| From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001 |
| From: erouault <erouault> |
| Date: Wed, 11 Jan 2017 19:25:44 +0000 |
| Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow |
| and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based |
| overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and |
| http://bugzilla.maptools.org/show_bug.cgi?id=2657 |
| |
| Fixes CVE-2017-5225 |
| |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| tools/tiffcp.c | 24 ++++++++++++++++++++++-- |
| 1 file changed, 29 insertions(+), 2 deletions(-) |
| |
| diff --git a/tools/tiffcp.c b/tools/tiffcp.c |
| index bdf754c3..8bbcd52f 100644 |
| --- a/tools/tiffcp.c |
| +++ b/tools/tiffcp.c |
| @@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16); |
| static int |
| tiffcp(TIFF* in, TIFF* out) |
| { |
| - uint16 bitspersample, samplesperpixel = 1; |
| + uint16 bitspersample = 1, samplesperpixel = 1; |
| uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; |
| copyFunc cf; |
| uint32 width, length; |
| @@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow) |
| register uint32 n; |
| uint32 row; |
| tsample_t s; |
| + uint16 bps = 0; |
| + |
| + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); |
| + if( bps != 8 ) |
| + { |
| + TIFFError(TIFFFileName(in), |
| + "Error, can only handle BitsPerSample=8 in %s", |
| + "cpContig2SeparateByRow"); |
| + return 0; |
| + } |
| |
| inbuf = _TIFFmalloc(scanlinesizein); |
| outbuf = _TIFFmalloc(scanlinesizeout); |
| @@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow) |
| register uint32 n; |
| uint32 row; |
| tsample_t s; |
| + uint16 bps = 0; |
| + |
| + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); |
| + if( bps != 8 ) |
| + { |
| + TIFFError(TIFFFileName(in), |
| + "Error, can only handle BitsPerSample=8 in %s", |
| + "cpSeparate2ContigByRow"); |
| + return 0; |
| + } |
| |
| inbuf = _TIFFmalloc(scanlinesizein); |
| outbuf = _TIFFmalloc(scanlinesizeout); |
| @@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel) |
| uint32 w, l, tw, tl; |
| int bychunk; |
| |
| - (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); |
| + (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); |
| if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { |
| fprintf(stderr, |
| "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", |
| -- |
| 2.11.0 |
| |