diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..03c7f11 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tiff-4.0.3.tar.gz diff --git a/.libtiff.metadata b/.libtiff.metadata new file mode 100644 index 0000000..344cab8 --- /dev/null +++ b/.libtiff.metadata @@ -0,0 +1 @@ +652e97b78f1444237a82cbcfe014310e776eb6f0 SOURCES/tiff-4.0.3.tar.gz diff --git a/SOURCES/libtiff-CVE-2012-4447.patch b/SOURCES/libtiff-CVE-2012-4447.patch new file mode 100644 index 0000000..ebf9a00 --- /dev/null +++ b/SOURCES/libtiff-CVE-2012-4447.patch @@ -0,0 +1,40 @@ +Upstream patch for CVE-2012-4447. + + +diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c +--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400 ++++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500 +@@ -644,6 +644,20 @@ + return bytes; + } + ++static tmsize_t ++add_ms(tmsize_t m1, tmsize_t m2) ++{ ++ tmsize_t bytes = m1 + m2; ++ ++ /* if either input is zero, assume overflow already occurred */ ++ if (m1 == 0 || m2 == 0) ++ bytes = 0; ++ else if (bytes <= m1 || bytes <= m2) ++ bytes = 0; ++ ++ return bytes; ++} ++ + static int + PixarLogFixupTags(TIFF* tif) + { +@@ -671,9 +685,11 @@ + td->td_samplesperpixel : 1); + tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), + td->td_rowsperstrip), sizeof(uint16)); ++ /* add one more stride in case input ends mid-stride */ ++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); + if (tbuf_size == 0) + return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ +- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); ++ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + if (sp->tbuf == NULL) + return (0); + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) diff --git a/SOURCES/libtiff-CVE-2012-4564.patch b/SOURCES/libtiff-CVE-2012-4564.patch new file mode 100644 index 0000000..3d7946c --- /dev/null +++ b/SOURCES/libtiff-CVE-2012-4564.patch @@ -0,0 +1,86 @@ +Upstream patch for CVE-2012-4564. + + +diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c +--- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400 ++++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500 +@@ -72,6 +72,17 @@ + exit(-2); + } + ++static tmsize_t ++multiply_ms(tmsize_t m1, tmsize_t m2) ++{ ++ tmsize_t bytes = m1 * m2; ++ ++ if (m1 && bytes / m1 != m2) ++ bytes = 0; ++ ++ return bytes; ++} ++ + int + main(int argc, char* argv[]) + { +@@ -79,7 +90,7 @@ + uint32 rowsperstrip = (uint32) -1; + double resolution = -1; + unsigned char *buf = NULL; +- tsize_t linebytes = 0; ++ tmsize_t linebytes = 0; + uint16 spp = 1; + uint16 bpp = 8; + TIFF *out; +@@ -89,6 +100,7 @@ + int c; + extern int optind; + extern char* optarg; ++ tmsize_t scanline_size; + + if (argc < 2) { + fprintf(stderr, "%s: Too few arguments\n", argv[0]); +@@ -221,7 +233,8 @@ + } + switch (bpp) { + case 1: +- linebytes = (spp * w + (8 - 1)) / 8; ++ /* if round-up overflows, result will be zero, OK */ ++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; + if (rowsperstrip == (uint32) -1) { + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); + } else { +@@ -230,15 +243,31 @@ + } + break; + case 8: +- linebytes = spp * w; ++ linebytes = multiply_ms(spp, w); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, + TIFFDefaultStripSize(out, rowsperstrip)); + break; + } +- if (TIFFScanlineSize(out) > linebytes) ++ if (linebytes == 0) { ++ fprintf(stderr, "%s: scanline size overflow\n", infile); ++ (void) TIFFClose(out); ++ exit(-2); ++ } ++ scanline_size = TIFFScanlineSize(out); ++ if (scanline_size == 0) { ++ /* overflow - TIFFScanlineSize already printed a message */ ++ (void) TIFFClose(out); ++ exit(-2); ++ } ++ if (scanline_size < linebytes) + buf = (unsigned char *)_TIFFmalloc(linebytes); + else +- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ buf = (unsigned char *)_TIFFmalloc(scanline_size); ++ if (buf == NULL) { ++ fprintf(stderr, "%s: Not enough memory\n", infile); ++ (void) TIFFClose(out); ++ exit(-2); ++ } + if (resolution > 0) { + TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); + TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); diff --git a/SOURCES/libtiff-CVE-2013-1960.patch b/SOURCES/libtiff-CVE-2013-1960.patch new file mode 100644 index 0000000..1c8dfb7 --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-1960.patch @@ -0,0 +1,145 @@ +diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c +--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 ++++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400 +@@ -3341,33 +3341,56 @@ + uint32 height){ + + tsize_t i=0; +- uint16 ri =0; +- uint16 v_samp=1; +- uint16 h_samp=1; +- int j=0; +- +- i++; +- +- while(i<(*striplength)){ ++ ++ while (i < *striplength) { ++ tsize_t datalen; ++ uint16 ri; ++ uint16 v_samp; ++ uint16 h_samp; ++ int j; ++ int ncomp; ++ ++ /* marker header: one or more FFs */ ++ if (strip[i] != 0xff) ++ return(0); ++ i++; ++ while (i < *striplength && strip[i] == 0xff) ++ i++; ++ if (i >= *striplength) ++ return(0); ++ /* SOI is the only pre-SOS marker without a length word */ ++ if (strip[i] == 0xd8) ++ datalen = 0; ++ else { ++ if ((*striplength - i) <= 2) ++ return(0); ++ datalen = (strip[i+1] << 8) | strip[i+2]; ++ if (datalen < 2 || datalen >= (*striplength - i)) ++ return(0); ++ } + switch( strip[i] ){ +- case 0xd8: +- /* SOI - start of image */ ++ case 0xd8: /* SOI - start of image */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); + *bufferoffset+=2; +- i+=2; + break; +- case 0xc0: +- case 0xc1: +- case 0xc3: +- case 0xc9: +- case 0xca: ++ case 0xc0: /* SOF0 */ ++ case 0xc1: /* SOF1 */ ++ case 0xc3: /* SOF3 */ ++ case 0xc9: /* SOF9 */ ++ case 0xca: /* SOF10 */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- for(j=0;j>4) > h_samp) +- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); +- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) +- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ ncomp = buffer[*bufferoffset+9]; ++ if (ncomp < 1 || ncomp > 4) ++ return(0); ++ v_samp=1; ++ h_samp=1; ++ for(j=0;j>4) > h_samp) ++ h_samp = (samp>>4); ++ if( (samp & 0x0f) > v_samp) ++ v_samp = (samp & 0x0f); + } + v_samp*=8; + h_samp*=8; +@@ -3381,45 +3404,43 @@ + (unsigned char) ((height>>8) & 0xff); + buffer[*bufferoffset+6]= + (unsigned char) (height & 0xff); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; +- ++ *bufferoffset+=datalen+2; ++ /* insert a DRI marker */ + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]=0xdd; + buffer[(*bufferoffset)++]=0x00; + buffer[(*bufferoffset)++]=0x04; + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; + buffer[(*bufferoffset)++]= ri & 0xff; +- } else { +- i+=strip[i+2]+2; + } + break; +- case 0xc4: +- case 0xdb: +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ case 0xc4: /* DHT */ ++ case 0xdb: /* DQT */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + break; +- case 0xda: ++ case 0xda: /* SOS */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + } else { + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]= + (unsigned char)(0xd0 | ((no-1)%8)); +- i+=strip[i+2]+2; + } +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); +- *bufferoffset+=(*striplength)-i-1; ++ i += datalen + 1; ++ /* copy remainder of strip */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); ++ *bufferoffset+= *striplength - i; + return(1); + default: +- i+=strip[i+2]+2; ++ /* ignore any other marker */ ++ break; + } ++ i += datalen + 1; + } +- + ++ /* failed to find SOS marker */ + return(0); + } + #endif diff --git a/SOURCES/libtiff-CVE-2013-1961.patch b/SOURCES/libtiff-CVE-2013-1961.patch new file mode 100644 index 0000000..0ea9b52 --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-1961.patch @@ -0,0 +1,759 @@ +diff -Naur tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c tiff-4.0.3/contrib/dbs/xtiff/xtiff.c +--- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2010-06-08 14:55:15.000000000 -0400 ++++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-05-02 12:02:42.782287939 -0400 +@@ -512,9 +512,9 @@ + Arg args[1]; + + if (tfMultiPage) +- sprintf(buffer, "%s - page %d", fileName, tfDirectory); ++ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); + else +- strcpy(buffer, fileName); ++ snprintf(buffer, sizeof(buffer), "%s", fileName); + XtSetArg(args[0], XtNlabel, buffer); + XtSetValues(labelWidget, args, 1); + } +diff -Naur tiff-4.0.3.orig/libtiff/tif_codec.c tiff-4.0.3/libtiff/tif_codec.c +--- tiff-4.0.3.orig/libtiff/tif_codec.c 2010-12-14 09:18:28.000000000 -0500 ++++ tiff-4.0.3/libtiff/tif_codec.c 2013-05-02 12:02:42.783287946 -0400 +@@ -108,7 +108,8 @@ + const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); + char compression_code[20]; + +- sprintf( compression_code, "%d", tif->tif_dir.td_compression ); ++ snprintf(compression_code, sizeof(compression_code), "%d", ++ tif->tif_dir.td_compression ); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s compression support is not configured", + c ? c->name : compression_code ); +diff -Naur tiff-4.0.3.orig/libtiff/tif_dirinfo.c tiff-4.0.3/libtiff/tif_dirinfo.c +--- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2012-08-19 12:56:34.000000000 -0400 ++++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-05-02 12:02:42.784287953 -0400 +@@ -711,7 +711,7 @@ + * note that this name is a special sign to TIFFClose() and + * _TIFFSetupFields() to free the field + */ +- sprintf(fld->field_name, "Tag %d", (int) tag); ++ snprintf(fld->field_name, 32, "Tag %d", (int) tag); + + return fld; + } +diff -Naur tiff-4.0.3.orig/tools/rgb2ycbcr.c tiff-4.0.3/tools/rgb2ycbcr.c +--- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2011-05-31 13:03:16.000000000 -0400 ++++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-05-02 12:02:42.785287961 -0400 +@@ -332,7 +332,8 @@ + TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); + { char buf[2048]; + char *cp = strrchr(TIFFFileName(in), '/'); +- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); ++ snprintf(buf, sizeof(buf), "YCbCr conversion of %s", ++ cp ? cp+1 : TIFFFileName(in)); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); + } + TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); +diff -Naur tiff-4.0.3.orig/tools/tiff2bw.c tiff-4.0.3/tools/tiff2bw.c +--- tiff-4.0.3.orig/tools/tiff2bw.c 2010-07-08 12:10:24.000000000 -0400 ++++ tiff-4.0.3/tools/tiff2bw.c 2013-05-02 12:02:42.785287961 -0400 +@@ -205,7 +205,7 @@ + } + } + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); +- sprintf(thing, "B&W version of %s", argv[optind]); ++ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); + outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); +diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c +--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 ++++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:02:42.788287983 -0400 +@@ -3609,7 +3609,9 @@ + char buffer[16]; + int buflen=0; + +- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); ++ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", ++ t2p->pdf_majorversion&0xff, ++ t2p->pdf_minorversion&0xff); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); + +@@ -3623,10 +3625,10 @@ + tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + +- buflen=sprintf(buffer, "%lu", (unsigned long)number); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); + written += t2pWriteFile(output, (tdata_t) buffer, buflen ); + written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); + +@@ -3665,13 +3667,13 @@ + written += t2pWriteFile(output, (tdata_t) "/", 1); + for (i=0;i 0x7E){ +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + nextchar=1; +@@ -3679,57 +3681,57 @@ + if (nextchar==0){ + switch (name[i]){ + case 0x23: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x25: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x28: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x29: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x2F: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x3C: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x3E: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x5B: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x5D: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x7B: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x7D: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; +@@ -3844,14 +3846,14 @@ + tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "/Length ", 8); + if(len!=0){ + written += t2p_write_pdf_stream_length(len, output); + } else { +- buflen=sprintf(buffer, "%lu", (unsigned long)number); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + } +@@ -3892,10 +3894,10 @@ + tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + +- buflen=sprintf(buffer, "%lu", (unsigned long)len); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n", 1); + +@@ -3909,7 +3911,7 @@ + tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output) + { + tsize_t written = 0; +- char buffer[16]; ++ char buffer[32]; + int buflen = 0; + + written += t2pWriteFile(output, +@@ -3948,7 +3950,6 @@ + written += t2p_write_pdf_string(t2p->pdf_datetime, output); + } + written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); +- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); + snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); + written += t2p_write_pdf_string(buffer, output); + written += t2pWriteFile(output, (tdata_t) "\n", 1); +@@ -4089,7 +4090,7 @@ + { + tsize_t written=0; + tdir_t i=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + int page=0; +@@ -4097,7 +4098,7 @@ + (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); + page = t2p->pdf_pages+1; + for (i=0;itiff_pagecount;i++){ +- buflen=sprintf(buffer, "%d", page); ++ buflen=snprintf(buffer, sizeof(buffer), "%d", page); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); + if ( ((i+1)%8)==0 ) { +@@ -4112,8 +4113,7 @@ + } + } + written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); ++ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); + +@@ -4128,28 +4128,28 @@ + + unsigned int i=0; + tsize_t written=0; +- char buffer[16]; ++ char buffer[256]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "] \n", 3); + written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); +- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); +@@ -4157,15 +4157,13 @@ + written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); + for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ + written += t2pWriteFile(output, (tdata_t) "/Im", 3); +- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "_", 1); +- buflen = sprintf(buffer, "%u", i+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4177,12 +4175,10 @@ + } else { + written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); + written += t2pWriteFile(output, (tdata_t) "/Im", 3); +- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4191,9 +4187,7 @@ + if(t2p->tiff_transferfunctioncount != 0) { + written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); + t2pWriteFile(output, (tdata_t) "/GS1 ", 5); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object + 3)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4566,7 +4560,7 @@ + if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ + for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ + box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; +- buflen=sprintf(buffer, ++ buflen=snprintf(buffer, sizeof(buffer), + "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", + t2p->tiff_transferfunctioncount?"/GS1 gs ":"", + box.mat[0], +@@ -4581,7 +4575,7 @@ + } + } else { + box=t2p->pdf_imagebox; +- buflen=sprintf(buffer, ++ buflen=snprintf(buffer, sizeof(buffer), + "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", + t2p->tiff_transferfunctioncount?"/GS1 gs ":"", + box.mat[0], +@@ -4606,59 +4600,48 @@ + TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); + written += t2pWriteFile(output, + (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", + 42); +- buflen=sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + if(tile != 0){ + written += t2pWriteFile(output, (tdata_t) "_", 1); +- buflen=sprintf(buffer, "%lu", (unsigned long)tile); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } + written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); + if(tile==0){ +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); + } else { + if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); + } else { +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); + } + } + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); + if(tile==0){ +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); + } else { + if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); + } else { +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); + } + } + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); + written += t2p_write_pdf_xobject_cs(t2p, output); +@@ -4702,11 +4685,10 @@ + t2p->pdf_colorspace ^= T2P_CS_PALETTE; + written += t2p_write_pdf_xobject_cs(t2p, output); + t2p->pdf_colorspace |= T2P_CS_PALETTE; +- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); + return(written); +@@ -4740,10 +4722,10 @@ + X_W /= Y_W; + Z_W /= Y_W; + Y_W = 1.0F; +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Range ", 7); +- buflen=sprintf(buffer, "[%d %d %d %d] \n", ++ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", + t2p->pdf_labrange[0], + t2p->pdf_labrange[1], + t2p->pdf_labrange[2], +@@ -4759,26 +4741,26 @@ + tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); + if(t2p->tiff_transferfunctioncount == 1){ +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); + } else { + written += t2pWriteFile(output, (tdata_t) "[ ", 2); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 2)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 3)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4800,7 +4782,7 @@ + written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); + written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); + written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); +- buflen=sprintf(buffer, "/Size [%u] \n", (1<tiff_bitspersample)); ++ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<tiff_bitspersample)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); + written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output); +@@ -4827,7 +4809,7 @@ + tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[128]; ++ char buffer[256]; + int buflen=0; + + float X_W=0.0; +@@ -4895,16 +4877,16 @@ + written += t2pWriteFile(output, (tdata_t) "<< \n", 4); + if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ + written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); + } + if(t2p->pdf_colorspace & T2P_CS_CALRGB){ + written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", + X_R, Y_R, Z_R, + X_G, Y_G, Z_G, + X_B, Y_B, Z_B); +@@ -4923,11 +4905,11 @@ + tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); + +@@ -4937,11 +4919,11 @@ + tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "/N ", 3); +- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); ++ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); + t2p->pdf_colorspace ^= T2P_CS_ICCBASED; +@@ -5006,7 +4988,7 @@ + tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + if(t2p->pdf_compression==T2P_COMPRESS_NONE){ +@@ -5021,41 +5003,33 @@ + written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); + if(tile==0){ + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_width); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_length); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } + if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } +@@ -5082,21 +5056,17 @@ + if(t2p->pdf_compressionquality%100){ + written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); + written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); +- _TIFFmemset(buffer, 0x00, 16); +- buflen = sprintf(buffer, "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_width); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) ">>\n", 3); + } +@@ -5116,16 +5086,16 @@ + tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[21]; ++ char buffer[64]; + int buflen=0; + uint32 i=0; + + written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); +- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); + for (i=0;ipdf_xrefcount;i++){ +- sprintf(buffer, "%.10lu 00000 n \n", ++ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", + (unsigned long)t2p->pdf_xrefoffsets[i]); + written += t2pWriteFile(output, (tdata_t) buffer, 20); + } +@@ -5149,17 +5119,14 @@ + snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand()); + + written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); +- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); + written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, + sizeof(t2p->pdf_fileid) - 1); +@@ -5167,9 +5134,8 @@ + written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, + sizeof(t2p->pdf_fileid) - 1); + written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); + + return(written); +diff -Naur tiff-4.0.3.orig/tools/tiff2ps.c tiff-4.0.3/tools/tiff2ps.c +--- tiff-4.0.3.orig/tools/tiff2ps.c 2011-05-31 13:10:18.000000000 -0400 ++++ tiff-4.0.3/tools/tiff2ps.c 2013-05-02 12:02:42.789287990 -0400 +@@ -1781,8 +1781,8 @@ + imageOp = "imagemask"; + + (void)strcpy(im_x, "0"); +- (void)sprintf(im_y, "%lu", (long) h); +- (void)sprintf(im_h, "%lu", (long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); ++ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); + tile_width = w; + tile_height = h; + if (TIFFIsTiled(tif)) { +@@ -1803,7 +1803,7 @@ + } + if (tile_height < h) { + fputs("/im_y 0 def\n", fd); +- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); + } + } else { + repeat_count = tf_numberstrips; +@@ -1815,7 +1815,7 @@ + fprintf(fd, "/im_h %lu def\n", + (unsigned long) tile_height); + (void)strcpy(im_h, "im_h"); +- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); + } + } + +diff -Naur tiff-4.0.3.orig/tools/tiffcrop.c tiff-4.0.3/tools/tiffcrop.c +--- tiff-4.0.3.orig/tools/tiffcrop.c 2010-12-14 09:18:28.000000000 -0500 ++++ tiff-4.0.3/tools/tiffcrop.c 2013-05-02 12:02:42.791288005 -0400 +@@ -2077,7 +2077,7 @@ + return 1; + } + +- sprintf (filenum, "-%03d%s", findex, export_ext); ++ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); + filenum[14] = '\0'; + strncat (exportname, filenum, 15); + } +@@ -2230,8 +2230,8 @@ + + /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes + fewer than PATH_MAX */ +- memset (temp_filename, '\0', PATH_MAX + 1); +- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images, ++ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", ++ dump.infilename, dump_images, + (dump.format == DUMP_TEXT) ? "txt" : "raw"); + if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) + { +@@ -2249,8 +2249,8 @@ + + /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes + fewer than PATH_MAX */ +- memset (temp_filename, '\0', PATH_MAX + 1); +- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, ++ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", ++ dump.outfilename, dump_images, + (dump.format == DUMP_TEXT) ? "txt" : "raw"); + if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) + { +diff -Naur tiff-4.0.3.orig/tools/tiffdither.c tiff-4.0.3/tools/tiffdither.c +--- tiff-4.0.3.orig/tools/tiffdither.c 2010-03-10 13:56:50.000000000 -0500 ++++ tiff-4.0.3/tools/tiffdither.c 2013-05-02 12:02:42.792288013 -0400 +@@ -260,7 +260,7 @@ + TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); + else + CopyField(TIFFTAG_FILLORDER, shortv); +- sprintf(thing, "Dithered B&W version of %s", argv[optind]); ++ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + CopyField(TIFFTAG_PHOTOMETRIC, shortv); + CopyField(TIFFTAG_ORIENTATION, shortv); diff --git a/SOURCES/libtiff-CVE-2013-4231.patch b/SOURCES/libtiff-CVE-2013-4231.patch new file mode 100644 index 0000000..8ae1e12 --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-4231.patch @@ -0,0 +1,15 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 17f7a19..375b152 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -333,6 +333,10 @@ readraster(void) + int status = 1; + + datasize = getc(infile); ++ ++ if (datasize > 12) ++ return 0; ++ + clear = 1 << datasize; + eoi = clear + 1; + avail = clear + 2; diff --git a/SOURCES/libtiff-CVE-2013-4232.patch b/SOURCES/libtiff-CVE-2013-4232.patch new file mode 100644 index 0000000..5e8612c --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-4232.patch @@ -0,0 +1,12 @@ +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 92a1a3d..26a1acb 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){ + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + _TIFFfree(buffer); ++ return(0); + } else { + buffer=samplebuffer; + t2p->tiff_datasize *= t2p->tiff_samplesperpixel; diff --git a/SOURCES/libtiff-CVE-2013-4243.patch b/SOURCES/libtiff-CVE-2013-4243.patch new file mode 100644 index 0000000..3ffc207 --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-4243.patch @@ -0,0 +1,37 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 2731273..1e9b4b9 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -280,6 +280,10 @@ readgifimage(char* mode) + fprintf(stderr, "no colormap present for image\n"); + return (0); + } ++ if (width == 0 || height == 0) { ++ fprintf(stderr, "Invalid value of width or height\n"); ++ return(0); ++ } + if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { + fprintf(stderr, "not enough memory for image\n"); + return (0); +@@ -406,6 +410,10 @@ process(register int code, unsigned char** fill) + fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); + return 0; + } ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; +@@ -436,6 +444,10 @@ process(register int code, unsigned char** fill) + } + oldcode = incode; + do { ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } + *(*fill)++ = *--stackp; + } while (stackp > stack); + return 1; diff --git a/SOURCES/libtiff-CVE-2013-4244.patch b/SOURCES/libtiff-CVE-2013-4244.patch new file mode 100644 index 0000000..792e076 --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-4244.patch @@ -0,0 +1,15 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 375b152..2731273 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -402,6 +402,10 @@ process(register int code, unsigned char** fill) + } + + if (oldcode == -1) { ++ if (code >= clear) { ++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; diff --git a/SOURCES/libtiff-CVE-2014-8127.patch b/SOURCES/libtiff-CVE-2014-8127.patch new file mode 100644 index 0000000..d426710 --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-8127.patch @@ -0,0 +1,169 @@ +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 19a26e2..6667228 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif) + if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1)) + goto bad; + } ++ /* ++ * SamplesPerPixel value has changed, adjust SMinSampleValue ++ * and SMaxSampleValue arrays if necessary ++ */ ++ { ++ uint32 saved_flags; ++ saved_flags = tif->tif_flags; ++ tif->tif_flags &= ~TIFF_PERSAMPLE; ++ if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE)) ++ { ++ if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0])) ++ { ++ tif->tif_flags = saved_flags; ++ goto bad; ++ } ++ } ++ if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE)) ++ { ++ if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0])) ++ { ++ tif->tif_flags = saved_flags; ++ goto bad; ++ } ++ } ++ tif->tif_flags = saved_flags; ++ } + } + } + /* +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index fa20609..fa68d1c 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) + { + if (!isTiled(tif)) + { +- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) +- goto bad; ++ /* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */ ++ if (tif->tif_dir.td_stripoffset) ++ { ++ if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) ++ goto bad; ++ } + } + else + { +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 2ba822a..dfc5b07 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) + return ((tmsize_t)(-1)); + } + bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid strip byte count, strip %lu", +@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "Invalid strip byte count %I64u, strip %lu", +@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[tile]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid tile byte count, tile %lu", +diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c +index b5ed30b..376f4e6 100644 +--- a/tools/bmp2tiff.c ++++ b/tools/bmp2tiff.c +@@ -401,6 +401,24 @@ main(int argc, char* argv[]) + return 0; + } + ++ if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4) ++ { ++ TIFFError(infilename, ++ "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression", ++ info_hdr.iBitCount); ++ close(fd); ++ return 0; ++ } ++ ++ if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8) ++ { ++ TIFFError(infilename, ++ "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression", ++ info_hdr.iBitCount); ++ close(fd); ++ return 0; ++ } ++ + width = info_hdr.iWidth; + length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; + if( width <= 0 || length <= 0 ) +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 8608aad..426bbc0 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -372,7 +372,8 @@ static struct cpTag { + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) ++ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index fd1cba5..06edf93 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -257,7 +257,8 @@ static struct cpTag { + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) ++ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out) + rowsize = TIFFScanlineSize(in); + rastersize = sh * rowsize; + fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize); +- raster = (unsigned char*)_TIFFmalloc(rastersize); ++ raster = (unsigned char*)_TIFFmalloc(rastersize + 3); + if (!raster) { + TIFFError(TIFFFileName(in), + "Can't allocate space for raster buffer."); +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index c5dcb7c..02605df 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -171,6 +171,11 @@ main(int argc, char* argv[]) + argv[optind], samplesperpixel); + return (-1); + } ++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { ++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", ++ argv[optind], samplesperpixel); ++ return (-1); ++ } + TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); + if (bitspersample != 8) { + fprintf(stderr, diff --git a/SOURCES/libtiff-CVE-2014-8129.patch b/SOURCES/libtiff-CVE-2014-8129.patch new file mode 100644 index 0000000..9cd7bd9 --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-8129.patch @@ -0,0 +1,174 @@ +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 8bf3ea7..f812fa2 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; ++ double dblval; + char* s; + const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); + uint32 standard_tag = tag; +@@ -283,10 +284,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); + break; + case TIFFTAG_XRESOLUTION: +- td->td_xresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_xresolution = (float) dblval; + break; + case TIFFTAG_YRESOLUTION: +- td->td_yresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_yresolution = (float) dblval; + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -693,6 +700,16 @@ badvalue32: + va_end(ap); + } + return (0); ++badvaluedouble: ++ { ++ const TIFFField* fip=TIFFFieldWithTag(tif,tag); ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Bad value %f for \"%s\" tag", ++ tif->tif_name, dblval, ++ fip->field_name); ++ va_end(ap); ++ } ++ return (0); + } + + /* +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index 524e127..81084ff 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + default: { + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; ++ if( isTiled(tif) ) ++ imagewidth = tif->tif_dir.td_tilewidth; + + /* + * The scanline is composed of a sequence of constant +@@ -139,10 +141,28 @@ bad: + return (0); + } + ++static int ++NeXTPreDecode(TIFF* tif, uint16 s) ++{ ++ static const char module[] = "NeXTPreDecode"; ++ TIFFDirectory *td = &tif->tif_dir; ++ (void)s; ++ ++ if( td->td_bitspersample != 2 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", ++ td->td_bitspersample); ++ return (0); ++ } ++ return (1); ++} ++ ++ + int + TIFFInitNeXT(TIFF* tif, int scheme) + { + (void) scheme; ++ tif->tif_predecode = NeXTPreDecode; + tif->tif_decoderow = NeXTDecode; + tif->tif_decodestrip = NeXTDecode; + tif->tif_decodetile = NeXTDecode; +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 26a1acb..2a64ec3 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1165,6 +1165,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ + TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid tile count, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tilecount/= xuint16; + } + if( t2p->tiff_tiles[i].tiles_tilecount > 0){ +@@ -1545,6 +1554,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + #endif + break; + case PHOTOMETRIC_CIELAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for CIELAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for CIELAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]= -127; + t2p->pdf_labrange[1]= 127; + t2p->pdf_labrange[2]= -127; +@@ -1560,6 +1585,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + t2p->pdf_colorspace=T2P_CS_LAB; + break; + case PHOTOMETRIC_ITULAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for ITULAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for ITULAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]=-85; + t2p->pdf_labrange[1]=85; + t2p->pdf_labrange[2]=-75; +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index abeb4f6..ea4f7a1 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + tsize_t tilesize = TIFFTileSize(out); + unsigned char *tilebuf = NULL; + +- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); +- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); +- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || ++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || ++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) ++ return 1; + + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) diff --git a/SOURCES/libtiff-CVE-2014-8130.patch b/SOURCES/libtiff-CVE-2014-8130.patch new file mode 100644 index 0000000..d6683c3 --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-8130.patch @@ -0,0 +1,26 @@ +diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c +index 1387558..0a3a4a8 100644 +--- a/libtiff/tif_unix.c ++++ b/libtiff/tif_unix.c +@@ -257,6 +257,8 @@ TIFFOpenW(const wchar_t* name, const char* mode) + void* + _TIFFmalloc(tmsize_t s) + { ++ if ( s == 0 ) ++ return ((void *) NULL); + return (malloc((size_t) s)); + } + +diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c +index 2cf1de9..612a00d 100644 +--- a/libtiff/tif_win32.c ++++ b/libtiff/tif_win32.c +@@ -329,6 +329,8 @@ TIFFOpenW(const wchar_t* name, const char* mode) + void* + _TIFFmalloc(tmsize_t s) + { ++ if ( s == 0 ) ++ return ((tdata_t) NULL); + return (malloc((size_t) s)); + } + diff --git a/SOURCES/libtiff-CVE-2014-9330.patch b/SOURCES/libtiff-CVE-2014-9330.patch new file mode 100644 index 0000000..cfc83cc --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-9330.patch @@ -0,0 +1,34 @@ +diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c +index c66a8d2..b5ed30b 100644 +--- a/tools/bmp2tiff.c ++++ b/tools/bmp2tiff.c +@@ -403,6 +403,14 @@ main(int argc, char* argv[]) + + width = info_hdr.iWidth; + length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; ++ if( width <= 0 || length <= 0 ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } ++ + + switch (info_hdr.iBitCount) + { +@@ -593,6 +601,14 @@ main(int argc, char* argv[]) + + compr_size = file_hdr.iSize - file_hdr.iOffBits; + uncompr_size = width * length; ++ /* Detect int overflow */ ++ if( uncompr_size / width != length ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, diff --git a/SOURCES/libtiff-CVE-2014-9655.patch b/SOURCES/libtiff-CVE-2014-9655.patch new file mode 100644 index 0000000..033c627 --- /dev/null +++ b/SOURCES/libtiff-CVE-2014-9655.patch @@ -0,0 +1,108 @@ +From a777efdb86da87073511e56e8fc4ef63fc111b5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 15:50:56 +0200 +Subject: [PATCH 1/8] Fix CVE-2014-9655 + +--- + libtiff/tif_getimage.c | 20 ++++++++++++++------ + libtiff/tif_next.c | 4 +++- + 2 files changed, 17 insertions(+), 7 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a85273c..1c1cf9e 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -842,6 +842,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + int32 fromskew, toskew; + int ret = 1, flip; + ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); ++ if( subsamplingver == 0 ) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); ++ return (0); ++ } ++ + buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif)); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); +@@ -859,7 +865,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + + TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); +- TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); ++ + scanline = TIFFScanlineSize(tif); + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) +@@ -1852,7 +1858,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + + (void) y; + fromskew = (fromskew * 10) / 4; +- if ((h & 3) == 0 && (w & 1) == 0) { ++ if ((w & 3) == 0 && (h & 1) == 0) { + for (; h >= 2; h -= 2) { + x = w>>2; + do { +@@ -1929,7 +1935,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + /* XXX adjust fromskew */ + do { + x = w>>2; +- do { ++ while(x>0) { + int32 Cb = pp[4]; + int32 Cr = pp[5]; + +@@ -1940,7 +1946,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + + cp += 4; + pp += 6; +- } while (--x); ++ x--; ++ } + + if( (w&3) != 0 ) + { +@@ -2031,7 +2038,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + fromskew = (fromskew * 4) / 2; + do { + x = w>>1; +- do { ++ while(x>0) { + int32 Cb = pp[2]; + int32 Cr = pp[3]; + +@@ -2040,7 +2047,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + + cp += 2; + pp += 4; +- } while (--x); ++ x --; ++ } + + if( (w&1) != 0 ) + { +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index 524e127..92ef6ee 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); + return (0); + } +- for (row = buf; occ > 0; occ -= scanline, row += scanline) { ++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { + n = *bp++, cc--; + switch (n) { + case LITERALROW: +@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + * The scanline has a literal span that begins at some + * offset. + */ ++ if( cc < 4 ) ++ goto bad; + off = (bp[0] * 256) + bp[1]; + n = (bp[2] * 256) + bp[3]; + if (cc < 4+n || off+n > scanline) +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2015-1547_8784.patch b/SOURCES/libtiff-CVE-2015-1547_8784.patch new file mode 100644 index 0000000..03d9b32 --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-1547_8784.patch @@ -0,0 +1,52 @@ +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index b014685..13c0848 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -37,7 +37,7 @@ + case 0: op[0] = (unsigned char) ((v) << 6); break; \ + case 1: op[0] |= (v) << 4; break; \ + case 2: op[0] |= (v) << 2; break; \ +- case 3: *op++ |= (v); break; \ ++ case 3: *op++ |= (v); op_offset++; break; \ + } \ + } + +@@ -107,6 +107,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; + ++ tmsize_t op_offset = 0; ++ + /* + * The scanline is composed of a sequence of constant + * color ``runs''. We shift into ``run mode'' and +@@ -120,10 +122,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + * bounds, potentially resulting in a security + * issue. + */ +- while (n-- > 0 && npixels < imagewidth) ++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) + SETPIXEL(op, grey); + if (npixels >= imagewidth) + break; ++ if (op_offset >= scanline ) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", ++ (long) tif->tif_row); ++ return (0); ++ } + if (cc == 0) + goto bad; + n = *bp++, cc--; +@@ -162,9 +169,9 @@ NeXTPreDecode(TIFF* tif, uint16 s) + TIFFInitNeXT(TIFF* tif, int scheme) + { + (void) scheme; +- tif->tif_predecode = NeXTPreDecode; +- tif->tif_decoderow = NeXTDecode; +- tif->tif_decodestrip = NeXTDecode; ++ tif->tif_predecode = NeXTPreDecode; ++ tif->tif_decoderow = NeXTDecode; ++ tif->tif_decodestrip = NeXTDecode; + tif->tif_decodetile = NeXTDecode; + return (1); + } diff --git a/SOURCES/libtiff-CVE-2015-7554.patch b/SOURCES/libtiff-CVE-2015-7554.patch new file mode 100644 index 0000000..cc76047 --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-7554.patch @@ -0,0 +1,23 @@ +diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c +--- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200 ++++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100 +@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out) + TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); + } + } ++ uint32 count = 0; + CopyField(TIFFTAG_PHOTOMETRIC, shortv); +- CopyField(TIFFTAG_PREDICTOR, shortv); ++ CopyField2(TIFFTAG_PREDICTOR, count, shortv); + CopyField(TIFFTAG_THRESHHOLDING, shortv); + CopyField(TIFFTAG_FILLORDER, shortv); + CopyField(TIFFTAG_ORIENTATION, shortv); +@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out) + CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); + CopyField(TIFFTAG_XRESOLUTION, floatv); + CopyField(TIFFTAG_YRESOLUTION, floatv); +- CopyField(TIFFTAG_GROUP3OPTIONS, longv); ++ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); + CopyField(TIFFTAG_GROUP4OPTIONS, longv); + CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); + CopyField(TIFFTAG_PLANARCONFIG, shortv); diff --git a/SOURCES/libtiff-CVE-2015-8668.patch b/SOURCES/libtiff-CVE-2015-8668.patch new file mode 100644 index 0000000..436326e --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-8668.patch @@ -0,0 +1,41 @@ +diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c +index 376f4e6..c747c13 100644 +--- a/tools/bmp2tiff.c ++++ b/tools/bmp2tiff.c +@@ -614,19 +614,27 @@ main(int argc, char* argv[]) + || info_hdr.iCompression == BMPC_RLE4 ) { + uint32 i, j, k, runlength; + uint32 compr_size, uncompr_size; ++ uint32 bits = 0; + unsigned char *comprbuf; + unsigned char *uncomprbuf; + + compr_size = file_hdr.iSize - file_hdr.iOffBits; +- uncompr_size = width * length; +- /* Detect int overflow */ +- if( uncompr_size / width != length ) +- { +- TIFFError(infilename, +- "Invalid dimensions of BMP file" ); +- close(fd); +- return -1; +- } ++ ++ bits = info_hdr.iBitCount; ++ ++ if (bits > 8) // bit depth is > 8bit, adjust size ++ { ++ uncompr_size = width * length * (bits / 8); ++ /* Detect int overflow */ ++ if (uncompr_size / width / (bits / 8) != length) { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file"); ++ close(fd); ++ return -1; ++ } ++ } ++ else ++ uncompr_size = width * length; + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, diff --git a/SOURCES/libtiff-CVE-2015-8683_8665.patch b/SOURCES/libtiff-CVE-2015-8683_8665.patch new file mode 100644 index 0000000..13647d0 --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-8683_8665.patch @@ -0,0 +1,98 @@ +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 1633325..018351b 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -182,8 +182,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) + "Planarconfiguration", td->td_planarconfig); + return (0); + } ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d, %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels); ++ return 0; ++ } + break; + case PHOTOMETRIC_CIELAB: ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels, ++ "Bits/sample", td->td_bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +@@ -241,6 +258,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) + uint16 *red_orig, *green_orig, *blue_orig; + int n_color; + ++ if( !TIFFRGBAImageOK(tif, emsg) ) ++ return 0; ++ + /* Initialize to normal values */ + img->row_offset = 0; + img->col_offset = 0; +@@ -2453,29 +2473,33 @@ PickContigCase(TIFFRGBAImage* img) + case PHOTOMETRIC_RGB: + switch (img->bitspersample) { + case 8: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >= 4) + img->put.contig = putRGBAAcontig8bittile; +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >= 4) + { + if (BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig8bittile; + } +- else ++ else if( img->samplesperpixel >= 3 ) + img->put.contig = putRGBcontig8bittile; + break; + case 16: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBAAcontig16bittile; + } +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img) && + BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig16bittile; + } +- else ++ else if( img->samplesperpixel >=3 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBcontig16bittile; +@@ -2484,7 +2508,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_SEPARATED: +- if (buildMap(img)) { ++ if (img->samplesperpixel >=4 && buildMap(img)) { + if (img->bitspersample == 8) { + if (!img->Map) + img->put.contig = putRGBcontig8bitCMYKtile; +@@ -2580,7 +2604,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_CIELAB: +- if (buildMap(img)) { ++ if (img->samplesperpixel == 3 && buildMap(img)) { + if (img->bitspersample == 8) + img->put.contig = initCIELabConversion(img); + break; diff --git a/SOURCES/libtiff-CVE-2015-8781.patch b/SOURCES/libtiff-CVE-2015-8781.patch new file mode 100644 index 0000000..f56aa90 --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-8781.patch @@ -0,0 +1,159 @@ +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c +index eba6c08..ebbd692 100644 +--- a/libtiff/tif_luv.c ++++ b/libtiff/tif_luv.c +@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_16BIT) + tp = (int16*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (int16*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 2*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ +- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ if ( cc < 2 ) ++ break; ++ rc = *bp++ + (2-128); + b = (int16)(*bp++ << shft); + cc -= 2; + while (rc-- && i < npixels) +@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + while (--cc && rc-- && i < npixels) + tp[i++] |= (int16)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32 *)op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32 *) sp->tbuf; + } + /* copy to array of uint32 */ + bp = (unsigned char*) tif->tif_rawcp; + cc = tif->tif_rawcc; +- for (i = 0; i < npixels && cc > 0; i++) { ++ for (i = 0; i < npixels && cc >= 3; i++) { + tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; + bp += 3; + cc -= 3; +@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 4*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ ++ if ( cc < 2 ) ++ break; + rc = *bp++ + (2-128); + b = (uint32)*bp++ << shft; +- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ cc -= 2; + while (rc-- && i < npixels) + tp[i++] |= b; + } else { /* non-run */ +@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + while (--cc && rc-- && i < npixels) + tp[i++] |= (uint32)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module [] = "LogL16Encode"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (int16*) bp; + else { + tp = (int16*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ +@@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module [] = "LogLuvEncode24"; + LogLuvState* sp = EncoderState(tif); + tmsize_t i; + tmsize_t npixels; +@@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* write out encoded pixels */ +@@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module [] = "LogLuvEncode32"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ diff --git a/SOURCES/libtiff-CVE-2015-8870.patch b/SOURCES/libtiff-CVE-2015-8870.patch new file mode 100644 index 0000000..f83d10f --- /dev/null +++ b/SOURCES/libtiff-CVE-2015-8870.patch @@ -0,0 +1,33 @@ +From fb0bc75826b860609c59848d85daa43beb7838d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Thu, 12 Jan 2017 15:34:59 +0100 +Subject: [PATCH 5/5] Fix CVE-2015-8870 + +--- + tools/bmp2tiff.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c +index c747c13..384cf96 100644 +--- a/tools/bmp2tiff.c ++++ b/tools/bmp2tiff.c +@@ -634,7 +634,16 @@ main(int argc, char* argv[]) + } + } + else ++ { + uncompr_size = width * length; ++ /* Detect int overflow */ ++ if (uncompr_size / width != length) { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file"); ++ close(fd); ++ return -1; ++ } ++ } + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-3186.patch b/SOURCES/libtiff-CVE-2016-3186.patch new file mode 100644 index 0000000..303f446 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3186.patch @@ -0,0 +1,25 @@ +From 4c5f309925e568f3ccd4bacc1907c082401c13cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Thu, 6 Dec 2018 14:42:00 +0100 +Subject: [PATCH 01/10] Fix CVE-2016-3186 + +--- + tools/gif2tiff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 1e9b4b9..e89ac5b 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -316,7 +316,7 @@ readextension(void) + char buf[255]; + + (void) getc(infile); +- while ((count = getc(infile))) ++ while ((count = getc(infile)) && count >= 0 && count <= 255) + fread(buf, 1, count, infile); + } + +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2016-3632.patch b/SOURCES/libtiff-CVE-2016-3632.patch new file mode 100644 index 0000000..bb0bc07 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3632.patch @@ -0,0 +1,26 @@ +From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 16:04:34 +0200 +Subject: [PATCH 4/8] Fix CVE-2016-3632 + +--- + tools/thumbnail.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index fd1cba5..75e7009 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -253,7 +253,8 @@ static struct cpTag { + { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL }, + { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL }, + { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT }, +- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, ++ // disable BADFAXLINES, CVE-2016-3632 ++ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-3945.patch b/SOURCES/libtiff-CVE-2016-3945.patch new file mode 100644 index 0000000..cb496a0 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3945.patch @@ -0,0 +1,92 @@ +From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 16:05:49 +0200 +Subject: [PATCH 5/8] Fix CVE-2016-3945 + +--- + tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c +index 737167c..5228966 100644 +--- a/tools/tiff2rgba.c ++++ b/tools/tiff2rgba.c +@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) + uint32 row, col; + uint32 *wrk_line; + int ok = 1; ++ uint32 rastersize, wrk_linesize; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ rastersize = tile_width * tile_height * sizeof (uint32); ++ if (width != (tile_width / tile_height) / sizeof( uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); ++ exit(-1); ++ } ++ raster = (uint32*)_TIFFmalloc(rastersize); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out ) + * Allocate a scanline buffer for swapping during the vertical + * mirroring pass. + */ +- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); ++ wrk_linesize = tile_width * sizeof (uint32); ++ if (wrk_linesize != tile_width / sizeof (uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); ++ exit(-1); ++ } ++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); + if (!wrk_line) { + TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); + ok = 0; +@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) + uint32 row; + uint32 *wrk_line; + int ok = 1; ++ uint32 rastersize, wrk_linesize; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ rastersize = width * rowsperstrip * sizeof (uint32); ++ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); ++ exit(-1); ++ } ++ raster = (uint32*)_TIFFmalloc(rastersize); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out ) + * Allocate a scanline buffer for swapping during the vertical + * mirroring pass. + */ +- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); ++ wrk_linesize = width * sizeof (uint32); ++ if (wrk_linesize != width / sizeof (uint32)) ++ { ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); ++ exit(-1); ++ } ++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); + if (!wrk_line) { + TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); + ok = 0; +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-3990.patch b/SOURCES/libtiff-CVE-2016-3990.patch new file mode 100644 index 0000000..c5a9e8b --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3990.patch @@ -0,0 +1,63 @@ +From 46d1b6c09939eef09e45ccec345c6724cabc454e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 16:44:22 +0200 +Subject: [PATCH 6/8] Fix CVE-2016-3990 + +--- + libtiff/tif_pixarlog.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index 2793b22..c9f056e 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -462,6 +462,7 @@ typedef struct { + int state; + int user_datafmt; + int quality; ++ tsize_t tbuf_size; + #define PLSTATE_INIT 1 + + TIFFVSetMethod vgetparent; /* super-class method */ +@@ -885,6 +886,7 @@ PixarLogSetupEncode(TIFF* tif) + td->td_samplesperpixel : 1); + tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), + td->td_rowsperstrip), sizeof(uint16)); ++ sp->tbuf_size = tbuf_size; + if (tbuf_size == 0) + return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); +@@ -1131,8 +1133,17 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + } + + llen = sp->stride * td->td_imagewidth; +- ++ if (llen > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name); ++ exit (0); ++ } + for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { ++ if (up > sp->tbuf+sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name); ++ exit (0); ++ } + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalDifferenceF((float *)bp, llen, +@@ -1169,6 +1180,11 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + "ZLib cannot deal with buffers this size"); + return (0); + } ++ if (sp->stream.avail_in > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Error within the calculation on ZLib buffer size.", tif->tif_name); ++ return (0); ++ } + + do { + if (deflate(&sp->stream, Z_NO_FLUSH) != Z_OK) { +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-3991.patch b/SOURCES/libtiff-CVE-2016-3991.patch new file mode 100644 index 0000000..0ca667d --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-3991.patch @@ -0,0 +1,111 @@ +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ea4f7a1..f04e2eb 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, + } + + tile_buffsize = tilesize; ++ if (tilesize == 0 || tile_rowsize == 0) ++ { ++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); ++ exit(-1); ++ } + + if (tilesize < (tsize_t)(tl * tile_rowsize)) + { +@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, + tilesize, tl * tile_rowsize); + #endif + tile_buffsize = tl * tile_rowsize; +- } ++ if (tl != (tile_buffsize / tile_rowsize)) ++ { ++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); ++ exit(-1); ++ } ++ } + + tilebuf = _TIFFmalloc(tile_buffsize); + if (tilebuf == 0) +@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) + return 1; + ++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) ++ { ++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); ++ exit(-1); ++ } ++ + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) + { +@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + tilesize, tl * tile_rowsize); + #endif + tile_buffsize = tl * tile_rowsize; ++ if (tl != tile_buffsize / tile_rowsize) ++ { ++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } + } + + tilebuf = _TIFFmalloc(tile_buffsize); +@@ -5931,12 +5952,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); + + tile_rowsize = TIFFTileRowSize(in); ++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) ++ { ++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); ++ exit(-1); ++ } + buffsize = tlsize * ntiles; ++ if (tlsize != (buffsize / ntiles)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } + +- + if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) + { + buffsize = ntiles * tl * tile_rowsize; ++ if (ntiles != (buffsize / tl / tile_rowsize)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } ++ + #ifdef DEBUG2 + TIFFError("loadImage", + "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", +@@ -5955,8 +5991,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); + stsize = TIFFStripSize(in); + nstrips = TIFFNumberOfStrips(in); ++ if (nstrips == 0 || stsize == 0) ++ { ++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); ++ exit(-1); ++ } ++ + buffsize = stsize * nstrips; +- ++ if (stsize != (buffsize / nstrips)) ++ { ++ TIFFError("loadImage", "Integer overflow when calculating buffer size"); ++ exit(-1); ++ } ++ uint32 buffsize_check; ++ buffsize_check = ((length * width * spp * bps) + 7); ++ if (length != ((buffsize_check - 7) / width / spp / bps)) ++ { ++ TIFFError("loadImage", "Integer overflow detected."); ++ exit(-1); ++ } + if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) + { + buffsize = ((length * width * spp * bps) + 7) / 8; diff --git a/SOURCES/libtiff-CVE-2016-5320.patch b/SOURCES/libtiff-CVE-2016-5320.patch new file mode 100644 index 0000000..fc05ed6 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-5320.patch @@ -0,0 +1,45 @@ +From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 11 Jul 2016 16:54:49 +0200 +Subject: [PATCH 8/8] Fix CVE-2016-5320 + +--- + libtiff/tif_pixarlog.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index c9f056e..c961529 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -462,7 +462,7 @@ typedef struct { + int state; + int user_datafmt; + int quality; +- tsize_t tbuf_size; ++ tmsize_t tbuf_size; + #define PLSTATE_INIT 1 + + TIFFVSetMethod vgetparent; /* super-class method */ +@@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif) + if (tbuf_size == 0) + return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); ++ sp->tbuf_size = tbuf_size; + if (sp->tbuf == NULL) + return (0); + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) +@@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); + return (0); + } ++ if (sp->stream.avail_out > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size"); ++ return (0); ++ } + do { + int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); + if (state == Z_STREAM_END) { +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-5652.patch b/SOURCES/libtiff-CVE-2016-5652.patch new file mode 100644 index 0000000..a50d1e6 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-5652.patch @@ -0,0 +1,48 @@ +From bb2505b3d099104a296823fc3a456680417475b0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Thu, 12 Jan 2017 11:30:40 +0100 +Subject: [PATCH 4/5] Fix CVE-2016-5652 + +--- + tools/tiff2pdf.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index fbca305..9df5b16 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -2826,21 +2826,24 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_ + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { +- if (count > 0) { +- _TIFFmemcpy(buffer, jpt, count); ++ if (count >= 4) { ++ /* Ignore EOI marker of JpegTables */ ++ _TIFFmemcpy(buffer, jpt, count - 2); + bufferoffset += count - 2; ++ /* Store last 2 bytes of the JpegTables */ + table_end[0] = buffer[bufferoffset-2]; + table_end[1] = buffer[bufferoffset-1]; +- } +- if (count > 0) { + xuint32 = bufferoffset; ++ bufferoffset -= 2; + bufferoffset += TIFFReadRawTile( + input, + tile, +- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), ++ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), + -1); +- buffer[xuint32-2]=table_end[0]; +- buffer[xuint32-1]=table_end[1]; ++ /* Overwrite SOI marker of image scan with previously */ ++ /* saved end of JpegTables */ ++ buffer[xuint32-2]=table_end[0]; ++ buffer[xuint32-1]=table_end[1]; + } else { + bufferoffset += TIFFReadRawTile( + input, +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-9533_9534_9536_9537.patch b/SOURCES/libtiff-CVE-2016-9533_9534_9536_9537.patch new file mode 100644 index 0000000..445f5ad --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-9533_9534_9536_9537.patch @@ -0,0 +1,300 @@ +From 6c4480d2980dc61f3fcd4f43a499e69764133f1a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Wed, 11 Jan 2017 12:50:33 +0100 +Subject: [PATCH 1/5] Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, + CVE-2016-9537 + +--- + libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++----------------------------- + libtiff/tif_write.c | 7 +++++++ + tools/thumbnail.c | 7 ++++++- + tools/tiff2pdf.c | 22 ++++++++++++++++++-- + tools/tiffcrop.c | 31 ++++++++++++++++++++++++---- + 5 files changed, 83 insertions(+), 39 deletions(-) + +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index c961529..6128f2f 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -981,17 +981,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2) + a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; + } + } else { +- ip += n - 1; /* point to last one */ +- wp += n - 1; /* point to last one */ +- n -= stride; +- while (n > 0) { +- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); +- wp[stride] -= wp[0]; +- wp[stride] &= mask; +- wp--; ip--) +- n -= stride; +- } +- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--) ++ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++) ++ n -= stride; ++ while (n > 0) { ++ REPEAT(stride, ++ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask); ++ wp++; ip++) ++ n -= stride; ++ } + } + } + } +@@ -1034,17 +1031,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride, + a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; + } + } else { +- ip += n - 1; /* point to last one */ +- wp += n - 1; /* point to last one */ ++ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) + n -= stride; + while (n > 0) { +- REPEAT(stride, wp[0] = CLAMP(ip[0]); +- wp[stride] -= wp[0]; +- wp[stride] &= mask; +- wp--; ip--) +- n -= stride; +- } +- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) ++ REPEAT(stride, ++ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); ++ wp++; ip++) ++ n -= stride; ++ } + } + } + } +@@ -1087,18 +1081,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride, + ip += 4; + } + } else { +- wp += n + stride - 1; /* point to last one */ +- ip += n + stride - 1; /* point to last one */ +- n -= stride; +- while (n > 0) { +- REPEAT(stride, wp[0] = CLAMP(ip[0]); +- wp[stride] -= wp[0]; +- wp[stride] &= mask; +- wp--; ip--) +- n -= stride; +- } +- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) +- } ++ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) ++ n -= stride; ++ while (n > 0) { ++ REPEAT(stride, ++ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); ++ wp++; ip++) ++ n -= stride; ++ } ++ } + } + } + +diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c +index 8792123..ce671af 100644 +--- a/libtiff/tif_write.c ++++ b/libtiff/tif_write.c +@@ -742,7 +742,14 @@ TIFFFlushData1(TIFF* tif) + if (!TIFFAppendToStrip(tif, + isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip, + tif->tif_rawdata, tif->tif_rawcc)) ++ { ++ /* We update those variables even in case of error since there's */ ++ /* code that doesn't really check the return code of this */ ++ /* function */ ++ tif->tif_rawcc = 0; ++ tif->tif_rawcp = tif->tif_rawdata; + return (0); ++ } + tif->tif_rawcc = 0; + tif->tif_rawcp = tif->tif_rawdata; + } +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index e14d290..9a9c439 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -587,12 +587,17 @@ generateThumbnail(TIFF* in, TIFF* out) + rowsize = TIFFScanlineSize(in); + rastersize = sh * rowsize; + fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize); +- raster = (unsigned char*)_TIFFmalloc(rastersize + 3); ++ /* +3 : add a few guard bytes since setrow() can read a bit */ ++ /* outside buffer */ ++ raster = (unsigned char*)_TIFFmalloc(rastersize+3); + if (!raster) { + TIFFError(TIFFFileName(in), + "Can't allocate space for raster buffer."); + return 0; + } ++ raster[rastersize] = 0; ++ raster[rastersize+1] = 0; ++ raster[rastersize+2] = 0; + rp = raster; + for (s = 0; s < ns; s++) { + (void) TIFFReadEncodedStrip(in, s, rp, -1); +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 2a64ec3..fbca305 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -285,7 +285,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t); + int t2p_process_ojpeg_tables(T2P*, TIFF*); + #endif + #ifdef JPEG_SUPPORT +-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32); ++int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32); + #endif + void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32); + void t2p_write_advance_directory(T2P*, TIFF*); +@@ -2348,7 +2348,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){ + if(!t2p_process_jpeg_strip( + stripbuffer, + &striplength, +- buffer, ++ buffer, ++ t2p->tiff_datasize, + &bufferoffset, + i, + t2p->tiff_length)){ +@@ -3378,6 +3379,7 @@ int t2p_process_jpeg_strip( + unsigned char* strip, + tsize_t* striplength, + unsigned char* buffer, ++ tsize_t buffersize, + tsize_t* bufferoffset, + tstrip_t no, + uint32 height){ +@@ -3412,6 +3414,8 @@ int t2p_process_jpeg_strip( + } + switch( strip[i] ){ + case 0xd8: /* SOI - start of image */ ++ if( *bufferoffset + 2 > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); + *bufferoffset+=2; + break; +@@ -3421,12 +3425,18 @@ int t2p_process_jpeg_strip( + case 0xc9: /* SOF9 */ + case 0xca: /* SOF10 */ + if(no==0){ ++ if( *bufferoffset + datalen + 2 + 6 > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ if( *bufferoffset + 9 >= buffersize ) ++ return(0); + ncomp = buffer[*bufferoffset+9]; + if (ncomp < 1 || ncomp > 4) + return(0); + v_samp=1; + h_samp=1; ++ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize ) ++ return(0); + for(j=0;j>4) > h_samp) +@@ -3458,20 +3468,28 @@ int t2p_process_jpeg_strip( + break; + case 0xc4: /* DHT */ + case 0xdb: /* DQT */ ++ if( *bufferoffset + datalen + 2 > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; + break; + case 0xda: /* SOS */ + if(no==0){ ++ if( *bufferoffset + datalen + 2 > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; + } else { ++ if( *bufferoffset + 2 > buffersize ) ++ return(0); + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]= + (unsigned char)(0xd0 | ((no-1)%8)); + } + i += datalen + 1; + /* copy remainder of strip */ ++ if( *bufferoffset + *striplength - i > buffersize ) ++ return(0); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); + *bufferoffset+= *striplength - i; + return(1); +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f04e2eb..02c53cd 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5744,7 +5744,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + { + uint32 i; + float xres = 0.0, yres = 0.0; +- uint16 nstrips = 0, ntiles = 0, planar = 0; ++ uint32 nstrips = 0, ntiles = 0; ++ uint16 planar = 0; + uint16 bps = 0, spp = 0, res_unit = 0; + uint16 orientation = 0; + uint16 input_compression = 0, input_photometric = 0; +@@ -6049,17 +6050,31 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + } + + read_buff = *read_ptr; ++ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ ++ /* outside buffer */ + if (!read_buff) +- read_buff = (unsigned char *)_TIFFmalloc(buffsize); ++ { ++ if( buffsize > 0xFFFFFFFFU - 3 ) ++ { ++ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); ++ return (-1); ++ } ++ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); ++ } + else + { + if (prev_readsize < buffsize) ++ { ++ if( buffsize > 0xFFFFFFFFU - 3 ) + { +- new_buff = _TIFFrealloc(read_buff, buffsize); ++ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); ++ return (-1); ++ } ++ new_buff = _TIFFrealloc(read_buff, buffsize+3); + if (!new_buff) + { + free (read_buff); +- read_buff = (unsigned char *)_TIFFmalloc(buffsize); ++ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); + } + else + read_buff = new_buff; +@@ -6071,6 +6086,9 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } ++ read_buff[buffsize] = 0; ++ read_buff[buffsize+1] = 0; ++ read_buff[buffsize+2] = 0; + + prev_readsize = buffsize; + *read_ptr = read_buff; +@@ -8877,6 +8895,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width, + } + + bytes_per_pixel = ((bps * spp) + 7) / 8; ++ if( bytes_per_pixel > sizeof(swapbuff) ) ++ { ++ TIFFError("reverseSamplesBytes","bytes_per_pixel too large"); ++ return (1); ++ } + switch (bps / 8) + { + case 8: /* Use memcpy for multiple bytes per sample data */ +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-9535.patch b/SOURCES/libtiff-CVE-2016-9535.patch new file mode 100644 index 0000000..7ec32cf --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-9535.patch @@ -0,0 +1,613 @@ +From f42765c206cc2e4a77f5e3c107a9a258d981c98e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Mon, 16 Jan 2017 18:13:13 +0100 +Subject: [PATCH 2/5] Fix CVE-2016-9535 + +--- + libtiff/tif_fax3.c | 3 +- + libtiff/tif_lzw.c | 9 +- + libtiff/tif_predict.c | 285 +++++++++++++++++++++++++++++++++----------------- + libtiff/tif_predict.h | 6 +- + 4 files changed, 203 insertions(+), 100 deletions(-) + +diff --git a/libtiff/tif_fax3.c b/libtiff/tif_fax3.c +index 2b2dccd..777ef8f 100644 +--- a/libtiff/tif_fax3.c ++++ b/libtiff/tif_fax3.c +@@ -442,8 +442,9 @@ _TIFFFax3fillruns(unsigned char* buf, uint32* runs, uint32* erun, uint32 lastx) + FILL(n, cp); + run &= 7; + } ++ /* Explicit 0xff masking to make icc -check=conversions happy */ + if (run) +- cp[0] |= 0xff00 >> run; ++ cp[0] = (unsigned char)((cp[0] | (0xff00 >> run))&0xff); + } else + cp[0] |= _fillmasks[run]>>bx; + x += runs[1]; +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index fd9c7a0..d7fbe74 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -830,13 +830,15 @@ LZWPreEncode(TIFF* tif, uint16 s) + } else \ + rat = (incount<<8) / outcount; \ + } ++ ++/* Explicit 0xff masking to make icc -check=conversions happy */ + #define PutNextCode(op, c) { \ + nextdata = (nextdata << nbits) | c; \ + nextbits += nbits; \ +- *op++ = (unsigned char)(nextdata >> (nextbits-8)); \ ++ *op++ = (unsigned char)((nextdata >> (nextbits-8))&0xff); \ + nextbits -= 8; \ + if (nextbits >= 8) { \ +- *op++ = (unsigned char)(nextdata >> (nextbits-8)); \ ++ *op++ = (unsigned char)((nextdata >> (nextbits-8))&0xff); \ + nextbits -= 8; \ + } \ + outcount += nbits; \ +@@ -1042,8 +1044,9 @@ LZWPostEncode(TIFF* tif) + sp->enc_oldcode = (hcode_t) -1; + } + PutNextCode(op, CODE_EOI); ++ /* Explicit 0xff masking to make icc -check=conversions happy */ + if (nextbits > 0) +- *op++ = (unsigned char)(nextdata << (8-nextbits)); ++ *op++ = (unsigned char)((nextdata << (8-nextbits))&0xff); + tif->tif_rawcc = (tmsize_t)(op - tif->tif_rawdata); + return (1); + } +diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c +index f93c664..39d764f 100644 +--- a/libtiff/tif_predict.c ++++ b/libtiff/tif_predict.c +@@ -34,16 +34,18 @@ + + #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data) + +-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc); +-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc); ++static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc); + static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s); + static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s); + static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s); +@@ -207,7 +209,24 @@ PredictorSetupEncode(TIFF* tif) + sp->encodetile = tif->tif_encodetile; + tif->tif_encodetile = PredictorEncodeTile; + } +- } ++ ++ /* ++ * If the data is horizontally differenced 16-bit data that ++ * requires byte-swapping, then it must be byte swapped after ++ * the differenciation step. We do this with a special-purpose ++ * routine and override the normal post decoding logic that ++ * the library setup when the directory was read. ++ */ ++ if (tif->tif_flags & TIFF_SWAB) { ++ if (sp->encodepfunc == horDiff16) { ++ sp->encodepfunc = swabHorDiff16; ++ tif->tif_postdecode = _TIFFNoPostDecode; ++ } else if (sp->encodepfunc == horDiff32) { ++ sp->encodepfunc = swabHorDiff32; ++ tif->tif_postdecode = _TIFFNoPostDecode; ++ } ++ } ++ } + + else if (sp->predictor == 3) { + sp->encodepfunc = fpDiff; +@@ -239,13 +258,25 @@ PredictorSetupEncode(TIFF* tif) + case 0: ; \ + } + +-static void ++/* Remarks related to C standard compliance in all below functions : */ ++/* - to avoid any undefined behaviour, we only operate on unsigned types */ ++/* since the behaviour of "overflows" is defined (wrap over) */ ++/* - when storing into the byte stream, we explicitly mask with 0xff so */ ++/* as to make icc -check=conversions happy (not necessary by the standard) */ ++ ++static int + horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc) + { + tmsize_t stride = PredictorState(tif)->stride; + +- char* cp = (char*) cp0; +- assert((cc%stride)==0); ++ unsigned char* cp = (unsigned char*) cp0; ++ if((cc%stride)!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "horAcc8", ++ "%s", "(cc%stride)!=0"); ++ return 0; ++ } ++ + if (cc > stride) { + /* + * Pipeline the most common cases. +@@ -257,9 +288,9 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc) + cc -= 3; + cp += 3; + while (cc>0) { +- cp[0] = (char) (cr += cp[0]); +- cp[1] = (char) (cg += cp[1]); +- cp[2] = (char) (cb += cp[2]); ++ cp[0] = (unsigned char) ((cr += cp[0]) & 0xff); ++ cp[1] = (unsigned char) ((cg += cp[1]) & 0xff); ++ cp[2] = (unsigned char) ((cb += cp[2]) & 0xff); + cc -= 3; + cp += 3; + } +@@ -271,10 +302,10 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc) + cc -= 4; + cp += 4; + while (cc>0) { +- cp[0] = (char) (cr += cp[0]); +- cp[1] = (char) (cg += cp[1]); +- cp[2] = (char) (cb += cp[2]); +- cp[3] = (char) (ca += cp[3]); ++ cp[0] = (unsigned char) ((cr += cp[0]) & 0xff); ++ cp[1] = (unsigned char) ((cg += cp[1]) & 0xff); ++ cp[2] = (unsigned char) ((cb += cp[2]) & 0xff); ++ cp[3] = (unsigned char) ((ca += cp[3]) & 0xff); + cc -= 4; + cp += 4; + } +@@ -282,77 +313,71 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc) + cc -= stride; + do { + REPEAT4(stride, cp[stride] = +- (char) (cp[stride] + *cp); cp++) ++ (unsigned char) ((cp[stride] + *cp) & 0xff); cp++) + cc -= stride; + } while (cc>0); + } + } ++ return 1; + } + +-static void ++static int + swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) + { +- tmsize_t stride = PredictorState(tif)->stride; + uint16* wp = (uint16*) cp0; + tmsize_t wc = cc / 2; + +- assert((cc%(2*stride))==0); +- +- if (wc > stride) { +- TIFFSwabArrayOfShort(wp, wc); +- wc -= stride; +- do { +- REPEAT4(stride, wp[stride] += wp[0]; wp++) +- wc -= stride; +- } while (wc > 0); +- } ++ TIFFSwabArrayOfShort(wp, wc); ++ return horAcc16(tif, cp0, cc); + } + +-static void ++static int + horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) + { + tmsize_t stride = PredictorState(tif)->stride; + uint16* wp = (uint16*) cp0; + tmsize_t wc = cc / 2; + +- assert((cc%(2*stride))==0); ++ if((cc%(2*stride))!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "horAcc16", ++ "%s", "cc%(2*stride))!=0"); ++ return 0; ++ } + + if (wc > stride) { + wc -= stride; + do { +- REPEAT4(stride, wp[stride] += wp[0]; wp++) ++ REPEAT4(stride, wp[stride] = (uint16)(((unsigned int)wp[stride] + (unsigned int)wp[0]) & 0xffff); wp++) + wc -= stride; + } while (wc > 0); + } ++ return 1; + } + +-static void ++static int + swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) + { +- tmsize_t stride = PredictorState(tif)->stride; + uint32* wp = (uint32*) cp0; + tmsize_t wc = cc / 4; + +- assert((cc%(4*stride))==0); +- +- if (wc > stride) { +- TIFFSwabArrayOfLong(wp, wc); +- wc -= stride; +- do { +- REPEAT4(stride, wp[stride] += wp[0]; wp++) +- wc -= stride; +- } while (wc > 0); +- } ++ TIFFSwabArrayOfLong(wp, wc); ++ return horAcc32(tif, cp0, cc); + } + +-static void ++static int + horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) + { + tmsize_t stride = PredictorState(tif)->stride; + uint32* wp = (uint32*) cp0; + tmsize_t wc = cc / 4; + +- assert((cc%(4*stride))==0); ++ if((cc%(4*stride))!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "horAcc32", ++ "%s", "cc%(4*stride))!=0"); ++ return 0; ++ } + + if (wc > stride) { + wc -= stride; +@@ -361,12 +386,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) + wc -= stride; + } while (wc > 0); + } ++ return 1; + } + + /* + * Floating point predictor accumulation routine. + */ +-static void ++static int + fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) + { + tmsize_t stride = PredictorState(tif)->stride; +@@ -374,15 +400,22 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) + tmsize_t wc = cc / bps; + tmsize_t count = cc; + uint8 *cp = (uint8 *) cp0; +- uint8 *tmp = (uint8 *)_TIFFmalloc(cc); ++ uint8 *tmp; + +- assert((cc%(bps*stride))==0); ++ if(cc%(bps*stride)!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "fpAcc", ++ "%s", "cc%(bps*stride))!=0"); ++ return 0; ++ } + ++ tmp = (uint8 *)_TIFFmalloc(cc); + if (!tmp) +- return; ++ return 0; + + while (count > stride) { +- REPEAT4(stride, cp[stride] += cp[0]; cp++) ++ REPEAT4(stride, cp[stride] = ++ (unsigned char) ((cp[stride] + cp[0]) & 0xff); cp++) + count -= stride; + } + +@@ -400,6 +433,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) + } + } + _TIFFfree(tmp); ++ return 1; + } + + /* +@@ -415,8 +449,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + assert(sp->decodepfunc != NULL); + + if ((*sp->decoderow)(tif, op0, occ0, s)) { +- (*sp->decodepfunc)(tif, op0, occ0); +- return 1; ++ return (*sp->decodepfunc)(tif, op0, occ0); + } else + return 0; + } +@@ -439,10 +472,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + if ((*sp->decodetile)(tif, op0, occ0, s)) { + tmsize_t rowsize = sp->rowsize; + assert(rowsize > 0); +- assert((occ0%rowsize)==0); ++ if((occ0%rowsize) !=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile", ++ "%s", "occ0%rowsize != 0"); ++ return 0; ++ } + assert(sp->decodepfunc != NULL); + while (occ0 > 0) { +- (*sp->decodepfunc)(tif, op0, rowsize); ++ if( !(*sp->decodepfunc)(tif, op0, rowsize) ) ++ return 0; + occ0 -= rowsize; + op0 += rowsize; + } +@@ -451,14 +490,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + return 0; + } + +-static void ++static int + horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc) + { + TIFFPredictorState* sp = PredictorState(tif); + tmsize_t stride = sp->stride; +- char* cp = (char*) cp0; ++ unsigned char* cp = (unsigned char*) cp0; + +- assert((cc%stride)==0); ++ if((cc%stride)!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "horDiff8", ++ "%s", "(cc%stride)!=0"); ++ return 0; ++ } + + if (cc > stride) { + cc -= stride; +@@ -466,67 +510,92 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc) + * Pipeline the most common cases. + */ + if (stride == 3) { +- int r1, g1, b1; +- int r2 = cp[0]; +- int g2 = cp[1]; +- int b2 = cp[2]; ++ unsigned int r1, g1, b1; ++ unsigned int r2 = cp[0]; ++ unsigned int g2 = cp[1]; ++ unsigned int b2 = cp[2]; + do { +- r1 = cp[3]; cp[3] = r1-r2; r2 = r1; +- g1 = cp[4]; cp[4] = g1-g2; g2 = g1; +- b1 = cp[5]; cp[5] = b1-b2; b2 = b1; ++ r1 = cp[3]; cp[3] = (unsigned char)((r1-r2)&0xff); r2 = r1; ++ g1 = cp[4]; cp[4] = (unsigned char)((g1-g2)&0xff); g2 = g1; ++ b1 = cp[5]; cp[5] = (unsigned char)((b1-b2)&0xff); b2 = b1; + cp += 3; + } while ((cc -= 3) > 0); + } else if (stride == 4) { +- int r1, g1, b1, a1; +- int r2 = cp[0]; +- int g2 = cp[1]; +- int b2 = cp[2]; +- int a2 = cp[3]; ++ unsigned int r1, g1, b1, a1; ++ unsigned int r2 = cp[0]; ++ unsigned int g2 = cp[1]; ++ unsigned int b2 = cp[2]; ++ unsigned int a2 = cp[3]; + do { +- r1 = cp[4]; cp[4] = r1-r2; r2 = r1; +- g1 = cp[5]; cp[5] = g1-g2; g2 = g1; +- b1 = cp[6]; cp[6] = b1-b2; b2 = b1; +- a1 = cp[7]; cp[7] = a1-a2; a2 = a1; ++ r1 = cp[4]; cp[4] = (unsigned char)((r1-r2)&0xff); r2 = r1; ++ g1 = cp[5]; cp[5] = (unsigned char)((g1-g2)&0xff); g2 = g1; ++ b1 = cp[6]; cp[6] = (unsigned char)((b1-b2)&0xff); b2 = b1; ++ a1 = cp[7]; cp[7] = (unsigned char)((a1-a2)&0xff); a2 = a1; + cp += 4; + } while ((cc -= 4) > 0); + } else { + cp += cc - 1; + do { +- REPEAT4(stride, cp[stride] -= cp[0]; cp--) ++ REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--) + } while ((cc -= stride) > 0); + } + } ++ return 1; + } + +-static void ++static int + horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) + { + TIFFPredictorState* sp = PredictorState(tif); + tmsize_t stride = sp->stride; +- int16 *wp = (int16*) cp0; ++ uint16 *wp = (uint16*) cp0; + tmsize_t wc = cc/2; + +- assert((cc%(2*stride))==0); ++ if((cc%(2*stride))!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "horDiff8", ++ "%s", "(cc%(2*stride))!=0"); ++ return 0; ++ } + + if (wc > stride) { + wc -= stride; + wp += wc - 1; + do { +- REPEAT4(stride, wp[stride] -= wp[0]; wp--) ++ REPEAT4(stride, wp[stride] = (uint16)(((unsigned int)wp[stride] - (unsigned int)wp[0]) & 0xffff); wp--) + wc -= stride; + } while (wc > 0); + } ++ return 1; + } + +-static void ++static int ++swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) ++{ ++ uint16* wp = (uint16*) cp0; ++ tmsize_t wc = cc / 2; ++ ++ if( !horDiff16(tif, cp0, cc) ) ++ return 0; ++ ++ TIFFSwabArrayOfShort(wp, wc); ++ return 1; ++} ++ ++static int + horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) + { + TIFFPredictorState* sp = PredictorState(tif); + tmsize_t stride = sp->stride; +- int32 *wp = (int32*) cp0; ++ uint32 *wp = (uint32*) cp0; + tmsize_t wc = cc/4; + +- assert((cc%(4*stride))==0); ++ if((cc%(4*stride))!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "horDiff32", ++ "%s", "(cc%(4*stride))!=0"); ++ return 0; ++ } + + if (wc > stride) { + wc -= stride; +@@ -536,12 +605,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) + wc -= stride; + } while (wc > 0); + } ++ return 1; ++} ++ ++static int ++swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) ++{ ++ uint32* wp = (uint32*) cp0; ++ tmsize_t wc = cc / 4; ++ ++ if( !horDiff32(tif, cp0, cc) ) ++ return 0; ++ ++ TIFFSwabArrayOfLong(wp, wc); ++ return 1; + } + + /* + * Floating point predictor differencing routine. + */ +-static void ++static int + fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) + { + tmsize_t stride = PredictorState(tif)->stride; +@@ -549,12 +632,18 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) + tmsize_t wc = cc / bps; + tmsize_t count; + uint8 *cp = (uint8 *) cp0; +- uint8 *tmp = (uint8 *)_TIFFmalloc(cc); ++ uint8 *tmp; + +- assert((cc%(bps*stride))==0); ++ if((cc%(bps*stride))!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "fpDiff", ++ "%s", "(cc%(bps*stride))!=0"); ++ return 0; ++ } + ++ tmp = (uint8 *)_TIFFmalloc(cc); + if (!tmp) +- return; ++ return 0; + + _TIFFmemcpy(tmp, cp0, cc); + for (count = 0; count < wc; count++) { +@@ -573,7 +662,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) + cp = (uint8 *) cp0; + cp += cc - stride - 1; + for (count = cc; count > stride; count -= stride) +- REPEAT4(stride, cp[stride] -= cp[0]; cp--) ++ REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--) ++ return 1; + } + + static int +@@ -586,7 +676,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + assert(sp->encoderow != NULL); + + /* XXX horizontal differencing alters user's data XXX */ +- (*sp->encodepfunc)(tif, bp, cc); ++ if( !(*sp->encodepfunc)(tif, bp, cc) ) ++ return 0; + return (*sp->encoderow)(tif, bp, cc, s); + } + +@@ -621,7 +712,13 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s) + + rowsize = sp->rowsize; + assert(rowsize > 0); +- assert((cc0%rowsize)==0); ++ if((cc0%rowsize)!=0) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile", ++ "%s", "(cc0%rowsize)!=0"); ++ _TIFFfree( working_copy ); ++ return 0; ++ } + while (cc > 0) { + (*sp->encodepfunc)(tif, bp, rowsize); + cc -= rowsize; +diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h +index dc7144c..1585a58 100644 +--- a/libtiff/tif_predict.h ++++ b/libtiff/tif_predict.h +@@ -30,6 +30,8 @@ + * ``Library-private'' Support for the Predictor Tag + */ + ++typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size); ++ + /* + * Codecs that want to support the Predictor tag must place + * this structure first in their private state block so that +@@ -43,12 +45,12 @@ typedef struct { + TIFFCodeMethod encoderow; /* parent codec encode/decode row */ + TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */ + TIFFCodeMethod encodetile; /* parent codec encode/decode tile */ +- TIFFPostMethod encodepfunc; /* horizontal differencer */ ++ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */ + + TIFFCodeMethod decoderow; /* parent codec encode/decode row */ + TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */ + TIFFCodeMethod decodetile; /* parent codec encode/decode tile */ +- TIFFPostMethod decodepfunc; /* horizontal accumulator */ ++ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */ + + TIFFVGetMethod vgetparent; /* super-class method */ + TIFFVSetMethod vsetparent; /* super-class method */ +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2016-9540.patch b/SOURCES/libtiff-CVE-2016-9540.patch new file mode 100644 index 0000000..b473d86 --- /dev/null +++ b/SOURCES/libtiff-CVE-2016-9540.patch @@ -0,0 +1,34 @@ +From aa6829cda019f56ed882b2db2d1e84c994412f9d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Wed, 11 Jan 2017 12:58:22 +0100 +Subject: [PATCH 3/5] Fix CVE-2016-9540 + +--- + tools/tiffcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 8c696db..2903461 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1330,7 +1330,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer) + uint32 colb = 0; + uint32 col; + +- for (col = 0; col < imagewidth; col += tw) { ++ for (col = 0; col < imagewidth && colb < imagew; col += tw) { + if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0 + && !ignore) { + TIFFError(TIFFFileName(in), +@@ -1515,7 +1515,7 @@ DECLAREwriteFunc(writeBufferToContigTiles) + uint32 colb = 0; + uint32 col; + +- for (col = 0; col < imagewidth; col += tw) { ++ for (col = 0; col < imagewidth && colb < imagew; col += tw) { + /* + * Tile is clipped horizontally. Calculate + * visible portion and skewing factors. +-- +2.7.4 + diff --git a/SOURCES/libtiff-CVE-2018-10779.patch b/SOURCES/libtiff-CVE-2018-10779.patch new file mode 100644 index 0000000..3241375 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-10779.patch @@ -0,0 +1,32 @@ +From 12f57b64abecdb610aee44b70d2379c301ce5b09 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Wed, 15 Aug 2018 16:34:40 +0200 +Subject: [PATCH 04/10] TIFFSetupStrips(): avoid potential uint32 overflow on + 32-bit systems with large number of strips. Probably relates to + http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779 + +--- + libtiff/tif_write.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c +index ce671af..c7c29a5 100644 +--- a/libtiff/tif_write.c ++++ b/libtiff/tif_write.c +@@ -484,9 +484,11 @@ TIFFSetupStrips(TIFF* tif) + if (td->td_planarconfig == PLANARCONFIG_SEPARATE) + td->td_stripsperimage /= td->td_samplesperpixel; + td->td_stripoffset = (uint64 *) +- _TIFFmalloc(td->td_nstrips * sizeof (uint64)); ++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), ++ "for \"StripOffsets\" array"); + td->td_stripbytecount = (uint64 *) +- _TIFFmalloc(td->td_nstrips * sizeof (uint64)); ++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), ++ "for \"StripByteCounts\" array"); + if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) + return (0); + /* +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-10963.patch b/SOURCES/libtiff-CVE-2018-10963.patch new file mode 100644 index 0000000..21ff7f1 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-10963.patch @@ -0,0 +1,31 @@ +From db1b2741b413714c69f67842d40d78d793ef47e8 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 12 May 2018 14:24:15 +0200 +Subject: [PATCH 05/10] TIFFWriteDirectorySec: avoid assertion. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 + +--- + libtiff/tif_dirwrite.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index fa68d1c..fd0d31c 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -688,8 +688,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) + } + break; + default: +- assert(0); /* we should never get here */ +- break; ++ TIFFErrorExt(tif->tif_clientdata,module, ++ "Cannot write tag %d (%s)", ++ TIFFFieldTag(o), ++ o->field_name ? o->field_name : "unknown"); ++ goto bad; + } + } + } +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-12900.patch b/SOURCES/libtiff-CVE-2018-12900.patch new file mode 100644 index 0000000..a437365 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-12900.patch @@ -0,0 +1,29 @@ +From 38e3984b95ed5dc9820cba7af13c9a000eba9742 Mon Sep 17 00:00:00 2001 +From: pgajdos +Date: Tue, 13 Nov 2018 09:03:31 +0100 +Subject: [PATCH 06/10] prevent integer overflow + +--- + tools/tiffcp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 2903461..754ee9f 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1402,6 +1402,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + status = 0; + goto done; + } ++ if (0xFFFFFFFF / tilew < spp) ++ { ++ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps); ++ status = 0; ++ goto done; ++ } + /* + * Tile is clipped horizontally. Calculate + * visible portion and skewing factors. +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-17100.patch b/SOURCES/libtiff-CVE-2018-17100.patch new file mode 100644 index 0000000..524bc78 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-17100.patch @@ -0,0 +1,39 @@ +From b103d539e2421a66db911f069885ffbd5760bffd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Thu, 6 Dec 2018 14:58:16 +0100 +Subject: [PATCH 07/10] Fix CVE-2018-17100 + +--- + tools/ppm2tiff.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c +index 8e168ad..fc97983 100644 +--- a/tools/ppm2tiff.c ++++ b/tools/ppm2tiff.c +@@ -72,15 +72,16 @@ BadPPM(char* file) + exit(-2); + } + ++ ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- tmsize_t bytes = m1 * m2; +- +- if (m1 && bytes / m1 != m2) +- bytes = 0; +- +- return bytes; ++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) ++ return 0; ++ return m1 * m2; + } + + int +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-17101.patch b/SOURCES/libtiff-CVE-2018-17101.patch new file mode 100644 index 0000000..f6c0bd9 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-17101.patch @@ -0,0 +1,71 @@ +From 666a205254d095947de95670f014fe30137c0014 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Thu, 6 Dec 2018 14:59:10 +0100 +Subject: [PATCH 08/10] Fix CVE-2018-17101 + +--- + tools/pal2rgb.c | 18 +++++++++++++++++- + tools/tiff2bw.c | 18 +++++++++++++++++- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 426bbc0..994757a 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -389,7 +389,23 @@ cpTags(TIFF* in, TIFF* out) + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index 02605df..53067e7 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -427,7 +427,23 @@ cpTags(TIFF* in, TIFF* out) + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-18557.patch b/SOURCES/libtiff-CVE-2018-18557.patch new file mode 100644 index 0000000..27d476c --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-18557.patch @@ -0,0 +1,89 @@ +From ac1ad5a48fe981a8a9b6911886894520bbe0c71e Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 14 Oct 2018 16:38:29 +0200 +Subject: [PATCH 09/10] JBIG: fix potential out-of-bounds write in JBIGDecode() + +JBIGDecode doesn't check if the user provided buffer is large enough +to store the JBIG decoded image, which can potentially cause out-of-bounds +write in the buffer. +This issue was reported and analyzed by Thomas Dullien. + +Also fixes a (harmless) potential use of uninitialized memory when +tif->tif_rawsize > tif->tif_rawcc + +And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure +that whole strip data is provided to JBIGDecode() +--- + libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 37878f6..667f3ff 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + struct jbg_dec_state decoder; + int decodeStatus = 0; + unsigned char* pImage = NULL; +- (void) size, (void) s; ++ unsigned long decodedSize; ++ (void) s; + + if (isFillOrder(tif, tif->tif_dir.td_fillorder)) + { +- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); ++ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); + } + + jbg_dec_init(&decoder); + + #if defined(HAVE_JBG_NEWLEN) +- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); ++ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); + /* + * I do not check the return status of jbg_newlen because even if this + * function fails it does not necessarily mean that decoding the image +@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + */ + #endif /* HAVE_JBG_NEWLEN */ + +- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, +- (size_t)tif->tif_rawdatasize, NULL); ++ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, ++ (size_t)tif->tif_rawcc, NULL); + if (JBG_EOK != decodeStatus) + { + /* +@@ -97,9 +98,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + return 0; + } + ++ decodedSize = jbg_dec_getsize(&decoder); ++ if( (tmsize_t)decodedSize < size ) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "JBIG", ++ "Only decoded %lu bytes, whereas %lu requested", ++ decodedSize, (unsigned long)size); ++ } ++ else if( (tmsize_t)decodedSize > size ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "JBIG", ++ "Decoded %lu bytes, whereas %lu were requested", ++ decodedSize, (unsigned long)size); ++ jbg_dec_free(&decoder); ++ return 0; ++ } + pImage = jbg_dec_getimage(&decoder, 0); +- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); ++ _TIFFmemcpy(buffer, pImage, decodedSize); + jbg_dec_free(&decoder); ++ ++ tif->tif_rawcp += tif->tif_rawcc; ++ tif->tif_rawcc = 0; ++ + return 1; + } + +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-18661.patch b/SOURCES/libtiff-CVE-2018-18661.patch new file mode 100644 index 0000000..dc7014f --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-18661.patch @@ -0,0 +1,196 @@ +From c188f95bd865b1428f88c193b895fe9b3f6767e9 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 30 Oct 2018 18:50:27 +0100 +Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of + memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / + CVE-2018-18661 + +--- + libtiff/tiffiop.h | 1 + + tools/tiff2bw.c | 63 +++++++++++++++++++++++++++++++++++++++-------- + tools/tiffcrop.c | 5 ---- + 3 files changed, 54 insertions(+), 15 deletions(-) + +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index 53357d8..8d1357b 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -66,6 +66,7 @@ extern void *lfind(const void *, const void *, size_t *, size_t, + #endif + + #define streq(a,b) (strcmp(a,b) == 0) ++#define strneq(a,b,n) (strncmp(a,b,n) == 0) + + #ifndef TRUE + #define TRUE 1 +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index 53067e7..ad797b2 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -40,9 +40,7 @@ + #endif + + #include "tiffio.h" +- +-#define streq(a,b) (strcmp((a),(b)) == 0) +-#define strneq(a,b,n) (strncmp(a,b,n) == 0) ++#include "tiffiop.h" + + /* x% weighting -> fraction of full color */ + #define PCT(x) (((x)*255+127)/100) +@@ -130,6 +128,11 @@ main(int argc, char* argv[]) + extern int optind; + extern char *optarg; + ++ in = (TIFF *) NULL; ++ out = (TIFF *) NULL; ++ inbuf = (unsigned char *) NULL; ++ outbuf = (unsigned char *) NULL; ++ + while ((c = getopt(argc, argv, "c:r:R:G:B:")) != -1) + switch (c) { + case 'c': /* compression scheme */ +@@ -163,24 +166,24 @@ main(int argc, char* argv[]) + fprintf(stderr, + "%s: Bad photometric; can only handle RGB and Palette images.\n", + argv[optind]); +- return (-1); ++ goto tiff2bw_error; + } + TIFFGetField(in, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel); + if (samplesperpixel != 1 && samplesperpixel != 3) { + fprintf(stderr, "%s: Bad samples/pixel %u.\n", + argv[optind], samplesperpixel); +- return (-1); ++ goto tiff2bw_error; + } + if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { + fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", + argv[optind], samplesperpixel); +- return (-1); ++ goto tiff2bw_error; + } + TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); + if (bitspersample != 8) { + fprintf(stderr, + " %s: Sorry, only handle 8-bit samples.\n", argv[optind]); +- return (-1); ++ goto tiff2bw_error; + } + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &w); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &h); +@@ -188,7 +191,7 @@ main(int argc, char* argv[]) + + out = TIFFOpen(argv[optind+1], "w"); + if (out == NULL) +- return (-1); ++ goto tiff2bw_error; + TIFFSetField(out, TIFFTAG_IMAGEWIDTH, w); + TIFFSetField(out, TIFFTAG_IMAGELENGTH, h); + TIFFSetField(out, TIFFTAG_BITSPERSAMPLE, 8); +@@ -214,6 +217,11 @@ main(int argc, char* argv[]) + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); + outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ if( !outbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, + TIFFDefaultStripSize(out, rowsperstrip)); + +@@ -237,6 +245,11 @@ main(int argc, char* argv[]) + #undef CVT + } + inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + if (TIFFReadScanline(in, inbuf, row, 0) < 0) + break; +@@ -247,6 +260,11 @@ main(int argc, char* argv[]) + break; + case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG): + inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + if (TIFFReadScanline(in, inbuf, row, 0) < 0) + break; +@@ -256,23 +274,48 @@ main(int argc, char* argv[]) + } + break; + case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE): ++ { ++ tmsize_t inbufsize; + rowsize = TIFFScanlineSize(in); +- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize); ++ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize); ++ inbuf = (unsigned char *)_TIFFmalloc(inbufsize); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + for (s = 0; s < 3; s++) + if (TIFFReadScanline(in, + inbuf+s*rowsize, row, s) < 0) +- return (-1); ++ goto tiff2bw_error; + compresssep(outbuf, + inbuf, inbuf+rowsize, inbuf+2*rowsize, w); + if (TIFFWriteScanline(out, outbuf, row, 0) < 0) + break; + } + break; ++ } + } + #undef pack ++ if (inbuf) ++ _TIFFfree(inbuf); ++ if (outbuf) ++ _TIFFfree(outbuf); ++ TIFFClose(in); + TIFFClose(out); + return (0); ++ ++ tiff2bw_error: ++ if (inbuf) ++ _TIFFfree(inbuf); ++ if (outbuf) ++ _TIFFfree(outbuf); ++ if (out) ++ TIFFClose(out); ++ if (in) ++ TIFFClose(in); ++ return (-1); + } + + static int +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 02c53cd..0192f3f 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -148,11 +148,6 @@ extern int getopt(int, char**, char*); + #define PATH_MAX 1024 + #endif + +-#ifndef streq +-#define streq(a,b) (strcmp((a),(b)) == 0) +-#endif +-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0) +- + #define TRUE 1 + #define FALSE 0 + +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-7456.patch b/SOURCES/libtiff-CVE-2018-7456.patch new file mode 100644 index 0000000..5ae9a50 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-7456.patch @@ -0,0 +1,222 @@ +From 52dcdc1d89925fe7e362b2cc9cae699773f9618e Mon Sep 17 00:00:00 2001 +From: Hugo Lefeuvre +Date: Sun, 8 Apr 2018 14:07:08 -0400 +Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory + +The TIFFPrintDirectory function relies on the following assumptions, +supposed to be guaranteed by the specification: + +(a) A Transfer Function field is only present if the TIFF file has + photometric type < 3. + +(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field + has count SamplesPerPixel - (Color Channels) and contains + information about supplementary channels. + +While respect of (a) and (b) are essential for the well functioning of +TIFFPrintDirectory, no checks are realized neither by the callee nor +by TIFFPrintDirectory itself. Hence, following scenarios might happen +and trigger the NULL pointer dereference: + +(1) TIFF File of photometric type 4 or more has illegal Transfer + Function field. + +(2) TIFF File has photometric type 3 or less and defines a + SamplesPerPixel field such that SamplesPerPixel > Color Channels + without defining all extra samples in the ExtraSamples fields. + +In this patch, we address both issues with respect of the following +principles: + +(A) In the case of (1), the defined transfer table should be printed + safely even if it isn't 'legal'. This allows us to avoid expensive + checks in TIFFPrintDirectory. Also, it is quite possible that + an alternative photometric type would be developed (not part of the + standard) and would allow definition of Transfer Table. We want + libtiff to be able to handle this scenario out of the box. + +(B) In the case of (2), the transfer table should be printed at its + right size, that is if TIFF file has photometric type Palette + then the transfer table should have one row and not three, even + if two extra samples are declared. + +In order to fulfill (A) we simply add a new 'i < 3' end condition to +the broken TIFFPrintDirectory loop. This makes sure that in any case +where (b) would be respected but not (a), everything stays fine. + +(B) is fulfilled by the loop condition +'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as +long as (b) is respected. + +Naturally, we also make sure (b) is respected. This is done in the +TIFFReadDirectory function by making sure any non-color channel is +counted in ExtraSamples. + +This commit addresses CVE-2018-7456. +--- + libtiff/tif_dirread.c | 61 +++++++++++++++++++++++++++++++++++++++++++ + libtiff/tif_print.c | 2 +- + libtiff/tif_unix.c | 8 ++++++ + libtiff/tif_win32.c | 8 ++++++ + libtiff/tiffio.h | 1 + + 5 files changed, 79 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 6667228..4f07bc8 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin + static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); + static void ChopUpSingleUncompressedStrip(TIFF*); + static uint64 TIFFReadUInt64(const uint8 *value); ++static int _TIFFGetMaxColorChannels(uint16 photometric); + + typedef union _UInt64Aligned_t + { +@@ -3415,6 +3416,34 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c + } + } + ++/* ++ * Return the maximum number of color channels specified for a given photometric ++ * type. 0 is returned if photometric type isn't supported or no default value ++ * is defined by the specification. ++ */ ++static int _TIFFGetMaxColorChannels( uint16 photometric ) ++{ ++ switch (photometric) { ++ case PHOTOMETRIC_PALETTE: ++ case PHOTOMETRIC_MINISWHITE: ++ case PHOTOMETRIC_MINISBLACK: ++ return 1; ++ case PHOTOMETRIC_YCBCR: ++ case PHOTOMETRIC_RGB: ++ case PHOTOMETRIC_CIELAB: ++ return 3; ++ case PHOTOMETRIC_SEPARATED: ++ case PHOTOMETRIC_MASK: ++ return 4; ++ case PHOTOMETRIC_LOGL: ++ case PHOTOMETRIC_LOGLUV: ++ case PHOTOMETRIC_ITULAB: ++ case PHOTOMETRIC_ICCLAB: ++ default: ++ return 0; ++ } ++} ++ + /* + * Read the next TIFF directory from a file and convert it to the internal + * format. We read directories sequentially. +@@ -3430,6 +3459,7 @@ TIFFReadDirectory(TIFF* tif) + const TIFFField* fip; + uint32 fii=FAILED_FII; + toff_t nextdiroff; ++ int color_channels; + tif->tif_diroff=tif->tif_nextdiroff; + if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) + return 0; /* last offset or bad offset (IFD looping) */ +@@ -3909,6 +3939,37 @@ TIFFReadDirectory(TIFF* tif) + } + } + } ++ ++ /* ++ * Make sure all non-color channels are extrasamples. ++ * If it's not the case, define them as such. ++ */ ++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); ++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { ++ uint16 old_extrasamples; ++ uint16 *new_sampleinfo; ++ ++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " ++ "color channels and ExtraSamples doesn't match SamplesPerPixel. " ++ "Defining non-color channels as ExtraSamples."); ++ ++ old_extrasamples = tif->tif_dir.td_extrasamples; ++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); ++ ++ // sampleinfo should contain information relative to these new extra samples ++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); ++ if (!new_sampleinfo) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " ++ "temporary new sampleinfo array (%d 16 bit elements)", ++ tif->tif_dir.td_extrasamples); ++ goto bad; ++ } ++ ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); ++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); ++ _TIFFfree(new_sampleinfo); ++ } ++ + /* + * Verify Palette image has a Colormap. + */ +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index b323ef1..8c075e5 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -541,7 +541,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + for (l = 0; l < n; l++) { + fprintf(fd, " %2lu: %5u", + l, td->td_transferfunction[0][l]); +- for (i = 1; i < td->td_samplesperpixel; i++) ++ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) + fprintf(fd, " %5u", + td->td_transferfunction[i][l]); + fputc('\n', fd); +diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c +index 0a3a4a8..5c00917 100644 +--- a/libtiff/tif_unix.c ++++ b/libtiff/tif_unix.c +@@ -262,6 +262,14 @@ _TIFFmalloc(tmsize_t s) + return (malloc((size_t) s)); + } + ++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) ++{ ++ if( nmemb == 0 || siz == 0 ) ++ return ((void *) NULL); ++ ++ return calloc((size_t) nmemb, (size_t)siz); ++} ++ + void + _TIFFfree(void* p) + { +diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c +index 4a2466f..ef6be08 100644 +--- a/libtiff/tif_win32.c ++++ b/libtiff/tif_win32.c +@@ -334,6 +334,14 @@ _TIFFmalloc(tmsize_t s) + return (malloc((size_t) s)); + } + ++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) ++{ ++ if( nmemb == 0 || siz == 0 ) ++ return ((void *) NULL); ++ ++ return calloc((size_t) nmemb, (size_t)siz); ++} ++ + void + _TIFFfree(void* p) + { +diff --git a/libtiff/tiffio.h b/libtiff/tiffio.h +index 038b670..9b39392 100644 +--- a/libtiff/tiffio.h ++++ b/libtiff/tiffio.h +@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void); + */ + + extern void* _TIFFmalloc(tmsize_t s); ++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); + extern void* _TIFFrealloc(void* p, tmsize_t s); + extern void _TIFFmemset(void* p, int v, tmsize_t c); + extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-8905.patch b/SOURCES/libtiff-CVE-2018-8905.patch new file mode 100644 index 0000000..6b16f2b --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-8905.patch @@ -0,0 +1,52 @@ +From ba8ce45d1eda9c6291af38f41f09a5c9d238f707 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 12 May 2018 15:32:31 +0200 +Subject: [PATCH 03/10] LZWDecodeCompat(): fix potential index-out-of-bounds + write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / + CVE-2018-8905 + +The fix consists in using the similar code LZWDecode() to validate we +don't write outside of the output buffer. +--- + libtiff/tif_lzw.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index d7fbe74..af35c2a 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -589,6 +589,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + char *tp; + unsigned char *bp; + int code, nbits; ++ int len; + long nextbits, nextdata, nbitsmask; + code_t *codep, *free_entp, *maxcodep, *oldcodep; + +@@ -733,12 +734,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + } while (--occ); + break; + } +- assert(occ >= codep->length); +- op += codep->length, occ -= codep->length; +- tp = op; ++ len = codep->length; ++ tp = op + len; + do { +- *--tp = codep->value; +- } while( (codep = codep->next) != NULL ); ++ int t; ++ --tp; ++ t = codep->value; ++ codep = codep->next; ++ *tp = (char)t; ++ } while (codep && tp > op); ++ assert(occ >= len); ++ op += len; ++ occ -= len; + } else + *op++ = code, occ--; + } +-- +2.17.2 + diff --git a/SOURCES/libtiff-am-version.patch b/SOURCES/libtiff-am-version.patch new file mode 100644 index 0000000..c94c2e0 --- /dev/null +++ b/SOURCES/libtiff-am-version.patch @@ -0,0 +1,31 @@ +Back off the minimum required automake version to 1.11. There isn't +anything in libtiff currently that actually requires 1.12, and changing +this allows the package to be built on pre-F18 machines for easier testing. + +This patch can go away once we no longer care about testing on pre-F18. + + +diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am +--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400 ++++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400 +@@ -25,7 +25,7 @@ + + docdir = $(LIBTIFF_DOCDIR) + +-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign ++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign + ACLOCAL_AMFLAGS = -I m4 + + docfiles = \ +diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am +--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400 ++++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400 +@@ -23,7 +23,7 @@ + + # Process this file with automake to produce Makefile.in. + +-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign ++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign + + LIBTIFF = $(top_builddir)/libtiff/libtiff.la + diff --git a/SOURCES/libtiff-coverity.patch b/SOURCES/libtiff-coverity.patch new file mode 100644 index 0000000..39c84e3 --- /dev/null +++ b/SOURCES/libtiff-coverity.patch @@ -0,0 +1,215 @@ +From f4ee7a53cc422490986225c49f92935b3ba52866 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Thu, 13 Dec 2018 17:06:44 +0100 +Subject: [PATCH] Fix Covscan defects + +--- + contrib/addtiffo/addtiffo.c | 3 ++- + libtiff/tif_dir.c | 2 +- + libtiff/tif_ojpeg.c | 7 ++++++- + tools/gif2tiff.c | 21 +++++++++++++++------ + tools/ras2tiff.c | 22 +++++++++++++++++++++- + tools/rasterfile.h | 16 +++++++++------- + tools/tiffcrop.c | 4 ++++ + 7 files changed, 58 insertions(+), 17 deletions(-) + +diff --git a/contrib/addtiffo/addtiffo.c b/contrib/addtiffo/addtiffo.c +index d3920e2..47f5fa8 100644 +--- a/contrib/addtiffo/addtiffo.c ++++ b/contrib/addtiffo/addtiffo.c +@@ -120,7 +120,8 @@ int main( int argc, char ** argv ) + while( nOverviewCount < argc - 2 && nOverviewCount < 100 ) + { + anOverviews[nOverviewCount] = atoi(argv[nOverviewCount+2]); +- if( anOverviews[nOverviewCount] <= 0) ++ if( (anOverviews[nOverviewCount] <= 0) || ++ ((anOverviews[nOverviewCount] > 1024))) + { + fprintf( stderr, "Incorrect parameters\n" ); + return(1); +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index f812fa2..9c613da 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -706,7 +706,7 @@ badvaluedouble: + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Bad value %f for \"%s\" tag", + tif->tif_name, dblval, +- fip->field_name); ++ fip ? fip->field_name : "Unknown"); + va_end(ap); + } + return (0); +diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c +index 6ea3c38..1d9c77c 100644 +--- a/libtiff/tif_ojpeg.c ++++ b/libtiff/tif_ojpeg.c +@@ -528,6 +528,8 @@ OJPEGVSetField(TIFF* tif, uint32 tag, va_list ap) + uint32 ma; + uint64* mb; + uint32 n; ++ const TIFFField* fip; ++ + switch(tag) + { + case TIFFTAG_JPEGIFOFFSET: +@@ -597,7 +599,10 @@ OJPEGVSetField(TIFF* tif, uint32 tag, va_list ap) + default: + return (*sp->vsetparent)(tif,tag,ap); + } +- TIFFSetFieldBit(tif,TIFFFieldWithTag(tif,tag)->field_bit); ++ fip = TIFFFieldWithTag(tif,tag); ++ if( fip == NULL ) /* shouldn't happen */ ++ return(0); ++ TIFFSetFieldBit(tif,fip->field_bit); + tif->tif_flags|=TIFF_DIRTYDIRECT; + return(1); + } +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index e89ac5b..012345d 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + #include + + #ifdef HAVE_UNISTD_H +@@ -266,13 +267,15 @@ readgifimage(char* mode) + unsigned char localmap[256][3]; + int localbits; + int status; ++ size_t raster_size; + +- if (fread(buf, 1, 9, infile) == 0) { +- perror(filename); ++ if (fread(buf, 1, 9, infile) != 9) { ++ fprintf(stderr, "short read from file %s (%s)\n", ++ filename, strerror(errno)); + return (0); + } +- width = buf[4] + (buf[5] << 8); +- height = buf[6] + (buf[7] << 8); ++ width = (buf[4] + (buf[5] << 8)) & 0xffff; /* 16 bit */ ++ height = (buf[6] + (buf[7] << 8)) & 0xffff; /* 16 bit */ + local = buf[8] & 0x80; + interleaved = buf[8] & 0x40; + +@@ -280,11 +283,17 @@ readgifimage(char* mode) + fprintf(stderr, "no colormap present for image\n"); + return (0); + } +- if (width == 0 || height == 0) { ++ if (width == 0UL || height == 0UL || (width > 2000000000UL / height)) { + fprintf(stderr, "Invalid value of width or height\n"); + return(0); + } +- if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { ++ raster_size=width*height; ++ if ((raster_size/width) == height) { ++ raster_size += EXTRAFUDGE; /* Add elbow room */ ++ } else { ++ raster_size=0; ++ } ++ if ((raster = (unsigned char*) _TIFFmalloc(raster_size)) == NULL) { + fprintf(stderr, "not enough memory for image\n"); + return (0); + } +diff --git a/tools/ras2tiff.c b/tools/ras2tiff.c +index ec8a071..007dd8c 100644 +--- a/tools/ras2tiff.c ++++ b/tools/ras2tiff.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #ifdef HAVE_UNISTD_H + # include +@@ -122,6 +123,25 @@ main(int argc, char* argv[]) + fclose(in); + return (-3); + } ++ if ((h.ras_width <= 0) || (h.ras_width >= INT_MAX) || ++ (h.ras_height <= 0) || (h.ras_height >= INT_MAX) || ++ (h.ras_depth <= 0) || (h.ras_depth >= INT_MAX) || ++ (h.ras_length <= 0) || (h.ras_length >= INT_MAX) || ++ (h.ras_type < 0) || ++ (h.ras_maptype < 0) || ++ (h.ras_maplength < 0) || (h.ras_maplength >= INT_MAX)) { ++ fprintf(stderr, "%s: Improper image header.\n", argv[optind]); ++ fclose(in); ++ return (-2); ++ } ++ if ((h.ras_depth != 1) && ++ (h.ras_depth != 8) && ++ (h.ras_depth != 24)) { ++ fprintf(stderr, "%s: Improper image depth (%d).\n", ++ argv[optind], h.ras_depth); ++ fclose(in); ++ return (-2); ++ } + out = TIFFOpen(argv[optind+1], "w"); + if (out == NULL) + { +@@ -153,7 +173,7 @@ main(int argc, char* argv[]) + mapsize = 1< mapsize*3) { + fprintf(stderr, +- "%s: Huh, %ld colormap entries, should be %d?\n", ++ "%s: Huh, %d colormap entries, should be %d?\n", + argv[optind], h.ras_maplength, mapsize*3); + return (-7); + } +diff --git a/tools/rasterfile.h b/tools/rasterfile.h +index 833e095..33da707 100644 +--- a/tools/rasterfile.h ++++ b/tools/rasterfile.h +@@ -1,17 +1,19 @@ + /* $Header: /cvs/libtiff/tools/rasterfile.h,v 1.3 2003/11/12 19:14:33 dron Exp $ */ + ++#include "tiff.h" ++ + /* + * Description of header for files containing raster images + */ + struct rasterfile { + char ras_magic[4]; /* magic number */ +- long ras_width; /* width (pixels) of image */ +- long ras_height; /* height (pixels) of image */ +- long ras_depth; /* depth (1, 8, or 24 bits) of pixel */ +- long ras_length; /* length (bytes) of image */ +- long ras_type; /* type of file; see RT_* below */ +- long ras_maptype; /* type of colormap; see RMT_* below */ +- long ras_maplength; /* length (bytes) of following map */ ++ int32 ras_width; /* width (pixels) of image */ ++ int32 ras_height; /* height (pixels) of image */ ++ int32 ras_depth; /* depth (1, 8, or 24 bits) of pixel */ ++ int32 ras_length; /* length (bytes) of image */ ++ int32 ras_type; /* type of file; see RT_* below */ ++ int32 ras_maptype; /* type of colormap; see RMT_* below */ ++ int32 ras_maplength; /* length (bytes) of following map */ + /* color map follows for ras_maplength bytes, followed by image */ + }; + #define RAS_MAGIC "\x59\xa6\x6a\x95" +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 0192f3f..ae6ec1a 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2029,6 +2029,10 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + { + crop_data->zones++; + opt_offset = strchr(opt_ptr, ':'); ++ if (!opt_offset) { ++ TIFFError("Wrong parameter syntax for -Z", "tiffcrop -h"); ++ exit(-1); ++ } + *opt_offset = '\0'; + crop_data->zonelist[i].position = atoi(opt_ptr); + crop_data->zonelist[i].total = atoi(opt_offset + 1); +-- +2.21.0 + diff --git a/SOURCES/libtiff-jpeg-test.patch b/SOURCES/libtiff-jpeg-test.patch new file mode 100644 index 0000000..92cff7e --- /dev/null +++ b/SOURCES/libtiff-jpeg-test.patch @@ -0,0 +1,122 @@ +Back-port upstream patch to avoid assuming quite so much about what libjpeg +will return. Needed because libjpeg-turbo with the jpeg8 API broke the +expectations of the previous coding. + + +diff -Naur tiff-4.0.3.orig/test/raw_decode.c tiff-4.0.3/test/raw_decode.c +--- tiff-4.0.3.orig/test/raw_decode.c 2012-07-06 13:05:16.000000000 -0400 ++++ tiff-4.0.3/test/raw_decode.c 2012-12-19 13:04:37.609738276 -0500 +@@ -71,33 +71,54 @@ + return 1; + } + +-static int check_rgb_pixel( int pixel, int red, int green, int blue, unsigned char *buffer ) { ++static int check_rgb_pixel( int pixel, ++ int min_red, int max_red, ++ int min_green, int max_green, ++ int min_blue, int max_blue, ++ unsigned char *buffer ) { + unsigned char *rgb = buffer + 3 * pixel; + +- if( rgb[0] == red && rgb[1] == green && rgb[2] == blue ) { ++ if( rgb[0] >= min_red && rgb[0] <= max_red && ++ rgb[1] >= min_green && rgb[1] <= max_green && ++ rgb[2] >= min_blue && rgb[2] <= max_blue ) { + return 0; + } + + fprintf( stderr, "Pixel %d did not match expected results.\n", pixel ); +- fprintf( stderr, "Expect: %3d %3d %3d\n", red, green, blue ); +- fprintf( stderr, " Got: %3d %3d %3d\n", rgb[0], rgb[1], rgb[2] ); ++ fprintf( stderr, "Got R=%d (expected %d..%d), G=%d (expected %d..%d), B=%d (expected %d..%d)\n", ++ rgb[0], min_red, max_red, ++ rgb[1], min_green, max_green, ++ rgb[2], min_blue, max_blue ); + return 1; + } + +-static int check_rgba_pixel( int pixel, int red, int green, int blue, int alpha, uint32 *buffer ) { ++static int check_rgba_pixel( int pixel, ++ int min_red, int max_red, ++ int min_green, int max_green, ++ int min_blue, int max_blue, ++ int min_alpha, int max_alpha, ++ uint32 *buffer ) { + /* RGBA images are upside down - adjust for normal ordering */ + int adjusted_pixel = pixel % 128 + (127 - (pixel/128)) * 128; + uint32 rgba = buffer[adjusted_pixel]; + +- if( TIFFGetR(rgba) == (uint32) red && TIFFGetG(rgba) == (uint32) green && +- TIFFGetB(rgba) == (uint32) blue && TIFFGetA(rgba) == (uint32) alpha ) { ++ if( TIFFGetR(rgba) >= (uint32) min_red && ++ TIFFGetR(rgba) <= (uint32) max_red && ++ TIFFGetG(rgba) >= (uint32) min_green && ++ TIFFGetG(rgba) <= (uint32) max_green && ++ TIFFGetB(rgba) >= (uint32) min_blue && ++ TIFFGetB(rgba) <= (uint32) max_blue && ++ TIFFGetA(rgba) >= (uint32) min_alpha && ++ TIFFGetA(rgba) <= (uint32) max_alpha ) { + return 0; + } + + fprintf( stderr, "Pixel %d did not match expected results.\n", pixel ); +- fprintf( stderr, "Expect: %3d %3d %3d %3d\n", red, green, blue, alpha ); +- fprintf( stderr, " Got: %3d %3d %3d %3d\n", +- TIFFGetR(rgba), TIFFGetG(rgba), TIFFGetB(rgba), TIFFGetA(rgba) ); ++ fprintf( stderr, "Got R=%d (expected %d..%d), G=%d (expected %d..%d), B=%d (expected %d..%d), A=%d (expected %d..%d)\n", ++ TIFFGetR(rgba), min_red, max_red, ++ TIFFGetG(rgba), min_green, max_green, ++ TIFFGetB(rgba), min_blue, max_blue, ++ TIFFGetA(rgba), min_alpha, max_alpha ); + return 1; + } + +@@ -191,15 +212,17 @@ + return 1; + } + +-#if JPEG_LIB_VERSION >= 70 +- pixel_status |= check_rgb_pixel( 0, 18, 0, 41, buffer ); +- pixel_status |= check_rgb_pixel( 64, 0, 0, 0, buffer ); +- pixel_status |= check_rgb_pixel( 512, 5, 34, 196, buffer ); +-#else +- pixel_status |= check_rgb_pixel( 0, 15, 0, 18, buffer ); +- pixel_status |= check_rgb_pixel( 64, 0, 0, 2, buffer ); +- pixel_status |= check_rgb_pixel( 512, 6, 36, 182, buffer ); +-#endif ++ /* ++ * JPEG decoding is inherently inexact, so we can't test for exact ++ * pixel values. (Well, if we knew exactly which libjpeg version ++ * we were using, and with what settings, we could expect specific ++ * values ... but it's not worth the trouble to keep track of.) ++ * Hence, use ranges of expected values. The ranges may need to be ++ * widened over time as more versions of libjpeg appear. ++ */ ++ pixel_status |= check_rgb_pixel( 0, 15, 18, 0, 0, 18, 41, buffer ); ++ pixel_status |= check_rgb_pixel( 64, 0, 0, 0, 0, 0, 2, buffer ); ++ pixel_status |= check_rgb_pixel( 512, 5, 6, 34, 36, 182, 196, buffer ); + + free( buffer ); + +@@ -224,15 +247,12 @@ + * accomplish it from the YCbCr subsampled buffer ourselves in which + * case the results may be subtly different but similar. + */ +-#if JPEG_LIB_VERSION >= 70 +- pixel_status |= check_rgba_pixel( 0, 18, 0, 41, 255, rgba_buffer ); +- pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 255, rgba_buffer ); +- pixel_status |= check_rgba_pixel( 512, 5, 34, 196, 255, rgba_buffer ); +-#else +- pixel_status |= check_rgba_pixel( 0, 15, 0, 18, 255, rgba_buffer ); +- pixel_status |= check_rgba_pixel( 64, 0, 0, 2, 255, rgba_buffer ); +- pixel_status |= check_rgba_pixel( 512, 6, 36, 182, 255, rgba_buffer ); +-#endif ++ pixel_status |= check_rgba_pixel( 0, 15, 18, 0, 0, 18, 41, 255, 255, ++ rgba_buffer ); ++ pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 0, 0, 2, 255, 255, ++ rgba_buffer ); ++ pixel_status |= check_rgba_pixel( 512, 5, 6, 34, 36, 182, 196, 255, 255, ++ rgba_buffer ); + + free( rgba_buffer ); + TIFFClose(tif); diff --git a/SOURCES/libtiff-make-check.patch b/SOURCES/libtiff-make-check.patch new file mode 100644 index 0000000..46796d4 --- /dev/null +++ b/SOURCES/libtiff-make-check.patch @@ -0,0 +1,26 @@ +diff --git a/html/man/Makefile.am b/html/man/Makefile.am +index ca222de..c7421ac 100644 +--- a/html/man/Makefile.am ++++ b/html/man/Makefile.am +@@ -85,7 +85,6 @@ docfiles = \ + ras2tiff.1.html \ + raw2tiff.1.html \ + rgb2ycbcr.1.html \ +- sgi2tiff.1.html \ + thumbnail.1.html \ + tiff2bw.1.html \ + tiff2pdf.1.html \ +@@ -96,12 +95,10 @@ docfiles = \ + tiffcrop.1.html \ + tiffdither.1.html \ + tiffdump.1.html \ +- tiffgt.1.html \ + tiffinfo.1.html \ + tiffmedian.1.html \ + tiffset.1.html \ +- tiffsplit.1.html \ +- tiffsv.1.html ++ tiffsplit.1.html + + dist_doc_DATA = $(indexfile) $(docfiles) + diff --git a/SOURCES/libtiff-manpage-update.patch b/SOURCES/libtiff-manpage-update.patch new file mode 100644 index 0000000..12d2aef --- /dev/null +++ b/SOURCES/libtiff-manpage-update.patch @@ -0,0 +1,119 @@ +diff --git a/man/tiff2ps.1 b/man/tiff2ps.1 +index c3a9bac..a826ad7 100644 +--- a/man/tiff2ps.1 ++++ b/man/tiff2ps.1 +@@ -100,6 +100,9 @@ Generate \*(Ps Level 2. + Generate \*(Ps Level 3. It basically allows one to use the /flateDecode + filter for ZIP compressed TIFF images. + .TP ++.B \-8 ++Disable use of ASCII85 encoding with PostScript Level 2/3 ++.TP + .B \-a + Generate output for all IFDs (pages) in the input file. + .TP +@@ -123,6 +126,9 @@ directory to the specified directory number. + This option is useful for selecting individual pages in a + multi-page (e.g. facsimile) file. + .TP ++.B \-D ++Enable duplex printing (two pages per sheet of paper) ++.TP + .B \-e + Force the generation of Encapsulated \*(Ps (implies + .BR \-z ). +@@ -185,6 +191,10 @@ like which are hidden using the + .I SubIFD + tag. + .TP ++.B \-O ++Write PostScript to specified file instead of standard output ++Set the initial ++.TP + .B \-p + Force the generation of (non-Encapsulated) \*(Ps. + .TP +@@ -188,6 +188,9 @@ Set the initial + .B \-p + Force the generation of (non-Encapsulated) \*(Ps. + .TP ++.B \-P ++Set optional PageOrientation DSC comment to Landscape or Portrait. ++.TP + .B \-r 90|180|270|auto + Rotate image by 90, 180, 270 degrees or auto. Auto picks the best + fit for the image on the specified paper size (eg portrait +@@ -197,6 +207,12 @@ counterclockwise. Auto rotates 90 degrees ccw to produce landscape. + .B \-s + Generate output for a single IFD (page) in the input file. + .TP ++.B \-t ++Specify the document title string ++.TP ++.B \-T ++Print pages for top edge binding ++.TP + .B \-w + Specify the horizontal size of the printed area (in inches). + .TP +diff --git a/man/tiffcp.1 b/man/tiffcp.1 +index 5fdcc47..bf50130 100644 +--- a/man/tiffcp.1 ++++ b/man/tiffcp.1 +@@ -60,6 +60,9 @@ in a file, but it is explicitly intended to not alter or convert + the image data content in any way. + .SH OPTIONS + .TP ++.BI \-a ++Append to an existing output file instead of overwriting it ++.TP + .BI \-b " image" + subtract the following monochrome image from all others + processed. This can be used to remove a noise bias +@@ -179,6 +182,9 @@ overwritten and not when it is appended to. + .B \-M + Suppress the use of memory-mapped files when reading images. + .TP ++.BI \-o " offset" ++Set initial directory offset ++.TP + .B \-p + Specify the planar configuration to use in writing image data + that has one 8-bit sample per pixel. +@@ -228,6 +228,9 @@ appear in a tile. + .B \-x + Force the output file to be written with PAGENUMBER value in sequence. + .TP ++.B \-8 ++Write BigTIFF instead of classic TIFF format. ++.TP + .BI \-,= character + substitute + .I character +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 0f81b19..8c696db 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -409,6 +409,10 @@ char* stuff[] = { + " -s write output in strips", + " -t write output in tiles", + " -8 write BigTIFF instead of default ClassicTIFF", ++" -B write big-endian instead of native byte order", ++" -L write little-endian instead of native byte order", ++" -M disable use of memory-mapped files", ++" -C disable strip chopping", + " -i ignore read errors", + " -b file[,#] bias (dark) monochrome image to be subtracted from all others", + " -,=% use % rather than , to separate image #'s (per Note below)", +diff --git a/man/tiff2ps.1 b/man/tiff2ps.1 +index b4a304a..0d672b0 100644 +--- a/man/tiff2ps.1 ++++ b/man/tiff2ps.1 +@@ -149,6 +149,7 @@ be split in several pages. Options + and + .B \-W + are mutually exclusive. ++.TP + .B \-i + Enable/disable pixel interpolation. This option requires a + single numeric value: zero to disable pixel interpolation and diff --git a/SOURCES/libtiff-printdir-width.patch b/SOURCES/libtiff-printdir-width.patch new file mode 100644 index 0000000..f41f027 --- /dev/null +++ b/SOURCES/libtiff-printdir-width.patch @@ -0,0 +1,20 @@ +Back-patch upstream patch of 2012-12-12 ("Fix TIFF_VARIABLE/TIFF_VARIABLE2 +confusion in TIFFPrintDirectory"). + + +diff -Naur tiff-4.0.3.orig/libtiff/tif_print.c tiff-4.0.3/libtiff/tif_print.c +--- tiff-4.0.3.orig/libtiff/tif_print.c 2012-08-19 12:56:35.000000000 -0400 ++++ tiff-4.0.3/libtiff/tif_print.c 2012-12-12 16:53:05.355927641 -0500 +@@ -582,10 +582,10 @@ + continue; + + if(fip->field_passcount) { +- if (fip->field_readcount == TIFF_VARIABLE ) { ++ if (fip->field_readcount == TIFF_VARIABLE2 ) { + if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1) + continue; +- } else if (fip->field_readcount == TIFF_VARIABLE2 ) { ++ } else if (fip->field_readcount == TIFF_VARIABLE ) { + uint16 small_value_count; + if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1) + continue; diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec new file mode 100644 index 0000000..59cbd7b --- /dev/null +++ b/SPECS/libtiff.spec @@ -0,0 +1,789 @@ +Summary: Library of functions for manipulating TIFF format image files +Name: libtiff +Version: 4.0.3 +Release: 32%{?dist} + +License: libtiff +Group: System Environment/Libraries +URL: http://www.remotesensing.org/libtiff/ + +Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz + +Patch0: libtiff-am-version.patch +Patch1: libtiff-CVE-2012-4447.patch +Patch2: libtiff-CVE-2012-4564.patch +Patch3: libtiff-printdir-width.patch +Patch4: libtiff-jpeg-test.patch +Patch5: libtiff-CVE-2013-1960.patch +Patch6: libtiff-CVE-2013-1961.patch +Patch7: libtiff-manpage-update.patch +Patch8: libtiff-make-check.patch +Patch9: libtiff-CVE-2013-4231.patch +Patch10: libtiff-CVE-2013-4232.patch +Patch11: libtiff-CVE-2013-4244.patch +Patch12: libtiff-CVE-2013-4243.patch +Patch13: libtiff-CVE-2014-9330.patch +Patch14: libtiff-CVE-2014-8127.patch +Patch15: libtiff-CVE-2014-8129.patch +Patch16: libtiff-CVE-2014-8130.patch +Patch17: libtiff-CVE-2014-9655.patch +Patch18: libtiff-CVE-2015-1547_8784.patch +Patch19: libtiff-CVE-2015-7554.patch +Patch20: libtiff-CVE-2015-8683_8665.patch +Patch21: libtiff-CVE-2015-8668.patch +Patch22: libtiff-CVE-2015-8781.patch +Patch23: libtiff-CVE-2016-3632.patch +Patch24: libtiff-CVE-2016-3945.patch +Patch25: libtiff-CVE-2016-3990.patch +Patch26: libtiff-CVE-2016-3991.patch +Patch27: libtiff-CVE-2016-5320.patch +Patch28: libtiff-CVE-2016-9533_9534_9536_9537.patch +Patch29: libtiff-CVE-2016-9535.patch +Patch30: libtiff-CVE-2016-9540.patch +Patch31: libtiff-CVE-2016-5652.patch +Patch32: libtiff-CVE-2015-8870.patch +Patch33: libtiff-CVE-2016-3186.patch +Patch34: libtiff-CVE-2018-7456.patch +Patch35: libtiff-CVE-2018-8905.patch +Patch36: libtiff-CVE-2018-10779.patch +Patch37: libtiff-CVE-2018-10963.patch +Patch38: libtiff-CVE-2018-12900.patch +Patch39: libtiff-CVE-2018-17100.patch +Patch40: libtiff-CVE-2018-17101.patch +Patch41: libtiff-CVE-2018-18557.patch +Patch42: libtiff-CVE-2018-18661.patch +Patch43: libtiff-coverity.patch + +BuildRequires: zlib-devel libjpeg-devel jbigkit-devel +BuildRequires: libtool automake autoconf pkgconfig + +%description +The libtiff package contains a library of functions for manipulating +TIFF (Tagged Image File Format) image format files. TIFF is a widely +used file format for bitmapped images. TIFF files usually end in the +.tif extension and they are often quite large. + +The libtiff package should be installed if you need to manipulate TIFF +format image files. + +%package devel +Summary: Development tools for programs which will use the libtiff library +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig%{?_isa} + +%description devel +This package contains the header files and documentation necessary for +developing programs which will manipulate TIFF format image files +using the libtiff library. + +If you need to develop programs which will manipulate TIFF format +image files, you should install this package. You'll also need to +install the libtiff package. + +%package static +Summary: Static TIFF image format file library +Group: Development/Libraries +Requires: %{name}-devel%{?_isa} = %{version}-%{release} + +%description static +The libtiff-static package contains the statically linkable version of libtiff. +Linking to static libraries is discouraged for most applications, but it is +necessary for some boot packages. + +%package tools +Summary: Command-line utility programs for manipulating TIFF files +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description tools +This package contains command-line programs for manipulating TIFF format +image files using the libtiff library. + +%prep +%setup -q -n tiff-%{version} + +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 +%patch43 -p1 + +# Use build system's libtool.m4, not the one in the package. +rm -f libtool.m4 + +libtoolize --force --copy +aclocal -I . -I m4 +automake --add-missing --copy +autoconf +autoheader + +%build +export CFLAGS="%{optflags} -fno-strict-aliasing" +%configure --enable-ld-version-script +make %{?_smp_mflags} + +%install +make DESTDIR=$RPM_BUILD_ROOT install + +# remove what we didn't want installed +rm $RPM_BUILD_ROOT%{_libdir}/*.la +rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/ + +# no libGL dependency, please +rm -f $RPM_BUILD_ROOT%{_bindir}/tiffgt + +# no sgi2tiff or tiffsv, either +rm -f $RPM_BUILD_ROOT%{_bindir}/sgi2tiff +rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv + +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1 +rm -f html/man/tiffgt.1.html +rm -f html/man/sgi2tiff.1.html +rm -f html/man/tiffsv.1.html + +# multilib header hack +# we only apply this to known Red Hat multilib arches, per bug #233091 +case `uname -i` in + i386 | ppc | s390 | sparc ) + wordsize="32" + ;; + x86_64 | ppc64 | s390x | sparc64 ) + wordsize="64" + ;; + *) + wordsize="" + ;; +esac + +if test -n "$wordsize" +then + mv $RPM_BUILD_ROOT%{_includedir}/tiffconf.h \ + $RPM_BUILD_ROOT%{_includedir}/tiffconf-$wordsize.h + + cat >$RPM_BUILD_ROOT%{_includedir}/tiffconf.h < + +#if __WORDSIZE == 32 +# include "tiffconf-32.h" +#elif __WORDSIZE == 64 +# include "tiffconf-64.h" +#else +# error "unexpected value for __WORDSIZE macro" +#endif + +#endif +EOF + +fi +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%check +LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check + +# don't include documentation Makefiles, they are a multilib hazard +find html -name 'Makefile*' | xargs rm + +%files +%doc COPYRIGHT README RELEASE-DATE VERSION +%{_libdir}/libtiff.so.* +%{_libdir}/libtiffxx.so.* + +%files devel +%doc TODO ChangeLog html +%{_includedir}/* +%{_libdir}/libtiff.so +%{_libdir}/libtiffxx.so +%{_libdir}/pkgconfig/libtiff*.pc +%{_mandir}/man3/* + +%files static +%{_libdir}/*.a + +%files tools +%{_bindir}/* +%{_mandir}/man1/* + +%changelog +* Tue Apr 30 2019 Nikola Forró - 4.0.3-32 +- Fix one more Covscan defect +- Related: #1647965 + +* Tue Apr 30 2019 Nikola Forró - 4.0.3-31 +- Fix processing of RAS files without colormap +- Related: #1647965 + +* Thu Dec 13 2018 Nikola Forró - 4.0.3-30 +- Fix various Covscan defects +- Related: #1647965 + +* Thu Dec 13 2018 Nikola Forró - 4.0.3-29 +- Fix compiler warning introduced by patch for CVE-2018-18661 +- Related: #1647965 + +* Thu Dec 06 2018 Nikola Forró - 4.0.3-28 +- Fix CVE-2016-3186 +- Resolves: #1319503 +- Fix CVE-2018-7456 +- Resolves: #1561318 +- Fix CVE-2018-8905 +- Resolves: #1574548 +- Fix CVE-2018-10779 +- Resolves: #1598503 +- Fix CVE-2018-10963 +- Resolves: #1598726 +- Fix CVE-2018-12900 +- Resolves: #1600430 +- Fix CVE-2018-17100 +- Resolves: #1632578 +- Fix CVE-2018-17101 +- Resolves: #1632579 +- Fix CVE-2018-18557 +- Resolves: #1647737 +- Fix CVE-2018-18661 +- Resolves: #1647965 + +* Wed Jan 18 2017 Nikola Forró - 4.0.3-27 +- Fix CWE-476 defect found by covscan +- Related: #1412081 + +* Wed Jan 11 2017 Nikola Forró - 4.0.3-26 +- Add patches for CVEs: + CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, + CVE-2016-9536, CVE-2016-9537, CVE-2016-9540, + CVE-2016-5652, CVE-2015-8870 +- Resolves: #1412081 + +* Wed Jul 27 2016 Nikola Forró - 4.0.3-25 +- Add patches for CVEs: + CVE-2015-7554, CVE-2015-8683, CVE-2015-8665, + CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, + CVE-2015-8784 +- Related: #1299921 + +* Tue Jul 26 2016 Nikola Forró - 4.0.3-24 +- Update patches for CVEs: + CVE-2014-8127, CVE-2014-8130 +- Related: #1299921 + +* Mon Jul 25 2016 Petr Hracek - 4.0.3-23 +- Update patches: + CVE-2014-9330, CVE-2014-8127, CVE-2014-8129 + CVE-2014-8130 +- Related: #1299921 + +* Tue Jul 19 2016 Nikola Forró - 4.0.3-22 +- Update patch for CVE-2015-8668 +- Related: #1299921 + +* Mon Jul 11 2016 Nikola Forró - 4.0.3-21 +- Remove patches for CVEs: + CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, + CVE-2014-9330, CVE-2015-7554, CVE-2015-8665, + CVE-2015-8683, CVE-2015-8781, CVE-2015-8784 +- Add patches for CVEs: + CVE-2016-3632, CVE-2016-3945, CVE-2016-3990, + CVE-2016-3991, CVE-2016-5320 +- Update patches for CVEs: + CVE-2014-9655, CVE-2015-1547, CVE-2015-8668 +- Related: #1299921 + +* Tue Apr 19 2016 Petr Hracek - 4.0.3-20 +- CVE-2014-8127 should contain only two fixes +- Related: #1299921 + +* Fri Apr 01 2016 Petr Hracek - 4.0.3-19 +- Revert previous patch CVE-2014-8127 +- Related: #1299921 + +* Thu Mar 31 2016 Petr Hracek - 4.0.3-18 +- Fixed wrongly applied patch CVE-2014-8127 +- Related: #1299921 + +* Tue Mar 15 2016 Petr Hracek - 4.0.3-17 +- Fixed patch CVE-2015-8668. Wrongly applied by me +- Related: #1299921 + +* Tue Mar 08 2016 Petr Hracek - 4.0.3-16 +- Fixed patches on preview CVEs +- Related: #1299921 + +* Wed Feb 03 2016 Petr Hracek - 4.0.3-15 +- This resolves several CVEs +- CVE-2014-8127, CVE-2014-8129, CVE-2014-8130 +- CVE-2014-9330, CVE-2014-9655, CVE-2015-8781 +- CVE-2015-8784, CVE-2015-1547, CVE-2015-8683 +- CVE-2015-8665, CVE-2015-7554, CVE-2015-8668 +- Resolves: #1299921 + +* Thu Feb 13 2014 Petr Hracek - 4.0.3-14 +- Resolves: #996827 CVE-2013-4243 libtiff various flaws + +* Fri Jan 24 2014 Daniel Mach - 4.0.3-13 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 4.0.3-12 +- Mass rebuild 2013-12-27 + +* Wed Dec 18 2013 Petr Hracek - 4.0.3-11 +- Correct man page option -W +Resolves: #510240 + +* Thu Dec 12 2013 Petr Hracek - 4.0.3-10 +- Resolves: #996827 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 + libtiff various flaws + +* Mon Oct 21 2013 Petr Hracek - 4.0.3-9 +- Resolves: #1017070 - make check moved to %check section + +* Tue Oct 08 2013 Petr Hracek - 4.0.3-8 +- tiff2ps manual page doesn't contain help for all options +- tiffcp options differ in program help and manual page +Resolves: #510240 +Resolves: #510258 + +* Mon Aug 12 2013 Jaromír Končický - 4.0.3-7 +- man page fixing (#510240 #510258) + +* Thu May 2 2013 Tom Lane 4.0.3-6 +- Add upstream patches for CVE-2013-1960, CVE-2013-1961 +Resolves: #958609 + +* Thu Feb 14 2013 Fedora Release Engineering - 4.0.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Adam Tkac - 4.0.3-4 +- rebuild due to "jpeg8-ABI" feature drop + +* Wed Dec 19 2012 Tom Lane 4.0.3-3 +- Add upstream patch to avoid bogus self-test failure with libjpeg-turbo v8 + +* Thu Dec 13 2012 Tom Lane 4.0.3-2 +- Add upstream patches for CVE-2012-4447, CVE-2012-4564 + (note: CVE-2012-5581 is already fixed in 4.0.3) +Resolves: #880907 + +* Thu Oct 4 2012 Tom Lane 4.0.3-1 +- Update to libtiff 4.0.3 + +* Fri Aug 3 2012 Tom Lane 4.0.2-6 +- Remove compat subpackage; no longer needed +- Minor specfile cleanup per suggestions from Tom Callaway +Related: #845110 + +* Thu Aug 2 2012 Tom Lane 4.0.2-5 +- Add accessor functions for opaque type TIFFField (backport of not-yet-released + upstream feature addition; needed to fix freeimage) + +* Sun Jul 22 2012 Tom Lane 4.0.2-4 +- Add patches for CVE-2012-3401 +Resolves: #841736 + +* Thu Jul 19 2012 Fedora Release Engineering - 4.0.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 03 2012 Karsten Hopp 4.0.2-2 +- add opensuse bigendian patch to fix raw_decode self check failure on ppc*, s390* + +* Thu Jun 28 2012 Tom Lane 4.0.2-1 +- Update to libtiff 4.0.2, includes fix for CVE-2012-2113 + (note that CVE-2012-2088 does not apply to 4.0.x) +- Update libtiff-compat to 3.9.6 and add patches to it for + CVE-2012-2088, CVE-2012-2113 +Resolves: #832866 + +* Fri Jun 1 2012 Tom Lane 4.0.1-2 +- Enable JBIG support +Resolves: #826240 + +* Sun May 6 2012 Tom Lane 4.0.1-1 +- Update to libtiff 4.0.1, adds BigTIFF support and other features; + library soname is bumped from libtiff.so.3 to libtiff.so.5 +Resolves: #782383 +- Temporarily package 3.9.5 shared library (only) in libtiff-compat subpackage + so that dependent packages won't be broken while rebuilding proceeds + +* Thu Apr 5 2012 Tom Lane 3.9.5-3 +- Add fix for CVE-2012-1173 +Resolves: #CVE-2012-1173 + +* Fri Jan 13 2012 Fedora Release Engineering - 3.9.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Apr 12 2011 Tom Lane 3.9.5-1 +- Update to libtiff 3.9.5, incorporating all our previous patches plus other + fixes, notably the fix for CVE-2009-5022 +Related: #695885 + +* Mon Mar 21 2011 Tom Lane 3.9.4-4 +- Fix incorrect fix for CVE-2011-0192 +Resolves: #684007 +Related: #688825 +- Add fix for CVE-2011-1167 +Resolves: #689574 + +* Wed Mar 2 2011 Tom Lane 3.9.4-3 +- Add patch for CVE-2011-0192 +Resolves: #681672 +- Fix non-security-critical potential SIGSEGV in gif2tiff +Related: #648820 + +* Tue Feb 08 2011 Fedora Release Engineering - 3.9.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jun 22 2010 Tom Lane 3.9.4-1 +- Update to libtiff 3.9.4, for numerous bug fixes including fixes for + CVE-2010-1411, CVE-2010-2065, CVE-2010-2067 +Resolves: #554371 +Related: #460653, #588784, #601274, #599576, #592361, #603024 +- Add fixes for multiple SIGSEGV problems +Resolves: #583081 +Related: #603081, #603699, #603703 + +* Tue Jan 5 2010 Tom Lane 3.9.2-3 +- Apply Adam Goode's fix for Warmerdam's fix +Resolves: #552360 +Resolves: #533353 +- Add some defenses to prevent tiffcmp from crashing on downsampled JPEG + images; this isn't enough to make it really work correctly though +Related: #460322 + +* Wed Dec 16 2009 Tom Lane 3.9.2-2 +- Apply Warmerdam's partial fix for bug #460322 ... better than nothing. +Related: #460322 + +* Thu Dec 3 2009 Tom Lane 3.9.2-1 +- Update to libtiff 3.9.2; stop carrying a lot of old patches +Resolves: #520734 +- Split command-line tools into libtiff-tools subpackage +Resolves: #515170 +- Use build system's libtool instead of what package contains; + among other cleanup this gets rid of unwanted rpath specs in executables +Related: #226049 + +* Thu Oct 15 2009 Tom Lane 3.8.2-16 +- add sparc/sparc64 to multilib header support + +* Sat Jul 25 2009 Fedora Release Engineering - 3.8.2-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jul 13 2009 Tom Lane 3.8.2-14 +- Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347) +Related: #510041 + +* Wed Jul 1 2009 Tom Lane 3.8.2-13 +- Fix some more LZW decoding vulnerabilities (CVE-2009-2285) +Related: #507465 +- Update upstream URL + +* Wed Feb 25 2009 Fedora Release Engineering - 3.8.2-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Aug 26 2008 Tom Lane 3.8.2-11 +- Fix LZW decoding vulnerabilities (CVE-2008-2327) +Related: #458674 +- Use -fno-strict-aliasing per rpmdiff recommendation + +* Tue Feb 19 2008 Fedora Release Engineering - 3.8.2-10 +- Autorebuild for GCC 4.3 + +* Wed Aug 22 2007 Tom Lane 3.8.2-9 +- Update License tag +- Rebuild to fix Fedora toolchain issues + +* Thu Jul 19 2007 Tom Lane 3.8.2-8 +- Restore static library to distribution, in a separate -static subpackage +Resolves: #219905 +- Don't apply multilib header hack to unrecognized architectures +Resolves: #233091 +- Remove documentation for programs we don't ship +Resolves: #205079 +Related: #185145 + +* Tue Jan 16 2007 Tom Lane 3.8.2-7 +- Remove Makefiles from the shipped /usr/share/doc/html directories +Resolves: bz #222729 + +* Tue Sep 5 2006 Jindrich Novy - 3.8.2-6 +- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362) +- fix typo in man page for tiffset (#186297) +- use %%{?dist} + +* Mon Jul 24 2006 Matthias Clasen +- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461 + CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) + +* Wed Jul 12 2006 Jesse Keating - 3.8.2-4.1 +- rebuild + +* Fri Jun 2 2006 Matthias Clasen - 3.8.2-3 +- Fix multilib conflict + +* Thu May 25 2006 Matthias Clasen - 3.8.2-3 +- Fix overflows in tiffsplit + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-2 +- Drop tiffgt to get rid of the libGL dependency (#190768) + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-1 +- Update to 3.8.2 + +* Fri Feb 10 2006 Jesse Keating - 3.7.4-3.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 3.7.4-3.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Wed Nov 16 2005 Matthias Clasen 3.7.4-3 +- Don't ship static libs + +* Fri Nov 11 2005 Matthias Saou 3.7.4-2 +- Remove useless explicit dependencies. +- Minor spec file cleanups. +- Move make check to %%check. +- Add _smp_mflags. + +* Thu Sep 29 2005 Matthias Clasen - 3.7.4-1 +- Update to 3.7.4 +- Drop upstreamed patches + +* Wed Jun 29 2005 Matthias Clasen - 3.7.2-1 +- Update to 3.7.2 +- Drop upstreamed patches + +* Fri May 6 2005 Matthias Clasen - 3.7.1-6 +- Fix a stack overflow + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-5 +- Don't use mktemp + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-4 +- Rebuild with gcc4 + +* Wed Jan 5 2005 Matthias Clasen - 3.7.1-3 +- Drop the largefile patch again +- Fix a problem with the handling of alpha channels +- Fix an integer overflow in tiffdump (#143576) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-2 +- Readd the largefile patch (#143560) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-1 +- Upgrade to 3.7.1 +- Remove upstreamed patches +- Remove specfile cruft +- make check + +* Thu Oct 14 2004 Matthias Clasen 3.6.1-7 +- fix some integer and buffer overflows (#134853, #134848) + +* Tue Oct 12 2004 Matthias Clasen 3.6.1-6 +- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483 + +* Mon Sep 27 2004 Rik van Riel 3.6.1-4 +- compile using RPM_OPT_FLAGS (bz #133650) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu May 20 2004 Matthias Clasen 3.6.1-2 +- Fix and use the makeflags patch + +* Wed May 19 2004 Matthias Clasen 3.6.1-1 +- Upgrade to 3.6.1 +- Adjust patches +- Don't install tiffgt man page (#104864) + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Sat Feb 21 2004 Florian La Roche +- really add symlink to shared lib by running ldconfig at compile time + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Oct 09 2003 Florian La Roche +- link shared lib against -lm (Jakub Jelinek) + +* Thu Sep 25 2003 Jeremy Katz 3.5.7-13 +- rebuild to fix gzipped file md5sum (#91281) + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Tue Feb 11 2003 Phil Knirsch 3.5.7-11 +- Fixed rebuild problems. + +* Tue Feb 04 2003 Florian La Roche +- add symlink to shared lib + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Thu Dec 12 2002 Tim Powers 3.5.7-8 +- rebuild on all arches + +* Mon Aug 19 2002 Phil Knirsch 3.5.7-7 +- Added LFS support (#71593) + +* Tue Jun 25 2002 Phil Knirsch 3.5.7-6 +- Fixed wrong exit code of tiffcp app (#67240) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Wed May 15 2002 Phil Knirsch +- Fixed segfault in fax2tiff tool (#64708). + +* Mon Feb 25 2002 Phil Knirsch +- Fixed problem with newer bash versions setting CDPATH (#59741) + +* Tue Feb 19 2002 Phil Knirsch +- Update to current release 3.5.7 + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Tue Aug 28 2001 Phil Knirsch +- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x + and ia64 were missing (#52129). + +* Tue Jun 26 2001 Philipp Knirsch +- Hopefully final symlink fix + +* Thu Jun 21 2001 Than Ngo +- add missing libtiff symlink + +* Fri Mar 16 2001 Crutcher Dunnavant +- killed tiff-to-ps.fpi filter + +* Wed Feb 28 2001 Philipp Knirsch +- Fixed missing devel version dependancy. + +* Tue Dec 19 2000 Philipp Knirsch +- rebuild + +* Mon Aug 7 2000 Crutcher Dunnavant +- added a tiff-to-ps.fpi filter for printing + +* Thu Jul 13 2000 Prospector +- automatic rebuild + +* Thu Jul 13 2000 Nalin Dahyabhai +- apply Peter Skarpetis's fix for the 32-bit conversion + +* Mon Jul 3 2000 Nalin Dahyabhai +- make man pages non-executable (#12811) + +* Mon Jun 12 2000 Nalin Dahyabhai +- remove CVS repo info from data directories + +* Thu May 18 2000 Nalin Dahyabhai +- fix build rooting +- fix syntax error in configure script +- move man pages to {_mandir} + +* Wed May 17 2000 Nalin Dahyabhai +- rebuild for an errata release + +* Wed Mar 29 2000 Nalin Dahyabhai +- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix + +* Tue Mar 28 2000 Nalin Dahyabhai +- fix fax2ps swapping height and width in the bounding box + +* Mon Mar 27 2000 Nalin Dahyabhai +- move man pages from devel package to the regular one +- integrate Frank Warmerdam's fixed .fax handling code (keep until next release + of libtiff) +- fix fax2ps breakage (bug #8345) + +* Sat Feb 05 2000 Nalin Dahyabhai +- set MANDIR=man3 to make multifunction man pages friendlier + +* Mon Jan 31 2000 Nalin Dahyabhai +- fix URLs + +* Fri Jan 28 2000 Nalin Dahyabhai +- link shared library against libjpeg and libz + +* Tue Jan 18 2000 Nalin Dahyabhai +- enable zip and jpeg codecs +- change defattr in normal package to 0755 +- add defattr to -devel package + +* Wed Dec 22 1999 Bill Nottingham +- update to 3.5.4 + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 6) + +* Wed Jan 13 1999 Cristian Gafton +- build for glibc 2.1 + +* Wed Jun 10 1998 Prospector System +- translations modified for de + +* Wed Jun 10 1998 Michael Fulbright +- rebuilt against fixed jpeg libs (libjpeg-6b) + +* Thu May 07 1998 Prospector System +- translations modified for de, fr, tr + +* Mon Oct 13 1997 Donnie Barnes +- new version to replace the one from libgr +- patched for glibc +- added shlib support