Accepting request 35458 from graphics

Copy from graphics/tiff based on submit request 35458 from user pgajdos

OBS-URL: https://build.opensuse.org/request/show/35458
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=16

jpegint.h

@@ -1,392 +0,0 @@
-/*
- * jpegint.h
- *
- * Copyright (C) 1991-1997, Thomas G. Lane.
- * This file is part of the Independent JPEG Group's software.
- * For conditions of distribution and use, see the accompanying README file.
- *
- * This file provides common declarations for the various JPEG modules.
- * These declarations are considered internal to the JPEG library; most
- * applications using the library shouldn't need to include this file.
- */
-
-
-/* Declarations for both compression & decompression */
-
-typedef enum {			/* Operating modes for buffer controllers */
-	JBUF_PASS_THRU,		/* Plain stripwise operation */
-	/* Remaining modes require a full-image buffer to have been created */
-	JBUF_SAVE_SOURCE,	/* Run source subobject only, save output */
-	JBUF_CRANK_DEST,	/* Run dest subobject only, using saved data */
-	JBUF_SAVE_AND_PASS	/* Run both subobjects, save output */
-} J_BUF_MODE;
-
-/* Values of global_state field (jdapi.c has some dependencies on ordering!) */
-#define CSTATE_START	100	/* after create_compress */
-#define CSTATE_SCANNING	101	/* start_compress done, write_scanlines OK */
-#define CSTATE_RAW_OK	102	/* start_compress done, write_raw_data OK */
-#define CSTATE_WRCOEFS	103	/* jpeg_write_coefficients done */
-#define DSTATE_START	200	/* after create_decompress */
-#define DSTATE_INHEADER	201	/* reading header markers, no SOS yet */
-#define DSTATE_READY	202	/* found SOS, ready for start_decompress */
-#define DSTATE_PRELOAD	203	/* reading multiscan file in start_decompress*/
-#define DSTATE_PRESCAN	204	/* performing dummy pass for 2-pass quant */
-#define DSTATE_SCANNING	205	/* start_decompress done, read_scanlines OK */
-#define DSTATE_RAW_OK	206	/* start_decompress done, read_raw_data OK */
-#define DSTATE_BUFIMAGE	207	/* expecting jpeg_start_output */
-#define DSTATE_BUFPOST	208	/* looking for SOS/EOI in jpeg_finish_output */
-#define DSTATE_RDCOEFS	209	/* reading file in jpeg_read_coefficients */
-#define DSTATE_STOPPING	210	/* looking for EOI in jpeg_finish_decompress */
-
-
-/* Declarations for compression modules */
-
-/* Master control module */
-struct jpeg_comp_master {
-  JMETHOD(void, prepare_for_pass, (j_compress_ptr cinfo));
-  JMETHOD(void, pass_startup, (j_compress_ptr cinfo));
-  JMETHOD(void, finish_pass, (j_compress_ptr cinfo));
-
-  /* State variables made visible to other modules */
-  boolean call_pass_startup;	/* True if pass_startup must be called */
-  boolean is_last_pass;		/* True during last pass */
-};
-
-/* Main buffer control (downsampled-data buffer) */
-struct jpeg_c_main_controller {
-  JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode));
-  JMETHOD(void, process_data, (j_compress_ptr cinfo,
-			       JSAMPARRAY input_buf, JDIMENSION *in_row_ctr,
-			       JDIMENSION in_rows_avail));
-};
-
-/* Compression preprocessing (downsampling input buffer control) */
-struct jpeg_c_prep_controller {
-  JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode));
-  JMETHOD(void, pre_process_data, (j_compress_ptr cinfo,
-				   JSAMPARRAY input_buf,
-				   JDIMENSION *in_row_ctr,
-				   JDIMENSION in_rows_avail,
-				   JSAMPIMAGE output_buf,
-				   JDIMENSION *out_row_group_ctr,
-				   JDIMENSION out_row_groups_avail));
-};
-
-/* Coefficient buffer control */
-struct jpeg_c_coef_controller {
-  JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode));
-  JMETHOD(boolean, compress_data, (j_compress_ptr cinfo,
-				   JSAMPIMAGE input_buf));
-};
-
-/* Colorspace conversion */
-struct jpeg_color_converter {
-  JMETHOD(void, start_pass, (j_compress_ptr cinfo));
-  JMETHOD(void, color_convert, (j_compress_ptr cinfo,
-				JSAMPARRAY input_buf, JSAMPIMAGE output_buf,
-				JDIMENSION output_row, int num_rows));
-};
-
-/* Downsampling */
-struct jpeg_downsampler {
-  JMETHOD(void, start_pass, (j_compress_ptr cinfo));
-  JMETHOD(void, downsample, (j_compress_ptr cinfo,
-			     JSAMPIMAGE input_buf, JDIMENSION in_row_index,
-			     JSAMPIMAGE output_buf,
-			     JDIMENSION out_row_group_index));
-
-  boolean need_context_rows;	/* TRUE if need rows above & below */
-};
-
-/* Forward DCT (also controls coefficient quantization) */
-struct jpeg_forward_dct {
-  JMETHOD(void, start_pass, (j_compress_ptr cinfo));
-  /* perhaps this should be an array??? */
-  JMETHOD(void, forward_DCT, (j_compress_ptr cinfo,
-			      jpeg_component_info * compptr,
-			      JSAMPARRAY sample_data, JBLOCKROW coef_blocks,
-			      JDIMENSION start_row, JDIMENSION start_col,
-			      JDIMENSION num_blocks));
-};
-
-/* Entropy encoding */
-struct jpeg_entropy_encoder {
-  JMETHOD(void, start_pass, (j_compress_ptr cinfo, boolean gather_statistics));
-  JMETHOD(boolean, encode_mcu, (j_compress_ptr cinfo, JBLOCKROW *MCU_data));
-  JMETHOD(void, finish_pass, (j_compress_ptr cinfo));
-};
-
-/* Marker writing */
-struct jpeg_marker_writer {
-  JMETHOD(void, write_file_header, (j_compress_ptr cinfo));
-  JMETHOD(void, write_frame_header, (j_compress_ptr cinfo));
-  JMETHOD(void, write_scan_header, (j_compress_ptr cinfo));
-  JMETHOD(void, write_file_trailer, (j_compress_ptr cinfo));
-  JMETHOD(void, write_tables_only, (j_compress_ptr cinfo));
-  /* These routines are exported to allow insertion of extra markers */
-  /* Probably only COM and APPn markers should be written this way */
-  JMETHOD(void, write_marker_header, (j_compress_ptr cinfo, int marker,
-				      unsigned int datalen));
-  JMETHOD(void, write_marker_byte, (j_compress_ptr cinfo, int val));
-};
-
-
-/* Declarations for decompression modules */
-
-/* Master control module */
-struct jpeg_decomp_master {
-  JMETHOD(void, prepare_for_output_pass, (j_decompress_ptr cinfo));
-  JMETHOD(void, finish_output_pass, (j_decompress_ptr cinfo));
-
-  /* State variables made visible to other modules */
-  boolean is_dummy_pass;	/* True during 1st pass for 2-pass quant */
-};
-
-/* Input control module */
-struct jpeg_input_controller {
-  JMETHOD(int, consume_input, (j_decompress_ptr cinfo));
-  JMETHOD(void, reset_input_controller, (j_decompress_ptr cinfo));
-  JMETHOD(void, start_input_pass, (j_decompress_ptr cinfo));
-  JMETHOD(void, finish_input_pass, (j_decompress_ptr cinfo));
-
-  /* State variables made visible to other modules */
-  boolean has_multiple_scans;	/* True if file has multiple scans */
-  boolean eoi_reached;		/* True when EOI has been consumed */
-};
-
-/* Main buffer control (downsampled-data buffer) */
-struct jpeg_d_main_controller {
-  JMETHOD(void, start_pass, (j_decompress_ptr cinfo, J_BUF_MODE pass_mode));
-  JMETHOD(void, process_data, (j_decompress_ptr cinfo,
-			       JSAMPARRAY output_buf, JDIMENSION *out_row_ctr,
-			       JDIMENSION out_rows_avail));
-};
-
-/* Coefficient buffer control */
-struct jpeg_d_coef_controller {
-  JMETHOD(void, start_input_pass, (j_decompress_ptr cinfo));
-  JMETHOD(int, consume_data, (j_decompress_ptr cinfo));
-  JMETHOD(void, start_output_pass, (j_decompress_ptr cinfo));
-  JMETHOD(int, decompress_data, (j_decompress_ptr cinfo,
-				 JSAMPIMAGE output_buf));
-  /* Pointer to array of coefficient virtual arrays, or NULL if none */
-  jvirt_barray_ptr *coef_arrays;
-};
-
-/* Decompression postprocessing (color quantization buffer control) */
-struct jpeg_d_post_controller {
-  JMETHOD(void, start_pass, (j_decompress_ptr cinfo, J_BUF_MODE pass_mode));
-  JMETHOD(void, post_process_data, (j_decompress_ptr cinfo,
-				    JSAMPIMAGE input_buf,
-				    JDIMENSION *in_row_group_ctr,
-				    JDIMENSION in_row_groups_avail,
-				    JSAMPARRAY output_buf,
-				    JDIMENSION *out_row_ctr,
-				    JDIMENSION out_rows_avail));
-};
-
-/* Marker reading & parsing */
-struct jpeg_marker_reader {
-  JMETHOD(void, reset_marker_reader, (j_decompress_ptr cinfo));
-  /* Read markers until SOS or EOI.
-   * Returns same codes as are defined for jpeg_consume_input:
-   * JPEG_SUSPENDED, JPEG_REACHED_SOS, or JPEG_REACHED_EOI.
-   */
-  JMETHOD(int, read_markers, (j_decompress_ptr cinfo));
-  /* Read a restart marker --- exported for use by entropy decoder only */
-  jpeg_marker_parser_method read_restart_marker;
-
-  /* State of marker reader --- nominally internal, but applications
-   * supplying COM or APPn handlers might like to know the state.
-   */
-  boolean saw_SOI;		/* found SOI? */
-  boolean saw_SOF;		/* found SOF? */
-  int next_restart_num;		/* next restart number expected (0-7) */
-  unsigned int discarded_bytes;	/* # of bytes skipped looking for a marker */
-};
-
-/* Entropy decoding */
-struct jpeg_entropy_decoder {
-  JMETHOD(void, start_pass, (j_decompress_ptr cinfo));
-  JMETHOD(boolean, decode_mcu, (j_decompress_ptr cinfo,
-				JBLOCKROW *MCU_data));
-
-  /* This is here to share code between baseline and progressive decoders; */
-  /* other modules probably should not use it */
-  boolean insufficient_data;	/* set TRUE after emitting warning */
-};
-
-/* Inverse DCT (also performs dequantization) */
-typedef JMETHOD(void, inverse_DCT_method_ptr,
-		(j_decompress_ptr cinfo, jpeg_component_info * compptr,
-		 JCOEFPTR coef_block,
-		 JSAMPARRAY output_buf, JDIMENSION output_col));
-
-struct jpeg_inverse_dct {
-  JMETHOD(void, start_pass, (j_decompress_ptr cinfo));
-  /* It is useful to allow each component to have a separate IDCT method. */
-  inverse_DCT_method_ptr inverse_DCT[MAX_COMPONENTS];
-};
-
-/* Upsampling (note that upsampler must also call color converter) */
-struct jpeg_upsampler {
-  JMETHOD(void, start_pass, (j_decompress_ptr cinfo));
-  JMETHOD(void, upsample, (j_decompress_ptr cinfo,
-			   JSAMPIMAGE input_buf,
-			   JDIMENSION *in_row_group_ctr,
-			   JDIMENSION in_row_groups_avail,
-			   JSAMPARRAY output_buf,
-			   JDIMENSION *out_row_ctr,
-			   JDIMENSION out_rows_avail));
-
-  boolean need_context_rows;	/* TRUE if need rows above & below */
-};
-
-/* Colorspace conversion */
-struct jpeg_color_deconverter {
-  JMETHOD(void, start_pass, (j_decompress_ptr cinfo));
-  JMETHOD(void, color_convert, (j_decompress_ptr cinfo,
-				JSAMPIMAGE input_buf, JDIMENSION input_row,
-				JSAMPARRAY output_buf, int num_rows));
-};
-
-/* Color quantization or color precision reduction */
-struct jpeg_color_quantizer {
-  JMETHOD(void, start_pass, (j_decompress_ptr cinfo, boolean is_pre_scan));
-  JMETHOD(void, color_quantize, (j_decompress_ptr cinfo,
-				 JSAMPARRAY input_buf, JSAMPARRAY output_buf,
-				 int num_rows));
-  JMETHOD(void, finish_pass, (j_decompress_ptr cinfo));
-  JMETHOD(void, new_color_map, (j_decompress_ptr cinfo));
-};
-
-
-/* Miscellaneous useful macros */
-
-#undef MAX
-#define MAX(a,b)	((a) > (b) ? (a) : (b))
-#undef MIN
-#define MIN(a,b)	((a) < (b) ? (a) : (b))
-
-
-/* We assume that right shift corresponds to signed division by 2 with
- * rounding towards minus infinity.  This is correct for typical "arithmetic
- * shift" instructions that shift in copies of the sign bit.  But some
- * C compilers implement >> with an unsigned shift.  For these machines you
- * must define RIGHT_SHIFT_IS_UNSIGNED.
- * RIGHT_SHIFT provides a proper signed right shift of an INT32 quantity.
- * It is only applied with constant shift counts.  SHIFT_TEMPS must be
- * included in the variables of any routine using RIGHT_SHIFT.
- */
-
-#ifdef RIGHT_SHIFT_IS_UNSIGNED
-#define SHIFT_TEMPS	INT32 shift_temp;
-#define RIGHT_SHIFT(x,shft)  \
-	((shift_temp = (x)) < 0 ? \
-	 (shift_temp >> (shft)) | ((~((INT32) 0)) << (32-(shft))) : \
-	 (shift_temp >> (shft)))
-#else
-#define SHIFT_TEMPS
-#define RIGHT_SHIFT(x,shft)	((x) >> (shft))
-#endif
-
-
-/* Short forms of external names for systems with brain-damaged linkers. */
-
-#ifdef NEED_SHORT_EXTERNAL_NAMES
-#define jinit_compress_master	jICompress
-#define jinit_c_master_control	jICMaster
-#define jinit_c_main_controller	jICMainC
-#define jinit_c_prep_controller	jICPrepC
-#define jinit_c_coef_controller	jICCoefC
-#define jinit_color_converter	jICColor
-#define jinit_downsampler	jIDownsampler
-#define jinit_forward_dct	jIFDCT
-#define jinit_huff_encoder	jIHEncoder
-#define jinit_phuff_encoder	jIPHEncoder
-#define jinit_marker_writer	jIMWriter
-#define jinit_master_decompress	jIDMaster
-#define jinit_d_main_controller	jIDMainC
-#define jinit_d_coef_controller	jIDCoefC
-#define jinit_d_post_controller	jIDPostC
-#define jinit_input_controller	jIInCtlr
-#define jinit_marker_reader	jIMReader
-#define jinit_huff_decoder	jIHDecoder
-#define jinit_phuff_decoder	jIPHDecoder
-#define jinit_inverse_dct	jIIDCT
-#define jinit_upsampler		jIUpsampler
-#define jinit_color_deconverter	jIDColor
-#define jinit_1pass_quantizer	jI1Quant
-#define jinit_2pass_quantizer	jI2Quant
-#define jinit_merged_upsampler	jIMUpsampler
-#define jinit_memory_mgr	jIMemMgr
-#define jdiv_round_up		jDivRound
-#define jround_up		jRound
-#define jcopy_sample_rows	jCopySamples
-#define jcopy_block_row		jCopyBlocks
-#define jzero_far		jZeroFar
-#define jpeg_zigzag_order	jZIGTable
-#define jpeg_natural_order	jZAGTable
-#endif /* NEED_SHORT_EXTERNAL_NAMES */
-
-
-/* Compression module initialization routines */
-EXTERN(void) jinit_compress_master JPP((j_compress_ptr cinfo));
-EXTERN(void) jinit_c_master_control JPP((j_compress_ptr cinfo,
-					 boolean transcode_only));
-EXTERN(void) jinit_c_main_controller JPP((j_compress_ptr cinfo,
-					  boolean need_full_buffer));
-EXTERN(void) jinit_c_prep_controller JPP((j_compress_ptr cinfo,
-					  boolean need_full_buffer));
-EXTERN(void) jinit_c_coef_controller JPP((j_compress_ptr cinfo,
-					  boolean need_full_buffer));
-EXTERN(void) jinit_color_converter JPP((j_compress_ptr cinfo));
-EXTERN(void) jinit_downsampler JPP((j_compress_ptr cinfo));
-EXTERN(void) jinit_forward_dct JPP((j_compress_ptr cinfo));
-EXTERN(void) jinit_huff_encoder JPP((j_compress_ptr cinfo));
-EXTERN(void) jinit_phuff_encoder JPP((j_compress_ptr cinfo));
-EXTERN(void) jinit_marker_writer JPP((j_compress_ptr cinfo));
-/* Decompression module initialization routines */
-EXTERN(void) jinit_master_decompress JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_d_main_controller JPP((j_decompress_ptr cinfo,
-					  boolean need_full_buffer));
-EXTERN(void) jinit_d_coef_controller JPP((j_decompress_ptr cinfo,
-					  boolean need_full_buffer));
-EXTERN(void) jinit_d_post_controller JPP((j_decompress_ptr cinfo,
-					  boolean need_full_buffer));
-EXTERN(void) jinit_input_controller JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_marker_reader JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_huff_decoder JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_phuff_decoder JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_inverse_dct JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_upsampler JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_color_deconverter JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_1pass_quantizer JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_2pass_quantizer JPP((j_decompress_ptr cinfo));
-EXTERN(void) jinit_merged_upsampler JPP((j_decompress_ptr cinfo));
-/* Memory manager initialization */
-EXTERN(void) jinit_memory_mgr JPP((j_common_ptr cinfo));
-
-/* Utility routines in jutils.c */
-EXTERN(long) jdiv_round_up JPP((long a, long b));
-EXTERN(long) jround_up JPP((long a, long b));
-EXTERN(void) jcopy_sample_rows JPP((JSAMPARRAY input_array, int source_row,
-				    JSAMPARRAY output_array, int dest_row,
-				    int num_rows, JDIMENSION num_cols));
-EXTERN(void) jcopy_block_row JPP((JBLOCKROW input_row, JBLOCKROW output_row,
-				  JDIMENSION num_blocks));
-EXTERN(void) jzero_far JPP((void FAR * target, size_t bytestozero));
-/* Constant tables in jutils.c */
-#if 0				/* This table is not actually needed in v6a */
-extern const int jpeg_zigzag_order[]; /* natural coef order to zigzag order */
-#endif
-extern const int jpeg_natural_order[]; /* zigzag coef order to natural order */
-
-/* Suppress undefined-structure complaints if necessary. */
-
-#ifdef INCOMPLETE_TYPES_BROKEN
-#ifndef AM_MEMORY_MANAGER	/* only jmemmgr.c defines these */
-struct jvirt_sarray_control { long dummy; };
-struct jvirt_barray_control { long dummy; };
-#endif
-#endif /* INCOMPLETE_TYPES_BROKEN */

tiff-3.8.2-CVE-2009-2347.patch

@@ -1,170 +0,0 @@
-Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
-possible integer overflow in calculation of buffer sizes.
-
-CVE-2009-2347
-
-
-diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
---- tiff-3.8.2.orig/tools/rgb2ycbcr.c	2004-09-03 03:57:13.000000000 -0400
-+++ tiff-3.8.2/tools/rgb2ycbcr.c	2009-07-10 17:12:32.000000000 -0400
-@@ -202,6 +202,17 @@
- #undef LumaBlue
- #undef V2Code
- 
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+    tsize_t prod = m1 * m2;
-+
-+    if (m1 && prod / m1 != m2)
-+        prod = 0;		/* overflow */
-+
-+    return prod;
-+}
-+
- /*
-  * Convert a strip of RGB data to YCbCr and
-  * sample to generate the output data.
-@@ -278,10 +289,19 @@
- 	float floatv;
- 	char *stringv;
- 	uint32 longv;
-+	tsize_t raster_size;
- 
- 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
--	raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+
-+	raster_size = multiply(multiply(width, height), sizeof (uint32));
-+	if (!raster_size) {
-+		TIFFError(TIFFFileName(in),
-+			  "Can't allocate buffer for raster of size %lux%lu",
-+			  (unsigned long) width, (unsigned long) height);
-+		return (0);
-+	}
-+	raster = (uint32*)_TIFFmalloc(raster_size);
- 	if (raster == 0) {
- 		TIFFError(TIFFFileName(in), "No space for raster buffer");
- 		return (0);
-diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
---- tiff-3.8.2.orig/tools/tiff2rgba.c	2004-11-07 06:08:37.000000000 -0500
-+++ tiff-3.8.2/tools/tiff2rgba.c	2009-07-10 17:06:42.000000000 -0400
-@@ -124,6 +124,17 @@
-     return (0);
- }
- 
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+    tsize_t prod = m1 * m2;
-+
-+    if (m1 && prod / m1 != m2)
-+        prod = 0;		/* overflow */
-+
-+    return prod;
-+}
-+
- static int
- cvt_by_tile( TIFF *in, TIFF *out )
- 
-@@ -133,6 +144,7 @@
-     uint32  tile_width, tile_height;
-     uint32  row, col;
-     uint32  *wrk_line;
-+    tsize_t raster_size;
-     int	    ok = 1;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -150,7 +162,14 @@
-     /*
-      * Allocate tile buffer
-      */
--    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+    raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
-+    if (!raster_size) {
-+	TIFFError(TIFFFileName(in),
-+		  "Can't allocate buffer for raster of size %lux%lu",
-+		  (unsigned long) tile_width, (unsigned long) tile_height);
-+	return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -158,7 +177,7 @@
- 
-     /*
-      * Allocate a scanline buffer for swapping during the vertical
--     * mirroring pass.
-+     * mirroring pass.  (Request can't overflow given prior checks.)
-      */
-     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-     if (!wrk_line) {
-@@ -226,6 +245,7 @@
-     uint32  width, height;		/* image width & height */
-     uint32  row;
-     uint32  *wrk_line;
-+    tsize_t raster_size;
-     int	    ok = 1;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -241,7 +261,14 @@
-     /*
-      * Allocate strip buffer
-      */
--    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
-+    if (!raster_size) {
-+	TIFFError(TIFFFileName(in),
-+		  "Can't allocate buffer for raster of size %lux%lu",
-+		  (unsigned long) width, (unsigned long) rowsperstrip);
-+	return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -249,7 +276,7 @@
- 
-     /*
-      * Allocate a scanline buffer for swapping during the vertical
--     * mirroring pass.
-+     * mirroring pass.  (Request can't overflow given prior checks.)
-      */
-     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-     if (!wrk_line) {
-@@ -328,14 +355,22 @@
-     uint32* raster;			/* retrieve RGBA image */
-     uint32  width, height;		/* image width & height */
-     uint32  row;
--        
-+    tsize_t raster_size;
-+
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- 
-     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
-     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- 
--    raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+    raster_size = multiply(multiply(width, height), sizeof (uint32));
-+    if (!raster_size) {
-+	TIFFError(TIFFFileName(in),
-+		  "Can't allocate buffer for raster of size %lux%lu",
-+		  (unsigned long) width, (unsigned long) height);
-+	return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -353,7 +388,7 @@
-     */
-     if( no_alpha )
-     {
--        int	pixel_count = width * height;
-+        tsize_t  pixel_count = (tsize_t) width * (tsize_t) height;
-         unsigned char *src, *dst;
- 
-         src = (unsigned char *) raster;
-

tiff-3.8.2-bnc444079.patch

@@ -1,11 +0,0 @@
---- libtiff/tif_dirread.c
-+++ libtiff/tif_dirread.c
-@@ -870,7 +870,7 @@
- 
- 	register TIFFDirEntry *dp;
- 	register TIFFDirectory *td = &tif->tif_dir;
--	uint16 i;
-+	uint32 i;
- 
- 	if (td->td_stripbytecount)
- 		_TIFFfree(td->td_stripbytecount);

tiff-3.8.2-lzw-CVE-2009-2285.patch

@@ -1,20 +0,0 @@
---- libtiff/tif_lzw.c
-+++ libtiff/tif_lzw.c
-@@ -422,7 +422,7 @@
- 			if (code == CODE_EOI)
- 				break;
- 
--                       if (code == CODE_CLEAR) {
-+                       if (code >= CODE_CLEAR) {
-                                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                                "LZWDecode: Corrupted LZW table at scanline %d",
-                                tif->tif_row);
-@@ -625,7 +625,7 @@
- 			NextCode(tif, sp, bp, code, GetNextCodeCompat);
- 			if (code == CODE_EOI)
- 				break;
--                       if (code == CODE_CLEAR) {
-+                       if (code >= CODE_CLEAR) {
-                                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                                "LZWDecode: Corrupted LZW table at scanline %d",
-                                tif->tif_row);

tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch

@@ -1,41 +0,0 @@
---- libtiff/tif_lzw.c
-+++ libtiff/tif_lzw.c
-@@ -237,6 +237,11 @@
-                     sp->dec_codetab[code].length = 1;
-                     sp->dec_codetab[code].next = NULL;
-                 } while (code--);
-+               /*
-+                * Zero-out the unused entries
-+                */
-+                _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
-+                (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
- 	}
- 	return (1);
- }
-@@ -416,6 +421,13 @@
- 			NextCode(tif, sp, bp, code, GetNextCode);
- 			if (code == CODE_EOI)
- 				break;
-+
-+                       if (code == CODE_CLEAR) {
-+                               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+                               "LZWDecode: Corrupted LZW table at scanline %d",
-+                               tif->tif_row);
-+                               return (0);
-+                       }
- 			*op++ = (char)code, occ--;
- 			oldcodep = sp->dec_codetab + code;
- 			continue;
-@@ -613,6 +625,12 @@
- 			NextCode(tif, sp, bp, code, GetNextCodeCompat);
- 			if (code == CODE_EOI)
- 				break;
-+                       if (code == CODE_CLEAR) {
-+                               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+                               "LZWDecode: Corrupted LZW table at scanline %d",
-+                               tif->tif_row);
-+                               return (0);
-+                       }
- 			*op++ = code, occ--;
- 			oldcodep = sp->dec_codetab + code;
- 			continue;

tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch

@@ -1,19 +0,0 @@
---- libtiff/tif_lzw.c
-+++ libtiff/tif_lzw.c
-@@ -408,6 +408,8 @@
- 			break;
- 		if (code == CODE_CLEAR) {
- 			free_entp = sp->dec_codetab + CODE_FIRST;
-+			_TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
-+			_TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- 			nbits = BITS_MIN;
- 			nbitsmask = MAXCODE(BITS_MIN);
- 			maxcodep = sp->dec_codetab + nbitsmask-1;
-@@ -604,6 +606,7 @@
- 			break;
- 		if (code == CODE_CLEAR) {
- 			free_entp = sp->dec_codetab + CODE_FIRST;
-+			_TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- 			nbits = BITS_MIN;
- 			nbitsmask = MAXCODE(BITS_MIN);
- 			maxcodep = sp->dec_codetab + nbitsmask;

tiff-3.8.2-tiff2pdf.patch

@@ -1,11 +0,0 @@
---- tools/tiff2pdf.c
-+++ tools/tiff2pdf.c
-@@ -3668,7 +3668,7 @@
- 	written += TIFFWriteFile(output, (tdata_t) "(", 1);
- 	for (i=0;i<len;i++){
- 		if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
--			sprintf(buffer, "\\%.3o", pdfstr[i]);
-+			sprintf(buffer, "\\%.3o", (unsigned char)(pdfstr[i]));
- 			written += TIFFWriteFile(output, (tdata_t) buffer, 4);
- 		} else {
- 			switch (pdfstr[i]){

tiff-3.8.2-tiffsplit-CVE-2006-2656.patch

@@ -1,19 +0,0 @@
---- tools/tiffsplit.c
-+++ tools/tiffsplit.c
-@@ -61,14 +61,13 @@
- 		return (-3);
- 	}
- 	if (argc > 2)
--		strcpy(fname, argv[2]);
-+		snprintf(fname, sizeof(fname), "%s", argv[2]);
- 	in = TIFFOpen(argv[1], "r");
- 	if (in != NULL) {
- 		do {
- 			char path[1024+1];
- 			newfilename();
--			strcpy(path, fname);
--			strcat(path, ".tif");
-+                        snprintf(path, sizeof(path), "%s.tif", fname);
- 			out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
- 			if (out == NULL)
- 				return (-2);

tiff-3.8.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6d33a5ef592c832372c6aa3ae397437a7382f603871863071440ffe909aadb03
-size 1095536

tiff-3.9.2-seek.patch

@@ -1,6 +1,8 @@
---- libtiff/tiffiop.h
+Index: libtiff/tiffiop.h
+===================================================================
+--- libtiff/tiffiop.h.orig
 +++ libtiff/tiffiop.h
-@@ -184,7 +184,7 @@
+@@ -209,7 +209,7 @@ struct tiff {
  #define	TIFFWriteFile(tif, buf, size) \
  	((*(tif)->tif_writeproc)((tif)->tif_clientdata,buf,size))
  #define	TIFFSeekFile(tif, off, whence) \

tiff-3.9.2.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c8952149cbcd937ac620f913981dc0ffc7db79696c2f0d559b71d5cd51721e6e
+size 1160792

tiff-am.patch

@@ -1,11 +0,0 @@
---- Makefile.am
-+++ Makefile.am
-@@ -26,7 +26,7 @@
- docdir = $(LIBTIFF_DOCDIR)
- 
- AUTOMAKE_OPTIONS = dist-zip foreign
--ACLOCAL_AMFLAGS = -I ./m4
-+ACLOCAL_AMFLAGS = -I m4
- 
- docfiles = \
- 	COPYRIGHT \

tiff.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 16 13:37:23 CET 2010 - pgajdos@suse.cz
+
+- updated to 3.9.2: fixed many CVE's and obsoletes almost all
+  our patches (see ChangeLog for details)
+
 -------------------------------------------------------------------
 Tue Dec 15 19:38:18 CET 2009 - jengelh@medozas.de
 

tiff.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package tiff (Version 3.8.2)
+# spec file for package tiff (Version 3.9.2)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -28,22 +28,16 @@ Obsoletes:      tiff-64bit
 %endif
 #
 Url:            http://www.remotesensing.org/libtiff/
-Version:        3.8.2
-Release:        145
+Version:        3.9.2
+Release:        1
 Summary:        Tools for Converting from and to the Tiff  Format
 Source:         tiff-%{version}.tar.bz2
-Source1:        jpegint.h
 Source2:        README.SUSE
 Source3:        baselibs.conf
 Patch2:         tiff-%{version}-seek.patch
-Patch3:         tiff-%{version}-tiff2pdf.patch
-Patch4:         tiff-%{version}-tiffsplit-CVE-2006-2656.patch
-Patch5:         tiff-%{version}-tif_lzw.c-CVE-2008-2327.patch
-Patch6:         tiff-%{version}-tif_lzw.c-CVE-2008-2327-2.patch
-Patch7:         tiff-am.patch
-Patch8:         tiff-3.8.2-bnc444079.patch
-Patch9:         tiff-3.8.2-lzw-CVE-2009-2285.patch
-Patch10:        tiff-%{version}-CVE-2009-2347.patch
+# FYI: this issue is solved another way
+# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
+# Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -101,15 +95,6 @@ the libtiff library.
 %prep
 %setup -q 
 %patch2
-%patch3
-%patch4
-%patch5
-%patch6
-%patch7
-%patch8
-%patch9
-%patch10 -p1
-cp %{S:1} libtiff
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
 
@@ -145,7 +130,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root)
 /usr/bin/*
 %doc html
-%doc README COPYRIGHT
+%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DAT
 %doc %{_mandir}/man1/*
 
 %files -n libtiff3