diff options
21 files changed, 1922 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am index 9aa4bd1fb6..81d87aeec9 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -472,6 +472,25 @@ dist_patch_DATA = \ gnu/packages/patches/liboop-mips64-deplibs-fix.patch \ gnu/packages/patches/libmad-mips-newgcc.patch \ gnu/packages/patches/libtheora-config-guess.patch \ + gnu/packages/patches/libtiff-CVE-2012-4564.patch \ + gnu/packages/patches/libtiff-CVE-2013-1960.patch \ + gnu/packages/patches/libtiff-CVE-2013-1961.patch \ + gnu/packages/patches/libtiff-CVE-2013-4231.patch \ + gnu/packages/patches/libtiff-CVE-2013-4232.patch \ + gnu/packages/patches/libtiff-CVE-2013-4243.patch \ + gnu/packages/patches/libtiff-CVE-2013-4244.patch \ + gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch \ + gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch \ + gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch \ + gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch \ + gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch \ + gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch \ + gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch \ + gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch \ + gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch \ + gnu/packages/patches/libtiff-CVE-2014-8129.patch \ + gnu/packages/patches/libtiff-CVE-2014-9330.patch \ + gnu/packages/patches/libtiff-CVE-2014-9655.patch \ gnu/packages/patches/libtool-skip-tests2.patch \ gnu/packages/patches/libssh-CVE-2014-0017.patch \ gnu/packages/patches/libvpx-fix-armhf-link.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 89590cc5ad..a7483ba94a 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -112,7 +112,26 @@ image files in PBMPLUS PPM/PGM, GIF, BMP, and Targa file formats.") (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-" version ".tar.gz")) (sha256 (base32 - "0wj8d1iwk9vnpax2h29xqc2hwknxg3s0ay2d5pxkg59ihbifn6pa")))) + "0wj8d1iwk9vnpax2h29xqc2hwknxg3s0ay2d5pxkg59ihbifn6pa")) + (patches (map search-patch '("libtiff-CVE-2012-4564.patch" + "libtiff-CVE-2013-1960.patch" + "libtiff-CVE-2013-1961.patch" + "libtiff-CVE-2013-4231.patch" + "libtiff-CVE-2013-4232.patch" + "libtiff-CVE-2013-4244.patch" + "libtiff-CVE-2013-4243.patch" + "libtiff-CVE-2014-9330.patch" + "libtiff-CVE-2014-8127-pt1.patch" + "libtiff-CVE-2014-8127-pt2.patch" + "libtiff-CVE-2014-8127-pt3.patch" + "libtiff-CVE-2014-8127-pt4.patch" + "libtiff-CVE-2014-8128-pt1.patch" + "libtiff-CVE-2014-8128-pt2.patch" + "libtiff-CVE-2014-8128-pt3.patch" + "libtiff-CVE-2014-8129.patch" + "libtiff-CVE-2014-9655.patch" + "libtiff-CVE-2014-8128-pt4.patch" + "libtiff-CVE-2014-8128-pt5.patch"))))) (build-system gnu-build-system) (inputs `(("zlib" ,zlib) ("libjpeg-8" ,libjpeg-8))) diff --git a/gnu/packages/patches/libtiff-CVE-2012-4564.patch b/gnu/packages/patches/libtiff-CVE-2012-4564.patch new file mode 100644 index 0000000000..472f9ca35f --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2012-4564.patch @@ -0,0 +1,33 @@ +Copied from Debian + +Index: tiff-4.0.3/tools/ppm2tiff.c +=================================================================== +--- tiff-4.0.3.orig/tools/ppm2tiff.c 2013-06-23 10:36:50.779629492 -0400 ++++ tiff-4.0.3/tools/ppm2tiff.c 2013-06-23 10:36:50.775629494 -0400 +@@ -89,6 +89,7 @@ + int c; + extern int optind; + extern char* optarg; ++ tmsize_t scanline_size; + + if (argc < 2) { + fprintf(stderr, "%s: Too few arguments\n", argv[0]); +@@ -237,8 +238,16 @@ + } + if (TIFFScanlineSize(out) > linebytes) + buf = (unsigned char *)_TIFFmalloc(linebytes); +- else +- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ else { ++ scanline_size = TIFFScanlineSize(out); ++ if (scanline_size != 0) ++ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ else { ++ fprintf(stderr, "%s: scanline size overflow\n",infile); ++ (void) TIFFClose(out); ++ exit(-2); ++ } ++ } + if (resolution > 0) { + TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); + TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); diff --git a/gnu/packages/patches/libtiff-CVE-2013-1960.patch b/gnu/packages/patches/libtiff-CVE-2013-1960.patch new file mode 100644 index 0000000000..341063f25d --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2013-1960.patch @@ -0,0 +1,148 @@ +Copied from Debian + +Index: tiff-4.0.3/tools/tiff2pdf.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:50.979629486 -0400 ++++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:50.975629486 -0400 +@@ -3341,33 +3341,56 @@ + uint32 height){ + + tsize_t i=0; +- uint16 ri =0; +- uint16 v_samp=1; +- uint16 h_samp=1; +- int j=0; +- +- i++; +- +- while(i<(*striplength)){ ++ ++ while (i < *striplength) { ++ tsize_t datalen; ++ uint16 ri; ++ uint16 v_samp; ++ uint16 h_samp; ++ int j; ++ int ncomp; ++ ++ /* marker header: one or more FFs */ ++ if (strip[i] != 0xff) ++ return(0); ++ i++; ++ while (i < *striplength && strip[i] == 0xff) ++ i++; ++ if (i >= *striplength) ++ return(0); ++ /* SOI is the only pre-SOS marker without a length word */ ++ if (strip[i] == 0xd8) ++ datalen = 0; ++ else { ++ if ((*striplength - i) <= 2) ++ return(0); ++ datalen = (strip[i+1] << 8) | strip[i+2]; ++ if (datalen < 2 || datalen >= (*striplength - i)) ++ return(0); ++ } + switch( strip[i] ){ +- case 0xd8: +- /* SOI - start of image */ ++ case 0xd8: /* SOI - start of image */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); + *bufferoffset+=2; +- i+=2; + break; +- case 0xc0: +- case 0xc1: +- case 0xc3: +- case 0xc9: +- case 0xca: ++ case 0xc0: /* SOF0 */ ++ case 0xc1: /* SOF1 */ ++ case 0xc3: /* SOF3 */ ++ case 0xc9: /* SOF9 */ ++ case 0xca: /* SOF10 */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- for(j=0;j<buffer[*bufferoffset+9];j++){ +- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) +- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); +- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) +- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ ncomp = buffer[*bufferoffset+9]; ++ if (ncomp < 1 || ncomp > 4) ++ return(0); ++ v_samp=1; ++ h_samp=1; ++ for(j=0;j<ncomp;j++){ ++ uint16 samp = buffer[*bufferoffset+11+(3*j)]; ++ if( (samp>>4) > h_samp) ++ h_samp = (samp>>4); ++ if( (samp & 0x0f) > v_samp) ++ v_samp = (samp & 0x0f); + } + v_samp*=8; + h_samp*=8; +@@ -3381,45 +3404,43 @@ + (unsigned char) ((height>>8) & 0xff); + buffer[*bufferoffset+6]= + (unsigned char) (height & 0xff); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; +- ++ *bufferoffset+=datalen+2; ++ /* insert a DRI marker */ + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]=0xdd; + buffer[(*bufferoffset)++]=0x00; + buffer[(*bufferoffset)++]=0x04; + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; + buffer[(*bufferoffset)++]= ri & 0xff; +- } else { +- i+=strip[i+2]+2; + } + break; +- case 0xc4: +- case 0xdb: +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ case 0xc4: /* DHT */ ++ case 0xdb: /* DQT */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + break; +- case 0xda: ++ case 0xda: /* SOS */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + } else { + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]= + (unsigned char)(0xd0 | ((no-1)%8)); +- i+=strip[i+2]+2; + } +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); +- *bufferoffset+=(*striplength)-i-1; ++ i += datalen + 1; ++ /* copy remainder of strip */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); ++ *bufferoffset+= *striplength - i; + return(1); + default: +- i+=strip[i+2]+2; ++ /* ignore any other marker */ ++ break; + } ++ i += datalen + 1; + } +- + ++ /* failed to find SOS marker */ + return(0); + } + #endif diff --git a/gnu/packages/patches/libtiff-CVE-2013-1961.patch b/gnu/packages/patches/libtiff-CVE-2013-1961.patch new file mode 100644 index 0000000000..9c2481ce83 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2013-1961.patch @@ -0,0 +1,770 @@ +Copied from Debian + +Index: tiff-4.0.3/contrib/dbs/xtiff/xtiff.c +=================================================================== +--- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.147629484 -0400 +@@ -512,9 +512,9 @@ + Arg args[1]; + + if (tfMultiPage) +- sprintf(buffer, "%s - page %d", fileName, tfDirectory); ++ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); + else +- strcpy(buffer, fileName); ++ snprintf(buffer, sizeof(buffer), "%s", fileName); + XtSetArg(args[0], XtNlabel, buffer); + XtSetValues(labelWidget, args, 1); + } +Index: tiff-4.0.3/libtiff/tif_dirinfo.c +=================================================================== +--- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.147629484 -0400 +@@ -711,7 +711,7 @@ + * note that this name is a special sign to TIFFClose() and + * _TIFFSetupFields() to free the field + */ +- sprintf(fld->field_name, "Tag %d", (int) tag); ++ snprintf(fld->field_name, 32, "Tag %d", (int) tag); + + return fld; + } +Index: tiff-4.0.3/libtiff/tif_codec.c +=================================================================== +--- tiff-4.0.3.orig/libtiff/tif_codec.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/libtiff/tif_codec.c 2013-06-23 10:36:51.151629482 -0400 +@@ -108,7 +108,8 @@ + const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); + char compression_code[20]; + +- sprintf( compression_code, "%d", tif->tif_dir.td_compression ); ++ snprintf(compression_code, sizeof(compression_code), "%d", ++ tif->tif_dir.td_compression ); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s compression support is not configured", + c ? c->name : compression_code ); +Index: tiff-4.0.3/tools/tiffdither.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiffdither.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/tools/tiffdither.c 2013-06-23 10:36:51.151629482 -0400 +@@ -260,7 +260,7 @@ + TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); + else + CopyField(TIFFTAG_FILLORDER, shortv); +- sprintf(thing, "Dithered B&W version of %s", argv[optind]); ++ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + CopyField(TIFFTAG_PHOTOMETRIC, shortv); + CopyField(TIFFTAG_ORIENTATION, shortv); +Index: tiff-4.0.3/tools/rgb2ycbcr.c +=================================================================== +--- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-06-23 10:36:51.151629482 -0400 +@@ -332,7 +332,8 @@ + TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); + { char buf[2048]; + char *cp = strrchr(TIFFFileName(in), '/'); +- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); ++ snprintf(buf, sizeof(buf), "YCbCr conversion of %s", ++ cp ? cp+1 : TIFFFileName(in)); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); + } + TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); +Index: tiff-4.0.3/tools/tiff2pdf.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:51.151629482 -0400 +@@ -3630,7 +3630,9 @@ + char buffer[16]; + int buflen=0; + +- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); ++ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", ++ t2p->pdf_majorversion&0xff, ++ t2p->pdf_minorversion&0xff); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); + +@@ -3644,10 +3646,10 @@ + tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + +- buflen=sprintf(buffer, "%lu", (unsigned long)number); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); + written += t2pWriteFile(output, (tdata_t) buffer, buflen ); + written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); + +@@ -3686,13 +3688,13 @@ + written += t2pWriteFile(output, (tdata_t) "/", 1); + for (i=0;i<namelen;i++){ + if ( ((unsigned char)name[i]) < 0x21){ +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + nextchar=1; + } + if ( ((unsigned char)name[i]) > 0x7E){ +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + nextchar=1; +@@ -3700,57 +3702,57 @@ + if (nextchar==0){ + switch (name[i]){ + case 0x23: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x25: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x28: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x29: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x2F: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x3C: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x3E: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x5B: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x5D: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x7B: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; + case 0x7D: +- sprintf(buffer, "#%.2X", name[i]); ++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); + buffer[sizeof(buffer) - 1] = '\0'; + written += t2pWriteFile(output, (tdata_t) buffer, 3); + break; +@@ -3865,14 +3867,14 @@ + tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "/Length ", 8); + if(len!=0){ + written += t2p_write_pdf_stream_length(len, output); + } else { +- buflen=sprintf(buffer, "%lu", (unsigned long)number); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + } +@@ -3913,10 +3915,10 @@ + tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + +- buflen=sprintf(buffer, "%lu", (unsigned long)len); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n", 1); + +@@ -3930,7 +3932,7 @@ + tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output) + { + tsize_t written = 0; +- char buffer[16]; ++ char buffer[32]; + int buflen = 0; + + written += t2pWriteFile(output, +@@ -3969,7 +3971,6 @@ + written += t2p_write_pdf_string(t2p->pdf_datetime, output); + } + written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); +- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); + snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); + written += t2p_write_pdf_string(buffer, output); + written += t2pWriteFile(output, (tdata_t) "\n", 1); +@@ -4110,7 +4111,7 @@ + { + tsize_t written=0; + tdir_t i=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + int page=0; +@@ -4118,7 +4119,7 @@ + (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); + page = t2p->pdf_pages+1; + for (i=0;i<t2p->tiff_pagecount;i++){ +- buflen=sprintf(buffer, "%d", page); ++ buflen=snprintf(buffer, sizeof(buffer), "%d", page); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); + if ( ((i+1)%8)==0 ) { +@@ -4133,8 +4134,7 @@ + } + } + written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); ++ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); + +@@ -4149,28 +4149,28 @@ + + unsigned int i=0; + tsize_t written=0; +- char buffer[16]; ++ char buffer[256]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); ++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "] \n", 3); + written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); +- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); + written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); +@@ -4178,15 +4178,13 @@ + written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); + for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ + written += t2pWriteFile(output, (tdata_t) "/Im", 3); +- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "_", 1); +- buflen = sprintf(buffer, "%u", i+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4198,12 +4196,10 @@ + } else { + written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); + written += t2pWriteFile(output, (tdata_t) "/Im", 3); +- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4212,9 +4208,7 @@ + if(t2p->tiff_transferfunctioncount != 0) { + written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); + t2pWriteFile(output, (tdata_t) "/GS1 ", 5); +- buflen = sprintf( +- buffer, +- "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(object + 3)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4587,7 +4581,7 @@ + if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ + for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ + box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; +- buflen=sprintf(buffer, ++ buflen=snprintf(buffer, sizeof(buffer), + "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", + t2p->tiff_transferfunctioncount?"/GS1 gs ":"", + box.mat[0], +@@ -4602,7 +4596,7 @@ + } + } else { + box=t2p->pdf_imagebox; +- buflen=sprintf(buffer, ++ buflen=snprintf(buffer, sizeof(buffer), + "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", + t2p->tiff_transferfunctioncount?"/GS1 gs ":"", + box.mat[0], +@@ -4627,59 +4621,48 @@ + TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); + written += t2pWriteFile(output, + (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", + 42); +- buflen=sprintf(buffer, "%u", t2p->pdf_page+1); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + if(tile != 0){ + written += t2pWriteFile(output, (tdata_t) "_", 1); +- buflen=sprintf(buffer, "%lu", (unsigned long)tile); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } + written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); + if(tile==0){ +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); + } else { + if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); + } else { +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); + } + } + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); + if(tile==0){ +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); + } else { + if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); + } else { +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); + } + } + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); +- _TIFFmemset((tdata_t)buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); + written += t2p_write_pdf_xobject_cs(t2p, output); +@@ -4723,11 +4706,10 @@ + t2p->pdf_colorspace ^= T2P_CS_PALETTE; + written += t2p_write_pdf_xobject_cs(t2p, output); + t2p->pdf_colorspace |= T2P_CS_PALETTE; +- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " ", 1); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); + return(written); +@@ -4761,10 +4743,10 @@ + X_W /= Y_W; + Z_W /= Y_W; + Y_W = 1.0F; +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Range ", 7); +- buflen=sprintf(buffer, "[%d %d %d %d] \n", ++ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", + t2p->pdf_labrange[0], + t2p->pdf_labrange[1], + t2p->pdf_labrange[2], +@@ -4780,26 +4762,26 @@ + tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); + if(t2p->tiff_transferfunctioncount == 1){ +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); + } else { + written += t2pWriteFile(output, (tdata_t) "[ ", 2); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 2)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)(t2p->pdf_xrefcount + 3)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); +@@ -4821,7 +4803,7 @@ + written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); + written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); + written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); +- buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample)); ++ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); + written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output); +@@ -4848,7 +4830,7 @@ + tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[128]; ++ char buffer[256]; + int buflen=0; + + float X_W=0.0; +@@ -4916,16 +4898,16 @@ + written += t2pWriteFile(output, (tdata_t) "<< \n", 4); + if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ + written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); + } + if(t2p->pdf_colorspace & T2P_CS_CALRGB){ + written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); +- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", ++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", + X_R, Y_R, Z_R, + X_G, Y_G, Z_G, + X_B, Y_B, Z_B); +@@ -4944,11 +4926,11 @@ + tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); + +@@ -4958,11 +4940,11 @@ + tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + written += t2pWriteFile(output, (tdata_t) "/N ", 3); +- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); ++ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); + t2p->pdf_colorspace ^= T2P_CS_ICCBASED; +@@ -5027,7 +5009,7 @@ + tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[16]; ++ char buffer[32]; + int buflen=0; + + if(t2p->pdf_compression==T2P_COMPRESS_NONE){ +@@ -5042,41 +5024,33 @@ + written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); + if(tile==0){ + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_width); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf(buffer, "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_length); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } + if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } else { + written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); +- buflen=sprintf( +- buffer, +- "%lu", ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + } +@@ -5103,21 +5077,17 @@ + if(t2p->pdf_compressionquality%100){ + written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); + written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); +- _TIFFmemset(buffer, 0x00, 16); +- buflen = sprintf(buffer, "%lu", ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", + (unsigned long)t2p->tiff_width); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); +- _TIFFmemset(buffer, 0x00, 16); +- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); ++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) ">>\n", 3); + } +@@ -5137,16 +5107,16 @@ + tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ + + tsize_t written=0; +- char buffer[21]; ++ char buffer[64]; + int buflen=0; + uint32 i=0; + + written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); +- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); + written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); + for (i=0;i<t2p->pdf_xrefcount;i++){ +- sprintf(buffer, "%.10lu 00000 n \n", ++ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", + (unsigned long)t2p->pdf_xrefoffsets[i]); + written += t2pWriteFile(output, (tdata_t) buffer, 20); + } +@@ -5170,17 +5140,14 @@ + snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand()); + + written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); +- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); ++ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); + written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, + sizeof(t2p->pdf_fileid) - 1); +@@ -5188,9 +5155,8 @@ + written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, + sizeof(t2p->pdf_fileid) - 1); + written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); +- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); ++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); + written += t2pWriteFile(output, (tdata_t) buffer, buflen); +- _TIFFmemset(buffer, 0x00, 32); + written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); + + return(written); +Index: tiff-4.0.3/tools/tiff2ps.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiff2ps.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/tools/tiff2ps.c 2013-06-23 10:36:51.155629481 -0400 +@@ -1781,8 +1781,8 @@ + imageOp = "imagemask"; + + (void)strcpy(im_x, "0"); +- (void)sprintf(im_y, "%lu", (long) h); +- (void)sprintf(im_h, "%lu", (long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); ++ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); + tile_width = w; + tile_height = h; + if (TIFFIsTiled(tif)) { +@@ -1803,7 +1803,7 @@ + } + if (tile_height < h) { + fputs("/im_y 0 def\n", fd); +- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); + } + } else { + repeat_count = tf_numberstrips; +@@ -1815,7 +1815,7 @@ + fprintf(fd, "/im_h %lu def\n", + (unsigned long) tile_height); + (void)strcpy(im_h, "im_h"); +- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); ++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); + } + } + +Index: tiff-4.0.3/tools/tiffcrop.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiffcrop.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/tools/tiffcrop.c 2013-06-23 10:36:51.159629481 -0400 +@@ -2077,7 +2077,7 @@ + return 1; + } + +- sprintf (filenum, "-%03d%s", findex, export_ext); ++ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); + filenum[14] = '\0'; + strncat (exportname, filenum, 15); + } +@@ -2230,8 +2230,8 @@ + + /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes + fewer than PATH_MAX */ +- memset (temp_filename, '\0', PATH_MAX + 1); +- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images, ++ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", ++ dump.infilename, dump_images, + (dump.format == DUMP_TEXT) ? "txt" : "raw"); + if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) + { +@@ -2249,8 +2249,8 @@ + + /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes + fewer than PATH_MAX */ +- memset (temp_filename, '\0', PATH_MAX + 1); +- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, ++ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", ++ dump.outfilename, dump_images, + (dump.format == DUMP_TEXT) ? "txt" : "raw"); + if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) + { +Index: tiff-4.0.3/tools/tiff2bw.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiff2bw.c 2013-06-23 10:36:51.163629483 -0400 ++++ tiff-4.0.3/tools/tiff2bw.c 2013-06-23 10:36:51.159629481 -0400 +@@ -205,7 +205,7 @@ + } + } + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); +- sprintf(thing, "B&W version of %s", argv[optind]); ++ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); + outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); diff --git a/gnu/packages/patches/libtiff-CVE-2013-4231.patch b/gnu/packages/patches/libtiff-CVE-2013-4231.patch new file mode 100644 index 0000000000..c71f7dac2e --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2013-4231.patch @@ -0,0 +1,19 @@ +Copied from Debian + +Description: Buffer overflow in gif2tiff +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450 +Bug-Debian: http://bugs.debian.org/719303 + +Index: tiff-4.0.3/tools/gif2tiff.c +=================================================================== +--- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-22 11:46:11.960846910 -0400 ++++ tiff-4.0.3/tools/gif2tiff.c 2013-08-22 11:46:11.956846910 -0400 +@@ -333,6 +333,8 @@ + int status = 1; + + datasize = getc(infile); ++ if (datasize > 12) ++ return 0; + clear = 1 << datasize; + eoi = clear + 1; + avail = clear + 2; diff --git a/gnu/packages/patches/libtiff-CVE-2013-4232.patch b/gnu/packages/patches/libtiff-CVE-2013-4232.patch new file mode 100644 index 0000000000..3a92f61fef --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2013-4232.patch @@ -0,0 +1,20 @@ +Copied from Debian + +Description: use after free in tiff2pdf +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449 +Bug-Debian: http://bugs.debian.org/719303 + +Index: tiff-4.0.3/tools/tiff2pdf.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400 ++++ tiff-4.0.3/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400 +@@ -2461,7 +2461,8 @@ + (unsigned long) t2p->tiff_datasize, + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; +- _TIFFfree(buffer); ++ _TIFFfree(buffer); ++ return(0); + } else { + buffer=samplebuffer; + t2p->tiff_datasize *= t2p->tiff_samplesperpixel; diff --git a/gnu/packages/patches/libtiff-CVE-2013-4243.patch b/gnu/packages/patches/libtiff-CVE-2013-4243.patch new file mode 100644 index 0000000000..a10884cd89 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2013-4243.patch @@ -0,0 +1,39 @@ +Copied from Debian + +Index: tiff/tools/gif2tiff.c +=================================================================== +--- tiff.orig/tools/gif2tiff.c ++++ tiff/tools/gif2tiff.c +@@ -280,6 +280,10 @@ readgifimage(char* mode) + fprintf(stderr, "no colormap present for image\n"); + return (0); + } ++ if (width == 0 || height == 0) { ++ fprintf(stderr, "Invalid value of width or height\n"); ++ return(0); ++ } + if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { + fprintf(stderr, "not enough memory for image\n"); + return (0); +@@ -404,6 +408,10 @@ process(register int code, unsigned char + fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); + return 0; + } ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; +@@ -434,6 +442,10 @@ process(register int code, unsigned char + } + oldcode = incode; + do { ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } + *(*fill)++ = *--stackp; + } while (stackp > stack); + return 1; diff --git a/gnu/packages/patches/libtiff-CVE-2013-4244.patch b/gnu/packages/patches/libtiff-CVE-2013-4244.patch new file mode 100644 index 0000000000..be9c65c311 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2013-4244.patch @@ -0,0 +1,20 @@ +Copied from Debian + +Description: OOB write in gif2tiff +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468 + +Index: tiff-4.0.3/tools/gif2tiff.c +=================================================================== +--- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400 ++++ tiff-4.0.3/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400 +@@ -400,6 +400,10 @@ + } + + if (oldcode == -1) { ++ if (code >= clear) { ++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch new file mode 100644 index 0000000000..7f70edb86f --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch @@ -0,0 +1,30 @@ +Copied from Debian + +From 0782c759084daaf9e4de7ee6be7543081823455e Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 20:58:29 +0000 +Subject: [PATCH] * tools/tiff2bw.c: when Photometric=RGB, the utility only + works if SamplesPerPixel = 3. Enforce that + http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) + +--- + ChangeLog | 6 ++++++ + tools/tiff2bw.c | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index 22467cd..94b8e31 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -171,6 +171,11 @@ main(int argc, char* argv[]) + argv[optind], samplesperpixel); + return (-1); + } ++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { ++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", ++ argv[optind], samplesperpixel); ++ return (-1); ++ } + TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); + if (bitspersample != 8) { + fprintf(stderr, diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch new file mode 100644 index 0000000000..a177ebfa21 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch @@ -0,0 +1,42 @@ +Copied from Debian + +From 3996fa0f84f4a8b7e65fe4b8f0681711022034ea Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 20:04:31 +0000 +Subject: [PATCH] * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling + TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not + worth the burden for those esoteric utilities. + http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) + +--- + ChangeLog | 7 +++++++ + tools/pal2rgb.c | 2 +- + tools/thumbnail.c | 2 +- + 3 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index bfe7899..3fc3de3 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -372,7 +372,7 @@ static struct cpTag { + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index c50bbff..73f9c34 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -257,7 +257,7 @@ static struct cpTag { + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch new file mode 100644 index 0000000000..b8a3703c4c --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch @@ -0,0 +1,45 @@ +Copied from Debian + +From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Tue, 23 Dec 2014 10:15:35 +0000 +Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a + uint64 value with <= 0 by casting it to int64 first. This solves crashing bug + on corrupted images generated by afl. + +--- + ChangeLog | 6 ++++++ + libtiff/tif_read.c | 6 +++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 2ba822a..dfc5b07 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) + return ((tmsize_t)(-1)); + } + bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid strip byte count, strip %lu", +@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "Invalid strip byte count %I64u, strip %lu", +@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[tile]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid tile byte count, tile %lu", diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch new file mode 100644 index 0000000000..62d903c650 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch @@ -0,0 +1,295 @@ +Copied from Debian + +From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 15:15:31 +0000 +Subject: [PATCH] Fix various crasher bugs on fuzzed images. * + libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for + TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing + the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read + ColorMap or TransferFunction if BitsPerSample has not yet been read, + otherwise reading it later will cause user code to crash if BitsPerSample > 1 + * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with + SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample + != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images + instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int + overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to + invalid tile count (should likely be checked by libtiff too). Detect invalid + settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * + tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * + tools/tiffdump.c: fix crash due to overflow of entry count. + +--- + ChangeLog | 19 +++++++++++++++++++ + libtiff/tif_dir.c | 21 +++++++++++++++++++-- + libtiff/tif_dirread.c | 17 +++++++++++++++++ + libtiff/tif_getimage.c | 15 +++++++++++++++ + libtiff/tif_next.c | 2 ++ + tools/bmp2tiff.c | 15 +++++++++++++++ + tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++ + tools/tiffcrop.c | 7 ++++--- + tools/tiffdump.c | 9 ++++++--- + 9 files changed, 138 insertions(+), 8 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 98cf66d..ab43a28 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; ++ double dblval; + char* s; + const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); + uint32 standard_tag = tag; +@@ -284,10 +285,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); + break; + case TIFFTAG_XRESOLUTION: +- td->td_xresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_xresolution = (float) dblval; + break; + case TIFFTAG_YRESOLUTION: +- td->td_yresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_yresolution = (float) dblval; + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -694,6 +701,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + va_end(ap); + } + return (0); ++badvaluedouble: ++ { ++ const TIFFField* fip=TIFFFieldWithTag(tif,tag); ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Bad value %f for \"%s\" tag", ++ tif->tif_name, dblval, ++ fip ? fip->field_name : "Unknown"); ++ va_end(ap); ++ } ++ return (0); + } + + /* +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 391c823..f66c9a7 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3430,6 +3430,8 @@ TIFFReadDirectory(TIFF* tif) + const TIFFField* fip; + uint32 fii=FAILED_FII; + toff_t nextdiroff; ++ int bitspersample_read = FALSE; ++ + tif->tif_diroff=tif->tif_nextdiroff; + if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) + return 0; /* last offset or bad offset (IFD looping) */ +@@ -3706,6 +3708,8 @@ TIFFReadDirectory(TIFF* tif) + } + if (!TIFFSetField(tif,dp->tdir_tag,value)) + goto bad; ++ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) ++ bitspersample_read = TRUE; + } + break; + case TIFFTAG_SMINSAMPLEVALUE: +@@ -3763,6 +3767,19 @@ TIFFReadDirectory(TIFF* tif) + uint32 countrequired; + uint32 incrementpersample; + uint16* value=NULL; ++ /* It would be dangerous to instanciate those tag values */ ++ /* since if td_bitspersample has not yet been read (due to */ ++ /* unordered tags), it could be read afterwards with a */ ++ /* values greater than the default one (1), which may cause */ ++ /* crashes in user code */ ++ if( !bitspersample_read ) ++ { ++ fip = TIFFFieldWithTag(tif,dp->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "Ignoring %s since BitsPerSample tag not found", ++ fip ? fip->field_name : "unknown tagname"); ++ continue; ++ } + countpersample=(1L<<tif->tif_dir.td_bitspersample); + if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) + { +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 074d32a..396ad08 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -182,8 +182,23 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) + "Planarconfiguration", td->td_planarconfig); + return (0); + } ++ if( td->td_samplesperpixel != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d", ++ "Samples/pixel", td->td_samplesperpixel); ++ return 0; ++ } + break; + case PHOTOMETRIC_CIELAB: ++ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d and %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "Bits/sample", td->td_bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index 55e2537..a53c716 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + default: { + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; ++ if( isTiled(tif) ) ++ imagewidth = tif->tif_dir.td_tilewidth; + + /* + * The scanline is composed of a sequence of constant +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index dfda963..f202b41 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1167,6 +1167,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ + TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid tile count, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tilecount/= xuint16; + } + if( t2p->tiff_tiles[i].tiles_tilecount > 0){ +@@ -1552,6 +1561,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + #endif + break; + case PHOTOMETRIC_CIELAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for CIELAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for CIELAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]= -127; + t2p->pdf_labrange[1]= 127; + t2p->pdf_labrange[2]= -127; +@@ -1567,6 +1592,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + t2p->pdf_colorspace=T2P_CS_LAB; + break; + case PHOTOMETRIC_ITULAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for ITULAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for ITULAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]=-85; + t2p->pdf_labrange[1]=85; + t2p->pdf_labrange[2]=-75; +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f5530bb..4088463 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + tsize_t tilesize = TIFFTileSize(out); + unsigned char *tilebuf = NULL; + +- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); +- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); +- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || ++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || ++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) ++ return 1; + + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) +diff --git a/tools/tiffdump.c b/tools/tiffdump.c +index cf5d62f..8247765 100644 +--- a/tools/tiffdump.c ++++ b/tools/tiffdump.c +@@ -374,6 +374,8 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + void* datamem; + uint64 dataoffset; + int datatruncated; ++ int datasizeoverflow; ++ + tag = *(uint16*)dp; + if (swabflag) + TIFFSwabShort(&tag); +@@ -412,13 +414,14 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + else + typewidth = datawidth[type]; + datasize = count*typewidth; ++ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); + datafits = 1; + datamem = dp; + dataoffset = 0; + datatruncated = 0; + if (!bigtiff) + { +- if (datasize>4) ++ if (datasizeoverflow || datasize>4) + { + uint32 dataoffset32; + datafits = 0; +@@ -432,7 +435,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + } + else + { +- if (datasize>8) ++ if (datasizeoverflow || datasize>8) + { + datafits = 0; + datamem = NULL; +@@ -442,7 +445,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + } + dp += sizeof(uint64); + } +- if (datasize>0x10000) ++ if (datasizeoverflow || datasize>0x10000) + { + datatruncated = 1; + count = 0x10000/typewidth; diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch new file mode 100644 index 0000000000..fda018b7bb --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch @@ -0,0 +1,32 @@ +Copied from Debian + +From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 19:53:59 +0000 +Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write + http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) + +--- + ChangeLog | 5 +++++ + tools/thumbnail.c | 8 +++++++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index fab63f6..c50bbff 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh) + err -= limit; + sy++; + if (err >= limit) +- rows[nrows++] = br + bpr*sy; ++ { ++ /* We should perhaps error loudly, but I can't make sense of that */ ++ /* code... */ ++ if( nrows == 256 ) ++ break; ++ rows[nrows++] = br + bpr*sy; ++ } + } + setrow(row, nrows, rows); + row += tnw; diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch new file mode 100644 index 0000000000..6f9ef85d14 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch @@ -0,0 +1,83 @@ +Copied from Debian + +From 8b6e80fca434525497e5a31c3309a3bab5b3c1c8 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 18:52:42 +0000 +Subject: [PATCH] * tools/thumbnail.c, tools/tiffcmp.c: only read/write + TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is + COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 + http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) + +--- + ChangeLog | 7 +++++++ + tools/thumbnail.c | 21 ++++++++++++++++++++- + tools/tiffcmp.c | 17 +++++++++++++++-- + 3 files changed, 42 insertions(+), 3 deletions(-) + +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index a98a881..fab63f6 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -274,7 +274,26 @@ cpTags(TIFF* in, TIFF* out) + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */ ++ /* if we request a tag that is defined in a codec, but that codec */ ++ /* isn't used */ ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + +diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c +index 508a461..d6392af 100644 +--- a/tools/tiffcmp.c ++++ b/tools/tiffcmp.c +@@ -260,6 +260,7 @@ tiffcmp(TIFF* tif1, TIFF* tif2) + static int + cmptags(TIFF* tif1, TIFF* tif2) + { ++ uint16 compression1, compression2; + CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType"); + CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth"); + CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength"); +@@ -276,8 +277,20 @@ cmptags(TIFF* tif1, TIFF* tif2) + CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat"); + CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution"); + CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution"); +- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); +- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX3 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX3 ) ++ { ++ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); ++ } ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX4 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX4 ) ++ { ++ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ } + CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit"); + CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration"); + CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip"); diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch new file mode 100644 index 0000000000..200af0ef8b --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch @@ -0,0 +1,34 @@ +Copied from Debian + +From 266bc48054b018a2f1d74562aa48eb2f509436d5 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 17:36:36 +0000 +Subject: [PATCH] * tools/tiff2pdf.c: check return code of TIFFGetField() when + reading TIFFTAG_SAMPLESPERPIXEL + +--- + ChangeLog | 5 +++++ + tools/tiff2pdf.c | 10 +++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +Index: tiff-4.0.3/tools/tiff2pdf.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiff2pdf.c ++++ tiff-4.0.3/tools/tiff2pdf.c +@@ -1164,7 +1164,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* + t2p->tiff_pages[i].page_tilecount; + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ +- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Missing SamplesPerPixel, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) + { + TIFFError( diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch new file mode 100644 index 0000000000..fda4045504 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch @@ -0,0 +1,77 @@ +Copied from Debian + +Picked from CVE: diff -u -r1.14 -r1.15 +http://bugzilla.maptools.org/show_bug.cgi?id=2501 + +Author: Even Rouault <even.rouault@spatialys.com> + +--- tiff-4.0.3.orig/tools/tiffdither.c ++++ tiff-4.0.3/tools/tiffdither.c +@@ -39,6 +39,7 @@ + #endif + + #include "tiffio.h" ++#include "tiffiop.h" + + #define streq(a,b) (strcmp(a,b) == 0) + #define strneq(a,b,n) (strncmp(a,b,n) == 0) +@@ -56,7 +57,7 @@ static void usage(void); + * Floyd-Steinberg error propragation with threshold. + * This code is stolen from tiffmedian. + */ +-static void ++static int + fsdither(TIFF* in, TIFF* out) + { + unsigned char *outline, *inputline, *inptr; +@@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out) + int lastline, lastpixel; + int bit; + tsize_t outlinesize; ++ int errcode = 0; + + imax = imagelength - 1; + jmax = imagewidth - 1; + inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); +- thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); +- nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); ++ thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short))); ++ nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short))); + outlinesize = TIFFScanlineSize(out); + outline = (unsigned char *) _TIFFmalloc(outlinesize); ++ if (! (inputline && thisline && nextline && outline)) { ++ fprintf(stderr, "Out of memory.\n"); ++ goto skip_on_error; ++ } + + /* + * Get first line +@@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out) + nextline = tmpptr; + lastline = (i == imax); + if (TIFFReadScanline(in, inputline, i, 0) <= 0) +- break; ++ goto skip_on_error; + inptr = inputline; + nextptr = nextline; + for (j = 0; j < imagewidth; ++j) +@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out) + } + } + if (TIFFWriteScanline(out, outline, i-1, 0) < 0) +- break; ++ goto skip_on_error; + } ++ goto exit_label; ++ + skip_on_error: ++ errcode = 1; ++ exit_label: + _TIFFfree(inputline); + _TIFFfree(thisline); + _TIFFfree(nextline); + _TIFFfree(outline); ++ return errcode; + } + + static uint16 compression = COMPRESSION_PACKBITS; diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch new file mode 100644 index 0000000000..a555a18747 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch @@ -0,0 +1,16 @@ +Copied from Debian + +Patches by Petr Gajdos (pgajdos@suse.cz) from +http://bugzilla.maptools.org/show_bug.cgi?id=2499 + +--- tiff-4.0.3.orig/libtiff/tif_dirinfo.c ++++ tiff-4.0.3/libtiff/tif_dirinfo.c +@@ -141,6 +141,8 @@ tiffFields[] = { + { TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL }, + { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, + { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, ++ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, ++ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL }, + /* begin DNG tags */ + { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, + { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL }, diff --git a/gnu/packages/patches/libtiff-CVE-2014-8129.patch b/gnu/packages/patches/libtiff-CVE-2014-8129.patch new file mode 100644 index 0000000000..091ec8f573 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8129.patch @@ -0,0 +1,45 @@ +Copied from Debian + +From cd82b5267ad4c10eb91e4ee8a716a81362cf851c Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 18:07:48 +0000 +Subject: [PATCH] * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) + +--- + ChangeLog | 5 +++++ + libtiff/tif_next.c | 17 +++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index a53c716..d834196 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -141,10 +141,27 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + return (0); + } + ++static int ++NeXTPreDecode(TIFF* tif, uint16 s) ++{ ++ static const char module[] = "NeXTPreDecode"; ++ TIFFDirectory *td = &tif->tif_dir; ++ (void)s; ++ ++ if( td->td_bitspersample != 2 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", ++ td->td_bitspersample); ++ return (0); ++ } ++ return (1); ++} ++ + int + TIFFInitNeXT(TIFF* tif, int scheme) + { + (void) scheme; ++ tif->tif_predecode = NeXTPreDecode; + tif->tif_decoderow = NeXTDecode; + tif->tif_decodestrip = NeXTDecode; + tif->tif_decodetile = NeXTDecode; diff --git a/gnu/packages/patches/libtiff-CVE-2014-9330.patch b/gnu/packages/patches/libtiff-CVE-2014-9330.patch new file mode 100644 index 0000000000..c3c5fc0367 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-9330.patch @@ -0,0 +1,47 @@ +Copied from Debian + +Description: CVE-2014-9330 + Integer overflow in bmp2tiff +Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494 +Bug-Debian: http://bugs.debian.org/773987 + +Index: tiff/tools/bmp2tiff.c +=================================================================== +--- tiff.orig/tools/bmp2tiff.c ++++ tiff/tools/bmp2tiff.c +@@ -1,4 +1,4 @@ +-/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $ ++/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $ + * + * Project: libtiff tools + * Purpose: Convert Windows BMP files in TIFF. +@@ -403,6 +403,13 @@ main(int argc, char* argv[]) + + width = info_hdr.iWidth; + length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; ++ if( width <= 0 || length <= 0 ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + + switch (info_hdr.iBitCount) + { +@@ -593,6 +600,14 @@ main(int argc, char* argv[]) + + compr_size = file_hdr.iSize - file_hdr.iOffBits; + uncompr_size = width * length; ++ /* Detect int overflow */ ++ if( uncompr_size / width != length ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, diff --git a/gnu/packages/patches/libtiff-CVE-2014-9655.patch b/gnu/packages/patches/libtiff-CVE-2014-9655.patch new file mode 100644 index 0000000000..065804d03a --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-9655.patch @@ -0,0 +1,88 @@ +Copied from Debian + +From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Mon, 29 Dec 2014 12:09:11 +0000 +Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't + read outside of the compressed input stream buffer. + +* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height +--- + ChangeLog | 9 +++++++++ + libtiff/tif_getimage.c | 12 +++++++----- + libtiff/tif_next.c | 4 +++- + 3 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a4f46d9..3ad8ee7 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + + (void) y; + fromskew = (fromskew * 10) / 4; +- if ((h & 3) == 0 && (w & 1) == 0) { ++ if ((w & 3) == 0 && (h & 1) == 0) { + for (; h >= 2; h -= 2) { + x = w>>2; + do { +@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + /* XXX adjust fromskew */ + do { + x = w>>2; +- do { ++ while(x>0) { + int32 Cb = pp[4]; + int32 Cr = pp[5]; + +@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + + cp += 4; + pp += 6; +- } while (--x); ++ x--; ++ } + + if( (w&3) != 0 ) + { +@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + fromskew = (fromskew * 4) / 2; + do { + x = w>>1; +- do { ++ while(x>0) { + int32 Cb = pp[2]; + int32 Cr = pp[3]; + +@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + + cp += 2; + pp += 4; +- } while (--x); ++ x --; ++ } + + if( (w&1) != 0 ) + { +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index d834196..dd669cc 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); + return (0); + } +- for (row = buf; occ > 0; occ -= scanline, row += scanline) { ++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { + n = *bp++, cc--; + switch (n) { + case LITERALROW: +@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + * The scanline has a literal span that begins at some + * offset. + */ ++ if( cc < 4 ) ++ goto bad; + off = (bp[0] * 256) + bp[1]; + n = (bp[2] * 256) + bp[3]; + if (cc < 4+n || off+n > scanline) |