diff options
author | Dirk Meyer <dinoex@FreeBSD.org> | 2008-09-20 07:33:20 +0000 |
---|---|---|
committer | Dirk Meyer <dinoex@FreeBSD.org> | 2008-09-20 07:33:20 +0000 |
commit | f025b838e67c696a3de58d6d7d1b4981cb2ffe43 (patch) | |
tree | a3d4c336b5bc71be7bf030c374a5d83663476eb6 | |
parent | - Update to 2.2.6 (diff) |
- add Security patches
- fix missign macro in manpages
- add regression test
Security: CVE-2006-2193
Security: CVE-2006-2327
Security: CVE-2006-2656
Security: CVE-2006-3459
Security: CVE-2006-3460
Security: CVE-2006-3461
Security: CVE-2006-3462
Security: CVE-2006-3463
Security: CVE-2006-3464
Security: CVE-2006-3465
Security: CVE-2008-2327
PR: 127434
Submitted by: <bf2006a@yahoo.com>
Obtained From: Gentoo,Debian
Approved by: portmgr (marcus)
Notes
Notes:
svn path=/head/; revision=220438
-rw-r--r-- | graphics/tiff/Makefile | 5 | ||||
-rw-r--r-- | graphics/tiff/files/patch-TIFFClose.3tiff | 11 | ||||
-rw-r--r-- | graphics/tiff/files/patch-fax2ps.1 | 74 | ||||
-rw-r--r-- | graphics/tiff/files/patch-raw2tiff.1 | 11 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_dir.c | 94 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_dirinfo.c | 24 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_dirread.c | 321 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_fax3.c | 27 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_jpeg.c | 121 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_lzw.c | 60 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_next.c | 22 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_pixarlog.c | 25 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_print.c | 13 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tif_read.c | 43 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tiff2pdf.1 | 34 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tiff2pdf.c | 13 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tiff2ps.1 | 142 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tiffcmp.1 | 11 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tiffsplit.1 | 11 | ||||
-rw-r--r-- | graphics/tiff/files/patch-tiffsplit.c | 21 |
20 files changed, 1082 insertions, 1 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index 8a009ee25875..49ef6d7b7cda 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -9,7 +9,7 @@ PORTNAME= tiff PORTVERSION= 3.8.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= graphics MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ http://dl1.maptools.org/dl/libtiff/ @@ -126,4 +126,7 @@ post-install: ${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${DOCSDIR}/man/ .endif +regression-test: build + @(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_ARGS} check) + .include <bsd.port.mk> diff --git a/graphics/tiff/files/patch-TIFFClose.3tiff b/graphics/tiff/files/patch-TIFFClose.3tiff new file mode 100644 index 000000000000..e9a36fae58da --- /dev/null +++ b/graphics/tiff/files/patch-TIFFClose.3tiff @@ -0,0 +1,11 @@ +--- man/TIFFClose.3tiff.orig 2008-08-17 13:03:49.058994404 -0400 ++++ man/TIFFClose.3tiff 2008-08-17 13:03:52.522727821 -0400 +@@ -40,7 +40,7 @@ + current directory (if modified); and all resources are reclaimed. + .SH DIAGNOSTICS + All error messages are directed to the +-.bR TIFFError (3TIFF) ++.BR TIFFError (3TIFF) + routine. + Likewise, warning messages are directed to the + .BR TIFFWarning (3TIFF) diff --git a/graphics/tiff/files/patch-fax2ps.1 b/graphics/tiff/files/patch-fax2ps.1 new file mode 100644 index 000000000000..5fce8e717dae --- /dev/null +++ b/graphics/tiff/files/patch-fax2ps.1 @@ -0,0 +1,74 @@ +--- man/fax2ps.1.orig 2008-08-17 13:03:49.038994710 -0400 ++++ man/fax2ps.1 2008-08-17 13:03:52.510994390 -0400 +@@ -27,7 +27,7 @@ + .SH NAME + fax2ps \- convert a + .SM TIFF +-facsimile to compressed \*(Ps\(tm ++facsimile to compressed PostScript\(tm + .SH SYNOPSIS + .B fax2ps + [ +@@ -40,7 +40,7 @@ + reads one or more + .SM TIFF + facsimile image files and prints a compressed form of +-\*(Ps on the standard output that is suitable for printing. ++PostScript on the standard output that is suitable for printing. + .PP + By default, each page is scaled to reflect the + image dimensions and resolutions stored in the file. +@@ -62,26 +62,26 @@ + .PP + By default + .I fax2ps +-generates \*(Ps for all pages in the file. ++generates PostScript for all pages in the file. + The + .B \-p + option can be used to select one or more pages from + a multi-page document. + .PP + .I fax2ps +-generates a compressed form of \*(Ps that is +-optimized for sending pages of text to a \*(Ps ++generates a compressed form of PostScript that is ++optimized for sending pages of text to a PostScript + printer attached to a host through a low-speed link (such + as a serial line). + Each output page is filled with white and then only + the black areas are drawn. +-The \*(Ps specification of the black drawing operations ++The PostScript specification of the black drawing operations + is optimized by using a special font that encodes the + move-draw operations required to fill + the black regions on the page. + This compression scheme typically results in a substantially +-reduced \*(Ps description, relative to the straightforward +-imaging of the page with a \*(Ps ++reduced PostScript description, relative to the straightforward ++imaging of the page with a PostScript + .I image + operator. + This algorithm can, however, be ineffective +@@ -138,9 +138,9 @@ + attempts to recover from such data errors by resynchronizing + decoding at the end of the current scanline. + This can result in long horizontal black lines in the resultant +-\*(Ps image. ++PostScript image. + .SH NOTES +-If the destination printer supports \*(Ps Level II then ++If the destination printer supports PostScript Level II then + it is always faster to just send the encoded bitmap generated + by the + .BR tiff2ps (1) +@@ -149,7 +149,7 @@ + .I fax2ps + should probably figure out when it is doing a poor + job of compressing the output and just generate +-\*(Ps to image the bitmap raster instead. ++PostScript to image the bitmap raster instead. + .SH "SEE ALSO" + .BR tiff2ps (1), + .BR libtiff (3) diff --git a/graphics/tiff/files/patch-raw2tiff.1 b/graphics/tiff/files/patch-raw2tiff.1 new file mode 100644 index 000000000000..b02ff0d69c1e --- /dev/null +++ b/graphics/tiff/files/patch-raw2tiff.1 @@ -0,0 +1,11 @@ +--- man/raw2tiff.1.orig 2008-08-17 13:03:49.042994359 -0400 ++++ man/raw2tiff.1 2008-08-17 13:03:52.519034963 -0400 +@@ -184,7 +184,7 @@ + in some cases. But for most ordinary images guessing method will work fine. + .SH "SEE ALSO" + .BR pal2rgb (1), +-.bR tiffinfo (1), ++.BR tiffinfo (1), + .BR tiffcp (1), + .BR tiffmedian (1), + .BR libtiff (3) diff --git a/graphics/tiff/files/patch-tif_dir.c b/graphics/tiff/files/patch-tif_dir.c new file mode 100644 index 000000000000..61ab63cefd00 --- /dev/null +++ b/graphics/tiff/files/patch-tif_dir.c @@ -0,0 +1,94 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_dir.c.orig 2008-08-17 13:03:48.954994295 -0400 ++++ libtiff/tif_dir.c 2008-08-17 13:03:52.881994558 -0400 +@@ -122,6 +122,7 @@ + { + static const char module[] = "_TIFFVSetField"; + ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; +@@ -195,10 +196,12 @@ + break; + case TIFFTAG_ORIENTATION: + v = va_arg(ap, uint32); ++ const TIFFFieldInfo* fip; + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { ++ fip = _TIFFFieldWithTag(tif, tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "Bad value %lu for \"%s\" tag ignored", +- v, _TIFFFieldWithTag(tif, tag)->field_name); ++ v, fip ? fip->field_name : "Unknown"); + } else + td->td_orientation = (uint16) v; + break; +@@ -387,11 +390,15 @@ + * happens, for example, when tiffcp is used to convert between + * compression schemes and codec-specific tags are blindly copied. + */ ++ /* ++ * better not dereference fip if it is NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + status = 0; + break; + } +@@ -468,7 +475,7 @@ + if (fip->field_type == TIFF_ASCII) + _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); + else { +- tv->value = _TIFFmalloc(tv_size * tv->count); ++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); + if (!tv->value) { + status = 0; + goto end; +@@ -563,7 +570,7 @@ + } + } + if (status) { +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ TIFFSetFieldBit(tif, fip->field_bit); + tif->tif_flags |= TIFF_DIRTYDIRECT; + } + +@@ -572,12 +579,12 @@ + return (status); + badvalue: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", +- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvalue32: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", +- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + } +@@ -813,12 +820,16 @@ + * If the client tries to get a tag that is not valid + * for the image's codec then we'll arrive here. + */ ++ /* ++ * dont dereference fip if it's NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) + { + TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + ret_val = 0; + break; + } diff --git a/graphics/tiff/files/patch-tif_dirinfo.c b/graphics/tiff/files/patch-tif_dirinfo.c new file mode 100644 index 000000000000..921b79aae815 --- /dev/null +++ b/graphics/tiff/files/patch-tif_dirinfo.c @@ -0,0 +1,24 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_dirinfo.c.orig 2008-08-17 13:03:48.958994316 -0400 ++++ libtiff/tif_dirinfo.c 2008-08-17 13:03:52.890034927 -0400 +@@ -775,7 +775,8 @@ + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", + "Internal error, unknown tag 0x%x", + (unsigned int) tag); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +@@ -789,7 +790,8 @@ + if (!fip) { + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", + "Internal error, unknown tag %s", field_name); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); diff --git a/graphics/tiff/files/patch-tif_dirread.c b/graphics/tiff/files/patch-tif_dirread.c new file mode 100644 index 000000000000..35ec18463f5d --- /dev/null +++ b/graphics/tiff/files/patch-tif_dirread.c @@ -0,0 +1,321 @@ +CVE-2006-3459,3463,3464,3465 +=================================================================== +--- libtiff/tif_dirread.c.orig 2008-08-17 13:03:48.962994506 -0400 ++++ libtiff/tif_dirread.c 2008-08-17 13:03:52.890034927 -0400 +@@ -29,6 +29,9 @@ + * + * Directory Read Support Routines. + */ ++ ++#include <limits.h> ++ + #include "tiffiop.h" + + #define IGNORE 0 /* tag placeholder used below */ +@@ -81,6 +84,7 @@ + uint16 dircount; + toff_t nextdiroff; + int diroutoforderwarning = 0; ++ int compressionknown = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -147,13 +151,20 @@ + } else { + toff_t off = tif->tif_diroff; + +- if (off + sizeof (uint16) > tif->tif_size) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "%s: Can not read TIFF directory count", +- tif->tif_name); +- return (0); ++ /* ++ * Check for integer overflow when validating the dir_off, otherwise ++ * a very high offset may cause an OOB read and crash the client. ++ * -- taviso@google.com, 14 Jun 2006. ++ */ ++ if (off + sizeof (uint16) > tif->tif_size || ++ off > (UINT_MAX - sizeof(uint16))) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Can not read TIFF directory count", ++ tif->tif_name); ++ return (0); + } else +- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); ++ _TIFFmemcpy(&dircount, tif->tif_base + off, ++ sizeof (uint16)); + off += sizeof (uint16); + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabShort(&dircount); +@@ -254,6 +265,7 @@ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; ++ + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { + +@@ -264,17 +276,23 @@ + dp->tdir_tag, + dp->tdir_tag, + dp->tdir_type); +- +- TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1 ); ++ /* ++ * creating anonymous fields prior to knowing the compression ++ * algorithm (ie, when the field info has been merged) could cause ++ * crashes with pathological directories. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (compressionknown) ++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), 1 ); ++ else goto ignore; ++ + fix = 0; + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; + } ++ + /* + * Null out old tags that we ignore. + */ +@@ -326,6 +344,7 @@ + dp->tdir_type, dp->tdir_offset); + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) + goto bad; ++ else compressionknown++; + break; + /* XXX: workaround for broken TIFFs */ + } else if (dp->tdir_type == TIFF_LONG) { +@@ -540,6 +559,7 @@ + * Attempt to deal with a missing StripByteCounts tag. + */ + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. In this case, assume there +@@ -556,7 +576,7 @@ + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + /* +@@ -580,6 +600,7 @@ + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Plexus (and others) sometimes give a value of zero for + * a tag when they don't know what the correct value is! Try +@@ -589,13 +610,14 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG + && td->td_nstrips > 2 + && td->td_compression == COMPRESSION_NONE + && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Some vendors fill StripByteCount array with absolutely + * wrong values (it can be equal to StripOffset array, for +@@ -604,7 +626,7 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -870,7 +892,13 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ ++ /* i is used to iterate over td->td_nstrips, so must be ++ * at least the same width. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); +@@ -947,16 +975,18 @@ + static int + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) + { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ + if (count > dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (0); + } else if (count < dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (1); + } +@@ -970,6 +1000,7 @@ + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) + { + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + tsize_t cc = dir->tdir_count * w; + + /* Check for overflow. */ +@@ -1013,7 +1044,7 @@ + bad: + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Error fetching data for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + return (tsize_t) 0; + } + +@@ -1039,10 +1070,12 @@ + static int + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) + { ++ const TIFFFieldInfo* fip; + if (denom == 0) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s: Rational with zero denominator (num = %lu)", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); ++ fip ? fip->field_name : "Unknown", num); + return (0); + } else { + if (dir->tdir_type == TIFF_RATIONAL) +@@ -1159,6 +1192,20 @@ + static int + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) + { ++ /* ++ * Prevent overflowing the v stack arrays below by performing a sanity ++ * check on tdir_count, this should never be greater than two. ++ * -- taviso@google.com 14 Jun 2006. ++ */ ++ if (dir->tdir_count > 2) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, ++ "unexpected count for field \"%s\", %lu, expected 2; ignored.", ++ fip ? fip->field_name : "Unknown", ++ dir->tdir_count); ++ return 0; ++ } ++ + switch (dir->tdir_type) { + case TIFF_BYTE: + case TIFF_SBYTE: +@@ -1329,14 +1376,15 @@ + case TIFF_DOUBLE: + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); + default: ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + /* TIFF_NOTYPE */ + /* TIFF_ASCII */ + /* TIFF_UNDEFINED */ + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", + dir->tdir_type, +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); +- return (0); ++ fip ? fip->field_name : "Unknown"); ++ return (0); } + } + return (1); + } +@@ -1351,6 +1399,9 @@ + int ok = 0; + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + ++ if (fip == NULL) { ++ return (0); ++ } + if (dp->tdir_count > 1) { /* array of values */ + char* cp = NULL; + +@@ -1493,6 +1544,7 @@ + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1510,9 +1562,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1534,6 +1587,7 @@ + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1551,9 +1605,10 @@ + check_count = samples; + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1574,6 +1629,7 @@ + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1591,9 +1647,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; diff --git a/graphics/tiff/files/patch-tif_fax3.c b/graphics/tiff/files/patch-tif_fax3.c new file mode 100644 index 000000000000..5b9e94d23d47 --- /dev/null +++ b/graphics/tiff/files/patch-tif_fax3.c @@ -0,0 +1,27 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_fax3.c.orig 2008-08-17 13:03:48.970994629 -0400 ++++ libtiff/tif_fax3.c 2008-08-17 13:03:52.890034927 -0400 +@@ -1136,6 +1136,7 @@ + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) + { + Fax3BaseState* sp = Fax3State(tif); ++ const TIFFFieldInfo* fip; + + assert(sp != 0); + assert(sp->vsetparent != 0); +@@ -1181,7 +1182,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } diff --git a/graphics/tiff/files/patch-tif_jpeg.c b/graphics/tiff/files/patch-tif_jpeg.c new file mode 100644 index 000000000000..4ce2999e579f --- /dev/null +++ b/graphics/tiff/files/patch-tif_jpeg.c @@ -0,0 +1,121 @@ +CVE-2006-3460,3464,3465 +=================================================================== +--- libtiff/tif_jpeg.c.orig 2008-08-17 13:03:48.974994391 -0400 ++++ libtiff/tif_jpeg.c 2008-08-17 13:03:52.894064968 -0400 +@@ -722,15 +722,31 @@ + segment_width = TIFFhowmany(segment_width, sp->h_sampling); + segment_height = TIFFhowmany(segment_height, sp->v_sampling); + } +- if (sp->cinfo.d.image_width != segment_width || +- sp->cinfo.d.image_height != segment_height) { ++ if (sp->cinfo.d.image_width < segment_width || ++ sp->cinfo.d.image_height < segment_height) { + TIFFWarningExt(tif->tif_clientdata, module, + "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", + segment_width, + segment_height, + sp->cinfo.d.image_width, + sp->cinfo.d.image_height); ++ } ++ ++ if (sp->cinfo.d.image_width > segment_width || ++ sp->cinfo.d.image_height > segment_height) { ++ /* ++ * This case could be dangerous, if the strip or tile size has been ++ * reported as less than the amount of data jpeg will return, some ++ * potential security issues arise. Catch this case and error out. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "JPEG strip/tile size exceeds expected dimensions," ++ "expected %dx%d, got %dx%d", segment_width, segment_height, ++ sp->cinfo.d.image_width, sp->cinfo.d.image_height); ++ return (0); + } ++ + if (sp->cinfo.d.num_components != + (td->td_planarconfig == PLANARCONFIG_CONTIG ? + td->td_samplesperpixel : 1)) { +@@ -761,6 +777,22 @@ + sp->cinfo.d.comp_info[0].v_samp_factor, + sp->h_sampling, sp->v_sampling); + ++ /* ++ * There are potential security issues here for decoders that ++ * have already allocated buffers based on the expected sampling ++ * factors. Lets check the sampling factors dont exceed what ++ * we were expecting. ++ * -- taviso@google.com 14 June 2006 ++ */ ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || ++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot honour JPEG sampling factors that" ++ " exceed those specified."); ++ return (0); ++ } ++ ++ + /* + * XXX: Files written by the Intergraph software + * has different sampling factors stored in the +@@ -1521,15 +1553,18 @@ + { + JPEGState *sp = JState(tif); + +- assert(sp != 0); ++ /* assert(sp != 0); */ + + tif->tif_tagmethods.vgetfield = sp->vgetparent; + tif->tif_tagmethods.vsetfield = sp->vsetparent; + +- if( sp->cinfo_initialized ) +- TIFFjpeg_destroy(sp); /* release libjpeg resources */ +- if (sp->jpegtables) /* tag value */ +- _TIFFfree(sp->jpegtables); ++ if (sp != NULL) { ++ if( sp->cinfo_initialized ) ++ TIFFjpeg_destroy(sp); /* release libjpeg resources */ ++ if (sp->jpegtables) /* tag value */ ++ _TIFFfree(sp->jpegtables); ++ } ++ + _TIFFfree(tif->tif_data); /* release local state */ + tif->tif_data = NULL; + +@@ -1541,6 +1576,7 @@ + { + JPEGState* sp = JState(tif); + TIFFDirectory* td = &tif->tif_dir; ++ const TIFFFieldInfo* fip; + uint32 v32; + + assert(sp != NULL); +@@ -1606,7 +1642,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +@@ -1726,7 +1768,11 @@ + { + JPEGState* sp = JState(tif); + +- assert(sp != NULL); ++ /* assert(sp != NULL); */ ++ if (sp == NULL) { ++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); ++ return; ++ } + + (void) flags; + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) diff --git a/graphics/tiff/files/patch-tif_lzw.c b/graphics/tiff/files/patch-tif_lzw.c new file mode 100644 index 000000000000..e4a36858b4d0 --- /dev/null +++ b/graphics/tiff/files/patch-tif_lzw.c @@ -0,0 +1,60 @@ +CVE-2008-2327 +=================================================================== +--- libtiff/tif_lzw.c.orig 2008-08-17 13:03:49.090994393 -0400 ++++ libtiff/tif_lzw.c 2008-08-17 13:03:52.354994400 -0400 +@@ -237,6 +237,13 @@ + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); ++ ++ + } + return (1); + } +@@ -408,12 +415,20 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } ++ + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -604,12 +619,20 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } ++ + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; diff --git a/graphics/tiff/files/patch-tif_next.c b/graphics/tiff/files/patch-tif_next.c new file mode 100644 index 000000000000..e02f075eacd2 --- /dev/null +++ b/graphics/tiff/files/patch-tif_next.c @@ -0,0 +1,22 @@ +CVE-2006-3462 +=================================================================== +--- libtiff/tif_next.c.orig 2008-08-17 13:03:48.978994352 -0400 ++++ libtiff/tif_next.c 2008-08-17 13:03:52.894064968 -0400 +@@ -105,11 +105,16 @@ + * as codes of the form <color><npixels> + * until we've filled the scanline. + */ ++ /* ++ * Ensure the run does not exceed the scanline ++ * bounds, potentially resulting in a security issue. ++ * -- taviso@google.com 14 Jun 2006. ++ */ + op = row; + for (;;) { + grey = (n>>6) & 0x3; + n &= 0x3f; +- while (n-- > 0) ++ while (n-- > 0 && npixels < imagewidth) + SETPIXEL(op, grey); + if (npixels >= (int) imagewidth) + break; diff --git a/graphics/tiff/files/patch-tif_pixarlog.c b/graphics/tiff/files/patch-tif_pixarlog.c new file mode 100644 index 000000000000..cf99c0c5b368 --- /dev/null +++ b/graphics/tiff/files/patch-tif_pixarlog.c @@ -0,0 +1,25 @@ +CVE-2006-3461 +=================================================================== +--- libtiff/tif_pixarlog.c.orig 2008-08-17 13:03:48.986994374 -0400 ++++ libtiff/tif_pixarlog.c 2008-08-17 13:03:52.894064968 -0400 +@@ -768,7 +768,19 @@ + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabArrayOfShort(up, nsamples); + +- for (i = 0; i < nsamples; i += llen, up += llen) { ++ /* ++ * if llen is not an exact multiple of nsamples, the decode operation ++ * may overflow the output buffer, so truncate it enough to prevent that ++ * but still salvage as much data as possible. ++ * -- taviso@google.com 14th June 2006 ++ */ ++ if (nsamples % llen) ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: stride %lu is not a multiple of sample count, " ++ "%lu, data truncated.", tif->tif_name, llen, nsamples); ++ ++ ++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalAccumulateF(up, llen, sp->stride, diff --git a/graphics/tiff/files/patch-tif_print.c b/graphics/tiff/files/patch-tif_print.c new file mode 100644 index 000000000000..48699484ca4e --- /dev/null +++ b/graphics/tiff/files/patch-tif_print.c @@ -0,0 +1,13 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_print.c.orig 2008-08-17 13:03:49.113994690 -0400 ++++ libtiff/tif_print.c 2008-08-17 13:03:52.201994368 -0400 +@@ -491,7 +491,7 @@ + } else + fprintf(fd, "(present)\n"); + } +- if (TIFFFieldSet(tif, FIELD_SUBIFD)) { ++ if (TIFFFieldSet(tif, FIELD_SUBIFD) && (td->td_subifd)) { + fprintf(fd, " SubIFD Offsets:"); + for (i = 0; i < td->td_nsubifd; i++) + fprintf(fd, " %5lu", (long) td->td_subifd[i]); diff --git a/graphics/tiff/files/patch-tif_read.c b/graphics/tiff/files/patch-tif_read.c new file mode 100644 index 000000000000..67c18ccb5b94 --- /dev/null +++ b/graphics/tiff/files/patch-tif_read.c @@ -0,0 +1,43 @@ +CVE-2006-3464,3465 +=================================================================== +--- libtiff/tif_read.c.orig 2008-08-17 13:03:48.990994211 -0400 ++++ libtiff/tif_read.c 2008-08-17 13:03:52.898026507 -0400 +@@ -31,6 +31,8 @@ + #include "tiffiop.h" + #include <stdio.h> + ++#include <limits.h> ++ + int TIFFFillStrip(TIFF*, tstrip_t); + int TIFFFillTile(TIFF*, ttile_t); + static int TIFFStartStrip(TIFF*, tstrip_t); +@@ -272,7 +274,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +478,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { + tif->tif_curtile = NOTILE; + return (0); + } diff --git a/graphics/tiff/files/patch-tiff2pdf.1 b/graphics/tiff/files/patch-tiff2pdf.1 new file mode 100644 index 000000000000..2a081a39e2e8 --- /dev/null +++ b/graphics/tiff/files/patch-tiff2pdf.1 @@ -0,0 +1,34 @@ +--- man/tiff2pdf.1.orig 2008-08-17 13:03:49.046994376 -0400 ++++ man/tiff2pdf.1 2008-08-17 13:03:52.522727821 -0400 +@@ -207,18 +207,14 @@ + The following example would generate the file output.pdf from input.tiff. + .PP + .RS +-.NF +-tiff2pdf -o output.pdf input.tiff +-.FI ++\f(CWtiff2pdf -o output.pdf input.tiff\fP + .RE + .PP + The following example would generate PDF output from input.tiff and write it + to standard output. + .PP + .RS +-.NF +-tiff2pdf input.tiff +-.FI ++\f(CWtiff2pdf input.tiff\fP + .RE + .PP + The following example would generate the file output.pdf from input.tiff, +@@ -227,9 +223,7 @@ + the "Fit Window" option. + .PP + .RS +-.NF +-tiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff +-.FI ++\f(CWtiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff\f) + .RE + .SH BUGS + Please report bugs via the web interface at diff --git a/graphics/tiff/files/patch-tiff2pdf.c b/graphics/tiff/files/patch-tiff2pdf.c new file mode 100644 index 000000000000..6206cce935dc --- /dev/null +++ b/graphics/tiff/files/patch-tiff2pdf.c @@ -0,0 +1,13 @@ +CVE-2006-2193 +=================================================================== +--- tools/tiff2pdf.c.orig 2006-06-04 18:26:40.000000000 -0700 ++++ tools/tiff2pdf.c 2006-06-04 18:27:22.000000000 -0700 +@@ -3668,7 +3668,7 @@ + written += TIFFWriteFile(output, (tdata_t) "(", 1); + for (i=0;i<len;i++){ + if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){ +- sprintf(buffer, "\\%.3o", pdfstr[i]); ++ snprintf(buffer, sizeof(buffer), "\\%.3o", pdfstr[i]); + written += TIFFWriteFile(output, (tdata_t) buffer, 4); + } else { + switch (pdfstr[i]){ diff --git a/graphics/tiff/files/patch-tiff2ps.1 b/graphics/tiff/files/patch-tiff2ps.1 new file mode 100644 index 000000000000..b9051f53e70a --- /dev/null +++ b/graphics/tiff/files/patch-tiff2ps.1 @@ -0,0 +1,142 @@ +--- man/tiff2ps.1.orig 2008-08-17 13:03:49.050994382 -0400 ++++ man/tiff2ps.1 2008-08-17 13:03:52.522727821 -0400 +@@ -27,7 +27,7 @@ + .SH NAME + tiff2ps \- convert a + .SM TIFF +-image to \*(Ps\(tm ++image to PostScript\(tm + .SH SYNOPSIS + .B tiff2ps + [ +@@ -38,17 +38,17 @@ + .I tiff2ps + reads + .SM TIFF +-images and writes \*(Ps or Encapsulated \*(Ps (EPS) ++images and writes PostScript or Encapsulated PostScript (EPS) + on the standard output. + By default, + .I tiff2ps +-writes Encapsulated \*(Ps for the first image in the specified ++writes Encapsulated PostScript for the first image in the specified + .SM TIFF + image file. + .PP + By default, + .I tiff2ps +-will generate \*(Ps that fills a printed area specified ++will generate PostScript that fills a printed area specified + by the + .SM TIFF + tags in the input file. +@@ -67,22 +67,22 @@ + .SM TIFF + tags. + .PP +-The \*(Ps generated for ++The PostScript generated for + .SM RGB, + palette, and + .SM CMYK + images uses the + .I colorimage + operator. +-The \*(Ps generated for ++The PostScript generated for + greyscale and bilevel images + uses the + .I image + operator. + When the + .I colorimage +-operator is used, \*(Ps code to emulate this operator +-on older \*(Ps printers is also generated. ++operator is used, PostScript code to emulate this operator ++on older PostScript printers is also generated. + Note that this emulation code can be very slow. + .PP + Color images with associated alpha data are composited over +@@ -90,13 +90,13 @@ + .SH OPTIONS + .TP + .B \-1 +-Generate \*(Ps Level 1 (the default). ++Generate PostScript Level 1 (the default). + .TP + .B \-2 +-Generate \*(Ps Level 2. ++Generate PostScript Level 2. + .TP + .B \-3 +-Generate \*(Ps Level 3. It basically allows one to use the /flateDecode ++Generate PostScript Level 3. It basically allows one to use the /flateDecode + filter for ZIP compressed TIFF images. + .TP + .B \-a +@@ -119,7 +119,7 @@ + multi-page (e.g. facsimile) file. + .TP + .B \-e +-Force the generation of Encapsulated \*(Ps (implies -z). ++Force the generation of Encapsulated PostScript (implies -z). + .TP + .B \-h + Specify the vertical size of the printed area (in inches). +@@ -148,7 +148,7 @@ + .B \-m + Where possible render using the + .B imagemask +-\*(Ps operator instead of the image operator. When this option is specified ++PostScript operator instead of the image operator. When this option is specified + .I tiff2ps + will use + .B imagemask +@@ -166,7 +166,7 @@ + like which are hidden using the SubIFD tag. + .TP + .B \-p +-Force the generation of (non-Encapsulated) \*(Ps. ++Force the generation of (non-Encapsulated) PostScript. + .TP + .B \-r + Rotate image by 180 degrees. +@@ -184,15 +184,15 @@ + Override resolution units specified in the TIFF as inches. + .TP + .B \-z +-When generating \*(Ps Level 2, data is scaled so that it does not ++When generating PostScript Level 2, data is scaled so that it does not + image into the + .I deadzone + on a page (the outer margin that the printing device is unable to mark). + This option suppresses this behavior. +-When \*(Ps Level 1 is generated, data is imaged to the entire printed ++When PostScript Level 1 is generated, data is imaged to the entire printed + page and this option has no affect. + .SH EXAMPLES +-The following generates \*(Ps Level 2 for all pages of a facsimile: ++The following generates PostScript Level 2 for all pages of a facsimile: + .RS + .nf + tiff2ps -a2 fax.tif | lpr +@@ -201,7 +201,7 @@ + Note also that if you have version 2.6.1 or newer of Ghostscript then you + can efficiently preview facsimile generated with the above command. + .PP +-To generate Encapsulated \*(Ps for a the image at directory 2 ++To generate Encapsulated PostScript for a the image at directory 2 + of an image use: + .RS + .nf +@@ -228,8 +228,8 @@ + .B \-L.5 + option says to repeat a half inch on the next page (to improve readability). + .SH BUGS +-Because \*(Ps does not support the notion of a colormap, +-8-bit palette images produce 24-bit \*(Ps images. ++Because PostScript does not support the notion of a colormap, ++8-bit palette images produce 24-bit PostScript images. + This conversion results in output that is six times + bigger than the original image and which takes a long time + to send to a printer over a serial line. diff --git a/graphics/tiff/files/patch-tiffcmp.1 b/graphics/tiff/files/patch-tiffcmp.1 new file mode 100644 index 000000000000..df179f116621 --- /dev/null +++ b/graphics/tiff/files/patch-tiffcmp.1 @@ -0,0 +1,11 @@ +--- man/tiffcmp.1.orig 2008-08-17 13:03:49.062994301 -0400 ++++ man/tiffcmp.1 2008-08-17 13:03:52.522727821 -0400 +@@ -77,7 +77,7 @@ + in some exotic cases. + .SH "SEE ALSO" + .BR pal2rgb (1), +-.bR tiffinfo (1), ++.BR tiffinfo (1), + .BR tiffcp (1), + .BR tiffmedian (1), + .BR libtiff (3TIFF) diff --git a/graphics/tiff/files/patch-tiffsplit.1 b/graphics/tiff/files/patch-tiffsplit.1 new file mode 100644 index 000000000000..5bb19b84fdb1 --- /dev/null +++ b/graphics/tiff/files/patch-tiffsplit.1 @@ -0,0 +1,11 @@ +--- man/tiffsplit.1.orig 2008-08-17 13:03:49.070994233 -0400 ++++ man/tiffsplit.1 2008-08-17 13:03:52.522727821 -0400 +@@ -50,7 +50,7 @@ + (e.g. + .IR xaaa.tif , + .IR xaab.tif , +-\... ++.IR ... , + .IR xzzz.tif ). + If a prefix is not specified on the command line, + the default prefix of diff --git a/graphics/tiff/files/patch-tiffsplit.c b/graphics/tiff/files/patch-tiffsplit.c new file mode 100644 index 000000000000..ea75a024ce85 --- /dev/null +++ b/graphics/tiff/files/patch-tiffsplit.c @@ -0,0 +1,21 @@ +CVE-2006-2656 +=================================================================== +--- tools/tiffsplit.c.orig 2008-08-17 13:03:49.014994263 -0400 ++++ tools/tiffsplit.c 2008-08-17 13:03:52.726994578 -0400 +@@ -61,14 +61,13 @@ + return (-3); + } + if (argc > 2) +- strcpy(fname, argv[2]); ++ snprintf(fname, sizeof(fname), "%s", argv[2]); + in = TIFFOpen(argv[1], "r"); + if (in != NULL) { + do { + char path[1024+1]; + newfilename(); +- strcpy(path, fname); +- strcat(path, ".tif"); ++ snprintf(path, sizeof(path), "%s.tif", fname); + out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); + if (out == NULL) + return (-2); |