Home Explore Help
Register Sign In
pi31415
/
librecmc-package-feed
forked from libreCMC/package-feed
1
0
Fork 0
Files
Tree: 9810a4e618
Branches Tags
librecmc-packag...
/
libs
/
tiff
/
patches
/
004-fix_potential_out-of-bound_write_in_NeXTDecode.patch

004-fix_potential_out-of-bound_write_in_NeXTDecode.patch 2.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. From 237c9c18b0b3479950e54a755ae428bf0f55f754 Mon Sep 17 00:00:00 2001
    2. 

  2. From: erouault <erouault>
    3. 

  3. Date: Sun, 27 Dec 2015 16:55:20 +0000
    4. 

  4. Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
    5. 

  5.  NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
    6. 

  6.  (bugzilla #2508)
    7. 

  7. 

  8. ---
    9. 

  9.  ChangeLog          |  6 ++++++
    10. 

  10.  libtiff/tif_next.c | 12 +++++++++---
    11. 

  11.  2 files changed, 15 insertions(+), 3 deletions(-)
    12. 

  12. 

  13. diff --git a/ChangeLog b/ChangeLog
    14. 

  14. index b8aa23c..04926a3 100644
    15. 

  15. --- a/ChangeLog
    16. 

  16. +++ b/ChangeLog
    17. 

  17. @@ -1,5 +1,11 @@
    18. 

  18.  2015-12-27  Even Rouault <even.rouault at spatialys.com>
    19. 

  19.  
    20. 

  20. +	* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
    21. 

  21. +	triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
    22. 

  22. +	(bugzilla #2508)
    23. 

  23. +
    24. 

  24. +2015-12-27  Even Rouault <even.rouault at spatialys.com>
    25. 

  25. +
    26. 

  26.  	* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
    27. 

  27.  	functions in non debug builds by replacing assert()s by regular if
    28. 

  28.  	checks (bugzilla #2522).
    29. 

  29. diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
    30. 

  30. index 17e0311..1248caa 100644
    31. 

  31. --- a/libtiff/tif_next.c
    32. 

  32. +++ b/libtiff/tif_next.c
    33. 

  33. @@ -1,4 +1,4 @@
    34. 

  34. -/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
    35. 

  35. +/* $Id: tif_next.c,v 1.17 2015-12-27 16:55:20 erouault Exp $ */
    36. 

  36.  
    37. 

  37.  /*
    38. 

  38.   * Copyright (c) 1988-1997 Sam Leffler
    39. 

  39. @@ -37,7 +37,7 @@
    40. 

  40.  	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
    41. 

  41.  	case 1:	op[0] |= (v) << 4; break;	\
    42. 

  42.  	case 2:	op[0] |= (v) << 2; break;	\
    43. 

  43. -	case 3:	*op++ |= (v);	   break;	\
    44. 

  44. +	case 3:	*op++ |= (v);	   op_offset++; break;	\
    45. 

  45.  	}					\
    46. 

  46.  }
    47. 

  47.  
    48. 

  48. @@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
    49. 

  49.  			uint32 imagewidth = tif->tif_dir.td_imagewidth;
    50. 

  50.              if( isTiled(tif) )
    51. 

  51.                  imagewidth = tif->tif_dir.td_tilewidth;
    52. 

  52. +            tmsize_t op_offset = 0;
    53. 

  53.  
    54. 

  54.  			/*
    55. 

  55.  			 * The scanline is composed of a sequence of constant
    56. 

  56. @@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
    57. 

  57.  				 * bounds, potentially resulting in a security
    58. 

  58.  				 * issue.
    59. 

  59.  				 */
    60. 

  60. -				while (n-- > 0 && npixels < imagewidth)
    61. 

  61. +				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
    62. 

  62.  					SETPIXEL(op, grey);
    63. 

  63.  				if (npixels >= imagewidth)
    64. 

  64.  					break;
    65. 

  65. +                if (op_offset >= scanline ) {
    66. 

  66. +                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
    67. 

  67. +                        (long) tif->tif_row);
    68. 

  68. +                    return (0);
    69. 

  69. +                }
    70. 

  70.  				if (cc == 0)
    71. 

  71.  					goto bad;
    72. 

  72.  				n = *bp++, cc--;
    73.