[mingw-libtiff: 9/18] - Update to 3.9.4 - Merged the native Fedora package changes up to 3.9.4-1 - Fixes CVE-2010-1411 (RH
Kalev Lember
kalev at fedoraproject.org
Tue Mar 6 19:47:49 UTC 2012
commit 6e63b9fa1bf916e620dc6a12c8f8e48e8192855a
Author: epienbro <epienbro at fedoraproject.org>
Date: Fri Jun 25 12:48:14 2010 +0000
- Update to 3.9.4
- Merged the native Fedora package changes up to 3.9.4-1
- Fixes CVE-2010-1411 (RHBZ #592361) and various other CVE's
.cvsignore | 2 +-
libtiff-3.8.2-CVE-2006-2193.patch | 11 -
libtiff-3.8.2-lzw-bugs.patch | 58 ---
libtiff-3.8.2-ormandy.patch | 669 -------------------------
libtiff-3samples.patch | 21 +
libtiff-acversion.patch | 16 +
libtiff-checkbytecount.patch | 48 ++
libtiff-getimage-64bit.patch | 48 ++
libtiff-mantypo.patch | 17 +
libtiff-mingw32-libjpeg-7-compatibility.patch | 32 ++
libtiff-scanlinesize.patch | 72 +++
libtiff-subsampling.patch | 51 ++
libtiff-tiffdump.patch | 35 ++
libtiff-unknown-fix.patch | 47 ++
libtiff-ycbcr-clamp.patch | 35 ++
mingw32-libtiff.spec | 48 ++-
sources | 2 +-
tiffsplit-overflow.patch | 22 -
18 files changed, 463 insertions(+), 771 deletions(-)
---
diff --git a/.cvsignore b/.cvsignore
index d85724d..37e1552 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-tiff-3.8.2.tar.gz
+tiff-3.9.4.tar.gz
diff --git a/libtiff-3samples.patch b/libtiff-3samples.patch
new file mode 100644
index 0000000..c305bd0
--- /dev/null
+++ b/libtiff-3samples.patch
@@ -0,0 +1,21 @@
+Patch for bug #603081: failure to guard against bogus SamplesPerPixel
+when converting a YCbCr image to RGB.
+
+This patch duplicates into PickContigCase() a safety check that already
+existed in PickSeparateCase().
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400
+@@ -2397,7 +2397,7 @@
+ }
+ break;
+ case PHOTOMETRIC_YCBCR:
+- if (img->bitspersample == 8)
++ if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ {
+ if (initYCbCrConversion(img)!=0)
+ {
diff --git a/libtiff-acversion.patch b/libtiff-acversion.patch
new file mode 100644
index 0000000..fc3a136
--- /dev/null
+++ b/libtiff-acversion.patch
@@ -0,0 +1,16 @@
+This patch is needed for building the package as of F-11. It can be
+dropped whenever autoconf 2.63 is no longer used on any live branch.
+
+
+diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac
+--- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400
++++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400
+@@ -24,7 +24,7 @@
+
+ dnl Process this file with autoconf to produce a configure script.
+
+-AC_PREREQ(2.64)
++AC_PREREQ(2.63)
+ AC_INIT([LibTIFF Software],[3.9.4],[tiff at lists.maptools.org],[tiff])
+ AC_CONFIG_AUX_DIR(config)
+ AC_CONFIG_MACRO_DIR(m4)
diff --git a/libtiff-checkbytecount.patch b/libtiff-checkbytecount.patch
new file mode 100644
index 0000000..ecd8a9f
--- /dev/null
+++ b/libtiff-checkbytecount.patch
@@ -0,0 +1,48 @@
+Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
+missing strip byte counts too. Testing shows that tiffsplit.c has an issue
+too.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
+--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400
+@@ -1920,6 +1920,10 @@
+ sp->in_buffer_file_pos=0;
+ else
+ {
++ if (sp->tif->tif_dir.td_stripbytecount == 0) {
++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
++ return(0);
++ }
+ sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
+ if (sp->in_buffer_file_togo==0)
+ sp->in_buffer_file_pos=0;
+diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
+--- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400
+@@ -237,7 +237,10 @@
+ tstrip_t s, ns = TIFFNumberOfStrips(in);
+ uint32 *bytecounts;
+
+- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
++ return (0);
++ }
+ for (s = 0; s < ns; s++) {
+ if (bytecounts[s] > (uint32)bufsize) {
+ buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
+@@ -267,7 +270,10 @@
+ ttile_t t, nt = TIFFNumberOfTiles(in);
+ uint32 *bytecounts;
+
+- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
++ return (0);
++ }
+ for (t = 0; t < nt; t++) {
+ if (bytecounts[t] > (uint32) bufsize) {
+ buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);
diff --git a/libtiff-getimage-64bit.patch b/libtiff-getimage-64bit.patch
new file mode 100644
index 0000000..2f3d68e
--- /dev/null
+++ b/libtiff-getimage-64bit.patch
@@ -0,0 +1,48 @@
+Fix misbehavior on 64-bit machines when trying to flip a downsampled image
+vertically: unsigned ints will be widened to 64 bits the wrong way.
+See RH bug #583081.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400
+@@ -1846,6 +1846,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32* cp2;
++ int32 incr = 2*toskew+w;
+ (void) y;
+ fromskew = (fromskew / 2) * 6;
+ cp2 = cp+w+toskew;
+@@ -1872,8 +1873,8 @@
+ cp2 ++ ;
+ pp += 6;
+ }
+- cp += toskew*2+w;
+- cp2 += toskew*2+w;
++ cp += incr;
++ cp2 += incr;
+ pp += fromskew;
+ h-=2;
+ }
+@@ -1939,6 +1940,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32* cp2;
++ int32 incr = 2*toskew+w;
+ (void) y;
+ fromskew = (fromskew / 2) * 4;
+ cp2 = cp+w+toskew;
+@@ -1953,8 +1955,8 @@
+ cp2 ++;
+ pp += 4;
+ } while (--x);
+- cp += toskew*2+w;
+- cp2 += toskew*2+w;
++ cp += incr;
++ cp2 += incr;
+ pp += fromskew;
+ h-=2;
+ }
diff --git a/libtiff-mantypo.patch b/libtiff-mantypo.patch
new file mode 100644
index 0000000..c7e91b4
--- /dev/null
+++ b/libtiff-mantypo.patch
@@ -0,0 +1,17 @@
+Minor typo, reported upstream at
+http://bugzilla.maptools.org/show_bug.cgi?id=2129
+This patch should not be needed as of libtiff 4.0.
+
+
+diff -Naur tiff-3.9.2.orig/man/tiffset.1 tiff-3.9.2/man/tiffset.1
+--- tiff-3.9.2.orig/man/tiffset.1 2006-04-20 08:17:19.000000000 -0400
++++ tiff-3.9.2/man/tiffset.1 2009-12-03 12:11:58.000000000 -0500
+@@ -60,7 +60,7 @@
+ ``Anonymous'':
+ .RS
+ .nf
+-tiffset \-s 305 Anonymous a.tif
++tiffset \-s 315 Anonymous a.tif
+ .fi
+ .RE
+ .PP
diff --git a/libtiff-mingw32-libjpeg-7-compatibility.patch b/libtiff-mingw32-libjpeg-7-compatibility.patch
index 4cc6e28..9ecb365 100644
--- a/libtiff-mingw32-libjpeg-7-compatibility.patch
+++ b/libtiff-mingw32-libjpeg-7-compatibility.patch
@@ -60,3 +60,35 @@
std_fill_input_buffer(j_decompress_ptr cinfo)
{
JPEGState* sp = (JPEGState* ) cinfo;
+--- libtiff/tif_ojpeg.c.orig 2010-06-25 14:42:58.387654713 +0200
++++ libtiff/tif_ojpeg.c 2010-06-25 14:43:24.483651879 +0200
+@@ -383,9 +383,9 @@
+ static void OJPEGLibjpegJpegErrorMgrOutputMessage(jpeg_common_struct* cinfo);
+ static void OJPEGLibjpegJpegErrorMgrErrorExit(jpeg_common_struct* cinfo);
+ static void OJPEGLibjpegJpegSourceMgrInitSource(jpeg_decompress_struct* cinfo);
+-static boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo);
++static jpeg_boolean OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo);
+ static void OJPEGLibjpegJpegSourceMgrSkipInputData(jpeg_decompress_struct* cinfo, long num_bytes);
+-static boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired);
++static jpeg_boolean OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired);
+ static void OJPEGLibjpegJpegSourceMgrTermSource(jpeg_decompress_struct* cinfo);
+
+ int
+@@ -2388,7 +2388,7 @@
+ (void)cinfo;
+ }
+
+-static boolean
++static jpeg_boolean
+ OJPEGLibjpegJpegSourceMgrFillInputBuffer(jpeg_decompress_struct* cinfo)
+ {
+ TIFF* tif=(TIFF*)cinfo->client_data;
+@@ -2414,7 +2414,7 @@
+ jpeg_encap_unwind(tif);
+ }
+
+-static boolean
++static jpeg_boolean
+ OJPEGLibjpegJpegSourceMgrResyncToRestart(jpeg_decompress_struct* cinfo, int desired)
+ {
+ TIFF* tif=(TIFF*)cinfo->client_data;
diff --git a/libtiff-scanlinesize.patch b/libtiff-scanlinesize.patch
new file mode 100644
index 0000000..57fe809
--- /dev/null
+++ b/libtiff-scanlinesize.patch
@@ -0,0 +1,72 @@
+Partial fix for issues filed upstream at
+http://bugzilla.maptools.org/show_bug.cgi?id=2140
+This stops the tiffcmp core dump noted in bug #460322, but isn't enough
+to make tiffcmp return the right answer (it emits a bunch of error
+messages instead).
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
+--- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500
+@@ -988,8 +988,15 @@
+ tsize_t nrows;
+ (void) s;
+
+- /* data is expected to be read in multiples of a scanline */
+- if ( (nrows = sp->cinfo.d.image_height) ) {
++ nrows = cc / sp->bytesperline;
++ if (cc % sp->bytesperline)
++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
++
++ if( nrows > (int) sp->cinfo.d.image_height )
++ nrows = sp->cinfo.d.image_height;
++
++ /* data is expected to be read in multiples of a scanline */
++ if (nrows) {
+ /* Cb,Cr both have sampling factors 1, so this is correct */
+ JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
+ int samples_per_clump = sp->samplesperclump;
+@@ -1087,8 +1094,7 @@
+ * TODO: resolve this */
+ buf += sp->bytesperline;
+ cc -= sp->bytesperline;
+- nrows -= sp->v_sampling;
+- } while (nrows > 0);
++ } while (--nrows > 0);
+
+ #ifdef JPEG_LIB_MK1
+ _TIFFfree(tmpbuf);
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500
+@@ -238,23 +238,19 @@
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
+
+- if (ycbcrsubsampling[0] == 0) {
++ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Invalid YCbCr subsampling");
+ return 0;
+ }
+
+- scanline = TIFFroundup(td->td_imagewidth,
++ /* number of sample clumps per line */
++ scanline = TIFFhowmany(td->td_imagewidth,
+ ycbcrsubsampling[0]);
+- scanline = TIFFhowmany8(multiply(tif, scanline,
+- td->td_bitspersample,
+- "TIFFScanlineSize"));
+- return ((tsize_t)
+- summarize(tif, scanline,
+- multiply(tif, 2,
+- scanline / ycbcrsubsampling[0],
+- "TIFFVStripSize"),
+- "TIFFVStripSize"));
++ /* number of samples per line */
++ scanline = multiply(tif, scanline,
++ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
++ "TIFFScanlineSize");
+ } else {
+ scanline = multiply(tif, td->td_imagewidth,
+ td->td_samplesperpixel,
diff --git a/libtiff-subsampling.patch b/libtiff-subsampling.patch
new file mode 100644
index 0000000..a44406b
--- /dev/null
+++ b/libtiff-subsampling.patch
@@ -0,0 +1,51 @@
+Use the spec-mandated default YCbCrSubSampling values in strip size
+calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
+See bug #603703.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215
+
+NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues.
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400
+@@ -124,9 +124,9 @@
+ uint16 ycbcrsubsampling[2];
+ tsize_t w, scanline, samplingarea;
+
+- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1 );
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
+ if (samplingarea == 0) {
+@@ -234,9 +234,9 @@
+ && !isUpSampled(tif)) {
+ uint16 ycbcrsubsampling[2];
+
+- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1);
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+@@ -308,9 +308,9 @@
+ && !isUpSampled(tif)) {
+ uint16 ycbcrsubsampling[2];
+
+- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1);
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
diff --git a/libtiff-tiffdump.patch b/libtiff-tiffdump.patch
new file mode 100644
index 0000000..cb77796
--- /dev/null
+++ b/libtiff-tiffdump.patch
@@ -0,0 +1,35 @@
+Make tiffdump more paranoid about checking the count field of a directory
+entry.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218
+
+
+diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
+--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400
+@@ -46,6 +46,7 @@
+ # include <io.h>
+ #endif
+
++#include "tiffiop.h"
+ #include "tiffio.h"
+
+ #ifndef O_BINARY
+@@ -317,7 +318,7 @@
+ printf(">\n");
+ continue;
+ }
+- space = dp->tdir_count * datawidth[dp->tdir_type];
++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
+ if (space <= 0) {
+ printf(">\n");
+ Error("Invalid count for tag %u", dp->tdir_tag);
+@@ -709,7 +710,7 @@
+ w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
+ cc = dir->tdir_count * w;
+ if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
+- && read(fd, cp, cc) != -1) {
++ && read(fd, cp, cc) == cc) {
+ if (swabflag) {
+ switch (dir->tdir_type) {
+ case TIFF_SHORT:
diff --git a/libtiff-unknown-fix.patch b/libtiff-unknown-fix.patch
new file mode 100644
index 0000000..5c3b32e
--- /dev/null
+++ b/libtiff-unknown-fix.patch
@@ -0,0 +1,47 @@
+Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to
+sometimes complain about out-of-order tags when there weren't really any.
+Fix by decoupling that logic from the tag search logic.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c
+--- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400
+@@ -83,6 +83,7 @@
+ const TIFFFieldInfo* fip;
+ size_t fix;
+ uint16 dircount;
++ uint16 previous_tag = 0;
+ int diroutoforderwarning = 0, compressionknown = 0;
+ int haveunknowntags = 0;
+
+@@ -163,23 +164,24 @@
+
+ if (dp->tdir_tag == IGNORE)
+ continue;
+- if (fix >= tif->tif_nfields)
+- fix = 0;
+
+ /*
+ * Silicon Beach (at least) writes unordered
+ * directory tags (violating the spec). Handle
+ * it here, but be obnoxious (maybe they'll fix it?).
+ */
+- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
++ if (dp->tdir_tag < previous_tag) {
+ if (!diroutoforderwarning) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: invalid TIFF directory; tags are not sorted in ascending order",
+ tif->tif_name);
+ diroutoforderwarning = 1;
+ }
+- fix = 0; /* O(n^2) */
+ }
++ previous_tag = dp->tdir_tag;
++ if (fix >= tif->tif_nfields ||
++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
++ fix = 0; /* O(n^2) */
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
diff --git a/libtiff-ycbcr-clamp.patch b/libtiff-ycbcr-clamp.patch
new file mode 100644
index 0000000..fbd10bb
--- /dev/null
+++ b/libtiff-ycbcr-clamp.patch
@@ -0,0 +1,35 @@
+Using an array to clamp translated YCbCr values is insecure, because if the
+TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
+values could be very far out of range (much further than the current array
+size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in
+favor of using a comparison-based macro to clamp. See RH bug #583081.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
+--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400
+@@ -183,13 +183,18 @@
+ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
+ uint32 *r, uint32 *g, uint32 *b)
+ {
++ int32 i;
++
+ /* XXX: Only 8-bit YCbCr input supported for now */
+ Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
+
+- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
+- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
+- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
+- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
++ *r = CLAMP(i, 0, 255);
++ i = ycbcr->Y_tab[Y]
++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
++ *g = CLAMP(i, 0, 255);
++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
++ *b = CLAMP(i, 0, 255);
+ }
+
+ /*
diff --git a/mingw32-libtiff.spec b/mingw32-libtiff.spec
index a64c728..b7450c2 100644
--- a/mingw32-libtiff.spec
+++ b/mingw32-libtiff.spec
@@ -7,17 +7,23 @@
Summary: MinGW Windows port of the LibTIFF library
Name: mingw32-libtiff
-Version: 3.8.2
-Release: 20%{?dist}
+Version: 3.9.4
+Release: 1%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.remotesensing.org/libtiff/
Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
-Patch0: tiffsplit-overflow.patch
-Patch1: libtiff-3.8.2-ormandy.patch
-Patch2: libtiff-3.8.2-CVE-2006-2193.patch
-Patch4: libtiff-3.8.2-lzw-bugs.patch
+Patch1: libtiff-acversion.patch
+Patch2: libtiff-mantypo.patch
+Patch3: libtiff-scanlinesize.patch
+Patch4: libtiff-getimage-64bit.patch
+Patch5: libtiff-ycbcr-clamp.patch
+Patch6: libtiff-3samples.patch
+Patch7: libtiff-subsampling.patch
+Patch8: libtiff-unknown-fix.patch
+Patch9: libtiff-checkbytecount.patch
+Patch10: libtiff-tiffdump.patch
Patch100: libtiff-mingw32-libjpeg-7-compatibility.patch
@@ -29,6 +35,10 @@ BuildRequires: mingw32-filesystem >= 35
BuildRequires: mingw32-gcc
BuildRequires: mingw32-gcc-c++
BuildRequires: mingw32-binutils
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+
%description
The libtiff package contains a library of functions for manipulating
@@ -56,14 +66,29 @@ Static version of the MinGW Windows LibTIFF library.
%setup -q -n tiff-%{version}
# Patches from the native Fedora package:
-%patch0 -p1 -b .overflow
-%patch1 -p1 -b .ormandy
-%patch2 -p1 -b .CVE-2006-2193
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
# MinGW specific patches
%patch100 -p0
+# Use build system's libtool.m4, not the one in the package.
+rm -f libtool.m4
+
+libtoolize --force --copy
+aclocal -I . -I m4
+automake --add-missing --copy
+autoconf
+autoheader
+
%build
export MINGW32_CFLAGS="%{_mingw32_cflags} -fno-strict-aliasing"
@@ -105,6 +130,11 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Jun 25 2010 Erik van Pienbroek <epienbro at fedoraproject.org> - 3.9.4-1
+- Update to 3.9.4
+- Merged the native Fedora package changes up to 3.9.4-1
+- Fixes CVE-2010-1411 (RHBZ #592361) and various other CVE's
+
* Fri Sep 18 2009 Erik van Pienbroek <epienbro at fedoraproject.org> - 3.8.2-20
- Rebuild because of broken mingw32-gcc/mingw32-binutils
diff --git a/sources b/sources
index 1c867c8..a73728b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz
+2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz
More information about the scm-commits
mailing list