rpms/libtiff/F-13 libtiff-3samples.patch, NONE, 1.1 libtiff-checkbytecount.patch, NONE, 1.1 libtiff-getimage-64bit.patch, NONE, 1.1 libtiff-subsampling.patch, NONE, 1.1 libtiff-tiffdump.patch, NONE, 1.1 libtiff-unknown-fix.patch, NONE, 1.1 libtiff-ycbcr-clamp.patch, NONE, 1.1 .cvsignore, 1.9, 1.10 libtiff-acversion.patch, 1.2, 1.3 libtiff.spec, 1.61, 1.62 sources, 1.9, 1.10 libtiff-CVE-2009-2347.patch, 1.2, NONE libtiff-jpeg-scanline.patch, 1.2, NONE

Tom Lane tgl at fedoraproject.org
Tue Jun 22 23:58:11 UTC 2010


Author: tgl

Update of /cvs/pkgs/rpms/libtiff/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv14144

Modified Files:
	.cvsignore libtiff-acversion.patch libtiff.spec sources 
Added Files:
	libtiff-3samples.patch libtiff-checkbytecount.patch 
	libtiff-getimage-64bit.patch libtiff-subsampling.patch 
	libtiff-tiffdump.patch libtiff-unknown-fix.patch 
	libtiff-ycbcr-clamp.patch 
Removed Files:
	libtiff-CVE-2009-2347.patch libtiff-jpeg-scanline.patch 
Log Message:
Update to libtiff 3.9.4, and fix assorted crashing bugs

libtiff-3samples.patch:
 tif_getimage.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE libtiff-3samples.patch ---
Patch for bug #603081: failure to guard against bogus SamplesPerPixel
when converting a YCbCr image to RGB.

This patch duplicates into PickContigCase() a safety check that already
existed in PickSeparateCase().

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216


diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-11 12:06:47.000000000 -0400
@@ -2397,7 +2397,7 @@
 			}
 			break;
 		case PHOTOMETRIC_YCBCR:
-			if (img->bitspersample == 8)
+			if ((img->bitspersample==8) && (img->samplesperpixel==3))
 			{
 				if (initYCbCrConversion(img)!=0)
 				{
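Review bot: The added `img->samplesperpixel==3` test in the `PHOTOMETRIC_YCBCR` case has no comment, and the hunk does not show what happens when it fails; presumably the case reaches its `break` with no put routine selected, which is worth confirming. A one-line comment above the `if`, such as `/* reject bogus SamplesPerPixel before YCbCr-to-RGB setup; same check as PickSeparateCase() */`, would keep the two functions visibly in step. The spacing also departs from the `img->bitspersample == 8` form on the line it replaces. The enclosing function starts and ends outside the hunk.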

libtiff-checkbytecount.patch:
 libtiff/tif_ojpeg.c |    4 ++++
 tools/tiffsplit.c   |   10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

--- NEW FILE libtiff-checkbytecount.patch ---
Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
missing strip byte counts too.  Testing shows that tiffsplit.c has an issue
too.

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996


diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c	2010-06-08 19:29:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_ojpeg.c	2010-06-22 11:25:17.579807706 -0400
@@ -1920,6 +1920,10 @@
 							sp->in_buffer_file_pos=0;
 						else
 						{
+							if (sp->tif->tif_dir.td_stripbytecount == 0) {
+								TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
+								return(0);
+							}
 							sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];  
 							if (sp->in_buffer_file_togo==0)
 								sp->in_buffer_file_pos=0;
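Review bot: The new guard rejects only a missing `td_stripbytecount` array; the index `sp->in_buffer_next_strile` used on the very next line is not compared with the number of entries anywhere in this hunk. If no earlier code in the function bounds it by the strip count, the read could still run past the end of the array, so that bound should be confirmed or added next to the new check. The pointer test would also read more clearly as `== NULL` than `== 0`. The enclosing function begins and ends outside the hunk, so the meaning of `return(0)` as a failure code is assumed here.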
diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
--- tiff-3.9.4.orig/tools/tiffsplit.c	2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffsplit.c	2010-06-22 12:23:23.258823151 -0400
@@ -237,7 +237,10 @@
 		tstrip_t s, ns = TIFFNumberOfStrips(in);
 		uint32 *bytecounts;
 
-		TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
+		if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
+			fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
+			return (0);
+		}
 		for (s = 0; s < ns; s++) {
 			if (bytecounts[s] > (uint32)bufsize) {
 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
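Review bot: The new early `return (0);` leaves the function without releasing `buf`, which the loop below passes to `_TIFFrealloc` and which therefore appears to be heap-allocated before this point (the allocation itself is outside the hunk). Adding `_TIFFfree(buf);` before the `return (0);` would avoid the leak on the error path. The second hunk in this file adds the same early return for `TIFFTAG_TILEBYTECOUNTS` and needs the same line. Both functions start and end outside their hunks, so it is assumed that 0 is their failure value.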
@@ -267,7 +270,10 @@
 		ttile_t t, nt = TIFFNumberOfTiles(in);
 		uint32 *bytecounts;
 
-		TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
+		if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
+			fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
+			return (0);
+		}
 		for (t = 0; t < nt; t++) {
 			if (bytecounts[t] > (uint32) bufsize) {
 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);

libtiff-getimage-64bit.patch:
 tif_getimage.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- NEW FILE libtiff-getimage-64bit.patch ---
Fix misbehavior on 64-bit machines when trying to flip a downsampled image
vertically: unsigned ints will be widened to 64 bits the wrong way.
See RH bug #583081.

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207


diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-10 15:07:28.000000000 -0400
@@ -1846,6 +1846,7 @@
 DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
 {
 	uint32* cp2;
+	int32 incr = 2*toskew+w;
 	(void) y;
 	fromskew = (fromskew / 2) * 6;
 	cp2 = cp+w+toskew;
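Review bot: The new `int32 incr = 2*toskew+w;` declaration in `putcontig8bitYCbCr22tile` has no comment saying why the increment must be held in a signed variable, so it reads like a plain hoist of a repeated expression that a later cleanup could fold back into `cp += toskew*2+w`. A comment above it, such as `/* keep signed: an unsigned sum would be zero-extended when added to a 64-bit pointer (vertical flip case) */`, would record the reason given in the patch description. The same comment belongs on the identical declaration added to `putcontig8bitYCbCr12tile`. The types of `toskew` and `w` come from `DECLAREContigPutFunc`, which is not visible in these hunks.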
@@ -1872,8 +1873,8 @@
 			cp2 ++ ;
 			pp += 6;
 		}
-		cp += toskew*2+w;
-		cp2 += toskew*2+w;
+		cp += incr;
+		cp2 += incr;
 		pp += fromskew;
 		h-=2;
 	}
@@ -1939,6 +1940,7 @@
 DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
 {
 	uint32* cp2;
+	int32 incr = 2*toskew+w;
 	(void) y;
 	fromskew = (fromskew / 2) * 4;
 	cp2 = cp+w+toskew;
@@ -1953,8 +1955,8 @@
 			cp2 ++;
 			pp += 4;
 		} while (--x);
-		cp += toskew*2+w;
-		cp2 += toskew*2+w;
+		cp += incr;
+		cp2 += incr;
 		pp += fromskew;
 		h-=2;
 	}

libtiff-subsampling.patch:
 tif_strip.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- NEW FILE libtiff-subsampling.patch ---
Use the spec-mandated default YCbCrSubSampling values in strip size
calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
See bug #603703.

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215

NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues.


diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
--- tiff-3.9.2.orig/libtiff/tif_strip.c	2006-03-25 13:04:35.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_strip.c	2010-06-14 12:00:49.000000000 -0400
@@ -124,9 +124,9 @@
 		uint16 ycbcrsubsampling[2];
 		tsize_t w, scanline, samplingarea;
 
-		TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
-			      ycbcrsubsampling + 0,
-			      ycbcrsubsampling + 1 );
+		TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+				      ycbcrsubsampling + 0,
+				      ycbcrsubsampling + 1);
 
 		samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
 		if (samplingarea == 0) {
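Review bot: The result of `TIFFGetFieldDefaulted` is still discarded, so if the call ever reports failure the two `ycbcrsubsampling[]` elements are read uninitialised and the `samplingarea == 0` test operates on indeterminate values. Declaring the array as `uint16 ycbcrsubsampling[2] = { 0, 0 };` would make that case fall into the existing zero check, assuming that branch rejects the image (its body is outside this hunk). The two later hunks in this file make the same call before `ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0` and would take the same initialiser.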
@@ -234,9 +234,9 @@
 		    && !isUpSampled(tif)) {
 			uint16 ycbcrsubsampling[2];
 
-			TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
-				     ycbcrsubsampling + 0,
-				     ycbcrsubsampling + 1);
+			TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+					      ycbcrsubsampling + 0,
+					      ycbcrsubsampling + 1);
 
 			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
@@ -308,9 +308,9 @@
 		    && !isUpSampled(tif)) {
 			uint16 ycbcrsubsampling[2];
 
-			TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
-				     ycbcrsubsampling + 0,
-				     ycbcrsubsampling + 1);
+			TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+					      ycbcrsubsampling + 0,
+					      ycbcrsubsampling + 1);
 
 			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

libtiff-tiffdump.patch:
 tiffdump.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- NEW FILE libtiff-tiffdump.patch ---
Make tiffdump more paranoid about checking the count field of a directory
entry.

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218


diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
--- tiff-3.9.4.orig/tools/tiffdump.c	2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffdump.c	2010-06-22 12:51:42.207932477 -0400
@@ -46,6 +46,7 @@
 # include <io.h>
 #endif
 
+#include "tiffiop.h"
 #include "tiffio.h"
 
 #ifndef O_BINARY
@@ -317,7 +318,7 @@
 			printf(">\n");
 			continue;
 		}
-		space = dp->tdir_count * datawidth[dp->tdir_type];
+		space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
 		if (space <= 0) {
 			printf(">\n");
 			Error("Invalid count for tag %u", dp->tdir_tag);
@@ -709,7 +710,7 @@
 	w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
 	cc = dir->tdir_count * w;
 	if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
-	    && read(fd, cp, cc) != -1) {
+	    && read(fd, cp, cc) == cc) {
 		if (swabflag) {
 			switch (dir->tdir_type) {
 			case TIFF_SHORT:
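Review bot: The byte count `cc = dir->tdir_count * w` on the context line above the changed `read()` test is still an unchecked multiplication, unlike the `space` computation that this patch moves to `TIFFSafeMultiply`. If that product wraps, the new `read(fd, cp, cc) == cc` comparison is made against the wrapped value, and the size of the buffer behind `cp` is not visible here. It is worth confirming that every caller sizes `cp` from the validated `space`, or computing `cc` with the same macro and returning failure when the result is not positive. The function begins and ends outside the hunk and the declared type of `cc` is not shown, so the comparison with `read()`'s return type should be checked too.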

libtiff-unknown-fix.patch:
 tif_dirread.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- NEW FILE libtiff-unknown-fix.patch ---
Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to
sometimes complain about out-of-order tags when there weren't really any.
Fix by decoupling that logic from the tag search logic.

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210


diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c
--- tiff-3.9.4.orig/libtiff/tif_dirread.c	2010-06-14 10:27:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_dirread.c	2010-06-16 01:27:03.000000000 -0400
@@ -83,6 +83,7 @@
 	const TIFFFieldInfo* fip;
 	size_t fix;
 	uint16 dircount;
+	uint16 previous_tag = 0;
 	int diroutoforderwarning = 0, compressionknown = 0;
 	int haveunknowntags = 0;
 
@@ -163,23 +164,24 @@
 
 		if (dp->tdir_tag == IGNORE)
 			continue;
-		if (fix >= tif->tif_nfields)
-			fix = 0;
 
 		/*
 		 * Silicon Beach (at least) writes unordered
 		 * directory tags (violating the spec).  Handle
 		 * it here, but be obnoxious (maybe they'll fix it?).
 		 */
-		if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
+		if (dp->tdir_tag < previous_tag) {
 			if (!diroutoforderwarning) {
 				TIFFWarningExt(tif->tif_clientdata, module,
 	"%s: invalid TIFF directory; tags are not sorted in ascending order",
 					    tif->tif_name);
 				diroutoforderwarning = 1;
 			}
-			fix = 0;			/* O(n^2) */
 		}
+		previous_tag = dp->tdir_tag;
+		if (fix >= tif->tif_nfields ||
+		    dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
+			fix = 0;			/* O(n^2) */
 		while (fix < tif->tif_nfields &&
 		    tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
 			fix++;
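Review bot: The relocated `fix = 0;` reset keeps only the `/* O(n^2) */` remark, so nothing tells the reader that the ordering warning and the field-info search are now deliberately separate. A short comment above `previous_tag = dp->tdir_tag;`, for example `/* ordering is judged against the previous entry's tag; fix is only a search cursor into tif_fieldinfo */`, would stop the two from being merged again. A second comment above the new `if`, such as `/* restart the search when the cursor is past the end or past this tag */`, would cover the reset. The loop this hunk sits in starts and ends outside the visible lines.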

libtiff-ycbcr-clamp.patch:
 tif_color.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- NEW FILE libtiff-ycbcr-clamp.patch ---
Using an array to clamp translated YCbCr values is insecure, because if the
TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
values could be very far out of range (much further than the current array
size, anyway), possibly resulting in SIGSEGV.  Just drop the whole idea in
favor of using a comparison-based macro to clamp.  See RH bug #583081.

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208


diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
--- tiff-3.9.2.orig/libtiff/tif_color.c	2006-02-09 10:42:20.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_color.c	2010-06-10 15:53:24.000000000 -0400
@@ -183,13 +183,18 @@
 TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
 	       uint32 *r, uint32 *g, uint32 *b)
 {
+	int32 i;
+
 	/* XXX: Only 8-bit YCbCr input supported for now */
 	Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
 
-	*r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
-	*g = ycbcr->clamptab[ycbcr->Y_tab[Y]
-	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
-	*b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
+	i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
+	*r = CLAMP(i, 0, 255);
+	i = ycbcr->Y_tab[Y]
+	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
+	*g = CLAMP(i, 0, 255);
+	i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
+	*b = CLAMP(i, 0, 255);
 }
 
 /*
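Review bot: The comparison-based clamp in `TIFFYCbCrtoRGB` has no comment recording why the lookup table was dropped, and a later reader could be tempted to reinstate it as an optimisation. A line above the first assignment to `i`, such as `/* clamp by comparison: with bogus ReferenceBlackWhite the sums can lie far outside any table */`, would preserve the reasoning from the patch description. `ycbcr->clamptab` is no longer read here; whether the init routine still allocates and fills it is not visible in this hunk and is worth checking so that no dead table remains. The sums are now stored in an `int32`, so it is also worth confirming that the table entries cannot make the addition overflow.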


Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/F-13/.cvsignore,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- .cvsignore	3 Dec 2009 18:42:07 -0000	1.9
+++ .cvsignore	22 Jun 2010 23:58:10 -0000	1.10
@@ -1 +1 @@
-tiff-3.9.2.tar.gz
+tiff-3.9.4.tar.gz

libtiff-acversion.patch:
 configure.ac |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: libtiff-acversion.patch
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/F-13/libtiff-acversion.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- libtiff-acversion.patch	4 Dec 2009 17:09:32 -0000	1.2
+++ libtiff-acversion.patch	22 Jun 2010 23:58:10 -0000	1.3
@@ -2,15 +2,15 @@ This patch is needed for building the pa
 dropped whenever autoconf 2.63 is no longer used on any live branch.
 
 
-diff -Naur tiff-3.9.2.orig/configure.ac tiff-3.9.2/configure.ac
---- tiff-3.9.2.orig/configure.ac	2009-11-04 12:11:20.000000000 -0500
-+++ tiff-3.9.2/configure.ac	2009-12-03 12:52:41.000000000 -0500
+diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac
+--- tiff-3.9.4.orig/configure.ac	2010-06-15 14:58:12.000000000 -0400
++++ tiff-3.9.4/configure.ac	2010-06-15 17:13:11.000000000 -0400
 @@ -24,7 +24,7 @@
  
  dnl Process this file with autoconf to produce a configure script.
  
 -AC_PREREQ(2.64)
 +AC_PREREQ(2.63)
- AC_INIT([LibTIFF Software],[3.9.2],[tiff at lists.maptools.org],[tiff])
+ AC_INIT([LibTIFF Software],[3.9.4],[tiff at lists.maptools.org],[tiff])
  AC_CONFIG_AUX_DIR(config)
  AC_CONFIG_MACRO_DIR(m4)


Index: libtiff.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/F-13/libtiff.spec,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -p -r1.61 -r1.62
--- libtiff.spec	6 Jan 2010 04:31:25 -0000	1.61
+++ libtiff.spec	22 Jun 2010 23:58:11 -0000	1.62
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
-Version: 3.9.2
-Release: 3%{?dist}
+Version: 3.9.4
+Release: 1%{?dist}
 
 License: libtiff
 Group: System Environment/Libraries
@@ -10,9 +10,14 @@ URL: http://www.remotesensing.org/libtif
 Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
 Patch1: libtiff-acversion.patch
 Patch2: libtiff-mantypo.patch
-Patch3: libtiff-CVE-2009-2347.patch
-Patch4: libtiff-jpeg-scanline.patch
-Patch5: libtiff-scanlinesize.patch
+Patch3: libtiff-scanlinesize.patch
+Patch4: libtiff-getimage-64bit.patch
+Patch5: libtiff-ycbcr-clamp.patch
+Patch6: libtiff-3samples.patch
+Patch7: libtiff-subsampling.patch
+Patch8: libtiff-unknown-fix.patch
+Patch9: libtiff-checkbytecount.patch
+Patch10: libtiff-tiffdump.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@@ -70,6 +75,11 @@ image files using the libtiff library.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -181,6 +191,15 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/*
 
 %changelog
+* Tue Jun 22 2010 Tom Lane <tgl at redhat.com> 3.9.4-1
+- Update to libtiff 3.9.4, for numerous bug fixes including fixes for
+  CVE-2010-1411, CVE-2010-2065, CVE-2010-2067
+Resolves: #554371
+Related: #460653, #588784, #601274, #599576, #592361, #603024
+- Add fixes for multiple SIGSEGV problems
+Resolves: #583081
+Related: #603081, #603699, #603703
+
 * Tue Jan  5 2010 Tom Lane <tgl at redhat.com> 3.9.2-3
 - Apply Adam Goode's fix for Warmerdam's fix
 Resolves: #552360


Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/F-13/sources,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- sources	3 Dec 2009 18:42:07 -0000	1.9
+++ sources	22 Jun 2010 23:58:11 -0000	1.10
@@ -1 +1 @@
-93e56e421679c591de7552db13384cb8  tiff-3.9.2.tar.gz
+2006c1bdd12644dbf02956955175afd6  tiff-3.9.4.tar.gz


--- libtiff-CVE-2009-2347.patch DELETED ---


--- libtiff-jpeg-scanline.patch DELETED ---


