# Security fix for multiple issues (CVE-2006-34{59-65}) # # http://securitytracker.com/alerts/2006/Aug/1016628.html # http://bugs.gentoo.org/show_bug.cgi?id=142383 diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c --- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 +++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 @@ -122,6 +122,7 @@ { static const char module[] = "_TIFFVSetField"; + const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); TIFFDirectory* td = &tif->tif_dir; int status = 1; uint32 v32, i, v; @@ -195,10 +196,12 @@ break; case TIFFTAG_ORIENTATION: v = va_arg(ap, uint32); + const TIFFFieldInfo* fip; if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { + fip = _TIFFFieldWithTag(tif, tag); TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "Bad value %lu for \"%s\" tag ignored", - v, _TIFFFieldWithTag(tif, tag)->field_name); + v, fip ? fip->field_name : "Unknown"); } else td->td_orientation = (uint16) v; break; @@ -387,11 +390,15 @@ * happens, for example, when tiffcp is used to convert between * compression schemes and codec-specific tags are blindly copied. */ + /* + * better not dereference fip if it is NULL. + * -- taviso@google.com 15 Jun 2006 + */ if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { TIFFErrorExt(tif->tif_clientdata, module, "%s: Invalid %stag \"%s\" (not supported by codec)", tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", - _TIFFFieldWithTag(tif, tag)->field_name); + fip ? fip->field_name : "Unknown"); status = 0; break; } @@ -468,7 +475,7 @@ if (fip->field_type == TIFF_ASCII) _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); else { - tv->value = _TIFFmalloc(tv_size * tv->count); + tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); if (!tv->value) { status = 0; goto end; 
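Review bot: In the `TIFFTAG_ORIENTATION` case of the tif_dir.c hunk at -195, the added `const TIFFFieldInfo* fip;` shadows the function-level `fip` that the first hunk initialises with `_TIFFFindFieldInfo(tif, tag, TIFF_ANY)`, and it is declared after a statement under a case label. Its scope runs to the end of the enclosing block, which starts and ends outside the hunk, so any later case that names `fip` without its own declaration would see the uninitialised inner pointer. Dropping the inner declaration and the second lookup, and keeping only `v, fip ? fip->field_name : "Unknown");`, avoids both the shadowing and the mid-block declaration.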
@@ -563,7 +570,7 @@ } } if (status) { - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); + TIFFSetFieldBit(tif, fip->field_bit); tif->tif_flags |= TIFF_DIRTYDIRECT; } @@ -572,12 +579,12 @@ return (status); badvalue: TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", - tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); + tif->tif_name, v, fip ? fip->field_name : "Unknown"); va_end(ap); return (0); badvalue32: TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", - tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); + tif->tif_name, v32, fip ? fip->field_name : "Unknown"); va_end(ap); return (0); } @@ -813,12 +820,16 @@ * If the client tries to get a tag that is not valid * for the image's codec then we'll arrive here. */ + /* + * dont dereference fip if it's NULL. + * -- taviso@google.com 15 Jun 2006 + */ if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) { TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", "%s: Invalid %stag \"%s\" (not supported by codec)", tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", - _TIFFFieldWithTag(tif, tag)->field_name); + fip ? fip->field_name : "Unknown"); ret_val = 0; break; } diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c --- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 +++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 @@ -775,7 +775,8 @@ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", "Internal error, unknown tag 0x%x", (unsigned int) tag); - assert(fip != NULL); + /* assert(fip != NULL); */ + /*NOTREACHED*/ } return (fip); 
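Review bot: In the tif_dir.c hunk at -563, `TIFFSetFieldBit(tif, fip->field_bit);` dereferences `fip` with no NULL test, while the other uses this patch touches in the same file are written as `fip ? fip->field_name : "Unknown"`. `fip` now comes from the `_TIFFFindFieldInfo(tif, tag, TIFF_ANY)` lookup added at the top of the function, and whether `status` can still be non-zero when that lookup fails is not visible in the hunk. Making the condition `if (status && fip) {`, or adding a comment that states why `fip` cannot be NULL here, would keep the NULL handling consistent.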
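Review bot: In tif_dirinfo.c at -775 the assert is replaced by `/*NOTREACHED*/`, but that point is now reached: after the error is reported, control falls through to `return (fip);` with `fip` NULL. The marker tells readers and lint tools the opposite of what happens; a comment such as `/* unknown tag: return NULL, callers must check */` documents the new contract. The same applies to the -789 hunk for the lookup by name. Callers outside these hunks that still dereference the result directly are worth auditing, since the assert no longer stops them.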
@@ -789,7 +790,8 @@ if (!fip) { TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", "Internal error, unknown tag %s", field_name); - assert(fip != NULL); + /* assert(fip != NULL); */ + /*NOTREACHED*/ } return (fip); diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c --- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 +++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 @@ -29,6 +29,9 @@ * * Directory Read Support Routines. */ + +#include + #include "tiffiop.h" #define IGNORE 0 /* tag placeholder used below */ @@ -81,6 +84,7 @@ uint16 dircount; toff_t nextdiroff; int diroutoforderwarning = 0; + int compressionknown = 0; toff_t* new_dirlist; tif->tif_diroff = tif->tif_nextdiroff; @@ -147,13 +151,20 @@ } else { toff_t off = tif->tif_diroff; - if (off + sizeof (uint16) > tif->tif_size) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Can not read TIFF directory count", - tif->tif_name); - return (0); + /* + * Check for integer overflow when validating the dir_off, otherwise + * a very high offset may cause an OOB read and crash the client. + * -- taviso@google.com, 14 Jun 2006. + */ + if (off + sizeof (uint16) > tif->tif_size || + off > (UINT_MAX - sizeof(uint16))) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Can not read TIFF directory count", + tif->tif_name); + return (0); } else - _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); + _TIFFmemcpy(&dircount, tif->tif_base + off, + sizeof (uint16)); off += sizeof (uint16); if (tif->tif_flags & TIFF_SWAB) TIFFSwabShort(&dircount); @@ -254,6 +265,7 @@ while (fix < tif->tif_nfields && tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) fix++; + if (fix >= tif->tif_nfields || tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { 
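Review bot: The new guard in the tif_dirread.c hunk at -147 still evaluates `off + sizeof (uint16)` and then covers the wrap case with `off > (UINT_MAX - sizeof(uint16))`, which is only right if `toff_t` has the same width as `unsigned int`. Comparing by subtraction needs no limit macro and cannot wrap: `if (tif->tif_size < sizeof (uint16) || off > tif->tif_size - sizeof (uint16)) {`. The two tif_read.c hunks at -272 and -470 use the same `UINT_MAX` pattern on `td->td_stripoffset[...] + bytecount` and could be rewritten the same way after first rejecting an offset beyond `tif->tif_size`. The declaration of `bytecount` is outside those hunks, so its signedness should be confirmed before the subtraction form is applied there.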
@@ -264,17 +276,23 @@ dp->tdir_tag, dp->tdir_tag, dp->tdir_type); - - TIFFMergeFieldInfo(tif, - _TIFFCreateAnonFieldInfo(tif, - dp->tdir_tag, - (TIFFDataType) dp->tdir_type), - 1 ); + /* + * creating anonymous fields prior to knowing the compression + * algorithm (ie, when the field info has been merged) could cause + * crashes with pathological directories. + * -- taviso@google.com 15 Jun 2006 + */ + if (compressionknown) + TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, + (TIFFDataType) dp->tdir_type), 1 ); + else goto ignore; + fix = 0; while (fix < tif->tif_nfields && tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) fix++; } + /* * Null out old tags that we ignore. */ @@ -326,6 +344,7 @@ dp->tdir_type, dp->tdir_offset); if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) goto bad; + else compressionknown++; break; /* XXX: workaround for broken TIFFs */ } else if (dp->tdir_type == TIFF_LONG) { @@ -540,6 +559,7 @@ * Attempt to deal with a missing StripByteCounts tag. */ if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); /* * Some manufacturers violate the spec by not giving * the size of the strips. In this case, assume there @@ -556,7 +576,7 @@ "%s: TIFF directory is missing required " "\"%s\" field, calculating from imagelength", tif->tif_name, - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); + fip ? fip->field_name : "Unknown"); if (EstimateStripByteCounts(tif, dir, dircount) < 0) goto bad; /* @@ -580,6 +600,7 @@ } else if (td->td_nstrips == 1 && td->td_stripoffset[0] != 0 && BYTECOUNTLOOKSBAD) { + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); /* * XXX: Plexus (and others) sometimes give a value of zero for * a tag when they don't know what the correct value is! Try 
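Review bot: `compressionknown` is set only on the single-value branch in the hunk at -326 (`else compressionknown++;`), so in the hunk at -264 every unknown tag seen before that point is sent to `goto ignore`. A directory in which that branch never runs, for instance one that takes the `else if (dp->tdir_type == TIFF_LONG)` workaround path that continues outside the hunk, or presumably one with no compression entry at all, would silently lose all of its unknown tags. The added comment should state that consequence, and the flag reads more clearly as `compressionknown = 1;` since it is only tested for truth. The `ignore` label and the enclosing case label are outside both hunks.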
@@ -589,13 +610,14 @@ TIFFWarningExt(tif->tif_clientdata, module, "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", tif->tif_name, - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); + fip ? fip->field_name : "Unknown"); if(EstimateStripByteCounts(tif, dir, dircount) < 0) goto bad; } else if (td->td_planarconfig == PLANARCONFIG_CONTIG && td->td_nstrips > 2 && td->td_compression == COMPRESSION_NONE && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); /* * XXX: Some vendors fill StripByteCount array with absolutely * wrong values (it can be equal to StripOffset array, for @@ -604,7 +626,7 @@ TIFFWarningExt(tif->tif_clientdata, module, "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", tif->tif_name, - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); + fip ? fip->field_name : "Unknown"); if (EstimateStripByteCounts(tif, dir, dircount) < 0) goto bad; } @@ -870,7 +892,13 @@ register TIFFDirEntry *dp; register TIFFDirectory *td = &tif->tif_dir; - uint16 i; + + /* i is used to iterate over td->td_nstrips, so must be + * at least the same width. + * -- taviso@google.com 15 Jun 2006 + */ + + uint32 i; if (td->td_stripbytecount) _TIFFfree(td->td_stripbytecount); 
@@ -947,16 +975,18 @@ static int CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) { + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + if (count > dir->tdir_count) { TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, + fip ? fip->field_name : "Unknown", dir->tdir_count, count); return (0); } else if (count < dir->tdir_count) { TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, + fip ? fip->field_name : "Unknown", dir->tdir_count, count); return (1); } @@ -970,6 +1000,7 @@ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) { int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); tsize_t cc = dir->tdir_count * w; /* Check for overflow. */ @@ -1013,7 +1044,7 @@ bad: TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Error fetching data for field \"%s\"", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); + fip ? fip->field_name : "Unknown"); return (tsize_t) 0; } @@ -1039,10 +1070,12 @@ static int cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) { + const TIFFFieldInfo* fip; if (denom == 0) { + fip = _TIFFFieldWithTag(tif, dir->tdir_tag); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "%s: Rational with zero denominator (num = %lu)", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); + fip ? fip->field_name : "Unknown", num); return (0); } else { if (dir->tdir_type == TIFF_RATIONAL) 
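Review bot: In `CheckDirCount` (-947) and `TIFFFetchData` (-970) the lookup `_TIFFFieldWithTag(tif, dir->tdir_tag)` now runs at the top of the function on every call, although `fip` is read only on the warning branches and after `bad:`. Per the tif_dirinfo.c hunk, that function reports "Internal error, unknown tag" through `TIFFErrorExt` when it finds nothing, so a successful call for an unknown tag would emit an error as a side effect. `cvtRational` in the -1039 hunk does the lookup inside the failing branch; doing the same here, e.g. declaring `fip` uninitialised and assigning `fip = _TIFFFieldWithTag(tif, dir->tdir_tag);` right after `bad:`, keeps the success path free of it. The body of `TIFFFetchData` between its two hunks is not shown.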
@@ -1159,6 +1192,20 @@ static int TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) { + /* + * Prevent overflowing the v stack arrays below by performing a sanity + * check on tdir_count, this should never be greater than two. + * -- taviso@google.com 14 Jun 2006. + */ + if (dir->tdir_count > 2) { + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "unexpected count for field \"%s\", %lu, expected 2; ignored.", + fip ? fip->field_name : "Unknown", + dir->tdir_count); + return 0; + } + switch (dir->tdir_type) { case TIFF_BYTE: case TIFF_SBYTE: @@ -1329,14 +1376,15 @@ case TIFF_DOUBLE: return (TIFFFetchDoubleArray(tif, dir, (double*) v)); default: + { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); /* TIFF_NOTYPE */ /* TIFF_ASCII */ /* TIFF_UNDEFINED */ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "cannot read TIFF_ANY type %d for field \"%s\"", dir->tdir_type, - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); - return (0); + fip ? fip->field_name : "Unknown"); + return (0); } } return (1); } @@ -1351,6 +1399,9 @@ int ok = 0; const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + if (fip == NULL) { + return (0); + } if (dp->tdir_count > 1) { /* array of values */ char* cp = NULL; @@ -1493,6 +1544,7 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) { uint16 samples = tif->tif_dir.td_samplesperpixel; + const TIFFFieldInfo* fip; int status = 0; if (CheckDirCount(tif, dir, (uint32) samples)) { @@ -1510,9 +1562,10 @@ for (i = 1; i < check_count; i++) if (v[i] != v[0]) { + fip = _TIFFFieldWithTag(tif, dir->tdir_tag); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Cannot handle different per-sample values for field \"%s\"", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); + fip ? fip->field_name : "Unknown"); goto bad; } *pl = v[0]; 
@@ -1534,6 +1587,7 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) { uint16 samples = tif->tif_dir.td_samplesperpixel; + const TIFFFieldInfo* fip; int status = 0; if (CheckDirCount(tif, dir, (uint32) samples)) { @@ -1551,9 +1605,10 @@ check_count = samples; for (i = 1; i < check_count; i++) if (v[i] != v[0]) { + fip = _TIFFFieldWithTag(tif, dir->tdir_tag); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Cannot handle different per-sample values for field \"%s\"", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); + fip ? fip->field_name : "Unknown"); goto bad; } *pl = v[0]; @@ -1574,6 +1629,7 @@ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) { uint16 samples = tif->tif_dir.td_samplesperpixel; + const TIFFFieldInfo* fip; int status = 0; if (CheckDirCount(tif, dir, (uint32) samples)) { @@ -1591,9 +1647,10 @@ for (i = 1; i < check_count; i++) if (v[i] != v[0]) { + fip = _TIFFFieldWithTag(tif, dir->tdir_tag); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Cannot handle different per-sample values for field \"%s\"", - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); + fip ? fip->field_name : "Unknown"); goto bad; } *pl = v[0]; diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c --- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 +++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 @@ -1136,6 +1136,7 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) { Fax3BaseState* sp = Fax3State(tif); + const TIFFFieldInfo* fip; assert(sp != 0); assert(sp->vsetparent != 0); 
@@ -1181,7 +1182,13 @@ default: return (*sp->vsetparent)(tif, tag, ap); } - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); + + if ((fip = _TIFFFieldWithTag(tif, tag))) { + TIFFSetFieldBit(tif, fip->field_bit); + } else { + return (0); + } + tif->tif_flags |= TIFF_DIRTYDIRECT; return (1); } diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c --- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 +++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 @@ -722,15 +722,31 @@ segment_width = TIFFhowmany(segment_width, sp->h_sampling); segment_height = TIFFhowmany(segment_height, sp->v_sampling); } - if (sp->cinfo.d.image_width != segment_width || - sp->cinfo.d.image_height != segment_height) { + if (sp->cinfo.d.image_width < segment_width || + sp->cinfo.d.image_height < segment_height) { TIFFWarningExt(tif->tif_clientdata, module, "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", segment_width, segment_height, sp->cinfo.d.image_width, sp->cinfo.d.image_height); + } + + if (sp->cinfo.d.image_width > segment_width || + sp->cinfo.d.image_height > segment_height) { + /* + * This case could be dangerous, if the strip or tile size has been + * reported as less than the amount of data jpeg will return, some + * potential security issues arise. Catch this case and error out. + * -- taviso@google.com 14 Jun 2006 + */ + TIFFErrorExt(tif->tif_clientdata, module, + "JPEG strip/tile size exceeds expected dimensions," + "expected %dx%d, got %dx%d", segment_width, segment_height, + sp->cinfo.d.image_width, sp->cinfo.d.image_height); + return (0); } + if (sp->cinfo.d.num_components != (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1)) { 
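Review bot: In the tif_jpeg.c hunk at -722 the two adjacent string literals of the new error message join without a space, so the output reads `dimensions,expected 64x64` (sample values). Starting the second literal with a space fixes it: `" expected %dx%d, got %dx%d", segment_width, segment_height,`. The enclosing function starts and ends outside the hunk.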
@@ -761,6 +777,22 @@ sp->cinfo.d.comp_info[0].v_samp_factor, sp->h_sampling, sp->v_sampling); + /* + * There are potential security issues here for decoders that + * have already allocated buffers based on the expected sampling + * factors. Lets check the sampling factors dont exceed what + * we were expecting. + * -- taviso@google.com 14 June 2006 + */ + if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || + sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { + TIFFErrorExt(tif->tif_clientdata, module, + "Cannot honour JPEG sampling factors that" + " exceed those specified."); + return (0); + } + + /* * XXX: Files written by the Intergraph software * has different sampling factors stored in the @@ -1521,15 +1553,18 @@ { JPEGState *sp = JState(tif); - assert(sp != 0); + /* assert(sp != 0); */ tif->tif_tagmethods.vgetfield = sp->vgetparent; tif->tif_tagmethods.vsetfield = sp->vsetparent; - if( sp->cinfo_initialized ) - TIFFjpeg_destroy(sp); /* release libjpeg resources */ - if (sp->jpegtables) /* tag value */ - _TIFFfree(sp->jpegtables); + if (sp != NULL) { + if( sp->cinfo_initialized ) + TIFFjpeg_destroy(sp); /* release libjpeg resources */ + if (sp->jpegtables) /* tag value */ + _TIFFfree(sp->jpegtables); + } + _TIFFfree(tif->tif_data); /* release local state */ tif->tif_data = NULL; @@ -1541,6 +1576,7 @@ { JPEGState* sp = JState(tif); TIFFDirectory* td = &tif->tif_dir; + const TIFFFieldInfo* fip; uint32 v32; assert(sp != NULL); @@ -1606,7 +1642,13 @@ default: return (*sp->vsetparent)(tif, tag, ap); } - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); + + if ((fip = _TIFFFieldWithTag(tif, tag))) { + TIFFSetFieldBit(tif, fip->field_bit); + } else { + return (0); + } + tif->tif_flags |= TIFF_DIRTYDIRECT; return (1); } 
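Review bot: In the cleanup hunk at -1521 the assert is commented out and an `if (sp != NULL)` guard is added, but the two context lines between them, `tif->tif_tagmethods.vgetfield = sp->vgetparent;` and `tif->tif_tagmethods.vsetfield = sp->vsetparent;`, still dereference `sp` before the guard. A NULL state therefore still faults, now without the assert's diagnostic in debug builds. Moving both assignments inside the `if (sp != NULL) {` block makes the guard effective.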
@@ -1726,7 +1768,11 @@ { JPEGState* sp = JState(tif); - assert(sp != NULL); + /* assert(sp != NULL); */ + if (sp == NULL) { + TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); + return; + } (void) flags; if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c --- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 +++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 @@ -105,11 +105,16 @@ * as codes of the form * until we've filled the scanline. */ + /* + * Ensure the run does not exceed the scanline + * bounds, potentially resulting in a security issue. + * -- taviso@google.com 14 Jun 2006. + */ op = row; for (;;) { grey = (n>>6) & 0x3; n &= 0x3f; - while (n-- > 0) + while (n-- > 0 && npixels < imagewidth) SETPIXEL(op, grey); if (npixels >= (int) imagewidth) break; diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c --- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 +++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 
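Review bot: In the tif_next.c hunk the added bound `npixels < imagewidth` omits the `(int)` cast that the following line uses in `npixels >= (int) imagewidth`, so the two tests on the same pair of variables may compare with different signedness (both declarations are outside the hunk). Writing `while (n-- > 0 && npixels < (int) imagewidth)` keeps them consistent. The added comment would also sit better directly above the `while` it explains rather than above `op = row;`.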
@@ -768,7 +768,19 @@ if (tif->tif_flags & TIFF_SWAB) TIFFSwabArrayOfShort(up, nsamples); - for (i = 0; i < nsamples; i += llen, up += llen) { + /* + * if llen is not an exact multiple of nsamples, the decode operation + * may overflow the output buffer, so truncate it enough to prevent that + * but still salvage as much data as possible. + * -- taviso@google.com 14th June 2006 + */ + if (nsamples % llen) + TIFFWarningExt(tif->tif_clientdata, module, + "%s: stride %lu is not a multiple of sample count, " + "%lu, data truncated.", tif->tif_name, llen, nsamples); + + + for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { switch (sp->user_datafmt) { case PIXARLOGDATAFMT_FLOAT: horizontalAccumulateF(up, llen, sp->stride, diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c --- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 +++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 @@ -31,6 +31,8 @@ #include "tiffiop.h" #include +#include + int TIFFFillStrip(TIFF*, tstrip_t); int TIFFFillTile(TIFF*, ttile_t); static int TIFFStartStrip(TIFF*, tstrip_t); @@ -272,7 +274,13 @@ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) _TIFFfree(tif->tif_rawdata); tif->tif_flags &= ~TIFF_MYBUFFER; - if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { + /* + * This sanity check could potentially overflow, causing an OOB read. + * verify that offset + bytecount is > offset. + * -- taviso@google.com 14 Jun 2006 + */ + if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || + bytecount > (UINT_MAX - td->td_stripoffset[strip])) { /* * This error message might seem strange, but it's * what would happen if a read were done instead. 
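Review bot: In the tif_pixarlog.c hunk the added comment and warning describe the test backwards: the code checks `nsamples % llen`, i.e. whether the sample count is a multiple of `llen`, while the text says the stride is not a multiple of the sample count. `llen` is computed outside the hunk; if it can be zero for a malformed image, `nsamples % llen` divides by zero, so a check that `llen` is positive should come before the modulo. A wording such as `"%s: sample count %lu is not a multiple of stride %lu, data truncated."` with the arguments given as `nsamples, llen` matches the code, and the `%lu` conversions need the argument types confirmed against their declarations.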
@@ -470,7 +478,13 @@ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) _TIFFfree(tif->tif_rawdata); tif->tif_flags &= ~TIFF_MYBUFFER; - if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { + /* + * We must check this calculation doesnt overflow, potentially + * causing an OOB read. + * -- taviso@google.com 15 Jun 2006 + */ + if (td->td_stripoffset[tile] + bytecount > tif->tif_size || + bytecount > (UINT_MAX - td->td_stripoffset[tile])) { tif->tif_curtile = NOTILE; return (0); }