Skip to content
This repository has been archived by the owner. It is now read-only.
Permalink
Browse files

* libtiff/tif_pixarlog.c: fix potential buffer write overrun in

PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
  • Loading branch information...
erouault
erouault committed Jun 28, 2016
1 parent c421b99 commit 391e77fcd217e78b2c51342ac3ddb7100ecacdd2
Showing with 13 additions and 0 deletions.
  1. +5 −0 ChangeLog
  2. +8 −0 libtiff/tif_pixarlog.c
@@ -1,3 +1,8 @@
2016-06-28 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_pixarlog.c: fix potential buffer write overrun in
PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)

2016-06-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

* libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64
@@ -459,6 +459,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
typedef struct {
TIFFPredictorState predict;
z_stream stream;
tmsize_t tbuf_size; /* only set/used on reading for now */
uint16 *tbuf;
uint16 stride;
int state;
@@ -694,6 +695,7 @@ PixarLogSetupDecode(TIFF* tif)
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
sp->tbuf_size = tbuf_size;
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
sp->user_datafmt = PixarLogGuessDataFmt(td);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -783,6 +785,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
return (0);
}
/* Check that we will not fill more than what was allocated */
if (sp->stream.avail_out > sp->tbuf_size)
{
TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
return (0);
}
do {
int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
if (state == Z_STREAM_END) {

0 comments on commit 391e77f

Please sign in to comment.
You can’t perform that action at this time.