From 46d1b6c09939eef09e45ccec345c6724cabc454e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Mon, 11 Jul 2016 16:44:22 +0200
Subject: [PATCH 6/8] Fix CVE-2016-3990
---
libtiff/tif_pixarlog.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 2793b22..c9f056e 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -462,6 +462,7 @@ typedef struct {
int state;
int user_datafmt;
int quality;
+ tsize_t tbuf_size;
#define PLSTATE_INIT 1
TIFFVSetMethod vgetparent; /* super-class method */
@@ -885,6 +886,7 @@ PixarLogSetupEncode(TIFF* tif)
td->td_samplesperpixel : 1);
tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
td->td_rowsperstrip), sizeof(uint16));
+ sp->tbuf_size = tbuf_size;
if (tbuf_size == 0)
return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
@@ -1131,8 +1133,17 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
}
llen = sp->stride * td->td_imagewidth;
-
+ if (llen > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name);
+ exit (0);
+ }
for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
+ if (up > sp->tbuf+sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name);
+ exit (0);
+ }
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalDifferenceF((float *)bp, llen,
@@ -1169,6 +1180,11 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
"ZLib cannot deal with buffers this size");
return (0);
}
+ if (sp->stream.avail_in > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Error within the calculation on ZLib buffer size.", tif->tif_name);
+ return (0);
+ }
do {
if (deflate(&sp->stream, Z_NO_FLUSH) != Z_OK) {
--
2.7.4