
012-CVE-2013-1961.patch 32KB


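--- a/tiff-4.0.3/contrib/dbs/xtiff/xtiff.c
+++ b/tiff-4.0.3/contrib/dbs/xtiff/xtiff.c
@@ -512,9 +512,9 @@
 Arg args[1];
 if (tfMultiPage)
- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
 else
- strcpy(buffer, fileName);
+ snprintf(buffer, sizeof(buffer), "%s", fileName);
 XtSetArg(args[0], XtNlabel, buffer);
 XtSetValues(labelWidget, args, 1);
 }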
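--- a/tiff-4.0.3/libtiff/tif_dirinfo.c
+++ b/tiff-4.0.3/libtiff/tif_dirinfo.c
@@ -711,7 +711,7 @@
 * note that this name is a special sign to TIFFClose() and
 * _TIFFSetupFields() to free the field
 */
- sprintf(fld->field_name, "Tag %d", (int) tag);
+ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
 return fld;
 }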
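Review bot: The bound in `snprintf(fld->field_name, 32, "Tag %d", (int) tag);` is a bare literal that has to match the size of the field_name allocation, which is made outside this hunk. If field_name is a heap pointer, as the context comment about TIFFClose() freeing it suggests, `sizeof` cannot supply the size here, so a named constant shared by the allocation and this call would keep the two from drifting apart, e.g. `#define TIFF_ANON_FIELD_NAME_SIZE 32` (the name is only a suggestion). The enclosing function starts before the hunk, so the allocation size should be confirmed there.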
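--- a/tiff-4.0.3/libtiff/tif_codec.c
+++ b/tiff-4.0.3/libtiff/tif_codec.c
@@ -108,7 +108,8 @@
 const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
 char compression_code[20];
- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
+ snprintf(compression_code, sizeof(compression_code), "%d",
+ tif->tif_dir.td_compression );
 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
 "%s compression support is not configured",
 c ? c->name : compression_code );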
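--- a/tiff-4.0.3/tools/tiffdither.c
+++ b/tiff-4.0.3/tools/tiffdither.c
@@ -260,7 +260,7 @@
 TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
 else
 CopyField(TIFFTAG_FILLORDER, shortv);
- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
 TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
 CopyField(TIFFTAG_PHOTOMETRIC, shortv);
 CopyField(TIFFTAG_ORIENTATION, shortv);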
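--- a/tiff-4.0.3/tools/rgb2ycbcr.c
+++ b/tiff-4.0.3/tools/rgb2ycbcr.c
@@ -332,7 +332,8 @@
 TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
 { char buf[2048];
 char *cp = strrchr(TIFFFileName(in), '/');
- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
+ cp ? cp+1 : TIFFFileName(in));
 TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
 }
 TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());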
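--- a/tiff-4.0.3/tools/tiff2pdf.c
+++ b/tiff-4.0.3/tools/tiff2pdf.c
@@ -3630,7 +3630,9 @@
 char buffer[16];
 int buflen=0;
- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff);
+ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
+ t2p->pdf_majorversion&0xff,
+ t2p->pdf_minorversion&0xff);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
@@ -3644,10 +3646,10 @@
 tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){
 tsize_t written=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
- buflen=sprintf(buffer, "%lu", (unsigned long)number);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen );
 written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
@@ -3686,13 +3688,13 @@
 written += t2pWriteFile(output, (tdata_t) "/", 1);
 for (i=0;i<namelen;i++){
 if ( ((unsigned char)name[i]) < 0x21){
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 nextchar=1;
 }
 if ( ((unsigned char)name[i]) > 0x7E){
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 nextchar=1;
@@ -3700,57 +3702,57 @@
 if (nextchar==0){
 switch (name[i]){
 case 0x23:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x25:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x28:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x29:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x2F:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x3C:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x3E:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x5B:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x5D:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x7B:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
 case 0x7D:
- sprintf(buffer, "#%.2X", name[i]);
+ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
 buffer[sizeof(buffer) - 1] = '\0';
 written += t2pWriteFile(output, (tdata_t) buffer, 3);
 break;
@@ -3865,14 +3867,14 @@
 tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){
 tsize_t written=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
 written += t2pWriteFile(output, (tdata_t) "/Length ", 8);
 if(len!=0){
 written += t2p_write_pdf_stream_length(len, output);
 } else {
- buflen=sprintf(buffer, "%lu", (unsigned long)number);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
 }
@@ -3913,10 +3915,10 @@
 tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){
 tsize_t written=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
- buflen=sprintf(buffer, "%lu", (unsigned long)len);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "\n", 1);
@@ -3930,7 +3932,7 @@
 tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output)
 {
 tsize_t written = 0;
- char buffer[16];
+ char buffer[32];
 int buflen = 0;
 written += t2pWriteFile(output,
@@ -3969,7 +3971,6 @@
 written += t2p_write_pdf_string(t2p->pdf_datetime, output);
 }
 written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11);
- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer));
 snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION);
 written += t2p_write_pdf_string(buffer, output);
 written += t2pWriteFile(output, (tdata_t) "\n", 1);
@@ -4110,7 +4111,7 @@
 {
 tsize_t written=0;
 tdir_t i=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
 int page=0;
@@ -4118,7 +4119,7 @@
 (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26);
 page = t2p->pdf_pages+1;
 for (i=0;i<t2p->tiff_pagecount;i++){
- buflen=sprintf(buffer, "%d", page);
+ buflen=snprintf(buffer, sizeof(buffer), "%d", page);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
 if ( ((i+1)%8)==0 ) {
@@ -4133,8 +4134,7 @@
 }
 }
 written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount);
+ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
@@ -4149,28 +4149,28 @@
 unsigned int i=0;
 tsize_t written=0;
- char buffer[16];
+ char buffer[256];
 int buflen=0;
 written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
 written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);
+ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "] \n", 3);
 written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1));
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
 written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
@@ -4178,15 +4178,13 @@
 written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
 for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
 written += t2pWriteFile(output, (tdata_t) "/Im", 3);
- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "_", 1);
- buflen = sprintf(buffer, "%u", i+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4198,12 +4196,10 @@
 } else {
 written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
 written += t2pWriteFile(output, (tdata_t) "/Im", 3);
- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " ", 1);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4212,9 +4208,7 @@
 if(t2p->tiff_transferfunctioncount != 0) {
 written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13);
 t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
- buflen = sprintf(
- buffer,
- "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)(object + 3));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4587,7 +4581,7 @@
 if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){
 for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){
 box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box;
- buflen=sprintf(buffer,
+ buflen=snprintf(buffer, sizeof(buffer),
 "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n",
 t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
 box.mat[0],
@@ -4602,7 +4596,7 @@
 }
 } else {
 box=t2p->pdf_imagebox;
- buflen=sprintf(buffer,
+ buflen=snprintf(buffer, sizeof(buffer),
 "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n",
 t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
 box.mat[0],
@@ -4627,59 +4621,48 @@
 TIFF* output){
 tsize_t written=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
 written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output);
 written += t2pWriteFile(output,
 (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im",
 42);
- buflen=sprintf(buffer, "%u", t2p->pdf_page+1);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 if(tile != 0){
 written += t2pWriteFile(output, (tdata_t) "_", 1);
- buflen=sprintf(buffer, "%lu", (unsigned long)tile);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 }
 written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
 if(tile==0){
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width);
 } else {
 if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
 } else {
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
 }
 }
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
 if(tile==0){
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length);
 } else {
 if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
 } else {
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
 }
 }
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
- _TIFFmemset((tdata_t)buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
 written += t2p_write_pdf_xobject_cs(t2p, output);
@@ -4723,11 +4706,10 @@
 t2p->pdf_colorspace ^= T2P_CS_PALETTE;
 written += t2p_write_pdf_xobject_cs(t2p, output);
 t2p->pdf_colorspace |= T2P_CS_PALETTE;
- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
+ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " ", 1);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs );
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs );
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
 return(written);
@@ -4761,10 +4743,10 @@
 X_W /= Y_W;
 Z_W /= Y_W;
 Y_W = 1.0F;
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
- buflen=sprintf(buffer, "[%d %d %d %d] \n",
+ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n",
 t2p->pdf_labrange[0],
 t2p->pdf_labrange[1],
 t2p->pdf_labrange[2],
@@ -4780,26 +4762,26 @@
 tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){
 tsize_t written=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
 written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25);
 if(t2p->tiff_transferfunctioncount == 1){
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)(t2p->pdf_xrefcount + 1));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
 } else {
 written += t2pWriteFile(output, (tdata_t) "[ ", 2);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)(t2p->pdf_xrefcount + 1));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)(t2p->pdf_xrefcount + 2));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)(t2p->pdf_xrefcount + 3));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
@@ -4821,7 +4803,7 @@
 written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17);
 written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
 written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
- buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
+ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
 written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
@@ -4848,7 +4830,7 @@
 tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){
 tsize_t written=0;
- char buffer[128];
+ char buffer[256];
 int buflen=0;
 float X_W=0.0;
@@ -4916,16 +4898,16 @@
 written += t2pWriteFile(output, (tdata_t) "<< \n", 4);
 if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
 written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
 }
 if(t2p->pdf_colorspace & T2P_CS_CALRGB){
 written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
+ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
 X_R, Y_R, Z_R,
 X_G, Y_G, Z_G,
 X_B, Y_B, Z_B);
@@ -4944,11 +4926,11 @@
 tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){
 tsize_t written=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
 written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
@@ -4958,11 +4940,11 @@
 tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){
 tsize_t written=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
 written += t2pWriteFile(output, (tdata_t) "/N ", 3);
- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel);
+ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
 t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
@@ -5027,7 +5009,7 @@
 tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){
 tsize_t written=0;
- char buffer[16];
+ char buffer[32];
 int buflen=0;
 if(t2p->pdf_compression==T2P_COMPRESS_NONE){
@@ -5042,41 +5024,33 @@
 written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9);
 if(tile==0){
 written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_width);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(buffer, "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_length);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 } else {
 if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
 written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 } else {
 written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 }
 if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
 written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 } else {
 written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
- buflen=sprintf(
- buffer,
- "%lu",
+ buflen=snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 }
@@ -5103,21 +5077,17 @@
 if(t2p->pdf_compressionquality%100){
 written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
 written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
- _TIFFmemset(buffer, 0x00, 16);
- buflen = sprintf(buffer, "%lu",
+ buflen = snprintf(buffer, sizeof(buffer), "%lu",
 (unsigned long)t2p->tiff_width);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
- _TIFFmemset(buffer, 0x00, 16);
- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
+ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
 }
@@ -5137,16 +5107,16 @@
 tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){
 tsize_t written=0;
- char buffer[21];
+ char buffer[64];
 int buflen=0;
 uint32 i=0;
 written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
 written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
 for (i=0;i<t2p->pdf_xrefcount;i++){
- sprintf(buffer, "%.10lu 00000 n \n",
+ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n",
 (unsigned long)t2p->pdf_xrefoffsets[i]);
 written += t2pWriteFile(output, (tdata_t) buffer, 20);
 }
@@ -5170,17 +5140,14 @@
 snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand());
 written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
+ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
 written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
 written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
 written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
 written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
 sizeof(t2p->pdf_fileid) - 1);
@@ -5188,9 +5155,8 @@
 written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
 sizeof(t2p->pdf_fileid) - 1);
 written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref);
+ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
 written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- _TIFFmemset(buffer, 0x00, 32);
 written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
 return(written);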
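Review bot: Nearly every converted call in this file keeps the pattern `buflen = snprintf(buffer, sizeof(buffer), ...)` followed by `t2pWriteFile(output, (tdata_t) buffer, buflen)`, and snprintf returns the length the complete output would have had, not the number of bytes actually stored. If the text is truncated, buflen is at least sizeof(buffer) and the write reads beyond the stack buffer into the generated file; a negative return on error is passed through as well. The places most exposed are those formatting several `%.4f` values into one buffer (the two `cm` content lines at -4587 and -4602, whose buffer is declared outside the hunk, and the `/Matrix` line in t2p_write_pdf_xobject_calcs), since those values appear to derive from the input image and can be wide. Clamp before each write, for example `if (buflen < 0) buflen = 0; else if ((size_t)buflen >= sizeof(buffer)) buflen = (int)sizeof(buffer) - 1;`, or treat truncation as an error. The kept `buffer[sizeof(buffer) - 1] = '\0';` lines in the name-escaping hunks are redundant after snprintf.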
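--- a/tiff-4.0.3/tools/tiff2ps.c
+++ b/tiff-4.0.3/tools/tiff2ps.c
@@ -1781,8 +1781,8 @@
 imageOp = "imagemask";
 (void)strcpy(im_x, "0");
- (void)sprintf(im_y, "%lu", (long) h);
- (void)sprintf(im_h, "%lu", (long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
+ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
 tile_width = w;
 tile_height = h;
 if (TIFFIsTiled(tif)) {
@@ -1803,7 +1803,7 @@
 }
 if (tile_height < h) {
 fputs("/im_y 0 def\n", fd);
- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
 }
 } else {
 repeat_count = tf_numberstrips;
@@ -1815,7 +1815,7 @@
 fprintf(fd, "/im_h %lu def\n",
 (unsigned long) tile_height);
 (void)strcpy(im_h, "im_h");
- (void)snprintf(im_y, "%lu im_y sub", (unsigned long) h);
+ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
 }
 }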
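Review bot: The first hunk's new lines `(void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);` and the matching im_h call carry over a `%lu` conversion paired with a `(long)` cast, while the two later hunks in this file cast to `(unsigned long)`; specifier and argument type should agree, e.g. `"%lu", (unsigned long) h`. `sizeof(im_y)` and `sizeof(im_h)` give the buffer size only if both names are arrays in this scope, and their declarations are outside the hunks, so that should be confirmed against the full function.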
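--- a/tiff-4.0.3/tools/tiffcrop.c
+++ b/tiff-4.0.3/tools/tiffcrop.c
@@ -2077,7 +2077,7 @@
 return 1;
 }
- sprintf (filenum, "-%03d%s", findex, export_ext);
+ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
 filenum[14] = '\0';
 strncat (exportname, filenum, 15);
 }
@@ -2230,8 +2230,8 @@
 /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes
 fewer than PATH_MAX */
- memset (temp_filename, '\0', PATH_MAX + 1);
- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
+ dump.infilename, dump_images,
 (dump.format == DUMP_TEXT) ? "txt" : "raw");
 if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
 {
@@ -2249,8 +2249,8 @@
 /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes
 fewer than PATH_MAX */
- memset (temp_filename, '\0', PATH_MAX + 1);
- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
+ dump.outfilename, dump_images,
 (dump.format == DUMP_TEXT) ? "txt" : "raw");
 if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
 {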
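Review bot: In the two dump-file hunks the result of `snprintf(temp_filename, sizeof(temp_filename), ...)` is discarded, so a truncated name would go straight to `fopen(temp_filename, dump.mode)` and the dump could be opened under a path other than the intended one. Comparing the return value with `sizeof(temp_filename)` and taking the function's error path on truncation (or a negative return) would close that gap. In the first hunk the kept lines `filenum[14] = '\0';` and `strncat (exportname, filenum, 15);` still hard-code sizes; the count given to strncat limits the bytes taken from filenum, not the space left in exportname, whose declaration and earlier fill are outside the hunk and should be checked.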
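--- a/tiff-4.0.3/tools/tiff2bw.c
+++ b/tiff-4.0.3/tools/tiff2bw.c
@@ -205,7 +205,7 @@
 }
 }
 TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
- sprintf(thing, "B&W version of %s", argv[optind]);
+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
 TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
 TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
 outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));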
  724. - sprintf(thing, "B&W version of %s", argv[optind]);
  725. + snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
  726. TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
  727. TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
  728. outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));