https://github.com/libsdl-org/libtiff/commit/130c55232b841b536ead402c774e42792dec1c08
From 130c55232b841b536ead402c774e42792dec1c08 Mon Sep 17 00:00:00 2001
From: Frank Warmerdam <[EMAIL REDACTED]>
Date: Mon, 21 Mar 2011 16:01:28 +0000
Subject: [PATCH] Correct potential buffer overflow with thunder encoded files
with wrong bitspersample set (CVE-2011-1167)
http://bugzilla.maptools.org/show_bug.cgi?id=2300
---
ChangeLog | 9 +++++++++
libtiff/tif_thunder.c | 38 +++++++++++++++++++++++++++++++-------
2 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b30ddefd..a81e6537 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2011-03-12 Frank Warmerdam <warmerdam@pobox.com>
+
+ * libtiff/tif_thunder.c: Correct potential buffer overflow with
+ thunder encoded files with wrong bitspersample set. The libtiff
+ development team would like to thank Marin Barbella and TippingPoint's
+ Zero Day Initiative for reporting this vulnerability (ZDI-CAN-1004,
+ CVE-2011-1167).
+ http://bugzilla.maptools.org/show_bug.cgi?id=2300
+
2011-03-10 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_fax3.h: Fix to last change allowing zero length
diff --git a/libtiff/tif_thunder.c b/libtiff/tif_thunder.c
index 8e7a1258..62e4bc75 100644
--- a/libtiff/tif_thunder.c
+++ b/libtiff/tif_thunder.c
@@ -1,4 +1,4 @@
-/* $Id: tif_thunder.c,v 1.5.2.1 2010-06-08 18:50:43 bfriesen Exp $ */
+/* $Id: tif_thunder.c,v 1.5.2.2 2011-03-21 16:01:28 fwarmerdam Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -25,6 +25,7 @@
*/
#include "tiffiop.h"
+#include <assert.h>
#ifdef THUNDER_SUPPORT
/*
* TIFF Library.
@@ -55,12 +56,32 @@
static const int twobitdeltas[4] = { 0, 1, 0, -1 };
static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
-#define SETPIXEL(op, v) { \
- lastpixel = (v) & 0xf; \
- if (npixels++ & 1) \
- *op++ |= lastpixel; \
- else \
+#define SETPIXEL(op, v) { \
+ lastpixel = (v) & 0xf; \
+ if ( npixels < maxpixels ) \
+ { \
+ if (npixels++ & 1) \
+ *op++ |= lastpixel; \
+ else \
op[0] = (tidataval_t) (lastpixel << 4); \
+ } \
+}
+
+static int
+ThunderSetupDecode(TIFF* tif)
+{
+ static const char module[] = "ThunderSetupDecode";
+
+ if( tif->tif_dir.td_bitspersample != 4 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
+ (int) tif->tif_dir.td_bitspersample );
+ return 0;
+ }
+
+
+ return (1);
}
static int
@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s)
occ -= tif->tif_scanlinesize;
row += tif->tif_scanlinesize;
}
- return (1);
+
+ return (1);
}
int
@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int scheme)
(void) scheme;
tif->tif_decoderow = ThunderDecodeRow;
tif->tif_decodestrip = ThunderDecodeRow;
+ tif->tif_setupdecode = ThunderSetupDecode;
return (1);
}
#endif /* THUNDER_SUPPORT */
@@ -163,3 +186,4 @@ TIFFInitThunderScan(TIFF* tif, int scheme)
* fill-column: 78
* End:
*/
+