* tools/tiff2pdf.c: Fix two crashes (oCERT-2014-013)

author: erouault <erouault> 2015-01-22 09:58:49 +0000
committer: erouault <erouault> 2015-01-22 09:58:49 +0000
commit: f4c85dbdee61ea81f9c3f3998eb06a5faeab4734 (patch)
tree: 377ecdb4e8b4ff3e333add9dc10b175fb11a89e2 /tools
parent: 00829045979d24e4bdbb0db385082b47124ab96c (diff)
download: libtiff-f4c85dbdee61ea81f9c3f3998eb06a5faeab4734.tar.gz
1 files changed, 32 insertions, 2 deletions
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index ab49824f..3761d387 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.82 2015-01-05 19:03:11 olivier Exp $
+/* $Id: tiff2pdf.c,v 1.83 2015-01-22 09:58:49 erouault Exp $
  *
  * tiff2pdf - converts a TIFF image to a PDF document
  *
@@ -32,6 +32,7 @@
 #include <ctype.h>
 #include <time.h>
 #include <errno.h>
+#include <limits.h>
 
 #if HAVE_UNISTD_H
 # include <unistd.h>
@@ -1404,10 +1405,28 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
 							&xuint16, &xuint16p)
 					   && xuint16 == 1) {
 						if(xuint16p[0] == EXTRASAMPLE_ASSOCALPHA){
+							if( t2p->tiff_bitspersample != 8 )
+							{
+							    TIFFError(
+								    TIFF2PDF_MODULE, 
+								    "No support for BitsPerSample=%d for RGBA",
+								    t2p->tiff_bitspersample);
+							    t2p->t2p_error = T2P_ERR_ERROR;
+							    return;
+							}
 							t2p->pdf_sample=T2P_SAMPLE_RGBAA_TO_RGB;
 							break;
 						}
 						if(xuint16p[0] == EXTRASAMPLE_UNASSALPHA){
+							if( t2p->tiff_bitspersample != 8 )
+							{
+							    TIFFError(
+								    TIFF2PDF_MODULE, 
+								    "No support for BitsPerSample=%d for RGBA",
+								    t2p->tiff_bitspersample);
+							    t2p->t2p_error = T2P_ERR_ERROR;
+							    return;
+							}
 							t2p->pdf_sample=T2P_SAMPLE_RGBA_TO_RGB;
 							break;
 						}
@@ -1701,6 +1720,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
 	}
 
 	t2p_compose_pdf_page(t2p);
+        if( t2p->t2p_error == T2P_ERR_ERROR )
+	    return;
 
 	t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
 	if(t2p->pdf_nopassthrough==0){
@@ -3643,7 +3664,7 @@ t2p_sample_rgba_to_rgb(tdata_t data, uint32 samplecount)
 	uint32 i = 0;
 	uint32 sample = 0;
 	uint8 alpha = 0;
-	
+
 	for (i = 0; i < samplecount; i++) {
 		sample=((uint32*)data)[i];
 		alpha=(uint8)((255 - ((sample >> 24) & 0xff)));
@@ -4374,6 +4395,15 @@ void t2p_compose_pdf_page(T2P* t2p){
 	} else {
 		tilewidth=(t2p->tiff_tiles[t2p->pdf_page]).tiles_tilewidth;
 		tilelength=(t2p->tiff_tiles[t2p->pdf_page]).tiles_tilelength;
+		if( tilewidth > INT_MAX ||
+		    tilelength > INT_MAX ||
+		    t2p->tiff_width > INT_MAX - tilewidth ||
+		    t2p->tiff_length > INT_MAX - tilelength )
+		{
+		    TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+		    t2p->t2p_error = T2P_ERR_ERROR;
+		    return;
+		}
 		tilecountx=(t2p->tiff_width + 
 			tilewidth -1)/ 
 			tilewidth;
author	erouault <erouault>	2015-01-22 09:58:49 +0000
committer	erouault <erouault>	2015-01-22 09:58:49 +0000
commit	f4c85dbdee61ea81f9c3f3998eb06a5faeab4734 (patch)
tree	377ecdb4e8b4ff3e333add9dc10b175fb11a89e2 /tools
parent	00829045979d24e4bdbb0db385082b47124ab96c (diff)
download	libtiff-f4c85dbdee61ea81f9c3f3998eb06a5faeab4734.tar.gz