Accepting request 289542 from graphics
Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/289542 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=52
This commit is contained in:
commit
b3b29da624
32
bfriesen.2805.patch
Normal file
32
bfriesen.2805.patch
Normal file
@ -0,0 +1,32 @@
|
||||
---------------------
|
||||
PatchSet 2805
|
||||
Date: 2012/11/18 19:51:52
|
||||
Author: bfriesen
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
|
||||
require malloc() to return NULL pointer if requested allocation
|
||||
size is zero. Assure that _TIFFmalloc does.
|
||||
|
||||
Members:
|
||||
ChangeLog:1.924->1.925
|
||||
libtiff/tif_unix.c:1.23->1.24
|
||||
libtiff/tif_vms.c:1.11->1.12
|
||||
libtiff/tif_win32.c:1.39->1.40
|
||||
|
||||
Index: libtiff/libtiff/tif_unix.c
|
||||
diff -u libtiff/libtiff/tif_unix.c:1.23 libtiff/libtiff/tif_unix.c:1.24
|
||||
--- libtiff/libtiff/tif_unix.c:1.23 Fri Jun 1 16:40:59 2012
|
||||
+++ libtiff/libtiff/tif_unix.c Sun Nov 18 12:51:52 2012
|
||||
@@ -257,6 +257,9 @@
|
||||
void*
|
||||
_TIFFmalloc(tmsize_t s)
|
||||
{
|
||||
+ if (s == 0)
|
||||
+ return ((void *) NULL);
|
||||
+
|
||||
return (malloc((size_t) s));
|
||||
}
|
||||
|
||||
|
336
erouault.2856.patch
Normal file
336
erouault.2856.patch
Normal file
@ -0,0 +1,336 @@
|
||||
---------------------
|
||||
PatchSet 2856
|
||||
Date: 2014/12/21 17:15:31
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
Fix various crasher bugs on fuzzed images.
|
||||
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
|
||||
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
|
||||
the directory
|
||||
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
|
||||
TransferFunction if BitsPerSample has not yet been read, otherwise reading
|
||||
it later will cause user code to crash if BitsPerSample > 1
|
||||
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
|
||||
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
|
||||
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
|
||||
instead of imagewidth to avoid crash
|
||||
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
|
||||
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
|
||||
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
|
||||
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
|
||||
* tools/tiffdump.c: fix crash due to overflow of entry count.
|
||||
|
||||
Members:
|
||||
ChangeLog:1.960->1.961
|
||||
libtiff/tif_dir.c:1.117->1.118
|
||||
libtiff/tif_dirread.c:1.180->1.181
|
||||
libtiff/tif_getimage.c:1.82->1.83
|
||||
libtiff/tif_next.c:1.13->1.14
|
||||
tools/bmp2tiff.c:1.23->1.24
|
||||
tools/tiff2pdf.c:1.77->1.78
|
||||
tools/tiffcrop.c:1.23->1.24
|
||||
tools/tiffdump.c:1.28->1.29
|
||||
|
||||
Index: libtiff/libtiff/tif_dir.c
|
||||
diff -u libtiff/libtiff/tif_dir.c:1.117 libtiff/libtiff/tif_dir.c:1.118
|
||||
--- libtiff/libtiff/tif_dir.c:1.117 Thu Nov 20 11:47:21 2014
|
||||
+++ libtiff/libtiff/tif_dir.c Sun Dec 21 10:15:31 2014
|
||||
@@ -160,6 +160,7 @@
|
||||
TIFFDirectory* td = &tif->tif_dir;
|
||||
int status = 1;
|
||||
uint32 v32, i, v;
|
||||
+ double dblval;
|
||||
char* s;
|
||||
const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
|
||||
uint32 standard_tag = tag;
|
||||
@@ -284,10 +285,16 @@
|
||||
setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
|
||||
break;
|
||||
case TIFFTAG_XRESOLUTION:
|
||||
- td->td_xresolution = (float) va_arg(ap, double);
|
||||
+ dblval = va_arg(ap, double);
|
||||
+ if( dblval < 0 )
|
||||
+ goto badvaluedouble;
|
||||
+ td->td_xresolution = (float) dblval;
|
||||
break;
|
||||
case TIFFTAG_YRESOLUTION:
|
||||
- td->td_yresolution = (float) va_arg(ap, double);
|
||||
+ dblval = va_arg(ap, double);
|
||||
+ if( dblval < 0 )
|
||||
+ goto badvaluedouble;
|
||||
+ td->td_yresolution = (float) dblval;
|
||||
break;
|
||||
case TIFFTAG_PLANARCONFIG:
|
||||
v = (uint16) va_arg(ap, uint16_vap);
|
||||
@@ -694,6 +701,16 @@
|
||||
va_end(ap);
|
||||
}
|
||||
return (0);
|
||||
+badvaluedouble:
|
||||
+ {
|
||||
+ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "%s: Bad value %f for \"%s\" tag",
|
||||
+ tif->tif_name, dblval,
|
||||
+ fip ? fip->field_name : "Unknown");
|
||||
+ va_end(ap);
|
||||
+ }
|
||||
+ return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
Index: libtiff/libtiff/tif_dirread.c
|
||||
diff -u libtiff/libtiff/tif_dirread.c:1.180 libtiff/libtiff/tif_dirread.c:1.181
|
||||
--- libtiff/libtiff/tif_dirread.c:1.180 Thu Nov 20 11:47:21 2014
|
||||
+++ libtiff/libtiff/tif_dirread.c Sun Dec 21 10:15:31 2014
|
||||
@@ -3430,6 +3430,8 @@
|
||||
const TIFFField* fip;
|
||||
uint32 fii=FAILED_FII;
|
||||
toff_t nextdiroff;
|
||||
+ int bitspersample_read = FALSE;
|
||||
+
|
||||
tif->tif_diroff=tif->tif_nextdiroff;
|
||||
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
|
||||
return 0; /* last offset or bad offset (IFD looping) */
|
||||
@@ -3706,6 +3708,8 @@
|
||||
}
|
||||
if (!TIFFSetField(tif,dp->tdir_tag,value))
|
||||
goto bad;
|
||||
+ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
|
||||
+ bitspersample_read = TRUE;
|
||||
}
|
||||
break;
|
||||
case TIFFTAG_SMINSAMPLEVALUE:
|
||||
@@ -3763,6 +3767,19 @@
|
||||
uint32 countrequired;
|
||||
uint32 incrementpersample;
|
||||
uint16* value=NULL;
|
||||
+ /* It would be dangerous to instanciate those tag values */
|
||||
+ /* since if td_bitspersample has not yet been read (due to */
|
||||
+ /* unordered tags), it could be read afterwards with a */
|
||||
+ /* values greater than the default one (1), which may cause */
|
||||
+ /* crashes in user code */
|
||||
+ if( !bitspersample_read )
|
||||
+ {
|
||||
+ fip = TIFFFieldWithTag(tif,dp->tdir_tag);
|
||||
+ TIFFWarningExt(tif->tif_clientdata,module,
|
||||
+ "Ignoring %s since BitsPerSample tag not found",
|
||||
+ fip ? fip->field_name : "unknown tagname");
|
||||
+ continue;
|
||||
+ }
|
||||
countpersample=(1L<<tif->tif_dir.td_bitspersample);
|
||||
if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
|
||||
{
|
||||
Index: libtiff/libtiff/tif_getimage.c
|
||||
diff -u libtiff/libtiff/tif_getimage.c:1.82 libtiff/libtiff/tif_getimage.c:1.83
|
||||
--- libtiff/libtiff/tif_getimage.c:1.82 Tue Jun 5 19:17:49 2012
|
||||
+++ libtiff/libtiff/tif_getimage.c Sun Dec 21 10:15:31 2014
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tif_getimage.c,v 1.82 2012-06-06 00:17:49 fwarmerdam Exp $ */
|
||||
+/* $Id: tif_getimage.c,v 1.83 2014-12-21 15:15:31 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1991-1997 Sam Leffler
|
||||
@@ -182,8 +182,23 @@
|
||||
"Planarconfiguration", td->td_planarconfig);
|
||||
return (0);
|
||||
}
|
||||
+ if( td->td_samplesperpixel != 3 )
|
||||
+ {
|
||||
+ sprintf(emsg,
|
||||
+ "Sorry, can not handle image with %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel);
|
||||
+ return 0;
|
||||
+ }
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
+ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
|
||||
+ {
|
||||
+ sprintf(emsg,
|
||||
+ "Sorry, can not handle image with %s=%d and %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel,
|
||||
+ "Bits/sample", td->td_bitspersample);
|
||||
+ return 0;
|
||||
+ }
|
||||
break;
|
||||
default:
|
||||
sprintf(emsg, "Sorry, can not handle image with %s=%d",
|
||||
Index: libtiff/libtiff/tif_next.c
|
||||
diff -u libtiff/libtiff/tif_next.c:1.13 libtiff/libtiff/tif_next.c:1.14
|
||||
--- libtiff/libtiff/tif_next.c:1.13 Wed Mar 10 13:56:48 2010
|
||||
+++ libtiff/libtiff/tif_next.c Sun Dec 21 10:15:32 2014
|
||||
@@ -102,6 +102,8 @@
|
||||
default: {
|
||||
uint32 npixels = 0, grey;
|
||||
uint32 imagewidth = tif->tif_dir.td_imagewidth;
|
||||
+ if( isTiled(tif) )
|
||||
+ imagewidth = tif->tif_dir.td_tilewidth;
|
||||
|
||||
/*
|
||||
* The scanline is composed of a sequence of constant
|
||||
Index: libtiff/tools/bmp2tiff.c
|
||||
diff -u libtiff/tools/bmp2tiff.c:1.23 libtiff/tools/bmp2tiff.c:1.24
|
||||
--- libtiff/tools/bmp2tiff.c:1.23 Wed Mar 10 13:56:49 2010
|
||||
+++ libtiff/tools/bmp2tiff.c Sun Dec 21 10:15:32 2014
|
||||
@@ -403,6 +403,13 @@
|
||||
|
||||
width = info_hdr.iWidth;
|
||||
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
|
||||
+ if( width <= 0 || length <= 0 )
|
||||
+ {
|
||||
+ TIFFError(infilename,
|
||||
+ "Invalid dimensions of BMP file" );
|
||||
+ close(fd);
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
switch (info_hdr.iBitCount)
|
||||
{
|
||||
@@ -593,6 +600,14 @@
|
||||
|
||||
compr_size = file_hdr.iSize - file_hdr.iOffBits;
|
||||
uncompr_size = width * length;
|
||||
+ /* Detect int overflow */
|
||||
+ if( uncompr_size / width != length )
|
||||
+ {
|
||||
+ TIFFError(infilename,
|
||||
+ "Invalid dimensions of BMP file" );
|
||||
+ close(fd);
|
||||
+ return -1;
|
||||
+ }
|
||||
comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
|
||||
if (!comprbuf) {
|
||||
TIFFError(infilename,
|
||||
Index: libtiff/tools/tiff2pdf.c
|
||||
diff -u libtiff/tools/tiff2pdf.c:1.77 libtiff/tools/tiff2pdf.c:1.78
|
||||
--- libtiff/tools/tiff2pdf.c:1.77 Tue Dec 9 21:53:30 2014
|
||||
+++ libtiff/tools/tiff2pdf.c Sun Dec 21 10:15:32 2014
|
||||
@@ -1167,6 +1167,15 @@
|
||||
if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
|
||||
&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
|
||||
TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
|
||||
+ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
|
||||
+ {
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Invalid tile count, %s",
|
||||
+ TIFFFileName(input));
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
|
||||
}
|
||||
if( t2p->tiff_tiles[i].tiles_tilecount > 0){
|
||||
@@ -1552,6 +1561,22 @@
|
||||
#endif
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
+ if( t2p->tiff_samplesperpixel != 3){
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Unsupported samplesperpixel = %d for CIELAB",
|
||||
+ t2p->tiff_samplesperpixel);
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
+ if( t2p->tiff_bitspersample != 8){
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Invalid bitspersample = %d for CIELAB",
|
||||
+ t2p->tiff_bitspersample);
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
t2p->pdf_labrange[0]= -127;
|
||||
t2p->pdf_labrange[1]= 127;
|
||||
t2p->pdf_labrange[2]= -127;
|
||||
@@ -1567,6 +1592,22 @@
|
||||
t2p->pdf_colorspace=T2P_CS_LAB;
|
||||
break;
|
||||
case PHOTOMETRIC_ITULAB:
|
||||
+ if( t2p->tiff_samplesperpixel != 3){
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Unsupported samplesperpixel = %d for ITULAB",
|
||||
+ t2p->tiff_samplesperpixel);
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
+ if( t2p->tiff_bitspersample != 8){
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Invalid bitspersample = %d for ITULAB",
|
||||
+ t2p->tiff_bitspersample);
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
t2p->pdf_labrange[0]=-85;
|
||||
t2p->pdf_labrange[1]=85;
|
||||
t2p->pdf_labrange[2]=-75;
|
||||
Index: libtiff/tools/tiffcrop.c
|
||||
diff -u libtiff/tools/tiffcrop.c:1.23 libtiff/tools/tiffcrop.c:1.24
|
||||
--- libtiff/tools/tiffcrop.c:1.23 Sun Dec 7 17:33:06 2014
|
||||
+++ libtiff/tools/tiffcrop.c Sun Dec 21 10:15:32 2014
|
||||
@@ -1205,9 +1205,10 @@
|
||||
tsize_t tilesize = TIFFTileSize(out);
|
||||
unsigned char *tilebuf = NULL;
|
||||
|
||||
- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
|
||||
- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
|
||||
- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
|
||||
+ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
|
||||
+ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
|
||||
+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
|
||||
+ return 1;
|
||||
|
||||
tile_buffsize = tilesize;
|
||||
if (tilesize < (tsize_t)(tl * tile_rowsize))
|
||||
Index: libtiff/tools/tiffdump.c
|
||||
diff -u libtiff/tools/tiffdump.c:1.28 libtiff/tools/tiffdump.c:1.29
|
||||
--- libtiff/tools/tiffdump.c:1.28 Sat Dec 6 10:58:44 2014
|
||||
+++ libtiff/tools/tiffdump.c Sun Dec 21 10:15:32 2014
|
||||
@@ -374,6 +374,8 @@
|
||||
void* datamem;
|
||||
uint64 dataoffset;
|
||||
int datatruncated;
|
||||
+ int datasizeoverflow;
|
||||
+
|
||||
tag = *(uint16*)dp;
|
||||
if (swabflag)
|
||||
TIFFSwabShort(&tag);
|
||||
@@ -412,13 +414,14 @@
|
||||
else
|
||||
typewidth = datawidth[type];
|
||||
datasize = count*typewidth;
|
||||
+ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count);
|
||||
datafits = 1;
|
||||
datamem = dp;
|
||||
dataoffset = 0;
|
||||
datatruncated = 0;
|
||||
if (!bigtiff)
|
||||
{
|
||||
- if (datasize>4)
|
||||
+ if (datasizeoverflow || datasize>4)
|
||||
{
|
||||
uint32 dataoffset32;
|
||||
datafits = 0;
|
||||
@@ -432,7 +435,7 @@
|
||||
}
|
||||
else
|
||||
{
|
||||
- if (datasize>8)
|
||||
+ if (datasizeoverflow || datasize>8)
|
||||
{
|
||||
datafits = 0;
|
||||
datamem = NULL;
|
||||
@@ -442,7 +445,7 @@
|
||||
}
|
||||
dp += sizeof(uint64);
|
||||
}
|
||||
- if (datasize>0x10000)
|
||||
+ if (datasizeoverflow || datasize>0x10000)
|
||||
{
|
||||
datatruncated = 1;
|
||||
count = 0x10000/typewidth;
|
47
erouault.2857.patch
Normal file
47
erouault.2857.patch
Normal file
@ -0,0 +1,47 @@
|
||||
---------------------
|
||||
PatchSet 2857
|
||||
Date: 2014/12/21 18:28:37
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
|
||||
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
|
||||
Description: fix for Debian bug #741451
|
||||
tiffcp crashes when converting JPEG-encoded TIFF to a different
|
||||
encoding (like none or lzw). For example this will probably fail:
|
||||
tiffcp -c none jpeg_encoded_file.tif output.tif
|
||||
The reason is that when the input file contains JPEG data,
|
||||
the tiffcp code forces conversion to RGB space. However,
|
||||
the output normally inherits YCbCr subsampling parameters
|
||||
from the input, which leads to a smaller working buffer
|
||||
than necessary. The buffer is subsequently overrun inside
|
||||
cpStripToTile() (called from writeBufferToContigTiles).
|
||||
Note that the resulting TIFF file would be scrambled even
|
||||
if tiffcp wouldn't crash, since the output file would contain
|
||||
RGB data intepreted as subsampled YCbCr values.
|
||||
This patch fixes the problem by forcing RGB space on the output
|
||||
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
|
||||
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
|
||||
|
||||
Members:
|
||||
ChangeLog:1.961->1.962
|
||||
tools/tiffcp.c:1.50->1.51
|
||||
|
||||
Index: libtiff/tools/tiffcp.c
|
||||
diff -u libtiff/tools/tiffcp.c:1.50 libtiff/tools/tiffcp.c:1.51
|
||||
--- libtiff/tools/tiffcp.c:1.50 Tue Mar 5 22:35:09 2013
|
||||
+++ libtiff/tools/tiffcp.c Sun Dec 21 11:28:37 2014
|
||||
@@ -633,6 +633,12 @@
|
||||
TIFFSetField(out, TIFFTAG_PHOTOMETRIC,
|
||||
samplesperpixel == 1 ?
|
||||
PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV);
|
||||
+ else if (input_compression == COMPRESSION_JPEG &&
|
||||
+ samplesperpixel == 3 ) {
|
||||
+ /* RGB conversion was forced above
|
||||
+ hence the output will be of the same type */
|
||||
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB);
|
||||
+ }
|
||||
else
|
||||
CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT);
|
||||
if (fillorder != 0)
|
35
erouault.2858.patch
Normal file
35
erouault.2858.patch
Normal file
@ -0,0 +1,35 @@
|
||||
---------------------
|
||||
PatchSet 2858
|
||||
Date: 2014/12/21 19:36:36
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* tools/tiff2pdf.c: check return code of TIFFGetField() when reading
|
||||
TIFFTAG_SAMPLESPERPIXEL
|
||||
|
||||
Members:
|
||||
ChangeLog:1.962->1.963
|
||||
tools/tiff2pdf.c:1.78->1.79
|
||||
|
||||
Index: libtiff/tools/tiff2pdf.c
|
||||
diff -u libtiff/tools/tiff2pdf.c:1.78 libtiff/tools/tiff2pdf.c:1.79
|
||||
--- libtiff/tools/tiff2pdf.c:1.78 Sun Dec 21 10:15:32 2014
|
||||
+++ libtiff/tools/tiff2pdf.c Sun Dec 21 12:36:36 2014
|
||||
@@ -1166,7 +1166,15 @@
|
||||
t2p->tiff_pages[i].page_tilecount;
|
||||
if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
|
||||
&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
|
||||
- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
|
||||
+ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) )
|
||||
+ {
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Missing SamplesPerPixel, %s",
|
||||
+ TIFFFileName(input));
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
|
||||
{
|
||||
TIFFError(
|
47
erouault.2859.patch
Normal file
47
erouault.2859.patch
Normal file
@ -0,0 +1,47 @@
|
||||
---------------------
|
||||
PatchSet 2859
|
||||
Date: 2014/12/21 20:07:48
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
|
||||
|
||||
Members:
|
||||
ChangeLog:1.963->1.964
|
||||
libtiff/tif_next.c:1.14->1.15
|
||||
|
||||
|
||||
Index: libtiff/libtiff/tif_next.c
|
||||
diff -u libtiff/libtiff/tif_next.c:1.14 libtiff/libtiff/tif_next.c:1.15
|
||||
--- libtiff/libtiff/tif_next.c:1.14 Sun Dec 21 10:15:32 2014
|
||||
+++ libtiff/libtiff/tif_next.c Sun Dec 21 13:07:48 2014
|
||||
@@ -141,10 +141,27 @@
|
||||
return (0);
|
||||
}
|
||||
|
||||
+static int
|
||||
+NeXTPreDecode(TIFF* tif, uint16 s)
|
||||
+{
|
||||
+ static const char module[] = "NeXTPreDecode";
|
||||
+ TIFFDirectory *td = &tif->tif_dir;
|
||||
+ (void)s;
|
||||
+
|
||||
+ if( td->td_bitspersample != 2 )
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
|
||||
+ td->td_bitspersample);
|
||||
+ return (0);
|
||||
+ }
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
int
|
||||
TIFFInitNeXT(TIFF* tif, int scheme)
|
||||
{
|
||||
(void) scheme;
|
||||
+ tif->tif_predecode = NeXTPreDecode;
|
||||
tif->tif_decoderow = NeXTDecode;
|
||||
tif->tif_decodestrip = NeXTDecode;
|
||||
tif->tif_decodetile = NeXTDecode;
|
85
erouault.2860.patch
Normal file
85
erouault.2860.patch
Normal file
@ -0,0 +1,85 @@
|
||||
---------------------
|
||||
PatchSet 2860
|
||||
Date: 2014/12/21 20:52:42
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS
|
||||
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
|
||||
COMPRESSION_CCITTFAX4
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
|
||||
|
||||
Members:
|
||||
ChangeLog:1.964->1.965
|
||||
tools/thumbnail.c:1.17->1.18
|
||||
tools/tiffcmp.c:1.16->1.17
|
||||
|
||||
|
||||
Index: libtiff/tools/thumbnail.c
|
||||
diff -u libtiff/tools/thumbnail.c:1.17 libtiff/tools/thumbnail.c:1.18
|
||||
--- libtiff/tools/thumbnail.c:1.17 Sun Dec 7 17:33:06 2014
|
||||
+++ libtiff/tools/thumbnail.c Sun Dec 21 13:52:42 2014
|
||||
@@ -274,7 +274,26 @@
|
||||
{
|
||||
struct cpTag *p;
|
||||
for (p = tags; p < &tags[NTAGS]; p++)
|
||||
- cpTag(in, out, p->tag, p->count, p->type);
|
||||
+ {
|
||||
+ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */
|
||||
+ /* if we request a tag that is defined in a codec, but that codec */
|
||||
+ /* isn't used */
|
||||
+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
|
||||
+ {
|
||||
+ uint16 compression;
|
||||
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
|
||||
+ compression != COMPRESSION_CCITTFAX3 )
|
||||
+ continue;
|
||||
+ }
|
||||
+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
|
||||
+ {
|
||||
+ uint16 compression;
|
||||
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
|
||||
+ compression != COMPRESSION_CCITTFAX4 )
|
||||
+ continue;
|
||||
+ }
|
||||
+ cpTag(in, out, p->tag, p->count, p->type);
|
||||
+ }
|
||||
}
|
||||
#undef NTAGS
|
||||
|
||||
Index: libtiff/tools/tiffcmp.c
|
||||
diff -u libtiff/tools/tiffcmp.c:1.16 libtiff/tools/tiffcmp.c:1.17
|
||||
--- libtiff/tools/tiffcmp.c:1.16 Wed Mar 10 13:56:50 2010
|
||||
+++ libtiff/tools/tiffcmp.c Sun Dec 21 13:52:42 2014
|
||||
@@ -260,6 +260,7 @@
|
||||
static int
|
||||
cmptags(TIFF* tif1, TIFF* tif2)
|
||||
{
|
||||
+ uint16 compression1, compression2;
|
||||
CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType");
|
||||
CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth");
|
||||
CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength");
|
||||
@@ -276,8 +277,20 @@
|
||||
CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat");
|
||||
CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution");
|
||||
CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution");
|
||||
- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
|
||||
- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
|
||||
+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
|
||||
+ compression1 == COMPRESSION_CCITTFAX3 &&
|
||||
+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
|
||||
+ compression2 == COMPRESSION_CCITTFAX3 )
|
||||
+ {
|
||||
+ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
|
||||
+ }
|
||||
+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
|
||||
+ compression1 == COMPRESSION_CCITTFAX4 &&
|
||||
+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
|
||||
+ compression2 == COMPRESSION_CCITTFAX4 )
|
||||
+ {
|
||||
+ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
|
||||
+ }
|
||||
CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit");
|
||||
CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration");
|
||||
CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip");
|
33
erouault.2861.patch
Normal file
33
erouault.2861.patch
Normal file
@ -0,0 +1,33 @@
|
||||
---------------------
|
||||
PatchSet 2861
|
||||
Date: 2014/12/21 21:53:59
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* tools/thumbnail.c: fix out-of-buffer write
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
|
||||
|
||||
Members:
|
||||
ChangeLog:1.965->1.966
|
||||
tools/thumbnail.c:1.18->1.19
|
||||
|
||||
Index: libtiff/tools/thumbnail.c
|
||||
diff -u libtiff/tools/thumbnail.c:1.18 libtiff/tools/thumbnail.c:1.19
|
||||
--- libtiff/tools/thumbnail.c:1.18 Sun Dec 21 13:52:42 2014
|
||||
+++ libtiff/tools/thumbnail.c Sun Dec 21 14:53:59 2014
|
||||
@@ -568,7 +568,13 @@
|
||||
err -= limit;
|
||||
sy++;
|
||||
if (err >= limit)
|
||||
- rows[nrows++] = br + bpr*sy;
|
||||
+ {
|
||||
+ /* We should perhaps error loudly, but I can't make sense of that */
|
||||
+ /* code... */
|
||||
+ if( nrows == 256 )
|
||||
+ break;
|
||||
+ rows[nrows++] = br + bpr*sy;
|
||||
+ }
|
||||
}
|
||||
setrow(row, nrows, rows);
|
||||
row += tnw;
|
44
erouault.2862.patch
Normal file
44
erouault.2862.patch
Normal file
@ -0,0 +1,44 @@
|
||||
---------------------
|
||||
PatchSet 2862
|
||||
Date: 2014/12/21 22:04:31
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES
|
||||
copying. The right fix would be to properly copy it, but not worth the burden
|
||||
for those esoteric utilities.
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
|
||||
|
||||
Members:
|
||||
ChangeLog:1.966->1.967
|
||||
tools/pal2rgb.c:1.13->1.14
|
||||
tools/thumbnail.c:1.19->1.20
|
||||
|
||||
|
||||
Index: libtiff/tools/pal2rgb.c
|
||||
diff -u libtiff/tools/pal2rgb.c:1.13 libtiff/tools/pal2rgb.c:1.14
|
||||
--- libtiff/tools/pal2rgb.c:1.13 Fri Jul 2 07:02:56 2010
|
||||
+++ libtiff/tools/pal2rgb.c Sun Dec 21 15:04:31 2014
|
||||
@@ -372,7 +372,7 @@
|
||||
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
|
||||
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
|
||||
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
|
||||
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
|
||||
+ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
|
||||
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
|
||||
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
|
||||
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
|
||||
Index: libtiff/tools/thumbnail.c
|
||||
diff -u libtiff/tools/thumbnail.c:1.19 libtiff/tools/thumbnail.c:1.20
|
||||
--- libtiff/tools/thumbnail.c:1.19 Sun Dec 21 14:53:59 2014
|
||||
+++ libtiff/tools/thumbnail.c Sun Dec 21 15:04:31 2014
|
||||
@@ -257,7 +257,7 @@
|
||||
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
|
||||
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
|
||||
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
|
||||
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
|
||||
+ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
|
||||
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
|
||||
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
|
||||
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
|
31
erouault.2863.patch
Normal file
31
erouault.2863.patch
Normal file
@ -0,0 +1,31 @@
|
||||
---------------------
|
||||
PatchSet 2863
|
||||
Date: 2014/12/21 22:58:29
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* tools/tiff2bw.c: when Photometric=RGB, the utility only works if
|
||||
SamplesPerPixel = 3. Enforce that
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
|
||||
|
||||
Members:
|
||||
ChangeLog:1.967->1.968
|
||||
tools/tiff2bw.c:1.16->1.17
|
||||
|
||||
Index: libtiff/tools/tiff2bw.c
|
||||
diff -u libtiff/tools/tiff2bw.c:1.16 libtiff/tools/tiff2bw.c:1.17
|
||||
--- libtiff/tools/tiff2bw.c:1.16 Thu May 2 09:44:29 2013
|
||||
+++ libtiff/tools/tiff2bw.c Sun Dec 21 15:58:30 2014
|
||||
@@ -171,6 +171,11 @@
|
||||
argv[optind], samplesperpixel);
|
||||
return (-1);
|
||||
}
|
||||
+ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
|
||||
+ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
|
||||
+ argv[optind], samplesperpixel);
|
||||
+ return (-1);
|
||||
+ }
|
||||
TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
|
||||
if (bitspersample != 8) {
|
||||
fprintf(stderr,
|
90
erouault.2876.patch
Normal file
90
erouault.2876.patch
Normal file
@ -0,0 +1,90 @@
|
||||
---------------------
|
||||
PatchSet 2876
|
||||
Date: 2014/12/29 14:09:11
|
||||
Author: erouault
|
||||
Branch: HEAD
|
||||
Tag: (none)
|
||||
Log:
|
||||
* libtiff/tif_next.c: add new tests to check that we don't read outside of
|
||||
the compressed input stream buffer.
|
||||
|
||||
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
|
||||
|
||||
Members:
|
||||
ChangeLog:1.980->1.981
|
||||
libtiff/tif_getimage.c:1.85->1.86
|
||||
libtiff/tif_next.c:1.15->1.16
|
||||
|
||||
Index: libtiff/libtiff/tif_getimage.c
|
||||
diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86
|
||||
--- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014
|
||||
+++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014
|
||||
@@ -1871,7 +1871,7 @@
|
||||
|
||||
(void) y;
|
||||
fromskew = (fromskew * 10) / 4;
|
||||
- if ((h & 3) == 0 && (w & 1) == 0) {
|
||||
+ if ((w & 3) == 0 && (h & 1) == 0) {
|
||||
for (; h >= 2; h -= 2) {
|
||||
x = w>>2;
|
||||
do {
|
||||
@@ -1948,7 +1948,7 @@
|
||||
/* XXX adjust fromskew */
|
||||
do {
|
||||
x = w>>2;
|
||||
- do {
|
||||
+ while(x>0) {
|
||||
int32 Cb = pp[4];
|
||||
int32 Cr = pp[5];
|
||||
|
||||
@@ -1959,7 +1959,8 @@
|
||||
|
||||
cp += 4;
|
||||
pp += 6;
|
||||
- } while (--x);
|
||||
+ x--;
|
||||
+ }
|
||||
|
||||
if( (w&3) != 0 )
|
||||
{
|
||||
@@ -2050,7 +2051,7 @@
|
||||
fromskew = (fromskew * 4) / 2;
|
||||
do {
|
||||
x = w>>1;
|
||||
- do {
|
||||
+ while(x>0) {
|
||||
int32 Cb = pp[2];
|
||||
int32 Cr = pp[3];
|
||||
|
||||
@@ -2059,7 +2060,8 @@
|
||||
|
||||
cp += 2;
|
||||
pp += 4;
|
||||
- } while (--x);
|
||||
+ x --;
|
||||
+ }
|
||||
|
||||
if( (w&1) != 0 )
|
||||
{
|
||||
Index: libtiff/libtiff/tif_next.c
|
||||
diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16
|
||||
--- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014
|
||||
+++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014
|
||||
@@ -71,7 +71,7 @@
|
||||
TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
|
||||
return (0);
|
||||
}
|
||||
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
|
||||
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
|
||||
n = *bp++, cc--;
|
||||
switch (n) {
|
||||
case LITERALROW:
|
||||
@@ -90,6 +90,8 @@
|
||||
* The scanline has a literal span that begins at some
|
||||
* offset.
|
||||
*/
|
||||
+ if( cc < 4 )
|
||||
+ goto bad;
|
||||
off = (bp[0] * 256) + bp[1];
|
||||
n = (bp[2] * 256) + bp[3];
|
||||
if (cc < 4+n || off+n > scanline)
|
16
tiff-dither-malloc-check.patch
Normal file
16
tiff-dither-malloc-check.patch
Normal file
@ -0,0 +1,16 @@
|
||||
Index: tools/tiffdither.c
|
||||
===================================================================
|
||||
--- tools/tiffdither.c.orig 2015-02-18 13:06:47.972867055 +0100
|
||||
+++ tools/tiffdither.c 2015-02-18 13:12:03.759562692 +0100
|
||||
@@ -77,6 +77,11 @@
|
||||
outlinesize = TIFFScanlineSize(out);
|
||||
outline = (unsigned char *) _TIFFmalloc(outlinesize);
|
||||
|
||||
+ if (! (inputline && thisline && nextline && outline)) {
|
||||
+ fprintf(stderr, "Out of memory.\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Get first line
|
||||
*/
|
12
tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
Normal file
12
tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
Normal file
@ -0,0 +1,12 @@
|
||||
Index: libtiff/tif_dirinfo.c
|
||||
===================================================================
|
||||
--- libtiff/tif_dirinfo.c.orig 2015-02-20 10:55:07.511497649 +0100
|
||||
+++ libtiff/tif_dirinfo.c 2015-02-20 18:25:36.187965859 +0100
|
||||
@@ -141,6 +141,7 @@
|
||||
{ TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL },
|
||||
{ TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
|
||||
{ TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
|
||||
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
|
||||
/* begin DNG tags */
|
||||
{ TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
|
||||
{ TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },
|
12
tiff-handle-TIFFTAG_PREDICTOR.patch
Normal file
12
tiff-handle-TIFFTAG_PREDICTOR.patch
Normal file
@ -0,0 +1,12 @@
|
||||
Index: libtiff/tif_dirinfo.c
|
||||
===================================================================
|
||||
--- libtiff/tif_dirinfo.c.orig 2015-02-20 18:38:55.798039584 +0100
|
||||
+++ libtiff/tif_dirinfo.c 2015-02-20 18:58:50.474095885 +0100
|
||||
@@ -142,6 +142,7 @@
|
||||
{ TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
|
||||
{ TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
|
||||
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
|
||||
+ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL },
|
||||
/* begin DNG tags */
|
||||
{ TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
|
||||
{ TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },
|
20
tiff.changes
20
tiff.changes
@ -1,3 +1,23 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 26 13:58:54 UTC 2015 - pgajdos@suse.com
|
||||
|
||||
- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128,
|
||||
CVE-2014-8129, CVE-2014-8130, CVE-2015-1547
|
||||
bnc#914890, bnc#916925, bnc#916927
|
||||
+ erouault.2856.patch
|
||||
+ erouault.2857.patch
|
||||
+ erouault.2858.patch
|
||||
+ erouault.2859.patch
|
||||
+ erouault.2860.patch
|
||||
+ erouault.2861.patch
|
||||
+ erouault.2862.patch
|
||||
+ erouault.2863.patch
|
||||
+ erouault.2876.patch
|
||||
+ bfriesen.2805.patch
|
||||
+ tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
|
||||
+ tiff-handle-TIFFTAG_PREDICTOR.patch
|
||||
+ tiff-dither-malloc-check.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 22 19:58:43 UTC 2014 - meissner@suse.com
|
||||
|
||||
|
29
tiff.spec
29
tiff.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package tiff
|
||||
#
|
||||
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -60,6 +60,20 @@ Patch8: tiff-4.0.3-CVE-2013-4232.patch
|
||||
Patch9: tiff-4.0.3-CVE-2013-4231.patch
|
||||
Patch10: tiff-4.0.3-CVE-2013-4244.patch
|
||||
Patch11: tiff-4.0.3-CVE-2013-4243.patch
|
||||
Patch12: erouault.2856.patch
|
||||
Patch13: erouault.2857.patch
|
||||
Patch14: erouault.2858.patch
|
||||
Patch15: erouault.2859.patch
|
||||
Patch16: erouault.2860.patch
|
||||
Patch17: erouault.2861.patch
|
||||
Patch18: erouault.2862.patch
|
||||
Patch19: erouault.2863.patch
|
||||
Patch20: erouault.2876.patch
|
||||
Patch21: bfriesen.2805.patch
|
||||
Patch22: tiff-dither-malloc-check.patch
|
||||
Patch23: tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
|
||||
Patch24: tiff-handle-TIFFTAG_PREDICTOR.patch
|
||||
|
||||
# FYI: this issue is solved another way
|
||||
# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
|
||||
# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
|
||||
@ -115,6 +129,19 @@ the libtiff library.
|
||||
%patch9
|
||||
%patch10
|
||||
%patch11
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22
|
||||
%patch23
|
||||
%patch24
|
||||
|
||||
%build
|
||||
CFLAGS="$RPM_OPT_FLAGS -fPIE"
|
||||
|
Loading…
Reference in New Issue
Block a user