[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/libtiff/FC-5 libtiff-3.7.4-ormandy.patch, NONE, 1.1 libtiff.spec, 1.40, 1.41



Author: mclasen

Update of /cvs/dist/rpms/libtiff/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv23444

Modified Files:
	libtiff.spec 
Added Files:
	libtiff-3.7.4-ormandy.patch 
Log Message:
Fix several vulnerabilities


libtiff-3.7.4-ormandy.patch:
 tif_dir.c      |   19 +++++-----
 tif_dirinfo.c  |    6 ++-
 tif_dirread.c  |  108 ++++++++++++++++++++++++++++++++++++++++++++-------------
 tif_fax3.c     |    9 ++++
 tif_jpeg.c     |   64 +++++++++++++++++++++++++++++----
 tif_next.c     |    7 +++
 tif_pixarlog.c |   14 ++++++-
 tif_read.c     |   18 ++++++++-
 8 files changed, 197 insertions(+), 48 deletions(-)

--- NEW FILE libtiff-3.7.4-ormandy.patch ---
--- tiff-3.7.4/libtiff/tif_dir.c.ormandy	2005-09-08 04:18:41.000000000 -0400
+++ tiff-3.7.4/libtiff/tif_dir.c	2006-08-01 17:11:49.000000000 -0400
@@ -122,6 +122,7 @@
 {
 	static const char module[] = "_TIFFVSetField";
 	
+	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
 	TIFFDirectory* td = &tif->tif_dir;
 	int status = 1;
 	uint32 v32, i, v;
@@ -196,10 +197,12 @@
 		break;
 	case TIFFTAG_ORIENTATION:
 		v = va_arg(ap, uint32);
+		const TIFFFieldInfo* fip;
 		if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+		        fip = _TIFFFieldWithTag(tif, tag);
 			TIFFWarning(tif->tif_name,
 			    "Bad value %lu for \"%s\" tag ignored",
-			    v, _TIFFFieldWithTag(tif, tag)->field_name);
+				    v, fip ? fip->field_name : "Unknown");
 		} else
 			td->td_orientation = (uint16) v;
 		break;
@@ -440,7 +443,7 @@
 		TIFFError(module,
 		    "%s: Invalid %stag \"%s\" (not supported by codec)",
 		    tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-		    _TIFFFieldWithTag(tif, tag)->field_name);
+			  fip ? fip->field_name : "Unknown");
 		status = 0;
 		break;
             }
@@ -515,7 +518,7 @@
 	    if (fip->field_type == TIFF_ASCII)
 		    _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
 	    else {
-                tv->value = _TIFFmalloc(tv_size * tv->count);
+	      tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
 	        if (!tv->value) {
 		    status = 0;
 		    goto end;
@@ -592,7 +595,7 @@
           }
 	}
 	if (status) {
-		TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+		TIFFSetFieldBit(tif, fip->field_bit);
 		tif->tif_flags |= TIFF_DIRTYDIRECT;
 	}
 
@@ -601,17 +604,17 @@
 	return (status);
 badvalue:
 	TIFFError(module, "%s: Bad value %d for \"%s\"",
-		  tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+		  tif->tif_name, v, fip ? fip->field_name : "Unknown");
 	va_end(ap);
 	return (0);
 badvalue32:
 	TIFFError(module, "%s: Bad value %ld for \"%s\"",
-		   tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+		  tif->tif_name, v32, fip ? fip->field_name : "Unknown");
 	va_end(ap);
 	return (0);
 badvaluedbl:
 	TIFFError(module, "%s: Bad value %f for \"%s\"",
-		  tif->tif_name, d, _TIFFFieldWithTag(tif, tag)->field_name);
+		  tif->tif_name, d, fip ? fip->field_name : "Unknown");
 	va_end(ap);
 	return (0);
 }
@@ -891,7 +894,7 @@
                 TIFFError("_TIFFVGetField",
                           "%s: Invalid %stag \"%s\" (not supported by codec)",
                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-                          _TIFFFieldWithTag(tif, tag)->field_name);
+                          fip ? fip->field_name : "Unknown");
                 ret_val = 0;
                 break;
             }
--- tiff-3.7.4/libtiff/tif_pixarlog.c.ormandy	2006-08-01 17:11:49.000000000 -0400
+++ tiff-3.7.4/libtiff/tif_pixarlog.c	2006-08-01 17:15:24.000000000 -0400
@@ -768,7 +768,19 @@
 	if (tif->tif_flags & TIFF_SWAB)
 		TIFFSwabArrayOfShort(up, nsamples);
 
-	for (i = 0; i < nsamples; i += llen, up += llen) {
+	/* 
+	 * if llen is not an exact multiple of nsamples, the decode operation
+	 * may overflow the output buffer, so truncate it enough to prevent that
+	 * but still salvage as much data as possible.
+	 * -- taviso google com 14th June 2006
+	 */
+	if (nsamples % llen) 
+		TIFFWarning(module,
+				"%s: stride %lu is not a multiple of sample count, "
+				"%lu, data truncated.", tif->tif_name, llen, nsamples);
+				
+	
+	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
 		switch (sp->user_datafmt)  {
 		case PIXARLOGDATAFMT_FLOAT:
 			horizontalAccumulateF(up, llen, sp->stride,
--- tiff-3.7.4/libtiff/tif_next.c.ormandy	2004-11-07 06:08:36.000000000 -0500
+++ tiff-3.7.4/libtiff/tif_next.c	2006-08-01 17:11:49.000000000 -0400
@@ -105,11 +105,16 @@
 			 * as codes of the form <color><npixels>
 			 * until we've filled the scanline.
 			 */
+			/*
+			 * Ensure the run does not exceed the scanline
+			 * bounds, potentially resulting in a security issue.
+			 * -- taviso google com 14 Jun 2006.
+			 */
 			op = row;
 			for (;;) {
 				grey = (n>>6) & 0x3;
 				n &= 0x3f;
-				while (n-- > 0)
+				while (n-- > 0 && npixels < imagewidth)
 					SETPIXEL(op, grey);
 				if (npixels >= (int) imagewidth)
 					break;
--- tiff-3.7.4/libtiff/tif_read.c.ormandy	2005-04-15 13:13:34.000000000 -0400
+++ tiff-3.7.4/libtiff/tif_read.c	2006-08-01 17:11:49.000000000 -0400
@@ -31,6 +31,8 @@
 #include "tiffiop.h"
 #include <stdio.h>
 
+#include <limits.h>
+
 	int TIFFFillStrip(TIFF*, tstrip_t);
 	int TIFFFillTile(TIFF*, ttile_t);
 static	int TIFFStartStrip(TIFF*, tstrip_t);
@@ -272,7 +274,13 @@
 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
 			_TIFFfree(tif->tif_rawdata);
 		tif->tif_flags &= ~TIFF_MYBUFFER;
-		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+		/*
+		 * This sanity check could potentially overflow, causing an OOB read.
+		 * verify that offset + bytecount is > offset.
+		 * -- taviso google com 14 Jun 2006
+		 */
+		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+			bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
 			/*
 			 * This error message might seem strange, but it's
 			 * what would happen if a read were done instead.
@@ -470,7 +478,13 @@
 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
 			_TIFFfree(tif->tif_rawdata);
 		tif->tif_flags &= ~TIFF_MYBUFFER;
-		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+		/*
+		 * We must check this calculation doesnt overflow, potentially
+		 * causing an OOB read.
+		 * -- taviso google com 15 Jun 2006
+		 */
+		if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+			bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
 			tif->tif_curtile = NOTILE;
 			return (0);
 		}
--- tiff-3.7.4/libtiff/tif_dirread.c.ormandy	2006-08-01 17:11:49.000000000 -0400
+++ tiff-3.7.4/libtiff/tif_dirread.c	2006-08-01 17:11:49.000000000 -0400
@@ -29,6 +29,9 @@
  *
  * Directory Read Support Routines.
  */
+
+#include <limits.h>
+
 #include "tiffiop.h"
 
 #define	IGNORE	0		/* tag placeholder used below */
@@ -84,6 +87,7 @@
 	toff_t nextdiroff;
 	char* cp;
 	int diroutoforderwarning = 0;
+	int compressionknown = 0;
 	toff_t* new_dirlist;
 
 	tif->tif_diroff = tif->tif_nextdiroff;
@@ -151,13 +155,21 @@
 	} else {
 		toff_t off = tif->tif_diroff;
 
-		if (off + sizeof (uint16) > tif->tif_size) {
-			TIFFError(module,
-			    "%s: Can not read TIFF directory count",
-                            tif->tif_name);
-			return (0);
-		} else
-			_TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
+ 		/*
+ 		 * Check for integer overflow when validating the dir_off, otherwise
+ 		 * a very high offset may cause an OOB read and crash the client.
+ 		 * -- taviso google com, 14 Jun 2006.
+ 		 */
+ 		if (off + sizeof (uint16) > tif->tif_size || 
+ 			off > (UINT_MAX - sizeof(uint16))) {
+ 				TIFFError(module,
+					  "%s: Can not read TIFF directory count",
+					  tif->tif_name);
+ 				return (0);
+  		} else
+ 			_TIFFmemcpy(&dircount, tif->tif_base + off,
+ 					sizeof (uint16));
+
 		off += sizeof (uint16);
 		if (tif->tif_flags & TIFF_SWAB)
 			TIFFSwabShort(&dircount);
@@ -257,6 +269,7 @@
 		while (fix < tif->tif_nfields &&
 		       tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
 			fix++;
+
 		if (fix >= tif->tif_nfields ||
 		    tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
 
@@ -265,11 +278,17 @@
                                 tif->tif_name, dp->tdir_tag, dp->tdir_tag,
                                 dp->tdir_type);
 
-                    TIFFMergeFieldInfo( tif,
-                                        _TIFFCreateAnonFieldInfo( tif,
-                                              dp->tdir_tag,
-					      (TIFFDataType) dp->tdir_type ),
-                                        1 );
+ 					/*
+ 					 * Creating anonymous fields prior to knowing the compression
+ 					 * algorithm (ie, when the field info has been merged) could cause
+ 					 * crashes with pathological directories.
+ 					 * -- taviso google com 15 Jun 2006
+ 					 */
+ 					if (compressionknown)
+ 			                    TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
+ 						(TIFFDataType) dp->tdir_type), 1 );
+ 					else goto ignore;
+ 		    
                     fix = 0;
                     while (fix < tif->tif_nfields &&
                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
@@ -326,6 +345,7 @@
 				    dp->tdir_type, dp->tdir_offset);
 				if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
 					goto bad;
+				else compressionknown++;
 				break;
 			/* XXX: workaround for broken TIFFs */
 			} else if (dp->tdir_type == TIFF_LONG) {
@@ -533,6 +553,7 @@
 	 * Attempt to deal with a missing StripByteCounts tag.
 	 */
 	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
 		/*
 		 * Some manufacturers violate the spec by not giving
 		 * the size of the strips.  In this case, assume there
@@ -549,7 +570,7 @@
 			"%s: TIFF directory is missing required "
 			"\"%s\" field, calculating from imagelength",
 			tif->tif_name,
-		        _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+		        fip ? fip->field_name : "Unknown");
 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
 		    goto bad;
 /* 
@@ -573,6 +594,7 @@
 	} else if (td->td_nstrips == 1 
                    && td->td_stripoffset[0] != 0 
                    && BYTECOUNTLOOKSBAD) {
+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
 		/*
 		 * Plexus (and others) sometimes give a value
 		 * of zero for a tag when they don't know what
@@ -583,7 +605,7 @@
 		TIFFWarning(module,
 	"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
                             tif->tif_name,
-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+		            fip ? fip->field_name : "Unknown");
 		if(EstimateStripByteCounts(tif, dir, dircount) < 0)
 		    goto bad;
 	}
@@ -682,7 +704,13 @@
 
 	register TIFFDirEntry *dp;
 	register TIFFDirectory *td = &tif->tif_dir;
-	uint16 i;
+	
+	/* i is used to iterate over td->td_nstrips, so must be
+	 * at least the same width.
+	 * -- taviso google com 15 Jun 2006
+	 */
+
+	uint32 i;
 
 	if (td->td_stripbytecount)
 		_TIFFfree(td->td_stripbytecount);
@@ -759,16 +787,18 @@
 static int
 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
 {
+ 	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 
 	if (count > dir->tdir_count) {
 		TIFFWarning(tif->tif_name,
 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+			    fip ? fip->field_name : "Unknown",
 		    dir->tdir_count, count);
 		return (0);
 	} else if (count < dir->tdir_count) {
 		TIFFWarning(tif->tif_name,
 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+			    fip ? fip->field_name : "Unknown",
 		    dir->tdir_count, count);
 		return (1);
 	}
@@ -782,6 +812,7 @@
 TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
 {
 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
+	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
 	tsize_t cc = dir->tdir_count * w;
 
 	/* Check for overflow. */
@@ -824,7 +855,7 @@
 	return (cc);
 bad:
 	TIFFError(tif->tif_name, "Error fetching data for field \"%s\"",
-	    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+		  fip ? fip->field_name : "Unknown");
 	return ((tsize_t) 0);
 }
 
@@ -850,10 +881,13 @@
 static int
 cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
 {
+	const TIFFFieldInfo* fip;
+
 	if (denom == 0) {
+	        fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
 		TIFFError(tif->tif_name,
 		    "%s: Rational with zero denominator (num = %lu)",
-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
+			  fip ? fip->field_name : "Unknown", num);
 		return (0);
 	} else {
 		if (dir->tdir_type == TIFF_RATIONAL)
@@ -970,6 +1004,20 @@
 static int
 TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
 {
+	/*
+	 * Prevent overflowing the v stack arrays below by performing a sanity
+	 * check on tdir_count, this should never be greater than two.
+	 * -- taviso google com 14 Jun 2006.
+	 */
+	if (dir->tdir_count > 2) {
+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+		TIFFWarning(tif->tif_name,
+				"unexpected count for field \"%s\", %lu, expected 2; ignored.",
+				fip ? fip->field_name : "Unknown",
+				dir->tdir_count);
+		return 0;
+	}
+
 	switch (dir->tdir_type) {
 		case TIFF_BYTE:
 		case TIFF_SBYTE:
@@ -1140,13 +1188,16 @@
 	case TIFF_DOUBLE:
 		return (TIFFFetchDoubleArray(tif, dir, (double*) v));
 	default:
+	        { 
+                const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
 		/* TIFF_NOTYPE */
 		/* TIFF_ASCII */
 		/* TIFF_UNDEFINED */
 		TIFFError(tif->tif_name,
 		    "cannot read TIFF_ANY type %d for field \"%s\"",
-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+			  fip ? fip->field_name : "Unknown");
 		return (0);
+                }
 	}
 	return (1);
 }
@@ -1161,6 +1212,9 @@
 	int ok = 0;
 	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
 
+	if (fip == NULL) {
+		return (0);
+	}
 	if (dp->tdir_count > 1) {		/* array of values */
 		char* cp = NULL;
 
@@ -1302,6 +1356,7 @@
 TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
 {
     uint16 samples = tif->tif_dir.td_samplesperpixel;
+    const TIFFFieldInfo* fip;
     int status = 0;
 
     if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1318,10 +1373,11 @@
                 check_count = samples;
 
             for (i = 1; i < check_count; i++)
-                if (v[i] != v[0]) {
+                if (v[i] != v[0]) {	
+		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
                     TIFFError(tif->tif_name,
                               "Cannot handle different per-sample values for field \"%s\"",
-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                              fip ? fip->field_name : "Unknown");
                     goto bad;
                 }
             *pl = v[0];
@@ -1343,6 +1399,7 @@
 TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
 {
     uint16 samples = tif->tif_dir.td_samplesperpixel;
+    const TIFFFieldInfo* fip;
     int status = 0;
 
     if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1360,9 +1417,10 @@
                 check_count = samples;
             for (i = 1; i < check_count; i++)
                 if (v[i] != v[0]) {
+		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
                     TIFFError(tif->tif_name,
                               "Cannot handle different per-sample values for field \"%s\"",
-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                              fip ? fip->field_name : "Unknown");
                     goto bad;
                 }
             *pl = v[0];
@@ -1384,6 +1442,7 @@
 TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
 {
     uint16 samples = tif->tif_dir.td_samplesperpixel;
+    const TIFFFieldInfo* fip;
     int status = 0;
 
     if (CheckDirCount(tif, dir, (uint32) samples)) {
@@ -1401,9 +1460,10 @@
 
             for (i = 1; i < check_count; i++)
                 if (v[i] != v[0]) {
+		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
                     TIFFError(tif->tif_name,
                               "Cannot handle different per-sample values for field \"%s\"",
-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                              fip ? fip->field_name : "Unknown");
                     goto bad;
                 }
             *pl = v[0];
--- tiff-3.7.4/libtiff/tif_jpeg.c.ormandy	2006-08-01 17:11:49.000000000 -0400
+++ tiff-3.7.4/libtiff/tif_jpeg.c	2006-08-01 17:11:49.000000000 -0400
@@ -710,8 +710,8 @@
 		segment_width = TIFFhowmany(segment_width, sp->h_sampling);
 		segment_height = TIFFhowmany(segment_height, sp->v_sampling);
 	}
-	if (sp->cinfo.d.image_width != segment_width ||
-	    sp->cinfo.d.image_height != segment_height) {
+	if (sp->cinfo.d.image_width < segment_width ||
+	    sp->cinfo.d.image_height < segment_height) {
 		TIFFWarning(module, 
                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
                           segment_width, 
@@ -719,6 +719,22 @@
                           sp->cinfo.d.image_width, 
                           sp->cinfo.d.image_height);
 	}
+ 	if (sp->cinfo.d.image_width > segment_width ||
+	    sp->cinfo.d.image_height > segment_height) {
+ 		/*
+ 		 * This case could be dangerous, if the strip or tile size has been
+ 		 * reported as less than the amount of data jpeg will return, some
+ 		 * potential security issues arise. Catch this case and error out.
+ 		 * -- taviso google com 14 Jun 2006
+ 		 */
+ 		TIFFError(module, 
+			  "JPEG strip/tile size exceeds expected dimensions,"
+			  "expected %dx%d, got %dx%d", segment_width, segment_height,
+			  sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ 		return (0);
+  	}
+
+
 	if (sp->cinfo.d.num_components !=
 	    (td->td_planarconfig == PLANARCONFIG_CONTIG ?
 	     td->td_samplesperpixel : 1)) {
@@ -749,6 +765,22 @@
                                     sp->cinfo.d.comp_info[0].v_samp_factor,
                                     sp->h_sampling, sp->v_sampling);
 
+				/*
+				 * There are potential security issues here for decoders that
+				 * have already allocated buffers based on the expected sampling
+				 * factors. Lets check the sampling factors dont exceed what
+				 * we were expecting.
+				 * -- taviso google com 14 June 2006
+				 */
+				if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
+					sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
+						TIFFError(module,
+							"Cannot honour JPEG sampling factors that"
+							" exceed those specified.");
+						return (0);
+				}
+
+
 			    /*
 			     * XXX: Files written by the Intergraph software
 			     * has different sampling factors stored in the
@@ -1502,15 +1534,18 @@
 {
 	JPEGState *sp = JState(tif);
 	
-	assert(sp != 0);
+	/* assert(sp != 0); */
 
 	tif->tif_tagmethods.vgetfield = sp->vgetparent;
 	tif->tif_tagmethods.vsetfield = sp->vsetparent;
 
-	if( sp->cinfo_initialized )
-	    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
-	if (sp->jpegtables)		/* tag value */
-		_TIFFfree(sp->jpegtables);
+	if (sp != NULL) {
+		if( sp->cinfo_initialized )
+		    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
+		if (sp->jpegtables)		/* tag value */
+			_TIFFfree(sp->jpegtables);
+	}
+
 	_TIFFfree(tif->tif_data);	/* release local state */
 	tif->tif_data = NULL;
 }
@@ -1520,6 +1555,7 @@
 {
 	JPEGState* sp = JState(tif);
 	TIFFDirectory* td = &tif->tif_dir;
+	const TIFFFieldInfo* fip;
 	uint32 v32;
 
 	assert(sp != NULL);
@@ -1585,7 +1621,13 @@
 	default:
 		return (*sp->vsetparent)(tif, tag, ap);
 	}
-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+	if ((fip = _TIFFFieldWithTag(tif, tag))) {
+		TIFFSetFieldBit(tif, fip->field_bit);
+	} else {
+		return (0);
+	}
+
 	tif->tif_flags |= TIFF_DIRTYDIRECT;
 	return (1);
 }
@@ -1705,7 +1747,11 @@
 {
 	JPEGState* sp = JState(tif);
 
-	assert(sp != NULL);
+	/* assert(sp != NULL); */
+	if (sp == NULL) {
+		TIFFWarning("JPEGPrintDir", "Unknown JPEGState");
+		return;
+	}
 
 	(void) flags;
 	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
--- tiff-3.7.4/libtiff/tif_fax3.c.ormandy	2006-08-01 17:11:49.000000000 -0400
+++ tiff-3.7.4/libtiff/tif_fax3.c	2006-08-01 17:11:49.000000000 -0400
@@ -1122,6 +1122,7 @@
 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
 {
 	Fax3BaseState* sp = Fax3State(tif);
+	const TIFFFieldInfo* fip;
 
 	assert(sp != 0);
 	assert(sp->vsetparent != 0);
@@ -1167,7 +1168,13 @@
 	default:
 		return (*sp->vsetparent)(tif, tag, ap);
 	}
-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+	
+	if ((fip = _TIFFFieldWithTag(tif, tag))) {
+		TIFFSetFieldBit(tif, fip->field_bit);
+	} else {
+		return (0);
+	}
+
 	tif->tif_flags |= TIFF_DIRTYDIRECT;
 	return (1);
 }
--- tiff-3.7.4/libtiff/tif_dirinfo.c.ormandy	2005-07-28 04:49:23.000000000 -0400
+++ tiff-3.7.4/libtiff/tif_dirinfo.c	2006-08-01 17:11:49.000000000 -0400
@@ -636,7 +636,8 @@
 		TIFFError("TIFFFieldWithTag",
 			  "Internal error, unknown tag 0x%x",
                           (unsigned int) tag);
-		assert(fip != NULL);
+		/* assert(fip != NULL); */
+
 		/*NOTREACHED*/
 	}
 	return (fip);
@@ -650,7 +651,8 @@
 	if (!fip) {
 		TIFFError("TIFFFieldWithName",
 			  "Internal error, unknown tag %s", field_name);
-		assert(fip != NULL);
+		/* assert(fip != NULL); */
+		
 		/*NOTREACHED*/
 	}
 	return (fip);


Index: libtiff.spec
===================================================================
RCS file: /cvs/dist/rpms/libtiff/FC-5/libtiff.spec,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- libtiff.spec	28 May 2006 04:09:12 -0000	1.40
+++ libtiff.spec	1 Aug 2006 21:19:12 -0000	1.41
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 3.7.4
-Release: 7
+Release: 8
 License: distributable
 Group: System Environment/Libraries
 Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
@@ -13,6 +13,7 @@
 Patch0: tiff-3.7.1-multiple.patch
 Patch1: tiff-3.6.1-color.patch
 Patch2: tiffsplit-overflow.patch
+Patch3: libtiff-3.7.4-ormandy.patch
 
 %description
 The libtiff package contains a library of functions for manipulating
@@ -42,6 +43,7 @@
 %patch0 -p1 -b .multiple
 %patch1 -p0 -b .color
 %patch2 -p1 -b .overflow
+%patch3 -p1 -b .ormandy
 
 %build
 %configure
@@ -81,6 +83,10 @@
 %{_mandir}/man3/*
 
 %changelog
+* Mon Jul 24 2006 Matthias Clasen <mclasen redhat com>
+- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461
+  CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
+
 * Sun May 28 2006 Matthias Clasen <mclasen redhat com>
 - actually apply the patch
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]