* [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/
@ 2019-04-20 1:29 Aaron Bauman
0 siblings, 0 replies; 6+ messages in thread
From: Aaron Bauman @ 2019-04-20 1:29 UTC (permalink / raw
To: gentoo-commits
commit: 6d9c2b4589629519d5d6e01349ed4770356dfa4c
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Fri Apr 19 18:03:11 2019 +0000
Commit: Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Sat Apr 20 01:27:13 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d9c2b45
media-libs/tiff: remove unused patches
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/11744
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org>
.../tiff/files/tiff-4.0.9-CVE-2017-18013.patch | 39 ------
...ff-4.0.9-CVE-2017-9935-fix-incorrect-type.patch | 58 --------
.../tiff/files/tiff-4.0.9-CVE-2017-9935.patch | 153 ---------------------
.../tiff/files/tiff-4.0.9-CVE-2018-5784.patch | 128 -----------------
4 files changed, 378 deletions(-)
diff --git a/media-libs/tiff/files/tiff-4.0.9-CVE-2017-18013.patch b/media-libs/tiff/files/tiff-4.0.9-CVE-2017-18013.patch
deleted file mode 100644
index 2db890aef90..00000000000
--- a/media-libs/tiff/files/tiff-4.0.9-CVE-2017-18013.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-https://bugs.gentoo.org/645982
-https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
-
-From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 31 Dec 2017 15:09:41 +0100
-Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
- dereference on corrupted file. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2770
-
----
- libtiff/tif_print.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 9959d353b1f9..8deceb2b054d 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
- (unsigned long) s,
-- (unsigned __int64) td->td_stripoffset[s],
-- (unsigned __int64) td->td_stripbytecount[s]);
-+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
-+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
- #else
- fprintf(fd, " %3lu: [%8llu, %8llu]\n",
- (unsigned long) s,
-- (unsigned long long) td->td_stripoffset[s],
-- (unsigned long long) td->td_stripbytecount[s]);
-+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
-+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
- #endif
- }
- }
---
-2.16.1
-
diff --git a/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935-fix-incorrect-type.patch b/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935-fix-incorrect-type.patch
deleted file mode 100644
index 101618ee7d5..00000000000
--- a/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935-fix-incorrect-type.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From d4f213636b6f950498a1386083199bd7f65676b9 Mon Sep 17 00:00:00 2001
-From: Brian May <brian@linuxpenguins.xyz>
-Date: Thu, 7 Dec 2017 07:49:20 +1100
-Subject: [PATCH] tiff2pdf: Fix apparent incorrect type for transfer table
-
-The standard says the transfer table contains unsigned 16 bit values,
-I have no idea why we refer to them as floats.
----
- tools/tiff2pdf.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index c3ec074..484776c 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -237,7 +237,7 @@ typedef struct {
- float tiff_whitechromaticities[2];
- float tiff_primarychromaticities[6];
- float tiff_referenceblackwhite[2];
-- float* tiff_transferfunction[3];
-+ uint16* tiff_transferfunction[3];
- int pdf_image_interpolate; /* 0 (default) : do not interpolate,
- 1 : interpolate */
- uint16 tiff_transferfunctioncount;
-@@ -1048,7 +1048,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- uint16 paged=0;
- uint16 xuint16=0;
- uint16 tiff_transferfunctioncount=0;
-- float* tiff_transferfunction[3];
-+ uint16* tiff_transferfunction[3];
-
- directorycount=TIFFNumberOfDirectories(input);
- t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
-@@ -1153,8 +1153,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- &(tiff_transferfunction[1]),
- &(tiff_transferfunction[2]))) {
-
-- if((tiff_transferfunction[1] != (float*) NULL) &&
-- (tiff_transferfunction[2] != (float*) NULL)
-+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
-+ (tiff_transferfunction[2] != (uint16*) NULL)
- ) {
- tiff_transferfunctioncount=3;
- } else {
-@@ -1851,8 +1851,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- &(t2p->tiff_transferfunction[0]),
- &(t2p->tiff_transferfunction[1]),
- &(t2p->tiff_transferfunction[2]))) {
-- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[2] != (float*) NULL)
-+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
-+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
- ) {
- t2p->tiff_transferfunctioncount=3;
- } else {
---
-libgit2 0.26.0
-
diff --git a/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935.patch b/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935.patch
deleted file mode 100644
index 96a10aa9b37..00000000000
--- a/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
-From: Brian May <brian@linuxpenguins.xyz>
-Date: Thu, 7 Dec 2017 07:46:47 +1100
-Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
-
-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-This vulnerability - at least for the supplied test case - is because we
-assume that a tiff will only have one transfer function that is the same
-for all pages. This is not required by the TIFF standards.
-
-We than read the transfer function for every page. Depending on the
-transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
-We allocate this memory after we read in the transfer function for the
-page.
-
-For the first exploit - POC1, this file has 3 pages. For the first page
-we allocate 2 extra extra XREF entries. Then for the next page 2 more
-entries. Then for the last page the transfer function changes and we
-allocate 4 more entries.
-
-When we read the file into memory, we assume we have 4 bytes extra for
-each and every page (as per the last transfer function we read). Which
-is not correct, we only have 2 bytes extra for the first 2 pages. As a
-result, we end up writing past the end of the buffer.
-
-There are also some related issues that this also fixes. For example,
-TIFFGetField can return uninitalized pointer values, and the logic to
-detect a N=3 vs N=1 transfer function seemed rather strange.
-
-It is also strange that we declare the transfer functions to be of type
-float, when the standard says they are unsigned 16 bit values. This is
-fixed in another patch.
-
-This patch will check to ensure that the N value for every transfer
-function is the same for every page. If this changes, we abort with an
-error. In theory, we should perhaps check that the transfer function
-itself is identical for every page, however we don't do that due to the
-confusion of the type of the data in the transfer function.
----
- libtiff/tif_dir.c | 3 +++
- tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------
- 2 files changed, 47 insertions(+), 21 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 2ccaf448fc40..cbf2b6933a40 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
- if (td->td_samplesperpixel - td->td_extrasamples > 1) {
- *va_arg(ap, uint16**) = td->td_transferfunction[1];
- *va_arg(ap, uint16**) = td->td_transferfunction[2];
-+ } else {
-+ *va_arg(ap, uint16**) = NULL;
-+ *va_arg(ap, uint16**) = NULL;
- }
- break;
- case TIFFTAG_REFERENCEBLACKWHITE:
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index d1a9b0959f84..c3ec07465e5a 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- uint16 pagen=0;
- uint16 paged=0;
- uint16 xuint16=0;
-+ uint16 tiff_transferfunctioncount=0;
-+ float* tiff_transferfunction[3];
-
- directorycount=TIFFNumberOfDirectories(input);
- t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
-@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- }
- #endif
- if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
-- &(t2p->tiff_transferfunction[0]),
-- &(t2p->tiff_transferfunction[1]),
-- &(t2p->tiff_transferfunction[2]))) {
-- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[1] !=
-- t2p->tiff_transferfunction[0])) {
-- t2p->tiff_transferfunctioncount = 3;
-- t2p->tiff_pages[i].page_extra += 4;
-- t2p->pdf_xrefcount += 4;
-- } else {
-- t2p->tiff_transferfunctioncount = 1;
-- t2p->tiff_pages[i].page_extra += 2;
-- t2p->pdf_xrefcount += 2;
-- }
-- if(t2p->pdf_minorversion < 2)
-- t2p->pdf_minorversion = 2;
-+ &(tiff_transferfunction[0]),
-+ &(tiff_transferfunction[1]),
-+ &(tiff_transferfunction[2]))) {
-+
-+ if((tiff_transferfunction[1] != (float*) NULL) &&
-+ (tiff_transferfunction[2] != (float*) NULL)
-+ ) {
-+ tiff_transferfunctioncount=3;
-+ } else {
-+ tiff_transferfunctioncount=1;
-+ }
- } else {
-- t2p->tiff_transferfunctioncount=0;
-+ tiff_transferfunctioncount=0;
- }
-+
-+ if (i > 0){
-+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "Different transfer function on page %d",
-+ i);
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
-+ }
-+
-+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
-+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
-+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
-+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
-+ if(tiff_transferfunctioncount == 3){
-+ t2p->tiff_pages[i].page_extra += 4;
-+ t2p->pdf_xrefcount += 4;
-+ if(t2p->pdf_minorversion < 2)
-+ t2p->pdf_minorversion = 2;
-+ } else if (tiff_transferfunctioncount == 1){
-+ t2p->tiff_pages[i].page_extra += 2;
-+ t2p->pdf_xrefcount += 2;
-+ if(t2p->pdf_minorversion < 2)
-+ t2p->pdf_minorversion = 2;
-+ }
-+
- if( TIFFGetField(
- input,
- TIFFTAG_ICCPROFILE,
-@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- &(t2p->tiff_transferfunction[1]),
- &(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[1] !=
-- t2p->tiff_transferfunction[0])) {
-+ (t2p->tiff_transferfunction[2] != (float*) NULL)
-+ ) {
- t2p->tiff_transferfunctioncount=3;
- } else {
- t2p->tiff_transferfunctioncount=1;
---
-2.15.1
-
diff --git a/media-libs/tiff/files/tiff-4.0.9-CVE-2018-5784.patch b/media-libs/tiff/files/tiff-4.0.9-CVE-2018-5784.patch
deleted file mode 100644
index 56d0f4b0687..00000000000
--- a/media-libs/tiff/files/tiff-4.0.9-CVE-2018-5784.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001
-From: Nathan Baker <nathanb@lenovo-chrome.com>
-Date: Tue, 6 Feb 2018 10:13:57 -0500
-Subject: [PATCH] Fix for bug 2772
-
-It is possible to craft a TIFF document where the IFD list is circular,
-leading to an infinite loop while traversing the chain. The libtiff
-directory reader has a failsafe that will break out of this loop after
-reading 65535 directory entries, but it will continue processing,
-consuming time and resources to process what is essentially a bogus TIFF
-document.
-
-This change fixes the above behavior by breaking out of processing when
-a TIFF document has >= 65535 directories and terminating with an error.
----
- contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
- tools/tiff2pdf.c | 10 ++++++++++
- tools/tiffcrop.c | 13 +++++++++++--
- 3 files changed, 34 insertions(+), 3 deletions(-)
-
-diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
-index c61ffbb..03b3573 100644
---- a/contrib/addtiffo/tif_overview.c
-+++ b/contrib/addtiffo/tif_overview.c
-@@ -65,6 +65,8 @@
- # define MAX(a,b) ((a>b) ? a : b)
- #endif
-
-+#define TIFF_DIR_MAX 65534
-+
- void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
- int (*)(double,void*), void * );
-
-@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
- {
- toff_t nBaseDirOffset;
- toff_t nOffset;
-+ tdir_t iNumDir;
-
- (void) bUseSubIFDs;
-
-@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
- return 0;
-
- TIFFWriteDirectory( hTIFF );
-- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
-+ iNumDir = TIFFNumberOfDirectories(hTIFF);
-+ if( iNumDir > TIFF_DIR_MAX )
-+ {
-+ TIFFErrorExt( TIFFClientdata(hTIFF),
-+ "TIFF_WriteOverview",
-+ "File `%s' has too many directories.\n",
-+ TIFFFileName(hTIFF) );
-+ exit(-1);
-+ }
-+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
-
- nOffset = TIFFCurrentDirOffset( hTIFF );
-
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index 984ef65..832a247 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
-
- #define PS_UNIT_SIZE 72.0F
-
-+#define TIFF_DIR_MAX 65534
-+
- /* This type is of PDF color spaces. */
- typedef enum {
- T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
-@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- uint16* tiff_transferfunction[3];
-
- directorycount=TIFFNumberOfDirectories(input);
-+ if(directorycount > TIFF_DIR_MAX) {
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "TIFF contains too many directories, %s",
-+ TIFFFileName(input));
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
- t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
- if(t2p->tiff_pages==NULL){
- TIFFError(
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 91a38f6..e466dae 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -215,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
- #define DUMP_TEXT 1
- #define DUMP_RAW 2
-
-+#define TIFF_DIR_MAX 65534
-+
- /* Offsets into buffer for margins and fixed width and length segments */
- struct offset {
- uint32 tmargin;
-@@ -2232,7 +2234,7 @@ main(int argc, char* argv[])
- pageNum = -1;
- else
- total_images = 0;
-- /* read multiple input files and write to output file(s) */
-+ /* Read multiple input files and write to output file(s) */
- while (optind < argc - 1)
- {
- in = TIFFOpen (argv[optind], "r");
-@@ -2240,7 +2242,14 @@ main(int argc, char* argv[])
- return (-3);
-
- /* If only one input file is specified, we can use directory count */
-- total_images = TIFFNumberOfDirectories(in);
-+ total_images = TIFFNumberOfDirectories(in);
-+ if (total_images > TIFF_DIR_MAX)
-+ {
-+ TIFFError (TIFFFileName(in), "File contains too many directories");
-+ if (out != NULL)
-+ (void) TIFFClose(out);
-+ return (1);
-+ }
- if (image_count == 0)
- {
- dirnum = 0;
---
-libgit2 0.26.0
-
^ permalink raw reply related [flat|nested] 6+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/
@ 2023-02-07 4:30 Sam James
0 siblings, 0 replies; 6+ messages in thread
From: Sam James @ 2023-02-07 4:30 UTC (permalink / raw
To: gentoo-commits
commit: 847c95bdb5624d743c7e99bf10b1749580ace225
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Feb 7 04:04:56 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Feb 7 04:29:51 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=847c95bd
media-libs/tiff: scrub patch, add upstream refs
Signed-off-by: Sam James <sam <AT> gentoo.org>
media-libs/tiff/files/tiff-4.5.0-CVE-2022-48281.patch | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/media-libs/tiff/files/tiff-4.5.0-CVE-2022-48281.patch b/media-libs/tiff/files/tiff-4.5.0-CVE-2022-48281.patch
index 070f642da454..e38d17df9cc2 100644
--- a/media-libs/tiff/files/tiff-4.5.0-CVE-2022-48281.patch
+++ b/media-libs/tiff/files/tiff-4.5.0-CVE-2022-48281.patch
@@ -1,7 +1,7 @@
-Index: tiff-4.5.0/tools/tiffcrop.c
-===================================================================
---- tiff-4.5.0.orig/tools/tiffcrop.c
-+++ tiff-4.5.0/tools/tiffcrop.c
+https://gitlab.com/libtiff/libtiff/-/issues/488
+https://bugs.gentoo.org/891839
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
@@ -8591,7 +8591,7 @@ static int processCropSelections(struct
cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
^ permalink raw reply related [flat|nested] 6+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/
@ 2019-03-27 23:56 Patrice Clement
0 siblings, 0 replies; 6+ messages in thread
From: Patrice Clement @ 2019-03-27 23:56 UTC (permalink / raw
To: gentoo-commits
commit: 4e4c0bfa02e7fbf53df4c328d1b4af80ed974f5e
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Wed Mar 27 06:03:39 2019 +0000
Commit: Patrice Clement <monsieurp <AT> gentoo <DOT> org>
CommitDate: Wed Mar 27 23:56:01 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e4c0bfa
media-libs/tiff: remove unused patches.
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/11513
Signed-off-by: Patrice Clement <monsieurp <AT> gentoo.org>
.../tiff/files/tiff-3.9.7-CVE-2012-4447.patch | 191 ----------------
.../tiff/files/tiff-3.9.7-CVE-2012-4564.patch | 77 -------
.../tiff/files/tiff-3.9.7-CVE-2012-5581.patch | 245 ---------------------
.../tiff/files/tiff-3.9.7-printdir-width.patch | 36 ---
.../tiff/files/tiff-3.9.7-tiffinfo-exif.patch | 59 -----
5 files changed, 608 deletions(-)
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
deleted file mode 100644
index 6c28dc6ec9a..00000000000
--- a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
-possibility in the same file, which wasn't given a separate CVE.
-
-
-diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
---- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
-+++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
-@@ -117,9 +117,9 @@
- if (n >= stride) {
- mask = CODE_MASK;
- if (stride == 3) {
-- t0 = ToLinearF[cr = wp[0]];
-- t1 = ToLinearF[cg = wp[1]];
-- t2 = ToLinearF[cb = wp[2]];
-+ t0 = ToLinearF[cr = (wp[0] & mask)];
-+ t1 = ToLinearF[cg = (wp[1] & mask)];
-+ t2 = ToLinearF[cb = (wp[2] & mask)];
- op[0] = t0;
- op[1] = t1;
- op[2] = t2;
-@@ -136,10 +136,10 @@
- op[2] = t2;
- }
- } else if (stride == 4) {
-- t0 = ToLinearF[cr = wp[0]];
-- t1 = ToLinearF[cg = wp[1]];
-- t2 = ToLinearF[cb = wp[2]];
-- t3 = ToLinearF[ca = wp[3]];
-+ t0 = ToLinearF[cr = (wp[0] & mask)];
-+ t1 = ToLinearF[cg = (wp[1] & mask)];
-+ t2 = ToLinearF[cb = (wp[2] & mask)];
-+ t3 = ToLinearF[ca = (wp[3] & mask)];
- op[0] = t0;
- op[1] = t1;
- op[2] = t2;
-@@ -183,9 +183,9 @@
- if (n >= stride) {
- mask = CODE_MASK;
- if (stride == 3) {
-- t0 = ToLinearF[cr = wp[0]] * SCALE12;
-- t1 = ToLinearF[cg = wp[1]] * SCALE12;
-- t2 = ToLinearF[cb = wp[2]] * SCALE12;
-+ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
-+ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
-+ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
- op[0] = CLAMP12(t0);
- op[1] = CLAMP12(t1);
- op[2] = CLAMP12(t2);
-@@ -202,10 +202,10 @@
- op[2] = CLAMP12(t2);
- }
- } else if (stride == 4) {
-- t0 = ToLinearF[cr = wp[0]] * SCALE12;
-- t1 = ToLinearF[cg = wp[1]] * SCALE12;
-- t2 = ToLinearF[cb = wp[2]] * SCALE12;
-- t3 = ToLinearF[ca = wp[3]] * SCALE12;
-+ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
-+ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
-+ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
-+ t3 = ToLinearF[ca = (wp[3] & mask)] * SCALE12;
- op[0] = CLAMP12(t0);
- op[1] = CLAMP12(t1);
- op[2] = CLAMP12(t2);
-@@ -247,9 +247,9 @@
- if (n >= stride) {
- mask = CODE_MASK;
- if (stride == 3) {
-- op[0] = ToLinear16[cr = wp[0]];
-- op[1] = ToLinear16[cg = wp[1]];
-- op[2] = ToLinear16[cb = wp[2]];
-+ op[0] = ToLinear16[cr = (wp[0] & mask)];
-+ op[1] = ToLinear16[cg = (wp[1] & mask)];
-+ op[2] = ToLinear16[cb = (wp[2] & mask)];
- n -= 3;
- while (n > 0) {
- wp += 3;
-@@ -260,10 +260,10 @@
- op[2] = ToLinear16[(cb += wp[2]) & mask];
- }
- } else if (stride == 4) {
-- op[0] = ToLinear16[cr = wp[0]];
-- op[1] = ToLinear16[cg = wp[1]];
-- op[2] = ToLinear16[cb = wp[2]];
-- op[3] = ToLinear16[ca = wp[3]];
-+ op[0] = ToLinear16[cr = (wp[0] & mask)];
-+ op[1] = ToLinear16[cg = (wp[1] & mask)];
-+ op[2] = ToLinear16[cb = (wp[2] & mask)];
-+ op[3] = ToLinear16[ca = (wp[3] & mask)];
- n -= 4;
- while (n > 0) {
- wp += 4;
-@@ -342,9 +342,9 @@
- if (n >= stride) {
- mask = CODE_MASK;
- if (stride == 3) {
-- op[0] = ToLinear8[cr = wp[0]];
-- op[1] = ToLinear8[cg = wp[1]];
-- op[2] = ToLinear8[cb = wp[2]];
-+ op[0] = ToLinear8[cr = (wp[0] & mask)];
-+ op[1] = ToLinear8[cg = (wp[1] & mask)];
-+ op[2] = ToLinear8[cb = (wp[2] & mask)];
- n -= 3;
- while (n > 0) {
- n -= 3;
-@@ -355,10 +355,10 @@
- op[2] = ToLinear8[(cb += wp[2]) & mask];
- }
- } else if (stride == 4) {
-- op[0] = ToLinear8[cr = wp[0]];
-- op[1] = ToLinear8[cg = wp[1]];
-- op[2] = ToLinear8[cb = wp[2]];
-- op[3] = ToLinear8[ca = wp[3]];
-+ op[0] = ToLinear8[cr = (wp[0] & mask)];
-+ op[1] = ToLinear8[cg = (wp[1] & mask)];
-+ op[2] = ToLinear8[cb = (wp[2] & mask)];
-+ op[3] = ToLinear8[ca = (wp[3] & mask)];
- n -= 4;
- while (n > 0) {
- n -= 4;
-@@ -393,9 +393,9 @@
- mask = CODE_MASK;
- if (stride == 3) {
- op[0] = 0;
-- t1 = ToLinear8[cb = wp[2]];
-- t2 = ToLinear8[cg = wp[1]];
-- t3 = ToLinear8[cr = wp[0]];
-+ t1 = ToLinear8[cb = (wp[2] & mask)];
-+ t2 = ToLinear8[cg = (wp[1] & mask)];
-+ t3 = ToLinear8[cr = (wp[0] & mask)];
- op[1] = t1;
- op[2] = t2;
- op[3] = t3;
-@@ -413,10 +413,10 @@
- op[3] = t3;
- }
- } else if (stride == 4) {
-- t0 = ToLinear8[ca = wp[3]];
-- t1 = ToLinear8[cb = wp[2]];
-- t2 = ToLinear8[cg = wp[1]];
-- t3 = ToLinear8[cr = wp[0]];
-+ t0 = ToLinear8[ca = (wp[3] & mask)];
-+ t1 = ToLinear8[cb = (wp[2] & mask)];
-+ t2 = ToLinear8[cg = (wp[1] & mask)];
-+ t3 = ToLinear8[cr = (wp[0] & mask)];
- op[0] = t0;
- op[1] = t1;
- op[2] = t2;
-@@ -630,10 +630,10 @@
- return guess;
- }
-
--static uint32
--multiply(size_t m1, size_t m2)
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
- {
-- uint32 bytes = m1 * m2;
-+ tsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-@@ -641,6 +641,20 @@
- return bytes;
- }
-
-+static tsize_t
-+add_ms(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t bytes = m1 + m2;
-+
-+ /* if either input is zero, assume overflow already occurred */
-+ if (m1 == 0 || m2 == 0)
-+ bytes = 0;
-+ else if (bytes <= m1 || bytes <= m2)
-+ bytes = 0;
-+
-+ return bytes;
-+}
-+
- static int
- PixarLogSetupDecode(TIFF* tif)
- {
-@@ -661,6 +675,8 @@
- td->td_samplesperpixel : 1);
- tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
-+ /* add one more stride in case input ends mid-stride */
-+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
- if (tbuf_size == 0)
- return (0);
- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
deleted file mode 100644
index 98a6e6c4409..00000000000
--- a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Upstream patch for CVE-2012-4564.
-
-
-diff -Naur tiff-3.9.4.orig/tools/ppm2tiff.c tiff-3.9.4/tools/ppm2tiff.c
---- tiff-3.9.4.orig/tools/ppm2tiff.c 2010-06-08 14:50:44.000000000 -0400
-+++ tiff-3.9.4/tools/ppm2tiff.c 2012-12-10 16:16:05.154045877 -0500
-@@ -68,6 +68,17 @@
- exit(-2);
- }
-
-+static tsize_t
-+multiply_ms(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t bytes = m1 * m2;
-+
-+ if (m1 && bytes / m1 != m2)
-+ bytes = 0;
-+
-+ return bytes;
-+}
-+
- int
- main(int argc, char* argv[])
- {
-@@ -85,6 +96,7 @@
- int c;
- extern int optind;
- extern char* optarg;
-+ tsize_t scanline_size;
-
- if (argc < 2) {
- fprintf(stderr, "%s: Too few arguments\n", argv[0]);
-@@ -217,7 +229,8 @@
- }
- switch (bpp) {
- case 1:
-- linebytes = (spp * w + (8 - 1)) / 8;
-+ /* if round-up overflows, result will be zero, OK */
-+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
- if (rowsperstrip == (uint32) -1) {
- TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
- } else {
-@@ -226,15 +239,31 @@
- }
- break;
- case 8:
-- linebytes = spp * w;
-+ linebytes = multiply_ms(spp, w);
- TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
- TIFFDefaultStripSize(out, rowsperstrip));
- break;
- }
-- if (TIFFScanlineSize(out) > linebytes)
-+ if (linebytes == 0) {
-+ fprintf(stderr, "%s: scanline size overflow\n", infile);
-+ (void) TIFFClose(out);
-+ exit(-2);
-+ }
-+ scanline_size = TIFFScanlineSize(out);
-+ if (scanline_size == 0) {
-+ /* overflow - TIFFScanlineSize already printed a message */
-+ (void) TIFFClose(out);
-+ exit(-2);
-+ }
-+ if (scanline_size < linebytes)
- buf = (unsigned char *)_TIFFmalloc(linebytes);
- else
-- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
-+ if (buf == NULL) {
-+ fprintf(stderr, "%s: Not enough memory\n", infile);
-+ (void) TIFFClose(out);
-+ exit(-2);
-+ }
- if (resolution > 0) {
- TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
- TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch
deleted file mode 100644
index a6bdca13702..00000000000
--- a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-Fix unsafe handling of DotRange and related tags. Back-port of upstream
-patch for CVE-2012-5581. (Note: I have not pushed this into upstream CVS
-for the 3.9 branch, because I'm not entirely convinced that it won't create
-application compatibility issues --- tgl)
-
-
-diff -Naur tiff-3.9.7.orig/libtiff/tif_dir.c tiff-3.9.7/libtiff/tif_dir.c
---- tiff-3.9.7.orig/libtiff/tif_dir.c 2012-09-22 10:48:09.000000000 -0400
-+++ tiff-3.9.7/libtiff/tif_dir.c 2012-12-13 13:39:20.448864070 -0500
-@@ -494,32 +494,28 @@
- goto end;
- }
-
-- if ((fip->field_passcount
-+ if (fip->field_tag == TIFFTAG_DOTRANGE
-+ && strcmp(fip->field_name,"DotRange") == 0) {
-+ /* TODO: This is an evil exception and should not have been
-+ handled this way ... likely best if we move it into
-+ the directory structure with an explicit field in
-+ libtiff 4.1 and assign it a FIELD_ value */
-+ uint16 v[2];
-+ v[0] = (uint16)va_arg(ap, int);
-+ v[1] = (uint16)va_arg(ap, int);
-+ _TIFFmemcpy(tv->value, v, 4);
-+ }
-+ else if (fip->field_passcount
- || fip->field_writecount == TIFF_VARIABLE
- || fip->field_writecount == TIFF_VARIABLE2
- || fip->field_writecount == TIFF_SPP
-- || tv->count > 1)
-- && fip->field_tag != TIFFTAG_PAGENUMBER
-- && fip->field_tag != TIFFTAG_HALFTONEHINTS
-- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
-- && fip->field_tag != TIFFTAG_DOTRANGE
-- && fip->field_tag != TIFFTAG_WHITELEVEL) {
-+ || tv->count > 1) {
- _TIFFmemcpy(tv->value, va_arg(ap, void *),
- tv->count * tv_size);
- } else {
-- /*
-- * XXX: The following loop required to handle
-- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
-- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
-- * These tags are actually arrays and should be passed as
-- * array pointers to TIFFSetField() function, but actually
-- * passed as a list of separate values. This behaviour
-- * must be changed in the future!
-- */
-- int i;
- char *val = (char *)tv->value;
-
-- for (i = 0; i < tv->count; i++, val += tv_size) {
-+ assert( tv->count == 1 );
- switch (fip->field_type) {
- case TIFF_BYTE:
- case TIFF_UNDEFINED:
-@@ -578,7 +574,6 @@
- status = 0;
- break;
- }
-- }
- }
- }
- }
-@@ -869,24 +864,27 @@
- *va_arg(ap, uint16*) = (uint16)tv->count;
- *va_arg(ap, void **) = tv->value;
- ret_val = 1;
-- } else {
-- if ((fip->field_type == TIFF_ASCII
-+ } else if (fip->field_tag == TIFFTAG_DOTRANGE
-+ && strcmp(fip->field_name,"DotRange") == 0) {
-+ /* TODO: This is an evil exception and should not have been
-+ handled this way ... likely best if we move it into
-+ the directory structure with an explicit field in
-+ libtiff 4.1 and assign it a FIELD_ value */
-+ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
-+ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
-+ ret_val = 1;
-+ } else {
-+ if (fip->field_type == TIFF_ASCII
- || fip->field_readcount == TIFF_VARIABLE
- || fip->field_readcount == TIFF_VARIABLE2
- || fip->field_readcount == TIFF_SPP
-- || tv->count > 1)
-- && fip->field_tag != TIFFTAG_PAGENUMBER
-- && fip->field_tag != TIFFTAG_HALFTONEHINTS
-- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
-- && fip->field_tag != TIFFTAG_DOTRANGE) {
-+ || tv->count > 1) {
- *va_arg(ap, void **) = tv->value;
- ret_val = 1;
- } else {
-- int j;
- char *val = (char *)tv->value;
-
-- for (j = 0; j < tv->count;
-- j++, val += _TIFFDataSize(tv->info->field_type)) {
-+ assert( tv->count == 1 );
- switch (fip->field_type) {
- case TIFF_BYTE:
- case TIFF_UNDEFINED:
-@@ -936,7 +934,6 @@
- ret_val = 0;
- break;
- }
-- }
- }
- }
- break;
-diff -Naur tiff-3.9.7.orig/libtiff/tif_print.c tiff-3.9.7/libtiff/tif_print.c
---- tiff-3.9.7.orig/libtiff/tif_print.c 2010-07-08 12:17:59.000000000 -0400
-+++ tiff-3.9.7/libtiff/tif_print.c 2012-12-13 13:42:12.773478278 -0500
-@@ -112,16 +112,22 @@
- }
-
- static int
--_TIFFPrettyPrintField(TIFF* tif, FILE* fd, ttag_t tag,
-+_TIFFPrettyPrintField(TIFF* tif, const TIFFFieldInfo *fip, FILE* fd, ttag_t tag,
- uint32 value_count, void *raw_data)
- {
- TIFFDirectory *td = &tif->tif_dir;
-
-+ /* do not try to pretty print auto-defined fields */
-+ if (strncmp(fip->field_name,"Tag ", 4) == 0) {
-+ return 0;
-+ }
-+
- switch (tag)
- {
- case TIFFTAG_INKSET:
-- fprintf(fd, " Ink Set: ");
-- switch (*((uint16*)raw_data)) {
-+ if (value_count == 2 && fip->field_type == TIFF_SHORT) {
-+ fprintf(fd, " Ink Set: ");
-+ switch (*((uint16*)raw_data)) {
- case INKSET_CMYK:
- fprintf(fd, "CMYK\n");
- break;
-@@ -130,11 +136,18 @@
- *((uint16*)raw_data),
- *((uint16*)raw_data));
- break;
-+ }
-+ return 1;
- }
-- return 1;
-+ return 0;
-+
- case TIFFTAG_WHITEPOINT:
-- fprintf(fd, " White Point: %g-%g\n",
-- ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
-+ if (value_count == 2 && fip->field_type == TIFF_RATIONAL) {
-+ fprintf(fd, " White Point: %g-%g\n",
-+ ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
-+ }
-+ return 0;
-+
- case TIFFTAG_REFERENCEBLACKWHITE:
- {
- uint16 i;
-@@ -174,10 +187,13 @@
- (unsigned long) value_count);
- return 1;
- case TIFFTAG_STONITS:
-- fprintf(fd,
-- " Sample to Nits conversion factor: %.4e\n",
-- *((double*)raw_data));
-- return 1;
-+ if (value_count == 1 && fip->field_type == TIFF_DOUBLE) {
-+ fprintf(fd,
-+ " Sample to Nits conversion factor: %.4e\n",
-+ *((double*)raw_data));
-+ return 1;
-+ }
-+ return 0;
- }
-
- return 0;
-@@ -524,44 +540,28 @@
- value_count = td->td_samplesperpixel;
- else
- value_count = fip->field_readcount;
-- if ((fip->field_type == TIFF_ASCII
-+ if (fip->field_tag == TIFFTAG_DOTRANGE
-+ && strcmp(fip->field_name,"DotRange") == 0) {
-+ /* TODO: This is an evil exception and should not have been
-+ handled this way ... likely best if we move it into
-+ the directory structure with an explicit field in
-+ libtiff 4.1 and assign it a FIELD_ value */
-+ static uint16 dotrange[2];
-+ raw_data = dotrange;
-+ TIFFGetField(tif, tag, dotrange+0, dotrange+1);
-+ } else if (fip->field_type == TIFF_ASCII
- || fip->field_readcount == TIFF_VARIABLE
- || fip->field_readcount == TIFF_VARIABLE2
- || fip->field_readcount == TIFF_SPP
-- || value_count > 1)
-- && fip->field_tag != TIFFTAG_PAGENUMBER
-- && fip->field_tag != TIFFTAG_HALFTONEHINTS
-- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
-- && fip->field_tag != TIFFTAG_DOTRANGE) {
-+ || value_count > 1) {
- if(TIFFGetField(tif, tag, &raw_data) != 1)
- continue;
-- } else if (fip->field_tag != TIFFTAG_PAGENUMBER
-- && fip->field_tag != TIFFTAG_HALFTONEHINTS
-- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
-- && fip->field_tag != TIFFTAG_DOTRANGE) {
-- raw_data = _TIFFmalloc(
-- _TIFFDataSize(fip->field_type)
-- * value_count);
-- mem_alloc = 1;
-- if(TIFFGetField(tif, tag, raw_data) != 1) {
-- _TIFFfree(raw_data);
-- continue;
-- }
- } else {
-- /*
-- * XXX: Should be fixed and removed, see the
-- * notes related to TIFFTAG_PAGENUMBER,
-- * TIFFTAG_HALFTONEHINTS,
-- * TIFFTAG_YCBCRSUBSAMPLING and
-- * TIFFTAG_DOTRANGE tags in tif_dir.c. */
-- char *tmp;
- raw_data = _TIFFmalloc(
- _TIFFDataSize(fip->field_type)
- * value_count);
-- tmp = raw_data;
- mem_alloc = 1;
-- if(TIFFGetField(tif, tag, tmp,
-- tmp + _TIFFDataSize(fip->field_type)) != 1) {
-+ if(TIFFGetField(tif, tag, raw_data) != 1) {
- _TIFFfree(raw_data);
- continue;
- }
-@@ -574,7 +574,7 @@
- * _TIFFPrettyPrintField() fall down and print it as any other
- * tag.
- */
-- if (_TIFFPrettyPrintField(tif, fd, tag, value_count, raw_data)) {
-+ if (_TIFFPrettyPrintField(tif, fip, fd, tag, value_count, raw_data)) {
- if(mem_alloc)
- _TIFFfree(raw_data);
- continue;
diff --git a/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch b/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch
deleted file mode 100644
index 6ad7534ac6f..00000000000
--- a/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Make TIFFPrintDirectory cope with both TIFF_VARIABLE and TIFF_VARIABLE2
-conventions for field_passcount fields, ie, either 16- or 32-bit counts.
-This patch is taken from upstream commits dated 2012-05-23 ("fix crash
-with odd 16bit count types for some custom fields") and 2012-12-12 ("Fix
-TIFF_VARIABLE/TIFF_VARIABLE2 confusion in TIFFPrintDirectory").
-
-This doesn't qualify as a security issue in itself, mainly because
-TIFFPrintDirectory is unlikely to be used in any security-exposed
-scenarios; but we need to fix it so that our test case for CVE-2012-5581
-works on all platforms.
-
-
-diff -Naur tiff-3.9.4.orig/libtiff/tif_print.c tiff-3.9.4/libtiff/tif_print.c
---- tiff-3.9.4.orig/libtiff/tif_print.c 2010-06-08 14:50:42.000000000 -0400
-+++ tiff-3.9.4/libtiff/tif_print.c 2012-12-13 12:17:33.726765771 -0500
-@@ -518,8 +518,19 @@
- continue;
-
- if(fip->field_passcount) {
-- if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
-+ if (fip->field_readcount == TIFF_VARIABLE2 ) {
-+ if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
-+ continue;
-+ } else if (fip->field_readcount == TIFF_VARIABLE ) {
-+ uint16 small_value_count;
-+ if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
-+ continue;
-+ value_count = small_value_count;
-+ } else {
-+ assert (fip->field_readcount == TIFF_VARIABLE
-+ || fip->field_readcount == TIFF_VARIABLE2);
- continue;
-+ }
- } else {
- if (fip->field_readcount == TIFF_VARIABLE
- || fip->field_readcount == TIFF_VARIABLE2)
diff --git a/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch b/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch
deleted file mode 100644
index a326e21e298..00000000000
--- a/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-Teach "tiffinfo -D" to not try to print image data inside an EXIF subdirectory,
-because there isn't any. Back-patched from an upstream 4.0.2 fix.
-
-This is not a security issue in itself (it crashes, but with a simple NULL
-pointer dereference). However, our test case for CVE-2012-5581 tickles this
-bug, so it seems easier to fix this than make a new test case.
-
-
-diff -Naur tiff-3.9.4.orig/tools/tiffinfo.c tiff-3.9.4/tools/tiffinfo.c
---- tiff-3.9.4.orig/tools/tiffinfo.c 2010-06-08 14:50:44.000000000 -0400
-+++ tiff-3.9.4/tools/tiffinfo.c 2012-12-11 16:33:17.062228558 -0500
-@@ -49,7 +49,7 @@
- int stoponerr = 1; /* stop on first read error */
-
- static void usage(void);
--static void tiffinfo(TIFF*, uint16, long);
-+static void tiffinfo(TIFF*, uint16, long, int);
-
- int
- main(int argc, char* argv[])
-@@ -124,19 +124,20 @@
- if (tif != NULL) {
- if (dirnum != -1) {
- if (TIFFSetDirectory(tif, (tdir_t) dirnum))
-- tiffinfo(tif, order, flags);
-+ tiffinfo(tif, order, flags, 1);
- } else if (diroff != 0) {
- if (TIFFSetSubDirectory(tif, diroff))
-- tiffinfo(tif, order, flags);
-+ tiffinfo(tif, order, flags, 1);
- } else {
- do {
- uint32 offset;
-
-- tiffinfo(tif, order, flags);
-+ tiffinfo(tif, order, flags, 1);
- if (TIFFGetField(tif, TIFFTAG_EXIFIFD,
- &offset)) {
-- if (TIFFReadEXIFDirectory(tif, offset))
-- tiffinfo(tif, order, flags);
-+ if (TIFFReadEXIFDirectory(tif, offset)) {
-+ tiffinfo(tif, order, flags, 0);
-+ }
- }
- } while (TIFFReadDirectory(tif));
- }
-@@ -426,10 +427,10 @@
- }
-
- static void
--tiffinfo(TIFF* tif, uint16 order, long flags)
-+tiffinfo(TIFF* tif, uint16 order, long flags, int is_image)
- {
- TIFFPrintDirectory(tif, stdout, flags);
-- if (!readdata)
-+ if (!readdata || !is_image)
- return;
- if (rawdata) {
- if (order) {
^ permalink raw reply related [flat|nested] 6+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/
@ 2018-06-13 21:18 Aaron Bauman
0 siblings, 0 replies; 6+ messages in thread
From: Aaron Bauman @ 2018-06-13 21:18 UTC (permalink / raw
To: gentoo-commits
commit: 175a59fe9690b508515215aecb652e9e9f53729e
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Wed Jun 13 18:01:33 2018 +0000
Commit: Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Wed Jun 13 21:15:30 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=175a59fe
media-libs/tiff: remove unused patches
....0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch | 20 -----
...iff-4.0.7-pdfium-0007-uninitialized-value.patch | 26 ------
...-4.0.7-pdfium-0013-validate-refblackwhite.patch | 42 ----------
....7-pdfium-0017-safe_skews_in_gtTileContig.patch | 97 ----------------------
...ium-0018-fix-leak-in-PredictorSetupDecode.patch | 27 ------
.../tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch | 29 -------
6 files changed, 241 deletions(-)
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch
deleted file mode 100644
index afb0151f963..00000000000
--- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-https://codereview.chromium.org/2204793002
-https://crbug.com/633387
-https://pdfium.googlesource.com/pdfium/+/master/libtiff/
-
-Author: thestig <thestig@chromium.org>
-Date: Mon Aug 1 19:36:27 2016 -0700
-
-Fix a memory leak in libtiff.
-
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -5372,6 +5372,8 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
- static const char module[] = "TIFFFetchStripThing";
- enum TIFFReadDirEntryErr err;
- uint64* data;
-+ _TIFFfree(*lpp);
-+ *lpp = 0;
- err=TIFFReadDirEntryLong8Array(tif,dir,&data);
- if (err!=TIFFReadDirEntryErrOk)
- {
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch
deleted file mode 100644
index ab5627f5c16..00000000000
--- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-https://codereview.chromium.org/2389993002
-https://crbug.com/651632
-https://pdfium.googlesource.com/pdfium/+/master/libtiff/
-
-Author: dsinclair <dsinclair@chromium.org>
-Date: Mon Oct 3 13:59:57 2016 -0700
-
-Fix potentially uninitialized value.
-
-Depending on what ReadOK does it's possible for |dircount16| to be used without
-being initialized. The read code calls back into PDFium specific code which then
-calls into the stream reading code.
-
-Initialize the value to be sure it is set.
-
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -4443,7 +4443,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir,
- static const char module[] = "TIFFFetchDirectory";
-
- void* origdir;
-- uint16 dircount16;
-+ uint16 dircount16 = 0;
- uint32 dirsize;
- TIFFDirEntry* dir;
- uint8* ma;
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch
deleted file mode 100644
index d98ff9d0f25..00000000000
--- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-https://pdfium-review.googlesource.com/2151
-https://crbug.com/632883
-https://pdfium.googlesource.com/pdfium/+/master/libtiff/
-
-Author: Dan Sinclair <dsinclair@chromium.org>
-Date: Mon Jan 9 09:50:50 2017 -0500
-
-[libtiff] Validate refblackwhite values
-
-The td_refblackwhite value is currently assigned without validation. This
-may pose an issue as the image can specify the value as nan. This will cause
-problems later when we use the nan in calcluations.
-
-This CL validates each of the float values are not nan and if they are sets
-them to the default provided by the TIFF spec v6.
-
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -31,6 +31,7 @@
- * (and also some miscellaneous stuff)
- */
- #include "tiffiop.h"
-+#include <math.h>
- #include <float.h>
-
- /*
-@@ -426,6 +426,15 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
- case TIFFTAG_REFERENCEBLACKWHITE:
- /* XXX should check for null range */
- _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
-+ int i;
-+ for (i = 0; i < 6; i++) {
-+ if (isnan(td->td_refblackwhite[i])) {
-+ if (i % 2 == 0)
-+ td->td_refblackwhite[i] = 0;
-+ else
-+ td->td_refblackwhite[i] = pow(2, td->td_bitspersample) - 1;
-+ }
-+ }
- break;
- case TIFFTAG_INKNAMES:
- v = (uint16) va_arg(ap, uint16_vap);
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch
deleted file mode 100644
index 7914743393f..00000000000
--- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-https://pdfium-review.googlesource.com/2355
-https://crbug.com/681300
-https://pdfium.googlesource.com/pdfium/+/master/libtiff/
-
-Author: Nicolas Pena <npm@chromium.org>
-Date: Wed Jan 25 10:41:06 2017 -0500
-
-Prevent skew overflows in gtTileContig
-
-Using int64 to check whether uint32 operations have overflowed.
-
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -31,6 +31,7 @@
- */
- #include "tiffiop.h"
- #include <stdio.h>
-+#include <limits.h>
-
- static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
- static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
-@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- uint32 tw, th;
- unsigned char* buf;
- int32 fromskew, toskew;
-+ int64 safeskew;
- uint32 nrow;
- int ret = 1, flip;
- uint32 this_tw, tocol;
-@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- flip = setorientation(img);
- if (flip & FLIP_VERTICALLY) {
- y = h - 1;
-- toskew = -(int32)(tw + w);
-+ safeskew = 0;
-+ safeskew -= tw;
-+ safeskew -= w;
- }
- else {
- y = 0;
-- toskew = -(int32)(tw - w);
-+ safeskew = 0;
-+ safeskew -= tw;
-+ safeskew +=w;
- }
-
-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
-+ _TIFFfree(buf);
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
-+ return (0);
-+ }
-+ toskew = safeskew;
-+
- /*
- * Leftmost tile is clipped on left side if col_offset > 0.
- */
- leftmost_fromskew = img->col_offset % tw;
- leftmost_tw = tw - leftmost_fromskew;
-- leftmost_toskew = toskew + leftmost_fromskew;
-+ safeskew = toskew;
-+ safeskew += leftmost_fromskew;
-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
-+ _TIFFfree(buf);
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
-+ return (0);
-+ }
-+ leftmost_toskew = safeskew;
- for (row = 0; row < h; row += nrow)
- {
- rowstoread = th - (row + img->row_offset) % th;
-@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- /*
- * Rightmost tile is clipped on right side.
- */
-- fromskew = tw - (w - tocol);
-+ safeskew = tw;
-+ safeskew -= w;
-+ safeskew += tocol;
-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
-+ _TIFFfree(buf);
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
-+ return (0);
-+ }
-+ fromskew = safeskew;
- this_tw = tw - fromskew;
-- this_toskew = toskew + fromskew;
-+ safeskew = toskew;
-+ safeskew += fromskew;
-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
-+ _TIFFfree(buf);
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
-+ return (0);
-+ }
-+ this_toskew = safeskew;
- }
- (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos);
- tocol += this_tw;
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch
deleted file mode 100644
index b74ddc5c499..00000000000
--- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-https://pdfium-review.googlesource.com/2432
-https://crbug.com/683834
-https://pdfium.googlesource.com/pdfium/+/master/libtiff/
-
-Author: Nicolas Pena <npm@chromium.org>
-Date: Thu Jan 26 15:45:02 2017 -0500
-
-Fix leak in PredictorSetupDecode by calling tif_cleanup on failure
-
-tif_data and tif_cleanup are both set on the TIFFInit methods, see for
-instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was
-filled on tif_data should be cleaned up. The previous leak fix from
-PixarLogSetupDecode is no longer necessary.
-
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -118,7 +118,10 @@ PredictorSetupDecode(TIFF* tif)
- TIFFDirectory* td = &tif->tif_dir;
-
- if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
-+ {
-+ (*tif->tif_cleanup)(tif);
- return 0;
-+ }
-
- if (sp->predictor == 2) {
- switch (td->td_bitspersample) {
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch
deleted file mode 100644
index 11975cf38ac..00000000000
--- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-https://pdfium-review.googlesource.com/3811
-https://crbug.com/707431
-https://pdfium.googlesource.com/pdfium/+/master/libtiff/
-
-Author: Nicolas Pena <npm@chromium.org>
-Date: Wed Apr 5 15:50:53 2017 -0400
-
-Libtiff: Prevent OOM in TIFFFillStrip
-
-In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of
-memory. In this CL we do sanity checks on the claimed size of the raw strip
-data before that happens, to prevent out-of-memory.
-
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- return(0);
- }
-+ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
-+ if (bytecountm > size) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Requested read strip size %lu is too large",
-+ (unsigned long) strip);
-+ return (0);
-+ }
- if (bytecountm > tif->tif_rawdatasize) {
- tif->tif_curstrip = NOSTRIP;
- if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
^ permalink raw reply related [flat|nested] 6+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/
@ 2016-12-29 13:14 David Seifert
0 siblings, 0 replies; 6+ messages in thread
From: David Seifert @ 2016-12-29 13:14 UTC (permalink / raw
To: gentoo-commits
commit: 6e971341437f10cadb7e1103f65fcb85f965c268
Author: Michael Mair-Keimberger (asterix) <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Fri Dec 23 16:12:51 2016 +0000
Commit: David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Thu Dec 29 13:11:48 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e971341
media-libs/tiff: remove unused patches
Closes: https://github.com/gentoo/gentoo/pull/3224
.../tiff/files/tiff-4.0.3-CVE-2012-4447.patch | 40 --
.../tiff/files/tiff-4.0.3-CVE-2012-4564.patch | 86 ---
.../tiff/files/tiff-4.0.3-CVE-2013-1960.patch | 145 ----
.../tiff/files/tiff-4.0.3-CVE-2013-1961.patch | 759 ---------------------
.../tiff/files/tiff-4.0.3-CVE-2013-4231.patch | 16 -
.../tiff/files/tiff-4.0.3-CVE-2013-4232.patch | 13 -
.../tiff/files/tiff-4.0.3-CVE-2013-4244.patch | 15 -
.../tiff/files/tiff-4.0.3-libjpeg-turbo.patch | 122 ----
.../tiff/files/tiff-4.0.3-tiff2pdf-colors.patch | 15 -
9 files changed, 1211 deletions(-)
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4447.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4447.patch
deleted file mode 100644
index ebf9a00..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4447.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Upstream patch for CVE-2012-4447.
-
-
-diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
---- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400
-+++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500
-@@ -644,6 +644,20 @@
- return bytes;
- }
-
-+static tmsize_t
-+add_ms(tmsize_t m1, tmsize_t m2)
-+{
-+ tmsize_t bytes = m1 + m2;
-+
-+ /* if either input is zero, assume overflow already occurred */
-+ if (m1 == 0 || m2 == 0)
-+ bytes = 0;
-+ else if (bytes <= m1 || bytes <= m2)
-+ bytes = 0;
-+
-+ return bytes;
-+}
-+
- static int
- PixarLogFixupTags(TIFF* tif)
- {
-@@ -671,9 +685,11 @@
- td->td_samplesperpixel : 1);
- tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
-+ /* add one more stride in case input ends mid-stride */
-+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
- if (tbuf_size == 0)
- return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
-- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
-+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
- if (sp->tbuf == NULL)
- return (0);
- if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4564.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4564.patch
deleted file mode 100644
index 3d7946c..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4564.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-Upstream patch for CVE-2012-4564.
-
-
-diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
---- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400
-+++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500
-@@ -72,6 +72,17 @@
- exit(-2);
- }
-
-+static tmsize_t
-+multiply_ms(tmsize_t m1, tmsize_t m2)
-+{
-+ tmsize_t bytes = m1 * m2;
-+
-+ if (m1 && bytes / m1 != m2)
-+ bytes = 0;
-+
-+ return bytes;
-+}
-+
- int
- main(int argc, char* argv[])
- {
-@@ -79,7 +90,7 @@
- uint32 rowsperstrip = (uint32) -1;
- double resolution = -1;
- unsigned char *buf = NULL;
-- tsize_t linebytes = 0;
-+ tmsize_t linebytes = 0;
- uint16 spp = 1;
- uint16 bpp = 8;
- TIFF *out;
-@@ -89,6 +100,7 @@
- int c;
- extern int optind;
- extern char* optarg;
-+ tmsize_t scanline_size;
-
- if (argc < 2) {
- fprintf(stderr, "%s: Too few arguments\n", argv[0]);
-@@ -221,7 +233,8 @@
- }
- switch (bpp) {
- case 1:
-- linebytes = (spp * w + (8 - 1)) / 8;
-+ /* if round-up overflows, result will be zero, OK */
-+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
- if (rowsperstrip == (uint32) -1) {
- TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
- } else {
-@@ -230,15 +243,31 @@
- }
- break;
- case 8:
-- linebytes = spp * w;
-+ linebytes = multiply_ms(spp, w);
- TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
- TIFFDefaultStripSize(out, rowsperstrip));
- break;
- }
-- if (TIFFScanlineSize(out) > linebytes)
-+ if (linebytes == 0) {
-+ fprintf(stderr, "%s: scanline size overflow\n", infile);
-+ (void) TIFFClose(out);
-+ exit(-2);
-+ }
-+ scanline_size = TIFFScanlineSize(out);
-+ if (scanline_size == 0) {
-+ /* overflow - TIFFScanlineSize already printed a message */
-+ (void) TIFFClose(out);
-+ exit(-2);
-+ }
-+ if (scanline_size < linebytes)
- buf = (unsigned char *)_TIFFmalloc(linebytes);
- else
-- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
-+ if (buf == NULL) {
-+ fprintf(stderr, "%s: Not enough memory\n", infile);
-+ (void) TIFFClose(out);
-+ exit(-2);
-+ }
- if (resolution > 0) {
- TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
- TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1960.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1960.patch
deleted file mode 100644
index 1c8dfb7..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1960.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
---- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
-+++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
-@@ -3341,33 +3341,56 @@
- uint32 height){
-
- tsize_t i=0;
-- uint16 ri =0;
-- uint16 v_samp=1;
-- uint16 h_samp=1;
-- int j=0;
--
-- i++;
--
-- while(i<(*striplength)){
-+
-+ while (i < *striplength) {
-+ tsize_t datalen;
-+ uint16 ri;
-+ uint16 v_samp;
-+ uint16 h_samp;
-+ int j;
-+ int ncomp;
-+
-+ /* marker header: one or more FFs */
-+ if (strip[i] != 0xff)
-+ return(0);
-+ i++;
-+ while (i < *striplength && strip[i] == 0xff)
-+ i++;
-+ if (i >= *striplength)
-+ return(0);
-+ /* SOI is the only pre-SOS marker without a length word */
-+ if (strip[i] == 0xd8)
-+ datalen = 0;
-+ else {
-+ if ((*striplength - i) <= 2)
-+ return(0);
-+ datalen = (strip[i+1] << 8) | strip[i+2];
-+ if (datalen < 2 || datalen >= (*striplength - i))
-+ return(0);
-+ }
- switch( strip[i] ){
-- case 0xd8:
-- /* SOI - start of image */
-+ case 0xd8: /* SOI - start of image */
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
- *bufferoffset+=2;
-- i+=2;
- break;
-- case 0xc0:
-- case 0xc1:
-- case 0xc3:
-- case 0xc9:
-- case 0xca:
-+ case 0xc0: /* SOF0 */
-+ case 0xc1: /* SOF1 */
-+ case 0xc3: /* SOF3 */
-+ case 0xc9: /* SOF9 */
-+ case 0xca: /* SOF10 */
- if(no==0){
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- for(j=0;j<buffer[*bufferoffset+9];j++){
-- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
-- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
-- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
-- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ ncomp = buffer[*bufferoffset+9];
-+ if (ncomp < 1 || ncomp > 4)
-+ return(0);
-+ v_samp=1;
-+ h_samp=1;
-+ for(j=0;j<ncomp;j++){
-+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
-+ if( (samp>>4) > h_samp)
-+ h_samp = (samp>>4);
-+ if( (samp & 0x0f) > v_samp)
-+ v_samp = (samp & 0x0f);
- }
- v_samp*=8;
- h_samp*=8;
-@@ -3381,45 +3404,43 @@
- (unsigned char) ((height>>8) & 0xff);
- buffer[*bufferoffset+6]=
- (unsigned char) (height & 0xff);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
--
-+ *bufferoffset+=datalen+2;
-+ /* insert a DRI marker */
- buffer[(*bufferoffset)++]=0xff;
- buffer[(*bufferoffset)++]=0xdd;
- buffer[(*bufferoffset)++]=0x00;
- buffer[(*bufferoffset)++]=0x04;
- buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
- buffer[(*bufferoffset)++]= ri & 0xff;
-- } else {
-- i+=strip[i+2]+2;
- }
- break;
-- case 0xc4:
-- case 0xdb:
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
-+ case 0xc4: /* DHT */
-+ case 0xdb: /* DQT */
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ *bufferoffset+=datalen+2;
- break;
-- case 0xda:
-+ case 0xda: /* SOS */
- if(no==0){
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ *bufferoffset+=datalen+2;
- } else {
- buffer[(*bufferoffset)++]=0xff;
- buffer[(*bufferoffset)++]=
- (unsigned char)(0xd0 | ((no-1)%8));
-- i+=strip[i+2]+2;
- }
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
-- *bufferoffset+=(*striplength)-i-1;
-+ i += datalen + 1;
-+ /* copy remainder of strip */
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
-+ *bufferoffset+= *striplength - i;
- return(1);
- default:
-- i+=strip[i+2]+2;
-+ /* ignore any other marker */
-+ break;
- }
-+ i += datalen + 1;
- }
--
-
-+ /* failed to find SOS marker */
- return(0);
- }
- #endif
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1961.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1961.patch
deleted file mode 100644
index 0ea9b52..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1961.patch
+++ /dev/null
@@ -1,759 +0,0 @@
-diff -Naur tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c tiff-4.0.3/contrib/dbs/xtiff/xtiff.c
---- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2010-06-08 14:55:15.000000000 -0400
-+++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-05-02 12:02:42.782287939 -0400
-@@ -512,9 +512,9 @@
- Arg args[1];
-
- if (tfMultiPage)
-- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
-+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
- else
-- strcpy(buffer, fileName);
-+ snprintf(buffer, sizeof(buffer), "%s", fileName);
- XtSetArg(args[0], XtNlabel, buffer);
- XtSetValues(labelWidget, args, 1);
- }
-diff -Naur tiff-4.0.3.orig/libtiff/tif_codec.c tiff-4.0.3/libtiff/tif_codec.c
---- tiff-4.0.3.orig/libtiff/tif_codec.c 2010-12-14 09:18:28.000000000 -0500
-+++ tiff-4.0.3/libtiff/tif_codec.c 2013-05-02 12:02:42.783287946 -0400
-@@ -108,7 +108,8 @@
- const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
- char compression_code[20];
-
-- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
-+ snprintf(compression_code, sizeof(compression_code), "%d",
-+ tif->tif_dir.td_compression );
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "%s compression support is not configured",
- c ? c->name : compression_code );
-diff -Naur tiff-4.0.3.orig/libtiff/tif_dirinfo.c tiff-4.0.3/libtiff/tif_dirinfo.c
---- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2012-08-19 12:56:34.000000000 -0400
-+++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-05-02 12:02:42.784287953 -0400
-@@ -711,7 +711,7 @@
- * note that this name is a special sign to TIFFClose() and
- * _TIFFSetupFields() to free the field
- */
-- sprintf(fld->field_name, "Tag %d", (int) tag);
-+ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
-
- return fld;
- }
-diff -Naur tiff-4.0.3.orig/tools/rgb2ycbcr.c tiff-4.0.3/tools/rgb2ycbcr.c
---- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2011-05-31 13:03:16.000000000 -0400
-+++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-05-02 12:02:42.785287961 -0400
-@@ -332,7 +332,8 @@
- TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
- { char buf[2048];
- char *cp = strrchr(TIFFFileName(in), '/');
-- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
-+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
-+ cp ? cp+1 : TIFFFileName(in));
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
- }
- TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
-diff -Naur tiff-4.0.3.orig/tools/tiff2bw.c tiff-4.0.3/tools/tiff2bw.c
---- tiff-4.0.3.orig/tools/tiff2bw.c 2010-07-08 12:10:24.000000000 -0400
-+++ tiff-4.0.3/tools/tiff2bw.c 2013-05-02 12:02:42.785287961 -0400
-@@ -205,7 +205,7 @@
- }
- }
- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
-- sprintf(thing, "B&W version of %s", argv[optind]);
-+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
- outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
---- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
-+++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:02:42.788287983 -0400
-@@ -3609,7 +3609,9 @@
- char buffer[16];
- int buflen=0;
-
-- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff);
-+ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
-+ t2p->pdf_majorversion&0xff,
-+ t2p->pdf_minorversion&0xff);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
-
-@@ -3623,10 +3625,10 @@
- tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
-- buflen=sprintf(buffer, "%lu", (unsigned long)number);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen );
- written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
-
-@@ -3665,13 +3667,13 @@
- written += t2pWriteFile(output, (tdata_t) "/", 1);
- for (i=0;i<namelen;i++){
- if ( ((unsigned char)name[i]) < 0x21){
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- nextchar=1;
- }
- if ( ((unsigned char)name[i]) > 0x7E){
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- nextchar=1;
-@@ -3679,57 +3681,57 @@
- if (nextchar==0){
- switch (name[i]){
- case 0x23:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x25:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x28:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x29:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x2F:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x3C:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x3E:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x5B:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x5D:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x7B:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
- case 0x7D:
-- sprintf(buffer, "#%.2X", name[i]);
-+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- buffer[sizeof(buffer) - 1] = '\0';
- written += t2pWriteFile(output, (tdata_t) buffer, 3);
- break;
-@@ -3844,14 +3846,14 @@
- tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "/Length ", 8);
- if(len!=0){
- written += t2p_write_pdf_stream_length(len, output);
- } else {
-- buflen=sprintf(buffer, "%lu", (unsigned long)number);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- }
-@@ -3892,10 +3894,10 @@
- tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
-- buflen=sprintf(buffer, "%lu", (unsigned long)len);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "\n", 1);
-
-@@ -3909,7 +3911,7 @@
- tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output)
- {
- tsize_t written = 0;
-- char buffer[16];
-+ char buffer[32];
- int buflen = 0;
-
- written += t2pWriteFile(output,
-@@ -3948,7 +3950,6 @@
- written += t2p_write_pdf_string(t2p->pdf_datetime, output);
- }
- written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11);
-- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer));
- snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION);
- written += t2p_write_pdf_string(buffer, output);
- written += t2pWriteFile(output, (tdata_t) "\n", 1);
-@@ -4089,7 +4090,7 @@
- {
- tsize_t written=0;
- tdir_t i=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- int page=0;
-@@ -4097,7 +4098,7 @@
- (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26);
- page = t2p->pdf_pages+1;
- for (i=0;i<t2p->tiff_pagecount;i++){
-- buflen=sprintf(buffer, "%d", page);
-+ buflen=snprintf(buffer, sizeof(buffer), "%d", page);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- if ( ((i+1)%8)==0 ) {
-@@ -4112,8 +4113,7 @@
- }
- }
- written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount);
-+ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
-
-@@ -4128,28 +4128,28 @@
-
- unsigned int i=0;
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[256];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11);
-- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1);
-+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1);
-+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2);
-+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);
-+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "] \n", 3);
- written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
-- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1));
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
-@@ -4157,15 +4157,13 @@
- written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
- for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
- written += t2pWriteFile(output, (tdata_t) "/Im", 3);
-- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
-+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "_", 1);
-- buflen = sprintf(buffer, "%u", i+1);
-+ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen = sprintf(
-- buffer,
-- "%lu",
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4177,12 +4175,10 @@
- } else {
- written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
- written += t2pWriteFile(output, (tdata_t) "/Im", 3);
-- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
-+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- buflen = sprintf(
-- buffer,
-- "%lu",
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4191,9 +4187,7 @@
- if(t2p->tiff_transferfunctioncount != 0) {
- written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13);
- t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
-- buflen = sprintf(
-- buffer,
-- "%lu",
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(object + 3));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4566,7 +4560,7 @@
- if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){
- for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){
- box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box;
-- buflen=sprintf(buffer,
-+ buflen=snprintf(buffer, sizeof(buffer),
- "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n",
- t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
- box.mat[0],
-@@ -4581,7 +4575,7 @@
- }
- } else {
- box=t2p->pdf_imagebox;
-- buflen=sprintf(buffer,
-+ buflen=snprintf(buffer, sizeof(buffer),
- "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n",
- t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
- box.mat[0],
-@@ -4606,59 +4600,48 @@
- TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output);
- written += t2pWriteFile(output,
- (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im",
- 42);
-- buflen=sprintf(buffer, "%u", t2p->pdf_page+1);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- if(tile != 0){
- written += t2pWriteFile(output, (tdata_t) "_", 1);
-- buflen=sprintf(buffer, "%lu", (unsigned long)tile);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- }
- written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
-- _TIFFmemset((tdata_t)buffer, 0x00, 16);
- if(tile==0){
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width);
- } else {
- if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
- } else {
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
- }
- }
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
-- _TIFFmemset((tdata_t)buffer, 0x00, 16);
- if(tile==0){
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length);
- } else {
- if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
- } else {
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
- }
- }
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
-- _TIFFmemset((tdata_t)buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
- written += t2p_write_pdf_xobject_cs(t2p, output);
-@@ -4702,11 +4685,10 @@
- t2p->pdf_colorspace ^= T2P_CS_PALETTE;
- written += t2p_write_pdf_xobject_cs(t2p, output);
- t2p->pdf_colorspace |= T2P_CS_PALETTE;
-- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " ", 1);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs );
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs );
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
- return(written);
-@@ -4740,10 +4722,10 @@
- X_W /= Y_W;
- Z_W /= Y_W;
- Y_W = 1.0F;
-- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
-- buflen=sprintf(buffer, "[%d %d %d %d] \n",
-+ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n",
- t2p->pdf_labrange[0],
- t2p->pdf_labrange[1],
- t2p->pdf_labrange[2],
-@@ -4759,26 +4741,26 @@
- tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25);
- if(t2p->tiff_transferfunctioncount == 1){
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(t2p->pdf_xrefcount + 1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- } else {
- written += t2pWriteFile(output, (tdata_t) "[ ", 2);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(t2p->pdf_xrefcount + 1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(t2p->pdf_xrefcount + 2));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)(t2p->pdf_xrefcount + 3));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4800,7 +4782,7 @@
- written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17);
- written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
- written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
-- buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
-+ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
- written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
-@@ -4827,7 +4809,7 @@
- tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[128];
-+ char buffer[256];
- int buflen=0;
-
- float X_W=0.0;
-@@ -4895,16 +4877,16 @@
- written += t2pWriteFile(output, (tdata_t) "<< \n", 4);
- if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
- written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
-- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
- }
- if(t2p->pdf_colorspace & T2P_CS_CALRGB){
- written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
-- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
-- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
-+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
- X_R, Y_R, Z_R,
- X_G, Y_G, Z_G,
- X_B, Y_B, Z_B);
-@@ -4923,11 +4905,11 @@
- tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
-
-@@ -4937,11 +4919,11 @@
- tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- written += t2pWriteFile(output, (tdata_t) "/N ", 3);
-- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
- t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
-@@ -5006,7 +4988,7 @@
- tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[16];
-+ char buffer[32];
- int buflen=0;
-
- if(t2p->pdf_compression==T2P_COMPRESS_NONE){
-@@ -5021,41 +5003,33 @@
- written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9);
- if(tile==0){
- written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_width);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
-- buflen=sprintf(buffer, "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_length);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- } else {
- if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
- written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- } else {
- written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- }
- if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
- written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- } else {
- written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
-- buflen=sprintf(
-- buffer,
-- "%lu",
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- }
-@@ -5082,21 +5056,17 @@
- if(t2p->pdf_compressionquality%100){
- written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
- written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen = sprintf(buffer, "%lu",
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
- (unsigned long)t2p->tiff_width);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
-- _TIFFmemset(buffer, 0x00, 16);
-- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
-+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
- }
-@@ -5116,16 +5086,16 @@
- tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){
-
- tsize_t written=0;
-- char buffer[21];
-+ char buffer[64];
- int buflen=0;
- uint32 i=0;
-
- written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
-- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
- for (i=0;i<t2p->pdf_xrefcount;i++){
-- sprintf(buffer, "%.10lu 00000 n \n",
-+ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n",
- (unsigned long)t2p->pdf_xrefoffsets[i]);
- written += t2pWriteFile(output, (tdata_t) buffer, 20);
- }
-@@ -5149,17 +5119,14 @@
- snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand());
-
- written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
-- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
-+ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
-- _TIFFmemset(buffer, 0x00, 32);
- written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
-- _TIFFmemset(buffer, 0x00, 32);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
-- _TIFFmemset(buffer, 0x00, 32);
- written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
- written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
- sizeof(t2p->pdf_fileid) - 1);
-@@ -5167,9 +5134,8 @@
- written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
- sizeof(t2p->pdf_fileid) - 1);
- written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
-- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref);
-+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
- written += t2pWriteFile(output, (tdata_t) buffer, buflen);
-- _TIFFmemset(buffer, 0x00, 32);
- written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
-
- return(written);
-diff -Naur tiff-4.0.3.orig/tools/tiff2ps.c tiff-4.0.3/tools/tiff2ps.c
---- tiff-4.0.3.orig/tools/tiff2ps.c 2011-05-31 13:10:18.000000000 -0400
-+++ tiff-4.0.3/tools/tiff2ps.c 2013-05-02 12:02:42.789287990 -0400
-@@ -1781,8 +1781,8 @@
- imageOp = "imagemask";
-
- (void)strcpy(im_x, "0");
-- (void)sprintf(im_y, "%lu", (long) h);
-- (void)sprintf(im_h, "%lu", (long) h);
-+ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
-+ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
- tile_width = w;
- tile_height = h;
- if (TIFFIsTiled(tif)) {
-@@ -1803,7 +1803,7 @@
- }
- if (tile_height < h) {
- fputs("/im_y 0 def\n", fd);
-- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
-+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
- }
- } else {
- repeat_count = tf_numberstrips;
-@@ -1815,7 +1815,7 @@
- fprintf(fd, "/im_h %lu def\n",
- (unsigned long) tile_height);
- (void)strcpy(im_h, "im_h");
-- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
-+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
- }
- }
-
-diff -Naur tiff-4.0.3.orig/tools/tiffcrop.c tiff-4.0.3/tools/tiffcrop.c
---- tiff-4.0.3.orig/tools/tiffcrop.c 2010-12-14 09:18:28.000000000 -0500
-+++ tiff-4.0.3/tools/tiffcrop.c 2013-05-02 12:02:42.791288005 -0400
-@@ -2077,7 +2077,7 @@
- return 1;
- }
-
-- sprintf (filenum, "-%03d%s", findex, export_ext);
-+ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
- filenum[14] = '\0';
- strncat (exportname, filenum, 15);
- }
-@@ -2230,8 +2230,8 @@
-
- /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes
- fewer than PATH_MAX */
-- memset (temp_filename, '\0', PATH_MAX + 1);
-- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
-+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
-+ dump.infilename, dump_images,
- (dump.format == DUMP_TEXT) ? "txt" : "raw");
- if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
- {
-@@ -2249,8 +2249,8 @@
-
- /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes
- fewer than PATH_MAX */
-- memset (temp_filename, '\0', PATH_MAX + 1);
-- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
-+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
-+ dump.outfilename, dump_images,
- (dump.format == DUMP_TEXT) ? "txt" : "raw");
- if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
- {
-diff -Naur tiff-4.0.3.orig/tools/tiffdither.c tiff-4.0.3/tools/tiffdither.c
---- tiff-4.0.3.orig/tools/tiffdither.c 2010-03-10 13:56:50.000000000 -0500
-+++ tiff-4.0.3/tools/tiffdither.c 2013-05-02 12:02:42.792288013 -0400
-@@ -260,7 +260,7 @@
- TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
- else
- CopyField(TIFFTAG_FILLORDER, shortv);
-- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
-+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- CopyField(TIFFTAG_PHOTOMETRIC, shortv);
- CopyField(TIFFTAG_ORIENTATION, shortv);
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4231.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4231.patch
deleted file mode 100644
index c4b3446..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4231.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-4231.patch
-http://bugs.gentoo.org/480466
-
---- tools/gif2tiff.c
-+++ tools/gif2tiff.c
-@@ -333,6 +333,10 @@ readraster(void)
- int status = 1;
-
- datasize = getc(infile);
-+
-+ if (datasize > 12)
-+ return 0;
-+
- clear = 1 << datasize;
- eoi = clear + 1;
- avail = clear + 2;
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4232.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4232.patch
deleted file mode 100644
index 98edff5..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4232.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-4232.patch
-http://bugs.gentoo.org/480466
-
---- tools/tiff2pdf.c
-+++ tools/tiff2pdf.c
-@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
- TIFFFileName(input));
- t2p->t2p_error = T2P_ERR_ERROR;
- _TIFFfree(buffer);
-+ return(0);
- } else {
- buffer=samplebuffer;
- t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4244.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4244.patch
deleted file mode 100644
index 792e076..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4244.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
-index 375b152..2731273 100644
---- a/tools/gif2tiff.c
-+++ b/tools/gif2tiff.c
-@@ -402,6 +402,10 @@ process(register int code, unsigned char** fill)
- }
-
- if (oldcode == -1) {
-+ if (code >= clear) {
-+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
-+ return 0;
-+ }
- *(*fill)++ = suffix[code];
- firstchar = oldcode = code;
- return 1;
diff --git a/media-libs/tiff/files/tiff-4.0.3-libjpeg-turbo.patch b/media-libs/tiff/files/tiff-4.0.3-libjpeg-turbo.patch
deleted file mode 100644
index 92cff7e..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-libjpeg-turbo.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-Back-port upstream patch to avoid assuming quite so much about what libjpeg
-will return. Needed because libjpeg-turbo with the jpeg8 API broke the
-expectations of the previous coding.
-
-
-diff -Naur tiff-4.0.3.orig/test/raw_decode.c tiff-4.0.3/test/raw_decode.c
---- tiff-4.0.3.orig/test/raw_decode.c 2012-07-06 13:05:16.000000000 -0400
-+++ tiff-4.0.3/test/raw_decode.c 2012-12-19 13:04:37.609738276 -0500
-@@ -71,33 +71,54 @@
- return 1;
- }
-
--static int check_rgb_pixel( int pixel, int red, int green, int blue, unsigned char *buffer ) {
-+static int check_rgb_pixel( int pixel,
-+ int min_red, int max_red,
-+ int min_green, int max_green,
-+ int min_blue, int max_blue,
-+ unsigned char *buffer ) {
- unsigned char *rgb = buffer + 3 * pixel;
-
-- if( rgb[0] == red && rgb[1] == green && rgb[2] == blue ) {
-+ if( rgb[0] >= min_red && rgb[0] <= max_red &&
-+ rgb[1] >= min_green && rgb[1] <= max_green &&
-+ rgb[2] >= min_blue && rgb[2] <= max_blue ) {
- return 0;
- }
-
- fprintf( stderr, "Pixel %d did not match expected results.\n", pixel );
-- fprintf( stderr, "Expect: %3d %3d %3d\n", red, green, blue );
-- fprintf( stderr, " Got: %3d %3d %3d\n", rgb[0], rgb[1], rgb[2] );
-+ fprintf( stderr, "Got R=%d (expected %d..%d), G=%d (expected %d..%d), B=%d (expected %d..%d)\n",
-+ rgb[0], min_red, max_red,
-+ rgb[1], min_green, max_green,
-+ rgb[2], min_blue, max_blue );
- return 1;
- }
-
--static int check_rgba_pixel( int pixel, int red, int green, int blue, int alpha, uint32 *buffer ) {
-+static int check_rgba_pixel( int pixel,
-+ int min_red, int max_red,
-+ int min_green, int max_green,
-+ int min_blue, int max_blue,
-+ int min_alpha, int max_alpha,
-+ uint32 *buffer ) {
- /* RGBA images are upside down - adjust for normal ordering */
- int adjusted_pixel = pixel % 128 + (127 - (pixel/128)) * 128;
- uint32 rgba = buffer[adjusted_pixel];
-
-- if( TIFFGetR(rgba) == (uint32) red && TIFFGetG(rgba) == (uint32) green &&
-- TIFFGetB(rgba) == (uint32) blue && TIFFGetA(rgba) == (uint32) alpha ) {
-+ if( TIFFGetR(rgba) >= (uint32) min_red &&
-+ TIFFGetR(rgba) <= (uint32) max_red &&
-+ TIFFGetG(rgba) >= (uint32) min_green &&
-+ TIFFGetG(rgba) <= (uint32) max_green &&
-+ TIFFGetB(rgba) >= (uint32) min_blue &&
-+ TIFFGetB(rgba) <= (uint32) max_blue &&
-+ TIFFGetA(rgba) >= (uint32) min_alpha &&
-+ TIFFGetA(rgba) <= (uint32) max_alpha ) {
- return 0;
- }
-
- fprintf( stderr, "Pixel %d did not match expected results.\n", pixel );
-- fprintf( stderr, "Expect: %3d %3d %3d %3d\n", red, green, blue, alpha );
-- fprintf( stderr, " Got: %3d %3d %3d %3d\n",
-- TIFFGetR(rgba), TIFFGetG(rgba), TIFFGetB(rgba), TIFFGetA(rgba) );
-+ fprintf( stderr, "Got R=%d (expected %d..%d), G=%d (expected %d..%d), B=%d (expected %d..%d), A=%d (expected %d..%d)\n",
-+ TIFFGetR(rgba), min_red, max_red,
-+ TIFFGetG(rgba), min_green, max_green,
-+ TIFFGetB(rgba), min_blue, max_blue,
-+ TIFFGetA(rgba), min_alpha, max_alpha );
- return 1;
- }
-
-@@ -191,15 +212,17 @@
- return 1;
- }
-
--#if JPEG_LIB_VERSION >= 70
-- pixel_status |= check_rgb_pixel( 0, 18, 0, 41, buffer );
-- pixel_status |= check_rgb_pixel( 64, 0, 0, 0, buffer );
-- pixel_status |= check_rgb_pixel( 512, 5, 34, 196, buffer );
--#else
-- pixel_status |= check_rgb_pixel( 0, 15, 0, 18, buffer );
-- pixel_status |= check_rgb_pixel( 64, 0, 0, 2, buffer );
-- pixel_status |= check_rgb_pixel( 512, 6, 36, 182, buffer );
--#endif
-+ /*
-+ * JPEG decoding is inherently inexact, so we can't test for exact
-+ * pixel values. (Well, if we knew exactly which libjpeg version
-+ * we were using, and with what settings, we could expect specific
-+ * values ... but it's not worth the trouble to keep track of.)
-+ * Hence, use ranges of expected values. The ranges may need to be
-+ * widened over time as more versions of libjpeg appear.
-+ */
-+ pixel_status |= check_rgb_pixel( 0, 15, 18, 0, 0, 18, 41, buffer );
-+ pixel_status |= check_rgb_pixel( 64, 0, 0, 0, 0, 0, 2, buffer );
-+ pixel_status |= check_rgb_pixel( 512, 5, 6, 34, 36, 182, 196, buffer );
-
- free( buffer );
-
-@@ -224,15 +247,12 @@
- * accomplish it from the YCbCr subsampled buffer ourselves in which
- * case the results may be subtly different but similar.
- */
--#if JPEG_LIB_VERSION >= 70
-- pixel_status |= check_rgba_pixel( 0, 18, 0, 41, 255, rgba_buffer );
-- pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 255, rgba_buffer );
-- pixel_status |= check_rgba_pixel( 512, 5, 34, 196, 255, rgba_buffer );
--#else
-- pixel_status |= check_rgba_pixel( 0, 15, 0, 18, 255, rgba_buffer );
-- pixel_status |= check_rgba_pixel( 64, 0, 0, 2, 255, rgba_buffer );
-- pixel_status |= check_rgba_pixel( 512, 6, 36, 182, 255, rgba_buffer );
--#endif
-+ pixel_status |= check_rgba_pixel( 0, 15, 18, 0, 0, 18, 41, 255, 255,
-+ rgba_buffer );
-+ pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 0, 0, 2, 255, 255,
-+ rgba_buffer );
-+ pixel_status |= check_rgba_pixel( 512, 5, 6, 34, 36, 182, 196, 255, 255,
-+ rgba_buffer );
-
- free( rgba_buffer );
- TIFFClose(tif);
diff --git a/media-libs/tiff/files/tiff-4.0.3-tiff2pdf-colors.patch b/media-libs/tiff/files/tiff-4.0.3-tiff2pdf-colors.patch
deleted file mode 100644
index a503444..00000000
--- a/media-libs/tiff/files/tiff-4.0.3-tiff2pdf-colors.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-http://bugs.gentoo.org/145055
-
-http://build.opensuse.org/package/view_file?file=tiff-4.0.2-tiff2pdf-colors.patch&package=tiff&project=openSUSE%3AFactory
-
---- tools/tiff2pdf.c
-+++ tools/tiff2pdf.c
-@@ -4991,7 +4991,7 @@
-
- if(t2p->tiff_photometric != PHOTOMETRIC_YCBCR) {
- written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
-- written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 0 >>\n", 24);
-+ written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 1 >>\n", 24);
- }
- break;
- #endif
^ permalink raw reply related [flat|nested] 6+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/
@ 2016-08-07 21:54 Lars Wendler
0 siblings, 0 replies; 6+ messages in thread
From: Lars Wendler @ 2016-08-07 21:54 UTC (permalink / raw
To: gentoo-commits
commit: 04540112d67f5e0a9d0dd41bc1990c15d01140a1
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Sun Aug 7 21:53:57 2016 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sun Aug 7 21:54:13 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04540112
media-libs/tiff: Also remove gif2tiff test (bug #590708).
Package-Manager: portage-2.3.0
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
media-libs/tiff/files/tiff-4.0.6-gif2tiff_removal.patch | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/media-libs/tiff/files/tiff-4.0.6-gif2tiff_removal.patch b/media-libs/tiff/files/tiff-4.0.6-gif2tiff_removal.patch
index 9cf4ec5..ea5c2c3 100644
--- a/media-libs/tiff/files/tiff-4.0.6-gif2tiff_removal.patch
+++ b/media-libs/tiff/files/tiff-4.0.6-gif2tiff_removal.patch
@@ -15,6 +15,16 @@ https://bugs.gentoo.org/585274
pal2rgb.1 \
ppm2tiff.1 \
ras2tiff.1 \
+--- tiff-4.0.6/test/Makefile.am
++++ tiff-4.0.6/test/Makefile.am
+@@ -68,7 +68,6 @@
+ TESTSCRIPTS = \
+ bmp2tiff_palette.sh \
+ bmp2tiff_rgb.sh \
+- gif2tiff.sh \
+ ppm2tiff_pbm.sh \
+ ppm2tiff_pgm.sh \
+ ppm2tiff_ppm.sh \
--- tiff-4.0.6/tools/Makefile.am
+++ tiff-4.0.6/tools/Makefile.am
@@ -34,7 +34,6 @@
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-02-07 4:30 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-20 1:29 [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/ Aaron Bauman
-- strict thread matches above, loose matches on Subject: below --
2023-02-07 4:30 Sam James
2019-03-27 23:56 Patrice Clement
2018-06-13 21:18 Aaron Bauman
2016-12-29 13:14 David Seifert
2016-08-07 21:54 Lars Wendler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox