Copied from Debian
From 8b6e80fca434525497e5a31c3309a3bab5b3c1c8 Mon Sep 17 00:00:00 2001
From: erouault
Date: Sun, 21 Dec 2014 18:52:42 +0000
Subject: [PATCH] * tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
---
 ChangeLog | 7 +++++++
 tools/thumbnail.c | 21 ++++++++++++++++++++-
 tools/tiffcmp.c | 17 +++++++++++++++--
 3 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
index a98a881..fab63f6 100644
--- a/tools/thumbnail.c
+++ b/tools/thumbnail.c
@@ -274,7 +274,26 @@ cpTags(TIFF* in, TIFF* out)
 {
 struct cpTag *p;
 for (p = tags; p < &tags[NTAGS]; p++)
- cpTag(in, out, p->tag, p->count, p->type);
+ {
+ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */
+ /* if we request a tag that is defined in a codec, but that codec */
+ /* isn't used */
+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX3 )
+ continue;
+ }
+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX4 )
+ continue;
+ }
+ cpTag(in, out, p->tag, p->count, p->type);
+ }
 }
 #undef NTAGS
diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c
index 508a461..d6392af 100644
--- a/tools/tiffcmp.c
+++ b/tools/tiffcmp.c
@@ -260,6 +260,7 @@ tiffcmp(TIFF* tif1, TIFF* tif2)
 static int
 cmptags(TIFF* tif1, TIFF* tif2)
 {
+ uint16 compression1, compression2;
 CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType");
 CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth");
 CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength");
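Review bot: In cpTags (tools/thumbnail.c) the guard is hard-coded for TIFFTAG_GROUP3OPTIONS and TIFFTAG_GROUP4OPTIONS, so any other codec-registered tag in the `tags` table (defined outside this hunk) would presumably still reach cpTag() with the argument mismatch the comment describes. The comment should state the consequence instead of "Horrible", for example `/* Reading a codec tag on a file that does not use that codec makes TIFFGetField() consume a second vararg the caller never passed (CVE-2014-8128). */`. The two branches also repeat the same compression lookup on every iteration; reading it once before the loop and testing `if (p->tag == TIFFTAG_GROUP3OPTIONS && compression != COMPRESSION_CCITTFAX3) continue;` (with the FAX4 twin) would be shorter and keep the skip-on-failure behaviour if `compression` is initialised to 0. Because the check lives in the tool rather than in TIFFGetField(), other callers that request these tags likely need the same guard.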
@@ -276,8 +277,20 @@ cmptags(TIFF* tif1, TIFF* tif2)
 CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat");
 CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution");
 CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution");
- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
+ compression1 == COMPRESSION_CCITTFAX3 &&
+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
+ compression2 == COMPRESSION_CCITTFAX3 )
+ {
+ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
+ }
+ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
+ compression1 == COMPRESSION_CCITTFAX4 &&
+ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
+ compression2 == COMPRESSION_CCITTFAX4 )
+ {
+ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
+ }
 CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit");
 CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration");
 CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip");
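Review bot: The gated comparisons in cmptags carry no comment, unlike the matching change in tools/thumbnail.c, so nothing tells a later maintainer not to restore the unconditional `CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");` calls. I would add above the first `if`: `/* Only compare Group3/Group4Options when both files use the matching fax codec; see CVE-2014-8128. */`. The four TIFFGetField() calls for TIFFTAG_COMPRESSION fetch the same two values twice; fetching each once and reusing compression1 and compression2 in both conditions would read more easily. When only one file is fax-compressed the option tags are skipped without a message, which is acceptable only if Compression itself is compared elsewhere in cmptags, and that is not visible here because the function starts and ends outside the hunk.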