* libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW

strips. Crashing issue only on memory mapped files, where the strip
offset is the last byte of the file, and the file size is a multiple
of one page size on the CPU architecture (typically 4096). Credit
to myself :-)

2 files changed, 11 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 4b139085..992dfe97 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2017-07-11  Even Rouault <even.rouault at spatialys.com>
 
+	* libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW
+	strips. Crashing issue only on memory mapped files, where the strip
+	offset is the last byte of the file, and the file size is a multiple
+	of one page size on the CPU architecture (typically 4096). Credit
+	to myself :-)
+
+2017-07-11  Even Rouault <even.rouault at spatialys.com>
+
 	* test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: new files
 	to test old-style LZW decompression
 	* test/common.sh, Makefile.am, CMakeList.txt: updated with above
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 118ac696..bc8f9c84 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -1,4 +1,4 @@
-/* $Id: tif_lzw.c,v 1.56 2017-07-11 08:55:07 erouault Exp $ */
+/* $Id: tif_lzw.c,v 1.57 2017-07-11 10:54:29 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -275,7 +275,8 @@ LZWPreDecode(TIFF* tif, uint16 s)
 	/*
 	 * Check for old bit-reversed codes.
 	 */
-	if (tif->tif_rawdata[0] == 0 && (tif->tif_rawdata[1] & 0x1)) {
+	if (tif->tif_rawcc >= 2 &&
+	    tif->tif_rawdata[0] == 0 && (tif->tif_rawdata[1] & 0x1)) {
 #ifdef LZW_COMPAT
 		if (!sp->dec_decode) {
 			TIFFWarningExt(tif->tif_clientdata, module,