From f3c286f31594108683d476f6ca6deb86f05f8a5a5dbd459488643a6ccc9c5f0a Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Mon, 30 May 2022 07:12:53 +0000 Subject: [PATCH] Accepting request 979753 from home:dirkmueller:Factory - update to 4.4.0: * TIFFIsBigTiff() function added. * Functions TIFFFieldSetGetSize() and TIFFieldSetGetCountSize() added. * LZWDecode(): major speed improvements (~30% faster) * Predictor 2 (horizontal differenciation): support 64-bit * Support libjpeg 9d * avoid hang in TIFFRewriteDirectory() if a classic file > 4 GB is attempted to be created * tif_jbig.c: fix crash when reading a file with multiple IFD in memory-mapped mode and when bit reversal is needed * TIFFFetchNormalTag(): avoid calling memcpy() with a null source pointer and size of zero * TIFFWriteDirectoryTagData(): turn assertion on data length into a runtime check * TIFFFetchStripThing(): avoid calling memcpy() with a null source pointer and size of zero * TIFFReadDirectory(): avoid calling memcpy() with a null source pointer and size of zero * TIFFYCbCrToRGBInit(): avoid Integer-overflow * TIFFGetField(TIFFTAG_STRIPBYTECOUNTS/TIFFTAG_STRIPOFFSETS): return error if returned pointer is NULL (fixes #342) * OJPEG: avoid assertion when using TIFFReadScanline() * TIFFReadDirectory: fix OJPEG hack * LZW codec: fix support for strips/tiles > 2 GB on Windows * TIFFAppendToStrip(): fix rewrite-in-place logic * Fix TIFFRewriteDirectory discarding directories. * TIFFReadCustomDirectory(): avoid crash when reading SubjectDistance tag on a non EXIF directory * Fix Segmentation fault printing GPS directory if Altitude tag is present * tif_jpeg.c: do not emit progressive scans with mozjpeg. (#266) OBS-URL: https://build.opensuse.org/request/show/979753 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=152 --- tiff-4.3.0.tar.gz | 3 - tiff-4.4.0.tar.xz | 3 + tiff-4.4.0.tar.xz.sig | Bin 0 -> 310 bytes tiff-CVE-2022-0561.patch | 29 ---- tiff-CVE-2022-0562.patch | 27 ---- tiff-CVE-2022-0865.patch | 34 ---- tiff-CVE-2022-0907.patch | 89 ---------- tiff-CVE-2022-0908.patch | 29 ---- tiff-CVE-2022-0909.patch | 32 ---- tiff-CVE-2022-0924.patch | 53 ------ tiff-CVE-2022-1056,CVE-2022-0891.patch | 214 ------------------------- tiff.changes | 41 +++++ tiff.keyring | 29 ++++ tiff.spec | 24 +-- 14 files changed, 78 insertions(+), 529 deletions(-) delete mode 100644 tiff-4.3.0.tar.gz create mode 100644 tiff-4.4.0.tar.xz create mode 100644 tiff-4.4.0.tar.xz.sig delete mode 100644 tiff-CVE-2022-0561.patch delete mode 100644 tiff-CVE-2022-0562.patch delete mode 100644 tiff-CVE-2022-0865.patch delete mode 100644 tiff-CVE-2022-0907.patch delete mode 100644 tiff-CVE-2022-0908.patch delete mode 100644 tiff-CVE-2022-0909.patch delete mode 100644 tiff-CVE-2022-0924.patch delete mode 100644 tiff-CVE-2022-1056,CVE-2022-0891.patch create mode 100644 tiff.keyring diff --git a/tiff-4.3.0.tar.gz b/tiff-4.3.0.tar.gz deleted file mode 100644 index 56948f6..0000000 --- a/tiff-4.3.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8 -size 2808254 diff --git a/tiff-4.4.0.tar.xz b/tiff-4.4.0.tar.xz new file mode 100644 index 0000000..d3cfcd4 --- /dev/null +++ b/tiff-4.4.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:49307b510048ccc7bc40f2cba6e8439182fe6e654057c1a1683139bf2ecb1dc1 +size 1929292 diff --git a/tiff-4.4.0.tar.xz.sig b/tiff-4.4.0.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..04e6c70e52d5cc010eb8e555cc8d2f2f1f04f629e6fe6248f65c8d1da696a616 GIT binary patch literal 310 zcmV-60m=S}0W$;u0SW*e79j+&`h9`!xaMP-7mJrO>%YW%J=lE(0%C{4{{RXJ5Hst) z#Ctv1eLTkp|7&89QN%#uEvkG+`-ZZCo$U&-P(hsbZ)1vuaNug{l zro5C|1Q82+3YZ;yk?jPb8?Rwa#}|k)@B(}tdHKZBzD$101uwB>RyP(NiGVlTsA zxcp%Pl8*Qt{B8zM#!raS7(v?O(M@r6D>7djIQ1XXyhr4zt9?0h@YMKarDu%@2ln?w zkC6;Df9hL=oDI{?vM`(QB)0E#)l)m}8A$ -Date: Sun, 6 Feb 2022 13:08:38 +0100 -Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #362) - ---- - libtiff/tif_dirread.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 23194ced..50ebf8ac 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); -- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); -+ if( dir->tdir_count ) -+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); -+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); - _TIFFfree(data); - data=resizeddata; - } --- -GitLab - diff --git a/tiff-CVE-2022-0562.patch b/tiff-CVE-2022-0562.patch deleted file mode 100644 index 2b66c64..0000000 --- a/tiff-CVE-2022-0562.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 5 Feb 2022 20:36:41 +0100 -Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #362) - ---- - libtiff/tif_dirread.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 2bbc4585..23194ced 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) - goto bad; - } - -- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); -+ if (old_extrasamples > 0) -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); - _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); - _TIFFfree(new_sampleinfo); - } --- -GitLab - diff --git a/tiff-CVE-2022-0865.patch b/tiff-CVE-2022-0865.patch deleted file mode 100644 index 779f948..0000000 --- a/tiff-CVE-2022-0865.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 24 Feb 2022 22:26:02 +0100 -Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD - in memory-mapped mode and when bit reversal is needed (fixes #385) - ---- - libtiff/tif_jbig.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 74086338..8bfa4cef 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) - */ - tif->tif_flags |= TIFF_NOBITREV; - tif->tif_flags &= ~TIFF_MAPPED; -+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and -+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial -+ * value to be consistent with the state of a non-memory mapped file. -+ */ -+ if (tif->tif_flags&TIFF_BUFFERMMAP) { -+ tif->tif_rawdata = NULL; -+ tif->tif_rawdatasize = 0; -+ tif->tif_flags &= ~TIFF_BUFFERMMAP; -+ tif->tif_flags |= TIFF_MYBUFFER; -+ } - - /* Setup the function pointers for encode, decode, and cleanup. */ - tif->tif_setupdecode = JBIGSetupDecode; --- -GitLab - diff --git a/tiff-CVE-2022-0907.patch b/tiff-CVE-2022-0907.patch deleted file mode 100644 index 13d3713..0000000 --- a/tiff-CVE-2022-0907.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001 -From: Augustus -Date: Mon, 7 Mar 2022 18:21:49 +0800 -Subject: [PATCH] add checks for return value of limitMalloc (#392) - ---- - tools/tiffcrop.c | 33 +++++++++++++++++++++------------ - 1 file changed, 21 insertions(+), 12 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index f2e5474a..9b8acc7e 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -7406,7 +7406,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) - if (!sect_buff) - { - sect_buff = (unsigned char *)limitMalloc(sectsize); -- *sect_buff_ptr = sect_buff; -+ if (!sect_buff) -+ { -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -+ return (-1); -+ } - _TIFFmemset(sect_buff, 0, sectsize); - } - else -@@ -7422,15 +7426,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) - else - sect_buff = new_buff; - -+ if (!sect_buff) -+ { -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -+ return (-1); -+ } - _TIFFmemset(sect_buff, 0, sectsize); - } - } - -- if (!sect_buff) -- { -- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -- return (-1); -- } - prev_sectsize = sectsize; - *sect_buff_ptr = sect_buff; - -@@ -7697,7 +7701,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - if (!crop_buff) - { - crop_buff = (unsigned char *)limitMalloc(cropsize); -- *crop_buff_ptr = crop_buff; -+ if (!crop_buff) -+ { -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -+ return (-1); -+ } - _TIFFmemset(crop_buff, 0, cropsize); - prev_cropsize = cropsize; - } -@@ -7713,15 +7721,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - } - else - crop_buff = new_buff; -+ if (!crop_buff) -+ { -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -+ return (-1); -+ } - _TIFFmemset(crop_buff, 0, cropsize); - } - } - -- if (!crop_buff) -- { -- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -- return (-1); -- } - *crop_buff_ptr = crop_buff; - - if (crop->crop_mode & CROP_INVERT) -@@ -9280,3 +9288,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui - * fill-column: 78 - * End: - */ -+ --- -GitLab - diff --git a/tiff-CVE-2022-0908.patch b/tiff-CVE-2022-0908.patch deleted file mode 100644 index 8d83797..0000000 --- a/tiff-CVE-2022-0908.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 17 Feb 2022 15:28:43 +0100 -Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #383) - ---- - libtiff/tif_dirread.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 50ebf8ac..2ec44a4f 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5091,7 +5091,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); -+ if (dp->tdir_count > 0 ) -+ { -+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); -+ } - o[(uint32_t)dp->tdir_count]=0; - if (data!=0) - _TIFFfree(data); --- -GitLab - diff --git a/tiff-CVE-2022-0909.patch b/tiff-CVE-2022-0909.patch deleted file mode 100644 index df86130..0000000 --- a/tiff-CVE-2022-0909.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Tue, 8 Mar 2022 16:22:04 +0000 -Subject: [PATCH] fix the FPE in tiffcrop (#393) - ---- - libtiff/tif_dir.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index 57055ca9..59b346ca 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -333,13 +333,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) - break; - case TIFFTAG_XRESOLUTION: - dblval = va_arg(ap, double); -- if( dblval < 0 ) -+ if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; - td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_YRESOLUTION: - dblval = va_arg(ap, double); -- if( dblval < 0 ) -+ if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; - td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); - break; --- -GitLab - diff --git a/tiff-CVE-2022-0924.patch b/tiff-CVE-2022-0924.patch deleted file mode 100644 index d4728b6..0000000 --- a/tiff-CVE-2022-0924.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Thu, 10 Mar 2022 08:48:00 +0000 -Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) - ---- - tools/tiffcp.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 224583e0..aa32b118 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1667,12 +1667,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - tdata_t obuf; - tstrip_t strip = 0; - tsample_t s; -+ uint16_t bps = 0, bytes_per_sample; - - obuf = limitMalloc(stripsize); - if (obuf == NULL) - return (0); - _TIFFmemset(obuf, 0, stripsize); - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); -+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps == 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ if( (bps % 8) != 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ bytes_per_sample = bps/8; - for (s = 0; s < spp; s++) { - uint32_t row; - for (row = 0; row < imagelength; row += rowsperstrip) { -@@ -1682,7 +1697,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - - cpContigBufToSeparateBuf( - obuf, (uint8_t*) buf + row * rowsize + s, -- nrows, imagewidth, 0, 0, spp, 1); -+ nrows, imagewidth, 0, 0, spp, bytes_per_sample); - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { - TIFFError(TIFFFileName(out), - "Error, can't write strip %"PRIu32, --- -GitLab - diff --git a/tiff-CVE-2022-1056,CVE-2022-0891.patch b/tiff-CVE-2022-1056,CVE-2022-0891.patch deleted file mode 100644 index dca23df..0000000 --- a/tiff-CVE-2022-1056,CVE-2022-0891.patch +++ /dev/null @@ -1,214 +0,0 @@ -From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Tue, 8 Mar 2022 17:02:44 +0000 -Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in - extractImageSection - ---- - tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- - 1 file changed, 36 insertions(+), 56 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index f2e5474a..e62bcc71 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -105,8 +105,8 @@ - * of messages to monitor progress without enabling dump logs. - */ - --static char tiffcrop_version_id[] = "2.4"; --static char tiffcrop_rev_date[] = "12-13-2010"; -+static char tiffcrop_version_id[] = "2.4.1"; -+static char tiffcrop_rev_date[] = "03-03-2010"; - - #include "tif_config.h" - #include "libport.h" -@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - uint32_t img_length; - #endif -- uint32_t j, shift1, shift2, trailing_bits; -+ uint32_t j, shift1, trailing_bits; - uint32_t row, first_row, last_row, first_col, last_col; - uint32_t src_offset, dst_offset, row_offset, col_offset; -- uint32_t offset1, offset2, full_bytes; -+ uint32_t offset1, full_bytes; - uint32_t sect_width; - #ifdef DEVELMODE - uint32_t sect_length; -@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - int k; - unsigned char bitset; -- static char *bitarray = NULL; - #endif - - img_width = image->width; -@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - dst_offset = 0; - - #ifdef DEVELMODE -- if (bitarray == NULL) -- { -- if ((bitarray = (char *)malloc(img_width)) == NULL) -- { -- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); -- return (-1); -- } -- } -+ char bitarray[39]; - #endif - -- /* rows, columns, width, length are expressed in pixels */ -+ /* rows, columns, width, length are expressed in pixels -+ * first_row, last_row, .. are index into image array starting at 0 to width-1, -+ * last_col shall be also extracted. */ - first_row = section->y1; - last_row = section->y2; - first_col = section->x1; -@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - sect_length = last_row - first_row + 1; - #endif -- img_rowsize = ((img_width * bps + 7) / 8) * spp; -- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -- trailing_bits = (sect_width * bps) % 8; -+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved -+ * samples rather than separate planes so the same logic works to extract regions -+ * regardless of the way the data are organized in the input file. -+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 -+ */ -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ -+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ - - #ifdef DEVELMODE - TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", -@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if ((bps % 8) == 0) - { -- col_offset = first_col * spp * bps / 8; -+ col_offset = (first_col * spp * bps) / 8; - for (row = first_row; row <= last_row; row++) - { -- /* row_offset = row * img_width * spp * bps / 8; */ - row_offset = row * img_rowsize; - src_offset = row_offset + col_offset; - -@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - } - else - { /* bps != 8 */ -- shift1 = spp * ((first_col * bps) % 8); -- shift2 = spp * ((last_col * bps) % 8); -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ - for (row = first_row; row <= last_row; row++) - { - /* pull out the first byte */ - row_offset = row * img_rowsize; -- offset1 = row_offset + (first_col * bps / 8); -- offset2 = row_offset + (last_col * bps / 8); -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ - - #ifdef DEVELMODE - for (j = 0, k = 7; j < 8; j++, k--) -@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - sprintf(&bitarray[9], " "); - for (j = 10, k = 7; j < 18; j++, k--) - { -- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; -+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; - sprintf(&bitarray[j], (bitset) ? "1" : "0"); - } - bitarray[18] = '\0'; -- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", -- row, offset1, shift1, offset2, shift2); -+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", -+ row, offset1, shift1, offset1+full_bytes, trailing_bits); - #endif - - bytebuff1 = bytebuff2 = 0; -@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if (trailing_bits != 0) - { -- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); -+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ -+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); - sect_buff[dst_offset] = bytebuff2; - #ifdef DEVELMODE - TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", -- offset2, dst_offset); -+ offset1 + full_bytes, dst_offset); - for (j = 30, k = 7; j < 38; j++, k--) - { - bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; -@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - for (j = 0; j <= full_bytes; j++) - { -- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); -+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ -+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ -+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); - sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); - } - #ifdef DEVELMODE -@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - dst_offset += full_bytes; - -+ /* Copy the trailing_bits for the last byte in the destination buffer. -+ Could come from one ore two bytes of the source buffer. */ - if (trailing_bits != 0) - { - #ifdef DEVELMODE -- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); --#endif -- if (shift2 > shift1) -- { -- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); -- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); -- sect_buff[dst_offset] = bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 > Shift1\n"); -+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); - #endif -+ /* More than necessary bits are already copied into last destination buffer, -+ * only masking of last byte in destination buffer is necessary.*/ -+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); - } -- else -- { -- if (shift2 < shift1) -- { -- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); -- sect_buff[dst_offset] &= bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 < Shift1\n"); --#endif -- } --#ifdef DEVELMODE -- else -- TIFFError ("", " Shift2 == Shift1\n"); --#endif -- } -- } - #ifdef DEVELMODE - sprintf(&bitarray[28], " "); - sprintf(&bitarray[29], " "); -@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, - width = sections[i].x2 - sections[i].x1 + 1; - length = sections[i].y2 - sections[i].y1 + 1; - sectsize = (uint32_t) -- ceil((width * image->bps + 7) / (double)8) * image->spp * length; -+ ceil((width * image->bps * image->spp + 7) / (double)8) * length; - /* allocate a buffer if we don't have one already */ - if (createImageSection(sectsize, sect_buff_ptr)) - { --- -GitLab - diff --git a/tiff.changes b/tiff.changes index 796f206..81c4926 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,44 @@ +------------------------------------------------------------------- +Sun May 29 20:32:14 UTC 2022 - Dirk Müller + +- update to 4.4.0: + * TIFFIsBigTiff() function added. + * Functions TIFFFieldSetGetSize() and TIFFieldSetGetCountSize() added. + * LZWDecode(): major speed improvements (~30% faster) + * Predictor 2 (horizontal differenciation): support 64-bit + * Support libjpeg 9d + * avoid hang in TIFFRewriteDirectory() if a classic file > 4 GB is attempted + to be created + * tif_jbig.c: fix crash when reading a file with multiple IFD in + memory-mapped mode and when bit reversal is needed + * TIFFFetchNormalTag(): avoid calling memcpy() with a null source pointer and + size of zero + * TIFFWriteDirectoryTagData(): turn assertion on data length into a runtime + check + * TIFFFetchStripThing(): avoid calling memcpy() with a null source pointer + and size of zero + * TIFFReadDirectory(): avoid calling memcpy() with a null source pointer and + size of zero + * TIFFYCbCrToRGBInit(): avoid Integer-overflow + * TIFFGetField(TIFFTAG_STRIPBYTECOUNTS/TIFFTAG_STRIPOFFSETS): return error if + returned pointer is NULL (fixes #342) + * OJPEG: avoid assertion when using TIFFReadScanline() + * TIFFReadDirectory: fix OJPEG hack + * LZW codec: fix support for strips/tiles > 2 GB on Windows + * TIFFAppendToStrip(): fix rewrite-in-place logic + * Fix TIFFRewriteDirectory discarding directories. + * TIFFReadCustomDirectory(): avoid crash when reading SubjectDistance tag on + a non EXIF directory + * Fix Segmentation fault printing GPS directory if Altitude tag is present + * tif_jpeg.c: do not emit progressive scans with mozjpeg. (#266) + * _TIFFRewriteField(): fix when writing a IFD with a single tile that is a + sparse one, on big endian hosts + * Fix all remaining uses of legacy Deflate compression id and warn on use. +- drop tiff-CVE-2022-0907.patch, tiff-CVE-2022-0561.patch, tiff-CVE-2022-0562.patch, + tiff-CVE-2022-0865.patch, tiff-CVE-2022-0909.patch, tiff-CVE-2022-0924.patch, + tiff-CVE-2022-0908.patch: all upstream +- add signature validation, adds tiff.keyring + ------------------------------------------------------------------- Mon May 9 10:50:34 UTC 2022 - Michael Vetter diff --git a/tiff.keyring b/tiff.keyring new file mode 100644 index 0000000..99aa836 --- /dev/null +++ b/tiff.keyring @@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFWDB10BCADeJcYKb4zsG2fs3MWGf996ZS4KIiOBRNQtQwCI5+h3K8m1qDur +qyRZ50tB/ODJwJNqdKGdGyrIvGDynsS9JsZMJ2PVoI9IK+X/vQiokx9lJCuDXTtw +1THmA85lyl1blLe3j6tA74MSXDiT3nVk375djTz+zOGxa/Ueg49tM+DjltYpkVsG +TCc29/QJ4rZmto0Lj8iU+9S7S8H/2/54qUn7vFzfzsTkI8fiLM0deCzONzE7j9Ho +vj/8dSHmB5GOGtLf2kMHbgDhHfs61UN4FawugnilCfrxVzi5EmmEByP8Zp6h/or5 ++QrTCFrVEW+zRXDGsqicN01rK22/JvyUbpyNABEBAAG0KUV2ZW4gUm91YXVsdCA8 +ZXZlbi5yb3VhdWx0QHNwYXRpYWx5cy5jb20+iQE4BBMBAgAiBQJVgwddAhsDBgsJ +CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAz67/Eez3YfZphB/9H/fWUakZqzlqi +NhZbev0um5GUYBERB7cp8JqmILF6TzCvievmR8q0zJb3vyc+8Kjti/n5CyziWDtH +XqibyhsoAFoOHhyMjQVj/hFR6oCWxF6fASkzpUSoDAHtVpFXqaLrbI1B2Fb9JpTs +VrHz0HVaW30E7eybmi7oYjV4T1bO22D/aH80zx3i6cLnoGqMCHmKrwNOK7A95mKj +k9s9GRbamR/3ef8BDF3xikDe8nSxICVc3WJbMHcGjHU6p8C/RzCvWqfHDtTuiWcG +feqaA1LmBKtpIHwG1uigM8+MJT+S+NYljTLqbz0FsORbUQ1QqXuqrfNoBqAEbLxg +esSGPx7UuQENBFWDB10BCADwo42Jwl14Tq3xhPM+1BSOfy3Aw6wTXsWzxoDABs+8 +42WhD53vn7MnOSz2VX4cTvw4ioi+N3NB2zaHGNTrwyV3DExh0d8ZNq53IXoMYfot +Uv/lZ6QHJB+kIYe+twOjkKCYj4jt1m7aEDZ3Ra4aoZbYWfFbQNZ0tnUKFVUBWcWQ +jyCWC84BdXkbxcmsr2njocqyu0lfjXpVcCBcTCcgf/LHy79asm4jgB0XpE+e8ri8 +kEadj7x7x4rrhJfa9t3oJ3AZ3rmo5zzFdbJtNKhCmwCoHrvRNWOPn6u5E7YYW9kB +xgzUUhh1g2F9RMbh3CZjICi9HtbWK3slWGYTaMt4lg/ZABEBAAGJAR8EGAECAAkF +AlWDB10CGwwACgkQM+u/xHs92H2a0wf/XV0XjqMWufAIKkvL6CmrZrCixWmPOiC1 +q8894h+gR5JpKD9h0gLJhtk4tLMy+pDmNSxPXsoRYHneJIqHl1M72Q7vEhTKIVXn +h9A306ZjCHTTNSQ3npNG1wpO0LyLDmn+Zvd1JBoFyCzsTPZ+TbUYvVJT0CeFbJBe +1JzoO1Mi2fOtA91GuYtstWLNccDbv2b5s+JSbAf3ix3+qiUpA5fglWFljCYPxzkA +eU8AReBpuirD0ZQ1Z7GJDJs2zHKZu5BqCTf5gpVLUHCXd3F46CZ4IaVrOGhNP1Ki +KemC/dPHz7Ku7HN0tqmmmu12nvUACBckNsVebCefOFrkGtdryHQ1Zw== +=4/vP +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tiff.spec b/tiff.spec index f1c04de..5dddc4a 100644 --- a/tiff.spec +++ b/tiff.spec @@ -19,26 +19,20 @@ %define asan_build 0 %define debug_build 0 Name: tiff -Version: 4.3.0 +Version: 4.4.0 Release: 0 Summary: Tools for Converting from and to the Tagged Image File Format License: HPND Group: Productivity/Graphics/Convertors -URL: http://www.simplesystems.org/libtiff/ -Source: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz +URL: https://libtiff.gitlab.io/libtiff/ +Source: https://download.osgeo.org/libtiff/tiff-%{version}.tar.xz +Source1: https://download.osgeo.org/libtiff/tiff-%{version}.tar.xz.sig Source2: README.SUSE Source3: baselibs.conf +Source99: tiff.keyring Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch -Patch2: tiff-CVE-2022-1056,CVE-2022-0891.patch -Patch3: tiff-CVE-2022-0908.patch -Patch4: tiff-CVE-2022-0924.patch -Patch5: tiff-CVE-2022-0909.patch -Patch6: tiff-CVE-2022-0865.patch -Patch7: tiff-CVE-2022-0562.patch -Patch8: tiff-CVE-2022-0561.patch -Patch9: tiff-CVE-2022-0907.patch BuildRequires: gcc-c++ BuildRequires: libjbig-devel BuildRequires: libjpeg-devel @@ -78,14 +72,6 @@ the libtiff library. %setup -q %patch0 -p1 %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 %build CFLAGS="%{optflags} -fPIE"