Blob Blame History Raw
From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 30 Oct 2018 18:50:27 +0100
Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in
 case of out of memory situation. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661

(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)
---
 libtiff/tiffiop.h |  1 +
 tools/tiff2bw.c   | 30 ++++++++++++++++++++++++++----
 tools/tiffcrop.c  |  5 -----
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index daa291c0..08e5dc44 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
 #endif
 
 #define    streq(a,b)      (strcmp(a,b) == 0)
+#define    strneq(a,b,n)   (strncmp(a,b,n) == 0)
 
 #ifndef TRUE
 #define	TRUE	1
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index dad54afa..1f3bb2cd 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -40,9 +40,7 @@
 #endif
 
 #include "tiffio.h"
-
-#define	streq(a,b)	(strcmp((a),(b)) == 0)
-#define	strneq(a,b,n)	(strncmp(a,b,n) == 0)
+#include "tiffiop.h"
 
 /* x% weighting -> fraction of full color */
 #define	PCT(x)	(((x)*256+50)/100)
@@ -223,6 +221,11 @@ main(int argc, char* argv[])
 	TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
 	TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
 	outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+        if( !outbuf )
+        {
+            fprintf(stderr, "Out of memory\n");
+            goto tiff2bw_error;
+        }
 	TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
 	    TIFFDefaultStripSize(out, rowsperstrip));
 
@@ -246,6 +249,11 @@ main(int argc, char* argv[])
 #undef CVT
 		}
 		inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+                if( !inbuf )
+                {
+                    fprintf(stderr, "Out of memory\n");
+                    goto tiff2bw_error;
+                }
 		for (row = 0; row < h; row++) {
 			if (TIFFReadScanline(in, inbuf, row, 0) < 0)
 				break;
@@ -256,6 +264,11 @@ main(int argc, char* argv[])
 		break;
 	case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
 		inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+                if( !inbuf )
+                {
+                    fprintf(stderr, "Out of memory\n");
+                    goto tiff2bw_error;
+                }
 		for (row = 0; row < h; row++) {
 			if (TIFFReadScanline(in, inbuf, row, 0) < 0)
 				break;
@@ -265,8 +278,16 @@ main(int argc, char* argv[])
 		}
 		break;
 	case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
+        {
+                tmsize_t inbufsize;
 		rowsize = TIFFScanlineSize(in);
-		inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
+                inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
+		inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
+                if( !inbuf )
+                {
+                    fprintf(stderr, "Out of memory\n");
+                    goto tiff2bw_error;
+                }
 		for (row = 0; row < h; row++) {
 			for (s = 0; s < 3; s++)
 				if (TIFFReadScanline(in,
@@ -278,6 +299,7 @@ main(int argc, char* argv[])
 				break;
 		}
 		break;
+        }
 	}
 #undef pack
         if (inbuf)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c60cb389..3862b1ca 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
 
 #define TIFF_UINT32_MAX     0xFFFFFFFFU
 
-#ifndef streq
-#define	streq(a,b)	(strcmp((a),(b)) == 0)
-#endif
-#define	strneq(a,b,n)	(strncmp((a),(b),(n)) == 0)
-
 #define	TRUE	1
 #define	FALSE	0