diff options
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | libtiff/tif_thunder.c | 38 |
2 files changed, 40 insertions, 7 deletions
@@ -1,3 +1,12 @@ +2011-03-12 Frank Warmerdam <warmerdam@pobox.com> + + * libtiff/tif_thunder.c: Correct potential buffer overflow with + thunder encoded files with wrong bitspersample set. The libtiff + development team would like to thank Marin Barbella and TippingPoint's + Zero Day Initiative for reporting this vulnerability (ZDI-CAN-1004, + CVE-2011-1167). + http://bugzilla.maptools.org/show_bug.cgi?id=2300 + 2011-03-10 Frank Warmerdam <warmerdam@pobox.com> * libtiff/tif_fax3.h: Fix to last change allowing zero length diff --git a/libtiff/tif_thunder.c b/libtiff/tif_thunder.c index 8e7a1258..62e4bc75 100644 --- a/libtiff/tif_thunder.c +++ b/libtiff/tif_thunder.c @@ -1,4 +1,4 @@ -/* $Id: tif_thunder.c,v 1.5.2.1 2010-06-08 18:50:43 bfriesen Exp $ */ +/* $Id: tif_thunder.c,v 1.5.2.2 2011-03-21 16:01:28 fwarmerdam Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -25,6 +25,7 @@ */ #include "tiffiop.h" +#include <assert.h> #ifdef THUNDER_SUPPORT /* * TIFF Library. @@ -55,12 +56,32 @@ static const int twobitdeltas[4] = { 0, 1, 0, -1 }; static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; -#define SETPIXEL(op, v) { \ - lastpixel = (v) & 0xf; \ - if (npixels++ & 1) \ - *op++ |= lastpixel; \ - else \ +#define SETPIXEL(op, v) { \ + lastpixel = (v) & 0xf; \ + if ( npixels < maxpixels ) \ + { \ + if (npixels++ & 1) \ + *op++ |= lastpixel; \ + else \ op[0] = (tidataval_t) (lastpixel << 4); \ + } \ +} + +static int +ThunderSetupDecode(TIFF* tif) +{ + static const char module[] = "ThunderSetupDecode"; + + if( tif->tif_dir.td_bitspersample != 4 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.", + (int) tif->tif_dir.td_bitspersample ); + return 0; + } + + + return (1); } static int @@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s) occ -= tif->tif_scanlinesize; row += tif->tif_scanlinesize; } - return (1); + + return (1); } int @@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int scheme) (void) scheme; tif->tif_decoderow = ThunderDecodeRow; tif->tif_decodestrip = ThunderDecodeRow; + tif->tif_setupdecode = ThunderSetupDecode; return (1); } #endif /* THUNDER_SUPPORT */ @@ -163,3 +186,4 @@ TIFFInitThunderScan(TIFF* tif, int scheme) * fill-column: 78 * End: */ + |