* libtiff/tif_dir.c (TIFFAdvanceDirectory): If nextdir is found to

be defective, then set it to zero before returning error in order to terminate processing of truncated TIFF. Issue found and fix suggested by Richard Nolde. * tools/gif2tiff.c: fix possible OOB write (#2452, CVE-2013-4244) * tools/tiff2pdf.c: terminate after failure of allocating * tools/tiffinfo.c: Default various values fetched with
2013-09-13 02:34:50 +00:00 · 2013-09-13 02:34:50 +00:00 · f4203fa738
commit f4203fa738
parent 163627448a
2 changed files with 12 additions and 4 deletions
--- a/13
+++ b/13
@ -1,18 +1,25 @@
+2013-09-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+	* libtiff/tif_dir.c (TIFFAdvanceDirectory): If nextdir is found to
+	be defective, then set it to zero before returning error in order
+	to terminate processing of truncated TIFF.  Issue found and fix
+	suggested by Richard Nolde.
+
 2013-08-14  Frank Warmerdam  <warmerdam@pobox.com>

-	* tools/gif2tiff.c: fix possible OOB write (#2452, CVE-2013-4244) 
+	* tools/gif2tiff.c: fix possible OOB write (#2452, CVE-2013-4244)

 2013-08-13  Frank Warmerdam  <warmerdam@pobox.com>

 	* tools/gif2tiff.c: Be more careful about corrupt or
 	hostile input files (#2450, CVE-2013-4231)

-	* tools/tiff2pdf.c: terminate after failure of allocating 
+	* tools/tiff2pdf.c: terminate after failure of allocating
 	ycbcr buffer (bug #2449, CVE-2013-4232)

 2013-07-09  Frank Warmerdam  <warmerdam@google.com>

-	* tools/tiffinfo.c: Default various values fetched with 
+	* tools/tiffinfo.c: Default various values fetched with
 	TIFFGetField() to avoid being uninitialized.

 2013-05-02  Tom Lane  <tgl@sss.pgh.pa.us>
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@ -1,4 +1,4 @@
-/* $Id: tif_dir.c,v 1.113 2012-06-14 20:32:53 fwarmerdam Exp $ */
+/* $Id: tif_dir.c,v 1.114 2013-09-13 02:34:50 bfriesen Exp $ */

 /*
 * Copyright (c) 1988-1997 Sam Leffler
@ -1344,6 +1344,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* nextdir, uint64* off)
 			if (((uint64)poffa!=poff)||(poffb<poffa)||(poffb<(tmsize_t)sizeof(uint16))||(poffb>tif->tif_size))
 			{
 				TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
+                                  *nextdir=0;
 				return(0);
 			}
 			_TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16));