
Commit 1044b43

author
erouault
committed
* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
overflow on generation of PixarLog / LUV compressed files, with ColorMap, TransferFunction attached and nasty plays with bitspersample. The fix for LUV has not been tested, but LUV suffers from the same kind of issue as PixarLog. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
1 parent 5397a41 commit 1044b43

3 files changed

+39
-6
lines changed


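--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+overflow on generation of PixarLog / LUV compressed files, with
+ColorMap, TransferFunction attached and nasty plays with bitspersample.
+The fix for LUV has not been tested, but suffers from the same kind
+of issue of PixarLog.
+Reported by Agostino Sarubbo.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
 2016-12-02 Even Rouault <even.rouault at spatialys.com>
 
 * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that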

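--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -158,6 +158,7 @@
 typedef struct logLuvState LogLuvState;
 
 struct logLuvState {
+int encoder_state; /* 1 if encoder correctly initialized */
 int user_datafmt; /* user data format */
 int encode_meth; /* encoding method */
 int pixel_size; /* bytes per pixel */
@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
 td->td_photometric, "must be either LogLUV or LogL");
 break;
 }
+sp->encoder_state = 1;
 return (1);
 notsupported:
 TIFFErrorExt(tif->tif_clientdata, module,
@@ -1563,19 +1565,27 @@ LogLuvSetupEncode(TIFF* tif)
 static void
 LogLuvClose(TIFF* tif)
 {
+LogLuvState* sp = (LogLuvState*) tif->tif_data;
 TIFFDirectory *td = &tif->tif_dir;
 
+assert(sp != 0);
 /*
 * For consistency, we always want to write out the same
 * bitspersample and sampleformat for our TIFF file,
 * regardless of the data format being used by the application.
 * Since this routine is called after tags have been set but
 * before they have been recorded in the file, we reset them here.
+* Note: this is really a nasty approach. See PixarLogClose
 */
-td->td_samplesperpixel =
-(td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
-td->td_bitspersample = 16;
-td->td_sampleformat = SAMPLEFORMAT_INT;
+if( sp->encoder_state )
+{
+/* See PixarLogClose. Might avoid issues with tags whose size depends
+* on those below, but not completely sure this is enough. */
+td->td_samplesperpixel =
+(td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+td->td_bitspersample = 16;
+td->td_sampleformat = SAMPLEFORMAT_INT;
+}
 }
 
 static void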
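Review bot: The rewrite of td_bitspersample to 16 inside the new `if( sp->encoder_state )` block in LogLuvClose is still unconditional once the encoder was set up, so if LogLuvSetupEncode accepts an application data format with fewer than 16 bits per sample (its body lies outside the hunk), a ColorMap or TransferFunction sized for the original bitspersample would still be read as 1<<16 entries at directory flush, which is exactly the hazard the PixarLogClose comment describes. The added comment already concedes this ("not completely sure this is enough"); it would be more useful as a TODO that names the condition: `/* TODO: if td_bitspersample < 16 and ColorMap/TransferFunction are set, raising it here still widens those tags; consider clearing them instead */`. Also, `assert(sp != 0)` is compiled out under NDEBUG, so the dereference at `sp->encoder_state` is unguarded in release builds if tif_data can ever be NULL when this close hook is installed (not visible here); an explicit `if (sp == NULL) return;` would be the safer guard. The new encoder_state field is only ever set to 1 in this commit, so it relies on the state struct being zero-initialized at codec init, which the hunk does not show.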

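--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
 static void
 PixarLogClose(TIFF* tif)
 {
+PixarLogState* sp = (PixarLogState*) tif->tif_data;
 TIFFDirectory *td = &tif->tif_dir;
 
+assert(sp != 0);
 /* In a really sneaky (and really incorrect, and untruthful, and
 * troublesome, and error-prone) maneuver that completely goes against
 * the spirit of TIFF, and breaks TIFF, on close, we covertly
@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
 * readers that don't know about PixarLog, or how to set
 * the PIXARLOGDATFMT pseudo-tag.
 */
-td->td_bitspersample = 8;
-td->td_sampleformat = SAMPLEFORMAT_UINT;
+
+if (sp->state&PLSTATE_INIT) {
+/* We test the state to avoid an issue such as in
+* http://bugzilla.maptools.org/show_bug.cgi?id=2604
+* What appends in that case is that the bitspersample is 1 and
+* a TransferFunction is set. The size of the TransferFunction
+* depends on 1<<bitspersample. So if we increase it, an access
+* out of the buffer will happen at directory flushing.
+* Another option would be to clear those targs.
+*/
+td->td_bitspersample = 8;
+td->td_sampleformat = SAMPLEFORMAT_UINT;
+}
 }
 
 static void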
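Review bot: The guard `if (sp->state&PLSTATE_INIT)` keys the tag rewrite to codec initialization in general, but PLSTATE_INIT is set outside this hunk and, if the decode setup path sets it as well, the rewrite of td_bitspersample still runs on read-side close; whether that is harmless depends on the directory never being written back on that path, which the comment should state rather than leave implied, and a flag set only by the encode setup (as the LogLuv half of this commit does with encoder_state) would make the intent explicit. The explanatory comment also has two typos that will trip a reader chasing the referenced bug: `* What happens in that case is that the bitspersample is 1 and` and `* Another option would be to clear those tags.`. As in LogLuvClose, `assert(sp != 0)` disappears under NDEBUG, so the dereference on the next line is unguarded in release builds if tif_data can be NULL when PixarLogClose is installed (not visible here).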
