File tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch of Package tiff.3178
--- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-10-06 09:33:52.616248149 +0200
@@ -973,17 +973,14 @@
a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
}
} else {
- ip += n - 1; /* point to last one */
- wp += n - 1; /* point to last one */
+ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
}
}
}
@@ -1026,17 +1023,14 @@
a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
}
} else {
- ip += n - 1; /* point to last one */
- wp += n - 1; /* point to last one */
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
}
}
}
@@ -1079,17 +1073,14 @@
ip += 4;
}
} else {
- wp += n + stride - 1; /* point to last one */
- ip += n + stride - 1; /* point to last one */
+ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
n -= stride;
while (n > 0) {
- REPEAT(stride, wp[0] = CLAMP(ip[0]);
- wp[stride] -= wp[0];
- wp[stride] &= mask;
- wp--; ip--)
+ REPEAT(stride,
+ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+ wp++; ip++)
n -= stride;
}
- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
}
}
}
--- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200
+++ tiff-4.0.6/libtiff/tif_write.c 2016-10-06 09:33:52.616248149 +0200
@@ -764,7 +764,14 @@
if (!TIFFAppendToStrip(tif,
isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
tif->tif_rawdata, tif->tif_rawcc))
+ {
+ /* We update those variables even in case of error since there's */
+ /* code that doesn't really check the return code of this */
+ /* function */
+ tif->tif_rawcc = 0;
+ tif->tif_rawcp = tif->tif_rawdata;
return (0);
+ }
tif->tif_rawcc = 0;
tif->tif_rawcp = tif->tif_rawdata;
}
--- tiff-4.0.6/tools/tiff2pdf.c 2015-09-06 20:24:27.000000000 +0200
+++ tiff-4.0.6/tools/tiff2pdf.c 2016-10-06 09:33:52.616248149 +0200
@@ -286,7 +286,7 @@
int t2p_process_ojpeg_tables(T2P*, TIFF*);
#endif
#ifdef JPEG_SUPPORT
-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
#endif
void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
void t2p_write_advance_directory(T2P*, TIFF*);
@@ -2409,6 +2409,7 @@
stripbuffer,
&striplength,
buffer,
+ t2p->tiff_datasize,
&bufferoffset,
i,
t2p->tiff_length)){
@@ -3439,6 +3440,7 @@
unsigned char* strip,
tsize_t* striplength,
unsigned char* buffer,
+ tsize_t buffersize,
tsize_t* bufferoffset,
tstrip_t no,
uint32 height){
@@ -3473,6 +3475,8 @@
}
switch( strip[i] ){
case 0xd8: /* SOI - start of image */
+ if( *bufferoffset + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
*bufferoffset+=2;
break;
@@ -3482,12 +3486,18 @@
case 0xc9: /* SOF9 */
case 0xca: /* SOF10 */
if(no==0){
+ if( *bufferoffset + datalen + 2 + 6 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ if( *bufferoffset + 9 >= buffersize )
+ return(0);
ncomp = buffer[*bufferoffset+9];
if (ncomp < 1 || ncomp > 4)
return(0);
v_samp=1;
h_samp=1;
+ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
+ return(0);
for(j=0;j<ncomp;j++){
uint16 samp = buffer[*bufferoffset+11+(3*j)];
if( (samp>>4) > h_samp)
@@ -3519,20 +3529,28 @@
break;
case 0xc4: /* DHT */
case 0xdb: /* DQT */
+ if( *bufferoffset + datalen + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
*bufferoffset+=datalen+2;
break;
case 0xda: /* SOS */
if(no==0){
+ if( *bufferoffset + datalen + 2 > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
*bufferoffset+=datalen+2;
} else {
+ if( *bufferoffset + 2 > buffersize )
+ return(0);
buffer[(*bufferoffset)++]=0xff;
buffer[(*bufferoffset)++]=
(unsigned char)(0xd0 | ((no-1)%8));
}
i += datalen + 1;
/* copy remainder of strip */
+ if( *bufferoffset + *striplength - i > buffersize )
+ return(0);
_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
*bufferoffset+= *striplength - i;
return(1);
--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200
+++ tiff-4.0.6/tools/tiffcrop.c 2016-10-06 09:33:52.616248149 +0200
@@ -5737,7 +5737,8 @@
{
uint32 i;
float xres = 0.0, yres = 0.0;
- uint16 nstrips = 0, ntiles = 0, planar = 0;
+ uint32 nstrips = 0, ntiles = 0;
+ uint16 planar = 0;
uint16 bps = 0, spp = 0, res_unit = 0;
uint16 orientation = 0;
uint16 input_compression = 0, input_photometric = 0;
@@ -6013,11 +6014,23 @@
/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
/* outside buffer */
if (!read_buff)
+ {
+ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+ }
else
{
if (prev_readsize < buffsize)
{
+ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
new_buff = _TIFFrealloc(read_buff, buffsize+3);
if (!new_buff)
{
@@ -8859,6 +8872,11 @@
}
bytes_per_pixel = ((bps * spp) + 7) / 8;
+ if( bytes_per_pixel > sizeof(swapbuff) )
+ {
+ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
+ return (1);
+ }
switch (bps / 8)
{
case 8: /* Use memcpy for multiple bytes per sample data */
