Bug 127434 - [PATCH]graphics/tiff: various security fixes
Summary: [PATCH]graphics/tiff: various security fixes
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Dirk Meyer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-17 07:00 UTC by bf
Modified: 2008-09-20 14:44 UTC (History)

See Also:


Attachments
file.diff (41.42 KB, patch)
2008-09-17 07:00 UTC, bf

Description bf 2008-09-17 07:00:06 UTC
Add patches for CVE-2006-2193,2327,2656,3459-3465, and CVE-2008-2327,
some of which were apparently misreported as not affecting 3.8.2.  The
patches are from the Gentoo and Debian repositories, and are copies or
variants of patches originally suggested by Drew Yao and the Google
Security Team, among others.  Some of them, along with some changes from
Red Hat, have been included in tiff 3.9 and 4.0.  Unfortunately tiff 3.9
and 4.0 are not completely compatible with 3.8.* (although there is some
discussion among the tiff developers about changing 3.9 so that it is
backwards-compatible), so we cannot now solve these problems by updating
the port to 3.9 or 4.0 without breaking some dependent ports.  The problems
with tiff should probably be documented in vuxml.  tiff developers have
suggested that there are probably further problems, and that the tiff
format is more susceptible to security problems than some other image
formats owing to its design, so it should be used with caution on
untrusted images.  The developers have said that they do not now have
the resources or the interest in undertaking a comprehensive security
audit of the code, and that it's all Sam Leffler's fault, anyway.  (Okay,
I made up that very last part. ;) )

Fix: Patch attached with submission follows:
Comment 1 Edwin Groothuis freebsd_committer 2008-09-17 07:00:18 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dirk.meyer 2008-09-17 20:27:36 UTC
Please check.
One of your patches introduces a regression.
in tools/tiff2pdf.c:
   snprintf(buffer, "\\%.3o", pdfstr[i]);

is plain wrong; better is:
   snprintf(buffer, sizeof(buffer), "\\%.3o", pdfstr[i]);

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
http://people.freebsd.org/~dinoex/errorlogs/
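Dirk's point above, as an added example (not part of the attached patch set or of libtiff): a bounded octal-escape routine of the kind the quoted tiff2pdf line implements, passing the remaining capacity to snprintf and checking its return value so that an undersized buffer is reported instead of overrun. The function names and the sample bytes are chosen here.

```c
#include <stdio.h>
#include <string.h>

/*
 * Escape each byte of `in` as a PDF octal escape ("\ooo") into `out`
 * (capacity `outsz`). Returns the number of bytes written, excluding the
 * terminator, or -1 if the result would not fit.
 * Added example, not libtiff code: pdf_escape_octal is a name chosen here.
 */
int pdf_escape_octal(const unsigned char *in, size_t inlen,
                     char *out, size_t outsz)
{
    size_t used = 0;
    size_t i;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (i = 0; i < inlen; i++) {
        /*
         * The second argument is the remaining capacity; that is what
         * bounds the write. The reported regression dropped it, so the
         * format string landed in the size_t slot and the byte to print
         * was taken as the format.
         */
        int n = snprintf(out + used, outsz - used, "\\%.3o",
                         (unsigned int) in[i]);
        if (n < 0 || (size_t) n >= outsz - used)
            return -1;          /* truncated: caller must grow the buffer */
        used += (size_t) n;
    }
    return (int) used;
}

/* Constructed sample input "A\n" escaped into a buffer with room to spare. */
const char *escaped_sample(void)
{
    static char buf[16];
    static const unsigned char sample[] = { 'A', '\n' };

    if (pdf_escape_octal(sample, sizeof sample, buf, sizeof buf) < 0)
        return "";
    return buf;                 /* "\101\012" */
}

/*
 * The same input into a buffer that only holds one escape plus the NUL:
 * the bound makes snprintf stop and the routine reports -1 instead of
 * writing past the end. Returns 1 when truncation is reported.
 */
int truncation_is_reported(void)
{
    char small[5];
    static const unsigned char sample[] = { 'A', '\n' };

    return pdf_escape_octal(sample, sizeof sample, small, sizeof small) == -1;
}

int main(void)
{
    printf("%s\n", escaped_sample());
    printf("truncation reported: %d\n", truncation_is_reported());
    return 0;
}
```

The `(size_t) n >= outsz - used` test is the part that matters: snprintf returns the length it wanted to write, so a return value at or beyond the remaining capacity means the output was cut, and the caller learns that rather than silently shipping a truncated or, with the unbounded call, a corrupted buffer.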

- add Security patches
- fix missing macro in manpages
- add regression test
Security: CVE-2006-2193
Security: CVE-2006-2327
Security: CVE-2006-2656
Security: CVE-2006-3459
Security: CVE-2006-3460
Security: CVE-2006-3461
Security: CVE-2006-3462
Security: CVE-2006-3463
Security: CVE-2006-3464
Security: CVE-2006-3465
Security: CVE-2008-2327
Obtained From:	Gentoo,Debian
Submitted by:	<bf2006a@yahoo.com>

Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/graphics/tiff/Makefile,v
retrieving revision 1.65
diff -u -r1.65 Makefile
--- Makefile	21 Aug 2008 06:17:24 -0000	1.65
+++ Makefile	17 Sep 2008 19:25:41 -0000
@@ -9,7 +9,7 @@
 
 PORTNAME=	tiff
 PORTVERSION=	3.8.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://dl1.maptools.org/dl/libtiff/
@@ -126,4 +126,7 @@
 	${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${DOCSDIR}/man/
 .endif
 
+regression-test: build
+	@(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_ARGS} check)
+
 .include <bsd.port.mk>
Index: files/patch-TIFFClose.3tiff
===================================================================
RCS file: files/patch-TIFFClose.3tiff
diff -N files/patch-TIFFClose.3tiff
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-TIFFClose.3tiff	17 Sep 2008 19:25:41 -0000
@@ -0,0 +1,11 @@
+--- man/TIFFClose.3tiff.orig	2008-08-17 13:03:49.058994404 -0400
++++ man/TIFFClose.3tiff	2008-08-17 13:03:52.522727821 -0400
+@@ -40,7 +40,7 @@
+ current directory (if modified); and all resources are reclaimed.
+ .SH DIAGNOSTICS
+ All error messages are directed to the
+-.bR TIFFError (3TIFF)
++.BR TIFFError (3TIFF)
+ routine.
+ Likewise, warning messages are directed to the
+ .BR TIFFWarning (3TIFF)
Index: files/patch-fax2ps.1
===================================================================
RCS file: files/patch-fax2ps.1
diff -N files/patch-fax2ps.1
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-fax2ps.1	17 Sep 2008 19:25:41 -0000
@@ -0,0 +1,74 @@
+--- man/fax2ps.1.orig	2008-08-17 13:03:49.038994710 -0400
++++ man/fax2ps.1	2008-08-17 13:03:52.510994390 -0400
+@@ -27,7 +27,7 @@
+ .SH NAME
+ fax2ps \- convert a
+ .SM TIFF
+-facsimile to compressed \*(Ps\(tm
++facsimile to compressed PostScript\(tm
+ .SH SYNOPSIS
+ .B fax2ps
+ [
+@@ -40,7 +40,7 @@
+ reads one or more
+ .SM TIFF
+ facsimile image files and prints a compressed form of
+-\*(Ps on the standard output that is suitable for printing.
++PostScript on the standard output that is suitable for printing.
+ .PP
+ By default, each page is scaled to reflect the
+ image dimensions and resolutions stored in the file.
+@@ -62,26 +62,26 @@
+ .PP
+ By default
+ .I fax2ps
+-generates \*(Ps for all pages in the file.
++generates PostScript for all pages in the file.
+ The
+ .B \-p
+ option can be used to select one or more pages from
+ a multi-page document.
+ .PP
+ .I fax2ps
+-generates a compressed form of \*(Ps that is
+-optimized for sending pages of text to a \*(Ps
++generates a compressed form of PostScript that is
++optimized for sending pages of text to a PostScript
+ printer attached to a host through a low-speed link (such
+ as a serial line).
+ Each output page is filled with white and then only
+ the black areas are drawn.
+-The \*(Ps specification of the black drawing operations
++The PostScript specification of the black drawing operations
+ is optimized by using a special font that encodes the
+ move-draw operations required to fill
+ the black regions on the page.
+ This compression scheme typically results in a substantially
+-reduced \*(Ps description, relative to the straightforward
+-imaging of the page with a \*(Ps
++reduced PostScript description, relative to the straightforward
++imaging of the page with a PostScript
+ .I image
+ operator.
+ This algorithm can, however, be ineffective
+@@ -138,9 +138,9 @@
+ attempts to recover from such data errors by resynchronizing
+ decoding at the end of the current scanline.
+ This can result in long horizontal black lines in the resultant
+-\*(Ps image.
++PostScript image.
+ .SH NOTES
+-If the destination printer supports \*(Ps Level II then
++If the destination printer supports PostScript Level II then
+ it is always faster to just send the encoded bitmap generated
+ by the
+ .BR tiff2ps (1)
+@@ -149,7 +149,7 @@
+ .I fax2ps
+ should probably figure out when it is doing a poor
+ job of compressing the output and just generate 
+-\*(Ps to image the bitmap raster instead.
++PostScript to image the bitmap raster instead.
+ .SH "SEE ALSO"
+ .BR tiff2ps (1),
+ .BR libtiff (3)
Index: files/patch-raw2tiff.1
===================================================================
RCS file: files/patch-raw2tiff.1
diff -N files/patch-raw2tiff.1
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-raw2tiff.1	17 Sep 2008 19:25:41 -0000
@@ -0,0 +1,11 @@
+--- man/raw2tiff.1.orig	2008-08-17 13:03:49.042994359 -0400
++++ man/raw2tiff.1	2008-08-17 13:03:52.519034963 -0400
+@@ -184,7 +184,7 @@
+ in some cases. But for most ordinary images guessing method will work fine.
+ .SH "SEE ALSO"
+ .BR pal2rgb (1),
+-.bR tiffinfo (1),
++.BR tiffinfo (1),
+ .BR tiffcp (1),
+ .BR tiffmedian (1),
+ .BR libtiff (3)
Index: files/patch-tif_dir.c
===================================================================
RCS file: files/patch-tif_dir.c
diff -N files/patch-tif_dir.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_dir.c	17 Sep 2008 19:25:41 -0000
@@ -0,0 +1,94 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_dir.c.orig	2008-08-17 13:03:48.954994295 -0400
++++ libtiff/tif_dir.c	2008-08-17 13:03:52.881994558 -0400
+@@ -122,6 +122,7 @@
+ {
+ 	static const char module[] = "_TIFFVSetField";
+ 	
++	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+ 	TIFFDirectory* td = &tif->tif_dir;
+ 	int status = 1;
+ 	uint32 v32, i, v;
+@@ -195,10 +196,12 @@
+ 		break;
+ 	case TIFFTAG_ORIENTATION:
+ 		v = va_arg(ap, uint32);
++		const TIFFFieldInfo* fip;
+ 		if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++			fip = _TIFFFieldWithTag(tif, tag);
+ 			TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ 			    "Bad value %lu for \"%s\" tag ignored",
+-			    v, _TIFFFieldWithTag(tif, tag)->field_name);
++			    v, fip ? fip->field_name : "Unknown");
+ 		} else
+ 			td->td_orientation = (uint16) v;
+ 		break;
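Review bot: the `const TIFFFieldInfo* fip;` added inside `case TIFFTAG_ORIENTATION:` shadows the `fip` that the first hunk of this file declares at function scope (already set from `_TIFFFindFieldInfo(tif, tag, TIFF_ANY)`), and it is a declaration placed after the statement `v = va_arg(ap, uint32);` in the middle of a case, which older compilers reject and gcc flags with -Wdeclaration-after-statement. Drop the inner declaration and the `fip = _TIFFFieldWithTag(tif, tag);` line and let the warning use the outer `fip`.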
+@@ -387,11 +390,15 @@
+ 	     * happens, for example, when tiffcp is used to convert between
+ 	     * compression schemes and codec-specific tags are blindly copied.
+              */
++	    /* 
++	     * better not dereference fip if it is NULL.
++	     * -- taviso@google.com 15 Jun 2006
++	     */
+             if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+ 		TIFFErrorExt(tif->tif_clientdata, module,
+ 		    "%s: Invalid %stag \"%s\" (not supported by codec)",
+ 		    tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+-		    _TIFFFieldWithTag(tif, tag)->field_name);
++		    fip ? fip->field_name : "Unknown");
+ 		status = 0;
+ 		break;
+             }
+@@ -468,7 +475,7 @@
+ 	    if (fip->field_type == TIFF_ASCII)
+ 		    _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+ 	    else {
+-                tv->value = _TIFFmalloc(tv_size * tv->count);
++                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
+ 		if (!tv->value) {
+ 		    status = 0;
+ 		    goto end;
+@@ -563,7 +570,7 @@
+           }
+ 	}
+ 	if (status) {
+-		TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++		TIFFSetFieldBit(tif, fip->field_bit);
+ 		tif->tif_flags |= TIFF_DIRTYDIRECT;
+ 	}
+ 
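Review bot: `TIFFSetFieldBit(tif, fip->field_bit);` is the one place in this file where `fip` is used without the `fip ? ... : "Unknown"` guard applied everywhere else. It is reachable only while `status` is still 1, which the `default:` case guarantees through its own `fip == NULL` test, so for the explicit `case` labels it relies on `_TIFFFindFieldInfo` knowing every tag they handle; writing `if (status && fip)`, or a comment stating that invariant, would make the assumption explicit.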
+@@ -572,12 +579,12 @@
+ 	return (status);
+ badvalue:
+ 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+-		  tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++		  tif->tif_name, v, fip ? fip->field_name : "Unknown");
+ 	va_end(ap);
+ 	return (0);
+ badvalue32:
+ 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
+-		   tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++		   tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+ 	va_end(ap);
+ 	return (0);
+ }
+@@ -813,12 +820,16 @@
+              * If the client tries to get a tag that is not valid
+              * for the image's codec then we'll arrive here.
+              */
++	    /*
++	     * dont dereference fip if it's NULL.
++	     * -- taviso@google.com 15 Jun 2006
++	     */
+             if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+             {
+ 				TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
+                           "%s: Invalid %stag \"%s\" (not supported by codec)",
+                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+-                          _TIFFFieldWithTag(tif, tag)->field_name);
++                          fip ? fip->field_name : "Unknown");
+                 ret_val = 0;
+                 break;
+             }
Index: files/patch-tif_dirinfo.c
===================================================================
RCS file: files/patch-tif_dirinfo.c
diff -N files/patch-tif_dirinfo.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_dirinfo.c	17 Sep 2008 19:25:41 -0000
@@ -0,0 +1,24 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_dirinfo.c.orig	2008-08-17 13:03:48.958994316 -0400
++++ libtiff/tif_dirinfo.c	2008-08-17 13:03:52.890034927 -0400
+@@ -775,7 +775,8 @@
+ 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+ 			  "Internal error, unknown tag 0x%x",
+                           (unsigned int) tag);
+-		assert(fip != NULL);
++		/* assert(fip != NULL); */
++
+ 		/*NOTREACHED*/
+ 	}
+ 	return (fip);
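Review bot: with `assert(fip != NULL);` commented out, `_TIFFFieldWithTag` now returns NULL for an unknown tag, so the `/*NOTREACHED*/` annotation that follows is stale and should go, and "Internal error" no longer describes a fatal condition. The behavioural change is that any caller dereferencing the result without a NULL test now crashes instead of asserting; the other patches in this set add `fip ? fip->field_name : "Unknown"` guards in tif_dir.c, tif_dirread.c, tif_fax3.c and tif_jpeg.c, so any caller not covered by them needs the same treatment before this is committed.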
+@@ -789,7 +790,8 @@
+ 	if (!fip) {
+ 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+ 			  "Internal error, unknown tag %s", field_name);
+-		assert(fip != NULL);
++		/* assert(fip != NULL); */
++		
+ 		/*NOTREACHED*/
+ 	}
+ 	return (fip);
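Review bot: same point as for `_TIFFFieldWithTag` above: `_TIFFFieldWithName` now returns NULL and its `/*NOTREACHED*/` comment is stale; remove it, and drop the trailing tabs on the added blank line (`++		`).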
Index: files/patch-tif_dirread.c
===================================================================
RCS file: files/patch-tif_dirread.c
diff -N files/patch-tif_dirread.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_dirread.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,321 @@
+CVE-2006-3459,3463,3464,3465 
+===================================================================
+--- libtiff/tif_dirread.c.orig	2008-08-17 13:03:48.962994506 -0400
++++ libtiff/tif_dirread.c	2008-08-17 13:03:52.890034927 -0400
+@@ -29,6 +29,9 @@
+  *
+  * Directory Read Support Routines.
+  */
++
++#include <limits.h>
++
+ #include "tiffiop.h"
+ 
+ #define	IGNORE	0		/* tag placeholder used below */
+@@ -81,6 +84,7 @@
+ 	uint16 dircount;
+ 	toff_t nextdiroff;
+ 	int diroutoforderwarning = 0;
++	int compressionknown = 0;
+ 	toff_t* new_dirlist;
+ 
+ 	tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +151,20 @@
+ 	} else {
+ 		toff_t off = tif->tif_diroff;
+ 
+-		if (off + sizeof (uint16) > tif->tif_size) {
+-			TIFFErrorExt(tif->tif_clientdata, module,
+-			    "%s: Can not read TIFF directory count",
+-                            tif->tif_name);
+-			return (0);
++		/*
++		 * Check for integer overflow when validating the dir_off, otherwise
++		 * a very high offset may cause an OOB read and crash the client.
++		 * -- taviso@google.com, 14 Jun 2006.
++		 */
++		if (off + sizeof (uint16) > tif->tif_size || 
++			off > (UINT_MAX - sizeof(uint16))) {
++				TIFFErrorExt(tif->tif_clientdata, module,
++				    "%s: Can not read TIFF directory count",
++				    tif->tif_name);
++				return (0);
+ 		} else
+-			_TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
++			_TIFFmemcpy(&dircount, tif->tif_base + off,
++					sizeof (uint16));
+ 		off += sizeof (uint16);
+ 		if (tif->tif_flags & TIFF_SWAB)
+ 			TIFFSwabShort(&dircount);
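Review bot: the overflow guard `off > (UINT_MAX - sizeof(uint16))` is evaluated after `off + sizeof (uint16) > tif->tif_size`, i.e. after the sum it is meant to protect has already been formed. Because `||` still reaches the guard when the wrapped sum looks small, the result is correct for an unsigned `toff_t`, but testing the bound first reads as intended and does not depend on wrap-around behaviour. Note also that `sizeof` promotes the sum to `size_t`, so on LP64 hosts it cannot wrap and the guard matters only on 32-bit builds; expressing the limit in terms of `toff_t` rather than `UINT_MAX` would keep it right if that type is ever widened.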
+@@ -254,6 +265,7 @@
+ 		while (fix < tif->tif_nfields &&
+ 		       tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ 			fix++;
++
+ 		if (fix >= tif->tif_nfields ||
+ 		    tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+ 
+@@ -264,17 +276,23 @@
+ 						       dp->tdir_tag,
+ 						       dp->tdir_tag,
+ 						       dp->tdir_type);
+-
+-                    TIFFMergeFieldInfo(tif,
+-                                       _TIFFCreateAnonFieldInfo(tif,
+-						dp->tdir_tag,
+-						(TIFFDataType) dp->tdir_type),
+-				       1 );
++					/*
++					 * creating anonymous fields prior to knowing the compression
++					 * algorithm (ie, when the field info has been merged) could cause
++					 * crashes with pathological directories.
++					 * -- taviso@google.com 15 Jun 2006
++					 */
++					if (compressionknown)
++			                    TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
++						(TIFFDataType) dp->tdir_type), 1 );
++					else goto ignore;
++		    
+                     fix = 0;
+                     while (fix < tif->tif_nfields &&
+                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ 			fix++;
+ 		}
++		
+ 		/*
+ 		 * Null out old tags that we ignore.
+ 		 */
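Review bot: `else goto ignore;` silently discards every unknown tag encountered before a Compression entry has been processed; `compressionknown` starts at 0 and is only raised when that entry is seen, so a directory with no Compression tag at all (which the format allows, the default being no compression) now loses all of its private tags, where the old code registered them as anonymous fields. Emit a warning on this path, or defer the anonymous-field creation instead of dropping it. The `ignore:` label is outside the visible context, so confirm it exists in this function.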
+@@ -326,6 +344,7 @@
+ 				    dp->tdir_type, dp->tdir_offset);
+ 				if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+ 					goto bad;
++				else compressionknown++;
+ 				break;
+ 			/* XXX: workaround for broken TIFFs */
+ 			} else if (dp->tdir_type == TIFF_LONG) {
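Review bot: `else compressionknown++;` is only reached in the `TIFF_SHORT` branch; the `} else if (dp->tdir_type == TIFF_LONG) {` workaround that follows sets the same Compression tag but never marks it as known, so a file whose Compression entry is stored as LONG still takes the `goto ignore` path from the previous hunk for every unknown tag. Set `compressionknown` once after the whole `TIFFTAG_COMPRESSION` case succeeds rather than inside one branch.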
+@@ -540,6 +559,7 @@
+ 	 * Attempt to deal with a missing StripByteCounts tag.
+ 	 */
+ 	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ 		/*
+ 		 * Some manufacturers violate the spec by not giving
+ 		 * the size of the strips.  In this case, assume there
+@@ -556,7 +576,7 @@
+ 			"%s: TIFF directory is missing required "
+ 			"\"%s\" field, calculating from imagelength",
+ 			tif->tif_name,
+-		        _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++		        fip ? fip->field_name : "Unknown");
+ 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ 		    goto bad;
+ /* 
+@@ -580,6 +600,7 @@
+ 	} else if (td->td_nstrips == 1 
+                    && td->td_stripoffset[0] != 0 
+                    && BYTECOUNTLOOKSBAD) {
++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ 		/*
+ 		 * XXX: Plexus (and others) sometimes give a value of zero for
+ 		 * a tag when they don't know what the correct value is!  Try
+@@ -589,13 +610,14 @@
+ 		TIFFWarningExt(tif->tif_clientdata, module,
+ 	"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+                             tif->tif_name,
+-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++		            fip ? fip->field_name : "Unknown");
+ 		if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+ 		    goto bad;
+ 	} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+ 		   && td->td_nstrips > 2
+ 		   && td->td_compression == COMPRESSION_NONE
+ 		   && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ 		/*
+ 		 * XXX: Some vendors fill StripByteCount array with absolutely
+ 		 * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +626,7 @@
+ 		TIFFWarningExt(tif->tif_clientdata, module,
+ 	"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+                             tif->tif_name,
+-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++		            fip ? fip->field_name : "Unknown");
+ 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ 		    goto bad;
+ 	}
+@@ -870,7 +892,13 @@
+ 
+ 	register TIFFDirEntry *dp;
+ 	register TIFFDirectory *td = &tif->tif_dir;
+-	uint16 i;
++	
++	/* i is used to iterate over td->td_nstrips, so must be
++	 * at least the same width.
++	 * -- taviso@google.com 15 Jun 2006
++	 */
++
++	uint32 i;
+ 
+ 	if (td->td_stripbytecount)
+ 		_TIFFfree(td->td_stripbytecount);
+@@ -947,16 +975,18 @@
+ static int
+ CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
+ {
++	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++
+ 	if (count > dir->tdir_count) {
+ 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
+-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++		    fip ? fip->field_name : "Unknown",
+ 		    dir->tdir_count, count);
+ 		return (0);
+ 	} else if (count < dir->tdir_count) {
+ 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
+-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++		    fip ? fip->field_name : "Unknown",
+ 		    dir->tdir_count, count);
+ 		return (1);
+ 	}
+@@ -970,6 +1000,7 @@
+ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
+ {
+ 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
++	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 	tsize_t cc = dir->tdir_count * w;
+ 
+ 	/* Check for overflow. */
+@@ -1013,7 +1044,7 @@
+ bad:
+ 	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ 		     "Error fetching data for field \"%s\"",
+-		     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++		     fip ? fip->field_name : "Unknown");
+ 	return (tsize_t) 0;
+ }
+ 
+@@ -1039,10 +1070,12 @@
+ static int
+ cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
+ {
++	const TIFFFieldInfo* fip;
+ 	if (denom == 0) {
++		fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ 		    "%s: Rational with zero denominator (num = %lu)",
+-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
++		    fip ? fip->field_name : "Unknown", num);
+ 		return (0);
+ 	} else {
+ 		if (dir->tdir_type == TIFF_RATIONAL)
+@@ -1159,6 +1192,20 @@
+ static int
+ TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
+ {
++	/*
++	 * Prevent overflowing the v stack arrays below by performing a sanity
++	 * check on tdir_count, this should never be greater than two.
++	 * -- taviso@google.com 14 Jun 2006.
++	 */
++	if (dir->tdir_count > 2) {
++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
++				"unexpected count for field \"%s\", %lu, expected 2; ignored.",
++				fip ? fip->field_name : "Unknown",
++				dir->tdir_count);
++		return 0;
++	}
++
+ 	switch (dir->tdir_type) {
+ 		case TIFF_BYTE:
+ 		case TIFF_SBYTE:
+@@ -1329,14 +1376,15 @@
+ 	case TIFF_DOUBLE:
+ 		return (TIFFFetchDoubleArray(tif, dir, (double*) v));
+ 	default:
++		{ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 		/* TIFF_NOTYPE */
+ 		/* TIFF_ASCII */
+ 		/* TIFF_UNDEFINED */
+ 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ 			     "cannot read TIFF_ANY type %d for field \"%s\"",
+ 			     dir->tdir_type,
+-			     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+-		return (0);
++			     fip ? fip->field_name : "Unknown");
++		return (0); }
+ 	}
+ 	return (1);
+ }
+@@ -1351,6 +1399,9 @@
+ 	int ok = 0;
+ 	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ 
++	if (fip == NULL) {
++		return (0);
++	}
+ 	if (dp->tdir_count > 1) {		/* array of values */
+ 		char* cp = NULL;
+ 
+@@ -1493,6 +1544,7 @@
+ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1510,9 +1562,10 @@
+ 
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+@@ -1534,6 +1587,7 @@
+ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1551,9 +1605,10 @@
+                 check_count = samples;
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+@@ -1574,6 +1629,7 @@
+ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1591,9 +1647,10 @@
+ 
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+                     TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
Index: files/patch-tif_fax3.c
===================================================================
RCS file: files/patch-tif_fax3.c
diff -N files/patch-tif_fax3.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_fax3.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,27 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_fax3.c.orig	2008-08-17 13:03:48.970994629 -0400
++++ libtiff/tif_fax3.c	2008-08-17 13:03:52.890034927 -0400
+@@ -1136,6 +1136,7 @@
+ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
+ {
+ 	Fax3BaseState* sp = Fax3State(tif);
++	const TIFFFieldInfo* fip;
+ 
+ 	assert(sp != 0);
+ 	assert(sp->vsetparent != 0);
+@@ -1181,7 +1182,13 @@
+ 	default:
+ 		return (*sp->vsetparent)(tif, tag, ap);
+ 	}
+-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++	
++	if ((fip = _TIFFFieldWithTag(tif, tag))) {
++		TIFFSetFieldBit(tif, fip->field_bit);
++	} else {
++		return (0);
++	}
++
+ 	tif->tif_flags |= TIFF_DIRTYDIRECT;
+ 	return (1);
+ }
Index: files/patch-tif_jpeg.c
===================================================================
RCS file: files/patch-tif_jpeg.c
diff -N files/patch-tif_jpeg.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_jpeg.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,121 @@
+CVE-2006-3460,3464,3465
+===================================================================
+--- libtiff/tif_jpeg.c.orig	2008-08-17 13:03:48.974994391 -0400
++++ libtiff/tif_jpeg.c	2008-08-17 13:03:52.894064968 -0400
+@@ -722,15 +722,31 @@
+ 		segment_width = TIFFhowmany(segment_width, sp->h_sampling);
+ 		segment_height = TIFFhowmany(segment_height, sp->v_sampling);
+ 	}
+-	if (sp->cinfo.d.image_width != segment_width ||
+-	    sp->cinfo.d.image_height != segment_height) {
++	if (sp->cinfo.d.image_width < segment_width ||
++	    sp->cinfo.d.image_height < segment_height) {
+ 		TIFFWarningExt(tif->tif_clientdata, module,
+                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
+                           segment_width, 
+                           segment_height,
+                           sp->cinfo.d.image_width, 
+                           sp->cinfo.d.image_height);
++	} 
++	
++	if (sp->cinfo.d.image_width > segment_width ||
++			sp->cinfo.d.image_height > segment_height) {
++		/*
++		 * This case could be dangerous, if the strip or tile size has been
++		 * reported as less than the amount of data jpeg will return, some
++		 * potential security issues arise. Catch this case and error out.
++		 * -- taviso@google.com 14 Jun 2006
++		 */
++		TIFFErrorExt(tif->tif_clientdata, module, 
++			"JPEG strip/tile size exceeds expected dimensions,"
++			"expected %dx%d, got %dx%d", segment_width, segment_height,
++			sp->cinfo.d.image_width, sp->cinfo.d.image_height);
++		return (0);
+ 	}
++
+ 	if (sp->cinfo.d.num_components !=
+ 	    (td->td_planarconfig == PLANARCONFIG_CONTIG ?
+ 	     td->td_samplesperpixel : 1)) {
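Review bot: the new error string is missing a space between its two literals: `"JPEG strip/tile size exceeds expected dimensions,"` followed by `"expected %dx%d, got %dx%d"` prints `dimensions,expected`. Also, with the first test relaxed from `!=` to `<` and the `>` test added as a separate `if`, a segment that is smaller in one dimension and larger in the other emits both the warning and the error; making the warning an `else if` of the error keeps one diagnostic per failure.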
+@@ -761,6 +777,22 @@
+                                     sp->cinfo.d.comp_info[0].v_samp_factor,
+                                     sp->h_sampling, sp->v_sampling);
+ 
++				/*
++				 * There are potential security issues here for decoders that
++				 * have already allocated buffers based on the expected sampling
++				 * factors. Lets check the sampling factors dont exceed what
++				 * we were expecting.
++				 * -- taviso@google.com 14 June 2006
++				 */
++				if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
++					sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
++						TIFFErrorExt(tif->tif_clientdata, module,
++							"Cannot honour JPEG sampling factors that"
++							" exceed those specified.");
++						return (0);
++				}
++
++
+ 			    /*
+ 			     * XXX: Files written by the Intergraph software
+ 			     * has different sampling factors stored in the
+@@ -1521,15 +1553,18 @@
+ {
+ 	JPEGState *sp = JState(tif);
+ 	
+-	assert(sp != 0);
++	/* assert(sp != 0); */
+ 
+ 	tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ 	tif->tif_tagmethods.vsetfield = sp->vsetparent;
+ 
+-	if( sp->cinfo_initialized )
+-	    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
+-	if (sp->jpegtables)		/* tag value */
+-		_TIFFfree(sp->jpegtables);
++	if (sp != NULL) {
++		if( sp->cinfo_initialized )
++		    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
++		if (sp->jpegtables)		/* tag value */
++			_TIFFfree(sp->jpegtables);
++	}
++
+ 	_TIFFfree(tif->tif_data);	/* release local state */
+ 	tif->tif_data = NULL;
+ 
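Review bot: the NULL guard `if (sp != NULL)` comes too late. The two unchanged lines above it, `tif->tif_tagmethods.vgetfield = sp->vgetparent;` and `tif->tif_tagmethods.vsetfield = sp->vsetparent;`, already dereference `sp`, so a NULL state still crashes exactly where the removed `assert(sp != 0)` used to fire, only without the diagnostic. Move those two assignments inside the guarded block (the parent methods they restore only exist when `sp` does), leaving just the `_TIFFfree(tif->tif_data)` path outside it.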
+@@ -1541,6 +1576,7 @@
+ {
+ 	JPEGState* sp = JState(tif);
+ 	TIFFDirectory* td = &tif->tif_dir;
++	const TIFFFieldInfo* fip;
+ 	uint32 v32;
+ 
+ 	assert(sp != NULL);
+@@ -1606,7 +1642,13 @@
+ 	default:
+ 		return (*sp->vsetparent)(tif, tag, ap);
+ 	}
+-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++	if ((fip = _TIFFFieldWithTag(tif, tag))) {
++		TIFFSetFieldBit(tif, fip->field_bit);
++	} else {
++		return (0);
++	}
++
+ 	tif->tif_flags |= TIFF_DIRTYDIRECT;
+ 	return (1);
+ }
+@@ -1726,7 +1768,11 @@
+ {
+ 	JPEGState* sp = JState(tif);
+ 
+-	assert(sp != NULL);
++	/* assert(sp != NULL); */
++	if (sp == NULL) {
++		TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
++		return;
++	}
+ 
+ 	(void) flags;
+ 	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
Index: files/patch-tif_lzw.c
===================================================================
RCS file: files/patch-tif_lzw.c
diff -N files/patch-tif_lzw.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_lzw.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,60 @@
+CVE-2008-2327
+===================================================================
+--- libtiff/tif_lzw.c.orig	2008-08-17 13:03:49.090994393 -0400
++++ libtiff/tif_lzw.c	2008-08-17 13:03:52.354994400 -0400
+@@ -237,6 +237,13 @@
+                     sp->dec_codetab[code].length = 1;
+                     sp->dec_codetab[code].next = NULL;
+                 } while (code--);
++                /*
++                 * Zero-out the unused entries
++                 */
++                 _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++                 (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
++
+ 	}
+ 	return (1);
+ }
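Review bot: style only: the two `_TIFFmemset` lines are indented one column off the surrounding code and are followed by two blank lines before the closing brace; reformat them to match the block they sit in. The zeroing itself is the intended part of the CVE-2008-2327 fix, as the comment above it says, so the content is fine.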
+@@ -408,12 +415,20 @@
+ 			break;
+ 		if (code == CODE_CLEAR) {
+ 			free_entp = sp->dec_codetab + CODE_FIRST;
++			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ 			nbits = BITS_MIN;
+ 			nbitsmask = MAXCODE(BITS_MIN);
+ 			maxcodep = sp->dec_codetab + nbitsmask-1;
+ 			NextCode(tif, sp, bp, code, GetNextCode);
+ 			if (code == CODE_EOI)
+ 				break;
++			 if (code == CODE_CLEAR) {
++				 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++				 "LZWDecode: Corrupted LZW table at scanline %d",
++				 tif->tif_row);
++				 return (0);
++			 }
++
+ 			*op++ = (char)code, occ--;
+ 			oldcodep = sp->dec_codetab + code;
+ 			continue;
+@@ -604,12 +619,20 @@
+ 			break;
+ 		if (code == CODE_CLEAR) {
+ 			free_entp = sp->dec_codetab + CODE_FIRST;
++			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ 			nbits = BITS_MIN;
+ 			nbitsmask = MAXCODE(BITS_MIN);
+ 			maxcodep = sp->dec_codetab + nbitsmask;
+ 			NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ 			if (code == CODE_EOI)
+ 				break;
++			 if (code == CODE_CLEAR) {
++				 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++				 "LZWDecode: Corrupted LZW table at scanline %d",
++				 tif->tif_row);
++				 return (0);
++			 }
++
+ 			*op++ = code, occ--;
+ 			oldcodep = sp->dec_codetab + code;
+ 			continue;
Index: files/patch-tif_next.c
===================================================================
RCS file: files/patch-tif_next.c
diff -N files/patch-tif_next.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_next.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,22 @@
+CVE-2006-3462
+===================================================================
+--- libtiff/tif_next.c.orig	2008-08-17 13:03:48.978994352 -0400
++++ libtiff/tif_next.c	2008-08-17 13:03:52.894064968 -0400
+@@ -105,11 +105,16 @@
+ 			 * as codes of the form <color><npixels>
+ 			 * until we've filled the scanline.
+ 			 */
++			/*
++			 * Ensure the run does not exceed the scanline
++			 * bounds, potentially resulting in a security issue.
++			 * -- taviso@google.com 14 Jun 2006.
++			 */
+ 			op = row;
+ 			for (;;) {
+ 				grey = (n>>6) & 0x3;
+ 				n &= 0x3f;
+-				while (n-- > 0)
++				while (n-- > 0 && npixels < imagewidth)
+ 					SETPIXEL(op, grey);
+ 				if (npixels >= (int) imagewidth)
+ 					break;
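Review bot: the added loop condition compares `npixels` with `imagewidth` without the `(int)` cast that the existing `if (npixels >= (int) imagewidth)` two lines below uses, so one comparison is signed/unsigned mixed and the other is not; use the same form in both (or make `npixels` unsigned) so that a compiler warning does not hide the difference. The bound is otherwise the right fix for the run overflow: once `npixels` reaches `imagewidth` the rest of the run count is discarded instead of being written past the scanline.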
Index: files/patch-tif_pixarlog.c
===================================================================
RCS file: files/patch-tif_pixarlog.c
diff -N files/patch-tif_pixarlog.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_pixarlog.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,25 @@
+CVE-2006-3461
+===================================================================
+--- libtiff/tif_pixarlog.c.orig	2008-08-17 13:03:48.986994374 -0400
++++ libtiff/tif_pixarlog.c	2008-08-17 13:03:52.894064968 -0400
+@@ -768,7 +768,19 @@
+ 	if (tif->tif_flags & TIFF_SWAB)
+ 		TIFFSwabArrayOfShort(up, nsamples);
+ 
+-	for (i = 0; i < nsamples; i += llen, up += llen) {
++	/* 
++	 * if llen is not an exact multiple of nsamples, the decode operation
++	 * may overflow the output buffer, so truncate it enough to prevent that
++	 * but still salvage as much data as possible.
++	 * -- taviso@google.com 14th June 2006
++	 */
++	if (nsamples % llen) 
++		TIFFWarningExt(tif->tif_clientdata, module,
++				"%s: stride %lu is not a multiple of sample count, "
++				"%lu, data truncated.", tif->tif_name, llen, nsamples);
++				
++	
++	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+ 		switch (sp->user_datafmt)  {
+ 		case PIXARLOGDATAFMT_FLOAT:
+ 			horizontalAccumulateF(up, llen, sp->stride,
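Review bot: the comment states the relation backwards. The expression tested is `nsamples % llen`, i.e. whether nsamples is a whole number of llen-sized lines, not whether "llen is not an exact multiple of nsamples"; the warning text has it right. Two further points on the warning: `llen` and `nsamples` are passed to `%lu`, so unless both are `unsigned long` in this function they need casts, since a mismatched varargs type is undefined behaviour and prints garbage on LP64; and `nsamples % llen` divides by `llen`, so if a zero stride or width can reach this point it needs a guard before the modulo.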
Index: files/patch-tif_print.c
===================================================================
RCS file: files/patch-tif_print.c
diff -N files/patch-tif_print.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_print.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,13 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_print.c.orig	2008-08-17 13:03:49.113994690 -0400
++++ libtiff/tif_print.c	2008-08-17 13:03:52.201994368 -0400
+@@ -491,7 +491,7 @@
+ 		} else
+ 			fprintf(fd, "(present)\n");
+ 	}
+-	if (TIFFFieldSet(tif, FIELD_SUBIFD)) {
++	if (TIFFFieldSet(tif, FIELD_SUBIFD) && (td->td_subifd)) {
+ 		fprintf(fd, "  SubIFD Offsets:");
+ 		for (i = 0; i < td->td_nsubifd; i++)
+ 			fprintf(fd, " %5lu", (long) td->td_subifd[i]);
Index: files/patch-tif_read.c
===================================================================
RCS file: files/patch-tif_read.c
diff -N files/patch-tif_read.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tif_read.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,43 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_read.c.orig	2008-08-17 13:03:48.990994211 -0400
++++ libtiff/tif_read.c	2008-08-17 13:03:52.898026507 -0400
+@@ -31,6 +31,8 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+ 
++#include <limits.h>
++
+ 	int TIFFFillStrip(TIFF*, tstrip_t);
+ 	int TIFFFillTile(TIFF*, ttile_t);
+ static	int TIFFStartStrip(TIFF*, tstrip_t);
+@@ -272,7 +274,13 @@
+ 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ 			_TIFFfree(tif->tif_rawdata);
+ 		tif->tif_flags &= ~TIFF_MYBUFFER;
+-		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++		/*
++		 * This sanity check could potentially overflow, causing an OOB read.
++		 * verify that offset + bytecount is > offset.
++		 * -- taviso@google.com 14 Jun 2006
++		 */
++		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++			bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
+ 			/*
+ 			 * This error message might seem strange, but it's
+ 			 * what would happen if a read were done instead.
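Review bot: the wrap check is the second operand of the `||`, so the expression that can wrap, `td->td_stripoffset[strip] + bytecount`, is still evaluated first. That is harmless here because it is only a comparison, but putting `bytecount > (UINT_MAX - td->td_stripoffset[strip])` first makes the intent obvious and avoids relying on the wrapped sum being benign. The same applies to the tile hunk below. Note also that UINT_MAX is the right bound only while the strip offsets and `tif_size` are 32-bit unsigned values.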
+@@ -470,7 +478,13 @@
+ 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ 			_TIFFfree(tif->tif_rawdata);
+ 		tif->tif_flags &= ~TIFF_MYBUFFER;
+-		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++		/*
++		 * We must check this calculation doesnt overflow, potentially
++		 * causing an OOB read.
++		 * -- taviso@google.com 15 Jun 2006
++		 */
++		if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++			bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
+ 			tif->tif_curtile = NOTILE;
+ 			return (0);
+ 		}
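Review bot: unlike the strip path above, which is followed by an error message (see the comment "This error message might seem strange"), this branch just sets `tif->tif_curtile = NOTILE` and returns 0, so a tile whose offset plus bytecount wraps fails silently. A TIFFErrorExt here, matching the strip case, would make a malformed file diagnosable. Same ordering nit as above: evaluate the wrap check before the sum.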
Index: files/patch-tiff2pdf.1
===================================================================
RCS file: files/patch-tiff2pdf.1
diff -N files/patch-tiff2pdf.1
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tiff2pdf.1	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,34 @@
+--- man/tiff2pdf.1.orig	2008-08-17 13:03:49.046994376 -0400
++++ man/tiff2pdf.1	2008-08-17 13:03:52.522727821 -0400
+@@ -207,18 +207,14 @@
+ The following example would generate the file output.pdf from input.tiff.
+ .PP
+ .RS
+-.NF
+-tiff2pdf -o output.pdf input.tiff
+-.FI
++\f(CWtiff2pdf -o output.pdf input.tiff\fP
+ .RE
+ .PP
+ The following example would generate PDF output from input.tiff and write it 
+ to standard output.
+ .PP
+ .RS
+-.NF
+-tiff2pdf input.tiff
+-.FI
++\f(CWtiff2pdf input.tiff\fP
+ .RE
+ .PP
+ The following example would generate the file output.pdf from input.tiff, 
+@@ -227,9 +223,7 @@
+ the "Fit Window" option.
+ .PP
+ .RS
+-.NF
+-tiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff
+-.FI
++\f(CWtiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff\f)
+ .RE
+ .SH BUGS
+ Please report bugs via the web interface at 
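Review bot: the last replacement line ends in `\f)` instead of `\fP`. `\f)` is not a valid troff font escape, so this example will render incorrectly; the other two replacements in this file correctly close with `\fP`. Fix the typo before committing.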
Index: files/patch-tiff2pdf.c
===================================================================
RCS file: files/patch-tiff2pdf.c
diff -N files/patch-tiff2pdf.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tiff2pdf.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,13 @@
+CVE-2006-2193
+===================================================================
+--- tools/tiff2pdf.c.orig	2006-06-04 18:26:40.000000000 -0700
++++ tools/tiff2pdf.c	2006-06-04 18:27:22.000000000 -0700
+@@ -3668,7 +3668,7 @@
+ 	written += TIFFWriteFile(output, (tdata_t) "(", 1);
+ 	for (i=0;i<len;i++){
+ 		if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
+-			sprintf(buffer, "\\%.3o", pdfstr[i]);
++			snprintf(buffer, sizeof(buffer), "\\%.3o", pdfstr[i]);
+ 			written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+ 		} else {
+ 			switch (pdfstr[i]){
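Review bot: the snprintf bound stops the overflow, but the value being formatted is still wrong for exactly the bytes the `(pdfstr[i]&0x80)` test on the line above selects. If `pdfstr` is plain `char`, such a byte promotes to a negative int and `%.3o` formats it as an 11-digit octal string; snprintf now truncates that to fit `buffer` instead of overflowing it, and the following `TIFFWriteFile(output, (tdata_t) buffer, 4)` then writes a wrong escape into the PDF. Format `(unsigned char) pdfstr[i]` (or `pdfstr[i] & 0xff`) so the output is the intended three octal digits. The `sizeof(buffer)` argument also only works if `buffer` is an array rather than a pointer; worth confirming its declaration.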
Index: files/patch-tiff2ps.1
===================================================================
RCS file: files/patch-tiff2ps.1
diff -N files/patch-tiff2ps.1
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tiff2ps.1	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,142 @@
+--- man/tiff2ps.1.orig	2008-08-17 13:03:49.050994382 -0400
++++ man/tiff2ps.1	2008-08-17 13:03:52.522727821 -0400
+@@ -27,7 +27,7 @@
+ .SH NAME
+ tiff2ps \- convert a
+ .SM TIFF
+-image to \*(Ps\(tm
++image to PostScript\(tm
+ .SH SYNOPSIS
+ .B tiff2ps
+ [
+@@ -38,17 +38,17 @@
+ .I tiff2ps
+ reads
+ .SM TIFF
+-images and writes \*(Ps or Encapsulated \*(Ps (EPS)
++images and writes PostScript or Encapsulated PostScript (EPS)
+ on the standard output.
+ By default,
+ .I tiff2ps
+-writes Encapsulated \*(Ps for the first image in the specified
++writes Encapsulated PostScript for the first image in the specified
+ .SM TIFF
+ image file.
+ .PP
+ By default,
+ .I tiff2ps
+-will generate \*(Ps that fills a printed area specified
++will generate PostScript that fills a printed area specified
+ by the 
+ .SM TIFF
+ tags in the input file.
+@@ -67,22 +67,22 @@
+ .SM TIFF
+ tags.
+ .PP
+-The \*(Ps generated for
++The PostScript generated for
+ .SM RGB,
+ palette, and
+ .SM CMYK
+ images uses the
+ .I colorimage
+ operator.
+-The \*(Ps generated for
++The PostScript generated for
+ greyscale and bilevel images
+ uses the
+ .I image
+ operator.
+ When the
+ .I colorimage
+-operator is used, \*(Ps code to emulate this operator
+-on older \*(Ps printers is also generated.
++operator is used, PostScript code to emulate this operator
++on older PostScript printers is also generated.
+ Note that this emulation code can be very slow.
+ .PP
+ Color images with associated alpha data are composited over
+@@ -90,13 +90,13 @@
+ .SH OPTIONS
+ .TP
+ .B \-1
+-Generate \*(Ps Level 1 (the default).
++Generate PostScript Level 1 (the default).
+ .TP
+ .B \-2
+-Generate \*(Ps Level 2.
++Generate PostScript Level 2.
+ .TP
+ .B \-3
+-Generate \*(Ps Level 3. It basically allows one to use the /flateDecode
++Generate PostScript Level 3. It basically allows one to use the /flateDecode
+ filter for ZIP compressed TIFF images.
+ .TP
+ .B \-a
+@@ -119,7 +119,7 @@
+ multi-page (e.g. facsimile) file.
+ .TP
+ .B \-e
+-Force the generation of Encapsulated \*(Ps (implies -z).
++Force the generation of Encapsulated PostScript (implies -z).
+ .TP
+ .B \-h
+ Specify the vertical size of the printed area (in inches).
+@@ -148,7 +148,7 @@
+ .B \-m
+ Where possible render using the
+ .B imagemask
+-\*(Ps operator instead of the image operator.  When this option is specified
++PostScript operator instead of the image operator.  When this option is specified
+ .I tiff2ps
+ will use
+ .B imagemask
+@@ -166,7 +166,7 @@
+ like which are hidden using the SubIFD tag.
+ .TP
+ .B \-p
+-Force the generation of (non-Encapsulated) \*(Ps.
++Force the generation of (non-Encapsulated) PostScript.
+ .TP
+ .B \-r
+ Rotate image by 180 degrees.
+@@ -184,15 +184,15 @@
+ Override resolution units specified in the TIFF as inches.
+ .TP
+ .B \-z
+-When generating \*(Ps Level 2, data is scaled so that it does not
++When generating PostScript Level 2, data is scaled so that it does not
+ image into the 
+ .I deadzone
+ on a page (the outer margin that the printing device is unable to mark).
+ This option suppresses this behavior.
+-When \*(Ps Level 1 is generated, data is imaged to the entire printed
++When PostScript Level 1 is generated, data is imaged to the entire printed
+ page and this option has no affect.
+ .SH EXAMPLES
+-The following generates \*(Ps Level 2 for all pages of a facsimile:
++The following generates PostScript Level 2 for all pages of a facsimile:
+ .RS
+ .nf
+ tiff2ps -a2 fax.tif | lpr
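Review bot: the context line "this option has no affect" in this hunk should read "has no effect". It is pre-existing, but since the surrounding paragraph is being rewritten anyway it is trivial to fold into the same hunk.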
+@@ -201,7 +201,7 @@
+ Note also that if you have version 2.6.1 or newer of Ghostscript then you
+ can efficiently preview facsimile generated with the above command.
+ .PP
+-To generate Encapsulated \*(Ps for a the image at directory 2
++To generate Encapsulated PostScript for a the image at directory 2
+ of an image use:
+ .RS
+ .nf
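Review bot: the line this hunk rewrites still carries the pre-existing "for a the image at directory 2"; drop the stray "a" while the line is being replaced.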
+@@ -228,8 +228,8 @@
+ .B \-L.5
+ option says to repeat a half inch on the next page (to improve readability).
+ .SH BUGS
+-Because \*(Ps does not support the notion of a colormap,
+-8-bit palette images produce 24-bit \*(Ps images.
++Because PostScript does not support the notion of a colormap,
++8-bit palette images produce 24-bit PostScript images.
+ This conversion results in output that is six times
+ bigger than the original image and which takes a long time
+ to send to a printer over a serial line.
Index: files/patch-tiffcmp.1
===================================================================
RCS file: files/patch-tiffcmp.1
diff -N files/patch-tiffcmp.1
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tiffcmp.1	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,11 @@
+--- man/tiffcmp.1.orig	2008-08-17 13:03:49.062994301 -0400
++++ man/tiffcmp.1	2008-08-17 13:03:52.522727821 -0400
+@@ -77,7 +77,7 @@
+ in some exotic cases. 
+ .SH "SEE ALSO"
+ .BR pal2rgb (1),
+-.bR tiffinfo (1),
++.BR tiffinfo (1),
+ .BR tiffcp (1),
+ .BR tiffmedian (1),
+ .BR libtiff (3TIFF)
Index: files/patch-tiffsplit.1
===================================================================
RCS file: files/patch-tiffsplit.1
diff -N files/patch-tiffsplit.1
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tiffsplit.1	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,11 @@
+--- man/tiffsplit.1.orig	2008-08-17 13:03:49.070994233 -0400
++++ man/tiffsplit.1	2008-08-17 13:03:52.522727821 -0400
+@@ -50,7 +50,7 @@
+ (e.g. 
+ .IR xaaa.tif ,
+ .IR xaab.tif ,
+-\...
++.IR ... ,
+ .IR xzzz.tif ).
+ If a prefix is not specified on the command line,
+ the default prefix of
Index: files/patch-tiffsplit.c
===================================================================
RCS file: files/patch-tiffsplit.c
diff -N files/patch-tiffsplit.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-tiffsplit.c	17 Sep 2008 19:25:42 -0000
@@ -0,0 +1,21 @@
+CVE-2006-2656
+===================================================================
+--- tools/tiffsplit.c.orig	2008-08-17 13:03:49.014994263 -0400
++++ tools/tiffsplit.c	2008-08-17 13:03:52.726994578 -0400
+@@ -61,14 +61,13 @@
+ 		return (-3);
+ 	}
+ 	if (argc > 2)
+-		strcpy(fname, argv[2]);
++		snprintf(fname, sizeof(fname), "%s", argv[2]);
+ 	in = TIFFOpen(argv[1], "r");
+ 	if (in != NULL) {
+ 		do {
+ 			char path[1024+1];
+ 			newfilename();
+-			strcpy(path, fname);
+-			strcat(path, ".tif");
++			snprintf(path, sizeof(path), "%s.tif", fname);
+ 			out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+ 			if (out == NULL)
+ 				return (-2);
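Review bot: both snprintf calls truncate silently. `path` is `char path[1024+1]`, so if `fname` is close to 1024 bytes the `"%s.tif"` result no longer fits and the output file is written under a name with its `.tif` suffix cut off. Check the snprintf return value against `sizeof(path)` (and against `sizeof(fname)` for the argv[2] copy) and exit with an error instead of carrying on with a truncated name; that keeps the CVE-2006-2656 fix while making the failure visible to the user.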
Comment 3 bf 2008-09-18 04:47:41 UTC
I did not check the entire patch in your message to see if you had made any additional changes from my original patch, but it seems to me that you are right concerning the snprintf arguments: that I should have included a maximum size argument before the format string, and that your suggested argument is appropriate.  I took this patch straight from Gentoo, and just gave it a cursory examination, and overlooked that omission -- I apologize for that mistake.  I've contacted the Gentoo tiff maintainer to ask him about changing the original patch. 

        Regards,
                    b.


--- On Wed, 9/17/08, Dirk Meyer <dirk.meyer@dinoex.sub.org> wrote:

> From: Dirk Meyer <dirk.meyer@dinoex.sub.org>
> Subject: Re: ports/127434: [PATCH]graphics/tiff: various security fixes
> To: bug-followup@FreeBSD.org, bf2006a@yahoo.com
> Date: Wednesday, September 17, 2008, 3:27 PM
> Please check.
> One of your patches introduces a regression.
> in tools/tiff2pdf.c:
>    snprintf(buffer, "\\%.3o", pdfstr[i]);
> 
> is plain wrong; better is:
>    snprintf(buffer, sizeof(buffer),
> "\\%.3o", pdfstr[i]);
> 
> kind regards Dirk
> 
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
> -
> [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
> http://people.freebsd.org/~dinoex/errorlogs/
> 
> - add Security patches
> - fix missing macro in manpages
> - add regression test
> Security: CVE-2006-2193
> Security: CVE-2006-2327
> Security: CVE-2006-2656
> Security: CVE-2006-3459
> Security: CVE-2006-3460
> Security: CVE-2006-3461
> Security: CVE-2006-3462
> Security: CVE-2006-3463
> Security: CVE-2006-3464
> Security: CVE-2006-3465
> Security: CVE-2008-2327
> Obtained From:	Gentoo,Debian
> Submitted by:	<bf2006a@yahoo.com>
> 
> Index: Makefile
> ===================================================================
> RCS file: /home/pcvs/ports/graphics/tiff/Makefile,v
> retrieving revision 1.65
> diff -u -r1.65 Makefile
> --- Makefile	21 Aug 2008 06:17:24 -0000	1.65
> +++ Makefile	17 Sep 2008 19:25:41 -0000
> @@ -9,7 +9,7 @@
>  
>  PORTNAME=	tiff
>  PORTVERSION=	3.8.2
> -PORTREVISION=	1
> +PORTREVISION=	2
>  CATEGORIES=	graphics
>  MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/
> \
>  		http://dl1.maptools.org/dl/libtiff/
> @@ -126,4 +126,7 @@
>  	${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${DOCSDIR}/man/
>  .endif
>  
> +regression-test: build
> +	@(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE}
> ${MAKE_ARGS} check)
> +
>  .include <bsd.port.mk>
> Index: files/patch-TIFFClose.3tiff
> ===================================================================
> RCS file: files/patch-TIFFClose.3tiff
> diff -N files/patch-TIFFClose.3tiff
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-TIFFClose.3tiff	17 Sep 2008 19:25:41 -0000
> @@ -0,0 +1,11 @@
> +--- man/TIFFClose.3tiff.orig	2008-08-17 13:03:49.058994404
> -0400
> ++++ man/TIFFClose.3tiff	2008-08-17 13:03:52.522727821
> -0400
> +@@ -40,7 +40,7 @@
> + current directory (if modified); and all resources are
> reclaimed.
> + .SH DIAGNOSTICS
> + All error messages are directed to the
> +-.bR TIFFError (3TIFF)
> ++.BR TIFFError (3TIFF)
> + routine.
> + Likewise, warning messages are directed to the
> + .BR TIFFWarning (3TIFF)
> Index: files/patch-fax2ps.1
> ===================================================================
> RCS file: files/patch-fax2ps.1
> diff -N files/patch-fax2ps.1
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-fax2ps.1	17 Sep 2008 19:25:41 -0000
> @@ -0,0 +1,74 @@
> +--- man/fax2ps.1.orig	2008-08-17 13:03:49.038994710 -0400
> ++++ man/fax2ps.1	2008-08-17 13:03:52.510994390 -0400
> +@@ -27,7 +27,7 @@
> + .SH NAME
> + fax2ps \- convert a
> + .SM TIFF
> +-facsimile to compressed \*(Ps\(tm
> ++facsimile to compressed PostScript\(tm
> + .SH SYNOPSIS
> + .B fax2ps
> + [
> +@@ -40,7 +40,7 @@
> + reads one or more
> + .SM TIFF
> + facsimile image files and prints a compressed form of
> +-\*(Ps on the standard output that is suitable for
> printing.
> ++PostScript on the standard output that is suitable for
> printing.
> + .PP
> + By default, each page is scaled to reflect the
> + image dimensions and resolutions stored in the file.
> +@@ -62,26 +62,26 @@
> + .PP
> + By default
> + .I fax2ps
> +-generates \*(Ps for all pages in the file.
> ++generates PostScript for all pages in the file.
> + The
> + .B \-p
> + option can be used to select one or more pages from
> + a multi-page document.
> + .PP
> + .I fax2ps
> +-generates a compressed form of \*(Ps that is
> +-optimized for sending pages of text to a \*(Ps
> ++generates a compressed form of PostScript that is
> ++optimized for sending pages of text to a PostScript
> + printer attached to a host through a low-speed link (such
> + as a serial line).
> + Each output page is filled with white and then only
> + the black areas are drawn.
> +-The \*(Ps specification of the black drawing
> operations
> ++The PostScript specification of the black drawing
> operations
> + is optimized by using a special font that encodes the
> + move-draw operations required to fill
> + the black regions on the page.
> + This compression scheme typically results in a
> substantially
> +-reduced \*(Ps description, relative to the
> straightforward
> +-imaging of the page with a \*(Ps
> ++reduced PostScript description, relative to the
> straightforward
> ++imaging of the page with a PostScript
> + .I image
> + operator.
> + This algorithm can, however, be ineffective
> +@@ -138,9 +138,9 @@
> + attempts to recover from such data errors by
> resynchronizing
> + decoding at the end of the current scanline.
> + This can result in long horizontal black lines in the
> resultant
> +-\*(Ps image.
> ++PostScript image.
> + .SH NOTES
> +-If the destination printer supports \*(Ps Level II
> then
> ++If the destination printer supports PostScript Level II
> then
> + it is always faster to just send the encoded bitmap
> generated
> + by the
> + .BR tiff2ps (1)
> +@@ -149,7 +149,7 @@
> + .I fax2ps
> + should probably figure out when it is doing a poor
> + job of compressing the output and just generate 
> +-\*(Ps to image the bitmap raster instead.
> ++PostScript to image the bitmap raster instead.
> + .SH "SEE ALSO"
> + .BR tiff2ps (1),
> + .BR libtiff (3)
> Index: files/patch-raw2tiff.1
> ===================================================================
> RCS file: files/patch-raw2tiff.1
> diff -N files/patch-raw2tiff.1
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-raw2tiff.1	17 Sep 2008 19:25:41 -0000
> @@ -0,0 +1,11 @@
> +--- man/raw2tiff.1.orig	2008-08-17 13:03:49.042994359
> -0400
> ++++ man/raw2tiff.1	2008-08-17 13:03:52.519034963 -0400
> +@@ -184,7 +184,7 @@
> + in some cases. But for most ordinary images guessing
> method will work fine.
> + .SH "SEE ALSO"
> + .BR pal2rgb (1),
> +-.bR tiffinfo (1),
> ++.BR tiffinfo (1),
> + .BR tiffcp (1),
> + .BR tiffmedian (1),
> + .BR libtiff (3)
> Index: files/patch-tif_dir.c
> ===================================================================
> RCS file: files/patch-tif_dir.c
> diff -N files/patch-tif_dir.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_dir.c	17 Sep 2008 19:25:41 -0000
> @@ -0,0 +1,94 @@
> +CVE-2006-3464,3465
> +===================================================================
> +--- libtiff/tif_dir.c.orig	2008-08-17 13:03:48.954994295
> -0400
> ++++ libtiff/tif_dir.c	2008-08-17 13:03:52.881994558 -0400
> +@@ -122,6 +122,7 @@
> + {
> + 	static const char module[] = "_TIFFVSetField";
> + 	
> ++	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag,
> TIFF_ANY);
> + 	TIFFDirectory* td = &tif->tif_dir;
> + 	int status = 1;
> + 	uint32 v32, i, v;
> +@@ -195,10 +196,12 @@
> + 		break;
> + 	case TIFFTAG_ORIENTATION:
> + 		v = va_arg(ap, uint32);
> ++		const TIFFFieldInfo* fip;
> + 		if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT
> < v) {
> ++			fip = _TIFFFieldWithTag(tif, tag);
> + 			TIFFWarningExt(tif->tif_clientdata,
> tif->tif_name,
> + 			    "Bad value %lu for \"%s\"
> tag ignored",
> +-			    v, _TIFFFieldWithTag(tif, tag)->field_name);
> ++			    v, fip ? fip->field_name :
> "Unknown");
> + 		} else
> + 			td->td_orientation = (uint16) v;
> + 		break;
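Review bot: the `const TIFFFieldInfo* fip;` added inside `case TIFFTAG_ORIENTATION` comes after the statement `v = va_arg(ap, uint32);`, which is a declaration following a statement and not valid C89, and it shadows the `fip` this same patch introduces at the top of `_TIFFVSetField`. Drop the inner declaration and the `fip = _TIFFFieldWithTag(tif, tag);` assignment and use the outer `fip` directly, as the other hunks in this file do.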
> +@@ -387,11 +390,15 @@
> + 	     * happens, for example, when tiffcp is used to
> convert between
> + 	     * compression schemes and codec-specific tags are
> blindly copied.
> +              */
> ++	    /* 
> ++	     * better not dereference fip if it is NULL.
> ++	     * -- taviso@google.com 15 Jun 2006
> ++	     */
> +             if(fip == NULL || fip->field_bit !=
> FIELD_CUSTOM) {
> + 		TIFFErrorExt(tif->tif_clientdata, module,
> + 		    "%s: Invalid %stag \"%s\"
> (not supported by codec)",
> + 		    tif->tif_name, isPseudoTag(tag) ?
> "pseudo-" : "",
> +-		    _TIFFFieldWithTag(tif, tag)->field_name);
> ++		    fip ? fip->field_name : "Unknown");
> + 		status = 0;
> + 		break;
> +             }
> +@@ -468,7 +475,7 @@
> + 	    if (fip->field_type == TIFF_ASCII)
> + 		    _TIFFsetString((char **)&tv->value,
> va_arg(ap, char *));
> + 	    else {
> +-                tv->value = _TIFFmalloc(tv_size *
> tv->count);
> ++                tv->value = _TIFFCheckMalloc(tif,
> tv_size, tv->count, "Tag Value");
> + 		if (!tv->value) {
> + 		    status = 0;
> + 		    goto end;
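Review bot: replacing `_TIFFmalloc(tv_size * tv->count)` with the checked allocator removes the multiplication overflow, good. Confirm the argument order against the `_TIFFCheckMalloc` prototype: if it takes (nmemb, elem_size), the call should pass `tv->count, tv_size`. The product is the same either way, but the diagnostic it emits on failure will describe the sizes the wrong way round.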
> +@@ -563,7 +570,7 @@
> +           }
> + 	}
> + 	if (status) {
> +-		TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif,
> tag)->field_bit);
> ++		TIFFSetFieldBit(tif, fip->field_bit);
> + 		tif->tif_flags |= TIFF_DIRTYDIRECT;
> + 	}
> + 
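Review bot: `TIFFSetFieldBit(tif, fip->field_bit)` dereferences `fip` unconditionally, whereas every other use this patch touches is guarded with `fip ? fip->field_name : "Unknown"`. `fip` comes from `_TIFFFindFieldInfo(tif, tag, TIFF_ANY)` at the top of the function and can be NULL, so if any path can reach this point with `status` still 1 and `fip == NULL` this is a NULL dereference. Either add `fip &&` to the condition or document why `status` can only be 1 for a tag that was found.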
> +@@ -572,12 +579,12 @@
> + 	return (status);
> + badvalue:
> + 	TIFFErrorExt(tif->tif_clientdata, module, "%s:
> Bad value %d for \"%s\"",
> +-		  tif->tif_name, v, _TIFFFieldWithTag(tif,
> tag)->field_name);
> ++		  tif->tif_name, v, fip ? fip->field_name :
> "Unknown");
> + 	va_end(ap);
> + 	return (0);
> + badvalue32:
> + 	TIFFErrorExt(tif->tif_clientdata, module, "%s:
> Bad value %ld for \"%s\"",
> +-		   tif->tif_name, v32, _TIFFFieldWithTag(tif,
> tag)->field_name);
> ++		   tif->tif_name, v32, fip ? fip->field_name :
> "Unknown");
> + 	va_end(ap);
> + 	return (0);
> + }
> +@@ -813,12 +820,16 @@
> +              * If the client tries to get a tag that is
> not valid
> +              * for the image's codec then we'll
> arrive here.
> +              */
> ++	    /*
> ++	     * dont dereference fip if it's NULL.
> ++	     * -- taviso@google.com 15 Jun 2006
> ++	     */
> +             if( fip == NULL || fip->field_bit !=
> FIELD_CUSTOM )
> +             {
> + 				TIFFErrorExt(tif->tif_clientdata,
> "_TIFFVGetField",
> +                           "%s: Invalid %stag
> \"%s\" (not supported by codec)",
> +                           tif->tif_name,
> isPseudoTag(tag) ? "pseudo-" : "",
> +-                          _TIFFFieldWithTag(tif,
> tag)->field_name);
> ++                          fip ? fip->field_name :
> "Unknown");
> +                 ret_val = 0;
> +                 break;
> +             }
> Index: files/patch-tif_dirinfo.c
> ===================================================================
> RCS file: files/patch-tif_dirinfo.c
> diff -N files/patch-tif_dirinfo.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_dirinfo.c	17 Sep 2008 19:25:41 -0000
> @@ -0,0 +1,24 @@
> +CVE-2006-3464,3465
> +===================================================================
> +--- libtiff/tif_dirinfo.c.orig	2008-08-17
> 13:03:48.958994316 -0400
> ++++ libtiff/tif_dirinfo.c	2008-08-17 13:03:52.890034927
> -0400
> +@@ -775,7 +775,8 @@
> + 		TIFFErrorExt(tif->tif_clientdata,
> "TIFFFieldWithTag",
> + 			  "Internal error, unknown tag 0x%x",
> +                           (unsigned int) tag);
> +-		assert(fip != NULL);
> ++		/* assert(fip != NULL); */
> ++
> + 		/*NOTREACHED*/
> + 	}
> + 	return (fip);
> +@@ -789,7 +790,8 @@
> + 	if (!fip) {
> + 		TIFFErrorExt(tif->tif_clientdata,
> "TIFFFieldWithName",
> + 			  "Internal error, unknown tag %s",
> field_name);
> +-		assert(fip != NULL);
> ++		/* assert(fip != NULL); */
> ++		
> + 		/*NOTREACHED*/
> + 	}
> + 	return (fip);
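Review bot: commenting out `assert(fip != NULL)` in both `_TIFFFieldWithTag` and `_TIFFFieldWithName` turns an abort into a NULL return, so the `/*NOTREACHED*/` comments left behind in both hunks are now wrong and should go. More importantly, the return value is no longer guaranteed non-NULL: the tif_dir.c and tif_dirread.c hunks add `fip ?` guards to the callers they touch, but any caller this patch does not touch that still writes `_TIFFFieldWithTag(...)->field_name` now crashes on an unknown tag instead of asserting. The remaining call sites should be audited as part of this change.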
> Index: files/patch-tif_dirread.c
> ===================================================================
> RCS file: files/patch-tif_dirread.c
> diff -N files/patch-tif_dirread.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_dirread.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,321 @@
> +CVE-2006-3459,3463,3464,3465 
> +===================================================================
> +--- libtiff/tif_dirread.c.orig	2008-08-17
> 13:03:48.962994506 -0400
> ++++ libtiff/tif_dirread.c	2008-08-17 13:03:52.890034927
> -0400
> +@@ -29,6 +29,9 @@
> +  *
> +  * Directory Read Support Routines.
> +  */
> ++
> ++#include <limits.h>
> ++
> + #include "tiffiop.h"
> + 
> + #define	IGNORE	0		/* tag placeholder used below */
> +@@ -81,6 +84,7 @@
> + 	uint16 dircount;
> + 	toff_t nextdiroff;
> + 	int diroutoforderwarning = 0;
> ++	int compressionknown = 0;
> + 	toff_t* new_dirlist;
> + 
> + 	tif->tif_diroff = tif->tif_nextdiroff;
> +@@ -147,13 +151,20 @@
> + 	} else {
> + 		toff_t off = tif->tif_diroff;
> + 
> +-		if (off + sizeof (uint16) > tif->tif_size) {
> +-			TIFFErrorExt(tif->tif_clientdata, module,
> +-			    "%s: Can not read TIFF directory count",
> +-                            tif->tif_name);
> +-			return (0);
> ++		/*
> ++		 * Check for integer overflow when validating the
> dir_off, otherwise
> ++		 * a very high offset may cause an OOB read and crash
> the client.
> ++		 * -- taviso@google.com, 14 Jun 2006.
> ++		 */
> ++		if (off + sizeof (uint16) > tif->tif_size || 
> ++			off > (UINT_MAX - sizeof(uint16))) {
> ++				TIFFErrorExt(tif->tif_clientdata, module,
> ++				    "%s: Can not read TIFF directory
> count",
> ++				    tif->tif_name);
> ++				return (0);
> + 		} else
> +-			_TIFFmemcpy(&dircount, tif->tif_base + off,
> sizeof (uint16));
> ++			_TIFFmemcpy(&dircount, tif->tif_base + off,
> ++					sizeof (uint16));
> + 		off += sizeof (uint16);
> + 		if (tif->tif_flags & TIFF_SWAB)
> + 			TIFFSwabShort(&dircount);
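Review bot: same ordering nit as in tif_read.c: put `off > (UINT_MAX - sizeof(uint16))` before the sum it protects. The error block body was also re-indented by an extra tab, which makes the diff noisier than the one-line change needs; keep the original indentation so the hunk shows only the new condition.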
> +@@ -254,6 +265,7 @@
> + 		while (fix < tif->tif_nfields &&
> + 		       tif->tif_fieldinfo[fix]->field_tag <
> dp->tdir_tag)
> + 			fix++;
> ++
> + 		if (fix >= tif->tif_nfields ||
> + 		    tif->tif_fieldinfo[fix]->field_tag !=
> dp->tdir_tag) {
> + 
> +@@ -264,17 +276,23 @@
> + 						       dp->tdir_tag,
> + 						       dp->tdir_tag,
> + 						       dp->tdir_type);
> +-
> +-                    TIFFMergeFieldInfo(tif,
> +-                                      
> _TIFFCreateAnonFieldInfo(tif,
> +-						dp->tdir_tag,
> +-						(TIFFDataType) dp->tdir_type),
> +-				       1 );
> ++					/*
> ++					 * creating anonymous fields prior to knowing the
> compression
> ++					 * algorithm (ie, when the field info has been
> merged) could cause
> ++					 * crashes with pathological directories.
> ++					 * -- taviso@google.com 15 Jun 2006
> ++					 */
> ++					if (compressionknown)
> ++			                    TIFFMergeFieldInfo(tif,
> _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
> ++						(TIFFDataType) dp->tdir_type), 1 );
> ++					else goto ignore;
> ++		    
> +                     fix = 0;
> +                     while (fix < tif->tif_nfields
> &&
> +                           
> tif->tif_fieldinfo[fix]->field_tag <
> dp->tdir_tag)
> + 			fix++;
> + 		}
> ++		
> + 		/*
> + 		 * Null out old tags that we ignore.
> + 		 */
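Review bot: `goto ignore` jumps to a label that is not in this hunk; make sure `ignore:` exists in TIFFReadDirectory at this version and that it skips the rest of the per-entry processing as intended. The behaviour change is also larger than the comment suggests: `compressionknown` starts at 0 and is only bumped when the Compression tag's `TIFFSetField` succeeds (next hunk), so every unknown tag that precedes the Compression entry in the directory is dropped rather than registered as an anonymous field, and a directory with no Compression tag at all never registers any unknown tag. That is an acceptable trade for a security fix, but it should be stated in the commit message. The added lines also mix tabs and spaces for indentation.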
> +@@ -326,6 +344,7 @@
> + 				    dp->tdir_type, dp->tdir_offset);
> + 				if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
> + 					goto bad;
> ++				else compressionknown++;
> + 				break;
> + 			/* XXX: workaround for broken TIFFs */
> + 			} else if (dp->tdir_type == TIFF_LONG) {
> +@@ -540,6 +559,7 @@
> + 	 * Attempt to deal with a missing StripByteCounts tag.
> + 	 */
> + 	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
> ++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
> TIFFTAG_STRIPBYTECOUNTS);
> + 		/*
> + 		 * Some manufacturers violate the spec by not giving
> + 		 * the size of the strips.  In this case, assume there
> +@@ -556,7 +576,7 @@
> + 			"%s: TIFF directory is missing required "
> + 			"\"%s\" field, calculating from
> imagelength",
> + 			tif->tif_name,
> +-		       
> _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
> ++		        fip ? fip->field_name :
> "Unknown");
> + 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
> + 		    goto bad;
> + /* 
> +@@ -580,6 +600,7 @@
> + 	} else if (td->td_nstrips == 1 
> +                    && td->td_stripoffset[0] !=
> 0 
> +                    && BYTECOUNTLOOKSBAD) {
> ++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
> TIFFTAG_STRIPBYTECOUNTS);
> + 		/*
> + 		 * XXX: Plexus (and others) sometimes give a value of
> zero for
> + 		 * a tag when they don't know what the correct
> value is!  Try
> +@@ -589,13 +610,14 @@
> + 		TIFFWarningExt(tif->tif_clientdata, module,
> + 	"%s: Bogus \"%s\" field, ignoring
> and calculating from imagelength",
> +                             tif->tif_name,
> +-		           
> _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
> ++		            fip ? fip->field_name :
> "Unknown");
> + 		if(EstimateStripByteCounts(tif, dir, dircount) < 0)
> + 		    goto bad;
> + 	} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
> + 		   && td->td_nstrips > 2
> + 		   && td->td_compression == COMPRESSION_NONE
> + 		   && td->td_stripbytecount[0] !=
> td->td_stripbytecount[1]) {
> ++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
> TIFFTAG_STRIPBYTECOUNTS);
> + 		/*
> + 		 * XXX: Some vendors fill StripByteCount array with
> absolutely
> + 		 * wrong values (it can be equal to StripOffset array,
> for
> +@@ -604,7 +626,7 @@
> + 		TIFFWarningExt(tif->tif_clientdata, module,
> + 	"%s: Wrong \"%s\" field, ignoring
> and calculating from imagelength",
> +                             tif->tif_name,
> +-		           
> _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
> ++		            fip ? fip->field_name :
> "Unknown");
> + 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
> + 		    goto bad;
> + 	}
> +@@ -870,7 +892,13 @@
> + 
> + 	register TIFFDirEntry *dp;
> + 	register TIFFDirectory *td = &tif->tif_dir;
> +-	uint16 i;
> ++	
> ++	/* i is used to iterate over td->td_nstrips, so must
> be
> ++	 * at least the same width.
> ++	 * -- taviso@google.com 15 Jun 2006
> ++	 */
> ++
> ++	uint32 i;
> + 
> + 	if (td->td_stripbytecount)
> + 		_TIFFfree(td->td_stripbytecount);
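Review bot: widening the loop counter from `uint16 i` to `uint32 i` is right, because the comment says `i` iterates over `td->td_nstrips` and a narrower counter would wrap before reaching a large strip count. Style: the added `++\t` line above the comment is whitespace-only and the blank `++` line between the comment and `uint32 i;` is unnecessary; keep the declaration and its comment together.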
> +@@ -947,16 +975,18 @@
> + static int
> + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
> + {
> ++	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
> dir->tdir_tag);
> ++
> + 	if (count > dir->tdir_count) {
> + 		TIFFWarningExt(tif->tif_clientdata,
> tif->tif_name,
> + 	"incorrect count for field \"%s\"
> (%lu, expecting %lu); tag ignored",
> +-		    _TIFFFieldWithTag(tif,
> dir->tdir_tag)->field_name,
> ++		    fip ? fip->field_name : "Unknown",
> + 		    dir->tdir_count, count);
> + 		return (0);
> + 	} else if (count < dir->tdir_count) {
> + 		TIFFWarningExt(tif->tif_clientdata,
> tif->tif_name,
> + 	"incorrect count for field \"%s\"
> (%lu, expecting %lu); tag trimmed",
> +-		    _TIFFFieldWithTag(tif,
> dir->tdir_tag)->field_name,
> ++		    fip ? fip->field_name : "Unknown",
> + 		    dir->tdir_count, count);
> + 		return (1);
> + 	}
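Review bot: `fip` is now looked up unconditionally at the top of `CheckDirCount`, once per directory entry, even on the common path where `count == dir->tdir_count` and it is never used. The `cvtRational` change in this same file defers the lookup into the error branch; the same shape fits here. Separately, the pre-existing `%lu` conversions receive `dir->tdir_count` and `count` without `(unsigned long)` casts, which is only portable where `uint32` happens to be `unsigned long`.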
> +@@ -970,6 +1000,7 @@
> + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
> + {
> + 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
> ++	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
> dir->tdir_tag);
> + 	tsize_t cc = dir->tdir_count * w;
> + 
> + 	/* Check for overflow. */
> +@@ -1013,7 +1044,7 @@
> + bad:
> + 	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
> + 		     "Error fetching data for field
> \"%s\"",
> +-		     _TIFFFieldWithTag(tif,
> dir->tdir_tag)->field_name);
> ++		     fip ? fip->field_name : "Unknown");
> + 	return (tsize_t) 0;
> + }
> + 
> +@@ -1039,10 +1070,12 @@
> + static int
> + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num,
> uint32 denom, float* rv)
> + {
> ++	const TIFFFieldInfo* fip;
> + 	if (denom == 0) {
> ++		fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
> + 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
> + 		    "%s: Rational with zero denominator (num =
> %lu)",
> +-		    _TIFFFieldWithTag(tif,
> dir->tdir_tag)->field_name, num);
> ++		    fip ? fip->field_name : "Unknown",
> num);
> + 		return (0);
> + 	} else {
> + 		if (dir->tdir_type == TIFF_RATIONAL)
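Review bot: `fip` is declared uninitialised at function scope but is only assigned and used inside the `denom == 0` branch. Either initialise it to NULL at the declaration or declare it inside the branch, so a later use elsewhere in the function cannot read an indeterminate pointer.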
> +@@ -1159,6 +1192,20 @@
> + static int
> + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
> + {
> ++	/*
> ++	 * Prevent overflowing the v stack arrays below by
> performing a sanity
> ++	 * check on tdir_count, this should never be greater
> than two.
> ++	 * -- taviso@google.com 14 Jun 2006.
> ++	 */
> ++	if (dir->tdir_count > 2) {
> ++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
> dir->tdir_tag);
> ++		TIFFWarningExt(tif->tif_clientdata,
> tif->tif_name,
> ++				"unexpected count for field
> \"%s\", %lu, expected 2; ignored.",
> ++				fip ? fip->field_name : "Unknown",
> ++				dir->tdir_count);
> ++		return 0;
> ++	}
> ++
> + 	switch (dir->tdir_type) {
> + 		case TIFF_BYTE:
> + 		case TIFF_SBYTE:
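Review bot: rejecting `dir->tdir_count > 2` is the correct guard for the fixed-size `v` arrays the comment refers to, but the `TIFFWarningExt` call passes `dir->tdir_count` to `%lu` with no cast; where `uint32` is `unsigned int` that is a type mismatch in a variadic call. Use `(unsigned long) dir->tdir_count`. The check also still admits counts of 0 and 1, so confirm the `switch` below copes with fewer than two values rather than reading past what was fetched.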
> +@@ -1329,14 +1376,15 @@
> + 	case TIFF_DOUBLE:
> + 		return (TIFFFetchDoubleArray(tif, dir, (double*) v));
> + 	default:
> ++		{ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
> dir->tdir_tag);
> + 		/* TIFF_NOTYPE */
> + 		/* TIFF_ASCII */
> + 		/* TIFF_UNDEFINED */
> + 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
> + 			     "cannot read TIFF_ANY type %d for field
> \"%s\"",
> + 			     dir->tdir_type,
> +-			     _TIFFFieldWithTag(tif,
> dir->tdir_tag)->field_name);
> +-		return (0);
> ++			     fip ? fip->field_name : "Unknown");
> ++		return (0); }
> + 	}
> + 	return (1);
> + }
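Review bot: style: opening the block on the `default:` line (`{ const TIFFFieldInfo* fip = ...`) and closing it on the `return (0); }` line makes the scope hard to see. Either put the braces on their own lines or hoist the `fip` declaration to the top of the function, as the other hunks in this file do.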
> +@@ -1351,6 +1399,9 @@
> + 	int ok = 0;
> + 	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif,
> dp->tdir_tag);
> + 
> ++	if (fip == NULL) {
> ++		return (0);
> ++	}
> + 	if (dp->tdir_count > 1) {		/* array of values */
> + 		char* cp = NULL;
> + 
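Review bot: the new `if (fip == NULL) { return (0); }` exits with no diagnostic. Every other NULL-`fip` path in this patch still emits its warning with "Unknown" as the field name; emit a `TIFFWarningExt` that names `dp->tdir_tag` here as well, otherwise a tag dropped by this path leaves no trace for anyone debugging a rejected file.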
> +@@ -1493,6 +1544,7 @@
> + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir,
> uint16* pl)
> + {
> +     uint16 samples = tif->tif_dir.td_samplesperpixel;
> ++    const TIFFFieldInfo* fip;
> +     int status = 0;
> + 
> +     if (CheckDirCount(tif, dir, (uint32) samples)) {
> +@@ -1510,9 +1562,10 @@
> + 
> +             for (i = 1; i < check_count; i++)
> +                 if (v[i] != v[0]) {
> ++				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
> + 					TIFFErrorExt(tif->tif_clientdata,
> tif->tif_name,
> +                               "Cannot handle
> different per-sample values for field
> \"%s\"",
> +-                              _TIFFFieldWithTag(tif,
> dir->tdir_tag)->field_name);
> ++                              fip ? fip->field_name :
> "Unknown");
> +                     goto bad;
> +                 }
> +             *pl = v[0];
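Review bot: indentation: the added `fip = _TIFFFieldWithTag(tif, dir->tdir_tag);` is tab-indented while the surrounding `for`/`if` body uses spaces, and the existing `TIFFErrorExt` line sits one level deeper than its `if`. The two per-sample hunks that follow (`TIFFFetchPerSampleLongs`, `TIFFFetchPerSampleAnys`) have the same mix. Match the existing space indentation so the port patch does not introduce mixed whitespace.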
> +@@ -1534,6 +1587,7 @@
> + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir,
> uint32* pl)
> + {
> +     uint16 samples = tif->tif_dir.td_samplesperpixel;
> ++    const TIFFFieldInfo* fip;
> +     int status = 0;
> + 
> +     if (CheckDirCount(tif, dir, (uint32) samples)) {
> +@@ -1551,9 +1605,10 @@
> +                 check_count = samples;
> +             for (i = 1; i < check_count; i++)
> +                 if (v[i] != v[0]) {
> ++				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
> + 					TIFFErrorExt(tif->tif_clientdata,
> tif->tif_name,
> +                               "Cannot handle
> different per-sample values for field
> \"%s\"",
> +-                              _TIFFFieldWithTag(tif,
> dir->tdir_tag)->field_name);
> ++                              fip ? fip->field_name :
> "Unknown");
> +                     goto bad;
> +                 }
> +             *pl = v[0];
> +@@ -1574,6 +1629,7 @@
> + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir,
> double* pl)
> + {
> +     uint16 samples = tif->tif_dir.td_samplesperpixel;
> ++    const TIFFFieldInfo* fip;
> +     int status = 0;
> + 
> +     if (CheckDirCount(tif, dir, (uint32) samples)) {
> +@@ -1591,9 +1647,10 @@
> + 
> +             for (i = 1; i < check_count; i++)
> +                 if (v[i] != v[0]) {
> ++		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
> +                     TIFFErrorExt(tif->tif_clientdata,
> tif->tif_name,
> +                               "Cannot handle
> different per-sample values for field
> \"%s\"",
> +-                              _TIFFFieldWithTag(tif,
> dir->tdir_tag)->field_name);
> ++                              fip ? fip->field_name :
> "Unknown");
> +                     goto bad;
> +                 }
> +             *pl = v[0];
> Index: files/patch-tif_fax3.c
> ===================================================================
> RCS file: files/patch-tif_fax3.c
> diff -N files/patch-tif_fax3.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_fax3.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,27 @@
> +CVE-2006-3464,3465
> +===================================================================
> +--- libtiff/tif_fax3.c.orig	2008-08-17 13:03:48.970994629
> -0400
> ++++ libtiff/tif_fax3.c	2008-08-17 13:03:52.890034927 -0400
> +@@ -1136,6 +1136,7 @@
> + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
> + {
> + 	Fax3BaseState* sp = Fax3State(tif);
> ++	const TIFFFieldInfo* fip;
> + 
> + 	assert(sp != 0);
> + 	assert(sp->vsetparent != 0);
> +@@ -1181,7 +1182,13 @@
> + 	default:
> + 		return (*sp->vsetparent)(tif, tag, ap);
> + 	}
> +-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif,
> tag)->field_bit);
> ++	
> ++	if ((fip = _TIFFFieldWithTag(tif, tag))) {
> ++		TIFFSetFieldBit(tif, fip->field_bit);
> ++	} else {
> ++		return (0);
> ++	}
> ++
> + 	tif->tif_flags |= TIFF_DIRTYDIRECT;
> + 	return (1);
> + }
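Review bot: the NULL check replaces an unguarded `_TIFFFieldWithTag(tif, tag)->field_bit`, which is the right change, but it runs after the `switch` has already processed the tag, so `return (0)` reports failure for a tag the function just accepted, and does so silently. A recognised tag with no field info indicates an internal inconsistency; emit a `TIFFErrorExt` before returning. Also drop the whitespace-only `++\t` line added above the `if`.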
> Index: files/patch-tif_jpeg.c
> ===================================================================
> RCS file: files/patch-tif_jpeg.c
> diff -N files/patch-tif_jpeg.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_jpeg.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,121 @@
> +CVE-2006-3460,3464,3465
> +===================================================================
> +--- libtiff/tif_jpeg.c.orig	2008-08-17 13:03:48.974994391
> -0400
> ++++ libtiff/tif_jpeg.c	2008-08-17 13:03:52.894064968 -0400
> +@@ -722,15 +722,31 @@
> + 		segment_width = TIFFhowmany(segment_width,
> sp->h_sampling);
> + 		segment_height = TIFFhowmany(segment_height,
> sp->v_sampling);
> + 	}
> +-	if (sp->cinfo.d.image_width != segment_width ||
> +-	    sp->cinfo.d.image_height != segment_height) {
> ++	if (sp->cinfo.d.image_width < segment_width ||
> ++	    sp->cinfo.d.image_height < segment_height) {
> + 		TIFFWarningExt(tif->tif_clientdata, module,
> +                  "Improper JPEG strip/tile size,
> expected %dx%d, got %dx%d",
> +                           segment_width, 
> +                           segment_height,
> +                           sp->cinfo.d.image_width, 
> +                           sp->cinfo.d.image_height);
> ++	} 
> ++	
> ++	if (sp->cinfo.d.image_width > segment_width ||
> ++			sp->cinfo.d.image_height > segment_height) {
> ++		/*
> ++		 * This case could be dangerous, if the strip or tile
> size has been
> ++		 * reported as less than the amount of data jpeg will
> return, some
> ++		 * potential security issues arise. Catch this case and
> error out.
> ++		 * -- taviso@google.com 14 Jun 2006
> ++		 */
> ++		TIFFErrorExt(tif->tif_clientdata, module, 
> ++			"JPEG strip/tile size exceeds expected
> dimensions,"
> ++			"expected %dx%d, got %dx%d", segment_width,
> segment_height,
> ++			sp->cinfo.d.image_width,
> sp->cinfo.d.image_height);
> ++		return (0);
> + 	}
> ++
> + 	if (sp->cinfo.d.num_components !=
> + 	    (td->td_planarconfig == PLANARCONFIG_CONTIG ?
> + 	     td->td_samplesperpixel : 1)) {
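Review bot: the two string literals in the new `TIFFErrorExt` call, `"JPEG strip/tile size exceeds expected dimensions,"` and `"expected %dx%d, got %dx%d"`, are concatenated without a separating space, so the rendered message reads `dimensions,expected`. Add the space. Splitting the old `!=` test into a `<` warning and a `>` error is the right call: a JPEG larger than the strip/tile is the case that would overrun a buffer sized from the strip, and it now fails instead of merely warning. Trim the trailing space on the `++\t} ` line.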
> +@@ -761,6 +777,22 @@
> +                                    
> sp->cinfo.d.comp_info[0].v_samp_factor,
> +                                     sp->h_sampling,
> sp->v_sampling);
> + 
> ++				/*
> ++				 * There are potential security issues here for
> decoders that
> ++				 * have already allocated buffers based on the
> expected sampling
> ++				 * factors. Lets check the sampling factors dont
> exceed what
> ++				 * we were expecting.
> ++				 * -- taviso@google.com 14 June 2006
> ++				 */
> ++				if (sp->cinfo.d.comp_info[0].h_samp_factor >
> sp->h_sampling ||
> ++					sp->cinfo.d.comp_info[0].v_samp_factor >
> sp->v_sampling) {
> ++						TIFFErrorExt(tif->tif_clientdata, module,
> ++							"Cannot honour JPEG sampling factors
> that"
> ++							" exceed those specified.");
> ++						return (0);
> ++				}
> ++
> ++
> + 			    /*
> + 			     * XXX: Files written by the Intergraph software
> + 			     * has different sampling factors stored in the
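Review bot: the sampling-factor check inspects only `comp_info[0]`, which is consistent with the existing warning immediately above that also reports `comp_info[0]`; fine as is. Style: the new block is indented several tabs deeper than the surrounding code, and it is followed by two blank `++` lines before the existing `XXX: Files written by the Intergraph software` comment; one blank line is enough.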
> +@@ -1521,15 +1553,18 @@
> + {
> + 	JPEGState *sp = JState(tif);
> + 	
> +-	assert(sp != 0);
> ++	/* assert(sp != 0); */
> + 
> + 	tif->tif_tagmethods.vgetfield = sp->vgetparent;
> + 	tif->tif_tagmethods.vsetfield = sp->vsetparent;
> + 
> +-	if( sp->cinfo_initialized )
> +-	    TIFFjpeg_destroy(sp);	/* release libjpeg resources
> */
> +-	if (sp->jpegtables)		/* tag value */
> +-		_TIFFfree(sp->jpegtables);
> ++	if (sp != NULL) {
> ++		if( sp->cinfo_initialized )
> ++		    TIFFjpeg_destroy(sp);	/* release libjpeg resources
> */
> ++		if (sp->jpegtables)		/* tag value */
> ++			_TIFFfree(sp->jpegtables);
> ++	}
> ++
> + 	_TIFFfree(tif->tif_data);	/* release local state */
> + 	tif->tif_data = NULL;
> + 
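Review bot: logic problem: `assert(sp != 0)` is replaced by `if (sp != NULL)`, but the two unchanged lines `tif->tif_tagmethods.vgetfield = sp->vgetparent;` and `tif->tif_tagmethods.vsetfield = sp->vsetparent;` dereference `sp` before the check is reached, so a NULL `sp` still crashes here. Move those two assignments inside the `if (sp != NULL)` block, or return early when `sp` is NULL before restoring the tag methods. The commented-out `/* assert(sp != 0); */` adds nothing and should be deleted.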
> +@@ -1541,6 +1576,7 @@
> + {
> + 	JPEGState* sp = JState(tif);
> + 	TIFFDirectory* td = &tif->tif_dir;
> ++	const TIFFFieldInfo* fip;
> + 	uint32 v32;
> + 
> + 	assert(sp != NULL);
> +@@ -1606,7 +1642,13 @@
> + 	default:
> + 		return (*sp->vsetparent)(tif, tag, ap);
> + 	}
> +-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif,
> tag)->field_bit);
> ++
> ++	if ((fip = _TIFFFieldWithTag(tif, tag))) {
> ++		TIFFSetFieldBit(tif, fip->field_bit);
> ++	} else {
> ++		return (0);
> ++	}
> ++
> + 	tif->tif_flags |= TIFF_DIRTYDIRECT;
> + 	return (1);
> + }
> +@@ -1726,7 +1768,11 @@
> + {
> + 	JPEGState* sp = JState(tif);
> + 
> +-	assert(sp != NULL);
> ++	/* assert(sp != NULL); */
> ++	if (sp == NULL) {
> ++		TIFFWarningExt(tif->tif_clientdata,
> "JPEGPrintDir", "Unknown JPEGState");
> ++		return;
> ++	}
> + 
> + 	(void) flags;
> + 	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
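Review bot: warning and returning on a NULL `sp` is the right behaviour for a print routine, but the commented-out `/* assert(sp != NULL); */` is dead text; the `if (sp == NULL)` check documents the intent on its own, so remove the comment.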
> Index: files/patch-tif_lzw.c
> ===================================================================
> RCS file: files/patch-tif_lzw.c
> diff -N files/patch-tif_lzw.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_lzw.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,60 @@
> +CVE-2008-2327
> +===================================================================
> +--- libtiff/tif_lzw.c.orig	2008-08-17 13:03:49.090994393
> -0400
> ++++ libtiff/tif_lzw.c	2008-08-17 13:03:52.354994400 -0400
> +@@ -237,6 +237,13 @@
> +                     sp->dec_codetab[code].length = 1;
> +                     sp->dec_codetab[code].next = NULL;
> +                 } while (code--);
> ++                /*
> ++                 * Zero-out the unused entries
> ++                 */
> ++                
> _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
> ++                 (CODE_FIRST-CODE_CLEAR)*sizeof
> (code_t));
> ++
> ++
> + 	}
> + 	return (1);
> + }
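Review bot: zeroing `dec_codetab` from `CODE_CLEAR` up to `CODE_FIRST` at setup gives the reserved entries a NULL `next` and zero `length`, so a stream that references them cannot follow a stale pointer left over from a previous strip. Style: two blank `++` lines follow the `_TIFFmemset`; one is enough.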
> +@@ -408,12 +415,20 @@
> + 			break;
> + 		if (code == CODE_CLEAR) {
> + 			free_entp = sp->dec_codetab + CODE_FIRST;
> ++			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof
> (code_t));
> + 			nbits = BITS_MIN;
> + 			nbitsmask = MAXCODE(BITS_MIN);
> + 			maxcodep = sp->dec_codetab + nbitsmask-1;
> + 			NextCode(tif, sp, bp, code, GetNextCode);
> + 			if (code == CODE_EOI)
> + 				break;
> ++			 if (code == CODE_CLEAR) {
> ++				 TIFFErrorExt(tif->tif_clientdata,
> tif->tif_name,
> ++				 "LZWDecode: Corrupted LZW table at scanline
> %d",
> ++				 tif->tif_row);
> ++				 return (0);
> ++			 }
> ++
> + 			*op++ = (char)code, occ--;
> + 			oldcodep = sp->dec_codetab + code;
> + 			continue;
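Review bot: the `code == CODE_CLEAR` test after `NextCode` rejects a back-to-back clear, and the `_TIFFmemset` from `CODE_FIRST` to `CSIZE` turns any other stale reference into a zeroed entry instead of a dangling `next`. Only literal codes, those below `CODE_CLEAR`, are valid immediately after a clear (assuming the usual ordering `CODE_CLEAR < CODE_EOI < CODE_FIRST` that the `(CODE_FIRST-CODE_CLEAR)` size in the earlier hunk implies), so the explicit check could be `code >= CODE_CLEAR` with `CODE_EOI` already handled on the preceding line; that rejects the whole invalid range with the same error rather than relying on the memset for codes at or above `CODE_FIRST`. The added lines also carry a stray leading space before the tab, unlike the surrounding lines. The memset now runs on every clear code; acceptable for a decoder, but worth a comment.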
> +@@ -604,12 +619,20 @@
> + 			break;
> + 		if (code == CODE_CLEAR) {
> + 			free_entp = sp->dec_codetab + CODE_FIRST;
> ++			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof
> (code_t));
> + 			nbits = BITS_MIN;
> + 			nbitsmask = MAXCODE(BITS_MIN);
> + 			maxcodep = sp->dec_codetab + nbitsmask;
> + 			NextCode(tif, sp, bp, code, GetNextCodeCompat);
> + 			if (code == CODE_EOI)
> + 				break;
> ++			 if (code == CODE_CLEAR) {
> ++				 TIFFErrorExt(tif->tif_clientdata,
> tif->tif_name,
> ++				 "LZWDecode: Corrupted LZW table at scanline
> %d",
> ++				 tif->tif_row);
> ++				 return (0);
> ++			 }
> ++
> + 			*op++ = code, occ--;
> + 			oldcodep = sp->dec_codetab + code;
> + 			continue;
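Review bot: same change as the earlier `-408,12 +415,20` hunk, applied to the compat decoder, and the same tightening applies: only literal codes are valid right after a clear, so `code >= CODE_CLEAR` is the stricter check. One discrepancy: this path writes `*op++ = code` without the `(char)` cast the other decoder uses (`*op++ = (char)code`); harmless since `op` receives a byte either way, but align the two.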
> Index: files/patch-tif_next.c
> ===================================================================
> RCS file: files/patch-tif_next.c
> diff -N files/patch-tif_next.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_next.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,22 @@
> +CVE-2006-3462
> +===================================================================
> +--- libtiff/tif_next.c.orig	2008-08-17 13:03:48.978994352
> -0400
> ++++ libtiff/tif_next.c	2008-08-17 13:03:52.894064968 -0400
> +@@ -105,11 +105,16 @@
> + 			 * as codes of the form <color><npixels>
> + 			 * until we've filled the scanline.
> + 			 */
> ++			/*
> ++			 * Ensure the run does not exceed the scanline
> ++			 * bounds, potentially resulting in a security issue.
> ++			 * -- taviso@google.com 14 Jun 2006.
> ++			 */
> + 			op = row;
> + 			for (;;) {
> + 				grey = (n>>6) & 0x3;
> + 				n &= 0x3f;
> +-				while (n-- > 0)
> ++				while (n-- > 0 && npixels < imagewidth)
> + 					SETPIXEL(op, grey);
> + 				if (npixels >= (int) imagewidth)
> + 					break;
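Review bot: the added `npixels < imagewidth` bound is the actual fix, but it compares the two without a cast while the `if` two lines below writes `(int) imagewidth`, so one of the two comparisons mixes signedness. Use the same form in both. The new comment block also sits directly after the existing `until we've filled the scanline. */` comment; merging the two avoids back-to-back comment blocks.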
> Index: files/patch-tif_pixarlog.c
> ===================================================================
> RCS file: files/patch-tif_pixarlog.c
> diff -N files/patch-tif_pixarlog.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_pixarlog.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,25 @@
> +CVE-2006-3461
> +===================================================================
> +--- libtiff/tif_pixarlog.c.orig	2008-08-17
> 13:03:48.986994374 -0400
> ++++ libtiff/tif_pixarlog.c	2008-08-17 13:03:52.894064968
> -0400
> +@@ -768,7 +768,19 @@
> + 	if (tif->tif_flags & TIFF_SWAB)
> + 		TIFFSwabArrayOfShort(up, nsamples);
> + 
> +-	for (i = 0; i < nsamples; i += llen, up += llen) {
> ++	/* 
> ++	 * if llen is not an exact multiple of nsamples, the
> decode operation
> ++	 * may overflow the output buffer, so truncate it enough
> to prevent that
> ++	 * but still salvage as much data as possible.
> ++	 * -- taviso@google.com 14th June 2006
> ++	 */
> ++	if (nsamples % llen) 
> ++		TIFFWarningExt(tif->tif_clientdata, module,
> ++				"%s: stride %lu is not a multiple of sample
> count, "
> ++				"%lu, data truncated.", tif->tif_name,
> llen, nsamples);
> ++				
> ++	
> ++	for (i = 0; i < nsamples - (nsamples % llen); i +=
> llen, up += llen) {
> + 		switch (sp->user_datafmt)  {
> + 		case PIXARLOGDATAFMT_FLOAT:
> + 			horizontalAccumulateF(up, llen, sp->stride,
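Review bot: the warning text and the comment have the relation backwards: the test is `nsamples % llen`, i.e. the sample count is not a multiple of the stride, but the message says `stride %lu is not a multiple of sample count` and the comment says `llen is not an exact multiple of nsamples`. Reword both to match the code. `%lu` needs `(unsigned long)` casts on `llen` and `nsamples` unless those are already `unsigned long`. Remove the two whitespace-only lines (`++\t\t\t\t` and `++\t`) between the warning and the `for`. The truncated bound `nsamples - (nsamples % llen)` is correct and keeps every complete row.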
> Index: files/patch-tif_print.c
> ===================================================================
> RCS file: files/patch-tif_print.c
> diff -N files/patch-tif_print.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_print.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,13 @@
> +CVE-2006-3464,3465
> +===================================================================
> +--- libtiff/tif_print.c.orig	2008-08-17 13:03:49.113994690
> -0400
> ++++ libtiff/tif_print.c	2008-08-17 13:03:52.201994368
> -0400
> +@@ -491,7 +491,7 @@
> + 		} else
> + 			fprintf(fd, "(present)\n");
> + 	}
> +-	if (TIFFFieldSet(tif, FIELD_SUBIFD)) {
> ++	if (TIFFFieldSet(tif, FIELD_SUBIFD) &&
> (td->td_subifd)) {
> + 		fprintf(fd, "  SubIFD Offsets:");
> + 		for (i = 0; i < td->td_nsubifd; i++)
> + 			fprintf(fd, " %5lu", (long)
> td->td_subifd[i]);
> Index: files/patch-tif_read.c
> ===================================================================
> RCS file: files/patch-tif_read.c
> diff -N files/patch-tif_read.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tif_read.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,43 @@
> +CVE-2006-3464,3465
> +===================================================================
> +--- libtiff/tif_read.c.orig	2008-08-17 13:03:48.990994211
> -0400
> ++++ libtiff/tif_read.c	2008-08-17 13:03:52.898026507 -0400
> +@@ -31,6 +31,8 @@
> + #include "tiffiop.h"
> + #include <stdio.h>
> + 
> ++#include <limits.h>
> ++
> + 	int TIFFFillStrip(TIFF*, tstrip_t);
> + 	int TIFFFillTile(TIFF*, ttile_t);
> + static	int TIFFStartStrip(TIFF*, tstrip_t);
> +@@ -272,7 +274,13 @@
> + 		if ((tif->tif_flags & TIFF_MYBUFFER) &&
> tif->tif_rawdata)
> + 			_TIFFfree(tif->tif_rawdata);
> + 		tif->tif_flags &= ~TIFF_MYBUFFER;
> +-		if ( td->td_stripoffset[strip] + bytecount >
> tif->tif_size) {
> ++		/*
> ++		 * This sanity check could potentially overflow,
> causing an OOB read.
> ++		 * verify that offset + bytecount is > offset.
> ++		 * -- taviso@google.com 14 Jun 2006
> ++		 */
> ++		if ( td->td_stripoffset[strip] + bytecount >
> tif->tif_size ||
> ++			bytecount > (UINT_MAX -
> td->td_stripoffset[strip])) {
> + 			/*
> + 			 * This error message might seem strange, but it's
> + 			 * what would happen if a read were done instead.
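Review bot: the overflow guard `bytecount > (UINT_MAX - td->td_stripoffset[strip])` is the second operand of the `||`, so the sum `td->td_stripoffset[strip] + bytecount` it protects is still evaluated first. Unsigned wrap is defined, so this is not undefined behaviour, but putting the guard first reads as intended and short-circuits the wrapped comparison. `UINT_MAX` also hard-codes the assumption that the offset and `bytecount` are 32-bit unsigned; if either type is wider than `unsigned int` the bound is wrong. A width-independent form is to check `td->td_stripoffset[strip] <= tif->tif_size` and then `bytecount > tif->tif_size - td->td_stripoffset[strip]`.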
> +@@ -470,7 +478,13 @@
> + 		if ((tif->tif_flags & TIFF_MYBUFFER) &&
> tif->tif_rawdata)
> + 			_TIFFfree(tif->tif_rawdata);
> + 		tif->tif_flags &= ~TIFF_MYBUFFER;
> +-		if ( td->td_stripoffset[tile] + bytecount >
> tif->tif_size) {
> ++		/*
> ++		 * We must check this calculation doesnt overflow,
> potentially
> ++		 * causing an OOB read.
> ++		 * -- taviso@google.com 15 Jun 2006
> ++		 */
> ++		if (td->td_stripoffset[tile] + bytecount >
> tif->tif_size ||
> ++			bytecount > (UINT_MAX -
> td->td_stripoffset[tile])) {
> + 			tif->tif_curtile = NOTILE;
> + 			return (0);
> + 		}
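Review bot: the tile path applies the same guard as the strip path but fails silently: the strip version above is followed by the `This error message might seem strange` comment and a diagnostic, whereas here the block only sets `tif->tif_curtile = NOTILE` and returns 0. Add a matching `TIFFErrorExt` so a tile whose offset plus `bytecount` wraps or exceeds `tif->tif_size` is reported rather than just skipped. The remarks on evaluating the guard before the sum and on the 32-bit assumption behind `UINT_MAX` apply here too.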
> Index: files/patch-tiff2pdf.1
> ===================================================================
> RCS file: files/patch-tiff2pdf.1
> diff -N files/patch-tiff2pdf.1
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tiff2pdf.1	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,34 @@
> +--- man/tiff2pdf.1.orig	2008-08-17 13:03:49.046994376
> -0400
> ++++ man/tiff2pdf.1	2008-08-17 13:03:52.522727821 -0400
> +@@ -207,18 +207,14 @@
> + The following example would generate the file output.pdf
> from input.tiff.
> + .PP
> + .RS
> +-.NF
> +-tiff2pdf -o output.pdf input.tiff
> +-.FI
> ++\f(CWtiff2pdf -o output.pdf input.tiff\fP
> + .RE
> + .PP
> + The following example would generate PDF output from
> input.tiff and write it 
> + to standard output.
> + .PP
> + .RS
> +-.NF
> +-tiff2pdf input.tiff
> +-.FI
> ++\f(CWtiff2pdf input.tiff\fP
> + .RE
> + .PP
> + The following example would generate the file output.pdf
> from input.tiff, 
> +@@ -227,9 +223,7 @@
> + the "Fit Window" option.
> + .PP
> + .RS
> +-.NF
> +-tiff2pdf -p letter -j -q 75 -t "Document" -f -o
> output.pdf input.tiff
> +-.FI
> ++\f(CWtiff2pdf -p letter -j -q 75 -t
> "Document" -f -o output.pdf input.tiff\f)
> + .RE
> + .SH BUGS
> + Please report bugs via the web interface at 
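Review bot: the replacement line ends in `\f)` where the two earlier hunks in this file use `\fP` to return to the previous font. `\f)` is not a font-restore escape, so troff will not switch back out of the constant-width `CW` font after the command. Change it to `\fP`.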
> Index: files/patch-tiff2pdf.c
> ===================================================================
> RCS file: files/patch-tiff2pdf.c
> diff -N files/patch-tiff2pdf.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tiff2pdf.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,13 @@
> +CVE-2006-2193
> +===================================================================
> +--- tools/tiff2pdf.c.orig	2006-06-04 18:26:40.000000000
> -0700
> ++++ tools/tiff2pdf.c	2006-06-04 18:27:22.000000000 -0700
> +@@ -3668,7 +3668,7 @@
> + 	written += TIFFWriteFile(output, (tdata_t)
> "(", 1);
> + 	for (i=0;i<len;i++){
> + 		if((pdfstr[i]&0x80) || (pdfstr[i]==127) ||
> (pdfstr[i]<32)){
> +-			sprintf(buffer, "\\%.3o",
> pdfstr[i]);
> ++			snprintf(buffer, sizeof(buffer),
> "\\%.3o", pdfstr[i]);
> + 			written += TIFFWriteFile(output, (tdata_t) buffer, 4);
> + 		} else {
> + 			switch (pdfstr[i]){
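Review bot: `snprintf(buffer, sizeof(buffer), "\\%.3o", pdfstr[i])` removes the unbounded `sprintf`, but the unchanged `TIFFWriteFile(output, (tdata_t) buffer, 4)` that follows still writes exactly four bytes, so it assumes the escape is always `\` plus three octal digits. The `pdfstr[i]&0x80` test explicitly admits bytes with the high bit set; if `pdfstr` is a plain `char` array on a signed-`char` platform those values are sign-extended before `%.3o` formats them, the formatted text is far longer than four characters, and the write emits a truncated, wrong escape. Pass `(unsigned char) pdfstr[i]` so the formatted value is always in 0..377 octal.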
> Index: files/patch-tiff2ps.1
> ===================================================================
> RCS file: files/patch-tiff2ps.1
> diff -N files/patch-tiff2ps.1
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tiff2ps.1	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,142 @@
> +--- man/tiff2ps.1.orig	2008-08-17 13:03:49.050994382 -0400
> ++++ man/tiff2ps.1	2008-08-17 13:03:52.522727821 -0400
> +@@ -27,7 +27,7 @@
> + .SH NAME
> + tiff2ps \- convert a
> + .SM TIFF
> +-image to \*(Ps\(tm
> ++image to PostScript\(tm
> + .SH SYNOPSIS
> + .B tiff2ps
> + [
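Review bot: substituting the literal `PostScript` for every `\*(Ps` fixes the undefined string register, but it touches every hunk in this file. Defining the register once near the top of the page (`.ds Ps PostScript`) would give the same rendered output as a one-line change and keep the port patch small and easy to drop once upstream fixes it.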
> +@@ -38,17 +38,17 @@
> + .I tiff2ps
> + reads
> + .SM TIFF
> +-images and writes \*(Ps or Encapsulated \*(Ps
> (EPS)
> ++images and writes PostScript or Encapsulated PostScript
> (EPS)
> + on the standard output.
> + By default,
> + .I tiff2ps
> +-writes Encapsulated \*(Ps for the first image in the
> specified
> ++writes Encapsulated PostScript for the first image in the
> specified
> + .SM TIFF
> + image file.
> + .PP
> + By default,
> + .I tiff2ps
> +-will generate \*(Ps that fills a printed area
> specified
> ++will generate PostScript that fills a printed area
> specified
> + by the 
> + .SM TIFF
> + tags in the input file.
> +@@ -67,22 +67,22 @@
> + .SM TIFF
> + tags.
> + .PP
> +-The \*(Ps generated for
> ++The PostScript generated for
> + .SM RGB,
> + palette, and
> + .SM CMYK
> + images uses the
> + .I colorimage
> + operator.
> +-The \*(Ps generated for
> ++The PostScript generated for
> + greyscale and bilevel images
> + uses the
> + .I image
> + operator.
> + When the
> + .I colorimage
> +-operator is used, \*(Ps code to emulate this operator
> +-on older \*(Ps printers is also generated.
> ++operator is used, PostScript code to emulate this
> operator
> ++on older PostScript printers is also generated.
> + Note that this emulation code can be very slow.
> + .PP
> + Color images with associated alpha data are composited
> over
> +@@ -90,13 +90,13 @@
> + .SH OPTIONS
> + .TP
> + .B \-1
> +-Generate \*(Ps Level 1 (the default).
> ++Generate PostScript Level 1 (the default).
> + .TP
> + .B \-2
> +-Generate \*(Ps Level 2.
> ++Generate PostScript Level 2.
> + .TP
> + .B \-3
> +-Generate \*(Ps Level 3. It basically allows one to
> use the /flateDecode
> ++Generate PostScript Level 3. It basically allows one to
> use the /flateDecode
> + filter for ZIP compressed TIFF images.
> + .TP
> + .B \-a
> +@@ -119,7 +119,7 @@
> + multi-page (e.g. facsimile) file.
> + .TP
> + .B \-e
> +-Force the generation of Encapsulated \*(Ps (implies
> -z).
> ++Force the generation of Encapsulated PostScript (implies
> -z).
> + .TP
> + .B \-h
> + Specify the vertical size of the printed area (in
> inches).
> +@@ -148,7 +148,7 @@
> + .B \-m
> + Where possible render using the
> + .B imagemask
> +-\*(Ps operator instead of the image operator.  When
> this option is specified
> ++PostScript operator instead of the image operator.  When
> this option is specified
> + .I tiff2ps
> + will use
> + .B imagemask
> +@@ -166,7 +166,7 @@
> + like which are hidden using the SubIFD tag.
> + .TP
> + .B \-p
> +-Force the generation of (non-Encapsulated) \*(Ps.
> ++Force the generation of (non-Encapsulated) PostScript.
> + .TP
> + .B \-r
> + Rotate image by 180 degrees.
> +@@ -184,15 +184,15 @@
> + Override resolution units specified in the TIFF as
> inches.
> + .TP
> + .B \-z
> +-When generating \*(Ps Level 2, data is scaled so that
> it does not
> ++When generating PostScript Level 2, data is scaled so
> that it does not
> + image into the 
> + .I deadzone
> + on a page (the outer margin that the printing device is
> unable to mark).
> + This option suppresses this behavior.
> +-When \*(Ps Level 1 is generated, data is imaged to
> the entire printed
> ++When PostScript Level 1 is generated, data is imaged to
> the entire printed
> + page and this option has no affect.
> + .SH EXAMPLES
> +-The following generates \*(Ps Level 2 for all pages
> of a facsimile:
> ++The following generates PostScript Level 2 for all pages
> of a facsimile:
> + .RS
> + .nf
> + tiff2ps -a2 fax.tif | lpr
> +@@ -201,7 +201,7 @@
> + Note also that if you have version 2.6.1 or newer of
> Ghostscript then you
> + can efficiently preview facsimile generated with the
> above command.
> + .PP
> +-To generate Encapsulated \*(Ps for a the image at
> directory 2
> ++To generate Encapsulated PostScript for a the image at
> directory 2
> + of an image use:
> + .RS
> + .nf
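Review bot: the rewritten line keeps the pre-existing typo `for a the image at directory 2`; since the line is being replaced anyway, drop the stray `a`.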
> +@@ -228,8 +228,8 @@
> + .B \-L.5
> + option says to repeat a half inch on the next page (to
> improve readability).
> + .SH BUGS
> +-Because \*(Ps does not support the notion of a
> colormap,
> +-8-bit palette images produce 24-bit \*(Ps images.
> ++Because PostScript does not support the notion of a
> colormap,
> ++8-bit palette images produce 24-bit PostScript images.
> + This conversion results in output that is six times
> + bigger than the original image and which takes a long
> time
> + to send to a printer over a serial line.
> Index: files/patch-tiffcmp.1
> ===================================================================
> RCS file: files/patch-tiffcmp.1
> diff -N files/patch-tiffcmp.1
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tiffcmp.1	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,11 @@
> +--- man/tiffcmp.1.orig	2008-08-17 13:03:49.062994301 -0400
> ++++ man/tiffcmp.1	2008-08-17 13:03:52.522727821 -0400
> +@@ -77,7 +77,7 @@
> + in some exotic cases. 
> + .SH "SEE ALSO"
> + .BR pal2rgb (1),
> +-.bR tiffinfo (1),
> ++.BR tiffinfo (1),
> + .BR tiffcp (1),
> + .BR tiffmedian (1),
> + .BR libtiff (3TIFF)
> Index: files/patch-tiffsplit.1
> ===================================================================
> RCS file: files/patch-tiffsplit.1
> diff -N files/patch-tiffsplit.1
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tiffsplit.1	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,11 @@
> +--- man/tiffsplit.1.orig	2008-08-17 13:03:49.070994233
> -0400
> ++++ man/tiffsplit.1	2008-08-17 13:03:52.522727821 -0400
> +@@ -50,7 +50,7 @@
> + (e.g. 
> + .IR xaaa.tif ,
> + .IR xaab.tif ,
> +-\...
> ++.IR ... ,
> + .IR xzzz.tif ).
> + If a prefix is not specified on the command line,
> + the default prefix of
> Index: files/patch-tiffsplit.c
> ===================================================================
> RCS file: files/patch-tiffsplit.c
> diff -N files/patch-tiffsplit.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ files/patch-tiffsplit.c	17 Sep 2008 19:25:42 -0000
> @@ -0,0 +1,21 @@
> +CVE-2006-2656
> +===================================================================
> +--- tools/tiffsplit.c.orig	2008-08-17 13:03:49.014994263
> -0400
> ++++ tools/tiffsplit.c	2008-08-17 13:03:52.726994578 -0400
> +@@ -61,14 +61,13 @@
> + 		return (-3);
> + 	}
> + 	if (argc > 2)
> +-		strcpy(fname, argv[2]);
> ++		snprintf(fname, sizeof(fname), "%s",
> argv[2]);
> + 	in = TIFFOpen(argv[1], "r");
> + 	if (in != NULL) {
> + 		do {
> + 			char path[1024+1];
> + 			newfilename();
> +-			strcpy(path, fname);
> +-			strcat(path, ".tif");
> ++			snprintf(path, sizeof(path), "%s.tif",
> fname);
> + 			out = TIFFOpen(path,
> TIFFIsBigEndian(in)?"wb":"wl");
> + 			if (out == NULL)
> + 				return (-2);
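Review bot: `snprintf(fname, sizeof(fname), "%s", argv[2])` and `snprintf(path, sizeof(path), "%s.tif", fname)` bound the copies that `strcpy`/`strcat` did not, but both truncate silently when `argv[2]` is longer than `fname` or the `.tif` suffix no longer fits in `path[1024+1]`; the tool then writes to a differently named file without saying so. Check each `snprintf` return value against the buffer size and bail out with a message, as the existing `return (-2)` does for a failed `TIFFOpen`.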
Comment 4 bf 2008-09-18 05:46:57 UTC
I should also mention that there are changes in other libtiff packages/
ports that you may wish to consider for FreeBSD. Gentoo has a modification
that supports tiffs with jbig2 compression (present in some newer versions
of libtiff), and Debian has backported the tiff2pdf present in tiff 4.0 to
correct some bugs in the version found in 3.8.x. (I see that at least one
person has encountered problems with tiff2pdf and has filed a PR.)

Regards,
          b.
Comment 5 dfilter service freebsd_committer 2008-09-20 08:33:25 UTC
dinoex      2008-09-20 07:33:20 UTC

  FreeBSD ports repository

  Modified files:
    graphics/tiff        Makefile 
  Added files:
    graphics/tiff/files  patch-TIFFClose.3tiff patch-fax2ps.1 
                         patch-raw2tiff.1 patch-tif_dir.c 
                         patch-tif_dirinfo.c patch-tif_dirread.c 
                         patch-tif_fax3.c patch-tif_jpeg.c 
                         patch-tif_lzw.c patch-tif_next.c 
                         patch-tif_pixarlog.c patch-tif_print.c 
                         patch-tif_read.c patch-tiff2pdf.1 
                         patch-tiff2pdf.c patch-tiff2ps.1 
                         patch-tiffcmp.1 patch-tiffsplit.1 
                         patch-tiffsplit.c 
  Log:
  - add Security patches
  - fix missing macro in manpages
  - add regression test
  Security: CVE-2006-2193
  Security: CVE-2006-2327
  Security: CVE-2006-2656
  Security: CVE-2006-3459
  Security: CVE-2006-3460
  Security: CVE-2006-3461
  Security: CVE-2006-3462
  Security: CVE-2006-3463
  Security: CVE-2006-3464
  Security: CVE-2006-3465
  Security: CVE-2008-2327
  PR:             127434
  Submitted by:   <bf2006a@yahoo.com>
  Obtained From:  Gentoo,Debian
  Approved by:    portmgr (marcus)
  
  Revision  Changes    Path
  1.66      +4 -1      ports/graphics/tiff/Makefile
  1.1       +11 -0     ports/graphics/tiff/files/patch-TIFFClose.3tiff (new)
  1.1       +74 -0     ports/graphics/tiff/files/patch-fax2ps.1 (new)
  1.1       +11 -0     ports/graphics/tiff/files/patch-raw2tiff.1 (new)
  1.1       +94 -0     ports/graphics/tiff/files/patch-tif_dir.c (new)
  1.1       +24 -0     ports/graphics/tiff/files/patch-tif_dirinfo.c (new)
  1.1       +321 -0    ports/graphics/tiff/files/patch-tif_dirread.c (new)
  1.1       +27 -0     ports/graphics/tiff/files/patch-tif_fax3.c (new)
  1.1       +121 -0    ports/graphics/tiff/files/patch-tif_jpeg.c (new)
  1.1       +60 -0     ports/graphics/tiff/files/patch-tif_lzw.c (new)
  1.1       +22 -0     ports/graphics/tiff/files/patch-tif_next.c (new)
  1.1       +25 -0     ports/graphics/tiff/files/patch-tif_pixarlog.c (new)
  1.1       +13 -0     ports/graphics/tiff/files/patch-tif_print.c (new)
  1.1       +43 -0     ports/graphics/tiff/files/patch-tif_read.c (new)
  1.1       +34 -0     ports/graphics/tiff/files/patch-tiff2pdf.1 (new)
  1.1       +13 -0     ports/graphics/tiff/files/patch-tiff2pdf.c (new)
  1.1       +142 -0    ports/graphics/tiff/files/patch-tiff2ps.1 (new)
  1.1       +11 -0     ports/graphics/tiff/files/patch-tiffcmp.1 (new)
  1.1       +11 -0     ports/graphics/tiff/files/patch-tiffsplit.1 (new)
  1.1       +21 -0     ports/graphics/tiff/files/patch-tiffsplit.c (new)
Comment 6 Dirk Meyer freebsd_committer 2008-09-20 14:43:55 UTC
State Changed
From-To: open->closed

committed, thanks.