cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fax3PreDecode(): reset curruns and refruns state variables

Browse Source 
to avoid out-of-bounds write triggered by GDAL when repeatedly
reading a corrupt strip.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25493
This commit is contained in:
Even Rouault 2020-09-07 23:51:21 +02:00
parent 1373f8dacb
commit 7b840002c1
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libtiff/tif_fax3.c
View File

@ -161,7 +161,9 @@ Fax3PreDecode(TIFF* tif, uint16 s)
*/ */
sp->bitmap = sp->bitmap =
TIFFGetBitRevTable(tif->tif_dir.td_fillorder != FILLORDER_LSB2MSB); TIFFGetBitRevTable(tif->tif_dir.td_fillorder != FILLORDER_LSB2MSB);
sp->curruns = sp->runs;
if (sp->refruns) { /* init reference line to white */ if (sp->refruns) { /* init reference line to white */
sp->refruns = sp->runs + sp->nruns;
sp->refruns[0] = (uint32) sp->b.rowpixels; sp->refruns[0] = (uint32) sp->b.rowpixels;
sp->refruns[1] = 0; sp->refruns[1] = 0;
} }