Bug 2661 - Integer overflow in gtTileContig (tif_getimage.c)

Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assigned To:
Whiteboard: migrated_to_gitlab

Reported: 2017-01-17 14:11
Modified: 2019-10-01 14:20

Description From 2017-01-17 14:11:10
In gtTileContig, w and tw are uint32. tw is obtained from TIFFGetField(tif,
TIFFTAG_TILEWIDTH, &tw), so it could be very large in corrupted files.

fromskew and toskew are int32. There are several places in gtTileContig where
these are assigned the results of computations using w and tw. Examples:

    toskew = -(int32)(tw + w);
    fromskew = tw - (w - tocol);

This can result in integer overflows, which cause other problems, as pointers
are shifted by toskew/fromskew later on.
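The arithmetic the report describes, as an added example that is not part of this bug report and not libtiff's code: it evaluates the two quoted expressions with the original uint32/int32 types to show the wrapped skew values a hostile TIFFTAG_TILEWIDTH produces, beside a hypothetical 64-bit range check that rejects such geometry. The function names (skews_unchecked, skews_checked, geometry_ok, wrap_int32), the sample dimensions and the check itself are assumptions of this example, not libtiff's eventual fix.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-row pointer adjustments used when a tile is copied into the output
 * raster. The report gives them as int32 while the image width w and the
 * tile width tw (read from TIFFTAG_TILEWIDTH) are uint32. */
typedef struct {
    int32_t toskew;   /* applied to the raster pointer after each tile row */
    int32_t fromskew; /* applied to the tile pointer after each tile row  */
} skews_t;

/* Two's-complement reduction of a uint32 to int32, written out so the demo
 * is fully defined rather than relying on implementation-defined casts.
 * It yields the same value (int32_t)x gives on mainstream compilers. */
static int32_t wrap_int32(uint32_t x)
{
    if (x <= (uint32_t)INT32_MAX)
        return (int32_t)x;
    return (int32_t)(x - 0x80000000u) + INT32_MIN;
}

/* The two expressions quoted in the report, evaluated with the original
 * types. tw + w and w - tocol are uint32 operations and can wrap on their
 * own, before anything is narrowed to int32. */
skews_t skews_unchecked(uint32_t w, uint32_t tw, uint32_t tocol)
{
    skews_t s;
    uint32_t sum = tw + w;
    s.toskew = wrap_int32(0u - sum);            /* -(int32)(tw + w)  */
    s.fromskew = wrap_int32(tw - (w - tocol));  /* tw - (w - tocol)  */
    return s;
}

/* Hypothetical hardened variant (an assumption of this example, not
 * libtiff's fix): evaluate the same expressions in 64-bit arithmetic and
 * refuse any geometry whose skews would not fit the int32 fields. */
bool skews_checked(uint32_t w, uint32_t tw, uint32_t tocol, skews_t *out)
{
    if (tocol > w)
        return false;                           /* w - tocol would wrap */
    int64_t toskew = -((int64_t)tw + (int64_t)w);
    int64_t fromskew = (int64_t)tw - ((int64_t)w - (int64_t)tocol);
    if (toskew < INT32_MIN || fromskew < INT32_MIN || fromskew > INT32_MAX)
        return false;
    out->toskew = (int32_t)toskew;
    out->fromskew = (int32_t)fromskew;
    return true;
}

/* Convenience predicate: does this geometry pass the range check? */
bool geometry_ok(uint32_t w, uint32_t tw, uint32_t tocol)
{
    skews_t s;
    return skews_checked(w, tw, tocol, &s);
}

static void show(const char *label, uint32_t w, uint32_t tw, uint32_t tocol)
{
    skews_t s = skews_unchecked(w, tw, tocol);
    skews_t c;
    bool ok = skews_checked(w, tw, tocol, &c);
    printf("%-22s w=%10" PRIu32 " tw=%10" PRIu32 " tocol=%" PRIu32 "\n",
           label, w, tw, tocol);
    printf("  unchecked: toskew=%11" PRId32 " fromskew=%11" PRId32 "\n",
           s.toskew, s.fromskew);
    if (ok)
        printf("  checked:   toskew=%11" PRId32 " fromskew=%11" PRId32 "\n",
               c.toskew, c.fromskew);
    else
        printf("  checked:   rejected (skew does not fit int32)\n");
}

int main(void)
{
    /* Constructed sample geometries: a sane image, then two hostile
     * TIFFTAG_TILEWIDTH / width combinations a corrupted file could carry. */
    show("sane 4096x256 tiles", 4096, 256, 0);
    show("huge tile width", 1, 0x80000000u, 0);       /* toskew flips positive */
    show("width near UINT32_MAX", 0xFFFFFFFFu, 2, 0); /* tw + w wraps to 1    */
    return 0;
}
```

With tw = 0x80000000 and w = 1 the unchecked toskew comes out as +2147483647 instead of a large negative value, so the raster pointer would be advanced rather than rewound after each tile row; with w = 0xFFFFFFFF and tw = 2 the uint32 sum wraps to 1 and toskew becomes -1. The checked variant rejects both because the 64-bit result is below INT32_MIN.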
------- Comment #1 From 2019-10-01 14:20:15 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues.

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.