cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tif_fax3.h: extra buffer overflow checks. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25934

Browse Source
This commit is contained in:
Even Rouault 2020-09-26 23:02:19 +02:00
parent c8f0a16f4a
commit 9febb7599a
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
libtiff/tif_fax3.h
View File

@ -382,6 +382,11 @@ done1d: \
*/ */
#define CHECK_b1 do { \ #define CHECK_b1 do { \
if (pa != thisrun) while (b1 <= a0 && b1 < lastx) { \ if (pa != thisrun) while (b1 <= a0 && b1 < lastx) { \
if( pb + 1 >= sp->refruns + sp->nruns) { \
TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
return (-1); \
} \
b1 += pb[0] + pb[1]; \ b1 += pb[0] + pb[1]; \
pb += 2; \ pb += 2; \
} \ } \
@ -401,6 +406,11 @@ done1d: \
switch (TabEnt->State) { \ switch (TabEnt->State) { \
case S_Pass: \ case S_Pass: \
CHECK_b1; \ CHECK_b1; \
if( pb + 1 >= sp->refruns + sp->nruns) { \
TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
return (-1); \
} \
b1 += *pb++; \ b1 += *pb++; \
RunLength += b1 - a0; \ RunLength += b1 - a0; \
a0 = b1; \ a0 = b1; \
@ -479,11 +489,21 @@ done1d: \
case S_V0: \ case S_V0: \
CHECK_b1; \ CHECK_b1; \
SETVALUE(b1 - a0); \ SETVALUE(b1 - a0); \
if( pb >= sp->refruns + sp->nruns) { \
TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
return (-1); \
} \
b1 += *pb++; \ b1 += *pb++; \
break; \ break; \
case S_VR: \ case S_VR: \
CHECK_b1; \ CHECK_b1; \
SETVALUE(b1 - a0 + TabEnt->Param); \ SETVALUE(b1 - a0 + TabEnt->Param); \
if( pb >= sp->refruns + sp->nruns) { \
TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
return (-1); \
} \
b1 += *pb++; \ b1 += *pb++; \
break; \ break; \
case S_VL: \ case S_VL: \