* libtiff/tif_fax3.c (Fax3SetupState): Yesterday's fix for

CVE-2010-1411 was not complete.

* libtiff/tiffiop.h (TIFFSafeMultiply): New macro to safely
multiply two integers.  Returns zero if there is an integer
overflow.

* tools/tiffcp.c (main): tiffcp should not leak memory if an error
is reported when reading the input file.

ChangeLog

@@ -1,3 +1,15 @@
+2010-06-09  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+	* libtiff/tif_fax3.c (Fax3SetupState): Yesterday's fix for
+	CVE-2010-1411 was not complete.
+
+	* libtiff/tiffiop.h (TIFFSafeMultiply): New macro to safely
+	multiply two integers.  Returns zero if there is an integer
+	overflow.
+
+	* tools/tiffcp.c (main): tiffcp should not leak memory if an error
+	is reported when reading the input file.
+
 2010-06-08  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
 	* Update libtool to version 2.2.8.

libtiff/tif_fax3.c

@@ -1,4 +1,4 @@
-/* $Id: tif_fax3.c,v 1.71 2010-06-08 23:32:23 bfriesen Exp $ */
+/* $Id: tif_fax3.c,v 1.72 2010-06-09 17:17:13 bfriesen Exp $ */
 
 /*
  * Copyright (c) 1990-1997 Sam Leffler
@@ -504,13 +504,26 @@ Fax3SetupState(TIFF* tif)
 	    td->td_compression == COMPRESSION_CCITTFAX4
 	);
 
-	/* TIFFroundup_32 returns zero on internal overflow */
+	/*
+	  Assure that allocation computations do not overflow.
+	  
+	  TIFFroundup and TIFFSafeMultiply return zero on integer overflow
+	*/
+	dsp->runs=(uint32*) NULL;
 	nruns = TIFFroundup_32(rowpixels,32);
 	if (needsRefLine) {
-		nruns *= 2;
+		nruns = TIFFSafeMultiply(uint32,nruns,2);
 	}
-	dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns, sizeof (uint32),
+	if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) {
-					  "for Group 3/4 run arrays");
+		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+			     "Row pixels integer overflow (rowpixels %u)",
+			     rowpixels);
+		return (0);
+	}
+	dsp->runs = (uint32*) _TIFFCheckMalloc(tif,
+					       TIFFSafeMultiply(uint32,nruns,2),
+					       sizeof (uint32),
+					       "for Group 3/4 run arrays");
 	if (dsp->runs == NULL)
 		return (0);
 	dsp->curruns = dsp->runs;

libtiff/tiffiop.h

@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.76 2010-06-08 23:32:23 bfriesen Exp $ */
+/* $Id: tiffiop.h,v 1.77 2010-06-09 17:17:13 bfriesen Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -269,6 +269,9 @@ struct tiff {
 #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
 #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
 
+/* Safe multiply which returns zero if there is an integer overflow */
+#define TIFFSafeMultiply(t,v,m) ((((t)v*m)/(t)m == (t)v) ? (t)v*m : (t)0)
+
 #define TIFFmax(A,B) ((A)>(B)?(A):(B))
 #define TIFFmin(A,B) ((A)<(B)?(A):(B))
 

tools/tiffcp.c

@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.44 2010-06-03 17:01:02 fwarmerdam Exp $ */
+/* $Id: tiffcp.c,v 1.45 2010-06-09 17:17:13 bfriesen Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -276,11 +276,14 @@ main(int argc, char* argv[])
 	for (; optind < argc-1 ; optind++) {
 		char *imageCursor = argv[optind];
 		in = openSrcImage (&imageCursor);
-		if (in == NULL)
+		if (in == NULL) {
+			(void) TIFFClose(out);
 			return (-3);
+		}
 		if (diroff != 0 && !TIFFSetSubDirectory(in, diroff)) {
 			TIFFError(TIFFFileName(in),
 			    "Error, setting subdirectory at " TIFF_UINT64_FORMAT, diroff);
+			(void) TIFFClose(in);
 			(void) TIFFClose(out);
 			return (1);
 		}
@@ -294,7 +297,8 @@ main(int argc, char* argv[])
 			tilelength = deftilelength;
 			g3opts = defg3opts;
 			if (!tiffcp(in, out) || !TIFFWriteDirectory(out)) {
-				TIFFClose(out);
+				(void) TIFFClose(in);
+				(void) TIFFClose(out);
 				return (1);
 			}
 			if (imageCursor) { /* seek next image directory */
@@ -302,10 +306,10 @@ main(int argc, char* argv[])
 			}else
 				if (!TIFFReadDirectory(in)) break;
 		}
-		TIFFClose(in);
+		(void) TIFFClose(in);
 	}
 
-	TIFFClose(out);
+	(void) TIFFClose(out);
 	return (0);
 }