Change-Id: I81949927ce8b63b89a0ea3664dbd10e24f1345c2
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4661
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,45 +0,0 @@ |
1 |
-+++ b/libtiff/tif_getimage.c 2016-09-22 14:36:19.730567366 -0700 |
|
2 |
-@@ -1822,10 +1822,10 @@ |
|
3 |
- (void) y; |
|
4 |
- /* adjust fromskew */ |
|
5 |
- fromskew = (fromskew * 18) / 4; |
|
6 |
-- if ((h & 3) == 0 && (w & 3) == 0) { |
|
7 |
-+ if ((w & 3) == 0 && (h & 1) == 0) { |
|
8 |
- for (; h >= 4; h -= 4) { |
|
9 |
- x = w>>2; |
|
10 |
-- do { |
|
11 |
-+ while(x>0) { |
|
12 |
- int32 Cb = pp[16]; |
|
13 |
- int32 Cr = pp[17]; |
|
14 |
- |
|
15 |
-@@ -1848,7 +1848,8 @@ |
|
16 |
- cp2 += 4; |
|
17 |
- cp3 += 4; |
|
18 |
- pp += 18; |
|
19 |
-- } while (--x); |
|
20 |
-+ x--; |
|
21 |
-+ } |
|
22 |
- cp += incr; |
|
23 |
- cp1 += incr; |
|
24 |
- cp2 += incr; |
|
25 |
-@@ -2094,7 +2095,7 @@ |
|
26 |
- { |
|
27 |
- (void) y; |
|
28 |
- fromskew = (fromskew * 4) / 2; |
|
29 |
-- do { |
|
30 |
-+ while(x>0) { |
|
31 |
- x = w>>1; |
|
32 |
- while(x>0) { |
|
33 |
- int32 Cb = pp[2]; |
|
34 |
-@@ -2121,7 +2122,8 @@ |
|
35 |
- |
|
36 |
- cp += toskew; |
|
37 |
- pp += fromskew; |
|
38 |
-- } while (--h); |
|
39 |
-+ x --; |
|
40 |
-+ } |
|
41 |
- } |
|
42 |
- |
|
43 |
- /* |
|
44 |
- |
45 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,22 +0,0 @@ |
1 |
-diff tools/tiffsplit.c tools/tiffsplit.c |
|
2 |
-+++ tiff-4.0.6/tools/tiffsplit.c 2016-09-22 12:58:54.257807814 -0700 |
|
3 |
-@@ -179,7 +179,8 @@ |
|
4 |
- TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); |
|
5 |
- } |
|
6 |
- } |
|
7 |
-- CopyField(TIFFTAG_PHOTOMETRIC, shortv); |
|
8 |
-+ uint32 count = 0; |
|
9 |
-+ CopyField2(TIFFTAG_PREDICTOR, count, shortv); |
|
10 |
- CopyField(TIFFTAG_PREDICTOR, shortv); |
|
11 |
- CopyField(TIFFTAG_THRESHHOLDING, shortv); |
|
12 |
- CopyField(TIFFTAG_FILLORDER, shortv); |
|
13 |
-@@ -188,7 +189,7 @@ |
|
14 |
- CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); |
|
15 |
- CopyField(TIFFTAG_XRESOLUTION, floatv); |
|
16 |
- CopyField(TIFFTAG_YRESOLUTION, floatv); |
|
17 |
-- CopyField(TIFFTAG_GROUP3OPTIONS, longv); |
|
18 |
-+ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); |
|
19 |
- CopyField(TIFFTAG_GROUP4OPTIONS, longv); |
|
20 |
- CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); |
|
21 |
- CopyField(TIFFTAG_PLANARCONFIG, shortv); |
22 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,18 +0,0 @@ |
1 |
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c |
|
2 |
-index db196e04..cd1e2358 100644 |
|
3 |
-+++ b/tools/tiff2pdf.c |
|
4 |
-@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ |
|
5 |
- return; |
|
6 |
- |
|
7 |
- t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; |
|
8 |
-- if(t2p->pdf_nopassthrough==0){ |
|
9 |
-+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ |
|
10 |
-+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ |
|
11 |
-+ /* do not take into account the number of samples, and thus */ |
|
12 |
-+ /* that can cause heap buffer overflows such as in */ |
|
13 |
-+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ |
|
14 |
-+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ |
|
15 |
- #ifdef CCITT_SUPPORT |
|
16 |
- if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 |
|
17 |
- ){ |
18 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,122 +0,0 @@ |
1 |
-diff -dupr a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c |
|
2 |
-+++ b/libtiff/tif_dirread.c 2017-11-13 17:27:30.914968448 -0800 |
|
3 |
-@@ -765,6 +765,67 @@ static enum TIFFReadDirEntryErr TIFFRead |
|
4 |
- } |
|
5 |
- } |
|
6 |
- |
|
7 |
-+#define INITIAL_THRESHOLD (1024 * 1024) |
|
8 |
-+#define THRESHOLD_MULTIPLIER 10 |
|
9 |
-+#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) |
|
10 |
-+ |
|
11 |
-+static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc( |
|
12 |
-+ TIFF* tif, uint64 offset, tmsize_t size, void** pdest) |
|
13 |
-+{ |
|
14 |
-+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 |
|
15 |
-+ tmsize_t threshold = INITIAL_THRESHOLD; |
|
16 |
-+#endif |
|
17 |
-+ tmsize_t already_read = 0; |
|
18 |
-+ |
|
19 |
-+ assert( !isMapped(tif) ); |
|
20 |
-+ |
|
21 |
-+ if (!SeekOK(tif,offset)) |
|
22 |
-+ return(TIFFReadDirEntryErrIo); |
|
23 |
-+ |
|
24 |
-+ /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */ |
|
25 |
-+ /* so as to avoid allocating too much memory in case the file is too */ |
|
26 |
-+ /* short. We could ask for the file size, but this might be */ |
|
27 |
-+ /* expensive with some I/O layers (think of reading a gzipped file) */ |
|
28 |
-+ /* Restrict to 64 bit processes, so as to avoid reallocs() */ |
|
29 |
-+ /* on 32 bit processes where virtual memory is scarce. */ |
|
30 |
-+ while( already_read < size ) |
|
31 |
-+ { |
|
32 |
-+ void* new_dest; |
|
33 |
-+ tmsize_t bytes_read; |
|
34 |
-+ tmsize_t to_read = size - already_read; |
|
35 |
-+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 |
|
36 |
-+ if( to_read >= threshold && threshold < MAX_THRESHOLD ) |
|
37 |
-+ { |
|
38 |
-+ to_read = threshold; |
|
39 |
-+ threshold *= THRESHOLD_MULTIPLIER; |
|
40 |
-+ } |
|
41 |
-+#endif |
|
42 |
-+ |
|
43 |
-+ new_dest = (uint8*) _TIFFrealloc( |
|
44 |
-+ *pdest, already_read + to_read); |
|
45 |
-+ if( new_dest == NULL ) |
|
46 |
-+ { |
|
47 |
-+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, |
|
48 |
-+ "Failed to allocate memory for %s " |
|
49 |
-+ "(%ld elements of %ld bytes each)", |
|
50 |
-+ "TIFFReadDirEntryArray", |
|
51 |
-+ (long) 1, (long) already_read + to_read); |
|
52 |
-+ return TIFFReadDirEntryErrAlloc; |
|
53 |
-+ } |
|
54 |
-+ *pdest = new_dest; |
|
55 |
-+ |
|
56 |
-+ bytes_read = TIFFReadFile(tif, |
|
57 |
-+ (char*)*pdest + already_read, to_read); |
|
58 |
-+ already_read += bytes_read; |
|
59 |
-+ if (bytes_read != to_read) { |
|
60 |
-+ return TIFFReadDirEntryErrIo; |
|
61 |
-+ } |
|
62 |
-+ } |
|
63 |
-+ return TIFFReadDirEntryErrOk; |
|
64 |
-+} |
|
65 |
-+ |
|
66 |
-+ |
|
67 |
-+ |
|
68 |
- static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value) |
|
69 |
- { |
|
70 |
- int typesize; |
|
71 |
-@@ -791,9 +852,23 @@ static enum TIFFReadDirEntryErr TIFFRead |
|
72 |
- *count=(uint32)direntry->tdir_count; |
|
73 |
- datasize=(*count)*typesize; |
|
74 |
- assert((tmsize_t)datasize>0); |
|
75 |
-- data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); |
|
76 |
-- if (data==0) |
|
77 |
-- return(TIFFReadDirEntryErrAlloc); |
|
78 |
-+ |
|
79 |
-+ if( isMapped(tif) && datasize > tif->tif_size ) |
|
80 |
-+ return TIFFReadDirEntryErrIo; |
|
81 |
-+ |
|
82 |
-+ if( !isMapped(tif) && |
|
83 |
-+ (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) || |
|
84 |
-+ (!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) ) |
|
85 |
-+ { |
|
86 |
-+ data = NULL; |
|
87 |
-+ } |
|
88 |
-+ else |
|
89 |
-+ { |
|
90 |
-+ data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); |
|
91 |
-+ if (data==0) |
|
92 |
-+ return(TIFFReadDirEntryErrAlloc); |
|
93 |
-+ } |
|
94 |
-+ |
|
95 |
- if (!(tif->tif_flags&TIFF_BIGTIFF)) |
|
96 |
- { |
|
97 |
- if (datasize<=4) |
|
98 |
-@@ -804,7 +879,10 @@ static enum TIFFReadDirEntryErr TIFFRead |
|
99 |
- uint32 offset = direntry->tdir_offset.toff_long; |
|
100 |
- if (tif->tif_flags&TIFF_SWAB) |
|
101 |
- TIFFSwabLong(&offset); |
|
102 |
-- err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); |
|
103 |
-+ if( isMapped(tif) ) |
|
104 |
-+ err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); |
|
105 |
-+ else |
|
106 |
-+ err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); |
|
107 |
- if (err!=TIFFReadDirEntryErrOk) |
|
108 |
- { |
|
109 |
- _TIFFfree(data); |
|
110 |
-@@ -822,7 +900,10 @@ static enum TIFFReadDirEntryErr TIFFRead |
|
111 |
- uint64 offset = direntry->tdir_offset.toff_long8; |
|
112 |
- if (tif->tif_flags&TIFF_SWAB) |
|
113 |
- TIFFSwabLong8(&offset); |
|
114 |
-- err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data); |
|
115 |
-+ if( isMapped(tif) ) |
|
116 |
-+ err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); |
|
117 |
-+ else |
|
118 |
-+ err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); |
|
119 |
- if (err!=TIFFReadDirEntryErrOk) |
|
120 |
- { |
|
121 |
- _TIFFfree(data); |
122 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,25 +0,0 @@ |
1 |
-From f91ca83a21a6a583050e5a5755ce1441b2bf1d7e Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Even Rouault <even.rouault@spatialys.com> |
|
3 |
-Date: Wed, 23 Aug 2017 13:21:41 +0000 |
|
4 |
-Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not |
|
5 |
- finding the SubIFD tag by runtime check. Fixes |
|
6 |
- http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337 |
|
7 |
- |
|
8 |
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c |
|
9 |
-index 38edb3fb..a85f0627 100644 |
|
10 |
-+++ b/libtiff/tif_dirwrite.c |
|
11 |
-@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) |
|
12 |
- TIFFDirEntry* nb; |
|
13 |
- for (na=0, nb=dir; ; na++, nb++) |
|
14 |
- { |
|
15 |
-- assert(na<ndir); |
|
16 |
-+ if( na == ndir ) |
|
17 |
-+ { |
|
18 |
-+ TIFFErrorExt(tif->tif_clientdata,module, |
|
19 |
-+ "Cannot find SubIFD tag"); |
|
20 |
-+ goto bad; |
|
21 |
-+ } |
|
22 |
- if (nb->tdir_tag==TIFFTAG_SUBIFD) |
|
23 |
- break; |
|
24 |
- } |
25 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,28 +0,0 @@ |
1 |
-From b6af137bf9ef852f1a48a50a5afb88f9e9da01cc Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Even Rouault <even.rouault@spatialys.com> |
|
3 |
-Date: Wed, 23 Aug 2017 13:33:42 +0000 |
|
4 |
-Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not |
|
5 |
- fitting on uint32 when selecting the value of SubIFD tag by runtime check (in |
|
6 |
- TIFFWriteDirectoryTagSubifd()). Fixes |
|
7 |
- http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337 |
|
8 |
- |
|
9 |
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c |
|
10 |
-index a85f0627..cad0a498 100644 |
|
11 |
-+++ b/libtiff/tif_dirwrite.c |
|
12 |
-@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) |
|
13 |
- for (p=0; p < tif->tif_dir.td_nsubifd; p++) |
|
14 |
- { |
|
15 |
- assert(pa != 0); |
|
16 |
-- assert(*pa <= 0xFFFFFFFFUL); |
|
17 |
-+ |
|
18 |
-+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ |
|
19 |
-+ if( *pa > 0xFFFFFFFFUL) |
|
20 |
-+ { |
|
21 |
-+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); |
|
22 |
-+ _TIFFfree(o); |
|
23 |
-+ return(0); |
|
24 |
-+ } |
|
25 |
- *pb++=(uint32)(*pa++); |
|
26 |
- } |
|
27 |
- n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); |
28 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,34 +0,0 @@ |
1 |
-From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Even Rouault <even.rouault@spatialys.com> |
|
3 |
-Date: Sun, 31 Dec 2017 15:09:41 +0100 |
|
4 |
-Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770 |
|
5 |
- |
|
6 |
- libtiff/tif_print.c | 8 ++++---- |
|
7 |
- 1 file changed, 4 insertions(+), 4 deletions(-) |
|
8 |
- |
|
9 |
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c |
|
10 |
-index 9959d35..8deceb2 100644 |
|
11 |
-+++ b/libtiff/tif_print.c |
|
12 |
-@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) |
|
13 |
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) |
|
14 |
- fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", |
|
15 |
- (unsigned long) s, |
|
16 |
-- (unsigned __int64) td->td_stripoffset[s], |
|
17 |
-- (unsigned __int64) td->td_stripbytecount[s]); |
|
18 |
-+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, |
|
19 |
-+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); |
|
20 |
- #else |
|
21 |
- fprintf(fd, " %3lu: [%8llu, %8llu]\n", |
|
22 |
- (unsigned long) s, |
|
23 |
-- (unsigned long long) td->td_stripoffset[s], |
|
24 |
-- (unsigned long long) td->td_stripbytecount[s]); |
|
25 |
-+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, |
|
26 |
-+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); |
|
27 |
- #endif |
|
28 |
- } |
|
29 |
- } |
|
30 |
-libgit2 0.26.0 |
|
31 |
- |
32 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,153 +0,0 @@ |
1 |
-From faf20bd484aece918692831da5fad236b983fa08 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Brian May <brian@linuxpenguins.xyz> |
|
3 |
-Date: Thu, 7 Dec 2017 07:46:47 +1100 |
|
4 |
-Subject: [PATCH] Fix CVE-2017-9935 |
|
5 |
- |
|
6 |
-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 |
|
7 |
- |
|
8 |
-This vulnerability - at least for the supplied test case - is because we |
|
9 |
-assume that a tiff will only have one transfer function that is the same |
|
10 |
-for all pages. This is not required by the TIFF standards. |
|
11 |
- |
|
12 |
-We than read the transfer function for every page. Depending on the |
|
13 |
-transfer function, we allocate either 2 or 4 bytes to the XREF buffer. |
|
14 |
-We allocate this memory after we read in the transfer function for the |
|
15 |
-page. |
|
16 |
- |
|
17 |
-For the first exploit - POC1, this file has 3 pages. For the first page |
|
18 |
-we allocate 2 extra extra XREF entries. Then for the next page 2 more |
|
19 |
-entries. Then for the last page the transfer function changes and we |
|
20 |
-allocate 4 more entries. |
|
21 |
- |
|
22 |
-When we read the file into memory, we assume we have 4 bytes extra for |
|
23 |
-each and every page (as per the last transfer function we read). Which |
|
24 |
-is not correct, we only have 2 bytes extra for the first 2 pages. As a |
|
25 |
-result, we end up writing past the end of the buffer. |
|
26 |
- |
|
27 |
-There are also some related issues that this also fixes. For example, |
|
28 |
-TIFFGetField can return uninitalized pointer values, and the logic to |
|
29 |
-detect a N=3 vs N=1 transfer function seemed rather strange. |
|
30 |
- |
|
31 |
-It is also strange that we declare the transfer functions to be of type |
|
32 |
-float, when the standard says they are unsigned 16 bit values. This is |
|
33 |
-fixed in another patch. |
|
34 |
- |
|
35 |
-This patch will check to ensure that the N value for every transfer |
|
36 |
-function is the same for every page. If this changes, we abort with an |
|
37 |
-error. In theory, we should perhaps check that the transfer function |
|
38 |
-itself is identical for every page, however we don't do that due to the |
|
39 |
-confusion of the type of the data in the transfer function. |
|
40 |
- libtiff/tif_dir.c | 3 +++ |
|
41 |
- tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++++++++++++++--------------------- |
|
42 |
- 2 files changed, 47 insertions(+), 21 deletions(-) |
|
43 |
- |
|
44 |
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c |
|
45 |
-index 2ccaf44..cbf2b69 100644 |
|
46 |
-+++ b/libtiff/tif_dir.c |
|
47 |
-@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) |
|
48 |
- if (td->td_samplesperpixel - td->td_extrasamples > 1) { |
|
49 |
- *va_arg(ap, uint16**) = td->td_transferfunction[1]; |
|
50 |
- *va_arg(ap, uint16**) = td->td_transferfunction[2]; |
|
51 |
-+ } else { |
|
52 |
-+ *va_arg(ap, uint16**) = NULL; |
|
53 |
-+ *va_arg(ap, uint16**) = NULL; |
|
54 |
- } |
|
55 |
- break; |
|
56 |
- case TIFFTAG_REFERENCEBLACKWHITE: |
|
57 |
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c |
|
58 |
-index d1a9b09..c3ec074 100644 |
|
59 |
-+++ b/tools/tiff2pdf.c |
|
60 |
-@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ |
|
61 |
- uint16 pagen=0; |
|
62 |
- uint16 paged=0; |
|
63 |
- uint16 xuint16=0; |
|
64 |
-+ uint16 tiff_transferfunctioncount=0; |
|
65 |
-+ float* tiff_transferfunction[3]; |
|
66 |
- |
|
67 |
- directorycount=TIFFNumberOfDirectories(input); |
|
68 |
- t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); |
|
69 |
-@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ |
|
70 |
- } |
|
71 |
- #endif |
|
72 |
- if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, |
|
73 |
-- &(t2p->tiff_transferfunction[0]), |
|
74 |
-- &(t2p->tiff_transferfunction[1]), |
|
75 |
-- &(t2p->tiff_transferfunction[2]))) { |
|
76 |
-- if((t2p->tiff_transferfunction[1] != (float*) NULL) && |
|
77 |
-- (t2p->tiff_transferfunction[2] != (float*) NULL) && |
|
78 |
-- (t2p->tiff_transferfunction[1] != |
|
79 |
-- t2p->tiff_transferfunction[0])) { |
|
80 |
-- t2p->tiff_transferfunctioncount = 3; |
|
81 |
-- t2p->tiff_pages[i].page_extra += 4; |
|
82 |
-- t2p->pdf_xrefcount += 4; |
|
83 |
-- } else { |
|
84 |
-- t2p->tiff_transferfunctioncount = 1; |
|
85 |
-- t2p->tiff_pages[i].page_extra += 2; |
|
86 |
-- t2p->pdf_xrefcount += 2; |
|
87 |
-- } |
|
88 |
-- if(t2p->pdf_minorversion < 2) |
|
89 |
-- t2p->pdf_minorversion = 2; |
|
90 |
-+ &(tiff_transferfunction[0]), |
|
91 |
-+ &(tiff_transferfunction[1]), |
|
92 |
-+ &(tiff_transferfunction[2]))) { |
|
93 |
-+ |
|
94 |
-+ if((tiff_transferfunction[1] != (float*) NULL) && |
|
95 |
-+ (tiff_transferfunction[2] != (float*) NULL) |
|
96 |
-+ ) { |
|
97 |
-+ tiff_transferfunctioncount=3; |
|
98 |
-+ } else { |
|
99 |
-+ tiff_transferfunctioncount=1; |
|
100 |
-+ } |
|
101 |
- } else { |
|
102 |
-- t2p->tiff_transferfunctioncount=0; |
|
103 |
-+ tiff_transferfunctioncount=0; |
|
104 |
- } |
|
105 |
-+ |
|
106 |
-+ if (i > 0){ |
|
107 |
-+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ |
|
108 |
-+ TIFFError( |
|
109 |
-+ TIFF2PDF_MODULE, |
|
110 |
-+ "Different transfer function on page %d", |
|
111 |
-+ i); |
|
112 |
-+ t2p->t2p_error = T2P_ERR_ERROR; |
|
113 |
-+ return; |
|
114 |
-+ } |
|
115 |
-+ } |
|
116 |
-+ |
|
117 |
-+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; |
|
118 |
-+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; |
|
119 |
-+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; |
|
120 |
-+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; |
|
121 |
-+ if(tiff_transferfunctioncount == 3){ |
|
122 |
-+ t2p->tiff_pages[i].page_extra += 4; |
|
123 |
-+ t2p->pdf_xrefcount += 4; |
|
124 |
-+ if(t2p->pdf_minorversion < 2) |
|
125 |
-+ t2p->pdf_minorversion = 2; |
|
126 |
-+ } else if (tiff_transferfunctioncount == 1){ |
|
127 |
-+ t2p->tiff_pages[i].page_extra += 2; |
|
128 |
-+ t2p->pdf_xrefcount += 2; |
|
129 |
-+ if(t2p->pdf_minorversion < 2) |
|
130 |
-+ t2p->pdf_minorversion = 2; |
|
131 |
-+ } |
|
132 |
-+ |
|
133 |
- if( TIFFGetField( |
|
134 |
- input, |
|
135 |
- TIFFTAG_ICCPROFILE, |
|
136 |
-@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ |
|
137 |
- &(t2p->tiff_transferfunction[1]), |
|
138 |
- &(t2p->tiff_transferfunction[2]))) { |
|
139 |
- if((t2p->tiff_transferfunction[1] != (float*) NULL) && |
|
140 |
-- (t2p->tiff_transferfunction[2] != (float*) NULL) && |
|
141 |
-- (t2p->tiff_transferfunction[1] != |
|
142 |
-- t2p->tiff_transferfunction[0])) { |
|
143 |
-+ (t2p->tiff_transferfunction[2] != (float*) NULL) |
|
144 |
-+ ) { |
|
145 |
- t2p->tiff_transferfunctioncount=3; |
|
146 |
- } else { |
|
147 |
- t2p->tiff_transferfunctioncount=1; |
|
148 |
-libgit2 0.26.0 |
|
149 |
- |
150 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,13 +0,0 @@ |
1 |
-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c |
|
2 |
-index 5f5f75e2..c75f31d9 100644 |
|
3 |
-+++ b/libtiff/tif_jbig.c |
|
4 |
-@@ -94,6 +94,7 @@ |
|
5 |
- jbg_strerror(decodeStatus) |
|
6 |
- #endif |
|
7 |
- ); |
|
8 |
-+ jbg_dec_free(&decoder); |
|
9 |
- return 0; |
|
10 |
- } |
|
11 |
- |
|
12 |
- |
13 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,34 @@ |
0 |
+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Even Rouault <even.rouault@spatialys.com> |
|
2 |
+Date: Sun, 31 Dec 2017 15:09:41 +0100 |
|
3 |
+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770 |
|
4 |
+ |
|
5 |
+--- |
|
6 |
+ libtiff/tif_print.c | 8 ++++---- |
|
7 |
+ 1 file changed, 4 insertions(+), 4 deletions(-) |
|
8 |
+ |
|
9 |
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c |
|
10 |
+index 9959d35..8deceb2 100644 |
|
11 |
+--- a/libtiff/tif_print.c |
|
12 |
+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) |
|
13 |
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) |
|
14 |
+ fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", |
|
15 |
+ (unsigned long) s, |
|
16 |
+- (unsigned __int64) td->td_stripoffset[s], |
|
17 |
+- (unsigned __int64) td->td_stripbytecount[s]); |
|
18 |
++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, |
|
19 |
++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); |
|
20 |
+ #else |
|
21 |
+ fprintf(fd, " %3lu: [%8llu, %8llu]\n", |
|
22 |
+ (unsigned long) s, |
|
23 |
+- (unsigned long long) td->td_stripoffset[s], |
|
24 |
+- (unsigned long long) td->td_stripbytecount[s]); |
|
25 |
++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, |
|
26 |
++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); |
|
27 |
+ #endif |
|
28 |
+ } |
|
29 |
+ } |
|
30 |
+-- |
|
31 |
+libgit2 0.26.0 |
|
32 |
+ |
0 | 33 |
deleted file mode 100644 |
... | ... |
@@ -1,66 +0,0 @@ |
1 |
-From 6173a57d39e04d68b139f8c1aa499a24dbe74ba1 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Even Rouault <even.rouault@spatialys.com> |
|
3 |
-Date: Fri, 30 Jun 2017 17:29:44 +0000 |
|
4 |
-Subject: [PATCH] * libtiff/tif_dirwrite.c: in |
|
5 |
- TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 |
|
6 |
- data type, replace assertion that the file is BigTIFF, by a non-fatal error. |
|
7 |
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team |
|
8 |
- OWL337 |
|
9 |
- |
|
10 |
- ChangeLog | 8 ++++++++ |
|
11 |
- libtiff/tif_dirwrite.c | 20 ++++++++++++++++---- |
|
12 |
- 2 files changed, 24 insertions(+), 4 deletions(-) |
|
13 |
- |
|
14 |
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c |
|
15 |
-index 2967da58..8d6686ba 100644 |
|
16 |
-+++ b/libtiff/tif_dirwrite.c |
|
17 |
-@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui |
|
18 |
- { |
|
19 |
- uint64 m; |
|
20 |
- assert(sizeof(uint64)==8); |
|
21 |
-- assert(tif->tif_flags&TIFF_BIGTIFF); |
|
22 |
-+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { |
|
23 |
-+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); |
|
24 |
-+ return(0); |
|
25 |
-+ } |
|
26 |
- m=value; |
|
27 |
- if (tif->tif_flags&TIFF_SWAB) |
|
28 |
- TIFFSwabLong8(&m); |
|
29 |
-@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di |
|
30 |
- { |
|
31 |
- assert(count<0x20000000); |
|
32 |
- assert(sizeof(uint64)==8); |
|
33 |
-- assert(tif->tif_flags&TIFF_BIGTIFF); |
|
34 |
-+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { |
|
35 |
-+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); |
|
36 |
-+ return(0); |
|
37 |
-+ } |
|
38 |
- if (tif->tif_flags&TIFF_SWAB) |
|
39 |
- TIFFSwabArrayOfLong8(value,count); |
|
40 |
- return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); |
|
41 |
-@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u |
|
42 |
- { |
|
43 |
- int64 m; |
|
44 |
- assert(sizeof(int64)==8); |
|
45 |
-- assert(tif->tif_flags&TIFF_BIGTIFF); |
|
46 |
-+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { |
|
47 |
-+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); |
|
48 |
-+ return(0); |
|
49 |
-+ } |
|
50 |
- m=value; |
|
51 |
- if (tif->tif_flags&TIFF_SWAB) |
|
52 |
- TIFFSwabLong8((uint64*)(&m)); |
|
53 |
-@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d |
|
54 |
- { |
|
55 |
- assert(count<0x20000000); |
|
56 |
- assert(sizeof(int64)==8); |
|
57 |
-- assert(tif->tif_flags&TIFF_BIGTIFF); |
|
58 |
-+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { |
|
59 |
-+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); |
|
60 |
-+ return(0); |
|
61 |
-+ } |
|
62 |
- if (tif->tif_flags&TIFF_SWAB) |
|
63 |
- TIFFSwabArrayOfLong8((uint64*)value,count); |
|
64 |
- return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); |
... | ... |
@@ -1,25 +1,16 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 |
-Version: 4.0.8 |
|
4 |
-Release: 8%{?dist} |
|
3 |
+Version: 4.0.9 |
|
4 |
+Release: 1%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.simplesystems.org/libtiff/ |
7 | 7 |
Group: System Environment/Libraries |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz |
11 |
-%define sha1 tiff=88717c97480a7976c94d23b6d9ed4ac74715267f |
|
11 |
+%define sha1 tiff=87d4543579176cc568668617c22baceccd568296 |
|
12 | 12 |
# patches: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ |
13 |
-Patch0: libtiff-4.0.6-CVE-2015-7554.patch |
|
14 |
-Patch1: libtiff-4.0.6-CVE-2015-1547.patch |
|
15 |
-Patch2: libtiff-CVE-2017-10688.patch |
|
16 |
-Patch3: libtiff-4.0.8-CVE-2017-9936.patch |
|
17 |
-Patch4: libtiff-4.0.8-CVE-2017-11335.patch |
|
18 |
-Patch5: libtiff-4.0.8-CVE-2017-12944.patch |
|
19 |
-Patch6: libtiff-4.0.8-CVE-2017-13726.patch |
|
20 |
-Patch7: libtiff-4.0.8-CVE-2017-13727.patch |
|
21 |
-Patch8: libtiff-4.0.8-CVE-2017-9935.patch |
|
22 |
-Patch9: libtiff-4.0.8-CVE-2017-18013.patch |
|
13 |
+Patch0: libtiff-4.0.9-CVE-2017-18013.patch |
|
23 | 14 |
BuildRequires: libjpeg-turbo-devel |
24 | 15 |
Requires: libjpeg-turbo |
25 | 16 |
%description |
... | ... |
@@ -35,15 +26,6 @@ It contains the libraries and header files to create applications |
35 | 35 |
%prep |
36 | 36 |
%setup -q -n tiff-%{version} |
37 | 37 |
%patch0 -p1 |
38 |
-%patch1 -p1 |
|
39 |
-%patch2 -p1 |
|
40 |
-%patch3 -p1 |
|
41 |
-%patch4 -p1 |
|
42 |
-%patch5 -p1 |
|
43 |
-%patch6 -p1 |
|
44 |
-%patch7 -p1 |
|
45 |
-%patch8 -p1 |
|
46 |
-%patch9 -p1 |
|
47 | 38 |
%build |
48 | 39 |
%configure \ |
49 | 40 |
--disable-static |
... | ... |
@@ -77,6 +59,8 @@ make %{?_smp_mflags} -k check |
77 | 77 |
%{_datadir}/man/man3/* |
78 | 78 |
|
79 | 79 |
%changelog |
80 |
+* Wed Jan 17 2018 Dheeraj Shetty <dheerajs@vmware.com> 4.0.9-1 |
|
81 |
+- Updated to version 4.0.9 to fix CVE-2017-11613, CVE-2017-9937, |
|
80 | 82 |
* Fri Jan 12 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-8 |
81 | 83 |
- Added patch for CVE-2017-18013 |
82 | 84 |
* Mon Dec 11 2017 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-7 |
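Review bot: Dropping `Patch8: libtiff-4.0.8-CVE-2017-9935.patch` in the first hunk may reopen CVE-2017-9935: the patch file this commit deletes is dated 7 Dec 2017, which appears to be later than the 4.0.9 release (the CVE-2017-18013 patch from 31 Dec 2017 is kept, presumably for the same reason). Unless the 4.0.9 tarball is confirmed to contain the per-page transfer-function count check in `t2p_read_tiff_init` and the `NULL` assignments in `_TIFFVGetField`, carry the fix forward as a second entry, i.e. a `Patch1:` line for the rebased CVE-2017-9935 patch with a matching `%patch1 -p1` in `%prep`. The new changelog line `- Updated to version 4.0.9 to fix CVE-2017-11613, CVE-2017-9937,` ends on a comma, so the CVE list looks truncated and should be completed. Separately, `%define sha1 tiff=...` pins a tarball fetched from an `http://` Source0 with SHA-1 only; if the build tooling accepts a stronger digest, that would be a better integrity check.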