Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 93188 Details for
Bug 142383
media-libs/tiff Multiple issues (CVE-2006-34{59-65})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
tiff-3.8.2-goo-sec.diff
tiff-3.8.2-goo-sec.diff (text/plain), 22.70 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2006-08-01 00:56:39 UTC
(
hide
)
Description:
tiff-3.8.2-goo-sec.diff
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2006-08-01 00:56:39 UTC
Size:
22.70 KB
patch
obsolete
>diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c >--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 >+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 >@@ -122,6 +122,7 @@ > { > static const char module[] = "_TIFFVSetField"; > >+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); > TIFFDirectory* td = &tif->tif_dir; > int status = 1; > uint32 v32, i, v; >@@ -195,10 +196,12 @@ > break; > case TIFFTAG_ORIENTATION: > v = va_arg(ap, uint32); >+ const TIFFFieldInfo* fip; > if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { >+ fip = _TIFFFieldWithTag(tif, tag); > TIFFWarningExt(tif->tif_clientdata, tif->tif_name, > "Bad value %lu for \"%s\" tag ignored", >- v, _TIFFFieldWithTag(tif, tag)->field_name); >+ v, fip ? fip->field_name : "Unknown"); > } else > td->td_orientation = (uint16) v; > break; >@@ -387,11 +390,15 @@ > * happens, for example, when tiffcp is used to convert between > * compression schemes and codec-specific tags are blindly copied. > */ >+ /* >+ * better not dereference fip if it is NULL. >+ * -- taviso@google.com 15 Jun 2006 >+ */ > if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { > TIFFErrorExt(tif->tif_clientdata, module, > "%s: Invalid %stag \"%s\" (not supported by codec)", > tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", >- _TIFFFieldWithTag(tif, tag)->field_name); >+ fip ? fip->field_name : "Unknown"); > status = 0; > break; > } >@@ -468,7 +475,7 @@ > if (fip->field_type == TIFF_ASCII) > _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); > else { >- tv->value = _TIFFmalloc(tv_size * tv->count); >+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); > if (!tv->value) { > status = 0; > goto end; >@@ -563,7 +570,7 @@ > } > } > if (status) { >- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); >+ TIFFSetFieldBit(tif, fip->field_bit); > tif->tif_flags |= TIFF_DIRTYDIRECT; > } > >@@ -572,12 +579,12 @@ > return (status); > badvalue: > TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", >- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); >+ tif->tif_name, v, fip ? fip->field_name : "Unknown"); > va_end(ap); > return (0); > badvalue32: > TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", >- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); >+ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); > va_end(ap); > return (0); > } >@@ -813,12 +820,16 @@ > * If the client tries to get a tag that is not valid > * for the image's codec then we'll arrive here. > */ >+ /* >+ * dont dereference fip if it's NULL. >+ * -- taviso@google.com 15 Jun 2006 >+ */ > if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) > { > TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", > "%s: Invalid %stag \"%s\" (not supported by codec)", > tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", >- _TIFFFieldWithTag(tif, tag)->field_name); >+ fip ? fip->field_name : "Unknown"); > ret_val = 0; > break; > } >diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c >--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 >+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 >@@ -775,7 +775,8 @@ > TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", > "Internal error, unknown tag 0x%x", > (unsigned int) tag); >- assert(fip != NULL); >+ /* assert(fip != NULL); */ >+ > /*NOTREACHED*/ > } > return (fip); >@@ -789,7 +790,8 @@ > if (!fip) { > TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", > "Internal error, unknown tag %s", field_name); >- assert(fip != NULL); >+ /* assert(fip != NULL); */ >+ > /*NOTREACHED*/ > } > return (fip); >diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c >--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 >+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 >@@ -29,6 +29,9 @@ > * > * Directory Read Support Routines. > */ >+ >+#include <limits.h> >+ > #include "tiffiop.h" > > #define IGNORE 0 /* tag placeholder used below */ >@@ -81,6 +84,7 @@ > uint16 dircount; > toff_t nextdiroff; > int diroutoforderwarning = 0; >+ int compressionknown = 0; > toff_t* new_dirlist; > > tif->tif_diroff = tif->tif_nextdiroff; >@@ -147,13 +151,20 @@ > } else { > toff_t off = tif->tif_diroff; > >- if (off + sizeof (uint16) > tif->tif_size) { >- TIFFErrorExt(tif->tif_clientdata, module, >- "%s: Can not read TIFF directory count", >- tif->tif_name); >- return (0); >+ /* >+ * Check for integer overflow when validating the dir_off, otherwise >+ * a very high offset may cause an OOB read and crash the client. >+ * -- taviso@google.com, 14 Jun 2006. >+ */ >+ if (off + sizeof (uint16) > tif->tif_size || >+ off > (UINT_MAX - sizeof(uint16))) { >+ TIFFErrorExt(tif->tif_clientdata, module, >+ "%s: Can not read TIFF directory count", >+ tif->tif_name); >+ return (0); > } else >- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); >+ _TIFFmemcpy(&dircount, tif->tif_base + off, >+ sizeof (uint16)); > off += sizeof (uint16); > if (tif->tif_flags & TIFF_SWAB) > TIFFSwabShort(&dircount); >@@ -254,6 +265,7 @@ > while (fix < tif->tif_nfields && > tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) > fix++; >+ > if (fix >= tif->tif_nfields || > tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { > >@@ -264,17 +276,23 @@ > dp->tdir_tag, > dp->tdir_tag, > dp->tdir_type); >- >- TIFFMergeFieldInfo(tif, >- _TIFFCreateAnonFieldInfo(tif, >- dp->tdir_tag, >- (TIFFDataType) dp->tdir_type), >- 1 ); >+ /* >+ * creating anonymous fields prior to knowing the compression >+ * algorithm (ie, when the field info has been merged) could cause >+ * crashes with pathological directories. >+ * -- taviso@google.com 15 Jun 2006 >+ */ >+ if (compressionknown) >+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, >+ (TIFFDataType) dp->tdir_type), 1 ); >+ else goto ignore; >+ > fix = 0; > while (fix < tif->tif_nfields && > tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) > fix++; > } >+ > /* > * Null out old tags that we ignore. > */ >@@ -326,6 +344,7 @@ > dp->tdir_type, dp->tdir_offset); > if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) > goto bad; >+ else compressionknown++; > break; > /* XXX: workaround for broken TIFFs */ > } else if (dp->tdir_type == TIFF_LONG) { >@@ -540,6 +559,7 @@ > * Attempt to deal with a missing StripByteCounts tag. > */ > if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { >+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); > /* > * Some manufacturers violate the spec by not giving > * the size of the strips. In this case, assume there >@@ -556,7 +576,7 @@ > "%s: TIFF directory is missing required " > "\"%s\" field, calculating from imagelength", > tif->tif_name, >- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); >+ fip ? fip->field_name : "Unknown"); > if (EstimateStripByteCounts(tif, dir, dircount) < 0) > goto bad; > /* >@@ -580,6 +600,7 @@ > } else if (td->td_nstrips == 1 > && td->td_stripoffset[0] != 0 > && BYTECOUNTLOOKSBAD) { >+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); > /* > * XXX: Plexus (and others) sometimes give a value of zero for > * a tag when they don't know what the correct value is! Try >@@ -589,13 +610,14 @@ > TIFFWarningExt(tif->tif_clientdata, module, > "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", > tif->tif_name, >- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); >+ fip ? fip->field_name : "Unknown"); > if(EstimateStripByteCounts(tif, dir, dircount) < 0) > goto bad; > } else if (td->td_planarconfig == PLANARCONFIG_CONTIG > && td->td_nstrips > 2 > && td->td_compression == COMPRESSION_NONE > && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { >+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); > /* > * XXX: Some vendors fill StripByteCount array with absolutely > * wrong values (it can be equal to StripOffset array, for >@@ -604,7 +626,7 @@ > TIFFWarningExt(tif->tif_clientdata, module, > "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", > tif->tif_name, >- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); >+ fip ? fip->field_name : "Unknown"); > if (EstimateStripByteCounts(tif, dir, dircount) < 0) > goto bad; > } >@@ -870,7 +892,13 @@ > > register TIFFDirEntry *dp; > register TIFFDirectory *td = &tif->tif_dir; >- uint16 i; >+ >+ /* i is used to iterate over td->td_nstrips, so must be >+ * at least the same width. >+ * -- taviso@google.com 15 Jun 2006 >+ */ >+ >+ uint32 i; > > if (td->td_stripbytecount) > _TIFFfree(td->td_stripbytecount); >@@ -947,16 +975,18 @@ > static int > CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) > { >+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); >+ > if (count > dir->tdir_count) { > TIFFWarningExt(tif->tif_clientdata, tif->tif_name, > "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", >- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, >+ fip ? fip->field_name : "Unknown", > dir->tdir_count, count); > return (0); > } else if (count < dir->tdir_count) { > TIFFWarningExt(tif->tif_clientdata, tif->tif_name, > "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", >- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, >+ fip ? fip->field_name : "Unknown", > dir->tdir_count, count); > return (1); > } >@@ -970,6 +1000,7 @@ > TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) > { > int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); >+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > tsize_t cc = dir->tdir_count * w; > > /* Check for overflow. */ >@@ -1013,7 +1044,7 @@ > bad: > TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > "Error fetching data for field \"%s\"", >- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); >+ fip ? fip->field_name : "Unknown"); > return (tsize_t) 0; > } > >@@ -1039,10 +1070,12 @@ > static int > cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) > { >+ const TIFFFieldInfo* fip; > if (denom == 0) { >+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > "%s: Rational with zero denominator (num = %lu)", >- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); >+ fip ? fip->field_name : "Unknown", num); > return (0); > } else { > if (dir->tdir_type == TIFF_RATIONAL) >@@ -1159,6 +1192,20 @@ > static int > TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) > { >+ /* >+ * Prevent overflowing the v stack arrays below by performing a sanity >+ * check on tdir_count, this should never be greater than two. >+ * -- taviso@google.com 14 Jun 2006. >+ */ >+ if (dir->tdir_count > 2) { >+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); >+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, >+ "unexpected count for field \"%s\", %lu, expected 2; ignored.", >+ fip ? fip->field_name : "Unknown", >+ dir->tdir_count); >+ return 0; >+ } >+ > switch (dir->tdir_type) { > case TIFF_BYTE: > case TIFF_SBYTE: >@@ -1329,14 +1376,15 @@ > case TIFF_DOUBLE: > return (TIFFFetchDoubleArray(tif, dir, (double*) v)); > default: >+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > /* TIFF_NOTYPE */ > /* TIFF_ASCII */ > /* TIFF_UNDEFINED */ > TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > "cannot read TIFF_ANY type %d for field \"%s\"", > dir->tdir_type, >- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); >- return (0); >+ fip ? fip->field_name : "Unknown"); >+ return (0); } > } > return (1); > } >@@ -1351,6 +1399,9 @@ > int ok = 0; > const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); > >+ if (fip == NULL) { >+ return (0); >+ } > if (dp->tdir_count > 1) { /* array of values */ > char* cp = NULL; > >@@ -1493,6 +1544,7 @@ > TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) > { > uint16 samples = tif->tif_dir.td_samplesperpixel; >+ const TIFFFieldInfo* fip; > int status = 0; > > if (CheckDirCount(tif, dir, (uint32) samples)) { >@@ -1510,9 +1562,10 @@ > > for (i = 1; i < check_count; i++) > if (v[i] != v[0]) { >+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > "Cannot handle different per-sample values for field \"%s\"", >- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); >+ fip ? fip->field_name : "Unknown"); > goto bad; > } > *pl = v[0]; >@@ -1534,6 +1587,7 @@ > TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) > { > uint16 samples = tif->tif_dir.td_samplesperpixel; >+ const TIFFFieldInfo* fip; > int status = 0; > > if (CheckDirCount(tif, dir, (uint32) samples)) { >@@ -1551,9 +1605,10 @@ > check_count = samples; > for (i = 1; i < check_count; i++) > if (v[i] != v[0]) { >+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > "Cannot handle different per-sample values for field \"%s\"", >- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); >+ fip ? fip->field_name : "Unknown"); > goto bad; > } > *pl = v[0]; >@@ -1574,6 +1629,7 @@ > TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) > { > uint16 samples = tif->tif_dir.td_samplesperpixel; >+ const TIFFFieldInfo* fip; > int status = 0; > > if (CheckDirCount(tif, dir, (uint32) samples)) { >@@ -1591,9 +1647,10 @@ > > for (i = 1; i < check_count; i++) > if (v[i] != v[0]) { >+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); > TIFFErrorExt(tif->tif_clientdata, tif->tif_name, > "Cannot handle different per-sample values for field \"%s\"", >- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); >+ fip ? fip->field_name : "Unknown"); > goto bad; > } > *pl = v[0]; >diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c >--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 >+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 >@@ -1136,6 +1136,7 @@ > Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) > { > Fax3BaseState* sp = Fax3State(tif); >+ const TIFFFieldInfo* fip; > > assert(sp != 0); > assert(sp->vsetparent != 0); >@@ -1181,7 +1182,13 @@ > default: > return (*sp->vsetparent)(tif, tag, ap); > } >- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); >+ >+ if ((fip = _TIFFFieldWithTag(tif, tag))) { >+ TIFFSetFieldBit(tif, fip->field_bit); >+ } else { >+ return (0); >+ } >+ > tif->tif_flags |= TIFF_DIRTYDIRECT; > return (1); > } >diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c >--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 >+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 >@@ -722,15 +722,31 @@ > segment_width = TIFFhowmany(segment_width, sp->h_sampling); > segment_height = TIFFhowmany(segment_height, sp->v_sampling); > } >- if (sp->cinfo.d.image_width != segment_width || >- sp->cinfo.d.image_height != segment_height) { >+ if (sp->cinfo.d.image_width < segment_width || >+ sp->cinfo.d.image_height < segment_height) { > TIFFWarningExt(tif->tif_clientdata, module, > "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", > segment_width, > segment_height, > sp->cinfo.d.image_width, > sp->cinfo.d.image_height); >+ } >+ >+ if (sp->cinfo.d.image_width > segment_width || >+ sp->cinfo.d.image_height > segment_height) { >+ /* >+ * This case could be dangerous, if the strip or tile size has been >+ * reported as less than the amount of data jpeg will return, some >+ * potential security issues arise. Catch this case and error out. >+ * -- taviso@google.com 14 Jun 2006 >+ */ >+ TIFFErrorExt(tif->tif_clientdata, module, >+ "JPEG strip/tile size exceeds expected dimensions," >+ "expected %dx%d, got %dx%d", segment_width, segment_height, >+ sp->cinfo.d.image_width, sp->cinfo.d.image_height); >+ return (0); > } >+ > if (sp->cinfo.d.num_components != > (td->td_planarconfig == PLANARCONFIG_CONTIG ? > td->td_samplesperpixel : 1)) { >@@ -761,6 +777,22 @@ > sp->cinfo.d.comp_info[0].v_samp_factor, > sp->h_sampling, sp->v_sampling); > >+ /* >+ * There are potential security issues here for decoders that >+ * have already allocated buffers based on the expected sampling >+ * factors. Lets check the sampling factors dont exceed what >+ * we were expecting. >+ * -- taviso@google.com 14 June 2006 >+ */ >+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || >+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { >+ TIFFErrorExt(tif->tif_clientdata, module, >+ "Cannot honour JPEG sampling factors that" >+ " exceed those specified."); >+ return (0); >+ } >+ >+ > /* > * XXX: Files written by the Intergraph software > * has different sampling factors stored in the >@@ -1521,15 +1553,18 @@ > { > JPEGState *sp = JState(tif); > >- assert(sp != 0); >+ /* assert(sp != 0); */ > > tif->tif_tagmethods.vgetfield = sp->vgetparent; > tif->tif_tagmethods.vsetfield = sp->vsetparent; > >- if( sp->cinfo_initialized ) >- TIFFjpeg_destroy(sp); /* release libjpeg resources */ >- if (sp->jpegtables) /* tag value */ >- _TIFFfree(sp->jpegtables); >+ if (sp != NULL) { >+ if( sp->cinfo_initialized ) >+ TIFFjpeg_destroy(sp); /* release libjpeg resources */ >+ if (sp->jpegtables) /* tag value */ >+ _TIFFfree(sp->jpegtables); >+ } >+ > _TIFFfree(tif->tif_data); /* release local state */ > tif->tif_data = NULL; > >@@ -1541,6 +1576,7 @@ > { > JPEGState* sp = JState(tif); > TIFFDirectory* td = &tif->tif_dir; >+ const TIFFFieldInfo* fip; > uint32 v32; > > assert(sp != NULL); >@@ -1606,7 +1642,13 @@ > default: > return (*sp->vsetparent)(tif, tag, ap); > } >- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); >+ >+ if ((fip = _TIFFFieldWithTag(tif, tag))) { >+ TIFFSetFieldBit(tif, fip->field_bit); >+ } else { >+ return (0); >+ } >+ > tif->tif_flags |= TIFF_DIRTYDIRECT; > return (1); > } >@@ -1726,7 +1768,11 @@ > { > JPEGState* sp = JState(tif); > >- assert(sp != NULL); >+ /* assert(sp != NULL); */ >+ if (sp == NULL) { >+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); >+ return; >+ } > > (void) flags; > if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) >diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c >--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 >+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 >@@ -105,11 +105,16 @@ > * as codes of the form <color><npixels> > * until we've filled the scanline. > */ >+ /* >+ * Ensure the run does not exceed the scanline >+ * bounds, potentially resulting in a security issue. >+ * -- taviso@google.com 14 Jun 2006. >+ */ > op = row; > for (;;) { > grey = (n>>6) & 0x3; > n &= 0x3f; >- while (n-- > 0) >+ while (n-- > 0 && npixels < imagewidth) > SETPIXEL(op, grey); > if (npixels >= (int) imagewidth) > break; >diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c >--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 >+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 >@@ -768,7 +768,19 @@ > if (tif->tif_flags & TIFF_SWAB) > TIFFSwabArrayOfShort(up, nsamples); > >- for (i = 0; i < nsamples; i += llen, up += llen) { >+ /* >+ * if llen is not an exact multiple of nsamples, the decode operation >+ * may overflow the output buffer, so truncate it enough to prevent that >+ * but still salvage as much data as possible. >+ * -- taviso@google.com 14th June 2006 >+ */ >+ if (nsamples % llen) >+ TIFFWarningExt(tif->tif_clientdata, module, >+ "%s: stride %lu is not a multiple of sample count, " >+ "%lu, data truncated.", tif->tif_name, llen, nsamples); >+ >+ >+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { > switch (sp->user_datafmt) { > case PIXARLOGDATAFMT_FLOAT: > horizontalAccumulateF(up, llen, sp->stride, >diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c >--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 >+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 >@@ -31,6 +31,8 @@ > #include "tiffiop.h" > #include <stdio.h> > >+#include <limits.h> >+ > int TIFFFillStrip(TIFF*, tstrip_t); > int TIFFFillTile(TIFF*, ttile_t); > static int TIFFStartStrip(TIFF*, tstrip_t); >@@ -272,7 +274,13 @@ > if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) > _TIFFfree(tif->tif_rawdata); > tif->tif_flags &= ~TIFF_MYBUFFER; >- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { >+ /* >+ * This sanity check could potentially overflow, causing an OOB read. >+ * verify that offset + bytecount is > offset. >+ * -- taviso@google.com 14 Jun 2006 >+ */ >+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || >+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { > /* > * This error message might seem strange, but it's > * what would happen if a read were done instead. >@@ -470,7 +478,13 @@ > if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) > _TIFFfree(tif->tif_rawdata); > tif->tif_flags &= ~TIFF_MYBUFFER; >- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { >+ /* >+ * We must check this calculation doesnt overflow, potentially >+ * causing an OOB read. >+ * -- taviso@google.com 15 Jun 2006 >+ */ >+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || >+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { > tif->tif_curtile = NOTILE; > return (0); > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 142383
: 93188 |
93315
|
93632