author | erouault <erouault> | 2016-10-14 19:13:20 +0000 |
---|---|---|
committer | erouault <erouault> | 2016-10-14 19:13:20 +0000 |
commit | 1b881bd2631e28377d379f7ebe654c15e2352c28 (patch) | |
tree | d95748a0ad7980db006de9ccddb4aba1a453310c /tools | |
parent | 782d1be02d4cdf5986e0be992715be7d59b150d9 (diff) | |
download | libtiff-1b881bd2631e28377d379f7ebe654c15e2352c28.tar.gz |
* tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
Diffstat (limited to 'tools')
-rw-r--r-- | tools/tiffcrop.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 865e2ec2..b18728ae 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.41 2016-10-08 15:04:31 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.42 2016-10-14 19:13:20 erouault Exp $ */
 /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
 * the image data through additional options listed below
@@ -819,9 +819,18 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
 }
 }
- tilebuf = _TIFFmalloc(tile_buffsize);
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if( tile_buffsize > 0xFFFFFFFFU - 3 )
+ {
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(-1);
+ }
+ tilebuf = _TIFFmalloc(tile_buffsize + 3);
 if (tilebuf == 0) return 0;
+ tilebuf[tile_buffsize] = 0;
+ tilebuf[tile_buffsize+1] = 0;
+ tilebuf[tile_buffsize+2] = 0;
 dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;
 for (row = 0; row < imagelength; row += tl) |
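Review bot: The guard `if( tile_buffsize > 0xFFFFFFFFU - 3 )` in the second hunk compares against a fixed 32-bit unsigned limit rather than the maximum of `tile_buffsize`'s own type, whose declaration is outside the hunk. If that type is signed (to be confirmed against the declaration), a 32-bit build can never satisfy the condition, so `tile_buffsize + 3` could still overflow before it reaches `_TIFFmalloc`. Deriving the bound from the declared type, for a signed type along the lines of `if (tile_buffsize < 0 || tile_buffsize > TYPE_MAX_PLACEHOLDER - 3)` where the placeholder stands for that type's maximum, would make the check hold on every build. Separately, the new branch calls `exit(-1)` while the allocation failure just below it uses `return 0;`; returning 0 here too would keep one failure path and leave cleanup to the caller. The body of readContigTilesIntoBuffer starts and ends outside the hunk.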