authorEirik Aavitsland <eirik.aavitsland@qt.io>2018-10-11 15:26:14 +0200
committerEirik Aavitsland <eirik.aavitsland@qt.io>2018-10-12 07:51:09 +0000
commit80017a1c7f829355edce61d5d50196cd1e13dcdd (patch)
tree94723739a2e1b2722d2a11ab208f157b5733ebbf
parent855106d17258638cf50099b47d2db801c747ebb6 (diff)
Bundled libtiff: add a number of security-related upstream patches
This comprises the following libtiff commits, related to the listed CVEs: 3719385a3fac5cfb20b487619a5f08abbf967cf8 CVE-2017-11613 7a092f8af2568d61993a8cc2e7a35a998d7d37be CVE-2017-11613 de144fd228e4be8aa484c3caf3d814b6fa88c6d9 CVE-2018-10963 58a898cb4459055bb488ca815c23b880c242a27d CVE-2018-8905 981e43ecae83935625c86c9118c0778c942c7048 CVE-2018-10779 [ChangeLog][TIFF] A number of security-related upstream patches has been applied to the bundled libtiff Change-Id: I3def9a9b91d0dd2cfd959c5e83d972beed9394d6 Reviewed-by: Liang Qi <liang.qi@qt.io>
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_dirread.c10
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_dirwrite.c7
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_lzw.c18
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_write.c6
4 files changed, 31 insertions, 10 deletions
diff --git a/src/3rdparty/libtiff/libtiff/tif_dirread.c b/src/3rdparty/libtiff/libtiff/tif_dirread.c
index 5e62e81..aa258ba 100644
--- a/src/3rdparty/libtiff/libtiff/tif_dirread.c
+++ b/src/3rdparty/libtiff/libtiff/tif_dirread.c
@@ -5698,6 +5698,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
if( nstrips == 0 )
return;
+ /* If we are going to allocate a lot of memory, make sure that the */
+ /* file is as big as needed */
+ if( tif->tif_mode == O_RDONLY &&
+ nstrips > 1000000 &&
+ (offset >= TIFFGetFileSize(tif) ||
+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
+ {
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
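Review bot: The new file-size check is applied only when `tif->tif_mode == O_RDONLY` and `nstrips > 1000000`, so a file opened for update, or one with a strip count at or below the threshold, still reaches both `_TIFFCheckMalloc` calls with an `nstrips` that was never compared against the file size. If that is intentional (presumably because a file open for writing may still grow, and the threshold caps each array at about 8 MB), a comment should say so, e.g. `/* Read-only files only: in update mode the file may legitimately be smaller than the strips it declares. */`. The bare `1000000` would read better as a named constant. The early `return` is silent, so a `TIFFWarningExt` call before it would make rejected files visible in logs. ChopUpSingleUncompressedStrip starts and ends outside this hunk.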
diff --git a/src/3rdparty/libtiff/libtiff/tif_dirwrite.c b/src/3rdparty/libtiff/libtiff/tif_dirwrite.c
index c68d6d2..5d0a669 100644
--- a/src/3rdparty/libtiff/libtiff/tif_dirwrite.c
+++ b/src/3rdparty/libtiff/libtiff/tif_dirwrite.c
@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
}
break;
default:
- assert(0); /* we should never get here */
- break;
+ TIFFErrorExt(tif->tif_clientdata,module,
+ "Cannot write tag %d (%s)",
+ TIFFFieldTag(o),
+ o->field_name ? o->field_name : "unknown");
+ goto bad;
}
}
}
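Review bot: The format string in the new `default:` branch prints the tag with `%d`, but `TIFFFieldTag()` is declared in tiffio.h as returning `uint32`, so the specifier and argument differ in signedness. `"Cannot write tag %u (%s)"` with `(unsigned)TIFFFieldTag(o)` would match and keep `-Wformat-signedness` quiet. The message also mixes an accessor for the tag with a direct `o->field_name` read, and using one style for both would be more consistent. The enclosing switch and the `bad:` label are outside this hunk.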
diff --git a/src/3rdparty/libtiff/libtiff/tif_lzw.c b/src/3rdparty/libtiff/libtiff/tif_lzw.c
index bc8f9c8..186ea3c 100644
--- a/src/3rdparty/libtiff/libtiff/tif_lzw.c
+++ b/src/3rdparty/libtiff/libtiff/tif_lzw.c
@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
char *tp;
unsigned char *bp;
int code, nbits;
+ int len;
long nextbits, nextdata, nbitsmask;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
} while (--occ);
break;
}
- assert(occ >= codep->length);
- op += codep->length;
- occ -= codep->length;
- tp = op;
+ len = codep->length;
+ tp = op + len;
do {
- *--tp = codep->value;
- } while( (codep = codep->next) != NULL );
+ int t;
+ --tp;
+ t = codep->value;
+ codep = codep->next;
+ *tp = (char)t;
+ } while (codep && tp > op);
+ assert(occ >= len);
+ op += len;
+ occ -= len;
} else {
*op++ = (char)code;
occ--;
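Review bot: When the copy loop exits because `tp > op` is no longer true while `codep` is still non-NULL, the chain was longer than its recorded `length`, which indicates a corrupt string table, yet decoding continues as if the string had been copied correctly. A check directly after the loop, `if (codep != NULL)` followed by an error report and an end to decoding, would turn this into a reported failure instead of silently wrong output. Conversely, if the chain ends before `tp` reaches `op`, the leading bytes of the `len`-byte span are never written although `op` still advances by `len`. `assert(occ >= len)` now runs after the writes and is compiled out under NDEBUG, so the output bound presumably rests on the length check whose tail is visible at the top of the hunk. LZWDecodeCompat begins and ends outside this hunk.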
diff --git a/src/3rdparty/libtiff/libtiff/tif_write.c b/src/3rdparty/libtiff/libtiff/tif_write.c
index 4c216ec..208a2ee 100644
--- a/src/3rdparty/libtiff/libtiff/tif_write.c
+++ b/src/3rdparty/libtiff/libtiff/tif_write.c
@@ -540,9 +540,11 @@ TIFFSetupStrips(TIFF* tif)
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
td->td_stripsperimage /= td->td_samplesperpixel;
td->td_stripoffset = (uint64 *)
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+ "for \"StripOffsets\" array");
td->td_stripbytecount = (uint64 *)
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+ "for \"StripByteCounts\" array");
if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
return (0);
/*