pool/tiff
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 314654 from graphics

Browse Source 
- update to 4.0.4
D    tiff-4.0.3-double-free.patch
D    tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
D    tiff-4.0.3-CVE-2013-1961.patch
D    erouault.2862.patch
D    bfriesen.2805.patch
D    tiff-4.0.3-CVE-2013-4232.patch
D    tiff-4.0.3-CVE-2013-4244.patch
D    erouault.2861.patch
D    erouault.2857.patch
D    erouault.2856.patch
D    erouault.2859.patch
D    tiff-4.0.3-CVE-2012-4564.patch
D    tiff-4.0.3-tiff2pdf-colors.patch
D    erouault.2876.patch
D    erouault.2860.patch
D    tiff-dither-malloc-check.patch
D    tiff-4.0.3-CVE-2013-1960.patch
D    erouault.2858.patch
D    tiff-handle-TIFFTAG_PREDICTOR.patch
D    tiff-4.0.3-CVE-2013-4231.patch
D    tiff-4.0.3-CVE-2013-4243.patch
D    erouault.2863.patch
D    tiff-4.0.3-test-jpeg-turbo.patch

OBS-URL: https://build.opensuse.org/request/show/314654
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=53
This commit is contained in:
Stephan Kulow 2015-07-05 15:55:35 +00:00 committed by Git OBS Bridge
commit 25d1e7dae3
27 changed files with 34 additions and 1978 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
bfriesen.2805.patch
View File

@ -1,32 +0,0 @@
---------------------
PatchSet 2805
Date: 2012/11/18 19:51:52
Author: bfriesen
Branch: HEAD
Tag: (none)
Log:
* libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
require malloc() to return NULL pointer if requested allocation
size is zero. Assure that _TIFFmalloc does.
Members:
ChangeLog:1.924->1.925
libtiff/tif_unix.c:1.23->1.24
libtiff/tif_vms.c:1.11->1.12
libtiff/tif_win32.c:1.39->1.40
Index: libtiff/libtiff/tif_unix.c
diff -u libtiff/libtiff/tif_unix.c:1.23 libtiff/libtiff/tif_unix.c:1.24
--- libtiff/libtiff/tif_unix.c:1.23 Fri Jun 1 16:40:59 2012
+++ libtiff/libtiff/tif_unix.c Sun Nov 18 12:51:52 2012
@@ -257,6 +257,9 @@
void*
_TIFFmalloc(tmsize_t s)
{
+ if (s == 0)
+ return ((void *) NULL);
+
return (malloc((size_t) s));
}

336
erouault.2856.patch
View File

@ -1,336 +0,0 @@
---------------------
PatchSet 2856
Date: 2014/12/21 17:15:31
Author: erouault
Branch: HEAD
Tag: (none)
Log:
Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
Members:
ChangeLog:1.960->1.961
libtiff/tif_dir.c:1.117->1.118
libtiff/tif_dirread.c:1.180->1.181
libtiff/tif_getimage.c:1.82->1.83
libtiff/tif_next.c:1.13->1.14
tools/bmp2tiff.c:1.23->1.24
tools/tiff2pdf.c:1.77->1.78
tools/tiffcrop.c:1.23->1.24
tools/tiffdump.c:1.28->1.29
Index: libtiff/libtiff/tif_dir.c
diff -u libtiff/libtiff/tif_dir.c:1.117 libtiff/libtiff/tif_dir.c:1.118
--- libtiff/libtiff/tif_dir.c:1.117 Thu Nov 20 11:47:21 2014
+++ libtiff/libtiff/tif_dir.c Sun Dec 21 10:15:31 2014
@@ -160,6 +160,7 @@
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
+ double dblval;
char* s;
const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
uint32 standard_tag = tag;
@@ -284,10 +285,16 @@
setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
break;
case TIFFTAG_XRESOLUTION:
- td->td_xresolution = (float) va_arg(ap, double);
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = (float) dblval;
break;
case TIFFTAG_YRESOLUTION:
- td->td_yresolution = (float) va_arg(ap, double);
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = (float) dblval;
break;
case TIFFTAG_PLANARCONFIG:
v = (uint16) va_arg(ap, uint16_vap);
@@ -694,6 +701,16 @@
va_end(ap);
}
return (0);
+badvaluedouble:
+ {
+ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Bad value %f for \"%s\" tag",
+ tif->tif_name, dblval,
+ fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ }
+ return (0);
}
/*
Index: libtiff/libtiff/tif_dirread.c
diff -u libtiff/libtiff/tif_dirread.c:1.180 libtiff/libtiff/tif_dirread.c:1.181
--- libtiff/libtiff/tif_dirread.c:1.180 Thu Nov 20 11:47:21 2014
+++ libtiff/libtiff/tif_dirread.c Sun Dec 21 10:15:31 2014
@@ -3430,6 +3430,8 @@
const TIFFField* fip;
uint32 fii=FAILED_FII;
toff_t nextdiroff;
+ int bitspersample_read = FALSE;
+
tif->tif_diroff=tif->tif_nextdiroff;
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
return 0; /* last offset or bad offset (IFD looping) */
@@ -3706,6 +3708,8 @@
}
if (!TIFFSetField(tif,dp->tdir_tag,value))
goto bad;
+ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
+ bitspersample_read = TRUE;
}
break;
case TIFFTAG_SMINSAMPLEVALUE:
@@ -3763,6 +3767,19 @@
uint32 countrequired;
uint32 incrementpersample;
uint16* value=NULL;
+ /* It would be dangerous to instanciate those tag values */
+ /* since if td_bitspersample has not yet been read (due to */
+ /* unordered tags), it could be read afterwards with a */
+ /* values greater than the default one (1), which may cause */
+ /* crashes in user code */
+ if( !bitspersample_read )
+ {
+ fip = TIFFFieldWithTag(tif,dp->tdir_tag);
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "Ignoring %s since BitsPerSample tag not found",
+ fip ? fip->field_name : "unknown tagname");
+ continue;
+ }
countpersample=(1L<<tif->tif_dir.td_bitspersample);
if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
{
Index: libtiff/libtiff/tif_getimage.c
diff -u libtiff/libtiff/tif_getimage.c:1.82 libtiff/libtiff/tif_getimage.c:1.83
--- libtiff/libtiff/tif_getimage.c:1.82 Tue Jun 5 19:17:49 2012
+++ libtiff/libtiff/tif_getimage.c Sun Dec 21 10:15:31 2014
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.82 2012-06-06 00:17:49 fwarmerdam Exp $ */
+/* $Id: tif_getimage.c,v 1.83 2014-12-21 15:15:31 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -182,8 +182,23 @@
"Planarconfiguration", td->td_planarconfig);
return (0);
}
+ if( td->td_samplesperpixel != 3 )
+ {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d",
+ "Samples/pixel", td->td_samplesperpixel);
+ return 0;
+ }
break;
case PHOTOMETRIC_CIELAB:
+ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
+ {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
break;
default:
sprintf(emsg, "Sorry, can not handle image with %s=%d",
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.13 libtiff/libtiff/tif_next.c:1.14
--- libtiff/libtiff/tif_next.c:1.13 Wed Mar 10 13:56:48 2010
+++ libtiff/libtiff/tif_next.c Sun Dec 21 10:15:32 2014
@@ -102,6 +102,8 @@
default: {
uint32 npixels = 0, grey;
uint32 imagewidth = tif->tif_dir.td_imagewidth;
+ if( isTiled(tif) )
+ imagewidth = tif->tif_dir.td_tilewidth;
/*
* The scanline is composed of a sequence of constant
Index: libtiff/tools/bmp2tiff.c
diff -u libtiff/tools/bmp2tiff.c:1.23 libtiff/tools/bmp2tiff.c:1.24
--- libtiff/tools/bmp2tiff.c:1.23 Wed Mar 10 13:56:49 2010
+++ libtiff/tools/bmp2tiff.c Sun Dec 21 10:15:32 2014
@@ -403,6 +403,13 @@
width = info_hdr.iWidth;
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
+ if( width <= 0 || length <= 0 )
+ {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
switch (info_hdr.iBitCount)
{
@@ -593,6 +600,14 @@
compr_size = file_hdr.iSize - file_hdr.iOffBits;
uncompr_size = width * length;
+ /* Detect int overflow */
+ if( uncompr_size / width != length )
+ {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
if (!comprbuf) {
TIFFError(infilename,
Index: libtiff/tools/tiff2pdf.c
diff -u libtiff/tools/tiff2pdf.c:1.77 libtiff/tools/tiff2pdf.c:1.78
--- libtiff/tools/tiff2pdf.c:1.77 Tue Dec 9 21:53:30 2014
+++ libtiff/tools/tiff2pdf.c Sun Dec 21 10:15:32 2014
@@ -1167,6 +1167,15 @@
if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
+ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
+ {
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid tile count, %s",
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
}
if( t2p->tiff_tiles[i].tiles_tilecount > 0){
@@ -1552,6 +1561,22 @@
#endif
break;
case PHOTOMETRIC_CIELAB:
+ if( t2p->tiff_samplesperpixel != 3){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Unsupported samplesperpixel = %d for CIELAB",
+ t2p->tiff_samplesperpixel);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ if( t2p->tiff_bitspersample != 8){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid bitspersample = %d for CIELAB",
+ t2p->tiff_bitspersample);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->pdf_labrange[0]= -127;
t2p->pdf_labrange[1]= 127;
t2p->pdf_labrange[2]= -127;
@@ -1567,6 +1592,22 @@
t2p->pdf_colorspace=T2P_CS_LAB;
break;
case PHOTOMETRIC_ITULAB:
+ if( t2p->tiff_samplesperpixel != 3){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Unsupported samplesperpixel = %d for ITULAB",
+ t2p->tiff_samplesperpixel);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ if( t2p->tiff_bitspersample != 8){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid bitspersample = %d for ITULAB",
+ t2p->tiff_bitspersample);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->pdf_labrange[0]=-85;
t2p->pdf_labrange[1]=85;
t2p->pdf_labrange[2]=-75;
Index: libtiff/tools/tiffcrop.c
diff -u libtiff/tools/tiffcrop.c:1.23 libtiff/tools/tiffcrop.c:1.24
--- libtiff/tools/tiffcrop.c:1.23 Sun Dec 7 17:33:06 2014
+++ libtiff/tools/tiffcrop.c Sun Dec 21 10:15:32 2014
@@ -1205,9 +1205,10 @@
tsize_t tilesize = TIFFTileSize(out);
unsigned char *tilebuf = NULL;
- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
+ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+ return 1;
tile_buffsize = tilesize;
if (tilesize < (tsize_t)(tl * tile_rowsize))
Index: libtiff/tools/tiffdump.c
diff -u libtiff/tools/tiffdump.c:1.28 libtiff/tools/tiffdump.c:1.29
--- libtiff/tools/tiffdump.c:1.28 Sat Dec 6 10:58:44 2014
+++ libtiff/tools/tiffdump.c Sun Dec 21 10:15:32 2014
@@ -374,6 +374,8 @@
void* datamem;
uint64 dataoffset;
int datatruncated;
+ int datasizeoverflow;
+
tag = *(uint16*)dp;
if (swabflag)
TIFFSwabShort(&tag);
@@ -412,13 +414,14 @@
else
typewidth = datawidth[type];
datasize = count*typewidth;
+ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count);
datafits = 1;
datamem = dp;
dataoffset = 0;
datatruncated = 0;
if (!bigtiff)
{
- if (datasize>4)
+ if (datasizeoverflow || datasize>4)
{
uint32 dataoffset32;
datafits = 0;
@@ -432,7 +435,7 @@
}
else
{
- if (datasize>8)
+ if (datasizeoverflow || datasize>8)
{
datafits = 0;
datamem = NULL;
@@ -442,7 +445,7 @@
}
dp += sizeof(uint64);
}
- if (datasize>0x10000)
+ if (datasizeoverflow || datasize>0x10000)
{
datatruncated = 1;
count = 0x10000/typewidth;

47
erouault.2857.patch
View File

@ -1,47 +0,0 @@
---------------------
PatchSet 2857
Date: 2014/12/21 18:28:37
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data intepreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
Members:
ChangeLog:1.961->1.962
tools/tiffcp.c:1.50->1.51
Index: libtiff/tools/tiffcp.c
diff -u libtiff/tools/tiffcp.c:1.50 libtiff/tools/tiffcp.c:1.51
--- libtiff/tools/tiffcp.c:1.50 Tue Mar 5 22:35:09 2013
+++ libtiff/tools/tiffcp.c Sun Dec 21 11:28:37 2014
@@ -633,6 +633,12 @@
TIFFSetField(out, TIFFTAG_PHOTOMETRIC,
samplesperpixel == 1 ?
PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV);
+ else if (input_compression == COMPRESSION_JPEG &&
+ samplesperpixel == 3 ) {
+ /* RGB conversion was forced above
+ hence the output will be of the same type */
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB);
+ }
else
CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT);
if (fillorder != 0)

35
erouault.2858.patch
View File

@ -1,35 +0,0 @@
---------------------
PatchSet 2858
Date: 2014/12/21 19:36:36
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/tiff2pdf.c: check return code of TIFFGetField() when reading
TIFFTAG_SAMPLESPERPIXEL
Members:
ChangeLog:1.962->1.963
tools/tiff2pdf.c:1.78->1.79
Index: libtiff/tools/tiff2pdf.c
diff -u libtiff/tools/tiff2pdf.c:1.78 libtiff/tools/tiff2pdf.c:1.79
--- libtiff/tools/tiff2pdf.c:1.78 Sun Dec 21 10:15:32 2014
+++ libtiff/tools/tiff2pdf.c Sun Dec 21 12:36:36 2014
@@ -1166,7 +1166,15 @@
t2p->tiff_pages[i].page_tilecount;
if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
+ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) )
+ {
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Missing SamplesPerPixel, %s",
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
{
TIFFError(

47
erouault.2859.patch
View File

@ -1,47 +0,0 @@
---------------------
PatchSet 2859
Date: 2014/12/21 20:07:48
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
Members:
ChangeLog:1.963->1.964
libtiff/tif_next.c:1.14->1.15
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.14 libtiff/libtiff/tif_next.c:1.15
--- libtiff/libtiff/tif_next.c:1.14 Sun Dec 21 10:15:32 2014
+++ libtiff/libtiff/tif_next.c Sun Dec 21 13:07:48 2014
@@ -141,10 +141,27 @@
return (0);
}
+static int
+NeXTPreDecode(TIFF* tif, uint16 s)
+{
+ static const char module[] = "NeXTPreDecode";
+ TIFFDirectory *td = &tif->tif_dir;
+ (void)s;
+
+ if( td->td_bitspersample != 2 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
+ td->td_bitspersample);
+ return (0);
+ }
+ return (1);
+}
+
int
TIFFInitNeXT(TIFF* tif, int scheme)
{
(void) scheme;
+ tif->tif_predecode = NeXTPreDecode;
tif->tif_decoderow = NeXTDecode;
tif->tif_decodestrip = NeXTDecode;
tif->tif_decodetile = NeXTDecode;

85
erouault.2860.patch
View File

@ -1,85 +0,0 @@
---------------------
PatchSet 2860
Date: 2014/12/21 20:52:42
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4
http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
Members:
ChangeLog:1.964->1.965
tools/thumbnail.c:1.17->1.18
tools/tiffcmp.c:1.16->1.17
Index: libtiff/tools/thumbnail.c
diff -u libtiff/tools/thumbnail.c:1.17 libtiff/tools/thumbnail.c:1.18
--- libtiff/tools/thumbnail.c:1.17 Sun Dec 7 17:33:06 2014
+++ libtiff/tools/thumbnail.c Sun Dec 21 13:52:42 2014
@@ -274,7 +274,26 @@
{
struct cpTag *p;
for (p = tags; p < &tags[NTAGS]; p++)
- cpTag(in, out, p->tag, p->count, p->type);
+ {
+ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */
+ /* if we request a tag that is defined in a codec, but that codec */
+ /* isn't used */
+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX3 )
+ continue;
+ }
+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX4 )
+ continue;
+ }
+ cpTag(in, out, p->tag, p->count, p->type);
+ }
}
#undef NTAGS
Index: libtiff/tools/tiffcmp.c
diff -u libtiff/tools/tiffcmp.c:1.16 libtiff/tools/tiffcmp.c:1.17
--- libtiff/tools/tiffcmp.c:1.16 Wed Mar 10 13:56:50 2010
+++ libtiff/tools/tiffcmp.c Sun Dec 21 13:52:42 2014
@@ -260,6 +260,7 @@
static int
cmptags(TIFF* tif1, TIFF* tif2)
{
+ uint16 compression1, compression2;
CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType");
CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth");
CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength");
@@ -276,8 +277,20 @@
CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat");
CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution");
CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution");
- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
+ compression1 == COMPRESSION_CCITTFAX3 &&
+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
+ compression2 == COMPRESSION_CCITTFAX3 )
+ {
+ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
+ }
+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
+ compression1 == COMPRESSION_CCITTFAX4 &&
+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
+ compression2 == COMPRESSION_CCITTFAX4 )
+ {
+ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
+ }
CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit");
CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration");
CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip");

33
erouault.2861.patch
View File

@ -1,33 +0,0 @@
---------------------
PatchSet 2861
Date: 2014/12/21 21:53:59
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/thumbnail.c: fix out-of-buffer write
http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
Members:
ChangeLog:1.965->1.966
tools/thumbnail.c:1.18->1.19
Index: libtiff/tools/thumbnail.c
diff -u libtiff/tools/thumbnail.c:1.18 libtiff/tools/thumbnail.c:1.19
--- libtiff/tools/thumbnail.c:1.18 Sun Dec 21 13:52:42 2014
+++ libtiff/tools/thumbnail.c Sun Dec 21 14:53:59 2014
@@ -568,7 +568,13 @@
err -= limit;
sy++;
if (err >= limit)
- rows[nrows++] = br + bpr*sy;
+ {
+ /* We should perhaps error loudly, but I can't make sense of that */
+ /* code... */
+ if( nrows == 256 )
+ break;
+ rows[nrows++] = br + bpr*sy;
+ }
}
setrow(row, nrows, rows);
row += tnw;

44
erouault.2862.patch
View File

@ -1,44 +0,0 @@
---------------------
PatchSet 2862
Date: 2014/12/21 22:04:31
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES
copying. The right fix would be to properly copy it, but not worth the burden
for those esoteric utilities.
http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
Members:
ChangeLog:1.966->1.967
tools/pal2rgb.c:1.13->1.14
tools/thumbnail.c:1.19->1.20
Index: libtiff/tools/pal2rgb.c
diff -u libtiff/tools/pal2rgb.c:1.13 libtiff/tools/pal2rgb.c:1.14
--- libtiff/tools/pal2rgb.c:1.13 Fri Jul 2 07:02:56 2010
+++ libtiff/tools/pal2rgb.c Sun Dec 21 15:04:31 2014
@@ -372,7 +372,7 @@
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
Index: libtiff/tools/thumbnail.c
diff -u libtiff/tools/thumbnail.c:1.19 libtiff/tools/thumbnail.c:1.20
--- libtiff/tools/thumbnail.c:1.19 Sun Dec 21 14:53:59 2014
+++ libtiff/tools/thumbnail.c Sun Dec 21 15:04:31 2014
@@ -257,7 +257,7 @@
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },

31
erouault.2863.patch
View File

@ -1,31 +0,0 @@
---------------------
PatchSet 2863
Date: 2014/12/21 22:58:29
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/tiff2bw.c: when Photometric=RGB, the utility only works if
SamplesPerPixel = 3. Enforce that
http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
Members:
ChangeLog:1.967->1.968
tools/tiff2bw.c:1.16->1.17
Index: libtiff/tools/tiff2bw.c
diff -u libtiff/tools/tiff2bw.c:1.16 libtiff/tools/tiff2bw.c:1.17
--- libtiff/tools/tiff2bw.c:1.16 Thu May 2 09:44:29 2013
+++ libtiff/tools/tiff2bw.c Sun Dec 21 15:58:30 2014
@@ -171,6 +171,11 @@
argv[optind], samplesperpixel);
return (-1);
}
+ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
+ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
+ argv[optind], samplesperpixel);
+ return (-1);
+ }
TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
if (bitspersample != 8) {
fprintf(stderr,

90
erouault.2876.patch
View File

@ -1,90 +0,0 @@
---------------------
PatchSet 2876
Date: 2014/12/29 14:09:11
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* libtiff/tif_next.c: add new tests to check that we don't read outside of
the compressed input stream buffer.
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
Members:
ChangeLog:1.980->1.981
libtiff/tif_getimage.c:1.85->1.86
libtiff/tif_next.c:1.15->1.16
Index: libtiff/libtiff/tif_getimage.c
diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86
--- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014
+++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014
@@ -1871,7 +1871,7 @@
(void) y;
fromskew = (fromskew * 10) / 4;
- if ((h & 3) == 0 && (w & 1) == 0) {
+ if ((w & 3) == 0 && (h & 1) == 0) {
for (; h >= 2; h -= 2) {
x = w>>2;
do {
@@ -1948,7 +1948,7 @@
/* XXX adjust fromskew */
do {
x = w>>2;
- do {
+ while(x>0) {
int32 Cb = pp[4];
int32 Cr = pp[5];
@@ -1959,7 +1959,8 @@
cp += 4;
pp += 6;
- } while (--x);
+ x--;
+ }
if( (w&3) != 0 )
{
@@ -2050,7 +2051,7 @@
fromskew = (fromskew * 4) / 2;
do {
x = w>>1;
- do {
+ while(x>0) {
int32 Cb = pp[2];
int32 Cr = pp[3];
@@ -2059,7 +2060,8 @@
cp += 2;
pp += 4;
- } while (--x);
+ x --;
+ }
if( (w&1) != 0 )
{
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16
--- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014
+++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014
@@ -71,7 +71,7 @@
TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
return (0);
}
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
n = *bp++, cc--;
switch (n) {
case LITERALROW:
@@ -90,6 +90,8 @@
* The scanline has a literal span that begins at some
* offset.
*/
+ if( cc < 4 )
+ goto bad;
off = (bp[0] * 256) + bp[1];
n = (bp[2] * 256) + bp[3];
if (cc < 4+n || off+n > scanline)

34
tiff-4.0.3-CVE-2012-4564.patch
View File

@ -1,34 +0,0 @@
https://bugzilla.redhat.com/attachment.cgi?id=635949&action=diff
Index: tools/ppm2tiff.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v
--- tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16
+++ tools/ppm2tiff.c 31 Oct 2012 06:25:13 -0000
@@ -89,6 +89,7 @@
int c;
extern int optind;
extern char* optarg;
+ tmsize_t scanline_size;
if (argc < 2) {
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
@@ -237,8 +238,16 @@
}
if (TIFFScanlineSize(out) > linebytes)
buf = (unsigned char *)_TIFFmalloc(linebytes);
- else
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ else {
+ scanline_size = TIFFScanlineSize(out);
+ if (scanline_size != 0)
+ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ else {
+ fprintf(stderr, "%s: scanline size overflow\n",infile);
+ (void) TIFFClose(out);
+ exit(-2);
+ }
+ }
if (resolution > 0) {
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);

151
tiff-4.0.3-CVE-2013-1960.patch
View File

@ -1,151 +0,0 @@
https://bugzilla.novell.com/show_bug.cgi?id=817573#c1
CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in t2_process_jpeg_strip()
=======================================================================================
A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF image to a PDF document conversion tool, of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed write of TIFF image content into particular PDF document file, in the tp_process_jpeg_strip() function. A remote attacker could provide a specially-crafted TIFF image format file, that when processed by tiff2pdf would lead to tiff2pdf executable crash or, potentially, arbitrary code execution with the privileges of the user running the tiff2pdf binary.
Index: tools/tiff2pdf.c
===================================================================
--- tools/tiff2pdf.c.orig
+++ tools/tiff2pdf.c
@@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip(
uint32 height){
tsize_t i=0;
- uint16 ri =0;
- uint16 v_samp=1;
- uint16 h_samp=1;
- int j=0;
-
- i++;
-
- while(i<(*striplength)){
+
+ while (i < *striplength) {
+ tsize_t datalen;
+ uint16 ri;
+ uint16 v_samp;
+ uint16 h_samp;
+ int j;
+ int ncomp;
+
+ /* marker header: one or more FFs */
+ if (strip[i] != 0xff)
+ return(0);
+ i++;
+ while (i < *striplength && strip[i] == 0xff)
+ i++;
+ if (i >= *striplength)
+ return(0);
+ /* SOI is the only pre-SOS marker without a length word */
+ if (strip[i] == 0xd8)
+ datalen = 0;
+ else {
+ if ((*striplength - i) <= 2)
+ return(0);
+ datalen = (strip[i+1] << 8) | strip[i+2];
+ if (datalen < 2 || datalen >= (*striplength - i))
+ return(0);
+ }
switch( strip[i] ){
- case 0xd8:
- /* SOI - start of image */
+ case 0xd8: /* SOI - start of image */
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
*bufferoffset+=2;
- i+=2;
break;
- case 0xc0:
- case 0xc1:
- case 0xc3:
- case 0xc9:
- case 0xca:
+ case 0xc0: /* SOF0 */
+ case 0xc1: /* SOF1 */
+ case 0xc3: /* SOF3 */
+ case 0xc9: /* SOF9 */
+ case 0xca: /* SOF10 */
if(no==0){
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- for(j=0;j<buffer[*bufferoffset+9];j++){
- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ ncomp = buffer[*bufferoffset+9];
+ if (ncomp < 1 || ncomp > 4)
+ return(0);
+ v_samp=1;
+ h_samp=1;
+ for(j=0;j<ncomp;j++){
+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
+ if( (samp>>4) > h_samp)
+ h_samp = (samp>>4);
+ if( (samp & 0x0f) > v_samp)
+ v_samp = (samp & 0x0f);
}
v_samp*=8;
h_samp*=8;
@@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip(
(unsigned char) ((height>>8) & 0xff);
buffer[*bufferoffset+6]=
(unsigned char) (height & 0xff);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
-
+ *bufferoffset+=datalen+2;
+ /* insert a DRI marker */
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=0xdd;
buffer[(*bufferoffset)++]=0x00;
buffer[(*bufferoffset)++]=0x04;
buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
buffer[(*bufferoffset)++]= ri & 0xff;
- } else {
- i+=strip[i+2]+2;
}
break;
- case 0xc4:
- case 0xdb:
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
+ case 0xc4: /* DHT */
+ case 0xdb: /* DQT */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
break;
- case 0xda:
+ case 0xda: /* SOS */
if(no==0){
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
} else {
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=
(unsigned char)(0xd0 | ((no-1)%8));
- i+=strip[i+2]+2;
}
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
- *bufferoffset+=(*striplength)-i-1;
+ i += datalen + 1;
+ /* copy remainder of strip */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+ *bufferoffset+= *striplength - i;
return(1);
default:
- i+=strip[i+2]+2;
+ /* ignore any other marker */
+ break;
}
+ i += datalen + 1;
}
-
+ /* failed to find SOS marker */
return(0);
}
#endif

774
tiff-4.0.3-CVE-2013-1961.patch
View File

@ -1,774 +0,0 @@
https://bugzilla.novell.com/show_bug.cgi?id=817573#c1
CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed image-length and resolution
========================================================================================================
A stack-based buffer overflow was found in the way tiff2pdf, a TIFF image to a PDF document conversion tool, of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed write of TIFF image content into particular PDF document file, when malformed image-length and resolution values are used in the TIFF file. A remote attacker could provide a specially-crafted TIFF image format file, that when processed by tiff2pdf would lead to tiff2pdf executable crash.
Index: contrib/dbs/xtiff/xtiff.c
===================================================================
--- contrib/dbs/xtiff/xtiff.c.orig
+++ contrib/dbs/xtiff/xtiff.c
@@ -512,9 +512,9 @@ SetNameLabel()
Arg args[1];
if (tfMultiPage)
- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
else
- strcpy(buffer, fileName);
+ snprintf(buffer, sizeof(buffer), "%s", fileName);
XtSetArg(args[0], XtNlabel, buffer);
XtSetValues(labelWidget, args, 1);
}
Index: libtiff/tif_codec.c
===================================================================
--- libtiff/tif_codec.c.orig
+++ libtiff/tif_codec.c
@@ -108,7 +108,8 @@ _notConfigured(TIFF* tif)
const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
char compression_code[20];
- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
+ snprintf(compression_code, sizeof(compression_code), "%d",
+ tif->tif_dir.td_compression );
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"%s compression support is not configured",
c ? c->name : compression_code );
Index: libtiff/tif_dirinfo.c
===================================================================
--- libtiff/tif_dirinfo.c.orig
+++ libtiff/tif_dirinfo.c
@@ -711,7 +711,7 @@ _TIFFCreateAnonField(TIFF *tif, uint32 t
* note that this name is a special sign to TIFFClose() and
* _TIFFSetupFields() to free the field
*/
- sprintf(fld->field_name, "Tag %d", (int) tag);
+ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
return fld;
}
Index: tools/rgb2ycbcr.c
===================================================================
--- tools/rgb2ycbcr.c.orig
+++ tools/rgb2ycbcr.c
@@ -332,7 +332,8 @@ tiffcvt(TIFF* in, TIFF* out)
TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
{ char buf[2048];
char *cp = strrchr(TIFFFileName(in), '/');
- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
+ cp ? cp+1 : TIFFFileName(in));
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
}
TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
Index: tools/tiff2bw.c
===================================================================
--- tools/tiff2bw.c.orig
+++ tools/tiff2bw.c
@@ -205,7 +205,7 @@ main(int argc, char* argv[])
}
}
TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
- sprintf(thing, "B&W version of %s", argv[optind]);
+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
Index: tools/tiff2pdf.c
===================================================================
--- tools/tiff2pdf.c.orig
+++ tools/tiff2pdf.c
@@ -3609,7 +3609,9 @@ tsize_t t2p_write_pdf_header(T2P* t2p, T
char buffer[16];
int buflen=0;
- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff);
+ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
+ t2p->pdf_majorversion&0xff,
+ t2p->pdf_minorversion&0xff);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
@@ -3623,10 +3625,10 @@ tsize_t t2p_write_pdf_header(T2P* t2p, T
tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
- buflen=sprintf(buffer, "%lu", (unsigned long)number);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
written += t2pWriteFile(output, (tdata_t) buffer, buflen );
written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
@@ -3665,13 +3667,13 @@ tsize_t t2p_write_pdf_name(unsigned char
written += t2pWriteFile(output, (tdata_t) "/", 1);
for (i=0;i<namelen;i++){
if ( ((unsigned char)name[i]) < 0x21){
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
nextchar=1;
}
if ( ((unsigned char)name[i]) > 0x7E){
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
nextchar=1;
@@ -3679,57 +3681,57 @@ tsize_t t2p_write_pdf_name(unsigned char
if (nextchar==0){
switch (name[i]){
case 0x23:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x25:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x28:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x29:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x2F:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x3C:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x3E:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x5B:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x5D:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x7B:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x7D:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
@@ -3844,14 +3846,14 @@ tsize_t t2p_write_pdf_stream_end(TIFF* o
tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "/Length ", 8);
if(len!=0){
written += t2p_write_pdf_stream_length(len, output);
} else {
- buflen=sprintf(buffer, "%lu", (unsigned long)number);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
}
@@ -3892,10 +3894,10 @@ tsize_t t2p_write_pdf_stream_dict_end(TI
tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
- buflen=sprintf(buffer, "%lu", (unsigned long)len);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n", 1);
@@ -3909,7 +3911,7 @@ tsize_t t2p_write_pdf_stream_length(tsiz
tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output)
{
tsize_t written = 0;
- char buffer[16];
+ char buffer[32];
int buflen = 0;
written += t2pWriteFile(output,
@@ -3948,7 +3950,6 @@ tsize_t t2p_write_pdf_info(T2P* t2p, TIF
written += t2p_write_pdf_string(t2p->pdf_datetime, output);
}
written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11);
- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer));
snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION);
written += t2p_write_pdf_string(buffer, output);
written += t2pWriteFile(output, (tdata_t) "\n", 1);
@@ -4089,7 +4090,7 @@ tsize_t t2p_write_pdf_pages(T2P* t2p, TI
{
tsize_t written=0;
tdir_t i=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
int page=0;
@@ -4097,7 +4098,7 @@ tsize_t t2p_write_pdf_pages(T2P* t2p, TI
(tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26);
page = t2p->pdf_pages+1;
for (i=0;i<t2p->tiff_pagecount;i++){
- buflen=sprintf(buffer, "%d", page);
+ buflen=snprintf(buffer, sizeof(buffer), "%d", page);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
if ( ((i+1)%8)==0 ) {
@@ -4112,8 +4113,7 @@ tsize_t t2p_write_pdf_pages(T2P* t2p, TI
}
}
written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount);
+ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
@@ -4128,28 +4128,28 @@ tsize_t t2p_write_pdf_page(uint32 object
unsigned int i=0;
tsize_t written=0;
- char buffer[16];
+ char buffer[256];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "] \n", 3);
written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1));
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
@@ -4157,15 +4157,13 @@ tsize_t t2p_write_pdf_page(uint32 object
written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
written += t2pWriteFile(output, (tdata_t) "/Im", 3);
- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "_", 1);
- buflen = sprintf(buffer, "%u", i+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4177,12 +4175,10 @@ tsize_t t2p_write_pdf_page(uint32 object
} else {
written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
written += t2pWriteFile(output, (tdata_t) "/Im", 3);
- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4191,9 +4187,7 @@ tsize_t t2p_write_pdf_page(uint32 object
if(t2p->tiff_transferfunctioncount != 0) {
written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13);
t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object + 3));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4566,7 +4560,7 @@ tsize_t t2p_write_pdf_page_content_strea
if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){
for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){
box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box;
- buflen=sprintf(buffer,
+ buflen=snprintf(buffer, sizeof(buffer),
"q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n",
t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
box.mat[0],
@@ -4581,7 +4575,7 @@ tsize_t t2p_write_pdf_page_content_strea
}
} else {
box=t2p->pdf_imagebox;
- buflen=sprintf(buffer,
+ buflen=snprintf(buffer, sizeof(buffer),
"q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n",
t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
box.mat[0],
@@ -4606,59 +4600,48 @@ tsize_t t2p_write_pdf_xobject_stream_dic
TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output);
written += t2pWriteFile(output,
(tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im",
42);
- buflen=sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
if(tile != 0){
written += t2pWriteFile(output, (tdata_t) "_", 1);
- buflen=sprintf(buffer, "%lu", (unsigned long)tile);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
if(tile==0){
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width);
} else {
if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
} else {
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
}
}
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
if(tile==0){
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length);
} else {
if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
} else {
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
}
}
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
written += t2p_write_pdf_xobject_cs(t2p, output);
@@ -4702,11 +4685,10 @@ tsize_t t2p_write_pdf_xobject_cs(T2P* t2
t2p->pdf_colorspace ^= T2P_CS_PALETTE;
written += t2p_write_pdf_xobject_cs(t2p, output);
t2p->pdf_colorspace |= T2P_CS_PALETTE;
- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
+ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs );
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs );
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
return(written);
@@ -4740,10 +4722,10 @@ tsize_t t2p_write_pdf_xobject_cs(T2P* t2
X_W /= Y_W;
Z_W /= Y_W;
Y_W = 1.0F;
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
- buflen=sprintf(buffer, "[%d %d %d %d] \n",
+ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n",
t2p->pdf_labrange[0],
t2p->pdf_labrange[1],
t2p->pdf_labrange[2],
@@ -4759,26 +4741,26 @@ tsize_t t2p_write_pdf_xobject_cs(T2P* t2
tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25);
if(t2p->tiff_transferfunctioncount == 1){
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
} else {
written += t2pWriteFile(output, (tdata_t) "[ ", 2);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 2));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 3));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4800,7 +4782,7 @@ tsize_t t2p_write_pdf_transfer_dict(T2P*
written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17);
written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
- buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
+ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
@@ -4827,7 +4809,7 @@ tsize_t t2p_write_pdf_transfer_stream(T2
tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[128];
+ char buffer[256];
int buflen=0;
float X_W=0.0;
@@ -4895,16 +4877,16 @@ tsize_t t2p_write_pdf_xobject_calcs(T2P*
written += t2pWriteFile(output, (tdata_t) "<< \n", 4);
if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
}
if(t2p->pdf_colorspace & T2P_CS_CALRGB){
written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
X_R, Y_R, Z_R,
X_G, Y_G, Z_G,
X_B, Y_B, Z_B);
@@ -4923,11 +4905,11 @@ tsize_t t2p_write_pdf_xobject_calcs(T2P*
tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
@@ -4937,11 +4919,11 @@ tsize_t t2p_write_pdf_xobject_icccs(T2P*
tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "/N ", 3);
- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel);
+ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
@@ -5006,7 +4988,7 @@ tsize_t t2p_write_pdf_xobject_decode(T2P
tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
if(t2p->pdf_compression==T2P_COMPRESS_NONE){
@@ -5021,41 +5003,33 @@ tsize_t t2p_write_pdf_xobject_stream_fil
written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9);
if(tile==0){
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_width);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_length);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
@@ -5082,21 +5056,17 @@ tsize_t t2p_write_pdf_xobject_stream_fil
if(t2p->pdf_compressionquality%100){
written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
- _TIFFmemset(buffer, 0x00, 16);
- buflen = sprintf(buffer, "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_width);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
}
@@ -5116,16 +5086,16 @@ tsize_t t2p_write_pdf_xobject_stream_fil
tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[21];
+ char buffer[64];
int buflen=0;
uint32 i=0;
written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
for (i=0;i<t2p->pdf_xrefcount;i++){
- sprintf(buffer, "%.10lu 00000 n \n",
+ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n",
(unsigned long)t2p->pdf_xrefoffsets[i]);
written += t2pWriteFile(output, (tdata_t) buffer, 20);
}
@@ -5149,17 +5119,14 @@ tsize_t t2p_write_pdf_trailer(T2P* t2p,
snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand());
written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
+ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
sizeof(t2p->pdf_fileid) - 1);
@@ -5167,9 +5134,8 @@ tsize_t t2p_write_pdf_trailer(T2P* t2p,
written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
sizeof(t2p->pdf_fileid) - 1);
written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
return(written);
Index: tools/tiff2ps.c
===================================================================
--- tools/tiff2ps.c.orig
+++ tools/tiff2ps.c
@@ -1781,8 +1781,8 @@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui
imageOp = "imagemask";
(void)strcpy(im_x, "0");
- (void)sprintf(im_y, "%lu", (long) h);
- (void)sprintf(im_h, "%lu", (long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
+ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
tile_width = w;
tile_height = h;
if (TIFFIsTiled(tif)) {
@@ -1803,7 +1803,7 @@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui
}
if (tile_height < h) {
fputs("/im_y 0 def\n", fd);
- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
}
} else {
repeat_count = tf_numberstrips;
@@ -1815,7 +1815,7 @@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui
fprintf(fd, "/im_h %lu def\n",
(unsigned long) tile_height);
(void)strcpy(im_h, "im_h");
- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
}
}
Index: tools/tiffcrop.c
===================================================================
--- tools/tiffcrop.c.orig
+++ tools/tiffcrop.c
@@ -2077,7 +2077,7 @@ update_output_file (TIFF **tiffout, char
return 1;
}
- sprintf (filenum, "-%03d%s", findex, export_ext);
+ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
filenum[14] = '\0';
strncat (exportname, filenum, 15);
}
@@ -2230,8 +2230,8 @@ main(int argc, char* argv[])
/* dump.infilename is guaranteed to be NUL termimated and have 20 bytes
fewer than PATH_MAX */
- memset (temp_filename, '\0', PATH_MAX + 1);
- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
+ dump.infilename, dump_images,
(dump.format == DUMP_TEXT) ? "txt" : "raw");
if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
{
@@ -2249,8 +2249,8 @@ main(int argc, char* argv[])
/* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes
fewer than PATH_MAX */
- memset (temp_filename, '\0', PATH_MAX + 1);
- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
+ dump.outfilename, dump_images,
(dump.format == DUMP_TEXT) ? "txt" : "raw");
if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
{
Index: tools/tiffdither.c
===================================================================
--- tools/tiffdither.c.orig
+++ tools/tiffdither.c
@@ -260,7 +260,7 @@ main(int argc, char* argv[])
TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
else
CopyField(TIFFTAG_FILLORDER, shortv);
- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
CopyField(TIFFTAG_PHOTOMETRIC, shortv);
CopyField(TIFFTAG_ORIENTATION, shortv);

19
tiff-4.0.3-CVE-2013-4231.patch
View File

@ -1,19 +0,0 @@
Index: gif2tiff.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/gif2tiff.c,v
retrieving revision 1.12
diff -u -r1.12 gif2tiff.c
--- tools/gif2tiff.c 15 Dec 2010 00:22:44 -0000 1.12
+++ tools/gif2tiff.c 13 Aug 2013 08:25:38 -0000
@@ -333,6 +333,10 @@
int status = 1;
datasize = getc(infile);
+
+ if (datasize > 12)
+ return 0;
+
clear = 1 << datasize;
eoi = clear + 1;
avail = clear + 2;

16
tiff-4.0.3-CVE-2013-4232.patch
View File

@ -1,16 +0,0 @@
Index: tiff2pdf.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
retrieving revision 1.71
diff -u -r1.71 tiff2pdf.c
--- tools/tiff2pdf.c 2 May 2013 14:54:08 -0000 1.71
+++ toolstiff2pdf.c 13 Aug 2013 04:45:40 -0000
@@ -2462,6 +2462,7 @@
TIFFFileName(input));
t2p->t2p_error = T2P_ERR_ERROR;
_TIFFfree(buffer);
+ return(0);
} else {
buffer=samplebuffer;
t2p->tiff_datasize *= t2p->tiff_samplesperpixel;

37
tiff-4.0.3-CVE-2013-4243.patch
View File

@ -1,37 +0,0 @@
Index: tools/gif2tiff.c
===================================================================
--- tools/gif2tiff.c.orig
+++ tools/gif2tiff.c
@@ -280,6 +280,10 @@ readgifimage(char* mode)
fprintf(stderr, "no colormap present for image\n");
return (0);
}
+ if (width == 0 || height == 0) {
+ fprintf(stderr, "Invalid value of width or height\n");
+ return(0);
+ }
if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
fprintf(stderr, "not enough memory for image\n");
return (0);
@@ -406,6 +410,10 @@ process(register int code, unsigned char
fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
return 0;
}
+ if (*fill >= raster + width*height) {
+ fprintf(stderr, "raster full before eoi code\n");
+ return 0;
+ }
*(*fill)++ = suffix[code];
firstchar = oldcode = code;
return 1;
@@ -436,6 +444,10 @@ process(register int code, unsigned char
}
oldcode = incode;
do {
+ if (*fill >= raster + width*height) {
+ fprintf(stderr, "raster full before eoi code\n");
+ return 0;
+ }
*(*fill)++ = *--stackp;
} while (stackp > stack);
return 1;

19
tiff-4.0.3-CVE-2013-4244.patch
View File

@ -1,19 +0,0 @@
Index: gif2tiff.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/gif2tiff.c,v
retrieving revision 1.12
diff -u -r1.12 gif2tiff.c
--- tools/gif2tiff.c 15 Dec 2010 00:22:44 -0000 1.12
+++ tools/gif2tiff.c 14 Aug 2013 04:28:07 -0000
@@ -398,6 +398,10 @@
}
if (oldcode == -1) {
+ if (code >= clear) {
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
*(*fill)++ = suffix[code];
firstchar = oldcode = code;
return 1;

13
tiff-4.0.3-double-free.patch
View File

@ -1,13 +0,0 @@
Index: tools/tiff2pdf.c
===================================================================
--- tools/tiff2pdf.c.orig
+++ tools/tiff2pdf.c
@@ -2436,7 +2436,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p
TIFFReadEncodedStrip(input,
i,
(tdata_t) &buffer[bufferoffset],
- stripsize);
+ TIFFmin(stripsize, t2p->tiff_datasize - bufferoffset));
if(read==-1){
TIFFError(TIFF2PDF_MODULE,
"Error on decoding strip %u of %s",

30
tiff-4.0.3-test-jpeg-turbo.patch
View File

@ -1,30 +0,0 @@
From ChangeLog:
* test/raw_decode.c (main): Test fixes to work with IJG JPEG 7+.
IJG JPEG 7+ uses a different upsampling algorithm which produces
different numeric results.
this seems not apply for libjpeg-turbo. Sent to tiff@lists.maptools.org
on 2012-11-05.
Index: tiff-4.0.3/test/raw_decode.c
===================================================================
--- tiff-4.0.3.orig/test/raw_decode.c
+++ tiff-4.0.3/test/raw_decode.c
@@ -191,7 +191,7 @@ main(int argc, char **argv)
return 1;
}
-#if JPEG_LIB_VERSION >= 70
+#if JPEG_LIB_VERSION >= 70 && !defined(LIBJPEG_TURBO_VERSION)
pixel_status |= check_rgb_pixel( 0, 18, 0, 41, buffer );
pixel_status |= check_rgb_pixel( 64, 0, 0, 0, buffer );
pixel_status |= check_rgb_pixel( 512, 5, 34, 196, buffer );
@@ -224,7 +224,7 @@ main(int argc, char **argv)
* accomplish it from the YCbCr subsampled buffer ourselves in which
* case the results may be subtly different but similar.
*/
-#if JPEG_LIB_VERSION >= 70
+#if JPEG_LIB_VERSION >= 70 && !defined(LIBJPEG_TURBO_VERSION)
pixel_status |= check_rgba_pixel( 0, 18, 0, 41, 255, rgba_buffer );
pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 255, rgba_buffer );
pixel_status |= check_rgba_pixel( 512, 5, 34, 196, 255, rgba_buffer );

12
tiff-4.0.3-tiff2pdf-colors.patch
View File

@ -1,12 +0,0 @@
diff -urN tiff-4.0.1.orig/tools/tiff2pdf.c tiff-4.0.1/tools/tiff2pdf.c
--- tiff-4.0.1.orig/tools/tiff2pdf.c 2012-03-29 01:03:15.656848587 +0800
+++ tiff-4.0.1/tools/tiff2pdf.c 2012-03-29 01:03:27.591699381 +0800
@@ -4991,7 +4991,7 @@
if(t2p->tiff_photometric != PHOTOMETRIC_YCBCR) {
written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
- written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 0 >>\n", 24);
+ written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 1 >>\n", 24);
}
break;
#endif

3
tiff-4.0.3.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872
size 2051630

3
tiff-4.0.4.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8cb1d90c96f61cdfc0bcf036acc251c9dbe6320334da941c7a83cfe1576ef890
size 2100766

16
tiff-dither-malloc-check.patch
View File

@ -1,16 +0,0 @@
Index: tools/tiffdither.c
===================================================================
--- tools/tiffdither.c.orig 2015-02-18 13:06:47.972867055 +0100
+++ tools/tiffdither.c 2015-02-18 13:12:03.759562692 +0100
@@ -77,6 +77,11 @@
outlinesize = TIFFScanlineSize(out);
outline = (unsigned char *) _TIFFmalloc(outlinesize);
+ if (! (inputline && thisline && nextline && outline)) {
+ fprintf(stderr, "Out of memory.\n");
+ return;
+ }
+
/*
* Get first line
*/

12
tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
View File

@ -1,12 +0,0 @@
Index: libtiff/tif_dirinfo.c
===================================================================
--- libtiff/tif_dirinfo.c.orig 2015-02-20 10:55:07.511497649 +0100
+++ libtiff/tif_dirinfo.c 2015-02-20 18:25:36.187965859 +0100
@@ -141,6 +141,7 @@
{ TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL },
{ TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
{ TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
/* begin DNG tags */
{ TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
{ TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },

12
tiff-handle-TIFFTAG_PREDICTOR.patch
View File

@ -1,12 +0,0 @@
Index: libtiff/tif_dirinfo.c
===================================================================
--- libtiff/tif_dirinfo.c.orig 2015-02-20 18:38:55.798039584 +0100
+++ libtiff/tif_dirinfo.c 2015-02-20 18:58:50.474095885 +0100
@@ -142,6 +142,7 @@
{ TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
{ TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
+ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL },
/* begin DNG tags */
{ TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
{ TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },

28
tiff.changes
View File

@ -1,3 +1,31 @@
-------------------------------------------------------------------
Wed Jul 1 07:17:13 UTC 2015 - pgajdos@suse.com
- update to 4.0.4
D tiff-4.0.3-double-free.patch
D tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
D tiff-4.0.3-CVE-2013-1961.patch
D erouault.2862.patch
D bfriesen.2805.patch
D tiff-4.0.3-CVE-2013-4232.patch
D tiff-4.0.3-CVE-2013-4244.patch
D erouault.2861.patch
D erouault.2857.patch
D erouault.2856.patch
D erouault.2859.patch
D tiff-4.0.3-CVE-2012-4564.patch
D tiff-4.0.3-tiff2pdf-colors.patch
D erouault.2876.patch
D erouault.2860.patch
D tiff-dither-malloc-check.patch
D tiff-4.0.3-CVE-2013-1960.patch
D erouault.2858.patch
D tiff-handle-TIFFTAG_PREDICTOR.patch
D tiff-4.0.3-CVE-2013-4231.patch
D tiff-4.0.3-CVE-2013-4243.patch
D erouault.2863.patch
D tiff-4.0.3-test-jpeg-turbo.patch
-------------------------------------------------------------------
Thu Feb 26 13:58:54 UTC 2015 - pgajdos@suse.com

53
tiff.spec
View File

@ -37,7 +37,7 @@ Obsoletes: tiff-64bit
%if 0%{?suse_version} > 1210
BuildRequires: libjbig-devel
%endif
Version: 4.0.3
Version: 4.0.4
Release: 0
Summary: Tools for Converting from and to the Tiff Format
License: HPND
@ -46,33 +46,9 @@ Url: http://www.remotesensing.org/libtiff
Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Source2: README.SUSE
Source3: baselibs.conf
Patch0: tiff-%{version}-test-jpeg-turbo.patch
Patch1: tiff-%{version}-seek.patch
Patch2: tiff-%{version}-tiff2pdf-colors.patch
Patch3: tiff-%{version}-CVE-2012-4564.patch
Patch4: tiff-%{version}-CVE-2013-1961.patch
Patch5: tiff-%{version}-CVE-2013-1960.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2443
Patch6: tiff-%{version}-double-free.patch
Patch0: tiff-4.0.3-seek.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2442
Patch7: tiff-%{version}-compress-warning.patch
Patch8: tiff-4.0.3-CVE-2013-4232.patch
Patch9: tiff-4.0.3-CVE-2013-4231.patch
Patch10: tiff-4.0.3-CVE-2013-4244.patch
Patch11: tiff-4.0.3-CVE-2013-4243.patch
Patch12: erouault.2856.patch
Patch13: erouault.2857.patch
Patch14: erouault.2858.patch
Patch15: erouault.2859.patch
Patch16: erouault.2860.patch
Patch17: erouault.2861.patch
Patch18: erouault.2862.patch
Patch19: erouault.2863.patch
Patch20: erouault.2876.patch
Patch21: bfriesen.2805.patch
Patch22: tiff-dither-malloc-check.patch
Patch23: tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
Patch24: tiff-handle-TIFFTAG_PREDICTOR.patch
Patch1: tiff-4.0.3-compress-warning.patch
# FYI: this issue is solved another way
# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
@ -119,29 +95,6 @@ the libtiff library.
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3
%patch4
%patch5
%patch6
%patch7 -p1
%patch8
%patch9
%patch10
%patch11
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22
%patch23
%patch24
%build
CFLAGS="$RPM_OPT_FLAGS -fPIE"