From a777efdb86da87073511e56e8fc4ef63fc111b5f Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>

Date: Mon, 11 Jul 2016 15:50:56 +0200

Subject: [PATCH 1/8] Fix CVE-2014-9655

---

 libtiff/tif_getimage.c | 20 ++++++++++++++------

 libtiff/tif_next.c     |  4 +++-

 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c

index a85273c..1c1cf9e 100644

--- a/libtiff/tif_getimage.c

+++ b/libtiff/tif_getimage.c

@@ -842,6 +842,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

 	int32 fromskew, toskew;

 	int ret = 1, flip;

+	TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);

+	if( subsamplingver == 0 ) {

+		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");

+		return (0);

+	}

+

 	buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));

 	if (buf == 0) {

 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");

@@ -859,7 +865,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

 	}

 	TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);

-	TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);

+

 	scanline = TIFFScanlineSize(tif);

 	fromskew = (w < imagewidth ? imagewidth - w : 0);

 	for (row = 0; row < h; row += nrow)

@@ -1852,7 +1858,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)

     (void) y;

     fromskew = (fromskew * 10) / 4;

-    if ((h & 3) == 0 && (w & 1) == 0) {

+    if ((w & 3) == 0 && (h & 1) == 0) {

         for (; h >= 2; h -= 2) {

             x = w>>2;

             do {

@@ -1929,7 +1935,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)

     /* XXX adjust fromskew */

     do {

 	x = w>>2;

-	do {

+	while(x>0) {

 	    int32 Cb = pp[4];

 	    int32 Cr = pp[5];

@@ -1940,7 +1946,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)

 	    cp += 4;

 	    pp += 6;

-	} while (--x);

+		x--;

+	}

         if( (w&3) != 0 )

         {

@@ -2031,7 +2038,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)

 	fromskew = (fromskew * 4) / 2;

 	do {

 		x = w>>1;

-		do {

+		while(x>0) {

 			int32 Cb = pp[2];

 			int32 Cr = pp[3];

@@ -2040,7 +2047,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)

 			cp += 2;

 			pp += 4;

-		} while (--x);

+			x --;

+		}

 		if( (w&1) != 0 )

 		{

diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c

index 524e127..92ef6ee 100644

--- a/libtiff/tif_next.c

+++ b/libtiff/tif_next.c

@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)

 		TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");

 		return (0);

 	}

-	for (row = buf; occ > 0; occ -= scanline, row += scanline) {

+	for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {

 		n = *bp++, cc--;

 		switch (n) {

 		case LITERALROW:

@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)

 			 * The scanline has a literal span that begins at some

 			 * offset.

 			 */

+			if( cc < 4 )

+				goto bad;

 			off = (bp[0] * 256) + bp[1];

 			n = (bp[2] * 256) + bp[3];

 			if (cc < 4+n || off+n > scanline)

-- 

2.7.4