-rw-r--r--ChangeLog12
-rw-r--r--libtiff/tif_fax3.c23
-rw-r--r--libtiff/tiffiop.h5
-rw-r--r--tools/tiffcp.c14
4 files changed, 43 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 68206e85..60eaae97 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2010-06-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_fax3.c (Fax3SetupState): Yesterday's fix for
+ CVE-2010-1411 was not complete.
+
+ * libtiff/tiffiop.h (TIFFSafeMultiply): New macro to safely
+ multiply two integers. Returns zero if there is an integer
+ overflow.
+
+ * tools/tiffcp.c (main): tiffcp should not leak memory if an error
+ is reported when reading the input file.
+
2010-06-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* Update libtool to version 2.2.8.
diff --git a/libtiff/tif_fax3.c b/libtiff/tif_fax3.c
index d8a05086..52c16b40 100644
--- a/libtiff/tif_fax3.c
+++ b/libtiff/tif_fax3.c
@@ -1,4 +1,4 @@
-/* $Id: tif_fax3.c,v 1.71 2010-06-08 23:32:23 bfriesen Exp $ */
+/* $Id: tif_fax3.c,v 1.72 2010-06-09 17:17:13 bfriesen Exp $ */
/*
* Copyright (c) 1990-1997 Sam Leffler
@@ -504,13 +504,26 @@ Fax3SetupState(TIFF* tif)
td->td_compression == COMPRESSION_CCITTFAX4
);
- /* TIFFroundup_32 returns zero on internal overflow */
+ /*
+ Assure that allocation computations do not overflow.
+
+ TIFFroundup and TIFFSafeMultiply return zero on integer overflow
+ */
+ dsp->runs=(uint32*) NULL;
nruns = TIFFroundup_32(rowpixels,32);
if (needsRefLine) {
- nruns *= 2;
+ nruns = TIFFSafeMultiply(uint32,nruns,2);
+ }
+ if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Row pixels integer overflow (rowpixels %u)",
+ rowpixels);
+ return (0);
}
- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns, sizeof (uint32),
- "for Group 3/4 run arrays");
+ dsp->runs = (uint32*) _TIFFCheckMalloc(tif,
+ TIFFSafeMultiply(uint32,nruns,2),
+ sizeof (uint32),
+ "for Group 3/4 run arrays");
if (dsp->runs == NULL)
return (0);
dsp->curruns = dsp->runs;
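Review bot: The doubled run count is evaluated twice, once in the overflow test and again as the argument to `_TIFFCheckMalloc`, so the value that is validated and the value that is allocated are separate expressions that a later edit could let drift apart. Computing it once, e.g. `nalloc = TIFFSafeMultiply(uint32,nruns,2);` followed by `if (nalloc == 0) { ... return (0); }` and passing `nalloc` to the allocator, keeps them identical; the separate `nruns == 0` test then becomes redundant because a zero `nruns` gives a zero product. The same branch reports "integer overflow" whenever `nruns` is zero, which presumably also covers a zero `rowpixels`, so the message may mislead whoever triages the error. Fax3SetupState starts and ends outside this hunk, so whether later pointer arithmetic on `dsp->runs` uses the same count cannot be checked from here.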
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 52378d35..4fecb7cd 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.76 2010-06-08 23:32:23 bfriesen Exp $ */
+/* $Id: tiffiop.h,v 1.77 2010-06-09 17:17:13 bfriesen Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -269,6 +269,9 @@ struct tiff {
#define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
#define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
+/* Safe multiply which returns zero if there is an integer overflow */
+#define TIFFSafeMultiply(t,v,m) ((((t)v*m)/(t)m == (t)v) ? (t)v*m : (t)0)
+
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
#define TIFFmin(A,B) ((A)<(B)?(A):(B))
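Review bot: `TIFFSafeMultiply` expands `v` and `m` without parentheses, so the cast binds only to the first token: `TIFFSafeMultiply(uint32,a+b,2)` becomes `(uint32)a+b*2`, and the overflow test no longer checks the intended product. The macro also divides by `m` with no guard, so a zero multiplier is a division by zero rather than a zero result. A parenthesised form with that guard would be `#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)((t)(v)*(t)(m)))/(t)(m) == (t)(v))) ? (t)((t)(v)*(t)(m)) : (t)0)`. The comment above it should also say that it is intended for unsigned types at least as wide as `int`, that it evaluates its arguments more than once, and that a legitimate zero product is indistinguishable from the overflow result.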
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 484c22aa..ebed5be6 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.44 2010-06-03 17:01:02 fwarmerdam Exp $ */
+/* $Id: tiffcp.c,v 1.45 2010-06-09 17:17:13 bfriesen Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -276,11 +276,14 @@ main(int argc, char* argv[])
for (; optind < argc-1 ; optind++) {
char *imageCursor = argv[optind];
in = openSrcImage (&imageCursor);
- if (in == NULL)
+ if (in == NULL) {
+ (void) TIFFClose(out);
return (-3);
+ }
if (diroff != 0 && !TIFFSetSubDirectory(in, diroff)) {
TIFFError(TIFFFileName(in),
"Error, setting subdirectory at " TIFF_UINT64_FORMAT, diroff);
+ (void) TIFFClose(in);
(void) TIFFClose(out);
return (1);
}
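Review bot: Each error exit in this loop now carries its own hand-written list of `TIFFClose` calls, twice in this hunk and again in the hunk at -294, so the next early return added to the loop can leak `in` or `out` in the same way. A single exit path would be less fragile: initialise `in` to `NULL`, record the status in a local, and `goto` one label that closes `in` when it is non-NULL, closes `out`, and returns the status. `main` begins and ends outside these hunks, so this assumes `out` is always open by the time the loop runs. The `(void)` casts add nothing if `TIFFClose` is declared to return `void`, which is worth confirming against tiffio.h before spreading them further.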
@@ -294,7 +297,8 @@ main(int argc, char* argv[])
tilelength = deftilelength;
g3opts = defg3opts;
if (!tiffcp(in, out) || !TIFFWriteDirectory(out)) {
- TIFFClose(out);
+ (void) TIFFClose(in);
+ (void) TIFFClose(out);
return (1);
}
if (imageCursor) { /* seek next image directory */
@@ -302,10 +306,10 @@ main(int argc, char* argv[])
}else
if (!TIFFReadDirectory(in)) break;
}
- TIFFClose(in);
+ (void) TIFFClose(in);
}
- TIFFClose(out);
+ (void) TIFFClose(out);
return (0);
}