From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 From: erouault Date: Sat, 26 Dec 2015 17:32:03 +0000 Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage interface in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and CVE-2015-8683 reported by zzf of Alibaba. Upstream-Status: Backport CVE: CVE-2015-8665 CVE: CVE-2015-8683 https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 Signed-off-by: Armin Kuster --- ChangeLog | 8 ++++++++ libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- 2 files changed, 30 insertions(+), 13 deletions(-) Index: tiff-4.0.6/libtiff/tif_getimage.c =================================================================== --- tiff-4.0.6.orig/libtiff/tif_getimage.c +++ tiff-4.0.6/libtiff/tif_getimage.c @@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 "Planarconfiguration", td->td_planarconfig); return (0); } - if( td->td_samplesperpixel != 3 ) + if( td->td_samplesperpixel != 3 || colorchannels != 3 ) { sprintf(emsg, - "Sorry, can not handle image with %s=%d", - "Samples/pixel", td->td_samplesperpixel); + "Sorry, can not handle image with %s=%d, %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels); return 0; } break; case PHOTOMETRIC_CIELAB: - if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) + if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { sprintf(emsg, - "Sorry, can not handle image with %s=%d and %s=%d", + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", "Samples/pixel", td->td_samplesperpixel, + "colorchannels", colorchannels, "Bits/sample", td->td_bitspersample); return 0; } @@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T int colorchannels; uint16 *red_orig, *green_orig, *blue_orig; int n_color; + + if( !TIFFRGBAImageOK(tif, emsg) ) + return 0; /* Initialize to normal values */ img->row_offset = 0; @@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) case PHOTOMETRIC_RGB: switch (img->bitspersample) { case 8: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >= 4) img->put.contig = putRGBAAcontig8bittile; - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >= 4) { if (BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig8bittile; } - else + else if( img->samplesperpixel >= 3 ) img->put.contig = putRGBcontig8bittile; break; case 16: - if (img->alpha == EXTRASAMPLE_ASSOCALPHA) + if (img->alpha == EXTRASAMPLE_ASSOCALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBAAcontig16bittile; } - else if (img->alpha == EXTRASAMPLE_UNASSALPHA) + else if (img->alpha == EXTRASAMPLE_UNASSALPHA && + img->samplesperpixel >=4 ) { if (BuildMapBitdepth16To8(img) && BuildMapUaToAa(img)) img->put.contig = putRGBUAcontig16bittile; } - else + else if( img->samplesperpixel >=3 ) { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBcontig16bittile; @@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) } break; case PHOTOMETRIC_SEPARATED: - if (buildMap(img)) { + if (img->samplesperpixel >=4 && buildMap(img)) { if (img->bitspersample == 8) { if (!img->Map) img->put.contig = putRGBcontig8bitCMYKtile; @@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) } break; case PHOTOMETRIC_CIELAB: - if (buildMap(img)) { + if (img->samplesperpixel == 3 && buildMap(img)) { if (img->bitspersample == 8) img->put.contig = initCIELabConversion(img); break; Index: tiff-4.0.6/ChangeLog =================================================================== --- tiff-4.0.6.orig/ChangeLog +++ tiff-4.0.6/ChangeLog @@ -1,3 +1,11 @@ +2015-12-26 Even Rouault + + * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage + interface in case of unsupported values of SamplesPerPixel/ExtraSamples + for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in + TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and + CVE-2015-8683 reported by zzf of Alibaba. + 2015-09-12 Bob Friesenhahn * libtiff 4.0.6 released.