From 811d68846feaad751338a8d7fdd17d302baa192a Mon Sep 17 00:00:00 2001 From: erouault Date: Sun, 2 Jul 2017 14:13:39 +0000 Subject: * libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to tif_rawdataloaded when it is set. Similarly to TIFFStartStrip(). This issue was revealed by the change of 2017-06-30 in TIFFFileTile(), limiting the number of bytes read. But it could probably have been hit too in CHUNKY_STRIP_READ_SUPPORT mode previously ? Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454 Credit to OSS Fuzz --- ChangeLog | 10 ++++++++++ libtiff/tif_read.c | 7 +++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 62258ddb..9a0082aa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2017-07-02 Even Rouault + + * libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to + tif_rawdataloaded when it is set. Similarly to TIFFStartStrip(). + This issue was revealed by the change of 2017-06-30 in TIFFFileTile(), + limiting the number of bytes read. But it could probably have been hit + too in CHUNKY_STRIP_READ_SUPPORT mode previously ? + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454 + Credit to OSS Fuzz + 2017-06-30 Even Rouault * man: update documentation regarding SubIFD tag and diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c index 7e887d63..8153746d 100644 --- a/libtiff/tif_read.c +++ b/libtiff/tif_read.c @@ -1,4 +1,4 @@ -/* $Id: tif_read.c,v 1.62 2017-06-30 13:11:18 erouault Exp $ */ +/* $Id: tif_read.c,v 1.63 2017-07-02 14:13:39 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -1421,7 +1421,10 @@ TIFFStartTile(TIFF* tif, uint32 tile) else { tif->tif_rawcp = tif->tif_rawdata; - tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile]; + if( tif->tif_rawdataloaded > 0 ) + tif->tif_rawcc = tif->tif_rawdataloaded; + else + tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile]; } return ((*tif->tif_predecode)(tif, (uint16)(tile/td->td_stripsperimage))); -- cgit v1.2.1