rpms/libtiff/FC-4 tiff-3.6.1-color.patch, NONE, 1.1 tiff-3.7.1-multiple.patch, NONE, 1.1 libtiff.spec, 1.29, 1.30

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Apr 26 18:14:17 UTC 2006


Author: mclasen

Update of /cvs/dist/rpms/libtiff/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv15663

Modified Files:
	libtiff.spec 
Added Files:
	tiff-3.6.1-color.patch tiff-3.7.1-multiple.patch 
Log Message:
Fix several vulnerabilities.


tiff-3.6.1-color.patch:
 tif_color.c |    5 +++++
 1 files changed, 5 insertions(+)

--- NEW FILE tiff-3.6.1-color.patch ---
Index: libtiff/tif_color.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -a -u -r1.11 -r1.12
--- libtiff/tif_color.c	23 Nov 2005 22:20:56 -0000	1.11
+++ libtiff/tif_color.c	9 Feb 2006 15:42:20 -0000	1.12
@@ -92,6 +92,11 @@
 	Yg = TIFFmax(Yg, cielab->display.d_Y0G);
 	Yb = TIFFmax(Yb, cielab->display.d_Y0B);
 
+	/* Avoid overflow in case of wrong input values */
+	Yr = TIFFmin(Yr, cielab->display.d_YCR);
+	Yg = TIFFmin(Yg, cielab->display.d_YCG);
+	Yb = TIFFmin(Yb, cielab->display.d_YCB);
+
 	/* Turn luminosity to colour value. */
 	i = (int)((Yr - cielab->display.d_Y0R) / cielab->rstep);
 	i = TIFFmin(cielab->range, i);
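Review bot: The added comment `/* Avoid overflow in case of wrong input values */` does not say what overflows; something like `/* Clamp to the display maximum so the (int) conversion below stays in range; TIFFmin(range, i) only runs after the cast */` would tell the next reader why the clamp has to sit before the division. The clamp also assumes d_YCR >= d_Y0R: if a display description had the two reversed, Yr would end up below d_Y0R and `i` would go negative, which `TIFFmin(cielab->range, i)` does not catch. How `i` is used lies outside the hunk, but if it indexes a lookup table then `i = TIFFmax(0, i);` is a cheap lower bound. The Yg and Yb paths presumably follow the same pattern below the hunk and would need the same treatment.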

tiff-3.7.1-multiple.patch:
 tif_dirread.c  |    9 ++++++++-
 tif_fax3.c     |   32 +++++++++++++++++++-------------
 tif_jpeg.c     |   22 +++++++++++++---------
 tif_lzw.c      |    2 ++
 tif_pixarlog.c |   39 ++++++++++++++++++++++-----------------
 tif_predict.c  |   27 ++++++++++++++++++++++++++-
 tif_predict.h  |    1 +
 tif_zip.c      |   26 ++++++++++++++++----------
 8 files changed, 107 insertions(+), 51 deletions(-)

--- NEW FILE tiff-3.7.1-multiple.patch ---
--- tiff-3.7.1/libtiff/tif_fax3.c.multiple	2004-12-20 14:29:27.000000000 -0500
+++ tiff-3.7.1/libtiff/tif_fax3.c	2006-04-26 14:10:24.000000000 -0400
@@ -1070,19 +1070,22 @@
 static void
 Fax3Cleanup(TIFF* tif)
 {
-	if (tif->tif_data) {
-		Fax3CodecState* sp = DecoderState(tif);
-
-		if (sp->runs)
-			_TIFFfree(sp->runs);
-		if (sp->refline)
-			_TIFFfree(sp->refline);
-
-		if (Fax3State(tif)->subaddress)
-			_TIFFfree(Fax3State(tif)->subaddress);
-		_TIFFfree(tif->tif_data);
-		tif->tif_data = NULL;
-	}
+	Fax3CodecState* sp = DecoderState(tif);
+	
+	assert(sp != 0);
+
+	tif->tif_tagmethods.vgetfield = sp->b.vgetparent;
+	tif->tif_tagmethods.vsetfield = sp->b.vsetparent;
+
+	if (sp->runs)
+		_TIFFfree(sp->runs);
+	if (sp->refline)
+		_TIFFfree(sp->refline);
+
+	if (Fax3State(tif)->subaddress)
+		_TIFFfree(Fax3State(tif)->subaddress);
+	_TIFFfree(tif->tif_data);
+	tif->tif_data = NULL;
 }
 
 #define	FIELD_BADFAXLINES	(FIELD_CODEC+0)
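Review bot: Replacing the `if (tif->tif_data)` guard with `assert(sp != 0)` leaves Fax3Cleanup without any NULL check once the library is built with NDEBUG, so `sp->b.vgetparent` is dereferenced unconditionally. Whether cleanup can run with tif_data already NULL (a failed init, or a second cleanup after `tif->tif_data = NULL`) is not visible here, but the old code tolerated it. Keeping `if (sp == NULL) return;` ahead of the method restore preserves that tolerance, and the assert can stay for debug builds. The same guard-to-assert swap is made in JPEGCleanup, ZIPCleanup and PixarLogCleanup later in this patch.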
@@ -1131,6 +1134,9 @@
 {
 	Fax3BaseState* sp = Fax3State(tif);
 
+	assert(sp != 0);
+	assert(sp->vsetparent != 0);
+
 	switch (tag) {
 	case TIFFTAG_FAXMODE:
 		sp->mode = va_arg(ap, int);
--- tiff-3.7.1/libtiff/tif_dirread.c.multiple	2006-04-26 14:10:24.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_dirread.c	2006-04-26 14:10:24.000000000 -0400
@@ -795,13 +795,20 @@
 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
 	tsize_t cc = dir->tdir_count * w;
 
+	/* Check for overflow. */
+	if (!dir->tdir_count || !w || cc / w != (tsize_t)dir->tdir_count)
+		goto bad;
+
 	if (!isMapped(tif)) {
 		if (!SeekOK(tif, dir->tdir_offset))
 			goto bad;
 		if (!ReadOK(tif, cp, cc))
 			goto bad;
 	} else {
-		if (dir->tdir_offset + cc > tif->tif_size)
+		/* Check for overflow. */
+		if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset
+		    || (tsize_t)dir->tdir_offset + cc < cc
+		    || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size)
 			goto bad;
 		_TIFFmemcpy(cp, tif->tif_base + dir->tdir_offset, cc);
 	}
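Review bot: The test `cc / w != (tsize_t)dir->tdir_count` compares two values that have both already been converted to tsize_t, so if tsize_t is signed (its declaration is not in this hunk) a product that lands on a negative `cc` can still satisfy the equality and pass. The mapped branch then rejects it, but the unmapped branch hands the negative length to `ReadOK`. Adding `cc <= 0 ||` to the first condition closes that. The mapped bound is safer written without the sum, e.g. `dir->tdir_offset > tif->tif_size || cc > tif->tif_size - dir->tdir_offset`, because the wrap checks run after an addition that may itself have overflowed. The enclosing function starts and ends outside the hunk.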
--- tiff-3.7.1/libtiff/tif_lzw.c.multiple	2004-10-02 09:52:29.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_lzw.c	2006-04-26 14:11:42.000000000 -0400
@@ -1002,6 +1002,8 @@
 static void
 LZWCleanup(TIFF* tif)
 {
+        (void)TIFFPredictorCleanup(tif); 
+
 	if (tif->tif_data) {
 		if (DecoderState(tif)->dec_codetab)
 			_TIFFfree(DecoderState(tif)->dec_codetab);
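Review bot: `TIFFPredictorCleanup(tif)` is called before the existing `if (tif->tif_data)` test, yet it presumably takes its state from tif->tif_data and protects that only with an assert. The surviving guard suggests LZWCleanup is expected to cope with a NULL tif_data, so the call belongs inside that block, as its first statement: `(void)TIFFPredictorCleanup(tif);`. The added line is also indented with spaces where the surrounding code uses tabs. LZWCleanup continues past the end of the hunk.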
--- tiff-3.7.1/libtiff/tif_jpeg.c.multiple	2004-12-01 13:26:39.000000000 -0500
+++ tiff-3.7.1/libtiff/tif_jpeg.c	2006-04-26 14:10:24.000000000 -0400
@@ -1351,15 +1351,19 @@
 static void
 JPEGCleanup(TIFF* tif)
 {
-	if (tif->tif_data) {
-		JPEGState *sp = JState(tif);
-                if( sp->cinfo_initialized )
-                    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
-		if (sp->jpegtables)		/* tag value */
-			_TIFFfree(sp->jpegtables);
-		_TIFFfree(tif->tif_data);	/* release local state */
-		tif->tif_data = NULL;
-	}
+	JPEGState *sp = JState(tif);
+	
+	assert(sp != 0);
+
+	tif->tif_tagmethods.vgetfield = sp->vgetparent;
+	tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+	if( sp->cinfo_initialized )
+	    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
+	if (sp->jpegtables)		/* tag value */
+		_TIFFfree(sp->jpegtables);
+	_TIFFfree(tif->tif_data);	/* release local state */
+	tif->tif_data = NULL;
 }
 
 static int
--- tiff-3.7.1/libtiff/tif_predict.c.multiple	2004-10-02 09:52:29.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_predict.c	2006-04-26 14:12:19.000000000 -0400
@@ -9,7 +9,7 @@
  * that (i) the above copyright notices and this permission notice appear in
  * all copies of the software and related documentation, and (ii) the names of
  * Sam Leffler and Silicon Graphics may not be used in any advertising or
- * publicity relating to the software without the specific, prior written
+ * publicity relating t software without the specific, prior written
  * permission of Sam Leffler and Silicon Graphics.
  * 
  * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, 
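Review bot: The change to the licence header looks accidental: `publicity relating t software` drops "o the" from the upstream permission notice and has nothing to do with the fix. Licence text should stay verbatim, so this hunk is best removed from the patch, restoring `publicity relating to the software without the specific, prior written`.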
@@ -386,6 +386,9 @@
 {
 	TIFFPredictorState *sp = PredictorState(tif);
 
+	assert(sp != NULL);
+	assert(sp->vsetparent != NULL);
+
 	switch (tag) {
 	case TIFFTAG_PREDICTOR:
 		sp->predictor = (uint16) va_arg(ap, int);
@@ -403,6 +406,9 @@
 {
 	TIFFPredictorState *sp = PredictorState(tif);
 
+	assert(sp != NULL);
+	assert(sp->vgetparent != NULL);
+
 	switch (tag) {
 	case TIFFTAG_PREDICTOR:
 		*va_arg(ap, uint16*) = sp->predictor;
@@ -436,6 +442,8 @@
 {
 	TIFFPredictorState* sp = PredictorState(tif);
 
+	assert(sp != 0);
+
 	/*
 	 * Merge codec-specific tag information and
 	 * override parent get/set field methods.
@@ -461,4 +469,21 @@
 	return (1);
 }
 
+ int
+ TIFFPredictorCleanup(TIFF* tif)
+ {
+  	TIFFPredictorState* sp = PredictorState(tif);
+  
+  	assert(sp != 0);
+  
+  	tif->tif_tagmethods.vgetfield = sp->vgetparent;
+  	tif->tif_tagmethods.vsetfield = sp->vsetparent;
+  	tif->tif_tagmethods.printdir = sp->printdir;
+  	tif->tif_setupdecode = sp->setupdecode;
+  	tif->tif_setupencode = sp->setupencode;
+  
+  	return 1;
+  }
+  
+
 /* vim: set ts=8 sts=8 sw=8 noet: */
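Review bot: The new public function TIFFPredictorCleanup has no comment describing its contract, and the ordering matters because it reads its saved pointers from the codec state that the callers free immediately afterwards. A header such as `/* Undo TIFFPredictorInit: restore the saved tag and setup methods. Call before the codec frees tif->tif_data. */` would record that. Its lines are indented with a leading space plus mixed spaces and tabs, although the modeline at the end of the file asks for tabs (`noet`). It always returns 1 and every caller in this patch discards the result with `(void)`, so the return value currently carries no information.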
--- tiff-3.7.1/libtiff/tif_zip.c.multiple	2004-10-02 09:52:29.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_zip.c	2006-04-26 14:10:24.000000000 -0400
@@ -249,17 +249,23 @@
 ZIPCleanup(TIFF* tif)
 {
 	ZIPState* sp = ZState(tif);
-	if (sp) {
-		if (sp->state&ZSTATE_INIT) {
-			/* NB: avoid problems in the library */
-			if (tif->tif_mode == O_RDONLY)
-				inflateEnd(&sp->stream);
-			else
-				deflateEnd(&sp->stream);
-		}
-		_TIFFfree(sp);
-		tif->tif_data = NULL;
+
+	assert(sp != 0);
+
+	(void)TIFFPredictorCleanup(tif);
+
+	tif->tif_tagmethods.vgetfield = sp->vgetparent;
+	tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+	if (sp->state&ZSTATE_INIT) {
+		/* NB: avoid problems in the library */
+		if (tif->tif_mode == O_RDONLY)
+			inflateEnd(&sp->stream);
+		else
+			deflateEnd(&sp->stream);
 	}
+	_TIFFfree(sp);
+	tif->tif_data = NULL;
 }
 
 static int
--- tiff-3.7.1/libtiff/tif_pixarlog.c.multiple	2004-10-14 13:53:27.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_pixarlog.c	2006-04-26 14:10:24.000000000 -0400
@@ -1160,24 +1160,29 @@
 {
 	PixarLogState* sp = (PixarLogState*) tif->tif_data;
 
-	if (sp) {
-		if (sp->FromLT2) _TIFFfree(sp->FromLT2);
-		if (sp->From14) _TIFFfree(sp->From14);
-		if (sp->From8) _TIFFfree(sp->From8);
-		if (sp->ToLinearF) _TIFFfree(sp->ToLinearF);
-		if (sp->ToLinear16) _TIFFfree(sp->ToLinear16);
-		if (sp->ToLinear8) _TIFFfree(sp->ToLinear8);
-		if (sp->state&PLSTATE_INIT) {
-			if (tif->tif_mode == O_RDONLY)
-				inflateEnd(&sp->stream);
-			else
-				deflateEnd(&sp->stream);
-		}
-		if (sp->tbuf)
-			_TIFFfree(sp->tbuf);
-		_TIFFfree(sp);
-		tif->tif_data = NULL;
+	assert(sp != 0);
+
+	(void)TIFFPredictorCleanup(tif);
+
+	tif->tif_tagmethods.vgetfield = sp->vgetparent;
+	tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+	if (sp->FromLT2) _TIFFfree(sp->FromLT2);
+	if (sp->From14) _TIFFfree(sp->From14);
+	if (sp->From8) _TIFFfree(sp->From8);
+	if (sp->ToLinearF) _TIFFfree(sp->ToLinearF);
+	if (sp->ToLinear16) _TIFFfree(sp->ToLinear16);
+	if (sp->ToLinear8) _TIFFfree(sp->ToLinear8);
+	if (sp->state&PLSTATE_INIT) {
+		if (tif->tif_mode == O_RDONLY)
+			inflateEnd(&sp->stream);
+		else
+			deflateEnd(&sp->stream);
 	}
+	if (sp->tbuf)
+		_TIFFfree(sp->tbuf);
+	_TIFFfree(sp);
+	tif->tif_data = NULL;
 }
 
 static int
--- tiff-3.7.1/libtiff/tif_predict.h.multiple	1999-07-27 17:50:27.000000000 -0400
+++ tiff-3.7.1/libtiff/tif_predict.h	2006-04-26 14:10:24.000000000 -0400
@@ -55,6 +55,7 @@
 extern "C" {
 #endif
 extern	int TIFFPredictorInit(TIFF*);
+extern	int TIFFPredictorCleanup(TIFF*);
 #if defined(__cplusplus)
 }
 #endif


Index: libtiff.spec
===================================================================
RCS file: /cvs/dist/rpms/libtiff/FC-4/libtiff.spec,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- libtiff.spec	6 May 2005 14:48:39 -0000	1.29
+++ libtiff.spec	26 Apr 2006 18:14:14 -0000	1.30
@@ -1,7 +1,7 @@
 Summary: A library of functions for manipulating TIFF format image files.
 Name: libtiff
 Version: 3.7.1
-Release: 6
+Release: 6.fc4.1
 License: distributable
 Group: System Environment/Libraries
 Source0: http://www.libtiff.org/tiff-%{version}.tar.gz
@@ -12,6 +12,8 @@
 Patch3: libtiff-3.7.1-mktemp.patch
 # http://bugzilla.remotesensing.org/show_bug.cgi?id=843, fixed in 3.7.3
 Patch4: libtiff-3.7.1-persample.patch
+Patch5: tiff-3.7.1-multiple.patch
+Patch6: tiff-3.6.1-color.patch
 URL: http://www.libtiff.org/
 BuildRoot: %{_tmppath}/%{name}-root
 BuildRequires: zlib-devel zlib libjpeg-devel libjpeg
@@ -49,6 +51,8 @@
 %patch2 -p1 -b .extrasamples
 %patch3 -p1 -b .mktemp
 %patch4 -p1 -b .persample
+%patch5 -p1 -b .multiple
+%patch6 -p0 -b .color
 
 %build
 
@@ -87,6 +91,9 @@
 %{_mandir}/man3/*
 
 %changelog
+* Wed Apr 26 2006 Matthias Clasen <mclasen at redhat.com> - 3.7.1-6.fc4.1
+- Fix multiple vulnerabilities (#189933, #189974, CVE-2006-2024)
+
 * Fri May  6 2005 Matthias Clasen <mclasen at redhat.com> - 3.7.1-6
 - Fix a stack overflow
 



