commit tiff.5380 for openSUSE:13.2:Update
Hello community,
here is the log from the commit of package tiff.5380 for openSUSE:13.2:Update checked in at 2016-07-27 15:28:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/tiff.5380 (Old)
and /work/SRC/openSUSE:13.2:Update/.tiff.5380.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff.5380"
Changes:
--------
New Changes file:
--- /dev/null 2016-07-07 10:01:34.856033756 +0200
+++ /work/SRC/openSUSE:13.2:Update/.tiff.5380.new/tiff.changes 2016-07-27 15:28:54.000000000 +0200
@@ -0,0 +1,709 @@
+-------------------------------------------------------------------
+Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com
+
+- Added patches:
+ * tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
+ * tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
+ * tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
+ - Upstream commits to fix CVE-2016-5314 [bsc#984831],
+ CVE-2016-5316 [bsc#984837], CVE-2016-5317 [bsc#984842],
+ CVE-2016-5320 [bsc#984808] and CVE-2016-5875 [bsc#987351]
+
+-------------------------------------------------------------------
+Wed Apr 6 13:56:19 UTC 2016 - fstrba@suse.com
+
+- Added patch:
+ * tiff-4.0.6-CVE-2016-3186.patch
+ - fix CVE-2016-3186: buffer overflow in gif2tiff [bsc#973340]
+
+-------------------------------------------------------------------
+Mon Feb 1 08:01:19 UTC 2016 - fstrba@suse.com
+
+- Added patch:
+ * tiff-4.0.6-CVE-2015-8782.patch
+ - fix CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds
+ writes for invalid images (upstream bug #2522) [bsc#964225]
+
+-------------------------------------------------------------------
+Wed Jan 13 17:03:31 UTC 2016 - fstrba@suse.com
+
+- Added patch:
+ * tiff-4.0.6-CVE-2015-7554.patch
+ - fix CVE-2015-7554: Out-of-bounds Write in the thumbnail and
+ tiffcmp tools (upsteam bug #2499) [bsc#960341]
+
+-------------------------------------------------------------------
+Mon Jan 11 13:53:42 UTC 2016 - kstreitova@suse.com
+
+- Added patch:
+ * tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
+ - fix uninitialized memory in NeXTDecode (upstream bug #2508)
+ [bsc#942690]
+
+-------------------------------------------------------------------
+Tue Dec 8 15:55:30 UTC 2015 - p.drouand@gmail.com
+
+- Update to version 4.0.6
+ * Supports CMake 2.8.9 and later.
+ * Add missing file which wasn't being distributed, causing unit
+ tests to fail.
+ * Make shared/static library building configurable.
+ * CMake reads all version information directly from configure.ac
+ to avoid duplication of values.
+ * CMake builds are now included in 'distcheck' target.
+ * Autotools 'make distcheck' now tests the CMake-based build if
+ CMake is available.
+ * Fixes to avoid undefined behaviour of signed types (C standard
+ compliance).
+ * Fixes to avoid possible isses when casting to unsigned char.
+ * Fixes to avoid undefined behaviour with shifts.
+ * Fix generation of output with 16 bit or 32 bit integer, when
+ byte swapping is needed, in horizontal predictor (#2521).
+ * Fix decoding when there is a single pixel to decode
+ (unlikely case...) and byte swapping is involved.
+ * Add add explicit masking with 0xff before casting to uchar in
+ floating-point horizontal differencing and accumulation routines.
+ * Eliminate requirement for and use of 64-bit constant values.
+ * tiffgt : Silence glut API deprecation warnings on MacOS X.
+ * fax2ps : Detect failure to write to temporary file.
+- Changes from version 4.0.5
+ * Support for configure/build using CMake.
+ * Support for large (> 2GB) files under Microsoft Windows.
+ * Configuration and building using CMake is now supported under
+ Microsoft Windows and on Unix-type systems.
+ * Test for and use fseeko() if it is available. This allows supporting
+ large files on Unix-type systems with a 32-bit 'long' type and a
+ 64-bit 'off_t' type.
+ * tiffiop.h: Macros added to use 64-bit equivalents for all standard
+ I/O and POSIX APIs used by libtiff and its tools which are limited
+ to 2GB in Windows builds. Note that these 64-bit equivalents were
+ introduced by the CRT provided with Visual Studio 2005 and if the
+ necessary CRT is not installed on the target computer, the program
+ will not run. The wrapper macros will not be activated unless the
+ definition _MSC_VER is at least 1400 or __MSVCRT_VERSION__ is at
+ least 0x800.
+ * tif_unix.c: Updated to support large files under Microsoft Windows.
+ This makes tif_unix.c a completely viable candidate for use under
+ Windows (in spite of its name) if the CRT is modern enough. Please
+ note that tif_win32.c already supported large files, but only
+ 'tiffinfo' and 'tiffdump' made any provision to support large files
+ under Windows.
+ * _tiffReadProc() and _tiffWriteProc() are modified to chunk I/O to a
+ maximum size of 2GB for extremely large I/O requests. This surmounts
+ limitations in the Microsoft Windows read() and write() APIs (which
+ are limited to the range of a 32-bit 'int'), and may avoid poor
+ behavior with extremely large I/O requests on other systems.
+ * Updated to use I/O wrapper macros from tiffiop.h in order to
+ support large files under Microsoft Windows.
+
+-------------------------------------------------------------------
+Tue Aug 4 08:17:35 UTC 2015 - kstreitova@suse.com
+
+- use spec-cleaner
+
+-------------------------------------------------------------------
+Wed Jul 1 07:17:13 UTC 2015 - pgajdos@suse.com
+
+- update to 4.0.4
+D tiff-4.0.3-double-free.patch
+D tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
+D tiff-4.0.3-CVE-2013-1961.patch
+D erouault.2862.patch
+D bfriesen.2805.patch
+D tiff-4.0.3-CVE-2013-4232.patch
+D tiff-4.0.3-CVE-2013-4244.patch
+D erouault.2861.patch
+D erouault.2857.patch
+D erouault.2856.patch
+D erouault.2859.patch
+D tiff-4.0.3-CVE-2012-4564.patch
+D tiff-4.0.3-tiff2pdf-colors.patch
+D erouault.2876.patch
+D erouault.2860.patch
+D tiff-dither-malloc-check.patch
+D tiff-4.0.3-CVE-2013-1960.patch
+D erouault.2858.patch
+D tiff-handle-TIFFTAG_PREDICTOR.patch
+D tiff-4.0.3-CVE-2013-4231.patch
+D tiff-4.0.3-CVE-2013-4243.patch
+D erouault.2863.patch
+D tiff-4.0.3-test-jpeg-turbo.patch
+
+-------------------------------------------------------------------
+Thu Feb 26 13:58:54 UTC 2015 - pgajdos@suse.com
+
+- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128,
+ CVE-2014-8129, CVE-2014-8130, CVE-2015-1547
+ bnc#914890, bnc#916925, bnc#916927
+ + erouault.2856.patch
+ + erouault.2857.patch
+ + erouault.2858.patch
+ + erouault.2859.patch
+ + erouault.2860.patch
+ + erouault.2861.patch
+ + erouault.2862.patch
+ + erouault.2863.patch
+ + erouault.2876.patch
+ + bfriesen.2805.patch
+ + tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
+ + tiff-handle-TIFFTAG_PREDICTOR.patch
+ + tiff-dither-malloc-check.patch
+
+-------------------------------------------------------------------
+Mon Dec 22 19:58:43 UTC 2014 - meissner@suse.com
+
+- build with PIE
+
+-------------------------------------------------------------------
+Wed Aug 21 12:57:57 UTC 2013 - pgajdos@suse.com
+
+- security update
+ * CVE-2013-4232.patch [bnc#834477]
+ * CVE-2013-4231.patch [bnc#834477]
+ * CVE-2013-4244.patch [bnc#834788]
+ * CVE-2013-4243.patch [bnc#834779]
+
+-------------------------------------------------------------------
+Wed Jun 26 10:48:50 UTC 2013 - pgajdos@suse.com
+
+- tiff2pdf: introduced warning when the compression isn't lzw or
+ none [bnc#819142]
+- tiff2pdf: fixed crash [bnc#821872]
+
+-------------------------------------------------------------------
+Tue Apr 30 13:20:50 UTC 2013 - pgajdos@suse.com
+
+- security update
+ * CVE-2013-1961.patch [bnc#818117]
+ * CVE-2013-1960.patch [bnc#817573]
+
+-------------------------------------------------------------------
+Fri Apr 5 10:23:51 UTC 2013 - idonmez@suse.com
+
+- Add Source URL, see https://en.opensuse.org/SourceUrls
+
+-------------------------------------------------------------------
+Mon Nov 5 09:27:59 UTC 2012 - pgajdos@suse.com
+
+- updated to 4.0.3:
+ * Add some TIFF/FX support in libtiff.
+ * Fix bug rewriting image tiles in a compressed file.
+ * Fix read past end of data buffer.
+ * etc., see ChangeLog
+- removed upstreamed patches:
+ * bigendian.patch
+ * dont-fancy-upsampling.patch
+ * CVE-2012-3401.patch
+- new patch:
++++ 512 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.2:Update/.tiff.5380.new/tiff.changes
New:
----
README.SUSE
baselibs.conf
tiff-4.0.3-compress-warning.patch
tiff-4.0.3-seek.patch
tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
tiff-4.0.6-CVE-2015-7554.patch
tiff-4.0.6-CVE-2015-8782.patch
tiff-4.0.6-CVE-2016-3186.patch
tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
tiff-4.0.6.tar.gz
tiff.changes
tiff.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tiff.spec ++++++
#
# spec file for package tiff
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: tiff
Version: 4.0.6
Release: 0
Summary: Tools for Converting from and to the Tiff Format
License: HPND
Group: Productivity/Graphics/Convertors
Url: http://www.remotesensing.org/libtiff
Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Source2: README.SUSE
Source3: baselibs.conf
Patch0: tiff-4.0.3-seek.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2442
Patch1: tiff-4.0.3-compress-warning.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2508
Patch2: tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2499
Patch3: tiff-4.0.6-CVE-2015-7554.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2522
Patch4: tiff-4.0.6-CVE-2015-8782.patch
#
Patch5: tiff-4.0.6-CVE-2016-3186.patch
#
Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
BuildRequires: gcc-c++
BuildRequires: libjpeg-devel
BuildRequires: libtool
BuildRequires: zlib-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} > 1030
BuildRequires: lzma-devel
%endif
%if 0%{?suse_version} <= 1000
BuildRequires: pkgconfig
%endif
%if 0%{?suse_version} > 1000
BuildRequires: pkg-config
%endif
# bug437293
%ifarch ppc64
Obsoletes: tiff-64bit
%endif
%if 0%{?suse_version} > 1210
BuildRequires: libjbig-devel
%endif
%description
This package contains the library and support programs for the TIFF
image format.
%package -n libtiff5
Summary: The Tiff Library (with JPEG and compression support)
Group: System/Libraries
Provides: libtiff = %{version}
# bug437293
%ifarch ppc64
Obsoletes: libtiff-64bit
%endif
#
%description -n libtiff5
This package includes the tiff libraries. To link a program with
libtiff, you will have to add -ljpeg and -lz to include the necessary
libjpeg and libz in the linking process.
%package -n libtiff-devel
Summary: Development Tools for Programs which will use the libtiff Library
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libstdc++-devel
Requires: libtiff5 = %{version}
# bug437293
%ifarch ppc64
Obsoletes: tiff-devel-64bit
%endif
#
%description -n libtiff-devel
This package contains the header files and static libraries for
developing programs which will manipulate TIFF format image files using
the libtiff library.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2
%patch3
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
CFLAGS="%{optflags} -fPIE"
%configure --disable-static --with-pic
make %{?_smp_mflags} LDFLAGS="-pie"
%install
mkdir -p %{buildroot}/{%{_mandir}/{man1,man3},usr/{bin,lib,include}}
make DESTDIR=%{buildroot} install %{?_smp_mflags}
for f in `find %{buildroot}/%{_mandir} -type f -print ` ; do
if [ `wc -l <$f` -eq 1 ] && grep -q "^\.so " $f ; then
linkto=`sed -e "s|^\.so ||" $f`
[ -f "`dirname $f`/$linkto" ] && ln -sf "$linkto" $f
fi
done
cp %{SOURCE2} .
rm -rf %{buildroot}%{_datadir}/doc/tiff*
find %{buildroot} -type f -name "*.la" -delete -print
find html -name "Makefile*" | xargs rm
%check
cd test
make %{?_smp_mflags} check
%post -n libtiff5 -p /sbin/ldconfig
%postun -n libtiff5 -p /sbin/ldconfig
%files
%defattr(-,root,root)
%{_bindir}/*
%doc html
%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE
%{_mandir}/man1/*
%files -n libtiff5
%defattr(-,root,root)
%doc README COPYRIGHT README.SUSE
%{_libdir}/*.so.*
%files -n libtiff-devel
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%{_mandir}/man3/*
%changelog
++++++ README.SUSE ++++++
The documentation for tiff programs and library is in package tiff
in directory /usr/share/doc/packages/tiff.++++++ baselibs.conf ++++++
libtiff5
obsoletes "libtiff-<targettype> <= <version>"
provides "libtiff-<targettype> = <version>"
libtiff-devel
requires -libtiff-<targettype>
requires "libtiff5-<targettype> = <version>"
++++++ tiff-4.0.3-compress-warning.patch ++++++
Index: tiff-4.0.3/tools/tiff2pdf.c
===================================================================
--- tiff-4.0.3.orig/tools/tiff2pdf.c
+++ tiff-4.0.3/tools/tiff2pdf.c
@@ -1264,6 +1264,15 @@ void t2p_read_tiff_data(T2P* t2p, TIFF*
return;
}
+ if(t2p->tiff_compression != COMPRESSION_LZW &&
+ t2p->tiff_compression != COMPRESSION_NONE){
+ TIFFWarning(
+ TIFF2PDF_MODULE,
+ "%s is not compressed with LZW or NONE.\n"
+ "tiff2pdf result may be incorrect in that case.\n"
+ "Consider to use tiffcp(1) to change compress algorithm first.",
+ TIFFFileName(input) );
+ }
if( TIFFIsCODECConfigured(t2p->tiff_compression) == 0){
TIFFError(
TIFF2PDF_MODULE,
++++++ tiff-4.0.3-seek.patch ++++++
Index: tiff-4.0.1/libtiff/tiffiop.h
===================================================================
--- tiff-4.0.1.orig/libtiff/tiffiop.h
+++ tiff-4.0.1/libtiff/tiffiop.h
@@ -213,7 +213,7 @@ struct tiff {
#define TIFFWriteFile(tif, buf, size) \
((*(tif)->tif_writeproc)((tif)->tif_clientdata,(buf),(size)))
#define TIFFSeekFile(tif, off, whence) \
- ((*(tif)->tif_seekproc)((tif)->tif_clientdata,(off),(whence)))
+ ((tif)->tif_seekproc?((*(tif)->tif_seekproc)((tif)->tif_clientdata,(toff_t)(off),whence)):0)
#define TIFFCloseFile(tif) \
((*(tif)->tif_closeproc)((tif)->tif_clientdata))
#define TIFFGetFileSize(tif) \
++++++ tiff-4.0.4-uninitialized_mem_NeXTDecode.patch ++++++
--- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
+++ libtiff/tif_next.c 27 Dec 2015 16:55:20 -0000 1.17
@@ -37,7 +37,7 @@
case 0: op[0] = (unsigned char) ((v) << 6); break; \
case 1: op[0] |= (v) << 4; break; \
case 2: op[0] |= (v) << 2; break; \
- case 3: *op++ |= (v); break; \
+ case 3: *op++ |= (v); op_offset++; break; \
} \
}
@@ -106,6 +106,7 @@
uint32 imagewidth = tif->tif_dir.td_imagewidth;
if( isTiled(tif) )
imagewidth = tif->tif_dir.td_tilewidth;
+ tmsize_t op_offset = 0;
/*
* The scanline is composed of a sequence of constant
@@ -122,10 +123,15 @@
* bounds, potentially resulting in a security
* issue.
*/
- while (n-- > 0 && npixels < imagewidth)
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
SETPIXEL(op, grey);
if (npixels >= imagewidth)
break;
+ if (op_offset >= scanline ) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+ (long) tif->tif_row);
+ return (0);
+ }
if (cc == 0)
goto bad;
n = *bp++, cc--;
++++++ tiff-4.0.6-CVE-2015-7554.patch ++++++
--- libtiff/tif_dirinfo.c 12 Dec 2015 18:04:26 -0000 1.124
+++ libtiff/tif_dirinfo.c 12 Jan 2016 15:01:21 -0000
@@ -87,6 +87,7 @@
{ TIFFTAG_DATETIME, 20, 20, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "DateTime", NULL },
{ TIFFTAG_ARTIST, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Artist", NULL },
{ TIFFTAG_HOSTCOMPUTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "HostComputer", NULL },
+ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CODEC+0, FALSE, FALSE, "Predictor", NULL },
{ TIFFTAG_WHITEPOINT, 2, 2, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "WhitePoint", NULL },
{ TIFFTAG_PRIMARYCHROMATICITIES, 6, 6, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "PrimaryChromaticities", NULL },
{ TIFFTAG_COLORMAP, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_OTHER, TIFF_SETGET_UNDEFINED, FIELD_COLORMAP, 1, 0, "ColorMap", NULL },
@@ -95,6 +96,7 @@
{ TIFFTAG_TILELENGTH, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UNDEFINED, FIELD_TILEDIMENSIONS, 0, 0, "TileLength", NULL },
{ TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL },
{ TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", &tiffFieldArray },
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
++++++ tiff-4.0.6-CVE-2015-8782.patch ++++++
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
tp = (int16*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (int16*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 2*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ if( cc < 2 )
+ break;
+ rc = *bp++ + (2-128);
b = (int16)(*bp++ << shft);
cc -= 2;
while (rc-- && i < npixels)
@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
while (--cc && rc-- && i < npixels)
tp[i++] |= (int16)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32 *)op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32 *) sp->tbuf;
}
/* copy to array of uint32 */
bp = (unsigned char*) tif->tif_rawcp;
cc = tif->tif_rawcc;
- for (i = 0; i < npixels && cc > 0; i++) {
+ for (i = 0; i < npixels && cc >= 3; i++) {
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
bp += 3;
cc -= 3;
@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 4*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
+ if( cc < 2 )
+ break;
rc = *bp++ + (2-128);
b = (uint32)*bp++ << shft;
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ cc -= 2;
while (rc-- && i < npixels)
tp[i++] |= b;
} else { /* non-run */
@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
while (--cc && rc-- && i < npixels)
tp[i++] |= (uint32)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogL16Encode";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (int16*) bp;
else {
tp = (int16*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */
@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode24";
LogLuvState* sp = EncoderState(tif);
tmsize_t i;
tmsize_t npixels;
@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* write out encoded pixels */
@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
static int
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode32";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */
++++++ tiff-4.0.6-CVE-2016-3186.patch ++++++
--- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200
+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200
@@ -349,7 +349,7 @@
int status = 1;
(void) getc(infile);
- while ((count = getc(infile)) && count <= 255)
+ while ((count = getc(infile)) && count > 0 && count <= 255)
if (fread(buf, 1, count, infile) != (size_t) count) {
fprintf(stderr, "short read from file %s (%s)\n",
filename, strerror(errno));
++++++ tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch ++++++
--- tiff-4.0.6/libtiff/tif_luv.c 2015-08-29 00:16:22.554966897 +0200
+++ tiff-4.0.6/libtiff/tif_luv.c 2016-07-12 10:15:05.008194511 +0200
@@ -1243,6 +1243,14 @@
assert(sp != NULL);
assert(td->td_photometric == PHOTOMETRIC_LOGL);
+ if( td->td_samplesperpixel != 1 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Sorry, can not handle LogL image with %s=%d",
+ "Samples/pixel", td->td_samplesperpixel);
+ return 0;
+ }
+
/* for some reason, we can't do this in TIFFInitLogL16 */
if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
sp->user_datafmt = LogL16GuessDataFmt(td);
++++++ tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch ++++++
--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-07-12 10:11:52.444459447 +0200
@@ -457,6 +457,7 @@
typedef struct {
TIFFPredictorState predict;
z_stream stream;
+ tmsize_t tbuf_size; /* only set/used on reading for now */
uint16 *tbuf;
uint16 stride;
int state;
@@ -692,6 +693,7 @@
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
+ sp->tbuf_size = tbuf_size;
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
sp->user_datafmt = PixarLogGuessDataFmt(td);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -781,6 +783,12 @@
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
return (0);
}
+ /* Check that we will not fill more than what was allocated */
+ if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ return (0);
+ }
do {
int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
if (state == Z_STREAM_END) {
++++++ tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch ++++++
--- tiff-4.0.6/libtiff/tif_read.c 2015-08-29 00:16:22.656727936 +0200
+++ tiff-4.0.6/libtiff/tif_read.c 2016-07-12 10:16:48.693897925 +0200
@@ -38,6 +38,8 @@
static int TIFFCheckRead(TIFF*, int);
static tmsize_t
TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module);
+static tmsize_t
+TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module);
#define NOSTRIP ((uint32)(-1)) /* undefined state */
#define NOTILE ((uint32)(-1)) /* undefined state */
@@ -350,6 +352,24 @@
stripsize=TIFFVStripSize(tif,rows);
if (stripsize==0)
return((tmsize_t)(-1));
+
+ /* shortcut to avoid an extra memcpy() */
+ if( td->td_compression == COMPRESSION_NONE &&
+ size!=(tmsize_t)(-1) && size >= stripsize &&
+ !isMapped(tif) &&
+ ((tif->tif_flags&TIFF_NOREADRAW)==0) )
+ {
+ if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
+ return ((tmsize_t)(-1));
+
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits(buf,stripsize);
+
+ (*tif->tif_postdecode)(tif,buf,stripsize);
+ return (stripsize);
+ }
+
if ((size!=(tmsize_t)(-1))&&(size
participants (1)
-
root@hilbert.suse.de