diff options
| author | Frank Warmerdam <warmerdam@pobox.com> | 2011-03-21 16:02:27 +0000 |
|---|---|---|
| committer | Frank Warmerdam <warmerdam@pobox.com> | 2011-03-21 16:02:27 +0000 |
| commit | 0cea5839ccf481a3371aff8dc9f7bfad35b5884b (patch) | |
| tree | 914658e4be842510957e1be5507a1970de237bb5 | |
| parent | 4dda1458c6ba00463437c3abed08c5009600ac6f (diff) | |
| download | libtiff-git-0cea5839ccf481a3371aff8dc9f7bfad35b5884b.tar.gz | |
Correct potential buffer overflow with thunder encoded files with wrong
bitspersample set (CVE-2011-1167)
http://bugzilla.maptools.org/show_bug.cgi?id=2300
| -rw-r--r-- | ChangeLog | 9 | ||||
| -rw-r--r-- | libtiff/tif_thunder.c | 38 |
2 files changed, 40 insertions, 7 deletions
@@ -1,3 +1,12 @@ +2011-03-21 Frank Warmerdam <warmerdam@pobox.com> + + * libtiff/tif_thunder.c: Correct potential buffer overflow with + thunder encoded files with wrong bitspersample set. The libtiff + development team would like to thank Marin Barbella and TippingPoint's + Zero Day Initiative for reporting this vulnerability (ZDI-CAN-1004, + CVE-2011-1167). + http://bugzilla.maptools.org/show_bug.cgi?id=2300 + 2011-03-10 Frank Warmerdam <warmerdam@pobox.com> * libtiff/tif_fax3.h: Fix to last change allowing zero length diff --git a/libtiff/tif_thunder.c b/libtiff/tif_thunder.c index dcb1a777..5f3257fb 100644 --- a/libtiff/tif_thunder.c +++ b/libtiff/tif_thunder.c @@ -1,4 +1,4 @@ -/* $Id: tif_thunder.c,v 1.10 2010-03-10 18:56:49 bfriesen Exp $ */ +/* $Id: tif_thunder.c,v 1.11 2011-03-21 16:02:27 fwarmerdam Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -25,6 +25,7 @@ */ #include "tiffiop.h" +#include <assert.h> #ifdef THUNDER_SUPPORT /* * TIFF Library. @@ -55,12 +56,32 @@ static const int twobitdeltas[4] = { 0, 1, 0, -1 }; static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; -#define SETPIXEL(op, v) { \ - lastpixel = (v) & 0xf; \ - if (npixels++ & 1) \ - *op++ |= lastpixel; \ - else \ +#define SETPIXEL(op, v) { \ + lastpixel = (v) & 0xf; \ + if ( npixels < maxpixels ) \ + { \ + if (npixels++ & 1) \ + *op++ |= lastpixel; \ + else \ op[0] = (uint8) (lastpixel << 4); \ + } \ +} + +static int +ThunderSetupDecode(TIFF* tif) +{ + static const char module[] = "ThunderSetupDecode"; + + if( tif->tif_dir.td_bitspersample != 4 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.", + (int) tif->tif_dir.td_bitspersample ); + return 0; + } + + + return (1); } static int @@ -139,7 +160,8 @@ ThunderDecode(TIFF* tif, uint8* op, tmsize_t maxpixels) #endif return (0); } - return (1); + + return (1); } static int @@ -167,6 +189,8 @@ int TIFFInitThunderScan(TIFF* tif, int scheme) { (void) scheme; + + tif->tif_setupdecode = ThunderSetupDecode; tif->tif_decoderow = ThunderDecodeRow; tif->tif_decodestrip = ThunderDecodeRow; return (1); |