From 98648d3b62d4f123915410b8cae47954f9223000 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Thu, 6 Oct 2022 10:11:06 +0000 Subject: [PATCH] (CVE-2023-40090) Improved IFD-Loop Handling (fixes #455) Closes #455 See merge request libtiff/libtiff!386 (cherry picked from commit d093eb5d961e21ba51420bc22382c514683a4d91) --- libtiff/tif_close.c | 6 +- libtiff/tif_dir.c | 129 +++++++++++++++++++++++++----------- libtiff/tif_dir.h | 2 + libtiff/tif_dirread.c | 147 +++++++++++++++++++++++++++++++++--------- libtiff/tif_open.c | 3 +- libtiff/tiffiop.h | 3 +- 6 files changed, 219 insertions(+), 71 deletions(-) diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c index 6c9f7349..b5fa9603 100644 --- a/libtiff/tif_close.c +++ b/libtiff/tif_close.c @@ -52,8 +52,10 @@ TIFFCleanup(TIFF* tif) (*tif->tif_cleanup)(tif); TIFFFreeDirectory(tif); - if (tif->tif_dirlist) - _TIFFfree(tif->tif_dirlist); + if (tif->tif_dirlistoff) + _TIFFfree(tif->tif_dirlistoff); + if (tif->tif_dirlistdirn) + _TIFFfree(tif->tif_dirlistdirn); /* * Clean up client info links. diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c index a4295dc9..d9022f5b 100644 --- a/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c @@ -1521,12 +1521,22 @@ TIFFDefaultDirectory(TIFF* tif) } static int -TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off) +TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdiroff, uint64_t* off, uint16_t* nextdirnum) { static const char module[] = "TIFFAdvanceDirectory"; + + /* Add this directory to the directory list, if not already in. */ + if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) { + TIFFErrorExt(tif->tif_clientdata, module, "Starting directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64") might cause an IFD loop", + *nextdirnum, *nextdiroff, *nextdiroff); + *nextdiroff = 0; + *nextdirnum = 0; + return(0); + } + if (isMapped(tif)) { - uint64_t poff=*nextdir; + uint64_t poff=*nextdiroff; if (!(tif->tif_flags&TIFF_BIGTIFF)) { tmsize_t poffa,poffb,poffc,poffd; @@ -1537,7 +1547,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off) if (((uint64_t)poffa != poff) || (poffb < poffa) || (poffb < (tmsize_t)sizeof(uint16_t)) || (poffb > tif->tif_size)) { TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count"); - *nextdir=0; + *nextdiroff=0; return(0); } _TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16_t)); @@ -1555,7 +1565,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off) _TIFFmemcpy(&nextdir32,tif->tif_base+poffc,sizeof(uint32_t)); if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong(&nextdir32); - *nextdir=nextdir32; + *nextdiroff=nextdir32; } else { @@ -1587,11 +1597,10 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off) } if (off!=NULL) *off=(uint64_t)poffc; - _TIFFmemcpy(nextdir,tif->tif_base+poffc,sizeof(uint64_t)); + _TIFFmemcpy(nextdiroff,tif->tif_base+poffc,sizeof(uint64_t)); if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8(nextdir); + TIFFSwabLong8(nextdiroff); } - return(1); } else { @@ -1599,7 +1608,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off) { uint16_t dircount; uint32_t nextdir32; - if (!SeekOK(tif, *nextdir) || + if (!SeekOK(tif, *nextdiroff) || !ReadOK(tif, &dircount, sizeof (uint16_t))) { TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count", tif->tif_name); @@ -1620,13 +1629,13 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off) } if (tif->tif_flags & TIFF_SWAB) TIFFSwabLong(&nextdir32); - *nextdir=nextdir32; + *nextdiroff=nextdir32; } else { uint64_t dircount64; uint16_t dircount16; - if (!SeekOK(tif, *nextdir) || + if (!SeekOK(tif, *nextdiroff) || !ReadOK(tif, &dircount64, sizeof (uint64_t))) { TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count", tif->tif_name); @@ -1646,17 +1655,27 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off) else (void) TIFFSeekFile(tif, dircount16*20, SEEK_CUR); - if (!ReadOK(tif, nextdir, sizeof (uint64_t))) { + if (!ReadOK(tif, nextdiroff, sizeof (uint64_t))) { TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory link", tif->tif_name); return (0); } if (tif->tif_flags & TIFF_SWAB) - TIFFSwabLong8(nextdir); + TIFFSwabLong8(nextdiroff); } - return (1); } + if (*nextdiroff != 0) { + (*nextdirnum)++; + /* Check next directory for IFD looping and if so, set it as last directory. */ + if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) { + TIFFWarningExt(tif->tif_clientdata, module, "the next directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64") might be an IFD loop. Treating directory %"PRIu16" as last directory", + *nextdirnum, *nextdiroff, *nextdiroff, *nextdirnum-1); + *nextdiroff = 0; + (*nextdirnum)--; + } + } + return (1); } /* @@ -1666,14 +1685,16 @@ uint16_t TIFFNumberOfDirectories(TIFF* tif) { static const char module[] = "TIFFNumberOfDirectories"; - uint64_t nextdir; + uint64_t nextdiroff; + uint16_t nextdirnum; uint16_t n; if (!(tif->tif_flags&TIFF_BIGTIFF)) - nextdir = tif->tif_header.classic.tiff_diroff; + nextdiroff = tif->tif_header.classic.tiff_diroff; else - nextdir = tif->tif_header.big.tiff_diroff; + nextdiroff = tif->tif_header.big.tiff_diroff; + nextdirnum = 0; n = 0; - while (nextdir != 0 && TIFFAdvanceDirectory(tif, &nextdir, NULL)) + while (nextdiroff != 0 && TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum)) { if (n != 65535) { ++n; @@ -1696,28 +1717,30 @@ TIFFNumberOfDirectories(TIFF* tif) int TIFFSetDirectory(TIFF* tif, uint16_t dirn) { - uint64_t nextdir; + uint64_t nextdiroff; + uint16_t nextdirnum; uint16_t n; if (!(tif->tif_flags&TIFF_BIGTIFF)) - nextdir = tif->tif_header.classic.tiff_diroff; + nextdiroff = tif->tif_header.classic.tiff_diroff; else - nextdir = tif->tif_header.big.tiff_diroff; - for (n = dirn; n > 0 && nextdir != 0; n--) - if (!TIFFAdvanceDirectory(tif, &nextdir, NULL)) + nextdiroff = tif->tif_header.big.tiff_diroff; + nextdirnum = 0; + for (n = dirn; n > 0 && nextdiroff != 0; n--) + if (!TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum)) return (0); - tif->tif_nextdiroff = nextdir; + /* If the n-th directory could not be reached (does not exist), + * return here without touching anything further. */ + if (nextdiroff == 0 || n > 0) + return (0); + + tif->tif_nextdiroff = nextdiroff; /* * Set curdir to the actual directory index. The * -1 is because TIFFReadDirectory will increment * tif_curdir after successfully reading the directory. */ tif->tif_curdir = (dirn - n) - 1; - /* - * Reset tif_dirnumber counter and start new list of seen directories. - * We need this to prevent IFD loops. - */ - tif->tif_dirnumber = 0; return (TIFFReadDirectory(tif)); } @@ -1730,13 +1753,42 @@ TIFFSetDirectory(TIFF* tif, uint16_t dirn) int TIFFSetSubDirectory(TIFF* tif, uint64_t diroff) { - tif->tif_nextdiroff = diroff; - /* - * Reset tif_dirnumber counter and start new list of seen directories. - * We need this to prevent IFD loops. + /* Match nextdiroff and curdir for consistent IFD-loop checking. + * Only with TIFFSetSubDirectory() the IFD list can be corrupted with invalid offsets + * within the main IFD tree. + * In the case of several subIFDs of a main image, + * there are two possibilities that are not even mutually exclusive. + * a.) The subIFD tag contains an array with all offsets of the subIFDs. + * b.) The SubIFDs are concatenated with their NextIFD parameters. + * (refer to https://www.awaresystems.be/imaging/tiff/specification/TIFFPM6.pdf.) */ - tif->tif_dirnumber = 0; - return (TIFFReadDirectory(tif)); + int retval; + uint16_t curdir = 0; + int8_t probablySubIFD = 0; + if (diroff == 0) { + /* Special case to invalidate the tif_lastdiroff member. */ + tif->tif_curdir = 65535; + } else { + if (!_TIFFGetDirNumberFromOffset(tif, diroff, &curdir)) { + /* Non-existing offsets might point to a SubIFD or invalid IFD.*/ + probablySubIFD = 1; + } + /* -1 because TIFFReadDirectory() will increment tif_curdir. */ + tif->tif_curdir = curdir - 1; + } + + tif->tif_nextdiroff = diroff; + retval = TIFFReadDirectory(tif); + /* If failed, curdir was not incremented in TIFFReadDirectory(), so set it back. */ + if (!retval )tif->tif_curdir++; + if (retval && probablySubIFD) { + /* Reset IFD list to start new one for SubIFD chain and also start SubIFD chain with tif_curdir=0. */ + tif->tif_dirnumber = 0; + tif->tif_curdir = 0; /* first directory of new chain */ + /* add this offset to new IFD list */ + _TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir, diroff); + } + return (retval); } /* @@ -1760,12 +1812,15 @@ TIFFLastDirectory(TIFF* tif) /* * Unlink the specified directory from the directory chain. + * Note: First directory starts with number dirn=1. + * This is different to TIFFSetDirectory() where the first directory starts with zero. */ int TIFFUnlinkDirectory(TIFF* tif, uint16_t dirn) { static const char module[] = "TIFFUnlinkDirectory"; uint64_t nextdir; + uint16_t nextdirnum; uint64_t off; uint16_t n; @@ -1789,19 +1844,21 @@ TIFFUnlinkDirectory(TIFF* tif, uint16_t dirn) nextdir = tif->tif_header.big.tiff_diroff; off = 8; } + nextdirnum = 0; /* First directory is dirn=0 */ + for (n = dirn-1; n > 0; n--) { if (nextdir == 0) { TIFFErrorExt(tif->tif_clientdata, module, "Directory %"PRIu16" does not exist", dirn); return (0); } - if (!TIFFAdvanceDirectory(tif, &nextdir, &off)) + if (!TIFFAdvanceDirectory(tif, &nextdir, &off, &nextdirnum)) return (0); } /* * Advance to the directory to be unlinked and fetch * the offset of the directory that follows. */ - if (!TIFFAdvanceDirectory(tif, &nextdir, NULL)) + if (!TIFFAdvanceDirectory(tif, &nextdir, NULL, &nextdirnum)) return (0); /* * Go back and patch the link field of the preceding diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h index 0c251c9e..deaa4594 100644 --- a/libtiff/tif_dir.h +++ b/libtiff/tif_dir.h @@ -302,6 +302,8 @@ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32_t); extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32_t, TIFFDataType); extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32_t, TIFFDataType); extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); +extern int _TIFFCheckDirNumberAndOffset(TIFF *tif, uint16_t dirn, uint64_t diroff); +extern int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, uint16_t *dirn); #if defined(__cplusplus) } diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index 32653f04..f4c1b08d 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -159,7 +159,6 @@ static void TIFFReadDirectoryFindFieldInfo(TIFF* tif, uint16_t tagid, uint32_t* static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount); static void MissingRequired(TIFF*, const char*); -static int TIFFCheckDirOffset(TIFF* tif, uint64_t diroff); static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32_t); static uint16_t TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir, uint64_t* nextdiroff); static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover); @@ -3922,12 +3921,19 @@ TIFFReadDirectory(TIFF* tif) int bitspersample_read = FALSE; int color_channels; - tif->tif_diroff=tif->tif_nextdiroff; - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) - return 0; /* last offset or bad offset (IFD looping) */ - (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */ - tif->tif_curdir++; - nextdiroff = tif->tif_nextdiroff; + if (tif->tif_nextdiroff == 0) { + /* In this special case, tif_diroff needs also to be set to 0. */ + tif->tif_diroff = tif->tif_nextdiroff; + return 0; /* last offset, thus no checking necessary */ + } + + nextdiroff = tif->tif_nextdiroff; + /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL reading of the directory. Otherwise, invalid IFD offsets could corrupt the IFD list. */ + if (!_TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir + 1, nextdiroff)) { + TIFFWarningExt(tif->tif_clientdata, module, + "Didn't read next directory due to IFD looping at offset 0x%"PRIx64" (%"PRIu64") to offset 0x%"PRIx64" (%"PRIu64")", tif->tif_diroff, tif->tif_diroff, nextdiroff, nextdiroff); + return 0; /* bad offset (IFD looping) */ + } dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff); if (!dircount) { @@ -3935,6 +3941,11 @@ TIFFReadDirectory(TIFF* tif) "Failed to read directory at offset %" PRIu64, nextdiroff); return 0; } + /* Set global values after a valid directory has been fetched. + * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the beginning. */ + tif->tif_curdir++; + (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */ + TIFFReadDirectoryCheckOrder(tif,dir,dircount); /* @@ -5026,53 +5037,127 @@ MissingRequired(TIFF* tif, const char* tagname) } /* - * Check the directory offset against the list of already seen directory - * offsets. This is a trick to prevent IFD looping. The one can create TIFF - * file with looped directory pointers. We will maintain a list of already - * seen directories and check every IFD offset against that list. + * Check the directory number and offset against the list of already seen + * directory numbers and offsets. This is a trick to prevent IFD looping. + * The one can create TIFF file with looped directory pointers. We will + * maintain a list of already seen directories and check every IFD offset + * and its IFD number against that list. However, the offset of an IFD number + * can change - e.g. when writing updates to file. + * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered, + * or an error has occured. */ -static int -TIFFCheckDirOffset(TIFF* tif, uint64_t diroff) +int +_TIFFCheckDirNumberAndOffset(TIFF *tif, uint16_t dirn, uint64_t diroff) { uint16_t n; if (diroff == 0) /* no more directories */ return 0; if (tif->tif_dirnumber == 65535) { - TIFFErrorExt(tif->tif_clientdata, "TIFFCheckDirOffset", - "Cannot handle more than 65535 TIFF directories"); - return 0; + TIFFErrorExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset", + "Cannot handle more than 65535 TIFF directories"); + return 0; } - for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) { - if (tif->tif_dirlist[n] == diroff) - return 0; + /* Check if offset is already in the list: + * - yes: check, if offset is at the same IFD number - if not, it is an IFD loop + * - no: add to list or update offset at that IFD number + */ + for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff; n++) { + if (tif->tif_dirlistoff[n] == diroff) { + if (tif->tif_dirlistdirn[n] == dirn) { + return 1; + } else { + TIFFWarningExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset", + "TIFF directory %"PRIu16" has IFD looping to directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64")", + dirn-1, tif->tif_dirlistdirn[n], diroff, diroff); + return 0; + } + } + } + /* Check if offset of an IFD has been changed and update offset of that IFD number. */ + if (dirn < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff) { + /* tif_dirlistdirn can have IFD numbers dirn in random order */ + for (n = 0; n < tif->tif_dirnumber; n++) { + if (tif->tif_dirlistdirn[n] == dirn) { + tif->tif_dirlistoff[n] = diroff; + return 1; + } + } } + /* Add IFD offset and dirn to IFD directory list */ tif->tif_dirnumber++; - if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) { - uint64_t* new_dirlist; - + if (tif->tif_dirlistoff == NULL || tif->tif_dirlistdirn == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) { + uint64_t *new_dirlist; /* * XXX: Reduce memory allocation granularity of the dirlist * array. */ - new_dirlist = (uint64_t*)_TIFFCheckRealloc(tif, tif->tif_dirlist, - tif->tif_dirnumber, 2 * sizeof(uint64_t), "for IFD list"); + if (tif->tif_dirnumber >= 32768) + tif->tif_dirlistsize = 65535; + else + tif->tif_dirlistsize = 2 * tif->tif_dirnumber; + + new_dirlist = (uint64_t *)_TIFFCheckRealloc(tif, tif->tif_dirlistoff, + tif->tif_dirlistsize, sizeof(uint64_t), "for IFD offset list"); if (!new_dirlist) return 0; - if( tif->tif_dirnumber >= 32768 ) - tif->tif_dirlistsize = 65535; - else - tif->tif_dirlistsize = 2 * tif->tif_dirnumber; - tif->tif_dirlist = new_dirlist; + tif->tif_dirlistoff = new_dirlist; + new_dirlist = (uint64_t *)_TIFFCheckRealloc(tif, tif->tif_dirlistdirn, + tif->tif_dirlistsize, sizeof(uint16_t), "for IFD dirnumber list"); + if (!new_dirlist) + return 0; + tif->tif_dirlistdirn = (uint16_t *)new_dirlist; } - tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff; + tif->tif_dirlistoff[tif->tif_dirnumber - 1] = diroff; + tif->tif_dirlistdirn[tif->tif_dirnumber - 1] = dirn; return 1; -} +} /* --- _TIFFCheckDirNumberAndOffset() ---*/ + +/* + * Retrieve the matching IFD directory number of a given IFD offset + * from the list of directories already seen. + * Returns 1 if the offset was in the list and the directory number + * can be returned. + * Otherwise returns 0 or if an error occured. + */ +int +_TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, uint16_t* dirn) +{ + uint16_t n; + + if (diroff == 0) /* no more directories */ + return 0; + if (tif->tif_dirnumber == 65535) { + TIFFErrorExt(tif->tif_clientdata, "_TIFFGetDirNumberFromOffset", + "Cannot handle more than 65535 TIFF directories"); + return 0; + } + + /* Check if offset is already in the list and return matching directory number. + * Otherwise update IFD list using TIFFNumberOfDirectories() + * and search again in IFD list. + */ + for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) { + if (tif->tif_dirlistoff[n] == diroff) { + *dirn = tif->tif_dirlistdirn[n]; + return 1; + } + } + TIFFNumberOfDirectories(tif); + for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) { + if (tif->tif_dirlistoff[n] == diroff) { + *dirn = tif->tif_dirlistdirn[n]; + return 1; + } + } + return 0; +} /*--- _TIFFGetDirNumberFromOffset() ---*/ + /* * Check the count field of a directory entry against a known value. The diff --git a/libtiff/tif_open.c b/libtiff/tif_open.c index 549f56ce..85c2af47 100644 --- a/libtiff/tif_open.c +++ b/libtiff/tif_open.c @@ -354,7 +354,8 @@ TIFFClientOpen( goto bad; tif->tif_diroff = 0; tif->tif_lastdiroff = 0; - tif->tif_dirlist = NULL; + tif->tif_dirlistoff = NULL; + tif->tif_dirlistdirn = NULL; tif->tif_dirlistsize = 0; tif->tif_dirnumber = 0; return (tif); diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h index 4e8bdac2..8e0e2454 100644 --- a/libtiff/tiffiop.h +++ b/libtiff/tiffiop.h @@ -118,7 +118,8 @@ struct tiff { uint64_t tif_diroff; /* file offset of current directory */ uint64_t tif_nextdiroff; /* file offset of following directory */ uint64_t tif_lastdiroff; /* file offset of last directory written so far */ - uint64_t* tif_dirlist; /* list of offsets to already seen directories to prevent IFD looping */ + uint64_t* tif_dirlistoff; /* list of offsets to already seen directories to prevent IFD looping */ + uint16_t* tif_dirlistdirn; /* list of directory numbers to already seen directories to prevent IFD looping */ uint16_t tif_dirlistsize; /* number of entries in offset list */ uint16_t tif_dirnumber; /* number of already seen directories */ TIFFDirectory tif_dir; /* internal rep of current directory */