Subject: Re: CVS commit: pkgsrc/graphics/tiff
To: None <pkgsrc-changes@NetBSD.org>
From: Takahiro Kambe <taca@back-street.net>
List: pkgsrc-changes
Date: 08/03/2006 18:41:52
In message <20060802154225.A7C5B211CA@cvs.netbsd.org>
on Wed, 2 Aug 2006 15:42:25 +0000 (UTC),
Lubomir Sedlacik <salo@netbsd.org> wrote:
> Module Name: pkgsrc
> Committed By: salo
> Date: Wed Aug 2 15:42:25 UTC 2006
>
> Modified Files:
> pkgsrc/graphics/tiff: Makefile distinfo
> Added Files:
> pkgsrc/graphics/tiff/patches: patch-av patch-aw patch-ax patch-ay
> patch-az patch-ba patch-bb patch-bc
>
> Log Message:
> Security fixes for SA21304:
Hi,
Here is a modified patch-av which should be used with gcc<3.
(Tested on unsupported NetBSD 1.6.2_STABLE...)
--
Takahiro Kambe <taca@back-street.net>
----------------------------------------------------------------
$NetBSD: patch-av,v 1.4.6.1 2006/08/02 17:56:46 ghen Exp $
Security fix for SA21304.
--- libtiff/tif_dir.c.orig Wed Mar 22 01:42:50 2006
+++ libtiff/tif_dir.c
@@ -122,6 +122,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
{
static const char module[] = "_TIFFVSetField";
+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
@@ -193,15 +194,18 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
td->td_fillorder = (uint16) v;
break;
break;
- case TIFFTAG_ORIENTATION:
+ case TIFFTAG_ORIENTATION: {
+ const TIFFFieldInfo* fip;
v = va_arg(ap, uint32);
if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+ fip = _TIFFFieldWithTag(tif, tag);
TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
"Bad value %lu for \"%s\" tag ignored",
- v, _TIFFFieldWithTag(tif, tag)->field_name);
+ v, fip ? fip->field_name : "Unknown");
} else
td->td_orientation = (uint16) v;
break;
+ }
case TIFFTAG_SAMPLESPERPIXEL:
/* XXX should cross check -- e.g. if pallette, then 1 */
v = va_arg(ap, uint32);
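Review bot: The block-local `const TIFFFieldInfo* fip;` in the TIFFTAG_ORIENTATION case shadows the function-level `fip` that the first hunk adds at the top of _TIFFVSetField, and it repeats the lookup through `_TIFFFieldWithTag`. The function-level pointer is already available and is NULL-checked the same way elsewhere in the patch, so the braces, the local and the second lookup could all be dropped, leaving `v, fip ? fip->field_name : "Unknown");`. That still builds with gcc<3, because no declaration appears mid-block, and it avoids a `-Wshadow` warning. The function body starts and ends outside this hunk.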
@@ -387,11 +391,15 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
* happens, for example, when tiffcp is used to convert between
* compression schemes and codec-specific tags are blindly copied.
*/
+ /*
+ * better not dereference fip if it is NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
status = 0;
break;
}
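Review bot: When `fip` is NULL the error text says only `"Unknown"`, so the log no longer identifies which tag was rejected; the same applies to the matching hunk in _TIFFVGetField. That number is what someone triaging a malformed file needs. Consider a separate message for the NULL case that prints the numeric tag, for example `"%s: Invalid %stag %u (not supported by codec)"` with `(unsigned int) tag`. I would also extend the added comment to say why `fip` can be NULL here, presumably because the tag is absent from the field-info table; please confirm. The enclosing switch starts outside the hunk.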
@@ -468,7 +476,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
if (fip->field_type == TIFF_ASCII)
_TIFFsetString((char **)&tv->value, va_arg(ap, char *));
else {
- tv->value = _TIFFmalloc(tv_size * tv->count);
+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
if (!tv->value) {
status = 0;
goto end;
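Review bot: The switch to `_TIFFCheckMalloc` has no comment explaining why the plain `_TIFFmalloc(tv_size * tv->count)` was unsafe, so a later cleanup could revert it. I would add `/* checked allocation: tv_size * tv->count can overflow for a large count */` above the call. The arguments are passed as (`tv_size`, `tv->count`), which appears to be element size first and count second. If the helper's prototype is (count, element size), swapping them would read more naturally, although the product is the same; the prototype is not visible here. The enclosing else-branch continues outside the hunk.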
@@ -563,7 +571,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
}
}
if (status) {
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+ TIFFSetFieldBit(tif, fip->field_bit);
tif->tif_flags |= TIFF_DIRTYDIRECT;
}
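Review bot: `TIFFSetFieldBit(tif, fip->field_bit)` dereferences `fip` with no NULL check, while every other use touched by this patch guards it with `fip ? ... : "Unknown"`. `fip` is now the result of `_TIFFFindFieldInfo` at function entry, and those guards imply it can be NULL. If any switch case can leave `status` non-zero for a tag that has no field-info entry, this line becomes a NULL dereference on tag data that may come from a file. The switch is outside the hunk, so I cannot confirm whether that path is reachable. A guard such as `if (fip) TIFFSetFieldBit(tif, fip->field_bit);`, or setting `status = 0` when `fip` is NULL, would make this consistent with the rest of the change.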
@@ -572,12 +580,12 @@ end:
return (status);
badvalue:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
badvalue32:
TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
}
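Review bot: The format specifiers in both error paths do not match their arguments: `%d` is paired with `v` and `%ld` with `v32`, both declared `uint32` in the first hunk. If `uint32` is `unsigned int` and `long` is 64 bits on the target, `%ld` reads a wider argument than was passed, which is undefined behaviour in a variadic call. The `%lu` used with `v` in the TIFFTAG_ORIENTATION warning has the same problem. These lines predate the patch, but they sit next to the new `fip` guard and are cheap to fix: use `%lu` with `(unsigned long) v32` and `%u` with `(unsigned int) v`. The labels belong to _TIFFVSetField, whose body starts outside this hunk.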
@@ -813,12 +821,16 @@ _TIFFVGetField(TIFF* tif, ttag_t tag, va
* If the client tries to get a tag that is not valid
* for the image's codec then we'll arrive here.
*/
+ /*
+ * dont dereference fip if it's NULL.
+ * -- taviso@google.com 15 Jun 2006
+ */
if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
{
TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
ret_val = 0;
break;
}