CVE-2012-4447 Index: tif_pixarlog.c =================================================================== RCS file: a/libtiff/tif_pixarlog.c,v retrieving revision 1.36 retrieving revision 1.39 diff -u -U 8 -r1.36 -r1.39 --- a/libtiff/tif_pixarlog.c 21 Jun 2012 01:01:53 -0000 1.38 +++ b/libtiff/tif_pixarlog.c 10 Dec 2012 17:27:13 -0000 1.39 @@ -639,16 +639,30 @@ tmsize_t bytes = m1 * m2; if (m1 && bytes / m1 != m2) bytes = 0; return bytes; } +static tmsize_t +add_ms(tmsize_t m1, tmsize_t m2) +{ + tmsize_t bytes = m1 + m2; + + /* if either input is zero, assume overflow already occurred */ + if (m1 == 0 || m2 == 0) + bytes = 0; + else if (bytes <= m1 || bytes <= m2) + bytes = 0; + + return bytes; +} + static int PixarLogFixupTags(TIFF* tif) { (void) tif; return (1); } static int 
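Review bot: add_ms() detects overflow only after computing `m1 + m2`, and tmsize_t is a signed type in libtiff (TIFF_SSIZE_T), so the addition is signed overflow — undefined behaviour — before the `bytes <= m1 || bytes <= m2` test ever runs, and an optimising compiler may delete that test. Check before adding instead, e.g. `if (m1 == 0 || m2 == 0 || m1 > TMSIZE_MAX - m2) return 0;` with TMSIZE_MAX being whatever maximum the headers define for tmsize_t (or a local `#define`). The existing multiply_ms() in the context above has the same post-hoc pattern (`bytes / m1 != m2` after the multiply) and deserves the same treatment. The zero-means-overflow convention is fine but should be stated in a comment at the declaration, since callers rely on it.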
@@ -666,19 +680,21 @@ tif->tif_postdecode = _TIFFNoPostDecode; /* for some reason, we can't do this in TIFFInitPixarLog */ sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1); tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), td->td_rowsperstrip), sizeof(uint16)); + /* add one more stride in case input ends mid-stride */ + tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); if (tbuf_size == 0) return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); if (sp->tbuf == NULL) return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { TIFFErrorExt(tif->tif_clientdata, module, "PixarLog compression can't handle bits depth/data format combination (depth: %d)", td->td_bitspersample); CVE-2012-4564 Index: ppm2tiff.c =================================================================== RCS file: a/tools/ppm2tiff.c,v retrieving revision 1.16 retrieving revision 1.18 diff -u -U 8 -r1.16 -r1.18 --- a/tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16 +++ b/tools/ppm2tiff.c 10 Dec 2012 18:19:11 -0000 1.18 
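Review bot: The `if (tbuf_size == 0) return (0);` path, which the new add_ms() call now also reaches on overflow, still fails without any diagnostic (the TODO on that line says as much), so a file with oversized stride/width/rowsperstrip is rejected silently rather than with a useful error. Since `module` is already used with TIFFErrorExt a few lines further down, add `TIFFErrorExt(tif->tif_clientdata, module, "Buffer size overflow (stride * width * rowsperstrip)");` before the return and drop the TODO. The enclosing setup function begins before this hunk.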
@@ -67,33 +67,45 @@ static void BadPPM(char* file) { fprintf(stderr, "%s: Not a PPM file.\n", file); exit(-2); } +static tmsize_t +multiply_ms(tmsize_t m1, tmsize_t m2) +{ + tmsize_t bytes = m1 * m2; + + if (m1 && bytes / m1 != m2) + bytes = 0; + + return bytes; +} + int main(int argc, char* argv[]) { uint16 photometric = 0; uint32 rowsperstrip = (uint32) -1; double resolution = -1; unsigned char *buf = NULL; - tsize_t linebytes = 0; + tmsize_t linebytes = 0; uint16 spp = 1; uint16 bpp = 8; TIFF *out; FILE *in; unsigned int w, h, prec, row; char *infile; int c; extern int optind; extern char* optarg; + tmsize_t scanline_size; if (argc < 2) { fprintf(stderr, "%s: Too few arguments\n", argv[0]); usage(); } while ((c = getopt(argc, argv, "c:r:R:")) != -1) switch (c) { case 'c': /* compression scheme */ 
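Review bot: The multiply_ms() copied into ppm2tiff.c performs `m1 * m2` on signed tmsize_t values and only afterwards checks the quotient, so the overflow it is meant to catch is undefined behaviour before the check executes. Since both call sites in this file pass the unsigned `spp` and `w`, a pre-check avoids the problem entirely, e.g. `if (m1 != 0 && m2 > TMSIZE_MAX / m1) return 0;` with the tmsize_t maximum the headers provide, or compute the product in `uint64` and reject anything above that maximum. This helper is also a verbatim copy of the one added to libtiff/tif_pixarlog.c; a single shared implementation would keep future fixes in one place.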
@@ -216,34 +228,51 @@ TIFFSetField(out, TIFFTAG_PREDICTOR, predictor); break; case COMPRESSION_CCITTFAX3: TIFFSetField(out, TIFFTAG_GROUP3OPTIONS, g3opts); break; } switch (bpp) { case 1: - linebytes = (spp * w + (8 - 1)) / 8; + /* if round-up overflows, result will be zero, OK */ + linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; if (rowsperstrip == (uint32) -1) { TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); } else { TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, TIFFDefaultStripSize(out, rowsperstrip)); } break; case 8: - linebytes = spp * w; + linebytes = multiply_ms(spp, w); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, TIFFDefaultStripSize(out, rowsperstrip)); break; } - if (TIFFScanlineSize(out) > linebytes) + if (linebytes == 0) { + fprintf(stderr, "%s: scanline size overflow\n", infile); + (void) TIFFClose(out); + exit(-2); + } + scanline_size = TIFFScanlineSize(out); + if (scanline_size == 0) { + /* overflow - TIFFScanlineSize already printed a message */ + (void) TIFFClose(out); + exit(-2); + } + if (scanline_size < linebytes) buf = (unsigned char *)_TIFFmalloc(linebytes); else - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + buf = (unsigned char *)_TIFFmalloc(scanline_size); + if (buf == NULL) { + fprintf(stderr, "%s: Not enough memory\n", infile); + (void) TIFFClose(out); + exit(-2); + } if (resolution > 0) { TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_RESOLUTIONUNIT, RESUNIT_INCH); } for (row = 0; row < h; row++) { if (fread(buf, linebytes, 1, in) != 1) { fprintf(stderr, "%s: scanline %lu: Read error.\n", CVE-2013-1961 diff -Naur tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c tiff-4.0.3/contrib/dbs/xtiff/xtiff.c --- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2010-06-08 14:55:15.000000000 -0400 +++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-05-02 12:02:42.782287939 -0400 
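Review bot: The comment `/* if round-up overflows, result will be zero, OK */` does not hold for a signed tmsize_t: when `multiply_ms(spp, w)` returns a value within 7 of the type maximum, the `+ (8 - 1)` is signed overflow, and if it wraps it yields a negative linebytes rather than zero, which the new `if (linebytes == 0)` check does not catch. Test `if (linebytes <= 0)` instead (or compare the product against the maximum before rounding) and correct the comment. The `switch (bpp)` also has no `default:`; if bpp can ever be something other than 1 or 8, the zero linebytes now surfaces as a misleading "scanline size overflow" message, so a default arm with its own message would be clearer. main() continues outside this hunk.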
@@ -512,9 +512,9 @@ Arg args[1]; if (tfMultiPage) - sprintf(buffer, "%s - page %d", fileName, tfDirectory); + snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); else - strcpy(buffer, fileName); + snprintf(buffer, sizeof(buffer), "%s", fileName); XtSetArg(args[0], XtNlabel, buffer); XtSetValues(labelWidget, args, 1); } diff -Naur tiff-4.0.3.orig/libtiff/tif_codec.c tiff-4.0.3/libtiff/tif_codec.c --- tiff-4.0.3.orig/libtiff/tif_codec.c 2010-12-14 09:18:28.000000000 -0500 +++ tiff-4.0.3/libtiff/tif_codec.c 2013-05-02 12:02:42.783287946 -0400 @@ -108,7 +108,8 @@ const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); char compression_code[20]; - sprintf( compression_code, "%d", tif->tif_dir.td_compression ); + snprintf(compression_code, sizeof(compression_code), "%d", + tif->tif_dir.td_compression ); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "%s compression support is not configured", c ? c->name : compression_code ); diff -Naur tiff-4.0.3.orig/libtiff/tif_dirinfo.c tiff-4.0.3/libtiff/tif_dirinfo.c --- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2012-08-19 12:56:34.000000000 -0400 +++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-05-02 12:02:42.784287953 -0400 @@ -711,7 +711,7 @@ * note that this name is a special sign to TIFFClose() and * _TIFFSetupFields() to free the field */ - sprintf(fld->field_name, "Tag %d", (int) tag); + snprintf(fld->field_name, 32, "Tag %d", (int) tag); return fld; } diff -Naur tiff-4.0.3.orig/tools/rgb2ycbcr.c tiff-4.0.3/tools/rgb2ycbcr.c --- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2011-05-31 13:03:16.000000000 -0400 +++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-05-02 12:02:42.785287961 -0400 
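Review bot: In tif_dirinfo.c, `snprintf(fld->field_name, 32, "Tag %d", (int) tag);` hard-codes the destination size as a literal 32 that has to stay in step with the `_TIFFmalloc` of field_name done earlier in the function, outside this hunk; if either side changes, the bound becomes wrong without any warning. Define the length once (a file-level `#define ANON_FIELD_NAME_LEN 32` or a local `const size_t name_len = 32;`) and use it for both the allocation and the snprintf. The `(int)` cast also prints any tag value above 0x7FFFFFFF as a negative number, if tag is the 32-bit unsigned value the cast suggests; `"Tag %u", (unsigned) tag` keeps the generated name faithful. _TIFFCreateAnonField begins outside this hunk.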
@@ -332,7 +332,8 @@ TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); { char buf[2048]; char *cp = strrchr(TIFFFileName(in), '/'); - sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); + snprintf(buf, sizeof(buf), "YCbCr conversion of %s", + cp ? cp+1 : TIFFFileName(in)); TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); } TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); diff -Naur tiff-4.0.3.orig/tools/tiff2bw.c tiff-4.0.3/tools/tiff2bw.c --- tiff-4.0.3.orig/tools/tiff2bw.c 2010-07-08 12:10:24.000000000 -0400 +++ tiff-4.0.3/tools/tiff2bw.c 2013-05-02 12:02:42.785287961 -0400 @@ -205,7 +205,7 @@ } } TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); - sprintf(thing, "B&W version of %s", argv[optind]); + snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c --- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 +++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:02:42.788287983 -0400 @@ -3609,7 +3609,9 @@ char buffer[16]; int buflen=0; - buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff); + buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", + t2p->pdf_majorversion&0xff, + t2p->pdf_minorversion&0xff); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7); 
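Review bot: In tiff2pdf.c, `buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ", ...)` followed by `t2pWriteFile(output, (tdata_t) buffer, buflen)` relies on snprintf's return value, which is the length the full string would have had, not the number of bytes stored; if the output is ever truncated (or snprintf fails and returns -1) the write reads past the 16-byte array. This particular format is bounded because both values are masked with `&0xff` (at most 13 characters), but the same idiom is applied to every header field in this patch and several of those format values taken from the input TIFF. A small helper such as `static int t2p_fmt(char *buf, size_t n, const char *fmt, ...)` that returns -1 when the result is negative or `>= n`, with callers setting T2P_ERR_ERROR on -1, would close the gap everywhere; at minimum guard with `if (buflen < 0 || (size_t)buflen >= sizeof(buffer)) buflen = 0;`. t2p_write_pdf_header continues outside this hunk.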
@@ -3623,10 +3625,10 @@ tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; - buflen=sprintf(buffer, "%lu", (unsigned long)number); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); written += t2pWriteFile(output, (tdata_t) buffer, buflen ); written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7); @@ -3665,13 +3667,13 @@ written += t2pWriteFile(output, (tdata_t) "/", 1); for (i=0;i 0x7E){ - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); nextchar=1; 
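Review bot: In t2p_write_pdf_name, the `buffer[sizeof(buffer) - 1] = '\0';` that follows `snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);` is now dead weight, because snprintf always NUL-terminates when given a non-zero size; it only hides the fact that the escape is assumed to be exactly three bytes. The assumption itself is fragile: `%.2X` yields two hex digits only if name[i] is treated as an unsigned byte, and a negative plain `char` promotes to a large int and prints eight digits, after which the fixed `3` emits a wrong escape. Cast explicitly, `snprintf(buffer, sizeof(buffer), "#%.2X", (unsigned char)name[i]);`, and drop the redundant terminator stores. The function's loop header lies at the start of this hunk and its body continues into the next one.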
@@ -3679,57 +3681,57 @@ if (nextchar==0){ switch (name[i]){ case 0x23: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x25: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x28: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x29: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x2F: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x3C: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x3E: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x5B: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x5D: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x7B: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += 
t2pWriteFile(output, (tdata_t) buffer, 3); break; case 0x7D: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break; @@ -3844,14 +3846,14 @@ tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "/Length ", 8); if(len!=0){ written += t2p_write_pdf_stream_length(len, output); } else { - buflen=sprintf(buffer, "%lu", (unsigned long)number); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); } @@ -3892,10 +3894,10 @@ tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; - buflen=sprintf(buffer, "%lu", (unsigned long)len); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "\n", 1); @@ -3909,7 +3911,7 @@ tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output) { tsize_t written = 0; - char buffer[16]; + char buffer[32]; int buflen = 0; written += t2pWriteFile(output, @@ -3948,7 +3950,6 @@ written += t2p_write_pdf_string(t2p->pdf_datetime, output); } written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11); - _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer)); snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION); written += t2p_write_pdf_string(buffer, output); written += t2pWriteFile(output, (tdata_t) "\n", 1); @@ -4089,7 +4090,7 @@ { tsize_t written=0; tdir_t i=0; - char buffer[16]; + char buffer[32]; int buflen=0; int page=0; 
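Review bot: The eleven `case` arms (0x23 through 0x7D) in the t2p_write_pdf_name hunk are the same three statements repeated, so the bound and the escape format are now maintained in eleven places; a single membership test, `if (name[i] != 0 && strchr("#%()/<>[]{}", name[i]) != NULL)` (the `!= 0` guard matters because strchr also matches the terminating NUL), followed by one `snprintf`/`t2pWriteFile` pair would express the rule once. Behaviour is unchanged — the set is exactly the PDF delimiter characters plus `#` — and that is worth stating in a comment above the switch. The function begins in the previous hunk.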
@@ -4097,7 +4098,7 @@ (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26); page = t2p->pdf_pages+1; for (i=0;itiff_pagecount;i++){ - buflen=sprintf(buffer, "%d", page); + buflen=snprintf(buffer, sizeof(buffer), "%d", page); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); if ( ((i+1)%8)==0 ) { @@ -4112,8 +4113,7 @@ } } written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%d", t2p->tiff_pagecount); + buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6); 
@@ -4128,28 +4128,28 @@ unsigned int i=0; tsize_t written=0; - char buffer[16]; + char buffer[256]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); - buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1); + buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1); + buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2); + buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2); + buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "] \n", 3); written += t2pWriteFile(output, (tdata_t) "/Contents ", 10); - buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1)); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6); written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15); 
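Review bot: The `%.4f` conversions of the mediabox values are why `buffer` grew from 16 to 256 bytes, but the fix only moves the cliff: `%.4f` of a float can occupy about 45 characters (up to 39 integer digits plus the fraction), which fits, yet if `pdf_mediabox` were ever changed to double the expansion can exceed 300 characters, snprintf truncates, and the returned buflen greater than sizeof(buffer) makes the following `t2pWriteFile` read past the array. Guard each formatting step with `if (buflen < 0 || (size_t)buflen >= sizeof(buffer)) { t2p->t2p_error = T2P_ERR_ERROR; return written; }` so the safety no longer depends on the field types, and note the worst-case arithmetic next to the declaration. t2p_write_pdf_page continues past the end of this hunk.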
@@ -4157,15 +4157,13 @@ written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount;i++){ written += t2pWriteFile(output, (tdata_t) "/Im", 3); - buflen = sprintf(buffer, "%u", t2p->pdf_page+1); + buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "_", 1); - buflen = sprintf(buffer, "%u", i+1); + buflen = snprintf(buffer, sizeof(buffer), "%u", i+1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen = sprintf( - buffer, - "%lu", + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); @@ -4177,12 +4175,10 @@ } else { written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12); written += t2pWriteFile(output, (tdata_t) "/Im", 3); - buflen = sprintf(buffer, "%u", t2p->pdf_page+1); + buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - buflen = sprintf( - buffer, - "%lu", + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); @@ -4191,9 +4187,7 @@ if(t2p->tiff_transferfunctioncount != 0) { written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13); t2pWriteFile(output, (tdata_t) "/GS1 ", 5); - buflen = sprintf( - buffer, - "%lu", + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 3)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); 
@@ -4566,7 +4560,7 @@ if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ for(i=0;itiff_tiles[t2p->pdf_page].tiles_tilecount; i++){ box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box; - buflen=sprintf(buffer, + buflen=snprintf(buffer, sizeof(buffer), "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", t2p->tiff_transferfunctioncount?"/GS1 gs ":"", box.mat[0], @@ -4581,7 +4575,7 @@ } } else { box=t2p->pdf_imagebox; - buflen=sprintf(buffer, + buflen=snprintf(buffer, sizeof(buffer), "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", t2p->tiff_transferfunctioncount?"/GS1 gs ":"", box.mat[0], 
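Review bot: Both snprintf calls here format six `%.4f` floats from `box.mat` (values derived from the image dimensions and resolution in the input file), while the declaration of `buffer` and the `t2pWriteFile(output, buffer, buflen)` that consumes buflen lie outside the hunk, so the fix cannot be judged from what is shown: the write is safe only if that buffer covers the worst case (six floats at up to ~45 characters each plus the fixed text, roughly 320 bytes) or buflen is rejected when snprintf reports truncation. Add `if (buflen < 0 || (size_t)buflen >= sizeof(buffer)) { t2p->t2p_error = T2P_ERR_ERROR; return written; }` after each call, or size the buffer for the worst case and document the arithmetic where it is declared. The enclosing page-content writer begins and ends outside this hunk.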
@@ -4606,59 +4600,48 @@ TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); written += t2pWriteFile(output, (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", 42); - buflen=sprintf(buffer, "%u", t2p->pdf_page+1); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1); written += t2pWriteFile(output, (tdata_t) buffer, buflen); if(tile != 0){ written += t2pWriteFile(output, (tdata_t) "_", 1); - buflen=sprintf(buffer, "%lu", (unsigned long)tile); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8); - _TIFFmemset((tdata_t)buffer, 0x00, 16); if(tile==0){ - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); } else { if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); } else { - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); } } written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9); - _TIFFmemset((tdata_t)buffer, 0x00, 16); if(tile==0){ - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); } else { if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){ - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); } else { - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, 
sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); } } written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19); - _TIFFmemset((tdata_t)buffer, 0x00, 16); - buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13); written += t2p_write_pdf_xobject_cs(t2p, output); @@ -4702,11 +4685,10 @@ t2p->pdf_colorspace ^= T2P_CS_PALETTE; written += t2p_write_pdf_xobject_cs(t2p, output); t2p->pdf_colorspace |= T2P_CS_PALETTE; - buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); + buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 ); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " ", 1); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7); return(written); @@ -4740,10 +4722,10 @@ X_W /= Y_W; Z_W /= Y_W; Y_W = 1.0F; - buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/Range ", 7); - buflen=sprintf(buffer, "[%d %d %d %d] \n", + buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", t2p->pdf_labrange[0], t2p->pdf_labrange[1], t2p->pdf_labrange[2], 
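Review bot: `buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);` formats white-point ratios taken from the input file after the `X_W /= Y_W` normalisation, so X_W and Z_W can be arbitrarily large for a tiny Y_W, and the buffer this function uses is declared outside the hunk and was not visibly enlarged by this patch; if it is still 16 bytes the call truncates and the returned buflen overruns it on the following write. Either enlarge it as t2p_write_pdf_xobject_calcs was (`char buffer[256];`) or refuse the truncated case with `if (buflen < 0 || (size_t)buflen >= sizeof(buffer)) { t2p->t2p_error = T2P_ERR_ERROR; return written; }`. Dividing by Y_W with no zero check also deserves a guard, since it leaves `inf`/`nan` text in the PDF. The enclosing function begins and ends outside this hunk.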
@@ -4759,26 +4741,26 @@ tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25); if(t2p->tiff_transferfunctioncount == 1){ - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); } else { written += t2pWriteFile(output, (tdata_t) "[ ", 2); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 2)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 3)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R ", 5); @@ -4800,7 +4782,7 @@ written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17); written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19); written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18); - buflen=sprintf(buffer, "/Size [%u] \n", (1<tiff_bitspersample)); + buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<tiff_bitspersample)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19); written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output); 
@@ -4827,7 +4809,7 @@ tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[128]; + char buffer[256]; int buflen=0; float X_W=0.0; @@ -4895,16 +4877,16 @@ written += t2pWriteFile(output, (tdata_t) "<< \n", 4); if(t2p->pdf_colorspace & T2P_CS_CALGRAY){ written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); - buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12); } if(t2p->pdf_colorspace & T2P_CS_CALRGB){ written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12); - buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); + buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8); - buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", + buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", X_R, Y_R, Z_R, X_G, Y_G, Z_G, X_B, Y_B, Z_B); @@ -4923,11 +4905,11 @@ tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7); 
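Review bot: `char buffer[256]` is still short of the worst case for the `/Matrix` line in t2p_write_pdf_xobject_calcs: nine `%.4f` conversions of float values can each produce about 45 characters (39 integer digits, the point and four decimals), so the line can reach roughly 420 bytes, and X_R..Z_B derive from the TIFF's primary-chromaticity and white-point tags, which a crafted file controls. snprintf then truncates and returns the full length, and the `t2pWriteFile(output, buffer, buflen)` that follows (outside the hunk) reads past the array. Size the buffer for the worst case (`char buffer[512];`) and still check `if (buflen < 0 || (size_t)buflen >= sizeof(buffer))`, or validate that the nine values are finite and within a plausible colorimetric range before formatting them. The function begins and ends outside this hunk.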
@@ -4937,11 +4919,11 @@ tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; written += t2pWriteFile(output, (tdata_t) "/N ", 3); - buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel); + buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11); t2p->pdf_colorspace ^= T2P_CS_ICCBASED; @@ -5006,7 +4988,7 @@ tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[16]; + char buffer[32]; int buflen=0; if(t2p->pdf_compression==T2P_COMPRESS_NONE){ 
@@ -5021,41 +5003,33 @@ written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9); if(tile==0){ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); - buflen=sprintf(buffer, "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } else { if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } else { written += t2pWriteFile(output, (tdata_t) "/Columns ", 9); - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){ written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } else { written += t2pWriteFile(output, (tdata_t) " /Rows ", 7); - buflen=sprintf( - buffer, - "%lu", + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength); written += t2pWriteFile(output, (tdata_t) buffer, buflen); } 
@@ -5082,21 +5056,17 @@ if(t2p->pdf_compressionquality%100){ written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " /Columns ", 10); - _TIFFmemset(buffer, 0x00, 16); - buflen = sprintf(buffer, "%lu", + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " /Colors ", 9); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19); - _TIFFmemset(buffer, 0x00, 16); - buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample); + buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) ">>\n", 3); } 
@@ -5116,16 +5086,16 @@ tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){ tsize_t written=0; - char buffer[21]; + char buffer[64]; int buflen=0; uint32 i=0; written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7); - buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22); for (i=0;ipdf_xrefcount;i++){ - sprintf(buffer, "%.10lu 00000 n \n", + snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", (unsigned long)t2p->pdf_xrefoffsets[i]); written += t2pWriteFile(output, (tdata_t) buffer, 20); } @@ -5149,17 +5119,14 @@ snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand()); written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17); - buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); + buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1)); written += t2pWriteFile(output, (tdata_t) buffer, buflen); - _TIFFmemset(buffer, 0x00, 32); written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog); written += t2pWriteFile(output, (tdata_t) buffer, buflen); - _TIFFmemset(buffer, 0x00, 32); written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info); written += t2pWriteFile(output, (tdata_t) buffer, buflen); - _TIFFmemset(buffer, 0x00, 32); written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11); written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, sizeof(t2p->pdf_fileid) - 1); 
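Review bot: In t2p_write_pdf_xreftable the entry is formatted with `"%.10lu 00000 n \n"` but written with a hard-coded 20, so an offset needing more than ten digits (an output file beyond 10 GB) produces a 21-or-more character string of which only 20 are emitted, silently corrupting the cross-reference table, which PDF requires to consist of exactly 20-byte entries; the 64-byte buffer keeps this in bounds but does not make it correct. Check the return value instead: `if (snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n", (unsigned long)t2p->pdf_xrefoffsets[i]) != 20) { TIFFError(TIFF2PDF_MODULE, "Cross-reference offset too large"); t2p->t2p_error = T2P_ERR_ERROR; return written; }`. The `/Size`, `/Root` and `/Info` lines in the trailer hunk that follows reuse the unchecked-return pattern; those values fit 64 bytes, so only consistency is at stake there.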
@@ -5167,9 +5134,8 @@ written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid, sizeof(t2p->pdf_fileid) - 1); written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16); - buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref); + buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref); written += t2pWriteFile(output, (tdata_t) buffer, buflen); - _TIFFmemset(buffer, 0x00, 32); written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7); return(written); diff -Naur tiff-4.0.3.orig/tools/tiff2ps.c tiff-4.0.3/tools/tiff2ps.c --- tiff-4.0.3.orig/tools/tiff2ps.c 2011-05-31 13:10:18.000000000 -0400 +++ tiff-4.0.3/tools/tiff2ps.c 2013-05-02 12:02:42.789287990 -0400 @@ -1781,8 +1781,8 @@ imageOp = "imagemask"; (void)strcpy(im_x, "0"); - (void)sprintf(im_y, "%lu", (long) h); - (void)sprintf(im_h, "%lu", (long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); + (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); tile_width = w; tile_height = h; if (TIFFIsTiled(tif)) { @@ -1803,7 +1803,7 @@ } if (tile_height < h) { fputs("/im_y 0 def\n", fd); - (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); } } else { repeat_count = tf_numberstrips; @@ -1815,7 +1815,7 @@ fprintf(fd, "/im_h %lu def\n", (unsigned long) tile_height); (void)strcpy(im_h, "im_h"); - (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); } } diff -Naur tiff-4.0.3.orig/tools/tiffcrop.c tiff-4.0.3/tools/tiffcrop.c --- tiff-4.0.3.orig/tools/tiffcrop.c 2010-12-14 09:18:28.000000000 -0500 +++ tiff-4.0.3/tools/tiffcrop.c 2013-05-02 12:02:42.791288005 -0400 @@ -2077,7 +2077,7 @@ return 1; } - sprintf (filenum, "-%03d%s", findex, export_ext); + snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); filenum[14] = '\0'; strncat (exportname, filenum, 15); } 
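Review bot: In tiff2ps.c, `(void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);` and the `im_h` line below it keep the pre-existing mismatch between the `%lu` conversion and a `long` argument, while the two later hunks in the same file pass `(unsigned long) h` for the same value; make these consistent, `(void)snprintf(im_y, sizeof(im_y), "%lu", (unsigned long) h);`, since a signedness mismatch between conversion and argument is formally undefined and trips -Wformat. `sizeof(im_y)` and `sizeof(im_h)` are correct only if both are arrays in this scope; their declarations are outside the hunk, as is the rest of the enclosing function.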
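Review bot: In tiffcrop.c, `snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);` followed by `filenum[14] = '\0'; strncat (exportname, filenum, 15);` mixes three different bounds for one small buffer: snprintf already NUL-terminates, the `[14]` store presumes filenum is at least 15 bytes, and strncat's count of 15 limits the source, not the space left in exportname. If exportname is PATH_MAX sized (its declaration and the length check that precedes the `return 1` are outside the hunk), bound the append by the remaining room, `strncat(exportname, filenum, PATH_MAX - strlen(exportname) - 1);`, or build the name with one snprintf into exportname and check its return. A long `export_ext` is also silently cut at the `[14]` store, so the exported file can end up with a truncated extension.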
@@ -2230,8 +2230,8 @@
 /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes fewer than PATH_MAX */
- memset (temp_filename, '\0', PATH_MAX + 1);
- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
+ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
+ dump.infilename, dump_images,
 (dump.format == DUMP_TEXT) ? "txt" : "raw");
 if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) {
@@ -2249,8 +2249,8 @@
 /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes fewer than PATH_MAX */
- memset (temp_filename, '\0', PATH_MAX + 1);
- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
+ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
+ dump.outfilename, dump_images,
 (dump.format == DUMP_TEXT) ? "txt" : "raw");
 if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) {
diff -Naur tiff-4.0.3.orig/tools/tiffdither.c tiff-4.0.3/tools/tiffdither.c
--- tiff-4.0.3.orig/tools/tiffdither.c 2010-03-10 13:56:50.000000000 -0500
+++ tiff-4.0.3/tools/tiffdither.c 2013-05-02 12:02:42.792288013 -0400
@@ -260,7 +260,7 @@
 TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
 else
 CopyField(TIFFTAG_FILLORDER, shortv);
- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
+ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
 TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
 CopyField(TIFFTAG_PHOTOMETRIC, shortv);
 CopyField(TIFFTAG_ORIENTATION, shortv);
CVE-2013-1960 CVE-2013-4232
Index: tiff2pdf.c
===================================================================
RCS file: a/tools/tiff2pdf.c,v
retrieving revision 1.70
retrieving revision 1.72
diff -u -U 8 -r1.70 -r1.72
--- a/tools/tiff2pdf.c 2 May 2013 14:44:29 -0000 1.70
+++ b/tools/tiff2pdf.c 14 Aug 2013 05:11:37 -0000 1.72
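Review bot: In the tiffcrop.c 2230 hunk (and identically at 2249), `sizeof(temp_filename)` is the right bound only if `temp_filename` is declared as an array; the old `memset(..., PATH_MAX + 1)` suggests it is, but the declaration sits outside the hunk, so confirm it is not a `char *`, where sizeof would be the pointer size. The snprintf return value is discarded, so a name that no longer fits is truncated silently and handed to `fopen`, and the context comment's 20-byte headroom leaves no margin for a very large `dump_images`; `int n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(temp_filename)) { /* take the same failure path as the fopen error below */ }` would make that visible. The same sizeof caveat applies to `thing` in the tiffdither.c 260 hunk. All three enclosing functions begin before their hunks.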
@@ -2456,17 +2456,18 @@
 (tdata_t) buffer, t2p->tiff_datasize * t2p->tiff_samplesperpixel);
 if(samplebuffer==NULL){
 TIFFError(TIFF2PDF_MODULE, "Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s", (unsigned long) t2p->tiff_datasize, TIFFFileName(input));
 t2p->t2p_error = T2P_ERR_ERROR;
- _TIFFfree(buffer);
+ _TIFFfree(buffer);
+ return(0);
 } else {
 buffer=samplebuffer;
 t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
 }
 t2p_sample_realize_palette(t2p, buffer);
 }
 if(t2p->pdf_sample & T2P_SAMPLE_RGBA_TO_RGB){
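Review bot: The error message in this hunk reports `t2p->tiff_datasize` as the failed request, but the allocation just above asked for `t2p->tiff_datasize * t2p->tiff_samplesperpixel`, so the log under-reports the size; change the argument to `(unsigned long) (t2p->tiff_datasize * t2p->tiff_samplesperpixel)`. The added `return(0)` after `_TIFFfree(buffer)` is the right fix, since `buffer` is dead once freed and `t2p_sample_realize_palette(t2p, buffer)` below would otherwise receive it; a comment `/* buffer was freed; nothing below may touch it */` would explain the early return to the next reader. t2p_readwrite_pdf_image, named in the error string, begins and ends outside the hunk.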
@@ -3336,95 +3337,116 @@
 unsigned char* strip, tsize_t* striplength, unsigned char* buffer, tsize_t* bufferoffset, tstrip_t no, uint32 height){
 tsize_t i=0;
- uint16 ri =0;
- uint16 v_samp=1;
- uint16 h_samp=1;
- int j=0;
-
- i++;
-
- while(i<(*striplength)){
+
+ while (i < *striplength) {
+ tsize_t datalen;
+ uint16 ri;
+ uint16 v_samp;
+ uint16 h_samp;
+ int j;
+ int ncomp;
+
+ /* marker header: one or more FFs */
+ if (strip[i] != 0xff)
+ return(0);
+ i++;
+ while (i < *striplength && strip[i] == 0xff)
+ i++;
+ if (i >= *striplength)
+ return(0);
+ /* SOI is the only pre-SOS marker without a length word */
+ if (strip[i] == 0xd8)
+ datalen = 0;
+ else {
+ if ((*striplength - i) <= 2)
+ return(0);
+ datalen = (strip[i+1] << 8) | strip[i+2];
+ if (datalen < 2 || datalen >= (*striplength - i))
+ return(0);
+ }
 switch( strip[i] ){
- case 0xd8:
- /* SOI - start of image */
+ case 0xd8: /* SOI - start of image */
 _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
 *bufferoffset+=2;
- i+=2;
 break;
- case 0xc0:
- case 0xc1:
- case 0xc3:
- case 0xc9:
- case 0xca:
+ case 0xc0: /* SOF0 */
+ case 0xc1: /* SOF1 */
+ case 0xc3: /* SOF3 */
+ case 0xc9: /* SOF9 */
+ case 0xca: /* SOF10 */
 if(no==0){
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- for(j=0;j>4) > h_samp)
- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ ncomp = buffer[*bufferoffset+9];
+ if (ncomp < 1 || ncomp > 4)
+ return(0);
+ v_samp=1;
+ h_samp=1;
+ for(j=0;j>4) > h_samp)
+ h_samp = (samp>>4);
+ if( (samp & 0x0f) > v_samp)
+ v_samp = (samp & 0x0f);
 }
 v_samp*=8;
 h_samp*=8;
 ri=((( ((uint16)(buffer[*bufferoffset+5])<<8) | (uint16)(buffer[*bufferoffset+6]) )+v_samp-1)/ v_samp);
 ri*=((( ((uint16)(buffer[*bufferoffset+7])<<8) | (uint16)(buffer[*bufferoffset+8]) )+h_samp-1)/ h_samp);
 buffer[*bufferoffset+5]=
(unsigned char) ((height>>8) & 0xff);
 buffer[*bufferoffset+6]= (unsigned char) (height & 0xff);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
-
+ *bufferoffset+=datalen+2;
+ /* insert a DRI marker */
 buffer[(*bufferoffset)++]=0xff;
 buffer[(*bufferoffset)++]=0xdd;
 buffer[(*bufferoffset)++]=0x00;
 buffer[(*bufferoffset)++]=0x04;
 buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
 buffer[(*bufferoffset)++]= ri & 0xff;
- } else {
- i+=strip[i+2]+2;
 }
 break;
- case 0xc4:
- case 0xdb:
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
+ case 0xc4: /* DHT */
+ case 0xdb: /* DQT */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
 break;
- case 0xda:
+ case 0xda: /* SOS */
 if(no==0){
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
- i+=strip[i+2]+2;
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
 } else {
 buffer[(*bufferoffset)++]=0xff;
 buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8));
- i+=strip[i+2]+2;
 }
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
- *bufferoffset+=(*striplength)-i-1;
+ i += datalen + 1;
+ /* copy remainder of strip */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+ *bufferoffset+= *striplength - i;
 return(1);
 default:
- i+=strip[i+2]+2;
+ /* ignore any other marker */
+ break;
 }
+ i += datalen + 1;
 }
-
+ /* failed to find SOS marker */
 return(0);
 }
 #endif
 /* This functions converts a tilewidth x tilelength buffer of samples into an edgetilewidth x tilelength buffer of samples. */
CVE-2013-4231 CVE-2013-4244
Index: gif2tiff.c
===================================================================
RCS file: a/tools/gif2tiff.c,v
retrieving revision 1.12
retrieving revision 1.14
diff -u -U 8 -r1.12 -r1.14
--- a/tools/gif2tiff.c 15 Dec 2010 00:22:44 -0000 1.12
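Review bot: Every copy into the output in this hunk (the `_TIFFmemcpy(&(buffer[*bufferoffset]), ...)` in the SOI, SOF, DHT/DQT and SOS cases, the six-byte DRI insert, and the final remainder copy) is bounded only by the new checks on `datalen` and `*striplength`; the function receives no length for `buffer`, so a strip larger than the space left in the destination still overruns it, and fixing that needs the caller to pass the output size and a check such as `if (*bufferoffset + datalen + 2 > buffer_size) return(0);` before each copy (the signature sits on the line before the hunk, so the change reaches outside it). Within the SOF branch, `ncomp = buffer[*bufferoffset+9]` and the per-component loop read bytes at offsets 5 through 9 and beyond, yet `datalen` is only required to be at least 2; an SOF segment carries 8 header bytes plus 3 per component, so add `if (datalen < 8) return(0);` before reading ncomp and `if (datalen < 8 + 3*ncomp) return(0);` after validating it, otherwise stale contents of `buffer` are interpreted as the frame header. The removed code indexed the sampling byte as `buffer[*bufferoffset+11+(2*j)]` although each SOF component entry is three bytes (id, sampling factors, quantisation table), which puts it at `11+(3*j)`; the new loop body is garbled on this page, so verify which stride it uses. The hunk's trailing context shows the function closing inside it, but its name and return type are on the line before the hunk.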
+++ b/tools/gif2tiff.c 14 Aug 2013 13:59:17 -0000 1.14
@@ -328,16 +328,18 @@
 unsigned char buf[255];
 register int bits=0;
 register unsigned long datum=0;
 register unsigned char *ch;
 register int count, code;
 int status = 1;
 datasize = getc(infile);
+ if (datasize > 12)
+ return 0;
 clear = 1 << datasize;
 eoi = clear + 1;
 avail = clear + 2;
 oldcode = -1;
 codesize = datasize + 1;
 codemask = (1 << codesize) - 1;
 for (code = 0; code < clear; code++) {
 prefix[code] = 0;
@@ -393,16 +395,20 @@
 codesize = datasize + 1;
 codemask = (1 << codesize) - 1;
 avail = clear + 2;
 oldcode = -1;
 return 1;
 }
 if (oldcode == -1) {
+ if (code >= clear) {
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
 *(*fill)++ = suffix[code];
 firstchar = oldcode = code;
 return 1;
 }
 if (code > avail) {
 fprintf(stderr, "code %d too large for %d\n", code, avail);
 return 0;
 }
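Review bot: In the 328 hunk, `datasize = getc(infile)` returns EOF (-1) on a truncated file, and `-1 > 12` is false, so the new guard lets that value through to `clear = 1 << datasize`, a shift by a negative count; widen the check to `if (datasize < 0 || datasize > 12)` followed by the existing `return 0;`. Whether 12 is the right upper bound depends on the sizes of `prefix` and `suffix`, which are outside the hunk: with datasize 12, `avail` starts at 4098, so tables of 4096 entries would need a tighter limit (GIF's LZW minimum code size is normally 2 to 8), which is worth confirming against the declarations. In the 393 hunk the new `code >= clear` guard keeps `suffix[code]` in range, but `*(*fill)++ = suffix[code]` still writes through `fill` with no visible bound on the output buffer; unless the caller sizes it to the decoded image, a check against the end of the output belongs here too. Both enclosing functions begin before their hunks.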