pool/tiff
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 289542 from graphics

Browse Source 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/289542
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=52
This commit is contained in:
Dominique Leuenberger 2015-03-09 09:04:39 +00:00 committed by Git OBS Bridge
commit b3b29da624
15 changed files with 868 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
bfriesen.2805.patch Normal file
View File

@ -0,0 +1,32 @@
---------------------
PatchSet 2805
Date: 2012/11/18 19:51:52
Author: bfriesen
Branch: HEAD
Tag: (none)
Log:
* libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
require malloc() to return NULL pointer if requested allocation
size is zero. Assure that _TIFFmalloc does.
Members:
ChangeLog:1.924->1.925
libtiff/tif_unix.c:1.23->1.24
libtiff/tif_vms.c:1.11->1.12
libtiff/tif_win32.c:1.39->1.40
Index: libtiff/libtiff/tif_unix.c
diff -u libtiff/libtiff/tif_unix.c:1.23 libtiff/libtiff/tif_unix.c:1.24
--- libtiff/libtiff/tif_unix.c:1.23 Fri Jun 1 16:40:59 2012
+++ libtiff/libtiff/tif_unix.c Sun Nov 18 12:51:52 2012
@@ -257,6 +257,9 @@
void*
_TIFFmalloc(tmsize_t s)
{
+ if (s == 0)
+ return ((void *) NULL);
+
return (malloc((size_t) s));
}

336
erouault.2856.patch Normal file
View File

@ -0,0 +1,336 @@
---------------------
PatchSet 2856
Date: 2014/12/21 17:15:31
Author: erouault
Branch: HEAD
Tag: (none)
Log:
Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
Members:
ChangeLog:1.960->1.961
libtiff/tif_dir.c:1.117->1.118
libtiff/tif_dirread.c:1.180->1.181
libtiff/tif_getimage.c:1.82->1.83
libtiff/tif_next.c:1.13->1.14
tools/bmp2tiff.c:1.23->1.24
tools/tiff2pdf.c:1.77->1.78
tools/tiffcrop.c:1.23->1.24
tools/tiffdump.c:1.28->1.29
Index: libtiff/libtiff/tif_dir.c
diff -u libtiff/libtiff/tif_dir.c:1.117 libtiff/libtiff/tif_dir.c:1.118
--- libtiff/libtiff/tif_dir.c:1.117 Thu Nov 20 11:47:21 2014
+++ libtiff/libtiff/tif_dir.c Sun Dec 21 10:15:31 2014
@@ -160,6 +160,7 @@
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
+ double dblval;
char* s;
const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
uint32 standard_tag = tag;
@@ -284,10 +285,16 @@
setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
break;
case TIFFTAG_XRESOLUTION:
- td->td_xresolution = (float) va_arg(ap, double);
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = (float) dblval;
break;
case TIFFTAG_YRESOLUTION:
- td->td_yresolution = (float) va_arg(ap, double);
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = (float) dblval;
break;
case TIFFTAG_PLANARCONFIG:
v = (uint16) va_arg(ap, uint16_vap);
@@ -694,6 +701,16 @@
va_end(ap);
}
return (0);
+badvaluedouble:
+ {
+ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Bad value %f for \"%s\" tag",
+ tif->tif_name, dblval,
+ fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ }
+ return (0);
}
/*
Index: libtiff/libtiff/tif_dirread.c
diff -u libtiff/libtiff/tif_dirread.c:1.180 libtiff/libtiff/tif_dirread.c:1.181
--- libtiff/libtiff/tif_dirread.c:1.180 Thu Nov 20 11:47:21 2014
+++ libtiff/libtiff/tif_dirread.c Sun Dec 21 10:15:31 2014
@@ -3430,6 +3430,8 @@
const TIFFField* fip;
uint32 fii=FAILED_FII;
toff_t nextdiroff;
+ int bitspersample_read = FALSE;
+
tif->tif_diroff=tif->tif_nextdiroff;
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
return 0; /* last offset or bad offset (IFD looping) */
@@ -3706,6 +3708,8 @@
}
if (!TIFFSetField(tif,dp->tdir_tag,value))
goto bad;
+ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
+ bitspersample_read = TRUE;
}
break;
case TIFFTAG_SMINSAMPLEVALUE:
@@ -3763,6 +3767,19 @@
uint32 countrequired;
uint32 incrementpersample;
uint16* value=NULL;
+ /* It would be dangerous to instanciate those tag values */
+ /* since if td_bitspersample has not yet been read (due to */
+ /* unordered tags), it could be read afterwards with a */
+ /* values greater than the default one (1), which may cause */
+ /* crashes in user code */
+ if( !bitspersample_read )
+ {
+ fip = TIFFFieldWithTag(tif,dp->tdir_tag);
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "Ignoring %s since BitsPerSample tag not found",
+ fip ? fip->field_name : "unknown tagname");
+ continue;
+ }
countpersample=(1L<<tif->tif_dir.td_bitspersample);
if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
{
Index: libtiff/libtiff/tif_getimage.c
diff -u libtiff/libtiff/tif_getimage.c:1.82 libtiff/libtiff/tif_getimage.c:1.83
--- libtiff/libtiff/tif_getimage.c:1.82 Tue Jun 5 19:17:49 2012
+++ libtiff/libtiff/tif_getimage.c Sun Dec 21 10:15:31 2014
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.82 2012-06-06 00:17:49 fwarmerdam Exp $ */
+/* $Id: tif_getimage.c,v 1.83 2014-12-21 15:15:31 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -182,8 +182,23 @@
"Planarconfiguration", td->td_planarconfig);
return (0);
}
+ if( td->td_samplesperpixel != 3 )
+ {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d",
+ "Samples/pixel", td->td_samplesperpixel);
+ return 0;
+ }
break;
case PHOTOMETRIC_CIELAB:
+ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
+ {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
break;
default:
sprintf(emsg, "Sorry, can not handle image with %s=%d",
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.13 libtiff/libtiff/tif_next.c:1.14
--- libtiff/libtiff/tif_next.c:1.13 Wed Mar 10 13:56:48 2010
+++ libtiff/libtiff/tif_next.c Sun Dec 21 10:15:32 2014
@@ -102,6 +102,8 @@
default: {
uint32 npixels = 0, grey;
uint32 imagewidth = tif->tif_dir.td_imagewidth;
+ if( isTiled(tif) )
+ imagewidth = tif->tif_dir.td_tilewidth;
/*
* The scanline is composed of a sequence of constant
Index: libtiff/tools/bmp2tiff.c
diff -u libtiff/tools/bmp2tiff.c:1.23 libtiff/tools/bmp2tiff.c:1.24
--- libtiff/tools/bmp2tiff.c:1.23 Wed Mar 10 13:56:49 2010
+++ libtiff/tools/bmp2tiff.c Sun Dec 21 10:15:32 2014
@@ -403,6 +403,13 @@
width = info_hdr.iWidth;
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
+ if( width <= 0 || length <= 0 )
+ {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
switch (info_hdr.iBitCount)
{
@@ -593,6 +600,14 @@
compr_size = file_hdr.iSize - file_hdr.iOffBits;
uncompr_size = width * length;
+ /* Detect int overflow */
+ if( uncompr_size / width != length )
+ {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
if (!comprbuf) {
TIFFError(infilename,
Index: libtiff/tools/tiff2pdf.c
diff -u libtiff/tools/tiff2pdf.c:1.77 libtiff/tools/tiff2pdf.c:1.78
--- libtiff/tools/tiff2pdf.c:1.77 Tue Dec 9 21:53:30 2014
+++ libtiff/tools/tiff2pdf.c Sun Dec 21 10:15:32 2014
@@ -1167,6 +1167,15 @@
if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
+ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
+ {
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid tile count, %s",
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
}
if( t2p->tiff_tiles[i].tiles_tilecount > 0){
@@ -1552,6 +1561,22 @@
#endif
break;
case PHOTOMETRIC_CIELAB:
+ if( t2p->tiff_samplesperpixel != 3){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Unsupported samplesperpixel = %d for CIELAB",
+ t2p->tiff_samplesperpixel);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ if( t2p->tiff_bitspersample != 8){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid bitspersample = %d for CIELAB",
+ t2p->tiff_bitspersample);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->pdf_labrange[0]= -127;
t2p->pdf_labrange[1]= 127;
t2p->pdf_labrange[2]= -127;
@@ -1567,6 +1592,22 @@
t2p->pdf_colorspace=T2P_CS_LAB;
break;
case PHOTOMETRIC_ITULAB:
+ if( t2p->tiff_samplesperpixel != 3){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Unsupported samplesperpixel = %d for ITULAB",
+ t2p->tiff_samplesperpixel);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ if( t2p->tiff_bitspersample != 8){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid bitspersample = %d for ITULAB",
+ t2p->tiff_bitspersample);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->pdf_labrange[0]=-85;
t2p->pdf_labrange[1]=85;
t2p->pdf_labrange[2]=-75;
Index: libtiff/tools/tiffcrop.c
diff -u libtiff/tools/tiffcrop.c:1.23 libtiff/tools/tiffcrop.c:1.24
--- libtiff/tools/tiffcrop.c:1.23 Sun Dec 7 17:33:06 2014
+++ libtiff/tools/tiffcrop.c Sun Dec 21 10:15:32 2014
@@ -1205,9 +1205,10 @@
tsize_t tilesize = TIFFTileSize(out);
unsigned char *tilebuf = NULL;
- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
+ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+ return 1;
tile_buffsize = tilesize;
if (tilesize < (tsize_t)(tl * tile_rowsize))
Index: libtiff/tools/tiffdump.c
diff -u libtiff/tools/tiffdump.c:1.28 libtiff/tools/tiffdump.c:1.29
--- libtiff/tools/tiffdump.c:1.28 Sat Dec 6 10:58:44 2014
+++ libtiff/tools/tiffdump.c Sun Dec 21 10:15:32 2014
@@ -374,6 +374,8 @@
void* datamem;
uint64 dataoffset;
int datatruncated;
+ int datasizeoverflow;
+
tag = *(uint16*)dp;
if (swabflag)
TIFFSwabShort(&tag);
@@ -412,13 +414,14 @@
else
typewidth = datawidth[type];
datasize = count*typewidth;
+ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count);
datafits = 1;
datamem = dp;
dataoffset = 0;
datatruncated = 0;
if (!bigtiff)
{
- if (datasize>4)
+ if (datasizeoverflow || datasize>4)
{
uint32 dataoffset32;
datafits = 0;
@@ -432,7 +435,7 @@
}
else
{
- if (datasize>8)
+ if (datasizeoverflow || datasize>8)
{
datafits = 0;
datamem = NULL;
@@ -442,7 +445,7 @@
}
dp += sizeof(uint64);
}
- if (datasize>0x10000)
+ if (datasizeoverflow || datasize>0x10000)
{
datatruncated = 1;
count = 0x10000/typewidth;

47
erouault.2857.patch Normal file
View File

@ -0,0 +1,47 @@
---------------------
PatchSet 2857
Date: 2014/12/21 18:28:37
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data intepreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
Members:
ChangeLog:1.961->1.962
tools/tiffcp.c:1.50->1.51
Index: libtiff/tools/tiffcp.c
diff -u libtiff/tools/tiffcp.c:1.50 libtiff/tools/tiffcp.c:1.51
--- libtiff/tools/tiffcp.c:1.50 Tue Mar 5 22:35:09 2013
+++ libtiff/tools/tiffcp.c Sun Dec 21 11:28:37 2014
@@ -633,6 +633,12 @@
TIFFSetField(out, TIFFTAG_PHOTOMETRIC,
samplesperpixel == 1 ?
PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV);
+ else if (input_compression == COMPRESSION_JPEG &&
+ samplesperpixel == 3 ) {
+ /* RGB conversion was forced above
+ hence the output will be of the same type */
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB);
+ }
else
CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT);
if (fillorder != 0)

35
erouault.2858.patch Normal file
View File

@ -0,0 +1,35 @@
---------------------
PatchSet 2858
Date: 2014/12/21 19:36:36
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/tiff2pdf.c: check return code of TIFFGetField() when reading
TIFFTAG_SAMPLESPERPIXEL
Members:
ChangeLog:1.962->1.963
tools/tiff2pdf.c:1.78->1.79
Index: libtiff/tools/tiff2pdf.c
diff -u libtiff/tools/tiff2pdf.c:1.78 libtiff/tools/tiff2pdf.c:1.79
--- libtiff/tools/tiff2pdf.c:1.78 Sun Dec 21 10:15:32 2014
+++ libtiff/tools/tiff2pdf.c Sun Dec 21 12:36:36 2014
@@ -1166,7 +1166,15 @@
t2p->tiff_pages[i].page_tilecount;
if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
+ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) )
+ {
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Missing SamplesPerPixel, %s",
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
{
TIFFError(

47
erouault.2859.patch Normal file
View File

@ -0,0 +1,47 @@
---------------------
PatchSet 2859
Date: 2014/12/21 20:07:48
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
Members:
ChangeLog:1.963->1.964
libtiff/tif_next.c:1.14->1.15
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.14 libtiff/libtiff/tif_next.c:1.15
--- libtiff/libtiff/tif_next.c:1.14 Sun Dec 21 10:15:32 2014
+++ libtiff/libtiff/tif_next.c Sun Dec 21 13:07:48 2014
@@ -141,10 +141,27 @@
return (0);
}
+static int
+NeXTPreDecode(TIFF* tif, uint16 s)
+{
+ static const char module[] = "NeXTPreDecode";
+ TIFFDirectory *td = &tif->tif_dir;
+ (void)s;
+
+ if( td->td_bitspersample != 2 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
+ td->td_bitspersample);
+ return (0);
+ }
+ return (1);
+}
+
int
TIFFInitNeXT(TIFF* tif, int scheme)
{
(void) scheme;
+ tif->tif_predecode = NeXTPreDecode;
tif->tif_decoderow = NeXTDecode;
tif->tif_decodestrip = NeXTDecode;
tif->tif_decodetile = NeXTDecode;

85
erouault.2860.patch Normal file
View File

@ -0,0 +1,85 @@
---------------------
PatchSet 2860
Date: 2014/12/21 20:52:42
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4
http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
Members:
ChangeLog:1.964->1.965
tools/thumbnail.c:1.17->1.18
tools/tiffcmp.c:1.16->1.17
Index: libtiff/tools/thumbnail.c
diff -u libtiff/tools/thumbnail.c:1.17 libtiff/tools/thumbnail.c:1.18
--- libtiff/tools/thumbnail.c:1.17 Sun Dec 7 17:33:06 2014
+++ libtiff/tools/thumbnail.c Sun Dec 21 13:52:42 2014
@@ -274,7 +274,26 @@
{
struct cpTag *p;
for (p = tags; p < &tags[NTAGS]; p++)
- cpTag(in, out, p->tag, p->count, p->type);
+ {
+ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */
+ /* if we request a tag that is defined in a codec, but that codec */
+ /* isn't used */
+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX3 )
+ continue;
+ }
+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX4 )
+ continue;
+ }
+ cpTag(in, out, p->tag, p->count, p->type);
+ }
}
#undef NTAGS
Index: libtiff/tools/tiffcmp.c
diff -u libtiff/tools/tiffcmp.c:1.16 libtiff/tools/tiffcmp.c:1.17
--- libtiff/tools/tiffcmp.c:1.16 Wed Mar 10 13:56:50 2010
+++ libtiff/tools/tiffcmp.c Sun Dec 21 13:52:42 2014
@@ -260,6 +260,7 @@
static int
cmptags(TIFF* tif1, TIFF* tif2)
{
+ uint16 compression1, compression2;
CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType");
CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth");
CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength");
@@ -276,8 +277,20 @@
CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat");
CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution");
CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution");
- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
+ compression1 == COMPRESSION_CCITTFAX3 &&
+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
+ compression2 == COMPRESSION_CCITTFAX3 )
+ {
+ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
+ }
+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
+ compression1 == COMPRESSION_CCITTFAX4 &&
+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
+ compression2 == COMPRESSION_CCITTFAX4 )
+ {
+ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
+ }
CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit");
CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration");
CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip");

33
erouault.2861.patch Normal file
View File

@ -0,0 +1,33 @@
---------------------
PatchSet 2861
Date: 2014/12/21 21:53:59
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/thumbnail.c: fix out-of-buffer write
http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
Members:
ChangeLog:1.965->1.966
tools/thumbnail.c:1.18->1.19
Index: libtiff/tools/thumbnail.c
diff -u libtiff/tools/thumbnail.c:1.18 libtiff/tools/thumbnail.c:1.19
--- libtiff/tools/thumbnail.c:1.18 Sun Dec 21 13:52:42 2014
+++ libtiff/tools/thumbnail.c Sun Dec 21 14:53:59 2014
@@ -568,7 +568,13 @@
err -= limit;
sy++;
if (err >= limit)
- rows[nrows++] = br + bpr*sy;
+ {
+ /* We should perhaps error loudly, but I can't make sense of that */
+ /* code... */
+ if( nrows == 256 )
+ break;
+ rows[nrows++] = br + bpr*sy;
+ }
}
setrow(row, nrows, rows);
row += tnw;

44
erouault.2862.patch Normal file
View File

@ -0,0 +1,44 @@
---------------------
PatchSet 2862
Date: 2014/12/21 22:04:31
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES
copying. The right fix would be to properly copy it, but not worth the burden
for those esoteric utilities.
http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
Members:
ChangeLog:1.966->1.967
tools/pal2rgb.c:1.13->1.14
tools/thumbnail.c:1.19->1.20
Index: libtiff/tools/pal2rgb.c
diff -u libtiff/tools/pal2rgb.c:1.13 libtiff/tools/pal2rgb.c:1.14
--- libtiff/tools/pal2rgb.c:1.13 Fri Jul 2 07:02:56 2010
+++ libtiff/tools/pal2rgb.c Sun Dec 21 15:04:31 2014
@@ -372,7 +372,7 @@
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
Index: libtiff/tools/thumbnail.c
diff -u libtiff/tools/thumbnail.c:1.19 libtiff/tools/thumbnail.c:1.20
--- libtiff/tools/thumbnail.c:1.19 Sun Dec 21 14:53:59 2014
+++ libtiff/tools/thumbnail.c Sun Dec 21 15:04:31 2014
@@ -257,7 +257,7 @@
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },

31
erouault.2863.patch Normal file
View File

@ -0,0 +1,31 @@
---------------------
PatchSet 2863
Date: 2014/12/21 22:58:29
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/tiff2bw.c: when Photometric=RGB, the utility only works if
SamplesPerPixel = 3. Enforce that
http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
Members:
ChangeLog:1.967->1.968
tools/tiff2bw.c:1.16->1.17
Index: libtiff/tools/tiff2bw.c
diff -u libtiff/tools/tiff2bw.c:1.16 libtiff/tools/tiff2bw.c:1.17
--- libtiff/tools/tiff2bw.c:1.16 Thu May 2 09:44:29 2013
+++ libtiff/tools/tiff2bw.c Sun Dec 21 15:58:30 2014
@@ -171,6 +171,11 @@
argv[optind], samplesperpixel);
return (-1);
}
+ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
+ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
+ argv[optind], samplesperpixel);
+ return (-1);
+ }
TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
if (bitspersample != 8) {
fprintf(stderr,

90
erouault.2876.patch Normal file
View File

@ -0,0 +1,90 @@
---------------------
PatchSet 2876
Date: 2014/12/29 14:09:11
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* libtiff/tif_next.c: add new tests to check that we don't read outside of
the compressed input stream buffer.
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
Members:
ChangeLog:1.980->1.981
libtiff/tif_getimage.c:1.85->1.86
libtiff/tif_next.c:1.15->1.16
Index: libtiff/libtiff/tif_getimage.c
diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86
--- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014
+++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014
@@ -1871,7 +1871,7 @@
(void) y;
fromskew = (fromskew * 10) / 4;
- if ((h & 3) == 0 && (w & 1) == 0) {
+ if ((w & 3) == 0 && (h & 1) == 0) {
for (; h >= 2; h -= 2) {
x = w>>2;
do {
@@ -1948,7 +1948,7 @@
/* XXX adjust fromskew */
do {
x = w>>2;
- do {
+ while(x>0) {
int32 Cb = pp[4];
int32 Cr = pp[5];
@@ -1959,7 +1959,8 @@
cp += 4;
pp += 6;
- } while (--x);
+ x--;
+ }
if( (w&3) != 0 )
{
@@ -2050,7 +2051,7 @@
fromskew = (fromskew * 4) / 2;
do {
x = w>>1;
- do {
+ while(x>0) {
int32 Cb = pp[2];
int32 Cr = pp[3];
@@ -2059,7 +2060,8 @@
cp += 2;
pp += 4;
- } while (--x);
+ x --;
+ }
if( (w&1) != 0 )
{
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16
--- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014
+++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014
@@ -71,7 +71,7 @@
TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
return (0);
}
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
n = *bp++, cc--;
switch (n) {
case LITERALROW:
@@ -90,6 +90,8 @@
* The scanline has a literal span that begins at some
* offset.
*/
+ if( cc < 4 )
+ goto bad;
off = (bp[0] * 256) + bp[1];
n = (bp[2] * 256) + bp[3];
if (cc < 4+n || off+n > scanline)

16
tiff-dither-malloc-check.patch Normal file
View File

@ -0,0 +1,16 @@
Index: tools/tiffdither.c
===================================================================
--- tools/tiffdither.c.orig 2015-02-18 13:06:47.972867055 +0100
+++ tools/tiffdither.c 2015-02-18 13:12:03.759562692 +0100
@@ -77,6 +77,11 @@
outlinesize = TIFFScanlineSize(out);
outline = (unsigned char *) _TIFFmalloc(outlinesize);
+ if (! (inputline && thisline && nextline && outline)) {
+ fprintf(stderr, "Out of memory.\n");
+ return;
+ }
+
/*
* Get first line
*/

12
tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch Normal file
View File

@ -0,0 +1,12 @@
Index: libtiff/tif_dirinfo.c
===================================================================
--- libtiff/tif_dirinfo.c.orig 2015-02-20 10:55:07.511497649 +0100
+++ libtiff/tif_dirinfo.c 2015-02-20 18:25:36.187965859 +0100
@@ -141,6 +141,7 @@
{ TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL },
{ TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
{ TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
/* begin DNG tags */
{ TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
{ TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },

12
tiff-handle-TIFFTAG_PREDICTOR.patch Normal file
View File

@ -0,0 +1,12 @@
Index: libtiff/tif_dirinfo.c
===================================================================
--- libtiff/tif_dirinfo.c.orig 2015-02-20 18:38:55.798039584 +0100
+++ libtiff/tif_dirinfo.c 2015-02-20 18:58:50.474095885 +0100
@@ -142,6 +142,7 @@
{ TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
{ TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
+ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL },
/* begin DNG tags */
{ TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
{ TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },

20
tiff.changes
View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Thu Feb 26 13:58:54 UTC 2015 - pgajdos@suse.com
- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128,
CVE-2014-8129, CVE-2014-8130, CVE-2015-1547
bnc#914890, bnc#916925, bnc#916927
+ erouault.2856.patch
+ erouault.2857.patch
+ erouault.2858.patch
+ erouault.2859.patch
+ erouault.2860.patch
+ erouault.2861.patch
+ erouault.2862.patch
+ erouault.2863.patch
+ erouault.2876.patch
+ bfriesen.2805.patch
+ tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
+ tiff-handle-TIFFTAG_PREDICTOR.patch
+ tiff-dither-malloc-check.patch
-------------------------------------------------------------------
Mon Dec 22 19:58:43 UTC 2014 - meissner@suse.com

29
tiff.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package tiff
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -60,6 +60,20 @@ Patch8: tiff-4.0.3-CVE-2013-4232.patch
Patch9: tiff-4.0.3-CVE-2013-4231.patch
Patch10: tiff-4.0.3-CVE-2013-4244.patch
Patch11: tiff-4.0.3-CVE-2013-4243.patch
Patch12: erouault.2856.patch
Patch13: erouault.2857.patch
Patch14: erouault.2858.patch
Patch15: erouault.2859.patch
Patch16: erouault.2860.patch
Patch17: erouault.2861.patch
Patch18: erouault.2862.patch
Patch19: erouault.2863.patch
Patch20: erouault.2876.patch
Patch21: bfriesen.2805.patch
Patch22: tiff-dither-malloc-check.patch
Patch23: tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
Patch24: tiff-handle-TIFFTAG_PREDICTOR.patch
# FYI: this issue is solved another way
# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@ -115,6 +129,19 @@ the libtiff library.
%patch9
%patch10
%patch11
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22
%patch23
%patch24
%build
CFLAGS="$RPM_OPT_FLAGS -fPIE"