LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8567 Commits
1 Branch
46 MiB
Tree: dd3dbcfd07
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'dd3dbcfd07'
${ noResults }
openwrt-packages-dist/libs/tiff/patches/015-OOM_in_gtTileContig.patch

295 lines
11 KiB
Raw Normal View History

tiff: update package to version 4.0.8 Signed-off-by: Jiri Slachta <jiri@slachta.eu>
7 years ago
 
  1. From 1077fad562e03d1cad591dd10163dd80ad63ab0e Mon Sep 17 00:00:00 2001
  2. From: Even Rouault <even.rouault@spatialys.com>
  3. Date: Fri, 30 Jun 2017 13:11:18 +0000
  4. Subject: [PATCH] * libtiff/tif_read.c, tiffiop.h: add a
  5.  _TIFFReadEncodedStripAndAllocBuffer() function, variant of
  6.  TIFFReadEncodedStrip() that allocates the decoded buffer only after a first
  7.  successful TIFFFillStrip(). This avoids excessive memory allocation on
  8.  corrupted files. * libtiff/tif_getimage.c: use
  9.  _TIFFReadEncodedStripAndAllocBuffer(). Fixes
  10.  http://bugzilla.maptools.org/show_bug.cgi?id=2708 and
  11.  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 . Credit to OSS
  12.  Fuzz
  13. 

  14. ---

  15.  ChangeLog              | 11 +++++++
  16.  libtiff/tif_getimage.c | 59 ++++++++++++++++++++++----------------
  17.  libtiff/tif_read.c     | 78 +++++++++++++++++++++++++++++++++++++++++++-------
  18.  libtiff/tiffiop.h      |  5 ++++
  19.  4 files changed, 118 insertions(+), 35 deletions(-)
  20. 

  21. diff --git a/ChangeLog b/ChangeLog

  22. index c969f9e2..6f085e09 100644

  23. --- a/ChangeLog

  24. +++ b/ChangeLog

  25. @@ -1,3 +1,14 @@

  26. +2017-06-30  Even Rouault <even.rouault at spatialys.com>

  27. +

  28. +	* libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer()

  29. +	function, variant of TIFFReadEncodedStrip() that allocates the

  30. +	decoded buffer only after a first successful TIFFFillStrip(). This avoids

  31. +	excessive memory allocation on corrupted files.

  32. +	* libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer(). 

  33. +	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and

  34. +	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 .

  35. +	Credit to OSS Fuzz

  36. +

  37.  2017-06-26  Even Rouault <even.rouault at spatialys.com>
  38.  
  39.  	* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
  40. diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c

  41. index cee8e930..cc6e8f30 100644

  42. --- a/libtiff/tif_getimage.c

  43. +++ b/libtiff/tif_getimage.c

  44. @@ -905,26 +905,22 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

  45.  	tileContigRoutine put = img->put.contig;
  46.  	uint32 row, y, nrow, nrowsub, rowstoread;
  47.  	tmsize_t pos;
  48. -	unsigned char* buf;

  49. +	unsigned char* buf = NULL;

  50.  	uint32 rowsperstrip;
  51.  	uint16 subsamplinghor,subsamplingver;
  52.  	uint32 imagewidth = img->width;
  53.  	tmsize_t scanline;
  54.  	int32 fromskew, toskew;
  55.  	int ret = 1, flip;
  56. +        tmsize_t maxstripsize;

  57.  
  58.  	TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
  59.  	if( subsamplingver == 0 ) {
  60.  		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
  61.  		return (0);
  62.  	}
  63. -

  64. -	buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));

  65. -	if (buf == 0) {

  66. -		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");

  67. -		return (0);

  68. -	}

  69. -	_TIFFmemset(buf, 0, TIFFStripSize(tif));

  70. +	

  71. +	maxstripsize = TIFFStripSize(tif);

  72.  
  73.  	flip = setorientation(img);
  74.  	if (flip & FLIP_VERTICALLY) {
  75. @@ -946,11 +942,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

  76.  		nrowsub = nrow;
  77.  		if ((nrowsub%subsamplingver)!=0)
  78.  			nrowsub+=subsamplingver-nrowsub%subsamplingver;
  79. -		if (TIFFReadEncodedStrip(tif,

  80. +		if (_TIFFReadEncodedStripAndAllocBuffer(tif,

  81.  		    TIFFComputeStrip(tif,row+img->row_offset, 0),
  82. -		    buf,

  83. +		    (void**)(&buf),

  84. +                    maxstripsize,

  85.  		    ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
  86. -		    && img->stoponerr)

  87. +		    && (buf == NULL || img->stoponerr))

  88.  		{
  89.  			ret = 0;
  90.  			break;
  91. @@ -994,8 +991,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

  92.  {
  93.  	TIFF* tif = img->tif;
  94.  	tileSeparateRoutine put = img->put.separate;
  95. -	unsigned char *buf;

  96. -	unsigned char *p0, *p1, *p2, *pa;

  97. +	unsigned char *buf = NULL;

  98. +	unsigned char *p0 = NULL, *p1 = NULL, *p2 = NULL, *pa = NULL;

  99.  	uint32 row, y, nrow, rowstoread;
  100.  	tmsize_t pos;
  101.  	tmsize_t scanline;
  102. @@ -1014,15 +1011,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

  103.  		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
  104.  		return (0);
  105.  	}
  106. -	p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);

  107. -	if (buf == 0) {

  108. -		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");

  109. -		return (0);

  110. -	}

  111. -	_TIFFmemset(buf, 0, bufsize);

  112. -	p1 = p0 + stripsize;

  113. -	p2 = p1 + stripsize;

  114. -	pa = (alpha?(p2+stripsize):NULL);

  115.  
  116.  	flip = setorientation(img);
  117.  	if (flip & FLIP_VERTICALLY) {
  118. @@ -1040,7 +1028,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

  119.            case PHOTOMETRIC_MINISBLACK:
  120.            case PHOTOMETRIC_PALETTE:
  121.              colorchannels = 1;
  122. -            p2 = p1 = p0;

  123.              break;
  124.  
  125.            default:
  126. @@ -1056,7 +1043,31 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

  127.  		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
  128.  		nrow = (row + rowstoread > h ? h - row : rowstoread);
  129.  		offset_row = row + img->row_offset;
  130. -		if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),

  131. +                if( buf == NULL )

  132. +                {

  133. +                    if (_TIFFReadEncodedStripAndAllocBuffer(

  134. +                            tif, TIFFComputeStrip(tif, offset_row, 0),

  135. +                            (void**) &buf, bufsize,

  136. +                            ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)

  137. +                        && (buf == NULL || img->stoponerr))

  138. +                    {

  139. +                            ret = 0;

  140. +                            break;

  141. +                    }

  142. +                    p0 = buf;

  143. +                    if( colorchannels == 1 )

  144. +                    {

  145. +                        p2 = p1 = p0;

  146. +                        pa = (alpha?(p0+3*stripsize):NULL);

  147. +                    }

  148. +                    else

  149. +                    {

  150. +                        p1 = p0 + stripsize;

  151. +                        p2 = p1 + stripsize;

  152. +                        pa = (alpha?(p2+stripsize):NULL);

  153. +                    }

  154. +                }

  155. +		else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),

  156.  		    p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
  157.  		    && img->stoponerr)
  158.  		{
  159. diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c

  160. index fc0072e7..047305ab 100644

  161. --- a/libtiff/tif_read.c

  162. +++ b/libtiff/tif_read.c

  163. @@ -442,18 +442,17 @@ TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample)

  164.  }
  165.  
  166.  /*
  167. - * Read a strip of data and decompress the specified

  168. - * amount into the user-supplied buffer.

  169. + * Calculate the strip size according to the number of

  170. + * rows in the strip (check for truncated last strip on any

  171. + * of the separations).

  172.   */
  173. -tmsize_t

  174. -TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)

  175. +static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane)

  176.  {
  177.  	static const char module[] = "TIFFReadEncodedStrip";
  178.  	TIFFDirectory *td = &tif->tif_dir;
  179.  	uint32 rowsperstrip;
  180.  	uint32 stripsperplane;
  181.  	uint32 stripinplane;
  182. -	uint16 plane;

  183.  	uint32 rows;
  184.  	tmsize_t stripsize;
  185.  	if (!TIFFCheckRead(tif,0))
  186. @@ -465,23 +464,37 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)

  187.  		    (unsigned long)td->td_nstrips);
  188.  		return((tmsize_t)(-1));
  189.  	}
  190. -	/*

  191. -	 * Calculate the strip size according to the number of

  192. -	 * rows in the strip (check for truncated last strip on any

  193. -	 * of the separations).

  194. -	 */

  195. +

  196.  	rowsperstrip=td->td_rowsperstrip;
  197.  	if (rowsperstrip>td->td_imagelength)
  198.  		rowsperstrip=td->td_imagelength;
  199.  	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
  200.  	stripinplane=(strip%stripsperplane);
  201. -	plane=(uint16)(strip/stripsperplane);

  202. +	if( pplane ) *pplane=(uint16)(strip/stripsperplane);

  203.  	rows=td->td_imagelength-stripinplane*rowsperstrip;
  204.  	if (rows>rowsperstrip)
  205.  		rows=rowsperstrip;
  206.  	stripsize=TIFFVStripSize(tif,rows);
  207.  	if (stripsize==0)
  208.  		return((tmsize_t)(-1));
  209. +	return stripsize;

  210. +}

  211. +

  212. +/*

  213. + * Read a strip of data and decompress the specified

  214. + * amount into the user-supplied buffer.

  215. + */

  216. +tmsize_t

  217. +TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)

  218. +{

  219. +	static const char module[] = "TIFFReadEncodedStrip";

  220. +	TIFFDirectory *td = &tif->tif_dir;

  221. +	tmsize_t stripsize;

  222. +	uint16 plane;

  223. +

  224. +	stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);

  225. +	if (stripsize==((tmsize_t)(-1)))

  226. +		return((tmsize_t)(-1));

  227.  
  228.      /* shortcut to avoid an extra memcpy() */
  229.      if( td->td_compression == COMPRESSION_NONE &&
  230. @@ -510,6 +523,49 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)

  231.  	return(stripsize);
  232.  }
  233.  
  234. +/* Variant of TIFFReadEncodedStrip() that does 

  235. + * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has

  236. + *   suceeded. This avoid excessive memory allocation in case of truncated

  237. + *   file.

  238. + * * calls regular TIFFReadEncodedStrip() if *buf != NULL

  239. + */

  240. +tmsize_t

  241. +_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,

  242. +                                    void **buf, tmsize_t bufsizetoalloc,

  243. +                                    tmsize_t size_to_read)

  244. +{

  245. +    tmsize_t this_stripsize;

  246. +    uint16 plane;

  247. +

  248. +    if( *buf != NULL )

  249. +    {

  250. +        return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);

  251. +    }

  252. +

  253. +    this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);

  254. +    if (this_stripsize==((tmsize_t)(-1)))

  255. +            return((tmsize_t)(-1));

  256. +

  257. +    if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize))

  258. +            this_stripsize=size_to_read;

  259. +    if (!TIFFFillStrip(tif,strip))

  260. +            return((tmsize_t)(-1));

  261. +

  262. +    *buf = _TIFFmalloc(bufsizetoalloc);

  263. +    if (*buf == NULL) {

  264. +            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");

  265. +            return((tmsize_t)(-1));

  266. +    }

  267. +    _TIFFmemset(*buf, 0, bufsizetoalloc);

  268. +

  269. +    if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0)

  270. +            return((tmsize_t)(-1));

  271. +    (*tif->tif_postdecode)(tif,*buf,this_stripsize);

  272. +    return(this_stripsize);

  273. +

  274. +

  275. +}

  276. +

  277.  static tmsize_t
  278.  TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
  279.      const char* module)
  280. diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h

  281. index 846ade03..7f0b90f7 100644

  282. --- a/libtiff/tiffiop.h

  283. +++ b/libtiff/tiffiop.h

  284. @@ -365,6 +365,11 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);

  285.  extern double _TIFFUInt64ToDouble(uint64);
  286.  extern float _TIFFUInt64ToFloat(uint64);
  287.  
  288. +extern tmsize_t

  289. +_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,

  290. +                                    void **buf, tmsize_t bufsizetoalloc,

  291. +                                    tmsize_t size_to_read);

  292. +

  293.  extern int TIFFInitDumpMode(TIFF*, int);
  294.  #ifdef PACKBITS_SUPPORT
  295.  extern int TIFFInitPackBits(TIFF*, int);