
Commit 2167403

Internal libtiff: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
1 parent e63e2ed commit 2167403


1 file changed

+20
-6
lines changed


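--- a/gdal/frmts/gtiff/libtiff/tif_getimage.c
+++ b/gdal/frmts/gtiff/libtiff/tif_getimage.c
@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 fromskew = (w < imagewidth ? imagewidth - w : 0);
 for (row = 0; row < h; row += nrow)
 {
+uint32 temp;
 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
 nrow = (row + rowstoread > h ? h - row : rowstoread);
 nrowsub = nrow;
 if ((nrowsub%subsamplingver)!=0)
 nrowsub+=subsamplingver-nrowsub%subsamplingver;
+temp = (row + img->row_offset)%rowsperstrip + nrowsub;
+if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
+{
+TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
+return 0;
+}
 if (_TIFFReadEncodedStripAndAllocBuffer(tif,
 TIFFComputeStrip(tif,row+img->row_offset, 0),
 (void**)(&buf),
 maxstripsize,
-((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
+temp * scanline)==(tmsize_t)(-1)
 && (buf == NULL || img->stoponerr))
 {
 ret = 0;
@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 fromskew = (w < imagewidth ? imagewidth - w : 0);
 for (row = 0; row < h; row += nrow)
 {
+uint32 temp;
 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
 nrow = (row + rowstoread > h ? h - row : rowstoread);
 offset_row = row + img->row_offset;
+temp = (row + img->row_offset)%rowsperstrip + nrow;
+if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
+{
+TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
+return 0;
+}
 if( buf == NULL )
 {
 if (_TIFFReadEncodedStripAndAllocBuffer(
 tif, TIFFComputeStrip(tif, offset_row, 0),
 (void**) &buf, bufsize,
-((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+temp * scanline)==(tmsize_t)(-1)
 && (buf == NULL || img->stoponerr))
 {
 ret = 0;
@@ -1079,23 +1093,23 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 }
 }
 else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
-p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+p0, temp * scanline)==(tmsize_t)(-1)
 && img->stoponerr)
 {
 ret = 0;
 break;
 }
 if (colorchannels > 1
 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
-p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
+p1, temp * scanline) == (tmsize_t)(-1)
 && img->stoponerr)
 {
 ret = 0;
 break;
 }
 if (colorchannels > 1
 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
-p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
+p2, temp * scanline) == (tmsize_t)(-1)
 && img->stoponerr)
 {
 ret = 0;
@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 if (alpha)
 {
 if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
-pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+pa, temp * scanline)==(tmsize_t)(-1)
 && img->stoponerr)
 {
 ret = 0;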
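Review bot: The new overflow guard in gtStripContig (and the identical one in gtStripSeparate) exits with a bare `return 0;`, while every other error path visible in these hunks uses `ret = 0; break;` so that control reaches whatever follows the loop. Because `temp` depends on `row`, the guard can fire on a second or later iteration, after `_TIFFReadEncodedStripAndAllocBuffer` has already allocated `buf`; the direct return then skips the post-loop release of `buf` that the `break` path presumably reaches (the loop exit and cleanup lie outside the hunk, so this is inferred from the `ret` pattern). I would make both guards consistent with their neighbours: `ret = 0;` followed by `break;` in place of `return 0;`, which keeps the fix and avoids the leak on a malformed file. A minor readability point: `temp` carries the number of strip rows being read, and a name such as `rows_to_read_in_strip` would make the `temp * scanline` size computation self-explanatory. Note also that the check bounds only the multiplication; whether the `uint32` sum `(row + img->row_offset)%rowsperstrip + nrowsub` can itself wrap depends on the bound placed on `rowsperstrip` earlier in the function, which is not visible here.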
