Bug 2807 - Out-of-bounds Write in the tiff2bw and pal2rgb tools
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: 4.0.1
Platform: All All
Importance: P2 major
Reported: 2018-07-27 04:08 by
Modified: 2019-04-25 07:42




Description From 2018-07-27 04:08:56
There are two out-of-bounds writes in cpTags in tiff2bw and pal2rgb.

static void
cpTags(TIFF* in, TIFF* out)
{
    struct cpTag *p;
    for (p = tags; p < &tags[NTAGS]; p++)
        cpTag(in, out, p->tag, p->count, p->type);
}
(tools/tiff2bw.c)

static void
cpTags(TIFF* in, TIFF* out)
{
    struct cpTag *p;
    for (p = tags; p < &tags[NTAGS]; p++)
        cpTag(in, out, p->tag, p->count, p->type);
}
(tools/pal2rgb.c)

The correct logic should be "only read/write TIFFTAG_GROUP3OPTIONS or
TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4".

Below is the proposed patch.

cpTags(TIFF* in, TIFF* out)
 {
     struct cpTag *p;
     for (p = tags; p < &tags[NTAGS]; p++)
-   cpTag(in, out, p->tag, p->count, p->type);
+   {
+       if( p->tag == TIFFTAG_GROUP3OPTIONS )
+       {
+           uint16 compression;
+           if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+               compression != COMPRESSION_CCITTFAX3 )
+               continue;
+       }
+       if( p->tag == TIFFTAG_GROUP4OPTIONS )
+       {
+           uint16 compression;
+           if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+               compression != COMPRESSION_CCITTFAX4 )
+               continue;
+       }
+       cpTag(in, out, p->tag, p->count, p->type);
+   }
 }
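Review bot: In the loop body, the TIFFTAG_GROUP3OPTIONS and TIFFTAG_GROUP4OPTIONS branches each declare their own uint16 compression and repeat the same TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) call. Read the compression once before the for loop, remembering whether the read succeeded, and compare against that value in both checks; the second check can be an else if, since p->tag cannot equal both tags. The hunk has no file header, so the submission should say explicitly that the same change applies to cpTags in both tools/tiff2bw.c and tools/pal2rgb.c. A short comment in the code on why these two tags are copied only for the matching CCITT compression would also help later readers.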
------- Comment #2 From 2019-04-25 07:42:17 -------
fixed