tif_fax3: better fix for CVE-2011-0192

There are some legitimate cases which were forbidden by the previous fix.
Thomas Bernard 2020-03-01 00:38:59 +01:00
parent 02bb01750f
commit 72c4acef4b
No known key found for this signature in database
GPG Key ID: 0FF11B67A5C0863C
2 changed files with 13 additions and 7 deletions


@ -73,6 +73,7 @@ typedef struct {
int EOLcnt; /* count of EOL codes recognized */ int EOLcnt; /* count of EOL codes recognized */
TIFFFaxFillFunc fill; /* fill routine */ TIFFFaxFillFunc fill; /* fill routine */
uint32* runs; /* b&w runs for current/previous row */ uint32* runs; /* b&w runs for current/previous row */
uint32 nruns; /* size of the refruns / curruns arrays */
uint32* refruns; /* runs for reference line */ uint32* refruns; /* runs for reference line */
uint32* curruns; /* runs for current line */ uint32* curruns; /* runs for current line */
@ -506,7 +507,7 @@ Fax3SetupState(TIFF* tif)
int needsRefLine; int needsRefLine;
Fax3CodecState* dsp = (Fax3CodecState*) Fax3State(tif); Fax3CodecState* dsp = (Fax3CodecState*) Fax3State(tif);
tmsize_t rowbytes; tmsize_t rowbytes;
uint32 rowpixels, nruns; uint32 rowpixels;
if (td->td_bitspersample != 1) { if (td->td_bitspersample != 1) {
TIFFErrorExt(tif->tif_clientdata, module, TIFFErrorExt(tif->tif_clientdata, module,
@ -539,26 +540,26 @@ Fax3SetupState(TIFF* tif)
TIFFroundup and TIFFSafeMultiply return zero on integer overflow TIFFroundup and TIFFSafeMultiply return zero on integer overflow
*/ */
dsp->runs=(uint32*) NULL; dsp->runs=(uint32*) NULL;
nruns = TIFFroundup_32(rowpixels,32); dsp->nruns = TIFFroundup_32(rowpixels,32);
if (needsRefLine) { if (needsRefLine) {
nruns = TIFFSafeMultiply(uint32,nruns,2); dsp->nruns = TIFFSafeMultiply(uint32,dsp->nruns,2);
} }
if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) { if ((dsp->nruns == 0) || (TIFFSafeMultiply(uint32,dsp->nruns,2) == 0)) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name, TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Row pixels integer overflow (rowpixels %u)", "Row pixels integer overflow (rowpixels %u)",
rowpixels); rowpixels);
return (0); return (0);
} }
dsp->runs = (uint32*) _TIFFCheckMalloc(tif, dsp->runs = (uint32*) _TIFFCheckMalloc(tif,
TIFFSafeMultiply(uint32,nruns,2), TIFFSafeMultiply(uint32,dsp->nruns,2),
sizeof (uint32), sizeof (uint32),
"for Group 3/4 run arrays"); "for Group 3/4 run arrays");
if (dsp->runs == NULL) if (dsp->runs == NULL)
return (0); return (0);
memset( dsp->runs, 0, TIFFSafeMultiply(uint32,nruns,2)*sizeof(uint32)); memset( dsp->runs, 0, TIFFSafeMultiply(uint32,dsp->nruns,2)*sizeof(uint32));
dsp->curruns = dsp->runs; dsp->curruns = dsp->runs;
if (needsRefLine) if (needsRefLine)
dsp->refruns = dsp->runs + nruns; dsp->refruns = dsp->runs + dsp->nruns;
else else
dsp->refruns = NULL; dsp->refruns = NULL;
if (td->td_compression == COMPRESSION_CCITTFAX3 if (td->td_compression == COMPRESSION_CCITTFAX3
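Review bot: The comment on the new `nruns` field does not record the invariant that a decoder bound check against it depends on: that `curruns` and `refruns` each hold exactly `nruns` entries, which the setup code guarantees by allocating `2*nruns` entries and setting `refruns = runs + nruns`. Suggest `uint32 nruns; /* entries in each of curruns and refruns; decoder bound, keep in sync with the runs allocation below */` so the next change to the allocation does not silently break the bound. In the 1D case (`needsRefLine` false) `curruns` actually owns all `2*nruns` entries, so a bound of `nruns` is conservative there, which is fine but worth a word. Fax3SetupState continues past the end of this hunk.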


@ -387,6 +387,11 @@ done1d: \
*/ */
#define EXPAND2D(eoflab) do { \ #define EXPAND2D(eoflab) do { \
while (a0 < lastx) { \ while (a0 < lastx) { \
if (pa >= thisrun + sp->nruns) { \
TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
break; \
} \
LOOKUP8(7, TIFFFaxMainTable, eof2d); \ LOOKUP8(7, TIFFFaxMainTable, eof2d); \
switch (TabEnt->State) { \ switch (TabEnt->State) { \
case S_Pass: \ case S_Pass: \
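Review bot: The guard runs once per loop iteration, but a single pass through the `switch` below may store more than one run (in T.4 horizontal mode one code word carries two run lengths), so with `pa == thisrun + sp->nruns - 1` a second store in the same iteration would land one element past `curruns`; the case bodies are outside this hunk, so this needs confirming against them, and if any case stores two runs the check should leave headroom, e.g. `if (pa + 2 > thisrun + sp->nruns) {`. Separately, `break` only leaves the `while (a0 < lastx)` loop, so whatever follows it in the macro and the caller's fill of the row still execute on a truncated run array; if the macro's error convention allows it, reporting failure to the caller is safer than breaking. The EXPAND2D macro continues past the end of this hunk.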