LibTiff Mailing List

This is a proposed modification to Tom Lane's patch in
http://bugzilla.maptools.org/show_bug.cgi?id=2297 We have a
customer-submitted image which cannot be decoded once we applied Tom's patch
(http://bugzilla.maptools.org/attachment.cgi?id=443). The image contains
privacy information which cannot be shared. Our investigation leads us to
propose another patch, which relaxes the catch condition slightly. The main
change is that in addition to allowing (treating as valid) the case of
equality at the first element of the current row, it is also allowed if it
is at the second element of the row. Namely, fromif (b1 < (int) (a0 +
TabEnt->Param) || pa != thisrun) { unexpected(...); }toif (b1 < (int) (a0 +
TabEnt->Param) || (pa != thisrun && pa != thisrun + 1)) { unexpected(...); }
In our customer-submitted image, the code "V0 VL(...)" was occasionally
found at the beginning of the row. In this particular image, the value of VL
is always equal to (b1 - a0), thus falling into the equality case (that is,
it was not trying to move backwards). Furthermore, "a0" is always zero when
this code is seen. If my interpretation is correct, the following would also
work:if (b1 < (int) (a0 + TabEnt->Param) || (pa != thisrun && pa != thisrun
+ 1 || a0 != 0)) { unexpected(...); } Your opinions are greatly appreciated.
In particular, we would like to know if any risk can be identified from this
code change. Regards,rwong_002@hotmail.com

--- libtiff-3_9_5_r227596\source\libtiff\tif_fax3.h	2012-01-06 17:40:59.780697800 -0800
+++ libtiff-3_9_5\source\libtiff\tif_fax3.h	2012-01-06 17:49:50.101760000 -0800
@@ -476,13 +476,13 @@
 	    SETVALUE(b1 - a0 + TabEnt->Param);				\
 	    b1 += *pb++;						\
 	    break;							\
 	case S_VL:							\
 	    CHECK_b1;							\
 	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
-		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
+		if (b1 < (int) (a0 + TabEnt->Param) || (pa != thisrun && pa != thisrun + 1)) {	\
 		    unexpected("VL", a0);				\
 		    goto eol2d;						\
 		}							\
 	    }								\
 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
 	    b1 -= *--pb;						\



AWARE [SYSTEMS]		Imaging expertise for the Delphi developer
		TIFF and LibTiff Mailing List Archive
	LibTiff Mailing List TIFF and LibTiff Mailing List Archive January 2012 Previous Thread Next Thread Previous by Thread Next by Thread Previous by Date Next by Date Contact The TIFF Mailing List Homepage This list is run by Frank Warmerdam Archive maintained by AWare Systems	Thread 2012.01.07 02:29 "Proposed modification to", by Ryan Wong 2012.01.16 20:50 "Re: Proposed modification to", by Ryan Wong 2012.01.07 02:29 "Proposed modification to", by Ryan Wong This is a proposed modification to Tom Lane's patch in http://bugzilla.maptools.org/show_bug.cgi?id=2297 We have a customer-submitted image which cannot be decoded once we applied Tom's patch (http://bugzilla.maptools.org/attachment.cgi?id=443). The image contains privacy information which cannot be shared. Our investigation leads us to propose another patch, which relaxes the catch condition slightly. The main change is that in addition to allowing (treating as valid) the case of equality at the first element of the current row, it is also allowed if it is at the second element of the row. Namely, fromif (b1 < (int) (a0 + TabEnt->Param) \|\| pa != thisrun) { unexpected(...); }toif (b1 < (int) (a0 + TabEnt->Param) \|\| (pa != thisrun && pa != thisrun + 1)) { unexpected(...); } In our customer-submitted image, the code "V0 VL(...)" was occasionally found at the beginning of the row. In this particular image, the value of VL is always equal to (b1 - a0), thus falling into the equality case (that is, it was not trying to move backwards). Furthermore, "a0" is always zero when this code is seen. If my interpretation is correct, the following would also work:if (b1 < (int) (a0 + TabEnt->Param) \|\| (pa != thisrun && pa != thisrun + 1 \|\| a0 != 0)) { unexpected(...); } Your opinions are greatly appreciated. In particular, we would like to know if any risk can be identified from this code change. Regards,rwong_002@hotmail.com --- libtiff-3_9_5_r227596\source\libtiff\tif_fax3.h 2012-01-06 17:40:59.780697800 -0800 +++ libtiff-3_9_5\source\libtiff\tif_fax3.h 2012-01-06 17:49:50.101760000 -0800 @@ -476,13 +476,13 @@ SETVALUE(b1 - a0 + TabEnt->Param); \ b1 += pb++; \ break; \ case S_VL: \ CHECK_b1; \ if (b1 <= (int) (a0 + TabEnt->Param)) { \ - if (b1 < (int) (a0 + TabEnt->Param) \|\| pa != thisrun) { \ + if (b1 < (int) (a0 + TabEnt->Param) \|\| (pa != thisrun && pa != thisrun + 1)) { \ unexpected("VL", a0); \ goto eol2d; \ } \ } \ SETVALUE(b1 - a0 - TabEnt->Param); \ b1 -= --pb; \

LibTiff Mailing List

Thread

2012.01.07 02:29 "Proposed modification to", by Ryan Wong