2015-12-26 Even Rouault * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage interface in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and CVE-2015-8683 reported by zzf of Alibaba. diff -u -r1.93 -r1.94 --- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93 +++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94 @@ -182,20 +182,22 @@ "Planarconfiguration", td->td_planarconfig); return (0); } - if( td->td_samplesperpixel != 3 ) + if( td->td_samplesperpixel != 3 || colorchannels != 3 ) { sprintf(emsg, - "Sorry, can not handle image with %s=%d", - "Samples/pixel", td->td_samplesperpixel); + "Sorry, can not handle image with %s=%d, %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels); return 0; } break; case PHOTOMETRIC_CIELAB: - if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) + if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { sprintf(emsg, - "Sorry, can not handle image with %s=%d and %s=%d", + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels, "Bits/sample", td->td_bitspersample); return 0; } @@ -255,6 +257,9 @@ int colorchannels; uint16 *red_orig, *green_orig, *blue_orig; int n_color; + + if( !TIFFRGBAImageOK(tif, emsg) ) + return 0; /* Initialize to normal values */ img->row_offset = 0; @@ -2509,29 +2514,33 @@ case PHOTOMETRIC_RGB: switch (img->bitspersample) { case 8: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >= 4) img->put.contig = putRGBAAcontig8bittile; - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >= 4) { if (BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig8bittile; } - else + else if( img->samplesperpixel >= 3 ) img->put.contig = putRGBcontig8bittile; break; case 16: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBAAcontig16bittile; } - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img) && BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig16bittile; } - else + else if( img->samplesperpixel >=3 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBcontig16bittile; @@ -2540,7 +2549,7 @@ } break; case PHOTOMETRIC_SEPARATED: - if (buildMap(img)) { + if (img->samplesperpixel >=4 && buildMap(img)) { if (img->bitspersample == 8) { if (!img->Map) img->put.contig = putRGBcontig8bitCMYKtile; @@ -2636,7 +2645,7 @@ } break; case PHOTOMETRIC_CIELAB: - if (buildMap(img)) { + if (img->samplesperpixel == 3 && buildMap(img)) { if (img->bitspersample == 8) img->put.contig = initCIELabConversion(img); break; . ("package with arguments"): New test. Ludovic Courtès 2021-11-11import: print: Handle patches that are origins....* guix/import/print.scm (package->code)[source->code]: Handle patches that are origins. * tests/print.scm (pkg-with-origin-input): Add 'patches' field. (pkg-with-origin-patch, pkg-with-origin-patch-source): New variables. ("package with origin patch"): New test. Ludovic Courtès 2021-11-11import: print: Correctly handle URI lists....* guix/import/print.scm (package->code)[factorized-uri-code]: New procedure. [source->code]: Use it, and factorize URI when it's a list. * tests/print.scm (pkg-with-origin-input): Check origin URI to a list. Ludovic Courtès 2021-11-11import: print: Properly render packages with origins as inputs....* guix/import/print.scm (package->code)[source->code]: Check whether VERSION is true before calling 'factorize-uri'. [package-lists->code]: Add clause for inputs that are origins. * tests/print.scm (pkg-with-origin-input, pkg-with-origin-input-source): New variables. ("package with origin input"): New test. Ludovic Courtès 2021-07-11import: print: Emit new-style package inputs when possible....* guix/import/print.scm (redundant-input-labels?): New procedure. (package->code)[package-lists->code]: Rename to... [inputs->code]: ... this. When 'redundant-input-labels?' returns true, emit label-less inputs. Adjust callers to new name. * tests/print.scm (pkg-with-inputs): Adjust accordingly. Ludovic Courtès