Hello community, here is the log from the commit of package tiff.3578 for openSUSE:13.1:Update checked in at 2015-03-09 10:52:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/tiff.3578 (Old) and /work/SRC/openSUSE:13.1:Update/.tiff.3578.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff.3578" Changes: -------- New Changes file: --- /dev/null 2015-02-28 12:43:00.252025756 +0100 +++ /work/SRC/openSUSE:13.1:Update/.tiff.3578.new/tiff.changes 2015-03-09 10:52:49.000000000 +0100 @@ -0,0 +1,573 @@ +------------------------------------------------------------------- +Mon Feb 16 08:14:26 UTC 2015 - pgaj...@suse.com + +- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128, + CVE-2014-8129, CVE-2014-8130, CVE-2015-1547 + bnc#914890, bnc#916925, bnc#916927 + + erouault.2856.patch + + erouault.2857.patch + + erouault.2858.patch + + erouault.2859.patch + + erouault.2860.patch + + erouault.2861.patch + + erouault.2862.patch + + erouault.2863.patch + + erouault.2876.patch + + bfriesen.2805.patch + + tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch + + tiff-handle-TIFFTAG_PREDICTOR.patch + + tiff-dither-malloc-check.patch + +------------------------------------------------------------------- +Wed Aug 21 12:57:57 UTC 2013 - pgaj...@suse.com + +- security update + * CVE-2013-4232.patch [bnc#834477] + * CVE-2013-4231.patch [bnc#834477] + * CVE-2013-4244.patch [bnc#834788] + * CVE-2013-4243.patch [bnc#834779] + +------------------------------------------------------------------- +Wed Jun 26 10:48:50 UTC 2013 - pgaj...@suse.com + +- tiff2pdf: introduced warning when the compression isn't lzw or + none [bnc#819142] +- tiff2pdf: fixed crash [bnc#821872] + +------------------------------------------------------------------- +Tue Apr 30 13:20:50 UTC 2013 - pgaj...@suse.com + +- security update + * CVE-2013-1961.patch [bnc#818117] + * CVE-2013-1960.patch [bnc#817573] + +------------------------------------------------------------------- +Fri Apr 5 10:23:51 UTC 2013 - idon...@suse.com + +- Add Source URL, see https://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Mon Nov 5 09:27:59 UTC 2012 - pgaj...@suse.com + +- updated to 4.0.3: + * Add some TIFF/FX support in libtiff. + * Fix bug rewriting image tiles in a compressed file. + * Fix read past end of data buffer. + * etc., see ChangeLog +- removed upstreamed patches: + * bigendian.patch + * dont-fancy-upsampling.patch + * CVE-2012-3401.patch +- new patch: + * test-jpeg-turbo.patch + * CVE-2012-4564.patch [bnc#787892] + +------------------------------------------------------------------- +Mon Jul 23 09:52:50 UTC 2012 - pgaj...@suse.com + +- fixed CVE-2012-3401 [bnc#770816] + +------------------------------------------------------------------- +Thu Jun 28 10:16:29 UTC 2012 - meiss...@suse.com + +- RGBA is packed in host order, use the right macros to unpack + and verify in raw_decode test. + +------------------------------------------------------------------- +Wed Jun 20 09:29:37 UTC 2012 - pgaj...@suse.com + +- updated to 4.0.2: [bnc#767852] [bnc#767854] + tif_getimage.c: added support for _SEPARATED CMYK images. + tif_getimage.c: Added support for greyscale + alpha. + Added TIFFCreateCustomDirectory() and TIFFCreateEXIFDirectory() functions. + tif_print.c: Lots of fixes around printing corrupt or hostile input. + Improve handling of corrupt ycbcrsubsampling values. + tif_unix.c: use strerror to get meaningful error messages. + tif_jpeg.c: fix serious bugs in JPEGDecodeRaw(). + tif_jpeg.c: Fix size overflow (zdi-can-1221,CVE-2012-1173). + tiff2pdf: Defend against integer overflows while calculating required + buffer sizes (CVE-2012-2113). + +------------------------------------------------------------------- +Tue Apr 10 17:37:25 UTC 2012 - br...@aljex.com + +- Fix building on older targets from SUSE 10.0 to current. +- Add jbig support + +------------------------------------------------------------------- +Thu Mar 29 09:51:49 UTC 2012 - idon...@suse.com + +- Add lzma support +- Implement %check +- Drop visibility patch because it breaks compilation + +------------------------------------------------------------------- +Wed Mar 28 18:06:34 UTC 2012 - i...@marguerite.su + +- change package name libtiff4 to libtiff5. + library number is 5 actually. + +------------------------------------------------------------------- +Wed Mar 28 17:29:16 UTC 2012 - i...@marguerite.su + +- Update to 4.0.1 + * configure.ac + - Add libtiff private dependency on -llzma for pkg-config + - Add support for using library symbol versioning on + ELF systems with the GNU linker. + * libtiff/tif_win32.c: Eliminate some minor 64-bit warnings in + tif_win32.c + * libtiff/tif_jpeg.c: Extra caution for case where sp is NULL. + * libtiff/tif_dir.c, libtiff/tif_dirread.c: Extra caution around + assumption tag fetching is always successful. + * libtiff/tiffio.h: Use double-underbar syntax in GCC printf + attribute specification to lessen the risk of accidental macro + substitution. + * Update automake used to 1.11.3. + +------------------------------------------------------------------- +Wed Mar 28 12:12:23 UTC 2012 - cfarr...@suse.com + +- license update: HPND + tiff license most akin to spdx recognised + http://www.spdx.org/licenses/HPND + +------------------------------------------------------------------- +Tue Jan 10 01:21:45 UTC 2012 - crrodrig...@opensuse.org + +- remove libjpeg-devel and zlib-devel from libtiff-devel + requires as they are _not_ required to use the library. + Now, this _will_ break packages with wrong buildrequires + for good. + +------------------------------------------------------------------- +Tue Jan 10 00:55:53 UTC 2012 - crrodrig...@opensuse.org + +- Hide private symbols using gcc visibility, this has been + applied only to functions that the source code clearly states + that are internal to the library. +- Run spec cleaner + +------------------------------------------------------------------- +Wed Nov 23 09:31:16 UTC 2011 - co...@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Fri Aug 5 21:09:33 UTC 2011 - crrodrig...@opensuse.org + +- Do not use -fno-strict-aliasing, no longer needed + and will probably slow down the code. +- Fix self-obsoletion warning + +------------------------------------------------------------------- +Thu Apr 14 14:02:12 CEST 2011 - pgaj...@suse.cz + +- updated to 3.9.5: + * fixed integer overflow CVE-2010-4665 + * fixed buffer overflow in ojpeg decoder + * upstreamed: + - oob-read.patch + - CVE-2011-0192.patch + - getimage-64bit.patch + - CVE-2011-1167.patch + - scanlinesize.patch + +------------------------------------------------------------------- +Thu Mar 31 21:49:49 CEST 2011 - pgaj...@suse.cz + +- fixed regression caused by previous update [bnc#682871] + * modified CVE-2011-0192.patch +- fixed buffer overflow in thunder decoder [bnc#683337] + * added CVE-2011-1167.patch + +------------------------------------------------------------------- +Thu Feb 17 15:40:54 CET 2011 - pgaj...@suse.cz + +- fixed buffer overflow [bnc#672510] + * CVE-2011-0192.patch + +------------------------------------------------------------------- +Mon Sep 6 14:56:09 CEST 2010 - pgaj...@suse.cz + +- fixed "Possibly exploitable memory corruption issue in libtiff" + (see http://bugzilla.maptools.org/show_bug.cgi?id=2228) + [bnc#624215] + * scanlinesize.patch +- fixed crash while using libjpeg7 and higher ++++ 376 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.tiff.3578.new/tiff.changes New: ---- README.SUSE baselibs.conf bfriesen.2805.patch erouault.2856.patch erouault.2857.patch erouault.2858.patch erouault.2859.patch erouault.2860.patch erouault.2861.patch erouault.2862.patch erouault.2863.patch erouault.2876.patch tiff-4.0.3-CVE-2012-4564.patch tiff-4.0.3-CVE-2013-1960.patch tiff-4.0.3-CVE-2013-1961.patch tiff-4.0.3-CVE-2013-4231.patch tiff-4.0.3-CVE-2013-4232.patch tiff-4.0.3-CVE-2013-4243.patch tiff-4.0.3-CVE-2013-4244.patch tiff-4.0.3-compress-warning.patch tiff-4.0.3-double-free.patch tiff-4.0.3-seek.patch tiff-4.0.3-test-jpeg-turbo.patch tiff-4.0.3-tiff2pdf-colors.patch tiff-4.0.3.tar.gz tiff-dither-malloc-check.patch tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch tiff-handle-TIFFTAG_PREDICTOR.patch tiff.changes tiff.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ # # spec file for package tiff # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: tiff BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool %if 0%{?suse_version} > 1030 BuildRequires: lzma-devel %endif %if 0%{?suse_version} <= 1000 BuildRequires: pkgconfig %endif %if 0%{?suse_version} > 1000 BuildRequires: pkg-config %endif BuildRequires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: tiff-64bit %endif %if 0%{?suse_version} > 1210 BuildRequires: libjbig-devel %endif Version: 4.0.3 Release: 0 Summary: Tools for Converting from and to the Tiff Format License: HPND Group: Productivity/Graphics/Convertors Url: http://www.remotesensing.org/libtiff Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz Source2: README.SUSE Source3: baselibs.conf Patch0: tiff-%{version}-test-jpeg-turbo.patch Patch1: tiff-%{version}-seek.patch Patch2: tiff-%{version}-tiff2pdf-colors.patch Patch3: tiff-%{version}-CVE-2012-4564.patch Patch4: tiff-%{version}-CVE-2013-1961.patch Patch5: tiff-%{version}-CVE-2013-1960.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2443 Patch6: tiff-%{version}-double-free.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch7: tiff-%{version}-compress-warning.patch Patch8: tiff-4.0.3-CVE-2013-4232.patch Patch9: tiff-4.0.3-CVE-2013-4231.patch Patch10: tiff-4.0.3-CVE-2013-4244.patch Patch11: tiff-4.0.3-CVE-2013-4243.patch Patch12: erouault.2856.patch Patch13: erouault.2857.patch Patch14: erouault.2858.patch Patch15: erouault.2859.patch Patch16: erouault.2860.patch Patch17: erouault.2861.patch Patch18: erouault.2862.patch Patch19: erouault.2863.patch Patch20: erouault.2876.patch Patch21: bfriesen.2805.patch Patch22: tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch Patch23: tiff-handle-TIFFTAG_PREDICTOR.patch Patch24: tiff-dither-malloc-check.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package contains the library and support programs for the TIFF image format. %package -n libtiff5 Summary: The Tiff Library (with JPEG and compression support) Group: System/Libraries Provides: libtiff = %{version} # bug437293 %ifarch ppc64 Obsoletes: libtiff-64bit %endif # %description -n libtiff5 This package includes the tiff libraries. To link a program with libtiff, you will have to add -ljpeg and -lz to include the necessary libjpeg and libz in the linking process. %package -n libtiff-devel Summary: Development Tools for Programs which will use the libtiff Library Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libstdc++-devel Requires: libtiff5 = %{version} # bug437293 %ifarch ppc64 Obsoletes: tiff-devel-64bit %endif # %description -n libtiff-devel This package contains the header files and static libraries for developing programs which will manipulate TIFF format image files using the libtiff library. %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 %patch4 %patch5 %patch6 %patch7 -p1 %patch8 %patch9 %patch10 %patch11 %patch12 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 %patch19 -p1 %patch20 -p1 %patch21 -p1 %patch22 %patch23 %patch24 %build %configure --disable-static --with-pic make %{?_smp_mflags} %install mkdir -p %{buildroot}/{%{_mandir}/{man1,man3},usr/{bin,lib,include}} %makeinstall for f in `find %{buildroot}/%{_mandir} -type f -print ` ; do if [ `wc -l <$f` -eq 1 ] && grep -q "^\.so " $f ; then linkto=`sed -e "s|^\.so ||" $f` [ -f "`dirname $f`/$linkto" ] && ln -sf "$linkto" $f fi done cp %{SOURCE2} . rm -rf %{buildroot}%{_datadir}/doc/tiff* rm -f %{buildroot}/%{_libdir}/*.la find html -name "Makefile*" | xargs rm %check cd test make %{?_smp_mflags} check %post -n libtiff5 -p /sbin/ldconfig %postun -n libtiff5 -p /sbin/ldconfig %files %defattr(-,root,root) %{_bindir}/* %doc html %doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE %doc %{_mandir}/man1/* %files -n libtiff5 %defattr(-,root,root) %doc README COPYRIGHT README.SUSE %{_libdir}/*.so.* %files -n libtiff-devel %defattr(-,root,root) %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %doc %{_mandir}/man3/* %changelog ++++++ README.SUSE ++++++ The documentation for tiff programs and library is in package tiff in directory /usr/share/doc/packages/tiff.++++++ baselibs.conf ++++++ libtiff5 obsoletes "libtiff-<targettype> <= <version>" provides "libtiff-<targettype> = <version>" libtiff-devel requires -libtiff-<targettype> requires "libtiff5-<targettype> = <version>" ++++++ bfriesen.2805.patch ++++++ --------------------- PatchSet 2805 Date: 2012/11/18 19:51:52 Author: bfriesen Branch: HEAD Tag: (none) Log: * libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not require malloc() to return NULL pointer if requested allocation size is zero. Assure that _TIFFmalloc does. Members: ChangeLog:1.924->1.925 libtiff/tif_unix.c:1.23->1.24 libtiff/tif_vms.c:1.11->1.12 libtiff/tif_win32.c:1.39->1.40 Index: libtiff/libtiff/tif_unix.c diff -u libtiff/libtiff/tif_unix.c:1.23 libtiff/libtiff/tif_unix.c:1.24 --- libtiff/libtiff/tif_unix.c:1.23 Fri Jun 1 16:40:59 2012 +++ libtiff/libtiff/tif_unix.c Sun Nov 18 12:51:52 2012 @@ -257,6 +257,9 @@ void* _TIFFmalloc(tmsize_t s) { + if (s == 0) + return ((void *) NULL); + return (malloc((size_t) s)); } ++++++ erouault.2856.patch ++++++ --------------------- PatchSet 2856 Date: 2014/12/21 17:15:31 Author: erouault Branch: HEAD Tag: (none) Log: Fix various crasher bugs on fuzzed images. * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1 * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * tools/tiffdump.c: fix crash due to overflow of entry count. Members: ChangeLog:1.960->1.961 libtiff/tif_dir.c:1.117->1.118 libtiff/tif_dirread.c:1.180->1.181 libtiff/tif_getimage.c:1.82->1.83 libtiff/tif_next.c:1.13->1.14 tools/bmp2tiff.c:1.23->1.24 tools/tiff2pdf.c:1.77->1.78 tools/tiffcrop.c:1.23->1.24 tools/tiffdump.c:1.28->1.29 Index: libtiff/libtiff/tif_dir.c diff -u libtiff/libtiff/tif_dir.c:1.117 libtiff/libtiff/tif_dir.c:1.118 --- libtiff/libtiff/tif_dir.c:1.117 Thu Nov 20 11:47:21 2014 +++ libtiff/libtiff/tif_dir.c Sun Dec 21 10:15:31 2014 @@ -160,6 +160,7 @@ TIFFDirectory* td = &tif->tif_dir; int status = 1; uint32 v32, i, v; + double dblval; char* s; const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); uint32 standard_tag = tag; @@ -284,10 +285,16 @@ setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); break; case TIFFTAG_XRESOLUTION: - td->td_xresolution = (float) va_arg(ap, double); + dblval = va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = (float) dblval; break; case TIFFTAG_YRESOLUTION: - td->td_yresolution = (float) va_arg(ap, double); + dblval = va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = (float) dblval; break; case TIFFTAG_PLANARCONFIG: v = (uint16) va_arg(ap, uint16_vap); @@ -694,6 +701,16 @@ va_end(ap); } return (0); +badvaluedouble: + { + const TIFFField* fip=TIFFFieldWithTag(tif,tag); + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Bad value %f for \"%s\" tag", + tif->tif_name, dblval, + fip ? fip->field_name : "Unknown"); + va_end(ap); + } + return (0); } /* Index: libtiff/libtiff/tif_dirread.c diff -u libtiff/libtiff/tif_dirread.c:1.180 libtiff/libtiff/tif_dirread.c:1.181 --- libtiff/libtiff/tif_dirread.c:1.180 Thu Nov 20 11:47:21 2014 +++ libtiff/libtiff/tif_dirread.c Sun Dec 21 10:15:31 2014 @@ -3430,6 +3430,8 @@ const TIFFField* fip; uint32 fii=FAILED_FII; toff_t nextdiroff; + int bitspersample_read = FALSE; + tif->tif_diroff=tif->tif_nextdiroff; if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) return 0; /* last offset or bad offset (IFD looping) */ @@ -3706,6 +3708,8 @@ } if (!TIFFSetField(tif,dp->tdir_tag,value)) goto bad; + if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) + bitspersample_read = TRUE; } break; case TIFFTAG_SMINSAMPLEVALUE: @@ -3763,6 +3767,19 @@ uint32 countrequired; uint32 incrementpersample; uint16* value=NULL; + /* It would be dangerous to instanciate those tag values */ + /* since if td_bitspersample has not yet been read (due to */ + /* unordered tags), it could be read afterwards with a */ + /* values greater than the default one (1), which may cause */ + /* crashes in user code */ + if( !bitspersample_read ) + { + fip = TIFFFieldWithTag(tif,dp->tdir_tag); + TIFFWarningExt(tif->tif_clientdata,module, + "Ignoring %s since BitsPerSample tag not found", + fip ? fip->field_name : "unknown tagname"); + continue; + } countpersample=(1L<<tif->tif_dir.td_bitspersample); if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) { Index: libtiff/libtiff/tif_getimage.c diff -u libtiff/libtiff/tif_getimage.c:1.82 libtiff/libtiff/tif_getimage.c:1.83 --- libtiff/libtiff/tif_getimage.c:1.82 Tue Jun 5 19:17:49 2012 +++ libtiff/libtiff/tif_getimage.c Sun Dec 21 10:15:31 2014 @@ -1,4 +1,4 @@ -/* $Id: tif_getimage.c,v 1.82 2012-06-06 00:17:49 fwarmerdam Exp $ */ +/* $Id: tif_getimage.c,v 1.83 2014-12-21 15:15:31 erouault Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -182,8 +182,23 @@ "Planarconfiguration", td->td_planarconfig); return (0); } + if( td->td_samplesperpixel != 3 ) + { + sprintf(emsg, + "Sorry, can not handle image with %s=%d", + "Samples/pixel", td->td_samplesperpixel); + return 0; + } break; case PHOTOMETRIC_CIELAB: + if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) + { + sprintf(emsg, + "Sorry, can not handle image with %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "Bits/sample", td->td_bitspersample); + return 0; + } break; default: sprintf(emsg, "Sorry, can not handle image with %s=%d", Index: libtiff/libtiff/tif_next.c diff -u libtiff/libtiff/tif_next.c:1.13 libtiff/libtiff/tif_next.c:1.14 --- libtiff/libtiff/tif_next.c:1.13 Wed Mar 10 13:56:48 2010 +++ libtiff/libtiff/tif_next.c Sun Dec 21 10:15:32 2014 @@ -102,6 +102,8 @@ default: { uint32 npixels = 0, grey; uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; /* * The scanline is composed of a sequence of constant Index: libtiff/tools/bmp2tiff.c diff -u libtiff/tools/bmp2tiff.c:1.23 libtiff/tools/bmp2tiff.c:1.24 --- libtiff/tools/bmp2tiff.c:1.23 Wed Mar 10 13:56:49 2010 +++ libtiff/tools/bmp2tiff.c Sun Dec 21 10:15:32 2014 @@ -403,6 +403,13 @@ width = info_hdr.iWidth; length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; + if( width <= 0 || length <= 0 ) + { + TIFFError(infilename, + "Invalid dimensions of BMP file" ); + close(fd); + return -1; + } switch (info_hdr.iBitCount) { @@ -593,6 +600,14 @@ compr_size = file_hdr.iSize - file_hdr.iOffBits; uncompr_size = width * length; + /* Detect int overflow */ + if( uncompr_size / width != length ) + { + TIFFError(infilename, + "Invalid dimensions of BMP file" ); + close(fd); + return -1; + } comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); if (!comprbuf) { TIFFError(infilename, Index: libtiff/tools/tiff2pdf.c diff -u libtiff/tools/tiff2pdf.c:1.77 libtiff/tools/tiff2pdf.c:1.78 --- libtiff/tools/tiff2pdf.c:1.77 Tue Dec 9 21:53:30 2014 +++ libtiff/tools/tiff2pdf.c Sun Dec 21 10:15:32 2014 @@ -1167,6 +1167,15 @@ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) && (xuint16 == PLANARCONFIG_SEPARATE ) ){ TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); + if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) + { + TIFFError( + TIFF2PDF_MODULE, + "Invalid tile count, %s", + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->tiff_tiles[i].tiles_tilecount/= xuint16; } if( t2p->tiff_tiles[i].tiles_tilecount > 0){ @@ -1552,6 +1561,22 @@ #endif break; case PHOTOMETRIC_CIELAB: + if( t2p->tiff_samplesperpixel != 3){ + TIFFError( + TIFF2PDF_MODULE, + "Unsupported samplesperpixel = %d for CIELAB", + t2p->tiff_samplesperpixel); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if( t2p->tiff_bitspersample != 8){ + TIFFError( + TIFF2PDF_MODULE, + "Invalid bitspersample = %d for CIELAB", + t2p->tiff_bitspersample); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->pdf_labrange[0]= -127; t2p->pdf_labrange[1]= 127; t2p->pdf_labrange[2]= -127; @@ -1567,6 +1592,22 @@ t2p->pdf_colorspace=T2P_CS_LAB; break; case PHOTOMETRIC_ITULAB: + if( t2p->tiff_samplesperpixel != 3){ + TIFFError( + TIFF2PDF_MODULE, + "Unsupported samplesperpixel = %d for ITULAB", + t2p->tiff_samplesperpixel); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if( t2p->tiff_bitspersample != 8){ + TIFFError( + TIFF2PDF_MODULE, + "Invalid bitspersample = %d for ITULAB", + t2p->tiff_bitspersample); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->pdf_labrange[0]=-85; t2p->pdf_labrange[1]=85; t2p->pdf_labrange[2]=-75; Index: libtiff/tools/tiffcrop.c diff -u libtiff/tools/tiffcrop.c:1.23 libtiff/tools/tiffcrop.c:1.24 --- libtiff/tools/tiffcrop.c:1.23 Sun Dec 7 17:33:06 2014 +++ libtiff/tools/tiffcrop.c Sun Dec 21 10:15:32 2014 @@ -1205,9 +1205,10 @@ tsize_t tilesize = TIFFTileSize(out); unsigned char *tilebuf = NULL; - TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); - TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); - TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); + if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || + !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || + !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) + return 1; tile_buffsize = tilesize; if (tilesize < (tsize_t)(tl * tile_rowsize)) Index: libtiff/tools/tiffdump.c diff -u libtiff/tools/tiffdump.c:1.28 libtiff/tools/tiffdump.c:1.29 --- libtiff/tools/tiffdump.c:1.28 Sat Dec 6 10:58:44 2014 +++ libtiff/tools/tiffdump.c Sun Dec 21 10:15:32 2014 @@ -374,6 +374,8 @@ void* datamem; uint64 dataoffset; int datatruncated; + int datasizeoverflow; + tag = *(uint16*)dp; if (swabflag) TIFFSwabShort(&tag); @@ -412,13 +414,14 @@ else typewidth = datawidth[type]; datasize = count*typewidth; + datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); datafits = 1; datamem = dp; dataoffset = 0; datatruncated = 0; if (!bigtiff) { - if (datasize>4) + if (datasizeoverflow || datasize>4) { uint32 dataoffset32; datafits = 0; @@ -432,7 +435,7 @@ } else { - if (datasize>8) + if (datasizeoverflow || datasize>8) { datafits = 0; datamem = NULL; @@ -442,7 +445,7 @@ } dp += sizeof(uint64); } - if (datasize>0x10000) + if (datasizeoverflow || datasize>0x10000) { datatruncated = 1; count = 0x10000/typewidth; ++++++ erouault.2857.patch ++++++ --------------------- PatchSet 2857 Date: 2014/12/21 18:28:37 Author: erouault Branch: HEAD Tag: (none) Log: * tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none. Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480) Description: fix for Debian bug #741451 tiffcp crashes when converting JPEG-encoded TIFF to a different encoding (like none or lzw). For example this will probably fail: tiffcp -c none jpeg_encoded_file.tif output.tif The reason is that when the input file contains JPEG data, the tiffcp code forces conversion to RGB space. However, the output normally inherits YCbCr subsampling parameters from the input, which leads to a smaller working buffer than necessary. The buffer is subsequently overrun inside cpStripToTile() (called from writeBufferToContigTiles). Note that the resulting TIFF file would be scrambled even if tiffcp wouldn't crash, since the output file would contain RGB data intepreted as subsampled YCbCr values. This patch fixes the problem by forcing RGB space on the output TIF if the input is JPEG-encoded and output is *not* JPEG-encoded. Author: Tomasz Buchert <tomasz.buch...@inria.fr> Members: ChangeLog:1.961->1.962 tools/tiffcp.c:1.50->1.51 Index: libtiff/tools/tiffcp.c diff -u libtiff/tools/tiffcp.c:1.50 libtiff/tools/tiffcp.c:1.51 --- libtiff/tools/tiffcp.c:1.50 Tue Mar 5 22:35:09 2013 +++ libtiff/tools/tiffcp.c Sun Dec 21 11:28:37 2014 @@ -633,6 +633,12 @@ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, samplesperpixel == 1 ? PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV); + else if (input_compression == COMPRESSION_JPEG && + samplesperpixel == 3 ) { + /* RGB conversion was forced above + hence the output will be of the same type */ + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB); + } else CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT); if (fillorder != 0) ++++++ erouault.2858.patch ++++++ --------------------- PatchSet 2858 Date: 2014/12/21 19:36:36 Author: erouault Branch: HEAD Tag: (none) Log: * tools/tiff2pdf.c: check return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL Members: ChangeLog:1.962->1.963 tools/tiff2pdf.c:1.78->1.79 Index: libtiff/tools/tiff2pdf.c diff -u libtiff/tools/tiff2pdf.c:1.78 libtiff/tools/tiff2pdf.c:1.79 --- libtiff/tools/tiff2pdf.c:1.78 Sun Dec 21 10:15:32 2014 +++ libtiff/tools/tiff2pdf.c Sun Dec 21 12:36:36 2014 @@ -1166,7 +1166,15 @@ t2p->tiff_pages[i].page_tilecount; if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) && (xuint16 == PLANARCONFIG_SEPARATE ) ){ - TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); + if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) ) + { + TIFFError( + TIFF2PDF_MODULE, + "Missing SamplesPerPixel, %s", + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) { TIFFError( ++++++ erouault.2859.patch ++++++ --------------------- PatchSet 2859 Date: 2014/12/21 20:07:48 Author: erouault Branch: HEAD Tag: (none) Log: * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) Members: ChangeLog:1.963->1.964 libtiff/tif_next.c:1.14->1.15 Index: libtiff/libtiff/tif_next.c diff -u libtiff/libtiff/tif_next.c:1.14 libtiff/libtiff/tif_next.c:1.15 --- libtiff/libtiff/tif_next.c:1.14 Sun Dec 21 10:15:32 2014 +++ libtiff/libtiff/tif_next.c Sun Dec 21 13:07:48 2014 @@ -141,10 +141,27 @@ return (0); } +static int +NeXTPreDecode(TIFF* tif, uint16 s) +{ + static const char module[] = "NeXTPreDecode"; + TIFFDirectory *td = &tif->tif_dir; + (void)s; + + if( td->td_bitspersample != 2 ) + { + TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", + td->td_bitspersample); + return (0); + } + return (1); +} + int TIFFInitNeXT(TIFF* tif, int scheme) { (void) scheme; + tif->tif_predecode = NeXTPreDecode; tif->tif_decoderow = NeXTDecode; tif->tif_decodestrip = NeXTDecode; tif->tif_decodetile = NeXTDecode; ++++++ erouault.2860.patch ++++++ --------------------- PatchSet 2860 Date: 2014/12/21 20:52:42 Author: erouault Branch: HEAD Tag: (none) Log: * tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) Members: ChangeLog:1.964->1.965 tools/thumbnail.c:1.17->1.18 tools/tiffcmp.c:1.16->1.17 Index: libtiff/tools/thumbnail.c diff -u libtiff/tools/thumbnail.c:1.17 libtiff/tools/thumbnail.c:1.18 --- libtiff/tools/thumbnail.c:1.17 Sun Dec 7 17:33:06 2014 +++ libtiff/tools/thumbnail.c Sun Dec 21 13:52:42 2014 @@ -274,7 +274,26 @@ { struct cpTag *p; for (p = tags; p < &tags[NTAGS]; p++) - cpTag(in, out, p->tag, p->count, p->type); + { + /* Horrible: but TIFFGetField() expects 2 arguments to be passed */ + /* if we request a tag that is defined in a codec, but that codec */ + /* isn't used */ + if( p->tag == TIFFTAG_GROUP3OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX3 ) + continue; + } + if( p->tag == TIFFTAG_GROUP4OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX4 ) + continue; + } + cpTag(in, out, p->tag, p->count, p->type); + } } #undef NTAGS Index: libtiff/tools/tiffcmp.c diff -u libtiff/tools/tiffcmp.c:1.16 libtiff/tools/tiffcmp.c:1.17 --- libtiff/tools/tiffcmp.c:1.16 Wed Mar 10 13:56:50 2010 +++ libtiff/tools/tiffcmp.c Sun Dec 21 13:52:42 2014 @@ -260,6 +260,7 @@ static int cmptags(TIFF* tif1, TIFF* tif2) { + uint16 compression1, compression2; CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType"); CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth"); CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength"); @@ -276,8 +277,20 @@ CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat"); CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution"); CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution"); - CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); - CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); + if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && + compression1 == COMPRESSION_CCITTFAX3 && + TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && + compression2 == COMPRESSION_CCITTFAX3 ) + { + CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); + } + if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && + compression1 == COMPRESSION_CCITTFAX4 && + TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && + compression2 == COMPRESSION_CCITTFAX4 ) + { + CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); + } CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit"); CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration"); CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip"); ++++++ erouault.2861.patch ++++++ --------------------- PatchSet 2861 Date: 2014/12/21 21:53:59 Author: erouault Branch: HEAD Tag: (none) Log: * tools/thumbnail.c: fix out-of-buffer write http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) Members: ChangeLog:1.965->1.966 tools/thumbnail.c:1.18->1.19 Index: libtiff/tools/thumbnail.c diff -u libtiff/tools/thumbnail.c:1.18 libtiff/tools/thumbnail.c:1.19 --- libtiff/tools/thumbnail.c:1.18 Sun Dec 21 13:52:42 2014 +++ libtiff/tools/thumbnail.c Sun Dec 21 14:53:59 2014 @@ -568,7 +568,13 @@ err -= limit; sy++; if (err >= limit) - rows[nrows++] = br + bpr*sy; + { + /* We should perhaps error loudly, but I can't make sense of that */ + /* code... */ + if( nrows == 256 ) + break; + rows[nrows++] = br + bpr*sy; + } } setrow(row, nrows, rows); row += tnw; ++++++ erouault.2862.patch ++++++ --------------------- PatchSet 2862 Date: 2014/12/21 22:04:31 Author: erouault Branch: HEAD Tag: (none) Log: * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not worth the burden for those esoteric utilities. http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) Members: ChangeLog:1.966->1.967 tools/pal2rgb.c:1.13->1.14 tools/thumbnail.c:1.19->1.20 Index: libtiff/tools/pal2rgb.c diff -u libtiff/tools/pal2rgb.c:1.13 libtiff/tools/pal2rgb.c:1.14 --- libtiff/tools/pal2rgb.c:1.13 Fri Jul 2 07:02:56 2010 +++ libtiff/tools/pal2rgb.c Sun Dec 21 15:04:31 2014 @@ -372,7 +372,7 @@ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, - { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, Index: libtiff/tools/thumbnail.c diff -u libtiff/tools/thumbnail.c:1.19 libtiff/tools/thumbnail.c:1.20 --- libtiff/tools/thumbnail.c:1.19 Sun Dec 21 14:53:59 2014 +++ libtiff/tools/thumbnail.c Sun Dec 21 15:04:31 2014 @@ -257,7 +257,7 @@ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, - { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, ++++++ erouault.2863.patch ++++++ --------------------- PatchSet 2863 Date: 2014/12/21 22:58:29 Author: erouault Branch: HEAD Tag: (none) Log: * tools/tiff2bw.c: when Photometric=RGB, the utility only works if SamplesPerPixel = 3. Enforce that http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) Members: ChangeLog:1.967->1.968 tools/tiff2bw.c:1.16->1.17 Index: libtiff/tools/tiff2bw.c diff -u libtiff/tools/tiff2bw.c:1.16 libtiff/tools/tiff2bw.c:1.17 --- libtiff/tools/tiff2bw.c:1.16 Thu May 2 09:44:29 2013 +++ libtiff/tools/tiff2bw.c Sun Dec 21 15:58:30 2014 @@ -171,6 +171,11 @@ argv[optind], samplesperpixel); return (-1); } + if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { + fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", + argv[optind], samplesperpixel); + return (-1); + } TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); if (bitspersample != 8) { fprintf(stderr, ++++++ erouault.2876.patch ++++++ --------------------- PatchSet 2876 Date: 2014/12/29 14:09:11 Author: erouault Branch: HEAD Tag: (none) Log: * libtiff/tif_next.c: add new tests to check that we don't read outside of the compressed input stream buffer. * libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height Members: ChangeLog:1.980->1.981 libtiff/tif_getimage.c:1.85->1.86 libtiff/tif_next.c:1.15->1.16 Index: libtiff/libtiff/tif_getimage.c diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86 --- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014 +++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014 @@ -1871,7 +1871,7 @@ (void) y; fromskew = (fromskew * 10) / 4; - if ((h & 3) == 0 && (w & 1) == 0) { + if ((w & 3) == 0 && (h & 1) == 0) { for (; h >= 2; h -= 2) { x = w>>2; do { @@ -1948,7 +1948,7 @@ /* XXX adjust fromskew */ do { x = w>>2; - do { + while(x>0) { int32 Cb = pp[4]; int32 Cr = pp[5]; @@ -1959,7 +1959,8 @@ cp += 4; pp += 6; - } while (--x); + x--; + } if( (w&3) != 0 ) { @@ -2050,7 +2051,7 @@ fromskew = (fromskew * 4) / 2; do { x = w>>1; - do { + while(x>0) { int32 Cb = pp[2]; int32 Cr = pp[3]; @@ -2059,7 +2060,8 @@ cp += 2; pp += 4; - } while (--x); + x --; + } if( (w&1) != 0 ) { Index: libtiff/libtiff/tif_next.c diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16 --- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014 +++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014 @@ -71,7 +71,7 @@ TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); return (0); } - for (row = buf; occ > 0; occ -= scanline, row += scanline) { + for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { n = *bp++, cc--; switch (n) { case LITERALROW: @@ -90,6 +90,8 @@ * The scanline has a literal span that begins at some * offset. */ + if( cc < 4 ) + goto bad; off = (bp[0] * 256) + bp[1]; n = (bp[2] * 256) + bp[3]; if (cc < 4+n || off+n > scanline) ++++++ tiff-4.0.3-CVE-2012-4564.patch ++++++ https://bugzilla.redhat.com/attachment.cgi?id=635949&action=diff Index: tools/ppm2tiff.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v --- tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16 +++ tools/ppm2tiff.c 31 Oct 2012 06:25:13 -0000 @@ -89,6 +89,7 @@ int c; extern int optind; extern char* optarg; + tmsize_t scanline_size; if (argc < 2) { fprintf(stderr, "%s: Too few arguments\n", argv[0]); @@ -237,8 +238,16 @@ } if (TIFFScanlineSize(out) > linebytes) buf = (unsigned char *)_TIFFmalloc(linebytes); - else - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + else { + scanline_size = TIFFScanlineSize(out); + if (scanline_size != 0) + buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + else { + fprintf(stderr, "%s: scanline size overflow\n",infile); + (void) TIFFClose(out); + exit(-2); + } + } if (resolution > 0) { TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); ++++++ tiff-4.0.3-CVE-2013-1960.patch ++++++ https://bugzilla.novell.com/show_bug.cgi?id=817573#c1 CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in t2_process_jpeg_strip() ======================================================================================= A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF image to a PDF document conversion tool, of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed write of TIFF image content into particular PDF document file, in the tp_process_jpeg_strip() function. A remote attacker could provide a specially-crafted TIFF image format file, that when processed by tiff2pdf would lead to tiff2pdf executable crash or, potentially, arbitrary code execution with the privileges of the user running the tiff2pdf binary. Index: tools/tiff2pdf.c =================================================================== --- tools/tiff2pdf.c.orig +++ tools/tiff2pdf.c @@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip( uint32 height){ tsize_t i=0; - uint16 ri =0; - uint16 v_samp=1; - uint16 h_samp=1; - int j=0; - - i++; - - while(i<(*striplength)){ + + while (i < *striplength) { + tsize_t datalen; + uint16 ri; + uint16 v_samp; + uint16 h_samp; + int j; + int ncomp; + + /* marker header: one or more FFs */ + if (strip[i] != 0xff) + return(0); + i++; + while (i < *striplength && strip[i] == 0xff) + i++; + if (i >= *striplength) + return(0); + /* SOI is the only pre-SOS marker without a length word */ + if (strip[i] == 0xd8) + datalen = 0; + else { + if ((*striplength - i) <= 2) + return(0); + datalen = (strip[i+1] << 8) | strip[i+2]; + if (datalen < 2 || datalen >= (*striplength - i)) + return(0); + } switch( strip[i] ){ - case 0xd8: - /* SOI - start of image */ + case 0xd8: /* SOI - start of image */ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); *bufferoffset+=2; - i+=2; break; - case 0xc0: - case 0xc1: - case 0xc3: - case 0xc9: - case 0xca: + case 0xc0: /* SOF0 */ + case 0xc1: /* SOF1 */ + case 0xc3: /* SOF3 */ + case 0xc9: /* SOF9 */ + case 0xca: /* SOF10 */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - for(j=0;j<buffer[*bufferoffset+9];j++){ - if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) - h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); - if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) - v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + ncomp = buffer[*bufferoffset+9]; + if (ncomp < 1 || ncomp > 4) + return(0); + v_samp=1; + h_samp=1; + for(j=0;j<ncomp;j++){ + uint16 samp = buffer[*bufferoffset+11+(3*j)]; + if( (samp>>4) > h_samp) + h_samp = (samp>>4); + if( (samp & 0x0f) > v_samp) + v_samp = (samp & 0x0f); } v_samp*=8; h_samp*=8; @@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip( (unsigned char) ((height>>8) & 0xff); buffer[*bufferoffset+6]= (unsigned char) (height & 0xff); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; - + *bufferoffset+=datalen+2; + /* insert a DRI marker */ buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]=0xdd; buffer[(*bufferoffset)++]=0x00; buffer[(*bufferoffset)++]=0x04; buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; buffer[(*bufferoffset)++]= ri & 0xff; - } else { - i+=strip[i+2]+2; } break; - case 0xc4: - case 0xdb: - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; + case 0xc4: /* DHT */ + case 0xdb: /* DQT */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; break; - case 0xda: + case 0xda: /* SOS */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; } else { buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8)); - i+=strip[i+2]+2; } - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); - *bufferoffset+=(*striplength)-i-1; + i += datalen + 1; + /* copy remainder of strip */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); + *bufferoffset+= *striplength - i; return(1); default: - i+=strip[i+2]+2; + /* ignore any other marker */ + break; } + i += datalen + 1; } - + /* failed to find SOS marker */ return(0); } #endif ++++++ tiff-4.0.3-CVE-2013-1961.patch ++++++ ++++ 774 lines (skipped) ++++++ tiff-4.0.3-CVE-2013-4231.patch ++++++ Index: gif2tiff.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/gif2tiff.c,v retrieving revision 1.12 diff -u -r1.12 gif2tiff.c --- tools/gif2tiff.c 15 Dec 2010 00:22:44 -0000 1.12 +++ tools/gif2tiff.c 13 Aug 2013 08:25:38 -0000 @@ -333,6 +333,10 @@ int status = 1; datasize = getc(infile); + + if (datasize > 12) + return 0; + clear = 1 << datasize; eoi = clear + 1; avail = clear + 2; ++++++ tiff-4.0.3-CVE-2013-4232.patch ++++++ Index: tiff2pdf.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v retrieving revision 1.71 diff -u -r1.71 tiff2pdf.c --- tools/tiff2pdf.c 2 May 2013 14:54:08 -0000 1.71 +++ toolstiff2pdf.c 13 Aug 2013 04:45:40 -0000 @@ -2462,6 +2462,7 @@ TIFFFileName(input)); t2p->t2p_error = T2P_ERR_ERROR; _TIFFfree(buffer); + return(0); } else { buffer=samplebuffer; t2p->tiff_datasize *= t2p->tiff_samplesperpixel; ++++++ tiff-4.0.3-CVE-2013-4243.patch ++++++ Index: tools/gif2tiff.c =================================================================== --- tools/gif2tiff.c.orig +++ tools/gif2tiff.c @@ -280,6 +280,10 @@ readgifimage(char* mode) fprintf(stderr, "no colormap present for image\n"); return (0); } + if (width == 0 || height == 0) { + fprintf(stderr, "Invalid value of width or height\n"); + return(0); + } if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { fprintf(stderr, "not enough memory for image\n"); return (0); @@ -406,6 +410,10 @@ process(register int code, unsigned char fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); return 0; } + if (*fill >= raster + width*height) { + fprintf(stderr, "raster full before eoi code\n"); + return 0; + } *(*fill)++ = suffix[code]; firstchar = oldcode = code; return 1; @@ -436,6 +444,10 @@ process(register int code, unsigned char } oldcode = incode; do { + if (*fill >= raster + width*height) { + fprintf(stderr, "raster full before eoi code\n"); + return 0; + } *(*fill)++ = *--stackp; } while (stackp > stack); return 1; ++++++ tiff-4.0.3-CVE-2013-4244.patch ++++++ Index: gif2tiff.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/gif2tiff.c,v retrieving revision 1.12 diff -u -r1.12 gif2tiff.c --- tools/gif2tiff.c 15 Dec 2010 00:22:44 -0000 1.12 +++ tools/gif2tiff.c 14 Aug 2013 04:28:07 -0000 @@ -398,6 +398,10 @@ } if (oldcode == -1) { + if (code >= clear) { + fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); + return 0; + } *(*fill)++ = suffix[code]; firstchar = oldcode = code; return 1; ++++++ tiff-4.0.3-compress-warning.patch ++++++ Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c +++ tiff-4.0.3/tools/tiff2pdf.c @@ -1264,6 +1264,15 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* return; } + if(t2p->tiff_compression != COMPRESSION_LZW && + t2p->tiff_compression != COMPRESSION_NONE){ + TIFFWarning( + TIFF2PDF_MODULE, + "%s is not compressed with LZW or NONE.\n" + "tiff2pdf result may be incorrect in that case.\n" + "Consider to use tiffcp(1) to change compress algorithm first.", + TIFFFileName(input) ); + } if( TIFFIsCODECConfigured(t2p->tiff_compression) == 0){ TIFFError( TIFF2PDF_MODULE, ++++++ tiff-4.0.3-double-free.patch ++++++ Index: tools/tiff2pdf.c =================================================================== --- tools/tiff2pdf.c.orig +++ tools/tiff2pdf.c @@ -2436,7 +2436,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p TIFFReadEncodedStrip(input, i, (tdata_t) &buffer[bufferoffset], - stripsize); + TIFFmin(stripsize, t2p->tiff_datasize - bufferoffset)); if(read==-1){ TIFFError(TIFF2PDF_MODULE, "Error on decoding strip %u of %s", ++++++ tiff-4.0.3-seek.patch ++++++ Index: tiff-4.0.1/libtiff/tiffiop.h =================================================================== --- tiff-4.0.1.orig/libtiff/tiffiop.h +++ tiff-4.0.1/libtiff/tiffiop.h @@ -213,7 +213,7 @@ struct tiff { #define TIFFWriteFile(tif, buf, size) \ ((*(tif)->tif_writeproc)((tif)->tif_clientdata,(buf),(size))) #define TIFFSeekFile(tif, off, whence) \ - ((*(tif)->tif_seekproc)((tif)->tif_clientdata,(off),(whence))) + ((tif)->tif_seekproc?((*(tif)->tif_seekproc)((tif)->tif_clientdata,(toff_t)(off),whence)):0) #define TIFFCloseFile(tif) \ ((*(tif)->tif_closeproc)((tif)->tif_clientdata)) #define TIFFGetFileSize(tif) \ ++++++ tiff-4.0.3-test-jpeg-turbo.patch ++++++ >From ChangeLog: * test/raw_decode.c (main): Test fixes to work with IJG JPEG 7+. IJG JPEG 7+ uses a different upsampling algorithm which produces different numeric results. this seems not apply for libjpeg-turbo. Sent to t...@lists.maptools.org on 2012-11-05. Index: tiff-4.0.3/test/raw_decode.c =================================================================== --- tiff-4.0.3.orig/test/raw_decode.c +++ tiff-4.0.3/test/raw_decode.c @@ -191,7 +191,7 @@ main(int argc, char **argv) return 1; } -#if JPEG_LIB_VERSION >= 70 +#if JPEG_LIB_VERSION >= 70 && !defined(LIBJPEG_TURBO_VERSION) pixel_status |= check_rgb_pixel( 0, 18, 0, 41, buffer ); pixel_status |= check_rgb_pixel( 64, 0, 0, 0, buffer ); pixel_status |= check_rgb_pixel( 512, 5, 34, 196, buffer ); @@ -224,7 +224,7 @@ main(int argc, char **argv) * accomplish it from the YCbCr subsampled buffer ourselves in which * case the results may be subtly different but similar. */ -#if JPEG_LIB_VERSION >= 70 +#if JPEG_LIB_VERSION >= 70 && !defined(LIBJPEG_TURBO_VERSION) pixel_status |= check_rgba_pixel( 0, 18, 0, 41, 255, rgba_buffer ); pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 255, rgba_buffer ); pixel_status |= check_rgba_pixel( 512, 5, 34, 196, 255, rgba_buffer ); ++++++ tiff-4.0.3-tiff2pdf-colors.patch ++++++ diff -urN tiff-4.0.1.orig/tools/tiff2pdf.c tiff-4.0.1/tools/tiff2pdf.c --- tiff-4.0.1.orig/tools/tiff2pdf.c 2012-03-29 01:03:15.656848587 +0800 +++ tiff-4.0.1/tools/tiff2pdf.c 2012-03-29 01:03:27.591699381 +0800 @@ -4991,7 +4991,7 @@ if(t2p->tiff_photometric != PHOTOMETRIC_YCBCR) { written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); - written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 0 >>\n", 24); + written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 1 >>\n", 24); } break; #endif ++++++ tiff-dither-malloc-check.patch ++++++ Index: tools/tiffdither.c =================================================================== --- tools/tiffdither.c.orig 2015-02-18 13:06:47.972867055 +0100 +++ tools/tiffdither.c 2015-02-18 13:12:03.759562692 +0100 @@ -77,6 +77,11 @@ outlinesize = TIFFScanlineSize(out); outline = (unsigned char *) _TIFFmalloc(outlinesize); + if (! (inputline && thisline && nextline && outline)) { + fprintf(stderr, "Out of memory.\n"); + return; + } + /* * Get first line */ ++++++ tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch ++++++ Index: libtiff/tif_dirinfo.c =================================================================== --- libtiff/tif_dirinfo.c.orig 2015-02-20 10:55:07.511497649 +0100 +++ libtiff/tif_dirinfo.c 2015-02-20 18:25:36.187965859 +0100 @@ -141,6 +141,7 @@ { TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL }, { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, /* begin DNG tags */ { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL }, ++++++ tiff-handle-TIFFTAG_PREDICTOR.patch ++++++ Index: libtiff/tif_dirinfo.c =================================================================== --- libtiff/tif_dirinfo.c.orig 2015-02-20 18:38:55.798039584 +0100 +++ libtiff/tif_dirinfo.c 2015-02-20 18:58:50.474095885 +0100 @@ -142,6 +142,7 @@ { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, + { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL }, /* begin DNG tags */ { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL }, -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
