cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into 'master'

Browse Source 
fix three potential vulnerabilities.

See merge request libtiff/libtiff!33
This commit is contained in:
Even Rouault 2018-09-17 18:33:33 +00:00
commit 31374a7bf1
4 changed files with 61 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
tools/pal2rgb.c
View File

@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
{
struct cpTag *p;
for (p = tags; p < &tags[NTAGS]; p++)
cpTag(in, out, p->tag, p->count, p->type);
{
if( p->tag == TIFFTAG_GROUP3OPTIONS )
{
uint16 compression;
if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
compression != COMPRESSION_CCITTFAX3 )
continue;
}
if( p->tag == TIFFTAG_GROUP4OPTIONS )
{
uint16 compression;
if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
compression != COMPRESSION_CCITTFAX4 )
continue;
}
cpTag(in, out, p->tag, p->count, p->type);
}
}
#undef NTAGS

13
tools/ppm2tiff.c
View File

@ -70,15 +70,16 @@ BadPPM(char* file)
exit(-2);
}
#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
tmsize_t bytes = m1 * m2;
if (m1 && bytes / m1 != m2)
bytes = 0;
return bytes;
if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
return 0;
return m1 * m2;
}
int

18
tools/tiff2bw.c
View File

@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
{
struct cpTag *p;
for (p = tags; p < &tags[NTAGS]; p++)
cpTag(in, out, p->tag, p->count, p->type);
{
if( p->tag == TIFFTAG_GROUP3OPTIONS )
{
uint16 compression;
if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
compression != COMPRESSION_CCITTFAX3 )
continue;
}
if( p->tag == TIFFTAG_GROUP4OPTIONS )
{
uint16 compression;
if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
compression != COMPRESSION_CCITTFAX4 )
continue;
}
cpTag(in, out, p->tag, p->count, p->type);
}
}
#undef NTAGS

26
tools/tiffinfoce.c
View File

@ -290,17 +290,24 @@ void
TIFFReadContigTileData(TIFF* tif)
{
unsigned char *buf;
tsize_t rowsize = TIFFTileRowSize(tif);
tmsize_t rowsize = TIFFTileRowSize(tif);
tmsize_t tilesize = TIFFTileSize(tif);
buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif));
buf = (unsigned char *)_TIFFmalloc(tilesize);
if (buf) {
uint32 tw, th, w, h;
uint32 tw=0, th=0, w=0, h=0;
uint32 row, col;
TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w);
TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h);
TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
if( rowsize == 0 || th > tilesize / rowsize )
{
fprintf(stderr, "Cannot display data: th * rowsize > tilesize\n");
_TIFFfree(buf);
return;
}
for (row = 0; row < h; row += th) {
for (col = 0; col < w; col += tw) {
if (TIFFReadTile(tif, buf, col, row, 0, 0) < 0) {
@ -318,11 +325,12 @@ void
TIFFReadSeparateTileData(TIFF* tif)
{
unsigned char *buf;
tsize_t rowsize = TIFFTileRowSize(tif);
tmsize_t rowsize = TIFFTileRowSize(tif);
tmsize_t tilesize = TIFFTileSize(tif);
buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif));
buf = (unsigned char *)_TIFFmalloc(tilesize);
if (buf) {
uint32 tw, th, w, h;
uint32 tw=0, th=0, w=0, h=0;
uint32 row, col;
tsample_t s, samplesperpixel;
@ -331,6 +339,12 @@ TIFFReadSeparateTileData(TIFF* tif)
TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel);
if( rowsize == 0 || th > tilesize / rowsize )
{
fprintf(stderr, "Cannot display data: th * rowsize > tilesize\n");
_TIFFfree(buf);
return;
}
for (row = 0; row < h; row += th) {
for (col = 0; col < w; col += tw) {
for (s = 0; s < samplesperpixel; s++) {