- fixes for: CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, AC-branch AC-STABLE auto/ac/libtiff-3_8_2-3 auto/th/libtiff-3_8_2-3 auto/th/libtiff-3_8_2-4 auto/th/libtiff-3_8_2-5 auto/th/libtiff-3_8_2-6 auto/ti/libtiff-3_8_2-5
authorAdam Gołębiowski <adamg@pld-linux.org>
Sun, 6 Aug 2006 20:06:00 +0000 (20:06 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
  CVE-2006-3463, CVE-2006-3464, CVE-2006-346

Changed files:
    libtiff-sec.patch -> 1.2

libtiff-sec.patch

index 5422e74..da335d3 100644 (file)
@@ -18,3 +18,672 @@ diff -ruN tiff-3.7.4-old/tools/tiffsplit.c tiff-3.7.4/tools/tiffsplit.c
                        out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
                        if (out == NULL)
                                return (-2);
+diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
+--- tiff-3.8.2/libtiff/tif_dir.c       2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dir.c   2006-07-14 13:52:01.027562000 +0100
+@@ -122,6 +122,7 @@
+ {
+       static const char module[] = "_TIFFVSetField";
+       
++      const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+       TIFFDirectory* td = &tif->tif_dir;
+       int status = 1;
+       uint32 v32, i, v;
+@@ -195,10 +196,12 @@
+               break;
+       case TIFFTAG_ORIENTATION:
+               v = va_arg(ap, uint32);
++              const TIFFFieldInfo* fip;
+               if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++                      fip = _TIFFFieldWithTag(tif, tag);
+                       TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+                           "Bad value %lu for \"%s\" tag ignored",
+-                          v, _TIFFFieldWithTag(tif, tag)->field_name);
++                          v, fip ? fip->field_name : "Unknown");
+               } else
+                       td->td_orientation = (uint16) v;
+               break;
+@@ -387,11 +390,15 @@
+            * happens, for example, when tiffcp is used to convert between
+            * compression schemes and codec-specific tags are blindly copied.
+              */
++          /* 
++           * better not dereference fip if it is NULL.
++           * -- taviso@google.com 15 Jun 2006
++           */
+             if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+               TIFFErrorExt(tif->tif_clientdata, module,
+                   "%s: Invalid %stag \"%s\" (not supported by codec)",
+                   tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+-                  _TIFFFieldWithTag(tif, tag)->field_name);
++                  fip ? fip->field_name : "Unknown");
+               status = 0;
+               break;
+             }
+@@ -468,7 +475,7 @@
+           if (fip->field_type == TIFF_ASCII)
+                   _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+           else {
+-                tv->value = _TIFFmalloc(tv_size * tv->count);
++                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
+               if (!tv->value) {
+                   status = 0;
+                   goto end;
+@@ -563,7 +570,7 @@
+           }
+       }
+       if (status) {
+-              TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++              TIFFSetFieldBit(tif, fip->field_bit);
+               tif->tif_flags |= TIFF_DIRTYDIRECT;
+       }
+@@ -572,12 +579,12 @@
+       return (status);
+ badvalue:
+       TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+-                tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++                tif->tif_name, v, fip ? fip->field_name : "Unknown");
+       va_end(ap);
+       return (0);
+ badvalue32:
+       TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
+-                 tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++                 tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+       va_end(ap);
+       return (0);
+ }
+@@ -813,12 +820,16 @@
+              * If the client tries to get a tag that is not valid
+              * for the image's codec then we'll arrive here.
+              */
++          /*
++           * dont dereference fip if it's NULL.
++           * -- taviso@google.com 15 Jun 2006
++           */
+             if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+             {
+                               TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
+                           "%s: Invalid %stag \"%s\" (not supported by codec)",
+                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+-                          _TIFFFieldWithTag(tif, tag)->field_name);
++                          fip ? fip->field_name : "Unknown");
+                 ret_val = 0;
+                 break;
+             }
+diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
+--- tiff-3.8.2/libtiff/tif_dirinfo.c   2006-02-07 13:51:03.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c       2006-07-14 13:52:00.953558000 +0100
+@@ -775,7 +775,8 @@
+               TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+                         "Internal error, unknown tag 0x%x",
+                           (unsigned int) tag);
+-              assert(fip != NULL);
++              /* assert(fip != NULL); */
++
+               /*NOTREACHED*/
+       }
+       return (fip);
+@@ -789,7 +790,8 @@
+       if (!fip) {
+               TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+                         "Internal error, unknown tag %s", field_name);
+-              assert(fip != NULL);
++              /* assert(fip != NULL); */
++              
+               /*NOTREACHED*/
+       }
+       return (fip);
+diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
+--- tiff-3.8.2/libtiff/tif_dirread.c   2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirread.c       2006-07-14 13:52:00.842557000 +0100
+@@ -29,6 +29,9 @@
+  *
+  * Directory Read Support Routines.
+  */
++
++#include <limits.h>
++
+ #include "tiffiop.h"
+ #define       IGNORE  0               /* tag placeholder used below */
+@@ -81,6 +84,7 @@
+       uint16 dircount;
+       toff_t nextdiroff;
+       int diroutoforderwarning = 0;
++      int compressionknown = 0;
+       toff_t* new_dirlist;
+       tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +151,20 @@
+       } else {
+               toff_t off = tif->tif_diroff;
+-              if (off + sizeof (uint16) > tif->tif_size) {
+-                      TIFFErrorExt(tif->tif_clientdata, module,
+-                          "%s: Can not read TIFF directory count",
+-                            tif->tif_name);
+-                      return (0);
++              /*
++               * Check for integer overflow when validating the dir_off, otherwise
++               * a very high offset may cause an OOB read and crash the client.
++               * -- taviso@google.com, 14 Jun 2006.
++               */
++              if (off + sizeof (uint16) > tif->tif_size || 
++                      off > (UINT_MAX - sizeof(uint16))) {
++                              TIFFErrorExt(tif->tif_clientdata, module,
++                                  "%s: Can not read TIFF directory count",
++                                  tif->tif_name);
++                              return (0);
+               } else
+-                      _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
++                      _TIFFmemcpy(&dircount, tif->tif_base + off,
++                                      sizeof (uint16));
+               off += sizeof (uint16);
+               if (tif->tif_flags & TIFF_SWAB)
+                       TIFFSwabShort(&dircount);
+@@ -254,6 +265,7 @@
+               while (fix < tif->tif_nfields &&
+                      tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+                       fix++;
++
+               if (fix >= tif->tif_nfields ||
+                   tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+@@ -264,17 +276,23 @@
+                                                      dp->tdir_tag,
+                                                      dp->tdir_tag,
+                                                      dp->tdir_type);
+-
+-                    TIFFMergeFieldInfo(tif,
+-                                       _TIFFCreateAnonFieldInfo(tif,
+-                                              dp->tdir_tag,
+-                                              (TIFFDataType) dp->tdir_type),
+-                                     1 );
++                                      /*
++                                       * creating anonymous fields prior to knowing the compression
++                                       * algorithm (ie, when the field info has been merged) could cause
++                                       * crashes with pathological directories.
++                                       * -- taviso@google.com 15 Jun 2006
++                                       */
++                                      if (compressionknown)
++                                          TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
++                                              (TIFFDataType) dp->tdir_type), 1 );
++                                      else goto ignore;
++                  
+                     fix = 0;
+                     while (fix < tif->tif_nfields &&
+                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+                       fix++;
+               }
++              
+               /*
+                * Null out old tags that we ignore.
+                */
+@@ -326,6 +344,7 @@
+                                   dp->tdir_type, dp->tdir_offset);
+                               if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+                                       goto bad;
++                              else compressionknown++;
+                               break;
+                       /* XXX: workaround for broken TIFFs */
+                       } else if (dp->tdir_type == TIFF_LONG) {
+@@ -540,6 +559,7 @@
+        * Attempt to deal with a missing StripByteCounts tag.
+        */
+       if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+               /*
+                * Some manufacturers violate the spec by not giving
+                * the size of the strips.  In this case, assume there
+@@ -556,7 +576,7 @@
+                       "%s: TIFF directory is missing required "
+                       "\"%s\" field, calculating from imagelength",
+                       tif->tif_name,
+-                      _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++                      fip ? fip->field_name : "Unknown");
+               if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+                   goto bad;
+ /* 
+@@ -580,6 +600,7 @@
+       } else if (td->td_nstrips == 1 
+                    && td->td_stripoffset[0] != 0 
+                    && BYTECOUNTLOOKSBAD) {
++              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+               /*
+                * XXX: Plexus (and others) sometimes give a value of zero for
+                * a tag when they don't know what the correct value is!  Try
+@@ -589,13 +610,14 @@
+               TIFFWarningExt(tif->tif_clientdata, module,
+       "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+                             tif->tif_name,
+-                          _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++                          fip ? fip->field_name : "Unknown");
+               if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+                   goto bad;
+       } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+                  && td->td_nstrips > 2
+                  && td->td_compression == COMPRESSION_NONE
+                  && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+               /*
+                * XXX: Some vendors fill StripByteCount array with absolutely
+                * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +626,7 @@
+               TIFFWarningExt(tif->tif_clientdata, module,
+       "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+                             tif->tif_name,
+-                          _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++                          fip ? fip->field_name : "Unknown");
+               if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+                   goto bad;
+       }
+@@ -870,7 +892,13 @@
+       register TIFFDirEntry *dp;
+       register TIFFDirectory *td = &tif->tif_dir;
+-      uint16 i;
++      
++      /* i is used to iterate over td->td_nstrips, so must be
++       * at least the same width.
++       * -- taviso@google.com 15 Jun 2006
++       */
++
++      uint32 i;
+       if (td->td_stripbytecount)
+               _TIFFfree(td->td_stripbytecount);
+@@ -947,16 +975,18 @@
+ static int
+ CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
+ {
++      const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++
+       if (count > dir->tdir_count) {
+               TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+       "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
+-                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++                  fip ? fip->field_name : "Unknown",
+                   dir->tdir_count, count);
+               return (0);
+       } else if (count < dir->tdir_count) {
+               TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+       "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
+-                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++                  fip ? fip->field_name : "Unknown",
+                   dir->tdir_count, count);
+               return (1);
+       }
+@@ -970,6 +1000,7 @@
+ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
+ {
+       int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
++      const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+       tsize_t cc = dir->tdir_count * w;
+       /* Check for overflow. */
+@@ -1013,7 +1044,7 @@
+ bad:
+       TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                    "Error fetching data for field \"%s\"",
+-                   _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                   fip ? fip->field_name : "Unknown");
+       return (tsize_t) 0;
+ }
+@@ -1039,10 +1070,12 @@
+ static int
+ cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
+ {
++      const TIFFFieldInfo* fip;
+       if (denom == 0) {
++              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                   "%s: Rational with zero denominator (num = %lu)",
+-                  _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
++                  fip ? fip->field_name : "Unknown", num);
+               return (0);
+       } else {
+               if (dir->tdir_type == TIFF_RATIONAL)
+@@ -1159,6 +1192,20 @@
+ static int
+ TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
+ {
++      /*
++       * Prevent overflowing the v stack arrays below by performing a sanity
++       * check on tdir_count, this should never be greater than two.
++       * -- taviso@google.com 14 Jun 2006.
++       */
++      if (dir->tdir_count > 2) {
++              const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++              TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
++                              "unexpected count for field \"%s\", %lu, expected 2; ignored.",
++                              fip ? fip->field_name : "Unknown",
++                              dir->tdir_count);
++              return 0;
++      }
++
+       switch (dir->tdir_type) {
+               case TIFF_BYTE:
+               case TIFF_SBYTE:
+@@ -1329,14 +1376,15 @@
+       case TIFF_DOUBLE:
+               return (TIFFFetchDoubleArray(tif, dir, (double*) v));
+       default:
++              { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+               /* TIFF_NOTYPE */
+               /* TIFF_ASCII */
+               /* TIFF_UNDEFINED */
+               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                            "cannot read TIFF_ANY type %d for field \"%s\"",
+                            dir->tdir_type,
+-                           _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+-              return (0);
++                           fip ? fip->field_name : "Unknown");
++              return (0); }
+       }
+       return (1);
+ }
+@@ -1351,6 +1399,9 @@
+       int ok = 0;
+       const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
++      if (fip == NULL) {
++              return (0);
++      }
+       if (dp->tdir_count > 1) {               /* array of values */
+               char* cp = NULL;
+@@ -1493,6 +1544,7 @@
+ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1510,9 +1562,10 @@
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++                              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+                                       TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+@@ -1534,6 +1587,7 @@
+ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1551,9 +1605,10 @@
+                 check_count = samples;
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++                              fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+                                       TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+@@ -1574,6 +1629,7 @@
+ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
+ {
+     uint16 samples = tif->tif_dir.td_samplesperpixel;
++    const TIFFFieldInfo* fip;
+     int status = 0;
+     if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1591,9 +1647,10 @@
+             for (i = 1; i < check_count; i++)
+                 if (v[i] != v[0]) {
++                  fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+                     TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                               "Cannot handle different per-sample values for field \"%s\"",
+-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++                              fip ? fip->field_name : "Unknown");
+                     goto bad;
+                 }
+             *pl = v[0];
+diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
+--- tiff-3.8.2/libtiff/tif_fax3.c      2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_fax3.c  2006-07-14 13:52:00.669557000 +0100
+@@ -1136,6 +1136,7 @@
+ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
+ {
+       Fax3BaseState* sp = Fax3State(tif);
++      const TIFFFieldInfo* fip;
+       assert(sp != 0);
+       assert(sp->vsetparent != 0);
+@@ -1181,7 +1182,13 @@
+       default:
+               return (*sp->vsetparent)(tif, tag, ap);
+       }
+-      TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++      
++      if ((fip = _TIFFFieldWithTag(tif, tag))) {
++              TIFFSetFieldBit(tif, fip->field_bit);
++      } else {
++              return (0);
++      }
++
+       tif->tif_flags |= TIFF_DIRTYDIRECT;
+       return (1);
+ }
+diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
+--- tiff-3.8.2/libtiff/tif_jpeg.c      2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c  2006-07-14 13:52:00.655560000 +0100
+@@ -722,15 +722,31 @@
+               segment_width = TIFFhowmany(segment_width, sp->h_sampling);
+               segment_height = TIFFhowmany(segment_height, sp->v_sampling);
+       }
+-      if (sp->cinfo.d.image_width != segment_width ||
+-          sp->cinfo.d.image_height != segment_height) {
++      if (sp->cinfo.d.image_width < segment_width ||
++          sp->cinfo.d.image_height < segment_height) {
+               TIFFWarningExt(tif->tif_clientdata, module,
+                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
+                           segment_width, 
+                           segment_height,
+                           sp->cinfo.d.image_width, 
+                           sp->cinfo.d.image_height);
++      } 
++      
++      if (sp->cinfo.d.image_width > segment_width ||
++                      sp->cinfo.d.image_height > segment_height) {
++              /*
++               * This case could be dangerous, if the strip or tile size has been
++               * reported as less than the amount of data jpeg will return, some
++               * potential security issues arise. Catch this case and error out.
++               * -- taviso@google.com 14 Jun 2006
++               */
++              TIFFErrorExt(tif->tif_clientdata, module, 
++                      "JPEG strip/tile size exceeds expected dimensions,"
++                      "expected %dx%d, got %dx%d", segment_width, segment_height,
++                      sp->cinfo.d.image_width, sp->cinfo.d.image_height);
++              return (0);
+       }
++
+       if (sp->cinfo.d.num_components !=
+           (td->td_planarconfig == PLANARCONFIG_CONTIG ?
+            td->td_samplesperpixel : 1)) {
+@@ -761,6 +777,22 @@
+                                     sp->cinfo.d.comp_info[0].v_samp_factor,
+                                     sp->h_sampling, sp->v_sampling);
++                              /*
++                               * There are potential security issues here for decoders that
++                               * have already allocated buffers based on the expected sampling
++                               * factors. Lets check the sampling factors dont exceed what
++                               * we were expecting.
++                               * -- taviso@google.com 14 June 2006
++                               */
++                              if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
++                                      sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
++                                              TIFFErrorExt(tif->tif_clientdata, module,
++                                                      "Cannot honour JPEG sampling factors that"
++                                                      " exceed those specified.");
++                                              return (0);
++                              }
++
++
+                           /*
+                            * XXX: Files written by the Intergraph software
+                            * has different sampling factors stored in the
+@@ -1521,15 +1553,18 @@
+ {
+       JPEGState *sp = JState(tif);
+       
+-      assert(sp != 0);
++      /* assert(sp != 0); */
+       tif->tif_tagmethods.vgetfield = sp->vgetparent;
+       tif->tif_tagmethods.vsetfield = sp->vsetparent;
+-      if( sp->cinfo_initialized )
+-          TIFFjpeg_destroy(sp);       /* release libjpeg resources */
+-      if (sp->jpegtables)             /* tag value */
+-              _TIFFfree(sp->jpegtables);
++      if (sp != NULL) {
++              if( sp->cinfo_initialized )
++                  TIFFjpeg_destroy(sp);       /* release libjpeg resources */
++              if (sp->jpegtables)             /* tag value */
++                      _TIFFfree(sp->jpegtables);
++      }
++
+       _TIFFfree(tif->tif_data);       /* release local state */
+       tif->tif_data = NULL;
+@@ -1541,6 +1576,7 @@
+ {
+       JPEGState* sp = JState(tif);
+       TIFFDirectory* td = &tif->tif_dir;
++      const TIFFFieldInfo* fip;
+       uint32 v32;
+       assert(sp != NULL);
+@@ -1606,7 +1642,13 @@
+       default:
+               return (*sp->vsetparent)(tif, tag, ap);
+       }
+-      TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++      if ((fip = _TIFFFieldWithTag(tif, tag))) {
++              TIFFSetFieldBit(tif, fip->field_bit);
++      } else {
++              return (0);
++      }
++
+       tif->tif_flags |= TIFF_DIRTYDIRECT;
+       return (1);
+ }
+@@ -1726,7 +1768,11 @@
+ {
+       JPEGState* sp = JState(tif);
+-      assert(sp != NULL);
++      /* assert(sp != NULL); */
++      if (sp == NULL) {
++              TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
++              return;
++      }
+       (void) flags;
+       if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
+diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
+--- tiff-3.8.2/libtiff/tif_next.c      2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_next.c  2006-07-14 13:52:00.556567000 +0100
+@@ -105,11 +105,16 @@
+                        * as codes of the form <color><npixels>
+                        * until we've filled the scanline.
+                        */
++                      /*
++                       * Ensure the run does not exceed the scanline
++                       * bounds, potentially resulting in a security issue.
++                       * -- taviso@google.com 14 Jun 2006.
++                       */
+                       op = row;
+                       for (;;) {
+                               grey = (n>>6) & 0x3;
+                               n &= 0x3f;
+-                              while (n-- > 0)
++                              while (n-- > 0 && npixels < imagewidth)
+                                       SETPIXEL(op, grey);
+                               if (npixels >= (int) imagewidth)
+                                       break;
+diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
+--- tiff-3.8.2/libtiff/tif_pixarlog.c  2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c      2006-07-14 13:52:00.483557000 +0100
+@@ -768,7 +768,19 @@
+       if (tif->tif_flags & TIFF_SWAB)
+               TIFFSwabArrayOfShort(up, nsamples);
+-      for (i = 0; i < nsamples; i += llen, up += llen) {
++      /* 
++       * if llen is not an exact multiple of nsamples, the decode operation
++       * may overflow the output buffer, so truncate it enough to prevent that
++       * but still salvage as much data as possible.
++       * -- taviso@google.com 14th June 2006
++       */
++      if (nsamples % llen) 
++              TIFFWarningExt(tif->tif_clientdata, module,
++                              "%s: stride %lu is not a multiple of sample count, "
++                              "%lu, data truncated.", tif->tif_name, llen, nsamples);
++                              
++      
++      for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+               switch (sp->user_datafmt)  {
+               case PIXARLOGDATAFMT_FLOAT:
+                       horizontalAccumulateF(up, llen, sp->stride,
+diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
+--- tiff-3.8.2/libtiff/tif_read.c      2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_read.c  2006-07-14 13:52:00.467568000 +0100
+@@ -31,6 +31,8 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
++
+       int TIFFFillStrip(TIFF*, tstrip_t);
+       int TIFFFillTile(TIFF*, ttile_t);
+ static        int TIFFStartStrip(TIFF*, tstrip_t);
+@@ -272,7 +274,13 @@
+               if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+                       _TIFFfree(tif->tif_rawdata);
+               tif->tif_flags &= ~TIFF_MYBUFFER;
+-              if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++              /*
++               * This sanity check could potentially overflow, causing an OOB read.
++               * verify that offset + bytecount is > offset.
++               * -- taviso@google.com 14 Jun 2006
++               */
++              if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++                      bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
+                       /*
+                        * This error message might seem strange, but it's
+                        * what would happen if a read were done instead.
+@@ -470,7 +478,13 @@
+               if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+                       _TIFFfree(tif->tif_rawdata);
+               tif->tif_flags &= ~TIFF_MYBUFFER;
+-              if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++              /*
++               * We must check this calculation doesnt overflow, potentially
++               * causing an OOB read.
++               * -- taviso@google.com 15 Jun 2006
++               */
++              if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++                      bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
+                       tif->tif_curtile = NOTILE;
+                       return (0);
+               }
This page took 0.069614 seconds and 4 git commands to generate.