Bug#846838: marked as done (tiff: divide-by-zero in readSeparateStripsIntoBuffer)

Wed, 07 Dec 2016 08:51:57 -0800 

Your message dated Wed, 07 Dec 2016 16:49:56 +0000
with message-id <[email protected]>
and subject line Bug#846838: fixed in tiff 4.0.7-2
has caused the Debian Bug report #846838,
regarding tiff: divide-by-zero in readSeparateStripsIntoBuffer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
846838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846838
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Source: tiff
Version: 4.0.3-12.3
Severity: normal
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2619

Hi

This was forwarded to upstream to
http://bugzilla.maptools.org/show_bug.cgi?id=2619 . From a quick look
at the code:

4756 static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 
length,
4757                                          uint32 width, uint16 spp,
4758                                          struct dump_opts *dump)           
                  
4759   {
[...]
4766   uint32 src_rowsize, dst_rowsize, rows_processed, rps;
[...]
4796   src_rowsize = ((bps * width) + 7) / 8;
[...]
4833   rows_processed = 0;
4834   for (j = 0; (j < strips_per_sample) && (result == 1); j++)
4835     {
4836     for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
4837       {
4838       buff = srcbuffs[s];
4839       strip = (s * strips_per_sample) + j;
4840       bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
4841       rows_this_strip = bytes_read / src_rowsize;

would lead to a division-by-zero in tiffcrop if bps would be zero.

I have not reasearched when this could happen.

Regards,
Salvatore

--- End Message ---
--- Begin Message --- 
Source: tiff
Source-Version: 4.0.7-2

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Dec 2016 12:24:44 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl 
libtiff-doc
Architecture: source all amd64
Version: 4.0.7-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 846837 846838
Changes:
 tiff (4.0.7-2) unstable; urgency=high
 .
   * Backport security fixes:
     - fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer
       division by zero,
     - avoid uint32 underflow in cpDecodedStrips that can cause various
       issues, such as buffer overflows in the library,
     - fix heap-based buffer overflow on generation of PixarLog / LUV
       compressed files, with ColorMap, TransferFunction attached and nasty
       plays with bitspersample,
     - fix ChopUpSingleUncompressedStrip() in reading outside of the
       StripByCounts/StripOffsets arrays when using TIFFReadScanline()
       (closes: #846837),
     - make OJPEGDecode() early exit in case of failure in OJPEGPreDecode() to
       avoid a divide by zero, and potential other issues,
     - fix readContigStripsIntoBuffer() in -i (ignore) mode so that the
       output buffer is correctly incremented to avoid write outside bounds,
     - add 3 extra bytes at end of strip buffer in
       readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
       buffer,
     - fix integer division by zero when BitsPerSample is missing
       (closes: #846838),
     - fix null pointer dereference in -r mode when the image has no
       StripByteCount tag,
     - avoid potential division by zero if BitsPerSamples tag is missing,
     - limit the return number of inks to SamplesPerPixel in
       TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) , so that code that parses ink
       names doesn't go past the end of the buffer,
     - avoid another potential division by zero if BitsPerSamples tag is
       missing,
     - fix uint32 underflow/overflow that can cause heap-based buffer overflow,
     - replace assert( (bps % 8) == 0 ) by a non assert check.
   * Remove thumbnail and rgb2ycbcr documentations, these tools no longer
     present.
Checksums-Sha1:
 48a52b27dffb639cdc00ed341a7b42a7a9bebdff 2157 tiff_4.0.7-2.dsc
 8bbf361bc019c94010c042adbb7ca1e6d9286289 23124 tiff_4.0.7-2.debian.tar.xz
 da0f4a602201d406340a2199b1d4c020ff16e0a3 387840 libtiff-doc_4.0.7-2_all.deb
 74a11cea49462af4c833c34715de330f2b27a281 14158 
libtiff-opengl-dbgsym_4.0.7-2_amd64.deb
 c11eb4f61f80fe39fac4bdaaf7c9edbd1af09f51 95566 libtiff-opengl_4.0.7-2_amd64.deb
 422accb6d1662cfeff3b25805d47d391ee8e7b7c 350840 
libtiff-tools-dbgsym_4.0.7-2_amd64.deb
 d5a9ee3cb85533eddb43802a6139277a3c4c9d5b 275862 libtiff-tools_4.0.7-2_amd64.deb
 9e2bdf09281a1b7e9bc6a3b2ba9c16ffc7677f66 365976 
libtiff5-dbgsym_4.0.7-2_amd64.deb
 a3af72e56fb83c5cdc1c8751f4e71c6048358d2a 352096 libtiff5-dev_4.0.7-2_amd64.deb
 87c8ea7848b81e325d9131efa0b5b8e772e7b6cf 229734 libtiff5_4.0.7-2_amd64.deb
 87a7475184993fc7d32b4beecf6a6a6e19f9c0ef 21036 
libtiffxx5-dbgsym_4.0.7-2_amd64.deb
 d8268885a02ea6ac4d02a39ea6a7368eb5e6137c 90880 libtiffxx5_4.0.7-2_amd64.deb
 bc251a142914feb33c305c3e13dd9b8bd5d49bda 10083 tiff_4.0.7-2_amd64.buildinfo
Checksums-Sha256:
 45c96169b9d438e37fe6f64ef77e342620330850ab741880dca4af9f69a451cc 2157 
tiff_4.0.7-2.dsc
 496252f073d2382ae47167b3830338353b88115fce87ff07c1bff05040cdb500 23124 
tiff_4.0.7-2.debian.tar.xz
 bb6599e2fe13367004995b5a6387e16896007b60d846890c3552ac412cfcf45f 387840 
libtiff-doc_4.0.7-2_all.deb
 d604a1032575ac424625c52a30625f132f35cb3d4183fc2a4ce7a6164ffda5ff 14158 
libtiff-opengl-dbgsym_4.0.7-2_amd64.deb
 16bd6bd3884b29c156f841132e163ededa0c92477aff9fb8aed4010020a77baf 95566 
libtiff-opengl_4.0.7-2_amd64.deb
 52458ea875e80387b2590e6120ce2ddcc2a54a872fbce01721fb3e7edc52e790 350840 
libtiff-tools-dbgsym_4.0.7-2_amd64.deb
 353e1c142898b0921d1c02b33d5f0d1f9846f9bc6015d34da03ce491d8732455 275862 
libtiff-tools_4.0.7-2_amd64.deb
 321691466a975988eeaedc71450a58cc4a9ed8602205f15d32146822d59cbafc 365976 
libtiff5-dbgsym_4.0.7-2_amd64.deb
 0e9a2690d1a81d45418b715d5f3c77a7a20215227e64edecbd172366ac5e0dfc 352096 
libtiff5-dev_4.0.7-2_amd64.deb
 3ea0525dcbc394d00e3843c870a7ba4b7d71bbaad36ea6222a3721e6c9f39318 229734 
libtiff5_4.0.7-2_amd64.deb
 f4610ac7108f9fb759772c698c4c73e0e97dee0711f3aad73147374baf1fbb35 21036 
libtiffxx5-dbgsym_4.0.7-2_amd64.deb
 0d2e4a3a5027d0906d9fe1db1f7112fdbdf7bfe9c76dc2b54520d5320ccfd6b9 90880 
libtiffxx5_4.0.7-2_amd64.deb
 228e339f498a2130e48eeb277c3a9080b676e508b4580cbb6b225ae862bad33e 10083 
tiff_4.0.7-2_amd64.buildinfo
Files:
 8dd7b62d683875235152ebd5474fe1a0 2157 libs optional tiff_4.0.7-2.dsc
 1d0287fad4becf7356f4b0571b11671f 23124 libs optional tiff_4.0.7-2.debian.tar.xz
 7c4d34c93487f4234585d3fb1e17c58d 387840 doc optional 
libtiff-doc_4.0.7-2_all.deb
 572f79e4d7636b1a8988ad7dfc59cefc 14158 debug extra 
libtiff-opengl-dbgsym_4.0.7-2_amd64.deb
 73ed530fe8985ea368d54296ede8af28 95566 graphics optional 
libtiff-opengl_4.0.7-2_amd64.deb
 16a9f62b7cfad7ddf59bd750dd667cbd 350840 debug extra 
libtiff-tools-dbgsym_4.0.7-2_amd64.deb
 daa49cbe81d060da50264f5b1fe67d2b 275862 graphics optional 
libtiff-tools_4.0.7-2_amd64.deb
 3bfd5646dcf48c96c41fa580ed17cc38 365976 debug extra 
libtiff5-dbgsym_4.0.7-2_amd64.deb
 89dc8984b3b09db0c69808c2b0ea6dc7 352096 libdevel optional 
libtiff5-dev_4.0.7-2_amd64.deb
 aa798ccec3b1fe6f7d80772090de08b6 229734 libs optional 
libtiff5_4.0.7-2_amd64.deb
 a12e84476d46ce639123b61c38c537ab 21036 debug extra 
libtiffxx5-dbgsym_4.0.7-2_amd64.deb
 8bc509217559495288d9a41eb1f1f67d 90880 libs optional 
libtiffxx5_4.0.7-2_amd64.deb
 fd513485f58ac736b759384716b21483 10083 libs optional 
tiff_4.0.7-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlhIOs4ACgkQ3OMQ54ZM
yL9ZTRAAtgHJ8/l/2mW9rYtjsYzQzUNV02l3aZxPjhN7+6opSwuxAqUdZVHusrDL
mttaoQnU5DtgOIE0TXOKJAwdZhKvORM4Fyzj44dh+VCyEuqeqDXODLtzYjtfGL+O
7JGsUtGYFY4041LE114ka5bXgmKaZKspt/Zzfg0JM19zDhoSwSazUV1ZDFOjDpmN
zg4CyEuYkxmZHAzSOLb030qeLV7pgLr/viUC4AIYal9gToxYfWoFdaCKOnOHeZYz
zsPVnaibov95hwxOzgbLoNAiboF4H2oowFs1iJB4h/iARtrA1/ZfSAHh24pMUU87
nltAcE0OJLmTMiQEWuM5qdiTVqEC+R61sWkYaFAXUxGWx21LMBXSDY5GwUCosBYY
o6EmuXz6nBswAgiJ67+9h3U+hFUStLq3RHm16XAOcN+rdOmuLxueKjZrHhD7z3Yq
N/HhaxUXCDdqTX4NJRifrd2Oka4YLPWG90OSqfUOV/WXth7nAHOpZU6YCZsUfMub
DVxahlj4tLQDYK+ACqsPJt0Y65z6w59raVQoBzWbhOH0HK4+ve28kpOeVw4LE/Ys
W9k2jYy2YoOUw5X/BzEYiLbc+MVmkLB6sawPRpAe/hcbRjUzmi/2ng6qCpmYKOqD
Zgl41wm906TUfxtsO6bWybM6pamOemg5GrKuOdGv/dqyMV29Lic=
=PwDx
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to