cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'issue-174' into 'master'

Browse Source 
tif_fax3.c: check buffer overflow in Fax4Decode()

Closes #174

See merge request libtiff/libtiff!108
This commit is contained in:
Even Rouault 2020-02-29 11:35:15 +00:00
commit d04e3d26c5
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libtiff/tif_fax3.c
View File

@ -1453,6 +1453,13 @@ Fax4Decode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
EXPAND2D(EOFG4); EXPAND2D(EOFG4);
if (EOLcnt) if (EOLcnt)
goto EOFG4; goto EOFG4;
if (((lastx + 7) >> 3) > (int)occ) /* check for buffer overrun */
{
TIFFErrorExt(tif->tif_clientdata, module,
"Buffer overrun detected : %d bytes available, %d bits needed",
(int)occ, lastx);
return -1;
}
(*sp->fill)(buf, thisrun, pa, lastx); (*sp->fill)(buf, thisrun, pa, lastx);
SETVALUE(0); /* imaginary change for reference */ SETVALUE(0); /* imaginary change for reference */
SWAP(uint32*, sp->curruns, sp->refruns); SWAP(uint32*, sp->curruns, sp->refruns);
@ -1468,6 +1475,13 @@ Fax4Decode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
fputs( "Bad EOFB\n", stderr ); fputs( "Bad EOFB\n", stderr );
#endif #endif
ClrBits( 13 ); ClrBits( 13 );
if (((lastx + 7) >> 3) > (int)occ) /* check for buffer overrun */
{
TIFFErrorExt(tif->tif_clientdata, module,
"Buffer overrun detected : %d bytes available, %d bits needed",
(int)occ, lastx);
return -1;
}
(*sp->fill)(buf, thisrun, pa, lastx); (*sp->fill)(buf, thisrun, pa, lastx);
UNCACHE_STATE(tif, sp); UNCACHE_STATE(tif, sp);
return ( sp->line ? 1 : -1); /* don't error on badly-terminated strips */ return ( sp->line ? 1 : -1); /* don't error on badly-terminated strips */