~ubuntu-branches/ubuntu/natty/tiff/natty-security

Viewing changes to .pc/CVE-2012-2088.patch/libtiff/tif_tile.c

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2012-07-04 10:59:25 UTC
Revision ID: package-import@ubuntu.com-20120704105925-codjws8elgvml0lf

Tags: 3.9.4-5ubuntu6.2

* SECURITY UPDATE: possible arbitrary code execution via buffer overflow
  due to type-conversion flaw (LP: #1016324)
  - debian/patches/CVE-2012-2088.patch: check for overflows in
    libtiff/tif_strip.c and libtiff/tif_tile.c.
  - CVE-2012-2088
* SECURITY UPDATE: possible arbitrary code execution via integer
  overflows in tiff2pdf (LP: #1016324)
  - debian/patches/CVE-2012-2113.patch: check for overflows in
    tools/tiff2pdf.c.
  - CVE-2012-2113

files added:
.pc/.quilt_patches

.pc/.quilt_series

.pc/CVE-2012-2088.patch

.pc/CVE-2012-2088.patch/libtiff

.pc/CVE-2012-2088.patch/libtiff/tif_strip.c

.pc/CVE-2012-2088.patch/libtiff/tif_tile.c

.pc/CVE-2012-2113.patch

.pc/CVE-2012-2113.patch/tools

.pc/CVE-2012-2113.patch/tools/tiff2pdf.c

debian/patches/CVE-2012-2088.patch

debian/patches/CVE-2012-2113.patch

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

libtiff/tif_strip.c

libtiff/tif_tile.c

tools/tiff2pdf.c

Show diffs side-by-side

added added

removed removed

.pc/CVE-2012-2088.patch/libtiff/tif_tile.c

/* $Id: tif_tile.c,v 1.12.2.1 2010-06-08 18:50:43 bfriesen Exp $ */

* Permission to use, copy, modify, distribute, and sell this software and

* its documentation for any purpose is hereby granted without fee, provided

* that (i) the above copyright notices and this permission notice appear in

* all copies of the software and related documentation, and (ii) the names of

* Sam Leffler and Silicon Graphics may not be used in any advertising or

* publicity relating to the software without the specific, prior written

* permission of Sam Leffler and Silicon Graphics.

* THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,

* EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY

* WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

* IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR

* ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,

* OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,

* WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF

* LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE

* OF THIS SOFTWARE.

* TIFF Library.

* Tiled Image Support Routines.

#include "tiffiop.h"

static uint32

summarize(TIFF* tif, size_t summand1, size_t summand2, const char* where)

{

* XXX: We are using casting to uint32 here, because sizeof(size_t)

* may be larger than sizeof(uint32) on 64-bit architectures.

uint32 bytes = summand1 + summand2;

if (bytes - summand1 != summand2) {

TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", where);

bytes = 0;

}

return (bytes);

}

static uint32

multiply(TIFF* tif, size_t nmemb, size_t elem_size, const char* where)

{

uint32 bytes = nmemb * elem_size;

if (elem_size && bytes / elem_size != nmemb) {

TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", where);

bytes = 0;

}

return (bytes);

}

* Compute which tile an (x,y,z,s) value is in.

ttile_t

TIFFComputeTile(TIFF* tif, uint32 x, uint32 y, uint32 z, tsample_t s)

{

TIFFDirectory *td = &tif->tif_dir;

uint32 dx = td->td_tilewidth;

uint32 dy = td->td_tilelength;

uint32 dz = td->td_tiledepth;

ttile_t tile = 1;

if (td->td_imagedepth == 1)

z = 0;

if (dx == (uint32) -1)

dx = td->td_imagewidth;

if (dy == (uint32) -1)

dy = td->td_imagelength;

if (dz == (uint32) -1)

dz = td->td_imagedepth;

if (dx != 0 && dy != 0 && dz != 0) {

uint32 xpt = TIFFhowmany(td->td_imagewidth, dx);

uint32 ypt = TIFFhowmany(td->td_imagelength, dy);

uint32 zpt = TIFFhowmany(td->td_imagedepth, dz);

if (td->td_planarconfig == PLANARCONFIG_SEPARATE)

tile = (xpt*ypt*zpt)*s +

(xpt*ypt)*(z/dz) +

xpt*(y/dy) +

x/dx;

else

tile = (xpt*ypt)*(z/dz) + xpt*(y/dy) + x/dx;

}

return (tile);

}

100

101

* Check an (x,y,z,s) coordinate

102

* against the image bounds.

103

104

int

105

TIFFCheckTile(TIFF* tif, uint32 x, uint32 y, uint32 z, tsample_t s)

106

{

107

TIFFDirectory *td = &tif->tif_dir;

108

109

if (x >= td->td_imagewidth) {

110

TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

111

"%lu: Col out of range, max %lu",

112

(unsigned long) x,

113

(unsigned long) (td->td_imagewidth - 1));

114

return (0);

115

}

116

if (y >= td->td_imagelength) {

117

TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

118

"%lu: Row out of range, max %lu",

119

(unsigned long) y,

120

(unsigned long) (td->td_imagelength - 1));

121

return (0);

122

}

123

if (z >= td->td_imagedepth) {

124

TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

125

"%lu: Depth out of range, max %lu",

126

(unsigned long) z,

127

(unsigned long) (td->td_imagedepth - 1));

128

return (0);

129

}

130

if (td->td_planarconfig == PLANARCONFIG_SEPARATE &&

131

s >= td->td_samplesperpixel) {

132

TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

133

"%lu: Sample out of range, max %lu",

134

(unsigned long) s,

135

(unsigned long) (td->td_samplesperpixel - 1));

136

return (0);

137

}

138

return (1);

139

}

140

141

142

* Compute how many tiles are in an image.

143

144

ttile_t

145

TIFFNumberOfTiles(TIFF* tif)

146

{

147

TIFFDirectory *td = &tif->tif_dir;

148

uint32 dx = td->td_tilewidth;

149

uint32 dy = td->td_tilelength;

150

uint32 dz = td->td_tiledepth;

151

ttile_t ntiles;

152

153

if (dx == (uint32) -1)

154

dx = td->td_imagewidth;

155

if (dy == (uint32) -1)

156

dy = td->td_imagelength;

157

if (dz == (uint32) -1)

158

dz = td->td_imagedepth;

159

ntiles = (dx == 0 || dy == 0 || dz == 0) ? 0 :

160

multiply(tif, multiply(tif, TIFFhowmany(td->td_imagewidth, dx),

161

TIFFhowmany(td->td_imagelength, dy),

162

"TIFFNumberOfTiles"),

163

TIFFhowmany(td->td_imagedepth, dz), "TIFFNumberOfTiles");

164

if (td->td_planarconfig == PLANARCONFIG_SEPARATE)

165

ntiles = multiply(tif, ntiles, td->td_samplesperpixel,

166

"TIFFNumberOfTiles");

167

return (ntiles);

168

}

169

170

171

* Compute the # bytes in each row of a tile.

172

173

tsize_t

174

TIFFTileRowSize(TIFF* tif)

175

{

176

TIFFDirectory *td = &tif->tif_dir;

177

tsize_t rowsize;

178

179

if (td->td_tilelength == 0 || td->td_tilewidth == 0)

180

return ((tsize_t) 0);

181

rowsize = multiply(tif, td->td_bitspersample, td->td_tilewidth,

182

"TIFFTileRowSize");

183

if (td->td_planarconfig == PLANARCONFIG_CONTIG)

184

rowsize = multiply(tif, rowsize, td->td_samplesperpixel,

185

"TIFFTileRowSize");

186

return ((tsize_t) TIFFhowmany8(rowsize));

187

}

188

189

190

* Compute the # bytes in a variable length, row-aligned tile.

191

192

tsize_t

193

TIFFVTileSize(TIFF* tif, uint32 nrows)

194

{

195

TIFFDirectory *td = &tif->tif_dir;

196

tsize_t tilesize;

197

198

if (td->td_tilelength == 0 || td->td_tilewidth == 0 ||

199

td->td_tiledepth == 0)

200

return ((tsize_t) 0);

201

if (td->td_planarconfig == PLANARCONFIG_CONTIG &&

202

td->td_photometric == PHOTOMETRIC_YCBCR &&

203

!isUpSampled(tif)) {

204

205

* Packed YCbCr data contain one Cb+Cr for every

206

* HorizontalSampling*VerticalSampling Y values.

207

* Must also roundup width and height when calculating

208

* since images that are not a multiple of the

209

* horizontal/vertical subsampling area include

210

* YCbCr data for the extended image.

211

212

tsize_t w =

213

TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]);

214

tsize_t rowsize =

215

TIFFhowmany8(multiply(tif, w, td->td_bitspersample,

216

"TIFFVTileSize"));

217

tsize_t samplingarea =

218

td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1];

219

if (samplingarea == 0) {

220

TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling");

221

return 0;

222

}

223

nrows = TIFFroundup(nrows, td->td_ycbcrsubsampling[1]);

224

/* NB: don't need TIFFhowmany here 'cuz everything is rounded */

225

tilesize = multiply(tif, nrows, rowsize, "TIFFVTileSize");

226

tilesize = summarize(tif, tilesize,

227

multiply(tif, 2, tilesize / samplingarea,

228

"TIFFVTileSize"),

229

"TIFFVTileSize");

230

} else

231

tilesize = multiply(tif, nrows, TIFFTileRowSize(tif),

232

"TIFFVTileSize");

233

return ((tsize_t)

234

multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"));

235

}

236

237

238

* Compute the # bytes in a row-aligned tile.

239

240

tsize_t

241

TIFFTileSize(TIFF* tif)

242

{

243

return (TIFFVTileSize(tif, tif->tif_dir.td_tilelength));

244

}

245

246

247

* Compute a default tile size based on the image

248

* characteristics and a requested value. If a

249

* request is <1 then we choose a size according

250

* to certain heuristics.

251

252

void

253

TIFFDefaultTileSize(TIFF* tif, uint32* tw, uint32* th)

254

{

255

(*tif->tif_deftilesize)(tif, tw, th);

256

}

257

258

void

259

_TIFFDefaultTileSize(TIFF* tif, uint32* tw, uint32* th)

260

{

261

(void) tif;

262

if (*(int32*) tw < 1)

263

*tw = 256;

264

if (*(int32*) th < 1)

265

*th = 256;

266

/* roundup to a multiple of 16 per the spec */

267

if (*tw & 0xf)

268

*tw = TIFFroundup(*tw, 16);

269

if (*th & 0xf)

270

*th = TIFFroundup(*th, 16);

271

}

272

273

/* vim: set ts=8 sts=8 sw=8 noet: */

274

275

* Local Variables:

276

* mode: c

277

* c-basic-offset: 8

278

* fill-column: 78

279

* End:

280

Older »