This repository has been archived by the owner. It is now read-only.

* tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in

readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
erouault committed Oct 14, 2016
1 parent b5d6803 commit ae9365db1b271b62b35ce018eac8799b1d5e8a53
Showing with 16 additions and 1 deletion.
  1. +6 −0 ChangeLog
  2. +10 −1 tools/tiffcrop.c
@@ -1,3 +1,9 @@
2016-10-14 Even Rouault <even.rouault at spatialys.com>

* tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.

2016-10-09 Even Rouault <even.rouault at spatialys.com>

* tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
@@ -819,9 +819,18 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
}
}

tilebuf = _TIFFmalloc(tile_buffsize);
/* Add 3 padding bytes for extractContigSamplesShifted32bits */
if( tile_buffsize > 0xFFFFFFFFU - 3 )
{
TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
exit(-1);
}
tilebuf = _TIFFmalloc(tile_buffsize + 3);
if (tilebuf == 0)
return 0;
tilebuf[tile_buffsize] = 0;
tilebuf[tile_buffsize+1] = 0;
tilebuf[tile_buffsize+2] = 0;

dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;
for (row = 0; row < imagelength; row += tl)
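
Review bot: The new overflow branch in readContigTilesIntoBuffer() ends with exit(-1), while the allocation failure immediately after it returns 0, so the two failure paths of the same allocation behave differently. Returning 0 after the TIFFError() call would let the caller handle both cases the same way. The bound 0xFFFFFFFFU - 3 also assumes tile_buffsize is a 32-bit quantity; its declaration is not visible in this hunk, so it is worth confirming the limit matches the type passed to _TIFFmalloc(). The literal 3 appears in the check, the allocation and the three zeroing stores; a named constant plus a single memset of the padding would keep them in step. Since the comment ties the padding to extractContigSamplesShifted32bits, please check whether any other buffer handed to that function needs the same padding.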
