Commit 5848777b authored by Even Rouault's avatar Even Rouault

Merge branch 'fix_cve-2017-9935' into 'master'

Fix CVE-2017-9935

See merge request !7
parents 254262f3 d4f21363
Pipeline #14939160 passed with stages
in 6 minutes and 36 seconds
......@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
*va_arg(ap, uint16**) = td->td_transferfunction[1];
*va_arg(ap, uint16**) = td->td_transferfunction[2];
} else {
*va_arg(ap, uint16**) = NULL;
*va_arg(ap, uint16**) = NULL;
}
break;
case TIFFTAG_REFERENCEBLACKWHITE:
......
......@@ -237,7 +237,7 @@ typedef struct {
float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2];
float* tiff_transferfunction[3];
uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */
uint16 tiff_transferfunctioncount;
......@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0;
uint16 paged=0;
uint16 xuint16=0;
uint16 tiff_transferfunctioncount=0;
uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
......@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
}
#endif
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
(t2p->tiff_transferfunction[2] != (float*) NULL) &&
(t2p->tiff_transferfunction[1] !=
t2p->tiff_transferfunction[0])) {
t2p->tiff_transferfunctioncount = 3;
t2p->tiff_pages[i].page_extra += 4;
t2p->pdf_xrefcount += 4;
} else {
t2p->tiff_transferfunctioncount = 1;
t2p->tiff_pages[i].page_extra += 2;
t2p->pdf_xrefcount += 2;
}
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
&(tiff_transferfunction[0]),
&(tiff_transferfunction[1]),
&(tiff_transferfunction[2]))) {
if((tiff_transferfunction[1] != (uint16*) NULL) &&
(tiff_transferfunction[2] != (uint16*) NULL)
) {
tiff_transferfunctioncount=3;
} else {
tiff_transferfunctioncount=1;
}
} else {
t2p->tiff_transferfunctioncount=0;
tiff_transferfunctioncount=0;
}
if (i > 0){
if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
TIFFError(
TIFF2PDF_MODULE,
"Different transfer function on page %d",
i);
t2p->t2p_error = T2P_ERR_ERROR;
return;
}
}
t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
if(tiff_transferfunctioncount == 3){
t2p->tiff_pages[i].page_extra += 4;
t2p->pdf_xrefcount += 4;
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
} else if (tiff_transferfunctioncount == 1){
t2p->tiff_pages[i].page_extra += 2;
t2p->pdf_xrefcount += 2;
if(t2p->pdf_minorversion < 2)
t2p->pdf_minorversion = 2;
}
if( TIFFGetField(
input,
TIFFTAG_ICCPROFILE,
......@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
(t2p->tiff_transferfunction[2] != (float*) NULL) &&
(t2p->tiff_transferfunction[1] !=
t2p->tiff_transferfunction[0])) {
if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
(t2p->tiff_transferfunction[2] != (uint16*) NULL)
) {
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment