1 From 3899f0ab62dd307f63f87ec99aaf289e104f4070 Mon Sep 17 00:00:00 2001
2 From: erouault <erouault>
3 Date: Sun, 27 Dec 2015 16:25:11 +0000
4 Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
5 decode functions in non debug builds by replacing assert()s by regular if
6 checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
11 libtiff/tif_luv.c | 57 +++++++++++++++++++++++++++++++++++++++++++------------
12 2 files changed, 52 insertions(+), 12 deletions(-)
14 diff --git a/ChangeLog b/ChangeLog
15 index 4beb30b..b8aa23c 100644
19 +2015-12-27 Even Rouault <even.rouault at spatialys.com>
21 + * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
22 + functions in non debug builds by replacing assert()s by regular if
23 + checks (bugzilla #2522).
24 + Fix potential out-of-bound reads in case of short input data.
26 2015-12-26 Even Rouault <even.rouault at spatialys.com>
28 * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
29 diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
30 index 4e328ba..60a174d 100644
31 --- a/libtiff/tif_luv.c
32 +++ b/libtiff/tif_luv.c
34 -/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
35 +/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
38 * Copyright (c) 1997 Greg Ward Larson
39 @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
40 if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
43 - assert(sp->tbuflen >= npixels);
44 + if(sp->tbuflen < npixels) {
45 + TIFFErrorExt(tif->tif_clientdata, module,
46 + "Translation buffer too short");
49 tp = (int16*) sp->tbuf;
51 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
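Review bot: The new `if(sp->tbuflen < npixels)` guard has no comment saying why it is a runtime check rather than the assert() it replaces, and the message `"Translation buffer too short"` reports neither size, which makes a rejected file hard to triage. I would add `/* runtime check: assert() is compiled out in non-debug builds, and the memset and decode loop below write npixels entries into tbuf */` above the guard. I would also print both values in the message, cast to a type the format string matches, since the types of `tbuflen` and `npixels` are not visible in this hunk. The same applies to the identical guards in LogLuvDecode24, LogLuvDecode32, LogL16Encode, LogLuvEncode24 and LogLuvEncode32. This listing skips the lines that close the `if` body, so the failure return is assumed rather than seen, and LogL16Decode starts and ends outside the hunk.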
52 @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
54 /* get each byte string */
55 for (shft = 2*8; (shft -= 8) >= 0; ) {
56 - for (i = 0; i < npixels && cc > 0; )
57 + for (i = 0; i < npixels && cc > 0; ) {
58 if (*bp >= 128) { /* run */
59 - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
62 + rc = *bp++ + (2-128);
63 b = (int16)(*bp++ << shft);
65 while (rc-- && i < npixels)
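Review bot: With the TODO on the run branch removed, nothing in the code records that a run header is two bytes and that `cc` must cover both before the second `*bp++` is read. This listing skips the two lines just above `rc = *bp++ + (2-128);`, which presumably hold that length guard. If they do, I would annotate them with `/* a run needs the count byte and the value byte; stop on truncated input */`. The same applies to the run branch of LogLuvDecode32 further down. The enclosing loop continues outside this hunk.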
66 @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
67 while (--cc && rc-- && i < npixels)
68 tp[i++] |= (int16)*bp++ << shft;
72 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
73 TIFFErrorExt(tif->tif_clientdata, module,
74 @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
75 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
78 - assert(sp->tbuflen >= npixels);
79 + if(sp->tbuflen < npixels) {
80 + TIFFErrorExt(tif->tif_clientdata, module,
81 + "Translation buffer too short");
84 tp = (uint32 *) sp->tbuf;
86 /* copy to array of uint32 */
87 bp = (unsigned char*) tif->tif_rawcp;
89 - for (i = 0; i < npixels && cc > 0; i++) {
90 + for (i = 0; i < npixels && cc >= 3; i++) {
91 tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
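Review bot: The literal `3` in the new loop condition `cc >= 3` is the number of raw bytes the body reads per pixel (`bp[0]`, `bp[1]`, `bp[2]`), but nothing in the code ties the bound to that stride. A short comment such as `/* each pixel is 3 raw bytes */`, or a named constant shared with the pointer and count update (not shown in this listing), would keep the two from drifting apart. The loop body continues past the last line shown here.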
94 @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
95 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
98 - assert(sp->tbuflen >= npixels);
99 + if(sp->tbuflen < npixels) {
100 + TIFFErrorExt(tif->tif_clientdata, module,
101 + "Translation buffer too short");
104 tp = (uint32*) sp->tbuf;
106 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
107 @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
109 /* get each byte string */
110 for (shft = 4*8; (shft -= 8) >= 0; ) {
111 - for (i = 0; i < npixels && cc > 0; )
112 + for (i = 0; i < npixels && cc > 0; ) {
113 if (*bp >= 128) { /* run */
116 rc = *bp++ + (2-128);
117 b = (uint32)*bp++ << shft;
118 - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
120 while (rc-- && i < npixels)
122 } else { /* non-run */
123 @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
124 while (--cc && rc-- && i < npixels)
125 tp[i++] |= (uint32)*bp++ << shft;
129 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
130 TIFFErrorExt(tif->tif_clientdata, module,
131 @@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
133 LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
135 + static const char module[] = "LogL16Encode";
136 LogLuvState* sp = EncoderState(tif);
139 @@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
142 tp = (int16*) sp->tbuf;
143 - assert(sp->tbuflen >= npixels);
144 + if(sp->tbuflen < npixels) {
145 + TIFFErrorExt(tif->tif_clientdata, module,
146 + "Translation buffer too short");
149 (*sp->tfunc)(sp, bp, npixels);
151 /* compress each byte string */
152 @@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
154 LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
156 + static const char module[] = "LogLuvEncode24";
157 LogLuvState* sp = EncoderState(tif);
160 @@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
163 tp = (uint32*) sp->tbuf;
164 - assert(sp->tbuflen >= npixels);
165 + if(sp->tbuflen < npixels) {
166 + TIFFErrorExt(tif->tif_clientdata, module,
167 + "Translation buffer too short");
170 (*sp->tfunc)(sp, bp, npixels);
172 /* write out encoded pixels */
173 @@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
175 LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
177 + static const char module[] = "LogLuvEncode32";
178 LogLuvState* sp = EncoderState(tif);
181 @@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
184 tp = (uint32*) sp->tbuf;
185 - assert(sp->tbuflen >= npixels);
186 + if(sp->tbuflen < npixels) {
187 + TIFFErrorExt(tif->tif_clientdata, module,
188 + "Translation buffer too short");
191 (*sp->tfunc)(sp, bp, npixels);
193 /* compress each byte string */