This repository was archived by the owner on Dec 1, 2017. It is now read-only.

Commit 9a72a69

author
erouault
committed
* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
compute nstrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on the total size of data, which is faulty if the total size of data is not sufficient to fill the whole image, and thus results in reading outside of the StripByteCounts/StripOffsets arrays when using TIFFReadScanline(). Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since the above change is a better fix that makes it unnecessary.
1 parent 1044b43 commit 9a72a69


3 files changed

+25
-21
lines changed


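--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
+instead of a logic based on the total size of data. Which is faulty is
+the total size of data is not sufficient to fill the whole image, and thus
+results in reading outside of the StripByCounts/StripOffsets arrays when
+using TIFFReadScanline().
+Reported by Agostino Sarubbo.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+the above change is a better fix that makes it unnecessary.
+
 2016-12-03 Even Rouault <even.rouault at spatialys.com>
 
 * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer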

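--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 uint64 rowblockbytes;
 uint64 stripbytes;
 uint32 strip;
-uint64 nstrips64;
-uint32 nstrips32;
+uint32 nstrips;
 uint32 rowsperstrip;
 uint64* newcounts;
 uint64* newoffsets;
@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 return;
 
 /*
-* never increase the number of strips in an image
+* never increase the number of rows per strip
 */
 if (rowsperstrip >= td->td_rowsperstrip)
 return;
-nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
-if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
-return;
-nstrips32 = (uint32)nstrips64;
+nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+if( nstrips == 0 )
+return;
 
-newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 "for chopped \"StripByteCounts\" array");
-newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 "for chopped \"StripOffsets\" array");
 if (newcounts == NULL || newoffsets == NULL) {
 /*
@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 * Fill the strip information arrays with new bytecounts and offsets
 * that reflect the broken-up format.
 */
-for (strip = 0; strip < nstrips32; strip++) {
+for (strip = 0; strip < nstrips; strip++) {
 if (stripbytes > bytecount)
 stripbytes = bytecount;
 newcounts[strip] = stripbytes;
-newoffsets[strip] = offset;
+newoffsets[strip] = stripbytes ? offset : 0;
 offset += stripbytes;
 bytecount -= stripbytes;
 }
 /*
 * Replace old single strip info with multi-strip info.
 */
-td->td_stripsperimage = td->td_nstrips = nstrips32;
+td->td_stripsperimage = td->td_nstrips = nstrips;
 TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
 
 _TIFFfree(td->td_stripbytecount);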
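Review bot: The array size in the second hunk now comes from `td->td_imagelength` alone (`nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);`), so the two `_TIFFCheckMalloc` calls are no longer bounded by the amount of strip data the file declares. A failed allocation is handled by the visible `newcounts == NULL || newoffsets == NULL` branch, so this is a memory-exhaustion concern rather than an out-of-bounds one, but a small file with a large ImageLength can still request very large arrays. Consider refusing to chop when the strip count is implausible for the file size, for example after the `nstrips == 0` test: `if (nstrips > 1000000 && (offset >= TIFFGetFileSize(tif) || stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1))) return;` (the 1000000 threshold is an illustrative value). In the third hunk, `newoffsets[strip] = stripbytes ? offset : 0;` deserves a comment such as `/* strips past the end of the data get count 0 and offset 0 */`, since readers of these arrays must tolerate empty strips. The function begins and ends outside these hunks, so whether `offset` and `bytecount` were already checked against the file size cannot be confirmed here.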

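--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
 TIFFDirectory *td = &tif->tif_dir;
 uint32 nstrips;
 
-/* If the value was already computed and store in td_nstrips, then return it,
-since ChopUpSingleUncompressedStrip might have altered and resized the
-since the td_stripbytecount and td_stripoffset arrays to the new value
-after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-tif_dirread.c ~line 3612.
-See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-if( td->td_nstrips )
-return td->td_nstrips;
-
 nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
 TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
 if (td->td_planarconfig == PLANARCONFIG_SEPARATE)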
