* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS

or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4
http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)

ChangeLog

@@ -1,3 +1,10 @@
+2014-12-21  Even Rouault  <even.rouault@spatialys.com>
+
+	* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS
+	or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
+	COMPRESSION_CCITTFAX4
+	http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
+
 2014-12-21  Even Rouault  <even.rouault@spatialys.com>
 
 	* libtiff/tif_next.c: check that BitsPerSample = 2. Fixes

tools/thumbnail.c

@@ -1,4 +1,4 @@
-/* $Id: thumbnail.c,v 1.17 2014-12-07 22:33:06 erouault Exp $ */
+/* $Id: thumbnail.c,v 1.18 2014-12-21 18:52:42 erouault Exp $ */
 
 /*
  * Copyright (c) 1994-1997 Sam Leffler
@@ -274,7 +274,26 @@ cpTags(TIFF* in, TIFF* out)
 {
     struct cpTag *p;
     for (p = tags; p < &tags[NTAGS]; p++)
-	cpTag(in, out, p->tag, p->count, p->type);
+	{
+		/* Horrible: but TIFFGetField() expects 2 arguments to be passed */
+		/* if we request a tag that is defined in a codec, but that codec */
+		/* isn't used */
+		if( p->tag == TIFFTAG_GROUP3OPTIONS )
+		{
+			uint16 compression;
+			if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+				compression != COMPRESSION_CCITTFAX3 )
+				continue;
+		}
+		if( p->tag == TIFFTAG_GROUP4OPTIONS )
+		{
+			uint16 compression;
+			if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+				compression != COMPRESSION_CCITTFAX4 )
+				continue;
+		}
+		cpTag(in, out, p->tag, p->count, p->type);
+	}
 }
 #undef NTAGS
 

tools/tiffcmp.c

@@ -1,4 +1,4 @@
-/* $Id: tiffcmp.c,v 1.16 2010-03-10 18:56:50 bfriesen Exp $ */
+/* $Id: tiffcmp.c,v 1.17 2014-12-21 18:52:42 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -260,6 +260,7 @@ bad1:
 static int
 cmptags(TIFF* tif1, TIFF* tif2)
 {
+	uint16 compression1, compression2;
 	CmpLongField(TIFFTAG_SUBFILETYPE,	"SubFileType");
 	CmpLongField(TIFFTAG_IMAGEWIDTH,	"ImageWidth");
 	CmpLongField(TIFFTAG_IMAGELENGTH,	"ImageLength");
@@ -276,8 +277,20 @@ cmptags(TIFF* tif1, TIFF* tif2)
 	CmpShortField(TIFFTAG_SAMPLEFORMAT,	"SampleFormat");
 	CmpFloatField(TIFFTAG_XRESOLUTION,	"XResolution");
 	CmpFloatField(TIFFTAG_YRESOLUTION,	"YResolution");
-	CmpLongField(TIFFTAG_GROUP3OPTIONS,	"Group3Options");
+	if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
-	CmpLongField(TIFFTAG_GROUP4OPTIONS,	"Group4Options");
+		compression1 == COMPRESSION_CCITTFAX3 &&
+		TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
+		compression2 == COMPRESSION_CCITTFAX3 )
+	{
+		CmpLongField(TIFFTAG_GROUP3OPTIONS,	"Group3Options");
+	}
+	if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
+		compression1 == COMPRESSION_CCITTFAX4 &&
+		TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
+		compression2 == COMPRESSION_CCITTFAX4 )
+	{
+		CmpLongField(TIFFTAG_GROUP4OPTIONS,	"Group4Options");
+	}
 	CmpShortField(TIFFTAG_RESOLUTIONUNIT,	"ResolutionUnit");
 	CmpShortField(TIFFTAG_PLANARCONFIG,	"PlanarConfiguration");
 	CmpLongField(TIFFTAG_ROWSPERSTRIP,	"RowsPerStrip");