diff --git a/jpegint.h b/jpegint.h deleted file mode 100644 index bdcf0a2..0000000 --- a/jpegint.h +++ /dev/null @@ -1,392 +0,0 @@ -/* - * jpegint.h - * - * Copyright (C) 1991-1997, Thomas G. Lane. - * This file is part of the Independent JPEG Group's software. - * For conditions of distribution and use, see the accompanying README file. - * - * This file provides common declarations for the various JPEG modules. - * These declarations are considered internal to the JPEG library; most - * applications using the library shouldn't need to include this file. - */ - - -/* Declarations for both compression & decompression */ - -typedef enum { /* Operating modes for buffer controllers */ - JBUF_PASS_THRU, /* Plain stripwise operation */ - /* Remaining modes require a full-image buffer to have been created */ - JBUF_SAVE_SOURCE, /* Run source subobject only, save output */ - JBUF_CRANK_DEST, /* Run dest subobject only, using saved data */ - JBUF_SAVE_AND_PASS /* Run both subobjects, save output */ -} J_BUF_MODE; - -/* Values of global_state field (jdapi.c has some dependencies on ordering!) */ -#define CSTATE_START 100 /* after create_compress */ -#define CSTATE_SCANNING 101 /* start_compress done, write_scanlines OK */ -#define CSTATE_RAW_OK 102 /* start_compress done, write_raw_data OK */ -#define CSTATE_WRCOEFS 103 /* jpeg_write_coefficients done */ -#define DSTATE_START 200 /* after create_decompress */ -#define DSTATE_INHEADER 201 /* reading header markers, no SOS yet */ -#define DSTATE_READY 202 /* found SOS, ready for start_decompress */ -#define DSTATE_PRELOAD 203 /* reading multiscan file in start_decompress*/ -#define DSTATE_PRESCAN 204 /* performing dummy pass for 2-pass quant */ -#define DSTATE_SCANNING 205 /* start_decompress done, read_scanlines OK */ -#define DSTATE_RAW_OK 206 /* start_decompress done, read_raw_data OK */ -#define DSTATE_BUFIMAGE 207 /* expecting jpeg_start_output */ -#define DSTATE_BUFPOST 208 /* looking for SOS/EOI in jpeg_finish_output */ -#define DSTATE_RDCOEFS 209 /* reading file in jpeg_read_coefficients */ -#define DSTATE_STOPPING 210 /* looking for EOI in jpeg_finish_decompress */ - - -/* Declarations for compression modules */ - -/* Master control module */ -struct jpeg_comp_master { - JMETHOD(void, prepare_for_pass, (j_compress_ptr cinfo)); - JMETHOD(void, pass_startup, (j_compress_ptr cinfo)); - JMETHOD(void, finish_pass, (j_compress_ptr cinfo)); - - /* State variables made visible to other modules */ - boolean call_pass_startup; /* True if pass_startup must be called */ - boolean is_last_pass; /* True during last pass */ -}; - -/* Main buffer control (downsampled-data buffer) */ -struct jpeg_c_main_controller { - JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(void, process_data, (j_compress_ptr cinfo, - JSAMPARRAY input_buf, JDIMENSION *in_row_ctr, - JDIMENSION in_rows_avail)); -}; - -/* Compression preprocessing (downsampling input buffer control) */ -struct jpeg_c_prep_controller { - JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(void, pre_process_data, (j_compress_ptr cinfo, - JSAMPARRAY input_buf, - JDIMENSION *in_row_ctr, - JDIMENSION in_rows_avail, - JSAMPIMAGE output_buf, - JDIMENSION *out_row_group_ctr, - JDIMENSION out_row_groups_avail)); -}; - -/* Coefficient buffer control */ -struct jpeg_c_coef_controller { - JMETHOD(void, start_pass, (j_compress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(boolean, compress_data, (j_compress_ptr cinfo, - JSAMPIMAGE input_buf)); -}; - -/* Colorspace conversion */ -struct jpeg_color_converter { - JMETHOD(void, start_pass, (j_compress_ptr cinfo)); - JMETHOD(void, color_convert, (j_compress_ptr cinfo, - JSAMPARRAY input_buf, JSAMPIMAGE output_buf, - JDIMENSION output_row, int num_rows)); -}; - -/* Downsampling */ -struct jpeg_downsampler { - JMETHOD(void, start_pass, (j_compress_ptr cinfo)); - JMETHOD(void, downsample, (j_compress_ptr cinfo, - JSAMPIMAGE input_buf, JDIMENSION in_row_index, - JSAMPIMAGE output_buf, - JDIMENSION out_row_group_index)); - - boolean need_context_rows; /* TRUE if need rows above & below */ -}; - -/* Forward DCT (also controls coefficient quantization) */ -struct jpeg_forward_dct { - JMETHOD(void, start_pass, (j_compress_ptr cinfo)); - /* perhaps this should be an array??? */ - JMETHOD(void, forward_DCT, (j_compress_ptr cinfo, - jpeg_component_info * compptr, - JSAMPARRAY sample_data, JBLOCKROW coef_blocks, - JDIMENSION start_row, JDIMENSION start_col, - JDIMENSION num_blocks)); -}; - -/* Entropy encoding */ -struct jpeg_entropy_encoder { - JMETHOD(void, start_pass, (j_compress_ptr cinfo, boolean gather_statistics)); - JMETHOD(boolean, encode_mcu, (j_compress_ptr cinfo, JBLOCKROW *MCU_data)); - JMETHOD(void, finish_pass, (j_compress_ptr cinfo)); -}; - -/* Marker writing */ -struct jpeg_marker_writer { - JMETHOD(void, write_file_header, (j_compress_ptr cinfo)); - JMETHOD(void, write_frame_header, (j_compress_ptr cinfo)); - JMETHOD(void, write_scan_header, (j_compress_ptr cinfo)); - JMETHOD(void, write_file_trailer, (j_compress_ptr cinfo)); - JMETHOD(void, write_tables_only, (j_compress_ptr cinfo)); - /* These routines are exported to allow insertion of extra markers */ - /* Probably only COM and APPn markers should be written this way */ - JMETHOD(void, write_marker_header, (j_compress_ptr cinfo, int marker, - unsigned int datalen)); - JMETHOD(void, write_marker_byte, (j_compress_ptr cinfo, int val)); -}; - - -/* Declarations for decompression modules */ - -/* Master control module */ -struct jpeg_decomp_master { - JMETHOD(void, prepare_for_output_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, finish_output_pass, (j_decompress_ptr cinfo)); - - /* State variables made visible to other modules */ - boolean is_dummy_pass; /* True during 1st pass for 2-pass quant */ -}; - -/* Input control module */ -struct jpeg_input_controller { - JMETHOD(int, consume_input, (j_decompress_ptr cinfo)); - JMETHOD(void, reset_input_controller, (j_decompress_ptr cinfo)); - JMETHOD(void, start_input_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, finish_input_pass, (j_decompress_ptr cinfo)); - - /* State variables made visible to other modules */ - boolean has_multiple_scans; /* True if file has multiple scans */ - boolean eoi_reached; /* True when EOI has been consumed */ -}; - -/* Main buffer control (downsampled-data buffer) */ -struct jpeg_d_main_controller { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(void, process_data, (j_decompress_ptr cinfo, - JSAMPARRAY output_buf, JDIMENSION *out_row_ctr, - JDIMENSION out_rows_avail)); -}; - -/* Coefficient buffer control */ -struct jpeg_d_coef_controller { - JMETHOD(void, start_input_pass, (j_decompress_ptr cinfo)); - JMETHOD(int, consume_data, (j_decompress_ptr cinfo)); - JMETHOD(void, start_output_pass, (j_decompress_ptr cinfo)); - JMETHOD(int, decompress_data, (j_decompress_ptr cinfo, - JSAMPIMAGE output_buf)); - /* Pointer to array of coefficient virtual arrays, or NULL if none */ - jvirt_barray_ptr *coef_arrays; -}; - -/* Decompression postprocessing (color quantization buffer control) */ -struct jpeg_d_post_controller { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo, J_BUF_MODE pass_mode)); - JMETHOD(void, post_process_data, (j_decompress_ptr cinfo, - JSAMPIMAGE input_buf, - JDIMENSION *in_row_group_ctr, - JDIMENSION in_row_groups_avail, - JSAMPARRAY output_buf, - JDIMENSION *out_row_ctr, - JDIMENSION out_rows_avail)); -}; - -/* Marker reading & parsing */ -struct jpeg_marker_reader { - JMETHOD(void, reset_marker_reader, (j_decompress_ptr cinfo)); - /* Read markers until SOS or EOI. - * Returns same codes as are defined for jpeg_consume_input: - * JPEG_SUSPENDED, JPEG_REACHED_SOS, or JPEG_REACHED_EOI. - */ - JMETHOD(int, read_markers, (j_decompress_ptr cinfo)); - /* Read a restart marker --- exported for use by entropy decoder only */ - jpeg_marker_parser_method read_restart_marker; - - /* State of marker reader --- nominally internal, but applications - * supplying COM or APPn handlers might like to know the state. - */ - boolean saw_SOI; /* found SOI? */ - boolean saw_SOF; /* found SOF? */ - int next_restart_num; /* next restart number expected (0-7) */ - unsigned int discarded_bytes; /* # of bytes skipped looking for a marker */ -}; - -/* Entropy decoding */ -struct jpeg_entropy_decoder { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); - JMETHOD(boolean, decode_mcu, (j_decompress_ptr cinfo, - JBLOCKROW *MCU_data)); - - /* This is here to share code between baseline and progressive decoders; */ - /* other modules probably should not use it */ - boolean insufficient_data; /* set TRUE after emitting warning */ -}; - -/* Inverse DCT (also performs dequantization) */ -typedef JMETHOD(void, inverse_DCT_method_ptr, - (j_decompress_ptr cinfo, jpeg_component_info * compptr, - JCOEFPTR coef_block, - JSAMPARRAY output_buf, JDIMENSION output_col)); - -struct jpeg_inverse_dct { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); - /* It is useful to allow each component to have a separate IDCT method. */ - inverse_DCT_method_ptr inverse_DCT[MAX_COMPONENTS]; -}; - -/* Upsampling (note that upsampler must also call color converter) */ -struct jpeg_upsampler { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, upsample, (j_decompress_ptr cinfo, - JSAMPIMAGE input_buf, - JDIMENSION *in_row_group_ctr, - JDIMENSION in_row_groups_avail, - JSAMPARRAY output_buf, - JDIMENSION *out_row_ctr, - JDIMENSION out_rows_avail)); - - boolean need_context_rows; /* TRUE if need rows above & below */ -}; - -/* Colorspace conversion */ -struct jpeg_color_deconverter { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, color_convert, (j_decompress_ptr cinfo, - JSAMPIMAGE input_buf, JDIMENSION input_row, - JSAMPARRAY output_buf, int num_rows)); -}; - -/* Color quantization or color precision reduction */ -struct jpeg_color_quantizer { - JMETHOD(void, start_pass, (j_decompress_ptr cinfo, boolean is_pre_scan)); - JMETHOD(void, color_quantize, (j_decompress_ptr cinfo, - JSAMPARRAY input_buf, JSAMPARRAY output_buf, - int num_rows)); - JMETHOD(void, finish_pass, (j_decompress_ptr cinfo)); - JMETHOD(void, new_color_map, (j_decompress_ptr cinfo)); -}; - - -/* Miscellaneous useful macros */ - -#undef MAX -#define MAX(a,b) ((a) > (b) ? (a) : (b)) -#undef MIN -#define MIN(a,b) ((a) < (b) ? (a) : (b)) - - -/* We assume that right shift corresponds to signed division by 2 with - * rounding towards minus infinity. This is correct for typical "arithmetic - * shift" instructions that shift in copies of the sign bit. But some - * C compilers implement >> with an unsigned shift. For these machines you - * must define RIGHT_SHIFT_IS_UNSIGNED. - * RIGHT_SHIFT provides a proper signed right shift of an INT32 quantity. - * It is only applied with constant shift counts. SHIFT_TEMPS must be - * included in the variables of any routine using RIGHT_SHIFT. - */ - -#ifdef RIGHT_SHIFT_IS_UNSIGNED -#define SHIFT_TEMPS INT32 shift_temp; -#define RIGHT_SHIFT(x,shft) \ - ((shift_temp = (x)) < 0 ? \ - (shift_temp >> (shft)) | ((~((INT32) 0)) << (32-(shft))) : \ - (shift_temp >> (shft))) -#else -#define SHIFT_TEMPS -#define RIGHT_SHIFT(x,shft) ((x) >> (shft)) -#endif - - -/* Short forms of external names for systems with brain-damaged linkers. */ - -#ifdef NEED_SHORT_EXTERNAL_NAMES -#define jinit_compress_master jICompress -#define jinit_c_master_control jICMaster -#define jinit_c_main_controller jICMainC -#define jinit_c_prep_controller jICPrepC -#define jinit_c_coef_controller jICCoefC -#define jinit_color_converter jICColor -#define jinit_downsampler jIDownsampler -#define jinit_forward_dct jIFDCT -#define jinit_huff_encoder jIHEncoder -#define jinit_phuff_encoder jIPHEncoder -#define jinit_marker_writer jIMWriter -#define jinit_master_decompress jIDMaster -#define jinit_d_main_controller jIDMainC -#define jinit_d_coef_controller jIDCoefC -#define jinit_d_post_controller jIDPostC -#define jinit_input_controller jIInCtlr -#define jinit_marker_reader jIMReader -#define jinit_huff_decoder jIHDecoder -#define jinit_phuff_decoder jIPHDecoder -#define jinit_inverse_dct jIIDCT -#define jinit_upsampler jIUpsampler -#define jinit_color_deconverter jIDColor -#define jinit_1pass_quantizer jI1Quant -#define jinit_2pass_quantizer jI2Quant -#define jinit_merged_upsampler jIMUpsampler -#define jinit_memory_mgr jIMemMgr -#define jdiv_round_up jDivRound -#define jround_up jRound -#define jcopy_sample_rows jCopySamples -#define jcopy_block_row jCopyBlocks -#define jzero_far jZeroFar -#define jpeg_zigzag_order jZIGTable -#define jpeg_natural_order jZAGTable -#endif /* NEED_SHORT_EXTERNAL_NAMES */ - - -/* Compression module initialization routines */ -EXTERN(void) jinit_compress_master JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_c_master_control JPP((j_compress_ptr cinfo, - boolean transcode_only)); -EXTERN(void) jinit_c_main_controller JPP((j_compress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_c_prep_controller JPP((j_compress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_c_coef_controller JPP((j_compress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_color_converter JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_downsampler JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_forward_dct JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_huff_encoder JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_phuff_encoder JPP((j_compress_ptr cinfo)); -EXTERN(void) jinit_marker_writer JPP((j_compress_ptr cinfo)); -/* Decompression module initialization routines */ -EXTERN(void) jinit_master_decompress JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_d_main_controller JPP((j_decompress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_d_coef_controller JPP((j_decompress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_d_post_controller JPP((j_decompress_ptr cinfo, - boolean need_full_buffer)); -EXTERN(void) jinit_input_controller JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_marker_reader JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_huff_decoder JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_phuff_decoder JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_inverse_dct JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_upsampler JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_color_deconverter JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_1pass_quantizer JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_2pass_quantizer JPP((j_decompress_ptr cinfo)); -EXTERN(void) jinit_merged_upsampler JPP((j_decompress_ptr cinfo)); -/* Memory manager initialization */ -EXTERN(void) jinit_memory_mgr JPP((j_common_ptr cinfo)); - -/* Utility routines in jutils.c */ -EXTERN(long) jdiv_round_up JPP((long a, long b)); -EXTERN(long) jround_up JPP((long a, long b)); -EXTERN(void) jcopy_sample_rows JPP((JSAMPARRAY input_array, int source_row, - JSAMPARRAY output_array, int dest_row, - int num_rows, JDIMENSION num_cols)); -EXTERN(void) jcopy_block_row JPP((JBLOCKROW input_row, JBLOCKROW output_row, - JDIMENSION num_blocks)); -EXTERN(void) jzero_far JPP((void FAR * target, size_t bytestozero)); -/* Constant tables in jutils.c */ -#if 0 /* This table is not actually needed in v6a */ -extern const int jpeg_zigzag_order[]; /* natural coef order to zigzag order */ -#endif -extern const int jpeg_natural_order[]; /* zigzag coef order to natural order */ - -/* Suppress undefined-structure complaints if necessary. */ - -#ifdef INCOMPLETE_TYPES_BROKEN -#ifndef AM_MEMORY_MANAGER /* only jmemmgr.c defines these */ -struct jvirt_sarray_control { long dummy; }; -struct jvirt_barray_control { long dummy; }; -#endif -#endif /* INCOMPLETE_TYPES_BROKEN */ diff --git a/tiff-3.8.2-CVE-2009-2347.patch b/tiff-3.8.2-CVE-2009-2347.patch deleted file mode 100644 index 9f1a6b5..0000000 --- a/tiff-3.8.2-CVE-2009-2347.patch +++ /dev/null @@ -1,170 +0,0 @@ -Fix several places in tiff2rgba and rgb2ycbcr that were being careless about -possible integer overflow in calculation of buffer sizes. - -CVE-2009-2347 - - -diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c ---- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400 -+++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400 -@@ -202,6 +202,17 @@ - #undef LumaBlue - #undef V2Code - -+static tsize_t -+multiply(tsize_t m1, tsize_t m2) -+{ -+ tsize_t prod = m1 * m2; -+ -+ if (m1 && prod / m1 != m2) -+ prod = 0; /* overflow */ -+ -+ return prod; -+} -+ - /* - * Convert a strip of RGB data to YCbCr and - * sample to generate the output data. -@@ -278,10 +289,19 @@ - float floatv; - char *stringv; - uint32 longv; -+ tsize_t raster_size; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); -+ -+ raster_size = multiply(multiply(width, height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c ---- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500 -+++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400 -@@ -124,6 +124,17 @@ - return (0); - } - -+static tsize_t -+multiply(tsize_t m1, tsize_t m2) -+{ -+ tsize_t prod = m1 * m2; -+ -+ if (m1 && prod / m1 != m2) -+ prod = 0; /* overflow */ -+ -+ return prod; -+} -+ - static int - cvt_by_tile( TIFF *in, TIFF *out ) - -@@ -133,6 +144,7 @@ - uint32 tile_width, tile_height; - uint32 row, col; - uint32 *wrk_line; -+ tsize_t raster_size; - int ok = 1; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); -@@ -150,7 +162,14 @@ - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) tile_width, (unsigned long) tile_height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -158,7 +177,7 @@ - - /* - * Allocate a scanline buffer for swapping during the vertical -- * mirroring pass. -+ * mirroring pass. (Request can't overflow given prior checks.) - */ - wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); - if (!wrk_line) { -@@ -226,6 +245,7 @@ - uint32 width, height; /* image width & height */ - uint32 row; - uint32 *wrk_line; -+ tsize_t raster_size; - int ok = 1; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); -@@ -241,7 +261,14 @@ - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) rowsperstrip); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -249,7 +276,7 @@ - - /* - * Allocate a scanline buffer for swapping during the vertical -- * mirroring pass. -+ * mirroring pass. (Request can't overflow given prior checks.) - */ - wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); - if (!wrk_line) { -@@ -328,14 +355,22 @@ - uint32* raster; /* retrieve RGBA image */ - uint32 width, height; /* image width & height */ - uint32 row; -- -+ tsize_t raster_size; -+ - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); - - rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); - -- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); -+ raster_size = multiply(multiply(width, height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -353,7 +388,7 @@ - */ - if( no_alpha ) - { -- int pixel_count = width * height; -+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height; - unsigned char *src, *dst; - - src = (unsigned char *) raster; - diff --git a/tiff-3.8.2-bnc444079.patch b/tiff-3.8.2-bnc444079.patch deleted file mode 100644 index 11efbb7..0000000 --- a/tiff-3.8.2-bnc444079.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- libtiff/tif_dirread.c -+++ libtiff/tif_dirread.c -@@ -870,7 +870,7 @@ - - register TIFFDirEntry *dp; - register TIFFDirectory *td = &tif->tif_dir; -- uint16 i; -+ uint32 i; - - if (td->td_stripbytecount) - _TIFFfree(td->td_stripbytecount); diff --git a/tiff-3.8.2-lzw-CVE-2009-2285.patch b/tiff-3.8.2-lzw-CVE-2009-2285.patch deleted file mode 100644 index 36933a7..0000000 --- a/tiff-3.8.2-lzw-CVE-2009-2285.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- libtiff/tif_lzw.c -+++ libtiff/tif_lzw.c -@@ -422,7 +422,7 @@ - if (code == CODE_EOI) - break; - -- if (code == CODE_CLEAR) { -+ if (code >= CODE_CLEAR) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "LZWDecode: Corrupted LZW table at scanline %d", - tif->tif_row); -@@ -625,7 +625,7 @@ - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -- if (code == CODE_CLEAR) { -+ if (code >= CODE_CLEAR) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "LZWDecode: Corrupted LZW table at scanline %d", - tif->tif_row); diff --git a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch b/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch deleted file mode 100644 index 4f581fc..0000000 --- a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch +++ /dev/null @@ -1,41 +0,0 @@ ---- libtiff/tif_lzw.c -+++ libtiff/tif_lzw.c -@@ -237,6 +237,11 @@ - sp->dec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); -+ /* -+ * Zero-out the unused entries -+ */ -+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); - } - return (1); - } -@@ -416,6 +421,13 @@ - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -+ -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = (char)code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -613,6 +625,12 @@ - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = code, occ--; - oldcodep = sp->dec_codetab + code; - continue; diff --git a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch b/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch deleted file mode 100644 index 7e18b07..0000000 --- a/tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- libtiff/tif_lzw.c -+++ libtiff/tif_lzw.c -@@ -408,6 +408,8 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask-1; -@@ -604,6 +606,7 @@ - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; diff --git a/tiff-3.8.2-tiff2pdf.patch b/tiff-3.8.2-tiff2pdf.patch deleted file mode 100644 index 2403a1b..0000000 --- a/tiff-3.8.2-tiff2pdf.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tools/tiff2pdf.c -+++ tools/tiff2pdf.c -@@ -3668,7 +3668,7 @@ - written += TIFFWriteFile(output, (tdata_t) "(", 1); - for (i=0;i 2) -- strcpy(fname, argv[2]); -+ snprintf(fname, sizeof(fname), "%s", argv[2]); - in = TIFFOpen(argv[1], "r"); - if (in != NULL) { - do { - char path[1024+1]; - newfilename(); -- strcpy(path, fname); -- strcat(path, ".tif"); -+ snprintf(path, sizeof(path), "%s.tif", fname); - out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); - if (out == NULL) - return (-2); diff --git a/tiff-3.8.2.tar.bz2 b/tiff-3.8.2.tar.bz2 deleted file mode 100644 index cd90277..0000000 --- a/tiff-3.8.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6d33a5ef592c832372c6aa3ae397437a7382f603871863071440ffe909aadb03 -size 1095536 diff --git a/tiff-3.8.2-seek.patch b/tiff-3.9.2-seek.patch similarity index 74% rename from tiff-3.8.2-seek.patch rename to tiff-3.9.2-seek.patch index 2efff14..674cd81 100644 --- a/tiff-3.8.2-seek.patch +++ b/tiff-3.9.2-seek.patch @@ -1,6 +1,8 @@ ---- libtiff/tiffiop.h +Index: libtiff/tiffiop.h +=================================================================== +--- libtiff/tiffiop.h.orig +++ libtiff/tiffiop.h -@@ -184,7 +184,7 @@ +@@ -209,7 +209,7 @@ struct tiff { #define TIFFWriteFile(tif, buf, size) \ ((*(tif)->tif_writeproc)((tif)->tif_clientdata,buf,size)) #define TIFFSeekFile(tif, off, whence) \ diff --git a/tiff-3.9.2.tar.bz2 b/tiff-3.9.2.tar.bz2 new file mode 100644 index 0000000..9e8ff12 --- /dev/null +++ b/tiff-3.9.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c8952149cbcd937ac620f913981dc0ffc7db79696c2f0d559b71d5cd51721e6e +size 1160792 diff --git a/tiff-am.patch b/tiff-am.patch deleted file mode 100644 index 3cff9d3..0000000 --- a/tiff-am.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- Makefile.am -+++ Makefile.am -@@ -26,7 +26,7 @@ - docdir = $(LIBTIFF_DOCDIR) - - AUTOMAKE_OPTIONS = dist-zip foreign --ACLOCAL_AMFLAGS = -I ./m4 -+ACLOCAL_AMFLAGS = -I m4 - - docfiles = \ - COPYRIGHT \ diff --git a/tiff.changes b/tiff.changes index 2a7b7f2..d77c763 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 16 13:37:23 CET 2010 - pgajdos@suse.cz + +- updated to 3.9.2: fixed many CVE's and obsoletes almost all + our patches (see ChangeLog for details) + ------------------------------------------------------------------- Tue Dec 15 19:38:18 CET 2009 - jengelh@medozas.de diff --git a/tiff.spec b/tiff.spec index 3c449a6..e8b2683 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,5 +1,5 @@ # -# spec file for package tiff (Version 3.8.2) +# spec file for package tiff (Version 3.9.2) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -28,22 +28,16 @@ Obsoletes: tiff-64bit %endif # Url: http://www.remotesensing.org/libtiff/ -Version: 3.8.2 -Release: 145 +Version: 3.9.2 +Release: 1 Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 -Source1: jpegint.h Source2: README.SUSE Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch -Patch3: tiff-%{version}-tiff2pdf.patch -Patch4: tiff-%{version}-tiffsplit-CVE-2006-2656.patch -Patch5: tiff-%{version}-tif_lzw.c-CVE-2008-2327.patch -Patch6: tiff-%{version}-tif_lzw.c-CVE-2008-2327-2.patch -Patch7: tiff-am.patch -Patch8: tiff-3.8.2-bnc444079.patch -Patch9: tiff-3.8.2-lzw-CVE-2009-2285.patch -Patch10: tiff-%{version}-CVE-2009-2347.patch +# FYI: this issue is solved another way +# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 +# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -101,15 +95,6 @@ the libtiff library. %prep %setup -q %patch2 -%patch3 -%patch4 -%patch5 -%patch6 -%patch7 -%patch8 -%patch9 -%patch10 -p1 -cp %{S:1} libtiff find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 @@ -145,7 +130,7 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root) /usr/bin/* %doc html -%doc README COPYRIGHT +%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DAT %doc %{_mandir}/man1/* %files -n libtiff3