diff options
author | Even Rouault <even.rouault@spatialys.com> | 2017-05-14 02:26:07 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2017-05-14 02:26:07 +0000 |
commit | 8d4e4591028e2cdac20a2718480f4252664aec88 (patch) | |
tree | 211504dbc1c56a4eb129feb3ccbd3388b6008c5b | |
parent | 99e8fb373ea71bc7a9fab3fc92674883913884b9 (diff) | |
download | libtiff-git-8d4e4591028e2cdac20a2718480f4252664aec88.tar.gz |
* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | libtiff/tif_packbits.c | 8 |
2 files changed, 13 insertions, 1 deletions
@@ -1,3 +1,9 @@ +2017-05-14 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode() + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 + Credit to OSS-Fuzz + 2017-05-13 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 diff --git a/libtiff/tif_packbits.c b/libtiff/tif_packbits.c index 0495e688..18904b01 100644 --- a/libtiff/tif_packbits.c +++ b/libtiff/tif_packbits.c @@ -1,4 +1,4 @@ -/* $Id: tif_packbits.c,v 1.25 2017-01-11 20:33:35 erouault Exp $ */ +/* $Id: tif_packbits.c,v 1.26 2017-05-14 02:26:07 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) (unsigned long) ((tmsize_t)n - occ)); n = (long)occ; } + if( cc == 0 ) + { + TIFFWarningExt(tif->tif_clientdata, module, + "Terminating PackBitsDecode due to lack of data."); + break; + } occ -= n; b = *bp++; cc--; |