1 security patch from upstream |
|
2 |
|
3 From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 |
|
4 From: erouault <erouault> |
|
5 Date: Sun, 27 Dec 2015 16:25:11 +0000 |
|
6 Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in |
|
7 decode functions in non debug builds by replacing assert()s by regular if |
|
8 checks (bugzilla #2522). Fix potential out-of-bound reads in case of short |
|
9 input data. |
|
10 |
|
11 --- tiff-4.0.6/libtiff/tif_luv.c Fri Mar 25 08:46:18 2016 |
|
12 +++ tiff-4.0.6/libtiff/tif_luv.c Fri Mar 25 09:22:33 2016 |
|
13 @@ -202,7 +202,11 @@ |
|
14 if (sp->user_datafmt == SGILOGDATAFMT_16BIT) |
|
15 tp = (int16*) op; |
|
16 else { |
|
17 - assert(sp->tbuflen >= npixels); |
|
18 + if(sp->tbuflen < npixels) { |
|
19 + TIFFErrorExt(tif->tif_clientdata, module, |
|
20 + "Translation buffer too short"); |
|
21 + return (0); |
|
22 + } |
|
23 tp = (int16*) sp->tbuf; |
|
24 } |
|
25 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); |
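Review bot: The new bound check is written `if(sp->tbuflen < npixels)` while the surrounding code writes `if (` with a space (see `if (sp->user_datafmt == SGILOGDATAFMT_16BIT)` a few lines up), and the same spacing appears in the matching checks of the hunks at @@ -268, @@ -325, @@ -433, @@ -521 and @@ -574 as well as in the `if( cc < 2 )` guards at @@ -211 and @@ -334. More important than spacing, none of the six checks says why a plain `if` rather than an `assert()` is required here; since `_TIFFmemset` on the next line writes `npixels*sizeof (tp[0])` bytes into `tbuf`, a one-line comment such as `/* runtime check, not assert(): must hold in NDEBUG builds too, the memset below writes npixels entries into tbuf */` would keep a later cleanup from turning it back into an assert. The enclosing decode function starts and ends outside the hunk; `module` is presumably already declared there, as the existing TIFFErrorExt call in the `i != npixels` path uses it.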
|
26 @@ -211,9 +215,11 @@ |
|
27 cc = tif->tif_rawcc; |
|
28 /* get each byte string */ |
|
29 for (shft = 2*8; (shft -= 8) >= 0; ) { |
|
30 - for (i = 0; i < npixels && cc > 0; ) |
|
31 + for (i = 0; i < npixels && cc > 0; ) { |
|
32 if (*bp >= 128) { /* run */ |
|
33 - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ |
|
34 + if( cc < 2 ) |
|
35 + break; |
|
36 + rc = *bp++ + (2-128); |
|
37 b = (int16)(*bp++ << shft); |
|
38 cc -= 2; |
|
39 while (rc-- && i < npixels) |
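Review bot: The new `if( cc < 2 ) break;` guard protects only the run branch, where two bytes (count, then value) are consumed before `cc -= 2`; the non-run branch bounds its reads with the pre-decrement in `while (--cc && rc-- && i < npixels)` instead, so the two branches use different idioms for the same purpose and nothing in the hunk says so. A comment on the guard, `/* a run is two bytes (count, value); stop rather than read past tif_rawcc -- the non-run branch below is bounded by --cc */`, would stop a later "harmonising" edit from removing one of the two bounds and reintroducing the over-read. The `break` leaves `bp` and `cc` positioned on the truncated run, which is fine provided the `i != npixels` test that follows the inner loop is what reports the short strip; the same applies to the 32-bit decoder hunk at @@ -334. The enclosing function starts and ends outside the hunk.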
|
40 @@ -223,6 +229,7 @@ |
|
41 while (--cc && rc-- && i < npixels) |
|
42 tp[i++] |= (int16)*bp++ << shft; |
|
43 } |
|
44 + } |
|
45 if (i != npixels) { |
|
46 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) |
|
47 TIFFErrorExt(tif->tif_clientdata, module, |
|
48 @@ -268,13 +275,17 @@ |
|
49 if (sp->user_datafmt == SGILOGDATAFMT_RAW) |
|
50 tp = (uint32 *)op; |
|
51 else { |
|
52 - assert(sp->tbuflen >= npixels); |
|
53 + if(sp->tbuflen < npixels) { |
|
54 + TIFFErrorExt(tif->tif_clientdata, module, |
|
55 + "Translation buffer too short"); |
|
56 + return (0); |
|
57 + } |
|
58 tp = (uint32 *) sp->tbuf; |
|
59 } |
|
60 /* copy to array of uint32 */ |
|
61 bp = (unsigned char*) tif->tif_rawcp; |
|
62 cc = tif->tif_rawcc; |
|
63 - for (i = 0; i < npixels && cc > 0; i++) { |
|
64 + for (i = 0; i < npixels && cc >= 3; i++) { |
|
65 tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; |
|
66 bp += 3; |
|
67 cc -= 3; |
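Review bot: Changing the loop condition to `cc >= 3` stops the loop with one or two unread bytes when the raw strip does not end on a pixel boundary, and the hunk does not say what becomes of them; if the only diagnostic afterwards is an `i != npixels` test (it lies outside the hunk), a strip that is short by one or two bytes is reported, but a residue after the last complete pixel is silently ignored. A short comment on the loop, `/* one pixel per big-endian 3-byte triple; a trailing partial triple is never read */`, makes the new bound self-explanatory. The enclosing function starts and ends outside the hunk.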
|
68 @@ -325,7 +336,11 @@ |
|
69 if (sp->user_datafmt == SGILOGDATAFMT_RAW) |
|
70 tp = (uint32*) op; |
|
71 else { |
|
72 - assert(sp->tbuflen >= npixels); |
|
73 + if(sp->tbuflen < npixels) { |
|
74 + TIFFErrorExt(tif->tif_clientdata, module, |
|
75 + "Translation buffer too short"); |
|
76 + return (0); |
|
77 + } |
|
78 tp = (uint32*) sp->tbuf; |
|
79 } |
|
80 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); |
|
81 @@ -334,11 +349,13 @@ |
|
82 cc = tif->tif_rawcc; |
|
83 /* get each byte string */ |
|
84 for (shft = 4*8; (shft -= 8) >= 0; ) { |
|
85 - for (i = 0; i < npixels && cc > 0; ) |
|
86 + for (i = 0; i < npixels && cc > 0; ) { |
|
87 if (*bp >= 128) { /* run */ |
|
88 + if( cc < 2 ) |
|
89 + break; |
|
90 rc = *bp++ + (2-128); |
|
91 b = (uint32)*bp++ << shft; |
|
92 - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ |
|
93 + cc -= 2; |
|
94 while (rc-- && i < npixels) |
|
95 tp[i++] |= b; |
|
96 } else { /* non-run */ |
|
97 @@ -346,6 +363,7 @@ |
|
98 while (--cc && rc-- && i < npixels) |
|
99 tp[i++] |= (uint32)*bp++ << shft; |
|
100 } |
|
101 + } |
|
102 if (i != npixels) { |
|
103 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) |
|
104 TIFFErrorExt(tif->tif_clientdata, module, |
|
105 @@ -413,6 +431,7 @@ |
|
106 static int |
|
107 LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) |
|
108 { |
|
109 + static const char module[] = "LogL16Encode"; |
|
110 LogLuvState* sp = EncoderState(tif); |
|
111 int shft; |
|
112 tmsize_t i; |
|
113 @@ -433,7 +452,11 @@ |
|
114 tp = (int16*) bp; |
|
115 else { |
|
116 tp = (int16*) sp->tbuf; |
|
117 - assert(sp->tbuflen >= npixels); |
|
118 + if(sp->tbuflen < npixels) { |
|
119 + TIFFErrorExt(tif->tif_clientdata, module, |
|
120 + "Translation buffer too short"); |
|
121 + return (0); |
|
122 + } |
|
123 (*sp->tfunc)(sp, bp, npixels); |
|
124 } |
|
125 /* compress each byte string */ |
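Review bot: In the encoders the bound check is placed after `tp = (int16*) sp->tbuf;`, whereas the three decoder hunks test `tbuflen` before assigning `tp`; this is harmless, since `tp` is not used on the error path, but testing first at all six sites would read uniformly, and the same ordering recurs in the hunks at @@ -521 and @@ -574. The reason for the bound is the `(*sp->tfunc)(sp, bp, npixels)` call immediately after it, which presumably fills `tbuf` with `npixels` translated values; a comment on the check such as `/* tfunc below writes npixels entries into tbuf */` would tie the two lines together. LogL16Encode begins in the previous hunk and ends outside this one.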
|
126 @@ -506,6 +529,7 @@ |
|
127 static int |
|
128 LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) |
|
129 { |
|
130 + static const char module[] = "LogLuvEncode24"; |
|
131 LogLuvState* sp = EncoderState(tif); |
|
132 tmsize_t i; |
|
133 tmsize_t npixels; |
|
134 @@ -521,7 +545,11 @@ |
|
135 tp = (uint32*) bp; |
|
136 else { |
|
137 tp = (uint32*) sp->tbuf; |
|
138 - assert(sp->tbuflen >= npixels); |
|
139 + if(sp->tbuflen < npixels) { |
|
140 + TIFFErrorExt(tif->tif_clientdata, module, |
|
141 + "Translation buffer too short"); |
|
142 + return (0); |
|
143 + } |
|
144 (*sp->tfunc)(sp, bp, npixels); |
|
145 } |
|
146 /* write out encoded pixels */ |
|
147 @@ -553,6 +581,7 @@ |
|
148 static int |
|
149 LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) |
|
150 { |
|
151 + static const char module[] = "LogLuvEncode32"; |
|
152 LogLuvState* sp = EncoderState(tif); |
|
153 int shft; |
|
154 tmsize_t i; |
|
155 @@ -574,7 +603,11 @@ |
|
156 tp = (uint32*) bp; |
|
157 else { |
|
158 tp = (uint32*) sp->tbuf; |
|
159 - assert(sp->tbuflen >= npixels); |
|
160 + if(sp->tbuflen < npixels) { |
|
161 + TIFFErrorExt(tif->tif_clientdata, module, |
|
162 + "Translation buffer too short"); |
|
163 + return (0); |
|
164 + } |
|
165 (*sp->tfunc)(sp, bp, npixels); |
|
166 } |
|
167 /* compress each byte string */ |
|