From 2e822691d750c01cec5b5cc4ee73567a204ab2a3 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Mon, 26 Oct 2020 11:32:42 +0100
Subject: [PATCH] TIFFStartStrip(): avoid potential crash in WebP codec when using scanline access on corrupted files. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26650
---
 libtiff/tif_read.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 38869385..c4c868b1 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -1445,8 +1445,16 @@ TIFFStartStrip(TIFF* tif, uint32 strip)
 else
 tif->tif_rawcc = (tmsize_t)TIFFGetStrileByteCount(tif, strip);
 }
- return ((*tif->tif_predecode)(tif,
- (uint16)(strip / td->td_stripsperimage)));
+ if ((*tif->tif_predecode)(tif,
+ (uint16)(strip / td->td_stripsperimage)) == 0 ) {
+ /* Needed for example for scanline access, if tif_predecode */
+ /* fails, and we try to read the same strip again. Without invalidating */
+ /* tif_curstrip, we'd call tif_decoderow() on a possibly invalid */
+ /* codec state. */
+ tif->tif_curstrip = NOSTRIP;
+ return 0;
+ }
+ return 1;
 }
 
 /*
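Review bot: The tile path does not get the same treatment: if TIFFStartTile still returns the `tif_predecode` result directly (it is outside this hunk, so I cannot confirm), a failed predecode on a tiled file leaves tif_curtile pointing at a tile whose codec state was never set up, and a retry through the tile readers would reach tif_decodetile exactly the way the new comment describes for tif_decoderow. The matching guard there would be `tif->tif_curtile = NOTILE; return 0;` in place of the direct return. It would also help a later reader if the comment named where tif_curstrip is assigned, since that assignment is earlier in TIFFStartStrip and outside this hunk. Separately, `== 0 )` has a stray space before the closing parenthesis.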