diff options
| -rw-r--r-- | graphics/tiff/Makefile | 11 | ||||
| -rw-r--r-- | graphics/tiff/PLIST | 7 | ||||
| -rw-r--r-- | graphics/tiff/distinfo | 23 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-aa | 17 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-ab | 26 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-ac | 77 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-at | 122 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-au | 15 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-av | 103 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-aw | 26 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-ax | 308 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-ay | 29 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-az | 119 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-ba | 24 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-bb | 27 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-bc | 37 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-ca | 47 | ||||
| -rw-r--r-- | graphics/tiff/patches/patch-cb | 126 |
18 files changed, 18 insertions, 1126 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index 027e56627d3..f91d2f698d2 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.88 2009/07/19 11:45:09 tron Exp $ +# $NetBSD: Makefile,v 1.89 2009/08/24 08:50:33 wiz Exp $ -DISTNAME= tiff-3.8.2 -PKGREVISION= 6 +DISTNAME= tiff-3.9.0 CATEGORIES= graphics MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ http://libtiff.maptools.org/dl/ @@ -26,6 +25,12 @@ CONFIGURE_ARGS+= --without-x # just in case detects gl to build tiffgt TEST_TARGET= check +post-install: + cd ${DESTDIR}/${PREFIX}/${PKGMANDIR}/man3 && for file in *.3tiff; do\ + target=`echo $$file | sed "s/3tiff/3/"`; \ + ${MV} $$file $$target; \ + done + .include "options.mk" .include "../../devel/zlib/buildlink3.mk" diff --git a/graphics/tiff/PLIST b/graphics/tiff/PLIST index 2c841115703..8ae2f875e0f 100644 --- a/graphics/tiff/PLIST +++ b/graphics/tiff/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.11 2009/06/14 17:59:29 joerg Exp $ +@comment $NetBSD: PLIST,v 1.12 2009/08/24 08:50:33 wiz Exp $ bin/bmp2tiff bin/fax2ps bin/fax2tiff @@ -15,6 +15,7 @@ bin/tiff2ps bin/tiff2rgba bin/tiffcmp bin/tiffcp +bin/tiffcrop bin/tiffdither bin/tiffdump bin/tiffinfo @@ -45,6 +46,7 @@ man/man1/tiff2ps.1 man/man1/tiff2rgba.1 man/man1/tiffcmp.1 man/man1/tiffcp.1 +man/man1/tiffcrop.1 man/man1/tiffdither.1 man/man1/tiffdump.1 man/man1/tiffgt.1 @@ -94,6 +96,7 @@ man/man3/libtiff.3 share/doc/tiff/COPYRIGHT share/doc/tiff/ChangeLog share/doc/tiff/README +share/doc/tiff/README.vms share/doc/tiff/RELEASE-DATE share/doc/tiff/TODO share/doc/tiff/VERSION @@ -179,6 +182,7 @@ share/doc/tiff/html/man/tiff2ps.1.html share/doc/tiff/html/man/tiff2rgba.1.html share/doc/tiff/html/man/tiffcmp.1.html share/doc/tiff/html/man/tiffcp.1.html +share/doc/tiff/html/man/tiffcrop.1.html share/doc/tiff/html/man/tiffdither.1.html share/doc/tiff/html/man/tiffdump.1.html share/doc/tiff/html/man/tiffgt.1.html @@ -222,3 +226,4 @@ share/doc/tiff/html/v3.7.4.html share/doc/tiff/html/v3.8.0.html share/doc/tiff/html/v3.8.1.html share/doc/tiff/html/v3.8.2.html +share/doc/tiff/html/v3.9.0beta.html diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo index c16a1ffa02a..73a65d7e057 100644 --- a/graphics/tiff/distinfo +++ b/graphics/tiff/distinfo @@ -1,20 +1,5 @@ -$NetBSD: distinfo,v 1.43 2009/07/19 11:45:09 tron Exp $ +$NetBSD: distinfo,v 1.44 2009/08/24 08:50:33 wiz Exp $ -SHA1 (tiff-3.8.2.tar.gz) = 549e67b6a15b42bfcd72fe17cda7c9a198a393eb -RMD160 (tiff-3.8.2.tar.gz) = 1b4d825e3be08764e953fc58246d0c25ab4dd17d -Size (tiff-3.8.2.tar.gz) = 1336295 bytes -SHA1 (patch-aa) = edac79a6f3b61e9fc787fe14f750d88023a29bfa -SHA1 (patch-ab) = b517cb8bc2212d3e6c5a70db1bdf45b85b78fc72 -SHA1 (patch-ac) = 24bb2d78d63df7f02d128c7dc6a4c8db50fac891 -SHA1 (patch-at) = 4006ed90f6ab88aff30e2537d613a1b44b5c7347 -SHA1 (patch-au) = c53ed7521c3918081526ad63cd0c1c45c9a0b9ff -SHA1 (patch-av) = 38852ef5028f6c0ad7a3e5497248f264f0cb7366 -SHA1 (patch-aw) = 8df07a9bc23092cfde2b364a1965efcfdc848b1e -SHA1 (patch-ax) = 1a111d7a80bf98a650d147c035cd719d34aafc8a -SHA1 (patch-ay) = db50f1d97b5d3b94e4d470b49642fe105977e0b7 -SHA1 (patch-az) = ec57ebacc6052221ae63084d23c7c7b4aea029d8 -SHA1 (patch-ba) = d4bd9c67a9bf2be93286f8268ac520c4b88ba3ae -SHA1 (patch-bb) = cbc7feda655a02809de55be6470cc25cda942a08 -SHA1 (patch-bc) = 9baa1c138cd3cb6366ae3e638518b94dfea172cc -SHA1 (patch-ca) = 3c90d9735f0586632db05ceb50b336cbfdf279b6 -SHA1 (patch-cb) = 349c8764091d69f5eca84588837022d218b2165c +SHA1 (tiff-3.9.0.tar.gz) = e525879da8416e00ccd58617b2850341a429e23c +RMD160 (tiff-3.9.0.tar.gz) = be5bdb33c30a23fd0969981bfda1fe8e79f8879f +Size (tiff-3.9.0.tar.gz) = 1399851 bytes diff --git a/graphics/tiff/patches/patch-aa b/graphics/tiff/patches/patch-aa deleted file mode 100644 index 1b8aa556da9..00000000000 --- a/graphics/tiff/patches/patch-aa +++ /dev/null @@ -1,17 +0,0 @@ -$NetBSD: patch-aa,v 1.17 2005/07/14 13:43:28 wiz Exp $ - ---- man/Makefile.in.orig 2005-07-05 16:38:13.000000000 +0000 -+++ man/Makefile.in -@@ -380,11 +380,7 @@ install-man3: $(man3_MANS) $(man_MANS) - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ -- ext=`echo $$i | sed -e 's/^.*\\.//'`; \ -- case "$$ext" in \ -- 3*) ;; \ -- *) ext='3' ;; \ -- esac; \ -+ ext='3'; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ diff --git a/graphics/tiff/patches/patch-ab b/graphics/tiff/patches/patch-ab deleted file mode 100644 index 3b9d080ad5b..00000000000 --- a/graphics/tiff/patches/patch-ab +++ /dev/null @@ -1,26 +0,0 @@ -$NetBSD: patch-ab,v 1.18 2006/02/20 17:56:36 joerg Exp $ - ---- libtiff/tiffio.h.orig 2006-02-20 17:43:42.000000000 +0000 -+++ libtiff/tiffio.h -@@ -30,6 +30,10 @@ - /* - * TIFF I/O Library Definitions. - */ -+ -+/* NULL */ -+#include <stddef.h> -+ - #include "tiff.h" - #include "tiffvers.h" - -@@ -97,10 +101,6 @@ typedef HFILE thandle_t; /* client data - typedef void* thandle_t; /* client data handle */ - #endif /* USE_WIN32_FILEIO */ - --#ifndef NULL --# define NULL (void *)0 --#endif -- - /* - * Flags to pass to TIFFPrintDirectory to control - * printing of data structures that are potentially diff --git a/graphics/tiff/patches/patch-ac b/graphics/tiff/patches/patch-ac deleted file mode 100644 index cfaf3baa152..00000000000 --- a/graphics/tiff/patches/patch-ac +++ /dev/null @@ -1,77 +0,0 @@ -$NetBSD: patch-ac,v 1.20 2009/06/22 14:54:44 drochner Exp $ - ---- libtiff/tif_lzw.c.orig 2006-03-21 17:42:50.000000000 +0100 -+++ libtiff/tif_lzw.c -@@ -237,6 +237,13 @@ LZWSetupDecode(TIFF* tif) - sp->dec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); -+ /* -+ * Zero-out the unused entries -+ */ -+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); -+ -+ - } - return (1); - } -@@ -408,12 +415,20 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask-1; - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } -+ - *op++ = (char)code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -604,12 +619,20 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } -+ - *op++ = code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -647,6 +670,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, - } - oldcodep = codep; - if (code >= 256) { -+ char *op_orig = op; - /* - * Code maps to a string, copy string - * value to output (written in reverse). -@@ -681,7 +705,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, - tp = op; - do { - *--tp = codep->value; -- } while( (codep = codep->next) != NULL); -+ } while( (codep = codep->next) != NULL && tp > op_orig); - } else - *op++ = code, occ--; - } diff --git a/graphics/tiff/patches/patch-at b/graphics/tiff/patches/patch-at deleted file mode 100644 index a624b9b3ad8..00000000000 --- a/graphics/tiff/patches/patch-at +++ /dev/null @@ -1,122 +0,0 @@ -$NetBSD: patch-at,v 1.6 2006/03/14 14:08:30 drochner Exp $ - ---- configure.orig 2006-03-13 15:58:42.000000000 +0100 -+++ configure -@@ -12439,6 +12439,117 @@ done - - - -+for ac_func in lfind -+do -+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -+echo "$as_me:$LINENO: checking for $ac_func" >&5 -+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -+if eval "test \"\${$as_ac_var+set}\" = set"; then -+ echo $ECHO_N "(cached) $ECHO_C" >&6 -+else -+ cat >conftest.$ac_ext <<_ACEOF -+/* confdefs.h. */ -+_ACEOF -+cat confdefs.h >>conftest.$ac_ext -+cat >>conftest.$ac_ext <<_ACEOF -+/* end confdefs.h. */ -+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func. -+ For example, HP-UX 11i <limits.h> declares gettimeofday. */ -+#define $ac_func innocuous_$ac_func -+ -+/* System header to define __stub macros and hopefully few prototypes, -+ which can conflict with char $ac_func (); below. -+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since -+ <limits.h> exists even on freestanding compilers. */ -+ -+#ifdef __STDC__ -+# include <limits.h> -+#else -+# include <assert.h> -+#endif -+ -+#undef $ac_func -+ -+/* Override any gcc2 internal prototype to avoid an error. */ -+#ifdef __cplusplus -+extern "C" -+{ -+#endif -+/* We use char because int might match the return type of a gcc2 -+ builtin and then its argument prototype would still apply. */ -+char $ac_func (); -+/* The GNU C library defines this for functions which it implements -+ to always fail with ENOSYS. Some functions are actually named -+ something starting with __ and the normal name is an alias. */ -+#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -+choke me -+#else -+char (*f) () = $ac_func; -+#endif -+#ifdef __cplusplus -+} -+#endif -+ -+int -+main () -+{ -+return f != $ac_func; -+ ; -+ return 0; -+} -+_ACEOF -+rm -f conftest.$ac_objext conftest$ac_exeext -+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 -+ (eval $ac_link) 2>conftest.er1 -+ ac_status=$? -+ grep -v '^ *+' conftest.er1 >conftest.err -+ rm -f conftest.er1 -+ cat conftest.err >&5 -+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 -+ (exit $ac_status); } && -+ { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 -+ (eval $ac_try) 2>&5 -+ ac_status=$? -+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 -+ (exit $ac_status); }; } && -+ { ac_try='test -s conftest$ac_exeext' -+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 -+ (eval $ac_try) 2>&5 -+ ac_status=$? -+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 -+ (exit $ac_status); }; }; then -+ eval "$as_ac_var=yes" -+else -+ echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+eval "$as_ac_var=no" -+fi -+rm -f conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+fi -+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 -+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -+if test `eval echo '${'$as_ac_var'}'` = yes; then -+ cat >>confdefs.h <<_ACEOF -+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -+_ACEOF -+ -+else -+ case $LIBOBJS in -+ "$ac_func.$ac_objext" | \ -+ *" $ac_func.$ac_objext" | \ -+ "$ac_func.$ac_objext "* | \ -+ *" $ac_func.$ac_objext "* ) ;; -+ *) LIBOBJS="$LIBOBJS $ac_func.$ac_objext" ;; -+esac -+ -+fi -+done -+ -+ -+ - echo "$as_me:$LINENO: checking native cpu bit order" >&5 - echo $ECHO_N "checking native cpu bit order... $ECHO_C" >&6 - case "$target_cpu" in diff --git a/graphics/tiff/patches/patch-au b/graphics/tiff/patches/patch-au deleted file mode 100644 index 822d33121a3..00000000000 --- a/graphics/tiff/patches/patch-au +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-au,v 1.5 2006/06/08 11:05:14 salo Exp $ - -Security fix for CVE-2006-2193, from Ubuntu. - ---- tools/tiff2pdf.c.orig 2006-03-21 17:42:51.000000000 +0100 -+++ tools/tiff2pdf.c 2006-06-08 12:39:11.000000000 +0200 -@@ -3668,7 +3668,7 @@ - written += TIFFWriteFile(output, (tdata_t) "(", 1); - for (i=0;i<len;i++){ - if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){ -- sprintf(buffer, "\\%.3o", pdfstr[i]); -+ sprintf(buffer, "\\%.3hho", pdfstr[i]); - written += TIFFWriteFile(output, (tdata_t) buffer, 4); - } else { - switch (pdfstr[i]){ diff --git a/graphics/tiff/patches/patch-av b/graphics/tiff/patches/patch-av deleted file mode 100644 index 3ddb3c59ff5..00000000000 --- a/graphics/tiff/patches/patch-av +++ /dev/null @@ -1,103 +0,0 @@ -$NetBSD: patch-av,v 1.6 2006/08/03 15:17:49 taca Exp $ - -Security fix for SA21304. - ---- libtiff/tif_dir.c.orig Wed Mar 22 01:42:50 2006 -+++ libtiff/tif_dir.c -@@ -122,6 +122,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va - { - static const char module[] = "_TIFFVSetField"; - -+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); - TIFFDirectory* td = &tif->tif_dir; - int status = 1; - uint32 v32, i, v; -@@ -193,15 +194,18 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va - td->td_fillorder = (uint16) v; - break; - break; -- case TIFFTAG_ORIENTATION: -+ case TIFFTAG_ORIENTATION: { -+ const TIFFFieldInfo* fip; - v = va_arg(ap, uint32); - if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { -+ fip = _TIFFFieldWithTag(tif, tag); - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "Bad value %lu for \"%s\" tag ignored", -- v, _TIFFFieldWithTag(tif, tag)->field_name); -+ v, fip ? fip->field_name : "Unknown"); - } else - td->td_orientation = (uint16) v; - break; -+ } - case TIFFTAG_SAMPLESPERPIXEL: - /* XXX should cross check -- e.g. if pallette, then 1 */ - v = va_arg(ap, uint32); -@@ -387,11 +391,15 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va - * happens, for example, when tiffcp is used to convert between - * compression schemes and codec-specific tags are blindly copied. - */ -+ /* -+ * better not dereference fip if it is NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - status = 0; - break; - } -@@ -468,7 +476,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va - if (fip->field_type == TIFF_ASCII) - _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); - else { -- tv->value = _TIFFmalloc(tv_size * tv->count); -+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); - if (!tv->value) { - status = 0; - goto end; -@@ -563,7 +571,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va - } - } - if (status) { -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ TIFFSetFieldBit(tif, fip->field_bit); - tif->tif_flags |= TIFF_DIRTYDIRECT; - } - -@@ -572,12 +580,12 @@ end: - return (status); - badvalue: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", -- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - badvalue32: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", -- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - } -@@ -813,12 +821,16 @@ _TIFFVGetField(TIFF* tif, ttag_t tag, va - * If the client tries to get a tag that is not valid - * for the image's codec then we'll arrive here. - */ -+ /* -+ * dont dereference fip if it's NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) - { - TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - ret_val = 0; - break; - } diff --git a/graphics/tiff/patches/patch-aw b/graphics/tiff/patches/patch-aw deleted file mode 100644 index 06a32f949b9..00000000000 --- a/graphics/tiff/patches/patch-aw +++ /dev/null @@ -1,26 +0,0 @@ -$NetBSD: patch-aw,v 1.5 2006/08/02 15:42:25 salo Exp $ - -Security fix for SA21304. - ---- libtiff/tif_dirinfo.c.orig 2006-02-07 14:51:03.000000000 +0100 -+++ libtiff/tif_dirinfo.c 2006-08-02 17:18:41.000000000 +0200 -@@ -775,7 +775,8 @@ _TIFFFieldWithTag(TIFF* tif, ttag_t tag) - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", - "Internal error, unknown tag 0x%x", - (unsigned int) tag); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -@@ -789,7 +790,8 @@ _TIFFFieldWithName(TIFF* tif, const char - if (!fip) { - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", - "Internal error, unknown tag %s", field_name); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); diff --git a/graphics/tiff/patches/patch-ax b/graphics/tiff/patches/patch-ax deleted file mode 100644 index 314c70fc336..00000000000 --- a/graphics/tiff/patches/patch-ax +++ /dev/null @@ -1,308 +0,0 @@ -$NetBSD: patch-ax,v 1.5 2006/08/02 15:42:25 salo Exp $ - -Security fix for SA21304. - ---- libtiff/tif_dirread.c.orig 2006-03-21 17:42:50.000000000 +0100 -+++ libtiff/tif_dirread.c 2006-08-02 17:18:41.000000000 +0200 -@@ -81,6 +81,7 @@ TIFFReadDirectory(TIFF* tif) - uint16 dircount; - toff_t nextdiroff; - int diroutoforderwarning = 0; -+ int compressionknown = 0; - toff_t* new_dirlist; - - tif->tif_diroff = tif->tif_nextdiroff; -@@ -147,13 +148,20 @@ TIFFReadDirectory(TIFF* tif) - } else { - toff_t off = tif->tif_diroff; - -- if (off + sizeof (uint16) > tif->tif_size) { -+ /* -+ * Check for integer overflow when validating the dir_off, otherwise -+ * a very high offset may cause an OOB read and crash the client. -+ * -- taviso@google.com, 14 Jun 2006. -+ */ -+ if (off + sizeof (uint16) > tif->tif_size || -+ off + sizeof (uint16) < off) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Can not read TIFF directory count", - tif->tif_name); - return (0); - } else -- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); -+ _TIFFmemcpy(&dircount, tif->tif_base + off, -+ sizeof (uint16)); - off += sizeof (uint16); - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabShort(&dircount); -@@ -254,6 +262,7 @@ TIFFReadDirectory(TIFF* tif) - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; -+ - if (fix >= tif->tif_nfields || - tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { - -@@ -264,17 +273,23 @@ TIFFReadDirectory(TIFF* tif) - dp->tdir_tag, - dp->tdir_tag, - dp->tdir_type); -+ /* -+ * creating anonymous fields prior to knowing the compression -+ * algorithm (ie, when the field info has been merged) could cause -+ * crashes with pathological directories. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (compressionknown) -+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, -+ (TIFFDataType) dp->tdir_type), 1 ); -+ else goto ignore; - -- TIFFMergeFieldInfo(tif, -- _TIFFCreateAnonFieldInfo(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1 ); - fix = 0; - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; - } -+ - /* - * Null out old tags that we ignore. - */ -@@ -326,6 +341,7 @@ TIFFReadDirectory(TIFF* tif) - dp->tdir_type, dp->tdir_offset); - if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) - goto bad; -+ else compressionknown++; - break; - /* XXX: workaround for broken TIFFs */ - } else if (dp->tdir_type == TIFF_LONG) { -@@ -540,6 +556,7 @@ TIFFReadDirectory(TIFF* tif) - * Attempt to deal with a missing StripByteCounts tag. - */ - if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * Some manufacturers violate the spec by not giving - * the size of the strips. In this case, assume there -@@ -556,7 +573,7 @@ TIFFReadDirectory(TIFF* tif) - "%s: TIFF directory is missing required " - "\"%s\" field, calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - /* -@@ -580,6 +597,7 @@ TIFFReadDirectory(TIFF* tif) - } else if (td->td_nstrips == 1 - && td->td_stripoffset[0] != 0 - && BYTECOUNTLOOKSBAD) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Plexus (and others) sometimes give a value of zero for - * a tag when they don't know what the correct value is! Try -@@ -589,13 +607,14 @@ TIFFReadDirectory(TIFF* tif) - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if(EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } else if (td->td_planarconfig == PLANARCONFIG_CONTIG - && td->td_nstrips > 2 - && td->td_compression == COMPRESSION_NONE - && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Some vendors fill StripByteCount array with absolutely - * wrong values (it can be equal to StripOffset array, for -@@ -604,7 +623,7 @@ TIFFReadDirectory(TIFF* tif) - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } -@@ -870,7 +889,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD - - register TIFFDirEntry *dp; - register TIFFDirectory *td = &tif->tif_dir; -- uint16 i; -+ -+ /* i is used to iterate over td->td_nstrips, so must be -+ * at least the same width. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ -+ uint32 i; - - if (td->td_stripbytecount) - _TIFFfree(td->td_stripbytecount); -@@ -947,16 +972,18 @@ MissingRequired(TIFF* tif, const char* t - static int - CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) - { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ - if (count > dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (0); - } else if (count < dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (1); - } -@@ -970,6 +997,7 @@ static tsize_t - TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) - { - int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - tsize_t cc = dir->tdir_count * w; - - /* Check for overflow. */ -@@ -1013,7 +1041,7 @@ TIFFFetchData(TIFF* tif, TIFFDirEntry* d - bad: - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Error fetching data for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - return (tsize_t) 0; - } - -@@ -1039,10 +1067,12 @@ TIFFFetchString(TIFF* tif, TIFFDirEntry* - static int - cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) - { -+ const TIFFFieldInfo* fip; - if (denom == 0) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s: Rational with zero denominator (num = %lu)", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); -+ fip ? fip->field_name : "Unknown", num); - return (0); - } else { - if (dir->tdir_type == TIFF_RATIONAL) -@@ -1159,6 +1189,20 @@ TIFFFetchShortArray(TIFF* tif, TIFFDirEn - static int - TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) - { -+ /* -+ * Prevent overflowing the v stack arrays below by performing a sanity -+ * check on tdir_count, this should never be greater than two. -+ * -- taviso@google.com 14 Jun 2006. -+ */ -+ if (dir->tdir_count > 2) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, -+ "unexpected count for field \"%s\", %lu, expected 2; ignored.", -+ fip ? fip->field_name : "Unknown", -+ dir->tdir_count); -+ return 0; -+ } -+ - switch (dir->tdir_type) { - case TIFF_BYTE: - case TIFF_SBYTE: -@@ -1329,14 +1373,15 @@ TIFFFetchAnyArray(TIFF* tif, TIFFDirEntr - case TIFF_DOUBLE: - return (TIFFFetchDoubleArray(tif, dir, (double*) v)); - default: -+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - /* TIFF_NOTYPE */ - /* TIFF_ASCII */ - /* TIFF_UNDEFINED */ - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "cannot read TIFF_ANY type %d for field \"%s\"", - dir->tdir_type, -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- return (0); -+ fip ? fip->field_name : "Unknown"); -+ return (0); } - } - return (1); - } -@@ -1351,6 +1396,9 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt - int ok = 0; - const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); - -+ if (fip == NULL) { -+ return (0); -+ } - if (dp->tdir_count > 1) { /* array of values */ - char* cp = NULL; - -@@ -1493,6 +1541,7 @@ static int - TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1510,9 +1559,10 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFF - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1534,6 +1584,7 @@ static int - TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1551,9 +1602,10 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFD - check_count = samples; - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1574,6 +1626,7 @@ static int - TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1591,9 +1644,10 @@ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDi - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; diff --git a/graphics/tiff/patches/patch-ay b/graphics/tiff/patches/patch-ay deleted file mode 100644 index 67f3f662e35..00000000000 --- a/graphics/tiff/patches/patch-ay +++ /dev/null @@ -1,29 +0,0 @@ -$NetBSD: patch-ay,v 1.3 2006/08/02 15:42:25 salo Exp $ - -Security fix for SA21304. - ---- libtiff/tif_fax3.c.orig 2006-03-21 17:42:50.000000000 +0100 -+++ libtiff/tif_fax3.c 2006-08-02 17:18:41.000000000 +0200 -@@ -1136,6 +1136,7 @@ static int - Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) - { - Fax3BaseState* sp = Fax3State(tif); -+ const TIFFFieldInfo* fip; - - assert(sp != 0); - assert(sp->vsetparent != 0); -@@ -1181,7 +1182,13 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } diff --git a/graphics/tiff/patches/patch-az b/graphics/tiff/patches/patch-az deleted file mode 100644 index 8face0b7944..00000000000 --- a/graphics/tiff/patches/patch-az +++ /dev/null @@ -1,119 +0,0 @@ -$NetBSD: patch-az,v 1.1 2006/08/02 15:42:25 salo Exp $ - -Security fix for SA21304. - ---- libtiff/tif_jpeg.c.orig 2006-03-21 17:42:50.000000000 +0100 -+++ libtiff/tif_jpeg.c 2006-08-02 17:18:41.000000000 +0200 -@@ -722,8 +722,8 @@ JPEGPreDecode(TIFF* tif, tsample_t s) - segment_width = TIFFhowmany(segment_width, sp->h_sampling); - segment_height = TIFFhowmany(segment_height, sp->v_sampling); - } -- if (sp->cinfo.d.image_width != segment_width || -- sp->cinfo.d.image_height != segment_height) { -+ if (sp->cinfo.d.image_width < segment_width || -+ sp->cinfo.d.image_height < segment_height) { - TIFFWarningExt(tif->tif_clientdata, module, - "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", - segment_width, -@@ -731,6 +731,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s) - sp->cinfo.d.image_width, - sp->cinfo.d.image_height); - } -+ -+ if (sp->cinfo.d.image_width > segment_width || -+ sp->cinfo.d.image_height > segment_height) { -+ /* -+ * This case could be dangerous, if the strip or tile size has been -+ * reported as less than the amount of data jpeg will return, some -+ * potential security issues arise. Catch this case and error out. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "JPEG strip/tile size exceeds expected dimensions," -+ "expected %dx%d, got %dx%d", segment_width, segment_height, -+ sp->cinfo.d.image_width, sp->cinfo.d.image_height); -+ return (0); -+ } -+ - if (sp->cinfo.d.num_components != - (td->td_planarconfig == PLANARCONFIG_CONTIG ? - td->td_samplesperpixel : 1)) { -@@ -762,6 +778,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s) - sp->h_sampling, sp->v_sampling); - - /* -+ * There are potential security issues here for decoders that -+ * have already allocated buffers based on the expected sampling -+ * factors. Lets check the sampling factors dont exceed what -+ * we were expecting. -+ * -- taviso@google.com 14 June 2006 -+ */ -+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || -+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Cannot honour JPEG sampling factors that" -+ " exceed those specified."); -+ return (0); -+ } -+ -+ -+ /* - * XXX: Files written by the Intergraph software - * has different sampling factors stored in the - * TIFF tags and in the JPEG structures. We will -@@ -1521,15 +1553,18 @@ JPEGCleanup(TIFF* tif) - { - JPEGState *sp = JState(tif); - -- assert(sp != 0); -+ /* assert(sp != 0); */ - - tif->tif_tagmethods.vgetfield = sp->vgetparent; - tif->tif_tagmethods.vsetfield = sp->vsetparent; - -+ if (sp != NULL) { - if( sp->cinfo_initialized ) - TIFFjpeg_destroy(sp); /* release libjpeg resources */ - if (sp->jpegtables) /* tag value */ - _TIFFfree(sp->jpegtables); -+ } -+ - _TIFFfree(tif->tif_data); /* release local state */ - tif->tif_data = NULL; - -@@ -1541,6 +1576,7 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_ - { - JPEGState* sp = JState(tif); - TIFFDirectory* td = &tif->tif_dir; -+ const TIFFFieldInfo* fip; - uint32 v32; - - assert(sp != NULL); -@@ -1606,7 +1642,13 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -@@ -1726,7 +1768,11 @@ JPEGPrintDir(TIFF* tif, FILE* fd, long f - { - JPEGState* sp = JState(tif); - -- assert(sp != NULL); -+ /* assert(sp != NULL); */ -+ if (sp == NULL) { -+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); -+ return; -+ } - - (void) flags; - if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) diff --git a/graphics/tiff/patches/patch-ba b/graphics/tiff/patches/patch-ba deleted file mode 100644 index a7959582c7e..00000000000 --- a/graphics/tiff/patches/patch-ba +++ /dev/null @@ -1,24 +0,0 @@ -$NetBSD: patch-ba,v 1.1 2006/08/02 15:42:25 salo Exp $ - -Security fix for SA21304. - ---- libtiff/tif_next.c.orig 2005-12-21 13:33:56.000000000 +0100 -+++ libtiff/tif_next.c 2006-08-02 17:18:41.000000000 +0200 -@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz - * as codes of the form <color><npixels> - * until we've filled the scanline. - */ -+ /* -+ * Ensure the run does not exceed the scanline -+ * bounds, potentially resulting in a security issue. -+ * -- taviso@google.com 14 Jun 2006. -+ */ - op = row; - for (;;) { - grey = (n>>6) & 0x3; - n &= 0x3f; -- while (n-- > 0) -+ while (n-- > 0 && npixels < scanline) - SETPIXEL(op, grey); - if (npixels >= (int) imagewidth) - break; diff --git a/graphics/tiff/patches/patch-bb b/graphics/tiff/patches/patch-bb deleted file mode 100644 index 51e920f1f78..00000000000 --- a/graphics/tiff/patches/patch-bb +++ /dev/null @@ -1,27 +0,0 @@ -$NetBSD: patch-bb,v 1.1 2006/08/02 15:42:25 salo Exp $ - -Security fix for SA21304. - ---- libtiff/tif_pixarlog.c.orig 2006-03-21 17:42:50.000000000 +0100 -+++ libtiff/tif_pixarlog.c 2006-08-02 17:18:41.000000000 +0200 -@@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, t - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabArrayOfShort(up, nsamples); - -- for (i = 0; i < nsamples; i += llen, up += llen) { -+ /* -+ * if llen is not an exact multiple of nsamples, the decode operation -+ * may overflow the output buffer, so truncate it enough to prevent that -+ * but still salvage as much data as possible. -+ * -- taviso@google.com 14th June 2006 -+ */ -+ if (nsamples % llen) -+ TIFFWarningExt(tif->tif_clientdata, module, -+ "%s: stride %lu is not a multiple of sample count, " -+ "%lu, data truncated.", tif->tif_name, llen, nsamples); -+ -+ -+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { - switch (sp->user_datafmt) { - case PIXARLOGDATAFMT_FLOAT: - horizontalAccumulateF(up, llen, sp->stride, diff --git a/graphics/tiff/patches/patch-bc b/graphics/tiff/patches/patch-bc deleted file mode 100644 index 64998563e4f..00000000000 --- a/graphics/tiff/patches/patch-bc +++ /dev/null @@ -1,37 +0,0 @@ -$NetBSD: patch-bc,v 1.1 2006/08/02 15:42:25 salo Exp $ - -Security fix for SA21304. - ---- libtiff/tif_read.c.orig 2005-12-21 13:33:56.000000000 +0100 -+++ libtiff/tif_read.c 2006-08-02 17:18:41.000000000 +0200 -@@ -272,7 +272,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip) - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { -+ /* -+ * This sanity check could potentially overflow, causing an OOB read. -+ * verify that offset + bytecount is > offset. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || -+ (td->td_stripoffset[strip] + bytecount) < td->td_stripoffset[strip]) { - /* - * This error message might seem strange, but it's - * what would happen if a read were done instead. -@@ -470,7 +476,14 @@ TIFFFillTile(TIFF* tif, ttile_t tile) - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { -+ /* -+ * We must check this calculation doesnt overflow, potentially -+ * causing an OOB read. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if ( td->td_stripoffset[tile] + bytecount > tif->tif_size || -+ (td->td_stripoffset[tile] + bytecount) < -+ td->td_stripoffset[tile]) { - tif->tif_curtile = NOTILE; - return (0); - } diff --git a/graphics/tiff/patches/patch-ca b/graphics/tiff/patches/patch-ca deleted file mode 100644 index c56310fffaf..00000000000 --- a/graphics/tiff/patches/patch-ca +++ /dev/null @@ -1,47 +0,0 @@ -$NetBSD: patch-ca,v 1.1 2009/07/19 11:45:09 tron Exp $ - -Patch for CVE-2009-2347, taken from here: - -http://bugzilla.maptools.org/show_bug.cgi?id=2079 - ---- tools/rgb2ycbcr.c.orig 2004-09-03 08:57:13.000000000 +0100 -+++ tools/rgb2ycbcr.c 2009-07-19 12:39:06.000000000 +0100 -@@ -202,6 +202,17 @@ - #undef LumaBlue - #undef V2Code - -+static tsize_t -+multiply(tsize_t m1, tsize_t m2) -+{ -+ tsize_t prod = m1 * m2; -+ -+ if (m1 && prod / m1 != m2) -+ prod = 0; /* overflow */ -+ -+ return prod; -+} -+ - /* - * Convert a strip of RGB data to YCbCr and - * sample to generate the output data. -@@ -278,10 +289,19 @@ - float floatv; - char *stringv; - uint32 longv; -+ tsize_t raster_size; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); -+ -+ raster_size = multiply(multiply(width, height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); diff --git a/graphics/tiff/patches/patch-cb b/graphics/tiff/patches/patch-cb deleted file mode 100644 index 1a9db26dd2d..00000000000 --- a/graphics/tiff/patches/patch-cb +++ /dev/null @@ -1,126 +0,0 @@ -$NetBSD: patch-cb,v 1.1 2009/07/19 11:45:09 tron Exp $ - -Patch for CVE-2009-2347, taken from here: - -http://bugzilla.maptools.org/show_bug.cgi?id=2079 - ---- tools/tiff2rgba.c.orig 2004-11-07 11:08:37.000000000 +0000 -+++ tools/tiff2rgba.c 2009-07-19 12:39:06.000000000 +0100 -@@ -124,6 +124,17 @@ - return (0); - } - -+static tsize_t -+multiply(tsize_t m1, tsize_t m2) -+{ -+ tsize_t prod = m1 * m2; -+ -+ if (m1 && prod / m1 != m2) -+ prod = 0; /* overflow */ -+ -+ return prod; -+} -+ - static int - cvt_by_tile( TIFF *in, TIFF *out ) - -@@ -133,6 +144,7 @@ - uint32 tile_width, tile_height; - uint32 row, col; - uint32 *wrk_line; -+ tsize_t raster_size; - int ok = 1; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); -@@ -150,7 +162,14 @@ - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) tile_width, (unsigned long) tile_height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -158,7 +177,7 @@ - - /* - * Allocate a scanline buffer for swapping during the vertical -- * mirroring pass. -+ * mirroring pass. (Request can't overflow given prior checks.) - */ - wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); - if (!wrk_line) { -@@ -226,6 +245,7 @@ - uint32 width, height; /* image width & height */ - uint32 row; - uint32 *wrk_line; -+ tsize_t raster_size; - int ok = 1; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); -@@ -241,7 +261,14 @@ - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) rowsperstrip); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -249,7 +276,7 @@ - - /* - * Allocate a scanline buffer for swapping during the vertical -- * mirroring pass. -+ * mirroring pass. (Request can't overflow given prior checks.) - */ - wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); - if (!wrk_line) { -@@ -328,14 +355,22 @@ - uint32* raster; /* retrieve RGBA image */ - uint32 width, height; /* image width & height */ - uint32 row; -- -+ tsize_t raster_size; -+ - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); - - rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); - -- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); -+ raster_size = multiply(multiply(width, height), sizeof (uint32)); -+ if (!raster_size) { -+ TIFFError(TIFFFileName(in), -+ "Can't allocate buffer for raster of size %lux%lu", -+ (unsigned long) width, (unsigned long) height); -+ return (0); -+ } -+ raster = (uint32*)_TIFFmalloc(raster_size); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -353,7 +388,7 @@ - */ - if( no_alpha ) - { -- int pixel_count = width * height; -+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height; - unsigned char *src, *dst; - - src = (unsigned char *) raster; |