| From 43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec Mon Sep 17 00:00:00 2001 |
| From: erouault <erouault> |
| Date: Sat, 3 Dec 2016 11:15:18 +0000 |
| Subject: [PATCH] * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case |
| of failure in OJPEGPreDecode(). This will avoid a divide by zero, and |
| potential other issues. Reported by Agostino Sarubbo. Fixes |
| http://bugzilla.maptools.org/show_bug.cgi?id=2611 |
| |
| Fixes CVE-2016-10267 |
| |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| libtiff/tif_ojpeg.c | 8 ++++++++ |
| 1 files changed, 15 insertions(+) |
| |
| diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c |
| index 1ccc3f9b..f19e8fd0 100644 |
| --- a/libtiff/tif_ojpeg.c |
| +++ b/libtiff/tif_ojpeg.c |
| @@ -244,6 +244,7 @@ typedef enum { |
| |
| typedef struct { |
| TIFF* tif; |
| + int decoder_ok; |
| #ifndef LIBJPEG_ENCAP_EXTERNAL |
| JMP_BUF exit_jmpbuf; |
| #endif |
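Review bot: The new `decoder_ok` field has no comment, and nothing in this patch initialises it to 0. The guard added in OJPEGDecode() is therefore only sound if the OJPEGState allocation is zero-filled, which happens outside the visible hunks and should be confirmed. I would state the contract on the field itself, e.g. `int decoder_ok; /* 1 only after OJPEGPreDecode() succeeded; must start at 0 */`. The struct definition continues past the end of this hunk.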
| @@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s) |
| } |
| sp->write_curstrile++; |
| } |
| + sp->decoder_ok = 1; |
| return(1); |
| } |
| |
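Review bot: `sp->decoder_ok = 1;` is set on the success path but no visible line ever clears it, so the flag looks sticky. Once one strip or tile has been pre-decoded successfully, a later OJPEGPreDecode() failure would leave `decoder_ok` at 1, and the guard in OJPEGDecode() (third hunk) would not trip. The early `return(0)` paths of OJPEGPreDecode() are outside this hunk, so this is inferred; if they do not reset the flag, add `sp->decoder_ok = 0;` at the top of OJPEGPreDecode() so every call has to earn it again. Whether callers stop after a failed pre-decode is not visible here either, which makes the reset the safer default for a fix aimed at malformed input.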
| @@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif) |
| static int |
| OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) |
| { |
| + static const char module[]="OJPEGDecode"; |
| OJPEGState* sp=(OJPEGState*)tif->tif_data; |
| (void)s; |
| + if( !sp->decoder_ok ) |
| + { |
| + TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); |
| + return 0; |
| + } |
| if (sp->libjpeg_jpeg_query_style==0) |
| { |
| if (OJPEGDecodeRaw(tif,buf,cc)==0) |
| -- |
| 2.11.0 |
| |