| @@ -1,18 +1,21 @@ | | | @@ -1,18 +1,21 @@ |
1 | $NetBSD: patch-CVE-2013-1960_1961,v 1.1 2013/05/02 14:52:44 drochner Exp $ | | 1 | $NetBSD: patch-CVE-2013-1960_1961,v 1.2 2013/08/15 14:58:46 drochner Exp $ |
2 | | | 2 | |
3 | see https://bugzilla.redhat.com/show_bug.cgi?id=952131 | | 3 | see https://bugzilla.redhat.com/show_bug.cgi?id=952131 |
4 | and https://bugzilla.redhat.com/show_bug.cgi?id=952158 | | 4 | and https://bugzilla.redhat.com/show_bug.cgi?id=952158 |
5 | | | 5 | |
| | | 6 | also fixes CVE-2013-4232 |
| | | 7 | see http://bugzilla.maptools.org/show_bug.cgi?id=2449 |
| | | 8 | |
6 | --- contrib/dbs/xtiff/xtiff.c.orig 2010-06-08 20:55:15.000000000 +0200 | | 9 | --- contrib/dbs/xtiff/xtiff.c.orig 2010-06-08 20:55:15.000000000 +0200 |
7 | +++ contrib/dbs/xtiff/xtiff.c 2013-05-02 16:27:43.000000000 +0200 | | 10 | +++ contrib/dbs/xtiff/xtiff.c 2013-05-02 16:27:43.000000000 +0200 |
8 | @@ -512,9 +512,9 @@ SetNameLabel() | | 11 | @@ -512,9 +512,9 @@ SetNameLabel() |
9 | Arg args[1]; | | 12 | Arg args[1]; |
10 | | | 13 | |
11 | if (tfMultiPage) | | 14 | if (tfMultiPage) |
12 | - sprintf(buffer, "%s - page %d", fileName, tfDirectory); | | 15 | - sprintf(buffer, "%s - page %d", fileName, tfDirectory); |
13 | + snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); | | 16 | + snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); |
14 | else | | 17 | else |
15 | - strcpy(buffer, fileName); | | 18 | - strcpy(buffer, fileName); |
16 | + snprintf(buffer, sizeof(buffer), "%s", fileName); | | 19 | + snprintf(buffer, sizeof(buffer), "%s", fileName); |
17 | XtSetArg(args[0], XtNlabel, buffer); | | 20 | XtSetArg(args[0], XtNlabel, buffer); |
18 | XtSetValues(labelWidget, args, 1); | | 21 | XtSetValues(labelWidget, args, 1); |
| @@ -53,29 +56,37 @@ and https://bugzilla.redhat.com/show_bug | | | @@ -53,29 +56,37 @@ and https://bugzilla.redhat.com/show_bug |
53 | } | | 56 | } |
54 | TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); | | 57 | TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); |
55 | --- tools/tiff2bw.c.orig 2010-07-08 18:10:24.000000000 +0200 | | 58 | --- tools/tiff2bw.c.orig 2010-07-08 18:10:24.000000000 +0200 |
56 | +++ tools/tiff2bw.c 2013-05-02 16:27:43.000000000 +0200 | | 59 | +++ tools/tiff2bw.c 2013-05-02 16:27:43.000000000 +0200 |
57 | @@ -205,7 +205,7 @@ main(int argc, char* argv[]) | | 60 | @@ -205,7 +205,7 @@ main(int argc, char* argv[]) |
58 | } | | 61 | } |
59 | } | | 62 | } |
60 | TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); | | 63 | TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); |
61 | - sprintf(thing, "B&W version of %s", argv[optind]); | | 64 | - sprintf(thing, "B&W version of %s", argv[optind]); |
62 | + snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); | | 65 | + snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); |
63 | TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); | | 66 | TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); |
64 | TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); | | 67 | TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); |
65 | outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); | | 68 | outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); |
66 | --- tools/tiff2pdf.c.orig 2013-05-02 16:27:43.000000000 +0200 | | 69 | --- tools/tiff2pdf.c.orig 2012-07-26 02:56:43.000000000 +0000 |
67 | +++ tools/tiff2pdf.c 2013-05-02 16:32:49.000000000 +0200 | | 70 | +++ tools/tiff2pdf.c |
68 | @@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip( | | 71 | @@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p |
| | | 72 | TIFFFileName(input)); |
| | | 73 | t2p->t2p_error = T2P_ERR_ERROR; |
| | | 74 | _TIFFfree(buffer); |
| | | 75 | + return(0); |
| | | 76 | } else { |
| | | 77 | buffer=samplebuffer; |
| | | 78 | t2p->tiff_datasize *= t2p->tiff_samplesperpixel; |
| | | 79 | @@ -3341,33 +3342,56 @@ int t2p_process_jpeg_strip( |
69 | uint32 height){ | | 80 | uint32 height){ |
70 | | | 81 | |
71 | tsize_t i=0; | | 82 | tsize_t i=0; |
72 | - uint16 ri =0; | | 83 | - uint16 ri =0; |
73 | - uint16 v_samp=1; | | 84 | - uint16 v_samp=1; |
74 | - uint16 h_samp=1; | | 85 | - uint16 h_samp=1; |
75 | - int j=0; | | 86 | - int j=0; |
76 | - | | 87 | - |
77 | - i++; | | 88 | - i++; |
78 | - | | 89 | - |
79 | - while(i<(*striplength)){ | | 90 | - while(i<(*striplength)){ |
80 | + | | 91 | + |
81 | + while (i < *striplength) { | | 92 | + while (i < *striplength) { |
| @@ -134,27 +145,27 @@ and https://bugzilla.redhat.com/show_bug | | | @@ -134,27 +145,27 @@ and https://bugzilla.redhat.com/show_bug |
134 | + if (ncomp < 1 || ncomp > 4) | | 145 | + if (ncomp < 1 || ncomp > 4) |
135 | + return(0); | | 146 | + return(0); |
136 | + v_samp=1; | | 147 | + v_samp=1; |
137 | + h_samp=1; | | 148 | + h_samp=1; |
138 | + for(j=0;j<ncomp;j++){ | | 149 | + for(j=0;j<ncomp;j++){ |
139 | + uint16 samp = buffer[*bufferoffset+11+(3*j)]; | | 150 | + uint16 samp = buffer[*bufferoffset+11+(3*j)]; |
140 | + if( (samp>>4) > h_samp) | | 151 | + if( (samp>>4) > h_samp) |
141 | + h_samp = (samp>>4); | | 152 | + h_samp = (samp>>4); |
142 | + if( (samp & 0x0f) > v_samp) | | 153 | + if( (samp & 0x0f) > v_samp) |
143 | + v_samp = (samp & 0x0f); | | 154 | + v_samp = (samp & 0x0f); |
144 | } | | 155 | } |
145 | v_samp*=8; | | 156 | v_samp*=8; |
146 | h_samp*=8; | | 157 | h_samp*=8; |
147 | @@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip( | | 158 | @@ -3381,45 +3405,43 @@ int t2p_process_jpeg_strip( |
148 | (unsigned char) ((height>>8) & 0xff); | | 159 | (unsigned char) ((height>>8) & 0xff); |
149 | buffer[*bufferoffset+6]= | | 160 | buffer[*bufferoffset+6]= |
150 | (unsigned char) (height & 0xff); | | 161 | (unsigned char) (height & 0xff); |
151 | - *bufferoffset+=strip[i+2]+2; | | 162 | - *bufferoffset+=strip[i+2]+2; |
152 | - i+=strip[i+2]+2; | | 163 | - i+=strip[i+2]+2; |
153 | - | | 164 | - |
154 | + *bufferoffset+=datalen+2; | | 165 | + *bufferoffset+=datalen+2; |
155 | + /* insert a DRI marker */ | | 166 | + /* insert a DRI marker */ |
156 | buffer[(*bufferoffset)++]=0xff; | | 167 | buffer[(*bufferoffset)++]=0xff; |
157 | buffer[(*bufferoffset)++]=0xdd; | | 168 | buffer[(*bufferoffset)++]=0xdd; |
158 | buffer[(*bufferoffset)++]=0x00; | | 169 | buffer[(*bufferoffset)++]=0x00; |
159 | buffer[(*bufferoffset)++]=0x04; | | 170 | buffer[(*bufferoffset)++]=0x04; |
160 | buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; | | 171 | buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; |
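Review bot: The header comment added at new lines 6-7 says the patch "also fixes CVE-2013-4232" but does not say which hunk carries that fix, and the file name still lists only CVE-2013-1960 and CVE-2013-1961, so anyone auditing the patches by CVE id can miss it. From the visible lines the fix appears to be the single `+ return(0);` after `_TIFFfree(buffer);` in the new `t2p_readwrite_pdf_image` hunk of tools/tiff2pdf.c, which stops the error branch from continuing with a freed `buffer`. I would say so in the header, e.g. `also fixes CVE-2013-4232 (use after free in t2p_readwrite_pdf_image, tools/tiff2pdf.c)`. The rest of that function lies outside the hunk, so it is worth confirming that no other error branch there frees `buffer` and then carries on in the same way.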