Skip to content
This repository has been archived by the owner. It is now read-only.
Permalink
Browse files

* libtiff/tif_read.c: Fix out-of-bounds read on

memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
when stripoffset is beyond tmsize_t max value (reported by
Mathias Svensson)
  • Loading branch information...
erouault
erouault committed Jul 10, 2016
1 parent 4bdc915 commit 0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496
Showing with 12 additions and 2 deletions.
  1. +7 −0 ChangeLog
  2. +5 −2 libtiff/tif_read.c
@@ -1,3 +1,10 @@
2016-07-10 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_read.c: Fix out-of-bounds read on
memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
when stripoffset is beyond tmsize_t max value (reported by
Mathias Svensson)

2016-07-10 Even Rouault <even.rouault at spatialys.com>

* tools/tiffdump.c: fix a few misaligned 64-bit reads warned
@@ -31,6 +31,9 @@
#include "tiffiop.h"
#include <stdio.h>

#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)

int TIFFFillStrip(TIFF* tif, uint32 strip);
int TIFFFillTile(TIFF* tif, uint32 tile);
static int TIFFStartStrip(TIFF* tif, uint32 strip);
@@ -421,7 +424,7 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
tmsize_t n;
ma=(tmsize_t)td->td_stripoffset[strip];
mb=ma+size;
if (((uint64)ma!=td->td_stripoffset[strip])||(ma>tif->tif_size))
if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
n=0;
else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
n=tif->tif_size-ma;
@@ -755,7 +758,7 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
tmsize_t n;
ma=(tmsize_t)td->td_stripoffset[tile];
mb=ma+size;
if (((uint64)ma!=td->td_stripoffset[tile])||(ma>tif->tif_size))
if ((td->td_stripoffset[tile] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
n=0;
else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
n=tif->tif_size-ma;

0 comments on commit 0ba5d88

Please sign in to comment.
You can’t perform that action at this time.