From 46d1b6c09939eef09e45ccec345c6724cabc454e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Forr=C3=B3?= Date: Mon, 11 Jul 2016 16:44:22 +0200 Subject: [PATCH 6/8] Fix CVE-2016-3990 --- libtiff/tif_pixarlog.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index 2793b22..c9f056e 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -462,6 +462,7 @@ typedef struct { int state; int user_datafmt; int quality; + tsize_t tbuf_size; #define PLSTATE_INIT 1 TIFFVSetMethod vgetparent; /* super-class method */ @@ -885,6 +886,7 @@ PixarLogSetupEncode(TIFF* tif) td->td_samplesperpixel : 1); tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), td->td_rowsperstrip), sizeof(uint16)); + sp->tbuf_size = tbuf_size; if (tbuf_size == 0) return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); @@ -1131,8 +1133,17 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) } llen = sp->stride * td->td_imagewidth; - + if (llen > sp->tbuf_size) + { + TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name); + exit (0); + } for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { + if (up > sp->tbuf+sp->tbuf_size) + { + TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name); + exit (0); + } switch (sp->user_datafmt) { case PIXARLOGDATAFMT_FLOAT: horizontalDifferenceF((float *)bp, llen, @@ -1169,6 +1180,11 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) "ZLib cannot deal with buffers this size"); return (0); } + if (sp->stream.avail_in > sp->tbuf_size) + { + TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Error within the calculation on ZLib buffer size.", tif->tif_name); + return (0); + } do { if (deflate(&sp->stream, Z_NO_FLUSH) != Z_OK) { -- 2.7.4