030fe340af
Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing the following security issues: CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
From 47f2fb61a3a64667bce1a8398a8fcb1b348ff122 Mon Sep 17 00:00:00 2001
|
|
From: erouault <erouault>
|
|
Date: Wed, 11 Jan 2017 12:15:01 +0000
|
|
Subject: [PATCH] * libtiff/tif_jpeg.c: avoid integer division by zero in
|
|
JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=2653
|
|
|
|
Fixes CVE-2017-7595
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
libtiff/tif_jpeg.c | 7 +++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
|
|
index 38595f98..6c17c388 100644
|
|
--- a/libtiff/tif_jpeg.c
|
|
+++ b/libtiff/tif_jpeg.c
|
|
@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif)
|
|
case PHOTOMETRIC_YCBCR:
|
|
sp->h_sampling = td->td_ycbcrsubsampling[0];
|
|
sp->v_sampling = td->td_ycbcrsubsampling[1];
|
|
+ if( sp->h_sampling == 0 || sp->v_sampling == 0 )
|
|
+ {
|
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
+ "Invalig horizontal/vertical sampling value");
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
/*
|
|
* A ReferenceBlackWhite field *must* be present since the
|
|
* default value is inappropriate for YCbCr. Fill in the
|
|
--
|
|
2.11.0
|
|
|