| author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2021-02-24 14:55:10 +0100 |
|---|---|---|
| committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2021-02-24 17:02:51 +0100 |
| commit | 0709cda6fa836ac222a06062abc3fd3ac0730c12 (patch) | |
| tree | 2a1222a17ddfc03bad8712d5b523e7f12f94da9b /src | |
| parent | 96992c3f771c47f4333a907463de4688830cafd8 (diff) | |
| download | qtimageformats-0709cda6fa836ac222a06062abc3fd3ac0730c12.tar.gz | |
Avoid oob access when reading certain corrupt tiled tiffs
Add check against corrupt tiffs where libtiff can report conflicting
values of tile width, length and byte size.
This issue was reported by Samuel Groß and Natalie Silvanovich of
Google Project Zero.
Pick-to: 6.1 6.0 5.15 5.12
Change-Id: Icb9c20317746190c446c93b474f5c490a805551c
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/imageformats/tiff/qtiffhandler.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp index 9ddaab8..d9e5478 100644 --- a/src/plugins/imageformats/tiff/qtiffhandler.cpp +++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp @@ -423,14 +423,19 @@ bool QTiffHandler::read(QImage *image) quint32 tileWidth, tileLength; TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth); TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength); - uchar *buf = (uchar *)_TIFFmalloc(TIFFTileSize(tiff)); - if (!tileWidth || !tileLength || !buf) { - _TIFFfree(buf); + if (!tileWidth || !tileLength || tileWidth % 16 || tileLength % 16) { d->close(); return false; } quint32 byteWidth = (format == QImage::Format_Mono) ? (width + 7)/8 : (width * bytesPerPixel); quint32 byteTileWidth = (format == QImage::Format_Mono) ? tileWidth/8 : (tileWidth * bytesPerPixel); + tmsize_t byteTileSize = TIFFTileSize(tiff); + uchar *buf = (uchar *)_TIFFmalloc(byteTileSize); + if (!buf || byteTileSize / tileLength < byteTileWidth) { + _TIFFfree(buf); + d->close(); + return false; + } for (quint32 y = 0; y < height; y += tileLength) { for (quint32 x = 0; x < width; x += tileWidth) { if (TIFFReadTile(tiff, buf, x, y, 0, 0) < 0) { |
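Review bot: the `quint32 tileWidth, tileLength;` declaration in the hunk's leading context is never initialised and the return values of the two `TIFFGetField` calls are discarded, so if either tag is absent the guard `!tileWidth || !tileLength` tests indeterminate values; initialise both to 0 (or check the `TIFFGetField` results) so that guard is meaningful. The new size check itself looks sound: `tileLength` is already known to be non-zero at that point, so `byteTileSize / tileLength < byteTileWidth` rejects a tile buffer smaller than `tileLength * byteTileWidth` rows without the multiplication that could overflow, and the added `% 16` tests make `tileWidth/8` exact in the `Format_Mono` branch. Because the `% 16` tests now reject tiled files that this reader previously accepted, it would help to note in the commit message that multiples of 16 are the TIFF specification's own constraint on TileWidth and TileLength, so readers do not take this for an arbitrary limit.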