libs/tiff/patches/110-CVE.patch

   1 commit 9991b31a7c651e7b87a3ccd73b3dc5c67dcfdd60
   2 Author: erouault <erouault>
   3 Date:   Sat Dec 3 15:30:31 2016 +0000
   4
   5     * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
   6     limit the return number of inks to SamplesPerPixel, so that code that parses
   7     ink names doesn't go past the end of the buffer.
   8     Reported by Agostino Sarubbo.
   9     Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
  10
  11
  12     Reported by Agostino Sarubbo.
  13
  14 diff --git a/ChangeLog b/ChangeLog
  15 index 0d7b12d..fb9fc0e 100644
  16 --- a/ChangeLog
  17 +++ b/ChangeLog
  18 @@ -1,5 +1,13 @@
  19  2016-12-03 Even Rouault <even.rouault at spatialys.com>
  20
  21 +       * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
  22 +       limit the return number of inks to SamplesPerPixel, so that code that parses
  23 +       ink names doesn't go past the end of the buffer.
  24 +       Reported by Agostino Sarubbo.
  25 +       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
  26 +
  27 +2016-12-03 Even Rouault <even.rouault at spatialys.com>
  28 +
  29         * tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is
  30         missing.
  31         Reported by Agostino Sarubbo.
  32 diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
  33 index ad21655..2574e74 100644
  34 --- a/libtiff/tif_dir.c
  35 +++ b/libtiff/tif_dir.c
  36 @@ -1,4 +1,4 @@
  37 -/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
  38 +/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
  39
  40  /*
  41   * Copyright (c) 1988-1997 Sam Leffler
  42 @@ -854,6 +854,32 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
  43         if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
  44             return 0;
  45
  46 +        if( tag == TIFFTAG_NUMBEROFINKS )
  47 +        {
  48 +            int i;
  49 +            for (i = 0; i < td->td_customValueCount; i++) {
  50 +                uint16 val;
  51 +                TIFFTagValue *tv = td->td_customValues + i;
  52 +                if (tv->info->field_tag != tag)
  53 +                    continue;
  54 +                val = *(uint16 *)tv->value;
  55 +                /* Truncate to SamplesPerPixel, since the */
  56 +                /* setting code for INKNAMES assume that there are SamplesPerPixel */
  57 +                /* inknames. */
  58 +                /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
  59 +                if( val > td->td_samplesperpixel )
  60 +                {
  61 +                    TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
  62 +                                   "Truncating NumberOfInks from %u to %u",
  63 +                                   val, td->td_samplesperpixel);
  64 +                    val = td->td_samplesperpixel;
  65 +                }
  66 +                *va_arg(ap, uint16*) = val;
  67 +                return 1;
  68 +            }
  69 +            return 0;
  70 +        }
  71 +
  72         /*
  73          * We want to force the custom code to be used for custom
  74          * fields even if the tag happens to match a well known