aboutsummaryrefslogtreecommitdiffstats
path: root/main/tiff/CVE-2018-17100-1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/tiff/CVE-2018-17100-1.patch')
-rw-r--r--main/tiff/CVE-2018-17100-1.patch112
1 files changed, 112 insertions, 0 deletions
diff --git a/main/tiff/CVE-2018-17100-1.patch b/main/tiff/CVE-2018-17100-1.patch
new file mode 100644
index 0000000000..f5a9e1a915
--- /dev/null
+++ b/main/tiff/CVE-2018-17100-1.patch
@@ -0,0 +1,112 @@
+From f1b94e8a3ba49febdd3361c0214a1d1149251577 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:36:12 +0800
+Subject: [PATCH 1/3] only read/write TIFFTAG_GROUP3OPTIONS or
+ TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
+ COMPRESSION_CCITTFAX4
+
+---
+ tools/pal2rgb.c | 18 +++++++++++++++++-
+ tools/tiff2bw.c | 18 +++++++++++++++++-
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01fcf941..01d8502e 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index 05faba87..5bef3142 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+--
+2.18.1
+
+
+From 6da1fb3f64d43be37e640efbec60400d1f1ac39e Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:46:27 +0800
+Subject: [PATCH 2/3] avoid potential int32 overflows in multiply_ms()
+
+---
+ tools/ppm2tiff.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index af6e4124..c2d59257 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -70,15 +70,16 @@ BadPPM(char* file)
+ exit(-2);
+ }
+
++
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- tmsize_t bytes = m1 * m2;
+-
+- if (m1 && bytes / m1 != m2)
+- bytes = 0;
+-
+- return bytes;
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++ return 0;
++ return m1 * m2;
+ }
+
+ int
+--
+2.18.1