* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference

NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.
Even Rouault 2016-11-16 15:14:15 +00:00
parent 5936de5bae
commit 6d055b4f99
2 changed files with 12 additions and 3 deletions


@ -1,3 +1,12 @@
2016-11-16 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.
2016-11-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2016-11-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned


@ -1,4 +1,4 @@
/* $Id: tif_dirread.c,v 1.203 2016-11-11 20:22:01 erouault Exp $ */ /* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
/* /*
* Copyright (c) 1988-1997 Sam Leffler * Copyright (c) 1988-1997 Sam Leffler
@ -5000,7 +5000,7 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
if (err==TIFFReadDirEntryErrOk) if (err==TIFFReadDirEntryErrOk)
{ {
int m; int m;
if( data[dp->tdir_count-1] != '\0' ) if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
{ {
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name); TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
data[dp->tdir_count-1] = '\0'; data[dp->tdir_count-1] = '\0';
@ -5177,7 +5177,7 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
if (err==TIFFReadDirEntryErrOk) if (err==TIFFReadDirEntryErrOk)
{ {
int m; int m;
if( data[dp->tdir_count-1] != '\0' ) if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
{ {
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name); TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
data[dp->tdir_count-1] = '\0'; data[dp->tdir_count-1] = '\0';
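Review bot: The added `dp->tdir_count > 0` test in both TIFFFetchNormalTag() hunks (-5000 and -5177) guards only the terminator check, so a 0-byte value, for which the commit message says `data` is NULL, still leaves this block as a NULL pointer with a count of 0. The code that consumes `data` after the `if` lies outside the hunks, so it should be confirmed that it accepts that pair without reading through the pointer. A short comment above the condition would record why the guard exists, e.g. `/* tdir_count == 0: data is NULL, nothing to terminate */`. A regression test that reads a zero-length ASCII tag would keep this fix and the earlier CVE-2016-9297 change from undoing each other.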