298dde72b0
"Some vulnerabilities have been reported in libTIFF, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused due to various heap and integer overflows when processing TIFF images and can be exploited via a specially crafted TIFF image. Successful exploitation allows crashing applications linked against libTIFF and may also allow execution of arbitrary code." http://secunia.com/advisories/21304/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465 Patches from Tavis Ormandy, Google Security Team via SUSE. Bump PKGREVISION.
119 lines
3.9 KiB
Text
119 lines
3.9 KiB
Text
$NetBSD: patch-az,v 1.1 2006/08/02 15:42:25 salo Exp $
|
|
|
|
Security fix for SA21304.
|
|
|
|
--- libtiff/tif_jpeg.c.orig 2006-03-21 17:42:50.000000000 +0100
|
|
+++ libtiff/tif_jpeg.c 2006-08-02 17:18:41.000000000 +0200
|
|
@@ -722,8 +722,8 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
|
|
segment_width = TIFFhowmany(segment_width, sp->h_sampling);
|
|
segment_height = TIFFhowmany(segment_height, sp->v_sampling);
|
|
}
|
|
- if (sp->cinfo.d.image_width != segment_width ||
|
|
- sp->cinfo.d.image_height != segment_height) {
|
|
+ if (sp->cinfo.d.image_width < segment_width ||
|
|
+ sp->cinfo.d.image_height < segment_height) {
|
|
TIFFWarningExt(tif->tif_clientdata, module,
|
|
"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
|
|
segment_width,
|
|
@@ -731,6 +731,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
|
|
sp->cinfo.d.image_width,
|
|
sp->cinfo.d.image_height);
|
|
}
|
|
+
|
|
+ if (sp->cinfo.d.image_width > segment_width ||
|
|
+ sp->cinfo.d.image_height > segment_height) {
|
|
+ /*
|
|
+ * This case could be dangerous, if the strip or tile size has been
|
|
+ * reported as less than the amount of data jpeg will return, some
|
|
+ * potential security issues arise. Catch this case and error out.
|
|
+ * -- taviso@google.com 14 Jun 2006
|
|
+ */
|
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
+ "JPEG strip/tile size exceeds expected dimensions,"
|
|
+ "expected %dx%d, got %dx%d", segment_width, segment_height,
|
|
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
if (sp->cinfo.d.num_components !=
|
|
(td->td_planarconfig == PLANARCONFIG_CONTIG ?
|
|
td->td_samplesperpixel : 1)) {
|
|
@@ -762,6 +778,22 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
|
|
sp->h_sampling, sp->v_sampling);
|
|
|
|
/*
|
|
+ * There are potential security issues here for decoders that
|
|
+ * have already allocated buffers based on the expected sampling
|
|
+ * factors. Lets check the sampling factors dont exceed what
|
|
+ * we were expecting.
|
|
+ * -- taviso@google.com 14 June 2006
|
|
+ */
|
|
+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
|
|
+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
|
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
+ "Cannot honour JPEG sampling factors that"
|
|
+ " exceed those specified.");
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
+
|
|
+ /*
|
|
* XXX: Files written by the Intergraph software
|
|
* has different sampling factors stored in the
|
|
* TIFF tags and in the JPEG structures. We will
|
|
@@ -1521,15 +1553,18 @@ JPEGCleanup(TIFF* tif)
|
|
{
|
|
JPEGState *sp = JState(tif);
|
|
|
|
- assert(sp != 0);
|
|
+ /* assert(sp != 0); */
|
|
|
|
tif->tif_tagmethods.vgetfield = sp->vgetparent;
|
|
tif->tif_tagmethods.vsetfield = sp->vsetparent;
|
|
|
|
+ if (sp != NULL) {
|
|
if( sp->cinfo_initialized )
|
|
TIFFjpeg_destroy(sp); /* release libjpeg resources */
|
|
if (sp->jpegtables) /* tag value */
|
|
_TIFFfree(sp->jpegtables);
|
|
+ }
|
|
+
|
|
_TIFFfree(tif->tif_data); /* release local state */
|
|
tif->tif_data = NULL;
|
|
|
|
@@ -1541,6 +1576,7 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
|
|
{
|
|
JPEGState* sp = JState(tif);
|
|
TIFFDirectory* td = &tif->tif_dir;
|
|
+ const TIFFFieldInfo* fip;
|
|
uint32 v32;
|
|
|
|
assert(sp != NULL);
|
|
@@ -1606,7 +1642,13 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
|
|
default:
|
|
return (*sp->vsetparent)(tif, tag, ap);
|
|
}
|
|
- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
|
|
+
|
|
+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
|
|
+ TIFFSetFieldBit(tif, fip->field_bit);
|
|
+ } else {
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
tif->tif_flags |= TIFF_DIRTYDIRECT;
|
|
return (1);
|
|
}
|
|
@@ -1726,7 +1768,11 @@ JPEGPrintDir(TIFF* tif, FILE* fd, long f
|
|
{
|
|
JPEGState* sp = JState(tif);
|
|
|
|
- assert(sp != NULL);
|
|
+ /* assert(sp != NULL); */
|
|
+ if (sp == NULL) {
|
|
+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
|
|
+ return;
|
|
+ }
|
|
|
|
(void) flags;
|
|
if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
|