cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

* tools/tiffcp.c: fix read of undefined variable in case of missing

Browse Source 
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
This commit is contained in:
Even Rouault 2016-10-08 15:04:31 +00:00
parent d4dd6ccc1e
commit 5707841070
3 changed files with 19 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog
View File

@ -1,3 +1,12 @@
2016-10-08 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: fix read of undefined variable in case of missing
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
2016-09-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* html: Change as many remotesensing.org broken links to a working

6
tools/tiffcp.c
View File

@ -1,4 +1,4 @@
/* $Id: tiffcp.c,v 1.53 2015-06-21 01:09:10 bfriesen Exp $ */
/* $Id: tiffcp.c,v 1.54 2016-10-08 15:04:31 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
static int
tiffcp(TIFF* in, TIFF* out)
{
uint16 bitspersample, samplesperpixel;
uint16 input_compression, input_photometric;
uint16 bitspersample, samplesperpixel = 1;
uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
copyFunc cf;
uint32 width, length;
struct cpTag* p;

11
tools/tiffcrop.c
View File

@ -1,4 +1,4 @@
/* $Id: tiffcrop.c,v 1.40 2016-09-23 22:12:18 erouault Exp $ */
/* $Id: tiffcrop.c,v 1.41 2016-10-08 15:04:31 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
{
uint8* bufp = buf;
int32 bytes_read = 0;
uint16 strip, nstrips = TIFFNumberOfStrips(in);
uint32 strip, nstrips = TIFFNumberOfStrips(in);
uint32 stripsize = TIFFStripSize(in);
uint32 rows = 0;
uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
uint32 width, uint16 spp,
struct dump_opts *dump)
{
int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
uint32 j;
int32 bytes_read = 0;
uint16 bps, nstrips, planar, strips_per_sample;
uint16 bps, planar;
uint32 nstrips;
uint32 strips_per_sample;
uint32 src_rowsize, dst_rowsize, rows_processed, rps;
uint32 rows_this_strip = 0;
tsample_t s;