authorEven Rouault <even.rouault@spatialys.com>2020-10-26 11:32:42 +0100
committerEven Rouault <even.rouault@spatialys.com>2020-10-26 11:32:42 +0100
commit2e822691d750c01cec5b5cc4ee73567a204ab2a3 (patch)
treed2074f9eff8c759c5d27ea80ee5562a1f3caf4e3
parentb0469e8157cb8b694f261d28c98674c1d0ce85e6 (diff)
downloadlibtiff-git-2e822691d750c01cec5b5cc4ee73567a204ab2a3.tar.gz
TIFFStartStrip(): avoid potential crash in WebP codec when using scanline access on corrupted files. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26650
-rw-r--r--libtiff/tif_read.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 38869385..c4c868b1 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -1445,8 +1445,16 @@ TIFFStartStrip(TIFF* tif, uint32 strip)
else
tif->tif_rawcc = (tmsize_t)TIFFGetStrileByteCount(tif, strip);
}
- return ((*tif->tif_predecode)(tif,
- (uint16)(strip / td->td_stripsperimage)));
+ if ((*tif->tif_predecode)(tif,
+ (uint16)(strip / td->td_stripsperimage)) == 0 ) {
+ /* Needed for example for scanline access, if tif_predecode */
+ /* fails, and we try to read the same strip again. Without invalidating */
+ /* tif_curstrip, we'd call tif_decoderow() on a possibly invalid */
+ /* codec state. */
+ tif->tif_curstrip = NOSTRIP;
+ return 0;
+ }
+ return 1;
}
/*
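Review bot: The tile path probably needs the same treatment as this strip path: if TIFFStartTile (whose header comment begins on the hunk's last line) still returns `tif_predecode`'s result directly, the way the removed lines here did, a failed predecode leaves `tif_curtile` pointing at a tile whose codec state was never set up, and a retry through the tile readers would reach `tif_decodetile` in the same state this commit guards against for strips; mirroring the new block with `tif->tif_curtile = NOTILE; return 0;` on failure would close it. That is inferred from the surrounding file rather than visible in the hunk, so it should be confirmed against TIFFStartTile's body. A style point on the new condition: `== 0 )` carries a stray space before the closing parenthesis; `== 0) {` matches the rest of the file. The enclosing function TIFFStartStrip starts before the hunk.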