| 1 | From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 |
| 2 | From: erouault <erouault> |
| 3 | Date: Sat, 26 Dec 2015 17:32:03 +0000 |
| 4 | Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in |
| 5 | TIFFRGBAImage interface in case of unsupported values of |
| 6 | SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to |
| 7 | TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by |
| 8 | limingxing and CVE-2015-8683 reported by zzf of Alibaba. |
| 9 | |
| 10 | Upstream-Status: Backport |
| 11 | CVE: CVE-2015-8665 |
| 12 | CVE: CVE-2015-8683 |
| 13 | https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 |
| 14 | |
| 15 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 16 | |
| 17 | --- |
| 18 | ChangeLog | 8 ++++++++ |
| 19 | libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- |
| 20 | 2 files changed, 30 insertions(+), 13 deletions(-) |
| 21 | |
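--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
 "Planarconfiguration", td->td_planarconfig);
 return (0);
 }
- if( td->td_samplesperpixel != 3 )
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
 {
 sprintf(emsg,
- "Sorry, can not handle image with %s=%d",
- "Samples/pixel", td->td_samplesperpixel);
+ "Sorry, can not handle image with %s=%d, %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels);
 return 0;
 }
 break;
 case PHOTOMETRIC_CIELAB:
- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
 {
 sprintf(emsg,
- "Sorry, can not handle image with %s=%d and %s=%d",
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
 "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels,
 "Bits/sample", td->td_bitspersample);
 return 0;
 }
@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
 int colorchannels;
 uint16 *red_orig, *green_orig, *blue_orig;
 int n_color;
+
+ if( !TIFFRGBAImageOK(tif, emsg) )
+ return 0;
 
 /* Initialize to normal values */
 img->row_offset = 0;
@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
 case PHOTOMETRIC_RGB:
 switch (img->bitspersample) {
 case 8:
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+ img->samplesperpixel >= 4)
 img->put.contig = putRGBAAcontig8bittile;
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+ img->samplesperpixel >= 4)
 {
 if (BuildMapUaToAa(img))
 img->put.contig = putRGBUAcontig8bittile;
 }
- else
+ else if( img->samplesperpixel >= 3 )
 img->put.contig = putRGBcontig8bittile;
 break;
 case 16:
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+ img->samplesperpixel >=4 )
 {
 if (BuildMapBitdepth16To8(img))
 img->put.contig = putRGBAAcontig16bittile;
 }
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+ img->samplesperpixel >=4 )
 {
 if (BuildMapBitdepth16To8(img) &&
 BuildMapUaToAa(img))
 img->put.contig = putRGBUAcontig16bittile;
 }
- else
+ else if( img->samplesperpixel >=3 )
 {
 if (BuildMapBitdepth16To8(img))
 img->put.contig = putRGBcontig16bittile;
@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
 }
 break;
 case PHOTOMETRIC_SEPARATED:
- if (buildMap(img)) {
+ if (img->samplesperpixel >=4 && buildMap(img)) {
 if (img->bitspersample == 8) {
 if (!img->Map)
 img->put.contig = putRGBcontig8bitCMYKtile;
@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
 }
 break;
 case PHOTOMETRIC_CIELAB:
- if (buildMap(img)) {
+ if (img->samplesperpixel == 3 && buildMap(img)) {
 if (img->bitspersample == 8)
 img->put.contig = initCIELabConversion(img);
 break;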
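Review bot: In the TIFFRGBAImageBegin hunk the new `if( !TIFFRGBAImageOK(tif, emsg) ) return 0;` sits above the `/* Initialize to normal values */` block, so on this failure path `*img` is handed back without any field having been set. A caller that runs TIFFRGBAImageEnd() on the struct after a failed Begin would then operate on uninitialised pointers; whether any caller does that is not visible from this patch. Consider placing the check after the field initialisation, or stating the contract next to it with a comment such as `/* on failure *img is not initialised; do not call TIFFRGBAImageEnd() */`. The function body starts and ends outside the hunk.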
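--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-12-26 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+ CVE-2015-8683 reported by zzf of Alibaba.
+
 2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
 
 * libtiff 4.0.6 released.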