1 # Security fix for multiple issues (CVE-2006-34{59-65})
3 # http://securitytracker.com/alerts/2006/Aug/1016628.html
4 # http://bugs.gentoo.org/show_bug.cgi?id=142383
6 diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
7 --- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
8 +++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
11 static const char module[] = "_TIFFVSetField";
13 + const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
14 TIFFDirectory* td = &tif->tif_dir;
19 case TIFFTAG_ORIENTATION:
20 v = va_arg(ap, uint32);
21 + const TIFFFieldInfo* fip;
22 if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
23 + fip = _TIFFFieldWithTag(tif, tag);
24 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
25 "Bad value %lu for \"%s\" tag ignored",
26 - v, _TIFFFieldWithTag(tif, tag)->field_name);
27 + v, fip ? fip->field_name : "Unknown");
29 td->td_orientation = (uint16) v;
32 * happens, for example, when tiffcp is used to convert between
33 * compression schemes and codec-specific tags are blindly copied.
36 + * better not dereference fip if it is NULL.
37 + * -- taviso@google.com 15 Jun 2006
39 if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
40 TIFFErrorExt(tif->tif_clientdata, module,
41 "%s: Invalid %stag \"%s\" (not supported by codec)",
42 tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
43 - _TIFFFieldWithTag(tif, tag)->field_name);
44 + fip ? fip->field_name : "Unknown");
49 if (fip->field_type == TIFF_ASCII)
50 _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
52 - tv->value = _TIFFmalloc(tv_size * tv->count);
53 + tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
61 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
62 + TIFFSetFieldBit(tif, fip->field_bit);
63 tif->tif_flags |= TIFF_DIRTYDIRECT;
69 TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
70 - tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
71 + tif->tif_name, v, fip ? fip->field_name : "Unknown");
75 TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
76 - tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
77 + tif->tif_name, v32, fip ? fip->field_name : "Unknown");
82 * If the client tries to get a tag that is not valid
83 * for the image's codec then we'll arrive here.
86 + * dont dereference fip if it's NULL.
87 + * -- taviso@google.com 15 Jun 2006
89 if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
91 TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
92 "%s: Invalid %stag \"%s\" (not supported by codec)",
93 tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
94 - _TIFFFieldWithTag(tif, tag)->field_name);
95 + fip ? fip->field_name : "Unknown");
99 diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
100 --- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
101 +++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
103 TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
104 "Internal error, unknown tag 0x%x",
106 - assert(fip != NULL);
107 + /* assert(fip != NULL); */
114 TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
115 "Internal error, unknown tag %s", field_name);
116 - assert(fip != NULL);
117 + /* assert(fip != NULL); */
122 diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
123 --- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
124 +++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
127 * Directory Read Support Routines.
134 #define IGNORE 0 /* tag placeholder used below */
138 int diroutoforderwarning = 0;
139 + int compressionknown = 0;
142 tif->tif_diroff = tif->tif_nextdiroff;
143 @@ -147,13 +151,20 @@
145 toff_t off = tif->tif_diroff;
147 - if (off + sizeof (uint16) > tif->tif_size) {
148 - TIFFErrorExt(tif->tif_clientdata, module,
149 - "%s: Can not read TIFF directory count",
153 + * Check for integer overflow when validating the dir_off, otherwise
154 + * a very high offset may cause an OOB read and crash the client.
155 + * -- taviso@google.com, 14 Jun 2006.
157 + if (off + sizeof (uint16) > tif->tif_size ||
158 + off > (UINT_MAX - sizeof(uint16))) {
159 + TIFFErrorExt(tif->tif_clientdata, module,
160 + "%s: Can not read TIFF directory count",
164 - _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
165 + _TIFFmemcpy(&dircount, tif->tif_base + off,
167 off += sizeof (uint16);
168 if (tif->tif_flags & TIFF_SWAB)
169 TIFFSwabShort(&dircount);
171 while (fix < tif->tif_nfields &&
172 tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
175 if (fix >= tif->tif_nfields ||
176 tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
178 @@ -264,17 +276,23 @@
183 - TIFFMergeFieldInfo(tif,
184 - _TIFFCreateAnonFieldInfo(tif,
186 - (TIFFDataType) dp->tdir_type),
189 + * creating anonymous fields prior to knowing the compression
190 + * algorithm (ie, when the field info has been merged) could cause
191 + * crashes with pathological directories.
192 + * -- taviso@google.com 15 Jun 2006
194 + if (compressionknown)
195 + TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
196 + (TIFFDataType) dp->tdir_type), 1 );
200 while (fix < tif->tif_nfields &&
201 tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
206 * Null out old tags that we ignore.
209 dp->tdir_type, dp->tdir_offset);
210 if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
212 + else compressionknown++;
214 /* XXX: workaround for broken TIFFs */
215 } else if (dp->tdir_type == TIFF_LONG) {
217 * Attempt to deal with a missing StripByteCounts tag.
219 if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
220 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
222 * Some manufacturers violate the spec by not giving
223 * the size of the strips. In this case, assume there
225 "%s: TIFF directory is missing required "
226 "\"%s\" field, calculating from imagelength",
228 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
229 + fip ? fip->field_name : "Unknown");
230 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
234 } else if (td->td_nstrips == 1
235 && td->td_stripoffset[0] != 0
236 && BYTECOUNTLOOKSBAD) {
237 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
239 * XXX: Plexus (and others) sometimes give a value of zero for
240 * a tag when they don't know what the correct value is! Try
241 @@ -589,13 +610,14 @@
242 TIFFWarningExt(tif->tif_clientdata, module,
243 "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
245 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
246 + fip ? fip->field_name : "Unknown");
247 if(EstimateStripByteCounts(tif, dir, dircount) < 0)
249 } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
250 && td->td_nstrips > 2
251 && td->td_compression == COMPRESSION_NONE
252 && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
253 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
255 * XXX: Some vendors fill StripByteCount array with absolutely
256 * wrong values (it can be equal to StripOffset array, for
258 TIFFWarningExt(tif->tif_clientdata, module,
259 "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
261 - _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
262 + fip ? fip->field_name : "Unknown");
263 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
268 register TIFFDirEntry *dp;
269 register TIFFDirectory *td = &tif->tif_dir;
272 + /* i is used to iterate over td->td_nstrips, so must be
273 + * at least the same width.
274 + * -- taviso@google.com 15 Jun 2006
279 if (td->td_stripbytecount)
280 _TIFFfree(td->td_stripbytecount);
281 @@ -947,16 +975,18 @@
283 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
285 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
287 if (count > dir->tdir_count) {
288 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
289 "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
290 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
291 + fip ? fip->field_name : "Unknown",
292 dir->tdir_count, count);
294 } else if (count < dir->tdir_count) {
295 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
296 "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
297 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
298 + fip ? fip->field_name : "Unknown",
299 dir->tdir_count, count);
303 TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
305 int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
306 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
307 tsize_t cc = dir->tdir_count * w;
309 /* Check for overflow. */
310 @@ -1013,7 +1044,7 @@
312 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
313 "Error fetching data for field \"%s\"",
314 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
315 + fip ? fip->field_name : "Unknown");
319 @@ -1039,10 +1070,12 @@
321 cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
323 + const TIFFFieldInfo* fip;
325 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
326 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
327 "%s: Rational with zero denominator (num = %lu)",
328 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
329 + fip ? fip->field_name : "Unknown", num);
332 if (dir->tdir_type == TIFF_RATIONAL)
333 @@ -1159,6 +1192,20 @@
335 TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
338 + * Prevent overflowing the v stack arrays below by performing a sanity
339 + * check on tdir_count, this should never be greater than two.
340 + * -- taviso@google.com 14 Jun 2006.
342 + if (dir->tdir_count > 2) {
343 + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
344 + TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
345 + "unexpected count for field \"%s\", %lu, expected 2; ignored.",
346 + fip ? fip->field_name : "Unknown",
351 switch (dir->tdir_type) {
354 @@ -1329,14 +1376,15 @@
356 return (TIFFFetchDoubleArray(tif, dir, (double*) v));
358 + { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
362 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
363 "cannot read TIFF_ANY type %d for field \"%s\"",
365 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
367 + fip ? fip->field_name : "Unknown");
372 @@ -1351,6 +1399,9 @@
374 const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
379 if (dp->tdir_count > 1) { /* array of values */
382 @@ -1493,6 +1544,7 @@
383 TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
385 uint16 samples = tif->tif_dir.td_samplesperpixel;
386 + const TIFFFieldInfo* fip;
389 if (CheckDirCount(tif, dir, (uint32) samples)) {
390 @@ -1510,9 +1562,10 @@
392 for (i = 1; i < check_count; i++)
394 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
395 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
396 "Cannot handle different per-sample values for field \"%s\"",
397 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
398 + fip ? fip->field_name : "Unknown");
402 @@ -1534,6 +1587,7 @@
403 TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
405 uint16 samples = tif->tif_dir.td_samplesperpixel;
406 + const TIFFFieldInfo* fip;
409 if (CheckDirCount(tif, dir, (uint32) samples)) {
410 @@ -1551,9 +1605,10 @@
411 check_count = samples;
412 for (i = 1; i < check_count; i++)
414 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
415 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
416 "Cannot handle different per-sample values for field \"%s\"",
417 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
418 + fip ? fip->field_name : "Unknown");
422 @@ -1574,6 +1629,7 @@
423 TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
425 uint16 samples = tif->tif_dir.td_samplesperpixel;
426 + const TIFFFieldInfo* fip;
429 if (CheckDirCount(tif, dir, (uint32) samples)) {
430 @@ -1591,9 +1647,10 @@
432 for (i = 1; i < check_count; i++)
434 + fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
435 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
436 "Cannot handle different per-sample values for field \"%s\"",
437 - _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
438 + fip ? fip->field_name : "Unknown");
442 diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
443 --- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
444 +++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
445 @@ -1136,6 +1136,7 @@
446 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
448 Fax3BaseState* sp = Fax3State(tif);
449 + const TIFFFieldInfo* fip;
452 assert(sp->vsetparent != 0);
453 @@ -1181,7 +1182,13 @@
455 return (*sp->vsetparent)(tif, tag, ap);
457 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
459 + if ((fip = _TIFFFieldWithTag(tif, tag))) {
460 + TIFFSetFieldBit(tif, fip->field_bit);
465 tif->tif_flags |= TIFF_DIRTYDIRECT;
468 diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
469 --- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
470 +++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
471 @@ -722,15 +722,31 @@
472 segment_width = TIFFhowmany(segment_width, sp->h_sampling);
473 segment_height = TIFFhowmany(segment_height, sp->v_sampling);
475 - if (sp->cinfo.d.image_width != segment_width ||
476 - sp->cinfo.d.image_height != segment_height) {
477 + if (sp->cinfo.d.image_width < segment_width ||
478 + sp->cinfo.d.image_height < segment_height) {
479 TIFFWarningExt(tif->tif_clientdata, module,
480 "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
483 sp->cinfo.d.image_width,
484 sp->cinfo.d.image_height);
487 + if (sp->cinfo.d.image_width > segment_width ||
488 + sp->cinfo.d.image_height > segment_height) {
490 + * This case could be dangerous, if the strip or tile size has been
491 + * reported as less than the amount of data jpeg will return, some
492 + * potential security issues arise. Catch this case and error out.
493 + * -- taviso@google.com 14 Jun 2006
495 + TIFFErrorExt(tif->tif_clientdata, module,
496 + "JPEG strip/tile size exceeds expected dimensions,"
497 + "expected %dx%d, got %dx%d", segment_width, segment_height,
498 + sp->cinfo.d.image_width, sp->cinfo.d.image_height);
502 if (sp->cinfo.d.num_components !=
503 (td->td_planarconfig == PLANARCONFIG_CONTIG ?
504 td->td_samplesperpixel : 1)) {
506 sp->cinfo.d.comp_info[0].v_samp_factor,
507 sp->h_sampling, sp->v_sampling);
510 + * There are potential security issues here for decoders that
511 + * have already allocated buffers based on the expected sampling
512 + * factors. Lets check the sampling factors dont exceed what
513 + * we were expecting.
514 + * -- taviso@google.com 14 June 2006
516 + if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
517 + sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
518 + TIFFErrorExt(tif->tif_clientdata, module,
519 + "Cannot honour JPEG sampling factors that"
520 + " exceed those specified.");
526 * XXX: Files written by the Intergraph software
527 * has different sampling factors stored in the
528 @@ -1521,15 +1553,18 @@
530 JPEGState *sp = JState(tif);
533 + /* assert(sp != 0); */
535 tif->tif_tagmethods.vgetfield = sp->vgetparent;
536 tif->tif_tagmethods.vsetfield = sp->vsetparent;
538 - if( sp->cinfo_initialized )
539 - TIFFjpeg_destroy(sp); /* release libjpeg resources */
540 - if (sp->jpegtables) /* tag value */
541 - _TIFFfree(sp->jpegtables);
543 + if( sp->cinfo_initialized )
544 + TIFFjpeg_destroy(sp); /* release libjpeg resources */
545 + if (sp->jpegtables) /* tag value */
546 + _TIFFfree(sp->jpegtables);
549 _TIFFfree(tif->tif_data); /* release local state */
550 tif->tif_data = NULL;
552 @@ -1541,6 +1576,7 @@
554 JPEGState* sp = JState(tif);
555 TIFFDirectory* td = &tif->tif_dir;
556 + const TIFFFieldInfo* fip;
560 @@ -1606,7 +1642,13 @@
562 return (*sp->vsetparent)(tif, tag, ap);
564 - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
566 + if ((fip = _TIFFFieldWithTag(tif, tag))) {
567 + TIFFSetFieldBit(tif, fip->field_bit);
572 tif->tif_flags |= TIFF_DIRTYDIRECT;
575 @@ -1726,7 +1768,11 @@
577 JPEGState* sp = JState(tif);
579 - assert(sp != NULL);
580 + /* assert(sp != NULL); */
582 + TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
587 if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
588 diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
589 --- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
590 +++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
591 @@ -105,11 +105,16 @@
592 * as codes of the form <color><npixels>
593 * until we've filled the scanline.
596 + * Ensure the run does not exceed the scanline
597 + * bounds, potentially resulting in a security issue.
598 + * -- taviso@google.com 14 Jun 2006.
605 + while (n-- > 0 && npixels < imagewidth)
607 if (npixels >= (int) imagewidth)
609 diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
610 --- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
611 +++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
613 if (tif->tif_flags & TIFF_SWAB)
614 TIFFSwabArrayOfShort(up, nsamples);
616 - for (i = 0; i < nsamples; i += llen, up += llen) {
618 + * if llen is not an exact multiple of nsamples, the decode operation
619 + * may overflow the output buffer, so truncate it enough to prevent that
620 + * but still salvage as much data as possible.
621 + * -- taviso@google.com 14th June 2006
623 + if (nsamples % llen)
624 + TIFFWarningExt(tif->tif_clientdata, module,
625 + "%s: stride %lu is not a multiple of sample count, "
626 + "%lu, data truncated.", tif->tif_name, llen, nsamples);
629 + for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
630 switch (sp->user_datafmt) {
631 case PIXARLOGDATAFMT_FLOAT:
632 horizontalAccumulateF(up, llen, sp->stride,
633 diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
634 --- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
635 +++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
642 int TIFFFillStrip(TIFF*, tstrip_t);
643 int TIFFFillTile(TIFF*, ttile_t);
644 static int TIFFStartStrip(TIFF*, tstrip_t);
646 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
647 _TIFFfree(tif->tif_rawdata);
648 tif->tif_flags &= ~TIFF_MYBUFFER;
649 - if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
651 + * This sanity check could potentially overflow, causing an OOB read.
652 + * verify that offset + bytecount is > offset.
653 + * -- taviso@google.com 14 Jun 2006
655 + if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
656 + bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
658 * This error message might seem strange, but it's
659 * what would happen if a read were done instead.
661 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
662 _TIFFfree(tif->tif_rawdata);
663 tif->tif_flags &= ~TIFF_MYBUFFER;
664 - if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
666 + * We must check this calculation doesnt overflow, potentially
667 + * causing an OOB read.
668 + * -- taviso@google.com 15 Jun 2006
670 + if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
671 + bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
672 tif->tif_curtile = NOTILE;