From d36017b9384e678783453930cfcfa594dde13a1c Mon Sep 17 00:00:00 2001 From: Bob Friesenhahn Date: Wed, 9 Jun 2010 17:17:13 +0000 Subject: * libtiff/tif_fax3.c (Fax3SetupState): Yesterday's fix for CVE-2010-1411 was not complete. * libtiff/tiffiop.h (TIFFSafeMultiply): New macro to safely multiply two integers. Returns zero if there is an integer overflow. * tools/tiffcp.c (main): tiffcp should not leak memory if an error is reported when reading the input file. --- ChangeLog | 12 ++++++++++++ libtiff/tif_fax3.c | 23 ++++++++++++++++++----- libtiff/tiffiop.h | 5 ++++- tools/tiffcp.c | 14 +++++++++----- 4 files changed, 43 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 68206e85..60eaae97 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2010-06-09 Bob Friesenhahn + + * libtiff/tif_fax3.c (Fax3SetupState): Yesterday's fix for + CVE-2010-1411 was not complete. + + * libtiff/tiffiop.h (TIFFSafeMultiply): New macro to safely + multiply two integers. Returns zero if there is an integer + overflow. + + * tools/tiffcp.c (main): tiffcp should not leak memory if an error + is reported when reading the input file. + 2010-06-08 Bob Friesenhahn * Update libtool to version 2.2.8. diff --git a/libtiff/tif_fax3.c b/libtiff/tif_fax3.c index d8a05086..52c16b40 100644 --- a/libtiff/tif_fax3.c +++ b/libtiff/tif_fax3.c @@ -1,4 +1,4 @@ -/* $Id: tif_fax3.c,v 1.71 2010-06-08 23:32:23 bfriesen Exp $ */ +/* $Id: tif_fax3.c,v 1.72 2010-06-09 17:17:13 bfriesen Exp $ */ /* * Copyright (c) 1990-1997 Sam Leffler @@ -504,13 +504,26 @@ Fax3SetupState(TIFF* tif) td->td_compression == COMPRESSION_CCITTFAX4 ); - /* TIFFroundup_32 returns zero on internal overflow */ + /* + Assure that allocation computations do not overflow. + + TIFFroundup and TIFFSafeMultiply return zero on integer overflow + */ + dsp->runs=(uint32*) NULL; nruns = TIFFroundup_32(rowpixels,32); if (needsRefLine) { - nruns *= 2; + nruns = TIFFSafeMultiply(uint32,nruns,2); + } + if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Row pixels integer overflow (rowpixels %u)", + rowpixels); + return (0); } - dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns, sizeof (uint32), - "for Group 3/4 run arrays"); + dsp->runs = (uint32*) _TIFFCheckMalloc(tif, + TIFFSafeMultiply(uint32,nruns,2), + sizeof (uint32), + "for Group 3/4 run arrays"); if (dsp->runs == NULL) return (0); dsp->curruns = dsp->runs; diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h index 52378d35..4fecb7cd 100644 --- a/libtiff/tiffiop.h +++ b/libtiff/tiffiop.h @@ -1,4 +1,4 @@ -/* $Id: tiffiop.h,v 1.76 2010-06-08 23:32:23 bfriesen Exp $ */ +/* $Id: tiffiop.h,v 1.77 2010-06-09 17:17:13 bfriesen Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -269,6 +269,9 @@ struct tiff { #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) +/* Safe multiply which returns zero if there is an integer overflow */ +#define TIFFSafeMultiply(t,v,m) ((((t)v*m)/(t)m == (t)v) ? (t)v*m : (t)0) + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) #define TIFFmin(A,B) ((A)<(B)?(A):(B)) diff --git a/tools/tiffcp.c b/tools/tiffcp.c index 484c22aa..ebed5be6 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c @@ -1,4 +1,4 @@ -/* $Id: tiffcp.c,v 1.44 2010-06-03 17:01:02 fwarmerdam Exp $ */ +/* $Id: tiffcp.c,v 1.45 2010-06-09 17:17:13 bfriesen Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -276,11 +276,14 @@ main(int argc, char* argv[]) for (; optind < argc-1 ; optind++) { char *imageCursor = argv[optind]; in = openSrcImage (&imageCursor); - if (in == NULL) + if (in == NULL) { + (void) TIFFClose(out); return (-3); + } if (diroff != 0 && !TIFFSetSubDirectory(in, diroff)) { TIFFError(TIFFFileName(in), "Error, setting subdirectory at " TIFF_UINT64_FORMAT, diroff); + (void) TIFFClose(in); (void) TIFFClose(out); return (1); } @@ -294,7 +297,8 @@ main(int argc, char* argv[]) tilelength = deftilelength; g3opts = defg3opts; if (!tiffcp(in, out) || !TIFFWriteDirectory(out)) { - TIFFClose(out); + (void) TIFFClose(in); + (void) TIFFClose(out); return (1); } if (imageCursor) { /* seek next image directory */ @@ -302,10 +306,10 @@ main(int argc, char* argv[]) }else if (!TIFFReadDirectory(in)) break; } - TIFFClose(in); + (void) TIFFClose(in); } - TIFFClose(out); + (void) TIFFClose(out); return (0); } -- cgit v1.2.1