author | Even Rouault <even.rouault@spatialys.com> | 2016-10-14 19:13:20 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2016-10-14 19:13:20 +0000 |
commit | 0d521dfab0613833a7ce4c146f4f1411f6270105 (patch) | |
tree | 07dea9659f88d5db2480836d0bbe9e319fa3249a | |
parent | 0937638efd79afb96215b08cfddf48d20c03eead (diff) | |
download | libtiff-git-0d521dfab0613833a7ce4c146f4f1411f6270105.tar.gz |
* tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | tools/tiffcrop.c | 13 |
2 files changed, 17 insertions, 2 deletions
@@ -1,3 +1,9 @@
+2016-10-14 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+
 2016-10-09 Even Rouault <even.rouault at spatialys.com>
 
 * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 865e2ec2..b18728ae 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.41 2016-10-08 15:04:31 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.42 2016-10-14 19:13:20 erouault Exp $ */
 
 /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
 * the image data through additional options listed below
@@ -819,9 +819,18 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
 }
 }
 
- tilebuf = _TIFFmalloc(tile_buffsize);
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if( tile_buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(-1);
+ }
+ tilebuf = _TIFFmalloc(tile_buffsize + 3);
 if (tilebuf == 0)
 return 0;
+ tilebuf[tile_buffsize] = 0;
+ tilebuf[tile_buffsize+1] = 0;
+ tilebuf[tile_buffsize+2] = 0;
 
 dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;
 for (row = 0; row < imagelength; row += tl) |
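Review bot: The new overflow guard in front of `_TIFFmalloc(tile_buffsize + 3)` ends the process with `exit(-1)`, while the allocation failure two lines below it returns 0, so the two failure paths of one allocation behave differently. The function starts and ends outside this hunk, so unless it already exits on overflow elsewhere, `return 0;` after the `TIFFError` call would leave cleanup to the caller. The bound `0xFFFFFFFFU - 3` is hard-coded rather than derived from the type of `tile_buffsize`, whose declaration is not visible here; if that type is signed or wider than 32 bits, the comparison does not express the real limit. The padding is applied only at this allocation, so any other buffer passed to extractContigSamplesShifted32bits presumably needs the same three zeroed bytes. A named constant for the 3, with a comment such as `/* extractContigSamplesShifted32bits may read up to 3 bytes past the end of its source buffer */`, would make that requirement visible at every call site.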