From 3cc206640a0d8d399510a3f0a8ab9d179a99e83e9c2d1814e24960ffbb071c44 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Mon, 6 Sep 2010 13:07:10 +0000
Subject: [PATCH] - fixed "Possibly exploitable memory corruption issue in libtiff"
(see http://bugzilla.maptools.org/show_bug.cgi?id=2228)
[bnc#624215]
* scanlinesize.patch
- fixed crash while using libjpeg7 and higher
* dont-fancy-upsampling.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=23
---
tiff-3.9.4-dont-fancy-upsampling.patch | 12 +++++
tiff-3.9.4-scanlinesize.patch | 65 ++++++++++++++++++++++++++
tiff.changes | 10 ++++
tiff.spec | 4 ++
4 files changed, 91 insertions(+)
create mode 100644 tiff-3.9.4-dont-fancy-upsampling.patch
create mode 100644 tiff-3.9.4-scanlinesize.patch
diff --git a/tiff-3.9.4-dont-fancy-upsampling.patch b/tiff-3.9.4-dont-fancy-upsampling.patch
new file mode 100644
index 0000000..8e84e9c
--- /dev/null
+++ b/tiff-3.9.4-dont-fancy-upsampling.patch
@@ -0,0 +1,12 @@
+Index: tiff-3.9.4/libtiff/tif_jpeg.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_jpeg.c
++++ tiff-3.9.4/libtiff/tif_jpeg.c
+@@ -850,6 +850,7 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
+ if (downsampled_output) {
+ /* Need to use raw-data interface to libjpeg */
+ sp->cinfo.d.raw_data_out = TRUE;
++ sp->cinfo.d.do_fancy_upsampling = FALSE;
+ tif->tif_decoderow = JPEGDecodeRaw;
+ tif->tif_decodestrip = JPEGDecodeRaw;
+ tif->tif_decodetile = JPEGDecodeRaw;
diff --git a/tiff-3.9.4-scanlinesize.patch b/tiff-3.9.4-scanlinesize.patch
new file mode 100644
index 0000000..d16c62d
--- /dev/null
+++ b/tiff-3.9.4-scanlinesize.patch
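Review bot: The new `sp->cinfo.d.do_fancy_upsampling = FALSE;` carries no comment saying why the raw-data path needs it, and the commit message only records that it avoids a crash with libjpeg 7 and later. A one-line comment next to it would spare the next maintainer a bisect, e.g. `/* libjpeg >= 7: keep raw-data output at the true downsampled component sizes; fancy upsampling changes them and breaks JPEGDecodeRaw */` — the mechanism is inferred from the changelog, so confirm it against the libjpeg release notes before settling the wording. The flag is cleared for every libjpeg version, not only 7+, which looks harmless because raw_data_out skips the upsampling stage, but that should be stated too. JPEGPreDecode begins and ends outside the hunk.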
@@ -0,0 +1,65 @@
+diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
+--- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500
+@@ -988,8 +988,15 @@
+ tsize_t nrows;
+ (void) s;
+
+- /* data is expected to be read in multiples of a scanline */
+- if ( (nrows = sp->cinfo.d.image_height) ) {
++ nrows = cc / sp->bytesperline;
++ if (cc % sp->bytesperline)
++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
++
++ if( nrows > (int) sp->cinfo.d.image_height )
++ nrows = sp->cinfo.d.image_height;
++
++ /* data is expected to be read in multiples of a scanline */
++ if (nrows) {
+ /* Cb,Cr both have sampling factors 1, so this is correct */
+ JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
+ int samples_per_clump = sp->samplesperclump;
+@@ -1087,8 +1094,7 @@
+ * TODO: resolve this */
+ buf += sp->bytesperline;
+ cc -= sp->bytesperline;
+- nrows -= sp->v_sampling;
+- } while (nrows > 0);
++ } while (--nrows > 0);
+
+ #ifdef JPEG_LIB_MK1
+ _TIFFfree(tmpbuf);
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500
+@@ -238,23 +238,19 @@
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
+
+- if (ycbcrsubsampling[0] == 0) {
++ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Invalid YCbCr subsampling");
+ return 0;
+ }
+
+- scanline = TIFFroundup(td->td_imagewidth,
++ /* number of sample clumps per line */
++ scanline = TIFFhowmany(td->td_imagewidth,
+ ycbcrsubsampling[0]);
+- scanline = TIFFhowmany8(multiply(tif, scanline,
+- td->td_bitspersample,
+- "TIFFScanlineSize"));
+- return ((tsize_t)
+- summarize(tif, scanline,
+- multiply(tif, 2,
+- scanline / ycbcrsubsampling[0],
+- "TIFFVStripSize"),
+- "TIFFVStripSize"));
++ /* number of samples per line */
++ scanline = multiply(tif, scanline,
++ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
++ "TIFFScanlineSize");
+ } else {
+ scanline = multiply(tif, td->td_imagewidth,
+ td->td_samplesperpixel,
diff --git a/tiff.changes b/tiff.changes
index ededea8..8c94679 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Sep 6 14:56:09 CEST 2010 - pgajdos@suse.cz
+
+- fixed "Possibly exploitable memory corruption issue in libtiff"
+ (see http://bugzilla.maptools.org/show_bug.cgi?id=2228)
+ [bnc#624215]
+ * scanlinesize.patch
+- fixed crash while using libjpeg7 and higher
+ * dont-fancy-upsampling.patch
+
 -------------------------------------------------------------------
 Mon Jul 12 16:36:48 CEST 2010 - pgajdos@suse.cz
diff --git a/tiff.spec b/tiff.spec
index f517ddc..9400bdf 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -38,6 +38,8 @@ Patch2: tiff-%{version}-seek.patch
 Patch3: tiff-%{version}-tiff2pdf-colors.patch
 Patch6: tiff-%{version}-oob-read.patch
 Patch7: tiff-%{version}-getimage-64bit.patch
+Patch8: tiff-%{version}-scanlinesize.patch
+Patch9: tiff-%{version}-dont-fancy-upsampling.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -101,6 +103,8 @@ the libtiff library.
 %patch3 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755