pool/tiff
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1094296 from graphics

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1094296
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=91
This commit is contained in:
Dominique Leuenberger 2023-06-22 21:24:58 +00:00 committed by Git OBS Bridge
commit 7741b6198a
9 changed files with 40 additions and 324 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tiff-4.5.0.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dafac979c5e7b6c650025569c5a4e720995ba5f17bc17e6276d1f12427be267c
size 2320900

BIN
tiff-4.5.0.tar.xz.sig
View File

Binary file not shown.

3
tiff-4.5.1.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3c080867114c26edab3129644a63b708028a90514b7fe3126e38e11d24f9f88a
size 2228040

BIN
tiff-4.5.1.tar.xz.sig Normal file
View File

Binary file not shown.

13
tiff-CVE-2022-48281.patch
View File

@ -1,13 +0,0 @@
Index: tiff-4.5.0/tools/tiffcrop.c
===================================================================
--- tiff-4.5.0.orig/tools/tiffcrop.c
+++ tiff-4.5.0/tools/tiffcrop.c
@@ -8591,7 +8591,7 @@ static int processCropSelections(struct
cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
- prev_cropsize = seg_buffs[0].size;
+ prev_cropsize = seg_buffs[i].size;
if (prev_cropsize < cropsize)
{
next_buff = _TIFFrealloc(

187
tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch
View File

@ -1,187 +0,0 @@
Index: tiff-4.5.0/tools/tiffcrop.c
===================================================================
--- tiff-4.5.0.orig/tools/tiffcrop.c
+++ tiff-4.5.0/tools/tiffcrop.c
@@ -296,7 +296,6 @@ struct region
uint32_t width; /* width in pixels */
uint32_t length; /* length in pixels */
uint32_t buffsize; /* size of buffer needed to hold the cropped region */
- unsigned char *buffptr; /* address of start of the region */
};
/* Cropping parameters from command line and image data
@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uin
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **);
+ unsigned char **, size_t *, int);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_ma
cps->regionlist[i].width = 0;
cps->regionlist[i].length = 0;
cps->regionlist[i].buffsize = 0;
- cps->regionlist[i].buffptr = NULL;
cps->zonelist[i].position = 0;
cps->zonelist[i].total = 0;
}
@@ -7241,9 +7239,13 @@ static int correct_orientation(struct im
(uint16_t)(image->adjustments & ROTATE_ANY));
return (-1);
}
-
- if (rotateImage(rotation, image, &image->width, &image->length,
- work_buff_ptr))
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
+ TRUE))
{
TIFFError("correct_orientation", "Unable to rotate image");
return (-1);
@@ -7312,7 +7314,6 @@ static int extractCompositeRegions(struc
/* These should not be needed for composite images */
crop->regionlist[i].width = crop_width;
crop->regionlist[i].length = crop_length;
- crop->regionlist[i].buffptr = crop_buff;
src_rowsize = ((img_width * bps * spp) + 7) / 8;
dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -7573,7 +7574,6 @@ static int extractSeparateRegion(struct
crop->regionlist[region].width = crop_width;
crop->regionlist[region].length = crop_length;
- crop->regionlist[region].buffptr = crop_buff;
src = read_buff;
dst = crop_buff;
@@ -8563,8 +8563,13 @@ static int processCropSelections(struct
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can
reallocate the buffer */
{
+ /* rotateImage() set up a new buffer and calculates its size
+ * individually. Therefore, seg_buffs size needs to be updated
+ * accordingly. */
+ size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, &rot_buf_size,
+ FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %" PRIu32
@@ -8573,9 +8578,7 @@ static int processCropSelections(struct
return (-1);
}
seg_buffs[0].buffer = crop_buff;
- seg_buffs[0].size =
- (((crop->combined_width * image->bps + 7) / 8) * image->spp) *
- crop->combined_length;
+ seg_buffs[0].size = rot_buf_size;
}
}
else /* Separated Images */
@@ -8686,10 +8689,14 @@ static int processCropSelections(struct
* ->yres, what it schouldn't do here, when more than one
* section is processed. ToDo: Therefore rotateImage() and its
* usage has to be reworked (e.g. like mirrorImage()) !!
- */
+ * Furthermore, rotateImage() set up a new buffer and calculates
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image,
&crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ &crop->regionlist[i].length, &crop_buff,
+ &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %" PRIu16
@@ -8702,10 +8709,7 @@ static int processCropSelections(struct
crop->combined_width = total_width;
crop->combined_length = total_length;
seg_buffs[i].buffer = crop_buff;
- seg_buffs[i].size =
- (((crop->regionlist[i].width * image->bps + 7) / 8) *
- image->spp) *
- crop->regionlist[i].length;
+ seg_buffs[i].size = rot_buf_size;
}
} /* for crop->selections loop */
} /* Separated Images (else case) */
@@ -8836,7 +8840,7 @@ static int createCroppedImage(struct ima
CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %" PRIu16
@@ -9552,7 +9556,8 @@ static int rotateContigSamples32bits(uin
/* Rotate an image by a multiple of 90 degrees clockwise */
static int rotateImage(uint16_t rotation, struct image_data *image,
uint32_t *img_width, uint32_t *img_length,
- unsigned char **ibuff_ptr)
+ unsigned char **ibuff_ptr, size_t *rot_buf_size,
+ int rot_image_params)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
@@ -9610,6 +9615,8 @@ static int rotateImage(uint16_t rotation
return (-1);
}
_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (rot_buf_size != NULL)
+ *rot_buf_size = buffsize;
ibuff = *ibuff_ptr;
switch (rotation)
@@ -9768,11 +9775,15 @@ static int rotateImage(uint16_t rotation
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
case 270:
@@ -9855,11 +9866,15 @@ static int rotateImage(uint16_t rotation
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
default:
break;

112
tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch
View File

@ -1,112 +0,0 @@
Index: tiff-4.5.0/tools/tiffcrop.c
===================================================================
--- tiff-4.5.0.orig/tools/tiffcrop.c
+++ tiff-4.5.0/tools/tiffcrop.c
@@ -5930,18 +5930,40 @@ static int computeInputPixelOffsets(stru
crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize;
+
+ /* For composite images with more than one region, the
+ * combined_length or combined_width always needs to be equal,
+ * respectively.
+ * Otherwise, even the first section/region copy
+ * action might cause buffer overrun. */
if (crop->img_mode == COMPOSITE_IMAGES)
{
switch (crop->edge_ref)
{
case EDGE_LEFT:
case EDGE_RIGHT:
+ if (i > 0 && zlength != crop->combined_length)
+ {
+ TIFFError(
+ "computeInputPixelOffsets",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (-1);
+ }
crop->combined_length = zlength;
crop->combined_width += zwidth;
break;
case EDGE_BOTTOM:
case EDGE_TOP: /* width from left, length from top */
default:
+ if (i > 0 && zwidth != crop->combined_width)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Only equal width regions can be "
+ "combined for -E "
+ "top or bottom");
+ return (-1);
+ }
crop->combined_width = zwidth;
crop->combined_length += zlength;
break;
@@ -7300,6 +7322,46 @@ static int extractCompositeRegions(struc
crop->combined_width = 0;
crop->combined_length = 0;
+ /* If there is more than one region, check beforehand whether all the width
+ * and length values of the regions are the same, respectively. */
+ switch (crop->edge_ref)
+ {
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_width0 =
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+ uint32_t crop_width1 =
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ if (crop_width0 != crop_width1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal width regions can be combined for -E "
+ "top or bottom");
+ return (1);
+ }
+ }
+ break;
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_length0 =
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+ uint32_t crop_length1 =
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (crop_length0 != crop_length1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (1);
+ }
+ }
+ }
+
for (i = 0; i < crop->selections; i++)
{
/* rows, columns, width, length are expressed in pixels */
@@ -7323,7 +7385,8 @@ static int extractCompositeRegions(struc
default:
case EDGE_TOP:
case EDGE_BOTTOM:
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+ if ((crop->selections > i + 1) &&
+ (crop_width != crop->regionlist[i + 1].width))
{
TIFFError("extractCompositeRegions",
"Only equal width regions can be combined for -E "
@@ -7416,7 +7479,8 @@ static int extractCompositeRegions(struc
case EDGE_LEFT: /* splice the pieces of each row together, side by
side */
case EDGE_RIGHT:
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+ if ((crop->selections > i + 1) &&
+ (crop_length != crop->regionlist[i + 1].length))
{
TIFFError("extractCompositeRegions",
"Only equal length regions can be combined for "

35
tiff.changes
View File

@ -1,3 +1,38 @@
-------------------------------------------------------------------
Tue Jun 20 07:16:56 UTC 2023 - Martin Pluskal <mpluskal@suse.com>
- Update to version 4.5.1:
* Definition of tags reformatted (clang-format off) for better readability of tag comments in tiff.h and tif_dirinfo.c
* Do not install libtiff-4.pc when tiff-install is reset.
* Add versioninfo resource files for DLL and tools compiled with Windows MSVC and MINGW.
* Disable clang-formatting for tif_config.h.cmake.in and tiffconf.h.cmake.in because sensitive for CMake scripts.
* CMake: make WebP component name compatible with upstream ConfigWebP.cmake
* CMake: make Findliblzma with upstream CMake config file
* CMake: FindDeflate.cmake: fix several errors (issue #526).
* CMake: FindLERC.cmake: version string return added.
* CMake: export TiffConfig.cmake and TiffConfigVersion.cmake files
* CMake: fix export of INTERFACE_INCLUDE_DIRECTORIES
* Hardcode HOST_FILLORDER to FILLORDER_LSB2MSB and make 'H' flag of TIFFOpen() to warn and an alias of FILLORDER_MSB2LSB. tif_lerc.c: use WORDS_BIGENDIAN instead of HOST_BIGENDIAN.
* Optimize relative seeking within TIFFSetDirectory() by using the learned list of IFD offsets.
* Improve internal IFD offset and directory number map handling.
* Behavior of TIFFOpen() mode "r+" in the Windows implementation adjusted to that of Linux.
* TIFFDirectory td_fieldsset type changed from unsigned long, which can be 32 or 64 bits, to uint32_t (fixes issue #484).
* tif_ojpeg.c: checking for division by zero (fixes issue #554).
* LZWDecode(): avoid crash when trying to read again from a strip whith a missing end-of-information marker (fixes issue #548).
* Fixed runtime error: applying zero offset to null pointer in countInkNamesString().
* Fixing crash in TIFFUnlinkDirectory() when called with directory number zero ("TIFFUnlinkDirectory(0)") as well as fixing incorrect behaviour when unlinking the first directory.
* tif_luv: check and correct for NaN data in uv_encode() (issue #530).
* TIFFClose() avoid NULL pointer dereferencing (issue #515).
* tif_hash_set.c: include tif_hash_set.h after tif_config.h to let a chance for GDAL symbol renaming trick.
* Fax3: fix failure to decode some fax3 number_of_images and add test for Fax3 decoding issues (issue #513).
* TIFFSetDirectory() and TIFFWriteDirectorySec() avoid harmless unsigned-integer-overflow (due to gdal oss-fuzz #54311 and #54343).
* tif_ojpeg.c: fix issue #554 by checking for division by zero in OJPEGWriteHeaderInfo().
* LZWDecode(): avoid crash when trying to read again from a strip whith a missing end-of-information marker (issue #548).
- Drop no longer needed patches:
* tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch
* tiff-CVE-2022-48281.patch
* tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch
-------------------------------------------------------------------
Wed Feb 22 15:05:33 UTC 2023 - Michael Vetter <mvetter@suse.com>

11
tiff.spec
View File

@ -19,7 +19,7 @@
%define asan_build 0
%define debug_build 0
Name: tiff
Version: 4.5.0
Version: 4.5.1
Release: 0
Summary: Tools for Converting from and to the Tagged Image File Format
License: HPND
@ -33,12 +33,6 @@ Source99: tiff.keyring
Patch0: tiff-4.0.3-seek.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2442
Patch1: tiff-4.0.3-compress-warning.patch
# PATCH-FIX-UPSTREAM mvetter@suse.com tiff-CVE-2022-48281.patch -- bsc#1207413
Patch2: tiff-CVE-2022-48281.patch
# PATCH-FIX-UPSTREAM mvetter@suse.com -- bsc#1208226 bsc#1208227 bsc#1208228 bsc#1208229 bsc#1208230
Patch3: tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch
# PATCH-FIX-UPSTREAM mvetter@suse.com -- bsc#1208231 bsc#1208232 bsc#1208233 bsc#1208234 bsc#1208236
Patch4: tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch
BuildRequires: gcc-c++
BuildRequires: libjbig-devel
BuildRequires: libjpeg-devel
@ -116,8 +110,7 @@ for i in tools test; do
(cd $i && make %{?_smp_mflags} check)
done
%post -n libtiff6 -p /sbin/ldconfig
%postun -n libtiff6 -p /sbin/ldconfig
%ldconfig_scriptlets -n libtiff6
%files
%{_bindir}/*