[arch-commits] Commit in libtiff/trunk (9 files)
Eric Bélanger
eric at archlinux.org
Thu Aug 27 05:54:59 UTC 2009
Date: Thursday, August 27, 2009 @ 01:54:59
Author: eric
Revision: 50445
upgpkg: libtiff 3.9.0-1
Upstream update, Updated url, Updated patches
Added:
libtiff/trunk/tiff-3.9.0-CVE-2009-2347.patch
Modified:
libtiff/trunk/ChangeLog
libtiff/trunk/PKGBUILD
Deleted:
libtiff/trunk/CVE-2006-3459-3465.patch
libtiff/trunk/tiff-3.8.2-CVE-2008-2327.patch
libtiff/trunk/tiff-3.8.2-CVE-2009-2347.patch
libtiff/trunk/tiff2pdf-compression.patch
libtiff/trunk/tiff2pdf-octal-printf.patch
libtiff/trunk/tiffsplit-fname-overflow.patch
--------------------------------+
CVE-2006-3459-3465.patch | 669 ---------------------------------------
ChangeLog | 7
PKGBUILD | 31 -
tiff-3.8.2-CVE-2008-2327.patch | 64 ---
tiff-3.8.2-CVE-2009-2347.patch | 170 ---------
tiff-3.9.0-CVE-2009-2347.patch | 29 +
tiff2pdf-compression.patch | 44 --
tiff2pdf-octal-printf.patch | 11
tiffsplit-fname-overflow.patch | 19 -
9 files changed, 46 insertions(+), 998 deletions(-)
Deleted: CVE-2006-3459-3465.patch
===================================================================
--- CVE-2006-3459-3465.patch 2009-08-26 21:37:43 UTC (rev 50444)
+++ CVE-2006-3459-3465.patch 2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,669 +0,0 @@
-diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
-@@ -122,6 +122,7 @@
- {
- static const char module[] = "_TIFFVSetField";
-
-+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
- TIFFDirectory* td = &tif->tif_dir;
- int status = 1;
- uint32 v32, i, v;
-@@ -195,10 +196,12 @@
- break;
- case TIFFTAG_ORIENTATION:
- v = va_arg(ap, uint32);
-+ const TIFFFieldInfo* fip;
- if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
-+ fip = _TIFFFieldWithTag(tif, tag);
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "Bad value %lu for \"%s\" tag ignored",
-- v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ v, fip ? fip->field_name : "Unknown");
- } else
- td->td_orientation = (uint16) v;
- break;
-@@ -387,11 +390,15 @@
- * happens, for example, when tiffcp is used to convert between
- * compression schemes and codec-specific tags are blindly copied.
- */
-+ /*
-+ * better not dereference fip if it is NULL.
-+ * -- taviso at google.com 15 Jun 2006
-+ */
- if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- status = 0;
- break;
- }
-@@ -468,7 +475,7 @@
- if (fip->field_type == TIFF_ASCII)
- _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
- else {
-- tv->value = _TIFFmalloc(tv_size * tv->count);
-+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
- if (!tv->value) {
- status = 0;
- goto end;
-@@ -563,7 +570,7 @@
- }
- }
- if (status) {
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+ TIFFSetFieldBit(tif, fip->field_bit);
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- }
-
-@@ -572,12 +579,12 @@
- return (status);
- badvalue:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
-- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- badvalue32:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
-- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- }
-@@ -813,12 +820,16 @@
- * If the client tries to get a tag that is not valid
- * for the image's codec then we'll arrive here.
- */
-+ /*
-+ * dont dereference fip if it's NULL.
-+ * -- taviso at google.com 15 Jun 2006
-+ */
- if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
- {
- TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- ret_val = 0;
- break;
- }
-diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
-@@ -775,7 +775,8 @@
- TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
- "Internal error, unknown tag 0x%x",
- (unsigned int) tag);
-- assert(fip != NULL);
-+ /* assert(fip != NULL); */
-+
- /*NOTREACHED*/
- }
- return (fip);
-@@ -789,7 +790,8 @@
- if (!fip) {
- TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
- "Internal error, unknown tag %s", field_name);
-- assert(fip != NULL);
-+ /* assert(fip != NULL); */
-+
- /*NOTREACHED*/
- }
- return (fip);
-diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
-@@ -29,6 +29,9 @@
- *
- * Directory Read Support Routines.
- */
-+
-+#include <limits.h>
-+
- #include "tiffiop.h"
-
- #define IGNORE 0 /* tag placeholder used below */
-@@ -81,6 +84,7 @@
- uint16 dircount;
- toff_t nextdiroff;
- int diroutoforderwarning = 0;
-+ int compressionknown = 0;
- toff_t* new_dirlist;
-
- tif->tif_diroff = tif->tif_nextdiroff;
-@@ -147,13 +151,20 @@
- } else {
- toff_t off = tif->tif_diroff;
-
-- if (off + sizeof (uint16) > tif->tif_size) {
-- TIFFErrorExt(tif->tif_clientdata, module,
-- "%s: Can not read TIFF directory count",
-- tif->tif_name);
-- return (0);
-+ /*
-+ * Check for integer overflow when validating the dir_off, otherwise
-+ * a very high offset may cause an OOB read and crash the client.
-+ * -- taviso at google.com, 14 Jun 2006.
-+ */
-+ if (off + sizeof (uint16) > tif->tif_size ||
-+ off > (UINT_MAX - sizeof(uint16))) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "%s: Can not read TIFF directory count",
-+ tif->tif_name);
-+ return (0);
- } else
-- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
-+ _TIFFmemcpy(&dircount, tif->tif_base + off,
-+ sizeof (uint16));
- off += sizeof (uint16);
- if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabShort(&dircount);
-@@ -254,6 +265,7 @@
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
-+
- if (fix >= tif->tif_nfields ||
- tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
-
-@@ -264,17 +276,23 @@
- dp->tdir_tag,
- dp->tdir_tag,
- dp->tdir_type);
--
-- TIFFMergeFieldInfo(tif,
-- _TIFFCreateAnonFieldInfo(tif,
-- dp->tdir_tag,
-- (TIFFDataType) dp->tdir_type),
-- 1 );
-+ /*
-+ * creating anonymous fields prior to knowing the compression
-+ * algorithm (ie, when the field info has been merged) could cause
-+ * crashes with pathological directories.
-+ * -- taviso at google.com 15 Jun 2006
-+ */
-+ if (compressionknown)
-+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
-+ (TIFFDataType) dp->tdir_type), 1 );
-+ else goto ignore;
-+
- fix = 0;
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
- }
-+
- /*
- * Null out old tags that we ignore.
- */
-@@ -326,6 +344,7 @@
- dp->tdir_type, dp->tdir_offset);
- if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
- goto bad;
-+ else compressionknown++;
- break;
- /* XXX: workaround for broken TIFFs */
- } else if (dp->tdir_type == TIFF_LONG) {
-@@ -540,6 +559,7 @@
- * Attempt to deal with a missing StripByteCounts tag.
- */
- if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * Some manufacturers violate the spec by not giving
- * the size of the strips. In this case, assume there
-@@ -556,7 +576,7 @@
- "%s: TIFF directory is missing required "
- "\"%s\" field, calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- /*
-@@ -580,6 +600,7 @@
- } else if (td->td_nstrips == 1
- && td->td_stripoffset[0] != 0
- && BYTECOUNTLOOKSBAD) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * XXX: Plexus (and others) sometimes give a value of zero for
- * a tag when they don't know what the correct value is! Try
-@@ -589,13 +610,14 @@
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if(EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
- && td->td_nstrips > 2
- && td->td_compression == COMPRESSION_NONE
- && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * XXX: Some vendors fill StripByteCount array with absolutely
- * wrong values (it can be equal to StripOffset array, for
-@@ -604,7 +626,7 @@
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- }
-@@ -870,7 +892,13 @@
-
- register TIFFDirEntry *dp;
- register TIFFDirectory *td = &tif->tif_dir;
-- uint16 i;
-+
-+ /* i is used to iterate over td->td_nstrips, so must be
-+ * at least the same width.
-+ * -- taviso at google.com 15 Jun 2006
-+ */
-+
-+ uint32 i;
-
- if (td->td_stripbytecount)
- _TIFFfree(td->td_stripbytecount);
-@@ -947,16 +975,18 @@
- static int
- CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
- {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+
- if (count > dir->tdir_count) {
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+ fip ? fip->field_name : "Unknown",
- dir->tdir_count, count);
- return (0);
- } else if (count < dir->tdir_count) {
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+ fip ? fip->field_name : "Unknown",
- dir->tdir_count, count);
- return (1);
- }
-@@ -970,6 +1000,7 @@
- TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
- {
- int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- tsize_t cc = dir->tdir_count * w;
-
- /* Check for overflow. */
-@@ -1013,7 +1044,7 @@
- bad:
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Error fetching data for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- return (tsize_t) 0;
- }
-
-@@ -1039,10 +1070,12 @@
- static int
- cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
- {
-+ const TIFFFieldInfo* fip;
- if (denom == 0) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "%s: Rational with zero denominator (num = %lu)",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
-+ fip ? fip->field_name : "Unknown", num);
- return (0);
- } else {
- if (dir->tdir_type == TIFF_RATIONAL)
-@@ -1159,6 +1192,20 @@
- static int
- TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
- {
-+ /*
-+ * Prevent overflowing the v stack arrays below by performing a sanity
-+ * check on tdir_count, this should never be greater than two.
-+ * -- taviso at google.com 14 Jun 2006.
-+ */
-+ if (dir->tdir_count > 2) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
-+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
-+ fip ? fip->field_name : "Unknown",
-+ dir->tdir_count);
-+ return 0;
-+ }
-+
- switch (dir->tdir_type) {
- case TIFF_BYTE:
- case TIFF_SBYTE:
-@@ -1329,14 +1376,15 @@
- case TIFF_DOUBLE:
- return (TIFFFetchDoubleArray(tif, dir, (double*) v));
- default:
-+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- /* TIFF_NOTYPE */
- /* TIFF_ASCII */
- /* TIFF_UNDEFINED */
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "cannot read TIFF_ANY type %d for field \"%s\"",
- dir->tdir_type,
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-- return (0);
-+ fip ? fip->field_name : "Unknown");
-+ return (0); }
- }
- return (1);
- }
-@@ -1351,6 +1399,9 @@
- int ok = 0;
- const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
-
-+ if (fip == NULL) {
-+ return (0);
-+ }
- if (dp->tdir_count > 1) { /* array of values */
- char* cp = NULL;
-
-@@ -1493,6 +1544,7 @@
- TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1510,9 +1562,10 @@
-
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-@@ -1534,6 +1587,7 @@
- TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1551,9 +1605,10 @@
- check_count = samples;
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-@@ -1574,6 +1629,7 @@
- TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1591,9 +1647,10 @@
-
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
-@@ -1136,6 +1136,7 @@
- Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
- {
- Fax3BaseState* sp = Fax3State(tif);
-+ const TIFFFieldInfo* fip;
-
- assert(sp != 0);
- assert(sp->vsetparent != 0);
-@@ -1181,7 +1182,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
-@@ -722,15 +722,31 @@
- segment_width = TIFFhowmany(segment_width, sp->h_sampling);
- segment_height = TIFFhowmany(segment_height, sp->v_sampling);
- }
-- if (sp->cinfo.d.image_width != segment_width ||
-- sp->cinfo.d.image_height != segment_height) {
-+ if (sp->cinfo.d.image_width < segment_width ||
-+ sp->cinfo.d.image_height < segment_height) {
- TIFFWarningExt(tif->tif_clientdata, module,
- "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
- segment_width,
- segment_height,
- sp->cinfo.d.image_width,
- sp->cinfo.d.image_height);
-+ }
-+
-+ if (sp->cinfo.d.image_width > segment_width ||
-+ sp->cinfo.d.image_height > segment_height) {
-+ /*
-+ * This case could be dangerous, if the strip or tile size has been
-+ * reported as less than the amount of data jpeg will return, some
-+ * potential security issues arise. Catch this case and error out.
-+ * -- taviso at google.com 14 Jun 2006
-+ */
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "JPEG strip/tile size exceeds expected dimensions,"
-+ "expected %dx%d, got %dx%d", segment_width, segment_height,
-+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
-+ return (0);
- }
-+
- if (sp->cinfo.d.num_components !=
- (td->td_planarconfig == PLANARCONFIG_CONTIG ?
- td->td_samplesperpixel : 1)) {
-@@ -761,6 +777,22 @@
- sp->cinfo.d.comp_info[0].v_samp_factor,
- sp->h_sampling, sp->v_sampling);
-
-+ /*
-+ * There are potential security issues here for decoders that
-+ * have already allocated buffers based on the expected sampling
-+ * factors. Lets check the sampling factors dont exceed what
-+ * we were expecting.
-+ * -- taviso at google.com 14 June 2006
-+ */
-+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
-+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Cannot honour JPEG sampling factors that"
-+ " exceed those specified.");
-+ return (0);
-+ }
-+
-+
- /*
- * XXX: Files written by the Intergraph software
- * has different sampling factors stored in the
-@@ -1521,15 +1553,18 @@
- {
- JPEGState *sp = JState(tif);
-
-- assert(sp != 0);
-+ /* assert(sp != 0); */
-
- tif->tif_tagmethods.vgetfield = sp->vgetparent;
- tif->tif_tagmethods.vsetfield = sp->vsetparent;
-
-- if( sp->cinfo_initialized )
-- TIFFjpeg_destroy(sp); /* release libjpeg resources */
-- if (sp->jpegtables) /* tag value */
-- _TIFFfree(sp->jpegtables);
-+ if (sp != NULL) {
-+ if( sp->cinfo_initialized )
-+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
-+ if (sp->jpegtables) /* tag value */
-+ _TIFFfree(sp->jpegtables);
-+ }
-+
- _TIFFfree(tif->tif_data); /* release local state */
- tif->tif_data = NULL;
-
-@@ -1541,6 +1576,7 @@
- {
- JPEGState* sp = JState(tif);
- TIFFDirectory* td = &tif->tif_dir;
-+ const TIFFFieldInfo* fip;
- uint32 v32;
-
- assert(sp != NULL);
-@@ -1606,7 +1642,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-@@ -1726,7 +1768,11 @@
- {
- JPEGState* sp = JState(tif);
-
-- assert(sp != NULL);
-+ /* assert(sp != NULL); */
-+ if (sp == NULL) {
-+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
-+ return;
-+ }
-
- (void) flags;
- if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
-diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
-@@ -105,11 +105,16 @@
- * as codes of the form <color><npixels>
- * until we've filled the scanline.
- */
-+ /*
-+ * Ensure the run does not exceed the scanline
-+ * bounds, potentially resulting in a security issue.
-+ * -- taviso at google.com 14 Jun 2006.
-+ */
- op = row;
- for (;;) {
- grey = (n>>6) & 0x3;
- n &= 0x3f;
-- while (n-- > 0)
-+ while (n-- > 0 && npixels < imagewidth)
- SETPIXEL(op, grey);
- if (npixels >= (int) imagewidth)
- break;
-diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
-@@ -768,7 +768,19 @@
- if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabArrayOfShort(up, nsamples);
-
-- for (i = 0; i < nsamples; i += llen, up += llen) {
-+ /*
-+ * if llen is not an exact multiple of nsamples, the decode operation
-+ * may overflow the output buffer, so truncate it enough to prevent that
-+ * but still salvage as much data as possible.
-+ * -- taviso at google.com 14th June 2006
-+ */
-+ if (nsamples % llen)
-+ TIFFWarningExt(tif->tif_clientdata, module,
-+ "%s: stride %lu is not a multiple of sample count, "
-+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
-+
-+
-+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
- switch (sp->user_datafmt) {
- case PIXARLOGDATAFMT_FLOAT:
- horizontalAccumulateF(up, llen, sp->stride,
-diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
-@@ -31,6 +31,8 @@
- #include "tiffiop.h"
- #include <stdio.h>
-
-+#include <limits.h>
-+
- int TIFFFillStrip(TIFF*, tstrip_t);
- int TIFFFillTile(TIFF*, ttile_t);
- static int TIFFStartStrip(TIFF*, tstrip_t);
-@@ -272,7 +274,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
-+ /*
-+ * This sanity check could potentially overflow, causing an OOB read.
-+ * verify that offset + bytecount is > offset.
-+ * -- taviso at google.com 14 Jun 2006
-+ */
-+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
- /*
- * This error message might seem strange, but it's
- * what would happen if a read were done instead.
-@@ -470,7 +478,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
-+ /*
-+ * We must check this calculation doesnt overflow, potentially
-+ * causing an OOB read.
-+ * -- taviso at google.com 15 Jun 2006
-+ */
-+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
- tif->tif_curtile = NOTILE;
- return (0);
- }
Modified: ChangeLog
===================================================================
--- ChangeLog 2009-08-26 21:37:43 UTC (rev 50444)
+++ ChangeLog 2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,3 +1,10 @@
+2009-08-26 Eric Belanger <eric at archlinux.org>
+
+ * libtiff 3.9.0-1
+ * Upstream update
+ * Updated url
+ * Updated patches
+
2009-08-14 Eric Belanger <eric at archlinux.org>
* libtiff 3.8.2-6
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2009-08-26 21:37:43 UTC (rev 50444)
+++ PKGBUILD 2009-08-27 05:54:59 UTC (rev 50445)
@@ -3,39 +3,28 @@
# Contributor: dorphell <dorphell at archlinux.org>
pkgname=libtiff
-pkgver=3.8.2
-pkgrel=6
+pkgver=3.9.0
+pkgrel=1
pkgdesc="Library for manipulation of TIFF images"
arch=('i686' 'x86_64')
-url="http://www.libtiff.org/"
+url="http://www.remotesensing.org/libtiff/"
license=('custom')
depends=('libjpeg>=7' 'zlib')
makedepends=('libgl' 'freeglut' 'libxmu' 'libxi')
optdepends=('freeglut: for using tiffgt')
options=('!libtool')
source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-${pkgver}.tar.gz \
- tiff2pdf-octal-printf.patch tiffsplit-fname-overflow.patch \
- CVE-2006-3459-3465.patch tiff2pdf-compression.patch \
- tiff-3.8.2-CVE-2008-2327.patch libtiff-CVE-2009-2285.patch \
- tiff-3.8.2-CVE-2009-2347.patch)
-md5sums=('fbb6f446ea4ed18955e2714934e5b698' 'd54368687d2645ffbbe6c2df384b11bf'\
- '323352fd60a7bd3ffac8724c3c031669' '624d3067e6a4c0680767eb62253ea980'\
- 'b443ffca9d498bb3a88c17da0200025b' 'c2c2e22557d9c63011df5777dda6a86b'\
- 'ff61077408727a82281f77a94f555e2a' 'd3b02693cca83e63005b162edd43016b')
-sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb' 'c79245249634a121bfaff6cfecb763f72fe7f8eb'\
- 'dc86bb68c7831ff70ff01d952d553be9f986be46' '85dc50a60a10025757e249d869dab7eb73ba6e3c'\
- '508751f55131356ea8a7e7c4994ffbc9bd881769' '1da2ec6a47c0666cad9d07fb8427c1c75ca27b10'\
- 'eadce8c8bd72ea9c74f35300bf299131813b0c8b' '3017201b7f500389acfa775479a6fdd069e9a099')
+ libtiff-CVE-2009-2285.patch \
+ tiff-3.9.0-CVE-2009-2347.patch)
+md5sums=('74c0072edc1ac8ca6b8af009a31151e5' 'ff61077408727a82281f77a94f555e2a'\
+ '867fa3ec83e748abf247f9706ef13f9a')
+sha1sums=('e525879da8416e00ccd58617b2850341a429e23c' 'eadce8c8bd72ea9c74f35300bf299131813b0c8b'\
+ 'cf8b68ed8f218d2429ab296c2033dc0292efe299')
build() {
cd "${srcdir}/tiff-${pkgver}"
- patch -p1 < ../tiff2pdf-octal-printf.patch || return 1
- patch -p1 < ../tiffsplit-fname-overflow.patch || return 1
- patch -p1 < ../CVE-2006-3459-3465.patch || return 1
- patch -p1 < ../tiff2pdf-compression.patch || return 1
- patch -p1 < ../tiff-3.8.2-CVE-2008-2327.patch || return 1
patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1
- patch -p1 < ../tiff-3.8.2-CVE-2009-2347.patch || return 1
+ patch -p0 < ../tiff-3.9.0-CVE-2009-2347.patch || return 1
./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man || return 1
make || return 1
make DESTDIR="${pkgdir}" install || return 1
Deleted: tiff-3.8.2-CVE-2008-2327.patch
===================================================================
--- tiff-3.8.2-CVE-2008-2327.patch 2009-08-26 21:37:43 UTC (rev 50444)
+++ tiff-3.8.2-CVE-2008-2327.patch 2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,64 +0,0 @@
-Fixes security issues in libTIFF's handling of LZW-encoded
-images. The use of uninitialized data could lead to a buffer
-underflow and a crash or arbitrary code execution.
-
-CVE-ID: CVE-2008-2327
-Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
-
-Index: tiff-3.8.2/libtiff/tif_lzw.c
-===================================================================
---- tiff-3.8.2.orig/libtiff/tif_lzw.c
-+++ tiff-3.8.2/libtiff/tif_lzw.c
-@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
- sp->dec_codetab[code].length = 1;
- sp->dec_codetab[code].next = NULL;
- } while (code--);
-+ /*
-+ * Zero-out the unused entries
-+ */
-+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
-+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
-+
- }
- return (1);
- }
-@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
- break;
- if (code == CODE_CLEAR) {
- free_entp = sp->dec_codetab + CODE_FIRST;
-+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- NextCode(tif, sp, bp, code, GetNextCode);
- if (code == CODE_EOI)
- break;
-+ if (code == CODE_CLEAR) {
-+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+ "LZWDecode: Corrupted LZW table at scanline %d",
-+ tif->tif_row);
-+ return (0);
-+ }
- *op++ = (char)code, occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
-@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
- break;
- if (code == CODE_CLEAR) {
- free_entp = sp->dec_codetab + CODE_FIRST;
-+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask;
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
- if (code == CODE_EOI)
- break;
-+ if (code == CODE_CLEAR) {
-+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+ "LZWDecode: Corrupted LZW table at scanline %d",
-+ tif->tif_row);
-+ return (0);
-+ }
- *op++ = code, occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
Deleted: tiff-3.8.2-CVE-2009-2347.patch
===================================================================
--- tiff-3.8.2-CVE-2009-2347.patch 2009-08-26 21:37:43 UTC (rev 50444)
+++ tiff-3.8.2-CVE-2009-2347.patch 2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,170 +0,0 @@
-Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
-possible integer overflow in calculation of buffer sizes.
-
-CVE-2009-2347
-
-
-diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
---- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
-+++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
-@@ -202,6 +202,17 @@
- #undef LumaBlue
- #undef V2Code
-
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t prod = m1 * m2;
-+
-+ if (m1 && prod / m1 != m2)
-+ prod = 0; /* overflow */
-+
-+ return prod;
-+}
-+
- /*
- * Convert a strip of RGB data to YCbCr and
- * sample to generate the output data.
-@@ -278,10 +289,19 @@
- float floatv;
- char *stringv;
- uint32 longv;
-+ tsize_t raster_size;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+
-+ raster_size = multiply(multiply(width, height), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) width, (unsigned long) height);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
---- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
-+++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
-@@ -124,6 +124,17 @@
- return (0);
- }
-
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t prod = m1 * m2;
-+
-+ if (m1 && prod / m1 != m2)
-+ prod = 0; /* overflow */
-+
-+ return prod;
-+}
-+
- static int
- cvt_by_tile( TIFF *in, TIFF *out )
-
-@@ -133,6 +144,7 @@
- uint32 tile_width, tile_height;
- uint32 row, col;
- uint32 *wrk_line;
-+ tsize_t raster_size;
- int ok = 1;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -150,7 +162,14 @@
- /*
- * Allocate tile buffer
- */
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) tile_width, (unsigned long) tile_height);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -158,7 +177,7 @@
-
- /*
- * Allocate a scanline buffer for swapping during the vertical
-- * mirroring pass.
-+ * mirroring pass. (Request can't overflow given prior checks.)
- */
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
- if (!wrk_line) {
-@@ -226,6 +245,7 @@
- uint32 width, height; /* image width & height */
- uint32 row;
- uint32 *wrk_line;
-+ tsize_t raster_size;
- int ok = 1;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -241,7 +261,14 @@
- /*
- * Allocate strip buffer
- */
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) width, (unsigned long) rowsperstrip);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -249,7 +276,7 @@
-
- /*
- * Allocate a scanline buffer for swapping during the vertical
-- * mirroring pass.
-+ * mirroring pass. (Request can't overflow given prior checks.)
- */
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
- if (!wrk_line) {
-@@ -328,14 +355,22 @@
- uint32* raster; /* retrieve RGBA image */
- uint32 width, height; /* image width & height */
- uint32 row;
--
-+ tsize_t raster_size;
-+
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-
- rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
- TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
-
-- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+ raster_size = multiply(multiply(width, height), sizeof (uint32));
-+ if (!raster_size) {
-+ TIFFError(TIFFFileName(in),
-+ "Can't allocate buffer for raster of size %lux%lu",
-+ (unsigned long) width, (unsigned long) height);
-+ return (0);
-+ }
-+ raster = (uint32*)_TIFFmalloc(raster_size);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -353,7 +388,7 @@
- */
- if( no_alpha )
- {
-- int pixel_count = width * height;
-+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
- unsigned char *src, *dst;
-
- src = (unsigned char *) raster;
-
Added: tiff-3.9.0-CVE-2009-2347.patch
===================================================================
--- tiff-3.9.0-CVE-2009-2347.patch (rev 0)
+++ tiff-3.9.0-CVE-2009-2347.patch 2009-08-27 05:54:59 UTC (rev 50445)
@@ -0,0 +1,29 @@
+--- tools/tiff2rgba.c.orig 2009-08-27 00:05:33.000000000 -0400
++++ tools/tiff2rgba.c 2009-08-27 00:23:44.000000000 -0400
+@@ -236,6 +236,7 @@
+ uint32 width, height; /* image width & height */
+ uint32 row;
+ uint32 *wrk_line;
++ size_t pixel_count;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -251,7 +252,17 @@
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ pixel_count = width * rowsperstrip;
++
++ /* XXX: Check the integer overflow. */
++ if (!width || !rowsperstrip || pixel_count / width != rowsperstrip) {
++ TIFFError(TIFFFileName(in),
++ "Malformed input file; can't allocate buffer for raster of %lux%lu size",
++ (unsigned long)width, (unsigned long)rowsperstrip);
++ return 0;
++ }
++
++ raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
Deleted: tiff2pdf-compression.patch
===================================================================
--- tiff2pdf-compression.patch 2009-08-26 21:37:43 UTC (rev 50444)
+++ tiff2pdf-compression.patch 2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,44 +0,0 @@
---- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35
-+++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36
-@@ -937,7 +937,7 @@
-
- #ifdef JPEG_SUPPORT
- if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){
-- if(t2p->pdf_defaultcompressionquality<100 ||
-+ if(t2p->pdf_defaultcompressionquality>100 ||
- t2p->pdf_defaultcompressionquality<1){
- t2p->pdf_defaultcompressionquality=0;
- }
-@@ -945,25 +945,17 @@
- #endif
- #ifdef ZIP_SUPPORT
- if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){
-- switch (t2p->pdf_defaultcompressionquality){
-- case 1: case 10: case 11: case 12: case 13: case 14: case 15:
-- case 101: case 110: case 111: case 112: case 113: case 114: case 115:
-- case 201: case 210: case 211: case 212: case 213: case 214: case 215:
-- case 301: case 310: case 311: case 312: case 313: case 314: case 315:
-- case 401: case 410: case 411: case 412: case 413: case 414: case 415:
-- case 501: case 510: case 511: case 512: case 513: case 514: case 515:
-- case 601: case 610: case 611: case 612: case 613: case 614: case 615:
-- case 701: case 710: case 711: case 712: case 713: case 714: case 715:
-- case 801: case 810: case 811: case 812: case 813: case 814: case 815:
-- case 901: case 910: case 911: case 912: case 913: case 914: case 915:
-- break;
-- default:
-- t2p->pdf_defaultcompressionquality=0;
-+ uint16 m=t2p->pdf_defaultcompressionquality%100;
-+ if(t2p->pdf_defaultcompressionquality/100 > 9 ||
-+ (m>1 && m<10) || m>15){
-+ t2p->pdf_defaultcompressionquality=0;
- }
- if(t2p->pdf_defaultcompressionquality%100 !=0){
-+ t2p->pdf_defaultcompressionquality/=100;
-+ t2p->pdf_defaultcompressionquality*=100;
- TIFFError(
- TIFF2PDF_MODULE,
-- "PNG Group predictor differencing not implemented, assuming compresion quality %u",
-+ "PNG Group predictor differencing not implemented, assuming compression quality %u",
- t2p->pdf_defaultcompressionquality);
- }
- t2p->pdf_defaultcompressionquality%=100;
Deleted: tiff2pdf-octal-printf.patch
===================================================================
--- tiff2pdf-octal-printf.patch 2009-08-26 21:37:43 UTC (rev 50444)
+++ tiff2pdf-octal-printf.patch 2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,11 +0,0 @@
---- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500
-+++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400
-@@ -3668,7 +3668,7 @@
- written += TIFFWriteFile(output, (tdata_t) "(", 1);
- for (i=0;i<len;i++){
- if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
-- sprintf(buffer, "\\%.3o", pdfstr[i]);
-+ sprintf(buffer, "\\%.3hho", pdfstr[i]);
- written += TIFFWriteFile(output, (tdata_t) buffer, 4);
- } else {
- switch (pdfstr[i]){
Deleted: tiffsplit-fname-overflow.patch
===================================================================
--- tiffsplit-fname-overflow.patch 2009-08-26 21:37:43 UTC (rev 50444)
+++ tiffsplit-fname-overflow.patch 2009-08-27 05:54:59 UTC (rev 50445)
@@ -1,19 +0,0 @@
---- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500
-+++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400
-@@ -61,14 +61,13 @@
- return (-3);
- }
- if (argc > 2)
-- strcpy(fname, argv[2]);
-+ snprintf(fname, sizeof(fname), "%s", argv[2]);
- in = TIFFOpen(argv[1], "r");
- if (in != NULL) {
- do {
- char path[1024+1];
- newfilename();
-- strcpy(path, fname);
-- strcat(path, ".tif");
-+ snprintf(path, sizeof(path), "%s.tif", fname);
- out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
- if (out == NULL)
- return (-2);
More information about the arch-commits
mailing list