authorerouault <erouault>2017-05-10 15:21:16 +0000
committererouault <erouault>2017-05-10 15:21:16 +0000
commit790cd66a0e9bf2c0644c7b2a552c9e9a957b2562 (patch)
treebe658622ed7f80b33911fd50b383c9c35336f2c4
parent7dd1b157ceeb1a425891579dece7b2ff7de16aff (diff)
downloadlibtiff-790cd66a0e9bf2c0644c7b2a552c9e9a957b2562.tar.gz
* libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
leak when the underlying codec (ZIP, PixarLog) succeeds its setupdecode() method, but PredictorSetup fails. Credit to OSS-Fuzz (locally run, on GDAL)
-rw-r--r--ChangeLog7
-rw-r--r--libtiff/tif_pixarlog.c8
-rw-r--r--libtiff/tif_predict.c5
-rw-r--r--libtiff/tif_zip.c8
4 files changed, 24 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index a0352e1a..bbba7ddb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2017-05-10 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
+ leak when the underlying codec (ZIP, PixarLog) succeeds its
+ setupdecode() method, but PredictorSetup fails.
+ Credit to OSS-Fuzz (locally run, on GDAL)
+
+2017-05-10 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 972ee75e..ae84fff5 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.50 2017-02-18 20:30:26 erouault Exp $ */
+/* $Id: tif_pixarlog.c,v 1.51 2017-05-10 15:21:16 erouault Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@@ -678,6 +678,12 @@ PixarLogSetupDecode(TIFF* tif)
assert(sp != NULL);
+ /* This function can possibly be called several times by */
+ /* PredictorSetupDecode() if this function succeeds but */
+ /* PredictorSetup() fails */
+ if( (sp->state & PLSTATE_INIT) != 0 )
+ return 1;
+
/* Make sure no byte swapping happens on the data
* after decompression. */
tif->tif_postdecode = _TIFFNoPostDecode;
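Review bot: The new early return keys on `PLSTATE_INIT`, which, unlike `ZSTATE_INIT_DECODE` in the tif_zip.c hunk of this commit, does not say which direction was initialised. If the encode setup path sets the same flag (not visible in this hunk), a handle prepared for encoding first would return 1 here without the decode-side initialisation and without `tif->tif_postdecode = _TIFFNoPostDecode;` being run. That is worth confirming; if the flag really is decode-only on this path, the comment should say so, for example `/* PLSTATE_INIT set here means a previous PixarLogSetupDecode() already completed */`, and otherwise a decode-specific state bit would be safer. PixarLogSetupDecode's body continues outside the hunk.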
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
index 78b97073..7a60a39e 100644
--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
@@ -1,4 +1,4 @@
-/* $Id: tif_predict.c,v 1.42 2017-02-25 17:05:12 erouault Exp $ */
+/* $Id: tif_predict.c,v 1.43 2017-05-10 15:21:16 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -117,6 +117,9 @@ PredictorSetupDecode(TIFF* tif)
TIFFPredictorState* sp = PredictorState(tif);
TIFFDirectory* td = &tif->tif_dir;
+ /* Note: when PredictorSetup() fails, the effets of setupdecode() */
+ /* will not be "cancelled" so setupdecode() might be robust to */
+ /* be called several times. */
if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
return 0;
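Review bot: The added comment words a hard requirement as optional: "might be robust" should read "must be robust", and "effets" is a typo for "effects". Because a failed PredictorSetup() leaves the codec's setupdecode() state in place, every codec installed as `sp->setupdecode` has to tolerate a repeat call, and this commit adjusts only ZIP and PixarLog. Suggested wording: `/* Note: when PredictorSetup() fails, the effects of setupdecode() are not undone, so every codec's setupdecode() must be safe to call again. */`. The encode counterpart is not in this hunk; if it chains setupencode() and PredictorSetup() the same way, it deserves the same comment and the same check in the codecs. PredictorSetupDecode continues outside the hunk.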
diff --git a/libtiff/tif_zip.c b/libtiff/tif_zip.c
index 8c35aea8..42943fbb 100644
--- a/libtiff/tif_zip.c
+++ b/libtiff/tif_zip.c
@@ -1,4 +1,4 @@
-/* $Id: tif_zip.c,v 1.36 2016-11-12 16:48:28 erouault Exp $ */
+/* $Id: tif_zip.c,v 1.37 2017-05-10 15:21:16 erouault Exp $ */
/*
* Copyright (c) 1995-1997 Sam Leffler
@@ -107,7 +107,11 @@ ZIPSetupDecode(TIFF* tif)
sp->state = 0;
}
- if (inflateInit(&sp->stream) != Z_OK) {
+ /* This function can possibly be called several times by */
+ /* PredictorSetupDecode() if this function succeeds but */
+ /* PredictorSetup() fails */
+ if ((sp->state & ZSTATE_INIT_DECODE) == 0 &&
+ inflateInit(&sp->stream) != Z_OK) {
TIFFErrorExt(tif->tif_clientdata, module, "%s", SAFE_MSG(sp));
return (0);
} else {
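Review bot: Folding the already-initialised test into the `inflateInit()` condition makes the `else` branch serve two cases, "just initialised" and "initialised by an earlier call", which is harder to follow than the guard used in the tif_pixarlog.c hunk. Assuming the `else` body (outside this hunk) only sets `ZSTATE_INIT_DECODE` and returns 1, an explicit guard before the call would be equivalent and consistent with PixarLog: `if (sp->state & ZSTATE_INIT_DECODE) return 1;`. Either way, the comment could state that the existing z_stream is kept on purpose so that it is never initialised a second time, since that is what the leak fix relies on.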