Fix assorted issues around downsampled JPEG files

2010-01-06 04:31:25 +00:00 · 2010-01-06 04:31:25 +00:00 · 578a0a9fca
commit 578a0a9fca
parent 7457001209
3 changed files with 105 additions and 4 deletions
--- a/libtiff-jpeg-scanline.patch
+++ b/libtiff-jpeg-scanline.patch
@ -1,10 +1,29 @@
-Upstream patch that partially fixes bug #460322.  The tiffcmp case is
-still there, but this is a step forward anyhow, so going with it for now.
+Upstream patch for tiff2ps core dump noted in bug #460322.  (Note that
+the tiffcmp crash mentioned there is really a different bug.)
+Now also incorporating Adam Goode's patch for bug #552360.  See
+http://bugzilla.maptools.org/show_bug.cgi?id=1936


+diff -Naur tiff-3.9.2.orig/libtiff/tif_dir.c tiff-3.9.2/libtiff/tif_dir.c
+--- tiff-3.9.2.orig/libtiff/tif_dir.c	2008-12-31 19:10:43.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_dir.c	2010-01-05 19:59:12.000000000 -0500
+@@ -1100,6 +1100,13 @@
+ 	 */
+ 	tif->tif_flags &= ~TIFF_ISTILED;
+ 
+	/*
+	 * Clear other directory-specific fields.
+	 */
+	tif->tif_tilesize = 0;
+	tif->tif_scanlinesize = 0;
+	
+
+ 	return (1);
+ }
+ 
 diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
 --- tiff-3.9.2.orig/libtiff/tif_jpeg.c	2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_jpeg.c	2009-12-05 16:48:56.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_jpeg.c	2010-01-05 19:59:12.000000000 -0500
@@ -1613,7 +1613,11 @@
 	 * Must recalculate cached tile size in case sampling state changed.
 	 * Should we really be doing this now if image size isn't set? 
--- a/libtiff-scanlinesize.patch
+++ b/libtiff-scanlinesize.patch
@ -0,0 +1,72 @@
+Partial fix for issues filed upstream at
+http://bugzilla.maptools.org/show_bug.cgi?id=2140
+This stops the tiffcmp core dump noted in bug #460322, but isn't enough
+to make tiffcmp return the right answer (it emits a bunch of error
+messages instead).
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
+--- tiff-3.9.2.orig/libtiff/tif_jpeg.c	2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_jpeg.c	2010-01-05 22:40:40.000000000 -0500
+@@ -988,8 +988,15 @@
+ 	tsize_t nrows;
+ 	(void) s;
+ 
+-	/* data is expected to be read in multiples of a scanline */
+-	if ( (nrows = sp->cinfo.d.image_height) ) {
+    nrows = cc / sp->bytesperline;
+    if (cc % sp->bytesperline)
+		TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
+
+    if( nrows > (int) sp->cinfo.d.image_height )
+        nrows = sp->cinfo.d.image_height;
+
+    /* data is expected to be read in multiples of a scanline */
+    if (nrows) {
+ 		/* Cb,Cr both have sampling factors 1, so this is correct */
+ 		JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;            
+ 		int samples_per_clump = sp->samplesperclump;
+@@ -1087,8 +1094,7 @@
+ 			 * TODO: resolve this */
+ 			buf += sp->bytesperline;
+ 			cc -= sp->bytesperline;
+-			nrows -= sp->v_sampling;
+-		} while (nrows > 0);
+		} while (--nrows > 0);
+ 
+ #ifdef JPEG_LIB_MK1
+ 		_TIFFfree(tmpbuf);
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c	2006-03-25 13:04:35.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_strip.c	2010-01-05 21:39:20.000000000 -0500
+@@ -238,23 +238,19 @@
+ 				     ycbcrsubsampling + 0,
+ 				     ycbcrsubsampling + 1);
+ 
+-			if (ycbcrsubsampling[0] == 0) {
+			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ 					     "Invalid YCbCr subsampling");
+ 				return 0;
+ 			}
+ 
+-			scanline = TIFFroundup(td->td_imagewidth,
+			/* number of sample clumps per line */
+			scanline = TIFFhowmany(td->td_imagewidth,
+ 					       ycbcrsubsampling[0]);
+-			scanline = TIFFhowmany8(multiply(tif, scanline,
+-							 td->td_bitspersample,
+-							 "TIFFScanlineSize"));
+-			return ((tsize_t)
+-				summarize(tif, scanline,
+-					  multiply(tif, 2,
+-						scanline / ycbcrsubsampling[0],
+-						"TIFFVStripSize"),
+-					  "TIFFVStripSize"));
+			/* number of samples per line */
+			scanline = multiply(tif, scanline,
+					    ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
+					    "TIFFScanlineSize");
+ 		} else {
+ 			scanline = multiply(tif, td->td_imagewidth,
+ 					    td->td_samplesperpixel,
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 3.9.2
-Release: 2%{?dist}
+Release: 3%{?dist}

 License: libtiff
 Group: System Environment/Libraries
@ -12,6 +12,7 @@ Patch1: libtiff-acversion.patch
 Patch2: libtiff-mantypo.patch
 Patch3: libtiff-CVE-2009-2347.patch
 Patch4: libtiff-jpeg-scanline.patch
+Patch5: libtiff-scanlinesize.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@ -68,6 +69,7 @@ image files using the libtiff library.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -179,6 +181,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/*

 %changelog
+* Tue Jan  5 2010 Tom Lane <tgl@redhat.com> 3.9.2-3
+- Apply Adam Goode's fix for Warmerdam's fix
+Resolves: #552360
+Resolves: #533353
+- Add some defenses to prevent tiffcmp from crashing on downsampled JPEG
+  images; this isn't enough to make it really work correctly though
+Related: #460322
+
 * Wed Dec 16 2009 Tom Lane <tgl@redhat.com> 3.9.2-2
 - Apply Warmerdam's partial fix for bug #460322 ... better than nothing.
 Related: #460322