
From 3d451e3f95cbb67dd771a986991b5b6107140c4e Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 15 Aug 2019 15:05:28 +0200
Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
 write heap buffer overflow, especially on 32 bit builds. Fixes
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
 Fuzz
---
 libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index ec09fea..c6edd27 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 	fromskew = (w < imagewidth ? imagewidth - w : 0);
 	for (row = 0; row < h; row += nrow)
 	{
+		uint32 temp;
 		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
 		nrow = (row + rowstoread > h ? h - row : rowstoread);
 		nrowsub = nrow;
 		if ((nrowsub%subsamplingver)!=0)
 			nrowsub+=subsamplingver-nrowsub%subsamplingver;
+		temp = (row + img->row_offset)%rowsperstrip + nrowsub;
+		if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
+		{
+			TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
+			return 0;
+		}
 		if (_TIFFReadEncodedStripAndAllocBuffer(tif,
 		    TIFFComputeStrip(tif,row+img->row_offset, 0),
 		    (void**)(&buf),
                     maxstripsize,
-		    ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
+		    temp * scanline)==(tmsize_t)(-1)
 		    && (buf == NULL || img->stoponerr))
 		{
 			ret = 0;
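Review bot: The new overflow guard exits with a bare `return 0;`, whereas the pre-existing failure path a few lines below sets `ret = 0` and leaves the loop, so that any cleanup after the loop still runs; if `buf` was handed out by `_TIFFReadEncodedStripAndAllocBuffer` in an earlier iteration, an early return would skip that cleanup (the function's tail is outside this hunk, so this is inferred). Using the same idiom, `TIFFErrorExt(...); ret = 0; break;`, keeps error handling uniform and avoids the question. The check is also silently skipped when `scanline <= 0`; presumably a zero scanline is rejected before the loop, but that is not visible here, so a one-line comment such as `/* scanline is tmsize_t: reject temp*scanline overflow (32-bit builds) */` above the `if` would document the intent. gtStripContig begins before this hunk.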
@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 	fromskew = (w < imagewidth ? imagewidth - w : 0);
 	for (row = 0; row < h; row += nrow)
 	{
+                uint32 temp;
 		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
 		nrow = (row + rowstoread > h ? h - row : rowstoread);
 		offset_row = row + img->row_offset;
+                temp = (row + img->row_offset)%rowsperstrip + nrow;
+                if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
+                {
+                        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
+                        return 0;
+                }
                 if( buf == NULL )
                 {
                     if (_TIFFReadEncodedStripAndAllocBuffer(
                             tif, TIFFComputeStrip(tif, offset_row, 0),
                             (void**) &buf, bufsize,
-                            ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+                            temp * scanline)==(tmsize_t)(-1)
                         && (buf == NULL || img->stoponerr))
                     {
                             ret = 0;
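Review bot: `temp` recomputes `(row + img->row_offset)%rowsperstrip` although `offset_row` was just assigned that same sum on the preceding line; `temp = offset_row % rowsperstrip + nrow;` ties the read length to the strip index later passed to `TIFFComputeStrip(tif, offset_row, 0)` and avoids the duplicated expression. As in the sibling change, the overflow branch uses `return 0;` while the neighbouring failure paths set `ret = 0`, so the same `ret = 0; break;` idiom would keep whatever cleanup follows the loop on the error path (the function's tail is outside this hunk). The guard only bounds the length passed to the strip readers; that `temp * scanline` fits within the `bufsize` used to allocate `buf` is presumably established earlier in gtStripSeparate, which starts before this hunk, and deserves a short comment on the check, e.g. `/* temp*scanline must fit tmsize_t; bufsize bound is checked above */`. The added lines are space-indented while the adjacent loop body uses tabs.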
@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
                     }
                 }
 		else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
-		    p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+		    p0, temp * scanline)==(tmsize_t)(-1)
 		    && img->stoponerr)
 		{
 			ret = 0;
@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 		}
 		if (colorchannels > 1 
                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
-                                            p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
+                                            p1, temp * scanline) == (tmsize_t)(-1)
 		    && img->stoponerr)
 		{
 			ret = 0;
@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 		}
 		if (colorchannels > 1 
                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
-                                            p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
+                                            p2, temp * scanline) == (tmsize_t)(-1)
 		    && img->stoponerr)
 		{
 			ret = 0;
@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 		if (alpha)
 		{
 			if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
-			    pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+			    pa, temp * scanline)==(tmsize_t)(-1)
 			    && img->stoponerr)
 			{
 				ret = 0;
-- 
2.21.1