From 8a8bf6704497c5165ec5233eb1b8ce8992173d94 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Tue, 22 Jun 2010 23:51:29 +0000
Subject: [PATCH] Update to libtiff 3.9.4, and fix assorted crashing bugs
---
.cvsignore | 2 +-
libtiff-3samples.patch | 21 ++++++++
libtiff-CVE-2009-2347.patch | 93 ------------------------------------
libtiff-acversion.patch | 8 ++--
libtiff-checkbytecount.patch | 48 +++++++++++++++++++
libtiff-getimage-64bit.patch | 48 +++++++++++++++++++
libtiff-jpeg-scanline.patch | 62 ------------------------
libtiff-subsampling.patch | 51 ++++++++++++++++++++
libtiff-tiffdump.patch | 35 ++++++++++++++
libtiff-unknown-fix.patch | 47 ++++++++++++++++++
libtiff-ycbcr-clamp.patch | 35 ++++++++++++++
libtiff.spec | 29 +++++++++--
sources | 2 +-
13 files changed, 315 insertions(+), 166 deletions(-)
create mode 100644 libtiff-3samples.patch
delete mode 100644 libtiff-CVE-2009-2347.patch
create mode 100644 libtiff-checkbytecount.patch
create mode 100644 libtiff-getimage-64bit.patch
delete mode 100644 libtiff-jpeg-scanline.patch
create mode 100644 libtiff-subsampling.patch
create mode 100644 libtiff-tiffdump.patch
create mode 100644 libtiff-unknown-fix.patch
create mode 100644 libtiff-ycbcr-clamp.patch
diff --git a/.cvsignore b/.cvsignore
index 70fb369..37e1552 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-tiff-3.9.2.tar.gz
+tiff-3.9.4.tar.gz
diff --git a/libtiff-3samples.patch b/libtiff-3samples.patch
new file mode 100644
index 0000000..c305bd0
--- /dev/null
+++ b/libtiff-3samples.patch
@@ -0,0 +1,21 @@
+Patch for bug #603081: failure to guard against bogus SamplesPerPixel
+when converting a YCbCr image to RGB.
+
+This patch duplicates into PickContigCase() a safety check that already
+existed in PickSeparateCase().
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400
+@@ -2397,7 +2397,7 @@
+ }
+ break;
+ case PHOTOMETRIC_YCBCR:
+- if (img->bitspersample == 8)
++ if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ {
+ if (initYCbCrConversion(img)!=0)
+ {
diff --git a/libtiff-CVE-2009-2347.patch b/libtiff-CVE-2009-2347.patch
deleted file mode 100644
index 0a97da2..0000000
--- a/libtiff-CVE-2009-2347.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-This is a portion of the patch we were carrying for CVE-2009-2347 in 3.8.2.
-Unfortunately the upstream fix in 3.9.2 is incomplete, so we still need this
-part. Reported upstream at
-http://bugzilla.maptools.org/show_bug.cgi?id=2079
-
-
-diff -Naur tiff-3.9.2.orig/tools/tiff2rgba.c tiff-3.9.2/tools/tiff2rgba.c
---- tiff-3.9.2.orig/tools/tiff2rgba.c 2009-08-20 16:23:53.000000000 -0400
-+++ tiff-3.9.2/tools/tiff2rgba.c 2009-12-03 12:19:07.000000000 -0500
-@@ -125,6 +125,17 @@
- return (0);
- }
-
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t prod = m1 * m2;
-+
-+ if (m1 && prod / m1 != m2)
-+ prod = 0; /* overflow */
-+
-+ return prod;
-+}
-+
- static int
- cvt_by_tile( TIFF *in, TIFF *out )
-
-@@ -134,6 +145,7 @@
- uint32 tile_width, tile_height;
- uint32 row, col;
- uint32 *wrk_line;
-+ tsize_t raster_size;
- int ok = 1;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -151,7 +163,14 @@
- /*
- * Allocate tile buffer
- */
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) tile_width, (unsigned long) tile_height);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -159,7 +178,7 @@
-
- /*
- * Allocate a scanline buffer for swapping during the vertical
-- * mirroring pass.
-+ * mirroring pass. (Request can't overflow given prior checks.)
- */
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
- if (!wrk_line) {
-@@ -236,6 +255,7 @@
- uint32 width, height; /* image width & height */
- uint32 row;
- uint32 *wrk_line;
-+ tsize_t raster_size;
- int ok = 1;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -251,7 +271,14 @@
- /*
- * Allocate strip buffer
- */
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) width, (unsigned long) rowsperstrip);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -259,7 +286,7 @@
-
- /*
- * Allocate a scanline buffer for swapping during the vertical
-- * mirroring pass.
-+ * mirroring pass. (Request can't overflow given prior checks.)
- */
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
- if (!wrk_line) {
diff --git a/libtiff-acversion.patch b/libtiff-acversion.patch
index 60920dc..fc3a136 100644
--- a/libtiff-acversion.patch
+++ b/libtiff-acversion.patch
@@ -2,15 +2,15 @@ This patch is needed for building the package as of F-11. It can be dropped whenever autoconf 2.63 is no longer used on any live branch. -diff -Naur tiff-3.9.2.orig/configure.ac tiff-3.9.2/configure.ac ---- tiff-3.9.2.orig/configure.ac 2009-11-04 12:11:20.000000000 -0500 -+++ tiff-3.9.2/configure.ac 2009-12-03 12:52:41.000000000 -0500 +diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac +--- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400 ++++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400
@@ -24,7 +24,7 @@ dnl Process this file with autoconf to produce a configure script. -AC_PREREQ(2.64) +AC_PREREQ(2.63) - AC_INIT([LibTIFF Software],[3.9.2],[tiff@lists.maptools.org],[tiff]) + AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff]) AC_CONFIG_AUX_DIR(config) AC_CONFIG_MACRO_DIR(m4)
diff --git a/libtiff-checkbytecount.patch b/libtiff-checkbytecount.patch
new file mode 100644
index 0000000..ecd8a9f
--- /dev/null
+++ b/libtiff-checkbytecount.patch
@@ -0,0 +1,48 @@
+Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
+missing strip byte counts too. Testing shows that tiffsplit.c has an issue
+too.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
+--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400
+@@ -1920,6 +1920,10 @@
+ sp->in_buffer_file_pos=0;
+ else
+ {
++ if (sp->tif->tif_dir.td_stripbytecount == 0) {
++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
++ return(0);
++ }
+ sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
+ if (sp->in_buffer_file_togo==0)
+ sp->in_buffer_file_pos=0;
+diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
+--- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400
+@@ -237,7 +237,10 @@
+ tstrip_t s, ns = TIFFNumberOfStrips(in);
+ uint32 *bytecounts;
+
+- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
++ return (0);
++ }
+ for (s = 0; s < ns; s++) {
+ if (bytecounts[s] > (uint32)bufsize) {
+ buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
+@@ -267,7 +270,10 @@
+ ttile_t t, nt = TIFFNumberOfTiles(in);
+ uint32 *bytecounts;
+
+- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
++ return (0);
++ }
+ for (t = 0; t < nt; t++) {
+ if (bytecounts[t] > (uint32) bufsize) {
+ buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);
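Review bot: In the tiffsplit.c part of this patch, both new early exits `return (0);` after a failed `TIFFGetField()` appear to leave `buf` allocated. The context lines directly below call `_TIFFrealloc(buf, ...)`, so `buf` seems to be obtained before this point, in a part of each function that the hunk does not show. If that is the case, release it on the error path in both the strip and the tile copy: `_TIFFfree(buf); return (0);`. Separately, the new tif_ojpeg.c guard checks that `td_stripbytecount` is non-null but not that `in_buffer_next_strile` is inside the array; whether that index is bounded elsewhere cannot be seen from here, so a comment naming where it is validated would help.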
diff --git a/libtiff-getimage-64bit.patch b/libtiff-getimage-64bit.patch
new file mode 100644
index 0000000..2f3d68e
--- /dev/null
+++ b/libtiff-getimage-64bit.patch
@@ -0,0 +1,48 @@
+Fix misbehavior on 64-bit machines when trying to flip a downsampled image
+vertically: unsigned ints will be widened to 64 bits the wrong way.
+See RH bug #583081.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400
+@@ -1846,6 +1846,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32* cp2;
++ int32 incr = 2*toskew+w;
+ (void) y;
+ fromskew = (fromskew / 2) * 6;
+ cp2 = cp+w+toskew;
+@@ -1872,8 +1873,8 @@
+ cp2 ++ ;
+ pp += 6;
+ }
+- cp += toskew*2+w;
+- cp2 += toskew*2+w;
++ cp += incr;
++ cp2 += incr;
+ pp += fromskew;
+ h-=2;
+ }
+@@ -1939,6 +1940,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32* cp2;
++ int32 incr = 2*toskew+w;
+ (void) y;
+ fromskew = (fromskew / 2) * 4;
+ cp2 = cp+w+toskew;
+@@ -1953,8 +1955,8 @@
+ cp2 ++;
+ pp += 4;
+ } while (--x);
+- cp += toskew*2+w;
+- cp2 += toskew*2+w;
++ cp += incr;
++ cp2 += incr;
+ pp += fromskew;
+ h-=2;
+ }
diff --git a/libtiff-jpeg-scanline.patch b/libtiff-jpeg-scanline.patch
deleted file mode 100644
index 7289e7b..0000000
--- a/libtiff-jpeg-scanline.patch
+++ /dev/null
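Review bot: `int32 incr = 2*toskew+w;` has no comment saying why the increment must be a signed 32-bit value, although in both putcontig8bitYCbCr22tile and putcontig8bitYCbCr12tile that declaration is the whole fix and a later cleanup could easily inline it again. If `w` is unsigned (the patch description implies so; its declaration is outside the hunk), the sum is still evaluated as unsigned and only turns negative through the conversion to `int32`, which is implementation-defined. I would write `int32 incr = 2*toskew + (int32)w;` and put a comment above it along the lines of `/* must be signed: per the bug report toskew is negative when flipping, and an unsigned sum would be zero-extended when added to a 64-bit pointer */`.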
@@ -1,62 +0,0 @@
-Upstream patch for tiff2ps core dump noted in bug #460322. (Note that
-the tiffcmp crash mentioned there is really a different bug.)
-Now also incorporating Adam Goode's patch for bug #552360. See
-http://bugzilla.maptools.org/show_bug.cgi?id=1936
-
-
-diff -Naur tiff-3.9.2.orig/libtiff/tif_dir.c tiff-3.9.2/libtiff/tif_dir.c
---- tiff-3.9.2.orig/libtiff/tif_dir.c 2008-12-31 19:10:43.000000000 -0500
-+++ tiff-3.9.2/libtiff/tif_dir.c 2010-01-05 19:59:12.000000000 -0500
-@@ -1100,6 +1100,13 @@
- */
- tif->tif_flags &= ~TIFF_ISTILED;
-
-+ /*
-+ * Clear other directory-specific fields.
-+ */
-+ tif->tif_tilesize = 0;
-+ tif->tif_scanlinesize = 0;
-+
-+
- return (1);
- }
-
-diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
---- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 19:59:12.000000000 -0500
-@@ -1613,7 +1613,11 @@
- * Must recalculate cached tile size in case sampling state changed.
- * Should we really be doing this now if image size isn't set?
- */
-- tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1;
-+ if( tif->tif_tilesize > 0 )
-+ tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1;
-+
-+ if(tif->tif_scanlinesize > 0 )
-+ tif->tif_scanlinesize = TIFFScanlineSize(tif);
- }
-
- static int
-@@ -1741,13 +1745,21 @@
- return;
- }
- else
-- {
-+ {
- if( !TIFFFillStrip( tif, 0 ) )
- return;
- }
-
- TIFFSetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
- (uint16) sp->h_sampling, (uint16) sp->v_sampling );
-+
-+ /*
-+ ** We want to clear the loaded strip so the application has time
-+ ** to set JPEGCOLORMODE or other behavior modifiers. This essentially
-+ ** undoes the JPEGPreDecode triggers by TIFFFileStrip(). (#1936)
-+ */
-+ tif->tif_curstrip = -1;
-+
- #endif /* CHECK_JPEG_YCBCR_SUBSAMPLING */
- }
-
diff --git a/libtiff-subsampling.patch b/libtiff-subsampling.patch
new file mode 100644
index 0000000..a44406b
--- /dev/null
+++ b/libtiff-subsampling.patch
@@ -0,0 +1,51 @@
+Use the spec-mandated default YCbCrSubSampling values in strip size
+calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
+See bug #603703.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215
+
+NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues.
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400
+@@ -124,9 +124,9 @@
+ uint16 ycbcrsubsampling[2];
+ tsize_t w, scanline, samplingarea;
+
+- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1 );
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
+ if (samplingarea == 0) {
+@@ -234,9 +234,9 @@
+ && !isUpSampled(tif)) {
+ uint16 ycbcrsubsampling[2];
+
+- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1);
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+@@ -308,9 +308,9 @@
+ && !isUpSampled(tif)) {
+ uint16 ycbcrsubsampling[2];
+
+- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1);
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
diff --git a/libtiff-tiffdump.patch b/libtiff-tiffdump.patch
new file mode 100644
index 0000000..cb77796
--- /dev/null
+++ b/libtiff-tiffdump.patch
@@ -0,0 +1,35 @@
+Make tiffdump more paranoid about checking the count field of a directory
+entry.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218
+
+
+diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
+--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400
+@@ -46,6 +46,7 @@
+ # include
+ #endif
+
++#include "tiffiop.h"
+ #include "tiffio.h"
+
+ #ifndef O_BINARY
+@@ -317,7 +318,7 @@
+ printf(">\n");
+ continue;
+ }
+- space = dp->tdir_count * datawidth[dp->tdir_type];
++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
+ if (space <= 0) {
+ printf(">\n");
+ Error("Invalid count for tag %u", dp->tdir_tag);
+@@ -709,7 +710,7 @@
+ w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
+ cc = dir->tdir_count * w;
+ if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
+- && read(fd, cp, cc) != -1) {
++ && read(fd, cp, cc) == cc) {
+ if (swabflag) {
+ switch (dir->tdir_type) {
+ case TIFF_SHORT:
diff --git a/libtiff-unknown-fix.patch b/libtiff-unknown-fix.patch
new file mode 100644
index 0000000..5c3b32e
--- /dev/null
+++ b/libtiff-unknown-fix.patch
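Review bot: The last tiffdump.c hunk still computes `cc = dir->tdir_count * w;` without an overflow check, while the hunk before it switches the same product to `TIFFSafeMultiply`. The read into `cp` is then only safe if every caller has already validated the count and sized the buffer from the checked value, which cannot be confirmed here because the function begins outside the hunk. Using the same guard at this site, `cc = TIFFSafeMultiply(int, dir->tdir_count, w);` with a rejection of `cc <= 0` (assuming `cc` is a signed int like `space`), would keep the two computations from drifting apart. The change to `read(fd, cp, cc) == cc` also turns a short read into a failure, which deserves a one-line comment.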
@@ -0,0 +1,47 @@
+Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to
+sometimes complain about out-of-order tags when there weren't really any.
+Fix by decoupling that logic from the tag search logic.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c
+--- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400
+@@ -83,6 +83,7 @@
+ const TIFFFieldInfo* fip;
+ size_t fix;
+ uint16 dircount;
++ uint16 previous_tag = 0;
+ int diroutoforderwarning = 0, compressionknown = 0;
+ int haveunknowntags = 0;
+
+@@ -163,23 +164,24 @@
+
+ if (dp->tdir_tag == IGNORE)
+ continue;
+- if (fix >= tif->tif_nfields)
+- fix = 0;
+
+ /*
+ * Silicon Beach (at least) writes unordered
+ * directory tags (violating the spec). Handle
+ * it here, but be obnoxious (maybe they'll fix it?).
+ */
+- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
++ if (dp->tdir_tag < previous_tag) {
+ if (!diroutoforderwarning) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: invalid TIFF directory; tags are not sorted in ascending order",
+ tif->tif_name);
+ diroutoforderwarning = 1;
+ }
+- fix = 0; /* O(n^2) */
+ }
++ previous_tag = dp->tdir_tag;
++ if (fix >= tif->tif_nfields ||
++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
++ fix = 0; /* O(n^2) */
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
diff --git a/libtiff-ycbcr-clamp.patch b/libtiff-ycbcr-clamp.patch
new file mode 100644
index 0000000..fbd10bb
--- /dev/null
+++ b/libtiff-ycbcr-clamp.patch
@@ -0,0 +1,35 @@
+Using an array to clamp translated YCbCr values is insecure, because if the
+TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
+values could be very far out of range (much further than the current array
+size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in
+favor of using a comparison-based macro to clamp. See RH bug #583081.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
+--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400
+@@ -183,13 +183,18 @@
+ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
+ uint32 *r, uint32 *g, uint32 *b)
+ {
++ int32 i;
++
+ /* XXX: Only 8-bit YCbCr input supported for now */
+ Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
+
+- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
+- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
+- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
+- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
++ *r = CLAMP(i, 0, 255);
++ i = ycbcr->Y_tab[Y]
++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
++ *g = CLAMP(i, 0, 255);
++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
++ *b = CLAMP(i, 0, 255);
+ }
+
+ /*
diff --git a/libtiff.spec b/libtiff.spec
index 2129ff0..2b901aa 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff -Version: 3.9.2 -Release: 3%{?dist} +Version: 3.9.4 +Release: 1%{?dist} License: libtiff Group: System Environment/Libraries
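Review bot: The sums assigned to `i` in TIFFYCbCrtoRGB are still plain 32-bit signed additions of table entries, so `CLAMP(i, 0, 255)` only helps if those sums cannot overflow before the comparison. The patch description says bogus ReferenceBlackWhite values can push the results far out of range; how far depends on how `Y_tab`, `Cr_r_tab` and the other tables are filled, which is outside this hunk. If the entries are not bounded when the tables are built, the addition itself is undefined behaviour, so either bound them at initialisation or state the guaranteed range in a comment above `int32 i;`. `clamptab` is no longer read here; if nothing else uses it, its setup can be removed in the same patch.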
@@ -10,9 +10,14 @@ URL: http://www.remotesensing.org/libtiff/ Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz Patch1: libtiff-acversion.patch Patch2: libtiff-mantypo.patch -Patch3: libtiff-CVE-2009-2347.patch -Patch4: libtiff-jpeg-scanline.patch -Patch5: libtiff-scanlinesize.patch +Patch3: libtiff-scanlinesize.patch +Patch4: libtiff-getimage-64bit.patch +Patch5: libtiff-ycbcr-clamp.patch +Patch6: libtiff-3samples.patch +Patch7: libtiff-subsampling.patch +Patch8: libtiff-unknown-fix.patch +Patch9: libtiff-checkbytecount.patch +Patch10: libtiff-tiffdump.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: zlib-devel libjpeg-devel
@@ -70,6 +75,11 @@ image files using the libtiff library. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4
@@ -181,6 +191,15 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/* %changelog +* Tue Jun 22 2010 Tom Lane 3.9.4-1 +- Update to libtiff 3.9.4, for numerous bug fixes including fixes for + CVE-2010-1411, CVE-2010-2065, CVE-2010-2067 +Resolves: #554371 +Related: #460653, #588784, #601274, #599576, #592361, #603024 +- Add fixes for multiple SIGSEGV problems +Resolves: #583081 +Related: #603081, #603699, #603703 + * Tue Jan 5 2010 Tom Lane 3.9.2-3 - Apply Adam Goode's fix for Warmerdam's fix Resolves: #552360
diff --git a/sources b/sources
index ba0b467..a73728b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-93e56e421679c591de7552db13384cb8 tiff-3.9.2.tar.gz
+2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz
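Review bot: `Patch3: libtiff-CVE-2009-2347.patch` is dropped from the patch list, but nothing in the commit says why. The header of that patch stated that the upstream fix was incomplete in 3.9.2 and that the tiff2rgba.c overflow checks were still needed, and the new %changelog entry names only CVE-2010-1411, CVE-2010-2065 and CVE-2010-2067. Please confirm that the 3.9.4 tarball carries the `raster_size` checks in cvt_by_tile and in the strip variant, and record the result with a changelog line such as `- Drop CVE-2009-2347 and jpeg-scanline patches, now included upstream` (wording to be adjusted to what the check finds).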