fix possible out of bounds read in tiff2vips

reading a malformed tiff file from a buffer could trigger out of bounds read thanks Matt Richards
2016-07-21 07:40:33 +01:00 · 2016-07-21 07:40:33 +01:00 · 3efee94e19
parent 7ec63c4451
commit 3efee94e19
2 changed files with 14 additions and 2 deletions
--- a/1
+++ b/1
@ -1,5 +1,6 @@
 18/5/16 started 8.3.2
 - more robust vips image reading
+- more robust tiff read [Matt Richards]

 15/4/16 started 8.3.1
 - rename vips wrapper script, it was still vips-8.2, thanks Benjamin
--- a/libvips/foreign/tiff2vips.c
+++ b/libvips/foreign/tiff2vips.c
@ -1832,9 +1832,17 @@ my_tiff_read( thandle_t st, tdata_t buffer, tsize_t size )
 {
 	ReadTiff *rtiff = (ReadTiff *) st;

-	size_t available = rtiff->len - rtiff->pos;
-	size_t copy = VIPS_MIN( size, available );
+	size_t available;
+	size_t copy;

+	if( rtiff->pos > rtiff->len ) {
+		vips_error( "tiff2vips", 
+			"%s", _( "read beyond end of buffer" ) );
+		return( 0 );
+	}
+
+	available = rtiff->len - rtiff->pos;
+	copy = VIPS_MIN( size, available );
 	memcpy( buffer, (unsigned char *) rtiff->buf + rtiff->pos, copy );
 	rtiff->pos += copy;

@ -1855,6 +1863,9 @@ my_tiff_close( thandle_t st )
 	return 0;
 }

+/* After calling this, ->pos is not bound by the size of the buffer, it can 
+ * have any positive value.
+ */
 static toff_t 
 my_tiff_seek( thandle_t st, toff_t pos, int whence )
 {