|
|
460672 |
From c188f95bd865b1428f88c193b895fe9b3f6767e9 Mon Sep 17 00:00:00 2001
|
|
|
460672 |
From: Even Rouault <even.rouault@spatialys.com>
|
|
|
460672 |
Date: Tue, 30 Oct 2018 18:50:27 +0100
|
|
|
460672 |
Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
|
|
|
460672 |
memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
|
|
|
460672 |
CVE-2018-18661
|
|
|
460672 |
|
|
|
460672 |
---
|
|
|
460672 |
libtiff/tiffiop.h | 1 +
|
|
|
460672 |
tools/tiff2bw.c | 63 +++++++++++++++++++++++++++++++++++++++--------
|
|
|
460672 |
tools/tiffcrop.c | 5 ----
|
|
|
460672 |
3 files changed, 54 insertions(+), 15 deletions(-)
|
|
|
460672 |
|
|
|
460672 |
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
|
|
460672 |
index 53357d8..8d1357b 100644
|
|
|
460672 |
--- a/libtiff/tiffiop.h
|
|
|
460672 |
+++ b/libtiff/tiffiop.h
|
|
|
460672 |
@@ -66,6 +66,7 @@ extern void *lfind(const void *, const void *, size_t *, size_t,
|
|
|
460672 |
#endif
|
|
|
460672 |
|
|
|
460672 |
#define streq(a,b) (strcmp(a,b) == 0)
|
|
|
460672 |
+#define strneq(a,b,n) (strncmp(a,b,n) == 0)
|
|
|
460672 |
|
|
|
460672 |
#ifndef TRUE
|
|
|
460672 |
#define TRUE 1
|
|
|
460672 |
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
|
|
|
460672 |
index 53067e7..ad797b2 100644
|
|
|
460672 |
--- a/tools/tiff2bw.c
|
|
|
460672 |
+++ b/tools/tiff2bw.c
|
|
|
460672 |
@@ -40,9 +40,7 @@
|
|
|
460672 |
#endif
|
|
|
460672 |
|
|
|
460672 |
#include "tiffio.h"
|
|
|
460672 |
-
|
|
|
460672 |
-#define streq(a,b) (strcmp((a),(b)) == 0)
|
|
|
460672 |
-#define strneq(a,b,n) (strncmp(a,b,n) == 0)
|
|
|
460672 |
+#include "tiffiop.h"
|
|
|
460672 |
|
|
|
460672 |
/* x% weighting -> fraction of full color */
|
|
|
460672 |
#define PCT(x) (((x)*255+127)/100)
|
|
|
460672 |
@@ -130,6 +128,11 @@ main(int argc, char* argv[])
|
|
|
460672 |
extern int optind;
|
|
|
460672 |
extern char *optarg;
|
|
|
460672 |
|
|
|
460672 |
+ in = (TIFF *) NULL;
|
|
|
460672 |
+ out = (TIFF *) NULL;
|
|
|
460672 |
+ inbuf = (unsigned char *) NULL;
|
|
|
460672 |
+ outbuf = (unsigned char *) NULL;
|
|
|
460672 |
+
|
|
|
460672 |
while ((c = getopt(argc, argv, "c:r:R:G:B:")) != -1)
|
|
|
460672 |
switch (c) {
|
|
|
460672 |
case 'c': /* compression scheme */
|
|
|
460672 |
@@ -163,24 +166,24 @@ main(int argc, char* argv[])
|
|
|
460672 |
fprintf(stderr,
|
|
|
460672 |
"%s: Bad photometric; can only handle RGB and Palette images.\n",
|
|
|
460672 |
argv[optind]);
|
|
|
460672 |
- return (-1);
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
}
|
|
|
460672 |
TIFFGetField(in, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel);
|
|
|
460672 |
if (samplesperpixel != 1 && samplesperpixel != 3) {
|
|
|
460672 |
fprintf(stderr, "%s: Bad samples/pixel %u.\n",
|
|
|
460672 |
argv[optind], samplesperpixel);
|
|
|
460672 |
- return (-1);
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
}
|
|
|
460672 |
if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
|
|
|
460672 |
fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
|
|
|
460672 |
argv[optind], samplesperpixel);
|
|
|
460672 |
- return (-1);
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
}
|
|
|
460672 |
TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
|
|
|
460672 |
if (bitspersample != 8) {
|
|
|
460672 |
fprintf(stderr,
|
|
|
460672 |
" %s: Sorry, only handle 8-bit samples.\n", argv[optind]);
|
|
|
460672 |
- return (-1);
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
}
|
|
|
460672 |
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &w);
|
|
|
460672 |
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &h);
|
|
|
460672 |
@@ -188,7 +191,7 @@ main(int argc, char* argv[])
|
|
|
460672 |
|
|
|
460672 |
out = TIFFOpen(argv[optind+1], "w");
|
|
|
460672 |
if (out == NULL)
|
|
|
460672 |
- return (-1);
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
TIFFSetField(out, TIFFTAG_IMAGEWIDTH, w);
|
|
|
460672 |
TIFFSetField(out, TIFFTAG_IMAGELENGTH, h);
|
|
|
460672 |
TIFFSetField(out, TIFFTAG_BITSPERSAMPLE, 8);
|
|
|
460672 |
@@ -214,6 +217,11 @@ main(int argc, char* argv[])
|
|
|
460672 |
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
|
|
|
460672 |
TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
|
|
|
460672 |
outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
|
|
|
460672 |
+ if( !outbuf )
|
|
|
460672 |
+ {
|
|
|
460672 |
+ fprintf(stderr, "Out of memory\n");
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
+ }
|
|
|
460672 |
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
|
|
|
460672 |
TIFFDefaultStripSize(out, rowsperstrip));
|
|
|
460672 |
|
|
|
460672 |
@@ -237,6 +245,11 @@ main(int argc, char* argv[])
|
|
|
460672 |
#undef CVT
|
|
|
460672 |
}
|
|
|
460672 |
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
|
|
|
460672 |
+ if( !inbuf )
|
|
|
460672 |
+ {
|
|
|
460672 |
+ fprintf(stderr, "Out of memory\n");
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
+ }
|
|
|
460672 |
for (row = 0; row < h; row++) {
|
|
|
460672 |
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
|
|
|
460672 |
break;
|
|
|
460672 |
@@ -247,6 +260,11 @@ main(int argc, char* argv[])
|
|
|
460672 |
break;
|
|
|
460672 |
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
|
|
|
460672 |
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
|
|
|
460672 |
+ if( !inbuf )
|
|
|
460672 |
+ {
|
|
|
460672 |
+ fprintf(stderr, "Out of memory\n");
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
+ }
|
|
|
460672 |
for (row = 0; row < h; row++) {
|
|
|
460672 |
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
|
|
|
460672 |
break;
|
|
|
460672 |
@@ -256,23 +274,48 @@ main(int argc, char* argv[])
|
|
|
460672 |
}
|
|
|
460672 |
break;
|
|
|
460672 |
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
|
|
|
460672 |
+ {
|
|
|
460672 |
+ tmsize_t inbufsize;
|
|
|
460672 |
rowsize = TIFFScanlineSize(in);
|
|
|
460672 |
- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
|
|
|
460672 |
+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
|
|
|
460672 |
+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
|
|
|
460672 |
+ if( !inbuf )
|
|
|
460672 |
+ {
|
|
|
460672 |
+ fprintf(stderr, "Out of memory\n");
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
+ }
|
|
|
460672 |
for (row = 0; row < h; row++) {
|
|
|
460672 |
for (s = 0; s < 3; s++)
|
|
|
460672 |
if (TIFFReadScanline(in,
|
|
|
460672 |
inbuf+s*rowsize, row, s) < 0)
|
|
|
460672 |
- return (-1);
|
|
|
460672 |
+ goto tiff2bw_error;
|
|
|
460672 |
compresssep(outbuf,
|
|
|
460672 |
inbuf, inbuf+rowsize, inbuf+2*rowsize, w);
|
|
|
460672 |
if (TIFFWriteScanline(out, outbuf, row, 0) < 0)
|
|
|
460672 |
break;
|
|
|
460672 |
}
|
|
|
460672 |
break;
|
|
|
460672 |
+ }
|
|
|
460672 |
}
|
|
|
460672 |
#undef pack
|
|
|
460672 |
+ if (inbuf)
|
|
|
460672 |
+ _TIFFfree(inbuf);
|
|
|
460672 |
+ if (outbuf)
|
|
|
460672 |
+ _TIFFfree(outbuf);
|
|
|
460672 |
+ TIFFClose(in);
|
|
|
460672 |
TIFFClose(out);
|
|
|
460672 |
return (0);
|
|
|
460672 |
+
|
|
|
460672 |
+ tiff2bw_error:
|
|
|
460672 |
+ if (inbuf)
|
|
|
460672 |
+ _TIFFfree(inbuf);
|
|
|
460672 |
+ if (outbuf)
|
|
|
460672 |
+ _TIFFfree(outbuf);
|
|
|
460672 |
+ if (out)
|
|
|
460672 |
+ TIFFClose(out);
|
|
|
460672 |
+ if (in)
|
|
|
460672 |
+ TIFFClose(in);
|
|
|
460672 |
+ return (-1);
|
|
|
460672 |
}
|
|
|
460672 |
|
|
|
460672 |
static int
|
|
|
460672 |
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
|
460672 |
index 02c53cd..0192f3f 100644
|
|
|
460672 |
--- a/tools/tiffcrop.c
|
|
|
460672 |
+++ b/tools/tiffcrop.c
|
|
|
460672 |
@@ -148,11 +148,6 @@ extern int getopt(int, char**, char*);
|
|
|
460672 |
#define PATH_MAX 1024
|
|
|
460672 |
#endif
|
|
|
460672 |
|
|
|
460672 |
-#ifndef streq
|
|
|
460672 |
-#define streq(a,b) (strcmp((a),(b)) == 0)
|
|
|
460672 |
-#endif
|
|
|
460672 |
-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0)
|
|
|
460672 |
-
|
|
|
460672 |
#define TRUE 1
|
|
|
460672 |
#define FALSE 0
|
|
|
460672 |
|
|
|
460672 |
--
|
|
|
460672 |
2.17.2
|
|
|
460672 |
|