1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 30 Jun 2017 17:29:44 +0000
Subject: [PATCH] * libtiff/tif_dirwrite.c: in
TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
data type, replace assertion that the file is BigTIFF, by a non-fatal error.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
OWL337
Upstream-Status: Backport
[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
CVE: CVE-2017-10688
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
ChangeLog | 8 ++++++++
libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0240f0b..42eaeb7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-06-30 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
+ functions associated with LONG8/SLONG8 data type, replace assertion that
+ the file is BigTIFF, by a non-fatal error.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
+ Reported by team OWL337
+
2017-06-26 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 2967da5..8d6686b 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
{
uint64 m;
assert(sizeof(uint64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
m=value;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8(&m);
@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
{
assert(count<0x20000000);
assert(sizeof(uint64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong8(value,count);
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
{
int64 m;
assert(sizeof(int64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
m=value;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8((uint64*)(&m));
@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
{
assert(count<0x20000000);
assert(sizeof(int64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong8((uint64*)value,count);
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
--
2.7.4
|
