* tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in

readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
vadz · Oct 14, 2016 · ae9365d · ae9365d
1 parent b5d6803
commit ae9365d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+2016-10-14 Even Rouault <even.rouault at spatialys.com>
+
+	* tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
+	readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
+	& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+
 2016-10-09 Even Rouault <even.rouault at spatialys.com>
 
 	* tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
@@ -819,9 +819,18 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
     }
     }
 
-  tilebuf = _TIFFmalloc(tile_buffsize);
+  /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+  if( tile_buffsize > 0xFFFFFFFFU - 3 )
+  {
+      TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+      exit(-1);
+  }
+  tilebuf = _TIFFmalloc(tile_buffsize + 3);
   if (tilebuf == 0)
     return 0;
+  tilebuf[tile_buffsize] = 0;
+  tilebuf[tile_buffsize+1] = 0;
+  tilebuf[tile_buffsize+2] = 0;
 
   dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;  
   for (row = 0; row < imagelength; row += tl)