New upstream version libtiff-4.1.0 (#1768276)
parent
15d4f182c8
commit
a15512fd3c
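--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 /tiff-4.0.8.tar.gz
 /tiff-4.0.9.tar.gz
 /tiff-4.0.10.tar.gz
+/tiff-4.1.0.tar.gz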
@ -1,47 +0,0 @@
|
|||||||
From 2cd851937e887704aa6838b272015de93f48bb44 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Thomas Bernard <miniupnp@free.fr>
|
|
||||||
Date: Mon, 11 Feb 2019 10:05:33 +0100
|
|
||||||
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
|
|
||||||
|
|
||||||
fixes bug 2833
|
|
||||||
---
|
|
||||||
tools/tiffcp.c | 9 ++++++++-
|
|
||||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
|
||||||
index 2f406e2..8c81aa4 100644
|
|
||||||
--- a/tools/tiffcp.c
|
|
||||||
+++ b/tools/tiffcp.c
|
|
||||||
@@ -41,6 +41,7 @@
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
+#include <limits.h>
|
|
||||||
|
|
||||||
#include <ctype.h>
|
|
||||||
|
|
||||||
@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
|
|
||||||
int status = 1;
|
|
||||||
uint32 imagew = TIFFRasterScanlineSize(in);
|
|
||||||
uint32 tilew = TIFFTileRowSize(in);
|
|
||||||
- int iskew = imagew - tilew*spp;
|
|
||||||
+ int iskew;
|
|
||||||
tsize_t tilesize = TIFFTileSize(in);
|
|
||||||
tdata_t tilebuf;
|
|
||||||
uint8* bufp = (uint8*) buf;
|
|
||||||
@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
|
|
||||||
uint32 row;
|
|
||||||
uint16 bps = 0, bytes_per_sample;
|
|
||||||
|
|
||||||
+ if (spp > (INT_MAX / tilew))
|
|
||||||
+ {
|
|
||||||
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ iskew = imagew - tilew*spp;
|
|
||||||
tilebuf = _TIFFmalloc(tilesize);
|
|
||||||
if (tilebuf == 0)
|
|
||||||
return 0;
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -1,100 +0,0 @@
|
|||||||
From 6579f23f3019d8aa7ef0cd856c03d1497add85be Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hugo Lefeuvre <hle@debian.org>
|
|
||||||
Date: Wed, 21 Nov 2018 18:50:34 +0100
|
|
||||||
Subject: [PATCH] tif_dir: unset transferfunction field if necessary
|
|
||||||
|
|
||||||
The number of entries in the transfer table is determined as following:
|
|
||||||
|
|
||||||
(td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1
|
|
||||||
|
|
||||||
This means that whenever td->td_samplesperpixel or td->td_extrasamples are
|
|
||||||
modified we also need to make sure that the number of required entries in
|
|
||||||
the transfer table didn't change.
|
|
||||||
|
|
||||||
If it changed and the number of entries is higher than before we should
|
|
||||||
invalidate the transfer table field and free previously allocated values.
|
|
||||||
In the other case there's nothing to do, additional tf entries won't harm
|
|
||||||
and properly written code will just ignore them since spp - es < 1.
|
|
||||||
|
|
||||||
For instance this situation might happen when reading an OJPEG compressed
|
|
||||||
image with missing SamplesPerPixel tag. In this case the SamplesPerPixel
|
|
||||||
field might be updated after setting the transfer table.
|
|
||||||
|
|
||||||
see http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
|
||||||
|
|
||||||
This commit addresses CVE-2018-19210.
|
|
||||||
---
|
|
||||||
libtiff/tif_dir.c | 30 ++++++++++++++++++++++++++++--
|
|
||||||
1 file changed, 28 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
|
||||||
index 6f0b487..028ea54 100644
|
|
||||||
--- a/libtiff/tif_dir.c
|
|
||||||
+++ b/libtiff/tif_dir.c
|
|
||||||
@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb)
|
|
||||||
* Install extra samples information.
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
|
|
||||||
+setExtraSamples(TIFF* tif, va_list ap, uint32* v)
|
|
||||||
{
|
|
||||||
/* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
|
|
||||||
#define EXTRASAMPLE_COREL_UNASSALPHA 999
|
|
||||||
|
|
||||||
uint16* va;
|
|
||||||
uint32 i;
|
|
||||||
+ TIFFDirectory* td = &tif->tif_dir;
|
|
||||||
+ static const char module[] = "setExtraSamples";
|
|
||||||
|
|
||||||
*v = (uint16) va_arg(ap, uint16_vap);
|
|
||||||
if ((uint16) *v > td->td_samplesperpixel)
|
|
||||||
@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
|
|
||||||
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
|
|
||||||
+ {
|
|
||||||
+ TIFFWarningExt(tif->tif_clientdata,module,
|
|
||||||
+ "ExtraSamples tag value is changing, "
|
|
||||||
+ "but TransferFunction was read with a different value. Cancelling it");
|
|
||||||
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
|
|
||||||
+ _TIFFfree(td->td_transferfunction[0]);
|
|
||||||
+ td->td_transferfunction[0] = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
td->td_extrasamples = (uint16) *v;
|
|
||||||
_TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
|
|
||||||
return 1;
|
|
||||||
@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
|
||||||
_TIFFfree(td->td_smaxsamplevalue);
|
|
||||||
td->td_smaxsamplevalue = NULL;
|
|
||||||
}
|
|
||||||
+ /* Test if 3 transfer functions instead of just one are now needed
|
|
||||||
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
|
|
||||||
+ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
|
|
||||||
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
|
|
||||||
+ {
|
|
||||||
+ TIFFWarningExt(tif->tif_clientdata,module,
|
|
||||||
+ "SamplesPerPixel tag value is changing, "
|
|
||||||
+ "but TransferFunction was read with a different value. Cancelling it");
|
|
||||||
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
|
|
||||||
+ _TIFFfree(td->td_transferfunction[0]);
|
|
||||||
+ td->td_transferfunction[0] = NULL;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
td->td_samplesperpixel = (uint16) v;
|
|
||||||
break;
|
|
||||||
@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
|
||||||
_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
|
|
||||||
break;
|
|
||||||
case TIFFTAG_EXTRASAMPLES:
|
|
||||||
- if (!setExtraSamples(td, ap, &v))
|
|
||||||
+ if (!setExtraSamples(tif, ap, &v))
|
|
||||||
goto badvalue;
|
|
||||||
break;
|
|
||||||
case TIFFTAG_MATTEING:
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -1,49 +0,0 @@
|
|||||||
From 99cab41801c37588f67396d836c5b677aba498ce Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Gayou <github.scott@gmail.com>
|
|
||||||
Date: Wed, 23 Jan 2019 15:03:53 -0500
|
|
||||||
Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
|
|
||||||
|
|
||||||
pal2rgb failed to free memory on a few errors. This was reported
|
|
||||||
here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
|
|
||||||
---
|
|
||||||
tools/pal2rgb.c | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
|
|
||||||
index 01d8502..9492f1c 100644
|
|
||||||
--- a/tools/pal2rgb.c
|
|
||||||
+++ b/tools/pal2rgb.c
|
|
||||||
@@ -118,12 +118,14 @@ main(int argc, char* argv[])
|
|
||||||
shortv != PHOTOMETRIC_PALETTE) {
|
|
||||||
fprintf(stderr, "%s: Expecting a palette image.\n",
|
|
||||||
argv[optind]);
|
|
||||||
+ (void) TIFFClose(in);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
|
|
||||||
fprintf(stderr,
|
|
||||||
"%s: No colormap (not a valid palette image).\n",
|
|
||||||
argv[optind]);
|
|
||||||
+ (void) TIFFClose(in);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
bitspersample = 0;
|
|
||||||
@@ -131,11 +133,14 @@ main(int argc, char* argv[])
|
|
||||||
if (bitspersample != 8) {
|
|
||||||
fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
|
|
||||||
argv[optind]);
|
|
||||||
+ (void) TIFFClose(in);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
out = TIFFOpen(argv[optind+1], "w");
|
|
||||||
- if (out == NULL)
|
|
||||||
+ if (out == NULL) {
|
|
||||||
+ (void) TIFFClose(in);
|
|
||||||
return (-2);
|
|
||||||
+ }
|
|
||||||
cpTags(in, out);
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
|
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
13
libtiff.spec
13
libtiff.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: Library of functions for manipulating TIFF format image files
|
Summary: Library of functions for manipulating TIFF format image files
|
||||||
Name: libtiff
|
Name: libtiff
|
||||||
Version: 4.0.10
|
Version: 4.1.0
|
||||||
Release: 6%{?dist}
|
Release: 1%{?dist}
|
||||||
License: libtiff
|
License: libtiff
|
||||||
URL: http://www.simplesystems.org/libtiff/
|
URL: http://www.simplesystems.org/libtiff/
|
||||||
|
|
||||||
@ -9,9 +9,6 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
|
|||||||
|
|
||||||
Patch0: libtiff-am-version.patch
|
Patch0: libtiff-am-version.patch
|
||||||
Patch1: libtiff-make-check.patch
|
Patch1: libtiff-make-check.patch
|
||||||
Patch2: libtiff-CVE-2019-6128.patch
|
|
||||||
Patch3: libtiff-CVE-2018-12900_CVE-2019-7663.patch
|
|
||||||
Patch4: libtiff-CVE-2018-19210.patch
|
|
||||||
|
|
||||||
BuildRequires: gcc, gcc-c++
|
BuildRequires: gcc, gcc-c++
|
||||||
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
|
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
|
||||||
@ -62,9 +59,6 @@ image files using the libtiff library.
|
|||||||
|
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
|
|
||||||
# Use build system's libtool.m4, not the one in the package.
|
# Use build system's libtool.m4, not the one in the package.
|
||||||
rm -f libtool.m4
|
rm -f libtool.m4
|
||||||
@ -169,6 +163,9 @@ find html -name 'Makefile*' | xargs rm
|
|||||||
%{_mandir}/man1/*
|
%{_mandir}/man1/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 05 2019 Nikola Forró <nforro@redhat.com> - 4.1.0-1
|
||||||
|
- New upstream version libtiff-4.1.0 (#1768276)
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.10-6
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.10-6
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
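Review bot: The `Patch2`–`Patch4` and `%patch2`–`%patch4` entries for CVE-2019-6128, CVE-2018-12900/CVE-2019-7663 and CVE-2018-19210 are removed in this section, but the new changelog entry only reads `- New upstream version libtiff-4.1.0 (#1768276)` and does not record where those fixes went. The deleted patch files carry upstream commit headers dated November 2018 to February 2019, so the fixes are presumably part of the 4.1.0 tarball, but that should be confirmed against the new sources rather than assumed from the dates. I would add a changelog line such as `- Drop patches for CVE-2019-6128, CVE-2018-12900/CVE-2019-7663 and CVE-2018-19210, fixed upstream`, so that anyone auditing the package for these CVEs can see the fixes were not lost in the rebase.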
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (tiff-4.0.10.tar.gz) = d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8
|
SHA512 (tiff-4.1.0.tar.gz) = fd541dcb11e3d5afaa1ec2f073c9497099727a52f626b338ef87dc93ca2e23ca5f47634015a4beac616d4e8f05acf7b7cd5797fb218758cc2ad31b390491c5a6
|
||||||
|