| Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame^] | 1 | From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 |
| 2 | From: erouault <erouault> |
| 3 | Date: Sun, 27 Dec 2015 16:25:11 +0000 |
| 4 | Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in |
| 5 | decode functions in non debug builds by replacing assert()s by regular if |
| 6 | checks (bugzilla #2522). Fix potential out-of-bound reads in case of short |
| 7 | input data. |
| 8 | |
| 9 | Upstream-Status: Backport |
| 10 | |
| 11 | https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 |
| 12 | hand applied Changelog changes |
| 13 | |
| 14 | CVE: CVE-2015-8781 |
| 15 | |
| 16 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 17 | --- |
| 18 | ChangeLog | 7 +++++++ |
| 19 | libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- |
| 20 | 2 files changed, 51 insertions(+), 11 deletions(-) |
| 21 | |
| 22 | Index: tiff-4.0.4/ChangeLog |
| 23 | =================================================================== |
| 24 | --- tiff-4.0.4.orig/ChangeLog |
| 25 | +++ tiff-4.0.4/ChangeLog |
| 26 | @@ -1,3 +1,11 @@ |
| 27 | +2015-12-27 Even Rouault <even.rouault at spatialys.com> |
| 28 | + |
| 29 | + * libtiff/tif_luv.c: fix potential out-of-bound writes in decode |
| 30 | + functions in non debug builds by replacing assert()s by regular if |
| 31 | + checks (bugzilla #2522). |
| 32 | + Fix potential out-of-bound reads in case of short input data. |
| 33 | + |
| 34 | + |
| 35 | 2015-06-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> |
| 36 | |
| 37 | * libtiff 4.0.4 released. |
| 38 | Index: tiff-4.0.4/libtiff/tif_luv.c |
| 39 | =================================================================== |
| 40 | --- tiff-4.0.4.orig/libtiff/tif_luv.c |
| 41 | +++ tiff-4.0.4/libtiff/tif_luv.c |
| 42 | @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz |
| 43 | if (sp->user_datafmt == SGILOGDATAFMT_16BIT) |
| 44 | tp = (int16*) op; |
| 45 | else { |
| 46 | - assert(sp->tbuflen >= npixels); |
| 47 | + if(sp->tbuflen < npixels) { |
| 48 | + TIFFErrorExt(tif->tif_clientdata, module, |
| 49 | + "Translation buffer too short"); |
| 50 | + return (0); |
| 51 | + } |
| 52 | tp = (int16*) sp->tbuf; |
| 53 | } |
| 54 | _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); |
| 55 | @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz |
| 56 | cc = tif->tif_rawcc; |
| 57 | /* get each byte string */ |
| 58 | for (shft = 2*8; (shft -= 8) >= 0; ) { |
| 59 | - for (i = 0; i < npixels && cc > 0; ) |
| 60 | + for (i = 0; i < npixels && cc > 0; ) { |
| 61 | if (*bp >= 128) { /* run */ |
| 62 | - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ |
| 63 | + if( cc < 2 ) |
| 64 | + break; |
| 65 | + rc = *bp++ + (2-128); |
| 66 | b = (int16)(*bp++ << shft); |
| 67 | cc -= 2; |
| 68 | while (rc-- && i < npixels) |
| 69 | @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz |
| 70 | while (--cc && rc-- && i < npixels) |
| 71 | tp[i++] |= (int16)*bp++ << shft; |
| 72 | } |
| 73 | + } |
| 74 | if (i != npixels) { |
| 75 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) |
| 76 | TIFFErrorExt(tif->tif_clientdata, module, |
| 77 | @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms |
| 78 | if (sp->user_datafmt == SGILOGDATAFMT_RAW) |
| 79 | tp = (uint32 *)op; |
| 80 | else { |
| 81 | - assert(sp->tbuflen >= npixels); |
| 82 | + if(sp->tbuflen < npixels) { |
| 83 | + TIFFErrorExt(tif->tif_clientdata, module, |
| 84 | + "Translation buffer too short"); |
| 85 | + return (0); |
| 86 | + } |
| 87 | tp = (uint32 *) sp->tbuf; |
| 88 | } |
| 89 | /* copy to array of uint32 */ |
| 90 | bp = (unsigned char*) tif->tif_rawcp; |
| 91 | cc = tif->tif_rawcc; |
| 92 | - for (i = 0; i < npixels && cc > 0; i++) { |
| 93 | + for (i = 0; i < npixels && cc >= 3; i++) { |
| 94 | tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; |
| 95 | bp += 3; |
| 96 | cc -= 3; |
| 97 | @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms |
| 98 | if (sp->user_datafmt == SGILOGDATAFMT_RAW) |
| 99 | tp = (uint32*) op; |
| 100 | else { |
| 101 | - assert(sp->tbuflen >= npixels); |
| 102 | + if(sp->tbuflen < npixels) { |
| 103 | + TIFFErrorExt(tif->tif_clientdata, module, |
| 104 | + "Translation buffer too short"); |
| 105 | + return (0); |
| 106 | + } |
| 107 | tp = (uint32*) sp->tbuf; |
| 108 | } |
| 109 | _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); |
| 110 | @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms |
| 111 | cc = tif->tif_rawcc; |
| 112 | /* get each byte string */ |
| 113 | for (shft = 4*8; (shft -= 8) >= 0; ) { |
| 114 | - for (i = 0; i < npixels && cc > 0; ) |
| 115 | + for (i = 0; i < npixels && cc > 0; ) { |
| 116 | if (*bp >= 128) { /* run */ |
| 117 | + if( cc < 2 ) |
| 118 | + break; |
| 119 | rc = *bp++ + (2-128); |
| 120 | b = (uint32)*bp++ << shft; |
| 121 | - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ |
| 122 | + cc -= 2; |
| 123 | while (rc-- && i < npixels) |
| 124 | tp[i++] |= b; |
| 125 | } else { /* non-run */ |
| 126 | @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms |
| 127 | while (--cc && rc-- && i < npixels) |
| 128 | tp[i++] |= (uint32)*bp++ << shft; |
| 129 | } |
| 130 | + } |
| 131 | if (i != npixels) { |
| 132 | #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) |
| 133 | TIFFErrorExt(tif->tif_clientdata, module, |
| 134 | @@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t |
| 135 | static int |
| 136 | LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) |
| 137 | { |
| 138 | + static const char module[] = "LogL16Encode"; |
| 139 | LogLuvState* sp = EncoderState(tif); |
| 140 | int shft; |
| 141 | tmsize_t i; |
| 142 | @@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz |
| 143 | tp = (int16*) bp; |
| 144 | else { |
| 145 | tp = (int16*) sp->tbuf; |
| 146 | - assert(sp->tbuflen >= npixels); |
| 147 | + if(sp->tbuflen < npixels) { |
| 148 | + TIFFErrorExt(tif->tif_clientdata, module, |
| 149 | + "Translation buffer too short"); |
| 150 | + return (0); |
| 151 | + } |
| 152 | (*sp->tfunc)(sp, bp, npixels); |
| 153 | } |
| 154 | /* compress each byte string */ |
| 155 | @@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz |
| 156 | static int |
| 157 | LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) |
| 158 | { |
| 159 | + static const char module[] = "LogLuvEncode24"; |
| 160 | LogLuvState* sp = EncoderState(tif); |
| 161 | tmsize_t i; |
| 162 | tmsize_t npixels; |
| 163 | @@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms |
| 164 | tp = (uint32*) bp; |
| 165 | else { |
| 166 | tp = (uint32*) sp->tbuf; |
| 167 | - assert(sp->tbuflen >= npixels); |
| 168 | + if(sp->tbuflen < npixels) { |
| 169 | + TIFFErrorExt(tif->tif_clientdata, module, |
| 170 | + "Translation buffer too short"); |
| 171 | + return (0); |
| 172 | + } |
| 173 | (*sp->tfunc)(sp, bp, npixels); |
| 174 | } |
| 175 | /* write out encoded pixels */ |
| 176 | @@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms |
| 177 | static int |
| 178 | LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) |
| 179 | { |
| 180 | + static const char module[] = "LogLuvEncode32"; |
| 181 | LogLuvState* sp = EncoderState(tif); |
| 182 | int shft; |
| 183 | tmsize_t i; |
| 184 | @@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms |
| 185 | tp = (uint32*) bp; |
| 186 | else { |
| 187 | tp = (uint32*) sp->tbuf; |
| 188 | - assert(sp->tbuflen >= npixels); |
| 189 | + if(sp->tbuflen < npixels) { |
| 190 | + TIFFErrorExt(tif->tif_clientdata, module, |
| 191 | + "Translation buffer too short"); |
| 192 | + return (0); |
| 193 | + } |
| 194 | (*sp->tfunc)(sp, bp, npixels); |
| 195 | } |
| 196 | /* compress each byte string */ |