Update to 3.9.0:

MAJOR CHANGES:
  * New tiffcrop utility contributed by Richard Nolde. tiffcrop does the
    same as tiffcp, but also can crop, extract, rotate and mirror images.
  * tif_jbig.c: Added support for JBIG compression scheme (34661 code),
    contributed by Lee Howard.
  * Totally new implementation of OJPEG module from Joris Van Damme. No
    need to patch libjpeg anymore. Many OJPEG files should be supported
    now that were not supported previously.

------------------------------------------------

CHANGES IN THE SOFTWARE CONFIGURATION:
  * tif_config.wince.h, tiffconf.wince.h, tif_wince.c: WinCE-specific
    compatibility stuff from Mateusz Loskot.
  * Rename config.h.vc and tif_config.h.vc to config.vc.h and
    tif_config.vc.h for easier identification by folks using an IDE.
  * configure, configure.ac: OJPEG support enabled by default (i.e., when
    the conformant JPEG support enabled).
  * README.vms, Makefile.am, configure.com, libtiff/{Makefile.am,
    tif_config.h-vms, tif_stream.cxx, tif_vms.c, tiffconf.h-vms}: Added
    support for OpenVMS by Alexey Chupahin.
  * nmake.opt: use /EHsc for VS2005 compatibility. Also define
    _CRT_SECURE_NO_DEPRECATE to avoid noise on VS2005.

------------------------------------------------

CHANGES IN LIBTIFF:
  * tif_dirinfo.c (_TIFFFindFieldInfo): Don't attempt to bsearch() on a
    NULL fieldinfo list. (_TIFFFindFieldInfoByName): Don't attempt to
    lfind() on a NULL fieldinfo list.
  * tif_jpeg.c: Changed JPEGInitializeLibJPEG() so that it will convert
    from decompressor to compressor or compress to decompress if required
    by the force arguments. This works around a problem where the
    JPEGFixupTestSubsampling() may cause a decompressor to be setup on a
    directory when later a compressor is required with the force flag set.
    Occurs with the addtiffo program for instance.
  * tif_dirwrite.c: Fixed swapping of byte arrays stored in-place in tag
    offsets as per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1363
  * tif_getimage.c: workaround for 'Fractional scanline' error reading
    OJPEG images with rowsperstrip that is not a multiple of vertical
    subsampling factor. This bug is mentioned in
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1390 and
    http://www.asmail.be/msg0054766825.html
  * tif_dirread.c: Added special function to handle SubjectDistance EXIF
    tag as per bug http://bugzilla.remotesensing.org/show_bug.cgi?id=1362
  * tif_dirread.c, tif_read.c: Type of the byte counters changed from
    tsize_t to uint32 to be able to work with data arrays larger than 2GB.
    Fixes bug http://bugzilla.remotesensing.org/show_bug.cgi?id=89 Idea
    submitted by Matt Hancher.
  * tif_dir.c: Workaround for incorrect TIFFs with ExtraSamples == 999
    produced by Corel Draw. As per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1490
  * tif_write.c: TIFFAppendToStrip() - clear sorted flag if we move a
    strip. http://bugzilla.remotesensing.org/show_bug.cgi?id=1359
  * tif_fax3.c: Save the state of printdir codec dependent method.
  * tif_jpeg.c: Save the state of printdir codec dependent method as per
    bug http://bugzilla.remotesensing.org/show_bug.cgi?id=1273
  * tif_win32.c: Fixed problem with offset value manipulation as per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1322
  * tif_fax3.c, tif_next.c, tif_pixarlog.c: Fixed multiple
    vulnerabilities, as per Gentoo bug ():
    http://bugs.gentoo.org/show_bug.cgi?id=142383
  * tif_lzw.c, tif_zip.c: Fixed problems with mixing encoding and decoding
    on the same read-write TIFF handle. The LZW code can now maintain
    encode and decode state at the same time. The ZIP code will switch
    back and forth as needed.
    http://bugzilla.remotesensing.org/show_bug.cgi?id=757
  * tif_msdos.c: Avoid handle leak for failed opens. c/o Thierry Pierron
  * tif_dirwrite.c: take care not to flush out buffer of strip/tile data
    in _TIFFWriteDirectory if TIFF_BEENWRITING not set. Relates to bug
    report by Peng Gao with black strip at bottom of images.
  * tif_dirwrite.c: make sure to use uint32 for wordcount in
    TIFFWriteNormanTag if writecount is VARIABLE2 for ASCII fields. It
    already seems to have been done for other field types. Needed for
    "tiffset" on files with geotiff ascii text.
  * tif_dirinfo.c: Added missed EXIF tag ColorSpace (40961).
  * tif_dirread.c: Move IFD fetching code in the separate function
    TIFFFetchDirectory() avoiding code duplication in TIFFReadDirectory()
    and TIFFReadCustomDirectory().
  * tif_readdir.c: Added case in EstimateStripByteCounts() for tiled
    files. Modified TIFFReadDirectory() to not invoke
    EstimateStripByteCounts() for case where entry 0 and 1 are unequal but
    one of them is zero.
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1204
  * tif_open.c, tif_dirread.c, tiffiop.h: Move IFD looping checking code
    in the separate function TIFFCheckDirOffset().
  * tif_aux.c: Added _TIFFCheckRealloc() function.
  * tif_fax3.c: Fixed problems in fax decoder as per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1194
  * tif_jbig.c: Added support for JBIG compression scheme (34661 code)
    contributed by Lee Howard. As per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=896
  * tif_getimage.c: Added support for planarconfig separate non-subsampled
    YCbCr (i.e. separate YCbCr with subsampling [1,1]).
  * tif_getimage.c: Revision of all RGB(A) put routines:
       * Conversion of unassociated alpha to associated alpha now done
         with more performant LUT, and calculation more correct.
       * Conversion of 16bit data to 8bit data now done with more
         performant LUT, and calculation more correct
       * Bugfix of handling of 16bit RGB with unassociated alpha
  * tif_ojpeg.c: totally new implementation
  * tif_getimage.c: removed TIFFTAG_JPEGCOLORMODE handling of OJPEG images
    in favor of tif_getimage.c native handling of YCbCr and desubsampling.
  * tif_jpeg.c: JPEGVSetField() so that altering the photometric
    interpretation causes the "upsampled" flag to be recomputed. Fixes
    peculiar bug where photometric flag had to be set before jpegcolormode
    flag.

------------------------------------------------

CHANGES IN THE TOOLS:
  * tiff2ps.c: Added support for 16-bit images as per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1566. Patch from
    William Bader.
  * tiff2pdf.c: Fix for TIFFTAG_JPEGTABLES tag fetching and significant
    upgrade of the whole utility as per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1560. Now we don't
    need tiffiop.h in tiff2pdf anymore and will open output PDF file using
    TIFFClientOpen() machinery as it is implemented by Leon Bottou.
  * tiffcrop.c: New tiffcrop utility contributed by Richard Nolde. As per
    bug http://bugzilla.remotesensing.org/show_bug.cgi?id=1383
  * tiff2pdf.c: Do not assume inches when the resolution units are not
    specified. As per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1366
  * tiffset.c: Properly handle tags with TIFF_VARIABLE writecount. As per
    bug http://bugzilla.remotesensing.org/show_bug.cgi?id=1350
  * tif2rgba.c: This utility does not work properly on big-endian
    architectures. It was fixed including the bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1149
  * tiff2pdf.c: Fix handling of -q values.
    http://bugzilla.remotesensing.org/show_bug.cgi?id=587
  * tiffcmp.c: Fixed floating point comparison logic as per bug
    http://bugzilla.remotesensing.org/show_bug.cgi?id=1191
  * tiff2pdf.c: Fixed buffer overflow condition in t2p_write_pdf_string()
    as per bug http://bugzilla.remotesensing.org/show_bug.cgi?id=1196

------------------------------------------------

CHANGES IN THE CONTRIB AREA:
  * contrib/addtiffo/tif_overview.c: Fix problems with odd sized output
    blocks in TIFF_DownSample_Subsampled() (bug 1542).
  * contrib/dbs/xtiff/xtiff.c: Make xtiff utility compilable. Though it is
    still far from the state of being working and useful.
wiz 2009-08-24 08:50:33 +00:00
parent 390dc12805
commit 248c677349
18 changed files with 18 additions and 1126 deletions

View file

@ -1,7 +1,6 @@
# $NetBSD: Makefile,v 1.88 2009/07/19 11:45:09 tron Exp $
# $NetBSD: Makefile,v 1.89 2009/08/24 08:50:33 wiz Exp $
DISTNAME= tiff-3.8.2
PKGREVISION= 6
DISTNAME= tiff-3.9.0
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://libtiff.maptools.org/dl/
@ -26,6 +25,12 @@ CONFIGURE_ARGS+= --without-x # just in case detects gl to build tiffgt
TEST_TARGET= check
post-install:
cd ${DESTDIR}/${PREFIX}/${PKGMANDIR}/man3 && for file in *.3tiff; do\
target=`echo $$file | sed "s/3tiff/3/"`; \
${MV} $$file $$target; \
done
.include "options.mk"
.include "../../devel/zlib/buildlink3.mk"
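Review bot: The `sed "s/3tiff/3/"` in the post-install loop is unanchored, so it rewrites the first `3tiff` found anywhere in the file name rather than only the suffix; `sed 's/\.3tiff$$/.3/'` says what is meant. The loop also has no guard for an empty match: if man3 contains no `*.3tiff` files the glob stays literal and `${MV}` fails on it, so a `test -f "$$file" || continue` at the top of the body would make the target robust. This loop takes over the job of the deleted patch-aa (which forced `ext='3'` in man/Makefile.in), so the man3 entries in PLIST should be checked against what it actually produces.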

View file

@ -1,4 +1,4 @@
@comment $NetBSD: PLIST,v 1.11 2009/06/14 17:59:29 joerg Exp $
@comment $NetBSD: PLIST,v 1.12 2009/08/24 08:50:33 wiz Exp $
bin/bmp2tiff
bin/fax2ps
bin/fax2tiff
@ -15,6 +15,7 @@ bin/tiff2ps
bin/tiff2rgba
bin/tiffcmp
bin/tiffcp
bin/tiffcrop
bin/tiffdither
bin/tiffdump
bin/tiffinfo
@ -45,6 +46,7 @@ man/man1/tiff2ps.1
man/man1/tiff2rgba.1
man/man1/tiffcmp.1
man/man1/tiffcp.1
man/man1/tiffcrop.1
man/man1/tiffdither.1
man/man1/tiffdump.1
man/man1/tiffgt.1
@ -94,6 +96,7 @@ man/man3/libtiff.3
share/doc/tiff/COPYRIGHT
share/doc/tiff/ChangeLog
share/doc/tiff/README
share/doc/tiff/README.vms
share/doc/tiff/RELEASE-DATE
share/doc/tiff/TODO
share/doc/tiff/VERSION
@ -179,6 +182,7 @@ share/doc/tiff/html/man/tiff2ps.1.html
share/doc/tiff/html/man/tiff2rgba.1.html
share/doc/tiff/html/man/tiffcmp.1.html
share/doc/tiff/html/man/tiffcp.1.html
share/doc/tiff/html/man/tiffcrop.1.html
share/doc/tiff/html/man/tiffdither.1.html
share/doc/tiff/html/man/tiffdump.1.html
share/doc/tiff/html/man/tiffgt.1.html
@ -222,3 +226,4 @@ share/doc/tiff/html/v3.7.4.html
share/doc/tiff/html/v3.8.0.html
share/doc/tiff/html/v3.8.1.html
share/doc/tiff/html/v3.8.2.html
share/doc/tiff/html/v3.9.0beta.html
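Review bot: The only release-notes page added after `v3.8.2.html` is `share/doc/tiff/html/v3.9.0beta.html`, with no `v3.9.0.html` entry even though DISTNAME is now tiff-3.9.0. Check the list against a staged install of the new tarball so that a missing or unlisted file does not break packaging.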

View file

@ -1,20 +1,5 @@
$NetBSD: distinfo,v 1.43 2009/07/19 11:45:09 tron Exp $
$NetBSD: distinfo,v 1.44 2009/08/24 08:50:33 wiz Exp $
SHA1 (tiff-3.8.2.tar.gz) = 549e67b6a15b42bfcd72fe17cda7c9a198a393eb
RMD160 (tiff-3.8.2.tar.gz) = 1b4d825e3be08764e953fc58246d0c25ab4dd17d
Size (tiff-3.8.2.tar.gz) = 1336295 bytes
SHA1 (patch-aa) = edac79a6f3b61e9fc787fe14f750d88023a29bfa
SHA1 (patch-ab) = b517cb8bc2212d3e6c5a70db1bdf45b85b78fc72
SHA1 (patch-ac) = 24bb2d78d63df7f02d128c7dc6a4c8db50fac891
SHA1 (patch-at) = 4006ed90f6ab88aff30e2537d613a1b44b5c7347
SHA1 (patch-au) = c53ed7521c3918081526ad63cd0c1c45c9a0b9ff
SHA1 (patch-av) = 38852ef5028f6c0ad7a3e5497248f264f0cb7366
SHA1 (patch-aw) = 8df07a9bc23092cfde2b364a1965efcfdc848b1e
SHA1 (patch-ax) = 1a111d7a80bf98a650d147c035cd719d34aafc8a
SHA1 (patch-ay) = db50f1d97b5d3b94e4d470b49642fe105977e0b7
SHA1 (patch-az) = ec57ebacc6052221ae63084d23c7c7b4aea029d8
SHA1 (patch-ba) = d4bd9c67a9bf2be93286f8268ac520c4b88ba3ae
SHA1 (patch-bb) = cbc7feda655a02809de55be6470cc25cda942a08
SHA1 (patch-bc) = 9baa1c138cd3cb6366ae3e638518b94dfea172cc
SHA1 (patch-ca) = 3c90d9735f0586632db05ceb50b336cbfdf279b6
SHA1 (patch-cb) = 349c8764091d69f5eca84588837022d218b2165c
SHA1 (tiff-3.9.0.tar.gz) = e525879da8416e00ccd58617b2850341a429e23c
RMD160 (tiff-3.9.0.tar.gz) = be5bdb33c30a23fd0969981bfda1fe8e79f8879f
Size (tiff-3.9.0.tar.gz) = 1399851 bytes
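Review bot: The commit message should state, patch by patch, why each of the fifteen local patches removed from distinfo (patch-aa through patch-cb) is no longer needed. Several of the deleted files are labelled security fixes (CVE-2006-2193 in patch-au, SA21304 in patch-av through patch-az), and the quoted upstream changelog does not map onto them one to one: it mentions the t2p_write_pdf_string() overflow and the Gentoo bug for tif_fax3.c, tif_next.c and tif_pixarlog.c, but nothing that obviously corresponds to the tif_dir.c and tif_dirread.c NULL and bounds checks. A short note per patch ("merged upstream", "replaced by post-install", "obsolete") would make the removal auditable.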

View file

@ -1,17 +0,0 @@
$NetBSD: patch-aa,v 1.17 2005/07/14 13:43:28 wiz Exp $
--- man/Makefile.in.orig 2005-07-05 16:38:13.000000000 +0000
+++ man/Makefile.in
@@ -380,11 +380,7 @@ install-man3: $(man3_MANS) $(man_MANS)
for i in $$list; do \
if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 3*) ;; \
- *) ext='3' ;; \
- esac; \
+ ext='3'; \
inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
inst=`echo $$inst | sed -e 's/^.*\///'`; \
inst=`echo $$inst | sed '$(transform)'`.$$ext; \

View file

@ -1,26 +0,0 @@
$NetBSD: patch-ab,v 1.18 2006/02/20 17:56:36 joerg Exp $
--- libtiff/tiffio.h.orig 2006-02-20 17:43:42.000000000 +0000
+++ libtiff/tiffio.h
@@ -30,6 +30,10 @@
/*
* TIFF I/O Library Definitions.
*/
+
+/* NULL */
+#include <stddef.h>
+
#include "tiff.h"
#include "tiffvers.h"
@@ -97,10 +101,6 @@ typedef HFILE thandle_t; /* client data
typedef void* thandle_t; /* client data handle */
#endif /* USE_WIN32_FILEIO */
-#ifndef NULL
-# define NULL (void *)0
-#endif
-
/*
* Flags to pass to TIFFPrintDirectory to control
* printing of data structures that are potentially

View file

@ -1,77 +0,0 @@
$NetBSD: patch-ac,v 1.20 2009/06/22 14:54:44 drochner Exp $
--- libtiff/tif_lzw.c.orig 2006-03-21 17:42:50.000000000 +0100
+++ libtiff/tif_lzw.c
@@ -237,6 +237,13 @@ LZWSetupDecode(TIFF* tif)
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
+ /*
+ * Zero-out the unused entries
+ */
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
+
+
}
return (1);
}
@@ -408,12 +415,20 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask-1;
NextCode(tif, sp, bp, code, GetNextCode);
if (code == CODE_EOI)
break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
+
*op++ = (char)code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
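Review bot: The check added after the second `NextCode` in the `CODE_CLEAR` branch rejects only a repeated `CODE_CLEAR`; a value at or above `CODE_FIRST` still falls through to `*op++ = (char)code` and `oldcodep = sp->dec_codetab + code`, which then points at an entry the new `_TIFFmemset` has just zeroed. Since `CODE_EOI` has already been handled by the `break` above, testing `code >= CODE_CLEAR` at this point would cover both cases with the same error path. The same applies to the matching hunk in LZWDecodeCompat.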
@@ -604,12 +619,20 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
NextCode(tif, sp, bp, code, GetNextCodeCompat);
if (code == CODE_EOI)
break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
+
*op++ = code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
@@ -647,6 +670,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
}
oldcodep = codep;
if (code >= 256) {
+ char *op_orig = op;
/*
* Code maps to a string, copy string
* value to output (written in reverse).
@@ -681,7 +705,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
tp = op;
do {
*--tp = codep->value;
- } while( (codep = codep->next) != NULL);
+ } while( (codep = codep->next) != NULL && tp > op_orig);
} else
*op++ = code, occ--;
}
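Review bot: In the bounded copy loop the `tp > op_orig` test runs only after `*--tp = codep->value` has executed, so the first store of the `do { } while` is never checked against `op_orig`, and when the bound does trigger the loop just stops and decoding carries on with a truncated string. Checking before the store and returning 0 with a `TIFFErrorExt` message, as the `CODE_CLEAR` hunks in this patch do, would make corrupt input fail visibly. Because this patch is being deleted, the commit should also confirm that tif_lzw.c in 3.9.0 has an equivalent guard; the quoted changelog mentions tif_lzw.c only for the encode/decode state fix.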

View file

@ -1,122 +0,0 @@
$NetBSD: patch-at,v 1.6 2006/03/14 14:08:30 drochner Exp $
--- configure.orig 2006-03-13 15:58:42.000000000 +0100
+++ configure
@@ -12439,6 +12439,117 @@ done
+for ac_func in lfind
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$as_ac_var+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char $ac_func (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+char (*f) () = $ac_func;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != $ac_func;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ eval "$as_ac_var=yes"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+eval "$as_ac_var=no"
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+else
+ case $LIBOBJS in
+ "$ac_func.$ac_objext" | \
+ *" $ac_func.$ac_objext" | \
+ "$ac_func.$ac_objext "* | \
+ *" $ac_func.$ac_objext "* ) ;;
+ *) LIBOBJS="$LIBOBJS $ac_func.$ac_objext" ;;
+esac
+
+fi
+done
+
+
+
echo "$as_me:$LINENO: checking native cpu bit order" >&5
echo $ECHO_N "checking native cpu bit order... $ECHO_C" >&6
case "$target_cpu" in

View file

@ -1,15 +0,0 @@
$NetBSD: patch-au,v 1.5 2006/06/08 11:05:14 salo Exp $
Security fix for CVE-2006-2193, from Ubuntu.
--- tools/tiff2pdf.c.orig 2006-03-21 17:42:51.000000000 +0100
+++ tools/tiff2pdf.c 2006-06-08 12:39:11.000000000 +0200
@@ -3668,7 +3668,7 @@
written += TIFFWriteFile(output, (tdata_t) "(", 1);
for (i=0;i<len;i++){
if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
- sprintf(buffer, "\\%.3o", pdfstr[i]);
+ sprintf(buffer, "\\%.3hho", pdfstr[i]);
written += TIFFWriteFile(output, (tdata_t) buffer, 4);
} else {
switch (pdfstr[i]){
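Review bot: The `%.3hho` conversion depends on the C library implementing the C99 `hh` length modifier; where it does not, a `pdfstr[i]` with the high bit set may still be formatted as a full-width octal value, which is more than the four characters the following `TIFFWriteFile(output, (tdata_t) buffer, 4)` expects. Casting the argument, `sprintf(buffer, "\\%.3o", (unsigned char)pdfstr[i])`, gives the same result without relying on `hh`, and using `snprintf` with the size of `buffer` would bound the write regardless of the value.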

View file

@ -1,103 +0,0 @@
$NetBSD: patch-av,v 1.6 2006/08/03 15:17:49 taca Exp $
Security fix for SA21304.
--- libtiff/tif_dir.c.orig Wed Mar 22 01:42:50 2006
+++ libtiff/tif_dir.c
@@ -122,6 +122,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
{
static const char module[] = "_TIFFVSetField";
+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
@@ -193,15 +194,18 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
td->td_fillorder = (uint16) v;
break;
break;
- case TIFFTAG_ORIENTATION:
+ case TIFFTAG_ORIENTATION: {
+ const TIFFFieldInfo* fip;
v = va_arg(ap, uint32);
if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+ fip = _TIFFFieldWithTag(tif, tag);
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"Bad value %lu for \"%s\" tag ignored",
- v, _TIFFFieldWithTag(tif, tag)->field_name);
+ v, fip ? fip->field_name : "Unknown");
} else
td->td_orientation = (uint16) v;
break;
+ }
case TIFFTAG_SAMPLESPERPIXEL:
/* XXX should cross check -- e.g. if pallette, then 1 */
v = va_arg(ap, uint32);
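Review bot: The `const TIFFFieldInfo* fip;` declared inside the `TIFFTAG_ORIENTATION` case shadows the function-level `fip` that the first hunk of this patch adds, which makes the new braces and the second lookup through `_TIFFFieldWithTag` unnecessary. Use the outer `fip` directly in the warning (`fip ? fip->field_name : "Unknown"`) and drop the inner declaration, so the function has a single `fip` with a single meaning.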
@@ -387,11 +391,15 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
* happens, for example, when tiffcp is used to convert between
* compression schemes and codec-specific tags are blindly copied.
*/
+ /*
+ * better not dereference fip if it is NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
status = 0;
break;
}
@@ -468,7 +476,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
if (fip->field_type == TIFF_ASCII)
_TIFFsetString((char **)&tv->value, va_arg(ap, char *));
else {
- tv->value = _TIFFmalloc(tv_size * tv->count);
+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
if (!tv->value) {
status = 0;
goto end;
@@ -563,7 +571,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
}
}
if (status) {
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+ TIFFSetFieldBit(tif, fip->field_bit);
tif->tif_flags |= TIFF_DIRTYDIRECT;
}
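Review bot: `TIFFSetFieldBit(tif, fip->field_bit)` dereferences `fip` without a check, while every other use of `fip` introduced by this patch is written as `fip ? fip->field_name : "Unknown"` on the assumption that the lookup can return NULL. Either guard this call as well (for example by setting `status = 0` when `fip` is NULL) or add a comment explaining why `fip` cannot be NULL once `status` is nonzero.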
@@ -572,12 +580,12 @@ end:
return (status);
badvalue:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
badvalue32:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
}
@@ -813,12 +821,16 @@ _TIFFVGetField(TIFF* tif, ttag_t tag, va
* If the client tries to get a tag that is not valid
* for the image's codec then we'll arrive here.
*/
+ /*
+ * dont dereference fip if it's NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
{
TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
ret_val = 0;
break;
}

View file

@ -1,26 +0,0 @@
$NetBSD: patch-aw,v 1.5 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_dirinfo.c.orig 2006-02-07 14:51:03.000000000 +0100
+++ libtiff/tif_dirinfo.c 2006-08-02 17:18:41.000000000 +0200
@@ -775,7 +775,8 @@ _TIFFFieldWithTag(TIFF* tif, ttag_t tag)
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
"Internal error, unknown tag 0x%x",
(unsigned int) tag);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
@@ -789,7 +790,8 @@ _TIFFFieldWithName(TIFF* tif, const char
if (!fip) {
TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
"Internal error, unknown tag %s", field_name);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
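Review bot: With the `assert` commented out, the `/*NOTREACHED*/` marker that follows it is no longer true, here and in `_TIFFFieldWithTag` in the previous hunk: control now reaches `return (fip)` with `fip == NULL`, and every caller has to handle that. Delete the assert instead of leaving it commented out, and replace the marker with a comment stating that NULL is returned for an unknown tag, so the contract the other SA21304 patches rely on is written down where it is defined.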

View file

@ -1,308 +0,0 @@
$NetBSD: patch-ax,v 1.5 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_dirread.c.orig 2006-03-21 17:42:50.000000000 +0100
+++ libtiff/tif_dirread.c 2006-08-02 17:18:41.000000000 +0200
@@ -81,6 +81,7 @@ TIFFReadDirectory(TIFF* tif)
uint16 dircount;
toff_t nextdiroff;
int diroutoforderwarning = 0;
+ int compressionknown = 0;
toff_t* new_dirlist;
tif->tif_diroff = tif->tif_nextdiroff;
@@ -147,13 +148,20 @@ TIFFReadDirectory(TIFF* tif)
} else {
toff_t off = tif->tif_diroff;
- if (off + sizeof (uint16) > tif->tif_size) {
+ /*
+ * Check for integer overflow when validating the dir_off, otherwise
+ * a very high offset may cause an OOB read and crash the client.
+ * -- taviso@google.com, 14 Jun 2006.
+ */
+ if (off + sizeof (uint16) > tif->tif_size ||
+ off + sizeof (uint16) < off) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Can not read TIFF directory count",
tif->tif_name);
return (0);
} else
- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
+ _TIFFmemcpy(&dircount, tif->tif_base + off,
+ sizeof (uint16));
off += sizeof (uint16);
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabShort(&dircount);
@@ -254,6 +262,7 @@ TIFFReadDirectory(TIFF* tif)
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
+
if (fix >= tif->tif_nfields ||
tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
@@ -264,17 +273,23 @@ TIFFReadDirectory(TIFF* tif)
dp->tdir_tag,
dp->tdir_tag,
dp->tdir_type);
+ /*
+ * creating anonymous fields prior to knowing the compression
+ * algorithm (ie, when the field info has been merged) could cause
+ * crashes with pathological directories.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if (compressionknown)
+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
+ (TIFFDataType) dp->tdir_type), 1 );
+ else goto ignore;
- TIFFMergeFieldInfo(tif,
- _TIFFCreateAnonFieldInfo(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1 );
fix = 0;
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
}
+
/*
* Null out old tags that we ignore.
*/
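Review bot: Gating `TIFFMergeFieldInfo` on `compressionknown` makes the result depend on entry order: an unknown tag that is processed before the Compression entry now takes `goto ignore` and is dropped, even in an otherwise well-formed file. The new comment explains the crash being avoided but not this side effect, so it should say that such tags are deliberately ignored, and a warning naming the skipped tag would help when diagnosing files that lose private tags. Putting `else goto ignore;` on its own lines with braces would also match the surrounding style.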
@@ -326,6 +341,7 @@ TIFFReadDirectory(TIFF* tif)
dp->tdir_type, dp->tdir_offset);
if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
goto bad;
+ else compressionknown++;
break;
/* XXX: workaround for broken TIFFs */
} else if (dp->tdir_type == TIFF_LONG) {
@@ -540,6 +556,7 @@ TIFFReadDirectory(TIFF* tif)
* Attempt to deal with a missing StripByteCounts tag.
*/
if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* Some manufacturers violate the spec by not giving
* the size of the strips. In this case, assume there
@@ -556,7 +573,7 @@ TIFFReadDirectory(TIFF* tif)
"%s: TIFF directory is missing required "
"\"%s\" field, calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
/*
@@ -580,6 +597,7 @@ TIFFReadDirectory(TIFF* tif)
} else if (td->td_nstrips == 1
&& td->td_stripoffset[0] != 0
&& BYTECOUNTLOOKSBAD) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Plexus (and others) sometimes give a value of zero for
* a tag when they don't know what the correct value is! Try
@@ -589,13 +607,14 @@ TIFFReadDirectory(TIFF* tif)
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if(EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
&& td->td_nstrips > 2
&& td->td_compression == COMPRESSION_NONE
&& td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* XXX: Some vendors fill StripByteCount array with absolutely
* wrong values (it can be equal to StripOffset array, for
@@ -604,7 +623,7 @@ TIFFReadDirectory(TIFF* tif)
TIFFWarningExt(tif->tif_clientdata, module,
"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
}
@@ -870,7 +889,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
register TIFFDirEntry *dp;
register TIFFDirectory *td = &tif->tif_dir;
- uint16 i;
+
+ /* i is used to iterate over td->td_nstrips, so must be
+ * at least the same width.
+ * -- taviso@google.com 15 Jun 2006
+ */
+
+ uint32 i;
if (td->td_stripbytecount)
_TIFFfree(td->td_stripbytecount);
@@ -947,16 +972,18 @@ MissingRequired(TIFF* tif, const char* t
static int
CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
{
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+
if (count > dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (0);
} else if (count < dir->tdir_count) {
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (1);
}
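Review bot: Looking up `fip` at the top of `CheckDirCount` means `_TIFFFieldWithTag` runs on every call, including the common case where the counts match and the name is never used; for an unknown tag that lookup itself reports "Internal error, unknown tag" through `TIFFErrorExt` (see the tif_dirinfo.c patch), so a spurious error is logged on the success path. Doing the lookup inside the two warning branches, as `cvtRational` does in this same patch, avoids both the extra message and the wasted search. The `TIFFFetchData` hunk that follows has the same pattern.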
@@ -970,6 +997,7 @@ static tsize_t
TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
{
int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
tsize_t cc = dir->tdir_count * w;
/* Check for overflow. */
@@ -1013,7 +1041,7 @@ TIFFFetchData(TIFF* tif, TIFFDirEntry* d
bad:
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Error fetching data for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
return (tsize_t) 0;
}
@@ -1039,10 +1067,12 @@ TIFFFetchString(TIFF* tif, TIFFDirEntry*
static int
cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
{
+ const TIFFFieldInfo* fip;
if (denom == 0) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"%s: Rational with zero denominator (num = %lu)",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
+ fip ? fip->field_name : "Unknown", num);
return (0);
} else {
if (dir->tdir_type == TIFF_RATIONAL)
@@ -1159,6 +1189,20 @@ TIFFFetchShortArray(TIFF* tif, TIFFDirEn
static int
TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
{
+ /*
+ * Prevent overflowing the v stack arrays below by performing a sanity
+ * check on tdir_count, this should never be greater than two.
+ * -- taviso@google.com 14 Jun 2006.
+ */
+ if (dir->tdir_count > 2) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
+ fip ? fip->field_name : "Unknown",
+ dir->tdir_count);
+ return 0;
+ }
+
switch (dir->tdir_type) {
case TIFF_BYTE:
case TIFF_SBYTE:
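Review bot: The guard tests `dir->tdir_count > 2` while the warning text says "expected 2", so counts of 0 and 1 pass the check yet contradict the message. If exactly two values are required, test `dir->tdir_count != 2`; if fewer are acceptable, reword the message to "at most 2". The bare `return 0;` also differs from the `return (0);` form used by the rest of this patch.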
@@ -1329,14 +1373,15 @@ TIFFFetchAnyArray(TIFF* tif, TIFFDirEntr
case TIFF_DOUBLE:
return (TIFFFetchDoubleArray(tif, dir, (double*) v));
default:
+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
/* TIFF_NOTYPE */
/* TIFF_ASCII */
/* TIFF_UNDEFINED */
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"cannot read TIFF_ANY type %d for field \"%s\"",
dir->tdir_type,
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
- return (0);
+ fip ? fip->field_name : "Unknown");
+ return (0); }
}
return (1);
}
@@ -1351,6 +1396,9 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt
int ok = 0;
const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ if (fip == NULL) {
+ return (0);
+ }
if (dp->tdir_count > 1) { /* array of values */
char* cp = NULL;
@@ -1493,6 +1541,7 @@ static int
TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1510,9 +1559,10 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFF
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1534,6 +1584,7 @@ static int
TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1551,9 +1602,10 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFD
check_count = samples;
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1574,6 +1626,7 @@ static int
TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1591,9 +1644,10 @@ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDi
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];

@ -1,29 +0,0 @@
$NetBSD: patch-ay,v 1.3 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_fax3.c.orig 2006-03-21 17:42:50.000000000 +0100
+++ libtiff/tif_fax3.c 2006-08-02 17:18:41.000000000 +0200
@@ -1136,6 +1136,7 @@ static int
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
{
Fax3BaseState* sp = Fax3State(tif);
+ const TIFFFieldInfo* fip;
assert(sp != 0);
assert(sp->vsetparent != 0);
@@ -1181,7 +1182,13 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
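Review bot: In Fax3VSetField the failed lookup is detected only after the switch has completed, so whatever a non-default case did has already taken effect by the time the function returns 0, and no diagnostic is emitted. Consider doing the `_TIFFFieldWithTag(tif, tag)` lookup before the switch, or at least reporting the tag via TIFFErrorExt here. The assignment inside the `if` condition would also read more clearly as a separate statement.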

@ -1,119 +0,0 @@
$NetBSD: patch-az,v 1.1 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_jpeg.c.orig 2006-03-21 17:42:50.000000000 +0100
+++ libtiff/tif_jpeg.c 2006-08-02 17:18:41.000000000 +0200
@@ -722,8 +722,8 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
segment_width = TIFFhowmany(segment_width, sp->h_sampling);
segment_height = TIFFhowmany(segment_height, sp->v_sampling);
}
- if (sp->cinfo.d.image_width != segment_width ||
- sp->cinfo.d.image_height != segment_height) {
+ if (sp->cinfo.d.image_width < segment_width ||
+ sp->cinfo.d.image_height < segment_height) {
TIFFWarningExt(tif->tif_clientdata, module,
"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
segment_width,
@@ -731,6 +731,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
sp->cinfo.d.image_width,
sp->cinfo.d.image_height);
}
+
+ if (sp->cinfo.d.image_width > segment_width ||
+ sp->cinfo.d.image_height > segment_height) {
+ /*
+ * This case could be dangerous, if the strip or tile size has been
+ * reported as less than the amount of data jpeg will return, some
+ * potential security issues arise. Catch this case and error out.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "JPEG strip/tile size exceeds expected dimensions,"
+ "expected %dx%d, got %dx%d", segment_width, segment_height,
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ return (0);
+ }
+
if (sp->cinfo.d.num_components !=
(td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1)) {
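Review bot: The two adjacent string literals in the new TIFFErrorExt call concatenate to "dimensions,expected" with no space after the comma; add a leading space to the second literal. It is also worth a sentence in the comment that the earlier warning now fires only for the smaller-than-expected case, since the two conditions read as a pair.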
@@ -762,6 +778,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
sp->h_sampling, sp->v_sampling);
/*
+ * There are potential security issues here for decoders that
+ * have already allocated buffers based on the expected sampling
+ * factors. Lets check the sampling factors dont exceed what
+ * we were expecting.
+ * -- taviso@google.com 14 June 2006
+ */
+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot honour JPEG sampling factors that"
+ " exceed those specified.");
+ return (0);
+ }
+
+
+ /*
* XXX: Files written by the Intergraph software
* has different sampling factors stored in the
* TIFF tags and in the JPEG structures. We will
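Review bot: The new sampling-factor check in JPEGPreDecode compares only `comp_info[0]` against sp->h_sampling and sp->v_sampling, yet the comment speaks of "the sampling factors" in general. If the remaining components can also influence how much data is written into buffers sized from the TIFF tags, they need the same bound; otherwise state in the comment why component 0 is sufficient.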
@@ -1521,15 +1553,18 @@ JPEGCleanup(TIFF* tif)
{
JPEGState *sp = JState(tif);
- assert(sp != 0);
+ /* assert(sp != 0); */
tif->tif_tagmethods.vgetfield = sp->vgetparent;
tif->tif_tagmethods.vsetfield = sp->vsetparent;
+ if (sp != NULL) {
if( sp->cinfo_initialized )
TIFFjpeg_destroy(sp); /* release libjpeg resources */
if (sp->jpegtables) /* tag value */
_TIFFfree(sp->jpegtables);
+ }
+
_TIFFfree(tif->tif_data); /* release local state */
tif->tif_data = NULL;
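Review bot: In JPEGCleanup the added `if (sp != NULL)` guard comes too late: `sp->vgetparent` and `sp->vsetparent` are dereferenced on the two lines just above it, which the commented-out assert no longer protects. Move the two tif_tagmethods assignments inside the guard (or return early when sp is NULL), and delete the assert rather than leaving it commented out.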
@@ -1541,6 +1576,7 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
{
JPEGState* sp = JState(tif);
TIFFDirectory* td = &tif->tif_dir;
+ const TIFFFieldInfo* fip;
uint32 v32;
assert(sp != NULL);
@@ -1606,7 +1642,13 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
@@ -1726,7 +1768,11 @@ JPEGPrintDir(TIFF* tif, FILE* fd, long f
{
JPEGState* sp = JState(tif);
- assert(sp != NULL);
+ /* assert(sp != NULL); */
+ if (sp == NULL) {
+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
+ return;
+ }
(void) flags;
if (TIFFFieldSet(tif,FIELD_JPEGTABLES))

@ -1,24 +0,0 @@
$NetBSD: patch-ba,v 1.1 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_next.c.orig 2005-12-21 13:33:56.000000000 +0100
+++ libtiff/tif_next.c 2006-08-02 17:18:41.000000000 +0200
@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso@google.com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < scanline)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
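Review bot: The new loop bound in NeXTDecode tests `npixels < scanline`, while the exit test immediately below compares npixels against `(int) imagewidth`. Please confirm that scanline and imagewidth are in the same units here; if scanline is a byte count rather than a pixel count, the two conditions disagree and the inner loop can stop before the outer `break` condition is ever met. The explanatory comment would also sit better directly above the `while` than above `op = row;`.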

@ -1,27 +0,0 @@
$NetBSD: patch-bb,v 1.1 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_pixarlog.c.orig 2006-03-21 17:42:50.000000000 +0100
+++ libtiff/tif_pixarlog.c 2006-08-02 17:18:41.000000000 +0200
@@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, t
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
- for (i = 0; i < nsamples; i += llen, up += llen) {
+ /*
+ * if llen is not an exact multiple of nsamples, the decode operation
+ * may overflow the output buffer, so truncate it enough to prevent that
+ * but still salvage as much data as possible.
+ * -- taviso@google.com 14th June 2006
+ */
+ if (nsamples % llen)
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: stride %lu is not a multiple of sample count, "
+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
+
+
+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalAccumulateF(up, llen, sp->stride,
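Review bot: The comment in PixarLogDecode says "if llen is not an exact multiple of nsamples", but the code tests `nsamples % llen`, that is, whether nsamples is a multiple of llen; the comment should be reworded to match. Nothing in this hunk rules out llen being 0 before the modulo, so that case needs an explicit check, and the truncated bound `nsamples - (nsamples % llen)` is better computed once into a local than re-evaluated in the loop condition.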

@ -1,37 +0,0 @@
$NetBSD: patch-bc,v 1.1 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_read.c.orig 2005-12-21 13:33:56.000000000 +0100
+++ libtiff/tif_read.c 2006-08-02 17:18:41.000000000 +0200
@@ -272,7 +272,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip)
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+ /*
+ * This sanity check could potentially overflow, causing an OOB read.
+ * verify that offset + bytecount is > offset.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+ (td->td_stripoffset[strip] + bytecount) < td->td_stripoffset[strip]) {
/*
* This error message might seem strange, but it's
* what would happen if a read were done instead.
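Review bot: The added wrap test in TIFFFillStrip still evaluates `td->td_stripoffset[strip] + bytecount` and only then compares the result, so it is correct only if that sum wraps in unsigned arithmetic. A form that avoids the addition (reject when the offset exceeds tif->tif_size, or when bytecount exceeds tif->tif_size minus the offset) does not depend on wraparound. The comment also says the sum must be "> offset" while the code rejects only `<`, so one of the two should be adjusted. The same applies to the TIFFFillTile hunk that follows.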
@@ -470,7 +476,14 @@ TIFFFillTile(TIFF* tif, ttile_t tile)
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+ /*
+ * We must check this calculation doesnt overflow, potentially
+ * causing an OOB read.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if ( td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+ (td->td_stripoffset[tile] + bytecount) <
+ td->td_stripoffset[tile]) {
tif->tif_curtile = NOTILE;
return (0);
}

@ -1,47 +0,0 @@
$NetBSD: patch-ca,v 1.1 2009/07/19 11:45:09 tron Exp $
Patch for CVE-2009-2347, taken from here:
http://bugzilla.maptools.org/show_bug.cgi?id=2079
--- tools/rgb2ycbcr.c.orig 2004-09-03 08:57:13.000000000 +0100
+++ tools/rgb2ycbcr.c 2009-07-19 12:39:06.000000000 +0100
@@ -202,6 +202,17 @@
#undef LumaBlue
#undef V2Code
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
/*
* Convert a strip of RGB data to YCbCr and
* sample to generate the output data.
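Review bot: multiply() computes `prod = m1 * m2` first and tests for overflow afterwards with `prod / m1 != m2`; if tsize_t is a signed type, the overflowing multiplication is already undefined behaviour and the compiler is free to drop the test. Check before multiplying (compare m2 against the type's maximum divided by m1), and add a short comment that a return of 0 means overflow, since the caller treats any zero product as an allocation failure.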
@@ -278,10 +289,19 @@
float floatv;
char *stringv;
uint32 longv;
+ tsize_t raster_size;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);

@ -1,126 +0,0 @@
$NetBSD: patch-cb,v 1.1 2009/07/19 11:45:09 tron Exp $
Patch for CVE-2009-2347, taken from here:
http://bugzilla.maptools.org/show_bug.cgi?id=2079
--- tools/tiff2rgba.c.orig 2004-11-07 11:08:37.000000000 +0000
+++ tools/tiff2rgba.c 2009-07-19 12:39:06.000000000 +0100
@@ -124,6 +124,17 @@
return (0);
}
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
static int
cvt_by_tile( TIFF *in, TIFF *out )
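Review bot: This static multiply() in tools/tiff2rgba.c is a line-for-line copy of the helper added to tools/rgb2ycbcr.c in the same patch set. Two private copies of an overflow check will drift apart; consider placing one definition in a header shared by the tools so a later fix reaches both.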
@@ -133,6 +144,7 @@
uint32 tile_width, tile_height;
uint32 row, col;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -150,7 +162,14 @@
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) tile_width, (unsigned long) tile_height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -158,7 +177,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
if (!wrk_line) {
@@ -226,6 +245,7 @@
uint32 width, height; /* image width & height */
uint32 row;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -241,7 +261,14 @@
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) rowsperstrip);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -249,7 +276,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
if (!wrk_line) {
@@ -328,14 +355,22 @@
uint32* raster; /* retrieve RGBA image */
uint32 width, height; /* image width & height */
uint32 row;
-
+ tsize_t raster_size;
+
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -353,7 +388,7 @@
*/
if( no_alpha )
{
- int pixel_count = width * height;
+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
unsigned char *src, *dst;
src = (unsigned char *) raster;