
From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 12 May 2018 15:32:31 +0200
Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
The fix consists in using code similar to LZWDecode() to validate that we
don't write outside of the output buffer.
---
 libtiff/tif_lzw.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 4ccb443..94d85e3 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
 	char *tp;
 	unsigned char *bp;
 	int code, nbits;
+	int len;
 	long nextbits, nextdata, nbitsmask;
 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
 
@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
 				}  while (--occ);
 				break;
 			}
-			assert(occ >= codep->length);
-			op += codep->length;
-			occ -= codep->length;
-			tp = op;
+			len = codep->length;
+			tp = op + len;
 			do {
-				*--tp = codep->value;
-			} while( (codep = codep->next) != NULL );
+				int t;
+				--tp;
+				t = codep->value;
+				codep = codep->next;
+				*tp = (char)t;
+			} while (codep && tp > op);
+			assert(occ >= len);
+			op += len;
+			occ -= len;
 		} else {
 			*op++ = (char)code;
 			occ--;
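Review bot: The new `while (codep && tp > op)` guard only bounds the backward walk from above; if a malformed code table can yield a chain that ends before `tp` reaches `op`, the bytes in `[op, tp)` are left unwritten while `op += len` still advances over them, so the caller receives whatever was previously in the output buffer for that span. A conservative handling after the loop is to treat `tp != op` as a corrupt-stream error, or at minimum `if (tp > op) memset(op, 0, (size_t)(tp - op));` before `op += len;`. Note also that `assert(occ >= len)` is compiled out under NDEBUG, so the effective bound appears to be the earlier occ-limited branch ending at `} while (--occ); break;` — a one-line comment such as `/* length <= occ is guaranteed by the partial-copy branch above */` would make that dependency explicit. LZWDecodeCompat's body starts and ends outside this hunk.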
--
libgit2 0.27.0