
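--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	tiff
-PORTVERSION=	4.0.9
-PORTREVISION=	1
+PORTVERSION=	4.0.10
 CATEGORIES=	graphics
 MASTER_SITES=	http://download.osgeo.org/libtiff/
 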
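--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1511092936
-SHA256 (tiff-4.0.9.tar.gz) = 6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd
-SIZE (tiff-4.0.9.tar.gz) = 2305681
+TIMESTAMP = 1541969310
+SHA256 (tiff-4.0.10.tar.gz) = 2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4
+SIZE (tiff-4.0.10.tar.gz) = 2402867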
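--- a/graphics/tiff/files/patch-CVE-2017-18013
+++ b/graphics/tiff/files/patch-CVE-2017-18013
@@ -1,34 +0,0 @@
-From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 31 Dec 2017 15:09:41 +0100
-Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770
-
----
- libtiff/tif_print.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 9959d35..8deceb2 100644
----- libtiff/tif_print.c
-+++ libtiff/tif_print.c
-@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
- 			    (unsigned long) s,
--			    (unsigned __int64) td->td_stripoffset[s],
--			    (unsigned __int64) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
- #else
- 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
- 			    (unsigned long) s,
--			    (unsigned long long) td->td_stripoffset[s],
--			    (unsigned long long) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
- #endif
- 	}
- }
---
-libgit2 0.26.0
-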
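--- a/graphics/tiff/files/patch-CVE-2017-9935
+++ b/graphics/tiff/files/patch-CVE-2017-9935
@@ -1,117 +0,0 @@
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 2ccaf44..cbf2b69 100644
---- libtiff/tif_dir.c
-+++ libtiff/tif_dir.c
-@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
- 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
- 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
- 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
-+			} else {
-+				*va_arg(ap, uint16**) = NULL;
-+				*va_arg(ap, uint16**) = NULL;
- 			}
- 			break;
- 		case TIFFTAG_REFERENCEBLACKWHITE:
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index d1a9b09..484776c 100644
---- tools/tiff2pdf.c
-+++ tools/tiff2pdf.c
-@@ -237,7 +237,7 @@ typedef struct {
- 	float tiff_whitechromaticities[2];
- 	float tiff_primarychromaticities[6];
- 	float tiff_referenceblackwhite[2];
--	float* tiff_transferfunction[3];
-+	uint16* tiff_transferfunction[3];
- 	int pdf_image_interpolate;	/* 0 (default) : do not interpolate,
- 					   1 : interpolate */
- 	uint16 tiff_transferfunctioncount;
-@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- 	uint16 pagen=0;
- 	uint16 paged=0;
- 	uint16 xuint16=0;
-+	uint16 tiff_transferfunctioncount=0;
-+	uint16* tiff_transferfunction[3];
- 
- 	directorycount=TIFFNumberOfDirectories(input);
- 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
-@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
-                 }
- #endif
- 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
--                                 &(t2p->tiff_transferfunction[0]),
--                                 &(t2p->tiff_transferfunction[1]),
--                                 &(t2p->tiff_transferfunction[2]))) {
--			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[1] !=
--                            t2p->tiff_transferfunction[0])) {
--				t2p->tiff_transferfunctioncount = 3;
--				t2p->tiff_pages[i].page_extra += 4;
--				t2p->pdf_xrefcount += 4;
--			} else {
--				t2p->tiff_transferfunctioncount = 1;
--				t2p->tiff_pages[i].page_extra += 2;
--				t2p->pdf_xrefcount += 2;
--			}
--			if(t2p->pdf_minorversion < 2)
--				t2p->pdf_minorversion = 2;
-+                                 &(tiff_transferfunction[0]),
-+                                 &(tiff_transferfunction[1]),
-+                                 &(tiff_transferfunction[2]))) {
-+
-+                        if((tiff_transferfunction[1] != (uint16*) NULL) &&
-+                           (tiff_transferfunction[2] != (uint16*) NULL)
-+                          ) {
-+                            tiff_transferfunctioncount=3;
-+                        } else {
-+                            tiff_transferfunctioncount=1;
-+                        }
-                 } else {
--			t2p->tiff_transferfunctioncount=0;
-+			tiff_transferfunctioncount=0;
- 		}
-+
-+                if (i > 0){
-+                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
-+                        TIFFError(
-+                            TIFF2PDF_MODULE,
-+                            "Different transfer function on page %d",
-+                            i);
-+                        t2p->t2p_error = T2P_ERR_ERROR;
-+                        return;
-+                    }
-+                }
-+
-+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
-+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
-+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
-+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
-+                if(tiff_transferfunctioncount == 3){
-+                        t2p->tiff_pages[i].page_extra += 4;
-+                        t2p->pdf_xrefcount += 4;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                } else if (tiff_transferfunctioncount == 1){
-+                        t2p->tiff_pages[i].page_extra += 2;
-+                        t2p->pdf_xrefcount += 2;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                }
-+
- 		if( TIFFGetField(
- 			input, 
- 			TIFFTAG_ICCPROFILE, 
-@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- 			 &(t2p->tiff_transferfunction[0]),
- 			 &(t2p->tiff_transferfunction[1]),
- 			 &(t2p->tiff_transferfunction[2]))) {
--		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[1] !=
--                    t2p->tiff_transferfunction[0])) {
-+		if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
-+                   (t2p->tiff_transferfunction[2] != (uint16*) NULL)
-+                  ) {
- 			t2p->tiff_transferfunctioncount=3;
- 		} else {
- 			t2p->tiff_transferfunctioncount=1;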
(-)b/graphics/tiff/pkg-plist (-3 / +2 lines)
Lines 24-34 include/tiffvers.h Link Here
24
lib/libtiff.a
24
lib/libtiff.a
25
lib/libtiff.so
25
lib/libtiff.so
26
lib/libtiff.so.5
26
lib/libtiff.so.5
27
lib/libtiff.so.5.3.0
27
lib/libtiff.so.5.4.0
28
lib/libtiffxx.a
28
lib/libtiffxx.a
29
lib/libtiffxx.so
29
lib/libtiffxx.so
30
lib/libtiffxx.so.5
30
lib/libtiffxx.so.5
31
lib/libtiffxx.so.5.3.0
31
lib/libtiffxx.so.5.4.0
32
libdata/pkgconfig/libtiff-4.pc
32
libdata/pkgconfig/libtiff-4.pc
33
man/man1/fax2ps.1.gz
33
man/man1/fax2ps.1.gz
34
man/man1/fax2tiff.1.gz
34
man/man1/fax2tiff.1.gz
35
- 
