From 9febb7599a65eb38a2ef21083f40f220dd34690d Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 26 Sep 2020 23:02:19 +0200
Subject: [PATCH] tif_fax3.h: extra buffer overflow checks.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25934
---
 libtiff/tif_fax3.h | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/libtiff/tif_fax3.h b/libtiff/tif_fax3.h
index 9d765b6b..61e9522a 100644
--- a/libtiff/tif_fax3.h
+++ b/libtiff/tif_fax3.h
@@ -382,6 +382,11 @@ done1d: \
 */
 #define CHECK_b1 do { \
 if (pa != thisrun) while (b1 <= a0 && b1 < lastx) { \
+ if( pb + 1 >= sp->refruns + sp->nruns) { \
+ TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
+ sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
+ return (-1); \
+ } \
 b1 += pb[0] + pb[1]; \
 pb += 2; \
 } \
@@ -401,6 +406,11 @@ done1d: \
 switch (TabEnt->State) { \
 case S_Pass: \
 CHECK_b1; \
+ if( pb + 1 >= sp->refruns + sp->nruns) { \
+ TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
+ sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
+ return (-1); \
+ } \
 b1 += *pb++; \
 RunLength += b1 - a0; \
 a0 = b1; \
@@ -479,11 +489,21 @@ done1d: \
 case S_V0: \
 CHECK_b1; \
 SETVALUE(b1 - a0); \
+ if( pb >= sp->refruns + sp->nruns) { \
+ TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
+ sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
+ return (-1); \
+ } \
 b1 += *pb++; \
 break; \
 case S_VR: \
 CHECK_b1; \
 SETVALUE(b1 - a0 + TabEnt->Param); \
+ if( pb >= sp->refruns + sp->nruns) { \
+ TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
+ sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
+ return (-1); \
+ } \
 b1 += *pb++; \
 break; \
 case S_VL: \
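Review bot: The five-line bounds check added inside CHECK_b1 (the `if( pb + 1 >= sp->refruns + sp->nruns)` block with its TIFFErrorExt call and `return (-1)`) is pasted verbatim three more times in the S_Pass, S_V0 and S_VR hunks, differing only in the `+ 1`; four copies of the same error message and exit path are four places to drift the next time the wording or the return convention changes. Factoring it into one helper macro that takes the highest index about to be read relative to `pb` keeps the check, the message and the early return in a single definition, and makes the intended bound at each call site explicit. The `return (-1)` also leaves the decoder through a macro, which is easy to miss when reading the expanding function; if the rest of EXPAND2D exits through labels (eof2d/eol2d, outside this hunk, so unverified here), routing the new failure through the same path would be more consistent with the surrounding code. CHECK_b1 itself continues past the end of the hunk.
```c
/* Fail the decode if pb[LAST] would lie past the end of the reference-line
 * run array sp->refruns[0 .. sp->nruns). */
#define CHECK_REFRUNS(LAST) do { \
    if (pb + (LAST) >= sp->refruns + sp->nruns) { \
	TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
	    sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
	return (-1); \
    } \
} while (0)

#define CHECK_b1 do { \
    if (pa != thisrun) while (b1 <= a0 && b1 < lastx) { \
	CHECK_REFRUNS(1); \
	b1 += pb[0] + pb[1]; \
	pb += 2; \
    } \
/* … unchanged: remainder of CHECK_b1 … */
```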
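Review bot: The check added in the S_Pass case tests `pb + 1 >= sp->refruns + sp->nruns`, but the statement it guards, `b1 += *pb++;`, reads only `pb[0]`; the S_V0 and S_VR hunks guard the identical read with `pb >= sp->refruns + sp->nruns`. As written, S_Pass rejects a reference line whose final run is still readable, so the two forms are not equivalent. If the stricter bound is deliberate (pass mode consuming one run of a pair, with the following read expected to happen), a one-line comment such as `/* pass consumes one run; the next run must also exist */` above the check would keep a later reader from "harmonising" it away; otherwise `if( pb >= sp->refruns + sp->nruns) { \` makes the three sites consistent. The switch and the enclosing EXPAND2D macro continue outside the hunk.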
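Review bot: The checks added to S_V0 and S_VR bound `pb` only against the end of `sp->refruns`, and the hunk stops at `case S_VL: \` with that case's body out of view. The vertical-left modes advance `b1` in the opposite direction and, if they do so by stepping `pb` backwards (presumably `*--pb` — verify in the file), the new upper-bound checks give them no protection and a low-end guard of the form `if( pb <= sp->refruns ) { ... return (-1); }` before the decrement would be needed to close the same class of out-of-bounds read. Worth confirming against the fuzzer input before treating the issue as fully fixed. The switch and the enclosing EXPAND2D macro continue outside the hunk.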