[package] update tiff to 3.9.2 (#6316)
authorFlorian Fainelli <florian@openwrt.org>
Mon, 7 Dec 2009 23:39:24 +0000 (23:39 +0000)
committerFlorian Fainelli <florian@openwrt.org>
Mon, 7 Dec 2009 23:39:24 +0000 (23:39 +0000)
SVN-Revision: 18686

libs/tiff/Makefile
libs/tiff/patches/901-cve-2006-3459-3465.patch [deleted file]
libs/tiff/patches/902-cve-2008-2327.patch [deleted file]
libs/tiff/patches/903-cve-2009-2285.patch [deleted file]
libs/tiff/patches/904-cve-2009-2347.patch [deleted file]

index 597a7e2..252eb5b 100644 (file)
@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tiff
-PKG_VERSION:=3.8.2
-PKG_RELEASE:=3
+PKG_VERSION:=3.9.2
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://libtiff.maptools.org/dl/
-PKG_MD5SUM:=fbb6f446ea4ed18955e2714934e5b698
+PKG_SOURCE_URL:=http://download.osgeo.org/libtiff
+PKG_MD5SUM:=93e56e421679c591de7552db13384cb8
 PKG_FIXUP:=libtool
 
 include $(INCLUDE_DIR)/package.mk
@@ -59,7 +59,7 @@ endef
 
 define Package/tiff-utils/install
        $(INSTALL_DIR) $(1)/usr/bin
-       $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
 endef
 
 $(eval $(call BuildPackage,libtiff))
diff --git a/libs/tiff/patches/901-cve-2006-3459-3465.patch b/libs/tiff/patches/901-cve-2006-3459-3465.patch
deleted file mode 100644 (file)
index be07ed2..0000000
+++ /dev/null
@@ -1,664 +0,0 @@
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
-
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -122,6 +122,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
- {
-       static const char module[] = "_TIFFVSetField";
-       
-+      const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
-       TIFFDirectory* td = &tif->tif_dir;
-       int status = 1;
-       uint32 v32, i, v;
-@@ -195,10 +196,12 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
-               break;
-       case TIFFTAG_ORIENTATION:
-               v = va_arg(ap, uint32);
-+              const TIFFFieldInfo* fip;
-               if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
-+                      fip = _TIFFFieldWithTag(tif, tag);
-                       TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
-                           "Bad value %lu for \"%s\" tag ignored",
--                          v, _TIFFFieldWithTag(tif, tag)->field_name);
-+                          v, fip ? fip->field_name : "Unknown");
-               } else
-                       td->td_orientation = (uint16) v;
-               break;
-@@ -387,11 +390,15 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
-            * happens, for example, when tiffcp is used to convert between
-            * compression schemes and codec-specific tags are blindly copied.
-              */
-+          /* 
-+           * better not dereference fip if it is NULL.
-+           * -- taviso@google.com 15 Jun 2006
-+           */
-             if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
-               TIFFErrorExt(tif->tif_clientdata, module,
-                   "%s: Invalid %stag \"%s\" (not supported by codec)",
-                   tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
--                  _TIFFFieldWithTag(tif, tag)->field_name);
-+                  fip ? fip->field_name : "Unknown");
-               status = 0;
-               break;
-             }
-@@ -468,7 +475,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
-           if (fip->field_type == TIFF_ASCII)
-                   _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
-           else {
--                tv->value = _TIFFmalloc(tv_size * tv->count);
-+                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
-               if (!tv->value) {
-                   status = 0;
-                   goto end;
-@@ -563,7 +570,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
-           }
-       }
-       if (status) {
--              TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+              TIFFSetFieldBit(tif, fip->field_bit);
-               tif->tif_flags |= TIFF_DIRTYDIRECT;
-       }
-@@ -572,12 +579,12 @@ end:
-       return (status);
- badvalue:
-       TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
--                tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
-+                tif->tif_name, v, fip ? fip->field_name : "Unknown");
-       va_end(ap);
-       return (0);
- badvalue32:
-       TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
--                 tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
-+                 tif->tif_name, v32, fip ? fip->field_name : "Unknown");
-       va_end(ap);
-       return (0);
- }
-@@ -813,12 +820,16 @@ _TIFFVGetField(TIFF* tif, ttag_t tag, va
-              * If the client tries to get a tag that is not valid
-              * for the image's codec then we'll arrive here.
-              */
-+          /*
-+           * dont dereference fip if it's NULL.
-+           * -- taviso@google.com 15 Jun 2006
-+           */
-             if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
-             {
-                               TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
-                           "%s: Invalid %stag \"%s\" (not supported by codec)",
-                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
--                          _TIFFFieldWithTag(tif, tag)->field_name);
-+                          fip ? fip->field_name : "Unknown");
-                 ret_val = 0;
-                 break;
-             }
---- a/libtiff/tif_dirinfo.c
-+++ b/libtiff/tif_dirinfo.c
-@@ -775,7 +775,8 @@ _TIFFFieldWithTag(TIFF* tif, ttag_t tag)
-               TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
-                         "Internal error, unknown tag 0x%x",
-                           (unsigned int) tag);
--              assert(fip != NULL);
-+              /* assert(fip != NULL); */
-+
-               /*NOTREACHED*/
-       }
-       return (fip);
-@@ -789,7 +790,8 @@ _TIFFFieldWithName(TIFF* tif, const char
-       if (!fip) {
-               TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
-                         "Internal error, unknown tag %s", field_name);
--              assert(fip != NULL);
-+              /* assert(fip != NULL); */
-+              
-               /*NOTREACHED*/
-       }
-       return (fip);
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -29,6 +29,9 @@
-  *
-  * Directory Read Support Routines.
-  */
-+
-+#include <limits.h>
-+
- #include "tiffiop.h"
- #define       IGNORE  0               /* tag placeholder used below */
-@@ -81,6 +84,7 @@ TIFFReadDirectory(TIFF* tif)
-       uint16 dircount;
-       toff_t nextdiroff;
-       int diroutoforderwarning = 0;
-+      int compressionknown = 0;
-       toff_t* new_dirlist;
-       tif->tif_diroff = tif->tif_nextdiroff;
-@@ -147,13 +151,20 @@ TIFFReadDirectory(TIFF* tif)
-       } else {
-               toff_t off = tif->tif_diroff;
--              if (off + sizeof (uint16) > tif->tif_size) {
--                      TIFFErrorExt(tif->tif_clientdata, module,
--                          "%s: Can not read TIFF directory count",
--                            tif->tif_name);
--                      return (0);
-+              /*
-+               * Check for integer overflow when validating the dir_off, otherwise
-+               * a very high offset may cause an OOB read and crash the client.
-+               * -- taviso@google.com, 14 Jun 2006.
-+               */
-+              if (off + sizeof (uint16) > tif->tif_size || 
-+                      off > (UINT_MAX - sizeof(uint16))) {
-+                              TIFFErrorExt(tif->tif_clientdata, module,
-+                                  "%s: Can not read TIFF directory count",
-+                                  tif->tif_name);
-+                              return (0);
-               } else
--                      _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
-+                      _TIFFmemcpy(&dircount, tif->tif_base + off,
-+                                      sizeof (uint16));
-               off += sizeof (uint16);
-               if (tif->tif_flags & TIFF_SWAB)
-                       TIFFSwabShort(&dircount);
-@@ -254,6 +265,7 @@ TIFFReadDirectory(TIFF* tif)
-               while (fix < tif->tif_nfields &&
-                      tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
-                       fix++;
-+
-               if (fix >= tif->tif_nfields ||
-                   tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
-@@ -264,17 +276,23 @@ TIFFReadDirectory(TIFF* tif)
-                                                      dp->tdir_tag,
-                                                      dp->tdir_tag,
-                                                      dp->tdir_type);
--
--                    TIFFMergeFieldInfo(tif,
--                                       _TIFFCreateAnonFieldInfo(tif,
--                                              dp->tdir_tag,
--                                              (TIFFDataType) dp->tdir_type),
--                                     1 );
-+                                      /*
-+                                       * creating anonymous fields prior to knowing the compression
-+                                       * algorithm (ie, when the field info has been merged) could cause
-+                                       * crashes with pathological directories.
-+                                       * -- taviso@google.com 15 Jun 2006
-+                                       */
-+                                      if (compressionknown)
-+                                          TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
-+                                              (TIFFDataType) dp->tdir_type), 1 );
-+                                      else goto ignore;
-+                  
-                     fix = 0;
-                     while (fix < tif->tif_nfields &&
-                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
-                       fix++;
-               }
-+              
-               /*
-                * Null out old tags that we ignore.
-                */
-@@ -326,6 +344,7 @@ TIFFReadDirectory(TIFF* tif)
-                                   dp->tdir_type, dp->tdir_offset);
-                               if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
-                                       goto bad;
-+                              else compressionknown++;
-                               break;
-                       /* XXX: workaround for broken TIFFs */
-                       } else if (dp->tdir_type == TIFF_LONG) {
-@@ -540,6 +559,7 @@ TIFFReadDirectory(TIFF* tif)
-        * Attempt to deal with a missing StripByteCounts tag.
-        */
-       if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
-+              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
-               /*
-                * Some manufacturers violate the spec by not giving
-                * the size of the strips.  In this case, assume there
-@@ -556,7 +576,7 @@ TIFFReadDirectory(TIFF* tif)
-                       "%s: TIFF directory is missing required "
-                       "\"%s\" field, calculating from imagelength",
-                       tif->tif_name,
--                      _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+                      fip ? fip->field_name : "Unknown");
-               if (EstimateStripByteCounts(tif, dir, dircount) < 0)
-                   goto bad;
- /* 
-@@ -580,6 +600,7 @@ TIFFReadDirectory(TIFF* tif)
-       } else if (td->td_nstrips == 1 
-                    && td->td_stripoffset[0] != 0 
-                    && BYTECOUNTLOOKSBAD) {
-+              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
-               /*
-                * XXX: Plexus (and others) sometimes give a value of zero for
-                * a tag when they don't know what the correct value is!  Try
-@@ -589,13 +610,14 @@ TIFFReadDirectory(TIFF* tif)
-               TIFFWarningExt(tif->tif_clientdata, module,
-       "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
-                             tif->tif_name,
--                          _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+                          fip ? fip->field_name : "Unknown");
-               if(EstimateStripByteCounts(tif, dir, dircount) < 0)
-                   goto bad;
-       } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
-                  && td->td_nstrips > 2
-                  && td->td_compression == COMPRESSION_NONE
-                  && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
-+              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
-               /*
-                * XXX: Some vendors fill StripByteCount array with absolutely
-                * wrong values (it can be equal to StripOffset array, for
-@@ -604,7 +626,7 @@ TIFFReadDirectory(TIFF* tif)
-               TIFFWarningExt(tif->tif_clientdata, module,
-       "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
-                             tif->tif_name,
--                          _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+                          fip ? fip->field_name : "Unknown");
-               if (EstimateStripByteCounts(tif, dir, dircount) < 0)
-                   goto bad;
-       }
-@@ -870,7 +892,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
-       register TIFFDirEntry *dp;
-       register TIFFDirectory *td = &tif->tif_dir;
--      uint16 i;
-+      
-+      /* i is used to iterate over td->td_nstrips, so must be
-+       * at least the same width.
-+       * -- taviso@google.com 15 Jun 2006
-+       */
-+
-+      uint32 i;
-       if (td->td_stripbytecount)
-               _TIFFfree(td->td_stripbytecount);
-@@ -947,16 +975,18 @@ MissingRequired(TIFF* tif, const char* t
- static int
- CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
- {
-+      const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+
-       if (count > dir->tdir_count) {
-               TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
-       "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
--                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+                  fip ? fip->field_name : "Unknown",
-                   dir->tdir_count, count);
-               return (0);
-       } else if (count < dir->tdir_count) {
-               TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
-       "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
--                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+                  fip ? fip->field_name : "Unknown",
-                   dir->tdir_count, count);
-               return (1);
-       }
-@@ -970,6 +1000,7 @@ static tsize_t
- TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
- {
-       int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
-+      const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-       tsize_t cc = dir->tdir_count * w;
-       /* Check for overflow. */
-@@ -1013,7 +1044,7 @@ TIFFFetchData(TIFF* tif, TIFFDirEntry* d
- bad:
-       TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                    "Error fetching data for field \"%s\"",
--                   _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+                   fip ? fip->field_name : "Unknown");
-       return (tsize_t) 0;
- }
-@@ -1039,10 +1070,12 @@ TIFFFetchString(TIFF* tif, TIFFDirEntry*
- static int
- cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
- {
-+      const TIFFFieldInfo* fip;
-       if (denom == 0) {
-+              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                   "%s: Rational with zero denominator (num = %lu)",
--                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
-+                  fip ? fip->field_name : "Unknown", num);
-               return (0);
-       } else {
-               if (dir->tdir_type == TIFF_RATIONAL)
-@@ -1159,6 +1192,20 @@ TIFFFetchShortArray(TIFF* tif, TIFFDirEn
- static int
- TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
- {
-+      /*
-+       * Prevent overflowing the v stack arrays below by performing a sanity
-+       * check on tdir_count, this should never be greater than two.
-+       * -- taviso@google.com 14 Jun 2006.
-+       */
-+      if (dir->tdir_count > 2) {
-+              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+              TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
-+                              "unexpected count for field \"%s\", %lu, expected 2; ignored.",
-+                              fip ? fip->field_name : "Unknown",
-+                              dir->tdir_count);
-+              return 0;
-+      }
-+
-       switch (dir->tdir_type) {
-               case TIFF_BYTE:
-               case TIFF_SBYTE:
-@@ -1329,14 +1376,15 @@ TIFFFetchAnyArray(TIFF* tif, TIFFDirEntr
-       case TIFF_DOUBLE:
-               return (TIFFFetchDoubleArray(tif, dir, (double*) v));
-       default:
-+              { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-               /* TIFF_NOTYPE */
-               /* TIFF_ASCII */
-               /* TIFF_UNDEFINED */
-               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                            "cannot read TIFF_ANY type %d for field \"%s\"",
-                            dir->tdir_type,
--                           _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
--              return (0);
-+                           fip ? fip->field_name : "Unknown");
-+              return (0); }
-       }
-       return (1);
- }
-@@ -1351,6 +1399,9 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt
-       int ok = 0;
-       const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
-+      if (fip == NULL) {
-+              return (0);
-+      }
-       if (dp->tdir_count > 1) {               /* array of values */
-               char* cp = NULL;
-@@ -1493,6 +1544,7 @@ static int
- TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
- {
-     uint16 samples = tif->tif_dir.td_samplesperpixel;
-+    const TIFFFieldInfo* fip;
-     int status = 0;
-     if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1510,9 +1562,10 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFF
-             for (i = 1; i < check_count; i++)
-                 if (v[i] != v[0]) {
-+                              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-                                       TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                               "Cannot handle different per-sample values for field \"%s\"",
--                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+                              fip ? fip->field_name : "Unknown");
-                     goto bad;
-                 }
-             *pl = v[0];
-@@ -1534,6 +1587,7 @@ static int
- TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
- {
-     uint16 samples = tif->tif_dir.td_samplesperpixel;
-+    const TIFFFieldInfo* fip;
-     int status = 0;
-     if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1551,9 +1605,10 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFD
-                 check_count = samples;
-             for (i = 1; i < check_count; i++)
-                 if (v[i] != v[0]) {
-+                              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-                                       TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                               "Cannot handle different per-sample values for field \"%s\"",
--                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+                              fip ? fip->field_name : "Unknown");
-                     goto bad;
-                 }
-             *pl = v[0];
-@@ -1574,6 +1629,7 @@ static int
- TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
- {
-     uint16 samples = tif->tif_dir.td_samplesperpixel;
-+    const TIFFFieldInfo* fip;
-     int status = 0;
-     if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1591,9 +1647,10 @@ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDi
-             for (i = 1; i < check_count; i++)
-                 if (v[i] != v[0]) {
-+                  fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-                     TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                               "Cannot handle different per-sample values for field \"%s\"",
--                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+                              fip ? fip->field_name : "Unknown");
-                     goto bad;
-                 }
-             *pl = v[0];
---- a/libtiff/tif_fax3.c
-+++ b/libtiff/tif_fax3.c
-@@ -1136,6 +1136,7 @@ static int
- Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
- {
-       Fax3BaseState* sp = Fax3State(tif);
-+      const TIFFFieldInfo* fip;
-       assert(sp != 0);
-       assert(sp->vsetparent != 0);
-@@ -1181,7 +1182,13 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_
-       default:
-               return (*sp->vsetparent)(tif, tag, ap);
-       }
--      TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+      
-+      if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+              TIFFSetFieldBit(tif, fip->field_bit);
-+      } else {
-+              return (0);
-+      }
-+
-       tif->tif_flags |= TIFF_DIRTYDIRECT;
-       return (1);
- }
---- a/libtiff/tif_jpeg.c
-+++ b/libtiff/tif_jpeg.c
-@@ -722,15 +722,31 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
-               segment_width = TIFFhowmany(segment_width, sp->h_sampling);
-               segment_height = TIFFhowmany(segment_height, sp->v_sampling);
-       }
--      if (sp->cinfo.d.image_width != segment_width ||
--          sp->cinfo.d.image_height != segment_height) {
-+      if (sp->cinfo.d.image_width < segment_width ||
-+          sp->cinfo.d.image_height < segment_height) {
-               TIFFWarningExt(tif->tif_clientdata, module,
-                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
-                           segment_width, 
-                           segment_height,
-                           sp->cinfo.d.image_width, 
-                           sp->cinfo.d.image_height);
-+      } 
-+      
-+      if (sp->cinfo.d.image_width > segment_width ||
-+                      sp->cinfo.d.image_height > segment_height) {
-+              /*
-+               * This case could be dangerous, if the strip or tile size has been
-+               * reported as less than the amount of data jpeg will return, some
-+               * potential security issues arise. Catch this case and error out.
-+               * -- taviso@google.com 14 Jun 2006
-+               */
-+              TIFFErrorExt(tif->tif_clientdata, module, 
-+                      "JPEG strip/tile size exceeds expected dimensions,"
-+                      "expected %dx%d, got %dx%d", segment_width, segment_height,
-+                      sp->cinfo.d.image_width, sp->cinfo.d.image_height);
-+              return (0);
-       }
-+
-       if (sp->cinfo.d.num_components !=
-           (td->td_planarconfig == PLANARCONFIG_CONTIG ?
-            td->td_samplesperpixel : 1)) {
-@@ -761,6 +777,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
-                                     sp->cinfo.d.comp_info[0].v_samp_factor,
-                                     sp->h_sampling, sp->v_sampling);
-+                              /*
-+                               * There are potential security issues here for decoders that
-+                               * have already allocated buffers based on the expected sampling
-+                               * factors. Lets check the sampling factors dont exceed what
-+                               * we were expecting.
-+                               * -- taviso@google.com 14 June 2006
-+                               */
-+                              if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
-+                                      sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
-+                                              TIFFErrorExt(tif->tif_clientdata, module,
-+                                                      "Cannot honour JPEG sampling factors that"
-+                                                      " exceed those specified.");
-+                                              return (0);
-+                              }
-+
-+
-                           /*
-                            * XXX: Files written by the Intergraph software
-                            * has different sampling factors stored in the
-@@ -1521,15 +1553,18 @@ JPEGCleanup(TIFF* tif)
- {
-       JPEGState *sp = JState(tif);
-       
--      assert(sp != 0);
-+      /* assert(sp != 0); */
-       tif->tif_tagmethods.vgetfield = sp->vgetparent;
-       tif->tif_tagmethods.vsetfield = sp->vsetparent;
--      if( sp->cinfo_initialized )
--          TIFFjpeg_destroy(sp);       /* release libjpeg resources */
--      if (sp->jpegtables)             /* tag value */
--              _TIFFfree(sp->jpegtables);
-+      if (sp != NULL) {
-+              if( sp->cinfo_initialized )
-+                  TIFFjpeg_destroy(sp);       /* release libjpeg resources */
-+              if (sp->jpegtables)             /* tag value */
-+                      _TIFFfree(sp->jpegtables);
-+      }
-+
-       _TIFFfree(tif->tif_data);       /* release local state */
-       tif->tif_data = NULL;
-@@ -1541,6 +1576,7 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
- {
-       JPEGState* sp = JState(tif);
-       TIFFDirectory* td = &tif->tif_dir;
-+      const TIFFFieldInfo* fip;
-       uint32 v32;
-       assert(sp != NULL);
-@@ -1606,7 +1642,13 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
-       default:
-               return (*sp->vsetparent)(tif, tag, ap);
-       }
--      TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+      if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+              TIFFSetFieldBit(tif, fip->field_bit);
-+      } else {
-+              return (0);
-+      }
-+
-       tif->tif_flags |= TIFF_DIRTYDIRECT;
-       return (1);
- }
-@@ -1726,7 +1768,11 @@ JPEGPrintDir(TIFF* tif, FILE* fd, long f
- {
-       JPEGState* sp = JState(tif);
--      assert(sp != NULL);
-+      /* assert(sp != NULL); */
-+      if (sp == NULL) {
-+              TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
-+              return;
-+      }
-       (void) flags;
-       if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
---- a/libtiff/tif_next.c
-+++ b/libtiff/tif_next.c
-@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
-                        * as codes of the form <color><npixels>
-                        * until we've filled the scanline.
-                        */
-+                      /*
-+                       * Ensure the run does not exceed the scanline
-+                       * bounds, potentially resulting in a security issue.
-+                       * -- taviso@google.com 14 Jun 2006.
-+                       */
-                       op = row;
-                       for (;;) {
-                               grey = (n>>6) & 0x3;
-                               n &= 0x3f;
--                              while (n-- > 0)
-+                              while (n-- > 0 && npixels < imagewidth)
-                                       SETPIXEL(op, grey);
-                               if (npixels >= (int) imagewidth)
-                                       break;
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, t
-       if (tif->tif_flags & TIFF_SWAB)
-               TIFFSwabArrayOfShort(up, nsamples);
--      for (i = 0; i < nsamples; i += llen, up += llen) {
-+      /* 
-+       * if llen is not an exact multiple of nsamples, the decode operation
-+       * may overflow the output buffer, so truncate it enough to prevent that
-+       * but still salvage as much data as possible.
-+       * -- taviso@google.com 14th June 2006
-+       */
-+      if (nsamples % llen) 
-+              TIFFWarningExt(tif->tif_clientdata, module,
-+                              "%s: stride %lu is not a multiple of sample count, "
-+                              "%lu, data truncated.", tif->tif_name, llen, nsamples);
-+                              
-+      
-+      for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
-               switch (sp->user_datafmt)  {
-               case PIXARLOGDATAFMT_FLOAT:
-                       horizontalAccumulateF(up, llen, sp->stride,
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -31,6 +31,8 @@
- #include "tiffiop.h"
- #include <stdio.h>
-+#include <limits.h>
-+
-       int TIFFFillStrip(TIFF*, tstrip_t);
-       int TIFFFillTile(TIFF*, ttile_t);
- static        int TIFFStartStrip(TIFF*, tstrip_t);
-@@ -272,7 +274,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip)
-               if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
-                       _TIFFfree(tif->tif_rawdata);
-               tif->tif_flags &= ~TIFF_MYBUFFER;
--              if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
-+              /*
-+               * This sanity check could potentially overflow, causing an OOB read.
-+               * verify that offset + bytecount is > offset.
-+               * -- taviso@google.com 14 Jun 2006
-+               */
-+              if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
-+                      bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
-                       /*
-                        * This error message might seem strange, but it's
-                        * what would happen if a read were done instead.
-@@ -470,7 +478,13 @@ TIFFFillTile(TIFF* tif, ttile_t tile)
-               if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
-                       _TIFFfree(tif->tif_rawdata);
-               tif->tif_flags &= ~TIFF_MYBUFFER;
--              if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
-+              /*
-+               * We must check this calculation doesnt overflow, potentially
-+               * causing an OOB read.
-+               * -- taviso@google.com 15 Jun 2006
-+               */
-+              if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
-+                      bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
-                       tif->tif_curtile = NOTILE;
-                       return (0);
-               }
diff --git a/libs/tiff/patches/902-cve-2008-2327.patch b/libs/tiff/patches/902-cve-2008-2327.patch
deleted file mode 100644 (file)
index 6705b73..0000000
+++ /dev/null
@@ -1,60 +0,0 @@
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2327
-
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -237,6 +237,13 @@ LZWSetupDecode(TIFF* tif)
-                     sp->dec_codetab[code].length = 1;
-                     sp->dec_codetab[code].next = NULL;
-                 } while (code--);
-+                /*
-+                 * Zero-out the unused entries
-+                 */
-+                 _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
-+                 (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
-+
-+
-       }
-       return (1);
- }
-@@ -408,12 +415,20 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
-                       break;
-               if (code == CODE_CLEAR) {
-                       free_entp = sp->dec_codetab + CODE_FIRST;
-+                       _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
-                       nbits = BITS_MIN;
-                       nbitsmask = MAXCODE(BITS_MIN);
-                       maxcodep = sp->dec_codetab + nbitsmask-1;
-                       NextCode(tif, sp, bp, code, GetNextCode);
-                       if (code == CODE_EOI)
-                               break;
-+                       if (code == CODE_CLEAR) {
-+                               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+                               "LZWDecode: Corrupted LZW table at scanline %d",
-+                               tif->tif_row);
-+                               return (0);
-+                       }
-+
-                       *op++ = (char)code, occ--;
-                       oldcodep = sp->dec_codetab + code;
-                       continue;
-@@ -604,12 +619,20 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
-                       break;
-               if (code == CODE_CLEAR) {
-                       free_entp = sp->dec_codetab + CODE_FIRST;
-+                       _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
-                       nbits = BITS_MIN;
-                       nbitsmask = MAXCODE(BITS_MIN);
-                       maxcodep = sp->dec_codetab + nbitsmask;
-                       NextCode(tif, sp, bp, code, GetNextCodeCompat);
-                       if (code == CODE_EOI)
-                               break;
-+                       if (code == CODE_CLEAR) {
-+                               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+                               "LZWDecode: Corrupted LZW table at scanline %d",
-+                               tif->tif_row);
-+                               return (0);
-+                       }
-+
-                       *op++ = code, occ--;
-                       oldcodep = sp->dec_codetab + code;
-                       continue;
diff --git a/libs/tiff/patches/903-cve-2009-2285.patch b/libs/tiff/patches/903-cve-2009-2285.patch
deleted file mode 100644 (file)
index cb917fb..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2285
-
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -422,7 +422,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
-                       NextCode(tif, sp, bp, code, GetNextCode);
-                       if (code == CODE_EOI)
-                               break;
--                       if (code == CODE_CLEAR) {
-+                       if (code >= CODE_CLEAR) {
-                                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                                "LZWDecode: Corrupted LZW table at scanline %d",
-                                tif->tif_row);
-@@ -626,7 +626,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
-                       NextCode(tif, sp, bp, code, GetNextCodeCompat);
-                       if (code == CODE_EOI)
-                               break;
--                       if (code == CODE_CLEAR) {
-+                       if (code >= CODE_CLEAR) {
-                                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                                "LZWDecode: Corrupted LZW table at scanline %d",
-                                tif->tif_row);
diff --git a/libs/tiff/patches/904-cve-2009-2347.patch b/libs/tiff/patches/904-cve-2009-2347.patch
deleted file mode 100644 (file)
index 2ac9fbf..0000000
+++ /dev/null
@@ -1,163 +0,0 @@
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2347
-
---- a/tools/rgb2ycbcr.c
-+++ b/tools/rgb2ycbcr.c
-@@ -202,6 +202,17 @@ cvtClump(unsigned char* op, uint32* rast
- #undef LumaBlue
- #undef V2Code
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+    tsize_t prod = m1 * m2;
-+
-+    if (m1 && prod / m1 != m2)
-+        prod = 0;             /* overflow */
-+
-+    return prod;
-+}
-+
- /*
-  * Convert a strip of RGB data to YCbCr and
-  * sample to generate the output data.
-@@ -278,10 +289,19 @@ tiffcvt(TIFF* in, TIFF* out)
-       float floatv;
-       char *stringv;
-       uint32 longv;
-+      tsize_t raster_size;
-       TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-       TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
--      raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+
-+      raster_size = multiply(multiply(width, height), sizeof (uint32));
-+      if (!raster_size) {
-+              TIFFError(TIFFFileName(in),
-+                        "Can't allocate buffer for raster of size %lux%lu",
-+                        (unsigned long) width, (unsigned long) height);
-+              return (0);
-+      }
-+      raster = (uint32*)_TIFFmalloc(raster_size);
-       if (raster == 0) {
-               TIFFError(TIFFFileName(in), "No space for raster buffer");
-               return (0);
---- a/tools/tiff2rgba.c
-+++ b/tools/tiff2rgba.c
-@@ -124,6 +124,17 @@ main(int argc, char* argv[])
-     return (0);
- }
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+    tsize_t prod = m1 * m2;
-+
-+    if (m1 && prod / m1 != m2)
-+        prod = 0;             /* overflow */
-+
-+    return prod;
-+}
-+
- static int
- cvt_by_tile( TIFF *in, TIFF *out )
-@@ -133,6 +144,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
-     uint32  tile_width, tile_height;
-     uint32  row, col;
-     uint32  *wrk_line;
-+    tsize_t raster_size;
-     int           ok = 1;
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -150,7 +162,14 @@ cvt_by_tile( TIFF *in, TIFF *out )
-     /*
-      * Allocate tile buffer
-      */
--    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+    raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
-+    if (!raster_size) {
-+      TIFFError(TIFFFileName(in),
-+                "Can't allocate buffer for raster of size %lux%lu",
-+                (unsigned long) tile_width, (unsigned long) tile_height);
-+      return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -158,7 +177,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
-     /*
-      * Allocate a scanline buffer for swapping during the vertical
--     * mirroring pass.
-+     * mirroring pass.  (Request can't overflow given prior checks.)
-      */
-     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-     if (!wrk_line) {
-@@ -226,6 +245,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
-     uint32  width, height;            /* image width & height */
-     uint32  row;
-     uint32  *wrk_line;
-+    tsize_t raster_size;
-     int           ok = 1;
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -241,7 +261,14 @@ cvt_by_strip( TIFF *in, TIFF *out )
-     /*
-      * Allocate strip buffer
-      */
--    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
-+    if (!raster_size) {
-+      TIFFError(TIFFFileName(in),
-+                "Can't allocate buffer for raster of size %lux%lu",
-+                (unsigned long) width, (unsigned long) rowsperstrip);
-+      return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -249,7 +276,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
-     /*
-      * Allocate a scanline buffer for swapping during the vertical
--     * mirroring pass.
-+     * mirroring pass.  (Request can't overflow given prior checks.)
-      */
-     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-     if (!wrk_line) {
-@@ -328,14 +355,22 @@ cvt_whole_image( TIFF *in, TIFF *out )
-     uint32* raster;                   /* retrieve RGBA image */
-     uint32  width, height;            /* image width & height */
-     uint32  row;
--        
-+    tsize_t raster_size;
-+
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
-     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
--    raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
-+    raster_size = multiply(multiply(width, height), sizeof (uint32));
-+    if (!raster_size) {
-+      TIFFError(TIFFFileName(in),
-+                "Can't allocate buffer for raster of size %lux%lu",
-+                (unsigned long) width, (unsigned long) height);
-+      return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -353,7 +388,7 @@ cvt_whole_image( TIFF *in, TIFF *out )
-     */
-     if( no_alpha )
-     {
--        int   pixel_count = width * height;
-+        tsize_t  pixel_count = (tsize_t) width * (tsize_t) height;
-         unsigned char *src, *dst;
-         src = (unsigned char *) raster;