* tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied fixes for "Bug 2079 -

CVE-2009-2347 libtiff: integer overflows in various inter-color
space conversion tools".
http://bugzilla.maptools.org/show_bug.cgi?id=2079
This commit is contained in:
Bob Friesenhahn 2009-08-24 17:15:05 +00:00
parent ed66fcdf7b
commit 614f95d8b1
3 changed files with 49 additions and 13 deletions

View File

@ -1,5 +1,10 @@
2009-08-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2009-08-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied fixes for "Bug 2079 -
CVE-2009-2347 libtiff: integer overflows in various inter-color
space conversion tools".
http://bugzilla.maptools.org/show_bug.cgi?id=2079
* libtiff/tif_print.c (TIFFPrintDirectory): Apply fix from Jay * libtiff/tif_print.c (TIFFPrintDirectory): Apply fix from Jay
Berkenbilt for "Bug 2024 - possible null pointer dereference with Berkenbilt for "Bug 2024 - possible null pointer dereference with
one-line fix". one-line fix".

View File

@ -1,4 +1,4 @@
/* $Id: rgb2ycbcr.c,v 1.11 2009-01-22 20:53:07 fwarmerdam Exp $ */ /* $Id: rgb2ycbcr.c,v 1.12 2009-08-24 17:15:05 bfriesen Exp $ */
/* /*
* Copyright (c) 1991-1997 Sam Leffler * Copyright (c) 1991-1997 Sam Leffler
@ -38,6 +38,7 @@
# include "libport.h" # include "libport.h"
#endif #endif
#include "tiffiop.h"
#include "tiffio.h" #include "tiffio.h"
#define streq(a,b) (strcmp(a,b) == 0) #define streq(a,b) (strcmp(a,b) == 0)
@ -282,15 +283,32 @@ tiffcvt(TIFF* in, TIFF* out)
float floatv; float floatv;
char *stringv; char *stringv;
uint32 longv; uint32 longv;
int result; int result;
size_t pixel_count;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); pixel_count = width * height;
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer"); /* XXX: Check the integer overflow. */
return (0); if (!width || !height || pixel_count / width != height) {
} TIFFError(TIFFFileName(in),
"Malformed input file; "
"can't allocate buffer for raster of %lux%lu size",
(unsigned long)width, (unsigned long)height);
return 0;
}
raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32),
"raster buffer");
if (raster == 0) {
TIFFError(TIFFFileName(in),
"Failed to allocate buffer (%lu elements of %lu each)",
(unsigned long)pixel_count,
(unsigned long)sizeof(uint32));
return (0);
}
if (!TIFFReadRGBAImage(in, width, height, raster, 0)) { if (!TIFFReadRGBAImage(in, width, height, raster, 0)) {
_TIFFfree(raster); _TIFFfree(raster);
return (0); return (0);

View File

@ -1,4 +1,4 @@
/* $Id: tiff2rgba.c,v 1.16 2009-01-22 20:53:07 fwarmerdam Exp $ */ /* $Id: tiff2rgba.c,v 1.17 2009-08-24 17:15:05 bfriesen Exp $ */
/* /*
* Copyright (c) 1991-1997 Sam Leffler * Copyright (c) 1991-1997 Sam Leffler
@ -38,6 +38,7 @@
# include "libport.h" # include "libport.h"
#endif #endif
#include "tiffiop.h"
#include "tiffio.h" #include "tiffio.h"
#define streq(a,b) (strcmp(a,b) == 0) #define streq(a,b) (strcmp(a,b) == 0)
@ -354,16 +355,27 @@ cvt_whole_image( TIFF *in, TIFF *out )
uint32* raster; /* retrieve RGBA image */ uint32* raster; /* retrieve RGBA image */
uint32 width, height; /* image width & height */ uint32 width, height; /* image width & height */
uint32 row; uint32 row;
size_t pixel_count;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
pixel_count = width * height;
/* XXX: Check the integer overflow. */
if (!width || !height || pixel_count / width != height) {
TIFFError(TIFFFileName(in),
"Malformed input file; can't allocate buffer for raster of %lux%lu size",
(unsigned long)width, (unsigned long)height);
return 0;
}
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
if (raster == 0) { if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer"); TIFFError(TIFFFileName(in), "Failed to allocate buffer (%lu elements of %lu each)",
(unsigned long)pixel_count, (unsigned long)sizeof(uint32));
return (0); return (0);
} }
@ -387,16 +399,17 @@ cvt_whole_image( TIFF *in, TIFF *out )
*/ */
if (no_alpha) if (no_alpha)
{ {
int pixel_count = width * height; size_t count = pixel_count;
unsigned char *src, *dst; unsigned char *src, *dst;
src = dst = (unsigned char *) raster; src = dst = (unsigned char *) raster;
while (pixel_count > 0) while (count > 0)
{ {
*(dst++) = *(src++); *(dst++) = *(src++);
*(dst++) = *(src++); *(dst++) = *(src++);
*(dst++) = *(src++); *(dst++) = *(src++);
src++, pixel_count--; src++;
count--;
} }
} }