From: Adam Gołębiowski Date: Sun, 6 Aug 2006 20:06:00 +0000 (+0000) Subject: - fixes for: CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, X-Git-Tag: AC-STABLE X-Git-Url: http://git.pld-linux.org/?p=packages%2Fcrossmingw32-libtiff.git;a=commitdiff_plain;h=6a63362fb563b2a54632831242801c759d986c35 - fixes for: CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-346 Changed files: libtiff-sec.patch -> 1.2 --- diff --git a/libtiff-sec.patch b/libtiff-sec.patch index 5422e74..da335d3 100644 --- a/libtiff-sec.patch +++ b/libtiff-sec.patch @@ -18,3 +18,672 @@ diff -ruN tiff-3.7.4-old/tools/tiffsplit.c tiff-3.7.4/tools/tiffsplit.c out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); if (out == NULL) return (-2); +diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c +--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 +@@ -122,6 +122,7 @@ + { + static const char module[] = "_TIFFVSetField"; + ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; +@@ -195,10 +196,12 @@ + break; + case TIFFTAG_ORIENTATION: + v = va_arg(ap, uint32); ++ const TIFFFieldInfo* fip; + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { ++ fip = _TIFFFieldWithTag(tif, tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "Bad value %lu for \"%s\" tag ignored", +- v, _TIFFFieldWithTag(tif, tag)->field_name); ++ v, fip ? fip->field_name : "Unknown"); + } else + td->td_orientation = (uint16) v; + break; +@@ -387,11 +390,15 @@ + * happens, for example, when tiffcp is used to convert between + * compression schemes and codec-specific tags are blindly copied. + */ ++ /* ++ * better not dereference fip if it is NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + status = 0; + break; + } +@@ -468,7 +475,7 @@ + if (fip->field_type == TIFF_ASCII) + _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); + else { +- tv->value = _TIFFmalloc(tv_size * tv->count); ++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); + if (!tv->value) { + status = 0; + goto end; +@@ -563,7 +570,7 @@ + } + } + if (status) { +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ TIFFSetFieldBit(tif, fip->field_bit); + tif->tif_flags |= TIFF_DIRTYDIRECT; + } + +@@ -572,12 +579,12 @@ + return (status); + badvalue: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", +- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvalue32: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", +- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + } +@@ -813,12 +820,16 @@ + * If the client tries to get a tag that is not valid + * for the image's codec then we'll arrive here. + */ ++ /* ++ * dont dereference fip if it's NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) + { + TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + ret_val = 0; + break; + } +diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c +--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 +@@ -775,7 +775,8 @@ + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", + "Internal error, unknown tag 0x%x", + (unsigned int) tag); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +@@ -789,7 +790,8 @@ + if (!fip) { + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", + "Internal error, unknown tag %s", field_name); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c +--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 +@@ -29,6 +29,9 @@ + * + * Directory Read Support Routines. + */ ++ ++#include ++ + #include "tiffiop.h" + + #define IGNORE 0 /* tag placeholder used below */ +@@ -81,6 +84,7 @@ + uint16 dircount; + toff_t nextdiroff; + int diroutoforderwarning = 0; ++ int compressionknown = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -147,13 +151,20 @@ + } else { + toff_t off = tif->tif_diroff; + +- if (off + sizeof (uint16) > tif->tif_size) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "%s: Can not read TIFF directory count", +- tif->tif_name); +- return (0); ++ /* ++ * Check for integer overflow when validating the dir_off, otherwise ++ * a very high offset may cause an OOB read and crash the client. ++ * -- taviso@google.com, 14 Jun 2006. ++ */ ++ if (off + sizeof (uint16) > tif->tif_size || ++ off > (UINT_MAX - sizeof(uint16))) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Can not read TIFF directory count", ++ tif->tif_name); ++ return (0); + } else +- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); ++ _TIFFmemcpy(&dircount, tif->tif_base + off, ++ sizeof (uint16)); + off += sizeof (uint16); + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabShort(&dircount); +@@ -254,6 +265,7 @@ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; ++ + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { + +@@ -264,17 +276,23 @@ + dp->tdir_tag, + dp->tdir_tag, + dp->tdir_type); +- +- TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1 ); ++ /* ++ * creating anonymous fields prior to knowing the compression ++ * algorithm (ie, when the field info has been merged) could cause ++ * crashes with pathological directories. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (compressionknown) ++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), 1 ); ++ else goto ignore; ++ + fix = 0; + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; + } ++ + /* + * Null out old tags that we ignore. + */ +@@ -326,6 +344,7 @@ + dp->tdir_type, dp->tdir_offset); + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) + goto bad; ++ else compressionknown++; + break; + /* XXX: workaround for broken TIFFs */ + } else if (dp->tdir_type == TIFF_LONG) { +@@ -540,6 +559,7 @@ + * Attempt to deal with a missing StripByteCounts tag. + */ + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. In this case, assume there +@@ -556,7 +576,7 @@ + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + /* +@@ -580,6 +600,7 @@ + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Plexus (and others) sometimes give a value of zero for + * a tag when they don't know what the correct value is! Try +@@ -589,13 +610,14 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG + && td->td_nstrips > 2 + && td->td_compression == COMPRESSION_NONE + && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Some vendors fill StripByteCount array with absolutely + * wrong values (it can be equal to StripOffset array, for +@@ -604,7 +626,7 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -870,7 +892,13 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ ++ /* i is used to iterate over td->td_nstrips, so must be ++ * at least the same width. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); +@@ -947,16 +975,18 @@ + static int + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) + { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ + if (count > dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (0); + } else if (count < dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (1); + } +@@ -970,6 +1000,7 @@ + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) + { + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + tsize_t cc = dir->tdir_count * w; + + /* Check for overflow. */ +@@ -1013,7 +1044,7 @@ + bad: + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Error fetching data for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + return (tsize_t) 0; + } + +@@ -1039,10 +1070,12 @@ + static int + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) + { ++ const TIFFFieldInfo* fip; + if (denom == 0) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s: Rational with zero denominator (num = %lu)", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); ++ fip ? fip->field_name : "Unknown", num); + return (0); + } else { + if (dir->tdir_type == TIFF_RATIONAL) +@@ -1159,6 +1192,20 @@ + static int + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) + { ++ /* ++ * Prevent overflowing the v stack arrays below by performing a sanity ++ * check on tdir_count, this should never be greater than two. ++ * -- taviso@google.com 14 Jun 2006. ++ */ ++ if (dir->tdir_count > 2) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, ++ "unexpected count for field \"%s\", %lu, expected 2; ignored.", ++ fip ? fip->field_name : "Unknown", ++ dir->tdir_count); ++ return 0; ++ } ++ + switch (dir->tdir_type) { + case TIFF_BYTE: + case TIFF_SBYTE: +@@ -1329,14 +1376,15 @@ + case TIFF_DOUBLE: + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); + default: ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + /* TIFF_NOTYPE */ + /* TIFF_ASCII */ + /* TIFF_UNDEFINED */ + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", + dir->tdir_type, +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); +- return (0); ++ fip ? fip->field_name : "Unknown"); ++ return (0); } + } + return (1); + } +@@ -1351,6 +1399,9 @@ + int ok = 0; + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + ++ if (fip == NULL) { ++ return (0); ++ } + if (dp->tdir_count > 1) { /* array of values */ + char* cp = NULL; + +@@ -1493,6 +1544,7 @@ + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1510,9 +1562,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1534,6 +1587,7 @@ + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1551,9 +1605,10 @@ + check_count = samples; + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1574,6 +1629,7 @@ + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1591,9 +1647,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c +--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 +@@ -1136,6 +1136,7 @@ + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) + { + Fax3BaseState* sp = Fax3State(tif); ++ const TIFFFieldInfo* fip; + + assert(sp != 0); + assert(sp->vsetparent != 0); +@@ -1181,7 +1182,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c +--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 +@@ -722,15 +722,31 @@ + segment_width = TIFFhowmany(segment_width, sp->h_sampling); + segment_height = TIFFhowmany(segment_height, sp->v_sampling); + } +- if (sp->cinfo.d.image_width != segment_width || +- sp->cinfo.d.image_height != segment_height) { ++ if (sp->cinfo.d.image_width < segment_width || ++ sp->cinfo.d.image_height < segment_height) { + TIFFWarningExt(tif->tif_clientdata, module, + "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", + segment_width, + segment_height, + sp->cinfo.d.image_width, + sp->cinfo.d.image_height); ++ } ++ ++ if (sp->cinfo.d.image_width > segment_width || ++ sp->cinfo.d.image_height > segment_height) { ++ /* ++ * This case could be dangerous, if the strip or tile size has been ++ * reported as less than the amount of data jpeg will return, some ++ * potential security issues arise. Catch this case and error out. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "JPEG strip/tile size exceeds expected dimensions," ++ "expected %dx%d, got %dx%d", segment_width, segment_height, ++ sp->cinfo.d.image_width, sp->cinfo.d.image_height); ++ return (0); + } ++ + if (sp->cinfo.d.num_components != + (td->td_planarconfig == PLANARCONFIG_CONTIG ? + td->td_samplesperpixel : 1)) { +@@ -761,6 +777,22 @@ + sp->cinfo.d.comp_info[0].v_samp_factor, + sp->h_sampling, sp->v_sampling); + ++ /* ++ * There are potential security issues here for decoders that ++ * have already allocated buffers based on the expected sampling ++ * factors. Lets check the sampling factors dont exceed what ++ * we were expecting. ++ * -- taviso@google.com 14 June 2006 ++ */ ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || ++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot honour JPEG sampling factors that" ++ " exceed those specified."); ++ return (0); ++ } ++ ++ + /* + * XXX: Files written by the Intergraph software + * has different sampling factors stored in the +@@ -1521,15 +1553,18 @@ + { + JPEGState *sp = JState(tif); + +- assert(sp != 0); ++ /* assert(sp != 0); */ + + tif->tif_tagmethods.vgetfield = sp->vgetparent; + tif->tif_tagmethods.vsetfield = sp->vsetparent; + +- if( sp->cinfo_initialized ) +- TIFFjpeg_destroy(sp); /* release libjpeg resources */ +- if (sp->jpegtables) /* tag value */ +- _TIFFfree(sp->jpegtables); ++ if (sp != NULL) { ++ if( sp->cinfo_initialized ) ++ TIFFjpeg_destroy(sp); /* release libjpeg resources */ ++ if (sp->jpegtables) /* tag value */ ++ _TIFFfree(sp->jpegtables); ++ } ++ + _TIFFfree(tif->tif_data); /* release local state */ + tif->tif_data = NULL; + +@@ -1541,6 +1576,7 @@ + { + JPEGState* sp = JState(tif); + TIFFDirectory* td = &tif->tif_dir; ++ const TIFFFieldInfo* fip; + uint32 v32; + + assert(sp != NULL); +@@ -1606,7 +1642,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +@@ -1726,7 +1768,11 @@ + { + JPEGState* sp = JState(tif); + +- assert(sp != NULL); ++ /* assert(sp != NULL); */ ++ if (sp == NULL) { ++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); ++ return; ++ } + + (void) flags; + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) +diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c +--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 +@@ -105,11 +105,16 @@ + * as codes of the form + * until we've filled the scanline. + */ ++ /* ++ * Ensure the run does not exceed the scanline ++ * bounds, potentially resulting in a security issue. ++ * -- taviso@google.com 14 Jun 2006. ++ */ + op = row; + for (;;) { + grey = (n>>6) & 0x3; + n &= 0x3f; +- while (n-- > 0) ++ while (n-- > 0 && npixels < imagewidth) + SETPIXEL(op, grey); + if (npixels >= (int) imagewidth) + break; +diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c +--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 +@@ -768,7 +768,19 @@ + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabArrayOfShort(up, nsamples); + +- for (i = 0; i < nsamples; i += llen, up += llen) { ++ /* ++ * if llen is not an exact multiple of nsamples, the decode operation ++ * may overflow the output buffer, so truncate it enough to prevent that ++ * but still salvage as much data as possible. ++ * -- taviso@google.com 14th June 2006 ++ */ ++ if (nsamples % llen) ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: stride %lu is not a multiple of sample count, " ++ "%lu, data truncated.", tif->tif_name, llen, nsamples); ++ ++ ++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalAccumulateF(up, llen, sp->stride, +diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c +--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 +@@ -31,6 +31,8 @@ + #include "tiffiop.h" + #include + ++#include ++ + int TIFFFillStrip(TIFF*, tstrip_t); + int TIFFFillTile(TIFF*, ttile_t); + static int TIFFStartStrip(TIFF*, tstrip_t); +@@ -272,7 +274,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +478,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { + tif->tif_curtile = NOTILE; + return (0); + }