
tiff / CVE-2018-7456



I attempted to fix the CVE-2018-7456 issue in tiff, for the version in
stretch. My patch is below. But curiously, my patch only works if I
enable the commented-out call to fprintf or use -O0 instead of the
default -O2 (-O1 also fails). Otherwise the if condition never gets
executed, and it segfaults later on with a null-pointer error when
trying to access the same pointer.

To me, this seems like some sort of weird compiler optimization
error. Does this make sense?

This was with the gcc from stretch. I also tried the compiler in sid,
with the same source, which gave similar results.


Index: tiff-4.0.8/libtiff/tif_print.c
===================================================================
--- tiff-4.0.8.orig/libtiff/tif_print.c
+++ tiff-4.0.8/libtiff/tif_print.c
@@ -540,8 +540,18 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd,
 	if (TIFFFieldSet(tif,FIELD_TRANSFERFUNCTION)) {
 		fprintf(fd, "  Transfer Function: ");
 		if (flags & TIFFPRINT_CURVES) {
-			fprintf(fd, "\n");
+                        uint16 i;
 			n = 1L<<td->td_bitspersample;
+                        for (i = 1; i < td->td_samplesperpixel; i++) {
+                                // fprintf(fd, "%p\n", td->td_transferfunction[i]);
+                                if (NULL == td->td_transferfunction[i]) {
+                                        // abort();
+                                        fprintf(fd, "(unexpected end of table)\n");
+                                        n = 0;
+                                        break;
+                                }
+                        }
+			fprintf(fd, "\n");
 			for (l = 0; l < n; l++) {
 				uint16 i;
 				fprintf(fd, "    %2ld: %5u",

-- 
Brian May <bam@debian.org>
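A stand-alone sketch of the bounded validation discussed in the patch review, added here as an example; it is not part of the patch above or of libtiff. The `Dir` struct is a constructed stand-in for the TIFFDirectory fields that TIFFPrintDirectory reads (libtiff's real struct has many more members, but the three-slot `td_transferfunction` array matches tif_dir.h), and the sample directories and curve data are constructed inputs. The point it shows is that the loop bound must come from the array size, not from the attacker-controlled SamplesPerPixel, and that slot 0 needs the same NULL check as the others.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the libtiff TIFFDirectory fields used by the
 * transfer-function block of TIFFPrintDirectory.  Only the three-slot
 * td_transferfunction array mirrors tif_dir.h exactly. */
#define TF_SLOTS 3
typedef struct {
    uint16_t  td_bitspersample;
    uint16_t  td_samplesperpixel;   /* read from the file: attacker-controlled */
    uint16_t  td_extrasamples;
    uint16_t *td_transferfunction[TF_SLOTS];
} Dir;

/* Number of curves that can be printed safely: colour samples only, never
 * more than the array holds, and stopping at the first NULL slot.
 * Returns 0 when slot 0 is missing, i.e. the table must be skipped. */
size_t usable_curves(const Dir *td)
{
    size_t want = 0, i;
    if (td->td_samplesperpixel > td->td_extrasamples)
        want = (size_t)(td->td_samplesperpixel - td->td_extrasamples);
    if (want > TF_SLOTS)
        want = TF_SLOTS;            /* bound comes from the array, not the file */
    if (want == 0 || td->td_transferfunction[0] == NULL)
        return 0;
    for (i = 1; i < want; i++)
        if (td->td_transferfunction[i] == NULL)
            break;
    return i;
}

/* Print the table in the same layout as tif_print.c, but only over slots
 * that usable_curves() accepted.  Returns rows printed, 0 if skipped. */
long print_curves(const Dir *td, FILE *fd)
{
    size_t ncurves = usable_curves(td);
    long n, l;
    if (ncurves == 0 || td->td_bitspersample > 16) {
        fprintf(fd, "  Transfer Function: (missing or truncated table)\n");
        return 0;
    }
    n = 1L << td->td_bitspersample;
    fprintf(fd, "  Transfer Function:\n");
    for (l = 0; l < n; l++) {
        size_t i;
        fprintf(fd, "    %2ld: %5u", l, td->td_transferfunction[0][l]);
        for (i = 1; i < ncurves; i++)
            fprintf(fd, " %5u", td->td_transferfunction[i][l]);
        fprintf(fd, "\n");
    }
    return n;
}

/* Constructed sample data: 2 bits per sample, so each curve has 4 entries. */
static uint16_t curve_r[4] = {0, 1, 2, 3};
static uint16_t curve_g[4] = {4, 5, 6, 7};
static uint16_t curve_b[4] = {8, 9, 10, 11};

const Dir *sample_rgb(void)        /* well-formed RGB: 3 curves */
{
    static Dir d = {2, 3, 0, {curve_r, curve_g, curve_b}};
    return &d;
}
const Dir *sample_rgba(void)       /* RGB plus one extra sample: still 3 curves */
{
    static Dir d = {2, 4, 1, {curve_r, curve_g, curve_b}};
    return &d;
}
const Dir *sample_oversized(void)  /* SamplesPerPixel far beyond the 3 slots */
{
    static Dir d = {2, 9, 0, {curve_r, curve_g, curve_b}};
    return &d;
}
const Dir *sample_truncated(void)  /* claims 3 samples but slot 1 is NULL */
{
    static Dir d = {2, 3, 0, {curve_r, NULL, NULL}};
    return &d;
}
const Dir *sample_empty(void)      /* slot 0 itself is NULL */
{
    static Dir d = {2, 1, 0, {NULL, NULL, NULL}};
    return &d;
}

int main(void)
{
    const Dir *cases[] = {sample_rgb(), sample_rgba(), sample_oversized(),
                          sample_truncated(), sample_empty()};
    size_t k;
    for (k = 0; k < sizeof cases / sizeof cases[0]; k++)
        printf("case %zu: %ld rows\n", k, print_curves(cases[k], stdout));
    return 0;
}
```

With a SamplesPerPixel of 9 the original loop would index past the three pointers; here it is clamped to the array size first, so the NULL checks that follow only ever touch real slots, and the truncated table degrades to printing the one curve that exists instead of dereferencing NULL.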

