cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905

Browse Source 
The fix consists in using the similar code LZWDecode() to validate we
don't write outside of the output buffer.
This commit is contained in:
Even Rouault 2018-05-12 15:32:31 +02:00
parent b68fc85f39
commit 58a898cb44
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
libtiff/tif_lzw.c
View File

@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
char *tp; char *tp;
unsigned char *bp; unsigned char *bp;
int code, nbits; int code, nbits;
int len;
long nextbits, nextdata, nbitsmask; long nextbits, nextdata, nbitsmask;
code_t *codep, *free_entp, *maxcodep, *oldcodep; code_t *codep, *free_entp, *maxcodep, *oldcodep;
@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
} while (--occ); } while (--occ);
break; break;
} }
assert(occ >= codep->length); len = codep->length;
op += codep->length; tp = op + len;
occ -= codep->length;
tp = op;
do { do {
*--tp = codep->value; int t;
} while( (codep = codep->next) != NULL ); --tp;
t = codep->value;
codep = codep->next;
*tp = (char)t;
} while (codep && tp > op);
assert(occ >= len);
op += len;
occ -= len;
} else { } else {
*op++ = (char)code; *op++ = (char)code;
occ--; occ--;