Skip to content
This repository has been archived by the owner. It is now read-only.
Permalink
Browse files

* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer

overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but suffers from the same kind
of issue of PixarLog.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
  • Loading branch information...
erouault
erouault committed Dec 2, 2016
1 parent 5397a41 commit 1044b43637fa7f70fb19b93593777b78bd20da86
Showing with 39 additions and 6 deletions.
  1. +10 −0 ChangeLog
  2. +14 −4 libtiff/tif_luv.c
  3. +15 −2 libtiff/tif_pixarlog.c
@@ -1,3 +1,13 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but suffers from the same kind
of issue of PixarLog.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604

2016-12-02 Even Rouault <even.rouault at spatialys.com>

* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
@@ -158,6 +158,7 @@
typedef struct logLuvState LogLuvState;

struct logLuvState {
int encoder_state; /* 1 if encoder correctly initialized */
int user_datafmt; /* user data format */
int encode_meth; /* encoding method */
int pixel_size; /* bytes per pixel */
@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
td->td_photometric, "must be either LogLUV or LogL");
break;
}
sp->encoder_state = 1;
return (1);
notsupported:
TIFFErrorExt(tif->tif_clientdata, module,
@@ -1563,19 +1565,27 @@ LogLuvSetupEncode(TIFF* tif)
static void
LogLuvClose(TIFF* tif)
{
LogLuvState* sp = (LogLuvState*) tif->tif_data;
TIFFDirectory *td = &tif->tif_dir;

assert(sp != 0);
/*
* For consistency, we always want to write out the same
* bitspersample and sampleformat for our TIFF file,
* regardless of the data format being used by the application.
* Since this routine is called after tags have been set but
* before they have been recorded in the file, we reset them here.
* Note: this is really a nasty approach. See PixarLogClose
*/
td->td_samplesperpixel =
(td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
td->td_bitspersample = 16;
td->td_sampleformat = SAMPLEFORMAT_INT;
if( sp->encoder_state )
{
/* See PixarLogClose. Might avoid issues with tags whose size depends
* on those below, but not completely sure this is enough. */
td->td_samplesperpixel =
(td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
td->td_bitspersample = 16;
td->td_sampleformat = SAMPLEFORMAT_INT;
}
}

static void
@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
static void
PixarLogClose(TIFF* tif)
{
PixarLogState* sp = (PixarLogState*) tif->tif_data;
TIFFDirectory *td = &tif->tif_dir;

assert(sp != 0);
/* In a really sneaky (and really incorrect, and untruthful, and
* troublesome, and error-prone) maneuver that completely goes against
* the spirit of TIFF, and breaks TIFF, on close, we covertly
@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
* readers that don't know about PixarLog, or how to set
* the PIXARLOGDATFMT pseudo-tag.
*/
td->td_bitspersample = 8;
td->td_sampleformat = SAMPLEFORMAT_UINT;

if (sp->state&PLSTATE_INIT) {
/* We test the state to avoid an issue such as in
* http://bugzilla.maptools.org/show_bug.cgi?id=2604
* What appends in that case is that the bitspersample is 1 and
* a TransferFunction is set. The size of the TransferFunction
* depends on 1<<bitspersample. So if we increase it, an access
* out of the buffer will happen at directory flushing.
* Another option would be to clear those targs.
*/
td->td_bitspersample = 8;
td->td_sampleformat = SAMPLEFORMAT_UINT;
}
}

static void

0 comments on commit 1044b43

Please sign in to comment.
You can’t perform that action at this time.