| From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 |
| From: erouault <erouault> |
| Date: Sat, 26 Dec 2015 17:32:03 +0000 |
| Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in |
| TIFFRGBAImage interface in case of unsupported values of |
| SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to |
| TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by |
| limingxing and CVE-2015-8683 reported by zzf of Alibaba. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2015-8665 |
| CVE: CVE-2015-8683 |
| https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 |
| |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| ChangeLog | 8 ++++++++ |
| libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- |
| 2 files changed, 30 insertions(+), 13 deletions(-) |
| |
| Index: tiff-4.0.6/libtiff/tif_getimage.c |
| =================================================================== |
| --- tiff-4.0.6.orig/libtiff/tif_getimage.c |
| +++ tiff-4.0.6/libtiff/tif_getimage.c |
| @@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 |
| "Planarconfiguration", td->td_planarconfig); |
| return (0); |
| } |
| - if( td->td_samplesperpixel != 3 ) |
| + if( td->td_samplesperpixel != 3 || colorchannels != 3 ) |
| { |
| sprintf(emsg, |
| - "Sorry, can not handle image with %s=%d", |
| - "Samples/pixel", td->td_samplesperpixel); |
| + "Sorry, can not handle image with %s=%d, %s=%d", |
| + "Samples/pixel", td->td_samplesperpixel, |
| + "colorchannels", colorchannels); |
| return 0; |
| } |
| break; |
| case PHOTOMETRIC_CIELAB: |
| - if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) |
| + if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) |
| { |
| sprintf(emsg, |
| - "Sorry, can not handle image with %s=%d and %s=%d", |
| + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", |
| "Samples/pixel", td->td_samplesperpixel, |
| + "colorchannels", colorchannels, |
| "Bits/sample", td->td_bitspersample); |
| return 0; |
| } |
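Review bot: The new error text in both branches reports `colorchannels`, an internal variable whose computation is outside this hunk, so a user who sees the message has no TIFF tag to go and inspect. If the value is derived from SamplesPerPixel and ExtraSamples, as the commit message suggests, the label should name the tag instead, e.g. `"ExtraSamples"` with the tag value in place of `"colorchannels", colorchannels`. The case label of the first branch and the rest of TIFFRGBAImageOK are outside the hunk.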
| @@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T |
| int colorchannels; |
| uint16 *red_orig, *green_orig, *blue_orig; |
| int n_color; |
| + |
| + if( !TIFFRGBAImageOK(tif, emsg) ) |
| + return 0; |
| |
| /* Initialize to normal values */ |
| img->row_offset = 0; |
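Review bot: The early `return 0` added at the top of TIFFRGBAImageBegin runs before the `/* Initialize to normal values */` block, so on this path `img` is handed back to the caller completely untouched. A caller that cleans up with TIFFRGBAImageEnd() after a failed Begin would then be working on uninitialized fields; whether any caller does that cannot be seen from this hunk. Moving the check below the initialization block, or adding a comment such as `/* img is not initialized on this path; do not call TIFFRGBAImageEnd() on failure */`, would make the contract explicit. The function body continues outside the hunk.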
| @@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) |
| case PHOTOMETRIC_RGB: |
| switch (img->bitspersample) { |
| case 8: |
| - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) |
| + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && |
| + img->samplesperpixel >= 4) |
| img->put.contig = putRGBAAcontig8bittile; |
| - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) |
| + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && |
| + img->samplesperpixel >= 4) |
| { |
| if (BuildMapUaToAa(img)) |
| img->put.contig = putRGBUAcontig8bittile; |
| } |
| - else |
| + else if( img->samplesperpixel >= 3 ) |
| img->put.contig = putRGBcontig8bittile; |
| break; |
| case 16: |
| - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) |
| + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && |
| + img->samplesperpixel >=4 ) |
| { |
| if (BuildMapBitdepth16To8(img)) |
| img->put.contig = putRGBAAcontig16bittile; |
| } |
| - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) |
| + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && |
| + img->samplesperpixel >=4 ) |
| { |
| if (BuildMapBitdepth16To8(img) && |
| BuildMapUaToAa(img)) |
| img->put.contig = putRGBUAcontig16bittile; |
| } |
| - else |
| + else if( img->samplesperpixel >=3 ) |
| { |
| if (BuildMapBitdepth16To8(img)) |
| img->put.contig = putRGBcontig16bittile; |
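Review bot: The new `samplesperpixel` guards in PickContigCase carry no comment explaining the thresholds, and the same applies to the PHOTOMETRIC_SEPARATED and PHOTOMETRIC_CIELAB hunks that follow. Per the commit message they prevent out-of-bounds reads, presumably because each put routine consumes a fixed number of samples per pixel; a line such as `/* putRGBAA/putRGBUA read 4 samples per pixel, putRGB reads 3 */` above the 8-bit branch would record that. An image whose `img->alpha` says alpha is present but which has only 3 samples now falls through to `putRGBcontig8bittile` / `putRGBcontig16bittile` and is drawn as opaque RGB rather than rejected, which deserves a comment if it is intended. When no branch matches, `img->put.contig` is not assigned here, so the hunk relies on code outside it to detect the unset handler. PickContigCase starts and ends outside the hunk.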
| @@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) |
| } |
| break; |
| case PHOTOMETRIC_SEPARATED: |
| - if (buildMap(img)) { |
| + if (img->samplesperpixel >=4 && buildMap(img)) { |
| if (img->bitspersample == 8) { |
| if (!img->Map) |
| img->put.contig = putRGBcontig8bitCMYKtile; |
| @@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) |
| } |
| break; |
| case PHOTOMETRIC_CIELAB: |
| - if (buildMap(img)) { |
| + if (img->samplesperpixel == 3 && buildMap(img)) { |
| if (img->bitspersample == 8) |
| img->put.contig = initCIELabConversion(img); |
| break; |
| Index: tiff-4.0.6/ChangeLog |
| =================================================================== |
| --- tiff-4.0.6.orig/ChangeLog |
| +++ tiff-4.0.6/ChangeLog |
| @@ -1,3 +1,11 @@ |
| +2015-12-26 Even Rouault <even.rouault at spatialys.com> |
| + |
| + * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage |
| + interface in case of unsupported values of SamplesPerPixel/ExtraSamples |
| + for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in |
| + TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and |
| + CVE-2015-8683 reported by zzf of Alibaba. |
| + |
| 2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> |
| |
| * libtiff 4.0.6 released. |