From 01de2299ed1cf3137235ef8a6657905ef04fc65c Mon Sep 17 00:00:00 2001 From: Su_Laus Date: Tue, 30 Aug 2022 16:56:48 +0200 Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: Behaviour for writing: `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. `NumberOfInks` is automatically set when `InkNames` is set. If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. Behaviour for reading: When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. (cherry picked from commit f00484b9519df933723deb38fff943dc291a793d) --- libtiff/tif_dir.c | 118 ++++++++++++++++++++++++----------------- libtiff/tif_dir.h | 2 + libtiff/tif_dirinfo.c | 2 +- libtiff/tif_dirwrite.c | 5 ++ libtiff/tif_print.c | 4 ++ 5 files changed, 82 insertions(+), 49 deletions(-) diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c index ad550c65..cb329fd8 100644 --- a/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c @@ -125,32 +125,30 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) } /* - * Confirm we have "samplesperpixel" ink names separated by \0. Returns + * Count ink names separated by \0. Returns * zero if the ink names are not as expected. */ -static uint32 -checkInkNamesString(TIFF* tif, uint32 slen, const char* s) +static uint16 +countInkNamesString(TIFF *tif, uint32 slen, const char *s) { - TIFFDirectory* td = &tif->tif_dir; - uint16 i = td->td_samplesperpixel; + uint16 i = 0; + const char *ep = s + slen; + const char *cp = s; if (slen > 0) { - const char* ep = s+slen; - const char* cp = s; - for (; i > 0; i--) { + do { for (; cp < ep && *cp != '\0'; cp++) {} if (cp >= ep) goto bad; cp++; /* skip \0 */ - } - return ((uint32)(cp-s)); + i++; + } while (cp < ep); + return (i); } bad: TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", - "%s: Invalid InkNames value; expecting %d names, found %d", - tif->tif_name, - td->td_samplesperpixel, - td->td_samplesperpixel-i); + "%s: Invalid InkNames value; no NUL at given buffer end location %d, after %d ink", + tif->tif_name, slen, i); return (0); } @@ -452,13 +450,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); break; case TIFFTAG_INKNAMES: - v = (uint16) va_arg(ap, uint16_vap); - s = va_arg(ap, char*); - v = checkInkNamesString(tif, v, s); - status = v > 0; - if( v > 0 ) { - _TIFFsetNString(&td->td_inknames, s, v); - td->td_inknameslen = v; + { + v = (uint16) va_arg(ap, uint16_vap); + s = va_arg(ap, char*); + uint16 ninksinstring; + ninksinstring = countInkNamesString(tif, v, s); + status = ninksinstring > 0; + if(ninksinstring > 0 ) { + _TIFFsetNString(&td->td_inknames, s, v); + td->td_inknameslen = v; + /* Set NumberOfInks to the value ninksinstring */ + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) + { + if (td->td_numberofinks != ninksinstring) { + TIFFErrorExt(tif->tif_clientdata, module, + "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the number of inks %d.\n -> NumberOfInks value adapted to %d", + tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); + td->td_numberofinks = ninksinstring; + } + } else { + td->td_numberofinks = ninksinstring; + TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); + } + if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) + { + if (td->td_numberofinks != td->td_samplesperpixel) { + TIFFErrorExt(tif->tif_clientdata, module, + "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d", + tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); + } + } + } + } + break; + case TIFFTAG_NUMBEROFINKS: + v = (uint16)va_arg(ap, uint16_vap); + /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ + if (TIFFFieldSet(tif, FIELD_INKNAMES)) + { + if (v != td->td_numberofinks) { + TIFFErrorExt(tif->tif_clientdata, module, + "Error %s; Tag %s:\n It is not possible to set the value %d for NumberOfInks\n which is different from the number of inks in the InkNames tag (%d)", + tif->tif_name, fip->field_name, v, td->td_numberofinks); + /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ + status = 0; + } + } else { + td->td_numberofinks = (uint16)v; + if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) + { + if (td->td_numberofinks != td->td_samplesperpixel) { + TIFFErrorExt(tif->tif_clientdata, module, + "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d", + tif->tif_name, fip->field_name, v, td->td_samplesperpixel); + } + } } break; case TIFFTAG_PERSAMPLE: @@ -854,33 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */ return 0; - if( tag == TIFFTAG_NUMBEROFINKS ) - { - int i; - for (i = 0; i < td->td_customValueCount; i++) { - uint16 val; - TIFFTagValue *tv = td->td_customValues + i; - if (tv->info->field_tag != tag) - continue; - if( tv->value == NULL ) - return 0; - val = *(uint16 *)tv->value; - /* Truncate to SamplesPerPixel, since the */ - /* setting code for INKNAMES assume that there are SamplesPerPixel */ - /* inknames. */ - /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ - if( val > td->td_samplesperpixel ) - { - TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", - "Truncating NumberOfInks from %u to %u", - val, td->td_samplesperpixel); - val = td->td_samplesperpixel; - } - *va_arg(ap, uint16*) = val; - return 1; - } - return 0; - } /* * We want to force the custom code to be used for custom @@ -1068,6 +1087,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) case TIFFTAG_INKNAMES: *va_arg(ap, char**) = td->td_inknames; break; + case TIFFTAG_NUMBEROFINKS: + *va_arg(ap, uint16 *) = td->td_numberofinks; + break; default: { int i; diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h index 5a380767..b5881b02 100644 --- a/libtiff/tif_dir.h +++ b/libtiff/tif_dir.h @@ -113,6 +113,7 @@ typedef struct { /* CMYK parameters */ int td_inknameslen; char* td_inknames; + uint16 td_numberofinks; /* number of inks in InkNames string */ int td_customValueCount; TIFFTagValue *td_customValues; @@ -168,6 +169,7 @@ typedef struct { #define FIELD_TRANSFERFUNCTION 44 #define FIELD_INKNAMES 46 #define FIELD_SUBIFD 49 +#define FIELD_NUMBEROFINKS 50 /* FIELD_CUSTOM (see tiffio.h) 65 */ /* end of support for well-known tags; codec-private tags follow */ #define FIELD_CODEC 66 /* base of codec-private tags */ diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c index 4904f540..8bbc8323 100644 --- a/libtiff/tif_dirinfo.c +++ b/libtiff/tif_dirinfo.c @@ -106,7 +106,7 @@ tiffFields[] = { { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, - { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, + { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c index 03a9f296..994fa57a 100644 --- a/libtiff/tif_dirwrite.c +++ b/libtiff/tif_dirwrite.c @@ -634,6 +634,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) goto bad; } + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) + { + if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) + goto bad; + } if (TIFFFieldSet(tif,FIELD_SUBIFD)) { if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c index b9b53a0f..9caba038 100644 --- a/libtiff/tif_print.c +++ b/libtiff/tif_print.c @@ -404,6 +404,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) } fputs("\n", fd); } + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { + fprintf(fd, " NumberOfInks: %d\n", + td->td_numberofinks); + } if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { fprintf(fd, " Thresholding: "); switch (td->td_threshholding) {