First Commit
[librecmc/package-feed.git] / libs / tiff / patches / 003-fix_potential_out-of-bound_writes_in_decode_functions.patch
1 From 3899f0ab62dd307f63f87ec99aaf289e104f4070 Mon Sep 17 00:00:00 2001
2 From: erouault <erouault>
3 Date: Sun, 27 Dec 2015 16:25:11 +0000
4 Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
5  decode functions in non debug builds by replacing assert()s by regular if
6  checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
7  input data.
8
9 ---
10  ChangeLog         |  7 +++++++
11  libtiff/tif_luv.c | 57 +++++++++++++++++++++++++++++++++++++++++++------------
12  2 files changed, 52 insertions(+), 12 deletions(-)
13
14 diff --git a/ChangeLog b/ChangeLog
15 index 4beb30b..b8aa23c 100644
16 --- a/ChangeLog
17 +++ b/ChangeLog
18 @@ -1,3 +1,10 @@
19 +2015-12-27  Even Rouault <even.rouault at spatialys.com>
20 +
21 +       * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
22 +       functions in non debug builds by replacing assert()s by regular if
23 +       checks (bugzilla #2522).
24 +       Fix potential out-of-bound reads in case of short input data.
25 +
26  2015-12-26  Even Rouault <even.rouault at spatialys.com>
27  
28         * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
29 diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
30 index 4e328ba..60a174d 100644
31 --- a/libtiff/tif_luv.c
32 +++ b/libtiff/tif_luv.c
33 @@ -1,4 +1,4 @@
34 -/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
35 +/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
36  
37  /*
38   * Copyright (c) 1997 Greg Ward Larson
39 @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
40         if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
41                 tp = (int16*) op;
42         else {
43 -               assert(sp->tbuflen >= npixels);
44 +               if(sp->tbuflen < npixels) {
45 +                       TIFFErrorExt(tif->tif_clientdata, module,
46 +                                                "Translation buffer too short");
47 +                       return (0);
48 +               }
49                 tp = (int16*) sp->tbuf;
50         }
51         _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
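Review bot: The new `if(sp->tbuflen < npixels)` guard has no comment saying why it is a runtime check rather than an assertion. The reason is easy to lose: `assert()` is compiled out under NDEBUG, so in release builds the `_TIFFmemset` that follows would write `npixels` elements into a shorter `sp->tbuf`. I would add `/* runtime check: assert() is compiled out with NDEBUG, and tbuf is written for npixels elements below */` above it, and write `if (` with a space to match the `if (sp->user_datafmt ...` line just before. The same guard is repeated in LogLuvDecode24, LogLuvDecode32, LogL16Encode, LogLuvEncode24 and LogLuvEncode32, so the comment applies there too. The comparison is only sufficient if `tbuflen` counts elements rather than bytes; the allocation is outside this hunk, so that is worth confirming.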
52 @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
53         cc = tif->tif_rawcc;
54         /* get each byte string */
55         for (shft = 2*8; (shft -= 8) >= 0; ) {
56 -               for (i = 0; i < npixels && cc > 0; )
57 +               for (i = 0; i < npixels && cc > 0; ) {
58                         if (*bp >= 128) {               /* run */
59 -                               rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
60 +                               if( cc < 2 )
61 +                                       break;
62 +                               rc = *bp++ + (2-128);
63                                 b = (int16)(*bp++ << shft);
64                                 cc -= 2;
65                                 while (rc-- && i < npixels)
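Review bot: The `if( cc < 2 ) break;` added in the run branch replaces the old TODO without saying what the 2 stands for or how the truncation is reported. A run consumes the count byte and one value byte, and the `break` only leaves the inner loop, so the failure presumably surfaces through the `if (i != npixels)` block after the loop, whose body is outside this hunk. A comment such as `/* a run needs the count byte and one value byte; short input is reported by the i != npixels check below */` would make that dependency explicit. The non-run branch in the next hunk is bounded differently, by `--cc` in its `while` condition. The same comment applies to the matching change in LogLuvDecode32.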
66 @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
67                                 while (--cc && rc-- && i < npixels)
68                                         tp[i++] |= (int16)*bp++ << shft;
69                         }
70 +               }
71                 if (i != npixels) {
72  #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
73                         TIFFErrorExt(tif->tif_clientdata, module,
74 @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
75         if (sp->user_datafmt == SGILOGDATAFMT_RAW)
76                 tp = (uint32 *)op;
77         else {
78 -               assert(sp->tbuflen >= npixels);
79 +               if(sp->tbuflen < npixels) {
80 +                       TIFFErrorExt(tif->tif_clientdata, module,
81 +                                                "Translation buffer too short");
82 +                       return (0);
83 +               }
84                 tp = (uint32 *) sp->tbuf;
85         }
86         /* copy to array of uint32 */
87         bp = (unsigned char*) tif->tif_rawcp;
88         cc = tif->tif_rawcc;
89 -       for (i = 0; i < npixels && cc > 0; i++) {
90 +       for (i = 0; i < npixels && cc >= 3; i++) {
91                 tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
92                 bp += 3;
93                 cc -= 3;
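Review bot: With the bound changed to `cc >= 3`, short input now stops the copy early, but this function shows no `_TIFFmemset` of `tp` like the one in the LogL16Decode and LogLuvDecode32 hunks, so `tp[i]` through `tp[npixels-1]` keep whatever was there before. When `tp` is the caller's `op` (the SGILOGDATAFMT_RAW case), a caller that ignores the return value could consume stale or uninitialised memory as pixels. The code after the loop is outside this hunk, so I assume a failing return follows. If so, zeroing the tail before it, e.g. `_TIFFmemset((void*) (tp + i), 0, (npixels - i)*sizeof (tp[0]));`, or a comment stating that the row is undefined on failure, would close that gap.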
94 @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
95         if (sp->user_datafmt == SGILOGDATAFMT_RAW)
96                 tp = (uint32*) op;
97         else {
98 -               assert(sp->tbuflen >= npixels);
99 +               if(sp->tbuflen < npixels) {
100 +                       TIFFErrorExt(tif->tif_clientdata, module,
101 +                                                "Translation buffer too short");
102 +                       return (0);
103 +               }
104                 tp = (uint32*) sp->tbuf;
105         }
106         _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
107 @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
108         cc = tif->tif_rawcc;
109         /* get each byte string */
110         for (shft = 4*8; (shft -= 8) >= 0; ) {
111 -               for (i = 0; i < npixels && cc > 0; )
112 +               for (i = 0; i < npixels && cc > 0; ) {
113                         if (*bp >= 128) {               /* run */
114 +                               if( cc < 2 )
115 +                                       break;
116                                 rc = *bp++ + (2-128);
117                                 b = (uint32)*bp++ << shft;
118 -                               cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
119 +                               cc -= 2;
120                                 while (rc-- && i < npixels)
121                                         tp[i++] |= b;
122                         } else {                        /* non-run */
123 @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
124                                 while (--cc && rc-- && i < npixels)
125                                         tp[i++] |= (uint32)*bp++ << shft;
126                         }
127 +               }
128                 if (i != npixels) {
129  #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
130                         TIFFErrorExt(tif->tif_clientdata, module,
131 @@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
132  static int
133  LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
134  {
135 +       static const char module[] = "LogL16Encode";
136         LogLuvState* sp = EncoderState(tif);
137         int shft;
138         tmsize_t i;
139 @@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
140                 tp = (int16*) bp;
141         else {
142                 tp = (int16*) sp->tbuf;
143 -               assert(sp->tbuflen >= npixels);
144 +               if(sp->tbuflen < npixels) {
145 +                       TIFFErrorExt(tif->tif_clientdata, module,
146 +                                                "Translation buffer too short");
147 +                       return (0);
148 +               }
149                 (*sp->tfunc)(sp, bp, npixels);
150         }
151         /* compress each byte string */
152 @@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
153  static int
154  LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
155  {
156 +       static const char module[] = "LogLuvEncode24";
157         LogLuvState* sp = EncoderState(tif);
158         tmsize_t i;
159         tmsize_t npixels;
160 @@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
161                 tp = (uint32*) bp;
162         else {
163                 tp = (uint32*) sp->tbuf;
164 -               assert(sp->tbuflen >= npixels);
165 +               if(sp->tbuflen < npixels) {
166 +                       TIFFErrorExt(tif->tif_clientdata, module,
167 +                                                "Translation buffer too short");
168 +                       return (0);
169 +               }
170                 (*sp->tfunc)(sp, bp, npixels);
171         }
172         /* write out encoded pixels */
173 @@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
174  static int
175  LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
176  {
177 +       static const char module[] = "LogLuvEncode32";
178         LogLuvState* sp = EncoderState(tif);
179         int shft;
180         tmsize_t i;
181 @@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
182                 tp = (uint32*) bp;
183         else {
184                 tp = (uint32*) sp->tbuf;
185 -               assert(sp->tbuflen >= npixels);
186 +               if(sp->tbuflen < npixels) {
187 +                       TIFFErrorExt(tif->tif_clientdata, module,
188 +                                                "Translation buffer too short");
189 +                       return (0);
190 +               }
191                 (*sp->tfunc)(sp, bp, npixels);
192         }
193         /* compress each byte string */