Here's a patch for wheezy, which may be useful for jessie if, like
wheezy, it lacks the ReadYCCKMethod case.


From e5fd9ab1b70b2edd06de8efb606e04482cb9a2f0 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warr...@imagemagick.org>
Date: Thu, 1 Dec 2016 20:06:50 -0500
Subject: [PATCH] Fix possible buffer overflow when writing compressed TIFFS

---
 ChangeLog     |  2 ++
 coders/tiff.c | 34 +++++++++++++++++++---------------
 2 files changed, 21 insertions(+), 15 deletions(-)

Patch was modified to remove ReadYCCKMethod case because absent from wheezy.

--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,8 @@
 
 2012-06-26  6.7.7-10 Glenn Randers-Pehrson <glennrp@image...>
   * Don't attempt to use Z_RLE compression strategy with old zlib (prior to
+  * Fix possible buffer overflow when writing compressed TIFFS (vulnerability
+    report from Cisco Talos, CVE-2016-8707).
     zlib-1.2.0) that does not support it.
   * Increase PLTE chunk length to accommodate background color in indexed PNG
     (reference www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=21288).
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -866,7 +866,7 @@ static Image *ReadTIFFImage(const ImageI
     width;
 
   unsigned char
-    *pixels;
+    *tiff_pixels;
 
   /*
     Open image.
@@ -1223,7 +1223,13 @@ static Image *ReadTIFFImage(const ImageI
       method=ReadTileMethod;
     quantum_info->endian=LSBEndian;
     quantum_type=RGBQuantum;
-    pixels=GetQuantumPixels(quantum_info);
+    tiff_pixels=(unsigned char *) AcquireMagickMemory(TIFFScanlineSize(tiff)+
+      sizeof(uint32));
+    if (tiff_pixels == (unsigned char *) NULL)
+      {
+        TIFFClose(tiff);
+        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+      }
     switch (method)
     {
       case ReadSingleSampleMethod:
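Review bot: The new buffer is sized for a single scanline (`TIFFScanlineSize(tiff)+sizeof(uint32)`), but the strip hunk at -1460 hands it to `TIFFReadRGBAStrip` and then indexes `((uint32 *) tiff_pixels)+image->columns*i` with `i` as large as `rows_per_strip-1`. Whenever a strip holds more than one row, that access runs past the allocation. The strip case should get its own buffer of `image->columns*rows_per_strip` uint32 values, with the product overflow-checked (for example through `AcquireQuantumMemory`), or this allocation should take the larger of the two sizes. The result of `TIFFScanlineSize` is also used unchecked; rejecting a non-positive value before the addition would stop a failed size computation from yielding a 4-byte buffer. The switch body continues outside this hunk, so the read methods not shown here need the same check.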
@@ -1294,7 +1300,6 @@ static Image *ReadTIFFImage(const ImageI
             TIFFClose(tiff);
             ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
           }
-        pixels=GetQuantumPixels(quantum_info);
         for (y=0; y < (ssize_t) image->rows; y++)
         {
           int
@@ -1303,14 +1308,14 @@ static Image *ReadTIFFImage(const ImageI
           register PixelPacket
             *restrict q;
 
-          status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
+          status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
           if (status == -1)
             break;
           q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
           if (q == (PixelPacket *) NULL)
             break;
           length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
-            quantum_type,pixels,exception);
+            quantum_type,tiff_pixels,exception);
           (void) length;
           if (SyncAuthenticPixels(image,exception) == MagickFalse)
             break;
@@ -1352,7 +1357,6 @@ static Image *ReadTIFFImage(const ImageI
             TIFFClose(tiff);
             ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
           }
-        pixels=GetQuantumPixels(quantum_info);
         for (y=0; y < (ssize_t) image->rows; y++)
         {
           int
@@ -1361,14 +1365,14 @@ static Image *ReadTIFFImage(const ImageI
           register PixelPacket
             *restrict q;
 
-          status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
+          status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
           if (status == -1)
             break;
           q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
           if (q == (PixelPacket *) NULL)
             break;
           length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
-            quantum_type,pixels,exception);
+            quantum_type,tiff_pixels,exception);
           if (SyncAuthenticPixels(image,exception) == MagickFalse)
             break;
           if (image->previous == (Image *) NULL)
@@ -1397,7 +1401,7 @@ static Image *ReadTIFFImage(const ImageI
               status;
 
             status=TIFFReadPixels(tiff,bits_per_sample,(tsample_t) i,y,(char *)
-              pixels);
+              tiff_pixels);
             if (status == -1)
               break;
             q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
@@ -1423,7 +1427,7 @@ static Image *ReadTIFFImage(const ImageI
                 default: quantum_type=UndefinedQuantum; break;
               }
             length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
-              quantum_type,pixels,exception);
+              quantum_type,tiff_pixels,exception);
             if (SyncAuthenticPixels(image,exception) == MagickFalse)
               break;
           }
@@ -1460,13 +1464,13 @@ static Image *ReadTIFFImage(const ImageI
             break;
           if (i == 0)
             {
-              if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) pixels) == 0)
+              if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) tiff_pixels) == 0)
                 break;
               i=(ssize_t) MagickMin((ssize_t) rows_per_strip,(ssize_t)
                 image->rows-y);
             }
           i--;
-          p=((uint32 *) pixels)+image->columns*i;
+          p=((uint32 *) tiff_pixels)+image->columns*i;
           for (x=0; x < (ssize_t) image->columns; x++)
           {
             SetPixelRed(q,ScaleCharToQuantum((unsigned char)
@@ -1676,6 +1680,7 @@ static Image *ReadTIFFImage(const ImageI
         break;
       }
     }
+    tiff_pixels=(unsigned char *) RelinquishMagickMemory(tiff_pixels);
     SetQuantumImageType(image,quantum_type);
   next_tiff_frame:
     quantum_info=DestroyQuantumInfo(quantum_info);
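Review bot: The release is on the normal path only, so error exits taken between the allocation and this line leak `tiff_pixels`. The `TIFFClose(tiff); ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");` blocks visible as context in the hunks at -1294 and -1352 leave the function without freeing it; add `tiff_pixels=(unsigned char *) RelinquishMagickMemory(tiff_pixels);` before each of those throws. The release also sits above the `next_tiff_frame:` label, so any `goto next_tiff_frame` taken after the allocation would skip it. No such jump is visible in these hunks, so that needs checking against the full function. If the release is moved below the label instead, the declaration must initialise the pointer to NULL, because jumps taken before the allocation would otherwise free an uninitialised or stale pointer.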

Attachment: signature.asc
Description: Digital signature
