diff options
author | Leo Famulari <leo@famulari.name> | 2017-05-27 11:31:52 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-05-28 14:34:43 -0400 |
commit | 22e6656d259838ae9014c1ed876caa9d819be6df (patch) | |
tree | 9cafcde5a5d845fa138a6f9d9b5d91458df56b41 | |
parent | 3cae15023f4b97554dcc6e914a5ddbc3a3c564d6 (diff) | |
download | guix-22e6656d259838ae9014c1ed876caa9d819be6df.tar guix-22e6656d259838ae9014c1ed876caa9d819be6df.tar.gz |
gnu: libtiff: Update replacement to 4.0.8 [security fixes].
See 'ChangeLog' in the source distribution for more information about
the bugs and security issues fixed in this release.
* gnu/packages/image.scm (libtiff)[replacement]: Replace with libtiff-4.0.8.
(libtiff/fixed): Replace with ...
(libtiff-4.0.8): New variable.
* gnu/packages/patches/libtiff-CVE-2017-7593.patch,
gnu/packages/patches/libtiff-CVE-2017-7594.patch,
gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
-rw-r--r-- | gnu/local.mk | 3 | ||||
-rw-r--r-- | gnu/packages/image.scm | 18 | ||||
-rw-r--r-- | gnu/packages/patches/libtiff-CVE-2017-7593.patch | 113 | ||||
-rw-r--r-- | gnu/packages/patches/libtiff-CVE-2017-7594.patch | 54 | ||||
-rw-r--r-- | gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch | 449 |
5 files changed, 9 insertions, 628 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 9ef9f95533..2e60585432 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -751,9 +751,6 @@ dist_patch_DATA = \ %D%/packages/patches/libtiff-CVE-2016-10093.patch \ %D%/packages/patches/libtiff-CVE-2016-10094.patch \ %D%/packages/patches/libtiff-CVE-2017-5225.patch \ - %D%/packages/patches/libtiff-CVE-2017-7593.patch \ - %D%/packages/patches/libtiff-CVE-2017-7594.patch \ - %D%/packages/patches/libtiff-multiple-UBSAN-crashes.patch \ %D%/packages/patches/libtiff-assertion-failure.patch \ %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \ %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 86902d5680..fe9e457f34 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -335,7 +335,7 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") - (replacement libtiff/fixed) + (replacement libtiff-4.0.8) (version "4.0.7") (source (origin (method url-fetch) @@ -384,18 +384,18 @@ collection of tools for doing simple manipulations of TIFF images.") "See COPYRIGHT in the distribution.")) (home-page "http://www.simplesystems.org/libtiff/"))) -(define libtiff/fixed +(define libtiff-4.0.8 (package (inherit libtiff) + (version "4.0.8") (source (origin - (inherit (package-source libtiff)) - (patches - (append - (origin-patches (package-source libtiff)) - (search-patches "libtiff-CVE-2017-7593.patch" - "libtiff-CVE-2017-7594.patch" - "libtiff-multiple-UBSAN-crashes.patch"))))))) + (method url-fetch) + (uri (string-append "http://download.osgeo.org/libtiff/tiff-" + version ".tar.gz")) + (sha256 + (base32 + "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr")))))) (define-public libwmf (package diff --git a/gnu/packages/patches/libtiff-CVE-2017-7593.patch b/gnu/packages/patches/libtiff-CVE-2017-7593.patch deleted file mode 100644 index 496efb73b9..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2017-7593.patch +++ /dev/null @@ -1,113 +0,0 @@ -Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawdata): - -http://bugzilla.maptools.org/show_bug.cgi?id=2651 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593 -https://security-tracker.debian.org/tracker/CVE-2017-7593 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add - _TIFFcalloc() - - * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero - initialize tif_rawdata. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1208; previous revision: 1.1207 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c -new revision: 1.53; previous revision: 1.52 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v <-- libtiff/tif_unix.c -new revision: 1.28; previous revision: 1.27 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v <-- libtiff/tif_vms.c -new revision: 1.14; previous revision: 1.13 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v <-- libtiff/tif_win32.c -new revision: 1.42; previous revision: 1.41 -/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v <-- libtiff/tiffio.h -new revision: 1.94; previous revision: 1.93 - -diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h ---- tiff-4.0.7/libtiff/tiffio.h 1969-12-31 19:00:00.000000000 -0500 -+++ tiff-4.0.7.new/libtiff/tiffio.h 2017-05-05 19:08:03.772999790 -0400 -@@ -1,4 +1,4 @@ --/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */ -+/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -293,6 +293,7 @@ - */ - - extern void* _TIFFmalloc(tmsize_t s); -+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); - extern void* _TIFFrealloc(void* p, tmsize_t s); - extern void _TIFFmemset(void* p, int v, tmsize_t c); - extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); -diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c ---- tiff-4.0.7/libtiff/tif_read.c 2017-05-05 19:04:09.740966642 -0400 -+++ tiff-4.0.7.new/libtiff/tif_read.c 2017-05-05 18:59:11.070709441 -0400 -@@ -1,4 +1,4 @@ --/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */ -+/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -976,7 +976,9 @@ - "Invalid buffer size"); - return (0); - } -- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize); -+ /* Initialize to zero to avoid uninitialized buffers in case of */ -+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */ -+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); - tif->tif_flags |= TIFF_MYBUFFER; - } - if (tif->tif_rawdata == NULL) { -diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c ---- tiff-4.0.7/libtiff/tif_unix.c 1969-12-31 19:00:00.000000000 -0500 -+++ tiff-4.0.7.new/libtiff/tif_unix.c 2017-05-05 19:10:48.302645187 -0400 -@@ -1,4 +1,4 @@ --/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */ -+/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -316,6 +316,14 @@ - return (malloc((size_t) s)); - } - -+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) -+{ -+ if( nmemb == 0 || siz == 0 ) -+ return ((void *) NULL); -+ -+ return calloc((size_t) nmemb, (size_t)siz); -+} -+ - void - _TIFFfree(void* p) - { -diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32.c ---- tiff-4.0.7/libtiff/tif_win32.c 1969-12-31 19:00:00.000000000 -0500 -+++ tiff-4.0.7.new/libtiff/tif_win32.c 2017-05-05 19:13:06.903399627 -0400 -@@ -1,4 +1,4 @@ --/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */ -+/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -360,6 +360,14 @@ - return (malloc((size_t) s)); - } - -+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) -+{ -+ if( nmemb == 0 || siz == 0 ) -+ return ((void *) NULL); -+ -+ return calloc((size_t) nmemb, (size_t)siz); -+} -+ - void - _TIFFfree(void* p) - { diff --git a/gnu/packages/patches/libtiff-CVE-2017-7594.patch b/gnu/packages/patches/libtiff-CVE-2017-7594.patch deleted file mode 100644 index d17997d447..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2017-7594.patch +++ /dev/null @@ -1,54 +0,0 @@ -Fixes CVE-2017-7594 (Direct leak in tif_ojpeg.c): - -http://bugzilla.maptools.org/show_bug.cgi?id=2659 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7594 -https://security-tracker.debian.org/tracker/CVE-2017-7594 - -2017-01-12 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable - when read fails. - Patch by Nicolás Peña. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1212; previous revision: 1.1211 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c -new revision: 1.67; previous revision: 1.66 - -Index: libtiff/libtiff/tif_ojpeg.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v -retrieving revision 1.67 -retrieving revision 1.68 -diff -u -r1.67 -r1.68 ---- libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 17:43:26 -0000 1.67 -+++ libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 19:23:20 -0000 1.68 -@@ -1,4 +1,4 @@ --/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */ -+/* $Id: tif_ojpeg.c,v 1.68 2017-01-12 19:23:20 erouault Exp $ */ - - /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0 - specification is now totally obsolete and deprecated for new applications and -@@ -1790,7 +1790,10 @@ - TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); - p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64); - if (p!=64) -+ { -+ _TIFFfree(ob); - return(0); -+ } - sp->qtable[m]=ob; - sp->sof_tq[m]=m; - } -@@ -1854,7 +1857,10 @@ - rb[sizeof(uint32)+5+n]=o[n]; - p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); - if (p!=q) -+ { -+ _TIFFfree(rb); - return(0); -+ } - sp->dctable[m]=rb; - sp->sos_tda[m]=(m<<4); - } diff --git a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch deleted file mode 100644 index 2f4509f386..0000000000 --- a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch +++ /dev/null @@ -1,449 +0,0 @@ -Fixes CVE-2017-{7595,7596,7597,7598,7599,7600,7601,7602}: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7595 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7596 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7597 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7598 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7599 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7600 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7601 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7602 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various - clampings - of double to other data types to avoid undefined behaviour if the - output range - isn't big enough to hold the input value. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 - http://bugzilla.maptools.org/show_bug.cgi?id=2642 - http://bugzilla.maptools.org/show_bug.cgi?id=2646 - http://bugzilla.maptools.org/show_bug.cgi?id=2647 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1204; previous revision: 1.1203 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c -new revision: 1.129; previous revision: 1.128 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c -new revision: 1.207; previous revision: 1.206 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- libtiff/tif_dirwrite.c -new revision: 1.85; previous revision: 1.84 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_dirread.c: avoid division by floating point 0 in - TIFFReadDirEntryCheckedRational() and - TIFFReadDirEntryCheckedSrational(), - and return 0 in that case (instead of infinity as before presumably) - Apparently some sanitizers do not like those divisions by zero. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1203; previous revision: 1.1202 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c -new revision: 1.206; previous revision: 1.205 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to - avoid undefined behaviour caused by invalid shift exponent. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1205; previous revision: 1.1204 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v <-- libtiff/tif_jpeg.c -new revision: 1.126; previous revision: 1.125 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_read.c: avoid potential undefined behaviour on signed - integer addition in TIFFReadRawStrip1() in isMapped() case. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1206; previous revision: 1.1205 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c -new revision: 1.51; previous revision: 1.50 - -Index: libtiff/libtiff/tif_dir.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v -retrieving revision 1.128 -retrieving revision 1.129 -diff -u -r1.128 -r1.129 ---- libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128 -+++ libtiff/libtiff/tif_dir.c 11 Jan 2017 16:09:02 -0000 1.129 -@@ -1,4 +1,4 @@ --/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */ -+/* $Id: tif_dir.c,v 1.129 2017-01-11 16:09:02 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -31,6 +31,7 @@ - * (and also some miscellaneous stuff) - */ - #include "tiffiop.h" -+#include <float.h> - - /* - * These are used in the backwards compatibility code... -@@ -154,6 +155,15 @@ - return (0); - } - -+static float TIFFClampDoubleToFloat( double val ) -+{ -+ if( val > FLT_MAX ) -+ return FLT_MAX; -+ if( val < -FLT_MAX ) -+ return -FLT_MAX; -+ return (float)val; -+} -+ - static int - _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - { -@@ -312,13 +322,13 @@ - dblval = va_arg(ap, double); - if( dblval < 0 ) - goto badvaluedouble; -- td->td_xresolution = (float) dblval; -+ td->td_xresolution = TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_YRESOLUTION: - dblval = va_arg(ap, double); - if( dblval < 0 ) - goto badvaluedouble; -- td->td_yresolution = (float) dblval; -+ td->td_yresolution = TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_PLANARCONFIG: - v = (uint16) va_arg(ap, uint16_vap); -@@ -327,10 +337,10 @@ - td->td_planarconfig = (uint16) v; - break; - case TIFFTAG_XPOSITION: -- td->td_xposition = (float) va_arg(ap, double); -+ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); - break; - case TIFFTAG_YPOSITION: -- td->td_yposition = (float) va_arg(ap, double); -+ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); - break; - case TIFFTAG_RESOLUTIONUNIT: - v = (uint16) va_arg(ap, uint16_vap); -Index: libtiff/libtiff/tif_dirread.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v -retrieving revision 1.206 -retrieving revision 1.207 -diff -u -r1.206 -r1.207 ---- libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206 -+++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 16:09:02 -0000 1.207 -@@ -1,4 +1,4 @@ --/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */ -+/* $Id: tif_dirread.c,v 1.207 2017-01-11 16:09:02 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -40,6 +40,7 @@ - */ - - #include "tiffiop.h" -+#include <float.h> - - #define IGNORE 0 /* tag placeholder used below */ - #define FAILED_FII ((uint32) -1) -@@ -2406,7 +2407,14 @@ - ma=(double*)origdata; - mb=data; - for (n=0; n<count; n++) -- *mb++=(float)(*ma++); -+ { -+ double val = *ma++; -+ if( val > FLT_MAX ) -+ val = FLT_MAX; -+ else if( val < -FLT_MAX ) -+ val = -FLT_MAX; -+ *mb++=(float)val; -+ } - } - break; - } -Index: libtiff/libtiff/tif_dirwrite.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v -retrieving revision 1.84 -retrieving revision 1.85 -diff -u -r1.84 -r1.85 ---- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 12:51:59 -0000 1.84 -+++ libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85 -@@ -1,4 +1,4 @@ --/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */ -+/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -30,6 +30,7 @@ - * Directory Write Support Routines. - */ - #include "tiffiop.h" -+#include <float.h> - - #ifdef HAVE_IEEEFP - #define TIFFCvtNativeToIEEEFloat(tif, n, fp) -@@ -939,6 +940,69 @@ - return(0); - } - -+static float TIFFClampDoubleToFloat( double val ) -+{ -+ if( val > FLT_MAX ) -+ return FLT_MAX; -+ if( val < -FLT_MAX ) -+ return -FLT_MAX; -+ return (float)val; -+} -+ -+static int8 TIFFClampDoubleToInt8( double val ) -+{ -+ if( val > 127 ) -+ return 127; -+ if( val < -128 || val != val ) -+ return -128; -+ return (int8)val; -+} -+ -+static int16 TIFFClampDoubleToInt16( double val ) -+{ -+ if( val > 32767 ) -+ return 32767; -+ if( val < -32768 || val != val ) -+ return -32768; -+ return (int16)val; -+} -+ -+static int32 TIFFClampDoubleToInt32( double val ) -+{ -+ if( val > 0x7FFFFFFF ) -+ return 0x7FFFFFFF; -+ if( val < -0x7FFFFFFF-1 || val != val ) -+ return -0x7FFFFFFF-1; -+ return (int32)val; -+} -+ -+static uint8 TIFFClampDoubleToUInt8( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 255 || val != val ) -+ return 255; -+ return (uint8)val; -+} -+ -+static uint16 TIFFClampDoubleToUInt16( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 65535 || val != val ) -+ return 65535; -+ return (uint16)val; -+} -+ -+static uint32 TIFFClampDoubleToUInt32( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 0xFFFFFFFFU || val != val ) -+ return 0xFFFFFFFFU; -+ return (uint32)val; -+} -+ - static int - TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value) - { -@@ -959,7 +1023,7 @@ - if (tif->tif_dir.td_bitspersample<=32) - { - for (i = 0; i < count; ++i) -- ((float*)conv)[i] = (float)value[i]; -+ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); - ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); - } - else -@@ -971,19 +1035,19 @@ - if (tif->tif_dir.td_bitspersample<=8) - { - for (i = 0; i < count; ++i) -- ((int8*)conv)[i] = (int8)value[i]; -+ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]); - ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv); - } - else if (tif->tif_dir.td_bitspersample<=16) - { - for (i = 0; i < count; ++i) -- ((int16*)conv)[i] = (int16)value[i]; -+ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]); - ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv); - } - else - { - for (i = 0; i < count; ++i) -- ((int32*)conv)[i] = (int32)value[i]; -+ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]); - ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv); - } - break; -@@ -991,19 +1055,19 @@ - if (tif->tif_dir.td_bitspersample<=8) - { - for (i = 0; i < count; ++i) -- ((uint8*)conv)[i] = (uint8)value[i]; -+ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]); - ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv); - } - else if (tif->tif_dir.td_bitspersample<=16) - { - for (i = 0; i < count; ++i) -- ((uint16*)conv)[i] = (uint16)value[i]; -+ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]); - ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv); - } - else - { - for (i = 0; i < count; ++i) -- ((uint32*)conv)[i] = (uint32)value[i]; -+ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]); - ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv); - } - break; -@@ -2102,7 +2102,7 @@ - m[0]=0; - m[1]=1; - } -- else if (value==(double)(uint32)value) -+ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value) - { - m[0]=(uint32)value; - m[1]=1; -@@ -2148,12 +2217,13 @@ - } - for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++) - { -- if (*na<=0.0) -+ if (*na<=0.0 || *na != *na) - { - nb[0]=0; - nb[1]=1; - } -- else if (*na==(float)(uint32)(*na)) -+ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU && -+ *na==(float)(uint32)(*na)) - { - nb[0]=(uint32)(*na); - nb[1]=1; -Index: libtiff/libtiff/tif_dirread.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v -retrieving revision 1.205 -retrieving revision 1.206 -diff -u -r1.205 -r1.206 ---- libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205 -+++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206 -@@ -2872,7 +2872,10 @@ - m.l = direntry->tdir_offset.toff_long8; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong(m.i,2); -- if (m.i[0]==0) -+ /* Not completely sure what we should do when m.i[1]==0, but some */ -+ /* sanitizers do not like division by 0.0: */ -+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ -+ if (m.i[0]==0 || m.i[1]==0) - *value=0.0; - else - *value=(double)m.i[0]/(double)m.i[1]; -@@ -2900,7 +2903,10 @@ - m.l=direntry->tdir_offset.toff_long8; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong(m.i,2); -- if ((int32)m.i[0]==0) -+ /* Not completely sure what we should do when m.i[1]==0, but some */ -+ /* sanitizers do not like division by 0.0: */ -+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ -+ if ((int32)m.i[0]==0 || m.i[1]==0) - *value=0.0; - else - *value=(double)((int32)m.i[0])/(double)m.i[1]; -Index: libtiff/libtiff/tif_jpeg.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v -retrieving revision 1.125 -retrieving revision 1.126 -diff -u -r1.125 -r1.126 ---- libtiff/libtiff/tif_jpeg.c 11 Jan 2017 12:15:01 -0000 1.125 -+++ libtiff/libtiff/tif_jpeg.c 11 Jan 2017 16:13:50 -0000 1.126 -@@ -1,4 +1,4 @@ --/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */ -+/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */ - - /* - * Copyright (c) 1994-1997 Sam Leffler -@@ -1632,6 +1632,13 @@ - "Invalig horizontal/vertical sampling value"); - return (0); - } -+ if( td->td_bitspersample > 16 ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "BitsPerSample %d not allowed for JPEG", -+ td->td_bitspersample); -+ return (0); -+ } - - /* - * A ReferenceBlackWhite field *must* be present since the -Index: libtiff/libtiff/tif_read.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v -retrieving revision 1.50 -retrieving revision 1.51 -diff -u -r1.50 -r1.51 ---- libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50 -+++ libtiff/libtiff/tif_read.c 11 Jan 2017 16:33:34 -0000 1.51 -@@ -420,16 +420,25 @@ - return ((tmsize_t)(-1)); - } - } else { -- tmsize_t ma,mb; -+ tmsize_t ma; - tmsize_t n; -- ma=(tmsize_t)td->td_stripoffset[strip]; -- mb=ma+size; -- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) -- n=0; -- else if ((mb<ma)||(mb<size)||(mb>tif->tif_size)) -- n=tif->tif_size-ma; -- else -- n=size; -+ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| -+ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size)) -+ { -+ n=0; -+ } -+ else if( ma > TIFF_TMSIZE_T_MAX - size ) -+ { -+ n=0; -+ } -+ else -+ { -+ tmsize_t mb=ma+size; -+ if (mb>tif->tif_size) -+ n=tif->tif_size-ma; -+ else -+ n=size; -+ } - if (n!=size) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, |