Merge branch 'fix_cve-2017-9935' into 'master'

Fix CVE-2017-9935

See merge request libtiff/libtiff!7
Even Rouault 2017-12-10 21:00:44 +00:00
commit 5848777bd7
2 changed files with 49 additions and 23 deletions

@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
*va_arg(ap, uint16**) = td->td_transferfunction[1];
*va_arg(ap, uint16**) = td->td_transferfunction[2];
} else {
*va_arg(ap, uint16**) = NULL;
*va_arg(ap, uint16**) = NULL;
}
break;
case TIFFTAG_REFERENCEBLACKWHITE:
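Review bot: The added `else` branch now writes NULL into the second and third caller-supplied `uint16**` slots when `td_samplesperpixel - td_extrasamples` is not greater than 1, and nothing at this site documents that change of contract. Before this commit those two slots were left unwritten on that path, so a caller that always passes three pointers would keep whatever they held; a comment such as `/* Always store all three outputs: callers pass three pointers and must see NULL, never a stale value, for absent channels. */` above the `else` would record why the branch exists. The `if` branch still stores `td->td_transferfunction[1]` and `[2]` unchecked, and whether those can be NULL while the count exceeds one is not visible here, so callers should keep testing each returned pointer against NULL as the tiff2pdf code in this commit does. The enclosing `case` label and the store of element 0 lie outside the hunk.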

@ -237,7 +237,7 @@ typedef struct {
float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2];
float* tiff_transferfunction[3];
uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */
uint16 tiff_transferfunctioncount;
@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0;
uint16 paged=0;
uint16 xuint16=0;
uint16 tiff_transferfunctioncount=0;
uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
}
#endif
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
(t2p->tiff_transferfunction[2] != (float*) NULL) &&
(t2p->tiff_transferfunction[1] !=
t2p->tiff_transferfunction[0])) {
t2p->tiff_transferfunctioncount = 3;
t2p->tiff_pages[i].page_extra += 4;
t2p->pdf_xrefcount += 4;
} else {
t2p->tiff_transferfunctioncount = 1;
t2p->tiff_pages[i].page_extra += 2;
t2p->pdf_xrefcount += 2;
}
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
&(tiff_transferfunction[0]),
&(tiff_transferfunction[1]),
&(tiff_transferfunction[2]))) {
if((tiff_transferfunction[1] != (uint16*) NULL) &&
(tiff_transferfunction[2] != (uint16*) NULL)
) {
tiff_transferfunctioncount=3;
} else {
tiff_transferfunctioncount=1;
}
} else {
t2p->tiff_transferfunctioncount=0;
tiff_transferfunctioncount=0;
}
if (i > 0){
if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
TIFFError(
TIFF2PDF_MODULE,
"Different transfer function on page %d",
i);
t2p->t2p_error = T2P_ERR_ERROR;
return;
}
}
t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
if(tiff_transferfunctioncount == 3){
t2p->tiff_pages[i].page_extra += 4;
t2p->pdf_xrefcount += 4;
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
} else if (tiff_transferfunctioncount == 1){
t2p->tiff_pages[i].page_extra += 2;
t2p->pdf_xrefcount += 2;
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
}
if( TIFFGetField(
input,
TIFFTAG_ICCPROFILE,
@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
(t2p->tiff_transferfunction[2] != (float*) NULL) &&
(t2p->tiff_transferfunction[1] !=
t2p->tiff_transferfunction[0])) {
if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
(t2p->tiff_transferfunction[2] != (uint16*) NULL)
) {
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;