pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2016Q3]: pkgsrc/graphics/tiff Pullup ticket #5163 - requested ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/ed02ef03c7e7
branches:  pkgsrc-2016Q3
changeset: 408819:ed02ef03c7e7
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Mon Nov 28 20:27:03 2016 +0000

description:
Pullup ticket #5163 - requested by wiz
graphics/tiff: security fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.123-1.124
- graphics/tiff/PLIST                                           1.22
- graphics/tiff/distinfo                                        1.70
- graphics/tiff/patches/patch-libtiff_tif_luv.c                 deleted

---
   Module Name: pkgsrc
   Committed By:        adam
   Date:                Sat Oct  8 06:20:39 UTC 2016

   Modified Files:
        pkgsrc/graphics/tiff: Makefile

   Log Message:
   Updated MASTER_SITES and HOMEPAGE; the old ones seem to be dead.

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Tue Nov 22 15:19:54 UTC 2016

   Modified Files:
        pkgsrc/graphics/tiff: Makefile PLIST distinfo
   Removed Files:
        pkgsrc/graphics/tiff/patches: patch-libtiff_tif_luv.c

   Log Message:
   Updated tiff to 4.0.7.

   MAJOR CHANGES:

    ? The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr
      are completely removed from the distribution. These tools were written in
      the late 1980s and early 1990s for test and demonstration purposes. In some
      cases the tools were never updated to support updates to the file format,
      or the file formats are now rarely used. In all cases these tools increased
      the libtiff security and maintenance exposure beyond the value offered by
      the tool.

   CHANGES IN LIBTIFF:

    ? libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference NULL
      pointer when values of tags with TIFF_SETGET_C16_ASCII /
      TIFF_SETGET_C32_ASCII access are 0-byte arrays. Fixes http://
      bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced by
      previous fix done on 2016-11-11 for CVE-2016-9297). Reported by Henri Salo.
      Assigned as CVE-2016-9448
    ? libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted() when requesting
      Predictor tag and that the zip/lzw codec is not configured. Fixes http://
      bugzilla.maptools.org/show_bug.cgi?id=2591
    ? libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that values of
      tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are null
      terminated, to avoid potential read outside buffer in _TIFFPrintField().
      Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
    ? libtiff/tif_dirread.c: reject images with OJPEG compression that have no
      TileOffsets/StripOffsets tag, when OJPEG compression is disabled. Prevent
      null pointer dereference in TIFFReadRawStrip1() and other functions that
      expect td_stripbytecount to be non NULL. Fixes http://bugzilla.maptools.org
      /show_bug.cgi?id=2585
    ? libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
      value when it is non-zero, instead of recomputing it. This is needed in
      TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
      array in tiffsplit (or other utilities using TIFFNumberOfStrips()). Fixes
      http://bugzilla.maptools.org/show_bug.cgi?id=2587 (CVE-2016-9273)
    ? libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime
      checks to avoid assertions in debug mode, or buffer overflows in release
      mode. Can happen when dealing with unusual tile size like YCbCr with
      subsampling. Reported as MSVR 35105 by Axel Souchet & Vishal Chauhan from
      the MSRC Vulnerabilities & Mitigations
    ? libtiff/tif_dir.c: discard values of SMinSampleValue and SMaxSampleValue
      when they have been read and the value of SamplesPerPixel is changed
      afterwards (like when reading a OJPEG compressed image with a missing
      SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing
      SamplesPerPixel being 3). Otherwise when rewriting the directory (for
      example with tiffset, we will expect 3 values whereas the array had been
      allocated with just one), thus causing a out of bound read access. Fixes
      http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127,
      duplicate: CVE-2016-3658)
    ? libtiff/tif_dirwrite.c: avoid null pointer dereference on td_stripoffset
      when writing directory, if FIELD_STRIPOFFSETS was artificially set for a
      hack case in OJPEG case. Fixes http://bugzilla.maptools.org/show_bug.cgi?id
      =2500 (CVE-2014-8127, duplicate: CVE-2016-3658)
    ? libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to read floating
      point images.
    ? libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
      requirements of floating point predictor (3). Fixes CVE-2016-3622 "Divide
      By Zero in the tiff2rgba tool."
    ? libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
      allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
      Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
    ? libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
      didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure
      if that could happen in practice outside of the odd behaviour of
      t2p_seekproc() of tiff2pdf). The report points that a better fix could be
      to check the return value of TIFFFlushData1() in places where it isn't done
      currently, but it seems this patch is enough. Reported as MSVR 35095.
      Discovered by Axel Souchet & Vishal Chauhan & Suha Can from the MSRC
      Vulnerabilities & Mitigations team.
    ? libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode if more
      input samples are provided than expected by PixarLogSetupEncode. Idea based
      on libtiff-CVE-2016-3990.patch from libtiff-4.0.3-25.el7_2.src.rpm by
      Nikola Forro, but with different and simpler check. (bugzilla #2544)
    ? libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped files in
      TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond
      tmsize_t max value (reported by Mathias Svensson)
    ? libtiff/tif_read.c: make TIFFReadEncodedStrip() and TIFFReadEncodedTile()
      directly use user provided buffer when no compression (and other
      conditions) to save a memcpy()
    ? libtiff/tif_write.c: make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile
      () directly use user provided buffer when no compression to save a memcpy
      ().
    ? libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
      PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid potential
      invalid memory write on corrupted/unexpected images when using the
      TIFFRGBAImageBegin() interface (reported by Clay Wood)
    ? libtiff/tif_pixarlog.c: fix potential buffer write overrun in
      PixarLogDecode() on corrupted/unexpected images (reported by Mathias
      Svensson) (CVE-2016-5875)
    ? libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64 to
      libtiff.def
    ? libtiff/tif_config.vc.h (HAVE_SNPRINTF): Add a '1' to the HAVE_SNPRINTF
      definition.
    ? libtiff/tif_config.vc.h (HAVE_SNPRINTF): Applied patch by Edward Lam to
      define HAVE_SNPRINTF for Visual Studio 2015.
    ? libtiff/tif_dirread.c: when compiled with DEFER_STRILE_LOAD, fix
      regression, introduced on 2014-12-23, when reading a one-strip file without
      a StripByteCounts tag. GDAL #6490
    ? libtiff/*: upstream typo fixes (mostly contributed by Kurt Schwehr) coming
      from GDAL internal libtiff
    ? libtiff/tif_fax3.h: make Param member of TIFFFaxTabEnt structure a uint16
      to reduce size of the binary.
    ? libtiff/tif_read.c, tif_dirread.c: fix indentation issues raised by GCC 6
      -Wmisleading-indentation
    ? libtiff/tif_pixarlog.c: avoid zlib error messages to pass a NULL string to
      %s formatter, which is undefined behaviour in sprintf().
    ? libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
      triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (bugzilla #
      2508)
    ? libtiff/tif_luv.c: fix potential out-of-bound writes in decode functions in
      non debug builds by replacing assert()s by regular if checks (bugzilla #
      2522). Fix potential out-of-bound reads in case of short input data.
    ? libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage interface
      in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV /
      CIELab. Add explicit call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix
      CVE-2015-8665 reported by limingxing and CVE-2015-8683 reported by zzf of
      Alibaba.
    ? libtiff/tif_dirread.c: workaround false positive warning of Clang Static
      Analyzer about null pointer dereference in TIFFCheckDirOffset().
    ? libtiff/tif_fax3.c: remove dead assignment in Fax3PutEOLgdal(). Found by
      Clang Static Analyzer
    ? libtiff/tif_dirwrite.c: fix truncation to 32 bit of file offsets in
      TIFFLinkDirectory() and TIFFWriteDirectorySec() when aligning directory
      offsets on a even offset (affects BigTIFF). This was a regression of the
      changeset of 2015-10-19.
    ? libtiff/tif_write.c: TIFFWriteEncodedStrip() and TIFFWriteEncodedTile()
      should return -1 in case of failure of tif_encodestrip() as documented
    ? libtiff/tif_dumpmode.c: DumpModeEncode() should return 0 in case of failure
      so that the above mentionned functions detect the error.
    ? libtiff/*.c: fix MSVC warnings related to cast shortening and assignment
      within conditional expression
    ? libtiff/*.c: fix clang -Wshorten-64-to-32 warnings
    ? libtiff/tif_dirread.c: prevent reading ColorMap or TransferFunction if
      BitsPerPixel > 24, so as to avoid huge memory allocation and file read
      attempts
    ? libtiff/tif_dirread.c: remove duplicated assignment (reported by Clang
      static analyzer)
    ? libtiff/tif_dir.c, libtiff/tif_dirinfo.c, libtiff/tif_compress.c, libtiff/
      tif_jpeg_12.c: suppress warnings about 'no previous declaration/prototype'
    ? libtiff/tiffiop.h, libtiff/tif_dirwrite.c: suffix constants by U to fix
      'warning: negative integer implicitly converted to unsigned type' warning
      (part of -Wconversion)
    ? libtiff/tif_dir.c, libtiff/tif_dirread.c, libtiff/tif_getimage.c, libtiff/
      tif_print.c: fix -Wshadow warnings (only in libtiff/)

   CHANGES IN THE TOOLS:

    ? tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff, ras2tiff,
      sgi2tiff, sgisv, and ycbcr are completely removed from the distribution.
      The libtiff tools rgb2ycbcr and thumbnail are only built in the build tree
      for testing. Old files are put in new 'archive' subdirectory of the source
      repository, but not in distribution archives. These changes are made in
      order to lessen the maintenance burden.
    ? tools/tiff2pdf.c: avoid undefined behaviour related to overlapping of
      source and destination buffer in memcpy() call in t2p_sample_rgbaa_to_rgb()
      Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
    ? tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds in
      t2p_read_tiff_size() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=
      2576
    ? tools/fax2tiff.c: fix segfault when specifying -r without argument. Patch
      by Yuriy M. Kaminskiy. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=
      2572
    ? tools/tiffinfo.c: fix out-of-bound read on some tiled images. (http://
      bugzilla.maptools.org/show_bug.cgi?id=2517)
    ? tools/tiffcrop.c: fix multiple uint32 overflows in
      writeBufferToSeparateStrips(), writeBufferToContigTiles() and
      writeBufferToSeparateTiles() that could cause heap buffer overflows.
      Reported by Henri Salo from Nixu Corporation. Fixes http://
      bugzilla.maptools.org/show_bug.cgi?id=2592
    ? tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
      readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet &
      Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
    ? tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG compressed
      images. Reported by Tyler Bohan of Cisco Talos as TALOS-CAN-0187 /
      CVE-2016-5652. Also prevents writing 2 extra uninitialized bytes to the
      file stream.
    ? tools/tiffcp.c: fix out-of-bounds write on tiled images with odd tile width
      vs image width. Reported as MSVR 35103 by Axel Souchet and Vishal Chauhan
      from the MSRC Vulnerabilities & Mitigations team.
    ? tools/tiff2pdf.c: fix read -largely- outsize of buffer in
      t2p_readwrite_pdf_image_tile(), causing crash, when reading a JPEG
      compressed image with TIFFTAG_JPEGTABLES length being one. Reported as MSVR
      35101 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
      Mitigations team.
    ? tools/tiffcp.c: fix read of undefined variable in case of missing required
      tags. Found on test case of MSVR 35100.
    ? tools/tiffcrop.c: fix read of undefined buffer in
      readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
      security issue but I can be wrong. Reported as MSVR 35100 by Axel Souchet
      from the MSRC Vulnerabilities & Mitigations team.
    ? tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities in heap
      or stack allocated buffers. Reported as MSVR 35093, MSVR 35096 and MSVR
      35097. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
      Vulnerabilities & Mitigations team.
    ? tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in heap allocate
      buffer in t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by
      Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
      team.
    ? tools/tiff2bw.c: fix weight computation that could result of color value
      overflow (no security implication). Fix bugzilla #2550. Patch by Frank
      Freudenberg.
    ? tools/rgb2ycbcr.c: validate values of -v and -h parameters to avoid
      potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
    ? tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). From patch
      libtiff-CVE-2016-3991.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola
      Forro (bugzilla #2543)
    ? tools/tiff2rgba.c: Fix integer overflow in size of allocated buffer, when
      -b mode is enabled, that could result in out-of-bounds write. Based
      initially on patch tiff-CVE-2016-3945.patch from
      libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
      tests that rejected valid files. (bugzilla #2545)
    ? tools/tiffcrop.c: Avoid access outside of stack allocated array on a tiled
      separate TIFF with more than 8 samples per pixel. Reported by Kaixiang
      Zhang of the Cloud Security Team, Qihoo 360 (CVE-2016-5321 / CVE-2016-5323
      , bugzilla #2558 / #2559)
    ? tools/tiffdump.c: fix a few misaligned 64-bit reads warned by -fsanitize
    ? tools/tiffdump.c (ReadDirectory): Remove uint32 cast to _TIFFmalloc()
      argument which resulted in Coverity report. Added more mutiplication
      overflow checks.

diffstat:

 graphics/tiff/Makefile                        |   10 +-
 graphics/tiff/PLIST                           |   18 +--
 graphics/tiff/distinfo                        |   11 +-
 graphics/tiff/patches/patch-libtiff_tif_luv.c |  162 --------------------------
 4 files changed, 11 insertions(+), 190 deletions(-)

diffs (280 lines):

diff -r 698b166f8854 -r ed02ef03c7e7 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile    Mon Nov 28 20:22:06 2016 +0000
+++ b/graphics/tiff/Makefile    Mon Nov 28 20:27:03 2016 +0000
@@ -1,13 +1,11 @@
-# $NetBSD: Makefile,v 1.122 2016/03/22 21:50:13 tez Exp $
+# $NetBSD: Makefile,v 1.122.6.1 2016/11/28 20:27:03 bsiegert Exp $
 
-DISTNAME=      tiff-4.0.6
-PKGREVISION=   1
+DISTNAME=      tiff-4.0.7
 CATEGORIES=    graphics
-MASTER_SITES=  ftp://ftp.remotesensing.org/pub/libtiff/ \
-               http://libtiff.maptools.org/dl/
+MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
-HOMEPAGE=      http://www.remotesensing.org/libtiff/
+HOMEPAGE=      http://simplesystems.org/libtiff/
 COMMENT=       Library and tools for reading and writing TIFF data files
 LICENSE=       mit
 
diff -r 698b166f8854 -r ed02ef03c7e7 graphics/tiff/PLIST
--- a/graphics/tiff/PLIST       Mon Nov 28 20:22:06 2016 +0000
+++ b/graphics/tiff/PLIST       Mon Nov 28 20:27:03 2016 +0000
@@ -1,14 +1,9 @@
-@comment $NetBSD: PLIST,v 1.21 2015/09/13 09:27:08 wiz Exp $
-bin/bmp2tiff
+@comment $NetBSD: PLIST,v 1.21.10.1 2016/11/28 20:27:03 bsiegert Exp $
 bin/fax2ps
 bin/fax2tiff
-bin/gif2tiff
 bin/pal2rgb
 bin/ppm2tiff
-bin/ras2tiff
 bin/raw2tiff
-bin/rgb2ycbcr
-bin/thumbnail
 bin/tiff2bw
 bin/tiff2pdf
 bin/tiff2ps
@@ -30,16 +25,12 @@
 lib/libtiff.la
 lib/libtiffxx.la
 lib/pkgconfig/libtiff-4.pc
-man/man1/bmp2tiff.1
 man/man1/fax2ps.1
 man/man1/fax2tiff.1
-man/man1/gif2tiff.1
 man/man1/pal2rgb.1
 man/man1/ppm2tiff.1
-man/man1/ras2tiff.1
 man/man1/raw2tiff.1
 man/man1/rgb2ycbcr.1
-man/man1/sgi2tiff.1
 man/man1/thumbnail.1
 man/man1/tiff2bw.1
 man/man1/tiff2pdf.1
@@ -55,7 +46,6 @@
 man/man1/tiffmedian.1
 man/man1/tiffset.1
 man/man1/tiffsplit.1
-man/man1/tiffsv.1
 man/man3/TIFFClose.3
 man/man3/TIFFDataWidth.3
 man/man3/TIFFError.3
@@ -177,18 +167,14 @@
 share/doc/tiff/html/man/TIFFstrip.3tiff.html
 share/doc/tiff/html/man/TIFFswab.3tiff.html
 share/doc/tiff/html/man/TIFFtile.3tiff.html
-share/doc/tiff/html/man/bmp2tiff.1.html
 share/doc/tiff/html/man/fax2ps.1.html
 share/doc/tiff/html/man/fax2tiff.1.html
-share/doc/tiff/html/man/gif2tiff.1.html
 share/doc/tiff/html/man/index.html
 share/doc/tiff/html/man/libtiff.3tiff.html
 share/doc/tiff/html/man/pal2rgb.1.html
 share/doc/tiff/html/man/ppm2tiff.1.html
-share/doc/tiff/html/man/ras2tiff.1.html
 share/doc/tiff/html/man/raw2tiff.1.html
 share/doc/tiff/html/man/rgb2ycbcr.1.html
-share/doc/tiff/html/man/sgi2tiff.1.html
 share/doc/tiff/html/man/thumbnail.1.html
 share/doc/tiff/html/man/tiff2bw.1.html
 share/doc/tiff/html/man/tiff2pdf.1.html
@@ -204,7 +190,6 @@
 share/doc/tiff/html/man/tiffmedian.1.html
 share/doc/tiff/html/man/tiffset.1.html
 share/doc/tiff/html/man/tiffsplit.1.html
-share/doc/tiff/html/man/tiffsv.1.html
 share/doc/tiff/html/misc.html
 share/doc/tiff/html/support.html
 share/doc/tiff/html/tools.html
@@ -251,3 +236,4 @@
 share/doc/tiff/html/v4.0.4beta.html
 share/doc/tiff/html/v4.0.5.html
 share/doc/tiff/html/v4.0.6.html
+share/doc/tiff/html/v${PKGVERSION}.html
diff -r 698b166f8854 -r ed02ef03c7e7 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo    Mon Nov 28 20:22:06 2016 +0000
+++ b/graphics/tiff/distinfo    Mon Nov 28 20:27:03 2016 +0000
@@ -1,8 +1,7 @@
-$NetBSD: distinfo,v 1.69 2016/03/22 21:50:13 tez Exp $
+$NetBSD: distinfo,v 1.69.6.1 2016/11/28 20:27:03 bsiegert Exp $
 
-SHA1 (tiff-4.0.6.tar.gz) = 280e27704eaca5f592b82e71ac0c78b87395e2de
-RMD160 (tiff-4.0.6.tar.gz) = 3d5d6951a36baf32ab0e0958d3b4a9413b7f2e07
-SHA512 (tiff-4.0.6.tar.gz) = 2c8dbaaaab9f82a7722bfe8cb6fcfcf67472beb692f1b7dafaf322759e7016dad1bc58457c0f03db50aa5bd088fef2b37358fcbc1524e20e9e14a9620373fdf8
-Size (tiff-4.0.6.tar.gz) = 2192991 bytes
+SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
+RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
+SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc
+Size (tiff-4.0.7.tar.gz) = 2076392 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
-SHA1 (patch-libtiff_tif_luv.c) = dacf0ac8943e02dac1cd618af979aec5d760d855
diff -r 698b166f8854 -r ed02ef03c7e7 graphics/tiff/patches/patch-libtiff_tif_luv.c
--- a/graphics/tiff/patches/patch-libtiff_tif_luv.c     Mon Nov 28 20:22:06 2016 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,162 +0,0 @@
-$NetBSD: patch-libtiff_tif_luv.c,v 1.1 2016/03/22 21:50:13 tez Exp $
-
-Fix for CVE-2015-8781, CVE-2015-8782, CVE-2015-8783 from:
- https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65.diff
-
---- libtiff/tif_luv.c.orig
-+++ libtiff/tif_luv.c
-@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
-       if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
-               tp = (int16*) op;
-       else {
--              assert(sp->tbuflen >= npixels);
-+              if(sp->tbuflen < npixels) {
-+                      TIFFErrorExt(tif->tif_clientdata, module,
-+                                               "Translation buffer too short");
-+                      return (0);
-+              }
-               tp = (int16*) sp->tbuf;
-       }
-       _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
-       cc = tif->tif_rawcc;
-       /* get each byte string */
-       for (shft = 2*8; (shft -= 8) >= 0; ) {
--              for (i = 0; i < npixels && cc > 0; )
-+              for (i = 0; i < npixels && cc > 0; ) {
-                       if (*bp >= 128) {               /* run */
--                              rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+                              if( cc < 2 )
-+                                      break;
-+                              rc = *bp++ + (2-128);
-                               b = (int16)(*bp++ << shft);
-                               cc -= 2;
-                               while (rc-- && i < npixels)
-@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
-                               while (--cc && rc-- && i < npixels)
-                                       tp[i++] |= (int16)*bp++ << shft;
-                       }
-+              }
-               if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
-                       TIFFErrorExt(tif->tif_clientdata, module,
-@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
-       if (sp->user_datafmt == SGILOGDATAFMT_RAW)
-               tp = (uint32 *)op;
-       else {
--              assert(sp->tbuflen >= npixels);
-+              if(sp->tbuflen < npixels) {
-+                      TIFFErrorExt(tif->tif_clientdata, module,
-+                                               "Translation buffer too short");
-+                      return (0);
-+              }
-               tp = (uint32 *) sp->tbuf;
-       }
-       /* copy to array of uint32 */
-       bp = (unsigned char*) tif->tif_rawcp;
-       cc = tif->tif_rawcc;
--      for (i = 0; i < npixels && cc > 0; i++) {
-+      for (i = 0; i < npixels && cc >= 3; i++) {
-               tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
-               bp += 3;
-               cc -= 3;
-@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
-       if (sp->user_datafmt == SGILOGDATAFMT_RAW)
-               tp = (uint32*) op;
-       else {
--              assert(sp->tbuflen >= npixels);
-+              if(sp->tbuflen < npixels) {
-+                      TIFFErrorExt(tif->tif_clientdata, module,
-+                                               "Translation buffer too short");
-+                      return (0);
-+              }
-               tp = (uint32*) sp->tbuf;
-       }
-       _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
-       cc = tif->tif_rawcc;
-       /* get each byte string */
-       for (shft = 4*8; (shft -= 8) >= 0; ) {
--              for (i = 0; i < npixels && cc > 0; )
-+              for (i = 0; i < npixels && cc > 0; ) {
-                       if (*bp >= 128) {               /* run */
-+                              if( cc < 2 )
-+                                      break;
-                               rc = *bp++ + (2-128);
-                               b = (uint32)*bp++ << shft;
--                              cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+                              cc -= 2;
-                               while (rc-- && i < npixels)
-                                       tp[i++] |= b;
-                       } else {                        /* non-run */
-@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
-                               while (--cc && rc-- && i < npixels)
-                                       tp[i++] |= (uint32)*bp++ << shft;
-                       }
-+              }
-               if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
-                       TIFFErrorExt(tif->tif_clientdata, module,
-@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- static int
- LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+      static const char module[] = "LogL16Encode";
-       LogLuvState* sp = EncoderState(tif);
-       int shft;
-       tmsize_t i;
-@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
-               tp = (int16*) bp;
-       else {
-               tp = (int16*) sp->tbuf;
--              assert(sp->tbuflen >= npixels);
-+              if(sp->tbuflen < npixels) {
-+                      TIFFErrorExt(tif->tif_clientdata, module,
-+                                               "Translation buffer too short");
-+                      return (0);
-+              }
-               (*sp->tfunc)(sp, bp, npixels);
-       }
-       /* compress each byte string */
-@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- static int
- LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+      static const char module[] = "LogLuvEncode24";
-       LogLuvState* sp = EncoderState(tif);
-       tmsize_t i;
-       tmsize_t npixels;
-@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
-               tp = (uint32*) bp;
-       else {
-               tp = (uint32*) sp->tbuf;
--              assert(sp->tbuflen >= npixels);
-+              if(sp->tbuflen < npixels) {
-+                      TIFFErrorExt(tif->tif_clientdata, module,
-+                                               "Translation buffer too short");
-+                      return (0);
-+              }
-               (*sp->tfunc)(sp, bp, npixels);
-       }
-       /* write out encoded pixels */
-@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- static int
- LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+      static const char module[] = "LogLuvEncode32";
-       LogLuvState* sp = EncoderState(tif);
-       int shft;
-       tmsize_t i;
-@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
-               tp = (uint32*) bp;
-       else {
-               tp = (uint32*) sp->tbuf;
--              assert(sp->tbuflen >= npixels);
-+              if(sp->tbuflen < npixels) {
-+                      TIFFErrorExt(tif->tif_clientdata, module,
-+                                               "Translation buffer too short");
-+                      return (0);
-+              }
-               (*sp->tfunc)(sp, bp, npixels);
-       }
-       /* compress each byte string */



Home | Main Index | Thread Index | Old Index