Commit 5848777b authored by Even Rouault's avatar Even Rouault

Merge branch 'fix_cve-2017-9935' into 'master'

Fix CVE-2017-9935

See merge request !7
parents 254262f3 d4f21363
Pipeline #14939160 passed with stages
in 6 minutes and 36 seconds
...@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) ...@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if (td->td_samplesperpixel - td->td_extrasamples > 1) { if (td->td_samplesperpixel - td->td_extrasamples > 1) {
*va_arg(ap, uint16**) = td->td_transferfunction[1]; *va_arg(ap, uint16**) = td->td_transferfunction[1];
*va_arg(ap, uint16**) = td->td_transferfunction[2]; *va_arg(ap, uint16**) = td->td_transferfunction[2];
} else {
*va_arg(ap, uint16**) = NULL;
*va_arg(ap, uint16**) = NULL;
} }
break; break;
case TIFFTAG_REFERENCEBLACKWHITE: case TIFFTAG_REFERENCEBLACKWHITE:
......
...@@ -237,7 +237,7 @@ typedef struct { ...@@ -237,7 +237,7 @@ typedef struct {
float tiff_whitechromaticities[2]; float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6]; float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2]; float tiff_referenceblackwhite[2];
float* tiff_transferfunction[3]; uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate, int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */ 1 : interpolate */
uint16 tiff_transferfunctioncount; uint16 tiff_transferfunctioncount;
...@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ ...@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0; uint16 pagen=0;
uint16 paged=0; uint16 paged=0;
uint16 xuint16=0; uint16 xuint16=0;
uint16 tiff_transferfunctioncount=0;
uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input); directorycount=TIFFNumberOfDirectories(input);
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
...@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ ...@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
} }
#endif #endif
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
&(t2p->tiff_transferfunction[0]), &(tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]), &(tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) { &(tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
(t2p->tiff_transferfunction[2] != (float*) NULL) && if((tiff_transferfunction[1] != (uint16*) NULL) &&
(t2p->tiff_transferfunction[1] != (tiff_transferfunction[2] != (uint16*) NULL)
t2p->tiff_transferfunction[0])) { ) {
t2p->tiff_transferfunctioncount = 3; tiff_transferfunctioncount=3;
t2p->tiff_pages[i].page_extra += 4; } else {
t2p->pdf_xrefcount += 4; tiff_transferfunctioncount=1;
} else { }
t2p->tiff_transferfunctioncount = 1;
t2p->tiff_pages[i].page_extra += 2;
t2p->pdf_xrefcount += 2;
}
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
} else { } else {
t2p->tiff_transferfunctioncount=0; tiff_transferfunctioncount=0;
} }
if (i > 0){
if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
TIFFError(
TIFF2PDF_MODULE,
"Different transfer function on page %d",
i);
t2p->t2p_error = T2P_ERR_ERROR;
return;
}
}
t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
if(tiff_transferfunctioncount == 3){
t2p->tiff_pages[i].page_extra += 4;
t2p->pdf_xrefcount += 4;
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
} else if (tiff_transferfunctioncount == 1){
t2p->tiff_pages[i].page_extra += 2;
t2p->pdf_xrefcount += 2;
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
}
if( TIFFGetField( if( TIFFGetField(
input, input,
TIFFTAG_ICCPROFILE, TIFFTAG_ICCPROFILE,
...@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ ...@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]), &(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]), &(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) { &(t2p->tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) && if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
(t2p->tiff_transferfunction[2] != (float*) NULL) && (t2p->tiff_transferfunction[2] != (uint16*) NULL)
(t2p->tiff_transferfunction[1] != ) {
t2p->tiff_transferfunction[0])) {
t2p->tiff_transferfunctioncount=3; t2p->tiff_transferfunctioncount=3;
} else { } else {
t2p->tiff_transferfunctioncount=1; t2p->tiff_transferfunctioncount=1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment