https://github.com/libsdl-org/libtiff/commit/5fb39dbe2d2b1006fd349ea42357f4043c82c5b2
From 5fb39dbe2d2b1006fd349ea42357f4043c82c5b2 Mon Sep 17 00:00:00 2001
From: Bob Friesenhahn <[EMAIL REDACTED]>
Date: Thu, 20 Aug 2009 20:23:52 +0000
Subject: [PATCH] * tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied patch for
CVE-2009-2347 libtiff: integer overflows in various inter-color space
conversion tools. http://bugzilla.maptools.org/show_bug.cgi?id=2079
---
ChangeLog | 5 +++++
build/Makefile.in | 2 +-
contrib/dbs/xtiff/Makefile.in | 2 +-
html/Makefile.in | 2 +-
libtiff/tif_write.c | 4 ++--
tools/rgb2ycbcr.c | 24 +++++++++++++++++++++---
tools/tiff2rgba.c | 25 +++++++++++++++++++------
7 files changed, 50 insertions(+), 14 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 50ee3d38..c2b77122 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2009-08-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+ * tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied patch for
+ CVE-2009-2347 libtiff: integer overflows in various inter-color
+ space conversion tools.
+ http://bugzilla.maptools.org/show_bug.cgi?id=2079
+
* configure.ac: Updated autotools. Autoconf 2.64, Automake 1.11,
libtool 2.2.6. Enabled support for silent build rules
(--enable-silent-rules or 'make V=0') and colorized tests.
diff --git a/build/Makefile.in b/build/Makefile.in
index 96cc0f07..1200c15c 100644
--- a/build/Makefile.in
+++ b/build/Makefile.in
@@ -15,7 +15,7 @@
@SET_MAKE@
-# $Id: Makefile.in,v 1.1.2.6 2009-08-20 18:40:32 bfriesen Exp $
+# $Id: Makefile.in,v 1.1.2.7 2009-08-20 20:23:52 bfriesen Exp $
#
# Tag Image File Format (TIFF) Software
#
diff --git a/contrib/dbs/xtiff/Makefile.in b/contrib/dbs/xtiff/Makefile.in
index 6a821ac7..b6e2e8ec 100644
--- a/contrib/dbs/xtiff/Makefile.in
+++ b/contrib/dbs/xtiff/Makefile.in
@@ -15,7 +15,7 @@
@SET_MAKE@
-# $Id: Makefile.in,v 1.36.2.6 2009-08-20 18:40:32 bfriesen Exp $
+# $Id: Makefile.in,v 1.36.2.7 2009-08-20 20:23:52 bfriesen Exp $
#
# Tag Image File Format (TIFF) Software
#
diff --git a/html/Makefile.in b/html/Makefile.in
index 2d096cd6..c831bfd6 100644
--- a/html/Makefile.in
+++ b/html/Makefile.in
@@ -15,7 +15,7 @@
@SET_MAKE@
-# $Id: Makefile.in,v 1.49.2.6 2009-08-20 18:40:32 bfriesen Exp $
+# $Id: Makefile.in,v 1.49.2.7 2009-08-20 20:23:52 bfriesen Exp $
#
# Tag Image File Format (TIFF) Software
#
diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
index 2499b2f8..10702344 100644
--- a/libtiff/tif_write.c
+++ b/libtiff/tif_write.c
@@ -1,4 +1,4 @@
-/* $Id: tif_write.c,v 1.22.2.2 2009-06-03 23:49:30 fwarmerdam Exp $ */
+/* $Id: tif_write.c,v 1.22.2.3 2009-08-20 20:23:52 bfriesen Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -630,7 +630,7 @@ TIFFAppendToStrip(TIFF* tif, tstrip_t strip, tidata_t data, tsize_t cc)
if( td->td_stripbytecount[strip] != 0
&& td->td_stripoffset[strip] != 0
- && td->td_stripbytecount[strip] >= cc )
+ && (tsize_t) td->td_stripbytecount[strip] >= cc )
{
/*
* There is already tile data on disk, and the new tile
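Review bot: The added cast `(tsize_t) td->td_stripbytecount[strip]` converts the stored byte count to the signed type instead of bringing `cc` into the unsigned domain, so a stored count above the signed maximum would turn negative and fail the `>= cc` test. This assumes the array holds unsigned 32-bit values and `tsize_t` is signed, which the hunk does not show but the need for a cast suggests. If that holds, ruling out a negative length first and comparing unsigned keeps the previous result for large counts: `&& cc >= 0 && td->td_stripbytecount[strip] >= (uint32) cc )`. The change is also absent from the commit subject and the ChangeLog entry, and TIFFAppendToStrip's body continues outside the hunk.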
diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
index 20a961ce..edc5b9ff 100644
--- a/tools/rgb2ycbcr.c
+++ b/tools/rgb2ycbcr.c
@@ -1,4 +1,4 @@
-/* $Id: rgb2ycbcr.c,v 1.9 2004-09-03 07:57:13 dron Exp $ */
+/* $Id: rgb2ycbcr.c,v 1.9.2.1 2009-08-20 20:23:53 bfriesen Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -34,6 +34,7 @@
# include <unistd.h>
#endif
+#include "tiffiop.h"
#include "tiffio.h"
#define streq(a,b) (strcmp(a,b) == 0)
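Review bot: Including `tiffiop.h` makes this command-line tool depend on libtiff's library-internal header just to reach `_TIFFCheckMalloc`, and the same include is added to tools/tiff2rgba.c. The tool can then presumably no longer be built against the public `tiffio.h` interface alone. Since tiffcvt already validates the pixel count itself, the allocation could stay on the public `_TIFFmalloc` with one extra guard placed before it, such as `if (pixel_count > (size_t)-1 / sizeof(uint32)) return 0;`.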
@@ -279,13 +280,30 @@ tiffcvt(TIFF* in, TIFF* out)
char *stringv;
uint32 longv;
+ size_t pixel_count;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ pixel_count = width * height;
+
+ /* XXX: Check the integer overflow. */
+ if (!width || !height || pixel_count / width != height) {
+ TIFFError(TIFFFileName(in),
+ "Malformed input file; "
+ "can't allocate buffer for raster of %lux%lu size",
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
+
+ raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32),
+ "raster buffer");
if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
+ TIFFError(TIFFFileName(in),
+ "Requested buffer size is %lu elements %lu each",
+ (unsigned long)pixel_count,
+ (unsigned long)sizeof(uint32));
return (0);
}
+
if (!TIFFReadRGBAImage(in, width, height, raster, 0)) {
_TIFFfree(raster);
return (0);
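Review bot: `pixel_count = width * height;` still multiplies in 32-bit arithmetic if `width` and `height` are `uint32` here as they are in tools/tiff2rgba.c (their declarations are outside this hunk), so the product is widened to `size_t` only after it may have wrapped. The same line appears in cvt_whole_image in that file. The division test that follows does catch the wrap, so this is a clarity point rather than a hole, but `pixel_count = (size_t)width * height;` states the intent and leaves the final size check to `_TIFFCheckMalloc`. The comment `/* XXX: Check the integer overflow. */` reads like an open TODO; `/* Reject zero dimensions and a width*height product that overflowed. */` would describe what the code does. tiffcvt's body starts and ends outside the hunk.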
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 05acaab1..2adad5d5 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2rgba.c,v 1.13 2007-01-31 14:46:59 dron Exp $ */
+/* $Id: tiff2rgba.c,v 1.13.2.1 2009-08-20 20:23:53 bfriesen Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -34,6 +34,7 @@
# include <unistd.h>
#endif
+#include "tiffiop.h"
#include "tiffio.h"
#define streq(a,b) (strcmp(a,b) == 0)
@@ -345,16 +346,27 @@ cvt_whole_image( TIFF *in, TIFF *out )
uint32* raster; /* retrieve RGBA image */
uint32 width, height; /* image width & height */
uint32 row;
+ size_t pixel_count;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+ pixel_count = width * height;
+
+ /* XXX: Check the integer overflow. */
+ if (!width || !height || pixel_count / width != height) {
+ TIFFError(TIFFFileName(in),
+ "Malformed input file; can't allocate buffer for raster of %lux%lu size",
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
+ TIFFError(TIFFFileName(in), "Requested buffer size is %lu elements %lu each",
+ (unsigned long)pixel_count, (unsigned long)sizeof(uint32));
return (0);
}
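Review bot: The new overflow check reads `width` and `height` even if the two `TIFFGetField` calls above it did not set them, because both locals are declared without initialisers and the return values are ignored. Whether the directory reader already guarantees both tags is not visible here, so I would test the calls before using the values: `if (!TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width) || !TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height)) return 0;`. The same unchecked pattern is in tiffcvt in tools/rgb2ycbcr.c. Separately, if `_TIFFCheckMalloc` reports its own failure, the `TIFFError` call after it prints a second message for the same event. cvt_whole_image's body continues outside the hunk.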
@@ -378,16 +390,17 @@ cvt_whole_image( TIFF *in, TIFF *out )
*/
if (no_alpha)
{
- int pixel_count = width * height;
+ size_t count = pixel_count;
unsigned char *src, *dst;
src = dst = (unsigned char *) raster;
- while (pixel_count > 0)
+ while (count > 0)
{
*(dst++) = *(src++);
*(dst++) = *(src++);
*(dst++) = *(src++);
- src++, pixel_count--;
+ src++;
+ count--;
}
}