* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are 0-byte arrays. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced by previous fix done on 2016-11-11 for CVE-2016-9297). Reported by Henri Salo.
This commit is contained in:
parent
5936de5bae
commit
6d055b4f99
@ -1,3 +1,12 @@
|
|||||||
|
2016-11-16 Even Rouault <even.rouault at spatialys.com>
|
||||||
|
|
||||||
|
* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
|
||||||
|
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
|
||||||
|
access are 0-byte arrays.
|
||||||
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
|
||||||
|
by previous fix done on 2016-11-11 for CVE-2016-9297).
|
||||||
|
Reported by Henri Salo.
|
||||||
|
|
||||||
2016-11-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
2016-11-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||||
|
|
||||||
* tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
|
* tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $Id: tif_dirread.c,v 1.203 2016-11-11 20:22:01 erouault Exp $ */
|
/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1988-1997 Sam Leffler
|
* Copyright (c) 1988-1997 Sam Leffler
|
||||||
@ -5000,7 +5000,7 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
|
|||||||
if (err==TIFFReadDirEntryErrOk)
|
if (err==TIFFReadDirEntryErrOk)
|
||||||
{
|
{
|
||||||
int m;
|
int m;
|
||||||
if( data[dp->tdir_count-1] != '\0' )
|
if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
|
||||||
{
|
{
|
||||||
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
|
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
|
||||||
data[dp->tdir_count-1] = '\0';
|
data[dp->tdir_count-1] = '\0';
|
||||||
@ -5177,7 +5177,7 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
|
|||||||
if (err==TIFFReadDirEntryErrOk)
|
if (err==TIFFReadDirEntryErrOk)
|
||||||
{
|
{
|
||||||
int m;
|
int m;
|
||||||
if( data[dp->tdir_count-1] != '\0' )
|
if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
|
||||||
{
|
{
|
||||||
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
|
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
|
||||||
data[dp->tdir_count-1] = '\0';
|
data[dp->tdir_count-1] = '\0';
|
||||||
|
Loading…
Reference in New Issue
Block a user