| From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001 |
| From: Even Rouault <even.rouault@spatialys.com> |
| Date: Wed, 23 Aug 2017 13:33:42 +0000 |
| Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not |
| fitting on uint32 when selecting the value of SubIFD tag by runtime check (in |
| TIFFWriteDirectoryTagSubifd()). Fixes |
| http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337 |
| |
| SubIFD tag by runtime check (in TIFFWriteDirectorySec()) |
| |
| Upstream-Status: Backport |
| [https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc] |
| |
| CVE: CVE-2017-13727 |
| |
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| --- |
| ChangeLog | 10 +++++++++- |
| libtiff/tif_dirwrite.c | 9 ++++++++- |
| 2 files changed, 17 insertions(+), 2 deletions(-) |
| |
| diff --git a/ChangeLog b/ChangeLog |
| index 3e299d9..8f5efe9 100644 |
| --- a/ChangeLog |
| +++ b/ChangeLog |
| @@ -1,7 +1,15 @@ |
| 2017-08-23 Even Rouault <even.rouault at spatialys.com> |
| |
| + * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting |
| + on uint32 when selecting the value of SubIFD tag by runtime check |
| + (in TIFFWriteDirectoryTagSubifd()). |
| + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 |
| + Reported by team OWL337 |
| + |
| +2017-08-23 Even Rouault <even.rouault at spatialys.com> |
| + |
| * libtiff/tif_dirwrite.c: replace assertion related to not finding the |
| - SubIFD tag by runtime check. |
| + SubIFD tag by runtime check (in TIFFWriteDirectorySec()) |
| Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 |
| Reported by team OWL337 |
| |
| diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c |
| index 14090ae..f0a4baa 100644 |
| --- a/libtiff/tif_dirwrite.c |
| +++ b/libtiff/tif_dirwrite.c |
| @@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) |
| for (p=0; p < tif->tif_dir.td_nsubifd; p++) |
| { |
| assert(pa != 0); |
| - assert(*pa <= 0xFFFFFFFFUL); |
| + |
| + /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ |
| + if( *pa > 0xFFFFFFFFUL) |
| + { |
| + TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); |
| + _TIFFfree(o); |
| + return(0); |
| + } |
| *pb++=(uint32)(*pa++); |
| } |
| n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); |
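Review bot: The `assert(pa != 0);` kept directly above the new check still guards the pointer the loop dereferences, so only one of the two assertions here has become a runtime check: built with NDEBUG it vanishes and `*pa` is read regardless, and built without NDEBUG it aborts the process the same way the removed assert did. Where `pa` is set is outside the hunk, so whether a malformed file can leave it null while `td_nsubifd` is non-zero needs confirming; if it can, give it the same error path, for example `if (pa == NULL) { TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); _TIFFfree(o); return(0); }`. The added comment would read better as `/* Could happen if a ClassicTIFF file has a SubIFD of type LONG8 (which is illegal) */`. TIFFWriteDirectoryTagSubifd begins and ends outside this hunk, so the allocation of `o` and the handling of `n` could not be checked here.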
| -- |
| 2.7.4 |
| |