* libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and

PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images when
using the TIFFRGBAImageBegin() interface (reported by
Clay Wood)

(CVE-2016-587)
This commit is contained in:
Even Rouault 2016-07-01 11:06:04 +00:00
parent f8b7c3de4d
commit 33c391eff4
2 changed files with 18 additions and 1 deletions

View File

@ -1,7 +1,16 @@
2016-07-01 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images when
using the TIFFRGBAImageBegin() interface (reported by
Clay Wood)
2016-06-28 Even Rouault <even.rouault at spatialys.com> 2016-06-28 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_pixarlog.c: fix potential buffer write overrun in * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson) PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
(CVE-2016-587)
2016-06-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2016-06-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

View File

@ -1,4 +1,4 @@
/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */ /* $Id: tif_luv.c,v 1.42 2016-07-01 11:06:04 erouault Exp $ */
/* /*
* Copyright (c) 1997 Greg Ward Larson * Copyright (c) 1997 Greg Ward Larson
@ -1276,6 +1276,14 @@ LogL16InitState(TIFF* tif)
assert(sp != NULL); assert(sp != NULL);
assert(td->td_photometric == PHOTOMETRIC_LOGL); assert(td->td_photometric == PHOTOMETRIC_LOGL);
if( td->td_samplesperpixel != 1 )
{
TIFFErrorExt(tif->tif_clientdata, module,
"Sorry, can not handle LogL image with %s=%d",
"Samples/pixel", td->td_samplesperpixel);
return 0;
}
/* for some reason, we can't do this in TIFFInitLogL16 */ /* for some reason, we can't do this in TIFFInitLogL16 */
if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN) if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
sp->user_datafmt = LogL16GuessDataFmt(td); sp->user_datafmt = LogL16GuessDataFmt(td);