Commit | Line | Data |
---|---|---|
62cf8fa7 LF |
1 | Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp): |
2 | ||
3 | http://bugzilla.maptools.org/show_bug.cgi?id=2656 | |
4 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225 | |
5 | https://security-tracker.debian.org/tracker/CVE-2017-5225 | |
6 | ||
7 | 2017-01-11 Even Rouault <even.rouault at spatialys.com> | |
8 | ||
9 | * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and | |
10 | cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based | |
11 | overflow. | |
12 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and | |
13 | http://bugzilla.maptools.org/show_bug.cgi?id=2657 | |
14 | ||
15 | ||
16 | less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog | |
17 | new revision: 1.1210; previous revision: 1.1209 | |
18 | /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c | |
19 | new revision: 1.61; previous revision: 1.60 | |
20 | ||
21 | Index: libtiff/tools/tiffcp.c | |
22 | =================================================================== | |
23 | RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v | |
24 | retrieving revision 1.60 | |
25 | retrieving revision 1.61 | |
26 | diff -u -r1.60 -r1.61 | |
27 | --- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60 | |
28 | +++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61 | |
29 | #@@ -1,4 +1,4 @@ | |
30 | #-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */ | |
31 | #+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */ | |
32 | # | |
33 | # /* | |
34 | # * Copyright (c) 1988-1997 Sam Leffler | |
35 | @@ -591,7 +591,7 @@ | |
36 | static int | |
37 | tiffcp(TIFF* in, TIFF* out) | |
38 | { | |
39 | - uint16 bitspersample, samplesperpixel = 1; | |
40 | + uint16 bitspersample = 1, samplesperpixel = 1; | |
41 | uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; | |
42 | copyFunc cf; | |
43 | uint32 width, length; | |
44 | @@ -1067,6 +1067,16 @@ | |
45 | register uint32 n; | |
46 | uint32 row; | |
47 | tsample_t s; | |
48 | + uint16 bps = 0; | |
49 | + | |
50 | + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); | |
51 | + if( bps != 8 ) | |
52 | + { | |
53 | + TIFFError(TIFFFileName(in), | |
54 | + "Error, can only handle BitsPerSample=8 in %s", | |
55 | + "cpContig2SeparateByRow"); | |
56 | + return 0; | |
57 | + } | |
58 | ||
59 | inbuf = _TIFFmalloc(scanlinesizein); | |
60 | outbuf = _TIFFmalloc(scanlinesizeout); | |
61 | @@ -1120,6 +1130,16 @@ | |
62 | register uint32 n; | |
63 | uint32 row; | |
64 | tsample_t s; | |
65 | + uint16 bps = 0; | |
66 | + | |
67 | + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); | |
68 | + if( bps != 8 ) | |
69 | + { | |
70 | + TIFFError(TIFFFileName(in), | |
71 | + "Error, can only handle BitsPerSample=8 in %s", | |
72 | + "cpSeparate2ContigByRow"); | |
73 | + return 0; | |
74 | + } | |
75 | ||
76 | inbuf = _TIFFmalloc(scanlinesizein); | |
77 | outbuf = _TIFFmalloc(scanlinesizeout); | |
78 | @@ -1784,7 +1804,7 @@ | |
79 | uint32 w, l, tw, tl; | |
80 | int bychunk; | |
81 | ||
82 | - (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); | |
83 | + (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); | |
84 | if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { | |
85 | fprintf(stderr, | |
86 | "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", |
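Review bot: In the two new `bps != 8` guards (cpContig2SeparateByRow and cpSeparate2ContigByRow) the return value of `TIFFGetField` is discarded, so rejecting a file that has no BitsPerSample tag depends entirely on the `bps = 0` initialiser. That fail-closed behaviour is correct but not obvious, and a comment above the call such as `/* bps stays 0 when the tag is absent, so a missing BitsPerSample is rejected too */` would keep a later cleanup from turning it into a read of an indeterminate value. The last hunk has the same pattern: `TIFFGetFieldDefaulted` is still called under `(void)`, and `shortv` is declared outside the hunk, so I cannot tell whether it has an initialiser; if it does not, giving it one (for example `= PLANARCONFIG_CONTIG`) would match what this commit does for `bitspersample` in tiffcp(). The guard is also duplicated verbatim apart from the function-name string, so a small static helper that takes the name would keep the two copy routines from drifting apart. All of the function bodies touched here begin or end outside the visible hunks.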