regression-test: build

	@(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_ARGS} check)

CVE-2006-3464,3465

===================================================================

--- libtiff/tif_dir.c.orig	2008-08-17 13:03:48.954994295 -0400

+++ libtiff/tif_dir.c	2008-08-17 13:03:52.881994558 -0400

@@ -122,6 +122,7 @@

 {

 	static const char module[] = "_TIFFVSetField";

+	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);

 	TIFFDirectory* td = &tif->tif_dir;

 	int status = 1;

 	uint32 v32, i, v;

@@ -195,10 +196,12 @@

 		break;

 	case TIFFTAG_ORIENTATION:

 		v = va_arg(ap, uint32);

+		const TIFFFieldInfo* fip;

 		if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {

+			fip = _TIFFFieldWithTag(tif, tag);

 			TIFFWarningExt(tif->tif_clientdata, tif->tif_name,

 			    "Bad value %lu for \"%s\" tag ignored",

-			    v, _TIFFFieldWithTag(tif, tag)->field_name);

+			    v, fip ? fip->field_name : "Unknown");

 		} else

 			td->td_orientation = (uint16) v;

 		break;

@@ -387,11 +390,15 @@

 	     * happens, for example, when tiffcp is used to convert between

 	     * compression schemes and codec-specific tags are blindly copied.

              */

+	    /* 

+	     * better not dereference fip if it is NULL.

+	     * -- taviso@google.com 15 Jun 2006

+	     */

             if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {

 		TIFFErrorExt(tif->tif_clientdata, module,

 		    "%s: Invalid %stag \"%s\" (not supported by codec)",

 		    tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",

-		    _TIFFFieldWithTag(tif, tag)->field_name);

+		    fip ? fip->field_name : "Unknown");

 		status = 0;

 		break;

             }

@@ -468,7 +475,7 @@

 	    if (fip->field_type == TIFF_ASCII)

 		    _TIFFsetString((char **)&tv->value, va_arg(ap, char *));

 	    else {

-                tv->value = _TIFFmalloc(tv_size * tv->count);

+                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");

 		if (!tv->value) {

 		    status = 0;

 		    goto end;

@@ -563,7 +570,7 @@

           }

 	}

 	if (status) {

-		TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);

+		TIFFSetFieldBit(tif, fip->field_bit);

 		tif->tif_flags |= TIFF_DIRTYDIRECT;

 	}

@@ -572,12 +579,12 @@

 	return (status);

 badvalue:

 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",

-		  tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);

+		  tif->tif_name, v, fip ? fip->field_name : "Unknown");

 	va_end(ap);

 	return (0);

 badvalue32:

 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",

-		   tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);

+		   tif->tif_name, v32, fip ? fip->field_name : "Unknown");

 	va_end(ap);

 	return (0);

 }

@@ -813,12 +820,16 @@

              * If the client tries to get a tag that is not valid

              * for the image's codec then we'll arrive here.

              */

+	    /*

+	     * dont dereference fip if it's NULL.

+	     * -- taviso@google.com 15 Jun 2006

+	     */

             if( fip == NULL || fip->field_bit != FIELD_CUSTOM )

             {

 				TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",

                           "%s: Invalid %stag \"%s\" (not supported by codec)",

                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",

-                          _TIFFFieldWithTag(tif, tag)->field_name);

+                          fip ? fip->field_name : "Unknown");

                 ret_val = 0;

                 break;

             }

Index: tiff-3.8.2/libtiff/tif_dirinfo.c

CVE-2006-3464,3465

===================================================================

--- libtiff/tif_dirinfo.c.orig	2008-08-17 13:03:48.958994316 -0400

+++ libtiff/tif_dirinfo.c	2008-08-17 13:03:52.890034927 -0400

@@ -775,7 +775,8 @@

 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",

 			  "Internal error, unknown tag 0x%x",

                           (unsigned int) tag);

-		assert(fip != NULL);

+		/* assert(fip != NULL); */

+

 		/*NOTREACHED*/

 	}

 	return (fip);

@@ -789,7 +790,8 @@

 	if (!fip) {

 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",

 			  "Internal error, unknown tag %s", field_name);

-		assert(fip != NULL);

+		/* assert(fip != NULL); */

+		

 		/*NOTREACHED*/

 	}

 	return (fip);

Index: tiff-3.8.2/libtiff/tif_dirread.c

CVE-2006-3459,3463,3464,3465 

===================================================================

--- libtiff/tif_dirread.c.orig	2008-08-17 13:03:48.962994506 -0400

+++ libtiff/tif_dirread.c	2008-08-17 13:03:52.890034927 -0400

@@ -29,6 +29,9 @@

  *

  * Directory Read Support Routines.

  */

+

+#include <limits.h>

+

 #include "tiffiop.h"

 #define	IGNORE	0		/* tag placeholder used below */

@@ -81,6 +84,7 @@

 	uint16 dircount;

 	toff_t nextdiroff;

 	int diroutoforderwarning = 0;

+	int compressionknown = 0;

 	toff_t* new_dirlist;

 	tif->tif_diroff = tif->tif_nextdiroff;

@@ -147,13 +151,20 @@

 	} else {

 		toff_t off = tif->tif_diroff;

-		if (off + sizeof (uint16) > tif->tif_size) {

-			TIFFErrorExt(tif->tif_clientdata, module,

-			    "%s: Can not read TIFF directory count",

-                            tif->tif_name);

-			return (0);

+		/*

+		 * Check for integer overflow when validating the dir_off, otherwise

+		 * a very high offset may cause an OOB read and crash the client.

+		 * -- taviso@google.com, 14 Jun 2006.

+		 */

+		if (off + sizeof (uint16) > tif->tif_size || 

+			off > (UINT_MAX - sizeof(uint16))) {

+				TIFFErrorExt(tif->tif_clientdata, module,

+				    "%s: Can not read TIFF directory count",

+				    tif->tif_name);

+				return (0);

 		} else

-			_TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));

+			_TIFFmemcpy(&dircount, tif->tif_base + off,

+					sizeof (uint16));

 		off += sizeof (uint16);

 		if (tif->tif_flags & TIFF_SWAB)

 			TIFFSwabShort(&dircount);

@@ -254,6 +265,7 @@

 		while (fix < tif->tif_nfields &&

 		       tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)

 			fix++;

+

 		if (fix >= tif->tif_nfields ||

 		    tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {

@@ -264,17 +276,23 @@

 						       dp->tdir_tag,

 						       dp->tdir_tag,

 						       dp->tdir_type);

-

-                    TIFFMergeFieldInfo(tif,

-                                       _TIFFCreateAnonFieldInfo(tif,

-						dp->tdir_tag,

-						(TIFFDataType) dp->tdir_type),

-				       1 );

+					/*

+					 * creating anonymous fields prior to knowing the compression

+					 * algorithm (ie, when the field info has been merged) could cause

+					 * crashes with pathological directories.

+					 * -- taviso@google.com 15 Jun 2006

+					 */

+					if (compressionknown)

+			                    TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 

+						(TIFFDataType) dp->tdir_type), 1 );

+					else goto ignore;

+		    

                     fix = 0;

                     while (fix < tif->tif_nfields &&

                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)

 			fix++;

 		}

+		

 		/*

 		 * Null out old tags that we ignore.

 		 */

@@ -326,6 +344,7 @@

 				    dp->tdir_type, dp->tdir_offset);

 				if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))

 					goto bad;

+				else compressionknown++;

 				break;

 			/* XXX: workaround for broken TIFFs */

 			} else if (dp->tdir_type == TIFF_LONG) {

@@ -540,6 +559,7 @@

 	 * Attempt to deal with a missing StripByteCounts tag.

 	 */

 	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {

+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);

 		/*

 		 * Some manufacturers violate the spec by not giving

 		 * the size of the strips.  In this case, assume there

@@ -556,7 +576,7 @@

 			"%s: TIFF directory is missing required "

 			"\"%s\" field, calculating from imagelength",

 			tif->tif_name,

-		        _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);

+		        fip ? fip->field_name : "Unknown");

 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)

 		    goto bad;

 /* 

@@ -580,6 +600,7 @@

 	} else if (td->td_nstrips == 1 

                    && td->td_stripoffset[0] != 0 

                    && BYTECOUNTLOOKSBAD) {

+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);

 		/*

 		 * XXX: Plexus (and others) sometimes give a value of zero for

 		 * a tag when they don't know what the correct value is!  Try

@@ -589,13 +610,14 @@

 		TIFFWarningExt(tif->tif_clientdata, module,

 	"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",

                             tif->tif_name,

-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);

+		            fip ? fip->field_name : "Unknown");

 		if(EstimateStripByteCounts(tif, dir, dircount) < 0)

 		    goto bad;

 	} else if (td->td_planarconfig == PLANARCONFIG_CONTIG

 		   && td->td_nstrips > 2

 		   && td->td_compression == COMPRESSION_NONE

 		   && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {

+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);

 		/*

 		 * XXX: Some vendors fill StripByteCount array with absolutely

 		 * wrong values (it can be equal to StripOffset array, for

@@ -604,7 +626,7 @@

 		TIFFWarningExt(tif->tif_clientdata, module,

 	"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",

                             tif->tif_name,

-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);

+		            fip ? fip->field_name : "Unknown");

 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)

 		    goto bad;

 	}

@@ -870,7 +892,13 @@

 	register TIFFDirEntry *dp;

 	register TIFFDirectory *td = &tif->tif_dir;

-	uint16 i;

+	

+	/* i is used to iterate over td->td_nstrips, so must be

+	 * at least the same width.

+	 * -- taviso@google.com 15 Jun 2006

+	 */

+

+	uint32 i;

 	if (td->td_stripbytecount)

 		_TIFFfree(td->td_stripbytecount);

@@ -947,16 +975,18 @@

 static int

 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)

 {

+	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);

+

 	if (count > dir->tdir_count) {

 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,

 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",

-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,

+		    fip ? fip->field_name : "Unknown",

 		    dir->tdir_count, count);

 		return (0);

 	} else if (count < dir->tdir_count) {

 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,

 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",

-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,

+		    fip ? fip->field_name : "Unknown",

 		    dir->tdir_count, count);

 		return (1);

 	}

@@ -970,6 +1000,7 @@

 TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)

 {

 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);

+	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);

 	tsize_t cc = dir->tdir_count * w;

 	/* Check for overflow. */

@@ -1013,7 +1044,7 @@

 bad:

 	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

 		     "Error fetching data for field \"%s\"",

-		     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);

+		     fip ? fip->field_name : "Unknown");

 	return (tsize_t) 0;

 }

@@ -1039,10 +1070,12 @@

 static int

 cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)

 {

+	const TIFFFieldInfo* fip;

 	if (denom == 0) {

+		fip = _TIFFFieldWithTag(tif, dir->tdir_tag);

 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

 		    "%s: Rational with zero denominator (num = %lu)",

-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);

+		    fip ? fip->field_name : "Unknown", num);

 		return (0);

 	} else {

 		if (dir->tdir_type == TIFF_RATIONAL)

@@ -1159,6 +1192,20 @@

 static int

 TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)

 {

+	/*

+	 * Prevent overflowing the v stack arrays below by performing a sanity

+	 * check on tdir_count, this should never be greater than two.

+	 * -- taviso@google.com 14 Jun 2006.

+	 */

+	if (dir->tdir_count > 2) {

+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);

+		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,

+				"unexpected count for field \"%s\", %lu, expected 2; ignored.",

+				fip ? fip->field_name : "Unknown",

+				dir->tdir_count);

+		return 0;

+	}

+

 	switch (dir->tdir_type) {

 		case TIFF_BYTE:

 		case TIFF_SBYTE:

@@ -1329,14 +1376,15 @@

 	case TIFF_DOUBLE:

 		return (TIFFFetchDoubleArray(tif, dir, (double*) v));

 	default:

+		{ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);

 		/* TIFF_NOTYPE */

 		/* TIFF_ASCII */

 		/* TIFF_UNDEFINED */

 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

 			     "cannot read TIFF_ANY type %d for field \"%s\"",

 			     dir->tdir_type,

-			     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);

-		return (0);

+			     fip ? fip->field_name : "Unknown");

+		return (0); }

 	}

 	return (1);

 }

@@ -1351,6 +1399,9 @@

 	int ok = 0;

 	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);

+	if (fip == NULL) {

+		return (0);

+	}

 	if (dp->tdir_count > 1) {		/* array of values */

 		char* cp = NULL;

@@ -1493,6 +1544,7 @@

 TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)

 {

     uint16 samples = tif->tif_dir.td_samplesperpixel;

+    const TIFFFieldInfo* fip;

     int status = 0;

     if (CheckDirCount(tif, dir, (uint32) samples)) {

@@ -1510,9 +1562,10 @@

             for (i = 1; i < check_count; i++)

                 if (v[i] != v[0]) {

+				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);

 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

                               "Cannot handle different per-sample values for field \"%s\"",

-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);

+                              fip ? fip->field_name : "Unknown");

                     goto bad;

                 }

             *pl = v[0];

@@ -1534,6 +1587,7 @@

 TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)

 {

     uint16 samples = tif->tif_dir.td_samplesperpixel;

+    const TIFFFieldInfo* fip;

     int status = 0;

     if (CheckDirCount(tif, dir, (uint32) samples)) {

@@ -1551,9 +1605,10 @@

                 check_count = samples;

             for (i = 1; i < check_count; i++)

                 if (v[i] != v[0]) {

+				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);

 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

                               "Cannot handle different per-sample values for field \"%s\"",

-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);

+                              fip ? fip->field_name : "Unknown");

                     goto bad;

                 }

             *pl = v[0];

@@ -1574,6 +1629,7 @@

 TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)

 {

     uint16 samples = tif->tif_dir.td_samplesperpixel;

+    const TIFFFieldInfo* fip;

     int status = 0;

     if (CheckDirCount(tif, dir, (uint32) samples)) {

@@ -1591,9 +1647,10 @@

             for (i = 1; i < check_count; i++)

                 if (v[i] != v[0]) {

+		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);

                     TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

                               "Cannot handle different per-sample values for field \"%s\"",

-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);

+                              fip ? fip->field_name : "Unknown");

                     goto bad;

                 }

             *pl = v[0];

Index: tiff-3.8.2/libtiff/tif_fax3.c

CVE-2006-3464,3465

===================================================================

--- libtiff/tif_fax3.c.orig	2008-08-17 13:03:48.970994629 -0400

+++ libtiff/tif_fax3.c	2008-08-17 13:03:52.890034927 -0400

@@ -1136,6 +1136,7 @@

 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)

 {

 	Fax3BaseState* sp = Fax3State(tif);

+	const TIFFFieldInfo* fip;

 	assert(sp != 0);

 	assert(sp->vsetparent != 0);

@@ -1181,7 +1182,13 @@

 	default:

 		return (*sp->vsetparent)(tif, tag, ap);

 	}

-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);

+	

+	if ((fip = _TIFFFieldWithTag(tif, tag))) {

+		TIFFSetFieldBit(tif, fip->field_bit);

+	} else {

+		return (0);

+	}

+

 	tif->tif_flags |= TIFF_DIRTYDIRECT;

 	return (1);

 }

Index: tiff-3.8.2/libtiff/tif_jpeg.c

CVE-2006-3460,3464,3465

===================================================================

--- libtiff/tif_jpeg.c.orig	2008-08-17 13:03:48.974994391 -0400

+++ libtiff/tif_jpeg.c	2008-08-17 13:03:52.894064968 -0400

@@ -722,15 +722,31 @@

 		segment_width = TIFFhowmany(segment_width, sp->h_sampling);

 		segment_height = TIFFhowmany(segment_height, sp->v_sampling);

 	}

-	if (sp->cinfo.d.image_width != segment_width ||

-	    sp->cinfo.d.image_height != segment_height) {

+	if (sp->cinfo.d.image_width < segment_width ||

+	    sp->cinfo.d.image_height < segment_height) {

 		TIFFWarningExt(tif->tif_clientdata, module,

                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",

                           segment_width, 

                           segment_height,

                           sp->cinfo.d.image_width, 

                           sp->cinfo.d.image_height);

+	} 

+	

+	if (sp->cinfo.d.image_width > segment_width ||

+			sp->cinfo.d.image_height > segment_height) {

+		/*

+		 * This case could be dangerous, if the strip or tile size has been

+		 * reported as less than the amount of data jpeg will return, some

+		 * potential security issues arise. Catch this case and error out.

+		 * -- taviso@google.com 14 Jun 2006

+		 */

+		TIFFErrorExt(tif->tif_clientdata, module, 

+			"JPEG strip/tile size exceeds expected dimensions,"

+			"expected %dx%d, got %dx%d", segment_width, segment_height,

+			sp->cinfo.d.image_width, sp->cinfo.d.image_height);

+		return (0);

 	}

+

 	if (sp->cinfo.d.num_components !=

 	    (td->td_planarconfig == PLANARCONFIG_CONTIG ?

 	     td->td_samplesperpixel : 1)) {

@@ -761,6 +777,22 @@

                                     sp->cinfo.d.comp_info[0].v_samp_factor,

                                     sp->h_sampling, sp->v_sampling);

+				/*

+				 * There are potential security issues here for decoders that

+				 * have already allocated buffers based on the expected sampling

+				 * factors. Lets check the sampling factors dont exceed what

+				 * we were expecting.

+				 * -- taviso@google.com 14 June 2006

+				 */

+				if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||

+					sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {

+						TIFFErrorExt(tif->tif_clientdata, module,

+							"Cannot honour JPEG sampling factors that"

+							" exceed those specified.");

+						return (0);

+				}

+

+

 			    /*

 			     * XXX: Files written by the Intergraph software

 			     * has different sampling factors stored in the

@@ -1521,15 +1553,18 @@

 {

 	JPEGState *sp = JState(tif);

-	assert(sp != 0);

+	/* assert(sp != 0); */

 	tif->tif_tagmethods.vgetfield = sp->vgetparent;

 	tif->tif_tagmethods.vsetfield = sp->vsetparent;

-	if( sp->cinfo_initialized )

-	    TIFFjpeg_destroy(sp);	/* release libjpeg resources */

-	if (sp->jpegtables)		/* tag value */

-		_TIFFfree(sp->jpegtables);

+	if (sp != NULL) {

+		if( sp->cinfo_initialized )

+		    TIFFjpeg_destroy(sp);	/* release libjpeg resources */

+		if (sp->jpegtables)		/* tag value */

+			_TIFFfree(sp->jpegtables);

+	}

+

 	_TIFFfree(tif->tif_data);	/* release local state */

 	tif->tif_data = NULL;

@@ -1541,6 +1576,7 @@

 {

 	JPEGState* sp = JState(tif);

 	TIFFDirectory* td = &tif->tif_dir;

+	const TIFFFieldInfo* fip;

 	uint32 v32;

 	assert(sp != NULL);

@@ -1606,7 +1642,13 @@

 	default:

 		return (*sp->vsetparent)(tif, tag, ap);

 	}

-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);

+

+	if ((fip = _TIFFFieldWithTag(tif, tag))) {

+		TIFFSetFieldBit(tif, fip->field_bit);

+	} else {

+		return (0);

+	}

+

 	tif->tif_flags |= TIFF_DIRTYDIRECT;

 	return (1);

 }

@@ -1726,7 +1768,11 @@

 {

 	JPEGState* sp = JState(tif);

-	assert(sp != NULL);

+	/* assert(sp != NULL); */

+	if (sp == NULL) {

+		TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");

+		return;

+	}

 	(void) flags;

 	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))

Index: tiff-3.8.2/libtiff/tif_next.c

CVE-2008-2327

===================================================================

--- libtiff/tif_lzw.c.orig	2008-08-17 13:03:49.090994393 -0400

+++ libtiff/tif_lzw.c	2008-08-17 13:03:52.354994400 -0400

@@ -237,6 +237,13 @@

                     sp->dec_codetab[code].length = 1;

                     sp->dec_codetab[code].next = NULL;

                 } while (code--);

+                /*

+                 * Zero-out the unused entries

+                 */

+                 _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,

+                 (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));

+

+

 	}

 	return (1);

 }

@@ -408,12 +415,20 @@

 			break;

 		if (code == CODE_CLEAR) {

 			free_entp = sp->dec_codetab + CODE_FIRST;

+			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));

 			nbits = BITS_MIN;

 			nbitsmask = MAXCODE(BITS_MIN);

 			maxcodep = sp->dec_codetab + nbitsmask-1;

 			NextCode(tif, sp, bp, code, GetNextCode);

 			if (code == CODE_EOI)

 				break;

+			 if (code == CODE_CLEAR) {

+				 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

+				 "LZWDecode: Corrupted LZW table at scanline %d",

+				 tif->tif_row);

+				 return (0);

+			 }

+

 			*op++ = (char)code, occ--;

 			oldcodep = sp->dec_codetab + code;

 			continue;

@@ -604,12 +619,20 @@

 			break;

 		if (code == CODE_CLEAR) {

 			free_entp = sp->dec_codetab + CODE_FIRST;

+			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));

 			nbits = BITS_MIN;

 			nbitsmask = MAXCODE(BITS_MIN);

 			maxcodep = sp->dec_codetab + nbitsmask;

 			NextCode(tif, sp, bp, code, GetNextCodeCompat);

 			if (code == CODE_EOI)

 				break;

+			 if (code == CODE_CLEAR) {

+				 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

+				 "LZWDecode: Corrupted LZW table at scanline %d",

+				 tif->tif_row);

+				 return (0);

+			 }

+

 			*op++ = code, occ--;

 			oldcodep = sp->dec_codetab + code;

 			continue;

CVE-2006-3462

===================================================================

--- libtiff/tif_next.c.orig	2008-08-17 13:03:48.978994352 -0400

+++ libtiff/tif_next.c	2008-08-17 13:03:52.894064968 -0400

@@ -105,11 +105,16 @@

 			 * as codes of the form <color><npixels>

 			 * until we've filled the scanline.

 			 */

+			/*

+			 * Ensure the run does not exceed the scanline

+			 * bounds, potentially resulting in a security issue.

+			 * -- taviso@google.com 14 Jun 2006.

+			 */

 			op = row;

 			for (;;) {

 				grey = (n>>6) & 0x3;

 				n &= 0x3f;

-				while (n-- > 0)

+				while (n-- > 0 && npixels < imagewidth)

 					SETPIXEL(op, grey);

 				if (npixels >= (int) imagewidth)

 					break;

Index: tiff-3.8.2/libtiff/tif_pixarlog.c

CVE-2006-3461

===================================================================

--- libtiff/tif_pixarlog.c.orig	2008-08-17 13:03:48.986994374 -0400

+++ libtiff/tif_pixarlog.c	2008-08-17 13:03:52.894064968 -0400

@@ -768,7 +768,19 @@

 	if (tif->tif_flags & TIFF_SWAB)

 		TIFFSwabArrayOfShort(up, nsamples);

-	for (i = 0; i < nsamples; i += llen, up += llen) {

+	/* 

+	 * if llen is not an exact multiple of nsamples, the decode operation

+	 * may overflow the output buffer, so truncate it enough to prevent that

+	 * but still salvage as much data as possible.

+	 * -- taviso@google.com 14th June 2006

+	 */

+	if (nsamples % llen) 

+		TIFFWarningExt(tif->tif_clientdata, module,

+				"%s: stride %lu is not a multiple of sample count, "

+				"%lu, data truncated.", tif->tif_name, llen, nsamples);

+				

+	

+	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {

 		switch (sp->user_datafmt)  {

 		case PIXARLOGDATAFMT_FLOAT:

 			horizontalAccumulateF(up, llen, sp->stride,

Index: tiff-3.8.2/libtiff/tif_read.c

CVE-2006-3464,3465

===================================================================

--- libtiff/tif_print.c.orig	2008-08-17 13:03:49.113994690 -0400

+++ libtiff/tif_print.c	2008-08-17 13:03:52.201994368 -0400

@@ -491,7 +491,7 @@

 		} else

 			fprintf(fd, "(present)\n");

 	}

-	if (TIFFFieldSet(tif, FIELD_SUBIFD)) {

+	if (TIFFFieldSet(tif, FIELD_SUBIFD) && (td->td_subifd)) {

 		fprintf(fd, "  SubIFD Offsets:");

 		for (i = 0; i < td->td_nsubifd; i++)

 			fprintf(fd, " %5lu", (long) td->td_subifd[i]);

CVE-2006-3464,3465

===================================================================

--- libtiff/tif_read.c.orig	2008-08-17 13:03:48.990994211 -0400

+++ libtiff/tif_read.c	2008-08-17 13:03:52.898026507 -0400

@@ -31,6 +31,8 @@

 #include "tiffiop.h"

 #include <stdio.h>

+#include <limits.h>

+

 	int TIFFFillStrip(TIFF*, tstrip_t);

 	int TIFFFillTile(TIFF*, ttile_t);

 static	int TIFFStartStrip(TIFF*, tstrip_t);

@@ -272,7 +274,13 @@

 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)

 			_TIFFfree(tif->tif_rawdata);

 		tif->tif_flags &= ~TIFF_MYBUFFER;

-		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {

+		/*

+		 * This sanity check could potentially overflow, causing an OOB read.

+		 * verify that offset + bytecount is > offset.

+		 * -- taviso@google.com 14 Jun 2006

+		 */

+		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||

+			bytecount > (UINT_MAX - td->td_stripoffset[strip])) {

 			/*

 			 * This error message might seem strange, but it's

 			 * what would happen if a read were done instead.

@@ -470,7 +478,13 @@

 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)

 			_TIFFfree(tif->tif_rawdata);

 		tif->tif_flags &= ~TIFF_MYBUFFER;

-		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {

+		/*

+		 * We must check this calculation doesnt overflow, potentially

+		 * causing an OOB read.

+		 * -- taviso@google.com 15 Jun 2006

+		 */

+		if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||

+			bytecount > (UINT_MAX - td->td_stripoffset[tile])) {

 			tif->tif_curtile = NOTILE;

 			return (0);

 		}

--- man/TIFFClose.3tiff.orig	2008-08-17 13:03:49.058994404 -0400

+++ man/TIFFClose.3tiff	2008-08-17 13:03:52.522727821 -0400

@@ -40,7 +40,7 @@

 current directory (if modified); and all resources are reclaimed.

 .SH DIAGNOSTICS

 All error messages are directed to the

-.bR TIFFError (3TIFF)

+.BR TIFFError (3TIFF)

 routine.

 Likewise, warning messages are directed to the

 .BR TIFFWarning (3TIFF)

--- man/fax2ps.1.orig	2008-08-17 13:03:49.038994710 -0400

+++ man/fax2ps.1	2008-08-17 13:03:52.510994390 -0400

@@ -27,7 +27,7 @@

 .SH NAME

 fax2ps \- convert a

 .SM TIFF

-facsimile to compressed \*(Ps\(tm

+facsimile to compressed PostScript\(tm

 .SH SYNOPSIS

 .B fax2ps

 [

@@ -40,7 +40,7 @@

 reads one or more

 .SM TIFF

 facsimile image files and prints a compressed form of

-\*(Ps on the standard output that is suitable for printing.

+PostScript on the standard output that is suitable for printing.

 .PP

 By default, each page is scaled to reflect the

 image dimensions and resolutions stored in the file.

@@ -62,26 +62,26 @@

 .PP

 By default

 .I fax2ps

-generates \*(Ps for all pages in the file.

+generates PostScript for all pages in the file.

 The

 .B \-p

 option can be used to select one or more pages from

 a multi-page document.

 .PP

 .I fax2ps

-generates a compressed form of \*(Ps that is

-optimized for sending pages of text to a \*(Ps

+generates a compressed form of PostScript that is

+optimized for sending pages of text to a PostScript

 printer attached to a host through a low-speed link (such

 as a serial line).

 Each output page is filled with white and then only

 the black areas are drawn.

-The \*(Ps specification of the black drawing operations

+The PostScript specification of the black drawing operations

 is optimized by using a special font that encodes the

 move-draw operations required to fill

 the black regions on the page.

 This compression scheme typically results in a substantially

-reduced \*(Ps description, relative to the straightforward

-imaging of the page with a \*(Ps

+reduced PostScript description, relative to the straightforward

+imaging of the page with a PostScript

 .I image

 operator.

 This algorithm can, however, be ineffective

@@ -138,9 +138,9 @@

 attempts to recover from such data errors by resynchronizing

 decoding at the end of the current scanline.

 This can result in long horizontal black lines in the resultant

-\*(Ps image.

+PostScript image.

 .SH NOTES

-If the destination printer supports \*(Ps Level II then

+If the destination printer supports PostScript Level II then

 it is always faster to just send the encoded bitmap generated

 by the

 .BR tiff2ps (1)

@@ -149,7 +149,7 @@

 .I fax2ps

 should probably figure out when it is doing a poor

 job of compressing the output and just generate 

-\*(Ps to image the bitmap raster instead.

+PostScript to image the bitmap raster instead.

 .SH "SEE ALSO"

 .BR tiff2ps (1),

 .BR libtiff (3)

--- man/raw2tiff.1.orig	2008-08-17 13:03:49.042994359 -0400

+++ man/raw2tiff.1	2008-08-17 13:03:52.519034963 -0400

@@ -184,7 +184,7 @@

 in some cases. But for most ordinary images guessing method will work fine.

 .SH "SEE ALSO"

 .BR pal2rgb (1),

-.bR tiffinfo (1),

+.BR tiffinfo (1),

 .BR tiffcp (1),

 .BR tiffmedian (1),

 .BR libtiff (3)

--- man/tiff2pdf.1.orig	2008-08-17 13:03:49.046994376 -0400

+++ man/tiff2pdf.1	2008-08-17 13:03:52.522727821 -0400

@@ -207,18 +207,14 @@

 The following example would generate the file output.pdf from input.tiff.

 .PP

 .RS

-.NF

-tiff2pdf -o output.pdf input.tiff

-.FI

+\f(CWtiff2pdf -o output.pdf input.tiff\fP

 .RE

 .PP

 The following example would generate PDF output from input.tiff and write it 

 to standard output.

 .PP

 .RS

-.NF

-tiff2pdf input.tiff

-.FI

+\f(CWtiff2pdf input.tiff\fP

 .RE

 .PP

 The following example would generate the file output.pdf from input.tiff, 

@@ -227,9 +223,7 @@

 the "Fit Window" option.

 .PP

 .RS

-.NF

-tiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff

-.FI

+\f(CWtiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff\f)

 .RE

 .SH BUGS

 Please report bugs via the web interface at 

--- man/tiff2ps.1.orig	2008-08-17 13:03:49.050994382 -0400

+++ man/tiff2ps.1	2008-08-17 13:03:52.522727821 -0400

@@ -27,7 +27,7 @@

 .SH NAME

 tiff2ps \- convert a

 .SM TIFF

-image to \*(Ps\(tm

+image to PostScript\(tm

 .SH SYNOPSIS

 .B tiff2ps

 [

@@ -38,17 +38,17 @@

 .I tiff2ps

 reads

 .SM TIFF

-images and writes \*(Ps or Encapsulated \*(Ps (EPS)

+images and writes PostScript or Encapsulated PostScript (EPS)

 on the standard output.

 By default,

 .I tiff2ps

-writes Encapsulated \*(Ps for the first image in the specified

+writes Encapsulated PostScript for the first image in the specified

 .SM TIFF

 image file.

 .PP

 By default,

 .I tiff2ps

-will generate \*(Ps that fills a printed area specified

+will generate PostScript that fills a printed area specified

 by the 

 .SM TIFF

 tags in the input file.

@@ -67,22 +67,22 @@

 .SM TIFF

 tags.

 .PP

-The \*(Ps generated for

+The PostScript generated for

 .SM RGB,

 palette, and

 .SM CMYK

 images uses the

 .I colorimage

 operator.

-The \*(Ps generated for

+The PostScript generated for

 greyscale and bilevel images

 uses the

 .I image

 operator.

 When the

 .I colorimage

-operator is used, \*(Ps code to emulate this operator

-on older \*(Ps printers is also generated.

+operator is used, PostScript code to emulate this operator

+on older PostScript printers is also generated.

 Note that this emulation code can be very slow.

 .PP

 Color images with associated alpha data are composited over

@@ -90,13 +90,13 @@

 .SH OPTIONS

 .TP

 .B \-1

-Generate \*(Ps Level 1 (the default).

+Generate PostScript Level 1 (the default).

 .TP

 .B \-2

-Generate \*(Ps Level 2.

+Generate PostScript Level 2.

 .TP

 .B \-3

-Generate \*(Ps Level 3. It basically allows one to use the /flateDecode

+Generate PostScript Level 3. It basically allows one to use the /flateDecode

 filter for ZIP compressed TIFF images.

 .TP

 .B \-a

@@ -119,7 +119,7 @@

 multi-page (e.g. facsimile) file.

 .TP

 .B \-e

-Force the generation of Encapsulated \*(Ps (implies -z).

+Force the generation of Encapsulated PostScript (implies -z).

 .TP

 .B \-h

 Specify the vertical size of the printed area (in inches).

@@ -148,7 +148,7 @@

 .B \-m

 Where possible render using the

 .B imagemask

-\*(Ps operator instead of the image operator.  When this option is specified

+PostScript operator instead of the image operator.  When this option is specified

 .I tiff2ps

 will use

 .B imagemask

@@ -166,7 +166,7 @@

 like which are hidden using the SubIFD tag.

 .TP

 .B \-p

-Force the generation of (non-Encapsulated) \*(Ps.

+Force the generation of (non-Encapsulated) PostScript.

 .TP

 .B \-r

 Rotate image by 180 degrees.

@@ -184,15 +184,15 @@

 Override resolution units specified in the TIFF as inches.

 .TP

 .B \-z

-When generating \*(Ps Level 2, data is scaled so that it does not

+When generating PostScript Level 2, data is scaled so that it does not

 image into the 

 .I deadzone

 on a page (the outer margin that the printing device is unable to mark).

 This option suppresses this behavior.

-When \*(Ps Level 1 is generated, data is imaged to the entire printed

+When PostScript Level 1 is generated, data is imaged to the entire printed

 page and this option has no affect.

 .SH EXAMPLES

-The following generates \*(Ps Level 2 for all pages of a facsimile:

+The following generates PostScript Level 2 for all pages of a facsimile:

 .RS

 .nf

 tiff2ps -a2 fax.tif | lpr

@@ -201,7 +201,7 @@

 Note also that if you have version 2.6.1 or newer of Ghostscript then you

 can efficiently preview facsimile generated with the above command.

 .PP

-To generate Encapsulated \*(Ps for a the image at directory 2

+To generate Encapsulated PostScript for a the image at directory 2

 of an image use:

 .RS

 .nf

@@ -228,8 +228,8 @@

 .B \-L.5

 option says to repeat a half inch on the next page (to improve readability).

 .SH BUGS

-Because \*(Ps does not support the notion of a colormap,

-8-bit palette images produce 24-bit \*(Ps images.

+Because PostScript does not support the notion of a colormap,

+8-bit palette images produce 24-bit PostScript images.

 This conversion results in output that is six times

 bigger than the original image and which takes a long time

 to send to a printer over a serial line.

--- man/tiffcmp.1.orig	2008-08-17 13:03:49.062994301 -0400

+++ man/tiffcmp.1	2008-08-17 13:03:52.522727821 -0400

@@ -77,7 +77,7 @@

 in some exotic cases. 

 .SH "SEE ALSO"

 .BR pal2rgb (1),

-.bR tiffinfo (1),

+.BR tiffinfo (1),

 .BR tiffcp (1),

 .BR tiffmedian (1),

 .BR libtiff (3TIFF)

--- man/tiffsplit.1.orig	2008-08-17 13:03:49.070994233 -0400

+++ man/tiffsplit.1	2008-08-17 13:03:52.522727821 -0400

@@ -50,7 +50,7 @@

 (e.g. 

 .IR xaaa.tif ,

 .IR xaab.tif ,

-\...

+.IR ... ,

 .IR xzzz.tif ).

 If a prefix is not specified on the command line,

 the default prefix of

CVE-2006-2193

===================================================================

--- tools/tiff2pdf.c.orig	2006-06-04 18:26:40.000000000 -0700

+++ tools/tiff2pdf.c	2006-06-04 18:27:22.000000000 -0700

@@ -3668,7 +3668,7 @@

 	written += TIFFWriteFile(output, (tdata_t) "(", 1);

 	for (i=0;i<len;i++){

 		if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){

-			sprintf(buffer, "\\%.3o", pdfstr[i]);

+			snprintf(buffer, "\\%.3o", pdfstr[i]);

 			written += TIFFWriteFile(output, (tdata_t) buffer, 4);

 		} else {

 			switch (pdfstr[i]){

CVE-2006-2656

===================================================================

--- tools/tiffsplit.c.orig	2008-08-17 13:03:49.014994263 -0400

+++ tools/tiffsplit.c	2008-08-17 13:03:52.726994578 -0400

@@ -61,14 +61,13 @@

 		return (-3);

 	}

 	if (argc > 2)

-		strcpy(fname, argv[2]);

+		snprintf(fname, sizeof(fname), "%s", argv[2]);

 	in = TIFFOpen(argv[1], "r");

 	if (in != NULL) {

 		do {

 			char path[1024+1];

 			newfilename();

-			strcpy(path, fname);

-			strcat(path, ".tif");

+			snprintf(path, sizeof(path), "%s.tif", fname);

 			out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");

 			if (out == NULL)

 				return (-2);