Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawdata): http://bugzilla.maptools.org/show_bug.cgi?id=2651 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593 https://security-tracker.debian.org/tracker/CVE-2017-7593 2017-01-11 Even Rouault * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc() * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero initialize tif_rawdata. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 /cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog new revision: 1.1208; previous revision: 1.1207 /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c new revision: 1.53; previous revision: 1.52 /cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v <-- libtiff/tif_unix.c new revision: 1.28; previous revision: 1.27 /cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v <-- libtiff/tif_vms.c new revision: 1.14; previous revision: 1.13 /cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v <-- libtiff/tif_win32.c new revision: 1.42; previous revision: 1.41 /cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v <-- libtiff/tiffio.h new revision: 1.94; previous revision: 1.93 diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h --- tiff-4.0.7/libtiff/tiffio.h 1969-12-31 19:00:00.000000000 -0500 +++ tiff-4.0.7.new/libtiff/tiffio.h 2017-05-05 19:08:03.772999790 -0400 @@ -1,4 +1,4 @@ -/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */ +/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -293,6 +293,7 @@ */ extern void* _TIFFmalloc(tmsize_t s); +extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); extern void* _TIFFrealloc(void* p, tmsize_t s); extern void _TIFFmemset(void* p, int v, tmsize_t c); extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c --- tiff-4.0.7/libtiff/tif_read.c 2017-05-05 19:04:09.740966642 -0400 +++ tiff-4.0.7.new/libtiff/tif_read.c 2017-05-05 18:59:11.070709441 -0400 @@ -1,4 +1,4 @@ -/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */ +/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -976,7 +976,9 @@ "Invalid buffer size"); return (0); } - tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize); + /* Initialize to zero to avoid uninitialized buffers in case of */ + /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */ + tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); tif->tif_flags |= TIFF_MYBUFFER; } if (tif->tif_rawdata == NULL) { diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c --- tiff-4.0.7/libtiff/tif_unix.c 1969-12-31 19:00:00.000000000 -0500 +++ tiff-4.0.7.new/libtiff/tif_unix.c 2017-05-05 19:10:48.302645187 -0400 @@ -1,4 +1,4 @@ -/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */ +/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -316,6 +316,14 @@ return (malloc((size_t) s)); } +void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) +{ + if( nmemb == 0 || siz == 0 ) + return ((void *) NULL); + + return calloc((size_t) nmemb, (size_t)siz); +} + void _TIFFfree(void* p) { diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32.c --- tiff-4.0.7/libtiff/tif_win32.c 1969-12-31 19:00:00.000000000 -0500 +++ tiff-4.0.7.new/libtiff/tif_win32.c 2017-05-05 19:13:06.903399627 -0400 @@ -1,4 +1,4 @@ -/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */ +/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -360,6 +360,14 @@ return (malloc((size_t) s)); } +void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) +{ + if( nmemb == 0 || siz == 0 ) + return ((void *) NULL); + + return calloc((size_t) nmemb, (size_t)siz); +} + void _TIFFfree(void* p) {