From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 23:08:25 +0100
Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and
4
too much bytes were processed, causing a heap buffer overrun
http://bugzilla.maptools.org/show_bug.cgi?id=2831
the loop counter must be
for (col = 0; col < width; col += 8 / bps)
Also the values were not properly calculated. It should be
255-x, 15-x, 3-x for bps 8, 4, 2.
But anyway it is easier to invert all bits as 255-x = ~x, etc.
(subtracting from a binary number composed of all 1s is like inverting
the bits)
(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0)
---
tools/tiffcrop.c | 37 ++++++-------------------------------
1 file changed, 6 insertions(+), 31 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 3862b1ca..a6129148 100644
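--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -9142,7 +9142,6 @@ static int
 invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
 {
 uint32 row, col;
- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4;
 unsigned char *src;
 uint16 *src_uint16;
 uint32 *src_uint32;
@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
 for (row = 0; row < length; row++)
 for (col = 0; col < width; col++)
 {
- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
+ *src_uint32 = ~(*src_uint32);
 src_uint32++;
 }
 break;
@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
 for (row = 0; row < length; row++)
 for (col = 0; col < width; col++)
 {
- *src_uint16 = (uint16)0xFFFF - *src_uint16;
+ *src_uint16 = ~(*src_uint16);
 src_uint16++;
 }
 break;
- case 8: for (row = 0; row < length; row++)
- for (col = 0; col < width; col++)
- {
- *src = (uint8)255 - *src;
- src++;
- }
- break;
- case 4: for (row = 0; row < length; row++)
- for (col = 0; col < width; col++)
- {
- bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
- bytebuff2 = 16 - (*src & 15);
- *src = bytebuff1 << 4 & bytebuff2;
- src++;
- }
- break;
- case 2: for (row = 0; row < length; row++)
- for (col = 0; col < width; col++)
- {
- bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
- bytebuff2 = 4 - (uint8)(*src & 48 >> 4);
- bytebuff3 = 4 - (uint8)(*src & 12 >> 2);
- bytebuff4 = 4 - (uint8)(*src & 3);
- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
- src++;
- }
- break;
+ case 8:
+ case 4:
+ case 2:
 case 1: for (row = 0; row < length; row++)
- for (col = 0; col < width; col += 8 /(spp * bps))
+ for (col = 0; col < width; col += 8 / bps)
 {
 *src = ~(*src);
 src++;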
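Review bot: The merged `case 8: case 4: case 2: case 1:` loop in the last hunk steps by `8 / bps` and no longer involves `spp`, so the number of bytes it writes matches the buffer only when each pixel has a single sample; nothing in the visible hunks enforces that, and the function takes no buffer length to check against. The lines between the hunks are not shown, so a `spp != 1` rejection may already sit earlier in the function; if it does, a comment at the loop would make the bound auditable, for example `/* spp is 1 here: one byte holds 8 / bps samples, so a row is ceil(width * bps / 8) bytes */`. The 16- and 32-bit loops rely on the same assumption, since they advance exactly `width` elements per row. invertImage's body starts before the first hunk's context and continues past the last visible line.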