| From 1855407c4e5a27ade006b26c2dec8a31745c356e Mon Sep 17 00:00:00 2001 |
| From: erouault <erouault> |
| Date: Fri, 2 Dec 2016 21:56:56 +0000 |
| Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow |
| in TIFFReadEncodedStrip() that caused an integer division by zero. Reported |
| by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 |
| |
| Upstream-Status: Backport |
| |
| CVE: CVE-2016-10266 |
| Signed-off-by: Rajkumar Veer <rveer@mvista.com> |
| --- |
| ChangeLog | 7 +++++++ |
| libtiff/tif_read.c | 2 +- |
| libtiff/tiffiop.h | 4 ++++ |
| 3 files changed, 12 insertions(+), 1 deletion(-) |
| |
| Index: tiff-4.0.7/ChangeLog |
| =================================================================== |
| --- tiff-4.0.7.orig/ChangeLog |
| +++ tiff-4.0.7/ChangeLog |
| @@ -1,3 +1,10 @@ |
| +2016-12-02 Even Rouault <even.rouault at spatialys.com> |
| + |
| + * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in |
| + TIFFReadEncodedStrip() that caused an integer division by zero. |
| + Reported by Agostino Sarubbo. |
| + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 |
| + |
| 2017-07-15 Even Rouault <even.rouault at spatialys.com> |
| |
| * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" |
| Index: tiff-4.0.7/libtiff/tif_read.c |
| =================================================================== |
| --- tiff-4.0.7.orig/libtiff/tif_read.c |
| +++ tiff-4.0.7/libtiff/tif_read.c |
| @@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 s |
| rowsperstrip=td->td_rowsperstrip; |
| if (rowsperstrip>td->td_imagelength) |
| rowsperstrip=td->td_imagelength; |
| - stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); |
| + stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); |
| stripinplane=(strip%stripsperplane); |
| plane=(uint16)(strip/stripsperplane); |
| rows=td->td_imagelength-stripinplane*rowsperstrip; |
| Index: tiff-4.0.7/libtiff/tiffiop.h |
| =================================================================== |
| --- tiff-4.0.7.orig/libtiff/tiffiop.h |
| +++ tiff-4.0.7/libtiff/tiffiop.h |
| @@ -250,6 +250,10 @@ struct tiff { |
| #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ |
| ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ |
| 0U) |
| +/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ |
| +/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ |
| +#define TIFFhowmany_32_maxuint_compat(x, y) \ |
| + (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) |
| #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) |
| #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) |
| #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) |