Backport of:
From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Mon, 29 Dec 2014 12:09:11 +0000
Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't
read outside of the compressed input stream buffer.
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
---
ChangeLog | 9 +++++++++
libtiff/tif_getimage.c | 12 +++++++-----
libtiff/tif_next.c | 4 +++-
3 files changed, 19 insertions(+), 6 deletions(-)
Index: tiff-3.9.5/libtiff/tif_getimage.c
===================================================================
--- tiff-3.9.5.orig/libtiff/tif_getimage.c 2015-03-30 08:00:11.795924791 -0400
+++ tiff-3.9.5/libtiff/tif_getimage.c 2015-03-30 08:00:11.791924755 -0400
@@ -1759,7 +1759,7 @@
(void) y;
fromskew = (fromskew * 10) / 4;
- if ((h & 3) == 0 && (w & 1) == 0) {
+ if ((w & 3) == 0 && (h & 1) == 0) {
for (; h >= 2; h -= 2) {
x = w>>2;
do {
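Review bot: The fast path guarded by the corrected test still opens its inner loop with `x = w>>2; do {`, whereas the other loops in this patch were changed to `while(x>0)` so that a zero count skips the body. `(w & 3) == 0` also holds for w == 0, so a zero width would run the body once and wrap the counter, assuming the loop still closes with `while (--x)` outside the hunk. Whether w can be 0 here depends on callers that are not shown; if it can, use `while(x>0) {` with a trailing `x--;` here as well. A comment such as `/* fast path needs w a multiple of 4 and h a multiple of 2 */` above the test would also record why the operands were swapped.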
@@ -1836,7 +1836,7 @@
/* XXX adjust fromskew */
do {
x = w>>2;
- do {
+ while(x>0) {
int32 Cb = pp[4];
int32 Cr = pp[5];
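Review bot: The outer `do {` at the top of this hunk is left as a do/while, so only the inner pixel-group loop gained a zero-iteration guard. Its closing condition is outside the hunk, but if it is still `while (--h)`, a call with h == 0 would run one row and wrap the counter, just as the inner loop did for w < 4. Whether h can be 0 depends on the callers, so this is worth confirming rather than assuming. The same applies to the outer loop in the @@ -1938 hunk. A comment on the new loop, e.g. `/* w < 4: no full group to convert; the (w&3) tail below handles the remaining pixels */`, would make the intent of the rewrite clear.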
@@ -1847,7 +1847,8 @@
cp += 4;
pp += 6;
- } while (--x);
+ x--;
+ }
if( (w&3) != 0 )
{
@@ -1938,7 +1939,7 @@
fromskew = (fromskew * 4) / 2;
do {
x = w>>1;
- do {
+ while(x>0) {
int32 Cb = pp[2];
int32 Cr = pp[3];
@@ -1947,7 +1948,8 @@
cp += 2;
pp += 4;
- } while (--x);
+ x --;
+ }
if( (w&1) != 0 )
{
Index: tiff-3.9.5/libtiff/tif_next.c
===================================================================
--- tiff-3.9.5.orig/libtiff/tif_next.c 2015-03-30 08:00:11.795924791 -0400
+++ tiff-3.9.5/libtiff/tif_next.c 2015-03-30 08:00:52.444278078 -0400
@@ -65,7 +65,7 @@
bp = (unsigned char *)tif->tif_rawcp;
cc = tif->tif_rawcc;
scanline = tif->tif_scanlinesize;
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
n = *bp++, cc--;
switch (n) {
case LITERALROW:
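Review bot: The loop header still advances `row` by a full `scanline` for any `occ > 0`, so if `occ` is not a multiple of `scanline` the last iteration can write past the end of `buf`; the new `cc > 0` term bounds only the input side. Nothing in the hunk shows that callers guarantee a whole number of scanlines, so consider rejecting that case before the loop, e.g. `if (scanline <= 0 || occ % scanline != 0) goto bad;` or a dedicated error return. Separately, when the loop now exits because `cc` reached 0 while `occ` is still positive, the input was truncated. The code after the loop is outside the hunk, but if it returns success the caller gets a partially decoded strip with no error reported.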
@@ -84,6 +84,8 @@
* The scanline has a literal span that begins at some
* offset.
*/
+ if( cc < 4 )
+ goto bad;
off = (bp[0] * 256) + bp[1];
n = (bp[2] * 256) + bp[3];
if (cc < 4+n || off+n > scanline)