LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11796 Commits
1 Branch
46 MiB
Tree: eb046968e2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'eb046968e2'
${ noResults }
openwrt-packages-dist/libs/tiff/patches/021-CVE-2018-7456.patch

170 lines
6.5 KiB
Raw Normal View History

tiff: Fix remaining CVEs Taken from Fedora. Reordered them so as to apply properly. Added a CPE ID. Added parallel build for faster compilation. Signed-off-by: Rosen Penev <rosenp@gmail.com>
6 years ago
 
  1. From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001
  2. From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
  3. Date: Tue, 17 Apr 2018 18:42:09 +0200
  4. Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
  5. 

  6. The TIFFPrintDirectory function relies on the following assumptions,
  7. supposed to be guaranteed by the specification:
  8. 

  9. (a) A Transfer Function field is only present if the TIFF file has
  10.     photometric type < 3.
  11. 

  12. (b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
  13.     has count SamplesPerPixel - (Color Channels) and contains
  14.     information about supplementary channels.
  15. 

  16. While respect of (a) and (b) are essential for the well functioning of
  17. TIFFPrintDirectory, no checks are realized neither by the callee nor
  18. by TIFFPrintDirectory itself. Hence, following scenarios might happen
  19. and trigger the NULL pointer dereference:
  20. 

  21. (1) TIFF File of photometric type 4 or more has illegal Transfer
  22.     Function field.
  23. 

  24. (2) TIFF File has photometric type 3 or less and defines a
  25.     SamplesPerPixel field such that SamplesPerPixel > Color Channels
  26.     without defining all extra samples in the ExtraSamples fields.
  27. 

  28. In this patch, we address both issues with respect of the following
  29. principles:
  30. 

  31. (A) In the case of (1), the defined transfer table should be printed
  32.     safely even if it isn't 'legal'. This allows us to avoid expensive
  33.     checks in TIFFPrintDirectory. Also, it is quite possible that
  34.     an alternative photometric type would be developed (not part of the
  35.     standard) and would allow definition of Transfer Table. We want
  36.     libtiff to be able to handle this scenario out of the box.
  37. 

  38. (B) In the case of (2), the transfer table should be printed at its
  39.     right size, that is if TIFF file has photometric type Palette
  40.     then the transfer table should have one row and not three, even
  41.     if two extra samples are declared.
  42. 

  43. In order to fulfill (A) we simply add a new 'i < 3' end condition to
  44. the broken TIFFPrintDirectory loop. This makes sure that in any case
  45. where (b) would be respected but not (a), everything stays fine.
  46. 

  47. (B) is fulfilled by the loop condition
  48. 'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
  49. long as (b) is respected.
  50. 

  51. Naturally, we also make sure (b) is respected. This is done in the
  52. TIFFReadDirectory function by making sure any non-color channel is
  53. counted in ExtraSamples.
  54. 

  55. This commit addresses CVE-2018-7456.
  56. ---

  57.  libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
  58.  libtiff/tif_print.c   |  2 +-
  59.  2 files changed, 63 insertions(+), 1 deletion(-)
  60. 

  61. diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

  62. index 5e62e81..80aaf8d 100644

  63. --- a/libtiff/tif_dirread.c

  64. +++ b/libtiff/tif_dirread.c

  65. @@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin

  66.  static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
  67.  static void ChopUpSingleUncompressedStrip(TIFF*);
  68.  static uint64 TIFFReadUInt64(const uint8 *value);
  69. +static int _TIFFGetMaxColorChannels(uint16 photometric);

  70.  
  71.  static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
  72.  
  73. @@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c

  74.  	}
  75.  }
  76.  
  77. +/*

  78. + * Return the maximum number of color channels specified for a given photometric

  79. + * type. 0 is returned if photometric type isn't supported or no default value

  80. + * is defined by the specification.

  81. + */

  82. +static int _TIFFGetMaxColorChannels( uint16 photometric )

  83. +{

  84. +    switch (photometric) {

  85. +	case PHOTOMETRIC_PALETTE:

  86. +	case PHOTOMETRIC_MINISWHITE:

  87. +	case PHOTOMETRIC_MINISBLACK:

  88. +            return 1;

  89. +	case PHOTOMETRIC_YCBCR:

  90. +	case PHOTOMETRIC_RGB:

  91. +	case PHOTOMETRIC_CIELAB:

  92. +            return 3;

  93. +	case PHOTOMETRIC_SEPARATED:

  94. +	case PHOTOMETRIC_MASK:

  95. +            return 4;

  96. +	case PHOTOMETRIC_LOGL:

  97. +	case PHOTOMETRIC_LOGLUV:

  98. +	case PHOTOMETRIC_CFA:

  99. +	case PHOTOMETRIC_ITULAB:

  100. +	case PHOTOMETRIC_ICCLAB:

  101. +	default:

  102. +            return 0;

  103. +    }

  104. +}

  105. +

  106.  /*
  107.   * Read the next TIFF directory from a file and convert it to the internal
  108.   * format. We read directories sequentially.
  109. @@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)

  110.  	uint32 fii=FAILED_FII;
  111.          toff_t nextdiroff;
  112.      int bitspersample_read = FALSE;
  113. +        int color_channels;

  114.  
  115.  	tif->tif_diroff=tif->tif_nextdiroff;
  116.  	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
  117. @@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)

  118.  			}
  119.  		}
  120.  	}
  121. +

  122. +	/*

  123. +	 * Make sure all non-color channels are extrasamples.

  124. +	 * If it's not the case, define them as such.

  125. +	 */

  126. +        color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);

  127. +        if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {

  128. +                uint16 old_extrasamples;

  129. +                uint16 *new_sampleinfo;

  130. +

  131. +                TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "

  132. +                    "color channels and ExtraSamples doesn't match SamplesPerPixel. "

  133. +                    "Defining non-color channels as ExtraSamples.");

  134. +

  135. +                old_extrasamples = tif->tif_dir.td_extrasamples;

  136. +                tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);

  137. +

  138. +                // sampleinfo should contain information relative to these new extra samples

  139. +                new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));

  140. +                if (!new_sampleinfo) {

  141. +                    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "

  142. +                                "temporary new sampleinfo array (%d 16 bit elements)",

  143. +                                tif->tif_dir.td_extrasamples);

  144. +                    goto bad;

  145. +                }

  146. +

  147. +                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));

  148. +                _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);

  149. +                _TIFFfree(new_sampleinfo);

  150. +        }

  151. +

  152.  	/*
  153.  	 * Verify Palette image has a Colormap.
  154.  	 */
  155. diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c

  156. index 24d4b98..10a588e 100644

  157. --- a/libtiff/tif_print.c

  158. +++ b/libtiff/tif_print.c

  159. @@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)

  160.  				uint16 i;
  161.  				fprintf(fd, "    %2ld: %5u",
  162.  				    l, td->td_transferfunction[0][l]);
  163. -				for (i = 1; i < td->td_samplesperpixel; i++)

  164. +				for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)

  165.  					fprintf(fd, " %5u",
  166.  					    td->td_transferfunction[i][l]);
  167.  				fputc('\n', fd);
  168. -- 

  169. 2.17.0
  170.