Submitted By: Michael Labuschke (michael at labuschke dot de) Date: 2004-10-14 Initial Package Version: 3.6.1 Origin: diffed against libtiff cvs Upstream Status: not sent ( is allready included in libtiff cvs) Description: This patches some buffer overflow problems in libtiff 3.6.1 diff -Naur tiff-v3.6.1.orig/libtiff/tif_luv.c tiff-v3.6.1/libtiff/tif_luv.c --- tiff-v3.6.1.orig/libtiff/tif_luv.c 2003-11-27 15:08:10.000000000 +0000 +++ tiff-v3.6.1/libtiff/tif_luv.c 2004-10-12 18:50:48.000000000 +0000 @@ -1,3 +1,5 @@ +/* $Id: tiff-v3.6.1-buffer_overflow-1.patch,v 1.2 2004/10/14 14:39:52 zigman Exp $ */ + /* * Copyright (c) 1997 Greg Ward Larson * Copyright (c) 1997 Silicon Graphics, Inc. @@ -185,7 +186,7 @@ { LogLuvState* sp = DecoderState(tif); int shft, i, npixels; - u_char* bp; + unsigned char* bp; int16* tp; int16 b; int cc, rc; @@ -203,7 +204,7 @@ } _TIFFmemset((tdata_t) tp, 0, npixels*sizeof (tp[0])); - bp = (u_char*) tif->tif_rawcp; + bp = (unsigned char*) tif->tif_rawcp; cc = tif->tif_rawcc; /* get each byte string */ for (shft = 2*8; (shft -= 8) >= 0; ) { @@ -212,11 +213,11 @@ rc = *bp++ + (2-128); b = (int16)(*bp++ << shft); cc -= 2; - while (rc--) + while (rc-- && i < npixels) tp[i++] |= b; } else { /* non-run */ rc = *bp++; /* nul is noop */ - while (--cc && rc--) + while (--cc && rc-- && i < npixels) tp[i++] |= (int16)*bp++ << shft; } if (i != npixels) { @@ -242,7 +243,7 @@ { LogLuvState* sp = DecoderState(tif); int cc, i, npixels; - u_char* bp; + unsigned char* bp; uint32* tp; assert(s == 0); @@ -257,7 +258,7 @@ tp = (uint32 *) sp->tbuf; } /* copy to array of uint32 */ - bp = (u_char*) tif->tif_rawcp; + bp = (unsigned char*) tif->tif_rawcp; cc = tif->tif_rawcc; for (i = 0; i < npixels && cc > 0; i++) { tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; @@ -284,7 +285,7 @@ { LogLuvState* sp; int shft, i, npixels; - u_char* bp; + unsigned char* bp; uint32* tp; uint32 b; int cc, rc; @@ -303,7 +304,7 @@ } _TIFFmemset((tdata_t) tp, 0, npixels*sizeof (tp[0])); - bp = (u_char*) tif->tif_rawcp; + bp = (unsigned char*) tif->tif_rawcp; cc = tif->tif_rawcc; /* get each byte string */ for (shft = 4*8; (shft -= 8) >= 0; ) { @@ -312,11 +313,11 @@ rc = *bp++ + (2-128); b = (uint32)*bp++ << shft; cc -= 2; - while (rc--) + while (rc-- && i < npixels) tp[i++] |= b; } else { /* non-run */ rc = *bp++; /* nul is noop */ - while (--cc && rc--) + while (--cc && rc-- && i < npixels) tp[i++] |= (uint32)*bp++ << shft; } if (i != npixels) { @@ -1161,6 +1162,17 @@ return (SGILOGDATAFMT_UNKNOWN); } +static uint32 +multiply(size_t m1, size_t m2) +{ + uint32 bytes = m1 * m2; + + if (m1 && bytes / m1 != m2) + bytes = 0; + + return bytes; +} + static int LogL16InitState(TIFF* tif) { @@ -1189,9 +1201,9 @@ "No support for converting user data format to LogL"); return (0); } - sp->tbuflen = td->td_imagewidth * td->td_rowsperstrip; - sp->tbuf = (tidata_t*) _TIFFmalloc(sp->tbuflen * sizeof (int16)); - if (sp->tbuf == NULL) { + sp->tbuflen = multiply(td->td_imagewidth, td->td_rowsperstrip); + if (multiply(sp->tbuflen, sizeof (int16)) == 0 || + (sp->tbuf = (tidata_t*) _TIFFmalloc(sp->tbuflen * sizeof (int16))) == NULL) { TIFFError(module, "%s: No space for SGILog translation buffer", tif->tif_name); return (0); @@ -1287,9 +1299,9 @@ "No support for converting user data format to LogLuv"); return (0); } - sp->tbuflen = td->td_imagewidth * td->td_rowsperstrip; - sp->tbuf = (tidata_t*) _TIFFmalloc(sp->tbuflen * sizeof (uint32)); - if (sp->tbuf == NULL) { + sp->tbuflen = multiply(td->td_imagewidth, td->td_rowsperstrip); + if (multiply(sp->tbuflen, sizeof (uint32)) == 0 || + (sp->tbuf = (tidata_t*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) { TIFFError(module, "%s: No space for SGILog translation buffer", tif->tif_name); return (0); @@ -1497,7 +1509,7 @@ /* * Must recalculate sizes should bits/sample change. */ - tif->tif_tilesize = TIFFTileSize(tif); + tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1; tif->tif_scanlinesize = TIFFScanlineSize(tif); return (1); case TIFFTAG_SGILOGENCODE: @@ -1584,3 +1596,5 @@ return (0); } #endif /* LOGLUV_SUPPORT */ + +/* vim: set ts=8 sts=8 sw=8 noet: */ diff -Naur tiff-v3.6.1.orig/libtiff/tif_next.c tiff-v3.6.1/libtiff/tif_next.c --- tiff-v3.6.1.orig/libtiff/tif_next.c 2003-07-11 06:25:25.000000000 +0000 +++ tiff-v3.6.1/libtiff/tif_next.c 2004-09-19 10:08:38.000000000 +0000 @@ -1,4 +1,4 @@ -/* $Header: /usr/local/cvsroot/lfs/lfs-addon/patches/tiff-v3.6.1-buffer_overflow-1.patch,v 1.2 2004/10/14 14:39:52 zigman Exp $ */ +/* $Id: tiff-v3.6.1-buffer_overflow-1.patch,v 1.2 2004/10/14 14:39:52 zigman Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -87,7 +87,7 @@ */ off = (bp[0] * 256) + bp[1]; n = (bp[2] * 256) + bp[3]; - if (cc < 4+n) + if (cc < 4+n || off+n > scanline) goto bad; _TIFFmemcpy(row+off, bp+4, n); bp += 4+n; @@ -140,3 +140,5 @@ return (1); } #endif /* NEXT_SUPPORT */ + +/* vim: set ts=8 sts=8 sw=8 noet: */ diff -Naur tiff-v3.6.1.orig/libtiff/tif_thunder.c tiff-v3.6.1/libtiff/tif_thunder.c --- tiff-v3.6.1.orig/libtiff/tif_thunder.c 2003-07-11 06:25:25.000000000 +0000 +++ tiff-v3.6.1/libtiff/tif_thunder.c 2004-09-19 10:08:38.000000000 +0000 @@ -1,4 +1,4 @@ -/* $Header: /usr/local/cvsroot/lfs/lfs-addon/patches/tiff-v3.6.1-buffer_overflow-1.patch,v 1.2 2004/10/14 14:39:52 zigman Exp $ */ +/* $Id: tiff-v3.6.1-buffer_overflow-1.patch,v 1.2 2004/10/14 14:39:52 zigman Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -66,12 +66,12 @@ static int ThunderDecode(TIFF* tif, tidata_t op, tsize_t maxpixels) { - register u_char *bp; + register unsigned char *bp; register tsize_t cc; - u_int lastpixel; + unsigned int lastpixel; tsize_t npixels; - bp = (u_char *)tif->tif_rawcp; + bp = (unsigned char *)tif->tif_rawcp; cc = tif->tif_rawcc; lastpixel = 0; npixels = 0; @@ -91,8 +91,10 @@ } else lastpixel |= lastpixel << 4; npixels += n; - for (; n > 0; n -= 2) - *op++ = (tidataval_t) lastpixel; + if (npixels < maxpixels) { + for (; n > 0; n -= 2) + *op++ = (tidataval_t) lastpixel; + } if (n == -1) *--op &= 0xf0; lastpixel &= 0xf; @@ -152,3 +154,5 @@ return (1); } #endif /* THUNDER_SUPPORT */ + +/* vim: set ts=8 sts=8 sw=8 noet: */