File tiff-CVE-2018-17000,19210.patch of Package tiff.26866

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2018-17000,19210.patch of Package tiff.26866

Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c	2018-06-24 22:26:30.335763566 +0200
+++ tiff-4.0.10/libtiff/tif_dirwrite.c	2018-11-19 14:21:42.703256410 +0100
@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
 	}
 	m=(1<<tif->tif_dir.td_bitspersample);
 	n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
+        if (tif->tif_dir.td_transferfunction[2] == NULL ||
+            tif->tif_dir.td_transferfunction[1] == NULL)
+          n = 1;
 	/*
 	 * Check if the table can be written as a single column,
 	 * or if it must be written as 3 columns.  Note that we
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
                 _TIFFfree(td->td_smaxsamplevalue);
                 td->td_smaxsamplevalue = NULL;
             }
+            /* Test if 3 transfer functions instead of just one are now needed
+               See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+            if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+                !(td->td_samplesperpixel - td->td_extrasamples > 1))
+            {
+                    TIFFWarningExt(tif->tif_clientdata,module,
+                        "SamplesPerPixel tag value is changing, "
+                        "but TransferFunction was read with a different value. Cancelling it");
+                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+                    _TIFFfree(td->td_transferfunction[0]);
+                    td->td_transferfunction[0] = NULL;
+            }
         }
 		td->td_samplesperpixel = (uint16) v;
 		break;
@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
 		break;
 	case TIFFTAG_EXTRASAMPLES:
+            if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
+                 !(td->td_samplesperpixel - td->td_extrasamples > 1))
+            {
+                    TIFFWarningExt(tif->tif_clientdata,module,
+                        "ExtraSamples tag value is changing, "
+                        "but TransferFunction was read with a different value. Cancelling it");
+                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+                    _TIFFfree(td->td_transferfunction[0]);
+                    td->td_transferfunction[0] = NULL;
+            }
 		if (!setExtraSamples(td, ap, &v))
 			goto badvalue;
 		break;

Places

File tiff-CVE-2018-17000,19210.patch of Package tiff.26866

Places