* [PATCH]: libtiff update
@ 2015-09-04 19:49 Andreas Enge
2015-09-04 20:23 ` Mark H Weaver
0 siblings, 1 reply; 3+ messages in thread
From: Andreas Enge @ 2015-09-04 19:49 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 569 bytes --]
The first attached patch updates libtiff to 4.0.5. I think that all security
fixes have been integrated there, since debian dropped all patches.
The second patch builds with libjpeg-9 instead of libjpeg-8.
Comments are welcome.
I would like to create a separate branch for hydra and apply the two patches
one after one, unless you think this poses too much strain on the build farm.
I think the second patch might be problematic, as conflicts could occur in
dependent packages that still use libjpeg-8, so it would be nice to assess
its impact separately.
Andreas
[-- Attachment #2: 0001-gnu-libtiff-Update-to-4.0.5.patch --]
[-- Type: text/plain, Size: 84978 bytes --]
From 48ce123a6857ae518d06d34deefc9b95c7aafb80 Mon Sep 17 00:00:00 2001
From: Andreas Enge <andreas@enge.fr>
Date: Fri, 4 Sep 2015 21:39:59 +0200
Subject: [PATCH 1/2] gnu: libtiff: Update to 4.0.5.
* gnu/packages/patches/libtiff-CVE-2012-4564.patch,
gnu/packages/patches/libtiff-CVE-2013-1960.patch,
gnu/packages/patches/libtiff-CVE-2013-1961.patch,
gnu/packages/patches/libtiff-CVE-2013-4231.patch,
gnu/packages/patches/libtiff-CVE-2013-4232.patch,
gnu/packages/patches/libtiff-CVE-2013-4243.patch,
gnu/packages/patches/libtiff-CVE-2013-4244.patch,
gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch,
gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch,
gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch,
gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch,
gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch,
gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch,
gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch,
gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch,
gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch,
gnu/packages/patches/libtiff-CVE-2014-8129.patch,
gnu/packages/patches/libtiff-CVE-2014-9330.patch,
gnu/packages/patches/libtiff-CVE-2014-9655.patch: Delete files.
* gnu-system.am (dist_patch_DATA): Unregister the patches.
* gnu/packages/image.scm (libtiff): Update to 4.0.5 and drop the patches.
---
gnu-system.am | 19 -
gnu/packages/image.scm | 23 +-
gnu/packages/patches/libtiff-CVE-2012-4564.patch | 33 -
gnu/packages/patches/libtiff-CVE-2013-1960.patch | 148 ----
gnu/packages/patches/libtiff-CVE-2013-1961.patch | 770 ---------------------
gnu/packages/patches/libtiff-CVE-2013-4231.patch | 19 -
gnu/packages/patches/libtiff-CVE-2013-4232.patch | 20 -
gnu/packages/patches/libtiff-CVE-2013-4243.patch | 39 --
gnu/packages/patches/libtiff-CVE-2013-4244.patch | 20 -
.../patches/libtiff-CVE-2014-8127-pt1.patch | 30 -
.../patches/libtiff-CVE-2014-8127-pt2.patch | 42 --
.../patches/libtiff-CVE-2014-8127-pt3.patch | 45 --
.../patches/libtiff-CVE-2014-8127-pt4.patch | 295 --------
.../patches/libtiff-CVE-2014-8128-pt1.patch | 32 -
.../patches/libtiff-CVE-2014-8128-pt2.patch | 83 ---
.../patches/libtiff-CVE-2014-8128-pt3.patch | 34 -
.../patches/libtiff-CVE-2014-8128-pt4.patch | 77 ---
.../patches/libtiff-CVE-2014-8128-pt5.patch | 16 -
gnu/packages/patches/libtiff-CVE-2014-8129.patch | 45 --
gnu/packages/patches/libtiff-CVE-2014-9330.patch | 47 --
gnu/packages/patches/libtiff-CVE-2014-9655.patch | 88 ---
21 files changed, 2 insertions(+), 1923 deletions(-)
delete mode 100644 gnu/packages/patches/libtiff-CVE-2012-4564.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2013-1960.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2013-1961.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2013-4231.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2013-4232.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2013-4243.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2013-4244.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-8129.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-9330.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2014-9655.patch
diff --git a/gnu-system.am b/gnu-system.am
index 4acbb51..67d9892 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -529,25 +529,6 @@ dist_patch_DATA = \
gnu/packages/patches/libmad-frame-length.patch \
gnu/packages/patches/libmad-mips-newgcc.patch \
gnu/packages/patches/libtheora-config-guess.patch \
- gnu/packages/patches/libtiff-CVE-2012-4564.patch \
- gnu/packages/patches/libtiff-CVE-2013-1960.patch \
- gnu/packages/patches/libtiff-CVE-2013-1961.patch \
- gnu/packages/patches/libtiff-CVE-2013-4231.patch \
- gnu/packages/patches/libtiff-CVE-2013-4232.patch \
- gnu/packages/patches/libtiff-CVE-2013-4243.patch \
- gnu/packages/patches/libtiff-CVE-2013-4244.patch \
- gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch \
- gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch \
- gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch \
- gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch \
- gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch \
- gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch \
- gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch \
- gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch \
- gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch \
- gnu/packages/patches/libtiff-CVE-2014-8129.patch \
- gnu/packages/patches/libtiff-CVE-2014-9330.patch \
- gnu/packages/patches/libtiff-CVE-2014-9655.patch \
gnu/packages/patches/libtool-skip-tests2.patch \
gnu/packages/patches/libssh-CVE-2014-0017.patch \
gnu/packages/patches/libwmf-CVE-2006-3376.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 2e27495..63a923e 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -107,32 +107,13 @@ image files in PBMPLUS PPM/PGM, GIF, BMP, and Targa file formats.")
(define-public libtiff
(package
(name "libtiff")
- (version "4.0.3")
+ (version "4.0.5")
(source (origin
(method url-fetch)
(uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
version ".tar.gz"))
(sha256 (base32
- "0wj8d1iwk9vnpax2h29xqc2hwknxg3s0ay2d5pxkg59ihbifn6pa"))
- (patches (map search-patch '("libtiff-CVE-2012-4564.patch"
- "libtiff-CVE-2013-1960.patch"
- "libtiff-CVE-2013-1961.patch"
- "libtiff-CVE-2013-4231.patch"
- "libtiff-CVE-2013-4232.patch"
- "libtiff-CVE-2013-4244.patch"
- "libtiff-CVE-2013-4243.patch"
- "libtiff-CVE-2014-9330.patch"
- "libtiff-CVE-2014-8127-pt1.patch"
- "libtiff-CVE-2014-8127-pt2.patch"
- "libtiff-CVE-2014-8127-pt3.patch"
- "libtiff-CVE-2014-8127-pt4.patch"
- "libtiff-CVE-2014-8128-pt1.patch"
- "libtiff-CVE-2014-8128-pt2.patch"
- "libtiff-CVE-2014-8128-pt3.patch"
- "libtiff-CVE-2014-8129.patch"
- "libtiff-CVE-2014-9655.patch"
- "libtiff-CVE-2014-8128-pt4.patch"
- "libtiff-CVE-2014-8128-pt5.patch")))))
+ "171hgy4mylwmvdm7gp6ffjva81m4j56v3fbqsbfl7avzxn1slpp2"))))
(build-system gnu-build-system)
(inputs `(("zlib" ,zlib)
("libjpeg-8" ,libjpeg-8)))
diff --git a/gnu/packages/patches/libtiff-CVE-2012-4564.patch b/gnu/packages/patches/libtiff-CVE-2012-4564.patch
deleted file mode 100644
index 472f9ca..0000000
--- a/gnu/packages/patches/libtiff-CVE-2012-4564.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Copied from Debian
-
-Index: tiff-4.0.3/tools/ppm2tiff.c
-===================================================================
---- tiff-4.0.3.orig/tools/ppm2tiff.c 2013-06-23 10:36:50.779629492 -0400
-+++ tiff-4.0.3/tools/ppm2tiff.c 2013-06-23 10:36:50.775629494 -0400
-@@ -89,6 +89,7 @@
- int c;
- extern int optind;
- extern char* optarg;
-+ tmsize_t scanline_size;
-
- if (argc < 2) {
- fprintf(stderr, "%s: Too few arguments\n", argv[0]);
-@@ -237,8 +238,16 @@
- }
- if (TIFFScanlineSize(out) > linebytes)
- buf = (unsigned char *)_TIFFmalloc(linebytes);
-- else
-- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+ else {
-+ scanline_size = TIFFScanlineSize(out);
-+ if (scanline_size != 0)
-+ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+ else {
-+ fprintf(stderr, "%s: scanline size overflow\n",infile);
-+ (void) TIFFClose(out);
-+ exit(-2);
-+ }
-+ }
- if (resolution > 0) {
- TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
- TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/gnu/packages/patches/libtiff-CVE-2013-1960.patch b/gnu/packages/patches/libtiff-CVE-2013-1960.patch
deleted file mode 100644
index 341063f..0000000
--- a/gnu/packages/patches/libtiff-CVE-2013-1960.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-Copied from Debian
-
-Index: tiff-4.0.3/tools/tiff2pdf.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:50.979629486 -0400
-+++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:50.975629486 -0400
-@@ -3341,33 +3341,56 @@
- uint32 height){
-
- tsize_t i=0;
-- uint16 ri =0;
-- uint16 v_samp=1;
-- uint16 h_samp=1;
-- int j=0;
--
-- i++;
--
-- while(i<(*striplength)){
-+
-+ while (i < *striplength) {
-+ tsize_t datalen;
-+ uint16 ri;
-+ uint16 v_samp;
-+ uint16 h_samp;
-+ int j;
-+ int ncomp;
-+
-+ /* marker header: one or more FFs */
-+ if (strip[i] != 0xff)
-+ return(0);
-+ i++;
-+ while (i < *striplength && strip[i] == 0xff)
-+ i++;
-+ if (i >= *striplength)
-+ return(0);
-+ /* SOI is the only pre-SOS marker without a length word */
-+ if (strip[i] == 0xd8)
-+ datalen = 0;
-+ else {
-+ if ((*striplength - i) <= 2)
-+ return(0);
-+ datalen = (strip[i+1] << 8) | strip[i+2];
-+ if (datalen < 2 || datalen >= (*striplength - i))
-+ return(0);
-+ }
- switch( strip[i] ){
-- case 0xd8:
-- /* SOI - start of image */
-+ case 0xd8: /* SOI - start of image */
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
- *bufferoffset+=2;
-- i+=2;
- break;
-- case 0xc0:
-- case 0xc1:
-- case 0xc3:
-- case 0xc9:
-- case 0xca:
-+ case 0xc0: /* SOF0 */
-+ case 0xc1: /* SOF1 */
-+ case 0xc3: /* SOF3 */
-+ case 0xc9: /* SOF9 */
-+ case 0xca: /* SOF10 */
- if(no==0){
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- for(j=0;j<buffer[*bufferoffset+9];j++){
-- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
-- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
-- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
-- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ ncomp = buffer[*bufferoffset+9];
-+ if (ncomp < 1 || ncomp > 4)
-+ return(0);
-+ v_samp=1;
-+ h_samp=1;
-+ for(j=0;j<ncomp;j++){
-+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
-+ if( (samp>>4) > h_samp)
-+ h_samp = (samp>>4);
-+ if( (samp & 0x0f) > v_samp)
-+ v_samp = (samp & 0x0f);
- }
- v_samp*=8;
- h_samp*=8;
-@@ -3381,45 +3404,43 @@
- (unsigned char) ((height>>8) & 0xff);
- buffer[*bufferoffset+6]=
- (unsigned char) (height & 0xff);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
--
-+ *bufferoffset+=datalen+2;
-+ /* insert a DRI marker */
- buffer[(*bufferoffset)++]=0xff;
- buffer[(*bufferoffset)++]=0xdd;
- buffer[(*bufferoffset)++]=0x00;
- buffer[(*bufferoffset)++]=0x04;
- buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
- buffer[(*bufferoffset)++]= ri & 0xff;
-- } else {
-- i+=strip[i+2]+2;
- }
- break;
-- case 0xc4:
-- case 0xdb:
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
-+ case 0xc4: /* DHT */
-+ case 0xdb: /* DQT */
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ *bufferoffset+=datalen+2;
- break;
-- case 0xda:
-+ case 0xda: /* SOS */
- if(no==0){
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ *bufferoffset+=datalen+2;
- } else {
- buffer[(*bufferoffset)++]=0xff;
- buffer[(*bufferoffset)++]=
- (unsigned char)(0xd0 | ((no-1)%8));
-- i+=strip[i+2]+2;
- }
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
-- *bufferoffset+=(*striplength)-i-1;
-+ i += datalen + 1;
-+ /* copy remainder of strip */
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
-+ *bufferoffset+= *striplength - i;
- return(1);
- default:
-- i+=strip[i+2]+2;
-+ /* ignore any other marker */
-+ break;
- }
-+ i += datalen + 1;
- }
--
-
-+ /* failed to find SOS marker */
- return(0);
- }
- #endif
diff --git a/gnu/packages/patches/libtiff-CVE-2013-1961.patch b/gnu/packages/patches/libtiff-CVE-2013-1961.patch
deleted file mode 100644
index 9c2481c..0000000
--- a/gnu/packages/patches/libtiff-CVE-2013-1961.patch
+++ /dev/null
@@ -1,770 +0,0 @@
-Copied from Debian
-
-Index: tiff-4.0.3/contrib/dbs/xtiff/xtiff.c
-===================================================================
---- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-06-23 10:36:51.147629484 -0400
-@@ -512,9 +512,9 @@
- Arg args[1];
-
- if (tfMultiPage)
-- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
-+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
- else
-- strcpy(buffer, fileName);
-+ snprintf(buffer, sizeof(buffer), "%s", fileName);
- XtSetArg(args[0], XtNlabel, buffer);
- XtSetValues(labelWidget, args, 1);
- }
-Index: tiff-4.0.3/libtiff/tif_dirinfo.c
-===================================================================
---- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-06-23 10:36:51.147629484 -0400
-@@ -711,7 +711,7 @@
- * note that this name is a special sign to TIFFClose() and
- * _TIFFSetupFields() to free the field
- */
-- sprintf(fld->field_name, "Tag %d", (int) tag);
-+ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
-
- return fld;
- }
-Index: tiff-4.0.3/libtiff/tif_codec.c
-===================================================================
---- tiff-4.0.3.orig/libtiff/tif_codec.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/libtiff/tif_codec.c 2013-06-23 10:36:51.151629482 -0400
-@@ -108,7 +108,8 @@
- const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
- char compression_code[20];
-
-- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
-+ snprintf(compression_code, sizeof(compression_code), "%d",
-+ tif->tif_dir.td_compression );
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "%s compression support is not configured",
- c ? c->name : compression_code );
-Index: tiff-4.0.3/tools/tiffdither.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiffdither.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiffdither.c 2013-06-23 10:36:51.151629482 -0400
-@@ -260,7 +260,7 @@
- TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
- else
- CopyField(TIFFTAG_FILLORDER, shortv);
-- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
-+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- CopyField(TIFFTAG_PHOTOMETRIC, shortv);
- CopyField(TIFFTAG_ORIENTATION, shortv);
-Index: tiff-4.0.3/tools/rgb2ycbcr.c
-===================================================================
---- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-06-23 10:36:51.151629482 -0400
-@@ -332,7 +332,8 @@
- TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
- { char buf[2048];
- char *cp = strrchr(TIFFFileName(in), '/');
-- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
-+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
-+ cp ? cp+1 : TIFFFileName(in));
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
- }
- TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
-Index: tiff-4.0.3/tools/tiff2pdf.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:51.151629482 -0400
-@@ -3630,7 +3630,9 @@
- char buffer[16];
- int buflen=0;
-
-- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff);
-+ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
-+ t2p->pdf_majorversion&0xff,
-+ t2p->pdf_minorversion&0xff);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
-
-@@ -3644,10 +3646,10 @@
- tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
-- buflen=sprintf(buffer, "%lu", (unsigned long)number);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen );
- written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
-
-@@ -3686,13 +3688,13 @@
- written += t2pWriteFile(output, (tdata_t) "/", 1);
- for (i=0;i<namelen;i++){
- if ( ((unsigned char)name[i]) < 0x21){
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- nextchar=1;
- }
- if ( ((unsigned char)name[i]) > 0x7E){
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- nextchar=1;
-@@ -3700,57 +3702,57 @@
- if (nextchar==0){
- switch (name[i]){
- case 0x23:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x25:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x28:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x29:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x2F:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x3C:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x3E:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x5B:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x5D:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x7B:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x7D:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
-@@ -3865,14 +3867,14 @@
- tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "/Length ", 8);
- if(len!=0){
- written += t2p_write_pdf_stream_length(len, output);
- } else {
-- buflen=sprintf(buffer, "%lu", (unsigned long)number);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- }
-@@ -3913,10 +3915,10 @@
- tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
-- buflen=sprintf(buffer, "%lu", (unsigned long)len);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "\n", 1);
-
-@@ -3930,7 +3932,7 @@
- tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output)
- {
- tsize_t written = 0;
-- char buffer[16];
-+ char buffer[32];
- int buflen = 0;
-
- written += t2pWriteFile(output,
-@@ -3969,7 +3971,6 @@
- written += t2p_write_pdf_string(t2p->pdf_datetime, output);
- }
- written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11);
-- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer));
- snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION);
- written += t2p_write_pdf_string(buffer, output);
- written += t2pWriteFile(output, (tdata_t) "\n", 1);
-@@ -4110,7 +4111,7 @@
- {
- tsize_t written=0;
- tdir_t i=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- int page=0;
-@@ -4118,7 +4119,7 @@
- (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26);
- page = t2p->pdf_pages+1;
- for (i=0;i<t2p->tiff_pagecount;i++){
-- buflen=sprintf(buffer, "%d", page);
-+ buflen=snprintf(buffer, sizeof(buffer), "%d", page);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- if ( ((i+1)%8)==0 ) {
-@@ -4133,8 +4134,7 @@
- }
- }
- written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount);
-+ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
-
-@@ -4149,28 +4149,28 @@
-
- unsigned int i=0;
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[256];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11);
-- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1);
-+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1);
-+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2);
-+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);
-+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "] \n", 3);
- written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
-- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1));
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
-@@ -4178,15 +4178,13 @@
- written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
- for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
- written += t2pWriteFile(output, (tdata_t) "/Im", 3);
-- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
-+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "_", 1);
-- buflen = sprintf(buffer, "%u", i+1);
-+ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen = sprintf(
-- buffer,
-- "%lu",
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4198,12 +4196,10 @@
- } else {
- written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
- written += t2pWriteFile(output, (tdata_t) "/Im", 3);
-- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
-+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen = sprintf(
-- buffer,
-- "%lu",
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4212,9 +4208,7 @@
- if(t2p->tiff_transferfunctioncount != 0) {
- written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13);
- t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
-- buflen = sprintf(
-- buffer,
-- "%lu",
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(object + 3));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4587,7 +4581,7 @@
- if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){
- for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){
- box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box;
-- buflen=sprintf(buffer,
-+ buflen=snprintf(buffer, sizeof(buffer),
- "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n",
- t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
- box.mat[0],
-@@ -4602,7 +4596,7 @@
- }
- } else {
- box=t2p->pdf_imagebox;
-- buflen=sprintf(buffer,
-+ buflen=snprintf(buffer, sizeof(buffer),
- "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n",
- t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
- box.mat[0],
-@@ -4627,59 +4621,48 @@
- TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output);
- written += t2pWriteFile(output,
- (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im",
- 42);
-- buflen=sprintf(buffer, "%u", t2p->pdf_page+1);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- if(tile != 0){
- written += t2pWriteFile(output, (tdata_t) "_", 1);
-- buflen=sprintf(buffer, "%lu", (unsigned long)tile);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- }
- written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
-- _TIFFmemset((tdata_t)buffer, 0x00, 16);
- if(tile==0){
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width);
- } else {
- if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
- } else {
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
- }
- }
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
-- _TIFFmemset((tdata_t)buffer, 0x00, 16);
- if(tile==0){
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length);
- } else {
- if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
- } else {
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
- }
- }
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
-- _TIFFmemset((tdata_t)buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
- written += t2p_write_pdf_xobject_cs(t2p, output);
-@@ -4723,11 +4706,10 @@
- t2p->pdf_colorspace ^= T2P_CS_PALETTE;
- written += t2p_write_pdf_xobject_cs(t2p, output);
- t2p->pdf_colorspace |= T2P_CS_PALETTE;
-- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs );
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs );
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
- return(written);
-@@ -4761,10 +4743,10 @@
- X_W /= Y_W;
- Z_W /= Y_W;
- Y_W = 1.0F;
-- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
-- buflen=sprintf(buffer, "[%d %d %d %d] \n",
-+ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n",
- t2p->pdf_labrange[0],
- t2p->pdf_labrange[1],
- t2p->pdf_labrange[2],
-@@ -4780,26 +4762,26 @@
- tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25);
- if(t2p->tiff_transferfunctioncount == 1){
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(t2p->pdf_xrefcount + 1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- } else {
- written += t2pWriteFile(output, (tdata_t) "[ ", 2);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(t2p->pdf_xrefcount + 1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(t2p->pdf_xrefcount + 2));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(t2p->pdf_xrefcount + 3));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4821,7 +4803,7 @@
- written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17);
- written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
- written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
-- buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
-+ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
- written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
-@@ -4848,7 +4830,7 @@
- tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[128];
-+ char buffer[256];
- int buflen=0;
-
- float X_W=0.0;
-@@ -4916,16 +4898,16 @@
- written += t2pWriteFile(output, (tdata_t) "<< \n", 4);
- if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
- written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
-- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
- }
- if(t2p->pdf_colorspace & T2P_CS_CALRGB){
- written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
-- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
-- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
-+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
- X_R, Y_R, Z_R,
- X_G, Y_G, Z_G,
- X_B, Y_B, Z_B);
-@@ -4944,11 +4926,11 @@
- tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
-
-@@ -4958,11 +4940,11 @@
- tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "/N ", 3);
-- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
- t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
-@@ -5027,7 +5009,7 @@
- tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- if(t2p->pdf_compression==T2P_COMPRESS_NONE){
-@@ -5042,41 +5024,33 @@
- written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9);
- if(tile==0){
- written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_width);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_length);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- } else {
- if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
- written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- } else {
- written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- }
- if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
- written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- } else {
- written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- }
-@@ -5103,21 +5077,17 @@
- if(t2p->pdf_compressionquality%100){
- written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
- written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen = sprintf(buffer, "%lu",
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_width);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
- }
-@@ -5137,16 +5107,16 @@
- tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[21];
-+ char buffer[64];
- int buflen=0;
- uint32 i=0;
-
- written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
-- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
- for (i=0;i<t2p->pdf_xrefcount;i++){
-- sprintf(buffer, "%.10lu 00000 n \n",
-+ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n",
- (unsigned long)t2p->pdf_xrefoffsets[i]);
- written += t2pWriteFile(output, (tdata_t) buffer, 20);
- }
-@@ -5170,17 +5140,14 @@
- snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand());
-
- written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
-- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
-- _TIFFmemset(buffer, 0x00, 32);
- written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
-- _TIFFmemset(buffer, 0x00, 32);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
-- _TIFFmemset(buffer, 0x00, 32);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
- written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
- sizeof(t2p->pdf_fileid) - 1);
-@@ -5188,9 +5155,8 @@
- written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
- sizeof(t2p->pdf_fileid) - 1);
- written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
-- _TIFFmemset(buffer, 0x00, 32);
- written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
-
- return(written);
-Index: tiff-4.0.3/tools/tiff2ps.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2ps.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiff2ps.c 2013-06-23 10:36:51.155629481 -0400
-@@ -1781,8 +1781,8 @@
- imageOp = "imagemask";
-
- (void)strcpy(im_x, "0");
-- (void)sprintf(im_y, "%lu", (long) h);
-- (void)sprintf(im_h, "%lu", (long) h);
-+ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
-+ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
- tile_width = w;
- tile_height = h;
- if (TIFFIsTiled(tif)) {
-@@ -1803,7 +1803,7 @@
- }
- if (tile_height < h) {
- fputs("/im_y 0 def\n", fd);
-- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
-+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
- }
- } else {
- repeat_count = tf_numberstrips;
-@@ -1815,7 +1815,7 @@
- fprintf(fd, "/im_h %lu def\n",
- (unsigned long) tile_height);
- (void)strcpy(im_h, "im_h");
-- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
-+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
- }
- }
-
-Index: tiff-4.0.3/tools/tiffcrop.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiffcrop.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiffcrop.c 2013-06-23 10:36:51.159629481 -0400
-@@ -2077,7 +2077,7 @@
- return 1;
- }
-
-- sprintf (filenum, "-%03d%s", findex, export_ext);
-+ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
- filenum[14] = '\0';
- strncat (exportname, filenum, 15);
- }
-@@ -2230,8 +2230,8 @@
-
- /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes
- fewer than PATH_MAX */
-- memset (temp_filename, '\0', PATH_MAX + 1);
-- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
-+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
-+ dump.infilename, dump_images,
- (dump.format == DUMP_TEXT) ? "txt" : "raw");
- if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
- {
-@@ -2249,8 +2249,8 @@
-
- /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes
- fewer than PATH_MAX */
-- memset (temp_filename, '\0', PATH_MAX + 1);
-- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
-+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
-+ dump.outfilename, dump_images,
- (dump.format == DUMP_TEXT) ? "txt" : "raw");
- if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
- {
-Index: tiff-4.0.3/tools/tiff2bw.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2bw.c 2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiff2bw.c 2013-06-23 10:36:51.159629481 -0400
-@@ -205,7 +205,7 @@
- }
- }
- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
-- sprintf(thing, "B&W version of %s", argv[optind]);
-+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
- outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
diff --git a/gnu/packages/patches/libtiff-CVE-2013-4231.patch b/gnu/packages/patches/libtiff-CVE-2013-4231.patch
deleted file mode 100644
index c71f7da..0000000
--- a/gnu/packages/patches/libtiff-CVE-2013-4231.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Copied from Debian
-
-Description: Buffer overflow in gif2tiff
-Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450
-Bug-Debian: http://bugs.debian.org/719303
-
-Index: tiff-4.0.3/tools/gif2tiff.c
-===================================================================
---- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-22 11:46:11.960846910 -0400
-+++ tiff-4.0.3/tools/gif2tiff.c 2013-08-22 11:46:11.956846910 -0400
-@@ -333,6 +333,8 @@
- int status = 1;
-
- datasize = getc(infile);
-+ if (datasize > 12)
-+ return 0;
- clear = 1 << datasize;
- eoi = clear + 1;
- avail = clear + 2;
diff --git a/gnu/packages/patches/libtiff-CVE-2013-4232.patch b/gnu/packages/patches/libtiff-CVE-2013-4232.patch
deleted file mode 100644
index 3a92f61..0000000
--- a/gnu/packages/patches/libtiff-CVE-2013-4232.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Copied from Debian
-
-Description: use after free in tiff2pdf
-Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449
-Bug-Debian: http://bugs.debian.org/719303
-
-Index: tiff-4.0.3/tools/tiff2pdf.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400
-+++ tiff-4.0.3/tools/tiff2pdf.c 2013-08-22 11:46:37.292847242 -0400
-@@ -2461,7 +2461,8 @@
- (unsigned long) t2p->tiff_datasize,
- TIFFFileName(input));
- t2p->t2p_error = T2P_ERR_ERROR;
-- _TIFFfree(buffer);
-+ _TIFFfree(buffer);
-+ return(0);
- } else {
- buffer=samplebuffer;
- t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
diff --git a/gnu/packages/patches/libtiff-CVE-2013-4243.patch b/gnu/packages/patches/libtiff-CVE-2013-4243.patch
deleted file mode 100644
index a10884c..0000000
--- a/gnu/packages/patches/libtiff-CVE-2013-4243.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Copied from Debian
-
-Index: tiff/tools/gif2tiff.c
-===================================================================
---- tiff.orig/tools/gif2tiff.c
-+++ tiff/tools/gif2tiff.c
-@@ -280,6 +280,10 @@ readgifimage(char* mode)
- fprintf(stderr, "no colormap present for image\n");
- return (0);
- }
-+ if (width == 0 || height == 0) {
-+ fprintf(stderr, "Invalid value of width or height\n");
-+ return(0);
-+ }
- if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
- fprintf(stderr, "not enough memory for image\n");
- return (0);
-@@ -404,6 +408,10 @@ process(register int code, unsigned char
- fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
- return 0;
- }
-+ if (*fill >= raster + width*height) {
-+ fprintf(stderr, "raster full before eoi code\n");
-+ return 0;
-+ }
- *(*fill)++ = suffix[code];
- firstchar = oldcode = code;
- return 1;
-@@ -434,6 +442,10 @@ process(register int code, unsigned char
- }
- oldcode = incode;
- do {
-+ if (*fill >= raster + width*height) {
-+ fprintf(stderr, "raster full before eoi code\n");
-+ return 0;
-+ }
- *(*fill)++ = *--stackp;
- } while (stackp > stack);
- return 1;
diff --git a/gnu/packages/patches/libtiff-CVE-2013-4244.patch b/gnu/packages/patches/libtiff-CVE-2013-4244.patch
deleted file mode 100644
index be9c65c..0000000
--- a/gnu/packages/patches/libtiff-CVE-2013-4244.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Copied from Debian
-
-Description: OOB write in gif2tiff
-Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468
-
-Index: tiff-4.0.3/tools/gif2tiff.c
-===================================================================
---- tiff-4.0.3.orig/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400
-+++ tiff-4.0.3/tools/gif2tiff.c 2013-08-24 11:17:13.546447901 -0400
-@@ -400,6 +400,10 @@
- }
-
- if (oldcode == -1) {
-+ if (code >= clear) {
-+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
-+ return 0;
-+ }
- *(*fill)++ = suffix[code];
- firstchar = oldcode = code;
- return 1;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch
deleted file mode 100644
index 7f70edb..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Copied from Debian
-
-From 0782c759084daaf9e4de7ee6be7543081823455e Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 20:58:29 +0000
-Subject: [PATCH] * tools/tiff2bw.c: when Photometric=RGB, the utility only
- works if SamplesPerPixel = 3. Enforce that
- http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
-
----
- ChangeLog | 6 ++++++
- tools/tiff2bw.c | 5 +++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
-index 22467cd..94b8e31 100644
---- a/tools/tiff2bw.c
-+++ b/tools/tiff2bw.c
-@@ -171,6 +171,11 @@ main(int argc, char* argv[])
- argv[optind], samplesperpixel);
- return (-1);
- }
-+ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
-+ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
-+ argv[optind], samplesperpixel);
-+ return (-1);
-+ }
- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
- if (bitspersample != 8) {
- fprintf(stderr,
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch
deleted file mode 100644
index a177ebf..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Copied from Debian
-
-From 3996fa0f84f4a8b7e65fe4b8f0681711022034ea Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 20:04:31 +0000
-Subject: [PATCH] * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling
- TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not
- worth the burden for those esoteric utilities.
- http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
-
----
- ChangeLog | 7 +++++++
- tools/pal2rgb.c | 2 +-
- tools/thumbnail.c | 2 +-
- 3 files changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
-index bfe7899..3fc3de3 100644
---- a/tools/pal2rgb.c
-+++ b/tools/pal2rgb.c
-@@ -372,7 +372,7 @@ static struct cpTag {
- { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
- { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
- { TIFFTAG_INKSET, 1, TIFF_SHORT },
-- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
-+ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
- { TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
- { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
- { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index c50bbff..73f9c34 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -257,7 +257,7 @@ static struct cpTag {
- { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
- { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
- { TIFFTAG_INKSET, 1, TIFF_SHORT },
-- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
-+ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
- { TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
- { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
- { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch
deleted file mode 100644
index b8a3703..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Copied from Debian
-
-From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Tue, 23 Dec 2014 10:15:35 +0000
-Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a
- uint64 value with <= 0 by casting it to int64 first. This solves crashing bug
- on corrupted images generated by afl.
-
----
- ChangeLog | 6 ++++++
- libtiff/tif_read.c | 6 +++---
- 2 files changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
-index 2ba822a..dfc5b07 100644
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- return ((tmsize_t)(-1));
- }
- bytecount = td->td_stripbytecount[strip];
-- if (bytecount <= 0) {
-+ if ((int64)bytecount <= 0) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "%I64u: Invalid strip byte count, strip %lu",
-@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- {
- uint64 bytecount = td->td_stripbytecount[strip];
-- if (bytecount <= 0) {
-+ if ((int64)bytecount <= 0) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "Invalid strip byte count %I64u, strip %lu",
-@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- {
- uint64 bytecount = td->td_stripbytecount[tile];
-- if (bytecount <= 0) {
-+ if ((int64)bytecount <= 0) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "%I64u: Invalid tile byte count, tile %lu",
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
deleted file mode 100644
index 62d903c..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-Copied from Debian
-
-From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 15:15:31 +0000
-Subject: [PATCH] Fix various crasher bugs on fuzzed images. *
- libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
- TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
- the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read
- ColorMap or TransferFunction if BitsPerSample has not yet been read,
- otherwise reading it later will cause user code to crash if BitsPerSample > 1
- * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
- SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample
- != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
- instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int
- overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to
- invalid tile count (should likely be checked by libtiff too). Detect invalid
- settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB *
- tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight *
- tools/tiffdump.c: fix crash due to overflow of entry count.
-
----
- ChangeLog | 19 +++++++++++++++++++
- libtiff/tif_dir.c | 21 +++++++++++++++++++--
- libtiff/tif_dirread.c | 17 +++++++++++++++++
- libtiff/tif_getimage.c | 15 +++++++++++++++
- libtiff/tif_next.c | 2 ++
- tools/bmp2tiff.c | 15 +++++++++++++++
- tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++
- tools/tiffcrop.c | 7 ++++---
- tools/tiffdump.c | 9 ++++++---
- 9 files changed, 138 insertions(+), 8 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 98cf66d..ab43a28 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
- TIFFDirectory* td = &tif->tif_dir;
- int status = 1;
- uint32 v32, i, v;
-+ double dblval;
- char* s;
- const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
- uint32 standard_tag = tag;
-@@ -284,10 +285,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
- setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
- break;
- case TIFFTAG_XRESOLUTION:
-- td->td_xresolution = (float) va_arg(ap, double);
-+ dblval = va_arg(ap, double);
-+ if( dblval < 0 )
-+ goto badvaluedouble;
-+ td->td_xresolution = (float) dblval;
- break;
- case TIFFTAG_YRESOLUTION:
-- td->td_yresolution = (float) va_arg(ap, double);
-+ dblval = va_arg(ap, double);
-+ if( dblval < 0 )
-+ goto badvaluedouble;
-+ td->td_yresolution = (float) dblval;
- break;
- case TIFFTAG_PLANARCONFIG:
- v = (uint16) va_arg(ap, uint16_vap);
-@@ -694,6 +701,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
- va_end(ap);
- }
- return (0);
-+badvaluedouble:
-+ {
-+ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "%s: Bad value %f for \"%s\" tag",
-+ tif->tif_name, dblval,
-+ fip ? fip->field_name : "Unknown");
-+ va_end(ap);
-+ }
-+ return (0);
- }
-
- /*
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 391c823..f66c9a7 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -3430,6 +3430,8 @@ TIFFReadDirectory(TIFF* tif)
- const TIFFField* fip;
- uint32 fii=FAILED_FII;
- toff_t nextdiroff;
-+ int bitspersample_read = FALSE;
-+
- tif->tif_diroff=tif->tif_nextdiroff;
- if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
- return 0; /* last offset or bad offset (IFD looping) */
-@@ -3706,6 +3708,8 @@ TIFFReadDirectory(TIFF* tif)
- }
- if (!TIFFSetField(tif,dp->tdir_tag,value))
- goto bad;
-+ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
-+ bitspersample_read = TRUE;
- }
- break;
- case TIFFTAG_SMINSAMPLEVALUE:
-@@ -3763,6 +3767,19 @@ TIFFReadDirectory(TIFF* tif)
- uint32 countrequired;
- uint32 incrementpersample;
- uint16* value=NULL;
-+ /* It would be dangerous to instanciate those tag values */
-+ /* since if td_bitspersample has not yet been read (due to */
-+ /* unordered tags), it could be read afterwards with a */
-+ /* values greater than the default one (1), which may cause */
-+ /* crashes in user code */
-+ if( !bitspersample_read )
-+ {
-+ fip = TIFFFieldWithTag(tif,dp->tdir_tag);
-+ TIFFWarningExt(tif->tif_clientdata,module,
-+ "Ignoring %s since BitsPerSample tag not found",
-+ fip ? fip->field_name : "unknown tagname");
-+ continue;
-+ }
- countpersample=(1L<<tif->tif_dir.td_bitspersample);
- if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
- {
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index 074d32a..396ad08 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -182,8 +182,23 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
- "Planarconfiguration", td->td_planarconfig);
- return (0);
- }
-+ if( td->td_samplesperpixel != 3 )
-+ {
-+ sprintf(emsg,
-+ "Sorry, can not handle image with %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel);
-+ return 0;
-+ }
- break;
- case PHOTOMETRIC_CIELAB:
-+ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+ {
-+ sprintf(emsg,
-+ "Sorry, can not handle image with %s=%d and %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "Bits/sample", td->td_bitspersample);
-+ return 0;
-+ }
- break;
- default:
- sprintf(emsg, "Sorry, can not handle image with %s=%d",
-diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
-index 55e2537..a53c716 100644
---- a/libtiff/tif_next.c
-+++ b/libtiff/tif_next.c
-@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- default: {
- uint32 npixels = 0, grey;
- uint32 imagewidth = tif->tif_dir.td_imagewidth;
-+ if( isTiled(tif) )
-+ imagewidth = tif->tif_dir.td_tilewidth;
-
- /*
- * The scanline is composed of a sequence of constant
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index dfda963..f202b41 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -1167,6 +1167,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
- && (xuint16 == PLANARCONFIG_SEPARATE ) ){
- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
-+ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
-+ {
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "Invalid tile count, %s",
-+ TIFFFileName(input));
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
- t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
- }
- if( t2p->tiff_tiles[i].tiles_tilecount > 0){
-@@ -1552,6 +1561,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- #endif
- break;
- case PHOTOMETRIC_CIELAB:
-+ if( t2p->tiff_samplesperpixel != 3){
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "Unsupported samplesperpixel = %d for CIELAB",
-+ t2p->tiff_samplesperpixel);
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
-+ if( t2p->tiff_bitspersample != 8){
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "Invalid bitspersample = %d for CIELAB",
-+ t2p->tiff_bitspersample);
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
- t2p->pdf_labrange[0]= -127;
- t2p->pdf_labrange[1]= 127;
- t2p->pdf_labrange[2]= -127;
-@@ -1567,6 +1592,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- t2p->pdf_colorspace=T2P_CS_LAB;
- break;
- case PHOTOMETRIC_ITULAB:
-+ if( t2p->tiff_samplesperpixel != 3){
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "Unsupported samplesperpixel = %d for ITULAB",
-+ t2p->tiff_samplesperpixel);
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
-+ if( t2p->tiff_bitspersample != 8){
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "Invalid bitspersample = %d for ITULAB",
-+ t2p->tiff_bitspersample);
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
- t2p->pdf_labrange[0]=-85;
- t2p->pdf_labrange[1]=85;
- t2p->pdf_labrange[2]=-75;
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index f5530bb..4088463 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
- tsize_t tilesize = TIFFTileSize(out);
- unsigned char *tilebuf = NULL;
-
-- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
-- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
-- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
-+ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
-+ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
-+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
-+ return 1;
-
- tile_buffsize = tilesize;
- if (tilesize < (tsize_t)(tl * tile_rowsize))
-diff --git a/tools/tiffdump.c b/tools/tiffdump.c
-index cf5d62f..8247765 100644
---- a/tools/tiffdump.c
-+++ b/tools/tiffdump.c
-@@ -374,6 +374,8 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
- void* datamem;
- uint64 dataoffset;
- int datatruncated;
-+ int datasizeoverflow;
-+
- tag = *(uint16*)dp;
- if (swabflag)
- TIFFSwabShort(&tag);
-@@ -412,13 +414,14 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
- else
- typewidth = datawidth[type];
- datasize = count*typewidth;
-+ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count);
- datafits = 1;
- datamem = dp;
- dataoffset = 0;
- datatruncated = 0;
- if (!bigtiff)
- {
-- if (datasize>4)
-+ if (datasizeoverflow || datasize>4)
- {
- uint32 dataoffset32;
- datafits = 0;
-@@ -432,7 +435,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
- }
- else
- {
-- if (datasize>8)
-+ if (datasizeoverflow || datasize>8)
- {
- datafits = 0;
- datamem = NULL;
-@@ -442,7 +445,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
- }
- dp += sizeof(uint64);
- }
-- if (datasize>0x10000)
-+ if (datasizeoverflow || datasize>0x10000)
- {
- datatruncated = 1;
- count = 0x10000/typewidth;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
deleted file mode 100644
index fda018b..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Copied from Debian
-
-From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 19:53:59 +0000
-Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write
- http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
-
----
- ChangeLog | 5 +++++
- tools/thumbnail.c | 8 +++++++-
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index fab63f6..c50bbff 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh)
- err -= limit;
- sy++;
- if (err >= limit)
-- rows[nrows++] = br + bpr*sy;
-+ {
-+ /* We should perhaps error loudly, but I can't make sense of that */
-+ /* code... */
-+ if( nrows == 256 )
-+ break;
-+ rows[nrows++] = br + bpr*sy;
-+ }
- }
- setrow(row, nrows, rows);
- row += tnw;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch
deleted file mode 100644
index 6f9ef85..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-Copied from Debian
-
-From 8b6e80fca434525497e5a31c3309a3bab5b3c1c8 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 18:52:42 +0000
-Subject: [PATCH] * tools/thumbnail.c, tools/tiffcmp.c: only read/write
- TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is
- COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4
- http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
-
----
- ChangeLog | 7 +++++++
- tools/thumbnail.c | 21 ++++++++++++++++++++-
- tools/tiffcmp.c | 17 +++++++++++++++--
- 3 files changed, 42 insertions(+), 3 deletions(-)
-
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index a98a881..fab63f6 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -274,7 +274,26 @@ cpTags(TIFF* in, TIFF* out)
- {
- struct cpTag *p;
- for (p = tags; p < &tags[NTAGS]; p++)
-- cpTag(in, out, p->tag, p->count, p->type);
-+ {
-+ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */
-+ /* if we request a tag that is defined in a codec, but that codec */
-+ /* isn't used */
-+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
-+ {
-+ uint16 compression;
-+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
-+ compression != COMPRESSION_CCITTFAX3 )
-+ continue;
-+ }
-+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
-+ {
-+ uint16 compression;
-+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
-+ compression != COMPRESSION_CCITTFAX4 )
-+ continue;
-+ }
-+ cpTag(in, out, p->tag, p->count, p->type);
-+ }
- }
- #undef NTAGS
-
-diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c
-index 508a461..d6392af 100644
---- a/tools/tiffcmp.c
-+++ b/tools/tiffcmp.c
-@@ -260,6 +260,7 @@ tiffcmp(TIFF* tif1, TIFF* tif2)
- static int
- cmptags(TIFF* tif1, TIFF* tif2)
- {
-+ uint16 compression1, compression2;
- CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType");
- CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth");
- CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength");
-@@ -276,8 +277,20 @@ cmptags(TIFF* tif1, TIFF* tif2)
- CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat");
- CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution");
- CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution");
-- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
-- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
-+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
-+ compression1 == COMPRESSION_CCITTFAX3 &&
-+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
-+ compression2 == COMPRESSION_CCITTFAX3 )
-+ {
-+ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
-+ }
-+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
-+ compression1 == COMPRESSION_CCITTFAX4 &&
-+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
-+ compression2 == COMPRESSION_CCITTFAX4 )
-+ {
-+ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
-+ }
- CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit");
- CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration");
- CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip");
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch
deleted file mode 100644
index 200af0e..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Copied from Debian
-
-From 266bc48054b018a2f1d74562aa48eb2f509436d5 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 17:36:36 +0000
-Subject: [PATCH] * tools/tiff2pdf.c: check return code of TIFFGetField() when
- reading TIFFTAG_SAMPLESPERPIXEL
-
----
- ChangeLog | 5 +++++
- tools/tiff2pdf.c | 10 +++++++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-Index: tiff-4.0.3/tools/tiff2pdf.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2pdf.c
-+++ tiff-4.0.3/tools/tiff2pdf.c
-@@ -1164,7 +1164,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
- t2p->tiff_pages[i].page_tilecount;
- if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
- && (xuint16 == PLANARCONFIG_SEPARATE ) ){
-- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
-+ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) )
-+ {
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "Missing SamplesPerPixel, %s",
-+ TIFFFileName(input));
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
- if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
- {
- TIFFError(
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
deleted file mode 100644
index fda4045..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Copied from Debian
-
-Picked from CVE: diff -u -r1.14 -r1.15
-http://bugzilla.maptools.org/show_bug.cgi?id=2501
-
-Author: Even Rouault <even.rouault@spatialys.com>
-
---- tiff-4.0.3.orig/tools/tiffdither.c
-+++ tiff-4.0.3/tools/tiffdither.c
-@@ -39,6 +39,7 @@
- #endif
-
- #include "tiffio.h"
-+#include "tiffiop.h"
-
- #define streq(a,b) (strcmp(a,b) == 0)
- #define strneq(a,b,n) (strncmp(a,b,n) == 0)
-@@ -56,7 +57,7 @@ static void usage(void);
- * Floyd-Steinberg error propragation with threshold.
- * This code is stolen from tiffmedian.
- */
--static void
-+static int
- fsdither(TIFF* in, TIFF* out)
- {
- unsigned char *outline, *inputline, *inptr;
-@@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out)
- int lastline, lastpixel;
- int bit;
- tsize_t outlinesize;
-+ int errcode = 0;
-
- imax = imagelength - 1;
- jmax = imagewidth - 1;
- inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
-- thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
-- nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
-+ thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
-+ nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
- outlinesize = TIFFScanlineSize(out);
- outline = (unsigned char *) _TIFFmalloc(outlinesize);
-+ if (! (inputline && thisline && nextline && outline)) {
-+ fprintf(stderr, "Out of memory.\n");
-+ goto skip_on_error;
-+ }
-
- /*
- * Get first line
-@@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out)
- nextline = tmpptr;
- lastline = (i == imax);
- if (TIFFReadScanline(in, inputline, i, 0) <= 0)
-- break;
-+ goto skip_on_error;
- inptr = inputline;
- nextptr = nextline;
- for (j = 0; j < imagewidth; ++j)
-@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out)
- }
- }
- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
-- break;
-+ goto skip_on_error;
- }
-+ goto exit_label;
-+
- skip_on_error:
-+ errcode = 1;
-+ exit_label:
- _TIFFfree(inputline);
- _TIFFfree(thisline);
- _TIFFfree(nextline);
- _TIFFfree(outline);
-+ return errcode;
- }
-
- static uint16 compression = COMPRESSION_PACKBITS;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch
deleted file mode 100644
index a555a18..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Copied from Debian
-
-Patches by Petr Gajdos (pgajdos@suse.cz) from
-http://bugzilla.maptools.org/show_bug.cgi?id=2499
-
---- tiff-4.0.3.orig/libtiff/tif_dirinfo.c
-+++ tiff-4.0.3/libtiff/tif_dirinfo.c
-@@ -141,6 +141,8 @@ tiffFields[] = {
- { TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL },
- { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
- { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
-+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
-+ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL },
- /* begin DNG tags */
- { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
- { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8129.patch b/gnu/packages/patches/libtiff-CVE-2014-8129.patch
deleted file mode 100644
index 091ec8f..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8129.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Copied from Debian
-
-From cd82b5267ad4c10eb91e4ee8a716a81362cf851c Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 18:07:48 +0000
-Subject: [PATCH] * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
-
----
- ChangeLog | 5 +++++
- libtiff/tif_next.c | 17 +++++++++++++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
-index a53c716..d834196 100644
---- a/libtiff/tif_next.c
-+++ b/libtiff/tif_next.c
-@@ -141,10 +141,27 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- return (0);
- }
-
-+static int
-+NeXTPreDecode(TIFF* tif, uint16 s)
-+{
-+ static const char module[] = "NeXTPreDecode";
-+ TIFFDirectory *td = &tif->tif_dir;
-+ (void)s;
-+
-+ if( td->td_bitspersample != 2 )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
-+ td->td_bitspersample);
-+ return (0);
-+ }
-+ return (1);
-+}
-+
- int
- TIFFInitNeXT(TIFF* tif, int scheme)
- {
- (void) scheme;
-+ tif->tif_predecode = NeXTPreDecode;
- tif->tif_decoderow = NeXTDecode;
- tif->tif_decodestrip = NeXTDecode;
- tif->tif_decodetile = NeXTDecode;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-9330.patch b/gnu/packages/patches/libtiff-CVE-2014-9330.patch
deleted file mode 100644
index c3c5fc0..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-9330.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Copied from Debian
-
-Description: CVE-2014-9330
- Integer overflow in bmp2tiff
-Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
-Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
-Bug-Debian: http://bugs.debian.org/773987
-
-Index: tiff/tools/bmp2tiff.c
-===================================================================
---- tiff.orig/tools/bmp2tiff.c
-+++ tiff/tools/bmp2tiff.c
-@@ -1,4 +1,4 @@
--/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
-+/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
- *
- * Project: libtiff tools
- * Purpose: Convert Windows BMP files in TIFF.
-@@ -403,6 +403,13 @@ main(int argc, char* argv[])
-
- width = info_hdr.iWidth;
- length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
-+ if( width <= 0 || length <= 0 )
-+ {
-+ TIFFError(infilename,
-+ "Invalid dimensions of BMP file" );
-+ close(fd);
-+ return -1;
-+ }
-
- switch (info_hdr.iBitCount)
- {
-@@ -593,6 +600,14 @@ main(int argc, char* argv[])
-
- compr_size = file_hdr.iSize - file_hdr.iOffBits;
- uncompr_size = width * length;
-+ /* Detect int overflow */
-+ if( uncompr_size / width != length )
-+ {
-+ TIFFError(infilename,
-+ "Invalid dimensions of BMP file" );
-+ close(fd);
-+ return -1;
-+ }
- comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
- if (!comprbuf) {
- TIFFError(infilename,
diff --git a/gnu/packages/patches/libtiff-CVE-2014-9655.patch b/gnu/packages/patches/libtiff-CVE-2014-9655.patch
deleted file mode 100644
index 065804d..0000000
--- a/gnu/packages/patches/libtiff-CVE-2014-9655.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Copied from Debian
-
-From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 29 Dec 2014 12:09:11 +0000
-Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't
- read outside of the compressed input stream buffer.
-
-* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
----
- ChangeLog | 9 +++++++++
- libtiff/tif_getimage.c | 12 +++++++-----
- libtiff/tif_next.c | 4 +++-
- 3 files changed, 19 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index a4f46d9..3ad8ee7 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
-
- (void) y;
- fromskew = (fromskew * 10) / 4;
-- if ((h & 3) == 0 && (w & 1) == 0) {
-+ if ((w & 3) == 0 && (h & 1) == 0) {
- for (; h >= 2; h -= 2) {
- x = w>>2;
- do {
-@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
- /* XXX adjust fromskew */
- do {
- x = w>>2;
-- do {
-+ while(x>0) {
- int32 Cb = pp[4];
- int32 Cr = pp[5];
-
-@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
-
- cp += 4;
- pp += 6;
-- } while (--x);
-+ x--;
-+ }
-
- if( (w&3) != 0 )
- {
-@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
- fromskew = (fromskew * 4) / 2;
- do {
- x = w>>1;
-- do {
-+ while(x>0) {
- int32 Cb = pp[2];
- int32 Cr = pp[3];
-
-@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
-
- cp += 2;
- pp += 4;
-- } while (--x);
-+ x --;
-+ }
-
- if( (w&1) != 0 )
- {
-diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
-index d834196..dd669cc 100644
---- a/libtiff/tif_next.c
-+++ b/libtiff/tif_next.c
-@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
- return (0);
- }
-- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
-+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
- n = *bp++, cc--;
- switch (n) {
- case LITERALROW:
-@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- * The scanline has a literal span that begins at some
- * offset.
- */
-+ if( cc < 4 )
-+ goto bad;
- off = (bp[0] * 256) + bp[1];
- n = (bp[2] * 256) + bp[3];
- if (cc < 4+n || off+n > scanline)
--
2.5.0
[-- Attachment #3: 0002-gnu-libtiff-Build-with-the-current-libjpeg-instead-o.patch --]
[-- Type: text/plain, Size: 1335 bytes --]
From fe51c1498140db9e592fce50d27b876e0c598c12 Mon Sep 17 00:00:00 2001
From: Andreas Enge <andreas@enge.fr>
Date: Fri, 4 Sep 2015 21:43:40 +0200
Subject: [PATCH 2/2] gnu: libtiff: Build with the current libjpeg instead of
libjpeg-8.
* gnu/packages/image.scm (libtiff)[inputs]: Use libjpeg instead of libjpeg-9.
[arguments]: Drop the now unneeded field.
---
gnu/packages/image.scm | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 63a923e..89b2483 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -116,13 +116,7 @@ image files in PBMPLUS PPM/PGM, GIF, BMP, and Targa file formats.")
"171hgy4mylwmvdm7gp6ffjva81m4j56v3fbqsbfl7avzxn1slpp2"))))
(build-system gnu-build-system)
(inputs `(("zlib" ,zlib)
- ("libjpeg-8" ,libjpeg-8)))
- ;; currently does not compile with libjpeg version 9
- (arguments
- `(#:configure-flags
- (list (string-append "--with-jpeg-include-dir="
- (assoc-ref %build-inputs "libjpeg-8")
- "/include"))))
+ ("libjpeg" ,libjpeg)))
(synopsis "Library for handling TIFF files")
(description
"Libtiff provides support for the Tag Image File Format (TIFF), a format
--
2.5.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH]: libtiff update
2015-09-04 19:49 [PATCH]: libtiff update Andreas Enge
@ 2015-09-04 20:23 ` Mark H Weaver
2015-09-05 16:00 ` Andreas Enge
0 siblings, 1 reply; 3+ messages in thread
From: Mark H Weaver @ 2015-09-04 20:23 UTC (permalink / raw)
To: Andreas Enge; +Cc: guix-devel
Andreas Enge <andreas@enge.fr> writes:
> The first attached patch updates libtiff to 4.0.5. I think that all security
> fixes have been integrated there, since debian dropped all patches.
Excellent, thanks!
> The second patch builds with libjpeg-9 instead of libjpeg-8.
>
> Comments are welcome.
>
> I would like to create a separate branch for hydra and apply the two patches
> one after one, unless you think this poses too much strain on the build farm.
> I think the second patch might be problematic, as conflicts could occur in
> dependent packages that still use libjpeg-8, so it would be nice to assess
> its impact separately.
I'd really rather avoid this. In my experience, it usually doesn't take
much effort to determine which update caused a problem. Hydra is very
low on all of the important resources: RAM, disk space, disk bandwidth,
etc. Given these facts, we simply cannot afford to give it an extra
3000+ builds just to save ourselves a few minutes of debugging time
later.
Instead of building this out as a dedicated branch, I'd much prefer to
simultaneously push these two commits to core-updates, and then deal
with any problems as they arise, unless there is some reason why these
updates must be deployed ASAP. We already have a lot of other updates
on core-updates, and more that should be added before we build it fully,
such as fontconfig, glib, sqlite, etc. We cannot afford to build them
all out separately.
What do you think?
Mark
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-09-05 16:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-04 19:49 [PATCH]: libtiff update Andreas Enge
2015-09-04 20:23 ` Mark H Weaver
2015-09-05 16:00 ` Andreas Enge
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).