Bug 2659 - Direct leak in tif_ojpeg.c
Status: RESOLVED FIXED
: libtiff
default
: unspecified
: PC Linux
: P2 enhancement
Reported: 2017-01-12 11:33 by
Modified: 2017-04-10 02:05


Description From 2017-01-12 11:33:06
In tif_ojpeg.c, in OJPEGReadHeaderInfoSecTablesDcTable, we have
rb=_TIFFmalloc(ra). After, values for rb are filled out. Then there is an if
(p!=q) return 0, which goes before the line sp->dctable[m]=rb;

Therefore, clearly rb is leaking every time the if (p!=q) is entered, since
memory is allocated but it is not even assigned anywhere. Our fix:

https://pdfium-review.googlesource.com/c/2176/
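
The leak pattern reported above, reduced to a self-contained model next to its corrected form. This is an added example, not code from libtiff or from the linked patch. The counting bump allocator (standing in for `_TIFFmalloc` and its release call), `struct src`, and the `load_table_*` and `orphaned_after` names are hypothetical, and the truncated input is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins: a counting bump allocator and an in-memory input. */
static unsigned char arena[1024];
static size_t arena_used, live_allocs;
static void *track_malloc(size_t n) {
    if (n > sizeof arena - arena_used) return NULL;
    arena_used += n;
    live_allocs++;
    return arena + arena_used - n;
}
static void track_free(void *p) { if (p) live_allocs--; }
struct src { const unsigned char *data; size_t len; };
static size_t src_read(const struct src *s, void *dst, size_t want) {
    size_t got = s->len < want ? s->len : want;   /* short read on truncated input */
    memcpy(dst, s->data, got);
    return got;
}
typedef int (*loader)(const struct src *, size_t, unsigned char **);

/* Shape described in the report: early return before rb gets an owner. */
static int load_table_leaky(const struct src *s, size_t q, unsigned char **slot) {
    unsigned char *rb = track_malloc(q);
    if (rb == NULL) return 0;
    if (src_read(s, rb, q) != q) return 0;   /* rb is orphaned here */
    *slot = rb;
    return 1;
}
/* Corrected shape: the failure path releases rb before returning. */
static int load_table_fixed(const struct src *s, size_t q, unsigned char **slot) {
    unsigned char *rb = track_malloc(q);
    if (rb == NULL) return 0;
    if (src_read(s, rb, q) != q) { track_free(rb); return 0; }
    *slot = rb;
    return 1;
}
/* Call load n times on a truncated input (8 of 16 bytes); count orphans. */
static int orphaned_after(loader load, int n) {
    static const unsigned char truncated[8] = {0};
    const struct src s = { truncated, sizeof truncated };
    unsigned char *slot = NULL;
    arena_used = live_allocs = 0;
    for (int i = 0; i < n; i++) load(&s, 16, &slot);
    return (int)live_allocs;
}
int main(void) {
    printf("leaky: %d orphaned\n", orphaned_after(load_table_leaky, 5));
    printf("fixed: %d orphaned\n", orphaned_after(load_table_fixed, 5));
    return 0;
}
```

Each malformed input costs the leaky variant one buffer, so a long-running process that parses untrusted files accumulates unreleased memory in proportion to the number of truncated inputs it sees.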
------- Comment #1 From 2017-01-12 12:43:35 -------
Patch applied per

2017-01-12 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
        when read fails.
        Patch by Nicolás Peña.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1212; previous revision: 1.1211
/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v  <--  libtiff/tif_ojpeg.c
new revision: 1.67; previous revision: 1.66
------- Comment #2 From 2017-01-12 14:12:24 -------
(In reply to comment #1)
> Patch applied per
> 
> 2017-01-12 Even Rouault <even.rouault at spatialys.com>
> 
>         * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
>         when read fails.
>         Patch by Nicolás Peña.
>         Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
> 
> /cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
> new revision: 1.1212; previous revision: 1.1211
> /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v  <--  libtiff/tif_ojpeg.c
> new revision: 1.67; previous revision: 1.66

I added to my patch fixes to similar leaks in other methods in the same file.
------- Comment #3 From 2017-01-12 14:23:31 -------
Additional fixes pushed in

/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v  <--  libtiff/tif_ojpeg.c
new revision: 1.68; previous revision: 1.67
------- Comment #4 From 2017-04-10 02:05:29 -------
This is CVE-2017-7594.