From f84cc525d63fcc9c8860c0a584663b589408e8d3 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Tue, 30 Jan 2018 15:25:23 +0100 Subject: [PATCH 1/3] libssh2: revision bump to fix CVE-2016-0787 - adds patch copied from Debian to address CVE - fixes zlib detection - changes http to https links - updates maintainer's mail address Signed-off-by: Sebastian Kemper --- libs/libssh2/Makefile | 13 ++++++----- libs/libssh2/patches/0004-CVE-2016-0787.patch | 22 +++++++++++++++++++ 2 files changed, 29 insertions(+), 6 deletions(-) create mode 100644 libs/libssh2/patches/0004-CVE-2016-0787.patch diff --git a/libs/libssh2/Makefile b/libs/libssh2/Makefile index 7951f63efa..5670d22793 100644 --- a/libs/libssh2/Makefile +++ b/libs/libssh2/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2015 OpenWrt.org +# Copyright (C) 2015 - 2018 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libssh2 PKG_VERSION:=1.6.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=http://www.libssh2.org/download +PKG_SOURCE_URL:=https://www.libssh2.org/download PKG_MD5SUM:=00aabd6e714a5f42a4fb82ace20db1dd PKG_INSTALL:=1 @@ -26,9 +26,9 @@ define Package/libssh2 SECTION:=libs CATEGORY:=Libraries TITLE:=SSH2 library - URL:=http://www.libssh2.org/ + URL:=https://www.libssh2.org/ DEPENDS:=+libopenssl +zlib - MAINTAINER:=Jiri Slachta + MAINTAINER:=Jiri Slachta endef define Package/libssh2/description @@ -39,7 +39,8 @@ TARGET_CFLAGS += $(FPIC) CONFIGURE_ARGS += \ --disable-examples-build \ - --with-libssl-prefix=$(STAGING_DIR)/usr + --with-libssl-prefix=$(STAGING_DIR)/usr \ + --with-libz-prefix=$(STAGING_DIR)/usr define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include diff --git a/libs/libssh2/patches/0004-CVE-2016-0787.patch b/libs/libssh2/patches/0004-CVE-2016-0787.patch new file mode 100644 index 0000000000..ffcc7fc036 --- /dev/null +++ b/libs/libssh2/patches/0004-CVE-2016-0787.patch @@ -0,0 +1,22 @@ +Description: CVE-2016-0787: Truncated Difffie-Hellman secret length + Convert bytes to bits in diffie_hellman_sha1. Otherwise we get far too + small numbers. +Origin: backport, http://www.libssh2.org/CVE-2016-0787.patch +Forwarded: not-needed +Author: Daniel Stenberg +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2016-02-18 +Applied-Upstream: 1.7.0 +--- + +--- a/src/kex.c ++++ b/src/kex.c +@@ -103,7 +103,7 @@ static int diffie_hellman_sha1(LIBSSH2_S + memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t)); + + /* Generate x and e */ +- _libssh2_bn_rand(exchange_state->x, group_order, 0, -1); ++ _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1); + _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p, + exchange_state->ctx); + From 7d2337a17f4a1b765a49d1f0d930b889d5a8a414 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Tue, 30 Jan 2018 15:28:33 +0100 Subject: [PATCH 2/3] libxslt: revision bump to address open CVEs - Add patches copied from Debian to address open CVEs - Update mail address of maintainer - Fix a typo - Add --disable-silent-rules for verbose build output Signed-off-by: Sebastian Kemper --- libs/libxslt/Makefile | 9 +- ...places-where-f-printf-parameters-wer.patch | 48 +++++ ...o-random-number-generator-with-curre.patch | 56 ++++++ ...function-str-replace-is-broken-as-is.patch | 38 ++++ ...xlocale-test-program-in-configure.in.patch | 43 +++++ ...onfusion-in-preprocessing-attributes.patch | 29 +++ ...-initialize-EXSLT-month-and-day-to-1.patch | 62 +++++++ ...ee-in-xsltDocumentFunctionLoadDocume.patch | 105 +++++++++++ ...Fix-xsltNumberFormatGetMultipleLevel.patch | 171 ++++++++++++++++++ ...xsl-number-values-to-nearest-integer.patch | 26 +++ ...14-Handle-negative-xsl-number-values.patch | 51 ++++++ .../0015-Lower-bound-for-format-token-a.patch | 75 ++++++++ ...r-and-upper-bound-for-format-token-i.patch | 64 +++++++ ...uble-free-in-libexslt-hash-functions.patch | 62 +++++++ ...x-buffer-overflow-in-exsltDateFormat.patch | 33 ++++ ...read-in-xsltExtModuleRegisterDynamic.patch | 36 ++++ ...erread-in-xsltFormatNumberConversion.patch | 31 ++++ ...nteger-overflow-in-xsltAddTextString.patch | 74 ++++++++ 18 files changed, 1009 insertions(+), 4 deletions(-) create mode 100644 libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch create mode 100644 libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch create mode 100644 libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch create mode 100644 libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch create mode 100644 libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch create mode 100644 libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch create mode 100644 libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch create mode 100644 libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch create mode 100644 libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch create mode 100644 libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch create mode 100644 libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch create mode 100644 libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch create mode 100644 libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch create mode 100644 libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch create mode 100644 libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch create mode 100644 libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch create mode 100644 libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch diff --git a/libs/libxslt/Makefile b/libs/libxslt/Makefile index df80b65b0a..2d867c182d 100644 --- a/libs/libxslt/Makefile +++ b/libs/libxslt/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2014 OpenWrt.org +# Copyright (C) 2014 - 2018 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libxslt PKG_VERSION:=1.1.28 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ @@ -20,7 +20,7 @@ PKG_MD5SUM:=9667bf6f9310b957254fdcf6596600b7 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=COPYING -PKG_MAINTAINER:=Jiri Slachta +PKG_MAINTAINER:=Jiri Slachta PKG_FIXUP:=autoreconf PKG_INSTALL:=1 @@ -43,7 +43,7 @@ define Package/libexslt SECTION:=libs CATEGORY:=Libraries DEPENDS:=+libxslt - TITLE:=Gnome XSLT library Extention + TITLE:=Gnome XSLT library Extension URL:=http://xmlsoft.org/XSLT/EXSLT/ endef @@ -64,6 +64,7 @@ define Package/xsltproc/description endef CONFIGURE_ARGS+= \ + --disable-silent-rules \ --enable-shared \ --enable-static \ --without-python \ diff --git a/libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch b/libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch new file mode 100644 index 0000000000..2313388358 --- /dev/null +++ b/libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch @@ -0,0 +1,48 @@ +From: Daniel Veillard +Date: Wed, 30 Jan 2013 16:31:37 +0000 +Subject: Fix a couple of places where (f)printf parameters were broken + +As reported by Thomas Jarosch +--- + python/libxslt.c | 10 +++++----- + xsltproc/xsltproc.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/python/libxslt.c b/python/libxslt.c +index 6a4f1c3..8dd6c78 100644 +--- a/python/libxslt.c ++++ b/python/libxslt.c +@@ -356,15 +356,15 @@ libxslt_xsltRegisterExtModuleElement(PyObject *self ATTRIBUTE_UNUSED, + PyObject *pyobj_element_f; + PyObject *pyobj_precomp_f; + +-#ifdef DEBUG_EXTENSIONS +- printf("libxslt_xsltRegisterExtModuleElement called\n", +- name, ns_uri); +-#endif +- + if (!PyArg_ParseTuple(args, (char *)"szOO:registerExtModuleElement", + &name, &ns_uri, &pyobj_precomp_f, &pyobj_element_f)) + return(NULL); + ++#ifdef DEBUG_EXTENSIONS ++ printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n", ++ name, ns_uri); ++#endif ++ + if ((name == NULL) || (pyobj_element_f == NULL) || (pyobj_precomp_f == NULL)) { + py_retval = libxml_intWrap(-1); + return(py_retval); +diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c +index 9ec4b76..33beddf 100644 +--- a/xsltproc/xsltproc.c ++++ b/xsltproc/xsltproc.c +@@ -319,7 +319,7 @@ static void endTimer(char *format, ...) + va_start(ap, format); + vfprintf(stderr,format,ap); + va_end(ap); +- fprintf(stderr, " was not timed\n", msec); ++ fprintf(stderr, " was not timed\n"); + #else + /* We don't have gettimeofday, time or stdarg.h, what crazy world is + * this ?! diff --git a/libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch b/libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch new file mode 100644 index 0000000000..2d38ba23a3 --- /dev/null +++ b/libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch @@ -0,0 +1,56 @@ +From: Nils Werner +Date: Thu, 24 Jan 2013 18:44:03 +0000 +Subject: Initialize pseudo random number generator with current time or + optional command line parameter + +--- + xsltproc/xsltproc.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c +index 33beddf..7d1fe61 100644 +--- a/xsltproc/xsltproc.c ++++ b/xsltproc/xsltproc.c +@@ -514,6 +514,7 @@ static void usage(const char *name) { + printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth); + printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars); + printf("\t--maxparserdepth val : increase the maximum parser depth\n"); ++ printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n"); + #ifdef LIBXML_HTML_ENABLED + printf("\t--html: the input document is(are) an HTML file(s)\n"); + #endif +@@ -556,6 +557,7 @@ main(int argc, char **argv) + return (1); + } + ++ srand(time(NULL)); + xmlInitMemory(); + + LIBXML_TEST_VERSION +@@ -750,6 +752,15 @@ main(int argc, char **argv) + if (value > 0) + xmlParserMaxDepth = value; + } ++ } else if ((!strcmp(argv[i], "-seed-rand")) || ++ (!strcmp(argv[i], "--seed-rand"))) { ++ int value; ++ ++ i++; ++ if (sscanf(argv[i], "%d", &value) == 1) { ++ if (value > 0) ++ srand(value); ++ } + } else if ((!strcmp(argv[i],"-dumpextensions"))|| + (!strcmp(argv[i],"--dumpextensions"))) { + dumpextensions++; +@@ -786,6 +797,10 @@ main(int argc, char **argv) + (!strcmp(argv[i], "--maxparserdepth"))) { + i++; + continue; ++ } else if ((!strcmp(argv[i], "-seed-rand")) || ++ (!strcmp(argv[i], "--seed-rand"))) { ++ i++; ++ continue; + } else if ((!strcmp(argv[i], "-o")) || + (!strcmp(argv[i], "-output")) || + (!strcmp(argv[i], "--output"))) { diff --git a/libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch b/libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch new file mode 100644 index 0000000000..6bb238d3ab --- /dev/null +++ b/libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch @@ -0,0 +1,38 @@ +From: Nick Wellnhofer +Date: Mon, 1 Jul 2013 13:10:10 +0000 +Subject: EXSLT function str:replace() is broken as-is + +the str:replace() function is no longer usable without a transform +context. I take it from the bug report that it is not supposed to be used +from plain XPath but only from XSLT according to the EXSLT specification. + +However, the previous implementation used to work in XPath and is still +registered on an xmlXPathContext by the exsltStrXpathCtxtRegister() +function. When called from plain XPath, it results in a memory error in +line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT() +returns NULL as an error indicator due to a NULL transform context being +passed in, which was the return value from xsltXPathGetTransformContext() a +bit further up (and the code doesn't validate that). + +Since fixing the function looks impossible, best is to remove it. +--- + libexslt/strings.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/libexslt/strings.c b/libexslt/strings.c +index 045cc14..c0c7a18 100644 +--- a/libexslt/strings.c ++++ b/libexslt/strings.c +@@ -838,11 +838,7 @@ exsltStrXpathCtxtRegister (xmlXPathContextPtr ctxt, const xmlChar *prefix) + && !xmlXPathRegisterFuncNS(ctxt, + (const xmlChar *) "concat", + (const xmlChar *) EXSLT_STRINGS_NAMESPACE, +- exsltStrConcatFunction) +- && !xmlXPathRegisterFuncNS(ctxt, +- (const xmlChar *) "replace", +- (const xmlChar *) EXSLT_STRINGS_NAMESPACE, +- exsltStrReplaceFunction)) { ++ exsltStrConcatFunction)) { + return 0; + } + return -1; diff --git a/libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch b/libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch new file mode 100644 index 0000000000..f6ba74cb68 --- /dev/null +++ b/libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch @@ -0,0 +1,43 @@ +From: Nick Wellnhofer +Date: Tue, 30 Jul 2013 11:57:28 +0000 +Subject: Fix quoting of xlocale test program in configure.in + +Double square brackets aren't needed anymore, probably due to the +changes in commit a2cd8a03. +--- + configure.in | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/configure.in b/configure.in +index 767e980..ac004fe 100644 +--- a/configure.in ++++ b/configure.in +@@ -196,21 +196,21 @@ typedef locale_t xsltLocale; + #endif + ]],[[ + xsltLocale locale; +- const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" }; +- char *dst[[2]]; ++ const char *src[2] = { "\xc3\x84rger", "Zeppelin" }; ++ char *dst[2]; + size_t len, r; + int i; + + locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL); + if (locale == NULL) exit(1); + for (i=0; i<2; ++i) { +- len = strxfrm_l(NULL, src[[i]], 0, locale) + 1; +- dst[[i]] = malloc(len); +- if(dst[[i]] == NULL) exit(1); +- r = strxfrm_l(dst[[i]], src[[i]], len, locale); ++ len = strxfrm_l(NULL, src[i], 0, locale) + 1; ++ dst[i] = malloc(len); ++ if(dst[i] == NULL) exit(1); ++ r = strxfrm_l(dst[i], src[i], len, locale); + if(r >= len) exit(1); + } +- if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1); ++ if (strcmp(dst[0], dst[1]) >= 0) exit(1); + + exit(0); + return(0); diff --git a/libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch b/libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch new file mode 100644 index 0000000000..9f2d7ac3f1 --- /dev/null +++ b/libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch @@ -0,0 +1,29 @@ +From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 29 Oct 2015 19:33:23 +0800 +Subject: [PATCH] Fix for type confusion in preprocessing attributes + +CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10 +We need to check that the parent node is an element before dereferencing +its namespace +--- + libxslt/preproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/preproc.c b/libxslt/preproc.c +index 0eb80a0..7f69325 100644 +--- a/libxslt/preproc.c ++++ b/libxslt/preproc.c +@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) { + } else if (IS_XSLT_NAME(inst, "attribute")) { + xmlNodePtr parent = inst->parent; + +- if ((parent == NULL) || (parent->ns == NULL) || ++ if ((parent == NULL) || ++ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) || + ((parent->ns != inst->ns) && + (!xmlStrEqual(parent->ns->href, inst->ns->href))) || + (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) { +-- +2.8.1 + diff --git a/libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch b/libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch new file mode 100644 index 0000000000..183cabb52d --- /dev/null +++ b/libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch @@ -0,0 +1,62 @@ +From 3309feb654036280d2355f8025150a69bfded6e2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 3 Jan 2016 16:45:24 +0100 +Subject: [PATCH] Always initialize EXSLT month and day to 1 + +Fixes bug #757970 +https://bugzilla.gnome.org/show_bug.cgi?id=757970 +--- + libexslt/date.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/libexslt/date.c b/libexslt/date.c +index 9ca993c..272c61b 100644 +--- a/libexslt/date.c ++++ b/libexslt/date.c +@@ -667,6 +667,11 @@ exsltDateCreateDate (exsltDateType type) + } + memset (ret, 0, sizeof(exsltDateVal)); + ++ if (type != XS_DURATION) { ++ ret->value.date.mon = 1; ++ ret->value.date.day = 1; ++ } ++ + if (type != EXSLT_UNKNOWN) + ret->type = type; + +@@ -1395,10 +1400,10 @@ _exsltDateTruncateDate (exsltDateValPtr dt, exsltDateType type) + } + + if ((type & XS_GDAY) != XS_GDAY) +- dt->value.date.day = 0; ++ dt->value.date.day = 1; + + if ((type & XS_GMONTH) != XS_GMONTH) +- dt->value.date.mon = 0; ++ dt->value.date.mon = 1; + + if ((type & XS_GYEAR) != XS_GYEAR) + dt->value.date.year = 0; +@@ -1473,18 +1478,10 @@ _exsltDateAdd (exsltDateValPtr dt, exsltDateValPtr dur) + d = &(dt->value.date); + u = &(dur->value.dur); + +- /* normalization */ +- if (d->mon == 0) +- d->mon = 1; +- + /* normalize for time zone offset */ + u->sec -= (d->tzo * 60); /* changed from + to - (bug 153000) */ + d->tzo = 0; + +- /* normalization */ +- if (d->day == 0) +- d->day = 1; +- + /* month */ + carry = d->mon + u->mon; + r->mon = (unsigned int)MODULO_RANGE(carry, 1, 13); +-- +2.8.1 + diff --git a/libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch b/libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch new file mode 100644 index 0000000000..aec622fb03 --- /dev/null +++ b/libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch @@ -0,0 +1,105 @@ +From fc1ff481fd01e9a65a921c542fed68d8c965e8a3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 25 Feb 2016 17:16:06 +0100 +Subject: [PATCH] Fix use-after-free in xsltDocumentFunctionLoadDocument + +Also fixes a memory leak in an unlikely error case. + +Fixes bug #758291 +https://bugzilla.gnome.org/show_bug.cgi?id=758291 +--- + libxslt/functions.c | 3 ++- + tests/docs/bug-185-data.xml | 5 +++++ + tests/docs/bug-185.xml | 2 ++ + tests/general/bug-185.err | 3 +++ + tests/general/bug-185.out | 0 + tests/general/bug-185.xsl | 14 ++++++++++++++ + 6 files changed, 26 insertions(+), 1 deletion(-) + create mode 100644 tests/docs/bug-185-data.xml + create mode 100644 tests/docs/bug-185.xml + create mode 100644 tests/general/bug-185.err + create mode 100644 tests/general/bug-185.out + create mode 100644 tests/general/bug-185.xsl + +diff --git a/libxslt/functions.c b/libxslt/functions.c +index 549649c..a5e7021 100644 +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -180,7 +180,6 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + resObj = xmlXPtrEval(fragment, xptrctxt); + xmlXPathFreeContext(xptrctxt); + #endif +- xmlFree(fragment); + + if (resObj == NULL) + goto out_fragment; +@@ -204,6 +203,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + } + + valuePush(ctxt, resObj); ++ xmlFree(fragment); + return; + + out_object: +@@ -211,6 +211,7 @@ out_object: + + out_fragment: + valuePush(ctxt, xmlXPathNewNodeSet(NULL)); ++ xmlFree(fragment); + } + + /** +diff --git a/tests/docs/bug-185-data.xml b/tests/docs/bug-185-data.xml +new file mode 100644 +index 0000000..166ef17 +--- /dev/null ++++ b/tests/docs/bug-185-data.xml +@@ -0,0 +1,5 @@ ++ ] > ++ ++ ++ ++ +diff --git a/tests/docs/bug-185.xml b/tests/docs/bug-185.xml +new file mode 100644 +index 0000000..72bfdc4 +--- /dev/null ++++ b/tests/docs/bug-185.xml +@@ -0,0 +1,2 @@ ++ ++bug-185-data.xml#xpointer(id('X')/range-to(id('Y'))) +diff --git a/tests/general/bug-185.err b/tests/general/bug-185.err +new file mode 100644 +index 0000000..d7bbe92 +--- /dev/null ++++ b/tests/general/bug-185.err +@@ -0,0 +1,3 @@ ++runtime error: file ./bug-185.xsl line 7 element copy-of ++document() : XPointer does not select a node set: #xpointer(id('X')/range-to(id('Y'))) ++no result for ./../docs/bug-185.xml +diff --git a/tests/general/bug-185.out b/tests/general/bug-185.out +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/general/bug-185.xsl b/tests/general/bug-185.xsl +new file mode 100644 +index 0000000..1c5c7d1 +--- /dev/null ++++ b/tests/general/bug-185.xsl +@@ -0,0 +1,14 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +-- +2.8.1 + diff --git a/libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch b/libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch new file mode 100644 index 0000000000..871fcfbc3d --- /dev/null +++ b/libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch @@ -0,0 +1,171 @@ +From d182d8f6ba3071503d96ce17395c9d55871f0242 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 22 Mar 2016 18:20:01 +0100 +Subject: [PATCH] Fix xsltNumberFormatGetMultipleLevel + +Namespace nodes are actually an xmlNs, not an xmlNode. They must be +special-cased in xsltNumberFormatGetMultipleLevel to avoid an +out-of-bounds heap access. + +Move the test whether a node matches the "count" pattern to a separate +function to make the code more readable. As a side effect, we also +compare expanded names when walking up the ancestor axis, fixing an +insignificant bug. +--- + libxslt/numbers.c | 82 +++++++++++++++++++++++++++-------------------- + tests/docs/bug-186.xml | 4 +++ + tests/general/bug-186.out | 5 +++ + tests/general/bug-186.xsl | 7 ++++ + 4 files changed, 63 insertions(+), 35 deletions(-) + create mode 100644 tests/docs/bug-186.xml + create mode 100644 tests/general/bug-186.out + create mode 100644 tests/general/bug-186.xsl + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index e3209e0..184ee6f 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -532,6 +532,43 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + } + + static int ++xsltTestCompMatchCount(xsltTransformContextPtr context, ++ xmlNodePtr node, ++ xsltCompMatchPtr countPat, ++ xmlNodePtr cur) ++{ ++ if (countPat != NULL) { ++ return xsltTestCompMatchList(context, node, countPat); ++ } ++ else { ++ /* ++ * 7.7 Numbering ++ * ++ * If count attribute is not specified, then it defaults to the ++ * pattern that matches any node with the same node type as the ++ * current node and, if the current node has an expanded-name, with ++ * the same expanded-name as the current node. ++ */ ++ if (node->type != cur->type) ++ return 0; ++ if (node->type == XML_NAMESPACE_DECL) ++ /* ++ * Namespace nodes have no preceding siblings and no parents ++ * that are namespace nodes. This means that node == cur. ++ */ ++ return 1; ++ /* TODO: Skip node types without expanded names like text nodes. */ ++ if (!xmlStrEqual(node->name, cur->name)) ++ return 0; ++ if (node->ns == cur->ns) ++ return 1; ++ if ((node->ns == NULL) || (cur->ns == NULL)) ++ return 0; ++ return (xmlStrEqual(node->ns->href, cur->ns->href)); ++ } ++} ++ ++static int + xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context, + xmlNodePtr node, + xsltCompMatchPtr countPat, +@@ -562,21 +599,8 @@ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context, + + while (cur != NULL) { + /* process current node */ +- if (countPat == NULL) { +- if ((node->type == cur->type) && +- /* FIXME: must use expanded-name instead of local name */ +- xmlStrEqual(node->name, cur->name)) { +- if ((node->ns == cur->ns) || +- ((node->ns != NULL) && +- (cur->ns != NULL) && +- (xmlStrEqual(node->ns->href, +- cur->ns->href) ))) +- cnt++; +- } +- } else { +- if (xsltTestCompMatchList(context, cur, countPat)) +- cnt++; +- } ++ if (xsltTestCompMatchCount(context, cur, countPat, node)) ++ cnt++; + if ((fromPat != NULL) && + xsltTestCompMatchList(context, cur, fromPat)) { + break; /* while */ +@@ -633,30 +657,18 @@ xsltNumberFormatGetMultipleLevel(xsltTransformContextPtr context, + xsltTestCompMatchList(context, ancestor, fromPat)) + break; /* for */ + +- if ((countPat == NULL && node->type == ancestor->type && +- xmlStrEqual(node->name, ancestor->name)) || +- xsltTestCompMatchList(context, ancestor, countPat)) { ++ if (xsltTestCompMatchCount(context, ancestor, countPat, node)) { + /* count(preceding-sibling::*) */ +- cnt = 0; +- for (preceding = ancestor; ++ cnt = 1; ++ for (preceding = ++ xmlXPathNextPrecedingSibling(parser, ancestor); + preceding != NULL; + preceding = + xmlXPathNextPrecedingSibling(parser, preceding)) { +- if (countPat == NULL) { +- if ((preceding->type == ancestor->type) && +- xmlStrEqual(preceding->name, ancestor->name)){ +- if ((preceding->ns == ancestor->ns) || +- ((preceding->ns != NULL) && +- (ancestor->ns != NULL) && +- (xmlStrEqual(preceding->ns->href, +- ancestor->ns->href) ))) +- cnt++; +- } +- } else { +- if (xsltTestCompMatchList(context, preceding, +- countPat)) +- cnt++; +- } ++ ++ if (xsltTestCompMatchCount(context, preceding, countPat, ++ node)) ++ cnt++; + } + array[amount++] = (double)cnt; + if (amount >= max) +diff --git a/tests/docs/bug-186.xml b/tests/docs/bug-186.xml +new file mode 100644 +index 0000000..424db6b +--- /dev/null ++++ b/tests/docs/bug-186.xml +@@ -0,0 +1,4 @@ ++ ++ ++ ++ +diff --git a/tests/general/bug-186.out b/tests/general/bug-186.out +new file mode 100644 +index 0000000..01a59f8 +--- /dev/null ++++ b/tests/general/bug-186.out +@@ -0,0 +1,5 @@ ++ ++ ++1111 ++1111 ++ +diff --git a/tests/general/bug-186.xsl b/tests/general/bug-186.xsl +new file mode 100644 +index 0000000..9c491dd +--- /dev/null ++++ b/tests/general/bug-186.xsl +@@ -0,0 +1,7 @@ ++ ++ ++ ++ ++ ++ ++ +-- +2.8.1 + diff --git a/libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch b/libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch new file mode 100644 index 0000000000..bed1b04eeb --- /dev/null +++ b/libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch @@ -0,0 +1,26 @@ +From 345e0bfb1c1131155a32dfbdfc8f78d1c602dc40 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 10 Apr 2016 12:50:02 +0200 +Subject: [PATCH] Round xsl:number values to nearest integer + +This matches XSLT 2.0 behavior. +--- + libxslt/numbers.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 184ee6f..eb087bc 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -440,6 +440,8 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + for (i = 0; i < numbers_max; i++) { + /* Insert number */ + number = numbers[(numbers_max - 1) - i]; ++ /* Round to nearest like XSLT 2.0 */ ++ number = floor(number + 0.5); + if (i < tokens->nTokens) { + /* + * The "n"th format token will be used to format the "n"th +-- +2.8.1 + diff --git a/libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch b/libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch new file mode 100644 index 0000000000..d5b54f4a5f --- /dev/null +++ b/libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch @@ -0,0 +1,51 @@ +From 69ec3da1b653024aca6515ddd4adc91919dd188e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 10 Apr 2016 12:51:57 +0200 +Subject: [PATCH] Handle negative xsl:number values + +According to XSLT 2.0, negative values are a non-recoverable dynamic error. +Print an error message and treat negative values as zero. + +Fixes an OOB array access in xsltNumberFormatAlpha. +--- + libxslt/numbers.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index eb087bc..a3cabcf 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -246,7 +246,7 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer, + number--; + *(--pointer) = alpha_list[((int)fmod(number, alpha_size))]; + number /= alpha_size; +- if (fabs(number) < 1.0) ++ if (number < 1.0) + break; /* for */ + } + xmlBufferCCat(buffer, pointer); +@@ -442,6 +442,21 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + number = numbers[(numbers_max - 1) - i]; + /* Round to nearest like XSLT 2.0 */ + number = floor(number + 0.5); ++ /* ++ * XSLT 1.0 isn't clear on how to handle negative numbers, but XSLT ++ * 2.0 says: ++ * ++ * It is a non-recoverable dynamic error if any undiscarded item ++ * in the atomized sequence supplied as the value of the value ++ * attribute of xsl:number cannot be converted to an integer, or ++ * if the resulting integer is less than 0 (zero). ++ */ ++ if (number < 0.0) { ++ xsltTransformError(NULL, NULL, NULL, ++ "xsl-number : negative value\n"); ++ /* Recover by treating negative values as zero. */ ++ number = 0.0; ++ } + if (i < tokens->nTokens) { + /* + * The "n"th format token will be used to format the "n"th +-- +2.8.1 + diff --git a/libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch b/libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch new file mode 100644 index 0000000000..e5149a9ccc --- /dev/null +++ b/libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch @@ -0,0 +1,75 @@ +From 405034286fbdd6166229335b7203a41bf53b40fc Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 10 Apr 2016 13:11:31 +0200 +Subject: [PATCH] Lower bound for format token "a" + +Handle xsl:number with format "a" and value 0 according to XSLT 2.0. + +Fixes an OOB array access in xsltNumberFormatAlpha. +--- + libxslt/numbers.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index a3cabcf..af52883 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -227,7 +227,8 @@ xsltNumberFormatDecimal(xmlBufferPtr buffer, + } + + static void +-xsltNumberFormatAlpha(xmlBufferPtr buffer, ++xsltNumberFormatAlpha(xsltNumberDataPtr data, ++ xmlBufferPtr buffer, + double number, + int is_upper) + { +@@ -237,6 +238,26 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer, + char *alpha_list; + double alpha_size = (double)(sizeof(alpha_upper_list) - 1); + ++ /* ++ * XSLT 1.0 isn't clear on how to handle zero, but XSLT 2.0 says: ++ * ++ * For all format tokens other than the first kind above (one that ++ * consists of decimal digits), there may be implementation-defined ++ * lower and upper bounds on the range of numbers that can be ++ * formatted using this format token; indeed, for some numbering ++ * sequences there may be intrinsic limits. [...] Numbers that fall ++ * outside this range must be formatted using the format token 1. ++ * ++ * The "a" token has an intrinsic lower limit of 1. ++ */ ++ if (number < 1.0) { ++ xsltNumberFormatDecimal(buffer, number, '0', 1, ++ data->digitsPerGroup, ++ data->groupingCharacter, ++ data->groupingCharacterLen); ++ return; ++ } ++ + /* Build buffer from back */ + pointer = &temp_string[sizeof(temp_string)]; + *(--pointer) = 0; +@@ -500,16 +521,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + + switch (token->token) { + case 'A': +- xsltNumberFormatAlpha(buffer, +- number, +- TRUE); +- ++ xsltNumberFormatAlpha(data, buffer, number, TRUE); + break; + case 'a': +- xsltNumberFormatAlpha(buffer, +- number, +- FALSE); +- ++ xsltNumberFormatAlpha(data, buffer, number, FALSE); + break; + case 'I': + xsltNumberFormatRoman(buffer, +-- +2.8.1 + diff --git a/libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch b/libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch new file mode 100644 index 0000000000..d000c45cdf --- /dev/null +++ b/libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch @@ -0,0 +1,64 @@ +From 91d0540ac9beaa86719a05b749219a69baa0dd8d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 10 Apr 2016 13:12:28 +0200 +Subject: [PATCH] Lower and upper bound for format token "i" + +Handle xsl:number with format "i" and value 0 according to XSLT 2.0. + +Also introduce an upper bound to fix a denial of service. +--- + libxslt/numbers.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index af52883..e769c42 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data, + } + + static void +-xsltNumberFormatRoman(xmlBufferPtr buffer, ++xsltNumberFormatRoman(xsltNumberDataPtr data, ++ xmlBufferPtr buffer, + double number, + int is_upper) + { + /* ++ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper ++ * bound to avoid denial of service. ++ */ ++ if (number < 1.0 || number > 5000.0) { ++ xsltNumberFormatDecimal(buffer, number, '0', 1, ++ data->digitsPerGroup, ++ data->groupingCharacter, ++ data->groupingCharacterLen); ++ return; ++ } ++ ++ /* + * Based on an example by Jim Walsh + */ + while (number >= 1000.0) { +@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + xsltNumberFormatAlpha(data, buffer, number, FALSE); + break; + case 'I': +- xsltNumberFormatRoman(buffer, +- number, +- TRUE); +- ++ xsltNumberFormatRoman(data, buffer, number, TRUE); + break; + case 'i': +- xsltNumberFormatRoman(buffer, +- number, +- FALSE); +- ++ xsltNumberFormatRoman(data, buffer, number, FALSE); + break; + default: + if (IS_DIGIT_ZERO(token->token)) { +-- +2.8.1 + diff --git a/libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch b/libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch new file mode 100644 index 0000000000..eafdee1695 --- /dev/null +++ b/libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch @@ -0,0 +1,62 @@ +From d8862309f08054218b28e2c8f5fb3cb2f650cac7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 20 Apr 2016 14:35:43 +0200 +Subject: [PATCH] Fix double free in libexslt hash functions + +Thanks to Nicolas Gregoire for the report. + +Fixes bug #765271: + +https://bugzilla.gnome.org/show_bug.cgi?id=765271 +--- + libexslt/crypto.c | 15 +++------------ + tests/exslt/crypto/hash.1.out | 2 ++ + tests/exslt/crypto/hash.1.xml | 5 +++++ + 3 files changed, 10 insertions(+), 12 deletions(-) + +diff --git a/libexslt/crypto.c b/libexslt/crypto.c +index 6aa9dd2..e13db8b 100644 +--- a/libexslt/crypto.c ++++ b/libexslt/crypto.c +@@ -499,11 +499,8 @@ exsltCryptoMd4Function (xmlXPathParserContextPtr ctxt, int nargs) { + unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1]; + + str_len = exsltCryptoPopString (ctxt, nargs, &str); +- if (str_len == 0) { +- xmlXPathReturnEmptyString (ctxt); +- xmlFree (str); ++ if (str_len == 0) + return; +- } + + PLATFORM_HASH (ctxt, PLATFORM_MD4, (const char *) str, str_len, + (char *) hash); +@@ -532,11 +529,8 @@ exsltCryptoMd5Function (xmlXPathParserContextPtr ctxt, int nargs) { + unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1]; + + str_len = exsltCryptoPopString (ctxt, nargs, &str); +- if (str_len == 0) { +- xmlXPathReturnEmptyString (ctxt); +- xmlFree (str); ++ if (str_len == 0) + return; +- } + + PLATFORM_HASH (ctxt, PLATFORM_MD5, (const char *) str, str_len, + (char *) hash); +@@ -565,11 +559,8 @@ exsltCryptoSha1Function (xmlXPathParserContextPtr ctxt, int nargs) { + unsigned char hex[SHA1_DIGEST_LENGTH * 2 + 1]; + + str_len = exsltCryptoPopString (ctxt, nargs, &str); +- if (str_len == 0) { +- xmlXPathReturnEmptyString (ctxt); +- xmlFree (str); ++ if (str_len == 0) + return; +- } + + PLATFORM_HASH (ctxt, PLATFORM_SHA1, (const char *) str, str_len, + (char *) hash); +-- +2.8.1 + diff --git a/libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch b/libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch new file mode 100644 index 0000000000..3125c33280 --- /dev/null +++ b/libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch @@ -0,0 +1,33 @@ +From 5d0c6565bab5b9b7efceb33b626916d22b4101a7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 28 Apr 2016 17:34:27 +0200 +Subject: [PATCH] Fix buffer overflow in exsltDateFormat + +Long years can overflow a stack-based buffer on 64-bit platforms by +up to four bytes. + +Thanks to Nicolas Gregoire for the report. + +Fixes bug #765380: + +https://bugzilla.gnome.org/show_bug.cgi?id=765380 +--- + libexslt/date.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libexslt/date.c b/libexslt/date.c +index 272c61b..12c9919 100644 +--- a/libexslt/date.c ++++ b/libexslt/date.c +@@ -1283,7 +1283,7 @@ exsltDateFormat (const exsltDateValPtr dt) + } + + if (dt->type & XS_GYEAR) { +- xmlChar buf[20], *cur = buf; ++ xmlChar buf[100], *cur = buf; + + FORMAT_GYEAR(dt->value.date.year, cur); + if (dt->type == XS_GYEARMONTH) { +-- +2.8.1 + diff --git a/libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch b/libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch new file mode 100644 index 0000000000..cddc2a68c8 --- /dev/null +++ b/libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch @@ -0,0 +1,36 @@ +From 87c3d9ea214fc0503fd8130b6dd97431d69cc066 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 5 May 2016 15:12:48 +0200 +Subject: [PATCH] Fix OOB heap read in xsltExtModuleRegisterDynamic + +xsltExtModuleRegisterDynamic would read a byte before the start of a +string under certain circumstances. I looks like this piece code was +supposed to strip characters from the end of the extension name, but +it didn't have any effect. Don't read beyond the beginning of the +string and actually strip unwanted characters. + +Found with afl-fuzz and ASan. +--- + libxslt/extensions.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libxslt/extensions.c b/libxslt/extensions.c +index 5ad73cb..ae6eef0 100644 +--- a/libxslt/extensions.c ++++ b/libxslt/extensions.c +@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI) + i++; + } + +- if (*(i - 1) == '_') ++ /* Strip underscores from end of string. */ ++ while (i > ext_name && *(i - 1) == '_') { ++ i--; + *i = '\0'; ++ } + + /* determine module directory */ + ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH"); +-- +2.8.1 + diff --git a/libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch b/libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch new file mode 100644 index 0000000000..60ead15226 --- /dev/null +++ b/libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch @@ -0,0 +1,31 @@ +From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 10 Jun 2016 14:23:58 +0200 +Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion + +An empty decimal-separator could cause a heap overread. This can be +exploited to leak a couple of bytes after the buffer that holds the +pattern string. + +Found with afl-fuzz and ASan. +--- + libxslt/numbers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index d1549b4..e78c46b 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, + } + + /* We have finished the integer part, now work on fraction */ +- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { ++ if ( (*the_format != 0) && ++ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { + format_info.add_decimal = TRUE; + the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ + } +-- +2.10.2 + diff --git a/libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch b/libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch new file mode 100644 index 0000000000..ea941db4ce --- /dev/null +++ b/libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch @@ -0,0 +1,74 @@ +From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 12 Jan 2017 15:39:52 +0100 +Subject: [PATCH] Check for integer overflow in xsltAddTextString + +Limit buffer size in xsltAddTextString to INT_MAX. The issue can be +exploited to trigger an out of bounds write on 64-bit systems. + +Originally reported to Chromium: + +https://crbug.com/676623 +--- + libxslt/transform.c | 25 ++++++++++++++++++++++--- + libxslt/xsltInternals.h | 4 ++-- + 2 files changed, 24 insertions(+), 5 deletions(-) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 519133fc..02bff34a 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, + return(target); + + if (ctxt->lasttext == target->content) { ++ int minSize; + +- if (ctxt->lasttuse + len >= ctxt->lasttsize) { ++ /* Check for integer overflow accounting for NUL terminator. */ ++ if (len >= INT_MAX - ctxt->lasttuse) { ++ xsltTransformError(ctxt, NULL, target, ++ "xsltCopyText: text allocation failed\n"); ++ return(NULL); ++ } ++ minSize = ctxt->lasttuse + len + 1; ++ ++ if (ctxt->lasttsize < minSize) { + xmlChar *newbuf; + int size; ++ int extra; ++ ++ /* Double buffer size but increase by at least 100 bytes. */ ++ extra = minSize < 100 ? 100 : minSize; ++ ++ /* Check for integer overflow. */ ++ if (extra > INT_MAX - ctxt->lasttsize) { ++ size = INT_MAX; ++ } ++ else { ++ size = ctxt->lasttsize + extra; ++ } + +- size = ctxt->lasttsize + len + 100; +- size *= 2; + newbuf = (xmlChar *) xmlRealloc(target->content,size); + if (newbuf == NULL) { + xsltTransformError(ctxt, NULL, target, +diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h +index 060b1783..5ad17719 100644 +--- a/libxslt/xsltInternals.h ++++ b/libxslt/xsltInternals.h +@@ -1754,8 +1754,8 @@ struct _xsltTransformContext { + * Speed optimization when coalescing text nodes + */ + const xmlChar *lasttext; /* last text node content */ +- unsigned int lasttsize; /* last text node size */ +- unsigned int lasttuse; /* last text node use */ ++ int lasttsize; /* last text node size */ ++ int lasttuse; /* last text node use */ + /* + * Per Context Debugging + */ +-- +2.11.0 + From bdfe75a5cd3e71654a860e6513b3a5d34ca223df Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Tue, 30 Jan 2018 15:32:47 +0100 Subject: [PATCH 3/3] tiff: version bump to address open CVEs - Bumps version to 4.0.9. Otherwise about two dozen packages would need to be backported. There were no ABI/API changes between 4.0.3 and 4.0.9, so this is OK. - Adds a patch from Jow that addresses a macro issue (already in master/lede-17.01) - Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935 on top. Signed-off-by: Sebastian Kemper --- libs/tiff/Makefile | 10 +- libs/tiff/patches/001-autoconf-compat.patch | 6 +- libs/tiff/patches/005-fix-ftell-macro.patch | 11 + libs/tiff/patches/010-CVE-2012-4564.patch | 31 - libs/tiff/patches/011-CVE-2013-1960.patch | 146 ---- libs/tiff/patches/012-CVE-2013-1961.patch | 768 -------------------- libs/tiff/patches/013-CVE-2013-4231.patch | 17 - libs/tiff/patches/014-CVE-2013-4232.patch | 18 - libs/tiff/patches/015-CVE-2013-4244.patch | 18 - libs/tiff/patches/016-CVE-2013-4243.patch | 37 - libs/tiff/patches/017-CVE-2014-9330.patch | 45 -- libs/tiff/patches/019-CVE-2017-18013.patch | 34 + libs/tiff/patches/020-CVE-2017-9935.patch | 117 +++ 13 files changed, 170 insertions(+), 1088 deletions(-) create mode 100644 libs/tiff/patches/005-fix-ftell-macro.patch delete mode 100644 libs/tiff/patches/010-CVE-2012-4564.patch delete mode 100644 libs/tiff/patches/011-CVE-2013-1960.patch delete mode 100644 libs/tiff/patches/012-CVE-2013-1961.patch delete mode 100644 libs/tiff/patches/013-CVE-2013-4231.patch delete mode 100644 libs/tiff/patches/014-CVE-2013-4232.patch delete mode 100644 libs/tiff/patches/015-CVE-2013-4244.patch delete mode 100644 libs/tiff/patches/016-CVE-2013-4243.patch delete mode 100644 libs/tiff/patches/017-CVE-2014-9330.patch create mode 100644 libs/tiff/patches/019-CVE-2017-18013.patch create mode 100644 libs/tiff/patches/020-CVE-2017-9935.patch diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile index bccab8bf49..f080b2af22 100644 --- a/libs/tiff/Makefile +++ b/libs/tiff/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2014 OpenWrt.org +# Copyright (C) 2006-2018 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tiff -PKG_VERSION:=4.0.3 -PKG_RELEASE:=4 +PKG_VERSION:=4.0.9 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://download.osgeo.org/libtiff -PKG_MD5SUM:=051c1068e6a0627f461948c365290410 +PKG_MD5SUM:=54bad211279cc93eb4fca31ba9bfdc79 PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=autogen.sh aclocal.m4 @@ -31,7 +31,7 @@ include $(INCLUDE_DIR)/package.mk define Package/tiff/Default TITLE:=TIFF URL:=http://www.remotesensing.org/libtiff/ - MAINTAINER:=Jiri Slachta + MAINTAINER:=Jiri Slachta endef define Package/libtiff diff --git a/libs/tiff/patches/001-autoconf-compat.patch b/libs/tiff/patches/001-autoconf-compat.patch index c7c0dfccd2..b10286e06f 100644 --- a/libs/tiff/patches/001-autoconf-compat.patch +++ b/libs/tiff/patches/001-autoconf-compat.patch @@ -9,9 +9,9 @@ ACLOCAL_AMFLAGS = -I m4 docfiles = \ -@@ -48,7 +48,7 @@ EXTRA_DIST = \ - - dist_doc_DATA = $(docfiles) +@@ -61,7 +61,7 @@ distcheck-hook: + rm -rf $(distdir)/_build/cmake + rm -rf $(distdir)/_inst/cmake -SUBDIRS = port libtiff tools build contrib test man html +SUBDIRS = port libtiff tools build contrib diff --git a/libs/tiff/patches/005-fix-ftell-macro.patch b/libs/tiff/patches/005-fix-ftell-macro.patch new file mode 100644 index 0000000000..23e1e039a5 --- /dev/null +++ b/libs/tiff/patches/005-fix-ftell-macro.patch @@ -0,0 +1,11 @@ +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -287,7 +287,7 @@ struct tiff { + */ + #if defined(HAVE_FSEEKO) + # define fseek(stream,offset,whence) fseeko(stream,offset,whence) +-# define ftell(stream,offset,whence) ftello(stream,offset,whence) ++# define ftell(stream) ftello(stream) + #endif + #endif + #if defined(__WIN32__) && \ diff --git a/libs/tiff/patches/010-CVE-2012-4564.patch b/libs/tiff/patches/010-CVE-2012-4564.patch deleted file mode 100644 index 7783353ee4..0000000000 --- a/libs/tiff/patches/010-CVE-2012-4564.patch +++ /dev/null @@ -1,31 +0,0 @@ -Index: tiff-4.0.3/tools/ppm2tiff.c -=================================================================== ---- tiff-4.0.3.orig/tools/ppm2tiff.c 2013-06-23 10:36:50.779629492 -0400 -+++ tiff-4.0.3/tools/ppm2tiff.c 2013-06-23 10:36:50.775629494 -0400 -@@ -89,6 +89,7 @@ - int c; - extern int optind; - extern char* optarg; -+ tmsize_t scanline_size; - - if (argc < 2) { - fprintf(stderr, "%s: Too few arguments\n", argv[0]); -@@ -237,8 +238,16 @@ - } - if (TIFFScanlineSize(out) > linebytes) - buf = (unsigned char *)_TIFFmalloc(linebytes); -- else -- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -+ else { -+ scanline_size = TIFFScanlineSize(out); -+ if (scanline_size != 0) -+ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -+ else { -+ fprintf(stderr, "%s: scanline size overflow\n",infile); -+ (void) TIFFClose(out); -+ exit(-2); -+ } -+ } - if (resolution > 0) { - TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); - TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); diff --git a/libs/tiff/patches/011-CVE-2013-1960.patch b/libs/tiff/patches/011-CVE-2013-1960.patch deleted file mode 100644 index 3bf15f1905..0000000000 --- a/libs/tiff/patches/011-CVE-2013-1960.patch +++ /dev/null @@ -1,146 +0,0 @@ -Index: tiff-4.0.3/tools/tiff2pdf.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:50.979629486 -0400 -+++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:50.975629486 -0400 -@@ -3341,33 +3341,56 @@ - uint32 height){ - - tsize_t i=0; -- uint16 ri =0; -- uint16 v_samp=1; -- uint16 h_samp=1; -- int j=0; -- -- i++; -- -- while(i<(*striplength)){ -+ -+ while (i < *striplength) { -+ tsize_t datalen; -+ uint16 ri; -+ uint16 v_samp; -+ uint16 h_samp; -+ int j; -+ int ncomp; -+ -+ /* marker header: one or more FFs */ -+ if (strip[i] != 0xff) -+ return(0); -+ i++; -+ while (i < *striplength && strip[i] == 0xff) -+ i++; -+ if (i >= *striplength) -+ return(0); -+ /* SOI is the only pre-SOS marker without a length word */ -+ if (strip[i] == 0xd8) -+ datalen = 0; -+ else { -+ if ((*striplength - i) <= 2) -+ return(0); -+ datalen = (strip[i+1] << 8) | strip[i+2]; -+ if (datalen < 2 || datalen >= (*striplength - i)) -+ return(0); -+ } - switch( strip[i] ){ -- case 0xd8: -- /* SOI - start of image */ -+ case 0xd8: /* SOI - start of image */ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); - *bufferoffset+=2; -- i+=2; - break; -- case 0xc0: -- case 0xc1: -- case 0xc3: -- case 0xc9: -- case 0xca: -+ case 0xc0: /* SOF0 */ -+ case 0xc1: /* SOF1 */ -+ case 0xc3: /* SOF3 */ -+ case 0xc9: /* SOF9 */ -+ case 0xca: /* SOF10 */ - if(no==0){ -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- for(j=0;j>4) > h_samp) -- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); -- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) -- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ ncomp = buffer[*bufferoffset+9]; -+ if (ncomp < 1 || ncomp > 4) -+ return(0); -+ v_samp=1; -+ h_samp=1; -+ for(j=0;j>4) > h_samp) -+ h_samp = (samp>>4); -+ if( (samp & 0x0f) > v_samp) -+ v_samp = (samp & 0x0f); - } - v_samp*=8; - h_samp*=8; -@@ -3381,45 +3404,43 @@ - (unsigned char) ((height>>8) & 0xff); - buffer[*bufferoffset+6]= - (unsigned char) (height & 0xff); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -- -+ *bufferoffset+=datalen+2; -+ /* insert a DRI marker */ - buffer[(*bufferoffset)++]=0xff; - buffer[(*bufferoffset)++]=0xdd; - buffer[(*bufferoffset)++]=0x00; - buffer[(*bufferoffset)++]=0x04; - buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; - buffer[(*bufferoffset)++]= ri & 0xff; -- } else { -- i+=strip[i+2]+2; - } - break; -- case 0xc4: -- case 0xdb: -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -+ case 0xc4: /* DHT */ -+ case 0xdb: /* DQT */ -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ *bufferoffset+=datalen+2; - break; -- case 0xda: -+ case 0xda: /* SOS */ - if(no==0){ -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); -- *bufferoffset+=strip[i+2]+2; -- i+=strip[i+2]+2; -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); -+ *bufferoffset+=datalen+2; - } else { - buffer[(*bufferoffset)++]=0xff; - buffer[(*bufferoffset)++]= - (unsigned char)(0xd0 | ((no-1)%8)); -- i+=strip[i+2]+2; - } -- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); -- *bufferoffset+=(*striplength)-i-1; -+ i += datalen + 1; -+ /* copy remainder of strip */ -+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); -+ *bufferoffset+= *striplength - i; - return(1); - default: -- i+=strip[i+2]+2; -+ /* ignore any other marker */ -+ break; - } -+ i += datalen + 1; - } -- - -+ /* failed to find SOS marker */ - return(0); - } - #endif diff --git a/libs/tiff/patches/012-CVE-2013-1961.patch b/libs/tiff/patches/012-CVE-2013-1961.patch deleted file mode 100644 index 2d1268ee99..0000000000 --- a/libs/tiff/patches/012-CVE-2013-1961.patch +++ /dev/null @@ -1,768 +0,0 @@ -Index: tiff-4.0.3/contrib/dbs/xtiff/xtiff.c -=================================================================== ---- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.147629484 -0400 -@@ -512,9 +512,9 @@ - Arg args[1]; - - if (tfMultiPage) -- sprintf(buffer, "%s - page %d", fileName, tfDirectory); -+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); - else -- strcpy(buffer, fileName); -+ snprintf(buffer, sizeof(buffer), "%s", fileName); - XtSetArg(args[0], XtNlabel, buffer); - XtSetValues(labelWidget, args, 1); - } -Index: tiff-4.0.3/libtiff/tif_dirinfo.c -=================================================================== ---- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.147629484 -0400 -@@ -711,7 +711,7 @@ - * note that this name is a special sign to TIFFClose() and - * _TIFFSetupFields() to free the field - */ -- sprintf(fld->field_name, "Tag %d", (int) tag); -+ snprintf(fld->field_name, 32, "Tag %d", (int) tag); - - return fld; - } -Index: tiff-4.0.3/libtiff/tif_codec.c -=================================================================== ---- tiff-4.0.3.orig/libtiff/tif_codec.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/libtiff/tif_codec.c 2013-06-23 10:36:51.151629482 -0400 -@@ -108,7 +108,8 @@ - const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); - char compression_code[20]; - -- sprintf( compression_code, "%d", tif->tif_dir.td_compression ); -+ snprintf(compression_code, sizeof(compression_code), "%d", -+ tif->tif_dir.td_compression ); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s compression support is not configured", - c ? c->name : compression_code ); -Index: tiff-4.0.3/tools/tiffdither.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiffdither.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiffdither.c 2013-06-23 10:36:51.151629482 -0400 -@@ -260,7 +260,7 @@ - TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); - else - CopyField(TIFFTAG_FILLORDER, shortv); -- sprintf(thing, "Dithered B&W version of %s", argv[optind]); -+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); - CopyField(TIFFTAG_PHOTOMETRIC, shortv); - CopyField(TIFFTAG_ORIENTATION, shortv); -Index: tiff-4.0.3/tools/rgb2ycbcr.c -=================================================================== ---- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-06-23 10:36:51.151629482 -0400 -@@ -332,7 +332,8 @@ - TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); - { char buf[2048]; - char *cp = strrchr(TIFFFileName(in), '/'); -- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); -+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s", -+ cp ? cp+1 : TIFFFileName(in)); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); - } - TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); -Index: tiff-4.0.3/tools/tiff2pdf.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:51.151629482 -0400 -@@ -3630,7 +3630,9 @@ - char buffer[16]; - int buflen=0; - -- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); -+ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", -+ t2p->pdf_majorversion&0xff, -+ t2p->pdf_minorversion&0xff); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); - -@@ -3644,10 +3646,10 @@ - tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - -- buflen=sprintf(buffer, "%lu", (unsigned long)number); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); - written += t2pWriteFile(output, (tdata_t) buffer, buflen ); - written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); - -@@ -3686,13 +3688,13 @@ - written += t2pWriteFile(output, (tdata_t) "/", 1); - for (i=0;i 0x7E){ -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - nextchar=1; -@@ -3700,57 +3702,57 @@ - if (nextchar==0){ - switch (name[i]){ - case 0x23: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x25: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x28: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x29: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x2F: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x3C: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x3E: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x5B: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x5D: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x7B: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; - case 0x7D: -- sprintf(buffer, "#%.2X", name[i]); -+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); - buffer[sizeof(buffer) - 1] = '\0'; - written += t2pWriteFile(output, (tdata_t) buffer, 3); - break; -@@ -3865,14 +3867,14 @@ - tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "/Length ", 8); - if(len!=0){ - written += t2p_write_pdf_stream_length(len, output); - } else { -- buflen=sprintf(buffer, "%lu", (unsigned long)number); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - } -@@ -3913,10 +3915,10 @@ - tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - -- buflen=sprintf(buffer, "%lu", (unsigned long)len); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n", 1); - -@@ -3930,7 +3932,7 @@ - tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output) - { - tsize_t written = 0; -- char buffer[16]; -+ char buffer[32]; - int buflen = 0; - - written += t2pWriteFile(output, -@@ -3969,7 +3971,6 @@ - written += t2p_write_pdf_string(t2p->pdf_datetime, output); - } - written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); -- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); - snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); - written += t2p_write_pdf_string(buffer, output); - written += t2pWriteFile(output, (tdata_t) "\n", 1); -@@ -4110,7 +4111,7 @@ - { - tsize_t written=0; - tdir_t i=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - int page=0; -@@ -4118,7 +4119,7 @@ - (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); - page = t2p->pdf_pages+1; - for (i=0;itiff_pagecount;i++){ -- buflen=sprintf(buffer, "%d", page); -+ buflen=snprintf(buffer, sizeof(buffer), "%d", page); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - if ( ((i+1)%8)==0 ) { -@@ -4133,8 +4134,7 @@ - } - } - written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); -+ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); - -@@ -4149,28 +4149,28 @@ - - unsigned int i=0; - tsize_t written=0; -- char buffer[16]; -+ char buffer[256]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); -+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "] \n", 3); - written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); -- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); - written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); -@@ -4178,15 +4178,13 @@ - written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); - for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ - written += t2pWriteFile(output, (tdata_t) "/Im", 3); -- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "_", 1); -- buflen = sprintf(buffer, "%u", i+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4198,12 +4196,10 @@ - } else { - written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); - written += t2pWriteFile(output, (tdata_t) "/Im", 3); -- buflen = sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4212,9 +4208,7 @@ - if(t2p->tiff_transferfunctioncount != 0) { - written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); - t2pWriteFile(output, (tdata_t) "/GS1 ", 5); -- buflen = sprintf( -- buffer, -- "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(object + 3)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4587,7 +4581,7 @@ - if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ - for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ - box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; -- buflen=sprintf(buffer, -+ buflen=snprintf(buffer, sizeof(buffer), - "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", - t2p->tiff_transferfunctioncount?"/GS1 gs ":"", - box.mat[0], -@@ -4602,7 +4596,7 @@ - } - } else { - box=t2p->pdf_imagebox; -- buflen=sprintf(buffer, -+ buflen=snprintf(buffer, sizeof(buffer), - "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", - t2p->tiff_transferfunctioncount?"/GS1 gs ":"", - box.mat[0], -@@ -4627,59 +4621,48 @@ - TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); - written += t2pWriteFile(output, - (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", - 42); -- buflen=sprintf(buffer, "%u", t2p->pdf_page+1); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - if(tile != 0){ - written += t2pWriteFile(output, (tdata_t) "_", 1); -- buflen=sprintf(buffer, "%lu", (unsigned long)tile); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } - written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); - if(tile==0){ -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); - } else { - if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); - } else { -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); - } - } - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); - if(tile==0){ -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); - } else { - if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); - } else { -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); - } - } - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); -- _TIFFmemset((tdata_t)buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); - written += t2p_write_pdf_xobject_cs(t2p, output); -@@ -4723,11 +4706,10 @@ - t2p->pdf_colorspace ^= T2P_CS_PALETTE; - written += t2p_write_pdf_xobject_cs(t2p, output); - t2p->pdf_colorspace |= T2P_CS_PALETTE; -- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " ", 1); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); - return(written); -@@ -4761,10 +4743,10 @@ - X_W /= Y_W; - Z_W /= Y_W; - Y_W = 1.0F; -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Range ", 7); -- buflen=sprintf(buffer, "[%d %d %d %d] \n", -+ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", - t2p->pdf_labrange[0], - t2p->pdf_labrange[1], - t2p->pdf_labrange[2], -@@ -4780,26 +4762,26 @@ - tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); - if(t2p->tiff_transferfunctioncount == 1){ -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - } else { - written += t2pWriteFile(output, (tdata_t) "[ ", 2); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 2)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)(t2p->pdf_xrefcount + 3)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); -@@ -4821,7 +4803,7 @@ - written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); - written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); - written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); -- buflen=sprintf(buffer, "/Size [%u] \n", (1<tiff_bitspersample)); -+ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<tiff_bitspersample)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); - written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output); -@@ -4848,7 +4830,7 @@ - tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[128]; -+ char buffer[256]; - int buflen=0; - - float X_W=0.0; -@@ -4916,16 +4898,16 @@ - written += t2pWriteFile(output, (tdata_t) "<< \n", 4); - if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ - written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); - } - if(t2p->pdf_colorspace & T2P_CS_CALRGB){ - written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); -- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", -+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", - X_R, Y_R, Z_R, - X_G, Y_G, Z_G, - X_B, Y_B, Z_B); -@@ -4944,11 +4926,11 @@ - tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); - -@@ -4958,11 +4940,11 @@ - tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - written += t2pWriteFile(output, (tdata_t) "/N ", 3); -- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); -+ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); - t2p->pdf_colorspace ^= T2P_CS_ICCBASED; -@@ -5027,7 +5009,7 @@ - tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[16]; -+ char buffer[32]; - int buflen=0; - - if(t2p->pdf_compression==T2P_COMPRESS_NONE){ -@@ -5042,41 +5024,33 @@ - written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); - if(tile==0){ - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_width); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf(buffer, "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_length); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } - if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } else { - written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); -- buflen=sprintf( -- buffer, -- "%lu", -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - } -@@ -5103,21 +5077,17 @@ - if(t2p->pdf_compressionquality%100){ - written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); - written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); -- _TIFFmemset(buffer, 0x00, 16); -- buflen = sprintf(buffer, "%lu", -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", - (unsigned long)t2p->tiff_width); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); -- _TIFFmemset(buffer, 0x00, 16); -- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); -+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) ">>\n", 3); - } -@@ -5137,16 +5107,16 @@ - tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ - - tsize_t written=0; -- char buffer[21]; -+ char buffer[64]; - int buflen=0; - uint32 i=0; - - written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); -- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); - written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); - for (i=0;ipdf_xrefcount;i++){ -- sprintf(buffer, "%.10lu 00000 n \n", -+ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", - (unsigned long)t2p->pdf_xrefoffsets[i]); - written += t2pWriteFile(output, (tdata_t) buffer, 20); - } -@@ -5170,17 +5140,14 @@ - snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand()); - - written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); -- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); -+ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); - written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, - sizeof(t2p->pdf_fileid) - 1); -@@ -5188,9 +5155,8 @@ - written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, - sizeof(t2p->pdf_fileid) - 1); - written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); -- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); -+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); - written += t2pWriteFile(output, (tdata_t) buffer, buflen); -- _TIFFmemset(buffer, 0x00, 32); - written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); - - return(written); -Index: tiff-4.0.3/tools/tiff2ps.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2ps.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiff2ps.c 2013-06-23 10:36:51.155629481 -0400 -@@ -1781,8 +1781,8 @@ - imageOp = "imagemask"; - - (void)strcpy(im_x, "0"); -- (void)sprintf(im_y, "%lu", (long) h); -- (void)sprintf(im_h, "%lu", (long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); -+ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); - tile_width = w; - tile_height = h; - if (TIFFIsTiled(tif)) { -@@ -1803,7 +1803,7 @@ - } - if (tile_height < h) { - fputs("/im_y 0 def\n", fd); -- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); - } - } else { - repeat_count = tf_numberstrips; -@@ -1815,7 +1815,7 @@ - fprintf(fd, "/im_h %lu def\n", - (unsigned long) tile_height); - (void)strcpy(im_h, "im_h"); -- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); -+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); - } - } - -Index: tiff-4.0.3/tools/tiffcrop.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiffcrop.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiffcrop.c 2013-06-23 10:36:51.159629481 -0400 -@@ -2077,7 +2077,7 @@ - return 1; - } - -- sprintf (filenum, "-%03d%s", findex, export_ext); -+ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); - filenum[14] = '\0'; - strncat (exportname, filenum, 15); - } -@@ -2230,8 +2230,8 @@ - - /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes - fewer than PATH_MAX */ -- memset (temp_filename, '\0', PATH_MAX + 1); -- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images, -+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", -+ dump.infilename, dump_images, - (dump.format == DUMP_TEXT) ? "txt" : "raw"); - if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) - { -@@ -2249,8 +2249,8 @@ - - /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes - fewer than PATH_MAX */ -- memset (temp_filename, '\0', PATH_MAX + 1); -- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, -+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", -+ dump.outfilename, dump_images, - (dump.format == DUMP_TEXT) ? "txt" : "raw"); - if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) - { -Index: tiff-4.0.3/tools/tiff2bw.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2bw.c 2013-06-23 10:36:51.163629483 -0400 -+++ tiff-4.0.3/tools/tiff2bw.c 2013-06-23 10:36:51.159629481 -0400 -@@ -205,7 +205,7 @@ - } - } - TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); -- sprintf(thing, "B&W version of %s", argv[optind]); -+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); - TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); - TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); - outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); diff --git a/libs/tiff/patches/013-CVE-2013-4231.patch b/libs/tiff/patches/013-CVE-2013-4231.patch deleted file mode 100644 index c26bd856c3..0000000000 --- a/libs/tiff/patches/013-CVE-2013-4231.patch +++ /dev/null @@ -1,17 +0,0 @@ -Description: Buffer overflow in gif2tiff -Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450 -Bug-Debian: http://bugs.debian.org/719303 - -Index: tiff-4.0.3/tools/gif2tiff.c -=================================================================== ---- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-22 11:46:11.960846910 -0400 -+++ tiff-4.0.3/tools/gif2tiff.c 2013-08-22 11:46:11.956846910 -0400 -@@ -333,6 +333,8 @@ - int status = 1; - - datasize = getc(infile); -+ if (datasize > 12) -+ return 0; - clear = 1 << datasize; - eoi = clear + 1; - avail = clear + 2; diff --git a/libs/tiff/patches/014-CVE-2013-4232.patch b/libs/tiff/patches/014-CVE-2013-4232.patch deleted file mode 100644 index 0d80ff3b09..0000000000 --- a/libs/tiff/patches/014-CVE-2013-4232.patch +++ /dev/null @@ -1,18 +0,0 @@ -Description: use after free in tiff2pdf -Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449 -Bug-Debian: http://bugs.debian.org/719303 - -Index: tiff-4.0.3/tools/tiff2pdf.c -=================================================================== ---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400 -+++ tiff-4.0.3/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400 -@@ -2461,7 +2461,8 @@ - (unsigned long) t2p->tiff_datasize, - TIFFFileName(input)); - t2p->t2p_error = T2P_ERR_ERROR; -- _TIFFfree(buffer); -+ _TIFFfree(buffer); -+ return(0); - } else { - buffer=samplebuffer; - t2p->tiff_datasize *= t2p->tiff_samplesperpixel; diff --git a/libs/tiff/patches/015-CVE-2013-4244.patch b/libs/tiff/patches/015-CVE-2013-4244.patch deleted file mode 100644 index 0a77a0c4d2..0000000000 --- a/libs/tiff/patches/015-CVE-2013-4244.patch +++ /dev/null @@ -1,18 +0,0 @@ -Description: OOB write in gif2tiff -Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468 - -Index: tiff-4.0.3/tools/gif2tiff.c -=================================================================== ---- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400 -+++ tiff-4.0.3/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400 -@@ -400,6 +400,10 @@ - } - - if (oldcode == -1) { -+ if (code >= clear) { -+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); -+ return 0; -+ } - *(*fill)++ = suffix[code]; - firstchar = oldcode = code; - return 1; diff --git a/libs/tiff/patches/016-CVE-2013-4243.patch b/libs/tiff/patches/016-CVE-2013-4243.patch deleted file mode 100644 index 75fae2c3c6..0000000000 --- a/libs/tiff/patches/016-CVE-2013-4243.patch +++ /dev/null @@ -1,37 +0,0 @@ -Index: tiff/tools/gif2tiff.c -=================================================================== ---- tiff.orig/tools/gif2tiff.c -+++ tiff/tools/gif2tiff.c -@@ -280,6 +280,10 @@ readgifimage(char* mode) - fprintf(stderr, "no colormap present for image\n"); - return (0); - } -+ if (width == 0 || height == 0) { -+ fprintf(stderr, "Invalid value of width or height\n"); -+ return(0); -+ } - if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { - fprintf(stderr, "not enough memory for image\n"); - return (0); -@@ -404,6 +408,10 @@ process(register int code, unsigned char - fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); - return 0; - } -+ if (*fill >= raster + width*height) { -+ fprintf(stderr, "raster full before eoi code\n"); -+ return 0; -+ } - *(*fill)++ = suffix[code]; - firstchar = oldcode = code; - return 1; -@@ -434,6 +442,10 @@ process(register int code, unsigned char - } - oldcode = incode; - do { -+ if (*fill >= raster + width*height) { -+ fprintf(stderr, "raster full before eoi code\n"); -+ return 0; -+ } - *(*fill)++ = *--stackp; - } while (stackp > stack); - return 1; diff --git a/libs/tiff/patches/017-CVE-2014-9330.patch b/libs/tiff/patches/017-CVE-2014-9330.patch deleted file mode 100644 index acd0a331d0..0000000000 --- a/libs/tiff/patches/017-CVE-2014-9330.patch +++ /dev/null @@ -1,45 +0,0 @@ -Description: CVE-2014-9330 - Integer overflow in bmp2tiff -Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494 -Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494 -Bug-Debian: http://bugs.debian.org/773987 - -Index: tiff/tools/bmp2tiff.c -=================================================================== ---- tiff.orig/tools/bmp2tiff.c -+++ tiff/tools/bmp2tiff.c -@@ -1,4 +1,4 @@ --/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $ -+/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $ - * - * Project: libtiff tools - * Purpose: Convert Windows BMP files in TIFF. -@@ -403,6 +403,13 @@ main(int argc, char* argv[]) - - width = info_hdr.iWidth; - length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; -+ if( width <= 0 || length <= 0 ) -+ { -+ TIFFError(infilename, -+ "Invalid dimensions of BMP file" ); -+ close(fd); -+ return -1; -+ } - - switch (info_hdr.iBitCount) - { -@@ -593,6 +600,14 @@ main(int argc, char* argv[]) - - compr_size = file_hdr.iSize - file_hdr.iOffBits; - uncompr_size = width * length; -+ /* Detect int overflow */ -+ if( uncompr_size / width != length ) -+ { -+ TIFFError(infilename, -+ "Invalid dimensions of BMP file" ); -+ close(fd); -+ return -1; -+ } - comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); - if (!comprbuf) { - TIFFError(infilename, diff --git a/libs/tiff/patches/019-CVE-2017-18013.patch b/libs/tiff/patches/019-CVE-2017-18013.patch new file mode 100644 index 0000000000..daaf41353c --- /dev/null +++ b/libs/tiff/patches/019-CVE-2017-18013.patch @@ -0,0 +1,34 @@ +From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 9959d35..8deceb2 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +libgit2 0.26.0 + diff --git a/libs/tiff/patches/020-CVE-2017-9935.patch b/libs/tiff/patches/020-CVE-2017-9935.patch new file mode 100644 index 0000000000..d1082c09e4 --- /dev/null +++ b/libs/tiff/patches/020-CVE-2017-9935.patch @@ -0,0 +1,117 @@ +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 2ccaf44..cbf2b69 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index d1a9b09..484776c 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -237,7 +237,7 @@ typedef struct { + float tiff_whitechromaticities[2]; + float tiff_primarychromaticities[6]; + float tiff_referenceblackwhite[2]; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + int pdf_image_interpolate; /* 0 (default) : do not interpolate, + 1 : interpolate */ + uint16 tiff_transferfunctioncount; +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (uint16*) NULL) && ++ (tiff_transferfunction[2] != (uint16*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && ++ (t2p->tiff_transferfunction[2] != (uint16*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1;