[packages] libtiff: fix multiple buffer overflows (patches from Debian)
[openwrt/svn-archive/archive.git] / libs / tiff / patches / 901-cve-2006-3459-3465.patch
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
3
4 --- a/libtiff/tif_dir.c
5 +++ b/libtiff/tif_dir.c
6 @@ -122,6 +122,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
7 {
8 static const char module[] = "_TIFFVSetField";
9
10 + const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
11 TIFFDirectory* td = &tif->tif_dir;
12 int status = 1;
13 uint32 v32, i, v;
14 @@ -195,10 +196,12 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
15 break;
16 case TIFFTAG_ORIENTATION:
17 v = va_arg(ap, uint32);
18 + const TIFFFieldInfo* fip;
19 if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
20 + fip = _TIFFFieldWithTag(tif, tag);
21 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
22 "Bad value %lu for \"%s\" tag ignored",
23 - v, _TIFFFieldWithTag(tif, tag)->field_name);
24 + v, fip ? fip->field_name : "Unknown");
25 } else
26 td->td_orientation = (uint16) v;
27 break;
28 @@ -387,11 +390,15 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
29 * happens, for example, when tiffcp is used to convert between
30 * compression schemes and codec-specific tags are blindly copied.
31 */
32 + /*
33 + * better not dereference fip if it is NULL.
34 + * -- taviso@google.com 15 Jun 2006
35 + */
36 if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
37 TIFFErrorExt(tif->tif_clientdata, module,
38 "%s: Invalid %stag \"%s\" (not supported by codec)",
39 tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
40 - _TIFFFieldWithTag(tif, tag)->field_name);
41 + fip ? fip->field_name : "Unknown");
42 status = 0;
43 break;
44 }
45 @@ -468,7 +475,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
46 if (fip->field_type == TIFF_ASCII)
47 _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
48 else {
49 - tv->value = _TIFFmalloc(tv_size * tv->count);
50 + tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
51 if (!tv->value) {
52 status = 0;
53 goto end;
54 @@ -563,7 +570,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
55 }
56 }
57 if (status) {
58 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
59 + TIFFSetFieldBit(tif, fip->field_bit);
60 tif->tif_flags |= TIFF_DIRTYDIRECT;
61 }
62
63 @@ -572,12 +579,12 @@ end:
64 return (status);
65 badvalue:
66 TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
67 - tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
68 + tif->tif_name, v, fip ? fip->field_name : "Unknown");
69 va_end(ap);
70 return (0);
71 badvalue32:
72 TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
73 - tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
74 + tif->tif_name, v32, fip ? fip->field_name : "Unknown");
75 va_end(ap);
76 return (0);
77 }
78 @@ -813,12 +820,16 @@ _TIFFVGetField(TIFF* tif, ttag_t tag, va
79 * If the client tries to get a tag that is not valid
80 * for the image's codec then we'll arrive here.
81 */
82 + /*
83 + * dont dereference fip if it's NULL.
84 + * -- taviso@google.com 15 Jun 2006
85 + */
86 if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
87 {
88 TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
89 "%s: Invalid %stag \"%s\" (not supported by codec)",
90 tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
91 - _TIFFFieldWithTag(tif, tag)->field_name);
92 + fip ? fip->field_name : "Unknown");
93 ret_val = 0;
94 break;
95 }
96 --- a/libtiff/tif_dirinfo.c
97 +++ b/libtiff/tif_dirinfo.c
98 @@ -775,7 +775,8 @@ _TIFFFieldWithTag(TIFF* tif, ttag_t tag)
99 TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
100 "Internal error, unknown tag 0x%x",
101 (unsigned int) tag);
102 - assert(fip != NULL);
103 + /* assert(fip != NULL); */
104 +
105 /*NOTREACHED*/
106 }
107 return (fip);
108 @@ -789,7 +790,8 @@ _TIFFFieldWithName(TIFF* tif, const char
109 if (!fip) {
110 TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
111 "Internal error, unknown tag %s", field_name);
112 - assert(fip != NULL);
113 + /* assert(fip != NULL); */
114 +
115 /*NOTREACHED*/
116 }
117 return (fip);
118 --- a/libtiff/tif_dirread.c
119 +++ b/libtiff/tif_dirread.c
120 @@ -29,6 +29,9 @@
121 *
122 * Directory Read Support Routines.
123 */
124 +
125 +#include <limits.h>
126 +
127 #include "tiffiop.h"
128
129 #define IGNORE 0 /* tag placeholder used below */
130 @@ -81,6 +84,7 @@ TIFFReadDirectory(TIFF* tif)
131 uint16 dircount;
132 toff_t nextdiroff;
133 int diroutoforderwarning = 0;
134 + int compressionknown = 0;
135 toff_t* new_dirlist;
136
137 tif->tif_diroff = tif->tif_nextdiroff;
138 @@ -147,13 +151,20 @@ TIFFReadDirectory(TIFF* tif)
139 } else {
140 toff_t off = tif->tif_diroff;
141
142 - if (off + sizeof (uint16) > tif->tif_size) {
143 - TIFFErrorExt(tif->tif_clientdata, module,
144 - "%s: Can not read TIFF directory count",
145 - tif->tif_name);
146 - return (0);
147 + /*
148 + * Check for integer overflow when validating the dir_off, otherwise
149 + * a very high offset may cause an OOB read and crash the client.
150 + * -- taviso@google.com, 14 Jun 2006.
151 + */
152 + if (off + sizeof (uint16) > tif->tif_size ||
153 + off > (UINT_MAX - sizeof(uint16))) {
154 + TIFFErrorExt(tif->tif_clientdata, module,
155 + "%s: Can not read TIFF directory count",
156 + tif->tif_name);
157 + return (0);
158 } else
159 - _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
160 + _TIFFmemcpy(&dircount, tif->tif_base + off,
161 + sizeof (uint16));
162 off += sizeof (uint16);
163 if (tif->tif_flags & TIFF_SWAB)
164 TIFFSwabShort(&dircount);
165 @@ -254,6 +265,7 @@ TIFFReadDirectory(TIFF* tif)
166 while (fix < tif->tif_nfields &&
167 tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
168 fix++;
169 +
170 if (fix >= tif->tif_nfields ||
171 tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
172
173 @@ -264,17 +276,23 @@ TIFFReadDirectory(TIFF* tif)
174 dp->tdir_tag,
175 dp->tdir_tag,
176 dp->tdir_type);
177 -
178 - TIFFMergeFieldInfo(tif,
179 - _TIFFCreateAnonFieldInfo(tif,
180 - dp->tdir_tag,
181 - (TIFFDataType) dp->tdir_type),
182 - 1 );
183 + /*
184 + * creating anonymous fields prior to knowing the compression
185 + * algorithm (ie, when the field info has been merged) could cause
186 + * crashes with pathological directories.
187 + * -- taviso@google.com 15 Jun 2006
188 + */
189 + if (compressionknown)
190 + TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
191 + (TIFFDataType) dp->tdir_type), 1 );
192 + else goto ignore;
193 +
194 fix = 0;
195 while (fix < tif->tif_nfields &&
196 tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
197 fix++;
198 }
199 +
200 /*
201 * Null out old tags that we ignore.
202 */
203 @@ -326,6 +344,7 @@ TIFFReadDirectory(TIFF* tif)
204 dp->tdir_type, dp->tdir_offset);
205 if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
206 goto bad;
207 + else compressionknown++;
208 break;
209 /* XXX: workaround for broken TIFFs */
210 } else if (dp->tdir_type == TIFF_LONG) {
211 @@ -540,6 +559,7 @@ TIFFReadDirectory(TIFF* tif)
212 * Attempt to deal with a missing StripByteCounts tag.
213 */
214 if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
215 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
216 /*
217 * Some manufacturers violate the spec by not giving
218 * the size of the strips. In this case, assume there
219 @@ -556,7 +576,7 @@ TIFFReadDirectory(TIFF* tif)
220 "%s: TIFF directory is missing required "
221 "\"%s\" field, calculating from imagelength",
222 tif->tif_name,
223 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
224 + fip ? fip->field_name : "Unknown");
225 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
226 goto bad;
227 /*
228 @@ -580,6 +600,7 @@ TIFFReadDirectory(TIFF* tif)
229 } else if (td->td_nstrips == 1
230 && td->td_stripoffset[0] != 0
231 && BYTECOUNTLOOKSBAD) {
232 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
233 /*
234 * XXX: Plexus (and others) sometimes give a value of zero for
235 * a tag when they don't know what the correct value is! Try
236 @@ -589,13 +610,14 @@ TIFFReadDirectory(TIFF* tif)
237 TIFFWarningExt(tif->tif_clientdata, module,
238 "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
239 tif->tif_name,
240 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
241 + fip ? fip->field_name : "Unknown");
242 if(EstimateStripByteCounts(tif, dir, dircount) < 0)
243 goto bad;
244 } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
245 && td->td_nstrips > 2
246 && td->td_compression == COMPRESSION_NONE
247 && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
248 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
249 /*
250 * XXX: Some vendors fill StripByteCount array with absolutely
251 * wrong values (it can be equal to StripOffset array, for
252 @@ -604,7 +626,7 @@ TIFFReadDirectory(TIFF* tif)
253 TIFFWarningExt(tif->tif_clientdata, module,
254 "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
255 tif->tif_name,
256 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
257 + fip ? fip->field_name : "Unknown");
258 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
259 goto bad;
260 }
261 @@ -870,7 +892,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
262
263 register TIFFDirEntry *dp;
264 register TIFFDirectory *td = &tif->tif_dir;
265 - uint16 i;
266 +
267 + /* i is used to iterate over td->td_nstrips, so must be
268 + * at least the same width.
269 + * -- taviso@google.com 15 Jun 2006
270 + */
271 +
272 + uint32 i;
273
274 if (td->td_stripbytecount)
275 _TIFFfree(td->td_stripbytecount);
276 @@ -947,16 +975,18 @@ MissingRequired(TIFF* tif, const char* t
277 static int
278 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
279 {
280 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
281 +
282 if (count > dir->tdir_count) {
283 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
284 "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
285 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
286 + fip ? fip->field_name : "Unknown",
287 dir->tdir_count, count);
288 return (0);
289 } else if (count < dir->tdir_count) {
290 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
291 "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
292 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
293 + fip ? fip->field_name : "Unknown",
294 dir->tdir_count, count);
295 return (1);
296 }
297 @@ -970,6 +1000,7 @@ static tsize_t
298 TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
299 {
300 int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
301 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
302 tsize_t cc = dir->tdir_count * w;
303
304 /* Check for overflow. */
305 @@ -1013,7 +1044,7 @@ TIFFFetchData(TIFF* tif, TIFFDirEntry* d
306 bad:
307 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
308 "Error fetching data for field \"%s\"",
309 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
310 + fip ? fip->field_name : "Unknown");
311 return (tsize_t) 0;
312 }
313
314 @@ -1039,10 +1070,12 @@ TIFFFetchString(TIFF* tif, TIFFDirEntry*
315 static int
316 cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
317 {
318 + const TIFFFieldInfo* fip;
319 if (denom == 0) {
320 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
321 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
322 "%s: Rational with zero denominator (num = %lu)",
323 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
324 + fip ? fip->field_name : "Unknown", num);
325 return (0);
326 } else {
327 if (dir->tdir_type == TIFF_RATIONAL)
328 @@ -1159,6 +1192,20 @@ TIFFFetchShortArray(TIFF* tif, TIFFDirEn
329 static int
330 TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
331 {
332 + /*
333 + * Prevent overflowing the v stack arrays below by performing a sanity
334 + * check on tdir_count, this should never be greater than two.
335 + * -- taviso@google.com 14 Jun 2006.
336 + */
337 + if (dir->tdir_count > 2) {
338 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
339 + TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
340 + "unexpected count for field \"%s\", %lu, expected 2; ignored.",
341 + fip ? fip->field_name : "Unknown",
342 + dir->tdir_count);
343 + return 0;
344 + }
345 +
346 switch (dir->tdir_type) {
347 case TIFF_BYTE:
348 case TIFF_SBYTE:
349 @@ -1329,14 +1376,15 @@ TIFFFetchAnyArray(TIFF* tif, TIFFDirEntr
350 case TIFF_DOUBLE:
351 return (TIFFFetchDoubleArray(tif, dir, (double*) v));
352 default:
353 + { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
354 /* TIFF_NOTYPE */
355 /* TIFF_ASCII */
356 /* TIFF_UNDEFINED */
357 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
358 "cannot read TIFF_ANY type %d for field \"%s\"",
359 dir->tdir_type,
360 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
361 - return (0);
362 + fip ? fip->field_name : "Unknown");
363 + return (0); }
364 }
365 return (1);
366 }
367 @@ -1351,6 +1399,9 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt
368 int ok = 0;
369 const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
370
371 + if (fip == NULL) {
372 + return (0);
373 + }
374 if (dp->tdir_count > 1) { /* array of values */
375 char* cp = NULL;
376
377 @@ -1493,6 +1544,7 @@ static int
378 TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
379 {
380 uint16 samples = tif->tif_dir.td_samplesperpixel;
381 + const TIFFFieldInfo* fip;
382 int status = 0;
383
384 if (CheckDirCount(tif, dir, (uint32) samples)) {
385 @@ -1510,9 +1562,10 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFF
386
387 for (i = 1; i < check_count; i++)
388 if (v[i] != v[0]) {
389 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
390 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
391 "Cannot handle different per-sample values for field \"%s\"",
392 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
393 + fip ? fip->field_name : "Unknown");
394 goto bad;
395 }
396 *pl = v[0];
397 @@ -1534,6 +1587,7 @@ static int
398 TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
399 {
400 uint16 samples = tif->tif_dir.td_samplesperpixel;
401 + const TIFFFieldInfo* fip;
402 int status = 0;
403
404 if (CheckDirCount(tif, dir, (uint32) samples)) {
405 @@ -1551,9 +1605,10 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFD
406 check_count = samples;
407 for (i = 1; i < check_count; i++)
408 if (v[i] != v[0]) {
409 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
410 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
411 "Cannot handle different per-sample values for field \"%s\"",
412 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
413 + fip ? fip->field_name : "Unknown");
414 goto bad;
415 }
416 *pl = v[0];
417 @@ -1574,6 +1629,7 @@ static int
418 TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
419 {
420 uint16 samples = tif->tif_dir.td_samplesperpixel;
421 + const TIFFFieldInfo* fip;
422 int status = 0;
423
424 if (CheckDirCount(tif, dir, (uint32) samples)) {
425 @@ -1591,9 +1647,10 @@ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDi
426
427 for (i = 1; i < check_count; i++)
428 if (v[i] != v[0]) {
429 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
430 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
431 "Cannot handle different per-sample values for field \"%s\"",
432 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
433 + fip ? fip->field_name : "Unknown");
434 goto bad;
435 }
436 *pl = v[0];
437 --- a/libtiff/tif_fax3.c
438 +++ b/libtiff/tif_fax3.c
439 @@ -1136,6 +1136,7 @@ static int
440 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
441 {
442 Fax3BaseState* sp = Fax3State(tif);
443 + const TIFFFieldInfo* fip;
444
445 assert(sp != 0);
446 assert(sp->vsetparent != 0);
447 @@ -1181,7 +1182,13 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_
448 default:
449 return (*sp->vsetparent)(tif, tag, ap);
450 }
451 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
452 +
453 + if ((fip = _TIFFFieldWithTag(tif, tag))) {
454 + TIFFSetFieldBit(tif, fip->field_bit);
455 + } else {
456 + return (0);
457 + }
458 +
459 tif->tif_flags |= TIFF_DIRTYDIRECT;
460 return (1);
461 }
462 --- a/libtiff/tif_jpeg.c
463 +++ b/libtiff/tif_jpeg.c
464 @@ -722,15 +722,31 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
465 segment_width = TIFFhowmany(segment_width, sp->h_sampling);
466 segment_height = TIFFhowmany(segment_height, sp->v_sampling);
467 }
468 - if (sp->cinfo.d.image_width != segment_width ||
469 - sp->cinfo.d.image_height != segment_height) {
470 + if (sp->cinfo.d.image_width < segment_width ||
471 + sp->cinfo.d.image_height < segment_height) {
472 TIFFWarningExt(tif->tif_clientdata, module,
473 "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
474 segment_width,
475 segment_height,
476 sp->cinfo.d.image_width,
477 sp->cinfo.d.image_height);
478 + }
479 +
480 + if (sp->cinfo.d.image_width > segment_width ||
481 + sp->cinfo.d.image_height > segment_height) {
482 + /*
483 + * This case could be dangerous, if the strip or tile size has been
484 + * reported as less than the amount of data jpeg will return, some
485 + * potential security issues arise. Catch this case and error out.
486 + * -- taviso@google.com 14 Jun 2006
487 + */
488 + TIFFErrorExt(tif->tif_clientdata, module,
489 + "JPEG strip/tile size exceeds expected dimensions,"
490 + "expected %dx%d, got %dx%d", segment_width, segment_height,
491 + sp->cinfo.d.image_width, sp->cinfo.d.image_height);
492 + return (0);
493 }
494 +
495 if (sp->cinfo.d.num_components !=
496 (td->td_planarconfig == PLANARCONFIG_CONTIG ?
497 td->td_samplesperpixel : 1)) {
498 @@ -761,6 +777,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
499 sp->cinfo.d.comp_info[0].v_samp_factor,
500 sp->h_sampling, sp->v_sampling);
501
502 + /*
503 + * There are potential security issues here for decoders that
504 + * have already allocated buffers based on the expected sampling
505 + * factors. Lets check the sampling factors dont exceed what
506 + * we were expecting.
507 + * -- taviso@google.com 14 June 2006
508 + */
509 + if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
510 + sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
511 + TIFFErrorExt(tif->tif_clientdata, module,
512 + "Cannot honour JPEG sampling factors that"
513 + " exceed those specified.");
514 + return (0);
515 + }
516 +
517 +
518 /*
519 * XXX: Files written by the Intergraph software
520 * has different sampling factors stored in the
521 @@ -1521,15 +1553,18 @@ JPEGCleanup(TIFF* tif)
522 {
523 JPEGState *sp = JState(tif);
524
525 - assert(sp != 0);
526 + /* assert(sp != 0); */
527
528 tif->tif_tagmethods.vgetfield = sp->vgetparent;
529 tif->tif_tagmethods.vsetfield = sp->vsetparent;
530
531 - if( sp->cinfo_initialized )
532 - TIFFjpeg_destroy(sp); /* release libjpeg resources */
533 - if (sp->jpegtables) /* tag value */
534 - _TIFFfree(sp->jpegtables);
535 + if (sp != NULL) {
536 + if( sp->cinfo_initialized )
537 + TIFFjpeg_destroy(sp); /* release libjpeg resources */
538 + if (sp->jpegtables) /* tag value */
539 + _TIFFfree(sp->jpegtables);
540 + }
541 +
542 _TIFFfree(tif->tif_data); /* release local state */
543 tif->tif_data = NULL;
544
545 @@ -1541,6 +1576,7 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
546 {
547 JPEGState* sp = JState(tif);
548 TIFFDirectory* td = &tif->tif_dir;
549 + const TIFFFieldInfo* fip;
550 uint32 v32;
551
552 assert(sp != NULL);
553 @@ -1606,7 +1642,13 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
554 default:
555 return (*sp->vsetparent)(tif, tag, ap);
556 }
557 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
558 +
559 + if ((fip = _TIFFFieldWithTag(tif, tag))) {
560 + TIFFSetFieldBit(tif, fip->field_bit);
561 + } else {
562 + return (0);
563 + }
564 +
565 tif->tif_flags |= TIFF_DIRTYDIRECT;
566 return (1);
567 }
568 @@ -1726,7 +1768,11 @@ JPEGPrintDir(TIFF* tif, FILE* fd, long f
569 {
570 JPEGState* sp = JState(tif);
571
572 - assert(sp != NULL);
573 + /* assert(sp != NULL); */
574 + if (sp == NULL) {
575 + TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
576 + return;
577 + }
578
579 (void) flags;
580 if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
581 --- a/libtiff/tif_next.c
582 +++ b/libtiff/tif_next.c
583 @@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
584 * as codes of the form <color><npixels>
585 * until we've filled the scanline.
586 */
587 + /*
588 + * Ensure the run does not exceed the scanline
589 + * bounds, potentially resulting in a security issue.
590 + * -- taviso@google.com 14 Jun 2006.
591 + */
592 op = row;
593 for (;;) {
594 grey = (n>>6) & 0x3;
595 n &= 0x3f;
596 - while (n-- > 0)
597 + while (n-- > 0 && npixels < imagewidth)
598 SETPIXEL(op, grey);
599 if (npixels >= (int) imagewidth)
600 break;
601 --- a/libtiff/tif_pixarlog.c
602 +++ b/libtiff/tif_pixarlog.c
603 @@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, t
604 if (tif->tif_flags & TIFF_SWAB)
605 TIFFSwabArrayOfShort(up, nsamples);
606
607 - for (i = 0; i < nsamples; i += llen, up += llen) {
608 + /*
609 + * if llen is not an exact multiple of nsamples, the decode operation
610 + * may overflow the output buffer, so truncate it enough to prevent that
611 + * but still salvage as much data as possible.
612 + * -- taviso@google.com 14th June 2006
613 + */
614 + if (nsamples % llen)
615 + TIFFWarningExt(tif->tif_clientdata, module,
616 + "%s: stride %lu is not a multiple of sample count, "
617 + "%lu, data truncated.", tif->tif_name, llen, nsamples);
618 +
619 +
620 + for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
621 switch (sp->user_datafmt) {
622 case PIXARLOGDATAFMT_FLOAT:
623 horizontalAccumulateF(up, llen, sp->stride,
624 --- a/libtiff/tif_read.c
625 +++ b/libtiff/tif_read.c
626 @@ -31,6 +31,8 @@
627 #include "tiffiop.h"
628 #include <stdio.h>
629
630 +#include <limits.h>
631 +
632 int TIFFFillStrip(TIFF*, tstrip_t);
633 int TIFFFillTile(TIFF*, ttile_t);
634 static int TIFFStartStrip(TIFF*, tstrip_t);
635 @@ -272,7 +274,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip)
636 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
637 _TIFFfree(tif->tif_rawdata);
638 tif->tif_flags &= ~TIFF_MYBUFFER;
639 - if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
640 + /*
641 + * This sanity check could potentially overflow, causing an OOB read.
642 + * verify that offset + bytecount is > offset.
643 + * -- taviso@google.com 14 Jun 2006
644 + */
645 + if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
646 + bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
647 /*
648 * This error message might seem strange, but it's
649 * what would happen if a read were done instead.
650 @@ -470,7 +478,13 @@ TIFFFillTile(TIFF* tif, ttile_t tile)
651 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
652 _TIFFfree(tif->tif_rawdata);
653 tif->tif_flags &= ~TIFF_MYBUFFER;
654 - if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
655 + /*
656 + * We must check this calculation doesnt overflow, potentially
657 + * causing an OOB read.
658 + * -- taviso@google.com 15 Jun 2006
659 + */
660 + if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
661 + bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
662 tif->tif_curtile = NOTILE;
663 return (0);
664 }