diff --git a/libtiff-CVE-2022-0561.patch b/libtiff-CVE-2022-0561.patch deleted file mode 100644 index 7bda47c46eb0627c2605a331326f0303dce18cc6..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-0561.patch +++ /dev/null @@ -1,29 +0,0 @@ -From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 6 Feb 2022 13:08:38 +0100 -Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #362) - ---- - libtiff/tif_dirread.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 23194ced..50ebf8ac 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); -- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); -+ if( dir->tdir_count ) -+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); -+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); - _TIFFfree(data); - data=resizeddata; - } --- -GitLab - diff --git a/libtiff-CVE-2022-0562.patch b/libtiff-CVE-2022-0562.patch deleted file mode 100644 index 906b641aac055b119e53c2c24d4c14489d6b2c36..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-0562.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 5 Feb 2022 20:36:41 +0100 -Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #362) - ---- - libtiff/tif_dirread.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 2bbc4585..23194ced 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) - goto bad; - } - -- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); -+ if (old_extrasamples > 0) -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); - _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); - _TIFFfree(new_sampleinfo); - } --- -GitLab - diff --git a/libtiff-CVE-2022-0865.patch b/libtiff-CVE-2022-0865.patch deleted file mode 100644 index 031d37a1df2a4a9b2ae6420d80edcd2235d117d5..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-0865.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 26be9b079af5eda5c4b90ee6632adf25750cb38a Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 24 Feb 2022 22:26:02 +0100 -Subject: [PATCH 2/3] tif_jbig.c: fix crash when reading a file with multiple - IFD in memory-mapped mode and when bit reversal is needed (fixes #385) - ---- - libtiff/tif_jbig.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 7408633..8bfa4ce 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) - */ - tif->tif_flags |= TIFF_NOBITREV; - tif->tif_flags &= ~TIFF_MAPPED; -+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and -+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial -+ * value to be consistent with the state of a non-memory mapped file. -+ */ -+ if (tif->tif_flags&TIFF_BUFFERMMAP) { -+ tif->tif_rawdata = NULL; -+ tif->tif_rawdatasize = 0; -+ tif->tif_flags &= ~TIFF_BUFFERMMAP; -+ tif->tif_flags |= TIFF_MYBUFFER; -+ } - - /* Setup the function pointers for encode, decode, and cleanup. */ - tif->tif_setupdecode = JBIGSetupDecode; --- -2.35.1 - diff --git a/libtiff-CVE-2022-0891.patch b/libtiff-CVE-2022-0891.patch deleted file mode 100644 index e4a9b28bda5228d9ebf5118d6bfd63e9fa59aa00..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-0891.patch +++ /dev/null @@ -1,214 +0,0 @@ -From 8a4097911df4e1a3d577ccdfa13a35984b0e5b2b Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Tue, 8 Mar 2022 17:02:44 +0000 -Subject: [PATCH 1/3] tiffcrop: fix issue #380 and #382 heap buffer overflow in - extractImageSection - ---- - tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- - 1 file changed, 36 insertions(+), 56 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index b85c2ce..302a7e9 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -105,8 +105,8 @@ - * of messages to monitor progress without enabling dump logs. - */ - --static char tiffcrop_version_id[] = "2.4"; --static char tiffcrop_rev_date[] = "12-13-2010"; -+static char tiffcrop_version_id[] = "2.4.1"; -+static char tiffcrop_rev_date[] = "03-03-2010"; - - #include "tif_config.h" - #include "libport.h" -@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - uint32_t img_length; - #endif -- uint32_t j, shift1, shift2, trailing_bits; -+ uint32_t j, shift1, trailing_bits; - uint32_t row, first_row, last_row, first_col, last_col; - uint32_t src_offset, dst_offset, row_offset, col_offset; -- uint32_t offset1, offset2, full_bytes; -+ uint32_t offset1, full_bytes; - uint32_t sect_width; - #ifdef DEVELMODE - uint32_t sect_length; -@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - int k; - unsigned char bitset; -- static char *bitarray = NULL; - #endif - - img_width = image->width; -@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - dst_offset = 0; - - #ifdef DEVELMODE -- if (bitarray == NULL) -- { -- if ((bitarray = (char *)malloc(img_width)) == NULL) -- { -- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); -- return (-1); -- } -- } -+ char bitarray[39]; - #endif - -- /* rows, columns, width, length are expressed in pixels */ -+ /* rows, columns, width, length are expressed in pixels -+ * first_row, last_row, .. are index into image array starting at 0 to width-1, -+ * last_col shall be also extracted. */ - first_row = section->y1; - last_row = section->y2; - first_col = section->x1; -@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - sect_length = last_row - first_row + 1; - #endif -- img_rowsize = ((img_width * bps + 7) / 8) * spp; -- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -- trailing_bits = (sect_width * bps) % 8; -+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved -+ * samples rather than separate planes so the same logic works to extract regions -+ * regardless of the way the data are organized in the input file. -+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 -+ */ -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ -+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ - - #ifdef DEVELMODE - TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", -@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if ((bps % 8) == 0) - { -- col_offset = first_col * spp * bps / 8; -+ col_offset = (first_col * spp * bps) / 8; - for (row = first_row; row <= last_row; row++) - { -- /* row_offset = row * img_width * spp * bps / 8; */ - row_offset = row * img_rowsize; - src_offset = row_offset + col_offset; - -@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - } - else - { /* bps != 8 */ -- shift1 = spp * ((first_col * bps) % 8); -- shift2 = spp * ((last_col * bps) % 8); -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ - for (row = first_row; row <= last_row; row++) - { - /* pull out the first byte */ - row_offset = row * img_rowsize; -- offset1 = row_offset + (first_col * bps / 8); -- offset2 = row_offset + (last_col * bps / 8); -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ - - #ifdef DEVELMODE - for (j = 0, k = 7; j < 8; j++, k--) -@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - sprintf(&bitarray[9], " "); - for (j = 10, k = 7; j < 18; j++, k--) - { -- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; -+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; - sprintf(&bitarray[j], (bitset) ? "1" : "0"); - } - bitarray[18] = '\0'; -- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", -- row, offset1, shift1, offset2, shift2); -+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", -+ row, offset1, shift1, offset1+full_bytes, trailing_bits); - #endif - - bytebuff1 = bytebuff2 = 0; -@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if (trailing_bits != 0) - { -- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); -+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ -+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); - sect_buff[dst_offset] = bytebuff2; - #ifdef DEVELMODE - TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", -- offset2, dst_offset); -+ offset1 + full_bytes, dst_offset); - for (j = 30, k = 7; j < 38; j++, k--) - { - bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; -@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - for (j = 0; j <= full_bytes; j++) - { -- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); -+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ -+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ -+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); - sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); - } - #ifdef DEVELMODE -@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - dst_offset += full_bytes; - -+ /* Copy the trailing_bits for the last byte in the destination buffer. -+ Could come from one ore two bytes of the source buffer. */ - if (trailing_bits != 0) - { - #ifdef DEVELMODE -- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); --#endif -- if (shift2 > shift1) -- { -- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); -- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); -- sect_buff[dst_offset] = bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 > Shift1\n"); -+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); - #endif -+ /* More than necessary bits are already copied into last destination buffer, -+ * only masking of last byte in destination buffer is necessary.*/ -+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); - } -- else -- { -- if (shift2 < shift1) -- { -- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); -- sect_buff[dst_offset] &= bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 < Shift1\n"); --#endif -- } --#ifdef DEVELMODE -- else -- TIFFError ("", " Shift2 == Shift1\n"); --#endif -- } -- } - #ifdef DEVELMODE - sprintf(&bitarray[28], " "); - sprintf(&bitarray[29], " "); -@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, - width = sections[i].x2 - sections[i].x1 + 1; - length = sections[i].y2 - sections[i].y1 + 1; - sectsize = (uint32_t) -- ceil((width * image->bps + 7) / (double)8) * image->spp * length; -+ ceil((width * image->bps * image->spp + 7) / (double)8) * length; - /* allocate a buffer if we don't have one already */ - if (createImageSection(sectsize, sect_buff_ptr)) - { --- -2.35.1 - diff --git a/libtiff-CVE-2022-0907.patch b/libtiff-CVE-2022-0907.patch deleted file mode 100644 index ce1af73aa5ba0ffe44ebcf25bcbef9af19186241..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-0907.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001 -From: Augustus -Date: Mon, 7 Mar 2022 18:21:49 +0800 -Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392) - ---- - tools/tiffcrop.c | 33 +++++++++++++++++++++------------ - 1 file changed, 21 insertions(+), 12 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 302a7e9..e407bf5 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) - if (!sect_buff) - { - sect_buff = (unsigned char *)limitMalloc(sectsize); -- *sect_buff_ptr = sect_buff; -+ if (!sect_buff) -+ { -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -+ return (-1); -+ } - _TIFFmemset(sect_buff, 0, sectsize); - } - else -@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) - else - sect_buff = new_buff; - -+ if (!sect_buff) -+ { -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -+ return (-1); -+ } - _TIFFmemset(sect_buff, 0, sectsize); - } - } - -- if (!sect_buff) -- { -- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -- return (-1); -- } - prev_sectsize = sectsize; - *sect_buff_ptr = sect_buff; - -@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - if (!crop_buff) - { - crop_buff = (unsigned char *)limitMalloc(cropsize); -- *crop_buff_ptr = crop_buff; -+ if (!crop_buff) -+ { -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -+ return (-1); -+ } - _TIFFmemset(crop_buff, 0, cropsize); - prev_cropsize = cropsize; - } -@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - } - else - crop_buff = new_buff; -+ if (!crop_buff) -+ { -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -+ return (-1); -+ } - _TIFFmemset(crop_buff, 0, cropsize); - } - } - -- if (!crop_buff) -- { -- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -- return (-1); -- } - *crop_buff_ptr = crop_buff; - - if (crop->crop_mode & CROP_INVERT) -@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui - * fill-column: 78 - * End: - */ -+ --- -2.35.1 - diff --git a/libtiff-CVE-2022-0908.patch b/libtiff-CVE-2022-0908.patch deleted file mode 100644 index 17f7e36436ed7b7a2d39df7736b1c483cdf24c69..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-0908.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 2fac3f6f3178bd2fee777bced88cccef71873b2b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 17 Feb 2022 15:28:43 +0100 -Subject: [PATCH 2/3] TIFFFetchNormalTag(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #383) - ---- - libtiff/tif_dirread.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index d654a1c..a31109a 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); -+ if (dp->tdir_count > 0 ) -+ { -+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); -+ } - o[(uint32_t)dp->tdir_count]=0; - if (data!=0) - _TIFFfree(data); --- -2.35.1 - diff --git a/libtiff-CVE-2022-0909.patch b/libtiff-CVE-2022-0909.patch deleted file mode 100644 index 2bd803ec976ad91049e80407b218af637010d0b4..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-0909.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 802070f1c2e2064a4df3d7e0aa63316677845ec0 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Tue, 8 Mar 2022 16:22:04 +0000 -Subject: [PATCH 3/3] fix the FPE in tiffcrop (#393) - ---- - libtiff/tif_dir.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index a6c254f..77da6ea 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) - break; - case TIFFTAG_XRESOLUTION: - dblval = va_arg(ap, double); -- if( dblval < 0 ) -+ if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; - td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_YRESOLUTION: - dblval = va_arg(ap, double); -- if( dblval < 0 ) -+ if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; - td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); - break; --- -2.35.1 - diff --git a/libtiff-CVE-2022-0924.patch b/libtiff-CVE-2022-0924.patch deleted file mode 100644 index 5d7792d142aada385a0d581a00b5b57927f070e2..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-0924.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 224a9353b95896fcff787734a85352aa82eb7db5 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Thu, 10 Mar 2022 08:48:00 +0000 -Subject: [PATCH 3/3] fix heap buffer overflow in tiffcp (#278) - ---- - tools/tiffcp.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 1f88951..552d8fa 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - tdata_t obuf; - tstrip_t strip = 0; - tsample_t s; -+ uint16_t bps = 0, bytes_per_sample; - - obuf = limitMalloc(stripsize); - if (obuf == NULL) - return (0); - _TIFFmemset(obuf, 0, stripsize); - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); -+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps == 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ if( (bps % 8) != 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ bytes_per_sample = bps/8; - for (s = 0; s < spp; s++) { - uint32_t row; - for (row = 0; row < imagelength; row += rowsperstrip) { -@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - - cpContigBufToSeparateBuf( - obuf, (uint8_t*) buf + row * rowsize + s, -- nrows, imagewidth, 0, 0, spp, 1); -+ nrows, imagewidth, 0, 0, spp, bytes_per_sample); - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { - TIFFError(TIFFFileName(out), - "Error, can't write strip %"PRIu32, --- -2.35.1 - diff --git a/libtiff-CVE-2022-2056_2057_2058.patch b/libtiff-CVE-2022-2056_2057_2058.patch new file mode 100644 index 0000000000000000000000000000000000000000..f62a41ad7471ca145c46dd8d979095296651db97 --- /dev/null +++ b/libtiff-CVE-2022-2056_2057_2058.patch @@ -0,0 +1,180 @@ +From dd1bcc7abb26094e93636e85520f0d8f81ab0fab Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Sat, 11 Jun 2022 09:31:43 +0000 +Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428) + +--- + libtiff/tif_aux.c | 9 +++++++ + libtiff/tiffiop.h | 1 + + tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- + 3 files changed, 44 insertions(+), 28 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 140f26c7..5b88c8d0 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val ) + return (float)val; + } + ++uint32_t _TIFFClampDoubleToUInt32(double val) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 0xFFFFFFFFU || val != val ) ++ return 0xFFFFFFFFU; ++ return (uint32_t)val; ++} ++ + int _TIFFSeekOK(TIFF* tif, toff_t off) + { + /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index e3af461d..4e8bdac2 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t); + extern float _TIFFUInt64ToFloat(uint64_t); + + extern float _TIFFClampDoubleToFloat(double); ++extern uint32_t _TIFFClampDoubleToUInt32(double); + + extern tmsize_t + _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip, +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 1f827b2b..90286a5e 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) + { +- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres); +- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres); +- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres); +- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); + } + else + { +- x1 = (uint32_t) (crop->corners[i].X1); +- x2 = (uint32_t) (crop->corners[i].X2); +- y1 = (uint32_t) (crop->corners[i].Y1); +- y2 = (uint32_t) (crop->corners[i].Y2); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } + /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 + * b) Corners are expected to be submitted as top-left to bottom-right. +@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { /* User has specified pixels as reference unit */ +- tmargin = (uint32_t)(crop->margins[0]); +- lmargin = (uint32_t)(crop->margins[1]); +- bmargin = (uint32_t)(crop->margins[2]); +- rmargin = (uint32_t)(crop->margins[3]); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); + } + else + { /* inches or centimeters specified */ +- tmargin = (uint32_t)(crop->margins[0] * scale * yres); +- lmargin = (uint32_t)(crop->margins[1] * scale * xres); +- bmargin = (uint32_t)(crop->margins[2] * scale * yres); +- rmargin = (uint32_t)(crop->margins[3] * scale * xres); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); + } + + if ((lmargin + rmargin) > image->width) +@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32_t)crop->width; ++ width = _TIFFClampDoubleToUInt32(crop->width); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32_t)crop->length; ++ length = _TIFFClampDoubleToUInt32(crop->length); + else + length = image->length - tmargin - bmargin; + } + else + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32_t)(crop->width * scale * image->xres); ++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32_t)(crop->length * scale * image->yres); ++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); + else + length = image->length - tmargin - bmargin; + } +@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) + { /* inches or centimeters specified */ +- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); +- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); + } + else + { /* Otherwise user has specified pixels as reference unit */ +- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8)); +- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); + } + + if ((hmargin * 2.0) > (pwidth * page->hres)) +@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->mode & PAGE_MODE_PAPERSIZE ) + { +- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2)); +- olength = (uint32_t)((plength * page->vres) - (vmargin * 2)); ++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); ++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); + } + else + { +- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres)); +- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres)); ++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); ++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); + } + } + +@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + if (olength > ilength) + olength = ilength; + ++ if (owidth == 0 || olength == 0) ++ { ++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); ++ exit(EXIT_FAILURE); ++ } ++ + /* Compute the number of pages required for Portrait or Landscape */ + switch (page->orient) + { +-- +GitLab + diff --git a/libtiff-CVE-2022-22844.patch b/libtiff-CVE-2022-22844.patch deleted file mode 100644 index 71c81c048b1cc1c170dbccb007e177a8c742274d..0000000000000000000000000000000000000000 --- a/libtiff-CVE-2022-22844.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 49b81e99704bd199a24ccce65f974cc2d78cccc4 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Tue, 4 Jan 2022 11:01:37 +0000 -Subject: [PATCH] fixing global-buffer-overflow in tiffset - ---- - tools/tiffset.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/tools/tiffset.c b/tools/tiffset.c -index 8c9e23c5..b7badd93 100644 ---- a/tools/tiffset.c -+++ b/tools/tiffset.c -@@ -146,9 +146,19 @@ main(int argc, char* argv[]) - - arg_index++; - if (TIFFFieldDataType(fip) == TIFF_ASCII) { -- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) -- fprintf( stderr, "Failed to set %s=%s\n", -- TIFFFieldName(fip), argv[arg_index] ); -+ if(TIFFFieldPassCount( fip )) { -+ size_t len; -+ len = (uint32_t)(strlen(argv[arg_index] + 1)); -+ if (TIFFSetField(tiff, TIFFFieldTag(fip), -+ (uint16_t)len, argv[arg_index]) != 1) -+ fprintf( stderr, "Failed to set %s=%s", -+ TIFFFieldName(fip), argv[arg_index] ); -+ } else { -+ if (TIFFSetField(tiff, TIFFFieldTag(fip), -+ argv[arg_index]) != 1) -+ fprintf( stderr, "Failed to set %s=%s", -+ TIFFFieldName(fip), argv[arg_index] ); -+ } - } else if (TIFFFieldWriteCount(fip) > 0 - || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { - int ret = 1; --- -GitLab - diff --git a/libtiff-CVE-2022-34526.patch b/libtiff-CVE-2022-34526.patch new file mode 100644 index 0000000000000000000000000000000000000000..cb3a4d3c77e2c9f1952f4c840827533abffcf530 --- /dev/null +++ b/libtiff-CVE-2022-34526.patch @@ -0,0 +1,28 @@ +From 275735d0354e39c0ac1dc3c0db2120d6f31d1990 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 27 Jun 2022 16:09:43 +0200 +Subject: [PATCH] _TIFFCheckFieldIsValidForCodec(): return FALSE when passed a + codec-specific tag and the codec is not configured (fixes #433) + +This avoids crashes when querying such tags +--- + libtiff/tif_dirinfo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index c30f569b..3371cb5c 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -1191,6 +1191,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) + default: + return 1; + } ++ if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) { ++ return 0; ++ } + /* Check if codec specific tags are allowed for the current + * compression scheme (codec) */ + switch (tif->tif_dir.td_compression) { +-- +GitLab + diff --git a/libtiff.spec b/libtiff.spec index 1db6a1021db10a989b41bb0aaae8c75fc1b9c102..bdbaec64cf448b80be9d7afc6405fda0f7f81334 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ -%define anolis_release 2 +%define anolis_release 1 Summary: Library of functions for manipulating TIFF format image files Name: libtiff -Version: 4.3.0 +Version: 4.4.0 Release: %{anolis_release}%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -10,23 +10,8 @@ Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz Patch0: libtiff-am-version.patch Patch1: libtiff-make-check.patch -# Fix the global-buffer-overflow in tiffset -Patch2: libtiff-CVE-2022-22844.patch -# fix undefined-behavior tif_dirread.c:4176:40 in TIFFReadDirectory function -Patch3: libtiff-CVE-2022-0561.patch -Patch4: libtiff-CVE-2022-0562.patch -# fix crash when reading a file with multiple IFD in memory-mapped -Patch5: libtiff-CVE-2022-0865.patch -# fix issue #380 and #382 heap buffer overflow in extractImageSection -Patch6: libtiff-CVE-2022-0891.patch -# fix heap buffer overflow in tiffcp (#278) -Patch7: libtiff-CVE-2022-0924.patch -# add checks for return value of limitMalloc (#392) -Patch8: libtiff-CVE-2022-0907.patch -# avoid calling memcpy() with a null source pointer and size of zero (fixes #383) -Patch9: libtiff-CVE-2022-0908.patch -# fix the FPE in tiffcrop (#393) -Patch10: libtiff-CVE-2022-0909.patch +Patch2: libtiff-CVE-2022-2056_2057_2058.patch +Patch3: libtiff-CVE-2022-34526.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel @@ -42,9 +27,16 @@ used file format for bitmapped images. TIFF files usually end in the The libtiff package should be installed if you need to manipulate TIFF format image files. +%package doc +Summary: Documentation files for %{name} +Requires: %{name} = %{version}-%{release} + +%description doc +The %{name}-doc package contains documentation files for %{name}. + %package devel Summary: Development tools for programs which will use the libtiff library -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} Requires: pkgconfig %description devel @@ -58,7 +50,7 @@ install the libtiff package. %package static Summary: Static TIFF image format file library -Requires: %{name}-devel%{?_isa} = %{version}-%{release} +Requires: %{name}-devel = %{version}-%{release} %description static The libtiff-static package contains the statically linkable version of libtiff. @@ -67,7 +59,7 @@ necessary for some boot packages. %package tools Summary: Command-line utility programs for manipulating TIFF files -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} %description tools This package contains command-line programs for manipulating TIFF format @@ -80,13 +72,6 @@ image files using the libtiff library. %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -134,10 +119,13 @@ find html -name 'Makefile*' | xargs rm %files %license COPYRIGHT -%doc README.md RELEASE-DATE VERSION +%doc RELEASE-DATE VERSION %{_libdir}/libtiff.so.* %{_libdir}/libtiffxx.so.* +%files doc +%doc README.md + %files devel %doc TODO ChangeLog html %{_includedir}/* @@ -154,6 +142,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Mon Sep 5 2022 mgb01105731 - 4.4.0-1 +- update to 4.4.0 + * Tue Apr 19 2022 mgb01105731 - 4.3.0-2 - fix tiffconf.h error diff --git a/tiff-4.3.0.tar.gz b/tiff-4.4.0.tar.gz similarity index 30% rename from tiff-4.3.0.tar.gz rename to tiff-4.4.0.tar.gz index e0468fa586413309ce6cf733dfe0ae081f17f912..22df21a1fd95da532edf8b61387a21ec3b9fb438 100644 Binary files a/tiff-4.3.0.tar.gz and b/tiff-4.4.0.tar.gz differ