author | Even Rouault <even.rouault@spatialys.com> | 2019-08-24 00:37:17 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-24 00:37:17 +0200 |
commit | 804f40f3bfe85300331fd1fb8317c46aa9625ed0 (patch) | |
tree | 01d18c6871b7cab8f98ac527ab16c69490177e4d | |
parent | 7db298e3a8dfe5ca9f0264dfb6b36d80b2b97e5e (diff) | |
_TIFFPartialReadStripArray(): avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16685
-rw-r--r-- | libtiff/tif_dirread.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 95230cda..29874310 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -6033,6 +6033,14 @@ int _TIFFPartialReadStripArray( TIFF* tif, TIFFDirEntry* dirent,
 TIFFSwabLong(&offset);
 nBaseOffset = offset;
 }
+ /* To avoid later unsigned integer overflows */
+ if( nBaseOffset > (uint64)TIFF_INT64_MAX )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot read offset/size for strile %d", strile);
+ panVals[strile] = 0;
+ return 0;
+ }
 nOffset = nBaseOffset + sizeofval * strile;
 nOffsetStartPage =
 (nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE; |
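Review bot: The comment on the new guard says only that it avoids "later unsigned integer overflows", without naming the expression it protects or why `TIFF_INT64_MAX` is the right bound. A maintainer reading the hunk cannot tell whether `nBaseOffset + sizeofval * strile` is the only sum covered. I would expand it to something like `/* Reject base offsets above INT64_MAX so nBaseOffset + sizeofval * strile cannot wrap uint64 */`, and confirm that the bound also holds for the page-offset arithmetic that continues outside the hunk. The error text `"Cannot read offset/size for strile %d"` reads like a generic read failure; if other paths in this function use the same wording, a distinct message for the out-of-range base offset would make reports from malformed files easier to triage. The body of _TIFFPartialReadStripArray starts and ends outside the hunk.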