
libtiff-4.0.9-1.7.mga6.src.rpm

From f1b94e8a3ba49febdd3361c0214a1d1149251577 Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Sat, 8 Sep 2018 14:36:12 +0800
Subject: [PATCH 1/3] only read/write TIFFTAG_GROUP3OPTIONS or
 TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
 COMPRESSION_CCITTFAX4

---
 tools/pal2rgb.c | 18 +++++++++++++++++-
 tools/tiff2bw.c | 18 +++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 01fcf941..01d8502e 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
 {
     struct cpTag *p;
     for (p = tags; p < &tags[NTAGS]; p++)
-	cpTag(in, out, p->tag, p->count, p->type);
+    {
+        if( p->tag == TIFFTAG_GROUP3OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                    compression != COMPRESSION_CCITTFAX3 )
+                continue;
+        }
+        if( p->tag == TIFFTAG_GROUP4OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                    compression != COMPRESSION_CCITTFAX4 )
+                continue;
+        }
+        cpTag(in, out, p->tag, p->count, p->type);
+    }
 }
 #undef NTAGS
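Review bot: The TIFFTAG_GROUP3OPTIONS and TIFFTAG_GROUP4OPTIONS branches inside the cpTags() loop are two copies of the same guard, and each declares its own `compression` and re-reads TIFFTAG_COMPRESSION from the input. Reading the field once ahead of the `for` keeps the rule in one place: `uint16 compression = 0; (void) TIFFGetField(in, TIFFTAG_COMPRESSION, &compression);`, then `if( p->tag == TIFFTAG_GROUP3OPTIONS && compression != COMPRESSION_CCITTFAX3 ) continue;` and the matching line for GROUP4/CCITTFAX4. A one-line comment such as `/* fax option tags are only copied when the input uses the matching CCITT codec */` would record why the tags are skipped. The same applies to the identical hunk in tools/tiff2bw.c.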
 
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index 05faba87..5bef3142 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
 {
     struct cpTag *p;
     for (p = tags; p < &tags[NTAGS]; p++)
-	cpTag(in, out, p->tag, p->count, p->type);
+    {
+        if( p->tag == TIFFTAG_GROUP3OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                    compression != COMPRESSION_CCITTFAX3 )
+                continue;
+        }
+        if( p->tag == TIFFTAG_GROUP4OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                    compression != COMPRESSION_CCITTFAX4 )
+                continue;
+        }
+        cpTag(in, out, p->tag, p->count, p->type);
+    }
 }
 #undef NTAGS
 
-- 
2.18.1


From 6da1fb3f64d43be37e640efbec60400d1f1ac39e Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Sat, 8 Sep 2018 14:46:27 +0800
Subject: [PATCH 2/3] avoid potential int32 overflows in multiply_ms()

---
 tools/ppm2tiff.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index af6e4124..c2d59257 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -70,15 +70,16 @@ BadPPM(char* file)
 	exit(-2);
 }
 
+
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
 static tmsize_t
 multiply_ms(tmsize_t m1, tmsize_t m2)
 {
-	tmsize_t bytes = m1 * m2;
-
-	if (m1 && bytes / m1 != m2)
-		bytes = 0;
-
-	return bytes;
+        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+            return 0;
+        return m1 * m2;
 }
 
 int
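Review bot: The new guard in multiply_ms() bounds the product only from above, so it is safe for non-negative operands only. tmsize_t is a signed type, and a negative m1 or m2 (for example both large and negative) still passes `m2 > TIFF_TMSIZE_T_MAX / m1` and reaches `m1 * m2`, where signed overflow is undefined. The callers are outside this hunk; if any operand can come from header fields of the input file, consider `if( m1 <= 0 || m2 < 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) return 0;`. The macro should also carry outer parentheses, `((tmsize_t)(TIFF_SIZE_T_MAX >> 1))`, and a short comment above the function should state that a return of 0 means "overflow or empty", since callers have to treat it as an error.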
-- 
2.18.1


From 97c95667f615b2ce793d162fd26c05c3901a9043 Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Sat, 8 Sep 2018 15:07:53 +0800
Subject: [PATCH 3/3] fix out-of-bound read on some tiled images.

---
 tools/tiffinfoce.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/tools/tiffinfoce.c b/tools/tiffinfoce.c
index 1822a550..b90f0382 100644
--- a/tools/tiffinfoce.c
+++ b/tools/tiffinfoce.c
@@ -290,17 +290,24 @@ void
 TIFFReadContigTileData(TIFF* tif)
 {
 	unsigned char *buf;
-	tsize_t rowsize = TIFFTileRowSize(tif);
+        tmsize_t rowsize = TIFFTileRowSize(tif);
+        tmsize_t tilesize = TIFFTileSize(tif);
 
-	buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif));
+        buf = (unsigned char *)_TIFFmalloc(tilesize);
 	if (buf) {
-		uint32 tw, th, w, h;
+		uint32 tw=0, th=0, w=0, h=0;
 		uint32 row, col;
 
 		TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w);
 		TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h);
 		TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
 		TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
+                if( rowsize == 0 || th > tilesize / rowsize )
+                {
+                        fprintf(stderr, "Cannot display data: th * rowsize > tilesize\n");
+                        _TIFFfree(buf);
+                        return;
+                }
 		for (row = 0; row < h; row += th) {
 			for (col = 0; col < w; col += tw) {
 				if (TIFFReadTile(tif, buf, col, row, 0, 0) < 0) {
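Review bot: The added check in TIFFReadContigTileData() never tests `tw` or `th` for zero, although the loops that follow step by `row += th` and `col += tw` and the TIFFGetField() return values are ignored. With both now initialised to 0, loop termination depends on `rowsize == 0` happening to catch that case inside the library, which is not visible from this hunk. Making it explicit is cheap: `if( tw == 0 || th == 0 || rowsize <= 0 || th > tilesize / rowsize )`. The message "th * rowsize > tilesize" is also printed when rowsize is 0, so a separate wording for that case would make the diagnostic accurate. The same guard is repeated in TIFFReadSeparateTileData() in the later hunks; the function body continues past this hunk.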
@@ -318,11 +325,12 @@ void
 TIFFReadSeparateTileData(TIFF* tif)
 {
 	unsigned char *buf;
-	tsize_t rowsize = TIFFTileRowSize(tif);
+	tmsize_t rowsize = TIFFTileRowSize(tif);
+	tmsize_t tilesize = TIFFTileSize(tif);
 
-	buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif));
+	buf = (unsigned char *)_TIFFmalloc(tilesize);
 	if (buf) {
-		uint32 tw, th, w, h;
+		uint32 tw=0, th=0, w=0, h=0;
 		uint32 row, col;
 		tsample_t s, samplesperpixel;
 
@@ -331,6 +339,12 @@ TIFFReadSeparateTileData(TIFF* tif)
 		TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
 		TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
 		TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel);
+		if( rowsize == 0 || th > tilesize / rowsize )
+		{
+			fprintf(stderr, "Cannot display data: th * rowsize > tilesize\n");
+			_TIFFfree(buf);
+			return;
+		}
 		for (row = 0; row < h; row += th) {
 			for (col = 0; col < w; col += tw) {
 				for (s = 0; s < samplesperpixel; s++) {
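Review bot: `samplesperpixel` is still declared without an initialiser (the `tsample_t s, samplesperpixel;` context line in the previous hunk), and the result of `TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel)` is not checked. If that call fails, the bound in `for (s = 0; s < samplesperpixel; s++)` is an indeterminate value, while tw, th, w and h are now zero-initialised by this commit. Suggest `tsample_t s, samplesperpixel = 0;`, or reading the tag with `TIFFGetFieldDefaulted()` so the library default is used when the tag is absent. The loop body continues outside the hunk.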
-- 
2.18.1