File tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-... of Package tiff.3178

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch of Package tiff.3178

--- tiff-4.0.6/libtiff/tif_pixarlog.c	2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c	2016-10-06 09:33:52.616248149 +0200
@@ -973,17 +973,14 @@
 		a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
 	    }
 	} else {
-	    ip += n - 1;	/* point to last one */
-	    wp += n - 1;	/* point to last one */
+        REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
 	    n -= stride;
 	    while (n > 0) {
-		REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
-				wp[stride] -= wp[0];
-				wp[stride] &= mask;
-				wp--; ip--)
+            REPEAT(stride,
+                wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
+                wp++; ip++)
 		n -= stride;
 	    }
-	    REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
 	}
     }
 }
@@ -1026,17 +1023,14 @@
 		a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
 	    }
 	} else {
-	    ip += n - 1;	/* point to last one */
-	    wp += n - 1;	/* point to last one */
+        REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
 	    n -= stride;
 	    while (n > 0) {
-		REPEAT(stride, wp[0] = CLAMP(ip[0]);
-				wp[stride] -= wp[0];
-				wp[stride] &= mask;
-				wp--; ip--)
+            REPEAT(stride,
+                wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+                wp++; ip++)
 		n -= stride;
 	    }
-	    REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
 	}
     }
 }
@@ -1079,17 +1073,14 @@
 		ip += 4;
 	    }
 	} else {
-	    wp += n + stride - 1;	/* point to last one */
-	    ip += n + stride - 1;	/* point to last one */
+        REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
 	    n -= stride;
 	    while (n > 0) {
-		REPEAT(stride, wp[0] = CLAMP(ip[0]);
-				wp[stride] -= wp[0];
-				wp[stride] &= mask;
-				wp--; ip--)
+            REPEAT(stride,
+                wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
+                wp++; ip++)
 		n -= stride;
 	    }
-	    REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
 	}
     }
 }
--- tiff-4.0.6/libtiff/tif_write.c	2015-08-29 00:16:22.761805698 +0200
+++ tiff-4.0.6/libtiff/tif_write.c	2016-10-06 09:33:52.616248149 +0200
@@ -764,7 +764,14 @@
 		if (!TIFFAppendToStrip(tif,
 		    isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
 		    tif->tif_rawdata, tif->tif_rawcc))
+        {
+            /* We update those variables even in case of error since there's */
+            /* code that doesn't really check the return code of this */
+            /* function */
+            tif->tif_rawcc = 0;
+            tif->tif_rawcp = tif->tif_rawdata;
 			return (0);
+        }
 		tif->tif_rawcc = 0;
 		tif->tif_rawcp = tif->tif_rawdata;
 	}
--- tiff-4.0.6/tools/tiff2pdf.c	2015-09-06 20:24:27.000000000 +0200
+++ tiff-4.0.6/tools/tiff2pdf.c	2016-10-06 09:33:52.616248149 +0200
@@ -286,7 +286,7 @@
 int t2p_process_ojpeg_tables(T2P*, TIFF*);
 #endif
 #ifdef JPEG_SUPPORT
-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
 #endif
 void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
 void t2p_write_advance_directory(T2P*, TIFF*);
@@ -2409,6 +2409,7 @@
 					stripbuffer, 
 					&striplength, 
 					buffer, 
+                    t2p->tiff_datasize,
 					&bufferoffset, 
 					i, 
 					t2p->tiff_length)){
@@ -3439,6 +3440,7 @@
 	unsigned char* strip, 
 	tsize_t* striplength, 
 	unsigned char* buffer, 
+    tsize_t buffersize,
 	tsize_t* bufferoffset, 
 	tstrip_t no, 
 	uint32 height){
@@ -3473,6 +3475,8 @@
 		}
 		switch( strip[i] ){
 			case 0xd8:	/* SOI - start of image */
+                if( *bufferoffset + 2 > buffersize )
+                    return(0);
 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
 				*bufferoffset+=2;
 				break;
@@ -3482,12 +3486,18 @@
 			case 0xc9:	/* SOF9 */
 			case 0xca:	/* SOF10 */
 				if(no==0){
+                    if( *bufferoffset + datalen + 2 + 6 > buffersize )
+                        return(0);
 					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+                    if( *bufferoffset + 9 >= buffersize )
+                        return(0);
 					ncomp = buffer[*bufferoffset+9];
 					if (ncomp < 1 || ncomp > 4)
 						return(0);
 					v_samp=1;
 					h_samp=1;
+                    if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
+                        return(0);
 					for(j=0;j<ncomp;j++){
 						uint16 samp = buffer[*bufferoffset+11+(3*j)];
 						if( (samp>>4) > h_samp) 
@@ -3519,20 +3529,28 @@
 				break;
 			case 0xc4: /* DHT */
 			case 0xdb: /* DQT */
+                if( *bufferoffset + datalen + 2 > buffersize )
+                    return(0);
 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
 				*bufferoffset+=datalen+2;
 				break;
 			case 0xda: /* SOS */
 				if(no==0){
+                    if( *bufferoffset + datalen + 2 > buffersize )
+                        return(0);
 					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
 					*bufferoffset+=datalen+2;
 				} else {
+                    if( *bufferoffset + 2 > buffersize )
+                        return(0);
 					buffer[(*bufferoffset)++]=0xff;
 					buffer[(*bufferoffset)++]=
                                             (unsigned char)(0xd0 | ((no-1)%8));
 				}
 				i += datalen + 1;
 				/* copy remainder of strip */
+                if( *bufferoffset + *striplength - i > buffersize )
+                    return(0);
 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
 				*bufferoffset+= *striplength - i;
 				return(1);
--- tiff-4.0.6/tools/tiffcrop.c	2015-08-29 00:17:08.312151629 +0200
+++ tiff-4.0.6/tools/tiffcrop.c	2016-10-06 09:33:52.616248149 +0200
@@ -5737,7 +5737,8 @@
   {
   uint32   i;
   float    xres = 0.0, yres = 0.0;
-  uint16   nstrips = 0, ntiles = 0, planar = 0;
+  uint32   nstrips = 0, ntiles = 0;
+  uint16   planar = 0;
   uint16   bps = 0, spp = 0, res_unit = 0;
   uint16   orientation = 0;
   uint16   input_compression = 0, input_photometric = 0;
@@ -6013,11 +6014,23 @@
   /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
   /* outside buffer */
   if (!read_buff)
+  {
+    if( buffsize > 0xFFFFFFFFU - 3 )
+    {
+        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+        return (-1);
+    }
     read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+  }
   else
     {
     if (prev_readsize < buffsize)
       {
+      if( buffsize > 0xFFFFFFFFU - 3 )
+      {
+          TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+          return (-1);
+      }
       new_buff = _TIFFrealloc(read_buff, buffsize+3);
       if (!new_buff)
         {
@@ -8859,6 +8872,11 @@
     }
 
   bytes_per_pixel  = ((bps * spp) + 7) / 8;
+  if( bytes_per_pixel > sizeof(swapbuff) )
+  {
+    TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
+    return (1);
+  }
   switch (bps / 8)
      {
      case 8:  /* Use memcpy for multiple bytes per sample data */

Places

File tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch of Package tiff.3178

Places