Commit | Line | Data |
---|---|---|
4b96149d LF |
1 | Fix an integer underflow in tiffcp that led to heap overflows in |
2 | TIFFReverseBits(): | |
3 | ||
4 | http://bugzilla.maptools.org/show_bug.cgi?id=2598 | |
5 | ||
6 | 2016-12-02 Even Rouault <even.rouault at spatialys.com> | |
7 | ||
8 | * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that | |
9 | can cause various issues, such as buffer overflows in the library. | |
10 | Reported by Agostino Sarubbo. | |
11 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 | |
12 | ||
13 | ||
14 | /cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog | |
15 | new revision: 1.1174; previous revision: 1.1173 | |
16 | /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c | |
17 | new revision: 1.56; previous revision: 1.55 | |
18 | ||
19 | Index: libtiff/tools/tiffcp.c | |
20 | =================================================================== | |
21 | RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v | |
22 | retrieving revision 1.55 | |
23 | retrieving revision 1.56 | |
24 | diff -u -r1.55 -r1.56 | |
25 | --- libtiff/tools/tiffcp.c 8 Oct 2016 15:54:57 -0000 1.55 | |
26 | +++ libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56 | |
27 | @@ -1,4 +1,4 @@ | |
28 | -/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */ | |
29 | +/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */ | |
30 | ||
31 | /* | |
32 | * Copyright (c) 1988-1997 Sam Leffler | |
33 | @@ -985,7 +985,7 @@ | |
34 | tstrip_t s, ns = TIFFNumberOfStrips(in); | |
35 | uint32 row = 0; | |
36 | _TIFFmemset(buf, 0, stripsize); | |
37 | - for (s = 0; s < ns; s++) { | |
38 | + for (s = 0; s < ns && row < imagelength; s++) { | |
39 | tsize_t cc = (row + rowsperstrip > imagelength) ? | |
40 | TIFFVStripSize(in, imagelength - row) : stripsize; | |
41 | if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 |
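
Review bot: the `cc` computation directly under the new loop condition still evaluates `row + rowsperstrip > imagelength`, and that addition can wrap if `rowsperstrip` is a uint32 near its maximum (its declaration is not visible in this hunk), in which case `stripsize` is chosen instead of the clamped size for the final strip. With `row < imagelength` now guaranteed by the loop condition, `imagelength - row` cannot underflow, so the test can be written without the addition as `rowsperstrip > imagelength - row`. A one-line comment on the loop condition stating that iteration stops once `row` reaches `imagelength`, even when `ns` reports more strips, would record why the guard is there; consider whether leftover strips in that case should produce a warning rather than being skipped silently.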