Red Hat Bugzilla – Attachment 578149 Details for
Bug 810551
CVE-2012-2113 libtiff: integer overflow in tiff2pdf leading to heap-buffer overflow when reading a tiled tiff file
[patch]
patch for lack of overflow checking in tiff2pdf (3.9)
libtiff-tiff2pdf.patch (text/plain), 8.96 KB, created by
Tom Lane
on 2012-04-17 20:52:01 UTC
Description:
patch for lack of overflow checking in tiff2pdf (3.9)
Filename:
MIME Type:
Creator:
Tom Lane
Created:
2012-04-17 20:52:01 UTC
Size:
8.96 KB
patch
obsolete
>mv Index: tools/tiff2pdf.c
>===================================================================
>RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
>retrieving revision 1.37.2.19
>diff -c -r1.37.2.19 tiff2pdf.c
>*** tools/tiff2pdf.c 13 Dec 2010 05:41:11 -0000 1.37.2.19
>--- tools/tiff2pdf.c 17 Apr 2012 20:15:03 -0000
>***************
>*** 431,436 ****
>--- 431,464 ----
> (void) handle, (void) data, (void) offset;
> }
>
>+ static uint64
>+ checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p)
>+ {
>+ uint64 bytes = summand1 + summand2;
>+
>+ if (bytes - summand1 != summand2) {
>+ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
>+ t2p->t2p_error = T2P_ERR_ERROR;
>+ bytes = 0;
>+ }
>+
>+ return bytes;
>+ }
>+
>+ static uint64
>+ checkMultiply64(uint64 first, uint64 second, T2P* t2p)
>+ {
>+ uint64 bytes = first * second;
>+
>+ if (second && bytes / second != first) {
>+ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
>+ t2p->t2p_error = T2P_ERR_ERROR;
>+ bytes = 0;
>+ }
>+
>+ return bytes;
>+ }
>+
> /*
>
> This is the main function.
>***************
>*** 1773,1781 ****
> tstrip_t i=0;
> tstrip_t stripcount=0;
> #endif
>! #ifdef OJPEG_SUPPORT
>! tsize_t k = 0;
>! #endif
>
> if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
> #ifdef CCITT_SUPPORT
>--- 1801,1807 ----
> tstrip_t i=0;
> tstrip_t stripcount=0;
> #endif
>! uint64 k = 0;
>
> if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
> #ifdef CCITT_SUPPORT
>***************
>*** 1803,1821 ****
> }
> stripcount=TIFFNumberOfStrips(input);
> for(i=0;i<stripcount;i++){
>!
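Review bot: The overflow test in `checkAdd64` (hunk at 431) can never be true: `uint64` addition wraps modulo 2^64, so `bytes - summand1` always equals `summand2` and the `TIFFError` branch is dead code. A wrapped sum is detectable by comparing it with one operand, `if (bytes < summand1) {`. As written, the additions routed through this helper are protected only by the later `(uint64) t2p->tiff_datasize != k` round-trip checks, which catch truncation to `tsize_t` but not a 64-bit wrap. `checkMultiply64` divides back and does detect overflow.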
k += sbc[i];
> }
> if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){
> if(t2p->tiff_dataoffset != 0){
> if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){
> if(t2p->tiff_datasize < k) {
>- t2p->pdf_ojpegiflength=t2p->tiff_datasize;
>- t2p->tiff_datasize+=k;
>- t2p->tiff_datasize+=6;
>- t2p->tiff_datasize+=2*stripcount;
> TIFFWarning(TIFF2PDF_MODULE,
> "Input file %s has short JPEG interchange file byte count",
> TIFFFileName(input));
> return;
> }
> return;
>--- 1829,1853 ----
> }
> stripcount=TIFFNumberOfStrips(input);
> for(i=0;i<stripcount;i++){
>! k = checkAdd64(k, sbc[i], t2p);
> }
> if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){
> if(t2p->tiff_dataoffset != 0){
> if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){
> if(t2p->tiff_datasize < k) {
> TIFFWarning(TIFF2PDF_MODULE,
> "Input file %s has short JPEG interchange file byte count",
> TIFFFileName(input));
>+ t2p->pdf_ojpegiflength=t2p->tiff_datasize;
>+ k = checkAdd64(k, t2p->tiff_datasize, t2p);
>+ k = checkAdd64(k, 6, t2p);
>+ k = checkAdd64(k, stripcount, t2p);
>+ k = checkAdd64(k, stripcount, t2p);
>+ t2p->tiff_datasize = (tsize_t) k;
>+ if ((uint64) t2p->tiff_datasize != k) {
>+ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
>+ t2p->t2p_error = T2P_ERR_ERROR;
>+ }
> return;
> }
> return;
>***************
>*** 1828,1836 ****
> }
> }
> }
>! t2p->tiff_datasize+=k;
>! t2p->tiff_datasize+=2*stripcount;
>! t2p->tiff_datasize+=2048;
> return;
> }
> #endif
>--- 1860,1873 ----
> }
> }
> }
>! k = checkAdd64(k, stripcount, t2p);
>! k = checkAdd64(k, stripcount, t2p);
>! k = checkAdd64(k, 2048, t2p);
>! t2p->tiff_datasize = (tsize_t) k;
>! if ((uint64) t2p->tiff_datasize != k) {
>! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
>! t2p->t2p_error = T2P_ERR_ERROR;
>!
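Review bot: The narrowing sequence that starts at `t2p->tiff_datasize = (tsize_t) k;` in the short-byte-count branch of hunk 1803 is repeated verbatim six times in this patch (once here, once in hunk 1828, twice in hunk 1854 and twice in hunk 1909), so one copy can easily drift from the others. A small static helper next to `checkAdd64` would keep them identical. The round-trip comparison also accepts a `k` that converts to a negative `tsize_t` and sign-extends back to the same value, so if `tsize_t` is signed (its definition is not in this diff) the helper should reject `t2p->tiff_datasize < 0` as well. The enclosing function begins and ends outside the hunk.

```c
/* proposed helper; the name is illustrative */
static void
t2p_set_datasize(T2P* t2p, uint64 k)
{
	t2p->tiff_datasize = (tsize_t) k;
	if (t2p->tiff_datasize < 0 || (uint64) t2p->tiff_datasize != k) {
		TIFFError(TIFF2PDF_MODULE, "Integer overflow");
		t2p->t2p_error = T2P_ERR_ERROR;
	}
}

/* ... unchanged: checkAdd64 calls in the short-byte-count branch ... */
t2p_set_datasize(t2p, k);
return;
```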
}
> return;
> }
> #endif
>***************
>*** 1839,1849 ****
> uint32 count = 0;
> if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
> if(count > 4){
>! t2p->tiff_datasize += count;
>! t2p->tiff_datasize -= 2; /* don't use EOI of header */
> }
> } else {
>! t2p->tiff_datasize = 2; /* SOI for first strip */
> }
> stripcount=TIFFNumberOfStrips(input);
> if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
>--- 1876,1886 ----
> uint32 count = 0;
> if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
> if(count > 4){
>! k += count;
>! k -= 2; /* don't use EOI of header */
> }
> } else {
>! k = 2; /* SOI for first strip */
> }
> stripcount=TIFFNumberOfStrips(input);
> if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
>***************
>*** 1854,1871 ****
> return;
> }
> for(i=0;i<stripcount;i++){
>! t2p->tiff_datasize += sbc[i];
>! t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */
> }
>- t2p->tiff_datasize +=2; /* use EOI of last strip */
> return;
> }
> #endif
> (void) 0;
> }
>! t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length;
> if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
>! t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
> }
>
> return;
>--- 1891,1923 ----
> return;
> }
> for(i=0;i<stripcount;i++){
>! k = checkAdd64(k, sbc[i], t2p);
>! k -=4; /* don't use SOI or EOI of strip */
>! }
>! k = checkAdd64(k, 2, t2p); /* use EOI of last strip */
>! t2p->tiff_datasize = (tsize_t) k;
>! if ((uint64) t2p->tiff_datasize != k) {
>! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
>! t2p->t2p_error = T2P_ERR_ERROR;
> }
> return;
> }
> #endif
> (void) 0;
> }
>! k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
> if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
>! k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
>! }
>! if (k == 0) {
>! /* Assume we had overflow inside TIFFScanlineSize */
>! t2p->t2p_error = T2P_ERR_ERROR;
>! }
>!
>! t2p->tiff_datasize = (tsize_t) k;
>!
if ((uint64) t2p->tiff_datasize != k) {
>! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
>! t2p->t2p_error = T2P_ERR_ERROR;
> }
>
> return;
>***************
>*** 1883,1888 ****
>--- 1935,1941 ----
> #ifdef JPEG_SUPPORT
> unsigned char* jpt;
> #endif
>+ uint64 k;
>
> edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
> edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
>***************
>*** 1894,1907 ****
> #endif
> ){
> t2p->tiff_datasize=TIFFTileSize(input);
> return;
> } else {
> TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);
>! t2p->tiff_datasize=tbc[tile];
> #ifdef OJPEG_SUPPORT
> if(t2p->tiff_compression==COMPRESSION_OJPEG){
>! t2p->tiff_datasize+=2048;
>! return;
> }
> #endif
> #ifdef JPEG_SUPPORT
>--- 1947,1963 ----
> #endif
> ){
> t2p->tiff_datasize=TIFFTileSize(input);
>+ if (t2p->tiff_datasize == 0) {
>+ /* Assume we had overflow inside TIFFTileSize */
>+ t2p->t2p_error = T2P_ERR_ERROR;
>+ }
> return;
> } else {
> TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);
>! k=tbc[tile];
> #ifdef OJPEG_SUPPORT
> if(t2p->tiff_compression==COMPRESSION_OJPEG){
>! k = checkAdd64(k, 2048, t2p);
> }
> #endif
> #ifdef JPEG_SUPPORT
>***************
>*** 1909,1926 ****
> uint32 count = 0;
> if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
> if(count > 4){
>! t2p->tiff_datasize += count;
>! t2p->tiff_datasize -= 2; /* don't use EOI of header or SOI of tile */
> }
> }
> }
> #endif
> return;
> }
> }
>! t2p->tiff_datasize=TIFFTileSize(input);
> if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
>! t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
> }
>
> return;
>--- 1965,1997 ----
> uint32 count = 0;
> if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
> if(count > 4){
>! k = checkAdd64(k, count, t2p);
>!
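Review bot: `k -=4;` inside the strip loop of the JPEG branch (hunk 1854) is an unchecked unsigned subtraction: now that `k` is a `uint64`, byte counts small enough to leave `k` below 4 wrap it to a value near 2^64 instead of going negative. The narrowing check that follows can still pass for such a value when `tsize_t` is signed, because the wrapped value converts to a small negative number that sign-extends back to `k`. Guarding the subtraction with `if (k < 4) { TIFFError(TIFF2PDF_MODULE, "Integer overflow"); t2p->t2p_error = T2P_ERR_ERROR; return; }` before `k -=4;` rejects the malformed byte counts explicitly. The function body starts outside this hunk.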
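Review bot: `k=tbc[tile];` in hunk 1894 indexes `tbc` although the return value of `TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc)` on the preceding context line is ignored, so a file without that tag would leave `tbc` unset before it is read (assuming it is not initialised in the part of the function outside the hunk). The strip path in hunk 1839 does test its `TIFFTAG_STRIPBYTECOUNTS` lookup with `if(!TIFFGetField(...))`; the tile path should do the same and set `t2p->t2p_error = T2P_ERR_ERROR;` before returning. The lookup predates this patch, but the value read here becomes the `tiff_datasize` that the patch is trying to make trustworthy.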
k -= 2; /* don't use EOI of header or SOI of tile */
> }
> }
> }
> #endif
>+ t2p->tiff_datasize = (tsize_t) k;
>+ if ((uint64) t2p->tiff_datasize != k) {
>+ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
>+ t2p->t2p_error = T2P_ERR_ERROR;
>+ }
> return;
> }
> }
>! k = TIFFTileSize(input);
> if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
>! k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
>! }
>! if (k == 0) {
>! /* Assume we had overflow inside TIFFTileSize */
>! t2p->t2p_error = T2P_ERR_ERROR;
>! }
>!
>! t2p->tiff_datasize = (tsize_t) k;
>! if ((uint64) t2p->tiff_datasize != k) {
>! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
>! t2p->t2p_error = T2P_ERR_ERROR;
> }
>
> return;
>***************
>*** 2013,2018 ****
>--- 2084,2093 ----
> uint32 max_striplength=0;
> #endif
>
>+ /* Fail if prior error (in particular, can't trust tiff_datasize) */
>+ if (t2p->t2p_error != T2P_ERR_OK)
>+ return(0);
>+
> if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
> #ifdef CCITT_SUPPORT
> if(t2p->pdf_compression == T2P_COMPRESS_G4){
>***************
>*** 2586,2591 ****
>--- 2661,2670 ----
> uint32 xuint32=0;
> #endif
>
>+ /* Fail if prior error (in particular, can't trust tiff_datasize) */
>+ if (t2p->t2p_error != T2P_ERR_OK)
>+ return(0);
>+
> edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
> edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
>
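Review bot: The `if (k == 0)` branch after `k = TIFFTileSize(input);` in hunk 1909 sets `t2p->t2p_error` without calling `TIFFError`, unlike the other failure paths this patch adds, so a zero size from any cause makes tiff2pdf fail with no diagnostic of its own. The same silent pattern appears in the `t2p->tiff_datasize == 0` test of hunk 1894 and the `TIFFScanlineSize` path of hunk 1854. Consider adding `TIFFError(TIFF2PDF_MODULE, "Zero or overflowed data size in %s", TIFFFileName(input));` in each branch. The library call may already have reported an overflow, but that is not visible in this diff, and the comment itself says the cause is only assumed.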
Attachments on
bug 810551
:
576121
|
578148
| 578149