blob: 2c11f93d138639df2e9601fc5c6a8431bc418a19 [file] [log] [blame]
Brad Bishopd5ae7d92018-06-14 09:52:03 -07001From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001
2From: Hugo Lefeuvre <hle@debian.org>
3Date: Sun, 8 Apr 2018 14:07:08 -0400
4Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
5
6The TIFFPrintDirectory function relies on the following assumptions,
7supposed to be guaranteed by the specification:
8
9(a) A Transfer Function field is only present if the TIFF file has
10 photometric type < 3.
11
12(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
13 has count SamplesPerPixel - (Color Channels) and contains
14 information about supplementary channels.
15
16While respect of (a) and (b) are essential for the well functioning of
17TIFFPrintDirectory, no checks are realized neither by the callee nor
18by TIFFPrintDirectory itself. Hence, following scenarios might happen
19and trigger the NULL pointer dereference:
20
21(1) TIFF File of photometric type 4 or more has illegal Transfer
22 Function field.
23
24(2) TIFF File has photometric type 3 or less and defines a
25 SamplesPerPixel field such that SamplesPerPixel > Color Channels
26 without defining all extra samples in the ExtraSamples fields.
27
28In this patch, we address both issues with respect of the following
29principles:
30
31(A) In the case of (1), the defined transfer table should be printed
32 safely even if it isn't 'legal'. This allows us to avoid expensive
33 checks in TIFFPrintDirectory. Also, it is quite possible that
34 an alternative photometric type would be developed (not part of the
35 standard) and would allow definition of Transfer Table. We want
36 libtiff to be able to handle this scenario out of the box.
37
38(B) In the case of (2), the transfer table should be printed at its
39 right size, that is if TIFF file has photometric type Palette
40 then the transfer table should have one row and not three, even
41 if two extra samples are declared.
42
43In order to fulfill (A) we simply add a new 'i < 3' end condition to
44the broken TIFFPrintDirectory loop. This makes sure that in any case
45where (b) would be respected but not (a), everything stays fine.
46
47(B) is fulfilled by the loop condition
48'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
49long as (b) is respected.
50
51Naturally, we also make sure (b) is respected. This is done in the
52TIFFReadDirectory function by making sure any non-color channel is
53counted in ExtraSamples.
54
55This commit addresses CVE-2018-7456.
56
57---
58CVE: CVE-2018-7456
59
60Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/be4c85b...]
61
62Signed-off-by: Joe Slater <joe.slater@windriver.com>
63
64---
65 libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++
66 libtiff/tif_print.c | 2 +-
67 2 files changed, 63 insertions(+), 1 deletion(-)
68
69diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
70index 6baa7b3..af5b84a 100644
71--- a/libtiff/tif_dirread.c
72+++ b/libtiff/tif_dirread.c
73@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
74 static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
75 static void ChopUpSingleUncompressedStrip(TIFF*);
76 static uint64 TIFFReadUInt64(const uint8 *value);
77+static int _TIFFGetMaxColorChannels(uint16 photometric);
78
79 static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
80
81@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
82 }
83
84 /*
85+ * Return the maximum number of color channels specified for a given photometric
86+ * type. 0 is returned if photometric type isn't supported or no default value
87+ * is defined by the specification.
88+ */
89+static int _TIFFGetMaxColorChannels( uint16 photometric )
90+{
91+ switch (photometric) {
92+ case PHOTOMETRIC_PALETTE:
93+ case PHOTOMETRIC_MINISWHITE:
94+ case PHOTOMETRIC_MINISBLACK:
95+ return 1;
96+ case PHOTOMETRIC_YCBCR:
97+ case PHOTOMETRIC_RGB:
98+ case PHOTOMETRIC_CIELAB:
99+ return 3;
100+ case PHOTOMETRIC_SEPARATED:
101+ case PHOTOMETRIC_MASK:
102+ return 4;
103+ case PHOTOMETRIC_LOGL:
104+ case PHOTOMETRIC_LOGLUV:
105+ case PHOTOMETRIC_CFA:
106+ case PHOTOMETRIC_ITULAB:
107+ case PHOTOMETRIC_ICCLAB:
108+ default:
109+ return 0;
110+ }
111+}
112+
113+/*
114 * Read the next TIFF directory from a file and convert it to the internal
115 * format. We read directories sequentially.
116 */
117@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
118 uint32 fii=FAILED_FII;
119 toff_t nextdiroff;
120 int bitspersample_read = FALSE;
121+ int color_channels;
122
123 tif->tif_diroff=tif->tif_nextdiroff;
124 if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
125@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
126 }
127 }
128 }
129+
130+ /*
131+ * Make sure all non-color channels are extrasamples.
132+ * If it's not the case, define them as such.
133+ */
134+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
135+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
136+ uint16 old_extrasamples;
137+ uint16 *new_sampleinfo;
138+
139+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
140+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
141+ "Defining non-color channels as ExtraSamples.");
142+
143+ old_extrasamples = tif->tif_dir.td_extrasamples;
144+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
145+
146+ // sampleinfo should contain information relative to these new extra samples
147+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
148+ if (!new_sampleinfo) {
149+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
150+ "temporary new sampleinfo array (%d 16 bit elements)",
151+ tif->tif_dir.td_extrasamples);
152+ goto bad;
153+ }
154+
155+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
156+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
157+ _TIFFfree(new_sampleinfo);
158+ }
159+
160 /*
161 * Verify Palette image has a Colormap.
162 */
163diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
164index 8deceb2..1d86adb 100644
165--- a/libtiff/tif_print.c
166+++ b/libtiff/tif_print.c
167@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
168 uint16 i;
169 fprintf(fd, " %2ld: %5u",
170 l, td->td_transferfunction[0][l]);
171- for (i = 1; i < td->td_samplesperpixel; i++)
172+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
173 fprintf(fd, " %5u",
174 td->td_transferfunction[i][l]);
175 fputc('\n', fd);
176--
1771.7.9.5
178