rpms/libtiff/F-11 libtiff-3samples.patch, NONE, 1.1 libtiff-CVE-2010-1411.patch, NONE, 1.1 libtiff-CVE-2010-2065.patch, NONE, 1.1 libtiff-jpeg-scanline.patch, NONE, 1.1 libtiff-subsampling.patch, NONE, 1.1 libtiff-tiff2pdf-bugs.patch, NONE, 1.1 libtiff-tiffcp-no-subsample.patch, NONE, 1.1 libtiff-tiffdump.patch, NONE, 1.1 libtiff-unknown-tags.patch, NONE, 1.1 libtiff-ycbcr-clamp.patch, NONE, 1.1 libtiff-3.8.2-ormandy.patch, 1.1, 1.2 libtiff.spec, 1.55, 1.56
Tom Lane
tgl at fedoraproject.org
Wed Jun 23 00:14:16 UTC 2010
Author: tgl
Update of /cvs/pkgs/rpms/libtiff/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv15393
Modified Files:
libtiff-3.8.2-ormandy.patch libtiff.spec
Added Files:
libtiff-3samples.patch libtiff-CVE-2010-1411.patch
libtiff-CVE-2010-2065.patch libtiff-jpeg-scanline.patch
libtiff-subsampling.patch libtiff-tiff2pdf-bugs.patch
libtiff-tiffcp-no-subsample.patch libtiff-tiffdump.patch
libtiff-unknown-tags.patch libtiff-ycbcr-clamp.patch
Log Message:
Back-port fixes for numerous crasher bugs
libtiff-3samples.patch:
tif_getimage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE libtiff-3samples.patch ---
Patch for bug #603081: failure to guard against bogus SamplesPerPixel
when converting a YCbCr image to RGB.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
diff -Naur tiff-3.8.2.orig/libtiff/tif_getimage.c tiff-3.8.2/libtiff/tif_getimage.c
--- tiff-3.8.2.orig/libtiff/tif_getimage.c 2005-12-27 06:28:23.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_getimage.c 2010-06-16 21:41:12.000000000 -0400
@@ -2384,7 +2384,7 @@
}
break;
case PHOTOMETRIC_YCBCR:
- if (img->bitspersample == 8)
+ if (img->bitspersample == 8 && img->samplesperpixel==3)
put = initYCbCrConversion(img);
break;
case PHOTOMETRIC_CIELAB:
libtiff-CVE-2010-1411.patch:
tif_fax3.c | 24 ++++++++++++++++++++----
tiffiop.h | 7 ++++++-
2 files changed, 26 insertions(+), 5 deletions(-)
--- NEW FILE libtiff-CVE-2010-1411.patch ---
Upstream patch for bug #592361 (CVE-2010-1411)
diff -Naur tiff-3.8.2.orig/libtiff/tif_fax3.c tiff-3.8.2/libtiff/tif_fax3.c
--- tiff-3.8.2.orig/libtiff/tif_fax3.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_fax3.c 2010-06-13 15:54:49.000000000 -0400
@@ -491,10 +491,26 @@
td->td_compression == COMPRESSION_CCITTFAX4
);
- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels;
-
- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32),
- "for Group 3/4 run arrays");
+ /*
+ Assure that allocation computations do not overflow.
+
+ TIFFroundup and TIFFSafeMultiply return zero on integer overflow
+ */
+ dsp->runs=(uint32*) NULL;
+ nruns = TIFFroundup(rowpixels,32);
+ if (needsRefLine) {
+ nruns = TIFFSafeMultiply(uint32,nruns,2);
+ }
+ if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Row pixels integer overflow (rowpixels %u)",
+ rowpixels);
+ return (0);
+ }
+ dsp->runs = (uint32*) _TIFFCheckMalloc(tif,
+ TIFFSafeMultiply(uint32,nruns,2),
+ sizeof (uint32),
+ "for Group 3/4 run arrays");
if (dsp->runs == NULL)
return (0);
dsp->curruns = dsp->runs;
diff -Naur tiff-3.8.2.orig/libtiff/tiffiop.h tiff-3.8.2/libtiff/tiffiop.h
--- tiff-3.8.2.orig/libtiff/tiffiop.h 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tiffiop.h 2010-06-13 15:52:46.000000000 -0400
@@ -222,10 +222,15 @@
#endif
/* NB: the uint32 casts are to silence certain ANSI-C compilers */
-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y)))
+#define TIFFhowmany(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 0U)
#define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
#define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
+/* Safe multiply which returns zero if there is an integer overflow */
+#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
+
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
#define TIFFmin(A,B) ((A)<(B)?(A):(B))
libtiff-CVE-2010-2065.patch:
tif_read.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- NEW FILE libtiff-CVE-2010-2065.patch ---
Upstream patch for bug #601274 (CVE-2010-2065)
diff -Naur tiff-3.8.2.orig/libtiff/tif_read.c tiff-3.8.2/libtiff/tif_read.c
--- tiff-3.8.2.orig/libtiff/tif_read.c 2005-12-21 07:33:56.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_read.c 2010-06-13 16:04:13.000000000 -0400
@@ -525,16 +525,18 @@
_TIFFfree(tif->tif_rawdata);
tif->tif_rawdata = NULL;
}
+
if (bp) {
tif->tif_rawdatasize = size;
tif->tif_rawdata = (tidata_t) bp;
tif->tif_flags &= ~TIFF_MYBUFFER;
} else {
tif->tif_rawdatasize = TIFFroundup(size, 1024);
- tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
+ if (tif->tif_rawdatasize > 0)
+ tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
tif->tif_flags |= TIFF_MYBUFFER;
}
- if (tif->tif_rawdata == NULL) {
+ if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: No space for data buffer at scanline %ld",
tif->tif_name, (long) tif->tif_row);
libtiff-jpeg-scanline.patch:
tif_dir.c | 7 +++++++
tif_jpeg.c | 15 +++++++++++++--
2 files changed, 20 insertions(+), 2 deletions(-)
--- NEW FILE libtiff-jpeg-scanline.patch ---
Upstream patch for tiff2ps core dump noted in bug #460322. (Note that
the tiffcmp crash mentioned there is really a different bug.)
Now also incorporating Adam Goode's patch for bug #552360. See
http://bugzilla.maptools.org/show_bug.cgi?id=1936
diff -Naur tiff-3.8.2.orig/libtiff/tif_dir.c tiff-3.8.2/libtiff/tif_dir.c
--- tiff-3.8.2.orig/libtiff/tif_dir.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_dir.c 2010-06-13 15:32:55.000000000 -0400
@@ -1081,6 +1081,13 @@
*/
tif->tif_flags &= ~TIFF_ISTILED;
+ /*
+ * Clear other directory-specific fields.
+ */
+ tif->tif_tilesize = 0;
+ tif->tif_scanlinesize = 0;
+
+
return (1);
}
diff -Naur tiff-3.8.2.orig/libtiff/tif_jpeg.c tiff-3.8.2/libtiff/tif_jpeg.c
--- tiff-3.8.2.orig/libtiff/tif_jpeg.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_jpeg.c 2010-06-13 15:34:28.000000000 -0400
@@ -1582,7 +1582,10 @@
* Must recalculate cached tile size
* in case sampling state changed.
*/
- tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1;
+ if( tif->tif_tilesize > 0 )
+ tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1;
+ if(tif->tif_scanlinesize > 0 )
+ tif->tif_scanlinesize = TIFFScanlineSize(tif);
return (1); /* pseudo tag */
case TIFFTAG_JPEGTABLESMODE:
sp->jpegtablesmode = va_arg(ap, int);
@@ -1668,13 +1671,21 @@
return;
}
else
- {
+ {
if( !TIFFFillStrip( tif, 0 ) )
return;
}
TIFFSetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
(uint16) sp->h_sampling, (uint16) sp->v_sampling );
+
+ /*
+ ** We want to clear the loaded strip so the application has time
+ ** to set JPEGCOLORMODE or other behavior modifiers. This essentially
+ ** undoes the JPEGPreDecode triggers by TIFFFileStrip(). (#1936)
+ */
+ tif->tif_curstrip = -1;
+
#endif /* CHECK_JPEG_YCBCR_SUBSAMPLING */
}
libtiff-subsampling.patch:
tif_strip.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- NEW FILE libtiff-subsampling.patch ---
Use the spec-mandated default YCbCrSubSampling values in strip size
calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
See bug #603703.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215
diff -Naur tiff-3.8.2.orig/libtiff/tif_strip.c tiff-3.8.2/libtiff/tif_strip.c
--- tiff-3.8.2.orig/libtiff/tif_strip.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_strip.c 2010-06-16 21:46:16.000000000 -0400
@@ -124,9 +124,9 @@
uint16 ycbcrsubsampling[2];
tsize_t w, scanline, samplingarea;
- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1 );
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
if (samplingarea == 0) {
@@ -234,11 +234,11 @@
&& !isUpSampled(tif)) {
uint16 ycbcrsubsampling[2];
- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1);
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+ ycbcrsubsampling + 1);
- if (ycbcrsubsampling[0] == 0) {
+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Invalid YCbCr subsampling");
return 0;
libtiff-tiff2pdf-bugs.patch:
tiff2pdf.c | 50 +++++++++++++++++++++++++++-----------------------
1 file changed, 27 insertions(+), 23 deletions(-)
--- NEW FILE libtiff-tiff2pdf-bugs.patch ---
Fix assorted bugs in tiff2pdf: missing "return" in t2p_read_tiff_size() causes
t2p->tiff_datasize to be set entirely wrong for COMPRESSION_JPEG case,
resulting in memory stomp if actual size is larger. Also, there are a
bunch of places that try to memset() a malloc'd buffer before checking
for malloc failure, which would result in core dump if there actually
were a failure. In 3.8.2 it's also using the wrong size variable for
the output of TIFFGetField(input, TIFFTAG_JPEGTABLES, ...)
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2211
diff -Naur tiff-3.8.2.orig/tools/tiff2pdf.c tiff-3.8.2/tools/tiff2pdf.c
--- tiff-3.8.2.orig/tools/tiff2pdf.c 2006-03-21 11:42:51.000000000 -0500
+++ tiff-3.8.2/tools/tiff2pdf.c 2010-06-13 16:43:40.000000000 -0400
@@ -1758,7 +1758,6 @@
uint32* sbc=NULL;
#if defined(JPEG_SUPPORT) || defined (OJPEG_SUPPORT)
unsigned char* jpt=NULL;
- uint16 xuint16=0;
tstrip_t i=0;
tstrip_t stripcount=0;
#endif
@@ -1825,9 +1824,10 @@
#endif
#ifdef JPEG_SUPPORT
if(t2p->tiff_compression == COMPRESSION_JPEG){
- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16, &jpt) != 0 ){
- if(xuint16>4){
- t2p->tiff_datasize+= xuint16;
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
+ if(count>4){
+ t2p->tiff_datasize+= count;
t2p->tiff_datasize -=2; /* don't use EOI of header */
}
} else {
@@ -1846,6 +1846,7 @@
t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */
}
t2p->tiff_datasize +=2; /* use EOI of last strip */
+ return;
}
#endif
(void) 0;
@@ -1894,9 +1895,10 @@
#endif
#ifdef JPEG_SUPPORT
if(t2p->tiff_compression==COMPRESSION_JPEG){
- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16, &jpt)!=0){
- if(xuint16>4){
- t2p->tiff_datasize+=xuint16;
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
+ if(count>4){
+ t2p->tiff_datasize+=count;
t2p->tiff_datasize-=4; /* don't use EOI of header or SOI of tile */
}
}
@@ -2078,7 +2080,6 @@
#ifdef ZIP_SUPPORT
if(t2p->pdf_compression == T2P_COMPRESS_ZIP){
buffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2087,6 +2088,7 @@
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
TIFFReadRawStrip(input, 0, (tdata_t) buffer, t2p->tiff_datasize);
if (t2p->tiff_fillorder==FILLORDER_LSB2MSB){
TIFFReverseBits(buffer, t2p->tiff_datasize);
@@ -2101,7 +2103,6 @@
if(t2p->tiff_dataoffset != 0){
buffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2110,6 +2111,7 @@
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
if(t2p->pdf_ojpegiflength==0){
inputoffset=TIFFSeekFile(input, 0, SEEK_CUR);
TIFFSeekFile(input, t2p->tiff_dataoffset, SEEK_SET);
@@ -2160,7 +2162,6 @@
return(0);
}
buffer=(unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2169,6 +2170,7 @@
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
_TIFFmemcpy(buffer, t2p->pdf_ojpegdata, t2p->pdf_ojpegdatalength);
bufferoffset=t2p->pdf_ojpegdatalength;
stripcount=TIFFNumberOfStrips(input);
@@ -2200,8 +2202,8 @@
#endif
#ifdef JPEG_SUPPORT
if(t2p->tiff_compression == COMPRESSION_JPEG){
+ uint32 count = 0;
buffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2210,10 +2212,11 @@
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16_1, &jpt) != 0){
- if(xuint16_1>4){
- _TIFFmemcpy(buffer, jpt, xuint16_1);
- bufferoffset+=xuint16_1-2;
+ memset(buffer, 0, t2p->tiff_datasize);
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0){
+ if(count>4){
+ _TIFFmemcpy(buffer, jpt, count);
+ bufferoffset+=count-2;
}
}
stripcount=TIFFNumberOfStrips(input);
@@ -2262,7 +2265,6 @@
if(t2p->pdf_sample==T2P_SAMPLE_NOTHING){
buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2271,6 +2273,7 @@
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
stripsize=TIFFStripSize(input);
stripcount=TIFFNumberOfStrips(input);
for(i=0;i<stripcount;i++){
@@ -2300,7 +2303,6 @@
stripcount=sepstripcount/t2p->tiff_samplesperpixel;
buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2309,6 +2311,7 @@
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
samplebuffer = (unsigned char*) _TIFFmalloc(stripsize);
if(samplebuffer==NULL){
TIFFError(TIFF2PDF_MODULE,
@@ -2349,7 +2352,6 @@
}
buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2358,6 +2360,7 @@
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
stripsize=TIFFStripSize(input);
stripcount=TIFFNumberOfStrips(input);
for(i=0;i<stripcount;i++){
@@ -2691,6 +2694,7 @@
#ifdef JPEG_SUPPORT
if(t2p->tiff_compression == COMPRESSION_JPEG){
unsigned char table_end[2];
+ uint32 count = 0;
buffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
@@ -2701,14 +2705,14 @@
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16_1, &jpt) != 0) {
- if(xuint16_1 > 0){
- _TIFFmemcpy(buffer, jpt, xuint16_1);
- bufferoffset += xuint16_1 - 2;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+ if(count > 0){
+ _TIFFmemcpy(buffer, jpt, count);
+ bufferoffset += count - 2;
table_end[0] = buffer[bufferoffset-2];
table_end[1] = buffer[bufferoffset-1];
}
- if(xuint16_1 > 0) {
+ if(count > 0) {
xuint32 = bufferoffset;
bufferoffset += TIFFReadRawTile(
input,
libtiff-tiffcp-no-subsample.patch:
tiffcp.c | 43 ++++++++++++++++++++++++-------------------
1 file changed, 24 insertions(+), 19 deletions(-)
--- NEW FILE libtiff-tiffcp-no-subsample.patch ---
tiffcp doesn't have any code to copy subsampled images. It can handle
JPEG-compressed input anyway by the expedient of telling the codec to
convert to RGB (and thereby upsample), but otherwise we have to punt to
avoid buffer overruns. Per bug #588784, bug #460653, and upstream bug
http://bugzilla.maptools.org/show_bug.cgi?id=2097
This patch is a bit more than minimally sized because it rearranges
some of the existing code for simplicity.
diff -Naur tiff-3.8.2.orig/tools/tiffcp.c tiff-3.8.2/tools/tiffcp.c
--- tiff-3.8.2.orig/tools/tiffcp.c 2006-03-21 11:42:51.000000000 -0500
+++ tiff-3.8.2/tools/tiffcp.c 2010-06-13 16:08:21.000000000 -0400
@@ -540,6 +540,7 @@
tiffcp(TIFF* in, TIFF* out)
{
uint16 bitspersample, samplesperpixel;
+ uint16 input_compression, input_photometric;
copyFunc cf;
uint32 width, length;
struct cpTag* p;
@@ -552,26 +553,30 @@
TIFFSetField(out, TIFFTAG_COMPRESSION, compression);
else
CopyField(TIFFTAG_COMPRESSION, compression);
+ TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
+ TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
+ if (input_compression == COMPRESSION_JPEG) {
+ /* Force conversion to RGB */
+ TIFFSetField(in, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB);
+ } else if (input_photometric == PHOTOMETRIC_YCBCR) {
+ /* Otherwise, can't handle subsampled input */
+ uint16 subsamplinghor,subsamplingver;
+
+ TIFFGetFieldDefaulted(in, TIFFTAG_YCBCRSUBSAMPLING,
+ &subsamplinghor, &subsamplingver);
+ if (subsamplinghor!=1 || subsamplingver!=1) {
+ fprintf(stderr, "tiffcp: %s: Can't copy/convert subsampled image.\n",
+ TIFFFileName(in));
+ return FALSE;
+ }
+ }
if (compression == COMPRESSION_JPEG) {
- uint16 input_compression, input_photometric;
-
- if (TIFFGetField(in, TIFFTAG_COMPRESSION, &input_compression)
- && input_compression == COMPRESSION_JPEG) {
- TIFFSetField(in, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB);
- }
- if (TIFFGetField(in, TIFFTAG_PHOTOMETRIC, &input_photometric)) {
- if(input_photometric == PHOTOMETRIC_RGB) {
- if (jpegcolormode == JPEGCOLORMODE_RGB)
- TIFFSetField(out, TIFFTAG_PHOTOMETRIC,
- PHOTOMETRIC_YCBCR);
- else
- TIFFSetField(out, TIFFTAG_PHOTOMETRIC,
- PHOTOMETRIC_RGB);
- } else
- TIFFSetField(out, TIFFTAG_PHOTOMETRIC,
- input_photometric);
- }
- }
+ if (input_photometric == PHOTOMETRIC_RGB &&
+ jpegcolormode == JPEGCOLORMODE_RGB)
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_YCBCR);
+ else
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, input_photometric);
+ }
else if (compression == COMPRESSION_SGILOG
|| compression == COMPRESSION_SGILOG24)
TIFFSetField(out, TIFFTAG_PHOTOMETRIC,
libtiff-tiffdump.patch:
tiffdump.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE libtiff-tiffdump.patch ---
Make tiffdump more paranoid about checking the count field of a directory
entry.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218
diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400
@@ -46,6 +46,7 @@
# include <io.h>
#endif
+#include "tiffiop.h"
#include "tiffio.h"
#ifndef O_BINARY
@@ -317,7 +318,7 @@
printf(">\n");
continue;
}
- space = dp->tdir_count * datawidth[dp->tdir_type];
+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
if (space <= 0) {
printf(">\n");
Error("Invalid count for tag %u", dp->tdir_tag);
@@ -709,7 +710,7 @@
w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
cc = dir->tdir_count * w;
if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
- && read(fd, cp, cc) != -1) {
+ && read(fd, cp, cc) == cc) {
if (swabflag) {
switch (dir->tdir_type) {
case TIFF_SHORT:
libtiff-unknown-tags.patch:
tif_dirread.c | 103 +++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 80 insertions(+), 23 deletions(-)
--- NEW FILE libtiff-unknown-tags.patch ---
Fix for bug #554371: unknown tags have to be processed in a separate pass,
because tags might become known when we register a codec after processing
the Compression tag. We *must not* create an anonymous field entry that
conflicts with a codec-registered field! The original logic could result
in a crash if any such tags appear before Compression.
An additional bug in the original logic is that it could mishandle unknown
tags with numbers higher than the last known tag.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
diff -Naur tiff-3.8.2.orig/libtiff/tif_dirread.c tiff-3.8.2/libtiff/tif_dirread.c
--- tiff-3.8.2.orig/libtiff/tif_dirread.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_dirread.c 2010-06-16 21:28:47.000000000 -0400
@@ -80,7 +80,9 @@
size_t fix;
uint16 dircount;
toff_t nextdiroff;
+ uint16 previous_tag = 0;
int diroutoforderwarning = 0;
+ int haveunknowntags = 0;
toff_t* new_dirlist;
tif->tif_diroff = tif->tif_nextdiroff;
@@ -234,7 +236,7 @@
fix = 0;
for (dp = dir, n = dircount; n > 0; n--, dp++) {
- if (fix >= tif->tif_nfields || dp->tdir_tag == IGNORE)
+ if (dp->tdir_tag == IGNORE)
continue;
/*
@@ -242,38 +244,26 @@
* directory tags (violating the spec). Handle
* it here, but be obnoxious (maybe they'll fix it?).
*/
- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
+ if (dp->tdir_tag < previous_tag) {
if (!diroutoforderwarning) {
TIFFWarningExt(tif->tif_clientdata, module,
"%s: invalid TIFF directory; tags are not sorted in ascending order",
tif->tif_name);
diroutoforderwarning = 1;
}
- fix = 0; /* O(n^2) */
}
+ previous_tag = dp->tdir_tag;
+ if (fix >= tif->tif_nfields ||
+ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
+ fix = 0; /* O(n^2) */
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
if (fix >= tif->tif_nfields ||
tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
-
- TIFFWarningExt(tif->tif_clientdata,
- module,
- "%s: unknown field with tag %d (0x%x) encountered",
- tif->tif_name,
- dp->tdir_tag,
- dp->tdir_tag,
- dp->tdir_type);
-
- TIFFMergeFieldInfo(tif,
- _TIFFCreateAnonFieldInfo(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1 );
- fix = 0;
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
+ /* Unknown tag ... we'll deal with it below */
+ haveunknowntags = 1;
+ continue;
}
/*
* Null out old tags that we ignore.
@@ -287,8 +277,8 @@
* Check data type.
*/
fip = tif->tif_fieldinfo[fix];
- while (dp->tdir_type != (unsigned short) fip->field_type
- && fix < tif->tif_nfields) {
+ while (fix < tif->tif_nfields &&
+ dp->tdir_type != (unsigned short) fip->field_type) {
if (fip->field_type == TIFF_ANY) /* wildcard */
break;
fip = tif->tif_fieldinfo[++fix];
@@ -362,6 +352,73 @@
}
/*
+ * If we saw any unknown tags, make an extra pass over the directory
+ * to deal with them. This must be done separately because the tags
+ * could have become known when we registered a codec after finding
+ * the Compression tag. In a correctly-sorted directory there's
+ * no problem because Compression will come before any codec-private
+ * tags, but if the sorting is wrong that might not hold.
+ */
+ if (haveunknowntags) {
+ fix = 0;
+ for (dp = dir, n = dircount; n > 0; n--, dp++) {
+ if (dp->tdir_tag == IGNORE)
+ continue;
+ if (fix >= tif->tif_nfields ||
+ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
+ fix = 0; /* O(n^2) */
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
+ if (fix >= tif->tif_nfields ||
+ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+ TIFFWarningExt(tif->tif_clientdata,
+ module,
+ "%s: unknown field with tag %d (0x%x) encountered",
+ tif->tif_name,
+ dp->tdir_tag,
+ dp->tdir_tag,
+ dp->tdir_type);
+
+ TIFFMergeFieldInfo(tif,
+ _TIFFCreateAnonFieldInfo(tif,
+ dp->tdir_tag,
+ (TIFFDataType) dp->tdir_type),
+ 1 );
+ fix = 0;
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
+ if (fix >= tif->tif_nfields ||
+ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+ /* Can only get here if TIFFMergeFieldInfo failed */
+ dp->tdir_tag = IGNORE;
+ continue;
+ }
+ }
+ /*
+ * Check data type.
+ */
+ fip = tif->tif_fieldinfo[fix];
+ while (fix < tif->tif_nfields &&
+ dp->tdir_type != (unsigned short) fip->field_type) {
+ if (fip->field_type == TIFF_ANY) /* wildcard */
+ break;
+ fip = tif->tif_fieldinfo[++fix];
+ if (fix >= tif->tif_nfields ||
+ fip->field_tag != dp->tdir_tag) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: wrong data type %d for \"%s\"; tag ignored",
+ tif->tif_name, dp->tdir_type,
+ tif->tif_fieldinfo[fix-1]->field_name);
+ dp->tdir_tag = IGNORE;
+ break;
+ }
+ }
+ }
+ }
+
+ /*
* Allocate directory structure and setup defaults.
*/
if (!TIFFFieldSet(tif, FIELD_IMAGEDIMENSIONS)) {
libtiff-ycbcr-clamp.patch:
tif_color.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- NEW FILE libtiff-ycbcr-clamp.patch ---
Using an array to clamp translated YCbCr values is insecure, because if the
TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
values could be very far out of range (much further than the current array
size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in
favor of using a comparison-based macro to clamp. See RH bug #583081.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500
+++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400
@@ -183,13 +183,18 @@
TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
uint32 *r, uint32 *g, uint32 *b)
{
+ int32 i;
+
/* XXX: Only 8-bit YCbCr input supported for now */
Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
+ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
+ *r = CLAMP(i, 0, 255);
+ i = ycbcr->Y_tab[Y]
+ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
+ *g = CLAMP(i, 0, 255);
+ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
+ *b = CLAMP(i, 0, 255);
}
/*
libtiff-3.8.2-ormandy.patch:
tif_dir.c | 2 +-
tif_dirread.c | 44 +++++++++++++++++++++++++++++++++++++-------
tif_jpeg.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++--------
tif_next.c | 7 ++++++-
tif_pixarlog.c | 14 +++++++++++++-
tif_read.c | 18 ++++++++++++++++--
6 files changed, 120 insertions(+), 20 deletions(-)
Index: libtiff-3.8.2-ormandy.patch
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/F-11/libtiff-3.8.2-ormandy.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- libtiff-3.8.2-ormandy.patch 1 Aug 2006 20:27:58 -0000 1.1
+++ libtiff-3.8.2-ormandy.patch 23 Jun 2010 00:14:15 -0000 1.2
@@ -1,46 +1,11 @@
-diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
-@@ -122,6 +122,7 @@
- {
- static const char module[] = "_TIFFVSetField";
-
-+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
- TIFFDirectory* td = &tif->tif_dir;
- int status = 1;
- uint32 v32, i, v;
-@@ -195,10 +196,12 @@
- break;
- case TIFFTAG_ORIENTATION:
- v = va_arg(ap, uint32);
-+ const TIFFFieldInfo* fip;
- if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
-+ fip = _TIFFFieldWithTag(tif, tag);
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "Bad value %lu for \"%s\" tag ignored",
-- v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ v, fip ? fip->field_name : "Unknown");
- } else
- td->td_orientation = (uint16) v;
- break;
-@@ -387,11 +390,15 @@
- * happens, for example, when tiffcp is used to convert between
- * compression schemes and codec-specific tags are blindly copied.
- */
-+ /*
-+ * better not dereference fip if it is NULL.
-+ * -- taviso at google.com 15 Jun 2006
-+ */
- if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- status = 0;
- break;
- }
-@@ -468,7 +475,7 @@
+Much of the original content of this patch has been removed in favor of
+the more robust solution represented by libtiff-unknown-tags.patch.
+
+
+diff -Naur tiff-3.8.2.orig/libtiff/tif_dir.c tiff-3.8.2/libtiff/tif_dir.c
+--- tiff-3.8.2.orig/libtiff/tif_dir.c 2006-03-21 11:42:50.000000000 -0500
++++ tiff-3.8.2/libtiff/tif_dir.c 2010-06-16 21:11:51.000000000 -0400
+@@ -468,7 +468,7 @@
if (fip->field_type == TIFF_ASCII)
_TIFFsetString((char **)&tv->value, va_arg(ap, char *));
else {
@@ -49,74 +14,9 @@ diff -ru tiff-3.8.2/libtiff/tif_dir.c ti
if (!tv->value) {
status = 0;
goto end;
-@@ -563,7 +570,7 @@
- }
- }
- if (status) {
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+ TIFFSetFieldBit(tif, fip->field_bit);
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- }
-
-@@ -572,12 +579,12 @@
- return (status);
- badvalue:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
-- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- badvalue32:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
-- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- }
-@@ -813,12 +820,16 @@
- * If the client tries to get a tag that is not valid
- * for the image's codec then we'll arrive here.
- */
-+ /*
-+ * dont dereference fip if it's NULL.
-+ * -- taviso at google.com 15 Jun 2006
-+ */
- if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
- {
- TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- ret_val = 0;
- break;
- }
-diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
-@@ -775,7 +775,8 @@
- TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
- "Internal error, unknown tag 0x%x",
- (unsigned int) tag);
-- assert(fip != NULL);
-+ /* assert(fip != NULL); */
-+
- /*NOTREACHED*/
- }
- return (fip);
-@@ -789,7 +790,8 @@
- if (!fip) {
- TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
- "Internal error, unknown tag %s", field_name);
-- assert(fip != NULL);
-+ /* assert(fip != NULL); */
-+
- /*NOTREACHED*/
- }
- return (fip);
-diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
+diff -Naur tiff-3.8.2.orig/libtiff/tif_dirread.c tiff-3.8.2/libtiff/tif_dirread.c
+--- tiff-3.8.2.orig/libtiff/tif_dirread.c 2006-03-21 11:42:50.000000000 -0500
++++ tiff-3.8.2/libtiff/tif_dirread.c 2010-06-16 21:11:51.000000000 -0400
@@ -29,6 +29,9 @@
*
* Directory Read Support Routines.
@@ -127,15 +27,7 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.
#include "tiffiop.h"
#define IGNORE 0 /* tag placeholder used below */
-@@ -81,6 +84,7 @@
- uint16 dircount;
- toff_t nextdiroff;
- int diroutoforderwarning = 0;
-+ int compressionknown = 0;
- toff_t* new_dirlist;
-
- tif->tif_diroff = tif->tif_nextdiroff;
-@@ -147,13 +151,20 @@
+@@ -147,13 +150,20 @@
} else {
toff_t off = tif->tif_diroff;
@@ -162,103 +54,7 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.
off += sizeof (uint16);
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabShort(&dircount);
-@@ -254,6 +265,7 @@
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
-+
- if (fix >= tif->tif_nfields ||
- tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
-
-@@ -264,17 +276,23 @@
- dp->tdir_tag,
- dp->tdir_tag,
- dp->tdir_type);
--
-- TIFFMergeFieldInfo(tif,
-- _TIFFCreateAnonFieldInfo(tif,
-- dp->tdir_tag,
-- (TIFFDataType) dp->tdir_type),
-- 1 );
-+ /*
-+ * creating anonymous fields prior to knowing the compression
-+ * algorithm (ie, when the field info has been merged) could cause
-+ * crashes with pathological directories.
-+ * -- taviso at google.com 15 Jun 2006
-+ */
-+ if (compressionknown)
-+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
-+ (TIFFDataType) dp->tdir_type), 1 );
-+ else goto ignore;
-+
- fix = 0;
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
- }
-+
- /*
- * Null out old tags that we ignore.
- */
-@@ -326,6 +344,7 @@
- dp->tdir_type, dp->tdir_offset);
- if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
- goto bad;
-+ else compressionknown++;
- break;
- /* XXX: workaround for broken TIFFs */
- } else if (dp->tdir_type == TIFF_LONG) {
-@@ -540,6 +559,7 @@
- * Attempt to deal with a missing StripByteCounts tag.
- */
- if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * Some manufacturers violate the spec by not giving
- * the size of the strips. In this case, assume there
-@@ -556,7 +576,7 @@
- "%s: TIFF directory is missing required "
- "\"%s\" field, calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- /*
-@@ -580,6 +600,7 @@
- } else if (td->td_nstrips == 1
- && td->td_stripoffset[0] != 0
- && BYTECOUNTLOOKSBAD) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * XXX: Plexus (and others) sometimes give a value of zero for
- * a tag when they don't know what the correct value is! Try
-@@ -589,13 +610,14 @@
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if(EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
- && td->td_nstrips > 2
- && td->td_compression == COMPRESSION_NONE
- && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * XXX: Some vendors fill StripByteCount array with absolutely
- * wrong values (it can be equal to StripOffset array, for
-@@ -604,7 +626,7 @@
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- }
-@@ -870,7 +892,13 @@
+@@ -870,7 +880,13 @@
register TIFFDirEntry *dp;
register TIFFDirectory *td = &tif->tif_dir;
@@ -273,59 +69,7 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.
if (td->td_stripbytecount)
_TIFFfree(td->td_stripbytecount);
-@@ -947,16 +975,18 @@
- static int
- CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
- {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+
- if (count > dir->tdir_count) {
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+ fip ? fip->field_name : "Unknown",
- dir->tdir_count, count);
- return (0);
- } else if (count < dir->tdir_count) {
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+ fip ? fip->field_name : "Unknown",
- dir->tdir_count, count);
- return (1);
- }
-@@ -970,6 +1000,7 @@
- TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
- {
- int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- tsize_t cc = dir->tdir_count * w;
-
- /* Check for overflow. */
-@@ -1013,7 +1044,7 @@
- bad:
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Error fetching data for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- return (tsize_t) 0;
- }
-
-@@ -1039,10 +1070,12 @@
- static int
- cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
- {
-+ const TIFFFieldInfo* fip;
- if (denom == 0) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "%s: Rational with zero denominator (num = %lu)",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
-+ fip ? fip->field_name : "Unknown", num);
- return (0);
- } else {
- if (dir->tdir_type == TIFF_RATIONAL)
-@@ -1159,6 +1192,20 @@
+@@ -1159,6 +1175,20 @@
static int
TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
{
@@ -346,123 +90,9 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.
switch (dir->tdir_type) {
case TIFF_BYTE:
case TIFF_SBYTE:
-@@ -1329,14 +1376,15 @@
- case TIFF_DOUBLE:
- return (TIFFFetchDoubleArray(tif, dir, (double*) v));
- default:
-+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- /* TIFF_NOTYPE */
- /* TIFF_ASCII */
- /* TIFF_UNDEFINED */
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "cannot read TIFF_ANY type %d for field \"%s\"",
- dir->tdir_type,
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-- return (0);
-+ fip ? fip->field_name : "Unknown");
-+ return (0); }
- }
- return (1);
- }
-@@ -1351,6 +1399,9 @@
- int ok = 0;
- const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
-
-+ if (fip == NULL) {
-+ return (0);
-+ }
- if (dp->tdir_count > 1) { /* array of values */
- char* cp = NULL;
-
-@@ -1493,6 +1544,7 @@
- TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1510,9 +1562,10 @@
-
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-@@ -1534,6 +1587,7 @@
- TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1551,9 +1605,10 @@
- check_count = samples;
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-@@ -1574,6 +1629,7 @@
- TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1591,9 +1647,10 @@
-
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
-@@ -1136,6 +1136,7 @@
- Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
- {
- Fax3BaseState* sp = Fax3State(tif);
-+ const TIFFFieldInfo* fip;
-
- assert(sp != 0);
- assert(sp->vsetparent != 0);
-@@ -1181,7 +1182,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
+diff -Naur tiff-3.8.2.orig/libtiff/tif_jpeg.c tiff-3.8.2/libtiff/tif_jpeg.c
+--- tiff-3.8.2.orig/libtiff/tif_jpeg.c 2006-03-21 11:42:50.000000000 -0500
++++ tiff-3.8.2/libtiff/tif_jpeg.c 2010-06-16 21:11:51.000000000 -0400
@@ -722,15 +722,31 @@
segment_width = TIFFhowmany(segment_width, sp->h_sampling);
segment_height = TIFFhowmany(segment_height, sp->v_sampling);
@@ -544,30 +174,7 @@ diff -ru tiff-3.8.2/libtiff/tif_jpeg.c t
_TIFFfree(tif->tif_data); /* release local state */
tif->tif_data = NULL;
-@@ -1541,6 +1576,7 @@
- {
- JPEGState* sp = JState(tif);
- TIFFDirectory* td = &tif->tif_dir;
-+ const TIFFFieldInfo* fip;
- uint32 v32;
-
- assert(sp != NULL);
-@@ -1606,7 +1642,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-@@ -1726,7 +1768,11 @@
+@@ -1726,7 +1761,11 @@
{
JPEGState* sp = JState(tif);
@@ -580,9 +187,9 @@ diff -ru tiff-3.8.2/libtiff/tif_jpeg.c t
(void) flags;
if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
-diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
+diff -Naur tiff-3.8.2.orig/libtiff/tif_next.c tiff-3.8.2/libtiff/tif_next.c
+--- tiff-3.8.2.orig/libtiff/tif_next.c 2005-12-21 07:33:56.000000000 -0500
++++ tiff-3.8.2/libtiff/tif_next.c 2010-06-16 21:11:51.000000000 -0400
@@ -105,11 +105,16 @@
* as codes of the form <color><npixels>
* until we've filled the scanline.
@@ -601,9 +208,9 @@ diff -ru tiff-3.8.2/libtiff/tif_next.c t
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
-diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
+diff -Naur tiff-3.8.2.orig/libtiff/tif_pixarlog.c tiff-3.8.2/libtiff/tif_pixarlog.c
+--- tiff-3.8.2.orig/libtiff/tif_pixarlog.c 2006-03-21 11:42:50.000000000 -0500
++++ tiff-3.8.2/libtiff/tif_pixarlog.c 2010-06-16 21:11:51.000000000 -0400
@@ -768,7 +768,19 @@
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
@@ -625,9 +232,9 @@ diff -ru tiff-3.8.2/libtiff/tif_pixarlog
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalAccumulateF(up, llen, sp->stride,
-diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
+diff -Naur tiff-3.8.2.orig/libtiff/tif_read.c tiff-3.8.2/libtiff/tif_read.c
+--- tiff-3.8.2.orig/libtiff/tif_read.c 2005-12-21 07:33:56.000000000 -0500
++++ tiff-3.8.2/libtiff/tif_read.c 2010-06-16 21:11:51.000000000 -0400
@@ -31,6 +31,8 @@
#include "tiffiop.h"
#include <stdio.h>
Index: libtiff.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libtiff/F-11/libtiff.spec,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -p -r1.55 -r1.56
--- libtiff.spec 13 Jul 2009 14:42:10 -0000 1.55
+++ libtiff.spec 23 Jun 2010 00:14:15 -0000 1.56
@@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 3.8.2
-Release: 14%{?dist}
+Release: 15%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.remotesensing.org/libtiff/
@@ -13,6 +13,16 @@ Patch2: libtiff-3.8.2-CVE-2006-2193.patc
Patch3: libtiff-3.8.2-mantypo.patch
Patch4: libtiff-3.8.2-lzw-bugs.patch
Patch5: libtiff-3.8.2-CVE-2009-2347.patch
+Patch6: libtiff-jpeg-scanline.patch
+Patch7: libtiff-ycbcr-clamp.patch
+Patch8: libtiff-CVE-2010-1411.patch
+Patch9: libtiff-CVE-2010-2065.patch
+Patch10: libtiff-tiffcp-no-subsample.patch
+Patch11: libtiff-tiff2pdf-bugs.patch
+Patch12: libtiff-unknown-tags.patch
+Patch13: libtiff-3samples.patch
+Patch14: libtiff-subsampling.patch
+Patch15: libtiff-tiffdump.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel
@@ -55,11 +65,21 @@ necessary for some boot packages.
%setup -q -n tiff-%{version}
%patch0 -p1 -b .overflow
-%patch1 -p1 -b .ormandy
+%patch1 -p1
%patch2 -p1 -b .CVE-2006-2193
%patch3 -p1 -b .mantypo
%patch4 -p1
%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
%build
export CFLAGS="%{optflags} -fno-strict-aliasing"
@@ -159,6 +179,13 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/*.a
%changelog
+* Tue Jun 22 2010 Tom Lane <tgl at redhat.com> 3.8.2-15
+- Add fixes for multiple SIGSEGV problems, including fixes for
+ CVE-2010-1411, CVE-2010-2065
+Resolves: #554371, #583081
+Related: #460653, #588784, #601274, #592361
+Related: #603081, #603699, #603703
+
* Mon Jul 13 2009 Tom Lane <tgl at redhat.com> 3.8.2-14
- Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347)
Related: #510041
More information about the scm-commits
mailing list