gnu: libtiff: Fix CVE-2016-{10092,10093,10094} and others.

* gnu/packages/patches/libtiff-CVE-2016-10092.patch,
gnu/packages/patches/libtiff-CVE-2016-10093.patch,
gnu/packages/patches/libtiff-CVE-2016-10094.patch,
gnu/packages/patches/libtiff-assertion-failure.patch,
gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch,
gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch,
gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch,
gnu/packages/patches/libtiff-divide-by-zero.patch,
gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch,
gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch,
gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch,
gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch,
gnu/packages/patches/libtiff-invalid-read.patch,
gnu/packages/patches/libtiff-null-dereference.patch,
gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
This commit is contained in:
Leo Famulari 2017-01-10 03:22:33 -05:00
parent 8966c6b439
commit 4b96149d8b
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
17 changed files with 1056 additions and 0 deletions

View file

@ -683,6 +683,21 @@ dist_patch_DATA = \
%D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtheora-config-guess.patch \
%D%/packages/patches/libtiff-CVE-2016-10092.patch \
%D%/packages/patches/libtiff-CVE-2016-10093.patch \
%D%/packages/patches/libtiff-CVE-2016-10094.patch \
%D%/packages/patches/libtiff-assertion-failure.patch \
%D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \
%D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \
%D%/packages/patches/libtiff-divide-by-zero-tiffcrop.patch \
%D%/packages/patches/libtiff-divide-by-zero.patch \
%D%/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch \
%D%/packages/patches/libtiff-heap-overflow-tif-dirread.patch \
%D%/packages/patches/libtiff-heap-overflow-tiffcp.patch \
%D%/packages/patches/libtiff-heap-overflow-tiffcrop.patch \
%D%/packages/patches/libtiff-invalid-read.patch \
%D%/packages/patches/libtiff-null-dereference.patch \
%D%/packages/patches/libtiff-tiffcp-underflow.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
%D%/packages/patches/libupnp-CVE-2016-6255.patch \

View file

@ -8,6 +8,7 @@
;;; Copyright © 2015 Amirouche Boubekki <amirouche@hypermove.net>
;;; Copyright © 2014 John Darrington <jmd@gnu.org>
;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
@ -258,6 +259,7 @@ (define-public libicns
(define-public libtiff
(package
(name "libtiff")
(replacement libtiff/fixed)
(version "4.0.7")
(source (origin
(method url-fetch)
@ -290,6 +292,28 @@ (define-public libtiff
"See COPYRIGHT in the distribution."))
(home-page "http://www.simplesystems.org/libtiff/")))
(define libtiff/fixed
(package
(inherit libtiff)
(source
(origin
(inherit (package-source libtiff))
(patches (search-patches "libtiff-heap-overflow-tiffcp.patch"
"libtiff-null-dereference.patch"
"libtiff-heap-overflow-tif-dirread.patch"
"libtiff-heap-overflow-pixarlog-luv.patch"
"libtiff-divide-by-zero.patch"
"libtiff-divide-by-zero-ojpeg.patch"
"libtiff-tiffcp-underflow.patch"
"libtiff-invalid-read.patch"
"libtiff-CVE-2016-10092.patch"
"libtiff-heap-overflow-tiffcrop.patch"
"libtiff-divide-by-zero-tiffcrop.patch"
"libtiff-CVE-2016-10093.patch"
"libtiff-divide-by-zero-tiffcp.patch"
"libtiff-assertion-failure.patch"
"libtiff-CVE-2016-10094.patch"))))))
(define-public libwmf
(package
(name "libwmf")

View file

@ -0,0 +1,42 @@
Fix CVE-2016-10092:
http://bugzilla.maptools.org/show_bug.cgi?id=2620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092
https://security-tracker.debian.org/tracker/CVE-2016-10092
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore)
mode so that the output buffer is correctly incremented to avoid write
outside bounds.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1178; previous revision: 1.1177
/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
new revision: 1.47; previous revision: 1.46
Index: libtiff/tools/tiffcrop.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- libtiff/tools/tiffcrop.c 18 Nov 2016 14:58:46 -0000 1.46
+++ libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
@@ -3698,7 +3698,7 @@
(unsigned long) strip, (unsigned long)rows);
return 0;
}
- bufp += bytes_read;
+ bufp += stripsize;
}
return 1;

View file

@ -0,0 +1,53 @@
Fix CVE-2016-10093:
http://bugzilla.maptools.org/show_bug.cgi?id=2610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093
https://security-tracker.debian.org/tracker/CVE-2016-10093
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: fix uint32 underflow/overflow that can cause
heap-based buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1187; previous revision: 1.1186
/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
new revision: 1.59; previous revision: 1.58
Index: libtiff/tools/tiffcp.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -r1.58 -r1.59
--- libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58
+++ libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59
@@ -1163,7 +1163,7 @@
static void
cpStripToTile(uint8* out, uint8* in,
- uint32 rows, uint32 cols, int outskew, int inskew)
+ uint32 rows, uint32 cols, int outskew, int64 inskew)
{
while (rows-- > 0) {
uint32 j = cols;
@@ -1320,7 +1320,7 @@
tdata_t tilebuf;
uint32 imagew = TIFFScanlineSize(in);
uint32 tilew = TIFFTileRowSize(in);
- int iskew = imagew - tilew;
+ int64 iskew = (int64)imagew - (int64)tilew;
uint8* bufp = (uint8*) buf;
uint32 tw, tl;
uint32 row;
@@ -1348,7 +1348,7 @@
status = 0;
goto done;
}
- if (colb + tilew > imagew) {
+ if (colb > iskew) {
uint32 width = imagew - colb;
uint32 oskew = tilew - width;
cpStripToTile(bufp + colb,

View file

@ -0,0 +1,34 @@
Fix CVE-2016-10094:
http://bugzilla.maptools.org/show_bug.cgi?id=2640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094
https://security-tracker.debian.org/tracker/CVE-2016-10094
2016-12-20 Even Rouault <even.rouault at spatialys.com>
* tools/tiff2pdf.c: avoid potential heap-based overflow in
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1199; previous revision: 1.1198
/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c
new revision: 1.101; previous revision: 1.100
Index: libtiff/tools/tiff2pdf.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
retrieving revision 1.100
retrieving revision 1.101
diff -u -r1.100 -r1.101
--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100
+++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:28:17 -0000 1.101
@@ -2895,7 +2895,7 @@
return(0);
}
if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
- if (count >= 4) {
+ if (count > 4) {
int retTIFFReadRawTile;
/* Ignore EOI marker of JpegTables */
_TIFFmemcpy(buffer, jpt, count - 2);

View file

@ -0,0 +1,60 @@
Fix assertion failure in readSeparateTilesIntoBuffer():
http://bugzilla.maptools.org/show_bug.cgi?id=2605
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert
check.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1188; previous revision: 1.1187
/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
new revision: 1.60; previous revision: 1.59
Index: libtiff/tools/tiffcp.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -r1.59 -r1.60
--- libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59
+++ libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60
@@ -45,7 +45,6 @@
#include <string.h>
#include <ctype.h>
-#include <assert.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
@@ -1393,7 +1392,12 @@
status = 0;
goto done;
}
- assert( bps % 8 == 0 );
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ status = 0;
+ goto done;
+ }
bytes_per_sample = bps/8;
for (row = 0; row < imagelength; row += tl) {
@@ -1584,7 +1588,12 @@
_TIFFfree(obuf);
return 0;
}
- assert( bps % 8 == 0 );
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ _TIFFfree(obuf);
+ return 0;
+ }
bytes_per_sample = bps/8;
for (row = 0; row < imagelength; row += tl) {

View file

@ -0,0 +1,63 @@
Fix divide-by-zero in OJPEGDecodeRaw():
http://bugzilla.maptools.org/show_bug.cgi?id=2611
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure
in
OJPEGPreDecode(). This will avoid a divide by zero, and potential other
issues.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1177; previous revision: 1.1176
/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
new revision: 1.66; previous revision: 1.65
Index: libtiff/libtiff/tif_ojpeg.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- libtiff/libtiff/tif_ojpeg.c 4 Sep 2016 21:32:56 -0000 1.65
+++ libtiff/libtiff/tif_ojpeg.c 3 Dec 2016 11:15:18 -0000 1.66
@@ -1,4 +1,4 @@
-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
/* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
specification is now totally obsolete and deprecated for new applications and
@@ -244,6 +244,7 @@
typedef struct {
TIFF* tif;
+ int decoder_ok;
#ifndef LIBJPEG_ENCAP_EXTERNAL
JMP_BUF exit_jmpbuf;
#endif
@@ -722,6 +723,7 @@
}
sp->write_curstrile++;
}
+ sp->decoder_ok = 1;
return(1);
}
@@ -784,8 +786,14 @@
static int
OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
{
+ static const char module[]="OJPEGDecode";
OJPEGState* sp=(OJPEGState*)tif->tif_data;
(void)s;
+ if( !sp->decoder_ok )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
+ return 0;
+ }
if (sp->libjpeg_jpeg_query_style==0)
{
if (OJPEGDecodeRaw(tif,buf,cc)==0)

View file

@ -0,0 +1,104 @@
Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer():
http://bugzilla.maptools.org/show_bug.cgi?id=2597
http://bugzilla.maptools.org/show_bug.cgi?id=2607
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
tag is
missing.
Reported by Agostino sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1183; previous revision: 1.1182
/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
new revision: 1.57; previous revision: 1.56
Index: libtiff/tools/tiffcp.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56
+++ libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -1378,7 +1378,7 @@
uint8* bufp = (uint8*) buf;
uint32 tw, tl;
uint32 row;
- uint16 bps, bytes_per_sample;
+ uint16 bps = 0, bytes_per_sample;
tilebuf = _TIFFmalloc(tilesize);
if (tilebuf == 0)
@@ -1387,6 +1387,12 @@
(void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
(void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
(void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample");
+ status = 0;
+ goto done;
+ }
assert( bps % 8 == 0 );
bytes_per_sample = bps/8;
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
tag is
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1186; previous revision: 1.1185
/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
new revision: 1.58; previous revision: 1.57
Index: libtiff/tools/tiffcp.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
retrieving revision 1.57
retrieving revision 1.58
diff -u -r1.57 -r1.58
--- libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57
+++ libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -1569,7 +1569,7 @@
uint8* bufp = (uint8*) buf;
uint32 tl, tw;
uint32 row;
- uint16 bps, bytes_per_sample;
+ uint16 bps = 0, bytes_per_sample;
obuf = _TIFFmalloc(TIFFTileSize(out));
if (obuf == NULL)
@@ -1578,6 +1578,12 @@
(void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
(void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+ _TIFFfree(obuf);
+ return 0;
+ }
assert( bps % 8 == 0 );
bytes_per_sample = bps/8;

View file

@ -0,0 +1,57 @@
Fix divide-by-zero in readSeparateStripsIntoBuffer():
http://bugzilla.maptools.org/show_bug.cgi?id=2619
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcrop.c: fix integer division by zero when BitsPerSample is
missing.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1180; previous revision: 1.1179
/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
new revision: 1.49; previous revision: 1.48
Index: libtiff/tools/tiffcrop.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48
+++ libtiff/tools/tiffcrop.c 3 Dec 2016 13:00:04 -0000 1.49
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
@@ -1164,7 +1164,7 @@
tdata_t obuf;
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps);
bytes_per_sample = (bps + 7) / 8;
if( width == 0 ||
(uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
@@ -4760,7 +4760,7 @@
int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
uint32 j;
int32 bytes_read = 0;
- uint16 bps, planar;
+ uint16 bps = 0, planar;
uint32 nstrips;
uint32 strips_per_sample;
uint32 src_rowsize, dst_rowsize, rows_processed, rps;
@@ -4780,7 +4780,7 @@
}
memset (srcbuffs, '\0', sizeof(srcbuffs));
- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar);
TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
if (rps > length)

View file

@ -0,0 +1,67 @@
Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero:
http://bugzilla.maptools.org/show_bug.cgi?id=2596
2016-12-02 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
TIFFReadEncodedStrip() that caused an integer division by zero.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1173; previous revision: 1.1172
/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
new revision: 1.50; previous revision: 1.49
/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v <-- libtiff/tiffiop.h
new revision: 1.90; previous revision: 1.89
Index: libtiff/libtiff/tif_read.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- libtiff/libtiff/tif_read.c 10 Jul 2016 18:00:21 -0000 1.49
+++ libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */
+/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -346,7 +346,7 @@
rowsperstrip=td->td_rowsperstrip;
if (rowsperstrip>td->td_imagelength)
rowsperstrip=td->td_imagelength;
- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
stripinplane=(strip%stripsperplane);
plane=(uint16)(strip/stripsperplane);
rows=td->td_imagelength-stripinplane*rowsperstrip;
Index: libtiff/libtiff/tiffiop.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- libtiff/libtiff/tiffiop.h 23 Jan 2016 21:20:34 -0000 1.89
+++ libtiff/libtiff/tiffiop.h 2 Dec 2016 21:56:56 -0000 1.90
@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -250,6 +250,10 @@
#define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
0U)
+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
+#define TIFFhowmany_32_maxuint_compat(x, y) \
+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
#define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
#define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
#define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))

View file

@ -0,0 +1,131 @@
Fix heap-based buffer overflow in _TIFFmemcpy():
http://bugzilla.maptools.org/show_bug.cgi?id=2604
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but suffers from the same kind
of issue of PixarLog.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1175; previous revision: 1.1174
/cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v <-- libtiff/tif_luv.c
new revision: 1.44; previous revision: 1.43
/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v <--
libtiff/tif_pixarlog.c
new revision: 1.49; previous revision: 1.48
Index: libtiff/libtiff/tif_luv.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- libtiff/libtiff/tif_luv.c 4 Sep 2016 21:32:56 -0000 1.43
+++ libtiff/libtiff/tif_luv.c 2 Dec 2016 23:05:51 -0000 1.44
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -158,6 +158,7 @@
typedef struct logLuvState LogLuvState;
struct logLuvState {
+ int encoder_state; /* 1 if encoder correctly initialized */
int user_datafmt; /* user data format */
int encode_meth; /* encoding method */
int pixel_size; /* bytes per pixel */
@@ -1552,6 +1553,7 @@
td->td_photometric, "must be either LogLUV or LogL");
break;
}
+ sp->encoder_state = 1;
return (1);
notsupported:
TIFFErrorExt(tif->tif_clientdata, module,
@@ -1563,19 +1565,27 @@
static void
LogLuvClose(TIFF* tif)
{
+ LogLuvState* sp = (LogLuvState*) tif->tif_data;
TIFFDirectory *td = &tif->tif_dir;
+ assert(sp != 0);
/*
* For consistency, we always want to write out the same
* bitspersample and sampleformat for our TIFF file,
* regardless of the data format being used by the application.
* Since this routine is called after tags have been set but
* before they have been recorded in the file, we reset them here.
+ * Note: this is really a nasty approach. See PixarLogClose
*/
- td->td_samplesperpixel =
- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
- td->td_bitspersample = 16;
- td->td_sampleformat = SAMPLEFORMAT_INT;
+ if( sp->encoder_state )
+ {
+ /* See PixarLogClose. Might avoid issues with tags whose size depends
+ * on those below, but not completely sure this is enough. */
+ td->td_samplesperpixel =
+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+ td->td_bitspersample = 16;
+ td->td_sampleformat = SAMPLEFORMAT_INT;
+ }
}
static void
Index: libtiff/libtiff/tif_pixarlog.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- libtiff/libtiff/tif_pixarlog.c 23 Sep 2016 22:12:18 -0000 1.48
+++ libtiff/libtiff/tif_pixarlog.c 2 Dec 2016 23:05:51 -0000 1.49
@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */
+/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@@ -1233,8 +1233,10 @@
static void
PixarLogClose(TIFF* tif)
{
+ PixarLogState* sp = (PixarLogState*) tif->tif_data;
TIFFDirectory *td = &tif->tif_dir;
+ assert(sp != 0);
/* In a really sneaky (and really incorrect, and untruthful, and
* troublesome, and error-prone) maneuver that completely goes against
* the spirit of TIFF, and breaks TIFF, on close, we covertly
@@ -1243,8 +1245,19 @@
* readers that don't know about PixarLog, or how to set
* the PIXARLOGDATFMT pseudo-tag.
*/
- td->td_bitspersample = 8;
- td->td_sampleformat = SAMPLEFORMAT_UINT;
+
+ if (sp->state&PLSTATE_INIT) {
+ /* We test the state to avoid an issue such as in
+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
+ * What appends in that case is that the bitspersample is 1 and
+ * a TransferFunction is set. The size of the TransferFunction
+ * depends on 1<<bitspersample. So if we increase it, an access
+ * out of the buffer will happen at directory flushing.
+ * Another option would be to clear those targs.
+ */
+ td->td_bitspersample = 8;
+ td->td_sampleformat = SAMPLEFORMAT_UINT;
+ }
}
static void

View file

@ -0,0 +1,132 @@
Fix heap-based buffer overflow in TIFFFillStrip():
http://bugzilla.maptools.org/show_bug.cgi?id=2608
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength,
rowsperstrip),
instead of a logic based on the total size of data. Which is faulty is
the total size of data is not sufficient to fill the whole image, and
thus
results in reading outside of the StripByCounts/StripOffsets arrays
when
using TIFFReadScanline().
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273
since
the above change is a better fix that makes it unnecessary.
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1176; previous revision: 1.1175
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--
libtiff/tif_dirread.c
new revision: 1.205; previous revision: 1.204
/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v <-- libtiff/tif_strip.c
new revision: 1.38; previous revision: 1.37
Index: libtiff/libtiff/tif_dirread.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
retrieving revision 1.204
retrieving revision 1.205
diff -u -r1.204 -r1.205
--- libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204
+++ libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -5502,8 +5502,7 @@
uint64 rowblockbytes;
uint64 stripbytes;
uint32 strip;
- uint64 nstrips64;
- uint32 nstrips32;
+ uint32 nstrips;
uint32 rowsperstrip;
uint64* newcounts;
uint64* newoffsets;
@@ -5534,18 +5533,17 @@
return;
/*
- * never increase the number of strips in an image
+ * never increase the number of rows per strip
*/
if (rowsperstrip >= td->td_rowsperstrip)
return;
- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
- return;
- nstrips32 = (uint32)nstrips64;
+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+ if( nstrips == 0 )
+ return;
- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripOffsets\" array");
if (newcounts == NULL || newoffsets == NULL) {
/*
@@ -5562,18 +5560,18 @@
* Fill the strip information arrays with new bytecounts and offsets
* that reflect the broken-up format.
*/
- for (strip = 0; strip < nstrips32; strip++) {
+ for (strip = 0; strip < nstrips; strip++) {
if (stripbytes > bytecount)
stripbytes = bytecount;
newcounts[strip] = stripbytes;
- newoffsets[strip] = offset;
+ newoffsets[strip] = stripbytes ? offset : 0;
offset += stripbytes;
bytecount -= stripbytes;
}
/*
* Replace old single strip info with multi-strip info.
*/
- td->td_stripsperimage = td->td_nstrips = nstrips32;
+ td->td_stripsperimage = td->td_nstrips = nstrips;
TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
_TIFFfree(td->td_stripbytecount);
Index: libtiff/libtiff/tif_strip.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- libtiff/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37
+++ libtiff/libtiff/tif_strip.c 3 Dec 2016 11:02:15 -0000 1.38
@@ -1,4 +1,4 @@
-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */
+/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -63,15 +63,6 @@
TIFFDirectory *td = &tif->tif_dir;
uint32 nstrips;
- /* If the value was already computed and store in td_nstrips, then return it,
- since ChopUpSingleUncompressedStrip might have altered and resized the
- since the td_stripbytecount and td_stripoffset arrays to the new value
- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
- tif_dirread.c ~line 3612.
- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
- if( td->td_nstrips )
- return td->td_nstrips;
-
nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)

View file

@ -0,0 +1,67 @@
Fix heap buffer overflow in tiffcp when parsing number of inks:
http://bugzilla.maptools.org/show_bug.cgi?id=2599
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
called,
limit the return number of inks to SamplesPerPixel, so that code that
parses
ink names doesn't go past the end of the buffer.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1184; previous revision: 1.1183
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c
new revision: 1.128; previous revision: 1.127
Index: libtiff/libtiff/tif_dir.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -r1.127 -r1.128
--- libtiff/libtiff/tif_dir.c 25 Oct 2016 21:35:15 -0000 1.127
+++ libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
+/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -854,6 +854,32 @@
if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
return 0;
+ if( tag == TIFFTAG_NUMBEROFINKS )
+ {
+ int i;
+ for (i = 0; i < td->td_customValueCount; i++) {
+ uint16 val;
+ TIFFTagValue *tv = td->td_customValues + i;
+ if (tv->info->field_tag != tag)
+ continue;
+ val = *(uint16 *)tv->value;
+ /* Truncate to SamplesPerPixel, since the */
+ /* setting code for INKNAMES assume that there are SamplesPerPixel */
+ /* inknames. */
+ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
+ if( val > td->td_samplesperpixel )
+ {
+ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
+ "Truncating NumberOfInks from %u to %u",
+ val, td->td_samplesperpixel);
+ val = td->td_samplesperpixel;
+ }
+ *va_arg(ap, uint16*) = val;
+ return 1;
+ }
+ return 0;
+ }
+
/*
* We want to force the custom code to be used for custom
* fields even if the tag happens to match a well known

View file

@ -0,0 +1,60 @@
Fix heap-based buffer overflow in combineSeparateSamples16bits():
http://bugzilla.maptools.org/show_bug.cgi?id=2621
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
buffer.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1179; previous revision: 1.1178
/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
new revision: 1.48; previous revision: 1.47
Index: libtiff/tools/tiffcrop.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
retrieving revision 1.47
retrieving revision 1.48
diff -u -r1.47 -r1.48
--- libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47
+++ libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
@@ -4815,10 +4815,17 @@
nstrips = TIFFNumberOfStrips(in);
strips_per_sample = nstrips /spp;
+ /* Add 3 padding bytes for combineSeparateSamples32bits */
+ if( (size_t) stripsize > 0xFFFFFFFFU - 3U )
+ {
+ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(-1);
+ }
+
for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
srcbuffs[s] = NULL;
- buff = _TIFFmalloc(stripsize);
+ buff = _TIFFmalloc(stripsize + 3);
if (!buff)
{
TIFFError ("readSeparateStripsIntoBuffer",
@@ -4827,6 +4834,9 @@
_TIFFfree (srcbuffs[i]);
return 0;
}
+ buff[stripsize] = 0;
+ buff[stripsize+1] = 0;
+ buff[stripsize+2] = 0;
srcbuffs[s] = buff;
}

View file

@ -0,0 +1,64 @@
Fix invalid read in t2p_writeproc():
http://bugzilla.maptools.org/show_bug.cgi?id=2639
2016-12-20 Even Rouault <even.rouault at spatialys.com>
* tools/tiff2pdf.c: avoid potential invalid memory read in
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1198; previous revision: 1.1197
/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c
new revision: 1.100; previous revision: 1.99
Index: libtiff/tools/tiff2pdf.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -r1.99 -r1.100
--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:13:26 -0000 1.99
+++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100
@@ -2896,6 +2896,7 @@
}
if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
if (count >= 4) {
+ int retTIFFReadRawTile;
/* Ignore EOI marker of JpegTables */
_TIFFmemcpy(buffer, jpt, count - 2);
bufferoffset += count - 2;
@@ -2903,22 +2904,23 @@
table_end[0] = buffer[bufferoffset-2];
table_end[1] = buffer[bufferoffset-1];
xuint32 = bufferoffset;
- bufferoffset -= 2;
- bufferoffset += TIFFReadRawTile(
+ bufferoffset -= 2;
+ retTIFFReadRawTile= TIFFReadRawTile(
input,
tile,
(tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
-1);
+ if( retTIFFReadRawTile < 0 )
+ {
+ _TIFFfree(buffer);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return(0);
+ }
+ bufferoffset += retTIFFReadRawTile;
/* Overwrite SOI marker of image scan with previously */
/* saved end of JpegTables */
buffer[xuint32-2]=table_end[0];
buffer[xuint32-1]=table_end[1];
- } else {
- bufferoffset += TIFFReadRawTile(
- input,
- tile,
- (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
- -1);
}
}
t2pWriteFile(output, (tdata_t) buffer, bufferoffset);

View file

@ -0,0 +1,42 @@
Fix NULL pointer dereference in TIFFReadRawData():
http://bugzilla.maptools.org/show_bug.cgi?id=2594
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffinfo.c: fix null pointer dereference in -r mode when
* the
image has
no StripByteCount tag.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1182; previous revision: 1.1181
/cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v <-- tools/tiffinfo.c
new revision: 1.26; previous revision: 1.25
Index: libtiff/tools/tiffinfo.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- libtiff/tools/tiffinfo.c 12 Nov 2016 20:06:05 -0000 1.25
+++ libtiff/tools/tiffinfo.c 3 Dec 2016 14:18:49 -0000 1.26
@@ -1,4 +1,4 @@
-/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */
+/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -417,7 +417,7 @@
uint64* stripbc=NULL;
TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc);
- if (nstrips > 0) {
+ if (stripbc != NULL && nstrips > 0) {
uint32 bufsize = (uint32) stripbc[0];
tdata_t buf = _TIFFmalloc(bufsize);
tstrip_t s;

View file

@ -0,0 +1,41 @@
Fix a integer underflow in tiffcp that led to heap overflows in
TIFFReverseBits():
http://bugzilla.maptools.org/show_bug.cgi?id=2598
2016-12-02 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1174; previous revision: 1.1173
/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
new revision: 1.56; previous revision: 1.55
Index: libtiff/tools/tiffcp.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -r1.55 -r1.56
--- libtiff/tools/tiffcp.c 8 Oct 2016 15:54:57 -0000 1.55
+++ libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -985,7 +985,7 @@
tstrip_t s, ns = TIFFNumberOfStrips(in);
uint32 row = 0;
_TIFFmemset(buf, 0, stripsize);
- for (s = 0; s < ns; s++) {
+ for (s = 0; s < ns && row < imagelength; s++) {
tsize_t cc = (row + rowsperstrip > imagelength) ?
TIFFVStripSize(in, imagelength - row) : stripsize;
if (TIFFReadEncodedStrip(in, s, buf, cc) < 0