
--- tiff-v3.6.1/libtiff/tiff.h.64bit 2003-12-22 03:22:15.000000000 -0500
+++ tiff-v3.6.1/libtiff/tiff.h 2004-05-19 13:53:35.000000000 -0400
@@ -79,7 +79,7 @@
typedef unsigned char uint8;
typedef short int16;
typedef unsigned short uint16; /* sizeof (uint16) must == 2 */
-#if defined(__alpha) || (defined(_MIPS_SZLONG) && _MIPS_SZLONG == 64) || defined(__LP64__) || defined(__arch64__)
+#if defined(__s390x__) || defined(__ia64__) || defined(__alpha) || (defined(_MIPS_SZLONG) && _MIPS_SZLONG == 64) || defined(__LP64__) || defined(__arch64__)
typedef int int32;
typedef unsigned int uint32; /* sizeof (uint32) must == 4 */
#else


@ -1,21 +1,21 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 3.8.2 Version: 3.9.2
Release: 16%{?dist} Release: 1%{?dist}
License: libtiff License: libtiff
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.remotesensing.org/libtiff/ URL: http://www.remotesensing.org/libtiff/
Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
Patch0: tiffsplit-overflow.patch Patch1: libtiff-acversion.patch
Patch1: libtiff-3.8.2-ormandy.patch Patch2: libtiff-mantypo.patch
Patch2: libtiff-3.8.2-CVE-2006-2193.patch Patch3: libtiff-CVE-2009-2347.patch
Patch3: libtiff-3.8.2-mantypo.patch
Patch4: libtiff-3.8.2-lzw-bugs.patch
Patch5: libtiff-3.8.2-CVE-2009-2347.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel BuildRequires: zlib-devel libjpeg-devel
BuildRequires: libtool automake autoconf
%define LIBVER %(echo %{version} | cut -f 1-2 -d .) %define LIBVER %(echo %{version} | cut -f 1-2 -d .)
%description %description
@ -51,15 +51,30 @@ The libtiff-static package contains the statically linkable version of libtiff.
Linking to static libraries is discouraged for most applications, but it is Linking to static libraries is discouraged for most applications, but it is
necessary for some boot packages. necessary for some boot packages.
%package tools
Summary: Command-line utility programs for manipulating TIFF files
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description tools
This package contains command-line programs for manipulating TIFF format
image files using the libtiff library.
%prep %prep
%setup -q -n tiff-%{version} %setup -q -n tiff-%{version}
%patch0 -p1 -b .overflow %patch1 -p1
%patch1 -p1 -b .ormandy %patch2 -p1
%patch2 -p1 -b .CVE-2006-2193 %patch3 -p1
%patch3 -p1 -b .mantypo
%patch4 -p1 # Use build system's libtool.m4, not the one in the package.
%patch5 -p1 rm -f libtool.m4
libtoolize --force --copy
aclocal -I . -I m4
automake --add-missing --copy
autoconf
autoheader
%build %build
export CFLAGS="%{optflags} -fno-strict-aliasing" export CFLAGS="%{optflags} -fno-strict-aliasing"
@ -71,7 +86,7 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%makeinstall make DESTDIR=$RPM_BUILD_ROOT install
# remove what we didn't want installed # remove what we didn't want installed
rm $RPM_BUILD_ROOT%{_libdir}/*.la rm $RPM_BUILD_ROOT%{_libdir}/*.la
@ -141,10 +156,8 @@ rm -rf $RPM_BUILD_ROOT
%files %files
%defattr(-,root,root,0755) %defattr(-,root,root,0755)
%doc COPYRIGHT README RELEASE-DATE VERSION %doc COPYRIGHT README RELEASE-DATE VERSION
%{_bindir}/*
%{_libdir}/libtiff.so.* %{_libdir}/libtiff.so.*
%{_libdir}/libtiffxx.so.* %{_libdir}/libtiffxx.so.*
%{_mandir}/man1/*
%files devel %files devel
%defattr(-,root,root,0755) %defattr(-,root,root,0755)
@ -158,7 +171,21 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root) %defattr(-,root,root)
%{_libdir}/*.a %{_libdir}/*.a
%files tools
%defattr(-,root,root,0755)
%{_bindir}/*
%{_mandir}/man1/*
%changelog %changelog
* Thu Dec 3 2009 Tom Lane <tgl@redhat.com> 3.9.2-1
- Update to libtiff 3.9.2; stop carrying a lot of old patches
Resolves: #520734
- Split command-line tools into libtiff-tools subpackage
Resolves: #515170
- Use build system's libtool instead of what package contains;
among other cleanup this gets rid of unwanted rpath specs in executables
Related: #226049
* Thu Oct 15 2009 Tom Lane <tgl@redhat.com> 3.8.2-16 * Thu Oct 15 2009 Tom Lane <tgl@redhat.com> 3.8.2-16
- add sparc/sparc64 to multilib header support - add sparc/sparc64 to multilib header support
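Review bot: The patch list drops `libtiff-3.8.2-ormandy.patch`, `libtiff-3.8.2-CVE-2006-2193.patch`, `libtiff-3.8.2-lzw-bugs.patch` and `tiffsplit-overflow.patch`, but the new `%changelog` entry records this only as "stop carrying a lot of old patches". Nothing on this page shows that the 3.9.2 tarball contains each of those fixes. I would name the dropped security patches in the changelog and confirm each against the 3.9.2 sources before removing it, so a later reader can tell which fixes are now expected to come from upstream. A line such as `- Drop ormandy, CVE-2006-2193, lzw-bugs and tiffsplit-overflow patches, all included in 3.9.2` would do once that has been confirmed.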


@ -1 +1 @@
fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz 93e56e421679c591de7552db13384cb8 tiff-3.9.2.tar.gz


@ -1,22 +0,0 @@
--- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000 -0400
+++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400
@@ -60,14 +60,16 @@
fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n");
return (-3);
}
- if (argc > 2)
- strcpy(fname, argv[2]);
+ if (argc > 2) {
+ strncpy(fname, argv[2], 1024);
+ fname[1024] = '\0';
+ }
in = TIFFOpen(argv[1], "r");
if (in != NULL) {
do {
char path[1024+1];
newfilename();
- strcpy(path, fname);
+ strncpy(path, fname, 1020);
strcat(path, ".tif");
out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
if (out == NULL)