[PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.

Status: Done
Participants: Kei Kebreau, Leo Famulari
Owner: unassigned
Submitted by: Kei Kebreau
Severity: normal

Kei Kebreau wrote 8 years ago
To: guix-patches@gnu.org, Kei Kebreau <kei@openmailbox.org>
Message-ID: <20170506144557.28785-1-kei@openmailbox.org>
* gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
* gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
* gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[source]: Use them.
---
gnu/local.mk | 3 +
gnu/packages/image.scm | 7 +-
gnu/packages/patches/libtiff-CVE-2017-7593.patch | 113 ++++++
gnu/packages/patches/libtiff-CVE-2017-7594.patch | 54 +++
.../patches/libtiff-multiple-UBSAN-crashes.patch | 449 +++++++++++++++++++++
5 files changed, 624 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7593.patch
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7594.patch
create mode 100644 gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c93dca64c..d983d62fd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -739,6 +739,9 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-CVE-2016-10093.patch \
%D%/packages/patches/libtiff-CVE-2016-10094.patch \
%D%/packages/patches/libtiff-CVE-2017-5225.patch \
+ %D%/packages/patches/libtiff-CVE-2017-7593.patch \
+ %D%/packages/patches/libtiff-CVE-2017-7594.patch \
+ %D%/packages/patches/libtiff-multiple-UBSAN-crashes.patch \
%D%/packages/patches/libtiff-assertion-failure.patch \
%D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \
%D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \
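Review bot: libtiff-multiple-UBSAN-crashes.patch is inserted between libtiff-CVE-2017-7594.patch and libtiff-assertion-failure.patch, which breaks the sorted order of dist_patch_DATA (the surrounding entries run CVE-… first, then assertion-failure, then divide-by-zero-…); move it after the libtiff-divide-by-zero-*.patch entries. Since that file also fixes eight CVEs, consider carrying the identifiers in its name, as the libsndfile-CVE-2017-8361-8363-8365.patch example quoted later in this thread does, so the fixed CVEs can be read off the patch list.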
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 2027395ca..a8cc837d5 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
;;;
;;; This file is part of GNU Guix.
@@ -319,7 +319,10 @@ extracting icontainer icon files.")
"libtiff-divide-by-zero-tiffcp.patch"
"libtiff-assertion-failure.patch"
"libtiff-CVE-2016-10094.patch"
- "libtiff-CVE-2017-5225.patch"))
+ "libtiff-CVE-2017-5225.patch"
+ "libtiff-CVE-2017-7593.patch"
+ "libtiff-CVE-2017-7594.patch"
+ "libtiff-multiple-UBSAN-crashes.patch"))
(sha256
(base32
"06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
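Review bot: appending the patches to the source of libtiff itself changes libtiff's derivation and therefore rebuilds every dependent (around 2000 packages, as the reply below points out); add them on a replacement package instead, with (origin (inherit (package-source libtiff)) (patches (append (origin-patches (package-source libtiff)) (search-patches ...)))), and set libtiff's replacement field to it. The sha256 line can stay exactly as it is in either case, since it covers the tarball and not the patch list.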
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7593.patch b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
new file mode 100644
index 000000000..496efb73b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
@@ -0,0 +1,113 @@
+Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawdata):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593
+https://security-tracker.debian.org/tracker/CVE-2017-7593
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+ _TIFFcalloc()
+
+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+ initialize tif_rawdata.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1208; previous revision: 1.1207
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
+new revision: 1.53; previous revision: 1.52
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v <-- libtiff/tif_unix.c
+new revision: 1.28; previous revision: 1.27
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v <-- libtiff/tif_vms.c
+new revision: 1.14; previous revision: 1.13
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v <-- libtiff/tif_win32.c
+new revision: 1.42; previous revision: 1.41
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v <-- libtiff/tiffio.h
+new revision: 1.94; previous revision: 1.93
+
+diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h
+--- tiff-4.0.7/libtiff/tiffio.h 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tiffio.h 2017-05-05 19:08:03.772999790 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -293,6 +293,7 @@
+ */
+
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
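Review bot: the ChangeLog text at the top of this file says _TIFFcalloc() was added to tif_unix.c, tif_win32.c and tif_vms.c, but only tif_unix.c and tif_win32.c appear in the hunks that follow; that is fine for Guix, which builds with tif_unix.c, but say in the header that the tif_vms.c part was dropped so nobody hunts for a missing hunk when refreshing this patch against a newer upstream release.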
+diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c
+--- tiff-4.0.7/libtiff/tif_read.c 2017-05-05 19:04:09.740966642 -0400
++++ tiff-4.0.7.new/libtiff/tif_read.c 2017-05-05 18:59:11.070709441 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
++/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -976,7 +976,9 @@
+ "Invalid buffer size");
+ return (0);
+ }
+- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++ /* Initialize to zero to avoid uninitialized buffers in case of */
++ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
+ if (tif->tif_rawdata == NULL) {
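Review bot: _TIFFcalloc() returns NULL when tif_rawdatasize is 0 (see its definition in the tif_unix.c hunk below), which the `if (tif->tif_rawdata == NULL)` check in the trailing context turns into the existing allocation-failure path, so the error paths keep their behaviour and the only functional change is that a short read now leaves zeroed bytes instead of stale heap contents in tif_rawdata. The 1-element, size-n form of the call is the right one here: it keeps calloc's overflow-checked multiplication without changing the allocation size.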
+diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c
+--- tiff-4.0.7/libtiff/tif_unix.c 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_unix.c 2017-05-05 19:10:48.302645187 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */
++/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -316,6 +316,14 @@
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32.c
+--- tiff-4.0.7/libtiff/tif_win32.c 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_win32.c 2017-05-05 19:13:06.903399627 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */
++/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -360,6 +360,14 @@
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7594.patch b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
new file mode 100644
index 000000000..d17997d44
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
@@ -0,0 +1,54 @@
+Fixes CVE-2017-7594 (Direct leak in tif_ojpeg.c):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2659
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7594
+https://security-tracker.debian.org/tracker/CVE-2017-7594
+
+2017-01-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
+ when read fails.
+ Patch by Nicolás Peña.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1212; previous revision: 1.1211
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
+new revision: 1.67; previous revision: 1.66
+
+Index: libtiff/libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.67
+retrieving revision 1.68
+diff -u -r1.67 -r1.68
+--- libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 17:43:26 -0000 1.67
++++ libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 19:23:20 -0000 1.68
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.68 2017-01-12 19:23:20 erouault Exp $ */
+
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
+ specification is now totally obsolete and deprecated for new applications and
+@@ -1790,7 +1790,10 @@
+ TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
+ p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+ if (p!=64)
++ {
++ _TIFFfree(ob);
+ return(0);
++ }
+ sp->qtable[m]=ob;
+ sp->sof_tq[m]=m;
+ }
+@@ -1854,7 +1857,10 @@
+ rb[sizeof(uint32)+5+n]=o[n];
+ p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ if (p!=q)
++ {
++ _TIFFfree(rb);
+ return(0);
++ }
+ sp->dctable[m]=rb;
+ sp->sos_tda[m]=(m<<4);
+ }
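Review bot: the header quotes the ChangeLog entry for OJPEGReadHeaderInfoSecTablesAcTable, yet the two hunks free the buffer on the Q-table path (sp->qtable[m]=ob) and the DC-table path (sp->dctable[m]=rb); the AC-table read path named in that entry is not touched here. Either the same _TIFFfree() on short read is still missing there, or the header cites the wrong upstream entry. The revision numbers disagree as well: the ChangeLog says tif_ojpeg.c went 1.66 to 1.67 while the diff is -r1.67 -r1.68. Please check which upstream commit(s) the hunks were taken from and make the header match.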
diff --git a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
new file mode 100644
index 000000000..2f4509f38
--- /dev/null
+++ b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
@@ -0,0 +1,449 @@
+Fixes CVE-2017-{7595,7596,7597,7598,7599,7600,7601,7602}:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7595
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7596
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7597
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7598
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7599
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7600
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7601
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7602
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various
+ clampings
+ of double to other data types to avoid undefined behaviour if the
+ output range
+ isn't big enough to hold the input value.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
+ http://bugzilla.maptools.org/show_bug.cgi?id=2642
+ http://bugzilla.maptools.org/show_bug.cgi?id=2646
+ http://bugzilla.maptools.org/show_bug.cgi?id=2647
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1204; previous revision: 1.1203
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c
+new revision: 1.129; previous revision: 1.128
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
+new revision: 1.207; previous revision: 1.206
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- libtiff/tif_dirwrite.c
+new revision: 1.85; previous revision: 1.84
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: avoid division by floating point 0 in
+ TIFFReadDirEntryCheckedRational() and
+ TIFFReadDirEntryCheckedSrational(),
+ and return 0 in that case (instead of infinity as before presumably)
+ Apparently some sanitizers do not like those divisions by zero.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1203; previous revision: 1.1202
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
+new revision: 1.206; previous revision: 1.205
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to
+ avoid undefined behaviour caused by invalid shift exponent.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1205; previous revision: 1.1204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v <-- libtiff/tif_jpeg.c
+new revision: 1.126; previous revision: 1.125
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: avoid potential undefined behaviour on signed
+ integer addition in TIFFReadRawStrip1() in isMapped() case.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1206; previous revision: 1.1205
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
+new revision: 1.51; previous revision: 1.50
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -u -r1.128 -r1.129
+--- libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128
++++ libtiff/libtiff/tif_dir.c 11 Jan 2017 16:09:02 -0000 1.129
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.129 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -31,6 +31,7 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ /*
+ * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@
+ return (0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
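Review bot: TIFFClampDoubleToFloat() lets NaN through, since both comparisons are false for NaN and the function falls back to (float)val; that conversion is defined, so it is not UB, but the XRESOLUTION/YRESOLUTION check `if( dblval < 0 ) goto badvaluedouble;` in the next hunk does not reject NaN either, so a NaN resolution is stored silently. If that is unwanted, add `val != val` handling as the integer clamp helpers in tif_dirwrite.c do.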
+@@ -312,13 +322,13 @@
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_xresolution = (float) dblval;
++ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_yresolution = (float) dblval;
++ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@
+ td->td_planarconfig = (uint16) v;
+ break;
+ case TIFFTAG_XPOSITION:
+- td->td_xposition = (float) va_arg(ap, double);
++ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_YPOSITION:
+- td->td_yposition = (float) va_arg(ap, double);
++ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_RESOLUTIONUNIT:
+ v = (uint16) va_arg(ap, uint16_vap);
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.206
+retrieving revision 1.207
+diff -u -r1.206 -r1.207
+--- libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206
++++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 16:09:02 -0000 1.207
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.207 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -40,6 +40,7 @@
+ */
+
+ #include "tiffiop.h"
++#include <float.h>
+
+ #define IGNORE 0 /* tag placeholder used below */
+ #define FAILED_FII ((uint32) -1)
+@@ -2406,7 +2407,14 @@
+ ma=(double*)origdata;
+ mb=data;
+ for (n=0; n<count; n++)
+- *mb++=(float)(*ma++);
++ {
++ double val = *ma++;
++ if( val > FLT_MAX )
++ val = FLT_MAX;
++ else if( val < -FLT_MAX )
++ val = -FLT_MAX;
++ *mb++=(float)val;
++ }
+ }
+ break;
+ }
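Review bot: the header lists two tif_dirread.c revisions (1.205 to 1.206, the division-by-zero fix for bug 2644 in TIFFReadDirEntryCheckedRational/Srational, and 1.206 to 1.207, the clamping), but the only tif_dirread.c diff here is -r1.206 -r1.207 and contains just the clamping loop; the $Id line on the minus side still reads 1.205, so the base of this diff is not the revision the header claims. Either add the 2644 change or drop that entry from the description. The loop also open-codes what TIFFClampDoubleToFloat() does in tif_dir.c; a shared static inline in tiffiop.h would avoid a third copy.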
+Index: libtiff/libtiff/tif_dirwrite.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v
+retrieving revision 1.84
+retrieving revision 1.85
+diff -u -r1.84 -r1.85
+--- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 12:51:59 -0000 1.84
++++ libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -30,6 +30,7 @@
+ * Directory Write Support Routines.
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@
+ return(0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++ if( val > 127 )
++ return 127;
++ if( val < -128 || val != val )
++ return -128;
++ return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++ if( val > 32767 )
++ return 32767;
++ if( val < -32768 || val != val )
++ return -32768;
++ return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++ if( val > 0x7FFFFFFF )
++ return 0x7FFFFFFF;
++ if( val < -0x7FFFFFFF-1 || val != val )
++ return -0x7FFFFFFF-1;
++ return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 255 || val != val )
++ return 255;
++ return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 65535 || val != val )
++ return 65535;
++ return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
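Review bot: TIFFClampDoubleToFloat() here is a verbatim copy of the one added to tif_dir.c in this same patch, and the same logic is inlined in tif_dirread.c; one definition in tiffiop.h would replace all three. The integer helpers treat NaN (`val != val`) as the minimum for signed types and the maximum for unsigned types, while the float helper passes NaN through, so the two families behave differently on the same input; either document that or make them consistent. The bounds 0x7FFFFFFF, -0x7FFFFFFF-1 and 0xFFFFFFFFU are all exactly representable as double, so the comparisons themselves are sound.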
+@@ -959,7 +1023,7 @@
+ if (tif->tif_dir.td_bitspersample<=32)
+ {
+ for (i = 0; i < count; ++i)
+- ((float*)conv)[i] = (float)value[i];
++ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+ }
+ else
+@@ -971,19 +1035,19 @@
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((int8*)conv)[i] = (int8)value[i];
++ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+ ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((int16*)conv)[i] = (int16)value[i];
++ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+ ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((int32*)conv)[i] = (int32)value[i];
++ ((int32*)conv)[i
This message was truncated.
Leo Famulari wrote 8 years ago
Re: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
To: Kei Kebreau <kei@openmailbox.org>, 26804@debbugs.gnu.org
Message-ID: <20170506185450.GB22485@jasmine>
On Sat, May 06, 2017 at 10:45:57AM -0400, Kei Kebreau wrote:
> * gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
> * gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
> * gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/image.scm (libtiff)[source]: Use them.

Thank you!

This change should be grafted, since ~2000 packages will be affected.

There's a recent example of appending patches in a replacement package:

+ (source
+ (origin
+ (inherit (package-source libsndfile))
+ (patches
+ (append
+ (origin-patches (package-source libsndfile))
+ (search-patches "libsndfile-CVE-2017-8361-8363-8365.patch"
+ "libsndfile-CVE-2017-8362.patch")))))))

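
The graft Leo describes, written out as a complete package definition. This is an added example, not the patch in this thread and not the libtiff definition that was eventually pushed to Guix; it assumes the `libtiff` variable exported by (gnu packages image) and the three patch files named in this thread, and the module name `(example libtiff-graft)` is made up for the example.

```scheme
;; Added example (not the patch on this page nor Guix's own libtiff
;; definition): applying the three patch files as a graft, so that the
;; ~2000 dependents of libtiff are not rebuilt.  Assumes the `libtiff'
;; variable from (gnu packages image) and that the patch files named in
;; this thread are present in gnu/packages/patches/.  The module name
;; below is hypothetical.
(define-module (example libtiff-graft)
  #:use-module (guix packages)         ; package, origin, origin-patches
  #:use-module (gnu packages)          ; search-patches
  #:use-module (gnu packages image))   ; libtiff

;; The grafted replacement: identical to libtiff except that the extra
;; patches are appended to the original origin's patch list.  The
;; tarball is unchanged, so the inherited origin keeps its sha256; only
;; the patch list differs.
(define-public libtiff/fixed
  (package
    (inherit libtiff)
    (source
     (origin
       (inherit (package-source libtiff))
       (patches
        (append
         (origin-patches (package-source libtiff))
         (search-patches "libtiff-CVE-2017-7593.patch"
                         "libtiff-CVE-2017-7594.patch"
                         "libtiff-multiple-UBSAN-crashes.patch")))))))

;; In the real package definition (gnu/packages/image.scm) the graft is
;; wired in by adding a `replacement' field to libtiff itself, i.e. the
;; package that users and dependents refer to:
;;
;;   (define-public libtiff
;;     (package
;;       (name "libtiff")
;;       ...
;;       (replacement libtiff/fixed)
;;       ...))
;;
;; The build farm then builds libtiff/fixed once and rewrites the
;; references in already-built dependents instead of rebuilding them.
```

With the `replacement` field in place, `guix build libtiff` yields the grafted output while `guix build --no-grafts libtiff` yields the unpatched one, so comparing the two store paths confirms the graft is applied without touching dependents. The `cve` checker of `guix lint` credits fixed CVEs from identifiers in patch file names, which is one more reason to put the CVE numbers into the name of the third patch rather than only into its header.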


Kei Kebreau wrote 8 years ago
Re: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
To: Leo Famulari <leo@famulari.name>, 26804@debbugs.gnu.org
Message-ID: <878tm9h6fc.fsf@openmailbox.org>
Leo Famulari <leo@famulari.name> writes:

> On Sat, May 06, 2017 at 10:45:57AM -0400, Kei Kebreau wrote:
>> * gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
>> * gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
>> * gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/image.scm (libtiff)[source]: Use them.
>
> Thank you!

Thanks for the tips you gave.

>
> This change should be grafted, since ~2000 packages will be affected.
>
> There's a recent example of appending patches in a replacement package:
>
> + (source
> + (origin
> + (inherit (package-source libsndfile))
> + (patches
> + (append
> + (origin-patches (package-source libsndfile))
> + (search-patches "libsndfile-CVE-2017-8361-8363-8365.patch"
> + "libsndfile-CVE-2017-8362.patch")))))))
>
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=1c4a500aae53b8cd33d1266eb3809b859ae2555d

So the attached patch would be okay to push to the master branch?

Leo Famulari wrote 8 years ago
Re: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
To: Kei Kebreau <kei@openmailbox.org>, 26804@debbugs.gnu.org
Message-ID: <20170507034151.GA28262@jasmine>
On Sat, May 06, 2017 at 08:11:35PM -0400, Kei Kebreau wrote:
> So the attached patch would be okay to push to the master branch?

Yes, after ...

> From fe8c0d5c5c4f7bbba7375dc28294a2efd0d2f85e Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Sat, 6 May 2017 10:45:57 -0400
> Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597,
> 7598, 7599, 7600, 7601, 7602}.

... putting the list of CVEs on its own line, and changing the title to
be shorter than 80 characters. Then please push :)


Kei Kebreau wrote 8 years ago
Re: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
To: Leo Famulari <leo@famulari.name>, 26804-done@debbugs.gnu.org
Message-ID: <874lwxgcgt.fsf@openmailbox.org>
Leo Famulari <leo@famulari.name> writes:

> On Sat, May 06, 2017 at 08:11:35PM -0400, Kei Kebreau wrote:
>> So the attached patch would be okay to push to the master branch?
>
> Yes, after ...
>
>> From fe8c0d5c5c4f7bbba7375dc28294a2efd0d2f85e Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei@openmailbox.org>
>> Date: Sat, 6 May 2017 10:45:57 -0400
>> Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597,
>> 7598, 7599, 7600, 7601, 7602}.
>
> ... putting the list of CVEs on its own line, and changing the title to
> be shorter than 80 characters. Then please push :)

Pushed with appropriate changes. Thanks for your time!
