89 lines
2.5 KiB
Diff
89 lines
2.5 KiB
Diff
|
From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
|
||
|
|
From: erouault <erouault>
|
||
|
|
Date: Wed, 11 Jan 2017 19:02:49 +0000
|
||
|
|
Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
|
||
|
|
_TIFFcalloc()
|
||
|
|
|
||
|
|
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
|
||
|
|
initialize tif_rawdata.
|
||
|
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
|
||
|
|
|
||
|
|
Fixes CVE-2017-7593
|
||
|
|
|
||
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
||
|
|
---
|
||
|
|
libtiff/tif_read.c | 4 +++-
|
||
|
|
libtiff/tif_unix.c | 8 ++++++++
|
||
|
|
libtiff/tif_win32.c | 8 ++++++++
|
||
|
|
libtiff/tiffio.h | 1 +
|
||
|
|
4 files changed, 36 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
||
|
|
index 277fdd69..4535ccb3 100644
|
||
|
|
--- a/libtiff/tif_read.c
|
||
|
|
+++ b/libtiff/tif_read.c
|
||
|
|
@@ -985,7 +985,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
|
||
|
|
"Invalid buffer size");
|
||
|
|
return (0);
|
||
|
|
}
|
||
|
|
- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
|
||
|
|
+ /* Initialize to zero to avoid uninitialized buffers in case of */
|
||
|
|
+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
|
||
|
|
+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
|
||
|
|
tif->tif_flags |= TIFF_MYBUFFER;
|
||
|
|
}
|
||
|
|
if (tif->tif_rawdata == NULL) {
|
||
|
|
diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
|
||
|
|
index 7c7bc961..89dd32e8 100644
|
||
|
|
--- a/libtiff/tif_unix.c
|
||
|
|
+++ b/libtiff/tif_unix.c
|
||
|
|
@@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s)
|
||
|
|
return (malloc((size_t) s));
|
||
|
|
}
|
||
|
|
|
||
|
|
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
|
||
|
|
+{
|
||
|
|
+ if( nmemb == 0 || siz == 0 )
|
||
|
|
+ return ((void *) NULL);
|
||
|
|
+
|
||
|
|
+ return calloc((size_t) nmemb, (size_t)siz);
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
void
|
||
|
|
_TIFFfree(void* p)
|
||
|
|
{
|
||
|
|
diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
|
||
|
|
index d730b3ab..3e9001b7 100644
|
||
|
|
--- a/libtiff/tif_win32.c
|
||
|
|
+++ b/libtiff/tif_win32.c
|
||
|
|
@@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s)
|
||
|
|
return (malloc((size_t) s));
|
||
|
|
}
|
||
|
|
|
||
|
|
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
|
||
|
|
+{
|
||
|
|
+ if( nmemb == 0 || siz == 0 )
|
||
|
|
+ return ((void *) NULL);
|
||
|
|
+
|
||
|
|
+ return calloc((size_t) nmemb, (size_t)siz);
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
void
|
||
|
|
_TIFFfree(void* p)
|
||
|
|
{
|
||
|
|
diff --git a/libtiff/tiffio.h b/libtiff/tiffio.h
|
||
|
|
index 732da17f..fbd9171f 100644
|
||
|
|
--- a/libtiff/tiffio.h
|
||
|
|
+++ b/libtiff/tiffio.h
|
||
|
|
@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
|
||
|
|
*/
|
||
|
|
|
||
|
|
extern void* _TIFFmalloc(tmsize_t s);
|
||
|
|
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
|
||
|
|
extern void* _TIFFrealloc(void* p, tmsize_t s);
|
||
|
|
extern void _TIFFmemset(void* p, int v, tmsize_t c);
|
||
|
|
extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
|
||
|
|
--
|
||
|
|
2.11.0
|
||
|
|
|