| Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame^] | 1 | From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 |
| 2 | From: erouault <erouault> |
| 3 | Date: Sun, 27 Dec 2015 16:55:20 +0000 |
| 4 | Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in |
| 5 | NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif |
| 6 | (bugzilla #2508) |
| 7 | |
| 8 | Upstream-Status: Backport |
| 9 | https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c |
| 10 | hand applied Changelog changes |
| 11 | |
| 12 | CVE: CVE-2015-8784 |
| 13 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 14 | |
| 15 | --- |
| 16 | ChangeLog | 6 ++++++ |
| 17 | libtiff/tif_next.c | 10 ++++++++-- |
| 18 | 2 files changed, 14 insertions(+), 2 deletions(-) |
| 19 | |
| 20 | Index: tiff-4.0.4/ChangeLog |
| 21 | =================================================================== |
| 22 | --- tiff-4.0.4.orig/ChangeLog |
| 23 | +++ tiff-4.0.4/ChangeLog |
| 24 | @@ -1,5 +1,11 @@ |
| 25 | 2015-12-27 Even Rouault <even.rouault at spatialys.com> |
| 26 | |
| 27 | + * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() |
| 28 | + triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif |
| 29 | + (bugzilla #2508) |
| 30 | + |
| 31 | +2015-12-27 Even Rouault <even.rouault at spatialys.com> |
| 32 | + |
| 33 | * libtiff/tif_luv.c: fix potential out-of-bound writes in decode |
| 34 | functions in non debug builds by replacing assert()s by regular if |
| 35 | checks (bugzilla #2522). |
| 36 | Index: tiff-4.0.4/libtiff/tif_next.c |
| 37 | =================================================================== |
| 38 | --- tiff-4.0.4.orig/libtiff/tif_next.c |
| 39 | +++ tiff-4.0.4/libtiff/tif_next.c |
| 40 | @@ -37,7 +37,7 @@ |
| 41 | case 0: op[0] = (unsigned char) ((v) << 6); break; \ |
| 42 | case 1: op[0] |= (v) << 4; break; \ |
| 43 | case 2: op[0] |= (v) << 2; break; \ |
| 44 | - case 3: *op++ |= (v); break; \ |
| 45 | + case 3: *op++ |= (v); op_offset++; break; \ |
| 46 | } \ |
| 47 | } |
| 48 | |
| 49 | @@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize |
| 50 | uint32 imagewidth = tif->tif_dir.td_imagewidth; |
| 51 | if( isTiled(tif) ) |
| 52 | imagewidth = tif->tif_dir.td_tilewidth; |
| 53 | + tmsize_t op_offset = 0; |
| 54 | |
| 55 | /* |
| 56 | * The scanline is composed of a sequence of constant |
| 57 | @@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize |
| 58 | * bounds, potentially resulting in a security |
| 59 | * issue. |
| 60 | */ |
| 61 | - while (n-- > 0 && npixels < imagewidth) |
| 62 | + while (n-- > 0 && npixels < imagewidth && op_offset < scanline) |
| 63 | SETPIXEL(op, grey); |
| 64 | if (npixels >= imagewidth) |
| 65 | break; |
| 66 | + if (op_offset >= scanline ) { |
| 67 | + TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", |
| 68 | + (long) tif->tif_row); |
| 69 | + return (0); |
| 70 | + } |
| 71 | if (cc == 0) |
| 72 | goto bad; |
| 73 | n = *bp++, cc--; |