* libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid potential invalid memory write on corrupted/unexpected images when using the TIFFRGBAImageBegin() interface (reported by Clay Wood) (CVE-2016-587)
This commit is contained in:
parent
f8b7c3de4d
commit
33c391eff4
@ -1,7 +1,16 @@
|
|||||||
|
2016-07-01 Even Rouault <even.rouault at spatialys.com>
|
||||||
|
|
||||||
|
* libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
|
||||||
|
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
|
||||||
|
potential invalid memory write on corrupted/unexpected images when
|
||||||
|
using the TIFFRGBAImageBegin() interface (reported by
|
||||||
|
Clay Wood)
|
||||||
|
|
||||||
2016-06-28 Even Rouault <even.rouault at spatialys.com>
|
2016-06-28 Even Rouault <even.rouault at spatialys.com>
|
||||||
|
|
||||||
* libtiff/tif_pixarlog.c: fix potential buffer write overrun in
|
* libtiff/tif_pixarlog.c: fix potential buffer write overrun in
|
||||||
PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
|
PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
|
||||||
|
(CVE-2016-587)
|
||||||
|
|
||||||
2016-06-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
2016-06-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
|
/* $Id: tif_luv.c,v 1.42 2016-07-01 11:06:04 erouault Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1997 Greg Ward Larson
|
* Copyright (c) 1997 Greg Ward Larson
|
||||||
@ -1276,6 +1276,14 @@ LogL16InitState(TIFF* tif)
|
|||||||
assert(sp != NULL);
|
assert(sp != NULL);
|
||||||
assert(td->td_photometric == PHOTOMETRIC_LOGL);
|
assert(td->td_photometric == PHOTOMETRIC_LOGL);
|
||||||
|
|
||||||
|
if( td->td_samplesperpixel != 1 )
|
||||||
|
{
|
||||||
|
TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
"Sorry, can not handle LogL image with %s=%d",
|
||||||
|
"Samples/pixel", td->td_samplesperpixel);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* for some reason, we can't do this in TIFFInitLogL16 */
|
/* for some reason, we can't do this in TIFFInitLogL16 */
|
||||||
if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
|
if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
|
||||||
sp->user_datafmt = LogL16GuessDataFmt(td);
|
sp->user_datafmt = LogL16GuessDataFmt(td);
|
||||||
|
Loading…
Reference in New Issue
Block a user