Skip to content
This repository was archived by the owner on Dec 1, 2017. It is now read-only.

Commit 5ad9d80

Browse files
author
erouault
committed
* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
tile width vs image width. Reported as MSVR 35103 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
1 parent d295571 commit 5ad9d80

File tree

2 files changed

+9
-2
lines changed

2 files changed

+9
-2
lines changed

Diff for: ChangeLog

+7
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,10 @@
1+
2016-10-08 Even Rouault <even.rouault at spatialys.com>
2+
3+
* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
4+
tile width vs image width. Reported as MSVR 35103
5+
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
6+
Mitigations team.
7+
18
2016-10-08 Even Rouault <even.rouault at spatialys.com>
29

310
* tools/tiff2pdf.c: fix read -largely- outsize of buffer in

Diff for: tools/tiffcp.c

+2-2
Original file line numberDiff line numberDiff line change
@@ -1338,7 +1338,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
13381338
uint32 colb = 0;
13391339
uint32 col;
13401340

1341-
for (col = 0; col < imagewidth; col += tw) {
1341+
for (col = 0; col < imagewidth && colb < imagew; col += tw) {
13421342
if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
13431343
&& !ignore) {
13441344
TIFFError(TIFFFileName(in),
@@ -1523,7 +1523,7 @@ DECLAREwriteFunc(writeBufferToContigTiles)
15231523
uint32 colb = 0;
15241524
uint32 col;
15251525

1526-
for (col = 0; col < imagewidth; col += tw) {
1526+
for (col = 0; col < imagewidth && colb < imagew; col += tw) {
15271527
/*
15281528
* Tile is clipped horizontally. Calculate
15291529
* visible portion and skewing factors.

0 commit comments

Comments
 (0)