From c734e623721e45eae0a078566f810ea70605c4264cfe34681294bcd1ff32daef Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Tue, 20 Jun 2017 08:59:59 +0000
Subject: [PATCH] 4.0.8

OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=103
---
 tiff-4.0.7-CVE-2015-7554.patch | 18 --
 tiff-4.0.7-CVE-2017-5225.patch | 54 ----
 tiff-4.0.7-TIFFTAG_FAXRECVPARAMS.patch | 16 --
 tiff-4.0.7.tar.gz | 3 -
 tiff-4.0.8.tar.gz | 3 +
 tiff-CVE-2016-10266.patch | 24 --
 tiff-CVE-2016-10267.patch | 33 ---
 tiff-CVE-2016-10268.patch | 11 -
 tiff-CVE-2016-10269.patch | 85 ------
 tiff-CVE-2016-10270.patch | 77 ------
 tiff-CVE-2016-10271.patch | 11 -
 tiff-CVE-2016-10272.patch | 11 -
 tiff.changes | 345 ++++++++++++++++++++++++-
 tiff.spec | 28 +-
 14 files changed, 342 insertions(+), 377 deletions(-)
 delete mode 100644 tiff-4.0.7-CVE-2015-7554.patch
 delete mode 100644 tiff-4.0.7-CVE-2017-5225.patch
 delete mode 100644 tiff-4.0.7-TIFFTAG_FAXRECVPARAMS.patch
 delete mode 100644 tiff-4.0.7.tar.gz
 create mode 100644 tiff-4.0.8.tar.gz
 delete mode 100644 tiff-CVE-2016-10266.patch
 delete mode 100644 tiff-CVE-2016-10267.patch
 delete mode 100644 tiff-CVE-2016-10268.patch
 delete mode 100644 tiff-CVE-2016-10269.patch
 delete mode 100644 tiff-CVE-2016-10270.patch
 delete mode 100644 tiff-CVE-2016-10271.patch
 delete mode 100644 tiff-CVE-2016-10272.patch
diff --git a/tiff-4.0.7-CVE-2015-7554.patch b/tiff-4.0.7-CVE-2015-7554.patch
deleted file mode 100644
index 585d0ef..0000000
--- a/tiff-4.0.7-CVE-2015-7554.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- libtiff/tif_dirinfo.c 12 Dec 2015 18:04:26 -0000 1.124
-+++ libtiff/tif_dirinfo.c 12 Jan 2016 15:01:21 -0000
-@@ -87,6 +87,7 @@
- { TIFFTAG_DATETIME, 20, 20, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "DateTime", NULL },
- { TIFFTAG_ARTIST, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Artist", NULL },
- { TIFFTAG_HOSTCOMPUTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "HostComputer", NULL },
-+ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CODEC+0, FALSE, FALSE, "Predictor", NULL },
- { TIFFTAG_WHITEPOINT, 2, 2, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "WhitePoint", NULL },
- { TIFFTAG_PRIMARYCHROMATICITIES, 6, 6, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "PrimaryChromaticities", NULL },
- { TIFFTAG_COLORMAP, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_OTHER, TIFF_SETGET_UNDEFINED, FIELD_COLORMAP, 1, 0, "ColorMap", NULL },
-@@ -95,6 +96,7 @@
- { TIFFTAG_TILELENGTH, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UNDEFINED, FIELD_TILEDIMENSIONS, 0, 0, "TileLength", NULL },
- { TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL },
- { TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL },
-+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
- { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
- { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
- { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
diff --git a/tiff-4.0.7-CVE-2017-5225.patch b/tiff-4.0.7-CVE-2017-5225.patch
deleted file mode 100644
index 502c606..0000000
--- a/tiff-4.0.7-CVE-2017-5225.patch
+++ /dev/null
@@ -1,54 +0,0 @@
---- tiff-4.0.7/tools/tiffcp.c 2016-10-12 03:45:17.405273596 +0200
-+++ tiff-4.0.7/tools/tiffcp.c 2017-01-13 10:56:23.389485957 +0100
-@@ -592,7 +592,7 @@
- static int
- tiffcp(TIFF* in, TIFF* out)
- {
-- uint16 bitspersample, samplesperpixel = 1;
-+ uint16 bitspersample = 1, samplesperpixel = 1;
- uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
- copyFunc cf;
- uint32 width, length;
-@@ -1068,6 +1068,16 @@
- register uint32 n;
- uint32 row;
- tsample_t s;
-+ uint16 bps = 0;
-+
-+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
-+ if( bps != 8 )
-+ {
-+ TIFFError(TIFFFileName(in),
-+ "Error, can only handle BitsPerSample=8 in %s",
-+ "cpContig2SeparateByRow");
-+ return 0;
-+ }
- 
- inbuf = _TIFFmalloc(scanlinesizein);
- outbuf = _TIFFmalloc(scanlinesizeout);
-@@ -1121,6 +1131,16 @@
- register uint32 n;
- uint32 row;
- tsample_t s;
-+ uint16 bps = 0;
-+
-+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
-+ if( bps != 8 )
-+ {
-+ TIFFError(TIFFFileName(in),
-+ "Error, can only handle BitsPerSample=8 in %s",
-+ "cpSeparate2ContigByRow");
-+ return 0;
-+ }
- 
- inbuf = _TIFFmalloc(scanlinesizein);
- outbuf = _TIFFmalloc(scanlinesizeout);
-@@ -1763,7 +1783,7 @@
- uint32 w, l, tw, tl;
- int bychunk;
- 
-- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
-+ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
- if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
- fprintf(stderr,
- "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
diff --git a/tiff-4.0.7-TIFFTAG_FAXRECVPARAMS.patch b/tiff-4.0.7-TIFFTAG_FAXRECVPARAMS.patch
deleted file mode 100644
index 2fd02ab..0000000
--- a/tiff-4.0.7-TIFFTAG_FAXRECVPARAMS.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- a/libtiff/tif_fax3.h
-+++ b/libtiff/tif_fax3.h
-@@ -81,10 +81,12 @@ extern void _TIFFFax3fillruns(unsigned char*, uint32*, uint32*, uint32);
- #define S_MakeUp 11
- #define S_EOL 12
- 
-+/* WARNING: do not change the layout of this structure as the Halyfax software */
-+/* really depends on it. See http://bugzilla.maptools.org/show_bug.cgi?id=2636 */
- typedef struct { /* state table entry */
- unsigned char State; /* see above */
- unsigned char Width; /* width of code in bits */
-- uint16 Param; /* unsigned 16-bit run length in bits */
-+ uint32 Param; /* unsigned 32-bit run length in bits (holds on 16 bit actually, but cannot be changed. See above warning) */
- } TIFFFaxTabEnt;
- 
- extern const TIFFFaxTabEnt TIFFFaxMainTable[];
diff --git a/tiff-4.0.7.tar.gz b/tiff-4.0.7.tar.gz
deleted file mode 100644
index 50c863d..0000000
--- a/tiff-4.0.7.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019
-size 2076392
diff --git a/tiff-4.0.8.tar.gz b/tiff-4.0.8.tar.gz
new file mode 100644
index 0000000..bba6cd6
--- /dev/null
+++ b/tiff-4.0.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910
+size 2065574
diff --git a/tiff-CVE-2016-10266.patch b/tiff-CVE-2016-10266.patch
deleted file mode 100644
index 775d786..0000000
--- a/tiff-CVE-2016-10266.patch
+++ /dev/null
@@ -1,24 +0,0 @@
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- rowsperstrip=td->td_rowsperstrip;
- if (rowsperstrip>td->td_imagelength)
- rowsperstrip=td->td_imagelength;
-- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
-+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
- stripinplane=(strip%stripsperplane);
- plane=(uint16)(strip/stripsperplane);
- rows=td->td_imagelength-stripinplane*rowsperstrip;
---- a/libtiff/tiffiop.h
-+++ b/libtiff/tiffiop.h
-@@ -250,6 +250,10 @@ struct tiff {
- #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
- ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
- 0U)
-+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
-+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
-+#define TIFFhowmany_32_maxuint_compat(x, y) \
-+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
- #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
- #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
- #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
diff --git a/tiff-CVE-2016-10267.patch b/tiff-CVE-2016-10267.patch
deleted file mode 100644
index be101a8..0000000
--- a/tiff-CVE-2016-10267.patch
+++ /dev/null
@@ -1,33 +0,0 @@
---- a/libtiff/tif_ojpeg.c
-+++ b/libtiff/tif_ojpeg.c
-@@ -244,6 +244,7 @@ typedef enum {
- 
- typedef struct {
- TIFF* tif;
-+ int decoder_ok;
- #ifndef LIBJPEG_ENCAP_EXTERNAL
- JMP_BUF exit_jmpbuf;
- #endif
-@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
- }
- sp->write_curstrile++;
- }
-+ sp->decoder_ok = 1;
- return(1);
- }
- 
-@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
- static int
- OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
- {
-+ static const char module[]="OJPEGDecode";
- OJPEGState* sp=(OJPEGState*)tif->tif_data;
- (void)s;
-+ if( !sp->decoder_ok )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
-+ return 0;
-+ }
- if (sp->libjpeg_jpeg_query_style==0)
- {
- if (OJPEGDecodeRaw(tif,buf,cc)==0)
diff --git a/tiff-CVE-2016-10268.patch b/tiff-CVE-2016-10268.patch
deleted file mode 100644
index b99a291..0000000
--- a/tiff-CVE-2016-10268.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)
- tstrip_t s, ns = TIFFNumberOfStrips(in);
- uint32 row = 0;
- _TIFFmemset(buf, 0, stripsize);
-- for (s = 0; s < ns; s++) {
-+ for (s = 0; s < ns && row < imagelength; s++) {
- tsize_t cc = (row + rowsperstrip > imagelength) ?
- TIFFVStripSize(in, imagelength - row) : stripsize;
- if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
diff --git a/tiff-CVE-2016-10269.patch b/tiff-CVE-2016-10269.patch
deleted file mode 100644
index dae9c24..0000000
--- a/tiff-CVE-2016-10269.patch
+++ /dev/null
@@ -1,85 +0,0 @@
---- a/libtiff/tif_luv.c
-+++ b/libtiff/tif_luv.c
-@@ -158,6 +158,7 @@
- typedef struct logLuvState LogLuvState;
- 
- struct logLuvState {
-+ int encoder_state; /* 1 if encoder correctly initialized */
- int user_datafmt; /* user data format */
- int encode_meth; /* encoding method */
- int pixel_size; /* bytes per pixel */
-@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
- td->td_photometric, "must be either LogLUV or LogL");
- break;
- }
-+ sp->encoder_state = 1;
- return (1);
- notsupported:
- TIFFErrorExt(tif->tif_clientdata, module,
-@@ -1563,19 +1565,27 @@ notsupported:
- static void
- LogLuvClose(TIFF* tif)
- {
-+ LogLuvState* sp = (LogLuvState*) tif->tif_data;
- TIFFDirectory *td = &tif->tif_dir;
- 
-+ assert(sp != 0);
- /*
- * For consistency, we always want to write out the same
- * bitspersample and sampleformat for our TIFF file,
- * regardless of the data format being used by the application.
- * Since this routine is called after tags have been set but
- * before they have been recorded in the file, we reset them here.
-+ * Note: this is really a nasty approach. See PixarLogClose
- */
-- td->td_samplesperpixel =
-- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
-- td->td_bitspersample = 16;
-- td->td_sampleformat = SAMPLEFORMAT_INT;
-+ if( sp->encoder_state )
-+ {
-+ /* See PixarLogClose. Might avoid issues with tags whose size depends
-+ * on those below, but not completely sure this is enough. */
-+ td->td_samplesperpixel =
-+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
-+ td->td_bitspersample = 16;
-+ td->td_sampleformat = SAMPLEFORMAT_INT;
-+ }
- }
- 
- static void
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
- static void
- PixarLogClose(TIFF* tif)
- {
-+ PixarLogState* sp = (PixarLogState*) tif->tif_data;
- TIFFDirectory *td = &tif->tif_dir;
- 
-+ assert(sp != 0);
- /* In a really sneaky (and really incorrect, and untruthful, and
- * troublesome, and error-prone) maneuver that completely goes against
- * the spirit of TIFF, and breaks TIFF, on close, we covertly
-@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
- * readers that don't know about PixarLog, or how to set
- * the PIXARLOGDATFMT pseudo-tag.
- */
-- td->td_bitspersample = 8;
-- td->td_sampleformat = SAMPLEFORMAT_UINT;
-+
-+ if (sp->state&PLSTATE_INIT) {
-+ /* We test the state to avoid an issue such as in
-+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
-+ * What appends in that case is that the bitspersample is 1 and
-+ * a TransferFunction is set. The size of the TransferFunction
-+ * depends on 1<td_bitspersample = 8;
-+ td->td_sampleformat = SAMPLEFORMAT_UINT;
-+ }
- }
- 
- static void
diff --git a/tiff-CVE-2016-10270.patch b/tiff-CVE-2016-10270.patch
deleted file mode 100644
index c8ac7ce..0000000
--- a/tiff-CVE-2016-10270.patch
+++ /dev/null
@@ -1,77 +0,0 @@
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
- uint64 rowblockbytes;
- uint64 stripbytes;
- uint32 strip;
-- uint64 nstrips64;
-- uint32 nstrips32;
-+ uint32 nstrips;
- uint32 rowsperstrip;
- uint64* newcounts;
- uint64* newoffsets;
-@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
- return;
- 
- /*
-- * never increase the number of strips in an image
-+ * never increase the number of rows per strip
- */
- if (rowsperstrip >= td->td_rowsperstrip)
- return;
-- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
-- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
-- return;
-- nstrips32 = (uint32)nstrips64;
-+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
-+ if( nstrips == 0 )
-+ return;
- 
-- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
-+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
- "for chopped \"StripByteCounts\" array");
-- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
-+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
- "for chopped \"StripOffsets\" array");
- if (newcounts == NULL || newoffsets == NULL) {
- /*
-@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
- * Fill the strip information arrays with new bytecounts and offsets
- * that reflect the broken-up format.
- */
-- for (strip = 0; strip < nstrips32; strip++) {
-+ for (strip = 0; strip < nstrips; strip++) {
- if (stripbytes > bytecount)
- stripbytes = bytecount;
- newcounts[strip] = stripbytes;
-- newoffsets[strip] = offset;
-+ newoffsets[strip] = stripbytes ? offset : 0;
- offset += stripbytes;
- bytecount -= stripbytes;
- }
- /*
- * Replace old single strip info with multi-strip info.
- */
-- td->td_stripsperimage = td->td_nstrips = nstrips32;
-+ td->td_stripsperimage = td->td_nstrips = nstrips;
- TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- 
- _TIFFfree(td->td_stripbytecount);
---- a/libtiff/tif_strip.c
-+++ b/libtiff/tif_strip.c
-@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
- TIFFDirectory *td = &tif->tif_dir;
- uint32 nstrips;
- 
-- /* If the value was already computed and store in td_nstrips, then return it,
-- since ChopUpSingleUncompressedStrip might have altered and resized the
-- since the td_stripbytecount and td_stripoffset arrays to the new value
-- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-- tif_dirread.c ~line 3612.
-- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-- if( td->td_nstrips )
-- return td->td_nstrips;
--
- nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
- TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
- if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff --git a/tiff-CVE-2016-10271.patch b/tiff-CVE-2016-10271.patch
deleted file mode 100644
index 919cb82..0000000
--- a/tiff-CVE-2016-10271.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
- (unsigned long) strip, (unsigned long)rows);
- return 0;
- }
-- bufp += bytes_read;
-+ bufp += stripsize;
- }
- 
- return 1;
diff --git a/tiff-CVE-2016-10272.patch b/tiff-CVE-2016-10272.patch
deleted file mode 100644
index fbb47b1..0000000
--- a/tiff-CVE-2016-10272.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -2895,7 +2895,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
- return(0);
- }
- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
-- if (count >= 4) {
-+ if (count > 4) {
- /* Ignore EOI marker of JpegTables */
- _TIFFmemcpy(buffer, jpt, count - 2);
- bufferoffset += count - 2;
diff --git a/tiff.changes b/tiff.changes
index 268f073..6395aa8 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,334 @@ +------------------------------------------------------------------- +Tue Jun 20 08:15:57 UTC 2017 - fstrba@suse.com + +- Upgrade to upstream relaase 4.0.8 + * libtiff/tif_getimage.c, libtiff/tif_open.c + + add parenthesis to fix cppcheck clarifyCalculation warnings + * libtiff/tif_predict.c, libtiff/tif_print.c + + fix printf unsigned vs signed formatting (cppcheck + invalidPrintfArgType_uint warnings) + * libtiff/tif_read.c, libtiff/tiffiop.h + + fix uint32 overflow in TIFFReadEncodedStrip() that caused an + integer division by zero. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 + * libtiff/tif_pixarlog.c, libtiff/tif_luv.c + + fix heap-based buffer overflow on generation of PixarLog / LUV + compressed files, with ColorMap, TransferFunction attached and + nasty plays with bitspersample. The fix for LUV has not been + tested, but suffers from the same kind of issue of PixarLog. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 + * libtiff/tif_strip.c + + revert the change in TIFFNumberOfStrips() done for + http://bugzilla.maptools.org/show_bug.cgi?id=2587 / + CVE-2016-9273 since the above change is a better fix that + makes it unnecessary. + * libtiff/tif_dirread.c + + modify ChopUpSingleUncompressedStrip() to instanciate compute + ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), + instead of a logic based on the total size of data. Which is + faulty is the total size of data is not sufficient to fill the + whole image, and thus results in reading outside of the + StripByCounts/StripOffsets arrays when using + TIFFReadScanline(). Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. + * libtiff/tif_ojpeg.c + + make OJPEGDecode() early exit in case of failure in + OJPEGPreDecode(). This will avoid a divide by zero, and + potential other issues. Reported by Agostino Sarubbo. 
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 + * libtiff/tif_write.c + + fix misleading indentation as warned by GCC. + * libtiff/tif_fax3.h + + revert change done on 2016-01-09 that made Param member of + TIFFFaxTabEnt structure a uint16 to reduce size of the + binary. It happens that the Hylafax software uses the tables + that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, + TIFFFaxBlackTable), although they are not in a public libtiff + header. Raised by Lee Howard. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636 + * libtiff/tiffio.h, libtiff/tif_getimage.c + + add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants + of the functions without ext, with an extra argument to control + the stop_on_error behaviour. + * libtiff/tif_getimage.c + + fix potential memory leaks in error code path of + TIFFRGBAImageBegin(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627 + * libtiff/tif_jpeg.c + + increase libjpeg max memory usable to 10 MB instead of libjpeg + 1MB default. This helps when creating files with "big" tile, + without using libjpeg temporary files. + Related to https://trac.osgeo.org/gdal/ticket/6757 + * libtiff/tif_jpeg.c + + avoid integer division by zero in JPEGSetupEncode() when + horizontal or vertical sampling is set to 0. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653 + * libtiff/tif_dirwrite.c + + in TIFFWriteDirectoryTagCheckedRational, replace assertion by + runtime check to error out if passed value is strictly + negative. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535 + * libtiff/tif_dirread.c + + avoid division by floating point 0 in + TIFFReadDirEntryCheckedRational() and + TIFFReadDirEntryCheckedSrational(), and return 0 in that case + (instead of infinity as before presumably) Apparently some + sanitizers do not like those divisions by zero. 
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644 + * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c + + implement various clampings of double to other data types to + avoid undefined behaviour if the output range isn't big enough + to hold the input value. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 + http://bugzilla.maptools.org/show_bug.cgi?id=2642 + http://bugzilla.maptools.org/show_bug.cgi?id=2646 + http://bugzilla.maptools.org/show_bug.cgi?id=2647 + * libtiff/tif_jpeg.c + + validate BitsPerSample in JPEGSetupEncode() to avoid undefined + behaviour caused by invalid shift exponent. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 + * libtiff/tif_read.c + + avoid potential undefined behaviour on signed integer addition + in TIFFReadRawStrip1() in isMapped() case. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 + * libtiff/tif_getimage.c + + add explicit uint32 cast in putagreytile to avoid + UndefinedBehaviorSanitizer warning. Patch by Nicolas Pena. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658 + * libtiff/tif_read.c + + TIFFReadBufferSetup(): use _TIFFcalloc() to zero initialize + tif_rawdata. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 + * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c + + add _TIFFcalloc() + * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c + + return 0 in Encode functions instead of -1 when + TIFFFlushData1() fails. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130 + * libtiff/tif_ojpeg.c + + fix leak in OJPEGReadHeaderInfoSecTablesQTable, + OJPEGReadHeaderInfoSecTablesDcTable and + OJPEGReadHeaderInfoSecTablesAcTable when read fails. Patch by + Nicolas Pena. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 + * libtiff/tif_jpeg.c + + only run JPEGFixupTagsSubsampling() if the YCbCrSubsampling + tag is not explicitly present. This helps a bit to reduce the + I/O amount when the tag is present (especially on cloud hosted + files). 
+ * libtiff/tif_lzw.c + + in LZWPostEncode(), increase, if necessary, the code bit-width + after flushing the remaining code and before emitting the EOI + code. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982 + * libtiff/tif_pixarlog.c + + fix memory leak in error code path of PixarLogSetupDecode(). + Patch by Nicolas Pena. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665 + * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c + + fix GCC 7 -Wimplicit-fallthrough warnings. + * libtiff/tif_dirread.c + + fix memory leak in non DEFER_STRILE_LOAD mode (ie default) + when there is both a StripOffsets and TileOffsets tag, or a + StripByteCounts and TileByteCounts + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689 + * libtiff/tif_ojpeg.c + + fix potential memory leak in + OJPEGReadHeaderInfoSecTablesQTable, + OJPEGReadHeaderInfoSecTablesDcTable and + OJPEGReadHeaderInfoSecTablesAcTable + Patch by Nicolas Pena. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670 + * libtiff/tif_fax3.c + + avoid crash in Fax3Close() on empty file. Patch by Alan + Coopersmith + complement by myself. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673 + * libtiff/tif_read.c + + TIFFFillStrip(): add limitation to the number of bytes read + in case td_stripbytecount[strip] is bigger than reasonable, + so as to avoid excessive memory allocation. + * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c + + fix memory leak when the underlying codec (ZIP, PixarLog) + succeeds its setupdecode() method, but PredictorSetup fails. + Credit to OSS-Fuzz (locally run, on GDAL) + * libtiff/tif_read.c + + TIFFFillStrip() and TIFFFillTile(): avoid excessive memory + allocation in case of shorten files. Only effective on 64 bit + builds and non-mapped cases. + Credit to OSS-Fuzz (locally run, on GDAL) + * libtiff/tif_read.c + + TIFFFillStripPartial() / TIFFSeek(), avoid potential integer + overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode. 
+ Should especially occur on 32 bit platforms. + * libtiff/tif_read.c + + TIFFFillStripPartial() + + avoid excessive memory allocation in case of shorten files. + Only effective on 64 bit builds. + Credit to OSS-Fuzz (locally run, on GDAL) + * libtiff/tif_read.c + + update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with + tif_rawdataloaded when calling TIFFStartStrip() or + TIFFFillStripPartial(). This avoids reading beyond tif_rawdata + when bytecount > tif_rawdatasize. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545. + Credit to OSS-Fuzz + * libtiff/tif_color.c + + avoid potential int32 overflow in TIFFYCbCrToRGBInit() Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533 + Credit to OSS-Fuzz + * libtiff/tif_pixarlog.c, tif_luv.c + + avoid potential int32 overflows in multiply_ms() and add_ms(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 + Credit to OSS-Fuzz + * libtiff/tif_packbits.c + + fix out-of-buffer read in PackBitsDecode() Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 + Credit to OSS-Fuzz + * libtiff/tif_luv.c + + LogL16InitState(): avoid excessive memory allocation when + RowsPerStrip tag is missing. + Credit to OSS-Fuzz (locally run, on GDAL) + * libtiff/tif_lzw.c + + update dec_bitsleft at beginning of LZWDecode(), and update + tif_rawcc at end of LZWDecode(). This is needed to properly + work with the latest chnges in tif_read.c in + CHUNKY_STRIP_READ_SUPPORT mode. + * libtiff/tif_pixarlog.c + + PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc + with avail_in at beginning and end of function, similarly to + what is done in LZWDecode(). Likely needed so that it works + properly with latest chnges in tif_read.c in + CHUNKY_STRIP_READ_SUPPORT mode. But untested... + * libtiff/tif_getimage.c + + initYCbCrConversion(): add basic validation of luma and + refBlackWhite coefficients (just check they are not NaN for + now), to avoid potential float to int overflows. 
Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 + Credit to OSS Fuzz + * libtiff/tif_read.c + + _TIFFVSetField(): fix outside range cast of double to float. + Credit to Google Autofuzz project + * libtiff/tif_getimage.c + + initYCbCrConversion(): check luma[1] is not zero to avoid + division by zero. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 + Credit to OSS Fuzz + * libtiff/tif_read.c + + _TIFFVSetField(): fix outside range cast of double to float. + Credit to Google Autofuzz project + * libtiff/tif_getimage.c + + initYCbCrConversion(): check luma[1] is not zero to avoid + division by zero. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 + Credit to OSS Fuzz + * libtiff/tif_getimage.c + + initYCbCrConversion(): stricter validation for refBlackWhite + coefficients values. To avoid invalid float->int32 conversion. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 + Credit to OSS Fuzz + * tools/fax2tiff.c (main) + + Applied patch by Joerg Ahrens to fix passing client data for + Win32 builds using tif_win32.c (USE_WIN32_FILEIO defined) for + file I/O. Patch was provided via email on November 20, 2016. + * tools/tiffcp.c + + avoid uint32 underflow in cpDecodedStrips that can cause + various issues, such as buffer overflows in the library. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 + * tools/tiffcrop.c + + fix readContigStripsIntoBuffer() in -i (ignore) mode so that + the output buffer is correctly incremented to avoid write + outside bounds. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 + * tools/tiffcrop.c + + add 3 extra bytes at end of strip buffer in + readSeparateStripsIntoBuffer() to avoid read outside of heap + allocated buffer. Reported by Agostino Sarubbo. 
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621 + * tools/tiffcrop.c + + fix integer division by zero when BitsPerSample is missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 + * tools/tiffinfo.c + + fix null pointer dereference in -r mode when the image has no + StripByteCount tag. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594 + * tools/tiffcp.c + + avoid potential division by zero is BitsPerSamples tag is + missing. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 + * tools/tif_dir.c + + when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, limit + the return number of inks to SamplesPerPixel, so that code + that parses ink names doesn't go past the end of the buffer. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 + * tools/tiffcp.c + + avoid potential division by zero is BitsPerSamples tag is + missing. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 + * tools/tiffcp.c + + fix uint32 underflow/overflow that can cause heap-based buffer + overflow. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 + * tools/tiffcp.c + + replace assert( (bps % 8) == 0 ) by a non assert check. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605 + * tools/tiff2ps.c + + fix 2 heap-based buffer overflows (in PSDataBW and + PSDataColorContig). Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and + http://bugzilla.maptools.org/show_bug.cgi?id=2634. + * tools/tiff2pdf.c + + prevent heap-based buffer overflow in -j mode on a paletted + image. Note: this fix errors out before the overflow happens. + There could probably be a better fix. 
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635 + * tools/tiff2pdf.c + + fix wrong usage of memcpy() that can trigger unspecified behaviour. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638 + * tools/tiff2pdf.c + + avoid potential invalid memory read in t2p_writeproc. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639 + * tools/tiff2pdf.c + + avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 + * tools/tiffcrop.c + + remove extraneous TIFFClose() in error code path, that caused + double free. + Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535 + * tools/tiffcp.c + + error out cleanly in cpContig2SeparateByRow and + cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap + based overflow. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + * tools/raw2tiff.c + + avoid integer division by zero. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631 + * tools/tiff2ps.c + + call TIFFClose() in error code paths. + * tools/fax2tiff.c + + emit appropriate message if the input file is empty. Patch by + Alan Coopersmith. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672 + * tools/tiff2bw.c + + close TIFF handle in error code path. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677 +- Removed patches: + * tiff-4.0.7-CVE-2015-7554.patch + * tiff-4.0.7-CVE-2017-5225.patch + * tiff-4.0.7-TIFFTAG_FAXRECVPARAMS.patch + * tiff-CVE-2016-10266.patch + * tiff-CVE-2016-10267.patch + * tiff-CVE-2016-10268.patch + * tiff-CVE-2016-10269.patch + * tiff-CVE-2016-10270.patch + * tiff-CVE-2016-10271.patch + * tiff-CVE-2016-10272.patch + + Fixed upstream + ------------------------------------------------------------------- Wed Mar 29 07:55:02 UTC 2017 - fstrba@suse.com 
@@ -26,14 +357,14 @@ Wed Mar 29 07:55:02 UTC 2017 - fstrba@suse.com crafted TIFF image (bsc#1031250) * tiff-CVE-2016-10271.patch + Upstream fix for CVE-2016-10271, LibTIFF 4.0.7 allows remote - attackers to cause a denial of service (heap-based buffer - over-read and buffer overflow) or possibly have unspecified - other impact via a crafted TIFF image (bsc#1031249) + attackers to cause a denial of service (heap-based buffer + over-read and buffer overflow) or possibly have unspecified + other impact via a crafted TIFF image (bsc#1031249) * tiff-CVE-2016-10272.patch + Upstream fix for CVE-2016-10272, LibTIFF 4.0.7 allows remote - attackers to cause a denial of service (heap-based buffer - overflow) or possibly have unspecified other impact via a - crafted TIFF image (bsc#1031247) + attackers to cause a denial of service (heap-based buffer + overflow) or possibly have unspecified other impact via a + crafted TIFF image (bsc#1031247) ------------------------------------------------------------------- Thu Feb 2 13:40:16 UTC 2017 - fstrba@suse.com @@ -203,7 +534,7 @@ Tue Nov 29 08:45:11 UTC 2016 - fstrba@suse.com a memcpy(). + TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() should return -1 in case of failure of tif_encodestrip() as documented - * tools/fax2tiff.c + * tools/fax2tiff.D c + Fix segfault when specifying -r without argument. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572 * tools/Makefile.am diff --git a/tiff.spec b/tiff.spec index 465f3e2..cf71c78 100644 --- a/tiff.spec +++ b/tiff.spec @@ -17,7 +17,7 @@ Name: tiff -Version: 4.0.7 +Version: 4.0.8 Release: 0 Summary: Tools for Converting from and to the Tagged Image File Format License: HPND 
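Review bot: The `@@ -203,7 +534,7 @@` hunk of tiff.changes rewrites the 2016-11-29 entry `* tools/fax2tiff.c` as `* tools/fax2tiff.D c`, which as shown here looks like a stray keystroke landing in a historical entry rather than an intended edit, and the 4.0.8 upgrade message gives no reason to touch that line. That `-`/`+` pair should be dropped so the entry stays `  * tools/fax2tiff.c`. The neighbouring `@@ -26,14 +357,14 @@` hunk only re-indents the continuation lines of the CVE-2016-10271 and CVE-2016-10272 entries and raises nothing.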
@@ -29,22 +29,6 @@ Source3: baselibs.conf
 Patch0: tiff-4.0.3-seek.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2442
 Patch1: tiff-4.0.3-compress-warning.patch
-# http://bugzilla.maptools.org/show_bug.cgi?id=2508
-Patch3: tiff-4.0.7-CVE-2015-7554.patch
-# http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
-# http://bugzilla.maptools.org/show_bug.cgi?id=2657
-Patch4: tiff-4.0.7-CVE-2017-5225.patch
-# http://http://bugzilla.maptools.org/show_bug.cgi?id=2636
-# bsc#1022103
-Patch5: tiff-4.0.7-TIFFTAG_FAXRECVPARAMS.patch
-
-Patch6: tiff-CVE-2016-10266.patch
-Patch7: tiff-CVE-2016-10267.patch
-Patch8: tiff-CVE-2016-10268.patch
-Patch9: tiff-CVE-2016-10269.patch
-Patch10: tiff-CVE-2016-10270.patch
-Patch11: tiff-CVE-2016-10271.patch
-Patch12: tiff-CVE-2016-10272.patch
 BuildRequires: gcc-c++
 BuildRequires: libjpeg-devel
@@ -108,16 +92,6 @@ the libtiff library.
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch3
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
 %build
 CFLAGS="%{optflags} -fPIE"
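Review bot: Dropping `Patch3: tiff-4.0.7-CVE-2015-7554.patch` (bug 2508) is the one removal in this hunk that the 4.0.8 changelog pasted into tiff.changes by this same commit does not back: every other removed patch maps to a listed upstream fix (2636 for the tif_fax3.h revert, 2656/2657 for CVE-2017-5225, 2596/2611/2598/2604/2608/2620/2640 for the CVE-2016-10266..10272 set), but no tif_dirinfo.c change and no bug 2508 appear in those entries, while the changelog still files the patch under "Fixed upstream". Before merging, confirm that 4.0.8's tif_dirinfo.c actually carries the `TIFFTAG_PREDICTOR` and `TIFFTAG_CONSECUTIVEBADFAXLINES` registrations that patch added; if it does not, keep the patch rebased as `Patch3:` plus `%patch3` rather than silently regressing a CVE fix, and in either case record the upstream commit that supersedes it next to the removal. The `%patch` removals in the second hunk otherwise match the `Patch:` removals one for one.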