* tools/tiffcrop.c: Patch from Richard Nolde to avoid a

potentially unterminated buffer due to using an exceptionally long file name.
author: bfriesen <bfriesen> 2010-07-13 15:52:01 +0000
committer: bfriesen <bfriesen> 2010-07-13 15:52:01 +0000
commit: 6ee141d4e0f8a812b788b343088d850ce7725b67 (patch)
tree: aa24056024fde7b59ac67e1d5acdd873fb96be5c
parent: d1e10cb5e5277c375f835f6cd19bc0b272a74a40 (diff)
download: libtiff-6ee141d4e0f8a812b788b343088d850ce7725b67.tar.gz
2 files changed, 46 insertions, 14 deletions
diff --git a/ChangeLog b/ChangeLog
index b27b4036..0ea8c0cd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2010-07-13  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+	* tools/tiffcrop.c: Patch from Richard Nolde to avoid a
+	potentially unterminated buffer due to using an exceptionally long
+	file name.
+
 2010-07-08  Andrey Kiselev  <dron@ak4719.spb.edu>
 
 	* tools/tiff2pdf.c: Fixed ID buffer filling in
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 69e403d3..8cc0863e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.3.2.13 2010-06-16 01:54:25 bfriesen Exp $ */
+/* $Id: tiffcrop.c,v 1.3.2.14 2010-07-13 15:52:01 bfriesen Exp $ */
 
 /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
  * the image data through additional options listed below
@@ -6,7 +6,7 @@
  * Original code:
  * Copyright (c) 1988-1997 Sam Leffler
  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
- * Additions (c) Richard Nolde 2006-2009 
+ * Additions (c) Richard Nolde 2006-2010 
  *
  * Permission to use, copy, modify, distribute, and sell this software and 
  * its documentation for any purpose is hereby granted without fee, provided
@@ -108,7 +108,7 @@
  */
 
 static   char tiffcrop_version_id[] = "2.3";
-static   char tiffcrop_rev_date[] = "06-15-2010";
+static   char tiffcrop_rev_date[] = "07-12-2010";
 
 #include "tif_config.h"
 #include "tiffiop.h"
@@ -152,6 +152,11 @@ extern int getopt(int, char**, char*);
 #define	TRUE	1
 #define	FALSE	0
 
+#ifndef TIFFhowmany
+#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y)))
+#define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+#endif
+
 /*
  * Definitions and data structures required to support cropping and image
  * manipulations.
@@ -200,6 +205,7 @@ extern int getopt(int, char**, char*);
 #define MAX_IMAGES 2048  /* number of images in descrete list, not in the file */
 #define MAX_SAMPLES   8  /* maximum number of samples per pixel supported */
 #define MAX_BITS_PER_SAMPLE 64 /* maximum bit depth supported */
+#define MAX_EXPORT_PAGES 999999  /* maximum number of export pages per file */
 
 #define DUMP_NONE   0
 #define DUMP_TEXT   1
@@ -1670,9 +1676,6 @@ void  process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
                     (opt_ptr = strtok (NULL, ",")), i++)
                     {
 		    opt_offset = strpbrk(opt_ptr, ":=");
-		    /*
-		    opt_offset = strchr(opt_ptr, ':');
-		    */
                     if (opt_offset == NULL)
                       {
                       TIFFError("Invalid dump option", "%s", optarg);
@@ -1717,12 +1720,18 @@ void  process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
                       { /* Look for dump level specification */
                       if (strncmp (opt_ptr, "lev", 3) == 0)
                         dump->level = atoi(opt_offset + 1);
-                      /* Look for input data dump file name */
+                        /* Look for input data dump file name */
                       if (strncmp (opt_ptr, "in", 2) == 0)
+		        {
                         strncpy (dump->infilename, opt_offset + 1, PATH_MAX - 20);
-                       /* Look for output data dump file name */
+                        dump->infilename[PATH_MAX - 20] = '\0';
+                        }
+                        /* Look for output data dump file name */
                       if (strncmp (opt_ptr, "out", 3) == 0)
-                          strncpy (dump->outfilename, opt_offset + 1, PATH_MAX - 20);
+			{
+                        strncpy (dump->outfilename, opt_offset + 1, PATH_MAX - 20);
+                        dump->outfilename[PATH_MAX - 20] = '\0';
+                        }
                       if (strncmp (opt_ptr, "deb", 3) == 0)
 			dump->debug = atoi(opt_offset + 1);
 		      }
@@ -2031,7 +2040,6 @@ update_output_file (TIFF **tiffout, char *mode, int autoindex,
   char   export_ext[16];
   char   exportname[PATH_MAX];
 
-  strcpy (export_ext, ".tiff");
   if (autoindex && (*tiffout != NULL))
     {   
     /* Close any export file that was previously opened */
@@ -2039,7 +2047,11 @@ update_output_file (TIFF **tiffout, char *mode, int autoindex,
     *tiffout = NULL;
     }
 
-  strncpy (exportname, outname, PATH_MAX - 15);
+  strcpy (export_ext, ".tiff");
+  memset (exportname, '\0', PATH_MAX);
+
+  /* Leave room for page number portion of the new filename */
+  strncpy (exportname, outname, PATH_MAX - 16);
   if (*tiffout == NULL)   /* This is a new export file */
     {
     if (autoindex)
@@ -2054,10 +2066,18 @@ update_output_file (TIFF **tiffout, char *mode, int autoindex,
         strncpy (export_ext, ".tiff", 5);
       export_ext[5] = '\0';
 
+      /* MAX_EXPORT_PAGES limited to 6 digits to prevent string overflow of pathname */
+      if (findex > MAX_EXPORT_PAGES)
+	{
+	TIFFError("update_output_file", "Maximum of %d pages per file exceeded.\n", MAX_EXPORT_PAGES);
+        return 1;
+        }
+
       sprintf (filenum, "-%03d%s", findex, export_ext);
-      filenum[15] = '\0';
-      strncat (exportname, filenum, 14);
+      filenum[14] = '\0';
+      strncat (exportname, filenum, 15);
       }
+    exportname[PATH_MAX - 1] = '\0';
 
     *tiffout = TIFFOpen(exportname, mode);
     if (*tiffout == NULL)
@@ -2113,7 +2133,7 @@ main(int argc, char* argv[])
   unsigned int  end_of_input = FALSE;
   int    seg, length;
   char   temp_filename[PATH_MAX + 1];
-  memset (temp_filename, '\0', PATH_MAX + 1);              
+
   little_endian = *((unsigned char *)&little_endian) & '1';
 
   initImageData(&image);
@@ -2204,6 +2224,9 @@ main(int argc, char* argv[])
           if (dump.infile != NULL)
             fclose (dump.infile);
 
+          /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes 
+             fewer than PATH_MAX */ 
+          memset (temp_filename, '\0', PATH_MAX + 1);              
           sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
                   (dump.format == DUMP_TEXT) ? "txt" : "raw");
           if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
@@ -2220,6 +2243,9 @@ main(int argc, char* argv[])
           if (dump.outfile != NULL)
             fclose (dump.outfile);
 
+          /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes 
+             fewer than PATH_MAX */ 
+          memset (temp_filename, '\0', PATH_MAX + 1);              
           sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
                   (dump.format == DUMP_TEXT) ? "txt" : "raw");
           if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
author	bfriesen <bfriesen>	2010-07-13 15:52:01 +0000
committer	bfriesen <bfriesen>	2010-07-13 15:52:01 +0000
commit	6ee141d4e0f8a812b788b343088d850ce7725b67 (patch)
tree	aa24056024fde7b59ac67e1d5acdd873fb96be5c
parent	d1e10cb5e5277c375f835f6cd19bc0b272a74a40 (diff)
download	libtiff-6ee141d4e0f8a812b788b343088d850ce7725b67.tar.gz