summary refs log tree commit diff
path: root/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
blob: 84566ca23e82a8ab5cf0033a51aa6a34bb0acfed (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
Fix several bugs in libtiff related to use of TIFFGetField():

http://bugzilla.maptools.org/show_bug.cgi?id=2580
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095

Patch copied from upstream CVS. 3rd-party Git reference:
https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06

2017-06-01  Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
to behave differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433
Index: libtiff/libtiff/tif_dirread.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
retrieving revision 1.208
retrieving revision 1.209
diff -u -r1.208 -r1.209
--- libtiff/libtiff/tif_dirread.c	27 Apr 2017 15:46:22 -0000	1.208
+++ libtiff/libtiff/tif_dirread.c	1 Jun 2017 12:44:04 -0000	1.209
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -3580,6 +3580,10 @@
 							goto bad;
 						dp->tdir_tag=IGNORE;
 						break;
+                                        default:
+                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+                                                dp->tdir_tag=IGNORE;
+                                            break;
 				}
 			}
 		}
Index: libtiff/libtiff/tif_dirinfo.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
retrieving revision 1.126
retrieving revision 1.127
diff -u -r1.126 -r1.127
--- libtiff/libtiff/tif_dirinfo.c	18 Nov 2016 02:52:13 -0000	1.126
+++ libtiff/libtiff/tif_dirinfo.c	1 Jun 2017 12:44:04 -0000	1.127
@@ -1,4 +1,4 @@
-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -956,6 +956,109 @@
 	return 0;
 }
 
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+	/* Filter out non-codec specific tags */
+	switch (tag) {
+	    /* Shared tags */
+	    case TIFFTAG_PREDICTOR:
+	    /* JPEG tags */
+	    case TIFFTAG_JPEGTABLES:
+	    /* OJPEG tags */
+	    case TIFFTAG_JPEGIFOFFSET:
+	    case TIFFTAG_JPEGIFBYTECOUNT:
+	    case TIFFTAG_JPEGQTABLES:
+	    case TIFFTAG_JPEGDCTABLES:
+	    case TIFFTAG_JPEGACTABLES:
+	    case TIFFTAG_JPEGPROC:
+	    case TIFFTAG_JPEGRESTARTINTERVAL:
+	    /* CCITT* */
+	    case TIFFTAG_BADFAXLINES:
+	    case TIFFTAG_CLEANFAXDATA:
+	    case TIFFTAG_CONSECUTIVEBADFAXLINES:
+	    case TIFFTAG_GROUP3OPTIONS:
+	    case TIFFTAG_GROUP4OPTIONS:
+		break;
+	    default:
+		return 1;
+	}
+	/* Check if codec specific tags are allowed for the current
+	 * compression scheme (codec) */
+	switch (tif->tif_dir.td_compression) {
+	    case COMPRESSION_LZW:
+		if (tag == TIFFTAG_PREDICTOR)
+		    return 1;
+		break;
+	    case COMPRESSION_PACKBITS:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_THUNDERSCAN:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_NEXT:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_JPEG:
+		if (tag == TIFFTAG_JPEGTABLES)
+		    return 1;
+		break;
+	    case COMPRESSION_OJPEG:
+		switch (tag) {
+		    case TIFFTAG_JPEGIFOFFSET:
+		    case TIFFTAG_JPEGIFBYTECOUNT:
+		    case TIFFTAG_JPEGQTABLES:
+		    case TIFFTAG_JPEGDCTABLES:
+		    case TIFFTAG_JPEGACTABLES:
+		    case TIFFTAG_JPEGPROC:
+		    case TIFFTAG_JPEGRESTARTINTERVAL:
+			return 1;
+		}
+		break;
+	    case COMPRESSION_CCITTRLE:
+	    case COMPRESSION_CCITTRLEW:
+	    case COMPRESSION_CCITTFAX3:
+	    case COMPRESSION_CCITTFAX4:
+		switch (tag) {
+		    case TIFFTAG_BADFAXLINES:
+		    case TIFFTAG_CLEANFAXDATA:
+		    case TIFFTAG_CONSECUTIVEBADFAXLINES:
+			return 1;
+		    case TIFFTAG_GROUP3OPTIONS:
+			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+			    return 1;
+			break;
+		    case TIFFTAG_GROUP4OPTIONS:
+			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+			    return 1;
+			break;
+		}
+		break;
+	    case COMPRESSION_JBIG:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_DEFLATE:
+	    case COMPRESSION_ADOBE_DEFLATE:
+		if (tag == TIFFTAG_PREDICTOR)
+		    return 1;
+		break;
+	   case COMPRESSION_PIXARLOG:
+		if (tag == TIFFTAG_PREDICTOR)
+		    return 1;
+		break;
+	    case COMPRESSION_SGILOG:
+	    case COMPRESSION_SGILOG24:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_LZMA:
+		if (tag == TIFFTAG_PREDICTOR)
+		    return 1;
+		break;
+
+	}
+	return 0;
+}
+
 /* vim: set ts=8 sts=8 sw=8 noet: */
 
 /*
Index: libtiff/libtiff/tif_dir.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- libtiff/libtiff/tif_dir.h	18 Feb 2011 20:53:05 -0000	1.54
+++ libtiff/libtiff/tif_dir.h	1 Jun 2017 12:44:04 -0000	1.55
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -291,6 +291,7 @@
 extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
 extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
 extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
 
 #if defined(__cplusplus)
 }