rpms/libtiff/FC-4 libtiff-3.7.1-ormandy.patch, NONE, 1.1 libtiff.spec, 1.31, 1.32
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/libtiff/FC-4 libtiff-3.7.1-ormandy.patch, NONE, 1.1 libtiff.spec, 1.31, 1.32
- Date: Tue, 1 Aug 2006 17:43:18 -0400
Author: mclasen
Update of /cvs/dist/rpms/libtiff/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv30837
Modified Files:
libtiff.spec
Added Files:
libtiff-3.7.1-ormandy.patch
Log Message:
fix several vulnerabilities
libtiff-3.7.1-ormandy.patch:
tif_aux.c | 19 +++++++++
tif_dir.c | 21 ++++++----
tif_dirinfo.c | 6 ++-
tif_dirread.c | 111 ++++++++++++++++++++++++++++++++++++++++++++-------------
tif_fax3.c | 9 ++++
tif_jpeg.c | 54 ++++++++++++++++++++++++---
tif_next.c | 7 +++
tif_pixarlog.c | 14 ++++++-
tif_read.c | 18 ++++++++-
tiffiop.h | 2 +
10 files changed, 213 insertions(+), 48 deletions(-)
--- NEW FILE libtiff-3.7.1-ormandy.patch ---
--- tiff-3.7.1/libtiff/tiffiop.h.ormandy 2006-08-01 17:37:17.000000000 -0400
+++ tiff-3.7.1/libtiff/tiffiop.h 2006-08-01 17:37:19.000000000 -0400
@@ -257,6 +257,8 @@
GLOBALDATA(TIFFErrorHandler,_TIFFwarningHandler);
GLOBALDATA(TIFFErrorHandler,_TIFFerrorHandler);
+extern tdata_t _TIFFCheckMalloc(TIFF*, size_t, size_t, const char*);
+
extern int TIFFInitDumpMode(TIFF*, int);
#ifdef PACKBITS_SUPPORT
extern int TIFFInitPackBits(TIFF*, int);
--- tiff-3.7.1/libtiff/tif_dir.c.ormandy 2004-12-04 04:27:59.000000000 -0500
+++ tiff-3.7.1/libtiff/tif_dir.c 2006-08-01 17:32:22.000000000 -0400
@@ -122,6 +122,7 @@
{
static const char module[] = "_TIFFVSetField";
+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32;
@@ -216,11 +217,13 @@
_TIFFsetString(&td->td_copyright, va_arg(ap, char*));
break;
case TIFFTAG_ORIENTATION:
- v = va_arg(ap, int);
+ v = va_arg(ap, int);
+ const TIFFFieldInfo* fip;
if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+ fip = _TIFFFieldWithTag(tif, tag);
TIFFWarning(tif->tif_name,
"Bad value %ld for \"%s\" tag ignored",
- v, _TIFFFieldWithTag(tif, tag)->field_name);
+ v, fip ? fip->field_name : "Unknown");
} else
td->td_orientation = (uint16) v;
break;
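Review bot: The `const TIFFFieldInfo* fip;` declared inside `case TIFFTAG_ORIENTATION:` shadows the function-scope `fip` that this same patch adds at the top of `_TIFFVSetField`, and it is a declaration after a statement, which is only legal from C99 on. For a standard tag such as Orientation the outer `fip` from `_TIFFFindFieldInfo(tif, tag, TIFF_ANY)` already resolves to the same entry, so the inner declaration and the extra `_TIFFFieldWithTag` lookup can be dropped and the warning can pass `v, fip ? fip->field_name : "Unknown"` exactly as the other hunks do. `_TIFFVSetField` begins and ends outside this hunk.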
@@ -503,7 +506,7 @@
TIFFError(module,
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
status = 0;
break;
}
@@ -622,7 +625,7 @@
"%s: Pass by value is not implemented.",
tif->tif_name);
- tv->value = _TIFFmalloc(tv_size * tv->count);
+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag value");
if (!tv->value) {
status = 0;
goto end;
@@ -633,7 +636,7 @@
}
}
if (status) {
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+ TIFFSetFieldBit(tif, fip->field_bit);
tif->tif_flags |= TIFF_DIRTYDIRECT;
}
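Review bot: `TIFFSetFieldBit(tif, fip->field_bit)` dereferences `fip` without the NULL guard that every other use of `fip` in this patch carries. If `status` can still be non-zero after `_TIFFFindFieldInfo` returned NULL — the default case is not visible from this hunk, so this is inferred — this is a NULL dereference; if it cannot, a one-line comment such as `/* status is cleared above whenever fip is NULL */` would save the next reader the same investigation. `_TIFFVSetField` begins and ends outside this hunk.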
@@ -642,17 +645,17 @@
return (status);
badvalue:
TIFFError(module, "%s: Bad value %d for \"%s\"",
- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
badvalue32:
TIFFError(module, "%s: Bad value %ld for \"%s\"",
- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
badvaluedbl:
TIFFError(module, "%s: Bad value %f for \"%s\"",
- tif->tif_name, d, _TIFFFieldWithTag(tif, tag)->field_name);
+ tif->tif_name, d, fip ? fip->field_name : "Unknown");
va_end(ap);
return (0);
}
@@ -988,7 +991,7 @@
TIFFError("_TIFFVGetField",
"%s: Invalid %stag \"%s\" (not supported by codec)",
tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
- _TIFFFieldWithTag(tif, tag)->field_name);
+ fip ? fip->field_name : "Unknown");
ret_val = 0;
break;
}
--- tiff-3.7.1/libtiff/tif_pixarlog.c.ormandy 2006-08-01 17:32:22.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_pixarlog.c 2006-08-01 17:32:22.000000000 -0400
@@ -768,7 +768,19 @@
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
- for (i = 0; i < nsamples; i += llen, up += llen) {
+ /*
+ * if llen is not an exact multiple of nsamples, the decode operation
+ * may overflow the output buffer, so truncate it enough to prevent that
+ * but still salvage as much data as possible.
+ * -- taviso google com 14th June 2006
+ */
+ if (nsamples % llen)
+ TIFFWarning(module,
+ "%s: stride %lu is not a multiple of sample count, "
+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
+
+
+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalAccumulateF(up, llen, sp->stride,
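Review bot: The new comment states the relationship backwards: the guard `nsamples % llen` fires when `nsamples` is not a multiple of `llen`, not the other way round, so it should read `if nsamples is not an exact multiple of llen`. The warning prints `llen` and `nsamples` with `%lu`; if both are still plain `int` in the decoder (their declarations are above the hunk), that is a format/argument mismatch and `%d` is the matching conversion. `nsamples % llen` also divides by zero when `llen` is 0, which depends on how `llen` is derived earlier, so a `llen > 0` test ahead of the modulus would make the guard self-contained. `PixarLogDecode` begins and ends outside this hunk.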
--- tiff-3.7.1/libtiff/tif_next.c.ormandy 2004-11-07 06:08:36.000000000 -0500
+++ tiff-3.7.1/libtiff/tif_next.c 2006-08-01 17:32:22.000000000 -0400
@@ -105,11 +105,16 @@
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso google com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < imagewidth)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
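Review bot: The new loop condition compares `npixels < imagewidth` while the existing test two lines below writes `npixels >= (int) imagewidth`; if `npixels` is signed and `imagewidth` is `uint32` (both declared outside the hunk) the new comparison is performed unsigned and the two checks in the same loop follow different conventions. Writing it as `while (n-- > 0 && npixels < (int) imagewidth)` keeps them consistent. The new comment block also sits above `op = row;`, several lines away from the `while` it explains; placing it directly on that line would make the intent easier to find.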
--- tiff-3.7.1/libtiff/tif_aux.c.ormandy 2006-08-01 17:35:40.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_aux.c 2006-08-01 17:35:49.000000000 -0400
@@ -33,6 +33,25 @@
#include "tif_predict.h"
#include <math.h>
+tdata_t
+_TIFFCheckMalloc(TIFF* tif, size_t nmemb, size_t elem_size, const char* what)
+{
+ tdata_t *cp = NULL;
+ tsize_t bytes = nmemb * elem_size;
+
+ /*
+ * XXX: Check for integer overflow.
+ */
+ if (nmemb && elem_size && bytes / elem_size == nmemb)
+ cp = _TIFFmalloc(bytes);
+
+ if (cp == NULL)
+ TIFFError(tif->tif_name, "No space %s", what);
+
+ return (cp);
+}
+
+
static int
TIFFDefaultTransferFunction(TIFFDirectory* td)
{
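Review bot: The overflow check in `_TIFFCheckMalloc` is performed on `bytes` after the `size_t` product has already been narrowed into `tsize_t` (a signed 32-bit type in libtiff 3.x), so a product that wraps or truncates in that conversion is what gets divided back, and `_TIFFmalloc` can still be handed a negative or truncated size. `cp` is also declared as `tdata_t *` — a `void **` — although it only ever holds the `void *` that `_TIFFmalloc` returns and is returned as `tdata_t`. Doing the division test on the untruncated `size_t` product and then confirming it round-trips through `tsize_t` closes both gaps, and a short header comment stating the contract (NULL plus a `TIFFError` report on overflow or allocation failure) would help since this is a new internal API. The one caller in this patch passes `(tv_size, tv->count)`, element size first, against a `(nmemb, elem_size)` prototype — harmless for a product, but worth aligning.
```c
tdata_t
_TIFFCheckMalloc(TIFF* tif, size_t nmemb, size_t elem_size, const char* what)
{
	tdata_t cp = NULL;
	size_t bytes = nmemb * elem_size;

	/*
	 * Test for wrap-around on the full size_t product, then make sure
	 * the result survives the narrowing to the tsize_t _TIFFmalloc takes.
	 */
	if (nmemb && elem_size && bytes / elem_size == nmemb &&
	    (tsize_t) bytes >= 0 && (size_t) (tsize_t) bytes == bytes)
		cp = _TIFFmalloc((tsize_t) bytes);
	/* … unchanged: TIFFError report and return … */
```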
--- tiff-3.7.1/libtiff/tif_read.c.ormandy 2004-10-02 09:52:29.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_read.c 2006-08-01 17:32:22.000000000 -0400
@@ -31,6 +31,8 @@
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
+
int TIFFFillStrip(TIFF*, tstrip_t);
int TIFFFillTile(TIFF*, ttile_t);
static int TIFFStartStrip(TIFF*, tstrip_t);
@@ -272,7 +274,13 @@
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+ /*
+ * This sanity check could potentially overflow, causing an OOB read.
+ * verify that offset + bytecount is > offset.
+ * -- taviso google com 14 Jun 2006
+ */
+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
/*
* This error message might seem strange, but it's
* what would happen if a read were done instead.
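Review bot: The wrap-around guard `bytecount > (UINT_MAX - td->td_stripoffset[strip])` is evaluated after the sum it protects, so `td->td_stripoffset[strip] + bytecount` is still computed, and may wrap, before the guard rejects it; listing the guard first reads as intended and the short-circuit then never evaluates the wrapped sum. The identical predicate is repeated in the tile hunk below, so a small `static` helper taking offset, count and file size would keep the two in step. `TIFFFillStrip` begins and ends outside this hunk.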
@@ -470,7 +478,13 @@
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+ /*
+ * We must check this calculation doesnt overflow, potentially
+ * causing an OOB read.
+ * -- taviso google com 15 Jun 2006
+ */
+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
tif->tif_curtile = NOTILE;
return (0);
}
--- tiff-3.7.1/libtiff/tif_dirread.c.ormandy 2006-08-01 17:32:22.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_dirread.c 2006-08-01 17:32:22.000000000 -0400
@@ -29,6 +29,9 @@
*
* Directory Read Support Routines.
*/
+
+#include <limits.h>
+
#include "tiffiop.h"
#define IGNORE 0 /* tag placeholder used below */
@@ -103,6 +106,7 @@
toff_t nextdiroff;
char* cp;
int diroutoforderwarning = 0;
+ int compressionknown = 0;
toff_t* new_dirlist;
tif->tif_diroff = tif->tif_nextdiroff;
@@ -170,13 +174,21 @@
} else {
toff_t off = tif->tif_diroff;
- if (off + sizeof (uint16) > tif->tif_size) {
- TIFFError(module,
- "%s: Can not read TIFF directory count",
- tif->tif_name);
- return (0);
- } else
- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
+ /*
+ * Check for integer overflow when validating the dir_off, otherwise
+ * a very high offset may cause an OOB read and crash the client.
+ * -- taviso google com, 14 Jun 2006.
+ */
+ if (off + sizeof (uint16) > tif->tif_size ||
+ off > (UINT_MAX - sizeof(uint16))) {
+ TIFFError(module,
+ "%s: Can not read TIFF directory count",
+ tif->tif_name);
+ return (0);
+ } else
+ _TIFFmemcpy(&dircount, tif->tif_base + off,
+ sizeof (uint16));
+
off += sizeof (uint16);
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabShort(&dircount);
@@ -276,6 +288,7 @@
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
fix++;
+
if (fix >= tif->tif_nfields ||
tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
@@ -284,11 +297,17 @@
tif->tif_name, dp->tdir_tag, dp->tdir_tag,
dp->tdir_type);
- TIFFMergeFieldInfo( tif,
- _TIFFCreateAnonFieldInfo( tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type ),
- 1 );
+ /*
+ * Creating anonymous fields prior to knowing the compression
+ * algorithm (ie, when the field info has been merged) could cause
+ * crashes with pathological directories.
+ * -- taviso google com 15 Jun 2006
+ */
+ if (compressionknown)
+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
+ (TIFFDataType) dp->tdir_type), 1 );
+ else goto ignore;
+
fix = 0;
while (fix < tif->tif_nfields &&
tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
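Review bot: `if (compressionknown) ... else goto ignore;` silently discards every unknown tag seen before `compressionknown` becomes non-zero, and nothing documents that this relies on the Compression entry being processed ahead of private tags; the function already tolerates out-of-order directories (`diroutoforderwarning`), and a directory with no Compression entry never sets the flag, so in those cases anonymous fields are never created — I cannot tell from the hunk whether that is intended. A comment by the check such as `/* Relies on tag order: Compression must have been processed before any private tag; unknown tags in out-of-order directories, or in directories lacking Compression, are dropped */` would capture the assumption. The multi-line `if` followed by an unbraced `else goto ignore;` on one line is also easy to misread; bracing both branches matches the surrounding style. The flag is set by `compressionknown++` in the hunk at `@@ -345`, where `compressionknown = 1` would say that it is a flag rather than a counter.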
@@ -345,6 +364,7 @@
dp->tdir_type, dp->tdir_offset);
if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
goto bad;
+ else compressionknown++;
break;
/* XXX: workaround for broken TIFFs */
} else if (dp->tdir_type == TIFF_LONG) {
@@ -555,6 +575,7 @@
* Attempt to deal with a missing StripByteCounts tag.
*/
if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
/*
* Some manufacturers violate the spec by not giving
* the size of the strips. In this case, assume there
@@ -571,7 +592,7 @@
"%s: TIFF directory is missing required "
"\"%s\" field, calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if (EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
/*
@@ -591,7 +612,9 @@
(tif->tif_mode == O_RDONLY && \
td->td_compression == COMPRESSION_NONE && \
td->td_stripbytecount[0] < TIFFScanlineSize(tif) * td->td_imagelength) )
- } else if (td->td_nstrips == 1 && BYTECOUNTLOOKSBAD) {
+ } else if (td->td_nstrips == 1 && BYTECOUNTLOOKSBAD) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+
/*
* Plexus (and others) sometimes give a value
* of zero for a tag when they don't know what
@@ -602,7 +625,7 @@
TIFFWarning(module,
"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
tif->tif_name,
- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+ fip ? fip->field_name : "Unknown");
if(EstimateStripByteCounts(tif, dir, dircount) < 0)
goto bad;
}
@@ -693,7 +716,13 @@
register TIFFDirEntry *dp;
register TIFFDirectory *td = &tif->tif_dir;
- uint16 i;
+
+ /* i is used to iterate over td->td_nstrips, so must be
+ * at least the same width.
+ * -- taviso google com 15 Jun 2006
+ */
+
+ uint32 i;
if (td->td_stripbytecount)
_TIFFfree(td->td_stripbytecount);
@@ -770,16 +799,18 @@
static int
CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
{
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+
if (count > dir->tdir_count) {
TIFFWarning(tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (0);
} else if (count < dir->tdir_count) {
TIFFWarning(tif->tif_name,
"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+ fip ? fip->field_name : "Unknown",
dir->tdir_count, count);
return (1);
}
@@ -793,6 +824,7 @@
TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
{
int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
tsize_t cc = dir->tdir_count * w;
/* Check for overflow. */
@@ -835,7 +867,7 @@
return (cc);
bad:
TIFFError(tif->tif_name, "Error fetching data for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
return ((tsize_t) 0);
}
@@ -861,10 +893,13 @@
static int
cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
{
+ const TIFFFieldInfo* fip;
+
if (denom == 0) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFError(tif->tif_name,
"%s: Rational with zero denominator (num = %lu)",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
+ fip ? fip->field_name : "Unknown", num);
return (0);
} else {
if (dir->tdir_type == TIFF_RATIONAL)
@@ -982,6 +1017,20 @@
{
uint16 v[4];
int ok = 0;
+ /*
+ * Prevent overflowing the v stack arrays below by performing a sanity
+ * check on tdir_count, this should never be greater than two.
+ * -- taviso google com 14 Jun 2006.
+ */
+ if (dir->tdir_count > 2) {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFWarning(tif->tif_name,
+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
+ fip ? fip->field_name : "Unknown",
+ dir->tdir_count);
+ return 0;
+ }
+
switch (dir->tdir_type) {
case TIFF_SHORT:
@@ -1148,13 +1197,16 @@
case TIFF_DOUBLE:
return (TIFFFetchDoubleArray(tif, dir, (double*) v));
default:
+ {
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
/* TIFF_NOTYPE */
/* TIFF_ASCII */
/* TIFF_UNDEFINED */
TIFFError(tif->tif_name,
"cannot read TIFF_ANY type %d for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
return (0);
+ }
}
return (1);
}
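Review bot: The `TIFFError` call in the `default:` branch still has a format/argument mismatch: the format `"cannot read TIFF_ANY type %d for field \"%s\""` expects an `int` and a string, but only `fip ? fip->field_name : "Unknown"` is passed, so the pointer is printed through `%d` and `%s` reads an argument that was never supplied. The commit rewrites this line, so it is the natural place to fix it: `dir->tdir_type, fip ? fip->field_name : "Unknown");`. The enclosing `switch` and function begin outside this hunk.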
@@ -1169,6 +1221,9 @@
int ok = 0;
const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ if (fip == NULL) {
+ return (0);
+ }
if (dp->tdir_count > 1) { /* array of values */
char* cp = NULL;
@@ -1311,6 +1366,7 @@
TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1327,10 +1383,11 @@
check_count = samples;
for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
+ if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFError(tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1352,6 +1409,7 @@
TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1369,9 +1427,10 @@
check_count = samples;
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFError(tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
@@ -1393,6 +1452,7 @@
TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
{
uint16 samples = tif->tif_dir.td_samplesperpixel;
+ const TIFFFieldInfo* fip;
int status = 0;
if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1410,9 +1470,10 @@
for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
TIFFError(tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+ fip ? fip->field_name : "Unknown");
goto bad;
}
*pl = v[0];
--- tiff-3.7.1/libtiff/tif_jpeg.c.ormandy 2006-08-01 17:32:22.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_jpeg.c 2006-08-01 17:32:22.000000000 -0400
@@ -691,8 +691,8 @@
segment_width = TIFFhowmany(segment_width, sp->h_sampling);
segment_height = TIFFhowmany(segment_height, sp->v_sampling);
}
- if (sp->cinfo.d.image_width != segment_width ||
- sp->cinfo.d.image_height != segment_height) {
+ if (sp->cinfo.d.image_width < segment_width ||
+ sp->cinfo.d.image_height < segment_height) {
TIFFWarning(module,
"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
segment_width,
@@ -700,6 +700,22 @@
sp->cinfo.d.image_width,
sp->cinfo.d.image_height);
}
+ if (sp->cinfo.d.image_width > segment_width ||
+ sp->cinfo.d.image_height > segment_height) {
+ /*
+ * This case could be dangerous, if the strip or tile size has been
+ * reported as less than the amount of data jpeg will return, some
+ * potential security issues arise. Catch this case and error out.
+ * -- taviso google com 14 Jun 2006
+ */
+ TIFFError(module,
+ "JPEG strip/tile size exceeds expected dimensions,"
+ "expected %dx%d, got %dx%d", segment_width, segment_height,
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ return (0);
+ }
+
+
if (sp->cinfo.d.num_components !=
(td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1)) {
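Review bot: The new error string is built from two literals with no separator between them, so the message renders with `dimensions,expected` run together; adding a trailing space to the first piece, `"JPEG strip/tile size exceeds expected dimensions, "`, fixes the output. The two blank lines left after the new block are also more than the surrounding code uses. The enclosing function begins and ends outside this hunk.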
@@ -721,6 +737,22 @@
sp->cinfo.d.comp_info[0].v_samp_factor,
sp->h_sampling, sp->v_sampling);
+ /*
+ * There are potential security issues here for decoders that
+ * have already allocated buffers based on the expected sampling
+ * factors. Lets check the sampling factors dont exceed what
+ * we were expecting.
+ * -- taviso google com 14 June 2006
+ */
+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
+ TIFFError(module,
+ "Cannot honour JPEG sampling factors that"
+ " exceed those specified.");
+ return (0);
+ }
+
+
/*
* XXX: Files written by the Intergraph software
* has different sampling factors stored in the
@@ -1353,15 +1385,18 @@
{
JPEGState *sp = JState(tif);
- assert(sp != 0);
+ /* assert(sp != 0); */
tif->tif_tagmethods.vgetfield = sp->vgetparent;
tif->tif_tagmethods.vsetfield = sp->vsetparent;
- if( sp->cinfo_initialized )
- TIFFjpeg_destroy(sp); /* release libjpeg resources */
- if (sp->jpegtables) /* tag value */
- _TIFFfree(sp->jpegtables);
+ if (sp != NULL) {
+ if( sp->cinfo_initialized )
+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
+ if (sp->jpegtables) /* tag value */
+ _TIFFfree(sp->jpegtables);
+ }
+
_TIFFfree(tif->tif_data); /* release local state */
tif->tif_data = NULL;
}
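Review bot: The NULL guard added in `JPEGCleanup` comes too late: `tif->tif_tagmethods.vgetfield = sp->vgetparent;` and the `vsetfield` line below it still dereference `sp` unconditionally, so the case the removed `assert` used to catch now reaches a NULL dereference on those two lines before the `if (sp != NULL)` block is ever entered. An early `if (sp == NULL) return;` ahead of the two assignments (the `_TIFFfree(tif->tif_data)` housekeeping has nothing to release in that case, since `sp` is taken from `tif_data`) would make the guard meaningful, or the assignments can move inside the block. The commented-out `/* assert(sp != 0); */` should be deleted rather than kept as dead text.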
@@ -1371,6 +1406,7 @@
{
JPEGState* sp = JState(tif);
TIFFDirectory* td = &tif->tif_dir;
+ const TIFFFieldInfo* fip;
uint32 v32;
switch (tag) {
@@ -1527,6 +1563,10 @@
{
JPEGState* sp = JState(tif);
+ if (sp == NULL) {
+ TIFFWarning("JPEGPrintDir", "Unknown JPEGState");
+ return;
+ }
(void) flags;
if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
fprintf(fd, " JPEG Tables: (%lu bytes)\n",
--- tiff-3.7.1/libtiff/tif_fax3.c.ormandy 2006-08-01 17:32:22.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_fax3.c 2006-08-01 17:32:22.000000000 -0400
@@ -1133,6 +1133,7 @@
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
{
Fax3BaseState* sp = Fax3State(tif);
+ const TIFFFieldInfo* fip;
assert(sp != 0);
assert(sp->vsetparent != 0);
@@ -1175,7 +1176,13 @@
default:
return (*sp->vsetparent)(tif, tag, ap);
}
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
+ TIFFSetFieldBit(tif, fip->field_bit);
+ } else {
+ return (0);
+ }
+
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
}
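Review bot: The new `return (0)` after a failed `_TIFFFieldWithTag` lookup runs only after the `switch` above has already stored the tag's value into `sp`, so the caller is told the set failed while the codec state has changed and neither the field bit nor `TIFF_DIRTYDIRECT` is recorded. If the lookup can only fail for tags the `switch` does not recognise — and those are forwarded to `vsetparent` in `default:` before reaching this point — then it cannot fail here and a comment saying so would suffice; otherwise the lookup belongs before the `switch`. `Fax3VSetField` starts in the hunk at `@@ -1133` but its body spans both hunks.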
--- tiff-3.7.1/libtiff/tif_dirinfo.c.ormandy 2004-11-12 12:33:53.000000000 -0500
+++ tiff-3.7.1/libtiff/tif_dirinfo.c 2006-08-01 17:32:22.000000000 -0400
@@ -465,7 +465,8 @@
TIFFError("TIFFFieldWithTag",
"Internal error, unknown tag 0x%x",
(unsigned int) tag);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
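Review bot: With the `assert(fip != NULL)` calls commented out, the `/*NOTREACHED*/` annotations that follow them in both hunks are now wrong: control falls through to `return (fip);` and hands back NULL, and a reader trusting the annotation will miss that. The commented-out asserts should be deleted rather than left as dead text, and `/*NOTREACHED*/` replaced by a statement of the new contract, e.g. `/* returns NULL for an unknown tag after reporting it; callers must check */`, since every `fip ? fip->field_name : "Unknown"` site in this patch now depends on it. The same applies to `TIFFFieldWithName` in the second hunk of this file.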
@@ -479,7 +480,8 @@
if (!fip) {
TIFFError("TIFFFieldWithName",
"Internal error, unknown tag %s", field_name);
- assert(fip != NULL);
+ /* assert(fip != NULL); */
+
/*NOTREACHED*/
}
return (fip);
Index: libtiff.spec
===================================================================
RCS file: /cvs/dist/rpms/libtiff/FC-4/libtiff.spec,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- libtiff.spec 26 May 2006 03:23:16 -0000 1.31
+++ libtiff.spec 1 Aug 2006 21:43:15 -0000 1.32
@@ -1,7 +1,7 @@
Summary: A library of functions for manipulating TIFF format image files.
Name: libtiff
Version: 3.7.1
-Release: 6.fc4.2
+Release: 6.fc4.3
License: distributable
Group: System Environment/Libraries
Source0: http://www.libtiff.org/tiff-%{version}.tar.gz
@@ -15,6 +15,7 @@
Patch5: tiff-3.7.1-multiple.patch
Patch6: tiff-3.6.1-color.patch
Patch7: tiffsplit-overflow.patch
+Patch8: libtiff-3.7.1-ormandy.patch
URL: http://www.libtiff.org/
BuildRoot: %{_tmppath}/%{name}-root
BuildRequires: zlib-devel zlib libjpeg-devel libjpeg
@@ -55,6 +56,7 @@
%patch5 -p1 -b .multiple
%patch6 -p0 -b .color
%patch7 -p1 -b .overflow
+%patch8 -p1 -b .ormandy
%build
@@ -93,6 +95,10 @@
%{_mandir}/man3/*
%changelog
+* Tue Aug 1 2006 Matthias Clasen <mclasen redhat com>
+- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461
+ CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
+
* Thu May 25 2006 Matthias Clasen <mclasen redhat com>
- Fix an overflow in tiffsplit (#193167)