| From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001 |
| From: erouault <erouault> |
| Date: Wed, 11 Jan 2017 16:33:34 +0000 |
| Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on |
| signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes |
| http://bugzilla.maptools.org/show_bug.cgi?id=2650 |
| |
| Upstream-Status: Backport |
| |
| CVE: CVE-2017-7602 |
| Signed-off-by: Rajkumar Veer <rveer@mvista.com> |
| |
| Index: tiff-4.0.7/ChangeLog |
| =================================================================== |
| --- tiff-4.0.7.orig/ChangeLog 2017-04-25 18:42:07.656135638 +0530 |
| +++ tiff-4.0.7/ChangeLog 2017-04-25 18:54:36.812147299 +0530 |
| @@ -8,6 +8,12 @@ |
| |
| 2017-01-11 Even Rouault <even.rouault at spatialys.com> |
| |
| + * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer |
| + addition in TIFFReadRawStrip1() in isMapped() case. |
| + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 |
| + |
| +2017-01-11 Even Rouault <even.rouault at spatialys.com> |
| + |
| * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid |
| undefined behaviour caused by invalid shift exponent. |
| Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 |
| Index: tiff-4.0.7/libtiff/tif_read.c |
| =================================================================== |
| --- tiff-4.0.7.orig/libtiff/tif_read.c 2017-04-25 18:42:07.132135629 +0530 |
| +++ tiff-4.0.7/libtiff/tif_read.c 2017-04-25 18:58:25.272150855 +0530 |
| @@ -420,16 +420,26 @@ |
| return ((tmsize_t)(-1)); |
| } |
| } else { |
| - tmsize_t ma,mb; |
| + tmsize_t ma; |
| tmsize_t n; |
| - ma=(tmsize_t)td->td_stripoffset[strip]; |
| - mb=ma+size; |
| - if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) |
| - n=0; |
| - else if ((mb<ma)||(mb<size)||(mb>tif->tif_size)) |
| - n=tif->tif_size-ma; |
| - else |
| - n=size; |
| + if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| |
| + ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size)) |
| + { |
| + n=0; |
| + } |
| + else if( ma > TIFF_TMSIZE_T_MAX - size ) |
| + { |
| + n=0; |
| + } |
| + else |
| + { |
| + tmsize_t mb=ma+size; |
| + if (mb>tif->tif_size) |
| + n=tif->tif_size-ma; |
| + else |
| + n=size; |
| + } |
| + |
| if (n!=size) { |
| #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) |
| TIFFErrorExt(tif->tif_clientdata, module, |