From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001

From: Even Rouault <even.rouault@spatialys.com>

Date: Tue, 30 Oct 2018 18:50:27 +0100

Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in

 case of out of memory situation. Fixes

 http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661

(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)

---

 libtiff/tiffiop.h |  1 +

 tools/tiff2bw.c   | 30 ++++++++++++++++++++++++++----

 tools/tiffcrop.c  |  5 -----

 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h

index daa291c0..08e5dc44 100644

--- a/libtiff/tiffiop.h

+++ b/libtiff/tiffiop.h

@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);

 #endif

 #define    streq(a,b)      (strcmp(a,b) == 0)

+#define    strneq(a,b,n)   (strncmp(a,b,n) == 0)

 #ifndef TRUE

 #define	TRUE	1

diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c

index dad54afa..1f3bb2cd 100644

--- a/tools/tiff2bw.c

+++ b/tools/tiff2bw.c

@@ -40,9 +40,7 @@

 #endif

 #include "tiffio.h"

-

-#define	streq(a,b)	(strcmp((a),(b)) == 0)

-#define	strneq(a,b,n)	(strncmp(a,b,n) == 0)

+#include "tiffiop.h"

 /* x% weighting -> fraction of full color */

 #define	PCT(x)	(((x)*256+50)/100)

@@ -223,6 +221,11 @@ main(int argc, char* argv[])

 	TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);

 	TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");

 	outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));

+        if( !outbuf )

+        {

+            fprintf(stderr, "Out of memory\n");

+            goto tiff2bw_error;

+        }

 	TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,

 	    TIFFDefaultStripSize(out, rowsperstrip));

@@ -246,6 +249,11 @@ main(int argc, char* argv[])

 #undef CVT

 		}

 		inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));

+                if( !inbuf )

+                {

+                    fprintf(stderr, "Out of memory\n");

+                    goto tiff2bw_error;

+                }

 		for (row = 0; row < h; row++) {

 			if (TIFFReadScanline(in, inbuf, row, 0) < 0)

 				break;

@@ -256,6 +264,11 @@ main(int argc, char* argv[])

 		break;

 	case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):

 		inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));

+                if( !inbuf )

+                {

+                    fprintf(stderr, "Out of memory\n");

+                    goto tiff2bw_error;

+                }

 		for (row = 0; row < h; row++) {

 			if (TIFFReadScanline(in, inbuf, row, 0) < 0)

 				break;

@@ -265,8 +278,16 @@ main(int argc, char* argv[])

 		}

 		break;

 	case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):

+        {

+                tmsize_t inbufsize;

 		rowsize = TIFFScanlineSize(in);

-		inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);

+                inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);

+		inbuf = (unsigned char *)_TIFFmalloc(inbufsize);

+                if( !inbuf )

+                {

+                    fprintf(stderr, "Out of memory\n");

+                    goto tiff2bw_error;

+                }

 		for (row = 0; row < h; row++) {

 			for (s = 0; s < 3; s++)

 				if (TIFFReadScanline(in,

@@ -278,6 +299,7 @@ main(int argc, char* argv[])

 				break;

 		}

 		break;

+        }

 	}

 #undef pack

         if (inbuf)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c

index c60cb389..3862b1ca 100644

--- a/tools/tiffcrop.c

+++ b/tools/tiffcrop.c

@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);

 #define TIFF_UINT32_MAX     0xFFFFFFFFU

-#ifndef streq

-#define	streq(a,b)	(strcmp((a),(b)) == 0)

-#endif

-#define	strneq(a,b,n)	(strncmp((a),(b),(n)) == 0)

-

 #define	TRUE	1

 #define	FALSE	0