LibGfx/TIFF: Prevent recursion when following IFD pointers

Fixes oss-fuzz 66587. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66587&sort=-opened&q=proj%3Aserenity%20TIFF&can=1
trflynn89 · Apr 7, 2024 · cb5f30a · cb5f30a
1 parent 2c86633
commit cb5f30a
Showing 1 changed file with 18 additions and 5 deletions.
diff --git a/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
@@ -530,14 +530,24 @@ class TIFFLoadingContext {
         VERIFY_NOT_REACHED();
     }
 
+    ErrorOr<void> set_next_ifd(u32 ifd_offset)
+    {
+        if (ifd_offset != 0) {
+            if (ifd_offset < TRY(m_stream->tell()))
+                return Error::from_string_literal("TIFFImageDecoderPlugin: Can not accept an IFD pointing to previous data");
+
+            m_next_ifd = Optional<u32> { ifd_offset };
+        } else {
+            m_next_ifd = OptionalNone {};
+        }
+        return {};
+    }
+
     ErrorOr<void> read_next_idf_offset()
     {
         auto const next_block_position = TRY(read_value<u32>());
+        TRY(set_next_ifd(next_block_position));
 
-        if (next_block_position != 0)
-            m_next_ifd = Optional<u32> { next_block_position };
-        else
-            m_next_ifd = OptionalNone {};
         return {};
     }
 
@@ -684,7 +694,10 @@ class TIFFLoadingContext {
         }()));
 
         auto subifd_handler = [&](u32 ifd_offset) -> ErrorOr<void> {
-            m_next_ifd = ifd_offset;
+            if (auto result = set_next_ifd(ifd_offset); result.is_error()) {
+                dbgln("{}", result.error());
+                return {};
+            }
             TRY(read_next_image_file_directory());
             return {};
         };