From 342de0bef86b4a7be5599a02a6ff4a6e07328b11 Mon Sep 17 00:00:00 2001 From: thestig Date: Thu, 9 Jun 2016 15:33:10 -0700 Subject: Apply security fixes to libtiff that are not in 4.0.6. BUG=618164 Review-Url: https://codereview.chromium.org/2054993002 --- third_party/libtiff/0002-CVE-2015-8665-8683.patch | 114 ++++++++++++++ .../libtiff/0003-CVE-2015-8781-8782-8783.patch | 172 +++++++++++++++++++++ third_party/libtiff/0004-CVE-2015-8784.patch | 50 ++++++ third_party/libtiff/README.pdfium | 3 + third_party/libtiff/tif_getimage.c | 35 +++-- third_party/libtiff/tif_luv.c | 55 +++++-- third_party/libtiff/tif_next.c | 10 +- 7 files changed, 413 insertions(+), 26 deletions(-) create mode 100644 third_party/libtiff/0002-CVE-2015-8665-8683.patch create mode 100644 third_party/libtiff/0003-CVE-2015-8781-8782-8783.patch create mode 100644 third_party/libtiff/0004-CVE-2015-8784.patch diff --git a/third_party/libtiff/0002-CVE-2015-8665-8683.patch b/third_party/libtiff/0002-CVE-2015-8665-8683.patch new file mode 100644 index 0000000000..0d740e229d --- /dev/null +++ b/third_party/libtiff/0002-CVE-2015-8665-8683.patch @@ -0,0 +1,114 @@ +From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sat, 26 Dec 2015 17:32:03 +0000 +Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in + TIFFRGBAImage interface in case of unsupported values of + SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to + TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by + limingxing and CVE-2015-8683 reported by zzf of Alibaba. + +--- + ChangeLog | 8 ++++++++ + libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- + 2 files changed, 30 insertions(+), 13 deletions(-) + +Index: tiff-4.0.3/libtiff/tif_getimage.c +=================================================================== +--- tiff-4.0.3.orig/libtiff/tif_getimage.c 2016-03-23 10:13:42.728371661 -0400 ++++ tiff-4.0.3/libtiff/tif_getimage.c 2016-03-23 10:13:42.724371614 -0400 +@@ -182,20 +182,22 @@ + "Planarconfiguration", td->td_planarconfig); + return (0); + } +- if( td->td_samplesperpixel != 3 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d", +- "Samples/pixel", td->td_samplesperpixel); ++ "Sorry, can not handle image with %s=%d, %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels); + return 0; + } + break; + case PHOTOMETRIC_CIELAB: +- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d and %s=%d", ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels, + "Bits/sample", td->td_bitspersample); + return 0; + } +@@ -255,6 +257,9 @@ + int colorchannels; + uint16 *red_orig, *green_orig, *blue_orig; + int n_color; ++ ++ if( !TIFFRGBAImageOK(tif, emsg) ) ++ return 0; + + /* Initialize to normal values */ + img->row_offset = 0; +@@ -2470,29 +2475,33 @@ + case PHOTOMETRIC_RGB: + switch (img->bitspersample) { + case 8: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >= 4) + img->put.contig = putRGBAAcontig8bittile; +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >= 4) + { + if (BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig8bittile; + } +- else ++ else if( img->samplesperpixel >= 3 ) + img->put.contig = putRGBcontig8bittile; + break; + case 16: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBAAcontig16bittile; + } +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img) && + BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig16bittile; + } +- else ++ else if( img->samplesperpixel >=3 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBcontig16bittile; +@@ -2501,7 +2510,7 @@ + } + break; + case PHOTOMETRIC_SEPARATED: +- if (buildMap(img)) { ++ if (img->samplesperpixel >=4 && buildMap(img)) { + if (img->bitspersample == 8) { + if (!img->Map) + img->put.contig = putRGBcontig8bitCMYKtile; +@@ -2597,7 +2606,7 @@ + } + break; + case PHOTOMETRIC_CIELAB: +- if (buildMap(img)) { ++ if (img->samplesperpixel == 3 && buildMap(img)) { + if (img->bitspersample == 8) + img->put.contig = initCIELabConversion(img); + break; diff --git a/third_party/libtiff/0003-CVE-2015-8781-8782-8783.patch b/third_party/libtiff/0003-CVE-2015-8781-8782-8783.patch new file mode 100644 index 0000000000..c4ed67dfc8 --- /dev/null +++ b/third_party/libtiff/0003-CVE-2015-8781-8782-8783.patch @@ -0,0 +1,172 @@ +From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 27 Dec 2015 16:25:11 +0000 +Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in + decode functions in non debug builds by replacing assert()s by regular if + checks (bugzilla #2522). Fix potential out-of-bound reads in case of short + input data. + +--- + ChangeLog | 7 +++++++ + libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- + 2 files changed, 51 insertions(+), 11 deletions(-) + +Index: tiff-4.0.3/libtiff/tif_luv.c +=================================================================== +--- tiff-4.0.3.orig/libtiff/tif_luv.c 2016-03-23 10:13:56.868540963 -0400 ++++ tiff-4.0.3/libtiff/tif_luv.c 2016-03-23 10:13:56.864540914 -0400 +@@ -202,7 +202,11 @@ + if (sp->user_datafmt == SGILOGDATAFMT_16BIT) + tp = (int16*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (int16*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -211,9 +215,11 @@ + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 2*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ +- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ if( cc < 2 ) ++ break; ++ rc = *bp++ + (2-128); + b = (int16)(*bp++ << shft); + cc -= 2; + while (rc-- && i < npixels) +@@ -223,6 +229,7 @@ + while (--cc && rc-- && i < npixels) + tp[i++] |= (int16)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -268,13 +275,17 @@ + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32 *)op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32 *) sp->tbuf; + } + /* copy to array of uint32 */ + bp = (unsigned char*) tif->tif_rawcp; + cc = tif->tif_rawcc; +- for (i = 0; i < npixels && cc > 0; i++) { ++ for (i = 0; i < npixels && cc >= 3; i++) { + tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; + bp += 3; + cc -= 3; +@@ -325,7 +336,11 @@ + if (sp->user_datafmt == SGILOGDATAFMT_RAW) + tp = (uint32*) op; + else { +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + tp = (uint32*) sp->tbuf; + } + _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); +@@ -334,11 +349,13 @@ + cc = tif->tif_rawcc; + /* get each byte string */ + for (shft = 4*8; (shft -= 8) >= 0; ) { +- for (i = 0; i < npixels && cc > 0; ) ++ for (i = 0; i < npixels && cc > 0; ) { + if (*bp >= 128) { /* run */ ++ if( cc < 2 ) ++ break; + rc = *bp++ + (2-128); + b = (uint32)*bp++ << shft; +- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ ++ cc -= 2; + while (rc-- && i < npixels) + tp[i++] |= b; + } else { /* non-run */ +@@ -346,6 +363,7 @@ + while (--cc && rc-- && i < npixels) + tp[i++] |= (uint32)*bp++ << shft; + } ++ } + if (i != npixels) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, +@@ -407,6 +425,7 @@ + static int + LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogL16Encode"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -427,7 +446,11 @@ + tp = (int16*) bp; + else { + tp = (int16*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ +@@ -500,6 +523,7 @@ + static int + LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode24"; + LogLuvState* sp = EncoderState(tif); + tmsize_t i; + tmsize_t npixels; +@@ -515,7 +539,11 @@ + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* write out encoded pixels */ +@@ -547,6 +575,7 @@ + static int + LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) + { ++ static const char module[] = "LogLuvEncode32"; + LogLuvState* sp = EncoderState(tif); + int shft; + tmsize_t i; +@@ -568,7 +597,11 @@ + tp = (uint32*) bp; + else { + tp = (uint32*) sp->tbuf; +- assert(sp->tbuflen >= npixels); ++ if(sp->tbuflen < npixels) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Translation buffer too short"); ++ return (0); ++ } + (*sp->tfunc)(sp, bp, npixels); + } + /* compress each byte string */ diff --git a/third_party/libtiff/0004-CVE-2015-8784.patch b/third_party/libtiff/0004-CVE-2015-8784.patch new file mode 100644 index 0000000000..e4415de6c1 --- /dev/null +++ b/third_party/libtiff/0004-CVE-2015-8784.patch @@ -0,0 +1,50 @@ +From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 27 Dec 2015 16:55:20 +0000 +Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in + NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif + (bugzilla #2508) + +--- + ChangeLog | 6 ++++++ + libtiff/tif_next.c | 10 ++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index dd669cc..0a5b635 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -37,7 +37,7 @@ + case 0: op[0] = (unsigned char) ((v) << 6); break; \ + case 1: op[0] |= (v) << 4; break; \ + case 2: op[0] |= (v) << 2; break; \ +- case 3: *op++ |= (v); break; \ ++ case 3: *op++ |= (v); op_offset++; break; \ + } \ + } + +@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; ++ tmsize_t op_offset = 0; + + /* + * The scanline is composed of a sequence of constant +@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + * bounds, potentially resulting in a security + * issue. + */ +- while (n-- > 0 && npixels < imagewidth) ++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) + SETPIXEL(op, grey); + if (npixels >= imagewidth) + break; ++ if (op_offset >= scanline ) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", ++ (long) tif->tif_row); ++ return (0); ++ } + if (cc == 0) + goto bad; + n = *bp++, cc--; diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index c9b0f48407..09577f93fb 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -11,3 +11,6 @@ Local Modifications: 0000-build-config.patch: Local build configuration changes. 0001-build-config.patch: Enable HAVE_SEARCH_H in tiffconf.h for VS 2015 +0002-CVE-2015-8665-8683.patch: Security fixes +0003-CVE-2015-8781-8782-8783.patch: Security fixes +0004-CVE-2015-8784.patch: Security fixes diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c index f49b73fd47..85237937ec 100644 --- a/third_party/libtiff/tif_getimage.c +++ b/third_party/libtiff/tif_getimage.c @@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) "Planarconfiguration", td->td_planarconfig); return (0); } - if( td->td_samplesperpixel != 3 ) + if( td->td_samplesperpixel != 3 || colorchannels != 3 ) { sprintf(emsg, - "Sorry, can not handle image with %s=%d", - "Samples/pixel", td->td_samplesperpixel); + "Sorry, can not handle image with %s=%d, %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels); return 0; } break; case PHOTOMETRIC_CIELAB: - if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) + if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { sprintf(emsg, - "Sorry, can not handle image with %s=%d and %s=%d", + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels, "Bits/sample", td->td_bitspersample); return 0; } @@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) int colorchannels; uint16 *red_orig, *green_orig, *blue_orig; int n_color; + + if( !TIFFRGBAImageOK(tif, emsg) ) + return 0; /* Initialize to normal values */ img->row_offset = 0; @@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) case PHOTOMETRIC_RGB: switch (img->bitspersample) { case 8: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >= 4) img->put.contig = putRGBAAcontig8bittile; - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >= 4) { if (BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig8bittile; } - else + else if( img->samplesperpixel >= 3 ) img->put.contig = putRGBcontig8bittile; break; case 16: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBAAcontig16bittile; } - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img) && BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig16bittile; } - else + else if( img->samplesperpixel >=3 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBcontig16bittile; @@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) } break; case PHOTOMETRIC_SEPARATED: - if (buildMap(img)) { + if (img->samplesperpixel >=4 && buildMap(img)) { if (img->bitspersample == 8) { if (!img->Map) img->put.contig = putRGBcontig8bitCMYKtile; @@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) } break; case PHOTOMETRIC_CIELAB: - if (buildMap(img)) { + if (img->samplesperpixel == 3 && buildMap(img)) { if (img->bitspersample == 8) img->put.contig = initCIELabConversion(img); break; diff --git a/third_party/libtiff/tif_luv.c b/third_party/libtiff/tif_luv.c index 4e328bad80..01f39c0d63 100644 --- a/third_party/libtiff/tif_luv.c +++ b/third_party/libtiff/tif_luv.c @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_16BIT) tp = (int16*) op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (int16*) sp->tbuf; } _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) cc = tif->tif_rawcc; /* get each byte string */ for (shft = 2*8; (shft -= 8) >= 0; ) { - for (i = 0; i < npixels && cc > 0; ) + for (i = 0; i < npixels && cc > 0; ) { if (*bp >= 128) { /* run */ - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ + if( cc < 2 ) + break; + rc = *bp++ + (2-128); b = (int16)(*bp++ << shft); cc -= 2; while (rc-- && i < npixels) @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) while (--cc && rc-- && i < npixels) tp[i++] |= (int16)*bp++ << shft; } + } if (i != npixels) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_RAW) tp = (uint32 *)op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (uint32 *) sp->tbuf; } /* copy to array of uint32 */ bp = (unsigned char*) tif->tif_rawcp; cc = tif->tif_rawcc; - for (i = 0; i < npixels && cc > 0; i++) { + for (i = 0; i < npixels && cc >= 3; i++) { tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; bp += 3; cc -= 3; @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_RAW) tp = (uint32*) op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (uint32*) sp->tbuf; } _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) cc = tif->tif_rawcc; /* get each byte string */ for (shft = 4*8; (shft -= 8) >= 0; ) { - for (i = 0; i < npixels && cc > 0; ) + for (i = 0; i < npixels && cc > 0; ) { if (*bp >= 128) { /* run */ + if( cc < 2 ) + break; rc = *bp++ + (2-128); b = (uint32)*bp++ << shft; - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ + cc -= 2; while (rc-- && i < npixels) tp[i++] |= b; } else { /* non-run */ @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) while (--cc && rc-- && i < npixels) tp[i++] |= (uint32)*bp++ << shft; } + } if (i != npixels) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, @@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogL16Encode"; LogLuvState* sp = EncoderState(tif); int shft; tmsize_t i; @@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (int16*) bp; else { tp = (int16*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* compress each byte string */ @@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogLuvEncode24"; LogLuvState* sp = EncoderState(tif); tmsize_t i; tmsize_t npixels; @@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (uint32*) bp; else { tp = (uint32*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* write out encoded pixels */ @@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogLuvEncode32"; LogLuvState* sp = EncoderState(tif); int shft; tmsize_t i; @@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (uint32*) bp; else { tp = (uint32*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* compress each byte string */ diff --git a/third_party/libtiff/tif_next.c b/third_party/libtiff/tif_next.c index 17e031111a..b2076a0b01 100644 --- a/third_party/libtiff/tif_next.c +++ b/third_party/libtiff/tif_next.c @@ -37,7 +37,7 @@ case 0: op[0] = (unsigned char) ((v) << 6); break; \ case 1: op[0] |= (v) << 4; break; \ case 2: op[0] |= (v) << 2; break; \ - case 3: *op++ |= (v); break; \ + case 3: *op++ |= (v); op_offset++; break; \ } \ } @@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) uint32 imagewidth = tif->tif_dir.td_imagewidth; if( isTiled(tif) ) imagewidth = tif->tif_dir.td_tilewidth; + tmsize_t op_offset = 0; /* * The scanline is composed of a sequence of constant @@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) * bounds, potentially resulting in a security * issue. */ - while (n-- > 0 && npixels < imagewidth) + while (n-- > 0 && npixels < imagewidth && op_offset < scanline) SETPIXEL(op, grey); if (npixels >= imagewidth) break; + if (op_offset >= scanline ) { + TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", + (long) tif->tif_row); + return (0); + } if (cc == 0) goto bad; n = *bp++, cc--; -- cgit v1.2.3