From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001

From: Thomas Bernard <miniupnp@free.fr>

Date: Mon, 11 Feb 2019 23:08:25 +0100

Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and

 4

too much bytes were processed, causing a heap buffer overrun

    http://bugzilla.maptools.org/show_bug.cgi?id=2831

the loop counter must be

    for (col = 0; col < width; col += 8 / bps)

Also the values were not properly calculated. It should be

255-x, 15-x, 3-x for bps 8, 4, 2.

But anyway it is easyer to invert all bits as 255-x = ~x, etc.

(substracting from a binary number composed of all 1 is like inverting

the bits)

(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0)

---

 tools/tiffcrop.c | 37 ++++++-------------------------------

 1 file changed, 6 insertions(+), 31 deletions(-)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c

index 3862b1ca..a6129148 100644

--- a/tools/tiffcrop.c

+++ b/tools/tiffcrop.c

@@ -9142,7 +9142,6 @@ static int

 invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)

   {

   uint32   row, col;

-  unsigned char  bytebuff1, bytebuff2, bytebuff3, bytebuff4;

   unsigned char *src;

   uint16        *src_uint16;

   uint32        *src_uint32;

@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len

              for (row = 0; row < length; row++)

                for (col = 0; col < width; col++)

                  {

-		 *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;

+		 *src_uint32 = ~(*src_uint32);

                   src_uint32++;

                  }

             break;

@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len

              for (row = 0; row < length; row++)

                for (col = 0; col < width; col++)

                  {

-		 *src_uint16 = (uint16)0xFFFF - *src_uint16;

+		 *src_uint16 = ~(*src_uint16);

                   src_uint16++;

                  }

             break;

-    case 8: for (row = 0; row < length; row++)

-              for (col = 0; col < width; col++)

-                {

-		*src = (uint8)255 - *src;

-                 src++;

-                }

-            break;

-    case 4: for (row = 0; row < length; row++)

-              for (col = 0; col < width; col++)

-                {

-		bytebuff1 = 16 - (uint8)(*src & 240 >> 4);

-		bytebuff2 = 16 - (*src & 15);

-		*src = bytebuff1 << 4 & bytebuff2;

-                src++;

-                }

-            break;

-    case 2: for (row = 0; row < length; row++)

-              for (col = 0; col < width; col++)

-                {

-		bytebuff1 = 4 - (uint8)(*src & 192 >> 6);

-		bytebuff2 = 4 - (uint8)(*src & 48  >> 4);

-		bytebuff3 = 4 - (uint8)(*src & 12  >> 2);

-		bytebuff4 = 4 - (uint8)(*src & 3);

-		*src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;

-                src++;

-                }

-            break;

+    case 8:

+    case 4:

+    case 2:

     case 1: for (row = 0; row < length; row++)

-              for (col = 0; col < width; col += 8 /(spp * bps))

+              for (col = 0; col < width; col += 8 / bps)

                 {

                 *src = ~(*src);

                 src++;