author | Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | 2016-09-24 23:11:55 +0000 |
---|---|---|
committer | Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | 2016-09-24 23:11:55 +0000 |
commit | 65d7db09a56c044b059f4053947b6ef40e79a82b (patch) | |
tree | dc0efcc2dc11e0909c314602552e1e6c71b2a20e /libtiff/tif_getimage.c | |
parent | edde1c583a2a8c74543c4f7bb13c1f1899ee601c (diff) | |
* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
read floating point images.
* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."
places where it isn't done currently, but it seems this patch is enough.
Diffstat (limited to 'libtiff/tif_getimage.c')
-rw-r--r-- | libtiff/tif_getimage.c | 40 |
1 files changed, 21 insertions, 19 deletions
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 503a2284..b4e58f94 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.96 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_getimage.c,v 1.97 2016-09-24 23:11:55 bfriesen Exp $ */
 /*
 * Copyright (c) 1991-1997 Sam Leffler
@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
 td->td_bitspersample);
 return (0);
 }
+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
+ return (0);
+ }
 colorchannels = td->td_samplesperpixel - td->td_extrasamples;
 if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
 switch (colorchannels) {
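Review bot: The new sample-format guard in TIFFRGBAImageOK is an equality test on a single value, so it rejects `SAMPLEFORMAT_IEEEFP` but lets the other non-integer formats declared in tiff.h, such as `SAMPLEFORMAT_COMPLEXIEEEFP` and `SAMPLEFORMAT_COMPLEXINT`, continue into the photometric checks. If the RGBA conversion only ever interprets samples as integers, which I am inferring because that code is not visible in this hunk, the condition should cover those as well, e.g. `if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP || td->td_sampleformat == SAMPLEFORMAT_COMPLEXINT || td->td_sampleformat == SAMPLEFORMAT_COMPLEXIEEEFP) {`, with the message reworded to match. The diff touches only TIFFRGBAImageOK in this file, so it is also worth confirming that a caller which invokes TIFFRGBAImageBegin without first calling this validator cannot reach the conversion code with floating-point data. A short comment above the test, such as `/* RGBA conversion expects integer samples; see CVE-2016-3622 */`, would record why it is there. The function body starts and ends outside the hunk.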
@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
 "Planarconfiguration", td->td_planarconfig);
 return (0);
 }
- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
- {
- sprintf(emsg,
- "Sorry, can not handle image with %s=%d, %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
- "colorchannels", colorchannels);
- return 0;
- }
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d, %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels);
+ return 0;
+ }
 break;
 case PHOTOMETRIC_CIELAB:
- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
- {
- sprintf(emsg,
- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
- "colorchannels", colorchannels,
- "Bits/sample", td->td_bitspersample);
- return 0;
- }
+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "colorchannels", colorchannels,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
 break;
- default:
+ default:
 sprintf(emsg, "Sorry, can not handle image with %s=%d", photoTag, photometric);
 return (0); |