cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ByteCountLooksBad and EstimateStripByteCounts: avoid unsigned integer overflows. Fixes https://oss-fuzz.com/testcase-detail/5686156066291712 and https://oss-fuzz.com/testcase-detail/6332499206078464

Browse Source
This commit is contained in:
Even Rouault 2019-09-03 20:15:41 +02:00
parent 6de57f7e0f
commit 3519ab6c7f
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
libtiff/tif_dirread.c
View File

@ -3551,9 +3551,17 @@ static int ByteCountLooksBad(TIFF* tif)
filesize = TIFFGetFileSize(tif);
if( offset <= filesize && bytecount > filesize - offset )
return 1;
if( tif->tif_mode == O_RDONLY &&
bytecount < TIFFScanlineSize64(tif) * tif->tif_dir.td_imagelength)
return 1;
if( tif->tif_mode == O_RDONLY )
{
uint64 scanlinesize = TIFFScanlineSize64(tif);
if( tif->tif_dir.td_imagelength > 0 &&
scanlinesize > TIFF_UINT64_MAX / tif->tif_dir.td_imagelength )
{
return 1;
}
if( bytecount < scanlinesize * tif->tif_dir.td_imagelength)
return 1;
}
return 0;
}
@ -4573,6 +4581,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
* of data in the strip and trim this number back accordingly.
*/
strip--;
if (td->td_stripoffset_p[strip] > TIFF_UINT64_MAX - td->td_stripbytecount_p[strip])
return -1;
if (td->td_stripoffset_p[strip]+td->td_stripbytecount_p[strip] > filesize) {
if( td->td_stripoffset_p[strip] >= filesize ) {
/* Not sure what we should in that case... */