_TIFFPartialReadStripArray(): avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16685

Even Rouault 2019-08-24 00:37:17 +02:00
parent 7db298e3a8
commit 804f40f3bf
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D


@ -6033,6 +6033,14 @@ int _TIFFPartialReadStripArray( TIFF* tif, TIFFDirEntry* dirent,
TIFFSwabLong(&offset); TIFFSwabLong(&offset);
nBaseOffset = offset; nBaseOffset = offset;
} }
/* To avoid later unsigned integer overflows */
if( nBaseOffset > (uint64)TIFF_INT64_MAX )
{
TIFFErrorExt(tif->tif_clientdata, module,
"Cannot read offset/size for strile %d", strile);
panVals[strile] = 0;
return 0;
}
nOffset = nBaseOffset + sizeofval * strile; nOffset = nBaseOffset + sizeofval * strile;
nOffsetStartPage = nOffsetStartPage =
(nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE; (nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE;
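Review bot: The added guard bounds only `nBaseOffset`, while the sum on the following line, `nBaseOffset + sizeofval * strile`, still has no range check of its own, so the fix depends on the product staying small. The declarations of `sizeofval` and `strile` are outside the hunk; if neither is 64 bits wide, the multiplication is done in the narrower type before being added to the 64-bit base, which may matter on 32-bit builds. I would widen one operand explicitly, `nOffset = nBaseOffset + (uint64)sizeofval * strile;`, and have the comment state the invariant, e.g. `/* Reject base offsets above TIFF_INT64_MAX so that adding sizeofval * strile and the page rounding below cannot wrap */`. The error text is also generic, so a message saying that the array offset is out of range would make this rejection easier to tell apart in logs. The body of `_TIFFPartialReadStripArray` starts and continues outside the hunk.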