Package: tiff
Version: 3.9.4-2
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch


In Ubuntu, we've applied the attached patch in lucid-security to
achieve the following:

  * debian/patches/fix-ycbcr-oob-read.patch fix crash on
    OOB reads in putcontig8bitYCbCr11tile (LP: #591605)

We thought you might be interested in doing the same.

The patch origin is from

  https://bugzilla.redhat.com/attachment.cgi?id=423329

and was committed on the 3.9 and 4.0 branch of libtiff. You can
see how it was applied on the 3.9 branch in the upstream cvs tree by
doing

  cvs diff -r 1.63.2.4 -r 1.63.2.5 libtiff/tif_getimage.c

The related launchpad bug is

  https://bugs.launchpad.net/bugs/591605

and includes a reproducer

  https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605/+attachment/1421368/+files/sample.tif.gz

The upstream bug report is at

  http://bugzilla.maptools.org/show_bug.cgi?id=2216

Thanks!


-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-19-server (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru tiff-3.9.4/debian/patches/fix-ycbcr-oob-read.patch tiff-3.9.4/debian/patches/fix-ycbcr-oob-read.patch
--- tiff-3.9.4/debian/patches/fix-ycbcr-oob-read.patch	1969-12-31 16:00:00.000000000 -0800
+++ tiff-3.9.4/debian/patches/fix-ycbcr-oob-read.patch	2010-08-31 10:31:44.000000000 -0700
@@ -0,0 +1,18 @@
+Description: fix crash on OOB reads in putcontig8bitYCbCr11tile
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/591605
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=603081
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=423329
+
+Index: tiff-3.9.2/libtiff/tif_getimage.c
+===================================================================
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2010-06-16 10:47:29.147649657 -0700
++++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-16 10:48:06.103986457 -0700
+@@ -2399,7 +2399,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_YCBCR:
+-			if (img->bitspersample == 8)
++			if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ 			{
+ 				if (initYCbCrConversion(img)!=0)
+ 				{
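Review bot: The tightened test in the PHOTOMETRIC_YCBCR case, `(img->bitspersample==8) && (img->samplesperpixel==3)`, sends 8-bit YCbCr images with any other sample count past this branch, and the visible context does not show where they end up. Please confirm that path finishes in a reported error and not in some other put routine being chosen. The patch header lists Bug-Ubuntu and Bug-RedHat but not the upstream report, so a `Bug:` line pointing at the maptools bug 2216 cited in this report would complete it. The spacing of the new condition also differs from the `img->bitspersample == 8` line it replaces.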
diff -Nru tiff-3.9.4/debian/patches/series tiff-3.9.4/debian/patches/series
--- tiff-3.9.4/debian/patches/series	2010-08-13 17:11:51.000000000 -0700
+++ tiff-3.9.4/debian/patches/series	2010-08-31 10:31:44.000000000 -0700
@@ -2,3 +2,4 @@
 man-errors.patch
 man-spelling.patch
 tif_getimage.c-CVE-2010-2233.patch
+fix-ycbcr-oob-read.patch
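Review bot: fix-ycbcr-oob-read.patch is appended after tif_getimage.c-CVE-2010-2233.patch, which going by its name edits the same file, libtiff/tif_getimage.c, while the new patch's inner hunk is still addressed to tiff-3.9.2 at line 2399. Refresh it against the 3.9.4 tree with the earlier series entries applied, so that it applies in this position without offset or fuzz.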
