From 80017a1c7f829355edce61d5d50196cd1e13dcdd Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Thu, 11 Oct 2018 15:26:14 +0200 Subject: Bundled libtiff: add a number of security-related upstream patches This comprises the following libtiff commits, related to the listed CVEs: 3719385a3fac5cfb20b487619a5f08abbf967cf8 CVE-2017-11613 7a092f8af2568d61993a8cc2e7a35a998d7d37be CVE-2017-11613 de144fd228e4be8aa484c3caf3d814b6fa88c6d9 CVE-2018-10963 58a898cb4459055bb488ca815c23b880c242a27d CVE-2018-8905 981e43ecae83935625c86c9118c0778c942c7048 CVE-2018-10779 [ChangeLog][TIFF] A number of security-related upstream patches has been applied to the bundled libtiff Change-Id: I3def9a9b91d0dd2cfd959c5e83d972beed9394d6 Reviewed-by: Liang Qi --- src/3rdparty/libtiff/libtiff/tif_dirread.c | 10 ++++++++++ src/3rdparty/libtiff/libtiff/tif_dirwrite.c | 7 +++++-- src/3rdparty/libtiff/libtiff/tif_lzw.c | 18 ++++++++++++------ src/3rdparty/libtiff/libtiff/tif_write.c | 6 ++++-- 4 files changed, 31 insertions(+), 10 deletions(-) diff --git a/src/3rdparty/libtiff/libtiff/tif_dirread.c b/src/3rdparty/libtiff/libtiff/tif_dirread.c index 5e62e81..aa258ba 100644 --- a/src/3rdparty/libtiff/libtiff/tif_dirread.c +++ b/src/3rdparty/libtiff/libtiff/tif_dirread.c @@ -5698,6 +5698,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) if( nstrips == 0 ) return; + /* If we are going to allocate a lot of memory, make sure that the */ + /* file is as big as needed */ + if( tif->tif_mode == O_RDONLY && + nstrips > 1000000 && + (offset >= TIFFGetFileSize(tif) || + stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) + { + return; + } + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripByteCounts\" array"); newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/src/3rdparty/libtiff/libtiff/tif_dirwrite.c b/src/3rdparty/libtiff/libtiff/tif_dirwrite.c index c68d6d2..5d0a669 100644 --- a/src/3rdparty/libtiff/libtiff/tif_dirwrite.c +++ b/src/3rdparty/libtiff/libtiff/tif_dirwrite.c @@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) } break; default: - assert(0); /* we should never get here */ - break; + TIFFErrorExt(tif->tif_clientdata,module, + "Cannot write tag %d (%s)", + TIFFFieldTag(o), + o->field_name ? o->field_name : "unknown"); + goto bad; } } } diff --git a/src/3rdparty/libtiff/libtiff/tif_lzw.c b/src/3rdparty/libtiff/libtiff/tif_lzw.c index bc8f9c8..186ea3c 100644 --- a/src/3rdparty/libtiff/libtiff/tif_lzw.c +++ b/src/3rdparty/libtiff/libtiff/tif_lzw.c @@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) char *tp; unsigned char *bp; int code, nbits; + int len; long nextbits, nextdata, nbitsmask; code_t *codep, *free_entp, *maxcodep, *oldcodep; @@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) } while (--occ); break; } - assert(occ >= codep->length); - op += codep->length; - occ -= codep->length; - tp = op; + len = codep->length; + tp = op + len; do { - *--tp = codep->value; - } while( (codep = codep->next) != NULL ); + int t; + --tp; + t = codep->value; + codep = codep->next; + *tp = (char)t; + } while (codep && tp > op); + assert(occ >= len); + op += len; + occ -= len; } else { *op++ = (char)code; occ--; diff --git a/src/3rdparty/libtiff/libtiff/tif_write.c b/src/3rdparty/libtiff/libtiff/tif_write.c index 4c216ec..208a2ee 100644 --- a/src/3rdparty/libtiff/libtiff/tif_write.c +++ b/src/3rdparty/libtiff/libtiff/tif_write.c @@ -540,9 +540,11 @@ TIFFSetupStrips(TIFF* tif) if (td->td_planarconfig == PLANARCONFIG_SEPARATE) td->td_stripsperimage /= td->td_samplesperpixel; td->td_stripoffset = (uint64 *) - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), + "for \"StripOffsets\" array"); td->td_stripbytecount = (uint64 *) - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), + "for \"StripByteCounts\" array"); if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) return (0); /* -- cgit v1.2.3