Skip to content
Permalink
Browse files Browse the repository at this point in the history
Internal libtiff: fix integer overflow potentially causing write heap…
… buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
  • Loading branch information
rouault committed Aug 15, 2019
1 parent e63e2ed commit 2167403
Showing 1 changed file with 20 additions and 6 deletions.
26 changes: 20 additions & 6 deletions gdal/frmts/gtiff/libtiff/tif_getimage.c
Expand Up @@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
fromskew = (w < imagewidth ? imagewidth - w : 0);
for (row = 0; row < h; row += nrow)
{
uint32 temp;
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
nrow = (row + rowstoread > h ? h - row : rowstoread);
nrowsub = nrow;
if ((nrowsub%subsamplingver)!=0)
nrowsub+=subsamplingver-nrowsub%subsamplingver;
temp = (row + img->row_offset)%rowsperstrip + nrowsub;
if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
{
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
return 0;
}
if (_TIFFReadEncodedStripAndAllocBuffer(tif,
TIFFComputeStrip(tif,row+img->row_offset, 0),
(void**)(&buf),
maxstripsize,
((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
temp * scanline)==(tmsize_t)(-1)
&& (buf == NULL || img->stoponerr))
{
ret = 0;
Expand Down Expand Up @@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
fromskew = (w < imagewidth ? imagewidth - w : 0);
for (row = 0; row < h; row += nrow)
{
uint32 temp;
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
nrow = (row + rowstoread > h ? h - row : rowstoread);
offset_row = row + img->row_offset;
temp = (row + img->row_offset)%rowsperstrip + nrow;
if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
{
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
return 0;
}
if( buf == NULL )
{
if (_TIFFReadEncodedStripAndAllocBuffer(
tif, TIFFComputeStrip(tif, offset_row, 0),
(void**) &buf, bufsize,
((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
temp * scanline)==(tmsize_t)(-1)
&& (buf == NULL || img->stoponerr))
{
ret = 0;
Expand All @@ -1079,23 +1093,23 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
}
}
else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
p0, temp * scanline)==(tmsize_t)(-1)
&& img->stoponerr)
{
ret = 0;
break;
}
if (colorchannels > 1
&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
p1, temp * scanline) == (tmsize_t)(-1)
&& img->stoponerr)
{
ret = 0;
break;
}
if (colorchannels > 1
&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
p2, temp * scanline) == (tmsize_t)(-1)
&& img->stoponerr)
{
ret = 0;
Expand All @@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
if (alpha)
{
if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
pa, temp * scanline)==(tmsize_t)(-1)
&& img->stoponerr)
{
ret = 0;
Expand Down

0 comments on commit 2167403

Please sign in to comment.