diff options
author | erouault <erouault> | 2017-07-11 21:38:04 +0000 |
---|---|---|
committer | erouault <erouault> | 2017-07-11 21:38:04 +0000 |
commit | c907c9aaaf37b171245e759cf69023ad911864ef (patch) | |
tree | 1b28ef0c794dc9bc4099b2555b5cfd943307124e | |
parent | 9b06b7337760a212e21a805a25ab4ff9fa6ad39e (diff) | |
download | libtiff-c907c9aaaf37b171245e759cf69023ad911864ef.tar.gz |
* libtiff/tif_dir.c: avoid potential null pointer dereference in
_TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | libtiff/tif_dir.c | 4 |
2 files changed, 9 insertions, 1 deletions
@@ -1,5 +1,11 @@ 2017-07-11 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_dir.c: avoid potential null pointer dereference in + _TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713 + +2017-07-11 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW strips. Crashing issue only on memory mapped files, where the strip offset is the last byte of the file, and the file size is a multiple diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c index a8839491..f00f8080 100644 --- a/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c @@ -1,4 +1,4 @@ -/* $Id: tif_dir.c,v 1.130 2017-05-17 21:54:05 erouault Exp $ */ +/* $Id: tif_dir.c,v 1.131 2017-07-11 21:38:04 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -872,6 +872,8 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) TIFFTagValue *tv = td->td_customValues + i; if (tv->info->field_tag != tag) continue; + if( tv->value == NULL ) + return 0; val = *(uint16 *)tv->value; /* Truncate to SamplesPerPixel, since the */ /* setting code for INKNAMES assume that there are SamplesPerPixel */ |