Merge pull request #4116 from lucize/clamsmtp
[feed/packages.git] / libs / tiff / patches / 121-CVE-2017-7602.patch
1 From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001
2 From: erouault <erouault>
3 Date: Wed, 11 Jan 2017 16:33:34 +0000
4 Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on
5 signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
6 http://bugzilla.maptools.org/show_bug.cgi?id=2650
7
8 ---
9 ChangeLog | 6 ++++++
10 libtiff/tif_read.c | 27 ++++++++++++++++++---------
11 2 files changed, 24 insertions(+), 9 deletions(-)
12
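--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2017-01-11 Even Rouault <even.rouault at spatialys.com>
 
+ * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
+ addition in TIFFReadRawStrip1() in isMapped() case.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
 * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
 undefined behaviour caused by invalid shift exponent.
 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648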
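--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
 return ((tmsize_t)(-1));
 }
 } else {
- tmsize_t ma,mb;
+ tmsize_t ma;
 tmsize_t n;
- ma=(tmsize_t)td->td_stripoffset[strip];
- mb=ma+size;
- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
- n=0;
- else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
- n=tif->tif_size-ma;
- else
- n=size;
+ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
+ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
+ {
+ n=0;
+ }
+ else if( ma > TIFF_TMSIZE_T_MAX - size )
+ {
+ n=0;
+ }
+ else
+ {
+ tmsize_t mb=ma+size;
+ if (mb>tif->tif_size)
+ n=tif->tif_size-ma;
+ else
+ n=size;
+ }
 if (n!=size) {
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 TIFFErrorExt(tif->tif_clientdata, module,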
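Review bot: The new guard `ma > TIFF_TMSIZE_T_MAX - size` is only overflow-free when `size` is non-negative; for a negative `size` the subtraction itself is a signed overflow, the same class of undefined behaviour this patch removes from `ma+size`. Nothing in the hunk shows `size` being validated, so unless a caller outside the hunk guarantees it, the branch should read `else if( size < 0 || ma > TIFF_TMSIZE_T_MAX - size )`. The first condition also assigns `ma` inside the `||`, which leaves it unset when the offset exceeds `TIFF_TMSIZE_T_MAX`; within the hunk that branch only sets `n=0` and does not read `ma`, and a comment such as `/* ma is assigned only when the offset fits in tmsize_t */` would keep a later edit from using it there. TIFFReadRawStrip1 starts and ends outside the hunk, so how `ma` and `n` are used after the error path cannot be checked from here.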