From bcaa13d660b4224188bc3bad6b383feb61452b468fc345f427ef4d5e4bae08f5 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Thu, 7 Jan 2010 17:50:34 +0000 Subject: [PATCH 01/10] Accepting request 28145 from home:jengelh:branches:graphics Copy from home:jengelh:branches:graphics/tiff via accept of submit request 28145 revision 5. Request was accepted with message: Reviewed ok OBS-URL: https://build.opensuse.org/request/show/28145 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=6 --- jpegint.h | 392 ++++++++++++++++++ ready | 0 tiff-3.8.2-CVE-2009-2347.patch | 170 ++++++++ tiff-3.8.2-bnc444079.patch | 11 + tiff-3.8.2-lzw-CVE-2009-2285.patch | 20 + ...-3.9.2-seek.patch => tiff-3.8.2-seek.patch | 6 +- tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch | 41 ++ tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch | 19 + tiff-3.8.2-tiff2pdf.patch | 11 + tiff-3.8.2-tiffsplit-CVE-2006-2656.patch | 19 + tiff-3.8.2.tar.bz2 | 3 + tiff-3.9.2.tar.bz2 | 3 - tiff-am.patch | 11 + tiff.changes | 6 - tiff.spec | 33 +- 15 files changed, 723 insertions(+), 22 deletions(-) create mode 100644 jpegint.h create mode 100644 ready create mode 100644 tiff-3.8.2-CVE-2009-2347.patch create mode 100644 tiff-3.8.2-bnc444079.patch create mode 100644 tiff-3.8.2-lzw-CVE-2009-2285.patch rename tiff-3.9.2-seek.patch => tiff-3.8.2-seek.patch (74%) create mode 100644 tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch create mode 100644 tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch create mode 100644 tiff-3.8.2-tiff2pdf.patch create mode 100644 tiff-3.8.2-tiffsplit-CVE-2006-2656.patch create mode 100644 tiff-3.8.2.tar.bz2 delete mode 100644 tiff-3.9.2.tar.bz2 create mode 100644 tiff-am.patch diff --git a/jpegint.h b/jpegint.h new file mode 100644 index 0000000..bdcf0a2 --- /dev/null +++ b/jpegint.h @@ -0,0 +1,392 @@ +/* + * jpegint.h + * + * Copyright (C) 1991-1997, Thomas G. Lane. + * This file is part of the Independent JPEG Group's software. + * For conditions of distribution and use, see the accompanying README file. + * + * This file provides common declarations for the various JPEG modules. + * These declarations are considered internal to the JPEG library; most + * applications using the library shouldn't need to include this file. + */ + + +/* Declarations for both compression & decompression */ + +typedef enum { /* Operating modes for buffer controllers */ + JBUF_PASS_THRU, /* Plain stripwise operation */ + /* Remaining modes require a full-image buffer to have been created */ + JBUF_SAVE_SOURCE, /* Run source subobject only, save output */ + JBUF_CRANK_DEST, /* Run dest subobject only, using saved data */ + JBUF_SAVE_AND_PASS /* Run both subobjects, save output */ +} J_BUF_MODE; + +/* Values of global_state field (jdapi.c has some dependencies on ordering!) */ +#define CSTATE_START 100 /* after create_compress */ +#define CSTATE_SCANNING 101 /* start_compress done, write_scanlines OK */ +#define CSTATE_RAW_OK 102 /* start_compress done, write_raw_data OK */ +#define CSTATE_WRCOEFS 103 /* jpeg_write_coefficients done */ +#define DSTATE_START 200 /* after create_decompress */ +#define DSTATE_INHEADER 201 /* reading header markers, no SOS yet */ +#define DSTATE_READY 202 /* found SOS, ready for start_decompress */ +#define DSTATE_PRELOAD 203 /* reading multiscan file in start_decompress*/ +#define DSTATE_PRESCAN 204 /* performing dummy pass for 2-pass quant */ +#define DSTATE_SCANNING 205 /* start_decompress done, read_scanlines OK */ +#define DSTATE_RAW_OK 206 /* start_decompress done, read_raw_data OK */ +#define DSTATE_BUFIMAGE 207 /* expecting jpeg_start_output */ +#define DSTATE_BUFPOST 208 /* looking for SOS/EOI in jpeg_finish_output */ +#define DSTATE_RDCOEFS 209 /* reading file in jpeg_read_coefficients */ +#define DSTATE_STOPPING 210 /* looking for EOI in jpeg_finish_decompress */ + + +/* Declarations for compression modules */ + +/* Master control module */ +struct jpeg_comp_master { + JMETHOD(void, prepare_for_pass, (j_compress_ptr cinfo)); + JMETHOD(void, pass_startup, (j_compress_ptr cinfo)); + JMETHOD(void, finish_pass, (j_compress_ptr cinfo)); + + /* State variables made visible to other modules */ + boolean call_pass_startup; /* True if pass_startup must be called */ + boolean is_last_pass; /* True during last pass */ +}; + +/* Main buffer control (downsampled-data buffer) */ +struct jpeg_c_main_controller { + JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); + JMETHOD(void, process_data, (j_compress_ptr cinfo, + JSAMPARRAY input_buf, JDIMENSION *in_row_ctr, + JDIMENSION in_rows_avail)); +}; + +/* Compression preprocessing (downsampling input buffer control) */ +struct jpeg_c_prep_controller { + JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); + JMETHOD(void, pre_process_data, (j_compress_ptr cinfo, + JSAMPARRAY input_buf, + JDIMENSION *in_row_ctr, + JDIMENSION in_rows_avail, + JSAMPIMAGE output_buf, + JDIMENSION *out_row_group_ctr, + JDIMENSION out_row_groups_avail)); +}; + +/* Coefficient buffer control */ +struct jpeg_c_coef_controller { + JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); + JMETHOD(boolean, compress_data, (j_compress_ptr cinfo, + JSAMPIMAGE input_buf)); +}; + +/* Colorspace conversion */ +struct jpeg_color_converter { + JMETHOD(void, start_pass, (j_compress_ptr cinfo)); + JMETHOD(void, color_convert, (j_compress_ptr cinfo, + JSAMPARRAY input_buf, JSAMPIMAGE output_buf, + JDIMENSION output_row, int num_rows)); +}; + +/* Downsampling */ +struct jpeg_downsampler { + JMETHOD(void, start_pass, (j_compress_ptr cinfo)); + JMETHOD(void, downsample, (j_compress_ptr cinfo, + JSAMPIMAGE input_buf, JDIMENSION in_row_index, + JSAMPIMAGE output_buf, + JDIMENSION out_row_group_index)); + + boolean need_context_rows; /* TRUE if need rows above & below */ +}; + +/* Forward DCT (also controls coefficient quantization) */ +struct jpeg_forward_dct { + JMETHOD(void, start_pass, (j_compress_ptr cinfo)); + /* perhaps this should be an array??? */ + JMETHOD(void, forward_DCT, (j_compress_ptr cinfo, + jpeg_component_info * compptr, + JSAMPARRAY sample_data, JBLOCKROW coef_blocks, + JDIMENSION start_row, JDIMENSION start_col, + JDIMENSION num_blocks)); +}; + +/* Entropy encoding */ +struct jpeg_entropy_encoder { + JMETHOD(void, start_pass, (j_compress_ptr cinfo, boolean gather_statistics)); + JMETHOD(boolean, encode_mcu, (j_compress_ptr cinfo, JBLOCKROW *MCU_data)); + JMETHOD(void, finish_pass, (j_compress_ptr cinfo)); +}; + +/* Marker writing */ +struct jpeg_marker_writer { + JMETHOD(void, write_file_header, (j_compress_ptr cinfo)); + JMETHOD(void, write_frame_header, (j_compress_ptr cinfo)); + JMETHOD(void, write_scan_header, (j_compress_ptr cinfo)); + JMETHOD(void, write_file_trailer, (j_compress_ptr cinfo)); + JMETHOD(void, write_tables_only, (j_compress_ptr cinfo)); + /* These routines are exported to allow insertion of extra markers */ + /* Probably only COM and APPn markers should be written this way */ + JMETHOD(void, write_marker_header, (j_compress_ptr cinfo, int marker, + unsigned int datalen)); + JMETHOD(void, write_marker_byte, (j_compress_ptr cinfo, int val)); +}; + + +/* Declarations for decompression modules */ + +/* Master control module */ +struct jpeg_decomp_master { + JMETHOD(void, prepare_for_output_pass, (j_decompress_ptr cinfo)); + JMETHOD(void, finish_output_pass, (j_decompress_ptr cinfo)); + + /* State variables made visible to other modules */ + boolean is_dummy_pass; /* True during 1st pass for 2-pass quant */ +}; + +/* Input control module */ +struct jpeg_input_controller { + JMETHOD(int, consume_input, (j_decompress_ptr cinfo)); + JMETHOD(void, reset_input_controller, (j_decompress_ptr cinfo)); + JMETHOD(void, start_input_pass, (j_decompress_ptr cinfo)); + JMETHOD(void, finish_input_pass, (j_decompress_ptr cinfo)); + + /* State variables made visible to other modules */ + boolean has_multiple_scans; /* True if file has multiple scans */ + boolean eoi_reached; /* True when EOI has been consumed */ +}; + +/* Main buffer control (downsampled-data buffer) */ +struct jpeg_d_main_controller { + JMETHOD(void, start_pass, (j_decompress_ptr cinfo, J_BUF_MODE pass_mode)); + JMETHOD(void, process_data, (j_decompress_ptr cinfo, + JSAMPARRAY output_buf, JDIMENSION *out_row_ctr, + JDIMENSION out_rows_avail)); +}; + +/* Coefficient buffer control */ +struct jpeg_d_coef_controller { + JMETHOD(void, start_input_pass, (j_decompress_ptr cinfo)); + JMETHOD(int, consume_data, (j_decompress_ptr cinfo)); + JMETHOD(void, start_output_pass, (j_decompress_ptr cinfo)); + JMETHOD(int, decompress_data, (j_decompress_ptr cinfo, + JSAMPIMAGE output_buf)); + /* Pointer to array of coefficient virtual arrays, or NULL if none */ + jvirt_barray_ptr *coef_arrays; +}; + +/* Decompression postprocessing (color quantization buffer control) */ +struct jpeg_d_post_controller { + JMETHOD(void, start_pass, (j_decompress_ptr cinfo, J_BUF_MODE pass_mode)); + JMETHOD(void, post_process_data, (j_decompress_ptr cinfo, + JSAMPIMAGE input_buf, + JDIMENSION *in_row_group_ctr, + JDIMENSION in_row_groups_avail, + JSAMPARRAY output_buf, + JDIMENSION *out_row_ctr, + JDIMENSION out_rows_avail)); +}; + +/* Marker reading & parsing */ +struct jpeg_marker_reader { + JMETHOD(void, reset_marker_reader, (j_decompress_ptr cinfo)); + /* Read markers until SOS or EOI. + * Returns same codes as are defined for jpeg_consume_input: + * JPEG_SUSPENDED, JPEG_REACHED_SOS, or JPEG_REACHED_EOI. + */ + JMETHOD(int, read_markers, (j_decompress_ptr cinfo)); + /* Read a restart marker --- exported for use by entropy decoder only */ + jpeg_marker_parser_method read_restart_marker; + + /* State of marker reader --- nominally internal, but applications + * supplying COM or APPn handlers might like to know the state. + */ + boolean saw_SOI; /* found SOI? */ + boolean saw_SOF; /* found SOF? */ + int next_restart_num; /* next restart number expected (0-7) */ + unsigned int discarded_bytes; /* # of bytes skipped looking for a marker */ +}; + +/* Entropy decoding */ +struct jpeg_entropy_decoder { + JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); + JMETHOD(boolean, decode_mcu, (j_decompress_ptr cinfo, + JBLOCKROW *MCU_data)); + + /* This is here to share code between baseline and progressive decoders; */ + /* other modules probably should not use it */ + boolean insufficient_data; /* set TRUE after emitting warning */ +}; + +/* Inverse DCT (also performs dequantization) */ +typedef JMETHOD(void, inverse_DCT_method_ptr, + (j_decompress_ptr cinfo, jpeg_component_info * compptr, + JCOEFPTR coef_block, + JSAMPARRAY output_buf, JDIMENSION output_col)); + +struct jpeg_inverse_dct { + JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); + /* It is useful to allow each component to have a separate IDCT method. */ + inverse_DCT_method_ptr inverse_DCT[MAX_COMPONENTS]; +}; + +/* Upsampling (note that upsampler must also call color converter) */ +struct jpeg_upsampler { + JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); + JMETHOD(void, upsample, (j_decompress_ptr cinfo, + JSAMPIMAGE input_buf, + JDIMENSION *in_row_group_ctr, + JDIMENSION in_row_groups_avail, + JSAMPARRAY output_buf, + JDIMENSION *out_row_ctr, + JDIMENSION out_rows_avail)); + + boolean need_context_rows; /* TRUE if need rows above & below */ +}; + +/* Colorspace conversion */ +struct jpeg_color_deconverter { + JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); + JMETHOD(void, color_convert, (j_decompress_ptr cinfo, + JSAMPIMAGE input_buf, JDIMENSION input_row, + JSAMPARRAY output_buf, int num_rows)); +}; + +/* Color quantization or color precision reduction */ +struct jpeg_color_quantizer { + JMETHOD(void, start_pass, (j_decompress_ptr cinfo, boolean is_pre_scan)); + JMETHOD(void, color_quantize, (j_decompress_ptr cinfo, + JSAMPARRAY input_buf, JSAMPARRAY output_buf, + int num_rows)); + JMETHOD(void, finish_pass, (j_decompress_ptr cinfo)); + JMETHOD(void, new_color_map, (j_decompress_ptr cinfo)); +}; + + +/* Miscellaneous useful macros */ + +#undef MAX +#define MAX(a,b) ((a) > (b) ? (a) : (b)) +#undef MIN +#define MIN(a,b) ((a) < (b) ? (a) : (b)) + + +/* We assume that right shift corresponds to signed division by 2 with + * rounding towards minus infinity. This is correct for typical "arithmetic + * shift" instructions that shift in copies of the sign bit. But some + * C compilers implement >> with an unsigned shift. For these machines you + * must define RIGHT_SHIFT_IS_UNSIGNED. + * RIGHT_SHIFT provides a proper signed right shift of an INT32 quantity. + * It is only applied with constant shift counts. SHIFT_TEMPS must be + * included in the variables of any routine using RIGHT_SHIFT. + */ + +#ifdef RIGHT_SHIFT_IS_UNSIGNED +#define SHIFT_TEMPS INT32 shift_temp; +#define RIGHT_SHIFT(x,shft) \ + ((shift_temp = (x)) < 0 ? \ + (shift_temp >> (shft)) | ((~((INT32) 0)) << (32-(shft))) : \ + (shift_temp >> (shft))) +#else +#define SHIFT_TEMPS +#define RIGHT_SHIFT(x,shft) ((x) >> (shft)) +#endif + + +/* Short forms of external names for systems with brain-damaged linkers. */ + +#ifdef NEED_SHORT_EXTERNAL_NAMES +#define jinit_compress_master jICompress +#define jinit_c_master_control jICMaster +#define jinit_c_main_controller jICMainC +#define jinit_c_prep_controller jICPrepC +#define jinit_c_coef_controller jICCoefC +#define jinit_color_converter jICColor +#define jinit_downsampler jIDownsampler +#define jinit_forward_dct jIFDCT +#define jinit_huff_encoder jIHEncoder +#define jinit_phuff_encoder jIPHEncoder +#define jinit_marker_writer jIMWriter +#define jinit_master_decompress jIDMaster +#define jinit_d_main_controller jIDMainC +#define jinit_d_coef_controller jIDCoefC +#define jinit_d_post_controller jIDPostC +#define jinit_input_controller jIInCtlr +#define jinit_marker_reader jIMReader +#define jinit_huff_decoder jIHDecoder +#define jinit_phuff_decoder jIPHDecoder +#define jinit_inverse_dct jIIDCT +#define jinit_upsampler jIUpsampler +#define jinit_color_deconverter jIDColor +#define jinit_1pass_quantizer jI1Quant +#define jinit_2pass_quantizer jI2Quant +#define jinit_merged_upsampler jIMUpsampler +#define jinit_memory_mgr jIMemMgr +#define jdiv_round_up jDivRound +#define jround_up jRound +#define jcopy_sample_rows jCopySamples +#define jcopy_block_row jCopyBlocks +#define jzero_far jZeroFar +#define jpeg_zigzag_order jZIGTable +#define jpeg_natural_order jZAGTable +#endif /* NEED_SHORT_EXTERNAL_NAMES */ + + +/* Compression module initialization routines */ +EXTERN(void) jinit_compress_master JPP((j_compress_ptr cinfo)); +EXTERN(void) jinit_c_master_control JPP((j_compress_ptr cinfo, + boolean transcode_only)); +EXTERN(void) jinit_c_main_controller JPP((j_compress_ptr cinfo, + boolean need_full_buffer)); +EXTERN(void) jinit_c_prep_controller JPP((j_compress_ptr cinfo, + boolean need_full_buffer)); +EXTERN(void) jinit_c_coef_controller JPP((j_compress_ptr cinfo, + boolean need_full_buffer)); +EXTERN(void) jinit_color_converter JPP((j_compress_ptr cinfo)); +EXTERN(void) jinit_downsampler JPP((j_compress_ptr cinfo)); +EXTERN(void) jinit_forward_dct JPP((j_compress_ptr cinfo)); +EXTERN(void) jinit_huff_encoder JPP((j_compress_ptr cinfo)); +EXTERN(void) jinit_phuff_encoder JPP((j_compress_ptr cinfo)); +EXTERN(void) jinit_marker_writer JPP((j_compress_ptr cinfo)); +/* Decompression module initialization routines */ +EXTERN(void) jinit_master_decompress JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_d_main_controller JPP((j_decompress_ptr cinfo, + boolean need_full_buffer)); +EXTERN(void) jinit_d_coef_controller JPP((j_decompress_ptr cinfo, + boolean need_full_buffer)); +EXTERN(void) jinit_d_post_controller JPP((j_decompress_ptr cinfo, + boolean need_full_buffer)); +EXTERN(void) jinit_input_controller JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_marker_reader JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_huff_decoder JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_phuff_decoder JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_inverse_dct JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_upsampler JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_color_deconverter JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_1pass_quantizer JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_2pass_quantizer JPP((j_decompress_ptr cinfo)); +EXTERN(void) jinit_merged_upsampler JPP((j_decompress_ptr cinfo)); +/* Memory manager initialization */ +EXTERN(void) jinit_memory_mgr JPP((j_common_ptr cinfo)); + +/* Utility routines in jutils.c */ +EXTERN(long) jdiv_round_up JPP((long a, long b)); +EXTERN(long) jround_up JPP((long a, long b)); +EXTERN(void) jcopy_sample_rows JPP((JSAMPARRAY input_array, int source_row, + JSAMPARRAY output_array, int dest_row, + int num_rows, JDIMENSION num_cols)); +EXTERN(void) jcopy_block_row JPP((JBLOCKROW input_row, JBLOCKROW output_row, + JDIMENSION num_blocks)); +EXTERN(void) jzero_far JPP((void FAR * target, size_t bytestozero)); +/* Constant tables in jutils.c */ +#if 0 /* This table is not actually needed in v6a */ +extern const int jpeg_zigzag_order[]; /* natural coef order to zigzag order */ +#endif +extern const int jpeg_natural_order[]; /* zigzag coef order to natural order */ + +/* Suppress undefined-structure complaints if necessary. */ + +#ifdef INCOMPLETE_TYPES_BROKEN +#ifndef AM_MEMORY_MANAGER /* only jmemmgr.c defines these */ +struct jvirt_sarray_control { long dummy; }; +struct jvirt_barray_control { long dummy; }; +#endif +#endif /* INCOMPLETE_TYPES_BROKEN */ diff --git a/ready b/ready new file mode 100644 index 0000000..473a0f4 diff --git a/tiff-3.8.2-CVE-2009-2347.patch b/tiff-3.8.2-CVE-2009-2347.patch new file mode 100644 index 0000000..9f1a6b5 --- /dev/null +++ b/tiff-3.8.2-CVE-2009-2347.patch @@ -0,0 +1,170 @@ +Fix several places in tiff2rgba and rgb2ycbcr that were being careless about +possible integer overflow in calculation of buffer sizes. + +CVE-2009-2347 + + +diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c +--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400 ++++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400 +@@ -202,6 +202,17 @@ + #undef LumaBlue + #undef V2Code + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + /* + * Convert a strip of RGB data to YCbCr and + * sample to generate the output data. +@@ -278,10 +289,19 @@ + float floatv; + char *stringv; + uint32 longv; ++ tsize_t raster_size; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c +--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500 ++++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400 +@@ -124,6 +124,17 @@ + return (0); + } + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + static int + cvt_by_tile( TIFF *in, TIFF *out ) + +@@ -133,6 +144,7 @@ + uint32 tile_width, tile_height; + uint32 row, col; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -150,7 +162,14 @@ + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) tile_width, (unsigned long) tile_height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -158,7 +177,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + if (!wrk_line) { +@@ -226,6 +245,7 @@ + uint32 width, height; /* image width & height */ + uint32 row; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -241,7 +261,14 @@ + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) rowsperstrip); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -249,7 +276,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + if (!wrk_line) { +@@ -328,14 +355,22 @@ + uint32* raster; /* retrieve RGBA image */ + uint32 width, height; /* image width & height */ + uint32 row; +- ++ tsize_t raster_size; ++ + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); + + rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -353,7 +388,7 @@ + */ + if( no_alpha ) + { +- int pixel_count = width * height; ++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height; + unsigned char *src, *dst; + + src = (unsigned char *) raster; + diff --git a/tiff-3.8.2-bnc444079.patch b/tiff-3.8.2-bnc444079.patch new file mode 100644 index 0000000..11efbb7 --- /dev/null +++ b/tiff-3.8.2-bnc444079.patch @@ -0,0 +1,11 @@ +--- libtiff/tif_dirread.c ++++ libtiff/tif_dirread.c +@@ -870,7 +870,7 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); diff --git a/tiff-3.8.2-lzw-CVE-2009-2285.patch b/tiff-3.8.2-lzw-CVE-2009-2285.patch new file mode 100644 index 0000000..36933a7 --- /dev/null +++ b/tiff-3.8.2-lzw-CVE-2009-2285.patch @@ -0,0 +1,20 @@ +--- libtiff/tif_lzw.c ++++ libtiff/tif_lzw.c +@@ -422,7 +422,7 @@ + if (code == CODE_EOI) + break; + +- if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); +@@ -625,7 +625,7 @@ + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; +- if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); diff --git a/tiff-3.9.2-seek.patch b/tiff-3.8.2-seek.patch similarity index 74% rename from tiff-3.9.2-seek.patch rename to tiff-3.8.2-seek.patch index 674cd81..2efff14 100644 --- a/tiff-3.9.2-seek.patch +++ b/tiff-3.8.2-seek.patch @@ -1,8 +1,6 @@ -Index: libtiff/tiffiop.h -=================================================================== ---- libtiff/tiffiop.h.orig +--- libtiff/tiffiop.h +++ libtiff/tiffiop.h -@@ -209,7 +209,7 @@ struct tiff { +@@ -184,7 +184,7 @@ #define TIFFWriteFile(tif, buf, size) \ ((*(tif)->tif_writeproc)((tif)->tif_clientdata,buf,size)) #define TIFFSeekFile(tif, off, whence) \ diff --git a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch b/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch new file mode 100644 index 0000000..4f581fc --- /dev/null +++ b/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch @@ -0,0 +1,41 @@ +--- libtiff/tif_lzw.c ++++ libtiff/tif_lzw.c +@@ -237,6 +237,11 @@ + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); + } + return (1); + } +@@ -416,6 +421,13 @@ + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -613,6 +625,12 @@ + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; diff --git a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch b/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch new file mode 100644 index 0000000..7e18b07 --- /dev/null +++ b/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch @@ -0,0 +1,19 @@ +--- libtiff/tif_lzw.c ++++ libtiff/tif_lzw.c +@@ -408,6 +408,8 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; +@@ -604,6 +606,7 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; diff --git a/tiff-3.8.2-tiff2pdf.patch b/tiff-3.8.2-tiff2pdf.patch new file mode 100644 index 0000000..2403a1b --- /dev/null +++ b/tiff-3.8.2-tiff2pdf.patch @@ -0,0 +1,11 @@ +--- tools/tiff2pdf.c ++++ tools/tiff2pdf.c +@@ -3668,7 +3668,7 @@ + written += TIFFWriteFile(output, (tdata_t) "(", 1); + for (i=0;i 2) +- strcpy(fname, argv[2]); ++ snprintf(fname, sizeof(fname), "%s", argv[2]); + in = TIFFOpen(argv[1], "r"); + if (in != NULL) { + do { + char path[1024+1]; + newfilename(); +- strcpy(path, fname); +- strcat(path, ".tif"); ++ snprintf(path, sizeof(path), "%s.tif", fname); + out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); + if (out == NULL) + return (-2); diff --git a/tiff-3.8.2.tar.bz2 b/tiff-3.8.2.tar.bz2 new file mode 100644 index 0000000..cd90277 --- /dev/null +++ b/tiff-3.8.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6d33a5ef592c832372c6aa3ae397437a7382f603871863071440ffe909aadb03 +size 1095536 diff --git a/tiff-3.9.2.tar.bz2 b/tiff-3.9.2.tar.bz2 deleted file mode 100644 index 9e8ff12..0000000 --- a/tiff-3.9.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c8952149cbcd937ac620f913981dc0ffc7db79696c2f0d559b71d5cd51721e6e -size 1160792 diff --git a/tiff-am.patch b/tiff-am.patch new file mode 100644 index 0000000..3cff9d3 --- /dev/null +++ b/tiff-am.patch @@ -0,0 +1,11 @@ +--- Makefile.am ++++ Makefile.am +@@ -26,7 +26,7 @@ + docdir = $(LIBTIFF_DOCDIR) + + AUTOMAKE_OPTIONS = dist-zip foreign +-ACLOCAL_AMFLAGS = -I ./m4 ++ACLOCAL_AMFLAGS = -I m4 + + docfiles = \ + COPYRIGHT \ diff --git a/tiff.changes b/tiff.changes index d77c763..2a7b7f2 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,9 +1,3 @@ -------------------------------------------------------------------- -Tue Mar 16 13:37:23 CET 2010 - pgajdos@suse.cz - -- updated to 3.9.2: fixed many CVE's and obsoletes almost all - our patches (see ChangeLog for details) - ------------------------------------------------------------------- Tue Dec 15 19:38:18 CET 2009 - jengelh@medozas.de diff --git a/tiff.spec b/tiff.spec index e8b2683..55efb8e 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,7 +1,7 @@ # -# spec file for package tiff (Version 3.9.2) +# spec file for package tiff (Version 3.8.2) # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,16 +28,22 @@ Obsoletes: tiff-64bit %endif # Url: http://www.remotesensing.org/libtiff/ -Version: 3.9.2 -Release: 1 +Version: 3.8.2 +Release: 144 Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 +Source1: jpegint.h Source2: README.SUSE -Source3: baselibs.conf +Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch -# FYI: this issue is solved another way -# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 -# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch +Patch3: tiff-%{version}-tiff2pdf.patch +Patch4: tiff-%{version}-tiffsplit-CVE-2006-2656.patch +Patch5: tiff-%{version}-tif_lzw.c-CVE-2008-2327.patch +Patch6: tiff-%{version}-tif_lzw.c-CVE-2008-2327-2.patch +Patch7: tiff-am.patch +Patch8: tiff-3.8.2-bnc444079.patch +Patch9: tiff-3.8.2-lzw-CVE-2009-2285.patch +Patch10: tiff-%{version}-CVE-2009-2347.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -95,6 +101,15 @@ the libtiff library. %prep %setup -q %patch2 +%patch3 +%patch4 +%patch5 +%patch6 +%patch7 +%patch8 +%patch9 +%patch10 -p1 +cp %{S:1} libtiff find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 @@ -130,7 +145,7 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root) /usr/bin/* %doc html -%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DAT +%doc README COPYRIGHT %doc %{_mandir}/man1/* %files -n libtiff3 From 96a02c1aebac79d73a0a3db2feeea0ab34c3bd0c5d2edeba2c95fe97d404d690 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Fri, 8 Jan 2010 16:32:36 +0000 Subject: [PATCH 02/10] checked in OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=7 --- tiff.changes | 6 ------ tiff.spec | 3 +-- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/tiff.changes b/tiff.changes index 2a7b7f2..dbc40d8 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,9 +1,3 @@ -------------------------------------------------------------------- -Tue Dec 15 19:38:18 CET 2009 - jengelh@medozas.de - -- add baselibs.conf as a source -- enable parallel building - ------------------------------------------------------------------- Thu Aug 6 14:02:07 CEST 2009 - pgajdos@suse.cz diff --git a/tiff.spec b/tiff.spec index 55efb8e..255d8fc 100644 --- a/tiff.spec +++ b/tiff.spec @@ -34,7 +34,6 @@ Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source1: jpegint.h Source2: README.SUSE -Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch Patch3: tiff-%{version}-tiff2pdf.patch Patch4: tiff-%{version}-tiffsplit-CVE-2006-2656.patch @@ -118,7 +117,7 @@ rm m4/ltversion.m4 m4/ltsugar.m4 m4/ltoptions.m4 m4/libtool.m4 autoreconf --force --install -v CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fstack-protector" \ ./configure --prefix=/usr --mandir=%{_mandir} --libdir=%{_libdir} --disable-static -make %{?_smp_mflags} +make %install mkdir -p $RPM_BUILD_ROOT/{%{_mandir}/{man1,man3},usr/{bin,lib,include}} From 29f870502ff8d6ead71d5e66f7e07c9feeef331dda659d89c5302f60189f21c0 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Fri, 19 Feb 2010 15:34:57 +0000 Subject: [PATCH 03/10] converted link to branch OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=8 --- tiff.changes | 6 ++++++ tiff.spec | 7 ++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/tiff.changes b/tiff.changes index dbc40d8..2a7b7f2 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Dec 15 19:38:18 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source +- enable parallel building + ------------------------------------------------------------------- Thu Aug 6 14:02:07 CEST 2009 - pgajdos@suse.cz diff --git a/tiff.spec b/tiff.spec index 255d8fc..3c449a6 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,7 +1,7 @@ # # spec file for package tiff (Version 3.8.2) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,11 +29,12 @@ Obsoletes: tiff-64bit # Url: http://www.remotesensing.org/libtiff/ Version: 3.8.2 -Release: 144 +Release: 145 Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source1: jpegint.h Source2: README.SUSE +Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch Patch3: tiff-%{version}-tiff2pdf.patch Patch4: tiff-%{version}-tiffsplit-CVE-2006-2656.patch @@ -117,7 +118,7 @@ rm m4/ltversion.m4 m4/ltsugar.m4 m4/ltoptions.m4 m4/libtool.m4 autoreconf --force --install -v CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fstack-protector" \ ./configure --prefix=/usr --mandir=%{_mandir} --libdir=%{_libdir} --disable-static -make +make %{?_smp_mflags} %install mkdir -p $RPM_BUILD_ROOT/{%{_mandir}/{man1,man3},usr/{bin,lib,include}} From 959663707718872d0e9a5c1fa65180a9547b0a8ac10e40555bdb281489451e46 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Tue, 16 Mar 2010 13:09:34 +0000 Subject: [PATCH 04/10] - updated to 3.9.2: fixed many CVE's and obsoletes almost all our patches (see ChangeLog for details) OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=9 --- jpegint.h | 392 ------------------ tiff-3.8.2-CVE-2009-2347.patch | 170 -------- tiff-3.8.2-bnc444079.patch | 11 - tiff-3.8.2-lzw-CVE-2009-2285.patch | 20 - tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch | 41 -- tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch | 19 - tiff-3.8.2-tiff2pdf.patch | 11 - tiff-3.8.2-tiffsplit-CVE-2006-2656.patch | 19 - tiff-3.8.2.tar.bz2 | 3 - ...-3.8.2-seek.patch => tiff-3.9.2-seek.patch | 6 +- tiff-3.9.2.tar.bz2 | 3 + tiff-am.patch | 11 - tiff.changes | 6 + tiff.spec | 23 +- 14 files changed, 17 insertions(+), 718 deletions(-) delete mode 100644 jpegint.h delete mode 100644 tiff-3.8.2-CVE-2009-2347.patch delete mode 100644 tiff-3.8.2-bnc444079.patch delete mode 100644 tiff-3.8.2-lzw-CVE-2009-2285.patch delete mode 100644 tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch delete mode 100644 tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch delete mode 100644 tiff-3.8.2-tiff2pdf.patch delete mode 100644 tiff-3.8.2-tiffsplit-CVE-2006-2656.patch delete mode 100644 tiff-3.8.2.tar.bz2 rename tiff-3.8.2-seek.patch => tiff-3.9.2-seek.patch (74%) create mode 100644 tiff-3.9.2.tar.bz2 delete mode 100644 tiff-am.patch diff --git a/jpegint.h b/jpegint.h deleted file mode 100644 index bdcf0a2..0000000 --- a/jpegint.h +++ /dev/null @@ -1,392 +0,0 @@ -/* - * jpegint.h - * - * Copyright (C) 1991-1997, Thomas G. Lane. - * This file is part of the Independent JPEG Group's software. - * For conditions of distribution and use, see the accompanying README file. - * - * This file provides common declarations for the various JPEG modules. - * These declarations are considered internal to the JPEG library; most - * applications using the library shouldn't need to include this file. - */ - - -/* Declarations for both compression & decompression */ - -typedef enum { /* Operating modes for buffer controllers */ - JBUF_PASS_THRU, /* Plain stripwise operation */ - /* Remaining modes require a full-image buffer to have been created */ - JBUF_SAVE_SOURCE, /* Run source subobject only, save output */ - JBUF_CRANK_DEST, /* Run dest subobject only, using saved data */ - JBUF_SAVE_AND_PASS /* Run both subobjects, save output */ -} J_BUF_MODE; - -/* Values of global_state field (jdapi.c has some dependencies on ordering!) */ -#define CSTATE_START 100 /* after create_compress */ -#define CSTATE_SCANNING 101 /* start_compress done, write_scanlines OK */ -#define CSTATE_RAW_OK 102 /* start_compress done, write_raw_data OK */ -#define CSTATE_WRCOEFS 103 /* jpeg_write_coefficients done */ -#define DSTATE_START 200 /* after create_decompress */ -#define DSTATE_INHEADER 201 /* reading header markers, no SOS yet */ -#define DSTATE_READY 202 /* found SOS, ready for start_decompress */ -#define DSTATE_PRELOAD 203 /* reading multiscan file in start_decompress*/ -#define DSTATE_PRESCAN 204 /* performing dummy pass for 2-pass quant */ -#define DSTATE_SCANNING 205 /* start_decompress done, read_scanlines OK */ -#define DSTATE_RAW_OK 206 /* start_decompress done, read_raw_data OK */ -#define DSTATE_BUFIMAGE 207 /* expecting jpeg_start_output */ -#define DSTATE_BUFPOST 208 /* looking for SOS/EOI in jpeg_finish_output */ -#define DSTATE_RDCOEFS 209 /* reading file in jpeg_read_coefficients */ -#define DSTATE_STOPPING 210 /* looking for EOI in jpeg_finish_decompress */ - - -/* Declarations for compression modules */ - -/* Master control module */ -struct jpeg_comp_master { - JMETHOD(void, prepare_for_pass, (j_compress_ptr cinfo)); - JMETHOD(void, pass_startup, (j_compress_ptr cinfo)); - JMETHOD(void, finish_pass, (j_compress_ptr cinfo)); - - /* State variables made visible to other modules */ - boolean call_pass_startup; /* True if pass_startup must be called */ - boolean is_last_pass; /* True during last pass */ -}; - -/* Main buffer control (downsampled-data buffer) */ -struct jpeg_c_main_controller { - JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(void, process_data, (j_compress_ptr cinfo, - JSAMPARRAY input_buf, JDIMENSION *in_row_ctr, - JDIMENSION in_rows_avail)); -}; - -/* Compression preprocessing (downsampling input buffer control) */ -struct jpeg_c_prep_controller { - JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(void, pre_process_data, (j_compress_ptr cinfo, - JSAMPARRAY input_buf, - JDIMENSION *in_row_ctr, - JDIMENSION in_rows_avail, - JSAMPIMAGE output_buf, - JDIMENSION *out_row_group_ctr, - JDIMENSION out_row_groups_avail)); -}; - -/* Coefficient buffer control */ -struct jpeg_c_coef_controller { - JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(boolean, compress_data, (j_compress_ptr cinfo, - JSAMPIMAGE input_buf)); -}; - -/* Colorspace conversion */ -struct jpeg_color_converter { - JMETHOD(void, start_pass, (j_compress_ptr cinfo)); - JMETHOD(void, color_convert, (j_compress_ptr cinfo, - JSAMPARRAY input_buf, JSAMPIMAGE output_buf, - JDIMENSION output_row, int num_rows)); -}; - -/* Downsampling */ -struct jpeg_downsampler { - JMETHOD(void, start_pass, (j_compress_ptr cinfo)); - JMETHOD(void, downsample, (j_compress_ptr cinfo, - JSAMPIMAGE input_buf, JDIMENSION in_row_index, - JSAMPIMAGE output_buf, - JDIMENSION out_row_group_index)); - - boolean need_context_rows; /* TRUE if need rows above & below */ -}; - -/* Forward DCT (also controls coefficient quantization) */ -struct jpeg_forward_dct { - JMETHOD(void, start_pass, (j_compress_ptr cinfo)); - /* perhaps this should be an array??? */ - JMETHOD(void, forward_DCT, (j_compress_ptr cinfo, - jpeg_component_info * compptr, - JSAMPARRAY sample_data, JBLOCKROW coef_blocks, - JDIMENSION start_row, JDIMENSION start_col, - JDIMENSION num_blocks)); -}; - -/* Entropy encoding */ -struct jpeg_entropy_encoder { - JMETHOD(void, start_pass, (j_compress_ptr cinfo, boolean gather_statistics)); - JMETHOD(boolean, encode_mcu, (j_compress_ptr cinfo, JBLOCKROW *MCU_data)); - JMETHOD(void, finish_pass, (j_compress_ptr cinfo)); -}; - -/* Marker writing */ -struct jpeg_marker_writer { - JMETHOD(void, write_file_header, (j_compress_ptr cinfo)); - JMETHOD(void, write_frame_header, (j_compress_ptr cinfo)); - JMETHOD(void, write_scan_header, (j_compress_ptr cinfo)); - JMETHOD(void, write_file_trailer, (j_compress_ptr cinfo)); - JMETHOD(void, write_tables_only, (j_compress_ptr cinfo)); - /* These routines are exported to allow insertion of extra markers */ - /* Probably only COM and APPn markers should be written this way */ - JMETHOD(void, write_marker_header, (j_compress_ptr cinfo, int marker, - unsigned int datalen)); - JMETHOD(void, write_marker_byte, (j_compress_ptr cinfo, int val)); -}; - - -/* Declarations for decompression modules */ - -/* Master control module */ -struct jpeg_decomp_master { - JMETHOD(void, prepare_for_output_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, finish_output_pass, (j_decompress_ptr cinfo)); - - /* State variables made visible to other modules */ - boolean is_dummy_pass; /* True during 1st pass for 2-pass quant */ -}; - -/* Input control module */ -struct jpeg_input_controller { - JMETHOD(int, consume_input, (j_decompress_ptr cinfo)); - JMETHOD(void, reset_input_controller, (j_decompress_ptr cinfo)); - JMETHOD(void, start_input_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, finish_input_pass, (j_decompress_ptr cinfo)); - - /* State variables made visible to other modules */ - boolean has_multiple_scans; /* True if file has multiple scans */ - boolean eoi_reached; /* True when EOI has been consumed */ -}; - -/* Main buffer control (downsampled-data buffer) */ -struct jpeg_d_main_controller { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(void, process_data, (j_decompress_ptr cinfo, - JSAMPARRAY output_buf, JDIMENSION *out_row_ctr, - JDIMENSION out_rows_avail)); -}; - -/* Coefficient buffer control */ -struct jpeg_d_coef_controller { - JMETHOD(void, start_input_pass, (j_decompress_ptr cinfo)); - JMETHOD(int, consume_data, (j_decompress_ptr cinfo)); - JMETHOD(void, start_output_pass, (j_decompress_ptr cinfo)); - JMETHOD(int, decompress_data, (j_decompress_ptr cinfo, - JSAMPIMAGE output_buf)); - /* Pointer to array of coefficient virtual arrays, or NULL if none */ - jvirt_barray_ptr *coef_arrays; -}; - -/* Decompression postprocessing (color quantization buffer control) */ -struct jpeg_d_post_controller { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(void, post_process_data, (j_decompress_ptr cinfo, - JSAMPIMAGE input_buf, - JDIMENSION *in_row_group_ctr, - JDIMENSION in_row_groups_avail, - JSAMPARRAY output_buf, - JDIMENSION *out_row_ctr, - JDIMENSION out_rows_avail)); -}; - -/* Marker reading & parsing */ -struct jpeg_marker_reader { - JMETHOD(void, reset_marker_reader, (j_decompress_ptr cinfo)); - /* Read markers until SOS or EOI. - * Returns same codes as are defined for jpeg_consume_input: - * JPEG_SUSPENDED, JPEG_REACHED_SOS, or JPEG_REACHED_EOI. - */ - JMETHOD(int, read_markers, (j_decompress_ptr cinfo)); - /* Read a restart marker --- exported for use by entropy decoder only */ - jpeg_marker_parser_method read_restart_marker; - - /* State of marker reader --- nominally internal, but applications - * supplying COM or APPn handlers might like to know the state. - */ - boolean saw_SOI; /* found SOI? */ - boolean saw_SOF; /* found SOF? */ - int next_restart_num; /* next restart number expected (0-7) */ - unsigned int discarded_bytes; /* # of bytes skipped looking for a marker */ -}; - -/* Entropy decoding */ -struct jpeg_entropy_decoder { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); - JMETHOD(boolean, decode_mcu, (j_decompress_ptr cinfo, - JBLOCKROW *MCU_data)); - - /* This is here to share code between baseline and progressive decoders; */ - /* other modules probably should not use it */ - boolean insufficient_data; /* set TRUE after emitting warning */ -}; - -/* Inverse DCT (also performs dequantization) */ -typedef JMETHOD(void, inverse_DCT_method_ptr, - (j_decompress_ptr cinfo, jpeg_component_info * compptr, - JCOEFPTR coef_block, - JSAMPARRAY output_buf, JDIMENSION output_col)); - -struct jpeg_inverse_dct { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); - /* It is useful to allow each component to have a separate IDCT method. */ - inverse_DCT_method_ptr inverse_DCT[MAX_COMPONENTS]; -}; - -/* Upsampling (note that upsampler must also call color converter) */ -struct jpeg_upsampler { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, upsample, (j_decompress_ptr cinfo, - JSAMPIMAGE input_buf, - JDIMENSION *in_row_group_ctr, - JDIMENSION in_row_groups_avail, - JSAMPARRAY output_buf, - JDIMENSION *out_row_ctr, - JDIMENSION out_rows_avail)); - - boolean need_context_rows; /* TRUE if need rows above & below */ -}; - -/* Colorspace conversion */ -struct jpeg_color_deconverter { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, color_convert, (j_decompress_ptr cinfo, - JSAMPIMAGE input_buf, JDIMENSION input_row, - JSAMPARRAY output_buf, int num_rows)); -}; - -/* Color quantization or color precision reduction */ -struct jpeg_color_quantizer { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo, boolean is_pre_scan)); - JMETHOD(void, color_quantize, (j_decompress_ptr cinfo, - JSAMPARRAY input_buf, JSAMPARRAY output_buf, - int num_rows)); - JMETHOD(void, finish_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, new_color_map, (j_decompress_ptr cinfo)); -}; - - -/* Miscellaneous useful macros */ - -#undef MAX -#define MAX(a,b) ((a) > (b) ? (a) : (b)) -#undef MIN -#define MIN(a,b) ((a) < (b) ? (a) : (b)) - - -/* We assume that right shift corresponds to signed division by 2 with - * rounding towards minus infinity. This is correct for typical "arithmetic - * shift" instructions that shift in copies of the sign bit. But some - * C compilers implement >> with an unsigned shift. For these machines you - * must define RIGHT_SHIFT_IS_UNSIGNED. - * RIGHT_SHIFT provides a proper signed right shift of an INT32 quantity. - * It is only applied with constant shift counts. SHIFT_TEMPS must be - * included in the variables of any routine using RIGHT_SHIFT. - */ - -#ifdef RIGHT_SHIFT_IS_UNSIGNED -#define SHIFT_TEMPS INT32 shift_temp; -#define RIGHT_SHIFT(x,shft) \ - ((shift_temp = (x)) < 0 ? \ - (shift_temp >> (shft)) | ((~((INT32) 0)) << (32-(shft))) : \ - (shift_temp >> (shft))) -#else -#define SHIFT_TEMPS -#define RIGHT_SHIFT(x,shft) ((x) >> (shft)) -#endif - - -/* Short forms of external names for systems with brain-damaged linkers. */ - -#ifdef NEED_SHORT_EXTERNAL_NAMES -#define jinit_compress_master jICompress -#define jinit_c_master_control jICMaster -#define jinit_c_main_controller jICMainC -#define jinit_c_prep_controller jICPrepC -#define jinit_c_coef_controller jICCoefC -#define jinit_color_converter jICColor -#define jinit_downsampler jIDownsampler -#define jinit_forward_dct jIFDCT -#define jinit_huff_encoder jIHEncoder -#define jinit_phuff_encoder jIPHEncoder -#define jinit_marker_writer jIMWriter -#define jinit_master_decompress jIDMaster -#define jinit_d_main_controller jIDMainC -#define jinit_d_coef_controller jIDCoefC -#define jinit_d_post_controller jIDPostC -#define jinit_input_controller jIInCtlr -#define jinit_marker_reader jIMReader -#define jinit_huff_decoder jIHDecoder -#define jinit_phuff_decoder jIPHDecoder -#define jinit_inverse_dct jIIDCT -#define jinit_upsampler jIUpsampler -#define jinit_color_deconverter jIDColor -#define jinit_1pass_quantizer jI1Quant -#define jinit_2pass_quantizer jI2Quant -#define jinit_merged_upsampler jIMUpsampler -#define jinit_memory_mgr jIMemMgr -#define jdiv_round_up jDivRound -#define jround_up jRound -#define jcopy_sample_rows jCopySamples -#define jcopy_block_row jCopyBlocks -#define jzero_far jZeroFar -#define jpeg_zigzag_order jZIGTable -#define jpeg_natural_order jZAGTable -#endif /* NEED_SHORT_EXTERNAL_NAMES */ - - -/* Compression module initialization routines */ -EXTERN(void) jinit_compress_master JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_c_master_control JPP((j_compress_ptr cinfo, - boolean transcode_only)); -EXTERN(void) jinit_c_main_controller JPP((j_compress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_c_prep_controller JPP((j_compress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_c_coef_controller JPP((j_compress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_color_converter JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_downsampler JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_forward_dct JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_huff_encoder JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_phuff_encoder JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_marker_writer JPP((j_compress_ptr cinfo)); -/* Decompression module initialization routines */ -EXTERN(void) jinit_master_decompress JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_d_main_controller JPP((j_decompress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_d_coef_controller JPP((j_decompress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_d_post_controller JPP((j_decompress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_input_controller JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_marker_reader JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_huff_decoder JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_phuff_decoder JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_inverse_dct JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_upsampler JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_color_deconverter JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_1pass_quantizer JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_2pass_quantizer JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_merged_upsampler JPP((j_decompress_ptr cinfo)); -/* Memory manager initialization */ -EXTERN(void) jinit_memory_mgr JPP((j_common_ptr cinfo)); - -/* Utility routines in jutils.c */ -EXTERN(long) jdiv_round_up JPP((long a, long b)); -EXTERN(long) jround_up JPP((long a, long b)); -EXTERN(void) jcopy_sample_rows JPP((JSAMPARRAY input_array, int source_row, - JSAMPARRAY output_array, int dest_row, - int num_rows, JDIMENSION num_cols)); -EXTERN(void) jcopy_block_row JPP((JBLOCKROW input_row, JBLOCKROW output_row, - JDIMENSION num_blocks)); -EXTERN(void) jzero_far JPP((void FAR * target, size_t bytestozero)); -/* Constant tables in jutils.c */ -#if 0 /* This table is not actually needed in v6a */ -extern const int jpeg_zigzag_order[]; /* natural coef order to zigzag order */ -#endif -extern const int jpeg_natural_order[]; /* zigzag coef order to natural order */ - -/* Suppress undefined-structure complaints if necessary. */ - -#ifdef INCOMPLETE_TYPES_BROKEN -#ifndef AM_MEMORY_MANAGER /* only jmemmgr.c defines these */ -struct jvirt_sarray_control { long dummy; }; -struct jvirt_barray_control { long dummy; }; -#endif -#endif /* INCOMPLETE_TYPES_BROKEN */ diff --git a/tiff-3.8.2-CVE-2009-2347.patch b/tiff-3.8.2-CVE-2009-2347.patch deleted file mode 100644 index 9f1a6b5..0000000 --- a/tiff-3.8.2-CVE-2009-2347.patch +++ /dev/null @@ -1,170 +0,0 @@ -Fix several places in tiff2rgba and rgb2ycbcr that were being careless about -possible integer overflow in calculation of buffer sizes. - -CVE-2009-2347 - - -diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c ---- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400 -+++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400 -@@ -202,6 +202,17 @@ - #undef LumaBlue - #undef V2Code - -+static tsize_t -+multiply(tsize_t m1, tsize_t m2) -+{ -+ tsize_t prod = m1 * m2; -+ -+ if (m1 && prod / m1 != m2) -+ prod = 0; /* overflow */ -+ -+ return prod; -+} -+ - /* - * Convert a strip of RGB data to YCbCr and - * sample to generate the output data. -@@ -278,10 +289,19 @@ - float floatv; - char *stringv; - uint32 longv; -+ tsize_t raster_size; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); -+ -+ raster_size = multiply(multiply(width, height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c ---- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500 -+++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400 -@@ -124,6 +124,17 @@ - return (0); - } - -+static tsize_t -+multiply(tsize_t m1, tsize_t m2) -+{ -+ tsize_t prod = m1 * m2; -+ -+ if (m1 && prod / m1 != m2) -+ prod = 0; /* overflow */ -+ -+ return prod; -+} -+ - static int - cvt_by_tile( TIFF *in, TIFF *out ) - -@@ -133,6 +144,7 @@ - uint32 tile_width, tile_height; - uint32 row, col; - uint32 *wrk_line; -+ tsize_t raster_size; - int ok = 1; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); -@@ -150,7 +162,14 @@ - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) tile_width, (unsigned long) tile_height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -158,7 +177,7 @@ - - /* - * Allocate a scanline buffer for swapping during the vertical -- * mirroring pass. -+ * mirroring pass. (Request can't overflow given prior checks.) - */ - wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); - if (!wrk_line) { -@@ -226,6 +245,7 @@ - uint32 width, height; /* image width & height */ - uint32 row; - uint32 *wrk_line; -+ tsize_t raster_size; - int ok = 1; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); -@@ -241,7 +261,14 @@ - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) rowsperstrip); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -249,7 +276,7 @@ - - /* - * Allocate a scanline buffer for swapping during the vertical -- * mirroring pass. -+ * mirroring pass. (Request can't overflow given prior checks.) - */ - wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); - if (!wrk_line) { -@@ -328,14 +355,22 @@ - uint32* raster; /* retrieve RGBA image */ - uint32 width, height; /* image width & height */ - uint32 row; -- -+ tsize_t raster_size; -+ - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); - - rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); - -- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); -+ raster_size = multiply(multiply(width, height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -353,7 +388,7 @@ - */ - if( no_alpha ) - { -- int pixel_count = width * height; -+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height; - unsigned char *src, *dst; - - src = (unsigned char *) raster; - diff --git a/tiff-3.8.2-bnc444079.patch b/tiff-3.8.2-bnc444079.patch deleted file mode 100644 index 11efbb7..0000000 --- a/tiff-3.8.2-bnc444079.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- libtiff/tif_dirread.c -+++ libtiff/tif_dirread.c -@@ -870,7 +870,7 @@ - - register TIFFDirEntry *dp; - register TIFFDirectory *td = &tif->tif_dir; -- uint16 i; -+ uint32 i; - - if (td->td_stripbytecount) - _TIFFfree(td->td_stripbytecount); diff --git a/tiff-3.8.2-lzw-CVE-2009-2285.patch b/tiff-3.8.2-lzw-CVE-2009-2285.patch deleted file mode 100644 index 36933a7..0000000 --- a/tiff-3.8.2-lzw-CVE-2009-2285.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- libtiff/tif_lzw.c -+++ libtiff/tif_lzw.c -@@ -422,7 +422,7 @@ - if (code == CODE_EOI) - break; - -- if (code == CODE_CLEAR) { -+ if (code >= CODE_CLEAR) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "LZWDecode: Corrupted LZW table at scanline %d", - tif->tif_row); -@@ -625,7 +625,7 @@ - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -- if (code == CODE_CLEAR) { -+ if (code >= CODE_CLEAR) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "LZWDecode: Corrupted LZW table at scanline %d", - tif->tif_row); diff --git a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch b/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch deleted file mode 100644 index 4f581fc..0000000 --- a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch +++ /dev/null @@ -1,41 +0,0 @@ ---- libtiff/tif_lzw.c -+++ libtiff/tif_lzw.c -@@ -237,6 +237,11 @@ - sp->dec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); -+ /* -+ * Zero-out the unused entries -+ */ -+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); - } - return (1); - } -@@ -416,6 +421,13 @@ - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -+ -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = (char)code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -613,6 +625,12 @@ - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = code, occ--; - oldcodep = sp->dec_codetab + code; - continue; diff --git a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch b/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch deleted file mode 100644 index 7e18b07..0000000 --- a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- libtiff/tif_lzw.c -+++ libtiff/tif_lzw.c -@@ -408,6 +408,8 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask-1; -@@ -604,6 +606,7 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; diff --git a/tiff-3.8.2-tiff2pdf.patch b/tiff-3.8.2-tiff2pdf.patch deleted file mode 100644 index 2403a1b..0000000 --- a/tiff-3.8.2-tiff2pdf.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tools/tiff2pdf.c -+++ tools/tiff2pdf.c -@@ -3668,7 +3668,7 @@ - written += TIFFWriteFile(output, (tdata_t) "(", 1); - for (i=0;i 2) -- strcpy(fname, argv[2]); -+ snprintf(fname, sizeof(fname), "%s", argv[2]); - in = TIFFOpen(argv[1], "r"); - if (in != NULL) { - do { - char path[1024+1]; - newfilename(); -- strcpy(path, fname); -- strcat(path, ".tif"); -+ snprintf(path, sizeof(path), "%s.tif", fname); - out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); - if (out == NULL) - return (-2); diff --git a/tiff-3.8.2.tar.bz2 b/tiff-3.8.2.tar.bz2 deleted file mode 100644 index cd90277..0000000 --- a/tiff-3.8.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6d33a5ef592c832372c6aa3ae397437a7382f603871863071440ffe909aadb03 -size 1095536 diff --git a/tiff-3.8.2-seek.patch b/tiff-3.9.2-seek.patch similarity index 74% rename from tiff-3.8.2-seek.patch rename to tiff-3.9.2-seek.patch index 2efff14..674cd81 100644 --- a/tiff-3.8.2-seek.patch +++ b/tiff-3.9.2-seek.patch @@ -1,6 +1,8 @@ ---- libtiff/tiffiop.h +Index: libtiff/tiffiop.h +=================================================================== +--- libtiff/tiffiop.h.orig +++ libtiff/tiffiop.h -@@ -184,7 +184,7 @@ +@@ -209,7 +209,7 @@ struct tiff { #define TIFFWriteFile(tif, buf, size) \ ((*(tif)->tif_writeproc)((tif)->tif_clientdata,buf,size)) #define TIFFSeekFile(tif, off, whence) \ diff --git a/tiff-3.9.2.tar.bz2 b/tiff-3.9.2.tar.bz2 new file mode 100644 index 0000000..9e8ff12 --- /dev/null +++ b/tiff-3.9.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c8952149cbcd937ac620f913981dc0ffc7db79696c2f0d559b71d5cd51721e6e +size 1160792 diff --git a/tiff-am.patch b/tiff-am.patch deleted file mode 100644 index 3cff9d3..0000000 --- a/tiff-am.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- Makefile.am -+++ Makefile.am -@@ -26,7 +26,7 @@ - docdir = $(LIBTIFF_DOCDIR) - - AUTOMAKE_OPTIONS = dist-zip foreign --ACLOCAL_AMFLAGS = -I ./m4 -+ACLOCAL_AMFLAGS = -I m4 - - docfiles = \ - COPYRIGHT \ diff --git a/tiff.changes b/tiff.changes index 2a7b7f2..d77c763 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 16 13:37:23 CET 2010 - pgajdos@suse.cz + +- updated to 3.9.2: fixed many CVE's and obsoletes almost all + our patches (see ChangeLog for details) + ------------------------------------------------------------------- Tue Dec 15 19:38:18 CET 2009 - jengelh@medozas.de diff --git a/tiff.spec b/tiff.spec index 3c449a6..a444361 100644 --- a/tiff.spec +++ b/tiff.spec @@ -28,22 +28,16 @@ Obsoletes: tiff-64bit %endif # Url: http://www.remotesensing.org/libtiff/ -Version: 3.8.2 +Version: 3.9.2 Release: 145 Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 -Source1: jpegint.h Source2: README.SUSE Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch -Patch3: tiff-%{version}-tiff2pdf.patch -Patch4: tiff-%{version}-tiffsplit-CVE-2006-2656.patch -Patch5: tiff-%{version}-tif_lzw.c-CVE-2008-2327.patch -Patch6: tiff-%{version}-tif_lzw.c-CVE-2008-2327-2.patch -Patch7: tiff-am.patch -Patch8: tiff-3.8.2-bnc444079.patch -Patch9: tiff-3.8.2-lzw-CVE-2009-2285.patch -Patch10: tiff-%{version}-CVE-2009-2347.patch +# FYI: this issue is solved another way +# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 +# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -101,15 +95,6 @@ the libtiff library. %prep %setup -q %patch2 -%patch3 -%patch4 -%patch5 -%patch6 -%patch7 -%patch8 -%patch9 -%patch10 -p1 -cp %{S:1} libtiff find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 From 549932aa9b6c3ea7ca4f69b2239636cd9c6ea049e1be4b71d65e9ca891ec48de Mon Sep 17 00:00:00 2001 From: OBS User buildservice-autocommit Date: Thu, 18 Mar 2010 15:32:16 +0000 Subject: [PATCH 05/10] Updating link to change in openSUSE:Factory/tiff revision 15.0 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=b5642e0833fa27bde61dc9a0324bb6fe --- ready | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 ready diff --git a/ready b/ready deleted file mode 100644 index 473a0f4..0000000 From 9a9b7bc7388bf1590c02b7464da1001c2dcb2f97c246aacac0ce537a9af22b06 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 22 Mar 2010 10:49:49 +0000 Subject: [PATCH 06/10] OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=10 --- tiff.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiff.spec b/tiff.spec index a444361..172d0c8 100644 --- a/tiff.spec +++ b/tiff.spec @@ -130,7 +130,7 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root) /usr/bin/* %doc html -%doc README COPYRIGHT +%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DAT %doc %{_mandir}/man1/* %files -n libtiff3 From 6d25600a01915f26e4e19bd2679e060f159f1974b0981247fe8e83605b5dfda2 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 22 Mar 2010 12:51:54 +0000 Subject: [PATCH 07/10] OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=11 --- tiff.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiff.spec b/tiff.spec index 172d0c8..a38af67 100644 --- a/tiff.spec +++ b/tiff.spec @@ -130,7 +130,7 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root) /usr/bin/* %doc html -%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DAT +%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE %doc %{_mandir}/man1/* %files -n libtiff3 From 72bbc6c733eb791978f7e78531f54dfe1a012dde7cbf105217f72e77649acdab Mon Sep 17 00:00:00 2001 From: OBS User buildservice-autocommit Date: Thu, 25 Mar 2010 23:15:46 +0000 Subject: [PATCH 08/10] Updating link to change in openSUSE:Factory/tiff revision 16.0 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=54a32b51aaa9e986c3f0089395c6f73f --- tiff.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tiff.spec b/tiff.spec index a38af67..ede3828 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,5 +1,5 @@ # -# spec file for package tiff (Version 3.8.2) +# spec file for package tiff (Version 3.9.2) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -29,7 +29,7 @@ Obsoletes: tiff-64bit # Url: http://www.remotesensing.org/libtiff/ Version: 3.9.2 -Release: 145 +Release: 1 Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source2: README.SUSE From 860dbf9d32db9adaed73cff785433d4e85c0aaf1c6d85aeb139772b483c6f2e6 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Fri, 26 Mar 2010 08:50:15 +0000 Subject: [PATCH 09/10] - fixed typo OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=13 --- tiff.changes | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tiff.changes b/tiff.changes index d77c763..48f6c6c 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Mar 26 08:49:41 UTC 2010 - pgajdos@suse.cz + +- fixed typo + ------------------------------------------------------------------- Tue Mar 16 13:37:23 CET 2010 - pgajdos@suse.cz From 8c65c9a3eed82b03470cd80afafe65cb9ac0910386ddf52648fd66d0c4e0c62a Mon Sep 17 00:00:00 2001 From: OBS User buildservice-autocommit Date: Fri, 26 Mar 2010 15:15:03 +0000 Subject: [PATCH 10/10] Updating link to change in openSUSE:Factory/tiff revision 17.0 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=d2902d58de8e3963bdaa82cf5dd831c4 --- tiff.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiff.spec b/tiff.spec index ede3828..52f13a4 100644 --- a/tiff.spec +++ b/tiff.spec @@ -29,7 +29,7 @@ Obsoletes: tiff-64bit # Url: http://www.remotesensing.org/libtiff/ Version: 3.9.2 -Release: 1 +Release: 2 Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source2: README.SUSE