From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001 From: erouault Date: Mon, 15 Aug 2016 20:49:48 +0000 Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode if more input samples are provided than expected by PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and simpler check. (bugzilla #2544) invalid tests that rejected valid files. (bugzilla #2545) CVE: CVE-2016-3990 Upstream-Status: Backport https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Signed-off-by: Yi Zhao --- ChangeLog | 10 +++++++++- libtiff/tif_pixarlog.c | 7 +++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 9c0ab29..db4ea18 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,18 @@ 2016-08-15 Even Rouault + * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode + if more input samples are provided than expected by PixarLogSetupEncode. + Idea based on libtiff-CVE-2016-3990.patch from + libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and + simpler check. (bugzilla #2544) + +2016-08-15 Even Rouault + * tools/tiff2rgba.c: Fix integer overflow in size of allocated buffer, when -b mode is enabled, that could result in out-of-bounds write. Based initially on patch tiff-CVE-2016-3945.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for - invalid tests that rejected valid files. + invalid tests that rejected valid files. (bugzilla #2545) 2016-07-11 Even Rouault diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index e78f788..28329d1 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c 
@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) } llen = sp->stride * td->td_imagewidth; + /* Check against the number of elements (of size uint16) of sp->tbuf */ + if( n > td->td_rowsperstrip * llen ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Too many input bytes provided"); + return 0; + } for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { switch (sp->user_datafmt) { -- 2.7.4
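Review bot: In the ChangeLog hunk, the last changed line appends "(bugzilla #2545)" to the existing tools/tiff2rgba.c entry, which is a separate fix from the PixarLogEncode change this patch is about. The same fragment ("invalid tests that rejected valid files. (bugzilla #2545)") also appears in the commit message directly after "(bugzilla #2544)", where it reads as part of the PixarLogEncode description. Suggest keeping the tiff2rgba.c ChangeLog annotation out of this backport, or at least removing the stray fragment from the message, so that the CVE-2016-3990 tag is tied only to bugzilla #2544.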
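Review bot: In the PixarLogEncode hunk, the new guard `if( n > td->td_rowsperstrip * llen )` multiplies two values with no overflow protection, and `llen` is itself the product `sp->stride * td->td_imagewidth` from the context line above. If that arithmetic is done in a type narrower than `n`, a large image width or rows-per-strip value could wrap the bound and let an oversized `n` pass the check. Suggest computing the limit in the widest type involved, or with an overflow-checked multiply, before comparing. Two smaller points: the comment describes the bound as a number of uint16 elements of `sp->tbuf`, but the error text says "Too many input bytes provided", so "input samples" would match what is actually compared; and since the bound has to mirror how `sp->tbuf` is sized, which is not visible in this hunk, the comment should name where that allocation happens (the commit message points at PixarLogSetupEncode) so the two stay in sync.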