| @@ -1,133 +1,127 @@ | | | @@ -1,133 +1,127 @@ |
1 | $NetBSD: patch-libtiff_tif_dirinfo.c,v 1.2 2017/06/21 02:38:21 pgoyette Exp $ | | 1 | $NetBSD: patch-libtiff_tif_dirinfo.c,v 1.3 2017/06/21 02:47:45 pgoyette Exp $ |
2 | | | 2 | |
3 | fix CVE-2014-8128, CVE-2016-5318, CVE-2015-7554 & CVE-2016-10095 | | 3 | fix CVE-2014-8128, CVE-2016-5318, CVE-2015-7554 & CVE-2016-10095 |
4 | per http://bugzilla.maptools.org/show_bug.cgi?id=2580 | | 4 | per http://bugzilla.maptools.org/show_bug.cgi?id=2580 |
5 | | | 5 | |
6 | also CVE-2017-9147 | | 6 | also CVE-2017-9147 |
7 | (http://bugzilla.maptools.org/show_bug.cgi?id=2693) | | 7 | (http://bugzilla.maptools.org/show_bug.cgi?id=2693) |
8 | | | 8 | |
9 | | | 9 | |
10 | Index: tif_dirinfo.c | | 10 | Index: tif_dirinfo.c |
11 | =================================================================== | | 11 | =================================================================== |
12 | RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v | | 12 | RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v |
13 | retrieving revision 1.126 | | 13 | retrieving revision 1.126 |
14 | retrieving revision 1.127 | | 14 | retrieving revision 1.127 |
15 | diff -w -u -b -r1.126 -r1.127 | | 15 | diff -w -u -b -r1.126 -r1.127 |
16 | --- libtiff/tif_dirinfo.c.orig 18 Nov 2016 02:52:13 -0000 1.126 | | 16 | --- libtiff/tif_dirinfo.c.orig 18 Nov 2016 02:52:13 -0000 1.126 |
17 | +++ libtiff/tif_dirinfo.c 1 Jun 2017 12:44:04 -0000 1.127 | | 17 | +++ libtiff/tif_dirinfo.c 1 Jun 2017 12:44:04 -0000 1.127 |
18 | @@ -1,4 +1,4 @@ | | | |
19 | -/* $Id: patch-libtiff_tif_dirinfo.c,v 1.2 2017/06/21 02:38:21 pgoyette Exp $ */ | | | |
20 | +/* $Id: patch-libtiff_tif_dirinfo.c,v 1.2 2017/06/21 02:38:21 pgoyette Exp $ */ | | | |
21 | | | | |
22 | /* | | | |
23 | * Copyright (c) 1988-1997 Sam Leffler | | | |
24 | @@ -956,6 +956,109 @@ | | 18 | @@ -956,6 +956,109 @@ |
25 | return 0; | | 19 | return 0; |
26 | } | | 20 | } |
27 | | | 21 | |
28 | +int | | 22 | +int |
29 | +_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) | | 23 | +_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) |
30 | +{ | | 24 | +{ |
31 | + /* Filter out non-codec specific tags */ | | 25 | + /* Filter out non-codec specific tags */ |
32 | + switch (tag) { | | 26 | + switch (tag) { |
33 | + /* Shared tags */ | | 27 | + /* Shared tags */ |
34 | + case TIFFTAG_PREDICTOR: | | 28 | + case TIFFTAG_PREDICTOR: |
35 | + /* JPEG tags */ | | 29 | + /* JPEG tags */ |
36 | + case TIFFTAG_JPEGTABLES: | | 30 | + case TIFFTAG_JPEGTABLES: |
37 | + /* OJPEG tags */ | | 31 | + /* OJPEG tags */ |
38 | + case TIFFTAG_JPEGIFOFFSET: | | 32 | + case TIFFTAG_JPEGIFOFFSET: |
39 | + case TIFFTAG_JPEGIFBYTECOUNT: | | 33 | + case TIFFTAG_JPEGIFBYTECOUNT: |
40 | + case TIFFTAG_JPEGQTABLES: | | 34 | + case TIFFTAG_JPEGQTABLES: |
41 | + case TIFFTAG_JPEGDCTABLES: | | 35 | + case TIFFTAG_JPEGDCTABLES: |
42 | + case TIFFTAG_JPEGACTABLES: | | 36 | + case TIFFTAG_JPEGACTABLES: |
43 | + case TIFFTAG_JPEGPROC: | | 37 | + case TIFFTAG_JPEGPROC: |
44 | + case TIFFTAG_JPEGRESTARTINTERVAL: | | 38 | + case TIFFTAG_JPEGRESTARTINTERVAL: |
45 | + /* CCITT* */ | | 39 | + /* CCITT* */ |
46 | + case TIFFTAG_BADFAXLINES: | | 40 | + case TIFFTAG_BADFAXLINES: |
47 | + case TIFFTAG_CLEANFAXDATA: | | 41 | + case TIFFTAG_CLEANFAXDATA: |
48 | + case TIFFTAG_CONSECUTIVEBADFAXLINES: | | 42 | + case TIFFTAG_CONSECUTIVEBADFAXLINES: |
49 | + case TIFFTAG_GROUP3OPTIONS: | | 43 | + case TIFFTAG_GROUP3OPTIONS: |
50 | + case TIFFTAG_GROUP4OPTIONS: | | 44 | + case TIFFTAG_GROUP4OPTIONS: |
51 | + break; | | 45 | + break; |
52 | + default: | | 46 | + default: |
53 | + return 1; | | 47 | + return 1; |
54 | + } | | 48 | + } |
55 | + /* Check if codec specific tags are allowed for the current | | 49 | + /* Check if codec specific tags are allowed for the current |
56 | + * compression scheme (codec) */ | | 50 | + * compression scheme (codec) */ |
57 | + switch (tif->tif_dir.td_compression) { | | 51 | + switch (tif->tif_dir.td_compression) { |
58 | + case COMPRESSION_LZW: | | 52 | + case COMPRESSION_LZW: |
59 | + if (tag == TIFFTAG_PREDICTOR) | | 53 | + if (tag == TIFFTAG_PREDICTOR) |
60 | + return 1; | | 54 | + return 1; |
61 | + break; | | 55 | + break; |
62 | + case COMPRESSION_PACKBITS: | | 56 | + case COMPRESSION_PACKBITS: |
63 | + /* No codec-specific tags */ | | 57 | + /* No codec-specific tags */ |
64 | + break; | | 58 | + break; |
65 | + case COMPRESSION_THUNDERSCAN: | | 59 | + case COMPRESSION_THUNDERSCAN: |
66 | + /* No codec-specific tags */ | | 60 | + /* No codec-specific tags */ |
67 | + break; | | 61 | + break; |
68 | + case COMPRESSION_NEXT: | | 62 | + case COMPRESSION_NEXT: |
69 | + /* No codec-specific tags */ | | 63 | + /* No codec-specific tags */ |
70 | + break; | | 64 | + break; |
71 | + case COMPRESSION_JPEG: | | 65 | + case COMPRESSION_JPEG: |
72 | + if (tag == TIFFTAG_JPEGTABLES) | | 66 | + if (tag == TIFFTAG_JPEGTABLES) |
73 | + return 1; | | 67 | + return 1; |
74 | + break; | | 68 | + break; |
75 | + case COMPRESSION_OJPEG: | | 69 | + case COMPRESSION_OJPEG: |
76 | + switch (tag) { | | 70 | + switch (tag) { |
77 | + case TIFFTAG_JPEGIFOFFSET: | | 71 | + case TIFFTAG_JPEGIFOFFSET: |
78 | + case TIFFTAG_JPEGIFBYTECOUNT: | | 72 | + case TIFFTAG_JPEGIFBYTECOUNT: |
79 | + case TIFFTAG_JPEGQTABLES: | | 73 | + case TIFFTAG_JPEGQTABLES: |
80 | + case TIFFTAG_JPEGDCTABLES: | | 74 | + case TIFFTAG_JPEGDCTABLES: |
81 | + case TIFFTAG_JPEGACTABLES: | | 75 | + case TIFFTAG_JPEGACTABLES: |
82 | + case TIFFTAG_JPEGPROC: | | 76 | + case TIFFTAG_JPEGPROC: |
83 | + case TIFFTAG_JPEGRESTARTINTERVAL: | | 77 | + case TIFFTAG_JPEGRESTARTINTERVAL: |
84 | + return 1; | | 78 | + return 1; |
85 | + } | | 79 | + } |
86 | + break; | | 80 | + break; |
87 | + case COMPRESSION_CCITTRLE: | | 81 | + case COMPRESSION_CCITTRLE: |
88 | + case COMPRESSION_CCITTRLEW: | | 82 | + case COMPRESSION_CCITTRLEW: |
89 | + case COMPRESSION_CCITTFAX3: | | 83 | + case COMPRESSION_CCITTFAX3: |
90 | + case COMPRESSION_CCITTFAX4: | | 84 | + case COMPRESSION_CCITTFAX4: |
91 | + switch (tag) { | | 85 | + switch (tag) { |
92 | + case TIFFTAG_BADFAXLINES: | | 86 | + case TIFFTAG_BADFAXLINES: |
93 | + case TIFFTAG_CLEANFAXDATA: | | 87 | + case TIFFTAG_CLEANFAXDATA: |
94 | + case TIFFTAG_CONSECUTIVEBADFAXLINES: | | 88 | + case TIFFTAG_CONSECUTIVEBADFAXLINES: |
95 | + return 1; | | 89 | + return 1; |
96 | + case TIFFTAG_GROUP3OPTIONS: | | 90 | + case TIFFTAG_GROUP3OPTIONS: |
97 | + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) | | 91 | + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) |
98 | + return 1; | | 92 | + return 1; |
99 | + break; | | 93 | + break; |
100 | + case TIFFTAG_GROUP4OPTIONS: | | 94 | + case TIFFTAG_GROUP4OPTIONS: |
101 | + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) | | 95 | + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) |
102 | + return 1; | | 96 | + return 1; |
103 | + break; | | 97 | + break; |
104 | + } | | 98 | + } |
105 | + break; | | 99 | + break; |
106 | + case COMPRESSION_JBIG: | | 100 | + case COMPRESSION_JBIG: |
107 | + /* No codec-specific tags */ | | 101 | + /* No codec-specific tags */ |
108 | + break; | | 102 | + break; |
109 | + case COMPRESSION_DEFLATE: | | 103 | + case COMPRESSION_DEFLATE: |
110 | + case COMPRESSION_ADOBE_DEFLATE: | | 104 | + case COMPRESSION_ADOBE_DEFLATE: |
111 | + if (tag == TIFFTAG_PREDICTOR) | | 105 | + if (tag == TIFFTAG_PREDICTOR) |
112 | + return 1; | | 106 | + return 1; |
113 | + break; | | 107 | + break; |
114 | + case COMPRESSION_PIXARLOG: | | 108 | + case COMPRESSION_PIXARLOG: |
115 | + if (tag == TIFFTAG_PREDICTOR) | | 109 | + if (tag == TIFFTAG_PREDICTOR) |
116 | + return 1; | | 110 | + return 1; |
117 | + break; | | 111 | + break; |
118 | + case COMPRESSION_SGILOG: | | 112 | + case COMPRESSION_SGILOG: |
119 | + case COMPRESSION_SGILOG24: | | 113 | + case COMPRESSION_SGILOG24: |
120 | + /* No codec-specific tags */ | | 114 | + /* No codec-specific tags */ |
121 | + break; | | 115 | + break; |
122 | + case COMPRESSION_LZMA: | | 116 | + case COMPRESSION_LZMA: |
123 | + if (tag == TIFFTAG_PREDICTOR) | | 117 | + if (tag == TIFFTAG_PREDICTOR) |
124 | + return 1; | | 118 | + return 1; |
125 | + break; | | 119 | + break; |
126 | + | | 120 | + |
127 | + } | | 121 | + } |
128 | + return 0; | | 122 | + return 0; |
129 | +} | | 123 | +} |
130 | + | | 124 | + |
131 | /* vim: set ts=8 sts=8 sw=8 noet: */ | | 125 | /* vim: set ts=8 sts=8 sw=8 noet: */ |
132 | | | 126 | |
133 | /* | | 127 | /* |