* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd

tile width vs image width. Reported as MSVR 35103 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:54:56 +00:00 · 2016-10-08 15:54:56 +00:00 · 6f13bf391a
commit 6f13bf391a
parent 7399a6f13b
2 changed files with 10 additions and 3 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2016-10-08 Even Rouault <even.rouault at spatialys.com>
+
+	* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
+	tile width vs image width. Reported as MSVR 35103
+	by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
+	Mitigations team.
+
 2016-10-08 Even Rouault <even.rouault at spatialys.com>

 	* tools/tiff2pdf.c: fix read -largely- outsize of buffer in
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.54 2016-10-08 15:04:31 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */

 /*
 * Copyright (c) 1988-1997 Sam Leffler
@ -1338,7 +1338,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
 		uint32 colb = 0;
 		uint32 col;

-		for (col = 0; col < imagewidth; col += tw) {
+		for (col = 0; col < imagewidth && colb < imagew; col += tw) {
 			if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
 			    && !ignore) {
 				TIFFError(TIFFFileName(in),
@ -1523,7 +1523,7 @@ DECLAREwriteFunc(writeBufferToContigTiles)
 		uint32 colb = 0;
 		uint32 col;

-		for (col = 0; col < imagewidth; col += tw) {
+		for (col = 0; col < imagewidth && colb < imagew; col += tw) {
 			/*
 			 * Tile is clipped horizontally.  Calculate
 			 * visible portion and skewing factors.