1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
From: bfriesen <bfriesen>
Date: Sat, 24 Sep 2016 23:11:55 +0000
Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
to read floating point images.
* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."
CVE: CVE-2016-3622
Upstream-Status: Backport
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
---
ChangeLog | 11 ++++++++++-
libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
libtiff/tif_predict.c | 11 ++++++++++-
3 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 26d6f47..a628277 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
+ read floating point images.
+
+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+ requirements of floating point predictor (3). Fixes CVE-2016-3622
+ "Divide By Zero in the tiff2rgba tool."
+
2016-08-15 Even Rouault <even.rouault at spatialys.com>
* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 386cee0..3e689ee 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
td->td_bitspersample);
return (0);
}
+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
+ return (0);
+ }
colorchannels = td->td_samplesperpixel - td->td_extrasamples;
if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
switch (colorchannels) {
@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
"Planarconfiguration", td->td_planarconfig);
return (0);
}
- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
- {
- sprintf(emsg,
- "Sorry, can not handle image with %s=%d, %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
- "colorchannels", colorchannels);
- return 0;
- }
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d, %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels);
+ return 0;
+ }
break;
case PHOTOMETRIC_CIELAB:
- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
- {
- sprintf(emsg,
- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
- "colorchannels", colorchannels,
- "Bits/sample", td->td_bitspersample);
- return 0;
- }
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
break;
- default:
+ default:
sprintf(emsg, "Sorry, can not handle image with %s=%d",
photoTag, photometric);
return (0);
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
index 081eb11..555f2f9 100644
--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
td->td_sampleformat);
return 0;
}
+ if (td->td_bitspersample != 16
+ && td->td_bitspersample != 24
+ && td->td_bitspersample != 32
+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Floating point \"Predictor\" not supported with %d-bit samples",
+ td->td_bitspersample);
+ return 0;
+ }
break;
default:
TIFFErrorExt(tif->tif_clientdata, module,
@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
}
/*
* Allocate buffer to keep the decoded bytes before
- * rearranging in the ight order
+ * rearranging in the right order
*/
}
--
2.7.4
|