0039-CVE-2018-18661.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
From c188f95bd865b1428f88c193b895fe9b3f6767e9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 30 Oct 2018 18:50:27 +0100
Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
CVE-2018-18661
---
libtiff/tiffiop.h | 1 +
tools/tiff2bw.c | 63 +++++++++++++++++++++++++++++++++++++++--------
tools/tiffcrop.c | 5 ----
3 files changed, 54 insertions(+), 15 deletions(-)
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 53357d8..8d1357b 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -66,6 +66,7 @@ extern void *lfind(const void *, const void *, size_t *, size_t,
#endif
#define streq(a,b) (strcmp(a,b) == 0)
+#define strneq(a,b,n) (strncmp(a,b,n) == 0)
#ifndef TRUE
#define TRUE 1
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index 53067e7..ad797b2 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -40,9 +40,7 @@
#endif
#include "tiffio.h"
-
-#define streq(a,b) (strcmp((a),(b)) == 0)
-#define strneq(a,b,n) (strncmp(a,b,n) == 0)
+#include "tiffiop.h"
/* x% weighting -> fraction of full color */
#define PCT(x) (((x)*255+127)/100)
@@ -130,6 +128,11 @@ main(int argc, char* argv[])
extern int optind;
extern char *optarg;
+ in = (TIFF *) NULL;
+ out = (TIFF *) NULL;
+ inbuf = (unsigned char *) NULL;
+ outbuf = (unsigned char *) NULL;
+
while ((c = getopt(argc, argv, "c:r:R:G:B:")) != -1)
switch (c) {
case 'c': /* compression scheme */
@@ -163,24 +166,24 @@ main(int argc, char* argv[])
fprintf(stderr,
"%s: Bad photometric; can only handle RGB and Palette images.\n",
argv[optind]);
- return (-1);
+ goto tiff2bw_error;
}
TIFFGetField(in, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel);
if (samplesperpixel != 1 && samplesperpixel != 3) {
fprintf(stderr, "%s: Bad samples/pixel %u.\n",
argv[optind], samplesperpixel);
- return (-1);
+ goto tiff2bw_error;
}
if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
argv[optind], samplesperpixel);
- return (-1);
+ goto tiff2bw_error;
}
TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
if (bitspersample != 8) {
fprintf(stderr,
" %s: Sorry, only handle 8-bit samples.\n", argv[optind]);
- return (-1);
+ goto tiff2bw_error;
}
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &w);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &h);
@@ -188,7 +191,7 @@ main(int argc, char* argv[])
out = TIFFOpen(argv[optind+1], "w");
if (out == NULL)
- return (-1);
+ goto tiff2bw_error;
TIFFSetField(out, TIFFTAG_IMAGEWIDTH, w);
TIFFSetField(out, TIFFTAG_IMAGELENGTH, h);
TIFFSetField(out, TIFFTAG_BITSPERSAMPLE, 8);
@@ -214,6 +217,11 @@ main(int argc, char* argv[])
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ if( !outbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
TIFFDefaultStripSize(out, rowsperstrip));
@@ -237,6 +245,11 @@ main(int argc, char* argv[])
#undef CVT
}
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
break;
@@ -247,6 +260,11 @@ main(int argc, char* argv[])
break;
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
break;
@@ -256,23 +274,48 @@ main(int argc, char* argv[])
}
break;
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
+ {
+ tmsize_t inbufsize;
rowsize = TIFFScanlineSize(in);
- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
for (s = 0; s < 3; s++)
if (TIFFReadScanline(in,
inbuf+s*rowsize, row, s) < 0)
- return (-1);
+ goto tiff2bw_error;
compresssep(outbuf,
inbuf, inbuf+rowsize, inbuf+2*rowsize, w);
if (TIFFWriteScanline(out, outbuf, row, 0) < 0)
break;
}
break;
+ }
}
#undef pack
+ if (inbuf)
+ _TIFFfree(inbuf);
+ if (outbuf)
+ _TIFFfree(outbuf);
+ TIFFClose(in);
TIFFClose(out);
return (0);
+
+ tiff2bw_error:
+ if (inbuf)
+ _TIFFfree(inbuf);
+ if (outbuf)
+ _TIFFfree(outbuf);
+ if (out)
+ TIFFClose(out);
+ if (in)
+ TIFFClose(in);
+ return (-1);
}
static int
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 02c53cd..0192f3f 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -148,11 +148,6 @@ extern int getopt(int, char**, char*);
#define PATH_MAX 1024
#endif
-#ifndef streq
-#define streq(a,b) (strcmp((a),(b)) == 0)
-#endif
-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0)
-
#define TRUE 1
#define FALSE 0
--
2.17.2