ports/127434: [PATCH]graphics/tiff: various security fixes

bf bf2006a at yahoo.com
Wed Sep 17 06:00:07 UTC 2008


>Number:         127434
>Category:       ports
>Synopsis:       [PATCH]graphics/tiff: various security fixes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 17 06:00:06 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     bf
>Release:        7-STABLE i386
>Organization:
-
>Environment:
>Description:
Add patches for CVE-2006-2193,2327,2656,3459-3465, and CVE-2008-2327, some of which were apparently misreported as not affecting 3.8.2.  The patches are from the Gentoo and Debian repositories, and are copies or variants of patches originally suggested by Drew Yao and the Google Security Team, among others.  Some of them, along with some changes from Red Hat, have been included in tiff 3.9 and 4.0.  Unfortunately tiff 3.9 and 4.0 are not completely compatible with 3.8.* (although there is some discussion among the tiff developers about changing 3.9 so that it is backwards-compatible), so we cannot now solve these problems by updating the port to 3.9 or 4.0 without breaking some dependent ports.  The problems with tiff should probably be documented in vuxml.  tiff developers have suggested that there are probably further problems, and that the tiff format is more susceptible to security problems than some other image formats owing to its design, so it should be used with caution on untrusted images.  The developers have said that they do not now have the resources or the interest in undertaking a comprehensive security audit of the code, and that it's all Sam Leffler's fault, anyway.  (Okay, I made up that very last part. ;) )


>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -ruN tiff.orig/Makefile tiff/Makefile
--- tiff.orig/Makefile	2008-08-21 02:17:24.000000000 -0400
+++ tiff/Makefile	2008-09-17 01:52:30.302415991 -0400
@@ -9,7 +9,7 @@
 
 PORTNAME=	tiff
 PORTVERSION=	3.8.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://dl1.maptools.org/dl/libtiff/
@@ -126,4 +126,7 @@
 	${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${DOCSDIR}/man/
 .endif
 
+regression-test: build
+	@(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_ARGS} check)
+
 .include <bsd.port.mk>
diff -ruN tiff.orig/files/patch-libtiff+tif_dir.c tiff/files/patch-libtiff+tif_dir.c
--- tiff.orig/files/patch-libtiff+tif_dir.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_dir.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,95 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_dir.c.orig	2008-08-17 13:03:48.954994295 -0400
++++ libtiff/tif_dir.c	2008-08-17 13:03:52.881994558 -0400
+@@ -122,6 +122,7 @@
+ {
+ 	static const char module[] = "_TIFFVSetField";
+ 	
++	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+ 	TIFFDirectory* td = &tif->tif_dir;
+ 	int status = 1;
+ 	uint32 v32, i, v;
+@@ -195,10 +196,12 @@
+ 		break;
+ 	case TIFFTAG_ORIENTATION:
+ 		v = va_arg(ap, uint32);
++		const TIFFFieldInfo* fip;
+ 		if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++			fip = _TIFFFieldWithTag(tif, tag);
+ 			TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ 			    "Bad value %lu for \"%s\" tag ignored",
+-			    v, _TIFFFieldWithTag(tif, tag)->field_name);
++			    v, fip ? fip->field_name : "Unknown");
+ 		} else
+ 			td->td_orientation = (uint16) v;
+ 		break;
+@@ -387,11 +390,15 @@
+ 	     * happens, for example, when tiffcp is used to convert between
+ 	     * compression schemes and codec-specific tags are blindly copied.
+              */
++	    /* 
++	     * better not dereference fip if it is NULL.
++	     * -- taviso at google.com 15 Jun 2006
++	     */
+             if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+ 		TIFFErrorExt(tif->tif_clientdata, module,
+ 		    "%s: Invalid %stag \"%s\" (not supported by codec)",
+ 		    tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+-		    _TIFFFieldWithTag(tif, tag)->field_name);
++		    fip ? fip->field_name : "Unknown");
+ 		status = 0;
+ 		break;
+             }
+@@ -468,7 +475,7 @@
+ 	    if (fip->field_type == TIFF_ASCII)
+ 		    _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+ 	    else {
+-                tv->value = _TIFFmalloc(tv_size * tv->count);
++                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
+ 		if (!tv->value) {
+ 		    status = 0;
+ 		    goto end;
+@@ -563,7 +570,7 @@
+           }
+ 	}
+ 	if (status) {
+-		TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++		TIFFSetFieldBit(tif, fip->field_bit);
+ 		tif->tif_flags |= TIFF_DIRTYDIRECT;
+ 	}
+ 
+@@ -572,12 +579,12 @@
+ 	return (status);
+ badvalue:
+ 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+-		  tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++		  tif->tif_name, v, fip ? fip->field_name : "Unknown");
+ 	va_end(ap);
+ 	return (0);
+ badvalue32:
+ 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
+-		   tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++		   tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+ 	va_end(ap);
+ 	return (0);
+ }
+@@ -813,12 +820,16 @@
+              * If the client tries to get a tag that is not valid
+              * for the image's codec then we'll arrive here.
+              */
++	    /*
++	     * dont dereference fip if it's NULL.
++	     * -- taviso at google.com 15 Jun 2006
++	     */
+             if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+             {
+ 				TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
+                           "%s: Invalid %stag \"%s\" (not supported by codec)",
+                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+-                          _TIFFFieldWithTag(tif, tag)->field_name);
++                          fip ? fip->field_name : "Unknown");
+                 ret_val = 0;
+                 break;
+             }
+Index: tiff-3.8.2/libtiff/tif_dirinfo.c
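Review bot: The rewritten `TIFFSetFieldBit(tif, fip->field_bit);` after the switch in _TIFFVSetField dereferences `fip` with no NULL test, although the same patch guards every other use with `fip ? fip->field_name : "Unknown"` and so treats a failed lookup as possible. The condition should become `if (status && fip != NULL) {`, or a failed lookup should clear `status` before this point. Separately, the `const TIFFFieldInfo* fip;` added inside `case TIFFTAG_ORIENTATION:` follows a statement and shadows the function-scope `fip` for the rest of the switch body. Dropping that declaration and the extra `fip = _TIFFFieldWithTag(tif, tag);` lets the warning reuse the lookup already done at the top. The function body starts and ends outside the embedded hunks, so the reachability of the NULL case is inferred from the guards the patch adds.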
diff -ruN tiff.orig/files/patch-libtiff+tif_dirinfo.c tiff/files/patch-libtiff+tif_dirinfo.c
--- tiff.orig/files/patch-libtiff+tif_dirinfo.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_dirinfo.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,25 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_dirinfo.c.orig	2008-08-17 13:03:48.958994316 -0400
++++ libtiff/tif_dirinfo.c	2008-08-17 13:03:52.890034927 -0400
+@@ -775,7 +775,8 @@
+ 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+ 			  "Internal error, unknown tag 0x%x",
+                           (unsigned int) tag);
+-		assert(fip != NULL);
++		/* assert(fip != NULL); */
++
+ 		/*NOTREACHED*/
+ 	}
+ 	return (fip);
+@@ -789,7 +790,8 @@
+ 	if (!fip) {
+ 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+ 			  "Internal error, unknown tag %s", field_name);
+-		assert(fip != NULL);
++		/* assert(fip != NULL); */
++		
+ 		/*NOTREACHED*/
+ 	}
+ 	return (fip);
+Index: tiff-3.8.2/libtiff/tif_dirread.c
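Review bot: With both asserts commented out, the `/*NOTREACHED*/` markers left behind are now false, because control falls through to `return (fip);` with `fip == NULL`. Replace the dead assert and the marker in each function with a comment that states the new contract, for example `/* unknown tag: error already reported; return NULL, callers must check */`. The contract change matters because any caller that still writes `_TIFFFieldWithTag(...)->field_name` now dereferences NULL instead of aborting. Only the call sites touched by the other patch files in this submission are visibly converted, so the remaining callers in the tree should be audited.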
diff -ruN tiff.orig/files/patch-libtiff+tif_dirread.c tiff/files/patch-libtiff+tif_dirread.c
--- tiff.orig/files/patch-libtiff+tif_dirread.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_dirread.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,322 @@
+CVE-2006-3459,3463,3464,3465 
+===================================================================
+--- libtiff/tif_dirread.c.orig	2008-08-17 13:03:48.962994506 -0400
++++ libtiff/tif_dirread.c	2008-08-17 13:03:52.890034927 -0400
+@@ -29,6 +29,9 @@
+  *
+  * Directory Read Support Routines.
+  */
++
++#include <limits.h>
++
+ #include "tiffiop.h"
+ 
+ #define	IGNORE	0		/* tag placeholder used below */
+@@ -81,6 +84,7 @@
+ 	uint16 dircount;
+ 	toff_t nextdiroff;
+ 	int diroutoforderwarning = 0;
++	int compressionknown = 0;
+ 	toff_t* new_dirlist;
+ 
+ 	tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +151,20 @@
+ 	} else {
+ 		toff_t off = tif->tif_diroff;
+ 
+-		if (off + sizeof (uint16) > tif->tif_size) {
+-			TIFFErrorExt(tif->tif_clientdata, module,
+-			    "%s: Can not read TIFF directory count",
+-                            tif->tif_name);
+-			return (0);
++		/*
++		 * Check for integer overflow when validating the dir_off, otherwise
++		 * a very high offset may cause an OOB read and crash the client.
++		 * -- taviso at google.com, 14 Jun 2006.
++		 */
++		if (off + sizeof (uint16) > tif->tif_size || 
++			off > (UINT_MAX - sizeof(uint16))) {
++				TIFFErrorExt(tif->tif_clientdata, module,
++				    "%s: Can not read TIFF directory count",
++				    tif->tif_name);
++				return (0);
+ 		} else
+-			_TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
++			_TIFFmemcpy(&dircount, tif->tif_base + off,
++					sizeof (uint16));
+ 		off += sizeof (uint16);
+ 		if (tif->tif_flags & TIFF_SWAB)
+ 			TIFFSwabShort(&dircount);
+@@ -254,6 +265,7 @@
+ 		while (fix < tif->tif_nfields &&
+ 		       tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ 			fix++;
++
+ 		if (fix >= tif->tif_nfields ||
+ 		    tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+ 
+@@ -264,17 +276,23 @@
+ 						       dp->tdir_tag,
+ 						       dp->tdir_tag,
+ 						       dp->tdir_type);
+-
+-                    TIFFMergeFieldInfo(tif,
+-                                       _TIFFCreateAnonFieldInfo(tif,
+-						dp->tdir_tag,
+-						(TIFFDataType) dp->tdir_type),
+-				       1 );
++					/*
++					 * creating anonymous fields prior to knowing the compression
++					 * algorithm (ie, when the field info has been merged) could cause
++					 * crashes with pathological directories.
++					 * -- taviso at google.com 15 Jun 2006
++					 */
++					if (compressionknown)
++			                    TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
++						(TIFFDataType) dp->tdir_type), 1 );
++					else goto ignore;
++		    
+                     fix = 0;
+                     while (fix < tif->tif_nfields &&
+                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ 			fix++;
+ 		}
++		
+ 		/*
+ 		 * Null out old tags that we ignore.
+ 		 */
+@@ -326,6 +344,7 @@
+ 				    dp->tdir_type, dp->tdir_offset);
+ 				if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+ 					goto bad;
++				else compressionknown++;
+ 				break;
+ 			/* XXX: workaround for broken TIFFs */
+ 			} else if (dp->tdir_type == TIFF_LONG) {
+@@ -540,6 +559,7 @@
+ 	 * Attempt to deal with a missing StripByteCounts tag.
+ 	 */
+ 	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ 		/*
+ 		 * Some manufacturers violate the spec by not giving
+ 		 * the size of the strips.  In this case, assume there
+@@ -556,7 +576,7 @@
+ 			"%s: TIFF directory is missing required "
+ 			"\"%s\" field, calculating from imagelength",
+ 			tif->tif_name,
+-		        _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++		        fip ? fip->field_name : "Unknown");
+ 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ 		    goto bad;
+ /* 
+@@ -580,6 +600,7 @@
+ 	} else if (td->td_nstrips == 1 
+                    && td->td_stripoffset[0] != 0 
+                    && BYTECOUNTLOOKSBAD) {
++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ 		/*
+ 		 * XXX: Plexus (and others) sometimes give a value of zero for
+ 		 * a tag when they don't know what the correct value is!  Try
+@@ -589,13 +610,14 @@
+ 		TIFFWarningExt(tif->tif_clientdata, module,
+ 	"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+                             tif->tif_name,
+-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++		            fip ? fip->field_name : "Unknown");
+ 		if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+ 		    goto bad;
+ 	} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+ 		   && td->td_nstrips > 2
+ 		   && td->td_compression == COMPRESSION_NONE
+ 		   && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ 		/*
+ 		 * XXX: Some vendors fill StripByteCount array with absolutely
+ 		 * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +626,7 @@
+ 		TIFFWarningExt(tif->tif_clientdata, module,
+ 	"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+                             tif->tif_name,
+-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++		            fip ? fip->field_name : "Unknown");
+ 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ 		    goto bad;
+ 	}
+@@ -870,7 +892,13 @@
+ 
+ 	register TIFFDirEntry *dp;
+ 	register TIFFDirectory *td = &tif->tif_dir;
+-	uint16 i;
++	
++	/* i is used to iterate over td->td_nstrips, so must be
++	 * at least the same width.
++	 * -- taviso at google.com 15 Jun 2006
++	 */
++
++	uint32 i;
+ 
+ 	if (td->td_stripbytecount)
+ 		_TIFFfree(td->td_stripbytecount);
+@@ -947,16 +975,18 @@
+ static int
+ CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
+ {
++	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++
+ 	if (count > dir->tdir_count) {
+ 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
+-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++		    fip ? fip->field_name : "Unknown",
+ 		    dir->tdir_count, count);
+ 		return (0);
+ 	} else if (count < dir->tdir_count) {
+ 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
+-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++		    fip ? fip->field_name : "Unknown",
+ 		    dir->tdir_count, count);
+ 		return (1);
+ 	}
+@@ -970,6 +1000,7 @@
+ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
+ {
+ 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
++	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 	tsize_t cc = dir->tdir_count * w;
+ 
+ 	/* Check for overflow. */
+@@ -1013,7 +1044,7 @@
+ bad:
+ 	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ 		     "Error fetching data for field \"%s\"",
+-		     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++		     fip ? fip->field_name : "Unknown");
+ 	return (tsize_t) 0;
+ }
+ 
+@@ -1039,10 +1070,12 @@
+ static int
+ cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
+ {
++	const TIFFFieldInfo* fip;
+ 	if (denom == 0) {
++		fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ 		    "%s: Rational with zero denominator (num = %lu)",
+-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
++		    fip ? fip->field_name : "Unknown", num);
+ 		return (0);
+ 	} else {
+ 		if (dir->tdir_type == TIFF_RATIONAL)
+@@ -1159,6 +1192,20 @@
+ static int
+ TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
+ {
++	/*
++	 * Prevent overflowing the v stack arrays below by performing a sanity
++	 * check on tdir_count, this should never be greater than two.
++	 * -- taviso at google.com 14 Jun 2006.
++	 */
++	if (dir->tdir_count > 2) {
++		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
++				"unexpected count for field \"%s\", %lu, expected 2; ignored.",
++				fip ? fip->field_name : "Unknown",
++				dir->tdir_count);
++		return 0;
++	}
++
+ 	switch (dir->tdir_type) {
+ 		case TIFF_BYTE:
+ 		case TIFF_SBYTE:
+@@ -1329,14 +1376,15 @@
+ 	case TIFF_DOUBLE:
+ 		return (TIFFFetchDoubleArray(tif, dir, (double*) v));
+ 	default:
++		{ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 		/* TIFF_NOTYPE */
+ 		/* TIFF_ASCII */
+ 		/* TIFF_UNDEFINED */
+ 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ 			     "cannot read TIFF_ANY type %d for field \"%s\"",
+ 			     dir->tdir_type,
+-			     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+-		return (0);
++			     fip ? fip->field_name : "Unknown");
++		return (0); }
+ 	}
+ 	return (1);
+ }
+@@ -1351,6 +1399,9 @@
+ 	int ok = 0;
+ 	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+ 
++	if (fip == NULL) {
++		return (0);
++	}
+ 	if (dp->tdir_count > 1) {		/* array of values */
+ 		char* cp = NULL;
+ 
+@@ -1493,6 +1544,7 @@
+ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1510,9 +1562,10 @@
+ 
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+@@ -1534,6 +1587,7 @@
+ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1551,9 +1605,10 @@
+                 check_count = samples;
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+@@ -1574,6 +1629,7 @@
+ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+ 
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1591,9 +1647,10 @@
+ 
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+                     TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+Index: tiff-3.8.2/libtiff/tif_fax3.c
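Review bot: The wrap-around guard added to the directory-count read is tied to `UINT_MAX` (`off + sizeof (uint16) > tif->tif_size || off > (UINT_MAX - sizeof(uint16))`), so it is only correct while `off` is exactly as wide as `unsigned int`. A subtraction form needs no constant and cannot wrap: `if (tif->tif_size < sizeof (uint16) || off > tif->tif_size - sizeof (uint16)) {`, assuming `tif_size` is unsigned, which is not visible here. The same `UINT_MAX` pattern guards both `td->td_stripoffset[...] + bytecount` checks in patch-libtiff+tif_read.c and could be rewritten as `bytecount > tif->tif_size || td->td_stripoffset[strip] > tif->tif_size - bytecount`. The enclosing functions begin and end outside the embedded hunks.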
diff -ruN tiff.orig/files/patch-libtiff+tif_fax3.c tiff/files/patch-libtiff+tif_fax3.c
--- tiff.orig/files/patch-libtiff+tif_fax3.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_fax3.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,28 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_fax3.c.orig	2008-08-17 13:03:48.970994629 -0400
++++ libtiff/tif_fax3.c	2008-08-17 13:03:52.890034927 -0400
+@@ -1136,6 +1136,7 @@
+ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
+ {
+ 	Fax3BaseState* sp = Fax3State(tif);
++	const TIFFFieldInfo* fip;
+ 
+ 	assert(sp != 0);
+ 	assert(sp->vsetparent != 0);
+@@ -1181,7 +1182,13 @@
+ 	default:
+ 		return (*sp->vsetparent)(tif, tag, ap);
+ 	}
+-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++	
++	if ((fip = _TIFFFieldWithTag(tif, tag))) {
++		TIFFSetFieldBit(tif, fip->field_bit);
++	} else {
++		return (0);
++	}
++
+ 	tif->tif_flags |= TIFF_DIRTYDIRECT;
+ 	return (1);
+ }
+Index: tiff-3.8.2/libtiff/tif_jpeg.c
diff -ruN tiff.orig/files/patch-libtiff+tif_jpeg.c tiff/files/patch-libtiff+tif_jpeg.c
--- tiff.orig/files/patch-libtiff+tif_jpeg.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_jpeg.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,122 @@
+CVE-2006-3460,3464,3465
+===================================================================
+--- libtiff/tif_jpeg.c.orig	2008-08-17 13:03:48.974994391 -0400
++++ libtiff/tif_jpeg.c	2008-08-17 13:03:52.894064968 -0400
+@@ -722,15 +722,31 @@
+ 		segment_width = TIFFhowmany(segment_width, sp->h_sampling);
+ 		segment_height = TIFFhowmany(segment_height, sp->v_sampling);
+ 	}
+-	if (sp->cinfo.d.image_width != segment_width ||
+-	    sp->cinfo.d.image_height != segment_height) {
++	if (sp->cinfo.d.image_width < segment_width ||
++	    sp->cinfo.d.image_height < segment_height) {
+ 		TIFFWarningExt(tif->tif_clientdata, module,
+                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
+                           segment_width, 
+                           segment_height,
+                           sp->cinfo.d.image_width, 
+                           sp->cinfo.d.image_height);
++	} 
++	
++	if (sp->cinfo.d.image_width > segment_width ||
++			sp->cinfo.d.image_height > segment_height) {
++		/*
++		 * This case could be dangerous, if the strip or tile size has been
++		 * reported as less than the amount of data jpeg will return, some
++		 * potential security issues arise. Catch this case and error out.
++		 * -- taviso at google.com 14 Jun 2006
++		 */
++		TIFFErrorExt(tif->tif_clientdata, module, 
++			"JPEG strip/tile size exceeds expected dimensions,"
++			"expected %dx%d, got %dx%d", segment_width, segment_height,
++			sp->cinfo.d.image_width, sp->cinfo.d.image_height);
++		return (0);
+ 	}
++
+ 	if (sp->cinfo.d.num_components !=
+ 	    (td->td_planarconfig == PLANARCONFIG_CONTIG ?
+ 	     td->td_samplesperpixel : 1)) {
+@@ -761,6 +777,22 @@
+                                     sp->cinfo.d.comp_info[0].v_samp_factor,
+                                     sp->h_sampling, sp->v_sampling);
+ 
++				/*
++				 * There are potential security issues here for decoders that
++				 * have already allocated buffers based on the expected sampling
++				 * factors. Lets check the sampling factors dont exceed what
++				 * we were expecting.
++				 * -- taviso at google.com 14 June 2006
++				 */
++				if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
++					sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
++						TIFFErrorExt(tif->tif_clientdata, module,
++							"Cannot honour JPEG sampling factors that"
++							" exceed those specified.");
++						return (0);
++				}
++
++
+ 			    /*
+ 			     * XXX: Files written by the Intergraph software
+ 			     * has different sampling factors stored in the
+@@ -1521,15 +1553,18 @@
+ {
+ 	JPEGState *sp = JState(tif);
+ 	
+-	assert(sp != 0);
++	/* assert(sp != 0); */
+ 
+ 	tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ 	tif->tif_tagmethods.vsetfield = sp->vsetparent;
+ 
+-	if( sp->cinfo_initialized )
+-	    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
+-	if (sp->jpegtables)		/* tag value */
+-		_TIFFfree(sp->jpegtables);
++	if (sp != NULL) {
++		if( sp->cinfo_initialized )
++		    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
++		if (sp->jpegtables)		/* tag value */
++			_TIFFfree(sp->jpegtables);
++	}
++
+ 	_TIFFfree(tif->tif_data);	/* release local state */
+ 	tif->tif_data = NULL;
+ 
+@@ -1541,6 +1576,7 @@
+ {
+ 	JPEGState* sp = JState(tif);
+ 	TIFFDirectory* td = &tif->tif_dir;
++	const TIFFFieldInfo* fip;
+ 	uint32 v32;
+ 
+ 	assert(sp != NULL);
+@@ -1606,7 +1642,13 @@
+ 	default:
+ 		return (*sp->vsetparent)(tif, tag, ap);
+ 	}
+-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++	if ((fip = _TIFFFieldWithTag(tif, tag))) {
++		TIFFSetFieldBit(tif, fip->field_bit);
++	} else {
++		return (0);
++	}
++
+ 	tif->tif_flags |= TIFF_DIRTYDIRECT;
+ 	return (1);
+ }
+@@ -1726,7 +1768,11 @@
+ {
+ 	JPEGState* sp = JState(tif);
+ 
+-	assert(sp != NULL);
++	/* assert(sp != NULL); */
++	if (sp == NULL) {
++		TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
++		return;
++	}
+ 
+ 	(void) flags;
+ 	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
+Index: tiff-3.8.2/libtiff/tif_next.c
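Review bot: In the cleanup routine the new `if (sp != NULL)` guard comes too late: the two unchanged lines just above it, `tif->tif_tagmethods.vgetfield = sp->vgetparent;` and `tif->tif_tagmethods.vsetfield = sp->vsetparent;`, still dereference `sp` unconditionally now that the assert is commented out. Move both assignments inside the `if (sp != NULL) {` block so that a NULL state skips them as well. Separately, the new error string `"JPEG strip/tile size exceeds expected dimensions,"` is concatenated with `"expected %dx%d, got %dx%d"` without a space, so the message prints as `dimensions,expected`. The function bodies start outside the embedded hunks.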
diff -ruN tiff.orig/files/patch-libtiff+tif_lzw.c tiff/files/patch-libtiff+tif_lzw.c
--- tiff.orig/files/patch-libtiff+tif_lzw.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_lzw.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,60 @@
+CVE-2008-2327
+===================================================================
+--- libtiff/tif_lzw.c.orig	2008-08-17 13:03:49.090994393 -0400
++++ libtiff/tif_lzw.c	2008-08-17 13:03:52.354994400 -0400
+@@ -237,6 +237,13 @@
+                     sp->dec_codetab[code].length = 1;
+                     sp->dec_codetab[code].next = NULL;
+                 } while (code--);
++                /*
++                 * Zero-out the unused entries
++                 */
++                 _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++                 (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
++
+ 	}
+ 	return (1);
+ }
+@@ -408,12 +415,20 @@
+ 			break;
+ 		if (code == CODE_CLEAR) {
+ 			free_entp = sp->dec_codetab + CODE_FIRST;
++			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ 			nbits = BITS_MIN;
+ 			nbitsmask = MAXCODE(BITS_MIN);
+ 			maxcodep = sp->dec_codetab + nbitsmask-1;
+ 			NextCode(tif, sp, bp, code, GetNextCode);
+ 			if (code == CODE_EOI)
+ 				break;
++			 if (code == CODE_CLEAR) {
++				 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++				 "LZWDecode: Corrupted LZW table at scanline %d",
++				 tif->tif_row);
++				 return (0);
++			 }
++
+ 			*op++ = (char)code, occ--;
+ 			oldcodep = sp->dec_codetab + code;
+ 			continue;
+@@ -604,12 +619,20 @@
+ 			break;
+ 		if (code == CODE_CLEAR) {
+ 			free_entp = sp->dec_codetab + CODE_FIRST;
++			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ 			nbits = BITS_MIN;
+ 			nbitsmask = MAXCODE(BITS_MIN);
+ 			maxcodep = sp->dec_codetab + nbitsmask;
+ 			NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ 			if (code == CODE_EOI)
+ 				break;
++			 if (code == CODE_CLEAR) {
++				 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++				 "LZWDecode: Corrupted LZW table at scanline %d",
++				 tif->tif_row);
++				 return (0);
++			 }
++
+ 			*op++ = code, occ--;
+ 			oldcodep = sp->dec_codetab + code;
+ 			continue;
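Review bot: The check added after a CODE_CLEAR rejects only a second CODE_CLEAR, so any other non-literal code still falls through to `*op++ = (char)code` and `oldcodep = sp->dec_codetab + code`. That leaves `oldcodep` pointing at a table entry the new `_TIFFmemset` has just zeroed. Because CODE_EOI is handled by the `break` immediately before, widening the test to `if (code >= CODE_CLEAR) {` would reject every code that cannot be a literal at that point. This applies to both decoder loops, the one using `GetNextCode` and the one using `GetNextCodeCompat`. How a zeroed entry is treated later in the loop is outside the hunk, so whether the result is a crash or only garbage output cannot be judged from here.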
diff -ruN tiff.orig/files/patch-libtiff+tif_next.c tiff/files/patch-libtiff+tif_next.c
--- tiff.orig/files/patch-libtiff+tif_next.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_next.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,23 @@
+CVE-2006-3462
+===================================================================
+--- libtiff/tif_next.c.orig	2008-08-17 13:03:48.978994352 -0400
++++ libtiff/tif_next.c	2008-08-17 13:03:52.894064968 -0400
+@@ -105,11 +105,16 @@
+ 			 * as codes of the form <color><npixels>
+ 			 * until we've filled the scanline.
+ 			 */
++			/*
++			 * Ensure the run does not exceed the scanline
++			 * bounds, potentially resulting in a security issue.
++			 * -- taviso at google.com 14 Jun 2006.
++			 */
+ 			op = row;
+ 			for (;;) {
+ 				grey = (n>>6) & 0x3;
+ 				n &= 0x3f;
+-				while (n-- > 0)
++				while (n-- > 0 && npixels < imagewidth)
+ 					SETPIXEL(op, grey);
+ 				if (npixels >= (int) imagewidth)
+ 					break;
+Index: tiff-3.8.2/libtiff/tif_pixarlog.c
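Review bot: The new loop bound compares `npixels < imagewidth` directly, while the unchanged test two lines below writes `npixels >= (int) imagewidth`. The two should use the same form, e.g. `while (n-- > 0 && npixels < (int) imagewidth)`, so the comparison does not silently switch between signed and unsigned depending on how the variables are declared (the declarations are outside the hunk). The explanatory comment would also read better directly above the `while` it describes rather than above `op = row;`.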
diff -ruN tiff.orig/files/patch-libtiff+tif_pixarlog.c tiff/files/patch-libtiff+tif_pixarlog.c
--- tiff.orig/files/patch-libtiff+tif_pixarlog.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_pixarlog.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,26 @@
+CVE-2006-3461
+===================================================================
+--- libtiff/tif_pixarlog.c.orig	2008-08-17 13:03:48.986994374 -0400
++++ libtiff/tif_pixarlog.c	2008-08-17 13:03:52.894064968 -0400
+@@ -768,7 +768,19 @@
+ 	if (tif->tif_flags & TIFF_SWAB)
+ 		TIFFSwabArrayOfShort(up, nsamples);
+ 
+-	for (i = 0; i < nsamples; i += llen, up += llen) {
++	/* 
++	 * if llen is not an exact multiple of nsamples, the decode operation
++	 * may overflow the output buffer, so truncate it enough to prevent that
++	 * but still salvage as much data as possible.
++	 * -- taviso at google.com 14th June 2006
++	 */
++	if (nsamples % llen) 
++		TIFFWarningExt(tif->tif_clientdata, module,
++				"%s: stride %lu is not a multiple of sample count, "
++				"%lu, data truncated.", tif->tif_name, llen, nsamples);
++				
++	
++	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+ 		switch (sp->user_datafmt)  {
+ 		case PIXARLOGDATAFMT_FLOAT:
+ 			horizontalAccumulateF(up, llen, sp->stride,
+Index: tiff-3.8.2/libtiff/tif_read.c
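Review bot: `nsamples % llen` is now evaluated before the loop and again in every loop condition, and nothing visible in the hunk rules out `llen == 0`, where the modulo is undefined behaviour (typically a divide trap). A guard such as `if (llen == 0) return (0);` ahead of the new check would close that, subject to how `llen` is computed above the hunk. The comment and the warning text also state the relation backwards: the code tests whether `nsamples` is a multiple of `llen`, so the message should read `"%s: sample count %lu is not a multiple of stride %lu, data truncated."` with the two arguments swapped to match. Computing the truncated limit once into a local would avoid repeating the modulo on each iteration.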
diff -ruN tiff.orig/files/patch-libtiff+tif_print.c tiff/files/patch-libtiff+tif_print.c
--- tiff.orig/files/patch-libtiff+tif_print.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_print.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,13 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_print.c.orig	2008-08-17 13:03:49.113994690 -0400
++++ libtiff/tif_print.c	2008-08-17 13:03:52.201994368 -0400
+@@ -491,7 +491,7 @@
+ 		} else
+ 			fprintf(fd, "(present)\n");
+ 	}
+-	if (TIFFFieldSet(tif, FIELD_SUBIFD)) {
++	if (TIFFFieldSet(tif, FIELD_SUBIFD) && (td->td_subifd)) {
+ 		fprintf(fd, "  SubIFD Offsets:");
+ 		for (i = 0; i < td->td_nsubifd; i++)
+ 			fprintf(fd, " %5lu", (long) td->td_subifd[i]);
diff -ruN tiff.orig/files/patch-libtiff+tif_read.c tiff/files/patch-libtiff+tif_read.c
--- tiff.orig/files/patch-libtiff+tif_read.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-libtiff+tif_read.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,43 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_read.c.orig	2008-08-17 13:03:48.990994211 -0400
++++ libtiff/tif_read.c	2008-08-17 13:03:52.898026507 -0400
+@@ -31,6 +31,8 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+ 
++#include <limits.h>
++
+ 	int TIFFFillStrip(TIFF*, tstrip_t);
+ 	int TIFFFillTile(TIFF*, ttile_t);
+ static	int TIFFStartStrip(TIFF*, tstrip_t);
+@@ -272,7 +274,13 @@
+ 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ 			_TIFFfree(tif->tif_rawdata);
+ 		tif->tif_flags &= ~TIFF_MYBUFFER;
+-		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++		/*
++		 * This sanity check could potentially overflow, causing an OOB read.
++		 * verify that offset + bytecount is > offset.
++		 * -- taviso at google.com 14 Jun 2006
++		 */
++		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++			bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
+ 			/*
+ 			 * This error message might seem strange, but it's
+ 			 * what would happen if a read were done instead.
+@@ -470,7 +478,13 @@
+ 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ 			_TIFFfree(tif->tif_rawdata);
+ 		tif->tif_flags &= ~TIFF_MYBUFFER;
+-		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++		/*
++		 * We must check this calculation doesnt overflow, potentially
++		 * causing an OOB read.
++		 * -- taviso at google.com 15 Jun 2006
++		 */
++		if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++			bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
+ 			tif->tif_curtile = NOTILE;
+ 			return (0);
+ 		}
diff -ruN tiff.orig/files/patch-man+TIFFClose.3tiff tiff/files/patch-man+TIFFClose.3tiff
--- tiff.orig/files/patch-man+TIFFClose.3tiff	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-man+TIFFClose.3tiff	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,11 @@
+--- man/TIFFClose.3tiff.orig	2008-08-17 13:03:49.058994404 -0400
++++ man/TIFFClose.3tiff	2008-08-17 13:03:52.522727821 -0400
+@@ -40,7 +40,7 @@
+ current directory (if modified); and all resources are reclaimed.
+ .SH DIAGNOSTICS
+ All error messages are directed to the
+-.bR TIFFError (3TIFF)
++.BR TIFFError (3TIFF)
+ routine.
+ Likewise, warning messages are directed to the
+ .BR TIFFWarning (3TIFF)
diff -ruN tiff.orig/files/patch-man+fax2ps.1 tiff/files/patch-man+fax2ps.1
--- tiff.orig/files/patch-man+fax2ps.1	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-man+fax2ps.1	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,74 @@
+--- man/fax2ps.1.orig	2008-08-17 13:03:49.038994710 -0400
++++ man/fax2ps.1	2008-08-17 13:03:52.510994390 -0400
+@@ -27,7 +27,7 @@
+ .SH NAME
+ fax2ps \- convert a
+ .SM TIFF
+-facsimile to compressed \*(Ps\(tm
++facsimile to compressed PostScript\(tm
+ .SH SYNOPSIS
+ .B fax2ps
+ [
+@@ -40,7 +40,7 @@
+ reads one or more
+ .SM TIFF
+ facsimile image files and prints a compressed form of
+-\*(Ps on the standard output that is suitable for printing.
++PostScript on the standard output that is suitable for printing.
+ .PP
+ By default, each page is scaled to reflect the
+ image dimensions and resolutions stored in the file.
+@@ -62,26 +62,26 @@
+ .PP
+ By default
+ .I fax2ps
+-generates \*(Ps for all pages in the file.
++generates PostScript for all pages in the file.
+ The
+ .B \-p
+ option can be used to select one or more pages from
+ a multi-page document.
+ .PP
+ .I fax2ps
+-generates a compressed form of \*(Ps that is
+-optimized for sending pages of text to a \*(Ps
++generates a compressed form of PostScript that is
++optimized for sending pages of text to a PostScript
+ printer attached to a host through a low-speed link (such
+ as a serial line).
+ Each output page is filled with white and then only
+ the black areas are drawn.
+-The \*(Ps specification of the black drawing operations
++The PostScript specification of the black drawing operations
+ is optimized by using a special font that encodes the
+ move-draw operations required to fill
+ the black regions on the page.
+ This compression scheme typically results in a substantially
+-reduced \*(Ps description, relative to the straightforward
+-imaging of the page with a \*(Ps
++reduced PostScript description, relative to the straightforward
++imaging of the page with a PostScript
+ .I image
+ operator.
+ This algorithm can, however, be ineffective
+@@ -138,9 +138,9 @@
+ attempts to recover from such data errors by resynchronizing
+ decoding at the end of the current scanline.
+ This can result in long horizontal black lines in the resultant
+-\*(Ps image.
++PostScript image.
+ .SH NOTES
+-If the destination printer supports \*(Ps Level II then
++If the destination printer supports PostScript Level II then
+ it is always faster to just send the encoded bitmap generated
+ by the
+ .BR tiff2ps (1)
+@@ -149,7 +149,7 @@
+ .I fax2ps
+ should probably figure out when it is doing a poor
+ job of compressing the output and just generate 
+-\*(Ps to image the bitmap raster instead.
++PostScript to image the bitmap raster instead.
+ .SH "SEE ALSO"
+ .BR tiff2ps (1),
+ .BR libtiff (3)
diff -ruN tiff.orig/files/patch-man+raw2tiff.1 tiff/files/patch-man+raw2tiff.1
--- tiff.orig/files/patch-man+raw2tiff.1	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-man+raw2tiff.1	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,11 @@
+--- man/raw2tiff.1.orig	2008-08-17 13:03:49.042994359 -0400
++++ man/raw2tiff.1	2008-08-17 13:03:52.519034963 -0400
+@@ -184,7 +184,7 @@
+ in some cases. But for most ordinary images guessing method will work fine.
+ .SH "SEE ALSO"
+ .BR pal2rgb (1),
+-.bR tiffinfo (1),
++.BR tiffinfo (1),
+ .BR tiffcp (1),
+ .BR tiffmedian (1),
+ .BR libtiff (3)
diff -ruN tiff.orig/files/patch-man+tiff2pdf.1 tiff/files/patch-man+tiff2pdf.1
--- tiff.orig/files/patch-man+tiff2pdf.1	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-man+tiff2pdf.1	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,34 @@
+--- man/tiff2pdf.1.orig	2008-08-17 13:03:49.046994376 -0400
++++ man/tiff2pdf.1	2008-08-17 13:03:52.522727821 -0400
+@@ -207,18 +207,14 @@
+ The following example would generate the file output.pdf from input.tiff.
+ .PP
+ .RS
+-.NF
+-tiff2pdf -o output.pdf input.tiff
+-.FI
++\f(CWtiff2pdf -o output.pdf input.tiff\fP
+ .RE
+ .PP
+ The following example would generate PDF output from input.tiff and write it 
+ to standard output.
+ .PP
+ .RS
+-.NF
+-tiff2pdf input.tiff
+-.FI
++\f(CWtiff2pdf input.tiff\fP
+ .RE
+ .PP
+ The following example would generate the file output.pdf from input.tiff, 
+@@ -227,9 +223,7 @@
+ the "Fit Window" option.
+ .PP
+ .RS
+-.NF
+-tiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff
+-.FI
++\f(CWtiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff\f)
+ .RE
+ .SH BUGS
+ Please report bugs via the web interface at 
diff -ruN tiff.orig/files/patch-man+tiff2ps.1 tiff/files/patch-man+tiff2ps.1
--- tiff.orig/files/patch-man+tiff2ps.1	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-man+tiff2ps.1	2008-09-17 01:52:30.302415991 -0400
@@ -0,0 +1,142 @@
+--- man/tiff2ps.1.orig	2008-08-17 13:03:49.050994382 -0400
++++ man/tiff2ps.1	2008-08-17 13:03:52.522727821 -0400
+@@ -27,7 +27,7 @@
+ .SH NAME
+ tiff2ps \- convert a
+ .SM TIFF
+-image to \*(Ps\(tm
++image to PostScript\(tm
+ .SH SYNOPSIS
+ .B tiff2ps
+ [
+@@ -38,17 +38,17 @@
+ .I tiff2ps
+ reads
+ .SM TIFF
+-images and writes \*(Ps or Encapsulated \*(Ps (EPS)
++images and writes PostScript or Encapsulated PostScript (EPS)
+ on the standard output.
+ By default,
+ .I tiff2ps
+-writes Encapsulated \*(Ps for the first image in the specified
++writes Encapsulated PostScript for the first image in the specified
+ .SM TIFF
+ image file.
+ .PP
+ By default,
+ .I tiff2ps
+-will generate \*(Ps that fills a printed area specified
++will generate PostScript that fills a printed area specified
+ by the 
+ .SM TIFF
+ tags in the input file.
+@@ -67,22 +67,22 @@
+ .SM TIFF
+ tags.
+ .PP
+-The \*(Ps generated for
++The PostScript generated for
+ .SM RGB,
+ palette, and
+ .SM CMYK
+ images uses the
+ .I colorimage
+ operator.
+-The \*(Ps generated for
++The PostScript generated for
+ greyscale and bilevel images
+ uses the
+ .I image
+ operator.
+ When the
+ .I colorimage
+-operator is used, \*(Ps code to emulate this operator
+-on older \*(Ps printers is also generated.
++operator is used, PostScript code to emulate this operator
++on older PostScript printers is also generated.
+ Note that this emulation code can be very slow.
+ .PP
+ Color images with associated alpha data are composited over
+@@ -90,13 +90,13 @@
+ .SH OPTIONS
+ .TP
+ .B \-1
+-Generate \*(Ps Level 1 (the default).
++Generate PostScript Level 1 (the default).
+ .TP
+ .B \-2
+-Generate \*(Ps Level 2.
++Generate PostScript Level 2.
+ .TP
+ .B \-3
+-Generate \*(Ps Level 3. It basically allows one to use the /flateDecode
++Generate PostScript Level 3. It basically allows one to use the /flateDecode
+ filter for ZIP compressed TIFF images.
+ .TP
+ .B \-a
+@@ -119,7 +119,7 @@
+ multi-page (e.g. facsimile) file.
+ .TP
+ .B \-e
+-Force the generation of Encapsulated \*(Ps (implies -z).
++Force the generation of Encapsulated PostScript (implies -z).
+ .TP
+ .B \-h
+ Specify the vertical size of the printed area (in inches).
+@@ -148,7 +148,7 @@
+ .B \-m
+ Where possible render using the
+ .B imagemask
+-\*(Ps operator instead of the image operator.  When this option is specified
++PostScript operator instead of the image operator.  When this option is specified
+ .I tiff2ps
+ will use
+ .B imagemask
+@@ -166,7 +166,7 @@
+ like which are hidden using the SubIFD tag.
+ .TP
+ .B \-p
+-Force the generation of (non-Encapsulated) \*(Ps.
++Force the generation of (non-Encapsulated) PostScript.
+ .TP
+ .B \-r
+ Rotate image by 180 degrees.
+@@ -184,15 +184,15 @@
+ Override resolution units specified in the TIFF as inches.
+ .TP
+ .B \-z
+-When generating \*(Ps Level 2, data is scaled so that it does not
++When generating PostScript Level 2, data is scaled so that it does not
+ image into the 
+ .I deadzone
+ on a page (the outer margin that the printing device is unable to mark).
+ This option suppresses this behavior.
+-When \*(Ps Level 1 is generated, data is imaged to the entire printed
++When PostScript Level 1 is generated, data is imaged to the entire printed
+ page and this option has no affect.
+ .SH EXAMPLES
+-The following generates \*(Ps Level 2 for all pages of a facsimile:
++The following generates PostScript Level 2 for all pages of a facsimile:
+ .RS
+ .nf
+ tiff2ps -a2 fax.tif | lpr
+@@ -201,7 +201,7 @@
+ Note also that if you have version 2.6.1 or newer of Ghostscript then you
+ can efficiently preview facsimile generated with the above command.
+ .PP
+-To generate Encapsulated \*(Ps for a the image at directory 2
++To generate Encapsulated PostScript for a the image at directory 2
+ of an image use:
+ .RS
+ .nf
+@@ -228,8 +228,8 @@
+ .B \-L.5
+ option says to repeat a half inch on the next page (to improve readability).
+ .SH BUGS
+-Because \*(Ps does not support the notion of a colormap,
+-8-bit palette images produce 24-bit \*(Ps images.
++Because PostScript does not support the notion of a colormap,
++8-bit palette images produce 24-bit PostScript images.
+ This conversion results in output that is six times
+ bigger than the original image and which takes a long time
+ to send to a printer over a serial line.
diff -ruN tiff.orig/files/patch-man+tiffcmp.1 tiff/files/patch-man+tiffcmp.1
--- tiff.orig/files/patch-man+tiffcmp.1	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-man+tiffcmp.1	2008-09-17 01:52:30.302415991 -0400
@@ -0,0 +1,11 @@
+--- man/tiffcmp.1.orig	2008-08-17 13:03:49.062994301 -0400
++++ man/tiffcmp.1	2008-08-17 13:03:52.522727821 -0400
+@@ -77,7 +77,7 @@
+ in some exotic cases. 
+ .SH "SEE ALSO"
+ .BR pal2rgb (1),
+-.bR tiffinfo (1),
++.BR tiffinfo (1),
+ .BR tiffcp (1),
+ .BR tiffmedian (1),
+ .BR libtiff (3TIFF)
diff -ruN tiff.orig/files/patch-man+tiffsplit.1 tiff/files/patch-man+tiffsplit.1
--- tiff.orig/files/patch-man+tiffsplit.1	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-man+tiffsplit.1	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,11 @@
+--- man/tiffsplit.1.orig	2008-08-17 13:03:49.070994233 -0400
++++ man/tiffsplit.1	2008-08-17 13:03:52.522727821 -0400
+@@ -50,7 +50,7 @@
+ (e.g. 
+ .IR xaaa.tif ,
+ .IR xaab.tif ,
+-\...
++.IR ... ,
+ .IR xzzz.tif ).
+ If a prefix is not specified on the command line,
+ the default prefix of
diff -ruN tiff.orig/files/patch-tools+tiff2pdf.c tiff/files/patch-tools+tiff2pdf.c
--- tiff.orig/files/patch-tools+tiff2pdf.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-tools+tiff2pdf.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,13 @@
+CVE-2006-2193
+===================================================================
+--- tools/tiff2pdf.c.orig	2006-06-04 18:26:40.000000000 -0700
++++ tools/tiff2pdf.c	2006-06-04 18:27:22.000000000 -0700
+@@ -3668,7 +3668,7 @@
+ 	written += TIFFWriteFile(output, (tdata_t) "(", 1);
+ 	for (i=0;i<len;i++){
+ 		if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
+-			sprintf(buffer, "\\%.3o", pdfstr[i]);
++			snprintf(buffer, "\\%.3o", pdfstr[i]);
+ 			written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+ 		} else {
+ 			switch (pdfstr[i]){
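Review bot: The replacement call `snprintf(buffer, "\\%.3o", pdfstr[i]);` has no size argument, so the format string lands where the `size_t` bound belongs and `pdfstr[i]` where the format belongs. That does not bound the write and should not compile without a diagnostic. Assuming `buffer` is a local array (its declaration is outside the hunk), the line should read `snprintf(buffer, sizeof(buffer), "\\%.3o", (unsigned char)pdfstr[i]);`. The cast matters too: if `pdfstr` is a plain `char` that is signed, a byte with the high bit set is promoted to a negative `int` and `%o` prints more than three digits, while the next line always writes exactly 4 bytes from `buffer`.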
diff -ruN tiff.orig/files/patch-tools+tiffsplit.c tiff/files/patch-tools+tiffsplit.c
--- tiff.orig/files/patch-tools+tiffsplit.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff/files/patch-tools+tiffsplit.c	2008-09-17 01:52:30.292411647 -0400
@@ -0,0 +1,21 @@
+CVE-2006-2656
+===================================================================
+--- tools/tiffsplit.c.orig	2008-08-17 13:03:49.014994263 -0400
++++ tools/tiffsplit.c	2008-08-17 13:03:52.726994578 -0400
+@@ -61,14 +61,13 @@
+ 		return (-3);
+ 	}
+ 	if (argc > 2)
+-		strcpy(fname, argv[2]);
++		snprintf(fname, sizeof(fname), "%s", argv[2]);
+ 	in = TIFFOpen(argv[1], "r");
+ 	if (in != NULL) {
+ 		do {
+ 			char path[1024+1];
+ 			newfilename();
+-			strcpy(path, fname);
+-			strcat(path, ".tif");
++			snprintf(path, sizeof(path), "%s.tif", fname);
+ 			out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+ 			if (out == NULL)
+ 				return (-2);
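Review bot: Neither `snprintf` call checks its return value, so an over-long prefix in `argv[2]` is now silently truncated instead of rejected, and `path` can be opened without its `.tif` suffix or under a name the user did not ask for. Treating a negative result or one that reaches the buffer size as an error makes that explicit, e.g. `n = snprintf(path, sizeof(path), "%s.tif", fname); if (n < 0 || (size_t)n >= sizeof(path)) return (-2);`, with the return code chosen to fit the tool's existing codes. `sizeof(fname)` is only the right bound if `fname` is an array. Its declaration, and `newfilename()`, which presumably rewrites it, are outside the hunk.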


>Release-Note:
>Audit-Trail:
>Unformatted:


