[arch-commits] Commit in libtiff/trunk (9 files)

Eric Bélanger eric at archlinux.org
Thu Aug 27 05:54:59 UTC 2009


    Date: Thursday, August 27, 2009 @ 01:54:59
  Author: eric
Revision: 50445

upgpkg: libtiff 3.9.0-1
    Upstream update, Updated url, Updated patches

Added:
  libtiff/trunk/tiff-3.9.0-CVE-2009-2347.patch
Modified:
  libtiff/trunk/ChangeLog
  libtiff/trunk/PKGBUILD
Deleted:
  libtiff/trunk/CVE-2006-3459-3465.patch
  libtiff/trunk/tiff-3.8.2-CVE-2008-2327.patch
  libtiff/trunk/tiff-3.8.2-CVE-2009-2347.patch
  libtiff/trunk/tiff2pdf-compression.patch
  libtiff/trunk/tiff2pdf-octal-printf.patch
  libtiff/trunk/tiffsplit-fname-overflow.patch

--------------------------------+
 CVE-2006-3459-3465.patch       |  669 ---------------------------------------
 ChangeLog                      |    7 
 PKGBUILD                       |   31 -
 tiff-3.8.2-CVE-2008-2327.patch |   64 ---
 tiff-3.8.2-CVE-2009-2347.patch |  170 ---------
 tiff-3.9.0-CVE-2009-2347.patch |   29 +
 tiff2pdf-compression.patch     |   44 --
 tiff2pdf-octal-printf.patch    |   11 
 tiffsplit-fname-overflow.patch |   19 -
 9 files changed, 46 insertions(+), 998 deletions(-)

Deleted: CVE-2006-3459-3465.patch
===================================================================
--- CVE-2006-3459-3465.patch	2009-08-26 21:37:43 UTC (rev 50444)
+++ CVE-2006-3459-3465.patch	2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,669 +0,0 @@
-diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
---- tiff-3.8.2/libtiff/tif_dir.c	2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dir.c	2006-07-14 13:52:01.027562000 +0100
-@@ -122,6 +122,7 @@
- {
- 	static const char module[] = "_TIFFVSetField";
- 	
-+	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
- 	TIFFDirectory* td = &tif->tif_dir;
- 	int status = 1;
- 	uint32 v32, i, v;
-@@ -195,10 +196,12 @@
- 		break;
- 	case TIFFTAG_ORIENTATION:
- 		v = va_arg(ap, uint32);
-+		const TIFFFieldInfo* fip;
- 		if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
-+			fip = _TIFFFieldWithTag(tif, tag);
- 			TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- 			    "Bad value %lu for \"%s\" tag ignored",
--			    v, _TIFFFieldWithTag(tif, tag)->field_name);
-+			    v, fip ? fip->field_name : "Unknown");
- 		} else
- 			td->td_orientation = (uint16) v;
- 		break;
-@@ -387,11 +390,15 @@
- 	     * happens, for example, when tiffcp is used to convert between
- 	     * compression schemes and codec-specific tags are blindly copied.
-              */
-+	    /* 
-+	     * better not dereference fip if it is NULL.
-+	     * -- taviso at google.com 15 Jun 2006
-+	     */
-             if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
- 		TIFFErrorExt(tif->tif_clientdata, module,
- 		    "%s: Invalid %stag \"%s\" (not supported by codec)",
- 		    tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
--		    _TIFFFieldWithTag(tif, tag)->field_name);
-+		    fip ? fip->field_name : "Unknown");
- 		status = 0;
- 		break;
-             }
-@@ -468,7 +475,7 @@
- 	    if (fip->field_type == TIFF_ASCII)
- 		    _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
- 	    else {
--                tv->value = _TIFFmalloc(tv_size * tv->count);
-+                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
- 		if (!tv->value) {
- 		    status = 0;
- 		    goto end;
-@@ -563,7 +570,7 @@
-           }
- 	}
- 	if (status) {
--		TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+		TIFFSetFieldBit(tif, fip->field_bit);
- 		tif->tif_flags |= TIFF_DIRTYDIRECT;
- 	}
- 
-@@ -572,12 +579,12 @@
- 	return (status);
- badvalue:
- 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
--		  tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
-+		  tif->tif_name, v, fip ? fip->field_name : "Unknown");
- 	va_end(ap);
- 	return (0);
- badvalue32:
- 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
--		   tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
-+		   tif->tif_name, v32, fip ? fip->field_name : "Unknown");
- 	va_end(ap);
- 	return (0);
- }
-@@ -813,12 +820,16 @@
-              * If the client tries to get a tag that is not valid
-              * for the image's codec then we'll arrive here.
-              */
-+	    /*
-+	     * dont dereference fip if it's NULL.
-+	     * -- taviso at google.com 15 Jun 2006
-+	     */
-             if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
-             {
- 				TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
-                           "%s: Invalid %stag \"%s\" (not supported by codec)",
-                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
--                          _TIFFFieldWithTag(tif, tag)->field_name);
-+                          fip ? fip->field_name : "Unknown");
-                 ret_val = 0;
-                 break;
-             }
-diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
---- tiff-3.8.2/libtiff/tif_dirinfo.c	2006-02-07 13:51:03.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c	2006-07-14 13:52:00.953558000 +0100
-@@ -775,7 +775,8 @@
- 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
- 			  "Internal error, unknown tag 0x%x",
-                           (unsigned int) tag);
--		assert(fip != NULL);
-+		/* assert(fip != NULL); */
-+
- 		/*NOTREACHED*/
- 	}
- 	return (fip);
-@@ -789,7 +790,8 @@
- 	if (!fip) {
- 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
- 			  "Internal error, unknown tag %s", field_name);
--		assert(fip != NULL);
-+		/* assert(fip != NULL); */
-+		
- 		/*NOTREACHED*/
- 	}
- 	return (fip);
-diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
---- tiff-3.8.2/libtiff/tif_dirread.c	2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirread.c	2006-07-14 13:52:00.842557000 +0100
-@@ -29,6 +29,9 @@
-  *
-  * Directory Read Support Routines.
-  */
-+
-+#include <limits.h>
-+
- #include "tiffiop.h"
- 
- #define	IGNORE	0		/* tag placeholder used below */
-@@ -81,6 +84,7 @@
- 	uint16 dircount;
- 	toff_t nextdiroff;
- 	int diroutoforderwarning = 0;
-+	int compressionknown = 0;
- 	toff_t* new_dirlist;
- 
- 	tif->tif_diroff = tif->tif_nextdiroff;
-@@ -147,13 +151,20 @@
- 	} else {
- 		toff_t off = tif->tif_diroff;
- 
--		if (off + sizeof (uint16) > tif->tif_size) {
--			TIFFErrorExt(tif->tif_clientdata, module,
--			    "%s: Can not read TIFF directory count",
--                            tif->tif_name);
--			return (0);
-+		/*
-+		 * Check for integer overflow when validating the dir_off, otherwise
-+		 * a very high offset may cause an OOB read and crash the client.
-+		 * -- taviso at google.com, 14 Jun 2006.
-+		 */
-+		if (off + sizeof (uint16) > tif->tif_size || 
-+			off > (UINT_MAX - sizeof(uint16))) {
-+				TIFFErrorExt(tif->tif_clientdata, module,
-+				    "%s: Can not read TIFF directory count",
-+				    tif->tif_name);
-+				return (0);
- 		} else
--			_TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
-+			_TIFFmemcpy(&dircount, tif->tif_base + off,
-+					sizeof (uint16));
- 		off += sizeof (uint16);
- 		if (tif->tif_flags & TIFF_SWAB)
- 			TIFFSwabShort(&dircount);
-@@ -254,6 +265,7 @@
- 		while (fix < tif->tif_nfields &&
- 		       tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- 			fix++;
-+
- 		if (fix >= tif->tif_nfields ||
- 		    tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
- 
-@@ -264,17 +276,23 @@
- 						       dp->tdir_tag,
- 						       dp->tdir_tag,
- 						       dp->tdir_type);
--
--                    TIFFMergeFieldInfo(tif,
--                                       _TIFFCreateAnonFieldInfo(tif,
--						dp->tdir_tag,
--						(TIFFDataType) dp->tdir_type),
--				       1 );
-+					/*
-+					 * creating anonymous fields prior to knowing the compression
-+					 * algorithm (ie, when the field info has been merged) could cause
-+					 * crashes with pathological directories.
-+					 * -- taviso at google.com 15 Jun 2006
-+					 */
-+					if (compressionknown)
-+			                    TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
-+						(TIFFDataType) dp->tdir_type), 1 );
-+					else goto ignore;
-+		    
-                     fix = 0;
-                     while (fix < tif->tif_nfields &&
-                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- 			fix++;
- 		}
-+		
- 		/*
- 		 * Null out old tags that we ignore.
- 		 */
-@@ -326,6 +344,7 @@
- 				    dp->tdir_type, dp->tdir_offset);
- 				if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
- 					goto bad;
-+				else compressionknown++;
- 				break;
- 			/* XXX: workaround for broken TIFFs */
- 			} else if (dp->tdir_type == TIFF_LONG) {
-@@ -540,6 +559,7 @@
- 	 * Attempt to deal with a missing StripByteCounts tag.
- 	 */
- 	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
-+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- 		/*
- 		 * Some manufacturers violate the spec by not giving
- 		 * the size of the strips.  In this case, assume there
-@@ -556,7 +576,7 @@
- 			"%s: TIFF directory is missing required "
- 			"\"%s\" field, calculating from imagelength",
- 			tif->tif_name,
--		        _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+		        fip ? fip->field_name : "Unknown");
- 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- 		    goto bad;
- /* 
-@@ -580,6 +600,7 @@
- 	} else if (td->td_nstrips == 1 
-                    && td->td_stripoffset[0] != 0 
-                    && BYTECOUNTLOOKSBAD) {
-+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- 		/*
- 		 * XXX: Plexus (and others) sometimes give a value of zero for
- 		 * a tag when they don't know what the correct value is!  Try
-@@ -589,13 +610,14 @@
- 		TIFFWarningExt(tif->tif_clientdata, module,
- 	"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
-                             tif->tif_name,
--		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+		            fip ? fip->field_name : "Unknown");
- 		if(EstimateStripByteCounts(tif, dir, dircount) < 0)
- 		    goto bad;
- 	} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
- 		   && td->td_nstrips > 2
- 		   && td->td_compression == COMPRESSION_NONE
- 		   && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
-+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- 		/*
- 		 * XXX: Some vendors fill StripByteCount array with absolutely
- 		 * wrong values (it can be equal to StripOffset array, for
-@@ -604,7 +626,7 @@
- 		TIFFWarningExt(tif->tif_clientdata, module,
- 	"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
-                             tif->tif_name,
--		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+		            fip ? fip->field_name : "Unknown");
- 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- 		    goto bad;
- 	}
-@@ -870,7 +892,13 @@
- 
- 	register TIFFDirEntry *dp;
- 	register TIFFDirectory *td = &tif->tif_dir;
--	uint16 i;
-+	
-+	/* i is used to iterate over td->td_nstrips, so must be
-+	 * at least the same width.
-+	 * -- taviso at google.com 15 Jun 2006
-+	 */
-+
-+	uint32 i;
- 
- 	if (td->td_stripbytecount)
- 		_TIFFfree(td->td_stripbytecount);
-@@ -947,16 +975,18 @@
- static int
- CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
- {
-+	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+
- 	if (count > dir->tdir_count) {
- 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
--		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+		    fip ? fip->field_name : "Unknown",
- 		    dir->tdir_count, count);
- 		return (0);
- 	} else if (count < dir->tdir_count) {
- 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
--		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+		    fip ? fip->field_name : "Unknown",
- 		    dir->tdir_count, count);
- 		return (1);
- 	}
-@@ -970,6 +1000,7 @@
- TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
- {
- 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
-+	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- 	tsize_t cc = dir->tdir_count * w;
- 
- 	/* Check for overflow. */
-@@ -1013,7 +1044,7 @@
- bad:
- 	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- 		     "Error fetching data for field \"%s\"",
--		     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+		     fip ? fip->field_name : "Unknown");
- 	return (tsize_t) 0;
- }
- 
-@@ -1039,10 +1070,12 @@
- static int
- cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
- {
-+	const TIFFFieldInfo* fip;
- 	if (denom == 0) {
-+		fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- 		    "%s: Rational with zero denominator (num = %lu)",
--		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
-+		    fip ? fip->field_name : "Unknown", num);
- 		return (0);
- 	} else {
- 		if (dir->tdir_type == TIFF_RATIONAL)
-@@ -1159,6 +1192,20 @@
- static int
- TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
- {
-+	/*
-+	 * Prevent overflowing the v stack arrays below by performing a sanity
-+	 * check on tdir_count, this should never be greater than two.
-+	 * -- taviso at google.com 14 Jun 2006.
-+	 */
-+	if (dir->tdir_count > 2) {
-+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
-+				"unexpected count for field \"%s\", %lu, expected 2; ignored.",
-+				fip ? fip->field_name : "Unknown",
-+				dir->tdir_count);
-+		return 0;
-+	}
-+
- 	switch (dir->tdir_type) {
- 		case TIFF_BYTE:
- 		case TIFF_SBYTE:
-@@ -1329,14 +1376,15 @@
- 	case TIFF_DOUBLE:
- 		return (TIFFFetchDoubleArray(tif, dir, (double*) v));
- 	default:
-+		{ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- 		/* TIFF_NOTYPE */
- 		/* TIFF_ASCII */
- 		/* TIFF_UNDEFINED */
- 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- 			     "cannot read TIFF_ANY type %d for field \"%s\"",
- 			     dir->tdir_type,
--			     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
--		return (0);
-+			     fip ? fip->field_name : "Unknown");
-+		return (0); }
- 	}
- 	return (1);
- }
-@@ -1351,6 +1399,9 @@
- 	int ok = 0;
- 	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
- 
-+	if (fip == NULL) {
-+		return (0);
-+	}
- 	if (dp->tdir_count > 1) {		/* array of values */
- 		char* cp = NULL;
- 
-@@ -1493,6 +1544,7 @@
- TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
- {
-     uint16 samples = tif->tif_dir.td_samplesperpixel;
-+    const TIFFFieldInfo* fip;
-     int status = 0;
- 
-     if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1510,9 +1562,10 @@
- 
-             for (i = 1; i < check_count; i++)
-                 if (v[i] != v[0]) {
-+				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                               "Cannot handle different per-sample values for field \"%s\"",
--                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+                              fip ? fip->field_name : "Unknown");
-                     goto bad;
-                 }
-             *pl = v[0];
-@@ -1534,6 +1587,7 @@
- TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
- {
-     uint16 samples = tif->tif_dir.td_samplesperpixel;
-+    const TIFFFieldInfo* fip;
-     int status = 0;
- 
-     if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1551,9 +1605,10 @@
-                 check_count = samples;
-             for (i = 1; i < check_count; i++)
-                 if (v[i] != v[0]) {
-+				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                               "Cannot handle different per-sample values for field \"%s\"",
--                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+                              fip ? fip->field_name : "Unknown");
-                     goto bad;
-                 }
-             *pl = v[0];
-@@ -1574,6 +1629,7 @@
- TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
- {
-     uint16 samples = tif->tif_dir.td_samplesperpixel;
-+    const TIFFFieldInfo* fip;
-     int status = 0;
- 
-     if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1591,9 +1647,10 @@
- 
-             for (i = 1; i < check_count; i++)
-                 if (v[i] != v[0]) {
-+		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-                     TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                               "Cannot handle different per-sample values for field \"%s\"",
--                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+                              fip ? fip->field_name : "Unknown");
-                     goto bad;
-                 }
-             *pl = v[0];
-diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
---- tiff-3.8.2/libtiff/tif_fax3.c	2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_fax3.c	2006-07-14 13:52:00.669557000 +0100
-@@ -1136,6 +1136,7 @@
- Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
- {
- 	Fax3BaseState* sp = Fax3State(tif);
-+	const TIFFFieldInfo* fip;
- 
- 	assert(sp != 0);
- 	assert(sp->vsetparent != 0);
-@@ -1181,7 +1182,13 @@
- 	default:
- 		return (*sp->vsetparent)(tif, tag, ap);
- 	}
--	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+	
-+	if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+		TIFFSetFieldBit(tif, fip->field_bit);
-+	} else {
-+		return (0);
-+	}
-+
- 	tif->tif_flags |= TIFF_DIRTYDIRECT;
- 	return (1);
- }
-diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
---- tiff-3.8.2/libtiff/tif_jpeg.c	2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c	2006-07-14 13:52:00.655560000 +0100
-@@ -722,15 +722,31 @@
- 		segment_width = TIFFhowmany(segment_width, sp->h_sampling);
- 		segment_height = TIFFhowmany(segment_height, sp->v_sampling);
- 	}
--	if (sp->cinfo.d.image_width != segment_width ||
--	    sp->cinfo.d.image_height != segment_height) {
-+	if (sp->cinfo.d.image_width < segment_width ||
-+	    sp->cinfo.d.image_height < segment_height) {
- 		TIFFWarningExt(tif->tif_clientdata, module,
-                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
-                           segment_width, 
-                           segment_height,
-                           sp->cinfo.d.image_width, 
-                           sp->cinfo.d.image_height);
-+	} 
-+	
-+	if (sp->cinfo.d.image_width > segment_width ||
-+			sp->cinfo.d.image_height > segment_height) {
-+		/*
-+		 * This case could be dangerous, if the strip or tile size has been
-+		 * reported as less than the amount of data jpeg will return, some
-+		 * potential security issues arise. Catch this case and error out.
-+		 * -- taviso at google.com 14 Jun 2006
-+		 */
-+		TIFFErrorExt(tif->tif_clientdata, module, 
-+			"JPEG strip/tile size exceeds expected dimensions,"
-+			"expected %dx%d, got %dx%d", segment_width, segment_height,
-+			sp->cinfo.d.image_width, sp->cinfo.d.image_height);
-+		return (0);
- 	}
-+
- 	if (sp->cinfo.d.num_components !=
- 	    (td->td_planarconfig == PLANARCONFIG_CONTIG ?
- 	     td->td_samplesperpixel : 1)) {
-@@ -761,6 +777,22 @@
-                                     sp->cinfo.d.comp_info[0].v_samp_factor,
-                                     sp->h_sampling, sp->v_sampling);
- 
-+				/*
-+				 * There are potential security issues here for decoders that
-+				 * have already allocated buffers based on the expected sampling
-+				 * factors. Lets check the sampling factors dont exceed what
-+				 * we were expecting.
-+				 * -- taviso at google.com 14 June 2006
-+				 */
-+				if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
-+					sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
-+						TIFFErrorExt(tif->tif_clientdata, module,
-+							"Cannot honour JPEG sampling factors that"
-+							" exceed those specified.");
-+						return (0);
-+				}
-+
-+
- 			    /*
- 			     * XXX: Files written by the Intergraph software
- 			     * has different sampling factors stored in the
-@@ -1521,15 +1553,18 @@
- {
- 	JPEGState *sp = JState(tif);
- 	
--	assert(sp != 0);
-+	/* assert(sp != 0); */
- 
- 	tif->tif_tagmethods.vgetfield = sp->vgetparent;
- 	tif->tif_tagmethods.vsetfield = sp->vsetparent;
- 
--	if( sp->cinfo_initialized )
--	    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
--	if (sp->jpegtables)		/* tag value */
--		_TIFFfree(sp->jpegtables);
-+	if (sp != NULL) {
-+		if( sp->cinfo_initialized )
-+		    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
-+		if (sp->jpegtables)		/* tag value */
-+			_TIFFfree(sp->jpegtables);
-+	}
-+
- 	_TIFFfree(tif->tif_data);	/* release local state */
- 	tif->tif_data = NULL;
- 
-@@ -1541,6 +1576,7 @@
- {
- 	JPEGState* sp = JState(tif);
- 	TIFFDirectory* td = &tif->tif_dir;
-+	const TIFFFieldInfo* fip;
- 	uint32 v32;
- 
- 	assert(sp != NULL);
-@@ -1606,7 +1642,13 @@
- 	default:
- 		return (*sp->vsetparent)(tif, tag, ap);
- 	}
--	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+	if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+		TIFFSetFieldBit(tif, fip->field_bit);
-+	} else {
-+		return (0);
-+	}
-+
- 	tif->tif_flags |= TIFF_DIRTYDIRECT;
- 	return (1);
- }
-@@ -1726,7 +1768,11 @@
- {
- 	JPEGState* sp = JState(tif);
- 
--	assert(sp != NULL);
-+	/* assert(sp != NULL); */
-+	if (sp == NULL) {
-+		TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
-+		return;
-+	}
- 
- 	(void) flags;
- 	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
-diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
---- tiff-3.8.2/libtiff/tif_next.c	2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_next.c	2006-07-14 13:52:00.556567000 +0100
-@@ -105,11 +105,16 @@
- 			 * as codes of the form <color><npixels>
- 			 * until we've filled the scanline.
- 			 */
-+			/*
-+			 * Ensure the run does not exceed the scanline
-+			 * bounds, potentially resulting in a security issue.
-+			 * -- taviso at google.com 14 Jun 2006.
-+			 */
- 			op = row;
- 			for (;;) {
- 				grey = (n>>6) & 0x3;
- 				n &= 0x3f;
--				while (n-- > 0)
-+				while (n-- > 0 && npixels < imagewidth)
- 					SETPIXEL(op, grey);
- 				if (npixels >= (int) imagewidth)
- 					break;
-diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
---- tiff-3.8.2/libtiff/tif_pixarlog.c	2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c	2006-07-14 13:52:00.483557000 +0100
-@@ -768,7 +768,19 @@
- 	if (tif->tif_flags & TIFF_SWAB)
- 		TIFFSwabArrayOfShort(up, nsamples);
- 
--	for (i = 0; i < nsamples; i += llen, up += llen) {
-+	/* 
-+	 * if llen is not an exact multiple of nsamples, the decode operation
-+	 * may overflow the output buffer, so truncate it enough to prevent that
-+	 * but still salvage as much data as possible.
-+	 * -- taviso at google.com 14th June 2006
-+	 */
-+	if (nsamples % llen) 
-+		TIFFWarningExt(tif->tif_clientdata, module,
-+				"%s: stride %lu is not a multiple of sample count, "
-+				"%lu, data truncated.", tif->tif_name, llen, nsamples);
-+				
-+	
-+	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
- 		switch (sp->user_datafmt)  {
- 		case PIXARLOGDATAFMT_FLOAT:
- 			horizontalAccumulateF(up, llen, sp->stride,
-diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
---- tiff-3.8.2/libtiff/tif_read.c	2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_read.c	2006-07-14 13:52:00.467568000 +0100
-@@ -31,6 +31,8 @@
- #include "tiffiop.h"
- #include <stdio.h>
- 
-+#include <limits.h>
-+
- 	int TIFFFillStrip(TIFF*, tstrip_t);
- 	int TIFFFillTile(TIFF*, ttile_t);
- static	int TIFFStartStrip(TIFF*, tstrip_t);
-@@ -272,7 +274,13 @@
- 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- 			_TIFFfree(tif->tif_rawdata);
- 		tif->tif_flags &= ~TIFF_MYBUFFER;
--		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
-+		/*
-+		 * This sanity check could potentially overflow, causing an OOB read.
-+		 * verify that offset + bytecount is > offset.
-+		 * -- taviso at google.com 14 Jun 2006
-+		 */
-+		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
-+			bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
- 			/*
- 			 * This error message might seem strange, but it's
- 			 * what would happen if a read were done instead.
-@@ -470,7 +478,13 @@
- 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- 			_TIFFfree(tif->tif_rawdata);
- 		tif->tif_flags &= ~TIFF_MYBUFFER;
--		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
-+		/*
-+		 * We must check this calculation doesnt overflow, potentially
-+		 * causing an OOB read.
-+		 * -- taviso at google.com 15 Jun 2006
-+		 */
-+		if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
-+			bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
- 			tif->tif_curtile = NOTILE;
- 			return (0);
- 		}

Modified: ChangeLog
===================================================================
--- ChangeLog	2009-08-26 21:37:43 UTC (rev 50444)
+++ ChangeLog	2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,3 +1,10 @@
+2009-08-26  Eric Belanger  <eric at archlinux.org>
+
+	* libtiff 3.9.0-1
+	* Upstream update
+	* Updated url
+	* Updated patches
+
 2009-08-14  Eric Belanger  <eric at archlinux.org>
 
 	* libtiff 3.8.2-6

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2009-08-26 21:37:43 UTC (rev 50444)
+++ PKGBUILD	2009-08-27 05:54:59 UTC (rev 50445)
@@ -3,39 +3,28 @@
 # Contributor: dorphell <dorphell at archlinux.org>
 
 pkgname=libtiff
-pkgver=3.8.2
-pkgrel=6
+pkgver=3.9.0
+pkgrel=1
 pkgdesc="Library for manipulation of TIFF images"
 arch=('i686' 'x86_64')
-url="http://www.libtiff.org/"
+url="http://www.remotesensing.org/libtiff/"
 license=('custom')
 depends=('libjpeg>=7' 'zlib')
 makedepends=('libgl' 'freeglut' 'libxmu' 'libxi')
 optdepends=('freeglut: for using tiffgt')
 options=('!libtool')
 source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-${pkgver}.tar.gz \
-	tiff2pdf-octal-printf.patch tiffsplit-fname-overflow.patch \
-	CVE-2006-3459-3465.patch tiff2pdf-compression.patch \
-        tiff-3.8.2-CVE-2008-2327.patch libtiff-CVE-2009-2285.patch \
-        tiff-3.8.2-CVE-2009-2347.patch)
-md5sums=('fbb6f446ea4ed18955e2714934e5b698' 'd54368687d2645ffbbe6c2df384b11bf'\
-         '323352fd60a7bd3ffac8724c3c031669' '624d3067e6a4c0680767eb62253ea980'\
-         'b443ffca9d498bb3a88c17da0200025b' 'c2c2e22557d9c63011df5777dda6a86b'\
-         'ff61077408727a82281f77a94f555e2a' 'd3b02693cca83e63005b162edd43016b')
-sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb' 'c79245249634a121bfaff6cfecb763f72fe7f8eb'\
-         'dc86bb68c7831ff70ff01d952d553be9f986be46' '85dc50a60a10025757e249d869dab7eb73ba6e3c'\
-         '508751f55131356ea8a7e7c4994ffbc9bd881769' '1da2ec6a47c0666cad9d07fb8427c1c75ca27b10'\
-         'eadce8c8bd72ea9c74f35300bf299131813b0c8b' '3017201b7f500389acfa775479a6fdd069e9a099')
+         libtiff-CVE-2009-2285.patch \
+        tiff-3.9.0-CVE-2009-2347.patch)
+md5sums=('74c0072edc1ac8ca6b8af009a31151e5' 'ff61077408727a82281f77a94f555e2a'\
+         '867fa3ec83e748abf247f9706ef13f9a')
+sha1sums=('e525879da8416e00ccd58617b2850341a429e23c' 'eadce8c8bd72ea9c74f35300bf299131813b0c8b'\
+         'cf8b68ed8f218d2429ab296c2033dc0292efe299')
 
 build() {
   cd "${srcdir}/tiff-${pkgver}"
-  patch -p1 < ../tiff2pdf-octal-printf.patch || return 1
-  patch -p1 < ../tiffsplit-fname-overflow.patch || return 1
-  patch -p1 < ../CVE-2006-3459-3465.patch || return 1
-  patch -p1 < ../tiff2pdf-compression.patch || return 1
-  patch -p1 < ../tiff-3.8.2-CVE-2008-2327.patch || return 1
   patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1
-  patch -p1 < ../tiff-3.8.2-CVE-2009-2347.patch || return 1
+  patch -p0 < ../tiff-3.9.0-CVE-2009-2347.patch || return 1
   ./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man || return 1
   make || return 1
   make DESTDIR="${pkgdir}" install || return 1

Deleted: tiff-3.8.2-CVE-2008-2327.patch
===================================================================
--- tiff-3.8.2-CVE-2008-2327.patch	2009-08-26 21:37:43 UTC (rev 50444)
+++ tiff-3.8.2-CVE-2008-2327.patch	2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,64 +0,0 @@
-Fixes security issues in libTIFF's handling of LZW-encoded
-images.  The use of uninitialized data could lead to a buffer
-underflow and a crash or arbitrary code execution.
-
-CVE-ID: CVE-2008-2327
-Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
-
-Index: tiff-3.8.2/libtiff/tif_lzw.c
-===================================================================
---- tiff-3.8.2.orig/libtiff/tif_lzw.c
-+++ tiff-3.8.2/libtiff/tif_lzw.c
-@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
-                     sp->dec_codetab[code].length = 1;
-                     sp->dec_codetab[code].next = NULL;
-                 } while (code--);
-+		/*
-+		* Zero-out the unused entries
-+		*/
-+		_TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
-+		(CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
-+
- 	}
- 	return (1);
- }
-@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
- 			break;
- 		if (code == CODE_CLEAR) {
- 			free_entp = sp->dec_codetab + CODE_FIRST;
-+			_TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- 			nbits = BITS_MIN;
- 			nbitsmask = MAXCODE(BITS_MIN);
- 			maxcodep = sp->dec_codetab + nbitsmask-1;
- 			NextCode(tif, sp, bp, code, GetNextCode);
- 			if (code == CODE_EOI)
- 				break;
-+			if (code == CODE_CLEAR) {
-+				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+				"LZWDecode: Corrupted LZW table at scanline %d",
-+				tif->tif_row);
-+				return (0);
-+			}
- 			*op++ = (char)code, occ--;
- 			oldcodep = sp->dec_codetab + code;
- 			continue;
-@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
- 			break;
- 		if (code == CODE_CLEAR) {
- 			free_entp = sp->dec_codetab + CODE_FIRST;
-+			_TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- 			nbits = BITS_MIN;
- 			nbitsmask = MAXCODE(BITS_MIN);
- 			maxcodep = sp->dec_codetab + nbitsmask;
- 			NextCode(tif, sp, bp, code, GetNextCodeCompat);
- 			if (code == CODE_EOI)
- 				break;
-+			if (code == CODE_CLEAR) {
-+				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+				"LZWDecode: Corrupted LZW table at scanline %d",
-+				tif->tif_row);
-+				return (0);
-+			}
- 			*op++ = code, occ--;
- 			oldcodep = sp->dec_codetab + code;
- 			continue;

Deleted: tiff-3.8.2-CVE-2009-2347.patch
===================================================================
--- tiff-3.8.2-CVE-2009-2347.patch	2009-08-26 21:37:43 UTC (rev 50444)
+++ tiff-3.8.2-CVE-2009-2347.patch	2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,170 +0,0 @@
-Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
-possible integer overflow in calculation of buffer sizes.
-
-CVE-2009-2347
-
-
-diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
---- tiff-3.8.2.orig/tools/rgb2ycbcr.c	2004-09-03 03:57:13.000000000 -0400
-+++ tiff-3.8.2/tools/rgb2ycbcr.c	2009-07-10 17:12:32.000000000 -0400
-@@ -202,6 +202,17 @@
- #undef LumaBlue
- #undef V2Code
- 
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+    tsize_t prod = m1 * m2;
-+
-+    if (m1 && prod / m1 != m2)
-+        prod = 0;		/* overflow */
-+
-+    return prod;
-+}
-+
- /*
-  * Convert a strip of RGB data to YCbCr and
-  * sample to generate the output data.
-@@ -278,10 +289,19 @@
- 	float floatv;
- 	char *stringv;
- 	uint32 longv;
-+	tsize_t raster_size;
- 
- 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
--	raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+
-+	raster_size = multiply(multiply(width, height), sizeof (uint32));
-+	if (!raster_size) {
-+		TIFFError(TIFFFileName(in),
-+			  "Can't allocate buffer for raster of size %lux%lu",
-+			  (unsigned long) width, (unsigned long) height);
-+		return (0);
-+	}
-+	raster = (uint32*)_TIFFmalloc(raster_size);
- 	if (raster == 0) {
- 		TIFFError(TIFFFileName(in), "No space for raster buffer");
- 		return (0);
-diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
---- tiff-3.8.2.orig/tools/tiff2rgba.c	2004-11-07 06:08:37.000000000 -0500
-+++ tiff-3.8.2/tools/tiff2rgba.c	2009-07-10 17:06:42.000000000 -0400
-@@ -124,6 +124,17 @@
-     return (0);
- }
- 
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+    tsize_t prod = m1 * m2;
-+
-+    if (m1 && prod / m1 != m2)
-+        prod = 0;		/* overflow */
-+
-+    return prod;
-+}
-+
- static int
- cvt_by_tile( TIFF *in, TIFF *out )
- 
-@@ -133,6 +144,7 @@
-     uint32  tile_width, tile_height;
-     uint32  row, col;
-     uint32  *wrk_line;
-+    tsize_t raster_size;
-     int	    ok = 1;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -150,7 +162,14 @@
-     /*
-      * Allocate tile buffer
-      */
--    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+    raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
-+    if (!raster_size) {
-+	TIFFError(TIFFFileName(in),
-+		  "Can't allocate buffer for raster of size %lux%lu",
-+		  (unsigned long) tile_width, (unsigned long) tile_height);
-+	return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -158,7 +177,7 @@
- 
-     /*
-      * Allocate a scanline buffer for swapping during the vertical
--     * mirroring pass.
-+     * mirroring pass.  (Request can't overflow given prior checks.)
-      */
-     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-     if (!wrk_line) {
-@@ -226,6 +245,7 @@
-     uint32  width, height;		/* image width & height */
-     uint32  row;
-     uint32  *wrk_line;
-+    tsize_t raster_size;
-     int	    ok = 1;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -241,7 +261,14 @@
-     /*
-      * Allocate strip buffer
-      */
--    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
-+    if (!raster_size) {
-+	TIFFError(TIFFFileName(in),
-+		  "Can't allocate buffer for raster of size %lux%lu",
-+		  (unsigned long) width, (unsigned long) rowsperstrip);
-+	return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -249,7 +276,7 @@
- 
-     /*
-      * Allocate a scanline buffer for swapping during the vertical
--     * mirroring pass.
-+     * mirroring pass.  (Request can't overflow given prior checks.)
-      */
-     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-     if (!wrk_line) {
-@@ -328,14 +355,22 @@
-     uint32* raster;			/* retrieve RGBA image */
-     uint32  width, height;		/* image width & height */
-     uint32  row;
--        
-+    tsize_t raster_size;
-+
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- 
-     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
-     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- 
--    raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+    raster_size = multiply(multiply(width, height), sizeof (uint32));
-+    if (!raster_size) {
-+	TIFFError(TIFFFileName(in),
-+		  "Can't allocate buffer for raster of size %lux%lu",
-+		  (unsigned long) width, (unsigned long) height);
-+	return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -353,7 +388,7 @@
-     */
-     if( no_alpha )
-     {
--        int	pixel_count = width * height;
-+        tsize_t  pixel_count = (tsize_t) width * (tsize_t) height;
-         unsigned char *src, *dst;
- 
-         src = (unsigned char *) raster;
-

Added: tiff-3.9.0-CVE-2009-2347.patch
===================================================================
--- tiff-3.9.0-CVE-2009-2347.patch	                        (rev 0)
+++ tiff-3.9.0-CVE-2009-2347.patch	2009-08-27 05:54:59 UTC (rev 50445)
@@ -0,0 +1,29 @@
+--- tools/tiff2rgba.c.orig	2009-08-27 00:05:33.000000000 -0400
++++ tools/tiff2rgba.c	2009-08-27 00:23:44.000000000 -0400
+@@ -236,6 +236,7 @@
+     uint32  width, height;		/* image width & height */
+     uint32  row;
+     uint32  *wrk_line;
++    size_t pixel_count;
+     int	    ok = 1;
+ 
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -251,7 +252,17 @@
+     /*
+      * Allocate strip buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++   pixel_count = width * rowsperstrip;
++
++    /* XXX: Check the integer overflow. */
++    if (!width || !rowsperstrip || pixel_count / width != rowsperstrip) {
++        TIFFError(TIFFFileName(in),
++		  "Malformed input file; can't allocate buffer for raster of %lux%lu size",
++		  (unsigned long)width, (unsigned long)rowsperstrip);
++        return 0;
++    }
++
++   raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);

Deleted: tiff2pdf-compression.patch
===================================================================
--- tiff2pdf-compression.patch	2009-08-26 21:37:43 UTC (rev 50444)
+++ tiff2pdf-compression.patch	2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,44 +0,0 @@
---- tiff-3.8.2/tools/tiff2pdf.c	8 Jun 2006 11:27:11 -0000	1.35
-+++ tiff-3.8.2/tools/tiff2pdf.c	19 Jun 2006 20:12:08 -0000	1.36
-@@ -937,7 +937,7 @@
- 
- #ifdef JPEG_SUPPORT
- 	if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){
--		if(t2p->pdf_defaultcompressionquality<100 ||
-+		if(t2p->pdf_defaultcompressionquality>100 ||
- 			t2p->pdf_defaultcompressionquality<1){
- 			t2p->pdf_defaultcompressionquality=0;
- 		}
-@@ -945,25 +945,17 @@
- #endif
- #ifdef ZIP_SUPPORT
- 	if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){
--		switch (t2p->pdf_defaultcompressionquality){
--			case 1: case 10: case 11: case 12: case 13: case 14: case 15:
--			case 101: case 110: case 111: case 112: case 113: case 114: case 115:
--			case 201: case 210: case 211: case 212: case 213: case 214: case 215:
--			case 301: case 310: case 311: case 312: case 313: case 314: case 315:
--			case 401: case 410: case 411: case 412: case 413: case 414: case 415:
--			case 501: case 510: case 511: case 512: case 513: case 514: case 515:
--			case 601: case 610: case 611: case 612: case 613: case 614: case 615:
--			case 701: case 710: case 711: case 712: case 713: case 714: case 715:
--			case 801: case 810: case 811: case 812: case 813: case 814: case 815:
--			case 901: case 910: case 911: case 912: case 913: case 914: case 915:
--				break;
--			default:
--				t2p->pdf_defaultcompressionquality=0;
-+ 		uint16 m=t2p->pdf_defaultcompressionquality%100;
-+ 		if(t2p->pdf_defaultcompressionquality/100 > 9 ||
-+ 			(m>1 && m<10) || m>15){
-+ 			t2p->pdf_defaultcompressionquality=0;
- 		}
- 		if(t2p->pdf_defaultcompressionquality%100 !=0){
-+ 			t2p->pdf_defaultcompressionquality/=100;
-+ 			t2p->pdf_defaultcompressionquality*=100;
- 			TIFFError(
- 				TIFF2PDF_MODULE, 
--				"PNG Group predictor differencing not implemented, assuming compresion quality %u", 
-+				"PNG Group predictor differencing not implemented, assuming compression quality %u", 
- 				t2p->pdf_defaultcompressionquality);
- 		}
- 		t2p->pdf_defaultcompressionquality%=100;

Deleted: tiff2pdf-octal-printf.patch
===================================================================
--- tiff2pdf-octal-printf.patch	2009-08-26 21:37:43 UTC (rev 50444)
+++ tiff2pdf-octal-printf.patch	2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,11 +0,0 @@
---- tiff-3.8.2/tools/tiff2pdf.c.orig	2006-03-21 11:42:51.000000000 -0500
-+++ tiff-3.8.2/tools/tiff2pdf.c	2006-06-07 17:54:01.027637232 -0400
-@@ -3668,7 +3668,7 @@
- 	written += TIFFWriteFile(output, (tdata_t) "(", 1);
- 	for (i=0;i<len;i++){
- 		if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
--			sprintf(buffer, "\\%.3o", pdfstr[i]);
-+			sprintf(buffer, "\\%.3hho", pdfstr[i]);
- 			written += TIFFWriteFile(output, (tdata_t) buffer, 4);
- 		} else {
- 			switch (pdfstr[i]){

Deleted: tiffsplit-fname-overflow.patch
===================================================================
--- tiffsplit-fname-overflow.patch	2009-08-26 21:37:43 UTC (rev 50444)
+++ tiffsplit-fname-overflow.patch	2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,19 +0,0 @@
---- tiff-3.8.2/tools/tiffsplit.c.orig	2005-12-07 04:48:33.000000000 -0500
-+++ tiff-3.8.2/tools/tiffsplit.c	2006-06-01 21:20:25.039944864 -0400
-@@ -61,14 +61,13 @@
- 		return (-3);
- 	}
- 	if (argc > 2)
--		strcpy(fname, argv[2]);
-+		snprintf(fname, sizeof(fname), "%s", argv[2]);
- 	in = TIFFOpen(argv[1], "r");
- 	if (in != NULL) {
- 		do {
- 			char path[1024+1];
- 			newfilename();
--			strcpy(path, fname);
--			strcat(path, ".tif");
-+			snprintf(path, sizeof(path), "%s.tif", fname);
- 			out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
- 			if (out == NULL)
- 				return (-2);




More information about the arch-commits mailing list