Issue 23654 in oss-fuzz: Heap-buffer-overflow in pixReadFromTiffStream
  * Increase scanline buffer for reading gray+alpha and converting to RGBA
DanBloomberg committed Jun 23, 2020
1 parent ab66d05 commit 5ba34b1
Showing 2 changed files with 3 additions and 3 deletions.
4 changes: 2 additions & 2 deletions prog/dewarptest1.c
Expand Up @@ -52,6 +52,8 @@ PIX *pixs2, *pixn2, *pixg2, *pixb2, *pixd2;

setLeptDebugOK(1);
lept_mkdir("lept/model");
lept_rmdir("lept/dewmod");
lept_mkdir("lept/dewmod");

/* pixs = pixRead("1555.007.jpg"); */
pixs = pixRead("cat.035.jpg");
Expand Down Expand Up @@ -160,8 +162,6 @@ PIX *pixs2, *pixn2, *pixg2, *pixb2, *pixd2;
"/tmp/lept/dewarptest1.pdf");
lept_stderr("pdf file made: /tmp/lept/model/dewarptest1.pdf\n");

lept_rmdir("lept/dewmod");
lept_rmdir("lept/dewtest");
pixDestroy(&pixs);
pixDestroy(&pixn);
pixDestroy(&pixg);
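Review bot: The status message in the second hunk reports `/tmp/lept/model/dewarptest1.pdf`, but the string on the line before it is `/tmp/lept/dewarptest1.pdf`, which looks like the output-path argument of a call that starts outside the hunk. If that is the file actually written, the message should read `lept_stderr("pdf file made: /tmp/lept/dewarptest1.pdf\n");`. The page does not mark added and removed lines, but the hunk headers suggest the `lept/dewmod` reset moved to the start of the run and the end-of-run cleanup was dropped. A one-line comment beside the `lept_rmdir`/`lept_mkdir` pair, for example `/* start from an empty dir; results are left in place for inspection */`, would record that intent.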
2 changes: 1 addition & 1 deletion src/tiffio.c
Expand Up @@ -602,7 +602,7 @@ PIXCMAP *cmap;
} else if (spp == 2 && bps == 8) { /* gray plus alpha */
L_INFO("gray+alpha is not supported; converting to RGBA\n", procName);
pixSetSpp(pix, 4);
linebuf = (l_uint8 *)LEPT_CALLOC(tiffbpl + 1, sizeof(l_uint8));
linebuf = (l_uint8 *)LEPT_CALLOC(2 * tiffbpl + 1, sizeof(l_uint8));
pixdata = pixGetData(pix);
for (i = 0; i < h; i++) {
if (TIFFReadScanline(tif, linebuf, i, 0) < 0) {
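Review bot: The `2 * tiffbpl + 1` allocation enlarges `linebuf` with a bare multiplier, and nothing in the visible lines ties that size to the number of bytes `TIFFReadScanline` writes per call. A comment on the allocation such as `/* linebuf must hold at least TIFFScanlineSize(tif) bytes */` would record the invariant. Comparing that size against the allocation before the loop would turn any future mismatch into a read error rather than a heap write past the buffer. The `LEPT_CALLOC` result is also handed to `TIFFReadScanline` with no NULL test in the lines shown, so a failed allocation on a large, file-controlled size should free `pix` and return the function's error value first. The enclosing function starts and ends outside the hunk, so the origin and type of `tiffbpl` cannot be confirmed here; if it is a signed int derived from file fields, the doubling needs an overflow guard too.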

1 comment on commit 5ba34b1

@abergmann

CVE-2020-36280 was assigned to this commit.
