
libtiff_sanitizer


#1

Link : https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33
Description: Fix 2 heap-based buffer overflows (in PSDataBW and PSDataColorContig).

At tools/tiff2ps.c

@@ -2466,11 +2466,6 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
 	unsigned char *cp, c;
 	(void) w;
+        if( es <= 0 )
+        {
+            TIFFError(filename, "Inconsistent value of es: %d", es);
+            return;
+        }
 	tf_buf = (unsigned char *) _TIFFmalloc(tf_bytesperrow);
 	if (tf_buf == NULL) {
 		TIFFError(filename, "No space for scanline buffer");
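Review bot: The guard on L17-L21 is indented with eight spaces while the neighbouring tiff2ps.c lines (L15-16, L22-24) use tabs, so the block reads as foreign in the file; re-indenting it in the surrounding style, `\tif (es <= 0) {`, keeps it consistent. The message `Inconsistent value of es: %d` names an internal variable rather than saying what was wrong with the input, which is of little help to a user reading the error. PSDataColorContig starts and ends outside the hunk and the computation of es is not visible, so whether 0 and negative values are the only ones that would overflow the scanline buffer cannot be confirmed from this excerpt. The hunk header's counts (-2466,11 +2466,6) also run the wrong way for a hunk that only adds lines, so the excerpt may have been generated with the old and new sides swapped.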

Tags
#Memory-error #Address-sanitizer #Omission #Multi-line #Added

#2

Link : https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c
Description: Avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile().

At tools/tiff2pdf.c

@@ -2923,7 +2923,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
 				return(0);
 			}
 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+				if (count > 4) {
-				if (count >= 4) {
                                         int retTIFFReadRawTile;
                     /* Ignore EOI marker of JpegTables */
 					_TIFFmemcpy(buffer, jpt, count - 2);
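Review bot: The tightened test on L40 only bounds `count - 2` from below; nothing in the hunk compares it with the capacity of `buffer` before the `_TIFFmemcpy` on L44, so the copy stays safe only if buffer was already sized for the JPEGTABLES payload by code outside this excerpt. The switch from `>=` to `>` carries no explanation, and a reader cannot tell from the hunk why a 4-byte table is now rejected; a comment next to the check recording that threshold, and noting that the `count - 2` below assumes a 2-byte EOI marker (which the existing comment on L43 only hints at), would preserve the intent. t2p_readwrite_pdf_image_tile starts and ends outside the hunk, and the type of count is not visible here.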

Tags
#Invalid-condition #Single-line #Modified

#3

Link : https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
Description: Validate BitsPerSample in JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift exponent.

At libtiff/tif_jpeg.c

@@ -1632,13 +1632,6 @@ JPEGSetupEncode(TIFF* tif)
                             "Invalig horizontal/vertical sampling value");
                     return (0);
                 }
+                if( td->td_bitspersample > 16 )
+                {
+                    TIFFErrorExt(tif->tif_clientdata, module,
+                                 "BitsPerSample %d not allowed for JPEG",
+                                 td->td_bitspersample);
+                    return (0);
+                }
 		/*
 		 * A ReferenceBlackWhite field *must* be present since the
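Review bot: The limit on L60 is a bare `16` with no comment tying it to what it protects; the commit description says BitsPerSample feeds a shift exponent, so a comment above the check, `/* BitsPerSample is later used as a shift exponent; bound it so the shift stays defined */`, keeps that rationale in the source rather than only in the commit message. The check bounds the value only from above, and whether a value of 0 is rejected elsewhere in JPEGSetupEncode cannot be seen from this excerpt. As in the other hunks on this page, the new lines (L60-L66) are space-indented where the surrounding file uses tabs (L67-68). JPEGSetupEncode continues outside the hunk.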

Tags
#Omission #Multi-line #Added

#4

Link : https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
Description: Divide-by-zero in OJPEGDecodeRaw (tif_ojpeg.c)

At libtiff/tif_ojpeg.c

@@ -244,7 +244,6 @@ typedef enum {
 typedef struct {
 	TIFF* tif;
+        int decoder_ok;
 	#ifndef LIBJPEG_ENCAP_EXTERNAL
 	JMP_BUF exit_jmpbuf;
 	#endif
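Review bot: The new `decoder_ok` field on L83 is declared but the hunk shows no place where it is set to 0, so the check in OJPEGDecode relies on the OJPEGState allocation being zero-filled or on initialisation code outside this excerpt; a comment on the field, `int decoder_ok; /* set to 1 by OJPEGPreDecode on success; must start at 0 */`, would make that dependency explicit. The field is also space-indented where the struct's other members use tabs.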
@@ -723,7 +722,6 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
 		}
 		sp->write_curstrile++;
 	}
+	sp->decoder_ok = 1;
 	return(1);
 }
@@ -786,14 +784,8 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
 static int
 OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
 {
+        static const char module[]="OJPEGDecode";
 	OJPEGState* sp=(OJPEGState*)tif->tif_data;
 	(void)s;
+        if( !sp->decoder_ok )
+        {
+            TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
+            return 0;
+        }
 	if (sp->libjpeg_jpeg_query_style==0)
 	{
 		if (OJPEGDecodeRaw(tif,buf,cc)==0)
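Review bot: Nothing in this hunk or the one at L91 ever clears `decoder_ok` once it has been set, so if OJPEGPreDecode succeeds for one strip or tile and fails for a later one, the flag still reads 1 and the guard on L101 no longer stops OJPEGDecode; resetting it at the start of OJPEGPreDecode, `sp->decoder_ok = 0;`, before any early return would close that window, unless the state is already reset elsewhere, which this excerpt does not show. The error text on L103 is clear, but the `module` constant on L98 and the guard on L101-L105 are space-indented where the rest of OJPEGDecode uses tabs. OJPEGDecode's body continues past the hunk.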

Tags
#Division-by-zero #Logical-error #Multi-line #Added
