authorEven Rouault <even.rouault@spatialys.com>2017-05-14 02:26:07 +0000
committerEven Rouault <even.rouault@spatialys.com>2017-05-14 02:26:07 +0000
commit8d4e4591028e2cdac20a2718480f4252664aec88 (patch)
tree211504dbc1c56a4eb129feb3ccbd3388b6008c5b
parent99e8fb373ea71bc7a9fab3fc92674883913884b9 (diff)
downloadlibtiff-git-8d4e4591028e2cdac20a2718480f4252664aec88.tar.gz
* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 Credit to OSS-Fuzz
-rw-r--r--ChangeLog6
-rw-r--r--libtiff/tif_packbits.c8
2 files changed, 13 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 120a80da..28e7be7e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-05-14 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
+ Credit to OSS-Fuzz
+
2017-05-13 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
diff --git a/libtiff/tif_packbits.c b/libtiff/tif_packbits.c
index 0495e688..18904b01 100644
--- a/libtiff/tif_packbits.c
+++ b/libtiff/tif_packbits.c
@@ -1,4 +1,4 @@
-/* $Id: tif_packbits.c,v 1.25 2017-01-11 20:33:35 erouault Exp $ */
+/* $Id: tif_packbits.c,v 1.26 2017-05-14 02:26:07 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
(unsigned long) ((tmsize_t)n - occ));
n = (long)occ;
}
+ if( cc == 0 )
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Terminating PackBitsDecode due to lack of data.");
+ break;
+ }
occ -= n;
b = *bp++;
cc--;
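Review bot: The new `cc == 0` guard in front of `b = *bp++;` has no comment saying why the input can be exhausted at this point. The run's count byte was read earlier in the loop (outside the hunk), so `cc == 0` here means the stream ended between a replicate count and its value byte; a comment such as `/* replicate count consumed but no value byte left: truncated input */` would record that invariant. The guard also sits after the clamp of `n` to `occ`, which appears to log its own warning, so one malformed run can produce two messages; placing the `cc` check before the `occ` check would avoid that. PackBitsDecode's loop starts and ends outside the hunk, so whether this `break` ends in an error return for the short scanline cannot be confirmed from here. The diffstat shows no test file, so a regression input for the OSS-Fuzz case would be worth adding.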