
libtiff

Suresoft-GLaDOS edited this page May 26, 2023 · 9 revisions

#1

Link : https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0
Description: Avoid access outside of stack allocated array
CVE Info: CVE-2016-5321

At tools/tiffcrop.c

@@ -989,7 +989,7 @@ static int  readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
     nrow = (row + tl > imagelength) ? imagelength - row : tl;
     for (col = 0; col < imagewidth; col += tw)
       {
+      for (s = 0; s < spp && s < MAX_SAMPLES; s++)
-      for (s = 0; s < spp; s++)
         {  /* Read each plane of a tile set into srcbuffs[s] */
 	tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
         if (tbytes < 0  && !ignore)
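Review bot: The added bound `s < MAX_SAMPLES` on the sample loop silently drops every plane past the limit when `spp` is larger, so the tool carries on with partial tile data instead of failing. The bound itself matches the description's out-of-bounds fix for `srcbuffs[s]`. It would be clearer to reject such a file once, before the row/column loops, with a check like `if (spp > MAX_SAMPLES)` that reports the error and returns this function's failure value. The function continues outside this hunk, so any later loop that indexes `srcbuffs` by sample should be checked for the same bound.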

Tags
#Memory-error #Invalid-condition #Single-line #Modified #CVE

#2

Link : https://github.com/vadz/libtiff/commit/8a37c8e244de3457283b54986d09a8db4d24381c
Description: Fix failure to update libtiff version in AC_INIT.

At tools/gif2tiff.c

@@ -370,7 +370,7 @@ readextension(void)
     int status = 1;
     (void) getc(infile);
+    while ((count = getc(infile)) && count >= 0 && count <= 255)
-    while ((count = getc(infile)) && count <= 255)
         if (fread(buf, 1, count, infile) != (size_t) count) {
             fprintf(stderr, "short read from file %s (%s)\n",
                     filename, strerror(errno));
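Review bot: With `count >= 0` added to the loop condition, an EOF from `getc()` ends the loop exactly like the zero-length terminator block, so a truncated extension is indistinguishable from a well-formed one. `status` is initialised to 1 above, and unless code after the loop (outside this hunk) tests for EOF, the function presumably still reports success. A check after the loop such as `if (count < 0) status = 0;` would close that gap, assuming 0 is the failure value here. Note also that `count <= 255` is always true for a non-EOF `getc()` result, so the `fread` is only safe if `buf` holds at least 255 bytes, which this hunk does not show.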

Tags
#Memory-error #Invalid-condition #Single-line #Modified

#3

Link : https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
Description: Validate values of -v and -h parameters to avoid potential divide by zero.
CVE Info: CVE-2016-3623

At tools/rgb2ycbcr.c

@@ -116,8 +116,6 @@ main(int argc, char* argv[])
 			break;
 		case 'h':
 			horizSubSampling = atoi(optarg);
+            if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
+                usage(-1);
 			break;
 		case 'v':
 			vertSubSampling = atoi(optarg);
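Review bot: The new check in the 'h' case still takes its value from `atoi(optarg)`, which accepts trailing garbage (`-h 2x` passes as 2) and has undefined behaviour on out-of-range input. Parsing with `strtol` and testing the end pointer would make the validation exact. The description says -v is validated too, but the 'v' case starts on the last line of this hunk, so confirm that `vertSubSampling` gets the same 1/2/4 test. `usage(-1)` alone does not tell the user which option was rejected; a short `fprintf(stderr, ...)` before it would help.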

Tags
#Division-by-zero #Omission #Multi-line #Added #CVE

#4

Link : https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122
Description: Avoid integer division by zero in JPEGSetupEncode()

At libtiff/tif_jpeg.c

@@ -1626,13 +1626,7 @@ JPEGSetupEncode(TIFF* tif)
 	case PHOTOMETRIC_YCBCR:
 		sp->h_sampling = td->td_ycbcrsubsampling[0];
 		sp->v_sampling = td->td_ycbcrsubsampling[1];
+                if( sp->h_sampling == 0 || sp->v_sampling == 0 )
+                {
+                    TIFFErrorExt(tif->tif_clientdata, module,
+                            "Invalig horizontal/vertical sampling value");
+                    return (0);
+                }
 		/*
 		 * A ReferenceBlackWhite field *must* be present since the
 		 * default value is inappropriate for YCbCr.  Fill in the
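Review bot: The error string in the new zero-sampling guard is misspelled: `"Invalig horizontal/vertical sampling value"` should read `"Invalid horizontal/vertical sampling value"`. Because the text goes through `TIFFErrorExt` to the client's error handler, the typo will show up in logs and defeat searches for the message. Including the two values, e.g. `"Invalid horizontal/vertical sampling value (%d,%d)"` with `sp->h_sampling, sp->v_sampling`, would also make a malformed file easier to triage. The guard is otherwise placed correctly, before any use of the sampling factors visible in this hunk.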

Tags
#Division-by-zero #Omission #Multi-line #Added

#5

Link : https://github.com/vadz/libtiff/commit/d651abc097d91fac57f33b5f9447d0a9183f58e7
Description: Heap-buffer-overflow in cpStrips
CVE Info: CVE-2016-9273

At libtiff/tif_strip.c

@@ -69,8 +69,6 @@ TIFFNumberOfStrips(TIFF* tif)
        after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
        tif_dirread.c ~line 3612.
        See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+    if( td->td_nstrips )
+        return td->td_nstrips;
 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
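Review bot: The early `return td->td_nstrips;` trusts a cached count and skips the recomputation from `td_imagelength` and `td_rowsperstrip` below it. If either field can change after `td_nstrips` was first set, callers would get a stale count that may no longer match the strip arrays. The explanatory comment starts above the hunk, so it is not clear from here whether that case is excluded. I would state the invariant next to the check, e.g. `/* td_nstrips, once set, is the allocated size of the strip arrays and must win over a recomputed value */`. It is also worth confirming that every path that changes those two fields resets or updates `td_nstrips`.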

Tags
#Memory-error #Omission #Multi-line #Added #CVE
