From 2fc470936877bdcc03f91f5b45a542b5efd5026c Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 30 Nov 2017 16:33:24 -0500 Subject: [PATCH] gnu: libtiff: Update to 4.0.9. * gnu/packages/image.scm (libtiff): Update to 4.0.9. [source]: Remove obsolete patches. * gnu/packages/patches/libtiff-CVE-2016-10688.patch, gnu/packages/patches/libtiff-CVE-2017-9936.patch, gnu/packages/patches/libtiff-tiffgetfield-bugs.patch, gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch, gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 5 - gnu/packages/image.scm | 10 +- .../patches/libtiff-CVE-2016-10688.patch | 92 -------- .../patches/libtiff-CVE-2017-9936.patch | 47 ---- .../patches/libtiff-tiffgetfield-bugs.patch | 201 ------------------ ...tiff-tiffycbcrtorgb-integer-overflow.patch | 57 ----- ...-tiffycbcrtorgbinit-integer-overflow.patch | 43 ---- 7 files changed, 2 insertions(+), 453 deletions(-) delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-10688.patch delete mode 100644 gnu/packages/patches/libtiff-CVE-2017-9936.patch delete mode 100644 gnu/packages/patches/libtiff-tiffgetfield-bugs.patch delete mode 100644 gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch delete mode 100644 gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch diff --git a/gnu/local.mk b/gnu/local.mk index 15f673c046..5a701075ff 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -809,11 +809,6 @@ dist_patch_DATA = \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtasn1-CVE-2017-10790.patch \ %D%/packages/patches/libtheora-config-guess.patch \ - %D%/packages/patches/libtiff-CVE-2016-10688.patch \ - %D%/packages/patches/libtiff-CVE-2017-9936.patch \ - %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \ - %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \ - %D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \ %D%/packages/patches/libtirpc-CVE-2017-8779.patch \ %D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index bc1ad88c65..5b73be9f8d 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -386,21 +386,15 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") - (version "4.0.8") + (version "4.0.9") (source (origin (method url-fetch) (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" version ".tar.gz")) - (patches - (search-patches "libtiff-tiffgetfield-bugs.patch" - "libtiff-CVE-2016-10688.patch" - "libtiff-CVE-2017-9936.patch" - "libtiff-tiffycbcrtorgb-integer-overflow.patch" - "libtiff-tiffycbcrtorgbinit-integer-overflow.patch")) (sha256 (base32 - "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr")))) + "1kfg4q01r4mqn7dj63ifhi6pmqzbf4xax6ni6kkk81ri5kndwyvf")))) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.3 MiB of HTML documentation diff --git a/gnu/packages/patches/libtiff-CVE-2016-10688.patch b/gnu/packages/patches/libtiff-CVE-2016-10688.patch deleted file mode 100644 index 1630274c61..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-10688.patch +++ /dev/null @@ -1,92 +0,0 @@ -Fix CVE-2017-10688: - -http://bugzilla.maptools.org/show_bug.cgi?id=2712 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688 -https://security-tracker.debian.org/tracker/CVE-2017-10688 - -Patch lifted from upstream source repository (the changes to 'ChangeLog' -don't apply to the libtiff 4.0.8 release tarball). - -3rd party Git reference: - -https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 - -2017-06-30 Even Rouault - - * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() - functions associated with LONG8/SLONG8 data type, replace assertion -that - the file is BigTIFF, by a non-fatal error. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 - Reported by team OWL337 - - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1259; previous revision: 1.1258 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- -libtiff/tif_dirwrite.c -new revision: 1.86; previous revision: 1.85 - -Index: libtiff/libtiff/tif_dirwrite.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v -retrieving revision 1.85 -retrieving revision 1.86 -diff -u -r1.85 -r1.86 ---- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85 -+++ libtiff/libtiff/tif_dirwrite.c 30 Jun 2017 17:29:44 -0000 1.86 -@@ -1,4 +1,4 @@ --/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */ -+/* $Id: tif_dirwrite.c,v 1.86 2017-06-30 17:29:44 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -2111,7 +2111,10 @@ - { - uint64 m; - assert(sizeof(uint64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - m=value; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8(&m); -@@ -2124,7 +2127,10 @@ - { - assert(count<0x20000000); - assert(sizeof(uint64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong8(value,count); - return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); -@@ -2136,7 +2142,10 @@ - { - int64 m; - assert(sizeof(int64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - m=value; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8((uint64*)(&m)); -@@ -2149,7 +2158,10 @@ - { - assert(count<0x20000000); - assert(sizeof(int64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong8((uint64*)value,count); - return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); diff --git a/gnu/packages/patches/libtiff-CVE-2017-9936.patch b/gnu/packages/patches/libtiff-CVE-2017-9936.patch deleted file mode 100644 index fbdbcd0f0b..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2017-9936.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2017-9936: - -http://bugzilla.maptools.org/show_bug.cgi?id=2706 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936 -https://security-tracker.debian.org/tracker/CVE-2017-9936 - -Patch lifted from upstream source repository (the changes to 'ChangeLog' -don't apply to the libtiff 4.0.8 release tarball). - -3rd party Git reference: - -https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a - -2017-06-26 Even Rouault - - * libtiff/tif_jbig.c: fix memory leak in error code path of -JBIGDecode() - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 - Reported by team OWL337 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1254; previous revision: 1.1253 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v <-- libtiff/tif_jbig.c -new revision: 1.16; previous revision: 1.15 - -Index: libtiff/libtiff/tif_jbig.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v -retrieving revision 1.15 -retrieving revision 1.16 -diff -u -r1.15 -r1.16 ---- libtiff/libtiff/tif_jbig.c 10 Mar 2010 18:56:48 -0000 1.15 -+++ libtiff/libtiff/tif_jbig.c 26 Jun 2017 15:20:00 -0000 1.16 -@@ -1,4 +1,4 @@ --/* $Id: tif_jbig.c,v 1.15 2010-03-10 18:56:48 bfriesen Exp $ */ -+/* $Id: tif_jbig.c,v 1.16 2017-06-26 15:20:00 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -94,6 +94,7 @@ - jbg_strerror(decodeStatus) - #endif - ); -+ jbg_dec_free(&decoder); - return 0; - } - diff --git a/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch deleted file mode 100644 index 84566ca23e..0000000000 --- a/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch +++ /dev/null @@ -1,201 +0,0 @@ -Fix several bugs in libtiff related to use of TIFFGetField(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2580 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095 - -Patch copied from upstream CVS. 3rd-party Git reference: -https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 - -2017-06-01 Even Rouault - -* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -and use it in TIFFReadDirectory() so as to ignore fields whose tag is a -codec-specified tag but this codec is not enabled. This avoids TIFFGetField() -to behave differently depending on whether the codec is enabled or not, and -thus can avoid stack based buffer overflows in a number of TIFF utilities -such as tiffsplit, tiffcmp, thumbnail, etc. -Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch -(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaƫl Hertzog. -Fixes: -http://bugzilla.maptools.org/show_bug.cgi?id=2580 -http://bugzilla.maptools.org/show_bug.cgi?id=2693 -http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) -http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) -http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) -http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) -http://bugzilla.maptools.org/show_bug.cgi?id=2441 -http://bugzilla.maptools.org/show_bug.cgi?id=2433 -Index: libtiff/libtiff/tif_dirread.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v -retrieving revision 1.208 -retrieving revision 1.209 -diff -u -r1.208 -r1.209 ---- libtiff/libtiff/tif_dirread.c 27 Apr 2017 15:46:22 -0000 1.208 -+++ libtiff/libtiff/tif_dirread.c 1 Jun 2017 12:44:04 -0000 1.209 -@@ -1,4 +1,4 @@ --/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */ -+/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -3580,6 +3580,10 @@ - goto bad; - dp->tdir_tag=IGNORE; - break; -+ default: -+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) -+ dp->tdir_tag=IGNORE; -+ break; - } - } - } -Index: libtiff/libtiff/tif_dirinfo.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v -retrieving revision 1.126 -retrieving revision 1.127 -diff -u -r1.126 -r1.127 ---- libtiff/libtiff/tif_dirinfo.c 18 Nov 2016 02:52:13 -0000 1.126 -+++ libtiff/libtiff/tif_dirinfo.c 1 Jun 2017 12:44:04 -0000 1.127 -@@ -1,4 +1,4 @@ --/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */ -+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -956,6 +956,109 @@ - return 0; - } - -+int -+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) -+{ -+ /* Filter out non-codec specific tags */ -+ switch (tag) { -+ /* Shared tags */ -+ case TIFFTAG_PREDICTOR: -+ /* JPEG tags */ -+ case TIFFTAG_JPEGTABLES: -+ /* OJPEG tags */ -+ case TIFFTAG_JPEGIFOFFSET: -+ case TIFFTAG_JPEGIFBYTECOUNT: -+ case TIFFTAG_JPEGQTABLES: -+ case TIFFTAG_JPEGDCTABLES: -+ case TIFFTAG_JPEGACTABLES: -+ case TIFFTAG_JPEGPROC: -+ case TIFFTAG_JPEGRESTARTINTERVAL: -+ /* CCITT* */ -+ case TIFFTAG_BADFAXLINES: -+ case TIFFTAG_CLEANFAXDATA: -+ case TIFFTAG_CONSECUTIVEBADFAXLINES: -+ case TIFFTAG_GROUP3OPTIONS: -+ case TIFFTAG_GROUP4OPTIONS: -+ break; -+ default: -+ return 1; -+ } -+ /* Check if codec specific tags are allowed for the current -+ * compression scheme (codec) */ -+ switch (tif->tif_dir.td_compression) { -+ case COMPRESSION_LZW: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_PACKBITS: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_THUNDERSCAN: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_NEXT: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_JPEG: -+ if (tag == TIFFTAG_JPEGTABLES) -+ return 1; -+ break; -+ case COMPRESSION_OJPEG: -+ switch (tag) { -+ case TIFFTAG_JPEGIFOFFSET: -+ case TIFFTAG_JPEGIFBYTECOUNT: -+ case TIFFTAG_JPEGQTABLES: -+ case TIFFTAG_JPEGDCTABLES: -+ case TIFFTAG_JPEGACTABLES: -+ case TIFFTAG_JPEGPROC: -+ case TIFFTAG_JPEGRESTARTINTERVAL: -+ return 1; -+ } -+ break; -+ case COMPRESSION_CCITTRLE: -+ case COMPRESSION_CCITTRLEW: -+ case COMPRESSION_CCITTFAX3: -+ case COMPRESSION_CCITTFAX4: -+ switch (tag) { -+ case TIFFTAG_BADFAXLINES: -+ case TIFFTAG_CLEANFAXDATA: -+ case TIFFTAG_CONSECUTIVEBADFAXLINES: -+ return 1; -+ case TIFFTAG_GROUP3OPTIONS: -+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) -+ return 1; -+ break; -+ case TIFFTAG_GROUP4OPTIONS: -+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) -+ return 1; -+ break; -+ } -+ break; -+ case COMPRESSION_JBIG: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_DEFLATE: -+ case COMPRESSION_ADOBE_DEFLATE: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_PIXARLOG: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_SGILOG: -+ case COMPRESSION_SGILOG24: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_LZMA: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ -+ } -+ return 0; -+} -+ - /* vim: set ts=8 sts=8 sw=8 noet: */ - - /* -Index: libtiff/libtiff/tif_dir.h -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v -retrieving revision 1.54 -retrieving revision 1.55 -diff -u -r1.54 -r1.55 ---- libtiff/libtiff/tif_dir.h 18 Feb 2011 20:53:05 -0000 1.54 -+++ libtiff/libtiff/tif_dir.h 1 Jun 2017 12:44:04 -0000 1.55 -@@ -1,4 +1,4 @@ --/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */ -+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -291,6 +291,7 @@ - extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32); - extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); - extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); -+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); - - #if defined(__cplusplus) - } diff --git a/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch b/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch deleted file mode 100644 index 060740d953..0000000000 --- a/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch +++ /dev/null @@ -1,57 +0,0 @@ -Fix an integer overflow TIFFYCbCrtoRGB(): - -https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 - -3rd party Git reference: - -https://github.com/vadz/libtiff/commit/02669064e927074819ce1ed39aba0fccaa167717 - -2017-05-29 Even Rouault - - * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid - int32 overflow in TIFFYCbCrtoRGB(). - Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 - Credit to OSS Fuzz - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1241; previous revision: 1.1240 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v <-- libtiff/tif_color.c -new revision: 1.24; previous revision: 1.23 - -Index: libtiff/libtiff/tif_color.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v -retrieving revision 1.23 -retrieving revision 1.24 -diff -u -r1.23 -r1.24 ---- libtiff/libtiff/tif_color.c 13 May 2017 18:17:34 -0000 1.23 -+++ libtiff/libtiff/tif_color.c 29 May 2017 10:12:54 -0000 1.24 -@@ -1,4 +1,4 @@ --/* $Id: tif_color.c,v 1.23 2017-05-13 18:17:34 erouault Exp $ */ -+/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -275,10 +275,10 @@ - for (i = 0, x = -128; i < 256; i++, x++) { - int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F, - refBlackWhite[5] - 128.0F, 127), -- -128.0F * 64, 128.0F * 64); -+ -128.0F * 32, 128.0F * 32); - int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F, - refBlackWhite[3] - 128.0F, 127), -- -128.0F * 64, 128.0F * 64); -+ -128.0F * 32, 128.0F * 32); - - ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT); - ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT); -@@ -286,7 +286,7 @@ - ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF; - ycbcr->Y_tab[i] = - (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255), -- -128.0F * 64, 128.0F * 64); -+ -128.0F * 32, 128.0F * 32); - } - } - diff --git a/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch b/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch deleted file mode 100644 index a990641a49..0000000000 --- a/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch +++ /dev/null @@ -1,43 +0,0 @@ -Fix an integer overflow in initYCbCrConversion(): - -https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 - -3rd party Git reference - -https://github.com/vadz/libtiff/commit/468988860e0dae62ebbf991627c74bcbb4bd256f - - * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for - refBlackWhite coefficients values. To avoid invalid float->int32 conversion - (when refBlackWhite[0] == 2147483648.f) - Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 - Credit to OSS Fuzz - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1243; previous revision: 1.1242 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v <-- libtiff/tif_getimage.c -new revision: 1.107; previous revision: 1.106 - -Index: libtiff/libtiff/tif_getimage.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v -retrieving revision 1.106 -retrieving revision 1.107 -diff -u -r1.106 -r1.107 ---- libtiff/libtiff/tif_getimage.c 20 May 2017 11:29:02 -0000 1.106 -+++ libtiff/libtiff/tif_getimage.c 29 May 2017 11:29:06 -0000 1.107 -@@ -1,4 +1,4 @@ --/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */ -+/* $Id: tif_getimage.c,v 1.107 2017-05-29 11:29:06 erouault Exp $ */ - - /* - * Copyright (c) 1991-1997 Sam Leffler -@@ -2241,7 +2241,7 @@ - - static int isInRefBlackWhiteRange(float f) - { -- return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF; -+ return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF; - } - - static int