diff options
author | erouault <erouault> | 2016-07-11 21:26:03 +0000 |
---|---|---|
committer | erouault <erouault> | 2016-07-11 21:26:03 +0000 |
commit | 33b8d330d98c90ee566b444e20ef496aadff26e9 (patch) | |
tree | 54b2bc98dc3c71f7103ce99c333b32162fab850e /tools | |
parent | 039c920a8c575631b6d6113a3d709ebd0ea8a0d4 (diff) | |
download | libtiff-33b8d330d98c90ee566b444e20ef496aadff26e9.tar.gz |
* tools/tiffcrop.c: Avoid access outside of stack allocated array
on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
(CVE-2016-5321, bugzilla #2558)
Diffstat (limited to 'tools')
-rw-r--r-- | tools/tiffcrop.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index b5a49cc2..0bbaaddb 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -1,4 +1,4 @@ -/* $Id: tiffcrop.c,v 1.35 2015-08-19 02:31:04 bfriesen Exp $ */ +/* $Id: tiffcrop.c,v 1.36 2016-07-11 21:26:03 erouault Exp $ */ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of * the image data through additional options listed below @@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf, nrow = (row + tl > imagelength) ? imagelength - row : tl; for (col = 0; col < imagewidth; col += tw) { - for (s = 0; s < spp; s++) + for (s = 0; s < spp && s < MAX_SAMPLES; s++) { /* Read each plane of a tile set into srcbuffs[s] */ tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s); if (tbytes < 0 && !ignore) |