Merge pull request #4853 from StevenHessing/noddos

[feed/packages.git] / libs / tiff / patches / 016-CVE-2017-10688.patch

From 6173a57d39e04d68b139f8c1aa499a24dbe74ba1 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 30 Jun 2017 17:29:44 +0000
Subject: [PATCH] * libtiff/tif_dirwrite.c: in
 TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
 data type, replace assertion that the file is BigTIFF, by a non-fatal error.
 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
 OWL337

---
 ChangeLog              |  8 ++++++++
 libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6f085e09..77a64385 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2017-06-30  Even Rouault <even.rouault at spatialys.com>
 
+       * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
+       functions associated with LONG8/SLONG8 data type, replace assertion that
+       the file is BigTIFF, by a non-fatal error.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
+       Reported by team OWL337
+
+2017-06-30  Even Rouault <even.rouault at spatialys.com>
+
        * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer()
        function, variant of TIFFReadEncodedStrip() that allocates the
        decoded buffer only after a first successful TIFFFillStrip(). This avoids
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 2967da58..8d6686ba 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
 {
        uint64 m;
        assert(sizeof(uint64)==8);
-       assert(tif->tif_flags&TIFF_BIGTIFF);
+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+               return(0);
+       }
        m=value;
        if (tif->tif_flags&TIFF_SWAB)
                TIFFSwabLong8(&m);
@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
 {
        assert(count<0x20000000);
        assert(sizeof(uint64)==8);
-       assert(tif->tif_flags&TIFF_BIGTIFF);
+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+               return(0);
+       }
        if (tif->tif_flags&TIFF_SWAB)
                TIFFSwabArrayOfLong8(value,count);
        return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
 {
        int64 m;
        assert(sizeof(int64)==8);
-       assert(tif->tif_flags&TIFF_BIGTIFF);
+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+               return(0);
+       }
        m=value;
        if (tif->tif_flags&TIFF_SWAB)
                TIFFSwabLong8((uint64*)(&m));
@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
 {
        assert(count<0x20000000);
        assert(sizeof(int64)==8);
-       assert(tif->tif_flags&TIFF_BIGTIFF);
+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+               return(0);
+       }
        if (tif->tif_flags&TIFF_SWAB)
                TIFFSwabArrayOfLong8((uint64*)value,count);
        return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));