Avoid oob access when reading certain corrupt tiled tiffs

Add check against corrupt tiffs where libtiff can report conflicting
values of tile width, length and byte size.

This issue was reported by Samuel Groß and Natalie Silvanovich of
Google Project Zero.

Pick-to: 6.1 6.0 5.15 5.12
Change-Id: Icb9c20317746190c446c93b474f5c490a805551c
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>

1 files changed, 8 insertions, 3 deletions

diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp
index 9ddaab8..d9e5478 100644
--- a/src/plugins/imageformats/tiff/qtiffhandler.cpp
+++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp
@@ -423,14 +423,19 @@ bool QTiffHandler::read(QImage *image)
             quint32 tileWidth, tileLength;
             TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
             TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
-            uchar *buf = (uchar *)_TIFFmalloc(TIFFTileSize(tiff));
-            if (!tileWidth || !tileLength || !buf) {
-                _TIFFfree(buf);
+            if (!tileWidth || !tileLength || tileWidth % 16 || tileLength % 16) {
                 d->close();
                 return false;
             }
             quint32 byteWidth = (format == QImage::Format_Mono) ? (width + 7)/8 : (width * bytesPerPixel);
             quint32 byteTileWidth = (format == QImage::Format_Mono) ? tileWidth/8 : (tileWidth * bytesPerPixel);
+            tmsize_t byteTileSize = TIFFTileSize(tiff);
+            uchar *buf = (uchar *)_TIFFmalloc(byteTileSize);
+            if (!buf || byteTileSize / tileLength < byteTileWidth) {
+                _TIFFfree(buf);
+                d->close();
+                return false;
+            }
             for (quint32 y = 0; y < height; y += tileLength) {
                 for (quint32 x = 0; x < width; x += tileWidth) {
                     if (TIFFReadTile(tiff, buf, x, y, 0, 0) < 0) {