commit da99990ba6e1203798a59eb836fc6433ed6e3d66 Author: erouault Date: Fri Dec 2 23:05:51 2016 +0000 * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer overflow on generation of PixarLog / LUV compressed files, with ColorMap, TransferFunction attached and nasty plays with bitspersample. The fix for LUV has not been tested, but suffers from the same kind of issue of PixarLog. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 diff --git a/ChangeLog b/ChangeLog index 0f154d6..93c01f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2016-12-03 Even Rouault + + * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer + overflow on generation of PixarLog / LUV compressed files, with + ColorMap, TransferFunction attached and nasty plays with bitspersample. + The fix for LUV has not been tested, but suffers from the same kind + of issue of PixarLog. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 + 2016-12-02 Even Rouault * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c index ca08f30..f42ac01 100644 --- a/libtiff/tif_luv.c +++ b/libtiff/tif_luv.c @@ -1,4 +1,4 @@ -/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */ +/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */ /* * Copyright (c) 1997 Greg Ward Larson @@ -158,6 +158,7 @@ typedef struct logLuvState LogLuvState; struct logLuvState { + int encoder_state; /* 1 if encoder correctly initialized */ int user_datafmt; /* user data format */ int encode_meth; /* encoding method */ int pixel_size; /* bytes per pixel */ @@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif) td->td_photometric, "must be either LogLUV or LogL"); break; } + sp->encoder_state = 1; return (1); notsupported: TIFFErrorExt(tif->tif_clientdata, module, @@ -1563,19 +1565,27 @@ notsupported: static void LogLuvClose(TIFF* tif) { + LogLuvState* sp = (LogLuvState*) tif->tif_data; TIFFDirectory *td = &tif->tif_dir; + assert(sp != 0); /* * For consistency, we always want to write out the same * bitspersample and sampleformat for our TIFF file, * regardless of the data format being used by the application. * Since this routine is called after tags have been set but * before they have been recorded in the file, we reset them here. + * Note: this is really a nasty approach. See PixarLogClose */ - td->td_samplesperpixel = - (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; - td->td_bitspersample = 16; - td->td_sampleformat = SAMPLEFORMAT_INT; + if( sp->encoder_state ) + { + /* See PixarLogClose. Might avoid issues with tags whose size depends + * on those below, but not completely sure this is enough. */ + td->td_samplesperpixel = + (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; + td->td_bitspersample = 16; + td->td_sampleformat = SAMPLEFORMAT_INT; + } } static void diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index f4af2ba..9836dce 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -1,4 +1,4 @@ -/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */ +/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */ /* * Copyright (c) 1996-1997 Sam Leffler @@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif) static void PixarLogClose(TIFF* tif) { + PixarLogState* sp = (PixarLogState*) tif->tif_data; TIFFDirectory *td = &tif->tif_dir; + assert(sp != 0); /* In a really sneaky (and really incorrect, and untruthful, and * troublesome, and error-prone) maneuver that completely goes against * the spirit of TIFF, and breaks TIFF, on close, we covertly @@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif) * readers that don't know about PixarLog, or how to set * the PIXARLOGDATFMT pseudo-tag. */ - td->td_bitspersample = 8; - td->td_sampleformat = SAMPLEFORMAT_UINT; + + if (sp->state&PLSTATE_INIT) { + /* We test the state to avoid an issue such as in + * http://bugzilla.maptools.org/show_bug.cgi?id=2604 + * What appends in that case is that the bitspersample is 1 and + * a TransferFunction is set. The size of the TransferFunction + * depends on 1<td_bitspersample = 8; + td->td_sampleformat = SAMPLEFORMAT_UINT; + } } static void