
Side by Side Diff: third_party/libtiff/0002-CVE-2015-8665-8683.patch

Issue 2054993002: Apply security fixes to libtiff that are not in 4.0.6. (Closed) Base URL: https://pdfium.googlesource.com/pdfium@master
Patch Set: Created 4 years, 6 months ago
(Empty)
1 From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
2 From: erouault <erouault>
3 Date: Sat, 26 Dec 2015 17:32:03 +0000
4 Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
5 TIFFRGBAImage interface in case of unsupported values of
6 SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
7 TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
8 limingxing and CVE-2015-8683 reported by zzf of Alibaba.
9
10 ---
11 ChangeLog | 8 ++++++++
12 libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
13 2 files changed, 30 insertions(+), 13 deletions(-)
14
15 Index: tiff-4.0.3/libtiff/tif_getimage.c
16 ===================================================================
17 --- tiff-4.0.3.orig/libtiff/tif_getimage.c 2016-03-23 10:13:42.728371661 -0 400
18 +++ tiff-4.0.3/libtiff/tif_getimage.c 2016-03-23 10:13:42.724371614 -0400
19 @@ -182,20 +182,22 @@
20 "Planarconfiguration", td->td_planarconfig);
21 return (0);
22 }
23 - if( td->td_samplesperpixel != 3 )
24 + if( td->td_samplesperpixel != 3 || colorchannels != 3 )
25 {
26 sprintf(emsg,
27 - "Sorry, can not handle image with %s=%d",
28 - "Samples/pixel", td->td_samplesperpixel);
29 + "Sorry, can not handle image with %s=%d, %s=%d",
30 + "Samples/pixel", td->td_samplesperpixel,
31 + "colorchannels", colorchannels);
32 return 0;
33 }
34 break;
35 case PHOTOMETRIC_CIELAB:
36 - if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
37 + if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bit spersample != 8 )
38 {
39 sprintf(emsg,
40 - "Sorry, can not handle image with %s=%d and %s=%d",
41 + "Sorry, can not handle image with %s=%d, %s=%d and %s=% d",
42 "Samples/pixel", td->td_samplesperpixel,
43 + "colorchannels", colorchannels,
44 "Bits/sample", td->td_bitspersample);
45 return 0;
46 }
47 @@ -255,6 +257,9 @@
48 int colorchannels;
49 uint16 *red_orig, *green_orig, *blue_orig;
50 int n_color;
51 +
52 + if( !TIFFRGBAImageOK(tif, emsg) )
53 + return 0;
54
55 /* Initialize to normal values */
56 img->row_offset = 0;
57 @@ -2470,29 +2475,33 @@
58 case PHOTOMETRIC_RGB:
59 switch (img->bitspersample) {
60 case 8:
61 - if (img->alpha == EXTRASAMPLE_ASSOCALPHA )
62 + if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
63 + img->samplesperpixel >= 4)
64 img->put.contig = putRGBAAcontig 8bittile;
65 - else if (img->alpha == EXTRASAMPLE_UNASS ALPHA)
66 + else if (img->alpha == EXTRASAMPLE_UNASS ALPHA &&
67 + img->samplesperpixel >= 4)
68 {
69 if (BuildMapUaToAa(img))
70 img->put.contig = putRGB UAcontig8bittile;
71 }
72 - else
73 + else if( img->samplesperpixel >= 3 )
74 img->put.contig = putRGBcontig8b ittile;
75 break;
76 case 16:
77 - if (img->alpha == EXTRASAMPLE_ASSOCALPHA )
78 + if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
79 + img->samplesperpixel >=4 )
80 {
81 if (BuildMapBitdepth16To8(img))
82 img->put.contig = putRGB AAcontig16bittile;
83 }
84 - else if (img->alpha == EXTRASAMPLE_UNASS ALPHA)
85 + else if (img->alpha == EXTRASAMPLE_UNASS ALPHA &&
86 + img->samplesperpixel >= 4 )
87 {
88 if (BuildMapBitdepth16To8(img) & &
89 BuildMapUaToAa(img))
90 img->put.contig = putRGB UAcontig16bittile;
91 }
92 - else
93 + else if( img->samplesperpixel >=3 )
94 {
95 if (BuildMapBitdepth16To8(img))
96 img->put.contig = putRGB contig16bittile;
97 @@ -2501,7 +2510,7 @@
98 }
99 break;
100 case PHOTOMETRIC_SEPARATED:
101 - if (buildMap(img)) {
102 + if (img->samplesperpixel >=4 && buildMap(img)) {
103 if (img->bitspersample == 8) {
104 if (!img->Map)
105 img->put.contig = putRGBcontig8b itCMYKtile;
106 @@ -2597,7 +2606,7 @@
107 }
108 break;
109 case PHOTOMETRIC_CIELAB:
110 - if (buildMap(img)) {
111 + if (img->samplesperpixel == 3 && buildMap(img)) {
112 if (img->bitspersample == 8)
113 img->put.contig = initCIELabConversion(i mg);
114 break;
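Review bot: The early return added to TIFFRGBAImageBegin (patch lines 52-53) runs before the `/* Initialize to normal values */` block, so on that path `img` is handed back untouched, and a caller that calls TIFFRGBAImageEnd() after a failed Begin would presumably operate on uninitialized fields. I would document that next to the check, e.g. `/* img is not initialized on this path; do not call TIFFRGBAImageEnd() after failure */`, or move the check below the initialization. Separately, the new `samplesperpixel` guards in the PHOTOMETRIC_RGB cases leave `img->put.contig` unassigned when no branch matches, which is safe only if the field is cleared beforehand and the function's tail rejects a NULL routine; both lie outside these hunks and are worth confirming. The patch paths reference a tiff-4.0.3 tree while the issue title speaks of fixes missing from 4.0.6, so also check that the hunks apply to the vendored source without fuzz.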