libs/tiff/patches/002-CVE-2015-8665_and_CVE-2015-8683.patch

   1 From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001
   2 From: erouault <erouault>
   3 Date: Sat, 26 Dec 2015 17:32:03 +0000
   4 Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
   5  TIFFRGBAImage interface in case of unsupported values of
   6  SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
   7  TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
   8  limingxing and CVE-2015-8683 reported by zzf of Alibaba.
   9
  10 ---
  11  ChangeLog              |  8 ++++++++
  12  libtiff/tif_getimage.c | 37 +++++++++++++++++++++++--------------
  13  2 files changed, 31 insertions(+), 14 deletions(-)
  14
  15 diff --git a/ChangeLog b/ChangeLog
  16 index a7d283a..4beb30b 100644
  17 --- a/ChangeLog
  18 +++ b/ChangeLog
  19 @@ -1,3 +1,11 @@
  20 +2015-12-26  Even Rouault <even.rouault at spatialys.com>
  21 +
  22 +       * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
  23 +       interface in case of unsupported values of SamplesPerPixel/ExtraSamples
  24 +       for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
  25 +       TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
  26 +       CVE-2015-8683 reported by zzf of Alibaba.
  27 +
  28  2015-09-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
  29
  30         * libtiff 4.0.6 released.
  31 diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
  32 index fd0a4f9..fae1e31 100644
  33 --- a/libtiff/tif_getimage.c
  34 +++ b/libtiff/tif_getimage.c
  35 @@ -1,4 +1,4 @@
  36 -/* $Id: tif_getimage.c,v 1.90 2015-06-17 01:34:08 bfriesen Exp $ */
  37 +/* $Id: tif_getimage.c,v 1.94 2015-12-26 17:32:03 erouault Exp $ */
  38
  39  /*
  40   * Copyright (c) 1991-1997 Sam Leffler
  41 @@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
  42                                     "Planarconfiguration", td->td_planarconfig);
  43                                 return (0);
  44                         }
  45 -                       if( td->td_samplesperpixel != 3 )
  46 +                       if( td->td_samplesperpixel != 3 || colorchannels != 3 )
  47              {
  48                  sprintf(emsg,
  49 -                        "Sorry, can not handle image with %s=%d",
  50 -                        "Samples/pixel", td->td_samplesperpixel);
  51 +                        "Sorry, can not handle image with %s=%d, %s=%d",
  52 +                        "Samples/pixel", td->td_samplesperpixel,
  53 +                        "colorchannels", colorchannels);
  54                  return 0;
  55              }
  56                         break;
  57                 case PHOTOMETRIC_CIELAB:
  58 -            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
  59 +            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
  60              {
  61                  sprintf(emsg,
  62 -                        "Sorry, can not handle image with %s=%d and %s=%d",
  63 +                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
  64                          "Samples/pixel", td->td_samplesperpixel,
  65 +                        "colorchannels", colorchannels,
  66                          "Bits/sample", td->td_bitspersample);
  67                  return 0;
  68              }
  69 @@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
  70         int colorchannels;
  71         uint16 *red_orig, *green_orig, *blue_orig;
  72         int n_color;
  73 +
  74 +       if( !TIFFRGBAImageOK(tif, emsg) )
  75 +               return 0;
  76
  77         /* Initialize to normal values */
  78         img->row_offset = 0;
  79 @@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
  80                 case PHOTOMETRIC_RGB:
  81                         switch (img->bitspersample) {
  82                                 case 8:
  83 -                                       if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
  84 +                                       if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
  85 +                                               img->samplesperpixel >= 4)
  86                                                 img->put.contig = putRGBAAcontig8bittile;
  87 -                                       else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
  88 +                                       else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
  89 +                                                        img->samplesperpixel >= 4)
  90                                         {
  91                                                 if (BuildMapUaToAa(img))
  92                                                         img->put.contig = putRGBUAcontig8bittile;
  93                                         }
  94 -                                       else
  95 +                                       else if( img->samplesperpixel >= 3 )
  96                                                 img->put.contig = putRGBcontig8bittile;
  97                                         break;
  98                                 case 16:
  99 -                                       if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
 100 +                                       if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
 101 +                                               img->samplesperpixel >=4 )
 102                                         {
 103                                                 if (BuildMapBitdepth16To8(img))
 104                                                         img->put.contig = putRGBAAcontig16bittile;
 105                                         }
 106 -                                       else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
 107 +                                       else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
 108 +                                                        img->samplesperpixel >=4 )
 109                                         {
 110                                                 if (BuildMapBitdepth16To8(img) &&
 111                                                     BuildMapUaToAa(img))
 112                                                         img->put.contig = putRGBUAcontig16bittile;
 113                                         }
 114 -                                       else
 115 +                                       else if( img->samplesperpixel >=3 )
 116                                         {
 117                                                 if (BuildMapBitdepth16To8(img))
 118                                                         img->put.contig = putRGBcontig16bittile;
 119 @@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
 120                         }
 121                         break;
 122                 case PHOTOMETRIC_SEPARATED:
 123 -                       if (buildMap(img)) {
 124 +                       if (img->samplesperpixel >=4 && buildMap(img)) {
 125                                 if (img->bitspersample == 8) {
 126                                         if (!img->Map)
 127                                                 img->put.contig = putRGBcontig8bitCMYKtile;
 128 @@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
 129                         }
 130                         break;
 131                 case PHOTOMETRIC_CIELAB:
 132 -                       if (buildMap(img)) {
 133 +                       if (img->samplesperpixel == 3 && buildMap(img)) {
 134                                 if (img->bitspersample == 8)
 135                                         img->put.contig = initCIELabConversion(img);
 136                                 break;