diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 4d93deb84bb599243913f0c65b93b010550a64b7..00308b932c3be8698706d40f302729c62a003e34 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
-pkgver=4.3.0
+pkgver=4.4.0
pkgrel=0
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="https://gitlab.com/libtiff/libtiff"
@@ -12,21 +12,14 @@ depends_dev="zlib-dev libjpeg-turbo-dev"
makedepends="libtool autoconf automake $depends_dev"
checkdepends="diffutils"
subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx"
-source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.tar.gz
- CVE-2018-12900.patch
- CVE-2022-0561.patch
- CVE-2022-0562.patch
- CVE-2022-0865.patch
- CVE-2022-0891.patch
- CVE-2022-0907.patch
- CVE-2022-0908.patch
- CVE-2022-0909.patch
- CVE-2022-0924.patch
- CVE-2022-22844.patch
- "
+source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.tar.gz"
builddir="$srcdir/libtiff-v$pkgver"
# secfixes:
+# 4.4.0-r0:
+# - CVE-2022-2867
+# - CVE-2022-2868
+# - CVE-2022-2869
# 4.3.0-r0:
# - CVE-2022-0561
# - CVE-2022-0562
@@ -125,15 +118,5 @@ tools() {
}
sha512sums="
-eaa2503dc1805283e0590b06e3e660a793fe849ae8b975b2d69369695d65a40640787c156574faaca856917be799eeb844e60f55555e1f219dd513cef66ea95d libtiff-v4.3.0.tar.gz
-c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch
-a1a11110f74ab4ee5468aae51962bea48a2bcbd51c9cb75dbb4e277cec394afab644906eb3b3b6fb95f413821a4799c227f986b720c383b8553dea67a92236a0 CVE-2022-0561.patch
-d2decdafd32a2a41001a263c6da5f538538286d54e5072afb2a3d281ca7815ac0e78f5ab9a72e10b28fe9960819038fc6cff6419e2ac7982aea6199012d3ae80 CVE-2022-0562.patch
-e8eb613809909e463fb8b401f295c56f41a8f8aabe0acea2f14e52ab42f90c62b7eee5c6fedfdce0f6c15c093dd2f11e34af1b23491782716254832d353fbc75 CVE-2022-0865.patch
-516fb18524a6d0320000515daeadc2a0272aaf409e158c67fec49ba6704abcaed6f9a73c6e8e3ec13c6e0ff7a952bd36e8187dcdda5cd3931f2ffcaede33fc46 CVE-2022-0891.patch
-1b7168bf339b31fd2b532ccdd99dd25787ed71220ef6db3f1206e618f7150f095dee8aed7bb84fa4af304bb5bc1914e800c03c88e5c03385943fd6c41d3e82da CVE-2022-0907.patch
-2feea03d8493d5fef3815ecf3ad52df2aef0db7def8832531f3d1e6e59df548729a51259f3a06a9b017219fffd37d541e06964bb3622a01b47d3e4408cd3850f CVE-2022-0908.patch
-d415ef9dd5292e7bbb1da76dfa11ecbe149d0c5039afc5134e2afae72ae264bcdd8417c96051c61fad6635d0530b9c5cd2e2ef30458baa3d0dce59b3489baf8f CVE-2022-0909.patch
-78fcddd4e254178349971629bccc25be451f2b6d816c0ed063fad034060814c9f97c04904ff58f1923b7ae1c6c4d00d86ba2c8cf950e864f3bc8ead871a3ff45 CVE-2022-0924.patch
-d22f8486e5166a9e0a3ddae910972001aa806baef7619f7b6aaba219f850faf5144bb2cc6668090646cf9d849fdd4217ff5f542746184aa1cd1d21078e33f579 CVE-2022-22844.patch
+93955a2b802cf243e41d49048499da73862b5d3ffc005e3eddf0bf948a8bd1537f7c9e7f112e72d082549b4c49e256b9da9a3b6d8039ad8fc5c09a941b7e75d7 libtiff-v4.4.0.tar.gz
"
diff --git a/main/tiff/CVE-2018-12900.patch b/main/tiff/CVE-2018-12900.patch
deleted file mode 100644
index f95cd06a523ff5fd28ecf91c03076af67a3c0b4c..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2018-12900.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 86861b86f26be5301ccfa96f9bf765051f4e644a Mon Sep 17 00:00:00 2001
-From: pgajdos <pgajdos@suse.cz>
-Date: Tue, 13 Nov 2018 09:03:31 +0100
-Subject: [PATCH] prevent integer overflow
-
----
- tools/tiffcp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 2f406e2d..ece7ba13 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -1435,6 +1435,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- status = 0;
- goto done;
- }
-+ if (0xFFFFFFFF / tilew < spp)
-+ {
-+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps);
-+ status = 0;
-+ goto done;
-+ }
- bytes_per_sample = bps/8;
-
- for (row = 0; row < imagelength; row += tl) {
---
-2.18.1
-
diff --git a/main/tiff/CVE-2022-0561.patch b/main/tiff/CVE-2022-0561.patch
deleted file mode 100644
index 7bda47c46eb0627c2605a331326f0303dce18cc6..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-0561.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 6 Feb 2022 13:08:38 +0100
-Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
- source pointer and size of zero (fixes #362)
-
----
- libtiff/tif_dirread.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 23194ced..50ebf8ac 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
- _TIFFfree(data);
- return(0);
- }
-- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
-- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
-+ if( dir->tdir_count )
-+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
-+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
- _TIFFfree(data);
- data=resizeddata;
- }
---
-GitLab
-
diff --git a/main/tiff/CVE-2022-0562.patch b/main/tiff/CVE-2022-0562.patch
deleted file mode 100644
index 906b641aac055b119e53c2c24d4c14489d6b2c36..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-0562.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 5 Feb 2022 20:36:41 +0100
-Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
- source pointer and size of zero (fixes #362)
-
----
- libtiff/tif_dirread.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 2bbc4585..23194ced 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
- goto bad;
- }
-
-- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
-+ if (old_extrasamples > 0)
-+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
- _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
- _TIFFfree(new_sampleinfo);
- }
---
-GitLab
-
diff --git a/main/tiff/CVE-2022-0865.patch b/main/tiff/CVE-2022-0865.patch
deleted file mode 100644
index bcb339974f2b62ba67f9a05853534728821b29b0..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-0865.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 24 Feb 2022 22:26:02 +0100
-Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
- in memory-mapped mode and when bit reversal is needed (fixes #385)
-
----
- libtiff/tif_jbig.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
-index 74086338..8bfa4cef 100644
---- a/libtiff/tif_jbig.c
-+++ b/libtiff/tif_jbig.c
-@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
- */
- tif->tif_flags |= TIFF_NOBITREV;
- tif->tif_flags &= ~TIFF_MAPPED;
-+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
-+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
-+ * value to be consistent with the state of a non-memory mapped file.
-+ */
-+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
-+ tif->tif_rawdata = NULL;
-+ tif->tif_rawdatasize = 0;
-+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
-+ tif->tif_flags |= TIFF_MYBUFFER;
-+ }
-
- /* Setup the function pointers for encode, decode, and cleanup. */
- tif->tif_setupdecode = JBIGSetupDecode;
---
-GitLab
-
diff --git a/main/tiff/CVE-2022-0891.patch b/main/tiff/CVE-2022-0891.patch
deleted file mode 100644
index d038d0450d54c986a125c7fc740a5b85cb4460a8..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-0891.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001
-From: Su Laus <sulau@freenet.de>
-Date: Tue, 8 Mar 2022 17:02:44 +0000
-Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
- extractImageSection
-
----
- tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
- 1 file changed, 36 insertions(+), 56 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index f2e5474a..e62bcc71 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -105,8 +105,8 @@
- * of messages to monitor progress without enabling dump logs.
- */
-
--static char tiffcrop_version_id[] = "2.4";
--static char tiffcrop_rev_date[] = "12-13-2010";
-+static char tiffcrop_version_id[] = "2.4.1";
-+static char tiffcrop_rev_date[] = "03-03-2010";
-
- #include "tif_config.h"
- #include "libport.h"
-@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #ifdef DEVELMODE
- uint32_t img_length;
- #endif
-- uint32_t j, shift1, shift2, trailing_bits;
-+ uint32_t j, shift1, trailing_bits;
- uint32_t row, first_row, last_row, first_col, last_col;
- uint32_t src_offset, dst_offset, row_offset, col_offset;
-- uint32_t offset1, offset2, full_bytes;
-+ uint32_t offset1, full_bytes;
- uint32_t sect_width;
- #ifdef DEVELMODE
- uint32_t sect_length;
-@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #ifdef DEVELMODE
- int k;
- unsigned char bitset;
-- static char *bitarray = NULL;
- #endif
-
- img_width = image->width;
-@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- dst_offset = 0;
-
- #ifdef DEVELMODE
-- if (bitarray == NULL)
-- {
-- if ((bitarray = (char *)malloc(img_width)) == NULL)
-- {
-- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
-- return (-1);
-- }
-- }
-+ char bitarray[39];
- #endif
-
-- /* rows, columns, width, length are expressed in pixels */
-+ /* rows, columns, width, length are expressed in pixels
-+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
-+ * last_col shall be also extracted. */
- first_row = section->y1;
- last_row = section->y2;
- first_col = section->x1;
-@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #ifdef DEVELMODE
- sect_length = last_row - first_row + 1;
- #endif
-- img_rowsize = ((img_width * bps + 7) / 8) * spp;
-- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
-- trailing_bits = (sect_width * bps) % 8;
-+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
-+ * samples rather than separate planes so the same logic works to extract regions
-+ * regardless of the way the data are organized in the input file.
-+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
-+ */
-+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
-+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
-+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
-
- #ifdef DEVELMODE
- TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
-@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
-
- if ((bps % 8) == 0)
- {
-- col_offset = first_col * spp * bps / 8;
-+ col_offset = (first_col * spp * bps) / 8;
- for (row = first_row; row <= last_row; row++)
- {
-- /* row_offset = row * img_width * spp * bps / 8; */
- row_offset = row * img_rowsize;
- src_offset = row_offset + col_offset;
-
-@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- }
- else
- { /* bps != 8 */
-- shift1 = spp * ((first_col * bps) % 8);
-- shift2 = spp * ((last_col * bps) % 8);
-+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
- for (row = first_row; row <= last_row; row++)
- {
- /* pull out the first byte */
- row_offset = row * img_rowsize;
-- offset1 = row_offset + (first_col * bps / 8);
-- offset2 = row_offset + (last_col * bps / 8);
-+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
-
- #ifdef DEVELMODE
- for (j = 0, k = 7; j < 8; j++, k--)
-@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- sprintf(&bitarray[9], " ");
- for (j = 10, k = 7; j < 18; j++, k--)
- {
-- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
-+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
- sprintf(&bitarray[j], (bitset) ? "1" : "0");
- }
- bitarray[18] = '\0';
-- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
-- row, offset1, shift1, offset2, shift2);
-+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
-+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
- #endif
-
- bytebuff1 = bytebuff2 = 0;
-@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
-
- if (trailing_bits != 0)
- {
-- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
-+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
-+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
- sect_buff[dst_offset] = bytebuff2;
- #ifdef DEVELMODE
- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
-- offset2, dst_offset);
-+ offset1 + full_bytes, dst_offset);
- for (j = 30, k = 7; j < 38; j++, k--)
- {
- bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
-@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #endif
- for (j = 0; j <= full_bytes; j++)
- {
-- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
-- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
-+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
-+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
-+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
-+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
- sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
- }
- #ifdef DEVELMODE
-@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
- #endif
- dst_offset += full_bytes;
-
-+ /* Copy the trailing_bits for the last byte in the destination buffer.
-+ Could come from one ore two bytes of the source buffer. */
- if (trailing_bits != 0)
- {
- #ifdef DEVELMODE
-- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
--#endif
-- if (shift2 > shift1)
-- {
-- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
-- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
-- sect_buff[dst_offset] = bytebuff2;
--#ifdef DEVELMODE
-- TIFFError ("", " Shift2 > Shift1\n");
-+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
- #endif
-+ /* More than necessary bits are already copied into last destination buffer,
-+ * only masking of last byte in destination buffer is necessary.*/
-+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
- }
-- else
-- {
-- if (shift2 < shift1)
-- {
-- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
-- sect_buff[dst_offset] &= bytebuff2;
--#ifdef DEVELMODE
-- TIFFError ("", " Shift2 < Shift1\n");
--#endif
-- }
--#ifdef DEVELMODE
-- else
-- TIFFError ("", " Shift2 == Shift1\n");
--#endif
-- }
-- }
- #ifdef DEVELMODE
- sprintf(&bitarray[28], " ");
- sprintf(&bitarray[29], " ");
-@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
- width = sections[i].x2 - sections[i].x1 + 1;
- length = sections[i].y2 - sections[i].y1 + 1;
- sectsize = (uint32_t)
-- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
-+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
- /* allocate a buffer if we don't have one already */
- if (createImageSection(sectsize, sect_buff_ptr))
- {
---
-GitLab
-
diff --git a/main/tiff/CVE-2022-0907.patch b/main/tiff/CVE-2022-0907.patch
deleted file mode 100644
index 9f6e087b9d826afaae7640cb79953972da9bc81f..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-0907.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001
-From: Augustus <wangdw.augustus@qq.com>
-Date: Mon, 7 Mar 2022 18:21:49 +0800
-Subject: [PATCH] add checks for return value of limitMalloc (#392)
-
----
- tools/tiffcrop.c | 33 +++++++++++++++++++++------------
- 1 file changed, 21 insertions(+), 12 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index f2e5474a..9b8acc7e 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -7406,7 +7406,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
- if (!sect_buff)
- {
- sect_buff = (unsigned char *)limitMalloc(sectsize);
-- *sect_buff_ptr = sect_buff;
-+ if (!sect_buff)
-+ {
-+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
-+ return (-1);
-+ }
- _TIFFmemset(sect_buff, 0, sectsize);
- }
- else
-@@ -7422,15 +7426,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
- else
- sect_buff = new_buff;
-
-+ if (!sect_buff)
-+ {
-+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
-+ return (-1);
-+ }
- _TIFFmemset(sect_buff, 0, sectsize);
- }
- }
-
-- if (!sect_buff)
-- {
-- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
-- return (-1);
-- }
- prev_sectsize = sectsize;
- *sect_buff_ptr = sect_buff;
-
-@@ -7697,7 +7701,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
- if (!crop_buff)
- {
- crop_buff = (unsigned char *)limitMalloc(cropsize);
-- *crop_buff_ptr = crop_buff;
-+ if (!crop_buff)
-+ {
-+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
-+ return (-1);
-+ }
- _TIFFmemset(crop_buff, 0, cropsize);
- prev_cropsize = cropsize;
- }
-@@ -7713,15 +7721,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
- }
- else
- crop_buff = new_buff;
-+ if (!crop_buff)
-+ {
-+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
-+ return (-1);
-+ }
- _TIFFmemset(crop_buff, 0, cropsize);
- }
- }
-
-- if (!crop_buff)
-- {
-- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
-- return (-1);
-- }
- *crop_buff_ptr = crop_buff;
-
- if (crop->crop_mode & CROP_INVERT)
-@@ -9280,3 +9288,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
- * fill-column: 78
- * End:
- */
-+
---
-GitLab
-
diff --git a/main/tiff/CVE-2022-0908.patch b/main/tiff/CVE-2022-0908.patch
deleted file mode 100644
index 36b485836290e6ef6ac7f5a8513e95f7b92b6834..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-0908.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 17 Feb 2022 15:28:43 +0100
-Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
- source pointer and size of zero (fixes #383)
-
----
- libtiff/tif_dirread.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 50ebf8ac..2ec44a4f 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -5091,7 +5091,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
- _TIFFfree(data);
- return(0);
- }
-- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
-+ if (dp->tdir_count > 0 )
-+ {
-+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
-+ }
- o[(uint32_t)dp->tdir_count]=0;
- if (data!=0)
- _TIFFfree(data);
---
-GitLab
-
diff --git a/main/tiff/CVE-2022-0909.patch b/main/tiff/CVE-2022-0909.patch
deleted file mode 100644
index 67dfeaeea24645310992d680880284c678a5c0b5..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-0909.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Tue, 8 Mar 2022 16:22:04 +0000
-Subject: [PATCH] fix the FPE in tiffcrop (#393)
-
----
- libtiff/tif_dir.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 57055ca9..59b346ca 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -333,13 +333,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
- break;
- case TIFFTAG_XRESOLUTION:
- dblval = va_arg(ap, double);
-- if( dblval < 0 )
-+ if( dblval != dblval || dblval < 0 )
- goto badvaluedouble;
- td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
- break;
- case TIFFTAG_YRESOLUTION:
- dblval = va_arg(ap, double);
-- if( dblval < 0 )
-+ if( dblval != dblval || dblval < 0 )
- goto badvaluedouble;
- td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
- break;
---
-GitLab
-
diff --git a/main/tiff/CVE-2022-0924.patch b/main/tiff/CVE-2022-0924.patch
deleted file mode 100644
index f6cf2351d1aebf5789970491dfb3b2299b23b5ab..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-0924.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Thu, 10 Mar 2022 08:48:00 +0000
-Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
-
----
- tools/tiffcp.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 224583e0..aa32b118 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -1667,12 +1667,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
- tdata_t obuf;
- tstrip_t strip = 0;
- tsample_t s;
-+ uint16_t bps = 0, bytes_per_sample;
-
- obuf = limitMalloc(stripsize);
- if (obuf == NULL)
- return (0);
- _TIFFmemset(obuf, 0, stripsize);
- (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
-+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
-+ if( bps == 0 )
-+ {
-+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
-+ _TIFFfree(obuf);
-+ return 0;
-+ }
-+ if( (bps % 8) != 0 )
-+ {
-+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
-+ _TIFFfree(obuf);
-+ return 0;
-+ }
-+ bytes_per_sample = bps/8;
- for (s = 0; s < spp; s++) {
- uint32_t row;
- for (row = 0; row < imagelength; row += rowsperstrip) {
-@@ -1682,7 +1697,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
-
- cpContigBufToSeparateBuf(
- obuf, (uint8_t*) buf + row * rowsize + s,
-- nrows, imagewidth, 0, 0, spp, 1);
-+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
- if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
- TIFFError(TIFFFileName(out),
- "Error, can't write strip %"PRIu32,
---
-GitLab
-
diff --git a/main/tiff/CVE-2022-22844.patch b/main/tiff/CVE-2022-22844.patch
deleted file mode 100644
index b1f89b444ce78d3b4c2418fa0b1eda47d8a893b6..0000000000000000000000000000000000000000
--- a/main/tiff/CVE-2022-22844.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Tue, 25 Jan 2022 16:25:28 +0000
-Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
- count is required (fixes #355)
-
----
- tools/tiffset.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/tools/tiffset.c b/tools/tiffset.c
-index 8c9e23c5..e7a88c09 100644
---- a/tools/tiffset.c
-+++ b/tools/tiffset.c
-@@ -146,9 +146,19 @@ main(int argc, char* argv[])
-
- arg_index++;
- if (TIFFFieldDataType(fip) == TIFF_ASCII) {
-- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
-- fprintf( stderr, "Failed to set %s=%s\n",
-- TIFFFieldName(fip), argv[arg_index] );
-+ if(TIFFFieldPassCount( fip )) {
-+ size_t len;
-+ len = strlen(argv[arg_index]) + 1;
-+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
-+ (uint16_t)len, argv[arg_index]) != 1)
-+ fprintf( stderr, "Failed to set %s=%s\n",
-+ TIFFFieldName(fip), argv[arg_index] );
-+ } else {
-+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
-+ argv[arg_index]) != 1)
-+ fprintf( stderr, "Failed to set %s=%s\n",
-+ TIFFFieldName(fip), argv[arg_index] );
-+ }
- } else if (TIFFFieldWriteCount(fip) > 0
- || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
- int ret = 1;
---
-GitLab
-