diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile index bccab8bf4..735184ed1 100644 --- a/libs/tiff/Makefile +++ b/libs/tiff/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2014 OpenWrt.org +# Copyright (C) 2006-2016 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tiff -PKG_VERSION:=4.0.3 -PKG_RELEASE:=4 +PKG_VERSION:=4.0.6 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://download.osgeo.org/libtiff -PKG_MD5SUM:=051c1068e6a0627f461948c365290410 +PKG_MD5SUM:=d1d2e940dea0b5ad435f21f03d96dd72 PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=autogen.sh aclocal.m4 diff --git a/libs/tiff/patches/001-autoconf-compat.patch b/libs/tiff/patches/001-autoconf-compat.patch index c7c0dfccd..16a88e3ef 100644 --- a/libs/tiff/patches/001-autoconf-compat.patch +++ b/libs/tiff/patches/001-autoconf-compat.patch @@ -1,5 +1,6 @@ ---- a/Makefile.am -+++ b/Makefile.am +diff -rupN tiff-4.0.6/Makefile.am tiff-new/Makefile.am +--- tiff-4.0.6/Makefile.am 2015-09-06 21:30:46.179705536 +0200 ++++ tiff-new/Makefile.am 2016-04-05 14:26:09.539194844 +0200 @@ -25,7 +25,7 @@ docdir = $(LIBTIFF_DOCDIR) @@ -9,17 +10,18 @@ ACLOCAL_AMFLAGS = -I m4 docfiles = \ -@@ -48,7 +48,7 @@ EXTRA_DIST = \ - - dist_doc_DATA = $(docfiles) +@@ -61,7 +61,7 @@ distcheck-hook: + rm -rf $(distdir)/_build/cmake + rm -rf $(distdir)/_inst/cmake -SUBDIRS = port libtiff tools build contrib test man html +SUBDIRS = port libtiff tools build contrib release: (rm -f $(top_srcdir)/RELEASE-DATE && echo $(LIBTIFF_RELEASE_DATE) > $(top_srcdir)/RELEASE-DATE) ---- a/test/Makefile.am -+++ b/test/Makefile.am +diff -rupN tiff-4.0.6/test/Makefile.am tiff-new/test/Makefile.am +--- tiff-4.0.6/test/Makefile.am 2015-09-01 04:41:07.598381354 +0200 ++++ tiff-new/test/Makefile.am 2016-04-05 14:26:39.763453075 +0200 @@ -23,7 +23,7 @@ # Process this file with automake to produce Makefile.in. diff --git a/libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch b/libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch new file mode 100644 index 000000000..15807e148 --- /dev/null +++ b/libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch @@ -0,0 +1,136 @@ +From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sat, 26 Dec 2015 17:32:03 +0000 +Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in + TIFFRGBAImage interface in case of unsupported values of + SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to + TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by + limingxing and CVE-2015-8683 reported by zzf of Alibaba. + +--- + ChangeLog | 8 ++++++++ + libtiff/tif_getimage.c | 37 +++++++++++++++++++++++-------------- + 2 files changed, 31 insertions(+), 14 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index a7d283a..4beb30b 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,11 @@ ++2015-12-26 Even Rouault ++ ++ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage ++ interface in case of unsupported values of SamplesPerPixel/ExtraSamples ++ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in ++ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and ++ CVE-2015-8683 reported by zzf of Alibaba. ++ + 2015-09-12 Bob Friesenhahn + + * libtiff 4.0.6 released. +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index fd0a4f9..fae1e31 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -1,4 +1,4 @@ +-/* $Id: tif_getimage.c,v 1.90 2015-06-17 01:34:08 bfriesen Exp $ */ ++/* $Id: tif_getimage.c,v 1.94 2015-12-26 17:32:03 erouault Exp $ */ + + /* + * Copyright (c) 1991-1997 Sam Leffler +@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) + "Planarconfiguration", td->td_planarconfig); + return (0); + } +- if( td->td_samplesperpixel != 3 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d", +- "Samples/pixel", td->td_samplesperpixel); ++ "Sorry, can not handle image with %s=%d, %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels); + return 0; + } + break; + case PHOTOMETRIC_CIELAB: +- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d and %s=%d", ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels, + "Bits/sample", td->td_bitspersample); + return 0; + } +@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) + int colorchannels; + uint16 *red_orig, *green_orig, *blue_orig; + int n_color; ++ ++ if( !TIFFRGBAImageOK(tif, emsg) ) ++ return 0; + + /* Initialize to normal values */ + img->row_offset = 0; +@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) + case PHOTOMETRIC_RGB: + switch (img->bitspersample) { + case 8: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >= 4) + img->put.contig = putRGBAAcontig8bittile; +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >= 4) + { + if (BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig8bittile; + } +- else ++ else if( img->samplesperpixel >= 3 ) + img->put.contig = putRGBcontig8bittile; + break; + case 16: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBAAcontig16bittile; + } +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img) && + BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig16bittile; + } +- else ++ else if( img->samplesperpixel >=3 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBcontig16bittile; +@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_SEPARATED: +- if (buildMap(img)) { ++ if (img->samplesperpixel >=4 && buildMap(img)) { + if (img->bitspersample == 8) { + if (!img->Map) + img->put.contig = putRGBcontig8bitCMYKtile; +@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_CIELAB: +- if (buildMap(img)) { ++ if (img->samplesperpixel == 3 && buildMap(img)) { + if (img->bitspersample == 8) + img->put.contig = initCIELabConversion(img); + break; diff --git a/libs/tiff/patches/003-fix_potential_out-of-bound_writes_in_decode_functions.patch b/libs/tiff/patches/003-fix_potential_out-of-bound_writes_in_decode_functions.patch new file mode 100644 index 000000000..716ddfd0c --- /dev/null +++ b/libs/tiff/patches/003-fix_potential_out-of-bound_writes_in_decode_functions.patch @@ -0,0 +1,193 @@ +From 3899f0ab62dd307f63f87ec99aaf289e104f4070 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 27 Dec 2015 16:25:11 +0000 +Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in + decode functions in non debug builds by replacing assert()s by regular if + checks (bugzilla #2522). Fix potential out-of-bound reads in case of short + input data. + +--- + ChangeLog | 7 +++++++ + libtiff/tif_luv.c | 57 +++++++++++++++++++++++++++++++++++++++++++------------ + 2 files changed, 52 insertions(+), 12 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 4beb30b..b8aa23c 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,10 @@ ++2015-12-27 Even Rouault ++ ++ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode ++ functions in non debug builds by replacing assert()s by regular if ++ checks (bugzilla #2522). ++ Fix potential out-of-bound reads in case of short input data. ++ + 2015-12-26 Even Rouault + + * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c +index 4e328ba..60a174d 100644 +--- a/libtiff/tif_luv.c ++++ b/libtiff/tif_luv.c +@@ -1,4 +1,4 @@ +-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */ ++/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */ + + /* + * Copyright (c) 1997 Greg Ward Larson +@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_16BIT) + tp = (int16*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (int16*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 2*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ +- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ if( cc < 2 ) ++ break; ++ rc = *bp++ + (2-128); + b = (int16)(*bp++ << shft); + cc -= 2; + while (rc-- && i < npixels) +@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + while (--cc && rc-- && i < npixels) + tp[i++] |= (int16)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32 *)op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32 *) sp->tbuf; + } + /* copy to array of uint32 */ + bp = (unsigned char*) tif->tif_rawcp; + cc = tif->tif_rawcc; +- for (i = 0; i < npixels && cc > 0; i++) { ++ for (i = 0; i < npixels && cc >= 3; i++) { + tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; + bp += 3; + cc -= 3; +@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 4*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ ++ if( cc < 2 ) ++ break; + rc = *bp++ + (2-128); + b = (uint32)*bp++ << shft; +- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ cc -= 2; + while (rc-- && i < npixels) + tp[i++] |= b; + } else { /* non-run */ +@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + while (--cc && rc-- && i < npixels) + tp[i++] |= (uint32)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogL16Encode"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (int16*) bp; + else { + tp = (int16*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ +@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode24"; + LogLuvState* sp = EncoderState(tif); + tmsize_t i; + tmsize_t npixels; +@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* write out encoded pixels */ +@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + static int + LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode32"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ diff --git a/libs/tiff/patches/004-fix_potential_out-of-bound_write_in_NeXTDecode.patch b/libs/tiff/patches/004-fix_potential_out-of-bound_write_in_NeXTDecode.patch new file mode 100644 index 000000000..f2b6b311d --- /dev/null +++ b/libs/tiff/patches/004-fix_potential_out-of-bound_write_in_NeXTDecode.patch @@ -0,0 +1,72 @@ +From 237c9c18b0b3479950e54a755ae428bf0f55f754 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 27 Dec 2015 16:55:20 +0000 +Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in + NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif + (bugzilla #2508) + +--- + ChangeLog | 6 ++++++ + libtiff/tif_next.c | 12 +++++++++--- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index b8aa23c..04926a3 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,11 @@ + 2015-12-27 Even Rouault + ++ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() ++ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif ++ (bugzilla #2508) ++ ++2015-12-27 Even Rouault ++ + * libtiff/tif_luv.c: fix potential out-of-bound writes in decode + functions in non debug builds by replacing assert()s by regular if + checks (bugzilla #2522). +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index 17e0311..1248caa 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -1,4 +1,4 @@ +-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */ ++/* $Id: tif_next.c,v 1.17 2015-12-27 16:55:20 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -37,7 +37,7 @@ + case 0: op[0] = (unsigned char) ((v) << 6); break; \ + case 1: op[0] |= (v) << 4; break; \ + case 2: op[0] |= (v) << 2; break; \ +- case 3: *op++ |= (v); break; \ ++ case 3: *op++ |= (v); op_offset++; break; \ + } \ + } + +@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; ++ tmsize_t op_offset = 0; + + /* + * The scanline is composed of a sequence of constant +@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + * bounds, potentially resulting in a security + * issue. + */ +- while (n-- > 0 && npixels < imagewidth) ++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) + SETPIXEL(op, grey); + if (npixels >= imagewidth) + break; ++ if (op_offset >= scanline ) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", ++ (long) tif->tif_row); ++ return (0); ++ } + if (cc == 0) + goto bad; + n = *bp++, cc--; diff --git a/libs/tiff/patches/010-CVE-2012-4564.patch b/libs/tiff/patches/010-CVE-2012-4564.patch deleted file mode 100644 index 7783353ee..000000000 --- a/libs/tiff/patches/010-CVE-2012-4564.patch +++ /dev/null @@ -1,31 +0,0 @@ -Index: tiff-4.0.3/tools/ppm2tiff.c -=================================================================== ---- tiff-4.0.3.orig/tools/ppm2tiff.c 2013-06-23 10:36:50.779629492 -0400 -+++ tiff-4.0.3/tools/ppm2tiff.c 2013-06-23 10:36:50.775629494 -0400 -@@ -89,6 +89,7 @@ - int c; - extern int optind; - extern char* optarg; -+ tmsize_t scanline_size; - - if (argc < 2) { - fprintf(stderr, "%s: Too few arguments\n", argv[0]); -@@ -237,8 +238,16 @@ - } - if (TIFFScanlineSize(out) > linebytes) - buf = (unsigned char *)_TIFFmalloc(linebytes); -- else -- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -+ else { -+ scanline_size = TIFFScanlineSize(out); -+ if (scanline_size != 0) -+ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -+ else { -+ fprintf(stderr, "%s: scanline size overflow\n",infile); -+ (void) TIFFClose(out); -+ exit(-2); -+ } -+ } - if (resolution > 0) { - TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); - TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); diff --git a/libs/tiff/patches/011-CVE-2013-1960.patch b/libs/tiff/patches/011-CVE-2013-1960.patch deleted file mode 100644 index 3bf15f190..000000000 --- a/libs/tiff/patches/011-CVE-2013-1960.patch +++ /dev/null @@ -1,146 +0,0 @@ -Index: tiff-4.0.3/tools/tiff2pdf.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:50.979629486 -0400 -+++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:50.975629486 -0400 -@@ -3341,33 +3341,56 @@ - uint32 height){ - - tsize_t i=0; -- uint16 ri =0; -- uint16 v_samp=1; -- uint16 h_samp=1; -- int j=0; -- -- i++; -- -- while(i<(*striplength)){ -+ -+ while (i < *striplength) { -+ tsize_t datalen; -+ uint16 ri; -+ uint16 v_samp; -+ uint16 h_samp; -+ int j; -+ int ncomp; -+ -+ /* marker header: one or more FFs */ -+ if (strip[i] != 0xff) -+ return(0); -+ i++; -+ while (i < *striplength && strip[i] == 0xff) -+ i++; -+ if (i >= *striplength) -+ return(0); -+ /* SOI is the only pre-SOS marker without a length word */ -+ if (strip[i] == 0xd8) -+ datalen = 0; -+ else { -+ if ((*striplength - i) <= 2) -+ return(0); -+ datalen = (strip[i+1] << 8) | strip[i+2]; -+ if (datalen < 2 || datalen >= (*striplength - i)) -+ return(0); -+ } - switch( strip[i] ){ -- case 0xd8: -- /* SOI - start of image */ -+ case 0xd8: /* SOI - start of image */ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); - *bufferoffset+=2; -- i+=2; - break; -- case 0xc0: -- case 0xc1: -- case 0xc3: -- case 0xc9: -- case 0xca: -+ case 0xc0: /* SOF0 */ -+ case 0xc1: /* SOF1 */ -+ case 0xc3: /* SOF3 */ -+ case 0xc9: /* SOF9 */ -+ case 0xca: /* SOF10 */ - if(no==0){ -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- for(j=0;j>4) > h_samp) -- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); -- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) -- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ ncomp = buffer[*bufferoffset+9]; -+ if (ncomp < 1 || ncomp > 4) -+ return(0); -+ v_samp=1; -+ h_samp=1; -+ for(j=0;j>4) > h_samp) -+ h_samp = (samp>>4); -+ if( (samp & 0x0f) > v_samp) -+ v_samp = (samp & 0x0f); - } - v_samp*=8; - h_samp*=8; -@@ -3381,45 +3404,43 @@ - (unsigned char) ((height>>8) & 0xff); - buffer[*bufferoffset+6]= - (unsigned char) (height & 0xff); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -- -+ *bufferoffset+=datalen+2; -+ /* insert a DRI marker */ - buffer[(*bufferoffset)++]=0xff; - buffer[(*bufferoffset)++]=0xdd; - buffer[(*bufferoffset)++]=0x00; - buffer[(*bufferoffset)++]=0x04; - buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; - buffer[(*bufferoffset)++]= ri & 0xff; -- } else { -- i+=strip[i+2]+2; - } - break; -- case 0xc4: -- case 0xdb: -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -+ case 0xc4: /* DHT */ -+ case 0xdb: /* DQT */ -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ *bufferoffset+=datalen+2; - break; -- case 0xda: -+ case 0xda: /* SOS */ - if(no==0){ -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ *bufferoffset+=datalen+2; - } else { - buffer[(*bufferoffset)++]=0xff; - buffer[(*bufferoffset)++]= - (unsigned char)(0xd0 | ((no-1)%8)); -- i+=strip[i+2]+2; - } -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); -- *bufferoffset+=(*striplength)-i-1; -+ i += datalen + 1; -+ /* copy remainder of strip */ -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); -+ *bufferoffset+= *striplength - i; - return(1); - default: -- i+=strip[i+2]+2; -+ /* ignore any other marker */ -+ break; - } -+ i += datalen + 1; - } -- - -+ /* failed to find SOS marker */ - return(0); - } - #endif diff --git a/libs/tiff/patches/012-CVE-2013-1961.patch b/libs/tiff/patches/012-CVE-2013-1961.patch deleted file mode 100644 index 2d1268ee9..000000000 --- a/libs/tiff/patches/012-CVE-2013-1961.patch +++ /dev/null @@ -1,768 +0,0 @@ -Index: tiff-4.0.3/contrib/dbs/xtiff/xtiff.c -=================================================================== ---- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.147629484 -0400 -@@ -512,9 +512,9 @@ - Arg args[1]; - - if (tfMultiPage) -- sprintf(buffer, "%s - page %d", fileName, tfDirectory); -+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); - else -- strcpy(buffer, fileName); -+ snprintf(buffer, sizeof(buffer), "%s", fileName); - XtSetArg(args[0], XtNlabel, buffer); - XtSetValues(labelWidget, args, 1); - } -Index: tiff-4.0.3/libtiff/tif_dirinfo.c -=================================================================== ---- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.147629484 -0400 -@@ -711,7 +711,7 @@ - * note that this name is a special sign to TIFFClose() and - * _TIFFSetupFields() to free the field - */ -- sprintf(fld->field_name, "Tag %d", (int) tag); -+ snprintf(fld->field_name, 32, "Tag %d", (int) tag); - - return fld; - } -Index: tiff-4.0.3/libtiff/tif_codec.c -=================================================================== ---- tiff-4.0.3.orig/libtiff/tif_codec.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/libtiff/tif_codec.c 2013-06-23 10:36:51.151629482 -0400 -@@ -108,7 +108,8 @@ - const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); - char compression_code[20]; - -- sprintf( compression_code, "%d", tif->tif_dir.td_compression ); -+ snprintf(compression_code, sizeof(compression_code), "%d", -+ tif->tif_dir.td_compression ); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s compression support is not configured", - c ? c->name : compression_code ); -Index: tiff-4.0.3/tools/tiffdither.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiffdither.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiffdither.c 2013-06-23 10:36:51.151629482 -0400 -@@ -260,7 +260,7 @@ - TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); - else - CopyField(TIFFTAG_FILLORDER, shortv); -- sprintf(thing, "Dithered B&W version of %s", argv[optind]); -+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); - CopyField(TIFFTAG_PHOTOMETRIC, shortv); - CopyField(TIFFTAG_ORIENTATION, shortv); -Index: tiff-4.0.3/tools/rgb2ycbcr.c -=================================================================== ---- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-06-23 10:36:51.151629482 -0400 -@@ -332,7 +332,8 @@ - TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); - { char buf[2048]; - char *cp = strrchr(TIFFFileName(in), '/'); -- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); -+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s", -+ cp ? cp+1 : TIFFFileName(in)); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); - } - TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); -Index: tiff-4.0.3/tools/tiff2pdf.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:51.151629482 -0400 -@@ -3630,7 +3630,9 @@ - char buffer[16]; - int buflen=0; - -- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); -+ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", -+ t2p->pdf_majorversion&0xff, -+ t2p->pdf_minorversion&0xff); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); - -@@ -3644,10 +3646,10 @@ - tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - -- buflen=sprintf(buffer, "%lu", (unsigned long)number); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); - written += t2pWriteFile(output, (tdata_t) buffer, buflen ); - written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); - -@@ -3686,13 +3688,13 @@ - written += t2pWriteFile(output, (tdata_t) "/", 1); - for (i=0;i 0x7E){ -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - nextchar=1; -@@ -3700,57 +3702,57 @@ - if (nextchar==0){ - switch (name[i]){ - case 0x23: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x25: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x28: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x29: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x2F: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x3C: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x3E: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x5B: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x5D: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x7B: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x7D: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; -@@ -3865,14 +3867,14 @@ - tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "/Length ", 8); - if(len!=0){ - written += t2p_write_pdf_stream_length(len, output); - } else { -- buflen=sprintf(buffer, "%lu", (unsigned long)number); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - } -@@ -3913,10 +3915,10 @@ - tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - -- buflen=sprintf(buffer, "%lu", (unsigned long)len); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n", 1); - -@@ -3930,7 +3932,7 @@ - tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output) - { - tsize_t written = 0; -- char buffer[16]; -+ char buffer[32]; - int buflen = 0; - - written += t2pWriteFile(output, -@@ -3969,7 +3971,6 @@ - written += t2p_write_pdf_string(t2p->pdf_datetime, output); - } - written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); -- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); - snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); - written += t2p_write_pdf_string(buffer, output); - written += t2pWriteFile(output, (tdata_t) "\n", 1); -@@ -4110,7 +4111,7 @@ - { - tsize_t written=0; - tdir_t i=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - int page=0; -@@ -4118,7 +4119,7 @@ - (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); - page = t2p->pdf_pages+1; - for (i=0;itiff_pagecount;i++){ -- buflen=sprintf(buffer, "%d", page); -+ buflen=snprintf(buffer, sizeof(buffer), "%d", page); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - if ( ((i+1)%8)==0 ) { -@@ -4133,8 +4134,7 @@ - } - } - written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); -+ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); - -@@ -4149,28 +4149,28 @@ - - unsigned int i=0; - tsize_t written=0; -- char buffer[16]; -+ char buffer[256]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "] \n", 3); - written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); -- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); -@@ -4178,15 +4178,13 @@ - written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); - for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ - written += t2pWriteFile(output, (tdata_t) "/Im", 3); -- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "_", 1); -- buflen = sprintf(buffer, "%u", i+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4198,12 +4196,10 @@ - } else { - written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); - written += t2pWriteFile(output, (tdata_t) "/Im", 3); -- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4212,9 +4208,7 @@ - if(t2p->tiff_transferfunctioncount != 0) { - written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); - t2pWriteFile(output, (tdata_t) "/GS1 ", 5); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object + 3)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4587,7 +4581,7 @@ - if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ - for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ - box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; -- buflen=sprintf(buffer, -+ buflen=snprintf(buffer, sizeof(buffer), - "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", - t2p->tiff_transferfunctioncount?"/GS1 gs ":"", - box.mat[0], -@@ -4602,7 +4596,7 @@ - } - } else { - box=t2p->pdf_imagebox; -- buflen=sprintf(buffer, -+ buflen=snprintf(buffer, sizeof(buffer), - "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", - t2p->tiff_transferfunctioncount?"/GS1 gs ":"", - box.mat[0], -@@ -4627,59 +4621,48 @@ - TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); - written += t2pWriteFile(output, - (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", - 42); -- buflen=sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - if(tile != 0){ - written += t2pWriteFile(output, (tdata_t) "_", 1); -- buflen=sprintf(buffer, "%lu", (unsigned long)tile); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } - written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); - if(tile==0){ -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); - } else { - if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); - } else { -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); - } - } - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); - if(tile==0){ -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); - } else { - if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); - } else { -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); - } - } - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); - written += t2p_write_pdf_xobject_cs(t2p, output); -@@ -4723,11 +4706,10 @@ - t2p->pdf_colorspace ^= T2P_CS_PALETTE; - written += t2p_write_pdf_xobject_cs(t2p, output); - t2p->pdf_colorspace |= T2P_CS_PALETTE; -- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); - return(written); -@@ -4761,10 +4743,10 @@ - X_W /= Y_W; - Z_W /= Y_W; - Y_W = 1.0F; -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Range ", 7); -- buflen=sprintf(buffer, "[%d %d %d %d] \n", -+ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", - t2p->pdf_labrange[0], - t2p->pdf_labrange[1], - t2p->pdf_labrange[2], -@@ -4780,26 +4762,26 @@ - tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); - if(t2p->tiff_transferfunctioncount == 1){ -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - } else { - written += t2pWriteFile(output, (tdata_t) "[ ", 2); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 2)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 3)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4821,7 +4803,7 @@ - written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); - written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); - written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); -- buflen=sprintf(buffer, "/Size [%u] \n", (1<tiff_bitspersample)); -+ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<tiff_bitspersample)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); - written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output); -@@ -4848,7 +4830,7 @@ - tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[128]; -+ char buffer[256]; - int buflen=0; - - float X_W=0.0; -@@ -4916,16 +4898,16 @@ - written += t2pWriteFile(output, (tdata_t) "<< \n", 4); - if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ - written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); - } - if(t2p->pdf_colorspace & T2P_CS_CALRGB){ - written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", - X_R, Y_R, Z_R, - X_G, Y_G, Z_G, - X_B, Y_B, Z_B); -@@ -4944,11 +4926,11 @@ - tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); - -@@ -4958,11 +4940,11 @@ - tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "/N ", 3); -- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); -+ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); - t2p->pdf_colorspace ^= T2P_CS_ICCBASED; -@@ -5027,7 +5009,7 @@ - tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - if(t2p->pdf_compression==T2P_COMPRESS_NONE){ -@@ -5042,41 +5024,33 @@ - written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); - if(tile==0){ - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_width); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_length); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } - if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } -@@ -5103,21 +5077,17 @@ - if(t2p->pdf_compressionquality%100){ - written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); - written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); -- _TIFFmemset(buffer, 0x00, 16); -- buflen = sprintf(buffer, "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_width); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) ">>\n", 3); - } -@@ -5137,16 +5107,16 @@ - tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[21]; -+ char buffer[64]; - int buflen=0; - uint32 i=0; - - written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); -- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); - for (i=0;ipdf_xrefcount;i++){ -- sprintf(buffer, "%.10lu 00000 n \n", -+ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", - (unsigned long)t2p->pdf_xrefoffsets[i]); - written += t2pWriteFile(output, (tdata_t) buffer, 20); - } -@@ -5170,17 +5140,14 @@ - snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand()); - - written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); -- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); - written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, - sizeof(t2p->pdf_fileid) - 1); -@@ -5188,9 +5155,8 @@ - written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, - sizeof(t2p->pdf_fileid) - 1); - written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); - - return(written); -Index: tiff-4.0.3/tools/tiff2ps.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2ps.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiff2ps.c 2013-06-23 10:36:51.155629481 -0400 -@@ -1781,8 +1781,8 @@ - imageOp = "imagemask"; - - (void)strcpy(im_x, "0"); -- (void)sprintf(im_y, "%lu", (long) h); -- (void)sprintf(im_h, "%lu", (long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); -+ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); - tile_width = w; - tile_height = h; - if (TIFFIsTiled(tif)) { -@@ -1803,7 +1803,7 @@ - } - if (tile_height < h) { - fputs("/im_y 0 def\n", fd); -- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); - } - } else { - repeat_count = tf_numberstrips; -@@ -1815,7 +1815,7 @@ - fprintf(fd, "/im_h %lu def\n", - (unsigned long) tile_height); - (void)strcpy(im_h, "im_h"); -- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); - } - } - -Index: tiff-4.0.3/tools/tiffcrop.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiffcrop.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiffcrop.c 2013-06-23 10:36:51.159629481 -0400 -@@ -2077,7 +2077,7 @@ - return 1; - } - -- sprintf (filenum, "-%03d%s", findex, export_ext); -+ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); - filenum[14] = '\0'; - strncat (exportname, filenum, 15); - } -@@ -2230,8 +2230,8 @@ - - /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes - fewer than PATH_MAX */ -- memset (temp_filename, '\0', PATH_MAX + 1); -- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images, -+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", -+ dump.infilename, dump_images, - (dump.format == DUMP_TEXT) ? "txt" : "raw"); - if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) - { -@@ -2249,8 +2249,8 @@ - - /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes - fewer than PATH_MAX */ -- memset (temp_filename, '\0', PATH_MAX + 1); -- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, -+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", -+ dump.outfilename, dump_images, - (dump.format == DUMP_TEXT) ? "txt" : "raw"); - if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) - { -Index: tiff-4.0.3/tools/tiff2bw.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2bw.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiff2bw.c 2013-06-23 10:36:51.159629481 -0400 -@@ -205,7 +205,7 @@ - } - } - TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); -- sprintf(thing, "B&W version of %s", argv[optind]); -+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); - TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); - outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); diff --git a/libs/tiff/patches/013-CVE-2013-4231.patch b/libs/tiff/patches/013-CVE-2013-4231.patch deleted file mode 100644 index c26bd856c..000000000 --- a/libs/tiff/patches/013-CVE-2013-4231.patch +++ /dev/null @@ -1,17 +0,0 @@ -Description: Buffer overflow in gif2tiff -Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450 -Bug-Debian: http://bugs.debian.org/719303 - -Index: tiff-4.0.3/tools/gif2tiff.c -=================================================================== ---- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-22 11:46:11.960846910 -0400 -+++ tiff-4.0.3/tools/gif2tiff.c 2013-08-22 11:46:11.956846910 -0400 -@@ -333,6 +333,8 @@ - int status = 1; - - datasize = getc(infile); -+ if (datasize > 12) -+ return 0; - clear = 1 << datasize; - eoi = clear + 1; - avail = clear + 2; diff --git a/libs/tiff/patches/014-CVE-2013-4232.patch b/libs/tiff/patches/014-CVE-2013-4232.patch deleted file mode 100644 index 0d80ff3b0..000000000 --- a/libs/tiff/patches/014-CVE-2013-4232.patch +++ /dev/null @@ -1,18 +0,0 @@ -Description: use after free in tiff2pdf -Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449 -Bug-Debian: http://bugs.debian.org/719303 - -Index: tiff-4.0.3/tools/tiff2pdf.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400 -+++ tiff-4.0.3/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400 -@@ -2461,7 +2461,8 @@ - (unsigned long) t2p->tiff_datasize, - TIFFFileName(input)); - t2p->t2p_error = T2P_ERR_ERROR; -- _TIFFfree(buffer); -+ _TIFFfree(buffer); -+ return(0); - } else { - buffer=samplebuffer; - t2p->tiff_datasize *= t2p->tiff_samplesperpixel; diff --git a/libs/tiff/patches/015-CVE-2013-4244.patch b/libs/tiff/patches/015-CVE-2013-4244.patch deleted file mode 100644 index 0a77a0c4d..000000000 --- a/libs/tiff/patches/015-CVE-2013-4244.patch +++ /dev/null @@ -1,18 +0,0 @@ -Description: OOB write in gif2tiff -Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468 - -Index: tiff-4.0.3/tools/gif2tiff.c -=================================================================== ---- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400 -+++ tiff-4.0.3/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400 -@@ -400,6 +400,10 @@ - } - - if (oldcode == -1) { -+ if (code >= clear) { -+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); -+ return 0; -+ } - *(*fill)++ = suffix[code]; - firstchar = oldcode = code; - return 1; diff --git a/libs/tiff/patches/016-CVE-2013-4243.patch b/libs/tiff/patches/016-CVE-2013-4243.patch deleted file mode 100644 index 75fae2c3c..000000000 --- a/libs/tiff/patches/016-CVE-2013-4243.patch +++ /dev/null @@ -1,37 +0,0 @@ -Index: tiff/tools/gif2tiff.c -=================================================================== ---- tiff.orig/tools/gif2tiff.c -+++ tiff/tools/gif2tiff.c -@@ -280,6 +280,10 @@ readgifimage(char* mode) - fprintf(stderr, "no colormap present for image\n"); - return (0); - } -+ if (width == 0 || height == 0) { -+ fprintf(stderr, "Invalid value of width or height\n"); -+ return(0); -+ } - if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { - fprintf(stderr, "not enough memory for image\n"); - return (0); -@@ -404,6 +408,10 @@ process(register int code, unsigned char - fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); - return 0; - } -+ if (*fill >= raster + width*height) { -+ fprintf(stderr, "raster full before eoi code\n"); -+ return 0; -+ } - *(*fill)++ = suffix[code]; - firstchar = oldcode = code; - return 1; -@@ -434,6 +442,10 @@ process(register int code, unsigned char - } - oldcode = incode; - do { -+ if (*fill >= raster + width*height) { -+ fprintf(stderr, "raster full before eoi code\n"); -+ return 0; -+ } - *(*fill)++ = *--stackp; - } while (stackp > stack); - return 1; diff --git a/libs/tiff/patches/017-CVE-2014-9330.patch b/libs/tiff/patches/017-CVE-2014-9330.patch deleted file mode 100644 index acd0a331d..000000000 --- a/libs/tiff/patches/017-CVE-2014-9330.patch +++ /dev/null @@ -1,45 +0,0 @@ -Description: CVE-2014-9330 - Integer overflow in bmp2tiff -Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494 -Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494 -Bug-Debian: http://bugs.debian.org/773987 - -Index: tiff/tools/bmp2tiff.c -=================================================================== ---- tiff.orig/tools/bmp2tiff.c -+++ tiff/tools/bmp2tiff.c -@@ -1,4 +1,4 @@ --/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $ -+/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $ - * - * Project: libtiff tools - * Purpose: Convert Windows BMP files in TIFF. -@@ -403,6 +403,13 @@ main(int argc, char* argv[]) - - width = info_hdr.iWidth; - length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; -+ if( width <= 0 || length <= 0 ) -+ { -+ TIFFError(infilename, -+ "Invalid dimensions of BMP file" ); -+ close(fd); -+ return -1; -+ } - - switch (info_hdr.iBitCount) - { -@@ -593,6 +600,14 @@ main(int argc, char* argv[]) - - compr_size = file_hdr.iSize - file_hdr.iOffBits; - uncompr_size = width * length; -+ /* Detect int overflow */ -+ if( uncompr_size / width != length ) -+ { -+ TIFFError(infilename, -+ "Invalid dimensions of BMP file" ); -+ close(fd); -+ return -1; -+ } - comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); - if (!comprbuf) { - TIFFError(infilename,