diff options
| author | erouault <erouault> | 2017-05-13 15:34:06 +0000 |
|---|---|---|
| committer | erouault <erouault> | 2017-05-13 15:34:06 +0000 |
| commit | 5b62bf5bae336ef5b95de17df683bd617351e2c2 (patch) | |
| tree | ae99c8c1861e5a318e7b8a838261d5b43d174c19 | |
| parent | 3116b55389fa734dbdf0b4821c45b6bd6570cba7 (diff) | |
| download | libtiff-5b62bf5bae336ef5b95de17df683bd617351e2c2.tar.gz | |
* libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
Credit to OSS-Fuzz
| -rw-r--r-- | ChangeLog | 9 | ||||
| -rw-r--r-- | libtiff/tif_read.c | 10 |
2 files changed, 17 insertions, 2 deletions
@@ -1,3 +1,12 @@ +2017-05-13 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT + mode with tif_rawdataloaded when calling TIFFStartStrip() or + TIFFFillStripPartial(). This avoids reading beyond tif_rawdata + when bytecount > tif_rawdatasize. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545. + Credit to OSS-Fuzz + 2017-05-12 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_read.c: TIFFFillStripPartial(): diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c index 34163f56..cc4f5d2f 100644 --- a/libtiff/tif_read.c +++ b/libtiff/tif_read.c @@ -1,4 +1,4 @@ -/* $Id: tif_read.c,v 1.58 2017-05-12 21:12:24 erouault Exp $ */ +/* $Id: tif_read.c,v 1.59 2017-05-13 15:34:06 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -277,7 +277,10 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) if( restart ) return TIFFStartStrip(tif, strip); else + { + tif->tif_rawcc = tif->tif_rawdataloaded; return 1; + } } /* @@ -1260,7 +1263,10 @@ TIFFStartStrip(TIFF* tif, uint32 strip) else { tif->tif_rawcp = tif->tif_rawdata; - tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip]; + if( tif->tif_rawdataloaded > 0 ) + tif->tif_rawcc = tif->tif_rawdataloaded; + else + tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip]; } return ((*tif->tif_predecode)(tif, (uint16)(strip / td->td_stripsperimage))); |