Update to libtiff 3.9.4, and fix assorted crashing bugs
parent
578a0a9fca
commit
8a8bf67044
@ -1 +1 @@
|
|||||||
tiff-3.9.2.tar.gz
|
tiff-3.9.4.tar.gz
|
||||||
|
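--- /dev/null
+++ b/libtiff-3samples.patch
@@ -0,0 +1,21 @@
+Patch for bug #603081: failure to guard against bogus SamplesPerPixel
+when converting a YCbCr image to RGB.
+
+This patch duplicates into PickContigCase() a safety check that already
+existed in PickSeparateCase().
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400
+@@ -2397,7 +2397,7 @@
+}
+break;
+case PHOTOMETRIC_YCBCR:
+- if (img->bitspersample == 8)
++ if ((img->bitspersample==8) && (img->samplesperpixel==3))
+{
+if (initYCbCrConversion(img)!=0)
+{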
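Review bot: The tightened test in the `PHOTOMETRIC_YCBCR` case carries no comment saying why exactly three samples are required, so a later cleanup could relax it without noticing that it is a memory-safety guard against a bogus SamplesPerPixel. A one-line comment above the `if`, such as `/* YCbCr put routines expect 3 samples per pixel; reject anything else */`, would record that; the wording is inferred from the patch header and should be confirmed against the put routines. The enclosing function continues outside the hunk, so what happens when the test fails is not visible here.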
@ -1,93 +0,0 @@
|
|||||||
This is a portion of the patch we were carrying for CVE-2009-2347 in 3.8.2.
|
|
||||||
Unfortunately the upstream fix in 3.9.2 is incomplete, so we still need this
|
|
||||||
part. Reported upstream at
|
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2079
|
|
||||||
|
|
||||||
|
|
||||||
diff -Naur tiff-3.9.2.orig/tools/tiff2rgba.c tiff-3.9.2/tools/tiff2rgba.c
|
|
||||||
--- tiff-3.9.2.orig/tools/tiff2rgba.c 2009-08-20 16:23:53.000000000 -0400
|
|
||||||
+++ tiff-3.9.2/tools/tiff2rgba.c 2009-12-03 12:19:07.000000000 -0500
|
|
||||||
@@ -125,6 +125,17 @@
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static tsize_t
|
|
||||||
+multiply(tsize_t m1, tsize_t m2)
|
|
||||||
+{
|
|
||||||
+ tsize_t prod = m1 * m2;
|
|
||||||
+
|
|
||||||
+ if (m1 && prod / m1 != m2)
|
|
||||||
+ prod = 0; /* overflow */
|
|
||||||
+
|
|
||||||
+ return prod;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
cvt_by_tile( TIFF *in, TIFF *out )
|
|
||||||
|
|
||||||
@@ -134,6 +145,7 @@
|
|
||||||
uint32 tile_width, tile_height;
|
|
||||||
uint32 row, col;
|
|
||||||
uint32 *wrk_line;
|
|
||||||
+ tsize_t raster_size;
|
|
||||||
int ok = 1;
|
|
||||||
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
|
||||||
@@ -151,7 +163,14 @@
|
|
||||||
/*
|
|
||||||
* Allocate tile buffer
|
|
||||||
*/
|
|
||||||
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
|
|
||||||
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
|
|
||||||
+ if (!raster_size) {
|
|
||||||
+ TIFFError(TIFFFileName(in),
|
|
||||||
+ "Can't allocate buffer for raster of size %lux%lu",
|
|
||||||
+ (unsigned long) tile_width, (unsigned long) tile_height);
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
+ raster = (uint32*)_TIFFmalloc(raster_size);
|
|
||||||
if (raster == 0) {
|
|
||||||
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
|
||||||
return (0);
|
|
||||||
@@ -159,7 +178,7 @@
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Allocate a scanline buffer for swapping during the vertical
|
|
||||||
- * mirroring pass.
|
|
||||||
+ * mirroring pass. (Request can't overflow given prior checks.)
|
|
||||||
*/
|
|
||||||
wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
|
|
||||||
if (!wrk_line) {
|
|
||||||
@@ -236,6 +255,7 @@
|
|
||||||
uint32 width, height; /* image width & height */
|
|
||||||
uint32 row;
|
|
||||||
uint32 *wrk_line;
|
|
||||||
+ tsize_t raster_size;
|
|
||||||
int ok = 1;
|
|
||||||
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
|
||||||
@@ -251,7 +271,14 @@
|
|
||||||
/*
|
|
||||||
* Allocate strip buffer
|
|
||||||
*/
|
|
||||||
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
|
|
||||||
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
|
|
||||||
+ if (!raster_size) {
|
|
||||||
+ TIFFError(TIFFFileName(in),
|
|
||||||
+ "Can't allocate buffer for raster of size %lux%lu",
|
|
||||||
+ (unsigned long) width, (unsigned long) rowsperstrip);
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
+ raster = (uint32*)_TIFFmalloc(raster_size);
|
|
||||||
if (raster == 0) {
|
|
||||||
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
|
||||||
return (0);
|
|
||||||
@@ -259,7 +286,7 @@
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Allocate a scanline buffer for swapping during the vertical
|
|
||||||
- * mirroring pass.
|
|
||||||
+ * mirroring pass. (Request can't overflow given prior checks.)
|
|
||||||
*/
|
|
||||||
wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
|
|
||||||
if (!wrk_line) {
|
|
@ -2,15 +2,15 @@ This patch is needed for building the package as of F-11. It can be
|
|||||||
dropped whenever autoconf 2.63 is no longer used on any live branch.
|
dropped whenever autoconf 2.63 is no longer used on any live branch.
|
||||||
|
|
||||||
|
|
||||||
diff -Naur tiff-3.9.2.orig/configure.ac tiff-3.9.2/configure.ac
|
diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac
|
||||||
--- tiff-3.9.2.orig/configure.ac 2009-11-04 12:11:20.000000000 -0500
|
--- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400
|
||||||
+++ tiff-3.9.2/configure.ac 2009-12-03 12:52:41.000000000 -0500
|
+++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400
|
||||||
@@ -24,7 +24,7 @@
|
@@ -24,7 +24,7 @@
|
||||||
|
|
||||||
dnl Process this file with autoconf to produce a configure script.
|
dnl Process this file with autoconf to produce a configure script.
|
||||||
|
|
||||||
-AC_PREREQ(2.64)
|
-AC_PREREQ(2.64)
|
||||||
+AC_PREREQ(2.63)
|
+AC_PREREQ(2.63)
|
||||||
AC_INIT([LibTIFF Software],[3.9.2],[tiff@lists.maptools.org],[tiff])
|
AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff])
|
||||||
AC_CONFIG_AUX_DIR(config)
|
AC_CONFIG_AUX_DIR(config)
|
||||||
AC_CONFIG_MACRO_DIR(m4)
|
AC_CONFIG_MACRO_DIR(m4)
|
||||||
|
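--- /dev/null
+++ b/libtiff-checkbytecount.patch
@@ -0,0 +1,48 @@
+Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
+missing strip byte counts too. Testing shows that tiffsplit.c has an issue
+too.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
+--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400
+@@ -1920,6 +1920,10 @@
+sp->in_buffer_file_pos=0;
+else
+{
++ if (sp->tif->tif_dir.td_stripbytecount == 0) {
++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
++ return(0);
++ }
+sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
+if (sp->in_buffer_file_togo==0)
+sp->in_buffer_file_pos=0;
+diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
+--- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400
+@@ -237,7 +237,10 @@
+tstrip_t s, ns = TIFFNumberOfStrips(in);
+uint32 *bytecounts;
+
+- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
++ return (0);
++ }
+for (s = 0; s < ns; s++) {
+if (bytecounts[s] > (uint32)bufsize) {
+buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
+@@ -267,7 +270,10 @@
+ttile_t t, nt = TIFFNumberOfTiles(in);
+uint32 *bytecounts;
+
+- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
++ return (0);
++ }
+for (t = 0; t < nt; t++) {
+if (bytecounts[t] > (uint32) bufsize) {
+buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);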
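Review bot: Both early returns added to tiffsplit.c (`return (0);` after the failed `TIFFGetField` for `TIFFTAG_STRIPBYTECOUNTS` and again for `TIFFTAG_TILEBYTECOUNTS`) appear to leave `buf` unreleased. `buf` is handed to `_TIFFrealloc` a few lines further down, so it looks like a heap buffer the function already owns at that point, although its allocation is above the hunk. Adding `_TIFFfree(buf);` before each `return (0);` would close the leak. In the tif_ojpeg.c hunk the new guard only rejects a missing array; whether `sp->in_buffer_next_strile` is bounded by the number of entries is not visible here and is worth confirming.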
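--- /dev/null
+++ b/libtiff-getimage-64bit.patch
@@ -0,0 +1,48 @@
+Fix misbehavior on 64-bit machines when trying to flip a downsampled image
+vertically: unsigned ints will be widened to 64 bits the wrong way.
+See RH bug #583081.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400
+@@ -1846,6 +1846,7 @@
+DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+{
+uint32* cp2;
++ int32 incr = 2*toskew+w;
+(void) y;
+fromskew = (fromskew / 2) * 6;
+cp2 = cp+w+toskew;
+@@ -1872,8 +1873,8 @@
+cp2 ++ ;
+pp += 6;
+}
+- cp += toskew*2+w;
+- cp2 += toskew*2+w;
++ cp += incr;
++ cp2 += incr;
+pp += fromskew;
+h-=2;
+}
+@@ -1939,6 +1940,7 @@
+DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+{
+uint32* cp2;
++ int32 incr = 2*toskew+w;
+(void) y;
+fromskew = (fromskew / 2) * 4;
+cp2 = cp+w+toskew;
+@@ -1953,8 +1955,8 @@
+cp2 ++;
+pp += 4;
+} while (--x);
+- cp += toskew*2+w;
+- cp2 += toskew*2+w;
++ cp += incr;
++ cp2 += incr;
+pp += fromskew;
+h-=2;
+}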
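Review bot: The two new `int32 incr = 2*toskew+w;` declarations have no comment, and nothing in the code says that the signed temporary is the fix itself. Going by the patch header, the old `cp += toskew*2+w` was presumably evaluated as an unsigned 32-bit value and then widened without sign extension on 64-bit hosts, so a negative step became a large positive pointer offset. A comment on both declarations, such as `/* keep signed 32-bit: a negative step must sign-extend when added to the pointer */`, would stop someone from folding the expression back inline. The parameter types are hidden behind `DECLAREContigPutFunc` and both function bodies extend beyond their hunks, so confirm the types before wording the comment.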
@ -1,62 +0,0 @@
|
|||||||
Upstream patch for tiff2ps core dump noted in bug #460322. (Note that
|
|
||||||
the tiffcmp crash mentioned there is really a different bug.)
|
|
||||||
Now also incorporating Adam Goode's patch for bug #552360. See
|
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=1936
|
|
||||||
|
|
||||||
|
|
||||||
diff -Naur tiff-3.9.2.orig/libtiff/tif_dir.c tiff-3.9.2/libtiff/tif_dir.c
|
|
||||||
--- tiff-3.9.2.orig/libtiff/tif_dir.c 2008-12-31 19:10:43.000000000 -0500
|
|
||||||
+++ tiff-3.9.2/libtiff/tif_dir.c 2010-01-05 19:59:12.000000000 -0500
|
|
||||||
@@ -1100,6 +1100,13 @@
|
|
||||||
*/
|
|
||||||
tif->tif_flags &= ~TIFF_ISTILED;
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Clear other directory-specific fields.
|
|
||||||
+ */
|
|
||||||
+ tif->tif_tilesize = 0;
|
|
||||||
+ tif->tif_scanlinesize = 0;
|
|
||||||
+
|
|
||||||
+
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
|
|
||||||
--- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400
|
|
||||||
+++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 19:59:12.000000000 -0500
|
|
||||||
@@ -1613,7 +1613,11 @@
|
|
||||||
* Must recalculate cached tile size in case sampling state changed.
|
|
||||||
* Should we really be doing this now if image size isn't set?
|
|
||||||
*/
|
|
||||||
- tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1;
|
|
||||||
+ if( tif->tif_tilesize > 0 )
|
|
||||||
+ tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1;
|
|
||||||
+
|
|
||||||
+ if(tif->tif_scanlinesize > 0 )
|
|
||||||
+ tif->tif_scanlinesize = TIFFScanlineSize(tif);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
@@ -1741,13 +1745,21 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
- {
|
|
||||||
+ {
|
|
||||||
if( !TIFFFillStrip( tif, 0 ) )
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
TIFFSetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
|
|
||||||
(uint16) sp->h_sampling, (uint16) sp->v_sampling );
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ ** We want to clear the loaded strip so the application has time
|
|
||||||
+ ** to set JPEGCOLORMODE or other behavior modifiers. This essentially
|
|
||||||
+ ** undoes the JPEGPreDecode triggers by TIFFFileStrip(). (#1936)
|
|
||||||
+ */
|
|
||||||
+ tif->tif_curstrip = -1;
|
|
||||||
+
|
|
||||||
#endif /* CHECK_JPEG_YCBCR_SUBSAMPLING */
|
|
||||||
}
|
|
||||||
|
|
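--- /dev/null
+++ b/libtiff-subsampling.patch
@@ -0,0 +1,51 @@
+Use the spec-mandated default YCbCrSubSampling values in strip size
+calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
+See bug #603703.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215
+
+NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues.
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400
+@@ -124,9 +124,9 @@
+uint16 ycbcrsubsampling[2];
+tsize_t w, scanline, samplingarea;
+
+- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1 );
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
+if (samplingarea == 0) {
+@@ -234,9 +234,9 @@
+&& !isUpSampled(tif)) {
+uint16 ycbcrsubsampling[2];
+
+- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1);
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+@@ -308,9 +308,9 @@
+&& !isUpSampled(tif)) {
+uint16 ycbcrsubsampling[2];
+
+- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1);
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+TIFFErrorExt(tif->tif_clientdata, tif->tif_name,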
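--- /dev/null
+++ b/libtiff-tiffdump.patch
@@ -0,0 +1,35 @@
+Make tiffdump more paranoid about checking the count field of a directory
+entry.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218
+
+
+diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
+--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400
+@@ -46,6 +46,7 @@
+# include <io.h>
+#endif
+
++#include "tiffiop.h"
+#include "tiffio.h"
+
+#ifndef O_BINARY
+@@ -317,7 +318,7 @@
+printf(">\n");
+continue;
+}
+- space = dp->tdir_count * datawidth[dp->tdir_type];
++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
+if (space <= 0) {
+printf(">\n");
+Error("Invalid count for tag %u", dp->tdir_tag);
+@@ -709,7 +710,7 @@
+w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
+cc = dir->tdir_count * w;
+if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
+- && read(fd, cp, cc) != -1) {
++ && read(fd, cp, cc) == cc) {
+if (swabflag) {
+switch (dir->tdir_type) {
+case TIFF_SHORT: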
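Review bot: The last tiffdump.c hunk leaves `cc = dir->tdir_count * w;` as an unchecked multiplication, while the hunk before it moves the equivalent computation of `space` to `TIFFSafeMultiply`. If this function can be reached with a count that was not already validated through `space`, `cc` can wrap, and the new `read(fd, cp, cc) == cc` test then compares against the wrapped value. Using `cc = TIFFSafeMultiply(int, dir->tdir_count, w);` and bailing out when `cc <= 0` before the `lseek` would make the two sites consistent. The declaration of `cc` is outside the hunk, so the macro's type argument should be matched to it.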
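--- /dev/null
+++ b/libtiff-unknown-fix.patch
@@ -0,0 +1,47 @@
+Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to
+sometimes complain about out-of-order tags when there weren't really any.
+Fix by decoupling that logic from the tag search logic.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c
+--- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400
+@@ -83,6 +83,7 @@
+const TIFFFieldInfo* fip;
+size_t fix;
+uint16 dircount;
++ uint16 previous_tag = 0;
+int diroutoforderwarning = 0, compressionknown = 0;
+int haveunknowntags = 0;
+
+@@ -163,23 +164,24 @@
+
+if (dp->tdir_tag == IGNORE)
+continue;
+- if (fix >= tif->tif_nfields)
+- fix = 0;
+
+/*
+* Silicon Beach (at least) writes unordered
+* directory tags (violating the spec). Handle
+* it here, but be obnoxious (maybe they'll fix it?).
+*/
+- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
++ if (dp->tdir_tag < previous_tag) {
+if (!diroutoforderwarning) {
+TIFFWarningExt(tif->tif_clientdata, module,
+"%s: invalid TIFF directory; tags are not sorted in ascending order",
+tif->tif_name);
+diroutoforderwarning = 1;
+}
+- fix = 0; /* O(n^2) */
+}
++ previous_tag = dp->tdir_tag;
++ if (fix >= tif->tif_nfields ||
++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
++ fix = 0; /* O(n^2) */
+while (fix < tif->tif_nfields &&
+tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+fix++;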
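--- /dev/null
+++ b/libtiff-ycbcr-clamp.patch
@@ -0,0 +1,35 @@
+Using an array to clamp translated YCbCr values is insecure, because if the
+TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
+values could be very far out of range (much further than the current array
+size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in
+favor of using a comparison-based macro to clamp. See RH bug #583081.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
+--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400
+@@ -183,13 +183,18 @@
+TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
+uint32 *r, uint32 *g, uint32 *b)
+{
++ int32 i;
++
+/* XXX: Only 8-bit YCbCr input supported for now */
+Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
+
+- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
+- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
+- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
+- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
++ *r = CLAMP(i, 0, 255);
++ i = ycbcr->Y_tab[Y]
++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
++ *g = CLAMP(i, 0, 255);
++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
++ *b = CLAMP(i, 0, 255);
+}
+
+/*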
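Review bot: The sums assigned to `i` (`ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]` and the two that follow) are still computed in plain signed arithmetic before `CLAMP` sees them. The patch header says bogus ReferenceBlackWhite parameters can push the results very far out of range; if the table entries themselves can approach the int32 limits, the addition can overflow before it is clamped, which is undefined behaviour. The table initialisation is outside this hunk, so this needs confirming there. Either bound the entries when the tables are built, or record the assumption with a comment such as `/* table entries are bounded at init, so these sums cannot overflow int32 */`.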
29
libtiff.spec
29
libtiff.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: Library of functions for manipulating TIFF format image files
|
Summary: Library of functions for manipulating TIFF format image files
|
||||||
Name: libtiff
|
Name: libtiff
|
||||||
Version: 3.9.2
|
Version: 3.9.4
|
||||||
Release: 3%{?dist}
|
Release: 1%{?dist}
|
||||||
|
|
||||||
License: libtiff
|
License: libtiff
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -10,9 +10,14 @@ URL: http://www.remotesensing.org/libtiff/
|
|||||||
Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
|
Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
|
||||||
Patch1: libtiff-acversion.patch
|
Patch1: libtiff-acversion.patch
|
||||||
Patch2: libtiff-mantypo.patch
|
Patch2: libtiff-mantypo.patch
|
||||||
Patch3: libtiff-CVE-2009-2347.patch
|
Patch3: libtiff-scanlinesize.patch
|
||||||
Patch4: libtiff-jpeg-scanline.patch
|
Patch4: libtiff-getimage-64bit.patch
|
||||||
Patch5: libtiff-scanlinesize.patch
|
Patch5: libtiff-ycbcr-clamp.patch
|
||||||
|
Patch6: libtiff-3samples.patch
|
||||||
|
Patch7: libtiff-subsampling.patch
|
||||||
|
Patch8: libtiff-unknown-fix.patch
|
||||||
|
Patch9: libtiff-checkbytecount.patch
|
||||||
|
Patch10: libtiff-tiffdump.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||||
BuildRequires: zlib-devel libjpeg-devel
|
BuildRequires: zlib-devel libjpeg-devel
|
||||||
@ -70,6 +75,11 @@ image files using the libtiff library.
|
|||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
|
||||||
# Use build system's libtool.m4, not the one in the package.
|
# Use build system's libtool.m4, not the one in the package.
|
||||||
rm -f libtool.m4
|
rm -f libtool.m4
|
||||||
@ -181,6 +191,15 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_mandir}/man1/*
|
%{_mandir}/man1/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 22 2010 Tom Lane <tgl@redhat.com> 3.9.4-1
|
||||||
|
- Update to libtiff 3.9.4, for numerous bug fixes including fixes for
|
||||||
|
CVE-2010-1411, CVE-2010-2065, CVE-2010-2067
|
||||||
|
Resolves: #554371
|
||||||
|
Related: #460653, #588784, #601274, #599576, #592361, #603024
|
||||||
|
- Add fixes for multiple SIGSEGV problems
|
||||||
|
Resolves: #583081
|
||||||
|
Related: #603081, #603699, #603703
|
||||||
|
|
||||||
* Tue Jan 5 2010 Tom Lane <tgl@redhat.com> 3.9.2-3
|
* Tue Jan 5 2010 Tom Lane <tgl@redhat.com> 3.9.2-3
|
||||||
- Apply Adam Goode's fix for Warmerdam's fix
|
- Apply Adam Goode's fix for Warmerdam's fix
|
||||||
Resolves: #552360
|
Resolves: #552360
|
||||||
|
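Review bot: The `%changelog` entry for 3.9.4-1 does not record that `libtiff-CVE-2009-2347.patch` and `libtiff-jpeg-scanline.patch` are no longer applied, even though `Patch3` and `Patch4` now point at other files. One of the patches deleted on this page says in its header that the upstream fix for CVE-2009-2347 in 3.9.2 was incomplete for tools/tiff2rgba.c, so the entry should say whether 3.9.4 carries equivalent overflow checks on the raster allocations. If that is confirmed, a line such as `- Drop CVE-2009-2347 and jpeg-scanline patches, now merged upstream` would make the security status auditable from the package history.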