Auto sync2gitlab import of libtiff-4.0.9-23.el8.src.rpm
This commit is contained in:
parent
cdaa44c4b3
commit
4dd7658732
@ -0,0 +1,43 @@
|
||||
From 686002d8cd9d41f0a4b7915be9866979c25bd5d7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||
Date: Thu, 5 May 2022 14:38:04 +0200
|
||||
Subject: [PATCH] Back off the minimum required automake version to 1.11.
|
||||
|
||||
There isn't anything in libtiff currently that actually requires 1.12,
|
||||
and changing this allows the package to be built on pre-F18 machines for
|
||||
easier testing. This patch can go away once we no longer care about
|
||||
testing on pre-F18.
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
test/Makefile.am | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 418a3b93..fa8bf4c0 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -25,7 +25,7 @@
|
||||
|
||||
docdir = $(LIBTIFF_DOCDIR)
|
||||
|
||||
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
|
||||
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
|
||||
ACLOCAL_AMFLAGS = -I m4
|
||||
|
||||
docfiles = \
|
||||
diff --git a/test/Makefile.am b/test/Makefile.am
|
||||
index 2052487c..227f228f 100644
|
||||
--- a/test/Makefile.am
|
||||
+++ b/test/Makefile.am
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
# Process this file with automake to produce Makefile.in.
|
||||
|
||||
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
|
||||
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
|
||||
|
||||
LIBTIFF = $(top_builddir)/libtiff/libtiff.la
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
24
0002-Fix-Makefile.patch
Normal file
24
0002-Fix-Makefile.patch
Normal file
@ -0,0 +1,24 @@
|
||||
From 42425abcf2204e46544aff5cd95a129944e15894 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||
Date: Thu, 5 May 2022 14:42:52 +0200
|
||||
Subject: [PATCH] Fix Makefile
|
||||
|
||||
---
|
||||
html/man/Makefile.am | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
|
||||
index 3ed00d44..8a64925a 100644
|
||||
--- a/html/man/Makefile.am
|
||||
+++ b/html/man/Makefile.am
|
||||
@@ -90,7 +90,6 @@ docfiles = \
|
||||
tiffcrop.1.html \
|
||||
tiffdither.1.html \
|
||||
tiffdump.1.html \
|
||||
- tiffgt.1.html \
|
||||
tiffinfo.1.html \
|
||||
tiffmedian.1.html \
|
||||
tiffset.1.html \
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
||||
Date: Fri, 23 Mar 2018 15:35:39 +0100
|
||||
Subject: [PATCH] Fix for bug 2772
|
||||
From e5d227c83f487e8a87d336f6cebf39042520d5cd Mon Sep 17 00:00:00 2001
|
||||
From: Nathan Baker <nathanb@lenovo-chrome.com>
|
||||
Date: Tue, 6 Feb 2018 10:13:57 -0500
|
||||
Subject: [PATCH] (CVE-2018-5784) Fix for bug 2772
|
||||
|
||||
It is possible to craft a TIFF document where the IFD list is circular,
|
||||
leading to an infinite loop while traversing the chain. The libtiff
|
||||
@ -12,6 +12,8 @@ document.
|
||||
|
||||
This change fixes the above behavior by breaking out of processing when
|
||||
a TIFF document has >= 65535 directories and terminating with an error.
|
||||
|
||||
(cherry picked from commit 473851d211cf8805a161820337ca74cc9615d6ef)
|
||||
---
|
||||
contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
|
||||
tools/tiff2pdf.c | 10 ++++++++++
|
||||
@ -19,7 +21,7 @@ a TIFF document has >= 65535 directories and terminating with an error.
|
||||
3 files changed, 34 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
|
||||
index c61ffbb..03b3573 100644
|
||||
index c61ffbb8..03b35733 100644
|
||||
--- a/contrib/addtiffo/tif_overview.c
|
||||
+++ b/contrib/addtiffo/tif_overview.c
|
||||
@@ -65,6 +65,8 @@
|
||||
@ -58,7 +60,7 @@ index c61ffbb..03b3573 100644
|
||||
nOffset = TIFFCurrentDirOffset( hTIFF );
|
||||
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index 454befb..bdb9126 100644
|
||||
index 454befbd..bdb91262 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
|
||||
@ -86,7 +88,7 @@ index 454befb..bdb9126 100644
|
||||
if(t2p->tiff_pages==NULL){
|
||||
TIFFError(
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index c69177e..c60cb38 100644
|
||||
index c69177e0..c60cb389 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
||||
@ -124,5 +126,5 @@ index c69177e..c60cb38 100644
|
||||
{
|
||||
dirnum = 0;
|
||||
--
|
||||
2.13.6
|
||||
2.34.1
|
||||
|
@ -1,7 +1,8 @@
|
||||
From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
||||
Date: Tue, 17 Apr 2018 18:42:09 +0200
|
||||
Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
|
||||
From 688dc47dfcbbc4e54dc617c9701cf46a03f8e069 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Lefeuvre <hle@debian.org>
|
||||
Date: Sun, 8 Apr 2018 14:07:08 -0400
|
||||
Subject: [PATCH] (CVE-2018-7456) Fix NULL pointer dereference in
|
||||
TIFFPrintDirectory
|
||||
|
||||
The TIFFPrintDirectory function relies on the following assumptions,
|
||||
supposed to be guaranteed by the specification:
|
||||
@ -53,13 +54,15 @@ TIFFReadDirectory function by making sure any non-color channel is
|
||||
counted in ExtraSamples.
|
||||
|
||||
This commit addresses CVE-2018-7456.
|
||||
|
||||
(cherry picked from commit be4c85b16e8801a16eec25e80eb9f3dd6a96731b)
|
||||
---
|
||||
libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
|
||||
libtiff/tif_print.c | 2 +-
|
||||
2 files changed, 63 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||
index 5e62e81..80aaf8d 100644
|
||||
index 5e62e813..80aaf8d1 100644
|
||||
--- a/libtiff/tif_dirread.c
|
||||
+++ b/libtiff/tif_dirread.c
|
||||
@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
|
||||
@ -153,7 +156,7 @@ index 5e62e81..80aaf8d 100644
|
||||
* Verify Palette image has a Colormap.
|
||||
*/
|
||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||
index 24d4b98..10a588e 100644
|
||||
index 24d4b98a..10a588ea 100644
|
||||
--- a/libtiff/tif_print.c
|
||||
+++ b/libtiff/tif_print.c
|
||||
@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||
@ -166,5 +169,5 @@ index 24d4b98..10a588e 100644
|
||||
td->td_transferfunction[i][l]);
|
||||
fputc('\n', fd);
|
||||
--
|
||||
2.17.0
|
||||
2.34.1
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001
|
||||
From 5b984e1b9296c4a3b80c5650f17cb4db575250e4 Mon Sep 17 00:00:00 2001
|
||||
From: Brian May <brian@linuxpenguins.xyz>
|
||||
Date: Thu, 7 Dec 2017 07:46:47 +1100
|
||||
Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935
|
||||
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix CVE-2017-9935
|
||||
|
||||
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
|
||||
|
||||
@ -37,13 +37,15 @@ function is the same for every page. If this changes, we abort with an
|
||||
error. In theory, we should perhaps check that the transfer function
|
||||
itself is identical for every page, however we don't do that due to the
|
||||
confusion of the type of the data in the transfer function.
|
||||
|
||||
(cherry picked from commit 3dd8f6a357981a4090f126ab9025056c938b6940)
|
||||
---
|
||||
libtiff/tif_dir.c | 3 +++
|
||||
tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++----------------
|
||||
2 files changed, 49 insertions(+), 23 deletions(-)
|
||||
tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++---------------
|
||||
2 files changed, 47 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||
index f00f808..c36a5f3 100644
|
||||
index f00f8080..c36a5f3f 100644
|
||||
--- a/libtiff/tif_dir.c
|
||||
+++ b/libtiff/tif_dir.c
|
||||
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
@ -57,24 +59,15 @@ index f00f808..c36a5f3 100644
|
||||
break;
|
||||
case TIFFTAG_REFERENCEBLACKWHITE:
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index bdb9126..bd23c9e 100644
|
||||
index bdb91262..ef5d6a01 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -239,7 +239,7 @@ typedef struct {
|
||||
float tiff_whitechromaticities[2];
|
||||
float tiff_primarychromaticities[6];
|
||||
float tiff_referenceblackwhite[2];
|
||||
- float* tiff_transferfunction[3];
|
||||
+ uint16* tiff_transferfunction[3];
|
||||
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
|
||||
1 : interpolate */
|
||||
uint16 tiff_transferfunctioncount;
|
||||
@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
uint16 pagen=0;
|
||||
uint16 paged=0;
|
||||
uint16 xuint16=0;
|
||||
+ uint16 tiff_transferfunctioncount=0;
|
||||
+ uint16* tiff_transferfunction[3];
|
||||
+ float* tiff_transferfunction[3];
|
||||
|
||||
directorycount=TIFFNumberOfDirectories(input);
|
||||
if(directorycount > TIFF_DIR_MAX) {
|
||||
@ -103,8 +96,8 @@ index bdb9126..bd23c9e 100644
|
||||
+ &(tiff_transferfunction[1]),
|
||||
+ &(tiff_transferfunction[2]))) {
|
||||
+
|
||||
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||
+ (tiff_transferfunction[2] != (uint16*) NULL)
|
||||
+ if((tiff_transferfunction[1] != (float*) NULL) &&
|
||||
+ (tiff_transferfunction[2] != (float*) NULL)
|
||||
+ ) {
|
||||
+ tiff_transferfunctioncount=3;
|
||||
+ } else {
|
||||
@ -145,20 +138,18 @@ index bdb9126..bd23c9e 100644
|
||||
if( TIFFGetField(
|
||||
input,
|
||||
TIFFTAG_ICCPROFILE,
|
||||
@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||
&(t2p->tiff_transferfunction[0]),
|
||||
@@ -1838,9 +1862,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||
&(t2p->tiff_transferfunction[1]),
|
||||
&(t2p->tiff_transferfunction[2]))) {
|
||||
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[1] !=
|
||||
- t2p->tiff_transferfunction[0])) {
|
||||
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
|
||||
+ (t2p->tiff_transferfunction[2] != (float*) NULL)
|
||||
+ ) {
|
||||
t2p->tiff_transferfunctioncount=3;
|
||||
} else {
|
||||
t2p->tiff_transferfunctioncount=1;
|
||||
--
|
||||
2.17.0
|
||||
2.34.1
|
||||
|
@ -0,0 +1,61 @@
|
||||
From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001
|
||||
From: Brian May <brian@linuxpenguins.xyz>
|
||||
Date: Thu, 7 Dec 2017 07:49:20 +1100
|
||||
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for
|
||||
transfer table
|
||||
|
||||
The standard says the transfer table contains unsigned 16 bit values,
|
||||
I have no idea why we refer to them as floats.
|
||||
|
||||
(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9)
|
||||
---
|
||||
tools/tiff2pdf.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index ef5d6a01..bd23c9e5 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -239,7 +239,7 @@ typedef struct {
|
||||
float tiff_whitechromaticities[2];
|
||||
float tiff_primarychromaticities[6];
|
||||
float tiff_referenceblackwhite[2];
|
||||
- float* tiff_transferfunction[3];
|
||||
+ uint16* tiff_transferfunction[3];
|
||||
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
|
||||
1 : interpolate */
|
||||
uint16 tiff_transferfunctioncount;
|
||||
@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
uint16 paged=0;
|
||||
uint16 xuint16=0;
|
||||
uint16 tiff_transferfunctioncount=0;
|
||||
- float* tiff_transferfunction[3];
|
||||
+ uint16* tiff_transferfunction[3];
|
||||
|
||||
directorycount=TIFFNumberOfDirectories(input);
|
||||
if(directorycount > TIFF_DIR_MAX) {
|
||||
@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
&(tiff_transferfunction[1]),
|
||||
&(tiff_transferfunction[2]))) {
|
||||
|
||||
- if((tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (tiff_transferfunction[2] != (float*) NULL)
|
||||
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||
+ (tiff_transferfunction[2] != (uint16*) NULL)
|
||||
) {
|
||||
tiff_transferfunctioncount=3;
|
||||
} else {
|
||||
@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||
&(t2p->tiff_transferfunction[0]),
|
||||
&(t2p->tiff_transferfunction[1]),
|
||||
&(t2p->tiff_transferfunction[2]))) {
|
||||
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[2] != (float*) NULL)
|
||||
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
|
||||
) {
|
||||
t2p->tiff_transferfunctioncount=3;
|
||||
} else {
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,16 +1,17 @@
|
||||
From b1997b9c3ac0d6bac5effd7558141986487217a9 Mon Sep 17 00:00:00 2001
|
||||
From 4d6c37328f38636d5002a6f1b584ad8e6031c61c Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 31 Dec 2017 15:09:41 +0100
|
||||
Subject: [PATCH 2/4] libtiff/tif_print.c: TIFFPrintDirectory(): fix null
|
||||
pointer dereference on corrupted file. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2770 / CVE-2017-18013
|
||||
Subject: [PATCH] (CVE-2017-18013) libtiff/tif_print.c: TIFFPrintDirectory():
|
||||
fix null pointer dereference on corrupted file. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2770
|
||||
|
||||
(cherry picked from commit c6f41df7b581402dfba3c19a1e3df4454c551a01)
|
||||
---
|
||||
libtiff/tif_print.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||
index 10a588e..b9b53a0 100644
|
||||
index 10a588ea..b9b53a0f 100644
|
||||
--- a/libtiff/tif_print.c
|
||||
+++ b/libtiff/tif_print.c
|
||||
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||
@ -32,5 +33,5 @@ index 10a588e..b9b53a0 100644
|
||||
}
|
||||
}
|
||||
--
|
||||
2.17.0
|
||||
2.34.1
|
||||
|
@ -1,18 +1,20 @@
|
||||
From 1c127eb3cb7653bd61b61f9c3cfeb36fd10edab1 Mon Sep 17 00:00:00 2001
|
||||
From 54972f69399628fd2105753cbcddb36ede510507 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 12 May 2018 15:32:31 +0200
|
||||
Subject: [PATCH 3/4] LZWDecodeCompat(): fix potential index-out-of-bounds
|
||||
write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
|
||||
CVE-2018-8905
|
||||
Subject: [PATCH] (CVE-2018-8905) LZWDecodeCompat(): fix potential
|
||||
index-out-of-bounds write. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
|
||||
|
||||
The fix consists in using the similar code LZWDecode() to validate we
|
||||
don't write outside of the output buffer.
|
||||
|
||||
(cherry picked from commit 58a898cb4459055bb488ca815c23b880c242a27d)
|
||||
---
|
||||
libtiff/tif_lzw.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
|
||||
index bc8f9c8..186ea3c 100644
|
||||
index bc8f9c84..186ea3ca 100644
|
||||
--- a/libtiff/tif_lzw.c
|
||||
+++ b/libtiff/tif_lzw.c
|
||||
@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
|
||||
@ -49,5 +51,5 @@ index bc8f9c8..186ea3c 100644
|
||||
*op++ = (char)code;
|
||||
occ--;
|
||||
--
|
||||
2.17.0
|
||||
2.34.1
|
||||
|
@ -1,15 +1,16 @@
|
||||
From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001
|
||||
From 142912f9f5bce169d9d0b16a687c00f9edec5825 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 12 May 2018 14:24:15 +0200
|
||||
Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
|
||||
Subject: [PATCH] (CVE-2018-10963) TIFFWriteDirectorySec: avoid assertion.
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
|
||||
|
||||
(cherry picked from commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9)
|
||||
---
|
||||
libtiff/tif_dirwrite.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
||||
index c68d6d2..5d0a669 100644
|
||||
index c68d6d21..5d0a6699 100644
|
||||
--- a/libtiff/tif_dirwrite.c
|
||||
+++ b/libtiff/tif_dirwrite.c
|
||||
@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
|
||||
@ -27,5 +28,5 @@ index c68d6d2..5d0a669 100644
|
||||
}
|
||||
}
|
||||
--
|
||||
2.17.0
|
||||
2.34.1
|
||||
|
@ -1,14 +1,16 @@
|
||||
From 491e3acc55d7a54e2588de476733e93c4c7ffea0 Mon Sep 17 00:00:00 2001
|
||||
From a04b4c4aec3bbfbbde9602ddb4e00809a1a4f92c Mon Sep 17 00:00:00 2001
|
||||
From: Young_X <YangX92@hotmail.com>
|
||||
Date: Sat, 8 Sep 2018 14:46:27 +0800
|
||||
Subject: [PATCH] avoid potential int32 overflows in multiply_ms()
|
||||
Subject: [PATCH] (CVE-2018-17100) avoid potential int32 overflows in
|
||||
multiply_ms()
|
||||
|
||||
(cherry picked from commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e)
|
||||
---
|
||||
tools/ppm2tiff.c | 13 +++++++------
|
||||
1 file changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
||||
index 91415e9..81ffa3d 100644
|
||||
index 91415e96..81ffa3db 100644
|
||||
--- a/tools/ppm2tiff.c
|
||||
+++ b/tools/ppm2tiff.c
|
||||
@@ -72,15 +72,16 @@ BadPPM(char* file)
|
||||
@ -35,5 +37,5 @@ index 91415e9..81ffa3d 100644
|
||||
|
||||
int
|
||||
--
|
||||
2.17.2
|
||||
2.34.1
|
||||
|
@ -1,7 +1,8 @@
|
||||
From 2683f6c21aefc760d2f7e56dac6b4383841886d6 Mon Sep 17 00:00:00 2001
|
||||
From dfd5030637f8643990161311eb6b47f3292ab076 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 14 Oct 2018 16:38:29 +0200
|
||||
Subject: [PATCH 2/2] JBIG: fix potential out-of-bounds write in JBIGDecode()
|
||||
Subject: [PATCH] (CVE-2018-18557) JBIG: fix potential out-of-bounds write in
|
||||
JBIGDecode()
|
||||
|
||||
JBIGDecode doesn't check if the user provided buffer is large enough
|
||||
to store the JBIG decoded image, which can potentially cause out-of-bounds
|
||||
@ -13,13 +14,15 @@ tif->tif_rawsize > tif->tif_rawcc
|
||||
|
||||
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
|
||||
that whole strip data is provided to JBIGDecode()
|
||||
|
||||
(cherry picked from commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66)
|
||||
---
|
||||
libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
|
||||
libtiff/tif_read.c | 6 ++++++
|
||||
2 files changed, 32 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
|
||||
index 7a14dd9..8136c77 100644
|
||||
index 7a14dd9a..8136c77b 100644
|
||||
--- a/libtiff/tif_jbig.c
|
||||
+++ b/libtiff/tif_jbig.c
|
||||
@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
|
||||
@ -86,7 +89,7 @@ index 7a14dd9..8136c77 100644
|
||||
}
|
||||
|
||||
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
||||
index 2ba985a..04100f4 100644
|
||||
index 2ba985a7..04100f4d 100644
|
||||
--- a/libtiff/tif_read.c
|
||||
+++ b/libtiff/tif_read.c
|
||||
@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
|
||||
@ -103,5 +106,5 @@ index 2ba985a..04100f4 100644
|
||||
whole_strip = 1;
|
||||
#endif
|
||||
--
|
||||
2.17.2
|
||||
2.34.1
|
||||
|
@ -1,10 +1,11 @@
|
||||
From 20dbecdf69cf0209ad0246707aaf142bb1fee96e Mon Sep 17 00:00:00 2001
|
||||
From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Tue, 30 Oct 2018 18:50:27 +0100
|
||||
Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
|
||||
memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
|
||||
CVE-2018-18661
|
||||
Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in
|
||||
case of out of memory situation. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661
|
||||
|
||||
(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)
|
||||
---
|
||||
libtiff/tiffiop.h | 1 +
|
||||
tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
|
||||
@ -12,7 +13,7 @@ Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
|
||||
3 files changed, 27 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
||||
index daa291c..08e5dc4 100644
|
||||
index daa291c0..08e5dc44 100644
|
||||
--- a/libtiff/tiffiop.h
|
||||
+++ b/libtiff/tiffiop.h
|
||||
@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
|
||||
@ -24,7 +25,7 @@ index daa291c..08e5dc4 100644
|
||||
#ifndef TRUE
|
||||
#define TRUE 1
|
||||
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
|
||||
index dad54af..1f3bb2c 100644
|
||||
index dad54afa..1f3bb2cd 100644
|
||||
--- a/tools/tiff2bw.c
|
||||
+++ b/tools/tiff2bw.c
|
||||
@@ -40,9 +40,7 @@
|
||||
@ -101,7 +102,7 @@ index dad54af..1f3bb2c 100644
|
||||
#undef pack
|
||||
if (inbuf)
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index c60cb38..3862b1c 100644
|
||||
index c60cb389..3862b1ca 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
||||
@ -117,5 +118,5 @@ index c60cb38..3862b1c 100644
|
||||
#define FALSE 0
|
||||
|
||||
--
|
||||
2.17.2
|
||||
2.34.1
|
||||
|
43
0013-bz1602597-Fix-two-resource-leaks.patch
Normal file
43
0013-bz1602597-Fix-two-resource-leaks.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 14212e5d19b47d02a4989aa31b9a326c1b131460 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
||||
Date: Wed, 31 Oct 2018 11:50:48 +0100
|
||||
Subject: [PATCH] (bz1602597) Fix two resource leaks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Nikola Forró <nforro@redhat.com>
|
||||
(cherry picked from commit 2f694198f1931e144e0a07a7fb50546b5b70e3ef)
|
||||
---
|
||||
tools/ppm2tiff.c | 2 ++
|
||||
tools/tiff2pdf.c | 1 +
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
||||
index 81ffa3db..a02e865a 100644
|
||||
--- a/tools/ppm2tiff.c
|
||||
+++ b/tools/ppm2tiff.c
|
||||
@@ -285,6 +285,8 @@ main(int argc, char* argv[])
|
||||
if (TIFFWriteScanline(out, buf, row, 0) < 0)
|
||||
break;
|
||||
}
|
||||
+ if (in != stdin)
|
||||
+ fclose(in);
|
||||
(void) TIFFClose(out);
|
||||
if (buf)
|
||||
_TIFFfree(buf);
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index bd23c9e5..ff7b9c22 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
|
||||
"for t2p_readwrite_pdf_image_tile, %s",
|
||||
(unsigned long) t2p->tiff_datasize,
|
||||
TIFFFileName(input));
|
||||
+ _TIFFfree(buffer);
|
||||
t2p->t2p_error = T2P_ERR_ERROR;
|
||||
return(0);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,15 +1,18 @@
|
||||
From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
|
||||
From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Mon, 11 Feb 2019 10:05:33 +0100
|
||||
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
|
||||
Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do
|
||||
no overflow
|
||||
|
||||
fixes bug 2833
|
||||
|
||||
(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d)
|
||||
---
|
||||
tools/tiffcp.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||
index 489459a..0c66229 100644
|
||||
index 489459a7..96f14728 100644
|
||||
--- a/tools/tiffcp.c
|
||||
+++ b/tools/tiffcp.c
|
||||
@@ -43,6 +43,7 @@
|
||||
@ -43,5 +46,5 @@ index 489459a..0c66229 100644
|
||||
if (tilebuf == 0)
|
||||
return 0;
|
||||
--
|
||||
2.21.0
|
||||
2.34.1
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 218c3753fba788c78a9b5e515e884043f6e2ba28 Mon Sep 17 00:00:00 2001
|
||||
From 00aeede6bdba3cb74943932b24accc7ba61d2cb0 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 10 Aug 2019 18:25:03 +0200
|
||||
Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
|
||||
implementation-defined behaviour (CVE-2019-14973)
|
||||
Subject: [PATCH] (CVE-2019-14973) Fix integer overflow in _TIFFCheckMalloc()
|
||||
and other implementation-defined behaviour (CVE-2019-14973)
|
||||
|
||||
_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
|
||||
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
|
||||
@ -16,6 +16,8 @@ builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
|
||||
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
|
||||
at that time exploits, but are better to fix in a more bullet-proof way.
|
||||
Or similarly use of (int64)uint64_var <= 0.
|
||||
|
||||
(cherry picked from commit 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773)
|
||||
---
|
||||
libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
|
||||
libtiff/tif_getimage.c | 6 ++----
|
||||
@ -28,7 +30,7 @@ Or similarly use of (int64)uint64_var <= 0.
|
||||
8 files changed, 71 insertions(+), 106 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
|
||||
index 10b8d00..38a98b6 100644
|
||||
index 10b8d00c..38a98b67 100644
|
||||
--- a/libtiff/tif_aux.c
|
||||
+++ b/libtiff/tif_aux.c
|
||||
@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
|
||||
@ -95,7 +97,7 @@ index 10b8d00..38a98b6 100644
|
||||
if (cp == NULL) {
|
||||
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index fc554cc..ec09fea 100644
|
||||
index fc554cca..ec09feaf 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
@ -121,7 +123,7 @@ index fc554cc..ec09fea 100644
|
||||
}
|
||||
|
||||
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
|
||||
index 4b25244..c4cb73a 100644
|
||||
index 4b25244b..c4cb73a3 100644
|
||||
--- a/libtiff/tif_luv.c
|
||||
+++ b/libtiff/tif_luv.c
|
||||
@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
|
||||
@ -143,7 +145,7 @@ index 4b25244..c4cb73a 100644
|
||||
|
||||
static int
|
||||
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
|
||||
index 979858d..8e9eaa1 100644
|
||||
index 979858da..8e9eaa1d 100644
|
||||
--- a/libtiff/tif_pixarlog.c
|
||||
+++ b/libtiff/tif_pixarlog.c
|
||||
@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
|
||||
@ -164,7 +166,7 @@ index 979858d..8e9eaa1 100644
|
||||
|
||||
static tmsize_t
|
||||
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
||||
index 04100f4..9a0e6e9 100644
|
||||
index 04100f4d..9a0e6e95 100644
|
||||
--- a/libtiff/tif_read.c
|
||||
+++ b/libtiff/tif_read.c
|
||||
@@ -31,9 +31,6 @@
|
||||
@ -262,7 +264,7 @@ index 04100f4..9a0e6e9 100644
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFWarningExt(tif->tif_clientdata, module,
|
||||
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
|
||||
index 6e9f2ef..321ad6b 100644
|
||||
index 6e9f2ef6..321ad6b9 100644
|
||||
--- a/libtiff/tif_strip.c
|
||||
+++ b/libtiff/tif_strip.c
|
||||
@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
|
||||
@ -333,7 +335,7 @@ index 6e9f2ef..321ad6b 100644
|
||||
|
||||
/* vim: set ts=8 sts=8 sw=8 noet: */
|
||||
diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
|
||||
index 388e168..7d05750 100644
|
||||
index 388e168a..7d057509 100644
|
||||
--- a/libtiff/tif_tile.c
|
||||
+++ b/libtiff/tif_tile.c
|
||||
@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
|
||||
@ -388,7 +390,7 @@ index 388e168..7d05750 100644
|
||||
|
||||
/*
|
||||
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
||||
index 08e5dc4..d4b8631 100644
|
||||
index 08e5dc44..d4b86314 100644
|
||||
--- a/libtiff/tiffiop.h
|
||||
+++ b/libtiff/tiffiop.h
|
||||
@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
|
||||
@ -420,5 +422,5 @@ index 08e5dc4..d4b8631 100644
|
||||
extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
|
||||
|
||||
--
|
||||
2.21.0
|
||||
2.34.1
|
||||
|
@ -1,17 +1,18 @@
|
||||
From 3d451e3f95cbb67dd771a986991b5b6107140c4e Mon Sep 17 00:00:00 2001
|
||||
From a1c493aa4f22f9d1a4757c05a60addc877519cea Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Thu, 15 Aug 2019 15:05:28 +0200
|
||||
Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
|
||||
write heap buffer overflow, especially on 32 bit builds. Fixes
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
|
||||
Fuzz
|
||||
Subject: [PATCH] (CVE-2019-17546) RGBA interface: fix integer overflow
|
||||
potentially causing write heap buffer overflow, especially on 32 bit builds.
|
||||
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to
|
||||
OSS Fuzz
|
||||
|
||||
(cherry picked from commit 4bb584a35f87af42d6cf09d15e9ce8909a839145)
|
||||
---
|
||||
libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
|
||||
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index ec09fea..c6edd27 100644
|
||||
index ec09feaf..c6edd27c 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
@ -100,5 +101,5 @@ index ec09fea..c6edd27 100644
|
||||
{
|
||||
ret = 0;
|
||||
--
|
||||
2.21.1
|
||||
2.34.1
|
||||
|
@ -1,16 +1,19 @@
|
||||
From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001
|
||||
From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Sun, 15 Nov 2020 17:02:51 +0100
|
||||
Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba
|
||||
Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory
|
||||
limit in tiff2rgba
|
||||
|
||||
fixes #207
|
||||
fixes #209
|
||||
|
||||
(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)
|
||||
---
|
||||
tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
|
||||
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
|
||||
index 4de96ae..e6de220 100644
|
||||
index 4de96aec..e6de2209 100644
|
||||
--- a/tools/tiff2rgba.c
|
||||
+++ b/tools/tiff2rgba.c
|
||||
@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
|
||||
@ -82,5 +85,5 @@ index 4de96ae..e6de220 100644
|
||||
};
|
||||
|
||||
--
|
||||
2.31.1
|
||||
2.34.1
|
||||
|
@ -1,15 +1,18 @@
|
||||
From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001
|
||||
From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Tue, 10 Nov 2020 01:54:30 +0100
|
||||
Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow
|
||||
Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for
|
||||
overflow
|
||||
|
||||
fixes #211
|
||||
|
||||
(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2)
|
||||
---
|
||||
libtiff/tif_getimage.c | 17 +++++++++++++----
|
||||
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index c6edd27..b1f7cc9 100644
|
||||
index c6edd27c..b1f7cc95 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -31,6 +31,7 @@
|
||||
@ -46,5 +49,5 @@ index c6edd27..b1f7cc9 100644
|
||||
|
||||
/*
|
||||
--
|
||||
2.31.1
|
||||
2.34.1
|
||||
|
@ -1,16 +1,18 @@
|
||||
From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001
|
||||
From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Sat, 14 Nov 2020 12:53:01 +0000
|
||||
Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to
|
||||
JPEG YCbCr
|
||||
Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when
|
||||
saving to JPEG YCbCr
|
||||
|
||||
fixes #220
|
||||
|
||||
(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22)
|
||||
---
|
||||
tools/tiff2pdf.c | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index a15a3ef..db380ec 100644
|
||||
index ff7b9c22..a5db1f64 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
|
||||
@ -35,5 +37,5 @@ index a15a3ef..db380ec 100644
|
||||
if (k == 0) {
|
||||
/* Assume we had overflow inside TIFFScanlineSize */
|
||||
--
|
||||
2.31.1
|
||||
2.34.1
|
||||
|
@ -1,7 +1,8 @@
|
||||
From b64713005e6110c36265750435cfa641d3a9281f Mon Sep 17 00:00:00 2001
|
||||
From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Mon, 11 Feb 2019 23:08:25 +0100
|
||||
Subject: [PATCH] tiffcrop.c: fix invertImage() for bps 2 and 4
|
||||
Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and
|
||||
4
|
||||
|
||||
too much bytes were processed, causing a heap buffer overrun
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2831
|
||||
@ -14,12 +15,14 @@ Also the values were not properly calculated. It should be
|
||||
But anyway it is easyer to invert all bits as 255-x = ~x, etc.
|
||||
(substracting from a binary number composed of all 1 is like inverting
|
||||
the bits)
|
||||
|
||||
(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0)
|
||||
---
|
||||
tools/tiffcrop.c | 37 ++++++-------------------------------
|
||||
1 file changed, 6 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 3862b1c..a612914 100644
|
||||
index 3862b1ca..a6129148 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -9142,7 +9142,6 @@ static int
|
||||
@ -85,5 +88,5 @@ index 3862b1c..a612914 100644
|
||||
*src = ~(*src);
|
||||
src++;
|
||||
--
|
||||
2.32.0
|
||||
2.34.1
|
||||
|
@ -0,0 +1,30 @@
|
||||
From b94f6754796d32e204b874b3660a125973815933 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 6 Feb 2022 13:08:38 +0100
|
||||
Subject: [PATCH] (CVE-2022-0561) TIFFFetchStripThing(): avoid calling memcpy()
|
||||
with a null source pointer and size of zero (fixes #362)
|
||||
|
||||
(cherry picked from commit eecb0712f4c3a5b449f70c57988260a667ddbdef)
|
||||
---
|
||||
libtiff/tif_dirread.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||
index 80aaf8d1..1e6f1c2f 100644
|
||||
--- a/libtiff/tif_dirread.c
|
||||
+++ b/libtiff/tif_dirread.c
|
||||
@@ -5633,8 +5633,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
|
||||
_TIFFfree(data);
|
||||
return(0);
|
||||
}
|
||||
- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
|
||||
- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
|
||||
+ if( dir->tdir_count )
|
||||
+ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
|
||||
+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
|
||||
_TIFFfree(data);
|
||||
data=resizeddata;
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,28 @@
|
||||
From b7426cc131d837de8d139b8007f66f9db59c4f6a Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 5 Feb 2022 20:36:41 +0100
|
||||
Subject: [PATCH] (CVE-2022-0562) TIFFReadDirectory(): avoid calling memcpy()
|
||||
with a null source pointer and size of zero (fixes #362)
|
||||
|
||||
(cherry picked from commit 561599c99f987dc32ae110370cfdd7df7975586b)
|
||||
---
|
||||
libtiff/tif_dirread.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||
index 1e6f1c2f..d68aecc5 100644
|
||||
--- a/libtiff/tif_dirread.c
|
||||
+++ b/libtiff/tif_dirread.c
|
||||
@@ -4083,7 +4083,8 @@ TIFFReadDirectory(TIFF* tif)
|
||||
goto bad;
|
||||
}
|
||||
|
||||
- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
|
||||
+ if (old_extrasamples > 0)
|
||||
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
|
||||
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
|
||||
_TIFFfree(new_sampleinfo);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,39 @@
|
||||
From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001
|
||||
From: 4ugustus <wangdw.augustus@qq.com>
|
||||
Date: Tue, 25 Jan 2022 16:25:28 +0000
|
||||
Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for
|
||||
ASCII tags where count is required (fixes #355)
|
||||
|
||||
(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64)
|
||||
---
|
||||
tools/tiffset.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tiffset.c b/tools/tiffset.c
|
||||
index 894c9f1f..e4b0d49f 100644
|
||||
--- a/tools/tiffset.c
|
||||
+++ b/tools/tiffset.c
|
||||
@@ -134,9 +134,19 @@ main(int argc, char* argv[])
|
||||
|
||||
arg_index++;
|
||||
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
|
||||
- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
|
||||
+ if(TIFFFieldPassCount( fip )) {
|
||||
+ size_t len;
|
||||
+ len = strlen(argv[arg_index]) + 1;
|
||||
+ if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip),
|
||||
+ (uint16)len, argv[arg_index]) != 1)
|
||||
fprintf( stderr, "Failed to set %s=%s\n",
|
||||
TIFFFieldName(fip), argv[arg_index] );
|
||||
+ } else {
|
||||
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
|
||||
+ argv[arg_index]) != 1)
|
||||
+ fprintf( stderr, "Failed to set %s=%s\n",
|
||||
+ TIFFFieldName(fip), argv[arg_index] );
|
||||
+ }
|
||||
} else if (TIFFFieldWriteCount(fip) > 0
|
||||
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
|
||||
int ret = 1;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,36 @@
|
||||
From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Thu, 24 Feb 2022 22:26:02 +0100
|
||||
Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file
|
||||
with multiple IFD in memory-mapped mode and when bit reversal is needed
|
||||
(fixes #385)
|
||||
|
||||
(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067)
|
||||
---
|
||||
libtiff/tif_jbig.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
|
||||
index 8136c77b..698428f0 100644
|
||||
--- a/libtiff/tif_jbig.c
|
||||
+++ b/libtiff/tif_jbig.c
|
||||
@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
|
||||
*/
|
||||
tif->tif_flags |= TIFF_NOBITREV;
|
||||
tif->tif_flags &= ~TIFF_MAPPED;
|
||||
+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
|
||||
+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
|
||||
+ * value to be consistent with the state of a non-memory mapped file.
|
||||
+ */
|
||||
+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
|
||||
+ tif->tif_rawdata = NULL;
|
||||
+ tif->tif_rawdatasize = 0;
|
||||
+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
|
||||
+ tif->tif_flags |= TIFF_MYBUFFER;
|
||||
+ }
|
||||
|
||||
/* Setup the function pointers for encode, decode, and cleanup. */
|
||||
tif->tif_setupdecode = JBIGSetupDecode;
|
||||
--
|
||||
2.34.1
|
||||
|
201
0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
Normal file
201
0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
Normal file
@ -0,0 +1,201 @@
|
||||
From 465c2d93e2a2d20ac4844ad0d98b35f00e8063fb Mon Sep 17 00:00:00 2001
|
||||
From: Su Laus <sulau@freenet.de>
|
||||
Date: Tue, 8 Mar 2022 17:02:44 +0000
|
||||
Subject: [PATCH] (CVE-2022-0891) tiffcrop: fix issue #380 and #382 heap buffer
|
||||
overflow in extractImageSection
|
||||
|
||||
(cherry picked from commit 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c)
|
||||
---
|
||||
tools/tiffcrop.c | 84 ++++++++++++++++++------------------------------
|
||||
1 file changed, 32 insertions(+), 52 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index a6129148..83cf80ad 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -6668,10 +6668,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
#ifdef DEVELMODE
|
||||
uint32 img_length;
|
||||
#endif
|
||||
- uint32 j, shift1, shift2, trailing_bits;
|
||||
+ uint32 j, shift1, trailing_bits;
|
||||
uint32 row, first_row, last_row, first_col, last_col;
|
||||
uint32 src_offset, dst_offset, row_offset, col_offset;
|
||||
- uint32 offset1, offset2, full_bytes;
|
||||
+ uint32 offset1, full_bytes;
|
||||
uint32 sect_width;
|
||||
#ifdef DEVELMODE
|
||||
uint32 sect_length;
|
||||
@@ -6681,7 +6681,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
#ifdef DEVELMODE
|
||||
int k;
|
||||
unsigned char bitset;
|
||||
- static char *bitarray = NULL;
|
||||
#endif
|
||||
|
||||
img_width = image->width;
|
||||
@@ -6699,17 +6698,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
dst_offset = 0;
|
||||
|
||||
#ifdef DEVELMODE
|
||||
- if (bitarray == NULL)
|
||||
- {
|
||||
- if ((bitarray = (char *)malloc(img_width)) == NULL)
|
||||
- {
|
||||
- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
|
||||
- return (-1);
|
||||
- }
|
||||
- }
|
||||
+ char bitarray[39];
|
||||
#endif
|
||||
|
||||
- /* rows, columns, width, length are expressed in pixels */
|
||||
+ /* rows, columns, width, length are expressed in pixels
|
||||
+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
|
||||
+ * last_col shall be also extracted. */
|
||||
first_row = section->y1;
|
||||
last_row = section->y2;
|
||||
first_col = section->x1;
|
||||
@@ -6719,9 +6713,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
#ifdef DEVELMODE
|
||||
sect_length = last_row - first_row + 1;
|
||||
#endif
|
||||
- img_rowsize = ((img_width * bps + 7) / 8) * spp;
|
||||
+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
|
||||
+ * samples rather than separate planes so the same logic works to extract regions
|
||||
+ * regardless of the way the data are organized in the input file.
|
||||
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
|
||||
+ */
|
||||
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
|
||||
full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
|
||||
- trailing_bits = (sect_width * bps) % 8;
|
||||
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
|
||||
|
||||
#ifdef DEVELMODE
|
||||
TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
|
||||
@@ -6734,10 +6733,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
|
||||
if ((bps % 8) == 0)
|
||||
{
|
||||
- col_offset = first_col * spp * bps / 8;
|
||||
+ col_offset = (first_col * spp * bps) / 8;
|
||||
for (row = first_row; row <= last_row; row++)
|
||||
{
|
||||
- /* row_offset = row * img_width * spp * bps / 8; */
|
||||
row_offset = row * img_rowsize;
|
||||
src_offset = row_offset + col_offset;
|
||||
|
||||
@@ -6750,14 +6748,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
}
|
||||
else
|
||||
{ /* bps != 8 */
|
||||
- shift1 = spp * ((first_col * bps) % 8);
|
||||
- shift2 = spp * ((last_col * bps) % 8);
|
||||
+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
|
||||
for (row = first_row; row <= last_row; row++)
|
||||
{
|
||||
/* pull out the first byte */
|
||||
row_offset = row * img_rowsize;
|
||||
- offset1 = row_offset + (first_col * bps / 8);
|
||||
- offset2 = row_offset + (last_col * bps / 8);
|
||||
+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
|
||||
|
||||
#ifdef DEVELMODE
|
||||
for (j = 0, k = 7; j < 8; j++, k--)
|
||||
@@ -6769,12 +6765,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
sprintf(&bitarray[9], " ");
|
||||
for (j = 10, k = 7; j < 18; j++, k--)
|
||||
{
|
||||
- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
|
||||
+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
|
||||
sprintf(&bitarray[j], (bitset) ? "1" : "0");
|
||||
}
|
||||
bitarray[18] = '\0';
|
||||
- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n",
|
||||
- row, offset1, shift1, offset2, shift2);
|
||||
+ TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Trailing_bits: %d\n",
|
||||
+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
|
||||
#endif
|
||||
|
||||
bytebuff1 = bytebuff2 = 0;
|
||||
@@ -6798,11 +6794,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
|
||||
if (trailing_bits != 0)
|
||||
{
|
||||
- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
|
||||
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
|
||||
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
|
||||
sect_buff[dst_offset] = bytebuff2;
|
||||
#ifdef DEVELMODE
|
||||
TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n",
|
||||
- offset2, dst_offset);
|
||||
+ offset1 + full_bytes, dst_offset);
|
||||
for (j = 30, k = 7; j < 38; j++, k--)
|
||||
{
|
||||
bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
|
||||
@@ -6821,8 +6818,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
#endif
|
||||
for (j = 0; j <= full_bytes; j++)
|
||||
{
|
||||
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
|
||||
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
|
||||
bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
|
||||
- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
|
||||
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
|
||||
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
|
||||
}
|
||||
#ifdef DEVELMODE
|
||||
@@ -6838,35 +6837,16 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||
#endif
|
||||
dst_offset += full_bytes;
|
||||
|
||||
+ /* Copy the trailing_bits for the last byte in the destination buffer.
|
||||
+ Could come from one ore two bytes of the source buffer. */
|
||||
if (trailing_bits != 0)
|
||||
{
|
||||
#ifdef DEVELMODE
|
||||
- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset);
|
||||
-#endif
|
||||
- if (shift2 > shift1)
|
||||
- {
|
||||
- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
|
||||
- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
|
||||
- sect_buff[dst_offset] = bytebuff2;
|
||||
-#ifdef DEVELMODE
|
||||
- TIFFError ("", " Shift2 > Shift1\n");
|
||||
+ TIFFError("", " Trailing bits %4d src offset: %8d, Dst offset: %8d\n", trailing_bits, offset1 + full_bytes, dst_offset);
|
||||
#endif
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- if (shift2 < shift1)
|
||||
- {
|
||||
- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
|
||||
- sect_buff[dst_offset] &= bytebuff2;
|
||||
-#ifdef DEVELMODE
|
||||
- TIFFError ("", " Shift2 < Shift1\n");
|
||||
-#endif
|
||||
- }
|
||||
-#ifdef DEVELMODE
|
||||
- else
|
||||
- TIFFError ("", " Shift2 == Shift1\n");
|
||||
-#endif
|
||||
- }
|
||||
+ /* More than necessary bits are already copied into last destination buffer,
|
||||
+ * only masking of last byte in destination buffer is necessary.*/
|
||||
+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
|
||||
}
|
||||
#ifdef DEVELMODE
|
||||
sprintf(&bitarray[28], " ");
|
||||
@@ -7020,7 +7000,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
|
||||
width = sections[i].x2 - sections[i].x1 + 1;
|
||||
length = sections[i].y2 - sections[i].y1 + 1;
|
||||
sectsize = (uint32)
|
||||
- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
|
||||
+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
|
||||
/* allocate a buffer if we don't have one already */
|
||||
if (createImageSection(sectsize, sect_buff_ptr))
|
||||
{
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,54 @@
|
||||
From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001
|
||||
From: 4ugustus <wangdw.augustus@qq.com>
|
||||
Date: Thu, 10 Mar 2022 08:48:00 +0000
|
||||
Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278)
|
||||
|
||||
(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a)
|
||||
---
|
||||
tools/tiffcp.c | 17 ++++++++++++++++-
|
||||
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||
index 96f14728..d5f1d248 100644
|
||||
--- a/tools/tiffcp.c
|
||||
+++ b/tools/tiffcp.c
|
||||
@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
|
||||
tdata_t obuf;
|
||||
tstrip_t strip = 0;
|
||||
tsample_t s;
|
||||
+ uint16 bps = 0, bytes_per_sample;
|
||||
|
||||
obuf = _TIFFmalloc(stripsize);
|
||||
if (obuf == NULL)
|
||||
return (0);
|
||||
_TIFFmemset(obuf, 0, stripsize);
|
||||
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
|
||||
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
|
||||
+ if( bps == 0 )
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
|
||||
+ _TIFFfree(obuf);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if( (bps % 8) != 0 )
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
|
||||
+ _TIFFfree(obuf);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ bytes_per_sample = bps/8;
|
||||
for (s = 0; s < spp; s++) {
|
||||
uint32 row;
|
||||
for (row = 0; row < imagelength; row += rowsperstrip) {
|
||||
@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
|
||||
|
||||
cpContigBufToSeparateBuf(
|
||||
obuf, (uint8*) buf + row*rowsize + s,
|
||||
- nrows, imagewidth, 0, 0, spp, 1);
|
||||
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
|
||||
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
|
||||
TIFFError(TIFFFileName(out),
|
||||
"Error, can't write strip %u",
|
||||
--
|
||||
2.34.1
|
||||
|
33
0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
Normal file
33
0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From fb2bd72a49496d10c4860102b7c26b9bc8adff70 Mon Sep 17 00:00:00 2001
|
||||
From: 4ugustus <wangdw.augustus@qq.com>
|
||||
Date: Tue, 8 Mar 2022 16:22:04 +0000
|
||||
Subject: [PATCH] (CVE-2022-0909) fix the FPE in tiffcrop (#393)
|
||||
|
||||
(cherry picked from commit 32ea0722ee68f503b7a3f9b2d557acb293fc8cde)
|
||||
---
|
||||
libtiff/tif_dir.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||
index c36a5f3f..f126f2aa 100644
|
||||
--- a/libtiff/tif_dir.c
|
||||
+++ b/libtiff/tif_dir.c
|
||||
@@ -320,13 +320,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
break;
|
||||
case TIFFTAG_XRESOLUTION:
|
||||
dblval = va_arg(ap, double);
|
||||
- if( dblval < 0 )
|
||||
+ if( dblval != dblval || dblval < 0 )
|
||||
goto badvaluedouble;
|
||||
td->td_xresolution = TIFFClampDoubleToFloat( dblval );
|
||||
break;
|
||||
case TIFFTAG_YRESOLUTION:
|
||||
dblval = va_arg(ap, double);
|
||||
- if( dblval < 0 )
|
||||
+ if( dblval != dblval || dblval < 0 )
|
||||
goto badvaluedouble;
|
||||
td->td_yresolution = TIFFClampDoubleToFloat( dblval );
|
||||
break;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,30 @@
|
||||
From e1ee7d9aa1936d5d2f8c7e1a453ad669ed6b38dd Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Thu, 17 Feb 2022 15:28:43 +0100
|
||||
Subject: [PATCH] (CVE-2022-0908) TIFFFetchNormalTag(): avoid calling memcpy()
|
||||
with a null source pointer and size of zero (fixes #383)
|
||||
|
||||
(cherry picked from commit a95b799f65064e4ba2e2dfc206808f86faf93e85)
|
||||
---
|
||||
libtiff/tif_dirread.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||
index d68aecc5..b72e6a3b 100644
|
||||
--- a/libtiff/tif_dirread.c
|
||||
+++ b/libtiff/tif_dirread.c
|
||||
@@ -4972,7 +4972,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
|
||||
_TIFFfree(data);
|
||||
return(0);
|
||||
}
|
||||
- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
|
||||
+ if (dp->tdir_count > 0 )
|
||||
+ {
|
||||
+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
|
||||
+ }
|
||||
o[(uint32)dp->tdir_count]=0;
|
||||
if (data!=0)
|
||||
_TIFFfree(data);
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,58 @@
|
||||
From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001
|
||||
From: Su_Laus <sulau@freenet.de>
|
||||
Date: Sat, 2 Apr 2022 22:33:31 +0200
|
||||
Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode"
|
||||
string (fixes #400)
|
||||
|
||||
(cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96)
|
||||
---
|
||||
tools/tiffcp.c | 25 ++++++++++++++++++++-----
|
||||
1 file changed, 20 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||
index d5f1d248..fb98bd57 100644
|
||||
--- a/tools/tiffcp.c
|
||||
+++ b/tools/tiffcp.c
|
||||
@@ -249,19 +249,34 @@ main(int argc, char* argv[])
|
||||
deftilewidth = atoi(optarg);
|
||||
break;
|
||||
case 'B':
|
||||
- *mp++ = 'b'; *mp = '\0';
|
||||
+ if (strlen(mode) < (sizeof(mode) - 1))
|
||||
+ {
|
||||
+ *mp++ = 'b'; *mp = '\0';
|
||||
+ }
|
||||
break;
|
||||
case 'L':
|
||||
- *mp++ = 'l'; *mp = '\0';
|
||||
+ if (strlen(mode) < (sizeof(mode) - 1))
|
||||
+ {
|
||||
+ *mp++ = 'l'; *mp = '\0';
|
||||
+ }
|
||||
break;
|
||||
case 'M':
|
||||
- *mp++ = 'm'; *mp = '\0';
|
||||
+ if (strlen(mode) < (sizeof(mode) - 1))
|
||||
+ {
|
||||
+ *mp++ = 'm'; *mp = '\0';
|
||||
+ }
|
||||
break;
|
||||
case 'C':
|
||||
- *mp++ = 'c'; *mp = '\0';
|
||||
+ if (strlen(mode) < (sizeof(mode) - 1))
|
||||
+ {
|
||||
+ *mp++ = 'c'; *mp = '\0';
|
||||
+ }
|
||||
break;
|
||||
case '8':
|
||||
- *mp++ = '8'; *mp = '\0';
|
||||
+ if (strlen(mode) < (sizeof(mode)-1))
|
||||
+ {
|
||||
+ *mp++ = '8'; *mp = '\0';
|
||||
+ }
|
||||
break;
|
||||
case 'x':
|
||||
pageInSeq = 1;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,31 +0,0 @@
|
||||
Back off the minimum required automake version to 1.11. There isn't
|
||||
anything in libtiff currently that actually requires 1.12, and changing
|
||||
this allows the package to be built on pre-F18 machines for easier testing.
|
||||
|
||||
This patch can go away once we no longer care about testing on pre-F18.
|
||||
|
||||
|
||||
diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
|
||||
--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400
|
||||
+++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400
|
||||
@@ -25,7 +25,7 @@
|
||||
|
||||
docdir = $(LIBTIFF_DOCDIR)
|
||||
|
||||
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
|
||||
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
|
||||
ACLOCAL_AMFLAGS = -I m4
|
||||
|
||||
docfiles = \
|
||||
diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
|
||||
--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400
|
||||
+++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
# Process this file with automake to produce Makefile.in.
|
||||
|
||||
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
|
||||
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
|
||||
|
||||
LIBTIFF = $(top_builddir)/libtiff/libtiff.la
|
||||
|
@ -1,42 +0,0 @@
|
||||
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
||||
index 81ffa3d..a02e865 100644
|
||||
--- a/tools/ppm2tiff.c
|
||||
+++ b/tools/ppm2tiff.c
|
||||
@@ -285,6 +285,8 @@ main(int argc, char* argv[])
|
||||
if (TIFFWriteScanline(out, buf, row, 0) < 0)
|
||||
break;
|
||||
}
|
||||
+ if (in != stdin)
|
||||
+ fclose(in);
|
||||
(void) TIFFClose(out);
|
||||
if (buf)
|
||||
_TIFFfree(buf);
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index bd23c9e..a15a3ef 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
|
||||
"for t2p_readwrite_pdf_image_tile, %s",
|
||||
(unsigned long) t2p->tiff_datasize,
|
||||
TIFFFileName(input));
|
||||
+ _TIFFfree(buffer);
|
||||
t2p->t2p_error = T2P_ERR_ERROR;
|
||||
return(0);
|
||||
}
|
||||
@@ -3747,11 +3748,11 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount)
|
||||
{
|
||||
uint32 i;
|
||||
|
||||
- /* For the 3 first samples, there is overlapping between souce and
|
||||
- destination, so use memmove().
|
||||
- See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
|
||||
- for(i = 0; i < 3 && i < samplecount; i++)
|
||||
- memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
||||
+ /* For the 3 first samples, there is overlapping between souce and
|
||||
+ destination, so use memmove().
|
||||
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
|
||||
+ for(i = 0; i < 3 && i < samplecount; i++)
|
||||
+ memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
||||
for(; i < samplecount; i++)
|
||||
memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
||||
|
@ -1,12 +0,0 @@
|
||||
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
|
||||
index 587296c..696005e 100644
|
||||
--- a/html/man/Makefile.am
|
||||
+++ b/html/man/Makefile.am
|
||||
@@ -92,7 +92,6 @@ docfiles = \
|
||||
tiffcrop.1.html \
|
||||
tiffdither.1.html \
|
||||
tiffdump.1.html \
|
||||
- tiffgt.1.html \
|
||||
tiffinfo.1.html \
|
||||
tiffmedian.1.html \
|
||||
tiffset.1.html \
|
81
libtiff.spec
81
libtiff.spec
@ -1,32 +1,46 @@
|
||||
Summary: Library of functions for manipulating TIFF format image files
|
||||
Name: libtiff
|
||||
Version: 4.0.9
|
||||
Release: 21%{?dist}
|
||||
Release: 23%{?dist}
|
||||
License: libtiff
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.simplesystems.org/libtiff/
|
||||
|
||||
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
|
||||
|
||||
Patch0: libtiff-am-version.patch
|
||||
Patch1: libtiff-make-check.patch
|
||||
Patch2: libtiff-CVE-2018-5784.patch
|
||||
Patch3: libtiff-CVE-2018-7456.patch
|
||||
Patch4: libtiff-CVE-2017-9935.patch
|
||||
Patch5: libtiff-CVE-2017-18013.patch
|
||||
Patch6: libtiff-CVE-2018-8905.patch
|
||||
Patch7: libtiff-CVE-2018-10963.patch
|
||||
Patch8: libtiff-CVE-2018-17100.patch
|
||||
Patch9: libtiff-coverity.patch
|
||||
Patch10: libtiff-CVE-2018-18557.patch
|
||||
Patch11: libtiff-CVE-2018-18661.patch
|
||||
Patch12: libtiff-CVE-2018-12900.patch
|
||||
Patch13: libtiff-CVE-2019-14973.patch
|
||||
Patch14: libtiff-CVE-2019-17546.patch
|
||||
Patch15: libtiff-CVE-2020-35521_CVE-2020-35522.patch
|
||||
Patch16: libtiff-CVE-2020-35523.patch
|
||||
Patch17: libtiff-CVE-2020-35524.patch
|
||||
Patch18: libtiff-CVE-2020-19131.patch
|
||||
|
||||
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0
|
||||
# Patches were generated by: git format-patch -N ...
|
||||
Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
|
||||
Patch0002: 0002-Fix-Makefile.patch
|
||||
Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch
|
||||
Patch0004: 0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
|
||||
Patch0005: 0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
|
||||
Patch0006: 0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
|
||||
Patch0007: 0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
|
||||
Patch0008: 0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
|
||||
Patch0009: 0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
|
||||
Patch0010: 0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
|
||||
Patch0011: 0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
|
||||
Patch0012: 0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
|
||||
Patch0013: 0013-bz1602597-Fix-two-resource-leaks.patch
|
||||
Patch0014: 0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
|
||||
Patch0015: 0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
|
||||
Patch0016: 0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
|
||||
Patch0017: 0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
|
||||
Patch0018: 0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
|
||||
Patch0019: 0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
|
||||
Patch0020: 0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
|
||||
Patch0021: 0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
|
||||
Patch0022: 0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
|
||||
Patch0023: 0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
|
||||
Patch0024: 0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
|
||||
Patch0025: 0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
|
||||
Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
|
||||
Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
|
||||
Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
|
||||
Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
|
||||
|
||||
|
||||
BuildRequires: gcc, gcc-c++
|
||||
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
|
||||
@ -76,27 +90,7 @@ This package contains command-line programs for manipulating TIFF format
|
||||
image files using the libtiff library.
|
||||
|
||||
%prep
|
||||
%setup -q -n tiff-%{version}
|
||||
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%autosetup -p1 -n tiff-%{version}
|
||||
|
||||
# Use build system's libtool.m4, not the one in the package.
|
||||
rm -f libtool.m4
|
||||
@ -200,6 +194,11 @@ find html -name 'Makefile*' | xargs rm
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23
|
||||
- Fix various CVEs
|
||||
- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865
|
||||
CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355
|
||||
|
||||
* Wed Sep 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-21
|
||||
- Fix CVE-2020-19131 (#2006535)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user