authorEven Rouault <even.rouault@spatialys.com>2020-09-22 18:27:44 +0200
committerEven Rouault <even.rouault@spatialys.com>2020-09-22 18:27:44 +0200
commitc8f0a16f4ad10cd5d595bd5614104e2ecf52ee92 (patch)
tree94442e6614f49a9ea4abdae5004335a8f9438665
parent57d487aa1ccb1eaee657ae9f6dfd6dd6fdd3c1e1 (diff)
tif_fax3.h: return error when a buffer overflow occurs. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25552 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25849
-rw-r--r--libtiff/tif_fax3.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/libtiff/tif_fax3.h b/libtiff/tif_fax3.h
index 117619c5..9d765b6b 100644
--- a/libtiff/tif_fax3.h
+++ b/libtiff/tif_fax3.h
@@ -240,6 +240,11 @@ static const char* StateNames[] = {
* current row and reset decoding state.
*/
#define SETVALUE(x) do { \
+ if (pa >= thisrun + sp->nruns) { \
+ TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
+ sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
+ return (-1); \
+ } \
*pa++ = RunLength + (x); \
a0 += (x); \
RunLength = 0; \
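Review bot: The added guard in SETVALUE leaves through a bare `return (-1)` hidden inside the macro, so every function that expands it, directly or through other macros in this header, exits without the state write-back or cleanup it would normally do at its end. Each expansion site should be checked for that, or the macro could jump to an error label supplied by the caller. The bound `pa >= thisrun + sp->nruns` is only correct if `sp->nruns` is the number of entries available from `thisrun`, not the size of a combined current-plus-reference allocation; that cannot be confirmed from this hunk. The comment above the macro should also mention the early exit, for example `* Returns -1 from the enclosing function when the run array is full.`. The macro body continues past the end of the hunk.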