From 614f95d8b13b88ace11360c6ca63192dd52444e6 Mon Sep 17 00:00:00 2001 From: Bob Friesenhahn Date: Mon, 24 Aug 2009 17:15:05 +0000 Subject: [PATCH] * tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied fixes for "Bug 2079 - CVE-2009-2347 libtiff: integer overflows in various inter-color space conversion tools". http://bugzilla.maptools.org/show_bug.cgi?id=2079 --- ChangeLog | 5 +++++ tools/rgb2ycbcr.c | 32 +++++++++++++++++++++++++------- tools/tiff2rgba.c | 25 +++++++++++++++++++------ 3 files changed, 49 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6e14adca..d21d1ce7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 2009-08-24 Bob Friesenhahn + * tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied fixes for "Bug 2079 - + CVE-2009-2347 libtiff: integer overflows in various inter-color + space conversion tools". + http://bugzilla.maptools.org/show_bug.cgi?id=2079 + * libtiff/tif_print.c (TIFFPrintDirectory): Apply fix from Jay Berkenbilt for "Bug 2024 - possible null pointer dereference with one-line fix". diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c index 98d6d7dc..70f8ba33 100644 --- a/tools/rgb2ycbcr.c +++ b/tools/rgb2ycbcr.c @@ -1,4 +1,4 @@ -/* $Id: rgb2ycbcr.c,v 1.11 2009-01-22 20:53:07 fwarmerdam Exp $ */ +/* $Id: rgb2ycbcr.c,v 1.12 2009-08-24 17:15:05 bfriesen Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -38,6 +38,7 @@ # include "libport.h" #endif +#include "tiffiop.h" #include "tiffio.h" #define streq(a,b) (strcmp(a,b) == 0) 
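Review bot: The new `#include "tiffiop.h"` in tools/rgb2ycbcr.c (and the matching include in tools/tiff2rgba.c) makes a command-line tool depend on libtiff's library-private header solely to reach `_TIFFCheckMalloc`. It is worth confirming that this symbol is exported from every shared-library build the tools link against; if it is not, the overflow fix becomes a link failure there. A short comment on the include, such as `/* private header: needed for _TIFFCheckMalloc() */`, would record why it is there.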
@@ -282,15 +283,32 @@ tiffcvt(TIFF* in, TIFF* out)
 float floatv;
 char *stringv;
 uint32 longv;
- int result;
+ int result;
+ size_t pixel_count;
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
- }
+ pixel_count = width * height;
+
+ /* XXX: Check the integer overflow. */
+ if (!width || !height || pixel_count / width != height) {
+ TIFFError(TIFFFileName(in),
+ "Malformed input file; "
+ "can't allocate buffer for raster of %lux%lu size",
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
+
+ raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32),
+ "raster buffer");
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in),
+ "Failed to allocate buffer (%lu elements of %lu each)",
+ (unsigned long)pixel_count,
+ (unsigned long)sizeof(uint32));
+ return (0);
+ }
+
 if (!TIFFReadRGBAImage(in, width, height, raster, 0)) {
 _TIFFfree(raster);
 return (0);
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 074cf0f6..bc2f1790 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2rgba.c,v 1.16 2009-01-22 20:53:07 fwarmerdam Exp $ */
+/* $Id: tiff2rgba.c,v 1.17 2009-08-24 17:15:05 bfriesen Exp $ */
 /*
 * Copyright (c) 1991-1997 Sam Leffler
@@ -38,6 +38,7 @@
 # include "libport.h"
 #endif
+#include "tiffiop.h"
 #include "tiffio.h"
 #define streq(a,b) (strcmp(a,b) == 0)
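Review bot: In tiffcvt the return values of both `TIFFGetField` calls are still ignored, so the new `!width || !height` test and the `pixel_count` product operate on whatever the variables held if a tag could not be read. The declarations of `width` and `height` are outside this hunk, so whether they are initialised cannot be seen here; in cvt_whole_image in tools/tiff2rgba.c they are visibly declared as `uint32 width, height;` with no initialiser, and the same pattern applies. Unless the library guarantees both tags are present by this point, fail early: `if (!TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width) || !TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height)) return 0;`.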
@@ -354,16 +355,27 @@ cvt_whole_image( TIFF *in, TIFF *out )
 uint32* raster; /* retrieve RGBA image */
 uint32 width, height; /* image width & height */
 uint32 row;
+ size_t pixel_count;
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+ pixel_count = width * height;
+
+ /* XXX: Check the integer overflow. */
+ if (!width || !height || pixel_count / width != height) {
+ TIFFError(TIFFFileName(in),
+ "Malformed input file; can't allocate buffer for raster of %lux%lu size",
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
 rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
 TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
 if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
+ TIFFError(TIFFFileName(in), "Failed to allocate buffer (%lu elements of %lu each)",
+ (unsigned long)pixel_count, (unsigned long)sizeof(uint32));
 return (0);
 }
@@ -387,16 +399,17 @@ cvt_whole_image( TIFF *in, TIFF *out )
 */
 if (no_alpha)
 {
- int pixel_count = width * height;
+ size_t count = pixel_count;
 unsigned char *src, *dst;
 src = dst = (unsigned char *) raster;
- while (pixel_count > 0)
+ while (count > 0)
 {
 *(dst++) = *(src++);
 *(dst++) = *(src++);
 *(dst++) = *(src++);
- src++, pixel_count--;
+ src++;
+ count--;
 }
 }
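Review bot: The `/* XXX: Check the integer overflow. */` comment in the first cvt_whole_image hunk (and the identical one in tiffcvt in tools/rgb2ycbcr.c) reads like an open to-do and does not explain why the test works. `width * height` is evaluated on two `uint32` operands before the result is stored in the `size_t`, so presumably the product wraps at 32 bits even where `size_t` is wider, and the division is what detects that. I would replace the comment with `/* width * height is computed in uint32; if the quotient differs from height the product wrapped */`. The byte-size multiplication by `sizeof(uint32)` is left to `_TIFFCheckMalloc`, whose implementation is not shown on this page.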