* libtiff/tif_next.c: add new tests to check that we don't read outsi…

…de of the compressed input stream buffer. * libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
vadz · Dec 29, 2014 · 40a5955 · 40a5955
1 parent 26d8e90
commit 40a5955
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 6 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,12 @@
+2014-12-29  Even Rouault  <even.rouault@spatialys.com>
+
+	* libtiff/tif_next.c: add new tests to check that we don't read outside of
+	the compressed input stream buffer.
+
+	* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
+    in the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and
+    putcontig8bitYCbCr21tile cases.
+
 2014-12-27  Even Rouault  <even.rouault@spatialys.com>
 
 	* libtiff/tif_dir.c: in TIFFDefaultDirectory(), reset any already existing

diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
 
     (void) y;
     fromskew = (fromskew * 10) / 4;
-    if ((h & 3) == 0 && (w & 1) == 0) {
+    if ((w & 3) == 0 && (h & 1) == 0) {
         for (; h >= 2; h -= 2) {
             x = w>>2;
             do {
@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
     /* XXX adjust fromskew */
     do {
 	x = w>>2;
-	do {
+	while(x>0) {
 	    int32 Cb = pp[4];
 	    int32 Cr = pp[5];
 
@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
 
 	    cp += 4;
 	    pp += 6;
-	} while (--x);
+		x--;
+	}
 
         if( (w&3) != 0 )
         {
@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
 	fromskew = (fromskew * 4) / 2;
 	do {
 		x = w>>1;
-		do {
+		while(x>0) {
 			int32 Cb = pp[2];
 			int32 Cr = pp[3];
 
@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
 
 			cp += 2;
 			pp += 4;
-		} while (--x);
+			x --;
+		}
 
 		if( (w&1) != 0 )
 		{

diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 		TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
 		return (0);
 	}
-	for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+	for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
 		n = *bp++, cc--;
 		switch (n) {
 		case LITERALROW:
@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 			 * The scanline has a literal span that begins at some
 			 * offset.
 			 */
+			if( cc < 4 )
+				goto bad;
 			off = (bp[0] * 256) + bp[1];
 			n = (bp[2] * 256) + bp[3];
 			if (cc < 4+n || off+n > scanline)