From ede1b2371ef143f3c55ab350736a0a503b1d9879 Mon Sep 17 00:00:00 2001 From: Jakub Bogusz Date: Sun, 21 Mar 2010 21:08:45 +0000 Subject: [PATCH] - updated to 3.9.2 (from libtiff.spec) Changed files: crossmingw32-libtiff.spec -> 1.6 libtiff-CVE-2009-2285.patch -> 1.1 libtiff-glut.patch -> 1.1 libtiff-sec.patch -> 1.3 --- crossmingw32-libtiff.spec | 19 +- libtiff-CVE-2009-2285.patch | 22 ++ libtiff-glut.patch | 22 ++ libtiff-sec.patch | 736 +++++++----------------------------- 4 files changed, 204 insertions(+), 595 deletions(-) create mode 100644 libtiff-CVE-2009-2285.patch create mode 100644 libtiff-glut.patch diff --git a/crossmingw32-libtiff.spec b/crossmingw32-libtiff.spec index b04df7a..770f25d 100644 --- a/crossmingw32-libtiff.spec +++ b/crossmingw32-libtiff.spec @@ -2,16 +2,18 @@ Summary: Library for handling TIFF files - cross Mingw32 version Summary(pl.UTF-8): Biblioteka do manipulacji plikami w formacie TIFF - wersja skrośna Mingw32 %define realname libtiff Name: crossmingw32-%{realname} -Version: 3.8.2 +Version: 3.9.2 Release: 1 License: BSD-like Group: Development/Libraries Source0: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz -# Source0-md5: fbb6f446ea4ed18955e2714934e5b698 +# Source0-md5: 93e56e421679c591de7552db13384cb8 Patch0: %{realname}-sec.patch +Patch1: %{realname}-glut.patch +Patch2: %{realname}-CVE-2009-2285.patch URL: http://www.remotesensing.org/libtiff/ BuildRequires: autoconf >= 2.59 -BuildRequires: automake +BuildRequires: automake >= 1:1.11 BuildRequires: crossmingw32-gcc-c++ BuildRequires: crossmingw32-libjpeg BuildRequires: crossmingw32-zlib @@ -32,6 +34,13 @@ BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) %define __cc %{target}-gcc %define __cxx %{target}-g++ +%ifnarch %{ix86} +# arch-specific flags (like alpha's -mieee) are not valid for i386 gcc +%define optflags -O2 +%endif +# -z options are invalid for mingw linker +%define filterout_ld -Wl,-z,.* + %description This package is a library of functions that manipulate TIFF images (cross mingw32 version). @@ -106,8 +115,10 @@ Biblioteka DLL strumieni C++ libtiff dla Windows. %prep %setup -q -n tiff-%{version} %patch0 -p1 +%patch1 -p0 +%patch2 -p1 -rm -f m4/{libtool,lt*}.m4 +%{__rm} m4/{libtool,lt*}.m4 %build %{__libtoolize} diff --git a/libtiff-CVE-2009-2285.patch b/libtiff-CVE-2009-2285.patch new file mode 100644 index 0000000..435a84b --- /dev/null +++ b/libtiff-CVE-2009-2285.patch @@ -0,0 +1,22 @@ +Index: tiff-3.8.2/libtiff/tif_lzw.c +=================================================================== +--- tiff-3.8.2.orig/libtiff/tif_lzw.c ++++ tiff-3.8.2/libtiff/tif_lzw.c +@@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; +- if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); +@@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; +- if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); diff --git a/libtiff-glut.patch b/libtiff-glut.patch new file mode 100644 index 0000000..aea0098 --- /dev/null +++ b/libtiff-glut.patch @@ -0,0 +1,22 @@ +--- m4/acinclude.m4~ 2005-12-06 11:40:01.000000000 +0000 ++++ m4/acinclude.m4 2008-09-05 14:24:05.000000000 +0100 +@@ -391,7 +391,7 @@ + [ax_cv_check_glut_libglut="no" + ax_save_LIBS="${LIBS}" + LIBS="" +- ax_check_libs="-lglut32 -lglut" ++ ax_check_libs="-lglut" + for ax_lib in ${ax_check_libs}; do + if test X$ax_compiler_ms = Xyes; then + ax_try_lib=`echo $ax_lib | sed -e 's/^-l//' -e 's/$/.lib/'` +--- m4/acinclude.m4~ 2008-09-05 17:45:34.000000000 +0100 ++++ m4/acinclude.m4 2008-09-05 17:53:41.000000000 +0100 +@@ -379,7 +379,7 @@ + # If X is present, assume GLUT depends on it. + # + if test "X${no_x}" != "Xyes"; then +- GLUT_LIBS="${X_PRE_LIBS} -lXmu -lXi ${X_EXTRA_LIBS} ${GLUT_LIBS}" ++ GLUT_LIBS="${X_PRE_LIBS} ${X_EXTRA_LIBS} ${GLUT_LIBS}" + fi + + AC_LANG_PUSH(C) diff --git a/libtiff-sec.patch b/libtiff-sec.patch index da335d3..7eebb74 100644 --- a/libtiff-sec.patch +++ b/libtiff-sec.patch @@ -1,299 +1,121 @@ -diff -ruN tiff-3.7.4-old/tools/tiffsplit.c tiff-3.7.4/tools/tiffsplit.c ---- tiff-3.7.4-old/tools/tiffsplit.c 2005-05-26 20:38:48.000000000 +0200 -+++ tiff-3.7.4/tools/tiffsplit.c 2006-06-01 16:00:11.000000000 +0200 -@@ -60,14 +60,13 @@ - return (-3); - } - if (argc > 2) -- strcpy(fname, argv[2]); -+ snprintf(fname, sizeof(fname), "%s", argv[2]); - in = TIFFOpen(argv[1], "r"); - if (in != NULL) { - do { - char path[1024+1]; - newfilename(); -- strcpy(path, fname); -- strcat(path, ".tif"); -+ snprintf(path, sizeof(path), "%s.tif", fname); - out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); - if (out == NULL) - return (-2); -diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c ---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 -@@ -122,6 +122,7 @@ +--- tiff-3.9.1/libtiff/tif_dir.c.orig 2009-01-01 01:10:43.000000000 +0100 ++++ tiff-3.9.1/libtiff/tif_dir.c 2009-08-31 17:46:34.892612613 +0200 +@@ -138,6 +138,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va { static const char module[] = "_TIFFVSetField"; - -+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + ++ const TIFFFieldInfo* fip; TIFFDirectory* td = &tif->tif_dir; int status = 1; uint32 v32, i, v; -@@ -195,10 +196,12 @@ - break; - case TIFFTAG_ORIENTATION: - v = va_arg(ap, uint32); -+ const TIFFFieldInfo* fip; - if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { -+ fip = _TIFFFieldWithTag(tif, tag); - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "Bad value %lu for \"%s\" tag ignored", -- v, _TIFFFieldWithTag(tif, tag)->field_name); -+ v, fip ? fip->field_name : "Unknown"); - } else - td->td_orientation = (uint16) v; - break; -@@ -387,11 +390,15 @@ - * happens, for example, when tiffcp is used to convert between - * compression schemes and codec-specific tags are blindly copied. - */ -+ /* -+ * better not dereference fip if it is NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - status = 0; - break; - } -@@ -468,7 +475,7 @@ - if (fip->field_type == TIFF_ASCII) - _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); - else { -- tv->value = _TIFFmalloc(tv_size * tv->count); -+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); - if (!tv->value) { - status = 0; - goto end; -@@ -563,7 +570,7 @@ - } - } - if (status) { -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ TIFFSetFieldBit(tif, fip->field_bit); - tif->tif_flags |= TIFF_DIRTYDIRECT; - } - -@@ -572,12 +579,12 @@ +@@ -585,17 +586,19 @@ end: + va_end(ap); return (status); badvalue: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", -- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v, fip ? fip->field_name : "Unknown"); ++ fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Bad value %d for \"%s\" tag", + tif->tif_name, v, +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); va_end(ap); return (0); badvalue32: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", -- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); ++ fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Bad value %u for \"%s\" tag", + tif->tif_name, v32, +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); va_end(ap); return (0); } -@@ -813,12 +820,16 @@ - * If the client tries to get a tag that is not valid - * for the image's codec then we'll arrive here. - */ -+ /* -+ * dont dereference fip if it's NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) - { - TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - ret_val = 0; - break; - } -diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c ---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 -@@ -775,7 +775,8 @@ +--- tiff-3.9.1/libtiff/tif_dirinfo.c.orig 2008-04-11 01:05:55.000000000 +0200 ++++ tiff-3.9.1/libtiff/tif_dirinfo.c 2009-08-31 17:48:30.568606747 +0200 +@@ -807,8 +807,6 @@ _TIFFFieldWithTag(TIFF* tif, ttag_t tag) TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", - "Internal error, unknown tag 0x%x", - (unsigned int) tag); + "Internal error, unknown tag 0x%x", + (unsigned int) tag); - assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ +- /*NOTREACHED*/ } return (fip); -@@ -789,7 +790,8 @@ + } +@@ -821,8 +819,6 @@ _TIFFFieldWithName(TIFF* tif, const char if (!fip) { TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", - "Internal error, unknown tag %s", field_name); + "Internal error, unknown tag %s", field_name); - assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ +- /*NOTREACHED*/ } return (fip); -diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c ---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 -@@ -29,6 +29,9 @@ - * - * Directory Read Support Routines. - */ -+ -+#include -+ - #include "tiffiop.h" - - #define IGNORE 0 /* tag placeholder used below */ -@@ -81,6 +84,7 @@ - uint16 dircount; - toff_t nextdiroff; - int diroutoforderwarning = 0; -+ int compressionknown = 0; - toff_t* new_dirlist; - - tif->tif_diroff = tif->tif_nextdiroff; -@@ -147,13 +151,20 @@ - } else { - toff_t off = tif->tif_diroff; - -- if (off + sizeof (uint16) > tif->tif_size) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "%s: Can not read TIFF directory count", -- tif->tif_name); -- return (0); -+ /* -+ * Check for integer overflow when validating the dir_off, otherwise -+ * a very high offset may cause an OOB read and crash the client. -+ * -- taviso@google.com, 14 Jun 2006. -+ */ -+ if (off + sizeof (uint16) > tif->tif_size || -+ off > (UINT_MAX - sizeof(uint16))) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "%s: Can not read TIFF directory count", -+ tif->tif_name); -+ return (0); - } else -- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); -+ _TIFFmemcpy(&dircount, tif->tif_base + off, -+ sizeof (uint16)); - off += sizeof (uint16); - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabShort(&dircount); -@@ -254,6 +265,7 @@ - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; -+ - if (fix >= tif->tif_nfields || - tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { - -@@ -264,17 +276,23 @@ - dp->tdir_tag, + } +--- tiff-3.9.1/libtiff/tif_dirread.c.orig 2009-01-01 01:10:43.000000000 +0100 ++++ tiff-3.9.1/libtiff/tif_dirread.c 2009-08-31 18:38:28.060606747 +0200 +@@ -190,6 +190,11 @@ TIFFReadDirectory(TIFF* tif) dp->tdir_tag, - dp->tdir_type); -- -- TIFFMergeFieldInfo(tif, -- _TIFFCreateAnonFieldInfo(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1 ); -+ /* -+ * creating anonymous fields prior to knowing the compression -+ * algorithm (ie, when the field info has been merged) could cause -+ * crashes with pathological directories. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (compressionknown) -+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, -+ (TIFFDataType) dp->tdir_type), 1 ); -+ else goto ignore; -+ - fix = 0; - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; - } -+ - /* - * Null out old tags that we ignore. + dp->tdir_tag); + ++ if (!compressionknown) { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Ignoring, compression unknown"); ++ goto ignore; ++ } + if (!_TIFFMergeFieldInfo(tif, + _TIFFCreateAnonFieldInfo(tif, + dp->tdir_tag, +@@ -583,6 +588,7 @@ TIFFReadDirectory(TIFF* tif) + * Attempt to deal with a missing StripByteCounts tag. */ -@@ -326,6 +344,7 @@ - dp->tdir_type, dp->tdir_offset); - if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) - goto bad; -+ else compressionknown++; - break; - /* XXX: workaround for broken TIFFs */ - } else if (dp->tdir_type == TIFF_LONG) { -@@ -540,6 +559,7 @@ - * Attempt to deal with a missing StripByteCounts tag. - */ - if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * Some manufacturers violate the spec by not giving - * the size of the strips. In this case, assume there -@@ -556,7 +576,7 @@ - "%s: TIFF directory is missing required " - "\"%s\" field, calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - /* -@@ -580,6 +600,7 @@ - } else if (td->td_nstrips == 1 - && td->td_stripoffset[0] != 0 - && BYTECOUNTLOOKSBAD) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. In this case, assume there +@@ -599,7 +605,7 @@ TIFFReadDirectory(TIFF* tif) + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; /* - * XXX: Plexus (and others) sometimes give a value of zero for - * a tag when they don't know what the correct value is! Try -@@ -589,13 +610,14 @@ - TIFFWarningExt(tif->tif_clientdata, module, +@@ -626,6 +632,7 @@ TIFFReadDirectory(TIFF* tif) + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Plexus (and others) sometimes give a value of + * zero for a tag when they don't know what the +@@ -635,7 +642,7 @@ TIFFReadDirectory(TIFF* tif) + TIFFWarningExt(tif->tif_clientdata, module, "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if(EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } else if (td->td_planarconfig == PLANARCONFIG_CONTIG - && td->td_nstrips > 2 - && td->td_compression == COMPRESSION_NONE - && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Some vendors fill StripByteCount array with absolutely - * wrong values (it can be equal to StripOffset array, for -@@ -604,7 +626,7 @@ - TIFFWarningExt(tif->tif_clientdata, module, + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG +@@ -644,6 +651,7 @@ TIFFReadDirectory(TIFF* tif) + && td->td_stripbytecount[0] != td->td_stripbytecount[1] + && td->td_stripbytecount[0] != 0 + && td->td_stripbytecount[1] != 0 ) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Some vendors fill StripByteCount array with + * absolutely wrong values (it can be equal to +@@ -653,7 +661,7 @@ TIFFReadDirectory(TIFF* tif) + TIFFWarningExt(tif->tif_clientdata, module, "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } -@@ -870,7 +892,13 @@ - - register TIFFDirEntry *dp; - register TIFFDirectory *td = &tif->tif_dir; -- uint16 i; -+ -+ /* i is used to iterate over td->td_nstrips, so must be -+ * at least the same width. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ -+ uint32 i; - - if (td->td_stripbytecount) - _TIFFfree(td->td_stripbytecount); -@@ -947,16 +975,18 @@ + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -1024,16 +1032,18 @@ TIFFCheckDirOffset(TIFF* tif, toff_t dir static int CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) { @@ -301,29 +123,32 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c + if (count > dir->tdir_count) { TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", + "incorrect count for field \"%s\" (%u, expecting %u); tag ignored", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, + fip ? fip->field_name : "Unknown", dir->tdir_count, count); return (0); } else if (count < dir->tdir_count) { TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", + "incorrect count for field \"%s\" (%u, expecting %u); tag trimmed", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, + fip ? fip->field_name : "Unknown", dir->tdir_count, count); return (1); } -@@ -970,6 +1000,7 @@ +@@ -1153,6 +1163,7 @@ static tsize_t TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) { - int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - tsize_t cc = dir->tdir_count * w; - - /* Check for overflow. */ -@@ -1013,7 +1044,7 @@ + uint32 w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip; + /* + * FIXME: butecount should have tsize_t type, but for now libtiff + * defines tsize_t as a signed 32-bit integer and we are losing +@@ -1200,9 +1211,10 @@ TIFFFetchData(TIFF* tif, TIFFDirEntry* d + } + return (cc); bad: ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Error fetching data for field \"%s\"", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); @@ -331,359 +156,88 @@ diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c return (tsize_t) 0; } -@@ -1039,10 +1070,12 @@ - static int +@@ -1229,9 +1241,10 @@ static int cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) { -+ const TIFFFieldInfo* fip; if (denom == 0) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ const TIFFFieldInfo *fip = _TIFFFieldWithTag(tif, dir->tdir_tag); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s: Rational with zero denominator (num = %lu)", + "%s: Rational with zero denominator (num = %u)", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); + fip ? fip->field_name : "Unknown", num); return (0); } else { if (dir->tdir_type == TIFF_RATIONAL) -@@ -1159,6 +1192,20 @@ - static int - TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) - { -+ /* -+ * Prevent overflowing the v stack arrays below by performing a sanity -+ * check on tdir_count, this should never be greater than two. -+ * -- taviso@google.com 14 Jun 2006. -+ */ -+ if (dir->tdir_count > 2) { +@@ -1351,9 +1364,10 @@ TIFFFetchShortPair(TIFF* tif, TIFFDirEnt + * check on tdir_count, this should never be greater than two. + */ + if (dir->tdir_count > 2) { + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, -+ "unexpected count for field \"%s\", %lu, expected 2; ignored.", -+ fip ? fip->field_name : "Unknown", -+ dir->tdir_count); -+ return 0; -+ } -+ - switch (dir->tdir_type) { - case TIFF_BYTE: - case TIFF_SBYTE: -@@ -1329,14 +1376,15 @@ - case TIFF_DOUBLE: - return (TIFFFetchDoubleArray(tif, dir, (double*) v)); - default: -+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "unexpected count for field \"%s\", %u, expected 2; ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count); + return 0; + } +@@ -1529,11 +1543,14 @@ TIFFFetchAnyArray(TIFF* tif, TIFFDirEntr /* TIFF_NOTYPE */ /* TIFF_ASCII */ /* TIFF_UNDEFINED */ ++ { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "cannot read TIFF_ANY type %d for field \"%s\"", dir->tdir_type, - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- return (0); + fip ? fip->field_name : "Unknown"); -+ return (0); } + return (0); ++ } } return (1); } -@@ -1351,6 +1399,9 @@ +@@ -1548,6 +1565,8 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt int ok = 0; const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); -+ if (fip == NULL) { ++ if (fip == NULL) + return (0); -+ } if (dp->tdir_count > 1) { /* array of values */ char* cp = NULL; -@@ -1493,6 +1544,7 @@ - TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1510,9 +1562,10 @@ +@@ -1707,9 +1726,10 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFF for (i = 1; i < check_count; i++) if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; ++ const TIFFFieldInfo *fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; } *pl = v[0]; -@@ -1534,6 +1587,7 @@ - TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1551,9 +1605,10 @@ +@@ -1748,9 +1768,10 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFD check_count = samples; for (i = 1; i < check_count; i++) if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; ++ const TIFFFieldInfo *fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; } *pl = v[0]; -@@ -1574,6 +1629,7 @@ - TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1591,9 +1647,10 @@ +@@ -1788,9 +1809,10 @@ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDi for (i = 1; i < check_count; i++) if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; ++ const TIFFFieldInfo *fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; } *pl = v[0]; -diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c ---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 -@@ -1136,6 +1136,7 @@ - Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) - { - Fax3BaseState* sp = Fax3State(tif); -+ const TIFFFieldInfo* fip; - - assert(sp != 0); - assert(sp->vsetparent != 0); -@@ -1181,7 +1182,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c ---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 -@@ -722,15 +722,31 @@ - segment_width = TIFFhowmany(segment_width, sp->h_sampling); - segment_height = TIFFhowmany(segment_height, sp->v_sampling); - } -- if (sp->cinfo.d.image_width != segment_width || -- sp->cinfo.d.image_height != segment_height) { -+ if (sp->cinfo.d.image_width < segment_width || -+ sp->cinfo.d.image_height < segment_height) { - TIFFWarningExt(tif->tif_clientdata, module, - "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", - segment_width, - segment_height, - sp->cinfo.d.image_width, - sp->cinfo.d.image_height); -+ } -+ -+ if (sp->cinfo.d.image_width > segment_width || -+ sp->cinfo.d.image_height > segment_height) { -+ /* -+ * This case could be dangerous, if the strip or tile size has been -+ * reported as less than the amount of data jpeg will return, some -+ * potential security issues arise. Catch this case and error out. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "JPEG strip/tile size exceeds expected dimensions," -+ "expected %dx%d, got %dx%d", segment_width, segment_height, -+ sp->cinfo.d.image_width, sp->cinfo.d.image_height); -+ return (0); - } -+ - if (sp->cinfo.d.num_components != - (td->td_planarconfig == PLANARCONFIG_CONTIG ? - td->td_samplesperpixel : 1)) { -@@ -761,6 +777,22 @@ - sp->cinfo.d.comp_info[0].v_samp_factor, - sp->h_sampling, sp->v_sampling); - -+ /* -+ * There are potential security issues here for decoders that -+ * have already allocated buffers based on the expected sampling -+ * factors. Lets check the sampling factors dont exceed what -+ * we were expecting. -+ * -- taviso@google.com 14 June 2006 -+ */ -+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || -+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Cannot honour JPEG sampling factors that" -+ " exceed those specified."); -+ return (0); -+ } -+ -+ - /* - * XXX: Files written by the Intergraph software - * has different sampling factors stored in the -@@ -1521,15 +1553,18 @@ - { - JPEGState *sp = JState(tif); - -- assert(sp != 0); -+ /* assert(sp != 0); */ - - tif->tif_tagmethods.vgetfield = sp->vgetparent; - tif->tif_tagmethods.vsetfield = sp->vsetparent; - -- if( sp->cinfo_initialized ) -- TIFFjpeg_destroy(sp); /* release libjpeg resources */ -- if (sp->jpegtables) /* tag value */ -- _TIFFfree(sp->jpegtables); -+ if (sp != NULL) { -+ if( sp->cinfo_initialized ) -+ TIFFjpeg_destroy(sp); /* release libjpeg resources */ -+ if (sp->jpegtables) /* tag value */ -+ _TIFFfree(sp->jpegtables); -+ } -+ - _TIFFfree(tif->tif_data); /* release local state */ - tif->tif_data = NULL; - -@@ -1541,6 +1576,7 @@ - { - JPEGState* sp = JState(tif); - TIFFDirectory* td = &tif->tif_dir; -+ const TIFFFieldInfo* fip; - uint32 v32; - - assert(sp != NULL); -@@ -1606,7 +1642,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -@@ -1726,7 +1768,11 @@ - { - JPEGState* sp = JState(tif); - -- assert(sp != NULL); -+ /* assert(sp != NULL); */ -+ if (sp == NULL) { -+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); -+ return; -+ } - - (void) flags; - if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) -diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c ---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 -@@ -105,11 +105,16 @@ - * as codes of the form - * until we've filled the scanline. - */ -+ /* -+ * Ensure the run does not exceed the scanline -+ * bounds, potentially resulting in a security issue. -+ * -- taviso@google.com 14 Jun 2006. -+ */ - op = row; - for (;;) { - grey = (n>>6) & 0x3; - n &= 0x3f; -- while (n-- > 0) -+ while (n-- > 0 && npixels < imagewidth) - SETPIXEL(op, grey); - if (npixels >= (int) imagewidth) - break; -diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c ---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 -@@ -768,7 +768,19 @@ - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabArrayOfShort(up, nsamples); - -- for (i = 0; i < nsamples; i += llen, up += llen) { -+ /* -+ * if llen is not an exact multiple of nsamples, the decode operation -+ * may overflow the output buffer, so truncate it enough to prevent that -+ * but still salvage as much data as possible. -+ * -- taviso@google.com 14th June 2006 -+ */ -+ if (nsamples % llen) -+ TIFFWarningExt(tif->tif_clientdata, module, -+ "%s: stride %lu is not a multiple of sample count, " -+ "%lu, data truncated.", tif->tif_name, llen, nsamples); -+ -+ -+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { - switch (sp->user_datafmt) { - case PIXARLOGDATAFMT_FLOAT: - horizontalAccumulateF(up, llen, sp->stride, -diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c ---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 -@@ -31,6 +31,8 @@ - #include "tiffiop.h" - #include - -+#include -+ - int TIFFFillStrip(TIFF*, tstrip_t); - int TIFFFillTile(TIFF*, ttile_t); - static int TIFFStartStrip(TIFF*, tstrip_t); -@@ -272,7 +274,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { -+ /* -+ * This sanity check could potentially overflow, causing an OOB read. -+ * verify that offset + bytecount is > offset. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { - /* - * This error message might seem strange, but it's - * what would happen if a read were done instead. -@@ -470,7 +478,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { -+ /* -+ * We must check this calculation doesnt overflow, potentially -+ * causing an OOB read. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { - tif->tif_curtile = NOTILE; - return (0); - } -- 2.43.0