diff -u tiff-3.9.2/debian/control tiff-3.9.2/debian/control --- tiff-3.9.2/debian/control +++ tiff-3.9.2/debian/control @@ -1,7 +1,8 @@ Source: tiff Section: libs Priority: optional -Maintainer: Jay Berkenbilt +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Jay Berkenbilt Uploaders: Josip Rodin Build-Depends: cdbs, quilt, debhelper (>= 5), zlib1g-dev, libjpeg62-dev, libxmu-dev, libglu1-mesa-dev, freeglut3-dev, libxi-dev Standards-Version: 3.8.3 diff -u tiff-3.9.2/debian/changelog tiff-3.9.2/debian/changelog --- tiff-3.9.2/debian/changelog +++ tiff-3.9.2/debian/changelog @@ -1,3 +1,210 @@ +tiff (3.9.2-2ubuntu0.16) lucid-security; urgency=medium + + * SECURITY REGRESSION: regression when saving TIFF files with compression + predictor (LP: #1439186) + - debian/patches/CVE-2014-8128-5.patch: disable until proper upstream + fix is available. + + -- Marc Deslauriers Wed, 01 Apr 2015 14:09:19 -0400 + +tiff (3.9.2-2ubuntu0.15) lucid-security; urgency=medium + + * SECURITY UPDATE: Fix multiple security issues + - debian/patches/CVE-2014-81xx-1.patch to CVE-2014-81xx-11.patch + - debian/patches/CVE-2014-8128-5.patch + - debian/patches/CVE-2014-9655-1.patch to CVE-2014-9655-3.patch + - debian/patches/read_overrun.patch + - debian/patches/CVE-2014-8130.patch + - CVE-2014-8127 (partially) + - CVE-2014-8128 + - CVE-2014-8129 + - CVE-2014-8130 + - CVE-2014-9330 + - CVE-2014-9655 + + -- Marc Deslauriers Mon, 30 Mar 2015 09:33:55 -0400 + +tiff (3.9.2-2ubuntu0.14) lucid-security; urgency=medium + + * SECURITY UPDATE: denial of service via buffer overflow in gif2tiff + - debian/patches/CVE-2013-4231.patch: validate datasize in + tools/gif2tiff.c. + - CVE-2013-4231 + * SECURITY UPDATE: denial of service via use-after-free in tiff2pdf + - debian/patches/CVE-2013-4232.patch: properly exit on error in + tools/tiff2pdf.c. + - CVE-2013-4232 + * SECURITY UPDATE: denial of service and possible code execution in + gif2tiff tool + - debian/patches/CVE-2013-4243.patch: check width and height in + tools/gif2tiff.c. + - CVE-2013-4243 + * SECURITY UPDATE: denial of service and possible code execution in + gif2tiff tool LZW decompressor + - debian/patches/CVE-2013-4244.patch: validate code size in + tools/gif2tiff.c. + - CVE-2013-4244 + + -- Marc Deslauriers Mon, 05 May 2014 15:39:39 -0400 + +tiff (3.9.2-2ubuntu0.13) lucid-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via heap + overflow in tp_process_jpeg_strip(). + - debian/patches/CVE-2013-1960.patch: improve tp_process_jpeg_strip() + logic in tools/tiff2pdf.c. + - CVE-2013-1960 + * SECURITY UPDATE: denial of service via stack overflow with malformed + image-length and resolution. + - debian/patches/CVE-2013-1961.patch: replace use of sprintf() with + snprintf() in contrib/dbs/xtiff/xtiff.c, libtiff/tif_codec.c, + libtiff/tif_dirinfo.c, tools/rgb2ycbcr.c, tools/tiff2bw.c, + tools/tiff2pdf.c, tools/tiff2ps.c, tools/tiffcrop.c, + tools/tiffdither.c. + - CVE-2013-1961 + + -- Marc Deslauriers Mon, 13 May 2013 11:29:22 -0400 + +tiff (3.9.2-2ubuntu0.12) lucid-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING, and DOTRANGE tags. + - debian/patches/CVE-2012-5581.patch: remove special cases of tags, + improve DOTRANGE tag case + - CVE-2012-5581 + + -- Seth Arnold Mon, 03 Dec 2012 12:57:33 -0800 + +tiff (3.9.2-2ubuntu0.11) lucid-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + PixarLog compression format + - debian/patches/CVE-2012-4447.patch: fix buffer size in + libtiff/tif_pixarlog.c. + - CVE-2012-4447 + * SECURITY UPDATE: denial of service and possible code execution via + crafted PPM image + - debian/patches/CVE-2012-4564.patch: check scanline_size in + tools/ppm2tiff.c. + - CVE-2012-4564 + + -- Marc Deslauriers Wed, 14 Nov 2012 11:44:34 -0500 + +tiff (3.9.2-2ubuntu0.10) lucid-security; urgency=low + + * SECURITY UPDATE: possible arbitrary code execution via heap overflow + in tiff2pdf. + - debian/patches/CVE-2012-3401.patch: properly set t2p->t2p_error in + tools/tiff2pdf.c. + - CVE-2012-3401 + + -- Marc Deslauriers Mon, 16 Jul 2012 09:59:18 -0400 + +tiff (3.9.2-2ubuntu0.9) lucid-security; urgency=low + + * SECURITY UPDATE: possible arbitrary code execution via buffer overflow + due to type-conversion flaw (LP: #1016324) + - debian/patches/CVE-2012-2088.patch: check for overflows in + libtiff/tif_strip.c and libtiff/tif_tile.c. + - CVE-2012-2088 + * SECURITY UPDATE: possible arbitrary code execution via integer + overflows in tiff2pdf (LP: #1016324) + - debian/patches/CVE-2012-2113.patch: check for overflows in + tools/tiff2pdf.c. + - CVE-2012-2113 + + -- Marc Deslauriers Wed, 04 Jul 2012 11:03:33 -0400 + +tiff (3.9.2-2ubuntu0.8) lucid-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + tiffdump + - debian/patches/CVE-2010-4665.patch: prevent integer overflow in + tools/tiffdump.c. + - CVE-2010-4665 + * SECURITY UPDATE: arbitrary code execution via size overflow + - debian/patches/CVE-2012-1173.patch: use TIFFSafeMultiply in + libtiff/tif_getimage.c, fix TIFFSafeMultiply in libtiff/tiffiop.h. + - CVE-2012-1173 + * debian/patches/CVE-2010-1411.patch: updated to use actual upstream fix + and to get TIFFSafeMultiply macro. + + -- Marc Deslauriers Mon, 02 Apr 2012 11:50:13 -0400 + +tiff (3.9.2-2ubuntu0.7) lucid-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via malformed JPEG + - debian/patches/CVE-2009-5022.patch: check width in + libtiff/tif_ojpeg.c. + - CVE-2009-5022 + + -- Marc Deslauriers Wed, 20 Apr 2011 13:06:34 -0400 + +tiff (3.9.2-2ubuntu0.6) lucid-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via crafted + THUNDER_2BITDELTAS data + - debian/patches/CVE-2011-1167.patch: validate bitspersample and + make sure npixels is sane in libtiff/tif_thunder.c. + - CVE-2011-1167 + + -- Marc Deslauriers Wed, 30 Mar 2011 13:04:49 -0400 + +tiff (3.9.2-2ubuntu0.5) lucid-security; urgency=low + + * debian/patches/CVE-2011-0192.patch: update for regression in + processing of certain CCITTFAX4 files (LP: #731540). + - http://bugzilla.maptools.org/show_bug.cgi?id=2297 + + -- Kees Cook Mon, 14 Mar 2011 10:47:02 -0700 + +tiff (3.9.2-2ubuntu0.4) lucid-security; urgency=low + + * SECURITY UPDATE: denial of service via invalid td_stripbytecount field + (LP: #597246) + - debian/patches/CVE-2010-2482.patch: look for missing strip byte + counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c. + - CVE-2010-2482 + * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite + values + - debian/patches/CVE-2010-2595.patch: validate values in + libtiff/tif_color.c. + - CVE-2010-2595 + * SECURITY UPDATE: denial of service via devide-by-zero (LP: #593067) + - debian/patches/CVE-2010-2597.patch: properly initialize fields in + libtiff/tif_strip.c. + - CVE-2010-2597 + - CVE-2010-2598 + * SECURITY UPDATE: denial of service via out-of-order tags + - debian/patches/CVE-2010-2630.patch: correctly handle order in + libtiff/tif_dirread.c. + - CVE-2010-2630 + * SECURITY UPDATE: denial of service and possible code execution via + heap corruption in JPEGDecodeRaw + - debian/patches/CVE-2010-3087.patch: check for overflows in + libtiff/tif_jpeg.c, libtiff/tif_strip.c. + - CVE-2010-3087 + * SECURITY UPDATE: denial of service and possible code execution via + buffer overflow in Fax4Decode + - debian/patches/CVE-2011-0192.patch: check length in + libtiff/tif_fax3.h. + - CVE-2011-0192 + + -- Marc Deslauriers Thu, 03 Mar 2011 13:42:43 -0500 + +tiff (3.9.2-2ubuntu0.3) lucid-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution and crashes via multiple + integer overflows. Backported upstream fixes: + - debian/patches/CVE-2010-1411.patch + - debian/patches/CVE-2010-2065.patch + - debian/patches/CVE-2010-2067.patch + - debian/patches/fix-64bit-flip.patch + - debian/patches/fix-ycbcr-oob-read.patch + - debian/patches/fix-unknown-tags.patch + + -- Kees Cook Thu, 17 Jun 2010 10:55:00 -0700 + tiff (3.9.2-2) unstable; urgency=low * Include patch from upstream to fix problems with TIFFReadScanline() diff -u tiff-3.9.2/debian/patches/series tiff-3.9.2/debian/patches/series --- tiff-3.9.2/debian/patches/series +++ tiff-3.9.2/debian/patches/series @@ -4,0 +5,45 @@ +CVE-2010-2065.patch +CVE-2010-2067.patch +CVE-2010-1411.patch +fix-64bit-flip.patch +fix-ycbcr-oob-read.patch +fix-unknown-tags.patch +CVE-2010-2482.patch +CVE-2010-2595.patch +CVE-2010-2597.patch +CVE-2010-2630.patch +CVE-2010-3087.patch +CVE-2011-0192.patch +CVE-2011-1167.patch +CVE-2009-5022.patch +CVE-2010-4665.patch +CVE-2012-1173.patch +CVE-2012-2088.patch +CVE-2012-2113.patch +CVE-2012-3401.patch +CVE-2012-4447.patch +CVE-2012-4564.patch +CVE-2012-5581.patch +CVE-2013-1960.patch +CVE-2013-1961.patch +CVE-2013-4231.patch +CVE-2013-4232.patch +CVE-2013-4244.patch +CVE-2013-4243.patch +CVE-2014-81xx-1.patch +CVE-2014-81xx-2.patch +CVE-2014-81xx-3.patch +CVE-2014-81xx-4.patch +CVE-2014-81xx-5.patch +CVE-2014-81xx-6.patch +CVE-2014-81xx-7.patch +CVE-2014-81xx-8.patch +CVE-2014-81xx-9.patch +CVE-2014-81xx-10.patch +CVE-2014-81xx-11.patch +CVE-2014-9655-1.patch +CVE-2014-9655-2.patch +CVE-2014-9655-3.patch +#CVE-2014-8128-5.patch +read_overrun.patch +CVE-2014-8130.patch only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/fix-ycbcr-oob-read.patch +++ tiff-3.9.2/debian/patches/fix-ycbcr-oob-read.patch @@ -0,0 +1,18 @@ +Description: fix crash on OOB reads in putcontig8bitYCbCr11tile +Bug-Ubuntu: https://bugs.launchpad.net/bugs/591605 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=603081 +Origin: https://bugzilla.redhat.com/attachment.cgi?id=423329 + +Index: tiff-3.9.2/libtiff/tif_getimage.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2010-06-16 10:47:29.147649657 -0700 ++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-16 10:48:06.103986457 -0700 +@@ -2399,7 +2399,7 @@ + } + break; + case PHOTOMETRIC_YCBCR: +- if (img->bitspersample == 8) ++ if ((img->bitspersample==8) && (img->samplesperpixel==3)) + { + if (initYCbCrConversion(img)!=0) + { only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-2.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-2.patch @@ -0,0 +1,100 @@ +Backport of: + +From a42c3be7780cc90beef9ffd14255059baef7413a Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 16:28:37 +0000 +Subject: [PATCH] * tools/tiffcp.c: fix crash when converting YCbCr + JPEG-compressed to none. Based on patch by Tomasz Buchert + (http://bugzilla.maptools.org/show_bug.cgi?id=2480) Description: fix for + Debian bug #741451 tiffcp crashes when converting JPEG-encoded TIFF to a + different encoding (like none or lzw). For example this will probably fail: + tiffcp -c none jpeg_encoded_file.tif output.tif The reason is that when the + input file contains JPEG data, the tiffcp code forces conversion to RGB + space. However, the output normally inherits YCbCr subsampling parameters + from the input, which leads to a smaller working buffer than necessary. The + buffer is subsequently overrun inside cpStripToTile() (called from + writeBufferToContigTiles). Note that the resulting TIFF file would be + scrambled even if tiffcp wouldn't crash, since the output file would contain + RGB data intepreted as subsampled YCbCr values. This patch fixes the problem + by forcing RGB space on the output TIF if the input is JPEG-encoded and + output is *not* JPEG-encoded. Author: Tomasz Buchert + + +--- + ChangeLog | 21 +++++++++++++++++++++ + tools/tiffcp.c | 6 ++++++ + 2 files changed, 27 insertions(+) + +Index: tiff-3.9.2/tools/tiffcp.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiffcp.c 2015-03-30 09:36:56.238660500 -0400 ++++ tiff-3.9.2/tools/tiffcp.c 2015-03-30 09:46:35.396789554 -0400 +@@ -547,6 +547,7 @@ + tiffcp(TIFF* in, TIFF* out) + { + uint16 bitspersample, samplesperpixel; ++ uint16 input_compression, input_photometric; + copyFunc cf; + uint32 width, length; + struct cpTag* p; +@@ -559,31 +560,41 @@ + TIFFSetField(out, TIFFTAG_COMPRESSION, compression); + else + CopyField(TIFFTAG_COMPRESSION, compression); +- if (compression == COMPRESSION_JPEG) { +- uint16 input_compression, input_photometric; ++ TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); ++ TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); ++ if (input_compression == COMPRESSION_JPEG) { ++ /* Force conversion to RGB */ ++ TIFFSetField(in, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB); ++ } else if (input_photometric == PHOTOMETRIC_YCBCR) { ++ /* Otherwise, can't handle subsampled input */ ++ uint16 subsamplinghor,subsamplingver; + +- if (TIFFGetField(in, TIFFTAG_COMPRESSION, &input_compression) +- && input_compression == COMPRESSION_JPEG) { +- TIFFSetField(in, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB); +- } +- if (TIFFGetField(in, TIFFTAG_PHOTOMETRIC, &input_photometric)) { +- if(input_photometric == PHOTOMETRIC_RGB) { +- if (jpegcolormode == JPEGCOLORMODE_RGB) +- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, +- PHOTOMETRIC_YCBCR); +- else +- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, +- PHOTOMETRIC_RGB); +- } else +- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, +- input_photometric); +- } +- } ++ TIFFGetFieldDefaulted(in, TIFFTAG_YCBCRSUBSAMPLING, ++ &subsamplinghor, &subsamplingver); ++ if (subsamplinghor!=1 || subsamplingver!=1) { ++ fprintf(stderr, "tiffcp: %s: Can't copy/convert subsampled image.\n", ++ TIFFFileName(in)); ++ return FALSE; ++ } ++ } ++ if (compression == COMPRESSION_JPEG) { ++ if (input_photometric == PHOTOMETRIC_RGB && ++ jpegcolormode == JPEGCOLORMODE_RGB) ++ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_YCBCR); ++ else ++ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, input_photometric); ++ } + else if (compression == COMPRESSION_SGILOG + || compression == COMPRESSION_SGILOG24) + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, + samplesperpixel == 1 ? + PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV); ++ else if (input_compression == COMPRESSION_JPEG && ++ samplesperpixel == 3 ) { ++ /* RGB conversion was forced above ++ hence the output will be of the same type */ ++ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB); ++ } + else + CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT); + if (fillorder != 0) only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/read_overrun.patch +++ tiff-3.9.2/debian/patches/read_overrun.patch @@ -0,0 +1,68 @@ +From 5ef99cbffd5d5042fbd11f5e36d1b602e58c578d Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 7 Dec 2014 22:33:06 +0000 +Subject: [PATCH] tools/thumbnail.c, tools/tiffcrop.c: fix heap read over-run + found with Valgrind and Address Sanitizer on test suite + +--- + ChangeLog | 5 +++++ + tools/thumbnail.c | 7 ++++++- + tools/tiffcrop.c | 9 +++++++-- + 3 files changed, 18 insertions(+), 3 deletions(-) + +Index: tiff-3.9.2/tools/thumbnail.c +=================================================================== +--- tiff-3.9.2.orig/tools/thumbnail.c 2015-03-30 09:32:56.093604223 -0400 ++++ tiff-3.9.2/tools/thumbnail.c 2015-03-30 09:32:56.089604185 -0400 +@@ -590,12 +590,17 @@ + rowsize = TIFFScanlineSize(in); + rastersize = sh * rowsize; + fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize); +- raster = (unsigned char*)_TIFFmalloc(rastersize); ++ /* +3 : add a few guard bytes since setrow() can read a bit */ ++ /* outside buffer */ ++ raster = (unsigned char*)_TIFFmalloc(rastersize+3); + if (!raster) { + TIFFError(TIFFFileName(in), + "Can't allocate space for raster buffer."); + return 0; + } ++ raster[rastersize] = 0; ++ raster[rastersize+1] = 0; ++ raster[rastersize+2] = 0; + rp = raster; + for (s = 0; s < ns; s++) { + (void) TIFFReadEncodedStrip(in, s, rp, -1); +Index: tiff-3.9.2/tools/tiffcrop.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiffcrop.c 2015-03-30 09:32:56.093604223 -0400 ++++ tiff-3.9.2/tools/tiffcrop.c 2015-03-30 09:32:56.089604185 -0400 +@@ -5809,8 +5809,10 @@ + } + + read_buff = *read_ptr; ++ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ ++ /* outside buffer */ + if (!read_buff) +- read_buff = (unsigned char *)_TIFFmalloc(buffsize); ++ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); + else + { + if (prev_readsize < buffsize) +@@ -5819,12 +5821,15 @@ + if (!new_buff) + { + free (read_buff); +- read_buff = (unsigned char *)_TIFFmalloc(buffsize); ++ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); + } + else + read_buff = new_buff; + } + } ++ read_buff[buffsize] = 0; ++ read_buff[buffsize+1] = 0; ++ read_buff[buffsize+2] = 0; + + if (!read_buff) + { only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/fix-64bit-flip.patch +++ tiff-3.9.2/debian/patches/fix-64bit-flip.patch @@ -0,0 +1,46 @@ +Description: fixes a crash when flipping an image with invalid skew. +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2207 +Origin: http://bugzilla.maptools.org/attachment.cgi?id=386 + +Index: tiff-3.9.2/libtiff/tif_getimage.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2010-06-14 12:30:53.384165703 -0700 ++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-14 12:31:04.934165987 -0700 +@@ -1846,6 +1846,7 @@ + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32* cp2; ++ int32 incr = 2*toskew+w; + (void) y; + fromskew = (fromskew / 2) * 6; + cp2 = cp+w+toskew; +@@ -1872,8 +1873,8 @@ + cp2 ++ ; + pp += 6; + } +- cp += toskew*2+w; +- cp2 += toskew*2+w; ++ cp += incr; ++ cp2 += incr; + pp += fromskew; + h-=2; + } +@@ -1939,6 +1940,7 @@ + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32* cp2; ++ int32 incr = 2*toskew+w; + (void) y; + fromskew = (fromskew / 2) * 4; + cp2 = cp+w+toskew; +@@ -1953,8 +1955,8 @@ + cp2 ++; + pp += 4; + } while (--x); +- cp += toskew*2+w; +- cp2 += toskew*2+w; ++ cp += incr; ++ cp2 += incr; + pp += fromskew; + h-=2; + } only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2012-3401.patch +++ tiff-3.9.2/debian/patches/CVE-2012-3401.patch @@ -0,0 +1,16 @@ +Description: fix possible arbitrary code execution via heap overflow + in tiff2pdf. +Origin: Patch thanks to Huzaifa Sidhpurwala + +Index: tiff-3.9.4/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.4.orig/tools/tiff2pdf.c 2012-07-16 09:44:41.000000000 -0400 ++++ tiff-3.9.4/tools/tiff2pdf.c 2012-07-16 09:50:48.740976594 -0400 +@@ -1119,6 +1119,7 @@ + "Can't set directory %u of input file %s", + i, + TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-4.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-4.patch @@ -0,0 +1,45 @@ +Backport of: + +From cd82b5267ad4c10eb91e4ee8a716a81362cf851c Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 18:07:48 +0000 +Subject: [PATCH] * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) + +--- + ChangeLog | 5 +++++ + libtiff/tif_next.c | 17 +++++++++++++++++ + 2 files changed, 22 insertions(+) + +Index: tiff-3.9.5/libtiff/tif_next.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_next.c 2015-03-30 07:45:28.028217757 -0400 ++++ tiff-3.9.5/libtiff/tif_next.c 2015-03-30 07:46:15.784634743 -0400 +@@ -135,10 +135,27 @@ + return (0); + } + ++static int ++NeXTPreDecode(TIFF* tif, uint16 s) ++{ ++ static const char module[] = "NeXTPreDecode"; ++ TIFFDirectory *td = &tif->tif_dir; ++ (void)s; ++ ++ if( td->td_bitspersample != 2 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", ++ td->td_bitspersample); ++ return (0); ++ } ++ return (1); ++} ++ + int + TIFFInitNeXT(TIFF* tif, int scheme) + { + (void) scheme; ++ tif->tif_predecode = NeXTPreDecode; + tif->tif_decoderow = NeXTDecode; + tif->tif_decodestrip = NeXTDecode; + tif->tif_decodetile = NeXTDecode; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2009-5022.patch +++ tiff-3.9.2/debian/patches/CVE-2009-5022.patch @@ -0,0 +1,27 @@ +Description: fix arbitrary code execution via malformed JPEG +Origin: upstream, extracted from 3.9.5 tarball +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=1999 + +diff -Nur tiff-3.9.2/libtiff/tif_ojpeg.c tiff-3.9.2.new/libtiff/tif_ojpeg.c +--- tiff-3.9.2/libtiff/tif_ojpeg.c 2011-04-20 13:06:13.135292450 -0400 ++++ tiff-3.9.2.new/libtiff/tif_ojpeg.c 2011-04-20 13:06:28.295292447 -0400 +@@ -1537,7 +1537,6 @@ + OJPEGReadSkip(sp,4); + else + { +- /* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */ + /* Y: Number of lines */ + if (OJPEGReadWord(sp,&p)==0) + return(0); +@@ -1555,6 +1554,11 @@ + TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width"); + return(0); + } ++ if ((uint32)p>sp->strile_width) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width"); ++ return(0); ++ } + sp->sof_x=p; + } + /* Nf: Number of image components in frame */ only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2013-4244.patch +++ tiff-3.9.2/debian/patches/CVE-2013-4244.patch @@ -0,0 +1,20 @@ +Description: fix denial of service and possible code execution in + gif2tiff tool LZW decompressor +Origin: upstream, cvs diff -u -r 1.13 -r 1.14 tools/gif2tiff.c +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4244 + +Index: tiff-3.9.5/tools/gif2tiff.c +=================================================================== +--- tiff-3.9.5.orig/tools/gif2tiff.c 2014-05-05 15:37:55.412706278 -0400 ++++ tiff-3.9.5/tools/gif2tiff.c 2014-05-05 15:37:55.412706278 -0400 +@@ -396,6 +396,10 @@ + } + + if (oldcode == -1) { ++ if (code >= clear) { ++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-9655-3.patch +++ tiff-3.9.2/debian/patches/CVE-2014-9655-3.patch @@ -0,0 +1,44 @@ +Backport of: + +From feed76c99f132f02a938de3b566442bff61388ef Mon Sep 17 00:00:00 2001 +From: erouault +Date: Mon, 29 Dec 2014 18:28:46 +0000 +Subject: [PATCH] * libtiff/tif_getimage.c: move test on vertical value of + YCbCr subsampling. to avoid buffer leak (fix previous fix, found by Coverity + scan) + +--- + ChangeLog | 5 +++-- + libtiff/tif_getimage.c | 12 +++++++----- + 2 files changed, 10 insertions(+), 7 deletions(-) + +Index: tiff-3.9.5/libtiff/tif_getimage.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_getimage.c 2015-03-30 08:01:27.936586534 -0400 ++++ tiff-3.9.5/libtiff/tif_getimage.c 2015-03-30 08:02:04.644905539 -0400 +@@ -820,6 +820,12 @@ + int32 fromskew, toskew; + int ret = 1, flip; + ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); ++ if( subsamplingver == 0 ) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); ++ return (0); ++ } ++ + buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif)); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); +@@ -837,11 +843,7 @@ + } + + TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); +- TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); +- if( subsamplingver == 0 ) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); +- return (0); +- } ++ + scanline = TIFFNewScanlineSize(tif); + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-1.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-1.patch @@ -0,0 +1,239 @@ +Backport of: + +From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 15:15:31 +0000 +Subject: [PATCH] Fix various crasher bugs on fuzzed images. * + libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for + TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing + the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read + ColorMap or TransferFunction if BitsPerSample has not yet been read, + otherwise reading it later will cause user code to crash if BitsPerSample > 1 + * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with + SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample + != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images + instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int + overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to + invalid tile count (should likely be checked by libtiff too). Detect invalid + settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * + tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * + tools/tiffdump.c: fix crash due to overflow of entry count. + +--- + ChangeLog | 19 +++++++++++++++++++ + libtiff/tif_dir.c | 21 +++++++++++++++++++-- + libtiff/tif_dirread.c | 17 +++++++++++++++++ + libtiff/tif_getimage.c | 15 +++++++++++++++ + libtiff/tif_next.c | 2 ++ + tools/bmp2tiff.c | 15 +++++++++++++++ + tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++ + tools/tiffcrop.c | 7 ++++--- + tools/tiffdump.c | 9 ++++++--- + 9 files changed, 138 insertions(+), 8 deletions(-) + +Index: tiff-3.9.2/libtiff/tif_dir.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_dir.c 2015-03-30 09:31:31.968766924 -0400 ++++ tiff-3.9.2/libtiff/tif_dir.c 2015-03-30 09:31:31.960766842 -0400 +@@ -141,6 +141,7 @@ + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; ++ double dblval; + char* s; + + switch (tag) { +@@ -245,10 +246,16 @@ + td->td_smaxsamplevalue = va_arg(ap, double); + break; + case TIFFTAG_XRESOLUTION: +- td->td_xresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_xresolution = (float) dblval; + break; + case TIFFTAG_YRESOLUTION: +- td->td_yresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_yresolution = (float) dblval; + break; + case TIFFTAG_PLANARCONFIG: + v = va_arg(ap, uint32); +@@ -594,6 +601,16 @@ + _TIFFFieldWithTag(tif, tag)->field_name); + va_end(ap); + return (0); ++badvaluedouble: ++ { ++ const TIFFFieldInfo* fip=TIFFFieldWithTag(tif,tag); ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Bad value %f for \"%s\" tag", ++ tif->tif_name, dblval, ++ fip ? fip->field_name : "Unknown"); ++ va_end(ap); ++ } ++ return (0); + } + + /* +Index: tiff-3.9.2/libtiff/tif_getimage.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2015-03-30 09:31:31.968766924 -0400 ++++ tiff-3.9.2/libtiff/tif_getimage.c 2015-03-30 09:31:31.960766842 -0400 +@@ -178,8 +178,23 @@ + "Planarconfiguration", td->td_planarconfig); + return (0); + } ++ if( td->td_samplesperpixel != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d", ++ "Samples/pixel", td->td_samplesperpixel); ++ return 0; ++ } + break; + case PHOTOMETRIC_CIELAB: ++ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d and %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "Bits/sample", td->td_bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +Index: tiff-3.9.2/libtiff/tif_next.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_next.c 2015-03-30 09:31:31.968766924 -0400 ++++ tiff-3.9.2/libtiff/tif_next.c 2015-03-30 09:31:31.964766883 -0400 +@@ -96,6 +96,8 @@ + default: { + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; ++ if( isTiled(tif) ) ++ imagewidth = tif->tif_dir.td_tilewidth; + + /* + * The scanline is composed of a sequence of constant +Index: tiff-3.9.2/tools/bmp2tiff.c +=================================================================== +--- tiff-3.9.2.orig/tools/bmp2tiff.c 2015-03-30 09:31:31.968766924 -0400 ++++ tiff-3.9.2/tools/bmp2tiff.c 2015-03-30 09:31:31.964766883 -0400 +@@ -399,6 +399,13 @@ + + width = info_hdr.iWidth; + length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; ++ if( width <= 0 || length <= 0 ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + + switch (info_hdr.iBitCount) + { +@@ -589,6 +596,14 @@ + + compr_size = file_hdr.iSize - file_hdr.iOffBits; + uncompr_size = width * length; ++ /* Detect int overflow */ ++ if( uncompr_size / width != length ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, +Index: tiff-3.9.2/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiff2pdf.c 2015-03-30 09:31:31.968766924 -0400 ++++ tiff-3.9.2/tools/tiff2pdf.c 2015-03-30 09:31:31.964766883 -0400 +@@ -1218,6 +1218,15 @@ + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ + TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid tile count, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tilecount/= xuint16; + } + if( t2p->tiff_tiles[i].tiles_tilecount > 0){ +@@ -1598,6 +1607,22 @@ + #endif + break; + case PHOTOMETRIC_CIELAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for CIELAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for CIELAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]= -127; + t2p->pdf_labrange[1]= 127; + t2p->pdf_labrange[2]= -127; +@@ -1613,6 +1638,22 @@ + t2p->pdf_colorspace=T2P_CS_LAB; + break; + case PHOTOMETRIC_ITULAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for ITULAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for ITULAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]=-85; + t2p->pdf_labrange[1]=85; + t2p->pdf_labrange[2]=-75; +Index: tiff-3.9.2/tools/tiffcrop.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiffcrop.c 2015-03-30 09:31:31.968766924 -0400 ++++ tiff-3.9.2/tools/tiffcrop.c 2015-03-30 09:31:31.968766924 -0400 +@@ -1189,9 +1189,10 @@ + tsize_t tilesize = TIFFTileSize(out); + unsigned char *tilebuf = NULL; + +- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); +- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); +- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || ++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || ++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) ++ return 1; + + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-9655-1.patch +++ tiff-3.9.2/debian/patches/CVE-2014-9655-1.patch @@ -0,0 +1,28 @@ +Backport of: + +From 24a2eee78bb057acb2c3992acd002654c1747718 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Wed, 24 Dec 2014 16:57:18 +0000 +Subject: [PATCH] * libtiff/tif_getimage.c: avoid divide by zero on invalid + YCbCr subsampling. http://bugzilla.maptools.org/show_bug.cgi?id=2235 + +--- + ChangeLog | 5 +++++ + libtiff/tif_getimage.c | 4 ++++ + 2 files changed, 9 insertions(+) + +Index: tiff-3.9.5/libtiff/tif_getimage.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_getimage.c 2015-03-30 07:58:33.415068605 -0400 ++++ tiff-3.9.5/libtiff/tif_getimage.c 2015-03-30 07:59:31.335573111 -0400 +@@ -838,6 +838,10 @@ + + TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); + TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); ++ if( subsamplingver == 0 ) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); ++ return (0); ++ } + scanline = TIFFNewScanlineSize(tif); + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2013-4243.patch +++ tiff-3.9.2/debian/patches/CVE-2013-4243.patch @@ -0,0 +1,43 @@ +Description: fix denial of service and possible code execution in gif2tiff tool +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2451 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742917 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4243 +Origin: other, http://bugzilla.maptools.org/show_bug.cgi?id=2451#c10 + +Index: tiff-3.9.5/tools/gif2tiff.c +=================================================================== +--- tiff-3.9.5.orig/tools/gif2tiff.c 2014-05-05 15:38:06.724706461 -0400 ++++ tiff-3.9.5/tools/gif2tiff.c 2014-05-05 15:38:06.720706461 -0400 +@@ -276,6 +276,10 @@ + fprintf(stderr, "no colormap present for image\n"); + return (0); + } ++ if (width == 0 || height == 0) { ++ fprintf(stderr, "Invalid value of width or height\n"); ++ return(0); ++ } + if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { + fprintf(stderr, "not enough memory for image\n"); + return (0); +@@ -400,6 +404,10 @@ + fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); + return 0; + } ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; +@@ -430,6 +438,10 @@ + } + oldcode = incode; + do { ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } + *(*fill)++ = *--stackp; + } while (stackp > stack); + return 1; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-8130.patch +++ tiff-3.9.2/debian/patches/CVE-2014-8130.patch @@ -0,0 +1,28 @@ +From 3c5eb8b1be544e41d2c336191bc4936300ad7543 Mon Sep 17 00:00:00 2001 +From: bfriesen +Date: Sun, 18 Nov 2012 17:51:52 +0000 +Subject: [PATCH] * libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does + not require malloc() to return NULL pointer if requested allocation size is + zero. Assure that _TIFFmalloc does. + +--- + ChangeLog | 6 ++++++ + libtiff/tif_unix.c | 3 +++ + libtiff/tif_vms.c | 3 +++ + libtiff/tif_win32.c | 3 +++ + 4 files changed, 15 insertions(+) + +Index: tiff-3.9.5/libtiff/tif_unix.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_unix.c 2015-03-30 08:10:36.153348726 -0400 ++++ tiff-3.9.5/libtiff/tif_unix.c 2015-03-30 08:10:36.149348691 -0400 +@@ -238,6 +238,9 @@ + void* + _TIFFmalloc(tsize_t s) + { ++ if (s == 0) ++ return ((void *) NULL); ++ + return (malloc((size_t) s)); + } + only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-3.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-3.patch @@ -0,0 +1,32 @@ +From 266bc48054b018a2f1d74562aa48eb2f509436d5 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 17:36:36 +0000 +Subject: [PATCH] * tools/tiff2pdf.c: check return code of TIFFGetField() when + reading TIFFTAG_SAMPLESPERPIXEL + +--- + ChangeLog | 5 +++++ + tools/tiff2pdf.c | 10 +++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +Index: tiff-3.9.2/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiff2pdf.c 2015-03-30 09:31:44.280891197 -0400 ++++ tiff-3.9.2/tools/tiff2pdf.c 2015-03-30 09:31:44.276891156 -0400 +@@ -1217,7 +1217,15 @@ + t2p->tiff_pages[i].page_tilecount; + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ +- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Missing SamplesPerPixel, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) + { + TIFFError( only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-7.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-7.patch @@ -0,0 +1,40 @@ +From 3996fa0f84f4a8b7e65fe4b8f0681711022034ea Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 20:04:31 +0000 +Subject: [PATCH] * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling + TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not + worth the burden for those esoteric utilities. + http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) + +--- + ChangeLog | 7 +++++++ + tools/pal2rgb.c | 2 +- + tools/thumbnail.c | 2 +- + 3 files changed, 9 insertions(+), 2 deletions(-) + +Index: tiff-3.9.5/tools/pal2rgb.c +=================================================================== +--- tiff-3.9.5.orig/tools/pal2rgb.c 2015-03-30 07:47:16.877168091 -0400 ++++ tiff-3.9.5/tools/pal2rgb.c 2015-03-30 07:47:16.877168091 -0400 +@@ -368,7 +368,7 @@ + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +Index: tiff-3.9.5/tools/thumbnail.c +=================================================================== +--- tiff-3.9.5.orig/tools/thumbnail.c 2015-03-30 07:47:16.877168091 -0400 ++++ tiff-3.9.5/tools/thumbnail.c 2015-03-30 07:47:16.877168091 -0400 +@@ -237,7 +237,7 @@ + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-8128-5.patch +++ tiff-3.9.2/debian/patches/CVE-2014-8128-5.patch @@ -0,0 +1,21 @@ +Backport of: + +Description: fix out-of-bounds write in thumbnail and tiffcmp tools +Author: Petr Gajdos (pgajdos@suse.cz) +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2499 + +Index: tiff-3.9.5/libtiff/tif_dirinfo.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_dirinfo.c 2015-03-30 08:03:24.213596945 -0400 ++++ tiff-3.9.5/libtiff/tif_dirinfo.c 2015-03-30 08:07:16.423614207 -0400 +@@ -270,6 +270,10 @@ + 0, 0, "StoNits" }, + { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_LONG, FIELD_CUSTOM, + 0, 0, "InteroperabilityIFDOffset" }, ++ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, FIELD_CUSTOM, ++ 1, 0, "ConsecutiveBadFaxLines" }, ++ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, FIELD_CUSTOM, ++ 0, 0, "Predictor" }, + /* begin DNG tags */ + { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, FIELD_CUSTOM, + 0, 0, "DNGVersion" }, only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-5.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-5.patch @@ -0,0 +1,81 @@ +From 8b6e80fca434525497e5a31c3309a3bab5b3c1c8 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 18:52:42 +0000 +Subject: [PATCH] * tools/thumbnail.c, tools/tiffcmp.c: only read/write + TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is + COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 + http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) + +--- + ChangeLog | 7 +++++++ + tools/thumbnail.c | 21 ++++++++++++++++++++- + tools/tiffcmp.c | 17 +++++++++++++++-- + 3 files changed, 42 insertions(+), 3 deletions(-) + +Index: tiff-3.9.5/tools/thumbnail.c +=================================================================== +--- tiff-3.9.5.orig/tools/thumbnail.c 2015-03-30 07:47:00.561025658 -0400 ++++ tiff-3.9.5/tools/thumbnail.c 2015-03-30 07:47:00.561025658 -0400 +@@ -254,7 +254,26 @@ + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */ ++ /* if we request a tag that is defined in a codec, but that codec */ ++ /* isn't used */ ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + +Index: tiff-3.9.5/tools/tiffcmp.c +=================================================================== +--- tiff-3.9.5.orig/tools/tiffcmp.c 2015-03-30 07:47:00.561025658 -0400 ++++ tiff-3.9.5/tools/tiffcmp.c 2015-03-30 07:47:00.561025658 -0400 +@@ -256,6 +256,7 @@ + static int + cmptags(TIFF* tif1, TIFF* tif2) + { ++ uint16 compression1, compression2; + CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType"); + CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth"); + CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength"); +@@ -272,8 +273,20 @@ + CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat"); + CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution"); + CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution"); +- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); +- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX3 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX3 ) ++ { ++ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); ++ } ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX4 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX4 ) ++ { ++ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ } + CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit"); + CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration"); + CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip"); only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-1411.patch +++ tiff-3.9.2/debian/patches/CVE-2010-1411.patch @@ -0,0 +1,75 @@ +Description: fix integer overflows, introduce TIFFSafeMultiply +Origin: backported from libtiff 3.9.4 + +Index: tiff-3.9.2/libtiff/tif_fax3.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_fax3.c 2012-04-02 11:50:08.494094517 -0400 ++++ tiff-3.9.2/libtiff/tif_fax3.c 2012-04-02 13:22:37.794041593 -0400 +@@ -493,10 +493,27 @@ + td->td_compression == COMPRESSION_CCITTFAX4 + ); + +- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels; +- nruns += 3; +- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns, sizeof (uint32), +- "for Group 3/4 run arrays"); ++ /* ++ Assure that allocation computations do not overflow. ++ ++ TIFFroundup and TIFFSafeMultiply return zero on integer overflow ++ */ ++ dsp->runs=(uint32*) NULL; ++ nruns = TIFFroundup(rowpixels,32); ++ if (needsRefLine) { ++ nruns = TIFFSafeMultiply(uint32,nruns,2); ++ } ++ if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "Row pixels integer overflow (rowpixels %u)", ++ rowpixels); ++ return (0); ++ } ++ dsp->runs = (uint32*) _TIFFCheckMalloc(tif, ++ TIFFSafeMultiply(uint32,nruns,2), ++ sizeof (uint32), ++ "for Group 3/4 run arrays"); ++ + if (dsp->runs == NULL) + return (0); + dsp->curruns = dsp->runs; +Index: tiff-3.9.2/libtiff/tiffiop.h +=================================================================== +--- tiff-3.9.2.orig/libtiff/tiffiop.h 2012-04-02 11:50:08.478094517 -0400 ++++ tiff-3.9.2/libtiff/tiffiop.h 2012-04-02 13:22:37.794041593 -0400 +@@ -236,10 +236,15 @@ + #endif + + /* NB: the uint32 casts are to silence certain ANSI-C compilers */ +-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) ++#define TIFFhowmany(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ ++ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ ++ 0U) + #define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + ++/* Safe multiply which returns zero if there is an integer overflow */ ++#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++ + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) + +Index: tiff-3.9.2/tools/tiffcrop.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiffcrop.c 2009-11-03 10:24:12.000000000 -0500 ++++ tiff-3.9.2/tools/tiffcrop.c 2012-04-02 13:23:03.766041347 -0400 +@@ -149,10 +149,6 @@ + #endif + #define strneq(a,b,n) (strncmp((a),(b),(n)) == 0) + +-/* NB: the uint32 casts are to silence certain ANSI-C compilers */ +-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) +-#define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) +- + #define TRUE 1 + #define FALSE 0 + only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-9655-2.patch +++ tiff-3.9.2/debian/patches/CVE-2014-9655-2.patch @@ -0,0 +1,88 @@ +Backport of: + +From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Mon, 29 Dec 2014 12:09:11 +0000 +Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't + read outside of the compressed input stream buffer. + +* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height +--- + ChangeLog | 9 +++++++++ + libtiff/tif_getimage.c | 12 +++++++----- + libtiff/tif_next.c | 4 +++- + 3 files changed, 19 insertions(+), 6 deletions(-) + +Index: tiff-3.9.5/libtiff/tif_getimage.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_getimage.c 2015-03-30 08:00:11.795924791 -0400 ++++ tiff-3.9.5/libtiff/tif_getimage.c 2015-03-30 08:00:11.791924755 -0400 +@@ -1759,7 +1759,7 @@ + + (void) y; + fromskew = (fromskew * 10) / 4; +- if ((h & 3) == 0 && (w & 1) == 0) { ++ if ((w & 3) == 0 && (h & 1) == 0) { + for (; h >= 2; h -= 2) { + x = w>>2; + do { +@@ -1836,7 +1836,7 @@ + /* XXX adjust fromskew */ + do { + x = w>>2; +- do { ++ while(x>0) { + int32 Cb = pp[4]; + int32 Cr = pp[5]; + +@@ -1847,7 +1847,8 @@ + + cp += 4; + pp += 6; +- } while (--x); ++ x--; ++ } + + if( (w&3) != 0 ) + { +@@ -1938,7 +1939,7 @@ + fromskew = (fromskew * 4) / 2; + do { + x = w>>1; +- do { ++ while(x>0) { + int32 Cb = pp[2]; + int32 Cr = pp[3]; + +@@ -1947,7 +1948,8 @@ + + cp += 2; + pp += 4; +- } while (--x); ++ x --; ++ } + + if( (w&1) != 0 ) + { +Index: tiff-3.9.5/libtiff/tif_next.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_next.c 2015-03-30 08:00:11.795924791 -0400 ++++ tiff-3.9.5/libtiff/tif_next.c 2015-03-30 08:00:52.444278078 -0400 +@@ -65,7 +65,7 @@ + bp = (unsigned char *)tif->tif_rawcp; + cc = tif->tif_rawcc; + scanline = tif->tif_scanlinesize; +- for (row = buf; occ > 0; occ -= scanline, row += scanline) { ++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { + n = *bp++, cc--; + switch (n) { + case LITERALROW: +@@ -84,6 +84,8 @@ + * The scanline has a literal span that begins at some + * offset. + */ ++ if( cc < 4 ) ++ goto bad; + off = (bp[0] * 256) + bp[1]; + n = (bp[2] * 256) + bp[3]; + if (cc < 4+n || off+n > scanline) only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2012-4447.patch +++ tiff-3.9.2/debian/patches/CVE-2012-4447.patch @@ -0,0 +1,17 @@ +Description: fix denial of service and possible code execution via + PixarLog compression format +Origin: upstream, tif_pixarlog.c,v 1.37, tif_pixarlog.c,v 1.38 + +Index: tiff-3.9.5/libtiff/tif_pixarlog.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400 ++++ tiff-3.9.5/libtiff/tif_pixarlog.c 2012-11-14 11:28:44.947853589 -0500 +@@ -663,7 +663,7 @@ + td->td_rowsperstrip), sizeof(uint16)); + if (tbuf_size == 0) + return (0); +- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); ++ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); + if (sp->tbuf == NULL) + return (0); + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2013-4232.patch +++ tiff-3.9.2/debian/patches/CVE-2013-4232.patch @@ -0,0 +1,20 @@ +Description: fix denial of service via use-after-free in tiff2pdf +Origin: upstream, cvs diff -u -r 1.71 -r 1.72 tools/tiff2pdf.c +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719303 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4232 + +Index: tiff-3.9.2/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiff2pdf.c 2014-05-05 15:38:58.856707306 -0400 ++++ tiff-3.9.2/tools/tiff2pdf.c 2014-05-05 15:38:58.852707306 -0400 +@@ -2514,7 +2514,8 @@ + t2p->tiff_datasize, + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; +- _TIFFfree(buffer); ++ _TIFFfree(buffer); ++ return(0); + } else { + buffer=samplebuffer; + t2p->tiff_datasize *= t2p->tiff_samplesperpixel; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-6.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-6.patch @@ -0,0 +1,30 @@ +From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 19:53:59 +0000 +Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write + http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) + +--- + ChangeLog | 5 +++++ + tools/thumbnail.c | 8 +++++++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +Index: tiff-3.9.5/tools/thumbnail.c +=================================================================== +--- tiff-3.9.5.orig/tools/thumbnail.c 2015-03-30 07:47:09.929107438 -0400 ++++ tiff-3.9.5/tools/thumbnail.c 2015-03-30 07:47:09.929107438 -0400 +@@ -548,7 +548,13 @@ + err -= limit; + sy++; + if (err >= limit) +- rows[nrows++] = br + bpr*sy; ++ { ++ /* We should perhaps error loudly, but I can't make sense of that */ ++ /* code... */ ++ if( nrows == 256 ) ++ break; ++ rows[nrows++] = br + bpr*sy; ++ } + } + setrow(row, nrows, rows); + row += tnw; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2012-5581.patch +++ tiff-3.9.2/debian/patches/CVE-2012-5581.patch @@ -0,0 +1,324 @@ +Author: Frank Warmerdam +Description: * libtiff/tif_dir.c, tif_print.c : Remove FIELD_CUSTOM handling + for PAGENUMBER, HALFTONEHINTS, and YCBCRSUBSAMPLING. Implement DOTRANGE + differently. This is to avoid using special TIFFGetField/TIFFSetField rules + for these fields in non-image directories (like EXIF). + +Back-ported patch from upstream CVS by Huzaifa S. Sidhpurwala of Red Hat +Security Response Team. + +https://bugzilla.redhat.com/show_bug.cgi?id=867235 +https://bugzilla.redhat.com/attachment.cgi?id=640578 + +Index: tiff-3.9.2/libtiff/tif_dir.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_dir.c 2012-12-03 17:47:01.000000000 -0800 ++++ tiff-3.9.2/libtiff/tif_dir.c 2012-12-03 17:47:01.000000000 -0800 +@@ -487,94 +487,90 @@ + status = 0; + goto end; + } ++ if (fip->field_tag == TIFFTAG_DOTRANGE ++ && strcmp(fip->field_name,"DotRange") == 0) { ++ /* TODO: This is an evil exception and should not have been ++ handled this way ... likely best if we move it into ++ the directory structure with an explicit field in ++ libtiff 4.1 and assign it a FIELD_ value */ ++ uint16 v[2]; ++ v[0] = (uint16)va_arg(ap, int); ++ v[1] = (uint16)va_arg(ap, int); ++ _TIFFmemcpy(tv->value, &v, 4); ++ } ++ ++ else if (fip->field_passcount ++ || fip->field_writecount == TIFF_VARIABLE ++ || fip->field_writecount == TIFF_VARIABLE2 ++ || fip->field_writecount == TIFF_SPP ++ || tv->count > 1) { + +- if ((fip->field_passcount +- || fip->field_writecount == TIFF_VARIABLE +- || fip->field_writecount == TIFF_VARIABLE2 +- || fip->field_writecount == TIFF_SPP +- || tv->count > 1) +- && fip->field_tag != TIFFTAG_PAGENUMBER +- && fip->field_tag != TIFFTAG_HALFTONEHINTS +- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING +- && fip->field_tag != TIFFTAG_DOTRANGE) { + _TIFFmemcpy(tv->value, va_arg(ap, void *), + tv->count * tv_size); + } else { +- /* +- * XXX: The following loop required to handle +- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS, +- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags. +- * These tags are actually arrays and should be passed as +- * array pointers to TIFFSetField() function, but actually +- * passed as a list of separate values. This behaviour +- * must be changed in the future! +- */ +- int i; ++ assert( tv->count == 1 ); + char *val = (char *)tv->value; +- +- for (i = 0; i < tv->count; i++, val += tv_size) { +- switch (fip->field_type) { +- case TIFF_BYTE: +- case TIFF_UNDEFINED: +- { +- uint8 v = (uint8)va_arg(ap, int); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_SBYTE: +- { +- int8 v = (int8)va_arg(ap, int); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_SHORT: +- { +- uint16 v = (uint16)va_arg(ap, int); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_SSHORT: +- { +- int16 v = (int16)va_arg(ap, int); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_LONG: +- case TIFF_IFD: +- { +- uint32 v = va_arg(ap, uint32); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_SLONG: +- { +- int32 v = va_arg(ap, int32); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_RATIONAL: +- case TIFF_SRATIONAL: +- case TIFF_FLOAT: +- { +- float v = (float)va_arg(ap, double); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_DOUBLE: +- { +- double v = va_arg(ap, double); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- default: +- _TIFFmemset(val, 0, tv_size); +- status = 0; +- break; ++ switch (fip->field_type) { ++ case TIFF_BYTE: ++ case TIFF_UNDEFINED: ++ { ++ uint8 v = (uint8)va_arg(ap, int); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_SBYTE: ++ { ++ int8 v = (int8)va_arg(ap, int); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_SHORT: ++ { ++ uint16 v = (uint16)va_arg(ap, int); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_SSHORT: ++ { ++ int16 v = (int16)va_arg(ap, int); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_LONG: ++ case TIFF_IFD: ++ { ++ uint32 v = va_arg(ap, uint32); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_SLONG: ++ { ++ int32 v = va_arg(ap, int32); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_RATIONAL: ++ case TIFF_SRATIONAL: ++ case TIFF_FLOAT: ++ { ++ float v = (float)va_arg(ap, double); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_DOUBLE: ++ { ++ double v = va_arg(ap, double); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ default: ++ _TIFFmemset(val, 0, tv_size); ++ status = 0; ++ break; + } + } + } + } +- } + } + if (status) { + TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); +@@ -859,75 +855,76 @@ + *va_arg(ap, uint16*) = (uint16)tv->count; + *va_arg(ap, void **) = tv->value; + ret_val = 1; ++ } else if (fip->field_tag == TIFFTAG_DOTRANGE ++ && strcmp(fip->field_name,"DotRange") == 0) { ++ /* TODO: This is an evil exception and should not have been ++ handled this way ... likely best if we move it into ++ the directory structure with an explicit field in ++ libtiff 4.1 and assign it a FIELD_ value */ ++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0]; ++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1]; ++ ret_val = 1; + } else { +- if ((fip->field_type == TIFF_ASCII ++ if (fip->field_type == TIFF_ASCII + || fip->field_readcount == TIFF_VARIABLE + || fip->field_readcount == TIFF_VARIABLE2 + || fip->field_readcount == TIFF_SPP +- || tv->count > 1) +- && fip->field_tag != TIFFTAG_PAGENUMBER +- && fip->field_tag != TIFFTAG_HALFTONEHINTS +- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING +- && fip->field_tag != TIFFTAG_DOTRANGE) { ++ || tv->count > 1) { + *va_arg(ap, void **) = tv->value; + ret_val = 1; + } else { +- int j; + char *val = (char *)tv->value; +- +- for (j = 0; j < tv->count; +- j++, val += _TIFFDataSize(tv->info->field_type)) { +- switch (fip->field_type) { +- case TIFF_BYTE: +- case TIFF_UNDEFINED: +- *va_arg(ap, uint8*) = +- *(uint8 *)val; +- ret_val = 1; +- break; +- case TIFF_SBYTE: +- *va_arg(ap, int8*) = +- *(int8 *)val; +- ret_val = 1; +- break; +- case TIFF_SHORT: +- *va_arg(ap, uint16*) = +- *(uint16 *)val; +- ret_val = 1; +- break; +- case TIFF_SSHORT: +- *va_arg(ap, int16*) = +- *(int16 *)val; +- ret_val = 1; +- break; +- case TIFF_LONG: +- case TIFF_IFD: +- *va_arg(ap, uint32*) = +- *(uint32 *)val; +- ret_val = 1; +- break; +- case TIFF_SLONG: +- *va_arg(ap, int32*) = +- *(int32 *)val; +- ret_val = 1; +- break; +- case TIFF_RATIONAL: +- case TIFF_SRATIONAL: +- case TIFF_FLOAT: +- *va_arg(ap, float*) = +- *(float *)val; +- ret_val = 1; +- break; +- case TIFF_DOUBLE: +- *va_arg(ap, double*) = +- *(double *)val; +- ret_val = 1; +- break; +- default: +- ret_val = 0; +- break; +- } +- } +- } ++ assert( tv->count == 1 ); ++ switch (fip->field_type) { ++ case TIFF_BYTE: ++ case TIFF_UNDEFINED: ++ *va_arg(ap, uint8*) = ++ *(uint8 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_SBYTE: ++ *va_arg(ap, int8*) = ++ *(int8 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_SHORT: ++ *va_arg(ap, uint16*) = ++ *(uint16 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_SSHORT: ++ *va_arg(ap, int16*) = ++ *(int16 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_LONG: ++ case TIFF_IFD: ++ *va_arg(ap, uint32*) = ++ *(uint32 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_SLONG: ++ *va_arg(ap, int32*) = ++ *(int32 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_RATIONAL: ++ case TIFF_SRATIONAL: ++ case TIFF_FLOAT: ++ *va_arg(ap, float*) = ++ *(float *)val; ++ ret_val = 1; ++ break; ++ case TIFF_DOUBLE: ++ *va_arg(ap, double*) = ++ *(double *)val; ++ ret_val = 1; ++ break; ++ default: ++ ret_val = 0; ++ break; ++ } ++ } + } + break; + } only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-9.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-9.patch @@ -0,0 +1,35 @@ +Backport of: + +From 77837423c3a125a3b39ddae246ff904f437cf845 Mon Sep 17 00:00:00 2001 +From: bfriesen +Date: Mon, 22 Dec 2014 02:52:38 +0000 +Subject: [PATCH] * tools/tiffdump.c: Guard against arithmetic overflow when + calculating allocation buffer sizes. + +--- + ChangeLog | 5 +++++ + tools/tiffdump.c | 21 ++++++++++++++++++--- + 2 files changed, 23 insertions(+), 3 deletions(-) + +Index: tiff-3.9.2/tools/tiffdump.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiffdump.c 2015-03-30 09:32:10.981158541 -0400 ++++ tiff-3.9.2/tools/tiffdump.c 2015-03-30 09:32:10.981158541 -0400 +@@ -34,6 +34,8 @@ + # include + #endif + ++#include "tiffiop.h" ++ + #ifdef HAVE_FCNTL_H + # include + #endif +@@ -288,7 +290,7 @@ + } + if (swabflag) + TIFFSwabShort(&dircount); +- dir = (TIFFDirEntry *)_TIFFmalloc(dircount * sizeof (TIFFDirEntry)); ++ dir = (TIFFDirEntry *)_TIFFmalloc(TIFFSafeMultiply(tsize_t,dircount,sizeof (TIFFDirEntry))); + if (dir == NULL) { + Fatal("No space for TIFF directory"); + goto done; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2011-1167.patch +++ tiff-3.9.2/debian/patches/CVE-2011-1167.patch @@ -0,0 +1,72 @@ +Description: fix arbitrary code execution via crafted + THUNDER_2BITDELTAS data +Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2300 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2300 + +diff -Nur tiff-3.9.2/libtiff/tif_thunder.c tiff-3.9.2.new/libtiff/tif_thunder.c +--- tiff-3.9.2/libtiff/tif_thunder.c 2005-12-21 07:23:13.000000000 -0500 ++++ tiff-3.9.2.new/libtiff/tif_thunder.c 2011-03-30 13:04:17.912488064 -0400 +@@ -25,6 +25,7 @@ + */ + + #include "tiffiop.h" ++#include + #ifdef THUNDER_SUPPORT + /* + * TIFF Library. +@@ -55,12 +56,32 @@ + static const int twobitdeltas[4] = { 0, 1, 0, -1 }; + static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; + +-#define SETPIXEL(op, v) { \ +- lastpixel = (v) & 0xf; \ +- if (npixels++ & 1) \ +- *op++ |= lastpixel; \ +- else \ ++#define SETPIXEL(op, v) { \ ++ lastpixel = (v) & 0xf; \ ++ if ( npixels < maxpixels ) \ ++ { \ ++ if (npixels++ & 1) \ ++ *op++ |= lastpixel; \ ++ else \ + op[0] = (tidataval_t) (lastpixel << 4); \ ++ } \ ++} ++ ++static int ++ThunderSetupDecode(TIFF* tif) ++{ ++ static const char module[] = "ThunderSetupDecode"; ++ ++ if( tif->tif_dir.td_bitspersample != 4 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.", ++ (int) tif->tif_dir.td_bitspersample ); ++ return 0; ++ } ++ ++ ++ return (1); + } + + static int +@@ -142,7 +163,8 @@ + occ -= tif->tif_scanlinesize; + row += tif->tif_scanlinesize; + } +- return (1); ++ ++ return (1); + } + + int +@@ -151,6 +173,7 @@ + (void) scheme; + tif->tif_decoderow = ThunderDecodeRow; + tif->tif_decodestrip = ThunderDecodeRow; ++ tif->tif_setupdecode = ThunderSetupDecode; + return (1); + } + #endif /* THUNDER_SUPPORT */ only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2013-1961.patch +++ tiff-3.9.2/debian/patches/CVE-2013-1961.patch @@ -0,0 +1,815 @@ +Description: fix denial of service via stack overflow with malformed + image-length and resolution. +Origin: backport, https://bugzilla.redhat.com/attachment.cgi?id=736471 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=952131 + +Index: tiff-3.9.2/contrib/dbs/xtiff/xtiff.c +=================================================================== +--- tiff-3.9.2.orig/contrib/dbs/xtiff/xtiff.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/contrib/dbs/xtiff/xtiff.c 2013-05-13 13:45:45.339872301 -0400 +@@ -512,9 +512,9 @@ + Arg args[1]; + + if (tfMultiPage) +- sprintf(buffer, "%s - page %d", fileName, tfDirectory); ++ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); + else +- strcpy(buffer, fileName); ++ snprintf(buffer, sizeof(buffer), "%s", fileName); + XtSetArg(args[0], XtNlabel, buffer); + XtSetValues(labelWidget, args, 1); + } +Index: tiff-3.9.2/libtiff/tif_codec.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_codec.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/libtiff/tif_codec.c 2013-05-13 13:45:45.339872301 -0400 +@@ -104,7 +104,8 @@ + const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); + char compression_code[20]; + +- sprintf( compression_code, "%d", tif->tif_dir.td_compression ); ++ snprintf(compression_code, sizeof(compression_code), "%d", ++ tif->tif_dir.td_compression ); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s compression support is not configured", + c ? c->name : compression_code ); +Index: tiff-3.9.2/libtiff/tif_dirinfo.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_dirinfo.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/libtiff/tif_dirinfo.c 2013-05-13 13:45:45.339872301 -0400 +@@ -873,7 +873,7 @@ + * note that this name is a special sign to TIFFClose() and + * _TIFFSetupFieldInfo() to free the field + */ +- sprintf(fld->field_name, "Tag %d", (int) tag); ++ snprintf(fld->field_name, 32, "Tag %d", (int) tag); + + return fld; + } +Index: tiff-3.9.2/tools/rgb2ycbcr.c +=================================================================== +--- tiff-3.9.2.orig/tools/rgb2ycbcr.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/tools/rgb2ycbcr.c 2013-05-13 13:45:45.339872301 -0400 +@@ -326,7 +326,8 @@ + TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); + { char buf[2048]; + char *cp = strrchr(TIFFFileName(in), '/'); +- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); ++ snprintf(buf, sizeof(buf), "YCbCr conversion of %s", ++ cp ? cp+1 : TIFFFileName(in)); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); + } + TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); +Index: tiff-3.9.2/tools/tiff2bw.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiff2bw.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/tools/tiff2bw.c 2013-05-13 13:45:45.339872301 -0400 +@@ -201,7 +201,7 @@ + } + } + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); +- sprintf(thing, "B&W version of %s", argv[optind]); ++ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); + outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); +Index: tiff-3.9.2/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiff2pdf.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/tools/tiff2pdf.c 2013-05-13 13:47:11.811875010 -0400 +@@ -3683,7 +3683,9 @@ + char buffer[16]; + int buflen=0; + +- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); ++ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", ++ t2p->pdf_majorversion&0xff, ++ t2p->pdf_minorversion&0xff); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); + +@@ -3697,10 +3699,10 @@ + tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + +- buflen=sprintf(buffer, "%lu", (unsigned long)number); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); + written += t2pWriteFile(output, (tdata_t) buffer, buflen ); + written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); + +@@ -3739,13 +3741,13 @@ + written += t2pWriteFile(output, (tdata_t) "/", 1); + for (i=0;i 0x7E){ +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + nextchar=1; +@@ -3753,57 +3755,57 @@ + if (nextchar==0){ + switch (name[i]){ + case 0x23: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x25: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x28: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x29: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x2F: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x3C: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x3E: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x5B: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x5D: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x7B: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x7D: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; +@@ -3833,9 +3835,8 @@ + written += t2pWriteFile(output, (tdata_t) "(", 1); + for (i=0; ipdf_pages); +- written += t2pWriteFile(output, (tdata_t) buffer, buflen ); ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); ++ written += t2pWriteFile(output, (tdata_t) buffer, ++ TIFFmin((size_t)buflen, sizeof(buffer) - 1)); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + if(t2p->pdf_fitwindow){ + written += t2pWriteFile(output, +@@ -4012,7 +4014,6 @@ + tsize_t written = 0; + unsigned char* info; + char buffer[512]; +- int buflen = 0; + + if(t2p->pdf_datetime==NULL){ + t2p_pdf_tifftime(t2p, input); +@@ -4024,8 +4025,7 @@ + written += t2p_write_pdf_string(t2p->pdf_datetime, output); + } + written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); +- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); +- buflen = sprintf(buffer, "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); ++ snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); + written += t2p_write_pdf_string((unsigned char*)buffer, output); + written += t2pWriteFile(output, (tdata_t) "\n", 1); + if(t2p->pdf_creator != NULL){ +@@ -4139,9 +4139,10 @@ + + timenow=time(0); + currenttime=localtime(&timenow); +- sprintf((char *)t2p->pdf_datetime, "D:%.4d%.2d%.2d%.2d%.2d%.2d", +- (currenttime->tm_year+1900) % 65536, +- (currenttime->tm_mon+1) % 256, ++ snprintf((char *)t2p->pdf_datetime, sizeof(t2p->pdf_datetime), ++ "D:%.4d%.2d%.2d%.2d%.2d%.2d", ++ (currenttime->tm_year + 1900) % 65536, ++ (currenttime->tm_mon + 1) % 256, + (currenttime->tm_mday) % 256, + (currenttime->tm_hour) % 256, + (currenttime->tm_min) % 256, +@@ -4200,7 +4201,7 @@ + { + tsize_t written=0; + tdir_t i=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + int page=0; +@@ -4208,7 +4209,7 @@ + (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); + page = t2p->pdf_pages+1; + for (i=0;itiff_pagecount;i++){ +- buflen=sprintf(buffer, "%d", page); ++ buflen=snprintf(buffer, sizeof(buffer), "%d", page); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); + if ( ((i+1)%8)==0 ) { +@@ -4223,8 +4224,7 @@ + } + } + written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); ++ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); + +@@ -4239,28 +4239,28 @@ + + unsigned int i=0; + tsize_t written=0; +- char buffer[16]; ++ char buffer[256]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "] \n", 3); + written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); +- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); +@@ -4268,15 +4268,13 @@ + written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); + for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ + written += t2pWriteFile(output, (tdata_t) "/Im", 3); +- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "_", 1); +- buflen = sprintf(buffer, "%u", i+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4288,12 +4286,10 @@ + } else { + written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); + written += t2pWriteFile(output, (tdata_t) "/Im", 3); +- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4302,9 +4298,7 @@ + if(t2p->tiff_transferfunctioncount != 0) { + written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); + t2pWriteFile(output, (tdata_t) "/GS1 ", 5); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object + 3)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4665,7 +4659,7 @@ + if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ + for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ + box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; +- buflen=sprintf(buffer, ++ buflen=snprintf(buffer, sizeof(buffer), + "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", + t2p->tiff_transferfunctioncount?"/GS1 gs ":"", + box.mat[0], +@@ -4680,7 +4674,7 @@ + } + } else { + box=t2p->pdf_imagebox; +- buflen=sprintf(buffer, ++ buflen=snprintf(buffer, sizeof(buffer), + "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", + t2p->tiff_transferfunctioncount?"/GS1 gs ":"", + box.mat[0], +@@ -4705,59 +4699,48 @@ + TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); + written += t2pWriteFile(output, + (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", + 42); +- buflen=sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + if(tile != 0){ + written += t2pWriteFile(output, (tdata_t) "_", 1); +- buflen=sprintf(buffer, "%lu", (unsigned long)tile); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } + written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); + if(tile==0){ +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); + } else { + if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); + } else { +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); + } + } + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); + if(tile==0){ +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); + } else { + if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); + } else { +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); + } + } + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); + written += t2p_write_pdf_xobject_cs(t2p, output); +@@ -4801,11 +4784,10 @@ + t2p->pdf_colorspace ^= T2P_CS_PALETTE; + written += t2p_write_pdf_xobject_cs(t2p, output); + t2p->pdf_colorspace |= T2P_CS_PALETTE; +- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); + return(written); +@@ -4847,10 +4829,10 @@ + X_W /= Y_W; + Z_W /= Y_W; + Y_W = 1.0F; +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Range ", 7); +- buflen=sprintf(buffer, "[%d %d %d %d] \n", ++ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", + t2p->pdf_labrange[0], + t2p->pdf_labrange[1], + t2p->pdf_labrange[2], +@@ -4866,26 +4848,26 @@ + tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); + if(t2p->tiff_transferfunctioncount == 1){ +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); + } else { + written += t2pWriteFile(output, (tdata_t) "[ ", 2); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 2)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 3)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4907,7 +4889,7 @@ + written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); + written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); + written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); +- buflen=sprintf(buffer, "/Size [%u] \n", (1<tiff_bitspersample)); ++ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<tiff_bitspersample)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); + written += t2p_write_pdf_stream_dict(1<<(t2p->tiff_bitspersample+1), 0, output); +@@ -4934,7 +4916,7 @@ + tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[128]; ++ char buffer[256]; + int buflen=0; + + float X_W=0.0; +@@ -5002,16 +4984,16 @@ + written += t2pWriteFile(output, (tdata_t) "<< \n", 4); + if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ + written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); + } + if(t2p->pdf_colorspace & T2P_CS_CALRGB){ + written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", + X_R, Y_R, Z_R, + X_G, Y_G, Z_G, + X_B, Y_B, Z_B); +@@ -5030,11 +5012,11 @@ + tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); + +@@ -5044,11 +5026,11 @@ + tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "/N ", 3); +- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); ++ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); + t2p->pdf_colorspace ^= T2P_CS_ICCBASED; +@@ -5113,7 +5095,7 @@ + tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + if(t2p->pdf_compression==T2P_COMPRESS_NONE){ +@@ -5128,41 +5110,33 @@ + written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); + if(tile==0){ + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_width); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_length); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } + if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } +@@ -5189,21 +5163,17 @@ + if(t2p->pdf_compressionquality%100){ + written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); + written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); +- _TIFFmemset(buffer, 0x00, 16); +- buflen = sprintf(buffer, "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_width); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) ">>\n", 3); + } +@@ -5223,16 +5193,16 @@ + tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[21]; ++ char buffer[64]; + int buflen=0; + uint32 i=0; + + written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); +- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); + for (i=0;ipdf_xrefcount;i++){ +- sprintf(buffer, "%.10lu 00000 n \n", ++ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", + (unsigned long)t2p->pdf_xrefoffsets[i]); + written += t2pWriteFile(output, (tdata_t) buffer, 20); + } +@@ -5272,25 +5242,21 @@ + "%.2hhX", fileidbuf[i]); + } + written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); +- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); + written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, 32); + written += t2pWriteFile(output, (tdata_t) "><", 2); + written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, 32); + written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); + + return(written); +Index: tiff-3.9.2/tools/tiff2ps.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiff2ps.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/tools/tiff2ps.c 2013-05-13 13:45:45.343872301 -0400 +@@ -1079,8 +1079,8 @@ + imageOp = "imagemask"; + + (void)strcpy(im_x, "0"); +- (void)sprintf(im_y, "%lu", (long) h); +- (void)sprintf(im_h, "%lu", (long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); ++ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); + tile_width = w; + tile_height = h; + if (TIFFIsTiled(tif)) { +@@ -1101,7 +1101,7 @@ + } + if (tile_height < h) { + fputs("/im_y 0 def\n", fd); +- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); + } + } else { + repeat_count = tf_numberstrips; +@@ -1113,7 +1113,7 @@ + fprintf(fd, "/im_h %lu def\n", + (unsigned long) tile_height); + (void)strcpy(im_h, "im_h"); +- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); + } + } + +Index: tiff-3.9.2/tools/tiffcrop.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiffcrop.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/tools/tiffcrop.c 2013-05-13 13:45:45.347872301 -0400 +@@ -2053,7 +2053,7 @@ + strncpy (export_ext, ".tiff", 5); + export_ext[5] = '\0'; + +- sprintf (filenum, "-%03d%s", findex, export_ext); ++ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); + filenum[15] = '\0'; + strncat (exportname, filenum, 14); + } +@@ -2203,7 +2203,8 @@ + if (dump.infile != NULL) + fclose (dump.infile); + +- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images, ++ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", ++ dump.infilename, dump_images, + (dump.format == DUMP_TEXT) ? "txt" : "raw"); + if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) + { +@@ -2219,7 +2220,8 @@ + if (dump.outfile != NULL) + fclose (dump.outfile); + +- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, ++ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", ++ dump.outfilename, dump_images, + (dump.format == DUMP_TEXT) ? "txt" : "raw"); + if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) + { +Index: tiff-3.9.2/tools/tiffdither.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiffdither.c 2013-05-13 13:45:45.351872301 -0400 ++++ tiff-3.9.2/tools/tiffdither.c 2013-05-13 13:45:45.347872301 -0400 +@@ -256,7 +256,7 @@ + TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); + else + CopyField(TIFFTAG_FILLORDER, shortv); +- sprintf(thing, "Dithered B&W version of %s", argv[optind]); ++ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + CopyField(TIFFTAG_PHOTOMETRIC, shortv); + CopyField(TIFFTAG_ORIENTATION, shortv); only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/fix-unknown-tags.patch +++ tiff-3.9.2/debian/patches/fix-unknown-tags.patch @@ -0,0 +1,139 @@ +Description: fix crashes from unknown tag handling. +Origin: upstream 3.9.4 + +Index: tiff-3.9.2/libtiff/tif_dirread.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_dirread.c 2010-06-17 10:41:26.957649666 -0700 ++++ tiff-3.9.2/libtiff/tif_dirread.c 2010-06-17 10:41:37.935148788 -0700 +@@ -84,6 +84,7 @@ + size_t fix; + uint16 dircount; + int diroutoforderwarning = 0, compressionknown = 0; ++ int haveunknowntags = 0; + + tif->tif_diroff = tif->tif_nextdiroff; + /* +@@ -160,8 +161,10 @@ + fix = 0; + for (dp = dir, n = dircount; n > 0; n--, dp++) { + +- if (fix >= tif->tif_nfields || dp->tdir_tag == IGNORE) ++ if (dp->tdir_tag == IGNORE) + continue; ++ if (fix >= tif->tif_nfields) ++ fix = 0; + + /* + * Silicon Beach (at least) writes unordered +@@ -182,31 +185,9 @@ + fix++; + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { +- +- TIFFWarningExt(tif->tif_clientdata, +- module, +- "%s: unknown field with tag %d (0x%x) encountered", +- tif->tif_name, +- dp->tdir_tag, +- dp->tdir_tag); +- +- if (!_TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1)) +- { +- TIFFWarningExt(tif->tif_clientdata, +- module, +- "Registering anonymous field with tag %d (0x%x) failed", +- dp->tdir_tag, +- dp->tdir_tag); +- goto ignore; +- } +- fix = 0; +- while (fix < tif->tif_nfields && +- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) +- fix++; ++ /* Unknown tag ... we'll deal with it below */ ++ haveunknowntags = 1; ++ continue; + } + /* + * Null out old tags that we ignore. +@@ -297,6 +278,76 @@ + } + + /* ++ * If we saw any unknown tags, make an extra pass over the directory ++ * to deal with them. This must be done separately because the tags ++ * could have become known when we registered a codec after finding ++ * the Compression tag. In a correctly-sorted directory there's ++ * no problem because Compression will come before any codec-private ++ * tags, but if the sorting is wrong that might not hold. ++ */ ++ if (haveunknowntags) { ++ fix = 0; ++ for (dp = dir, n = dircount; n > 0; n--, dp++) { ++ if (dp->tdir_tag == IGNORE) ++ continue; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ ++ while (fix < tif->tif_nfields && ++ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) ++ fix++; ++ if (fix >= tif->tif_nfields || ++ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { ++ ++ TIFFWarningExt(tif->tif_clientdata, ++ module, ++ "%s: unknown field with tag %d (0x%x) encountered", ++ tif->tif_name, ++ dp->tdir_tag, ++ dp->tdir_tag); ++ ++ if (!_TIFFMergeFieldInfo(tif, ++ _TIFFCreateAnonFieldInfo(tif, ++ dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), ++ 1)) ++ { ++ TIFFWarningExt(tif->tif_clientdata, ++ module, ++ "Registering anonymous field with tag %d (0x%x) failed", ++ dp->tdir_tag, ++ dp->tdir_tag); ++ dp->tdir_tag = IGNORE; ++ continue; ++ } ++ fix = 0; ++ while (fix < tif->tif_nfields && ++ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) ++ fix++; ++ } ++ /* ++ * Check data type. ++ */ ++ fip = tif->tif_fieldinfo[fix]; ++ while (dp->tdir_type != (unsigned short) fip->field_type ++ && fix < tif->tif_nfields) { ++ if (fip->field_type == TIFF_ANY) /* wildcard */ ++ break; ++ fip = tif->tif_fieldinfo[++fix]; ++ if (fix >= tif->tif_nfields || ++ fip->field_tag != dp->tdir_tag) { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: wrong data type %d for \"%s\"; tag ignored", ++ tif->tif_name, dp->tdir_type, ++ tif->tif_fieldinfo[fix-1]->field_name); ++ dp->tdir_tag = IGNORE; ++ break; ++ } ++ } ++ } ++ } ++ ++ /* + * XXX: OJPEG hack. + * If a) compression is OJPEG, b) planarconfig tag says it's separate, + * c) strip offsets/bytecounts tag are both present and only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-2630.patch +++ tiff-3.9.2/debian/patches/CVE-2010-2630.patch @@ -0,0 +1,44 @@ +Description: fix denial of service via out-of-order tags +Origin: upstream, r1.92.2.13 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2210 + +diff -Nur tiff-3.9.2/libtiff/tif_dirread.c tiff-3.9.2.new/libtiff/tif_dirread.c +--- tiff-3.9.2/libtiff/tif_dirread.c 2011-03-03 13:40:05.000000000 -0500 ++++ tiff-3.9.2.new/libtiff/tif_dirread.c 2011-03-03 13:40:11.000000000 -0500 +@@ -83,6 +83,7 @@ + const TIFFFieldInfo* fip; + size_t fix; + uint16 dircount; ++ uint16 previous_tag = 0; + int diroutoforderwarning = 0, compressionknown = 0; + int haveunknowntags = 0; + +@@ -163,23 +164,24 @@ + + if (dp->tdir_tag == IGNORE) + continue; +- if (fix >= tif->tif_nfields) +- fix = 0; + + /* + * Silicon Beach (at least) writes unordered + * directory tags (violating the spec). Handle + * it here, but be obnoxious (maybe they'll fix it?). + */ +- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { ++ if (dp->tdir_tag < previous_tag) { + if (!diroutoforderwarning) { + TIFFWarningExt(tif->tif_clientdata, module, + "%s: invalid TIFF directory; tags are not sorted in ascending order", + tif->tif_name); + diroutoforderwarning = 1; + } +- fix = 0; /* O(n^2) */ + } ++ previous_tag = dp->tdir_tag; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2012-1173.patch +++ tiff-3.9.2/debian/patches/CVE-2012-1173.patch @@ -0,0 +1,73 @@ +Description: fix arbitrary code execution via size overflow +Origin: thanks to Tom Lane of Red Hat + +Index: tiff-3.9.4/libtiff/tiffiop.h +=================================================================== +--- tiff-3.9.4.orig/libtiff/tiffiop.h 2010-06-11 22:55:16.000000000 -0400 ++++ tiff-3.9.4/libtiff/tiffiop.h 2012-04-02 10:54:54.058126125 -0400 +@@ -243,7 +243,7 @@ + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + + /* Safe multiply which returns zero if there is an integer overflow */ +-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) +Index: tiff-3.9.4/libtiff/tif_getimage.c +=================================================================== +--- tiff-3.9.4.orig/libtiff/tif_getimage.c 2012-04-02 10:54:42.714126234 -0400 ++++ tiff-3.9.4/libtiff/tif_getimage.c 2012-04-02 10:54:54.058126125 -0400 +@@ -673,18 +673,24 @@ + unsigned char* p2; + unsigned char* pa; + tsize_t tilesize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + uint32 nrow; + int ret = 1, flip; + + tilesize = TIFFTileSize(tif); +- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); ++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); ++ return (0); ++ } ++ buf = (unsigned char*) _TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); ++ _TIFFmemset(buf, 0, bufsize); + p0 = buf; + p1 = p0 + tilesize; + p2 = p1 + tilesize; +@@ -880,17 +886,23 @@ + uint32 rowsperstrip, offset_row; + uint32 imagewidth = img->width; + tsize_t stripsize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + int ret = 1, flip; + + stripsize = TIFFStripSize(tif); +- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); ++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); ++ return (0); ++ } ++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); ++ _TIFFmemset(buf, 0, bufsize); + p1 = p0 + stripsize; + p2 = p1 + stripsize; + pa = (alpha?(p2+stripsize):NULL); only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-8.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-8.patch @@ -0,0 +1,28 @@ +From 0782c759084daaf9e4de7ee6be7543081823455e Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 20:58:29 +0000 +Subject: [PATCH] * tools/tiff2bw.c: when Photometric=RGB, the utility only + works if SamplesPerPixel = 3. Enforce that + http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) + +--- + ChangeLog | 6 ++++++ + tools/tiff2bw.c | 5 +++++ + 2 files changed, 11 insertions(+) + +Index: tiff-3.9.5/tools/tiff2bw.c +=================================================================== +--- tiff-3.9.5.orig/tools/tiff2bw.c 2015-03-30 07:47:25.321241804 -0400 ++++ tiff-3.9.5/tools/tiff2bw.c 2015-03-30 07:47:25.317241770 -0400 +@@ -167,6 +167,11 @@ + argv[optind], samplesperpixel); + return (-1); + } ++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { ++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", ++ argv[optind], samplesperpixel); ++ return (-1); ++ } + TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); + if (bitspersample != 8) { + fprintf(stderr, only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-2065.patch +++ tiff-3.9.2/debian/patches/CVE-2010-2065.patch @@ -0,0 +1,31 @@ +Description: fix TIFFroundup integer overflow (CVE-2010-2065). +Author: Bob Friesenhahn and Kees Cook + +Index: tiff-3.9.2/libtiff/tif_ojpeg.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_ojpeg.c 2010-06-10 12:56:15.218390746 -0700 ++++ tiff-3.9.2/libtiff/tif_ojpeg.c 2010-06-10 12:57:08.268390489 -0700 +@@ -1909,6 +1909,10 @@ + sp->in_buffer_source=osibsEof; + else + { ++ if (sp->tif->tif_dir.td_stripoffset == 0) { ++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip offsets are missing"); ++ return(0); ++ } + sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile]; + if (sp->in_buffer_file_pos!=0) + { +Index: tiff-3.9.2/libtiff/tif_read.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_read.c 2010-06-10 12:56:24.098391246 -0700 ++++ tiff-3.9.2/libtiff/tif_read.c 2010-06-10 12:57:13.248390618 -0700 +@@ -609,7 +609,7 @@ + tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize); + tif->tif_flags |= TIFF_MYBUFFER; + } +- if (tif->tif_rawdata == NULL) { ++ if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: No space for data buffer at scanline %ld", + tif->tif_name, (long) tif->tif_row); only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2011-0192.patch +++ tiff-3.9.2/debian/patches/CVE-2011-0192.patch @@ -0,0 +1,21 @@ +Description: fix denial of service and possible code execution via + buffer overflow in Fax4Decode +Origin: Thanks to Apple and Huzaifa Sidhpurwala + +Index: tiff-3.9.2/libtiff/tif_fax3.h +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_fax3.h 2005-12-12 01:23:11.000000000 -0800 ++++ tiff-3.9.2/libtiff/tif_fax3.h 2011-03-14 10:46:49.748757261 -0700 +@@ -478,6 +478,12 @@ + break; \ + case S_VL: \ + CHECK_b1; \ ++ if (b1 <= (int) (a0 + TabEnt->Param)) { \ ++ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \ ++ unexpected("VL", a0); \ ++ goto eol2d; \ ++ } \ ++ } \ + SETVALUE(b1 - a0 - TabEnt->Param); \ + b1 -= *--pb; \ + break; \ only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-4665.patch +++ tiff-3.9.2/debian/patches/CVE-2010-4665.patch @@ -0,0 +1,38 @@ +Description: fix denial of service and possible code execution via tiffdump +Origin: extracted from libtiff 3.9.5 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2218 + +Index: tiff-3.9.4/tools/tiffdump.c +=================================================================== +--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400 ++++ tiff-3.9.4/tools/tiffdump.c 2012-04-02 10:54:36.462126292 -0400 +@@ -52,6 +52,11 @@ + # define O_BINARY 0 + #endif + ++/* Safe multiply which returns zero if there is an integer overflow */ ++#ifndef TIFFSafeMultiply ++# define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#endif ++ + char* appname; + char* curfile; + int swabflag; +@@ -317,7 +322,7 @@ + printf(">\n"); + continue; + } +- space = dp->tdir_count * datawidth[dp->tdir_type]; ++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); + if (space <= 0) { + printf(">\n"); + Error("Invalid count for tag %u", dp->tdir_tag); +@@ -709,7 +714,7 @@ + w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); + cc = dir->tdir_count * w; + if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 +- && read(fd, cp, cc) != -1) { ++ && read(fd, cp, cc) == cc) { + if (swabflag) { + switch (dir->tdir_type) { + case TIFF_SHORT: only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-2067.patch +++ tiff-3.9.2/debian/patches/CVE-2010-2067.patch @@ -0,0 +1,20 @@ +Description: fix SubjectDistance tag processing buffer overflow (CVE-2010-2067) +Author: Frank Warmerdam + +Index: tiff-3.9.2/libtiff/tif_dirread.c +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_dirread.c 2010-06-10 13:30:29.498390970 -0700 ++++ tiff-3.9.2/libtiff/tif_dirread.c 2010-06-10 13:33:40.577518024 -0700 +@@ -1919,6 +1919,12 @@ + float v; + int ok = 0; + ++ if (dir->tdir_count != 1 || dir->tdir_type != TIFF_RATIONAL) { ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, ++ "incorrect count or type for SubjectDistance, tag ignored" ); ++ return (0); ++ } ++ + if (TIFFFetchData(tif, dir, (char *)l) + && cvtRational(tif, dir, l[0], l[1], &v)) { + /* only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-3087.patch +++ tiff-3.9.2/debian/patches/CVE-2010-3087.patch @@ -0,0 +1,70 @@ +Description: fix denial of service and possible code execution via + heap corruption in JPEGDecodeRaw +Origin: upstream, r1.50.2.13, r1.19.2.2 in libtiff/tif_strip.c +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2228 + +diff -Nur tiff-3.9.2/libtiff/tif_jpeg.c tiff-3.9.2.new/libtiff/tif_jpeg.c +--- tiff-3.9.2/libtiff/tif_jpeg.c 2011-03-03 13:41:54.000000000 -0500 ++++ tiff-3.9.2.new/libtiff/tif_jpeg.c 2011-03-03 13:42:00.000000000 -0500 +@@ -988,8 +988,15 @@ + tsize_t nrows; + (void) s; + +- /* data is expected to be read in multiples of a scanline */ +- if ( (nrows = sp->cinfo.d.image_height) ) { ++ nrows = cc / sp->bytesperline; ++ if (cc % sp->bytesperline) ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read"); ++ ++ if( nrows > (int) sp->cinfo.d.image_height ) ++ nrows = sp->cinfo.d.image_height; ++ ++ /* data is expected to be read in multiples of a scanline */ ++ if (nrows) { + /* Cb,Cr both have sampling factors 1, so this is correct */ + JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width; + int samples_per_clump = sp->samplesperclump; +@@ -1087,8 +1094,7 @@ + * TODO: resolve this */ + buf += sp->bytesperline; + cc -= sp->bytesperline; +- nrows -= sp->v_sampling; +- } while (nrows > 0); ++ } while (--nrows > 0); + + #ifdef JPEG_LIB_MK1 + _TIFFfree(tmpbuf); +diff -Nur tiff-3.9.2/libtiff/tif_strip.c tiff-3.9.2.new/libtiff/tif_strip.c +--- tiff-3.9.2/libtiff/tif_strip.c 2011-03-03 13:41:54.000000000 -0500 ++++ tiff-3.9.2.new/libtiff/tif_strip.c 2011-03-03 13:42:03.000000000 -0500 +@@ -238,23 +238,19 @@ + ycbcrsubsampling + 0, + ycbcrsubsampling + 1); + +- if (ycbcrsubsampling[0] == 0) { ++ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Invalid YCbCr subsampling"); + return 0; + } + +- scanline = TIFFroundup(td->td_imagewidth, ++ /* number of sample clumps per line */ ++ scanline = TIFFhowmany(td->td_imagewidth, + ycbcrsubsampling[0]); +- scanline = TIFFhowmany8(multiply(tif, scanline, +- td->td_bitspersample, +- "TIFFScanlineSize")); +- return ((tsize_t) +- summarize(tif, scanline, +- multiply(tif, 2, +- scanline / ycbcrsubsampling[0], +- "TIFFVStripSize"), +- "TIFFVStripSize")); ++ /* number of samples per line */ ++ scanline = multiply(tif, scanline, ++ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2, ++ "TIFFScanlineSize"); + } else { + scanline = multiply(tif, td->td_imagewidth, + td->td_samplesperpixel, only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2012-2113.patch +++ tiff-3.9.2/debian/patches/CVE-2012-2113.patch @@ -0,0 +1,258 @@ +Description: fix possible arbitrary code execution via integer + overflows in tiff2pdf +Origin: thanks to Red Hat +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=810551 + +Index: tiff-3.9.2/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiff2pdf.c 2012-07-04 11:03:28.007658433 -0400 ++++ tiff-3.9.2/tools/tiff2pdf.c 2012-07-04 11:18:56.251682200 -0400 +@@ -44,6 +44,7 @@ + # include + #endif + ++#include "tiffiop.h" + #include "tiffio.h" + + #ifndef HAVE_GETOPT +@@ -414,6 +415,34 @@ + (void) handle, (void) data, (void) offset; + } + ++static uint64 ++checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p) ++{ ++ uint64 bytes = summand1 + summand2; ++ ++ if (bytes - summand1 != summand2) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ bytes = 0; ++ } ++ ++ return bytes; ++} ++ ++static uint64 ++checkMultiply64(uint64 first, uint64 second, T2P* t2p) ++{ ++ uint64 bytes = first * second; ++ ++ if (second && bytes / second != first) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ bytes = 0; ++ } ++ ++ return bytes; ++} ++ + /* + + This is the main function. +@@ -1828,9 +1857,7 @@ + tstrip_t i=0; + tstrip_t stripcount=0; + #endif +-#ifdef OJPEG_SUPPORT +- tsize_t k = 0; +-#endif ++ uint64 k = 0; + + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ + #ifdef CCITT_SUPPORT +@@ -1858,19 +1885,25 @@ + } + stripcount=TIFFNumberOfStrips(input); + for(i=0;itiff_dataoffset))){ + if(t2p->tiff_dataoffset != 0){ + if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ + if(t2p->tiff_datasize < k) { +- t2p->pdf_ojpegiflength=t2p->tiff_datasize; +- t2p->tiff_datasize+=k; +- t2p->tiff_datasize+=6; +- t2p->tiff_datasize+=2*stripcount; + TIFFWarning(TIFF2PDF_MODULE, + "Input file %s has short JPEG interchange file byte count", + TIFFFileName(input)); ++ t2p->pdf_ojpegiflength=t2p->tiff_datasize; ++ k = checkAdd64(k, t2p->tiff_datasize, t2p); ++ k = checkAdd64(k, 6, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + return; +@@ -1883,9 +1916,14 @@ + } + } + } +- t2p->tiff_datasize+=k; +- t2p->tiff_datasize+=2*stripcount; +- t2p->tiff_datasize+=2048; ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, 2048, t2p); ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + #endif +@@ -1894,11 +1932,11 @@ + uint32 count = 0; + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ + if(count > 4){ +- t2p->tiff_datasize += count; +- t2p->tiff_datasize -= 2; /* don't use EOI of header */ ++ k += count; ++ k -= 2; /* don't use EOI of header */ + } + } else { +- t2p->tiff_datasize = 2; /* SOI for first strip */ ++ k = 2; /* SOI for first strip */ + } + stripcount=TIFFNumberOfStrips(input); + if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){ +@@ -1909,17 +1947,32 @@ + return; + } + for(i=0;itiff_datasize += sbc[i]; +- t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */ ++ k = checkAdd64(k, sbc[i], t2p); ++ k -=4; /* don't use SOI or EOI of strip */ ++ } ++ k = checkAdd64(k, 2, t2p); /* use EOI of last strip */ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } +- t2p->tiff_datasize +=2; /* use EOI of last strip */ + } + #endif + (void) 0; + } +- t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length; ++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); + if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ +- t2p->tiff_datasize*= t2p->tiff_samplesperpixel; ++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ++ } ++ if (k == 0) { ++ /* Assume we had overflow inside TIFFScanlineSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } ++ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } + + return; +@@ -1937,6 +1990,7 @@ + #ifdef JPEG_SUPPORT + unsigned char* jpt; + #endif ++ uint64 k; + + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); +@@ -1948,14 +2002,17 @@ + #endif + ){ + t2p->tiff_datasize=TIFFTileSize(input); ++ if (t2p->tiff_datasize == 0) { ++ /* Assume we had overflow inside TIFFTileSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } else { + TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); +- t2p->tiff_datasize=tbc[tile]; ++ k=tbc[tile]; + #ifdef OJPEG_SUPPORT + if(t2p->tiff_compression==COMPRESSION_OJPEG){ +- t2p->tiff_datasize+=2048; +- return; ++ k = checkAdd64(k, 2048, t2p); + } + #endif + #ifdef JPEG_SUPPORT +@@ -1963,18 +2020,35 @@ + uint32 count = 0; + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){ + if(count > 4){ +- t2p->tiff_datasize += count; +- t2p->tiff_datasize -= 4; /* don't use EOI of header or SOI of tile */ ++ k = checkAdd64(k, count, t2p); ++ k -= 4; /* don't use EOI of header or SOI of tile */ ++ ++ + } + } + } + #endif ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + } +- t2p->tiff_datasize=TIFFTileSize(input); ++ k = TIFFTileSize(input); + if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ +- t2p->tiff_datasize*= t2p->tiff_samplesperpixel; ++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ++ } ++ if (k == 0) { ++ /* Assume we had overflow inside TIFFTileSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } ++ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } + + return; +@@ -2067,6 +2141,10 @@ + uint32 max_striplength=0; + #endif + ++ /* Fail if prior error (in particular, can't trust tiff_datasize) */ ++ if (t2p->t2p_error != T2P_ERR_OK) ++ return(0); ++ + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ + #ifdef CCITT_SUPPORT + if(t2p->pdf_compression == T2P_COMPRESS_G4){ +@@ -2640,6 +2718,10 @@ + uint32 xuint32=0; + #endif + ++ /* Fail if prior error (in particular, can't trust tiff_datasize) */ ++ if (t2p->t2p_error != T2P_ERR_OK) ++ return(0); ++ + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2013-1960.patch +++ tiff-3.9.2/debian/patches/CVE-2013-1960.patch @@ -0,0 +1,150 @@ +Description: fix denial of service and possible code execution via heap + overflow in tp_process_jpeg_strip() +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=736501 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=952158 + +Index: tiff-3.9.2/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.2.orig/tools/tiff2pdf.c 2013-05-13 11:13:27.271586053 -0400 ++++ tiff-3.9.2/tools/tiff2pdf.c 2013-05-13 11:14:01.099587113 -0400 +@@ -3393,30 +3393,56 @@ + uint32 height){ + + tsize_t i=0; +- uint16 ri =0; +- uint16 v_samp=1; +- uint16 h_samp=1; +- int j=0; +- +- i++; +- +- while(i<(*striplength)){ ++ ++ while (i < *striplength) { ++ tsize_t datalen; ++ uint16 ri; ++ uint16 v_samp; ++ uint16 h_samp; ++ int j; ++ int ncomp; ++ ++ /* marker header: one or more FFs */ ++ if (strip[i] != 0xff) ++ return(0); ++ i++; ++ while (i < *striplength && strip[i] == 0xff) ++ i++; ++ if (i >= *striplength) ++ return(0); ++ /* SOI is the only pre-SOS marker without a length word */ ++ if (strip[i] == 0xd8) ++ datalen = 0; ++ else { ++ if ((*striplength - i) <= 2) ++ return(0); ++ datalen = (strip[i+1] << 8) | strip[i+2]; ++ if (datalen < 2 || datalen >= (*striplength - i)) ++ return(0); ++ } + switch( strip[i] ){ +- case 0xd8: +- i+=2; ++ case 0xd8: /* SOI - start of image */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); ++ *bufferoffset+=2; + break; +- case 0xc0: +- case 0xc1: +- case 0xc3: +- case 0xc9: +- case 0xca: ++ case 0xc0: /* SOF0 */ ++ case 0xc1: /* SOF1 */ ++ case 0xc3: /* SOF3 */ ++ case 0xc9: /* SOF9 */ ++ case 0xca: /* SOF10 */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- for(j=0;j>4) > h_samp) +- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); +- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) +- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ ncomp = buffer[*bufferoffset+9]; ++ if (ncomp < 1 || ncomp > 4) ++ return(0); ++ v_samp=1; ++ h_samp=1; ++ for(j=0;j>4) > h_samp) ++ h_samp = (samp>>4); ++ if( (samp & 0x0f) > v_samp) ++ v_samp = (samp & 0x0f); + } + v_samp*=8; + h_samp*=8; +@@ -3430,45 +3456,43 @@ + (unsigned char) ((height>>8) & 0xff); + buffer[*bufferoffset+6]= + (unsigned char) (height & 0xff); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; +- ++ *bufferoffset+=datalen+2; ++ /* insert a DRI marker */ + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]=0xdd; + buffer[(*bufferoffset)++]=0x00; + buffer[(*bufferoffset)++]=0x04; + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; + buffer[(*bufferoffset)++]= ri & 0xff; +- } else { +- i+=strip[i+2]+2; + } + break; +- case 0xc4: +- case 0xdb: +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ case 0xc4: /* DHT */ ++ case 0xdb: /* DQT */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + break; +- case 0xda: ++ case 0xda: /* SOS */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + } else { + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]= + (unsigned char)(0xd0 | ((no-1)%8)); +- i+=strip[i+2]+2; + } +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); +- *bufferoffset+=(*striplength)-i-1; ++ i += datalen + 1; ++ /* copy remainder of strip */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); ++ *bufferoffset+= *striplength - i; + return(1); + default: +- i+=strip[i+2]+2; ++ /* ignore any other marker */ ++ break; + } ++ i += datalen + 1; + } +- + ++ /* failed to find SOS marker */ + return(0); + } + #endif only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-2595.patch +++ tiff-3.9.2/debian/patches/CVE-2010-2595.patch @@ -0,0 +1,30 @@ +Description: fix denial of service via invalid ReferenceBlackWhite values +Origin: upstream, libtiff/tif_color.c r1.12.2.2 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2208 + +diff -Nur tiff-3.9.2/libtiff/tif_color.c tiff-3.9.2.new/libtiff/tif_color.c +--- tiff-3.9.2/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500 ++++ tiff-3.9.2.new/libtiff/tif_color.c 2011-03-03 13:38:51.000000000 -0500 +@@ -183,13 +183,18 @@ + TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, + uint32 *r, uint32 *g, uint32 *b) + { ++ int32 i; ++ + /* XXX: Only 8-bit YCbCr input supported for now */ + Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); + +- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; +- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] +- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; +- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; ++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; ++ *r = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] ++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); ++ *g = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; ++ *b = CLAMP(i, 0, 255); + } + + /* only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-2482.patch +++ tiff-3.9.2/debian/patches/CVE-2010-2482.patch @@ -0,0 +1,50 @@ +Description: fix denial of service via invalid td_stripbytecount field +Origin: upstream, r1.24.2.7, r1.14.2.5 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=1996 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/597246 + +diff -Nur tiff-3.9.2/libtiff/tif_ojpeg.c tiff-3.9.2.new/libtiff/tif_ojpeg.c +--- tiff-3.9.2/libtiff/tif_ojpeg.c 2011-03-03 13:36:06.000000000 -0500 ++++ tiff-3.9.2.new/libtiff/tif_ojpeg.c 2011-03-03 13:36:23.000000000 -0500 +@@ -1918,8 +1918,14 @@ + { + if (sp->in_buffer_file_pos>=sp->file_size) + sp->in_buffer_file_pos=0; ++ else if (sp->tif->tif_dir.td_stripbytecount==NULL) ++ sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos; + else + { ++ if (sp->tif->tif_dir.td_stripbytecount == 0) { ++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing"); ++ return(0); ++ } + sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; + if (sp->in_buffer_file_togo==0) + sp->in_buffer_file_pos=0; +diff -Nur tiff-3.9.2/tools/tiffsplit.c tiff-3.9.2.new/tools/tiffsplit.c +--- tiff-3.9.2/tools/tiffsplit.c 2009-01-21 11:28:57.000000000 -0500 ++++ tiff-3.9.2.new/tools/tiffsplit.c 2011-03-03 13:36:26.000000000 -0500 +@@ -237,7 +237,10 @@ + tstrip_t s, ns = TIFFNumberOfStrips(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n"); ++ return (0); ++ } + for (s = 0; s < ns; s++) { + if (bytecounts[s] > (uint32)bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]); +@@ -267,7 +270,10 @@ + ttile_t t, nt = TIFFNumberOfTiles(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n"); ++ return (0); ++ } + for (t = 0; t < nt; t++) { + if (bytecounts[t] > (uint32) bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]); only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-11.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-11.patch @@ -0,0 +1,94 @@ +Backport of: + +From 147b2698c84004fe2da93c0fc7177a7c3797533d Mon Sep 17 00:00:00 2001 +From: erouault +Date: Mon, 2 Mar 2015 16:16:38 +0000 +Subject: [PATCH] * tools/tiffdither.c: check memory allocations to avoid + writing to NULL pointer. Also check multiplication overflow. Fixes #2501, + CVE-2014-8128. Derived from patch by Petr Gajdos. + +--- + ChangeLog | 6 ++++++ + tools/tiffdither.c | 21 ++++++++++++++++----- + 2 files changed, 22 insertions(+), 5 deletions(-) + +Index: tiff-3.9.5/tools/tiffdither.c +=================================================================== +--- tiff-3.9.5.orig/tools/tiffdither.c 2015-03-30 08:29:12.635045306 -0400 ++++ tiff-3.9.5/tools/tiffdither.c 2015-03-30 08:29:38.667271319 -0400 +@@ -35,6 +35,7 @@ + #endif + + #include "tiffio.h" ++#include "tiffiop.h" + + #define streq(a,b) (strcmp(a,b) == 0) + #define strneq(a,b,n) (strncmp(a,b,n) == 0) +@@ -52,7 +53,7 @@ + * Floyd-Steinberg error propragation with threshold. + * This code is stolen from tiffmedian. + */ +-static void ++static int + fsdither(TIFF* in, TIFF* out) + { + unsigned char *outline, *inputline, *inptr; +@@ -64,20 +65,26 @@ + int lastline, lastpixel; + int bit; + tsize_t outlinesize; ++ int errcode = 0; + + imax = imagelength - 1; + jmax = imagewidth - 1; + inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); +- thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); +- nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); ++ thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tsize_t, imagewidth, sizeof (short))); ++ nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tsize_t, imagewidth, sizeof (short))); + outlinesize = TIFFScanlineSize(out); + outline = (unsigned char *) _TIFFmalloc(outlinesize); ++ if (! (inputline && thisline && nextline && outline)) { ++ fprintf(stderr, "Out of memory.\n"); ++ goto skip_on_error; ++ } + + /* + * Get first line + */ + if (TIFFReadScanline(in, inputline, 0, 0) <= 0) +- return; ++ goto skip_on_error; ++ + inptr = inputline; + nextptr = nextline; + for (j = 0; j < imagewidth; ++j) +@@ -88,7 +95,7 @@ + nextline = tmpptr; + lastline = (i == imax); + if (TIFFReadScanline(in, inputline, i, 0) <= 0) +- break; ++ goto skip_on_error; + inptr = inputline; + nextptr = nextline; + for (j = 0; j < imagewidth; ++j) +@@ -126,12 +133,18 @@ + } + } + if (TIFFWriteScanline(out, outline, i-1, 0) < 0) +- break; ++ goto skip_on_error; + } ++ goto exit_label; ++ ++ skip_on_error: ++ errcode = 1; ++ exit_label: + _TIFFfree(inputline); + _TIFFfree(thisline); + _TIFFfree(nextline); + _TIFFfree(outline); ++ return errcode; + } + + static uint16 compression = COMPRESSION_PACKBITS; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2012-2088.patch +++ tiff-3.9.2/debian/patches/CVE-2012-2088.patch @@ -0,0 +1,133 @@ +Description: fix possible arbitrary code execution via buffer overflow + due to type-conversion flaw +Origin: thanks to Red Hat +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=832864 + +Index: tiff-3.9.5/libtiff/tif_strip.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_strip.c 2011-01-03 23:31:28.000000000 -0500 ++++ tiff-3.9.5/libtiff/tif_strip.c 2012-07-04 10:08:25.007573859 -0400 +@@ -107,6 +107,7 @@ + TIFFVStripSize(TIFF* tif, uint32 nrows) + { + TIFFDirectory *td = &tif->tif_dir; ++ uint32 stripsize; + + if (nrows == (uint32) -1) + nrows = td->td_imagelength; +@@ -122,7 +123,7 @@ + * YCbCr data for the extended image. + */ + uint16 ycbcrsubsampling[2]; +- tsize_t w, scanline, samplingarea; ++ uint32 w, scanline, samplingarea; + + TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, + ycbcrsubsampling + 0, +@@ -141,13 +142,27 @@ + nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); + /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ + scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); +- return ((tsize_t) +- summarize(tif, scanline, +- multiply(tif, 2, scanline / samplingarea, +- "TIFFVStripSize"), "TIFFVStripSize")); ++ /* a zero anywhere in here means overflow, must return zero */ ++ if (scanline > 0) { ++ uint32 extra = ++ multiply(tif, 2, scanline / samplingarea, ++ "TIFFVStripSize"); ++ if (extra > 0) ++ stripsize = summarize(tif, scanline, extra, ++ "TIFFVStripSize"); ++ else ++ stripsize = 0; ++ } else ++ stripsize = 0; + } else +- return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), +- "TIFFVStripSize")); ++ stripsize = multiply(tif, nrows, TIFFScanlineSize(tif), ++ "TIFFVStripSize"); ++ /* Because tsize_t is signed, we might have conversion overflow */ ++ if (((tsize_t) stripsize) < 0) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize"); ++ stripsize = 0; ++ } ++ return (tsize_t) stripsize; + } + + +Index: tiff-3.9.5/libtiff/tif_tile.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_tile.c 2010-06-08 14:50:43.000000000 -0400 ++++ tiff-3.9.5/libtiff/tif_tile.c 2012-07-04 10:08:25.007573859 -0400 +@@ -174,7 +174,7 @@ + TIFFTileRowSize(TIFF* tif) + { + TIFFDirectory *td = &tif->tif_dir; +- tsize_t rowsize; ++ uint32 rowsize; + + if (td->td_tilelength == 0 || td->td_tilewidth == 0) + return ((tsize_t) 0); +@@ -193,7 +193,7 @@ + TIFFVTileSize(TIFF* tif, uint32 nrows) + { + TIFFDirectory *td = &tif->tif_dir; +- tsize_t tilesize; ++ uint32 tilesize; + + if (td->td_tilelength == 0 || td->td_tilewidth == 0 || + td->td_tiledepth == 0) +@@ -209,12 +209,12 @@ + * horizontal/vertical subsampling area include + * YCbCr data for the extended image. + */ +- tsize_t w = ++ uint32 w = + TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); +- tsize_t rowsize = ++ uint32 rowsize = + TIFFhowmany8(multiply(tif, w, td->td_bitspersample, + "TIFFVTileSize")); +- tsize_t samplingarea = ++ uint32 samplingarea = + td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; + if (samplingarea == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); +@@ -223,15 +223,27 @@ + nrows = TIFFroundup(nrows, td->td_ycbcrsubsampling[1]); + /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ + tilesize = multiply(tif, nrows, rowsize, "TIFFVTileSize"); +- tilesize = summarize(tif, tilesize, +- multiply(tif, 2, tilesize / samplingarea, +- "TIFFVTileSize"), ++ /* a zero anywhere in here means overflow, must return zero */ ++ if (tilesize > 0) { ++ uint32 extra = ++ multiply(tif, 2, tilesize / samplingarea, + "TIFFVTileSize"); ++ if (extra > 0) ++ tilesize = summarize(tif, tilesize, extra, ++ "TIFFVTileSize"); ++ else ++ tilesize = 0; ++ } + } else + tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), + "TIFFVTileSize"); +- return ((tsize_t) +- multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); ++ tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"); ++ /* Because tsize_t is signed, we might have conversion overflow */ ++ if (((tsize_t) tilesize) < 0) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize"); ++ tilesize = 0; ++ } ++ return (tsize_t) tilesize; + } + + /* only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2013-4231.patch +++ tiff-3.9.2/debian/patches/CVE-2013-4231.patch @@ -0,0 +1,18 @@ +Description: fix denial of service via buffer overflow in gif2tiff +Origin: upstream, cvs diff -u -r 1.12 -r 1.13 tools/gif2tiff.c +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719303 + +Index: tiff-3.9.5/tools/gif2tiff.c +=================================================================== +--- tiff-3.9.5.orig/tools/gif2tiff.c 2014-05-05 15:36:53.936705281 -0400 ++++ tiff-3.9.5/tools/gif2tiff.c 2014-05-05 15:36:53.928705281 -0400 +@@ -329,6 +329,8 @@ + int status = 1; + + datasize = getc(infile); ++ if (datasize > 12) ++ return 0; + clear = 1 << datasize; + eoi = clear + 1; + avail = clear + 2; only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2010-2597.patch +++ tiff-3.9.2/debian/patches/CVE-2010-2597.patch @@ -0,0 +1,47 @@ +Description: fix denial of service via devide-by-zero +Origin: upstream, r1.19.2.3 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2215 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/593067 + +diff -Nur tiff-3.9.2/libtiff/tif_strip.c tiff-3.9.2.new/libtiff/tif_strip.c +--- tiff-3.9.2/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500 ++++ tiff-3.9.2.new/libtiff/tif_strip.c 2011-03-03 13:39:49.000000000 -0500 +@@ -124,9 +124,9 @@ + uint16 ycbcrsubsampling[2]; + tsize_t w, scanline, samplingarea; + +- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1 ); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; + if (samplingarea == 0) { +@@ -234,9 +234,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +@@ -308,9 +308,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2012-4564.patch +++ tiff-3.9.2/debian/patches/CVE-2012-4564.patch @@ -0,0 +1,34 @@ +Description: fix denial of service and possible code execution via crafted PPM image +Origin: backport, ppm2tiff.c,v 1.17 + +Index: tiff-3.9.5/tools/ppm2tiff.c +=================================================================== +--- tiff-3.9.5.orig/tools/ppm2tiff.c 2012-11-14 11:38:04.607867919 -0500 ++++ tiff-3.9.5/tools/ppm2tiff.c 2012-11-14 11:38:17.603868253 -0500 +@@ -85,6 +85,7 @@ + int c; + extern int optind; + extern char* optarg; ++ tsize_t scanline_size; + + if (argc < 2) { + fprintf(stderr, "%s: Too few arguments\n", argv[0]); +@@ -233,8 +234,16 @@ + } + if (TIFFScanlineSize(out) > linebytes) + buf = (unsigned char *)_TIFFmalloc(linebytes); +- else +- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ else { ++ scanline_size = TIFFScanlineSize(out); ++ if (scanline_size != 0) ++ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ else { ++ fprintf(stderr, "%s: scanline size overflow\n",infile); ++ (void) TIFFClose(out); ++ exit(-2); ++ } ++ } + if (resolution > 0) { + TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); + TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); only in patch2: unchanged: --- tiff-3.9.2.orig/debian/patches/CVE-2014-81xx-10.patch +++ tiff-3.9.2/debian/patches/CVE-2014-81xx-10.patch @@ -0,0 +1,43 @@ +From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Tue, 23 Dec 2014 10:15:35 +0000 +Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a + uint64 value with <= 0 by casting it to int64 first. This solves crashing bug + on corrupted images generated by afl. + +--- + ChangeLog | 6 ++++++ + libtiff/tif_read.c | 6 +++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +Index: tiff-3.9.5/libtiff/tif_read.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_read.c 2015-03-30 07:50:30.550858302 -0400 ++++ tiff-3.9.5/libtiff/tif_read.c 2015-03-30 07:51:56.627609221 -0400 +@@ -243,7 +243,7 @@ + return ((tsize_t) -1); + } + bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%lu: Invalid strip byte count, strip %lu", + (unsigned long) bytecount, (unsigned long) strip); +@@ -273,7 +273,7 @@ + * So we are using uint32 instead of tsize_t here. + */ + uint32 bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Invalid strip byte count %lu, strip %lu", + tif->tif_name, (unsigned long) bytecount, +@@ -508,7 +508,7 @@ + * So we are using uint32 instead of tsize_t here. + */ + uint32 bytecount = td->td_stripbytecount[tile]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%lu: Invalid tile byte count, tile %lu", + (unsigned long) bytecount, (unsigned long) tile);