From: Jiyong Min Date: Tue, 22 Nov 2016 23:14:48 +0000 (+0900) Subject: [TSAM-10146] LibTiff fix security bug for CVE-2016-5652, CVE-2016-5875 X-Git-Tag: accepted/tizen/common/20161129.173543^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F08%2F99408%2F1;p=platform%2Fupstream%2Ftiff.git [TSAM-10146] LibTiff fix security bug for CVE-2016-5652, CVE-2016-5875 - CVE : [CVE-2016-5652] LibTIFF TIFF2PDF TIFFTAG_JPEGTABLES Remote Code Execution Vulnerability [CVE-2016-5875] LibTIFF PixarLogDecode Remote Code Execution Vulnerability - Reference : http://www.talosintelligence.com/reports/TALOS-2016-0205/ http://www.talosintelligence.com/reports/TALOS-2016-0187/ Change-Id: Ia0db291d180c7e1dae04242c4f3de6e92b895441 Signed-off-by: Jiyong Min
---
diff --git a/ChangeLog b/ChangeLog
index 5b77723..38143a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,23 @@
+2016-10-09 Even Rouault
+
+ * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
+ compressed images. Reported by Tyler Bohan of Cisco Talos as
+ TALOS-CAN-0187 / CVE-2016-5652.
+ Also prevents writing 2 extra uninitialized bytes to the file stream.
+
+2016-10-08 Even Rouault
+
+ * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
+ t2p_readwrite_pdf_image_tile(), causing crash, when reading a
+ JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
+ Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
+ the MSRC Vulnerabilities & Mitigations team.
+
+2016-06-28 Even Rouault
+
+ * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
+ PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
+
 2015-09-12 Bob Friesenhahn
 
 * libtiff 4.0.6 released.
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 044c411..0102fe7 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
 typedef struct {
 TIFFPredictorState predict;
 z_stream stream;
+ tmsize_t tbuf_size; /* only set/used on reading for now */
 uint16 *tbuf;
 uint16 stride;
 int state;
@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
 sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
 if (sp->tbuf == NULL)
 return (0);
+ sp->tbuf_size = tbuf_size;
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 sp->user_datafmt = PixarLogGuessDataFmt(td);
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
 return (0);
 }
+ /* Check that we will not fill more than what was allocated */
+ if (sp->stream.avail_out > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ return (0);
+ }
 do {
 int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
 if (state == Z_STREAM_END) {
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 00bf850..0691523 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
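Review bot: The new `tbuf_size` field is, by its own comment, assigned only on the read path, so after PixarLogSetupEncode it holds whatever the allocator left there unless the PixarLogState is zero-filled where it is created, which this diff does not show. PixarLogDecode now compares against the field, so it should be well-defined on every path: either `sp->tbuf_size = 0;` at allocation time or an assignment in PixarLogSetupEncode mirroring the one this commit adds to PixarLogSetupDecode. The enclosing typedef continues outside the hunk.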
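Review bot: The added guard `if (sp->stream.avail_out > sp->tbuf_size)` compares zlib's unsigned `avail_out` with the signed `tmsize_t` field, which is only sound because tbuf_size is an allocation size and therefore never negative; that assumption deserves to be written down, e.g. `/* tbuf_size is non-negative (allocation size), so comparing with uInt avail_out is safe */`. The error text `"sp->stream.avail_out > sp->tbuf_size"` reports an internal expression rather than something a user of the library can act on; `"Decode output larger than the buffer allocated by PixarLogSetupDecode"` would be more useful in the log. PixarLogDecode's body continues outside the hunk.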
@@ -2886,21 +2886,24 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
 return(0);
 }
 if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
- if (count > 0) {
- _TIFFmemcpy(buffer, jpt, count);
+ if (count >= 4) {
+ /* Ignore EOI marker of JpegTables */
+ _TIFFmemcpy(buffer, jpt, count - 2);
 bufferoffset += count - 2;
+ /* Store last 2 bytes of the JpegTables */
 table_end[0] = buffer[bufferoffset-2];
 table_end[1] = buffer[bufferoffset-1];
- }
- if (count > 0) {
 xuint32 = bufferoffset;
+ bufferoffset -= 2;
 bufferoffset += TIFFReadRawTile(
 input,
 tile,
- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
 -1);
- buffer[xuint32-2]=table_end[0];
- buffer[xuint32-1]=table_end[1];
+ /* Overwrite SOI marker of image scan with previously */
+ /* saved end of JpegTables */
+ buffer[xuint32-2]=table_end[0];
+ buffer[xuint32-1]=table_end[1];
 } else {
 bufferoffset += TIFFReadRawTile(
 input,
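Review bot: The result of TIFFReadRawTile is still added to `bufferoffset` unchecked; on failure it returns `(tsize_t)(-1)`, which moves the offset backwards and the two `buffer[xuint32-2]`/`buffer[xuint32-1]` writes then run as if the scan had been read, so a truncated or bogus JPEG stream can end up in the PDF. The gap predates this commit, but since the hunk rewrites these lines it is the place to close it: `tsize_t got = TIFFReadRawTile(input, tile, (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), -1);` / `if (got == (tsize_t)(-1)) { /* release buffer and take the function's existing failure path */ }` / `bufferoffset += got;`, and the same for the `else` branch's call at the end of the hunk. The new `count >= 4` threshold routes JPEG tables of length 2 or 3 into the no-tables branch without a word, which is presumably intended and deserves a comment such as `/* shorter than SOI+EOI (4 bytes) cannot hold tables; treat as none */`. t2p_readwrite_pdf_image_tile starts and ends outside the hunk.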