Auto sync2gitlab import of libtiff-4.0.9-21.el8.src.rpm
This commit is contained in:
parent
30a64345a4
commit
cdaa44c4b3
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
/tiff-4.0.9.tar.gz
|
36
libtiff-CVE-2017-18013.patch
Normal file
36
libtiff-CVE-2017-18013.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From b1997b9c3ac0d6bac5effd7558141986487217a9 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 31 Dec 2017 15:09:41 +0100
|
||||
Subject: [PATCH 2/4] libtiff/tif_print.c: TIFFPrintDirectory(): fix null
|
||||
pointer dereference on corrupted file. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2770 / CVE-2017-18013
|
||||
|
||||
---
|
||||
libtiff/tif_print.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||
index 10a588e..b9b53a0 100644
|
||||
--- a/libtiff/tif_print.c
|
||||
+++ b/libtiff/tif_print.c
|
||||
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
|
||||
(unsigned long) s,
|
||||
- (unsigned __int64) td->td_stripoffset[s],
|
||||
- (unsigned __int64) td->td_stripbytecount[s]);
|
||||
+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
|
||||
+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
|
||||
#else
|
||||
fprintf(fd, " %3lu: [%8llu, %8llu]\n",
|
||||
(unsigned long) s,
|
||||
- (unsigned long long) td->td_stripoffset[s],
|
||||
- (unsigned long long) td->td_stripbytecount[s]);
|
||||
+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
|
||||
+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
--
|
||||
2.17.0
|
||||
|
164
libtiff-CVE-2017-9935.patch
Normal file
164
libtiff-CVE-2017-9935.patch
Normal file
@ -0,0 +1,164 @@
|
||||
From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001
|
||||
From: Brian May <brian@linuxpenguins.xyz>
|
||||
Date: Thu, 7 Dec 2017 07:46:47 +1100
|
||||
Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935
|
||||
|
||||
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
|
||||
|
||||
This vulnerability - at least for the supplied test case - is because we
|
||||
assume that a tiff will only have one transfer function that is the same
|
||||
for all pages. This is not required by the TIFF standards.
|
||||
|
||||
We than read the transfer function for every page. Depending on the
|
||||
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
|
||||
We allocate this memory after we read in the transfer function for the
|
||||
page.
|
||||
|
||||
For the first exploit - POC1, this file has 3 pages. For the first page
|
||||
we allocate 2 extra extra XREF entries. Then for the next page 2 more
|
||||
entries. Then for the last page the transfer function changes and we
|
||||
allocate 4 more entries.
|
||||
|
||||
When we read the file into memory, we assume we have 4 bytes extra for
|
||||
each and every page (as per the last transfer function we read). Which
|
||||
is not correct, we only have 2 bytes extra for the first 2 pages. As a
|
||||
result, we end up writing past the end of the buffer.
|
||||
|
||||
There are also some related issues that this also fixes. For example,
|
||||
TIFFGetField can return uninitalized pointer values, and the logic to
|
||||
detect a N=3 vs N=1 transfer function seemed rather strange.
|
||||
|
||||
It is also strange that we declare the transfer functions to be of type
|
||||
float, when the standard says they are unsigned 16 bit values. This is
|
||||
fixed in another patch.
|
||||
|
||||
This patch will check to ensure that the N value for every transfer
|
||||
function is the same for every page. If this changes, we abort with an
|
||||
error. In theory, we should perhaps check that the transfer function
|
||||
itself is identical for every page, however we don't do that due to the
|
||||
confusion of the type of the data in the transfer function.
|
||||
---
|
||||
libtiff/tif_dir.c | 3 +++
|
||||
tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++----------------
|
||||
2 files changed, 49 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||
index f00f808..c36a5f3 100644
|
||||
--- a/libtiff/tif_dir.c
|
||||
+++ b/libtiff/tif_dir.c
|
||||
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
|
||||
*va_arg(ap, uint16**) = td->td_transferfunction[1];
|
||||
*va_arg(ap, uint16**) = td->td_transferfunction[2];
|
||||
+ } else {
|
||||
+ *va_arg(ap, uint16**) = NULL;
|
||||
+ *va_arg(ap, uint16**) = NULL;
|
||||
}
|
||||
break;
|
||||
case TIFFTAG_REFERENCEBLACKWHITE:
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index bdb9126..bd23c9e 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -239,7 +239,7 @@ typedef struct {
|
||||
float tiff_whitechromaticities[2];
|
||||
float tiff_primarychromaticities[6];
|
||||
float tiff_referenceblackwhite[2];
|
||||
- float* tiff_transferfunction[3];
|
||||
+ uint16* tiff_transferfunction[3];
|
||||
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
|
||||
1 : interpolate */
|
||||
uint16 tiff_transferfunctioncount;
|
||||
@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
uint16 pagen=0;
|
||||
uint16 paged=0;
|
||||
uint16 xuint16=0;
|
||||
+ uint16 tiff_transferfunctioncount=0;
|
||||
+ uint16* tiff_transferfunction[3];
|
||||
|
||||
directorycount=TIFFNumberOfDirectories(input);
|
||||
if(directorycount > TIFF_DIR_MAX) {
|
||||
@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
}
|
||||
#endif
|
||||
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
|
||||
- &(t2p->tiff_transferfunction[0]),
|
||||
- &(t2p->tiff_transferfunction[1]),
|
||||
- &(t2p->tiff_transferfunction[2]))) {
|
||||
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[1] !=
|
||||
- t2p->tiff_transferfunction[0])) {
|
||||
- t2p->tiff_transferfunctioncount = 3;
|
||||
- t2p->tiff_pages[i].page_extra += 4;
|
||||
- t2p->pdf_xrefcount += 4;
|
||||
- } else {
|
||||
- t2p->tiff_transferfunctioncount = 1;
|
||||
- t2p->tiff_pages[i].page_extra += 2;
|
||||
- t2p->pdf_xrefcount += 2;
|
||||
- }
|
||||
- if(t2p->pdf_minorversion < 2)
|
||||
- t2p->pdf_minorversion = 2;
|
||||
+ &(tiff_transferfunction[0]),
|
||||
+ &(tiff_transferfunction[1]),
|
||||
+ &(tiff_transferfunction[2]))) {
|
||||
+
|
||||
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||
+ (tiff_transferfunction[2] != (uint16*) NULL)
|
||||
+ ) {
|
||||
+ tiff_transferfunctioncount=3;
|
||||
+ } else {
|
||||
+ tiff_transferfunctioncount=1;
|
||||
+ }
|
||||
} else {
|
||||
- t2p->tiff_transferfunctioncount=0;
|
||||
+ tiff_transferfunctioncount=0;
|
||||
}
|
||||
+
|
||||
+ if (i > 0){
|
||||
+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Different transfer function on page %d",
|
||||
+ i);
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
|
||||
+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
|
||||
+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
|
||||
+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
|
||||
+ if(tiff_transferfunctioncount == 3){
|
||||
+ t2p->tiff_pages[i].page_extra += 4;
|
||||
+ t2p->pdf_xrefcount += 4;
|
||||
+ if(t2p->pdf_minorversion < 2)
|
||||
+ t2p->pdf_minorversion = 2;
|
||||
+ } else if (tiff_transferfunctioncount == 1){
|
||||
+ t2p->tiff_pages[i].page_extra += 2;
|
||||
+ t2p->pdf_xrefcount += 2;
|
||||
+ if(t2p->pdf_minorversion < 2)
|
||||
+ t2p->pdf_minorversion = 2;
|
||||
+ }
|
||||
+
|
||||
if( TIFFGetField(
|
||||
input,
|
||||
TIFFTAG_ICCPROFILE,
|
||||
@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||
&(t2p->tiff_transferfunction[0]),
|
||||
&(t2p->tiff_transferfunction[1]),
|
||||
&(t2p->tiff_transferfunction[2]))) {
|
||||
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[1] !=
|
||||
- t2p->tiff_transferfunction[0])) {
|
||||
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
|
||||
+ ) {
|
||||
t2p->tiff_transferfunctioncount=3;
|
||||
} else {
|
||||
t2p->tiff_transferfunctioncount=1;
|
||||
--
|
||||
2.17.0
|
||||
|
31
libtiff-CVE-2018-10963.patch
Normal file
31
libtiff-CVE-2018-10963.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 12 May 2018 14:24:15 +0200
|
||||
Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
|
||||
|
||||
---
|
||||
libtiff/tif_dirwrite.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
||||
index c68d6d2..5d0a669 100644
|
||||
--- a/libtiff/tif_dirwrite.c
|
||||
+++ b/libtiff/tif_dirwrite.c
|
||||
@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
|
||||
}
|
||||
break;
|
||||
default:
|
||||
- assert(0); /* we should never get here */
|
||||
- break;
|
||||
+ TIFFErrorExt(tif->tif_clientdata,module,
|
||||
+ "Cannot write tag %d (%s)",
|
||||
+ TIFFFieldTag(o),
|
||||
+ o->field_name ? o->field_name : "unknown");
|
||||
+ goto bad;
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.17.0
|
||||
|
47
libtiff-CVE-2018-12900.patch
Normal file
47
libtiff-CVE-2018-12900.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Mon, 11 Feb 2019 10:05:33 +0100
|
||||
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
|
||||
|
||||
fixes bug 2833
|
||||
---
|
||||
tools/tiffcp.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||
index 489459a..0c66229 100644
|
||||
--- a/tools/tiffcp.c
|
||||
+++ b/tools/tiffcp.c
|
||||
@@ -43,6 +43,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <limits.h>
|
||||
|
||||
#include <ctype.h>
|
||||
|
||||
@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
|
||||
int status = 1;
|
||||
uint32 imagew = TIFFRasterScanlineSize(in);
|
||||
uint32 tilew = TIFFTileRowSize(in);
|
||||
- int iskew = imagew - tilew*spp;
|
||||
+ int iskew;
|
||||
tsize_t tilesize = TIFFTileSize(in);
|
||||
tdata_t tilebuf;
|
||||
uint8* bufp = (uint8*) buf;
|
||||
@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
|
||||
uint32 row;
|
||||
uint16 bps = 0, bytes_per_sample;
|
||||
|
||||
+ if (tilew && spp > (INT_MAX / tilew))
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
|
||||
+ return 0;
|
||||
+ }
|
||||
+ iskew = imagew - tilew*spp;
|
||||
tilebuf = _TIFFmalloc(tilesize);
|
||||
if (tilebuf == 0)
|
||||
return 0;
|
||||
--
|
||||
2.21.0
|
||||
|
39
libtiff-CVE-2018-17100.patch
Normal file
39
libtiff-CVE-2018-17100.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From 491e3acc55d7a54e2588de476733e93c4c7ffea0 Mon Sep 17 00:00:00 2001
|
||||
From: Young_X <YangX92@hotmail.com>
|
||||
Date: Sat, 8 Sep 2018 14:46:27 +0800
|
||||
Subject: [PATCH] avoid potential int32 overflows in multiply_ms()
|
||||
|
||||
---
|
||||
tools/ppm2tiff.c | 13 +++++++------
|
||||
1 file changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
||||
index 91415e9..81ffa3d 100644
|
||||
--- a/tools/ppm2tiff.c
|
||||
+++ b/tools/ppm2tiff.c
|
||||
@@ -72,15 +72,16 @@ BadPPM(char* file)
|
||||
exit(-2);
|
||||
}
|
||||
|
||||
+
|
||||
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||
+
|
||||
static tmsize_t
|
||||
multiply_ms(tmsize_t m1, tmsize_t m2)
|
||||
{
|
||||
- tmsize_t bytes = m1 * m2;
|
||||
-
|
||||
- if (m1 && bytes / m1 != m2)
|
||||
- bytes = 0;
|
||||
-
|
||||
- return bytes;
|
||||
+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
|
||||
+ return 0;
|
||||
+ return m1 * m2;
|
||||
}
|
||||
|
||||
int
|
||||
--
|
||||
2.17.2
|
||||
|
107
libtiff-CVE-2018-18557.patch
Normal file
107
libtiff-CVE-2018-18557.patch
Normal file
@ -0,0 +1,107 @@
|
||||
From 2683f6c21aefc760d2f7e56dac6b4383841886d6 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 14 Oct 2018 16:38:29 +0200
|
||||
Subject: [PATCH 2/2] JBIG: fix potential out-of-bounds write in JBIGDecode()
|
||||
|
||||
JBIGDecode doesn't check if the user provided buffer is large enough
|
||||
to store the JBIG decoded image, which can potentially cause out-of-bounds
|
||||
write in the buffer.
|
||||
This issue was reported and analyzed by Thomas Dullien.
|
||||
|
||||
Also fixes a (harmless) potential use of uninitialized memory when
|
||||
tif->tif_rawsize > tif->tif_rawcc
|
||||
|
||||
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
|
||||
that whole strip data is provided to JBIGDecode()
|
||||
---
|
||||
libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
|
||||
libtiff/tif_read.c | 6 ++++++
|
||||
2 files changed, 32 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
|
||||
index 7a14dd9..8136c77 100644
|
||||
--- a/libtiff/tif_jbig.c
|
||||
+++ b/libtiff/tif_jbig.c
|
||||
@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
|
||||
struct jbg_dec_state decoder;
|
||||
int decodeStatus = 0;
|
||||
unsigned char* pImage = NULL;
|
||||
- (void) size, (void) s;
|
||||
+ unsigned long decodedSize;
|
||||
+ (void) s;
|
||||
|
||||
if (isFillOrder(tif, tif->tif_dir.td_fillorder))
|
||||
{
|
||||
- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
|
||||
+ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
|
||||
}
|
||||
|
||||
jbg_dec_init(&decoder);
|
||||
|
||||
#if defined(HAVE_JBG_NEWLEN)
|
||||
- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
|
||||
+ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
|
||||
/*
|
||||
* I do not check the return status of jbg_newlen because even if this
|
||||
* function fails it does not necessarily mean that decoding the image
|
||||
@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
|
||||
*/
|
||||
#endif /* HAVE_JBG_NEWLEN */
|
||||
|
||||
- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
|
||||
- (size_t)tif->tif_rawdatasize, NULL);
|
||||
+ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
|
||||
+ (size_t)tif->tif_rawcc, NULL);
|
||||
if (JBG_EOK != decodeStatus)
|
||||
{
|
||||
/*
|
||||
@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ decodedSize = jbg_dec_getsize(&decoder);
|
||||
+ if( (tmsize_t)decodedSize < size )
|
||||
+ {
|
||||
+ TIFFWarningExt(tif->tif_clientdata, "JBIG",
|
||||
+ "Only decoded %lu bytes, whereas %lu requested",
|
||||
+ decodedSize, (unsigned long)size);
|
||||
+ }
|
||||
+ else if( (tmsize_t)decodedSize > size )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, "JBIG",
|
||||
+ "Decoded %lu bytes, whereas %lu were requested",
|
||||
+ decodedSize, (unsigned long)size);
|
||||
+ jbg_dec_free(&decoder);
|
||||
+ return 0;
|
||||
+ }
|
||||
pImage = jbg_dec_getimage(&decoder, 0);
|
||||
- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
|
||||
+ _TIFFmemcpy(buffer, pImage, decodedSize);
|
||||
jbg_dec_free(&decoder);
|
||||
+
|
||||
+ tif->tif_rawcp += tif->tif_rawcc;
|
||||
+ tif->tif_rawcc = 0;
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
||||
index 2ba985a..04100f4 100644
|
||||
--- a/libtiff/tif_read.c
|
||||
+++ b/libtiff/tif_read.c
|
||||
@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
|
||||
return 0;
|
||||
whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
|
||||
|| isMapped(tif);
|
||||
+ if( td->td_compression == COMPRESSION_JBIG )
|
||||
+ {
|
||||
+ /* Ideally plugins should have a way to declare they don't support
|
||||
+ * chunk strip */
|
||||
+ whole_strip = 1;
|
||||
+ }
|
||||
#else
|
||||
whole_strip = 1;
|
||||
#endif
|
||||
--
|
||||
2.17.2
|
||||
|
121
libtiff-CVE-2018-18661.patch
Normal file
121
libtiff-CVE-2018-18661.patch
Normal file
@ -0,0 +1,121 @@
|
||||
From 20dbecdf69cf0209ad0246707aaf142bb1fee96e Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Tue, 30 Oct 2018 18:50:27 +0100
|
||||
Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
|
||||
memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
|
||||
CVE-2018-18661
|
||||
|
||||
---
|
||||
libtiff/tiffiop.h | 1 +
|
||||
tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
|
||||
tools/tiffcrop.c | 5 -----
|
||||
3 files changed, 27 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
||||
index daa291c..08e5dc4 100644
|
||||
--- a/libtiff/tiffiop.h
|
||||
+++ b/libtiff/tiffiop.h
|
||||
@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
|
||||
#endif
|
||||
|
||||
#define streq(a,b) (strcmp(a,b) == 0)
|
||||
+#define strneq(a,b,n) (strncmp(a,b,n) == 0)
|
||||
|
||||
#ifndef TRUE
|
||||
#define TRUE 1
|
||||
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
|
||||
index dad54af..1f3bb2c 100644
|
||||
--- a/tools/tiff2bw.c
|
||||
+++ b/tools/tiff2bw.c
|
||||
@@ -40,9 +40,7 @@
|
||||
#endif
|
||||
|
||||
#include "tiffio.h"
|
||||
-
|
||||
-#define streq(a,b) (strcmp((a),(b)) == 0)
|
||||
-#define strneq(a,b,n) (strncmp(a,b,n) == 0)
|
||||
+#include "tiffiop.h"
|
||||
|
||||
/* x% weighting -> fraction of full color */
|
||||
#define PCT(x) (((x)*256+50)/100)
|
||||
@@ -223,6 +221,11 @@ main(int argc, char* argv[])
|
||||
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
|
||||
TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
|
||||
outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
|
||||
+ if( !outbuf )
|
||||
+ {
|
||||
+ fprintf(stderr, "Out of memory\n");
|
||||
+ goto tiff2bw_error;
|
||||
+ }
|
||||
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
|
||||
TIFFDefaultStripSize(out, rowsperstrip));
|
||||
|
||||
@@ -246,6 +249,11 @@ main(int argc, char* argv[])
|
||||
#undef CVT
|
||||
}
|
||||
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
|
||||
+ if( !inbuf )
|
||||
+ {
|
||||
+ fprintf(stderr, "Out of memory\n");
|
||||
+ goto tiff2bw_error;
|
||||
+ }
|
||||
for (row = 0; row < h; row++) {
|
||||
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
|
||||
break;
|
||||
@@ -256,6 +264,11 @@ main(int argc, char* argv[])
|
||||
break;
|
||||
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
|
||||
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
|
||||
+ if( !inbuf )
|
||||
+ {
|
||||
+ fprintf(stderr, "Out of memory\n");
|
||||
+ goto tiff2bw_error;
|
||||
+ }
|
||||
for (row = 0; row < h; row++) {
|
||||
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
|
||||
break;
|
||||
@@ -265,8 +278,16 @@ main(int argc, char* argv[])
|
||||
}
|
||||
break;
|
||||
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
|
||||
+ {
|
||||
+ tmsize_t inbufsize;
|
||||
rowsize = TIFFScanlineSize(in);
|
||||
- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
|
||||
+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
|
||||
+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
|
||||
+ if( !inbuf )
|
||||
+ {
|
||||
+ fprintf(stderr, "Out of memory\n");
|
||||
+ goto tiff2bw_error;
|
||||
+ }
|
||||
for (row = 0; row < h; row++) {
|
||||
for (s = 0; s < 3; s++)
|
||||
if (TIFFReadScanline(in,
|
||||
@@ -278,6 +299,7 @@ main(int argc, char* argv[])
|
||||
break;
|
||||
}
|
||||
break;
|
||||
+ }
|
||||
}
|
||||
#undef pack
|
||||
if (inbuf)
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index c60cb38..3862b1c 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
||||
|
||||
#define TIFF_UINT32_MAX 0xFFFFFFFFU
|
||||
|
||||
-#ifndef streq
|
||||
-#define streq(a,b) (strcmp((a),(b)) == 0)
|
||||
-#endif
|
||||
-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0)
|
||||
-
|
||||
#define TRUE 1
|
||||
#define FALSE 0
|
||||
|
||||
--
|
||||
2.17.2
|
||||
|
128
libtiff-CVE-2018-5784.patch
Normal file
128
libtiff-CVE-2018-5784.patch
Normal file
@ -0,0 +1,128 @@
|
||||
From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
||||
Date: Fri, 23 Mar 2018 15:35:39 +0100
|
||||
Subject: [PATCH] Fix for bug 2772
|
||||
|
||||
It is possible to craft a TIFF document where the IFD list is circular,
|
||||
leading to an infinite loop while traversing the chain. The libtiff
|
||||
directory reader has a failsafe that will break out of this loop after
|
||||
reading 65535 directory entries, but it will continue processing,
|
||||
consuming time and resources to process what is essentially a bogus TIFF
|
||||
document.
|
||||
|
||||
This change fixes the above behavior by breaking out of processing when
|
||||
a TIFF document has >= 65535 directories and terminating with an error.
|
||||
---
|
||||
contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
|
||||
tools/tiff2pdf.c | 10 ++++++++++
|
||||
tools/tiffcrop.c | 13 +++++++++++--
|
||||
3 files changed, 34 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
|
||||
index c61ffbb..03b3573 100644
|
||||
--- a/contrib/addtiffo/tif_overview.c
|
||||
+++ b/contrib/addtiffo/tif_overview.c
|
||||
@@ -65,6 +65,8 @@
|
||||
# define MAX(a,b) ((a>b) ? a : b)
|
||||
#endif
|
||||
|
||||
+#define TIFF_DIR_MAX 65534
|
||||
+
|
||||
void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
|
||||
int (*)(double,void*), void * );
|
||||
|
||||
@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
|
||||
{
|
||||
toff_t nBaseDirOffset;
|
||||
toff_t nOffset;
|
||||
+ tdir_t iNumDir;
|
||||
|
||||
(void) bUseSubIFDs;
|
||||
|
||||
@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
|
||||
return 0;
|
||||
|
||||
TIFFWriteDirectory( hTIFF );
|
||||
- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
|
||||
+ iNumDir = TIFFNumberOfDirectories(hTIFF);
|
||||
+ if( iNumDir > TIFF_DIR_MAX )
|
||||
+ {
|
||||
+ TIFFErrorExt( TIFFClientdata(hTIFF),
|
||||
+ "TIFF_WriteOverview",
|
||||
+ "File `%s' has too many directories.\n",
|
||||
+ TIFFFileName(hTIFF) );
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
|
||||
|
||||
nOffset = TIFFCurrentDirOffset( hTIFF );
|
||||
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index 454befb..bdb9126 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
|
||||
|
||||
#define PS_UNIT_SIZE 72.0F
|
||||
|
||||
+#define TIFF_DIR_MAX 65534
|
||||
+
|
||||
/* This type is of PDF color spaces. */
|
||||
typedef enum {
|
||||
T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
|
||||
@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
uint16 xuint16=0;
|
||||
|
||||
directorycount=TIFFNumberOfDirectories(input);
|
||||
+ if(directorycount > TIFF_DIR_MAX) {
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "TIFF contains too many directories, %s",
|
||||
+ TIFFFileName(input));
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
|
||||
if(t2p->tiff_pages==NULL){
|
||||
TIFFError(
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index c69177e..c60cb38 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
||||
#define DUMP_TEXT 1
|
||||
#define DUMP_RAW 2
|
||||
|
||||
+#define TIFF_DIR_MAX 65534
|
||||
+
|
||||
/* Offsets into buffer for margins and fixed width and length segments */
|
||||
struct offset {
|
||||
uint32 tmargin;
|
||||
@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
|
||||
pageNum = -1;
|
||||
else
|
||||
total_images = 0;
|
||||
- /* read multiple input files and write to output file(s) */
|
||||
+ /* Read multiple input files and write to output file(s) */
|
||||
while (optind < argc - 1)
|
||||
{
|
||||
in = TIFFOpen (argv[optind], "r");
|
||||
@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
|
||||
return (-3);
|
||||
|
||||
/* If only one input file is specified, we can use directory count */
|
||||
- total_images = TIFFNumberOfDirectories(in);
|
||||
+ total_images = TIFFNumberOfDirectories(in);
|
||||
+ if (total_images > TIFF_DIR_MAX)
|
||||
+ {
|
||||
+ TIFFError (TIFFFileName(in), "File contains too many directories");
|
||||
+ if (out != NULL)
|
||||
+ (void) TIFFClose(out);
|
||||
+ return (1);
|
||||
+ }
|
||||
if (image_count == 0)
|
||||
{
|
||||
dirnum = 0;
|
||||
--
|
||||
2.13.6
|
||||
|
170
libtiff-CVE-2018-7456.patch
Normal file
170
libtiff-CVE-2018-7456.patch
Normal file
@ -0,0 +1,170 @@
|
||||
From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
||||
Date: Tue, 17 Apr 2018 18:42:09 +0200
|
||||
Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
|
||||
|
||||
The TIFFPrintDirectory function relies on the following assumptions,
|
||||
supposed to be guaranteed by the specification:
|
||||
|
||||
(a) A Transfer Function field is only present if the TIFF file has
|
||||
photometric type < 3.
|
||||
|
||||
(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
|
||||
has count SamplesPerPixel - (Color Channels) and contains
|
||||
information about supplementary channels.
|
||||
|
||||
While respect of (a) and (b) are essential for the well functioning of
|
||||
TIFFPrintDirectory, no checks are realized neither by the callee nor
|
||||
by TIFFPrintDirectory itself. Hence, following scenarios might happen
|
||||
and trigger the NULL pointer dereference:
|
||||
|
||||
(1) TIFF File of photometric type 4 or more has illegal Transfer
|
||||
Function field.
|
||||
|
||||
(2) TIFF File has photometric type 3 or less and defines a
|
||||
SamplesPerPixel field such that SamplesPerPixel > Color Channels
|
||||
without defining all extra samples in the ExtraSamples fields.
|
||||
|
||||
In this patch, we address both issues with respect of the following
|
||||
principles:
|
||||
|
||||
(A) In the case of (1), the defined transfer table should be printed
|
||||
safely even if it isn't 'legal'. This allows us to avoid expensive
|
||||
checks in TIFFPrintDirectory. Also, it is quite possible that
|
||||
an alternative photometric type would be developed (not part of the
|
||||
standard) and would allow definition of Transfer Table. We want
|
||||
libtiff to be able to handle this scenario out of the box.
|
||||
|
||||
(B) In the case of (2), the transfer table should be printed at its
|
||||
right size, that is if TIFF file has photometric type Palette
|
||||
then the transfer table should have one row and not three, even
|
||||
if two extra samples are declared.
|
||||
|
||||
In order to fulfill (A) we simply add a new 'i < 3' end condition to
|
||||
the broken TIFFPrintDirectory loop. This makes sure that in any case
|
||||
where (b) would be respected but not (a), everything stays fine.
|
||||
|
||||
(B) is fulfilled by the loop condition
|
||||
'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
|
||||
long as (b) is respected.
|
||||
|
||||
Naturally, we also make sure (b) is respected. This is done in the
|
||||
TIFFReadDirectory function by making sure any non-color channel is
|
||||
counted in ExtraSamples.
|
||||
|
||||
This commit addresses CVE-2018-7456.
|
||||
---
|
||||
libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
|
||||
libtiff/tif_print.c | 2 +-
|
||||
2 files changed, 63 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||
index 5e62e81..80aaf8d 100644
|
||||
--- a/libtiff/tif_dirread.c
|
||||
+++ b/libtiff/tif_dirread.c
|
||||
@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
|
||||
static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
|
||||
static void ChopUpSingleUncompressedStrip(TIFF*);
|
||||
static uint64 TIFFReadUInt64(const uint8 *value);
|
||||
+static int _TIFFGetMaxColorChannels(uint16 photometric);
|
||||
|
||||
static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
|
||||
|
||||
@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
|
||||
}
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Return the maximum number of color channels specified for a given photometric
|
||||
+ * type. 0 is returned if photometric type isn't supported or no default value
|
||||
+ * is defined by the specification.
|
||||
+ */
|
||||
+static int _TIFFGetMaxColorChannels( uint16 photometric )
|
||||
+{
|
||||
+ switch (photometric) {
|
||||
+ case PHOTOMETRIC_PALETTE:
|
||||
+ case PHOTOMETRIC_MINISWHITE:
|
||||
+ case PHOTOMETRIC_MINISBLACK:
|
||||
+ return 1;
|
||||
+ case PHOTOMETRIC_YCBCR:
|
||||
+ case PHOTOMETRIC_RGB:
|
||||
+ case PHOTOMETRIC_CIELAB:
|
||||
+ return 3;
|
||||
+ case PHOTOMETRIC_SEPARATED:
|
||||
+ case PHOTOMETRIC_MASK:
|
||||
+ return 4;
|
||||
+ case PHOTOMETRIC_LOGL:
|
||||
+ case PHOTOMETRIC_LOGLUV:
|
||||
+ case PHOTOMETRIC_CFA:
|
||||
+ case PHOTOMETRIC_ITULAB:
|
||||
+ case PHOTOMETRIC_ICCLAB:
|
||||
+ default:
|
||||
+ return 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Read the next TIFF directory from a file and convert it to the internal
|
||||
* format. We read directories sequentially.
|
||||
@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
|
||||
uint32 fii=FAILED_FII;
|
||||
toff_t nextdiroff;
|
||||
int bitspersample_read = FALSE;
|
||||
+ int color_channels;
|
||||
|
||||
tif->tif_diroff=tif->tif_nextdiroff;
|
||||
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
|
||||
@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
|
||||
}
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Make sure all non-color channels are extrasamples.
|
||||
+ * If it's not the case, define them as such.
|
||||
+ */
|
||||
+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
|
||||
+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
|
||||
+ uint16 old_extrasamples;
|
||||
+ uint16 *new_sampleinfo;
|
||||
+
|
||||
+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
|
||||
+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
|
||||
+ "Defining non-color channels as ExtraSamples.");
|
||||
+
|
||||
+ old_extrasamples = tif->tif_dir.td_extrasamples;
|
||||
+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
|
||||
+
|
||||
+ // sampleinfo should contain information relative to these new extra samples
|
||||
+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
|
||||
+ if (!new_sampleinfo) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
|
||||
+ "temporary new sampleinfo array (%d 16 bit elements)",
|
||||
+ tif->tif_dir.td_extrasamples);
|
||||
+ goto bad;
|
||||
+ }
|
||||
+
|
||||
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
|
||||
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
|
||||
+ _TIFFfree(new_sampleinfo);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Verify Palette image has a Colormap.
|
||||
*/
|
||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||
index 24d4b98..10a588e 100644
|
||||
--- a/libtiff/tif_print.c
|
||||
+++ b/libtiff/tif_print.c
|
||||
@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||
uint16 i;
|
||||
fprintf(fd, " %2ld: %5u",
|
||||
l, td->td_transferfunction[0][l]);
|
||||
- for (i = 1; i < td->td_samplesperpixel; i++)
|
||||
+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
|
||||
fprintf(fd, " %5u",
|
||||
td->td_transferfunction[i][l]);
|
||||
fputc('\n', fd);
|
||||
--
|
||||
2.17.0
|
||||
|
53
libtiff-CVE-2018-8905.patch
Normal file
53
libtiff-CVE-2018-8905.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From 1c127eb3cb7653bd61b61f9c3cfeb36fd10edab1 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 12 May 2018 15:32:31 +0200
|
||||
Subject: [PATCH 3/4] LZWDecodeCompat(): fix potential index-out-of-bounds
|
||||
write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
|
||||
CVE-2018-8905
|
||||
|
||||
The fix consists in using the similar code LZWDecode() to validate we
|
||||
don't write outside of the output buffer.
|
||||
---
|
||||
libtiff/tif_lzw.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
|
||||
index bc8f9c8..186ea3c 100644
|
||||
--- a/libtiff/tif_lzw.c
|
||||
+++ b/libtiff/tif_lzw.c
|
||||
@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
|
||||
char *tp;
|
||||
unsigned char *bp;
|
||||
int code, nbits;
|
||||
+ int len;
|
||||
long nextbits, nextdata, nbitsmask;
|
||||
code_t *codep, *free_entp, *maxcodep, *oldcodep;
|
||||
|
||||
@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
|
||||
} while (--occ);
|
||||
break;
|
||||
}
|
||||
- assert(occ >= codep->length);
|
||||
- op += codep->length;
|
||||
- occ -= codep->length;
|
||||
- tp = op;
|
||||
+ len = codep->length;
|
||||
+ tp = op + len;
|
||||
do {
|
||||
- *--tp = codep->value;
|
||||
- } while( (codep = codep->next) != NULL );
|
||||
+ int t;
|
||||
+ --tp;
|
||||
+ t = codep->value;
|
||||
+ codep = codep->next;
|
||||
+ *tp = (char)t;
|
||||
+ } while (codep && tp > op);
|
||||
+ assert(occ >= len);
|
||||
+ op += len;
|
||||
+ occ -= len;
|
||||
} else {
|
||||
*op++ = (char)code;
|
||||
occ--;
|
||||
--
|
||||
2.17.0
|
||||
|
424
libtiff-CVE-2019-14973.patch
Normal file
424
libtiff-CVE-2019-14973.patch
Normal file
@ -0,0 +1,424 @@
|
||||
From 218c3753fba788c78a9b5e515e884043f6e2ba28 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 10 Aug 2019 18:25:03 +0200
|
||||
Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
|
||||
implementation-defined behaviour (CVE-2019-14973)
|
||||
|
||||
_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
|
||||
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
|
||||
signed), which was especially easily triggered on 32-bit builds (with recent
|
||||
enough compilers that assume that signed multiplication cannot overflow, since
|
||||
this is undefined behaviour by the C standard). The original issue which lead to
|
||||
this fix was trigged from tif_fax3.c
|
||||
|
||||
There were also unsafe (implementation defied), and broken in practice on 64bit
|
||||
builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
|
||||
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
|
||||
at that time exploits, but are better to fix in a more bullet-proof way.
|
||||
Or similarly use of (int64)uint64_var <= 0.
|
||||
---
|
||||
libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
|
||||
libtiff/tif_getimage.c | 6 ++----
|
||||
libtiff/tif_luv.c | 8 +------
|
||||
libtiff/tif_pixarlog.c | 7 +-----
|
||||
libtiff/tif_read.c | 38 +++++++++-----------------------
|
||||
libtiff/tif_strip.c | 35 ++++--------------------------
|
||||
libtiff/tif_tile.c | 27 +++--------------------
|
||||
libtiff/tiffiop.h | 7 +++++-
|
||||
8 files changed, 71 insertions(+), 106 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
|
||||
index 10b8d00..38a98b6 100644
|
||||
--- a/libtiff/tif_aux.c
|
||||
+++ b/libtiff/tif_aux.c
|
||||
@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
|
||||
return bytes;
|
||||
}
|
||||
|
||||
+tmsize_t
|
||||
+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
|
||||
+{
|
||||
+ if( first <= 0 || second <= 0 )
|
||||
+ {
|
||||
+ if( tif != NULL && where != NULL )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, where,
|
||||
+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
|
||||
+ }
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if( first > TIFF_TMSIZE_T_MAX / second )
|
||||
+ {
|
||||
+ if( tif != NULL && where != NULL )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, where,
|
||||
+ "Integer overflow in %s", where);
|
||||
+ }
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return first * second;
|
||||
+}
|
||||
+
|
||||
+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
|
||||
+{
|
||||
+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
|
||||
+ {
|
||||
+ if( tif != NULL && module != NULL )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||
+ }
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return (tmsize_t)val;
|
||||
+}
|
||||
+
|
||||
void*
|
||||
_TIFFCheckRealloc(TIFF* tif, void* buffer,
|
||||
tmsize_t nmemb, tmsize_t elem_size, const char* what)
|
||||
{
|
||||
void* cp = NULL;
|
||||
- tmsize_t bytes = nmemb * elem_size;
|
||||
-
|
||||
+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
|
||||
/*
|
||||
- * XXX: Check for integer overflow.
|
||||
+ * Check for integer overflow.
|
||||
*/
|
||||
- if (nmemb && elem_size && bytes / elem_size == nmemb)
|
||||
- cp = _TIFFrealloc(buffer, bytes);
|
||||
+ if (count != 0)
|
||||
+ {
|
||||
+ cp = _TIFFrealloc(buffer, count);
|
||||
+ }
|
||||
|
||||
if (cp == NULL) {
|
||||
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index fc554cc..ec09fea 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
uint32 leftmost_tw;
|
||||
|
||||
tilesize = TIFFTileSize(tif);
|
||||
- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
|
||||
+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
|
||||
if (bufsize == 0) {
|
||||
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
|
||||
return (0);
|
||||
}
|
||||
|
||||
@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
uint16 colorchannels;
|
||||
|
||||
stripsize = TIFFStripSize(tif);
|
||||
- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
|
||||
+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
|
||||
if (bufsize == 0) {
|
||||
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
|
||||
return (0);
|
||||
}
|
||||
|
||||
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
|
||||
index 4b25244..c4cb73a 100644
|
||||
--- a/libtiff/tif_luv.c
|
||||
+++ b/libtiff/tif_luv.c
|
||||
@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
|
||||
return (SGILOGDATAFMT_UNKNOWN);
|
||||
}
|
||||
|
||||
-
|
||||
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||
-
|
||||
static tmsize_t
|
||||
multiply_ms(tmsize_t m1, tmsize_t m2)
|
||||
{
|
||||
- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
|
||||
- return 0;
|
||||
- return m1 * m2;
|
||||
+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
|
||||
}
|
||||
|
||||
static int
|
||||
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
|
||||
index 979858d..8e9eaa1 100644
|
||||
--- a/libtiff/tif_pixarlog.c
|
||||
+++ b/libtiff/tif_pixarlog.c
|
||||
@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
|
||||
return guess;
|
||||
}
|
||||
|
||||
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||
-
|
||||
static tmsize_t
|
||||
multiply_ms(tmsize_t m1, tmsize_t m2)
|
||||
{
|
||||
- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
|
||||
- return 0;
|
||||
- return m1 * m2;
|
||||
+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
|
||||
}
|
||||
|
||||
static tmsize_t
|
||||
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
||||
index 04100f4..9a0e6e9 100644
|
||||
--- a/libtiff/tif_read.c
|
||||
+++ b/libtiff/tif_read.c
|
||||
@@ -31,9 +31,6 @@
|
||||
#include "tiffiop.h"
|
||||
#include <stdio.h>
|
||||
|
||||
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||
-
|
||||
int TIFFFillStrip(TIFF* tif, uint32 strip);
|
||||
int TIFFFillTile(TIFF* tif, uint32 tile);
|
||||
static int TIFFStartStrip(TIFF* tif, uint32 strip);
|
||||
@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
|
||||
#define THRESHOLD_MULTIPLIER 10
|
||||
#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
|
||||
|
||||
+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
|
||||
+
|
||||
/* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
|
||||
* Returns 1 in case of success, 0 otherwise. */
|
||||
static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
|
||||
@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
|
||||
return ((tmsize_t)(-1));
|
||||
}
|
||||
bytecount = td->td_stripbytecount[strip];
|
||||
- if ((int64)bytecount <= 0) {
|
||||
-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
- TIFFErrorExt(tif->tif_clientdata, module,
|
||||
- "%I64u: Invalid strip byte count, strip %lu",
|
||||
- (unsigned __int64) bytecount,
|
||||
- (unsigned long) strip);
|
||||
-#else
|
||||
- TIFFErrorExt(tif->tif_clientdata, module,
|
||||
- "%llu: Invalid strip byte count, strip %lu",
|
||||
- (unsigned long long) bytecount,
|
||||
- (unsigned long) strip);
|
||||
-#endif
|
||||
- return ((tmsize_t)(-1));
|
||||
- }
|
||||
- bytecountm = (tmsize_t)bytecount;
|
||||
- if ((uint64)bytecountm!=bytecount) {
|
||||
- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
|
||||
+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
|
||||
+ if (bytecountm == 0) {
|
||||
return ((tmsize_t)(-1));
|
||||
}
|
||||
if (size != (tmsize_t)(-1) && size < bytecountm)
|
||||
@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
|
||||
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
|
||||
{
|
||||
uint64 bytecount = td->td_stripbytecount[strip];
|
||||
- if ((int64)bytecount <= 0) {
|
||||
+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
"Invalid strip byte count %I64u, strip %lu",
|
||||
@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
|
||||
(bytecount - 4096) / 10 > (uint64)stripsize )
|
||||
{
|
||||
uint64 newbytecount = (uint64)stripsize * 10 + 4096;
|
||||
- if( (int64)newbytecount >= 0 )
|
||||
+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
|
||||
{
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFWarningExt(tif->tif_clientdata, module,
|
||||
@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
|
||||
bytecount64 = td->td_stripbytecount[tile];
|
||||
if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
|
||||
bytecount64 = (uint64)size;
|
||||
- bytecountm = (tmsize_t)bytecount64;
|
||||
- if ((uint64)bytecountm!=bytecount64)
|
||||
- {
|
||||
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||
+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
|
||||
+ if( bytecountm == 0 ) {
|
||||
return ((tmsize_t)(-1));
|
||||
}
|
||||
return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
|
||||
@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
|
||||
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
|
||||
{
|
||||
uint64 bytecount = td->td_stripbytecount[tile];
|
||||
- if ((int64)bytecount <= 0) {
|
||||
+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
"%I64u: Invalid tile byte count, tile %lu",
|
||||
@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
|
||||
(bytecount - 4096) / 10 > (uint64)stripsize )
|
||||
{
|
||||
uint64 newbytecount = (uint64)stripsize * 10 + 4096;
|
||||
- if( (int64)newbytecount >= 0 )
|
||||
+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
|
||||
{
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFWarningExt(tif->tif_clientdata, module,
|
||||
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
|
||||
index 6e9f2ef..321ad6b 100644
|
||||
--- a/libtiff/tif_strip.c
|
||||
+++ b/libtiff/tif_strip.c
|
||||
@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
|
||||
{
|
||||
static const char module[] = "TIFFVStripSize";
|
||||
uint64 m;
|
||||
- tmsize_t n;
|
||||
m=TIFFVStripSize64(tif,nrows);
|
||||
- n=(tmsize_t)m;
|
||||
- if ((uint64)n!=m)
|
||||
- {
|
||||
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||
- n=0;
|
||||
- }
|
||||
- return(n);
|
||||
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif)
|
||||
{
|
||||
static const char module[] = "TIFFStripSize";
|
||||
uint64 m;
|
||||
- tmsize_t n;
|
||||
m=TIFFStripSize64(tif);
|
||||
- n=(tmsize_t)m;
|
||||
- if ((uint64)n!=m)
|
||||
- {
|
||||
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||
- n=0;
|
||||
- }
|
||||
- return(n);
|
||||
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif)
|
||||
{
|
||||
static const char module[] = "TIFFScanlineSize";
|
||||
uint64 m;
|
||||
- tmsize_t n;
|
||||
m=TIFFScanlineSize64(tif);
|
||||
- n=(tmsize_t)m;
|
||||
- if ((uint64)n!=m) {
|
||||
- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
|
||||
- n=0;
|
||||
- }
|
||||
- return(n);
|
||||
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif)
|
||||
{
|
||||
static const char module[] = "TIFFRasterScanlineSize";
|
||||
uint64 m;
|
||||
- tmsize_t n;
|
||||
m=TIFFRasterScanlineSize64(tif);
|
||||
- n=(tmsize_t)m;
|
||||
- if ((uint64)n!=m)
|
||||
- {
|
||||
- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
|
||||
- n=0;
|
||||
- }
|
||||
- return(n);
|
||||
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||
}
|
||||
|
||||
/* vim: set ts=8 sts=8 sw=8 noet: */
|
||||
diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
|
||||
index 388e168..7d05750 100644
|
||||
--- a/libtiff/tif_tile.c
|
||||
+++ b/libtiff/tif_tile.c
|
||||
@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
|
||||
{
|
||||
static const char module[] = "TIFFTileRowSize";
|
||||
uint64 m;
|
||||
- tmsize_t n;
|
||||
m=TIFFTileRowSize64(tif);
|
||||
- n=(tmsize_t)m;
|
||||
- if ((uint64)n!=m)
|
||||
- {
|
||||
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||
- n=0;
|
||||
- }
|
||||
- return(n);
|
||||
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
|
||||
{
|
||||
static const char module[] = "TIFFVTileSize";
|
||||
uint64 m;
|
||||
- tmsize_t n;
|
||||
m=TIFFVTileSize64(tif,nrows);
|
||||
- n=(tmsize_t)m;
|
||||
- if ((uint64)n!=m)
|
||||
- {
|
||||
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||
- n=0;
|
||||
- }
|
||||
- return(n);
|
||||
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif)
|
||||
{
|
||||
static const char module[] = "TIFFTileSize";
|
||||
uint64 m;
|
||||
- tmsize_t n;
|
||||
m=TIFFTileSize64(tif);
|
||||
- n=(tmsize_t)m;
|
||||
- if ((uint64)n!=m)
|
||||
- {
|
||||
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||
- n=0;
|
||||
- }
|
||||
- return(n);
|
||||
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
||||
index 08e5dc4..d4b8631 100644
|
||||
--- a/libtiff/tiffiop.h
|
||||
+++ b/libtiff/tiffiop.h
|
||||
@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
|
||||
#define FALSE 0
|
||||
#endif
|
||||
|
||||
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||
+
|
||||
typedef struct client_info {
|
||||
struct client_info *next;
|
||||
void *data;
|
||||
@@ -260,7 +263,7 @@ struct tiff {
|
||||
#define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
|
||||
#define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
|
||||
|
||||
-/* Safe multiply which returns zero if there is an integer overflow */
|
||||
+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
|
||||
#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
|
||||
|
||||
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
|
||||
@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
|
||||
|
||||
extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
|
||||
extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
|
||||
+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
|
||||
+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
|
||||
extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
|
||||
extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
104
libtiff-CVE-2019-17546.patch
Normal file
104
libtiff-CVE-2019-17546.patch
Normal file
@ -0,0 +1,104 @@
|
||||
From 3d451e3f95cbb67dd771a986991b5b6107140c4e Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Thu, 15 Aug 2019 15:05:28 +0200
|
||||
Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
|
||||
write heap buffer overflow, especially on 32 bit builds. Fixes
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
|
||||
Fuzz
|
||||
|
||||
---
|
||||
libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
|
||||
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index ec09fea..c6edd27 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
fromskew = (w < imagewidth ? imagewidth - w : 0);
|
||||
for (row = 0; row < h; row += nrow)
|
||||
{
|
||||
+ uint32 temp;
|
||||
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
|
||||
nrow = (row + rowstoread > h ? h - row : rowstoread);
|
||||
nrowsub = nrow;
|
||||
if ((nrowsub%subsamplingver)!=0)
|
||||
nrowsub+=subsamplingver-nrowsub%subsamplingver;
|
||||
+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
|
||||
+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
|
||||
+ return 0;
|
||||
+ }
|
||||
if (_TIFFReadEncodedStripAndAllocBuffer(tif,
|
||||
TIFFComputeStrip(tif,row+img->row_offset, 0),
|
||||
(void**)(&buf),
|
||||
maxstripsize,
|
||||
- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
|
||||
+ temp * scanline)==(tmsize_t)(-1)
|
||||
&& (buf == NULL || img->stoponerr))
|
||||
{
|
||||
ret = 0;
|
||||
@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
fromskew = (w < imagewidth ? imagewidth - w : 0);
|
||||
for (row = 0; row < h; row += nrow)
|
||||
{
|
||||
+ uint32 temp;
|
||||
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
|
||||
nrow = (row + rowstoread > h ? h - row : rowstoread);
|
||||
offset_row = row + img->row_offset;
|
||||
+ temp = (row + img->row_offset)%rowsperstrip + nrow;
|
||||
+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
|
||||
+ return 0;
|
||||
+ }
|
||||
if( buf == NULL )
|
||||
{
|
||||
if (_TIFFReadEncodedStripAndAllocBuffer(
|
||||
tif, TIFFComputeStrip(tif, offset_row, 0),
|
||||
(void**) &buf, bufsize,
|
||||
- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
|
||||
+ temp * scanline)==(tmsize_t)(-1)
|
||||
&& (buf == NULL || img->stoponerr))
|
||||
{
|
||||
ret = 0;
|
||||
@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
}
|
||||
}
|
||||
else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
|
||||
- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
|
||||
+ p0, temp * scanline)==(tmsize_t)(-1)
|
||||
&& img->stoponerr)
|
||||
{
|
||||
ret = 0;
|
||||
@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
}
|
||||
if (colorchannels > 1
|
||||
&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
|
||||
- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
|
||||
+ p1, temp * scanline) == (tmsize_t)(-1)
|
||||
&& img->stoponerr)
|
||||
{
|
||||
ret = 0;
|
||||
@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
}
|
||||
if (colorchannels > 1
|
||||
&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
|
||||
- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
|
||||
+ p2, temp * scanline) == (tmsize_t)(-1)
|
||||
&& img->stoponerr)
|
||||
{
|
||||
ret = 0;
|
||||
@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
if (alpha)
|
||||
{
|
||||
if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
|
||||
- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
|
||||
+ pa, temp * scanline)==(tmsize_t)(-1)
|
||||
&& img->stoponerr)
|
||||
{
|
||||
ret = 0;
|
||||
--
|
||||
2.21.1
|
||||
|
89
libtiff-CVE-2020-19131.patch
Normal file
89
libtiff-CVE-2020-19131.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From b64713005e6110c36265750435cfa641d3a9281f Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Mon, 11 Feb 2019 23:08:25 +0100
|
||||
Subject: [PATCH] tiffcrop.c: fix invertImage() for bps 2 and 4
|
||||
|
||||
too much bytes were processed, causing a heap buffer overrun
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2831
|
||||
the loop counter must be
|
||||
for (col = 0; col < width; col += 8 / bps)
|
||||
|
||||
Also the values were not properly calculated. It should be
|
||||
255-x, 15-x, 3-x for bps 8, 4, 2.
|
||||
|
||||
But anyway it is easyer to invert all bits as 255-x = ~x, etc.
|
||||
(substracting from a binary number composed of all 1 is like inverting
|
||||
the bits)
|
||||
---
|
||||
tools/tiffcrop.c | 37 ++++++-------------------------------
|
||||
1 file changed, 6 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 3862b1c..a612914 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -9142,7 +9142,6 @@ static int
|
||||
invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
|
||||
{
|
||||
uint32 row, col;
|
||||
- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4;
|
||||
unsigned char *src;
|
||||
uint16 *src_uint16;
|
||||
uint32 *src_uint32;
|
||||
@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
|
||||
for (row = 0; row < length; row++)
|
||||
for (col = 0; col < width; col++)
|
||||
{
|
||||
- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
|
||||
+ *src_uint32 = ~(*src_uint32);
|
||||
src_uint32++;
|
||||
}
|
||||
break;
|
||||
@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
|
||||
for (row = 0; row < length; row++)
|
||||
for (col = 0; col < width; col++)
|
||||
{
|
||||
- *src_uint16 = (uint16)0xFFFF - *src_uint16;
|
||||
+ *src_uint16 = ~(*src_uint16);
|
||||
src_uint16++;
|
||||
}
|
||||
break;
|
||||
- case 8: for (row = 0; row < length; row++)
|
||||
- for (col = 0; col < width; col++)
|
||||
- {
|
||||
- *src = (uint8)255 - *src;
|
||||
- src++;
|
||||
- }
|
||||
- break;
|
||||
- case 4: for (row = 0; row < length; row++)
|
||||
- for (col = 0; col < width; col++)
|
||||
- {
|
||||
- bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
|
||||
- bytebuff2 = 16 - (*src & 15);
|
||||
- *src = bytebuff1 << 4 & bytebuff2;
|
||||
- src++;
|
||||
- }
|
||||
- break;
|
||||
- case 2: for (row = 0; row < length; row++)
|
||||
- for (col = 0; col < width; col++)
|
||||
- {
|
||||
- bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
|
||||
- bytebuff2 = 4 - (uint8)(*src & 48 >> 4);
|
||||
- bytebuff3 = 4 - (uint8)(*src & 12 >> 2);
|
||||
- bytebuff4 = 4 - (uint8)(*src & 3);
|
||||
- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
|
||||
- src++;
|
||||
- }
|
||||
- break;
|
||||
+ case 8:
|
||||
+ case 4:
|
||||
+ case 2:
|
||||
case 1: for (row = 0; row < length; row++)
|
||||
- for (col = 0; col < width; col += 8 /(spp * bps))
|
||||
+ for (col = 0; col < width; col += 8 / bps)
|
||||
{
|
||||
*src = ~(*src);
|
||||
src++;
|
||||
--
|
||||
2.32.0
|
||||
|
86
libtiff-CVE-2020-35521_CVE-2020-35522.patch
Normal file
86
libtiff-CVE-2020-35521_CVE-2020-35522.patch
Normal file
@ -0,0 +1,86 @@
|
||||
From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Sun, 15 Nov 2020 17:02:51 +0100
|
||||
Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba
|
||||
|
||||
fixes #207
|
||||
fixes #209
|
||||
---
|
||||
tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
|
||||
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
|
||||
index 4de96ae..e6de220 100644
|
||||
--- a/tools/tiff2rgba.c
|
||||
+++ b/tools/tiff2rgba.c
|
||||
@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
|
||||
int process_by_block = 0; /* default is whole image at once */
|
||||
int no_alpha = 0;
|
||||
int bigtiff_output = 0;
|
||||
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
|
||||
+/* malloc size limit (in bytes)
|
||||
+ * disabled when set to 0 */
|
||||
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
|
||||
|
||||
|
||||
static int tiffcvt(TIFF* in, TIFF* out);
|
||||
@@ -70,8 +74,11 @@ main(int argc, char* argv[])
|
||||
extern char *optarg;
|
||||
#endif
|
||||
|
||||
- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
|
||||
+ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
|
||||
switch (c) {
|
||||
+ case 'M':
|
||||
+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
|
||||
+ break;
|
||||
case 'b':
|
||||
process_by_block = 1;
|
||||
break;
|
||||
@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
|
||||
(unsigned long)width, (unsigned long)height);
|
||||
return 0;
|
||||
}
|
||||
+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
|
||||
+ TIFFError(TIFFFileName(in),
|
||||
+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
|
||||
+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
|
||||
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
|
||||
@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
|
||||
TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
|
||||
CopyField(TIFFTAG_DOCUMENTNAME, stringv);
|
||||
|
||||
+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(in),
|
||||
+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
|
||||
+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
|
||||
+ return 0;
|
||||
+ }
|
||||
if( process_by_block && TIFFIsTiled( in ) )
|
||||
return( cvt_by_tile( in, out ) );
|
||||
else if( process_by_block )
|
||||
@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
|
||||
}
|
||||
|
||||
static char* stuff[] = {
|
||||
- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
|
||||
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
|
||||
"where comp is one of the following compression algorithms:",
|
||||
" jpeg\t\tJPEG encoding",
|
||||
" zip\t\tZip/Deflate encoding",
|
||||
@@ -543,6 +563,7 @@ static char* stuff[] = {
|
||||
" -b (progress by block rather than as a whole image)",
|
||||
" -n don't emit alpha component.",
|
||||
" -8 write BigTIFF file instead of ClassicTIFF",
|
||||
+ " -M set the memory allocation limit in MiB. 0 to disable limit",
|
||||
NULL
|
||||
};
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
50
libtiff-CVE-2020-35523.patch
Normal file
50
libtiff-CVE-2020-35523.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Tue, 10 Nov 2020 01:54:30 +0100
|
||||
Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow
|
||||
|
||||
fixes #211
|
||||
---
|
||||
libtiff/tif_getimage.c | 17 +++++++++++++----
|
||||
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index c6edd27..b1f7cc9 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -31,6 +31,7 @@
|
||||
*/
|
||||
#include "tiffiop.h"
|
||||
#include <stdio.h>
|
||||
+#include <limits.h>
|
||||
|
||||
static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
|
||||
static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
|
||||
@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
|
||||
flip = setorientation(img);
|
||||
if (flip & FLIP_VERTICALLY) {
|
||||
- y = h - 1;
|
||||
- toskew = -(int32)(tw + w);
|
||||
+ if ((tw + w) > INT_MAX) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
|
||||
+ return (0);
|
||||
+ }
|
||||
+ y = h - 1;
|
||||
+ toskew = -(int32)(tw + w);
|
||||
}
|
||||
else {
|
||||
- y = 0;
|
||||
- toskew = -(int32)(tw - w);
|
||||
+ if (tw > (INT_MAX + w)) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
|
||||
+ return (0);
|
||||
+ }
|
||||
+ y = 0;
|
||||
+ toskew = -(int32)(tw - w);
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
2.31.1
|
||||
|
39
libtiff-CVE-2020-35524.patch
Normal file
39
libtiff-CVE-2020-35524.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Bernard <miniupnp@free.fr>
|
||||
Date: Sat, 14 Nov 2020 12:53:01 +0000
|
||||
Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to
|
||||
JPEG YCbCr
|
||||
|
||||
fixes #220
|
||||
---
|
||||
tools/tiff2pdf.c | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index a15a3ef..db380ec 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
|
||||
#endif
|
||||
(void) 0;
|
||||
}
|
||||
- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
|
||||
- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
|
||||
- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
|
||||
+#ifdef JPEG_SUPPORT
|
||||
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
|
||||
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
|
||||
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
|
||||
+ } else
|
||||
+#endif
|
||||
+ {
|
||||
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
|
||||
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
|
||||
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
|
||||
+ }
|
||||
}
|
||||
if (k == 0) {
|
||||
/* Assume we had overflow inside TIFFScanlineSize */
|
||||
--
|
||||
2.31.1
|
||||
|
31
libtiff-am-version.patch
Normal file
31
libtiff-am-version.patch
Normal file
@ -0,0 +1,31 @@
|
||||
Back off the minimum required automake version to 1.11. There isn't
|
||||
anything in libtiff currently that actually requires 1.12, and changing
|
||||
this allows the package to be built on pre-F18 machines for easier testing.
|
||||
|
||||
This patch can go away once we no longer care about testing on pre-F18.
|
||||
|
||||
|
||||
diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
|
||||
--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400
|
||||
+++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400
|
||||
@@ -25,7 +25,7 @@
|
||||
|
||||
docdir = $(LIBTIFF_DOCDIR)
|
||||
|
||||
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
|
||||
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
|
||||
ACLOCAL_AMFLAGS = -I m4
|
||||
|
||||
docfiles = \
|
||||
diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
|
||||
--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400
|
||||
+++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
# Process this file with automake to produce Makefile.in.
|
||||
|
||||
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
|
||||
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
|
||||
|
||||
LIBTIFF = $(top_builddir)/libtiff/libtiff.la
|
||||
|
42
libtiff-coverity.patch
Normal file
42
libtiff-coverity.patch
Normal file
@ -0,0 +1,42 @@
|
||||
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
||||
index 81ffa3d..a02e865 100644
|
||||
--- a/tools/ppm2tiff.c
|
||||
+++ b/tools/ppm2tiff.c
|
||||
@@ -285,6 +285,8 @@ main(int argc, char* argv[])
|
||||
if (TIFFWriteScanline(out, buf, row, 0) < 0)
|
||||
break;
|
||||
}
|
||||
+ if (in != stdin)
|
||||
+ fclose(in);
|
||||
(void) TIFFClose(out);
|
||||
if (buf)
|
||||
_TIFFfree(buf);
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index bd23c9e..a15a3ef 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
|
||||
"for t2p_readwrite_pdf_image_tile, %s",
|
||||
(unsigned long) t2p->tiff_datasize,
|
||||
TIFFFileName(input));
|
||||
+ _TIFFfree(buffer);
|
||||
t2p->t2p_error = T2P_ERR_ERROR;
|
||||
return(0);
|
||||
}
|
||||
@@ -3747,11 +3748,11 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount)
|
||||
{
|
||||
uint32 i;
|
||||
|
||||
- /* For the 3 first samples, there is overlapping between souce and
|
||||
- destination, so use memmove().
|
||||
- See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
|
||||
- for(i = 0; i < 3 && i < samplecount; i++)
|
||||
- memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
||||
+ /* For the 3 first samples, there is overlapping between souce and
|
||||
+ destination, so use memmove().
|
||||
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
|
||||
+ for(i = 0; i < 3 && i < samplecount; i++)
|
||||
+ memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
||||
for(; i < samplecount; i++)
|
||||
memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
||||
|
12
libtiff-make-check.patch
Normal file
12
libtiff-make-check.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
|
||||
index 587296c..696005e 100644
|
||||
--- a/html/man/Makefile.am
|
||||
+++ b/html/man/Makefile.am
|
||||
@@ -92,7 +92,6 @@ docfiles = \
|
||||
tiffcrop.1.html \
|
||||
tiffdither.1.html \
|
||||
tiffdump.1.html \
|
||||
- tiffgt.1.html \
|
||||
tiffinfo.1.html \
|
||||
tiffmedian.1.html \
|
||||
tiffset.1.html \
|
751
libtiff.spec
Normal file
751
libtiff.spec
Normal file
@ -0,0 +1,751 @@
|
||||
Summary: Library of functions for manipulating TIFF format image files
|
||||
Name: libtiff
|
||||
Version: 4.0.9
|
||||
Release: 21%{?dist}
|
||||
License: libtiff
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.simplesystems.org/libtiff/
|
||||
|
||||
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
|
||||
|
||||
Patch0: libtiff-am-version.patch
|
||||
Patch1: libtiff-make-check.patch
|
||||
Patch2: libtiff-CVE-2018-5784.patch
|
||||
Patch3: libtiff-CVE-2018-7456.patch
|
||||
Patch4: libtiff-CVE-2017-9935.patch
|
||||
Patch5: libtiff-CVE-2017-18013.patch
|
||||
Patch6: libtiff-CVE-2018-8905.patch
|
||||
Patch7: libtiff-CVE-2018-10963.patch
|
||||
Patch8: libtiff-CVE-2018-17100.patch
|
||||
Patch9: libtiff-coverity.patch
|
||||
Patch10: libtiff-CVE-2018-18557.patch
|
||||
Patch11: libtiff-CVE-2018-18661.patch
|
||||
Patch12: libtiff-CVE-2018-12900.patch
|
||||
Patch13: libtiff-CVE-2019-14973.patch
|
||||
Patch14: libtiff-CVE-2019-17546.patch
|
||||
Patch15: libtiff-CVE-2020-35521_CVE-2020-35522.patch
|
||||
Patch16: libtiff-CVE-2020-35523.patch
|
||||
Patch17: libtiff-CVE-2020-35524.patch
|
||||
Patch18: libtiff-CVE-2020-19131.patch
|
||||
|
||||
BuildRequires: gcc, gcc-c++
|
||||
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
|
||||
BuildRequires: libtool automake autoconf pkgconfig
|
||||
|
||||
%description
|
||||
The libtiff package contains a library of functions for manipulating
|
||||
TIFF (Tagged Image File Format) image format files. TIFF is a widely
|
||||
used file format for bitmapped images. TIFF files usually end in the
|
||||
.tif extension and they are often quite large.
|
||||
|
||||
The libtiff package should be installed if you need to manipulate TIFF
|
||||
format image files.
|
||||
|
||||
%package devel
|
||||
Summary: Development tools for programs which will use the libtiff library
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
Requires: pkgconfig%{?_isa}
|
||||
|
||||
%description devel
|
||||
This package contains the header files and documentation necessary for
|
||||
developing programs which will manipulate TIFF format image files
|
||||
using the libtiff library.
|
||||
|
||||
If you need to develop programs which will manipulate TIFF format
|
||||
image files, you should install this package. You'll also need to
|
||||
install the libtiff package.
|
||||
|
||||
%package static
|
||||
Summary: Static TIFF image format file library
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}-devel%{?_isa} = %{version}-%{release}
|
||||
|
||||
%description static
|
||||
The libtiff-static package contains the statically linkable version of libtiff.
|
||||
Linking to static libraries is discouraged for most applications, but it is
|
||||
necessary for some boot packages.
|
||||
|
||||
%package tools
|
||||
Summary: Command-line utility programs for manipulating TIFF files
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
|
||||
%description tools
|
||||
This package contains command-line programs for manipulating TIFF format
|
||||
image files using the libtiff library.
|
||||
|
||||
%prep
|
||||
%setup -q -n tiff-%{version}
|
||||
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
|
||||
# Use build system's libtool.m4, not the one in the package.
|
||||
rm -f libtool.m4
|
||||
|
||||
libtoolize --force --copy
|
||||
aclocal -I . -I m4
|
||||
automake --add-missing --copy
|
||||
autoconf
|
||||
autoheader
|
||||
|
||||
%build
|
||||
export CFLAGS="%{optflags} -fno-strict-aliasing"
|
||||
%configure --enable-ld-version-script
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
make DESTDIR=$RPM_BUILD_ROOT install
|
||||
|
||||
# remove what we didn't want installed
|
||||
rm $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/
|
||||
|
||||
# no libGL dependency, please
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/tiffgt
|
||||
|
||||
# no sgi2tiff or tiffsv, either
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/sgi2tiff
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv
|
||||
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1
|
||||
rm -f html/man/tiffgt.1.html
|
||||
rm -f html/man/sgi2tiff.1.html
|
||||
rm -f html/man/tiffsv.1.html
|
||||
|
||||
# multilib header hack
|
||||
# we only apply this to known Red Hat multilib arches, per bug #233091
|
||||
case `uname -i` in
|
||||
i386 | ppc | s390 | sparc )
|
||||
wordsize="32"
|
||||
;;
|
||||
x86_64 | ppc64 | s390x | sparc64 )
|
||||
wordsize="64"
|
||||
;;
|
||||
*)
|
||||
wordsize=""
|
||||
;;
|
||||
esac
|
||||
|
||||
if test -n "$wordsize"
|
||||
then
|
||||
mv $RPM_BUILD_ROOT%{_includedir}/tiffconf.h \
|
||||
$RPM_BUILD_ROOT%{_includedir}/tiffconf-$wordsize.h
|
||||
|
||||
cat >$RPM_BUILD_ROOT%{_includedir}/tiffconf.h <<EOF
|
||||
#ifndef TIFFCONF_H_MULTILIB
|
||||
#define TIFFCONF_H_MULTILIB
|
||||
|
||||
#include <bits/wordsize.h>
|
||||
|
||||
#if __WORDSIZE == 32
|
||||
# include "tiffconf-32.h"
|
||||
#elif __WORDSIZE == 64
|
||||
# include "tiffconf-64.h"
|
||||
#else
|
||||
# error "unexpected value for __WORDSIZE macro"
|
||||
#endif
|
||||
|
||||
#endif
|
||||
EOF
|
||||
|
||||
fi
|
||||
|
||||
%ldconfig_scriptlets
|
||||
|
||||
%check
|
||||
LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
|
||||
|
||||
# don't include documentation Makefiles, they are a multilib hazard
|
||||
find html -name 'Makefile*' | xargs rm
|
||||
|
||||
%files
|
||||
%doc COPYRIGHT README RELEASE-DATE VERSION
|
||||
%{_libdir}/libtiff.so.*
|
||||
%{_libdir}/libtiffxx.so.*
|
||||
|
||||
%files devel
|
||||
%doc TODO ChangeLog html
|
||||
%{_includedir}/*
|
||||
%{_libdir}/libtiff.so
|
||||
%{_libdir}/libtiffxx.so
|
||||
%{_libdir}/pkgconfig/libtiff*.pc
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%files static
|
||||
%{_libdir}/*.a
|
||||
|
||||
%files tools
|
||||
%{_bindir}/*
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Wed Sep 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-21
|
||||
- Fix CVE-2020-19131 (#2006535)
|
||||
|
||||
* Thu Apr 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-20
|
||||
- Rebuild for fixed binutils (#1954437)
|
||||
|
||||
* Fri Apr 09 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-19
|
||||
- Fix CVE-2020-35521 (#1945539)
|
||||
- Fix CVE-2020-35522 (#1945555)
|
||||
- Fix CVE-2020-35523 (#1945542)
|
||||
- Fix CVE-2020-35524 (#1945546)
|
||||
|
||||
* Thu Feb 20 2020 Nikola Forró <nforro@redhat.com> - 4.0.9-18
|
||||
- Fix CVE-2019-17546 (#1771372)
|
||||
|
||||
* Thu Nov 28 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-17
|
||||
- Add upstream test suite and enable it in gating
|
||||
|
||||
* Wed Nov 27 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-16
|
||||
- Fix CVE-2019-14973 (#1755705)
|
||||
|
||||
* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-15
|
||||
- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579)
|
||||
|
||||
* Thu Jun 06 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-14
|
||||
- Fix CVE-2018-12900 (#1595579)
|
||||
|
||||
* Thu Dec 13 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-13
|
||||
- Fix compiler warning introduced by patch for CVE-2018-18661
|
||||
|
||||
* Wed Nov 14 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-12
|
||||
- Fix CVE-2018-18557 (#1647738) and CVE-2018-18661 (#1644452)
|
||||
|
||||
* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-11
|
||||
- Fix important Covscan defects (#1602597)
|
||||
|
||||
* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-10
|
||||
- Fix CVE-2018-17100 (#1631073)
|
||||
|
||||
* Wed May 30 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-9
|
||||
- Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-8905 (#1559708)
|
||||
and CVE-2018-10963 (#1579060)
|
||||
|
||||
* Tue Apr 17 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-8
|
||||
- Fix CVE-2018-7456 (#1556709)
|
||||
|
||||
* Fri Mar 23 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-7
|
||||
- Fix CVE-2018-5784 (#1537742)
|
||||
|
||||
* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-6
|
||||
- Add missing gcc-c++ build dependency
|
||||
|
||||
* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-5
|
||||
- Add missing gcc build dependency
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.9-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.0.9-3
|
||||
- Switch to %%ldconfig_scriptlets
|
||||
|
||||
* Mon Dec 11 2017 Nikola Forró <nforro@redhat.com> - 4.0.9-2
|
||||
- Fix unescaped macro in changelog entry (#1523643)
|
||||
|
||||
* Thu Nov 23 2017 Nikola Forró <nforro@redhat.com> - 4.0.9-1
|
||||
- New upstream version libtiff-4.0.9 (#1514863)
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.8-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.8-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Mon May 22 2017 Nikola Forró <nforro@redhat.com> - 4.0.8-1
|
||||
- New upstream version libtiff-4.0.8 (#1453030)
|
||||
|
||||
* Wed Apr 12 2017 Nikola Forró <nforro@redhat.com> - 4.0.7-5
|
||||
- Fix CVE-2017-759{2,3,4,5,6,7,8,9}, CVE-2017-760{0,1,2} (#1441273)
|
||||
|
||||
* Wed Apr 05 2017 Nikola Forró <nforro@redhat.com> - 4.0.7-4
|
||||
- Fix CVE-2016-1026{6,7,8,9}, CVE-2016-1027{0,1,2} (#1438464)
|
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.7-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Tue Jan 24 2017 Nikola Forró <nforro@redhat.com> - 4.0.7-2
|
||||
- Fix Hylafax breakage (#1416042)
|
||||
|
||||
* Mon Nov 21 2016 Nikola Forró <nforro@redhat.com> - 4.0.7-1
|
||||
- New upstream version libtiff-4.0.7 (#1396769)
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.6-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Fri Oct 09 2015 Petr Hracek <phracek@redhat.com> - 4.0.6-1
|
||||
- New upstream version libtiff-4.0.6 (#1262585)
|
||||
|
||||
* Wed Sep 09 2015 Petr Hracek <phracek@redhat.com> - 4.0.5-1
|
||||
- New upstream version libtiff-4.0.5 (#1258286)
|
||||
|
||||
* Mon Jun 22 2015 Petr Hracek <phracek@redhat.com> - 4.0.4-1
|
||||
- New upstream version libtiff-4.0.4 (#1234191)
|
||||
|
||||
* Fri Jun 19 2015 Petr Hracek <phracek@redhat.com> - 4.0.4beta-1
|
||||
- New upstream version libtiff-4.0.4beta (#1186219)
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-21
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Tue May 19 2015 Petr Hracek <phracek@redhat.com> - 4.0.3-20
|
||||
- CVE-2014-9655 and CVE-2015-1547 #1190710
|
||||
|
||||
* Sat May 02 2015 Kalev Lember <kalevlember@gmail.com> - 4.0.3-19
|
||||
- Rebuilt for GCC 5 C++11 ABI change
|
||||
|
||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-18
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
* Tue Aug 12 2014 Kalev Lember <kalevlember@gmail.com> - 4.0.3-17
|
||||
- Rebuilt for libjbig soname bump
|
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-16
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Wed May 21 2014 Petr Hracek <phracek@redhat.com> - 4.0.3-15
|
||||
- Add upstream patches for CVE-2013-4243 (#996832)
|
||||
|
||||
* Thu Dec 19 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-14
|
||||
- Fix: #1044609 Can't install both architectures
|
||||
|
||||
* Wed Dec 18 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-13
|
||||
- Fix #510240 Correct tiff2ps man option -W
|
||||
|
||||
* Wed Oct 16 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-12
|
||||
- make check moved to %%check section (#1017070)
|
||||
|
||||
* Tue Oct 08 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-11
|
||||
- Resolves: #510258, #510240 - man page corrections
|
||||
|
||||
* Mon Aug 19 2013 Petr Hracek <phracek@redhat.com> 4.0.3-10
|
||||
- Add upstream patches for CVE-2013-4244
|
||||
Resolves: #996468
|
||||
|
||||
* Wed Aug 14 2013 Petr Hracek <phracek@redhat.com> 4.0.3-9
|
||||
- Add upstream patches for CVE-2013-4231 CVE-2013-4232
|
||||
Resolves: #995965 #995975
|
||||
|
||||
* Mon Aug 12 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-8
|
||||
- Manpage fixing (#510240, #510258)
|
||||
|
||||
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||
|
||||
* Thu May 2 2013 Tom Lane <tgl@redhat.com> 4.0.3-6
|
||||
- Add upstream patches for CVE-2013-1960, CVE-2013-1961
|
||||
Resolves: #958609
|
||||
|
||||
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
||||
|
||||
* Fri Jan 18 2013 Adam Tkac <atkac redhat com> - 4.0.3-4
|
||||
- rebuild due to "jpeg8-ABI" feature drop
|
||||
|
||||
* Wed Dec 19 2012 Tom Lane <tgl@redhat.com> 4.0.3-3
|
||||
- Add upstream patch to avoid bogus self-test failure with libjpeg-turbo v8
|
||||
|
||||
* Thu Dec 13 2012 Tom Lane <tgl@redhat.com> 4.0.3-2
|
||||
- Add upstream patches for CVE-2012-4447, CVE-2012-4564
|
||||
(note: CVE-2012-5581 is already fixed in 4.0.3)
|
||||
Resolves: #880907
|
||||
|
||||
* Thu Oct 4 2012 Tom Lane <tgl@redhat.com> 4.0.3-1
|
||||
- Update to libtiff 4.0.3
|
||||
|
||||
* Fri Aug 3 2012 Tom Lane <tgl@redhat.com> 4.0.2-6
|
||||
- Remove compat subpackage; no longer needed
|
||||
- Minor specfile cleanup per suggestions from Tom Callaway
|
||||
Related: #845110
|
||||
|
||||
* Thu Aug 2 2012 Tom Lane <tgl@redhat.com> 4.0.2-5
|
||||
- Add accessor functions for opaque type TIFFField (backport of not-yet-released
|
||||
upstream feature addition; needed to fix freeimage)
|
||||
|
||||
* Sun Jul 22 2012 Tom Lane <tgl@redhat.com> 4.0.2-4
|
||||
- Add patches for CVE-2012-3401
|
||||
Resolves: #841736
|
||||
|
||||
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.2-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||
|
||||
* Tue Jul 03 2012 Karsten Hopp <karsten@redhat.com> 4.0.2-2
|
||||
- add opensuse bigendian patch to fix raw_decode self check failure on ppc*, s390*
|
||||
|
||||
* Thu Jun 28 2012 Tom Lane <tgl@redhat.com> 4.0.2-1
|
||||
- Update to libtiff 4.0.2, includes fix for CVE-2012-2113
|
||||
(note that CVE-2012-2088 does not apply to 4.0.x)
|
||||
- Update libtiff-compat to 3.9.6 and add patches to it for
|
||||
CVE-2012-2088, CVE-2012-2113
|
||||
Resolves: #832866
|
||||
|
||||
* Fri Jun 1 2012 Tom Lane <tgl@redhat.com> 4.0.1-2
|
||||
- Enable JBIG support
|
||||
Resolves: #826240
|
||||
|
||||
* Sun May 6 2012 Tom Lane <tgl@redhat.com> 4.0.1-1
|
||||
- Update to libtiff 4.0.1, adds BigTIFF support and other features;
|
||||
library soname is bumped from libtiff.so.3 to libtiff.so.5
|
||||
Resolves: #782383
|
||||
- Temporarily package 3.9.5 shared library (only) in libtiff-compat subpackage
|
||||
so that dependent packages won't be broken while rebuilding proceeds
|
||||
|
||||
* Thu Apr 5 2012 Tom Lane <tgl@redhat.com> 3.9.5-3
|
||||
- Add fix for CVE-2012-1173
|
||||
Resolves: #CVE-2012-1173
|
||||
|
||||
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.5-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
||||
|
||||
* Tue Apr 12 2011 Tom Lane <tgl@redhat.com> 3.9.5-1
|
||||
- Update to libtiff 3.9.5, incorporating all our previous patches plus other
|
||||
fixes, notably the fix for CVE-2009-5022
|
||||
Related: #695885
|
||||
|
||||
* Mon Mar 21 2011 Tom Lane <tgl@redhat.com> 3.9.4-4
|
||||
- Fix incorrect fix for CVE-2011-0192
|
||||
Resolves: #684007
|
||||
Related: #688825
|
||||
- Add fix for CVE-2011-1167
|
||||
Resolves: #689574
|
||||
|
||||
* Wed Mar 2 2011 Tom Lane <tgl@redhat.com> 3.9.4-3
|
||||
- Add patch for CVE-2011-0192
|
||||
Resolves: #681672
|
||||
- Fix non-security-critical potential SIGSEGV in gif2tiff
|
||||
Related: #648820
|
||||
|
||||
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.4-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||
|
||||
* Tue Jun 22 2010 Tom Lane <tgl@redhat.com> 3.9.4-1
|
||||
- Update to libtiff 3.9.4, for numerous bug fixes including fixes for
|
||||
CVE-2010-1411, CVE-2010-2065, CVE-2010-2067
|
||||
Resolves: #554371
|
||||
Related: #460653, #588784, #601274, #599576, #592361, #603024
|
||||
- Add fixes for multiple SIGSEGV problems
|
||||
Resolves: #583081
|
||||
Related: #603081, #603699, #603703
|
||||
|
||||
* Tue Jan 5 2010 Tom Lane <tgl@redhat.com> 3.9.2-3
|
||||
- Apply Adam Goode's fix for Warmerdam's fix
|
||||
Resolves: #552360
|
||||
Resolves: #533353
|
||||
- Add some defenses to prevent tiffcmp from crashing on downsampled JPEG
|
||||
images; this isn't enough to make it really work correctly though
|
||||
Related: #460322
|
||||
|
||||
* Wed Dec 16 2009 Tom Lane <tgl@redhat.com> 3.9.2-2
|
||||
- Apply Warmerdam's partial fix for bug #460322 ... better than nothing.
|
||||
Related: #460322
|
||||
|
||||
* Thu Dec 3 2009 Tom Lane <tgl@redhat.com> 3.9.2-1
|
||||
- Update to libtiff 3.9.2; stop carrying a lot of old patches
|
||||
Resolves: #520734
|
||||
- Split command-line tools into libtiff-tools subpackage
|
||||
Resolves: #515170
|
||||
- Use build system's libtool instead of what package contains;
|
||||
among other cleanup this gets rid of unwanted rpath specs in executables
|
||||
Related: #226049
|
||||
|
||||
* Thu Oct 15 2009 Tom Lane <tgl@redhat.com> 3.8.2-16
|
||||
- add sparc/sparc64 to multilib header support
|
||||
|
||||
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8.2-15
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||
|
||||
* Mon Jul 13 2009 Tom Lane <tgl@redhat.com> 3.8.2-14
|
||||
- Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347)
|
||||
Related: #510041
|
||||
|
||||
* Wed Jul 1 2009 Tom Lane <tgl@redhat.com> 3.8.2-13
|
||||
- Fix some more LZW decoding vulnerabilities (CVE-2009-2285)
|
||||
Related: #507465
|
||||
- Update upstream URL
|
||||
|
||||
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8.2-12
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
||||
|
||||
* Tue Aug 26 2008 Tom Lane <tgl@redhat.com> 3.8.2-11
|
||||
- Fix LZW decoding vulnerabilities (CVE-2008-2327)
|
||||
Related: #458674
|
||||
- Use -fno-strict-aliasing per rpmdiff recommendation
|
||||
|
||||
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 3.8.2-10
|
||||
- Autorebuild for GCC 4.3
|
||||
|
||||
* Wed Aug 22 2007 Tom Lane <tgl@redhat.com> 3.8.2-9
|
||||
- Update License tag
|
||||
- Rebuild to fix Fedora toolchain issues
|
||||
|
||||
* Thu Jul 19 2007 Tom Lane <tgl@redhat.com> 3.8.2-8
|
||||
- Restore static library to distribution, in a separate -static subpackage
|
||||
Resolves: #219905
|
||||
- Don't apply multilib header hack to unrecognized architectures
|
||||
Resolves: #233091
|
||||
- Remove documentation for programs we don't ship
|
||||
Resolves: #205079
|
||||
Related: #185145
|
||||
|
||||
* Tue Jan 16 2007 Tom Lane <tgl@redhat.com> 3.8.2-7
|
||||
- Remove Makefiles from the shipped /usr/share/doc/html directories
|
||||
Resolves: bz #222729
|
||||
|
||||
* Tue Sep 5 2006 Jindrich Novy <jnovy@redhat.com> - 3.8.2-6
|
||||
- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362)
|
||||
- fix typo in man page for tiffset (#186297)
|
||||
- use %%{?dist}
|
||||
|
||||
* Mon Jul 24 2006 Matthias Clasen <mclasen@redhat.com>
|
||||
- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461
|
||||
CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
|
||||
|
||||
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.8.2-4.1
|
||||
- rebuild
|
||||
|
||||
* Fri Jun 2 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-3
|
||||
- Fix multilib conflict
|
||||
|
||||
* Thu May 25 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-3
|
||||
- Fix overflows in tiffsplit
|
||||
|
||||
* Wed Apr 26 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-2
|
||||
- Drop tiffgt to get rid of the libGL dependency (#190768)
|
||||
|
||||
* Wed Apr 26 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-1
|
||||
- Update to 3.8.2
|
||||
|
||||
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.7.4-3.2.1
|
||||
- bump again for double-long bug on ppc(64)
|
||||
|
||||
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.7.4-3.2
|
||||
- rebuilt for new gcc4.1 snapshot and glibc changes
|
||||
|
||||
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
|
||||
- rebuilt
|
||||
|
||||
* Wed Nov 16 2005 Matthias Clasen <mclasen@redhat.com> 3.7.4-3
|
||||
- Don't ship static libs
|
||||
|
||||
* Fri Nov 11 2005 Matthias Saou <http://freshrpms.net/> 3.7.4-2
|
||||
- Remove useless explicit dependencies.
|
||||
- Minor spec file cleanups.
|
||||
- Move make check to %%check.
|
||||
- Add _smp_mflags.
|
||||
|
||||
* Thu Sep 29 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.4-1
|
||||
- Update to 3.7.4
|
||||
- Drop upstreamed patches
|
||||
|
||||
* Wed Jun 29 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.2-1
|
||||
- Update to 3.7.2
|
||||
- Drop upstreamed patches
|
||||
|
||||
* Fri May 6 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-6
|
||||
- Fix a stack overflow
|
||||
|
||||
* Wed Mar 2 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-5
|
||||
- Don't use mktemp
|
||||
|
||||
* Wed Mar 2 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-4
|
||||
- Rebuild with gcc4
|
||||
|
||||
* Wed Jan 5 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-3
|
||||
- Drop the largefile patch again
|
||||
- Fix a problem with the handling of alpha channels
|
||||
- Fix an integer overflow in tiffdump (#143576)
|
||||
|
||||
* Wed Dec 22 2004 Matthias Clasen <mclasen@redhat.com> - 3.7.1-2
|
||||
- Readd the largefile patch (#143560)
|
||||
|
||||
* Wed Dec 22 2004 Matthias Clasen <mclasen@redhat.com> - 3.7.1-1
|
||||
- Upgrade to 3.7.1
|
||||
- Remove upstreamed patches
|
||||
- Remove specfile cruft
|
||||
- make check
|
||||
|
||||
* Thu Oct 14 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-7
|
||||
- fix some integer and buffer overflows (#134853, #134848)
|
||||
|
||||
* Tue Oct 12 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-6
|
||||
- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483
|
||||
|
||||
* Mon Sep 27 2004 Rik van Riel <riel@redhat.com> 3.6.1-4
|
||||
- compile using RPM_OPT_FLAGS (bz #133650)
|
||||
|
||||
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
|
||||
- rebuilt
|
||||
|
||||
* Thu May 20 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-2
|
||||
- Fix and use the makeflags patch
|
||||
|
||||
* Wed May 19 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-1
|
||||
- Upgrade to 3.6.1
|
||||
- Adjust patches
|
||||
- Don't install tiffgt man page (#104864)
|
||||
|
||||
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
|
||||
- rebuilt
|
||||
|
||||
* Sat Feb 21 2004 Florian La Roche <Florian.LaRoche@redhat.de>
|
||||
- really add symlink to shared lib by running ldconfig at compile time
|
||||
|
||||
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
|
||||
- rebuilt
|
||||
|
||||
* Thu Oct 09 2003 Florian La Roche <Florian.LaRoche@redhat.de>
|
||||
- link shared lib against -lm (Jakub Jelinek)
|
||||
|
||||
* Thu Sep 25 2003 Jeremy Katz <katzj@redhat.com> 3.5.7-13
|
||||
- rebuild to fix gzipped file md5sum (#91281)
|
||||
|
||||
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
|
||||
- rebuilt
|
||||
|
||||
* Tue Feb 11 2003 Phil Knirsch <pknirsch@redhat.com> 3.5.7-11
|
||||
- Fixed rebuild problems.
|
||||
|
||||
* Tue Feb 04 2003 Florian La Roche <Florian.LaRoche@redhat.de>
|
||||
- add symlink to shared lib
|
||||
|
||||
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
|
||||
- rebuilt
|
||||
|
||||
* Thu Dec 12 2002 Tim Powers <timp@redhat.com> 3.5.7-8
|
||||
- rebuild on all arches
|
||||
|
||||
* Mon Aug 19 2002 Phil Knirsch <pknirsch@redhat.com> 3.5.7-7
|
||||
- Added LFS support (#71593)
|
||||
|
||||
* Tue Jun 25 2002 Phil Knirsch <pknirsch@redhat.com> 3.5.7-6
|
||||
- Fixed wrong exit code of tiffcp app (#67240)
|
||||
|
||||
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
|
||||
- automated rebuild
|
||||
|
||||
* Thu May 23 2002 Tim Powers <timp@redhat.com>
|
||||
- automated rebuild
|
||||
|
||||
* Wed May 15 2002 Phil Knirsch <pknirsch@redhat.com>
|
||||
- Fixed segfault in fax2tiff tool (#64708).
|
||||
|
||||
* Mon Feb 25 2002 Phil Knirsch <pknirsch@redhat.com>
|
||||
- Fixed problem with newer bash versions setting CDPATH (#59741)
|
||||
|
||||
* Tue Feb 19 2002 Phil Knirsch <pknirsch@redhat.com>
|
||||
- Update to current release 3.5.7
|
||||
|
||||
* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
|
||||
- automated rebuild
|
||||
|
||||
* Tue Aug 28 2001 Phil Knirsch <phil@redhat.de>
|
||||
- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x
|
||||
and ia64 were missing (#52129).
|
||||
|
||||
* Tue Jun 26 2001 Philipp Knirsch <pknirsch@redhat.de>
|
||||
- Hopefully final symlink fix
|
||||
|
||||
* Thu Jun 21 2001 Than Ngo <than@redhat.com>
|
||||
- add missing libtiff symlink
|
||||
|
||||
* Fri Mar 16 2001 Crutcher Dunnavant <crutcher@redhat.com>
|
||||
- killed tiff-to-ps.fpi filter
|
||||
|
||||
* Wed Feb 28 2001 Philipp Knirsch <pknirsch@redhat.de>
|
||||
- Fixed missing devel version dependancy.
|
||||
|
||||
* Tue Dec 19 2000 Philipp Knirsch <pknirsch@redhat.de>
|
||||
- rebuild
|
||||
|
||||
* Mon Aug 7 2000 Crutcher Dunnavant <crutcher@redhat.com>
|
||||
- added a tiff-to-ps.fpi filter for printing
|
||||
|
||||
* Thu Jul 13 2000 Prospector <bugzilla@redhat.com>
|
||||
- automatic rebuild
|
||||
|
||||
* Thu Jul 13 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- apply Peter Skarpetis's fix for the 32-bit conversion
|
||||
|
||||
* Mon Jul 3 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- make man pages non-executable (#12811)
|
||||
|
||||
* Mon Jun 12 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- remove CVS repo info from data directories
|
||||
|
||||
* Thu May 18 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- fix build rooting
|
||||
- fix syntax error in configure script
|
||||
- move man pages to {_mandir}
|
||||
|
||||
* Wed May 17 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- rebuild for an errata release
|
||||
|
||||
* Wed Mar 29 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix
|
||||
|
||||
* Tue Mar 28 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- fix fax2ps swapping height and width in the bounding box
|
||||
|
||||
* Mon Mar 27 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- move man pages from devel package to the regular one
|
||||
- integrate Frank Warmerdam's fixed .fax handling code (keep until next release
|
||||
of libtiff)
|
||||
- fix fax2ps breakage (bug #8345)
|
||||
|
||||
* Sat Feb 05 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- set MANDIR=man3 to make multifunction man pages friendlier
|
||||
|
||||
* Mon Jan 31 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- fix URLs
|
||||
|
||||
* Fri Jan 28 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- link shared library against libjpeg and libz
|
||||
|
||||
* Tue Jan 18 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- enable zip and jpeg codecs
|
||||
- change defattr in normal package to 0755
|
||||
- add defattr to -devel package
|
||||
|
||||
* Wed Dec 22 1999 Bill Nottingham <notting@redhat.com>
|
||||
- update to 3.5.4
|
||||
|
||||
* Sun Mar 21 1999 Cristian Gafton <gafton@redhat.com>
|
||||
- auto rebuild in the new build environment (release 6)
|
||||
|
||||
* Wed Jan 13 1999 Cristian Gafton <gafton@redhat.com>
|
||||
- build for glibc 2.1
|
||||
|
||||
* Wed Jun 10 1998 Prospector System <bugs@redhat.com>
|
||||
- translations modified for de
|
||||
|
||||
* Wed Jun 10 1998 Michael Fulbright <msf@redhat.com>
|
||||
- rebuilt against fixed jpeg libs (libjpeg-6b)
|
||||
|
||||
* Thu May 07 1998 Prospector System <bugs@redhat.com>
|
||||
- translations modified for de, fr, tr
|
||||
|
||||
* Mon Oct 13 1997 Donnie Barnes <djb@redhat.com>
|
||||
- new version to replace the one from libgr
|
||||
- patched for glibc
|
||||
- added shlib support
|
Loading…
Reference in New Issue
Block a user