| From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001 |
| From: Even Rouault <even.rouault@spatialys.com> |
| Date: Fri, 30 Jun 2017 17:29:44 +0000 |
| Subject: [PATCH] * libtiff/tif_dirwrite.c: in |
| TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 |
| data type, replace assertion that the file is BigTIFF, by a non-fatal error. |
| Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team |
| OWL337 |
| |
| Upstream-Status: Backport |
| [https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1] |
| |
| CVE: CVE-2017-10688 |
| |
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| --- |
| ChangeLog | 8 ++++++++ |
| libtiff/tif_dirwrite.c | 20 ++++++++++++++++---- |
| 2 files changed, 24 insertions(+), 4 deletions(-) |
| |
| Index: tiff-4.0.7/ChangeLog |
| =================================================================== |
| --- tiff-4.0.7.orig/ChangeLog |
| +++ tiff-4.0.7/ChangeLog |
| @@ -1,3 +1,11 @@ |
| +2017-06-30 Even Rouault <even.rouault at spatialys.com> |
| + |
| + * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() |
| + functions associated with LONG8/SLONG8 data type, replace assertion that |
| + the file is BigTIFF, by a non-fatal error. |
| + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 |
| + Reported by team OWL337 |
| + |
| 2017-06-26 Even Rouault <even.rouault at spatialys.com> |
| |
| * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() |
| Index: tiff-4.0.7/libtiff/tif_dirwrite.c |
| =================================================================== |
| --- tiff-4.0.7.orig/libtiff/tif_dirwrite.c |
| +++ tiff-4.0.7/libtiff/tif_dirwrite.c |
| @@ -2047,7 +2047,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* |
| { |
| uint64 m; |
| assert(sizeof(uint64)==8); |
| - assert(tif->tif_flags&TIFF_BIGTIFF); |
| + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { |
| + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); |
| + return(0); |
| + } |
| m=value; |
| if (tif->tif_flags&TIFF_SWAB) |
| TIFFSwabLong8(&m); |
| @@ -2060,7 +2063,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(T |
| { |
| assert(count<0x20000000); |
| assert(sizeof(uint64)==8); |
| - assert(tif->tif_flags&TIFF_BIGTIFF); |
| + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { |
| + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); |
| + return(0); |
| + } |
| if (tif->tif_flags&TIFF_SWAB) |
| TIFFSwabArrayOfLong8(value,count); |
| return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); |
| @@ -2072,7 +2078,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* |
| { |
| int64 m; |
| assert(sizeof(int64)==8); |
| - assert(tif->tif_flags&TIFF_BIGTIFF); |
| + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { |
| + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); |
| + return(0); |
| + } |
| m=value; |
| if (tif->tif_flags&TIFF_SWAB) |
| TIFFSwabLong8((uint64*)(&m)); |
| @@ -2085,7 +2094,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array( |
| { |
| assert(count<0x20000000); |
| assert(sizeof(int64)==8); |
| - assert(tif->tif_flags&TIFF_BIGTIFF); |
| + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { |
| + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); |
| + return(0); |
| + } |
| if (tif->tif_flags&TIFF_SWAB) |
| TIFFSwabArrayOfLong8((uint64*)value,count); |
| return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); |