* tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied fixes for "Bug 2079 -
CVE-2009-2347 libtiff: integer overflows in various inter-color space conversion tools". http://bugzilla.maptools.org/show_bug.cgi?id=2079
This commit is contained in:
parent
ed66fcdf7b
commit
614f95d8b1
@ -1,5 +1,10 @@
|
|||||||
2009-08-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
2009-08-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||||
|
|
||||||
|
* tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied fixes for "Bug 2079 -
|
||||||
|
CVE-2009-2347 libtiff: integer overflows in various inter-color
|
||||||
|
space conversion tools".
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2079
|
||||||
|
|
||||||
* libtiff/tif_print.c (TIFFPrintDirectory): Apply fix from Jay
|
* libtiff/tif_print.c (TIFFPrintDirectory): Apply fix from Jay
|
||||||
Berkenbilt for "Bug 2024 - possible null pointer dereference with
|
Berkenbilt for "Bug 2024 - possible null pointer dereference with
|
||||||
one-line fix".
|
one-line fix".
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $Id: rgb2ycbcr.c,v 1.11 2009-01-22 20:53:07 fwarmerdam Exp $ */
|
/* $Id: rgb2ycbcr.c,v 1.12 2009-08-24 17:15:05 bfriesen Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1991-1997 Sam Leffler
|
* Copyright (c) 1991-1997 Sam Leffler
|
||||||
@ -38,6 +38,7 @@
|
|||||||
# include "libport.h"
|
# include "libport.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#include "tiffiop.h"
|
||||||
#include "tiffio.h"
|
#include "tiffio.h"
|
||||||
|
|
||||||
#define streq(a,b) (strcmp(a,b) == 0)
|
#define streq(a,b) (strcmp(a,b) == 0)
|
||||||
@ -282,15 +283,32 @@ tiffcvt(TIFF* in, TIFF* out)
|
|||||||
float floatv;
|
float floatv;
|
||||||
char *stringv;
|
char *stringv;
|
||||||
uint32 longv;
|
uint32 longv;
|
||||||
int result;
|
int result;
|
||||||
|
size_t pixel_count;
|
||||||
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
||||||
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
||||||
raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
|
pixel_count = width * height;
|
||||||
if (raster == 0) {
|
|
||||||
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
/* XXX: Check the integer overflow. */
|
||||||
return (0);
|
if (!width || !height || pixel_count / width != height) {
|
||||||
}
|
TIFFError(TIFFFileName(in),
|
||||||
|
"Malformed input file; "
|
||||||
|
"can't allocate buffer for raster of %lux%lu size",
|
||||||
|
(unsigned long)width, (unsigned long)height);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32),
|
||||||
|
"raster buffer");
|
||||||
|
if (raster == 0) {
|
||||||
|
TIFFError(TIFFFileName(in),
|
||||||
|
"Failed to allocate buffer (%lu elements of %lu each)",
|
||||||
|
(unsigned long)pixel_count,
|
||||||
|
(unsigned long)sizeof(uint32));
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
if (!TIFFReadRGBAImage(in, width, height, raster, 0)) {
|
if (!TIFFReadRGBAImage(in, width, height, raster, 0)) {
|
||||||
_TIFFfree(raster);
|
_TIFFfree(raster);
|
||||||
return (0);
|
return (0);
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $Id: tiff2rgba.c,v 1.16 2009-01-22 20:53:07 fwarmerdam Exp $ */
|
/* $Id: tiff2rgba.c,v 1.17 2009-08-24 17:15:05 bfriesen Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1991-1997 Sam Leffler
|
* Copyright (c) 1991-1997 Sam Leffler
|
||||||
@ -38,6 +38,7 @@
|
|||||||
# include "libport.h"
|
# include "libport.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#include "tiffiop.h"
|
||||||
#include "tiffio.h"
|
#include "tiffio.h"
|
||||||
|
|
||||||
#define streq(a,b) (strcmp(a,b) == 0)
|
#define streq(a,b) (strcmp(a,b) == 0)
|
||||||
@ -354,16 +355,27 @@ cvt_whole_image( TIFF *in, TIFF *out )
|
|||||||
uint32* raster; /* retrieve RGBA image */
|
uint32* raster; /* retrieve RGBA image */
|
||||||
uint32 width, height; /* image width & height */
|
uint32 width, height; /* image width & height */
|
||||||
uint32 row;
|
uint32 row;
|
||||||
|
size_t pixel_count;
|
||||||
|
|
||||||
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
||||||
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
||||||
|
pixel_count = width * height;
|
||||||
|
|
||||||
|
/* XXX: Check the integer overflow. */
|
||||||
|
if (!width || !height || pixel_count / width != height) {
|
||||||
|
TIFFError(TIFFFileName(in),
|
||||||
|
"Malformed input file; can't allocate buffer for raster of %lux%lu size",
|
||||||
|
(unsigned long)width, (unsigned long)height);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
|
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
|
||||||
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
|
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
|
||||||
|
|
||||||
raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
|
raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
|
||||||
if (raster == 0) {
|
if (raster == 0) {
|
||||||
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
TIFFError(TIFFFileName(in), "Failed to allocate buffer (%lu elements of %lu each)",
|
||||||
|
(unsigned long)pixel_count, (unsigned long)sizeof(uint32));
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -387,16 +399,17 @@ cvt_whole_image( TIFF *in, TIFF *out )
|
|||||||
*/
|
*/
|
||||||
if (no_alpha)
|
if (no_alpha)
|
||||||
{
|
{
|
||||||
int pixel_count = width * height;
|
size_t count = pixel_count;
|
||||||
unsigned char *src, *dst;
|
unsigned char *src, *dst;
|
||||||
|
|
||||||
src = dst = (unsigned char *) raster;
|
src = dst = (unsigned char *) raster;
|
||||||
while (pixel_count > 0)
|
while (count > 0)
|
||||||
{
|
{
|
||||||
*(dst++) = *(src++);
|
*(dst++) = *(src++);
|
||||||
*(dst++) = *(src++);
|
*(dst++) = *(src++);
|
||||||
*(dst++) = *(src++);
|
*(dst++) = *(src++);
|
||||||
src++, pixel_count--;
|
src++;
|
||||||
|
count--;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user