Add patches for CVE-2006-2193,2327,2656,3459-3465, and CVE-2008-2327, some of which were apparently misreported as not affecting 3.8.2. The patches are from the Gentoo and Debian repositories, and are copies or variants of patches originally suggested by Drew Yao and the Google Security Team, among others. Some of them, along with some changes from Red Hat, have been included in tiff 3.9 and 4.0. Unfortunately tiff 3.9 and 4.0 are not completely compatible with 3.8.* (although there is some discussion among the tiff developers about changing 3.9 so that it is backwards-compatible), so we cannot now solve these problems by updating the port to 3.9 or 4.0 without breaking some dependent ports. The problems with tiff should probably be documented in vuxml. tiff developers have suggested that there are probably further problems, and that the tiff format is more susceptible to security problems than some other image formats owing to its design, so it should be used with caution on untrusted images. The developers have said that they do not now have the resources or the interest in undertaking a comprehensive security audit of the code, and that it's all Sam Leffler's fault, anyway. (Okay, I made up that very last part. ;) ) Fix: Patch attached with submission follows:
Responsible Changed From-To: freebsd-ports-bugs->dinoex Over to maintainer (via the GNATS Auto Assign Tool)
Please check. One of your patches introduces a regression.

in tools/tiff2pdf.c:
snprintf(buffer, "\\%.3o", pdfstr[i]);
is plain wrong; better is:
snprintf(buffer, sizeof(buffer), "\\%.3o", pdfstr[i]);

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]

http://people.freebsd.org/~dinoex/errorlogs/

- add Security patches
- fix missing macro in manpages
- add regression test

Security: CVE-2006-2193
Security: CVE-2006-2327
Security: CVE-2006-2656
Security: CVE-2006-3459
Security: CVE-2006-3460
Security: CVE-2006-3461
Security: CVE-2006-3462
Security: CVE-2006-3463
Security: CVE-2006-3464
Security: CVE-2006-3465
Security: CVE-2008-2327
Obtained From: Gentoo,Debian
Submitted by: <bf2006a@yahoo.com>

Index: Makefile =================================================================== RCS file: /home/pcvs/ports/graphics/tiff/Makefile,v retrieving revision 1.65 diff -u -r1.65 Makefile --- Makefile 21 Aug 2008 06:17:24 -0000 1.65 +++ Makefile 17 Sep 2008 19:25:41 -0000 @@ -9,7 +9,7 @@ PORTNAME= tiff PORTVERSION= 3.8.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= graphics MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ http://dl1.maptools.org/dl/libtiff/ @@ -126,4 +126,7 @@ ${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${DOCSDIR}/man/ .endif +regression-test: build + @(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_ARGS} check) + .include <bsd.port.mk> Index: files/patch-TIFFClose.3tiff =================================================================== RCS file: files/patch-TIFFClose.3tiff diff -N files/patch-TIFFClose.3tiff --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-TIFFClose.3tiff 17 Sep 2008 19:25:41 -0000 
@@ -0,0 +1,11 @@ +--- man/TIFFClose.3tiff.orig 2008-08-17 13:03:49.058994404 -0400 ++++ man/TIFFClose.3tiff 2008-08-17 13:03:52.522727821 -0400 +@@ -40,7 +40,7 @@ + current directory (if modified); and all resources are reclaimed. + .SH DIAGNOSTICS + All error messages are directed to the +-.bR TIFFError (3TIFF) ++.BR TIFFError (3TIFF) + routine. + Likewise, warning messages are directed to the + .BR TIFFWarning (3TIFF) Index: files/patch-fax2ps.1 =================================================================== RCS file: files/patch-fax2ps.1 diff -N files/patch-fax2ps.1 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-fax2ps.1 17 Sep 2008 19:25:41 -0000 
@@ -0,0 +1,74 @@ +--- man/fax2ps.1.orig 2008-08-17 13:03:49.038994710 -0400 ++++ man/fax2ps.1 2008-08-17 13:03:52.510994390 -0400 +@@ -27,7 +27,7 @@ + .SH NAME + fax2ps \- convert a + .SM TIFF +-facsimile to compressed \*(Ps\(tm ++facsimile to compressed PostScript\(tm + .SH SYNOPSIS + .B fax2ps + [ +@@ -40,7 +40,7 @@ + reads one or more + .SM TIFF + facsimile image files and prints a compressed form of +-\*(Ps on the standard output that is suitable for printing. ++PostScript on the standard output that is suitable for printing. + .PP + By default, each page is scaled to reflect the + image dimensions and resolutions stored in the file. +@@ -62,26 +62,26 @@ + .PP + By default + .I fax2ps +-generates \*(Ps for all pages in the file. ++generates PostScript for all pages in the file. + The + .B \-p + option can be used to select one or more pages from + a multi-page document. + .PP + .I fax2ps +-generates a compressed form of \*(Ps that is +-optimized for sending pages of text to a \*(Ps ++generates a compressed form of PostScript that is ++optimized for sending pages of text to a PostScript + printer attached to a host through a low-speed link (such + as a serial line). + Each output page is filled with white and then only + the black areas are drawn. +-The \*(Ps specification of the black drawing operations ++The PostScript specification of the black drawing operations + is optimized by using a special font that encodes the + move-draw operations required to fill + the black regions on the page. + This compression scheme typically results in a substantially +-reduced \*(Ps description, relative to the straightforward +-imaging of the page with a \*(Ps ++reduced PostScript description, relative to the straightforward ++imaging of the page with a PostScript + .I image + operator. + This algorithm can, however, be ineffective +@@ -138,9 +138,9 @@ + attempts to recover from such data errors by resynchronizing + decoding at the end of the current scanline. 
+ This can result in long horizontal black lines in the resultant +-\*(Ps image. ++PostScript image. + .SH NOTES +-If the destination printer supports \*(Ps Level II then ++If the destination printer supports PostScript Level II then + it is always faster to just send the encoded bitmap generated + by the + .BR tiff2ps (1) +@@ -149,7 +149,7 @@ + .I fax2ps + should probably figure out when it is doing a poor + job of compressing the output and just generate +-\*(Ps to image the bitmap raster instead. ++PostScript to image the bitmap raster instead. + .SH "SEE ALSO" + .BR tiff2ps (1), + .BR libtiff (3) Index: files/patch-raw2tiff.1 =================================================================== RCS file: files/patch-raw2tiff.1 diff -N files/patch-raw2tiff.1 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-raw2tiff.1 17 Sep 2008 19:25:41 -0000 @@ -0,0 +1,11 @@ +--- man/raw2tiff.1.orig 2008-08-17 13:03:49.042994359 -0400 ++++ man/raw2tiff.1 2008-08-17 13:03:52.519034963 -0400 +@@ -184,7 +184,7 @@ + in some cases. But for most ordinary images guessing method will work fine. + .SH "SEE ALSO" + .BR pal2rgb (1), +-.bR tiffinfo (1), ++.BR tiffinfo (1), + .BR tiffcp (1), + .BR tiffmedian (1), + .BR libtiff (3) Index: files/patch-tif_dir.c =================================================================== RCS file: files/patch-tif_dir.c diff -N files/patch-tif_dir.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_dir.c 17 Sep 2008 19:25:41 -0000 
@@ -0,0 +1,94 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_dir.c.orig 2008-08-17 13:03:48.954994295 -0400 ++++ libtiff/tif_dir.c 2008-08-17 13:03:52.881994558 -0400 +@@ -122,6 +122,7 @@ + { + static const char module[] = "_TIFFVSetField"; + ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; +@@ -195,10 +196,12 @@ + break; + case TIFFTAG_ORIENTATION: + v = va_arg(ap, uint32); ++ const TIFFFieldInfo* fip; + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { ++ fip = _TIFFFieldWithTag(tif, tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "Bad value %lu for \"%s\" tag ignored", +- v, _TIFFFieldWithTag(tif, tag)->field_name); ++ v, fip ? fip->field_name : "Unknown"); + } else + td->td_orientation = (uint16) v; + break; +@@ -387,11 +390,15 @@ + * happens, for example, when tiffcp is used to convert between + * compression schemes and codec-specific tags are blindly copied. + */ ++ /* ++ * better not dereference fip if it is NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? 
fip->field_name : "Unknown"); + status = 0; + break; + } +@@ -468,7 +475,7 @@ + if (fip->field_type == TIFF_ASCII) + _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); + else { +- tv->value = _TIFFmalloc(tv_size * tv->count); ++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); + if (!tv->value) { + status = 0; + goto end; +@@ -563,7 +570,7 @@ + } + } + if (status) { +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ TIFFSetFieldBit(tif, fip->field_bit); + tif->tif_flags |= TIFF_DIRTYDIRECT; + } + +@@ -572,12 +579,12 @@ + return (status); + badvalue: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", +- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvalue32: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", +- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + } +@@ -813,12 +820,16 @@ + * If the client tries to get a tag that is not valid + * for the image's codec then we'll arrive here. + */ ++ /* ++ * dont dereference fip if it's NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) + { + TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + ret_val = 0; + break; + } Index: files/patch-tif_dirinfo.c =================================================================== RCS file: files/patch-tif_dirinfo.c diff -N files/patch-tif_dirinfo.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_dirinfo.c 17 Sep 2008 19:25:41 -0000 
@@ -0,0 +1,24 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_dirinfo.c.orig 2008-08-17 13:03:48.958994316 -0400 ++++ libtiff/tif_dirinfo.c 2008-08-17 13:03:52.890034927 -0400 +@@ -775,7 +775,8 @@ + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", + "Internal error, unknown tag 0x%x", + (unsigned int) tag); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +@@ -789,7 +790,8 @@ + if (!fip) { + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", + "Internal error, unknown tag %s", field_name); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); Index: files/patch-tif_dirread.c =================================================================== RCS file: files/patch-tif_dirread.c diff -N files/patch-tif_dirread.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_dirread.c 17 Sep 2008 19:25:42 -0000 
@@ -0,0 +1,321 @@ +CVE-2006-3459,3463,3464,3465 +=================================================================== +--- libtiff/tif_dirread.c.orig 2008-08-17 13:03:48.962994506 -0400 ++++ libtiff/tif_dirread.c 2008-08-17 13:03:52.890034927 -0400 +@@ -29,6 +29,9 @@ + * + * Directory Read Support Routines. + */ ++ ++#include <limits.h> ++ + #include "tiffiop.h" + + #define IGNORE 0 /* tag placeholder used below */ +@@ -81,6 +84,7 @@ + uint16 dircount; + toff_t nextdiroff; + int diroutoforderwarning = 0; ++ int compressionknown = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -147,13 +151,20 @@ + } else { + toff_t off = tif->tif_diroff; + +- if (off + sizeof (uint16) > tif->tif_size) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "%s: Can not read TIFF directory count", +- tif->tif_name); +- return (0); ++ /* ++ * Check for integer overflow when validating the dir_off, otherwise ++ * a very high offset may cause an OOB read and crash the client. ++ * -- taviso@google.com, 14 Jun 2006. 
++ */ ++ if (off + sizeof (uint16) > tif->tif_size || ++ off > (UINT_MAX - sizeof(uint16))) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Can not read TIFF directory count", ++ tif->tif_name); ++ return (0); + } else +- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); ++ _TIFFmemcpy(&dircount, tif->tif_base + off, ++ sizeof (uint16)); + off += sizeof (uint16); + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabShort(&dircount); +@@ -254,6 +265,7 @@ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; ++ + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { + +@@ -264,17 +276,23 @@ + dp->tdir_tag, + dp->tdir_tag, + dp->tdir_type); +- +- TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1 ); ++ /* ++ * creating anonymous fields prior to knowing the compression ++ * algorithm (ie, when the field info has been merged) could cause ++ * crashes with pathological directories. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (compressionknown) ++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), 1 ); ++ else goto ignore; ++ + fix = 0; + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; + } ++ + /* + * Null out old tags that we ignore. + */ +@@ -326,6 +344,7 @@ + dp->tdir_type, dp->tdir_offset); + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) + goto bad; ++ else compressionknown++; + break; + /* XXX: workaround for broken TIFFs */ + } else if (dp->tdir_type == TIFF_LONG) { +@@ -540,6 +559,7 @@ + * Attempt to deal with a missing StripByteCounts tag. + */ + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. 
In this case, assume there +@@ -556,7 +576,7 @@ + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + /* +@@ -580,6 +600,7 @@ + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Plexus (and others) sometimes give a value of zero for + * a tag when they don't know what the correct value is! Try +@@ -589,13 +610,14 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG + && td->td_nstrips > 2 + && td->td_compression == COMPRESSION_NONE + && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Some vendors fill StripByteCount array with absolutely + * wrong values (it can be equal to StripOffset array, for +@@ -604,7 +626,7 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -870,7 +892,13 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ ++ /* i is used to iterate over td->td_nstrips, so must be ++ * at least the same width. 
++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); +@@ -947,16 +975,18 @@ + static int + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) + { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ + if (count > dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (0); + } else if (count < dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (1); + } +@@ -970,6 +1000,7 @@ + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) + { + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + tsize_t cc = dir->tdir_count * w; + + /* Check for overflow. */ +@@ -1013,7 +1044,7 @@ + bad: + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Error fetching data for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + return (tsize_t) 0; + } + +@@ -1039,10 +1070,12 @@ + static int + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) + { ++ const TIFFFieldInfo* fip; + if (denom == 0) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s: Rational with zero denominator (num = %lu)", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); ++ fip ? 
fip->field_name : "Unknown", num); + return (0); + } else { + if (dir->tdir_type == TIFF_RATIONAL) +@@ -1159,6 +1192,20 @@ + static int + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) + { ++ /* ++ * Prevent overflowing the v stack arrays below by performing a sanity ++ * check on tdir_count, this should never be greater than two. ++ * -- taviso@google.com 14 Jun 2006. ++ */ ++ if (dir->tdir_count > 2) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, ++ "unexpected count for field \"%s\", %lu, expected 2; ignored.", ++ fip ? fip->field_name : "Unknown", ++ dir->tdir_count); ++ return 0; ++ } ++ + switch (dir->tdir_type) { + case TIFF_BYTE: + case TIFF_SBYTE: +@@ -1329,14 +1376,15 @@ + case TIFF_DOUBLE: + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); + default: ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + /* TIFF_NOTYPE */ + /* TIFF_ASCII */ + /* TIFF_UNDEFINED */ + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", + dir->tdir_type, +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); +- return (0); ++ fip ? 
fip->field_name : "Unknown"); ++ return (0); } + } + return (1); + } +@@ -1351,6 +1399,9 @@ + int ok = 0; + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + ++ if (fip == NULL) { ++ return (0); ++ } + if (dp->tdir_count > 1) { /* array of values */ + char* cp = NULL; + +@@ -1493,6 +1544,7 @@ + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1510,9 +1562,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1534,6 +1587,7 @@ + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1551,9 +1605,10 @@ + check_count = samples; + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? 
fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1574,6 +1629,7 @@ + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1591,9 +1647,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; Index: files/patch-tif_fax3.c =================================================================== RCS file: files/patch-tif_fax3.c diff -N files/patch-tif_fax3.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_fax3.c 17 Sep 2008 19:25:42 -0000 @@ -0,0 +1,27 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_fax3.c.orig 2008-08-17 13:03:48.970994629 -0400 ++++ libtiff/tif_fax3.c 2008-08-17 13:03:52.890034927 -0400 +@@ -1136,6 +1136,7 @@ + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) + { + Fax3BaseState* sp = Fax3State(tif); ++ const TIFFFieldInfo* fip; + + assert(sp != 0); + assert(sp->vsetparent != 0); +@@ -1181,7 +1182,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } Index: files/patch-tif_jpeg.c =================================================================== RCS file: files/patch-tif_jpeg.c diff -N files/patch-tif_jpeg.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_jpeg.c 17 Sep 2008 19:25:42 -0000 
@@ -0,0 +1,121 @@ +CVE-2006-3460,3464,3465 +=================================================================== +--- libtiff/tif_jpeg.c.orig 2008-08-17 13:03:48.974994391 -0400 ++++ libtiff/tif_jpeg.c 2008-08-17 13:03:52.894064968 -0400 +@@ -722,15 +722,31 @@ + segment_width = TIFFhowmany(segment_width, sp->h_sampling); + segment_height = TIFFhowmany(segment_height, sp->v_sampling); + } +- if (sp->cinfo.d.image_width != segment_width || +- sp->cinfo.d.image_height != segment_height) { ++ if (sp->cinfo.d.image_width < segment_width || ++ sp->cinfo.d.image_height < segment_height) { + TIFFWarningExt(tif->tif_clientdata, module, + "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", + segment_width, + segment_height, + sp->cinfo.d.image_width, + sp->cinfo.d.image_height); ++ } ++ ++ if (sp->cinfo.d.image_width > segment_width || ++ sp->cinfo.d.image_height > segment_height) { ++ /* ++ * This case could be dangerous, if the strip or tile size has been ++ * reported as less than the amount of data jpeg will return, some ++ * potential security issues arise. Catch this case and error out. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "JPEG strip/tile size exceeds expected dimensions," ++ "expected %dx%d, got %dx%d", segment_width, segment_height, ++ sp->cinfo.d.image_width, sp->cinfo.d.image_height); ++ return (0); + } ++ + if (sp->cinfo.d.num_components != + (td->td_planarconfig == PLANARCONFIG_CONTIG ? + td->td_samplesperpixel : 1)) { +@@ -761,6 +777,22 @@ + sp->cinfo.d.comp_info[0].v_samp_factor, + sp->h_sampling, sp->v_sampling); + ++ /* ++ * There are potential security issues here for decoders that ++ * have already allocated buffers based on the expected sampling ++ * factors. Lets check the sampling factors dont exceed what ++ * we were expecting. 
++ * -- taviso@google.com 14 June 2006 ++ */ ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || ++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot honour JPEG sampling factors that" ++ " exceed those specified."); ++ return (0); ++ } ++ ++ + /* + * XXX: Files written by the Intergraph software + * has different sampling factors stored in the +@@ -1521,15 +1553,18 @@ + { + JPEGState *sp = JState(tif); + +- assert(sp != 0); ++ /* assert(sp != 0); */ + + tif->tif_tagmethods.vgetfield = sp->vgetparent; + tif->tif_tagmethods.vsetfield = sp->vsetparent; + +- if( sp->cinfo_initialized ) +- TIFFjpeg_destroy(sp); /* release libjpeg resources */ +- if (sp->jpegtables) /* tag value */ +- _TIFFfree(sp->jpegtables); ++ if (sp != NULL) { ++ if( sp->cinfo_initialized ) ++ TIFFjpeg_destroy(sp); /* release libjpeg resources */ ++ if (sp->jpegtables) /* tag value */ ++ _TIFFfree(sp->jpegtables); ++ } ++ + _TIFFfree(tif->tif_data); /* release local state */ + tif->tif_data = NULL; + +@@ -1541,6 +1576,7 @@ + { + JPEGState* sp = JState(tif); + TIFFDirectory* td = &tif->tif_dir; ++ const TIFFFieldInfo* fip; + uint32 v32; + + assert(sp != NULL); +@@ -1606,7 +1642,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +@@ -1726,7 +1768,11 @@ + { + JPEGState* sp = JState(tif); + +- assert(sp != NULL); ++ /* assert(sp != NULL); */ ++ if (sp == NULL) { ++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); ++ return; ++ } + + (void) flags; + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) Index: files/patch-tif_lzw.c =================================================================== RCS file: files/patch-tif_lzw.c diff -N files/patch-tif_lzw.c 
--- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_lzw.c 17 Sep 2008 19:25:42 -0000 @@ -0,0 +1,60 @@ +CVE-2008-2327 +=================================================================== +--- libtiff/tif_lzw.c.orig 2008-08-17 13:03:49.090994393 -0400 ++++ libtiff/tif_lzw.c 2008-08-17 13:03:52.354994400 -0400 +@@ -237,6 +237,13 @@ + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); ++ ++ + } + return (1); + } +@@ -408,12 +415,20 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } ++ + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -604,12 +619,20 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } ++ + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; Index: files/patch-tif_next.c =================================================================== RCS file: files/patch-tif_next.c diff -N files/patch-tif_next.c 
--- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_next.c 17 Sep 2008 19:25:42 -0000 @@ -0,0 +1,22 @@ +CVE-2006-3462 +=================================================================== +--- libtiff/tif_next.c.orig 2008-08-17 13:03:48.978994352 -0400 ++++ libtiff/tif_next.c 2008-08-17 13:03:52.894064968 -0400 +@@ -105,11 +105,16 @@ + * as codes of the form <color><npixels> + * until we've filled the scanline. + */ ++ /* ++ * Ensure the run does not exceed the scanline ++ * bounds, potentially resulting in a security issue. ++ * -- taviso@google.com 14 Jun 2006. ++ */ + op = row; + for (;;) { + grey = (n>>6) & 0x3; + n &= 0x3f; +- while (n-- > 0) ++ while (n-- > 0 && npixels < imagewidth) + SETPIXEL(op, grey); + if (npixels >= (int) imagewidth) + break; Index: files/patch-tif_pixarlog.c =================================================================== RCS file: files/patch-tif_pixarlog.c diff -N files/patch-tif_pixarlog.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_pixarlog.c 17 Sep 2008 19:25:42 -0000 
@@ -0,0 +1,25 @@ +CVE-2006-3461 +=================================================================== +--- libtiff/tif_pixarlog.c.orig 2008-08-17 13:03:48.986994374 -0400 ++++ libtiff/tif_pixarlog.c 2008-08-17 13:03:52.894064968 -0400 +@@ -768,7 +768,19 @@ + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabArrayOfShort(up, nsamples); + +- for (i = 0; i < nsamples; i += llen, up += llen) { ++ /* ++ * if llen is not an exact multiple of nsamples, the decode operation ++ * may overflow the output buffer, so truncate it enough to prevent that ++ * but still salvage as much data as possible. ++ * -- taviso@google.com 14th June 2006 ++ */ ++ if (nsamples % llen) ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: stride %lu is not a multiple of sample count, " ++ "%lu, data truncated.", tif->tif_name, llen, nsamples); ++ ++ ++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalAccumulateF(up, llen, sp->stride, Index: files/patch-tif_print.c =================================================================== RCS file: files/patch-tif_print.c diff -N files/patch-tif_print.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_print.c 17 Sep 2008 19:25:42 -0000 @@ -0,0 +1,13 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_print.c.orig 2008-08-17 13:03:49.113994690 -0400 ++++ libtiff/tif_print.c 2008-08-17 13:03:52.201994368 -0400 +@@ -491,7 +491,7 @@ + } else + fprintf(fd, "(present)\n"); + } +- if (TIFFFieldSet(tif, FIELD_SUBIFD)) { ++ if (TIFFFieldSet(tif, FIELD_SUBIFD) && (td->td_subifd)) { + fprintf(fd, " SubIFD Offsets:"); + for (i = 0; i < td->td_nsubifd; i++) + fprintf(fd, " %5lu", (long) td->td_subifd[i]); Index: files/patch-tif_read.c =================================================================== RCS file: files/patch-tif_read.c diff -N files/patch-tif_read.c 
--- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tif_read.c 17 Sep 2008 19:25:42 -0000 @@ -0,0 +1,43 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_read.c.orig 2008-08-17 13:03:48.990994211 -0400 ++++ libtiff/tif_read.c 2008-08-17 13:03:52.898026507 -0400 +@@ -31,6 +31,8 @@ + #include "tiffiop.h" + #include <stdio.h> + ++#include <limits.h> ++ + int TIFFFillStrip(TIFF*, tstrip_t); + int TIFFFillTile(TIFF*, ttile_t); + static int TIFFStartStrip(TIFF*, tstrip_t); +@@ -272,7 +274,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +478,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { + tif->tif_curtile = NOTILE; + return (0); + } Index: files/patch-tiff2pdf.1 =================================================================== RCS file: files/patch-tiff2pdf.1 diff -N files/patch-tiff2pdf.1 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tiff2pdf.1 17 Sep 2008 19:25:42 -0000 
@@ -0,0 +1,34 @@ +--- man/tiff2pdf.1.orig 2008-08-17 13:03:49.046994376 -0400 ++++ man/tiff2pdf.1 2008-08-17 13:03:52.522727821 -0400 +@@ -207,18 +207,14 @@ + The following example would generate the file output.pdf from input.tiff. + .PP + .RS +-.NF +-tiff2pdf -o output.pdf input.tiff +-.FI ++\f(CWtiff2pdf -o output.pdf input.tiff\fP + .RE + .PP + The following example would generate PDF output from input.tiff and write it + to standard output. + .PP + .RS +-.NF +-tiff2pdf input.tiff +-.FI ++\f(CWtiff2pdf input.tiff\fP + .RE + .PP + The following example would generate the file output.pdf from input.tiff, +@@ -227,9 +223,7 @@ + the "Fit Window" option. + .PP + .RS +-.NF +-tiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff +-.FI ++\f(CWtiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff\f) + .RE + .SH BUGS + Please report bugs via the web interface at Index: files/patch-tiff2pdf.c =================================================================== RCS file: files/patch-tiff2pdf.c diff -N files/patch-tiff2pdf.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tiff2pdf.c 17 Sep 2008 19:25:42 -0000 @@ -0,0 +1,13 @@ +CVE-2006-2193 +=================================================================== +--- tools/tiff2pdf.c.orig 2006-06-04 18:26:40.000000000 -0700 ++++ tools/tiff2pdf.c 2006-06-04 18:27:22.000000000 -0700 +@@ -3668,7 +3668,7 @@ + written += TIFFWriteFile(output, (tdata_t) "(", 1); + for (i=0;i<len;i++){ + if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){ +- sprintf(buffer, "\\%.3o", pdfstr[i]); ++ snprintf(buffer, sizeof(buffer), "\\%.3o", pdfstr[i]); + written += TIFFWriteFile(output, (tdata_t) buffer, 4); + } else { + switch (pdfstr[i]){ Index: files/patch-tiff2ps.1 =================================================================== RCS file: files/patch-tiff2ps.1 diff -N files/patch-tiff2ps.1 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tiff2ps.1 17 Sep 2008 19:25:42 -0000 
@@ -0,0 +1,142 @@ +--- man/tiff2ps.1.orig 2008-08-17 13:03:49.050994382 -0400 ++++ man/tiff2ps.1 2008-08-17 13:03:52.522727821 -0400 +@@ -27,7 +27,7 @@ + .SH NAME + tiff2ps \- convert a + .SM TIFF +-image to \*(Ps\(tm ++image to PostScript\(tm + .SH SYNOPSIS + .B tiff2ps + [ +@@ -38,17 +38,17 @@ + .I tiff2ps + reads + .SM TIFF +-images and writes \*(Ps or Encapsulated \*(Ps (EPS) ++images and writes PostScript or Encapsulated PostScript (EPS) + on the standard output. + By default, + .I tiff2ps +-writes Encapsulated \*(Ps for the first image in the specified ++writes Encapsulated PostScript for the first image in the specified + .SM TIFF + image file. + .PP + By default, + .I tiff2ps +-will generate \*(Ps that fills a printed area specified ++will generate PostScript that fills a printed area specified + by the + .SM TIFF + tags in the input file. +@@ -67,22 +67,22 @@ + .SM TIFF + tags. + .PP +-The \*(Ps generated for ++The PostScript generated for + .SM RGB, + palette, and + .SM CMYK + images uses the + .I colorimage + operator. +-The \*(Ps generated for ++The PostScript generated for + greyscale and bilevel images + uses the + .I image + operator. + When the + .I colorimage +-operator is used, \*(Ps code to emulate this operator +-on older \*(Ps printers is also generated. ++operator is used, PostScript code to emulate this operator ++on older PostScript printers is also generated. + Note that this emulation code can be very slow. + .PP + Color images with associated alpha data are composited over +@@ -90,13 +90,13 @@ + .SH OPTIONS + .TP + .B \-1 +-Generate \*(Ps Level 1 (the default). ++Generate PostScript Level 1 (the default). + .TP + .B \-2 +-Generate \*(Ps Level 2. ++Generate PostScript Level 2. + .TP + .B \-3 +-Generate \*(Ps Level 3. It basically allows one to use the /flateDecode ++Generate PostScript Level 3. It basically allows one to use the /flateDecode + filter for ZIP compressed TIFF images. + .TP + .B \-a +@@ -119,7 +119,7 @@ + multi-page (e.g. 
facsimile) file. + .TP + .B \-e +-Force the generation of Encapsulated \*(Ps (implies -z). ++Force the generation of Encapsulated PostScript (implies -z). + .TP + .B \-h + Specify the vertical size of the printed area (in inches). +@@ -148,7 +148,7 @@ + .B \-m + Where possible render using the + .B imagemask +-\*(Ps operator instead of the image operator. When this option is specified ++PostScript operator instead of the image operator. When this option is specified + .I tiff2ps + will use + .B imagemask +@@ -166,7 +166,7 @@ + like which are hidden using the SubIFD tag. + .TP + .B \-p +-Force the generation of (non-Encapsulated) \*(Ps. ++Force the generation of (non-Encapsulated) PostScript. + .TP + .B \-r + Rotate image by 180 degrees. +@@ -184,15 +184,15 @@ + Override resolution units specified in the TIFF as inches. + .TP + .B \-z +-When generating \*(Ps Level 2, data is scaled so that it does not ++When generating PostScript Level 2, data is scaled so that it does not + image into the + .I deadzone + on a page (the outer margin that the printing device is unable to mark). + This option suppresses this behavior. +-When \*(Ps Level 1 is generated, data is imaged to the entire printed ++When PostScript Level 1 is generated, data is imaged to the entire printed + page and this option has no affect. + .SH EXAMPLES +-The following generates \*(Ps Level 2 for all pages of a facsimile: ++The following generates PostScript Level 2 for all pages of a facsimile: + .RS + .nf + tiff2ps -a2 fax.tif | lpr +@@ -201,7 +201,7 @@ + Note also that if you have version 2.6.1 or newer of Ghostscript then you + can efficiently preview facsimile generated with the above command. + .PP +-To generate Encapsulated \*(Ps for a the image at directory 2 ++To generate Encapsulated PostScript for a the image at directory 2 + of an image use: + .RS + .nf +@@ -228,8 +228,8 @@ + .B \-L.5 + option says to repeat a half inch on the next page (to improve readability). 
+ .SH BUGS +-Because \*(Ps does not support the notion of a colormap, +-8-bit palette images produce 24-bit \*(Ps images. ++Because PostScript does not support the notion of a colormap, ++8-bit palette images produce 24-bit PostScript images. + This conversion results in output that is six times + bigger than the original image and which takes a long time + to send to a printer over a serial line. Index: files/patch-tiffcmp.1 =================================================================== RCS file: files/patch-tiffcmp.1 diff -N files/patch-tiffcmp.1 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tiffcmp.1 17 Sep 2008 19:25:42 -0000 @@ -0,0 +1,11 @@ +--- man/tiffcmp.1.orig 2008-08-17 13:03:49.062994301 -0400 ++++ man/tiffcmp.1 2008-08-17 13:03:52.522727821 -0400 +@@ -77,7 +77,7 @@ + in some exotic cases. + .SH "SEE ALSO" + .BR pal2rgb (1), +-.bR tiffinfo (1), ++.BR tiffinfo (1), + .BR tiffcp (1), + .BR tiffmedian (1), + .BR libtiff (3TIFF) Index: files/patch-tiffsplit.1 =================================================================== RCS file: files/patch-tiffsplit.1 diff -N files/patch-tiffsplit.1 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tiffsplit.1 17 Sep 2008 19:25:42 -0000 @@ -0,0 +1,11 @@ +--- man/tiffsplit.1.orig 2008-08-17 13:03:49.070994233 -0400 ++++ man/tiffsplit.1 2008-08-17 13:03:52.522727821 -0400 +@@ -50,7 +50,7 @@ + (e.g. + .IR xaaa.tif , + .IR xaab.tif , +-\... ++.IR ... , + .IR xzzz.tif ). + If a prefix is not specified on the command line, + the default prefix of Index: files/patch-tiffsplit.c =================================================================== RCS file: files/patch-tiffsplit.c diff -N files/patch-tiffsplit.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-tiffsplit.c 17 Sep 2008 19:25:42 -0000 
@@ -0,0 +1,21 @@ +CVE-2006-2656 +=================================================================== +--- tools/tiffsplit.c.orig 2008-08-17 13:03:49.014994263 -0400 ++++ tools/tiffsplit.c 2008-08-17 13:03:52.726994578 -0400 +@@ -61,14 +61,13 @@ + return (-3); + } + if (argc > 2) +- strcpy(fname, argv[2]); ++ snprintf(fname, sizeof(fname), "%s", argv[2]); + in = TIFFOpen(argv[1], "r"); + if (in != NULL) { + do { + char path[1024+1]; + newfilename(); +- strcpy(path, fname); +- strcat(path, ".tif"); ++ snprintf(path, sizeof(path), "%s.tif", fname); + out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); + if (out == NULL) + return (-2);
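Review bot: In the libtiff/tif_pixarlog.c hunk the new comment and the warning text state the relation the wrong way round. The code tests nsamples % llen, that is, whether the sample count is a multiple of the stride, while the comment reads "if llen is not an exact multiple of nsamples" and the message reads "stride %lu is not a multiple of sample count". Reword both to match the test. The message also passes llen and nsamples to %lu; their declarations are outside the hunk, so cast both to unsigned long unless they already have that type. The new loop bound nsamples - (nsamples % llen) additionally assumes llen is non-zero, which nothing in the hunk establishes.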
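Review bot: In both libtiff/tif_read.c range checks the sum td->td_stripoffset[strip] + bytecount is still evaluated first and can still wrap; the new term bytecount > (UINT_MAX - td->td_stripoffset[strip]) is only ORed in afterwards, so the result is right only if the operands have exactly the width of unsigned int, and their declarations are not in the hunk. For unsigned operands, comparing against the file size directly (td->td_stripoffset[strip] > tif->tif_size || bytecount > tif->tif_size - td->td_stripoffset[strip]) cannot wrap and needs neither UINT_MAX nor the added <limits.h>. The comment in the strip hunk also says the check verifies that "offset + bytecount is > offset", which is not what the code tests; the same applies to the tile hunk with td_stripoffset[tile].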
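Review bot: The third replacement in the man/tiff2pdf.1 patch ends with '\f)' where the first two end with '\fP', so the constant-width font selected by '\f(CW' is not switched back after the last example. Change the trailing '\f)' to '\fP' on the line for the "-p letter -j -q 75" example.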
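Review bot: snprintf(buffer, sizeof(buffer), ...) in the tools/tiff2pdf.c hunk bounds the write but still passes pdfstr[i] unconverted to %.3o. The branch is taken for bytes with pdfstr[i]&0x80 set; if pdfstr points to plain char (its declaration is outside the hunk) and char is signed, such a byte is sign-extended and formats to more than three octal digits, so the 4 bytes then handed to TIFFWriteFile are a truncated escape rather than the byte's own octal code. Pass (unsigned char) pdfstr[i] instead. sizeof(buffer) is also the right bound only if buffer is an array in this scope, which the hunk does not show.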
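Review bot: Both snprintf calls in the tools/tiffsplit.c hunk truncate silently. An over-long argv[2] yields a shortened prefix in fname, an over-long fname yields a path without the complete ".tif" suffix, and TIFFOpen is then called on that name anyway. Compare each return value against the buffer size and exit with an error instead of continuing. sizeof(fname) also relies on fname being an array rather than a pointer; its declaration is not in the hunk.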
I did not check the entire patch in your message to see if you had made any additional changes from my original patch, but it seems to me that you are right concerning the snprintf arguments: that I should have included a maximum size argument before the format string, and that your suggested argument is appropriate. I took this patch straight from Gentoo, and just gave it a cursory examination, and overlooked that omission -- I apologize for that mistake. I've contacted the Gentoo tiff maintainer to ask him about changing the original patch.

Regards,
b.

--- On Wed, 9/17/08, Dirk Meyer <dirk.meyer@dinoex.sub.org> wrote:
> From: Dirk Meyer <dirk.meyer@dinoex.sub.org>
> Subject: Re: ports/127434: [PATCH]graphics/tiff: various security fixes
> To: bug-followup@FreeBSD.org, bf2006a@yahoo.com
> Date: Wednesday, September 17, 2008, 3:27 PM
> Please check.
> One of your patches introduces a regression.
> in tools/tiff2pdf.c:
> snprintf(buffer, "\\%.3o", pdfstr[i]);
>
> is plain wrong; better is:
> snprintf(buffer, sizeof(buffer),
> "\\%.3o", pdfstr[i]);
>
> kind regards Dirk
>
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
> -
> [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
> http://people.freebsd.org/~dinoex/errorlogs/
>
> - add Security patches
> - fix missing macro in manpages
> - add regression test
> Security: CVE-2006-2193
> Security: CVE-2006-2327
> Security: CVE-2006-2656
> Security: CVE-2006-3459
> Security: CVE-2006-3460
> Security: CVE-2006-3461
> Security: CVE-2006-3462
> Security: CVE-2006-3463
> Security: CVE-2006-3464
> Security: CVE-2006-3465
> Security: CVE-2008-2327
> Obtained From: Gentoo,Debian
> Submitted by: <bf2006a@yahoo.com>
>
> Index: Makefile > =================================================================== > RCS file: /home/pcvs/ports/graphics/tiff/Makefile,v > retrieving revision 1.65 > diff -u -r1.65 Makefile > --- Makefile 21 Aug 2008 06:17:24 -0000 1.65 > +++ Makefile 17 Sep 2008 19:25:41 -0000 
> @@ -9,7 +9,7 @@ > > PORTNAME= tiff > PORTVERSION= 3.8.2 > -PORTREVISION= 1 > +PORTREVISION= 2 > CATEGORIES= graphics > MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ > \ > http://dl1.maptools.org/dl/libtiff/ > @@ -126,4 +126,7 @@ > ${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${DOCSDIR}/man/ > .endif > > +regression-test: build > + @(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} > ${MAKE_ARGS} check) > + > .include <bsd.port.mk> > Index: files/patch-TIFFClose.3tiff > =================================================================== > RCS file: files/patch-TIFFClose.3tiff > diff -N files/patch-TIFFClose.3tiff > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-TIFFClose.3tiff 17 Sep 2008 19:25:41 -0000 > @@ -0,0 +1,11 @@ > +--- man/TIFFClose.3tiff.orig 2008-08-17 13:03:49.058994404 > -0400 > ++++ man/TIFFClose.3tiff 2008-08-17 13:03:52.522727821 > -0400 > +@@ -40,7 +40,7 @@ > + current directory (if modified); and all resources are > reclaimed. > + .SH DIAGNOSTICS > + All error messages are directed to the > +-.bR TIFFError (3TIFF) > ++.BR TIFFError (3TIFF) > + routine. > + Likewise, warning messages are directed to the > + .BR TIFFWarning (3TIFF) > Index: files/patch-fax2ps.1 > =================================================================== > RCS file: files/patch-fax2ps.1 > diff -N files/patch-fax2ps.1 > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-fax2ps.1 17 Sep 2008 19:25:41 -0000 
> @@ -0,0 +1,74 @@ > +--- man/fax2ps.1.orig 2008-08-17 13:03:49.038994710 -0400 > ++++ man/fax2ps.1 2008-08-17 13:03:52.510994390 -0400 > +@@ -27,7 +27,7 @@ > + .SH NAME > + fax2ps \- convert a > + .SM TIFF > +-facsimile to compressed \*(Ps\(tm > ++facsimile to compressed PostScript\(tm > + .SH SYNOPSIS > + .B fax2ps > + [ > +@@ -40,7 +40,7 @@ > + reads one or more > + .SM TIFF > + facsimile image files and prints a compressed form of > +-\*(Ps on the standard output that is suitable for > printing. > ++PostScript on the standard output that is suitable for > printing. > + .PP > + By default, each page is scaled to reflect the > + image dimensions and resolutions stored in the file. > +@@ -62,26 +62,26 @@ > + .PP > + By default > + .I fax2ps > +-generates \*(Ps for all pages in the file. > ++generates PostScript for all pages in the file. > + The > + .B \-p > + option can be used to select one or more pages from > + a multi-page document. > + .PP > + .I fax2ps > +-generates a compressed form of \*(Ps that is > +-optimized for sending pages of text to a \*(Ps > ++generates a compressed form of PostScript that is > ++optimized for sending pages of text to a PostScript > + printer attached to a host through a low-speed link (such > + as a serial line). > + Each output page is filled with white and then only > + the black areas are drawn. > +-The \*(Ps specification of the black drawing > operations > ++The PostScript specification of the black drawing > operations > + is optimized by using a special font that encodes the > + move-draw operations required to fill > + the black regions on the page. > + This compression scheme typically results in a > substantially > +-reduced \*(Ps description, relative to the > straightforward > +-imaging of the page with a \*(Ps > ++reduced PostScript description, relative to the > straightforward > ++imaging of the page with a PostScript > + .I image > + operator. 
> + This algorithm can, however, be ineffective > +@@ -138,9 +138,9 @@ > + attempts to recover from such data errors by > resynchronizing > + decoding at the end of the current scanline. > + This can result in long horizontal black lines in the > resultant > +-\*(Ps image. > ++PostScript image. > + .SH NOTES > +-If the destination printer supports \*(Ps Level II > then > ++If the destination printer supports PostScript Level II > then > + it is always faster to just send the encoded bitmap > generated > + by the > + .BR tiff2ps (1) > +@@ -149,7 +149,7 @@ > + .I fax2ps > + should probably figure out when it is doing a poor > + job of compressing the output and just generate > +-\*(Ps to image the bitmap raster instead. > ++PostScript to image the bitmap raster instead. > + .SH "SEE ALSO" > + .BR tiff2ps (1), > + .BR libtiff (3) > Index: files/patch-raw2tiff.1 > =================================================================== > RCS file: files/patch-raw2tiff.1 > diff -N files/patch-raw2tiff.1 > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-raw2tiff.1 17 Sep 2008 19:25:41 -0000 > @@ -0,0 +1,11 @@ > +--- man/raw2tiff.1.orig 2008-08-17 13:03:49.042994359 > -0400 > ++++ man/raw2tiff.1 2008-08-17 13:03:52.519034963 -0400 > +@@ -184,7 +184,7 @@ > + in some cases. But for most ordinary images guessing > method will work fine. > + .SH "SEE ALSO" > + .BR pal2rgb (1), > +-.bR tiffinfo (1), > ++.BR tiffinfo (1), > + .BR tiffcp (1), > + .BR tiffmedian (1), > + .BR libtiff (3) > Index: files/patch-tif_dir.c > =================================================================== > RCS file: files/patch-tif_dir.c > diff -N files/patch-tif_dir.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_dir.c 17 Sep 2008 19:25:41 -0000 
> @@ -0,0 +1,94 @@ > +CVE-2006-3464,3465 > +=================================================================== > +--- libtiff/tif_dir.c.orig 2008-08-17 13:03:48.954994295 > -0400 > ++++ libtiff/tif_dir.c 2008-08-17 13:03:52.881994558 -0400 > +@@ -122,6 +122,7 @@ > + { > + static const char module[] = "_TIFFVSetField"; > + > ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, > TIFF_ANY); > + TIFFDirectory* td = &tif->tif_dir; > + int status = 1; > + uint32 v32, i, v; > +@@ -195,10 +196,12 @@ > + break; > + case TIFFTAG_ORIENTATION: > + v = va_arg(ap, uint32); > ++ const TIFFFieldInfo* fip; > + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT > < v) { > ++ fip = _TIFFFieldWithTag(tif, tag); > + TIFFWarningExt(tif->tif_clientdata, > tif->tif_name, > + "Bad value %lu for \"%s\" > tag ignored", > +- v, _TIFFFieldWithTag(tif, tag)->field_name); > ++ v, fip ? fip->field_name : > "Unknown"); > + } else > + td->td_orientation = (uint16) v; > + break; > +@@ -387,11 +390,15 @@ > + * happens, for example, when tiffcp is used to > convert between > + * compression schemes and codec-specific tags are > blindly copied. > + */ > ++ /* > ++ * better not dereference fip if it is NULL. > ++ * -- taviso@google.com 15 Jun 2006 > ++ */ > + if(fip == NULL || fip->field_bit != > FIELD_CUSTOM) { > + TIFFErrorExt(tif->tif_clientdata, module, > + "%s: Invalid %stag \"%s\" > (not supported by codec)", > + tif->tif_name, isPseudoTag(tag) ? > "pseudo-" : "", > +- _TIFFFieldWithTag(tif, tag)->field_name); > ++ fip ? 
fip->field_name : "Unknown"); > + status = 0; > + break; > + } > +@@ -468,7 +475,7 @@ > + if (fip->field_type == TIFF_ASCII) > + _TIFFsetString((char **)&tv->value, > va_arg(ap, char *)); > + else { > +- tv->value = _TIFFmalloc(tv_size * > tv->count); > ++ tv->value = _TIFFCheckMalloc(tif, > tv_size, tv->count, "Tag Value"); > + if (!tv->value) { > + status = 0; > + goto end; > +@@ -563,7 +570,7 @@ > + } > + } > + if (status) { > +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, > tag)->field_bit); > ++ TIFFSetFieldBit(tif, fip->field_bit); > + tif->tif_flags |= TIFF_DIRTYDIRECT; > + } > + > +@@ -572,12 +579,12 @@ > + return (status); > + badvalue: > + TIFFErrorExt(tif->tif_clientdata, module, "%s: > Bad value %d for \"%s\"", > +- tif->tif_name, v, _TIFFFieldWithTag(tif, > tag)->field_name); > ++ tif->tif_name, v, fip ? fip->field_name : > "Unknown"); > + va_end(ap); > + return (0); > + badvalue32: > + TIFFErrorExt(tif->tif_clientdata, module, "%s: > Bad value %ld for \"%s\"", > +- tif->tif_name, v32, _TIFFFieldWithTag(tif, > tag)->field_name); > ++ tif->tif_name, v32, fip ? fip->field_name : > "Unknown"); > + va_end(ap); > + return (0); > + } > +@@ -813,12 +820,16 @@ > + * If the client tries to get a tag that is > not valid > + * for the image's codec then we'll > arrive here. > + */ > ++ /* > ++ * dont dereference fip if it's NULL. > ++ * -- taviso@google.com 15 Jun 2006 > ++ */ > + if( fip == NULL || fip->field_bit != > FIELD_CUSTOM ) > + { > + TIFFErrorExt(tif->tif_clientdata, > "_TIFFVGetField", > + "%s: Invalid %stag > \"%s\" (not supported by codec)", > + tif->tif_name, > isPseudoTag(tag) ? "pseudo-" : "", > +- _TIFFFieldWithTag(tif, > tag)->field_name); > ++ fip ? fip->field_name : > "Unknown"); > + ret_val = 0; > + break; > + } > Index: files/patch-tif_dirinfo.c > =================================================================== > RCS file: files/patch-tif_dirinfo.c > diff -N files/patch-tif_dirinfo.c 
> --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_dirinfo.c 17 Sep 2008 19:25:41 -0000 > @@ -0,0 +1,24 @@ > +CVE-2006-3464,3465 > +=================================================================== > +--- libtiff/tif_dirinfo.c.orig 2008-08-17 > 13:03:48.958994316 -0400 > ++++ libtiff/tif_dirinfo.c 2008-08-17 13:03:52.890034927 > -0400 > +@@ -775,7 +775,8 @@ > + TIFFErrorExt(tif->tif_clientdata, > "TIFFFieldWithTag", > + "Internal error, unknown tag 0x%x", > + (unsigned int) tag); > +- assert(fip != NULL); > ++ /* assert(fip != NULL); */ > ++ > + /*NOTREACHED*/ > + } > + return (fip); > +@@ -789,7 +790,8 @@ > + if (!fip) { > + TIFFErrorExt(tif->tif_clientdata, > "TIFFFieldWithName", > + "Internal error, unknown tag %s", > field_name); > +- assert(fip != NULL); > ++ /* assert(fip != NULL); */ > ++ > + /*NOTREACHED*/ > + } > + return (fip); > Index: files/patch-tif_dirread.c > =================================================================== > RCS file: files/patch-tif_dirread.c > diff -N files/patch-tif_dirread.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_dirread.c 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,321 @@ > +CVE-2006-3459,3463,3464,3465 > +=================================================================== > +--- libtiff/tif_dirread.c.orig 2008-08-17 > 13:03:48.962994506 -0400 > ++++ libtiff/tif_dirread.c 2008-08-17 13:03:52.890034927 > -0400 > +@@ -29,6 +29,9 @@ > + * > + * Directory Read Support Routines. > + */ > ++ > ++#include <limits.h> > ++ > + #include "tiffiop.h" > + > + #define IGNORE 0 /* tag placeholder used below */ > +@@ -81,6 +84,7 @@ > + uint16 dircount; > + toff_t nextdiroff; > + int diroutoforderwarning = 0; > ++ int compressionknown = 0; > + toff_t* new_dirlist; > + > + tif->tif_diroff = tif->tif_nextdiroff; > +@@ -147,13 +151,20 @@ > + } else { > + toff_t off = tif->tif_diroff; > + > +- if (off + sizeof (uint16) > tif->tif_size) { > +- TIFFErrorExt(tif->tif_clientdata, module, > +- "%s: Can not read TIFF directory count", > +- tif->tif_name); > +- return (0); > ++ /* > ++ * Check for integer overflow when validating the > dir_off, otherwise > ++ * a very high offset may cause an OOB read and crash > the client. > ++ * -- taviso@google.com, 14 Jun 2006. 
> ++ */ > ++ if (off + sizeof (uint16) > tif->tif_size || > ++ off > (UINT_MAX - sizeof(uint16))) { > ++ TIFFErrorExt(tif->tif_clientdata, module, > ++ "%s: Can not read TIFF directory > count", > ++ tif->tif_name); > ++ return (0); > + } else > +- _TIFFmemcpy(&dircount, tif->tif_base + off, > sizeof (uint16)); > ++ _TIFFmemcpy(&dircount, tif->tif_base + off, > ++ sizeof (uint16)); > + off += sizeof (uint16); > + if (tif->tif_flags & TIFF_SWAB) > + TIFFSwabShort(&dircount); > +@@ -254,6 +265,7 @@ > + while (fix < tif->tif_nfields && > + tif->tif_fieldinfo[fix]->field_tag < > dp->tdir_tag) > + fix++; > ++ > + if (fix >= tif->tif_nfields || > + tif->tif_fieldinfo[fix]->field_tag != > dp->tdir_tag) { > + > +@@ -264,17 +276,23 @@ > + dp->tdir_tag, > + dp->tdir_tag, > + dp->tdir_type); > +- > +- TIFFMergeFieldInfo(tif, > +- > _TIFFCreateAnonFieldInfo(tif, > +- dp->tdir_tag, > +- (TIFFDataType) dp->tdir_type), > +- 1 ); > ++ /* > ++ * creating anonymous fields prior to knowing the > compression > ++ * algorithm (ie, when the field info has been > merged) could cause > ++ * crashes with pathological directories. > ++ * -- taviso@google.com 15 Jun 2006 > ++ */ > ++ if (compressionknown) > ++ TIFFMergeFieldInfo(tif, > _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, > ++ (TIFFDataType) dp->tdir_type), 1 ); > ++ else goto ignore; > ++ > + fix = 0; > + while (fix < tif->tif_nfields > && > + > tif->tif_fieldinfo[fix]->field_tag < > dp->tdir_tag) > + fix++; > + } > ++ > + /* > + * Null out old tags that we ignore. > + */ > +@@ -326,6 +344,7 @@ > + dp->tdir_type, dp->tdir_offset); > + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) > + goto bad; > ++ else compressionknown++; > + break; > + /* XXX: workaround for broken TIFFs */ > + } else if (dp->tdir_type == TIFF_LONG) { > +@@ -540,6 +559,7 @@ > + * Attempt to deal with a missing StripByteCounts tag. 
> + */ > + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { > ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, > TIFFTAG_STRIPBYTECOUNTS); > + /* > + * Some manufacturers violate the spec by not giving > + * the size of the strips. In this case, assume there > +@@ -556,7 +576,7 @@ > + "%s: TIFF directory is missing required " > + "\"%s\" field, calculating from > imagelength", > + tif->tif_name, > +- > _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); > ++ fip ? fip->field_name : > "Unknown"); > + if (EstimateStripByteCounts(tif, dir, dircount) < 0) > + goto bad; > + /* > +@@ -580,6 +600,7 @@ > + } else if (td->td_nstrips == 1 > + && td->td_stripoffset[0] != > 0 > + && BYTECOUNTLOOKSBAD) { > ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, > TIFFTAG_STRIPBYTECOUNTS); > + /* > + * XXX: Plexus (and others) sometimes give a value of > zero for > + * a tag when they don't know what the correct > value is! Try > +@@ -589,13 +610,14 @@ > + TIFFWarningExt(tif->tif_clientdata, module, > + "%s: Bogus \"%s\" field, ignoring > and calculating from imagelength", > + tif->tif_name, > +- > _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); > ++ fip ? fip->field_name : > "Unknown"); > + if(EstimateStripByteCounts(tif, dir, dircount) < 0) > + goto bad; > + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG > + && td->td_nstrips > 2 > + && td->td_compression == COMPRESSION_NONE > + && td->td_stripbytecount[0] != > td->td_stripbytecount[1]) { > ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, > TIFFTAG_STRIPBYTECOUNTS); > + /* > + * XXX: Some vendors fill StripByteCount array with > absolutely > + * wrong values (it can be equal to StripOffset array, > for > +@@ -604,7 +626,7 @@ > + TIFFWarningExt(tif->tif_clientdata, module, > + "%s: Wrong \"%s\" field, ignoring > and calculating from imagelength", > + tif->tif_name, > +- > _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); > ++ fip ? 
fip->field_name : > "Unknown"); > + if (EstimateStripByteCounts(tif, dir, dircount) < 0) > + goto bad; > + } > +@@ -870,7 +892,13 @@ > + > + register TIFFDirEntry *dp; > + register TIFFDirectory *td = &tif->tif_dir; > +- uint16 i; > ++ > ++ /* i is used to iterate over td->td_nstrips, so must > be > ++ * at least the same width. > ++ * -- taviso@google.com 15 Jun 2006 > ++ */ > ++ > ++ uint32 i; > + > + if (td->td_stripbytecount) > + _TIFFfree(td->td_stripbytecount); > +@@ -947,16 +975,18 @@ > + static int > + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) > + { > ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, > dir->tdir_tag); > ++ > + if (count > dir->tdir_count) { > + TIFFWarningExt(tif->tif_clientdata, > tif->tif_name, > + "incorrect count for field \"%s\" > (%lu, expecting %lu); tag ignored", > +- _TIFFFieldWithTag(tif, > dir->tdir_tag)->field_name, > ++ fip ? fip->field_name : "Unknown", > + dir->tdir_count, count); > + return (0); > + } else if (count < dir->tdir_count) { > + TIFFWarningExt(tif->tif_clientdata, > tif->tif_name, > + "incorrect count for field \"%s\" > (%lu, expecting %lu); tag trimmed", > +- _TIFFFieldWithTag(tif, > dir->tdir_tag)->field_name, > ++ fip ? fip->field_name : "Unknown", > + dir->tdir_count, count); > + return (1); > + } > +@@ -970,6 +1000,7 @@ > + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) > + { > + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); > ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, > dir->tdir_tag); > + tsize_t cc = dir->tdir_count * w; > + > + /* Check for overflow. */ > +@@ -1013,7 +1044,7 @@ > + bad: > + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > + "Error fetching data for field > \"%s\"", > +- _TIFFFieldWithTag(tif, > dir->tdir_tag)->field_name); > ++ fip ? 
fip->field_name : "Unknown"); > + return (tsize_t) 0; > + } > + > +@@ -1039,10 +1070,12 @@ > + static int > + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, > uint32 denom, float* rv) > + { > ++ const TIFFFieldInfo* fip; > + if (denom == 0) { > ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > + "%s: Rational with zero denominator (num = > %lu)", > +- _TIFFFieldWithTag(tif, > dir->tdir_tag)->field_name, num); > ++ fip ? fip->field_name : "Unknown", > num); > + return (0); > + } else { > + if (dir->tdir_type == TIFF_RATIONAL) > +@@ -1159,6 +1192,20 @@ > + static int > + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) > + { > ++ /* > ++ * Prevent overflowing the v stack arrays below by > performing a sanity > ++ * check on tdir_count, this should never be greater > than two. > ++ * -- taviso@google.com 14 Jun 2006. > ++ */ > ++ if (dir->tdir_count > 2) { > ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, > dir->tdir_tag); > ++ TIFFWarningExt(tif->tif_clientdata, > tif->tif_name, > ++ "unexpected count for field > \"%s\", %lu, expected 2; ignored.", > ++ fip ? fip->field_name : "Unknown", > ++ dir->tdir_count); > ++ return 0; > ++ } > ++ > + switch (dir->tdir_type) { > + case TIFF_BYTE: > + case TIFF_SBYTE: > +@@ -1329,14 +1376,15 @@ > + case TIFF_DOUBLE: > + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); > + default: > ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, > dir->tdir_tag); > + /* TIFF_NOTYPE */ > + /* TIFF_ASCII */ > + /* TIFF_UNDEFINED */ > + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > + "cannot read TIFF_ANY type %d for field > \"%s\"", > + dir->tdir_type, > +- _TIFFFieldWithTag(tif, > dir->tdir_tag)->field_name); > +- return (0); > ++ fip ? 
fip->field_name : "Unknown"); > ++ return (0); } > + } > + return (1); > + } > +@@ -1351,6 +1399,9 @@ > + int ok = 0; > + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, > dp->tdir_tag); > + > ++ if (fip == NULL) { > ++ return (0); > ++ } > + if (dp->tdir_count > 1) { /* array of values */ > + char* cp = NULL; > + > +@@ -1493,6 +1544,7 @@ > + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, > uint16* pl) > + { > + uint16 samples = tif->tif_dir.td_samplesperpixel; > ++ const TIFFFieldInfo* fip; > + int status = 0; > + > + if (CheckDirCount(tif, dir, (uint32) samples)) { > +@@ -1510,9 +1562,10 @@ > + > + for (i = 1; i < check_count; i++) > + if (v[i] != v[0]) { > ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > + TIFFErrorExt(tif->tif_clientdata, > tif->tif_name, > + "Cannot handle > different per-sample values for field > \"%s\"", > +- _TIFFFieldWithTag(tif, > dir->tdir_tag)->field_name); > ++ fip ? fip->field_name : > "Unknown"); > + goto bad; > + } > + *pl = v[0]; > +@@ -1534,6 +1587,7 @@ > + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, > uint32* pl) > + { > + uint16 samples = tif->tif_dir.td_samplesperpixel; > ++ const TIFFFieldInfo* fip; > + int status = 0; > + > + if (CheckDirCount(tif, dir, (uint32) samples)) { > +@@ -1551,9 +1605,10 @@ > + check_count = samples; > + for (i = 1; i < check_count; i++) > + if (v[i] != v[0]) { > ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > + TIFFErrorExt(tif->tif_clientdata, > tif->tif_name, > + "Cannot handle > different per-sample values for field > \"%s\"", > +- _TIFFFieldWithTag(tif, > dir->tdir_tag)->field_name); > ++ fip ? 
fip->field_name : > "Unknown"); > + goto bad; > + } > + *pl = v[0]; > +@@ -1574,6 +1629,7 @@ > + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, > double* pl) > + { > + uint16 samples = tif->tif_dir.td_samplesperpixel; > ++ const TIFFFieldInfo* fip; > + int status = 0; > + > + if (CheckDirCount(tif, dir, (uint32) samples)) { > +@@ -1591,9 +1647,10 @@ > + > + for (i = 1; i < check_count; i++) > + if (v[i] != v[0]) { > ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > + TIFFErrorExt(tif->tif_clientdata, > tif->tif_name, > + "Cannot handle > different per-sample values for field > \"%s\"", > +- _TIFFFieldWithTag(tif, > dir->tdir_tag)->field_name); > ++ fip ? fip->field_name : > "Unknown"); > + goto bad; > + } > + *pl = v[0]; > Index: files/patch-tif_fax3.c > =================================================================== > RCS file: files/patch-tif_fax3.c > diff -N files/patch-tif_fax3.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_fax3.c 17 Sep 2008 19:25:42 -0000 > @@ -0,0 +1,27 @@ > +CVE-2006-3464,3465 > +=================================================================== > +--- libtiff/tif_fax3.c.orig 2008-08-17 13:03:48.970994629 > -0400 > ++++ libtiff/tif_fax3.c 2008-08-17 13:03:52.890034927 -0400 > +@@ -1136,6 +1136,7 @@ > + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) > + { > + Fax3BaseState* sp = Fax3State(tif); > ++ const TIFFFieldInfo* fip; > + > + assert(sp != 0); > + assert(sp->vsetparent != 0); > +@@ -1181,7 +1182,13 @@ > + default: > + return (*sp->vsetparent)(tif, tag, ap); > + } > +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, > tag)->field_bit); > ++ > ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { > ++ TIFFSetFieldBit(tif, fip->field_bit); > ++ } else { > ++ return (0); > ++ } > ++ > + tif->tif_flags |= TIFF_DIRTYDIRECT; > + return (1); > + } > Index: files/patch-tif_jpeg.c > =================================================================== > RCS file: files/patch-tif_jpeg.c > diff -N files/patch-tif_jpeg.c 
> --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_jpeg.c 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,121 @@ > +CVE-2006-3460,3464,3465 > +=================================================================== > +--- libtiff/tif_jpeg.c.orig 2008-08-17 13:03:48.974994391 > -0400 > ++++ libtiff/tif_jpeg.c 2008-08-17 13:03:52.894064968 -0400 > +@@ -722,15 +722,31 @@ > + segment_width = TIFFhowmany(segment_width, > sp->h_sampling); > + segment_height = TIFFhowmany(segment_height, > sp->v_sampling); > + } > +- if (sp->cinfo.d.image_width != segment_width || > +- sp->cinfo.d.image_height != segment_height) { > ++ if (sp->cinfo.d.image_width < segment_width || > ++ sp->cinfo.d.image_height < segment_height) { > + TIFFWarningExt(tif->tif_clientdata, module, > + "Improper JPEG strip/tile size, > expected %dx%d, got %dx%d", > + segment_width, > + segment_height, > + sp->cinfo.d.image_width, > + sp->cinfo.d.image_height); > ++ } > ++ > ++ if (sp->cinfo.d.image_width > segment_width || > ++ sp->cinfo.d.image_height > segment_height) { > ++ /* > ++ * This case could be dangerous, if the strip or tile > size has been > ++ * reported as less than the amount of data jpeg will > return, some > ++ * potential security issues arise. Catch this case and > error out. > ++ * -- taviso@google.com 14 Jun 2006 > ++ */ > ++ TIFFErrorExt(tif->tif_clientdata, module, > ++ "JPEG strip/tile size exceeds expected > dimensions," > ++ "expected %dx%d, got %dx%d", segment_width, > segment_height, > ++ sp->cinfo.d.image_width, > sp->cinfo.d.image_height); > ++ return (0); > + } > ++ > + if (sp->cinfo.d.num_components != > + (td->td_planarconfig == PLANARCONFIG_CONTIG ? > + td->td_samplesperpixel : 1)) { > +@@ -761,6 +777,22 @@ > + > sp->cinfo.d.comp_info[0].v_samp_factor, > + sp->h_sampling, > sp->v_sampling); > + > ++ /* > ++ * There are potential security issues here for > decoders that > ++ * have already allocated buffers based on the > expected sampling > ++ * factors. Lets check the sampling factors dont > exceed what > ++ * we were expecting. 
> ++ * -- taviso@google.com 14 June 2006 > ++ */ > ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > > sp->h_sampling || > ++ sp->cinfo.d.comp_info[0].v_samp_factor > > sp->v_sampling) { > ++ TIFFErrorExt(tif->tif_clientdata, module, > ++ "Cannot honour JPEG sampling factors > that" > ++ " exceed those specified."); > ++ return (0); > ++ } > ++ > ++ > + /* > + * XXX: Files written by the Intergraph software > + * has different sampling factors stored in the > +@@ -1521,15 +1553,18 @@ > + { > + JPEGState *sp = JState(tif); > + > +- assert(sp != 0); > ++ /* assert(sp != 0); */ > + > + tif->tif_tagmethods.vgetfield = sp->vgetparent; > + tif->tif_tagmethods.vsetfield = sp->vsetparent; > + > +- if( sp->cinfo_initialized ) > +- TIFFjpeg_destroy(sp); /* release libjpeg resources > */ > +- if (sp->jpegtables) /* tag value */ > +- _TIFFfree(sp->jpegtables); > ++ if (sp != NULL) { > ++ if( sp->cinfo_initialized ) > ++ TIFFjpeg_destroy(sp); /* release libjpeg resources > */ > ++ if (sp->jpegtables) /* tag value */ > ++ _TIFFfree(sp->jpegtables); > ++ } > ++ > + _TIFFfree(tif->tif_data); /* release local state */ > + tif->tif_data = NULL; > + > +@@ -1541,6 +1576,7 @@ > + { > + JPEGState* sp = JState(tif); > + TIFFDirectory* td = &tif->tif_dir; > ++ const TIFFFieldInfo* fip; > + uint32 v32; > + > + assert(sp != NULL); > +@@ -1606,7 +1642,13 @@ > + default: > + return (*sp->vsetparent)(tif, tag, ap); > + } > +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, > tag)->field_bit); > ++ > ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { > ++ TIFFSetFieldBit(tif, fip->field_bit); > ++ } else { > ++ return (0); > ++ } > ++ > + tif->tif_flags |= TIFF_DIRTYDIRECT; > + return (1); > + } > +@@ -1726,7 +1768,11 @@ > + { > + JPEGState* sp = JState(tif); > + > +- assert(sp != NULL); > ++ /* assert(sp != NULL); */ > ++ if (sp == NULL) { > ++ TIFFWarningExt(tif->tif_clientdata, > "JPEGPrintDir", "Unknown JPEGState"); > ++ return; > ++ } > + > + (void) flags; > + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) 
> Index: files/patch-tif_lzw.c > =================================================================== > RCS file: files/patch-tif_lzw.c > diff -N files/patch-tif_lzw.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_lzw.c 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,60 @@ > +CVE-2008-2327 > +=================================================================== > +--- libtiff/tif_lzw.c.orig 2008-08-17 13:03:49.090994393 > -0400 > ++++ libtiff/tif_lzw.c 2008-08-17 13:03:52.354994400 -0400 > +@@ -237,6 +237,13 @@ > + sp->dec_codetab[code].length = 1; > + sp->dec_codetab[code].next = NULL; > + } while (code--); > ++ /* > ++ * Zero-out the unused entries > ++ */ > ++ > _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, > ++ (CODE_FIRST-CODE_CLEAR)*sizeof > (code_t)); > ++ > ++ > + } > + return (1); > + } > +@@ -408,12 +415,20 @@ > + break; > + if (code == CODE_CLEAR) { > + free_entp = sp->dec_codetab + CODE_FIRST; > ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof > (code_t)); > + nbits = BITS_MIN; > + nbitsmask = MAXCODE(BITS_MIN); > + maxcodep = sp->dec_codetab + nbitsmask-1; > + NextCode(tif, sp, bp, code, GetNextCode); > + if (code == CODE_EOI) > + break; > ++ if (code == CODE_CLEAR) { > ++ TIFFErrorExt(tif->tif_clientdata, > tif->tif_name, > ++ "LZWDecode: Corrupted LZW table at scanline > %d", > ++ tif->tif_row); > ++ return (0); > ++ } > ++ > + *op++ = (char)code, occ--; > + oldcodep = sp->dec_codetab + code; > + continue; > +@@ -604,12 +619,20 @@ > + break; > + if (code == CODE_CLEAR) { > + free_entp = sp->dec_codetab + CODE_FIRST; > ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof > (code_t)); > + nbits = BITS_MIN; > + nbitsmask = MAXCODE(BITS_MIN); > + maxcodep = sp->dec_codetab + nbitsmask; > + NextCode(tif, sp, bp, code, GetNextCodeCompat); > + if (code == CODE_EOI) > + break; > ++ if (code == CODE_CLEAR) { > ++ TIFFErrorExt(tif->tif_clientdata, > tif->tif_name, > ++ "LZWDecode: Corrupted LZW table at scanline > %d", > ++ tif->tif_row); > ++ return (0); > ++ } > ++ > + *op++ = code, occ--; > + oldcodep = sp->dec_codetab + code; > + continue; > Index: files/patch-tif_next.c > =================================================================== > RCS file: files/patch-tif_next.c > diff -N 
files/patch-tif_next.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_next.c 17 Sep 2008 19:25:42 -0000 > @@ -0,0 +1,22 @@ > +CVE-2006-3462 > +=================================================================== > +--- libtiff/tif_next.c.orig 2008-08-17 13:03:48.978994352 > -0400 > ++++ libtiff/tif_next.c 2008-08-17 13:03:52.894064968 -0400 > +@@ -105,11 +105,16 @@ > + * as codes of the form <color><npixels> > + * until we've filled the scanline. > + */ > ++ /* > ++ * Ensure the run does not exceed the scanline > ++ * bounds, potentially resulting in a security issue. > ++ * -- taviso@google.com 14 Jun 2006. > ++ */ > + op = row; > + for (;;) { > + grey = (n>>6) & 0x3; > + n &= 0x3f; > +- while (n-- > 0) > ++ while (n-- > 0 && npixels < imagewidth) > + SETPIXEL(op, grey); > + if (npixels >= (int) imagewidth) > + break; > Index: files/patch-tif_pixarlog.c > =================================================================== > RCS file: files/patch-tif_pixarlog.c > diff -N files/patch-tif_pixarlog.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_pixarlog.c 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,25 @@ > +CVE-2006-3461 > +=================================================================== > +--- libtiff/tif_pixarlog.c.orig 2008-08-17 > 13:03:48.986994374 -0400 > ++++ libtiff/tif_pixarlog.c 2008-08-17 13:03:52.894064968 > -0400 > +@@ -768,7 +768,19 @@ > + if (tif->tif_flags & TIFF_SWAB) > + TIFFSwabArrayOfShort(up, nsamples); > + > +- for (i = 0; i < nsamples; i += llen, up += llen) { > ++ /* > ++ * if llen is not an exact multiple of nsamples, the > decode operation > ++ * may overflow the output buffer, so truncate it enough > to prevent that > ++ * but still salvage as much data as possible. > ++ * -- taviso@google.com 14th June 2006 > ++ */ > ++ if (nsamples % llen) > ++ TIFFWarningExt(tif->tif_clientdata, module, > ++ "%s: stride %lu is not a multiple of sample > count, " > ++ "%lu, data truncated.", tif->tif_name, > llen, nsamples); > ++ > ++ > ++ for (i = 0; i < nsamples - (nsamples % llen); i += > llen, up += llen) { > + switch (sp->user_datafmt) { > + case PIXARLOGDATAFMT_FLOAT: > + horizontalAccumulateF(up, llen, sp->stride, > Index: files/patch-tif_print.c > =================================================================== > RCS file: files/patch-tif_print.c > diff -N files/patch-tif_print.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_print.c 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,13 @@ > +CVE-2006-3464,3465 > +=================================================================== > +--- libtiff/tif_print.c.orig 2008-08-17 13:03:49.113994690 > -0400 > ++++ libtiff/tif_print.c 2008-08-17 13:03:52.201994368 > -0400 > +@@ -491,7 +491,7 @@ > + } else > + fprintf(fd, "(present)\n"); > + } > +- if (TIFFFieldSet(tif, FIELD_SUBIFD)) { > ++ if (TIFFFieldSet(tif, FIELD_SUBIFD) && > (td->td_subifd)) { > + fprintf(fd, " SubIFD Offsets:"); > + for (i = 0; i < td->td_nsubifd; i++) > + fprintf(fd, " %5lu", (long) > td->td_subifd[i]); > Index: files/patch-tif_read.c > =================================================================== > RCS file: files/patch-tif_read.c > diff -N files/patch-tif_read.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tif_read.c 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,43 @@ > +CVE-2006-3464,3465 > +=================================================================== > +--- libtiff/tif_read.c.orig 2008-08-17 13:03:48.990994211 > -0400 > ++++ libtiff/tif_read.c 2008-08-17 13:03:52.898026507 -0400 > +@@ -31,6 +31,8 @@ > + #include "tiffiop.h" > + #include <stdio.h> > + > ++#include <limits.h> > ++ > + int TIFFFillStrip(TIFF*, tstrip_t); > + int TIFFFillTile(TIFF*, ttile_t); > + static int TIFFStartStrip(TIFF*, tstrip_t); > +@@ -272,7 +274,13 @@ > + if ((tif->tif_flags & TIFF_MYBUFFER) && > tif->tif_rawdata) > + _TIFFfree(tif->tif_rawdata); > + tif->tif_flags &= ~TIFF_MYBUFFER; > +- if ( td->td_stripoffset[strip] + bytecount > > tif->tif_size) { > ++ /* > ++ * This sanity check could potentially overflow, > causing an OOB read. > ++ * verify that offset + bytecount is > offset. > ++ * -- taviso@google.com 14 Jun 2006 > ++ */ > ++ if ( td->td_stripoffset[strip] + bytecount > > tif->tif_size || > ++ bytecount > (UINT_MAX - > td->td_stripoffset[strip])) { > + /* > + * This error message might seem strange, but it's > + * what would happen if a read were done instead. > +@@ -470,7 +478,13 @@ > + if ((tif->tif_flags & TIFF_MYBUFFER) && > tif->tif_rawdata) > + _TIFFfree(tif->tif_rawdata); > + tif->tif_flags &= ~TIFF_MYBUFFER; > +- if ( td->td_stripoffset[tile] + bytecount > > tif->tif_size) { > ++ /* > ++ * We must check this calculation doesnt overflow, > potentially > ++ * causing an OOB read. > ++ * -- taviso@google.com 15 Jun 2006 > ++ */ > ++ if (td->td_stripoffset[tile] + bytecount > > tif->tif_size || > ++ bytecount > (UINT_MAX - > td->td_stripoffset[tile])) { > + tif->tif_curtile = NOTILE; > + return (0); > + } > Index: files/patch-tiff2pdf.1 > =================================================================== > RCS file: files/patch-tiff2pdf.1 > diff -N files/patch-tiff2pdf.1 > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tiff2pdf.1 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,34 @@ > +--- man/tiff2pdf.1.orig 2008-08-17 13:03:49.046994376 > -0400 > ++++ man/tiff2pdf.1 2008-08-17 13:03:52.522727821 -0400 > +@@ -207,18 +207,14 @@ > + The following example would generate the file output.pdf > from input.tiff. > + .PP > + .RS > +-.NF > +-tiff2pdf -o output.pdf input.tiff > +-.FI > ++\f(CWtiff2pdf -o output.pdf input.tiff\fP > + .RE > + .PP > + The following example would generate PDF output from > input.tiff and write it > + to standard output. > + .PP > + .RS > +-.NF > +-tiff2pdf input.tiff > +-.FI > ++\f(CWtiff2pdf input.tiff\fP > + .RE > + .PP > + The following example would generate the file output.pdf > from input.tiff, > +@@ -227,9 +223,7 @@ > + the "Fit Window" option. > + .PP > + .RS > +-.NF > +-tiff2pdf -p letter -j -q 75 -t "Document" -f -o > output.pdf input.tiff > +-.FI > ++\f(CWtiff2pdf -p letter -j -q 75 -t > "Document" -f -o output.pdf input.tiff\f) > + .RE > + .SH BUGS > + Please report bugs via the web interface at > Index: files/patch-tiff2pdf.c > =================================================================== > RCS file: files/patch-tiff2pdf.c > diff -N files/patch-tiff2pdf.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tiff2pdf.c 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,13 @@ > +CVE-2006-2193 > +=================================================================== > +--- tools/tiff2pdf.c.orig 2006-06-04 18:26:40.000000000 > -0700 > ++++ tools/tiff2pdf.c 2006-06-04 18:27:22.000000000 -0700 > +@@ -3668,7 +3668,7 @@ > + written += TIFFWriteFile(output, (tdata_t) > "(", 1); > + for (i=0;i<len;i++){ > + if((pdfstr[i]&0x80) || (pdfstr[i]==127) || > (pdfstr[i]<32)){ > +- sprintf(buffer, "\\%.3o", > pdfstr[i]); > ++ snprintf(buffer, sizeof(buffer), > "\\%.3o", pdfstr[i]); > + written += TIFFWriteFile(output, (tdata_t) buffer, 4); > + } else { > + switch (pdfstr[i]){ > Index: files/patch-tiff2ps.1 > =================================================================== > RCS file: files/patch-tiff2ps.1 > diff -N files/patch-tiff2ps.1 > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tiff2ps.1 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,142 @@ > +--- man/tiff2ps.1.orig 2008-08-17 13:03:49.050994382 -0400 > ++++ man/tiff2ps.1 2008-08-17 13:03:52.522727821 -0400 > +@@ -27,7 +27,7 @@ > + .SH NAME > + tiff2ps \- convert a > + .SM TIFF > +-image to \*(Ps\(tm > ++image to PostScript\(tm > + .SH SYNOPSIS > + .B tiff2ps > + [ > +@@ -38,17 +38,17 @@ > + .I tiff2ps > + reads > + .SM TIFF > +-images and writes \*(Ps or Encapsulated \*(Ps > (EPS) > ++images and writes PostScript or Encapsulated PostScript > (EPS) > + on the standard output. > + By default, > + .I tiff2ps > +-writes Encapsulated \*(Ps for the first image in the > specified > ++writes Encapsulated PostScript for the first image in the > specified > + .SM TIFF > + image file. > + .PP > + By default, > + .I tiff2ps > +-will generate \*(Ps that fills a printed area > specified > ++will generate PostScript that fills a printed area > specified > + by the > + .SM TIFF > + tags in the input file. > +@@ -67,22 +67,22 @@ > + .SM TIFF > + tags. > + .PP > +-The \*(Ps generated for > ++The PostScript generated for > + .SM RGB, > + palette, and > + .SM CMYK > + images uses the > + .I colorimage > + operator. > +-The \*(Ps generated for > ++The PostScript generated for > + greyscale and bilevel images > + uses the > + .I image > + operator. > + When the > + .I colorimage > +-operator is used, \*(Ps code to emulate this operator > +-on older \*(Ps printers is also generated. > ++operator is used, PostScript code to emulate this > operator > ++on older PostScript printers is also generated. > + Note that this emulation code can be very slow. > + .PP > + Color images with associated alpha data are composited > over > +@@ -90,13 +90,13 @@ > + .SH OPTIONS > + .TP > + .B \-1 > +-Generate \*(Ps Level 1 (the default). > ++Generate PostScript Level 1 (the default). > + .TP > + .B \-2 > +-Generate \*(Ps Level 2. > ++Generate PostScript Level 2. > + .TP > + .B \-3 > +-Generate \*(Ps Level 3. 
It basically allows one to > use the /flateDecode > ++Generate PostScript Level 3. It basically allows one to > use the /flateDecode > + filter for ZIP compressed TIFF images. > + .TP > + .B \-a > +@@ -119,7 +119,7 @@ > + multi-page (e.g. facsimile) file. > + .TP > + .B \-e > +-Force the generation of Encapsulated \*(Ps (implies > -z). > ++Force the generation of Encapsulated PostScript (implies > -z). > + .TP > + .B \-h > + Specify the vertical size of the printed area (in > inches). > +@@ -148,7 +148,7 @@ > + .B \-m > + Where possible render using the > + .B imagemask > +-\*(Ps operator instead of the image operator. When > this option is specified > ++PostScript operator instead of the image operator. When > this option is specified > + .I tiff2ps > + will use > + .B imagemask > +@@ -166,7 +166,7 @@ > + like which are hidden using the SubIFD tag. > + .TP > + .B \-p > +-Force the generation of (non-Encapsulated) \*(Ps. > ++Force the generation of (non-Encapsulated) PostScript. > + .TP > + .B \-r > + Rotate image by 180 degrees. > +@@ -184,15 +184,15 @@ > + Override resolution units specified in the TIFF as > inches. > + .TP > + .B \-z > +-When generating \*(Ps Level 2, data is scaled so that > it does not > ++When generating PostScript Level 2, data is scaled so > that it does not > + image into the > + .I deadzone > + on a page (the outer margin that the printing device is > unable to mark). > + This option suppresses this behavior. > +-When \*(Ps Level 1 is generated, data is imaged to > the entire printed > ++When PostScript Level 1 is generated, data is imaged to > the entire printed > + page and this option has no affect. 
> + .SH EXAMPLES > +-The following generates \*(Ps Level 2 for all pages > of a facsimile: > ++The following generates PostScript Level 2 for all pages > of a facsimile: > + .RS > + .nf > + tiff2ps -a2 fax.tif | lpr > +@@ -201,7 +201,7 @@ > + Note also that if you have version 2.6.1 or newer of > Ghostscript then you > + can efficiently preview facsimile generated with the > above command. > + .PP > +-To generate Encapsulated \*(Ps for a the image at > directory 2 > ++To generate Encapsulated PostScript for a the image at > directory 2 > + of an image use: > + .RS > + .nf > +@@ -228,8 +228,8 @@ > + .B \-L.5 > + option says to repeat a half inch on the next page (to > improve readability). > + .SH BUGS > +-Because \*(Ps does not support the notion of a > colormap, > +-8-bit palette images produce 24-bit \*(Ps images. > ++Because PostScript does not support the notion of a > colormap, > ++8-bit palette images produce 24-bit PostScript images. > + This conversion results in output that is six times > + bigger than the original image and which takes a long > time > + to send to a printer over a serial line. > Index: files/patch-tiffcmp.1 > =================================================================== > RCS file: files/patch-tiffcmp.1 > diff -N files/patch-tiffcmp.1 > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tiffcmp.1 17 Sep 2008 19:25:42 -0000 > @@ -0,0 +1,11 @@ > +--- man/tiffcmp.1.orig 2008-08-17 13:03:49.062994301 -0400 > ++++ man/tiffcmp.1 2008-08-17 13:03:52.522727821 -0400 > +@@ -77,7 +77,7 @@ > + in some exotic cases. > + .SH "SEE ALSO" > + .BR pal2rgb (1), > +-.bR tiffinfo (1), > ++.BR tiffinfo (1), > + .BR tiffcp (1), > + .BR tiffmedian (1), > + .BR libtiff (3TIFF) > Index: files/patch-tiffsplit.1 > =================================================================== > RCS file: files/patch-tiffsplit.1 > diff -N files/patch-tiffsplit.1 > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tiffsplit.1 17 Sep 2008 19:25:42 -0000 
> @@ -0,0 +1,11 @@ > +--- man/tiffsplit.1.orig 2008-08-17 13:03:49.070994233 > -0400 > ++++ man/tiffsplit.1 2008-08-17 13:03:52.522727821 -0400 > +@@ -50,7 +50,7 @@ > + (e.g. > + .IR xaaa.tif , > + .IR xaab.tif , > +-\... > ++.IR ... , > + .IR xzzz.tif ). > + If a prefix is not specified on the command line, > + the default prefix of > Index: files/patch-tiffsplit.c > =================================================================== > RCS file: files/patch-tiffsplit.c > diff -N files/patch-tiffsplit.c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ files/patch-tiffsplit.c 17 Sep 2008 19:25:42 -0000 > @@ -0,0 +1,21 @@ > +CVE-2006-2656 > +=================================================================== > +--- tools/tiffsplit.c.orig 2008-08-17 13:03:49.014994263 > -0400 > ++++ tools/tiffsplit.c 2008-08-17 13:03:52.726994578 -0400 > +@@ -61,14 +61,13 @@ > + return (-3); > + } > + if (argc > 2) > +- strcpy(fname, argv[2]); > ++ snprintf(fname, sizeof(fname), "%s", > argv[2]); > + in = TIFFOpen(argv[1], "r"); > + if (in != NULL) { > + do { > + char path[1024+1]; > + newfilename(); > +- strcpy(path, fname); > +- strcat(path, ".tif"); > ++ snprintf(path, sizeof(path), "%s.tif", > fname); > + out = TIFFOpen(path, > TIFFIsBigEndian(in)?"wb":"wl"); > + if (out == NULL) > + return (-2);
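Review bot: in the tif_jpeg.c hunk at @@ -722,15 +722,31, the two adjacent string literals in the new TIFFErrorExt call join without a space, so the message prints as "...exceeds expected dimensions,expected WxH, got WxH". Add a leading space to the second literal (" expected %dx%d, got %dx%d"). The format also uses %d for sp->cinfo.d.image_width and image_height; if those are unsigned in the libjpeg headers being built against, cast them or use %u.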
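Review bot: in the tif_jpeg.c hunk at @@ -1521,15 +1553,18, the new if (sp != NULL) guard sits after tif->tif_tagmethods.vgetfield = sp->vgetparent; and the matching vsetfield assignment, so sp is still dereferenced unconditionally now that the assert is commented out. Move both tagmethods assignments inside the guard, or return early when sp is NULL, so that the NULL case the guard is meant to tolerate does not fault two lines earlier.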
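Review bot: in the tif_next.c hunk at @@ -105,11 +105,16, the added bound npixels < imagewidth is compared without the (int) cast that the existing test two lines below uses (npixels >= (int) imagewidth), so the two checks can disagree if the operands differ in signedness. Use the same cast in both places. The bound also only works if SETPIXEL advances npixels, which is not visible in the hunk; a short comment saying so would help the next reader.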
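Review bot: in the tif_pixarlog.c hunk at @@ -768,7 +768,19, the condition tested is nsamples % llen, that is, the sample count is not a multiple of the stride, but both the new comment ("if llen is not an exact multiple of nsamples") and the warning text ("stride %lu is not a multiple of sample count, %lu") state the relation the other way round. Reword both to match the test. The warning also passes llen and nsamples to %lu without casts; add (unsigned long) casts unless both are already that type. Nothing in the hunk rules out llen being 0, which would make the modulo itself fault, so a check for that belongs before the warning.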
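Review bot: in the tif_read.c hunk at @@ -272,7 +274,13 (and the same pattern in the tile hunk at @@ -470,7 +478,13), the wrap test bytecount > (UINT_MAX - td->td_stripoffset[strip]) hard-codes UINT_MAX, which is only the right limit if the offset and byte count are exactly unsigned int wide. Either derive the limit from the operand type, or avoid the addition altogether by testing the offset against tif->tif_size first and then bytecount against tif->tif_size minus the offset. Placing the wrap test before the sum it protects would also make the intent easier to read.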
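Review bot: in the tiff2pdf.1 hunk at @@ -227,9 +223,7, the replacement line ends with \f) where the two earlier replacements in this file end with \fP, so the constant-width font is never switched back after the last example. Change the trailing \f) to \fP.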
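Review bot: in the tiff2pdf.c hunk at @@ -3668,7 +3668,7, pdfstr[i] is still passed to the %.3o conversion uncast, so where char is signed a byte with the high bit set is promoted to a negative int and formats as a long octal number rather than three digits. snprintf now truncates that instead of overrunning buffer, but the following TIFFWriteFile(output, (tdata_t) buffer, 4) then emits a wrong escape. Cast the argument to (unsigned char). Also note that sizeof(buffer) is only the buffer length if buffer is declared as an array in this function; the declaration is outside the hunk and worth confirming.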
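Review bot: in the tiffsplit.c hunk at @@ -61,14 +61,13, both snprintf calls ignore their return value, so an over-long prefix in argv[2] is silently truncated and the output is written under a different name than the user asked for. Compare each result against sizeof(fname) and sizeof(path) and exit with an error when the name does not fit, in the same way the surrounding code returns a negative status on other failures.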
I should also mention that there are changes in other libtiff packages/ports that you may wish to consider for FreeBSD. Gentoo has a modification that supports tiffs with jbig2 compression (present in some newer versions of libtiff), and Debian has backported the tiff2pdf present in tiff 4.0 to correct some bugs in the version found in 3.8.x. (I see that at least one person has encountered problems with tiff2pdf and has filed a PR.) Regards, b.
dinoex 2008-09-20 07:33:20 UTC

FreeBSD ports repository

Modified files:
  graphics/tiff Makefile
Added files:
  graphics/tiff/files patch-TIFFClose.3tiff patch-fax2ps.1
                      patch-raw2tiff.1 patch-tif_dir.c
                      patch-tif_dirinfo.c patch-tif_dirread.c
                      patch-tif_fax3.c patch-tif_jpeg.c
                      patch-tif_lzw.c patch-tif_next.c
                      patch-tif_pixarlog.c patch-tif_print.c
                      patch-tif_read.c patch-tiff2pdf.1
                      patch-tiff2pdf.c patch-tiff2ps.1
                      patch-tiffcmp.1 patch-tiffsplit.1
                      patch-tiffsplit.c
Log:
- add Security patches
- fix missing macro in manpages
- add regression test

Security: CVE-2006-2193
Security: CVE-2006-2327
Security: CVE-2006-2656
Security: CVE-2006-3459
Security: CVE-2006-3460
Security: CVE-2006-3461
Security: CVE-2006-3462
Security: CVE-2006-3463
Security: CVE-2006-3464
Security: CVE-2006-3465
Security: CVE-2008-2327
PR: 127434
Submitted by: <bf2006a@yahoo.com>
Obtained From: Gentoo,Debian
Approved by: portmgr (marcus)

Revision  Changes  Path
1.66  +4 -1    ports/graphics/tiff/Makefile
1.1   +11 -0   ports/graphics/tiff/files/patch-TIFFClose.3tiff (new)
1.1   +74 -0   ports/graphics/tiff/files/patch-fax2ps.1 (new)
1.1   +11 -0   ports/graphics/tiff/files/patch-raw2tiff.1 (new)
1.1   +94 -0   ports/graphics/tiff/files/patch-tif_dir.c (new)
1.1   +24 -0   ports/graphics/tiff/files/patch-tif_dirinfo.c (new)
1.1   +321 -0  ports/graphics/tiff/files/patch-tif_dirread.c (new)
1.1   +27 -0   ports/graphics/tiff/files/patch-tif_fax3.c (new)
1.1   +121 -0  ports/graphics/tiff/files/patch-tif_jpeg.c (new)
1.1   +60 -0   ports/graphics/tiff/files/patch-tif_lzw.c (new)
1.1   +22 -0   ports/graphics/tiff/files/patch-tif_next.c (new)
1.1   +25 -0   ports/graphics/tiff/files/patch-tif_pixarlog.c (new)
1.1   +13 -0   ports/graphics/tiff/files/patch-tif_print.c (new)
1.1   +43 -0   ports/graphics/tiff/files/patch-tif_read.c (new)
1.1   +34 -0   ports/graphics/tiff/files/patch-tiff2pdf.1 (new)
1.1   +13 -0   ports/graphics/tiff/files/patch-tiff2pdf.c (new)
1.1   +142 -0  ports/graphics/tiff/files/patch-tiff2ps.1 (new)
1.1   +11 -0   ports/graphics/tiff/files/patch-tiffcmp.1 (new)
1.1   +11 -0   ports/graphics/tiff/files/patch-tiffsplit.1 (new)
1.1   +21 -0   ports/graphics/tiff/files/patch-tiffsplit.c (new)
State Changed From-To: open->closed committed, thanks.