aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2011-04-23 09:37:37 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2011-04-23 09:42:24 +0000
commit4fae22ebc20517a01951fbc52d14eab131e66c5b (patch)
tree74643da93076f2145aa77060a3abf8d807ed9973
parent6c830b0725e1936ca196495fcd1dfd89c91fb769 (diff)
downloadalpine_aports-4fae22ebc20517a01951fbc52d14eab131e66c5b.tar.bz2
alpine_aports-4fae22ebc20517a01951fbc52d14eab131e66c5b.tar.xz
alpine_aports-4fae22ebc20517a01951fbc52d14eab131e66c5b.zip
main/tiff: upgrade to 3.9.5
and clean up the APKBUILD
Diffstat
-rw-r--r--main/tiff/APKBUILD69
-rw-r--r--main/tiff/CVE-2006-3459-3465.patch669
-rw-r--r--main/tiff/libtiff-CVE-2009-2285.patch22
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2008-2327.patch64
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2009-2347.patch170
-rw-r--r--main/tiff/tiff-jpegfix.patch31
-rw-r--r--main/tiff/tiff2pdf-compression.patch44
-rw-r--r--main/tiff/tiff2pdf-octal-printf.patch11
-rw-r--r--main/tiff/tiffsplit-fname-overflow.patch19
9 files changed, 38 insertions, 1061 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index a863e2c369..2764544fe3 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -1,36 +1,41 @@
1# Contributor: Leonardo Arena <rnalrd@gmail.com> 1# Contributor: Leonardo Arena <rnalrd@gmail.com>
2# Maintainer: Michael Mason <ms13sp@gmail.com> 2# Maintainer: Michael Mason <ms13sp@gmail.com>
3pkgname=tiff 3pkgname=tiff
4pkgver=3.8.2 4pkgver=3.9.5
5pkgrel=4 5pkgrel=0
6pkgdesc="Provides support for the Tag Image File Format or TIFF" 6pkgdesc="Provides support for the Tag Image File Format or TIFF"
7url="http://www.libtiff.org/" 7url="http://www.libtiff.org/"
8arch="all" 8arch="all"
9license="GPL" 9license="GPL"
10depends= 10depends=
11subpackages="$pkgname-doc $pkgname-dev" 11depends_dev="zlib-dev jpeg-dev"
12source="ftp://ftp.remotesensing.org/pub/lib$pkgname/$pkgname-$pkgver.tar.gz 12makedepends="libtool autoconf automake $depends_dev"
13 CVE-2006-3459-3465.patch 13subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
14 libtiff-CVE-2009-2285.patch 14source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
15 tiff-3.8.2-CVE-2008-2327.patch
16 tiff-3.8.2-CVE-2009-2347.patch
17 tiff2pdf-compression.patch
18 tiff2pdf-octal-printf.patch
19 tiffsplit-fname-overflow.patch
20 tiff-jpegfix.patch
21 " 15 "
16
17_builddir="$srcdir"/$pkgname-$pkgver
22 18
23build() { 19prepare() {
24 cd "$srcdir/$pkgname-$pkgver" 20 local _failed=
21 cd "$_builddir"
22
23 for i in $source; do
24 case $i in
25 *.patch) msg $i; patch -p1 -i "$srcdir"/$i || _failed="$_failed $i";;
26 esac
27 done
28
29 rm -f libtool.m4
30 libtoolize --force --copy \
31 && aclocal -I . -I m4 \
32 && automake --add-missing --copy \
33 && autoconf \
34 && autoheader
35}
25 36
26 patch -p1 < ../tiff2pdf-octal-printf.patch || return 1 37build() {
27 patch -p1 < ../tiffsplit-fname-overflow.patch || return 1 38 cd "$_builddir"
28 patch -p1 < ../CVE-2006-3459-3465.patch || return 1
29 patch -p1 < ../tiff2pdf-compression.patch || return 1
30 patch -p1 < ../tiff-3.8.2-CVE-2008-2327.patch || return 1
31 patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1
32 patch -p1 < ../tiff-3.8.2-CVE-2009-2347.patch || return 1
33 patch -p1 < ../tiff-jpegfix.patch || return 1
34 39
35 ./configure --prefix=/usr \ 40 ./configure --prefix=/usr \
36 --sysconfdir=/etc \ 41 --sysconfdir=/etc \
@@ -38,16 +43,18 @@ build() {
38 --infodir=/usr/share/info \ 43 --infodir=/usr/share/info \
39 --disable-cxx 44 --disable-cxx
40 make || return 1 45 make || return 1
46}
47
48package() {
49 cd "$_builddir"
41 make DESTDIR="$pkgdir" install 50 make DESTDIR="$pkgdir" install
51 rm -f "$pkgdir"/usr/lib/*.la
52}
42 53
54tools() {
55 pkgdesc="Command-line utility programs for manipulating TIFF files"
56 mkdir -p "$subpkgdir"/usr/
57 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
43} 58}
44 59
45md5sums="fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz 60md5sums="8fc7ce3b4e1d0cc8a319336967815084 tiff-3.9.5.tar.gz"
46624d3067e6a4c0680767eb62253ea980 CVE-2006-3459-3465.patch
47ff61077408727a82281f77a94f555e2a libtiff-CVE-2009-2285.patch
48c2c2e22557d9c63011df5777dda6a86b tiff-3.8.2-CVE-2008-2327.patch
49d3b02693cca83e63005b162edd43016b tiff-3.8.2-CVE-2009-2347.patch
50b443ffca9d498bb3a88c17da0200025b tiff2pdf-compression.patch
51d54368687d2645ffbbe6c2df384b11bf tiff2pdf-octal-printf.patch
52323352fd60a7bd3ffac8724c3c031669 tiffsplit-fname-overflow.patch
533353687eba89179f55f027bd571a63f5 tiff-jpegfix.patch"
diff --git a/main/tiff/CVE-2006-3459-3465.patch b/main/tiff/CVE-2006-3459-3465.patch
deleted file mode 100644
index cb55b03e7b..0000000000
--- a/main/tiff/CVE-2006-3459-3465.patch
+++ /dev/null
@@ -1,669 +0,0 @@
1diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
2--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
3+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
4@@ -122,6 +122,7 @@
5 {
6 static const char module[] = "_TIFFVSetField";
7
8+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
9 TIFFDirectory* td = &tif->tif_dir;
10 int status = 1;
11 uint32 v32, i, v;
12@@ -195,10 +196,12 @@
13 break;
14 case TIFFTAG_ORIENTATION:
15 v = va_arg(ap, uint32);
16+ const TIFFFieldInfo* fip;
17 if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
18+ fip = _TIFFFieldWithTag(tif, tag);
19 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
20 "Bad value %lu for \"%s\" tag ignored",
21- v, _TIFFFieldWithTag(tif, tag)->field_name);
22+ v, fip ? fip->field_name : "Unknown");
23 } else
24 td->td_orientation = (uint16) v;
25 break;
26@@ -387,11 +390,15 @@
27 * happens, for example, when tiffcp is used to convert between
28 * compression schemes and codec-specific tags are blindly copied.
29 */
30+ /*
31+ * better not dereference fip if it is NULL.
32+ * -- taviso@google.com 15 Jun 2006
33+ */
34 if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
35 TIFFErrorExt(tif->tif_clientdata, module,
36 "%s: Invalid %stag \"%s\" (not supported by codec)",
37 tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
38- _TIFFFieldWithTag(tif, tag)->field_name);
39+ fip ? fip->field_name : "Unknown");
40 status = 0;
41 break;
42 }
43@@ -468,7 +475,7 @@
44 if (fip->field_type == TIFF_ASCII)
45 _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
46 else {
47- tv->value = _TIFFmalloc(tv_size * tv->count);
48+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
49 if (!tv->value) {
50 status = 0;
51 goto end;
52@@ -563,7 +570,7 @@
53 }
54 }
55 if (status) {
56- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
57+ TIFFSetFieldBit(tif, fip->field_bit);
58 tif->tif_flags |= TIFF_DIRTYDIRECT;
59 }
60
61@@ -572,12 +579,12 @@
62 return (status);
63 badvalue:
64 TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
65- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
66+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
67 va_end(ap);
68 return (0);
69 badvalue32:
70 TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
71- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
72+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
73 va_end(ap);
74 return (0);
75 }
76@@ -813,12 +820,16 @@
77 * If the client tries to get a tag that is not valid
78 * for the image's codec then we'll arrive here.
79 */
80+ /*
81+ * dont dereference fip if it's NULL.
82+ * -- taviso@google.com 15 Jun 2006
83+ */
84 if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
85 {
86 TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
87 "%s: Invalid %stag \"%s\" (not supported by codec)",
88 tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
89- _TIFFFieldWithTag(tif, tag)->field_name);
90+ fip ? fip->field_name : "Unknown");
91 ret_val = 0;
92 break;
93 }
94diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
95--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
96+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
97@@ -775,7 +775,8 @@
98 TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
99 "Internal error, unknown tag 0x%x",
100 (unsigned int) tag);
101- assert(fip != NULL);
102+ /* assert(fip != NULL); */
103+
104 /*NOTREACHED*/
105 }
106 return (fip);
107@@ -789,7 +790,8 @@
108 if (!fip) {
109 TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
110 "Internal error, unknown tag %s", field_name);
111- assert(fip != NULL);
112+ /* assert(fip != NULL); */
113+
114 /*NOTREACHED*/
115 }
116 return (fip);
117diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
118--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
119+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
120@@ -29,6 +29,9 @@
121 *
122 * Directory Read Support Routines.
123 */
124+
125+#include <limits.h>
126+
127 #include "tiffiop.h"
128
129 #define IGNORE 0 /* tag placeholder used below */
130@@ -81,6 +84,7 @@
131 uint16 dircount;
132 toff_t nextdiroff;
133 int diroutoforderwarning = 0;
134+ int compressionknown = 0;
135 toff_t* new_dirlist;
136
137 tif->tif_diroff = tif->tif_nextdiroff;
138@@ -147,13 +151,20 @@
139 } else {
140 toff_t off = tif->tif_diroff;
141
142- if (off + sizeof (uint16) > tif->tif_size) {
143- TIFFErrorExt(tif->tif_clientdata, module,
144- "%s: Can not read TIFF directory count",
145- tif->tif_name);
146- return (0);
147+ /*
148+ * Check for integer overflow when validating the dir_off, otherwise
149+ * a very high offset may cause an OOB read and crash the client.
150+ * -- taviso@google.com, 14 Jun 2006.
151+ */
152+ if (off + sizeof (uint16) > tif->tif_size ||
153+ off > (UINT_MAX - sizeof(uint16))) {
154+ TIFFErrorExt(tif->tif_clientdata, module,
155+ "%s: Can not read TIFF directory count",
156+ tif->tif_name);
157+ return (0);
158 } else
159- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
160+ _TIFFmemcpy(&dircount, tif->tif_base + off,
161+ sizeof (uint16));
162 off += sizeof (uint16);
163 if (tif->tif_flags & TIFF_SWAB)
164 TIFFSwabShort(&dircount);
165@@ -254,6 +265,7 @@
166 while (fix < tif->tif_nfields &&
167 tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
168 fix++;
169+
170 if (fix >= tif->tif_nfields ||
171 tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
172
173@@ -264,17 +276,23 @@
174 dp->tdir_tag,
175 dp->tdir_tag,
176 dp->tdir_type);
177-
178- TIFFMergeFieldInfo(tif,
179- _TIFFCreateAnonFieldInfo(tif,
180- dp->tdir_tag,
181- (TIFFDataType) dp->tdir_type),
182- 1 );
183+ /*
184+ * creating anonymous fields prior to knowing the compression
185+ * algorithm (ie, when the field info has been merged) could cause
186+ * crashes with pathological directories.
187+ * -- taviso@google.com 15 Jun 2006
188+ */
189+ if (compressionknown)
190+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
191+ (TIFFDataType) dp->tdir_type), 1 );
192+ else goto ignore;
193+
194 fix = 0;
195 while (fix < tif->tif_nfields &&
196 tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
197 fix++;
198 }
199+
200 /*
201 * Null out old tags that we ignore.
202 */
203@@ -326,6 +344,7 @@
204 dp->tdir_type, dp->tdir_offset);
205 if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
206 goto bad;
207+ else compressionknown++;
208 break;
209 /* XXX: workaround for broken TIFFs */
210 } else if (dp->tdir_type == TIFF_LONG) {
211@@ -540,6 +559,7 @@
212 * Attempt to deal with a missing StripByteCounts tag.
213 */
214 if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
215+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
216 /*
217 * Some manufacturers violate the spec by not giving
218 * the size of the strips. In this case, assume there
219@@ -556,7 +576,7 @@
220 "%s: TIFF directory is missing required "
221 "\"%s\" field, calculating from imagelength",
222 tif->tif_name,
223- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
224+ fip ? fip->field_name : "Unknown");
225 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
226 goto bad;
227 /*
228@@ -580,6 +600,7 @@
229 } else if (td->td_nstrips == 1
230 && td->td_stripoffset[0] != 0
231 && BYTECOUNTLOOKSBAD) {
232+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
233 /*
234 * XXX: Plexus (and others) sometimes give a value of zero for
235 * a tag when they don't know what the correct value is! Try
236@@ -589,13 +610,14 @@
237 TIFFWarningExt(tif->tif_clientdata, module,
238 "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
239 tif->tif_name,
240- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
241+ fip ? fip->field_name : "Unknown");
242 if(EstimateStripByteCounts(tif, dir, dircount) < 0)
243 goto bad;
244 } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
245 && td->td_nstrips > 2
246 && td->td_compression == COMPRESSION_NONE
247 && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
248+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
249 /*
250 * XXX: Some vendors fill StripByteCount array with absolutely
251 * wrong values (it can be equal to StripOffset array, for
252@@ -604,7 +626,7 @@
253 TIFFWarningExt(tif->tif_clientdata, module,
254 "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
255 tif->tif_name,
256- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
257+ fip ? fip->field_name : "Unknown");
258 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
259 goto bad;
260 }
261@@ -870,7 +892,13 @@
262
263 register TIFFDirEntry *dp;
264 register TIFFDirectory *td = &tif->tif_dir;
265- uint16 i;
266+
267+ /* i is used to iterate over td->td_nstrips, so must be
268+ * at least the same width.
269+ * -- taviso@google.com 15 Jun 2006
270+ */
271+
272+ uint32 i;
273
274 if (td->td_stripbytecount)
275 _TIFFfree(td->td_stripbytecount);
276@@ -947,16 +975,18 @@
277 static int
278 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
279 {
280+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
281+
282 if (count > dir->tdir_count) {
283 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
284 "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
285- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
286+ fip ? fip->field_name : "Unknown",
287 dir->tdir_count, count);
288 return (0);
289 } else if (count < dir->tdir_count) {
290 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
291 "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
292- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
293+ fip ? fip->field_name : "Unknown",
294 dir->tdir_count, count);
295 return (1);
296 }
297@@ -970,6 +1000,7 @@
298 TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
299 {
300 int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
301+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
302 tsize_t cc = dir->tdir_count * w;
303
304 /* Check for overflow. */
305@@ -1013,7 +1044,7 @@
306 bad:
307 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
308 "Error fetching data for field \"%s\"",
309- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
310+ fip ? fip->field_name : "Unknown");
311 return (tsize_t) 0;
312 }
313
314@@ -1039,10 +1070,12 @@
315 static int
316 cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
317 {
318+ const TIFFFieldInfo* fip;
319 if (denom == 0) {
320+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
321 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
322 "%s: Rational with zero denominator (num = %lu)",
323- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
324+ fip ? fip->field_name : "Unknown", num);
325 return (0);
326 } else {
327 if (dir->tdir_type == TIFF_RATIONAL)
328@@ -1159,6 +1192,20 @@
329 static int
330 TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
331 {
332+ /*
333+ * Prevent overflowing the v stack arrays below by performing a sanity
334+ * check on tdir_count, this should never be greater than two.
335+ * -- taviso@google.com 14 Jun 2006.
336+ */
337+ if (dir->tdir_count > 2) {
338+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
339+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
340+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
341+ fip ? fip->field_name : "Unknown",
342+ dir->tdir_count);
343+ return 0;
344+ }
345+
346 switch (dir->tdir_type) {
347 case TIFF_BYTE:
348 case TIFF_SBYTE:
349@@ -1329,14 +1376,15 @@
350 case TIFF_DOUBLE:
351 return (TIFFFetchDoubleArray(tif, dir, (double*) v));
352 default:
353+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
354 /* TIFF_NOTYPE */
355 /* TIFF_ASCII */
356 /* TIFF_UNDEFINED */
357 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
358 "cannot read TIFF_ANY type %d for field \"%s\"",
359 dir->tdir_type,
360- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
361- return (0);
362+ fip ? fip->field_name : "Unknown");
363+ return (0); }
364 }
365 return (1);
366 }
367@@ -1351,6 +1399,9 @@
368 int ok = 0;
369 const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
370
371+ if (fip == NULL) {
372+ return (0);
373+ }
374 if (dp->tdir_count > 1) { /* array of values */
375 char* cp = NULL;
376
377@@ -1493,6 +1544,7 @@
378 TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
379 {
380 uint16 samples = tif->tif_dir.td_samplesperpixel;
381+ const TIFFFieldInfo* fip;
382 int status = 0;
383
384 if (CheckDirCount(tif, dir, (uint32) samples)) {
385@@ -1510,9 +1562,10 @@
386
387 for (i = 1; i < check_count; i++)
388 if (v[i] != v[0]) {
389+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
390 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
391 "Cannot handle different per-sample values for field \"%s\"",
392- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
393+ fip ? fip->field_name : "Unknown");
394 goto bad;
395 }
396 *pl = v[0];
397@@ -1534,6 +1587,7 @@
398 TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
399 {
400 uint16 samples = tif->tif_dir.td_samplesperpixel;
401+ const TIFFFieldInfo* fip;
402 int status = 0;
403
404 if (CheckDirCount(tif, dir, (uint32) samples)) {
405@@ -1551,9 +1605,10 @@
406 check_count = samples;
407 for (i = 1; i < check_count; i++)
408 if (v[i] != v[0]) {
409+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
410 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
411 "Cannot handle different per-sample values for field \"%s\"",
412- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
413+ fip ? fip->field_name : "Unknown");
414 goto bad;
415 }
416 *pl = v[0];
417@@ -1574,6 +1629,7 @@
418 TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
419 {
420 uint16 samples = tif->tif_dir.td_samplesperpixel;
421+ const TIFFFieldInfo* fip;
422 int status = 0;
423
424 if (CheckDirCount(tif, dir, (uint32) samples)) {
425@@ -1591,9 +1647,10 @@
426
427 for (i = 1; i < check_count; i++)
428 if (v[i] != v[0]) {
429+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
430 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
431 "Cannot handle different per-sample values for field \"%s\"",
432- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
433+ fip ? fip->field_name : "Unknown");
434 goto bad;
435 }
436 *pl = v[0];
437diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
438--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
439+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
440@@ -1136,6 +1136,7 @@
441 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
442 {
443 Fax3BaseState* sp = Fax3State(tif);
444+ const TIFFFieldInfo* fip;
445
446 assert(sp != 0);
447 assert(sp->vsetparent != 0);
448@@ -1181,7 +1182,13 @@
449 default:
450 return (*sp->vsetparent)(tif, tag, ap);
451 }
452- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
453+
454+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
455+ TIFFSetFieldBit(tif, fip->field_bit);
456+ } else {
457+ return (0);
458+ }
459+
460 tif->tif_flags |= TIFF_DIRTYDIRECT;
461 return (1);
462 }
463diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
464--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
465+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
466@@ -722,15 +722,31 @@
467 segment_width = TIFFhowmany(segment_width, sp->h_sampling);
468 segment_height = TIFFhowmany(segment_height, sp->v_sampling);
469 }
470- if (sp->cinfo.d.image_width != segment_width ||
471- sp->cinfo.d.image_height != segment_height) {
472+ if (sp->cinfo.d.image_width < segment_width ||
473+ sp->cinfo.d.image_height < segment_height) {
474 TIFFWarningExt(tif->tif_clientdata, module,
475 "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
476 segment_width,
477 segment_height,
478 sp->cinfo.d.image_width,
479 sp->cinfo.d.image_height);
480+ }
481+
482+ if (sp->cinfo.d.image_width > segment_width ||
483+ sp->cinfo.d.image_height > segment_height) {
484+ /*
485+ * This case could be dangerous, if the strip or tile size has been
486+ * reported as less than the amount of data jpeg will return, some
487+ * potential security issues arise. Catch this case and error out.
488+ * -- taviso@google.com 14 Jun 2006
489+ */
490+ TIFFErrorExt(tif->tif_clientdata, module,
491+ "JPEG strip/tile size exceeds expected dimensions,"
492+ "expected %dx%d, got %dx%d", segment_width, segment_height,
493+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
494+ return (0);
495 }
496+
497 if (sp->cinfo.d.num_components !=
498 (td->td_planarconfig == PLANARCONFIG_CONTIG ?
499 td->td_samplesperpixel : 1)) {
500@@ -761,6 +777,22 @@
501 sp->cinfo.d.comp_info[0].v_samp_factor,
502 sp->h_sampling, sp->v_sampling);
503
504+ /*
505+ * There are potential security issues here for decoders that
506+ * have already allocated buffers based on the expected sampling
507+ * factors. Lets check the sampling factors dont exceed what
508+ * we were expecting.
509+ * -- taviso@google.com 14 June 2006
510+ */
511+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
512+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
513+ TIFFErrorExt(tif->tif_clientdata, module,
514+ "Cannot honour JPEG sampling factors that"
515+ " exceed those specified.");
516+ return (0);
517+ }
518+
519+
520 /*
521 * XXX: Files written by the Intergraph software
522 * has different sampling factors stored in the
523@@ -1521,15 +1553,18 @@
524 {
525 JPEGState *sp = JState(tif);
526
527- assert(sp != 0);
528+ /* assert(sp != 0); */
529
530 tif->tif_tagmethods.vgetfield = sp->vgetparent;
531 tif->tif_tagmethods.vsetfield = sp->vsetparent;
532
533- if( sp->cinfo_initialized )
534- TIFFjpeg_destroy(sp); /* release libjpeg resources */
535- if (sp->jpegtables) /* tag value */
536- _TIFFfree(sp->jpegtables);
537+ if (sp != NULL) {
538+ if( sp->cinfo_initialized )
539+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
540+ if (sp->jpegtables) /* tag value */
541+ _TIFFfree(sp->jpegtables);
542+ }
543+
544 _TIFFfree(tif->tif_data); /* release local state */
545 tif->tif_data = NULL;
546
547@@ -1541,6 +1576,7 @@
548 {
549 JPEGState* sp = JState(tif);
550 TIFFDirectory* td = &tif->tif_dir;
551+ const TIFFFieldInfo* fip;
552 uint32 v32;
553
554 assert(sp != NULL);
555@@ -1606,7 +1642,13 @@
556 default:
557 return (*sp->vsetparent)(tif, tag, ap);
558 }
559- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
560+
561+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
562+ TIFFSetFieldBit(tif, fip->field_bit);
563+ } else {
564+ return (0);
565+ }
566+
567 tif->tif_flags |= TIFF_DIRTYDIRECT;
568 return (1);
569 }
570@@ -1726,7 +1768,11 @@
571 {
572 JPEGState* sp = JState(tif);
573
574- assert(sp != NULL);
575+ /* assert(sp != NULL); */
576+ if (sp == NULL) {
577+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
578+ return;
579+ }
580
581 (void) flags;
582 if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
583diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
584--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
585+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
586@@ -105,11 +105,16 @@
587 * as codes of the form <color><npixels>
588 * until we've filled the scanline.
589 */
590+ /*
591+ * Ensure the run does not exceed the scanline
592+ * bounds, potentially resulting in a security issue.
593+ * -- taviso@google.com 14 Jun 2006.
594+ */
595 op = row;
596 for (;;) {
597 grey = (n>>6) & 0x3;
598 n &= 0x3f;
599- while (n-- > 0)
600+ while (n-- > 0 && npixels < imagewidth)
601 SETPIXEL(op, grey);
602 if (npixels >= (int) imagewidth)
603 break;
604diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
605--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
606+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
607@@ -768,7 +768,19 @@
608 if (tif->tif_flags & TIFF_SWAB)
609 TIFFSwabArrayOfShort(up, nsamples);
610
611- for (i = 0; i < nsamples; i += llen, up += llen) {
612+ /*
613+ * if llen is not an exact multiple of nsamples, the decode operation
614+ * may overflow the output buffer, so truncate it enough to prevent that
615+ * but still salvage as much data as possible.
616+ * -- taviso@google.com 14th June 2006
617+ */
618+ if (nsamples % llen)
619+ TIFFWarningExt(tif->tif_clientdata, module,
620+ "%s: stride %lu is not a multiple of sample count, "
621+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
622+
623+
624+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
625 switch (sp->user_datafmt) {
626 case PIXARLOGDATAFMT_FLOAT:
627 horizontalAccumulateF(up, llen, sp->stride,
628diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
629--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
630+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
631@@ -31,6 +31,8 @@
632 #include "tiffiop.h"
633 #include <stdio.h>
634
635+#include <limits.h>
636+
637 int TIFFFillStrip(TIFF*, tstrip_t);
638 int TIFFFillTile(TIFF*, ttile_t);
639 static int TIFFStartStrip(TIFF*, tstrip_t);
640@@ -272,7 +274,13 @@
641 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
642 _TIFFfree(tif->tif_rawdata);
643 tif->tif_flags &= ~TIFF_MYBUFFER;
644- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
645+ /*
646+ * This sanity check could potentially overflow, causing an OOB read.
647+ * verify that offset + bytecount is > offset.
648+ * -- taviso@google.com 14 Jun 2006
649+ */
650+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
651+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
652 /*
653 * This error message might seem strange, but it's
654 * what would happen if a read were done instead.
655@@ -470,7 +478,13 @@
656 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
657 _TIFFfree(tif->tif_rawdata);
658 tif->tif_flags &= ~TIFF_MYBUFFER;
659- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
660+ /*
661+ * We must check this calculation doesnt overflow, potentially
662+ * causing an OOB read.
663+ * -- taviso@google.com 15 Jun 2006
664+ */
665+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
666+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
667 tif->tif_curtile = NOTILE;
668 return (0);
669 }
diff --git a/main/tiff/libtiff-CVE-2009-2285.patch b/main/tiff/libtiff-CVE-2009-2285.patch
deleted file mode 100644
index 435a84b535..0000000000
--- a/main/tiff/libtiff-CVE-2009-2285.patch
+++ /dev/null
@@ -1,22 +0,0 @@
1Index: tiff-3.8.2/libtiff/tif_lzw.c
2===================================================================
3--- tiff-3.8.2.orig/libtiff/tif_lzw.c
4+++ tiff-3.8.2/libtiff/tif_lzw.c
5@@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
6 NextCode(tif, sp, bp, code, GetNextCode);
7 if (code == CODE_EOI)
8 break;
9- if (code == CODE_CLEAR) {
10+ if (code >= CODE_CLEAR) {
11 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
12 "LZWDecode: Corrupted LZW table at scanline %d",
13 tif->tif_row);
14@@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
15 NextCode(tif, sp, bp, code, GetNextCodeCompat);
16 if (code == CODE_EOI)
17 break;
18- if (code == CODE_CLEAR) {
19+ if (code >= CODE_CLEAR) {
20 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
21 "LZWDecode: Corrupted LZW table at scanline %d",
22 tif->tif_row);
diff --git a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
deleted file mode 100644
index e6d74a67ab..0000000000
--- a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
+++ /dev/null
@@ -1,64 +0,0 @@
1Fixes security issues in libTIFF's handling of LZW-encoded
2images. The use of uninitialized data could lead to a buffer
3underflow and a crash or arbitrary code execution.
4
5CVE-ID: CVE-2008-2327
6Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
7
8Index: tiff-3.8.2/libtiff/tif_lzw.c
9===================================================================
10--- tiff-3.8.2.orig/libtiff/tif_lzw.c
11+++ tiff-3.8.2/libtiff/tif_lzw.c
12@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
13 sp->dec_codetab[code].length = 1;
14 sp->dec_codetab[code].next = NULL;
15 } while (code--);
16+ /*
17+ * Zero-out the unused entries
18+ */
19+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
20+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
21+
22 }
23 return (1);
24 }
25@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
26 break;
27 if (code == CODE_CLEAR) {
28 free_entp = sp->dec_codetab + CODE_FIRST;
29+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
30 nbits = BITS_MIN;
31 nbitsmask = MAXCODE(BITS_MIN);
32 maxcodep = sp->dec_codetab + nbitsmask-1;
33 NextCode(tif, sp, bp, code, GetNextCode);
34 if (code == CODE_EOI)
35 break;
36+ if (code == CODE_CLEAR) {
37+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
38+ "LZWDecode: Corrupted LZW table at scanline %d",
39+ tif->tif_row);
40+ return (0);
41+ }
42 *op++ = (char)code, occ--;
43 oldcodep = sp->dec_codetab + code;
44 continue;
45@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
46 break;
47 if (code == CODE_CLEAR) {
48 free_entp = sp->dec_codetab + CODE_FIRST;
49+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
50 nbits = BITS_MIN;
51 nbitsmask = MAXCODE(BITS_MIN);
52 maxcodep = sp->dec_codetab + nbitsmask;
53 NextCode(tif, sp, bp, code, GetNextCodeCompat);
54 if (code == CODE_EOI)
55 break;
56+ if (code == CODE_CLEAR) {
57+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
58+ "LZWDecode: Corrupted LZW table at scanline %d",
59+ tif->tif_row);
60+ return (0);
61+ }
62 *op++ = code, occ--;
63 oldcodep = sp->dec_codetab + code;
64 continue;
diff --git a/main/tiff/tiff-3.8.2-CVE-2009-2347.patch b/main/tiff/tiff-3.8.2-CVE-2009-2347.patch
deleted file mode 100644
index 039d7336a2..0000000000
--- a/main/tiff/tiff-3.8.2-CVE-2009-2347.patch
+++ /dev/null
@@ -1,170 +0,0 @@
1Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
2possible integer overflow in calculation of buffer sizes.
3
4CVE-2009-2347
5
6
7diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
8--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
9+++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
10@@ -202,6 +202,17 @@
11 #undef LumaBlue
12 #undef V2Code
13
14+static tsize_t
15+multiply(tsize_t m1, tsize_t m2)
16+{
17+ tsize_t prod = m1 * m2;
18+
19+ if (m1 && prod / m1 != m2)
20+ prod = 0; /* overflow */
21+
22+ return prod;
23+}
24+
25 /*
26 * Convert a strip of RGB data to YCbCr and
27 * sample to generate the output data.
28@@ -278,10 +289,19 @@
29 float floatv;
30 char *stringv;
31 uint32 longv;
32+ tsize_t raster_size;
33
34 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
35 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
36- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
37+
38+ raster_size = multiply(multiply(width, height), sizeof (uint32));
39+ if (!raster_size) {
40+ TIFFError(TIFFFileName(in),
41+ "Can't allocate buffer for raster of size %lux%lu",
42+ (unsigned long) width, (unsigned long) height);
43+ return (0);
44+ }
45+ raster = (uint32*)_TIFFmalloc(raster_size);
46 if (raster == 0) {
47 TIFFError(TIFFFileName(in), "No space for raster buffer");
48 return (0);
49diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
50--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
51+++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
52@@ -124,6 +124,17 @@
53 return (0);
54 }
55
56+static tsize_t
57+multiply(tsize_t m1, tsize_t m2)
58+{
59+ tsize_t prod = m1 * m2;
60+
61+ if (m1 && prod / m1 != m2)
62+ prod = 0; /* overflow */
63+
64+ return prod;
65+}
66+
67 static int
68 cvt_by_tile( TIFF *in, TIFF *out )
69
70@@ -133,6 +144,7 @@
71 uint32 tile_width, tile_height;
72 uint32 row, col;
73 uint32 *wrk_line;
74+ tsize_t raster_size;
75 int ok = 1;
76
77 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
78@@ -150,7 +162,14 @@
79 /*
80 * Allocate tile buffer
81 */
82- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
83+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
84+ if (!raster_size) {
85+ TIFFError(TIFFFileName(in),
86+ "Can't allocate buffer for raster of size %lux%lu",
87+ (unsigned long) tile_width, (unsigned long) tile_height);
88+ return (0);
89+ }
90+ raster = (uint32*)_TIFFmalloc(raster_size);
91 if (raster == 0) {
92 TIFFError(TIFFFileName(in), "No space for raster buffer");
93 return (0);
94@@ -158,7 +177,7 @@
95
96 /*
97 * Allocate a scanline buffer for swapping during the vertical
98- * mirroring pass.
99+ * mirroring pass. (Request can't overflow given prior checks.)
100 */
101 wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
102 if (!wrk_line) {
103@@ -226,6 +245,7 @@
104 uint32 width, height; /* image width & height */
105 uint32 row;
106 uint32 *wrk_line;
107+ tsize_t raster_size;
108 int ok = 1;
109
110 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
111@@ -241,7 +261,14 @@
112 /*
113 * Allocate strip buffer
114 */
115- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
116+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
117+ if (!raster_size) {
118+ TIFFError(TIFFFileName(in),
119+ "Can't allocate buffer for raster of size %lux%lu",
120+ (unsigned long) width, (unsigned long) rowsperstrip);
121+ return (0);
122+ }
123+ raster = (uint32*)_TIFFmalloc(raster_size);
124 if (raster == 0) {
125 TIFFError(TIFFFileName(in), "No space for raster buffer");
126 return (0);
127@@ -249,7 +276,7 @@
128
129 /*
130 * Allocate a scanline buffer for swapping during the vertical
131- * mirroring pass.
132+ * mirroring pass. (Request can't overflow given prior checks.)
133 */
134 wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
135 if (!wrk_line) {
136@@ -328,14 +355,22 @@
137 uint32* raster; /* retrieve RGBA image */
138 uint32 width, height; /* image width & height */
139 uint32 row;
140-
141+ tsize_t raster_size;
142+
143 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
144 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
145
146 rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
147 TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
148
149- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
150+ raster_size = multiply(multiply(width, height), sizeof (uint32));
151+ if (!raster_size) {
152+ TIFFError(TIFFFileName(in),
153+ "Can't allocate buffer for raster of size %lux%lu",
154+ (unsigned long) width, (unsigned long) height);
155+ return (0);
156+ }
157+ raster = (uint32*)_TIFFmalloc(raster_size);
158 if (raster == 0) {
159 TIFFError(TIFFFileName(in), "No space for raster buffer");
160 return (0);
161@@ -353,7 +388,7 @@
162 */
163 if( no_alpha )
164 {
165- int pixel_count = width * height;
166+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
167 unsigned char *src, *dst;
168
169 src = (unsigned char *) raster;
170
diff --git a/main/tiff/tiff-jpegfix.patch b/main/tiff/tiff-jpegfix.patch
deleted file mode 100644
index ca57191dff..0000000000
--- a/main/tiff/tiff-jpegfix.patch
+++ /dev/null
@@ -1,31 +0,0 @@
1diff -Nru tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
2--- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-12-22 12:45:49.969811264 -0800
3+++ tiff-3.9.2/libtiff/tif_jpeg.c 2009-12-22 12:47:04.433491064 -0800
4@@ -2014,7 +2014,14 @@
5 if( tif->tif_diroff == 0 )
6 {
7 #define SIZE_OF_JPEGTABLES 2000
8+/*
9+The following line assumes incorrectly that all JPEG-in-TIFF files will have
10+a JPEGTABLES tag generated and causes null-filled JPEGTABLES tags to be written
11+when the JPEG data is placed with TIFFWriteRawStrip. The field bit should be
12+set, anyway, later when actual JPEGTABLES header is generated, so removing it
13+here hopefully is harmless.
14 TIFFSetFieldBit(tif, FIELD_JPEGTABLES);
15+*/
16 sp->jpegtables_length = SIZE_OF_JPEGTABLES;
17 sp->jpegtables = (void *) _TIFFmalloc(sp->jpegtables_length);
18 _TIFFmemset(sp->jpegtables, 0, SIZE_OF_JPEGTABLES);
19diff -Nru tiff-3.9.2.orig/tools/tiff2pdf.c tiff-3.9.2/tools/tiff2pdf.c
20--- tiff-3.9.2.orig/tools/tiff2pdf.c 2009-12-22 12:45:49.873825856 -0800
21+++ tiff-3.9.2/tools/tiff2pdf.c 2009-12-22 12:48:16.558526392 -0800
22@@ -3320,6 +3320,9 @@
23 while(i<(*striplength)){
24 switch( strip[i] ){
25 case 0xd8:
26+ /* SOI - start of image */
27+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
28+ *bufferoffset+=2;
29 i+=2;
30 break;
31 case 0xc0:
diff --git a/main/tiff/tiff2pdf-compression.patch b/main/tiff/tiff2pdf-compression.patch
deleted file mode 100644
index 2dae2dcd1c..0000000000
--- a/main/tiff/tiff2pdf-compression.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1--- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35
2+++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36
3@@ -937,7 +937,7 @@
4
5 #ifdef JPEG_SUPPORT
6 if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){
7- if(t2p->pdf_defaultcompressionquality<100 ||
8+ if(t2p->pdf_defaultcompressionquality>100 ||
9 t2p->pdf_defaultcompressionquality<1){
10 t2p->pdf_defaultcompressionquality=0;
11 }
12@@ -945,25 +945,17 @@
13 #endif
14 #ifdef ZIP_SUPPORT
15 if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){
16- switch (t2p->pdf_defaultcompressionquality){
17- case 1: case 10: case 11: case 12: case 13: case 14: case 15:
18- case 101: case 110: case 111: case 112: case 113: case 114: case 115:
19- case 201: case 210: case 211: case 212: case 213: case 214: case 215:
20- case 301: case 310: case 311: case 312: case 313: case 314: case 315:
21- case 401: case 410: case 411: case 412: case 413: case 414: case 415:
22- case 501: case 510: case 511: case 512: case 513: case 514: case 515:
23- case 601: case 610: case 611: case 612: case 613: case 614: case 615:
24- case 701: case 710: case 711: case 712: case 713: case 714: case 715:
25- case 801: case 810: case 811: case 812: case 813: case 814: case 815:
26- case 901: case 910: case 911: case 912: case 913: case 914: case 915:
27- break;
28- default:
29- t2p->pdf_defaultcompressionquality=0;
30+ uint16 m=t2p->pdf_defaultcompressionquality%100;
31+ if(t2p->pdf_defaultcompressionquality/100 > 9 ||
32+ (m>1 && m<10) || m>15){
33+ t2p->pdf_defaultcompressionquality=0;
34 }
35 if(t2p->pdf_defaultcompressionquality%100 !=0){
36+ t2p->pdf_defaultcompressionquality/=100;
37+ t2p->pdf_defaultcompressionquality*=100;
38 TIFFError(
39 TIFF2PDF_MODULE,
40- "PNG Group predictor differencing not implemented, assuming compresion quality %u",
41+ "PNG Group predictor differencing not implemented, assuming compression quality %u",
42 t2p->pdf_defaultcompressionquality);
43 }
44 t2p->pdf_defaultcompressionquality%=100;
diff --git a/main/tiff/tiff2pdf-octal-printf.patch b/main/tiff/tiff2pdf-octal-printf.patch
deleted file mode 100644
index f35b072378..0000000000
--- a/main/tiff/tiff2pdf-octal-printf.patch
+++ /dev/null
@@ -1,11 +0,0 @@
1--- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500
2+++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400
3@@ -3668,7 +3668,7 @@
4 written += TIFFWriteFile(output, (tdata_t) "(", 1);
5 for (i=0;i<len;i++){
6 if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
7- sprintf(buffer, "\\%.3o", pdfstr[i]);
8+ sprintf(buffer, "\\%.3hho", pdfstr[i]);
9 written += TIFFWriteFile(output, (tdata_t) buffer, 4);
10 } else {
11 switch (pdfstr[i]){
diff --git a/main/tiff/tiffsplit-fname-overflow.patch b/main/tiff/tiffsplit-fname-overflow.patch
deleted file mode 100644
index cc225890ae..0000000000
--- a/main/tiff/tiffsplit-fname-overflow.patch
+++ /dev/null
@@ -1,19 +0,0 @@
1--- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500
2+++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400
3@@ -61,14 +61,13 @@
4 return (-3);
5 }
6 if (argc > 2)
7- strcpy(fname, argv[2]);
8+ snprintf(fname, sizeof(fname), "%s", argv[2]);
9 in = TIFFOpen(argv[1], "r");
10 if (in != NULL) {
11 do {
12 char path[1024+1];
13 newfilename();
14- strcpy(path, fname);
15- strcat(path, ".tif");
16+ snprintf(path, sizeof(path), "%s.tif", fname);
17 out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
18 if (out == NULL)
19 return (-2);
© 2015 Mike Crute