author | erouault <erouault> | 2016-11-16 15:14:15 +0000 |
---|---|---|
committer | erouault <erouault> | 2016-11-16 15:14:15 +0000 |
commit | c1577027702cef55f66f23bcd2b1afd59e2770bf (patch) | |
tree | c3a3385b0a5c2634a8fbd72d10dac5393220c1b7 | |
parent | ba6438fb98b76c0d97f93bcd2dae46bb74eb035f (diff) | |
download | libtiff-c1577027702cef55f66f23bcd2b1afd59e2770bf.tar.gz |
* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | libtiff/tif_dirread.c | 6 |
2 files changed, 12 insertions, 3 deletions
@@ -1,3 +1,12 @@
+2016-11-16 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
+ NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
+ access are 0-byte arrays.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
+ by previous fix done on 2016-11-11 for CVE-2016-9297).
+ Reported by Henri Salo.
+
 2016-11-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
 
 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 0ed3afa2..01070f2e 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.203 2016-11-11 20:22:01 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
 
 /*
 * Copyright (c) 1988-1997 Sam Leffler
@@ -5000,7 +5000,7 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
 if (err==TIFFReadDirEntryErrOk)
 {
 int m;
- if( data[dp->tdir_count-1] != '\0' )
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
 {
 TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
 data[dp->tdir_count-1] = '\0';
@@ -5177,7 +5177,7 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
 if (err==TIFFReadDirEntryErrOk)
 {
 int m;
- if( data[dp->tdir_count-1] != '\0' )
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
 {
 TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
 data[dp->tdir_count-1] = '\0'; |
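Review bot: The new condition in both TIFFFetchNormalTag() hunks (at lines 5000 and 5177) tests `dp->tdir_count > 0` but not the pointer that is actually dereferenced, so it relies on an unstated invariant that a successful read with a non-zero count never leaves `data` NULL. Because `tdir_count` is taken from the directory entry `dp`, I would make the guard explicit, `if( data != 0 && dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )`, or at least record the invariant in a comment such as `/* tdir_count == 0 leaves data NULL: nothing to terminate */`. The enclosing block continues past the end of each hunk, so what the rest of the branch does with a NULL `data` and a zero count is not visible here and should be confirmed in the same pass. The check is duplicated verbatim in both hunks; a small shared static helper would keep the two branches in step, and a test file carrying a zero-count ASCII tag would pin the behaviour, since the diffstat shows no test added.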