diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2011-04-23 09:37:37 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2011-04-23 09:42:24 +0000 |
commit | 4fae22ebc20517a01951fbc52d14eab131e66c5b (patch) | |
tree | 74643da93076f2145aa77060a3abf8d807ed9973 | |
parent | 6c830b0725e1936ca196495fcd1dfd89c91fb769 (diff) | |
download | alpine_aports-4fae22ebc20517a01951fbc52d14eab131e66c5b.tar.bz2 alpine_aports-4fae22ebc20517a01951fbc52d14eab131e66c5b.tar.xz alpine_aports-4fae22ebc20517a01951fbc52d14eab131e66c5b.zip |
main/tiff: upgrade to 3.9.5
and clean up the APKBUILD
-rw-r--r-- | main/tiff/APKBUILD | 69 | ||||
-rw-r--r-- | main/tiff/CVE-2006-3459-3465.patch | 669 | ||||
-rw-r--r-- | main/tiff/libtiff-CVE-2009-2285.patch | 22 | ||||
-rw-r--r-- | main/tiff/tiff-3.8.2-CVE-2008-2327.patch | 64 | ||||
-rw-r--r-- | main/tiff/tiff-3.8.2-CVE-2009-2347.patch | 170 | ||||
-rw-r--r-- | main/tiff/tiff-jpegfix.patch | 31 | ||||
-rw-r--r-- | main/tiff/tiff2pdf-compression.patch | 44 | ||||
-rw-r--r-- | main/tiff/tiff2pdf-octal-printf.patch | 11 | ||||
-rw-r--r-- | main/tiff/tiffsplit-fname-overflow.patch | 19 |
9 files changed, 38 insertions, 1061 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index a863e2c369..2764544fe3 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD | |||
@@ -1,36 +1,41 @@ | |||
1 | # Contributor: Leonardo Arena <rnalrd@gmail.com> | 1 | # Contributor: Leonardo Arena <rnalrd@gmail.com> |
2 | # Maintainer: Michael Mason <ms13sp@gmail.com> | 2 | # Maintainer: Michael Mason <ms13sp@gmail.com> |
3 | pkgname=tiff | 3 | pkgname=tiff |
4 | pkgver=3.8.2 | 4 | pkgver=3.9.5 |
5 | pkgrel=4 | 5 | pkgrel=0 |
6 | pkgdesc="Provides support for the Tag Image File Format or TIFF" | 6 | pkgdesc="Provides support for the Tag Image File Format or TIFF" |
7 | url="http://www.libtiff.org/" | 7 | url="http://www.libtiff.org/" |
8 | arch="all" | 8 | arch="all" |
9 | license="GPL" | 9 | license="GPL" |
10 | depends= | 10 | depends= |
11 | subpackages="$pkgname-doc $pkgname-dev" | 11 | depends_dev="zlib-dev jpeg-dev" |
12 | source="ftp://ftp.remotesensing.org/pub/lib$pkgname/$pkgname-$pkgver.tar.gz | 12 | makedepends="libtool autoconf automake $depends_dev" |
13 | CVE-2006-3459-3465.patch | 13 | subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" |
14 | libtiff-CVE-2009-2285.patch | 14 | source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz |
15 | tiff-3.8.2-CVE-2008-2327.patch | ||
16 | tiff-3.8.2-CVE-2009-2347.patch | ||
17 | tiff2pdf-compression.patch | ||
18 | tiff2pdf-octal-printf.patch | ||
19 | tiffsplit-fname-overflow.patch | ||
20 | tiff-jpegfix.patch | ||
21 | " | 15 | " |
16 | |||
17 | _builddir="$srcdir"/$pkgname-$pkgver | ||
22 | 18 | ||
23 | build() { | 19 | prepare() { |
24 | cd "$srcdir/$pkgname-$pkgver" | 20 | local _failed= |
21 | cd "$_builddir" | ||
22 | |||
23 | for i in $source; do | ||
24 | case $i in | ||
25 | *.patch) msg $i; patch -p1 -i "$srcdir"/$i || _failed="$_failed $i";; | ||
26 | esac | ||
27 | done | ||
28 | |||
29 | rm -f libtool.m4 | ||
30 | libtoolize --force --copy \ | ||
31 | && aclocal -I . -I m4 \ | ||
32 | && automake --add-missing --copy \ | ||
33 | && autoconf \ | ||
34 | && autoheader | ||
35 | } | ||
25 | 36 | ||
26 | patch -p1 < ../tiff2pdf-octal-printf.patch || return 1 | 37 | build() { |
27 | patch -p1 < ../tiffsplit-fname-overflow.patch || return 1 | 38 | cd "$_builddir" |
28 | patch -p1 < ../CVE-2006-3459-3465.patch || return 1 | ||
29 | patch -p1 < ../tiff2pdf-compression.patch || return 1 | ||
30 | patch -p1 < ../tiff-3.8.2-CVE-2008-2327.patch || return 1 | ||
31 | patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1 | ||
32 | patch -p1 < ../tiff-3.8.2-CVE-2009-2347.patch || return 1 | ||
33 | patch -p1 < ../tiff-jpegfix.patch || return 1 | ||
34 | 39 | ||
35 | ./configure --prefix=/usr \ | 40 | ./configure --prefix=/usr \ |
36 | --sysconfdir=/etc \ | 41 | --sysconfdir=/etc \ |
@@ -38,16 +43,18 @@ build() { | |||
38 | --infodir=/usr/share/info \ | 43 | --infodir=/usr/share/info \ |
39 | --disable-cxx | 44 | --disable-cxx |
40 | make || return 1 | 45 | make || return 1 |
46 | } | ||
47 | |||
48 | package() { | ||
49 | cd "$_builddir" | ||
41 | make DESTDIR="$pkgdir" install | 50 | make DESTDIR="$pkgdir" install |
51 | rm -f "$pkgdir"/usr/lib/*.la | ||
52 | } | ||
42 | 53 | ||
54 | tools() { | ||
55 | pkgdesc="Command-line utility programs for manipulating TIFF files" | ||
56 | mkdir -p "$subpkgdir"/usr/ | ||
57 | mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ | ||
43 | } | 58 | } |
44 | 59 | ||
45 | md5sums="fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz | 60 | md5sums="8fc7ce3b4e1d0cc8a319336967815084 tiff-3.9.5.tar.gz" |
46 | 624d3067e6a4c0680767eb62253ea980 CVE-2006-3459-3465.patch | ||
47 | ff61077408727a82281f77a94f555e2a libtiff-CVE-2009-2285.patch | ||
48 | c2c2e22557d9c63011df5777dda6a86b tiff-3.8.2-CVE-2008-2327.patch | ||
49 | d3b02693cca83e63005b162edd43016b tiff-3.8.2-CVE-2009-2347.patch | ||
50 | b443ffca9d498bb3a88c17da0200025b tiff2pdf-compression.patch | ||
51 | d54368687d2645ffbbe6c2df384b11bf tiff2pdf-octal-printf.patch | ||
52 | 323352fd60a7bd3ffac8724c3c031669 tiffsplit-fname-overflow.patch | ||
53 | 3353687eba89179f55f027bd571a63f5 tiff-jpegfix.patch" | ||
diff --git a/main/tiff/CVE-2006-3459-3465.patch b/main/tiff/CVE-2006-3459-3465.patch deleted file mode 100644 index cb55b03e7b..0000000000 --- a/main/tiff/CVE-2006-3459-3465.patch +++ /dev/null | |||
@@ -1,669 +0,0 @@ | |||
1 | diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c | ||
2 | --- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 | ||
3 | +++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 | ||
4 | @@ -122,6 +122,7 @@ | ||
5 | { | ||
6 | static const char module[] = "_TIFFVSetField"; | ||
7 | |||
8 | + const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); | ||
9 | TIFFDirectory* td = &tif->tif_dir; | ||
10 | int status = 1; | ||
11 | uint32 v32, i, v; | ||
12 | @@ -195,10 +196,12 @@ | ||
13 | break; | ||
14 | case TIFFTAG_ORIENTATION: | ||
15 | v = va_arg(ap, uint32); | ||
16 | + const TIFFFieldInfo* fip; | ||
17 | if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { | ||
18 | + fip = _TIFFFieldWithTag(tif, tag); | ||
19 | TIFFWarningExt(tif->tif_clientdata, tif->tif_name, | ||
20 | "Bad value %lu for \"%s\" tag ignored", | ||
21 | - v, _TIFFFieldWithTag(tif, tag)->field_name); | ||
22 | + v, fip ? fip->field_name : "Unknown"); | ||
23 | } else | ||
24 | td->td_orientation = (uint16) v; | ||
25 | break; | ||
26 | @@ -387,11 +390,15 @@ | ||
27 | * happens, for example, when tiffcp is used to convert between | ||
28 | * compression schemes and codec-specific tags are blindly copied. | ||
29 | */ | ||
30 | + /* | ||
31 | + * better not dereference fip if it is NULL. | ||
32 | + * -- taviso@google.com 15 Jun 2006 | ||
33 | + */ | ||
34 | if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { | ||
35 | TIFFErrorExt(tif->tif_clientdata, module, | ||
36 | "%s: Invalid %stag \"%s\" (not supported by codec)", | ||
37 | tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", | ||
38 | - _TIFFFieldWithTag(tif, tag)->field_name); | ||
39 | + fip ? fip->field_name : "Unknown"); | ||
40 | status = 0; | ||
41 | break; | ||
42 | } | ||
43 | @@ -468,7 +475,7 @@ | ||
44 | if (fip->field_type == TIFF_ASCII) | ||
45 | _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); | ||
46 | else { | ||
47 | - tv->value = _TIFFmalloc(tv_size * tv->count); | ||
48 | + tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); | ||
49 | if (!tv->value) { | ||
50 | status = 0; | ||
51 | goto end; | ||
52 | @@ -563,7 +570,7 @@ | ||
53 | } | ||
54 | } | ||
55 | if (status) { | ||
56 | - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); | ||
57 | + TIFFSetFieldBit(tif, fip->field_bit); | ||
58 | tif->tif_flags |= TIFF_DIRTYDIRECT; | ||
59 | } | ||
60 | |||
61 | @@ -572,12 +579,12 @@ | ||
62 | return (status); | ||
63 | badvalue: | ||
64 | TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", | ||
65 | - tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); | ||
66 | + tif->tif_name, v, fip ? fip->field_name : "Unknown"); | ||
67 | va_end(ap); | ||
68 | return (0); | ||
69 | badvalue32: | ||
70 | TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", | ||
71 | - tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); | ||
72 | + tif->tif_name, v32, fip ? fip->field_name : "Unknown"); | ||
73 | va_end(ap); | ||
74 | return (0); | ||
75 | } | ||
76 | @@ -813,12 +820,16 @@ | ||
77 | * If the client tries to get a tag that is not valid | ||
78 | * for the image's codec then we'll arrive here. | ||
79 | */ | ||
80 | + /* | ||
81 | + * dont dereference fip if it's NULL. | ||
82 | + * -- taviso@google.com 15 Jun 2006 | ||
83 | + */ | ||
84 | if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) | ||
85 | { | ||
86 | TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", | ||
87 | "%s: Invalid %stag \"%s\" (not supported by codec)", | ||
88 | tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", | ||
89 | - _TIFFFieldWithTag(tif, tag)->field_name); | ||
90 | + fip ? fip->field_name : "Unknown"); | ||
91 | ret_val = 0; | ||
92 | break; | ||
93 | } | ||
94 | diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c | ||
95 | --- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 | ||
96 | +++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 | ||
97 | @@ -775,7 +775,8 @@ | ||
98 | TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", | ||
99 | "Internal error, unknown tag 0x%x", | ||
100 | (unsigned int) tag); | ||
101 | - assert(fip != NULL); | ||
102 | + /* assert(fip != NULL); */ | ||
103 | + | ||
104 | /*NOTREACHED*/ | ||
105 | } | ||
106 | return (fip); | ||
107 | @@ -789,7 +790,8 @@ | ||
108 | if (!fip) { | ||
109 | TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", | ||
110 | "Internal error, unknown tag %s", field_name); | ||
111 | - assert(fip != NULL); | ||
112 | + /* assert(fip != NULL); */ | ||
113 | + | ||
114 | /*NOTREACHED*/ | ||
115 | } | ||
116 | return (fip); | ||
117 | diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c | ||
118 | --- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 | ||
119 | +++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 | ||
120 | @@ -29,6 +29,9 @@ | ||
121 | * | ||
122 | * Directory Read Support Routines. | ||
123 | */ | ||
124 | + | ||
125 | +#include <limits.h> | ||
126 | + | ||
127 | #include "tiffiop.h" | ||
128 | |||
129 | #define IGNORE 0 /* tag placeholder used below */ | ||
130 | @@ -81,6 +84,7 @@ | ||
131 | uint16 dircount; | ||
132 | toff_t nextdiroff; | ||
133 | int diroutoforderwarning = 0; | ||
134 | + int compressionknown = 0; | ||
135 | toff_t* new_dirlist; | ||
136 | |||
137 | tif->tif_diroff = tif->tif_nextdiroff; | ||
138 | @@ -147,13 +151,20 @@ | ||
139 | } else { | ||
140 | toff_t off = tif->tif_diroff; | ||
141 | |||
142 | - if (off + sizeof (uint16) > tif->tif_size) { | ||
143 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
144 | - "%s: Can not read TIFF directory count", | ||
145 | - tif->tif_name); | ||
146 | - return (0); | ||
147 | + /* | ||
148 | + * Check for integer overflow when validating the dir_off, otherwise | ||
149 | + * a very high offset may cause an OOB read and crash the client. | ||
150 | + * -- taviso@google.com, 14 Jun 2006. | ||
151 | + */ | ||
152 | + if (off + sizeof (uint16) > tif->tif_size || | ||
153 | + off > (UINT_MAX - sizeof(uint16))) { | ||
154 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
155 | + "%s: Can not read TIFF directory count", | ||
156 | + tif->tif_name); | ||
157 | + return (0); | ||
158 | } else | ||
159 | - _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); | ||
160 | + _TIFFmemcpy(&dircount, tif->tif_base + off, | ||
161 | + sizeof (uint16)); | ||
162 | off += sizeof (uint16); | ||
163 | if (tif->tif_flags & TIFF_SWAB) | ||
164 | TIFFSwabShort(&dircount); | ||
165 | @@ -254,6 +265,7 @@ | ||
166 | while (fix < tif->tif_nfields && | ||
167 | tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) | ||
168 | fix++; | ||
169 | + | ||
170 | if (fix >= tif->tif_nfields || | ||
171 | tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { | ||
172 | |||
173 | @@ -264,17 +276,23 @@ | ||
174 | dp->tdir_tag, | ||
175 | dp->tdir_tag, | ||
176 | dp->tdir_type); | ||
177 | - | ||
178 | - TIFFMergeFieldInfo(tif, | ||
179 | - _TIFFCreateAnonFieldInfo(tif, | ||
180 | - dp->tdir_tag, | ||
181 | - (TIFFDataType) dp->tdir_type), | ||
182 | - 1 ); | ||
183 | + /* | ||
184 | + * creating anonymous fields prior to knowing the compression | ||
185 | + * algorithm (ie, when the field info has been merged) could cause | ||
186 | + * crashes with pathological directories. | ||
187 | + * -- taviso@google.com 15 Jun 2006 | ||
188 | + */ | ||
189 | + if (compressionknown) | ||
190 | + TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, | ||
191 | + (TIFFDataType) dp->tdir_type), 1 ); | ||
192 | + else goto ignore; | ||
193 | + | ||
194 | fix = 0; | ||
195 | while (fix < tif->tif_nfields && | ||
196 | tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) | ||
197 | fix++; | ||
198 | } | ||
199 | + | ||
200 | /* | ||
201 | * Null out old tags that we ignore. | ||
202 | */ | ||
203 | @@ -326,6 +344,7 @@ | ||
204 | dp->tdir_type, dp->tdir_offset); | ||
205 | if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) | ||
206 | goto bad; | ||
207 | + else compressionknown++; | ||
208 | break; | ||
209 | /* XXX: workaround for broken TIFFs */ | ||
210 | } else if (dp->tdir_type == TIFF_LONG) { | ||
211 | @@ -540,6 +559,7 @@ | ||
212 | * Attempt to deal with a missing StripByteCounts tag. | ||
213 | */ | ||
214 | if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { | ||
215 | + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); | ||
216 | /* | ||
217 | * Some manufacturers violate the spec by not giving | ||
218 | * the size of the strips. In this case, assume there | ||
219 | @@ -556,7 +576,7 @@ | ||
220 | "%s: TIFF directory is missing required " | ||
221 | "\"%s\" field, calculating from imagelength", | ||
222 | tif->tif_name, | ||
223 | - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); | ||
224 | + fip ? fip->field_name : "Unknown"); | ||
225 | if (EstimateStripByteCounts(tif, dir, dircount) < 0) | ||
226 | goto bad; | ||
227 | /* | ||
228 | @@ -580,6 +600,7 @@ | ||
229 | } else if (td->td_nstrips == 1 | ||
230 | && td->td_stripoffset[0] != 0 | ||
231 | && BYTECOUNTLOOKSBAD) { | ||
232 | + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); | ||
233 | /* | ||
234 | * XXX: Plexus (and others) sometimes give a value of zero for | ||
235 | * a tag when they don't know what the correct value is! Try | ||
236 | @@ -589,13 +610,14 @@ | ||
237 | TIFFWarningExt(tif->tif_clientdata, module, | ||
238 | "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", | ||
239 | tif->tif_name, | ||
240 | - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); | ||
241 | + fip ? fip->field_name : "Unknown"); | ||
242 | if(EstimateStripByteCounts(tif, dir, dircount) < 0) | ||
243 | goto bad; | ||
244 | } else if (td->td_planarconfig == PLANARCONFIG_CONTIG | ||
245 | && td->td_nstrips > 2 | ||
246 | && td->td_compression == COMPRESSION_NONE | ||
247 | && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { | ||
248 | + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); | ||
249 | /* | ||
250 | * XXX: Some vendors fill StripByteCount array with absolutely | ||
251 | * wrong values (it can be equal to StripOffset array, for | ||
252 | @@ -604,7 +626,7 @@ | ||
253 | TIFFWarningExt(tif->tif_clientdata, module, | ||
254 | "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", | ||
255 | tif->tif_name, | ||
256 | - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); | ||
257 | + fip ? fip->field_name : "Unknown"); | ||
258 | if (EstimateStripByteCounts(tif, dir, dircount) < 0) | ||
259 | goto bad; | ||
260 | } | ||
261 | @@ -870,7 +892,13 @@ | ||
262 | |||
263 | register TIFFDirEntry *dp; | ||
264 | register TIFFDirectory *td = &tif->tif_dir; | ||
265 | - uint16 i; | ||
266 | + | ||
267 | + /* i is used to iterate over td->td_nstrips, so must be | ||
268 | + * at least the same width. | ||
269 | + * -- taviso@google.com 15 Jun 2006 | ||
270 | + */ | ||
271 | + | ||
272 | + uint32 i; | ||
273 | |||
274 | if (td->td_stripbytecount) | ||
275 | _TIFFfree(td->td_stripbytecount); | ||
276 | @@ -947,16 +975,18 @@ | ||
277 | static int | ||
278 | CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) | ||
279 | { | ||
280 | + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); | ||
281 | + | ||
282 | if (count > dir->tdir_count) { | ||
283 | TIFFWarningExt(tif->tif_clientdata, tif->tif_name, | ||
284 | "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", | ||
285 | - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, | ||
286 | + fip ? fip->field_name : "Unknown", | ||
287 | dir->tdir_count, count); | ||
288 | return (0); | ||
289 | } else if (count < dir->tdir_count) { | ||
290 | TIFFWarningExt(tif->tif_clientdata, tif->tif_name, | ||
291 | "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", | ||
292 | - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, | ||
293 | + fip ? fip->field_name : "Unknown", | ||
294 | dir->tdir_count, count); | ||
295 | return (1); | ||
296 | } | ||
297 | @@ -970,6 +1000,7 @@ | ||
298 | TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) | ||
299 | { | ||
300 | int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); | ||
301 | + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); | ||
302 | tsize_t cc = dir->tdir_count * w; | ||
303 | |||
304 | /* Check for overflow. */ | ||
305 | @@ -1013,7 +1044,7 @@ | ||
306 | bad: | ||
307 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
308 | "Error fetching data for field \"%s\"", | ||
309 | - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); | ||
310 | + fip ? fip->field_name : "Unknown"); | ||
311 | return (tsize_t) 0; | ||
312 | } | ||
313 | |||
314 | @@ -1039,10 +1070,12 @@ | ||
315 | static int | ||
316 | cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) | ||
317 | { | ||
318 | + const TIFFFieldInfo* fip; | ||
319 | if (denom == 0) { | ||
320 | + fip = _TIFFFieldWithTag(tif, dir->tdir_tag); | ||
321 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
322 | "%s: Rational with zero denominator (num = %lu)", | ||
323 | - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); | ||
324 | + fip ? fip->field_name : "Unknown", num); | ||
325 | return (0); | ||
326 | } else { | ||
327 | if (dir->tdir_type == TIFF_RATIONAL) | ||
328 | @@ -1159,6 +1192,20 @@ | ||
329 | static int | ||
330 | TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) | ||
331 | { | ||
332 | + /* | ||
333 | + * Prevent overflowing the v stack arrays below by performing a sanity | ||
334 | + * check on tdir_count, this should never be greater than two. | ||
335 | + * -- taviso@google.com 14 Jun 2006. | ||
336 | + */ | ||
337 | + if (dir->tdir_count > 2) { | ||
338 | + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); | ||
339 | + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, | ||
340 | + "unexpected count for field \"%s\", %lu, expected 2; ignored.", | ||
341 | + fip ? fip->field_name : "Unknown", | ||
342 | + dir->tdir_count); | ||
343 | + return 0; | ||
344 | + } | ||
345 | + | ||
346 | switch (dir->tdir_type) { | ||
347 | case TIFF_BYTE: | ||
348 | case TIFF_SBYTE: | ||
349 | @@ -1329,14 +1376,15 @@ | ||
350 | case TIFF_DOUBLE: | ||
351 | return (TIFFFetchDoubleArray(tif, dir, (double*) v)); | ||
352 | default: | ||
353 | + { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); | ||
354 | /* TIFF_NOTYPE */ | ||
355 | /* TIFF_ASCII */ | ||
356 | /* TIFF_UNDEFINED */ | ||
357 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
358 | "cannot read TIFF_ANY type %d for field \"%s\"", | ||
359 | dir->tdir_type, | ||
360 | - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); | ||
361 | - return (0); | ||
362 | + fip ? fip->field_name : "Unknown"); | ||
363 | + return (0); } | ||
364 | } | ||
365 | return (1); | ||
366 | } | ||
367 | @@ -1351,6 +1399,9 @@ | ||
368 | int ok = 0; | ||
369 | const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); | ||
370 | |||
371 | + if (fip == NULL) { | ||
372 | + return (0); | ||
373 | + } | ||
374 | if (dp->tdir_count > 1) { /* array of values */ | ||
375 | char* cp = NULL; | ||
376 | |||
377 | @@ -1493,6 +1544,7 @@ | ||
378 | TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) | ||
379 | { | ||
380 | uint16 samples = tif->tif_dir.td_samplesperpixel; | ||
381 | + const TIFFFieldInfo* fip; | ||
382 | int status = 0; | ||
383 | |||
384 | if (CheckDirCount(tif, dir, (uint32) samples)) { | ||
385 | @@ -1510,9 +1562,10 @@ | ||
386 | |||
387 | for (i = 1; i < check_count; i++) | ||
388 | if (v[i] != v[0]) { | ||
389 | + fip = _TIFFFieldWithTag(tif, dir->tdir_tag); | ||
390 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
391 | "Cannot handle different per-sample values for field \"%s\"", | ||
392 | - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); | ||
393 | + fip ? fip->field_name : "Unknown"); | ||
394 | goto bad; | ||
395 | } | ||
396 | *pl = v[0]; | ||
397 | @@ -1534,6 +1587,7 @@ | ||
398 | TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) | ||
399 | { | ||
400 | uint16 samples = tif->tif_dir.td_samplesperpixel; | ||
401 | + const TIFFFieldInfo* fip; | ||
402 | int status = 0; | ||
403 | |||
404 | if (CheckDirCount(tif, dir, (uint32) samples)) { | ||
405 | @@ -1551,9 +1605,10 @@ | ||
406 | check_count = samples; | ||
407 | for (i = 1; i < check_count; i++) | ||
408 | if (v[i] != v[0]) { | ||
409 | + fip = _TIFFFieldWithTag(tif, dir->tdir_tag); | ||
410 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
411 | "Cannot handle different per-sample values for field \"%s\"", | ||
412 | - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); | ||
413 | + fip ? fip->field_name : "Unknown"); | ||
414 | goto bad; | ||
415 | } | ||
416 | *pl = v[0]; | ||
417 | @@ -1574,6 +1629,7 @@ | ||
418 | TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) | ||
419 | { | ||
420 | uint16 samples = tif->tif_dir.td_samplesperpixel; | ||
421 | + const TIFFFieldInfo* fip; | ||
422 | int status = 0; | ||
423 | |||
424 | if (CheckDirCount(tif, dir, (uint32) samples)) { | ||
425 | @@ -1591,9 +1647,10 @@ | ||
426 | |||
427 | for (i = 1; i < check_count; i++) | ||
428 | if (v[i] != v[0]) { | ||
429 | + fip = _TIFFFieldWithTag(tif, dir->tdir_tag); | ||
430 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
431 | "Cannot handle different per-sample values for field \"%s\"", | ||
432 | - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); | ||
433 | + fip ? fip->field_name : "Unknown"); | ||
434 | goto bad; | ||
435 | } | ||
436 | *pl = v[0]; | ||
437 | diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c | ||
438 | --- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 | ||
439 | +++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 | ||
440 | @@ -1136,6 +1136,7 @@ | ||
441 | Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) | ||
442 | { | ||
443 | Fax3BaseState* sp = Fax3State(tif); | ||
444 | + const TIFFFieldInfo* fip; | ||
445 | |||
446 | assert(sp != 0); | ||
447 | assert(sp->vsetparent != 0); | ||
448 | @@ -1181,7 +1182,13 @@ | ||
449 | default: | ||
450 | return (*sp->vsetparent)(tif, tag, ap); | ||
451 | } | ||
452 | - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); | ||
453 | + | ||
454 | + if ((fip = _TIFFFieldWithTag(tif, tag))) { | ||
455 | + TIFFSetFieldBit(tif, fip->field_bit); | ||
456 | + } else { | ||
457 | + return (0); | ||
458 | + } | ||
459 | + | ||
460 | tif->tif_flags |= TIFF_DIRTYDIRECT; | ||
461 | return (1); | ||
462 | } | ||
463 | diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c | ||
464 | --- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 | ||
465 | +++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 | ||
466 | @@ -722,15 +722,31 @@ | ||
467 | segment_width = TIFFhowmany(segment_width, sp->h_sampling); | ||
468 | segment_height = TIFFhowmany(segment_height, sp->v_sampling); | ||
469 | } | ||
470 | - if (sp->cinfo.d.image_width != segment_width || | ||
471 | - sp->cinfo.d.image_height != segment_height) { | ||
472 | + if (sp->cinfo.d.image_width < segment_width || | ||
473 | + sp->cinfo.d.image_height < segment_height) { | ||
474 | TIFFWarningExt(tif->tif_clientdata, module, | ||
475 | "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", | ||
476 | segment_width, | ||
477 | segment_height, | ||
478 | sp->cinfo.d.image_width, | ||
479 | sp->cinfo.d.image_height); | ||
480 | + } | ||
481 | + | ||
482 | + if (sp->cinfo.d.image_width > segment_width || | ||
483 | + sp->cinfo.d.image_height > segment_height) { | ||
484 | + /* | ||
485 | + * This case could be dangerous, if the strip or tile size has been | ||
486 | + * reported as less than the amount of data jpeg will return, some | ||
487 | + * potential security issues arise. Catch this case and error out. | ||
488 | + * -- taviso@google.com 14 Jun 2006 | ||
489 | + */ | ||
490 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
491 | + "JPEG strip/tile size exceeds expected dimensions," | ||
492 | + "expected %dx%d, got %dx%d", segment_width, segment_height, | ||
493 | + sp->cinfo.d.image_width, sp->cinfo.d.image_height); | ||
494 | + return (0); | ||
495 | } | ||
496 | + | ||
497 | if (sp->cinfo.d.num_components != | ||
498 | (td->td_planarconfig == PLANARCONFIG_CONTIG ? | ||
499 | td->td_samplesperpixel : 1)) { | ||
500 | @@ -761,6 +777,22 @@ | ||
501 | sp->cinfo.d.comp_info[0].v_samp_factor, | ||
502 | sp->h_sampling, sp->v_sampling); | ||
503 | |||
504 | + /* | ||
505 | + * There are potential security issues here for decoders that | ||
506 | + * have already allocated buffers based on the expected sampling | ||
507 | + * factors. Lets check the sampling factors dont exceed what | ||
508 | + * we were expecting. | ||
509 | + * -- taviso@google.com 14 June 2006 | ||
510 | + */ | ||
511 | + if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || | ||
512 | + sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { | ||
513 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
514 | + "Cannot honour JPEG sampling factors that" | ||
515 | + " exceed those specified."); | ||
516 | + return (0); | ||
517 | + } | ||
518 | + | ||
519 | + | ||
520 | /* | ||
521 | * XXX: Files written by the Intergraph software | ||
522 | * has different sampling factors stored in the | ||
523 | @@ -1521,15 +1553,18 @@ | ||
524 | { | ||
525 | JPEGState *sp = JState(tif); | ||
526 | |||
527 | - assert(sp != 0); | ||
528 | + /* assert(sp != 0); */ | ||
529 | |||
530 | tif->tif_tagmethods.vgetfield = sp->vgetparent; | ||
531 | tif->tif_tagmethods.vsetfield = sp->vsetparent; | ||
532 | |||
533 | - if( sp->cinfo_initialized ) | ||
534 | - TIFFjpeg_destroy(sp); /* release libjpeg resources */ | ||
535 | - if (sp->jpegtables) /* tag value */ | ||
536 | - _TIFFfree(sp->jpegtables); | ||
537 | + if (sp != NULL) { | ||
538 | + if( sp->cinfo_initialized ) | ||
539 | + TIFFjpeg_destroy(sp); /* release libjpeg resources */ | ||
540 | + if (sp->jpegtables) /* tag value */ | ||
541 | + _TIFFfree(sp->jpegtables); | ||
542 | + } | ||
543 | + | ||
544 | _TIFFfree(tif->tif_data); /* release local state */ | ||
545 | tif->tif_data = NULL; | ||
546 | |||
547 | @@ -1541,6 +1576,7 @@ | ||
548 | { | ||
549 | JPEGState* sp = JState(tif); | ||
550 | TIFFDirectory* td = &tif->tif_dir; | ||
551 | + const TIFFFieldInfo* fip; | ||
552 | uint32 v32; | ||
553 | |||
554 | assert(sp != NULL); | ||
555 | @@ -1606,7 +1642,13 @@ | ||
556 | default: | ||
557 | return (*sp->vsetparent)(tif, tag, ap); | ||
558 | } | ||
559 | - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); | ||
560 | + | ||
561 | + if ((fip = _TIFFFieldWithTag(tif, tag))) { | ||
562 | + TIFFSetFieldBit(tif, fip->field_bit); | ||
563 | + } else { | ||
564 | + return (0); | ||
565 | + } | ||
566 | + | ||
567 | tif->tif_flags |= TIFF_DIRTYDIRECT; | ||
568 | return (1); | ||
569 | } | ||
570 | @@ -1726,7 +1768,11 @@ | ||
571 | { | ||
572 | JPEGState* sp = JState(tif); | ||
573 | |||
574 | - assert(sp != NULL); | ||
575 | + /* assert(sp != NULL); */ | ||
576 | + if (sp == NULL) { | ||
577 | + TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); | ||
578 | + return; | ||
579 | + } | ||
580 | |||
581 | (void) flags; | ||
582 | if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) | ||
583 | diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c | ||
584 | --- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 | ||
585 | +++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 | ||
586 | @@ -105,11 +105,16 @@ | ||
587 | * as codes of the form <color><npixels> | ||
588 | * until we've filled the scanline. | ||
589 | */ | ||
590 | + /* | ||
591 | + * Ensure the run does not exceed the scanline | ||
592 | + * bounds, potentially resulting in a security issue. | ||
593 | + * -- taviso@google.com 14 Jun 2006. | ||
594 | + */ | ||
595 | op = row; | ||
596 | for (;;) { | ||
597 | grey = (n>>6) & 0x3; | ||
598 | n &= 0x3f; | ||
599 | - while (n-- > 0) | ||
600 | + while (n-- > 0 && npixels < imagewidth) | ||
601 | SETPIXEL(op, grey); | ||
602 | if (npixels >= (int) imagewidth) | ||
603 | break; | ||
604 | diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c | ||
605 | --- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 | ||
606 | +++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 | ||
607 | @@ -768,7 +768,19 @@ | ||
608 | if (tif->tif_flags & TIFF_SWAB) | ||
609 | TIFFSwabArrayOfShort(up, nsamples); | ||
610 | |||
611 | - for (i = 0; i < nsamples; i += llen, up += llen) { | ||
612 | + /* | ||
613 | + * if llen is not an exact multiple of nsamples, the decode operation | ||
614 | + * may overflow the output buffer, so truncate it enough to prevent that | ||
615 | + * but still salvage as much data as possible. | ||
616 | + * -- taviso@google.com 14th June 2006 | ||
617 | + */ | ||
618 | + if (nsamples % llen) | ||
619 | + TIFFWarningExt(tif->tif_clientdata, module, | ||
620 | + "%s: stride %lu is not a multiple of sample count, " | ||
621 | + "%lu, data truncated.", tif->tif_name, llen, nsamples); | ||
622 | + | ||
623 | + | ||
624 | + for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { | ||
625 | switch (sp->user_datafmt) { | ||
626 | case PIXARLOGDATAFMT_FLOAT: | ||
627 | horizontalAccumulateF(up, llen, sp->stride, | ||
628 | diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c | ||
629 | --- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 | ||
630 | +++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 | ||
631 | @@ -31,6 +31,8 @@ | ||
632 | #include "tiffiop.h" | ||
633 | #include <stdio.h> | ||
634 | |||
635 | +#include <limits.h> | ||
636 | + | ||
637 | int TIFFFillStrip(TIFF*, tstrip_t); | ||
638 | int TIFFFillTile(TIFF*, ttile_t); | ||
639 | static int TIFFStartStrip(TIFF*, tstrip_t); | ||
640 | @@ -272,7 +274,13 @@ | ||
641 | if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) | ||
642 | _TIFFfree(tif->tif_rawdata); | ||
643 | tif->tif_flags &= ~TIFF_MYBUFFER; | ||
644 | - if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { | ||
645 | + /* | ||
646 | + * This sanity check could potentially overflow, causing an OOB read. | ||
647 | + * verify that offset + bytecount is > offset. | ||
648 | + * -- taviso@google.com 14 Jun 2006 | ||
649 | + */ | ||
650 | + if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || | ||
651 | + bytecount > (UINT_MAX - td->td_stripoffset[strip])) { | ||
652 | /* | ||
653 | * This error message might seem strange, but it's | ||
654 | * what would happen if a read were done instead. | ||
655 | @@ -470,7 +478,13 @@ | ||
656 | if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) | ||
657 | _TIFFfree(tif->tif_rawdata); | ||
658 | tif->tif_flags &= ~TIFF_MYBUFFER; | ||
659 | - if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { | ||
660 | + /* | ||
661 | + * We must check this calculation doesnt overflow, potentially | ||
662 | + * causing an OOB read. | ||
663 | + * -- taviso@google.com 15 Jun 2006 | ||
664 | + */ | ||
665 | + if (td->td_stripoffset[tile] + bytecount > tif->tif_size || | ||
666 | + bytecount > (UINT_MAX - td->td_stripoffset[tile])) { | ||
667 | tif->tif_curtile = NOTILE; | ||
668 | return (0); | ||
669 | } | ||
diff --git a/main/tiff/libtiff-CVE-2009-2285.patch b/main/tiff/libtiff-CVE-2009-2285.patch deleted file mode 100644 index 435a84b535..0000000000 --- a/main/tiff/libtiff-CVE-2009-2285.patch +++ /dev/null | |||
@@ -1,22 +0,0 @@ | |||
1 | Index: tiff-3.8.2/libtiff/tif_lzw.c | ||
2 | =================================================================== | ||
3 | --- tiff-3.8.2.orig/libtiff/tif_lzw.c | ||
4 | +++ tiff-3.8.2/libtiff/tif_lzw.c | ||
5 | @@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize | ||
6 | NextCode(tif, sp, bp, code, GetNextCode); | ||
7 | if (code == CODE_EOI) | ||
8 | break; | ||
9 | - if (code == CODE_CLEAR) { | ||
10 | + if (code >= CODE_CLEAR) { | ||
11 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
12 | "LZWDecode: Corrupted LZW table at scanline %d", | ||
13 | tif->tif_row); | ||
14 | @@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, | ||
15 | NextCode(tif, sp, bp, code, GetNextCodeCompat); | ||
16 | if (code == CODE_EOI) | ||
17 | break; | ||
18 | - if (code == CODE_CLEAR) { | ||
19 | + if (code >= CODE_CLEAR) { | ||
20 | TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
21 | "LZWDecode: Corrupted LZW table at scanline %d", | ||
22 | tif->tif_row); | ||
diff --git a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch deleted file mode 100644 index e6d74a67ab..0000000000 --- a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch +++ /dev/null | |||
@@ -1,64 +0,0 @@ | |||
1 | Fixes security issues in libTIFF's handling of LZW-encoded | ||
2 | images. The use of uninitialized data could lead to a buffer | ||
3 | underflow and a crash or arbitrary code execution. | ||
4 | |||
5 | CVE-ID: CVE-2008-2327 | ||
6 | Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080 | ||
7 | |||
8 | Index: tiff-3.8.2/libtiff/tif_lzw.c | ||
9 | =================================================================== | ||
10 | --- tiff-3.8.2.orig/libtiff/tif_lzw.c | ||
11 | +++ tiff-3.8.2/libtiff/tif_lzw.c | ||
12 | @@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif) | ||
13 | sp->dec_codetab[code].length = 1; | ||
14 | sp->dec_codetab[code].next = NULL; | ||
15 | } while (code--); | ||
16 | + /* | ||
17 | + * Zero-out the unused entries | ||
18 | + */ | ||
19 | + _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, | ||
20 | + (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); | ||
21 | + | ||
22 | } | ||
23 | return (1); | ||
24 | } | ||
25 | @@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize | ||
26 | break; | ||
27 | if (code == CODE_CLEAR) { | ||
28 | free_entp = sp->dec_codetab + CODE_FIRST; | ||
29 | + _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); | ||
30 | nbits = BITS_MIN; | ||
31 | nbitsmask = MAXCODE(BITS_MIN); | ||
32 | maxcodep = sp->dec_codetab + nbitsmask-1; | ||
33 | NextCode(tif, sp, bp, code, GetNextCode); | ||
34 | if (code == CODE_EOI) | ||
35 | break; | ||
36 | + if (code == CODE_CLEAR) { | ||
37 | + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
38 | + "LZWDecode: Corrupted LZW table at scanline %d", | ||
39 | + tif->tif_row); | ||
40 | + return (0); | ||
41 | + } | ||
42 | *op++ = (char)code, occ--; | ||
43 | oldcodep = sp->dec_codetab + code; | ||
44 | continue; | ||
45 | @@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, | ||
46 | break; | ||
47 | if (code == CODE_CLEAR) { | ||
48 | free_entp = sp->dec_codetab + CODE_FIRST; | ||
49 | + _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); | ||
50 | nbits = BITS_MIN; | ||
51 | nbitsmask = MAXCODE(BITS_MIN); | ||
52 | maxcodep = sp->dec_codetab + nbitsmask; | ||
53 | NextCode(tif, sp, bp, code, GetNextCodeCompat); | ||
54 | if (code == CODE_EOI) | ||
55 | break; | ||
56 | + if (code == CODE_CLEAR) { | ||
57 | + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, | ||
58 | + "LZWDecode: Corrupted LZW table at scanline %d", | ||
59 | + tif->tif_row); | ||
60 | + return (0); | ||
61 | + } | ||
62 | *op++ = code, occ--; | ||
63 | oldcodep = sp->dec_codetab + code; | ||
64 | continue; | ||
diff --git a/main/tiff/tiff-3.8.2-CVE-2009-2347.patch b/main/tiff/tiff-3.8.2-CVE-2009-2347.patch deleted file mode 100644 index 039d7336a2..0000000000 --- a/main/tiff/tiff-3.8.2-CVE-2009-2347.patch +++ /dev/null | |||
@@ -1,170 +0,0 @@ | |||
1 | Fix several places in tiff2rgba and rgb2ycbcr that were being careless about | ||
2 | possible integer overflow in calculation of buffer sizes. | ||
3 | |||
4 | CVE-2009-2347 | ||
5 | |||
6 | |||
7 | diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c | ||
8 | --- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400 | ||
9 | +++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400 | ||
10 | @@ -202,6 +202,17 @@ | ||
11 | #undef LumaBlue | ||
12 | #undef V2Code | ||
13 | |||
14 | +static tsize_t | ||
15 | +multiply(tsize_t m1, tsize_t m2) | ||
16 | +{ | ||
17 | + tsize_t prod = m1 * m2; | ||
18 | + | ||
19 | + if (m1 && prod / m1 != m2) | ||
20 | + prod = 0; /* overflow */ | ||
21 | + | ||
22 | + return prod; | ||
23 | +} | ||
24 | + | ||
25 | /* | ||
26 | * Convert a strip of RGB data to YCbCr and | ||
27 | * sample to generate the output data. | ||
28 | @@ -278,10 +289,19 @@ | ||
29 | float floatv; | ||
30 | char *stringv; | ||
31 | uint32 longv; | ||
32 | + tsize_t raster_size; | ||
33 | |||
34 | TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); | ||
35 | TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); | ||
36 | - raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); | ||
37 | + | ||
38 | + raster_size = multiply(multiply(width, height), sizeof (uint32)); | ||
39 | + if (!raster_size) { | ||
40 | + TIFFError(TIFFFileName(in), | ||
41 | + "Can't allocate buffer for raster of size %lux%lu", | ||
42 | + (unsigned long) width, (unsigned long) height); | ||
43 | + return (0); | ||
44 | + } | ||
45 | + raster = (uint32*)_TIFFmalloc(raster_size); | ||
46 | if (raster == 0) { | ||
47 | TIFFError(TIFFFileName(in), "No space for raster buffer"); | ||
48 | return (0); | ||
49 | diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c | ||
50 | --- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500 | ||
51 | +++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400 | ||
52 | @@ -124,6 +124,17 @@ | ||
53 | return (0); | ||
54 | } | ||
55 | |||
56 | +static tsize_t | ||
57 | +multiply(tsize_t m1, tsize_t m2) | ||
58 | +{ | ||
59 | + tsize_t prod = m1 * m2; | ||
60 | + | ||
61 | + if (m1 && prod / m1 != m2) | ||
62 | + prod = 0; /* overflow */ | ||
63 | + | ||
64 | + return prod; | ||
65 | +} | ||
66 | + | ||
67 | static int | ||
68 | cvt_by_tile( TIFF *in, TIFF *out ) | ||
69 | |||
70 | @@ -133,6 +144,7 @@ | ||
71 | uint32 tile_width, tile_height; | ||
72 | uint32 row, col; | ||
73 | uint32 *wrk_line; | ||
74 | + tsize_t raster_size; | ||
75 | int ok = 1; | ||
76 | |||
77 | TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); | ||
78 | @@ -150,7 +162,14 @@ | ||
79 | /* | ||
80 | * Allocate tile buffer | ||
81 | */ | ||
82 | - raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); | ||
83 | + raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); | ||
84 | + if (!raster_size) { | ||
85 | + TIFFError(TIFFFileName(in), | ||
86 | + "Can't allocate buffer for raster of size %lux%lu", | ||
87 | + (unsigned long) tile_width, (unsigned long) tile_height); | ||
88 | + return (0); | ||
89 | + } | ||
90 | + raster = (uint32*)_TIFFmalloc(raster_size); | ||
91 | if (raster == 0) { | ||
92 | TIFFError(TIFFFileName(in), "No space for raster buffer"); | ||
93 | return (0); | ||
94 | @@ -158,7 +177,7 @@ | ||
95 | |||
96 | /* | ||
97 | * Allocate a scanline buffer for swapping during the vertical | ||
98 | - * mirroring pass. | ||
99 | + * mirroring pass. (Request can't overflow given prior checks.) | ||
100 | */ | ||
101 | wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); | ||
102 | if (!wrk_line) { | ||
103 | @@ -226,6 +245,7 @@ | ||
104 | uint32 width, height; /* image width & height */ | ||
105 | uint32 row; | ||
106 | uint32 *wrk_line; | ||
107 | + tsize_t raster_size; | ||
108 | int ok = 1; | ||
109 | |||
110 | TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); | ||
111 | @@ -241,7 +261,14 @@ | ||
112 | /* | ||
113 | * Allocate strip buffer | ||
114 | */ | ||
115 | - raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); | ||
116 | + raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); | ||
117 | + if (!raster_size) { | ||
118 | + TIFFError(TIFFFileName(in), | ||
119 | + "Can't allocate buffer for raster of size %lux%lu", | ||
120 | + (unsigned long) width, (unsigned long) rowsperstrip); | ||
121 | + return (0); | ||
122 | + } | ||
123 | + raster = (uint32*)_TIFFmalloc(raster_size); | ||
124 | if (raster == 0) { | ||
125 | TIFFError(TIFFFileName(in), "No space for raster buffer"); | ||
126 | return (0); | ||
127 | @@ -249,7 +276,7 @@ | ||
128 | |||
129 | /* | ||
130 | * Allocate a scanline buffer for swapping during the vertical | ||
131 | - * mirroring pass. | ||
132 | + * mirroring pass. (Request can't overflow given prior checks.) | ||
133 | */ | ||
134 | wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); | ||
135 | if (!wrk_line) { | ||
136 | @@ -328,14 +355,22 @@ | ||
137 | uint32* raster; /* retrieve RGBA image */ | ||
138 | uint32 width, height; /* image width & height */ | ||
139 | uint32 row; | ||
140 | - | ||
141 | + tsize_t raster_size; | ||
142 | + | ||
143 | TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); | ||
144 | TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); | ||
145 | |||
146 | rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); | ||
147 | TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); | ||
148 | |||
149 | - raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); | ||
150 | + raster_size = multiply(multiply(width, height), sizeof (uint32)); | ||
151 | + if (!raster_size) { | ||
152 | + TIFFError(TIFFFileName(in), | ||
153 | + "Can't allocate buffer for raster of size %lux%lu", | ||
154 | + (unsigned long) width, (unsigned long) height); | ||
155 | + return (0); | ||
156 | + } | ||
157 | + raster = (uint32*)_TIFFmalloc(raster_size); | ||
158 | if (raster == 0) { | ||
159 | TIFFError(TIFFFileName(in), "No space for raster buffer"); | ||
160 | return (0); | ||
161 | @@ -353,7 +388,7 @@ | ||
162 | */ | ||
163 | if( no_alpha ) | ||
164 | { | ||
165 | - int pixel_count = width * height; | ||
166 | + tsize_t pixel_count = (tsize_t) width * (tsize_t) height; | ||
167 | unsigned char *src, *dst; | ||
168 | |||
169 | src = (unsigned char *) raster; | ||
170 | |||
diff --git a/main/tiff/tiff-jpegfix.patch b/main/tiff/tiff-jpegfix.patch deleted file mode 100644 index ca57191dff..0000000000 --- a/main/tiff/tiff-jpegfix.patch +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | diff -Nru tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c | ||
2 | --- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-12-22 12:45:49.969811264 -0800 | ||
3 | +++ tiff-3.9.2/libtiff/tif_jpeg.c 2009-12-22 12:47:04.433491064 -0800 | ||
4 | @@ -2014,7 +2014,14 @@ | ||
5 | if( tif->tif_diroff == 0 ) | ||
6 | { | ||
7 | #define SIZE_OF_JPEGTABLES 2000 | ||
8 | +/* | ||
9 | +The following line assumes incorrectly that all JPEG-in-TIFF files will have | ||
10 | +a JPEGTABLES tag generated and causes null-filled JPEGTABLES tags to be written | ||
11 | +when the JPEG data is placed with TIFFWriteRawStrip. The field bit should be | ||
12 | +set, anyway, later when actual JPEGTABLES header is generated, so removing it | ||
13 | +here hopefully is harmless. | ||
14 | TIFFSetFieldBit(tif, FIELD_JPEGTABLES); | ||
15 | +*/ | ||
16 | sp->jpegtables_length = SIZE_OF_JPEGTABLES; | ||
17 | sp->jpegtables = (void *) _TIFFmalloc(sp->jpegtables_length); | ||
18 | _TIFFmemset(sp->jpegtables, 0, SIZE_OF_JPEGTABLES); | ||
19 | diff -Nru tiff-3.9.2.orig/tools/tiff2pdf.c tiff-3.9.2/tools/tiff2pdf.c | ||
20 | --- tiff-3.9.2.orig/tools/tiff2pdf.c 2009-12-22 12:45:49.873825856 -0800 | ||
21 | +++ tiff-3.9.2/tools/tiff2pdf.c 2009-12-22 12:48:16.558526392 -0800 | ||
22 | @@ -3320,6 +3320,9 @@ | ||
23 | while(i<(*striplength)){ | ||
24 | switch( strip[i] ){ | ||
25 | case 0xd8: | ||
26 | + /* SOI - start of image */ | ||
27 | + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); | ||
28 | + *bufferoffset+=2; | ||
29 | i+=2; | ||
30 | break; | ||
31 | case 0xc0: | ||
diff --git a/main/tiff/tiff2pdf-compression.patch b/main/tiff/tiff2pdf-compression.patch deleted file mode 100644 index 2dae2dcd1c..0000000000 --- a/main/tiff/tiff2pdf-compression.patch +++ /dev/null | |||
@@ -1,44 +0,0 @@ | |||
1 | --- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35 | ||
2 | +++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36 | ||
3 | @@ -937,7 +937,7 @@ | ||
4 | |||
5 | #ifdef JPEG_SUPPORT | ||
6 | if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){ | ||
7 | - if(t2p->pdf_defaultcompressionquality<100 || | ||
8 | + if(t2p->pdf_defaultcompressionquality>100 || | ||
9 | t2p->pdf_defaultcompressionquality<1){ | ||
10 | t2p->pdf_defaultcompressionquality=0; | ||
11 | } | ||
12 | @@ -945,25 +945,17 @@ | ||
13 | #endif | ||
14 | #ifdef ZIP_SUPPORT | ||
15 | if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){ | ||
16 | - switch (t2p->pdf_defaultcompressionquality){ | ||
17 | - case 1: case 10: case 11: case 12: case 13: case 14: case 15: | ||
18 | - case 101: case 110: case 111: case 112: case 113: case 114: case 115: | ||
19 | - case 201: case 210: case 211: case 212: case 213: case 214: case 215: | ||
20 | - case 301: case 310: case 311: case 312: case 313: case 314: case 315: | ||
21 | - case 401: case 410: case 411: case 412: case 413: case 414: case 415: | ||
22 | - case 501: case 510: case 511: case 512: case 513: case 514: case 515: | ||
23 | - case 601: case 610: case 611: case 612: case 613: case 614: case 615: | ||
24 | - case 701: case 710: case 711: case 712: case 713: case 714: case 715: | ||
25 | - case 801: case 810: case 811: case 812: case 813: case 814: case 815: | ||
26 | - case 901: case 910: case 911: case 912: case 913: case 914: case 915: | ||
27 | - break; | ||
28 | - default: | ||
29 | - t2p->pdf_defaultcompressionquality=0; | ||
30 | + uint16 m=t2p->pdf_defaultcompressionquality%100; | ||
31 | + if(t2p->pdf_defaultcompressionquality/100 > 9 || | ||
32 | + (m>1 && m<10) || m>15){ | ||
33 | + t2p->pdf_defaultcompressionquality=0; | ||
34 | } | ||
35 | if(t2p->pdf_defaultcompressionquality%100 !=0){ | ||
36 | + t2p->pdf_defaultcompressionquality/=100; | ||
37 | + t2p->pdf_defaultcompressionquality*=100; | ||
38 | TIFFError( | ||
39 | TIFF2PDF_MODULE, | ||
40 | - "PNG Group predictor differencing not implemented, assuming compresion quality %u", | ||
41 | + "PNG Group predictor differencing not implemented, assuming compression quality %u", | ||
42 | t2p->pdf_defaultcompressionquality); | ||
43 | } | ||
44 | t2p->pdf_defaultcompressionquality%=100; | ||
diff --git a/main/tiff/tiff2pdf-octal-printf.patch b/main/tiff/tiff2pdf-octal-printf.patch deleted file mode 100644 index f35b072378..0000000000 --- a/main/tiff/tiff2pdf-octal-printf.patch +++ /dev/null | |||
@@ -1,11 +0,0 @@ | |||
1 | --- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500 | ||
2 | +++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400 | ||
3 | @@ -3668,7 +3668,7 @@ | ||
4 | written += TIFFWriteFile(output, (tdata_t) "(", 1); | ||
5 | for (i=0;i<len;i++){ | ||
6 | if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){ | ||
7 | - sprintf(buffer, "\\%.3o", pdfstr[i]); | ||
8 | + sprintf(buffer, "\\%.3hho", pdfstr[i]); | ||
9 | written += TIFFWriteFile(output, (tdata_t) buffer, 4); | ||
10 | } else { | ||
11 | switch (pdfstr[i]){ | ||
diff --git a/main/tiff/tiffsplit-fname-overflow.patch b/main/tiff/tiffsplit-fname-overflow.patch deleted file mode 100644 index cc225890ae..0000000000 --- a/main/tiff/tiffsplit-fname-overflow.patch +++ /dev/null | |||
@@ -1,19 +0,0 @@ | |||
1 | --- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500 | ||
2 | +++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400 | ||
3 | @@ -61,14 +61,13 @@ | ||
4 | return (-3); | ||
5 | } | ||
6 | if (argc > 2) | ||
7 | - strcpy(fname, argv[2]); | ||
8 | + snprintf(fname, sizeof(fname), "%s", argv[2]); | ||
9 | in = TIFFOpen(argv[1], "r"); | ||
10 | if (in != NULL) { | ||
11 | do { | ||
12 | char path[1024+1]; | ||
13 | newfilename(); | ||
14 | - strcpy(path, fname); | ||
15 | - strcat(path, ".tif"); | ||
16 | + snprintf(path, sizeof(path), "%s.tif", fname); | ||
17 | out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); | ||
18 | if (out == NULL) | ||
19 | return (-2); | ||