1 diff -ruN tiff-3.7.4-old/tools/tiffsplit.c tiff-3.7.4/tools/tiffsplit.c
2 --- tiff-3.7.4-old/tools/tiffsplit.c 2005-05-26 20:38:48.000000000 +0200
3 +++ tiff-3.7.4/tools/tiffsplit.c 2006-06-01 16:00:11.000000000 +0200
8 - strcpy(fname, argv[2]);
9 + snprintf(fname, sizeof(fname), "%s", argv[2]);
10 in = TIFFOpen(argv[1], "r");
15 - strcpy(path, fname);
16 - strcat(path, ".tif");
17 + snprintf(path, sizeof(path), "%s.tif", fname);
18 out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
21 diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
22 --- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
23 +++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
26 static const char module[] = "_TIFFVSetField";
28 + const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
29 TIFFDirectory* td = &tif->tif_dir;
34 case TIFFTAG_ORIENTATION:
35 v = va_arg(ap, uint32);
36 + const TIFFFieldInfo* fip;
37 if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
38 + fip = _TIFFFieldWithTag(tif, tag);
39 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
40 "Bad value %lu for \"%s\" tag ignored",
41 - v, _TIFFFieldWithTag(tif, tag)->field_name);
42 + v, fip ? fip->field_name : "Unknown");
44 td->td_orientation = (uint16) v;
47 * happens, for example, when tiffcp is used to convert between
48 * compression schemes and codec-specific tags are blindly copied.
51 + * better not dereference fip if it is NULL.
52 + * -- taviso@google.com 15 Jun 2006
54 if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
55 TIFFErrorExt(tif->tif_clientdata, module,
56 "%s: Invalid %stag \"%s\" (not supported by codec)",
57 tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
58 - _TIFFFieldWithTag(tif, tag)->field_name);
59 + fip ? fip->field_name : "Unknown");
64 if (fip->field_type == TIFF_ASCII)
65 _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
67 - tv->value = _TIFFmalloc(tv_size * tv->count);
68 + tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
76 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
77 + TIFFSetFieldBit(tif, fip->field_bit);
78 tif->tif_flags |= TIFF_DIRTYDIRECT;
84 TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
85 - tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
86 + tif->tif_name, v, fip ? fip->field_name : "Unknown");
90 TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
91 - tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
92 + tif->tif_name, v32, fip ? fip->field_name : "Unknown");
97 * If the client tries to get a tag that is not valid
98 * for the image's codec then we'll arrive here.
101 + * dont dereference fip if it's NULL.
102 + * -- taviso@google.com 15 Jun 2006
104 if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
106 TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
107 "%s: Invalid %stag \"%s\" (not supported by codec)",
108 tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
109 - _TIFFFieldWithTag(tif, tag)->field_name);
110 + fip ? fip->field_name : "Unknown");
114 diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
115 --- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
116 +++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
118 TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
119 "Internal error, unknown tag 0x%x",
121 - assert(fip != NULL);
122 + /* assert(fip != NULL); */
129 TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
130 "Internal error, unknown tag %s", field_name);
131 - assert(fip != NULL);
132 + /* assert(fip != NULL); */
137 diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
138 --- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
139 +++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
142 * Directory Read Support Routines.
149 #define IGNORE 0 /* tag placeholder used below */
153 int diroutoforderwarning = 0;
154 + int compressionknown = 0;
157 tif->tif_diroff = tif->tif_nextdiroff;
158 @@ -147,13 +151,20 @@
160 toff_t off = tif->tif_diroff;
162 - if (off + sizeof (uint16) > tif->tif_size) {
163 - TIFFErrorExt(tif->tif_clientdata, module,
164 - "%s: Can not read TIFF directory count",
168 + * Check for integer overflow when validating the dir_off, otherwise
169 + * a very high offset may cause an OOB read and crash the client.
170 + * -- taviso@google.com, 14 Jun 2006.
172 + if (off + sizeof (uint16) > tif->tif_size ||
173 + off > (UINT_MAX - sizeof(uint16))) {
174 + TIFFErrorExt(tif->tif_clientdata, module,
175 + "%s: Can not read TIFF directory count",
179 - _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
180 + _TIFFmemcpy(&dircount, tif->tif_base + off,
182 off += sizeof (uint16);
183 if (tif->tif_flags & TIFF_SWAB)
184 TIFFSwabShort(&dircount);
186 while (fix < tif->tif_nfields &&
187 tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
190 if (fix >= tif->tif_nfields ||
191 tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
193 @@ -264,17 +276,23 @@
198 - TIFFMergeFieldInfo(tif,
199 - _TIFFCreateAnonFieldInfo(tif,
201 - (TIFFDataType) dp->tdir_type),
204 + * creating anonymous fields prior to knowing the compression
205 + * algorithm (ie, when the field info has been merged) could cause
206 + * crashes with pathological directories.
207 + * -- taviso@google.com 15 Jun 2006
209 + if (compressionknown)
210 + TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
211 + (TIFFDataType) dp->tdir_type), 1 );
215 while (fix < tif->tif_nfields &&
216 tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
221 * Null out old tags that we ignore.
224 dp->tdir_type, dp->tdir_offset);
225 if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
227 + else compressionknown++;
229 /* XXX: workaround for broken TIFFs */
230 } else if (dp->tdir_type == TIFF_LONG) {
232 * Attempt to deal with a missing StripByteCounts tag.
234 if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
235 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
237 * Some manufacturers violate the spec by not giving
238 * the size of the strips. In this case, assume there
240 "%s: TIFF directory is missing required "
241 "\"%s\" field, calculating from imagelength",
243 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
244 + fip ? fip->field_name : "Unknown");
245 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
249 } else if (td->td_nstrips == 1
250 && td->td_stripoffset[0] != 0
251 && BYTECOUNTLOOKSBAD) {
252 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
254 * XXX: Plexus (and others) sometimes give a value of zero for
255 * a tag when they don't know what the correct value is! Try
256 @@ -589,13 +610,14 @@
257 TIFFWarningExt(tif->tif_clientdata, module,
258 "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
260 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
261 + fip ? fip->field_name : "Unknown");
262 if(EstimateStripByteCounts(tif, dir, dircount) < 0)
264 } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
265 && td->td_nstrips > 2
266 && td->td_compression == COMPRESSION_NONE
267 && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
268 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
270 * XXX: Some vendors fill StripByteCount array with absolutely
271 * wrong values (it can be equal to StripOffset array, for
273 TIFFWarningExt(tif->tif_clientdata, module,
274 "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
276 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
277 + fip ? fip->field_name : "Unknown");
278 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
283 register TIFFDirEntry *dp;
284 register TIFFDirectory *td = &tif->tif_dir;
287 + /* i is used to iterate over td->td_nstrips, so must be
288 + * at least the same width.
289 + * -- taviso@google.com 15 Jun 2006
294 if (td->td_stripbytecount)
295 _TIFFfree(td->td_stripbytecount);
296 @@ -947,16 +975,18 @@
298 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
300 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
302 if (count > dir->tdir_count) {
303 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
304 "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
305 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
306 + fip ? fip->field_name : "Unknown",
307 dir->tdir_count, count);
309 } else if (count < dir->tdir_count) {
310 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
311 "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
312 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
313 + fip ? fip->field_name : "Unknown",
314 dir->tdir_count, count);
318 TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
320 int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
321 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
322 tsize_t cc = dir->tdir_count * w;
324 /* Check for overflow. */
325 @@ -1013,7 +1044,7 @@
327 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
328 "Error fetching data for field \"%s\"",
329 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
330 + fip ? fip->field_name : "Unknown");
334 @@ -1039,10 +1070,12 @@
336 cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
338 + const TIFFFieldInfo* fip;
340 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
341 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
342 "%s: Rational with zero denominator (num = %lu)",
343 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
344 + fip ? fip->field_name : "Unknown", num);
347 if (dir->tdir_type == TIFF_RATIONAL)
348 @@ -1159,6 +1192,20 @@
350 TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
353 + * Prevent overflowing the v stack arrays below by performing a sanity
354 + * check on tdir_count, this should never be greater than two.
355 + * -- taviso@google.com 14 Jun 2006.
357 + if (dir->tdir_count > 2) {
358 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
359 + TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
360 + "unexpected count for field \"%s\", %lu, expected 2; ignored.",
361 + fip ? fip->field_name : "Unknown",
366 switch (dir->tdir_type) {
369 @@ -1329,14 +1376,15 @@
371 return (TIFFFetchDoubleArray(tif, dir, (double*) v));
373 + { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
377 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
378 "cannot read TIFF_ANY type %d for field \"%s\"",
380 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
382 + fip ? fip->field_name : "Unknown");
387 @@ -1351,6 +1399,9 @@
389 const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
394 if (dp->tdir_count > 1) { /* array of values */
397 @@ -1493,6 +1544,7 @@
398 TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
400 uint16 samples = tif->tif_dir.td_samplesperpixel;
401 + const TIFFFieldInfo* fip;
404 if (CheckDirCount(tif, dir, (uint32) samples)) {
405 @@ -1510,9 +1562,10 @@
407 for (i = 1; i < check_count; i++)
409 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
410 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
411 "Cannot handle different per-sample values for field \"%s\"",
412 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
413 + fip ? fip->field_name : "Unknown");
417 @@ -1534,6 +1587,7 @@
418 TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
420 uint16 samples = tif->tif_dir.td_samplesperpixel;
421 + const TIFFFieldInfo* fip;
424 if (CheckDirCount(tif, dir, (uint32) samples)) {
425 @@ -1551,9 +1605,10 @@
426 check_count = samples;
427 for (i = 1; i < check_count; i++)
429 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
430 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
431 "Cannot handle different per-sample values for field \"%s\"",
432 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
433 + fip ? fip->field_name : "Unknown");
437 @@ -1574,6 +1629,7 @@
438 TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
440 uint16 samples = tif->tif_dir.td_samplesperpixel;
441 + const TIFFFieldInfo* fip;
444 if (CheckDirCount(tif, dir, (uint32) samples)) {
445 @@ -1591,9 +1647,10 @@
447 for (i = 1; i < check_count; i++)
449 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
450 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
451 "Cannot handle different per-sample values for field \"%s\"",
452 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
453 + fip ? fip->field_name : "Unknown");
457 diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
458 --- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
459 +++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
460 @@ -1136,6 +1136,7 @@
461 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
463 Fax3BaseState* sp = Fax3State(tif);
464 + const TIFFFieldInfo* fip;
467 assert(sp->vsetparent != 0);
468 @@ -1181,7 +1182,13 @@
470 return (*sp->vsetparent)(tif, tag, ap);
472 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
474 + if ((fip = _TIFFFieldWithTag(tif, tag))) {
475 + TIFFSetFieldBit(tif, fip->field_bit);
480 tif->tif_flags |= TIFF_DIRTYDIRECT;
483 diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
484 --- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
485 +++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
486 @@ -722,15 +722,31 @@
487 segment_width = TIFFhowmany(segment_width, sp->h_sampling);
488 segment_height = TIFFhowmany(segment_height, sp->v_sampling);
490 - if (sp->cinfo.d.image_width != segment_width ||
491 - sp->cinfo.d.image_height != segment_height) {
492 + if (sp->cinfo.d.image_width < segment_width ||
493 + sp->cinfo.d.image_height < segment_height) {
494 TIFFWarningExt(tif->tif_clientdata, module,
495 "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
498 sp->cinfo.d.image_width,
499 sp->cinfo.d.image_height);
502 + if (sp->cinfo.d.image_width > segment_width ||
503 + sp->cinfo.d.image_height > segment_height) {
505 + * This case could be dangerous, if the strip or tile size has been
506 + * reported as less than the amount of data jpeg will return, some
507 + * potential security issues arise. Catch this case and error out.
508 + * -- taviso@google.com 14 Jun 2006
510 + TIFFErrorExt(tif->tif_clientdata, module,
511 + "JPEG strip/tile size exceeds expected dimensions,"
512 + "expected %dx%d, got %dx%d", segment_width, segment_height,
513 + sp->cinfo.d.image_width, sp->cinfo.d.image_height);
517 if (sp->cinfo.d.num_components !=
518 (td->td_planarconfig == PLANARCONFIG_CONTIG ?
519 td->td_samplesperpixel : 1)) {
521 sp->cinfo.d.comp_info[0].v_samp_factor,
522 sp->h_sampling, sp->v_sampling);
525 + * There are potential security issues here for decoders that
526 + * have already allocated buffers based on the expected sampling
527 + * factors. Lets check the sampling factors dont exceed what
528 + * we were expecting.
529 + * -- taviso@google.com 14 June 2006
531 + if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
532 + sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
533 + TIFFErrorExt(tif->tif_clientdata, module,
534 + "Cannot honour JPEG sampling factors that"
535 + " exceed those specified.");
541 * XXX: Files written by the Intergraph software
542 * has different sampling factors stored in the
543 @@ -1521,15 +1553,18 @@
545 JPEGState *sp = JState(tif);
548 + /* assert(sp != 0); */
550 tif->tif_tagmethods.vgetfield = sp->vgetparent;
551 tif->tif_tagmethods.vsetfield = sp->vsetparent;
553 - if( sp->cinfo_initialized )
554 - TIFFjpeg_destroy(sp); /* release libjpeg resources */
555 - if (sp->jpegtables) /* tag value */
556 - _TIFFfree(sp->jpegtables);
558 + if( sp->cinfo_initialized )
559 + TIFFjpeg_destroy(sp); /* release libjpeg resources */
560 + if (sp->jpegtables) /* tag value */
561 + _TIFFfree(sp->jpegtables);
564 _TIFFfree(tif->tif_data); /* release local state */
565 tif->tif_data = NULL;
567 @@ -1541,6 +1576,7 @@
569 JPEGState* sp = JState(tif);
570 TIFFDirectory* td = &tif->tif_dir;
571 + const TIFFFieldInfo* fip;
575 @@ -1606,7 +1642,13 @@
577 return (*sp->vsetparent)(tif, tag, ap);
579 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
581 + if ((fip = _TIFFFieldWithTag(tif, tag))) {
582 + TIFFSetFieldBit(tif, fip->field_bit);
587 tif->tif_flags |= TIFF_DIRTYDIRECT;
590 @@ -1726,7 +1768,11 @@
592 JPEGState* sp = JState(tif);
594 - assert(sp != NULL);
595 + /* assert(sp != NULL); */
597 + TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
602 if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
603 diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
604 --- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
605 +++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
606 @@ -105,11 +105,16 @@
607 * as codes of the form <color><npixels>
608 * until we've filled the scanline.
611 + * Ensure the run does not exceed the scanline
612 + * bounds, potentially resulting in a security issue.
613 + * -- taviso@google.com 14 Jun 2006.
620 + while (n-- > 0 && npixels < imagewidth)
622 if (npixels >= (int) imagewidth)
624 diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
625 --- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
626 +++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
628 if (tif->tif_flags & TIFF_SWAB)
629 TIFFSwabArrayOfShort(up, nsamples);
631 - for (i = 0; i < nsamples; i += llen, up += llen) {
633 + * if llen is not an exact multiple of nsamples, the decode operation
634 + * may overflow the output buffer, so truncate it enough to prevent that
635 + * but still salvage as much data as possible.
636 + * -- taviso@google.com 14th June 2006
638 + if (nsamples % llen)
639 + TIFFWarningExt(tif->tif_clientdata, module,
640 + "%s: stride %lu is not a multiple of sample count, "
641 + "%lu, data truncated.", tif->tif_name, llen, nsamples);
644 + for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
645 switch (sp->user_datafmt) {
646 case PIXARLOGDATAFMT_FLOAT:
647 horizontalAccumulateF(up, llen, sp->stride,
648 diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
649 --- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
650 +++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
657 int TIFFFillStrip(TIFF*, tstrip_t);
658 int TIFFFillTile(TIFF*, ttile_t);
659 static int TIFFStartStrip(TIFF*, tstrip_t);
661 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
662 _TIFFfree(tif->tif_rawdata);
663 tif->tif_flags &= ~TIFF_MYBUFFER;
664 - if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
666 + * This sanity check could potentially overflow, causing an OOB read.
667 + * verify that offset + bytecount is > offset.
668 + * -- taviso@google.com 14 Jun 2006
670 + if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
671 + bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
673 * This error message might seem strange, but it's
674 * what would happen if a read were done instead.
676 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
677 _TIFFfree(tif->tif_rawdata);
678 tif->tif_flags &= ~TIFF_MYBUFFER;
679 - if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
681 + * We must check this calculation doesnt overflow, potentially
682 + * causing an OOB read.
683 + * -- taviso@google.com 15 Jun 2006
685 + if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
686 + bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
687 tif->tif_curtile = NOTILE;