* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 Credit to OSS-Fuzz
2017-05-14 02:26:07 +00:00 · 2017-05-14 02:26:07 +00:00 · 8d4e459102
commit 8d4e459102
parent 99e8fb373e
2 changed files with 13 additions and 1 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2017-05-14 Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
+	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
+	Credit to OSS-Fuzz
+
 2017-05-13 Even Rouault <even.rouault at spatialys.com>

 	* libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
--- a/libtiff/tif_packbits.c
+++ b/libtiff/tif_packbits.c
@ -1,4 +1,4 @@
-/* $Id: tif_packbits.c,v 1.25 2017-01-11 20:33:35 erouault Exp $ */
+/* $Id: tif_packbits.c,v 1.26 2017-05-14 02:26:07 erouault Exp $ */

 /*
 * Copyright (c) 1988-1997 Sam Leffler
@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 				    (unsigned long) ((tmsize_t)n - occ));
 				n = (long)occ;
 			}
+			if( cc == 0 )
+			{
+				TIFFWarningExt(tif->tif_clientdata, module,
+					       "Terminating PackBitsDecode due to lack of data.");
+				break;
+			}
 			occ -= n;
 			b = *bp++;
 			cc--;