From f4ee7a53cc422490986225c49f92935b3ba52866 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Thu, 13 Dec 2018 17:06:44 +0100
Subject: [PATCH] Fix Covscan defects

---
 contrib/addtiffo/addtiffo.c |  3 ++-
 libtiff/tif_dir.c           |  2 +-
 libtiff/tif_ojpeg.c         |  7 ++++++-
 tools/gif2tiff.c            | 21 +++++++++++++++------
 tools/ras2tiff.c            | 22 +++++++++++++++++++++-
 tools/rasterfile.h          | 16 +++++++++-------
 tools/tiffcrop.c            |  4 ++++
 7 files changed, 58 insertions(+), 17 deletions(-)

diff --git a/contrib/addtiffo/addtiffo.c b/contrib/addtiffo/addtiffo.c
index d3920e2..47f5fa8 100644
--- a/contrib/addtiffo/addtiffo.c
+++ b/contrib/addtiffo/addtiffo.c
@@ -120,7 +120,8 @@ int main( int argc, char ** argv )
     while( nOverviewCount < argc - 2 && nOverviewCount < 100 )
     {
         anOverviews[nOverviewCount] = atoi(argv[nOverviewCount+2]);
-        if( anOverviews[nOverviewCount] <= 0)
+        if( (anOverviews[nOverviewCount] <= 0) ||
+            ((anOverviews[nOverviewCount] > 1024)))
         {
             fprintf( stderr, "Incorrect parameters\n" );
             return(1);
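Review bot: The new upper bound in the `if` is applied to the result of `atoi`, which reports no conversion error and has undefined behaviour when the argument does not fit in an int, so a non-numeric or overlong argument is not reliably rejected by this range test. Converting with `long v = strtol(argv[nOverviewCount+2], &end, 10);` and rejecting `end == argv[nOverviewCount+2] || *end != '\0' || errno == ERANGE` before the range comparison would close that gap. The limit `1024` is a bare literal; a named constant with a comment explaining why larger overview factors are refused would help, and the doubled parentheses around the second comparison can be dropped. main() starts and continues outside this hunk.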
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index f812fa2..9c613da 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -706,7 +706,7 @@ badvaluedouble:
         TIFFErrorExt(tif->tif_clientdata, module,
              "%s: Bad value %f for \"%s\" tag",
              tif->tif_name, dblval,
-		     fip->field_name);
+		     fip ? fip->field_name : "Unknown");
         va_end(ap);
         }
     return (0);
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 6ea3c38..1d9c77c 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -528,6 +528,8 @@ OJPEGVSetField(TIFF* tif, uint32 tag, va_list ap)
 	uint32 ma;
 	uint64* mb;
 	uint32 n;
+	const TIFFField* fip;
+
 	switch(tag)
 	{
 		case TIFFTAG_JPEGIFOFFSET:
@@ -597,7 +599,10 @@ OJPEGVSetField(TIFF* tif, uint32 tag, va_list ap)
 		default:
 			return (*sp->vsetparent)(tif,tag,ap);
 	}
-	TIFFSetFieldBit(tif,TIFFFieldWithTag(tif,tag)->field_bit);
+	fip = TIFFFieldWithTag(tif,tag);
+	if( fip == NULL ) /* shouldn't happen */
+	    return(0);
+	TIFFSetFieldBit(tif,fip->field_bit);
 	tif->tif_flags|=TIFF_DIRTYDIRECT;
 	return(1);
 }
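Review bot: The added `return(0)` after the `fip == NULL` test fails silently: the `switch` above has already handled the tag by then (its cases are outside this hunk, so presumably codec state has been updated), yet the caller gets no indication of why the set failed. Emitting a diagnostic first, e.g. `TIFFErrorExt(tif->tif_clientdata,"OJPEGVSetField","No field info for tag %lu",(unsigned long)tag);`, would make the "shouldn't happen" case visible instead of leaving a bare failure return. The comment could also say that the field bit and `TIFF_DIRTYDIRECT` are deliberately left unset on this path.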
diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
index e89ac5b..012345d 100644
--- a/tools/gif2tiff.c
+++ b/tools/gif2tiff.c
@@ -38,6 +38,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <errno.h>
 #include <math.h>
 
 #ifdef HAVE_UNISTD_H
@@ -266,13 +267,15 @@ readgifimage(char* mode)
     unsigned char localmap[256][3];
     int localbits;
     int status;
+    size_t raster_size;
 
-    if (fread(buf, 1, 9, infile) == 0) {
-        perror(filename);
+    if (fread(buf, 1, 9, infile) != 9) {
+        fprintf(stderr, "short read from file %s (%s)\n",
+                filename, strerror(errno));
 	return (0);
     }
-    width = buf[4] + (buf[5] << 8);
-    height = buf[6] + (buf[7] << 8);
+    width = (buf[4] + (buf[5] << 8)) & 0xffff; /* 16 bit */
+    height = (buf[6] + (buf[7] << 8)) & 0xffff;  /* 16 bit */
     local = buf[8] & 0x80;
     interleaved = buf[8] & 0x40;
 
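Review bot: `strerror(errno)` in the new short-read message can print a stale or unrelated error, because `fread` returning fewer than 9 bytes at end of file does not set `errno`. Testing `ferror(infile)` and printing the errno text only in that case, with a plain "unexpected end of file" otherwise, keeps the diagnostic truthful for truncated GIF input. The `& 0xffff` masks look redundant if `buf` holds unsigned bytes (its declaration is outside the hunk); if they are defensive, the comment should say so rather than just `/* 16 bit */`. readgifimage() continues past this hunk.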
@@ -280,11 +283,17 @@ readgifimage(char* mode)
         fprintf(stderr, "no colormap present for image\n");
         return (0);
     }
-    if (width == 0 || height == 0) {
+    if (width == 0UL || height == 0UL || (width > 2000000000UL / height)) {
         fprintf(stderr, "Invalid value of width or height\n");
         return(0);
     }
-    if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+    raster_size=width*height;
+    if ((raster_size/width) == height) {
+        raster_size += EXTRAFUDGE;  /* Add elbow room */
+    } else {
+        raster_size=0;
+    }
+    if ((raster = (unsigned char*) _TIFFmalloc(raster_size)) == NULL) {
         fprintf(stderr, "not enough memory for image\n");
         return (0);
     }
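Review bot: The `else` branch that sets `raster_size=0` turns a detected multiplication overflow into a `_TIFFmalloc(0)` call, and a zero-size allocation is allowed to return a non-NULL pointer, in which case the function would carry on with an undersized raster. Failing explicitly is safer: replace `raster_size=0;` with `fprintf(stderr, "Invalid value of width or height\n"); return (0);`. With the preceding `width > 2000000000UL / height` guard this branch should be unreachable, which deserves a one-line comment so the two checks are not mistaken for independent limits. The declarations of `width` and `height` are outside the hunk, so whether the `UL` comparisons match their type cannot be confirmed from here.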
diff --git a/tools/ras2tiff.c b/tools/ras2tiff.c
index ec8a071..007dd8c 100644
--- a/tools/ras2tiff.c
+++ b/tools/ras2tiff.c
@@ -30,6 +30,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
+#include <limits.h>
 
 #ifdef HAVE_UNISTD_H
 # include <unistd.h>
@@ -122,6 +123,25 @@ main(int argc, char* argv[])
 		fclose(in);
 		return (-3);
 	}
+        if ((h.ras_width <= 0) || (h.ras_width >= INT_MAX) ||
+            (h.ras_height <= 0) || (h.ras_height >= INT_MAX) ||
+            (h.ras_depth <= 0) || (h.ras_depth >= INT_MAX) ||
+            (h.ras_length <= 0) || (h.ras_length >= INT_MAX) ||
+            (h.ras_type < 0) ||
+            (h.ras_maptype < 0) ||
+            (h.ras_maplength < 0) || (h.ras_maplength >= INT_MAX)) {
+                fprintf(stderr, "%s: Improper image header.\n", argv[optind]);
+                fclose(in);
+		return (-2);
+        }
+        if ((h.ras_depth != 1) &&
+            (h.ras_depth != 8) &&
+            (h.ras_depth != 24)) {
+                fprintf(stderr, "%s: Improper image depth (%d).\n",
+                        argv[optind], h.ras_depth);
+                fclose(in);
+		return (-2);
+        }
 	out = TIFFOpen(argv[optind+1], "w");
 	if (out == NULL)
 	{
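Review bot: The `>= INT_MAX` tests in the new header check reject only the single value INT_MAX once the fields are `int32` (as tools/rasterfile.h makes them in this same patch, assuming `int32` is a 32-bit int), so they place no practical upper limit on width, height or length. If code further down in main(), outside this hunk, multiplies width by depth or height to size a buffer, those products can still overflow; a division-based guard placed after the depth check, such as `if (h.ras_width > INT_MAX / h.ras_depth)`, would bound that. The new lines also mix space indentation with the tab-indented `return (-2);` lines, and both new failure paths return the same `-2`, which makes them indistinguishable to a caller.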
@@ -153,7 +173,7 @@ main(int argc, char* argv[])
 		mapsize = 1<<h.ras_depth; 
 		if (h.ras_maplength > mapsize*3) {
 			fprintf(stderr,
-			    "%s: Huh, %ld colormap entries, should be %d?\n",
+			    "%s: Huh, %d colormap entries, should be %d?\n",
 			    argv[optind], h.ras_maplength, mapsize*3);
 			return (-7);
 		}
diff --git a/tools/rasterfile.h b/tools/rasterfile.h
index 833e095..33da707 100644
--- a/tools/rasterfile.h
+++ b/tools/rasterfile.h
@@ -1,17 +1,19 @@
 /* $Header: /cvs/libtiff/tools/rasterfile.h,v 1.3 2003/11/12 19:14:33 dron Exp $ */
 
+#include "tiff.h"
+
 /*
  * Description of header for files containing raster images
  */
 struct rasterfile {
 	char	ras_magic[4];		/* magic number */
-	long	ras_width;		/* width (pixels) of image */
-	long	ras_height;		/* height (pixels) of image */
-	long	ras_depth;		/* depth (1, 8, or 24 bits) of pixel */
-	long	ras_length;		/* length (bytes) of image */
-	long	ras_type;		/* type of file; see RT_* below */
-	long	ras_maptype;		/* type of colormap; see RMT_* below */
-	long	ras_maplength;		/* length (bytes) of following map */
+       int32   ras_width;              /* width (pixels) of image */
+       int32   ras_height;             /* height (pixels) of image */
+       int32   ras_depth;              /* depth (1, 8, or 24 bits) of pixel */
+       int32   ras_length;             /* length (bytes) of image */
+       int32   ras_type;               /* type of file; see RT_* below */
+       int32   ras_maptype;            /* type of colormap; see RMT_* below */
+       int32   ras_maplength;          /* length (bytes) of following map */
 	/* color map follows for ras_maplength bytes, followed by image */
 };
 #define	RAS_MAGIC	"\x59\xa6\x6a\x95"
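Review bot: The struct comment does not say why the fields are fixed-width, so a later cleanup could widen them again; something like `/* fields are 32-bit to mirror the file header; long is 64-bit on LP64 targets */` above the struct would record the reason. This assumes the struct is filled directly from the file, which is not visible in this hunk. The replaced field lines are indented with spaces while `ras_magic` and the trailing comment keep tabs, and the header now pulls in "tiff.h" without gaining an include guard.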
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 0192f3f..ae6ec1a 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2029,6 +2029,10 @@ void  process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
                     {
 		    crop_data->zones++;
 		    opt_offset = strchr(opt_ptr, ':');
+		    if (!opt_offset) {
+			TIFFError("Wrong parameter syntax for -Z", "tiffcrop -h");
+			exit(-1);
+		    }
                     *opt_offset = '\0';
                     crop_data->zonelist[i].position = atoi(opt_ptr);
                     crop_data->zonelist[i].total    = atoi(opt_offset + 1);
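Review bot: The new NULL test covers only a missing ':'; an argument such as `:` or `a:b` still passes, and the `atoi` calls on the following lines then store 0 in `position` and `total` with no error. Whether a zero `total` is harmful depends on how `zonelist` is consumed outside this hunk, but if zero is not a valid zone value it is cheap to reject here with `if (crop_data->zonelist[i].position <= 0 || crop_data->zonelist[i].total <= 0)` followed by the same error path. `crop_data->zones++` also runs before any of this validation, and the bound on `i` is not visible in the hunk.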
-- 
2.21.0