120 lines
3.7 KiB
Diff
120 lines
3.7 KiB
Diff
From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001
|
|
From: Even Rouault <even.rouault@spatialys.com>
|
|
Date: Tue, 30 Oct 2018 18:50:27 +0100
|
|
Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in
|
|
case of out of memory situation. Fixes
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661
|
|
|
|
(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)
|
|
---
|
|
libtiff/tiffiop.h | 1 +
|
|
tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
|
|
tools/tiffcrop.c | 5 -----
|
|
3 files changed, 27 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
|
index daa291c0..08e5dc44 100644
|
|
--- a/libtiff/tiffiop.h
|
|
+++ b/libtiff/tiffiop.h
|
|
@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
|
|
#endif
|
|
|
|
#define streq(a,b) (strcmp(a,b) == 0)
|
|
+#define strneq(a,b,n) (strncmp(a,b,n) == 0)
|
|
|
|
#ifndef TRUE
|
|
#define TRUE 1
|
|
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
|
|
index dad54afa..1f3bb2cd 100644
|
|
--- a/tools/tiff2bw.c
|
|
+++ b/tools/tiff2bw.c
|
|
@@ -40,9 +40,7 @@
|
|
#endif
|
|
|
|
#include "tiffio.h"
|
|
-
|
|
-#define streq(a,b) (strcmp((a),(b)) == 0)
|
|
-#define strneq(a,b,n) (strncmp(a,b,n) == 0)
|
|
+#include "tiffiop.h"
|
|
|
|
/* x% weighting -> fraction of full color */
|
|
#define PCT(x) (((x)*256+50)/100)
|
|
@@ -223,6 +221,11 @@ main(int argc, char* argv[])
|
|
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
|
|
TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
|
|
outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
|
|
+ if( !outbuf )
|
|
+ {
|
|
+ fprintf(stderr, "Out of memory\n");
|
|
+ goto tiff2bw_error;
|
|
+ }
|
|
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
|
|
TIFFDefaultStripSize(out, rowsperstrip));
|
|
|
|
@@ -246,6 +249,11 @@ main(int argc, char* argv[])
|
|
#undef CVT
|
|
}
|
|
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
|
|
+ if( !inbuf )
|
|
+ {
|
|
+ fprintf(stderr, "Out of memory\n");
|
|
+ goto tiff2bw_error;
|
|
+ }
|
|
for (row = 0; row < h; row++) {
|
|
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
|
|
break;
|
|
@@ -256,6 +264,11 @@ main(int argc, char* argv[])
|
|
break;
|
|
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
|
|
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
|
|
+ if( !inbuf )
|
|
+ {
|
|
+ fprintf(stderr, "Out of memory\n");
|
|
+ goto tiff2bw_error;
|
|
+ }
|
|
for (row = 0; row < h; row++) {
|
|
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
|
|
break;
|
|
@@ -265,8 +278,16 @@ main(int argc, char* argv[])
|
|
}
|
|
break;
|
|
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
|
|
+ {
|
|
+ tmsize_t inbufsize;
|
|
rowsize = TIFFScanlineSize(in);
|
|
- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
|
|
+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
|
|
+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
|
|
+ if( !inbuf )
|
|
+ {
|
|
+ fprintf(stderr, "Out of memory\n");
|
|
+ goto tiff2bw_error;
|
|
+ }
|
|
for (row = 0; row < h; row++) {
|
|
for (s = 0; s < 3; s++)
|
|
if (TIFFReadScanline(in,
|
|
@@ -278,6 +299,7 @@ main(int argc, char* argv[])
|
|
break;
|
|
}
|
|
break;
|
|
+ }
|
|
}
|
|
#undef pack
|
|
if (inbuf)
|
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
index c60cb389..3862b1ca 100644
|
|
--- a/tools/tiffcrop.c
|
|
+++ b/tools/tiffcrop.c
|
|
@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
|
|
|
#define TIFF_UINT32_MAX 0xFFFFFFFFU
|
|
|
|
-#ifndef streq
|
|
-#define streq(a,b) (strcmp((a),(b)) == 0)
|
|
-#endif
|
|
-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0)
|
|
-
|
|
#define TRUE 1
|
|
#define FALSE 0
|
|
|