diff options
| author | fwarmerdam <fwarmerdam> | 2011-03-21 16:02:27 +0000 |
|---|---|---|
| committer | fwarmerdam <fwarmerdam> | 2011-03-21 16:02:27 +0000 |
| commit | 3061496d6a47c14c445b03681b511d5456672609 (patch) | |
| tree | a879f45f5e88111368cbdadb9e8f95ee2f505643 /libtiff/tif_thunder.c | |
| parent | b53b30b6f5f1e353767b3a65a5d5d4a6cbf75dd7 (diff) | |
| download | libtiff-3061496d6a47c14c445b03681b511d5456672609.tar.gz | |
Correct potential buffer overflow with thunder encoded files with wrong
bitspersample set (CVE-2011-1167)
http://bugzilla.maptools.org/show_bug.cgi?id=2300
Diffstat (limited to 'libtiff/tif_thunder.c')
| -rw-r--r-- | libtiff/tif_thunder.c | 38 |
1 files changed, 31 insertions, 7 deletions
diff --git a/libtiff/tif_thunder.c b/libtiff/tif_thunder.c index dcb1a777..5f3257fb 100644 --- a/libtiff/tif_thunder.c +++ b/libtiff/tif_thunder.c @@ -1,4 +1,4 @@ -/* $Id: tif_thunder.c,v 1.10 2010-03-10 18:56:49 bfriesen Exp $ */ +/* $Id: tif_thunder.c,v 1.11 2011-03-21 16:02:27 fwarmerdam Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -25,6 +25,7 @@ */ #include "tiffiop.h" +#include <assert.h> #ifdef THUNDER_SUPPORT /* * TIFF Library. @@ -55,12 +56,32 @@ static const int twobitdeltas[4] = { 0, 1, 0, -1 }; static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; -#define SETPIXEL(op, v) { \ - lastpixel = (v) & 0xf; \ - if (npixels++ & 1) \ - *op++ |= lastpixel; \ - else \ +#define SETPIXEL(op, v) { \ + lastpixel = (v) & 0xf; \ + if ( npixels < maxpixels ) \ + { \ + if (npixels++ & 1) \ + *op++ |= lastpixel; \ + else \ op[0] = (uint8) (lastpixel << 4); \ + } \ +} + +static int +ThunderSetupDecode(TIFF* tif) +{ + static const char module[] = "ThunderSetupDecode"; + + if( tif->tif_dir.td_bitspersample != 4 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.", + (int) tif->tif_dir.td_bitspersample ); + return 0; + } + + + return (1); } static int @@ -139,7 +160,8 @@ ThunderDecode(TIFF* tif, uint8* op, tmsize_t maxpixels) #endif return (0); } - return (1); + + return (1); } static int @@ -167,6 +189,8 @@ int TIFFInitThunderScan(TIFF* tif, int scheme) { (void) scheme; + + tif->tif_setupdecode = ThunderSetupDecode; tif->tif_decoderow = ThunderDecodeRow; tif->tif_decodestrip = ThunderDecodeRow; return (1); |