rpms/libtiff/devel libtiff-3samples.patch, NONE, 1.1 libtiff-checkbytecount.patch, NONE, 1.1 libtiff-getimage-64bit.patch, NONE, 1.1 libtiff-subsampling.patch, NONE, 1.1 libtiff-tiffdump.patch, NONE, 1.1 libtiff-unknown-fix.patch, NONE, 1.1 libtiff-ycbcr-clamp.patch, NONE, 1.1 .cvsignore, 1.9, 1.10 libtiff-acversion.patch, 1.2, 1.3 libtiff.spec, 1.61, 1.62 sources, 1.9, 1.10 libtiff-CVE-2009-2347.patch, 1.2, NONE libtiff-jpeg-scanline.patch, 1.2, NONE
Tom Lane
tgl at fedoraproject.org
Tue Jun 22 23:51:31 UTC 2010
Author: tgl
Update of /cvs/pkgs/rpms/libtiff/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13512
Modified Files:
.cvsignore libtiff-acversion.patch libtiff.spec sources
Added Files:
libtiff-3samples.patch libtiff-checkbytecount.patch
libtiff-getimage-64bit.patch libtiff-subsampling.patch
libtiff-tiffdump.patch libtiff-unknown-fix.patch
libtiff-ycbcr-clamp.patch
Removed Files:
libtiff-CVE-2009-2347.patch libtiff-jpeg-scanline.patch
Log Message:
Update to libtiff 3.9.4, and fix assorted crashing bugs
libtiff-3samples.patch:
tif_getimage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE libtiff-3samples.patch ---
Patch for bug #603081: failure to guard against bogus SamplesPerPixel
when converting a YCbCr image to RGB.
This patch duplicates into PickContigCase() a safety check that already
existed in PickSeparateCase().
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400
@@ -2397,7 +2397,7 @@
}
break;
case PHOTOMETRIC_YCBCR:
- if (img->bitspersample == 8)
+ if ((img->bitspersample==8) && (img->samplesperpixel==3))
{
if (initYCbCrConversion(img)!=0)
{
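Review bot: The added `img->samplesperpixel==3` test in the `PHOTOMETRIC_YCBCR` case has no comment marking it as a safety guard, so a later cleanup could relax it without noticing. I would add above the `if`: `/* guard against bogus SamplesPerPixel; same check as PickSeparateCase() */`. What happens to an image that fails the test is decided outside this hunk, so it is worth confirming that path ends in a reported error rather than an unset put routine.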
libtiff-checkbytecount.patch:
libtiff/tif_ojpeg.c | 4 ++++
tools/tiffsplit.c | 10 ++++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
--- NEW FILE libtiff-checkbytecount.patch ---
Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
missing strip byte counts too. Testing shows that tiffsplit.c has an issue
too.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400
@@ -1920,6 +1920,10 @@
sp->in_buffer_file_pos=0;
else
{
+ if (sp->tif->tif_dir.td_stripbytecount == 0) {
+ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
+ return(0);
+ }
sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
if (sp->in_buffer_file_togo==0)
sp->in_buffer_file_pos=0;
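Review bot: The new guard only establishes that `td_stripbytecount` is non-NULL; the index `sp->in_buffer_next_strile` used on the next line is not range-checked anywhere in this hunk. If it is not bounded against the strip count elsewhere in the function (not visible here), an index past the end of the array would still be read. Consider extending the test to `if (sp->tif->tif_dir.td_stripbytecount == NULL || sp->in_buffer_next_strile >= sp->tif->tif_dir.td_nstrips)`. Comparing the pointer against `NULL` rather than `0` also makes it clearer that this is a pointer test.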
diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
--- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400
@@ -237,7 +237,10 @@
tstrip_t s, ns = TIFFNumberOfStrips(in);
uint32 *bytecounts;
- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
+ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
+ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
+ return (0);
+ }
for (s = 0; s < ns; s++) {
if (bytecounts[s] > (uint32)bufsize) {
buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
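Review bot: The early `return (0)` added after the failed `TIFFGetField` leaves `buf` unreleased. The `_TIFFrealloc(buf, ...)` call just below shows that `buf` already holds an allocation at this point, although the allocation itself is outside the hunk. Freeing it first keeps the error path clean: `_TIFFfree(buf); return (0);`. The same applies to the tile variant in the next hunk, which returns early after the `TIFFTAG_TILEBYTECOUNTS` lookup.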
@@ -267,7 +270,10 @@
ttile_t t, nt = TIFFNumberOfTiles(in);
uint32 *bytecounts;
- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
+ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
+ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
+ return (0);
+ }
for (t = 0; t < nt; t++) {
if (bytecounts[t] > (uint32) bufsize) {
buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);
libtiff-getimage-64bit.patch:
tif_getimage.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- NEW FILE libtiff-getimage-64bit.patch ---
Fix misbehavior on 64-bit machines when trying to flip a downsampled image
vertically: unsigned ints will be widened to 64 bits the wrong way.
See RH bug #583081.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207
diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400
@@ -1846,6 +1846,7 @@
DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
{
uint32* cp2;
+ int32 incr = 2*toskew+w;
(void) y;
fromskew = (fromskew / 2) * 6;
cp2 = cp+w+toskew;
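Review bot: `int32 incr = 2*toskew+w;` still forms the sum in mixed signed/unsigned arithmetic if `w` is unsigned, as the patch description implies; the parameter list comes from `DECLAREContigPutFunc` and is not visible here. The result then becomes negative only through the final conversion to `int32`. Converting `w` first keeps the whole expression signed and makes the intent explicit: `int32 incr = 2*toskew + (int32)w;`. A one-line comment such as `/* signed on purpose: a negative increment must sign-extend when added to a 64-bit pointer */` would discourage folding it back into the pointer arithmetic later. The same declaration is added to `putcontig8bitYCbCr12tile` in the third hunk.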
@@ -1872,8 +1873,8 @@
cp2 ++ ;
pp += 6;
}
- cp += toskew*2+w;
- cp2 += toskew*2+w;
+ cp += incr;
+ cp2 += incr;
pp += fromskew;
h-=2;
}
@@ -1939,6 +1940,7 @@
DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
{
uint32* cp2;
+ int32 incr = 2*toskew+w;
(void) y;
fromskew = (fromskew / 2) * 4;
cp2 = cp+w+toskew;
@@ -1953,8 +1955,8 @@
cp2 ++;
pp += 4;
} while (--x);
- cp += toskew*2+w;
- cp2 += toskew*2+w;
+ cp += incr;
+ cp2 += incr;
pp += fromskew;
h-=2;
}
libtiff-subsampling.patch:
tif_strip.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- NEW FILE libtiff-subsampling.patch ---
Use the spec-mandated default YCbCrSubSampling values in strip size
calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
See bug #603703.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215
NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues.
diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
--- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_strip.c 2010-06-14 12:00:49.000000000 -0400
@@ -124,9 +124,9 @@
uint16 ycbcrsubsampling[2];
tsize_t w, scanline, samplingarea;
- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1 );
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
if (samplingarea == 0) {
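Review bot: The return value of `TIFFGetFieldDefaulted` is ignored here, and nothing at the call site explains why the defaulted variant is needed, so `ycbcrsubsampling` remains an uninitialised local should the call ever fail. Initialising the array, `uint16 ycbcrsubsampling[2] = {0, 0};`, would let the existing zero-area check catch that case. A short comment would also help, e.g. `/* tag may be absent: use the spec default rather than whatever is on the stack */`. The two later hunks in this file make the same call and would take the same change.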
@@ -234,9 +234,9 @@
&& !isUpSampled(tif)) {
uint16 ycbcrsubsampling[2];
- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1);
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
@@ -308,9 +308,9 @@
&& !isUpSampled(tif)) {
uint16 ycbcrsubsampling[2];
- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1);
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
libtiff-tiffdump.patch:
tiffdump.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE libtiff-tiffdump.patch ---
Make tiffdump more paranoid about checking the count field of a directory
entry.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218
diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400
@@ -46,6 +46,7 @@
# include <io.h>
#endif
+#include "tiffiop.h"
#include "tiffio.h"
#ifndef O_BINARY
@@ -317,7 +318,7 @@
printf(">\n");
continue;
}
- space = dp->tdir_count * datawidth[dp->tdir_type];
+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
if (space <= 0) {
printf(">\n");
Error("Invalid count for tag %u", dp->tdir_tag);
@@ -709,7 +710,7 @@
w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
cc = dir->tdir_count * w;
if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
- && read(fd, cp, cc) != -1) {
+ && read(fd, cp, cc) == cc) {
if (swabflag) {
switch (dir->tdir_type) {
case TIFF_SHORT:
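Review bot: `cc = dir->tdir_count * w;` just above the changed `read()` test is still a plain multiplication, while the earlier hunk in this file moves the equivalent computation to `TIFFSafeMultiply`. If the caller has not already rejected an overflowing count (not visible in this hunk), a wrapped `cc` would let the new `== cc` comparison succeed for a length that does not match the destination buffer. For consistency I would write `cc = TIFFSafeMultiply(int, dir->tdir_count, w);` and treat a non-positive result as failure. The function starts and ends outside the hunk, and the declared type of `cc` is not shown, so the cast type should be checked against it.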
libtiff-unknown-fix.patch:
tif_dirread.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- NEW FILE libtiff-unknown-fix.patch ---
Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to
sometimes complain about out-of-order tags when there weren't really any.
Fix by decoupling that logic from the tag search logic.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c
--- tiff-3.9.4.orig/libtiff/tif_dirread.c 2010-06-14 10:27:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_dirread.c 2010-06-16 01:27:03.000000000 -0400
@@ -83,6 +83,7 @@
const TIFFFieldInfo* fip;
size_t fix;
uint16 dircount;
+ uint16 previous_tag = 0;
int diroutoforderwarning = 0, compressionknown = 0;
int haveunknowntags = 0;
@@ -163,23 +164,24 @@
if (dp->tdir_tag == IGNORE)
continue;
- if (fix >= tif->tif_nfields)
- fix = 0;
/*
* Silicon Beach (at least) writes unordered
* directory tags (violating the spec). Handle
* it here, but be obnoxious (maybe they'll fix it?).
*/
- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
+ if (dp->tdir_tag < previous_tag) {
if (!diroutoforderwarning) {
TIFFWarningExt(tif->tif_clientdata, module,
"%s: invalid TIFF directory; tags are not sorted in ascending order",
tif->tif_name);
diroutoforderwarning = 1;
}
- fix = 0; /* O(n^2) */
}
+ previous_tag = dp->tdir_tag;
+ if (fix >= tif->tif_nfields ||
+ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
+ fix = 0; /* O(n^2) */
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
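Review bot: The new two-line `if (fix >= tif->tif_nfields || ...)` has an unbraced body and only the inherited `/* O(n^2) */` remark, so it is not obvious that the search reset is now independent of the ordering warning above it. Braces and a comment would help, e.g. `/* restart the field-info scan when the tag lies before the current search position */`. The bounds test has to stay first in the condition, because it is what keeps `tif->tif_fieldinfo[fix]` from being indexed at `tif_nfields`; the comment should say so. The enclosing loop begins outside the hunk.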
libtiff-ycbcr-clamp.patch:
tif_color.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- NEW FILE libtiff-ycbcr-clamp.patch ---
Using an array to clamp translated YCbCr values is insecure, because if the
TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
values could be very far out of range (much further than the current array
size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in
favor of using a comparison-based macro to clamp. See RH bug #583081.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400
@@ -183,13 +183,18 @@
TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
uint32 *r, uint32 *g, uint32 *b)
{
+ int32 i;
+
/* XXX: Only 8-bit YCbCr input supported for now */
Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
+ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
+ *r = CLAMP(i, 0, 255);
+ i = ycbcr->Y_tab[Y]
+ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
+ *g = CLAMP(i, 0, 255);
+ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
+ *b = CLAMP(i, 0, 255);
}
/*
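Review bot: Each sum such as `ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]` is still formed in signed integer arithmetic before `CLAMP` sees it. With table entries as far out of range as the patch description anticipates, the addition itself could overflow, which is undefined behaviour for signed integers. Whether the tables are range-limited when they are built is not visible in this hunk. If they are, a comment here should say so, e.g. `/* table entries are bounded at init, so these sums cannot overflow int32 */`; if not, the bound belongs where the tables are filled. `clamptab` is no longer read by this function, so its allocation and setup elsewhere may now be dead code.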
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/devel/.cvsignore,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- .cvsignore 3 Dec 2009 18:42:07 -0000 1.9
+++ .cvsignore 22 Jun 2010 23:51:28 -0000 1.10
@@ -1 +1 @@
-tiff-3.9.2.tar.gz
+tiff-3.9.4.tar.gz
libtiff-acversion.patch:
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: libtiff-acversion.patch
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/devel/libtiff-acversion.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- libtiff-acversion.patch 4 Dec 2009 17:09:32 -0000 1.2
+++ libtiff-acversion.patch 22 Jun 2010 23:51:28 -0000 1.3
@@ -2,15 +2,15 @@ This patch is needed for building the pa
dropped whenever autoconf 2.63 is no longer used on any live branch.
-diff -Naur tiff-3.9.2.orig/configure.ac tiff-3.9.2/configure.ac
---- tiff-3.9.2.orig/configure.ac 2009-11-04 12:11:20.000000000 -0500
-+++ tiff-3.9.2/configure.ac 2009-12-03 12:52:41.000000000 -0500
+diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac
+--- tiff-3.9.4.orig/configure.ac 2010-06-15 14:58:12.000000000 -0400
++++ tiff-3.9.4/configure.ac 2010-06-15 17:13:11.000000000 -0400
@@ -24,7 +24,7 @@
dnl Process this file with autoconf to produce a configure script.
-AC_PREREQ(2.64)
+AC_PREREQ(2.63)
- AC_INIT([LibTIFF Software],[3.9.2],[tiff at lists.maptools.org],[tiff])
+ AC_INIT([LibTIFF Software],[3.9.4],[tiff at lists.maptools.org],[tiff])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_MACRO_DIR(m4)
Index: libtiff.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/devel/libtiff.spec,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -p -r1.61 -r1.62
--- libtiff.spec 6 Jan 2010 04:31:25 -0000 1.61
+++ libtiff.spec 22 Jun 2010 23:51:29 -0000 1.62
@@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
-Version: 3.9.2
-Release: 3%{?dist}
+Version: 3.9.4
+Release: 1%{?dist}
License: libtiff
Group: System Environment/Libraries
@@ -10,9 +10,14 @@ URL: http://www.remotesensing.org/libtif
Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
Patch1: libtiff-acversion.patch
Patch2: libtiff-mantypo.patch
-Patch3: libtiff-CVE-2009-2347.patch
-Patch4: libtiff-jpeg-scanline.patch
-Patch5: libtiff-scanlinesize.patch
+Patch3: libtiff-scanlinesize.patch
+Patch4: libtiff-getimage-64bit.patch
+Patch5: libtiff-ycbcr-clamp.patch
+Patch6: libtiff-3samples.patch
+Patch7: libtiff-subsampling.patch
+Patch8: libtiff-unknown-fix.patch
+Patch9: libtiff-checkbytecount.patch
+Patch10: libtiff-tiffdump.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel
@@ -70,6 +75,11 @@ image files using the libtiff library.
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@@ -181,6 +191,15 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/*
%changelog
+* Tue Jun 22 2010 Tom Lane <tgl at redhat.com> 3.9.4-1
+- Update to libtiff 3.9.4, for numerous bug fixes including fixes for
+ CVE-2010-1411, CVE-2010-2065, CVE-2010-2067
+Resolves: #554371
+Related: #460653, #588784, #601274, #599576, #592361, #603024
+- Add fixes for multiple SIGSEGV problems
+Resolves: #583081
+Related: #603081, #603699, #603703
+
* Tue Jan 5 2010 Tom Lane <tgl at redhat.com> 3.9.2-3
- Apply Adam Goode's fix for Warmerdam's fix
Resolves: #552360
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/devel/sources,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- sources 3 Dec 2009 18:42:07 -0000 1.9
+++ sources 22 Jun 2010 23:51:29 -0000 1.10
@@ -1 +1 @@
-93e56e421679c591de7552db13384cb8 tiff-3.9.2.tar.gz
+2006c1bdd12644dbf02956955175afd6 tiff-3.9.4.tar.gz
--- libtiff-CVE-2009-2347.patch DELETED ---
--- libtiff-jpeg-scanline.patch DELETED ---