You need to log in before you can comment on or make changes to this bug.
There are two out-of-bound read vulnerability in function TIFFReadSeparateTileData and function TIFFReadContigTileData in tools/tiffinfoce.c. void TIFFReadSeparateTileData(TIFF* tif) { unsigned char *buf; tsize_t rowsize = TIFFTileRowSize(tif); buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif)); if (buf) { uint32 tw, th, w, h; uint32 row, col; tsample_t s, samplesperpixel; TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w); TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h); TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel); for (row = 0; row < h; row += th) { for (col = 0; col < w; col += tw) { for (s = 0; s < samplesperpixel; s++) { if (TIFFReadTile(tif, buf, col, row, 0, s) < 0) { if (stoponerr) break; } else if (showdata) ShowTile(row, col, s, buf, th, rowsize); } } } _TIFFfree(buf); } } if condition "rowsize==0" or "th > TIFFTileSize(tif)/rowsize", the program should return. this issue is the same as TIFFReadContigTileData. Below is the proposal patch for function TIFFReadSeparateTileData. TIFFReadSeparateTileData(TIFF* tif) { unsigned char *buf; - tsize_t rowsize = TIFFTileRowSize(tif); + tmsize_t rowsize = TIFFTileRowSize(tif); + tmsize_t tilesize = TIFFTileSize(tif); - buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif)); + buf = (unsigned char *)_TIFFmalloc(tilesize); if (buf) { - uint32 tw, th, w, h; + uint32 tw=0, th=0, w=0, h=0; uint32 row, col; tsample_t s, samplesperpixel; @@ -331,6 +332,12 @@ TIFFReadSeparateTileData(TIFF* tif) TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel); + if( rowsize == 0 || th > tilesize / rowsize ) + { + fprintf(stderr, "Cannot display data: th * rowsize > tilesize\n"); + _TIFFfree(buf); + return; + } for (row = 0; row < h; row += th) { for (col = 0; col < w; col += tw) { for (s = 0; s < samplesperpixel; s++) {
you could (should?) create a merge request on https://gitlab.com/libtiff/libtiff
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.