author | fwarmerdam <fwarmerdam> | 2012-06-20 05:22:51 +0000 |
---|---|---|
committer | fwarmerdam <fwarmerdam> | 2012-06-20 05:22:51 +0000 |
commit | 9c4e225ef8d3e33015ed76427877c45a1f98eb94 (patch) | |
tree | 26d937f6bf27e9b0e30e4f8d468bc89f05eb5daf | |
parent | db4a2d9356c566b8d2ff8d8f1609d3b8c8df9194 (diff) | |
download | libtiff-9c4e225ef8d3e33015ed76427877c45a1f98eb94.tar.gz |
avoid read past end of source data buffer with corrupt data
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | libtiff/tif_packbits.c | 10 |
2 files changed, 12 insertions, 2 deletions
@@ -1,3 +1,7 @@
+2012-06-19 Frank Warmerdam <warmerdam@google.com>
+
+ * libtiff/tif_packbits.c: fix read past end of data buffer.
+
 2012-06-15 Frank Warmerdam <warmerdam@google.com>
 * libtiff 4.0.2 released.
diff --git a/libtiff/tif_packbits.c b/libtiff/tif_packbits.c
index a79abe86..4aff450f 100644
--- a/libtiff/tif_packbits.c
+++ b/libtiff/tif_packbits.c
@@ -1,4 +1,4 @@
-/* $Id: tif_packbits.c,v 1.20 2010-03-10 18:56:49 bfriesen Exp $ */
+/* $Id: tif_packbits.c,v 1.21 2012-06-20 05:22:52 fwarmerdam Exp $ */
 /*
 * Copyright (c) 1988-1997 Sam Leffler
@@ -252,7 +252,13 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 (unsigned long) ((tmsize_t)n - occ + 1));
 n = (long)occ - 1;
 }
- _TIFFmemcpy(op, bp, ++n); /* TODO: may be reading past input buffer here when input data is corrupt or ends prematurely */
+ if (cc < (tmsize_t) (n+1))
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Terminating PackBitsDecode due to lack of data.");
+ break;
+ }
+ _TIFFmemcpy(op, bp, ++n);
 op += n; occ -= n;
 bp += n; cc -= n;
 } |
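Review bot: The new `cc < (tmsize_t) (n+1)` guard in the PackBitsDecode hunk protects only the literal-run `_TIFFmemcpy`. The function starts and ends outside the hunk, so the replicate-run branch is not visible; if it fetches its value byte from `bp` right after the count byte, a corrupt stream ending on a run header could still read one byte past the input. That branch would need an equivalent check before the read, for example `if (cc == 0) break;` with the same warning. The `break` also leaves the remaining `occ` bytes of `op` unwritten, so it is worth confirming that the code after the loop fails the decode when `occ > 0` instead of handing stale buffer contents to the caller. A short comment at the guard, such as `/* literal run needs n+1 source bytes; cc is what remains of the raw input */`, would replace the context the removed TODO carried.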