authorfwarmerdam <fwarmerdam>2012-06-20 05:22:51 +0000
committerfwarmerdam <fwarmerdam>2012-06-20 05:22:51 +0000
commit9c4e225ef8d3e33015ed76427877c45a1f98eb94 (patch)
tree26d937f6bf27e9b0e30e4f8d468bc89f05eb5daf
parentdb4a2d9356c566b8d2ff8d8f1609d3b8c8df9194 (diff)
downloadlibtiff-9c4e225ef8d3e33015ed76427877c45a1f98eb94.tar.gz
avoid read past end of source data buffer with corrupt data
-rw-r--r--ChangeLog4
-rw-r--r--libtiff/tif_packbits.c10
2 files changed, 12 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 4eab3bba..42314e5e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2012-06-19 Frank Warmerdam <warmerdam@google.com>
+
+ * libtiff/tif_packbits.c: fix read past end of data buffer.
+
2012-06-15 Frank Warmerdam <warmerdam@google.com>
* libtiff 4.0.2 released.
diff --git a/libtiff/tif_packbits.c b/libtiff/tif_packbits.c
index a79abe86..4aff450f 100644
--- a/libtiff/tif_packbits.c
+++ b/libtiff/tif_packbits.c
@@ -1,4 +1,4 @@
-/* $Id: tif_packbits.c,v 1.20 2010-03-10 18:56:49 bfriesen Exp $ */
+/* $Id: tif_packbits.c,v 1.21 2012-06-20 05:22:52 fwarmerdam Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -252,7 +252,13 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
(unsigned long) ((tmsize_t)n - occ + 1));
n = (long)occ - 1;
}
- _TIFFmemcpy(op, bp, ++n); /* TODO: may be reading past input buffer here when input data is corrupt or ends prematurely */
+ if (cc < (tmsize_t) (n+1))
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Terminating PackBitsDecode due to lack of data.");
+ break;
+ }
+ _TIFFmemcpy(op, bp, ++n);
op += n; occ -= n;
bp += n; cc -= n;
}
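Review bot: The new `cc < (tmsize_t) (n+1)` guard covers only the literal-copy `_TIFFmemcpy` in this hunk, and the diffstat for tif_packbits.c (10 changed lines, all accounted for by the two hunks shown) means no other read from `bp` in the decode loop was touched. The loop's other branch lies outside the hunk, so this is inferred, but if it fetches a byte from `bp` after the count byte without first testing `cc`, it needs the same check before truncated input is fully handled. On the `break` path the remaining `occ` output bytes are left unwritten, so it is worth confirming that the code after the loop reports failure rather than letting a caller consume a partially filled row. A short comment on the guard would also help the next reader, e.g. `/* a literal run needs n+1 source bytes; cc is what remains after the count byte */`.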