debian/0000755000000000000000000000000013441511056007166 5ustar debian/libtiff5.symbols0000644000000000000000000002164112256047746012325 0ustar libtiff.so.5 libtiff5 #MINVER# LIBTIFF_4.0@LIBTIFF_4.0 4.0.3 LogL10fromY@LIBTIFF_4.0 4.0.3 LogL10toY@LIBTIFF_4.0 4.0.3 LogL16fromY@LIBTIFF_4.0 4.0.3 LogL16toY@LIBTIFF_4.0 4.0.3 LogLuv24fromXYZ@LIBTIFF_4.0 4.0.3 LogLuv24toXYZ@LIBTIFF_4.0 4.0.3 LogLuv32fromXYZ@LIBTIFF_4.0 4.0.3 LogLuv32toXYZ@LIBTIFF_4.0 4.0.3 TIFFAccessTagMethods@LIBTIFF_4.0 4.0.3 TIFFCIELabToRGBInit@LIBTIFF_4.0 4.0.3 TIFFCIELabToXYZ@LIBTIFF_4.0 4.0.3 TIFFCheckTile@LIBTIFF_4.0 4.0.3 TIFFCheckpointDirectory@LIBTIFF_4.0 4.0.3 TIFFCleanup@LIBTIFF_4.0 4.0.3 TIFFClientOpen@LIBTIFF_4.0 4.0.3 TIFFClientdata@LIBTIFF_4.0 4.0.3 TIFFClose@LIBTIFF_4.0 4.0.3 TIFFComputeStrip@LIBTIFF_4.0 4.0.3 TIFFComputeTile@LIBTIFF_4.0 4.0.3 TIFFCreateCustomDirectory@LIBTIFF_4.0 4.0.3 TIFFCreateDirectory@LIBTIFF_4.0 4.0.3 TIFFCreateEXIFDirectory@LIBTIFF_4.0 4.0.3 TIFFCurrentDirOffset@LIBTIFF_4.0 4.0.3 TIFFCurrentDirectory@LIBTIFF_4.0 4.0.3 TIFFCurrentRow@LIBTIFF_4.0 4.0.3 TIFFCurrentStrip@LIBTIFF_4.0 4.0.3 TIFFCurrentTile@LIBTIFF_4.0 4.0.3 TIFFDataWidth@LIBTIFF_4.0 4.0.3 TIFFDefaultDirectory@LIBTIFF_4.0 4.0.3 TIFFDefaultStripSize@LIBTIFF_4.0 4.0.3 TIFFDefaultTileSize@LIBTIFF_4.0 4.0.3 TIFFError@LIBTIFF_4.0 4.0.3 TIFFErrorExt@LIBTIFF_4.0 4.0.3 TIFFFaxBlackCodes@LIBTIFF_4.0 4.0.3 TIFFFaxBlackTable@LIBTIFF_4.0 4.0.3 TIFFFaxMainTable@LIBTIFF_4.0 4.0.3 TIFFFaxWhiteCodes@LIBTIFF_4.0 4.0.3 TIFFFaxWhiteTable@LIBTIFF_4.0 4.0.3 TIFFFdOpen@LIBTIFF_4.0 4.0.3 TIFFFieldDataType@LIBTIFF_4.0 4.0.3 TIFFFieldName@LIBTIFF_4.0 4.0.3 TIFFFieldPassCount@LIBTIFF_4.0 4.0.3 TIFFFieldReadCount@LIBTIFF_4.0 4.0.3 TIFFFieldTag@LIBTIFF_4.0 4.0.3 TIFFFieldWithName@LIBTIFF_4.0 4.0.3 TIFFFieldWithTag@LIBTIFF_4.0 4.0.3 TIFFFieldWriteCount@LIBTIFF_4.0 4.0.3 TIFFFileName@LIBTIFF_4.0 4.0.3 TIFFFileno@LIBTIFF_4.0 4.0.3 TIFFFillStrip@LIBTIFF_4.0 4.0.3 TIFFFillTile@LIBTIFF_4.0 4.0.3 TIFFFindCODEC@LIBTIFF_4.0 4.0.3 
TIFFFindField@LIBTIFF_4.0 4.0.3 TIFFFlush@LIBTIFF_4.0 4.0.3 TIFFFlushData1@LIBTIFF_4.0 4.0.3 TIFFFlushData@LIBTIFF_4.0 4.0.3 TIFFFreeDirectory@LIBTIFF_4.0 4.0.3 TIFFGetBitRevTable@LIBTIFF_4.0 4.0.3 TIFFGetClientInfo@LIBTIFF_4.0 4.0.3 TIFFGetCloseProc@LIBTIFF_4.0 4.0.3 TIFFGetConfiguredCODECs@LIBTIFF_4.0 4.0.3 TIFFGetField@LIBTIFF_4.0 4.0.3 TIFFGetFieldDefaulted@LIBTIFF_4.0 4.0.3 TIFFGetMapFileProc@LIBTIFF_4.0 4.0.3 TIFFGetMode@LIBTIFF_4.0 4.0.3 TIFFGetReadProc@LIBTIFF_4.0 4.0.3 TIFFGetSeekProc@LIBTIFF_4.0 4.0.3 TIFFGetSizeProc@LIBTIFF_4.0 4.0.3 TIFFGetTagListCount@LIBTIFF_4.0 4.0.3 TIFFGetTagListEntry@LIBTIFF_4.0 4.0.3 TIFFGetUnmapFileProc@LIBTIFF_4.0 4.0.3 TIFFGetVersion@LIBTIFF_4.0 4.0.3 TIFFGetWriteProc@LIBTIFF_4.0 4.0.3 TIFFInitCCITTFax3@LIBTIFF_4.0 4.0.3 TIFFInitCCITTFax4@LIBTIFF_4.0 4.0.3 TIFFInitCCITTRLE@LIBTIFF_4.0 4.0.3 TIFFInitCCITTRLEW@LIBTIFF_4.0 4.0.3 TIFFInitDumpMode@LIBTIFF_4.0 4.0.3 TIFFInitJBIG@LIBTIFF_4.0 4.0.3 TIFFInitJPEG@LIBTIFF_4.0 4.0.3 TIFFInitLZMA@LIBTIFF_4.0 4.0.3 TIFFInitLZW@LIBTIFF_4.0 4.0.3 TIFFInitNeXT@LIBTIFF_4.0 4.0.3 TIFFInitOJPEG@LIBTIFF_4.0 4.0.3 TIFFInitPackBits@LIBTIFF_4.0 4.0.3 TIFFInitPixarLog@LIBTIFF_4.0 4.0.3 TIFFInitSGILog@LIBTIFF_4.0 4.0.3 TIFFInitThunderScan@LIBTIFF_4.0 4.0.3 TIFFInitZIP@LIBTIFF_4.0 4.0.3 TIFFIsBigEndian@LIBTIFF_4.0 4.0.3 TIFFIsByteSwapped@LIBTIFF_4.0 4.0.3 TIFFIsCODECConfigured@LIBTIFF_4.0 4.0.3 TIFFIsMSB2LSB@LIBTIFF_4.0 4.0.3 TIFFIsTiled@LIBTIFF_4.0 4.0.3 TIFFIsUpSampled@LIBTIFF_4.0 4.0.3 TIFFLastDirectory@LIBTIFF_4.0 4.0.3 TIFFMergeFieldInfo@LIBTIFF_4.0 4.0.3 TIFFNumberOfDirectories@LIBTIFF_4.0 4.0.3 TIFFNumberOfStrips@LIBTIFF_4.0 4.0.3 TIFFNumberOfTiles@LIBTIFF_4.0 4.0.3 TIFFOpen@LIBTIFF_4.0 4.0.3 TIFFPredictorCleanup@LIBTIFF_4.0 4.0.3 TIFFPredictorInit@LIBTIFF_4.0 4.0.3 TIFFPrintDirectory@LIBTIFF_4.0 4.0.3 TIFFRGBAImageBegin@LIBTIFF_4.0 4.0.3 TIFFRGBAImageEnd@LIBTIFF_4.0 4.0.3 TIFFRGBAImageGet@LIBTIFF_4.0 4.0.3 TIFFRGBAImageOK@LIBTIFF_4.0 4.0.3 TIFFRasterScanlineSize64@LIBTIFF_4.0 4.0.3 
TIFFRasterScanlineSize@LIBTIFF_4.0 4.0.3 TIFFRawStripSize64@LIBTIFF_4.0 4.0.3 TIFFRawStripSize@LIBTIFF_4.0 4.0.3 TIFFReadBufferSetup@LIBTIFF_4.0 4.0.3 TIFFReadCustomDirectory@LIBTIFF_4.0 4.0.3 TIFFReadDirectory@LIBTIFF_4.0 4.0.3 TIFFReadEXIFDirectory@LIBTIFF_4.0 4.0.3 TIFFReadEncodedStrip@LIBTIFF_4.0 4.0.3 TIFFReadEncodedTile@LIBTIFF_4.0 4.0.3 TIFFReadRGBAImage@LIBTIFF_4.0 4.0.3 TIFFReadRGBAImageOriented@LIBTIFF_4.0 4.0.3 TIFFReadRGBAStrip@LIBTIFF_4.0 4.0.3 TIFFReadRGBATile@LIBTIFF_4.0 4.0.3 TIFFReadRawStrip@LIBTIFF_4.0 4.0.3 TIFFReadRawTile@LIBTIFF_4.0 4.0.3 TIFFReadScanline@LIBTIFF_4.0 4.0.3 TIFFReadTile@LIBTIFF_4.0 4.0.3 TIFFRegisterCODEC@LIBTIFF_4.0 4.0.3 TIFFReverseBits@LIBTIFF_4.0 4.0.3 TIFFRewriteDirectory@LIBTIFF_4.0 4.0.3 TIFFScanlineSize64@LIBTIFF_4.0 4.0.3 TIFFScanlineSize@LIBTIFF_4.0 4.0.3 TIFFSetClientInfo@LIBTIFF_4.0 4.0.3 TIFFSetClientdata@LIBTIFF_4.0 4.0.3 TIFFSetCompressionScheme@LIBTIFF_4.0 4.0.3 TIFFSetDirectory@LIBTIFF_4.0 4.0.3 TIFFSetErrorHandler@LIBTIFF_4.0 4.0.3 TIFFSetErrorHandlerExt@LIBTIFF_4.0 4.0.3 TIFFSetField@LIBTIFF_4.0 4.0.3 TIFFSetFileName@LIBTIFF_4.0 4.0.3 TIFFSetFileno@LIBTIFF_4.0 4.0.3 TIFFSetMode@LIBTIFF_4.0 4.0.3 TIFFSetSubDirectory@LIBTIFF_4.0 4.0.3 TIFFSetTagExtender@LIBTIFF_4.0 4.0.3 TIFFSetWarningHandler@LIBTIFF_4.0 4.0.3 TIFFSetWarningHandlerExt@LIBTIFF_4.0 4.0.3 TIFFSetWriteOffset@LIBTIFF_4.0 4.0.3 TIFFSetupStrips@LIBTIFF_4.0 4.0.3 TIFFStripSize64@LIBTIFF_4.0 4.0.3 TIFFStripSize@LIBTIFF_4.0 4.0.3 TIFFSwabArrayOfDouble@LIBTIFF_4.0 4.0.3 TIFFSwabArrayOfFloat@LIBTIFF_4.0 4.0.3 TIFFSwabArrayOfLong8@LIBTIFF_4.0 4.0.3 TIFFSwabArrayOfLong@LIBTIFF_4.0 4.0.3 TIFFSwabArrayOfShort@LIBTIFF_4.0 4.0.3 TIFFSwabArrayOfTriples@LIBTIFF_4.0 4.0.3 TIFFSwabDouble@LIBTIFF_4.0 4.0.3 TIFFSwabFloat@LIBTIFF_4.0 4.0.3 TIFFSwabLong8@LIBTIFF_4.0 4.0.3 TIFFSwabLong@LIBTIFF_4.0 4.0.3 TIFFSwabShort@LIBTIFF_4.0 4.0.3 TIFFTileRowSize64@LIBTIFF_4.0 4.0.3 TIFFTileRowSize@LIBTIFF_4.0 4.0.3 TIFFTileSize64@LIBTIFF_4.0 4.0.3 TIFFTileSize@LIBTIFF_4.0 4.0.3 
TIFFUnRegisterCODEC@LIBTIFF_4.0 4.0.3 TIFFUnlinkDirectory@LIBTIFF_4.0 4.0.3 TIFFUnsetField@LIBTIFF_4.0 4.0.3 TIFFVGetField@LIBTIFF_4.0 4.0.3 TIFFVGetFieldDefaulted@LIBTIFF_4.0 4.0.3 TIFFVSetField@LIBTIFF_4.0 4.0.3 TIFFVStripSize64@LIBTIFF_4.0 4.0.3 TIFFVStripSize@LIBTIFF_4.0 4.0.3 TIFFVTileSize64@LIBTIFF_4.0 4.0.3 TIFFVTileSize@LIBTIFF_4.0 4.0.3 TIFFWarning@LIBTIFF_4.0 4.0.3 TIFFWarningExt@LIBTIFF_4.0 4.0.3 TIFFWriteBufferSetup@LIBTIFF_4.0 4.0.3 TIFFWriteCheck@LIBTIFF_4.0 4.0.3 TIFFWriteCustomDirectory@LIBTIFF_4.0 4.0.3 TIFFWriteDirectory@LIBTIFF_4.0 4.0.3 TIFFWriteEncodedStrip@LIBTIFF_4.0 4.0.3 TIFFWriteEncodedTile@LIBTIFF_4.0 4.0.3 TIFFWriteRawStrip@LIBTIFF_4.0 4.0.3 TIFFWriteRawTile@LIBTIFF_4.0 4.0.3 TIFFWriteScanline@LIBTIFF_4.0 4.0.3 TIFFWriteTile@LIBTIFF_4.0 4.0.3 TIFFXYZToRGB@LIBTIFF_4.0 4.0.3 TIFFYCbCrToRGBInit@LIBTIFF_4.0 4.0.3 TIFFYCbCrtoRGB@LIBTIFF_4.0 4.0.3 XYZtoRGB24@LIBTIFF_4.0 4.0.3 _TIFFBuiltinCODECS@LIBTIFF_4.0 4.0.3 _TIFFCheckMalloc@LIBTIFF_4.0 4.0.3 _TIFFCheckRealloc@LIBTIFF_4.0 4.0.3 _TIFFCreateAnonField@LIBTIFF_4.0 4.0.3 _TIFFDataSize@LIBTIFF_4.0 4.0.3 _TIFFDefaultStripSize@LIBTIFF_4.0 4.0.3 _TIFFDefaultTileSize@LIBTIFF_4.0 4.0.3 _TIFFFax3fillruns@LIBTIFF_4.0 4.0.3 _TIFFFillStriles@LIBTIFF_4.0 4.0.3 _TIFFFindFieldByName@LIBTIFF_4.0 4.0.3 _TIFFFindOrRegisterField@LIBTIFF_4.0 4.0.3 _TIFFGetExifFields@LIBTIFF_4.0 4.0.3 _TIFFGetFields@LIBTIFF_4.0 4.0.3 _TIFFMergeFields@LIBTIFF_4.0 4.0.3 _TIFFMultiply32@LIBTIFF_4.0 4.0.3 _TIFFMultiply64@LIBTIFF_4.0 4.0.3 _TIFFNoFixupTags@LIBTIFF_4.0 4.0.3 _TIFFNoPostDecode@LIBTIFF_4.0 4.0.3 _TIFFNoPreCode@LIBTIFF_4.0 4.0.3 _TIFFNoRowDecode@LIBTIFF_4.0 4.0.3 _TIFFNoRowEncode@LIBTIFF_4.0 4.0.3 _TIFFNoSeek@LIBTIFF_4.0 4.0.3 _TIFFNoStripDecode@LIBTIFF_4.0 4.0.3 _TIFFNoStripEncode@LIBTIFF_4.0 4.0.3 _TIFFNoTileDecode@LIBTIFF_4.0 4.0.3 _TIFFNoTileEncode@LIBTIFF_4.0 4.0.3 _TIFFPrintFieldInfo@LIBTIFF_4.0 4.0.3 _TIFFRewriteField@LIBTIFF_4.0 4.0.3 _TIFFSetDefaultCompressionState@LIBTIFF_4.0 4.0.3 _TIFFSetupFields@LIBTIFF_4.0 
4.0.3 _TIFFSwab16BitData@LIBTIFF_4.0 4.0.3 _TIFFSwab24BitData@LIBTIFF_4.0 4.0.3 _TIFFSwab32BitData@LIBTIFF_4.0 4.0.3 _TIFFSwab64BitData@LIBTIFF_4.0 4.0.3 _TIFFUInt64ToDouble@LIBTIFF_4.0 4.0.3 _TIFFUInt64ToFloat@LIBTIFF_4.0 4.0.3 _TIFFerrorHandler@LIBTIFF_4.0 4.0.3 _TIFFerrorHandlerExt@LIBTIFF_4.0 4.0.3 _TIFFfree@LIBTIFF_4.0 4.0.3 _TIFFgetMode@LIBTIFF_4.0 4.0.3 _TIFFmalloc@LIBTIFF_4.0 4.0.3 _TIFFmemcmp@LIBTIFF_4.0 4.0.3 _TIFFmemcpy@LIBTIFF_4.0 4.0.3 _TIFFmemset@LIBTIFF_4.0 4.0.3 _TIFFprintAscii@LIBTIFF_4.0 4.0.3 _TIFFprintAsciiTag@LIBTIFF_4.0 4.0.3 _TIFFrealloc@LIBTIFF_4.0 4.0.3 _TIFFsetByteArray@LIBTIFF_4.0 4.0.3 _TIFFsetDoubleArray@LIBTIFF_4.0 4.0.3 _TIFFsetFloatArray@LIBTIFF_4.0 4.0.3 _TIFFsetLong8Array@LIBTIFF_4.0 4.0.3 _TIFFsetLongArray@LIBTIFF_4.0 4.0.3 _TIFFsetNString@LIBTIFF_4.0 4.0.3 _TIFFsetShortArray@LIBTIFF_4.0 4.0.3 _TIFFsetString@LIBTIFF_4.0 4.0.3 _TIFFwarningHandler@LIBTIFF_4.0 4.0.3 _TIFFwarningHandlerExt@LIBTIFF_4.0 4.0.3 libport_dummy_function@LIBTIFF_4.0 4.0.3 uv_decode@LIBTIFF_4.0 4.0.3 uv_encode@LIBTIFF_4.0 4.0.3

debian/all-preinst0000644000000000000000000000012212256047746011353 0ustar
#!/bin/sh
set -e
if [ -h /usr/share/doc/PKG ]; then
    rm -f /usr/share/doc/PKG
fi

debian/README.Debian0000644000000000000000000000307312256047746011247 0ustar
Note that tiff 4.x packages libtiff5, while tiff 3.x packaged
libtiff4. During the libtiff4 -> libtiff5 transition, the tiff source
package is providing transitional packages for libtiff4-dev and
libtiff5-alt-dev. If you have a package with a build dependency on
libtiff-dev, you don't have to care about any of this. Otherwise, the
notes below describe what you should do to make sure your package is
ready for the transition.

 * If your package build-depends on libtiff-dev already, no action
   required; the release team will automatically schedule a rebuild of
   your package at the appropriate time.

 * If your package depends on libtiff4-dev but can work fine with tiff
   4.x (most packages), replace your dependency on libtiff4-dev with a
   new dependency on libtiff-dev.

 * If your package build-depends on libtiff5-dev or libtiff5-alt-dev
   and is known to work with both tiff 3.x and tiff 4.x (i.e., it does
   not use the BIGTIFF extensions in tiff 4.x), you can just change the
   build dependency to an unversioned libtiff-dev. You can also remove
   any special code that you may have added to your package to get it
   to find tiff in the non-standard location. If you were finding tiff
   with pkg-config, you shouldn't have to make any changes to your
   package other than the build dependency.

 * If your package build-depends on libtiff5-dev, you don't HAVE to do
   anything, but you may be helping yourself in the future if you
   change the build dependency to libtiff-dev (>> 4.0.3-6~).

 -- Jay Berkenbilt , Thu, 5 Dec 2013 12:55:17 -0500

debian/libtiffxx5.shlibs0000644000000000000000000000004512256047746012474 0ustar
libtiffxx 5 libtiffxx5 (>> 4.0.0-1~)

debian/rules0000755000000000000000000000236212256047746010266 0ustar
#!/usr/bin/make -f

# Enable all hardening options.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

# Variables used by cdbs
DEB_COMPRESS_EXCLUDE = html

CPPFLAGS += -D_REENTRANT
export CPPFLAGS

# Include cdbs rules files.
include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/autotools.mk
include /usr/share/cdbs/1/rules/autoreconf.mk

DEB_CONFIGURE_USER_FLAGS = --with-docdir="\$${prefix}/share/doc/libtiff-doc" \
	--libdir="\$${prefix}/lib/$(DEB_HOST_MULTIARCH)" \
	--includedir="\$${prefix}/include/$(DEB_HOST_MULTIARCH)" \
	--enable-ld-version-script

clean::
	$(RM) *.cdbs-config_list
	$(RM) debian/*.preinst

# tiffgt is in libtiff-opengl so libtiff-tools doesn't have to have
# all the X and opengl dependencies.
binary-post-install/libtiff-tools::
	$(RM) debian/libtiff-tools/usr/bin/tiffgt
	$(RM) debian/libtiff-tools/usr/share/man/man1/tiffgt.1*

# Empty dependency_libs from all .la files
binary-post-install/libtiff5-dev::
	sed -i "s,^dependency_libs=.*,dependency_libs=''," \
	   debian/libtiff5-dev/usr/lib/*/*.la

# Create preinst
binary-post-install/%::
	if [ "$*" != "libtiff5" ]; then \
	   sed -e s/PKG/$*/g < debian/all-preinst > debian/$*.preinst; \
	fi

debian/libtiff-tools.install0000644000000000000000000000006112256047746013345 0ustar
debian/tmp/usr/bin
debian/tmp/usr/share/man/man1

debian/control0000644000000000000000000000756512331760457010616 0ustar
Source: tiff
Section: libs
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Jay Berkenbilt
Build-Depends: cdbs (>= 0.4.106~), debhelper (>> 9), dh-autoreconf, dpkg-dev (>= 1.16.1~), autotools-dev, zlib1g-dev, libjpeg-dev, libxmu-dev, libglu1-mesa-dev, freeglut3-dev, libxi-dev, libjbig-dev, liblzma-dev
Standards-Version: 3.9.5
Homepage: http://libtiff.maptools.org

Package: libtiff5
Architecture: any
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: Tag Image File Format (TIFF) library
 libtiff is a library providing support for the Tag Image File Format
 (TIFF), a widely used format for storing image data. This package
 includes the shared library.

Package: libtiffxx5
Architecture: any
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: Tag Image File Format (TIFF) library -- C++ interface
 libtiff is a library providing support for the Tag Image File Format
 (TIFF), a widely used format for storing image data. This package
 includes the shared library for the experimental C++ interfaces.

Package: libtiff5-dev
Section: libdevel
Architecture: any
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, libtiff5 (= ${binary:Version}), libtiffxx5 (= ${binary:Version}), libc6-dev | libc-dev, zlib1g-dev, libjpeg-dev, libjbig-dev, liblzma-dev
Replaces: libtiff5-alt-dev (<< 4.0.3-6~), libtiff4-dev (<< 4.0.3-6~)
Conflicts: libtiff5-alt-dev (<< 4.0.3-6~), libtiff4-dev (<< 4.0.3-6~)
Provides: libtiff-dev
Description: Tag Image File Format library (TIFF), development files
 libtiff is a library providing support for the Tag Image File Format
 (TIFF), a widely used format for storing image data. This package
 includes the development files, static library, and header files.

Package: libtiff-tools
Section: graphics
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends}
Suggests: libtiff-opengl
Description: TIFF manipulation and conversion tools
 libtiff is a library providing support for the Tag Image File Format
 (TIFF), a widely used format for storing image data. This package
 includes tools for converting TIFF images to and from other formats
 and tools for doing simple manipulations of TIFF images. See also
 libtiff-opengl.

Package: libtiff-opengl
Section: graphics
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: TIFF manipulation and conversion tools
 libtiff is a library providing support for the Tag Image File Format
 (TIFF), a widely used format for storing image data. This package
 contains libtiff tools that depend upon opengl. It complements the
 libtiff-tools package, which contains the libtiff tools that don't
 depend upon opengl.

Package: libtiff-doc
Section: doc
Depends: ${misc:Depends}
Architecture: all
Description: TIFF manipulation and conversion documentation
 libtiff is a library providing support for the Tag Image File Format
 (TIFF), a widely used format for storing image data. This package
 contains documentation.

Package: libtiff5-alt-dev
Section: oldlibs
Priority: extra
Architecture: any
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, libtiff5-dev (>> 4.0.3-6~)
Description: Tag Image File Format library (TIFF), transitional package
 This is a transitional package that can be safely removed. Build
 dependencies on libtiff5-alt-dev should be replaced with build
 dependencies on libtiff-dev.

Package: libtiff4-dev
Section: oldlibs
Priority: extra
Architecture: any
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, libtiff5-dev (>> 4.0.3-6~)
Description: Tag Image File Format library (TIFF), transitional package
 This is a transitional package that can be safely removed. Build
 dependencies on libtiff4-dev should be replaced with build
 dependencies on libtiff-dev.

debian/libtiff-opengl.install0000644000000000000000000000010112256047746013464 0ustar
debian/tmp/usr/bin/tiffgt
debian/tmp/usr/share/man/man1/tiffgt.1

debian/libtiff5-dev.install0000644000000000000000000000025212256047746013052 0ustar
debian/tmp/usr/lib/*/lib*.so
debian/tmp/usr/lib/*/lib*.a
debian/tmp/usr/lib/*/lib*.la
debian/tmp/usr/lib/*/pkgconfig
debian/tmp/usr/include
debian/tmp/usr/share/man/man3

debian/watch0000644000000000000000000000010212256047746010225 0ustar
version=3
http://download.osgeo.org/libtiff/tiff-([\d\.]+).tar.gz

debian/libtiff-doc.install0000644000000000000000000000005212256047746012752 0ustar
debian/tmp/usr/share/doc/libtiff-doc/html

debian/patches/0000755000000000000000000000000013441511054010613 5ustar
debian/patches/CVE-2016-9540.patch0000644000000000000000000000356313054072705013252 0ustar
From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001
From: erouault Date: Sat, 8 Oct 2016 15:54:56 +0000 Subject: [PATCH] * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd tile width vs image width. Reported as MSVR 35103 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. --- ChangeLog | 7 +++++++ tools/tiffcp.c | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 8b57d1b..d38f3a5 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,12 @@ # 2016-10-08 Even Rouault # #+ * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd #+ tile width vs image width. Reported as MSVR 35103 #+ by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & #+ Mitigations team. #+ #+2016-10-08 Even Rouault #+ # * tools/tiff2pdf.c: fix read -largely- outsize of buffer in # t2p_readwrite_pdf_image_tile(), causing crash, when reading a # JPEG compressed image with TIFFTAG_JPEGTABLES length being one. Index: tiff-4.0.3/tools/tiffcp.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcp.c 2017-02-24 13:04:51.613111479 -0500 +++ tiff-4.0.3/tools/tiffcp.c 2017-02-24 13:04:51.613111479 -0500 @@ -1332,7 +1332,7 @@ uint32 colb = 0; uint32 col; - for (col = 0; col < imagewidth; col += tw) { + for (col = 0; col < imagewidth && colb < imagew; col += tw) { if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0 && !ignore) { TIFFError(TIFFFileName(in), 
@@ -1517,7 +1517,7 @@ uint32 colb = 0; uint32 col; - for (col = 0; col < imagewidth; col += tw) { + for (col = 0; col < imagewidth && colb < imagew; col += tw) { /* * Tile is clipped horizontally. Calculate * visible portion and skewing factors. debian/patches/CVE-2015-7554.patch0000644000000000000000000000250213054071063013240 0ustar Description: fix DoS via crafted field data in an extension tag Origin: vendor, https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-7554.patch Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2564 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809066 diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c --- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200 +++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100 @@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out) TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); } } + uint32 count = 0; CopyField(TIFFTAG_PHOTOMETRIC, shortv); - CopyField(TIFFTAG_PREDICTOR, shortv); + CopyField2(TIFFTAG_PREDICTOR, count, shortv); CopyField(TIFFTAG_THRESHHOLDING, shortv); CopyField(TIFFTAG_FILLORDER, shortv); CopyField(TIFFTAG_ORIENTATION, shortv); @@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out) CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); CopyField(TIFFTAG_XRESOLUTION, floatv); CopyField(TIFFTAG_YRESOLUTION, floatv); - CopyField(TIFFTAG_GROUP3OPTIONS, longv); + CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); CopyField(TIFFTAG_GROUP4OPTIONS, longv); CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); CopyField(TIFFTAG_PLANARCONFIG, shortv); debian/patches/CVE-2016-5652.patch0000644000000000000000000000462513054071402013243 0ustar From b5d6803f0898e931cf772d3d0755704ab8488e63 Mon Sep 17 00:00:00 2001 
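Review bot: in both tools/tiffcp.c hunks of CVE-2016-9540.patch (@@ -1332 and @@ -1517), the added colb < imagew condition ends the tile loop silently while col < imagewidth still holds, so an input whose tile width does not fit its image width produces a truncated row with no diagnostic. Report that case after the loop, for example through TIFFError(TIFFFileName(in), ...) as the context line in the first hunk already does for a failed TIFFReadTile, or at least put a comment on the for line saying why a second bound is needed.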
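Review bot: in the @@ -179,8 +179,9 @@ hunk of CVE-2015-7554.patch, uint32 count = 0; is declared in the middle of tiffcp()'s statements, right after a block whose context line already passes a different count to TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table). Move the declaration to the top of the function so the file still builds with C89 compilers, and give it a distinct name or a comment so it is not confused with the inner variable. The diff paths are tiff-4.0.4 while the other patches in this series apply to tiff-4.0.3, so confirm that CopyField2 is defined in this version of tools/tiffsplit.c; neither hunk shows it.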
From: erouault Date: Sun, 9 Oct 2016 11:03:36 +0000 Subject: [PATCH] * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG compressed images. Reported by Tyler Bohan of Cisco Talos as TALOS-CAN-0187 / CVE-2016-5652. Also prevents writing 2 extra uninitialized bytes to the file stream. --- ChangeLog | 7 +++++++ tools/tiff2pdf.c | 17 ++++++++++------- 2 files changed, 17 insertions(+), 7 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index d38f3a5..d6e718d 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2016-10-09 Even Rouault #+ #+ * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG #+ compressed images. Reported by Tyler Bohan of Cisco Talos as #+ TALOS-CAN-0187 / CVE-2016-5652. #+ Also prevents writing 2 extra uninitialized bytes to the file stream. #+ # 2016-10-08 Even Rouault # # * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2017-02-24 12:53:03.308167665 -0500 +++ tiff-4.0.3/tools/tiff2pdf.c 2017-02-24 12:53:03.304167659 -0500 
@@ -2833,21 +2833,24 @@ return(0); } if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { - if (count >= 2) { - _TIFFmemcpy(buffer, jpt, count); + if (count >= 4) { + /* Ignore EOI marker of JpegTables */ + _TIFFmemcpy(buffer, jpt, count - 2); bufferoffset += count - 2; + /* Store last 2 bytes of the JpegTables */ table_end[0] = buffer[bufferoffset-2]; table_end[1] = buffer[bufferoffset-1]; - } - if (count >= 2) { xuint32 = bufferoffset; + bufferoffset -= 2; bufferoffset += TIFFReadRawTile( input, tile, - (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), + (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), -1); - buffer[xuint32-2]=table_end[0]; - buffer[xuint32-1]=table_end[1]; + /* Overwrite SOI marker of image scan with previously */ + /* saved end of JpegTables */ + buffer[xuint32-2]=table_end[0]; + buffer[xuint32-1]=table_end[1]; } else { bufferoffset += TIFFReadRawTile( input, debian/patches/CVE-2016-10092.patch0000644000000000000000000000312413054072767013325 0ustar Backport of: From 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a Mon Sep 17 00:00:00 2001 
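Review bot: in the tools/tiff2pdf.c hunk of CVE-2016-5652.patch (@@ -2833), the result of TIFFReadRawTile() is still added straight to bufferoffset in both branches, so a failed read that returns -1 decrements the offset and the buffer[xuint32-2] and buffer[xuint32-1] stores run anyway. Check the return value before adding it and bail out on error. The new count >= 4 threshold also needs a one-line comment saying what the four bytes are, and the _TIFFmemcpy(buffer, jpt, count - 2) copy relies on a buffer size check that this hunk does not show.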
From: erouault Date: Sat, 3 Dec 2016 11:35:56 +0000 Subject: [PATCH] * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so that the output buffer is correctly incremented to avoid write outside bounds. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 --- ChangeLog | 7 +++++++ tools/tiffcrop.c | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 5b23665..d6a416b 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,12 @@ # 2016-12-03 Even Rouault # #+ * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so #+ that the output buffer is correctly incremented to avoid write outside bounds. #+ Reported by Agostino Sarubbo. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 #+ #+2016-12-03 Even Rouault #+ # * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in # OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues. # Reported by Agostino Sarubbo. Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2017-02-24 13:05:01.321181782 -0500 +++ tiff-4.0.3/tools/tiffcrop.c 2017-02-24 13:05:21.901479078 -0500 @@ -3683,7 +3683,7 @@ (unsigned long) strip, (unsigned long)rows); return 0; } - bufp += bytes_read; + bufp += stripsize; } return 1; debian/patches/CVE-2016-9535-1.patch0000644000000000000000000002567713054072541013424 0ustar Backport of: From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001 
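Review bot: in the tools/tiffcrop.c hunk of CVE-2016-10092.patch (@@ -3683), bufp += stripsize; advances a full strip even when fewer bytes were read, so in -i mode the bytes between the end of the data read and the end of that strip's slot are never written by this loop. Zero-fill that remainder, or confirm the buffer is cleared when it is allocated, so stale memory does not reach the output. A comment that the increment is the allocation stride rather than the byte count would help, as would confirming that the buffer is sized for the number of strips times stripsize, since a final strip can be shorter than the others.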
From: erouault Date: Mon, 31 Oct 2016 17:24:26 +0000 Subject: [PATCH] * libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. --- ChangeLog | 9 +++ libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++--------------- libtiff/tif_predict.h | 6 +- 3 files changed, 121 insertions(+), 47 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index d33b472..0379c3b 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,12 @@ #+2016-10-31 Even Rouault #+ #+ * libtiff/tif_predict.h, libtiff/tif_predict.c: #+ Replace assertions by runtime checks to avoid assertions in debug mode, #+ or buffer overflows in release mode. Can happen when dealing with #+ unusual tile size like YCbCr with subsampling. Reported as MSVR 35105 #+ by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations #+ team. #+ # 2016-10-26 Even Rouault # # * tools/fax2tiff.c: fix segfault when specifying -r without Index: tiff-4.0.3/libtiff/tif_predict.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_predict.c 2017-02-24 12:56:48.123069183 -0500 +++ tiff-4.0.3/libtiff/tif_predict.c 2017-02-24 13:02:50.363949840 -0500 
@@ -34,16 +34,16 @@ #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data) -static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc); -static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); -static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); -static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); -static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); -static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc); -static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); -static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); -static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc); -static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc); +static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc); +static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); +static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); +static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc); +static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc); +static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc); +static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc); +static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc); +static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc); +static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc); static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s); static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s); static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s); @@ -248,13 +248,19 @@ case 0: ; \ } -static void +static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc) { tmsize_t stride = PredictorState(tif)->stride; char* cp = (char*) cp0; - assert((cc%stride)==0); + if((cc%stride)!=0) + { + TIFFErrorExt(tif->tif_clientdata, "horAcc8", + "%s", "(cc%stride)!=0"); + return 0; + } + if (cc > stride) { /* * Pipeline the most common cases. 
@@ -296,16 +302,22 @@ } while (cc>0); } } + return 1; } -static void +static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) { tmsize_t stride = PredictorState(tif)->stride; uint16* wp = (uint16*) cp0; tmsize_t wc = cc / 2; - assert((cc%(2*stride))==0); + if((cc%(2*stride))!=0) + { + TIFFErrorExt(tif->tif_clientdata, "horAcc16", + "%s", "cc%(2*stride))!=0"); + return 0; + } if (wc > stride) { TIFFSwabArrayOfShort(wp, wc); @@ -315,16 +327,22 @@ wc -= stride; } while (wc > 0); } + return 1; } -static void +static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) { tmsize_t stride = PredictorState(tif)->stride; uint16* wp = (uint16*) cp0; tmsize_t wc = cc / 2; - assert((cc%(2*stride))==0); + if((cc%(2*stride))!=0) + { + TIFFErrorExt(tif->tif_clientdata, "horAcc16", + "%s", "cc%(2*stride))!=0"); + return 0; + } if (wc > stride) { wc -= stride; @@ -333,16 +351,22 @@ wc -= stride; } while (wc > 0); } + return 1; } -static void +static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) { tmsize_t stride = PredictorState(tif)->stride; uint32* wp = (uint32*) cp0; tmsize_t wc = cc / 4; - assert((cc%(4*stride))==0); + if((cc%(4*stride))!=0) + { + TIFFErrorExt(tif->tif_clientdata, "horAcc32", + "%s", "cc%(4*stride))!=0"); + return 0; + } if (wc > stride) { TIFFSwabArrayOfLong(wp, wc); @@ -352,16 +376,22 @@ wc -= stride; } while (wc > 0); } + return 1; } -static void +static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) { tmsize_t stride = PredictorState(tif)->stride; uint32* wp = (uint32*) cp0; tmsize_t wc = cc / 4; - assert((cc%(4*stride))==0); + if((cc%(4*stride))!=0) + { + TIFFErrorExt(tif->tif_clientdata, "horAcc32", + "%s", "cc%(4*stride))!=0"); + return 0; + } if (wc > stride) { wc -= stride; @@ -370,12 +400,13 @@ wc -= stride; } while (wc > 0); } + return 1; } /* * Floating point predictor accumulation routine. */ -static void +static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc) { tmsize_t stride = PredictorState(tif)->stride; 
@@ -385,10 +416,15 @@ uint8 *cp = (uint8 *) cp0; uint8 *tmp = (uint8 *)_TIFFmalloc(cc); - assert((cc%(bps*stride))==0); + if(cc%(bps*stride)!=0) + { + TIFFErrorExt(tif->tif_clientdata, "fpAcc", + "%s", "cc%(bps*stride))!=0"); + return 0; + } if (!tmp) - return; + return 0; while (count > stride) { REPEAT4(stride, cp[stride] += cp[0]; cp++) @@ -409,6 +445,7 @@ } } _TIFFfree(tmp); + return 1; } /* @@ -424,8 +461,7 @@ assert(sp->decodepfunc != NULL); if ((*sp->decoderow)(tif, op0, occ0, s)) { - (*sp->decodepfunc)(tif, op0, occ0); - return 1; + return (*sp->decodepfunc)(tif, op0, occ0); } else return 0; } @@ -448,10 +484,16 @@ if ((*sp->decodetile)(tif, op0, occ0, s)) { tmsize_t rowsize = sp->rowsize; assert(rowsize > 0); - assert((occ0%rowsize)==0); + if((occ0%rowsize) !=0) + { + TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile", + "%s", "occ0%rowsize != 0"); + return 0; + } assert(sp->decodepfunc != NULL); while (occ0 > 0) { - (*sp->decodepfunc)(tif, op0, rowsize); + if( !(*sp->decodepfunc)(tif, op0, rowsize) ) + return 0; occ0 -= rowsize; op0 += rowsize; } @@ -460,14 +502,19 @@ return 0; } -static void +static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc) { TIFFPredictorState* sp = PredictorState(tif); tmsize_t stride = sp->stride; char* cp = (char*) cp0; - assert((cc%stride)==0); + if((cc%stride)!=0) + { + TIFFErrorExt(tif->tif_clientdata, "horDiff8", + "%s", "(cc%stride)!=0"); + return 0; + } if (cc > stride) { cc -= stride; @@ -505,9 +552,10 @@ } while ((cc -= stride) > 0); } } + return 1; } -static void +static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) { TIFFPredictorState* sp = PredictorState(tif); @@ -515,7 +563,12 @@ int16 *wp = (int16*) cp0; tmsize_t wc = cc/2; - assert((cc%(2*stride))==0); + if((cc%(2*stride))!=0) + { + TIFFErrorExt(tif->tif_clientdata, "horDiff8", + "%s", "(cc%(2*stride))!=0"); + return 0; + } if (wc > stride) { wc -= stride; 
@@ -525,9 +578,10 @@ wc -= stride; } while (wc > 0); } + return 1; } -static void +static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) { TIFFPredictorState* sp = PredictorState(tif); @@ -535,7 +589,12 @@ int32 *wp = (int32*) cp0; tmsize_t wc = cc/4; - assert((cc%(4*stride))==0); + if((cc%(4*stride))!=0) + { + TIFFErrorExt(tif->tif_clientdata, "horDiff32", + "%s", "(cc%(4*stride))!=0"); + return 0; + } if (wc > stride) { wc -= stride; @@ -545,12 +604,13 @@ wc -= stride; } while (wc > 0); } + return 1; } /* * Floating point predictor differencing routine. */ -static void +static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) { tmsize_t stride = PredictorState(tif)->stride; @@ -560,10 +620,14 @@ uint8 *cp = (uint8 *) cp0; uint8 *tmp = (uint8 *)_TIFFmalloc(cc); - assert((cc%(bps*stride))==0); - + if((cc%(bps*stride))!=0) + { + TIFFErrorExt(tif->tif_clientdata, "fpDiff", + "%s", "(cc%(bps*stride))!=0"); + return 0; + } if (!tmp) - return; + return 0; _TIFFmemcpy(tmp, cp0, cc); for (count = 0; count < wc; count++) { @@ -583,6 +647,7 @@ cp += cc - stride - 1; for (count = cc; count > stride; count -= stride) REPEAT4(stride, cp[stride] -= cp[0]; cp--) + return 1; } static int @@ -595,7 +660,8 @@ assert(sp->encoderow != NULL); /* XXX horizontal differencing alters user's data XXX */ - (*sp->encodepfunc)(tif, bp, cc); + if( !(*sp->encodepfunc)(tif, bp, cc) ) + return 0; return (*sp->encoderow)(tif, bp, cc, s); } @@ -630,7 +696,12 @@ rowsize = sp->rowsize; assert(rowsize > 0); - assert((cc0%rowsize)==0); + if((cc0%rowsize)!=0) + { + TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile", + "%s", "(cc0%rowsize)!=0"); + return 0; + } while (cc > 0) { (*sp->encodepfunc)(tif, bp, rowsize); cc -= rowsize; Index: tiff-4.0.3/libtiff/tif_predict.h =================================================================== --- tiff-4.0.3.orig/libtiff/tif_predict.h 2017-02-24 12:56:48.123069183 -0500 +++ tiff-4.0.3/libtiff/tif_predict.h 2017-02-24 12:56:48.123069183 -0500 
@@ -30,6 +30,8 @@ * ``Library-private'' Support for the Predictor Tag */ +typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size); + /* * Codecs that want to support the Predictor tag must place * this structure first in their private state block so that @@ -43,12 +45,12 @@ TIFFCodeMethod encoderow; /* parent codec encode/decode row */ TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */ TIFFCodeMethod encodetile; /* parent codec encode/decode tile */ - TIFFPostMethod encodepfunc; /* horizontal differencer */ + TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */ TIFFCodeMethod decoderow; /* parent codec encode/decode row */ TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */ TIFFCodeMethod decodetile; /* parent codec encode/decode tile */ - TIFFPostMethod decodepfunc; /* horizontal accumulator */ + TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */ TIFFVGetMethod vgetparent; /* super-class method */ TIFFVSetMethod vsetparent; /* super-class method */ debian/patches/CVE-2017-9935-1.patch0000644000000000000000000001456613254740730013430 0ustar Backport of: From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 
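Review bot: in the fpAcc hunk of libtiff/tif_predict.c (@@ -385,10 +416,15 @@) the new `cc%(bps*stride)!=0` test returns 0 after `tmp` has already been allocated by `_TIFFmalloc(cc)` on the context line above it, so the rejected-input path leaks `tmp`; the fpDiff hunk (@@ -560,10 +620,14 @@) has the same ordering. Declare `tmp` first, run the modulus test, and allocate only afterwards, or call `_TIFFfree(tmp)` before the early return. The fpAcc message string "cc%(bps*stride))!=0" also has an unbalanced parenthesis.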
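Review bot: the error added to horDiff16 in libtiff/tif_predict.c (@@ -515,7 +563,12 @@) is reported under the module name "horDiff8", copied from the hunk before it, so a log line for a 16-bit failure points at the wrong function. Pass "horDiff16" to TIFFErrorExt there, as the horDiff32 and fpDiff hunks do with their own names.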
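Review bot: PredictorEncodeTile in libtiff/tif_predict.c (@@ -630,7 +696,12 @@) still discards the differencer result, since the context line `(*sp->encodepfunc)(tif, bp, rowsize);` inside the `while (cc > 0)` loop is unchanged, while PredictorEncodeRow and PredictorDecodeTile now test the return value. Now that encodepfunc returns int, check it in this loop as well and return 0 on failure, so a rejected row is not passed on to the parent encoder.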
From: Brian May Date: Thu, 7 Dec 2017 07:46:47 +1100 Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 This vulnerability - at least for the supplied test case - is because we assume that a tiff will only have one transfer function that is the same for all pages. This is not required by the TIFF standards. We then read the transfer function for every page. Depending on the transfer function, we allocate either 2 or 4 bytes to the XREF buffer. We allocate this memory after we read in the transfer function for the page. For the first exploit - POC1, this file has 3 pages. For the first page we allocate 2 extra XREF entries. Then for the next page 2 more entries. Then for the last page the transfer function changes and we allocate 4 more entries. When we read the file into memory, we assume we have 4 bytes extra for each and every page (as per the last transfer function we read). Which is not correct, we only have 2 bytes extra for the first 2 pages. As a result, we end up writing past the end of the buffer. There are also some related issues that this also fixes. For example, TIFFGetField can return uninitialized pointer values, and the logic to detect a N=3 vs N=1 transfer function seemed rather strange. It is also strange that we declare the transfer functions to be of type float, when the standard says they are unsigned 16 bit values. This is fixed in another patch. This patch will check to ensure that the N value for every transfer function is the same for every page. If this changes, we abort with an error. In theory, we should perhaps check that the transfer function itself is identical for every page, however we don't do that due to the confusion of the type of the data in the transfer function. 
--- libtiff/tif_dir.c | 3 +++ tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++++++++++++++--------------------- 2 files changed, 47 insertions(+), 21 deletions(-) Index: tiff-4.0.3/libtiff/tif_dir.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dir.c 2018-03-22 10:43:06.858775164 -0400 +++ tiff-4.0.3/libtiff/tif_dir.c 2018-03-22 10:43:06.854775160 -0400 @@ -1034,6 +1034,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va if (td->td_samplesperpixel - td->td_extrasamples > 1) { *va_arg(ap, uint16**) = td->td_transferfunction[1]; *va_arg(ap, uint16**) = td->td_transferfunction[2]; + } else { + *va_arg(ap, uint16**) = NULL; + *va_arg(ap, uint16**) = NULL; } break; case TIFFTAG_REFERENCEBLACKWHITE: Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2018-03-22 10:43:06.858775164 -0400 +++ tiff-4.0.3/tools/tiff2pdf.c 2018-03-22 10:46:25.011035270 -0400 @@ -1035,6 +1035,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* uint16 pagen=0; uint16 paged=0; uint16 xuint16=0; + uint16 tiff_transferfunctioncount=0; + float* tiff_transferfunction[3]; directorycount=TIFFNumberOfDirectories(input); if(directorycount > TIFF_DIR_MAX) { 
@@ -1143,24 +1145,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* } #endif if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { - if(t2p->tiff_transferfunction[1] != - t2p->tiff_transferfunction[0]) { - t2p->tiff_transferfunctioncount = 3; - t2p->tiff_pages[i].page_extra += 4; - t2p->pdf_xrefcount += 4; - } else { - t2p->tiff_transferfunctioncount = 1; - t2p->tiff_pages[i].page_extra += 2; - t2p->pdf_xrefcount += 2; - } - if(t2p->pdf_minorversion < 2) - t2p->pdf_minorversion = 2; + &(tiff_transferfunction[0]), + &(tiff_transferfunction[1]), + &(tiff_transferfunction[2]))) { + + if((tiff_transferfunction[1] != (float*) NULL) && + (tiff_transferfunction[2] != (float*) NULL) + ) { + tiff_transferfunctioncount=3; + } else { + tiff_transferfunctioncount=1; + } } else { - t2p->tiff_transferfunctioncount=0; + tiff_transferfunctioncount=0; } + + if (i > 0){ + if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ + TIFFError( + TIFF2PDF_MODULE, + "Different transfer function on page %d", + i); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + } + + t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; + t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; + t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; + t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; + if(tiff_transferfunctioncount == 3){ + t2p->tiff_pages[i].page_extra += 4; + t2p->pdf_xrefcount += 4; + if(t2p->pdf_minorversion < 2) + t2p->pdf_minorversion = 2; + } else if (tiff_transferfunctioncount == 1){ + t2p->tiff_pages[i].page_extra += 2; + t2p->pdf_xrefcount += 2; + if(t2p->pdf_minorversion < 2) + t2p->pdf_minorversion = 2; + } + if( TIFFGetField( input, TIFFTAG_ICCPROFILE, 
@@ -1796,8 +1822,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* &(t2p->tiff_transferfunction[0]), &(t2p->tiff_transferfunction[1]), &(t2p->tiff_transferfunction[2]))) { - if(t2p->tiff_transferfunction[1] != - t2p->tiff_transferfunction[0]) { + if((t2p->tiff_transferfunction[1] != (float*) NULL) && + (t2p->tiff_transferfunction[2] != (float*) NULL) + ) { t2p->tiff_transferfunctioncount=3; } else { t2p->tiff_transferfunctioncount=1; debian/patches/CVE-2014-81xx-1.patch0000644000000000000000000002775612505326571013632 0ustar From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001 
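Review bot: in the t2p_read_tiff_init hunk of tools/tiff2pdf.c in CVE-2017-9935-1.patch (@@ -1143,24 +1145,48 @@) the new local `float* tiff_transferfunction[3]` is declared without an initializer, and when TIFFGetField returns 0 the else branch only sets `tiff_transferfunctioncount=0`, yet all three elements are copied into `t2p->tiff_transferfunction[0..2]` unconditionally a few lines later. For a page without a TransferFunction tag that stores indeterminate pointers in the T2P state. Initialize the array to NULL at its declaration (@@ -1035,6 +1035,8 @@), or copy the pointers only when the count is non-zero.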
From: erouault Date: Sun, 21 Dec 2014 15:15:31 +0000 Subject: [PATCH] Fix various crasher bugs on fuzzed images. * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1 * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * tools/tiffdump.c: fix crash due to overflow of entry count. --- ChangeLog | 19 +++++++++++++++++++ libtiff/tif_dir.c | 21 +++++++++++++++++++-- libtiff/tif_dirread.c | 17 +++++++++++++++++ libtiff/tif_getimage.c | 15 +++++++++++++++ libtiff/tif_next.c | 2 ++ tools/bmp2tiff.c | 15 +++++++++++++++ tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++ tools/tiffcrop.c | 7 ++++--- tools/tiffdump.c | 9 ++++++--- 9 files changed, 138 insertions(+), 8 deletions(-) Index: tiff-4.0.3/libtiff/tif_dir.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dir.c 2015-01-29 09:35:19.957065077 -0500 +++ tiff-4.0.3/libtiff/tif_dir.c 2015-01-29 09:35:19.945064976 -0500 @@ -160,6 +160,7 @@ TIFFDirectory* td = &tif->tif_dir; int status = 1; uint32 v32, i, v; + double dblval; char* s; const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); uint32 standard_tag = tag; 
@@ -283,10 +284,16 @@ setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); break; case TIFFTAG_XRESOLUTION: - td->td_xresolution = (float) va_arg(ap, double); + dblval = va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = (float) dblval; break; case TIFFTAG_YRESOLUTION: - td->td_yresolution = (float) va_arg(ap, double); + dblval = va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = (float) dblval; break; case TIFFTAG_PLANARCONFIG: v = (uint16) va_arg(ap, uint16_vap); @@ -693,6 +700,16 @@ va_end(ap); } return (0); +badvaluedouble: + { + const TIFFField* fip=TIFFFieldWithTag(tif,tag); + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Bad value %f for \"%s\" tag", + tif->tif_name, dblval, + fip ? fip->field_name : "Unknown"); + va_end(ap); + } + return (0); } /* Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2015-01-29 09:35:19.957065077 -0500 +++ tiff-4.0.3/libtiff/tif_dirread.c 2015-01-29 09:35:19.945064976 -0500 @@ -3430,6 +3430,8 @@ const TIFFField* fip; uint32 fii=FAILED_FII; toff_t nextdiroff; + int bitspersample_read = FALSE; + tif->tif_diroff=tif->tif_nextdiroff; if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) return 0; /* last offset or bad offset (IFD looping) */ @@ -3706,6 +3708,8 @@ } if (!TIFFSetField(tif,dp->tdir_tag,value)) goto bad; + if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) + bitspersample_read = TRUE; } break; case TIFFTAG_SMINSAMPLEVALUE: 
@@ -3763,6 +3767,19 @@ uint32 countrequired; uint32 incrementpersample; uint16* value=NULL; + /* It would be dangerous to instanciate those tag values */ + /* since if td_bitspersample has not yet been read (due to */ + /* unordered tags), it could be read afterwards with a */ + /* values greater than the default one (1), which may cause */ + /* crashes in user code */ + if( !bitspersample_read ) + { + fip = TIFFFieldWithTag(tif,dp->tdir_tag); + TIFFWarningExt(tif->tif_clientdata,module, + "Ignoring %s since BitsPerSample tag not found", + fip ? fip->field_name : "unknown tagname"); + continue; + } countpersample=(1L<tif_dir.td_bitspersample); if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) { Index: tiff-4.0.3/libtiff/tif_getimage.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_getimage.c 2015-01-29 09:35:19.957065077 -0500 +++ tiff-4.0.3/libtiff/tif_getimage.c 2015-01-29 09:35:19.949065010 -0500 @@ -182,8 +182,23 @@ "Planarconfiguration", td->td_planarconfig); return (0); } + if( td->td_samplesperpixel != 3 ) + { + sprintf(emsg, + "Sorry, can not handle image with %s=%d", + "Samples/pixel", td->td_samplesperpixel); + return 0; + } break; case PHOTOMETRIC_CIELAB: + if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) + { + sprintf(emsg, + "Sorry, can not handle image with %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "Bits/sample", td->td_bitspersample); + return 0; + } break; default: sprintf(emsg, "Sorry, can not handle image with %s=%d", Index: tiff-4.0.3/libtiff/tif_next.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_next.c 2015-01-29 09:35:19.957065077 -0500 +++ tiff-4.0.3/libtiff/tif_next.c 2015-01-29 09:35:19.949065010 -0500 
@@ -102,6 +102,8 @@ default: { uint32 npixels = 0, grey; uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; /* * The scanline is composed of a sequence of constant Index: tiff-4.0.3/tools/bmp2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/bmp2tiff.c 2015-01-29 09:35:19.957065077 -0500 +++ tiff-4.0.3/tools/bmp2tiff.c 2015-01-29 09:35:19.949065010 -0500 @@ -403,6 +403,13 @@ width = info_hdr.iWidth; length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; + if( width <= 0 || length <= 0 ) + { + TIFFError(infilename, + "Invalid dimensions of BMP file" ); + close(fd); + return -1; + } switch (info_hdr.iBitCount) { @@ -593,6 +600,14 @@ compr_size = file_hdr.iSize - file_hdr.iOffBits; uncompr_size = width * length; + /* Detect int overflow */ + if( uncompr_size / width != length ) + { + TIFFError(infilename, + "Invalid dimensions of BMP file" ); + close(fd); + return -1; + } comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); if (!comprbuf) { TIFFError(infilename, Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2015-01-29 09:35:19.957065077 -0500 +++ tiff-4.0.3/tools/tiff2pdf.c 2015-01-29 09:35:19.949065010 -0500 @@ -1165,6 +1165,15 @@ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) && (xuint16 == PLANARCONFIG_SEPARATE ) ){ TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); + if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) + { + TIFFError( + TIFF2PDF_MODULE, + "Invalid tile count, %s", + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->tiff_tiles[i].tiles_tilecount/= xuint16; } if( t2p->tiff_tiles[i].tiles_tilecount > 0){ 
@@ -1545,6 +1554,22 @@ #endif break; case PHOTOMETRIC_CIELAB: + if( t2p->tiff_samplesperpixel != 3){ + TIFFError( + TIFF2PDF_MODULE, + "Unsupported samplesperpixel = %d for CIELAB", + t2p->tiff_samplesperpixel); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if( t2p->tiff_bitspersample != 8){ + TIFFError( + TIFF2PDF_MODULE, + "Invalid bitspersample = %d for CIELAB", + t2p->tiff_bitspersample); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->pdf_labrange[0]= -127; t2p->pdf_labrange[1]= 127; t2p->pdf_labrange[2]= -127; @@ -1560,6 +1585,22 @@ t2p->pdf_colorspace=T2P_CS_LAB; break; case PHOTOMETRIC_ITULAB: + if( t2p->tiff_samplesperpixel != 3){ + TIFFError( + TIFF2PDF_MODULE, + "Unsupported samplesperpixel = %d for ITULAB", + t2p->tiff_samplesperpixel); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if( t2p->tiff_bitspersample != 8){ + TIFFError( + TIFF2PDF_MODULE, + "Invalid bitspersample = %d for ITULAB", + t2p->tiff_bitspersample); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->pdf_labrange[0]=-85; t2p->pdf_labrange[1]=85; t2p->pdf_labrange[2]=-75; Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2015-01-29 09:35:19.957065077 -0500 +++ tiff-4.0.3/tools/tiffcrop.c 2015-01-29 09:35:19.953065043 -0500 
@@ -1205,9 +1205,10 @@ tsize_t tilesize = TIFFTileSize(out); unsigned char *tilebuf = NULL; - TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); - TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); - TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); + if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || + !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || + !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) + return 1; tile_buffsize = tilesize; if (tilesize < (tsize_t)(tl * tile_rowsize)) Index: tiff-4.0.3/tools/tiffdump.c =================================================================== --- tiff-4.0.3.orig/tools/tiffdump.c 2015-01-29 09:35:19.957065077 -0500 +++ tiff-4.0.3/tools/tiffdump.c 2015-01-29 09:35:19.953065043 -0500 @@ -355,6 +355,8 @@ void* datamem; uint64 dataoffset; int datatruncated; + int datasizeoverflow; + tag = *(uint16*)dp; if (swabflag) TIFFSwabShort(&tag); @@ -393,13 +395,14 @@ else typewidth = datawidth[type]; datasize = count*typewidth; + datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); datafits = 1; datamem = dp; dataoffset = 0; datatruncated = 0; if (!bigtiff) { - if (datasize>4) + if (datasizeoverflow || datasize>4) { uint32 dataoffset32; datafits = 0; @@ -413,7 +416,7 @@ } else { - if (datasize>8) + if (datasizeoverflow || datasize>8) { datafits = 0; datamem = NULL; @@ -423,7 +426,7 @@ } dp += sizeof(uint64); } - if (datasize>0x10000) + if (datasizeoverflow || datasize>0x10000) { datatruncated = 1; count = 0x10000/typewidth; debian/patches/CVE-2014-81xx-2.patch0000644000000000000000000000376412505326574013627 0ustar From a42c3be7780cc90beef9ffd14255059baef7413a Mon Sep 17 00:00:00 2001 
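Review bot: the `dblval < 0` tests added for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION in libtiff/tif_dir.c in CVE-2014-81xx-1.patch (@@ -283,10 +284,16 @@) do not reject NaN, because an ordered comparison with NaN is false, so a NaN resolution is still cast to float and stored. If NaN should be refused along with negative values, write the test as `!(dblval >= 0)`. In the `badvaluedouble:` block (@@ -693,6 +700,16 @@) the new `const TIFFField* fip` shadows the `fip` declared at the top of the function; reuse the outer variable.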
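Review bot: in tools/tiff2pdf.c in CVE-2014-81xx-1.patch (@@ -1165,6 +1165,15 @@) the new `tiles_tilecount % xuint16` uses a divisor that is never validated: the result of `TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16)` on the context line above is ignored, and nothing in the hunk rules out `xuint16 == 0`, which would turn both the new modulus and the existing `/=` into a division by zero. Check the TIFFGetField return value and treat a zero SamplesPerPixel as the same "Invalid tile count" error.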
From: erouault Date: Sun, 21 Dec 2014 16:28:37 +0000 Subject: [PATCH] * tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none. Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480) Description: fix for Debian bug #741451 tiffcp crashes when converting JPEG-encoded TIFF to a different encoding (like none or lzw). For example this will probably fail: tiffcp -c none jpeg_encoded_file.tif output.tif The reason is that when the input file contains JPEG data, the tiffcp code forces conversion to RGB space. However, the output normally inherits YCbCr subsampling parameters from the input, which leads to a smaller working buffer than necessary. The buffer is subsequently overrun inside cpStripToTile() (called from writeBufferToContigTiles). Note that the resulting TIFF file would be scrambled even if tiffcp wouldn't crash, since the output file would contain RGB data interpreted as subsampled YCbCr values. This patch fixes the problem by forcing RGB space on the output TIF if the input is JPEG-encoded and output is *not* JPEG-encoded. Author: Tomasz Buchert --- ChangeLog | 21 +++++++++++++++++++++ tools/tiffcp.c | 6 ++++++ 2 files changed, 27 insertions(+) Index: tiff-4.0.3/tools/tiffcp.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcp.c 2015-01-29 09:35:31.797162827 -0500 +++ tiff-4.0.3/tools/tiffcp.c 2015-01-29 09:35:31.793162794 -0500 
@@ -629,6 +629,12 @@ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, samplesperpixel == 1 ? PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV); + else if (input_compression == COMPRESSION_JPEG && + samplesperpixel == 3 ) { + /* RGB conversion was forced above + hence the output will be of the same type */ + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB); + } else CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT); if (fillorder != 0) debian/patches/series0000644000000000000000000000426013441511050012026 0ustar opengl.patch CVE-2012-4564.patch CVE-2013-1960.patch CVE-2013-1961.patch CVE-2013-4231.patch CVE-2013-4232.patch CVE-2013-4244.patch CVE-2013-4243.patch CVE-2014-81xx-1.patch CVE-2014-81xx-2.patch CVE-2014-81xx-3.patch CVE-2014-81xx-4.patch CVE-2014-81xx-5.patch CVE-2014-81xx-6.patch CVE-2014-81xx-7.patch CVE-2014-81xx-8.patch CVE-2014-81xx-9.patch CVE-2014-81xx-10.patch CVE-2014-81xx-11.patch CVE-2014-9655-1.patch CVE-2014-9655-2.patch CVE-2014-9655-3.patch #CVE-2014-8128-5.patch read_overrun.patch estimatestripbytecounts_return_code.patch CVE-2014-8130.patch CVE-2015-8665-8683.patch CVE-2015-8781-8782-8783.patch CVE-2015-8784.patch CVE-2016-5314.patch CVE-2016-6223.patch CVE-2016-5321.patch CVE-2016-5323.patch CVE-2015-7554.patch CVE-2015-8668.patch CVE-2016-3622.patch CVE-2016-3623.patch CVE-2016-3632.patch CVE-2016-3658.patch CVE-2016-3945.patch CVE-2016-3990.patch CVE-2016-3991.patch CVE-2016-9453.patch CVE-2016-5652.patch CVE-2016-9273.patch CVE-2016-9532.patch CVE-2016-9533.patch CVE-2016-9535-1.patch CVE-2016-9535-2.patch CVE-2016-9538.patch CVE-2016-9539.patch CVE-2016-9540.patch CVE-2016-10092.patch CVE-2016-10093.patch CVE-2016-10094.patch CVE-2017-5225.patch CVE-2016-9297_and_CVE-2016-9448_correct.patch CVE-2016-10266.patch CVE-2016-10267.patch CVE-2016-10268.patch CVE-2016-10269.patch CVE-2016-10371.patch CVE-2017-7592.patch CVE-2017-7593.patch CVE-2017-7594-1.patch CVE-2017-7594-2.patch CVE-2017-7595.patch CVE-2017-7596_7597_7599_7600.patch CVE-2017-7598.patch 
CVE-2017-7601.patch CVE-2017-7602.patch CVE-2017-9403_9815.patch CVE-2017-9404.patch CVE-2017-9936.patch CVE-2017-10688.patch CVE-2017-11335.patch CVE-2017-12944.patch CVE-2017-13726.patch CVE-2017-13727.patch CVE-2017-18013.patch CVE-2018-5784.patch CVE-2016-3186.patch CVE-2016-5102.patch CVE-2016-5318.patch CVE-2017-5563_9117.patch CVE-2017-9935-1.patch CVE-2017-9935-2.patch CVE-2017-11613-1.patch CVE-2017-11613-2.patch CVE-2017-17095.patch CVE-2018-7456.patch CVE-2018-8905.patch CVE-2018-10963.patch CVE-2018-1710x.patch CVE-2018-18557.patch CVE-2018-18661.patch CVE-2018-10779.patch CVE-2018-12900-1.patch CVE-2018-12900-2.patch CVE-2018-17000.patch CVE-2018-19210-1.patch CVE-2018-19210-2.patch CVE-2019-6128.patch debian/patches/CVE-2018-18661.patch0000644000000000000000000000542613420115002013321 0ustar Backport of: From 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Tue, 30 Oct 2018 18:50:27 +0100 Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661 --- tools/tiff2bw.c | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) Index: tiff-4.0.3/tools/tiff2bw.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2bw.c 2019-01-17 10:06:38.931478263 -0500 +++ tiff-4.0.3/tools/tiff2bw.c 2019-01-17 10:06:38.931478263 -0500 @@ -40,6 +40,7 @@ #endif #include "tiffio.h" +#include "tiffiop.h" #define streq(a,b) (strcmp((a),(b)) == 0) #define strneq(a,b,n) (strncmp(a,b,n) == 0) @@ -214,6 +215,11 @@ main(int argc, char* argv[]) TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + if( !outbuf ) + { + fprintf(stderr, "Out of memory\n"); + return (-1); + } TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, TIFFDefaultStripSize(out, rowsperstrip)); 
@@ -237,6 +243,11 @@ main(int argc, char* argv[]) #undef CVT } inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); + if( !inbuf ) + { + fprintf(stderr, "Out of memory\n"); + return (-1); + } for (row = 0; row < h; row++) { if (TIFFReadScanline(in, inbuf, row, 0) < 0) break; @@ -247,6 +258,11 @@ main(int argc, char* argv[]) break; case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG): inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); + if( !inbuf ) + { + fprintf(stderr, "Out of memory\n"); + return (-1); + } for (row = 0; row < h; row++) { if (TIFFReadScanline(in, inbuf, row, 0) < 0) break; @@ -256,8 +272,16 @@ main(int argc, char* argv[]) } break; case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE): + { + tmsize_t inbufsize; rowsize = TIFFScanlineSize(in); - inbuf = (unsigned char *)_TIFFmalloc(3*rowsize); + inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize); + inbuf = (unsigned char *)_TIFFmalloc(inbufsize); + if( !inbuf ) + { + fprintf(stderr, "Out of memory\n"); + return (-1); + } for (row = 0; row < h; row++) { for (s = 0; s < 3; s++) if (TIFFReadScanline(in, @@ -269,6 +293,7 @@ main(int argc, char* argv[]) break; } break; + } } #undef pack TIFFClose(out); debian/patches/CVE-2015-8665-8683.patch0000644000000000000000000001013112674524043013657 0ustar From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 
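Review bot: in the PLANARCONFIG_SEPARATE case of tools/tiff2bw.c in CVE-2018-18661.patch (@@ -256,8 +272,16 @@) an overflow in `TIFFSafeMultiply(tmsize_t, 3, rowsize)` is signalled by a result of 0, and the hunk passes that value straight to `_TIFFmalloc(inbufsize)`. The `!inbuf` test only catches it where `_TIFFmalloc(0)` returns NULL, which in this package depends on CVE-2014-8130.patch being applied, and the user is then told "Out of memory" for what is an oversized scanline. Test `inbufsize == 0` before allocating and report it as its own error. The new `return (-1)` paths also leave main() without reaching the `TIFFClose(out)` at the end of the function.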
From: erouault Date: Sat, 26 Dec 2015 17:32:03 +0000 Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage interface in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and CVE-2015-8683 reported by zzf of Alibaba. --- ChangeLog | 8 ++++++++ libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- 2 files changed, 30 insertions(+), 13 deletions(-) Index: tiff-4.0.3/libtiff/tif_getimage.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_getimage.c 2016-03-23 10:13:42.728371661 -0400 +++ tiff-4.0.3/libtiff/tif_getimage.c 2016-03-23 10:13:42.724371614 -0400 @@ -182,20 +182,22 @@ "Planarconfiguration", td->td_planarconfig); return (0); } - if( td->td_samplesperpixel != 3 ) + if( td->td_samplesperpixel != 3 || colorchannels != 3 ) { sprintf(emsg, - "Sorry, can not handle image with %s=%d", - "Samples/pixel", td->td_samplesperpixel); + "Sorry, can not handle image with %s=%d, %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels); return 0; } break; case PHOTOMETRIC_CIELAB: - if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) + if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { sprintf(emsg, - "Sorry, can not handle image with %s=%d and %s=%d", + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels, "Bits/sample", td->td_bitspersample); return 0; } @@ -255,6 +257,9 @@ int colorchannels; uint16 *red_orig, *green_orig, *blue_orig; int n_color; + + if( !TIFFRGBAImageOK(tif, emsg) ) + return 0; /* Initialize to normal values */ img->row_offset = 0; 
@@ -2470,29 +2475,33 @@ case PHOTOMETRIC_RGB: switch (img->bitspersample) { case 8: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >= 4) img->put.contig = putRGBAAcontig8bittile; - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >= 4) { if (BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig8bittile; } - else + else if( img->samplesperpixel >= 3 ) img->put.contig = putRGBcontig8bittile; break; case 16: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBAAcontig16bittile; } - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img) && BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig16bittile; } - else + else if( img->samplesperpixel >=3 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBcontig16bittile; @@ -2501,7 +2510,7 @@ } break; case PHOTOMETRIC_SEPARATED: - if (buildMap(img)) { + if (img->samplesperpixel >=4 && buildMap(img)) { if (img->bitspersample == 8) { if (!img->Map) img->put.contig = putRGBcontig8bitCMYKtile; @@ -2597,7 +2606,7 @@ } break; case PHOTOMETRIC_CIELAB: - if (buildMap(img)) { + if (img->samplesperpixel == 3 && buildMap(img)) { if (img->bitspersample == 8) img->put.contig = initCIELabConversion(img); break; debian/patches/CVE-2016-5323.patch0000644000000000000000000000640513054071051013234 0ustar From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001 
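Review bot: the `TIFFRGBAImageOK()` call added to TIFFRGBAImageBegin() in libtiff/tif_getimage.c in CVE-2015-8665-8683.patch (@@ -255,6 +257,9 @@) returns before the "Initialize to normal values" assignments, so on this new failure path `img` is handed back with none of its fields set. A caller that runs TIFFRGBAImageEnd() after a failed Begin would then operate on indeterminate members; move the check below the initialisation, or document that `img` must not be used when 0 is returned.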
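Review bot: in the PHOTOMETRIC_RGB hunk of libtiff/tif_getimage.c in CVE-2015-8665-8683.patch (@@ -2470,29 +2475,33 @@) the final `else` branches become `else if( img->samplesperpixel >= 3 )`, so for an image with fewer samples no branch assigns `img->put.contig` and the switch falls through to `break` with no diagnostic. The hunk does not show how an unset `put.contig` is handled afterwards; confirm that the function's exit path treats it as failure, and consider adding an explicit error for the rejected sample counts so the caller gets a reason.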
From: erouault Date: Mon, 11 Jul 2016 21:38:31 +0000 Subject: [PATCH] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) --- ChangeLog | 2 +- tools/tiffcrop.c | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 4e0302f..62dc1b5 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -3,7 +3,7 @@ # * tools/tiffcrop.c: Avoid access outside of stack allocated array # on a tiled separate TIFF with more than 8 samples per pixel. # Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 #- (CVE-2016-5321, bugzilla #2558) #+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) # # 2016-07-10 Even Rouault # Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2017-02-24 12:49:27.622697661 -0500 +++ tiff-4.0.3/tools/tiffcrop.c 2017-02-24 12:49:27.618695600 -0500 @@ -3724,7 +3724,7 @@ matchbits = maskbits << (8 - src_bit - bps); /* load up next sample from each plane */ - for (s = 0; s < spp; s++) + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { src = in[s] + src_offset + src_byte; buff1 = ((*src) & matchbits) << (src_bit); @@ -3823,7 +3823,7 @@ src_bit = bit_offset % 8; matchbits = maskbits << (16 - src_bit - bps); - for (s = 0; s < spp; s++) + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { src = in[s] + src_offset + src_byte; if (little_endian) @@ -3933,7 +3933,7 @@ src_bit = bit_offset % 8; matchbits = maskbits << (32 - src_bit - bps); - for (s = 0; s < spp; s++) + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { src = in[s] + src_offset + src_byte; if (little_endian) @@ -4059,7 +4059,7 @@ src_bit = bit_offset % 8; matchbits = maskbits << (64 - src_bit - bps); - for (s = 0; s < spp; s++) + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { src = in[s] + src_offset + src_byte; if (little_endian) 
@@ -4249,7 +4249,7 @@ matchbits = maskbits << (8 - src_bit - bps); /* load up next sample from each plane */ - for (s = 0; s < spp; s++) + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { src = in[s] + src_offset + src_byte; buff1 = ((*src) & matchbits) << (src_bit); @@ -4348,7 +4348,7 @@ src_bit = bit_offset % 8; matchbits = maskbits << (16 - src_bit - bps); - for (s = 0; s < spp; s++) + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { src = in[s] + src_offset + src_byte; if (little_endian) @@ -4457,7 +4457,7 @@ src_bit = bit_offset % 8; matchbits = maskbits << (32 - src_bit - bps); - for (s = 0; s < spp; s++) + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { src = in[s] + src_offset + src_byte; if (little_endian) @@ -4583,7 +4583,7 @@ src_bit = bit_offset % 8; matchbits = maskbits << (64 - src_bit - bps); - for (s = 0; s < spp; s++) + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { src = in[s] + src_offset + src_byte; if (little_endian) debian/patches/CVE-2014-81xx-7.patch0000644000000000000000000000330612505326621013615 0ustar From 3996fa0f84f4a8b7e65fe4b8f0681711022034ea Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 21 Dec 2014 20:04:31 +0000 Subject: [PATCH] * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not worth the burden for those esoteric utilities. http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) --- ChangeLog | 7 +++++++ tools/pal2rgb.c | 2 +- tools/thumbnail.c | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c index bfe7899..3fc3de3 100644 --- a/tools/pal2rgb.c +++ b/tools/pal2rgb.c 
@@ -372,7 +372,7 @@ static struct cpTag { { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, - { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, diff --git a/tools/thumbnail.c b/tools/thumbnail.c index c50bbff..73f9c34 100644 --- a/tools/thumbnail.c +++ b/tools/thumbnail.c @@ -257,7 +257,7 @@ static struct cpTag { { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, - { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, debian/patches/CVE-2013-4244.patch0000644000000000000000000000116012256047746013244 0ustar Description: OOB write in gif2tiff Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468 Index: tiff-4.0.3/tools/gif2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400 +++ tiff-4.0.3/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400 @@ -400,6 +400,10 @@ } if (oldcode == -1) { + if (code >= clear) { + fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); + return 0; + } *(*fill)++ = suffix[code]; firstchar = oldcode = code; return 1; debian/patches/CVE-2014-8130.patch0000644000000000000000000000242412505326712013235 0ustar From 3c5eb8b1be544e41d2c336191bc4936300ad7543 Mon Sep 17 00:00:00 2001 
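Review bot: CVE-2016-5323.patch changes all eight sample loops in tools/tiffcrop.c to `for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)`, which stops the out-of-bounds read of `in[s]` but silently skips every sample past MAX_SAMPLES, so an image with more samples per pixel is still processed with no diagnostic. Reject `spp > MAX_SAMPLES` once with a TIFFError before these functions are reached, rather than clamping in each loop.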
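Review bot: in CVE-2013-4244.patch (tools/gif2tiff.c, @@ -400,6 +400,10 @@) the condition is `code >= clear` but the message printed is "code=%d is larger than clear=%d", which is false when `code == clear`. Word the message to match the test, for example "is not below clear". The bound is applied only in the `oldcode == -1` branch shown in the hunk; the patch does not show whether other `suffix[code]` accesses are bounded.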
From: bfriesen Date: Sun, 18 Nov 2012 17:51:52 +0000 Subject: [PATCH] * libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not require malloc() to return NULL pointer if requested allocation size is zero. Assure that _TIFFmalloc does. --- ChangeLog | 6 ++++++ libtiff/tif_unix.c | 3 +++ libtiff/tif_vms.c | 3 +++ libtiff/tif_win32.c | 3 +++ 4 files changed, 15 insertions(+) Index: tiff-4.0.3/libtiff/tif_unix.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_unix.c 2015-03-27 14:47:11.002353413 -0400 +++ tiff-4.0.3/libtiff/tif_unix.c 2015-03-27 14:47:10.998353377 -0400 @@ -257,6 +257,9 @@ void* _TIFFmalloc(tmsize_t s) { + if (s == 0) + return ((void *) NULL); + return (malloc((size_t) s)); } Index: tiff-4.0.3/libtiff/tif_win32.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_win32.c 2015-03-27 14:47:11.002353413 -0400 +++ tiff-4.0.3/libtiff/tif_win32.c 2015-03-27 14:47:10.998353377 -0400 @@ -329,6 +329,9 @@ void* _TIFFmalloc(tmsize_t s) { + if (s == 0) + return ((void *) NULL); + return (malloc((size_t) s)); } debian/patches/CVE-2018-12900-2.patch0000644000000000000000000000167513441511017013461 0ustar From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Mon, 11 Feb 2019 21:42:03 +0100 Subject: [PATCH] tiffcp.c: use INT_MAX --- tools/tiffcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: tiff-4.0.3/tools/tiffcp.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcp.c 2019-03-11 12:51:26.165035859 -0400 +++ tiff-4.0.3/tools/tiffcp.c 2019-03-11 12:51:26.153035809 -0400 @@ -43,6 +43,7 @@ #include #include #include +#include #include #include 
@@ -1394,7 +1395,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf uint32 row; uint16 bps, bytes_per_sample; - if (spp > (0x7fffffff / tilew)) + if (spp > (INT_MAX / tilew)) { TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); return 0; debian/patches/CVE-2018-18557.patch0000644000000000000000000000721613420114770013337 0ustar Backport of: From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sun, 14 Oct 2018 16:38:29 +0200 Subject: [PATCH] JBIG: fix potential out-of-bounds write in JBIGDecode() JBIGDecode doesn't check if the user provided buffer is large enough to store the JBIG decoded image, which can potentially cause out-of-bounds write in the buffer. This issue was reported and analyzed by Thomas Dullien. Also fixes a (harmless) potential use of uninitialized memory when tif->tif_rawsize > tif->tif_rawcc And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure that whole strip data is provided to JBIGDecode() --- libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------ libtiff/tif_read.c | 3 ++- 2 files changed, 28 insertions(+), 7 deletions(-) Index: tiff-4.0.6/libtiff/tif_jbig.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_jbig.c 2019-01-17 09:20:32.708435002 -0500 +++ tiff-4.0.6/libtiff/tif_jbig.c 2019-01-17 09:20:32.708435002 -0500 
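Review bot: The commit message and diffstat of CVE-2014-8130.patch list libtiff/tif_vms.c (3 lines) next to tif_unix.c and tif_win32.c, but the backport only carries the `_TIFFmalloc` hunks for the latter two. If the VMS file is left out on purpose, say so in the patch header; otherwise the `s == 0` check is missing for that platform.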
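Review bot: In the `@@ -1394,7 +1395,7 @@` hunk of tools/tiffcp.c (CVE-2018-12900-2.patch), `spp > (INT_MAX / tilew)` divides by `tilew`, and nothing in the hunk shows that `tilew` is non-zero at this point. Guard the division, for example `if (tilew && spp > (INT_MAX / tilew))`, so a zero tile row size cannot turn the overflow check itself into a division by zero.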
@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* struct jbg_dec_state decoder; int decodeStatus = 0; unsigned char* pImage = NULL; - (void) size, (void) s; + unsigned long decodedSize; + (void) s; if (isFillOrder(tif, tif->tif_dir.td_fillorder)) { - TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); + TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); } jbg_dec_init(&decoder); #if defined(HAVE_JBG_NEWLEN) - jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); + jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); /* * I do not check the return status of jbg_newlen because even if this * function fails it does not necessarily mean that decoding the image @@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* */ #endif /* HAVE_JBG_NEWLEN */ - decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, - (size_t)tif->tif_rawdatasize, NULL); + decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, + (size_t)tif->tif_rawcc, NULL); if (JBG_EOK != decodeStatus) { /* 
@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* return 0; } + decodedSize = jbg_dec_getsize(&decoder); + if( (tmsize_t)decodedSize < size ) + { + TIFFWarningExt(tif->tif_clientdata, "JBIG", + "Only decoded %lu bytes, whereas %lu requested", + decodedSize, (unsigned long)size); + } + else if( (tmsize_t)decodedSize > size ) + { + TIFFErrorExt(tif->tif_clientdata, "JBIG", + "Decoded %lu bytes, whereas %lu were requested", + decodedSize, (unsigned long)size); + jbg_dec_free(&decoder); + return 0; + } pImage = jbg_dec_getimage(&decoder, 0); - _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); + _TIFFmemcpy(buffer, pImage, decodedSize); jbg_dec_free(&decoder); + + tif->tif_rawcp += tif->tif_rawcc; + tif->tif_rawcc = 0; + return 1; } Index: tiff-4.0.6/libtiff/tif_read.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_read.c 2019-01-17 09:20:32.708435002 -0500 +++ tiff-4.0.6/libtiff/tif_read.c 2019-01-17 09:20:32.708435002 -0500 @@ -211,6 +211,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 s return 0; whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 || isMapped(tif); + if( td->td_compression == COMPRESSION_JBIG ) + { + /* Ideally plugins should have a way to declare they don't support + * chunk strip */ + whole_strip = 1; + } #else whole_strip = 1; #endif debian/patches/CVE-2017-7598.patch0000644000000000000000000000472413254204032013256 0ustar From 3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 Mon Sep 17 00:00:00 2001 
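Review bot: In `JBIGDecode` (libtiff/tif_jbig.c, CVE-2018-18557.patch), the `(tmsize_t)decodedSize < size` case only warns and the function then returns 1, so the caller gets a success code with the last `size - decodedSize` bytes of `buffer` left as they were before the call. Either zero that tail after the `_TIFFmemcpy` or treat a short decode as an error, the way the `decodedSize > size` branch does.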
From: erouault Date: Wed, 11 Jan 2017 13:28:01 +0000 Subject: [PATCH] * libtiff/tif_dirread.c: avoid division by floating point 0 in TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(), and return 0 in that case (instead of infinity as before presumably) Apparently some sanitizers do not like those divisions by zero. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644 --- ChangeLog | 8 ++++++++ libtiff/tif_dirread.c | 10 ++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 6a752cd5..722a405e 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,11 @@ #+2017-01-11 Even Rouault #+ #+ * libtiff/tif_dirread.c: avoid division by floating point 0 in #+ TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(), #+ and return 0 in that case (instead of infinity as before presumably) #+ Apparently some sanitizers do not like those divisions by zero. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644 #+ # 2017-01-11 Even Rouault # # * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2018-03-20 09:09:44.807090516 -0400 +++ tiff-4.0.3/libtiff/tif_dirread.c 2018-03-20 09:09:44.803090507 -0400 @@ -2898,7 +2898,10 @@ static enum TIFFReadDirEntryErr TIFFRead m.l = direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong(m.i,2); - if (m.i[0]==0) + /* Not completely sure what we should do when m.i[1]==0, but some */ + /* sanitizers do not like division by 0.0: */ + /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ + if (m.i[0]==0 || m.i[1]==0) *value=0.0; else *value=(double)m.i[0]/(double)m.i[1]; 
@@ -2926,7 +2929,10 @@ static enum TIFFReadDirEntryErr TIFFRead m.l=direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong(m.i,2); - if ((int32)m.i[0]==0) + /* Not completely sure what we should do when m.i[1]==0, but some */ + /* sanitizers do not like division by 0.0: */ + /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ + if ((int32)m.i[0]==0 || m.i[1]==0) *value=0.0; else *value=(double)((int32)m.i[0])/(double)m.i[1]; debian/patches/CVE-2016-10093.patch0000644000000000000000000000363513054073005013317 0ustar From 787c0ee906430b772f33ca50b97b8b5ca070faec Mon Sep 17 00:00:00 2001 From: erouault Date: Sat, 3 Dec 2016 16:40:01 +0000 Subject: [PATCH] * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 --- ChangeLog | 7 +++++++ tools/tiffcp.c | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 94be038..8ee76c0 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,12 @@ # 2016-12-03 Even Rouault # #+ * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based #+ buffer overflow. #+ Reported by Agostino Sarubbo. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 #+ #+2016-12-03 Even Rouault #+ # * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is # missing. # Reported by Agostino Sarubbo. Index: tiff-4.0.3/tools/tiffcp.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcp.c 2017-02-24 13:05:52.337458791 -0500 +++ tiff-4.0.3/tools/tiffcp.c 2017-02-24 13:05:52.337458791 -0500 @@ -1157,7 +1157,7 @@ static void cpStripToTile(uint8* out, uint8* in, - uint32 rows, uint32 cols, int outskew, int inskew) + uint32 rows, uint32 cols, int outskew, int64 inskew) { while (rows-- > 0) { uint32 j = cols; 
@@ -1314,7 +1314,7 @@ tdata_t tilebuf; uint32 imagew = TIFFScanlineSize(in); uint32 tilew = TIFFTileRowSize(in); - int iskew = imagew - tilew; + int64 iskew = (int64)imagew - (int64)tilew; uint8* bufp = (uint8*) buf; uint32 tw, tl; uint32 row; @@ -1342,7 +1342,7 @@ status = 0; goto done; } - if (colb + tilew > imagew) { + if (colb > iskew) { uint32 width = imagew - colb; uint32 oskew = tilew - width; cpStripToTile(bufp + colb, debian/patches/CVE-2014-81xx-6.patch0000644000000000000000000000156312505326615013622 0ustar From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 21 Dec 2014 19:53:59 +0000 Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) --- ChangeLog | 5 +++++ tools/thumbnail.c | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/tools/thumbnail.c b/tools/thumbnail.c index fab63f6..c50bbff 100644 --- a/tools/thumbnail.c +++ b/tools/thumbnail.c @@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh) err -= limit; sy++; if (err >= limit) - rows[nrows++] = br + bpr*sy; + { + /* We should perhaps error loudly, but I can't make sense of that */ + /* code... */ + if( nrows == 256 ) + break; + rows[nrows++] = br + bpr*sy; + } } setrow(row, nrows, rows); row += tnw; debian/patches/CVE-2016-9538.patch0000644000000000000000000000577313054072665013273 0ustar Backport of: From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001 
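Review bot: In the `@@ -1342,7 +1342,7 @@` hunk of tools/tiffcp.c (CVE-2016-10093.patch), once `iskew` is negative (tile row wider than the scanline) `colb > iskew` is true for every column, and the next line still computes `uint32 width = imagew - colb;` in unsigned arithmetic with nothing visible here bounding `colb` by `imagew`. Add an explicit `colb <= imagew` check, or error out, before that subtraction so the wrap removed from the comparison does not reappear in `width` and `oskew`.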
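Review bot: In `setImage1` (tools/thumbnail.c, CVE-2014-81xx-6.patch), the new `if( nrows == 256 ) break;` hard-codes what is presumably the capacity of `rows[]` and leaves the loop silently, after which `setrow(row, nrows, rows)` runs on a truncated row set. Derive the limit from the array itself (`sizeof(rows)/sizeof(rows[0])`) or from a named constant shared with the declaration, and emit a warning when the cap is hit, so the bound cannot drift from the array size and clipped output is visible to the user.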
From: erouault Date: Sat, 8 Oct 2016 15:04:31 +0000 Subject: [PATCH] * tools/tiffcp.c: fix read of undefined variable in case of missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c: fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow. Probably not a security issue but I can be wrong. Reported as MSVR 35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team. --- ChangeLog | 9 +++++++++ tools/tiffcp.c | 4 ++-- tools/tiffcrop.c | 9 ++++++--- 3 files changed, 17 insertions(+), 5 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index c76f832..8f54f28 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,12 @@ #+2016-10-08 Even Rouault #+ #+ * tools/tiffcp.c: fix read of undefined variable in case of missing #+ required tags. Found on test case of MSVR 35100. #+ * tools/tiffcrop.c: fix read of undefined buffer in #+ readContigStripsIntoBuffer() due to uint16 overflow. Probably not a #+ security issue but I can be wrong. Reported as MSVR 35100 by Axel #+ Souchet from the MSRC Vulnerabilities & Mitigations team. #+ # 2016-09-25 Bob Friesenhahn # # * html: Change as many remotesensing.org broken links to a working Index: tiff-4.0.3/tools/tiffcp.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcp.c 2017-02-24 13:03:58.213006760 -0500 +++ tiff-4.0.3/tools/tiffcp.c 2017-02-24 13:03:58.209006879 -0500 @@ -586,8 +586,8 @@ static int tiffcp(TIFF* in, TIFF* out) { - uint16 bitspersample, samplesperpixel; - uint16 input_compression, input_photometric; + uint16 bitspersample, samplesperpixel = 1; + uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; copyFunc cf; uint32 width, length; struct cpTag* p; Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2017-02-24 13:03:58.213006760 -0500 +++ tiff-4.0.3/tools/tiffcrop.c 2017-02-24 13:04:19.001050999 -0500 
@@ -3654,7 +3654,7 @@ { uint8* bufp = buf; int32 bytes_read = 0; - uint16 strip, nstrips = TIFFNumberOfStrips(in); + uint32 strip, nstrips = TIFFNumberOfStrips(in); uint32 stripsize = TIFFStripSize(in); uint32 rows = 0; uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); @@ -4733,9 +4733,12 @@ uint32 width, uint16 spp, struct dump_opts *dump) { - int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; + int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; + uint32 j; int32 bytes_read = 0; - uint16 bps, nstrips, planar, strips_per_sample; + uint16 bps, planar; + uint32 nstrips; + uint32 strips_per_sample; uint32 src_rowsize, dst_rowsize, rows_processed, rps; uint32 rows_this_strip = 0; tsample_t s; debian/patches/CVE-2018-5784.patch0000644000000000000000000001053513254204255013256 0ustar backport of: From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001 From: Nathan Baker Date: Tue, 6 Feb 2018 10:13:57 -0500 Subject: [PATCH] Fix for bug 2772 It is possible to craft a TIFF document where the IFD list is circular, leading to an infinite loop while traversing the chain. The libtiff directory reader has a failsafe that will break out of this loop after reading 65535 directory entries, but it will continue processing, consuming time and resources to process what is essentially a bogus TIFF document. This change fixes the above behavior by breaking out of processing when a TIFF document has >= 65535 directories and terminating with an error. --- contrib/addtiffo/tif_overview.c | 14 +++++++++++++- tools/tiff2pdf.c | 10 ++++++++++ tools/tiffcrop.c | 13 +++++++++++-- 3 files changed, 34 insertions(+), 3 deletions(-) Index: tiff-4.0.3/contrib/addtiffo/tif_overview.c =================================================================== --- tiff-4.0.3.orig/contrib/addtiffo/tif_overview.c 2018-03-20 09:11:05.451262002 -0400 +++ tiff-4.0.3/contrib/addtiffo/tif_overview.c 2018-03-20 09:11:05.447261992 -0400 
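Review bot: In the `tiffcp()` declarations of tools/tiffcp.c (CVE-2016-9538.patch), only `samplesperpixel` and `input_photometric` get defaults; `bitspersample` and `input_compression` on the same two lines are still declared without an initial value. If those tags can be absent from a crafted file as well, the same read of an undefined variable remains, so initialise all four or verify that each tag was actually read before it is used.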
@@ -65,6 +65,8 @@ # define MAX(a,b) ((a>b) ? a : b) #endif +#define TIFF_DIR_MAX 65534 + void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, int (*)(double,void*), void * ); @@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, { toff_t nBaseDirOffset; toff_t nOffset; + tdir_t iNumDir; (void) bUseSubIFDs; @@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, return 0; TIFFWriteDirectory( hTIFF ); - TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); + iNumDir = TIFFNumberOfDirectories(hTIFF); + if( iNumDir > TIFF_DIR_MAX ) + { + TIFFErrorExt( TIFFClientdata(hTIFF), + "TIFF_WriteOverview", + "File `%s' has too many directories.\n", + TIFFFileName(hTIFF) ); + exit(-1); + } + TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); nOffset = TIFFCurrentDirOffset( hTIFF ); Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2018-03-20 09:11:05.451262002 -0400 +++ tiff-4.0.3/tools/tiff2pdf.c 2018-03-20 09:11:43.051339982 -0400 @@ -67,6 +67,8 @@ extern int getopt(int, char**, char*); #define PS_UNIT_SIZE 72.0F +#define TIFF_DIR_MAX 65534 + /* This type is of PDF color spaces. */ typedef enum { T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ @@ -1035,6 +1037,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* uint16 xuint16=0; directorycount=TIFFNumberOfDirectories(input); + if(directorycount > TIFF_DIR_MAX) { + TIFFError( + TIFF2PDF_MODULE, + "TIFF contains too many directories, %s", + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(directorycount * sizeof(T2P_PAGE)); if(t2p->tiff_pages==NULL){ TIFFError( Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2018-03-20 09:11:05.451262002 -0400 +++ tiff-4.0.3/tools/tiffcrop.c 2018-03-20 09:11:05.451262002 -0400 
@@ -217,6 +217,8 @@ extern int getopt(int, char**, char*); #define DUMP_TEXT 1 #define DUMP_RAW 2 +#define TIFF_DIR_MAX 65534 + /* Offsets into buffer for margins and fixed width and length segments */ struct offset { uint32 tmargin; @@ -2223,7 +2225,7 @@ main(int argc, char* argv[]) pageNum = -1; else total_images = 0; - /* read multiple input files and write to output file(s) */ + /* Read multiple input files and write to output file(s) */ while (optind < argc - 1) { in = TIFFOpen (argv[optind], "r"); @@ -2231,7 +2233,14 @@ main(int argc, char* argv[]) return (-3); /* If only one input file is specified, we can use directory count */ - total_images = TIFFNumberOfDirectories(in); + total_images = TIFFNumberOfDirectories(in); + if (total_images > TIFF_DIR_MAX) + { + TIFFError (TIFFFileName(in), "File contains too many directories"); + if (out != NULL) + (void) TIFFClose(out); + return (1); + } if (image_count == 0) { dirnum = 0; debian/patches/CVE-2016-9533.patch0000644000000000000000000002567313054071723013261 0ustar Backport of: From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001 
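Review bot: In `TIFF_WriteOverview` (contrib/addtiffo/tif_overview.c, CVE-2018-5784.patch), the too-many-directories path calls `exit(-1)`, while the failure path a few lines above it in the same function uses `return 0;`. Terminating the process from a helper takes the decision away from the caller; return 0 here as well and let the caller report and clean up.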
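Review bot: In the `main()` hunk of tools/tiffcrop.c (CVE-2018-5784.patch), the new error path closes `out` but not `in`, which was opened by `TIFFOpen (argv[optind], "r")` just above, and it returns 1 where the neighbouring open failure returns -3. Call `TIFFClose(in)` before returning and choose the exit code deliberately. The patch also repeats `#define TIFF_DIR_MAX 65534` in three files; one shared definition would keep the limit from diverging.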
From: erouault Date: Fri, 23 Sep 2016 22:12:18 +0000 Subject: [PATCH] * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093, MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. * libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. * libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if that could happen in practice outside of the odd behaviour of t2p_seekproc() of tiff2pdf). The report points that a better fix could be to check the return value of TIFFFlushData1() in places where it isn't done currently, but it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities & Mitigations team. --- ChangeLog | 23 +++++++++++++++++++++ libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++----------------------------- libtiff/tif_write.c | 7 +++++++ tools/tiff2pdf.c | 22 ++++++++++++++++++-- tools/tiffcrop.c | 20 +++++++++++++++++- 5 files changed, 92 insertions(+), 35 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 8e7dea3..26d6f47 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,26 @@ #+2016-09-23 Even Rouault #+ #+ * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities #+ in heap or stack allocated buffers. Reported as MSVR 35093, #+ MSVR 35096 and MSVR 35097. 
Discovered by Axel Souchet and Vishal #+ Chauhan from the MSRC Vulnerabilities & Mitigations team. #+ * tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in #+ heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR #+ 35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC #+ Vulnerabilities & Mitigations team. #+ * libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities #+ in heap allocated buffers. Reported as MSVR 35094. Discovered by #+ Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & #+ Mitigations team. #+ * libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() #+ that didn't reset the tif_rawcc and tif_rawcp members. I'm not #+ completely sure if that could happen in practice outside of the odd #+ behaviour of t2p_seekproc() of tiff2pdf). The report points that a #+ better fix could be to check the return value of TIFFFlushData1() in #+ places where it isn't done currently, but it seems this patch is enough. #+ Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan & #+ Suha Can from the MSRC Vulnerabilities & Mitigations team. #+ # 2016-09-20 Bob Friesenhahn # # * html/man/index.html: Comment out links to documentation for Index: tiff-4.0.3/libtiff/tif_pixarlog.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2017-02-24 12:53:44.740419858 -0500 +++ tiff-4.0.3/libtiff/tif_pixarlog.c 2017-02-24 12:53:44.736419821 -0500 
@@ -965,17 +965,14 @@ a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; } } else { - ip += n - 1; /* point to last one */ - wp += n - 1; /* point to last one */ - n -= stride; - while (n > 0) { - REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); - wp[stride] -= wp[0]; - wp[stride] &= mask; - wp--; ip--) - n -= stride; - } - REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--) + REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++) + n -= stride; + while (n > 0) { + REPEAT(stride, + wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask); + wp++; ip++) + n -= stride; + } } } } @@ -1018,17 +1015,14 @@ a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1; } } else { - ip += n - 1; /* point to last one */ - wp += n - 1; /* point to last one */ + REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) n -= stride; while (n > 0) { - REPEAT(stride, wp[0] = CLAMP(ip[0]); - wp[stride] -= wp[0]; - wp[stride] &= mask; - wp--; ip--) - n -= stride; - } - REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) + REPEAT(stride, + wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); + wp++; ip++) + n -= stride; + } } } } @@ -1071,18 +1065,15 @@ ip += 4; } } else { - wp += n + stride - 1; /* point to last one */ - ip += n + stride - 1; /* point to last one */ - n -= stride; - while (n > 0) { - REPEAT(stride, wp[0] = CLAMP(ip[0]); - wp[stride] -= wp[0]; - wp[stride] &= mask; - wp--; ip--) - n -= stride; - } - REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--) - } + REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++) + n -= stride; + while (n > 0) { + REPEAT(stride, + wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask); + wp++; ip++) + n -= stride; + } + } } } Index: tiff-4.0.3/libtiff/tif_write.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_write.c 2017-02-24 12:53:44.740419858 -0500 +++ tiff-4.0.3/libtiff/tif_write.c 2017-02-24 12:53:44.736419821 -0500 
@@ -742,7 +742,14 @@ if (!TIFFAppendToStrip(tif, isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip, tif->tif_rawdata, tif->tif_rawcc)) + { + /* We update those variables even in case of error since there's */ + /* code that doesn't really check the return code of this */ + /* function */ + tif->tif_rawcc = 0; + tif->tif_rawcp = tif->tif_rawdata; return (0); + } tif->tif_rawcc = 0; tif->tif_rawcp = tif->tif_rawdata; } Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2017-02-24 12:53:44.740419858 -0500 +++ tiff-4.0.3/tools/tiff2pdf.c 2017-02-24 12:53:44.736419821 -0500 @@ -285,7 +285,7 @@ int t2p_process_ojpeg_tables(T2P*, TIFF*); #endif #ifdef JPEG_SUPPORT -int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32); +int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32); #endif void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32); void t2p_write_advance_directory(T2P*, TIFF*); @@ -2356,7 +2356,8 @@ if(!t2p_process_jpeg_strip( stripbuffer, &striplength, - buffer, + buffer, + t2p->tiff_datasize, &bufferoffset, i, t2p->tiff_length)){ @@ -3389,6 +3390,7 @@ unsigned char* strip, tsize_t* striplength, unsigned char* buffer, + tsize_t buffersize, tsize_t* bufferoffset, tstrip_t no, uint32 height){ @@ -3423,6 +3425,8 @@ } switch( strip[i] ){ case 0xd8: /* SOI - start of image */ + if( *bufferoffset + 2 > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); *bufferoffset+=2; break; 
@@ -3432,12 +3436,18 @@ case 0xc9: /* SOF9 */ case 0xca: /* SOF10 */ if(no==0){ + if( *bufferoffset + datalen + 2 + 6 > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + if( *bufferoffset + 9 >= buffersize ) + return(0); ncomp = buffer[*bufferoffset+9]; if (ncomp < 1 || ncomp > 4) return(0); v_samp=1; h_samp=1; + if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize ) + return(0); for(j=0;j>4) > h_samp) @@ -3469,20 +3479,28 @@ break; case 0xc4: /* DHT */ case 0xdb: /* DQT */ + if( *bufferoffset + datalen + 2 > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); *bufferoffset+=datalen+2; break; case 0xda: /* SOS */ if(no==0){ + if( *bufferoffset + datalen + 2 > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); *bufferoffset+=datalen+2; } else { + if( *bufferoffset + 2 > buffersize ) + return(0); buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8)); } i += datalen + 1; /* copy remainder of strip */ + if( *bufferoffset + *striplength - i > buffersize ) + return(0); _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); *bufferoffset+= *striplength - i; return(1); Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2017-02-24 12:53:44.740419858 -0500 +++ tiff-4.0.3/tools/tiffcrop.c 2017-02-24 12:55:09.813626248 -0500 @@ -5780,7 +5780,8 @@ { uint32 i; float xres = 0.0, yres = 0.0; - uint16 nstrips = 0, ntiles = 0, planar = 0; + uint32 nstrips = 0, ntiles = 0; + uint16 planar = 0; uint16 bps = 0, spp = 0, res_unit = 0; uint16 orientation = 0; uint16 input_compression = 0, input_photometric = 0; 
@@ -6088,11 +6089,23 @@ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ /* outside buffer */ if (!read_buff) + { + if( buffsize > 0xFFFFFFFFU - 3 ) + { + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); + } else { if (prev_readsize < buffsize) + { + if( buffsize > 0xFFFFFFFFU - 3 ) { + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } new_buff = _TIFFrealloc(read_buff, buffsize); if (!new_buff) { @@ -8918,6 +8931,11 @@ } bytes_per_pixel = ((bps * spp) + 7) / 8; + if( bytes_per_pixel > sizeof(swapbuff) ) + { + TIFFError("reverseSamplesBytes","bytes_per_pixel too large"); + return (1); + } switch (bps / 8) { case 8: /* Use memcpy for multiple bytes per sample data */ debian/patches/CVE-2017-13726.patch0000644000000000000000000000334013254204130013314 0ustar From f91ca83a21a6a583050e5a5755ce1441b2bf1d7e Mon Sep 17 00:00:00 2001 
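Review bot: In `t2p_process_jpeg_strip` (tools/tiff2pdf.c, CVE-2016-9533.patch), the new checks bound the destination but not the source: the final `*bufferoffset + *striplength - i > buffersize` test follows `i += datalen + 1`, and nothing in the hunk shows `i <= *striplength`. If `i` runs past the strip length the difference can go negative, the test passes, and `_TIFFmemcpy` is called with that length. Reject `i > *striplength` before the remainder copy, and check `datalen + 2` against the bytes left in `strip` before the other copies.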
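Review bot: In the `@@ -6088,11 +6089,23 @@` hunk of tools/tiffcrop.c (CVE-2016-9533.patch), the overflow check guards `buffsize+3` on both branches, but the reallocation branch still calls `_TIFFrealloc(read_buff, buffsize)` without the three guard bytes that the comment above and the `_TIFFmalloc(buffsize+3)` call rely on. Pass `buffsize+3` to `_TIFFrealloc` too, otherwise a reused buffer loses the slack that `reverseSamples16bits()` is said to read into.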
From: Even Rouault Date: Wed, 23 Aug 2017 13:21:41 +0000 Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not finding the SubIFD tag by runtime check. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337 --- ChangeLog | 7 +++++++ libtiff/tif_dirwrite.c | 7 ++++++- 2 files changed, 13 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 3da2b704..87554768 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2017-08-23 Even Rouault #+ #+ * libtiff/tif_dirwrite.c: replace assertion related to not finding the #+ SubIFD tag by runtime check. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 #+ Reported by team OWL337 #+ # 2017-07-24 Even Rouault # # * libtiff/tif_luv.c: further reduce memory requirements for temporary Index: tiff-4.0.6/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2018-03-20 07:59:56.128690279 -0400 +++ tiff-4.0.6/libtiff/tif_dirwrite.c 2018-03-20 07:59:56.128690279 -0400 @@ -819,7 +819,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isi TIFFDirEntry* nb; for (na=0, nb=dir; ; na++, nb++) { - assert(natif_clientdata,module, + "Cannot find SubIFD tag"); + goto bad; + } if (nb->tdir_tag==TIFFTAG_SUBIFD) break; } debian/patches/CVE-2016-5314.patch0000644000000000000000000000407313055045754013247 0ustar Backport of: From 391e77fcd217e78b2c51342ac3ddb7100ecacdd2 Mon Sep 17 00:00:00 2001 
From: erouault Date: Tue, 28 Jun 2016 15:12:19 +0000 Subject: [PATCH] * libtiff/tif_pixarlog.c: fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson) --- ChangeLog | 5 +++++ libtiff/tif_pixarlog.c | 8 ++++++++ 2 files changed, 13 insertions(+) #diff --git a/ChangeLog b/ChangeLog #index 1b0e599..dee1881 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,8 @@ #+2016-06-28 Even Rouault #+ #+ * libtiff/tif_pixarlog.c: fix potential buffer write overrun in #+ PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson) #+ # 2016-06-15 Bob Friesenhahn # # * libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64 Index: tiff-4.0.3/libtiff/tif_pixarlog.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2017-02-27 10:53:22.049396151 -0500 +++ tiff-4.0.3/libtiff/tif_pixarlog.c 2017-02-27 10:55:10.106610334 -0500 @@ -457,6 +457,7 @@ typedef struct { TIFFPredictorState predict; z_stream stream; + tmsize_t tbuf_size; /* only set/used on reading for now */ uint16 *tbuf; uint16 stride; int state; @@ -676,6 +677,7 @@ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); if (sp->tbuf == NULL) return (0); + sp->tbuf_size = tbuf_size; if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { @@ -765,6 +767,12 @@ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); return (0); } + /* Check that we will not fill more than what was allocated */ + if (sp->stream.avail_out > sp->tbuf_size) + { + TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); + return (0); + } do { int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); if (state == Z_STREAM_END) { debian/patches/CVE-2016-10371.patch0000644000000000000000000000514513254203622013316 0ustar 
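Review bot: The error string added in the last hunk of libtiff/tif_pixarlog.c (CVE-2016-5314.patch) is the raw C expression "sp->stream.avail_out > sp->tbuf_size", which tells a user nothing about the file being decoded. Say what went wrong in terms of the image, for example that the requested output exceeds the decode buffer, and include both values. The new `tbuf_size` member is assigned in only one place in this patch, so its "only set/used on reading for now" comment should also state that the field must not be relied on when writing.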
From 0abd094b6e5079c4d8be733829240491cb230f3d Mon Sep 17 00:00:00 2001 From: erouault Date: Wed, 11 Jan 2017 12:51:59 +0000 Subject: [PATCH] * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace assertion by runtime check to error out if passed value is strictly negative. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535 * tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that caused double free. Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535 --- ChangeLog | 11 +++++++++++ libtiff/tif_dirwrite.c | 9 +++++++-- tools/tiffcrop.c | 1 - 3 files changed, 18 insertions(+), 3 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index a7208f5e..6a752cd5 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,14 @@ #+2017-01-11 Even Rouault #+ #+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace #+ assertion by runtime check to error out if passed value is strictly #+ negative. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535 #+ #+ * tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that #+ caused double free. #+ Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535 #+ # 2017-01-11 Even Rouault # # * libtiff/tif_jpeg.c: avoid integer division by zero in Index: tiff-4.0.3/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirwrite.c 2018-03-20 09:07:28.610785389 -0400 +++ tiff-4.0.3/libtiff/tif_dirwrite.c 2018-03-20 09:07:28.606785379 -0400 
@@ -2092,10 +2092,15 @@ TIFFWriteDirectoryTagCheckedSlong8Array( static int TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value) { + static const char module[] = "TIFFWriteDirectoryTagCheckedRational"; uint32 m[2]; - assert(value>=0.0); assert(sizeof(uint32)==4); - if (value<=0.0) + if( value < 0 ) + { + TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal"); + return 0; + } + else if (value==0.0) { m[0]=0; m[1]=1; Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2018-03-20 09:07:28.610785389 -0400 +++ tiff-4.0.3/tools/tiffcrop.c 2018-03-20 09:07:28.610785389 -0400 @@ -7955,7 +7955,6 @@ writeCroppedImage(TIFF *in, TIFF *out, s if (!TIFFWriteDirectory(out)) { TIFFError("","Failed to write IFD for page number %d", pagenum); - TIFFClose(out); return (-1); } debian/patches/CVE-2015-8668.patch0000644000000000000000000000371713054071167013265 0ustar Description: fix DoS and possible code execution via large width field in a BMP image Origin: partly based on https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-8668.patch Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2563 Index: tiff-4.0.3/tools/bmp2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/bmp2tiff.c 2017-02-24 12:49:48.695633312 -0500 +++ tiff-4.0.3/tools/bmp2tiff.c 2017-02-24 12:50:39.780394896 -0500 
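Review bot: in the TIFFWriteDirectoryTagCheckedRational() hunk of tif_dirwrite.c (the patch that ends above), a NaN argument passes the new test, because value < 0 is false for NaN and so is value==0.0, so it falls through to the conversion branches that follow. The removed assert(value>=0.0) did reject NaN in assert-enabled builds. Add a value != value (or isnan) test next to the negative check, with its own TIFFErrorExt() message, so the runtime check is at least as strict as the assertion it replaces.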
@@ -595,19 +595,33 @@ || info_hdr.iCompression == BMPC_RLE4 ) { uint32 i, j, k, runlength; uint32 compr_size, uncompr_size; + uint32 bits = 0; unsigned char *comprbuf; unsigned char *uncomprbuf; compr_size = file_hdr.iSize - file_hdr.iOffBits; - uncompr_size = width * length; - /* Detect int overflow */ - if( uncompr_size / width != length ) - { - TIFFError(infilename, - "Invalid dimensions of BMP file" ); - close(fd); - return -1; - } + bits = info_hdr.iBitCount; + + if (bits > 8) // bit depth is > 8bit, adjust size + { + uncompr_size = width * length * (bits / 8); + /* Detect int overflow */ + if (uncompr_size / width / (bits / 8) != length) { + TIFFError(infilename, + "Invalid dimensions of BMP file"); + close(fd); + return -1; + } + } else { + uncompr_size = width * length; + /* Detect int overflow */ + if( uncompr_size / width != length ) { + TIFFError(infilename, + "Invalid dimensions of BMP file" ); + close(fd); + return -1; + } + } comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); if (!comprbuf) { TIFFError(infilename, debian/patches/CVE-2014-81xx-8.patch0000644000000000000000000000166212505326624013624 0ustar From 0782c759084daaf9e4de7ee6be7543081823455e Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 21 Dec 2014 20:58:29 +0000 Subject: [PATCH] * tools/tiff2bw.c: when Photometric=RGB, the utility only works if SamplesPerPixel = 3. Enforce that http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) --- ChangeLog | 6 ++++++ tools/tiff2bw.c | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c index 22467cd..94b8e31 100644 --- a/tools/tiff2bw.c +++ b/tools/tiff2bw.c 
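Review bot: in the bmp2tiff.c hunk (the patch that ends above), bits / 8 truncates, so an iBitCount greater than 8 that is not a multiple of 8 (12 or 15, for example) gets the same factor of 1 as an 8-bit image. iBitCount is read from the file header, so either reject depths outside the set the converter supports before this point or round up with (bits + 7) / 8. The two branches also repeat the same overflow test and error path; computing one bytes-per-pixel factor that is 1 for depths of 8 or less would leave a single check, and the // comment should use the /* */ style of the surrounding code.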
@@ -171,6 +171,11 @@ main(int argc, char* argv[]) argv[optind], samplesperpixel); return (-1); } + if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { + fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", + argv[optind], samplesperpixel); + return (-1); + } TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); if (bitspersample != 8) { fprintf(stderr, debian/patches/CVE-2018-10963.patch0000644000000000000000000000213413420114440013314 0ustar From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sat, 12 May 2018 14:24:15 +0200 Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 --- libtiff/tif_dirwrite.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) Index: tiff-4.0.9/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.9.orig/libtiff/tif_dirwrite.c 2019-01-17 09:13:14.551371632 -0500 +++ tiff-4.0.9/libtiff/tif_dirwrite.c 2019-01-17 09:13:14.551371632 -0500 @@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi } break; default: - assert(0); /* we should never get here */ - break; + TIFFErrorExt(tif->tif_clientdata,module, + "Cannot write tag %d (%s)", + TIFFFieldTag(o), + o->field_name ? o->field_name : "unknown"); + goto bad; } } } debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch0000644000000000000000000000352713113003536017307 0ustar From 30c9234c7fd0dd5e8b1e83ad44370c875a0270ed Mon Sep 17 00:00:00 2001 
From: erouault Date: Fri, 11 Nov 2016 20:22:01 +0000 Subject: [PATCH] * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are null terminated, to avoid potential read outside buffer in _TIFFPrintField(). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590 --- Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2017-05-29 07:34:52.255008238 -0400 +++ tiff-4.0.3/libtiff/tif_dirread.c 2017-05-29 07:34:52.215007751 -0400 @@ -5000,6 +5000,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt if (err==TIFFReadDirEntryErrOk) { int m; + if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' ) + { + TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name); + data[dp->tdir_count-1] = '\0'; + } m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data); if (data!=0) _TIFFfree(data); @@ -5172,6 +5177,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt if (err==TIFFReadDirEntryErrOk) { int m; + if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' ) + { + TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name); + data[dp->tdir_count-1] = '\0'; + } m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data); if (data!=0) _TIFFfree(data); debian/patches/CVE-2016-9532.patch0000644000000000000000000000763113054071436013253 0ustar From 21d39de1002a5e69caa0574b2cc05d795d6fbfad Mon Sep 17 00:00:00 2001 
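Review bot: in both TIFFFetchNormalTag() hunks of tif_dirread.c (the patch that ends above), the added test reads data[dp->tdir_count-1] before the existing if (data!=0) guard that protects _TIFFfree(data), so either data can be NULL at this point and the new read needs the same guard, or it cannot and the old guard is dead code. Please make the invariant explicit, for example dp->tdir_count > 0 && data != 0 && data[dp->tdir_count-1] != '\0'. Forcing the last byte to '\0' also discards that byte of the stored value, which the warning text could say, and the two identical blocks are a candidate for one small helper.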
From: erouault Date: Fri, 11 Nov 2016 19:33:06 +0000 Subject: [PATCH] * tools/tiffcrop.c: fix multiple uint32 overflows in writeBufferToSeparateStrips(), writeBufferToContigTiles() and writeBufferToSeparateTiles() that could cause heap buffer overflows. Reported by Henri Salo from Nixu Corporation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592 --- ChangeLog | 8 ++++++++ tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 48 insertions(+), 4 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 4ff5281..b642c7c 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,11 @@ #+2016-11-11 Even Rouault #+ #+ * tools/tiffcrop.c: fix multiple uint32 overflows in #+ writeBufferToSeparateStrips(), writeBufferToContigTiles() and #+ writeBufferToSeparateTiles() that could cause heap buffer overflows. #+ Reported by Henri Salo from Nixu Corporation. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592 #+ # 2016-11-10 Even Rouault # # * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips Index: tiff-4.0.6/tools/tiffcrop.c =================================================================== --- tiff-4.0.6.orig/tools/tiffcrop.c 2017-02-24 10:17:07.023969135 -0500 +++ tiff-4.0.6/tools/tiffcrop.c 2017-02-24 10:17:07.019969085 -0500 @@ -148,6 +148,8 @@ #define PATH_MAX 1024 #endif +#define TIFF_UINT32_MAX 0xFFFFFFFFU + #ifndef streq #define streq(a,b) (strcmp((a),(b)) == 0) #endif 
@@ -1155,7 +1157,24 @@ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); bytes_per_sample = (bps + 7) / 8; - rowsize = ((bps * spp * width) + 7) / 8; /* source has interleaved samples */ + if( width == 0 || + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width || + bps * spp * width > TIFF_UINT32_MAX - 7U ) + { + TIFFError(TIFFFileName(out), + "Error, uint32 overflow when computing (bps * spp * width) + 7"); + return 1; + } + rowsize = ((bps * spp * width) + 7U) / 8; /* source has interleaved samples */ + if( bytes_per_sample == 0 || + rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample || + rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) ) + { + TIFFError(TIFFFileName(out), + "Error, uint32 overflow when computing rowsperstrip * " + "bytes_per_sample * (width + 1)"); + return 1; + } rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); obuf = _TIFFmalloc (rowstripsize); @@ -1242,11 +1261,19 @@ } } + if( imagewidth == 0 || + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth || + bps * spp * imagewidth > TIFF_UINT32_MAX - 7U ) + { + TIFFError(TIFFFileName(out), + "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7"); + return 1; + } + src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; + tilebuf = _TIFFmalloc(tile_buffsize); if (tilebuf == 0) return 1; - - src_rowsize = ((imagewidth * spp * bps) + 7) / 8; for (row = 0; row < imagelength; row += tl) { nrow = (row + tl > imagelength) ? imagelength - row : tl; 
@@ -1306,7 +1333,16 @@ TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); - src_rowsize = ((imagewidth * spp * bps) + 7) / 8; + + if( imagewidth == 0 || + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth || + bps * spp * imagewidth > TIFF_UINT32_MAX - 7 ) + { + TIFFError(TIFFFileName(out), + "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7"); + return 1; + } + src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; for (row = 0; row < imagelength; row += tl) { debian/patches/CVE-2017-7595.patch0000644000000000000000000000334413254204015013251 0ustar From 47f2fb61a3a64667bce1a8398a8fcb1b348ff122 Mon Sep 17 00:00:00 2001 From: erouault Date: Wed, 11 Jan 2017 12:15:01 +0000 Subject: [PATCH] * libtiff/tif_jpeg.c: avoid integer division by zero in JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653 --- ChangeLog | 6 ++++++ libtiff/tif_jpeg.c | 7 +++++++ 2 files changed, 13 insertions(+) #diff --git a/ChangeLog b/ChangeLog #index c82bc76e..a7208f5e 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,9 @@ #+2017-01-11 Even Rouault #+ #+ * libtiff/tif_jpeg.c: avoid integer division by zero in #+ JPEGSetupEncode() when horizontal or vertical sampling is set to 0. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653 #+ # 2017-01-03 Even Rouault # # * libtiff/tif_jpeg.c: increase libjpeg max memory usable to Index: tiff-4.0.3/libtiff/tif_jpeg.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_jpeg.c 2018-03-20 09:09:31.815062301 -0400 +++ tiff-4.0.3/libtiff/tif_jpeg.c 2018-03-20 09:09:31.811062292 -0400 
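Review bot: in the three row-size hunks of tiffcrop.c (the patch that ends above), the same three-clause overflow test is written out three times with small differences: the last copy subtracts a plain 7 from TIFF_UINT32_MAX where the other two use 7U, and the strip version multiplies bps * spp * width while the tile versions compute imagewidth * spp * bps on the next line. A single static helper that returns the row size or signals overflow would keep the call sites identical and give one place to test the boundary values (width of 0, and a product just below and just above TIFF_UINT32_MAX - 7).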
@@ -1525,6 +1525,13 @@ JPEGSetupEncode(TIFF* tif) case PHOTOMETRIC_YCBCR: sp->h_sampling = td->td_ycbcrsubsampling[0]; sp->v_sampling = td->td_ycbcrsubsampling[1]; + if( sp->h_sampling == 0 || sp->v_sampling == 0 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Invalig horizontal/vertical sampling value"); + return (0); + } + /* * A ReferenceBlackWhite field *must* be present since the * default value is inappropriate for YCbCr. Fill in the debian/patches/CVE-2016-9273.patch0000644000000000000000000000427713054071407013256 0ustar From d651abc097d91fac57f33b5f9447d0a9183f58e7 Mon Sep 17 00:00:00 2001 From: erouault Date: Wed, 9 Nov 2016 23:00:49 +0000 Subject: [PATCH] * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips value when it is non-zero, instead of recomputing it. This is needed in TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of array in tiffsplit (or other utilities using TIFFNumberOfStrips()). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587 --- ChangeLog | 8 ++++++++ libtiff/tif_strip.c | 9 +++++++++ 2 files changed, 17 insertions(+) #diff --git a/ChangeLog b/ChangeLog #index 48fb75d..4ff5281 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,11 @@ #+2016-11-10 Even Rouault #+ #+ * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips #+ value when it is non-zero, instead of recomputing it. This is needed in #+ TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of #+ array in tiffsplit (or other utilities using TIFFNumberOfStrips()). #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587 #+ # 2016-11-04 Even Rouault # # * libtiff/tif_predic.c: fix memory leaks in error code paths added in Index: tiff-4.0.6/libtiff/tif_strip.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_strip.c 2017-02-24 10:39:18.892558676 -0500 +++ tiff-4.0.6/libtiff/tif_strip.c 2017-02-24 10:40:08.913181724 -0500 
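Review bot: in the JPEGSetupEncode() hunk of tif_jpeg.c (the patch that ends above), the new error string is misspelled as "Invalig horizontal/vertical sampling value"; it should read "Invalid". Printing the two offending values, sp->h_sampling and sp->v_sampling, in the same message would also help when triaging a rejected file.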
@@ -63,6 +63,15 @@ TIFFDirectory *td = &tif->tif_dir; uint32 nstrips; + /* If the value was already computed and store in td_nstrips, then return it, + since ChopUpSingleUncompressedStrip might have altered and resized the + since the td_stripbytecount and td_stripoffset arrays to the new value + after the initial affectation of td_nstrips = TIFFNumberOfStrips() in + tif_dirread.c ~line 3612. + See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ + if( td->td_nstrips ) + return td->td_nstrips; + nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); if (td->td_planarconfig == PLANARCONFIG_SEPARATE) debian/patches/CVE-2018-10779.patch0000644000000000000000000000254213441511004013324 0ustar From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Wed, 15 Aug 2018 16:34:40 +0200 Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit systems with large number of strips. Probably relates to http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779 --- libtiff/tif_write.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) Index: tiff-4.0.3/libtiff/tif_write.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_write.c 2019-03-11 12:51:13.924984941 -0400 +++ tiff-4.0.3/libtiff/tif_write.c 2019-03-11 12:51:13.920984925 -0400 
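Review bot: in the TIFFNumberOfStrips() hunk of tif_strip.c (the patch that ends above), the new comment is hard to follow ("already computed and store", a repeated "since the") and cites "tif_dirread.c ~line 3612", a line number that will go stale; name the function that performs the assignment instead. The early return makes td_nstrips authoritative as soon as it is non-zero, so the comment should also say which code is responsible for resetting it if td_rowsperstrip or td_imagelength change afterwards.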
@@ -484,9 +484,11 @@ TIFFSetupStrips(TIFF* tif) if (td->td_planarconfig == PLANARCONFIG_SEPARATE) td->td_stripsperimage /= td->td_samplesperpixel; td->td_stripoffset = (uint64 *) - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), + "for \"StripOffsets\" array"); td->td_stripbytecount = (uint64 *) - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), + "for \"StripByteCounts\" array"); if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) return (0); /* debian/patches/CVE-2016-3186.patch0000644000000000000000000000220313254741643013246 0ustar Description: fix buffer overflow in the readextension function Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1319666 Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2536 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819972 Origin: vendor, https://bugzilla.redhat.com/show_bug.cgi?id=1319666#c6 Index: tiff-4.0.3/tools/gif2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/gif2tiff.c 2018-03-22 10:53:06.279773299 -0400 +++ tiff-4.0.3/tools/gif2tiff.c 2018-03-22 10:54:22.380184779 -0400 @@ -38,6 +38,7 @@ #include #include #include +#include #include #ifdef HAVE_UNISTD_H 
@@ -316,8 +317,12 @@ readextension(void) char buf[255]; (void) getc(infile); - while ((count = getc(infile))) - fread(buf, 1, count, infile); + while ((count = getc(infile)) && count >= 0 && count <= 255) + if (fread(buf, 1, count, infile) != (size_t) count) { + fprintf(stderr, "short read from file %s (%s)\n", + filename, strerror(errno)); + break; + } } /* debian/patches/CVE-2013-1960.patch0000644000000000000000000001011712256047746013250 0ustar Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:50.979629486 -0400 +++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:50.975629486 -0400 
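Review bot: in the readextension() hunk of gif2tiff.c (the patch that ends above), the short-read message prints strerror(errno), but fread() returning fewer bytes because the file ended does not set errno, so a truncated GIF reports whatever stale error value happens to be there. Distinguish the two cases with feof(infile) and ferror(infile) and use strerror() only for the latter. The loop also ends silently when getc() returns EOF in place of a block length; a diagnostic on that path would make truncated extension blocks visible.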
@@ -3341,33 +3341,56 @@ uint32 height){ tsize_t i=0; - uint16 ri =0; - uint16 v_samp=1; - uint16 h_samp=1; - int j=0; - - i++; - - while(i<(*striplength)){ + + while (i < *striplength) { + tsize_t datalen; + uint16 ri; + uint16 v_samp; + uint16 h_samp; + int j; + int ncomp; + + /* marker header: one or more FFs */ + if (strip[i] != 0xff) + return(0); + i++; + while (i < *striplength && strip[i] == 0xff) + i++; + if (i >= *striplength) + return(0); + /* SOI is the only pre-SOS marker without a length word */ + if (strip[i] == 0xd8) + datalen = 0; + else { + if ((*striplength - i) <= 2) + return(0); + datalen = (strip[i+1] << 8) | strip[i+2]; + if (datalen < 2 || datalen >= (*striplength - i)) + return(0); + } switch( strip[i] ){ - case 0xd8: - /* SOI - start of image */ + case 0xd8: /* SOI - start of image */ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); *bufferoffset+=2; - i+=2; break; - case 0xc0: - case 0xc1: - case 0xc3: - case 0xc9: - case 0xca: + case 0xc0: /* SOF0 */ + case 0xc1: /* SOF1 */ + case 0xc3: /* SOF3 */ + case 0xc9: /* SOF9 */ + case 0xca: /* SOF10 */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - for(j=0;j>4) > h_samp) - h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); - if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) - v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + ncomp = buffer[*bufferoffset+9]; + if (ncomp < 1 || ncomp > 4) + return(0); + v_samp=1; + h_samp=1; + for(j=0;j>4) > h_samp) + h_samp = (samp>>4); + if( (samp & 0x0f) > v_samp) + v_samp = (samp & 0x0f); } v_samp*=8; h_samp*=8; 
@@ -3381,45 +3404,43 @@ (unsigned char) ((height>>8) & 0xff); buffer[*bufferoffset+6]= (unsigned char) (height & 0xff); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; - + *bufferoffset+=datalen+2; + /* insert a DRI marker */ buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]=0xdd; buffer[(*bufferoffset)++]=0x00; buffer[(*bufferoffset)++]=0x04; buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; buffer[(*bufferoffset)++]= ri & 0xff; - } else { - i+=strip[i+2]+2; } break; - case 0xc4: - case 0xdb: - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; + case 0xc4: /* DHT */ + case 0xdb: /* DQT */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; break; - case 0xda: + case 0xda: /* SOS */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; } else { buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8)); - i+=strip[i+2]+2; } - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); - *bufferoffset+=(*striplength)-i-1; + i += datalen + 1; + /* copy remainder of strip */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); + *bufferoffset+= *striplength - i; return(1); default: - i+=strip[i+2]+2; + /* ignore any other marker */ + break; } + i += datalen + 1; } - + /* failed to find SOS marker */ return(0); } #endif debian/patches/CVE-2017-7596_7597_7599_7600.patch0000644000000000000000000002213413254204024015114 0ustar From 3144e57770c1e4d26520d8abee750f8ac8b75490 Mon Sep 17 00:00:00 2001 
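Review bot: in the first tiff2pdf.c hunk (the patch that ends above), the SOF cases (0xc0, 0xc1, 0xc3, 0xc9, 0xca) inherit only the generic datalen < 2 lower bound, yet after copying datalen+2 bytes the code reads ncomp from buffer[*bufferoffset+9] and the height bytes at offsets 5 and 6 are rewritten (buffer[*bufferoffset+6]= in the following hunk). For a segment shorter than that, those offsets hold bytes that were never copied from this strip. Check that datalen covers the fixed SOF fields plus the per-component entries implied by ncomp before using them, and return 0 otherwise.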
From: erouault Date: Wed, 11 Jan 2017 16:09:02 +0000 Subject: [PATCH] * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings of double to other data types to avoid undefined behaviour if the output range isn't big enough to hold the input value. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 http://bugzilla.maptools.org/show_bug.cgi?id=2642 http://bugzilla.maptools.org/show_bug.cgi?id=2646 http://bugzilla.maptools.org/show_bug.cgi?id=2647 --- ChangeLog | 10 ++++++ libtiff/tif_dir.c | 18 +++++++--- libtiff/tif_dirread.c | 10 +++++- libtiff/tif_dirwrite.c | 90 ++++++++++++++++++++++++++++++++++++++++++++------ 4 files changed, 113 insertions(+), 15 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 722a405e..65176404 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,13 @@ #+2017-01-11 Even Rouault #+ #+ * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings #+ of double to other data types to avoid undefined behaviour if the output range #+ isn't big enough to hold the input value. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 #+ http://bugzilla.maptools.org/show_bug.cgi?id=2642 #+ http://bugzilla.maptools.org/show_bug.cgi?id=2646 #+ http://bugzilla.maptools.org/show_bug.cgi?id=2647 #+ # 2017-01-11 Even Rouault # # * libtiff/tif_dirread.c: avoid division by floating point 0 in Index: tiff-4.0.3/libtiff/tif_dir.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dir.c 2018-03-20 09:09:38.167076118 -0400 +++ tiff-4.0.3/libtiff/tif_dir.c 2018-03-20 09:09:38.163076109 -0400 @@ -31,6 +31,7 @@ * (and also some miscellaneous stuff) */ #include "tiffiop.h" +#include /* * These are used in the backwards compatibility code... 
@@ -152,6 +153,15 @@ bad: return (0); } +static float TIFFClampDoubleToFloat( double val ) +{ + if( val > FLT_MAX ) + return FLT_MAX; + if( val < -FLT_MAX ) + return -FLT_MAX; + return (float)val; +} + static int _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) { @@ -309,13 +319,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va dblval = va_arg(ap, double); if( dblval < 0 ) goto badvaluedouble; - td->td_xresolution = (float) dblval; + td->td_xresolution = TIFFClampDoubleToFloat( dblval ); break; case TIFFTAG_YRESOLUTION: dblval = va_arg(ap, double); if( dblval < 0 ) goto badvaluedouble; - td->td_yresolution = (float) dblval; + td->td_yresolution = TIFFClampDoubleToFloat( dblval ); break; case TIFFTAG_PLANARCONFIG: v = (uint16) va_arg(ap, uint16_vap); @@ -324,10 +334,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va td->td_planarconfig = (uint16) v; break; case TIFFTAG_XPOSITION: - td->td_xposition = (float) va_arg(ap, double); + td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); break; case TIFFTAG_YPOSITION: - td->td_yposition = (float) va_arg(ap, double); + td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); break; case TIFFTAG_RESOLUTIONUNIT: v = (uint16) va_arg(ap, uint16_vap); Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2018-03-20 09:09:38.167076118 -0400 +++ tiff-4.0.3/libtiff/tif_dirread.c 2018-03-20 09:09:38.163076109 -0400 @@ -40,6 +40,7 @@ */ #include "tiffiop.h" +#include #define IGNORE 0 /* tag placeholder used below */ #define FAILED_FII ((uint32) -1) 
@@ -2409,7 +2410,14 @@ static enum TIFFReadDirEntryErr TIFFRead ma=(double*)origdata; mb=data; for (n=0; n FLT_MAX ) + val = FLT_MAX; + else if( val < -FLT_MAX ) + val = -FLT_MAX; + *mb++=(float)val; + } } break; } Index: tiff-4.0.3/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirwrite.c 2018-03-20 09:09:38.167076118 -0400 +++ tiff-4.0.3/libtiff/tif_dirwrite.c 2018-03-20 09:09:38.163076109 -0400 @@ -30,6 +30,7 @@ * Directory Write Support Routines. */ #include "tiffiop.h" +#include #ifdef HAVE_IEEEFP #define TIFFCvtNativeToIEEEFloat(tif, n, fp) @@ -937,6 +938,69 @@ bad: return(0); } +static float TIFFClampDoubleToFloat( double val ) +{ + if( val > FLT_MAX ) + return FLT_MAX; + if( val < -FLT_MAX ) + return -FLT_MAX; + return (float)val; +} + +static int8 TIFFClampDoubleToInt8( double val ) +{ + if( val > 127 ) + return 127; + if( val < -128 || val != val ) + return -128; + return (int8)val; +} + +static int16 TIFFClampDoubleToInt16( double val ) +{ + if( val > 32767 ) + return 32767; + if( val < -32768 || val != val ) + return -32768; + return (int16)val; +} + +static int32 TIFFClampDoubleToInt32( double val ) +{ + if( val > 0x7FFFFFFF ) + return 0x7FFFFFFF; + if( val < -0x7FFFFFFF-1 || val != val ) + return -0x7FFFFFFF-1; + return (int32)val; +} + +static uint8 TIFFClampDoubleToUInt8( double val ) +{ + if( val < 0 ) + return 0; + if( val > 255 || val != val ) + return 255; + return (uint8)val; +} + +static uint16 TIFFClampDoubleToUInt16( double val ) +{ + if( val < 0 ) + return 0; + if( val > 65535 || val != val ) + return 65535; + return (uint16)val; +} + +static uint32 TIFFClampDoubleToUInt32( double val ) +{ + if( val < 0 ) + return 0; + if( val > 0xFFFFFFFFU || val != val ) + return 0xFFFFFFFFU; + return (uint32)val; +} + static int TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value) { 
@@ -957,7 +1021,7 @@ TIFFWriteDirectoryTagSampleformatArray(T if (tif->tif_dir.td_bitspersample<=32) { for (i = 0; i < count; ++i) - ((float*)conv)[i] = (float)value[i]; + ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); } else @@ -969,19 +1033,19 @@ TIFFWriteDirectoryTagSampleformatArray(T if (tif->tif_dir.td_bitspersample<=8) { for (i = 0; i < count; ++i) - ((int8*)conv)[i] = (int8)value[i]; + ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]); ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv); } else if (tif->tif_dir.td_bitspersample<=16) { for (i = 0; i < count; ++i) - ((int16*)conv)[i] = (int16)value[i]; + ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]); ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv); } else { for (i = 0; i < count; ++i) - ((int32*)conv)[i] = (int32)value[i]; + ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]); ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv); } break; @@ -989,19 +1053,19 @@ TIFFWriteDirectoryTagSampleformatArray(T if (tif->tif_dir.td_bitspersample<=8) { for (i = 0; i < count; ++i) - ((uint8*)conv)[i] = (uint8)value[i]; + ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]); ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv); } else if (tif->tif_dir.td_bitspersample<=16) { for (i = 0; i < count; ++i) - ((uint16*)conv)[i] = (uint16)value[i]; + ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]); ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv); } else { for (i = 0; i < count; ++i) - ((uint32*)conv)[i] = (uint32)value[i]; + ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]); ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv); } break; 
@@ -2100,12 +2164,17 @@ TIFFWriteDirectoryTagCheckedRational(TIF TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal"); return 0; } + else if( value != value ) + { + TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal"); + return 0; + } else if (value==0.0) { m[0]=0; m[1]=1; } - else if (value==(double)(uint32)value) + else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value) { m[0]=(uint32)value; m[1]=1; @@ -2146,12 +2215,13 @@ TIFFWriteDirectoryTagCheckedRationalArra } for (na=value, nb=m, nc=0; nc= 0 && *na <= (float)0xFFFFFFFFU && + *na==(float)(uint32)(*na)) { nb[0]=(uint32)(*na); nb[1]=1; debian/patches/CVE-2018-1710x.patch0000644000000000000000000000724513420114744013431 0ustar Backport of: From f1b94e8a3ba49febdd3361c0214a1d1149251577 Mon Sep 17 00:00:00 2001 From: Young_X Date: Sat, 8 Sep 2018 14:36:12 +0800 Subject: [PATCH 1/3] only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 and From 6da1fb3f64d43be37e640efbec60400d1f1ac39e Mon Sep 17 00:00:00 2001 From: Young_X Date: Sat, 8 Sep 2018 14:46:27 +0800 Subject: [PATCH 2/3] avoid potential int32 overflows in multiply_ms() Index: tiff-4.0.3/tools/pal2rgb.c =================================================================== --- tiff-4.0.3.orig/tools/pal2rgb.c 2019-01-17 10:03:06.026532418 -0500 +++ tiff-4.0.3/tools/pal2rgb.c 2019-01-17 10:03:06.022532407 -0500 
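Review bot: in the tif_dirwrite.c hunk that adds the TIFFClampDoubleTo*() helpers (the patch that ends above), NaN is handled three different ways: the signed integer helpers return the minimum, the unsigned ones return the maximum, and TIFFClampDoubleToFloat() lets it pass both comparisons unchanged. A one-line comment on each helper stating the intended NaN result would make that a decision rather than an accident. TIFFClampDoubleToFloat() is also defined twice as a static function (tif_dir.c and tif_dirwrite.c) and written out a third time inline in tif_dirread.c; one definition in a shared internal header would keep the copies from drifting.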
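Review bot: in the TIFFWriteDirectoryTagCheckedRationalArray() hunk of tif_dirwrite.c (same patch), the bound *na <= (float)0xFFFFFFFFU does not exclude 4294967296.0f, because 0xFFFFFFFF is not representable in a float and with round-to-nearest the cast yields 2^32. An input equal to 2^32 therefore still reaches (uint32)(*na), which is the out-of-range conversion this patch sets out to remove. Use a strict comparison against 4294967296.0f, or do the comparison in double as the scalar hunk does with value <= 0xFFFFFFFFU.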
@@ -401,7 +401,23 @@ cpTags(TIFF* in, TIFF* out) { struct cpTag *p; for (p = tags; p < &tags[NTAGS]; p++) - cpTag(in, out, p->tag, p->count, p->type); + { + if( p->tag == TIFFTAG_GROUP3OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX3 ) + continue; + } + if( p->tag == TIFFTAG_GROUP4OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX4 ) + continue; + } + cpTag(in, out, p->tag, p->count, p->type); + } } #undef NTAGS Index: tiff-4.0.3/tools/tiff2bw.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2bw.c 2019-01-17 10:03:06.026532418 -0500 +++ tiff-4.0.3/tools/tiff2bw.c 2019-01-17 10:03:06.022532407 -0500 @@ -427,7 +427,23 @@ cpTags(TIFF* in, TIFF* out) { struct cpTag *p; for (p = tags; p < &tags[NTAGS]; p++) - cpTag(in, out, p->tag, p->count, p->type); + { + if( p->tag == TIFFTAG_GROUP3OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX3 ) + continue; + } + if( p->tag == TIFFTAG_GROUP4OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX4 ) + continue; + } + cpTag(in, out, p->tag, p->count, p->type); + } } #undef NTAGS Index: tiff-4.0.3/tools/ppm2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/ppm2tiff.c 2019-01-17 10:03:06.026532418 -0500 +++ tiff-4.0.3/tools/ppm2tiff.c 2019-01-17 10:05:50.103164836 -0500 
@@ -72,6 +72,18 @@ BadPPM(char* file) exit(-2); } + +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) + +static tmsize_t +multiply_ms(tmsize_t m1, tmsize_t m2) +{ + if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) + return 0; + return m1 * m2; +} + int main(int argc, char* argv[]) { @@ -222,7 +234,8 @@ main(int argc, char* argv[]) } switch (bpp) { case 1: - linebytes = (spp * w + (8 - 1)) / 8; + /* if round-up overflows, result will be zero, OK */ + linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; if (rowsperstrip == (uint32) -1) { TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); } else { @@ -231,7 +244,7 @@ main(int argc, char* argv[]) } break; case 8: - linebytes = spp * w; + linebytes = multiply_ms(spp, w); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, TIFFDefaultStripSize(out, rowsperstrip)); break; debian/patches/CVE-2016-10094.patch0000644000000000000000000000271613054073014013317 0ustar From c7153361a4041260719b340f73f2f76b0969235c Mon Sep 17 00:00:00 2001 
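Review bot: in the ppm2tiff.c hunks (the patch that ends above), multiply_ms() returns 0 both for an overflow and for a genuine zero operand, and neither call site in the switch tests the result: linebytes = multiply_ms(spp, w) is used as is, and the bpp 1 case relies on the comment "if round-up overflows, result will be zero, OK". Please add an explicit linebytes == 0 check with an error exit right after the switch, so the safety of the code that consumes linebytes does not depend on how each later call treats a zero length.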
From: erouault Date: Tue, 20 Dec 2016 17:28:17 +0000 Subject: [PATCH] * tools/tiff2pdf.c: avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile(). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 --- ChangeLog | 6 ++++++ tools/tiff2pdf.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 6be3602..91ba4e6 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,11 @@ # 2016-12-20 Even Rouault # #+ * tools/tiff2pdf.c: avoid potential heap-based overflow in #+ t2p_readwrite_pdf_image_tile(). #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 #+ #+2016-12-20 Even Rouault #+ # * tools/tiff2pdf.c: avoid potential invalid memory read in # t2p_writeproc. # Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639 Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2017-02-24 13:06:01.901569509 -0500 +++ tiff-4.0.3/tools/tiff2pdf.c 2017-02-24 13:06:01.897569463 -0500 @@ -2834,7 +2834,7 @@ return(0); } if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { - if (count >= 4) { + if (count > 4) { /* Ignore EOI marker of JpegTables */ _TIFFmemcpy(buffer, jpt, count - 2); bufferoffset += count - 2; debian/patches/CVE-2015-8781-8782-8783.patch0000644000000000000000000001207612674524052014277 0ustar From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 
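Review bot: in the t2p_readwrite_pdf_image_tile() hunk of tiff2pdf.c (the patch that ends above), the condition changes from count >= 4 to count > 4 with no comment saying why a four-byte JPEGTables value must now be skipped, and the literals 4 and 2 stay unexplained; the existing comment mentions only the EOI marker. A short comment tying both numbers to the marker bytes involved, plus a regression file with count == 4, would make the boundary reviewable.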
From: erouault Date: Sun, 27 Dec 2015 16:25:11 +0000 Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in decode functions in non debug builds by replacing assert()s by regular if checks (bugzilla #2522). Fix potential out-of-bound reads in case of short input data. --- ChangeLog | 7 +++++++ libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 51 insertions(+), 11 deletions(-) Index: tiff-4.0.3/libtiff/tif_luv.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_luv.c 2016-03-23 10:13:56.868540963 -0400 +++ tiff-4.0.3/libtiff/tif_luv.c 2016-03-23 10:13:56.864540914 -0400 @@ -202,7 +202,11 @@ if (sp->user_datafmt == SGILOGDATAFMT_16BIT) tp = (int16*) op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (int16*) sp->tbuf; } _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); @@ -211,9 +215,11 @@ cc = tif->tif_rawcc; /* get each byte string */ for (shft = 2*8; (shft -= 8) >= 0; ) { - for (i = 0; i < npixels && cc > 0; ) + for (i = 0; i < npixels && cc > 0; ) { if (*bp >= 128) { /* run */ - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ + if( cc < 2 ) + break; + rc = *bp++ + (2-128); b = (int16)(*bp++ << shft); cc -= 2; while (rc-- && i < npixels) @@ -223,6 +229,7 @@ while (--cc && rc-- && i < npixels) tp[i++] |= (int16)*bp++ << shft; } + } if (i != npixels) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, 
@@ -268,13 +275,17 @@ if (sp->user_datafmt == SGILOGDATAFMT_RAW) tp = (uint32 *)op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (uint32 *) sp->tbuf; } /* copy to array of uint32 */ bp = (unsigned char*) tif->tif_rawcp; cc = tif->tif_rawcc; - for (i = 0; i < npixels && cc > 0; i++) { + for (i = 0; i < npixels && cc >= 3; i++) { tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; bp += 3; cc -= 3; @@ -325,7 +336,11 @@ if (sp->user_datafmt == SGILOGDATAFMT_RAW) tp = (uint32*) op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (uint32*) sp->tbuf; } _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); @@ -334,11 +349,13 @@ cc = tif->tif_rawcc; /* get each byte string */ for (shft = 4*8; (shft -= 8) >= 0; ) { - for (i = 0; i < npixels && cc > 0; ) + for (i = 0; i < npixels && cc > 0; ) { if (*bp >= 128) { /* run */ + if( cc < 2 ) + break; rc = *bp++ + (2-128); b = (uint32)*bp++ << shft; - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ + cc -= 2; while (rc-- && i < npixels) tp[i++] |= b; } else { /* non-run */ @@ -346,6 +363,7 @@ while (--cc && rc-- && i < npixels) tp[i++] |= (uint32)*bp++ << shft; } + } if (i != npixels) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, @@ -407,6 +425,7 @@ static int LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogL16Encode"; LogLuvState* sp = EncoderState(tif); int shft; tmsize_t i; 
@@ -427,7 +446,11 @@ tp = (int16*) bp; else { tp = (int16*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* compress each byte string */ @@ -500,6 +523,7 @@ static int LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogLuvEncode24"; LogLuvState* sp = EncoderState(tif); tmsize_t i; tmsize_t npixels; @@ -515,7 +539,11 @@ tp = (uint32*) bp; else { tp = (uint32*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* write out encoded pixels */ @@ -547,6 +575,7 @@ static int LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogLuvEncode32"; LogLuvState* sp = EncoderState(tif); int shft; tmsize_t i; @@ -568,7 +597,11 @@ tp = (uint32*) bp; else { tp = (uint32*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* compress each byte string */ debian/patches/CVE-2018-17000.patch0000644000000000000000000000256313441511025013312 0ustar From 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 Mon Sep 17 00:00:00 2001 
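Review bot: In CVE-2015-8781-8782-8783.patch the same `sp->tbuflen < npixels` test and "Translation buffer too short" message are pasted into six places in `libtiff/tif_luv.c`, and the message prints neither value. A small static helper taking `tif`, `module`, `sp` and `npixels` would keep the six sites in step, and including both lengths in the message would make a report of this error usable for triage. In the two run-length decode hunks, the new `if( cc < 2 ) break;` reports truncated input only through the existing `if (i != npixels)` path; a short comment saying that this is intended would help.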
From: Thomas Bernard Date: Tue, 29 Jan 2019 11:21:47 +0100 Subject: [PATCH] TIFFWriteDirectoryTagTransferfunction() : fix NULL dereferencing http://bugzilla.maptools.org/show_bug.cgi?id=2833 we must check the pointer is not NULL before memcmp() the memory --- libtiff/tif_dirwrite.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) Index: tiff-4.0.6/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2019-03-11 12:49:35.936577166 -0400 +++ tiff-4.0.6/libtiff/tif_dirwrite.c 2019-03-11 12:49:35.932577150 -0400 @@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TI n=3; if (n==3) { - if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) + if (tif->tif_dir.td_transferfunction[2] == NULL || + !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) n=2; } if (n==2) { - if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) + if (tif->tif_dir.td_transferfunction[1] == NULL || + !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) n=1; } if (n==0) debian/patches/CVE-2017-9936.patch0000644000000000000000000000313713254204072013255 0ustar From fe8d7165956b88df4837034a9161dc5fd20cf67a Mon Sep 17 00:00:00 2001 
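Review bot: In the `TIFFWriteDirectoryTagTransferfunction()` hunk of CVE-2018-17000.patch, only `td_transferfunction[2]` and `td_transferfunction[1]` get a NULL test, while `td_transferfunction[0]` is still passed to `_TIFFmemcmp()` as the first argument in both comparisons. Unless a line outside the hunk guarantees that `[0]` is non-NULL, add that test too or return early when it is NULL. A comment that a NULL table is deliberately treated like a table equal to table 0 (it lowers `n`) would also help the next reader.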
From: Even Rouault Date: Mon, 26 Jun 2017 15:19:59 +0000 Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported by team OWL337 * libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg --- ChangeLog | 8 +++++++- libtiff/tif_jbig.c | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index bc5096e7..ecd70534 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,6 +1,12 @@ #+2017-06-26 Even Rouault #+ #+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 #+ Reported by team OWL337 #+ # 2017-06-24 Even Rouault # #- * libjpeg/tif_jpeg.c: error out at decoding time if anticipated libjpeg #+ * libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg # memory allocation is above 100 MB. libjpeg in case of multiple scans, # which is allowed even in baseline JPEG, if components are spread over several # scans and not interleavedin a single one, needs to allocate memory (or diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c index 5f5f75e2..c75f31d9 100644 --- a/libtiff/tif_jbig.c +++ b/libtiff/tif_jbig.c @@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) jbg_strerror(decodeStatus) #endif ); + jbg_dec_free(&decoder); return 0; } debian/patches/CVE-2014-9655-2.patch0000644000000000000000000000462112505326654013417 0ustar From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001 From: erouault Date: Mon, 29 Dec 2014 12:09:11 +0000 Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't read outside of the compressed input stream buffer. * libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height --- ChangeLog | 9 +++++++++ libtiff/tif_getimage.c | 12 +++++++----- libtiff/tif_next.c | 4 +++- 3 files changed, 19 insertions(+), 6 deletions(-) 
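Review bot: In CVE-2017-9936.patch the only code change is `jbg_dec_free(&decoder);` on one error return of `JBIGDecode()`, yet the subject ends with an unrelated, cut-off line about `tif_jpeg.c` and the ChangeLog hunk also renames `libjpeg/tif_jpeg.c` in an older entry. Drop both from this patch so the fix describes itself, and confirm that every other early return taken after the decoder is initialised frees it as well, since only this one return is visible in the hunk.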
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c index a4f46d9..3ad8ee7 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile) (void) y; fromskew = (fromskew * 10) / 4; - if ((h & 3) == 0 && (w & 1) == 0) { + if ((w & 3) == 0 && (h & 1) == 0) { for (; h >= 2; h -= 2) { x = w>>2; do { @@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) /* XXX adjust fromskew */ do { x = w>>2; - do { + while(x>0) { int32 Cb = pp[4]; int32 Cr = pp[5]; @@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) cp += 4; pp += 6; - } while (--x); + x--; + } if( (w&3) != 0 ) { @@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) fromskew = (fromskew * 4) / 2; do { x = w>>1; - do { + while(x>0) { int32 Cb = pp[2]; int32 Cr = pp[3]; @@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) cp += 2; pp += 4; - } while (--x); + x --; + } if( (w&1) != 0 ) { diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c index d834196..dd669cc 100644 --- a/libtiff/tif_next.c +++ b/libtiff/tif_next.c @@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); return (0); } - for (row = buf; occ > 0; occ -= scanline, row += scanline) { + for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { n = *bp++, cc--; switch (n) { case LITERALROW: @@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) * The scanline has a literal span that begins at some * offset. */ + if( cc < 4 ) + goto bad; off = (bp[0] * 256) + bp[1]; n = (bp[2] * 256) + bp[3]; if (cc < 4+n || off+n > scanline) debian/patches/CVE-2016-9539.patch0000644000000000000000000000344113054072675013263 0ustar From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001 
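Review bot: In the `NeXTDecode()` hunk of CVE-2014-9655-2.patch, adding `cc > 0` to the `for` condition makes the loop stop quietly when the input runs out while `occ` is still positive. If the code after the loop returns success, a truncated strip is accepted with the remaining rows never written; treat that case as an error, as the new `if( cc < 4 ) goto bad;` already does for the literal-span header. In `libtiff/tif_getimage.c`, the rewrites from `do ... while (--x)` to `while(x>0)` deserve a one-line comment saying they exist for widths where `w>>2` or `w>>1` is zero.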
From: erouault Date: Fri, 14 Oct 2016 19:13:20 +0000 Subject: [PATCH] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. --- ChangeLog | 6 ++++++ tools/tiffcrop.c | 11 ++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index d6e718d..84d016d 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,9 @@ #+2016-10-14 Even Rouault #+ #+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in #+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet #+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. #+ # 2016-10-09 Even Rouault # # * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG Index: tiff-4.0.6/tools/tiffcrop.c =================================================================== --- tiff-4.0.6.orig/tools/tiffcrop.c 2017-02-24 10:18:15.064816640 -0500 +++ tiff-4.0.6/tools/tiffcrop.c 2017-02-24 10:18:15.064816640 -0500 
@@ -821,9 +821,18 @@ } } - tilebuf = _TIFFmalloc(tile_buffsize); + /* Add 3 padding bytes for extractContigSamplesShifted32bits */ + if( tile_buffsize > 0xFFFFFFFFU - 3 ) + { + TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); + exit(-1); + } + tilebuf = _TIFFmalloc(tile_buffsize + 3); if (tilebuf == 0) return 0; + tilebuf[tile_buffsize] = 0; + tilebuf[tile_buffsize+1] = 0; + tilebuf[tile_buffsize+2] = 0; dst_rowsize = ((imagewidth * bps * spp) + 7) / 8; for (row = 0; row < imagelength; row += tl) debian/patches/opengl.patch0000644000000000000000000000113312256047746013135 0ustar Description: call glFlush() in tiffgt Author: Micksa (micksa-launchpad) Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2401 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/797166 Index: tiff-4.0.3/tools/tiffgt.c =================================================================== --- tiff-4.0.3.orig/tools/tiffgt.c 2013-06-23 10:36:50.575629499 -0400 +++ tiff-4.0.3/tools/tiffgt.c 2013-06-23 10:36:50.571629497 -0400 @@ -287,6 +287,7 @@ raster_draw(void) { glDrawPixels(img.width, img.height, GL_RGBA, GL_UNSIGNED_BYTE, (const GLvoid *) raster); + glFlush(); } static void debian/patches/CVE-2016-9453.patch0000644000000000000000000000371513054071273013253 0ustar From d2955714a4a0b8ca10941550cfbf64c7e111fbf1 Mon Sep 17 00:00:00 2001 
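Review bot: In the `tools/tiffcrop.c` hunk of CVE-2016-9539.patch, the overflow branch calls `exit(-1)` while the allocation failure just below it does `return 0`; use the same return path for both so the caller can clean up. The bound `0xFFFFFFFFU - 3` hard-codes a 32-bit width for `tile_buffsize`, whose declaration is not in the hunk, so derive the limit from the variable's type instead. The three zeroing stores can be one `_TIFFmemset(tilebuf + tile_buffsize, 0, 3);`.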
From: erouault Date: Sat, 8 Oct 2016 15:14:42 +0000 Subject: [PATCH] * tools/tiff2pdf.c: fix read -largely- outsize of buffer in t2p_readwrite_pdf_image_tile(), causing crash, when reading a JPEG compressed image with TIFFTAG_JPEGTABLES length being one. Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. --- ChangeLog | 8 ++++++++ tools/tiff2pdf.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 8f54f28..8b57d1b 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,13 @@ # 2016-10-08 Even Rouault # #+ * tools/tiff2pdf.c: fix read -largely- outsize of buffer in #+ t2p_readwrite_pdf_image_tile(), causing crash, when reading a #+ JPEG compressed image with TIFFTAG_JPEGTABLES length being one. #+ Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from #+ the MSRC Vulnerabilities & Mitigations team. #+ #+2016-10-08 Even Rouault #+ # * tools/tiffcp.c: fix read of undefined variable in case of missing # required tags. Found on test case of MSVR 35100. # * tools/tiffcrop.c: fix read of undefined buffer in Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2017-02-24 12:51:50.717414514 -0500 +++ tiff-4.0.3/tools/tiff2pdf.c 2017-02-24 12:51:50.717414514 -0500 @@ -2833,13 +2833,13 @@ return(0); } if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { - if (count > 0) { + if (count >= 2) { _TIFFmemcpy(buffer, jpt, count); bufferoffset += count - 2; table_end[0] = buffer[bufferoffset-2]; table_end[1] = buffer[bufferoffset-1]; } - if (count > 0) { + if (count >= 2) { xuint32 = bufferoffset; bufferoffset += TIFFReadRawTile( input, debian/patches/CVE-2017-7592.patch0000644000000000000000000000335513254203632013254 0ustar From 48780b4fcc425cddc4ef8ffdf536f96a0d1b313b Mon Sep 17 00:00:00 2001 
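Review bot: In the first `count >= 2` branch of the `tools/tiff2pdf.c` hunk in CVE-2016-9453.patch, `count == 2` still passes: `bufferoffset += count - 2` then adds nothing, and `buffer[bufferoffset-2]` and `buffer[bufferoffset-1]` are read relative to an offset that has not moved. If `bufferoffset` is 0 on entry (its initialisation is outside the hunk), both reads land before the start of `buffer`. Require enough bytes for the reads that follow the copy, and state the minimum JPEGTables length in a comment.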
From: erouault Date: Wed, 11 Jan 2017 16:38:26 +0000 Subject: [PATCH] =?UTF-8?q?*=20libtiff/tif=5Fgetimage.c:=20add=20explicit?= =?UTF-8?q?=20uint32=20cast=20in=20putagreytile=20to=20avoid=20UndefinedBe?= =?UTF-8?q?haviorSanitizer=20warning.=20Patch=20by=20Nicol=C3=A1s=20Pe?= =?UTF-8?q?=C3=B1a.=20Fixes=20http://bugzilla.maptools.org/show=5Fbug.cgi?= =?UTF-8?q?=3Fid=3D2658?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ChangeLog | 7 +++++++ libtiff/tif_getimage.c | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 3e314644..6a342e5e 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2017-01-11 Even Rouault #+ #+ * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to #+ avoid UndefinedBehaviorSanitizer warning. #+ Patch by Nicolás Peña. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658 #+ # 2017-01-11 Even Rouault # # * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer Index: tiff-4.0.3/libtiff/tif_getimage.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_getimage.c 2018-03-20 09:07:36.822804417 -0400 +++ tiff-4.0.3/libtiff/tif_getimage.c 2018-03-20 09:07:36.822804417 -0400 @@ -1248,7 +1248,7 @@ DECLAREContigPutFunc(putagreytile) while (h-- > 0) { for (x = w; x-- > 0;) { - *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1); + *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1); pp += samplesperpixel; } cp += toskew; debian/patches/CVE-2016-10268.patch0000644000000000000000000000316413254203605013323 0ustar From 5397a417e61258c69209904e652a1f409ec3b9df Mon Sep 17 00:00:00 2001 
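Review bot: In the `putagreytile` hunk of CVE-2017-7592.patch, the `(uint32)` cast is what keeps `*(pp+1) << 24` from being evaluated as a shift on a promoted signed `int`, which is not obvious from the expression. Add a brief comment so the cast is not later removed as redundant, and check the neighbouring put functions for the same `<< 24` pattern, since the hunk changes only this one.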
From: erouault Date: Fri, 2 Dec 2016 22:13:32 +0000 Subject: [PATCH] * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that can cause various issues, such as buffer overflows in the library. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 --- ChangeLog | 7 +++++++ tools/tiffcp.c | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 668b66ad..0f154d66 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2016-12-02 Even Rouault #+ #+ * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that #+ can cause various issues, such as buffer overflows in the library. #+ Reported by Agostino Sarubbo. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 #+ # 2016-12-02 Even Rouault # # * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in Index: tiff-4.0.3/tools/tiffcp.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcp.c 2018-03-20 09:07:15.486754792 -0400 +++ tiff-4.0.3/tools/tiffcp.c 2018-03-20 09:07:15.486754792 -0400 @@ -979,7 +979,7 @@ DECLAREcpFunc(cpDecodedStrips) tstrip_t s, ns = TIFFNumberOfStrips(in); uint32 row = 0; _TIFFmemset(buf, 0, stripsize); - for (s = 0; s < ns; s++) { + for (s = 0; s < ns && row < imagelength; s++) { tsize_t cc = (row + rowsperstrip > imagelength) ? TIFFVStripSize(in, imagelength - row) : stripsize; if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 debian/patches/CVE-2017-7594-2.patch0000644000000000000000000000325713254204005013411 0ustar From 8283e4d1b7e53340684d12932880cbcbaf23a8c1 Mon Sep 17 00:00:00 2001 
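Review bot: In the `cpDecodedStrips` hunk of CVE-2016-10268.patch, the added `row < imagelength` condition ends the loop silently when the strip count implies more rows than `imagelength`. Emit an error or warning when the loop stops with `s < ns`, so an inconsistent file is reported instead of being copied short. A comment beside the condition naming the `imagelength - row` underflow it prevents would document why it is there.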
From: erouault Date: Thu, 12 Jan 2017 17:43:25 +0000 Subject: [PATCH] =?UTF-8?q?*=20libtiff/tif=5Fojpeg.c:=20fix=20leak=20in=20?= =?UTF-8?q?OJPEGReadHeaderInfoSecTablesAcTable=20when=20read=20fails.=20Pa?= =?UTF-8?q?tch=20by=20Nicol=C3=A1s=20Pe=C3=B1a.=20Fixes=20http://bugzilla.?= =?UTF-8?q?maptools.org/show=5Fbug.cgi=3Fid=3D2659?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ChangeLog | 7 +++++++ libtiff/tif_ojpeg.c | 3 +++ 2 files changed, 10 insertions(+) #diff --git a/ChangeLog b/ChangeLog #index 6e6f3b07..12e0370b 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2017-01-12 Even Rouault #+ #+ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable #+ when read fails. #+ Patch by Nicolás Peña. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 #+ # 2017-01-11 Even Rouault # # * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode Index: tiff-4.0.3/libtiff/tif_ojpeg.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_ojpeg.c 2018-03-20 09:09:19.235034815 -0400 +++ tiff-4.0.3/libtiff/tif_ojpeg.c 2018-03-20 09:09:19.235034815 -0400 @@ -1913,7 +1913,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF rb[sizeof(uint32)+5+n]=o[n]; p=TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); if (p!=q) + { + _TIFFfree(rb); return(0); + } sp->actable[m]=rb; sp->sos_tda[m]=(sp->sos_tda[m]|m); } debian/patches/CVE-2018-19210-1.patch0000644000000000000000000000631613441511037013460 0ustar From d0a842c5dbad2609aed43c701a12ed12461d3405 Mon Sep 17 00:00:00 2001 
From: Hugo Lefeuvre Date: Wed, 21 Nov 2018 18:50:34 +0100 Subject: [PATCH] tif_dir: unset transferfunction field if necessary The number of entries in the transfer table is determined as following: (td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1 This means that whenever td->td_samplesperpixel or td->td_extrasamples are modified we also need to make sure that the number of required entries in the transfer table didn't change. If it changed and the number of entries is higher than before we should invalidate the transfer table field and free previously allocated values. In the other case there's nothing to do, additional tf entries won't harm and properly written code will just ignore them since spp - es < 1. For instance this situation might happen when reading an OJPEG compressed image with missing SamplesPerPixel tag. In this case the SamplesPerPixel field might be updated after setting the transfer table. see http://bugzilla.maptools.org/show_bug.cgi?id=2500 This commit addresses CVE-2018-19210. --- libtiff/tif_dir.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) Index: tiff-4.0.3/libtiff/tif_dir.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dir.c 2019-03-11 12:51:41.889101264 -0400 +++ tiff-4.0.3/libtiff/tif_dir.c 2019-03-11 12:51:41.885101248 -0400 
@@ -284,6 +284,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va _TIFFfree(td->td_smaxsamplevalue); td->td_smaxsamplevalue = NULL; } + /* Test if 3 transfer functions instead of just one are now needed + See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */ + if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) && + !(td->td_samplesperpixel - td->td_extrasamples > 1)) + { + TIFFWarningExt(tif->tif_clientdata,module, + "SamplesPerPixel tag value is changing, " + "but TransferFunction was read with a different value. Cancelling it"); + TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); + _TIFFfree(td->td_transferfunction[0]); + td->td_transferfunction[0] = NULL; + } } td->td_samplesperpixel = (uint16) v; break; @@ -360,6 +372,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32); break; case TIFFTAG_EXTRASAMPLES: + if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) && + !(td->td_samplesperpixel - td->td_extrasamples > 1)) + { + TIFFWarningExt(tif->tif_clientdata,module, + "ExtraSamples tag value is changing, " + "but TransferFunction was read with a different value. Cancelling it"); + TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); + _TIFFfree(td->td_transferfunction[0]); + td->td_transferfunction[0] = NULL; + } if (!setExtraSamples(td, ap, &v)) goto badvalue; break; debian/patches/CVE-2017-11613-2.patch0000644000000000000000000000254613254741073013467 0ustar Backport of: From 7a092f8af2568d61993a8cc2e7a35a998d7d37be Mon Sep 17 00:00:00 2001 
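Review bot: In the `TIFFTAG_EXTRASAMPLES` hunk of CVE-2018-19210-1.patch, the new test reads `v` in `td->td_samplesperpixel - v > 1` before `setExtraSamples(td, ap, &v)` runs, and that call is the only place shown that fills `v` for this tag, so the comparison uses whatever `v` held beforehand. Move the test after `setExtraSamples()` succeeds, or into it. Both hunks also subtract the extra-sample count from the samples-per-pixel count without first checking which is larger, and the code comment cites bug 2820 while the commit message cites bug 2500; make the two references agree.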
From: Even Rouault Date: Sat, 17 Mar 2018 09:36:29 +0100 Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613) Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. Credit to OSS Fuzz Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 --- libtiff/tif_dirread.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2018-03-22 10:48:25.599197009 -0400 +++ tiff-4.0.3/libtiff/tif_dirread.c 2018-03-22 10:48:25.599197009 -0400 @@ -5660,9 +5660,8 @@ ChopUpSingleUncompressedStrip(TIFF* tif) /* file is as big as needed */ if( tif->tif_mode == O_RDONLY && nstrips32 > 1000000 && - (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) || - tif->tif_dir.td_stripbytecount[0] > - TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) ) + (offset >= TIFFGetFileSize(tif) || + stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips32 - 1)) ) { return; } debian/patches/CVE-2017-10688.patch0000644000000000000000000000620513254204103013323 0ustar From 6173a57d39e04d68b139f8c1aa499a24dbe74ba1 Mon Sep 17 00:00:00 2001 
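Review bot: In the `ChopUpSingleUncompressedStrip()` hunk of CVE-2017-11613-2.patch, the condition now divides the remaining file size by `nstrips32 - 1`, but the comment above it still only says the file is as big as needed. Put the reasoning in the comment: which strips must fit between `offset` and the end of the file, and why the last one is excluded. Note there as well that the test still applies only to `O_RDONLY` files with `nstrips32 > 1000000`, so smaller strip counts are not covered by it.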
From: Even Rouault Date: Fri, 30 Jun 2017 17:29:44 +0000 Subject: [PATCH] * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 data type, replace assertion that the file is BigTIFF, by a non-fatal error. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team OWL337 --- ChangeLog | 8 ++++++++ libtiff/tif_dirwrite.c | 20 ++++++++++++++++---- 2 files changed, 24 insertions(+), 4 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 6f085e09..77a64385 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,11 @@ #+2017-06-30 Even Rouault #+ #+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() #+ functions associated with LONG8/SLONG8 data type, replace assertion that #+ the file is BigTIFF, by a non-fatal error. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 #+ Reported by team OWL337 #+ # 2017-06-30 Even Rouault # # * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer() Index: tiff-4.0.6/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2018-03-20 07:53:49.344541689 -0400 +++ tiff-4.0.6/libtiff/tif_dirwrite.c 2018-03-20 07:53:49.340541687 -0400 @@ -2109,7 +2109,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* { uint64 m; assert(sizeof(uint64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); + return(0); + } m=value; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8(&m); 
@@ -2122,7 +2125,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(T { assert(count<0x20000000); assert(sizeof(uint64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); + return(0); + } if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong8(value,count); return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); @@ -2134,7 +2140,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* { int64 m; assert(sizeof(int64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); + return(0); + } m=value; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8((uint64*)(&m)); 
@@ -2147,7 +2156,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array( { assert(count<0x20000000); assert(sizeof(int64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); + return(0); + } if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong8((uint64*)value,count); return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); debian/patches/CVE-2013-4243.patch0000644000000000000000000000313512331760411013230 0ustar Description: fix denial of service and possible code execution in gif2tiff tool Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2451 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742917 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4243 Origin: other, http://bugzilla.maptools.org/show_bug.cgi?id=2451#c10 Index: tiff-4.0.3/tools/gif2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/gif2tiff.c 2014-05-05 14:57:36.000000000 -0400 +++ tiff-4.0.3/tools/gif2tiff.c 2014-05-05 15:02:37.316671940 -0400 @@ -280,6 +280,10 @@ fprintf(stderr, "no colormap present for image\n"); return (0); } + if (width == 0 || height == 0) { + fprintf(stderr, "Invalid value of width or height\n"); + return(0); + } if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { fprintf(stderr, "not enough memory for image\n"); return (0); @@ -404,6 +408,10 @@ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); return 0; } + if (*fill >= raster + width*height) { + fprintf(stderr, "raster full before eoi code\n"); + return 0; + } *(*fill)++ = suffix[code]; firstchar = oldcode = code; return 1; 
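Review bot: In CVE-2017-10688.patch, all four new `TIFFErrorExt()` calls pass the module string "TIFFWriteDirectoryTagCheckedLong8", including the ones added to `TIFFWriteDirectoryTagCheckedLong8Array`, `TIFFWriteDirectoryTagCheckedSlong8` and `TIFFWriteDirectoryTagCheckedSlong8Array`. Use each function's own name, ideally through a `static const char module[]` as the rest of the library does, so the error points at the function that raised it. The remaining `assert(count<0x20000000)` lines in the two array variants have the same compiled-out-in-release property that this patch removes for the BigTIFF check and are worth converting in the same change.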
@@ -434,6 +442,10 @@ } oldcode = incode; do { + if (*fill >= raster + width*height) { + fprintf(stderr, "raster full before eoi code\n"); + return 0; + } *(*fill)++ = *--stackp; } while (stackp > stack); return 1; debian/patches/CVE-2017-9935-2.patch0000644000000000000000000000464313254741046013425 0ustar Backport of: From d4f213636b6f950498a1386083199bd7f65676b9 Mon Sep 17 00:00:00 2001 From: Brian May Date: Thu, 7 Dec 2017 07:49:20 +1100 Subject: [PATCH] tiff2pdf: Fix apparent incorrect type for transfer table The standard says the transfer table contains unsigned 16 bit values, I have no idea why we refer to them as floats. --- tools/tiff2pdf.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2018-03-22 10:47:05.531089370 -0400 +++ tiff-4.0.3/tools/tiff2pdf.c 2018-03-22 10:47:45.975143625 -0400 @@ -238,7 +238,7 @@ typedef struct { float tiff_whitechromaticities[2]; float tiff_primarychromaticities[6]; float tiff_referenceblackwhite[2]; - float* tiff_transferfunction[3]; + uint16* tiff_transferfunction[3]; int pdf_image_interpolate; /* 0 (default) : do not interpolate, 1 : interpolate */ uint16 tiff_transferfunctioncount; @@ -1036,7 +1036,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* uint16 paged=0; uint16 xuint16=0; uint16 tiff_transferfunctioncount=0; - float* tiff_transferfunction[3]; + uint16* tiff_transferfunction[3]; directorycount=TIFFNumberOfDirectories(input); if(directorycount > TIFF_DIR_MAX) { @@ -1149,8 +1149,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* &(tiff_transferfunction[1]), &(tiff_transferfunction[2]))) { - if((tiff_transferfunction[1] != (float*) NULL) && - (tiff_transferfunction[2] != (float*) NULL) + if((tiff_transferfunction[1] != (uint16*) NULL) && + (tiff_transferfunction[2] != (uint16*) NULL) ) { tiff_transferfunctioncount=3; } else { 
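Review bot: In the first `tools/gif2tiff.c` hunk of CVE-2013-4243.patch, rejecting `width == 0 || height == 0` does not by itself make `width*height+EXTRAFUDGE` safe: if the operand types let the product wrap (their declarations are outside the hunk), the allocation is too small and the two new `*fill >= raster + width*height` tests compare against the same wrapped value. Add a division-based upper bound on the dimensions before the `_TIFFmalloc()` call, and compute the raster size once into a variable that all three places use.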
@@ -1822,8 +1822,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* &(t2p->tiff_transferfunction[0]), &(t2p->tiff_transferfunction[1]), &(t2p->tiff_transferfunction[2]))) { - if((t2p->tiff_transferfunction[1] != (float*) NULL) && - (t2p->tiff_transferfunction[2] != (float*) NULL) + if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && + (t2p->tiff_transferfunction[2] != (uint16*) NULL) ) { t2p->tiff_transferfunctioncount=3; } else { debian/patches/CVE-2015-8784.patch0000644000000000000000000000335712674524057013274 0ustar From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 27 Dec 2015 16:55:20 +0000 Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (bugzilla #2508) --- ChangeLog | 6 ++++++ libtiff/tif_next.c | 10 ++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c index dd669cc..0a5b635 100644 --- a/libtiff/tif_next.c +++ b/libtiff/tif_next.c @@ -37,7 +37,7 @@ case 0: op[0] = (unsigned char) ((v) << 6); break; \ case 1: op[0] |= (v) << 4; break; \ case 2: op[0] |= (v) << 2; break; \ - case 3: *op++ |= (v); break; \ + case 3: *op++ |= (v); op_offset++; break; \ } \ } @@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) uint32 imagewidth = tif->tif_dir.td_imagewidth; if( isTiled(tif) ) imagewidth = tif->tif_dir.td_tilewidth; + tmsize_t op_offset = 0; /* * The scanline is composed of a sequence of constant 
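Review bot: In CVE-2017-9935-2.patch, the element type of `tiff_transferfunction` changes from `float*` to `uint16*` in the struct and in `t2p_read_tiff_init()`, but the commit message does not say how the wrong type relates to the CVE the patch is filed under. Add that sentence, and state whether any code that consumes these tables (none is in the hunks) depended on the old element size. The `(uint16*) NULL` casts in the comparisons are unnecessary; plain `NULL` reads better.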
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) * bounds, potentially resulting in a security * issue. */ - while (n-- > 0 && npixels < imagewidth) + while (n-- > 0 && npixels < imagewidth && op_offset < scanline) SETPIXEL(op, grey); if (npixels >= imagewidth) break; + if (op_offset >= scanline ) { + TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", + (long) tif->tif_row); + return (0); + } if (cc == 0) goto bad; n = *bp++, cc--; debian/patches/CVE-2017-7594-1.patch0000644000000000000000000000351713254203773013422 0ustar From 2ea32f7372b65c24b2816f11c04bf59b5090d05b Mon Sep 17 00:00:00 2001 From: erouault Date: Thu, 12 Jan 2017 19:23:20 +0000 Subject: [PATCH] * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable --- ChangeLog | 3 ++- libtiff/tif_ojpeg.c | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 12e0370b..cd2fa171 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,6 +1,7 @@ # 2017-01-12 Even Rouault # #- * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable #+ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable, #+ OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable # when read fails. # Patch by Nicolás Peña. # Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 Index: tiff-4.0.3/libtiff/tif_ojpeg.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_ojpeg.c 2018-03-20 09:09:13.563022367 -0400 +++ tiff-4.0.3/libtiff/tif_ojpeg.c 2018-03-20 09:09:13.563022367 -0400 @@ -1779,7 +1779,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); p=TIFFReadFile(tif,&ob[sizeof(uint32)+5],64); if (p!=64) + { + _TIFFfree(ob); return(0); + } sp->qtable[m]=ob; sp->sof_tq[m]=m; } 
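Review bot: In the `SETPIXEL` hunk of CVE-2015-8784.patch, the macro now increments `op_offset`, a local of `NeXTDecode()` that is not one of the macro's parameters, so the macro silently depends on its caller's scope; pass the counter as an argument or document the dependency at the macro. `tmsize_t op_offset = 0;` is also declared after the `imagewidth = tif->tif_dir.td_tilewidth;` statement, which older C compilers reject; move it up with the other declarations. Since `op_offset` advances only in `case 3`, a comment that it counts completed output bytes, not pixels, would make the `op_offset < scanline` bound easier to verify.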
@@ -1843,7 +1846,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF rb[sizeof(uint32)+5+n]=o[n]; p=TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); if (p!=q) + { + _TIFFfree(rb); return(0); + } sp->dctable[m]=rb; sp->sos_tda[m]=(m<<4); } debian/patches/CVE-2017-5563_9117.patch0000644000000000000000000000157113254740360013733 0ustar Description: fix heap overread in bmp2tiff Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2664 Origin: other, http://bugzilla.maptools.org/show_bug.cgi?id=2664 Index: tiff-4.0.3/tools/bmp2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/bmp2tiff.c 2018-03-22 10:42:54.946759806 -0400 +++ tiff-4.0.3/tools/bmp2tiff.c 2018-03-22 10:42:54.946759806 -0400 @@ -717,6 +717,14 @@ main(int argc, char* argv[]) _TIFFfree(comprbuf); + /* Check whether we are not going to read past the uncompressed data */ + if ( length > j || width > j || length * width > j) { + TIFFError(infilename, + "Premature end of file"); + _TIFFfree(uncomprbuf); + goto bad3; + } + for (row = 0; row < length; row++) { if (TIFFWriteScanline(out, uncomprbuf + (length - row - 1) * width, debian/patches/CVE-2016-3945.patch0000644000000000000000000001011513054071242013237 0ustar From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001 
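Review bot: in the tools/bmp2tiff.c hunk, the third test `length * width > j` evaluates the product before comparing it, so a product that wraps can come out below `j` and pass the check that is meant to stop the loop reading past `uncomprbuf`. The two tests before it only bound each factor by `j`. Compare by division instead, for example `width != 0 && length > j / width`, or do the multiplication in a 64-bit type; the declarations of `length`, `width` and `j` are not part of the hunk, so the fix should not rely on their width.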
From: erouault Date: Mon, 15 Aug 2016 20:06:40 +0000 Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of allocated buffer, when -b mode is enabled, that could result in out-of-bounds write. Based initially on patch tiff-CVE-2016-3945.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid tests that rejected valid files. --- ChangeLog | 8 ++++++++ tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++---- 2 files changed, 38 insertions(+), 4 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 62dc1b5..9c0ab29 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,11 @@ #+2016-08-15 Even Rouault #+ #+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated #+ buffer, when -b mode is enabled, that could result in out-of-bounds #+ write. Based initially on patch tiff-CVE-2016-3945.patch from #+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for #+ invalid tests that rejected valid files. #+ # 2016-07-11 Even Rouault # # * tools/tiffcrop.c: Avoid access outside of stack allocated array Index: tiff-4.0.3/tools/tiff2rgba.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2rgba.c 2017-02-24 12:51:28.389097558 -0500 +++ tiff-4.0.3/tools/tiff2rgba.c 2017-02-24 12:51:28.385097502 -0500 @@ -145,6 +145,7 @@ uint32 row, col; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); 
@@ -161,7 +162,13 @@ /* * Allocate tile buffer */ - raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); + rastersize = tile_width * tile_height * sizeof (uint32); + if (tile_width != (rastersize / tile_height) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); @@ -171,7 +178,13 @@ * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + wrk_linesize = tile_width * sizeof (uint32); + if (tile_width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0; @@ -247,6 +260,7 @@ uint32 row; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); @@ -261,7 +275,13 @@ /* * Allocate strip buffer */ - raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); + rastersize = width * rowsperstrip * sizeof (uint32); + if (width != (rastersize / rowsperstrip) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); 
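Review bot: the overflow test in this strip hunk, `width != (rastersize / rowsperstrip) / sizeof( uint32)`, divides by `rowsperstrip`, and nothing in the hunk shows that value has been checked for zero (the tile hunk above does the same with `tile_height`); reject a zero dimension before the division. The new failure path also calls `exit(-1)` while the allocation failure two lines below it does `return (0)`; returning 0 here as well would keep one error convention in the function.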
@@ -271,7 +291,13 @@ * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + wrk_linesize = width * sizeof (uint32); + if (width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0; debian/patches/CVE-2016-3990.patch0000644000000000000000000000442113054071251013242 0ustar From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001 
From: erouault Date: Mon, 15 Aug 2016 20:49:48 +0000 Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode if more input samples are provided than expected by PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and simpler check. (bugzilla #2544) invalid tests that rejected valid files. (bugzilla #2545) --- ChangeLog | 10 +++++++++- libtiff/tif_pixarlog.c | 7 +++++++ 2 files changed, 16 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 9c0ab29..db4ea18 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,10 +1,18 @@ # 2016-08-15 Even Rouault # #+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode #+ if more input samples are provided than expected by PixarLogSetupEncode. #+ Idea based on libtiff-CVE-2016-3990.patch from #+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and #+ simpler check. (bugzilla #2544) #+ #+2016-08-15 Even Rouault #+ # * tools/tiff2rgba.c: Fix integer overflow in size of allocated # buffer, when -b mode is enabled, that could result in out-of-bounds # write. Based initially on patch tiff-CVE-2016-3945.patch from # libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for #- invalid tests that rejected valid files. #+ invalid tests that rejected valid files. (bugzilla #2545) # # 2016-07-11 Even Rouault # Index: tiff-4.0.3/libtiff/tif_pixarlog.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2017-02-24 12:51:35.805203209 -0500 +++ tiff-4.0.3/libtiff/tif_pixarlog.c 2017-02-24 12:51:35.801203151 -0500 
@@ -1123,6 +1123,13 @@ } llen = sp->stride * td->td_imagewidth; + /* Check against the number of elements (of size uint16) of sp->tbuf */ + if( n > td->td_rowsperstrip * llen ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Too many input bytes provided"); + return 0; + } for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { switch (sp->user_datafmt) { debian/patches/CVE-2016-5102.patch0000644000000000000000000000113213254740330013224 0ustar Description: fix overflow by make warning fatal Author: Marc Deslauriers Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2552 Index: tiff-4.0.3/tools/gif2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/gif2tiff.c 2018-03-22 10:42:29.906727638 -0400 +++ tiff-4.0.3/tools/gif2tiff.c 2018-03-22 10:42:29.906727638 -0400 @@ -383,6 +383,7 @@ exitloop: (long) (fill-raster)); fprintf(stderr, " instead of %ld bytes\n", (long) width*height); + return 0; } return status; } debian/patches/CVE-2013-4231.patch0000644000000000000000000000106612256047746013245 0ustar Description: Buffer overflow in gif2tiff Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450 Bug-Debian: http://bugs.debian.org/719303 Index: tiff-4.0.3/tools/gif2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-22 11:46:11.960846910 -0400 +++ tiff-4.0.3/tools/gif2tiff.c 2013-08-22 11:46:11.956846910 -0400 @@ -333,6 +333,8 @@ int status = 1; datasize = getc(infile); + if (datasize > 12) + return 0; clear = 1 << datasize; eoi = clear + 1; avail = clear + 2; debian/patches/CVE-2016-9535-2.patch0000644000000000000000000000361013054072603013403 0ustar From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001 
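Review bot: in the tools/gif2tiff.c hunk that adds `if (datasize > 12) return 0;`, `datasize` is taken straight from `getc(infile)`, which returns EOF (a negative value) on a truncated file. Assuming `datasize` is a signed int, which the hunk does not show, EOF passes the new test and reaches `clear = 1 << datasize;` with a negative shift count. Check the lower bound too, for example `if (datasize < 0 || datasize > 12)`.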
From: erouault Date: Fri, 4 Nov 2016 09:19:13 +0000 Subject: [PATCH] * libtiff/tif_predic.c: fix memory leaks in error code paths added in previous commit (fix for MSVR 35105) --- ChangeLog | 5 +++++ libtiff/tif_predict.c | 8 ++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 0379c3b..48fb75d 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,8 @@ #+2016-11-04 Even Rouault #+ #+ * libtiff/tif_predic.c: fix memory leaks in error code paths added in #+ previous commit (fix for MSVR 35105) #+ # 2016-10-31 Even Rouault # # * libtiff/tif_predict.h, libtiff/tif_predict.c: Index: tiff-4.0.3/libtiff/tif_predict.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_predict.c 2017-02-24 13:03:45.460467833 -0500 +++ tiff-4.0.3/libtiff/tif_predict.c 2017-02-24 13:03:45.460467833 -0500 @@ -414,7 +414,7 @@ tmsize_t wc = cc / bps; tmsize_t count = cc; uint8 *cp = (uint8 *) cp0; - uint8 *tmp = (uint8 *)_TIFFmalloc(cc); + uint8 *tmp; if(cc%(bps*stride)!=0) { @@ -423,6 +423,7 @@ return 0; } + tmp = (uint8 *)_TIFFmalloc(cc); if (!tmp) return 0; @@ -618,7 +619,7 @@ tmsize_t wc = cc / bps; tmsize_t count; uint8 *cp = (uint8 *) cp0; - uint8 *tmp = (uint8 *)_TIFFmalloc(cc); + uint8 *tmp; if((cc%(bps*stride))!=0) { @@ -626,6 +627,8 @@ "%s", "(cc%(bps*stride))!=0"); return 0; } + + tmp = (uint8 *)_TIFFmalloc(cc); if (!tmp) return 0; @@ -700,6 +703,7 @@ { TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile", "%s", "(cc0%rowsize)!=0"); + _TIFFfree( working_copy ); return 0; } while (cc > 0) { debian/patches/CVE-2017-7601.patch0000644000000000000000000000336213254204041013234 0ustar From 0a76a8c765c7b8327c59646284fa78c3c27e5490 Mon Sep 17 00:00:00 2001 
From: erouault Date: Wed, 11 Jan 2017 16:13:50 +0000 Subject: [PATCH] * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift exponent. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 --- ChangeLog | 6 ++++++ libtiff/tif_jpeg.c | 7 +++++++ 2 files changed, 13 insertions(+) #diff --git a/ChangeLog b/ChangeLog #index 65176404..8e202a2c 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,9 @@ #+2017-01-11 Even Rouault #+ #+ * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid #+ undefined behaviour caused by invalid shift exponent. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 #+ # 2017-01-11 Even Rouault # # * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings Index: tiff-4.0.3/libtiff/tif_jpeg.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_jpeg.c 2018-03-20 09:09:51.155104239 -0400 +++ tiff-4.0.3/libtiff/tif_jpeg.c 2018-03-20 09:09:51.151104232 -0400 @@ -1531,6 +1531,13 @@ JPEGSetupEncode(TIFF* tif) "Invalig horizontal/vertical sampling value"); return (0); } + if( td->td_bitspersample > 16 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "BitsPerSample %d not allowed for JPEG", + td->td_bitspersample); + return (0); + } /* * A ReferenceBlackWhite field *must* be present since the debian/patches/CVE-2014-81xx-9.patch0000644000000000000000000000202412505326631013614 0ustar Backport of: From 77837423c3a125a3b39ddae246ff904f437cf845 Mon Sep 17 00:00:00 2001 
From: bfriesen Date: Mon, 22 Dec 2014 02:52:38 +0000 Subject: [PATCH] * tools/tiffdump.c: Guard against arithmetic overflow when calculating allocation buffer sizes. --- ChangeLog | 5 +++++ tools/tiffdump.c | 21 ++++++++++++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) Index: tiff-4.0.3/tools/tiffdump.c =================================================================== --- tiff-4.0.3.orig/tools/tiffdump.c 2015-01-29 09:36:19.521556646 -0500 +++ tiff-4.0.3/tools/tiffdump.c 2015-01-29 09:36:19.521556646 -0500 @@ -34,6 +34,8 @@ # include #endif +#include "tiffiop.h" + #ifdef HAVE_FCNTL_H # include #endif @@ -303,7 +305,7 @@ dircount = (uint16)dircount64; direntrysize = 20; } - dirmem = _TIFFmalloc(dircount * direntrysize); + dirmem = _TIFFmalloc(TIFFSafeMultiply(tmsize_t,dircount,direntrysize)); if (dirmem == NULL) { Fatal("No space for TIFF directory"); goto done; debian/patches/CVE-2016-10266.patch0000644000000000000000000000515713254203571013327 0ustar From 438274f938e046d33cb0e1230b41da32ffe223e1 Mon Sep 17 00:00:00 2001 
From: erouault Date: Fri, 2 Dec 2016 21:56:56 +0000 Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer division by zero. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 --- ChangeLog | 7 +++++++ libtiff/tif_read.c | 2 +- libtiff/tiffiop.h | 4 ++++ 3 files changed, 12 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 46a5d7c5..668b66ad 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2016-12-02 Even Rouault #+ #+ * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in #+ TIFFReadEncodedStrip() that caused an integer division by zero. #+ Reported by Agostino Sarubbo. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 #+ # 2016-11-20 Even Rouault # # * libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to Index: tiff-4.0.3/libtiff/tif_read.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_read.c 2018-03-20 09:07:03.286726141 -0400 +++ tiff-4.0.3/libtiff/tif_read.c 2018-03-20 09:07:03.286726141 -0400 @@ -344,7 +344,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 s rowsperstrip=td->td_rowsperstrip; if (rowsperstrip>td->td_imagelength) rowsperstrip=td->td_imagelength; - stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); + stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); stripinplane=(strip%stripsperplane); plane=(strip/stripsperplane); rows=td->td_imagelength-stripinplane*rowsperstrip; Index: tiff-4.0.3/libtiff/tiffiop.h =================================================================== --- tiff-4.0.3.orig/libtiff/tiffiop.h 2018-03-20 09:07:03.286726141 -0400 +++ tiff-4.0.3/libtiff/tiffiop.h 2018-03-20 09:07:03.286726141 -0400 
@@ -244,6 +244,10 @@ struct tiff { #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ 0U) +/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ +/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ +#define TIFFhowmany_32_maxuint_compat(x, y) \ + (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) debian/patches/CVE-2017-7593.patch0000644000000000000000000000712613254203735013261 0ustar Backport of: From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001 
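Review bot: `TIFFhowmany_32_maxuint_compat(x, y)` in the libtiff/tiffiop.h hunk divides and takes the remainder by `y` with no guard for `y == 0`, and its caller in TIFFReadEncodedStrip() passes `rowsperstrip` right after clamping it to `td->td_imagelength`. If that length can be 0, the macro itself divides by zero, and a zero result would do the same at `strip%stripsperplane`. Either reject a zero `rowsperstrip` before the call or extend the macro's "Caution" comment to state that `y` must be non-zero.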
From: erouault Date: Wed, 11 Jan 2017 19:02:49 +0000 Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc() * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero initialize tif_rawdata. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 --- ChangeLog | 8 ++++++++ libtiff/tif_read.c | 4 +++- libtiff/tif_unix.c | 8 ++++++++ libtiff/tif_vms.c | 8 ++++++++ libtiff/tif_win32.c | 8 ++++++++ libtiff/tiffio.h | 1 + 6 files changed, 36 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 6a342e5e..abd75d75 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,11 @@ #+2017-01-11 Even Rouault #+ #+ * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc() #+ #+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero #+ initialize tif_rawdata. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 #+ # 2017-01-11 Even Rouault # # * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to Index: tiff-4.0.3/libtiff/tif_read.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_read.c 2018-03-20 09:07:45.762825034 -0400 +++ tiff-4.0.3/libtiff/tif_read.c 2018-03-20 09:08:36.094939256 -0400 
@@ -935,7 +935,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64((uint64)size, 1024); if (tif->tif_rawdatasize==0) tif->tif_rawdatasize=(tmsize_t)(-1); - tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize); + /* Initialize to zero to avoid uninitialized buffers in case of */ + /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */ + tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); tif->tif_flags |= TIFF_MYBUFFER; } if (tif->tif_rawdata == NULL) { Index: tiff-4.0.3/libtiff/tif_unix.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_unix.c 2018-03-20 09:07:45.762825034 -0400 +++ tiff-4.0.3/libtiff/tif_unix.c 2018-03-20 09:07:45.762825034 -0400 @@ -263,6 +263,14 @@ _TIFFmalloc(tmsize_t s) return (malloc((size_t) s)); } +void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) +{ + if( nmemb == 0 || siz == 0 ) + return ((void *) NULL); + + return calloc((size_t) nmemb, (size_t)siz); +} + void _TIFFfree(void* p) { Index: tiff-4.0.3/libtiff/tif_win32.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_win32.c 2018-03-20 09:07:45.762825034 -0400 +++ tiff-4.0.3/libtiff/tif_win32.c 2018-03-20 09:07:45.762825034 -0400 @@ -335,6 +335,14 @@ _TIFFmalloc(tmsize_t s) return (malloc((size_t) s)); } +void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) +{ + if( nmemb == 0 || siz == 0 ) + return ((void *) NULL); + + return calloc((size_t) nmemb, (size_t)siz); +} + void _TIFFfree(void* p) { Index: tiff-4.0.3/libtiff/tiffio.h =================================================================== --- tiff-4.0.3.orig/libtiff/tiffio.h 2018-03-20 09:07:45.762825034 -0400 +++ tiff-4.0.3/libtiff/tiffio.h 2018-03-20 09:07:45.762825034 -0400 
@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODEC */ extern void* _TIFFmalloc(tmsize_t s); +extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); extern void* _TIFFrealloc(void* p, tmsize_t s); extern void _TIFFmemset(void* p, int v, tmsize_t c); extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); debian/patches/CVE-2016-3623.patch0000644000000000000000000000312613054071211013230 0ustar From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001 From: erouault Date: Mon, 15 Aug 2016 21:26:56 +0000 Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569) --- ChangeLog | 5 +++++ tools/rgb2ycbcr.c | 4 ++++ 2 files changed, 9 insertions(+) #diff --git a/ChangeLog b/ChangeLog #index 5d60608..3e6642a 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,10 @@ # 2016-08-15 Even Rouault # #+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to #+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569) #+ #+2016-08-15 Even Rouault #+ # * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). # From patch libtiff-CVE-2016-3991.patch from # libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) Index: tiff-4.0.3/tools/rgb2ycbcr.c =================================================================== --- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2017-02-24 12:51:03.788744250 -0500 +++ tiff-4.0.3/tools/rgb2ycbcr.c 2017-02-24 12:51:03.784744192 -0500 @@ -93,9 +93,13 @@ break; case 'h': horizSubSampling = atoi(optarg); + if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 ) + usage(-1); break; case 'v': vertSubSampling = atoi(optarg); + if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 ) + usage(-1); break; case 'r': rowsperstrip = atoi(optarg); debian/patches/CVE-2016-10269.patch0000644000000000000000000001165313254203612013324 0ustar Backport of: 
From 1044b43637fa7f70fb19b93593777b78bd20da86 Mon Sep 17 00:00:00 2001 From: erouault Date: Fri, 2 Dec 2016 23:05:51 +0000 Subject: [PATCH] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer overflow on generation of PixarLog / LUV compressed files, with ColorMap, TransferFunction attached and nasty plays with bitspersample. The fix for LUV has not been tested, but suffers from the same kind of issue of PixarLog. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 --- ChangeLog | 10 ++++++++++ libtiff/tif_luv.c | 18 ++++++++++++++---- libtiff/tif_pixarlog.c | 17 +++++++++++++++-- 3 files changed, 39 insertions(+), 6 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 0f154d66..93c01f80 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,13 @@ #+2016-12-03 Even Rouault #+ #+ * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer #+ overflow on generation of PixarLog / LUV compressed files, with #+ ColorMap, TransferFunction attached and nasty plays with bitspersample. #+ The fix for LUV has not been tested, but suffers from the same kind #+ of issue of PixarLog. #+ Reported by Agostino Sarubbo. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 #+ # 2016-12-02 Even Rouault # # * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that Index: tiff-4.0.3/libtiff/tif_luv.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_luv.c 2018-03-20 09:07:21.290768351 -0400 +++ tiff-4.0.3/libtiff/tif_luv.c 2018-03-20 09:07:21.286768342 -0400 @@ -158,6 +158,7 @@ typedef struct logLuvState LogLuvState; struct logLuvState { + int encoder_state; /* 1 if encoder correctly initialized */ int user_datafmt; /* user data format */ int encode_meth; /* encoding method */ int pixel_size; /* bytes per pixel */ 
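Review bot: the new `encoder_state` member is commented as `1 if encoder correctly initialized`, but in LogLuvSetupEncode() the assignment `sp->encoder_state = 1;` sits after the switch whose error branch (the one reporting "must be either LogLUV or LogL") ends in `break`, so that branch also sets the flag and returns 1. Make the error branch leave without setting the flag, and confirm the state struct is zero-filled at allocation, since no visible hunk initialises the member to 0.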
@@ -1522,6 +1523,7 @@ LogLuvSetupEncode(TIFF* tif) td->td_photometric, "must be either LogLUV or LogL"); break; } + sp->encoder_state = 1; return (1); notsupported: TIFFErrorExt(tif->tif_clientdata, module, @@ -1533,19 +1535,27 @@ notsupported: static void LogLuvClose(TIFF* tif) { + LogLuvState* sp = (LogLuvState*) tif->tif_data; TIFFDirectory *td = &tif->tif_dir; + assert(sp != 0); /* * For consistency, we always want to write out the same * bitspersample and sampleformat for our TIFF file, * regardless of the data format being used by the application. * Since this routine is called after tags have been set but * before they have been recorded in the file, we reset them here. + * Note: this is really a nasty approach. See PixarLogClose */ - td->td_samplesperpixel = - (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; - td->td_bitspersample = 16; - td->td_sampleformat = SAMPLEFORMAT_INT; + if( sp->encoder_state ) + { + /* See PixarLogClose. Might avoid issues with tags whose size depends + * on those below, but not completely sure this is enough. */ + td->td_samplesperpixel = + (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; + td->td_bitspersample = 16; + td->td_sampleformat = SAMPLEFORMAT_INT; + } } static void Index: tiff-4.0.3/libtiff/tif_pixarlog.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2018-03-20 09:07:21.290768351 -0400 +++ tiff-4.0.3/libtiff/tif_pixarlog.c 2018-03-20 09:07:21.286768342 -0400 @@ -1215,8 +1215,10 @@ PixarLogPostEncode(TIFF* tif) static void PixarLogClose(TIFF* tif) { + PixarLogState* sp = (PixarLogState*) tif->tif_data; TIFFDirectory *td = &tif->tif_dir; + assert(sp != 0); /* In a really sneaky (and really incorrect, and untruthfull, and * troublesome, and error-prone) maneuver that completely goes against * the spirit of TIFF, and breaks TIFF, on close, we covertly 
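Review bot: `assert(sp != 0);` in PixarLogClose() (and the same line added to LogLuvClose()) is compiled out when NDEBUG is defined, so release builds go straight to the `sp->state&PLSTATE_INIT` test in the next hunk. If `tif->tif_data` can be NULL when the close hook runs, use an explicit `if (sp == NULL) return;` instead; if it cannot, a one-line comment saying why is enough.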
@@ -1225,8 +1227,19 @@ PixarLogClose(TIFF* tif) * readers that don't know about PixarLog, or how to set * the PIXARLOGDATFMT pseudo-tag. */ - td->td_bitspersample = 8; - td->td_sampleformat = SAMPLEFORMAT_UINT; + + if (sp->state&PLSTATE_INIT) { + /* We test the state to avoid an issue such as in + * http://bugzilla.maptools.org/show_bug.cgi?id=2604 + * What appends in that case is that the bitspersample is 1 and + * a TransferFunction is set. The size of the TransferFunction + * depends on 1<td_bitspersample = 8; + td->td_sampleformat = SAMPLEFORMAT_UINT; + } } static void debian/patches/CVE-2014-81xx-4.patch0000644000000000000000000000222512505326605013613 0ustar From cd82b5267ad4c10eb91e4ee8a716a81362cf851c Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 21 Dec 2014 18:07:48 +0000 Subject: [PATCH] * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) --- ChangeLog | 5 +++++ libtiff/tif_next.c | 17 +++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c index a53c716..d834196 100644 --- a/libtiff/tif_next.c +++ b/libtiff/tif_next.c 
@@ -141,10 +141,27 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) return (0); } +static int +NeXTPreDecode(TIFF* tif, uint16 s) +{ + static const char module[] = "NeXTPreDecode"; + TIFFDirectory *td = &tif->tif_dir; + (void)s; + + if( td->td_bitspersample != 2 ) + { + TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", + td->td_bitspersample); + return (0); + } + return (1); +} + int TIFFInitNeXT(TIFF* tif, int scheme) { (void) scheme; + tif->tif_predecode = NeXTPreDecode; tif->tif_decoderow = NeXTDecode; tif->tif_decodestrip = NeXTDecode; tif->tif_decodetile = NeXTDecode; debian/patches/CVE-2014-8128-5.patch0000644000000000000000000000240312505326670013406 0ustar Description: fix out-of-bounds write in thumbnail and tiffcmp tools Author: Petr Gajdos (pgajdos@suse.cz) Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2499 --- tiff-4.0.3.orig/libtiff/tif_dirinfo.c +++ tiff-4.0.3/libtiff/tif_dirinfo.c 
@@ -141,6 +141,8 @@ tiffFields[] = { { TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL }, { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, + { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL }, /* begin DNG tags */ { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL }, debian/patches/CVE-2017-9404.patch0000644000000000000000000000470113254204067013245 0ustar From e9bd1b06fe25219cf0873fca70e46f01843fd9f4 Mon Sep 17 00:00:00 2001 
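Review bot: the patch Description says it fixes an out-of-bounds write in the thumbnail and tiffcmp tools, but the only hunk adds `TIFFTAG_CONSECUTIVEBADFAXLINES` and `TIFFTAG_PREDICTOR` entries to `tiffFields[]` in libtiff/tif_dirinfo.c. Add a sentence to the Description, or a comment above the two entries, explaining how registering these tags in the library closes the write in the tools, so the entries are not dropped later as unrelated.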
From: erouault Date: Thu, 27 Apr 2017 17:29:26 +0000 Subject: [PATCH] =?UTF-8?q?*=20libtiff/tif=5Fojpeg.c:=20fix=20potential=20?= =?UTF-8?q?memory=20leak=20in=20OJPEGReadHeaderInfoSecTablesQTable,=20OJPE?= =?UTF-8?q?GReadHeaderInfoSecTablesDcTable=20and=20OJPEGReadHeaderInfoSecT?= =?UTF-8?q?ablesAcTable=20Patch=20by=20Nicol=C3=A1s=20Pe=C3=B1a.=20Fixes?= =?UTF-8?q?=20http://bugzilla.maptools.org/show=5Fbug.cgi=3Fid=3D2670?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ChangeLog | 11 ++++++++++- libtiff/tif_ojpeg.c | 6 ++++++ 2 files changed, 16 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index 11639b98..cb25b006 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,4 +1,13 @@ #-2017-04-27 #+2017-04-27 Even Rouault #+ #+ * libtiff/tif_ojpeg.c: fix potential memory leak in #+ OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable #+ and OJPEGReadHeaderInfoSecTablesAcTable #+ Patch by Nicolás Peña. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670 #+ #+2017-04-27 Even Rouault #+ # * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD # mode (ie default) when there is both a StripOffsets and # TileOffsets tag, or a StripByteCounts and TileByteCounts Index: tiff-4.0.3/libtiff/tif_ojpeg.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_ojpeg.c 2018-03-20 09:10:13.579152400 -0400 +++ tiff-4.0.3/libtiff/tif_ojpeg.c 2018-03-20 09:10:13.575152391 -0400 @@ -1783,6 +1783,8 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* _TIFFfree(ob); return(0); } + if (sp->qtable[m]!=0) + _TIFFfree(sp->qtable[m]); sp->qtable[m]=ob; sp->sof_tq[m]=m; } @@ -1850,6 +1852,8 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF _TIFFfree(rb); return(0); } + if (sp->dctable[m]!=0) + _TIFFfree(sp->dctable[m]); sp->dctable[m]=rb; sp->sos_tda[m]=(m<<4); } 
@@ -1917,6 +1921,8 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF _TIFFfree(rb); return(0); } + if (sp->actable[m]!=0) + _TIFFfree(sp->actable[m]); sp->actable[m]=rb; sp->sos_tda[m]=(sp->sos_tda[m]|m); } debian/patches/CVE-2017-7602.patch0000644000000000000000000000452713254204045013245 0ustar Backport of: From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001 From: erouault Date: Wed, 11 Jan 2017 16:33:34 +0000 Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 --- ChangeLog | 6 ++++++ libtiff/tif_read.c | 27 ++++++++++++++++++--------- 2 files changed, 24 insertions(+), 9 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 8e202a2c..3e314644 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,9 @@ #+2017-01-11 Even Rouault #+ #+ * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer #+ addition in TIFFReadRawStrip1() in isMapped() case. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 #+ # 2017-01-11 Even Rouault # # * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid Index: tiff-4.0.6/libtiff/tif_read.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_read.c 2018-03-20 07:49:58.232376024 -0400 +++ tiff-4.0.6/libtiff/tif_read.c 2018-03-20 07:49:58.232376024 -0400 
@@ -400,16 +400,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 stri return ((tmsize_t)(-1)); } } else { - tmsize_t ma,mb; + tmsize_t ma = 0; tmsize_t n; - ma=(tmsize_t)td->td_stripoffset[strip]; - mb=ma+size; - if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) - n=0; - else if ((mbtif->tif_size)) - n=tif->tif_size-ma; - else - n=size; + if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| + ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size)) + { + n=0; + } + else if( ma > TIFF_TMSIZE_T_MAX - size ) + { + n=0; + } + else + { + tmsize_t mb=ma+size; + if (mb>tif->tif_size) + n=tif->tif_size-ma; + else + n=size; + } if (n!=size) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, debian/patches/CVE-2018-7456.patch0000644000000000000000000001514113420116013013237 0ustar Backport of: From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001 
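Review bot: the new guard `ma > TIFF_TMSIZE_T_MAX - size` in TIFFReadRawStrip1() is only overflow-free when `size` is non-negative; with a negative `size` the subtraction is itself a signed overflow. The hunk does not show `size` being validated, so either test `size < 0` first or note in a comment that callers guarantee it. The Index and ---/+++ paths here also say tiff-4.0.6 while the neighbouring patches are against tiff-4.0.3; normalising them would make the backport's base unambiguous.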
From: Hugo Lefeuvre Date: Sun, 8 Apr 2018 14:07:08 -0400 Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory The TIFFPrintDirectory function relies on the following assumptions, supposed to be guaranteed by the specification: (a) A Transfer Function field is only present if the TIFF file has photometric type < 3. (b) If SamplesPerPixel > Color Channels, then the ExtraSamples field has count SamplesPerPixel - (Color Channels) and contains information about supplementary channels. While respect of (a) and (b) are essential for the well functioning of TIFFPrintDirectory, no checks are realized neither by the callee nor by TIFFPrintDirectory itself. Hence, following scenarios might happen and trigger the NULL pointer dereference: (1) TIFF File of photometric type 4 or more has illegal Transfer Function field. (2) TIFF File has photometric type 3 or less and defines a SamplesPerPixel field such that SamplesPerPixel > Color Channels without defining all extra samples in the ExtraSamples fields. In this patch, we address both issues with respect of the following principles: (A) In the case of (1), the defined transfer table should be printed safely even if it isn't 'legal'. This allows us to avoid expensive checks in TIFFPrintDirectory. Also, it is quite possible that an alternative photometric type would be developed (not part of the standard) and would allow definition of Transfer Table. We want libtiff to be able to handle this scenario out of the box. (B) In the case of (2), the transfer table should be printed at its right size, that is if TIFF file has photometric type Palette then the transfer table should have one row and not three, even if two extra samples are declared. In order to fulfill (A) we simply add a new 'i < 3' end condition to the broken TIFFPrintDirectory loop. This makes sure that in any case where (b) would be respected but not (a), everything stays fine. 
(B) is fulfilled by the loop condition 'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as long as (b) is respected. Naturally, we also make sure (b) is respected. This is done in the TIFFReadDirectory function by making sure any non-color channel is counted in ExtraSamples. This commit addresses CVE-2018-7456. --- libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++ libtiff/tif_print.c | 2 +- 2 files changed, 63 insertions(+), 1 deletion(-) Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2019-01-17 10:14:57.470035110 -0500 +++ tiff-4.0.3/libtiff/tif_dirread.c 2019-01-17 10:15:09.818088110 -0500 @@ -166,6 +166,7 @@ static int TIFFFetchStripThing(TIFF* tif static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); static void ChopUpSingleUncompressedStrip(TIFF*); static uint64 TIFFReadUInt64(const uint8 *value); +static int _TIFFGetMaxColorChannels(uint16 photometric); typedef union _UInt64Aligned_t { @@ -3509,6 +3510,34 @@ static void TIFFReadDirEntryOutputErr(TI } /* + * Return the maximum number of color channels specified for a given photometric + * type. 0 is returned if photometric type isn't supported or no default value + * is defined by the specification. + */ +static int _TIFFGetMaxColorChannels( uint16 photometric ) +{ + switch (photometric) { + case PHOTOMETRIC_PALETTE: + case PHOTOMETRIC_MINISWHITE: + case PHOTOMETRIC_MINISBLACK: + return 1; + case PHOTOMETRIC_YCBCR: + case PHOTOMETRIC_RGB: + case PHOTOMETRIC_CIELAB: + return 3; + case PHOTOMETRIC_SEPARATED: + case PHOTOMETRIC_MASK: + return 4; + case PHOTOMETRIC_LOGL: + case PHOTOMETRIC_LOGLUV: + case PHOTOMETRIC_ITULAB: + case PHOTOMETRIC_ICCLAB: + default: + return 0; + } +} + +/* * Read the next TIFF directory from a file and convert it to the internal * format. We read directories sequentially. */ 
@@ -3524,6 +3553,7 @@ TIFFReadDirectory(TIFF* tif) uint32 fii=FAILED_FII; toff_t nextdiroff; int bitspersample_read = FALSE; + int color_channels; tif->tif_diroff=tif->tif_nextdiroff; if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) @@ -4013,6 +4043,37 @@ TIFFReadDirectory(TIFF* tif) } } } + + /* + * Make sure all non-color channels are extrasamples. + * If it's not the case, define them as such. + */ + color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); + if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { + uint16 old_extrasamples; + uint16 *new_sampleinfo; + + TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " + "color channels and ExtraSamples doesn't match SamplesPerPixel. " + "Defining non-color channels as ExtraSamples."); + + old_extrasamples = tif->tif_dir.td_extrasamples; + tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); + + // sampleinfo should contain information relative to these new extra samples + new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); + if (!new_sampleinfo) { + TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " + "temporary new sampleinfo array (%d 16 bit elements)", + tif->tif_dir.td_extrasamples); + goto bad; + } + + memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } + /* * Verify Palette image has a Colormap. */ Index: tiff-4.0.3/libtiff/tif_print.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_print.c 2019-01-17 10:14:57.470035110 -0500 +++ tiff-4.0.3/libtiff/tif_print.c 2019-01-17 10:14:57.470035110 -0500 
@@ -541,7 +541,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, for (l = 0; l < n; l++) { fprintf(fd, " %2lu: %5u", l, td->td_transferfunction[0][l]); - for (i = 1; i < td->td_samplesperpixel; i++) + for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) fprintf(fd, " %5u", td->td_transferfunction[i][l]); fputc('\n', fd); debian/patches/CVE-2018-12900-1.patch0000644000000000000000000000232713441511012013446 0ustar From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Mon, 11 Feb 2019 10:05:33 +0100 Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow fixes bug 2833 --- tools/tiffcp.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) Index: tiff-4.0.3/tools/tiffcp.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcp.c 2019-03-11 12:51:20.601012714 -0400 +++ tiff-4.0.3/tools/tiffcp.c 2019-03-11 12:51:20.601012714 -0400 @@ -1386,7 +1386,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf int status = 1; uint32 imagew = TIFFRasterScanlineSize(in); uint32 tilew = TIFFTileRowSize(in); - int iskew = imagew - tilew*spp; + int iskew; tsize_t tilesize = TIFFTileSize(in); tdata_t tilebuf; uint8* bufp = (uint8*) buf; @@ -1394,6 +1394,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuf uint32 row; uint16 bps, bytes_per_sample; + if (spp > (0x7fffffff / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; + } + iskew = imagew - tilew*spp; tilebuf = _TIFFmalloc(tilesize); if (tilebuf == 0) return 0; debian/patches/CVE-2014-81xx-5.patch0000644000000000000000000000561212505326611013614 0ustar From 8b6e80fca434525497e5a31c3309a3bab5b3c1c8 Mon Sep 17 00:00:00 2001 
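Review bot: in the TIFFReadDirectory() hunk for libtiff/tif_dirread.c (CVE-2018-7456), `memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));` runs even when old_extrasamples is 0, and if td_sampleinfo is still NULL at that point a NULL source pointer is passed to memcpy, which is undefined even for a zero length. Guard the copy with `if (old_extrasamples > 0)`. Two smaller points in the same hunk: the `//` comment is out of line with the `/* */` comments used in the rest of the patch, and the TIFFErrorExt() call formats the uint16 td_extrasamples with `%d`, which works through integer promotion but `%u` states the intent.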
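Review bot: in the readSeparateTilesIntoBuffer hunk for tools/tiffcp.c (CVE-2018-12900-1), the new check `if (spp > (0x7fffffff / tilew))` divides by tilew, which is taken straight from TIFFTileRowSize(in) a few lines above with no test for zero, so a file for which that call returns 0 turns the overflow check into a division by zero. Test tilew == 0 first and fail the same way. The constant 0x7fffffff could also be written as INT_MAX so the bound visibly matches the int type of iskew, and the error text would read better as "that many samples per tile row".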
From: erouault Date: Sun, 21 Dec 2014 18:52:42 +0000 Subject: [PATCH] * tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) --- ChangeLog | 7 +++++++ tools/thumbnail.c | 21 ++++++++++++++++++++- tools/tiffcmp.c | 17 +++++++++++++++-- 3 files changed, 42 insertions(+), 3 deletions(-) diff --git a/tools/thumbnail.c b/tools/thumbnail.c index a98a881..fab63f6 100644 --- a/tools/thumbnail.c +++ b/tools/thumbnail.c @@ -274,7 +274,26 @@ cpTags(TIFF* in, TIFF* out) { struct cpTag *p; for (p = tags; p < &tags[NTAGS]; p++) - cpTag(in, out, p->tag, p->count, p->type); + { + /* Horrible: but TIFFGetField() expects 2 arguments to be passed */ + /* if we request a tag that is defined in a codec, but that codec */ + /* isn't used */ + if( p->tag == TIFFTAG_GROUP3OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX3 ) + continue; + } + if( p->tag == TIFFTAG_GROUP4OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX4 ) + continue; + } + cpTag(in, out, p->tag, p->count, p->type); + } } #undef NTAGS diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c index 508a461..d6392af 100644 --- a/tools/tiffcmp.c +++ b/tools/tiffcmp.c @@ -260,6 +260,7 @@ tiffcmp(TIFF* tif1, TIFF* tif2) static int cmptags(TIFF* tif1, TIFF* tif2) { + uint16 compression1, compression2; CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType"); CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth"); CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength"); 
@@ -276,8 +277,20 @@ cmptags(TIFF* tif1, TIFF* tif2) CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat"); CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution"); CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution"); - CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); - CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); + if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && + compression1 == COMPRESSION_CCITTFAX3 && + TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && + compression2 == COMPRESSION_CCITTFAX3 ) + { + CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); + } + if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && + compression1 == COMPRESSION_CCITTFAX4 && + TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && + compression2 == COMPRESSION_CCITTFAX4 ) + { + CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); + } CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit"); CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration"); CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip"); debian/patches/CVE-2016-3658.patch0000644000000000000000000001244713054071232013251 0ustar From 45c68450bef8ad876f310b495165c513cad8b67d Mon Sep 17 00:00:00 2001 
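Review bot: in the cmptags() hunk of tools/tiffcmp.c (CVE-2014-81xx-5), the Compression tag is fetched with four TIFFGetField() calls spread over the two new if blocks. Read compression1 and compression2 once after their declaration and branch on the stored values; that also makes it visible that the Group3Options and Group4Options comparisons are skipped without any message when only one of the two files uses the matching CCITT codec, which deserves a comment. The same lookup is repeated per tag inside the loop in cpTags() in tools/thumbnail.c and can be hoisted above the for.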
From: erouault Date: Tue, 25 Oct 2016 21:35:15 +0000 Subject: [PATCH] * libtiff/tif_dir.c: discard values of SMinSampleValue and SMaxSampleValue when they have been read and the value of SamplesPerPixel is changed afterwards (like when reading a OJPEG compressed image with a missing SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing SamplesPerPixel being 3). Otherwise when rewriting the directory (for example with tiffset, we will expect 3 values whereas the array had been allocated with just one), thus causing a out of bound read access. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127, duplicate: CVE-2016-3658) * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset when writing directory, if FIELD_STRIPOFFSETS was artificially set for a hack case in OJPEG case. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127, duplicate: CVE-2016-3658) --- ChangeLog | 19 +++++++++++++++++++ libtiff/tif_dir.c | 22 ++++++++++++++++++++++ libtiff/tif_dirwrite.c | 16 ++++++++++++++-- 3 files changed, 55 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index ae09b64..29941fc 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,24 @@ # 2016-10-25 Even Rouault # #+ * libtiff/tif_dir.c: discard values of SMinSampleValue and #+ SMaxSampleValue when they have been read and the value of #+ SamplesPerPixel is changed afterwards (like when reading a #+ OJPEG compressed image with a missing SamplesPerPixel tag, #+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel #+ being 3). Otherwise when rewriting the directory (for example #+ with tiffset, we will expect 3 values whereas the array had been #+ allocated with just one), thus causing a out of bound read access. 
#+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 #+ (CVE-2014-8127, duplicate: CVE-2016-3658) #+ #+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset #+ when writing directory, if FIELD_STRIPOFFSETS was artificially set #+ for a hack case in OJPEG case. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 #+ (CVE-2014-8127, duplicate: CVE-2016-3658) #+ #+2016-10-25 Even Rouault #+ # * tools/tiffinfo.c: fix out-of-bound read on some tiled images. # (http://bugzilla.maptools.org/show_bug.cgi?id=2517) # Index: tiff-4.0.3/libtiff/tif_dir.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dir.c 2017-02-24 12:51:19.900976159 -0500 +++ tiff-4.0.3/libtiff/tif_dir.c 2017-02-24 12:51:19.896976102 -0500 @@ -253,6 +253,28 @@ v = (uint16) va_arg(ap, uint16_vap); if (v == 0) goto badvalue; + if( v != td->td_samplesperpixel ) + { + /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */ + if( td->td_sminsamplevalue != NULL ) + { + TIFFWarningExt(tif->tif_clientdata,module, + "SamplesPerPixel tag value is changing, " + "but SMinSampleValue tag was read with a different value. Cancelling it"); + TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE); + _TIFFfree(td->td_sminsamplevalue); + td->td_sminsamplevalue = NULL; + } + if( td->td_smaxsamplevalue != NULL ) + { + TIFFWarningExt(tif->tif_clientdata,module, + "SamplesPerPixel tag value is changing, " + "but SMaxSampleValue tag was read with a different value. Cancelling it"); + TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE); + _TIFFfree(td->td_smaxsamplevalue); + td->td_smaxsamplevalue = NULL; + } + } td->td_samplesperpixel = (uint16) v; break; case TIFFTAG_ROWSPERSTRIP: Index: tiff-4.0.3/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirwrite.c 2017-02-24 12:51:19.900976159 -0500 +++ tiff-4.0.3/libtiff/tif_dirwrite.c 2017-02-24 12:51:19.896976102 -0500 
@@ -542,8 +542,20 @@ { if (!isTiled(tif)) { - if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) - goto bad; + /* td_stripoffset might be NULL in an odd OJPEG case. See + * tif_dirread.c around line 3634. + * XXX: OJPEG hack. + * If a) compression is OJPEG, b) it's not a tiled TIFF, + * and c) the number of strips is 1, + * then we tolerate the absence of stripoffsets tag, + * because, presumably, all required data is in the + * JpegInterchangeFormat stream. + * We can get here when using tiffset on such a file. + * See http://bugzilla.maptools.org/show_bug.cgi?id=2500 + */ + if (tif->tif_dir.td_stripoffset != NULL && + !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) + goto bad; } else { debian/patches/CVE-2012-4564.patch0000644000000000000000000000175212256047746013257 0ustar Index: tiff-4.0.3/tools/ppm2tiff.c =================================================================== --- tiff-4.0.3.orig/tools/ppm2tiff.c 2013-06-23 10:36:50.779629492 -0400 +++ tiff-4.0.3/tools/ppm2tiff.c 2013-06-23 10:36:50.775629494 -0400 @@ -89,6 +89,7 @@ int c; extern int optind; extern char* optarg; + tmsize_t scanline_size; if (argc < 2) { fprintf(stderr, "%s: Too few arguments\n", argv[0]); @@ -237,8 +238,16 @@ } if (TIFFScanlineSize(out) > linebytes) buf = (unsigned char *)_TIFFmalloc(linebytes); - else - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + else { + scanline_size = TIFFScanlineSize(out); + if (scanline_size != 0) + buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + else { + fprintf(stderr, "%s: scanline size overflow\n",infile); + (void) TIFFClose(out); + exit(-2); + } + } if (resolution > 0) { TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); debian/patches/CVE-2014-81xx-10.patch0000644000000000000000000000330012505326636013667 0ustar 
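Review bot: in the libtiff/tif_dirwrite.c hunk (CVE-2016-3658), the new comment sends the reader to "tif_dirread.c around line 3634", a line number that will not hold in any tree this patch is backported to; name the function or quote the "OJPEG hack" comment text there instead. The guard `tif->tif_dir.td_stripoffset != NULL &&` covers only the StripOffsets write shown here, so it is worth confirming that the StripByteCounts write outside the hunk cannot see a NULL array in the same OJPEG case. In the libtiff/tif_dir.c hunk the SMinSampleValue and SMaxSampleValue blocks are copies of each other and would be easier to keep in step as one small helper.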
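Review bot: in the second hunk of tools/ppm2tiff.c (CVE-2012-4564), scanline_size is assigned and tested against 0, but the allocation that follows still calls `_TIFFmalloc(TIFFScanlineSize(out))` instead of using the value that was just checked; pass scanline_size so the size that is validated is the size that is allocated. The `if (TIFFScanlineSize(out) > linebytes)` test above it makes a third call and could use the same variable, and neither branch checks the _TIFFmalloc() result in the lines shown.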
From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001 From: erouault Date: Tue, 23 Dec 2014 10:15:35 +0000 Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a uint64 value with <= 0 by casting it to int64 first. This solves crashing bug on corrupted images generated by afl. --- ChangeLog | 6 ++++++ libtiff/tif_read.c | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c index 2ba822a..dfc5b07 100644 --- a/libtiff/tif_read.c +++ b/libtiff/tif_read.c @@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) return ((tmsize_t)(-1)); } bytecount = td->td_stripbytecount[strip]; - if (bytecount <= 0) { + if ((int64)bytecount <= 0) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, "%I64u: Invalid strip byte count, strip %lu", @@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) if ((tif->tif_flags&TIFF_NOREADRAW)==0) { uint64 bytecount = td->td_stripbytecount[strip]; - if (bytecount <= 0) { + if ((int64)bytecount <= 0) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, "Invalid strip byte count %I64u, strip %lu", @@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) if ((tif->tif_flags&TIFF_NOREADRAW)==0) { uint64 bytecount = td->td_stripbytecount[tile]; - if (bytecount <= 0) { + if ((int64)bytecount <= 0) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, "%I64u: Invalid tile byte count, tile %lu", debian/patches/CVE-2014-81xx-11.patch0000644000000000000000000000465112505326642013677 0ustar From 147b2698c84004fe2da93c0fc7177a7c3797533d Mon Sep 17 00:00:00 2001 
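Review bot: in all three hunks of libtiff/tif_read.c (TIFFReadRawStrip, TIFFFillStrip, TIFFFillTile; CVE-2014-81xx-10), `(int64)bytecount <= 0` rejects both a zero count and any count with the top bit set, but it does so through a conversion of an out-of-range uint64 to int64, and nothing at the call sites says that large values are the target. Writing it as a zero test plus an explicit upper bound, or at least adding a comment that the cast is there to catch byte counts of 2^63 and above, would let the intent survive the next cleanup. The error messages keep the unsigned format, so a rejected count is logged as the large positive value it actually is.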
From: erouault Date: Mon, 2 Mar 2015 16:16:38 +0000 Subject: [PATCH] * tools/tiffdither.c: check memory allocations to avoid writing to NULL pointer. Also check multiplication overflow. Fixes #2501, CVE-2014-8128. Derived from patch by Petr Gajdos. --- ChangeLog | 6 ++++++ tools/tiffdither.c | 21 ++++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/tools/tiffdither.c b/tools/tiffdither.c index 1ca5729..8f862b6 100644 --- a/tools/tiffdither.c +++ b/tools/tiffdither.c @@ -39,6 +39,7 @@ #endif #include "tiffio.h" +#include "tiffiop.h" #define streq(a,b) (strcmp(a,b) == 0) #define strneq(a,b,n) (strncmp(a,b,n) == 0) @@ -56,7 +57,7 @@ static void usage(void); * Floyd-Steinberg error propragation with threshold. * This code is stolen from tiffmedian. */ -static void +static int fsdither(TIFF* in, TIFF* out) { unsigned char *outline, *inputline, *inptr; @@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out) int lastline, lastpixel; int bit; tsize_t outlinesize; + int errcode = 0; imax = imagelength - 1; jmax = imagewidth - 1; inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); - thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); - nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); + thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short))); + nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short))); outlinesize = TIFFScanlineSize(out); outline = (unsigned char *) _TIFFmalloc(outlinesize); + if (! (inputline && thisline && nextline && outline)) { + fprintf(stderr, "Out of memory.\n"); + goto skip_on_error; + } /* * Get first line @@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out) nextline = tmpptr; lastline = (i == imax); if (TIFFReadScanline(in, inputline, i, 0) <= 0) - break; + goto skip_on_error; inptr = inputline; nextptr = nextline; for (j = 0; j < imagewidth; ++j) 
@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out) } } if (TIFFWriteScanline(out, outline, i-1, 0) < 0) - break; + goto skip_on_error; } + goto exit_label; + skip_on_error: + errcode = 1; + exit_label: _TIFFfree(inputline); _TIFFfree(thisline); _TIFFfree(nextline); _TIFFfree(outline); + return errcode; } static uint16 compression = COMPRESSION_PACKBITS; debian/patches/CVE-2016-5318.patch0000644000000000000000000001704513254740344013254 0ustar From 4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 Mon Sep 17 00:00:00 2001 
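Review bot: fsdither() in tools/tiffdither.c (CVE-2014-81xx-11) now returns errcode, but none of the hunks shown changes a caller, so the new status is dropped unless main() is updated to test it and exit non-zero. In the allocation hunk, thisline and nextline go through TIFFSafeMultiply() while `_TIFFmalloc(TIFFScanlineSize(in))` and the outlinesize allocation take their sizes unchecked; the combined NULL test catches a failed allocation, but a scanline size of 0 is not rejected before the buffers are used. Including the private header tiffiop.h from a tool only to reach TIFFSafeMultiply also deserves a comment.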
From: erouault Date: Thu, 1 Jun 2017 12:44:04 +0000 Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), and use it in TIFFReadDirectory() so as to ignore fields whose tag is a codec-specified tag but this codec is not enabled. This avoids TIFFGetField() to behave differently depending on whether the codec is enabled or not, and thus can avoid stack based buffer overflows in a number of TIFF utilities such as tiffsplit, tiffcmp, thumbnail, etc. Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. Fixes: http://bugzilla.maptools.org/show_bug.cgi?id=2693 http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) http://bugzilla.maptools.org/show_bug.cgi?id=2441 http://bugzilla.maptools.org/show_bug.cgi?id=2433 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ChangeLog | 20 ++++++++++ libtiff/tif_dir.h | 1 + libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++ libtiff/tif_dirread.c | 4 ++ 4 files changed, 128 insertions(+) #diff --git a/ChangeLog b/ChangeLog #index 04881ba7..ebd1a3c0 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@
-1,3 +1,23 @@ #+2017-06-01 Even Rouault #+ #+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), #+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a #+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField() #+ to behave differently depending on whether the codec is enabled or not, and #+ thus can avoid stack based buffer overflows in a number of TIFF utilities #+ such as tiffsplit, tiffcmp, thumbnail, etc. #+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch #+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. #+ Fixes: #+ http://bugzilla.maptools.org/show_bug.cgi?id=2580 #+ http://bugzilla.maptools.org/show_bug.cgi?id=2693 #+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) #+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) #+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) #+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) #+ http://bugzilla.maptools.org/show_bug.cgi?id=2441 #+ http://bugzilla.maptools.org/show_bug.cgi?id=2433 #+ # 2017-05-29 Even Rouault # # * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for Index: tiff-4.0.3/libtiff/tif_dir.h =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dir.h 2018-03-22 10:42:41.922743055 -0400 +++ tiff-4.0.3/libtiff/tif_dir.h 2018-03-22 10:42:41.918743049 -0400 
@@ -291,6 +291,7 @@ struct _TIFFField { extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32); extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); +extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); #if defined(__cplusplus) } Index: tiff-4.0.3/libtiff/tif_dirinfo.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2018-03-22 10:42:41.922743055 -0400 +++ tiff-4.0.3/libtiff/tif_dirinfo.c 2018-03-22 10:42:41.918743049 -0400 
@@ -946,6 +946,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFF return 0; } +int +_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) +{ + /* Filter out non-codec specific tags */ + switch (tag) { + /* Shared tags */ + case TIFFTAG_PREDICTOR: + /* JPEG tags */ + case TIFFTAG_JPEGTABLES: + /* OJPEG tags */ + case TIFFTAG_JPEGIFOFFSET: + case TIFFTAG_JPEGIFBYTECOUNT: + case TIFFTAG_JPEGQTABLES: + case TIFFTAG_JPEGDCTABLES: + case TIFFTAG_JPEGACTABLES: + case TIFFTAG_JPEGPROC: + case TIFFTAG_JPEGRESTARTINTERVAL: + /* CCITT* */ + case TIFFTAG_BADFAXLINES: + case TIFFTAG_CLEANFAXDATA: + case TIFFTAG_CONSECUTIVEBADFAXLINES: + case TIFFTAG_GROUP3OPTIONS: + case TIFFTAG_GROUP4OPTIONS: + break; + default: + return 1; + } + /* Check if codec specific tags are allowed for the current + * compression scheme (codec) */ + switch (tif->tif_dir.td_compression) { + case COMPRESSION_LZW: + if (tag == TIFFTAG_PREDICTOR) + return 1; + break; + case COMPRESSION_PACKBITS: + /* No codec-specific tags */ + break; + case COMPRESSION_THUNDERSCAN: + /* No codec-specific tags */ + break; + case COMPRESSION_NEXT: + /* No codec-specific tags */ + break; + case COMPRESSION_JPEG: + if (tag == TIFFTAG_JPEGTABLES) + return 1; + break; + case COMPRESSION_OJPEG: + switch (tag) { + case TIFFTAG_JPEGIFOFFSET: + case TIFFTAG_JPEGIFBYTECOUNT: + case TIFFTAG_JPEGQTABLES: + case TIFFTAG_JPEGDCTABLES: + case TIFFTAG_JPEGACTABLES: + case TIFFTAG_JPEGPROC: + case TIFFTAG_JPEGRESTARTINTERVAL: + return 1; + } + break; + case COMPRESSION_CCITTRLE: + case COMPRESSION_CCITTRLEW: + case COMPRESSION_CCITTFAX3: + case COMPRESSION_CCITTFAX4: + switch (tag) { + case TIFFTAG_BADFAXLINES: + case TIFFTAG_CLEANFAXDATA: + case TIFFTAG_CONSECUTIVEBADFAXLINES: + return 1; + case TIFFTAG_GROUP3OPTIONS: + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) + return 1; + break; + case TIFFTAG_GROUP4OPTIONS: + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) + return 1; + break; + } + break; + case 
COMPRESSION_JBIG: + /* No codec-specific tags */ + break; + case COMPRESSION_DEFLATE: + case COMPRESSION_ADOBE_DEFLATE: + if (tag == TIFFTAG_PREDICTOR) + return 1; + break; + case COMPRESSION_PIXARLOG: + if (tag == TIFFTAG_PREDICTOR) + return 1; + break; + case COMPRESSION_SGILOG: + case COMPRESSION_SGILOG24: + /* No codec-specific tags */ + break; + case COMPRESSION_LZMA: + if (tag == TIFFTAG_PREDICTOR) + return 1; + break; + + } + return 0; +} + /* vim: set ts=8 sts=8 sw=8 noet: */ /* Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2018-03-22 10:42:41.922743055 -0400 +++ tiff-4.0.3/libtiff/tif_dirread.c 2018-03-22 10:42:41.922743055 -0400 @@ -3683,6 +3683,10 @@ TIFFReadDirectory(TIFF* tif) goto bad; dp->tdir_tag=IGNORE; break; + default: + if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) + dp->tdir_tag=IGNORE; + break; } } } debian/patches/CVE-2016-5321.patch0000644000000000000000000000307213054071040013225 0ustar From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001 From: erouault Date: Mon, 11 Jul 2016 21:26:03 +0000 Subject: [PATCH] * tools/tiffcrop.c: Avoid access outside of stack allocated array on a tiled separate TIFF with more than 8 samples per pixel. Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 (CVE-2016-5321, bugzilla #2558) --- ChangeLog | 7 +++++++ tools/tiffcrop.c | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index e98d54d..4e0302f 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2016-07-11 Even Rouault #+ #+ * tools/tiffcrop.c: Avoid access outside of stack allocated array #+ on a tiled separate TIFF with more than 8 samples per pixel. #+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 #+ (CVE-2016-5321, bugzilla #2558) #+ # 2016-07-10 Even Rouault # # * libtiff/tif_read.c: Fix out-of-bounds read on 
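Review bot: _TIFFCheckFieldIsValidForCodec() in the libtiff/tif_dirinfo.c hunk (CVE-2016-5318) has no header comment, and the one comment it opens with, "Filter out non-codec specific tags", sits directly above the list of codec-specific tags, so the first switch reads backwards until the `default: return 1;` is reached. Document the contract (1 means keep the field, 0 means the caller should mark it IGNORE) and reword that comment. The second switch has no default case, so for any compression value not listed every codec-specific tag falls through to `return 0`; that looks intended, but an explicit `default:` with a comment would say so and would flag the place to update when a codec is added. The function also reads tif->tif_dir.td_compression, so the new `default:` branch in TIFFReadDirectory() is only correct if the Compression tag has been processed before this loop runs, which the hunk does not show.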
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index d959ae3..6fc8fc1 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf, nrow = (row + tl > imagelength) ? imagelength - row : tl; for (col = 0; col < imagewidth; col += tw) { - for (s = 0; s < spp; s++) + for (s = 0; s < spp && s < MAX_SAMPLES; s++) { /* Read each plane of a tile set into srcbuffs[s] */ tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s); if (tbytes < 0 && !ignore) debian/patches/CVE-2017-18013.patch0000644000000000000000000000273013254204141013312 0ustar From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sun, 31 Dec 2017 15:09:41 +0100 Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770 --- libtiff/tif_print.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) Index: tiff-4.0.6/libtiff/tif_print.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_print.c 2018-03-20 08:00:20.716696938 -0400 +++ tiff-4.0.6/libtiff/tif_print.c 2018-03-20 08:00:20.716696938 -0400 
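Review bot: in the readSeparateTilesIntoBuffer hunk of tools/tiffcrop.c (CVE-2016-5321), `for (s = 0; s < spp && s < MAX_SAMPLES; s++)` stops the out-of-bounds access to srcbuffs[] but silently reads only the first MAX_SAMPLES planes of an image that declares more, and the rest of the function carries on with spp unchanged. Reject spp > MAX_SAMPLES with an error before the row loop, or at least emit a warning here, so that a truncated result is not returned as if it were complete.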
@@ -661,13 +661,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", (unsigned long) s, - (unsigned __int64) td->td_stripoffset[s], - (unsigned __int64) td->td_stripbytecount[s]); + td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, + td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); #else fprintf(fd, " %3lu: [%8llu, %8llu]\n", (unsigned long) s, - (unsigned long long) td->td_stripoffset[s], - (unsigned long long) td->td_stripbytecount[s]); + td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, + td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); #endif } } debian/patches/CVE-2017-11613-1.patch0000644000000000000000000000324213254741065013461 0ustar Backport of: From 3719385a3fac5cfb20b487619a5f08abbf967cf8 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sun, 11 Mar 2018 11:14:01 +0100 Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613) In ChopUpSingleUncompressedStrip(), if the computed number of strips is big enough and we are in read only mode, validate that the file size is consistent with that number of strips to avoid useless attempts at allocating a lot of memory for the td_stripbytecount and td_stripoffset arrays. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 --- libtiff/tif_dirread.c | 11 +++++++++++ 1 file changed, 11 insertions(+) Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2018-03-22 10:48:19.611188927 -0400 +++ tiff-4.0.3/libtiff/tif_dirread.c 2018-03-22 10:48:19.611188927 -0400 
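Review bot: in the TIFFPrintDirectory() hunk of libtiff/tif_print.c (CVE-2017-18013), a NULL td_stripoffset or td_stripbytecount is printed as 0 for every strip, which is indistinguishable in the output from a file whose entries really are zero. Since the pointers cannot change inside the loop, test them once before it and print a single line saying the array is missing; that also removes the per-iteration ternaries from both the WIN32 and the generic branch. If the ternaries stay, give the fallback operand the same cast as the other arm rather than a bare `0`, so the argument type matching `%8I64u` and `%8llu` is explicit.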
@@ -5656,6 +5656,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) return; nstrips32 = (uint32)nstrips64; + /* If we are going to allocate a lot of memory, make sure that the */ + /* file is as big as needed */ + if( tif->tif_mode == O_RDONLY && + nstrips32 > 1000000 && + (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) || + tif->tif_dir.td_stripbytecount[0] > + TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) ) + { + return; + } + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), "for chopped \"StripByteCounts\" array"); newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), debian/patches/CVE-2013-1961.patch0000644000000000000000000007757712256047746013300 0ustar Index: tiff-4.0.3/contrib/dbs/xtiff/xtiff.c =================================================================== --- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.147629484 -0400 @@ -512,9 +512,9 @@ Arg args[1]; if (tfMultiPage) - sprintf(buffer, "%s - page %d", fileName, tfDirectory); + snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); else - strcpy(buffer, fileName); + snprintf(buffer, sizeof(buffer), "%s", fileName); XtSetArg(args[0], XtNlabel, buffer); XtSetValues(labelWidget, args, 1); } Index: tiff-4.0.3/libtiff/tif_dirinfo.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.147629484 -0400 
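Review bot: in the ChopUpSingleUncompressedStrip() hunk of libtiff/tif_dirread.c (CVE-2017-11613-1), the threshold `nstrips32 > 1000000` is an unexplained magic number; give it a named constant and a comment on how it was chosen, since just under that limit the two uint64 arrays allocated below still come to roughly 16 MB with no file-size check at all. TIFFGetFileSize(tif) is also called up to three times inside one condition; store it in a local so the comparison and the subtraction use the same value. The commit message says the file size is validated against the number of strips, while the code checks only td_stripoffset[0] and td_stripbytecount[0] against the file size, so the comment above the test should describe that.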
@@ -711,7 +711,7 @@ * note that this name is a special sign to TIFFClose() and * _TIFFSetupFields() to free the field */ - sprintf(fld->field_name, "Tag %d", (int) tag); + snprintf(fld->field_name, 32, "Tag %d", (int) tag); return fld; } Index: tiff-4.0.3/libtiff/tif_codec.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_codec.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/libtiff/tif_codec.c 2013-06-23 10:36:51.151629482 -0400 @@ -108,7 +108,8 @@ const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); char compression_code[20]; - sprintf( compression_code, "%d", tif->tif_dir.td_compression ); + snprintf(compression_code, sizeof(compression_code), "%d", + tif->tif_dir.td_compression ); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "%s compression support is not configured", c ? c->name : compression_code ); Index: tiff-4.0.3/tools/tiffdither.c =================================================================== --- tiff-4.0.3.orig/tools/tiffdither.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/tools/tiffdither.c 2013-06-23 10:36:51.151629482 -0400 @@ -260,7 +260,7 @@ TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); else CopyField(TIFFTAG_FILLORDER, shortv); - sprintf(thing, "Dithered B&W version of %s", argv[optind]); + snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); CopyField(TIFFTAG_PHOTOMETRIC, shortv); CopyField(TIFFTAG_ORIENTATION, shortv); Index: tiff-4.0.3/tools/rgb2ycbcr.c =================================================================== --- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-06-23 10:36:51.151629482 -0400 
@@ -332,7 +332,8 @@ TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); { char buf[2048]; char *cp = strrchr(TIFFFileName(in), '/'); - sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); + snprintf(buf, sizeof(buf), "YCbCr conversion of %s", + cp ? cp+1 : TIFFFileName(in)); TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); } TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:51.151629482 -0400 @@ -3630,7 +3630,9 @@ char buffer[16]; int buflen=0; - buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); + buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", + t2p->pdf_majorversion&0xff, + t2p->pdf_minorversion&0xff); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); @@ -3644,10 +3646,10 @@ tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; - buflen=sprintf(buffer, "%lu", (unsigned long)number); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); written += t2pWriteFile(output, (tdata_t) buffer, buflen ); written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); @@ -3686,13 +3688,13 @@ written += t2pWriteFile(output, (tdata_t) "/", 1); for (i=0;i 0x7E){ - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); nextchar=1; 
@@ -3700,57 +3702,57 @@ if (nextchar==0){ switch (name[i]){ case 0x23: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x25: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x28: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x29: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x2F: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x3C: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x3E: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x5B: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x5D: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x7B: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += 
t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x7D: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; @@ -3865,14 +3867,14 @@ tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "/Length ", 8); if(len!=0){ written += t2p_write_pdf_stream_length(len, output); } else { - buflen=sprintf(buffer, "%lu", (unsigned long)number); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); } @@ -3913,10 +3915,10 @@ tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; - buflen=sprintf(buffer, "%lu", (unsigned long)len); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "\n", 1); @@ -3930,7 +3932,7 @@ tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output) { tsize_t written = 0; - char buffer[16]; + char buffer[32]; int buflen = 0; written += t2pWriteFile(output, @@ -3969,7 +3971,6 @@ written += t2p_write_pdf_string(t2p->pdf_datetime, output); } written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); - _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); written += t2p_write_pdf_string(buffer, output); written += t2pWriteFile(output, (tdata_t) "\n", 1); @@ -4110,7 +4111,7 @@ { tsize_t written=0; tdir_t i=0; - char buffer[16]; + char buffer[32]; int buflen=0; int page=0; 
@@ -4118,7 +4119,7 @@ (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); page = t2p->pdf_pages+1; for (i=0;itiff_pagecount;i++){ - buflen=sprintf(buffer, "%d", page); + buflen=snprintf(buffer, sizeof(buffer), "%d", page); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); if ( ((i+1)%8)==0 ) { @@ -4133,8 +4134,7 @@ } } written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); + buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); 
@@ -4149,28 +4149,28 @@ unsigned int i=0; tsize_t written=0; - char buffer[16]; + char buffer[256]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); - buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); + buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); + buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); + buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); + buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "] \n", 3); written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); - buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); 
@@ -4178,15 +4178,13 @@ written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ written += t2pWriteFile(output, (tdata_t) "/Im", 3); - buflen = sprintf(buffer, "%u", t2p->pdf_page+1); + buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "_", 1); - buflen = sprintf(buffer, "%u", i+1); + buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen = sprintf( - buffer, - "%lu", + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); @@ -4198,12 +4196,10 @@ } else { written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); written += t2pWriteFile(output, (tdata_t) "/Im", 3); - buflen = sprintf(buffer, "%u", t2p->pdf_page+1); + buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen = sprintf( - buffer, - "%lu", + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); @@ -4212,9 +4208,7 @@ if(t2p->tiff_transferfunctioncount != 0) { written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); t2pWriteFile(output, (tdata_t) "/GS1 ", 5); - buflen = sprintf( - buffer, - "%lu", + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 3)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); 
@@ -4587,7 +4581,7 @@ if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; - buflen=sprintf(buffer, + buflen=snprintf(buffer, sizeof(buffer), "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", t2p->tiff_transferfunctioncount?"/GS1 gs ":"", box.mat[0], @@ -4602,7 +4596,7 @@ } } else { box=t2p->pdf_imagebox; - buflen=sprintf(buffer, + buflen=snprintf(buffer, sizeof(buffer), "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", t2p->tiff_transferfunctioncount?"/GS1 gs ":"", box.mat[0], 
@@ -4627,59 +4621,48 @@ TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); written += t2pWriteFile(output, (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", 42); - buflen=sprintf(buffer, "%u", t2p->pdf_page+1); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); if(tile != 0){ written += t2pWriteFile(output, (tdata_t) "_", 1); - buflen=sprintf(buffer, "%lu", (unsigned long)tile); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); - _TIFFmemset((tdata_t)buffer, 0x00, 16); if(tile==0){ - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); } else { if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); } else { - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); } } written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); - _TIFFmemset((tdata_t)buffer, 0x00, 16); if(tile==0){ - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); } else { if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); } else { - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, 
sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); } } written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); - _TIFFmemset((tdata_t)buffer, 0x00, 16); - buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); written += t2p_write_pdf_xobject_cs(t2p, output); @@ -4723,11 +4706,10 @@ t2p->pdf_colorspace ^= T2P_CS_PALETTE; written += t2p_write_pdf_xobject_cs(t2p, output); t2p->pdf_colorspace |= T2P_CS_PALETTE; - buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); + buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); return(written); @@ -4761,10 +4743,10 @@ X_W /= Y_W; Z_W /= Y_W; Y_W = 1.0F; - buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/Range ", 7); - buflen=sprintf(buffer, "[%d %d %d %d] \n", + buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", t2p->pdf_labrange[0], t2p->pdf_labrange[1], t2p->pdf_labrange[2], 
@@ -4780,26 +4762,26 @@ tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); if(t2p->tiff_transferfunctioncount == 1){ - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); } else { written += t2pWriteFile(output, (tdata_t) "[ ", 2); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 2)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 3)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); @@ -4821,7 +4803,7 @@ written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); - buflen=sprintf(buffer, "/Size [%u] \n", (1<tiff_bitspersample)); + buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<tiff_bitspersample)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output); 
@@ -4848,7 +4830,7 @@ tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[128]; + char buffer[256]; int buflen=0; float X_W=0.0; @@ -4916,16 +4898,16 @@ written += t2pWriteFile(output, (tdata_t) "<< \n", 4); if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); - buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); } if(t2p->pdf_colorspace & T2P_CS_CALRGB){ written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); - buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); - buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", + buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", X_R, Y_R, Z_R, X_G, Y_G, Z_G, X_B, Y_B, Z_B); @@ -4944,11 +4926,11 @@ tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); 
@@ -4958,11 +4940,11 @@ tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "/N ", 3); - buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); + buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); t2p->pdf_colorspace ^= T2P_CS_ICCBASED; @@ -5027,7 +5009,7 @@ tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; if(t2p->pdf_compression==T2P_COMPRESS_NONE){ 
@@ -5042,41 +5024,33 @@ written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); if(tile==0){ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } else { if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } else { written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } else { written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } 
@@ -5103,21 +5077,17 @@ if(t2p->pdf_compressionquality%100){ written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); - _TIFFmemset(buffer, 0x00, 16); - buflen = sprintf(buffer, "%lu", + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) ">>\n", 3); } 
@@ -5137,16 +5107,16 @@ tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[21]; + char buffer[64]; int buflen=0; uint32 i=0; written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); - buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); for (i=0;ipdf_xrefcount;i++){ - sprintf(buffer, "%.10lu 00000 n \n", + snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", (unsigned long)t2p->pdf_xrefoffsets[i]); written += t2pWriteFile(output, (tdata_t) buffer, 20); } @@ -5170,17 +5140,14 @@ snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand()); written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); - buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); - _TIFFmemset(buffer, 0x00, 32); written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); written += t2pWriteFile(output, (tdata_t) buffer, buflen); - _TIFFmemset(buffer, 0x00, 32); written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); written += t2pWriteFile(output, (tdata_t) buffer, buflen); - _TIFFmemset(buffer, 0x00, 32); written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, sizeof(t2p->pdf_fileid) - 1); 
@@ -5188,9 +5155,8 @@ written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, sizeof(t2p->pdf_fileid) - 1); written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); written += t2pWriteFile(output, (tdata_t) buffer, buflen); - _TIFFmemset(buffer, 0x00, 32); written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); return(written); Index: tiff-4.0.3/tools/tiff2ps.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2ps.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/tools/tiff2ps.c 2013-06-23 10:36:51.155629481 -0400 @@ -1781,8 +1781,8 @@ imageOp = "imagemask"; (void)strcpy(im_x, "0"); - (void)sprintf(im_y, "%lu", (long) h); - (void)sprintf(im_h, "%lu", (long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); + (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); tile_width = w; tile_height = h; if (TIFFIsTiled(tif)) { @@ -1803,7 +1803,7 @@ } if (tile_height < h) { fputs("/im_y 0 def\n", fd); - (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); } } else { repeat_count = tf_numberstrips; @@ -1815,7 +1815,7 @@ fprintf(fd, "/im_h %lu def\n", (unsigned long) tile_height); (void)strcpy(im_h, "im_h"); - (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); } } Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/tools/tiffcrop.c 2013-06-23 10:36:51.159629481 -0400 
@@ -2077,7 +2077,7 @@ return 1; } - sprintf (filenum, "-%03d%s", findex, export_ext); + snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); filenum[14] = '\0'; strncat (exportname, filenum, 15); } @@ -2230,8 +2230,8 @@ /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes fewer than PATH_MAX */ - memset (temp_filename, '\0', PATH_MAX + 1); - sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images, + snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", + dump.infilename, dump_images, (dump.format == DUMP_TEXT) ? "txt" : "raw"); if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) { @@ -2249,8 +2249,8 @@ /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes fewer than PATH_MAX */ - memset (temp_filename, '\0', PATH_MAX + 1); - sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, + snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", + dump.outfilename, dump_images, (dump.format == DUMP_TEXT) ? "txt" : "raw"); if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) { Index: tiff-4.0.3/tools/tiff2bw.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2bw.c 2013-06-23 10:36:51.163629483 -0400 +++ tiff-4.0.3/tools/tiff2bw.c 2013-06-23 10:36:51.159629481 -0400 @@ -205,7 +205,7 @@ } } TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); - sprintf(thing, "B&W version of %s", argv[optind]); + snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); debian/patches/CVE-2019-6128.patch0000644000000000000000000000305313441511054013241 0ustar From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001 
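Review bot: Throughout the tools/tiff2pdf.c hunks of CVE-2013-1961.patch, the result of `buflen = snprintf(buffer, sizeof(buffer), ...)` is passed straight to `t2pWriteFile(output, (tdata_t) buffer, buflen)` without being checked. snprintf returns the length the complete output would have had (or a negative value on error), not the number of bytes stored, so if a value is ever truncated buflen is larger than what is in the buffer and t2pWriteFile reads past the end of the stack array. After each call, test `buflen < 0 || (size_t) buflen >= sizeof(buffer)` and fail the write, preferably through one shared helper or macro rather than at every call site.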
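Review bot: In the libtiff/tif_dirinfo.c hunk of CVE-2013-1961.patch, `snprintf(fld->field_name, 32, "Tag %d", (int) tag);` hard-codes 32 as the bound, and the allocation of field_name is not part of the hunk, so nothing visible ties the two sizes together. Use one named constant for both the allocation and the snprintf size so that a later change to either cannot silently invalidate the bound.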
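Review bot: In the first tools/tiffcrop.c hunk of CVE-2013-1961.patch, the unchanged lines `filenum[14] = '\0';` and `strncat (exportname, filenum, 15);` still follow the new snprintf and are the weaker part of this code. The third argument of strncat limits how many bytes of filenum are appended, not how much room is left in exportname, so the append is only safe if exportname is known to have that much space plus the terminator at this point. Bound the append by the space remaining in exportname, and derive the 14 and 15 from sizeof(filenum) instead of repeating literals whose relation to the array size the hunk does not show.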
From: Scott Gayou Date: Wed, 23 Jan 2019 15:03:53 -0500 Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128. pal2rgb failed to free memory on a few errors. This was reported here: http://bugzilla.maptools.org/show_bug.cgi?id=2836. --- tools/pal2rgb.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) Index: tiff-4.0.3/tools/pal2rgb.c =================================================================== --- tiff-4.0.3.orig/tools/pal2rgb.c 2019-03-11 12:51:54.245152654 -0400 +++ tiff-4.0.3/tools/pal2rgb.c 2019-03-11 12:51:54.241152638 -0400 @@ -117,12 +117,14 @@ main(int argc, char* argv[]) shortv != PHOTOMETRIC_PALETTE) { fprintf(stderr, "%s: Expecting a palette image.\n", argv[optind]); + (void) TIFFClose(in); return (-1); } if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { fprintf(stderr, "%s: No colormap (not a valid palette image).\n", argv[optind]); + (void) TIFFClose(in); return (-1); } bitspersample = 0; @@ -130,11 +132,14 @@ main(int argc, char* argv[]) if (bitspersample != 8) { fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", argv[optind]); + (void) TIFFClose(in); return (-1); } out = TIFFOpen(argv[optind+1], "w"); - if (out == NULL) + if (out == NULL) { + (void) TIFFClose(in); return (-2); + } cpTags(in, out); TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); debian/patches/CVE-2017-17095.patch0000644000000000000000000000306113254741102013324 0ustar From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001 
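Review bot: In main() of tools/pal2rgb.c, the fix duplicates `(void) TIFFClose(in);` in front of each of the four early returns, so any error return added later can reintroduce the same leak. Route the error exits through a single cleanup label that closes `in` (and `out` once it has been opened) and returns the status, which keeps the release logic in one place and makes a missed path easier to spot in review.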
From: Nathan Baker Date: Thu, 25 Jan 2018 21:28:15 +0000 Subject: [PATCH] Add workaround to pal2rgb buffer overflow. --- tools/pal2rgb.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) Index: tiff-4.0.3/tools/pal2rgb.c =================================================================== --- tiff-4.0.3.orig/tools/pal2rgb.c 2018-03-22 10:48:32.579206435 -0400 +++ tiff-4.0.3/tools/pal2rgb.c 2018-03-22 10:48:32.575206430 -0400 @@ -181,8 +181,21 @@ main(int argc, char* argv[]) { unsigned char *ibuf, *obuf; register unsigned char* pp; register uint32 x; - ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); - obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); + tmsize_t tss_in = TIFFScanlineSize(in); + tmsize_t tss_out = TIFFScanlineSize(out); + if (tss_out / tss_in < 3) { + /* + * BUG 2750: The following code does not know about chroma + * subsampling of JPEG data. It assumes that the output buffer is 3x + * the length of the input buffer due to exploding the palette into + * RGB tuples. If this assumption is incorrect, it could lead to a + * buffer overflow. Go ahead and fail now to prevent that. + */ + fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); + return -1; + } + ibuf = (unsigned char*)_TIFFmalloc(tss_in); + obuf = (unsigned char*)_TIFFmalloc(tss_out); switch (config) { case PLANARCONFIG_CONTIG: for (row = 0; row < imagelength; row++) { debian/patches/CVE-2016-3991.patch0000644000000000000000000001063113054071260013243 0ustar From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001 
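Review bot: In the tools/pal2rgb.c hunk of CVE-2017-17095.patch, `if (tss_out / tss_in < 3)` divides by tss_in before anything has checked it, and TIFFScanlineSize() returns 0 when it cannot compute a size, so a malformed input can turn the overflow guard into a division by zero. Test `tss_in <= 0 || tss_out <= 0` before the ratio. The added `return -1;` also exits after both `in` and `out` are in use without closing either, and the two _TIFFmalloc results that follow are still used without a NULL check.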
From: erouault Date: Mon, 15 Aug 2016 21:05:40 +0000 Subject: [PATCH] * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). From patch libtiff-CVE-2016-3991.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) --- ChangeLog | 6 ++++++ tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 62 insertions(+), 3 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index db4ea18..5d60608 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,11 @@ # 2016-08-15 Even Rouault # #+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). #+ From patch libtiff-CVE-2016-3991.patch from #+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) #+ #+2016-08-15 Even Rouault #+ # * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode # if more input samples are provided than expected by PixarLogSetupEncode. # Idea based on libtiff-CVE-2016-3990.patch from Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2017-02-24 12:51:42.085292378 -0500 +++ tiff-4.0.3/tools/tiffcrop.c 2017-02-24 12:51:42.085292378 -0500 @@ -798,6 +798,11 @@ } tile_buffsize = tilesize; + if (tilesize == 0 || tile_rowsize == 0) + { + TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); + exit(-1); + } if (tilesize < (tsize_t)(tl * tile_rowsize)) { @@ -807,7 +812,12 @@ tilesize, tl * tile_rowsize); #endif tile_buffsize = tl * tile_rowsize; - } + if (tl != (tile_buffsize / tile_rowsize)) + { + TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); + exit(-1); + } + } tilebuf = _TIFFmalloc(tile_buffsize); if (tilebuf == 0) 
@@ -1210,6 +1220,12 @@ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) return 1; + if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) + { + TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); + exit(-1); + } + tile_buffsize = tilesize; if (tilesize < (tsize_t)(tl * tile_rowsize)) { @@ -1219,6 +1235,11 @@ tilesize, tl * tile_rowsize); #endif tile_buffsize = tl * tile_rowsize; + if (tl != tile_buffsize / tile_rowsize) + { + TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); + exit(-1); + } } tilebuf = _TIFFmalloc(tile_buffsize); @@ -5931,12 +5952,27 @@ TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); tile_rowsize = TIFFTileRowSize(in); + if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) + { + TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); + exit(-1); + } buffsize = tlsize * ntiles; + if (tlsize != (buffsize / ntiles)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } - if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) { buffsize = ntiles * tl * tile_rowsize; + if (ntiles != (buffsize / tl / tile_rowsize)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } + #ifdef DEBUG2 TIFFError("loadImage", "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", 
@@ -5955,8 +5991,25 @@ TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); stsize = TIFFStripSize(in); nstrips = TIFFNumberOfStrips(in); + if (nstrips == 0 || stsize == 0) + { + TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); + exit(-1); + } + buffsize = stsize * nstrips; - + if (stsize != (buffsize / nstrips)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } + uint32 buffsize_check; + buffsize_check = ((length * width * spp * bps) + 7); + if (length != ((buffsize_check - 7) / width / spp / bps)) + { + TIFFError("loadImage", "Integer overflow detected."); + exit(-1); + } if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) { buffsize = ((length * width * spp * bps) + 7) / 8; debian/patches/CVE-2016-3632.patch0000644000000000000000000000174413054071221013235 0ustar From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Forr=C3=B3?= Date: Mon, 11 Jul 2016 16:04:34 +0200 Subject: [PATCH 4/8] Fix CVE-2016-3632 --- tools/thumbnail.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: tiff-4.0.3/tools/thumbnail.c =================================================================== --- tiff-4.0.3.orig/tools/thumbnail.c 2017-02-24 12:51:11.764859298 -0500 +++ tiff-4.0.3/tools/thumbnail.c 2017-02-24 12:51:11.764859298 -0500 
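Review bot: in the last tools/tiffcrop.c hunk of the CVE-2016-3991 patch (loadImage(), striped case), the buffsize_check test adds 7 and then subtracts it again, so it only proves that length * width * spp * bps did not wrap; the addition of 7 used in the size comparison that follows can still wrap. The test also divides by width, spp and bps, none of which this hunk checks for zero, so a zero in any of them replaces the overflow with a divide by zero. Suggest rejecting zero values next to the nstrips == 0 || stsize == 0 test and comparing the product against the uint32 maximum minus 7 before adding. Minor: the error text says "stipes", and uint32 buffsize_check; is declared after statements.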
@@ -253,7 +253,8 @@ { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL }, { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL }, { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT }, - { TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, + // disable BADFAXLINES, CVE-2016-3632 + //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, debian/patches/CVE-2013-4232.patch0000644000000000000000000000123612256047746013245 0ustar Description: use after free in tiff2pdf Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449 Bug-Debian: http://bugs.debian.org/719303 Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400 +++ tiff-4.0.3/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400 @@ -2461,7 +2461,8 @@ (unsigned long) t2p->tiff_datasize, TIFFFileName(input)); t2p->t2p_error = T2P_ERR_ERROR; - _TIFFfree(buffer); + _TIFFfree(buffer); + return(0); } else { buffer=samplebuffer; t2p->tiff_datasize *= t2p->tiff_samplesperpixel; debian/patches/CVE-2014-81xx-3.patch0000644000000000000000000000242112505326600013603 0ustar From 266bc48054b018a2f1d74562aa48eb2f509436d5 Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 21 Dec 2014 17:36:36 +0000 Subject: [PATCH] * tools/tiff2pdf.c: check return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL --- ChangeLog | 5 +++++ tools/tiff2pdf.c | 10 +++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2015-01-29 09:35:42.605252041 -0500 +++ tiff-4.0.3/tools/tiff2pdf.c 2015-01-29 09:35:42.601252008 -0500 
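Review bot: the tools/thumbnail.c change for CVE-2016-3632 drops the TIFFTAG_BADFAXLINES entry by commenting it out, and neither the new comment nor the commit message ("Fix CVE-2016-3632") says why that entry is unsafe while { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, with the same count and type, stays two lines below it. Please put the reason in the comment and say whether the remaining TIFF_LONG entry was looked at. If the entry is to stay disabled, delete it or use a /* */ comment, as the other patches in this series do, rather than //.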
@@ -1164,7 +1164,15 @@ t2p->tiff_pages[i].page_tilecount; if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) && (xuint16 == PLANARCONFIG_SEPARATE ) ){ - TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); + if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) ) + { + TIFFError( + TIFF2PDF_MODULE, + "Missing SamplesPerPixel, %s", + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) { TIFFError( debian/patches/CVE-2016-6223.patch0000644000000000000000000000425313054071032013232 0ustar From 0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496 Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 10 Jul 2016 18:00:20 +0000 Subject: [PATCH] * libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond tmsize_t max value (reported by Mathias Svensson) --- ChangeLog | 7 +++++++ libtiff/tif_read.c | 7 +++++-- 2 files changed, 12 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 6f6e7c6..e98d54d 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,12 @@ # 2016-07-10 Even Rouault # #+ * libtiff/tif_read.c: Fix out-of-bounds read on #+ memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() #+ when stripoffset is beyond tmsize_t max value (reported by #+ Mathias Svensson) #+ #+2016-07-10 Even Rouault #+ # * tools/tiffdump.c: fix a few misaligned 64-bit reads warned # by -fsanitize # Index: tiff-4.0.6/libtiff/tif_read.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_read.c 2017-02-24 10:44:46.344637366 -0500 +++ tiff-4.0.6/libtiff/tif_read.c 2017-02-24 10:44:46.340637316 -0500 
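Review bot: in the tools/tiff2pdf.c hunk at line 1164, the new check covers a missing SamplesPerPixel tag but not a tag that is present with the value 0, and the very next statement computes tiles_tilecount % xuint16. Extend the condition to also fail when xuint16 == 0, with its own message, so the modulo cannot be reached with a zero divisor.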
@@ -31,6 +31,9 @@ #include "tiffiop.h" #include +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) + int TIFFFillStrip(TIFF* tif, uint32 strip); int TIFFFillTile(TIFF* tif, uint32 tile); static int TIFFStartStrip(TIFF* tif, uint32 strip); @@ -401,7 +404,7 @@ tmsize_t n; ma=(tmsize_t)td->td_stripoffset[strip]; mb=ma+size; - if (((uint64)ma!=td->td_stripoffset[strip])||(ma>tif->tif_size)) + if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) n=0; else if ((mbtif->tif_size)) n=tif->tif_size-ma; @@ -717,7 +720,7 @@ tmsize_t n; ma=(tmsize_t)td->td_stripoffset[tile]; mb=ma+size; - if (((uint64)ma!=td->td_stripoffset[tile])||(ma>tif->tif_size)) + if ((td->td_stripoffset[tile] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) n=0; else if ((mbtif->tif_size)) n=tif->tif_size-ma; debian/patches/CVE-2016-3622.patch0000644000000000000000000001314213054071202013226 0ustar From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001 
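Review bot: in both libtiff/tif_read.c hunks of the CVE-2016-6223 patch (TIFFReadRawStrip1() and TIFFReadRawTile1() per the commit message), the new comparison against TIFF_TMSIZE_T_MAX runs only after ma=(tmsize_t)td->td_stripoffset[...] and mb=ma+size have been evaluated, so the out-of-range conversion and a possible signed overflow in ma+size still happen before the offset is rejected. Suggest doing the range check on the uint64 offset first and computing ma and mb only once it has passed. The TIFF_TMSIZE_T_MAX macro also needs outer parentheses around its whole expansion, and it assumes tmsize_t is as wide as size_t, which deserves a comment.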
From: bfriesen Date: Sat, 24 Sep 2016 23:11:55 +0000 Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to read floating point images. * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample requirements of floating point predictor (3). Fixes CVE-2016-3622 "Divide By Zero in the tiff2rgba tool." places where it isn't done currently, but it seems this patch is enough. --- ChangeLog | 11 ++++++++++- libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------ libtiff/tif_predict.c | 11 ++++++++++- 3 files changed, 40 insertions(+), 20 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 26d6f47..a628277 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,12 @@ #+2016-09-24 Bob Friesenhahn #+ #+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to #+ read floating point images. #+ #+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample #+ requirements of floating point predictor (3). Fixes CVE-2016-3622 #+ "Divide By Zero in the tiff2rgba tool." #+ # 2016-09-23 Even Rouault # # * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities #@@ -17,7 +26,7 @@ # completely sure if that could happen in practice outside of the odd # behaviour of t2p_seekproc() of tiff2pdf). The report points that a # better fix could be to check the return value of TIFFFlushData1() in #- places where it isn't done currently, but it seems this patch is enough. #+ places where it isn't done currently, but it seems this patch is enough. # Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan & # Suha Can from the MSRC Vulnerabilities & Mitigations team. # Index: tiff-4.0.3/libtiff/tif_getimage.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_getimage.c 2017-02-24 12:50:56.156633701 -0500 +++ tiff-4.0.3/libtiff/tif_getimage.c 2017-02-24 12:50:56.152633643 -0500 
@@ -95,6 +95,10 @@ td->td_bitspersample); return (0); } + if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) { + sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples"); + return (0); + } colorchannels = td->td_samplesperpixel - td->td_extrasamples; if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) { switch (colorchannels) { @@ -182,27 +186,25 @@ "Planarconfiguration", td->td_planarconfig); return (0); } - if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, - "Sorry, can not handle image with %s=%d, %s=%d", - "Samples/pixel", td->td_samplesperpixel, - "colorchannels", colorchannels); - return 0; - } + if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) { + sprintf(emsg, + "Sorry, can not handle image with %s=%d, %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels); + return 0; + } break; case PHOTOMETRIC_CIELAB: - if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, - "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, - "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } + if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { + sprintf(emsg, + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels, + "Bits/sample", td->td_bitspersample); + return 0; + } break; - default: + default: sprintf(emsg, "Sorry, can not handle image with %s=%d", photoTag, photometric); return (0); Index: tiff-4.0.3/libtiff/tif_predict.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_predict.c 2017-02-24 12:50:56.156633701 -0500 +++ tiff-4.0.3/libtiff/tif_predict.c 2017-02-24 12:50:56.152633643 -0500 
@@ -78,6 +78,15 @@ td->td_sampleformat); return 0; } + if (td->td_bitspersample != 16 + && td->td_bitspersample != 24 + && td->td_bitspersample != 32 + && td->td_bitspersample != 64) { /* Should 64 be allowed? */ + TIFFErrorExt(tif->tif_clientdata, module, + "Floating point \"Predictor\" not supported with %d-bit samples", + td->td_bitspersample); + return 0; + } break; default: TIFFErrorExt(tif->tif_clientdata, module, @@ -172,7 +181,7 @@ } /* * Allocate buffer to keep the decoded bytes before - * rearranging in the ight order + * rearranging in the right order */ } debian/patches/CVE-2017-12944.patch0000644000000000000000000001323313254204120013316 0ustar Backport of: From dc02f9050311a90b3c0655147cee09bfa7081cfc Mon Sep 17 00:00:00 2001 
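Review bot: the libtiff/tif_predict.c hunk of the CVE-2016-3622 patch commits its own open question, /* Should 64 be allowed? */, inside the new bits-per-sample check; that should be settled and the comment replaced by a statement of which sample widths the floating point predictor supports and why. In libtiff/tif_getimage.c the one functional change (rejecting SAMPLEFORMAT_IEEEFP in TIFFRGBAImageOK) is mixed with brace and indentation rewrites of the two td_samplesperpixel != 3 checks and of the default: label, which makes a security backport harder to audit; the cosmetic part belongs in a separate commit.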
From: Even Rouault Date: Sat, 15 Jul 2017 13:23:09 +0000 Subject: [PATCH] * libtiff/tif_read.c: add protection against excessive memory allocation attempts in TIFFReadDirEntryArray() on short files. Effective for mmap'ed case. And non-mmap'ed case, but restricted to 64bit builds. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675 --- ChangeLog | 8 +++++ libtiff/tif_dirread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 92 insertions(+), 5 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 932ddee5..e8a2be5b 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,11 @@ #+2017-07-15 Even Rouault #+ #+ * libtiff/tif_read.c: add protection against excessive memory #+ allocation attempts in TIFFReadDirEntryArray() on short files. #+ Effective for mmap'ed case. And non-mmap'ed case, but restricted #+ to 64bit builds. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675 #+ # 2017-07-15 Even Rouault # # * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the Index: tiff-4.0.6/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_dirread.c 2018-03-20 07:57:55.692652629 -0400 +++ tiff-4.0.6/libtiff/tif_dirread.c 2018-03-20 07:59:13.052677815 -0400 
@@ -763,6 +763,66 @@ static enum TIFFReadDirEntryErr TIFFRead } } + +#define INITIAL_THRESHOLD (1024 * 1024) +#define THRESHOLD_MULTIPLIER 10 +#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) + +static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc( + TIFF* tif, uint64 offset, tmsize_t size, void** pdest) +{ +#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 + tmsize_t threshold = INITIAL_THRESHOLD; +#endif + tmsize_t already_read = 0; + + assert( !isMapped(tif) ); + + if (!SeekOK(tif,offset)) + return(TIFFReadDirEntryErrIo); + + /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */ + /* so as to avoid allocating too much memory in case the file is too */ + /* short. We could ask for the file size, but this might be */ + /* expensive with some I/O layers (think of reading a gzipped file) */ + /* Restrict to 64 bit processes, so as to avoid reallocs() */ + /* on 32 bit processes where virtual memory is scarce. 
*/ + while( already_read < size ) + { + void* new_dest; + tmsize_t bytes_read; + tmsize_t to_read = size - already_read; +#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 + if( to_read >= threshold && threshold < MAX_THRESHOLD ) + { + to_read = threshold; + threshold *= THRESHOLD_MULTIPLIER; + } +#endif + + new_dest = (uint8*) _TIFFrealloc( + *pdest, already_read + to_read); + if( new_dest == NULL ) + { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Failed to allocate memory for %s " + "(%ld elements of %ld bytes each)", + "TIFFReadDirEntryArray", + (long) 1, (long) already_read + to_read); + return TIFFReadDirEntryErrAlloc; + } + *pdest = new_dest; + + bytes_read = TIFFReadFile(tif, + (char*)*pdest + already_read, to_read); + already_read += bytes_read; + if (bytes_read != to_read) { + return TIFFReadDirEntryErrIo; + } + } + return TIFFReadDirEntryErrOk; +} + static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value) { int typesize; @@ -789,9 +849,22 @@ static enum TIFFReadDirEntryErr TIFFRead *count=(uint32)direntry->tdir_count; datasize=(*count)*typesize; assert((tmsize_t)datasize>0); - data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); - if (data==0) - return(TIFFReadDirEntryErrAlloc); + + if( isMapped(tif) && datasize > tif->tif_size ) + return TIFFReadDirEntryErrIo; + + if( !isMapped(tif) && + (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) || + (!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) ) + { + data = NULL; + } + else + { + data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); + if (data==0) + return(TIFFReadDirEntryErrAlloc); + } if (!(tif->tif_flags&TIFF_BIGTIFF)) { if (datasize<=4) 
@@ -802,7 +875,10 @@ static enum TIFFReadDirEntryErr TIFFRead uint32 offset = direntry->tdir_offset.toff_long; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong(&offset); - err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + if( isMapped(tif) ) + err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + else + err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); if (err!=TIFFReadDirEntryErrOk) { _TIFFfree(data); @@ -820,7 +896,10 @@ static enum TIFFReadDirEntryErr TIFFRead uint64 offset = direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8(&offset); - err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data); + if( isMapped(tif) ) + err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + else + err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); if (err!=TIFFReadDirEntryErrOk) { _TIFFfree(data); debian/patches/CVE-2017-5225.patch0000644000000000000000000000571013054073023013235 0ustar From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001 
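Review bot: in the new TIFFReadDirEntryDataAndRealloc() in libtiff/tif_dirread.c, the only guard against being called on a mapped file is assert( !isMapped(tif) ), which disappears when NDEBUG is defined. Both call sites in this patch branch on isMapped(tif) first, but a runtime return of TIFFReadDirEntryErrIo would keep the function safe for future callers. In the allocation failure message, (long) already_read + to_read casts only already_read; parenthesize the sum. It would also help to say in the comment that once threshold reaches MAX_THRESHOLD the whole remainder is requested in a single _TIFFrealloc() call.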
From: erouault Date: Wed, 11 Jan 2017 19:25:44 +0000 Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and http://bugzilla.maptools.org/show_bug.cgi?id=2657 --- ChangeLog | 7 +++++++ tools/tiffcp.c | 24 ++++++++++++++++++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index f78cad0..064f25b 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,12 @@ # 2017-01-11 Even Rouault # #+ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and #+ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and #+ http://bugzilla.maptools.org/show_bug.cgi?id=2657 #+ #+2017-01-11 Even Rouault #+ # * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc() # # * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero Index: tiff-4.0.3/tools/tiffcp.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcp.c 2017-02-24 13:06:09.073652740 -0500 +++ tiff-4.0.3/tools/tiffcp.c 2017-02-24 13:06:09.069652694 -0500 @@ -586,7 +586,7 @@ static int tiffcp(TIFF* in, TIFF* out) { - uint16 bitspersample, samplesperpixel = 1; + uint16 bitspersample = 1, samplesperpixel = 1; uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; copyFunc cf; uint32 width, length; @@ -1062,6 +1062,16 @@ register uint32 n; uint32 row; tsample_t s; + uint16 bps = 0; + + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); + if( bps != 8 ) + { + TIFFError(TIFFFileName(in), + "Error, can only handle BitsPerSample=8 in %s", + "cpContig2SeparateByRow"); + return 0; + } inbuf = _TIFFmalloc(scanlinesizein); outbuf = _TIFFmalloc(scanlinesizeout); 
@@ -1115,6 +1125,16 @@ register uint32 n; uint32 row; tsample_t s; + uint16 bps = 0; + + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); + if( bps != 8 ) + { + TIFFError(TIFFFileName(in), + "Error, can only handle BitsPerSample=8 in %s", + "cpSeparate2ContigByRow"); + return 0; + } inbuf = _TIFFmalloc(scanlinesizein); outbuf = _TIFFmalloc(scanlinesizeout); @@ -1757,7 +1777,7 @@ uint32 w, l, tw, tl; int bychunk; - (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); + (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { fprintf(stderr, "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", debian/patches/estimatestripbytecounts_return_code.patch0000644000000000000000000000156012505326702021250 0ustar From 8bf2ef81c053562177eba5b34006da3823a2e440 Mon Sep 17 00:00:00 2001 From: erouault Date: Tue, 23 Dec 2014 11:06:54 +0000 Subject: [PATCH] * libtiff/tif_dirread.c: In EstimateStripByteCounts(), check return code of _TIFFFillStriles(). This solves crashing bug on corrupted images generated by afl. --- ChangeLog | 6 ++++++ libtiff/tif_dirread.c | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index f66c9a7..0a9fa90 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -4295,7 +4295,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount) TIFFDirectory *td = &tif->tif_dir; uint32 strip; - _TIFFFillStriles( tif ); + if( !_TIFFFillStriles( tif ) ) + return -1; if (td->td_stripbytecount) _TIFFfree(td->td_stripbytecount); debian/patches/CVE-2017-9403_9815.patch0000644000000000000000000001023413254204060013721 0ustar From fb3dc46a2fcf6197ff3b93fc76f0c37fddc0333b Mon Sep 17 00:00:00 2001 
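Review bot: in tools/tiffcp.c (CVE-2017-5225), cpContig2SeparateByRow and cpSeparate2ContigByRow receive the same BitsPerSample block twice, and it reads the tag with (void) TIFFGetField() while the last hunk of the same patch moves PLANARCONFIG to TIFFGetFieldDefaulted(). With bps initialised to 0 a missing tag is rejected, which is the safe outcome, but the code should say that this is deliberate. Suggest one small helper that takes the function name for the message and is called from both places before the _TIFFmalloc() calls.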
From: erouault Date: Thu, 27 Apr 2017 15:46:22 +0000 Subject: [PATCH] * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD mode (ie default) when there is both a StripOffsets and TileOffsets tag, or a StripByteCounts and TileByteCounts Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689 * tools/tiff2ps.c: call TIFFClose() in error code paths. --- ChangeLog | 7 +++++++ libtiff/tif_dirread.c | 18 +++++++++++++++++- tools/tiff2ps.c | 6 ++++++ 3 files changed, 30 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index d5c1efca..11639b98 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2017-04-27 #+ * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD #+ mode (ie default) when there is both a StripOffsets and #+ TileOffsets tag, or a StripByteCounts and TileByteCounts #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689 #+ * tools/tiff2ps.c: call TIFFClose() in error code paths. #+ # 2017-02-25 Even Rouault # # * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7 Index: tiff-4.0.3/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dirread.c 2018-03-20 09:10:06.239136690 -0400 +++ tiff-4.0.3/libtiff/tif_dirread.c 2018-03-20 09:10:06.235136681 -0400 @@ -3759,6 +3759,14 @@ TIFFReadDirectory(TIFF* tif) _TIFFmemcpy( &(tif->tif_dir.td_stripoffset_entry), dp, sizeof(TIFFDirEntry) ); #else + if( tif->tif_dir.td_stripoffset != NULL ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "tif->tif_dir.td_stripoffset is " + "already allocated. Likely duplicated " + "StripOffsets/TileOffsets tag"); + goto bad; + } if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripoffset)) goto bad; #endif 
@@ -3769,7 +3777,15 @@ TIFFReadDirectory(TIFF* tif) _TIFFmemcpy( &(tif->tif_dir.td_stripbytecount_entry), dp, sizeof(TIFFDirEntry) ); #else - if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripbytecount)) + if( tif->tif_dir.td_stripbytecount != NULL ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "tif->tif_dir.td_stripbytecount is " + "already allocated. Likely duplicated " + "StripByteCounts/TileByteCounts tag"); + goto bad; + } + if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripbytecount)) goto bad; #endif break; Index: tiff-4.0.3/tools/tiff2ps.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2ps.c 2018-03-20 09:10:06.239136690 -0400 +++ tiff-4.0.3/tools/tiff2ps.c 2018-03-20 09:10:06.235136681 -0400 @@ -464,10 +464,16 @@ main(int argc, char* argv[]) if (tif != NULL) { if (dirnum != -1 && !TIFFSetDirectory(tif, (tdir_t)dirnum)) + { + TIFFClose(tif); return (-1); + } else if (diroff != 0 && !TIFFSetSubDirectory(tif, diroff)) + { + TIFFClose(tif); return (-1); + } np = TIFF2PS(output, tif, pageWidth, pageHeight, leftmargin, bottommargin, centered); if (np < 0) debian/patches/CVE-2018-8905.patch0000644000000000000000000000300013420114434013233 0ustar Backport of: From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 
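Review bot: in the two TIFFReadDirectory() hunks of libtiff/tif_dirread.c (CVE-2017-9403_9815 patch), the duplicate-tag rejection is added only on the #else side; the other side of the #if still does _TIFFmemcpy() into td_stripoffset_entry and td_stripbytecount_entry, so a file carrying both StripOffsets and TileOffsets is an error in one build mode and quietly takes the later entry in the other. Please either document that difference or make both modes reject the file. The error text prints the struct member name (tif->tif_dir.td_stripoffset); the tag names alone would mean more to a user. The second hunk also re-indents the unchanged TIFFFetchStripThing() line, which adds noise to the diff.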
From: Even Rouault Date: Sat, 12 May 2018 15:32:31 +0200 Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 The fix consists in using the similar code LZWDecode() to validate we don't write outside of the output buffer. --- libtiff/tif_lzw.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) Index: tiff-4.0.3/libtiff/tif_lzw.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_lzw.c 2019-01-17 10:02:50.538491939 -0500 +++ tiff-4.0.3/libtiff/tif_lzw.c 2019-01-17 10:02:50.534491929 -0500 @@ -589,6 +589,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t char *tp; unsigned char *bp; int code, nbits; + int len; long nextbits, nextdata, nbitsmask; code_t *codep, *free_entp, *maxcodep, *oldcodep; @@ -733,12 +734,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t } while (--occ); break; } - assert(occ >= codep->length); - op += codep->length, occ -= codep->length; - tp = op; + len = codep->length; + tp = op + len; do { - *--tp = codep->value; - } while( (codep = codep->next) != NULL ); + int t; + --tp; + t = codep->value; + codep = codep->next; + *tp = (char)t; + } while (codep && tp > op); + assert(occ >= len); + op += len; + occ -= len; } else *op++ = code, occ--; } debian/patches/CVE-2016-10267.patch0000644000000000000000000000410613254203577013327 0ustar From 43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec Mon Sep 17 00:00:00 2001 
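Review bot: in the LZWDecodeCompat() hunk of libtiff/tif_lzw.c (CVE-2018-8905), assert(occ >= len) has moved from before the copy to after it, so a debug build reports a violation only once the bytes have been written and a build with NDEBUG never checks it. The loop guard tp > op bounds the lower end of the write only. Suggest a runtime comparison of len against occ before tp = op + len, and an error return when the loop ends with codep still non-NULL or with tp still above op, since both mean the code chain and codep->length disagree and the current code carries on silently.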
From: erouault Date: Sat, 3 Dec 2016 11:15:18 +0000 Subject: [PATCH] * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 --- ChangeLog | 7 +++++++ libtiff/tif_ojpeg.c | 8 ++++++++ 2 files changed, 15 insertions(+) #diff --git a/ChangeLog b/ChangeLog #index 9dbc7a0c..5b23665b 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2016-12-03 Even Rouault #+ #+ * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in #+ OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues. #+ Reported by Agostino Sarubbo. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 #+ # 2016-12-03 Even Rouault # # * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to Index: tiff-4.0.3/libtiff/tif_ojpeg.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_ojpeg.c 2018-03-20 09:07:09.906741712 -0400 +++ tiff-4.0.3/libtiff/tif_ojpeg.c 2018-03-20 09:07:09.906741712 -0400 @@ -244,6 +244,7 @@ typedef enum { typedef struct { TIFF* tif; + int decoder_ok; #ifndef LIBJPEG_ENCAP_EXTERNAL JMP_BUF exit_jmpbuf; #endif @@ -717,6 +718,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s) } sp->write_curstrile++; } + sp->decoder_ok = 1; return(1); } @@ -779,8 +781,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif) static int OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) { + static const char module[]="OJPEGDecode"; OJPEGState* sp=(OJPEGState*)tif->tif_data; (void)s; + if( !sp->decoder_ok ) + { + TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); + return 0; + } if (sp->libjpeg_jpeg_query_style==0) { if (OJPEGDecodeRaw(tif,buf,cc)==0) debian/patches/CVE-2017-11335.patch0000644000000000000000000000361613254204114013316 0ustar 
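Review bot: in libtiff/tif_ojpeg.c (CVE-2016-10267), the hunks shown only ever assign 1 to decoder_ok, at the end of OJPEGPreDecode(); nothing visible clears it. If OJPEGPreDecode() succeeds for one strip or tile and fails for a later one, OJPEGDecode() will still see decoder_ok == 1 from the earlier call. Suggest setting sp->decoder_ok = 0 at the top of OJPEGPreDecode() and stating in a comment next to the new struct member that the state is expected to start zeroed.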
From 69bfeec247899776b1b396651adb47436e5f1556 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sat, 15 Jul 2017 11:13:46 +0000 Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" mode on PlanarConfig=Contig input images. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337 --- ChangeLog | 7 +++++++ tools/tiff2pdf.c | 7 ++++++- 2 files changed, 13 insertions(+), 1 deletion(-) #diff --git a/ChangeLog b/ChangeLog #index b4771234..1b5490f3 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2017-07-15 Even Rouault #+ #+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" #+ mode on PlanarConfig=Contig input images. #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 #+ Reported by team OWL337 #+ # 2017-07-11 Even Rouault # # * libtiff/tif_dir.c: avoid potential null pointer dereference in Index: tiff-4.0.3/tools/tiff2pdf.c =================================================================== --- tiff-4.0.3.orig/tools/tiff2pdf.c 2018-03-20 09:10:33.799195415 -0400 +++ tiff-4.0.3/tools/tiff2pdf.c 2018-03-20 09:10:33.799195415 -0400 @@ -1696,7 +1696,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* t2p_compose_pdf_page(t2p); t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; - if(t2p->pdf_nopassthrough==0){ + /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ + /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ + /* do not take into account the number of samples, and thus */ + /* that can cause heap buffer overflows such as in */ + /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ + if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ #ifdef CCITT_SUPPORT if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 ){ debian/patches/CVE-2018-19210-2.patch0000644000000000000000000000557213441511045013463 0ustar From 38ede78b13810ff0fa8e61f86ef9aa0ab2964668 Mon Sep 17 00:00:00 2001 
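Review bot: in the t2p_read_tiff_data() hunk of tools/tiff2pdf.c (CVE-2017-11335), the commit message describes the overflow as occurring on PlanarConfig=Contig input, while the new condition and its comment exclude PLANARCONFIG_SEPARATE from raw mode and talk about separate->contig conversion. One of the two descriptions is misleading; please make the commit message, the ChangeLog entry and the comment agree. The comment also opens with "It seems that", which leaves it unclear whether the limitation was confirmed in t2p_read_tiff_size() and t2p_read_tiff_size_tile() or inferred from the crash.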
From: Even Rouault Date: Sat, 2 Feb 2019 15:30:14 +0100 Subject: [PATCH] Fix warning (use of uninitialized value) added per d0a842c5dbad2609aed43c701a12ed12461d3405 (fixes https://gitlab.com/libtiff/libtiff/merge_requests/54#note_137742985) --- libtiff/tif_dir.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) Index: tiff-4.0.3/libtiff/tif_dir.c =================================================================== --- tiff-4.0.3.orig/libtiff/tif_dir.c 2019-03-11 12:51:47.525124706 -0400 +++ tiff-4.0.3/libtiff/tif_dir.c 2019-03-11 12:51:47.513124656 -0400 @@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, dou * Install extra samples information. */ static int -setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) +setExtraSamples(TIFF* tif, va_list ap, uint32* v) { /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */ #define EXTRASAMPLE_COREL_UNASSALPHA 999 uint16* va; uint32 i; + TIFFDirectory* td = &tif->tif_dir; + static const char module[] = "setExtraSamples"; *v = (uint16) va_arg(ap, uint16_vap); if ((uint16) *v > td->td_samplesperpixel) @@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_li return 0; } } + + if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) && + !(td->td_samplesperpixel - td->td_extrasamples > 1)) + { + TIFFWarningExt(tif->tif_clientdata,module, + "ExtraSamples tag value is changing, " + "but TransferFunction was read with a different value. Cancelling it"); + TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); + _TIFFfree(td->td_transferfunction[0]); + td->td_transferfunction[0] = NULL; + } + td->td_extrasamples = (uint16) *v; _TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples); return 1; 
@@ -372,17 +386,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32); break; case TIFFTAG_EXTRASAMPLES: - if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) && - !(td->td_samplesperpixel - td->td_extrasamples > 1)) - { - TIFFWarningExt(tif->tif_clientdata,module, - "ExtraSamples tag value is changing, " - "but TransferFunction was read with a different value. Cancelling it"); - TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); - _TIFFfree(td->td_transferfunction[0]); - td->td_transferfunction[0] = NULL; - } - if (!setExtraSamples(td, ap, &v)) + if (!setExtraSamples(tif, ap, &v)) goto badvalue; break; case TIFFTAG_MATTEING: debian/patches/CVE-2014-9655-1.patch0000644000000000000000000000204012505326651013404 0ustar From 24a2eee78bb057acb2c3992acd002654c1747718 Mon Sep 17 00:00:00 2001 From: erouault Date: Wed, 24 Dec 2014 16:57:18 +0000 Subject: [PATCH] * libtiff/tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling. http://bugzilla.maptools.org/show_bug.cgi?id=2235 --- ChangeLog | 5 +++++ libtiff/tif_getimage.c | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c index 396ad08..417ac7b 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -875,6 +875,10 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); + if( subsamplingver == 0 ) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); + return (0); + } scanline = TIFFScanlineSize(tif); fromskew = (w < imagewidth ? imagewidth - w : 0); for (row = 0; row < h; row += nrow) debian/patches/CVE-2017-13727.patch0000644000000000000000000000450313254204134013323 0ustar From b6af137bf9ef852f1a48a50a5afb88f9e9da01cc Mon Sep 17 00:00:00 2001 
From: Even Rouault Date: Wed, 23 Aug 2017 13:33:42 +0000 Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting on uint32 when selecting the value of SubIFD tag by runtime check (in TIFFWriteDirectoryTagSubifd()). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337 SubIFD tag by runtime check (in TIFFWriteDirectorySec()) --- ChangeLog | 10 +++++++++- libtiff/tif_dirwrite.c | 9 ++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 87554768..58d5e0cc 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,7 +1,15 @@ #+2017-08-23 Even Rouault #+ #+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting #+ on uint32 when selecting the value of SubIFD tag by runtime check #+ (in TIFFWriteDirectoryTagSubifd()). #+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 #+ Reported by team OWL337 #+ # 2017-08-23 Even Rouault # # * libtiff/tif_dirwrite.c: replace assertion related to not finding the #- SubIFD tag by runtime check. #+ SubIFD tag by runtime check (in TIFFWriteDirectorySec()) # Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 # Reported by team OWL337 # Index: tiff-4.0.6/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2018-03-20 08:00:02.376692002 -0400 +++ tiff-4.0.6/libtiff/tif_dirwrite.c 2018-03-20 08:00:02.376692002 -0400 
@@ -1947,7 +1947,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, u for (p=0; p < tif->tif_dir.td_nsubifd; p++) { assert(pa != 0); - assert(*pa <= 0xFFFFFFFFUL); + + /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ + if( *pa > 0xFFFFFFFFUL) + { + TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); + _TIFFfree(o); + return(0); + } *pb++=(uint32)(*pa++); } n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); debian/patches/read_overrun.patch0000644000000000000000000000441712505326676014353 0ustar From 5ef99cbffd5d5042fbd11f5e36d1b602e58c578d Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 7 Dec 2014 22:33:06 +0000 Subject: [PATCH] tools/thumbnail.c, tools/tiffcrop.c: fix heap read over-run found with Valgrind and Address Sanitizer on test suite --- ChangeLog | 5 +++++ tools/thumbnail.c | 7 ++++++- tools/tiffcrop.c | 9 +++++++-- 3 files changed, 18 insertions(+), 3 deletions(-) Index: tiff-4.0.3/tools/thumbnail.c =================================================================== --- tiff-4.0.3.orig/tools/thumbnail.c 2015-03-27 13:02:15.686967377 -0400 +++ tiff-4.0.3/tools/thumbnail.c 2015-03-27 13:02:15.686967377 -0400 
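Review bot: in the TIFFWriteDirectoryTagSubifd() hunk of libtiff/tif_dirwrite.c, `assert(pa != 0);` is still the first statement of the loop, directly above the new runtime check. The patch exists to stop relying on assertions for input-dependent conditions, and this one disappears in NDEBUG builds just like the one being removed; either test the pointer once before the loop and fail with TIFFErrorExt, or drop it if it cannot be null here. Two smaller points: the new comment reads "an classicTIFF", and the commit message ends with a stray line ("SubIFD tag by runtime check (in TIFFWriteDirectorySec())") that belongs to the reworded ChangeLog entry for bug 2727, not to this change.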
@@ -610,12 +610,17 @@ rowsize = TIFFScanlineSize(in); rastersize = sh * rowsize; fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize); - raster = (unsigned char*)_TIFFmalloc(rastersize); + /* +3 : add a few guard bytes since setrow() can read a bit */ + /* outside buffer */ + raster = (unsigned char*)_TIFFmalloc(rastersize+3); if (!raster) { TIFFError(TIFFFileName(in), "Can't allocate space for raster buffer."); return 0; } + raster[rastersize] = 0; + raster[rastersize+1] = 0; + raster[rastersize+2] = 0; rp = raster; for (s = 0; s < ns; s++) { (void) TIFFReadEncodedStrip(in, s, rp, -1); Index: tiff-4.0.3/tools/tiffcrop.c =================================================================== --- tiff-4.0.3.orig/tools/tiffcrop.c 2015-03-27 13:02:15.686967377 -0400 +++ tiff-4.0.3/tools/tiffcrop.c 2015-03-27 13:02:15.686967377 -0400 @@ -5996,8 +5996,10 @@ } read_buff = *read_ptr; + /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ + /* outside buffer */ if (!read_buff) - read_buff = (unsigned char *)_TIFFmalloc(buffsize); + read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); else { if (prev_readsize < buffsize) @@ -6006,12 +6008,15 @@ if (!new_buff) { free (read_buff); - read_buff = (unsigned char *)_TIFFmalloc(buffsize); + read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); } else read_buff = new_buff; } } + read_buff[buffsize] = 0; + read_buff[buffsize+1] = 0; + read_buff[buffsize+2] = 0; if (!read_buff) { debian/patches/CVE-2014-9655-3.patch0000644000000000000000000000315112505326661013413 0ustar From feed76c99f132f02a938de3b566442bff61388ef Mon Sep 17 00:00:00 2001 From: erouault Date: Mon, 29 Dec 2014 18:28:46 +0000 Subject: [PATCH] * libtiff/tif_getimage.c: move test on vertical value of YCbCr subsampling. to avoid buffer leak (fix previous fix, found by Coverity scan) --- ChangeLog | 5 +++-- libtiff/tif_getimage.c | 12 +++++++----- 2 files changed, 10 insertions(+), 7 deletions(-) 
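Review bot: in the second tools/tiffcrop.c hunk (at -6006) the three guard-byte stores, `read_buff[buffsize] = 0;` through `read_buff[buffsize+2] = 0;`, are added above the existing `if (!read_buff)` test, so a failed allocation is written through before it is checked. Move the stores below the NULL check, which is the order the tools/thumbnail.c hunk uses (there they follow `if (!raster)`). The branch that keeps `new_buff` is not shown in either hunk; it needs to allocate buffsize+3 as well, and the case where the previous buffer is reused because `prev_readsize` is not smaller than `buffsize` needs the same guarantee, otherwise these stores land past the end of the buffer.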
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c index 3ad8ee7..1a53c8b 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -857,6 +857,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) int32 fromskew, toskew; int ret = 1, flip; + TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); + if( subsamplingver == 0 ) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); + return (0); + } + buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif)); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); 
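Review bot: the test moved to the top of gtStripContig() checks only `subsamplingver == 0`, although the same TIFFGetFieldDefaulted call also fills `subsamplinghor`. If the horizontal factor is used as a divisor anywhere on this path it needs the same zero test; if it is not, say so in a short comment. The same comment should record that the check has to stay ahead of `_TIFFmalloc(TIFFStripSize(tif))` so that the early `return (0)` cannot leak `buf`, since that ordering is the whole point of this change and is easy to undo.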
@@ -874,11 +880,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) } TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); - if( subsamplingver == 0 ) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); - return (0); - } + scanline = TIFFScanlineSize(tif); fromskew = (w < imagewidth ? imagewidth - w : 0); for (row = 0; row < h; row += nrow)

debian/README.source

INFORMATION SPECIFIC TO THE TIFF PACKAGE
========================================

The tiff upstream maintainers have a tendency to make mistakes that introduce binary incompatibility between one version of tiff and another. In order to verify binary compatibility, it is strongly recommended to build a new library and install the new library without installing the new tools. Then test the tools with the test images provided by upstream.

Additionally, when checking the sources to look for ABI changes, you must check both the public header files (tiff.h and tiffio.h) and the source file libtiff/tif_dirinfo.c which maps tag names to types. Changes in the tag name to type mapping also result in binary incompatibility because of the field setting and getting functions using variable arguments.

The tiff packages get a fair number of security-related bug reports. In the interest of keeping the quality of the tiff software as high as possible, it's good for the debian and Red Hat maintainers to be in touch. As of this writing, the Red Hat maintainer, Tom Lane, agrees.
The latest Red Hat package can be found here:

http://download.fedora.redhat.com/pub/fedora/linux/development/source/SRPMS/

You can also see their CVS:

http://cvs.fedoraproject.org/viewvc/rpms/libtiff/

 -- Jay Berkenbilt, Wed, 10 Feb 2010 19:21:26 -0500

debian/libtiff-doc.doc-base

Document: libtiff-doc
Title: TIFF Software
Author: Sam Leffler
Abstract: Support for the Tag Image File Format (TIFF) for storing image data.
Section: Graphics

Format: HTML
Index: /usr/share/doc/libtiff-doc/html/index.html
Files: /usr/share/doc/libtiff-doc/html/*.html

debian/libtiff4-dev.lintian-overrides

#
# The synopsis line starts with a capital letter because of the TIFF
# acronym, not because it contains a sentence.
#
libtiff4-dev: description-synopsis-starts-with-a-capital-letter

debian/compat

9

debian/copyright

libtiff was originally debianized by Guy Maor and later maintained by Josip Rodin. Jay Berkenbilt repackaged it in conjunction with the 3.7.0 release and is now the primary maintainer.

Original source can be found at: http://www.remotesensing.org/libtiff/

Copyright (C) 1988-1997 Sam Leffler
Copyright (C) 1991-1997 Silicon Graphics, Inc.
Portions Copyright (C) 1985-1987, 1990 Regents of the University of California
Portions Copyright (C) 1990, 1991 Digital Equipment Corporation
Portions Copyright (C) 1990 Sun Microsystems, Inc.
Portions Copyright (C) 1990, 1995 Frank D. Cringle
Portions Copyright (C) 1996 BancTec AB
Portions Copyright (C) 1996 Mike Johnson
Portions Copyright (C) 1996 Pixar
Portions Copyright (C) 1997 Greg Ward Larson
Portions Copyright (C) 2000 Frank Warmerdam

Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that (i) the above copyright notices and this permission notice appear in all copies of the software and related documentation, and (ii) the names of Sam Leffler and Silicon Graphics may not be used in any advertising or publicity relating to the software without the specific, prior written permission of Sam Leffler and Silicon Graphics.

THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

debian/libtiff5.lintian-overrides

#
# The synopsis line starts with a capital letter because of the TIFF
# acronym, not because it contains a sentence.
#
libtiff5: description-synopsis-starts-with-a-capital-letter

debian/libtiff-tools.lintian-overrides

#
# The synopsis line starts with a capital letter because of the TIFF
# acronym, not because it contains a sentence.
#
libtiff-tools: description-synopsis-starts-with-a-capital-letter

debian/source/format

3.0 (quilt)

debian/libtiffxx5.lintian-overrides

#
# The synopsis line starts with a capital letter because of the TIFF
# acronym, not because it contains a sentence.
#
libtiffxx5: description-synopsis-starts-with-a-capital-letter

debian/libtiff5-dev.lintian-overrides

#
# The synopsis line starts with a capital letter because of the TIFF
# acronym, not because it contains a sentence.
#
libtiff5-dev: description-synopsis-starts-with-a-capital-letter

debian/libtiffxx5.install

debian/tmp/usr/lib/*/libtiffxx.so.*

debian/libtiff5-alt-dev.lintian-overrides

#
# The synopsis line starts with a capital letter because of the TIFF
# acronym, not because it contains a sentence.
#
libtiff5-alt-dev: description-synopsis-starts-with-a-capital-letter

debian/changelog

tiff (4.0.3-7ubuntu0.11) trusty-security; urgency=medium

  * SECURITY UPDATE: heap over-read in TIFFWriteScanline
    - debian/patches/CVE-2018-10779.patch: fix overflow in
      libtiff/tif_write.c.
    - CVE-2018-10779
  * SECURITY UPDATE: heap over-read in cpSeparateBufToContigBuf
    - debian/patches/CVE-2018-12900-1.patch: check for overflow in
      tools/tiffcp.c.
    - debian/patches/CVE-2018-12900-2.patch: use INT_MAX in tools/tiffcp.c.
    - CVE-2018-12900
    - CVE-2019-7663
  * SECURITY UPDATE: NULL pointer dereference in _TIFFmemcmp
    - debian/patches/CVE-2018-17000.patch: add NULL check in
      libtiff/tif_dirwrite.c.
    - CVE-2018-17000
  * SECURITY UPDATE: NULL pointer dereference in TIFFWriteDirectorySec
    - debian/patches/CVE-2018-19210-1.patch: unset transferfunction field
      if necessary in libtiff/tif_dir.c.
    - debian/patches/CVE-2018-19210-2.patch: fix warning in
      libtiff/tif_dir.c.
    - CVE-2018-19210
  * SECURITY UPDATE: memory leak in TIFFFdOpen
    - debian/patches/CVE-2019-6128.patch: properly handle errors in
      tools/pal2rgb.c.
    - CVE-2019-6128

 -- Marc Deslauriers  Mon, 11 Mar 2019 12:51:58 -0400

tiff (4.0.3-7ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: NULL dereference in TIFFPrintDirectory
    - debian/patches/CVE-2018-7456.patch: properly handle color channels
      in libtiff/tif_dirread.c, libtiff/tif_print.c.
    - CVE-2018-7456
  * SECURITY UPDATE: buffer overflow in LZWDecodeCompat
    - debian/patches/CVE-2018-8905.patch: fix logic in libtiff/tif_lzw.c.
    - CVE-2018-8905
  * SECURITY UPDATE: DoS in TIFFWriteDirectorySec()
    - debian/patches/CVE-2018-10963.patch: avoid assertion in
      libtiff/tif_dirwrite.c.
    - CVE-2018-10963
  * SECURITY UPDATE: multiple overflows
    - debian/patches/CVE-2018-1710x.patch: Avoid overflows in
      tools/pal2rgb.c, tools/tiff2bw.c, tools/ppm2tiff.c.
    - CVE-2018-17100
    - CVE-2018-17101
  * SECURITY UPDATE: JBIGDecode out-of-bounds write
    - debian/patches/CVE-2018-18557.patch: fix issue in
      libtiff/tif_jbig.c, libtiff/tif_read.c.
    - CVE-2018-18557
  * SECURITY UPDATE: NULL pointer dereference in LZWDecode
    - debian/patches/CVE-2018-18661.patch: add checks to tools/tiff2bw.c.
    - CVE-2018-18661

 -- Marc Deslauriers  Thu, 17 Jan 2019 10:06:44 -0500

tiff (4.0.3-7ubuntu0.9) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in gif2tiff
    - debian/patches/CVE-2016-3186.patch: check return code in
      tools/gif2tiff.c.
    - CVE-2016-3186
  * SECURITY UPDATE: buffer overflow in gif2tiff
    - debian/patches/CVE-2016-5102.patch: make warning fatal in
      tools/gif2tiff.c.
    - CVE-2016-5102
  * SECURITY UPDATE: multiple overflows
    - debian/patches/CVE-2016-5318.patch: ignore certain fields in
      libtiff/tif_dir.h, libtiff/tif_dirinfo.c, libtiff/tif_dirread.c.
    - CVE-2016-5318
    - CVE-2017-9147
  * SECURITY UPDATE: bmp2tiff issues
    - debian/patches/CVE-2017-5563_9117.patch: add check to
      tools/bmp2tiff.c.
    - CVE-2017-5563
    - CVE-2017-9117
  * SECURITY UPDATE: heap-based buffer overflow in t2p_write_pdf
    - debian/patches/CVE-2017-9935-1.patch: fix transfer function handling
      in libtiff/tif_dir.c, tools/tiff2pdf.c.
    - debian/patches/CVE-2017-9935-2.patch: fix incorrect type for
      transfer table in tools/tiff2pdf.c.
    - CVE-2017-9935
  * SECURITY UPDATE: DoS in TIFFOpen
    - debian/patches/CVE-2017-11613-1.patch: avoid memory exhaustion in
      libtiff/tif_dirread.c.
    - debian/patches/CVE-2017-11613-2.patch: rework fix in
      libtiff/tif_dirread.c.
    - CVE-2017-11613
  * SECURITY UPDATE: TIFFSetupStrips heap overflow in pal2rgb
    - debian/patches/CVE-2017-17095.patch: add workaround to
      tools/pal2rgb.c.
    - CVE-2017-17095

 -- Marc Deslauriers  Thu, 22 Mar 2018 10:38:02 -0400

tiff (4.0.3-7ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS in tif_read.c
    - debian/patches/CVE-2016-10266.patch: fix uint32 overflow in
      libtiff/tif_read.c, libtiff/tiffiop.h.
    - CVE-2016-10266
  * SECURITY UPDATE: DoS in tif_ojpeg.c
    - debian/patches/CVE-2016-10267.patch: make OJPEGDecode() early exit
      in case of failure in libtiff/tif_ojpeg.c.
    - CVE-2016-10267
  * SECURITY UPDATE: DoS in tif_unix.c
    - debian/patches/CVE-2016-10268.patch: avoid uint32 underflow in
      cpDecodedStrips in tools/tiffcp.c.
    - CVE-2016-10268
  * SECURITY UPDATE: DoS in tif_unix.c
    - debian/patches/CVE-2016-10269.patch: fix heap-based buffer overflow
      in libtiff/tif_luv.c, libtiff/tif_pixarlog.c.
    - CVE-2016-10269
  * SECURITY UPDATE: DoS in TIFFWriteDirectoryTagCheckedRational
    - debian/patches/CVE-2016-10371.patch: replace assertion by runtime
      check in libtiff/tif_dirwrite.c, tools/tiffcrop.c.
    - CVE-2016-10371
  * SECURITY UPDATE: DoS in putagreytile function
    - debian/patches/CVE-2017-7592.patch: add explicit uint32 cast in
      libtiff/tif_getimage.c.
    - CVE-2017-7592
  * SECURITY UPDATE: information disclosure in tif_read.c
    - debian/patches/CVE-2017-7593.patch: use _TIFFcalloc() to zero in
      libtiff/tif_read.c, libtiff/tif_unix.c, libtiff/tif_vms.c,
      libtiff/tif_win32.c, libtiff/tiffio.h.
    - CVE-2017-7593
  * SECURITY UPDATE: DoS in OJPEGReadHeaderInfoSecTablesDcTable
    - debian/patches/CVE-2017-7594-1.patch: fix leak in
      libtiff/tif_ojpeg.c.
    - debian/patches/CVE-2017-7594-2.patch: fix another leak in
      libtiff/tif_ojpeg.c.
    - CVE-2017-7594
  * SECURITY UPDATE: DoS in JPEGSetupEncode
    - debian/patches/CVE-2017-7595.patch: avoid integer division by zero
      in libtiff/tif_jpeg.c.
    - CVE-2017-7595
  * SECURITY UPDATE: DoS via undefined behaviour
    - debian/patches/CVE-2017-7596_7597_7599_7600.patch: avoid undefined
      behaviour in libtiff/tif_dir.c, libtiff/tif_dirread.c,
      libtiff/tif_dirwrite.c.
    - CVE-2017-7596
    - CVE-2017-7597
    - CVE-2017-7599
    - CVE-2017-7600
  * SECURITY UPDATE: DoS via divide-by-zero
    - debian/patches/CVE-2017-7598.patch: avoid division by floating point
      0 in libtiff/tif_dirread.c.
    - CVE-2017-7598
  * SECURITY UPDATE: DoS via undefined behaviour
    - debian/patches/CVE-2017-7601.patch: validate BitsPerSample in
      libtiff/tif_jpeg.c.
    - CVE-2017-7601
  * SECURITY UPDATE: signed integer overflow
    - debian/patches/CVE-2017-7602.patch: avoid potential undefined
      behaviour in libtiff/tif_read.c.
    - CVE-2017-7602
  * SECURITY UPDATE: DoS via memory leak
    - debian/patches/CVE-2017-9403_9815.patch: fix memory leak in
      libtiff/tif_dirread.c, tools/tiff2ps.c.
    - CVE-2017-9403
    - CVE-2017-9815
  * SECURITY UPDATE: DoS via memory leak
    - debian/patches/CVE-2017-9404.patch: fix potential memory leak in
      libtiff/tif_ojpeg.c.
    - CVE-2017-9404
  * SECURITY UPDATE: DoS via memory leak
    - debian/patches/CVE-2017-9936.patch: fix memory leak in
      libtiff/tif_jbig.c.
    - CVE-2017-9936
  * SECURITY UPDATE: DoS via assertion
    - debian/patches/CVE-2017-10688.patch: replace assertion in
      libtiff/tif_dirwrite.c.
    - CVE-2017-10688
  * SECURITY UPDATE: heap overflow in tiff2pdf.c
    - debian/patches/CVE-2017-11335.patch: prevent heap buffer overflow
      write in tools/tiff2pdf.c.
    - CVE-2017-11335
  * SECURITY UPDATE: DoS in TIFFReadDirEntryArray
    - debian/patches/CVE-2017-12944.patch: add protection against
      excessive memory allocation attempts in libtiff/tif_dirread.c.
    - CVE-2017-12944
  * SECURITY UPDATE: DoS via assertion
    - debian/patches/CVE-2017-13726.patch: replace assertion in
      libtiff/tif_dirwrite.c.
    - CVE-2017-13726
  * SECURITY UPDATE: DoS via assertion
    - debian/patches/CVE-2017-13727.patch: replace assertion in
      libtiff/tif_dirwrite.c.
    - CVE-2017-13727
  * SECURITY UPDATE: null pointer dereference
    - debian/patches/CVE-2017-18013.patch: fix null pointer dereference in
      libtiff/tif_print.c.
    - CVE-2017-18013
  * SECURITY UPDATE: DoS via resource consumption
    - debian/patches/CVE-2018-5784.patch: fix infinite loop in
      contrib/addtiffo/tif_overview.c, tools/tiff2pdf.c, tools/tiffcrop.c.
    - CVE-2018-5784

 -- Marc Deslauriers  Tue, 20 Mar 2018 09:12:24 -0400

tiff (4.0.3-7ubuntu0.7) trusty-security; urgency=medium

  * SECURITY REGRESSION: JPEG tiff read and write issue due to misapplied
    patches (LP: #1670036)
    - debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch:
      replace two previous patches with one that applies fix to correct
      location.
    - Thanks to John Cupitt and Even Rouault

 -- Marc Deslauriers  Mon, 29 May 2017 07:35:17 -0400

tiff (4.0.3-7ubuntu0.6) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted field data in an extension tag
    - debian/patches/CVE-2015-7554.patch: add count to tools/tiffsplit.c.
    - CVE-2015-7554
  * SECURITY UPDATE: DoS and possible code execution via large width field
    in a BMP image
    - debian/patches/CVE-2015-8668.patch: properly calculate size in
      tools/bmp2tiff.c.
    - CVE-2015-8668
  * SECURITY UPDATE: heap-buffer-overflow in tiffcrop
    - debian/patches/CVE-2016-10092.patch: properly increment buffer in
      tools/tiffcrop.c.
    - CVE-2016-10092
  * SECURITY UPDATE: heap-based buffer overflow in tiffcp
    - debian/patches/CVE-2016-10093.patch: fix uint32 underflow/overflow
      in tools/tiffcp.c.
    - CVE-2016-10093
  * SECURITY UPDATE: off-by-one error in tiff2pdf
    - debian/patches/CVE-2016-10094.patch: fix count in tools/tiff2pdf.c.
    - CVE-2016-10094
  * SECURITY UPDATE: DoS in tiff2rgba tool
    - debian/patches/CVE-2016-3622.patch: enforce bits-per-sample in
      libtiff/tif_getimage.c, libtiff/tif_predict.c.
    - CVE-2016-3622
  * SECURITY UPDATE: DoS in rgb2ycbcr tool
    - debian/patches/CVE-2016-3623.patch: validate parameters in
      tools/rgb2ycbcr.c.
    - CVE-2016-3623
    - CVE-2016-3624
  * SECURITY UPDATE: DoS and possible code execution via crafted TIFF image
    - debian/patches/CVE-2016-3632.patch: disable BADFAXLINES in
      tools/thumbnail.c.
    - CVE-2016-3632
    - CVE-2016-8331
  * SECURITY UPDATE: DoS via out-of-bounds read
    - debian/patches/CVE-2016-3658.patch: properly handle SamplesPerPixel
      change in libtiff/tif_dir.c, avoid null pointer dereference in
      libtiff/tif_dirwrite.c
    - CVE-2016-3658
  * SECURITY UPDATE: DoS and possible code execution in tiff2rgba tool
    - debian/patches/CVE-2016-3945.patch: fix integer overflow in
      tools/tiff2rgba.c.
    - CVE-2016-3945
  * SECURITY UPDATE: DoS and possible code execution via overflow in
    horizontalDifference8 function
    - debian/patches/CVE-2016-3990.patch: add check to
      libtiff/tif_pixarlog.c.
    - CVE-2016-3990
  * SECURITY UPDATE: DoS and possible code execution in tiffcrop
    - debian/patches/CVE-2016-3991.patch: add checks to tools/tiffcrop.c.
    - CVE-2016-3991
    - CVE-2016-5322
  * SECURITY UPDATE: PixarLogDecode() out-of-bound writes
    - debian/patches/CVE-2016-5314.patch: check size in
      libtiff/tif_pixarlog.c.
    - CVE-2016-5314
    - CVE-2016-5315
    - CVE-2016-5316
    - CVE-2016-5317
    - CVE-2016-5320
    - CVE-2016-5875
  * SECURITY UPDATE: DoS in DumpModeDecode function
    - debian/patches/CVE-2016-5321.patch: limit number of samples in
      tools/tiffcrop.c.
    - CVE-2016-5321
  * SECURITY UPDATE: DoS in _TIFFFax3fillruns function
    - debian/patches/CVE-2016-5323.patch: limit number of samples in
      tools/tiffcrop.c.
    - CVE-2016-5323
  * SECURITY UPDATE: DoS and possible code execution in tiff2pdf
    - debian/patches/CVE-2016-5652.patch: properly handle markers in
      tools/tiff2pdf.c.
    - CVE-2016-5652
  * SECURITY UPDATE: DoS and info disclosure via negative index
    - debian/patches/CVE-2016-6223.patch: properly handle stripoffset in
      libtiff/tif_read.c.
    - CVE-2016-6223
  * SECURITY UPDATE: DoS in tiffsplit
    - debian/patches/CVE-2016-9273.patch: don't recompute value in
      libtiff/tif_strip.c.
    - CVE-2016-9273
  * SECURITY UPDATE: DoS via crafted tag values
    - debian/patches/CVE-2016-9297.patch: NULL-terminate values in
      libtiff/tif_dirread.c.
    - CVE-2016-9297
  * SECURITY UPDATE: DoS caused by CVE-2016-9297
    - debian/patches/CVE-2016-9448.patch: check for NULL in
      libtiff/tif_dirread.c.
    - CVE-2016-9448
  * SECURITY UPDATE: DoS and possible code execution via
    TIFFTAG_JPEGTABLES of length one
    - debian/patches/CVE-2016-9453.patch: fix counts in tools/tiff2pdf.c.
    - CVE-2016-9453
  * SECURITY UPDATE: integer overflow in writeBufferToSeparateStrips
    - debian/patches/CVE-2016-9532.patch: check for overflows in
      tools/tiffcrop.c.
    - CVE-2016-9532
  * SECURITY UPDATE: multiple out-of-bounds writes issues
    - debian/patches/CVE-2016-9533.patch: fix out-of-bounds writes in
      libtiff/tif_pixarlog.c, libtiff/tif_write.c, tools/tiff2pdf.c,
      tools/tiffcrop.c.
    - CVE-2016-9533
    - CVE-2016-9534
    - CVE-2016-9536
    - CVE-2016-9537
  * SECURITY UPDATE: assertion failure via unusual tile size
    - debian/patches/CVE-2016-9535-1.patch: replace assertions with
      runtime checks in libtiff/tif_predict.c, libtiff/tif_predict.h.
    - debian/patches/CVE-2016-9535-2.patch: fix memory leaks in
      libtiff/tif_predict.c.
    - CVE-2016-9535
  * SECURITY UPDATE: integer overflow in tiffcrop
    - debian/patches/CVE-2016-9538.patch: fix undefined variable reads in
      tools/tiffcp.c, tools/tiffcrop.c.
    - CVE-2016-9538
  * SECURITY UPDATE: out-of-bounds read in tiffcrop
    - debian/patches/CVE-2016-9539.patch: check size in tools/tiffcrop.c.
    - CVE-2016-9539
  * SECURITY UPDATE: out-of-bounds write via odd tile width versus image
    width
    - debian/patches/CVE-2016-9540.patch: check bounds in tools/tiffcp.c.
    - CVE-2016-9540
  * SECURITY UPDATE: DoS or code execution via crafted BitsPerSample value
    - debian/patches/CVE-2017-5225.patch: check bps in tools/tiffcp.c.
    - CVE-2017-5225

 -- Marc Deslauriers  Mon, 27 Feb 2017 10:55:30 -0500

tiff (4.0.3-7ubuntu0.4) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds reads in TIFFRGBAImage
    - debian/patches/CVE-2015-8665-8683.patch: fix out-of-bounds reads in
      libtiff/tif_getimage.c.
    - CVE-2015-8665
    - CVE-2015-8683
  * SECURITY UPDATE: out-of-bounds writes in decode function
    - debian/patches/CVE-2015-8781-8782-8783.patch: fix out-of-bounds
      writes and an out-of-bounds read in libtiff/tif_luv.c.
    - CVE-2015-8781
    - CVE-2015-8782
    - CVE-2015-8783
  * SECURITY UPDATE: out-of-bounds write in NeXTDecode()
    - debian/patches/CVE-2015-8784.patch: fix out-of-bounds write in
      libtiff/tif_next.c.
    - CVE-2015-8784

 -- Marc Deslauriers  Wed, 23 Mar 2016 10:29:08 -0400

tiff (4.0.3-7ubuntu0.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: regression when saving TIFF files with
    compression predictor (LP: #1439186)
    - debian/patches/CVE-2014-8128-5.patch: disable until proper upstream
      fix is available.

 -- Marc Deslauriers  Wed, 01 Apr 2015 14:07:34 -0400

tiff (4.0.3-7ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix multiple security issues
    - debian/patches/CVE-2014-81xx-1.patch to CVE-2014-81xx-11.patch
    - debian/patches/CVE-2014-8128-5.patch
    - debian/patches/CVE-2014-9655-1.patch to CVE-2014-9655-3.patch
    - debian/patches/read_overrun.patch
    - debian/patches/estimatestripbytecounts_return_code.patch
    - debian/patches/CVE-2014-8130.patch
    - CVE-2014-8127 (partially)
    - CVE-2014-8128
    - CVE-2014-8129
    - CVE-2014-8130
    - CVE-2014-9330
    - CVE-2014-9655

 -- Marc Deslauriers  Fri, 27 Mar 2015 15:21:50 -0400

tiff (4.0.3-7ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution in
    gif2tiff tool
    - debian/patches/CVE-2013-4243.patch: check width and height in
      tools/gif2tiff.c.
    - CVE-2013-4243

 -- Marc Deslauriers  Mon, 05 May 2014 15:05:53 -0400

tiff (4.0.3-7) unstable; urgency=medium

  * Use dh-autoreconf to support new architectures in Ubuntu.

 -- Jay Berkenbilt  Mon, 23 Dec 2013 09:58:47 -0500

tiff (4.0.3-6) unstable; urgency=low

  * Update standards to 3.9.5. No changes required.
  * libtiff4 -> libtiff5 transition. libtiff5-dev now provides
    libtiff-dev. libtiff5-alt-dev and libtiff4-dev are transitional
    packages that depend on libtiff5-dev. They will both be removed
    before jessie.

 -- Jay Berkenbilt  Wed, 04 Dec 2013 14:36:36 -0500

tiff (4.0.3-5) unstable; urgency=low

  * Replace shlibs file with symbols file
  * Update standards to 3.9.4

 -- Jay Berkenbilt  Sun, 15 Sep 2013 08:31:41 -0400

tiff (4.0.3-4) unstable; urgency=low

  * Complete Multi-Arch conversion for dev packages. (Closes: #689085)

 -- Jay Berkenbilt  Sat, 24 Aug 2013 11:50:20 -0400

tiff (4.0.3-3) unstable; urgency=high

  * Incorporated fixes to security issues CVE-2013-4244.

 -- Jay Berkenbilt  Sat, 24 Aug 2013 11:20:00 -0400

tiff (4.0.3-2) unstable; urgency=high

  * Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
    (Closes: #719303)

 -- Jay Berkenbilt  Thu, 22 Aug 2013 11:52:58 -0400

tiff (4.0.3-1) unstable; urgency=low

  * Acknowledge/incorporate NMU. Thanks!
  * New upstream version. Patches incorporated:
    CVE-2012-3401.patch
    CVE-2012-4447.patch
  * Add build dependency on autotools-dev to help porters.

 -- Jay Berkenbilt  Sun, 23 Jun 2013 10:39:04 -0400

tiff (4.0.2-6+nmu1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cve-2013-1960: heap-based buffer overflow in tiff2pdf
    (closes: #706675).
  * Fix cve-2013-1961: stack-based buffer overflow in tiff2pdf
    (closes: #706674).

 -- Michael Gilbert  Mon, 17 Jun 2013 01:27:17 +0000

tiff (4.0.2-6) unstable; urgency=high

  * Fix /usr/share/doc symlink to directory transition. When upgrading
    from very old versions (pre 3.8.2-8), /usr/share/doc may contain
    symbolic links that should be removed. (Closes: #687645)

 -- Jay Berkenbilt  Sat, 26 Jan 2013 12:28:19 -0500

tiff (4.0.2-5) unstable; urgency=high

  * Add fix for CVE-2012-4564, a heap-buffer overflow. Thanks Adrian La
    Duca for doing all the work to prepare this upload. (Closes: #692345)

 -- Jay Berkenbilt  Sat, 17 Nov 2012 12:40:25 -0500

tiff (4.0.2-4) unstable; urgency=high

  * Previous change was uploaded with the wrong CVE number. I updated the
    last changelog entry. The correct CVE number is CVE-2012-4447.

 -- Jay Berkenbilt  Fri, 05 Oct 2012 17:33:44 -0400

tiff (4.0.2-3) unstable; urgency=high

  * Add fix for CVE-2012-4447, a buffer overrun. (Closes: #688944)

 -- Jay Berkenbilt  Fri, 05 Oct 2012 17:04:38 -0400

tiff (4.0.2-2) unstable; urgency=high

  * SECURITY UPDATE: possible arbitrary code execution via heap overflow
    in tiff2pdf. (Closes: #682115)
    - debian/patches/CVE-2012-3401.patch: properly set t2p->t2p_error in
      tools/tiff2pdf.c.
    - CVE-2012-3401
    Changes prepared by Marc Deslauriers for Ubuntu. Thanks!

 -- Jay Berkenbilt  Sat, 21 Jul 2012 21:27:34 -0400

tiff (4.0.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt  Sun, 24 Jun 2012 13:45:42 -0400

tiff (4.0.1-8) unstable; urgency=low

  * Call glFlush() in tiffgt to fix display problems. From
    https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/797166.

 -- Jay Berkenbilt  Sat, 16 Jun 2012 21:20:04 -0400

tiff (4.0.1-7) unstable; urgency=low

  * Add new temporary package libtiff5-alt-dev, which provides libtiff5
    development files in a location that doesn't conflict with
    libtiff4-dev. See README.Debian for details.

 -- Jay Berkenbilt  Thu, 24 May 2012 15:24:36 -0400

tiff (4.0.1-6) unstable; urgency=low

  * Include pkg-config files

 -- Jay Berkenbilt  Sun, 13 May 2012 12:53:38 -0400

tiff (4.0.1-5) unstable; urgency=low

  * Fix shlibs again.

 -- Jay Berkenbilt  Sun, 22 Apr 2012 11:41:44 -0400

tiff (4.0.1-4) unstable; urgency=low

  * Use >= instead of > in shlibs file.

 -- Jay Berkenbilt  Sun, 22 Apr 2012 10:57:02 -0400

tiff (4.0.1-3) unstable; urgency=low

  * Support JBIG now that patents have expired. (Closes: #667835)
  * Support LZMA.

 -- Jay Berkenbilt  Sat, 14 Apr 2012 19:03:04 -0400

tiff (4.0.1-2) unstable; urgency=high

  * Incorporated fix to CVE-2012-1173, a problem in the parsing of the
    TileSize entry, which could result in the execution of arbitrary code
    if a malformed image is opened.
  * Updated standards to 3.9.3

 -- Jay Berkenbilt  Fri, 06 Apr 2012 10:10:48 -0400

tiff (4.0.1-1) unstable; urgency=low

  * New upstream release
  * Point watch file to new download location

 -- Jay Berkenbilt  Mon, 20 Feb 2012 09:43:54 -0500

tiff (4.0.0-2) experimental; urgency=low

  * Rename libtiff-dev -> libtiff5-dev to avoid premature transition for
    packages that explicitly depend on libtiff-dev. At some future time,
    libtiff5-dev will provide or be renamed back to libtiff-dev.

 -- Jay Berkenbilt Sat, 04 Feb 2012 09:41:19 -0500

tiff (4.0.0-1) experimental; urgency=low

  * New upstream release
  * Enable versioned symbols

 -- Jay Berkenbilt Sat, 28 Jan 2012 10:56:23 -0500

tiff (4.0.0~beta7-2) experimental; urgency=low

  * Incorporated changes from 3.9.5-2: security hardening and multiarch

 -- Jay Berkenbilt Sat, 17 Sep 2011 10:28:53 -0400

tiff (4.0.0~beta7-1) experimental; urgency=low

  * New upstream release including many security fixes and other
    improvements
  * Updated changelog with changes from 3.x series.
  * Updated standards version to 3.9.2. No changes required.

 -- Jay Berkenbilt Sat, 16 Apr 2011 13:45:33 -0400

tiff (4.0.0~beta6-3) experimental; urgency=low

  * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
    putcontig8bitYCbCr11tile", from 3.9.4-4.

 -- Jay Berkenbilt Sat, 02 Oct 2010 13:31:41 -0400

tiff (4.0.0~beta6-2) experimental; urgency=low

  * Incorporate changes from 3.9.4-{2,3} including updating standards
    version to 3.9.1 along with associated fixes. (CVE-2010-2233 was
    already fixed in this version.)

 -- Jay Berkenbilt Sat, 14 Aug 2010 16:36:44 -0400

tiff (4.0.0~beta6-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt Fri, 18 Jun 2010 21:42:57 -0400

tiff (4.0.0~beta5-2) experimental; urgency=low

  * Depend on libjpeg-dev instead of libjpeg62-dev.
  * Change source format to '3.0 (quilt)'
  * Update standards version to 3.8.4. No changes required.

 -- Jay Berkenbilt Wed, 10 Feb 2010 19:36:43 -0500

tiff (4.0.0~beta5-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt Fri, 06 Nov 2009 22:58:07 -0500

tiff (4.0.0~beta4-1) experimental; urgency=low

  * New upstream release. All debian patches incorporated among many
    other fixes and enhancements.

 -- Jay Berkenbilt Fri, 28 Aug 2009 11:30:09 -0400

tiff (4.0.0~beta3-2) experimental; urgency=low

  * Fixed previously incorrect patch to lzw problem.

 -- Jay Berkenbilt Mon, 24 Aug 2009 14:45:10 -0400

tiff (4.0.0~beta3-1) experimental; urgency=low

  * New upstream release. This version is not binary compatible with the
    3.x series, nor is it entirely source compatible, but most
    applications should port easily.

 -- Jay Berkenbilt Fri, 21 Aug 2009 13:39:37 -0400

tiff (3.9.5-2) unstable; urgency=low

  * Implemented multiarch and PIE build for security hardening by
    integrating the changes from the Ubuntu tiff packages. Thanks to Marc
    Deslauriers and anyone else who did the actual work.

 -- Jay Berkenbilt Sat, 17 Sep 2011 10:15:39 -0400

tiff (3.9.5-1) unstable; urgency=low

  * New upstream release. All security patches are fully incorporated
    into this version, as are many other bug fixes.
  * Updated standards version to 3.9.2. No changes needed.

 -- Jay Berkenbilt Sat, 16 Apr 2011 13:15:51 -0400

tiff (3.9.4-9) unstable; urgency=high

  * CVE-2011-1167: correct potential buffer overflow with thunder encoded
    files with wrong bitspersample set. (Closes: #619614)

 -- Jay Berkenbilt Sat, 02 Apr 2011 10:59:38 -0400

tiff (3.9.4-8) unstable; urgency=low

  * Enable PIE (position independent executable) build for security
    hardening. Patch from Ubuntu. (Closes: #613759)

 -- Jay Berkenbilt Sat, 19 Mar 2011 10:22:32 -0400

tiff (3.9.4-7) unstable; urgency=high

  * Incorporate revised fix to CVE-2011-0192.

 -- Jay Berkenbilt Sun, 13 Mar 2011 14:33:38 -0400

tiff (3.9.4-6) unstable; urgency=high

  * Incorporated fix to CVE-2011-0192, "Buffer overflow in Fax4Decode".

 -- Jay Berkenbilt Sat, 26 Feb 2011 18:44:23 -0500

tiff (3.9.4-5) unstable; urgency=high

  * Incorporated fix to CVE-2010-3087, a potential denial of service
    exploitable with a specially crafted TIFF file. (Closes: #600188)

 -- Jay Berkenbilt Sun, 17 Oct 2010 16:44:08 -0400

tiff (3.9.4-4) unstable; urgency=high

  * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
    putcontig8bitYCbCr11tile".
    (Closes: #595064)

 -- Jay Berkenbilt Sat, 02 Oct 2010 13:17:12 -0400

tiff (3.9.4-3) unstable; urgency=low

  * Updated control file to remove obsolete Conflicts/Replaces for
    ancient packages.
  * Empty dependency_libs in all .la files as part of the .la file. This
    also resolves the problem of having hard-coded paths in the .la file.
    (Closes: #509016)
  * Updated standards version to 3.9.1.

 -- Jay Berkenbilt Sat, 14 Aug 2010 16:28:49 -0400

tiff (3.9.4-2) unstable; urgency=high

  * Incorporated patch to fix CVE-2010-2233, which fixes a specific
    failure of tif_getimage on 64-bit platforms.

 -- Jay Berkenbilt Fri, 13 Aug 2010 20:16:29 -0400

tiff (3.9.4-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Fri, 18 Jun 2010 21:28:11 -0400

tiff (3.9.2-3) unstable; urgency=low

  * Depend on libjpeg-dev instead of libjpeg62-dev. (Closes: #569242)
  * Change source format to '3.0 (quilt)'
  * Update standards version to 3.8.4. No changes required.

 -- Jay Berkenbilt Wed, 10 Feb 2010 19:20:20 -0500

tiff (3.9.2-2) unstable; urgency=low

  * Include patch from upstream to fix problems with TIFFReadScanline()
    and ycbcr-encoded JPEG images. (Closes: #510792)
  * Fix some manual page spelling errors found by lintian.

 -- Jay Berkenbilt Sun, 10 Jan 2010 10:56:32 -0500

tiff (3.9.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Fri, 06 Nov 2009 22:52:06 -0500

tiff (3.9.1-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Fri, 28 Aug 2009 15:44:23 -0400

tiff (3.9.0-2) unstable; urgency=low

  * Fix critical bug that could cause corrupt files to be written in some
    cases. (Closes: #543079)

 -- Jay Berkenbilt Fri, 28 Aug 2009 13:38:03 -0400

tiff (3.9.0-1) unstable; urgency=low

  * New upstream release. All previous security patches have been
    integrated.

 -- Jay Berkenbilt Fri, 21 Aug 2009 11:40:49 -0400

tiff (3.9.0beta+deb1-1) experimental; urgency=low

  * New upstream release (binary compatible with 3.8.2) -- release based
    on 3.9 branch from upstream CVS; see README.Debian for details.
    (Closes: #537118)
  * Updated standards to 3.8.3; no changes required.
  * Stopped using tarball in tarball packaging. (Closes: #538565)

 -- Jay Berkenbilt Wed, 19 Aug 2009 20:33:10 -0400

tiff (3.8.2-13) unstable; urgency=high

  * Apply patches to fix CVE-2009-2347, which covers two integer overflow
    conditions.
  * LZW patch from last update addressed CVE-2009-2285. Renamed the patch
    to make this clearer.

 -- Jay Berkenbilt Sun, 12 Jul 2009 18:03:33 -0400

tiff (3.8.2-12) unstable; urgency=low

  * Apply patch to fix crash in lzw decoder that can be caused by certain
    invalid image files. (Closes: #534137)
  * No longer ignore errors in preinst
  * Fixed new lintian warnings; updated standards version to 3.8.2.

 -- Jay Berkenbilt Sun, 28 Jun 2009 13:17:44 -0400

tiff (3.8.2-11) unstable; urgency=high

  * Apply security patches (CVE-2008-2327)
  * Convert patch system to quilt
  * Create README.source
  * Set standards version to 3.8.0

 -- Jay Berkenbilt Sun, 17 Aug 2008 13:16:37 -0400

tiff (3.8.2-10+lenny1) testing-security; urgency=high

  * Apply patches from Drew Yao of Apple Product Security to fix
    CVE-2008-2327, a potential buffer underflow in the LZW decoder
    (tif_lzw.c).

 -- Jay Berkenbilt Sun, 17 Aug 2008 11:56:01 -0400

tiff (3.8.2-10) unstable; urgency=low

  * Fix segmentation fault on subsequent parts of a file with an invalid
    directory tag. (Closes: #475489)

 -- Jay Berkenbilt Mon, 09 Jun 2008 11:02:53 -0400

tiff (3.8.2-9) unstable; urgency=low

  * Backported tiff2pdf from 4.0.0 beta 2. This fixes many tiff2pdf bugs,
    though unfortunately none of the ones opened in the debian bug
    database!
  * Added upstream homepage to debian control file.

 -- Jay Berkenbilt Sat, 07 Jun 2008 22:52:27 -0400

tiff (3.8.2-8) unstable; urgency=low

  * Accepted tmpfile patch tiff2pdf to fix bug that has been fixed
    upstream since upstream release appears stalled. Thanks Jesse Long.
    (Closes: #419773)
  * Update standards version to 3.7.3; no changes required.
  * ${Source-Version} -> ${binary:Version} in control
  * Split documentation into separate libtiff-doc package.
    (Closes: #472189)

 -- Jay Berkenbilt Sat, 22 Mar 2008 12:30:38 -0400

tiff (3.8.2-7+etch1) stable-security; urgency=high

  * Apply patches from Drew Yao of Apple Product Security to fix
    CVE-2008-2327, a potential buffer underflow in the LZW decoder
    (tif_lzw.c).

 -- Jay Berkenbilt Sun, 17 Aug 2008 11:56:01 -0400

tiff (3.8.2-7) unstable; urgency=high

  * Replace empty directories in /usr/share/doc with links during package
    upgrade. (Closes: #404631)

 -- Jay Berkenbilt Tue, 2 Jan 2007 15:50:50 -0500

tiff (3.8.2-6) unstable; urgency=high

  * Add watch file
  * Tavis Ormandy of the Google Security Team discovered several problems
    in the TIFF library. The Common Vulnerabilities and Exposures project
    identifies the following issues:
    - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
      tif_dirread.c
    - CVE-2006-3460: A heap overflow vulnerability was discovered in the
      jpeg decoder
    - CVE-2006-3461: A heap overflow exists in the PixarLog decoder
    - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
      overflow
    - CVE-2006-3463: An infinite loop was discovered in
      EstimateStripByteCounts()
    - CVE-2006-3464: Multiple unchecked arithmetic operations were
      uncovered, including a number of the range checking operations
      designed to ensure the offsets specified in tiff directories are
      legitimate.
    - A number of codepaths were uncovered where assertions did not hold
      true, resulting in the client application calling abort()
    - CVE-2006-3465: A flaw was also uncovered in libtiff's custom tag
      support

 -- Jay Berkenbilt Mon, 31 Jul 2006 18:14:59 -0400

tiff (3.8.2-5) unstable; urgency=low

  * Fix logic error that caused -q flag to be ignored when doing jpeg
    compression with tiff2pdf. (Closes: #373102)

 -- Jay Berkenbilt Mon, 19 Jun 2006 18:55:38 -0400

tiff (3.8.2-4) unstable; urgency=high

  * SECURITY UPDATE: Arbitrary command execution with crafted TIF files.
    Thanks to Martin Pitt. (Closes: #371064)
  * Add debian/patches/tiff2pdf-octal-printf.patch:
    - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
      signed char (it printed a signed integer, which overflowed the
      buffer and was wrong anyway).
    - CVE-2006-2193

 -- Jay Berkenbilt Wed, 7 Jun 2006 17:52:12 -0400

tiff (3.8.2-3) unstable; urgency=high

  * SECURITY UPDATE: Arbitrary command execution with crafted long file
    names. Thanks to Martin Pitt for forwarding this.
    Add debian/patches/tiffsplit-fname-overflow.patch:
    - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
      user-specified file name into a statically sized buffer.
    CVE-2006-2656. (Closes: #369819)
  * Update standards version to 3.7.2. No changes required.
  * Moved doc-base information to libtiff4 instead of libtiff4-dev.

 -- Jay Berkenbilt Thu, 1 Jun 2006 21:24:21 -0400

tiff (3.8.2-2) unstable; urgency=low

  * Fix build dependencies to get OpenGL utility libraries after new Xorg
    packaging. (Closes: #365722)
  * Updated standards version to 3.7.0; no changes required to package.

 -- Jay Berkenbilt Tue, 2 May 2006 10:10:45 -0400

tiff (3.8.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Tue, 28 Mar 2006 21:42:33 -0500

tiff (3.8.0-3) unstable; urgency=low

  * Switched build dependency from xlibmesa-gl-dev to libgl1-mesa-dev
    (incorporating Ubuntu patch)
  * Incorporated patch from upstream to fix handling of RGBA tiffs in
    tiff2pdf.
    (Closes: #352849)

 -- Jay Berkenbilt Sun, 26 Feb 2006 13:21:17 -0500

tiff (3.8.0-2) unstable; urgency=low

  * Applied fixes from upstream to address a memory access violation
    [CVE-2006-0405]. (Closes: #350715, #351223)

 -- Jay Berkenbilt Fri, 3 Feb 2006 21:48:39 -0500

tiff (3.8.0-1) unstable; urgency=low

  * New upstream release. (Closes: #349921)
  * NOTE: The debian version of 3.8.0 includes a patch to correct a
    binary incompatibility in the original 3.8.0 release. This libtiff
    package is binary compatible with 3.7.4 and will be binary compatible
    with the upcoming 3.8.1 release.

 -- Jay Berkenbilt Fri, 27 Jan 2006 21:38:58 -0500

tiff (3.7.4-1) unstable; urgency=low

  * New upstream release
  * Fix typos in manual page (Closes: #327921, #327922, #327923, #327924)

 -- Jay Berkenbilt Fri, 7 Oct 2005 10:25:49 -0400

tiff (3.7.3-1) unstable; urgency=low

  * New upstream release
  * g++ 4.0 transition: libtiffxx0 is now libtiffxx0c2.

 -- Jay Berkenbilt Sat, 9 Jul 2005 12:00:44 -0400

tiff (3.7.2-3) unstable; urgency=high

  * Fix for exploitable segmentation fault on files with bad
    BitsPerSample values. (Closes: #309739)
    [libtiff/tif_dirread.c, CAN-2005-1544]
    Thanks to Martin Pitt for the report.

 -- Jay Berkenbilt Thu, 19 May 2005 05:41:28 -0400

tiff (3.7.2-2) unstable; urgency=high

  * Fix zero pagesize bug with tiff2ps -a2 and tiff2ps -a3. Thanks to
    Patrice Fournier for the patch. (Closes: #303583)
  * Note: uploading with urgency=high since this very small fix impacts
    tools only (not the library), and we don't want to block tiff's many
    reverse dependencies from transitioning to sarge.

 -- Jay Berkenbilt Sun, 10 Apr 2005 10:12:37 -0400

tiff (3.7.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sat, 19 Mar 2005 14:51:06 -0500

tiff (3.7.1-4) unstable; urgency=low

  * Fix from upstream: include a better workaround for tiff files with
    invalid strip byte counts.
    (Closes: #183268)

 -- Jay Berkenbilt Tue, 22 Feb 2005 19:20:14 -0500

tiff (3.7.1-3) unstable; urgency=low

  * Disable C++ new experimental interfaces for now; will reappear in a
    future version in the separate libtiffxx0 package.

 -- Jay Berkenbilt Sat, 29 Jan 2005 13:32:37 -0500

tiff (3.7.1+pre3.7.2-1) experimental; urgency=low

  * New upstream release
  * Separate experimental C++ interface into separate libtiffxx library.

 -- Jay Berkenbilt Sat, 29 Jan 2005 13:03:19 -0500

tiff (3.7.1-2) unstable; urgency=low

  * Make -dev package depend upon other -dev packages referenced in the
    .la file created by libtool. (Closes: #291136)
  * tiff2ps: Allow one of -w and -h without the other. (Closes: #244247)

 -- Jay Berkenbilt Wed, 19 Jan 2005 10:45:00 -0500

tiff (3.7.1-1) unstable; urgency=low

  * New upstream release
  * Correct error in doc-base file (Closes: #285652)

 -- Jay Berkenbilt Wed, 5 Jan 2005 16:54:12 -0500

tiff (3.7.0-2) experimental; urgency=low

  * Replace hard-coded libc6-dev dependency with something friendlier to
    porters (libc6-dev | libc-dev). (Closes: #179727)
  * Fixed upstream: proper netbsdelf*-gnu support in configure. Actually
    fixed in 3.7.0-1 but left out of changelog. (Closes: #179728)
  * Include opengl support; adds new libtiff-opengl package.
    (Closes: #219456)
  * Fixed upstream: fax2ps now allows access to first page.
    (Closes: #244251)

 -- Jay Berkenbilt Sat, 11 Dec 2004 09:51:52 -0500

tiff (3.7.0-1) experimental; urgency=low

  * New upstream release (Closes: #276996)
  * New maintainer (Thanks Joy!)
  * Repackage using cdbs and simple-patchsys to fix some errors and
    simplify patch management
  * Fixed upstream: tiff2pdf ignores -z and -j (Closes: #280682)
  * Fixed upstream: Memory leak in TIFFClientOpen (Closes: #256657)

 -- Jay Berkenbilt Fri, 26 Nov 2004 13:50:13 -0500

tiff (3.6.1-5) unstable; urgency=high

  * New maintainer (thanks Joy!)
  * Applied patch by Dmitry V.
    Levin to fix a segmentation fault
    [tools/tiffdump.c, CAN-2004-1183]
    Thanks to Martin Schulze for forwarding the patch.
  * Fixed section of -dev package (devel -> libdevel)

 -- Jay Berkenbilt Wed, 5 Jan 2005 16:27:26 -0500

tiff (3.6.1-4) unstable; urgency=high

  * Fix heap overflow security bug [CAN-2004-1308]. (Closes: #286815)

 -- Jay Berkenbilt Wed, 22 Dec 2004 10:20:52 -0500

tiff (3.6.1-3) unstable; urgency=medium

  * Patches from upstream to fix zero-size tile and integer overflow
    problems created by previous security patches, closes: #276783.
  * Added Jay Berkenbilt as co-maintainer. Jay thanks Joy for letting him
    help and eventually take over maintenance of these packages!

 -- Josip Rodin Mon, 01 Nov 2004 12:28:27 +0100

tiff (3.6.1-2) unstable; urgency=low

  * Included security fixes for:
    + CAN-2004-0803
      - libtiff/tif_luv.c
      - libtiff/tif_next.c
      - libtiff/tif_thunder.c
    + CAN-2004-0804 (but this one is already applied upstream, it seems)
      - libtiff/tif_dirread.c
    + CAN-2004-0886
      - libtiff/tif_aux.c
      - libtiff/tif_compress.c
      - libtiff/tif_dir.c
      - libtiff/tif_dirinfo.c
      - libtiff/tif_dirread.c
      - libtiff/tif_dirwrite.c
      - libtiff/tif_extension.c
      - libtiff/tif_fax3.c
      - libtiff/tiffiop.h
      - libtiff/tif_getimage.c
      - libtiff/tif_luv.c
      - libtiff/tif_pixarlog.c
      - libtiff/tif_strip.c
      - libtiff/tif_tile.c
      - libtiff/tif_write.c
    Thanks to Martin Schulze for forwarding the patches.

 -- Josip Rodin Thu, 14 Oct 2004 16:13:11 +0200

tiff (3.6.1-1.1) unstable; urgency=medium

  * Non-maintainer upload; thanks to Jay Berkenbilt for preparing the
    patches
  * Rename shared library and development packages to resolve accidental
    upstream ABI change. Closes: #236247
  * Include patch from upstream to fix multistrip g3 fax bug.
    Closes: #243405
  * Include LZW support. Closes: #260242, #248490
  * Fix URL in copyright file. Closes: #261357
  * Install missing documentation files.
    Closes: #261356

 -- Steve Langasek Sun, 25 Jul 2004 10:28:06 -0400

tiff (3.6.1-1) unstable; urgency=low

  * New upstream version, closes: #231977.
  * Slightly fixed up the static lib build rules so that the build
    process does the normal stuff for the dynamic lib and then does the
    static with the same tiffvers.h.

 -- Josip Rodin Mon, 23 Feb 2004 18:23:34 +0100

tiff (3.5.7-2) unstable; urgency=high

  * Added back the patch that used -src static/libtiff.a in the install
    rule. Wonder how that disappeared... closes: #170914.
  * Fake it's a GNU system in order for the configure script to use our
    toolchain stuff on the NetBSD port, thanks to Joel Baker,
    closes: #130636.

 -- Josip Rodin Tue, 10 Dec 2002 17:18:28 +0100

tiff (3.5.7-1) unstable; urgency=low

  * New upstream version, closes: #144940.
  * A whole new set of patches for the breakage in the build system :)

 -- Josip Rodin Sun, 6 Oct 2002 22:54:08 +0200

tiff (3.5.5-6) unstable; urgency=low

  * It appears that the general 64-bit detection code, isn't.
    We have to include all of those three conditions, feh.
    This really closes: #106706.

 -- Josip Rodin Wed, 8 Aug 2001 23:09:55 +0200

tiff (3.5.5-5) unstable; urgency=low

  * Changed two Alpha/Mips-isms into general 64-bit detection code,
    patch from John Daily, closes: #106706.
  * Patched man/Makefile.in to generate a manual page file for
    TIFFClientOpen(3t), as a .so link to TIFFOpen(3t), closes: #99577.
  * Used /usr/share/doc in the doc-base file, closes: #74122.
  * Changed libtiff3g-dev's section back to devel, since graphics was,
    according to elmo, "hysterical raisins". :))

 -- Josip Rodin Fri, 27 Jul 2001 01:43:04 +0200

tiff (3.5.5-4) unstable; urgency=low

  * Updated config.* files, closes: #94696.
  * Fixed libtiff3g-dev's section, closes: #85533.

 -- Josip Rodin Wed, 20 Jun 2001 18:29:24 +0200

tiff (3.5.5-3) unstable; urgency=low

  * Build shared library on Hurd, too, closes: #72482.
  * Upped Standards-Version to 3.5.0.

 -- Josip Rodin Sat, 30 Sep 2000 17:42:13 +0200

tiff (3.5.5-2) unstable; urgency=low

  * Make `dynamic shared object' on Linux unconditionally, fixes the
    problem with libc.so.6.1 on alpha, thanks Chris C. Chimelis.

 -- Josip Rodin Wed, 13 Sep 2000 21:44:00 +0200

tiff (3.5.5-1) unstable; urgency=low

  * New upstream version.
  * The upstream build system sucks. There, I said it. Back to work now. :)
  * Added build dependencies on make (>= 3.77) (closes: #67747) and
    debhelper.
  * Standards-Version: 3.2.1:
    + added DEB_BUILD_OPTIONS checks in debian/rules

 -- Josip Rodin Tue, 29 Aug 2000 14:06:02 +0200

tiff (3.5.4-5) frozen unstable; urgency=low

  * Fixed 16-bit/32-bit values bug in fax2ps from libtiff-tools, that
    also breaks printing from hylafax, using provided oneliner patch from
    Bernd Herd (accepted upstream), closes: #49232 and probably #62235.

 -- Josip Rodin Mon, 27 Mar 2000 17:12:10 +0200

tiff (3.5.4-4) frozen unstable; urgency=low

  * Weird dpkg-shlibdeps from dpkg 1.6.8-pre has done it again, this time
    with libz.so, making the packages depend on zlib1 (instead of
    zlib1g). Closes: #56134, #56137, #56140, #56155.

 -- Josip Rodin Tue, 25 Jan 2000 18:05:28 +0100

tiff (3.5.4-3) frozen unstable; urgency=low

  * Included libtiff.so file in libtiff3g-dev, dammit :( My eye hurts, a
    lot, but this was easy to fix, thank goodness :) (closes: #55814).
    This bugfix deserves to get into frozen because the bug cripples
    libtiff3g-dev, a lot.

 -- Josip Rodin Fri, 21 Jan 2000 19:02:22 +0100

tiff (3.5.4-2) unstable; urgency=low

  * Fixed upstream build system to use ${DESTDIR}, and with that working,
    created install: rule in debian/rules and used it.
  * Fixed the way rules file gets the version from upstream sources, and
    fixed dist/tiff.alpha, it didn't work.
  * Removed README file from libtiff3g binary package, useless.
  * Fixed configure script not to emit the wrong warning about zlib/jpeg
    dirs not specified (they're in /usr/include, stupid :).

 -- Josip Rodin Thu, 30 Dec 1999 01:17:32 +0100

tiff (3.5.4-1) unstable; urgency=low

  * New upstream version, closes: #50338.
  * Disabled libc5 build, it wouldn't compile. :(

 -- Josip Rodin Fri, 3 Dec 1999 20:49:25 +0100

tiff (3.5.2-4) unstable; urgency=low

  * Castrated the rules file, to make it actually work on !(i386 m68k).
    Closes: #49316.

 -- Josip Rodin Sat, 6 Nov 1999 13:22:54 +0100

tiff (3.5.2-3) unstable; urgency=low

  * Removed sparc from the libtiff3 arches list, as BenC advised.

 -- Josip Rodin Fri, 29 Oct 1999 23:29:23 +0200

tiff (3.5.2-2) unstable; urgency=low

  * Changed Architecture: line for libtiff3 from "any" to "i386 m68k
    sparc" as it is actually only built on those. Changed description a
    little bit.
  * Minor fixes to the rules file.

 -- Josip Rodin Thu, 28 Oct 1999 14:00:02 +0200

tiff (3.5.2-1) unstable; urgency=low

  * New upstream version.
  * Renamed source package to just "tiff", like upstream tarball name.
  * New maintainer (thanks Guy!). Renewed packaging, with debhelper,
    using Joey's nifty multi2 example, with several adjustments.
  * Ditched libtiff3-altdev, nobody's using that and nobody should be
    using that. Packaging for it still exists, it's just commented out.
  * Uses doc-base for -dev docs now. Uncompressed HTML docs, 100kb space
    saved is pointless when you can't use any links between documents.

 -- Josip Rodin Tue, 26 Oct 1999 16:20:46 +0200

libtiff3 (3.4beta037-8) unstable; urgency=low

  * Argh, same bug in the prerm, closes: #36990, #36850, #36855, #36866,
    #36988.

 -- Guy Maor Sat, 1 May 1999 10:12:23 -0700

libtiff3 (3.4beta037-7) unstable; urgency=low

  * Don't error when dhelp is not installed, closes: #36879, #36922.

 -- Guy Maor Thu, 29 Apr 1999 19:17:55 -0700

libtiff3 (3.4beta037-6) unstable; urgency=low

  * Only build libc5 packages on appropriate archs, closes: #27083,
    #32007.
  * Apply NMU patch, closes: #26413, #26887.
  * Add dhelp support, closes: #35154.
  * Recompile removes invalid dependency, closes: #30961.

 -- Guy Maor Sat, 24 Apr 1999 15:17:51 -0700

libtiff3 (3.4beta037-5.1) frozen unstable; urgency=low

  * NMU to not use install -s to strip static .a libraries. Fixes: #26413
  * Build with recent libjpeg. Fixes: #26887
  * Add Section: and Priority: headers to debian/control.

 -- Ben Gertzfield Mon, 26 Oct 1998 22:44:33 -0800

libtiff3 (3.4beta037-5) unstable; urgency=low

  * Explicit link with -lm (and don't need -lc now), fixes: #19167,
    #22180.

 -- Guy Maor Tue, 11 Aug 1998 22:27:56 -0700

libtiff3 (3.4beta037-4) unstable; urgency=low

  * libtiff3-tools conflicts & replaces with libtiff3-gif (13521,15107).

 -- Guy Maor Sun, 11 Jan 1998 13:09:28 -0800

libtiff3 (3.4beta037-3) unstable; urgency=low

  * New libjpegg contains shlibs file, so don't need shlibs.local.
  * Compile with -D_REENTRANT.
  * Add shlibs for libtiff3g (13423).

 -- Guy Maor Sat, 27 Sep 1997 13:17:45 -0500

libtiff3 (3.4beta037-2) unstable; urgency=low

  * Add libjpegg6a to shlibs.local to correct for broken dependency.

 -- Guy Maor Fri, 26 Sep 1997 11:23:55 -0500

libtiff3 (3.4beta037-1) unstable; urgency=low

  * New upstream version, libc6 compile, policy 2.3.0.0 (5136, 7470,
    7627, 8166 8312, 9479, 9492, 9531, 11700, 11702).
  * Fix check for shared lib support (10805).

 -- Guy Maor Tue, 23 Sep 1997 16:55:56 -0500

debian/libtiff-opengl.lintian-overrides

#
# The synopsis line starts with a capital letter because of the TIFF
# acronym, not because it contains a sentence.
#
libtiff-opengl: description-synopsis-starts-with-a-capital-letter

debian/libtiff5.install

debian/tmp/usr/lib/*/libtiff.so.*