author | erouault <erouault> | 2016-08-15 20:06:40 +0000 |
---|---|---|
committer | erouault <erouault> | 2016-08-15 20:06:40 +0000 |
commit | fc8eb92852f02a06bcf8265b35f2059360dd31c5 (patch) | |
tree | 8ad0050d7643a7a77e872002345bcd796cdd1b4b | |
parent | cd6e724a665fd952a6f7b0d5923a89ca9ee1821d (diff) | |
download | libtiff-fc8eb92852f02a06bcf8265b35f2059360dd31c5.tar.gz |
* tools/tiff2rgba.c: Fix integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | tools/tiff2rgba.c | 36 |
2 files changed, 39 insertions, 5 deletions
@@ -1,3 +1,11 @@
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
+ buffer, when -b mode is enabled, that could result in out-of-bounds
+ write. Based initially on patch tiff-CVE-2016-3945.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
+ invalid tests that rejected valid files.
+
 2016-07-11 Even Rouault <even.rouault at spatialys.com>
 
 * tools/tiffcrop.c: Avoid access outside of stack allocated array
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 7d47c940..4de96aec 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2rgba.c,v 1.21 2015-06-21 01:09:10 bfriesen Exp $ */
+/* $Id: tiff2rgba.c,v 1.22 2016-08-15 20:06:41 erouault Exp $ */
 
 /*
 * Copyright (c) 1991-1997 Sam Leffler
@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
 uint32 row, col;
 uint32 *wrk_line;
 int ok = 1;
+ uint32 rastersize, wrk_linesize;
 
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
 /*
 * Allocate tile buffer
 */
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ rastersize = tile_width * tile_height * sizeof (uint32);
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
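Review bot: The new overflow test in cvt_by_tile divides by `tile_height` before anything visible in this hunk has ruled out zero, so a file whose tile length reaches this point as 0 would make `rastersize / tile_height` a division by zero instead of a reported error. The tile dimensions are fetched earlier in the function, outside the hunk, so whether zero can actually arrive here is not visible and should be confirmed. Testing the divisor first keeps the check self-contained: `if (tile_height == 0 || tile_width != (rastersize / tile_height) / sizeof (uint32))`. The matching test in cvt_by_strip (hunk at -263) divides by `rowsperstrip` and wants the same guard.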
@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
 * Allocate a scanline buffer for swapping during the vertical
 * mirroring pass.
 */
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ wrk_linesize = tile_width * sizeof (uint32);
+ if (tile_width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
 if (!wrk_line) {
 TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
 ok = 0;
@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
 uint32 row;
 uint32 *wrk_line;
 int ok = 1;
+ uint32 rastersize, wrk_linesize;
 
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
 /*
 * Allocate strip buffer
 */
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ rastersize = width * rowsperstrip * sizeof (uint32);
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
 * Allocate a scanline buffer for swapping during the vertical
 * mirroring pass.
 */
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ wrk_linesize = width * sizeof (uint32);
+ if (width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
 if (!wrk_line) {
 TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
 ok = 0;
|
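Review bot: The overflow branches added here call `exit(-1)`, while the allocation-failure branch directly below in the same hunk reports the error and sets `ok = 0`, and the raster-buffer failures `return (0)`. Exiting from inside the converter bypasses whatever cleanup the caller performs on a zero return (closing `in` and `out` happens outside these hunks, so this is inferred), and `-1` reaches the shell as status 255. For the wrk_line case I would release what is already held and return like the neighbouring paths, `_TIFFfree(raster); return (0);`, and the raster-buffer checks at -163 and -263 can simply `return (0);`. Both cvt_by_tile and cvt_by_strip continue beyond the hunks shown.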