Update of /cvsroot/fink/dists/10.3/unstable/main/finkinfo/graphics
In directory sc8-pr-cvs17:/tmp/cvs-serv2444

Modified Files:
        libtiff.info libtiff.patch netpbm.info netpbm.patch 
        netpbm10.info netpbm10.patch 
Log Message:
security fixes (thanks to Tomoaki Okayama)


Index: netpbm.patch
===================================================================
RCS file: 
/cvsroot/fink/dists/10.3/unstable/main/finkinfo/graphics/netpbm.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- netpbm.patch        7 Oct 2005 17:57:20 -0000       1.2
+++ netpbm.patch        29 Aug 2007 15:03:21 -0000      1.3
@@ -12,3 +12,535 @@
  #    push(@Makefile_config, "INSTALL = install\n");
      push(@Makefile_config, 'TIFFHDR_DIR = $(LOCALBASE)/include', "\n");
      push(@Makefile_config, 'TIFFLIB_DIR = $(LOCALBASE)/lib', "\n"); 
+--- netpbm-9.24/pnm/pstopnm.c.CAN-2005-2471    2005-08-10 13:12:38.000000000 
+0200
++++ netpbm-9.24/pnm/pstopnm.c  2005-08-10 13:15:20.000000000 +0200
+@@ -480,7 +480,7 @@
+     
+     sprintf(ghostscript_command,
+             "gs -sDEVICE='%s' -sOutputFile='%s' -g'%dx%d' -r'%dx%d' "
+-            "-q -dNOPAUSE -",
++            "-q -dNOPAUSE -dPARANOIDSAFER -",
+             ghostscript_device, outfile_arg, 
+             xsize, ysize, xres, yres);
+ 
+--- netpbm-9.24/pnm/pnmtopng.c.CVE-2005-3632   2005-12-05 16:05:17.000000000 
+0100
++++ netpbm-9.24/pnm/pnmtopng.c 2005-12-05 16:14:40.000000000 +0100
+@@ -205,7 +205,8 @@
+ FILE *tfp;
+ #endif
+ {
+-  char textline[256];
++#define MAXLINE 1024
++  char textline[MAXLINE];
+   int textpos;
+   int i, j;
+   int c;
+@@ -217,6 +218,7 @@
+   textpos = 0;
+   while ((c = getc (tfp)) != EOF) {
+     if (c != '\n' && c != EOF) {
++      if (textpos >= MAXLINE) continue;
+       textline[textpos++] = c;
+     } else {
+       textline[textpos++] = '\0';
+@@ -227,33 +229,41 @@
+         else
+           info_ptr->text[j].compression = 0;
+         cp = malloc (textpos);
++        if ( cp == NULL )
++          pm_error("out of memory");
+         info_ptr->text[j].key = cp;
+         i = 0;
+         if (textline[0] == '"') {
+           i++;
+-          while (textline[i] != '"' && textline[i] != '\n')
++          while (textline[i] != '"' && textline[i] != '\n' && i<textpos)
+             *(cp++) = textline[i++];
+           i++;
+         } else {
+-          while (textline[i] != ' ' && textline[i] != '\t' && textline[i] != 
'\n')
++          while (textline[i] != ' ' && textline[i] != '\t' && textline[i] != 
'\n' && i<textpos)
+             *(cp++) = textline[i++];
+         }
+         *(cp++) = '\0';
+         cp = malloc (textpos);
++        if ( cp == NULL )
++          pm_error("out of memory");
+         info_ptr->text[j].text = cp;
+-        while (textline[i] == ' ' || textline[i] == '\t')
++        while ((textline[i] == ' ' || textline[i] == '\t') && i<textpos)
+           i++;
+         strcpy (cp, &textline[i]);
+         info_ptr->text[j].text_length = strlen (cp);
+         j++;
+       } else {
+         j--;
++        if ( info_ptr->text[j].text_length + textpos <= 0 )
++          pm_error("allocation underflow");
+         cp = malloc (info_ptr->text[j].text_length + textpos);
++        if ( cp == NULL )
++          pm_error("out of memory");
+         strcpy (cp, info_ptr->text[j].text);
+         strcat (cp, "\n");
+         info_ptr->text[j].text = cp;
+         i = 0;
+-        while (textline[i] == ' ' || textline[i] == '\t')
++        while ((textline[i] == ' ' || textline[i] == '\t') && i<textpos)
+         i++;
+         strcat (cp, &textline[i]);
+         info_ptr->text[j].text_length = strlen (cp);
+--- netpbm-9.24/pnm/pnmtopng.c.pnmtopng-offbyone       2005-09-29 
10:58:32.000000000 +0200
++++ netpbm-9.24/pnm/pnmtopng.c 2005-11-17 17:02:58.000000000 +0100
+@@ -576,8 +576,8 @@ static int convertpnm (ifp, afp, tfp)
+   int alpha_rows;
+   int alpha_cols;
+   int alpha_can_be_transparency_index;
+-  gray *alphas_of_color[MAXCOLORS];
+-  int alphas_of_color_cnt[MAXCOLORS];
++  gray *alphas_of_color[MAXCOLORS+1];
++  int alphas_of_color_cnt[MAXCOLORS+1];
+   int alphas_first_index[MAXCOLORS+1];
+   int mapping[MAXCOLORS];
+   int colors;
+--- netpbm-9.24/pnm/pnmindex.debiansecurity    2001-08-30 04:21:14.000000000 
+0200
++++ netpbm-9.24/pnm/pnmindex   2004-01-22 15:27:01.243659161 +0100
+@@ -24,10 +24,6 @@
+   exit 1
+ }
+ 
+-if [ "$TMPDIR"x = ""x ] ; then
+-    TMPDIR=/tmp
+-fi
+-
+ while :; do
+     case "$1" in
+ 
+@@ -94,8 +90,10 @@
+ fi
+ 
+ #tmpfile=`tempfile -p pi -m 600`
+-tmpfile=$TMPDIR/pi.tmp.$$
+-rm -f $tmpfile
++#tmpfile=$TMPDIR/pi.tmp.$$
++#rm -f $tmpfile
++tmpdir=$(mktemp -d /tmp/pi.XXXXXXXX) || exit 1 #219019
++tmpfile="$tmpdir/pi.tmp"
+ maxformat=PBM
+ 
+ rowfiles=()
+@@ -105,7 +103,7 @@
+ 
+ if [ "$title"x != ""x ] ; then
+ #    rowfile=`tempfile -p pirow -m 600`
+-    rowfile=$TMPDIR/pi.${row}.$$
++    rowfile="$tmpdir/pi.${row}.$$"
+     pbmtext "$title" > $rowfile
+     rowfiles=(${rowfiles[*]} $rowfile )
+     row=$(($row + 1))
+@@ -153,7 +151,7 @@
+         esac
+     fi
+ 
+-    imagefile=$TMPDIR/pi.${row}.${col}.$$
++    imagefile="$tmpdir/pi.${row}.${col}.$$"
+     rm -f $imagefile
+     if [ "$back" = "-white" ]; then
+         pbmtext "$i" | pnmcat $back -tb $tmpfile - > $imagefile
+@@ -164,7 +162,7 @@
+     imagefiles=( ${imagefiles[*]} $imagefile )
+ 
+     if [ $col -ge $across ]; then
+-        rowfile=$TMPDIR/pi.${row}.$$
++        rowfile="$tmpdir/pi.${row}.$$"
+         rm -f $rowfile
+ 
+         if [ $maxformat != PPM -o "$doquant" = "false" ]; then
+@@ -189,7 +187,7 @@
+ # Now put the final partial row in its row file.
+ 
+ if [ ${#imagefiles[*]} -gt 0 ]; then
+-    rowfile=$TMPDIR/pi.${row}.$$
++    rowfile="$tmpdir/pi.${row}.$$"
+     rm -f $rowfile
+     if [ $maxformat != PPM -o "$doquant" = "false" ]; then
+         pnmcat $back -lr -jbottom ${imagefiles[*]} > $rowfile
+@@ -212,5 +210,9 @@
+ fi
+ rm -f ${rowfiles[*]}
+ 
++if [ -d "$tmpdir" ]; then
++    rm -rf "$tmpdir";
++fi
++
+ exit 0
+ 
+--- netpbm-9.24/pnm/pnmmargin.debiansecurity   1993-10-04 10:11:44.000000000 
+0100
++++ netpbm-9.24/pnm/pnmmargin  2004-01-22 15:29:31.748349881 +0100
+@@ -11,11 +11,16 @@
+ # documentation.  This software is provided "as is" without express or
+ # implied warranty.
+ 
+-tmp1=/tmp/pnmm1$$
+-tmp2=/tmp/pnmm2$$
+-tmp3=/tmp/pnmm3$$
+-tmp4=/tmp/pnmm4$$
+-rm -f $tmp1 $tmp2 $tmp3 $tmp4
++#tmp1=/tmp/pnmm1$$
++#tmp2=/tmp/pnmm2$$
++#tmp3=/tmp/pnmm3$$
++#tmp4=/tmp/pnmm4$$
++#rm -f $tmp1 $tmp2 $tmp3 $tmp4
++tmpdir=$(mktemp -d /tmp/ppmmargin.XXXXXXX) || exit 1 #219019
++tmp1="$tmpdir/tmp1"
++tmp2="$tmpdir/tmp2"
++tmp3="$tmpdir/tmp3"
++tmp4="$tmpdir/tmp4"
+ 
+ color="-gofigure"
+ 
+@@ -83,4 +88,7 @@
+ pnmcat -tb $tmp3 $tmp4 $tmp3
+ 
+ # All done.
+-rm -f $tmp1 $tmp2 $tmp3 $tmp4
++#rm -f $tmp1 $tmp2 $tmp3 $tmp4
++if [ -d "$tmpdir" ]; then
++    rm -rf "$tmpdir"
++fi
+--- netpbm-9.24/pnm/anytopnm.debiansecurity    2000-07-26 03:54:08.000000000 
+0200
++++ netpbm-9.24/pnm/anytopnm   2004-01-22 15:27:01.252657947 +0100
+@@ -22,6 +22,7 @@
+ fi
+ 
+ tmpfiles=""
++tmpdir=$(mktemp -d /tmp/anytopnm.XXXXXXXXXX) || exit 1 #219019
+ 
+ # Take out all spaces
+ # Find the filename extension for last-ditch efforts later
+@@ -29,8 +30,7 @@
+ 
+ # Sanitize the filename by making our own temporary files as safely as
+ # possible.
+-file="/tmp/atn.stdin.$$"
+-rm -f "$file"
++file="$tmpdir/atn.stdin"
+ if [ $# -eq 0 -o "$1" = "-" ] ; then
+       cat > "$file"
+ else
+@@ -57,10 +57,6 @@
+     cat < "$1" > "$file"
+ fi
+ 
+-tmpfiles="$tmpfiles $file"
+-
+-
+-
+ filetype=`file "$file" | cut -d: -f2-`
+ 
+ case "$filetype" in
+@@ -70,7 +66,7 @@
+     ;;
+ 
+     *uuencoded* )
+-    newfile="/tmp/atn.decode.$$"
++    newfile="$tmpdir/atn.decode"
+     rm -f "$newfile"
+     (echo begin 600 $newfile; tail +2 < "$file") | uudecode
+     tmpfiles="$tmpfiles $newfile"
+@@ -257,8 +253,7 @@
+ 
+ esac
+ 
+-
+-if [ "$tmpfiles" ] ; then
+-    rm -f $tmpfiles
++if [ -d "$tmpdir" ] ; then
++    rm -rf "$tmpdir"
+ fi
+ exit 0
+--- netpbm-9.24/ppm/ppmtompeg/parallel.c.debiansecurity        2001-08-31 
22:48:30.000000000 +0200
++++ netpbm-9.24/ppm/ppmtompeg/parallel.c       2004-01-22 15:27:01.257657272 
+0100
+@@ -20,6 +20,8 @@
+ /*==============*
+  * HEADER FILES *
+  *==============*/
++#define _BSD_SOURCE 1
++/* This makes sure that mkstemp() is in unistd.h */
+ 
+ #include <sys/types.h>
+ #include <sys/socket.h>
+@@ -557,6 +559,7 @@
+   register int y;
+   int     numBytes;
+   unsigned long data;
++#define TMPFILE_TEMPLATE "/tmp/ppmtompeg.XXXXXX"
+   char    fileName[256];
+ 
+   Fsize_Note(frameNumber, yuvWidth, yuvHeight);
+@@ -575,7 +578,9 @@
+ 
+   if ( frameNumber != -1 ) {
+     if ( separateConversion ) {
+-      sprintf(fileName, "/tmp/foobar%d", machineNumber);
++      strcpy(fileName, TMPFILE_TEMPLATE);
++      if (-1 == mkstemp(fileName))
++        pm_error( "could not create temporary convolution file");
+       filePtr = fopen(fileName, "wb");
+ 
+       /* read in stuff, SafeWrite to file, perform local conversion */
+--- netpbm-9.24/ppm/ppmtompeg/ppmtompeg.1.debiansecurity       2001-04-17 
04:42:42.000000000 +0200
++++ netpbm-9.24/ppm/ppmtompeg/ppmtompeg.1      2004-01-22 15:27:01.259657002 
+0100
+@@ -366,6 +366,9 @@
+ .SH VERSION
+ This is version 1.5 it contins new features and bug fixes from version 1.3.
+ .SH BUGS
++Not really a bug, but at least a limitation: If writing to an output file,
++ppmtompeg sometimes uses <filename>.* as temporary files.
++.LP
+ No known bugs, but if you find any, report them to [EMAIL PROTECTED]
+ .HP
+ .SH AUTHORS
+--- netpbm-9.24/ppm/ppmfade.debiansecurity     2000-09-18 23:31:04.000000000 
+0200
++++ netpbm-9.24/ppm/ppmfade    2004-01-22 15:27:01.264656327 +0100
+@@ -23,6 +23,7 @@
+ #
+ #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+ use strict;
++use File::Temp "tempdir";
+ 
+ my $SPREAD =  1;
+ my $SHIFT =   2;
+@@ -125,20 +126,25 @@
+ 
+ print("Frames are " . $width . "W x " . $height . "H\n");
+ 
++#
++# We create a tmp-directory right here
++#
++my $tmpdir = tempdir("ppmfade.XXXXXX", CLEANUP => 1);
++
+ if ($first_file eq "undefined") {
+     print "Fading from black to ";
+-    system("ppmmake \\#000 $width $height >junk1$$.ppm");
++    system("ppmmake \\#000 $width $height >$tmpdir/junk1.ppm");
+ } else {
+     print "Fading from $first_file to ";
+-    system("cp", $first_file, "junk1$$.ppm");
++    system("cp", $first_file, "$tmpdir/junk1.ppm");
+ }
+ 
+ if ($last_file eq "undefined") {
+     print "black.\n";
+-    system("ppmmake \\#000 $width $height >junk2$$.ppm");
++    system("ppmmake \\#000 $width $height >$tmpdir/junk2.ppm");
+ } else {
+     print "$last_file\n";
+-    system("cp", $last_file, "junk2$$.ppm");
++    system("cp", $last_file, "$tmpdir/junk2.ppm");
+ }
+ 
+ #
+@@ -161,148 +167,150 @@
+     if ($mode eq $SPREAD) {
+         if ($i <= 10) {
+             my $n = $spline20[$i] * 100;
+-            system("ppmspread $n junk1$$.ppm >junk3$$.ppm");
++            system("ppmspread $n $tmpdir/junk1.ppm >$tmpdir/junk3.ppm");
+         } elsif ($i <= 20) {
+             my $n;
+             $n = $spline20[$i] * 100;
+-            system("ppmspread $n junk1$$.ppm >junk1a$$.ppm");
++            system("ppmspread $n $tmpdir/junk1.ppm >$tmpdir/junk1a.ppm");
+             $n = (1-$spline20[$i-10]) * 100;
+-            system("ppmspread $n junk2$$.ppm >junk2a$$.ppm");
++            system("ppmspread $n $tmpdir/junk2.ppm >$tmpdir/junk2a.ppm");
+             $n = $spline10[$i-10];
+-            system("ppmmix $n junk1a$$.ppm junk2a$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1a.ppm $tmpdir/junk2a.ppm 
>$tmpdir/junk3.ppm");
+         } else {
+             my $n = (1-$spline20[$i-10])*100;
+-            system("ppmspread $n junk2$$.ppm >junk3$$.ppm");
++            system("ppmspread $n $tmpdir/junk2.ppm >$tmpdir/junk3.ppm");
+         }
+     } elsif ($mode eq $SHIFT) {
+         if ($i <= 10) {
+             my $n = $spline20[$i] * 100;
+-            system("ppmshift $n junk1$$.ppm >junk3$$.ppm");
++            system("ppmshift $n $tmpdir/junk1.ppm >$tmpdir/junk3.ppm");
+         } elsif ($i <= 20) {
+             my $n;
+             $n = $spline20[$i] * 100;
+-            system("ppmshift $n junk1$$.ppm >junk1a$$.ppm");
++            system("ppmshift $n $tmpdir/junk1.ppm >$tmpdir/junk1a.ppm");
+             $n = (1-$spline20[$i-10])*100;
+-            system("ppmshift $n junk2$$.ppm >junk2a$$.ppm");
++            system("ppmshift $n $tmpdir/junk2.ppm >$tmpdir/junk2a.ppm");
+             $n = $spline10[$i-10];
+-            system("ppmmix $n junk1a$$.ppm junk2a$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1a.ppm $tmpdir/junk2a.ppm 
>$tmpdir/junk3.ppm");
+         } else {
+             my $n = (1-$spline20[$i-10]) * 100;
+-            system("ppmshift $n junk2$$.ppm >junk3$$.ppm");
++            system("ppmshift $n $tmpdir/junk2.ppm >$tmpdir/junk3.ppm");
+         }
+     } elsif ($mode eq $RELIEF) {
+         if ($i == 1) {
+-            system("ppmrelief junk1$$.ppm >junk1r$$.ppm");
++            system("ppmrelief $tmpdir/junk1.ppm >$tmpdir/junk1r.ppm");
+         }
+         if ($i <= 10) {
+             my $n = $spline10[$i];
+-            system("ppmmix $n junk1$$.ppm junk1r$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1.ppm $tmpdir/junk1r.ppm 
>$tmpdir/junk3.ppm");
+         } elsif ($i <= 20) {
+             my $n = $spline10[$i-10];
+-            system("ppmmix $n junk1r$$.ppm junk2r$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1r.ppm $tmpdir/junk2r.ppm 
>$tmpdir/junk3.ppm");
+         } else {
+             my $n = $spline10[$i-20];
+-            system("ppmmix $n junk2r$$.ppm junk2$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk2r.ppm $tmpdir/junk2.ppm 
>$tmpdir/junk3.ppm");
+         }
+         if ($i == 10) {
+-            system("ppmrelief junk2$$.ppm >junk2r$$.ppm");
++            system("ppmrelief $tmpdir/junk2.ppm >$tmpdir/junk2r.ppm");
+         }
+     } elsif ($mode eq $OIL) {
+         if ($i == 1) {
+-            system("ppmtopgm junk1$$.ppm | pgmoil >junko$$.ppm");
+-            system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " .
+-                   ">junk1o$$.ppm");
++            system("ppmtopgm $tmpdir/junk1.ppm | pgmoil >$tmpdir/junko.ppm");
++            system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm 
$tmpdir/junko.ppm " .
++                   ">$tmpdir/junk1o.ppm");
+         }
+         if ($i <= 10) {
+             my $n = $spline10[$i];
+-            system("ppmmix $n junk1$$.ppm junk1o$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1.ppm $tmpdir/junk1o.ppm 
>$tmpdir/junk3.ppm");
+         } elsif ($i <= 20) {
+             my $n = $spline10[$i-10];
+-            system("ppmmix $n junk1o$$.ppm junk2o$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1o.ppm $tmpdir/junk2o.ppm 
>$tmpdir/junk3.ppm");
+         } else {
+             my $n = $spline10[$i-20];
+-            system("ppmmix $n junk2o$$.ppm junk2$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk2o.ppm $tmpdir/junk2.ppm 
>$tmpdir/junk3.ppm");
+         }
+         if ($i == 10) {
+-            system("ppmtopgm junk2$$.ppm | pgmoil >junko$$.ppm");
+-            system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " .
+-                   ">junk2o$$.ppm");
++            system("ppmtopgm $tmpdir/junk2.ppm | pgmoil >$tmpdir/junko.ppm");
++            system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm 
$tmpdir/junko.ppm " .
++                   ">$tmpdir/junk2o.ppm");
+         }
+     } elsif ($mode eq $EDGE) {
+         if ($i == 1) {
+-            system("ppmtopgm junk1$$.ppm | pgmedge >junko$$.ppm");
+-            system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " .
+-                   ">junk1o$$.ppm");
++            system("ppmtopgm $tmpdir/junk1.ppm | pgmedge >$tmpdir/junko.ppm");
++            system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm 
$tmpdir/junko.ppm " .
++                   ">$tmpdir/junk1o.ppm");
+         }
+         if ($i <= 10) {
+             my $n = $spline10[$i];
+-            system("ppmmix $n junk1$$.ppm junk1o$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1.ppm $tmpdir/junk1o.ppm 
>$tmpdir/junk3.ppm");
+         } elsif ($i <= 20) {
+             my $n = $spline10[$i-10];
+-            system("ppmmix $n junk1o$$.ppm junk2o$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1o.ppm $tmpdir/junk2o.ppm 
>$tmpdir/junk3.ppm");
+         } else {
+             my $n = $spline10[$i-20];
+-            system("ppmmix $n junk2o$$.ppm junk2$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk2o.ppm $tmpdir/junk2.ppm 
>$tmpdir/junk3.ppm");
+         }
+         if ($i == 10) {
+-            system("ppmtopgm junk2$$.ppm | pgmedge >junko$$.ppm");
+-            system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " .
+-                   ">junk2o$$.ppm");
++            system("ppmtopgm $tmpdir/junk2.ppm | pgmedge >$tmpdir/junko.ppm");
++            system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm 
$tmpdir/junko.ppm " .
++                   ">$tmpdir/junk2o.ppm");
+         } 
+     } elsif ($mode eq $BENTLEY) {
+         if ($i == 1) {
+-            system("ppmtopgm junk1$$.ppm | pgmbentley >junko$$.ppm");
+-            system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " .
+-                   ">junk1o$$.ppm");
++            system("ppmtopgm $tmpdir/junk1.ppm | pgmbentley 
>$tmpdir/junko.ppm");
++            system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm 
$tmpdir/junko.ppm " .
++                   ">$tmpdir/junk1o.ppm");
+         }
+         if ($i <= 10) {
+             my $n = $spline10[$i];
+-            system("ppmmix $n junk1$$.ppm junk1o$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1.ppm $tmpdir/junk1o.ppm 
>$tmpdir/junk3.ppm");
+         } elsif ($i <= 20) {
+             my $n = $spline10[$i-10];
+-            system("ppmmix $n junk1o$$.ppm junk2o$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1o.ppm $tmpdir/junk2o.ppm 
>$tmpdir/junk3.ppm");
+         } else {
+             my $n = $spline10[$i-20];
+-            system("ppmmix $n junk2o$$.ppm junk2$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk2o.ppm $tmpdir/junk2.ppm 
>$tmpdir/junk3.ppm");
+         }
+         if ($i == 10) {
+-            system("ppmtopgm junk2$$.ppm | pgmbentley >junko$$.ppm");
+-            system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " .
+-                   ">junk2o$$.ppm");
++            system("ppmtopgm $tmpdir/junk2.ppm | pgmbentley 
>$tmpdir/junko.ppm");
++            system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm 
$tmpdir/junko.ppm " .
++                   ">$tmpdir/junk2o.ppm");
+         }
+     } elsif ($mode eq $BLOCK) {
+         if ($i <= 10) {
+             my $n = 1 - 1.9*$spline20[$i];
+-            system("pnmscale $n junk1$$.ppm | " .
+-                   "pnmscale -width $width -height $height >junk3$$.ppm");
++            system("pnmscale $n $tmpdir/junk1.ppm | " .
++                   "pnmscale -width $width -height $height 
>$tmpdir/junk3.ppm");
+         } elsif ($i <= 20) {
+             my $n = $spline10[$i-10];
+-            system("ppmmix $n junk1a$$.ppm junk2a$$.ppm >junk3$$.ppm");
++            system("ppmmix $n $tmpdir/junk1a.ppm $tmpdir/junk2a.ppm 
>$tmpdir/junk3.ppm");
+         } else {
+             my $n = 1 - 1.9*$spline20[31-$i];
+-            system("pnmscale $n junk2$$.ppm | " .
+-                   "pnmscale -width $width -height $height >junk3$$.ppm");
++            system("pnmscale $n $tmpdir/junk2.ppm | " .
++                   "pnmscale -width $width -height $height 
>$tmpdir/junk3.ppm");
+         }
+         if ($i == 10) {
+-            system("cp", "junk3$$.ppm", "junk1a$$.ppm");
+-            system("pnmscale $n junk2$$.ppm | " .
+-                   "pnmscale -width $width -height $height >junk2a$$.ppm");
++            system("cp", "$tmpdir/junk3.ppm", "$tmpdir/junk1a.ppm");
++            system("pnmscale $n $tmpdir/junk2.ppm | " .
++                   "pnmscale -width $width -height $height 
>$tmpdir/junk2a.ppm");
+         }    
+     } elsif ($mode eq $MIX) {
+         my $fade_factor = sqrt(1/($nframes-$i+1));
+-        system("ppmmix $fade_factor junk1$$.ppm junk2$$.ppm >junk3$$.ppm");
++        system("ppmmix $fade_factor $tmpdir/junk1.ppm $tmpdir/junk2.ppm 
>$tmpdir/junk3.ppm");
+     } else {
+         print("Internal error: impossible mode value '$mode'\n");
+     }
+ 
+     my $outfile = sprintf("%s.%04d.ppm", $base_name, $i);
+-    system("cp", "junk3$$.ppm", $outfile);
++    system("cp", "$tmpdir/junk3.ppm", $outfile);
+ }
+ 
+ #
+ #  Clean up shop.
+ #
+-system("rm junk*$$.ppm");
++#system("rm $tmpdir/junk*.ppm");
++# As the temporary files are automatically deleted, nothing is needed for
++# cleanup any more.
+ 
+ exit(0);
+ 
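Review bot: The CVE-2005-3632 bound in the new pnmtopng.c hunk is off by one: the added `if (textpos >= MAXLINE) continue;` lets textpos reach MAXLINE, after which the unchanged `textline[textpos++] = '\0';` in the else branch writes textline[MAXLINE], one past the 1024-byte array; the guard should read `if (textpos >= MAXLINE - 1) continue;`. The added `&& i<textpos` terms also test the bound only after textline[i] has been read, so each should be moved first, e.g. `while (i<textpos && textline[i] != '"' && textline[i] != '\n')`, to keep the read inside the buffer. In parallel.c the descriptor returned by mkstemp() is dropped and the file is reopened by name; `int fd = mkstemp(fileName); if (fd == -1) pm_error("could not create temporary convolution file"); filePtr = fdopen(fd, "wb");` avoids both the descriptor leak and the reopen. In ppmfade, File::Temp's tempdir() with a bare template creates the directory under the current working directory unless `TMPDIR => 1` is passed next to `CLEANUP => 1`, which looks unintended given every other script here uses /tmp. The enclosing functions in pnmtopng.c and parallel.c start and end outside the hunk.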

Index: netpbm10.patch
===================================================================
RCS file: 
/cvsroot/fink/dists/10.3/unstable/main/finkinfo/graphics/netpbm10.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- netpbm10.patch      7 Oct 2005 17:57:20 -0000       1.5
+++ netpbm10.patch      29 Aug 2007 15:03:21 -0000      1.6
@@ -53,3 +53,56 @@
      
  }
  
+--- netpbm-10.25/converter/other/pstopnm.c.CAN-2005-2471       2004-06-23 
04:22:33.000000000 +0200
++++ netpbm-10.25/converter/other/pstopnm.c     2005-08-09 08:41:42.000000000 
+0200
+@@ -702,13 +702,13 @@
+ 
+     if (verbose) {
+         pm_message("execing '%s' with args '%s' (arg 0), "
+-                   "'%s', '%s', '%s', '%s', '%s', '%s', '%s'",
++                   "'%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s'",
+                    ghostscriptProg, arg0,
+-                   deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-");
++                   deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", 
"-dPARANOIDSAFER", "-");
+     }
+ 
+     execl(ghostscriptProg, arg0, deviceopt, outfileopt, gopt, ropt, "-q",
+-          "-dNOPAUSE", "-", NULL);
++          "-dNOPAUSE", "-dPARANOIDSAFER", "-", NULL);
+     
+     pm_error("execl() of Ghostscript ('%s') failed, errno=%d (%s)",
+              ghostscriptProg, errno, strerror(errno));
+--- netpbm-10.26.12/converter/other/pnmtopng.c.pnmtopng        2004-08-28 
04:53:12.000000000 +0200
++++ netpbm-10.26.12/converter/other/pnmtopng.c 2005-09-16 14:17:47.129390456 
+0200
+@@ -159,7 +159,7 @@
+                       unsigned int * const bestMatchP) {
+     
+     unsigned int paletteIndex;
+-    unsigned int bestIndex;
++    unsigned int bestIndex = 0;
+     unsigned int bestMatch;
+ 
+     bestMatch = UINT_MAX;
+@@ -1566,7 +1566,7 @@
+       /* The color part of the color/alpha palette passed to the PNG
+          compressor 
+       */
+-  unsigned int palette_size;
++  unsigned int palette_size = MAXCOLORS;
+ 
+   gray trans_pnm[MAXCOLORS];
+   png_byte  trans[MAXCOLORS];
+--- netpbm-10.26.12/converter/other/pnmtopng.c
++++ netpbm-10.26.12/converter/other/pnmtopng.c
+@@ -913,9 +913,9 @@
+     colorhist_vector chv;
+     unsigned int colors;
+ 
+-    gray *alphas_of_color[MAXPALETTEENTRIES];
++    gray *alphas_of_color[MAXPALETTEENTRIES + 1];
+     unsigned int alphas_first_index[MAXPALETTEENTRIES];
+-    unsigned int alphas_of_color_cnt[MAXPALETTEENTRIES];
++    unsigned int alphas_of_color_cnt[MAXPALETTEENTRIES + 1];
+  
+     getChv(ifP, imagepos, cols, rows, maxval, format, MAXCOLORS, 
+            &chv, &colors);
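Review bot: In the pnmtopng.c hunk at line 913 only alphas_of_color and alphas_of_color_cnt grow to MAXPALETTEENTRIES + 1 while alphas_first_index keeps MAXPALETTEENTRIES, whereas the 9.24 variant of the same fix in netpbm.patch sizes its alphas_first_index as MAXCOLORS+1; if the loop that fills them indexes all three arrays alike, this one is still one entry short. That loop lies outside the hunk so I cannot confirm it; if it does, the change is `unsigned int alphas_first_index[MAXPALETTEENTRIES + 1];`. The `bestIndex = 0` and `palette_size = MAXCOLORS` initialisers quiet uninitialised-use paths, but nothing in the hunk records why those values are safe fallbacks, so a one-line comment on each stating the condition under which the default survives (e.g. no palette entry closer than UINT_MAX) would keep a later reader from treating them as arbitrary. Both enclosing functions start and end outside the hunk.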

Index: netpbm10.info
===================================================================
RCS file: 
/cvsroot/fink/dists/10.3/unstable/main/finkinfo/graphics/netpbm10.info,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- netpbm10.info       5 Sep 2006 04:40:14 -0000       1.14
+++ netpbm10.info       29 Aug 2007 15:03:21 -0000      1.15
@@ -1,20 +1,20 @@
 Package: netpbm10
-Version: 10.24
+Version: 10.26.39
 Revision: 3
-BuildDepends: libjpeg, libpng3, libtiff
+BuildDepends: libjpeg, libpng3, libtiff, fink (>= 0.24.12-1)
 Depends: %N-shlibs (= %v-%r)
 Replaces: netpbm
 Conflicts: netpbm
 BuildDependsOnly: True
 Source: mirror:sourceforge:netpbm/netpbm-%v.tgz
-Source-MD5: 06580a8cadb6908f95733dcbd3f4e3d8
-Source2: mirror:sourceforge:netpbm/netpbm-10.18.tgz
-Source2-MD5: d4421214431c0467647a4f73af5f2db1
+Source-MD5: bada0d4cbff1113ae14e3a8456c1d41a
 NoSetMAKEFLAGS: true
+NoSetLDFLAGS: true
+SetLIBRARY_PATH: %p/lib
+PatchFile: %n.patch
+PatchFile-MD5: 8729d202e76346cbcbab26917f5b7cf3
 PatchScript: <<
- cp -p ../netpbm-10.18/converter/other/pnmtopng.c converter/other/pnmtopng.c
- rm -fR ../netpbm-10.18
- sed 's|@PREFIX@|%p|g' <%a/%n.patch | patch -p1
+ sed 's|@PREFIX@|%p|g' < %{PatchFile} | patch -p1
  cat Makefile.config.in Makefile.config.fink >Makefile.config
 <<
 CompileScript: make -j1
@@ -43,7 +43,15 @@
  Change by J-F Mertens:  pnmtopng.c extracted from old version of netpbm
  since the one in the current version does not work with, e.g., latex2html.
 
+ Change undone in Feb. 2007 because the 'old' pnmtopng.c no longer compiles.
+ Hopefully this does not break latex2html.
+
  Patches for gcc 4.0 compatibility thanks to Matt Sachs.
+
+ Security patches thanks to Tomoaki Okayama:
+  CVE-2005-2471: netpbm-10.25-CAN-2005-2471.patch             (from RedHat)
+  CVE-2005-2978: netpbm-10.26.12-pnmtopng-CAN-2005-2978.patch (from SUSE)
+  CVE-2005-3662: netpbm-10.26.12-pnmtopng-overflow.patch      (from SUSE)
 <<
 License: OSI-Approved
 Homepage: http://netpbm.sourceforge.net

Index: libtiff.patch
===================================================================
RCS file: 
/cvsroot/fink/dists/10.3/unstable/main/finkinfo/graphics/libtiff.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- libtiff.patch       2 Aug 2006 18:52:02 -0000       1.5
+++ libtiff.patch       29 Aug 2007 15:03:21 -0000      1.6
@@ -9,3 +9,706 @@
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
+diff -ruN tiff-3.7.4-old/tools/tiff2pdf.c tiff-3.7.4/tools/tiff2pdf.c
+--- tiff-3.7.4-old/tools/tiff2pdf.c    2005-06-23 15:30:28.000000000 +0200
++++ tiff-3.7.4/tools/tiff2pdf.c        2006-06-02 18:15:11.000000000 +0200
+@@ -3758,7 +3758,7 @@
+       written += TIFFWriteFile(output, (tdata_t) "(", 1);
+       for (i=0;i<len;i++){
+               if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
+-                      sprintf(buffer, "\\%.3o", pdfstr[i]);
++                      sprintf(buffer, "\\%.3hho", pdfstr[i]);
+                       written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+               } else {
+                       switch (pdfstr[i]){
+
+diff -ruN tiff-3.7.4-old/tools/tiffsplit.c tiff-3.7.4/tools/tiffsplit.c
+--- tiff-3.7.4-old/tools/tiffsplit.c   2005-05-26 20:38:48.000000000 +0200
++++ tiff-3.7.4/tools/tiffsplit.c       2006-06-01 16:00:11.000000000 +0200
+@@ -60,14 +60,13 @@
+               return (-3);
+       }
+       if (argc > 2)
+-              strcpy(fname, argv[2]);
++              snprintf(fname, sizeof(fname), "%s", argv[2]);
+       in = TIFFOpen(argv[1], "r");
+       if (in != NULL) {
+               do {
+                       char path[1024+1];
+                       newfilename();
+-                      strcpy(path, fname);
+-                      strcat(path, ".tif");
++                      snprintf(path, sizeof(path), "%s.tif", fname);
+                       out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+                       if (out == NULL)
+                               return (-2);
+
+diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
+--- tiff-3.8.2/libtiff/tif_dir.c       2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dir.c   2006-07-14 13:52:01.027562000 +0100
+@@ -122,6 +122,7 @@
+ {
+       static const char module[] = "_TIFFVSetField";
+       
++      const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+       TIFFDirectory* td = &tif->tif_dir;
+       int status = 1;
+       uint32 v32, i, v;
+@@ -195,10 +196,12 @@
+               break;
+       case TIFFTAG_ORIENTATION:
+               v = va_arg(ap, uint32);
++              const TIFFFieldInfo* fip;
+               if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++                      fip = _TIFFFieldWithTag(tif, tag);
+                       TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+                           "Bad value %lu for \"%s\" tag ignored",
+-                          v, _TIFFFieldWithTag(tif, tag)->field_name);
++                          v, fip ? fip->field_name : "Unknown");
+               } else
+                       td->td_orientation = (uint16) v;
+               break;
+@@ -387,11 +390,15 @@
+            * happens, for example, when tiffcp is used to convert between
+            * compression schemes and codec-specific tags are blindly copied.
+              */
++          /* 
++           * better not dereference fip if it is NULL.
++           * -- [EMAIL PROTECTED] 15 Jun 2006
++           */
+             if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+               TIFFErrorExt(tif->tif_clientdata, module,
+                   "%s: Invalid %stag \"%s\" (not supported by codec)",
+                   tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+-                  _TIFFFieldWithTag(tif, tag)->field_name);
++                  fip ? fip->field_name : "Unknown");
+               status = 0;
+               break;
+             }
+@@ -468,7 +475,7 @@
+           if (fip->field_type == TIFF_ASCII)
+                   _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+           else {
+-                tv->value = _TIFFmalloc(tv_size * tv->count);
++                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag 
Value");
+               if (!tv->value) {
+                   status = 0;
+                   goto end;
+@@ -563,7 +570,7 @@
+           }
+       }
+       if (status) {
+-              TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++              TIFFSetFieldBit(tif, fip->field_bit);
+               tif->tif_flags |= TIFF_DIRTYDIRECT;
+       }
+ 
+@@ -572,12 +579,12 @@
+       return (status);
+ badvalue:
+       TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+-                tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++                tif->tif_name, v, fip ? fip->field_name : "Unknown");
+       va_end(ap);
+       return (0);
+ badvalue32:
+       TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for 
\"%s\"",
+-                 tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++                 tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+       va_end(ap);
+       return (0);
+ }
+@@ -813,12 +820,16 @@
+              * If the client tries to get a tag that is not valid
+              * for the image's codec then we'll arrive here.
+              */
++          /*
++           * dont dereference fip if it's NULL.
++           * -- [EMAIL PROTECTED] 15 Jun 2006
++           */
+             if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+             {
+                               TIFFErrorExt(tif->tif_clientdata, 
"_TIFFVGetField",
+                           "%s: Invalid %stag \"%s\" (not supported by codec)",
+                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+-                          _TIFFFieldWithTag(tif, tag)->field_name);
++                          fip ? fip->field_name : "Unknown");
+                 ret_val = 0;
+                 break;
+             }
+diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
+--- tiff-3.8.2/libtiff/tif_dirinfo.c   2006-02-07 13:51:03.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c       2006-07-14 13:52:00.953558000 
+0100
+@@ -775,7 +775,8 @@
+               TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+                         "Internal error, unknown tag 0x%x",
+                           (unsigned int) tag);
+-              assert(fip != NULL);
++              /* assert(fip != NULL); */
++
+               /*NOTREACHED*/
+       }
+       return (fip);
+@@ -789,7 +790,8 @@
+       if (!fip) {
+               TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+                         "Internal error, unknown tag %s", field_name);
+-              assert(fip != NULL);
++              /* assert(fip != NULL); */
++              
+               /*NOTREACHED*/
+       }
+       return (fip);
+diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
+--- tiff-3.8.2/libtiff/tif_dirread.c   2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirread.c       2006-07-14 13:52:00.842557000 
+0100
+@@ -29,6 +29,9 @@
+  *
+  * Directory Read Support Routines.
+  */
++
++#include <limits.h>
++
+ #include "tiffiop.h"
+ 
+ #define       IGNORE  0               /* tag placeholder used below */
+@@ -81,6 +84,7 @@
+       uint16 dircount;
+       toff_t nextdiroff;
+       int diroutoforderwarning = 0;
++      int compressionknown = 0;
+       toff_t* new_dirlist;
+ 
+       tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +151,20 @@
+       } else {
+               toff_t off = tif->tif_diroff;
+ 
+-              if (off + sizeof (uint16) > tif->tif_size) {
+-                      TIFFErrorExt(tif->tif_clientdata, module,
+-                          "%s: Can not read TIFF directory count",
+-                            tif->tif_name);
+-                      return (0);
++              /*
++               * Check for integer overflow when validating the dir_off, 
otherwise
++               * a very high offset may cause an OOB read and crash the 
client.
++               * -- [EMAIL PROTECTED], 14 Jun 2006.
++               */
++              if (off + sizeof (uint16) > tif->tif_size || 
++                      off > (UINT_MAX - sizeof(uint16))) {
++                              TIFFErrorExt(tif->tif_clientdata, module,
++                                  "%s: Can not read TIFF directory count",
++                                  tif->tif_name);
++                              return (0);
+               } else
+-                      _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof 
(uint16));
++                      _TIFFmemcpy(&dircount, tif->tif_base + off,
++                                      sizeof (uint16));
+               off += sizeof (uint16);
+               if (tif->tif_flags & TIFF_SWAB)
+                       TIFFSwabShort(&dircount);
+@@ -254,6 +265,7 @@
+               while (fix < tif->tif_nfields &&
+                      tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+                       fix++;
++
+               if (fix >= tif->tif_nfields ||
+                   tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+ 
+@@ -264,17 +276,23 @@
+                                                      dp->tdir_tag,
+                                                      dp->tdir_tag,
+                                                      dp->tdir_type);
+-
+-                    TIFFMergeFieldInfo(tif,
+-                                       _TIFFCreateAnonFieldInfo(tif,
+-                                              dp->tdir_tag,
+-                                              (TIFFDataType) dp->tdir_type),
+-                                     1 );
++                                      /*
++                                       * creating anonymous fields prior to 
knowing the compression
++                                       * algorithm (ie, when the field info 
has been merged) could cause
++                                       * crashes with pathological 
directories.
++                                       * -- [EMAIL PROTECTED] 15 Jun 2006
++                                       */
++                                      if (compressionknown)
++                                          TIFFMergeFieldInfo(tif, 
_TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
++                                              (TIFFDataType) dp->tdir_type), 
1 );
++                                      else goto ignore;
++                  
+                     fix = 0;
+                     while (fix < tif->tif_nfields &&
+                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+                       fix++;
+               }
++              
+               /*
+                * Null out old tags that we ignore.
+                */
+@@ -326,6 +344,7 @@
+                                   dp->tdir_type, dp->tdir_offset);
+                               if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+                                       goto bad;
++                              else compressionknown++;
+                               break;
+                       /* XXX: workaround for broken TIFFs */
+                       } else if (dp->tdir_type == TIFF_LONG) {
+@@ -540,6 +559,7 @@
+        * Attempt to deal with a missing StripByteCounts tag.
+        */
+       if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, 
TIFFTAG_STRIPBYTECOUNTS);
+               /*
+                * Some manufacturers violate the spec by not giving
+                * the size of the strips.  In this case, assume there
+@@ -556,7 +576,7 @@
+                       "%s: TIFF directory is missing required "
+                       "\"%s\" field, calculating from imagelength",
+                       tif->tif_name,
+-                      
_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++                      fip ? fip->field_name : "Unknown");
+               if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+                   goto bad;
+ /* 
+@@ -580,6 +600,7 @@
+       } else if (td->td_nstrips == 1 
+                    && td->td_stripoffset[0] != 0 
+                    && BYTECOUNTLOOKSBAD) {
++              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, 
TIFFTAG_STRIPBYTECOUNTS);
+               /*
+                * XXX: Plexus (and others) sometimes give a value of zero for
+                * a tag when they don't know what the correct value is!  Try
+@@ -589,13 +610,14 @@
+               TIFFWarningExt(tif->tif_clientdata, module,
+       "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+                             tif->tif_name,
+-                          
_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++                          fip ? fip->field_name : "Unknown");
+               if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+                   goto bad;
+       } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+                  && td->td_nstrips > 2
+                  && td->td_compression == COMPRESSION_NONE
+                  && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, 
TIFFTAG_STRIPBYTECOUNTS);
+               /*
+                * XXX: Some vendors fill StripByteCount array with absolutely
+                * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +626,7 @@
+               TIFFWarningExt(tif->tif_clientdata, module,
+       "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+                             tif->tif_name,
+-                          
_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++                          fip ? fip->field_name : "Unknown");
+               if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+                   goto bad;
+       }
+@@ -870,7 +892,13 @@
+ 
+       register TIFFDirEntry *dp;
+       register TIFFDirectory *td = &tif->tif_dir;
+-      uint16 i;
++      
++      /* i is used to iterate over td->td_nstrips, so must be
++       * at least the same width.
++       * -- [EMAIL PROTECTED] 15 Jun 2006
++       */
++
++      uint32 i;
+ 
+       if (td->td_stripbytecount)
+               _TIFFfree(td->td_stripbytecount);
+@@ -947,16 +975,18 @@
+ static int
+ CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
+ {
++      const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++
+       if (count > dir->tdir_count) {
+               TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+       "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
+-                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++                  fip ? fip->field_name : "Unknown",
+                   dir->tdir_count, count);
+               return (0);
+       } else if (count < dir->tdir_count) {
+               TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+       "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
+-                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++                  fip ? fip->field_name : "Unknown",
+                   dir->tdir_count, count);
+               return (1);
+       }
+@@ -970,6 +1000,7 @@
+ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
+ {
+       int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
++      const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+       tsize_t cc = dir->tdir_count * w;
+ 
+       /* Check for overflow. */
+@@ -1013,7 +1044,7 @@
+ bad:
+       TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                    "Error fetching data for field \"%s\"",
+-                   _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                   fip ? fip->field_name : "Unknown");
+       return (tsize_t) 0;
+ }
+ 
+@@ -1039,10 +1070,12 @@
+ static int
+ cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
+ {
++      const TIFFFieldInfo* fip;
+       if (denom == 0) {
++              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                   "%s: Rational with zero denominator (num = %lu)",
+-                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
++                  fip ? fip->field_name : "Unknown", num);
+               return (0);
+       } else {
+               if (dir->tdir_type == TIFF_RATIONAL)
+@@ -1159,6 +1192,20 @@
+ static int
+ TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
+ {
++      /*
++       * Prevent overflowing the v stack arrays below by performing a sanity
++       * check on tdir_count, this should never be greater than two.
++       * -- [EMAIL PROTECTED] 14 Jun 2006.
++       */
++      if (dir->tdir_count > 2) {
++              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, 
dir->tdir_tag);
++              TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
++                              "unexpected count for field \"%s\", %lu, 
expected 2; ignored.",
++                              fip ? fip->field_name : "Unknown",
++                              dir->tdir_count);
++              return 0;
++      }
++
+       switch (dir->tdir_type) {
+               case TIFF_BYTE:
+               case TIFF_SBYTE:
+@@ -1329,14 +1376,15 @@
+       case TIFF_DOUBLE:
+               return (TIFFFetchDoubleArray(tif, dir, (double*) v));
+       default:
++              { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, 
dir->tdir_tag);
+               /* TIFF_NOTYPE */
+               /* TIFF_ASCII */
+               /* TIFF_UNDEFINED */
+               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                            "cannot read TIFF_ANY type %d for field \"%s\"",
+                            dir->tdir_type,
+-                           _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+-              return (0);
++                           fip ? fip->field_name : "Unknown");
++              return (0); }
+       }
+       return (1);
+ }
+@@ -1351,6 +1399,9 @@
+       int ok = 0;
+       const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ 
++      if (fip == NULL) {
++              return (0);
++      }
+       if (dp->tdir_count > 1) {               /* array of values */
+               char* cp = NULL;
+ 
+@@ -1493,6 +1544,7 @@
+ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1510,9 +1562,10 @@
+ 
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++                              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+                                       TIFFErrorExt(tif->tif_clientdata, 
tif->tif_name,
+                               "Cannot handle different per-sample values for 
field \"%s\"",
+-                              _TIFFFieldWithTag(tif, 
dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+@@ -1534,6 +1587,7 @@
+ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1551,9 +1605,10 @@
+                 check_count = samples;
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++                              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+                                       TIFFErrorExt(tif->tif_clientdata, 
tif->tif_name,
+                               "Cannot handle different per-sample values for 
field \"%s\"",
+-                              _TIFFFieldWithTag(tif, 
dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+@@ -1574,6 +1629,7 @@
+ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1591,9 +1647,10 @@
+ 
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++                  fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+                     TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for 
field \"%s\"",
+-                              _TIFFFieldWithTag(tif, 
dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
+--- tiff-3.8.2/libtiff/tif_fax3.c      2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_fax3.c  2006-07-14 13:52:00.669557000 +0100
+@@ -1136,6 +1136,7 @@
+ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
+ {
+       Fax3BaseState* sp = Fax3State(tif);
++      const TIFFFieldInfo* fip;
+ 
+       assert(sp != 0);
+       assert(sp->vsetparent != 0);
+@@ -1181,7 +1182,13 @@
+       default:
+               return (*sp->vsetparent)(tif, tag, ap);
+       }
+-      TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++      
++      if ((fip = _TIFFFieldWithTag(tif, tag))) {
++              TIFFSetFieldBit(tif, fip->field_bit);
++      } else {
++              return (0);
++      }
++
+       tif->tif_flags |= TIFF_DIRTYDIRECT;
+       return (1);
+ }
+diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
+--- tiff-3.8.2/libtiff/tif_jpeg.c      2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c  2006-07-14 13:52:00.655560000 +0100
+@@ -722,15 +722,31 @@
+               segment_width = TIFFhowmany(segment_width, sp->h_sampling);
+               segment_height = TIFFhowmany(segment_height, sp->v_sampling);
+       }
+-      if (sp->cinfo.d.image_width != segment_width ||
+-          sp->cinfo.d.image_height != segment_height) {
++      if (sp->cinfo.d.image_width < segment_width ||
++          sp->cinfo.d.image_height < segment_height) {
+               TIFFWarningExt(tif->tif_clientdata, module,
+                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
+                           segment_width, 
+                           segment_height,
+                           sp->cinfo.d.image_width, 
+                           sp->cinfo.d.image_height);
++      } 
++      
++      if (sp->cinfo.d.image_width > segment_width ||
++                      sp->cinfo.d.image_height > segment_height) {
++              /*
++               * This case could be dangerous, if the strip or tile size has 
been
++               * reported as less than the amount of data jpeg will return, 
some
++               * potential security issues arise. Catch this case and error 
out.
++               * -- [EMAIL PROTECTED] 14 Jun 2006
++               */
++              TIFFErrorExt(tif->tif_clientdata, module, 
++                      "JPEG strip/tile size exceeds expected dimensions,"
++                      "expected %dx%d, got %dx%d", segment_width, 
segment_height,
++                      sp->cinfo.d.image_width, sp->cinfo.d.image_height);
++              return (0);
+       }
++
+       if (sp->cinfo.d.num_components !=
+           (td->td_planarconfig == PLANARCONFIG_CONTIG ?
+            td->td_samplesperpixel : 1)) {
+@@ -761,6 +777,22 @@
+                                     sp->cinfo.d.comp_info[0].v_samp_factor,
+                                     sp->h_sampling, sp->v_sampling);
+ 
++                              /*
++                               * There are potential security issues here for 
decoders that
++                               * have already allocated buffers based on the 
expected sampling
++                               * factors. Lets check the sampling factors 
dont exceed what
++                               * we were expecting.
++                               * -- [EMAIL PROTECTED] 14 June 2006
++                               */
++                              if (sp->cinfo.d.comp_info[0].h_samp_factor > 
sp->h_sampling ||
++                                      sp->cinfo.d.comp_info[0].v_samp_factor 
> sp->v_sampling) {
++                                              
TIFFErrorExt(tif->tif_clientdata, module,
++                                                      "Cannot honour JPEG 
sampling factors that"
++                                                      " exceed those 
specified.");
++                                              return (0);
++                              }
++
++
+                           /*
+                            * XXX: Files written by the Intergraph software
+                            * has different sampling factors stored in the
+@@ -1521,15 +1553,18 @@
+ {
+       JPEGState *sp = JState(tif);
+       
+-      assert(sp != 0);
++      /* assert(sp != 0); */
+ 
+       tif->tif_tagmethods.vgetfield = sp->vgetparent;
+       tif->tif_tagmethods.vsetfield = sp->vsetparent;
+ 
+-      if( sp->cinfo_initialized )
+-          TIFFjpeg_destroy(sp);       /* release libjpeg resources */
+-      if (sp->jpegtables)             /* tag value */
+-              _TIFFfree(sp->jpegtables);
++      if (sp != NULL) {
++              if( sp->cinfo_initialized )
++                  TIFFjpeg_destroy(sp);       /* release libjpeg resources */
++              if (sp->jpegtables)             /* tag value */
++                      _TIFFfree(sp->jpegtables);
++      }
++
+       _TIFFfree(tif->tif_data);       /* release local state */
+       tif->tif_data = NULL;
+ 
+@@ -1541,6 +1576,7 @@
+ {
+       JPEGState* sp = JState(tif);
+       TIFFDirectory* td = &tif->tif_dir;
++      const TIFFFieldInfo* fip;
+       uint32 v32;
+ 
+       assert(sp != NULL);
+@@ -1606,7 +1642,13 @@
+       default:
+               return (*sp->vsetparent)(tif, tag, ap);
+       }
+-      TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++      if ((fip = _TIFFFieldWithTag(tif, tag))) {
++              TIFFSetFieldBit(tif, fip->field_bit);
++      } else {
++              return (0);
++      }
++
+       tif->tif_flags |= TIFF_DIRTYDIRECT;
+       return (1);
+ }
+@@ -1726,7 +1768,11 @@
+ {
+       JPEGState* sp = JState(tif);
+ 
+-      assert(sp != NULL);
++      /* assert(sp != NULL); */
++      if (sp == NULL) {
++              TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown 
JPEGState");
++              return;
++      }
+ 
+       (void) flags;
+       if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
+diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
+--- tiff-3.8.2/libtiff/tif_next.c      2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_next.c  2006-07-14 13:52:00.556567000 +0100
+@@ -105,11 +105,16 @@
+                        * as codes of the form <color><npixels>
+                        * until we've filled the scanline.
+                        */
++                      /*
++                       * Ensure the run does not exceed the scanline
++                       * bounds, potentially resulting in a security issue.
++                       * -- [EMAIL PROTECTED] 14 Jun 2006.
++                       */
+                       op = row;
+                       for (;;) {
+                               grey = (n>>6) & 0x3;
+                               n &= 0x3f;
+-                              while (n-- > 0)
++                              while (n-- > 0 && npixels < imagewidth)
+                                       SETPIXEL(op, grey);
+                               if (npixels >= (int) imagewidth)
+                                       break;
+diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c 
tiff-3.8.2-goo/libtiff/tif_pixarlog.c
+--- tiff-3.8.2/libtiff/tif_pixarlog.c  2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c      2006-07-14 13:52:00.483557000 
+0100
+@@ -768,7 +768,19 @@
+       if (tif->tif_flags & TIFF_SWAB)
+               TIFFSwabArrayOfShort(up, nsamples);
+ 
+-      for (i = 0; i < nsamples; i += llen, up += llen) {
++      /* 
++       * if llen is not an exact multiple of nsamples, the decode operation
++       * may overflow the output buffer, so truncate it enough to prevent that
++       * but still salvage as much data as possible.
++       * -- [EMAIL PROTECTED] 14th June 2006
++       */
++      if (nsamples % llen) 
++              TIFFWarningExt(tif->tif_clientdata, module,
++                              "%s: stride %lu is not a multiple of sample 
count, "
++                              "%lu, data truncated.", tif->tif_name, llen, 
nsamples);
++                              
++      
++      for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+               switch (sp->user_datafmt)  {
+               case PIXARLOGDATAFMT_FLOAT:
+                       horizontalAccumulateF(up, llen, sp->stride,
+diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
+--- tiff-3.8.2/libtiff/tif_read.c      2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_read.c  2006-07-14 13:52:00.467568000 +0100
+@@ -31,6 +31,8 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+ 
++#include <limits.h>
++
+       int TIFFFillStrip(TIFF*, tstrip_t);
+       int TIFFFillTile(TIFF*, ttile_t);
+ static        int TIFFStartStrip(TIFF*, tstrip_t);
+@@ -272,7 +274,13 @@
+               if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+                       _TIFFfree(tif->tif_rawdata);
+               tif->tif_flags &= ~TIFF_MYBUFFER;
+-              if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++              /*
++               * This sanity check could potentially overflow, causing an OOB 
read.
++               * verify that offset + bytecount is > offset.
++               * -- [EMAIL PROTECTED] 14 Jun 2006
++               */
++              if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++                      bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
+                       /*
+                        * This error message might seem strange, but it's
+                        * what would happen if a read were done instead.
+@@ -470,7 +478,13 @@
+               if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+                       _TIFFfree(tif->tif_rawdata);
+               tif->tif_flags &= ~TIFF_MYBUFFER;
+-              if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++              /*
++               * We must check this calculation doesnt overflow, potentially
++               * causing an OOB read.
++               * -- [EMAIL PROTECTED] 15 Jun 2006
++               */
++              if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++                      bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
+                       tif->tif_curtile = NOTILE;
+                       return (0);
+               }

Index: libtiff.info
===================================================================
RCS file: 
/cvsroot/fink/dists/10.3/unstable/main/finkinfo/graphics/libtiff.info,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- libtiff.info        5 Sep 2006 04:40:14 -0000       1.9
+++ libtiff.info        29 Aug 2007 15:03:21 -0000      1.10
@@ -1,11 +1,12 @@
 Package: libtiff
 Version: 3.8.2
-Revision: 1
+Revision: 2
 Depends: %N-shlibs (= %v-%r), %N-bin
-BuildDepends: libjpeg (>= 6b-3), fink (>= 0.9.9)
+BuildDepends: libjpeg (>= 6b-3), fink (>= 0.24.12)
 Source: ftp://ftp.remotesensing.org/libtiff/tiff-%v.tar.gz
 Source-MD5: fbb6f446ea4ed18955e2714934e5b698
-Patch: %n.patch
+PatchFile: %n.patch
+PatchFile-MD5: 8939f6447c55b85b060f4a3525bd54d3
 NoSetMAKEFLAGS: true
 SetMAKEFLAGS: -j1
 ConfigureParams: --mandir='${prefix}/share/man' --disable-dependency-tracking
@@ -56,6 +57,11 @@
 symbol in the new build system.
 
 Previous versions by Christoph Pfisterer.
+
+ Security patches thanks to Tomoaki Okayama:
+  CVE-2006-2193:      debian/patches/tiff2pdf-octal-printf.patch
+  CVE-2006-2656:      debian/patches/tiffsplit-fname-overflow.patch
+  CVE-2006-3459-3465: debian/patches/CVE-2006-3459-3465.patch
 <<
 License: BSD
 Homepage: http://remotesensing.org/libtiff/
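Review bot: The DescPort entry `CVE-2006-3459-3465: debian/patches/CVE-2006-3459-3465.patch` records a range rather than the individual identifiers, so a grep for any single id in that range (e.g. `CVE-2006-3461`) will not match this file. Listing them out, `CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465: debian/patches/CVE-2006-3459-3465.patch`, keeps the provenance of the Debian patch while making each fix discoverable. The same entry would be the natural place to say which upstream version the Debian patch was written against, since only Version: 3.8.2 is visible here.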

Index: netpbm.info
===================================================================
RCS file: /cvsroot/fink/dists/10.3/unstable/main/finkinfo/graphics/netpbm.info,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- netpbm.info 5 Sep 2006 04:40:14 -0000       1.6
+++ netpbm.info 29 Aug 2007 15:03:21 -0000      1.7
@@ -1,14 +1,15 @@
 Package: netpbm
 Version: 9.25
-Revision: 14
-BuildDepends: libjpeg, libpng3, libtiff
+Revision: 15
+BuildDepends: libjpeg, libpng3, libtiff, fink (>= 0.24.12)
 Depends: %N-shlibs (= %v-%r), %N-bin
 Replaces: netpbm (<< 9.25-1), netpbm10
 Conflicts: netpbm10
 BuildDependsOnly: True
 Source: mirror:sourceforge:%n/%n-%v.tgz
 Source-MD5: cb8036f3649c93cf51ee377971ddbf1c
-Patch: %n.patch
+PatchFile: %n.patch
+PatchFile-MD5: 741be205daf067a1917c44662e64c9b6
 NoSetMAKEFLAGS: true
 SetMAKEFLAGS: -j1
 CompileScript: <<
@@ -42,6 +43,13 @@
 Description: Graphics manipulation programs and libraries
 DescPort: <<
  Patches for gcc 4.0 compatibility thanks to Matt Sachs.
+
+ Security patches thanks to Tomoaki Okayama:
+  CVE-2003-0924: netpbm-9.24-debiansecurity.patch  (from Turbo)
+  CVE-2005-2471: netpbm-9.24-CAN-2005-2471.patch   (from RedHat)
+  CVE-2005-3632: netpbm-9.24-CVE-2005-3632.diff    (from RedHat)
+  CVE-2005-3662: netpbm-9.24-CVE-2005-3662.patch   (from RedHat)
+  I modified netpbm-9.24-CVE-2005-3632.diff a little for avoiding conflicts.
 <<
 License: OSI-Approved
 Homepage: http://netpbm.sourceforge.net
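Review bot: The DescPort block names four patches written against netpbm 9.24 (`netpbm-9.24-*.patch`/`.diff`) while this package builds Version: 9.25, and the closing sentence only says that the CVE-2005-3632 diff was modified to avoid conflicts; it does not say whether the other three applied to 9.25 unchanged or were rebased. A sentence such as ` The other three patches applied to 9.25 without changes.` (or whatever is accurate) would let a later packager tell which hunks of netpbm.patch are upstream-verbatim and which are local edits, which matters when re-checking a CVE fix. The closing sentence itself reads more naturally as ` I modified netpbm-9.24-CVE-2005-3632.diff slightly to avoid conflicts.` The new PatchFile-MD5 pins the combined patch file but records none of this provenance.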

