-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
da886bd
commit fc0ce8a
Showing
2 changed files
with
59 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| --- a/tools/gif2tiff.c | ||
| +++ b/tools/gif2tiff.c | ||
| @@ -350,7 +350,7 @@ readextension(void) | ||
| int status = 1; | ||
|
|
||
| (void) getc(infile); | ||
| - while ((count = getc(infile)) && count <= 255) | ||
| + while ((count = getc(infile)) && count <= 255 && count >=0 ) | ||
| { | ||
| assert(count >= 0); | ||
| if (fread(buf, 1, count, infile) != (size_t) count) { | ||
| fprintf(stderr, "short read from file %s (%s)\n", | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| diff --git a/ChangeLog b/ChangeLog | ||
| index 1b0e5996..dee18813 100644 | ||
| --- a/ChangeLog | ||
| +++ b/ChangeLog | ||
| @@ -1,3 +1,8 @@ | ||
| +2016-06-28 Even Rouault <even.rouault at spatialys.com> | ||
| + | ||
| + * libtiff/tif_pixarlog.c: fix potential buffer write overrun in | ||
| + PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson) | ||
| + | ||
| 2016-06-15 Bob Friesenhahn <[email protected]> | ||
|
|
||
| * libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64 | ||
| diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c | ||
| index 06e8af39..cc486c54 100644 | ||
| --- a/libtiff/tif_pixarlog.c | ||
| +++ b/libtiff/tif_pixarlog.c | ||
| @@ -459,6 +459,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op, | ||
| typedef struct { | ||
| TIFFPredictorState predict; | ||
| z_stream stream; | ||
| + tmsize_t tbuf_size; /* only set/used on reading for now */ | ||
| uint16 *tbuf; | ||
| uint16 stride; | ||
| int state; | ||
| @@ -694,6 +695,7 @@ PixarLogSetupDecode(TIFF* tif) | ||
| sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); | ||
| if (sp->tbuf == NULL) | ||
| return (0); | ||
| + sp->tbuf_size = tbuf_size; | ||
| if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) | ||
| sp->user_datafmt = PixarLogGuessDataFmt(td); | ||
| if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { | ||
| @@ -783,6 +785,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) | ||
| TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); | ||
| return (0); | ||
| } | ||
| + /* Check that we will not fill more than what was allocated */ | ||
| + if (sp->stream.avail_out > sp->tbuf_size) | ||
| + { | ||
| + TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); | ||
| + return (0); | ||
| + } | ||
| do { | ||
| int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); | ||
| if (state == Z_STREAM_END) { |