diff --git a/libtiff-am-version.patch b/0001-Back-off-the-minimum-required-automake-version-to-1..patch similarity index 40% rename from libtiff-am-version.patch rename to 0001-Back-off-the-minimum-required-automake-version-to-1..patch index c94c2e0055b927a7eae8b692db58d112348a94da..404de4cd10930eab98a30849c9d4d4c2f1ea2625 100644 --- a/libtiff-am-version.patch +++ b/0001-Back-off-the-minimum-required-automake-version-to-1..patch @@ -1,13 +1,21 @@ -Back off the minimum required automake version to 1.11. There isn't -anything in libtiff currently that actually requires 1.12, and changing -this allows the package to be built on pre-F18 machines for easier testing. +From b2e3171e935be3c4b79657aebf4175ef3be403b1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Mon, 18 Jul 2022 13:40:10 +0200 +Subject: [PATCH] Back off the minimum required automake version to 1.11. + There isn't anything in libtiff currently that actually requires 1.12, and + changing this allows the package to be built on pre-F18 machines for easier + testing. This patch can go away once we no longer care about testing on pre-F18. +--- + Makefile.am | 2 +- + test/Makefile.am | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) - -diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am ---- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400 -+++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400 +diff --git a/Makefile.am b/Makefile.am +index aaabf4d1..66e13dd8 100644 +--- a/Makefile.am ++++ b/Makefile.am @@ -25,7 +25,7 @@ docdir = $(LIBTIFF_DOCDIR) @@ -17,9 +25,10 @@ diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am ACLOCAL_AMFLAGS = -I m4 docfiles = \ -diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am ---- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400 -+++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400 +diff --git a/test/Makefile.am b/test/Makefile.am +index b5823198..949667ee 100644 +--- a/test/Makefile.am ++++ b/test/Makefile.am @@ -23,7 +23,7 @@ # Process this file with automake to produce Makefile.in. diff --git a/libtiff-make-check.patch b/0002-Fix-Makefile.patch similarity index 43% rename from libtiff-make-check.patch rename to 0002-Fix-Makefile.patch index e79dc94d1908e3282641ac5fc14afcaf7052957f..bc895371da0ed5f1d1ca82003cd83dda4340455c 100644 --- a/libtiff-make-check.patch +++ b/0002-Fix-Makefile.patch @@ -1,8 +1,17 @@ +From ab8a25b78922ba0e93fc4264d15c3e796a6f4c34 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Thu, 5 May 2022 14:42:52 +0200 +Subject: [PATCH] Fix Makefile + +--- + html/man/Makefile.am | 1 - + 1 file changed, 1 deletion(-) + diff --git a/html/man/Makefile.am b/html/man/Makefile.am -index 587296c..696005e 100644 +index 3ed00d44..8a64925a 100644 --- a/html/man/Makefile.am +++ b/html/man/Makefile.am -@@ -92,7 +92,6 @@ docfiles = \ +@@ -90,7 +90,6 @@ docfiles = \ tiffcrop.1.html \ tiffdither.1.html \ tiffdump.1.html \ diff --git a/0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch b/0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch new file mode 100644 index 0000000000000000000000000000000000000000..f07d7cd76f0106ad3d9f13a12e35486db90d06cc --- /dev/null +++ b/0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch @@ -0,0 +1,179 @@ +From eda0ab31e15edbb6ddee96f5c87d52888d68872c Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Sat, 11 Jun 2022 09:31:43 +0000 +Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in + tiffcrop (#415, #427, and #428) + +(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab) +--- + libtiff/tif_aux.c | 9 +++++++ + libtiff/tiffiop.h | 1 + + tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- + 3 files changed, 44 insertions(+), 28 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 140f26c7..5b88c8d0 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val ) + return (float)val; + } + ++uint32_t _TIFFClampDoubleToUInt32(double val) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 0xFFFFFFFFU || val != val ) ++ return 0xFFFFFFFFU; ++ return (uint32_t)val; ++} ++ + int _TIFFSeekOK(TIFF* tif, toff_t off) + { + /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index e3af461d..4e8bdac2 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t); + extern float _TIFFUInt64ToFloat(uint64_t); + + extern float _TIFFClampDoubleToFloat(double); ++extern uint32_t _TIFFClampDoubleToUInt32(double); + + extern tmsize_t + _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip, +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 1f827b2b..90286a5e 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) + { +- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres); +- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres); +- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres); +- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); + } + else + { +- x1 = (uint32_t) (crop->corners[i].X1); +- x2 = (uint32_t) (crop->corners[i].X2); +- y1 = (uint32_t) (crop->corners[i].Y1); +- y2 = (uint32_t) (crop->corners[i].Y2); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } + /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 + * b) Corners are expected to be submitted as top-left to bottom-right. +@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { /* User has specified pixels as reference unit */ +- tmargin = (uint32_t)(crop->margins[0]); +- lmargin = (uint32_t)(crop->margins[1]); +- bmargin = (uint32_t)(crop->margins[2]); +- rmargin = (uint32_t)(crop->margins[3]); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); + } + else + { /* inches or centimeters specified */ +- tmargin = (uint32_t)(crop->margins[0] * scale * yres); +- lmargin = (uint32_t)(crop->margins[1] * scale * xres); +- bmargin = (uint32_t)(crop->margins[2] * scale * yres); +- rmargin = (uint32_t)(crop->margins[3] * scale * xres); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); + } + + if ((lmargin + rmargin) > image->width) +@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32_t)crop->width; ++ width = _TIFFClampDoubleToUInt32(crop->width); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32_t)crop->length; ++ length = _TIFFClampDoubleToUInt32(crop->length); + else + length = image->length - tmargin - bmargin; + } + else + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32_t)(crop->width * scale * image->xres); ++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32_t)(crop->length * scale * image->yres); ++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); + else + length = image->length - tmargin - bmargin; + } +@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) + { /* inches or centimeters specified */ +- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); +- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); + } + else + { /* Otherwise user has specified pixels as reference unit */ +- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8)); +- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); + } + + if ((hmargin * 2.0) > (pwidth * page->hres)) +@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->mode & PAGE_MODE_PAPERSIZE ) + { +- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2)); +- olength = (uint32_t)((plength * page->vres) - (vmargin * 2)); ++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); ++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); + } + else + { +- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres)); +- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres)); ++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); ++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); + } + } + +@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + if (olength > ilength) + olength = ilength; + ++ if (owidth == 0 || olength == 0) ++ { ++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); ++ exit(EXIT_FAILURE); ++ } ++ + /* Compute the number of pages required for Portrait or Landscape */ + switch (page->orient) + { diff --git a/0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch b/0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch new file mode 100644 index 0000000000000000000000000000000000000000..568c34c8faff8e3c23c4633139b1c1e69b8cbd5d --- /dev/null +++ b/0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch @@ -0,0 +1,90 @@ +From ecd9216e574039b8fba893314bdfc6edbdd6bf20 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Mon, 15 Aug 2022 22:11:03 +0200 +Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521)?= + =?UTF-8?q?=20According=20to=20Richard=20Nolde=20https://gitlab.com/libtif?= + =?UTF-8?q?f/libtiff/-/issues/401#note=5F877637400=20the=20tiffcrop=20opti?= + =?UTF-8?q?on=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually=20exclusive=20?= + =?UTF-8?q?to=20the=20other=20crop=20options=20(-X|-Y),=20-Z=20and=20-z.?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is now checked and ends tiffcrop if those arguments are not mutually exclusive. + +This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424 + +(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf) +--- + tools/tiffcrop.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 90286a5e..d9213ecb 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -108,7 +108,7 @@ + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. + * +- * Note: The (-X|-Y), -Z and -z options are mutually exclusive. ++ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. + * In no case should the options be applied to a given selection successively. + */ + +@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022"; + #define ROTATECW_270 32 + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) + +-#define CROP_NONE 0 +-#define CROP_MARGINS 1 +-#define CROP_WIDTH 2 +-#define CROP_LENGTH 4 +-#define CROP_ZONES 8 +-#define CROP_REGIONS 16 ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ ++#define CROP_MARGINS 1 /* "-m" */ ++#define CROP_WIDTH 2 /* "-X" */ ++#define CROP_LENGTH 4 /* "-Y" */ ++#define CROP_ZONES 8 /* "-Z" */ ++#define CROP_REGIONS 16 /* "-z" */ + #define CROP_ROTATE 32 + #define CROP_MIRROR 64 + #define CROP_INVERT 128 +@@ -316,7 +316,7 @@ struct crop_mask { + #define PAGE_MODE_RESOLUTION 1 + #define PAGE_MODE_PAPERSIZE 2 + #define PAGE_MODE_MARGINS 4 +-#define PAGE_MODE_ROWSCOLS 8 ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ + + #define INVERT_DATA_ONLY 10 + #define INVERT_DATA_AND_TAG 11 +@@ -781,7 +781,7 @@ static const char usage_info[] = + " The four debug/dump options are independent, though it makes little sense to\n" + " specify a dump file without specifying a detail level.\n" + "\n" +-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" ++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" + " In no case should the options be applied to a given selection successively.\n" + "\n" + ; +@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + /*NOTREACHED*/ + } + } +- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/ +- char XY, Z, R; ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ ++ char XY, Z, R, S; + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); + Z = (crop_data->crop_mode & CROP_ZONES); + R = (crop_data->crop_mode & CROP_REGIONS); +- if ((XY && Z) || (XY && R) || (Z && R)) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit"); ++ S = (page->mode & PAGE_MODE_ROWSCOLS); ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } + } /* end process_command_opts */ diff --git a/0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch b/0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch new file mode 100644 index 0000000000000000000000000000000000000000..46cca8cfbc4c5a3dafc11888d4956a85c2520875 --- /dev/null +++ b/0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch @@ -0,0 +1,32 @@ +From 670117c3a76bc0f995bfdb6c293ab2ce9af18273 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 20 Aug 2022 23:35:26 +0200 +Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521) tiffcrop -S + option: Make decision simpler. + +(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba) +--- + tools/tiffcrop.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index d9213ecb..0551a01c 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + } + /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ + char XY, Z, R, S; +- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); +- Z = (crop_data->crop_mode & CROP_ZONES); +- R = (crop_data->crop_mode & CROP_REGIONS); +- S = (page->mode & PAGE_MODE_ROWSCOLS); +- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; ++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; ++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; ++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; ++ if (XY + Z + R + S > 1) { + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } diff --git a/0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch b/0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch new file mode 100644 index 0000000000000000000000000000000000000000..4ca0a8e184c0466a6e58b9356f24b53247107f2b --- /dev/null +++ b/0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch @@ -0,0 +1,100 @@ +From c382116391639603e06aeceb80accf7af4418892 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Thu, 25 Aug 2022 16:11:41 +0200 +Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable + incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes + #411 and #413) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S. + +Code analysis: + +With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. +In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . + +Execution of the else-clause often leads to buffer-overflows. + +Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. + +The MR solves issues #411 and #413. + +(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62) +--- + tools/tiffcrop.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 0551a01c..613ce7f8 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -107,10 +107,12 @@ + * selects which functions dump data, with higher numbers selecting + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. +- * +- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. ++ * ++ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. + * In no case should the options be applied to a given selection successively. +- */ ++ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++ */ + + static char tiffcrop_version_id[] = "2.5"; + static char tiffcrop_rev_date[] = "02-09-2022"; +@@ -781,9 +783,12 @@ static const char usage_info[] = + " The four debug/dump options are independent, though it makes little sense to\n" + " specify a dump file without specifying a detail level.\n" + "\n" +-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" ++"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" + " In no case should the options be applied to a given selection successively.\n" + "\n" ++"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options\n" ++" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.\n" ++"\n" + ; + + /* This function could be modified to pass starting sample offset +@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; + S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; + if (XY + Z + R + S > 1) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); + exit(EXIT_FAILURE); + } ++ ++ /* Check for not allowed combination: ++ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++. */ ++ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { ++ TIFFError("tiffcrop input error", ++ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); ++ exit(EXIT_FAILURE); ++ } ++ + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or +@@ -2411,6 +2427,7 @@ main(int argc, char* argv[]) + exit (EXIT_FAILURE); + } + ++ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ + if (crop.selections > 0) + { + if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) +@@ -2427,6 +2444,7 @@ main(int argc, char* argv[]) + exit (EXIT_FAILURE); + } + } ++ /* Format and write selected image parts to output file(s). */ + if (page.mode == PAGE_MODE_NONE) + { /* Whole image or sections not based on output page size */ + if (crop.selections > 0) diff --git a/0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch b/0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch new file mode 100644 index 0000000000000000000000000000000000000000..542193e58db189769e89fbdc24f8bf03500729a9 --- /dev/null +++ b/0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch @@ -0,0 +1,261 @@ +From 80d781f24346e2ba76e9eedfc943f6013abb2771 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Tue, 30 Aug 2022 16:56:48 +0200 +Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and + related TIFFTAG_NUMBEROFINKS value + +In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: + +Behaviour for writing: + `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. + `NumberOfInks` is automatically set when `InkNames` is set. + If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. + If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. + +Behaviour for reading: + When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. + If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. + If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. + +This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow + +This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. + +It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. + +(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d) +--- + libtiff/tif_dir.c | 119 ++++++++++++++++++++++++----------------- + libtiff/tif_dir.h | 2 + + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirwrite.c | 5 ++ + libtiff/tif_print.c | 4 ++ + 5 files changed, 82 insertions(+), 50 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index e90f14a0..a4295dc9 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v) + } + + /* +- * Confirm we have "samplesperpixel" ink names separated by \0. Returns ++ * Count ink names separated by \0. Returns + * zero if the ink names are not as expected. + */ +-static uint32_t +-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s) ++static uint16_t ++countInkNamesString(TIFF *tif, uint32_t slen, const char *s) + { +- TIFFDirectory* td = &tif->tif_dir; +- uint16_t i = td->td_samplesperpixel; ++ uint16_t i = 0; ++ const char *ep = s + slen; ++ const char *cp = s; + + if (slen > 0) { +- const char* ep = s+slen; +- const char* cp = s; +- for (; i > 0; i--) { ++ do { + for (; cp < ep && *cp != '\0'; cp++) {} + if (cp >= ep) + goto bad; + cp++; /* skip \0 */ +- } +- return ((uint32_t)(cp - s)); ++ i++; ++ } while (cp < ep); ++ return (i); + } + bad: + TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", +- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16, +- tif->tif_name, +- td->td_samplesperpixel, +- (uint16_t)(td->td_samplesperpixel-i)); ++ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink", ++ tif->tif_name, slen, i); + return (0); + } + +@@ -475,13 +473,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); + break; + case TIFFTAG_INKNAMES: +- v = (uint16_t) va_arg(ap, uint16_vap); +- s = va_arg(ap, char*); +- v = checkInkNamesString(tif, v, s); +- status = v > 0; +- if( v > 0 ) { +- _TIFFsetNString(&td->td_inknames, s, v); +- td->td_inknameslen = v; ++ { ++ v = (uint16_t) va_arg(ap, uint16_vap); ++ s = va_arg(ap, char*); ++ uint16_t ninksinstring; ++ ninksinstring = countInkNamesString(tif, v, s); ++ status = ninksinstring > 0; ++ if(ninksinstring > 0 ) { ++ _TIFFsetNString(&td->td_inknames, s, v); ++ td->td_inknameslen = v; ++ /* Set NumberOfInks to the value ninksinstring */ ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) ++ { ++ if (td->td_numberofinks != ninksinstring) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"", ++ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); ++ td->td_numberofinks = ninksinstring; ++ } ++ } else { ++ td->td_numberofinks = ninksinstring; ++ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); ++ } ++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) ++ { ++ if (td->td_numberofinks != td->td_samplesperpixel) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", ++ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); ++ } ++ } ++ } ++ } ++ break; ++ case TIFFTAG_NUMBEROFINKS: ++ v = (uint16_t)va_arg(ap, uint16_vap); ++ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ ++ if (TIFFFieldSet(tif, FIELD_INKNAMES)) ++ { ++ if (v != td->td_numberofinks) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")", ++ tif->tif_name, fip->field_name, v, td->td_numberofinks); ++ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ ++ status = 0; ++ } ++ } else { ++ td->td_numberofinks = (uint16_t)v; ++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) ++ { ++ if (td->td_numberofinks != td->td_samplesperpixel) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", ++ tif->tif_name, fip->field_name, v, td->td_samplesperpixel); ++ } ++ } + } + break; + case TIFFTAG_PERSAMPLE: +@@ -915,34 +961,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) + if (fip->field_bit == FIELD_CUSTOM) { + standard_tag = 0; + } +- +- if( standard_tag == TIFFTAG_NUMBEROFINKS ) +- { +- int i; +- for (i = 0; i < td->td_customValueCount; i++) { +- uint16_t val; +- TIFFTagValue *tv = td->td_customValues + i; +- if (tv->info->field_tag != standard_tag) +- continue; +- if( tv->value == NULL ) +- return 0; +- val = *(uint16_t *)tv->value; +- /* Truncate to SamplesPerPixel, since the */ +- /* setting code for INKNAMES assume that there are SamplesPerPixel */ +- /* inknames. */ +- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ +- if( val > td->td_samplesperpixel ) +- { +- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", +- "Truncating NumberOfInks from %u to %"PRIu16, +- val, td->td_samplesperpixel); +- val = td->td_samplesperpixel; +- } +- *va_arg(ap, uint16_t*) = val; +- return 1; +- } +- return 0; +- } + + switch (standard_tag) { + case TIFFTAG_SUBFILETYPE: +@@ -1124,6 +1142,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) + case TIFFTAG_INKNAMES: + *va_arg(ap, const char**) = td->td_inknames; + break; ++ case TIFFTAG_NUMBEROFINKS: ++ *va_arg(ap, uint16_t *) = td->td_numberofinks; ++ break; + default: + { + int i; +diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h +index 09065648..0c251c9e 100644 +--- a/libtiff/tif_dir.h ++++ b/libtiff/tif_dir.h +@@ -117,6 +117,7 @@ typedef struct { + /* CMYK parameters */ + int td_inknameslen; + char* td_inknames; ++ uint16_t td_numberofinks; /* number of inks in InkNames string */ + + int td_customValueCount; + TIFFTagValue *td_customValues; +@@ -174,6 +175,7 @@ typedef struct { + #define FIELD_TRANSFERFUNCTION 44 + #define FIELD_INKNAMES 46 + #define FIELD_SUBIFD 49 ++#define FIELD_NUMBEROFINKS 50 + /* FIELD_CUSTOM (see tiffio.h) 65 */ + /* end of support for well-known tags; codec-private tags follow */ + #define FIELD_CODEC 66 /* base of codec-private tags */ +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index c30f569b..a7e78aae 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -114,7 +114,7 @@ tiffFields[] = { + { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, + { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, + { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, +- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, ++ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, + { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, + { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, + { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index 2fef6d82..1a00edbf 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -708,6 +708,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff) + if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) + goto bad; + } ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) ++ { ++ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) ++ goto bad; ++ } + if (TIFFFieldSet(tif,FIELD_SUBIFD)) + { + if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 80a9d90f..1ed90e28 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -401,6 +401,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + } + fputs("\n", fd); + } ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { ++ fprintf(fd, " NumberOfInks: %d\n", ++ td->td_numberofinks); ++ } + if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { + fprintf(fd, " Thresholding: "); + switch (td->td_threshholding) { diff --git a/0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch b/0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch new file mode 100644 index 0000000000000000000000000000000000000000..633f1b5c3766316f1ddfa40285daea9157da56d9 --- /dev/null +++ b/0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch @@ -0,0 +1,647 @@ +From aacb1f89c5aa85d513dea8bdb1fd6818519bae2d Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Thu, 13 Oct 2022 14:33:27 +0000 +Subject: [PATCH] (CVE-2022-3570 CVE-2022-3598) tiffcrop subroutines require a + larger buffer (fixes #271, #381, #386, #388, #389, #435) + +(cherry picked from commit afd7086090dafd3949afd172822cbcec4ed17d56) +--- + tools/tiffcrop.c | 205 +++++++++++++++++++++++++++-------------------- + 1 file changed, 116 insertions(+), 89 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 613ce7f8..70d56e55 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "02-09-2022"; + + #define TIFF_DIR_MAX 65534 + ++/* Some conversion subroutines require image buffers, which are at least 3 bytes ++ * larger than the necessary size for the image itself. */ ++#define NUM_BUFF_OVERSIZE_BYTES 3 ++ + /* Offsets into buffer for margins and fixed width and length segments */ + struct offset { + uint32_t tmargin; +@@ -233,7 +237,7 @@ struct offset { + */ + + struct buffinfo { +- uint32_t size; /* size of this buffer */ ++ size_t size; /* size of this buffer */ + unsigned char *buffer; /* address of the allocated buffer */ + }; + +@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + uint32_t dst_rowsize, shift_width; + uint32_t bytes_per_sample, bytes_per_pixel; + uint32_t trailing_bits, prev_trailing_bits; +- uint32_t tile_rowsize = TIFFTileRowSize(in); +- uint32_t src_offset, dst_offset; ++ tmsize_t tile_rowsize = TIFFTileRowSize(in); ++ tmsize_t src_offset, dst_offset; + uint32_t row_offset, col_offset; + uint8_t *bufp = (uint8_t*) buf; + unsigned char *src = NULL; +@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); + exit(EXIT_FAILURE); + } +- tilebuf = limitMalloc(tile_buffsize + 3); ++ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (tilebuf == 0) + return 0; + tilebuf[tile_buffsize] = 0; +@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf, + for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) + { + srcbuffs[sample] = NULL; +- tbuff = (unsigned char *)limitMalloc(tilesize + 8); ++ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); + if (!tbuff) + { + TIFFError ("readSeparateTilesIntoBuffer", +@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + } + rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); + +- obuf = limitMalloc (rowstripsize); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); + if (obuf == NULL) + return 1; + +@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + + stripsize = TIFFVStripSize(out, nrows); + src = buf + (row * rowsize); +- memset (obuf, '\0', rowstripsize); ++ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES); + if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) + { + _TIFFfree(obuf); +@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + } + if ((dump->outfile != NULL) && (dump->level == 1)) + { +- dump_info(dump->outfile, dump->format,"", ++ if (scanlinesize > 0x0ffffffffULL) { ++ dump_info(dump->infile, dump->format, "loadImage", ++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", ++ scanlinesize); ++ } ++ dump_info(dump->outfile, dump->format,"", + "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", +- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); +- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); ++ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf); ++ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf); + } + + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) +@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng + uint32_t tl, tw; + uint32_t row, col, nrow, ncol; + uint32_t src_rowsize, col_offset; +- uint32_t tile_rowsize = TIFFTileRowSize(out); ++ tmsize_t tile_rowsize = TIFFTileRowSize(out); + uint8_t* bufp = (uint8_t*) buf; + tsize_t tile_buffsize = 0; + tsize_t tilesize = TIFFTileSize(out); +@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng + } + src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; + +- tilebuf = limitMalloc(tile_buffsize); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (tilebuf == 0) + return 1; ++ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + for (row = 0; row < imagelength; row += tl) + { + nrow = (row + tl > imagelength) ? imagelength - row : tl; +@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele + uint32_t imagewidth, tsample_t spp, + struct dump_opts * dump) + { +- tdata_t obuf = limitMalloc(TIFFTileSize(out)); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); + uint32_t tl, tw; + uint32_t row, col, nrow, ncol; + uint32_t src_rowsize, col_offset; +@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele + + if (obuf == NULL) + return 1; ++ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); + + if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || + !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || +@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + + *opt_offset = '\0'; + /* convert option to lowercase */ +- end = strlen (opt_ptr); ++ end = (unsigned int)strlen (opt_ptr); + for (i = 0; i < end; i++) + *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); + /* Look for dump format specification */ + if (strncmp(opt_ptr, "for", 3) == 0) + { + /* convert value to lowercase */ +- end = strlen (opt_offset + 1); ++ end = (unsigned int)strlen (opt_offset + 1); + for (i = 1; i <= end; i++) + *(opt_offset + i) = tolower((int) *(opt_offset + i)); + /* check dump format value */ +@@ -2273,6 +2287,8 @@ main(int argc, char* argv[]) + size_t length; + char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */ + ++ assert(NUM_BUFF_OVERSIZE_BYTES >= 3); ++ + little_endian = *((unsigned char *)&little_endian) & '1'; + + initImageData(&image); +@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3 + static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) + { + uint8_t* bufp = buf; +- int32_t bytes_read = 0; ++ tmsize_t bytes_read = 0; + uint32_t strip, nstrips = TIFFNumberOfStrips(in); +- uint32_t stripsize = TIFFStripSize(in); +- uint32_t rows = 0; ++ tmsize_t stripsize = TIFFStripSize(in); ++ tmsize_t rows = 0; + uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); + tsize_t scanline_size = TIFFScanlineSize(in); + +@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) + bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1); + rows = bytes_read / scanline_size; + if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize)) +- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32, ++ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64, + strip + 1, bytes_read, stripsize); + + if (bytes_read < 0 && !ignore) { +- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows", ++ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows", + strip, rows); + return 0; + } +@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", + row + 1, col + 1, src_byte, src_bit, dst - out); + +- dump_long (dumpfile, format, "Match bits ", matchbits); ++ dump_wide (dumpfile, format, "Match bits ", matchbits); + dump_data (dumpfile, format, "Src bits ", src, 4); +- dump_long (dumpfile, format, "Buff1 bits ", buff1); +- dump_long (dumpfile, format, "Buff2 bits ", buff2); ++ dump_wide (dumpfile, format, "Buff1 bits ", buff1); ++ dump_wide (dumpfile, format, "Buff2 bits ", buff2); + dump_byte (dumpfile, format, "Write bits1", bytebuff1); + dump_byte (dumpfile, format, "Write bits2", bytebuff2); + dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); +@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", + row + 1, col + 1, src_byte, src_bit, dst - out); + +- dump_long (dumpfile, format, "Match bits ", matchbits); ++ dump_wide (dumpfile, format, "Match bits ", matchbits); + dump_data (dumpfile, format, "Src bits ", src, 4); +- dump_long (dumpfile, format, "Buff1 bits ", buff1); +- dump_long (dumpfile, format, "Buff2 bits ", buff2); ++ dump_wide (dumpfile, format, "Buff1 bits ", buff1); ++ dump_wide (dumpfile, format, "Buff2 bits ", buff2); + dump_byte (dumpfile, format, "Write bits1", bytebuff1); + dump_byte (dumpfile, format, "Write bits2", bytebuff2); + dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); +@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + { + int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; + uint32_t j; +- int32_t bytes_read = 0; ++ tmsize_t bytes_read = 0; + uint16_t bps = 0, planar; + uint32_t nstrips; + uint32_t strips_per_sample; +@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + srcbuffs[s] = NULL; +- buff = limitMalloc(stripsize + 3); ++ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); + if (!buff) + { + TIFFError ("readSeparateStripsIntoBuffer", +@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + buff = srcbuffs[s]; + strip = (s * strips_per_sample) + j; + bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); +- rows_this_strip = bytes_read / src_rowsize; ++ rows_this_strip = (uint32_t)(bytes_read / src_rowsize); + if (bytes_read < 0 && !ignore) + { + TIFFError(TIFFFileName(in), +@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + uint16_t input_compression = 0, input_photometric = 0; + uint16_t subsampling_horiz, subsampling_vert; + uint32_t width = 0, length = 0; +- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; ++ tmsize_t stsize = 0, tlsize = 0, buffsize = 0; ++ tmsize_t scanlinesize = 0; + uint32_t tw = 0, tl = 0; /* Tile width and length */ +- uint32_t tile_rowsize = 0; ++ tmsize_t tile_rowsize = 0; + unsigned char *read_buff = NULL; + unsigned char *new_buff = NULL; + int readunit = 0; +- static uint32_t prev_readsize = 0; ++ static tmsize_t prev_readsize = 0; + + TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); + TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); +@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + /* The buffsize_check and the possible adaptation of buffsize + * has to account also for padding of each line to a byte boundary. + * This is assumed by mirrorImage() and rotateImage(). ++ * Furthermore, functions like extractContigSamplesShifted32bits() ++ * need a buffer, which is at least 3 bytes larger than the actual image. + * Otherwise buffer-overflow might occur there. + */ + buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8); +@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } +- read_buff = (unsigned char *)limitMalloc(buffsize+3); ++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + { +@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } +- new_buff = _TIFFrealloc(read_buff, buffsize+3); ++ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + free (read_buff); +- read_buff = (unsigned char *)limitMalloc(buffsize+3); ++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + read_buff = new_buff; +@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + dump_info (dump->infile, dump->format, "", + "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp); + ++ if (scanlinesize > 0x0ffffffffULL) { ++ dump_info(dump->infile, dump->format, "loadImage", ++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", ++ scanlinesize); ++ } + for (i = 0; i < length; i++) +- dump_buffer(dump->infile, dump->format, 1, scanlinesize, ++ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize, + i, read_buff + (i * scanlinesize)); + } + return (0); +@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image, + if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { + TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); + if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { +- int inknameslen = strlen(inknames) + 1; ++ int inknameslen = (int)strlen(inknames) + 1; + const char* cp = inknames; + while (ninks > 1) { + cp = strchr(cp, '\0'); + if (cp) { + cp++; +- inknameslen += (strlen(cp) + 1); ++ inknameslen += ((int)strlen(cp) + 1); + } + ninks--; + } +@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + + if (!sect_buff) + { +- sect_buff = (unsigned char *)limitMalloc(sectsize); ++ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); + if (!sect_buff) + { + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); + return (-1); + } +- _TIFFmemset(sect_buff, 0, sectsize); ++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + { + if (prev_sectsize < sectsize) + { +- new_buff = _TIFFrealloc(sect_buff, sectsize); ++ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + _TIFFfree (sect_buff); +- sect_buff = (unsigned char *)limitMalloc(sectsize); ++ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + sect_buff = new_buff; +@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); + return (-1); + } +- _TIFFmemset(sect_buff, 0, sectsize); ++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + } + +@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + cropsize = crop->bufftotal; + crop_buff = seg_buffs[0].buffer; + if (!crop_buff) +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { + prev_cropsize = seg_buffs[0].size; + if (prev_cropsize < cropsize) + { +- next_buff = _TIFFrealloc(crop_buff, cropsize); ++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (! next_buff) + { + _TIFFfree (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = next_buff; +@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + return (-1); + } + +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + seg_buffs[0].buffer = crop_buff; + seg_buffs[0].size = cropsize; + +@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + cropsize = crop->bufftotal; + crop_buff = seg_buffs[i].buffer; + if (!crop_buff) +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { + prev_cropsize = seg_buffs[0].size; + if (prev_cropsize < cropsize) + { +- next_buff = _TIFFrealloc(crop_buff, cropsize); ++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (! next_buff) + { + _TIFFfree (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = next_buff; +@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + return (-1); + } + +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + seg_buffs[i].buffer = crop_buff; + seg_buffs[i].size = cropsize; + +@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + crop_buff = *crop_buff_ptr; + if (!crop_buff) + { +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (!crop_buff) + { + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); + return (-1); + } +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + prev_cropsize = cropsize; + } + else + { + if (prev_cropsize < cropsize) + { +- new_buff = _TIFFrealloc(crop_buff, cropsize); ++ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + free (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = new_buff; +@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); + return (-1); + } +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + } + +@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, + if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { + TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); + if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { +- int inknameslen = strlen(inknames) + 1; ++ int inknameslen = (int)strlen(inknames) + 1; + const char* cp = inknames; + while (ninks > 1) { + cp = strchr(cp, '\0'); + if (cp) { + cp++; +- inknameslen += (strlen(cp) + 1); ++ inknameslen += ((int)strlen(cp) + 1); + } + ninks--; + } +@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + return (-1); + } + +- if (!(rbuff = (unsigned char *)limitMalloc(buffsize))) ++ /* Add 3 padding bytes for extractContigSamplesShifted32bits */ ++ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) + { +- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); ++ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } +- _TIFFmemset(rbuff, '\0', buffsize); ++ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); + + ibuff = *ibuff_ptr; + switch (rotation) +@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width, + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + { + case MIRROR_BOTH: + case MIRROR_VERT: +- line_buff = (unsigned char *)limitMalloc(rowsize); ++ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); + if (line_buff == NULL) + { +- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); ++ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } ++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + + dst = ibuff + (rowsize * (length - 1)); + for (row = 0; row < length / 2; row++) +@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + } + else + { /* non 8 bit per sample data */ +- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1))) ++ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) + { + TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); + return (-1); + } ++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + bytes_per_sample = (bps + 7) / 8; + bytes_per_pixel = ((bps * spp) + 7) / 8; + if (bytes_per_pixel < (bytes_per_sample + 1)) +@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + { + row_offset = row * rowsize; + src = ibuff + row_offset; +- _TIFFmemset (line_buff, '\0', rowsize); ++ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + switch (shift_width) + { + case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff)) diff --git a/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch b/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch new file mode 100644 index 0000000000000000000000000000000000000000..e4c3135d51a740cca4ff7a526b3afab02c0cc23b --- /dev/null +++ b/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch @@ -0,0 +1,37 @@ +From b6204fada53418fdf140e039e87052f987770de1 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 8 Nov 2022 15:16:58 +0100 +Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer + overflow on strips/tiles > 2 GB + +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 + +(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be) +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a1b6570b..9a2e0c59 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in + return( ok ); + + for( i_row = 0; i_row < read_ysize; i_row++ ) { +- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, +- raster + (read_ysize - i_row - 1) * read_xsize, ++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, ++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, + read_xsize * sizeof(uint32_t) ); +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, + 0, sizeof(uint32_t) * (tile_xsize - read_xsize) ); + } + + for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, + 0, sizeof(uint32_t) * tile_xsize ); + } + diff --git a/dist b/dist new file mode 100644 index 0000000000000000000000000000000000000000..89c1faffc18349bb12eee2371e9dc43bf419b95c --- /dev/null +++ b/dist @@ -0,0 +1 @@ +an9 diff --git a/download b/download index b38addc1f81b5cdef2cab5d8f400c825ec8dbf0b..8042a37da5d2ee521a3fe17a41ce6e7768237ab7 100644 --- a/download +++ b/download @@ -1 +1 @@ -54bad211279cc93eb4fca31ba9bfdc79 tiff-4.0.9.tar.gz +376f17f189e9d02280dfe709b2b2bbea tiff-4.4.0.tar.gz diff --git a/libtiff-CVE-2017-18013.patch b/libtiff-CVE-2017-18013.patch deleted file mode 100644 index 77afc48b0768011e6c64d6994d9beccfcf5316ea..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2017-18013.patch +++ /dev/null @@ -1,36 +0,0 @@ -From b1997b9c3ac0d6bac5effd7558141986487217a9 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 31 Dec 2017 15:09:41 +0100 -Subject: [PATCH 2/4] libtiff/tif_print.c: TIFFPrintDirectory(): fix null - pointer dereference on corrupted file. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2770 / CVE-2017-18013 - ---- - libtiff/tif_print.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index 10a588e..b9b53a0 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", - (unsigned long) s, -- (unsigned __int64) td->td_stripoffset[s], -- (unsigned __int64) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); - #else - fprintf(fd, " %3lu: [%8llu, %8llu]\n", - (unsigned long) s, -- (unsigned long long) td->td_stripoffset[s], -- (unsigned long long) td->td_stripbytecount[s]); -+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, -+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); - #endif - } - } --- -2.17.0 - diff --git a/libtiff-CVE-2017-9935.patch b/libtiff-CVE-2017-9935.patch deleted file mode 100644 index 39327ffb924a40e70c9c8b410986cf18bec77b84..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2017-9935.patch +++ /dev/null @@ -1,164 +0,0 @@ -From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001 -From: Brian May -Date: Thu, 7 Dec 2017 07:46:47 +1100 -Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935 - -Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 - -This vulnerability - at least for the supplied test case - is because we -assume that a tiff will only have one transfer function that is the same -for all pages. This is not required by the TIFF standards. - -We than read the transfer function for every page. Depending on the -transfer function, we allocate either 2 or 4 bytes to the XREF buffer. -We allocate this memory after we read in the transfer function for the -page. - -For the first exploit - POC1, this file has 3 pages. For the first page -we allocate 2 extra extra XREF entries. Then for the next page 2 more -entries. Then for the last page the transfer function changes and we -allocate 4 more entries. - -When we read the file into memory, we assume we have 4 bytes extra for -each and every page (as per the last transfer function we read). Which -is not correct, we only have 2 bytes extra for the first 2 pages. As a -result, we end up writing past the end of the buffer. - -There are also some related issues that this also fixes. For example, -TIFFGetField can return uninitalized pointer values, and the logic to -detect a N=3 vs N=1 transfer function seemed rather strange. - -It is also strange that we declare the transfer functions to be of type -float, when the standard says they are unsigned 16 bit values. This is -fixed in another patch. - -This patch will check to ensure that the N value for every transfer -function is the same for every page. If this changes, we abort with an -error. In theory, we should perhaps check that the transfer function -itself is identical for every page, however we don't do that due to the -confusion of the type of the data in the transfer function. ---- - libtiff/tif_dir.c | 3 +++ - tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++---------------- - 2 files changed, 49 insertions(+), 23 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index f00f808..c36a5f3 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) - if (td->td_samplesperpixel - td->td_extrasamples > 1) { - *va_arg(ap, uint16**) = td->td_transferfunction[1]; - *va_arg(ap, uint16**) = td->td_transferfunction[2]; -+ } else { -+ *va_arg(ap, uint16**) = NULL; -+ *va_arg(ap, uint16**) = NULL; - } - break; - case TIFFTAG_REFERENCEBLACKWHITE: -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index bdb9126..bd23c9e 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -239,7 +239,7 @@ typedef struct { - float tiff_whitechromaticities[2]; - float tiff_primarychromaticities[6]; - float tiff_referenceblackwhite[2]; -- float* tiff_transferfunction[3]; -+ uint16* tiff_transferfunction[3]; - int pdf_image_interpolate; /* 0 (default) : do not interpolate, - 1 : interpolate */ - uint16 tiff_transferfunctioncount; -@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16 pagen=0; - uint16 paged=0; - uint16 xuint16=0; -+ uint16 tiff_transferfunctioncount=0; -+ uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); - if(directorycount > TIFF_DIR_MAX) { -@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - } - #endif - if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, -- &(t2p->tiff_transferfunction[0]), -- &(t2p->tiff_transferfunction[1]), -- &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -- t2p->tiff_transferfunctioncount = 3; -- t2p->tiff_pages[i].page_extra += 4; -- t2p->pdf_xrefcount += 4; -- } else { -- t2p->tiff_transferfunctioncount = 1; -- t2p->tiff_pages[i].page_extra += 2; -- t2p->pdf_xrefcount += 2; -- } -- if(t2p->pdf_minorversion < 2) -- t2p->pdf_minorversion = 2; -+ &(tiff_transferfunction[0]), -+ &(tiff_transferfunction[1]), -+ &(tiff_transferfunction[2]))) { -+ -+ if((tiff_transferfunction[1] != (uint16*) NULL) && -+ (tiff_transferfunction[2] != (uint16*) NULL) -+ ) { -+ tiff_transferfunctioncount=3; -+ } else { -+ tiff_transferfunctioncount=1; -+ } - } else { -- t2p->tiff_transferfunctioncount=0; -+ tiff_transferfunctioncount=0; - } -+ -+ if (i > 0){ -+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Different transfer function on page %d", -+ i); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } -+ } -+ -+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; -+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; -+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; -+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; -+ if(tiff_transferfunctioncount == 3){ -+ t2p->tiff_pages[i].page_extra += 4; -+ t2p->pdf_xrefcount += 4; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } else if (tiff_transferfunctioncount == 1){ -+ t2p->tiff_pages[i].page_extra += 2; -+ t2p->pdf_xrefcount += 2; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } -+ - if( TIFFGetField( - input, - TIFFTAG_ICCPROFILE, -@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && -+ (t2p->tiff_transferfunction[2] != (uint16*) NULL) -+ ) { - t2p->tiff_transferfunctioncount=3; - } else { - t2p->tiff_transferfunctioncount=1; --- -2.17.0 - diff --git a/libtiff-CVE-2018-10963.patch b/libtiff-CVE-2018-10963.patch deleted file mode 100644 index 039b7c1a1613ad298c6f82de8a38c58388e21cf7..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2018-10963.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 12 May 2018 14:24:15 +0200 -Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 - ---- - libtiff/tif_dirwrite.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index c68d6d2..5d0a669 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) - } - break; - default: -- assert(0); /* we should never get here */ -- break; -+ TIFFErrorExt(tif->tif_clientdata,module, -+ "Cannot write tag %d (%s)", -+ TIFFFieldTag(o), -+ o->field_name ? o->field_name : "unknown"); -+ goto bad; - } - } - } --- -2.17.0 - diff --git a/libtiff-CVE-2018-12900.patch b/libtiff-CVE-2018-12900.patch deleted file mode 100644 index c7c3d3088877695d40e85b7f74e1042ecd43278b..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2018-12900.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Mon, 11 Feb 2019 10:05:33 +0100 -Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow - -fixes bug 2833 ---- - tools/tiffcp.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 489459a..0c66229 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -43,6 +43,7 @@ - #include - #include - #include -+#include - - #include - -@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - int status = 1; - uint32 imagew = TIFFRasterScanlineSize(in); - uint32 tilew = TIFFTileRowSize(in); -- int iskew = imagew - tilew*spp; -+ int iskew; - tsize_t tilesize = TIFFTileSize(in); - tdata_t tilebuf; - uint8* bufp = (uint8*) buf; -@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - uint32 row; - uint16 bps = 0, bytes_per_sample; - -+ if (tilew && spp > (INT_MAX / tilew)) -+ { -+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); -+ return 0; -+ } -+ iskew = imagew - tilew*spp; - tilebuf = _TIFFmalloc(tilesize); - if (tilebuf == 0) - return 0; --- -2.21.0 - diff --git a/libtiff-CVE-2018-17100.patch b/libtiff-CVE-2018-17100.patch deleted file mode 100644 index 8ed6dca0320c1e9d3bfb7e2095a1b87850f34342..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2018-17100.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 491e3acc55d7a54e2588de476733e93c4c7ffea0 Mon Sep 17 00:00:00 2001 -From: Young_X -Date: Sat, 8 Sep 2018 14:46:27 +0800 -Subject: [PATCH] avoid potential int32 overflows in multiply_ms() - ---- - tools/ppm2tiff.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c -index 91415e9..81ffa3d 100644 ---- a/tools/ppm2tiff.c -+++ b/tools/ppm2tiff.c -@@ -72,15 +72,16 @@ BadPPM(char* file) - exit(-2); - } - -+ -+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) -+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -+ - static tmsize_t - multiply_ms(tmsize_t m1, tmsize_t m2) - { -- tmsize_t bytes = m1 * m2; -- -- if (m1 && bytes / m1 != m2) -- bytes = 0; -- -- return bytes; -+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) -+ return 0; -+ return m1 * m2; - } - - int --- -2.17.2 - diff --git a/libtiff-CVE-2018-18557.patch b/libtiff-CVE-2018-18557.patch deleted file mode 100644 index d2cd3c52ea95aaff67e8b13e5d8fc378b5cb3af2..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2018-18557.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 2683f6c21aefc760d2f7e56dac6b4383841886d6 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 14 Oct 2018 16:38:29 +0200 -Subject: [PATCH 2/2] JBIG: fix potential out-of-bounds write in JBIGDecode() - -JBIGDecode doesn't check if the user provided buffer is large enough -to store the JBIG decoded image, which can potentially cause out-of-bounds -write in the buffer. -This issue was reported and analyzed by Thomas Dullien. - -Also fixes a (harmless) potential use of uninitialized memory when -tif->tif_rawsize > tif->tif_rawcc - -And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure -that whole strip data is provided to JBIGDecode() ---- - libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------ - libtiff/tif_read.c | 6 ++++++ - 2 files changed, 32 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 7a14dd9..8136c77 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - struct jbg_dec_state decoder; - int decodeStatus = 0; - unsigned char* pImage = NULL; -- (void) size, (void) s; -+ unsigned long decodedSize; -+ (void) s; - - if (isFillOrder(tif, tif->tif_dir.td_fillorder)) - { -- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); -+ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); - } - - jbg_dec_init(&decoder); - - #if defined(HAVE_JBG_NEWLEN) -- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); -+ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); - /* - * I do not check the return status of jbg_newlen because even if this - * function fails it does not necessarily mean that decoding the image -@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - */ - #endif /* HAVE_JBG_NEWLEN */ - -- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, -- (size_t)tif->tif_rawdatasize, NULL); -+ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, -+ (size_t)tif->tif_rawcc, NULL); - if (JBG_EOK != decodeStatus) - { - /* -@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - return 0; - } - -+ decodedSize = jbg_dec_getsize(&decoder); -+ if( (tmsize_t)decodedSize < size ) -+ { -+ TIFFWarningExt(tif->tif_clientdata, "JBIG", -+ "Only decoded %lu bytes, whereas %lu requested", -+ decodedSize, (unsigned long)size); -+ } -+ else if( (tmsize_t)decodedSize > size ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, "JBIG", -+ "Decoded %lu bytes, whereas %lu were requested", -+ decodedSize, (unsigned long)size); -+ jbg_dec_free(&decoder); -+ return 0; -+ } - pImage = jbg_dec_getimage(&decoder, 0); -- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); -+ _TIFFmemcpy(buffer, pImage, decodedSize); - jbg_dec_free(&decoder); -+ -+ tif->tif_rawcp += tif->tif_rawcc; -+ tif->tif_rawcc = 0; -+ - return 1; - } - -diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c -index 2ba985a..04100f4 100644 ---- a/libtiff/tif_read.c -+++ b/libtiff/tif_read.c -@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample ) - return 0; - whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 - || isMapped(tif); -+ if( td->td_compression == COMPRESSION_JBIG ) -+ { -+ /* Ideally plugins should have a way to declare they don't support -+ * chunk strip */ -+ whole_strip = 1; -+ } - #else - whole_strip = 1; - #endif --- -2.17.2 - diff --git a/libtiff-CVE-2018-18661.patch b/libtiff-CVE-2018-18661.patch deleted file mode 100644 index 9a7430bc6d3b714834302ee0904ac64913a1c702..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2018-18661.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 20dbecdf69cf0209ad0246707aaf142bb1fee96e Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 30 Oct 2018 18:50:27 +0100 -Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of - memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / - CVE-2018-18661 - ---- - libtiff/tiffiop.h | 1 + - tools/tiff2bw.c | 30 ++++++++++++++++++++++++++---- - tools/tiffcrop.c | 5 ----- - 3 files changed, 27 insertions(+), 9 deletions(-) - -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index daa291c..08e5dc4 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...); - #endif - - #define streq(a,b) (strcmp(a,b) == 0) -+#define strneq(a,b,n) (strncmp(a,b,n) == 0) - - #ifndef TRUE - #define TRUE 1 -diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c -index dad54af..1f3bb2c 100644 ---- a/tools/tiff2bw.c -+++ b/tools/tiff2bw.c -@@ -40,9 +40,7 @@ - #endif - - #include "tiffio.h" -- --#define streq(a,b) (strcmp((a),(b)) == 0) --#define strneq(a,b,n) (strncmp(a,b,n) == 0) -+#include "tiffiop.h" - - /* x% weighting -> fraction of full color */ - #define PCT(x) (((x)*256+50)/100) -@@ -223,6 +221,11 @@ main(int argc, char* argv[]) - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); - TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); - outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -+ if( !outbuf ) -+ { -+ fprintf(stderr, "Out of memory\n"); -+ goto tiff2bw_error; -+ } - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, - TIFFDefaultStripSize(out, rowsperstrip)); - -@@ -246,6 +249,11 @@ main(int argc, char* argv[]) - #undef CVT - } - inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); -+ if( !inbuf ) -+ { -+ fprintf(stderr, "Out of memory\n"); -+ goto tiff2bw_error; -+ } - for (row = 0; row < h; row++) { - if (TIFFReadScanline(in, inbuf, row, 0) < 0) - break; -@@ -256,6 +264,11 @@ main(int argc, char* argv[]) - break; - case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG): - inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); -+ if( !inbuf ) -+ { -+ fprintf(stderr, "Out of memory\n"); -+ goto tiff2bw_error; -+ } - for (row = 0; row < h; row++) { - if (TIFFReadScanline(in, inbuf, row, 0) < 0) - break; -@@ -265,8 +278,16 @@ main(int argc, char* argv[]) - } - break; - case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE): -+ { -+ tmsize_t inbufsize; - rowsize = TIFFScanlineSize(in); -- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize); -+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize); -+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize); -+ if( !inbuf ) -+ { -+ fprintf(stderr, "Out of memory\n"); -+ goto tiff2bw_error; -+ } - for (row = 0; row < h; row++) { - for (s = 0; s < 3; s++) - if (TIFFReadScanline(in, -@@ -278,6 +299,7 @@ main(int argc, char* argv[]) - break; - } - break; -+ } - } - #undef pack - if (inbuf) -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index c60cb38..3862b1c 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring); - - #define TIFF_UINT32_MAX 0xFFFFFFFFU - --#ifndef streq --#define streq(a,b) (strcmp((a),(b)) == 0) --#endif --#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0) -- - #define TRUE 1 - #define FALSE 0 - --- -2.17.2 - diff --git a/libtiff-CVE-2018-5784.patch b/libtiff-CVE-2018-5784.patch deleted file mode 100644 index 5f26e5dee2ba129cec7e98fb58e9fc7887ad9a70..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2018-5784.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Nikola=20Forr=C3=B3?= -Date: Fri, 23 Mar 2018 15:35:39 +0100 -Subject: [PATCH] Fix for bug 2772 - -It is possible to craft a TIFF document where the IFD list is circular, -leading to an infinite loop while traversing the chain. The libtiff -directory reader has a failsafe that will break out of this loop after -reading 65535 directory entries, but it will continue processing, -consuming time and resources to process what is essentially a bogus TIFF -document. - -This change fixes the above behavior by breaking out of processing when -a TIFF document has >= 65535 directories and terminating with an error. ---- - contrib/addtiffo/tif_overview.c | 14 +++++++++++++- - tools/tiff2pdf.c | 10 ++++++++++ - tools/tiffcrop.c | 13 +++++++++++-- - 3 files changed, 34 insertions(+), 3 deletions(-) - -diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c -index c61ffbb..03b3573 100644 ---- a/contrib/addtiffo/tif_overview.c -+++ b/contrib/addtiffo/tif_overview.c -@@ -65,6 +65,8 @@ - # define MAX(a,b) ((a>b) ? a : b) - #endif - -+#define TIFF_DIR_MAX 65534 -+ - void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, - int (*)(double,void*), void * ); - -@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - { - toff_t nBaseDirOffset; - toff_t nOffset; -+ tdir_t iNumDir; - - (void) bUseSubIFDs; - -@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - return 0; - - TIFFWriteDirectory( hTIFF ); -- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); -+ iNumDir = TIFFNumberOfDirectories(hTIFF); -+ if( iNumDir > TIFF_DIR_MAX ) -+ { -+ TIFFErrorExt( TIFFClientdata(hTIFF), -+ "TIFF_WriteOverview", -+ "File `%s' has too many directories.\n", -+ TIFFFileName(hTIFF) ); -+ exit(-1); -+ } -+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); - - nOffset = TIFFCurrentDirOffset( hTIFF ); - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index 454befb..bdb9126 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); - - #define PS_UNIT_SIZE 72.0F - -+#define TIFF_DIR_MAX 65534 -+ - /* This type is of PDF color spaces. */ - typedef enum { - T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ -@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16 xuint16=0; - - directorycount=TIFFNumberOfDirectories(input); -+ if(directorycount > TIFF_DIR_MAX) { -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "TIFF contains too many directories, %s", -+ TIFFFileName(input)); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); - if(t2p->tiff_pages==NULL){ - TIFFError( -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index c69177e..c60cb38 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); - #define DUMP_TEXT 1 - #define DUMP_RAW 2 - -+#define TIFF_DIR_MAX 65534 -+ - /* Offsets into buffer for margins and fixed width and length segments */ - struct offset { - uint32 tmargin; -@@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) - pageNum = -1; - else - total_images = 0; -- /* read multiple input files and write to output file(s) */ -+ /* Read multiple input files and write to output file(s) */ - while (optind < argc - 1) - { - in = TIFFOpen (argv[optind], "r"); -@@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) - return (-3); - - /* If only one input file is specified, we can use directory count */ -- total_images = TIFFNumberOfDirectories(in); -+ total_images = TIFFNumberOfDirectories(in); -+ if (total_images > TIFF_DIR_MAX) -+ { -+ TIFFError (TIFFFileName(in), "File contains too many directories"); -+ if (out != NULL) -+ (void) TIFFClose(out); -+ return (1); -+ } - if (image_count == 0) - { - dirnum = 0; --- -2.13.6 - diff --git a/libtiff-CVE-2018-7456.patch b/libtiff-CVE-2018-7456.patch deleted file mode 100644 index 65a894731b23b8d86a12fe70fd07c46b1cc7ff1a..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2018-7456.patch +++ /dev/null @@ -1,170 +0,0 @@ -From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Nikola=20Forr=C3=B3?= -Date: Tue, 17 Apr 2018 18:42:09 +0200 -Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory - -The TIFFPrintDirectory function relies on the following assumptions, -supposed to be guaranteed by the specification: - -(a) A Transfer Function field is only present if the TIFF file has - photometric type < 3. - -(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field - has count SamplesPerPixel - (Color Channels) and contains - information about supplementary channels. - -While respect of (a) and (b) are essential for the well functioning of -TIFFPrintDirectory, no checks are realized neither by the callee nor -by TIFFPrintDirectory itself. Hence, following scenarios might happen -and trigger the NULL pointer dereference: - -(1) TIFF File of photometric type 4 or more has illegal Transfer - Function field. - -(2) TIFF File has photometric type 3 or less and defines a - SamplesPerPixel field such that SamplesPerPixel > Color Channels - without defining all extra samples in the ExtraSamples fields. - -In this patch, we address both issues with respect of the following -principles: - -(A) In the case of (1), the defined transfer table should be printed - safely even if it isn't 'legal'. This allows us to avoid expensive - checks in TIFFPrintDirectory. Also, it is quite possible that - an alternative photometric type would be developed (not part of the - standard) and would allow definition of Transfer Table. We want - libtiff to be able to handle this scenario out of the box. - -(B) In the case of (2), the transfer table should be printed at its - right size, that is if TIFF file has photometric type Palette - then the transfer table should have one row and not three, even - if two extra samples are declared. - -In order to fulfill (A) we simply add a new 'i < 3' end condition to -the broken TIFFPrintDirectory loop. This makes sure that in any case -where (b) would be respected but not (a), everything stays fine. - -(B) is fulfilled by the loop condition -'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as -long as (b) is respected. - -Naturally, we also make sure (b) is respected. This is done in the -TIFFReadDirectory function by making sure any non-color channel is -counted in ExtraSamples. - -This commit addresses CVE-2018-7456. ---- - libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++ - libtiff/tif_print.c | 2 +- - 2 files changed, 63 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 5e62e81..80aaf8d 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin - static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); - static void ChopUpSingleUncompressedStrip(TIFF*); - static uint64 TIFFReadUInt64(const uint8 *value); -+static int _TIFFGetMaxColorChannels(uint16 photometric); - - static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); - -@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c - } - } - -+/* -+ * Return the maximum number of color channels specified for a given photometric -+ * type. 0 is returned if photometric type isn't supported or no default value -+ * is defined by the specification. -+ */ -+static int _TIFFGetMaxColorChannels( uint16 photometric ) -+{ -+ switch (photometric) { -+ case PHOTOMETRIC_PALETTE: -+ case PHOTOMETRIC_MINISWHITE: -+ case PHOTOMETRIC_MINISBLACK: -+ return 1; -+ case PHOTOMETRIC_YCBCR: -+ case PHOTOMETRIC_RGB: -+ case PHOTOMETRIC_CIELAB: -+ return 3; -+ case PHOTOMETRIC_SEPARATED: -+ case PHOTOMETRIC_MASK: -+ return 4; -+ case PHOTOMETRIC_LOGL: -+ case PHOTOMETRIC_LOGLUV: -+ case PHOTOMETRIC_CFA: -+ case PHOTOMETRIC_ITULAB: -+ case PHOTOMETRIC_ICCLAB: -+ default: -+ return 0; -+ } -+} -+ - /* - * Read the next TIFF directory from a file and convert it to the internal - * format. We read directories sequentially. -@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif) - uint32 fii=FAILED_FII; - toff_t nextdiroff; - int bitspersample_read = FALSE; -+ int color_channels; - - tif->tif_diroff=tif->tif_nextdiroff; - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) -@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif) - } - } - } -+ -+ /* -+ * Make sure all non-color channels are extrasamples. -+ * If it's not the case, define them as such. -+ */ -+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); -+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { -+ uint16 old_extrasamples; -+ uint16 *new_sampleinfo; -+ -+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " -+ "color channels and ExtraSamples doesn't match SamplesPerPixel. " -+ "Defining non-color channels as ExtraSamples."); -+ -+ old_extrasamples = tif->tif_dir.td_extrasamples; -+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); -+ -+ // sampleinfo should contain information relative to these new extra samples -+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); -+ if (!new_sampleinfo) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " -+ "temporary new sampleinfo array (%d 16 bit elements)", -+ tif->tif_dir.td_extrasamples); -+ goto bad; -+ } -+ -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); -+ _TIFFfree(new_sampleinfo); -+ } -+ - /* - * Verify Palette image has a Colormap. - */ -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index 24d4b98..10a588e 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - uint16 i; - fprintf(fd, " %2ld: %5u", - l, td->td_transferfunction[0][l]); -- for (i = 1; i < td->td_samplesperpixel; i++) -+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) - fprintf(fd, " %5u", - td->td_transferfunction[i][l]); - fputc('\n', fd); --- -2.17.0 - diff --git a/libtiff-CVE-2018-8905.patch b/libtiff-CVE-2018-8905.patch deleted file mode 100644 index be6bee4ee5075122d8c645c1c9daa20cc69f6c6b..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2018-8905.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 1c127eb3cb7653bd61b61f9c3cfeb36fd10edab1 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 12 May 2018 15:32:31 +0200 -Subject: [PATCH 3/4] LZWDecodeCompat(): fix potential index-out-of-bounds - write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / - CVE-2018-8905 - -The fix consists in using the similar code LZWDecode() to validate we -don't write outside of the output buffer. ---- - libtiff/tif_lzw.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index bc8f9c8..186ea3c 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - char *tp; - unsigned char *bp; - int code, nbits; -+ int len; - long nextbits, nextdata, nbitsmask; - code_t *codep, *free_entp, *maxcodep, *oldcodep; - -@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - } while (--occ); - break; - } -- assert(occ >= codep->length); -- op += codep->length; -- occ -= codep->length; -- tp = op; -+ len = codep->length; -+ tp = op + len; - do { -- *--tp = codep->value; -- } while( (codep = codep->next) != NULL ); -+ int t; -+ --tp; -+ t = codep->value; -+ codep = codep->next; -+ *tp = (char)t; -+ } while (codep && tp > op); -+ assert(occ >= len); -+ op += len; -+ occ -= len; - } else { - *op++ = (char)code; - occ--; --- -2.17.0 - diff --git a/libtiff-CVE-2019-14973.patch b/libtiff-CVE-2019-14973.patch deleted file mode 100644 index f98ea1e2dcc86e7984f4808ea602d62ed00e6b93..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2019-14973.patch +++ /dev/null @@ -1,424 +0,0 @@ -From 218c3753fba788c78a9b5e515e884043f6e2ba28 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 10 Aug 2019 18:25:03 +0200 -Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other - implementation-defined behaviour (CVE-2019-14973) - -_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow -in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus -signed), which was especially easily triggered on 32-bit builds (with recent -enough compilers that assume that signed multiplication cannot overflow, since -this is undefined behaviour by the C standard). The original issue which lead to -this fix was trigged from tif_fax3.c - -There were also unsafe (implementation defied), and broken in practice on 64bit -builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing -(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known -at that time exploits, but are better to fix in a more bullet-proof way. -Or similarly use of (int64)uint64_var <= 0. ---- - libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++----- - libtiff/tif_getimage.c | 6 ++---- - libtiff/tif_luv.c | 8 +------ - libtiff/tif_pixarlog.c | 7 +----- - libtiff/tif_read.c | 38 +++++++++----------------------- - libtiff/tif_strip.c | 35 ++++-------------------------- - libtiff/tif_tile.c | 27 +++-------------------- - libtiff/tiffiop.h | 7 +++++- - 8 files changed, 71 insertions(+), 106 deletions(-) - -diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c -index 10b8d00..38a98b6 100644 ---- a/libtiff/tif_aux.c -+++ b/libtiff/tif_aux.c -@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) - return bytes; - } - -+tmsize_t -+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) -+{ -+ if( first <= 0 || second <= 0 ) -+ { -+ if( tif != NULL && where != NULL ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, where, -+ "Invalid argument to _TIFFMultiplySSize() in %s", where); -+ } -+ return 0; -+ } -+ -+ if( first > TIFF_TMSIZE_T_MAX / second ) -+ { -+ if( tif != NULL && where != NULL ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, where, -+ "Integer overflow in %s", where); -+ } -+ return 0; -+ } -+ return first * second; -+} -+ -+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) -+{ -+ if( val > (uint64)TIFF_TMSIZE_T_MAX ) -+ { -+ if( tif != NULL && module != NULL ) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -+ } -+ return 0; -+ } -+ return (tmsize_t)val; -+} -+ - void* - _TIFFCheckRealloc(TIFF* tif, void* buffer, - tmsize_t nmemb, tmsize_t elem_size, const char* what) - { - void* cp = NULL; -- tmsize_t bytes = nmemb * elem_size; -- -+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); - /* -- * XXX: Check for integer overflow. -+ * Check for integer overflow. - */ -- if (nmemb && elem_size && bytes / elem_size == nmemb) -- cp = _TIFFrealloc(buffer, bytes); -+ if (count != 0) -+ { -+ cp = _TIFFrealloc(buffer, count); -+ } - - if (cp == NULL) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index fc554cc..ec09fea 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - uint32 leftmost_tw; - - tilesize = TIFFTileSize(tif); -- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); -+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); - if (bufsize == 0) { -- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); - return (0); - } - -@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - uint16 colorchannels; - - stripsize = TIFFStripSize(tif); -- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); -+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); - if (bufsize == 0) { -- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); - return (0); - } - -diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c -index 4b25244..c4cb73a 100644 ---- a/libtiff/tif_luv.c -+++ b/libtiff/tif_luv.c -@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td) - return (SGILOGDATAFMT_UNKNOWN); - } - -- --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -- - static tmsize_t - multiply_ms(tmsize_t m1, tmsize_t m2) - { -- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) -- return 0; -- return m1 * m2; -+ return _TIFFMultiplySSize(NULL, m1, m2, NULL); - } - - static int -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c -index 979858d..8e9eaa1 100644 ---- a/libtiff/tif_pixarlog.c -+++ b/libtiff/tif_pixarlog.c -@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td) - return guess; - } - --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -- - static tmsize_t - multiply_ms(tmsize_t m1, tmsize_t m2) - { -- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) -- return 0; -- return m1 * m2; -+ return _TIFFMultiplySSize(NULL, m1, m2, NULL); - } - - static tmsize_t -diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c -index 04100f4..9a0e6e9 100644 ---- a/libtiff/tif_read.c -+++ b/libtiff/tif_read.c -@@ -31,9 +31,6 @@ - #include "tiffiop.h" - #include - --#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) --#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -- - int TIFFFillStrip(TIFF* tif, uint32 strip); - int TIFFFillTile(TIFF* tif, uint32 tile); - static int TIFFStartStrip(TIFF* tif, uint32 strip); -@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m - #define THRESHOLD_MULTIPLIER 10 - #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) - -+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF) -+ - /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' - * Returns 1 in case of success, 0 otherwise. */ - static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, -@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) - return ((tmsize_t)(-1)); - } - bytecount = td->td_stripbytecount[strip]; -- if ((int64)bytecount <= 0) { --#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) -- TIFFErrorExt(tif->tif_clientdata, module, -- "%I64u: Invalid strip byte count, strip %lu", -- (unsigned __int64) bytecount, -- (unsigned long) strip); --#else -- TIFFErrorExt(tif->tif_clientdata, module, -- "%llu: Invalid strip byte count, strip %lu", -- (unsigned long long) bytecount, -- (unsigned long) strip); --#endif -- return ((tmsize_t)(-1)); -- } -- bytecountm = (tmsize_t)bytecount; -- if ((uint64)bytecountm!=bytecount) { -- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); -+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module); -+ if (bytecountm == 0) { - return ((tmsize_t)(-1)); - } - if (size != (tmsize_t)(-1) && size < bytecountm) -@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) - if ((tif->tif_flags&TIFF_NOREADRAW)==0) - { - uint64 bytecount = td->td_stripbytecount[strip]; -- if ((int64)bytecount <= 0) { -+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, - "Invalid strip byte count %I64u, strip %lu", -@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) - (bytecount - 4096) / 10 > (uint64)stripsize ) - { - uint64 newbytecount = (uint64)stripsize * 10 + 4096; -- if( (int64)newbytecount >= 0 ) -+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) - { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFWarningExt(tif->tif_clientdata, module, -@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) - bytecount64 = td->td_stripbytecount[tile]; - if (size != (tmsize_t)(-1) && (uint64)size < bytecount64) - bytecount64 = (uint64)size; -- bytecountm = (tmsize_t)bytecount64; -- if ((uint64)bytecountm!=bytecount64) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module); -+ if( bytecountm == 0 ) { - return ((tmsize_t)(-1)); - } - return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); -@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) - if ((tif->tif_flags&TIFF_NOREADRAW)==0) - { - uint64 bytecount = td->td_stripbytecount[tile]; -- if ((int64)bytecount <= 0) { -+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, - "%I64u: Invalid tile byte count, tile %lu", -@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) - (bytecount - 4096) / 10 > (uint64)stripsize ) - { - uint64 newbytecount = (uint64)stripsize * 10 + 4096; -- if( (int64)newbytecount >= 0 ) -+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) - { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFWarningExt(tif->tif_clientdata, module, -diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c -index 6e9f2ef..321ad6b 100644 ---- a/libtiff/tif_strip.c -+++ b/libtiff/tif_strip.c -@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) - { - static const char module[] = "TIFFVStripSize"; - uint64 m; -- tmsize_t n; - m=TIFFVStripSize64(tif,nrows); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif) - { - static const char module[] = "TIFFStripSize"; - uint64 m; -- tmsize_t n; - m=TIFFStripSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif) - { - static const char module[] = "TIFFScanlineSize"; - uint64 m; -- tmsize_t n; - m=TIFFScanlineSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif) - { - static const char module[] = "TIFFRasterScanlineSize"; - uint64 m; -- tmsize_t n; - m=TIFFRasterScanlineSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* vim: set ts=8 sts=8 sw=8 noet: */ -diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c -index 388e168..7d05750 100644 ---- a/libtiff/tif_tile.c -+++ b/libtiff/tif_tile.c -@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif) - { - static const char module[] = "TIFFTileRowSize"; - uint64 m; -- tmsize_t n; - m=TIFFTileRowSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) - { - static const char module[] = "TIFFVTileSize"; - uint64 m; -- tmsize_t n; - m=TIFFVTileSize64(tif,nrows); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif) - { - static const char module[] = "TIFFTileSize"; - uint64 m; -- tmsize_t n; - m=TIFFTileSize64(tif); -- n=(tmsize_t)m; -- if ((uint64)n!=m) -- { -- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); -- n=0; -- } -- return(n); -+ return _TIFFCastUInt64ToSSize(tif, m, module); - } - - /* -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index 08e5dc4..d4b8631 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); - #define FALSE 0 - #endif - -+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) -+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) -+ - typedef struct client_info { - struct client_info *next; - void *data; -@@ -260,7 +263,7 @@ struct tiff { - #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) - #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) - --/* Safe multiply which returns zero if there is an integer overflow */ -+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ - #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) - - #define TIFFmax(A,B) ((A)>(B)?(A):(B)) -@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; - - extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); - extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); -+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); -+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); - extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); - extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); - --- -2.21.0 - diff --git a/libtiff-CVE-2019-17546.patch b/libtiff-CVE-2019-17546.patch deleted file mode 100644 index b802ce6b5c47e0ceb7e4a70307ece5803e1569a3..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2019-17546.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 3d451e3f95cbb67dd771a986991b5b6107140c4e Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 15 Aug 2019 15:05:28 +0200 -Subject: [PATCH] RGBA interface: fix integer overflow potentially causing - write heap buffer overflow, especially on 32 bit builds. Fixes - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS - Fuzz - ---- - libtiff/tif_getimage.c | 26 ++++++++++++++++++++------ - 1 file changed, 20 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index ec09fea..c6edd27 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - fromskew = (w < imagewidth ? imagewidth - w : 0); - for (row = 0; row < h; row += nrow) - { -+ uint32 temp; - rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; - nrow = (row + rowstoread > h ? h - row : rowstoread); - nrowsub = nrow; - if ((nrowsub%subsamplingver)!=0) - nrowsub+=subsamplingver-nrowsub%subsamplingver; -+ temp = (row + img->row_offset)%rowsperstrip + nrowsub; -+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); -+ return 0; -+ } - if (_TIFFReadEncodedStripAndAllocBuffer(tif, - TIFFComputeStrip(tif,row+img->row_offset, 0), - (void**)(&buf), - maxstripsize, -- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) -+ temp * scanline)==(tmsize_t)(-1) - && (buf == NULL || img->stoponerr)) - { - ret = 0; -@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - fromskew = (w < imagewidth ? imagewidth - w : 0); - for (row = 0; row < h; row += nrow) - { -+ uint32 temp; - rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; - nrow = (row + rowstoread > h ? h - row : rowstoread); - offset_row = row + img->row_offset; -+ temp = (row + img->row_offset)%rowsperstrip + nrow; -+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); -+ return 0; -+ } - if( buf == NULL ) - { - if (_TIFFReadEncodedStripAndAllocBuffer( - tif, TIFFComputeStrip(tif, offset_row, 0), - (void**) &buf, bufsize, -- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ temp * scanline)==(tmsize_t)(-1) - && (buf == NULL || img->stoponerr)) - { - ret = 0; -@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - } - else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), -- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ p0, temp * scanline)==(tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - if (colorchannels > 1 - && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), -- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) -+ p1, temp * scanline) == (tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - if (colorchannels > 1 - && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), -- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) -+ p2, temp * scanline) == (tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - if (alpha) - { - if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), -- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ pa, temp * scanline)==(tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; --- -2.21.1 - diff --git a/libtiff-CVE-2020-19131.patch b/libtiff-CVE-2020-19131.patch deleted file mode 100644 index 6db20cce36da6fde8c3a5db41a5f9cbe0ca6dd98..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2020-19131.patch +++ /dev/null @@ -1,89 +0,0 @@ -From b64713005e6110c36265750435cfa641d3a9281f Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Mon, 11 Feb 2019 23:08:25 +0100 -Subject: [PATCH] tiffcrop.c: fix invertImage() for bps 2 and 4 - -too much bytes were processed, causing a heap buffer overrun - http://bugzilla.maptools.org/show_bug.cgi?id=2831 -the loop counter must be - for (col = 0; col < width; col += 8 / bps) - -Also the values were not properly calculated. It should be -255-x, 15-x, 3-x for bps 8, 4, 2. - -But anyway it is easyer to invert all bits as 255-x = ~x, etc. -(substracting from a binary number composed of all 1 is like inverting -the bits) ---- - tools/tiffcrop.c | 37 ++++++------------------------------- - 1 file changed, 6 insertions(+), 31 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 3862b1c..a612914 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -9142,7 +9142,6 @@ static int - invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff) - { - uint32 row, col; -- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4; - unsigned char *src; - uint16 *src_uint16; - uint32 *src_uint32; -@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len - for (row = 0; row < length; row++) - for (col = 0; col < width; col++) - { -- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32; -+ *src_uint32 = ~(*src_uint32); - src_uint32++; - } - break; -@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len - for (row = 0; row < length; row++) - for (col = 0; col < width; col++) - { -- *src_uint16 = (uint16)0xFFFF - *src_uint16; -+ *src_uint16 = ~(*src_uint16); - src_uint16++; - } - break; -- case 8: for (row = 0; row < length; row++) -- for (col = 0; col < width; col++) -- { -- *src = (uint8)255 - *src; -- src++; -- } -- break; -- case 4: for (row = 0; row < length; row++) -- for (col = 0; col < width; col++) -- { -- bytebuff1 = 16 - (uint8)(*src & 240 >> 4); -- bytebuff2 = 16 - (*src & 15); -- *src = bytebuff1 << 4 & bytebuff2; -- src++; -- } -- break; -- case 2: for (row = 0; row < length; row++) -- for (col = 0; col < width; col++) -- { -- bytebuff1 = 4 - (uint8)(*src & 192 >> 6); -- bytebuff2 = 4 - (uint8)(*src & 48 >> 4); -- bytebuff3 = 4 - (uint8)(*src & 12 >> 2); -- bytebuff4 = 4 - (uint8)(*src & 3); -- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4; -- src++; -- } -- break; -+ case 8: -+ case 4: -+ case 2: - case 1: for (row = 0; row < length; row++) -- for (col = 0; col < width; col += 8 /(spp * bps)) -+ for (col = 0; col < width; col += 8 / bps) - { - *src = ~(*src); - src++; --- -2.32.0 - diff --git a/libtiff-CVE-2020-35521_CVE-2020-35522.patch b/libtiff-CVE-2020-35521_CVE-2020-35522.patch deleted file mode 100644 index 83c7ae77e18495d9556f9a42d8bd1c6ca8ca6aa3..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2020-35521_CVE-2020-35522.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Sun, 15 Nov 2020 17:02:51 +0100 -Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba - -fixes #207 -fixes #209 ---- - tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c -index 4de96ae..e6de220 100644 ---- a/tools/tiff2rgba.c -+++ b/tools/tiff2rgba.c -@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1; - int process_by_block = 0; /* default is whole image at once */ - int no_alpha = 0; - int bigtiff_output = 0; -+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) -+/* malloc size limit (in bytes) -+ * disabled when set to 0 */ -+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; - - - static int tiffcvt(TIFF* in, TIFF* out); -@@ -70,8 +74,11 @@ main(int argc, char* argv[]) - extern char *optarg; - #endif - -- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1) -+ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1) - switch (c) { -+ case 'M': -+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; -+ break; - case 'b': - process_by_block = 1; - break; -@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) - (unsigned long)width, (unsigned long)height); - return 0; - } -+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { -+ TIFFError(TIFFFileName(in), -+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", -+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); -+ return 0; -+ } - - rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); -@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out) - TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); - CopyField(TIFFTAG_DOCUMENTNAME, stringv); - -+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) -+ { -+ TIFFError(TIFFFileName(in), -+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", -+ (uint64)TIFFStripSize(in), (uint64)maxMalloc); -+ return 0; -+ } - if( process_by_block && TIFFIsTiled( in ) ) - return( cvt_by_tile( in, out ) ); - else if( process_by_block ) -@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out) - } - - static char* stuff[] = { -- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", -+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", - "where comp is one of the following compression algorithms:", - " jpeg\t\tJPEG encoding", - " zip\t\tZip/Deflate encoding", -@@ -543,6 +563,7 @@ static char* stuff[] = { - " -b (progress by block rather than as a whole image)", - " -n don't emit alpha component.", - " -8 write BigTIFF file instead of ClassicTIFF", -+ " -M set the memory allocation limit in MiB. 0 to disable limit", - NULL - }; - --- -2.31.1 - diff --git a/libtiff-CVE-2020-35523.patch b/libtiff-CVE-2020-35523.patch deleted file mode 100644 index 0f2ca430a59a1e208124af3a55f52da44bde528c..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2020-35523.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Tue, 10 Nov 2020 01:54:30 +0100 -Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow - -fixes #211 ---- - libtiff/tif_getimage.c | 17 +++++++++++++---- - 1 file changed, 13 insertions(+), 4 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index c6edd27..b1f7cc9 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -31,6 +31,7 @@ - */ - #include "tiffiop.h" - #include -+#include - - static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); - static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); -@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - - flip = setorientation(img); - if (flip & FLIP_VERTICALLY) { -- y = h - 1; -- toskew = -(int32)(tw + w); -+ if ((tw + w) > INT_MAX) { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); -+ return (0); -+ } -+ y = h - 1; -+ toskew = -(int32)(tw + w); - } - else { -- y = 0; -- toskew = -(int32)(tw - w); -+ if (tw > (INT_MAX + w)) { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); -+ return (0); -+ } -+ y = 0; -+ toskew = -(int32)(tw - w); - } - - /* --- -2.31.1 - diff --git a/libtiff-CVE-2020-35524.patch b/libtiff-CVE-2020-35524.patch deleted file mode 100644 index 3dda4e2cc427e088f088038fa33af223e81c2582..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2020-35524.patch +++ /dev/null @@ -1,39 +0,0 @@ -From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Sat, 14 Nov 2020 12:53:01 +0000 -Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to - JPEG YCbCr - -fixes #220 ---- - tools/tiff2pdf.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index a15a3ef..db380ec 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){ - #endif - (void) 0; - } -- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); -- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ -- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); -+#ifdef JPEG_SUPPORT -+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG -+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) { -+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p); -+ } else -+#endif -+ { -+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); -+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ -+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); -+ } - } - if (k == 0) { - /* Assume we had overflow inside TIFFScanlineSize */ --- -2.31.1 - diff --git a/libtiff-coverity.patch b/libtiff-coverity.patch deleted file mode 100644 index 04a445a9aee264947ef391e791f689235a4e40c6..0000000000000000000000000000000000000000 --- a/libtiff-coverity.patch +++ /dev/null @@ -1,42 +0,0 @@ -diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c -index 81ffa3d..a02e865 100644 ---- a/tools/ppm2tiff.c -+++ b/tools/ppm2tiff.c -@@ -285,6 +285,8 @@ main(int argc, char* argv[]) - if (TIFFWriteScanline(out, buf, row, 0) < 0) - break; - } -+ if (in != stdin) -+ fclose(in); - (void) TIFFClose(out); - if (buf) - _TIFFfree(buf); -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index bd23c9e..a15a3ef 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_ - "for t2p_readwrite_pdf_image_tile, %s", - (unsigned long) t2p->tiff_datasize, - TIFFFileName(input)); -+ _TIFFfree(buffer); - t2p->t2p_error = T2P_ERR_ERROR; - return(0); - } -@@ -3747,11 +3748,11 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount) - { - uint32 i; - -- /* For the 3 first samples, there is overlapping between souce and -- destination, so use memmove(). -- See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */ -- for(i = 0; i < 3 && i < samplecount; i++) -- memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3); -+ /* For the 3 first samples, there is overlapping between souce and -+ destination, so use memmove(). -+ See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */ -+ for(i = 0; i < 3 && i < samplecount; i++) -+ memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3); - for(; i < samplecount; i++) - memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3); - diff --git a/libtiff.spec b/libtiff.spec index e23c4d538afd850df62ffdafc537ef7bccabd738..f81a08faedc50ca97d2fa1ce18455da010a14a06 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,38 +1,29 @@ -%define anolis_release .0.1 - Summary: Library of functions for manipulating TIFF format image files Name: libtiff -Version: 4.0.9 -Release: 21%{anolis_release}%{?dist} +Version: 4.4.0 +Release: 7%{?dist} License: libtiff -Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz -Patch0: libtiff-am-version.patch -Patch1: libtiff-make-check.patch -Patch2: libtiff-CVE-2018-5784.patch -Patch3: libtiff-CVE-2018-7456.patch -Patch4: libtiff-CVE-2017-9935.patch -Patch5: libtiff-CVE-2017-18013.patch -Patch6: libtiff-CVE-2018-8905.patch -Patch7: libtiff-CVE-2018-10963.patch -Patch8: libtiff-CVE-2018-17100.patch -Patch9: libtiff-coverity.patch -Patch10: libtiff-CVE-2018-18557.patch -Patch11: libtiff-CVE-2018-18661.patch -Patch12: libtiff-CVE-2018-12900.patch -Patch13: libtiff-CVE-2019-14973.patch -Patch14: libtiff-CVE-2019-17546.patch -Patch15: libtiff-CVE-2020-35521_CVE-2020-35522.patch -Patch16: libtiff-CVE-2020-35523.patch -Patch17: libtiff-CVE-2020-35524.patch -Patch18: libtiff-CVE-2020-19131.patch +# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/c9s +# Patches were generated by: git format-patch --no-signature -N ... +Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch +Patch0002: 0002-Fix-Makefile.patch +Patch0003: 0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch +Patch0004: 0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch +Patch0005: 0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch +Patch0006: 0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch +Patch0007: 0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch +Patch0008: 0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch +Patch0009: 0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch + BuildRequires: gcc, gcc-c++ -BuildRequires: zlib-devel libjpeg-devel jbigkit-devel +BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel BuildRequires: libtool automake autoconf pkgconfig +BuildRequires: make %description The libtiff package contains a library of functions for manipulating @@ -45,9 +36,8 @@ format image files. %package devel Summary: Development tools for programs which will use the libtiff library -Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: pkgconfig%{?_isa} +Requires: pkgconfig %description devel This package contains the header files and documentation necessary for @@ -60,7 +50,6 @@ install the libtiff package. %package static Summary: Static TIFF image format file library -Group: Development/Libraries Requires: %{name}-devel%{?_isa} = %{version}-%{release} %description static @@ -70,43 +59,14 @@ necessary for some boot packages. %package tools Summary: Command-line utility programs for manipulating TIFF files -Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} %description tools This package contains command-line programs for manipulating TIFF format image files using the libtiff library. -%package doc -Summary: Documents for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} - -%description doc -Doc pages for %{name}. - %prep -%setup -q -n tiff-%{version} - -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 +%autosetup -p1 -n tiff-%{version} # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -120,10 +80,10 @@ autoheader %build export CFLAGS="%{optflags} -fno-strict-aliasing" %configure --enable-ld-version-script -make %{?_smp_mflags} +%make_build %install -make DESTDIR=$RPM_BUILD_ROOT install +%make_install # remove what we didn't want installed rm $RPM_BUILD_ROOT%{_libdir}/*.la @@ -190,11 +150,13 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check find html -name 'Makefile*' | xargs rm %files -%doc COPYRIGHT +%license COPYRIGHT +%doc README.md RELEASE-DATE VERSION %{_libdir}/libtiff.so.* %{_libdir}/libtiffxx.so.* %files devel +%doc TODO ChangeLog html %{_includedir}/* %{_libdir}/libtiff.so %{_libdir}/libtiffxx.so @@ -208,55 +170,99 @@ find html -name 'Makefile*' | xargs rm %{_bindir}/* %{_mandir}/man1/* -%files doc -%doc README RELEASE-DATE VERSION TODO ChangeLog html - %changelog -* Tue Jul 19 2022 Zhao Hang - 4.0.9-21.0.1 -- Add doc sub package +* Tue Dec 06 2022 Matej Mužila - 4.4.0-7 +- Fix CVE-2022-3970 +- Resolves: CVE-2022-3970 + +* Mon Dec 05 2022 Matej Mužila - 4.4.0-6 +- Fix CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570 CVE-2022-3598 + CVE-2022-3627 +- Resolves: CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570 + CVE-2022-3598 CVE-2022-3627 + +* Mon Oct 24 2022 Matej Mužila - 4.4.0-5 +- Bump release +- Resolves: CVE-2022-2953 + +* Tue Oct 11 2022 Matej Mužila - 4.4.0-4 +- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 + +* Mon Jul 18 2022 Matej Mužila 4.4.0-3 +- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 +- Resolves: #2106768 + +* Wed Jun 15 2022 Matej Mužila 4.4.0-2 +- Update to version 4.4.0 +- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865 + CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1354 + CVE-2022-1355 + +* Mon Aug 09 2021 Mohan Boddu - 4.2.0-3 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Apr 16 2021 Mohan Boddu - 4.2.0-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Feb 02 2021 Nikola Forró - 4.2.0-1 +- New upstream release 4.2.0 (#1909412) + +* Tue Jan 26 2021 Fedora Release Engineering - 4.1.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jan 04 2021 Nikola Forró - 4.1.0-6 +- Build with ZSTD and WEBP support (#1911969) + +* Mon Nov 02 2020 Nikola Forró - 4.1.0-5 +- Remove libtiff-devel dependency on arch-specific pkgconfig + +* Tue Jul 28 2020 Fedora Release Engineering - 4.1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 13 2020 Tom Stellard - 4.1.0-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro -* Wed Sep 29 2021 Nikola Forró - 4.0.9-21 -- Fix CVE-2020-19131 (#2006535) +* Wed Jan 29 2020 Fedora Release Engineering - 4.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild -* Thu Apr 29 2021 Nikola Forró - 4.0.9-20 -- Rebuild for fixed binutils (#1954437) +* Tue Nov 05 2019 Nikola Forró - 4.1.0-1 +- New upstream version libtiff-4.1.0 (#1768276) -* Fri Apr 09 2021 Nikola Forró - 4.0.9-19 -- Fix CVE-2020-35521 (#1945539) -- Fix CVE-2020-35522 (#1945555) -- Fix CVE-2020-35523 (#1945542) -- Fix CVE-2020-35524 (#1945546) +* Thu Jul 25 2019 Fedora Release Engineering - 4.0.10-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild -* Thu Feb 20 2020 Nikola Forró - 4.0.9-18 -- Fix CVE-2019-17546 (#1771372) +* Wed Jun 12 2019 Nikola Forró - 4.0.10-5 +- Fix CVE-2018-19210 (#1649387) -* Thu Nov 28 2019 Nikola Forró - 4.0.9-17 -- Add upstream test suite and enable it in gating +* Fri Feb 15 2019 Nikola Forró - 4.0.10-4 +- Fix CVE-2019-7663 (#1677529) -* Wed Nov 27 2019 Nikola Forró - 4.0.9-16 -- Fix CVE-2019-14973 (#1755705) +* Fri Feb 01 2019 Fedora Release Engineering - 4.0.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild -* Wed Jun 12 2019 Nikola Forró - 4.0.9-15 -- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579) +* Wed Jan 30 2019 Nikola Forró - 4.0.10-2 +- Fix CVE-2019-6128 (#1667124) -* Thu Jun 06 2019 Nikola Forró - 4.0.9-14 -- Fix CVE-2018-12900 (#1595579) +* Wed Nov 14 2018 Nikola Forró - 4.0.10-1 +- New upstream version libtiff-4.0.10 -* Thu Dec 13 2018 Nikola Forró - 4.0.9-13 -- Fix compiler warning introduced by patch for CVE-2018-18661 +* Thu Oct 11 2018 Nikola Forró - 4.0.9-13 +- Fix CVE-2018-17100 (#1631070) and CVE-2018-17101 (#1631079) -* Wed Nov 14 2018 Nikola Forró - 4.0.9-12 -- Fix CVE-2018-18557 (#1647738) and CVE-2018-18661 (#1644452) +* Thu Oct 11 2018 Nikola Forró - 4.0.9-12 +- Fix CVE-2018-10779 (#1577316) -* Mon Oct 15 2018 Nikola Forró - 4.0.9-11 -- Fix important Covscan defects (#1602597) +* Fri Jul 13 2018 Fedora Release Engineering - 4.0.9-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild -* Mon Oct 15 2018 Nikola Forró - 4.0.9-10 -- Fix CVE-2018-17100 (#1631073) +* Wed Jun 06 2018 Nikola Forró - 4.0.9-10 +- Fix CVE-2017-11613 (#1475531) * Wed May 30 2018 Nikola Forró - 4.0.9-9 -- Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-8905 (#1559708) - and CVE-2018-10963 (#1579060) +- Fix CVE-2017-9935, CVE-2017-18013 (#1530441), + CVE-2018-8905 (#1559705) and CVE-2018-10963 (#1579061) * Tue Apr 17 2018 Nikola Forró - 4.0.9-8 - Fix CVE-2018-7456 (#1556709)