Accepting request 67297 from graphics

Accepted submit request 67297 from user coolo OBS-URL: https://build.opensuse.org/request/show/67297 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=29
2011-04-14 13:06:42 +00:00 · 2011-04-14 13:06:42 +00:00 · e09c112462
commit e09c112462
parent e33da85bbc 11986f854c
12 changed files with 17 additions and 229 deletions
--- a/tiff-3.9.4-CVE-2011-0192.patch
+++ b/tiff-3.9.4-CVE-2011-0192.patch
@ -1,29 +0,0 @@
 Protect against a fax VL(n) codeword commanding a move left.  Without
 this, a malicious input file can generate an indefinitely large series
 of runs without a0 ever reaching the right margin, thus overrunning
 our buffer of run lengths.  Per CVE-2011-0192.  This is a modified
 version of a patch proposed by Drew Yao of Apple Product Security.
 It adds an unexpected() report, and disallows the equality case except
 for the first run of a line, since emitting a run without increasing a0
 still allows buffer overrun.  (We have to allow it for the first run to
 cover the case of encoding a zero-length run at start of line using VL.)
 http://bugzilla.maptools.org/show_bug.cgi?id=2297
 diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
 --- libtiff/tif_fax3.h	2010-06-08 14:50:42.000000000 -0400
 +++ libtiff/tif_fax3.h	2011-03-10 12:11:20.850839162 -0500
@@ -478,6 +478,12 @@
 	    break;							\
 	case S_VL:							\
 	    CHECK_b1;							\
 +	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
 +		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
 +		    unexpected("VL", a0);				\
 +		    goto eol2d;						\
 +		}							\
 +	    }								\
 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
 	    b1 -= *--pb;						\
 	    break;							\
--- a/tiff-3.9.4-CVE-2011-1167.patch
+++ b/tiff-3.9.4-CVE-2011-1167.patch
@ -1,68 +0,0 @@
 Index: libtiff/tif_thunder.c
 ===================================================================
 --- libtiff/tif_thunder.c.orig
 +++ libtiff/tif_thunder.c
@@ -25,6 +25,7 @@
  */
 #include "tiffiop.h"
 +#include <assert.h>
 #ifdef THUNDER_SUPPORT
 /*
  * TIFF Library.
@@ -55,12 +56,32 @@
 static const int twobitdeltas[4] = { 0, 1, 0, -1 };
 static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
 -#define	SETPIXEL(op, v) { \
 -	lastpixel = (v) & 0xf; \
 -	if (npixels++ & 1) \
 -	    *op++ |= lastpixel; \
 -	else \
 +#define	SETPIXEL(op, v) {                     \
 +	lastpixel = (v) & 0xf;                \
 +        if ( npixels < maxpixels )         \
 +        {                                     \
 +	  if (npixels++ & 1)                  \
 +	    *op++ |= lastpixel;               \
 +	  else                                \
 	    op[0] = (tidataval_t) (lastpixel << 4); \
 +        }                                     \
 +}
 +
 +static int
 +ThunderSetupDecode(TIFF* tif)
 +{
 +	static const char module[] = "ThunderSetupDecode";
 +
 +        if( tif->tif_dir.td_bitspersample != 4 )
 +        {
 +                TIFFErrorExt(tif->tif_clientdata, module,
 +                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
 +                             (int) tif->tif_dir.td_bitspersample );
 +                return 0;
 +        }
 +        
 +
 +	return (1);
 }
 static int
@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
 		occ -= tif->tif_scanlinesize;
 		row += tif->tif_scanlinesize;
 	}
 -	return (1);
 +
 +        return (1);
 }
 int
@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
 	(void) scheme;
 	tif->tif_decoderow = ThunderDecodeRow;
 	tif->tif_decodestrip = ThunderDecodeRow;
 +        tif->tif_setupdecode = ThunderSetupDecode;
 	return (1);
 }
 #endif /* THUNDER_SUPPORT */
--- a/tiff-3.9.4-getimage-64bit.patch
+++ b/tiff-3.9.4-getimage-64bit.patch
@ -1,41 +0,0 @@
 diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
 --- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
 +++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-10 15:07:28.000000000 -0400
@@ -1846,6 +1846,7 @@
 DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
 {
 	uint32* cp2;
 +	int32 incr = 2*toskew+w;
 	(void) y;
 	fromskew = (fromskew / 2) * 6;
 	cp2 = cp+w+toskew;
@@ -1872,8 +1873,8 @@
 			cp2 ++ ;
 			pp += 6;
 		}
 -		cp += toskew*2+w;
 -		cp2 += toskew*2+w;
 +		cp += incr;
 +		cp2 += incr;
 		pp += fromskew;
 		h-=2;
 	}
@@ -1939,6 +1940,7 @@
 DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
 {
 	uint32* cp2;
 +	int32 incr = 2*toskew+w;
 	(void) y;
 	fromskew = (fromskew / 2) * 4;
 	cp2 = cp+w+toskew;
@@ -1953,8 +1955,8 @@
 			cp2 ++;
 			pp += 4;
 		} while (--x);
 -		cp += toskew*2+w;
 -		cp2 += toskew*2+w;
 +		cp += incr;
 +		cp2 += incr;
 		pp += fromskew;
 		h-=2;
 	}
--- a/tiff-3.9.4-oob-read.patch
+++ b/tiff-3.9.4-oob-read.patch
@ -1,12 +0,0 @@
 diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
 --- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
 +++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-11 12:06:47.000000000 -0400
@@ -2397,7 +2397,7 @@
 			}
 			break;
 		case PHOTOMETRIC_YCBCR:
 -			if (img->bitspersample == 8)
 +			if ((img->bitspersample==8) && (img->samplesperpixel==3))
 			{
 				if (initYCbCrConversion(img)!=0)
 				{
--- a/tiff-3.9.4-scanlinesize.patch
+++ b/tiff-3.9.4-scanlinesize.patch
@ -1,65 +0,0 @@
 diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
 --- tiff-3.9.2.orig/libtiff/tif_jpeg.c	2009-08-30 12:21:46.000000000 -0400
 +++ tiff-3.9.2/libtiff/tif_jpeg.c	2010-01-05 22:40:40.000000000 -0500
@@ -988,8 +988,15 @@
 	tsize_t nrows;
 	(void) s;
 -	/* data is expected to be read in multiples of a scanline */
 -	if ( (nrows = sp->cinfo.d.image_height) ) {
 +    nrows = cc / sp->bytesperline;
 +    if (cc % sp->bytesperline)
 +		TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
 +
 +    if( nrows > (int) sp->cinfo.d.image_height )
 +        nrows = sp->cinfo.d.image_height;
 +
 +    /* data is expected to be read in multiples of a scanline */
 +    if (nrows) {
 		/* Cb,Cr both have sampling factors 1, so this is correct */
 		JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;            
 		int samples_per_clump = sp->samplesperclump;
@@ -1087,8 +1094,7 @@
 			 * TODO: resolve this */
 			buf += sp->bytesperline;
 			cc -= sp->bytesperline;
 -			nrows -= sp->v_sampling;
 -		} while (nrows > 0);
 +		} while (--nrows > 0);
 #ifdef JPEG_LIB_MK1
 		_TIFFfree(tmpbuf);
 diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
 --- tiff-3.9.2.orig/libtiff/tif_strip.c	2006-03-25 13:04:35.000000000 -0500
 +++ tiff-3.9.2/libtiff/tif_strip.c	2010-01-05 21:39:20.000000000 -0500
@@ -238,23 +238,19 @@
 				     ycbcrsubsampling + 0,
 				     ycbcrsubsampling + 1);
 -			if (ycbcrsubsampling[0] == 0) {
 +			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
 					     "Invalid YCbCr subsampling");
 				return 0;
 			}
 -			scanline = TIFFroundup(td->td_imagewidth,
 +			/* number of sample clumps per line */
 +			scanline = TIFFhowmany(td->td_imagewidth,
 					       ycbcrsubsampling[0]);
 -			scanline = TIFFhowmany8(multiply(tif, scanline,
 -							 td->td_bitspersample,
 -							 "TIFFScanlineSize"));
 -			return ((tsize_t)
 -				summarize(tif, scanline,
 -					  multiply(tif, 2,
 -						scanline / ycbcrsubsampling[0],
 -						"TIFFVStripSize"),
 -					  "TIFFVStripSize"));
 +			/* number of samples per line */
 +			scanline = multiply(tif, scanline,
 +					    ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
 +					    "TIFFScanlineSize");
 		} else {
 			scanline = multiply(tif, td->td_imagewidth,
 					    td->td_samplesperpixel,
--- a/tiff-3.9.4.tar.bz2
+++ b/tiff-3.9.4.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a2102a511ebee0d99d769e70efe017c7a114cd17c98f338dd5e073a6b61cd6ba
 size 1116882
--- a/tiff-3.9.5-dont-fancy-upsampling.patch
+++ b/tiff-3.9.5-dont-fancy-upsampling.patch
--- a/tiff-3.9.5-seek.patch
+++ b/tiff-3.9.5-seek.patch
--- a/tiff-3.9.5-tiff2pdf-colors.patch
+++ b/tiff-3.9.5-tiff2pdf-colors.patch
--- a/tiff-3.9.5.tar.bz2
+++ b/tiff-3.9.5.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:69d6692ca085662b33aee0775efcd29a7d92c073289949142e2359787bd7c469
 size 1180957
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,16 @@
 -------------------------------------------------------------------
 Thu Apr 14 14:02:12 CEST 2011 - pgajdos@suse.cz
 - updated to 3.9.5:
  * fixed integer overflow CVE-2010-4665
  * fixed buffer overflow in ojpeg decoder
  * upstreamed:
    - oob-read.patch
    - CVE-2011-0192.patch
    - getimage-64bit.patch
    - CVE-2011-1167.patch
    - scanlinesize.patch
 -------------------------------------------------------------------
 Thu Mar 31 21:49:49 CEST 2011 - pgajdos@suse.cz
--- a/tiff.spec
+++ b/tiff.spec
@ -28,7 +28,7 @@ Obsoletes:      tiff-64bit
 %endif
 #
 Url:            http://www.remotesensing.org/libtiff/
-Version:        3.9.4
+Version:        3.9.5
 Release:        4
 Summary:        Tools for Converting from and to the Tiff  Format
 Source:         tiff-%{version}.tar.bz2
@ -36,12 +36,7 @@ Source2:        README.SUSE
 Source3:        baselibs.conf
 Patch2:         tiff-%{version}-seek.patch
 Patch3:         tiff-%{version}-tiff2pdf-colors.patch
 Patch6:         tiff-%{version}-oob-read.patch
 Patch7:         tiff-%{version}-getimage-64bit.patch
 Patch8:         tiff-%{version}-scanlinesize.patch
 Patch9:         tiff-%{version}-dont-fancy-upsampling.patch
 Patch10:        tiff-%{version}-CVE-2011-0192.patch
 Patch11:        tiff-3.9.4-CVE-2011-1167.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@ -103,12 +98,7 @@ the libtiff library.
 %setup -q 
 %patch2
 %patch3 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10
 %patch11
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755