Compare commits
No commits in common. "imports/c8s/libtiff-4.0.9-26.el8_7" and "c8" have entirely different histories.
imports/c8
...
c8
|
@ -0,0 +1,97 @@
|
|||
From 84f9ede8075774dd9a10080a9eea9016229adbaa Mon Sep 17 00:00:00 2001
|
||||
From: Su_Laus <sulau@freenet.de>
|
||||
Date: Thu, 25 Aug 2022 16:11:41 +0200
|
||||
Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable
|
||||
incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes
|
||||
#411 and #413)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S.
|
||||
|
||||
Code analysis:
|
||||
|
||||
With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
|
||||
In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
|
||||
|
||||
Execution of the else-clause often leads to buffer-overflows.
|
||||
|
||||
Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
|
||||
|
||||
The MR solves issues #411 and #413.
|
||||
|
||||
(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62)
|
||||
---
|
||||
tools/tiffcrop.c | 27 +++++++++++++++++++++++----
|
||||
1 file changed, 23 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index ff118496..848b2b49 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -106,9 +106,11 @@
|
||||
* lower level, scanline level routines. Debug reports a limited set
|
||||
* of messages to monitor progress without enabling dump logs.
|
||||
*
|
||||
- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
|
||||
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
|
||||
* In no case should the options be applied to a given selection successively.
|
||||
- */
|
||||
+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
|
||||
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
|
||||
+ */
|
||||
|
||||
static char tiffcrop_version_id[] = "2.4";
|
||||
static char tiffcrop_rev_date[] = "12-13-2010";
|
||||
@@ -754,7 +756,11 @@ static char* usage_info[] = {
|
||||
" The four debug/dump options are independent, though it makes little sense to",
|
||||
" specify a dump file without specifying a detail level.",
|
||||
" ",
|
||||
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
|
||||
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
|
||||
+" In no case should the options be applied to a given selection successively.",
|
||||
+" ",
|
||||
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
|
||||
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
|
||||
" ",
|
||||
NULL
|
||||
};
|
||||
@@ -2111,9 +2117,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
|
||||
R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
|
||||
S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
|
||||
if (XY + Z + R + S > 1) {
|
||||
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
|
||||
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+
|
||||
+ /* Check for not allowed combination:
|
||||
+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
|
||||
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
|
||||
+. */
|
||||
+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
|
||||
+ TIFFError("tiffcrop input error",
|
||||
+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
} /* end process_command_opts */
|
||||
|
||||
/* Start a new output file if one has not been previously opened or
|
||||
@@ -2381,6 +2398,7 @@ main(int argc, char* argv[])
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
|
||||
if (crop.selections > 0)
|
||||
{
|
||||
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
|
||||
@@ -2397,6 +2415,7 @@ main(int argc, char* argv[])
|
||||
exit (-1);
|
||||
}
|
||||
}
|
||||
+ /* Format and write selected image parts to output file(s). */
|
||||
if (page.mode == PAGE_MODE_NONE)
|
||||
{ /* Whole image or sections not based on output page size */
|
||||
if (crop.selections > 0)
|
|
@ -0,0 +1,37 @@
|
|||
From a28b2e1b23fc936989dc4bbc857e9a8a851c5ff0 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Tue, 8 Nov 2022 15:16:58 +0100
|
||||
Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer
|
||||
overflow on strips/tiles > 2 GB
|
||||
|
||||
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
|
||||
|
||||
(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be)
|
||||
---
|
||||
libtiff/tif_getimage.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index b1f7cc95..00cd5510 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -3044,15 +3044,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
|
||||
return( ok );
|
||||
|
||||
for( i_row = 0; i_row < read_ysize; i_row++ ) {
|
||||
- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
|
||||
- raster + (read_ysize - i_row - 1) * read_xsize,
|
||||
+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
|
||||
+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
|
||||
read_xsize * sizeof(uint32) );
|
||||
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
|
||||
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
|
||||
0, sizeof(uint32) * (tile_xsize - read_xsize) );
|
||||
}
|
||||
|
||||
for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
|
||||
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
|
||||
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
|
||||
0, sizeof(uint32) * tile_xsize );
|
||||
}
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
From 72bbfc1ecd58f7732946719a0aeb2070f056bb6f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||
Date: Tue, 16 May 2023 13:04:55 +0200
|
||||
Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error.
|
||||
Fix #488.
|
||||
|
||||
(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5)
|
||||
---
|
||||
tools/tiffcrop.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 848b2b49..7f738d91 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -7537,7 +7537,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||
crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
|
||||
else
|
||||
{
|
||||
- prev_cropsize = seg_buffs[0].size;
|
||||
+ prev_cropsize = seg_buffs[i].size;
|
||||
if (prev_cropsize < cropsize)
|
||||
{
|
||||
next_buff = _TIFFrealloc(crop_buff, cropsize);
|
|
@ -0,0 +1,128 @@
|
|||
From 73b3f582caa08a976d647537346790b182bbcc10 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 5 Feb 2023 15:53:16 +0000
|
||||
Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
|
||||
CVE-2023-0804) tiffcrop: added check for assumption on composite images
|
||||
(fixes #496)
|
||||
|
||||
Closes #501, #500, #498, #497 et #496
|
||||
|
||||
See merge request libtiff/libtiff!466
|
||||
|
||||
(cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00)
|
||||
---
|
||||
tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 66 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 7f738d91..77923cf3 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -5235,18 +5235,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||
|
||||
crop->regionlist[i].buffsize = buffsize;
|
||||
crop->bufftotal += buffsize;
|
||||
+
|
||||
+ /* For composite images with more than one region, the
|
||||
+ * combined_length or combined_width always needs to be equal,
|
||||
+ * respectively.
|
||||
+ * Otherwise, even the first section/region copy
|
||||
+ * action might cause buffer overrun. */
|
||||
if (crop->img_mode == COMPOSITE_IMAGES)
|
||||
{
|
||||
switch (crop->edge_ref)
|
||||
{
|
||||
case EDGE_LEFT:
|
||||
case EDGE_RIGHT:
|
||||
+ if (i > 0 && zlength != crop->combined_length)
|
||||
+ {
|
||||
+ TIFFError(
|
||||
+ "computeInputPixelOffsets",
|
||||
+ "Only equal length regions can be combined for "
|
||||
+ "-E left or right");
|
||||
+ return (-1);
|
||||
+ }
|
||||
crop->combined_length = zlength;
|
||||
crop->combined_width += zwidth;
|
||||
break;
|
||||
case EDGE_BOTTOM:
|
||||
case EDGE_TOP: /* width from left, length from top */
|
||||
default:
|
||||
+ if (i > 0 && zwidth != crop->combined_width)
|
||||
+ {
|
||||
+ TIFFError("computeInputPixelOffsets",
|
||||
+ "Only equal width regions can be "
|
||||
+ "combined for -E "
|
||||
+ "top or bottom");
|
||||
+ return (-1);
|
||||
+ }
|
||||
crop->combined_width = zwidth;
|
||||
crop->combined_length += zlength;
|
||||
break;
|
||||
@@ -6390,6 +6412,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
|
||||
crop->combined_width = 0;
|
||||
crop->combined_length = 0;
|
||||
|
||||
+ /* If there is more than one region, check beforehand whether all the width
|
||||
+ * and length values of the regions are the same, respectively. */
|
||||
+ switch (crop->edge_ref)
|
||||
+ {
|
||||
+ default:
|
||||
+ case EDGE_TOP:
|
||||
+ case EDGE_BOTTOM:
|
||||
+ for (i = 1; i < crop->selections; i++)
|
||||
+ {
|
||||
+ uint32_t crop_width0 =
|
||||
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
|
||||
+ uint32_t crop_width1 =
|
||||
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
|
||||
+ if (crop_width0 != crop_width1)
|
||||
+ {
|
||||
+ TIFFError("extractCompositeRegions",
|
||||
+ "Only equal width regions can be combined for -E "
|
||||
+ "top or bottom");
|
||||
+ return (1);
|
||||
+ }
|
||||
+ }
|
||||
+ break;
|
||||
+ case EDGE_LEFT:
|
||||
+ case EDGE_RIGHT:
|
||||
+ for (i = 1; i < crop->selections; i++)
|
||||
+ {
|
||||
+ uint32_t crop_length0 =
|
||||
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
|
||||
+ uint32_t crop_length1 =
|
||||
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
|
||||
+ if (crop_length0 != crop_length1)
|
||||
+ {
|
||||
+ TIFFError("extractCompositeRegions",
|
||||
+ "Only equal length regions can be combined for "
|
||||
+ "-E left or right");
|
||||
+ return (1);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < crop->selections; i++)
|
||||
{
|
||||
/* rows, columns, width, length are expressed in pixels */
|
||||
@@ -6414,7 +6476,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
|
||||
default:
|
||||
case EDGE_TOP:
|
||||
case EDGE_BOTTOM:
|
||||
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
|
||||
+ if ((crop->selections > i + 1) &&
|
||||
+ (crop_width != crop->regionlist[i + 1].width))
|
||||
{
|
||||
TIFFError ("extractCompositeRegions",
|
||||
"Only equal width regions can be combined for -E top or bottom");
|
||||
@@ -6495,7 +6558,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
|
||||
break;
|
||||
case EDGE_LEFT: /* splice the pieces of each row together, side by side */
|
||||
case EDGE_RIGHT:
|
||||
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
|
||||
+ if ((crop->selections > i + 1) &&
|
||||
+ (crop_length != crop->regionlist[i + 1].length))
|
||||
{
|
||||
TIFFError ("extractCompositeRegions",
|
||||
"Only equal length regions can be combined for -E left or right");
|
|
@ -0,0 +1,260 @@
|
|||
From 01de2299ed1cf3137235ef8a6657905ef04fc65c Mon Sep 17 00:00:00 2001
|
||||
From: Su_Laus <sulau@freenet.de>
|
||||
Date: Tue, 30 Aug 2022 16:56:48 +0200
|
||||
Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and
|
||||
related TIFFTAG_NUMBEROFINKS value
|
||||
|
||||
In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
|
||||
|
||||
Behaviour for writing:
|
||||
`NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
|
||||
`NumberOfInks` is automatically set when `InkNames` is set.
|
||||
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
|
||||
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
|
||||
|
||||
Behaviour for reading:
|
||||
When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
|
||||
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
|
||||
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
|
||||
|
||||
This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
|
||||
|
||||
This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
|
||||
|
||||
It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
|
||||
|
||||
(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d)
|
||||
---
|
||||
libtiff/tif_dir.c | 118 ++++++++++++++++++++++++-----------------
|
||||
libtiff/tif_dir.h | 2 +
|
||||
libtiff/tif_dirinfo.c | 2 +-
|
||||
libtiff/tif_dirwrite.c | 5 ++
|
||||
libtiff/tif_print.c | 4 ++
|
||||
5 files changed, 82 insertions(+), 49 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||
index ad550c65..cb329fd8 100644
|
||||
--- a/libtiff/tif_dir.c
|
||||
+++ b/libtiff/tif_dir.c
|
||||
@@ -125,32 +125,30 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
|
||||
}
|
||||
|
||||
/*
|
||||
- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
|
||||
+ * Count ink names separated by \0. Returns
|
||||
* zero if the ink names are not as expected.
|
||||
*/
|
||||
-static uint32
|
||||
-checkInkNamesString(TIFF* tif, uint32 slen, const char* s)
|
||||
+static uint16
|
||||
+countInkNamesString(TIFF *tif, uint32 slen, const char *s)
|
||||
{
|
||||
- TIFFDirectory* td = &tif->tif_dir;
|
||||
- uint16 i = td->td_samplesperpixel;
|
||||
+ uint16 i = 0;
|
||||
+ const char *ep = s + slen;
|
||||
+ const char *cp = s;
|
||||
|
||||
if (slen > 0) {
|
||||
- const char* ep = s+slen;
|
||||
- const char* cp = s;
|
||||
- for (; i > 0; i--) {
|
||||
+ do {
|
||||
for (; cp < ep && *cp != '\0'; cp++) {}
|
||||
if (cp >= ep)
|
||||
goto bad;
|
||||
cp++; /* skip \0 */
|
||||
- }
|
||||
- return ((uint32)(cp-s));
|
||||
+ i++;
|
||||
+ } while (cp < ep);
|
||||
+ return (i);
|
||||
}
|
||||
bad:
|
||||
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
|
||||
- "%s: Invalid InkNames value; expecting %d names, found %d",
|
||||
- tif->tif_name,
|
||||
- td->td_samplesperpixel,
|
||||
- td->td_samplesperpixel-i);
|
||||
+ "%s: Invalid InkNames value; no NUL at given buffer end location %d, after %d ink",
|
||||
+ tif->tif_name, slen, i);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@@ -452,13 +450,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
|
||||
break;
|
||||
case TIFFTAG_INKNAMES:
|
||||
- v = (uint16) va_arg(ap, uint16_vap);
|
||||
- s = va_arg(ap, char*);
|
||||
- v = checkInkNamesString(tif, v, s);
|
||||
- status = v > 0;
|
||||
- if( v > 0 ) {
|
||||
- _TIFFsetNString(&td->td_inknames, s, v);
|
||||
- td->td_inknameslen = v;
|
||||
+ {
|
||||
+ v = (uint16) va_arg(ap, uint16_vap);
|
||||
+ s = va_arg(ap, char*);
|
||||
+ uint16 ninksinstring;
|
||||
+ ninksinstring = countInkNamesString(tif, v, s);
|
||||
+ status = ninksinstring > 0;
|
||||
+ if(ninksinstring > 0 ) {
|
||||
+ _TIFFsetNString(&td->td_inknames, s, v);
|
||||
+ td->td_inknameslen = v;
|
||||
+ /* Set NumberOfInks to the value ninksinstring */
|
||||
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
|
||||
+ {
|
||||
+ if (td->td_numberofinks != ninksinstring) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the number of inks %d.\n -> NumberOfInks value adapted to %d",
|
||||
+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
|
||||
+ td->td_numberofinks = ninksinstring;
|
||||
+ }
|
||||
+ } else {
|
||||
+ td->td_numberofinks = ninksinstring;
|
||||
+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
|
||||
+ }
|
||||
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
|
||||
+ {
|
||||
+ if (td->td_numberofinks != td->td_samplesperpixel) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d",
|
||||
+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ break;
|
||||
+ case TIFFTAG_NUMBEROFINKS:
|
||||
+ v = (uint16)va_arg(ap, uint16_vap);
|
||||
+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
|
||||
+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
|
||||
+ {
|
||||
+ if (v != td->td_numberofinks) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Error %s; Tag %s:\n It is not possible to set the value %d for NumberOfInks\n which is different from the number of inks in the InkNames tag (%d)",
|
||||
+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
|
||||
+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
|
||||
+ status = 0;
|
||||
+ }
|
||||
+ } else {
|
||||
+ td->td_numberofinks = (uint16)v;
|
||||
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
|
||||
+ {
|
||||
+ if (td->td_numberofinks != td->td_samplesperpixel) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d",
|
||||
+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
case TIFFTAG_PERSAMPLE:
|
||||
@@ -854,33 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
|
||||
return 0;
|
||||
|
||||
- if( tag == TIFFTAG_NUMBEROFINKS )
|
||||
- {
|
||||
- int i;
|
||||
- for (i = 0; i < td->td_customValueCount; i++) {
|
||||
- uint16 val;
|
||||
- TIFFTagValue *tv = td->td_customValues + i;
|
||||
- if (tv->info->field_tag != tag)
|
||||
- continue;
|
||||
- if( tv->value == NULL )
|
||||
- return 0;
|
||||
- val = *(uint16 *)tv->value;
|
||||
- /* Truncate to SamplesPerPixel, since the */
|
||||
- /* setting code for INKNAMES assume that there are SamplesPerPixel */
|
||||
- /* inknames. */
|
||||
- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
|
||||
- if( val > td->td_samplesperpixel )
|
||||
- {
|
||||
- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
|
||||
- "Truncating NumberOfInks from %u to %u",
|
||||
- val, td->td_samplesperpixel);
|
||||
- val = td->td_samplesperpixel;
|
||||
- }
|
||||
- *va_arg(ap, uint16*) = val;
|
||||
- return 1;
|
||||
- }
|
||||
- return 0;
|
||||
- }
|
||||
|
||||
/*
|
||||
* We want to force the custom code to be used for custom
|
||||
@@ -1068,6 +1087,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
case TIFFTAG_INKNAMES:
|
||||
*va_arg(ap, char**) = td->td_inknames;
|
||||
break;
|
||||
+ case TIFFTAG_NUMBEROFINKS:
|
||||
+ *va_arg(ap, uint16 *) = td->td_numberofinks;
|
||||
+ break;
|
||||
default:
|
||||
{
|
||||
int i;
|
||||
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
|
||||
index 5a380767..b5881b02 100644
|
||||
--- a/libtiff/tif_dir.h
|
||||
+++ b/libtiff/tif_dir.h
|
||||
@@ -113,6 +113,7 @@ typedef struct {
|
||||
/* CMYK parameters */
|
||||
int td_inknameslen;
|
||||
char* td_inknames;
|
||||
+ uint16 td_numberofinks; /* number of inks in InkNames string */
|
||||
|
||||
int td_customValueCount;
|
||||
TIFFTagValue *td_customValues;
|
||||
@@ -168,6 +169,7 @@ typedef struct {
|
||||
#define FIELD_TRANSFERFUNCTION 44
|
||||
#define FIELD_INKNAMES 46
|
||||
#define FIELD_SUBIFD 49
|
||||
+#define FIELD_NUMBEROFINKS 50
|
||||
/* FIELD_CUSTOM (see tiffio.h) 65 */
|
||||
/* end of support for well-known tags; codec-private tags follow */
|
||||
#define FIELD_CODEC 66 /* base of codec-private tags */
|
||||
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
|
||||
index 4904f540..8bbc8323 100644
|
||||
--- a/libtiff/tif_dirinfo.c
|
||||
+++ b/libtiff/tif_dirinfo.c
|
||||
@@ -106,7 +106,7 @@ tiffFields[] = {
|
||||
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
|
||||
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
|
||||
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
|
||||
- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
|
||||
+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
|
||||
{ TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
|
||||
{ TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
|
||||
{ TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
|
||||
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
||||
index 03a9f296..994fa57a 100644
|
||||
--- a/libtiff/tif_dirwrite.c
|
||||
+++ b/libtiff/tif_dirwrite.c
|
||||
@@ -634,6 +634,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
|
||||
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
|
||||
goto bad;
|
||||
}
|
||||
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
|
||||
+ {
|
||||
+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
|
||||
+ goto bad;
|
||||
+ }
|
||||
if (TIFFFieldSet(tif,FIELD_SUBIFD))
|
||||
{
|
||||
if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
|
||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||
index b9b53a0f..9caba038 100644
|
||||
--- a/libtiff/tif_print.c
|
||||
+++ b/libtiff/tif_print.c
|
||||
@@ -404,6 +404,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||
}
|
||||
fputs("\n", fd);
|
||||
}
|
||||
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
|
||||
+ fprintf(fd, " NumberOfInks: %d\n",
|
||||
+ td->td_numberofinks);
|
||||
+ }
|
||||
if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
|
||||
fprintf(fd, " Thresholding: ");
|
||||
switch (td->td_threshholding) {
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Library of functions for manipulating TIFF format image files
|
||||
Name: libtiff
|
||||
Version: 4.0.9
|
||||
Release: 26%{?dist}
|
||||
Release: 31%{?dist}
|
||||
License: libtiff
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.simplesystems.org/libtiff/
|
||||
|
@ -45,6 +45,11 @@ Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
|
|||
Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch
|
||||
Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
|
||||
Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
|
||||
Patch0035: 0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
|
||||
Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
|
||||
Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
|
||||
Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
|
||||
Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
|
||||
|
||||
|
||||
BuildRequires: gcc, gcc-c++
|
||||
|
@ -199,6 +204,27 @@ find html -name 'Makefile*' | xargs rm
|
|||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Fri Jan 05 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-31
|
||||
- Fix CVE-2022-3599 CVE-2022-4645
|
||||
- Resolves: RHEL-5399
|
||||
|
||||
* Thu Sep 21 2023 Ondrej Sloup <osloup@redhat.com> - 4.0.9-30
|
||||
- Bump specfile to retrigger gating
|
||||
- Add tests folder for standard beakerlib
|
||||
- Related: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688
|
||||
|
||||
* Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-29
|
||||
- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
|
||||
- Resolves: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688
|
||||
|
||||
* Tue May 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-28
|
||||
- Fix CVE-2022-48281
|
||||
- Resolves: CVE-2022-48281
|
||||
|
||||
* Mon Jan 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-27
|
||||
- Fix various CVEs
|
||||
- Resolves: CVE-2022-3627 CVE-2022-3970
|
||||
|
||||
* Mon Oct 24 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-26
|
||||
- Fix various CVEs
|
||||
- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953
|
||||
|
|
Loading…
Reference in New Issue