* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd

tile width vs image width. Reported as MSVR 35103 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
vadz · Oct 8, 2016 · 5ad9d80 · 5ad9d80
1 parent d295571
commit 5ad9d80
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,10 @@
+2016-10-08 Even Rouault <even.rouault at spatialys.com>
+
+	* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
+	tile width vs image width. Reported as MSVR 35103
+	by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
+	Mitigations team.
+
 2016-10-08 Even Rouault <even.rouault at spatialys.com>
 
 	* tools/tiff2pdf.c: fix read -largely- outsize of buffer in

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
@@ -1338,7 +1338,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
 		uint32 colb = 0;
 		uint32 col;
 
-		for (col = 0; col < imagewidth; col += tw) {
+		for (col = 0; col < imagewidth && colb < imagew; col += tw) {
 			if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
 			    && !ignore) {
 				TIFFError(TIFFFileName(in),
@@ -1523,7 +1523,7 @@ DECLAREwriteFunc(writeBufferToContigTiles)
 		uint32 colb = 0;
 		uint32 col;
 
-		for (col = 0; col < imagewidth; col += tw) {
+		for (col = 0; col < imagewidth && colb < imagew; col += tw) {
 			/*
 			 * Tile is clipped horizontally.  Calculate
 			 * visible portion and skewing factors.