author | erouault <erouault> | 2014-12-29 12:09:11 +0000 |
---|---|---|
committer | erouault <erouault> | 2014-12-29 12:09:11 +0000 |
commit | eadb5dd5f1103314a3bd9121d2235d2b17d690f4 (patch) | |
tree | 7dfdbf2a10410410a8e11d6155721cd4028ee12e | |
parent | 8e04ac45a091f23e7cdb1e55f013da9c267dbca9 (diff) | |
download | libtiff-eadb5dd5f1103314a3bd9121d2235d2b17d690f4.tar.gz |
* libtiff/tif_next.c: add new tests to check that we don't read outside of
the compressed input stream buffer.
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | libtiff/tif_getimage.c | 14 | ||||
-rw-r--r-- | libtiff/tif_next.c | 6 |
3 files changed, 21 insertions, 8 deletions
@@ -1,3 +1,12 @@
+2014-12-29 Even Rouault <even.rouault@spatialys.com>
+
+ * libtiff/tif_next.c: add new tests to check that we don't read outside of
+ the compressed input stream buffer.
+
+ * libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
+ in the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and
+ putcontig8bitYCbCr21tile cases.
+
 2014-12-27 Even Rouault <even.rouault@spatialys.com>
 
 * libtiff/tif_dir.c: in TIFFDefaultDirectory(), reset any already existing
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index d247fa30..20170396 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.85 2014-12-25 18:29:11 erouault Exp $ */
+/* $Id: tif_getimage.c,v 1.86 2014-12-29 12:09:11 erouault Exp $ */
 
 /*
 * Copyright (c) 1991-1997 Sam Leffler
@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
 
 (void) y;
 fromskew = (fromskew * 10) / 4;
- if ((h & 3) == 0 && (w & 1) == 0) {
+ if ((w & 3) == 0 && (h & 1) == 0) {
 for (; h >= 2; h -= 2) {
 x = w>>2;
 do {
@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
 /* XXX adjust fromskew */
 do {
 x = w>>2;
- do {
+ while(x>0) {
 int32 Cb = pp[4];
 int32 Cr = pp[5];
 
@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
 
 cp += 4;
 pp += 6;
- } while (--x);
+ x--;
+ }
 
 if( (w&3) != 0 )
 {
@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
 fromskew = (fromskew * 4) / 2;
 do {
 x = w>>1;
- do {
+ while(x>0) {
 int32 Cb = pp[2];
 int32 Cr = pp[3];
 
@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
 
 cp += 2;
 pp += 4;
- } while (--x);
+ x --;
+ }
 
 if( (w&1) != 0 )
 {
diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
index 11cac7d5..17e03111 100644
--- a/libtiff/tif_next.c
+++ b/libtiff/tif_next.c
@@ -1,4 +1,4 @@
-/* $Id: tif_next.c,v 1.15 2014-12-21 18:07:48 erouault Exp $ */
+/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
 
 /*
 * Copyright (c) 1988-1997 Sam Leffler
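Review bot: In putcontig8bitYCbCr42tile the fast path still opens its inner loop with `x = w>>2; do {`, and the corrected test `(w & 3) == 0` also admits w == 0, where x starts at 0. The end of that loop is outside this hunk, so this is inferred, but if it closes with `while (--x)` as the 41tile and 21tile loops did, x wraps and pp and cp are advanced far past their buffers. This commit converts that loop shape to `while(x>0)` in the other two functions but leaves this one. Either use the same `while (x > 0) { ... x--; }` form here or add `w != 0` to the branch condition, unless callers are known never to pass a zero width.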
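Review bot: In putcontig8bitYCbCr41tile the enclosing `do {` shown in the context is still a post-test loop whose condition lies outside the hunk; if it is `while (--h)`, a call with h == 0 has the same unsigned wrap-around that the inner-loop fix removes for w < 4. The same applies to the outer `do {` in the putcontig8bitYCbCr21tile hunks further down. It would also help to record why the loop form changed, for example `/* x is 0 when w < 4; the (w&3) tail below handles those pixels */` above `while(x>0)`. The decrement is spelled `x--;` here and `x --;` in the 21tile hunk; pick one.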
@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
 return (0);
 }
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
 n = *bp++, cc--;
 switch (n) {
 case LITERALROW:
@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 * The scanline has a literal span that begins at some
 * offset.
 */
+ if( cc < 4 )
+ goto bad;
 off = (bp[0] * 256) + bp[1];
 n = (bp[2] * 256) + bp[3];
 if (cc < 4+n || off+n > scanline) |
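Review bot: The new `cc > 0 &&` term in the NeXTDecode loop header makes the loop stop quietly when the compressed input runs out while `occ` is still positive. The code after the loop is outside this hunk, so this is inferred, but if it returns success the caller receives rows that were never decoded and no error is reported. Consider treating that exit as a truncated stream, e.g. `if (occ > 0) goto bad;` directly after the loop, or at least logging a warning there so a short strip is distinguishable from a complete one.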