Git-Url:
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=7114af2d3b184ec5ed8a5bfa011b19a8fb9df698
commit 7114af2d3b184ec5ed8a5bfa011b19a8fb9df698
Author: Michel Hermier <herm...@frugalware.org>
Date: Tue Apr 20 13:17:31 2010 +0200
libtiff-3.9.2-1-i686
* Bump version.
diff --git a/source/lib/libtiff/CVE-2006-2193.patch
b/source/lib/libtiff/CVE-2006-2193.patch
deleted file mode 100644
index 7ebd932..0000000
--- a/source/lib/libtiff/CVE-2006-2193.patch
+++ /dev/null
@@ -1,19 +0,0 @@
- * SECURITY UPDATE: Arbitrary command execution with crafted TIF files.
- * Add debian/patches/tiff2pdf-octal-printf.patch:
- - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
- signed char (it printed a signed integer, which overflew the buffer and
- was wrong anyway).
- - CVE-2006-2193
-
-diff -ruN tiff-3.7.4-old/tools/tiff2pdf.c tiff-3.7.4/tools/tiff2pdf.c
---- tiff-3.7.4-old/tools/tiff2pdf.c 2005-06-23 15:30:28.000000000 +0200
-+++ tiff-3.7.4/tools/tiff2pdf.c 2006-06-02 18:15:11.000000000 +0200
-@@ -3758,7 +3758,7 @@
- written += TIFFWriteFile(output, (tdata_t) "(", 1);
- for (i=0;i<len;i++){
- if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
-- sprintf(buffer, "\\%.3o", pdfstr[i]);
-+ sprintf(buffer, "\\%.3hho", pdfstr[i]);
- written += TIFFWriteFile(output, (tdata_t) buffer, 4);
- } else {
- switch (pdfstr[i]){
diff --git a/source/lib/libtiff/FrugalBuild b/source/lib/libtiff/FrugalBuild
index c5b9adf..766259e 100644
--- a/source/lib/libtiff/FrugalBuild
+++ b/source/lib/libtiff/FrugalBuild
@@ -3,22 +3,16 @@
# Maintainer: voroskoi <voros...@frugalware.org>
pkgname=libtiff
-pkgver=3.8.2
-pkgrel=4
+pkgver=3.9.2
+pkgrel=1
pkgdesc="Library for manipulation of TIFF images"
url="http://libtiff.maptools.org";
depends=('libstdc++' 'zlib')
groups=('lib')
archs=('i686' 'x86_64' 'ppc')
up2date="lynx -dump 'http://libtiff.maptools.org/' | grep 'Stable Release' |
cut -d v -f 2"
-source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-$pkgver.tar.gz
CVE-2006-2193.patch \
- libtiff-3.8.2-ormandy.patch tiffsplit-overflow.patch \
- libtiff-3.8.2-CVE-2009-2347.patch)
-sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb' \
- 'f4af800713a048dd4db5ce9a2cb39c87ebf0c9dc' \
- '61c5f52e1182a6ca7b59045ae76609e16ef4b3a0' \
- 'eba26a1340806b89e4305cc0cf9d6485f69a610f' \
- 'b202adf57a61587c809795d731cc3cb5939e646d')
+source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-$pkgver.tar.gz)
+sha1sums=('5c054d31e350e53102221b7760c3700cf70b4327')
build() {
Fcd tiff-"$pkgver"
diff --git a/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch
b/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch
deleted file mode 100644
index d631b6e..0000000
--- a/source/lib/libtiff/libtiff-3.8.2-CVE-2009-2347.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
-possible integer overflow in calculation of buffer sizes.
-
-CVE-2009-2347
-
-
-diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
---- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
-+++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
-@@ -202,6 +202,17 @@
- #undef LumaBlue
- #undef V2Code
-
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t prod = m1 * m2;
-+
-+ if (m1 && prod / m1 != m2)
-+ prod = 0; /* overflow */
-+
-+ return prod;
-+}
-+
- /*
- * Convert a strip of RGB data to YCbCr and
- * sample to generate the output data.
-@@ -278,10 +289,19 @@
- float floatv;
- char *stringv;
- uint32 longv;
-+ tsize_t raster_size;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+
-+ raster_size = multiply(multiply(width, height), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) width, (unsigned long) height);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
---- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
-+++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
-@@ -124,6 +124,17 @@
- return (0);
- }
-
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t prod = m1 * m2;
-+
-+ if (m1 && prod / m1 != m2)
-+ prod = 0; /* overflow */
-+
-+ return prod;
-+}
-+
- static int
- cvt_by_tile( TIFF *in, TIFF *out )
-
-@@ -133,6 +144,7 @@
- uint32 tile_width, tile_height;
- uint32 row, col;
- uint32 *wrk_line;
-+ tsize_t raster_size;
- int ok = 1;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -150,7 +162,14 @@
- /*
- * Allocate tile buffer
- */
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ raster_size = multiply(multiply(tile_width, tile_height), sizeof
(uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) tile_width, (unsigned long) tile_height);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -158,7 +177,7 @@
-
- /*
- * Allocate a scanline buffer for swapping during the vertical
-- * mirroring pass.
-+ * mirroring pass. (Request can't overflow given prior checks.)
- */
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
- if (!wrk_line) {
-@@ -226,6 +245,7 @@
- uint32 width, height; /* image width & height */
- uint32 row;
- uint32 *wrk_line;
-+ tsize_t raster_size;
- int ok = 1;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -241,7 +261,14 @@
- /*
- * Allocate strip buffer
- */
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) width, (unsigned long) rowsperstrip);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -249,7 +276,7 @@
-
- /*
- * Allocate a scanline buffer for swapping during the vertical
-- * mirroring pass.
-+ * mirroring pass. (Request can't overflow given prior checks.)
- */
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
- if (!wrk_line) {
-@@ -328,14 +355,22 @@
- uint32* raster; /* retrieve RGBA image */
- uint32 width, height; /* image width & height */
- uint32 row;
--
-+ tsize_t raster_size;
-+
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-
- rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
- TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
-
-- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+ raster_size = multiply(multiply(width, height), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) width, (unsigned long) height);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -353,7 +388,7 @@
- */
- if( no_alpha )
- {
-- int pixel_count = width * height;
-+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
- unsigned char *src, *dst;
-
- src = (unsigned char *) raster;
diff --git a/source/lib/libtiff/libtiff-3.8.2-ormandy.patch
b/source/lib/libtiff/libtiff-3.8.2-ormandy.patch
deleted file mode 100644
index adaad38..0000000
--- a/source/lib/libtiff/libtiff-3.8.2-ormandy.patch
+++ /dev/null
@@ -1,672 +0,0 @@
-# Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461
-# CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
-
-diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
-@@ -122,6 +122,7 @@
- {
- static const char module[] = "_TIFFVSetField";
-
-+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
- TIFFDirectory* td = &tif->tif_dir;
- int status = 1;
- uint32 v32, i, v;
-@@ -195,10 +196,12 @@
- break;
- case TIFFTAG_ORIENTATION:
- v = va_arg(ap, uint32);
-+ const TIFFFieldInfo* fip;
- if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
-+ fip = _TIFFFieldWithTag(tif, tag);
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "Bad value %lu for \"%s\" tag ignored",
-- v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ v, fip ? fip->field_name : "Unknown");
- } else
- td->td_orientation = (uint16) v;
- break;
-@@ -387,11 +390,15 @@
- * happens, for example, when tiffcp is used to convert between
- * compression schemes and codec-specific tags are blindly copied.
- */
-+ /*
-+ * better not dereference fip if it is NULL.
-+ * -- tav...@google.com 15 Jun 2006
-+ */
- if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- status = 0;
- break;
- }
-@@ -468,7 +475,7 @@
- if (fip->field_type == TIFF_ASCII)
- _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
- else {
-- tv->value = _TIFFmalloc(tv_size * tv->count);
-+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag
Value");
- if (!tv->value) {
- status = 0;
- goto end;
-@@ -563,7 +570,7 @@
- }
- }
- if (status) {
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+ TIFFSetFieldBit(tif, fip->field_bit);
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- }
-
-@@ -572,12 +579,12 @@
- return (status);
- badvalue:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
-- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- badvalue32:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for
\"%s\"",
-- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- }
-@@ -813,12 +820,16 @@
- * If the client tries to get a tag that is not valid
- * for the image's codec then we'll arrive here.
- */
-+ /*
-+ * dont dereference fip if it's NULL.
-+ * -- tav...@google.com 15 Jun 2006
-+ */
- if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
- {
- TIFFErrorExt(tif->tif_clientdata,
"_TIFFVGetField",
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- ret_val = 0;
- break;
- }
-diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000
+0100
-@@ -775,7 +775,8 @@
- TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
- "Internal error, unknown tag 0x%x",
- (unsigned int) tag);
-- assert(fip != NULL);
-+ /* assert(fip != NULL); */
-+
- /*NOTREACHED*/
- }
- return (fip);
-@@ -789,7 +790,8 @@
- if (!fip) {
- TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
- "Internal error, unknown tag %s", field_name);
-- assert(fip != NULL);
-+ /* assert(fip != NULL); */
-+
- /*NOTREACHED*/
- }
- return (fip);
-diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000
+0100
-@@ -29,6 +29,9 @@
- *
- * Directory Read Support Routines.
- */
-+
-+#include <limits.h>
-+
- #include "tiffiop.h"
-
- #define IGNORE 0 /* tag placeholder used below */
-@@ -81,6 +84,7 @@
- uint16 dircount;
- toff_t nextdiroff;
- int diroutoforderwarning = 0;
-+ int compressionknown = 0;
- toff_t* new_dirlist;
-
- tif->tif_diroff = tif->tif_nextdiroff;
-@@ -147,13 +151,20 @@
- } else {
- toff_t off = tif->tif_diroff;
-
-- if (off + sizeof (uint16) > tif->tif_size) {
-- TIFFErrorExt(tif->tif_clientdata, module,
-- "%s: Can not read TIFF directory count",
-- tif->tif_name);
-- return (0);
-+ /*
-+ * Check for integer overflow when validating the dir_off,
otherwise
-+ * a very high offset may cause an OOB read and crash the
client.
-+ * -- tav...@google.com, 14 Jun 2006.
-+ */
-+ if (off + sizeof (uint16) > tif->tif_size ||
-+ off > (UINT_MAX - sizeof(uint16))) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "%s: Can not read TIFF directory count",
-+ tif->tif_name);
-+ return (0);
- } else
-- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof
(uint16));
-+ _TIFFmemcpy(&dircount, tif->tif_base + off,
-+ sizeof (uint16));
- off += sizeof (uint16);
- if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabShort(&dircount);
-@@ -254,6 +265,7 @@
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
-+
- if (fix >= tif->tif_nfields ||
- tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
-
-@@ -264,17 +276,23 @@
- dp->tdir_tag,
- dp->tdir_tag,
- dp->tdir_type);
--
-- TIFFMergeFieldInfo(tif,
-- _TIFFCreateAnonFieldInfo(tif,
-- dp->tdir_tag,
-- (TIFFDataType) dp->tdir_type),
-- 1 );
-+ /*
-+ * creating anonymous fields prior to
knowing the compression
-+ * algorithm (ie, when the field info
has been merged) could cause
-+ * crashes with pathological
directories.
-+ * -- tav...@google.com 15 Jun 2006
-+ */
-+ if (compressionknown)
-+ TIFFMergeFieldInfo(tif,
_TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
-+ (TIFFDataType) dp->tdir_type),
1 );
-+ else goto ignore;
-+
- fix = 0;
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
- }
-+
- /*
- * Null out old tags that we ignore.
- */
-@@ -326,6 +344,7 @@
- dp->tdir_type, dp->tdir_offset);
- if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
- goto bad;
-+ else compressionknown++;
- break;
- /* XXX: workaround for broken TIFFs */
- } else if (dp->tdir_type == TIFF_LONG) {
-@@ -540,6 +559,7 @@
- * Attempt to deal with a missing StripByteCounts tag.
- */
- if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
TIFFTAG_STRIPBYTECOUNTS);
- /*
- * Some manufacturers violate the spec by not giving
- * the size of the strips. In this case, assume there
-@@ -556,7 +576,7 @@
- "%s: TIFF directory is missing required "
- "\"%s\" field, calculating from imagelength",
- tif->tif_name,
--
_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- /*
-@@ -580,6 +600,7 @@
- } else if (td->td_nstrips == 1
- && td->td_stripoffset[0] != 0
- && BYTECOUNTLOOKSBAD) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
TIFFTAG_STRIPBYTECOUNTS);
- /*
- * XXX: Plexus (and others) sometimes give a value of zero for
- * a tag when they don't know what the correct value is! Try
-@@ -589,13 +610,14 @@
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
- tif->tif_name,
--
_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if(EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
- && td->td_nstrips > 2
- && td->td_compression == COMPRESSION_NONE
- && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
TIFFTAG_STRIPBYTECOUNTS);
- /*
- * XXX: Some vendors fill StripByteCount array with absolutely
- * wrong values (it can be equal to StripOffset array, for
-@@ -604,7 +626,7 @@
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
- tif->tif_name,
--
_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- }
-@@ -870,7 +892,13 @@
-
- register TIFFDirEntry *dp;
- register TIFFDirectory *td = &tif->tif_dir;
-- uint16 i;
-+
-+ /* i is used to iterate over td->td_nstrips, so must be
-+ * at least the same width.
-+ * -- tav...@google.com 15 Jun 2006
-+ */
-+
-+ uint32 i;
-
- if (td->td_stripbytecount)
- _TIFFfree(td->td_stripbytecount);
-@@ -947,16 +975,18 @@
- static int
- CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
- {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+
- if (count > dir->tdir_count) {
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+ fip ? fip->field_name : "Unknown",
- dir->tdir_count, count);
- return (0);
- } else if (count < dir->tdir_count) {
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+ fip ? fip->field_name : "Unknown",
- dir->tdir_count, count);
- return (1);
- }
-@@ -970,6 +1000,7 @@
- TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
- {
- int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- tsize_t cc = dir->tdir_count * w;
-
- /* Check for overflow. */
-@@ -1013,7 +1044,7 @@
- bad:
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Error fetching data for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- return (tsize_t) 0;
- }
-
-@@ -1039,10 +1070,12 @@
- static int
- cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
- {
-+ const TIFFFieldInfo* fip;
- if (denom == 0) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "%s: Rational with zero denominator (num = %lu)",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
-+ fip ? fip->field_name : "Unknown", num);
- return (0);
- } else {
- if (dir->tdir_type == TIFF_RATIONAL)
-@@ -1159,6 +1192,20 @@
- static int
- TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
- {
-+ /*
-+ * Prevent overflowing the v stack arrays below by performing a sanity
-+ * check on tdir_count, this should never be greater than two.
-+ * -- tav...@google.com 14 Jun 2006.
-+ */
-+ if (dir->tdir_count > 2) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
dir->tdir_tag);
-+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
-+ "unexpected count for field \"%s\", %lu,
expected 2; ignored.",
-+ fip ? fip->field_name : "Unknown",
-+ dir->tdir_count);
-+ return 0;
-+ }
-+
- switch (dir->tdir_type) {
- case TIFF_BYTE:
- case TIFF_SBYTE:
-@@ -1329,14 +1376,15 @@
- case TIFF_DOUBLE:
- return (TIFFFetchDoubleArray(tif, dir, (double*) v));
- default:
-+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
dir->tdir_tag);
- /* TIFF_NOTYPE */
- /* TIFF_ASCII */
- /* TIFF_UNDEFINED */
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "cannot read TIFF_ANY type %d for field \"%s\"",
- dir->tdir_type,
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-- return (0);
-+ fip ? fip->field_name : "Unknown");
-+ return (0); }
- }
- return (1);
- }
-@@ -1351,6 +1399,9 @@
- int ok = 0;
- const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
-
-+ if (fip == NULL) {
-+ return (0);
-+ }
- if (dp->tdir_count > 1) { /* array of values */
- char* cp = NULL;
-
-@@ -1493,6 +1544,7 @@
- TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1510,9 +1562,10 @@
-
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata,
tif->tif_name,
- "Cannot handle different per-sample values for
field \"%s\"",
-- _TIFFFieldWithTag(tif,
dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-@@ -1534,6 +1587,7 @@
- TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1551,9 +1605,10 @@
- check_count = samples;
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata,
tif->tif_name,
- "Cannot handle different per-sample values for
field \"%s\"",
-- _TIFFFieldWithTag(tif,
dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-@@ -1574,6 +1629,7 @@
- TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1591,9 +1647,10 @@
-
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for
field \"%s\"",
-- _TIFFFieldWithTag(tif,
dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
-@@ -1136,6 +1136,7 @@
- Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
- {
- Fax3BaseState* sp = Fax3State(tif);
-+ const TIFFFieldInfo* fip;
-
- assert(sp != 0);
- assert(sp->vsetparent != 0);
-@@ -1181,7 +1182,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
-@@ -722,15 +722,31 @@
- segment_width = TIFFhowmany(segment_width, sp->h_sampling);
- segment_height = TIFFhowmany(segment_height, sp->v_sampling);
- }
-- if (sp->cinfo.d.image_width != segment_width ||
-- sp->cinfo.d.image_height != segment_height) {
-+ if (sp->cinfo.d.image_width < segment_width ||
-+ sp->cinfo.d.image_height < segment_height) {
- TIFFWarningExt(tif->tif_clientdata, module,
- "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
- segment_width,
- segment_height,
- sp->cinfo.d.image_width,
- sp->cinfo.d.image_height);
-+ }
-+
-+ if (sp->cinfo.d.image_width > segment_width ||
-+ sp->cinfo.d.image_height > segment_height) {
-+ /*
-+ * This case could be dangerous, if the strip or tile size has
been
-+ * reported as less than the amount of data jpeg will return,
some
-+ * potential security issues arise. Catch this case and error
out.
-+ * -- tav...@google.com 14 Jun 2006
-+ */
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "JPEG strip/tile size exceeds expected dimensions,"
-+ "expected %dx%d, got %dx%d", segment_width,
segment_height,
-+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
-+ return (0);
- }
-+
- if (sp->cinfo.d.num_components !=
- (td->td_planarconfig == PLANARCONFIG_CONTIG ?
- td->td_samplesperpixel : 1)) {
-@@ -761,6 +777,22 @@
- sp->cinfo.d.comp_info[0].v_samp_factor,
- sp->h_sampling, sp->v_sampling);
-
-+ /*
-+ * There are potential security issues here for
decoders that
-+ * have already allocated buffers based on the
expected sampling
-+ * factors. Lets check the sampling factors
dont exceed what
-+ * we were expecting.
-+ * -- tav...@google.com 14 June 2006
-+ */
-+ if (sp->cinfo.d.comp_info[0].h_samp_factor >
sp->h_sampling ||
-+ sp->cinfo.d.comp_info[0].v_samp_factor
> sp->v_sampling) {
-+
TIFFErrorExt(tif->tif_clientdata, module,
-+ "Cannot honour JPEG
sampling factors that"
-+ " exceed those
specified.");
-+ return (0);
-+ }
-+
-+
- /*
- * XXX: Files written by the Intergraph software
- * has different sampling factors stored in the
-@@ -1521,15 +1553,18 @@
- {
- JPEGState *sp = JState(tif);
-
-- assert(sp != 0);
-+ /* assert(sp != 0); */
-
- tif->tif_tagmethods.vgetfield = sp->vgetparent;
- tif->tif_tagmethods.vsetfield = sp->vsetparent;
-
-- if( sp->cinfo_initialized )
-- TIFFjpeg_destroy(sp); /* release libjpeg resources */
-- if (sp->jpegtables) /* tag value */
-- _TIFFfree(sp->jpegtables);
-+ if (sp != NULL) {
-+ if( sp->cinfo_initialized )
-+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
-+ if (sp->jpegtables) /* tag value */
-+ _TIFFfree(sp->jpegtables);
-+ }
-+
- _TIFFfree(tif->tif_data); /* release local state */
- tif->tif_data = NULL;
-
-@@ -1541,6 +1576,7 @@
- {
- JPEGState* sp = JState(tif);
- TIFFDirectory* td = &tif->tif_dir;
-+ const TIFFFieldInfo* fip;
- uint32 v32;
-
- assert(sp != NULL);
-@@ -1606,7 +1642,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-@@ -1726,7 +1768,11 @@
- {
- JPEGState* sp = JState(tif);
-
-- assert(sp != NULL);
-+ /* assert(sp != NULL); */
-+ if (sp == NULL) {
-+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown
JPEGState");
-+ return;
-+ }
-
- (void) flags;
- if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
-diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
-@@ -105,11 +105,16 @@
- * as codes of the form <color><npixels>
- * until we've filled the scanline.
- */
-+ /*
-+ * Ensure the run does not exceed the scanline
-+ * bounds, potentially resulting in a security issue.
-+ * -- tav...@google.com 14 Jun 2006.
-+ */
- op = row;
- for (;;) {
- grey = (n>>6) & 0x3;
- n &= 0x3f;
-- while (n-- > 0)
-+ while (n-- > 0 && npixels < imagewidth)
- SETPIXEL(op, grey);
- if (npixels >= (int) imagewidth)
- break;
-diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c
tiff-3.8.2-goo/libtiff/tif_pixarlog.c
---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000
+0100
-@@ -768,7 +768,19 @@
- if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabArrayOfShort(up, nsamples);
-
-- for (i = 0; i < nsamples; i += llen, up += llen) {
-+ /*
-+ * if llen is not an exact multiple of nsamples, the decode operation
-+ * may overflow the output buffer, so truncate it enough to prevent that
-+ * but still salvage as much data as possible.
-+ * -- tav...@google.com 14th June 2006
-+ */
-+ if (nsamples % llen)
-+ TIFFWarningExt(tif->tif_clientdata, module,
-+ "%s: stride %lu is not a multiple of sample
count, "
-+ "%lu, data truncated.", tif->tif_name, llen,
nsamples);
-+
-+
-+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
- switch (sp->user_datafmt) {
- case PIXARLOGDATAFMT_FLOAT:
- horizontalAccumulateF(up, llen, sp->stride,
-diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
-@@ -31,6 +31,8 @@
- #include "tiffiop.h"
- #include <stdio.h>
-
-+#include <limits.h>
-+
- int TIFFFillStrip(TIFF*, tstrip_t);
- int TIFFFillTile(TIFF*, ttile_t);
- static int TIFFStartStrip(TIFF*, tstrip_t);
-@@ -272,7 +274,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
-+ /*
-+ * This sanity check could potentially overflow, causing an OOB
read.
-+ * verify that offset + bytecount is > offset.
-+ * -- tav...@google.com 14 Jun 2006
-+ */
-+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
- /*
- * This error message might seem strange, but it's
- * what would happen if a read were done instead.
-@@ -470,7 +478,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
-+ /*
-+ * We must check this calculation doesnt overflow, potentially
-+ * causing an OOB read.
-+ * -- tav...@google.com 15 Jun 2006
-+ */
-+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
- tif->tif_curtile = NOTILE;
- return (0);
- }
diff --git a/source/lib/libtiff/tiffsplit-overflow.patch
b/source/lib/libtiff/tiffsplit-overflow.patch
deleted file mode 100644
index 36a613f..0000000
--- a/source/lib/libtiff/tiffsplit-overflow.patch
+++ /dev/null
@@ -1,22 +0,0 @@
---- tiff-3.8.2/tools/tiffsplit.c.overflow 2006-05-25 22:37:11.000000000
-0400
-+++ tiff-3.8.2/tools/tiffsplit.c 2006-05-25 22:42:42.000000000 -0400
-@@ -60,14 +60,16 @@
- fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n");
- return (-3);
- }
-- if (argc > 2)
-- strcpy(fname, argv[2]);
-+ if (argc > 2) {
-+ strncpy(fname, argv[2], 1024);
-+ fname[1024] = '\0';
-+ }
- in = TIFFOpen(argv[1], "r");
- if (in != NULL) {
- do {
- char path[1024+1];
- newfilename();
-- strcpy(path, fname);
-+ strncpy(path, fname, 1020);
- strcat(path, ".tif");
- out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
- if (out == NULL)
_______________________________________________
Frugalware-git mailing list
Frugalware-git@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-git
