mirror
/
openwrt-packages
mirror of https://git.openwrt.org/feed/packages.git
1
0
Fork 0
Code Releases Activity

Merge pull request #5542 from micmac1/jiri-for-15.05 

libssh2, libxslt, tiff: security bumps (for 15.05)
This commit is contained in:
Jiri Slachta 2018-01-30 20:00:45 +01:00 committed by GitHub
parent 2b8f946204 bdfe75a5cd
commit 8d98c0501a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
33 changed files with 1208 additions and 1098 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
libs/libssh2/Makefile
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2015 OpenWrt.org
# Copyright (C) 2015 - 2018 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libssh2
PKG_VERSION:=1.6.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.libssh2.org/download
PKG_SOURCE_URL:=https://www.libssh2.org/download
PKG_MD5SUM:=00aabd6e714a5f42a4fb82ace20db1dd
PKG_INSTALL:=1
@ -26,9 +26,9 @@ define Package/libssh2
SECTION:=libs
CATEGORY:=Libraries
TITLE:=SSH2 library
URL:=http://www.libssh2.org/
URL:=https://www.libssh2.org/
DEPENDS:=+libopenssl +zlib
MAINTAINER:=Jiri Slachta <slachta@cesnet.cz>
MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
endef
define Package/libssh2/description
@ -39,7 +39,8 @@ TARGET_CFLAGS += $(FPIC)
CONFIGURE_ARGS += \
--disable-examples-build \
--with-libssl-prefix=$(STAGING_DIR)/usr
--with-libssl-prefix=$(STAGING_DIR)/usr \
--with-libz-prefix=$(STAGING_DIR)/usr
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include

22
libs/libssh2/patches/0004-CVE-2016-0787.patch Normal file
View File

@ -0,0 +1,22 @@
Description: CVE-2016-0787: Truncated Difffie-Hellman secret length
Convert bytes to bits in diffie_hellman_sha1. Otherwise we get far too
small numbers.
Origin: backport, http://www.libssh2.org/CVE-2016-0787.patch
Forwarded: not-needed
Author: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-02-18
Applied-Upstream: 1.7.0
---
--- a/src/kex.c
+++ b/src/kex.c
@@ -103,7 +103,7 @@ static int diffie_hellman_sha1(LIBSSH2_S
memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
/* Generate x and e */
- _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
+ _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
_libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
exchange_state->ctx);

9
libs/libxslt/Makefile
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2014 OpenWrt.org
# Copyright (C) 2014 - 2018 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libxslt
PKG_VERSION:=1.1.28
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
@ -20,7 +20,7 @@ PKG_MD5SUM:=9667bf6f9310b957254fdcf6596600b7
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=COPYING
PKG_MAINTAINER:=Jiri Slachta <slachta@cesnet.cz>
PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
@ -43,7 +43,7 @@ define Package/libexslt
SECTION:=libs
CATEGORY:=Libraries
DEPENDS:=+libxslt
TITLE:=Gnome XSLT library Extention
TITLE:=Gnome XSLT library Extension
URL:=http://xmlsoft.org/XSLT/EXSLT/
endef
@ -64,6 +64,7 @@ define Package/xsltproc/description
endef
CONFIGURE_ARGS+= \
--disable-silent-rules \
--enable-shared \
--enable-static \
--without-python \

48
libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch Normal file
View File

@ -0,0 +1,48 @@
From: Daniel Veillard <veillard@redhat.com>
Date: Wed, 30 Jan 2013 16:31:37 +0000
Subject: Fix a couple of places where (f)printf parameters were broken
As reported by Thomas Jarosch <thomas.jarosch@intra2net.com>
---
python/libxslt.c | 10 +++++-----
xsltproc/xsltproc.c | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/python/libxslt.c b/python/libxslt.c
index 6a4f1c3..8dd6c78 100644
--- a/python/libxslt.c
+++ b/python/libxslt.c
@@ -356,15 +356,15 @@ libxslt_xsltRegisterExtModuleElement(PyObject *self ATTRIBUTE_UNUSED,
PyObject *pyobj_element_f;
PyObject *pyobj_precomp_f;
-#ifdef DEBUG_EXTENSIONS
- printf("libxslt_xsltRegisterExtModuleElement called\n",
- name, ns_uri);
-#endif
-
if (!PyArg_ParseTuple(args, (char *)"szOO:registerExtModuleElement",
&name, &ns_uri, &pyobj_precomp_f, &pyobj_element_f))
return(NULL);
+#ifdef DEBUG_EXTENSIONS
+ printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n",
+ name, ns_uri);
+#endif
+
if ((name == NULL) || (pyobj_element_f == NULL) || (pyobj_precomp_f == NULL)) {
py_retval = libxml_intWrap(-1);
return(py_retval);
diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
index 9ec4b76..33beddf 100644
--- a/xsltproc/xsltproc.c
+++ b/xsltproc/xsltproc.c
@@ -319,7 +319,7 @@ static void endTimer(char *format, ...)
va_start(ap, format);
vfprintf(stderr,format,ap);
va_end(ap);
- fprintf(stderr, " was not timed\n", msec);
+ fprintf(stderr, " was not timed\n");
#else
/* We don't have gettimeofday, time or stdarg.h, what crazy world is
* this ?!

56
libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch Normal file
View File

@ -0,0 +1,56 @@
From: Nils Werner <wernerns@iis.fraunhofer.de>
Date: Thu, 24 Jan 2013 18:44:03 +0000
Subject: Initialize pseudo random number generator with current time or
optional command line parameter
---
xsltproc/xsltproc.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
index 33beddf..7d1fe61 100644
--- a/xsltproc/xsltproc.c
+++ b/xsltproc/xsltproc.c
@@ -514,6 +514,7 @@ static void usage(const char *name) {
printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth);
printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars);
printf("\t--maxparserdepth val : increase the maximum parser depth\n");
+ printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n");
#ifdef LIBXML_HTML_ENABLED
printf("\t--html: the input document is(are) an HTML file(s)\n");
#endif
@@ -556,6 +557,7 @@ main(int argc, char **argv)
return (1);
}
+ srand(time(NULL));
xmlInitMemory();
LIBXML_TEST_VERSION
@@ -750,6 +752,15 @@ main(int argc, char **argv)
if (value > 0)
xmlParserMaxDepth = value;
}
+ } else if ((!strcmp(argv[i], "-seed-rand")) ||
+ (!strcmp(argv[i], "--seed-rand"))) {
+ int value;
+
+ i++;
+ if (sscanf(argv[i], "%d", &value) == 1) {
+ if (value > 0)
+ srand(value);
+ }
} else if ((!strcmp(argv[i],"-dumpextensions"))||
(!strcmp(argv[i],"--dumpextensions"))) {
dumpextensions++;
@@ -786,6 +797,10 @@ main(int argc, char **argv)
(!strcmp(argv[i], "--maxparserdepth"))) {
i++;
continue;
+ } else if ((!strcmp(argv[i], "-seed-rand")) ||
+ (!strcmp(argv[i], "--seed-rand"))) {
+ i++;
+ continue;
} else if ((!strcmp(argv[i], "-o")) ||
(!strcmp(argv[i], "-output")) ||
(!strcmp(argv[i], "--output"))) {

38
libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch Normal file
View File

@ -0,0 +1,38 @@
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 1 Jul 2013 13:10:10 +0000
Subject: EXSLT function str:replace() is broken as-is
the str:replace() function is no longer usable without a transform
context. I take it from the bug report that it is not supposed to be used
from plain XPath but only from XSLT according to the EXSLT specification.
However, the previous implementation used to work in XPath and is still
registered on an xmlXPathContext by the exsltStrXpathCtxtRegister()
function. When called from plain XPath, it results in a memory error in
line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT()
returns NULL as an error indicator due to a NULL transform context being
passed in, which was the return value from xsltXPathGetTransformContext() a
bit further up (and the code doesn't validate that).
Since fixing the function looks impossible, best is to remove it.
---
libexslt/strings.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/libexslt/strings.c b/libexslt/strings.c
index 045cc14..c0c7a18 100644
--- a/libexslt/strings.c
+++ b/libexslt/strings.c
@@ -838,11 +838,7 @@ exsltStrXpathCtxtRegister (xmlXPathContextPtr ctxt, const xmlChar *prefix)
&& !xmlXPathRegisterFuncNS(ctxt,
(const xmlChar *) "concat",
(const xmlChar *) EXSLT_STRINGS_NAMESPACE,
- exsltStrConcatFunction)
- && !xmlXPathRegisterFuncNS(ctxt,
- (const xmlChar *) "replace",
- (const xmlChar *) EXSLT_STRINGS_NAMESPACE,
- exsltStrReplaceFunction)) {
+ exsltStrConcatFunction)) {
return 0;
}
return -1;

43
libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch Normal file
View File

@ -0,0 +1,43 @@
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 30 Jul 2013 11:57:28 +0000
Subject: Fix quoting of xlocale test program in configure.in
Double square brackets aren't needed anymore, probably due to the
changes in commit a2cd8a03.
---
configure.in | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/configure.in b/configure.in
index 767e980..ac004fe 100644
--- a/configure.in
+++ b/configure.in
@@ -196,21 +196,21 @@ typedef locale_t xsltLocale;
#endif
]],[[
xsltLocale locale;
- const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" };
- char *dst[[2]];
+ const char *src[2] = { "\xc3\x84rger", "Zeppelin" };
+ char *dst[2];
size_t len, r;
int i;
locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL);
if (locale == NULL) exit(1);
for (i=0; i<2; ++i) {
- len = strxfrm_l(NULL, src[[i]], 0, locale) + 1;
- dst[[i]] = malloc(len);
- if(dst[[i]] == NULL) exit(1);
- r = strxfrm_l(dst[[i]], src[[i]], len, locale);
+ len = strxfrm_l(NULL, src[i], 0, locale) + 1;
+ dst[i] = malloc(len);
+ if(dst[i] == NULL) exit(1);
+ r = strxfrm_l(dst[i], src[i], len, locale);
if(r >= len) exit(1);
}
- if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1);
+ if (strcmp(dst[0], dst[1]) >= 0) exit(1);
exit(0);
return(0);

29
libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch Normal file
View File

@ -0,0 +1,29 @@
From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 29 Oct 2015 19:33:23 +0800
Subject: [PATCH] Fix for type confusion in preprocessing attributes
CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
We need to check that the parent node is an element before dereferencing
its namespace
---
libxslt/preproc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/preproc.c b/libxslt/preproc.c
index 0eb80a0..7f69325 100644
--- a/libxslt/preproc.c
+++ b/libxslt/preproc.c
@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
} else if (IS_XSLT_NAME(inst, "attribute")) {
xmlNodePtr parent = inst->parent;
- if ((parent == NULL) || (parent->ns == NULL) ||
+ if ((parent == NULL) ||
+ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
((parent->ns != inst->ns) &&
(!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
--
2.8.1

62
libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch Normal file
View File

@ -0,0 +1,62 @@
From 3309feb654036280d2355f8025150a69bfded6e2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 3 Jan 2016 16:45:24 +0100
Subject: [PATCH] Always initialize EXSLT month and day to 1
Fixes bug #757970
https://bugzilla.gnome.org/show_bug.cgi?id=757970
---
libexslt/date.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/libexslt/date.c b/libexslt/date.c
index 9ca993c..272c61b 100644
--- a/libexslt/date.c
+++ b/libexslt/date.c
@@ -667,6 +667,11 @@ exsltDateCreateDate (exsltDateType type)
}
memset (ret, 0, sizeof(exsltDateVal));
+ if (type != XS_DURATION) {
+ ret->value.date.mon = 1;
+ ret->value.date.day = 1;
+ }
+
if (type != EXSLT_UNKNOWN)
ret->type = type;
@@ -1395,10 +1400,10 @@ _exsltDateTruncateDate (exsltDateValPtr dt, exsltDateType type)
}
if ((type & XS_GDAY) != XS_GDAY)
- dt->value.date.day = 0;
+ dt->value.date.day = 1;
if ((type & XS_GMONTH) != XS_GMONTH)
- dt->value.date.mon = 0;
+ dt->value.date.mon = 1;
if ((type & XS_GYEAR) != XS_GYEAR)
dt->value.date.year = 0;
@@ -1473,18 +1478,10 @@ _exsltDateAdd (exsltDateValPtr dt, exsltDateValPtr dur)
d = &(dt->value.date);
u = &(dur->value.dur);
- /* normalization */
- if (d->mon == 0)
- d->mon = 1;
-
/* normalize for time zone offset */
u->sec -= (d->tzo * 60); /* changed from + to - (bug 153000) */
d->tzo = 0;
- /* normalization */
- if (d->day == 0)
- d->day = 1;
-
/* month */
carry = d->mon + u->mon;
r->mon = (unsigned int)MODULO_RANGE(carry, 1, 13);
--
2.8.1

105
libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch Normal file
View File

@ -0,0 +1,105 @@
From fc1ff481fd01e9a65a921c542fed68d8c965e8a3 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 25 Feb 2016 17:16:06 +0100
Subject: [PATCH] Fix use-after-free in xsltDocumentFunctionLoadDocument
Also fixes a memory leak in an unlikely error case.
Fixes bug #758291
https://bugzilla.gnome.org/show_bug.cgi?id=758291
---
libxslt/functions.c | 3 ++-
tests/docs/bug-185-data.xml | 5 +++++
tests/docs/bug-185.xml | 2 ++
tests/general/bug-185.err | 3 +++
tests/general/bug-185.out | 0
tests/general/bug-185.xsl | 14 ++++++++++++++
6 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 tests/docs/bug-185-data.xml
create mode 100644 tests/docs/bug-185.xml
create mode 100644 tests/general/bug-185.err
create mode 100644 tests/general/bug-185.out
create mode 100644 tests/general/bug-185.xsl
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 549649c..a5e7021 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -180,7 +180,6 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
resObj = xmlXPtrEval(fragment, xptrctxt);
xmlXPathFreeContext(xptrctxt);
#endif
- xmlFree(fragment);
if (resObj == NULL)
goto out_fragment;
@@ -204,6 +203,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
}
valuePush(ctxt, resObj);
+ xmlFree(fragment);
return;
out_object:
@@ -211,6 +211,7 @@ out_object:
out_fragment:
valuePush(ctxt, xmlXPathNewNodeSet(NULL));
+ xmlFree(fragment);
}
/**
diff --git a/tests/docs/bug-185-data.xml b/tests/docs/bug-185-data.xml
new file mode 100644
index 0000000..166ef17
--- /dev/null
+++ b/tests/docs/bug-185-data.xml
@@ -0,0 +1,5 @@
+<!DOCTYPE test [ <!ATTLIST A id ID #REQUIRED> ] >
+<test>
+ <A id="X"/>
+ <A id="Y"/>
+</test>
diff --git a/tests/docs/bug-185.xml b/tests/docs/bug-185.xml
new file mode 100644
index 0000000..72bfdc4
--- /dev/null
+++ b/tests/docs/bug-185.xml
@@ -0,0 +1,2 @@
+<?xml-stylesheet href="poc.xsl" type="text/xsl"?>
+<in>bug-185-data.xml#xpointer(id('X')/range-to(id('Y')))</in>
diff --git a/tests/general/bug-185.err b/tests/general/bug-185.err
new file mode 100644
index 0000000..d7bbe92
--- /dev/null
+++ b/tests/general/bug-185.err
@@ -0,0 +1,3 @@
+runtime error: file ./bug-185.xsl line 7 element copy-of
+document() : XPointer does not select a node set: #xpointer(id('X')/range-to(id('Y')))
+no result for ./../docs/bug-185.xml
diff --git a/tests/general/bug-185.out b/tests/general/bug-185.out
new file mode 100644
index 0000000..e69de29
diff --git a/tests/general/bug-185.xsl b/tests/general/bug-185.xsl
new file mode 100644
index 0000000..1c5c7d1
--- /dev/null
+++ b/tests/general/bug-185.xsl
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+ <xsl:template match="in">
+ <annotation>
+ <xsl:copy-of select="."/>
+ <value>
+ <xsl:copy-of select="document(.)"/>
+ </value>
+ </annotation>
+ </xsl:template>
+ <xsl:template match="@*|node()">
+ <xsl:apply-templates/>
+ </xsl:template>
+</xsl:stylesheet>
--
2.8.1

171
libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch Normal file
View File

@ -0,0 +1,171 @@
From d182d8f6ba3071503d96ce17395c9d55871f0242 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 22 Mar 2016 18:20:01 +0100
Subject: [PATCH] Fix xsltNumberFormatGetMultipleLevel
Namespace nodes are actually an xmlNs, not an xmlNode. They must be
special-cased in xsltNumberFormatGetMultipleLevel to avoid an
out-of-bounds heap access.
Move the test whether a node matches the "count" pattern to a separate
function to make the code more readable. As a side effect, we also
compare expanded names when walking up the ancestor axis, fixing an
insignificant bug.
---
libxslt/numbers.c | 82 +++++++++++++++++++++++++++--------------------
tests/docs/bug-186.xml | 4 +++
tests/general/bug-186.out | 5 +++
tests/general/bug-186.xsl | 7 ++++
4 files changed, 63 insertions(+), 35 deletions(-)
create mode 100644 tests/docs/bug-186.xml
create mode 100644 tests/general/bug-186.out
create mode 100644 tests/general/bug-186.xsl
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index e3209e0..184ee6f 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -532,6 +532,43 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
}
static int
+xsltTestCompMatchCount(xsltTransformContextPtr context,
+ xmlNodePtr node,
+ xsltCompMatchPtr countPat,
+ xmlNodePtr cur)
+{
+ if (countPat != NULL) {
+ return xsltTestCompMatchList(context, node, countPat);
+ }
+ else {
+ /*
+ * 7.7 Numbering
+ *
+ * If count attribute is not specified, then it defaults to the
+ * pattern that matches any node with the same node type as the
+ * current node and, if the current node has an expanded-name, with
+ * the same expanded-name as the current node.
+ */
+ if (node->type != cur->type)
+ return 0;
+ if (node->type == XML_NAMESPACE_DECL)
+ /*
+ * Namespace nodes have no preceding siblings and no parents
+ * that are namespace nodes. This means that node == cur.
+ */
+ return 1;
+ /* TODO: Skip node types without expanded names like text nodes. */
+ if (!xmlStrEqual(node->name, cur->name))
+ return 0;
+ if (node->ns == cur->ns)
+ return 1;
+ if ((node->ns == NULL) || (cur->ns == NULL))
+ return 0;
+ return (xmlStrEqual(node->ns->href, cur->ns->href));
+ }
+}
+
+static int
xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
xmlNodePtr node,
xsltCompMatchPtr countPat,
@@ -562,21 +599,8 @@ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
while (cur != NULL) {
/* process current node */
- if (countPat == NULL) {
- if ((node->type == cur->type) &&
- /* FIXME: must use expanded-name instead of local name */
- xmlStrEqual(node->name, cur->name)) {
- if ((node->ns == cur->ns) ||
- ((node->ns != NULL) &&
- (cur->ns != NULL) &&
- (xmlStrEqual(node->ns->href,
- cur->ns->href) )))
- cnt++;
- }
- } else {
- if (xsltTestCompMatchList(context, cur, countPat))
- cnt++;
- }
+ if (xsltTestCompMatchCount(context, cur, countPat, node))
+ cnt++;
if ((fromPat != NULL) &&
xsltTestCompMatchList(context, cur, fromPat)) {
break; /* while */
@@ -633,30 +657,18 @@ xsltNumberFormatGetMultipleLevel(xsltTransformContextPtr context,
xsltTestCompMatchList(context, ancestor, fromPat))
break; /* for */
- if ((countPat == NULL && node->type == ancestor->type &&
- xmlStrEqual(node->name, ancestor->name)) ||
- xsltTestCompMatchList(context, ancestor, countPat)) {
+ if (xsltTestCompMatchCount(context, ancestor, countPat, node)) {
/* count(preceding-sibling::*) */
- cnt = 0;
- for (preceding = ancestor;
+ cnt = 1;
+ for (preceding =
+ xmlXPathNextPrecedingSibling(parser, ancestor);
preceding != NULL;
preceding =
xmlXPathNextPrecedingSibling(parser, preceding)) {
- if (countPat == NULL) {
- if ((preceding->type == ancestor->type) &&
- xmlStrEqual(preceding->name, ancestor->name)){
- if ((preceding->ns == ancestor->ns) ||
- ((preceding->ns != NULL) &&
- (ancestor->ns != NULL) &&
- (xmlStrEqual(preceding->ns->href,
- ancestor->ns->href) )))
- cnt++;
- }
- } else {
- if (xsltTestCompMatchList(context, preceding,
- countPat))
- cnt++;
- }
+
+ if (xsltTestCompMatchCount(context, preceding, countPat,
+ node))
+ cnt++;
}
array[amount++] = (double)cnt;
if (amount >= max)
diff --git a/tests/docs/bug-186.xml b/tests/docs/bug-186.xml
new file mode 100644
index 0000000..424db6b
--- /dev/null
+++ b/tests/docs/bug-186.xml
@@ -0,0 +1,4 @@
+<top xmlns:a="AAAA" xmlns:b="BBBB" xmlns:c="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC">
+<foo/>
+<bar/>
+</top>
diff --git a/tests/general/bug-186.out b/tests/general/bug-186.out
new file mode 100644
index 0000000..01a59f8
--- /dev/null
+++ b/tests/general/bug-186.out
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+
+1111
+1111
+
diff --git a/tests/general/bug-186.xsl b/tests/general/bug-186.xsl
new file mode 100644
index 0000000..9c491dd
--- /dev/null
+++ b/tests/general/bug-186.xsl
@@ -0,0 +1,7 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+ <xsl:template match="*/*">
+ <xsl:for-each select="namespace::*">
+ <xsl:number/>
+ </xsl:for-each>
+ </xsl:template>
+</xsl:stylesheet>
--
2.8.1

26
libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch Normal file
View File

@ -0,0 +1,26 @@
From 345e0bfb1c1131155a32dfbdfc8f78d1c602dc40 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 12:50:02 +0200
Subject: [PATCH] Round xsl:number values to nearest integer
This matches XSLT 2.0 behavior.
---
libxslt/numbers.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index 184ee6f..eb087bc 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -440,6 +440,8 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
for (i = 0; i < numbers_max; i++) {
/* Insert number */
number = numbers[(numbers_max - 1) - i];
+ /* Round to nearest like XSLT 2.0 */
+ number = floor(number + 0.5);
if (i < tokens->nTokens) {
/*
* The "n"th format token will be used to format the "n"th
--
2.8.1

51
libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch Normal file
View File

@ -0,0 +1,51 @@
From 69ec3da1b653024aca6515ddd4adc91919dd188e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 12:51:57 +0200
Subject: [PATCH] Handle negative xsl:number values
According to XSLT 2.0, negative values are a non-recoverable dynamic error.
Print an error message and treat negative values as zero.
Fixes an OOB array access in xsltNumberFormatAlpha.
---
libxslt/numbers.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index eb087bc..a3cabcf 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -246,7 +246,7 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
number--;
*(--pointer) = alpha_list[((int)fmod(number, alpha_size))];
number /= alpha_size;
- if (fabs(number) < 1.0)
+ if (number < 1.0)
break; /* for */
}
xmlBufferCCat(buffer, pointer);
@@ -442,6 +442,21 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
number = numbers[(numbers_max - 1) - i];
/* Round to nearest like XSLT 2.0 */
number = floor(number + 0.5);
+ /*
+ * XSLT 1.0 isn't clear on how to handle negative numbers, but XSLT
+ * 2.0 says:
+ *
+ * It is a non-recoverable dynamic error if any undiscarded item
+ * in the atomized sequence supplied as the value of the value
+ * attribute of xsl:number cannot be converted to an integer, or
+ * if the resulting integer is less than 0 (zero).
+ */
+ if (number < 0.0) {
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl-number : negative value\n");
+ /* Recover by treating negative values as zero. */
+ number = 0.0;
+ }
if (i < tokens->nTokens) {
/*
* The "n"th format token will be used to format the "n"th
--
2.8.1

75
libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch Normal file
View File

@ -0,0 +1,75 @@
From 405034286fbdd6166229335b7203a41bf53b40fc Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 13:11:31 +0200
Subject: [PATCH] Lower bound for format token "a"
Handle xsl:number with format "a" and value 0 according to XSLT 2.0.
Fixes an OOB array access in xsltNumberFormatAlpha.
---
libxslt/numbers.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index a3cabcf..af52883 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -227,7 +227,8 @@ xsltNumberFormatDecimal(xmlBufferPtr buffer,
}
static void
-xsltNumberFormatAlpha(xmlBufferPtr buffer,
+xsltNumberFormatAlpha(xsltNumberDataPtr data,
+ xmlBufferPtr buffer,
double number,
int is_upper)
{
@@ -237,6 +238,26 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
char *alpha_list;
double alpha_size = (double)(sizeof(alpha_upper_list) - 1);
+ /*
+ * XSLT 1.0 isn't clear on how to handle zero, but XSLT 2.0 says:
+ *
+ * For all format tokens other than the first kind above (one that
+ * consists of decimal digits), there may be implementation-defined
+ * lower and upper bounds on the range of numbers that can be
+ * formatted using this format token; indeed, for some numbering
+ * sequences there may be intrinsic limits. [...] Numbers that fall
+ * outside this range must be formatted using the format token 1.
+ *
+ * The "a" token has an intrinsic lower limit of 1.
+ */
+ if (number < 1.0) {
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
+ data->digitsPerGroup,
+ data->groupingCharacter,
+ data->groupingCharacterLen);
+ return;
+ }
+
/* Build buffer from back */
pointer = &temp_string[sizeof(temp_string)];
*(--pointer) = 0;
@@ -500,16 +521,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
switch (token->token) {
case 'A':
- xsltNumberFormatAlpha(buffer,
- number,
- TRUE);
-
+ xsltNumberFormatAlpha(data, buffer, number, TRUE);
break;
case 'a':
- xsltNumberFormatAlpha(buffer,
- number,
- FALSE);
-
+ xsltNumberFormatAlpha(data, buffer, number, FALSE);
break;
case 'I':
xsltNumberFormatRoman(buffer,
--
2.8.1

64
libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch Normal file
View File

@ -0,0 +1,64 @@
From 91d0540ac9beaa86719a05b749219a69baa0dd8d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 13:12:28 +0200
Subject: [PATCH] Lower and upper bound for format token "i"
Handle xsl:number with format "i" and value 0 according to XSLT 2.0.
Also introduce an upper bound to fix a denial of service.
---
libxslt/numbers.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index af52883..e769c42 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data,
}
static void
-xsltNumberFormatRoman(xmlBufferPtr buffer,
+xsltNumberFormatRoman(xsltNumberDataPtr data,
+ xmlBufferPtr buffer,
double number,
int is_upper)
{
/*
+ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper
+ * bound to avoid denial of service.
+ */
+ if (number < 1.0 || number > 5000.0) {
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
+ data->digitsPerGroup,
+ data->groupingCharacter,
+ data->groupingCharacterLen);
+ return;
+ }
+
+ /*
* Based on an example by Jim Walsh
*/
while (number >= 1000.0) {
@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
xsltNumberFormatAlpha(data, buffer, number, FALSE);
break;
case 'I':
- xsltNumberFormatRoman(buffer,
- number,
- TRUE);
-
+ xsltNumberFormatRoman(data, buffer, number, TRUE);
break;
case 'i':
- xsltNumberFormatRoman(buffer,
- number,
- FALSE);
-
+ xsltNumberFormatRoman(data, buffer, number, FALSE);
break;
default:
if (IS_DIGIT_ZERO(token->token)) {
--
2.8.1

62
libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch Normal file
View File

@ -0,0 +1,62 @@
From d8862309f08054218b28e2c8f5fb3cb2f650cac7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 20 Apr 2016 14:35:43 +0200
Subject: [PATCH] Fix double free in libexslt hash functions
Thanks to Nicolas Gregoire for the report.
Fixes bug #765271:
https://bugzilla.gnome.org/show_bug.cgi?id=765271
---
libexslt/crypto.c | 15 +++------------
tests/exslt/crypto/hash.1.out | 2 ++
tests/exslt/crypto/hash.1.xml | 5 +++++
3 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/libexslt/crypto.c b/libexslt/crypto.c
index 6aa9dd2..e13db8b 100644
--- a/libexslt/crypto.c
+++ b/libexslt/crypto.c
@@ -499,11 +499,8 @@ exsltCryptoMd4Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_MD4, (const char *) str, str_len,
(char *) hash);
@@ -532,11 +529,8 @@ exsltCryptoMd5Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_MD5, (const char *) str, str_len,
(char *) hash);
@@ -565,11 +559,8 @@ exsltCryptoSha1Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[SHA1_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_SHA1, (const char *) str, str_len,
(char *) hash);
--
2.8.1

33
libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch Normal file
View File

@ -0,0 +1,33 @@
From 5d0c6565bab5b9b7efceb33b626916d22b4101a7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 28 Apr 2016 17:34:27 +0200
Subject: [PATCH] Fix buffer overflow in exsltDateFormat
Long years can overflow a stack-based buffer on 64-bit platforms by
up to four bytes.
Thanks to Nicolas Gregoire for the report.
Fixes bug #765380:
https://bugzilla.gnome.org/show_bug.cgi?id=765380
---
libexslt/date.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexslt/date.c b/libexslt/date.c
index 272c61b..12c9919 100644
--- a/libexslt/date.c
+++ b/libexslt/date.c
@@ -1283,7 +1283,7 @@ exsltDateFormat (const exsltDateValPtr dt)
}
if (dt->type & XS_GYEAR) {
- xmlChar buf[20], *cur = buf;
+ xmlChar buf[100], *cur = buf;
FORMAT_GYEAR(dt->value.date.year, cur);
if (dt->type == XS_GYEARMONTH) {
--
2.8.1

36
libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch Normal file
View File

@ -0,0 +1,36 @@
From 87c3d9ea214fc0503fd8130b6dd97431d69cc066 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 May 2016 15:12:48 +0200
Subject: [PATCH] Fix OOB heap read in xsltExtModuleRegisterDynamic
xsltExtModuleRegisterDynamic would read a byte before the start of a
string under certain circumstances. I looks like this piece code was
supposed to strip characters from the end of the extension name, but
it didn't have any effect. Don't read beyond the beginning of the
string and actually strip unwanted characters.
Found with afl-fuzz and ASan.
---
libxslt/extensions.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libxslt/extensions.c b/libxslt/extensions.c
index 5ad73cb..ae6eef0 100644
--- a/libxslt/extensions.c
+++ b/libxslt/extensions.c
@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI)
i++;
}
- if (*(i - 1) == '_')
+ /* Strip underscores from end of string. */
+ while (i > ext_name && *(i - 1) == '_') {
+ i--;
*i = '\0';
+ }
/* determine module directory */
ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH");
--
2.8.1

31
libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch Normal file
View File

@ -0,0 +1,31 @@
From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.
Found with afl-fuzz and ASan.
---
libxslt/numbers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b4..e78c46b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
}
/* We have finished the integer part, now work on fraction */
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+ if ( (*the_format != 0) &&
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
format_info.add_decimal = TRUE;
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
}
--
2.10.2

74
libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch Normal file
View File

@ -0,0 +1,74 @@
From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 12 Jan 2017 15:39:52 +0100
Subject: [PATCH] Check for integer overflow in xsltAddTextString
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.
Originally reported to Chromium:
https://crbug.com/676623
---
libxslt/transform.c | 25 ++++++++++++++++++++++---
libxslt/xsltInternals.h | 4 ++--
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 519133fc..02bff34a 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
+ int minSize;
- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+ /* Check for integer overflow accounting for NUL terminator. */
+ if (len >= INT_MAX - ctxt->lasttuse) {
+ xsltTransformError(ctxt, NULL, target,
+ "xsltCopyText: text allocation failed\n");
+ return(NULL);
+ }
+ minSize = ctxt->lasttuse + len + 1;
+
+ if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
+ int extra;
+
+ /* Double buffer size but increase by at least 100 bytes. */
+ extra = minSize < 100 ? 100 : minSize;
+
+ /* Check for integer overflow. */
+ if (extra > INT_MAX - ctxt->lasttsize) {
+ size = INT_MAX;
+ }
+ else {
+ size = ctxt->lasttsize + extra;
+ }
- size = ctxt->lasttsize + len + 100;
- size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 060b1783..5ad17719 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
- unsigned int lasttsize; /* last text node size */
- unsigned int lasttuse; /* last text node use */
+ int lasttsize; /* last text node size */
+ int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/
--
2.11.0

10
libs/tiff/Makefile
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2006-2014 OpenWrt.org
# Copyright (C) 2006-2018 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=tiff
PKG_VERSION:=4.0.3
PKG_RELEASE:=4
PKG_VERSION:=4.0.9
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://download.osgeo.org/libtiff
PKG_MD5SUM:=051c1068e6a0627f461948c365290410
PKG_MD5SUM:=54bad211279cc93eb4fca31ba9bfdc79
PKG_FIXUP:=autoreconf
PKG_REMOVE_FILES:=autogen.sh aclocal.m4
@ -31,7 +31,7 @@ include $(INCLUDE_DIR)/package.mk
define Package/tiff/Default
TITLE:=TIFF
URL:=http://www.remotesensing.org/libtiff/
MAINTAINER:=Jiri Slachta <slachta@cesnet.cz>
MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
endef
define Package/libtiff

6
libs/tiff/patches/001-autoconf-compat.patch
View File

@ -9,9 +9,9 @@
ACLOCAL_AMFLAGS = -I m4
docfiles = \
@@ -48,7 +48,7 @@ EXTRA_DIST = \
dist_doc_DATA = $(docfiles)
@@ -61,7 +61,7 @@ distcheck-hook:
rm -rf $(distdir)/_build/cmake
rm -rf $(distdir)/_inst/cmake
-SUBDIRS = port libtiff tools build contrib test man html
+SUBDIRS = port libtiff tools build contrib

11
libs/tiff/patches/005-fix-ftell-macro.patch Normal file
View File

@ -0,0 +1,11 @@
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -287,7 +287,7 @@ struct tiff {
*/
#if defined(HAVE_FSEEKO)
# define fseek(stream,offset,whence) fseeko(stream,offset,whence)
-# define ftell(stream,offset,whence) ftello(stream,offset,whence)
+# define ftell(stream) ftello(stream)
#endif
#endif
#if defined(__WIN32__) && \

31
libs/tiff/patches/010-CVE-2012-4564.patch
View File

@ -1,31 +0,0 @@
Index: tiff-4.0.3/tools/ppm2tiff.c
===================================================================
--- tiff-4.0.3.orig/tools/ppm2tiff.c 2013-06-23 10:36:50.779629492 -0400
+++ tiff-4.0.3/tools/ppm2tiff.c 2013-06-23 10:36:50.775629494 -0400
@@ -89,6 +89,7 @@
int c;
extern int optind;
extern char* optarg;
+ tmsize_t scanline_size;
if (argc < 2) {
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
@@ -237,8 +238,16 @@
}
if (TIFFScanlineSize(out) > linebytes)
buf = (unsigned char *)_TIFFmalloc(linebytes);
- else
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ else {
+ scanline_size = TIFFScanlineSize(out);
+ if (scanline_size != 0)
+ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ else {
+ fprintf(stderr, "%s: scanline size overflow\n",infile);
+ (void) TIFFClose(out);
+ exit(-2);
+ }
+ }
if (resolution > 0) {
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);

146
libs/tiff/patches/011-CVE-2013-1960.patch
View File

@ -1,146 +0,0 @@
Index: tiff-4.0.3/tools/tiff2pdf.c
===================================================================
--- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:50.979629486 -0400
+++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:50.975629486 -0400
@@ -3341,33 +3341,56 @@
uint32 height){
tsize_t i=0;
- uint16 ri =0;
- uint16 v_samp=1;
- uint16 h_samp=1;
- int j=0;
-
- i++;
-
- while(i<(*striplength)){
+
+ while (i < *striplength) {
+ tsize_t datalen;
+ uint16 ri;
+ uint16 v_samp;
+ uint16 h_samp;
+ int j;
+ int ncomp;
+
+ /* marker header: one or more FFs */
+ if (strip[i] != 0xff)
+ return(0);
+ i++;
+ while (i < *striplength && strip[i] == 0xff)
+ i++;
+ if (i >= *striplength)
+ return(0);
+ /* SOI is the only pre-SOS marker without a length word */
+ if (strip[i] == 0xd8)
+ datalen = 0;
+ else {
+ if ((*striplength - i) <= 2)
+ return(0);
+ datalen = (strip[i+1] << 8) | strip[i+2];
+ if (datalen < 2 || datalen >= (*striplength - i))
+ return(0);
+ }
switch( strip[i] ){
- case 0xd8:
- /* SOI - start of image */
+ case 0xd8: /* SOI - start of image */
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
*bufferoffset+=2;
- i+=2;
break;
- case 0xc0:
- case 0xc1:
- case 0xc3:
- case 0xc9:
- case 0xca:
+ case 0xc0: /* SOF0 */
+ case 0xc1: /* SOF1 */
+ case 0xc3: /* SOF3 */
+ case 0xc9: /* SOF9 */
+ case 0xca: /* SOF10 */
if(no==0){
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- for(j=0;j<buffer[*bufferoffset+9];j++){
- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ ncomp = buffer[*bufferoffset+9];
+ if (ncomp < 1 || ncomp > 4)
+ return(0);
+ v_samp=1;
+ h_samp=1;
+ for(j=0;j<ncomp;j++){
+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
+ if( (samp>>4) > h_samp)
+ h_samp = (samp>>4);
+ if( (samp & 0x0f) > v_samp)
+ v_samp = (samp & 0x0f);
}
v_samp*=8;
h_samp*=8;
@@ -3381,45 +3404,43 @@
(unsigned char) ((height>>8) & 0xff);
buffer[*bufferoffset+6]=
(unsigned char) (height & 0xff);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
-
+ *bufferoffset+=datalen+2;
+ /* insert a DRI marker */
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=0xdd;
buffer[(*bufferoffset)++]=0x00;
buffer[(*bufferoffset)++]=0x04;
buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
buffer[(*bufferoffset)++]= ri & 0xff;
- } else {
- i+=strip[i+2]+2;
}
break;
- case 0xc4:
- case 0xdb:
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
+ case 0xc4: /* DHT */
+ case 0xdb: /* DQT */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
break;
- case 0xda:
+ case 0xda: /* SOS */
if(no==0){
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
} else {
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=
(unsigned char)(0xd0 | ((no-1)%8));
- i+=strip[i+2]+2;
}
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
- *bufferoffset+=(*striplength)-i-1;
+ i += datalen + 1;
+ /* copy remainder of strip */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+ *bufferoffset+= *striplength - i;
return(1);
default:
- i+=strip[i+2]+2;
+ /* ignore any other marker */
+ break;
}
+ i += datalen + 1;
}
-
+ /* failed to find SOS marker */
return(0);
}
#endif

768
libs/tiff/patches/012-CVE-2013-1961.patch
View File

@ -1,768 +0,0 @@
Index: tiff-4.0.3/contrib/dbs/xtiff/xtiff.c
===================================================================
--- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.147629484 -0400
@@ -512,9 +512,9 @@
Arg args[1];
if (tfMultiPage)
- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
else
- strcpy(buffer, fileName);
+ snprintf(buffer, sizeof(buffer), "%s", fileName);
XtSetArg(args[0], XtNlabel, buffer);
XtSetValues(labelWidget, args, 1);
}
Index: tiff-4.0.3/libtiff/tif_dirinfo.c
===================================================================
--- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.147629484 -0400
@@ -711,7 +711,7 @@
* note that this name is a special sign to TIFFClose() and
* _TIFFSetupFields() to free the field
*/
- sprintf(fld->field_name, "Tag %d", (int) tag);
+ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
return fld;
}
Index: tiff-4.0.3/libtiff/tif_codec.c
===================================================================
--- tiff-4.0.3.orig/libtiff/tif_codec.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/libtiff/tif_codec.c 2013-06-23 10:36:51.151629482 -0400
@@ -108,7 +108,8 @@
const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
char compression_code[20];
- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
+ snprintf(compression_code, sizeof(compression_code), "%d",
+ tif->tif_dir.td_compression );
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"%s compression support is not configured",
c ? c->name : compression_code );
Index: tiff-4.0.3/tools/tiffdither.c
===================================================================
--- tiff-4.0.3.orig/tools/tiffdither.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/tools/tiffdither.c 2013-06-23 10:36:51.151629482 -0400
@@ -260,7 +260,7 @@
TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
else
CopyField(TIFFTAG_FILLORDER, shortv);
- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
CopyField(TIFFTAG_PHOTOMETRIC, shortv);
CopyField(TIFFTAG_ORIENTATION, shortv);
Index: tiff-4.0.3/tools/rgb2ycbcr.c
===================================================================
--- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-06-23 10:36:51.151629482 -0400
@@ -332,7 +332,8 @@
TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
{ char buf[2048];
char *cp = strrchr(TIFFFileName(in), '/');
- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
+ cp ? cp+1 : TIFFFileName(in));
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
}
TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
Index: tiff-4.0.3/tools/tiff2pdf.c
===================================================================
--- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:51.151629482 -0400
@@ -3630,7 +3630,9 @@
char buffer[16];
int buflen=0;
- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff);
+ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
+ t2p->pdf_majorversion&0xff,
+ t2p->pdf_minorversion&0xff);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
@@ -3644,10 +3646,10 @@
tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
- buflen=sprintf(buffer, "%lu", (unsigned long)number);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
written += t2pWriteFile(output, (tdata_t) buffer, buflen );
written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
@@ -3686,13 +3688,13 @@
written += t2pWriteFile(output, (tdata_t) "/", 1);
for (i=0;i<namelen;i++){
if ( ((unsigned char)name[i]) < 0x21){
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
nextchar=1;
}
if ( ((unsigned char)name[i]) > 0x7E){
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
nextchar=1;
@@ -3700,57 +3702,57 @@
if (nextchar==0){
switch (name[i]){
case 0x23:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x25:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x28:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x29:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x2F:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x3C:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x3E:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x5B:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x5D:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x7B:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
case 0x7D:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
buffer[sizeof(buffer) - 1] = '\0';
written += t2pWriteFile(output, (tdata_t) buffer, 3);
break;
@@ -3865,14 +3867,14 @@
tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "/Length ", 8);
if(len!=0){
written += t2p_write_pdf_stream_length(len, output);
} else {
- buflen=sprintf(buffer, "%lu", (unsigned long)number);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
}
@@ -3913,10 +3915,10 @@
tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
- buflen=sprintf(buffer, "%lu", (unsigned long)len);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n", 1);
@@ -3930,7 +3932,7 @@
tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output)
{
tsize_t written = 0;
- char buffer[16];
+ char buffer[32];
int buflen = 0;
written += t2pWriteFile(output,
@@ -3969,7 +3971,6 @@
written += t2p_write_pdf_string(t2p->pdf_datetime, output);
}
written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11);
- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer));
snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION);
written += t2p_write_pdf_string(buffer, output);
written += t2pWriteFile(output, (tdata_t) "\n", 1);
@@ -4110,7 +4111,7 @@
{
tsize_t written=0;
tdir_t i=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
int page=0;
@@ -4118,7 +4119,7 @@
(tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26);
page = t2p->pdf_pages+1;
for (i=0;i<t2p->tiff_pagecount;i++){
- buflen=sprintf(buffer, "%d", page);
+ buflen=snprintf(buffer, sizeof(buffer), "%d", page);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
if ( ((i+1)%8)==0 ) {
@@ -4133,8 +4134,7 @@
}
}
written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount);
+ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
@@ -4149,28 +4149,28 @@
unsigned int i=0;
tsize_t written=0;
- char buffer[16];
+ char buffer[256];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "] \n", 3);
written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1));
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
@@ -4178,15 +4178,13 @@
written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
written += t2pWriteFile(output, (tdata_t) "/Im", 3);
- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "_", 1);
- buflen = sprintf(buffer, "%u", i+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4198,12 +4196,10 @@
} else {
written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
written += t2pWriteFile(output, (tdata_t) "/Im", 3);
- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4212,9 +4208,7 @@
if(t2p->tiff_transferfunctioncount != 0) {
written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13);
t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object + 3));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4587,7 +4581,7 @@
if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){
for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){
box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box;
- buflen=sprintf(buffer,
+ buflen=snprintf(buffer, sizeof(buffer),
"q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n",
t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
box.mat[0],
@@ -4602,7 +4596,7 @@
}
} else {
box=t2p->pdf_imagebox;
- buflen=sprintf(buffer,
+ buflen=snprintf(buffer, sizeof(buffer),
"q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n",
t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
box.mat[0],
@@ -4627,59 +4621,48 @@
TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output);
written += t2pWriteFile(output,
(tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im",
42);
- buflen=sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
if(tile != 0){
written += t2pWriteFile(output, (tdata_t) "_", 1);
- buflen=sprintf(buffer, "%lu", (unsigned long)tile);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
if(tile==0){
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width);
} else {
if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
} else {
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
}
}
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
if(tile==0){
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length);
} else {
if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
} else {
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
}
}
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
written += t2p_write_pdf_xobject_cs(t2p, output);
@@ -4723,11 +4706,10 @@
t2p->pdf_colorspace ^= T2P_CS_PALETTE;
written += t2p_write_pdf_xobject_cs(t2p, output);
t2p->pdf_colorspace |= T2P_CS_PALETTE;
- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
+ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs );
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs );
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
return(written);
@@ -4761,10 +4743,10 @@
X_W /= Y_W;
Z_W /= Y_W;
Y_W = 1.0F;
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
- buflen=sprintf(buffer, "[%d %d %d %d] \n",
+ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n",
t2p->pdf_labrange[0],
t2p->pdf_labrange[1],
t2p->pdf_labrange[2],
@@ -4780,26 +4762,26 @@
tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25);
if(t2p->tiff_transferfunctioncount == 1){
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
} else {
written += t2pWriteFile(output, (tdata_t) "[ ", 2);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 2));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 3));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4821,7 +4803,7 @@
written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17);
written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
- buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
+ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
@@ -4848,7 +4830,7 @@
tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[128];
+ char buffer[256];
int buflen=0;
float X_W=0.0;
@@ -4916,16 +4898,16 @@
written += t2pWriteFile(output, (tdata_t) "<< \n", 4);
if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
}
if(t2p->pdf_colorspace & T2P_CS_CALRGB){
written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
X_R, Y_R, Z_R,
X_G, Y_G, Z_G,
X_B, Y_B, Z_B);
@@ -4944,11 +4926,11 @@
tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
@@ -4958,11 +4940,11 @@
tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
written += t2pWriteFile(output, (tdata_t) "/N ", 3);
- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel);
+ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
@@ -5027,7 +5009,7 @@
tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[16];
+ char buffer[32];
int buflen=0;
if(t2p->pdf_compression==T2P_COMPRESS_NONE){
@@ -5042,41 +5024,33 @@
written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9);
if(tile==0){
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_width);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_length);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
@@ -5103,21 +5077,17 @@
if(t2p->pdf_compressionquality%100){
written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
- _TIFFmemset(buffer, 0x00, 16);
- buflen = sprintf(buffer, "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_width);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
}
@@ -5137,16 +5107,16 @@
tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){
tsize_t written=0;
- char buffer[21];
+ char buffer[64];
int buflen=0;
uint32 i=0;
written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
for (i=0;i<t2p->pdf_xrefcount;i++){
- sprintf(buffer, "%.10lu 00000 n \n",
+ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n",
(unsigned long)t2p->pdf_xrefoffsets[i]);
written += t2pWriteFile(output, (tdata_t) buffer, 20);
}
@@ -5170,17 +5140,14 @@
snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand());
written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
+ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
sizeof(t2p->pdf_fileid) - 1);
@@ -5188,9 +5155,8 @@
written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
sizeof(t2p->pdf_fileid) - 1);
written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
return(written);
Index: tiff-4.0.3/tools/tiff2ps.c
===================================================================
--- tiff-4.0.3.orig/tools/tiff2ps.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/tools/tiff2ps.c 2013-06-23 10:36:51.155629481 -0400
@@ -1781,8 +1781,8 @@
imageOp = "imagemask";
(void)strcpy(im_x, "0");
- (void)sprintf(im_y, "%lu", (long) h);
- (void)sprintf(im_h, "%lu", (long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
+ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
tile_width = w;
tile_height = h;
if (TIFFIsTiled(tif)) {
@@ -1803,7 +1803,7 @@
}
if (tile_height < h) {
fputs("/im_y 0 def\n", fd);
- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
}
} else {
repeat_count = tf_numberstrips;
@@ -1815,7 +1815,7 @@
fprintf(fd, "/im_h %lu def\n",
(unsigned long) tile_height);
(void)strcpy(im_h, "im_h");
- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
}
}
Index: tiff-4.0.3/tools/tiffcrop.c
===================================================================
--- tiff-4.0.3.orig/tools/tiffcrop.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/tools/tiffcrop.c 2013-06-23 10:36:51.159629481 -0400
@@ -2077,7 +2077,7 @@
return 1;
}
- sprintf (filenum, "-%03d%s", findex, export_ext);
+ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
filenum[14] = '\0';
strncat (exportname, filenum, 15);
}
@@ -2230,8 +2230,8 @@
/* dump.infilename is guaranteed to be NUL termimated and have 20 bytes
fewer than PATH_MAX */
- memset (temp_filename, '\0', PATH_MAX + 1);
- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
+ dump.infilename, dump_images,
(dump.format == DUMP_TEXT) ? "txt" : "raw");
if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
{
@@ -2249,8 +2249,8 @@
/* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes
fewer than PATH_MAX */
- memset (temp_filename, '\0', PATH_MAX + 1);
- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
+ dump.outfilename, dump_images,
(dump.format == DUMP_TEXT) ? "txt" : "raw");
if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
{
Index: tiff-4.0.3/tools/tiff2bw.c
===================================================================
--- tiff-4.0.3.orig/tools/tiff2bw.c 2013-06-23 10:36:51.163629483 -0400
+++ tiff-4.0.3/tools/tiff2bw.c 2013-06-23 10:36:51.159629481 -0400
@@ -205,7 +205,7 @@
}
}
TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
- sprintf(thing, "B&W version of %s", argv[optind]);
+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));

17
libs/tiff/patches/013-CVE-2013-4231.patch
View File

@ -1,17 +0,0 @@
Description: Buffer overflow in gif2tiff
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450
Bug-Debian: http://bugs.debian.org/719303
Index: tiff-4.0.3/tools/gif2tiff.c
===================================================================
--- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-22 11:46:11.960846910 -0400
+++ tiff-4.0.3/tools/gif2tiff.c 2013-08-22 11:46:11.956846910 -0400
@@ -333,6 +333,8 @@
int status = 1;
datasize = getc(infile);
+ if (datasize > 12)
+ return 0;
clear = 1 << datasize;
eoi = clear + 1;
avail = clear + 2;

18
libs/tiff/patches/014-CVE-2013-4232.patch
View File

@ -1,18 +0,0 @@
Description: use after free in tiff2pdf
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449
Bug-Debian: http://bugs.debian.org/719303
Index: tiff-4.0.3/tools/tiff2pdf.c
===================================================================
--- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400
+++ tiff-4.0.3/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400
@@ -2461,7 +2461,8 @@
(unsigned long) t2p->tiff_datasize,
TIFFFileName(input));
t2p->t2p_error = T2P_ERR_ERROR;
- _TIFFfree(buffer);
+ _TIFFfree(buffer);
+ return(0);
} else {
buffer=samplebuffer;
t2p->tiff_datasize *= t2p->tiff_samplesperpixel;

18
libs/tiff/patches/015-CVE-2013-4244.patch
View File

@ -1,18 +0,0 @@
Description: OOB write in gif2tiff
Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468
Index: tiff-4.0.3/tools/gif2tiff.c
===================================================================
--- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400
+++ tiff-4.0.3/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400
@@ -400,6 +400,10 @@
}
if (oldcode == -1) {
+ if (code >= clear) {
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
*(*fill)++ = suffix[code];
firstchar = oldcode = code;
return 1;

37
libs/tiff/patches/016-CVE-2013-4243.patch
View File

@ -1,37 +0,0 @@
Index: tiff/tools/gif2tiff.c
===================================================================
--- tiff.orig/tools/gif2tiff.c
+++ tiff/tools/gif2tiff.c
@@ -280,6 +280,10 @@ readgifimage(char* mode)
fprintf(stderr, "no colormap present for image\n");
return (0);
}
+ if (width == 0 || height == 0) {
+ fprintf(stderr, "Invalid value of width or height\n");
+ return(0);
+ }
if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
fprintf(stderr, "not enough memory for image\n");
return (0);
@@ -404,6 +408,10 @@ process(register int code, unsigned char
fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
return 0;
}
+ if (*fill >= raster + width*height) {
+ fprintf(stderr, "raster full before eoi code\n");
+ return 0;
+ }
*(*fill)++ = suffix[code];
firstchar = oldcode = code;
return 1;
@@ -434,6 +442,10 @@ process(register int code, unsigned char
}
oldcode = incode;
do {
+ if (*fill >= raster + width*height) {
+ fprintf(stderr, "raster full before eoi code\n");
+ return 0;
+ }
*(*fill)++ = *--stackp;
} while (stackp > stack);
return 1;

45
libs/tiff/patches/017-CVE-2014-9330.patch
View File

@ -1,45 +0,0 @@
Description: CVE-2014-9330
Integer overflow in bmp2tiff
Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
Bug-Debian: http://bugs.debian.org/773987
Index: tiff/tools/bmp2tiff.c
===================================================================
--- tiff.orig/tools/bmp2tiff.c
+++ tiff/tools/bmp2tiff.c
@@ -1,4 +1,4 @@
-/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
+/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
*
* Project: libtiff tools
* Purpose: Convert Windows BMP files in TIFF.
@@ -403,6 +403,13 @@ main(int argc, char* argv[])
width = info_hdr.iWidth;
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
+ if( width <= 0 || length <= 0 )
+ {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
switch (info_hdr.iBitCount)
{
@@ -593,6 +600,14 @@ main(int argc, char* argv[])
compr_size = file_hdr.iSize - file_hdr.iOffBits;
uncompr_size = width * length;
+ /* Detect int overflow */
+ if( uncompr_size / width != length )
+ {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
if (!comprbuf) {
TIFFError(infilename,

34
libs/tiff/patches/019-CVE-2017-18013.patch Normal file
View File

@ -0,0 +1,34 @@
From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 31 Dec 2017 15:09:41 +0100
Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770
---
libtiff/tif_print.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 9959d35..8deceb2 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
(unsigned long) s,
- (unsigned __int64) td->td_stripoffset[s],
- (unsigned __int64) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
#else
fprintf(fd, " %3lu: [%8llu, %8llu]\n",
(unsigned long) s,
- (unsigned long long) td->td_stripoffset[s],
- (unsigned long long) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
#endif
}
}
--
libgit2 0.26.0

117
libs/tiff/patches/020-CVE-2017-9935.patch Normal file
View File

@ -0,0 +1,117 @@
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 2ccaf44..cbf2b69 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
*va_arg(ap, uint16**) = td->td_transferfunction[1];
*va_arg(ap, uint16**) = td->td_transferfunction[2];
+ } else {
+ *va_arg(ap, uint16**) = NULL;
+ *va_arg(ap, uint16**) = NULL;
}
break;
case TIFFTAG_REFERENCEBLACKWHITE:
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index d1a9b09..484776c 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -237,7 +237,7 @@ typedef struct {
float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2];
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */
uint16 tiff_transferfunctioncount;
@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0;
uint16 paged=0;
uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+ uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
}
#endif
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
- &(t2p->tiff_transferfunction[0]),
- &(t2p->tiff_transferfunction[1]),
- &(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
- t2p->tiff_transferfunctioncount = 3;
- t2p->tiff_pages[i].page_extra += 4;
- t2p->pdf_xrefcount += 4;
- } else {
- t2p->tiff_transferfunctioncount = 1;
- t2p->tiff_pages[i].page_extra += 2;
- t2p->pdf_xrefcount += 2;
- }
- if(t2p->pdf_minorversion < 2)
- t2p->pdf_minorversion = 2;
+ &(tiff_transferfunction[0]),
+ &(tiff_transferfunction[1]),
+ &(tiff_transferfunction[2]))) {
+
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
+ (tiff_transferfunction[2] != (uint16*) NULL)
+ ) {
+ tiff_transferfunctioncount=3;
+ } else {
+ tiff_transferfunctioncount=1;
+ }
} else {
- t2p->tiff_transferfunctioncount=0;
+ tiff_transferfunctioncount=0;
}
+
+ if (i > 0){
+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Different transfer function on page %d",
+ i);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ }
+
+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
+ if(tiff_transferfunctioncount == 3){
+ t2p->tiff_pages[i].page_extra += 4;
+ t2p->pdf_xrefcount += 4;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ } else if (tiff_transferfunctioncount == 1){
+ t2p->tiff_pages[i].page_extra += 2;
+ t2p->pdf_xrefcount += 2;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ }
+
if( TIFFGetField(
input,
TIFFTAG_ICCPROFILE,
@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
+ ) {
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;