Hello community, here is the log from the commit of package tiff.1209 for openSUSE:12.1:Update checked in at 2013-01-18 13:27:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/tiff.1209 (Old) and /work/SRC/openSUSE:12.1:Update/.tiff.1209.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff.1209", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-01-09 19:40:42.352580873 +0100 +++ /work/SRC/openSUSE:12.1:Update/.tiff.1209.new/tiff.changes 2013-01-18 13:27:26.000000000 +0100 @@ -0,0 +1,443 @@ +------------------------------------------------------------------- +Mon Nov 12 14:39:37 UTC 2012 - pgaj...@suse.com + +- new patches + * tiff-3.9.5-CVE-2012-4447.patch [bnc#781995] + * tiff-3.9.5-CVE-2012-4564.patch [bnc#787892] + * tiff-3.9.5-CVE-2012-5581.patch [bnc#791607] + +------------------------------------------------------------------- +Thu Jul 12 13:56:26 UTC 2012 - pgaj...@suse.com + +- fixed CVE-2012-3401 [bnc#770816] + +------------------------------------------------------------------- +Wed Jun 20 09:55:10 UTC 2012 - pgaj...@suse.com + +- fixed + * CVE-2012-2113 [bnc#767852] + * CVE-2012-2088 [bnc#767854] + +------------------------------------------------------------------- +Mon Apr 2 12:08:30 UTC 2012 - pgaj...@suse.com + +- fixed CVE-2012-1173 [bnc#753362] + +------------------------------------------------------------------- +Fri Aug 5 21:09:33 UTC 2011 - crrodrig...@opensuse.org + +- Do not use -fno-strict-aliasing, no longer needed + and will probably slow down the code. +- Fix self-obsoletion warning + +------------------------------------------------------------------- +Thu Apr 14 14:02:12 CEST 2011 - pgaj...@suse.cz + +- updated to 3.9.5: + * fixed integer overflow CVE-2010-4665 + * fixed buffer overflow in ojpeg decoder + * upstreamed: + - oob-read.patch + - CVE-2011-0192.patch + - getimage-64bit.patch + - CVE-2011-1167.patch + - scanlinesize.patch + +------------------------------------------------------------------- +Thu Mar 31 21:49:49 CEST 2011 - pgaj...@suse.cz + +- fixed regression caused by previous update [bnc#682871] + * modified CVE-2011-0192.patch +- fixed buffer overflow in thunder decoder [bnc#683337] + * added CVE-2011-1167.patch + +------------------------------------------------------------------- +Thu Feb 17 15:40:54 CET 2011 - pgaj...@suse.cz + +- fixed buffer overflow [bnc#672510] + * CVE-2011-0192.patch + +------------------------------------------------------------------- +Mon Sep 6 14:56:09 CEST 2010 - pgaj...@suse.cz + +- fixed "Possibly exploitable memory corruption issue in libtiff" + (see http://bugzilla.maptools.org/show_bug.cgi?id=2228) + [bnc#624215] + * scanlinesize.patch +- fixed crash while using libjpeg7 and higher + * dont-fancy-upsampling.patch + +------------------------------------------------------------------- +Mon Jul 12 16:36:48 CEST 2010 - pgaj...@suse.cz + +- updated to 3.9.4: fixes CVE-2010-2065 -- obsoletes + * integer-overflow.patch + * NULL-deref.patch +- fixes CVE-2010-2067 + +------------------------------------------------------------------- +Wed Jun 23 10:32:01 CEST 2010 - pgaj...@suse.cz + +- fixed CVE-2010-2065 + * integer-overflow.patch + * NULL-deref.patch +- fixed out of bounds read + * oob-read.patch +- fixed CVE-2010-2233 + * getimage-64bit.patch +- [bnc#612879] + +------------------------------------------------------------------- +Mon Apr 26 15:07:09 CEST 2010 - pgaj...@suse.cz + +- fixed tiff2pdf output [bnc#599475] + +------------------------------------------------------------------- +Fri Mar 26 08:49:41 UTC 2010 - pgaj...@suse.cz + +- fixed typo + +------------------------------------------------------------------- +Tue Mar 16 13:37:23 CET 2010 - pgaj...@suse.cz + +- updated to 3.9.2: fixed many CVE's and obsoletes almost all + our patches (see ChangeLog for details) + +------------------------------------------------------------------- +Tue Dec 15 19:38:18 CET 2009 - jeng...@medozas.de + +- add baselibs.conf as a source +- enable parallel building + +------------------------------------------------------------------- +Thu Aug 6 14:02:07 CEST 2009 - pgaj...@suse.cz + +- fixed integer overflows [bnc#519796] + * CVE-2009-2347.patch + +------------------------------------------------------------------- +Thu Jul 2 16:33:02 CEST 2009 - nadvor...@suse.cz + +- fixed lzw overflow CVE-2009-2285 [bnc#518698] + +------------------------------------------------------------------- +Wed Feb 4 15:49:04 CET 2009 - nadvor...@suse.cz + +- fixed an endless loop on invalid images + (bnc#444079) CVE-2008-1586 + +------------------------------------------------------------------- +Tue Jan 13 16:19:37 CET 2009 - o...@suse.de + +- obsolete old libtiff-64bit on ppc64 (bnc#437293) + +------------------------------------------------------------------- +Wed Jan 7 12:34:56 CET 2009 - o...@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Sun Sep 7 11:24:56 CEST 2008 - sch...@suse.de + +- Fix conflicting options. + +------------------------------------------------------------------- +Tue Aug 19 17:45:10 CEST 2008 - nadvor...@suse.cz + +- fixed buffer overflows in LZW code (CVE-2008-2327) [bnc#414946] + +------------------------------------------------------------------- +Sun May 18 10:37:18 CEST 2008 - co...@suse.de + +- fix rename of xxbit packages + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - r...@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Fri Jul 27 15:58:49 CEST 2007 - r...@suse.de + +- add provides and obsoletes for libtiff to libtiff3 package + +------------------------------------------------------------------- +Thu Jul 19 15:01:40 CEST 2007 - nadvor...@suse.cz + +- renamed libtiff to libtiff3 +- do not package static libraries +- added zlib-devel to BuildRequires + +------------------------------------------------------------------- +Mon Jun 12 13:40:43 CEST 2006 - nadvor...@suse.cz + +- fixed a typo in the previous change [#179051] + +------------------------------------------------------------------- +Fri Jun 2 17:17:55 CEST 2006 - nadvor...@suse.cz + +- fixed buffer overflow in tiffsplit (CVE-2006-2656) [#179051] +- fixed buffer overflow in tiff2pdf [#179587] + +------------------------------------------------------------------- +Wed Apr 12 11:01:27 CEST 2006 - nadvor...@suse.cz + +- updated to 3.8.2 [#165237] + * bugfix release + * fixed several segfaults caused by incorrect tiff data + +------------------------------------------------------------------- +Tue Feb 7 15:09:45 CET 2006 - nadvor...@suse.cz + +- fixed crash on certain tiff images CVE-2006-0405 [#145757] + +------------------------------------------------------------------- +Wed Jan 25 21:31:02 CET 2006 - m...@suse.de + ++++ 246 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.tiff.1209.new/tiff.changes New: ---- README.SUSE baselibs.conf tiff-3.9.5-CVE-2012-1173.patch tiff-3.9.5-CVE-2012-2088.patch tiff-3.9.5-CVE-2012-2113.patch tiff-3.9.5-CVE-2012-3401.patch tiff-3.9.5-CVE-2012-4447.patch tiff-3.9.5-CVE-2012-4564.patch tiff-3.9.5-CVE-2012-5581.patch tiff-3.9.5-dont-fancy-upsampling.patch tiff-3.9.5-seek.patch tiff-3.9.5-tiff2pdf-colors.patch tiff-3.9.5.tar.bz2 tiff.changes tiff.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ # # spec file for package tiff # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: tiff BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: tiff-64bit %endif # Url: http://www.remotesensing.org/libtiff/ Version: 3.9.5 Release: 0 Summary: Tools for Converting from and to the Tiff Format License: PERMISSIVE-OSI-COMPLIANT and MIT Group: Productivity/Graphics/Convertors Source: tiff-%{version}.tar.bz2 Source2: README.SUSE Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch Patch3: tiff-%{version}-tiff2pdf-colors.patch Patch9: tiff-%{version}-dont-fancy-upsampling.patch Patch10: tiff-3.9.5-CVE-2012-1173.patch Patch11: tiff-3.9.5-CVE-2012-2113.patch Patch12: tiff-3.9.5-CVE-2012-2088.patch Patch13: tiff-3.9.5-CVE-2012-3401.patch Patch14: tiff-3.9.5-CVE-2012-4447.patch Patch15: tiff-3.9.5-CVE-2012-4564.patch Patch16: tiff-3.9.5-CVE-2012-5581.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package contains the library and support programs for the TIFF image format. Authors: -------- Sam Leffler <s...@engr.sgi.com> %package -n libtiff3 Summary: The Tiff Library (with JPEG and compression support) License: PERMISSIVE-OSI-COMPLIANT and MIT Group: System/Libraries Provides: libtiff = %{version} Obsoletes: libtiff < %{version} # bug437293 %ifarch ppc64 Obsoletes: libtiff-64bit %endif # %description -n libtiff3 This package includes the tiff libraries. To link a program with libtiff, you will have to add -ljpeg and -lz to include the necessary libjpeg and libz in the linking process. Authors: -------- Sam Leffler <s...@engr.sgi.com> %package -n libtiff-devel Summary: Development Tools for Programs which will use the libtiff Library License: PERMISSIVE-OSI-COMPLIANT Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libjpeg-devel Requires: libstdc++-devel Requires: libtiff3 = %{version} Requires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: tiff-devel-64bit %endif # %description -n libtiff-devel This package contains the header files and static libraries for developing programs which will manipulate TIFF format image files using the libtiff library. %prep %setup -q %patch2 %patch3 -p1 %patch9 -p1 %patch10 %patch11 %patch12 %patch13 %patch14 %patch15 %patch16 -p1 find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 %build rm m4/ltversion.m4 m4/ltsugar.m4 m4/ltoptions.m4 m4/libtool.m4 autoreconf --force --install -v %configure --disable-static --with-pic make %{?_smp_mflags} %install mkdir -p $RPM_BUILD_ROOT/{%{_mandir}/{man1,man3},usr/{bin,lib,include}} make install DESTDIR=$RPM_BUILD_ROOT for f in `find $RPM_BUILD_ROOT/%{_mandir} -type f -print ` ; do if [ `wc -l <$f` -eq 1 ] && grep -q "^\.so " $f ; then linkto=`sed -e "s|^\.so ||" $f` [ -f "`dirname $f`/$linkto" ] && ln -sf "$linkto" $f fi done cp %{S:2} . rm -rf $RPM_BUILD_ROOT/usr/share/doc/tiff* rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la find html -name "Makefile*" | xargs rm %post -n libtiff3 -p /sbin/ldconfig %postun -n libtiff3 -p /sbin/ldconfig %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) /usr/bin/* %doc html %doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE %doc %{_mandir}/man1/* %files -n libtiff3 %defattr(-,root,root) %doc README COPYRIGHT README.SUSE %{_libdir}/*.so.* %files -n libtiff-devel %defattr(-,root,root) /usr/include/* %{_libdir}/*.so %doc %{_mandir}/man3/* %changelog ++++++ README.SUSE ++++++ The documentation for tiff programs and library is in package tiff in directory /usr/share/doc/packages/tiff.++++++ baselibs.conf ++++++ libtiff3 obsoletes "libtiff-<targettype> <= <version>" provides "libtiff-<targettype> = <version>" libtiff-devel requires -libtiff-<targettype> requires "libtiff3-<targettype> = <version>" ++++++ tiff-3.9.5-CVE-2012-1173.patch ++++++ Index: libtiff/tif_getimage.c =================================================================== --- libtiff/tif_getimage.c.orig +++ libtiff/tif_getimage.c @@ -673,18 +673,24 @@ gtTileSeparate(TIFFRGBAImage* img, uint3 unsigned char* p2; unsigned char* pa; tsize_t tilesize; + tsize_t bufsize; int32 fromskew, toskew; int alpha = img->alpha; uint32 nrow; int ret = 1, flip; tilesize = TIFFTileSize(tif); - buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); + bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize); + if (bufsize == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); + return (0); + } + buf = (unsigned char*) _TIFFmalloc(bufsize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); return (0); } - _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); + _TIFFmemset(buf, 0, bufsize); p0 = buf; p1 = p0 + tilesize; p2 = p1 + tilesize; @@ -880,17 +886,23 @@ gtStripSeparate(TIFFRGBAImage* img, uint uint32 rowsperstrip, offset_row; uint32 imagewidth = img->width; tsize_t stripsize; + tsize_t bufsize; int32 fromskew, toskew; int alpha = img->alpha; int ret = 1, flip; stripsize = TIFFStripSize(tif); - p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); + bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize); + if (bufsize == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); + return (0); + } + p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); return (0); } - _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); + _TIFFmemset(buf, 0, bufsize); p1 = p0 + stripsize; p2 = p1 + stripsize; pa = (alpha?(p2+stripsize):NULL); Index: libtiff/tiffiop.h =================================================================== --- libtiff/tiffiop.h.orig +++ libtiff/tiffiop.h @@ -246,7 +246,7 @@ struct tiff { #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) /* Safe multiply which returns zero if there is an integer overflow */ -#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) +#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) #define TIFFmax(A,B) ((A)>(B)?(A):(B)) #define TIFFmin(A,B) ((A)<(B)?(A):(B)) ++++++ tiff-3.9.5-CVE-2012-2088.patch ++++++ Index: libtiff/tif_strip.c =================================================================== --- libtiff/tif_strip.c.orig +++ libtiff/tif_strip.c @@ -107,6 +107,7 @@ tsize_t TIFFVStripSize(TIFF* tif, uint32 nrows) { TIFFDirectory *td = &tif->tif_dir; + uint32 stripsize; if (nrows == (uint32) -1) nrows = td->td_imagelength; @@ -122,7 +123,7 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) * YCbCr data for the extended image. */ uint16 ycbcrsubsampling[2]; - tsize_t w, scanline, samplingarea; + uint32 w, scanline, samplingarea; TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ycbcrsubsampling + 0, @@ -141,13 +142,19 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); - return ((tsize_t) + stripsize = summarize(tif, scanline, multiply(tif, 2, scanline / samplingarea, - "TIFFVStripSize"), "TIFFVStripSize")); + "TIFFVStripSize"), "TIFFVStripSize"); } else - return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), - "TIFFVStripSize")); + stripsize = multiply(tif, nrows, TIFFScanlineSize(tif), + "TIFFVStripSize"); + /* Because tsize_t is signed, we might have conversion overflow */ + if (((tsize_t) stripsize) < 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize"); + stripsize = 0; + } + return (tsize_t) stripsize; } Index: libtiff/tif_tile.c =================================================================== --- libtiff/tif_tile.c.orig +++ libtiff/tif_tile.c @@ -174,7 +174,7 @@ tsize_t TIFFTileRowSize(TIFF* tif) { TIFFDirectory *td = &tif->tif_dir; - tsize_t rowsize; + uint32 rowsize; if (td->td_tilelength == 0 || td->td_tilewidth == 0) return ((tsize_t) 0); @@ -193,7 +193,7 @@ tsize_t TIFFVTileSize(TIFF* tif, uint32 nrows) { TIFFDirectory *td = &tif->tif_dir; - tsize_t tilesize; + uint32 tilesize; if (td->td_tilelength == 0 || td->td_tilewidth == 0 || td->td_tiledepth == 0) @@ -209,12 +209,12 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) * horizontal/vertical subsampling area include * YCbCr data for the extended image. */ - tsize_t w = + uint32 w = TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); - tsize_t rowsize = + uint32 rowsize = TIFFhowmany8(multiply(tif, w, td->td_bitspersample, "TIFFVTileSize")); - tsize_t samplingarea = + uint32 samplingarea = td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; if (samplingarea == 0) { TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); @@ -230,8 +230,13 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) } else tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), "TIFFVTileSize"); - return ((tsize_t) - multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); + tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"); + /* Because tsize_t is signed, we might have conversion overflow */ + if (((tsize_t) tilesize) < 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize"); + tilesize = 0; + } + return (tsize_t) tilesize; } /* ++++++ tiff-3.9.5-CVE-2012-2113.patch ++++++ mv Index: tools/tiff2pdf.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v retrieving revision 1.37.2.19 Index: tools/tiff2pdf.c =================================================================== --- tools/tiff2pdf.c.orig +++ tools/tiff2pdf.c @@ -431,6 +431,34 @@ t2p_unmapproc(thandle_t handle, tdata_t (void) handle, (void) data, (void) offset; } +static uint64 +checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p) +{ + uint64 bytes = summand1 + summand2; + + if (bytes - summand1 != summand2) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + bytes = 0; + } + + return bytes; +} + +static uint64 +checkMultiply64(uint64 first, uint64 second, T2P* t2p) +{ + uint64 bytes = first * second; + + if (second && bytes / second != first) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + bytes = 0; + } + + return bytes; +} + /* This is the main function. @@ -1773,9 +1801,7 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* tstrip_t i=0; tstrip_t stripcount=0; #endif -#ifdef OJPEG_SUPPORT - tsize_t k = 0; -#endif + uint64 k = 0; if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT @@ -1803,19 +1829,25 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* } stripcount=TIFFNumberOfStrips(input); for(i=0;i<stripcount;i++){ - k += sbc[i]; + k = checkAdd64(k, sbc[i], t2p); } if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){ if(t2p->tiff_dataoffset != 0){ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ if(t2p->tiff_datasize < k) { - t2p->pdf_ojpegiflength=t2p->tiff_datasize; - t2p->tiff_datasize+=k; - t2p->tiff_datasize+=6; - t2p->tiff_datasize+=2*stripcount; TIFFWarning(TIFF2PDF_MODULE, "Input file %s has short JPEG interchange file byte count", TIFFFileName(input)); + t2p->pdf_ojpegiflength=t2p->tiff_datasize; + k = checkAdd64(k, t2p->tiff_datasize, t2p); + k = checkAdd64(k, 6, t2p); + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, stripcount, t2p); + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } return; @@ -1828,9 +1860,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* } } } - t2p->tiff_datasize+=k; - t2p->tiff_datasize+=2*stripcount; - t2p->tiff_datasize+=2048; + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, 2048, t2p); + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } #endif @@ -1839,11 +1876,11 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ if(count > 4){ - t2p->tiff_datasize += count; - t2p->tiff_datasize -= 2; /* don't use EOI of header */ + k += count; + k -= 2; /* don't use EOI of header */ } } else { - t2p->tiff_datasize = 2; /* SOI for first strip */ + k = 2; /* SOI for first strip */ } stripcount=TIFFNumberOfStrips(input); if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){ @@ -1854,18 +1891,33 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* return; } for(i=0;i<stripcount;i++){ - t2p->tiff_datasize += sbc[i]; - t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */ + k = checkAdd64(k, sbc[i], t2p); + k -=4; /* don't use SOI or EOI of strip */ + } + k = checkAdd64(k, 2, t2p); /* use EOI of last strip */ + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; } - t2p->tiff_datasize +=2; /* use EOI of last strip */ return; } #endif (void) 0; } - t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length; + k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ - t2p->tiff_datasize*= t2p->tiff_samplesperpixel; + k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); + } + if (k == 0) { + /* Assume we had overflow inside TIFFScanlineSize */ + t2p->t2p_error = T2P_ERR_ERROR; + } + + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; } return; @@ -1883,6 +1935,7 @@ void t2p_read_tiff_size_tile(T2P* t2p, T #ifdef JPEG_SUPPORT unsigned char* jpt; #endif + uint64 k; edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); @@ -1894,14 +1947,17 @@ void t2p_read_tiff_size_tile(T2P* t2p, T #endif ){ t2p->tiff_datasize=TIFFTileSize(input); + if (t2p->tiff_datasize == 0) { + /* Assume we had overflow inside TIFFTileSize */ + t2p->t2p_error = T2P_ERR_ERROR; + } return; } else { TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); - t2p->tiff_datasize=tbc[tile]; + k=tbc[tile]; #ifdef OJPEG_SUPPORT if(t2p->tiff_compression==COMPRESSION_OJPEG){ - t2p->tiff_datasize+=2048; - return; + k = checkAdd64(k, 2048, t2p); } #endif #ifdef JPEG_SUPPORT @@ -1909,18 +1965,33 @@ void t2p_read_tiff_size_tile(T2P* t2p, T uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){ if(count > 4){ - t2p->tiff_datasize += count; - t2p->tiff_datasize -= 2; /* don't use EOI of header or SOI of tile */ + k = checkAdd64(k, count, t2p); + k -= 2; /* don't use EOI of header or SOI of tile */ } } } #endif + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } } - t2p->tiff_datasize=TIFFTileSize(input); + k = TIFFTileSize(input); if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ - t2p->tiff_datasize*= t2p->tiff_samplesperpixel; + k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); + } + if (k == 0) { + /* Assume we had overflow inside TIFFTileSize */ + t2p->t2p_error = T2P_ERR_ERROR; + } + + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; } return; @@ -2013,6 +2084,10 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p uint32 max_striplength=0; #endif + /* Fail if prior error (in particular, can't trust tiff_datasize) */ + if (t2p->t2p_error != T2P_ERR_OK) + return(0); + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT if(t2p->pdf_compression == T2P_COMPRESS_G4){ @@ -2586,6 +2661,10 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P uint32 xuint32=0; #endif + /* Fail if prior error (in particular, can't trust tiff_datasize) */ + if (t2p->t2p_error != T2P_ERR_OK) + return(0); + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); ++++++ tiff-3.9.5-CVE-2012-3401.patch ++++++ Index: tools/tiff2pdf.c =================================================================== --- tools/tiff2pdf.c.orig +++ tools/tiff2pdf.c @@ -1066,6 +1066,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* "Can't set directory %u of input file %s", i, TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; return; } if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ ++++++ tiff-3.9.5-CVE-2012-4447.patch ++++++ Index: libtiff/tif_pixarlog.c =================================================================== --- libtiff/tif_pixarlog.c.orig +++ libtiff/tif_pixarlog.c @@ -93,6 +93,8 @@ #include <stdlib.h> #include <math.h> +#include <limits.h> + /* Tables for converting to/from 11 bit coded values */ #define TSIZE 2048 /* decode table size (11-bit tokens) */ @@ -664,7 +666,15 @@ PixarLogSetupDecode(TIFF* tif) td->td_rowsperstrip), sizeof(uint16)); if (tbuf_size == 0) return (0); - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + + int i_stride = sp->stride * sizeof(uint16); + if (tbuf_size > (INT_MAX - i_stride)) { + TIFFErrorExt(tif->tif_clientdata, module, "%s: overflow!", + tif->tif_name); + return (0); + } + + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size + i_stride); if (sp->tbuf == NULL) return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) @@ -829,7 +839,15 @@ PixarLogSetupEncode(TIFF* tif) td->td_rowsperstrip), sizeof(uint16)); if (tbuf_size == 0) return (0); - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + + int i_stride = sp->stride * sizeof(uint16); + if (tbuf_size > (INT_MAX - i_stride)) { + TIFFErrorExt(tif->tif_clientdata, module, "%s: overflow!", + tif->tif_name); + return (0); + } + + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size + i_stride); if (sp->tbuf == NULL) return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) ++++++ tiff-3.9.5-CVE-2012-4564.patch ++++++ Index: tools/ppm2tiff.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v --- tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16 +++ tools/ppm2tiff.c 31 Oct 2012 06:25:13 -0000 @@ -89,6 +89,7 @@ int c; extern int optind; extern char* optarg; + tsize_t scanline_size; if (argc < 2) { fprintf(stderr, "%s: Too few arguments\n", argv[0]); @@ -237,8 +238,16 @@ } if (TIFFScanlineSize(out) > linebytes) buf = (unsigned char *)_TIFFmalloc(linebytes); - else - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + else { + scanline_size = TIFFScanlineSize(out); + if (scanline_size != 0) + buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + else { + fprintf(stderr, "%s: scanline size overflow\n",infile); + (void) TIFFClose(out); + exit(-2); + } + } if (resolution > 0) { TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); ++++++ tiff-3.9.5-CVE-2012-5581.patch ++++++ Index: tiff-3.9.5/libtiff/tif_dir.c =================================================================== --- tiff-3.9.5.orig/libtiff/tif_dir.c +++ tiff-3.9.5/libtiff/tif_dir.c @@ -493,32 +493,27 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va status = 0; goto end; } - - if ((fip->field_passcount + if (fip->field_tag == TIFFTAG_DOTRANGE + && strcmp(fip->field_name,"DotRange") == 0) { + /* TODO: This is an evil exception and should not have been + handled this way ... likely best if we move it into + the directory structure with an explicit field in + libtiff 4.1 and assign it a FIELD_ value */ + uint16 v[2]; + v[0] = (uint16)va_arg(ap, int); + v[1] = (uint16)va_arg(ap, int); + _TIFFmemcpy(tv->value, &v, 4); + } else if (fip->field_passcount || fip->field_writecount == TIFF_VARIABLE || fip->field_writecount == TIFF_VARIABLE2 || fip->field_writecount == TIFF_SPP - || tv->count > 1) - && fip->field_tag != TIFFTAG_PAGENUMBER - && fip->field_tag != TIFFTAG_HALFTONEHINTS - && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING - && fip->field_tag != TIFFTAG_DOTRANGE) { + || tv->count > 1) { _TIFFmemcpy(tv->value, va_arg(ap, void *), tv->count * tv_size); } else { - /* - * XXX: The following loop required to handle - * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS, - * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags. - * These tags are actually arrays and should be passed as - * array pointers to TIFFSetField() function, but actually - * passed as a list of separate values. This behaviour - * must be changed in the future! - */ - int i; + assert( tv->count == 1 ); char *val = (char *)tv->value; - for (i = 0; i < tv->count; i++, val += tv_size) { switch (fip->field_type) { case TIFF_BYTE: case TIFF_UNDEFINED: @@ -577,7 +572,6 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va status = 0; break; } - } } } } ++++++ tiff-3.9.5-dont-fancy-upsampling.patch ++++++ Index: tiff-3.9.4/libtiff/tif_jpeg.c =================================================================== --- tiff-3.9.4.orig/libtiff/tif_jpeg.c +++ tiff-3.9.4/libtiff/tif_jpeg.c @@ -850,6 +850,7 @@ JPEGPreDecode(TIFF* tif, tsample_t s) if (downsampled_output) { /* Need to use raw-data interface to libjpeg */ sp->cinfo.d.raw_data_out = TRUE; + sp->cinfo.d.do_fancy_upsampling = FALSE; tif->tif_decoderow = JPEGDecodeRaw; tif->tif_decodestrip = JPEGDecodeRaw; tif->tif_decodetile = JPEGDecodeRaw; ++++++ tiff-3.9.5-seek.patch ++++++ Index: libtiff/tiffiop.h =================================================================== --- libtiff/tiffiop.h.orig +++ libtiff/tiffiop.h @@ -209,7 +209,7 @@ struct tiff { #define TIFFWriteFile(tif, buf, size) \ ((*(tif)->tif_writeproc)((tif)->tif_clientdata,buf,size)) #define TIFFSeekFile(tif, off, whence) \ - ((*(tif)->tif_seekproc)((tif)->tif_clientdata,(toff_t)(off),whence)) + ((tif)->tif_seekproc?((*(tif)->tif_seekproc)((tif)->tif_clientdata,(toff_t)(off),whence)):0) #define TIFFCloseFile(tif) \ ((*(tif)->tif_closeproc)((tif)->tif_clientdata)) #define TIFFGetFileSize(tif) \ ++++++ tiff-3.9.5-tiff2pdf-colors.patch ++++++ --- tiff-3.9.2_/tools/tiff2pdf.c 2009-01-01 01:10:43.000000000 +0100 +++ tiff-3.9.2/tools/tiff2pdf.c 2010-04-24 17:39:00.000000000 +0200 @@ -5072,7 +5072,7 @@ if(t2p->tiff_photometric != PHOTOMETRIC_YCBCR) { written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); - written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 0 >>\n", 24); + written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 1 >>\n", 24); } break; #endif -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org