| From 3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 Mon Sep 17 00:00:00 2001 |
| From: erouault <erouault> |
| Date: Wed, 11 Jan 2017 13:28:01 +0000 |
| Subject: [PATCH] * libtiff/tif_dirread.c: avoid division by floating point 0 |
| in TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(), |
| and return 0 in that case (instead of infinity as before presumably) |
| Apparently some sanitizers do not like those divisions by zero. Fixes |
| http://bugzilla.maptools.org/show_bug.cgi?id=2644 |
| |
| Upstream-Status: Backport |
| |
| CVE: CVE-2017-7598 |
| Signed-off-by: Rajkumar Veer <rveer@mvista.com> |
| Index: tiff-4.0.7/ChangeLog |
| =================================================================== |
| --- tiff-4.0.7.orig/ChangeLog 2017-04-25 16:14:59.858612730 +0530 |
| +++ tiff-4.0.7/ChangeLog 2017-04-25 18:11:36.048107127 +0530 |
| @@ -1,3 +1,4 @@ |
| + |
| 2017-01-12 Even Rouault <even.rouault at spatialys.com> |
| |
| * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable, |
| @@ -8,6 +9,14 @@ |
| |
| 2017-01-11 Even Rouault <even.rouault at spatialys.com> |
| |
| + * libtiff/tif_dirread.c: avoid division by floating point 0 in |
| + TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(), |
| + and return 0 in that case (instead of infinity as before presumably) |
| + Apparently some sanitizers do not like those divisions by zero. |
| + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644 |
| + |
| +2017-01-11 Even Rouault <even.rouault at spatialys.com> |
| + |
| * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings |
| of double to other data types to avoid undefined behaviour if the output range |
| isn't big enough to hold the input value. |
| Index: tiff-4.0.7/libtiff/tif_dirread.c |
| =================================================================== |
| --- tiff-4.0.7.orig/libtiff/tif_dirread.c 2017-04-25 16:14:59.858612730 +0530 |
| +++ tiff-4.0.7/libtiff/tif_dirread.c 2017-04-25 18:16:21.836111576 +0530 |
| @@ -2880,7 +2880,10 @@ |
| m.l = direntry->tdir_offset.toff_long8; |
| if (tif->tif_flags&TIFF_SWAB) |
| TIFFSwabArrayOfLong(m.i,2); |
| - if (m.i[0]==0) |
| + /* Not completely sure what we should do when m.i[1]==0, but some */ |
| + /* sanitizers do not like division by 0.0: */ |
| + /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ |
| + if (m.i[0]==0 || m.i[1]==0) |
| *value=0.0; |
| else |
| *value=(double)m.i[0]/(double)m.i[1]; |
| @@ -2908,7 +2911,10 @@ |
| m.l=direntry->tdir_offset.toff_long8; |
| if (tif->tif_flags&TIFF_SWAB) |
| TIFFSwabArrayOfLong(m.i,2); |
| - if ((int32)m.i[0]==0) |
| + /* Not completely sure what we should do when m.i[1]==0, but some */ |
| + /* sanitizers do not like division by 0.0: */ |
| + /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ |
| + if ((int32)m.i[0]==0 || m.i[1]==0) |
| *value=0.0; |
| else |
| *value=(double)((int32)m.i[0])/(double)m.i[1]; |