From f4ee7a53cc422490986225c49f92935b3ba52866 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>

Date: Thu, 13 Dec 2018 17:06:44 +0100

Subject: [PATCH] Fix Covscan defects

---

 contrib/addtiffo/addtiffo.c |  3 ++-

 libtiff/tif_dir.c           |  2 +-

 libtiff/tif_ojpeg.c         |  7 ++++++-

 tools/gif2tiff.c            | 21 +++++++++++++++------

 tools/ras2tiff.c            | 22 +++++++++++++++++++++-

 tools/rasterfile.h          | 16 +++++++++-------

 tools/tiffcrop.c            |  4 ++++

 7 files changed, 58 insertions(+), 17 deletions(-)

diff --git a/contrib/addtiffo/addtiffo.c b/contrib/addtiffo/addtiffo.c

index d3920e2..47f5fa8 100644

--- a/contrib/addtiffo/addtiffo.c

+++ b/contrib/addtiffo/addtiffo.c

@@ -120,7 +120,8 @@ int main( int argc, char ** argv )

     while( nOverviewCount < argc - 2 && nOverviewCount < 100 )

     {

         anOverviews[nOverviewCount] = atoi(argv[nOverviewCount+2]);

-        if( anOverviews[nOverviewCount] <= 0)

+        if( (anOverviews[nOverviewCount] <= 0) ||

+            ((anOverviews[nOverviewCount] > 1024)))

         {

             fprintf( stderr, "Incorrect parameters\n" );

             return(1);

diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c

index f812fa2..9c613da 100644

--- a/libtiff/tif_dir.c

+++ b/libtiff/tif_dir.c

@@ -706,7 +706,7 @@ badvaluedouble:

         TIFFErrorExt(tif->tif_clientdata, module,

              "%s: Bad value %f for \"%s\" tag",

              tif->tif_name, dblval,

-		     fip->field_name);

+		     fip ? fip->field_name : "Unknown");

         va_end(ap);

         }

     return (0);

diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c

index 6ea3c38..1d9c77c 100644

--- a/libtiff/tif_ojpeg.c

+++ b/libtiff/tif_ojpeg.c

@@ -528,6 +528,8 @@ OJPEGVSetField(TIFF* tif, uint32 tag, va_list ap)

 	uint32 ma;

 	uint64* mb;

 	uint32 n;

+	const TIFFField* fip;

+

 	switch(tag)

 	{

 		case TIFFTAG_JPEGIFOFFSET:

@@ -597,7 +599,10 @@ OJPEGVSetField(TIFF* tif, uint32 tag, va_list ap)

 		default:

 			return (*sp->vsetparent)(tif,tag,ap);

 	}

-	TIFFSetFieldBit(tif,TIFFFieldWithTag(tif,tag)->field_bit);

+	fip = TIFFFieldWithTag(tif,tag);

+	if( fip == NULL ) /* shouldn't happen */

+	    return(0);

+	TIFFSetFieldBit(tif,fip->field_bit);

 	tif->tif_flags|=TIFF_DIRTYDIRECT;

 	return(1);

 }

diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c

index e89ac5b..012345d 100644

--- a/tools/gif2tiff.c

+++ b/tools/gif2tiff.c

@@ -38,6 +38,7 @@

 #include <stdio.h>

 #include <stdlib.h>

 #include <string.h>

+#include <errno.h>

 #include <math.h>

 #ifdef HAVE_UNISTD_H

@@ -266,13 +267,15 @@ readgifimage(char* mode)

     unsigned char localmap[256][3];

     int localbits;

     int status;

+    size_t raster_size;

-    if (fread(buf, 1, 9, infile) == 0) {

-        perror(filename);

+    if (fread(buf, 1, 9, infile) != 9) {

+        fprintf(stderr, "short read from file %s (%s)\n",

+                filename, strerror(errno));

 	return (0);

     }

-    width = buf[4] + (buf[5] << 8);

-    height = buf[6] + (buf[7] << 8);

+    width = (buf[4] + (buf[5] << 8)) & 0xffff; /* 16 bit */

+    height = (buf[6] + (buf[7] << 8)) & 0xffff;  /* 16 bit */

     local = buf[8] & 0x80;

     interleaved = buf[8] & 0x40;

@@ -280,11 +283,17 @@ readgifimage(char* mode)

         fprintf(stderr, "no colormap present for image\n");

         return (0);

     }

-    if (width == 0 || height == 0) {

+    if (width == 0UL || height == 0UL || (width > 2000000000UL / height)) {

         fprintf(stderr, "Invalid value of width or height\n");

         return(0);

     }

-    if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {

+    raster_size=width*height;

+    if ((raster_size/width) == height) {

+        raster_size += EXTRAFUDGE;  /* Add elbow room */

+    } else {

+        raster_size=0;

+    }

+    if ((raster = (unsigned char*) _TIFFmalloc(raster_size)) == NULL) {

         fprintf(stderr, "not enough memory for image\n");

         return (0);

     }

diff --git a/tools/ras2tiff.c b/tools/ras2tiff.c

index ec8a071..007dd8c 100644

--- a/tools/ras2tiff.c

+++ b/tools/ras2tiff.c

@@ -30,6 +30,7 @@

 #include <stdlib.h>

 #include <string.h>

 #include <ctype.h>

+#include <limits.h>

 #ifdef HAVE_UNISTD_H

 # include <unistd.h>

@@ -122,6 +123,25 @@ main(int argc, char* argv[])

 		fclose(in);

 		return (-3);

 	}

+        if ((h.ras_width <= 0) || (h.ras_width >= INT_MAX) ||

+            (h.ras_height <= 0) || (h.ras_height >= INT_MAX) ||

+            (h.ras_depth <= 0) || (h.ras_depth >= INT_MAX) ||

+            (h.ras_length <= 0) || (h.ras_length >= INT_MAX) ||

+            (h.ras_type < 0) ||

+            (h.ras_maptype < 0) ||

+            (h.ras_maplength < 0) || (h.ras_maplength >= INT_MAX)) {

+                fprintf(stderr, "%s: Improper image header.\n", argv[optind]);

+                fclose(in);

+		return (-2);

+        }

+        if ((h.ras_depth != 1) &&

+            (h.ras_depth != 8) &&

+            (h.ras_depth != 24)) {

+                fprintf(stderr, "%s: Improper image depth (%d).\n",

+                        argv[optind], h.ras_depth);

+                fclose(in);

+		return (-2);

+        }

 	out = TIFFOpen(argv[optind+1], "w");

 	if (out == NULL)

 	{

@@ -153,7 +173,7 @@ main(int argc, char* argv[])

 		mapsize = 1<

 		if (h.ras_maplength > mapsize*3) {

 			fprintf(stderr,

-			    "%s: Huh, %ld colormap entries, should be %d?\n",

+			    "%s: Huh, %d colormap entries, should be %d?\n",

 			    argv[optind], h.ras_maplength, mapsize*3);

 			return (-7);

 		}

diff --git a/tools/rasterfile.h b/tools/rasterfile.h

index 833e095..33da707 100644

--- a/tools/rasterfile.h

+++ b/tools/rasterfile.h

@@ -1,17 +1,19 @@

 /* $Header: /cvs/libtiff/tools/rasterfile.h,v 1.3 2003/11/12 19:14:33 dron Exp $ */

+#include "tiff.h"

+

 /*

  * Description of header for files containing raster images

  */

 struct rasterfile {

 	char	ras_magic[4];		/* magic number */

-	long	ras_width;		/* width (pixels) of image */

-	long	ras_height;		/* height (pixels) of image */

-	long	ras_depth;		/* depth (1, 8, or 24 bits) of pixel */

-	long	ras_length;		/* length (bytes) of image */

-	long	ras_type;		/* type of file; see RT_* below */

-	long	ras_maptype;		/* type of colormap; see RMT_* below */

-	long	ras_maplength;		/* length (bytes) of following map */

+       int32   ras_width;              /* width (pixels) of image */

+       int32   ras_height;             /* height (pixels) of image */

+       int32   ras_depth;              /* depth (1, 8, or 24 bits) of pixel */

+       int32   ras_length;             /* length (bytes) of image */

+       int32   ras_type;               /* type of file; see RT_* below */

+       int32   ras_maptype;            /* type of colormap; see RMT_* below */

+       int32   ras_maplength;          /* length (bytes) of following map */

 	/* color map follows for ras_maplength bytes, followed by image */

 };

 #define	RAS_MAGIC	"\x59\xa6\x6a\x95"

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c

index 0192f3f..ae6ec1a 100644

--- a/tools/tiffcrop.c

+++ b/tools/tiffcrop.c

@@ -2029,6 +2029,10 @@ void  process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32

                     {

 		    crop_data->zones++;

 		    opt_offset = strchr(opt_ptr, ':');

+		    if (!opt_offset) {

+			TIFFError("Wrong parameter syntax for -Z", "tiffcrop -h");

+			exit(-1);

+		    }

                     *opt_offset = '\0';

                     crop_data->zonelist[i].position = atoi(opt_ptr);

                     crop_data->zonelist[i].total    = atoi(opt_offset + 1);

-- 

2.21.0