030fe340af
Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing the following security issues: CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
37 lines
1.0 KiB
Diff
37 lines
1.0 KiB
Diff
From 8283e4d1b7e53340684d12932880cbcbaf23a8c1 Mon Sep 17 00:00:00 2001
|
|
From: erouault <erouault>
|
|
Date: Thu, 12 Jan 2017 17:43:25 +0000
|
|
Subject: [PATCH] libtiff/tif_ojpeg.c: fix leak in
|
|
OJPEGReadHeaderInfoSecTablesAcTable when read fails.
|
|
Patch by Nicolás Peña.
|
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Fixes CVE-2017-7594
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
libtiff/tif_ojpeg.c | 3 +++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
|
|
index f19e8fd0..b92f0ebd 100644
|
|
--- a/libtiff/tif_ojpeg.c
|
|
+++ b/libtiff/tif_ojpeg.c
|
|
@@ -1918,7 +1918,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
|
|
rb[sizeof(uint32)+5+n]=o[n];
|
|
p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
|
|
if (p!=q)
|
|
+ {
|
|
+ _TIFFfree(rb);
|
|
return(0);
|
|
+ }
|
|
sp->actable[m]=rb;
|
|
sp->sos_tda[m]=(sp->sos_tda[m]|m);
|
|
}
|
|
--
|
|
2.11.0
|
|
|