diff --git a/.gitignore b/.gitignore index 0432824..db6bc5b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tiff-4.0.9.tar.gz +tiff-4.6.0.tar.gz diff --git a/.libtiff.metadata b/.libtiff.metadata deleted file mode 100644 index 0a25bcd..0000000 --- a/.libtiff.metadata +++ /dev/null @@ -1 +0,0 @@ -87d4543579176cc568668617c22baceccd568296 SOURCES/tiff-4.0.9.tar.gz diff --git a/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch deleted file mode 100644 index 922631b..0000000 --- a/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch +++ /dev/null @@ -1,40 +0,0 @@ -From 686002d8cd9d41f0a4b7915be9866979c25bd5d7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Matej=20Mu=C5=BEila?= -Date: Thu, 5 May 2022 14:38:04 +0200 -Subject: [PATCH] Back off the minimum required automake version to 1.11. - -There isn't anything in libtiff currently that actually requires 1.12, -and changing this allows the package to be built on pre-F18 machines for -easier testing. This patch can go away once we no longer care about -testing on pre-F18. ---- - Makefile.am | 2 +- - test/Makefile.am | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 418a3b93..fa8bf4c0 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -25,7 +25,7 @@ - - docdir = $(LIBTIFF_DOCDIR) - --AUTOMAKE_OPTIONS = 1.12 dist-zip foreign -+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign - ACLOCAL_AMFLAGS = -I m4 - - docfiles = \ -diff --git a/test/Makefile.am b/test/Makefile.am -index 2052487c..227f228f 100644 ---- a/test/Makefile.am -+++ b/test/Makefile.am -@@ -23,7 +23,7 @@ - - # Process this file with automake to produce Makefile.in. - --AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign -+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign - - LIBTIFF = $(top_builddir)/libtiff/libtiff.la - diff --git a/SOURCES/0002-Fix-Makefile.patch b/SOURCES/0002-Fix-Makefile.patch deleted file mode 100644 index d237372..0000000 --- a/SOURCES/0002-Fix-Makefile.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 42425abcf2204e46544aff5cd95a129944e15894 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Matej=20Mu=C5=BEila?= -Date: Thu, 5 May 2022 14:42:52 +0200 -Subject: [PATCH] Fix Makefile - ---- - html/man/Makefile.am | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/html/man/Makefile.am b/html/man/Makefile.am -index 3ed00d44..8a64925a 100644 ---- a/html/man/Makefile.am -+++ b/html/man/Makefile.am -@@ -90,7 +90,6 @@ docfiles = \ - tiffcrop.1.html \ - tiffdither.1.html \ - tiffdump.1.html \ -- tiffgt.1.html \ - tiffinfo.1.html \ - tiffmedian.1.html \ - tiffset.1.html \ diff --git a/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch deleted file mode 100644 index 1aaade9..0000000 --- a/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch +++ /dev/null @@ -1,127 +0,0 @@ -From e5d227c83f487e8a87d336f6cebf39042520d5cd Mon Sep 17 00:00:00 2001 -From: Nathan Baker -Date: Tue, 6 Feb 2018 10:13:57 -0500 -Subject: [PATCH] (CVE-2018-5784) Fix for bug 2772 - -It is possible to craft a TIFF document where the IFD list is circular, -leading to an infinite loop while traversing the chain. The libtiff -directory reader has a failsafe that will break out of this loop after -reading 65535 directory entries, but it will continue processing, -consuming time and resources to process what is essentially a bogus TIFF -document. - -This change fixes the above behavior by breaking out of processing when -a TIFF document has >= 65535 directories and terminating with an error. - -(cherry picked from commit 473851d211cf8805a161820337ca74cc9615d6ef) ---- - contrib/addtiffo/tif_overview.c | 14 +++++++++++++- - tools/tiff2pdf.c | 10 ++++++++++ - tools/tiffcrop.c | 13 +++++++++++-- - 3 files changed, 34 insertions(+), 3 deletions(-) - -diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c -index c61ffbb8..03b35733 100644 ---- a/contrib/addtiffo/tif_overview.c -+++ b/contrib/addtiffo/tif_overview.c -@@ -65,6 +65,8 @@ - # define MAX(a,b) ((a>b) ? a : b) - #endif - -+#define TIFF_DIR_MAX 65534 -+ - void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, - int (*)(double,void*), void * ); - -@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - { - toff_t nBaseDirOffset; - toff_t nOffset; -+ tdir_t iNumDir; - - (void) bUseSubIFDs; - -@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - return 0; - - TIFFWriteDirectory( hTIFF ); -- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); -+ iNumDir = TIFFNumberOfDirectories(hTIFF); -+ if( iNumDir > TIFF_DIR_MAX ) -+ { -+ TIFFErrorExt( TIFFClientdata(hTIFF), -+ "TIFF_WriteOverview", -+ "File `%s' has too many directories.\n", -+ TIFFFileName(hTIFF) ); -+ exit(-1); -+ } -+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); - - nOffset = TIFFCurrentDirOffset( hTIFF ); - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index 454befbd..bdb91262 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); - - #define PS_UNIT_SIZE 72.0F - -+#define TIFF_DIR_MAX 65534 -+ - /* This type is of PDF color spaces. */ - typedef enum { - T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ -@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16 xuint16=0; - - directorycount=TIFFNumberOfDirectories(input); -+ if(directorycount > TIFF_DIR_MAX) { -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "TIFF contains too many directories, %s", -+ TIFFFileName(input)); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); - if(t2p->tiff_pages==NULL){ - TIFFError( -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index c69177e0..c60cb389 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); - #define DUMP_TEXT 1 - #define DUMP_RAW 2 - -+#define TIFF_DIR_MAX 65534 -+ - /* Offsets into buffer for margins and fixed width and length segments */ - struct offset { - uint32 tmargin; -@@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) - pageNum = -1; - else - total_images = 0; -- /* read multiple input files and write to output file(s) */ -+ /* Read multiple input files and write to output file(s) */ - while (optind < argc - 1) - { - in = TIFFOpen (argv[optind], "r"); -@@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) - return (-3); - - /* If only one input file is specified, we can use directory count */ -- total_images = TIFFNumberOfDirectories(in); -+ total_images = TIFFNumberOfDirectories(in); -+ if (total_images > TIFF_DIR_MAX) -+ { -+ TIFFError (TIFFFileName(in), "File contains too many directories"); -+ if (out != NULL) -+ (void) TIFFClose(out); -+ return (1); -+ } - if (image_count == 0) - { - dirnum = 0; diff --git a/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch deleted file mode 100644 index 8148474..0000000 --- a/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch +++ /dev/null @@ -1,170 +0,0 @@ -From 688dc47dfcbbc4e54dc617c9701cf46a03f8e069 Mon Sep 17 00:00:00 2001 -From: Hugo Lefeuvre -Date: Sun, 8 Apr 2018 14:07:08 -0400 -Subject: [PATCH] (CVE-2018-7456) Fix NULL pointer dereference in - TIFFPrintDirectory - -The TIFFPrintDirectory function relies on the following assumptions, -supposed to be guaranteed by the specification: - -(a) A Transfer Function field is only present if the TIFF file has - photometric type < 3. - -(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field - has count SamplesPerPixel - (Color Channels) and contains - information about supplementary channels. - -While respect of (a) and (b) are essential for the well functioning of -TIFFPrintDirectory, no checks are realized neither by the callee nor -by TIFFPrintDirectory itself. Hence, following scenarios might happen -and trigger the NULL pointer dereference: - -(1) TIFF File of photometric type 4 or more has illegal Transfer - Function field. - -(2) TIFF File has photometric type 3 or less and defines a - SamplesPerPixel field such that SamplesPerPixel > Color Channels - without defining all extra samples in the ExtraSamples fields. - -In this patch, we address both issues with respect of the following -principles: - -(A) In the case of (1), the defined transfer table should be printed - safely even if it isn't 'legal'. This allows us to avoid expensive - checks in TIFFPrintDirectory. Also, it is quite possible that - an alternative photometric type would be developed (not part of the - standard) and would allow definition of Transfer Table. We want - libtiff to be able to handle this scenario out of the box. - -(B) In the case of (2), the transfer table should be printed at its - right size, that is if TIFF file has photometric type Palette - then the transfer table should have one row and not three, even - if two extra samples are declared. - -In order to fulfill (A) we simply add a new 'i < 3' end condition to -the broken TIFFPrintDirectory loop. This makes sure that in any case -where (b) would be respected but not (a), everything stays fine. - -(B) is fulfilled by the loop condition -'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as -long as (b) is respected. - -Naturally, we also make sure (b) is respected. This is done in the -TIFFReadDirectory function by making sure any non-color channel is -counted in ExtraSamples. - -This commit addresses CVE-2018-7456. - -(cherry picked from commit be4c85b16e8801a16eec25e80eb9f3dd6a96731b) ---- - libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++ - libtiff/tif_print.c | 2 +- - 2 files changed, 63 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 5e62e813..80aaf8d1 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin - static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); - static void ChopUpSingleUncompressedStrip(TIFF*); - static uint64 TIFFReadUInt64(const uint8 *value); -+static int _TIFFGetMaxColorChannels(uint16 photometric); - - static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); - -@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c - } - } - -+/* -+ * Return the maximum number of color channels specified for a given photometric -+ * type. 0 is returned if photometric type isn't supported or no default value -+ * is defined by the specification. -+ */ -+static int _TIFFGetMaxColorChannels( uint16 photometric ) -+{ -+ switch (photometric) { -+ case PHOTOMETRIC_PALETTE: -+ case PHOTOMETRIC_MINISWHITE: -+ case PHOTOMETRIC_MINISBLACK: -+ return 1; -+ case PHOTOMETRIC_YCBCR: -+ case PHOTOMETRIC_RGB: -+ case PHOTOMETRIC_CIELAB: -+ return 3; -+ case PHOTOMETRIC_SEPARATED: -+ case PHOTOMETRIC_MASK: -+ return 4; -+ case PHOTOMETRIC_LOGL: -+ case PHOTOMETRIC_LOGLUV: -+ case PHOTOMETRIC_CFA: -+ case PHOTOMETRIC_ITULAB: -+ case PHOTOMETRIC_ICCLAB: -+ default: -+ return 0; -+ } -+} -+ - /* - * Read the next TIFF directory from a file and convert it to the internal - * format. We read directories sequentially. -@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif) - uint32 fii=FAILED_FII; - toff_t nextdiroff; - int bitspersample_read = FALSE; -+ int color_channels; - - tif->tif_diroff=tif->tif_nextdiroff; - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) -@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif) - } - } - } -+ -+ /* -+ * Make sure all non-color channels are extrasamples. -+ * If it's not the case, define them as such. -+ */ -+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); -+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { -+ uint16 old_extrasamples; -+ uint16 *new_sampleinfo; -+ -+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " -+ "color channels and ExtraSamples doesn't match SamplesPerPixel. " -+ "Defining non-color channels as ExtraSamples."); -+ -+ old_extrasamples = tif->tif_dir.td_extrasamples; -+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); -+ -+ // sampleinfo should contain information relative to these new extra samples -+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); -+ if (!new_sampleinfo) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " -+ "temporary new sampleinfo array (%d 16 bit elements)", -+ tif->tif_dir.td_extrasamples); -+ goto bad; -+ } -+ -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); -+ _TIFFfree(new_sampleinfo); -+ } -+ - /* - * Verify Palette image has a Colormap. - */ -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index 24d4b98a..10a588ea 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - uint16 i; - fprintf(fd, " %2ld: %5u", - l, td->td_transferfunction[0][l]); -- for (i = 1; i < td->td_samplesperpixel; i++) -+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) - fprintf(fd, " %5u", - td->td_transferfunction[i][l]); - fputc('\n', fd); diff --git a/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch deleted file mode 100644 index 1021a29..0000000 --- a/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 5b984e1b9296c4a3b80c5650f17cb4db575250e4 Mon Sep 17 00:00:00 2001 -From: Brian May -Date: Thu, 7 Dec 2017 07:46:47 +1100 -Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix CVE-2017-9935 - -Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 - -This vulnerability - at least for the supplied test case - is because we -assume that a tiff will only have one transfer function that is the same -for all pages. This is not required by the TIFF standards. - -We than read the transfer function for every page. Depending on the -transfer function, we allocate either 2 or 4 bytes to the XREF buffer. -We allocate this memory after we read in the transfer function for the -page. - -For the first exploit - POC1, this file has 3 pages. For the first page -we allocate 2 extra extra XREF entries. Then for the next page 2 more -entries. Then for the last page the transfer function changes and we -allocate 4 more entries. - -When we read the file into memory, we assume we have 4 bytes extra for -each and every page (as per the last transfer function we read). Which -is not correct, we only have 2 bytes extra for the first 2 pages. As a -result, we end up writing past the end of the buffer. - -There are also some related issues that this also fixes. For example, -TIFFGetField can return uninitalized pointer values, and the logic to -detect a N=3 vs N=1 transfer function seemed rather strange. - -It is also strange that we declare the transfer functions to be of type -float, when the standard says they are unsigned 16 bit values. This is -fixed in another patch. - -This patch will check to ensure that the N value for every transfer -function is the same for every page. If this changes, we abort with an -error. In theory, we should perhaps check that the transfer function -itself is identical for every page, however we don't do that due to the -confusion of the type of the data in the transfer function. - -(cherry picked from commit 3dd8f6a357981a4090f126ab9025056c938b6940) ---- - libtiff/tif_dir.c | 3 +++ - tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++--------------- - 2 files changed, 47 insertions(+), 21 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index f00f8080..c36a5f3f 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) - if (td->td_samplesperpixel - td->td_extrasamples > 1) { - *va_arg(ap, uint16**) = td->td_transferfunction[1]; - *va_arg(ap, uint16**) = td->td_transferfunction[2]; -+ } else { -+ *va_arg(ap, uint16**) = NULL; -+ *va_arg(ap, uint16**) = NULL; - } - break; - case TIFFTAG_REFERENCEBLACKWHITE: -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index bdb91262..ef5d6a01 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16 pagen=0; - uint16 paged=0; - uint16 xuint16=0; -+ uint16 tiff_transferfunctioncount=0; -+ float* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); - if(directorycount > TIFF_DIR_MAX) { -@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - } - #endif - if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, -- &(t2p->tiff_transferfunction[0]), -- &(t2p->tiff_transferfunction[1]), -- &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -- t2p->tiff_transferfunctioncount = 3; -- t2p->tiff_pages[i].page_extra += 4; -- t2p->pdf_xrefcount += 4; -- } else { -- t2p->tiff_transferfunctioncount = 1; -- t2p->tiff_pages[i].page_extra += 2; -- t2p->pdf_xrefcount += 2; -- } -- if(t2p->pdf_minorversion < 2) -- t2p->pdf_minorversion = 2; -+ &(tiff_transferfunction[0]), -+ &(tiff_transferfunction[1]), -+ &(tiff_transferfunction[2]))) { -+ -+ if((tiff_transferfunction[1] != (float*) NULL) && -+ (tiff_transferfunction[2] != (float*) NULL) -+ ) { -+ tiff_transferfunctioncount=3; -+ } else { -+ tiff_transferfunctioncount=1; -+ } - } else { -- t2p->tiff_transferfunctioncount=0; -+ tiff_transferfunctioncount=0; - } -+ -+ if (i > 0){ -+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Different transfer function on page %d", -+ i); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } -+ } -+ -+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; -+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; -+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; -+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; -+ if(tiff_transferfunctioncount == 3){ -+ t2p->tiff_pages[i].page_extra += 4; -+ t2p->pdf_xrefcount += 4; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } else if (tiff_transferfunctioncount == 1){ -+ t2p->tiff_pages[i].page_extra += 2; -+ t2p->pdf_xrefcount += 2; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } -+ - if( TIFFGetField( - input, - TIFFTAG_ICCPROFILE, -@@ -1838,9 +1862,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { - if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -+ (t2p->tiff_transferfunction[2] != (float*) NULL) -+ ) { - t2p->tiff_transferfunctioncount=3; - } else { - t2p->tiff_transferfunctioncount=1; diff --git a/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch deleted file mode 100644 index e44206f..0000000 --- a/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001 -From: Brian May -Date: Thu, 7 Dec 2017 07:49:20 +1100 -Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for - transfer table - -The standard says the transfer table contains unsigned 16 bit values, -I have no idea why we refer to them as floats. - -(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9) ---- - tools/tiff2pdf.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index ef5d6a01..bd23c9e5 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -239,7 +239,7 @@ typedef struct { - float tiff_whitechromaticities[2]; - float tiff_primarychromaticities[6]; - float tiff_referenceblackwhite[2]; -- float* tiff_transferfunction[3]; -+ uint16* tiff_transferfunction[3]; - int pdf_image_interpolate; /* 0 (default) : do not interpolate, - 1 : interpolate */ - uint16 tiff_transferfunctioncount; -@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16 paged=0; - uint16 xuint16=0; - uint16 tiff_transferfunctioncount=0; -- float* tiff_transferfunction[3]; -+ uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); - if(directorycount > TIFF_DIR_MAX) { -@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - &(tiff_transferfunction[1]), - &(tiff_transferfunction[2]))) { - -- if((tiff_transferfunction[1] != (float*) NULL) && -- (tiff_transferfunction[2] != (float*) NULL) -+ if((tiff_transferfunction[1] != (uint16*) NULL) && -+ (tiff_transferfunction[2] != (uint16*) NULL) - ) { - tiff_transferfunctioncount=3; - } else { -@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) -+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && -+ (t2p->tiff_transferfunction[2] != (uint16*) NULL) - ) { - t2p->tiff_transferfunctioncount=3; - } else { diff --git a/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch deleted file mode 100644 index 6c3816b..0000000 --- a/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4d6c37328f38636d5002a6f1b584ad8e6031c61c Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 31 Dec 2017 15:09:41 +0100 -Subject: [PATCH] (CVE-2017-18013) libtiff/tif_print.c: TIFFPrintDirectory(): - fix null pointer dereference on corrupted file. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2770 - -(cherry picked from commit c6f41df7b581402dfba3c19a1e3df4454c551a01) ---- - libtiff/tif_print.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index 10a588ea..b9b53a0f 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", - (unsigned long) s, -- (unsigned __int64) td->td_stripoffset[s], -- (unsigned __int64) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); - #else - fprintf(fd, " %3lu: [%8llu, %8llu]\n", - (unsigned long) s, -- (unsigned long long) td->td_stripoffset[s], -- (unsigned long long) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); - #endif - } - } diff --git a/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch deleted file mode 100644 index e1c0322..0000000 --- a/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 54972f69399628fd2105753cbcddb36ede510507 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 12 May 2018 15:32:31 +0200 -Subject: [PATCH] (CVE-2018-8905) LZWDecodeCompat(): fix potential - index-out-of-bounds write. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 - -The fix consists in using the similar code LZWDecode() to validate we -don't write outside of the output buffer. - -(cherry picked from commit 58a898cb4459055bb488ca815c23b880c242a27d) ---- - libtiff/tif_lzw.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index bc8f9c84..186ea3ca 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - char *tp; - unsigned char *bp; - int code, nbits; -+ int len; - long nextbits, nextdata, nbitsmask; - code_t *codep, *free_entp, *maxcodep, *oldcodep; - -@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - } while (--occ); - break; - } -- assert(occ >= codep->length); -- op += codep->length; -- occ -= codep->length; -- tp = op; -+ len = codep->length; -+ tp = op + len; - do { -- *--tp = codep->value; -- } while( (codep = codep->next) != NULL ); -+ int t; -+ --tp; -+ t = codep->value; -+ codep = codep->next; -+ *tp = (char)t; -+ } while (codep && tp > op); -+ assert(occ >= len); -+ op += len; -+ occ -= len; - } else { - *op++ = (char)code; - occ--; diff --git a/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch deleted file mode 100644 index 1fd8f7b..0000000 --- a/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 142912f9f5bce169d9d0b16a687c00f9edec5825 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 12 May 2018 14:24:15 +0200 -Subject: [PATCH] (CVE-2018-10963) TIFFWriteDirectorySec: avoid assertion. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 - -(cherry picked from commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9) ---- - libtiff/tif_dirwrite.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index c68d6d21..5d0a6699 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) - } - break; - default: -- assert(0); /* we should never get here */ -- break; -+ TIFFErrorExt(tif->tif_clientdata,module, -+ "Cannot write tag %d (%s)", -+ TIFFFieldTag(o), -+ o->field_name ? o->field_name : "unknown"); -+ goto bad; - } - } - } diff --git a/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch deleted file mode 100644 index 67a79f0..0000000 --- a/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch +++ /dev/null @@ -1,38 +0,0 @@ -From a04b4c4aec3bbfbbde9602ddb4e00809a1a4f92c Mon Sep 17 00:00:00 2001 -From: Young_X -Date: Sat, 8 Sep 2018 14:46:27 +0800 -Subject: [PATCH] (CVE-2018-17100) avoid potential int32 overflows in - multiply_ms() - -(cherry picked from commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e) ---- - tools/ppm2tiff.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c -index 91415e96..81ffa3db 100644 ---- a/tools/ppm2tiff.c -+++ b/tools/ppm2tiff.c -@@ -72,15 +72,16 @@ BadPPM(char* file) - exit(-2); - } - -+ -+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) -+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -+ - static tmsize_t - multiply_ms(tmsize_t m1, tmsize_t m2) - { -- tmsize_t bytes = m1 * m2; -- -- if (m1 && bytes / m1 != m2) -- bytes = 0; -- -- return bytes; -+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) -+ return 0; -+ return m1 * m2; - } - - int diff --git a/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch deleted file mode 100644 index 0c75963..0000000 --- a/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch +++ /dev/null @@ -1,107 +0,0 @@ -From dfd5030637f8643990161311eb6b47f3292ab076 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 14 Oct 2018 16:38:29 +0200 -Subject: [PATCH] (CVE-2018-18557) JBIG: fix potential out-of-bounds write in - JBIGDecode() - -JBIGDecode doesn't check if the user provided buffer is large enough -to store the JBIG decoded image, which can potentially cause out-of-bounds -write in the buffer. -This issue was reported and analyzed by Thomas Dullien. - -Also fixes a (harmless) potential use of uninitialized memory when -tif->tif_rawsize > tif->tif_rawcc - -And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure -that whole strip data is provided to JBIGDecode() - -(cherry picked from commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66) ---- - libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------ - libtiff/tif_read.c | 6 ++++++ - 2 files changed, 32 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 7a14dd9a..8136c77b 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - struct jbg_dec_state decoder; - int decodeStatus = 0; - unsigned char* pImage = NULL; -- (void) size, (void) s; -+ unsigned long decodedSize; -+ (void) s; - - if (isFillOrder(tif, tif->tif_dir.td_fillorder)) - { -- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); -+ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); - } - - jbg_dec_init(&decoder); - - #if defined(HAVE_JBG_NEWLEN) -- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); -+ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); - /* - * I do not check the return status of jbg_newlen because even if this - * function fails it does not necessarily mean that decoding the image -@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - */ - #endif /* HAVE_JBG_NEWLEN */ - -- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, -- (size_t)tif->tif_rawdatasize, NULL); -+ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, -+ (size_t)tif->tif_rawcc, NULL); - if (JBG_EOK != decodeStatus) - { - /* -@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - return 0; - } - -+ decodedSize = jbg_dec_getsize(&decoder); -+ if( (tmsize_t)decodedSize < size ) -+ { -+ TIFFWarningExt(tif->tif_clientdata, "JBIG", -+ "Only decoded %lu bytes, whereas %lu requested", -+ decodedSize, (unsigned long)size); -+ } -+ else if( (tmsize_t)decodedSize > size ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "JBIG", -+ "Decoded %lu bytes, whereas %lu were requested", -+ decodedSize, (unsigned long)size); -+ jbg_dec_free(&decoder); -+ return 0; -+ } - pImage = jbg_dec_getimage(&decoder, 0); -- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); -+ _TIFFmemcpy(buffer, pImage, decodedSize); - jbg_dec_free(&decoder); -+ -+ tif->tif_rawcp += tif->tif_rawcc; -+ tif->tif_rawcc = 0; -+ - return 1; - } - -diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c -index 2ba985a7..04100f4d 100644 ---- a/libtiff/tif_read.c -+++ b/libtiff/tif_read.c -@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample ) - return 0; - whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 - || isMapped(tif); -+ if( td->td_compression == COMPRESSION_JBIG ) -+ { -+ /* Ideally plugins should have a way to declare they don't support -+ * chunk strip */ -+ whole_strip = 1; -+ } - #else - whole_strip = 1; - #endif diff --git a/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch deleted file mode 100644 index 9ce55f9..0000000 --- a/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 30 Oct 2018 18:50:27 +0100 -Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in - case of out of memory situation. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661 - -(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f) ---- - libtiff/tiffiop.h | 1 + - tools/tiff2bw.c | 30 ++++++++++++++++++++++++++---- - tools/tiffcrop.c | 5 ----- - 3 files changed, 27 insertions(+), 9 deletions(-) - -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index daa291c0..08e5dc44 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...); - #endif - - #define streq(a,b) (strcmp(a,b) == 0) -+#define strneq(a,b,n) (strncmp(a,b,n) == 0) - - #ifndef TRUE - #define TRUE 1 -diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c -index dad54afa..1f3bb2cd 100644 ---- a/tools/tiff2bw.c -+++ b/tools/tiff2bw.c -@@ -40,9 +40,7 @@ - #endif - - #include "tiffio.h" -- --#define streq(a,b) (strcmp((a),(b)) == 0) --#define strneq(a,b,n) (strncmp(a,b,n) == 0) -+#include "tiffiop.h" - - /* x% weighting -> fraction of full color */ - #define PCT(x) (((x)*256+50)/100) -@@ -223,6 +221,11 @@ main(int argc, char* argv[]) - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); - TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); - outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -+ if( !outbuf ) -+ { -+ fprintf(stderr, "Out of memory\n"); -+ goto tiff2bw_error; -+ } - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, - TIFFDefaultStripSize(out, rowsperstrip)); - -@@ -246,6 +249,11 @@ main(int argc, char* argv[]) - #undef CVT - } - inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); -+ if( !inbuf ) -+ { -+ fprintf(stderr, "Out of memory\n"); -+ goto tiff2bw_error; -+ } - for (row = 0; row < h; row++) { - if (TIFFReadScanline(in, inbuf, row, 0) < 0) - break; -@@ -256,6 +264,11 @@ main(int argc, char* argv[]) - break; - case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG): - inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); -+ if( !inbuf ) -+ { -+ fprintf(stderr, "Out of memory\n"); -+ goto tiff2bw_error; -+ } - for (row = 0; row < h; row++) { - if (TIFFReadScanline(in, inbuf, row, 0) < 0) - break; -@@ -265,8 +278,16 @@ main(int argc, char* argv[]) - } - break; - case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE): -+ { -+ tmsize_t inbufsize; - rowsize = TIFFScanlineSize(in); -- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize); -+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize); -+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize); -+ if( !inbuf ) -+ { -+ fprintf(stderr, "Out of memory\n"); -+ goto tiff2bw_error; -+ } - for (row = 0; row < h; row++) { - for (s = 0; s < 3; s++) - if (TIFFReadScanline(in, -@@ -278,6 +299,7 @@ main(int argc, char* argv[]) - break; - } - break; -+ } - } - #undef pack - if (inbuf) -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index c60cb389..3862b1ca 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring); - - #define TIFF_UINT32_MAX 0xFFFFFFFFU - --#ifndef streq --#define streq(a,b) (strcmp((a),(b)) == 0) --#endif --#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0) -- - #define TRUE 1 - #define FALSE 0 - diff --git a/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch deleted file mode 100644 index 6dbf46d..0000000 --- a/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 14212e5d19b47d02a4989aa31b9a326c1b131460 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Nikola=20Forr=C3=B3?= -Date: Wed, 31 Oct 2018 11:50:48 +0100 -Subject: [PATCH] (bz1602597) Fix two resource leaks -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Nikola Forró -(cherry picked from commit 2f694198f1931e144e0a07a7fb50546b5b70e3ef) ---- - tools/ppm2tiff.c | 2 ++ - tools/tiff2pdf.c | 1 + - 2 files changed, 3 insertions(+) - -diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c -index 81ffa3db..a02e865a 100644 ---- a/tools/ppm2tiff.c -+++ b/tools/ppm2tiff.c -@@ -285,6 +285,8 @@ main(int argc, char* argv[]) - if (TIFFWriteScanline(out, buf, row, 0) < 0) - break; - } -+ if (in != stdin) -+ fclose(in); - (void) TIFFClose(out); - if (buf) - _TIFFfree(buf); -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index bd23c9e5..ff7b9c22 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_ - "for t2p_readwrite_pdf_image_tile, %s", - (unsigned long) t2p->tiff_datasize, - TIFFFileName(input)); -+ _TIFFfree(buffer); - t2p->t2p_error = T2P_ERR_ERROR; - return(0); - } diff --git a/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch deleted file mode 100644 index 52c80b0..0000000 --- a/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Mon, 11 Feb 2019 10:05:33 +0100 -Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do - no overflow - -fixes bug 2833 - -(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d) ---- - tools/tiffcp.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 489459a7..96f14728 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -43,6 +43,7 @@ - #include - #include - #include -+#include - - #include - -@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - int status = 1; - uint32 imagew = TIFFRasterScanlineSize(in); - uint32 tilew = TIFFTileRowSize(in); -- int iskew = imagew - tilew*spp; -+ int iskew; - tsize_t tilesize = TIFFTileSize(in); - tdata_t tilebuf; - uint8* bufp = (uint8*) buf; -@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - uint32 row; - uint16 bps = 0, bytes_per_sample; - -+ if (tilew && spp > (INT_MAX / tilew)) -+ { -+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); -+ return 0; -+ } -+ iskew = imagew - tilew*spp; - tilebuf = _TIFFmalloc(tilesize); - if (tilebuf == 0) - return 0; diff --git a/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch deleted file mode 100644 index 8eca5e5..0000000 --- a/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch +++ /dev/null @@ -1,423 +0,0 @@ -From 00aeede6bdba3cb74943932b24accc7ba61d2cb0 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 10 Aug 2019 18:25:03 +0200 -Subject: [PATCH] (CVE-2019-14973) Fix integer overflow in _TIFFCheckMalloc() - and other implementation-defined behaviour (CVE-2019-14973) - -_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow -in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus -signed), which was especially easily triggered on 32-bit builds (with recent -enough compilers that assume that signed multiplication cannot overflow, since -this is undefined behaviour by the C standard). The original issue which lead to -this fix was trigged from tif_fax3.c - -There were also unsafe (implementation defied), and broken in practice on 64bit -builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing -(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known -at that time exploits, but are better to fix in a more bullet-proof way. -Or similarly use of (int64)uint64_var <= 0. - -(cherry picked from commit 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773) ---- - libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++----- - libtiff/tif_getimage.c | 6 ++---- - libtiff/tif_luv.c | 8 +------ - libtiff/tif_pixarlog.c | 7 +----- - libtiff/tif_read.c | 38 +++++++++----------------------- - libtiff/tif_strip.c | 35 ++++-------------------------- - libtiff/tif_tile.c | 27 +++-------------------- - libtiff/tiffiop.h | 7 +++++- - 8 files changed, 71 insertions(+), 106 deletions(-) - -diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c -index 10b8d00c..38a98b67 100644 ---- a/libtiff/tif_aux.c -+++ b/libtiff/tif_aux.c -@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) - return bytes; - } - -+tmsize_t -+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) -+{ -+ if( first <= 0 || second <= 0 ) -+ { -+ if( tif != NULL && where != NULL ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, where, -+ "Invalid argument to _TIFFMultiplySSize() in %s", where); -+ } -+ return 0; -+ } -+ -+ if( first > TIFF_TMSIZE_T_MAX / second ) -+ { -+ if( tif != NULL && where != NULL ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, where, -+ "Integer overflow in %s", where); -+ } -+ return 0; -+ } -+ return first * second; -+} -+ -+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) -+{ -+ if( val > (uint64)TIFF_TMSIZE_T_MAX ) -+ { -+ if( tif != NULL && module != NULL ) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -+ } -+ return 0; -+ } -+ return (tmsize_t)val; -+} -+ - void* - _TIFFCheckRealloc(TIFF* tif, void* buffer, - tmsize_t nmemb, tmsize_t elem_size, const char* what) - { - void* cp = NULL; -- tmsize_t bytes = nmemb * elem_size; -- -+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); - /* -- * XXX: Check for integer overflow. -+ * Check for integer overflow. - */ -- if (nmemb && elem_size && bytes / elem_size == nmemb) -- cp = _TIFFrealloc(buffer, bytes); -+ if (count != 0) -+ { -+ cp = _TIFFrealloc(buffer, count); -+ } - - if (cp == NULL) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index fc554cca..ec09feaf 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - uint32 leftmost_tw; - - tilesize = TIFFTileSize(tif); -- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); -+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); - if (bufsize == 0) { -- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); - return (0); - } - -@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - uint16 colorchannels; - - stripsize = TIFFStripSize(tif); -- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); -+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); - if (bufsize == 0) { -- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); - return (0); - } - -diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c -index 4b25244b..c4cb73a3 100644 ---- a/libtiff/tif_luv.c -+++ b/libtiff/tif_luv.c -@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td) - return (SGILOGDATAFMT_UNKNOWN); - } - -- --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -- - static tmsize_t - multiply_ms(tmsize_t m1, tmsize_t m2) - { -- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) -- return 0; -- return m1 * m2; -+ return _TIFFMultiplySSize(NULL, m1, m2, NULL); - } - - static int -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c -index 979858da..8e9eaa1d 100644 ---- a/libtiff/tif_pixarlog.c -+++ b/libtiff/tif_pixarlog.c -@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td) - return guess; - } - --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -- - static tmsize_t - multiply_ms(tmsize_t m1, tmsize_t m2) - { -- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) -- return 0; -- return m1 * m2; -+ return _TIFFMultiplySSize(NULL, m1, m2, NULL); - } - - static tmsize_t -diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c -index 04100f4d..9a0e6e95 100644 ---- a/libtiff/tif_read.c -+++ b/libtiff/tif_read.c -@@ -31,9 +31,6 @@ - #include "tiffiop.h" - #include - --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -- - int TIFFFillStrip(TIFF* tif, uint32 strip); - int TIFFFillTile(TIFF* tif, uint32 tile); - static int TIFFStartStrip(TIFF* tif, uint32 strip); -@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m - #define THRESHOLD_MULTIPLIER 10 - #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) - -+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF) -+ - /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' - * Returns 1 in case of success, 0 otherwise. */ - static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, -@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) - return ((tmsize_t)(-1)); - } - bytecount = td->td_stripbytecount[strip]; -- if ((int64)bytecount <= 0) { --#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) -- TIFFErrorExt(tif->tif_clientdata, module, -- "%I64u: Invalid strip byte count, strip %lu", -- (unsigned __int64) bytecount, -- (unsigned long) strip); --#else -- TIFFErrorExt(tif->tif_clientdata, module, -- "%llu: Invalid strip byte count, strip %lu", -- (unsigned long long) bytecount, -- (unsigned long) strip); --#endif -- return ((tmsize_t)(-1)); -- } -- bytecountm = (tmsize_t)bytecount; -- if ((uint64)bytecountm!=bytecount) { -- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); -+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module); -+ if (bytecountm == 0) { - return ((tmsize_t)(-1)); - } - if (size != (tmsize_t)(-1) && size < bytecountm) -@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) - if ((tif->tif_flags&TIFF_NOREADRAW)==0) - { - uint64 bytecount = td->td_stripbytecount[strip]; -- if ((int64)bytecount <= 0) { -+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, - "Invalid strip byte count %I64u, strip %lu", -@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) - (bytecount - 4096) / 10 > (uint64)stripsize ) - { - uint64 newbytecount = (uint64)stripsize * 10 + 4096; -- if( (int64)newbytecount >= 0 ) -+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) - { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFWarningExt(tif->tif_clientdata, module, -@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) - bytecount64 = td->td_stripbytecount[tile]; - if (size != (tmsize_t)(-1) && (uint64)size < bytecount64) - bytecount64 = (uint64)size; -- bytecountm = (tmsize_t)bytecount64; -- if ((uint64)bytecountm!=bytecount64) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module); -+ if( bytecountm == 0 ) { - return ((tmsize_t)(-1)); - } - return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); -@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) - if ((tif->tif_flags&TIFF_NOREADRAW)==0) - { - uint64 bytecount = td->td_stripbytecount[tile]; -- if ((int64)bytecount <= 0) { -+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, - "%I64u: Invalid tile byte count, tile %lu", -@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) - (bytecount - 4096) / 10 > (uint64)stripsize ) - { - uint64 newbytecount = (uint64)stripsize * 10 + 4096; -- if( (int64)newbytecount >= 0 ) -+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) - { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFWarningExt(tif->tif_clientdata, module, -diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c -index 6e9f2ef6..321ad6b9 100644 ---- a/libtiff/tif_strip.c -+++ b/libtiff/tif_strip.c -@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) - { - static const char module[] = "TIFFVStripSize"; - uint64 m; -- tmsize_t n; - m=TIFFVStripSize64(tif,nrows); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif) - { - static const char module[] = "TIFFStripSize"; - uint64 m; -- tmsize_t n; - m=TIFFStripSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif) - { - static const char module[] = "TIFFScanlineSize"; - uint64 m; -- tmsize_t n; - m=TIFFScanlineSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif) - { - static const char module[] = "TIFFRasterScanlineSize"; - uint64 m; -- tmsize_t n; - m=TIFFRasterScanlineSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* vim: set ts=8 sts=8 sw=8 noet: */ -diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c -index 388e168a..7d057509 100644 ---- a/libtiff/tif_tile.c -+++ b/libtiff/tif_tile.c -@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif) - { - static const char module[] = "TIFFTileRowSize"; - uint64 m; -- tmsize_t n; - m=TIFFTileRowSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) - { - static const char module[] = "TIFFVTileSize"; - uint64 m; -- tmsize_t n; - m=TIFFVTileSize64(tif,nrows); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif) - { - static const char module[] = "TIFFTileSize"; - uint64 m; -- tmsize_t n; - m=TIFFTileSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index 08e5dc44..d4b86314 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); - #define FALSE 0 - #endif - -+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) -+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -+ - typedef struct client_info { - struct client_info *next; - void *data; -@@ -260,7 +263,7 @@ struct tiff { - #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) - #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) - --/* Safe multiply which returns zero if there is an integer overflow */ -+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ - #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) - - #define TIFFmax(A,B) ((A)>(B)?(A):(B)) -@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; - - extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); - extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); -+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); -+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); - extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); - extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); - diff --git a/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch deleted file mode 100644 index 9d0adc8..0000000 --- a/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch +++ /dev/null @@ -1,102 +0,0 @@ -From a1c493aa4f22f9d1a4757c05a60addc877519cea Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 15 Aug 2019 15:05:28 +0200 -Subject: [PATCH] (CVE-2019-17546) RGBA interface: fix integer overflow - potentially causing write heap buffer overflow, especially on 32 bit builds. - Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to - OSS Fuzz - -(cherry picked from commit 4bb584a35f87af42d6cf09d15e9ce8909a839145) ---- - libtiff/tif_getimage.c | 26 ++++++++++++++++++++------ - 1 file changed, 20 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index ec09feaf..c6edd27c 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - fromskew = (w < imagewidth ? imagewidth - w : 0); - for (row = 0; row < h; row += nrow) - { -+ uint32 temp; - rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; - nrow = (row + rowstoread > h ? h - row : rowstoread); - nrowsub = nrow; - if ((nrowsub%subsamplingver)!=0) - nrowsub+=subsamplingver-nrowsub%subsamplingver; -+ temp = (row + img->row_offset)%rowsperstrip + nrowsub; -+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); -+ return 0; -+ } - if (_TIFFReadEncodedStripAndAllocBuffer(tif, - TIFFComputeStrip(tif,row+img->row_offset, 0), - (void**)(&buf), - maxstripsize, -- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) -+ temp * scanline)==(tmsize_t)(-1) - && (buf == NULL || img->stoponerr)) - { - ret = 0; -@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - fromskew = (w < imagewidth ? imagewidth - w : 0); - for (row = 0; row < h; row += nrow) - { -+ uint32 temp; - rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; - nrow = (row + rowstoread > h ? h - row : rowstoread); - offset_row = row + img->row_offset; -+ temp = (row + img->row_offset)%rowsperstrip + nrow; -+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); -+ return 0; -+ } - if( buf == NULL ) - { - if (_TIFFReadEncodedStripAndAllocBuffer( - tif, TIFFComputeStrip(tif, offset_row, 0), - (void**) &buf, bufsize, -- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ temp * scanline)==(tmsize_t)(-1) - && (buf == NULL || img->stoponerr)) - { - ret = 0; -@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - } - else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), -- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ p0, temp * scanline)==(tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - if (colorchannels > 1 - && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), -- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) -+ p1, temp * scanline) == (tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - if (colorchannels > 1 - && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), -- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) -+ p2, temp * scanline) == (tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - if (alpha) - { - if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), -- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ pa, temp * scanline)==(tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; diff --git a/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch deleted file mode 100644 index 03f47a0..0000000 --- a/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Sun, 15 Nov 2020 17:02:51 +0100 -Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory - limit in tiff2rgba - -fixes #207 -fixes #209 - -(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d) ---- - tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c -index 4de96aec..e6de2209 100644 ---- a/tools/tiff2rgba.c -+++ b/tools/tiff2rgba.c -@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1; - int process_by_block = 0; /* default is whole image at once */ - int no_alpha = 0; - int bigtiff_output = 0; -+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) -+/* malloc size limit (in bytes) -+ * disabled when set to 0 */ -+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; - - - static int tiffcvt(TIFF* in, TIFF* out); -@@ -70,8 +74,11 @@ main(int argc, char* argv[]) - extern char *optarg; - #endif - -- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1) -+ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1) - switch (c) { -+ case 'M': -+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; -+ break; - case 'b': - process_by_block = 1; - break; -@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) - (unsigned long)width, (unsigned long)height); - return 0; - } -+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { -+ TIFFError(TIFFFileName(in), -+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", -+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); -+ return 0; -+ } - - rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); -@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out) - TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); - CopyField(TIFFTAG_DOCUMENTNAME, stringv); - -+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) -+ { -+ TIFFError(TIFFFileName(in), -+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", -+ (uint64)TIFFStripSize(in), (uint64)maxMalloc); -+ return 0; -+ } - if( process_by_block && TIFFIsTiled( in ) ) - return( cvt_by_tile( in, out ) ); - else if( process_by_block ) -@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out) - } - - static char* stuff[] = { -- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", -+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", - "where comp is one of the following compression algorithms:", - " jpeg\t\tJPEG encoding", - " zip\t\tZip/Deflate encoding", -@@ -543,6 +563,7 @@ static char* stuff[] = { - " -b (progress by block rather than as a whole image)", - " -n don't emit alpha component.", - " -8 write BigTIFF file instead of ClassicTIFF", -+ " -M set the memory allocation limit in MiB. 0 to disable limit", - NULL - }; - diff --git a/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch deleted file mode 100644 index f150651..0000000 --- a/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch +++ /dev/null @@ -1,50 +0,0 @@ -From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Tue, 10 Nov 2020 01:54:30 +0100 -Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for - overflow - -fixes #211 - -(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2) ---- - libtiff/tif_getimage.c | 17 +++++++++++++---- - 1 file changed, 13 insertions(+), 4 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index c6edd27c..b1f7cc95 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -31,6 +31,7 @@ - */ - #include "tiffiop.h" - #include -+#include - - static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); - static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); -@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - - flip = setorientation(img); - if (flip & FLIP_VERTICALLY) { -- y = h - 1; -- toskew = -(int32)(tw + w); -+ if ((tw + w) > INT_MAX) { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); -+ return (0); -+ } -+ y = h - 1; -+ toskew = -(int32)(tw + w); - } - else { -- y = 0; -- toskew = -(int32)(tw - w); -+ if (tw > (INT_MAX + w)) { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); -+ return (0); -+ } -+ y = 0; -+ toskew = -(int32)(tw - w); - } - - /* diff --git a/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch deleted file mode 100644 index 59e4fbc..0000000 --- a/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Sat, 14 Nov 2020 12:53:01 +0000 -Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when - saving to JPEG YCbCr - -fixes #220 - -(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22) ---- - tools/tiff2pdf.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index ff7b9c22..a5db1f64 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){ - #endif - (void) 0; - } -- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); -- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ -- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); -+#ifdef JPEG_SUPPORT -+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG -+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) { -+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p); -+ } else -+#endif -+ { -+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); -+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ -+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); -+ } - } - if (k == 0) { - /* Assume we had overflow inside TIFFScanlineSize */ diff --git a/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch deleted file mode 100644 index 094b908..0000000 --- a/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Mon, 11 Feb 2019 23:08:25 +0100 -Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and - 4 - -too much bytes were processed, causing a heap buffer overrun - http://bugzilla.maptools.org/show_bug.cgi?id=2831 -the loop counter must be - for (col = 0; col < width; col += 8 / bps) - -Also the values were not properly calculated. It should be -255-x, 15-x, 3-x for bps 8, 4, 2. - -But anyway it is easyer to invert all bits as 255-x = ~x, etc. -(substracting from a binary number composed of all 1 is like inverting -the bits) - -(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0) ---- - tools/tiffcrop.c | 37 ++++++------------------------------- - 1 file changed, 6 insertions(+), 31 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 3862b1ca..a6129148 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -9142,7 +9142,6 @@ static int - invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff) - { - uint32 row, col; -- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4; - unsigned char *src; - uint16 *src_uint16; - uint32 *src_uint32; -@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len - for (row = 0; row < length; row++) - for (col = 0; col < width; col++) - { -- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32; -+ *src_uint32 = ~(*src_uint32); - src_uint32++; - } - break; -@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len - for (row = 0; row < length; row++) - for (col = 0; col < width; col++) - { -- *src_uint16 = (uint16)0xFFFF - *src_uint16; -+ *src_uint16 = ~(*src_uint16); - src_uint16++; - } - break; -- case 8: for (row = 0; row < length; row++) -- for (col = 0; col < width; col++) -- { -- *src = (uint8)255 - *src; -- src++; -- } -- break; -- case 4: for (row = 0; row < length; row++) -- for (col = 0; col < width; col++) -- { -- bytebuff1 = 16 - (uint8)(*src & 240 >> 4); -- bytebuff2 = 16 - (*src & 15); -- *src = bytebuff1 << 4 & bytebuff2; -- src++; -- } -- break; -- case 2: for (row = 0; row < length; row++) -- for (col = 0; col < width; col++) -- { -- bytebuff1 = 4 - (uint8)(*src & 192 >> 6); -- bytebuff2 = 4 - (uint8)(*src & 48 >> 4); -- bytebuff3 = 4 - (uint8)(*src & 12 >> 2); -- bytebuff4 = 4 - (uint8)(*src & 3); -- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4; -- src++; -- } -- break; -+ case 8: -+ case 4: -+ case 2: - case 1: for (row = 0; row < length; row++) -- for (col = 0; col < width; col += 8 /(spp * bps)) -+ for (col = 0; col < width; col += 8 / bps) - { - *src = ~(*src); - src++; diff --git a/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch deleted file mode 100644 index 146f7b6..0000000 --- a/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b94f6754796d32e204b874b3660a125973815933 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 6 Feb 2022 13:08:38 +0100 -Subject: [PATCH] (CVE-2022-0561) TIFFFetchStripThing(): avoid calling memcpy() - with a null source pointer and size of zero (fixes #362) - -(cherry picked from commit eecb0712f4c3a5b449f70c57988260a667ddbdef) ---- - libtiff/tif_dirread.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 80aaf8d1..1e6f1c2f 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5633,8 +5633,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); -- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); -+ if( dir->tdir_count ) -+ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); -+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); - _TIFFfree(data); - data=resizeddata; - } diff --git a/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch deleted file mode 100644 index 26116a2..0000000 --- a/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch +++ /dev/null @@ -1,25 +0,0 @@ -From b7426cc131d837de8d139b8007f66f9db59c4f6a Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 5 Feb 2022 20:36:41 +0100 -Subject: [PATCH] (CVE-2022-0562) TIFFReadDirectory(): avoid calling memcpy() - with a null source pointer and size of zero (fixes #362) - -(cherry picked from commit 561599c99f987dc32ae110370cfdd7df7975586b) ---- - libtiff/tif_dirread.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 1e6f1c2f..d68aecc5 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -4083,7 +4083,8 @@ TIFFReadDirectory(TIFF* tif) - goto bad; - } - -- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -+ if (old_extrasamples > 0) -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); - _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); - _TIFFfree(new_sampleinfo); - } diff --git a/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch deleted file mode 100644 index c07175a..0000000 --- a/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Tue, 25 Jan 2022 16:25:28 +0000 -Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for - ASCII tags where count is required (fixes #355) - -(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64) ---- - tools/tiffset.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffset.c b/tools/tiffset.c -index 894c9f1f..e4b0d49f 100644 ---- a/tools/tiffset.c -+++ b/tools/tiffset.c -@@ -134,9 +134,19 @@ main(int argc, char* argv[]) - - arg_index++; - if (TIFFFieldDataType(fip) == TIFF_ASCII) { -- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) -+ if(TIFFFieldPassCount( fip )) { -+ size_t len; -+ len = strlen(argv[arg_index]) + 1; -+ if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip), -+ (uint16)len, argv[arg_index]) != 1) - fprintf( stderr, "Failed to set %s=%s\n", - TIFFFieldName(fip), argv[arg_index] ); -+ } else { -+ if (TIFFSetField(tiff, TIFFFieldTag(fip), -+ argv[arg_index]) != 1) -+ fprintf( stderr, "Failed to set %s=%s\n", -+ TIFFFieldName(fip), argv[arg_index] ); -+ } - } else if (TIFFFieldWriteCount(fip) > 0 - || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { - int ret = 1; diff --git a/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch deleted file mode 100644 index be0fa01..0000000 --- a/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 24 Feb 2022 22:26:02 +0100 -Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file - with multiple IFD in memory-mapped mode and when bit reversal is needed - (fixes #385) - -(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067) ---- - libtiff/tif_jbig.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 8136c77b..698428f0 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) - */ - tif->tif_flags |= TIFF_NOBITREV; - tif->tif_flags &= ~TIFF_MAPPED; -+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and -+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial -+ * value to be consistent with the state of a non-memory mapped file. -+ */ -+ if (tif->tif_flags&TIFF_BUFFERMMAP) { -+ tif->tif_rawdata = NULL; -+ tif->tif_rawdatasize = 0; -+ tif->tif_flags &= ~TIFF_BUFFERMMAP; -+ tif->tif_flags |= TIFF_MYBUFFER; -+ } - - /* Setup the function pointers for encode, decode, and cleanup. */ - tif->tif_setupdecode = JBIGSetupDecode; diff --git a/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch deleted file mode 100644 index d790f39..0000000 --- a/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch +++ /dev/null @@ -1,198 +0,0 @@ -From 465c2d93e2a2d20ac4844ad0d98b35f00e8063fb Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Tue, 8 Mar 2022 17:02:44 +0000 -Subject: [PATCH] (CVE-2022-0891) tiffcrop: fix issue #380 and #382 heap buffer - overflow in extractImageSection - -(cherry picked from commit 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c) ---- - tools/tiffcrop.c | 84 ++++++++++++++++++------------------------------ - 1 file changed, 32 insertions(+), 52 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index a6129148..83cf80ad 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -6668,10 +6668,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - uint32 img_length; - #endif -- uint32 j, shift1, shift2, trailing_bits; -+ uint32 j, shift1, trailing_bits; - uint32 row, first_row, last_row, first_col, last_col; - uint32 src_offset, dst_offset, row_offset, col_offset; -- uint32 offset1, offset2, full_bytes; -+ uint32 offset1, full_bytes; - uint32 sect_width; - #ifdef DEVELMODE - uint32 sect_length; -@@ -6681,7 +6681,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - int k; - unsigned char bitset; -- static char *bitarray = NULL; - #endif - - img_width = image->width; -@@ -6699,17 +6698,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - dst_offset = 0; - - #ifdef DEVELMODE -- if (bitarray == NULL) -- { -- if ((bitarray = (char *)malloc(img_width)) == NULL) -- { -- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); -- return (-1); -- } -- } -+ char bitarray[39]; - #endif - -- /* rows, columns, width, length are expressed in pixels */ -+ /* rows, columns, width, length are expressed in pixels -+ * first_row, last_row, .. are index into image array starting at 0 to width-1, -+ * last_col shall be also extracted. */ - first_row = section->y1; - last_row = section->y2; - first_col = section->x1; -@@ -6719,9 +6713,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - sect_length = last_row - first_row + 1; - #endif -- img_rowsize = ((img_width * bps + 7) / 8) * spp; -+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved -+ * samples rather than separate planes so the same logic works to extract regions -+ * regardless of the way the data are organized in the input file. -+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 -+ */ -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ - full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -- trailing_bits = (sect_width * bps) % 8; -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ - - #ifdef DEVELMODE - TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n", -@@ -6734,10 +6733,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if ((bps % 8) == 0) - { -- col_offset = first_col * spp * bps / 8; -+ col_offset = (first_col * spp * bps) / 8; - for (row = first_row; row <= last_row; row++) - { -- /* row_offset = row * img_width * spp * bps / 8; */ - row_offset = row * img_rowsize; - src_offset = row_offset + col_offset; - -@@ -6750,14 +6748,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - } - else - { /* bps != 8 */ -- shift1 = spp * ((first_col * bps) % 8); -- shift2 = spp * ((last_col * bps) % 8); -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ - for (row = first_row; row <= last_row; row++) - { - /* pull out the first byte */ - row_offset = row * img_rowsize; -- offset1 = row_offset + (first_col * bps / 8); -- offset2 = row_offset + (last_col * bps / 8); -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ - - #ifdef DEVELMODE - for (j = 0, k = 7; j < 8; j++, k--) -@@ -6769,12 +6765,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - sprintf(&bitarray[9], " "); - for (j = 10, k = 7; j < 18; j++, k--) - { -- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; -+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; - sprintf(&bitarray[j], (bitset) ? "1" : "0"); - } - bitarray[18] = '\0'; -- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n", -- row, offset1, shift1, offset2, shift2); -+ TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Trailing_bits: %d\n", -+ row, offset1, shift1, offset1+full_bytes, trailing_bits); - #endif - - bytebuff1 = bytebuff2 = 0; -@@ -6798,11 +6794,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if (trailing_bits != 0) - { -- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); -+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ -+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); - sect_buff[dst_offset] = bytebuff2; - #ifdef DEVELMODE - TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", -- offset2, dst_offset); -+ offset1 + full_bytes, dst_offset); - for (j = 30, k = 7; j < 38; j++, k--) - { - bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; -@@ -6821,8 +6818,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - for (j = 0; j <= full_bytes; j++) - { -+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ -+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ - bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); -+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); - sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); - } - #ifdef DEVELMODE -@@ -6838,35 +6837,16 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - dst_offset += full_bytes; - -+ /* Copy the trailing_bits for the last byte in the destination buffer. -+ Could come from one ore two bytes of the source buffer. */ - if (trailing_bits != 0) - { - #ifdef DEVELMODE -- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset); --#endif -- if (shift2 > shift1) -- { -- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); -- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); -- sect_buff[dst_offset] = bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 > Shift1\n"); -+ TIFFError("", " Trailing bits %4d src offset: %8d, Dst offset: %8d\n", trailing_bits, offset1 + full_bytes, dst_offset); - #endif -- } -- else -- { -- if (shift2 < shift1) -- { -- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); -- sect_buff[dst_offset] &= bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 < Shift1\n"); --#endif -- } --#ifdef DEVELMODE -- else -- TIFFError ("", " Shift2 == Shift1\n"); --#endif -- } -+ /* More than necessary bits are already copied into last destination buffer, -+ * only masking of last byte in destination buffer is necessary.*/ -+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); - } - #ifdef DEVELMODE - sprintf(&bitarray[28], " "); -@@ -7020,7 +7000,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, - width = sections[i].x2 - sections[i].x1 + 1; - length = sections[i].y2 - sections[i].y1 + 1; - sectsize = (uint32) -- ceil((width * image->bps + 7) / (double)8) * image->spp * length; -+ ceil((width * image->bps * image->spp + 7) / (double)8) * length; - /* allocate a buffer if we don't have one already */ - if (createImageSection(sectsize, sect_buff_ptr)) - { diff --git a/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch deleted file mode 100644 index bc3af27..0000000 --- a/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Thu, 10 Mar 2022 08:48:00 +0000 -Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278) - -(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a) ---- - tools/tiffcp.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 96f14728..d5f1d248 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - tdata_t obuf; - tstrip_t strip = 0; - tsample_t s; -+ uint16 bps = 0, bytes_per_sample; - - obuf = _TIFFmalloc(stripsize); - if (obuf == NULL) - return (0); - _TIFFmemset(obuf, 0, stripsize); - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); -+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps == 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ if( (bps % 8) != 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ bytes_per_sample = bps/8; - for (s = 0; s < spp; s++) { - uint32 row; - for (row = 0; row < imagelength; row += rowsperstrip) { -@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - - cpContigBufToSeparateBuf( - obuf, (uint8*) buf + row*rowsize + s, -- nrows, imagewidth, 0, 0, spp, 1); -+ nrows, imagewidth, 0, 0, spp, bytes_per_sample); - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { - TIFFError(TIFFFileName(out), - "Error, can't write strip %u", diff --git a/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch deleted file mode 100644 index 70461d8..0000000 --- a/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch +++ /dev/null @@ -1,30 +0,0 @@ -From fb2bd72a49496d10c4860102b7c26b9bc8adff70 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Tue, 8 Mar 2022 16:22:04 +0000 -Subject: [PATCH] (CVE-2022-0909) fix the FPE in tiffcrop (#393) - -(cherry picked from commit 32ea0722ee68f503b7a3f9b2d557acb293fc8cde) ---- - libtiff/tif_dir.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index c36a5f3f..f126f2aa 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -320,13 +320,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - break; - case TIFFTAG_XRESOLUTION: - dblval = va_arg(ap, double); -- if( dblval < 0 ) -+ if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; - td->td_xresolution = TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_YRESOLUTION: - dblval = va_arg(ap, double); -- if( dblval < 0 ) -+ if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; - td->td_yresolution = TIFFClampDoubleToFloat( dblval ); - break; diff --git a/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch deleted file mode 100644 index 931a2fa..0000000 --- a/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch +++ /dev/null @@ -1,27 +0,0 @@ -From e1ee7d9aa1936d5d2f8c7e1a453ad669ed6b38dd Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 17 Feb 2022 15:28:43 +0100 -Subject: [PATCH] (CVE-2022-0908) TIFFFetchNormalTag(): avoid calling memcpy() - with a null source pointer and size of zero (fixes #383) - -(cherry picked from commit a95b799f65064e4ba2e2dfc206808f86faf93e85) ---- - libtiff/tif_dirread.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index d68aecc5..b72e6a3b 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -4972,7 +4972,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(o,data,(uint32)dp->tdir_count); -+ if (dp->tdir_count > 0 ) -+ { -+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count); -+ } - o[(uint32)dp->tdir_count]=0; - if (data!=0) - _TIFFfree(data); diff --git a/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch deleted file mode 100644 index 706254e..0000000 --- a/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch +++ /dev/null @@ -1,55 +0,0 @@ -From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Sat, 2 Apr 2022 22:33:31 +0200 -Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode" - string (fixes #400) - -(cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96) ---- - tools/tiffcp.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index d5f1d248..fb98bd57 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -249,19 +249,34 @@ main(int argc, char* argv[]) - deftilewidth = atoi(optarg); - break; - case 'B': -- *mp++ = 'b'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode) - 1)) -+ { -+ *mp++ = 'b'; *mp = '\0'; -+ } - break; - case 'L': -- *mp++ = 'l'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode) - 1)) -+ { -+ *mp++ = 'l'; *mp = '\0'; -+ } - break; - case 'M': -- *mp++ = 'm'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode) - 1)) -+ { -+ *mp++ = 'm'; *mp = '\0'; -+ } - break; - case 'C': -- *mp++ = 'c'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode) - 1)) -+ { -+ *mp++ = 'c'; *mp = '\0'; -+ } - break; - case '8': -- *mp++ = '8'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode)-1)) -+ { -+ *mp++ = '8'; *mp = '\0'; -+ } - break; - case 'x': - pageInSeq = 1; diff --git a/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch b/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch deleted file mode 100644 index e8cbc0f..0000000 --- a/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch +++ /dev/null @@ -1,161 +0,0 @@ -From 9ed8c91366c9f6a3c9068aee6c5a7a0fe1c5c9c8 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Tue, 12 Feb 2019 16:04:28 +0100 -Subject: [PATCH] move _TIFFClampDoubleToFloat() to tif_aux.c - -the same function was declared in tif_dir.c and tif_dirwrite.c - -see http://bugzilla.maptools.org/show_bug.cgi?id=2842 - -(cherry picked from commit 8420a31e8ca5181ca36580cfeeca28661b348262) ---- - libtiff/tif_aux.c | 10 ++++++++++ - libtiff/tif_dir.c | 20 +++++--------------- - libtiff/tif_dirwrite.c | 12 +----------- - libtiff/tiffiop.h | 2 ++ - 4 files changed, 18 insertions(+), 26 deletions(-) - -diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c -index 38a98b67..2071d19c 100644 ---- a/libtiff/tif_aux.c -+++ b/libtiff/tif_aux.c -@@ -32,6 +32,7 @@ - #include "tiffiop.h" - #include "tif_predict.h" - #include -+#include - - uint32 - _TIFFMultiply32(TIFF* tif, uint32 first, uint32 second, const char* where) -@@ -398,6 +399,15 @@ _TIFFUInt64ToDouble(uint64 ui64) - } - } - -+float _TIFFClampDoubleToFloat( double val ) -+{ -+ if( val > FLT_MAX ) -+ return FLT_MAX; -+ if( val < -FLT_MAX ) -+ return -FLT_MAX; -+ return (float)val; -+} -+ - int _TIFFSeekOK(TIFF* tif, toff_t off) - { - /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index f126f2aa..ad550c65 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -31,7 +31,6 @@ - * (and also some miscellaneous stuff) - */ - #include "tiffiop.h" --#include - - /* - * These are used in the backwards compatibility code... -@@ -155,15 +154,6 @@ bad: - return (0); - } - --static float TIFFClampDoubleToFloat( double val ) --{ -- if( val > FLT_MAX ) -- return FLT_MAX; -- if( val < -FLT_MAX ) -- return -FLT_MAX; -- return (float)val; --} -- - static int - _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - { -@@ -322,13 +312,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - dblval = va_arg(ap, double); - if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; -- td->td_xresolution = TIFFClampDoubleToFloat( dblval ); -+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_YRESOLUTION: - dblval = va_arg(ap, double); - if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; -- td->td_yresolution = TIFFClampDoubleToFloat( dblval ); -+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_PLANARCONFIG: - v = (uint16) va_arg(ap, uint16_vap); -@@ -337,10 +327,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - td->td_planarconfig = (uint16) v; - break; - case TIFFTAG_XPOSITION: -- td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); -+ td->td_xposition = _TIFFClampDoubleToFloat( va_arg(ap, double) ); - break; - case TIFFTAG_YPOSITION: -- td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); -+ td->td_yposition = _TIFFClampDoubleToFloat( va_arg(ap, double) ); - break; - case TIFFTAG_RESOLUTIONUNIT: - v = (uint16) va_arg(ap, uint16_vap); -@@ -686,7 +676,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - case TIFF_SRATIONAL: - case TIFF_FLOAT: - { -- float v2 = TIFFClampDoubleToFloat(va_arg(ap, double)); -+ float v2 = _TIFFClampDoubleToFloat(va_arg(ap, double)); - _TIFFmemcpy(val, &v2, tv_size); - } - break; -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 5d0a6699..03a9f296 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -30,7 +30,6 @@ - * Directory Write Support Routines. - */ - #include "tiffiop.h" --#include - - #ifdef HAVE_IEEEFP - #define TIFFCvtNativeToIEEEFloat(tif, n, fp) -@@ -948,15 +947,6 @@ bad: - return(0); - } - --static float TIFFClampDoubleToFloat( double val ) --{ -- if( val > FLT_MAX ) -- return FLT_MAX; -- if( val < -FLT_MAX ) -- return -FLT_MAX; -- return (float)val; --} -- - static int8 TIFFClampDoubleToInt8( double val ) - { - if( val > 127 ) -@@ -1031,7 +1021,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di - if (tif->tif_dir.td_bitspersample<=32) - { - for (i = 0; i < count; ++i) -- ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); -+ ((float*)conv)[i] = _TIFFClampDoubleToFloat(value[i]); - ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); - } - else -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index d4b86314..05ba735b 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -377,6 +377,8 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); - extern double _TIFFUInt64ToDouble(uint64); - extern float _TIFFUInt64ToFloat(uint64); - -+extern float _TIFFClampDoubleToFloat(double); -+ - extern tmsize_t - _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, - void **buf, tmsize_t bufsizetoalloc, diff --git a/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch b/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch deleted file mode 100644 index 9e34aac..0000000 --- a/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch +++ /dev/null @@ -1,179 +0,0 @@ -From fddff26550de7a5ea9735649a74aa3829e461ae5 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Sat, 11 Jun 2022 09:31:43 +0000 -Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in - tiffcrop (#415, #427, and #428) - -(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab) ---- - libtiff/tif_aux.c | 9 +++++++ - libtiff/tiffiop.h | 1 + - tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- - 3 files changed, 44 insertions(+), 28 deletions(-) - -diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c -index 2071d19c..4d1869b4 100644 ---- a/libtiff/tif_aux.c -+++ b/libtiff/tif_aux.c -@@ -408,6 +408,15 @@ float _TIFFClampDoubleToFloat( double val ) - return (float)val; - } - -+uint32 _TIFFClampDoubleToUInt32(double val) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 0xFFFFFFFFU || val != val ) -+ return 0xFFFFFFFFU; -+ return (uint32)val; -+} -+ - int _TIFFSeekOK(TIFF* tif, toff_t off) - { - /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index 05ba735b..5b106e03 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -378,6 +378,7 @@ extern double _TIFFUInt64ToDouble(uint64); - extern float _TIFFUInt64ToFloat(uint64); - - extern float _TIFFClampDoubleToFloat(double); -+extern uint32 _TIFFClampDoubleToUInt32(double); - - extern tmsize_t - _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 83cf80ad..ea0b98be 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -5140,17 +5140,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - { - if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) - { -- x1 = (uint32) (crop->corners[i].X1 * scale * xres); -- x2 = (uint32) (crop->corners[i].X2 * scale * xres); -- y1 = (uint32) (crop->corners[i].Y1 * scale * yres); -- y2 = (uint32) (crop->corners[i].Y2 * scale * yres); -+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); -+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); -+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); -+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); - } - else - { -- x1 = (uint32) (crop->corners[i].X1); -- x2 = (uint32) (crop->corners[i].X2); -- y1 = (uint32) (crop->corners[i].Y1); -- y2 = (uint32) (crop->corners[i].Y2); -+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); -+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); -+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); -+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); - } - if (x1 < 1) - crop->regionlist[i].x1 = 0; -@@ -5213,17 +5213,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - { - if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) - { /* User has specified pixels as reference unit */ -- tmargin = (uint32)(crop->margins[0]); -- lmargin = (uint32)(crop->margins[1]); -- bmargin = (uint32)(crop->margins[2]); -- rmargin = (uint32)(crop->margins[3]); -+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); -+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); -+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); -+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); - } - else - { /* inches or centimeters specified */ -- tmargin = (uint32)(crop->margins[0] * scale * yres); -- lmargin = (uint32)(crop->margins[1] * scale * xres); -- bmargin = (uint32)(crop->margins[2] * scale * yres); -- rmargin = (uint32)(crop->margins[3] * scale * xres); -+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); -+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); -+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); -+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); - } - - if ((lmargin + rmargin) > image->width) -@@ -5253,24 +5253,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) - { - if (crop->crop_mode & CROP_WIDTH) -- width = (uint32)crop->width; -+ width = _TIFFClampDoubleToUInt32(crop->width); - else - width = image->width - lmargin - rmargin; - - if (crop->crop_mode & CROP_LENGTH) -- length = (uint32)crop->length; -+ length = _TIFFClampDoubleToUInt32(crop->length); - else - length = image->length - tmargin - bmargin; - } - else - { - if (crop->crop_mode & CROP_WIDTH) -- width = (uint32)(crop->width * scale * image->xres); -+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); - else - width = image->width - lmargin - rmargin; - - if (crop->crop_mode & CROP_LENGTH) -- length = (uint32)(crop->length * scale * image->yres); -+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); - else - length = image->length - tmargin - bmargin; - } -@@ -5669,13 +5669,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, - { - if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) - { /* inches or centimeters specified */ -- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8)); -- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8)); -+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); -+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); - } - else - { /* Otherwise user has specified pixels as reference unit */ -- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8)); -- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8)); -+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); -+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); - } - - if ((hmargin * 2.0) > (pwidth * page->hres)) -@@ -5713,13 +5713,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, - { - if (page->mode & PAGE_MODE_PAPERSIZE ) - { -- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2)); -- olength = (uint32)((plength * page->vres) - (vmargin * 2)); -+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); -+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); - } - else - { -- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres)); -- olength = (uint32)(ilength - (vmargin * 2 * page->vres)); -+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); -+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); - } - } - -@@ -5728,6 +5728,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, - if (olength > ilength) - olength = ilength; - -+ if (owidth == 0 || olength == 0) -+ { -+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); -+ exit(EXIT_FAILURE); -+ } -+ - /* Compute the number of pages required for Portrait or Landscape */ - switch (page->orient) - { diff --git a/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch b/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch deleted file mode 100644 index 15e8d00..0000000 --- a/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch +++ /dev/null @@ -1,161 +0,0 @@ -From 5d214a07db3bb8dcea8354d8f1e52f9c46264acb Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Wed, 9 Feb 2022 21:31:29 +0000 -Subject: [PATCH] (CVE-2022-2867 CVE-2022-2868) tiffcrop.c: Fix issue #352 - heap-buffer-overflow by correcting uint32_t underflow. - -(cherry picked from commit 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c) ---- - tools/tiffcrop.c | 81 +++++++++++++++++++++++++++++++----------------- - 1 file changed, 53 insertions(+), 28 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index ea0b98be..5801b8f6 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -5152,29 +5152,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); - y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); - } -- if (x1 < 1) -- crop->regionlist[i].x1 = 0; -- else -- crop->regionlist[i].x1 = (uint32) (x1 - 1); -+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 -+ * b) Corners are expected to be submitted as top-left to bottom-right. -+ * Therefore, check that and reorder input. -+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) -+ */ -+ uint32 aux; -+ if (x1 > x2) { -+ aux = x1; -+ x1 = x2; -+ x2 = aux; -+ } -+ if (y1 > y2) { -+ aux = y1; -+ y1 = y2; -+ y2 = aux; -+ } -+ if (x1 > image->width - 1) -+ crop->regionlist[i].x1 = image->width - 1; -+ else if (x1 > 0) -+ crop->regionlist[i].x1 = (uint32)(x1 - 1); - - if (x2 > image->width - 1) - crop->regionlist[i].x2 = image->width - 1; -- else -- crop->regionlist[i].x2 = (uint32) (x2 - 1); -- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; -+ else if (x2 > 0) -+ crop->regionlist[i].x2 = (uint32)(x2 - 1); - -- if (y1 < 1) -- crop->regionlist[i].y1 = 0; -- else -- crop->regionlist[i].y1 = (uint32) (y1 - 1); -+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; -+ -+ if (y1 > image->length - 1) -+ crop->regionlist[i].y1 = image->length - 1; -+ else if (y1 > 0) -+ crop->regionlist[i].y1 = (uint32)(y1 - 1); - - if (y2 > image->length - 1) - crop->regionlist[i].y2 = image->length - 1; -- else -- crop->regionlist[i].y2 = (uint32) (y2 - 1); -- -- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; -+ else if (y2 > 0) -+ crop->regionlist[i].y2 = (uint32)(y2 - 1); - -+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; - if (zwidth > max_width) - max_width = zwidth; - if (zlength > max_length) -@@ -5204,7 +5220,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - } - } - return (0); -- } -+ } /* crop_mode == CROP_REGIONS */ - - /* Convert crop margins into offsets into image - * Margins are expressed as pixel rows and columns, not bytes -@@ -5240,7 +5256,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - bmargin = (uint32) 0; - return (-1); - } -- } -+ } /* crop_mode == CROP_MARGINS */ - else - { /* no margins requested */ - tmargin = (uint32) 0; -@@ -5331,24 +5347,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - off->endx = endx; - off->endy = endy; - -- crop_width = endx - startx + 1; -- crop_length = endy - starty + 1; -- -- if (crop_width <= 0) -+ if (endx + 1 <= startx) - { - TIFFError("computeInputPixelOffsets", - "Invalid left/right margins and /or image crop width requested"); - return (-1); - } -+ crop_width = endx - startx + 1; - if (crop_width > image->width) - crop_width = image->width; - -- if (crop_length <= 0) -+ if (endy + 1 <= starty) - { - TIFFError("computeInputPixelOffsets", - "Invalid top/bottom margins and /or image crop length requested"); - return (-1); - } -+ crop_length = endy - starty + 1; - if (crop_length > image->length) - crop_length = image->length; - -@@ -5448,10 +5463,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - else - crop->selections = crop->zones; - -- for (i = 0; i < crop->zones; i++) -+ /* Initialize regions iterator i */ -+ i = 0; -+ for (int j = 0; j < crop->zones; j++) - { -- seg = crop->zonelist[i].position; -- total = crop->zonelist[i].total; -+ seg = crop->zonelist[j].position; -+ total = crop->zonelist[j].total; -+ -+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ -+ if (seg == 0 || total == 0 || seg > total) { -+ continue; -+ } - - switch (crop->edge_ref) - { -@@ -5578,10 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - if (dump->outfile != NULL) - dump_info (dump->outfile, dump->format, "", "Zone %d, width: %4d, length: %4d, x1: %4d x2: %4d y1: %4d y2: %4d", - i + 1, (uint32)zwidth, (uint32)zlength, -- crop->regionlist[i].x1, crop->regionlist[i].x2, -- crop->regionlist[i].y1, crop->regionlist[i].y2); -+ crop->regionlist[i].x1, crop->regionlist[i].x2, -+ crop->regionlist[i].y1, crop->regionlist[i].y2); -+ /* increment regions iterator */ -+ i++; - } -- -+ /* set number of generated regions out of given zones */ -+ crop->selections = i; - return (0); - } /* end getCropOffsets */ - diff --git a/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch b/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch deleted file mode 100644 index d7f816a..0000000 --- a/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch +++ /dev/null @@ -1,92 +0,0 @@ -From d26748dd8fb90b0af8c9344615f65d273dc66f93 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Mon, 15 Aug 2022 22:11:03 +0200 -Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521?= - =?UTF-8?q?=20CVE-2022-2953)=20According=20to=20Richard=20Nolde=20https://?= - =?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?= - =?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?= - =?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?= - =?UTF-8?q?=20-Z=20and=20-z.?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is now checked and ends tiffcrop if those arguments are not mutually exclusive. - -This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424 - -(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf) ---- - tools/tiffcrop.c | 31 +++++++++++++++++++++++-------- - 1 file changed, 23 insertions(+), 8 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 5801b8f6..27e6f81c 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -104,7 +104,10 @@ - * includes annotations for image parameters and scanline info. Level - * selects which functions dump data, with higher numbers selecting - * lower level, scanline level routines. Debug reports a limited set -- * of messages to monitor progess without enabling dump logs. -+ * of messages to monitor progress without enabling dump logs. -+ * -+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. -+ * In no case should the options be applied to a given selection successively. - */ - - static char tiffcrop_version_id[] = "2.4"; -@@ -177,12 +180,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring); - #define ROTATECW_270 32 - #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) - --#define CROP_NONE 0 --#define CROP_MARGINS 1 --#define CROP_WIDTH 2 --#define CROP_LENGTH 4 --#define CROP_ZONES 8 --#define CROP_REGIONS 16 -+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ -+#define CROP_MARGINS 1 /* "-m" */ -+#define CROP_WIDTH 2 /* "-X" */ -+#define CROP_LENGTH 4 /* "-Y" */ -+#define CROP_ZONES 8 /* "-Z" */ -+#define CROP_REGIONS 16 /* "-z" */ - #define CROP_ROTATE 32 - #define CROP_MIRROR 64 - #define CROP_INVERT 128 -@@ -320,7 +323,7 @@ struct crop_mask { - #define PAGE_MODE_RESOLUTION 1 - #define PAGE_MODE_PAPERSIZE 2 - #define PAGE_MODE_MARGINS 4 --#define PAGE_MODE_ROWSCOLS 8 -+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ - - #define INVERT_DATA_ONLY 10 - #define INVERT_DATA_AND_TAG 11 -@@ -751,6 +754,8 @@ static char* usage_info[] = { - " The four debug/dump options are independent, though it makes little sense to", - " specify a dump file without specifying a detail level.", - " ", -+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive." -+" ", - NULL - }; - -@@ -2099,6 +2104,16 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 - /*NOTREACHED*/ - } - } -+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ -+ char XY, Z, R, S; -+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); -+ Z = (crop_data->crop_mode & CROP_ZONES); -+ R = (crop_data->crop_mode & CROP_REGIONS); -+ S = (page->mode & PAGE_MODE_ROWSCOLS); -+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { -+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); -+ exit(EXIT_FAILURE); -+ } - } /* end process_command_opts */ - - /* Start a new output file if one has not been previously opened or diff --git a/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch b/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch deleted file mode 100644 index 7fc4e5a..0000000 --- a/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3635844b59578eb572372e7546548ea84c967ba1 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Sat, 20 Aug 2022 23:35:26 +0200 -Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953) - tiffcrop -S option: Make decision simpler. - -(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba) ---- - tools/tiffcrop.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 27e6f81c..ff118496 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -2106,11 +2106,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 - } - /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ - char XY, Z, R, S; -- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); -- Z = (crop_data->crop_mode & CROP_ZONES); -- R = (crop_data->crop_mode & CROP_REGIONS); -- S = (page->mode & PAGE_MODE_ROWSCOLS); -- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { -+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; -+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; -+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; -+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; -+ if (XY + Z + R + S > 1) { - TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); - exit(EXIT_FAILURE); - } diff --git a/SOURCES/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch b/SOURCES/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch deleted file mode 100644 index 267a1e3..0000000 --- a/SOURCES/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 84f9ede8075774dd9a10080a9eea9016229adbaa Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Thu, 25 Aug 2022 16:11:41 +0200 -Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable - incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes - #411 and #413) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S. - -Code analysis: - -With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. -In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . - -Execution of the else-clause often leads to buffer-overflows. - -Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. - -The MR solves issues #411 and #413. - -(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62) ---- - tools/tiffcrop.c | 27 +++++++++++++++++++++++---- - 1 file changed, 23 insertions(+), 4 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index ff118496..848b2b49 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -106,9 +106,11 @@ - * lower level, scanline level routines. Debug reports a limited set - * of messages to monitor progress without enabling dump logs. - * -- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. -+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. - * In no case should the options be applied to a given selection successively. -- */ -+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options -+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. -+ */ - - static char tiffcrop_version_id[] = "2.4"; - static char tiffcrop_rev_date[] = "12-13-2010"; -@@ -754,7 +756,11 @@ static char* usage_info[] = { - " The four debug/dump options are independent, though it makes little sense to", - " specify a dump file without specifying a detail level.", - " ", --"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive." -+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.", -+" In no case should the options be applied to a given selection successively.", -+" ", -+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options", -+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.", - " ", - NULL - }; -@@ -2111,9 +2117,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 - R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; - S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; - if (XY + Z + R + S > 1) { -- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); -+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); - exit(EXIT_FAILURE); - } -+ -+ /* Check for not allowed combination: -+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options -+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. -+. */ -+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { -+ TIFFError("tiffcrop input error", -+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); -+ exit(EXIT_FAILURE); -+ } -+ - } /* end process_command_opts */ - - /* Start a new output file if one has not been previously opened or -@@ -2381,6 +2398,7 @@ main(int argc, char* argv[]) - exit (-1); - } - -+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ - if (crop.selections > 0) - { - if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) -@@ -2397,6 +2415,7 @@ main(int argc, char* argv[]) - exit (-1); - } - } -+ /* Format and write selected image parts to output file(s). */ - if (page.mode == PAGE_MODE_NONE) - { /* Whole image or sections not based on output page size */ - if (crop.selections > 0) diff --git a/SOURCES/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch b/SOURCES/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch deleted file mode 100644 index ec774b4..0000000 --- a/SOURCES/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch +++ /dev/null @@ -1,37 +0,0 @@ -From a28b2e1b23fc936989dc4bbc857e9a8a851c5ff0 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 8 Nov 2022 15:16:58 +0100 -Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer - overflow on strips/tiles > 2 GB - -Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 - - (cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be) ---- - libtiff/tif_getimage.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index b1f7cc95..00cd5510 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -3044,15 +3044,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop - return( ok ); - - for( i_row = 0; i_row < read_ysize; i_row++ ) { -- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, -- raster + (read_ysize - i_row - 1) * read_xsize, -+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, -+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, - read_xsize * sizeof(uint32) ); -- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, -+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, - 0, sizeof(uint32) * (tile_xsize - read_xsize) ); - } - - for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { -- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, -+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, - 0, sizeof(uint32) * tile_xsize ); - } - diff --git a/SOURCES/0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch b/SOURCES/0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch deleted file mode 100644 index bb7d439..0000000 --- a/SOURCES/0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 72bbfc1ecd58f7732946719a0aeb2070f056bb6f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Matej=20Mu=C5=BEila?= -Date: Tue, 16 May 2023 13:04:55 +0200 -Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error. - Fix #488. - -(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5) ---- - tools/tiffcrop.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 848b2b49..7f738d91 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -7537,7 +7537,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); - else - { -- prev_cropsize = seg_buffs[0].size; -+ prev_cropsize = seg_buffs[i].size; - if (prev_cropsize < cropsize) - { - next_buff = _TIFFrealloc(crop_buff, cropsize); diff --git a/SOURCES/0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch b/SOURCES/0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch deleted file mode 100644 index ea6c797..0000000 --- a/SOURCES/0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 73b3f582caa08a976d647537346790b182bbcc10 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 5 Feb 2023 15:53:16 +0000 -Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 - CVE-2023-0804) tiffcrop: added check for assumption on composite images - (fixes #496) - -Closes #501, #500, #498, #497 et #496 - -See merge request libtiff/libtiff!466 - -(cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00) ---- - tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 66 insertions(+), 2 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 7f738d91..77923cf3 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -5235,18 +5235,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - - crop->regionlist[i].buffsize = buffsize; - crop->bufftotal += buffsize; -+ -+ /* For composite images with more than one region, the -+ * combined_length or combined_width always needs to be equal, -+ * respectively. -+ * Otherwise, even the first section/region copy -+ * action might cause buffer overrun. */ - if (crop->img_mode == COMPOSITE_IMAGES) - { - switch (crop->edge_ref) - { - case EDGE_LEFT: - case EDGE_RIGHT: -+ if (i > 0 && zlength != crop->combined_length) -+ { -+ TIFFError( -+ "computeInputPixelOffsets", -+ "Only equal length regions can be combined for " -+ "-E left or right"); -+ return (-1); -+ } - crop->combined_length = zlength; - crop->combined_width += zwidth; - break; - case EDGE_BOTTOM: - case EDGE_TOP: /* width from left, length from top */ - default: -+ if (i > 0 && zwidth != crop->combined_width) -+ { -+ TIFFError("computeInputPixelOffsets", -+ "Only equal width regions can be " -+ "combined for -E " -+ "top or bottom"); -+ return (-1); -+ } - crop->combined_width = zwidth; - crop->combined_length += zlength; - break; -@@ -6390,6 +6412,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, - crop->combined_width = 0; - crop->combined_length = 0; - -+ /* If there is more than one region, check beforehand whether all the width -+ * and length values of the regions are the same, respectively. */ -+ switch (crop->edge_ref) -+ { -+ default: -+ case EDGE_TOP: -+ case EDGE_BOTTOM: -+ for (i = 1; i < crop->selections; i++) -+ { -+ uint32_t crop_width0 = -+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; -+ uint32_t crop_width1 = -+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; -+ if (crop_width0 != crop_width1) -+ { -+ TIFFError("extractCompositeRegions", -+ "Only equal width regions can be combined for -E " -+ "top or bottom"); -+ return (1); -+ } -+ } -+ break; -+ case EDGE_LEFT: -+ case EDGE_RIGHT: -+ for (i = 1; i < crop->selections; i++) -+ { -+ uint32_t crop_length0 = -+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; -+ uint32_t crop_length1 = -+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; -+ if (crop_length0 != crop_length1) -+ { -+ TIFFError("extractCompositeRegions", -+ "Only equal length regions can be combined for " -+ "-E left or right"); -+ return (1); -+ } -+ } -+ } -+ - for (i = 0; i < crop->selections; i++) - { - /* rows, columns, width, length are expressed in pixels */ -@@ -6414,7 +6476,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, - default: - case EDGE_TOP: - case EDGE_BOTTOM: -- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) -+ if ((crop->selections > i + 1) && -+ (crop_width != crop->regionlist[i + 1].width)) - { - TIFFError ("extractCompositeRegions", - "Only equal width regions can be combined for -E top or bottom"); -@@ -6495,7 +6558,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, - break; - case EDGE_LEFT: /* splice the pieces of each row together, side by side */ - case EDGE_RIGHT: -- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) -+ if ((crop->selections > i + 1) && -+ (crop_length != crop->regionlist[i + 1].length)) - { - TIFFError ("extractCompositeRegions", - "Only equal length regions can be combined for -E left or right"); diff --git a/SOURCES/0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch b/SOURCES/0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch deleted file mode 100644 index d28098d..0000000 --- a/SOURCES/0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch +++ /dev/null @@ -1,260 +0,0 @@ -From 01de2299ed1cf3137235ef8a6657905ef04fc65c Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Tue, 30 Aug 2022 16:56:48 +0200 -Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and - related TIFFTAG_NUMBEROFINKS value - -In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: - -Behaviour for writing: - `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. - `NumberOfInks` is automatically set when `InkNames` is set. - If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. - If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. - -Behaviour for reading: - When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. - If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. - If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. - -This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow - -This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. - -It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. - -(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d) ---- - libtiff/tif_dir.c | 118 ++++++++++++++++++++++++----------------- - libtiff/tif_dir.h | 2 + - libtiff/tif_dirinfo.c | 2 +- - libtiff/tif_dirwrite.c | 5 ++ - libtiff/tif_print.c | 4 ++ - 5 files changed, 82 insertions(+), 49 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index ad550c65..cb329fd8 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -125,32 +125,30 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) - } - - /* -- * Confirm we have "samplesperpixel" ink names separated by \0. Returns -+ * Count ink names separated by \0. Returns - * zero if the ink names are not as expected. - */ --static uint32 --checkInkNamesString(TIFF* tif, uint32 slen, const char* s) -+static uint16 -+countInkNamesString(TIFF *tif, uint32 slen, const char *s) - { -- TIFFDirectory* td = &tif->tif_dir; -- uint16 i = td->td_samplesperpixel; -+ uint16 i = 0; -+ const char *ep = s + slen; -+ const char *cp = s; - - if (slen > 0) { -- const char* ep = s+slen; -- const char* cp = s; -- for (; i > 0; i--) { -+ do { - for (; cp < ep && *cp != '\0'; cp++) {} - if (cp >= ep) - goto bad; - cp++; /* skip \0 */ -- } -- return ((uint32)(cp-s)); -+ i++; -+ } while (cp < ep); -+ return (i); - } - bad: - TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", -- "%s: Invalid InkNames value; expecting %d names, found %d", -- tif->tif_name, -- td->td_samplesperpixel, -- td->td_samplesperpixel-i); -+ "%s: Invalid InkNames value; no NUL at given buffer end location %d, after %d ink", -+ tif->tif_name, slen, i); - return (0); - } - -@@ -452,13 +450,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); - break; - case TIFFTAG_INKNAMES: -- v = (uint16) va_arg(ap, uint16_vap); -- s = va_arg(ap, char*); -- v = checkInkNamesString(tif, v, s); -- status = v > 0; -- if( v > 0 ) { -- _TIFFsetNString(&td->td_inknames, s, v); -- td->td_inknameslen = v; -+ { -+ v = (uint16) va_arg(ap, uint16_vap); -+ s = va_arg(ap, char*); -+ uint16 ninksinstring; -+ ninksinstring = countInkNamesString(tif, v, s); -+ status = ninksinstring > 0; -+ if(ninksinstring > 0 ) { -+ _TIFFsetNString(&td->td_inknames, s, v); -+ td->td_inknameslen = v; -+ /* Set NumberOfInks to the value ninksinstring */ -+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) -+ { -+ if (td->td_numberofinks != ninksinstring) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the number of inks %d.\n -> NumberOfInks value adapted to %d", -+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); -+ td->td_numberofinks = ninksinstring; -+ } -+ } else { -+ td->td_numberofinks = ninksinstring; -+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); -+ } -+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) -+ { -+ if (td->td_numberofinks != td->td_samplesperpixel) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d", -+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); -+ } -+ } -+ } -+ } -+ break; -+ case TIFFTAG_NUMBEROFINKS: -+ v = (uint16)va_arg(ap, uint16_vap); -+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ -+ if (TIFFFieldSet(tif, FIELD_INKNAMES)) -+ { -+ if (v != td->td_numberofinks) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Error %s; Tag %s:\n It is not possible to set the value %d for NumberOfInks\n which is different from the number of inks in the InkNames tag (%d)", -+ tif->tif_name, fip->field_name, v, td->td_numberofinks); -+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ -+ status = 0; -+ } -+ } else { -+ td->td_numberofinks = (uint16)v; -+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) -+ { -+ if (td->td_numberofinks != td->td_samplesperpixel) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d", -+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel); -+ } -+ } - } - break; - case TIFFTAG_PERSAMPLE: -@@ -854,33 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) - if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */ - return 0; - -- if( tag == TIFFTAG_NUMBEROFINKS ) -- { -- int i; -- for (i = 0; i < td->td_customValueCount; i++) { -- uint16 val; -- TIFFTagValue *tv = td->td_customValues + i; -- if (tv->info->field_tag != tag) -- continue; -- if( tv->value == NULL ) -- return 0; -- val = *(uint16 *)tv->value; -- /* Truncate to SamplesPerPixel, since the */ -- /* setting code for INKNAMES assume that there are SamplesPerPixel */ -- /* inknames. */ -- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ -- if( val > td->td_samplesperpixel ) -- { -- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", -- "Truncating NumberOfInks from %u to %u", -- val, td->td_samplesperpixel); -- val = td->td_samplesperpixel; -- } -- *va_arg(ap, uint16*) = val; -- return 1; -- } -- return 0; -- } - - /* - * We want to force the custom code to be used for custom -@@ -1068,6 +1087,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) - case TIFFTAG_INKNAMES: - *va_arg(ap, char**) = td->td_inknames; - break; -+ case TIFFTAG_NUMBEROFINKS: -+ *va_arg(ap, uint16 *) = td->td_numberofinks; -+ break; - default: - { - int i; -diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h -index 5a380767..b5881b02 100644 ---- a/libtiff/tif_dir.h -+++ b/libtiff/tif_dir.h -@@ -113,6 +113,7 @@ typedef struct { - /* CMYK parameters */ - int td_inknameslen; - char* td_inknames; -+ uint16 td_numberofinks; /* number of inks in InkNames string */ - - int td_customValueCount; - TIFFTagValue *td_customValues; -@@ -168,6 +169,7 @@ typedef struct { - #define FIELD_TRANSFERFUNCTION 44 - #define FIELD_INKNAMES 46 - #define FIELD_SUBIFD 49 -+#define FIELD_NUMBEROFINKS 50 - /* FIELD_CUSTOM (see tiffio.h) 65 */ - /* end of support for well-known tags; codec-private tags follow */ - #define FIELD_CODEC 66 /* base of codec-private tags */ -diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c -index 4904f540..8bbc8323 100644 ---- a/libtiff/tif_dirinfo.c -+++ b/libtiff/tif_dirinfo.c -@@ -106,7 +106,7 @@ tiffFields[] = { - { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, - { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, - { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, -- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, -+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, - { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, - { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, - { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 03a9f296..994fa57a 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -634,6 +634,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) - if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) - goto bad; - } -+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) -+ { -+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) -+ goto bad; -+ } - if (TIFFFieldSet(tif,FIELD_SUBIFD)) - { - if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index b9b53a0f..9caba038 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -404,6 +404,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - } - fputs("\n", fd); - } -+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { -+ fprintf(fd, " NumberOfInks: %d\n", -+ td->td_numberofinks); -+ } - if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { - fprintf(fd, " Thresholding: "); - switch (td->td_threshholding) { diff --git a/SOURCES/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch b/SOURCES/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch deleted file mode 100644 index 2de6c21..0000000 --- a/SOURCES/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch +++ /dev/null @@ -1,37 +0,0 @@ -From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 13 Mar 2018 14:39:30 +0000 -Subject: [PATCH] (CVE-2018-15209) Merge branch - 'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master' - -ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613) - -See merge request libtiff/libtiff!26 - -(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063) ---- - libtiff/tif_dirread.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index b72e6a3b..bc1ab083 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - if( nstrips == 0 ) - return; - -+ /* If we are going to allocate a lot of memory, make sure that the */ -+ /* file is as big as needed */ -+ if( tif->tif_mode == O_RDONLY && -+ nstrips > 1000000 && -+ (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) || -+ tif->tif_dir.td_stripbytecount[0] > -+ TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) ) -+ { -+ return; -+ } -+ - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripByteCounts\" array"); - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/SOURCES/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch b/SOURCES/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch deleted file mode 100644 index 396dacc..0000000 --- a/SOURCES/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch +++ /dev/null @@ -1,172 +0,0 @@ -From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Matej=20Mu=C5=BEila?= -Date: Thu, 16 May 2024 14:43:44 +0200 -Subject: [PATCH] (CVE-2023-25433) Merge branch - 'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master' - -tiffcrop correctly update buffersize after rotateImage() fix#520 - -Closes #520 - -See merge request libtiff/libtiff!467 - -(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3) ---- - tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 58 insertions(+), 14 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 77923cf3..8b761874 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32, - static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, - uint32, uint32, uint8 *, uint8 *); - static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *, -- unsigned char **); -+ unsigned char **, tsize_t *); - static int mirrorImage(uint16, uint16, uint16, uint32, uint32, - unsigned char *); - static int invertImage(uint16, uint16, uint16, uint32, uint32, -@@ -6358,7 +6358,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b - return (-1); - } - -- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr)) -+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL)) - { - TIFFError ("correct_orientation", "Unable to rotate image"); - return (-1); -@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - - if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ - { -+ /* rotateImage() set up a new buffer and calculates its size -+ * individually. Therefore, seg_buffs size needs to be updated -+ * accordingly. */ -+ -+ tsize_t rot_buf_size = 0; - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, &crop_buff)) -+ &crop->combined_length, &crop_buff, &rot_buf_size)) - { - TIFFError("processCropSelections", - "Failed to rotate composite regions by %d degrees", crop->rotation); - return (-1); - } - seg_buffs[0].buffer = crop_buff; -- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8) -- * image->spp) * crop->combined_length; -+ seg_buffs[0].size = rot_buf_size; - } - } - else /* Separated Images */ -@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - - if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ - { -- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, -- &crop->regionlist[i].length, &crop_buff)) -+ /* rotateImage() changes image->width, ->length, ->xres and -+ * ->yres, what it schouldn't do here, when more than one -+ * section is processed. ToDo: Therefore rotateImage() and its -+ * usage has to be reworked (e.g. like mirrorImage()) !! -+ * Furthermore, rotateImage() set up a new buffer and calculates -+ * its size individually. Therefore, seg_buffs size needs to be -+ * updated accordingly. */ -+ tsize_t rot_buf_size = 0; -+ if (rotateImage( -+ crop->rotation, image, &crop->regionlist[i].width, -+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) -+ - { - TIFFError("processCropSelections", - "Failed to rotate crop region by %d degrees", crop->rotation); -@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - crop->combined_width = total_width; - crop->combined_length = total_length; - seg_buffs[i].buffer = crop_buff; -- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) -- * image->spp) * crop->regionlist[i].length; -+ seg_buffs[i].size = rot_buf_size; - } - } - } -@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ - { - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, crop_buff_ptr)) -+ &crop->combined_length, crop_buff_ptr, NULL)) - { - TIFFError("createCroppedImage", - "Failed to rotate image or cropped selection by %d degrees", crop->rotation); -@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width, - /* Rotate an image by a multiple of 90 degrees clockwise */ - static int - rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, -- uint32 *img_length, unsigned char **ibuff_ptr) -+ uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size) - { - int shift_width; - uint32 bytes_per_pixel, bytes_per_sample; - uint32 row, rowsize, src_offset, dst_offset; - uint32 i, col, width, length; -- uint32 colsize, buffsize, col_offset, pix_offset; -+ uint32 colsize, col_offset, pix_offset; -+ tmsize_t buffsize; - unsigned char *ibuff; - unsigned char *src; - unsigned char *dst; -@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, - spp = image->spp; - bps = image->bps; - -+ if ((spp != 0 && bps != 0 && -+ width > (uint32)((UINT32_MAX - 7) / spp / bps)) || -+ (spp != 0 && bps != 0 && -+ length > (uint32)((UINT32_MAX - 7) / spp / bps))) -+ { -+ TIFFError("rotateImage", "Integer overflow detected."); -+ return (-1); -+ } - rowsize = ((bps * spp * width) + 7) / 8; - colsize = ((bps * spp * length) + 7) / 8; - if ((colsize * width) > (rowsize * length)) -- buffsize = (colsize + 1) * width; -+ { -+ if (((tmsize_t)colsize + 1) != 0 && -+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) / -+ ((tmsize_t)colsize + 1))) -+ { -+ TIFFError("rotateImage", -+ "Integer overflow when calculating buffer size."); -+ return (-1); -+ } -+ buffsize = ((tmsize_t)colsize + 1) * width; -+ } - else -- buffsize = (rowsize + 1) * length; -+ { -+ if (((tmsize_t)rowsize + 1) != 0 && -+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) / -+ ((tmsize_t)rowsize + 1))) -+ { -+ TIFFError("rotateImage", -+ "Integer overflow when calculating buffer size."); -+ return (-1); -+ } -+ buffsize = (rowsize + 1) * length; -+ } - - bytes_per_sample = (bps + 7) / 8; - bytes_per_pixel = ((bps * spp) + 7) / 8; -@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, - return (-1); - } - _TIFFmemset(rbuff, '\0', buffsize); -+ if (rot_buf_size != NULL) -+ *rot_buf_size = buffsize; - - ibuff = *ibuff_ptr; - switch (rotation) diff --git a/SOURCES/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch b/SOURCES/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch deleted file mode 100644 index 70733dd..0000000 --- a/SOURCES/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch +++ /dev/null @@ -1,50 +0,0 @@ -From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Matej=20Mu=C5=BEila?= -Date: Thu, 16 May 2024 14:54:52 +0200 -Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master' - -TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622) - -Closes #622 - -See merge request libtiff/libtiff!546 - -(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e) ---- - libtiff/tif_getimage.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 00cd5510..4f32b3a4 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error) - - if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { - -+ if (row >= img.height) -+ { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), -+ "Invalid row passed to TIFFReadRGBAStrip()."); -+ TIFFRGBAImageEnd(&img); -+ return (0); -+ } -+ - img.row_offset = row; - img.col_offset = 0; - -@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop - return( 0 ); - } - -+ if (col >= img.width || row >= img.height) -+ { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), -+ "Invalid row/col passed to TIFFReadRGBATile()."); -+ TIFFRGBAImageEnd(&img); -+ return (0); -+ } -+ - /* - * The TIFFRGBAImageGet() function doesn't allow us to get off the - * edge of the image, even to fill an otherwise valid tile. So we diff --git a/SOURCES/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch b/SOURCES/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch deleted file mode 100644 index 13de5ed..0000000 --- a/SOURCES/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 9 Sep 2023 15:11:42 +0000 -Subject: [PATCH] (CVE-2023-6228) Merge branch - 'fix_606_tiffcp_check_also_input_compression_codec' into 'master' - -tiffcp: Fixes #606. Check also codec of input image, not only from output image. - -Closes #606 - -See merge request libtiff/libtiff!533 - -(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e) ---- - tools/tiffcp.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index fb98bd57..81ec6bbd 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out) - else - CopyField(TIFFTAG_COMPRESSION, compression); - TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); -+ if (!TIFFIsCODECConfigured(input_compression)) -+ return FALSE; - TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); - if (input_compression == COMPRESSION_JPEG) { - /* Force conversion to RGB */ diff --git a/SOURCES/libtiff-4.0.9-CVE-2017-17095.patch b/SOURCES/libtiff-4.0.9-CVE-2017-17095.patch deleted file mode 100644 index 1077020..0000000 --- a/SOURCES/libtiff-4.0.9-CVE-2017-17095.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001 -From: Nathan Baker -Date: Thu, 25 Jan 2018 21:28:15 +0000 -Subject: [PATCH] Add workaround to pal2rgb buffer overflow. - ---- - tools/pal2rgb.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - -diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c -index 0423598f0..01fcf9411 100644 ---- a/tools/pal2rgb.c -+++ b/tools/pal2rgb.c -@@ -182,8 +182,21 @@ main(int argc, char* argv[]) - { unsigned char *ibuf, *obuf; - register unsigned char* pp; - register uint32 x; -- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); -- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); -+ tmsize_t tss_in = TIFFScanlineSize(in); -+ tmsize_t tss_out = TIFFScanlineSize(out); -+ if (tss_out / tss_in < 3) { -+ /* -+ * BUG 2750: The following code does not know about chroma -+ * subsampling of JPEG data. It assumes that the output buffer is 3x -+ * the length of the input buffer due to exploding the palette into -+ * RGB tuples. If this assumption is incorrect, it could lead to a -+ * buffer overflow. Go ahead and fail now to prevent that. -+ */ -+ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); -+ return -1; -+ } -+ ibuf = (unsigned char*)_TIFFmalloc(tss_in); -+ obuf = (unsigned char*)_TIFFmalloc(tss_out); - switch (config) { - case PLANARCONFIG_CONTIG: - for (row = 0; row < imagelength; row++) { --- -GitLab - diff --git a/SOURCES/libtiff-4.6.0-CVE-2024-7006.patch b/SOURCES/libtiff-4.6.0-CVE-2024-7006.patch deleted file mode 100644 index 1c7d72a..0000000 --- a/SOURCES/libtiff-4.6.0-CVE-2024-7006.patch +++ /dev/null @@ -1,46 +0,0 @@ -diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c ---- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 2024-08-16 00:35:35.339965778 +0200 -+++ tiff-4.4.0/libtiff/tif_dirinfo.c 2024-08-16 00:54:58.255221954 +0200 -@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint - fld = TIFFFindField(tif, tag, dt); - if (fld == NULL) { - fld = _TIFFCreateAnonField(tif, tag, dt); -- if (!_TIFFMergeFields(tif, fld, 1)) -+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) - return NULL; - } - -diff -up tiff-4.0.9/libtiff/tif_dirread.c~ tiff-4.0.9/libtiff/tif_dirread.c ---- tiff-4.0.9/libtiff/tif_dirread.c~ 2024-08-29 23:31:19.884308223 +0200 -+++ tiff-4.0.9/libtiff/tif_dirread.c 2024-08-29 23:31:19.909308479 +0200 -@@ -3667,11 +3667,10 @@ TIFFReadDirectory(TIFF* tif) - dp->tdir_tag,dp->tdir_tag); - /* the following knowingly leaks the - anonymous field structure */ -- if (!_TIFFMergeFields(tif, -- _TIFFCreateAnonField(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1)) { -+ const TIFFField *fld = _TIFFCreateAnonField( -+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); -+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) -+ { - TIFFWarningExt(tif->tif_clientdata, - module, - "Registering anonymous field with tag %d (0x%x) failed", -@@ -4392,10 +4391,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_ - TIFFWarningExt(tif->tif_clientdata, module, - "Unknown field with tag %d (0x%x) encountered", - dp->tdir_tag, dp->tdir_tag); -- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1)) { -+ const TIFFField *fld = _TIFFCreateAnonField( -+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); -+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) -+ { - TIFFWarningExt(tif->tif_clientdata, module, - "Registering anonymous field with tag %d (0x%x) failed", - dp->tdir_tag, dp->tdir_tag); diff --git a/libtiff-4.6.0-CVE-2024-7006.patch b/libtiff-4.6.0-CVE-2024-7006.patch new file mode 100644 index 0000000..78b5a1c --- /dev/null +++ b/libtiff-4.6.0-CVE-2024-7006.patch @@ -0,0 +1,47 @@ +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index bff7592a8fd92d24b591b6d342fa98922246db8c..2338ca21c82295ee8ab3da86035d43398fef8efc 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, + if (fld == NULL) + { + fld = _TIFFCreateAnonField(tif, tag, dt); +- if (!_TIFFMergeFields(tif, fld, 1)) ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + return NULL; + } + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index c79694145c30d70901a84bcb8932a2fcf5ad24dd..242912f3be5d15548510ce77ac791e53b112e417 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif) + dp->tdir_tag, dp->tdir_tag); + /* the following knowingly leaks the + anonymous field structure */ +- if (!_TIFFMergeFields( +- tif, +- _TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +- 1)) ++ const TIFFField *fld = _TIFFCreateAnonField( ++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR( + tif, module, +@@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff, + "Unknown field with tag %" PRIu16 " (0x%" PRIx16 + ") encountered", + dp->tdir_tag, dp->tdir_tag); +- if (!_TIFFMergeFields( +- tif, +- _TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +- 1)) ++ const TIFFField *fld = _TIFFCreateAnonField( ++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR(tif, module, + "Registering anonymous field with tag %" PRIu16 diff --git a/libtiff-am-version.patch b/libtiff-am-version.patch new file mode 100644 index 0000000..c94c2e0 --- /dev/null +++ b/libtiff-am-version.patch @@ -0,0 +1,31 @@ +Back off the minimum required automake version to 1.11. There isn't +anything in libtiff currently that actually requires 1.12, and changing +this allows the package to be built on pre-F18 machines for easier testing. + +This patch can go away once we no longer care about testing on pre-F18. + + +diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am +--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400 ++++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400 +@@ -25,7 +25,7 @@ + + docdir = $(LIBTIFF_DOCDIR) + +-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign ++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign + ACLOCAL_AMFLAGS = -I m4 + + docfiles = \ +diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am +--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400 ++++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400 +@@ -23,7 +23,7 @@ + + # Process this file with automake to produce Makefile.in. + +-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign ++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign + + LIBTIFF = $(top_builddir)/libtiff/libtiff.la + diff --git a/SPECS/libtiff.spec b/libtiff.spec similarity index 74% rename from SPECS/libtiff.spec rename to libtiff.spec index 7907502..52ae64b 100644 --- a/SPECS/libtiff.spec +++ b/libtiff.spec @@ -1,72 +1,24 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff -Version: 4.0.9 -Release: 34%{?dist} +Version: 4.6.0 +Release: 6%{?dist} License: libtiff -Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ -Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz +Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz +Patch0: libtiff-am-version.patch -# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0 -# Patches were generated by: git format-patch -N --no-signature ... -Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch -Patch0002: 0002-Fix-Makefile.patch -Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch -Patch0004: 0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch -Patch0005: 0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch -Patch0006: 0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch -Patch0007: 0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch -Patch0008: 0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch -Patch0009: 0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch -Patch0010: 0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch -Patch0011: 0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch -Patch0012: 0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch -Patch0013: 0013-bz1602597-Fix-two-resource-leaks.patch -Patch0014: 0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch -Patch0015: 0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch -Patch0016: 0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch -Patch0017: 0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch -Patch0018: 0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch -Patch0019: 0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch -Patch0020: 0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch -Patch0021: 0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch -Patch0022: 0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch -Patch0023: 0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch -Patch0024: 0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch -Patch0025: 0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch -Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch -Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch -Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch -Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch -Patch0030: 0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch -Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch -Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch -Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch -Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch -Patch0035: 0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch -Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch -Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch -Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch -Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch -Patch0040: 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch -Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch -Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch -Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch - -# from upstream, for <=4.6.0, RHEL-52927 +# from upstream, for <=4.6.0, RHEL-52926 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 -Patch44: libtiff-4.6.0-CVE-2024-7006.patch - -# from upstream, for < 4.0.10, RHEL-87363 -# https://gitlab.com/libtiff/libtiff/-/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655 -Patch45: libtiff-4.0.9-CVE-2017-17095.patch +Patch1: libtiff-4.6.0-CVE-2024-7006.patch BuildRequires: gcc, gcc-c++ -BuildRequires: zlib-devel libjpeg-devel jbigkit-devel +BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel BuildRequires: libtool automake autoconf pkgconfig +BuildRequires: make + %description The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely @@ -78,9 +30,8 @@ format image files. %package devel Summary: Development tools for programs which will use the libtiff library -Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: pkgconfig%{?_isa} +Requires: pkgconfig %description devel This package contains the header files and documentation necessary for @@ -93,7 +44,6 @@ install the libtiff package. %package static Summary: Static TIFF image format file library -Group: Development/Libraries Requires: %{name}-devel%{?_isa} = %{version}-%{release} %description static @@ -103,7 +53,6 @@ necessary for some boot packages. %package tools Summary: Command-line utility programs for manipulating TIFF files -Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} %description tools @@ -111,7 +60,10 @@ This package contains command-line programs for manipulating TIFF format image files using the libtiff library. %prep -%autosetup -p1 -n tiff-%{version} +%autosetup -n tiff-%{version} -N + +%patch -P 0 -p1 -b .backup +%patch -P 1 -p1 -b .CVE-2024-7006 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -125,10 +77,10 @@ autoheader %build export CFLAGS="%{optflags} -fno-strict-aliasing" %configure --enable-ld-version-script -make %{?_smp_mflags} +%make_build %install -make DESTDIR=$RPM_BUILD_ROOT install +%make_install # remove what we didn't want installed rm $RPM_BUILD_ROOT%{_libdir}/*.la @@ -144,9 +96,6 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1 -rm -f html/man/tiffgt.1.html -rm -f html/man/sgi2tiff.1.html -rm -f html/man/tiffsv.1.html # multilib header hack # we only apply this to known Red Hat multilib arches, per bug #233091 @@ -191,16 +140,14 @@ fi %check LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check -# don't include documentation Makefiles, they are a multilib hazard -find html -name 'Makefile*' | xargs rm - %files -%doc COPYRIGHT README RELEASE-DATE VERSION -%{_libdir}/libtiff.so.* -%{_libdir}/libtiffxx.so.* +%license LICENSE.md +%doc README.md RELEASE-DATE VERSION +%{_libdir}/libtiff.so.6* +%{_libdir}/libtiffxx.so.6* %files devel -%doc TODO ChangeLog html +%doc TODO ChangeLog %{_includedir}/* %{_libdir}/libtiff.so %{_libdir}/libtiffxx.so @@ -215,97 +162,139 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog -* Tue Apr 22 2025 Michal Hlavinka - 4.0.9-34 -- fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363) +* Mon Mar 31 2025 Michal Hlavinka - 4.6.0-6 +- drop unused compat libtiff.so.5 (RHEL-85372) -* Thu Aug 29 2024 Michal Hlavinka - 4.0.9-33 -- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927) +* Tue Oct 29 2024 Troy Dawson - 4.6.0-5 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Thu May 16 2024 Matej Mužila - 4.0.9-32 -- Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209 -- Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406 +* Wed Aug 21 2024 Michal Hlavinka - 4.6.0-4 +- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52926) -* Fri Jan 05 2024 Matej Mužila - 4.0.9-31 -- Fix CVE-2022-3599 CVE-2022-4645 -- Resolves: RHEL-5399 +* Mon Jun 24 2024 Troy Dawson - 4.6.0-3 +- Bump release for June 2024 mass rebuild -* Thu Sep 21 2023 Ondrej Sloup - 4.0.9-30 -- Bump specfile to retrigger gating -- Add tests folder for standard beakerlib -- Related: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688 +* Mon Jan 29 2024 Matej Mužila - 4.6.0-2 +- migrated to SPDX license -* Tue Aug 08 2023 Matej Mužila - 4.0.9-29 -- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 -- Resolves: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688 +* Mon Jan 29 2024 Matej Mužila - 4.6.0-1 +- New upstream release 4.6.0 (#2153870) -* Tue May 16 2023 Matej Mužila - 4.0.9-28 -- Fix CVE-2022-48281 -- Resolves: CVE-2022-48281 +* Thu Jan 25 2024 Fedora Release Engineering - 4.5.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Mon Jan 16 2023 Matej Mužila - 4.0.9-27 -- Fix various CVEs -- Resolves: CVE-2022-3627 CVE-2022-3970 +* Sun Jan 21 2024 Fedora Release Engineering - 4.5.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Mon Oct 24 2022 Matej Mužila - 4.0.9-26 -- Fix various CVEs -- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953 +* Thu Oct 05 2023 Matej Mužila - 4.5.0-3 +- New upstream release 4.5.0 (#2153870) +- Fix CVE-2022-3570, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-2519, + CVE-2022-2953, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, + CVE-2022-3627, CVE-2022-3970 (#2142735, #2118854, #2118867, #2118875, + #2122795, #2134437, #2142737, #2148881, #2148888, #2148894, #2148897, + #2148919) -* Tue Sep 06 2022 Matej Mužila - 4.0.9-25 -- Fix CVE-2022-2867 (#2118857) -- Fix CVE-2022-2868 (#2118882) -- Fix CVE-2022-2869 (#2118878) +* Mon Aug 28 2023 Nikola Forró - 4.4.0-8 +- Enable support for LERC compression (#2234459) -* Mon Jul 18 2022 Matej Mužila - 4.0.9-24 -- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 -- Resolves: #2103222 +* Thu Jul 20 2023 Fedora Release Engineering - 4.4.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Thu May 12 2022 Matej Mužila - 4.0.9-23 -- Fix various CVEs -- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865 - CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355 +* Sun Feb 19 2023 Antonio Trande - 4.4.0-6 +- Fix CVE-2023-0804 (#2170195) -* Wed Sep 29 2021 Nikola Forró - 4.0.9-21 -- Fix CVE-2020-19131 (#2006535) +* Thu Jan 19 2023 Fedora Release Engineering - 4.4.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -* Thu Apr 29 2021 Nikola Forró - 4.0.9-20 -- Rebuild for fixed binutils (#1954437) +* Mon Aug 01 2022 Nikola Forró - 4.4.0-4 +- Fix CVE-2022-34526 (#2112760) -* Fri Apr 09 2021 Nikola Forró - 4.0.9-19 -- Fix CVE-2020-35521 (#1945539) -- Fix CVE-2020-35522 (#1945555) -- Fix CVE-2020-35523 (#1945542) -- Fix CVE-2020-35524 (#1945546) +* Thu Jul 21 2022 Fedora Release Engineering - 4.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild -* Thu Feb 20 2020 Nikola Forró - 4.0.9-18 -- Fix CVE-2019-17546 (#1771372) +* Tue Jul 05 2022 Nikola Forró - 4.4.0-2 +- Fix CVE-2022-2056, CVE-2022-2057 and CVE-2022-2058 (#2103840) -* Thu Nov 28 2019 Nikola Forró - 4.0.9-17 -- Add upstream test suite and enable it in gating +* Mon Jun 06 2022 Nikola Forró - 4.4.0-1 +- New upstream release 4.4.0 (#2088783) -* Wed Nov 27 2019 Nikola Forró - 4.0.9-16 -- Fix CVE-2019-14973 (#1755705) +* Fri Mar 18 2022 Nikola Forró - 4.3.0-6 +- Fix CVE-2022-0907 (#2064147), CVE-2022-0908 (#2064153) and CVE-2022-0909 (#2064152) -* Wed Jun 12 2019 Nikola Forró - 4.0.9-15 -- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579) +* Fri Mar 18 2022 Nikola Forró - 4.3.0-5 +- Fix CVE-2022-0865 (#2065359), CVE-2022-0891 (#2065389) and CVE-2022-0924 (#2064154) -* Thu Jun 06 2019 Nikola Forró - 4.0.9-14 -- Fix CVE-2018-12900 (#1595579) +* Tue Feb 15 2022 Nikola Forró - 4.3.0-4 +- Fix CVE-2022-0561 (#2054499) and CVE-2022-0562 (#2054498) -* Thu Dec 13 2018 Nikola Forró - 4.0.9-13 -- Fix compiler warning introduced by patch for CVE-2018-18661 +* Thu Jan 20 2022 Nikola Forró - 4.3.0-3 +- Fix CVE-2022-22844 (#2042604) -* Wed Nov 14 2018 Nikola Forró - 4.0.9-12 -- Fix CVE-2018-18557 (#1647738) and CVE-2018-18661 (#1644452) +* Thu Jul 22 2021 Fedora Release Engineering - 4.3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Mon Oct 15 2018 Nikola Forró - 4.0.9-11 -- Fix important Covscan defects (#1602597) +* Tue Apr 20 2021 Nikola Forró - 4.3.0-1 +- New upstream release 4.3.0 (#1950306) -* Mon Oct 15 2018 Nikola Forró - 4.0.9-10 -- Fix CVE-2018-17100 (#1631073) +* Tue Feb 02 2021 Nikola Forró - 4.2.0-1 +- New upstream release 4.2.0 (#1909412) + +* Tue Jan 26 2021 Fedora Release Engineering - 4.1.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jan 04 2021 Nikola Forró - 4.1.0-6 +- Build with ZSTD and WEBP support (#1911969) + +* Mon Nov 02 2020 Nikola Forró - 4.1.0-5 +- Remove libtiff-devel dependency on arch-specific pkgconfig + +* Tue Jul 28 2020 Fedora Release Engineering - 4.1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 13 2020 Tom Stellard - 4.1.0-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Wed Jan 29 2020 Fedora Release Engineering - 4.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Nov 05 2019 Nikola Forró - 4.1.0-1 +- New upstream version libtiff-4.1.0 (#1768276) + +* Thu Jul 25 2019 Fedora Release Engineering - 4.0.10-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Jun 12 2019 Nikola Forró - 4.0.10-5 +- Fix CVE-2018-19210 (#1649387) + +* Fri Feb 15 2019 Nikola Forró - 4.0.10-4 +- Fix CVE-2019-7663 (#1677529) + +* Fri Feb 01 2019 Fedora Release Engineering - 4.0.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 30 2019 Nikola Forró - 4.0.10-2 +- Fix CVE-2019-6128 (#1667124) + +* Wed Nov 14 2018 Nikola Forró - 4.0.10-1 +- New upstream version libtiff-4.0.10 + +* Thu Oct 11 2018 Nikola Forró - 4.0.9-13 +- Fix CVE-2018-17100 (#1631070) and CVE-2018-17101 (#1631079) + +* Thu Oct 11 2018 Nikola Forró - 4.0.9-12 +- Fix CVE-2018-10779 (#1577316) + +* Fri Jul 13 2018 Fedora Release Engineering - 4.0.9-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 06 2018 Nikola Forró - 4.0.9-10 +- Fix CVE-2017-11613 (#1475531) * Wed May 30 2018 Nikola Forró - 4.0.9-9 -- Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-8905 (#1559708) - and CVE-2018-10963 (#1579060) +- Fix CVE-2017-9935, CVE-2017-18013 (#1530441), + CVE-2018-8905 (#1559705) and CVE-2018-10963 (#1579061) * Tue Apr 17 2018 Nikola Forró - 4.0.9-8 - Fix CVE-2018-7456 (#1556709) diff --git a/sources b/sources new file mode 100644 index 0000000..2c37446 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (tiff-4.6.0.tar.gz) = 80a117780fe5e2519b5c6661efa90a8a1e4591eb6300068b611ff9887285641c0782d9835482f589d6d109c3be6ffab8831c3561bb40e2456258deb1e896f08e