File tiff-CVE-2018-18557.patch of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2018-18557.patch of Package tiff

Index: tiff-4.0.9/libtiff/tif_jbig.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_jbig.c	2017-06-30 15:27:54.399206925 +0200
+++ tiff-4.0.9/libtiff/tif_jbig.c	2018-11-12 15:30:14.276033487 +0100
@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8*
 	struct jbg_dec_state decoder;
 	int decodeStatus = 0;
 	unsigned char* pImage = NULL;
-	(void) size, (void) s;
+	unsigned long decodedSize;
+	(void) s;
 
 	if (isFillOrder(tif, tif->tif_dir.td_fillorder))
 	{
-		TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
+		TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
 	}
 
 	jbg_dec_init(&decoder);
 
 #if defined(HAVE_JBG_NEWLEN)
-	jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
+	jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
 	/*
 	 * I do not check the return status of jbg_newlen because even if this
 	 * function fails it does not necessarily mean that decoding the image
@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8*
 	 */
 #endif /* HAVE_JBG_NEWLEN */
 
-	decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
-				  (size_t)tif->tif_rawdatasize, NULL);
+	decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
+				  (size_t)tif->tif_rawcc, NULL);
 	if (JBG_EOK != decodeStatus)
 	{
 		/*
@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8*
 		return 0;
 	}
 
+	decodedSize = jbg_dec_getsize(&decoder);
+	if( (tmsize_t)decodedSize < size )
+	{
+	    TIFFWarningExt(tif->tif_clientdata, "JBIG",
+	                   "Only decoded %lu bytes, whereas %lu requested",
+	                   decodedSize, (unsigned long)size);
+	}
+	else if( (tmsize_t)decodedSize > size )
+	{
+	    TIFFErrorExt(tif->tif_clientdata, "JBIG",
+	                 "Decoded %lu bytes, whereas %lu were requested",
+	                 decodedSize, (unsigned long)size);
+	    jbg_dec_free(&decoder);
+	    return 0;
+	}
 	pImage = jbg_dec_getimage(&decoder, 0);
-	_TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
+	_TIFFmemcpy(buffer, pImage, decodedSize);
 	jbg_dec_free(&decoder);
+
+        tif->tif_rawcp += tif->tif_rawcc;
+        tif->tif_rawcc = 0;
+
 	return 1;
 }
 
Index: tiff-4.0.9/libtiff/tif_read.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_read.c	2018-11-12 15:30:14.276033487 +0100
+++ tiff-4.0.9/libtiff/tif_read.c	2018-11-12 15:38:53.074497838 +0100
@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 s
             return 0;
         whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
                 || isMapped(tif);
+        if( td->td_compression == COMPRESSION_JBIG )
+        {
+            /* Ideally plugins should have a way to declare they don't support
+             * chunk strip */
+            whole_strip = 1;
+        }
 #else
         whole_strip = 1;
 #endif

Places

File tiff-CVE-2018-18557.patch of Package tiff

Places