diff -uNr -r tiff-3.7.3-orig/libtiff/tif_color.c tiff-3.7.3/libtiff/tif_color.c
--- tiff-3.7.3-orig/libtiff/tif_color.c 2005-07-05 18:38:08.000000000 +0200
+++ tiff-3.7.3/libtiff/tif_color.c 2006-05-09 19:16:08.799819750 +0200
@@ -92,6 +92,11 @@
 Yg = TIFFmax(Yg, cielab->display.d_Y0G);
 Yb = TIFFmax(Yb, cielab->display.d_Y0B);
+ /* Avoid overflow in case of wrong input values */
+ Yr = TIFFmin(Yr, cielab->display.d_YCR);
+ Yg = TIFFmin(Yg, cielab->display.d_YCG);
+ Yb = TIFFmin(Yb, cielab->display.d_YCB);
+
 /* Turn luminosity to colour value. */
 i = (int)((Yr - cielab->display.d_Y0R) / cielab->rstep);
 i = TIFFmin(cielab->range, i);
diff -uNr -r tiff-3.7.3-orig/libtiff/tif_dirread.c tiff-3.7.3/libtiff/tif_dirread.c
--- tiff-3.7.3-orig/libtiff/tif_dirread.c 2005-05-24 20:55:20.000000000 +0200
+++ tiff-3.7.3/libtiff/tif_dirread.c 2006-05-09 19:16:08.799819750 +0200
@@ -798,13 +798,20 @@
 int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
 tsize_t cc = dir->tdir_count * w;
+ /* Check for overflow. */
+ if (!dir->tdir_count || !w || cc / w != (tsize_t)dir->tdir_count)
+ goto bad;
+
 if (!isMapped(tif)) {
 if (!SeekOK(tif, dir->tdir_offset))
 goto bad;
 if (!ReadOK(tif, cp, cc))
 goto bad;
 } else {
- if (dir->tdir_offset + cc > tif->tif_size)
+ /* Check for overflow. */
+ if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset
+ || (tsize_t)dir->tdir_offset + cc < cc
+ || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size)
 goto bad;
 _TIFFmemcpy(cp, tif->tif_base + dir->tdir_offset, cc);
 }
diff -uNr -r tiff-3.7.3-orig/libtiff/tif_fax3.c tiff-3.7.3/libtiff/tif_fax3.c
--- tiff-3.7.3-orig/libtiff/tif_fax3.c 2005-03-06 11:51:36.000000000 +0100
+++ tiff-3.7.3/libtiff/tif_fax3.c 2006-05-09 19:16:08.799819750 +0200
@@ -1074,6 +1074,10 @@
 if (tif->tif_data) {
 Fax3CodecState* sp = DecoderState(tif);
+ assert (sp != 0);
+ tif->tif_tagmethods.vgetfield = sp->b.vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->b.vsetparent;
+
 if (sp->runs)
 _TIFFfree(sp->runs);
 if (sp->refline)
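Review bot: The new clamp only keeps `i` in range if each `d_YC*` is at or above the `d_Y0*` floor applied two lines earlier; with inconsistent display parameters the `TIFFmin` pulls `Yr` below `d_Y0R`, `(Yr - d_Y0R) / rstep` turns negative, and the `TIFFmin(cielab->range, i)` that follows bounds `i` only from above, so a negative index can reach whatever lookup follows outside the hunk. A matching lower bound, `i = TIFFmax(0, i);` after each `TIFFmin(cielab->range, i)`, closes that gap. The added comment should also name the overflow it prevents — assuming these are floating-point quantities, as the explicit `(int)` cast suggests, converting an out-of-range value to `int` is undefined behaviour rather than merely a bad index: `/* Clamp to reference white so the float-to-int conversion below stays in range. */`. The enclosing function begins and ends outside the hunk.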
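Review bot: The new size check still admits a negative `cc`: `tsize_t` is a signed 32-bit type in this libtiff series, so a product that wraps into the negative range (a count of 2^31 with `w == 1`, for instance) satisfies `cc / w == (tsize_t)dir->tdir_count` and reaches ReadOK() and `_TIFFmemcpy` with a negative length. Adding `cc <= 0 ||` to the condition, `if (!dir->tdir_count || !w || cc <= 0 || cc / w != (tsize_t)dir->tdir_count)`, rejects that case. The mapped-branch check below detects overflow by adding two `tsize_t` values and testing whether the sum wrapped, which is signed overflow and therefore undefined behaviour an optimiser may assume never happens and delete; with `cc` known positive, and if `tdir_offset` and `tif_size` are unsigned 32-bit fields as I believe they are in this release, the overflow-free form is `if (dir->tdir_offset > tif->tif_size || cc > tif->tif_size - dir->tdir_offset) goto bad;`, which stays in the fields' own types. The enclosing function begins and ends outside the hunk.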
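Review bot: `assert (sp != 0)` tests a value the enclosing `if (tif->tif_data)` has already established, assuming DecoderState() is just a cast of `tif_data` as its use here suggests, so it guards nothing; the check that would actually protect the two restores is `assert(sp->b.vgetparent != 0);` (and likewise for `vsetparent`), matching the `vsetparent` assertion the Fax3VSetField hunk adds. The patch is also inconsistent about form — `assert (sp != 0)` here, in JPEGCleanup and in TIFFPredictorCleanup versus `assert(sp != NULL)` in the other tif_predict.c hunks — and one spelling should be used throughout. The cleanup function continues past the end of the hunk.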
@@ -1134,6 +1138,8 @@
 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
 {
 Fax3BaseState* sp = Fax3State(tif);
+ assert (sp != 0);
+ assert (sp->vsetparent != 0);
 switch (tag) {
 case TIFFTAG_FAXMODE:
diff -uNr -r tiff-3.7.3-orig/libtiff/tif_jpeg.c tiff-3.7.3/libtiff/tif_jpeg.c
--- tiff-3.7.3-orig/libtiff/tif_jpeg.c 2005-06-01 19:15:14.000000000 +0200
+++ tiff-3.7.3/libtiff/tif_jpeg.c 2006-05-09 19:16:08.799819750 +0200
@@ -1500,15 +1500,18 @@
 static void
 JPEGCleanup(TIFF* tif)
 {
- if (tif->tif_data) {
 JPEGState *sp = JState(tif);
+
+ assert (sp != 0);
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
 if( sp->cinfo_initialized )
 TIFFjpeg_destroy(sp); /* release libjpeg resources */
 if (sp->jpegtables) /* tag value */
 _TIFFfree(sp->jpegtables);
 _TIFFfree(tif->tif_data); /* release local state */
 tif->tif_data = NULL;
- }
 }
 static int
diff -uNr -r tiff-3.7.3-orig/libtiff/tif_lzw.c tiff-3.7.3/libtiff/tif_lzw.c
--- tiff-3.7.3-orig/libtiff/tif_lzw.c 2004-10-02 15:52:29.000000000 +0200
+++ tiff-3.7.3/libtiff/tif_lzw.c 2006-05-09 19:16:08.799819750 +0200
@@ -1002,6 +1002,8 @@
 static void
 LZWCleanup(TIFF* tif)
 {
+ (void)TIFFPredictorCleanup(tif);
+
 if (tif->tif_data) {
 if (DecoderState(tif)->dec_codetab)
 _TIFFfree(DecoderState(tif)->dec_codetab);
diff -uNr -r tiff-3.7.3-orig/libtiff/tif_pixarlog.c tiff-3.7.3/libtiff/tif_pixarlog.c
--- tiff-3.7.3-orig/libtiff/tif_pixarlog.c 2005-01-15 18:20:58.000000000 +0100
+++ tiff-3.7.3/libtiff/tif_pixarlog.c 2006-05-09 19:16:08.803820000 +0200
@@ -1163,7 +1163,13 @@
 {
 PixarLogState* sp = (PixarLogState*) tif->tif_data;
- if (sp) {
+ assert(sp != 0);
+
+ (void)TIFFPredictorCleanup(tif);
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
 if (sp->FromLT2) _TIFFfree(sp->FromLT2);
 if (sp->From14) _TIFFfree(sp->From14);
 if (sp->From8) _TIFFfree(sp->From8);
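Review bot: Dropping the `if (tif->tif_data)` guard in favour of `assert (sp != 0)` turns a NULL `tif_data` from a no-op into a NULL dereference when the library is built with NDEBUG, because `sp->vgetparent` is read unconditionally on the very next line; the tif_pixarlog.c and ZIPCleanup hunks make the same substitution for their `if (sp)` guards, and Fax3VSetField and the tif_predict.c hunks likewise rely on `assert` as their only check. Keep the assertion for debug builds but add a runtime exit before the first dereference, `if (sp == NULL) return;`, in each of those functions. A short comment on the restore would also help the next reader: `/* Unhook our tag handlers before tif_data goes away so later tag access lands in the parent. */`.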
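Review bot: `TIFFPredictorCleanup(tif)` now runs before the `if (tif->tif_data)` test that LZWCleanup keeps, and the TIFFPredictorCleanup added in tif_predict.c reads `sp->vgetparent` straight after an `assert`, so whenever this is called with `tif_data` unset — a state the retained guard implies is possible, assuming PredictorState() is a cast of `tif_data` — release builds dereference NULL before the guard is reached. Moving the call inside the block, `if (tif->tif_data) { (void)TIFFPredictorCleanup(tif); ...`, keeps the existing protection. A why-comment would also help, since the ZIPCleanup and tif_pixarlog.c hunks order the same call deliberately: `/* unhook the predictor's tag/setup hooks before the codec state is freed */`. The rest of LZWCleanup is outside the hunk.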
@@ -1180,7 +1186,6 @@
 _TIFFfree(sp->tbuf);
 _TIFFfree(sp);
 tif->tif_data = NULL;
- }
 }
 static int
diff -uNr -r tiff-3.7.3-orig/libtiff/tif_predict.c tiff-3.7.3/libtiff/tif_predict.c
--- tiff-3.7.3-orig/libtiff/tif_predict.c 2005-06-05 18:13:15.000000000 +0200
+++ tiff-3.7.3/libtiff/tif_predict.c 2006-05-09 19:16:08.803820000 +0200
@@ -519,6 +519,9 @@
 {
 TIFFPredictorState *sp = PredictorState(tif);
+ assert(sp != NULL);
+ assert(sp->vsetparent != NULL);
+
 switch (tag) {
 case TIFFTAG_PREDICTOR:
 sp->predictor = (uint16) va_arg(ap, int);
@@ -536,6 +539,9 @@
 {
 TIFFPredictorState *sp = PredictorState(tif);
+ assert(sp != NULL);
+ assert(sp->vgetparent != NULL);
+
 switch (tag) {
 case TIFFTAG_PREDICTOR:
 *va_arg(ap, uint16*) = sp->predictor;
@@ -569,6 +575,8 @@
 TIFFPredictorInit(TIFF* tif)
 {
 TIFFPredictorState* sp = PredictorState(tif);
+
+ assert(sp != NULL);
 /*
 * Merge codec-specific tag information and
@@ -595,4 +603,20 @@
 return 1;
 }
+int
+TIFFPredictorCleanup(TIFF* tif)
+{
+ TIFFPredictorState* sp = PredictorState(tif);
+
+ assert(sp != 0);
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+ tif->tif_tagmethods.printdir = sp->printdir;
+ tif->tif_setupdecode = sp->setupdecode;
+ tif->tif_setupencode = sp->setupencode;
+
+ return 1;
+}
+
 /* vim: set ts=8 sts=8 sw=8 noet: */
diff -uNr -r tiff-3.7.3-orig/libtiff/tif_predict.h tiff-3.7.3/libtiff/tif_predict.h
--- tiff-3.7.3-orig/libtiff/tif_predict.h 2005-04-15 19:13:34.000000000 +0200
+++ tiff-3.7.3/libtiff/tif_predict.h 2006-05-09 19:16:08.803820000 +0200
@@ -55,6 +55,7 @@
 extern "C" {
 #endif
 extern int TIFFPredictorInit(TIFF*);
+extern int TIFFPredictorCleanup(TIFF*);
 #if defined(__cplusplus)
 }
 #endif
diff -uNr -r tiff-3.7.3-orig/libtiff/tif_zip.c tiff-3.7.3/libtiff/tif_zip.c
--- tiff-3.7.3-orig/libtiff/tif_zip.c 2004-10-02 15:52:29.000000000 +0200
+++ tiff-3.7.3/libtiff/tif_zip.c 2006-05-09 19:16:08.803820000 +0200
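Review bot: TIFFPredictorCleanup always returns 1 and all three callers in this patch discard it with `(void)`, so the `int` return carries no information; make it `void`, or document what a non-1 result would mean. The function and its new prototype in tif_predict.h also lack any comment, and one is needed because the body unconditionally overwrites `vgetfield`, `vsetfield`, `printdir`, `tif_setupdecode` and `tif_setupencode` with values presumably saved by TIFFPredictorInit, which is only correct when nothing has been layered on top of the predictor since and when the codec restores its own parents afterwards, as the ZIPCleanup and tif_pixarlog.c hunks do. Suggested header for both the definition and the declaration: `/* Undo TIFFPredictorInit: restore the tag and setup methods it replaced. Call from the codec's cleanup before the codec restores its own parent handlers. */`.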
@@ -249,7 +249,14 @@
 ZIPCleanup(TIFF* tif)
 {
 ZIPState* sp = ZState(tif);
- if (sp) {
+
+ assert(sp != 0);
+
+ (void)TIFFPredictorCleanup(tif);
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
 if (sp->state&ZSTATE_INIT) {
 /* NB: avoid problems in the library */
 if (tif->tif_mode == O_RDONLY)
@@ -259,7 +266,6 @@
 }
 _TIFFfree(sp);
 tif->tif_data = NULL;
- }
 }
 static int