diff --git a/libtiff-jpeg-scanline.patch b/libtiff-jpeg-scanline.patch index 95ba5ea..7289e7b 100644 --- a/libtiff-jpeg-scanline.patch +++ b/libtiff-jpeg-scanline.patch @@ -1,10 +1,29 @@ -Upstream patch that partially fixes bug #460322. The tiffcmp case is -still there, but this is a step forward anyhow, so going with it for now. +Upstream patch for tiff2ps core dump noted in bug #460322. (Note that +the tiffcmp crash mentioned there is really a different bug.) +Now also incorporating Adam Goode's patch for bug #552360. See +http://bugzilla.maptools.org/show_bug.cgi?id=1936 +diff -Naur tiff-3.9.2.orig/libtiff/tif_dir.c tiff-3.9.2/libtiff/tif_dir.c +--- tiff-3.9.2.orig/libtiff/tif_dir.c 2008-12-31 19:10:43.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_dir.c 2010-01-05 19:59:12.000000000 -0500 +@@ -1100,6 +1100,13 @@ + */ + tif->tif_flags &= ~TIFF_ISTILED; + ++ /* ++ * Clear other directory-specific fields. ++ */ ++ tif->tif_tilesize = 0; ++ tif->tif_scanlinesize = 0; ++ ++ + return (1); + } + diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c --- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400 -+++ tiff-3.9.2/libtiff/tif_jpeg.c 2009-12-05 16:48:56.000000000 -0500 ++++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 19:59:12.000000000 -0500 @@ -1613,7 +1613,11 @@ * Must recalculate cached tile size in case sampling state changed. * Should we really be doing this now if image size isn't set? diff --git a/libtiff-scanlinesize.patch b/libtiff-scanlinesize.patch new file mode 100644 index 0000000..57fe809 --- /dev/null +++ b/libtiff-scanlinesize.patch 
@@ -0,0 +1,72 @@
+Partial fix for issues filed upstream at
+http://bugzilla.maptools.org/show_bug.cgi?id=2140
+This stops the tiffcmp core dump noted in bug #460322, but isn't enough
+to make tiffcmp return the right answer (it emits a bunch of error
+messages instead).
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
+--- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500
+@@ -988,8 +988,15 @@
+ tsize_t nrows;
+ (void) s;
+
+- /* data is expected to be read in multiples of a scanline */
+- if ( (nrows = sp->cinfo.d.image_height) ) {
++ nrows = cc / sp->bytesperline;
++ if (cc % sp->bytesperline)
++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
++
++ if( nrows > (int) sp->cinfo.d.image_height )
++ nrows = sp->cinfo.d.image_height;
++
++ /* data is expected to be read in multiples of a scanline */
++ if (nrows) {
+ /* Cb,Cr both have sampling factors 1, so this is correct */
+ JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
+ int samples_per_clump = sp->samplesperclump;
+@@ -1087,8 +1094,7 @@
+ * TODO: resolve this */
+ buf += sp->bytesperline;
+ cc -= sp->bytesperline;
+- nrows -= sp->v_sampling;
+- } while (nrows > 0);
++ } while (--nrows > 0);
+
+ #ifdef JPEG_LIB_MK1
+ _TIFFfree(tmpbuf);
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500
+@@ -238,23 +238,19 @@
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
+
+- if (ycbcrsubsampling[0] == 0) {
++ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Invalid YCbCr subsampling");
+ return 0;
+ }
+
+- scanline = TIFFroundup(td->td_imagewidth,
++ /* number of sample clumps per line */
++ scanline = TIFFhowmany(td->td_imagewidth,
+ ycbcrsubsampling[0]);
+- scanline = TIFFhowmany8(multiply(tif, scanline,
+- td->td_bitspersample,
+- "TIFFScanlineSize"));
+- return ((tsize_t)
+- summarize(tif, scanline,
+- multiply(tif, 2,
+- scanline / ycbcrsubsampling[0],
+- "TIFFVStripSize"),
+- "TIFFVStripSize"));
++ /* number of samples per line */
++ scanline = multiply(tif, scanline,
++ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
++ "TIFFScanlineSize");
+ } else {
+ scanline = multiply(tif, td->td_imagewidth,
+ td->td_samplesperpixel,
diff --git a/libtiff.spec b/libtiff.spec index 571184a..2129ff0 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 3.9.2 -Release: 2%{?dist} +Release: 3%{?dist} License: libtiff Group: System Environment/Libraries @@ -12,6 +12,7 @@ Patch1: libtiff-acversion.patch Patch2: libtiff-mantypo.patch Patch3: libtiff-CVE-2009-2347.patch Patch4: libtiff-jpeg-scanline.patch +Patch5: libtiff-scanlinesize.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: zlib-devel libjpeg-devel @@ -68,6 +69,7 @@ image files using the libtiff library. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -179,6 +181,14 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/* %changelog +* Tue Jan 5 2010 Tom Lane 3.9.2-3 +- Apply Adam Goode's fix for Warmerdam's fix +Resolves: #552360 +Resolves: #533353 +- Add some defenses to prevent tiffcmp from crashing on downsampled JPEG + images; this isn't enough to make it really work correctly though +Related: #460322 + * Wed Dec 16 2009 Tom Lane 3.9.2-2 - Apply Warmerdam's partial fix for bug #460322 ... better than nothing. Related: #460322
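Review bot: In libtiff-scanlinesize.patch, the tif_jpeg.c hunk at 988 divides by `sp->bytesperline` (`nrows = cc / sp->bytesperline;` and the `cc % sp->bytesperline` test) without first checking that it is positive. The tif_strip.c hunk in the same patch shows the size routine labelled "TIFFScanlineSize" returning 0 on invalid subsampling, so if `bytesperline` is derived from that value a malformed image could reach the division with a zero divisor. A guard ahead of it, such as `if (sp->bytesperline <= 0) return 0;`, would close this; the enclosing function starts and ends outside the hunk, so confirm that 0 is its failure return. Separately, `if (nrows)` is also true for a negative count when `cc` is negative, and the do/while would then still copy one row into `buf`; `if (nrows > 0)` is the safer test. In the tif_strip.c hunk the subsampling factors are rejected only when zero, so if they come straight from the file it would be worth limiting them to the values the format permits before `ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2` is computed.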