Attachment #190171 for bug #225544

View | Details | Raw Unified | Return to bug 225544
Collapse All | Expand All





PORTNAME=	tiff
PORTVERSION=	4.0.9
PORTREVISION=	1
CATEGORIES=	graphics
MASTER_SITES=	http://download.osgeo.org/libtiff/



post-install:
	( cd ${STAGEDIR}${PREFIX}/man/man3 && ${__pmlinks3} )

post-install-DOCS-on:
	${MKDIR} ${STAGEDIR}${DOCSDIR}/images ${STAGEDIR}${DOCSDIR}/man
	${INSTALL_DATA} ${WRKSRC}/html/*.html ${STAGEDIR}${DOCSDIR}/
	${INSTALL_DATA} ${WRKSRC}/html/images/*.jpg ${STAGEDIR}${DOCSDIR}/images/
	${INSTALL_DATA} ${WRKSRC}/html/images/*.gif ${STAGEDIR}${DOCSDIR}/images/
	${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${STAGEDIR}${DOCSDIR}/man/
.endif

.include <bsd.port.mk>




--- libtiff/tif_print.c.orig	2016-11-25 17:26:23 UTC
+++ libtiff/tif_print.c
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, 
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
 			    (unsigned long) s,
-			    (unsigned __int64) td->td_stripoffset[s],
-			    (unsigned __int64) td->td_stripbytecount[s]);
+			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
+			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
 #else
 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
 			    (unsigned long) s,
-			    (unsigned long long) td->td_stripoffset[s],
-			    (unsigned long long) td->td_stripbytecount[s]);
+			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
+			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
 #endif
 	}
 }




--- libtiff/tif_dir.c.orig	2017-07-17 13:31:36 UTC
+++ libtiff/tif_dir.c
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va
 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
+			} else {
+				*va_arg(ap, uint16**) = NULL;
+				*va_arg(ap, uint16**) = NULL;
 			}
 			break;
 		case TIFFTAG_REFERENCEBLACKWHITE:




--- tools/tiff2pdf.c.orig	2017-10-29 18:50:41 UTC
+++ tools/tiff2pdf.c
@@ -237,7 +237,7 @@ typedef struct {
 	float tiff_whitechromaticities[2];
 	float tiff_primarychromaticities[6];
 	float tiff_referenceblackwhite[2];
-	float* tiff_transferfunction[3];
+	uint16* tiff_transferfunction[3];
 	int pdf_image_interpolate;	/* 0 (default) : do not interpolate,
 					   1 : interpolate */
 	uint16 tiff_transferfunctioncount;
@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* 
 	uint16 pagen=0;
 	uint16 paged=0;
 	uint16 xuint16=0;
+	uint16 tiff_transferfunctioncount=0;
+	uint16* tiff_transferfunction[3];
 
 	directorycount=TIFFNumberOfDirectories(input);
 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* 
                 }
 #endif
 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
-                                 &(t2p->tiff_transferfunction[0]),
-                                 &(t2p->tiff_transferfunction[1]),
-                                 &(t2p->tiff_transferfunction[2]))) {
-			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
-                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
-                           (t2p->tiff_transferfunction[1] !=
-                            t2p->tiff_transferfunction[0])) {
-				t2p->tiff_transferfunctioncount = 3;
-				t2p->tiff_pages[i].page_extra += 4;
-				t2p->pdf_xrefcount += 4;
-			} else {
-				t2p->tiff_transferfunctioncount = 1;
-				t2p->tiff_pages[i].page_extra += 2;
-				t2p->pdf_xrefcount += 2;
-			}
-			if(t2p->pdf_minorversion < 2)
-				t2p->pdf_minorversion = 2;
+                                 &(tiff_transferfunction[0]),
+                                 &(tiff_transferfunction[1]),
+                                 &(tiff_transferfunction[2]))) {
+
+                        if((tiff_transferfunction[1] != (uint16*) NULL) &&
+                           (tiff_transferfunction[2] != (uint16*) NULL)
+                          ) {
+                            tiff_transferfunctioncount=3;
+                        } else {
+                            tiff_transferfunctioncount=1;
+                        }
                 } else {
-			t2p->tiff_transferfunctioncount=0;
+			tiff_transferfunctioncount=0;
 		}
+
+                if (i > 0){
+                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
+                        TIFFError(
+                            TIFF2PDF_MODULE,
+                            "Different transfer function on page %d",
+                            i);
+                        t2p->t2p_error = T2P_ERR_ERROR;
+                        return;
+                    }
+                }
+
+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
+                if(tiff_transferfunctioncount == 3){
+                        t2p->tiff_pages[i].page_extra += 4;
+                        t2p->pdf_xrefcount += 4;
+                        if(t2p->pdf_minorversion < 2)
+                                t2p->pdf_minorversion = 2;
+                } else if (tiff_transferfunctioncount == 1){
+                        t2p->tiff_pages[i].page_extra += 2;
+                        t2p->pdf_xrefcount += 2;
+                        if(t2p->pdf_minorversion < 2)
+                                t2p->pdf_minorversion = 2;
+                }
+
 		if( TIFFGetField(
 			input, 
 			TIFFTAG_ICCPROFILE, 
@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* 
 			 &(t2p->tiff_transferfunction[0]),
 			 &(t2p->tiff_transferfunction[1]),
 			 &(t2p->tiff_transferfunction[2]))) {
-		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
-                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
-                   (t2p->tiff_transferfunction[1] !=
-                    t2p->tiff_transferfunction[0])) {
+		if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
+                   (t2p->tiff_transferfunction[2] != (uint16*) NULL)
+                  ) {
 			t2p->tiff_transferfunctioncount=3;
 		} else {
 			t2p->tiff_transferfunctioncount=1;

Return to bug 225544

Lines 3-8 Link Here

(-)Makefile (-2 / +3 lines)
3		3
4	PORTNAME= tiff	4	PORTNAME= tiff
5	PORTVERSION= 4.0.9	5	PORTVERSION= 4.0.9
		6	PORTREVISION= 1
6	CATEGORIES= graphics	7	CATEGORIES= graphics
7	MASTER_SITES= http://download.osgeo.org/libtiff/	8	MASTER_SITES= http://download.osgeo.org/libtiff/
8		9
Lines 109-120 Link Here
109		110
110	post-install:	111	post-install:
111	( cd ${STAGEDIR}${PREFIX}/man/man3 && ${__pmlinks3} )	112	( cd ${STAGEDIR}${PREFIX}/man/man3 && ${__pmlinks3} )
112	.if ${PORT_OPTIONS:MDOCS}	113
		114	post-install-DOCS-on:
113	${MKDIR} ${STAGEDIR}${DOCSDIR}/images ${STAGEDIR}${DOCSDIR}/man	115	${MKDIR} ${STAGEDIR}${DOCSDIR}/images ${STAGEDIR}${DOCSDIR}/man
114	${INSTALL_DATA} ${WRKSRC}/html/*.html ${STAGEDIR}${DOCSDIR}/	116	${INSTALL_DATA} ${WRKSRC}/html/*.html ${STAGEDIR}${DOCSDIR}/
115	${INSTALL_DATA} ${WRKSRC}/html/images/*.jpg ${STAGEDIR}${DOCSDIR}/images/	117	${INSTALL_DATA} ${WRKSRC}/html/images/*.jpg ${STAGEDIR}${DOCSDIR}/images/
116	${INSTALL_DATA} ${WRKSRC}/html/images/*.gif ${STAGEDIR}${DOCSDIR}/images/	118	${INSTALL_DATA} ${WRKSRC}/html/images/*.gif ${STAGEDIR}${DOCSDIR}/images/
117	${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${STAGEDIR}${DOCSDIR}/man/	119	${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${STAGEDIR}${DOCSDIR}/man/
118	.endif
119		120
120	.include <bsd.port.mk>	121	.include <bsd.port.mk>

Line 0 Link Here

(-)files/patch-CVE-2017-18013 (+20 lines)
	1	--- libtiff/tif_print.c.orig 2016-11-25 17:26:23 UTC
	2	+++ libtiff/tif_print.c
	3	@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd,
	4	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
	5	fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
	6	(unsigned long) s,
	7	- (unsigned __int64) td->td_stripoffset[s],
	8	- (unsigned __int64) td->td_stripbytecount[s]);
	9	+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
	10	+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
	11	#else
	12	fprintf(fd, " %3lu: [%8llu, %8llu]\n",
	13	(unsigned long) s,
	14	- (unsigned long long) td->td_stripoffset[s],
	15	- (unsigned long long) td->td_stripbytecount[s]);
	16	+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
	17	+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
	18	#endif
	19	}
	20	}

Line 0 Link Here

(-)files/patch-CVE-2017-9935-1 (+12 lines)
	1	--- libtiff/tif_dir.c.orig 2017-07-17 13:31:36 UTC
	2	+++ libtiff/tif_dir.c
	3	@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va
	4	if (td->td_samplesperpixel - td->td_extrasamples > 1) {
	5	va_arg(ap, uint16*) = td->td_transferfunction[1];
	6	va_arg(ap, uint16*) = td->td_transferfunction[2];
	7	+ } else {
	8	+ va_arg(ap, uint16*) = NULL;
	9	+ va_arg(ap, uint16*) = NULL;
	10	}
	11	break;
	12	case TIFFTAG_REFERENCEBLACKWHITE:

Line 0 Link Here

(-)files/patch-CVE-2017-9935-2 (+101 lines)
		1	--- tools/tiff2pdf.c.orig 2017-10-29 18:50:41 UTC
		2	+++ tools/tiff2pdf.c
		3	@@ -237,7 +237,7 @@ typedef struct {
		4	float tiff_whitechromaticities[2];
		5	float tiff_primarychromaticities[6];
		6	float tiff_referenceblackwhite[2];
		7	- float* tiff_transferfunction[3];
		8	+ uint16* tiff_transferfunction[3];
		9	int pdf_image_interpolate; /* 0 (default) : do not interpolate,
		10	1 : interpolate */
		11	uint16 tiff_transferfunctioncount;
		12	@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
		13	uint16 pagen=0;
		14	uint16 paged=0;
		15	uint16 xuint16=0;
		16	+ uint16 tiff_transferfunctioncount=0;
		17	+ uint16* tiff_transferfunction[3];
		18
		19	directorycount=TIFFNumberOfDirectories(input);
		20	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
		21	@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
		22	}
		23	#endif
		24	if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
		25	- &(t2p->tiff_transferfunction[0]),
		26	- &(t2p->tiff_transferfunction[1]),
		27	- &(t2p->tiff_transferfunction[2]))) {
		28	- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
		29	- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
		30	- (t2p->tiff_transferfunction[1] !=
		31	- t2p->tiff_transferfunction[0])) {
		32	- t2p->tiff_transferfunctioncount = 3;
		33	- t2p->tiff_pages[i].page_extra += 4;
		34	- t2p->pdf_xrefcount += 4;
		35	- } else {
		36	- t2p->tiff_transferfunctioncount = 1;
		37	- t2p->tiff_pages[i].page_extra += 2;
		38	- t2p->pdf_xrefcount += 2;
		39	- }
		40	- if(t2p->pdf_minorversion < 2)
		41	- t2p->pdf_minorversion = 2;
		42	+ &(tiff_transferfunction[0]),
		43	+ &(tiff_transferfunction[1]),
		44	+ &(tiff_transferfunction[2]))) {
		45	+
		46	+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
		47	+ (tiff_transferfunction[2] != (uint16*) NULL)
		48	+ ) {
		49	+ tiff_transferfunctioncount=3;
		50	+ } else {
		51	+ tiff_transferfunctioncount=1;
		52	+ }
		53	} else {
		54	- t2p->tiff_transferfunctioncount=0;
		55	+ tiff_transferfunctioncount=0;
		56	}
		57	+
		58	+ if (i > 0){
		59	+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
		60	+ TIFFError(
		61	+ TIFF2PDF_MODULE,
		62	+ "Different transfer function on page %d",
		63	+ i);
		64	+ t2p->t2p_error = T2P_ERR_ERROR;
65	+ return;
66	+ }
67	+ }
68	+
69	+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
70	+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
71	+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
72	+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
73	+ if(tiff_transferfunctioncount == 3){
74	+ t2p->tiff_pages[i].page_extra += 4;
75	+ t2p->pdf_xrefcount += 4;
76	+ if(t2p->pdf_minorversion < 2)
77	+ t2p->pdf_minorversion = 2;
78	+ } else if (tiff_transferfunctioncount == 1){
79	+ t2p->tiff_pages[i].page_extra += 2;
80	+ t2p->pdf_xrefcount += 2;
81	+ if(t2p->pdf_minorversion < 2)
82	+ t2p->pdf_minorversion = 2;
83	+ }
84	+
85	if( TIFFGetField(
86	input,
87	TIFFTAG_ICCPROFILE,
88	@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF*
89	&(t2p->tiff_transferfunction[0]),
90	&(t2p->tiff_transferfunction[1]),
91	&(t2p->tiff_transferfunction[2]))) {
92	- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
93	- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
94	- (t2p->tiff_transferfunction[1] !=
95	- t2p->tiff_transferfunction[0])) {
96	+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
97	+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
98	+ ) {
99	t2p->tiff_transferfunctioncount=3;
100	} else {
101	t2p->tiff_transferfunctioncount=1;