Diffstat (limited to 'graphics/tiff/files')
-rw-r--r--graphics/tiff/files/patch-Makefile.in21
-rw-r--r--graphics/tiff/files/patch-fax2ps.110
-rw-r--r--graphics/tiff/files/patch-tif_dir.c94
-rw-r--r--graphics/tiff/files/patch-tif_fax3.c27
-rw-r--r--graphics/tiff/files/patch-tif_jpeg.c121
-rw-r--r--graphics/tiff/files/patch-tif_lzw.c60
-rw-r--r--graphics/tiff/files/patch-tif_next.c22
-rw-r--r--graphics/tiff/files/patch-tif_pixarlog.c25
-rw-r--r--graphics/tiff/files/patch-tif_print.c13
-rw-r--r--graphics/tiff/files/patch-tif_read.c43
-rw-r--r--graphics/tiff/files/patch-tiff2pdf.134
-rw-r--r--graphics/tiff/files/patch-tiff2pdf.c20
-rw-r--r--graphics/tiff/files/patch-tiff2ps.110
-rw-r--r--graphics/tiff/files/patch-tiffsplit.c21
14 files changed, 21 insertions, 500 deletions
diff --git a/graphics/tiff/files/patch-Makefile.in b/graphics/tiff/files/patch-Makefile.in
index 5234a63a9a73..0f33fee7a608 100644
--- a/graphics/tiff/files/patch-Makefile.in
+++ b/graphics/tiff/files/patch-Makefile.in
@@ -1,15 +1,18 @@
---- Makefile.in.orig Mon Dec 20 20:41:46 2004
-+++ Makefile.in Wed Dec 22 08:02:37 2004
-@@ -302,13 +302,6 @@
- uninstall-info-am:
+--- Makefile.in.orig 2009-08-21 00:25:16.000000000 +0200
++++ Makefile.in 2009-08-24 22:55:02.000000000 +0200
+@@ -380,16 +380,6 @@
+ -rm -f libtool config.lt
install-dist_docDATA: $(dist_doc_DATA)
@$(NORMAL_INSTALL)
-- test -z "$(docdir)" || $(mkdir_p) "$(DESTDIR)$(docdir)"
-- @list='$(dist_doc_DATA)'; for p in $$list; do \
+- test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
+- @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \
+- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-- f=$(am__strip_dir) \
-- echo " $(dist_docDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(docdir)/$$f'"; \
-- $(dist_docDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(docdir)/$$f"; \
+- echo "$$d$$p"; \
+- done | $(am__base_list) | \
+- while read files; do \
+- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
+- $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
- done
uninstall-dist_docDATA:
diff --git a/graphics/tiff/files/patch-fax2ps.1 b/graphics/tiff/files/patch-fax2ps.1
deleted file mode 100644
index 8a2f35bd97d2..000000000000
--- a/graphics/tiff/files/patch-fax2ps.1
+++ /dev/null
@@ -1,10 +0,0 @@
---- man/fax2ps.1.orig Fri Dec 2 17:01:33 2005
-+++ man/fax2ps.1 Fri Oct 24 18:25:45 2008
-@@ -22,6 +22,7 @@
- .\" LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
- .\" OF THIS SOFTWARE.
- .\"
-+.ds Ps PostScript
- .if n .po 0
- .TH FAX2PS 1 "November 2, 2005" "libtiff"
- .SH NAME
diff --git a/graphics/tiff/files/patch-tif_dir.c b/graphics/tiff/files/patch-tif_dir.c
deleted file mode 100644
index 61ab63cefd00..000000000000
--- a/graphics/tiff/files/patch-tif_dir.c
+++ /dev/null
@@ -1,94 +0,0 @@
-CVE-2006-3464,3465
-===================================================================
---- libtiff/tif_dir.c.orig 2008-08-17 13:03:48.954994295 -0400
-+++ libtiff/tif_dir.c 2008-08-17 13:03:52.881994558 -0400
-@@ -122,6 +122,7 @@
- {
- static const char module[] = "_TIFFVSetField";
-
-+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
- TIFFDirectory* td = &tif->tif_dir;
- int status = 1;
- uint32 v32, i, v;
-@@ -195,10 +196,12 @@
- break;
- case TIFFTAG_ORIENTATION:
- v = va_arg(ap, uint32);
-+ const TIFFFieldInfo* fip;
- if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
-+ fip = _TIFFFieldWithTag(tif, tag);
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "Bad value %lu for \"%s\" tag ignored",
-- v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ v, fip ? fip->field_name : "Unknown");
- } else
- td->td_orientation = (uint16) v;
- break;
-@@ -387,11 +390,15 @@
- * happens, for example, when tiffcp is used to convert between
- * compression schemes and codec-specific tags are blindly copied.
- */
-+ /*
-+ * better not dereference fip if it is NULL.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
- if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- status = 0;
- break;
- }
-@@ -468,7 +475,7 @@
- if (fip->field_type == TIFF_ASCII)
- _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
- else {
-- tv->value = _TIFFmalloc(tv_size * tv->count);
-+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
- if (!tv->value) {
- status = 0;
- goto end;
-@@ -563,7 +570,7 @@
- }
- }
- if (status) {
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+ TIFFSetFieldBit(tif, fip->field_bit);
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- }
-
-@@ -572,12 +579,12 @@
- return (status);
- badvalue:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
-- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- badvalue32:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
-- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- }
-@@ -813,12 +820,16 @@
- * If the client tries to get a tag that is not valid
- * for the image's codec then we'll arrive here.
- */
-+ /*
-+ * dont dereference fip if it's NULL.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
- if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
- {
- TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- ret_val = 0;
- break;
- }
diff --git a/graphics/tiff/files/patch-tif_fax3.c b/graphics/tiff/files/patch-tif_fax3.c
deleted file mode 100644
index 5b9e94d23d47..000000000000
--- a/graphics/tiff/files/patch-tif_fax3.c
+++ /dev/null
@@ -1,27 +0,0 @@
-CVE-2006-3464,3465
-===================================================================
---- libtiff/tif_fax3.c.orig 2008-08-17 13:03:48.970994629 -0400
-+++ libtiff/tif_fax3.c 2008-08-17 13:03:52.890034927 -0400
-@@ -1136,6 +1136,7 @@
- Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
- {
- Fax3BaseState* sp = Fax3State(tif);
-+ const TIFFFieldInfo* fip;
-
- assert(sp != 0);
- assert(sp->vsetparent != 0);
-@@ -1181,7 +1182,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
diff --git a/graphics/tiff/files/patch-tif_jpeg.c b/graphics/tiff/files/patch-tif_jpeg.c
deleted file mode 100644
index 4ce2999e579f..000000000000
--- a/graphics/tiff/files/patch-tif_jpeg.c
+++ /dev/null
@@ -1,121 +0,0 @@
-CVE-2006-3460,3464,3465
-===================================================================
---- libtiff/tif_jpeg.c.orig 2008-08-17 13:03:48.974994391 -0400
-+++ libtiff/tif_jpeg.c 2008-08-17 13:03:52.894064968 -0400
-@@ -722,15 +722,31 @@
- segment_width = TIFFhowmany(segment_width, sp->h_sampling);
- segment_height = TIFFhowmany(segment_height, sp->v_sampling);
- }
-- if (sp->cinfo.d.image_width != segment_width ||
-- sp->cinfo.d.image_height != segment_height) {
-+ if (sp->cinfo.d.image_width < segment_width ||
-+ sp->cinfo.d.image_height < segment_height) {
- TIFFWarningExt(tif->tif_clientdata, module,
- "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
- segment_width,
- segment_height,
- sp->cinfo.d.image_width,
- sp->cinfo.d.image_height);
-+ }
-+
-+ if (sp->cinfo.d.image_width > segment_width ||
-+ sp->cinfo.d.image_height > segment_height) {
-+ /*
-+ * This case could be dangerous, if the strip or tile size has been
-+ * reported as less than the amount of data jpeg will return, some
-+ * potential security issues arise. Catch this case and error out.
-+ * -- taviso@google.com 14 Jun 2006
-+ */
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "JPEG strip/tile size exceeds expected dimensions,"
-+ "expected %dx%d, got %dx%d", segment_width, segment_height,
-+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
-+ return (0);
- }
-+
- if (sp->cinfo.d.num_components !=
- (td->td_planarconfig == PLANARCONFIG_CONTIG ?
- td->td_samplesperpixel : 1)) {
-@@ -761,6 +777,22 @@
- sp->cinfo.d.comp_info[0].v_samp_factor,
- sp->h_sampling, sp->v_sampling);
-
-+ /*
-+ * There are potential security issues here for decoders that
-+ * have already allocated buffers based on the expected sampling
-+ * factors. Lets check the sampling factors dont exceed what
-+ * we were expecting.
-+ * -- taviso@google.com 14 June 2006
-+ */
-+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
-+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Cannot honour JPEG sampling factors that"
-+ " exceed those specified.");
-+ return (0);
-+ }
-+
-+
- /*
- * XXX: Files written by the Intergraph software
- * has different sampling factors stored in the
-@@ -1521,15 +1553,18 @@
- {
- JPEGState *sp = JState(tif);
-
-- assert(sp != 0);
-+ /* assert(sp != 0); */
-
- tif->tif_tagmethods.vgetfield = sp->vgetparent;
- tif->tif_tagmethods.vsetfield = sp->vsetparent;
-
-- if( sp->cinfo_initialized )
-- TIFFjpeg_destroy(sp); /* release libjpeg resources */
-- if (sp->jpegtables) /* tag value */
-- _TIFFfree(sp->jpegtables);
-+ if (sp != NULL) {
-+ if( sp->cinfo_initialized )
-+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
-+ if (sp->jpegtables) /* tag value */
-+ _TIFFfree(sp->jpegtables);
-+ }
-+
- _TIFFfree(tif->tif_data); /* release local state */
- tif->tif_data = NULL;
-
-@@ -1541,6 +1576,7 @@
- {
- JPEGState* sp = JState(tif);
- TIFFDirectory* td = &tif->tif_dir;
-+ const TIFFFieldInfo* fip;
- uint32 v32;
-
- assert(sp != NULL);
-@@ -1606,7 +1642,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-@@ -1726,7 +1768,11 @@
- {
- JPEGState* sp = JState(tif);
-
-- assert(sp != NULL);
-+ /* assert(sp != NULL); */
-+ if (sp == NULL) {
-+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
-+ return;
-+ }
-
- (void) flags;
- if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
diff --git a/graphics/tiff/files/patch-tif_lzw.c b/graphics/tiff/files/patch-tif_lzw.c
deleted file mode 100644
index e4a36858b4d0..000000000000
--- a/graphics/tiff/files/patch-tif_lzw.c
+++ /dev/null
@@ -1,60 +0,0 @@
-CVE-2008-2327
-===================================================================
---- libtiff/tif_lzw.c.orig 2008-08-17 13:03:49.090994393 -0400
-+++ libtiff/tif_lzw.c 2008-08-17 13:03:52.354994400 -0400
-@@ -237,6 +237,13 @@
- sp->dec_codetab[code].length = 1;
- sp->dec_codetab[code].next = NULL;
- } while (code--);
-+ /*
-+ * Zero-out the unused entries
-+ */
-+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
-+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
-+
-+
- }
- return (1);
- }
-@@ -408,12 +415,20 @@
- break;
- if (code == CODE_CLEAR) {
- free_entp = sp->dec_codetab + CODE_FIRST;
-+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- NextCode(tif, sp, bp, code, GetNextCode);
- if (code == CODE_EOI)
- break;
-+ if (code == CODE_CLEAR) {
-+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+ "LZWDecode: Corrupted LZW table at scanline %d",
-+ tif->tif_row);
-+ return (0);
-+ }
-+
- *op++ = (char)code, occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
-@@ -604,12 +619,20 @@
- break;
- if (code == CODE_CLEAR) {
- free_entp = sp->dec_codetab + CODE_FIRST;
-+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask;
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
- if (code == CODE_EOI)
- break;
-+ if (code == CODE_CLEAR) {
-+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+ "LZWDecode: Corrupted LZW table at scanline %d",
-+ tif->tif_row);
-+ return (0);
-+ }
-+
- *op++ = code, occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
diff --git a/graphics/tiff/files/patch-tif_next.c b/graphics/tiff/files/patch-tif_next.c
deleted file mode 100644
index e02f075eacd2..000000000000
--- a/graphics/tiff/files/patch-tif_next.c
+++ /dev/null
@@ -1,22 +0,0 @@
-CVE-2006-3462
-===================================================================
---- libtiff/tif_next.c.orig 2008-08-17 13:03:48.978994352 -0400
-+++ libtiff/tif_next.c 2008-08-17 13:03:52.894064968 -0400
-@@ -105,11 +105,16 @@
- * as codes of the form <color><npixels>
- * until we've filled the scanline.
- */
-+ /*
-+ * Ensure the run does not exceed the scanline
-+ * bounds, potentially resulting in a security issue.
-+ * -- taviso@google.com 14 Jun 2006.
-+ */
- op = row;
- for (;;) {
- grey = (n>>6) & 0x3;
- n &= 0x3f;
-- while (n-- > 0)
-+ while (n-- > 0 && npixels < imagewidth)
- SETPIXEL(op, grey);
- if (npixels >= (int) imagewidth)
- break;
diff --git a/graphics/tiff/files/patch-tif_pixarlog.c b/graphics/tiff/files/patch-tif_pixarlog.c
deleted file mode 100644
index cf99c0c5b368..000000000000
--- a/graphics/tiff/files/patch-tif_pixarlog.c
+++ /dev/null
@@ -1,25 +0,0 @@
-CVE-2006-3461
-===================================================================
---- libtiff/tif_pixarlog.c.orig 2008-08-17 13:03:48.986994374 -0400
-+++ libtiff/tif_pixarlog.c 2008-08-17 13:03:52.894064968 -0400
-@@ -768,7 +768,19 @@
- if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabArrayOfShort(up, nsamples);
-
-- for (i = 0; i < nsamples; i += llen, up += llen) {
-+ /*
-+ * if llen is not an exact multiple of nsamples, the decode operation
-+ * may overflow the output buffer, so truncate it enough to prevent that
-+ * but still salvage as much data as possible.
-+ * -- taviso@google.com 14th June 2006
-+ */
-+ if (nsamples % llen)
-+ TIFFWarningExt(tif->tif_clientdata, module,
-+ "%s: stride %lu is not a multiple of sample count, "
-+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
-+
-+
-+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
- switch (sp->user_datafmt) {
- case PIXARLOGDATAFMT_FLOAT:
- horizontalAccumulateF(up, llen, sp->stride,
diff --git a/graphics/tiff/files/patch-tif_print.c b/graphics/tiff/files/patch-tif_print.c
deleted file mode 100644
index 48699484ca4e..000000000000
--- a/graphics/tiff/files/patch-tif_print.c
+++ /dev/null
@@ -1,13 +0,0 @@
-CVE-2006-3464,3465
-===================================================================
---- libtiff/tif_print.c.orig 2008-08-17 13:03:49.113994690 -0400
-+++ libtiff/tif_print.c 2008-08-17 13:03:52.201994368 -0400
-@@ -491,7 +491,7 @@
- } else
- fprintf(fd, "(present)\n");
- }
-- if (TIFFFieldSet(tif, FIELD_SUBIFD)) {
-+ if (TIFFFieldSet(tif, FIELD_SUBIFD) && (td->td_subifd)) {
- fprintf(fd, " SubIFD Offsets:");
- for (i = 0; i < td->td_nsubifd; i++)
- fprintf(fd, " %5lu", (long) td->td_subifd[i]);
diff --git a/graphics/tiff/files/patch-tif_read.c b/graphics/tiff/files/patch-tif_read.c
deleted file mode 100644
index 67c18ccb5b94..000000000000
--- a/graphics/tiff/files/patch-tif_read.c
+++ /dev/null
@@ -1,43 +0,0 @@
-CVE-2006-3464,3465
-===================================================================
---- libtiff/tif_read.c.orig 2008-08-17 13:03:48.990994211 -0400
-+++ libtiff/tif_read.c 2008-08-17 13:03:52.898026507 -0400
-@@ -31,6 +31,8 @@
- #include "tiffiop.h"
- #include <stdio.h>
-
-+#include <limits.h>
-+
- int TIFFFillStrip(TIFF*, tstrip_t);
- int TIFFFillTile(TIFF*, ttile_t);
- static int TIFFStartStrip(TIFF*, tstrip_t);
-@@ -272,7 +274,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
-+ /*
-+ * This sanity check could potentially overflow, causing an OOB read.
-+ * verify that offset + bytecount is > offset.
-+ * -- taviso@google.com 14 Jun 2006
-+ */
-+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
- /*
- * This error message might seem strange, but it's
- * what would happen if a read were done instead.
-@@ -470,7 +478,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
-+ /*
-+ * We must check this calculation doesnt overflow, potentially
-+ * causing an OOB read.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
-+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
- tif->tif_curtile = NOTILE;
- return (0);
- }
diff --git a/graphics/tiff/files/patch-tiff2pdf.1 b/graphics/tiff/files/patch-tiff2pdf.1
deleted file mode 100644
index 2a081a39e2e8..000000000000
--- a/graphics/tiff/files/patch-tiff2pdf.1
+++ /dev/null
@@ -1,34 +0,0 @@
---- man/tiff2pdf.1.orig 2008-08-17 13:03:49.046994376 -0400
-+++ man/tiff2pdf.1 2008-08-17 13:03:52.522727821 -0400
-@@ -207,18 +207,14 @@
- The following example would generate the file output.pdf from input.tiff.
- .PP
- .RS
--.NF
--tiff2pdf -o output.pdf input.tiff
--.FI
-+\f(CWtiff2pdf -o output.pdf input.tiff\fP
- .RE
- .PP
- The following example would generate PDF output from input.tiff and write it
- to standard output.
- .PP
- .RS
--.NF
--tiff2pdf input.tiff
--.FI
-+\f(CWtiff2pdf input.tiff\fP
- .RE
- .PP
- The following example would generate the file output.pdf from input.tiff,
-@@ -227,9 +223,7 @@
- the "Fit Window" option.
- .PP
- .RS
--.NF
--tiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff
--.FI
-+\f(CWtiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff\f)
- .RE
- .SH BUGS
- Please report bugs via the web interface at
diff --git a/graphics/tiff/files/patch-tiff2pdf.c b/graphics/tiff/files/patch-tiff2pdf.c
index 6206cce935dc..1e9e88effb4c 100644
--- a/graphics/tiff/files/patch-tiff2pdf.c
+++ b/graphics/tiff/files/patch-tiff2pdf.c
@@ -1,13 +1,11 @@
-CVE-2006-2193
-===================================================================
---- tools/tiff2pdf.c.orig 2006-06-04 18:26:40.000000000 -0700
-+++ tools/tiff2pdf.c 2006-06-04 18:27:22.000000000 -0700
-@@ -3668,7 +3668,7 @@
- written += TIFFWriteFile(output, (tdata_t) "(", 1);
- for (i=0;i<len;i++){
+--- tools/tiff2pdf.c.orig 2009-01-01 01:10:43.000000000 +0100
++++ tools/tiff2pdf.c 2009-09-14 12:13:39.000000000 +0200
+@@ -3726,7 +3726,7 @@
+ written += t2pWriteFile(output, (tdata_t) "(", 1);
+ for (i=0; i<len; i++) {
if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
-- sprintf(buffer, "\\%.3o", pdfstr[i]);
-+ snprintf(buffer, sizeof(buffer), "\\%.3o", pdfstr[i]);
- written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+- sprintf(buffer, "\\%.3hho", pdfstr[i]);
++ snprintf(buffer, sizeof(buffer), "\\%.3hho", pdfstr[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 4);
} else {
- switch (pdfstr[i]){
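Review bot: The refreshed patch drops its `CVE-2006-2193` header line but still carries the `sprintf` to `snprintf` change, so the patch file no longer says why the port diverges from upstream at this line. The upstream line now formats with `%.3hho`, which should already limit the escape to a backslash plus three octal digits, and the context line `buffer[sizeof(buffer) - 1] = '\0';` terminates the buffer, so the local change reads as defence in depth rather than the original fix. A one-line header such as `Defence in depth for CVE-2006-2193: keep the octal-escape write into buffer bounded.` would tell whoever next refreshes the patch whether it can be dropped. The declaration of `buffer` and the rest of the loop lie outside the hunk, so it is worth confirming that its size covers the four bytes passed to `t2pWriteFile(output, (tdata_t) buffer, 4)` plus the terminator. The other patch files deleted in this commit lose their CVE headers too; if the commit message does not already name the upstream release that absorbed those fixes, it should.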
diff --git a/graphics/tiff/files/patch-tiff2ps.1 b/graphics/tiff/files/patch-tiff2ps.1
deleted file mode 100644
index 92ce970d0cb2..000000000000
--- a/graphics/tiff/files/patch-tiff2ps.1
+++ /dev/null
@@ -1,10 +0,0 @@
---- man/tiff2ps.1.orig Fri Dec 2 17:01:33 2005
-+++ man/tiff2ps.1 Sun Mar 26 12:40:12 2006
-@@ -22,6 +22,7 @@
- .\" LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
- .\" OF THIS SOFTWARE.
- .\"
-+.ds Ps PostScript
- .if n .po 0
- .TH TIFF2PS 1 "November 2, 2005" "libtiff"
- .SH NAME
diff --git a/graphics/tiff/files/patch-tiffsplit.c b/graphics/tiff/files/patch-tiffsplit.c
deleted file mode 100644
index ea75a024ce85..000000000000
--- a/graphics/tiff/files/patch-tiffsplit.c
+++ /dev/null
@@ -1,21 +0,0 @@
-CVE-2006-2656
-===================================================================
---- tools/tiffsplit.c.orig 2008-08-17 13:03:49.014994263 -0400
-+++ tools/tiffsplit.c 2008-08-17 13:03:52.726994578 -0400
-@@ -61,14 +61,13 @@
- return (-3);
- }
- if (argc > 2)
-- strcpy(fname, argv[2]);
-+ snprintf(fname, sizeof(fname), "%s", argv[2]);
- in = TIFFOpen(argv[1], "r");
- if (in != NULL) {
- do {
- char path[1024+1];
- newfilename();
-- strcpy(path, fname);
-- strcat(path, ".tif");
-+ snprintf(path, sizeof(path), "%s.tif", fname);
- out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
- if (out == NULL)
- return (-2);