noddos: Noddos v0.5.0 with mDNS / DNS-SD support
1 commit da99990ba6e1203798a59eb836fc6433ed6e3d66
2 Author: erouault <erouault>
3 Date: Fri Dec 2 23:05:51 2016 +0000
4
5 * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
6 overflow on generation of PixarLog / LUV compressed files, with
7 ColorMap, TransferFunction attached and nasty plays with bitspersample.
8 The fix for LUV has not been tested, but suffers from the same kind
9 of issue of PixarLog.
10 Reported by Agostino Sarubbo.
11 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
12
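--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+ overflow on generation of PixarLog / LUV compressed files, with
+ ColorMap, TransferFunction attached and nasty plays with bitspersample.
+ The fix for LUV has not been tested, but suffers from the same kind
+ of issue of PixarLog.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
 2016-12-02 Even Rouault <even.rouault at spatialys.com>
 
 * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that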
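--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */
 
 /*
 * Copyright (c) 1997 Greg Ward Larson
@@ -158,6 +158,7 @@
 typedef struct logLuvState LogLuvState;
 
 struct logLuvState {
+ int encoder_state; /* 1 if encoder correctly initialized */
 int user_datafmt; /* user data format */
 int encode_meth; /* encoding method */
 int pixel_size; /* bytes per pixel */
@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
 td->td_photometric, "must be either LogLUV or LogL");
 break;
 }
+ sp->encoder_state = 1;
 return (1);
 notsupported:
 TIFFErrorExt(tif->tif_clientdata, module,
@@ -1563,19 +1565,27 @@ notsupported:
 static void
 LogLuvClose(TIFF* tif)
 {
+ LogLuvState* sp = (LogLuvState*) tif->tif_data;
 TIFFDirectory *td = &tif->tif_dir;
 
+ assert(sp != 0);
 /*
 * For consistency, we always want to write out the same
 * bitspersample and sampleformat for our TIFF file,
 * regardless of the data format being used by the application.
 * Since this routine is called after tags have been set but
 * before they have been recorded in the file, we reset them here.
+ * Note: this is really a nasty approach. See PixarLogClose
 */
- td->td_samplesperpixel =
- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
- td->td_bitspersample = 16;
- td->td_sampleformat = SAMPLEFORMAT_INT;
+ if( sp->encoder_state )
+ {
+ /* See PixarLogClose. Might avoid issues with tags whose size depends
+ * on those below, but not completely sure this is enough. */
+ td->td_samplesperpixel =
+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+ td->td_bitspersample = 16;
+ td->td_sampleformat = SAMPLEFORMAT_INT;
+ }
 }
 
 static void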
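Review bot: The guard `if( sp->encoder_state )` in LogLuvClose depends on the new field starting at zero, but the only write visible in this patch is `sp->encoder_state = 1;` at the end of LogLuvSetupEncode, whose body starts outside the hunk. If the allocation site does not clear the struct, the check reads an indeterminate value and the tag rewrite can still run on a directory whose TransferFunction or ColorMap was sized for the caller's bitspersample; confirm the state is zeroed there, or add an explicit `sp->encoder_state = 0;` next to the allocation. `assert(sp != 0);` is compiled out under NDEBUG, so it documents the expectation but does not enforce it before the dereference. The commit message says the LUV path is untested and the added comment says the guard may not be enough, so a regression file for the LUV case should be added before this is relied on.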
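--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */
+/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */
 
 /*
 * Copyright (c) 1996-1997 Sam Leffler
@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
 static void
 PixarLogClose(TIFF* tif)
 {
+ PixarLogState* sp = (PixarLogState*) tif->tif_data;
 TIFFDirectory *td = &tif->tif_dir;
 
+ assert(sp != 0);
 /* In a really sneaky (and really incorrect, and untruthful, and
 * troublesome, and error-prone) maneuver that completely goes against
 * the spirit of TIFF, and breaks TIFF, on close, we covertly
@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
 * readers that don't know about PixarLog, or how to set
 * the PIXARLOGDATFMT pseudo-tag.
 */
- td->td_bitspersample = 8;
- td->td_sampleformat = SAMPLEFORMAT_UINT;
+
+ if (sp->state&PLSTATE_INIT) {
+ /* We test the state to avoid an issue such as in
+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
+ * What appends in that case is that the bitspersample is 1 and
+ * a TransferFunction is set. The size of the TransferFunction
+ * depends on 1<<bitspersample. So if we increase it, an access
+ * out of the buffer will happen at directory flushing.
+ * Another option would be to clear those targs.
+ */
+ td->td_bitspersample = 8;
+ td->td_sampleformat = SAMPLEFORMAT_UINT;
+ }
 }
 
 static void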
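Review bot: The new condition `if (sp->state&PLSTATE_INIT)` in PixarLogClose keys the tag rewrite on codec initialisation, not on the property that causes the overflow: the TransferFunction array is sized from `1<<bitspersample`. Whether PLSTATE_INIT can be set while such a tag is still attached with a smaller bitspersample cannot be told from these hunks. Clearing the size-dependent tags before the rewrite, which the comment names as the other option, would close that case by construction. The added comment has two typos to fix: `What appends` should read `What happens`, and `targs` should read `tags`. `assert(sp != 0);` is compiled out under NDEBUG, so it does not protect the `sp->state` dereference in release builds.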