1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 19:02:49 +0000
Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
_TIFFcalloc()
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
Upstream-Status: Backport
CVE: CVE-2017-7593
Signed-off-by: Rajkumar Veer <rveer@mvista.com>
Index: tiff-4.0.7/ChangeLog
===================================================================
--- tiff-4.0.7.orig/ChangeLog 2017-04-25 19:03:20.584155452 +0530
+++ tiff-4.0.7/ChangeLog 2017-04-26 12:09:41.986866896 +0530
@@ -44,6 +44,14 @@
2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc()
+
+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+ initialize tif_rawdata.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
avoid UndefinedBehaviorSanitizer warning.
Patch by Nicolas Pena.
Index: tiff-4.0.7/libtiff/tif_read.c
===================================================================
--- tiff-4.0.7.orig/libtiff/tif_read.c 2017-04-25 19:03:20.584155452 +0530
+++ tiff-4.0.7/libtiff/tif_read.c 2017-04-26 12:11:42.814863729 +0530
@@ -986,7 +986,9 @@
"Invalid buffer size");
return (0);
}
- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+ /* Initialize to zero to avoid uninitialized buffers in case of */
+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
tif->tif_flags |= TIFF_MYBUFFER;
}
if (tif->tif_rawdata == NULL) {
Index: tiff-4.0.7/libtiff/tif_unix.c
===================================================================
--- tiff-4.0.7.orig/libtiff/tif_unix.c 2015-08-29 03:46:22.707817041 +0530
+++ tiff-4.0.7/libtiff/tif_unix.c 2017-04-26 12:13:07.442861510 +0530
@@ -316,6 +316,14 @@
return (malloc((size_t) s));
}
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+ if( nmemb == 0 || siz == 0 )
+ return ((void *) NULL);
+
+ return calloc((size_t) nmemb, (size_t)siz);
+}
+
void
_TIFFfree(void* p)
{
Index: tiff-4.0.7/libtiff/tif_win32.c
===================================================================
--- tiff-4.0.7.orig/libtiff/tif_win32.c 2015-08-29 03:46:22.730570169 +0530
+++ tiff-4.0.7/libtiff/tif_win32.c 2017-04-26 12:14:12.918859794 +0530
@@ -360,6 +360,14 @@
return (malloc((size_t) s));
}
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+ if( nmemb == 0 || siz == 0 )
+ return ((void *) NULL);
+
+ return calloc((size_t) nmemb, (size_t)siz);
+}
+
void
_TIFFfree(void* p)
{
Index: tiff-4.0.7/libtiff/tiffio.h
===================================================================
--- tiff-4.0.7.orig/libtiff/tiffio.h 2016-01-24 21:09:51.894442042 +0530
+++ tiff-4.0.7/libtiff/tiffio.h 2017-04-26 12:15:55.034857117 +0530
@@ -293,6 +293,7 @@
*/
extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
extern void* _TIFFrealloc(void* p, tmsize_t s);
extern void _TIFFmemset(void* p, int v, tmsize_t c);
extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
|
