[TSAM-10146] LibTiff fix security bug for CVE-2016-5652, CVE-2016-5875 08/99408/1 accepted/tizen/common/20161129.173543 accepted/tizen/ivi/20161130.015414 accepted/tizen/mobile/20161130.015157 accepted/tizen/tv/20161130.015242 accepted/tizen/unified/20170309.040542 accepted/tizen/wearable/20161130.015331 submit/tizen/20161129.052917 submit/tizen_unified/20170308.100417
authorJiyong Min <jiyong.min@samsung.com>
Tue, 22 Nov 2016 23:14:48 +0000 (08:14 +0900)
committerJiyong Min <jiyong.min@samsung.com>
Tue, 22 Nov 2016 23:26:46 +0000 (15:26 -0800)
 - CVE :

    [CVE-2016-5652] LibTIFF TIFF2PDF TIFFTAG_JPEGTABLES Remote Code Execution Vulnerability
    [CVE-2016-5875] LibTIFF PixarLogDecode Remote Code Execution Vulnerability

 - Reference :

    http://www.talosintelligence.com/reports/TALOS-2016-0205/
    http://www.talosintelligence.com/reports/TALOS-2016-0187/

Change-Id: Ia0db291d180c7e1dae04242c4f3de6e92b895441
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
ChangeLog
libtiff/tif_pixarlog.c
tools/tiff2pdf.c

index 5b77723..38143a6 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,23 @@
+2016-10-09 Even Rouault <even.rouault at spatialys.com>
+
+       * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
+       compressed images. Reported by Tyler Bohan of Cisco Talos as
+       TALOS-CAN-0187 / CVE-2016-5652.
+       Also prevents writing 2 extra uninitialized bytes to the file stream.
+
+2016-10-08 Even Rouault <even.rouault at spatialys.com>
+
+       * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
+       t2p_readwrite_pdf_image_tile(), causing crash, when reading a
+       JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
+       Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
+       the MSRC Vulnerabilities & Mitigations team.
+
+2016-06-28  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
+       PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
+
 2015-09-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
        * libtiff 4.0.6 released.
index 044c411..0102fe7 100644 (file)
@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
 typedef        struct {
        TIFFPredictorState      predict;
        z_stream                stream;
+       tmsize_t                tbuf_size; /* only set/used on reading for now */
        uint16                  *tbuf; 
        uint16                  stride;
        int                     state;
@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
        sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
        if (sp->tbuf == NULL)
                return (0);
+       sp->tbuf_size = tbuf_size;
        if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
                sp->user_datafmt = PixarLogGuessDataFmt(td);
        if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
                TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
                return (0);
        }
+       /* Check that we will not fill more than what was allocated */
+       if (sp->stream.avail_out > sp->tbuf_size)
+       {
+               TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+               return (0);
+       }
        do {
                int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
                if (state == Z_STREAM_END) {
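Review bot: The new guard compares `sp->stream.avail_out` (zlib's `uInt`, unsigned) with `sp->tbuf_size` (`tmsize_t`, signed); on 32-bit targets both are 32 bits wide, so the comparison is performed unsigned and `-Wsign-compare` will flag it, and a negative `tbuf_size` would be treated as a huge value rather than rejected. `tbuf_size` is only ever assigned a successfully allocated size in the previous hunk, so it should be non-negative, but making the intent explicit costs one cast: `if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)`. The error string also echoes the C expression rather than the condition; something like `"Output buffer larger than allocated tbuf"` tells a user what went wrong. The check depends on `tbuf_size` having been set by PixarLogSetupDecode before any decode call; the state struct is allocated outside this diff, so whether the field is zero-initialized for the encode path cannot be confirmed here. PixarLogDecode's body continues on both sides of the hunk.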
index 00bf850..0691523 100644 (file)
@@ -2886,21 +2886,24 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
                                return(0);
                        }
                        if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
-                               if (count > 0) {
-                                       _TIFFmemcpy(buffer, jpt, count);
+                               if (count >= 4) {
+                                       /* Ignore EOI marker of JpegTables */
+                                       _TIFFmemcpy(buffer, jpt, count - 2);
                                        bufferoffset += count - 2;
+                                       /* Store last 2 bytes of the JpegTables */
                                        table_end[0] = buffer[bufferoffset-2];
                                        table_end[1] = buffer[bufferoffset-1];
-                               }
-                               if (count > 0) {
                                        xuint32 = bufferoffset;
+                                       bufferoffset -= 2;
                                        bufferoffset += TIFFReadRawTile(
                                                input, 
                                                tile, 
-                                               (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), 
+                                               (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
                                                -1);
-                                               buffer[xuint32-2]=table_end[0];
-                                               buffer[xuint32-1]=table_end[1];
+                                       /* Overwrite SOI marker of image scan with previously */
+                                       /* saved end of JpegTables */
+                                       buffer[xuint32-2]=table_end[0];
+                                       buffer[xuint32-1]=table_end[1];
                                } else {
                                        bufferoffset += TIFFReadRawTile(
                                                input,