Skip to content
Snippets Groups Projects

Fix 624: Check input parameters in _TIFFMergeFields()

Closed Fix 624: Check input parameters in _TIFFMergeFields()
Su_Laus/libtiff:fix_624_TIFFMergeFields into master
Closed Su Laus requested to merge Su_Laus/libtiff:fix_624_TIFFMergeFields into master

Check input parameters in _TIFFMergeFields()

Fixes #624 (closed)

Merge request reports

Pipeline #1085033055 passed

Stage: build

Pipeline passed for 7ec1d9a4 on Su_Laus:fix_624_TIFFMergeFields

Approval is optional

Closed by Su LausSu Laus 1 year ago (Dec 1, 2023 7:42pm UTC)

Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
    • Even Rouault
      Even Rouault @rouault ·
      Owner

      @Su_Laus It is not obvious to me that this commit is needed. Can you give more details ?

      • TIFF == null. We don't validate that in other API functions. A non-null TIFF handle is part of the "contract" of usage of the function.
      • If the user passes info[] == null, but n > 0. This is the same. It is a obvious usage issue we don't have to catch (this is like using memcpy() with an inconsistent size w.r.t the passed buffer)
      • And I don't see any obvious issue if the user passes n == 0. This is a bit stupid to do that, but the function shold work just fine, doesn't it ?
      Edited by Even Rouault
    • xc011
      xc011 @xc011 ·

      I think it's needed. Due to the trigger methods listed in issue #624 (closed), "info[] == null, but n > 0" could happen.

      TIFFField *_TIFFCreateAnonField(TIFF *tif, uint32_t tag,
                                TIFFDataType field_type)
{
    TIFFField *fld;
    (void)tif;

    fld = (TIFFField *)_TIFFmallocExt(tif, sizeof(TIFFField));
    if (fld == NULL)
        return NULL;
    ...
    return fld;
}
      if (!_TIFFMergeFields(
    tif,
    _TIFFCreateAnonField(tif, dp->tdir_tag,
        (TIFFDataType)dp->tdir_type),
    1))

      In lines 4281-4285 of tif_dirread.c, _TIFFMergeFields directly uses the return value of _TIFFCreateAnonField() as the second parameter, without checking whether it might be NULL. And malloc failure would be caused by attackers restricting the heap size or virtual memory, or simply by accident.

    • Please register or sign in to reply
  • Even Rouault
    Even Rouault @rouault ·
    Owner

    And malloc failure would be caused by attackers restricting the heap size or virtual memory, or simply by accident.

    so the issue is rather in this _TIFFCreateAnonField function. It should not call _TIFFMergeFields with n = 1 without checking first the return of _TIFFCreateAnonField is not null

    Edited by Even Rouault
  • Su Laus
    Su Laus @Su_Laus ·
    Author Maintainer

    _TIFFMergeFields() is an external function and therefore it was my intention to catch possible calls with invalid arguments there.

    However, if the external argument validity is "part of the contract", then this MR is superfluous and the issue needs to be fixed in all internal functions calling _TIFFCreateAnonField(). That is _TIFFFindOrRegisterField(), TIFFReadDirectory() and TIFFReadCustomDirectory().

    I am going to prepare another MR.

  • Su Laus
    Su Laus @Su_Laus ·
    Author Maintainer

    Another MR 560 was created to solve the issue 624. Closing this MR.

  • Su Laus closed

    closed

  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
Please register or sign in to reply