* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and

cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and http://bugzilla.maptools.org/show_bug.cgi?id=2657
author: erouault <erouault> 2017-01-11 19:25:44 +0000
committer: erouault <erouault> 2017-01-11 19:25:44 +0000
commit: f5a2f1fa2e05d97bedeb6face8f031704c32ba51 (patch)
tree: b522204e4dcebf9cf1c4bf2ca4091705c68c9194
parent: 51bcfefc0e08167c1d693693f85bc405f4f7e258 (diff)
download: libtiff-f5a2f1fa2e05d97bedeb6face8f031704c32ba51.tar.gz
2 files changed, 30 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index f78cad04..064f25b6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2017-01-11 Even Rouault <even.rouault at spatialys.com>
 
+	* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+	cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+	http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
 	* libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
 
 	* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 49c9d371..489459a7 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -591,7 +591,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
 static int
 tiffcp(TIFF* in, TIFF* out)
 {
-	uint16 bitspersample, samplesperpixel = 1;
+	uint16 bitspersample = 1, samplesperpixel = 1;
 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
 	copyFunc cf;
 	uint32 width, length;
@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpContig2SeparateByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpSeparate2ContigByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
 	uint32 w, l, tw, tl;
 	int bychunk;
 
-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
+	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
 		fprintf(stderr,
 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
author	erouault <erouault>	2017-01-11 19:25:44 +0000
committer	erouault <erouault>	2017-01-11 19:25:44 +0000
commit	f5a2f1fa2e05d97bedeb6face8f031704c32ba51 (patch)
tree	b522204e4dcebf9cf1c4bf2ca4091705c68c9194
parent	51bcfefc0e08167c1d693693f85bc405f4f7e258 (diff)
download	libtiff-f5a2f1fa2e05d97bedeb6face8f031704c32ba51.tar.gz