Description Vasyl Kaigorodov
2015-01-26 10:42:03 UTC
Multiple out-of-bounds reads were reported in various libtiff tools:
http://bugzilla.maptools.org/show_bug.cgi?id=2500
http://bugzilla.maptools.org/show_bug.cgi?id=2497
http://bugzilla.maptools.org/show_bug.cgi?id=2496
http://bugzilla.maptools.org/show_bug.cgi?id=2485
http://bugzilla.maptools.org/show_bug.cgi?id=2486
http://bugzilla.maptools.org/show_bug.cgi?id=2484
Above upstream bugs were fixed by the below commits:
2014-12-21 Even Rouault <even.rouault>
* tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not worth the burden for those esoteric utilities. http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
2014-12-21 Even Rouault <even.rouault>
* tools/tiff2bw.c: when Photometric=RGB, the utility only works if SamplesPerPixel = 3. Enforce that. http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
2014-12-21 Even Rouault <even.rouault>
Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
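
Most of the fixes listed above amount to validating header fields from an untrusted file before they are used as sizes or sample indices. The following C sketch is an added illustration of that kind of check, not libtiff code and not part of the original report; `struct img_hdr`, `hdr_check`, `mul_ok` and the `PHOT_*` names are hypothetical, and treating a zero tile dimension as "invalid" is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Photometric values from the TIFF specification; the PHOT_* names are local. */
enum { PHOT_RGB = 2, PHOT_CIELAB = 8, PHOT_LOGLUV = 32845 };

/* Hypothetical holder for header fields already read from an untrusted file. */
struct img_hdr {
    uint32_t width, height;
    uint32_t tile_w, tile_h;      /* only meaningful when tiled != 0 */
    uint16_t bps, spp, photometric;
    int tiled;
};

/* Multiply without wrapping: 0 on success, -1 if a * b exceeds SIZE_MAX. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Returns 0 and the decoded image size in *nbytes, or -1 to reject the file. */
int hdr_check(const struct img_hdr *h, size_t *nbytes)
{
    size_t bits, total;

    if (!h->width || !h->height || !h->bps || !h->spp)
        return -1;
    /* Assumption: a zero tile dimension is what "invalid" means for tiles. */
    if (h->tiled && (!h->tile_w || !h->tile_h))
        return -1;
    /* For a converter that indexes exactly three samples per pixel. */
    if ((h->photometric == PHOT_RGB || h->photometric == PHOT_LOGLUV) && h->spp != 3)
        return -1;
    if (h->photometric == PHOT_CIELAB && (h->spp != 3 || h->bps != 8))
        return -1;
    /* Row and image size in size_t, every step checked for overflow. */
    if (mul_ok(h->width, h->spp, &bits) || mul_ok(bits, h->bps, &bits))
        return -1;
    if (bits > SIZE_MAX - 7 || mul_ok((bits + 7) / 8, h->height, &total))
        return -1;
    *nbytes = total;
    return 0;
}
```
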