From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sat, 12 May 2018 15:32:31 +0200 Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 The fix consists in using the similar code LZWDecode() to validate we don't write outside of the output buffer. --- libtiff/tif_lzw.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c index 4ccb443c..94d85e38 100644 --- a/libtiff/tif_lzw.c +++ b/libtiff/tif_lzw.c @@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) char *tp; unsigned char *bp; int code, nbits; + int len; long nextbits, nextdata, nbitsmask; code_t *codep, *free_entp, *maxcodep, *oldcodep; @@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) } while (--occ); break; } - assert(occ >= codep->length); - op += codep->length; - occ -= codep->length; - tp = op; + len = codep->length; + tp = op + len; do { - *--tp = codep->value; - } while( (codep = codep->next) != NULL ); + int t; + --tp; + t = codep->value; + codep = codep->next; + *tp = (char)t; + } while (codep && tp > op); + assert(occ >= len); + op += len; + occ -= len; } else { *op++ = (char)code; occ--;